CVE-2016-1803
Published: 2016-05-20
Priority: P346 · Severity: high · CVSS 3.0: 7.8
Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Exploit: available · EPSS: 5.14% (91.4th percentile)
CoreCapture in Apple iOS before 9.3.2, OS X before 10.11.5, tvOS before 9.2.1, and watchOS before 2.2.1 allows attackers to execute arbitrary code in a privileged context or cause a denial of service (NULL pointer dereference) via a crafted app.
Affected (8 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apple | ios | — | — |
| apple | iphone_os | < 9.3.2 | 9.3.2 |
| apple | mac_os_x | < 10.11.5 | 10.11.5 |
| apple | os_x_el_capitan_v10.11.5_and_security_update_2016-003 | — | — |
| apple | tvos | < 9.2.1 | 9.2.1 |
| apple | tvos | — | — |
| apple | watchos | < 2.2.1 | 2.2.1 |
| apple | watchos | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.0 | 7.8 | HIGH | CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| NVD | 2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
Apple: About the security content of watchOS 2.2.1
vendor_apple · CVSS 7.8 · HIGH
Product: watchOS · Version: 2.2.1 · CVE: CVE-2016-1803
Apple: About the security content of iOS 9.3.2
vendor_apple · CVSS 7.8 · HIGH
Product: iOS · Version: 9.3.2 · CVE: CVE-2016-1803
Apple: About the security content of OS X El Capitan v10.11.5 and Security Update 2016-003
vendor_apple · CVSS 7.8 · HIGH
Product: OS X El Capitan v10.11.5 and Security Update 2016-003 · CVE: CVE-2016-1803
Apple: About the security content of tvOS 9.2.1
vendor_apple · CVSS 7.8 · HIGH
Product: tvOS · Version: 9.2.1 · CVE: CVE-2016-1803
GHSA: GHSA-p527-v5gr-wr27
ghsa_unreviewed · 2022-05-14 · HIGH · CWE-476 · CVE-2016-1803
CoreCapture in Apple iOS before 9.3.2, OS X before 10.11.5, tvOS before 9.2.1, and watchOS before 2.2.1 allows attackers to execute arbitrary code in a privileged context or cause a denial of service (NULL pointer dereference) via a crafted app.
No detection rules found.
Exploit-DB: Microsoft Windows 10 - Theme API 'ThemePack' File Parsing
exploitdb · 2020-01-29 · CVE-2018-8413 · CVSS 8.1 · HIGH
---
# Exploit Title: Microsoft Windows 10 - Theme API 'ThemePack' File Parsing
# Google Dork: n/a
# Date: 2020-10-28
# Exploit Author: Eduardo Braun Prado
# Vendor Homepage: http://www.microsoft.com/
# Software Link: http://www.microsoft.com/
# Version: 10 v.1803 (17134.407)
# Tested on: Windows 7, 8.0, 8.1, 10, Server 2012, Server 2012 R2, Server 2016, Server 2019
# CVE : CVE-2018-8413
# Discovered by: Eduardo Braun Prado
[Details]
Microsoft 'themepack' files are classic '.theme' files compressed for sharing over the internet. Theme files allow users to customize visual aspects of their device, such as icons for known features like 'My computer' and 'trash bin' folders, the default screensaver (which by the way allowed attacke
Exploit-DB: Zapya Desktop 1.803 - 'ZapyaService.exe' Local Privilege Escalation
exploitdb · 2016-09-13
---
# Exploit Title: Zapya Desktop Version ('ZapyaService.exe') Privilege Escalation
# Date: 2016/9/12
# Exploit Author: Arash Khazaei
# Vendor Homepage: http://www.izapya.com/
# Software Link: http://binaries.izapya.com/Izapya/Windows_PC/ZapyaSetup_1803_en.exe
# Version: 1.803 (Latest)
# Tested on: Windows 7 Professional X86 - Windows 10 Pro X64
# CVE : N/A
# Description :
# Zapya is a 100% free tool for sharing files across devices like Android, iPhone, iPad, Window’s Phone, PC, and Mac computers in an instant.
# It’s Easy to use and supports multiple languages. We are already a community of 300 million strong users and growing rapidly.
# When You Install Zapya Desktop, Zapya Will Install A Service Named ZapyaService
Exploit-DB: Apple Mac OSX Kernel - NULL Dereference in CoreCaptureResponder Due to Unchecked Return Value
exploitdb · 2016-06-10 · CVE-2016-1803
---
/*
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=777
Pretty much all the external methods of CoreCaptureUserClient call CoreCaptureUserClient::stashGet passing an attacker controlled key.
If that key isn't in the list of stashed objects then stashGet returns a NULL pointer. No callers actually check
the return value though which leads immediately to a call to a virtual method on a NULL pointer. By mapping the NULL
page we can get trivial RIP control.
Tested on OS X 10.11.4 (15E65) on MacBookAir 5,2
*/
// ianbeer
//clang -o CoreCaptureNull CoreCaptureNull.c -framework IOKit -m32 -lpthread -pagezero_size 0x0
/*
OS X exploitable kernel NULL dereference in CoreCaptureRe
References
- http://lists.apple.com/archives/security-announce/2016/May/msg00001.html
- http://lists.apple.com/archives/security-announce/2016/May/msg00002.html
- http://lists.apple.com/archives/security-announce/2016/May/msg00003.html
- http://lists.apple.com/archives/security-announce/2016/May/msg00004.html
- http://packetstormsecurity.com/files/137399/OS-X-CoreCaptureResponder-NULL-Pointer-Dereference.html
- http://www.securityfocus.com/bid/90694
- http://www.securitytracker.com/id/1035890
- http://www.zerodayinitiative.com/advisories/ZDI-16-339
- https://bugs.chromium.org/p/project-zero/issues/detail?id=777
- https://support.apple.com/HT206564
- https://support.apple.com/HT206566
- https://support.apple.com/HT206567
- https://support.apple.com/HT206568
- https://www.exploit-db.com/exploits/39925/