n0o.com - Personal archive of discovered vulns & writeups.

[CVE-2018-20505] Integer overflow in FTS3 of SQLite


Reported on : 1 Nov 2018
Shipped on : 13 Dec 2018
Type : Integer Overflow / Heap Buffer Overflow
In Function : to be confirmed

Different from CVE-2018-20346. SQLite before 3.25.3, when the FTS3 extension is enabled, encounters an integer overflow (and resultant buffer overflow) for FTS3 queries that occur after crafted changes to FTS3 shadow tables, allowing remote attackers to execute arbitrary code by leveraging the ability to run arbitrary SQL statements (such as in certain WebSQL use cases), aka Magellan.
TO BE ADDED

[CVE-2018-20346] Integer Overflow in FTS3 of SQLite


Reported on : 1 Nov 2018
Shipped on : 13 Dec 2018
Type : Integer Overflow / Heap Buffer Overflow
In Function : to be confirmed

SQLite before 3.25.3, when the FTS3 extension is enabled, encounters an integer overflow (and resultant buffer overflow) for FTS3 queries that occur after crafted changes to FTS3 shadow tables, allowing remote attackers to execute arbitrary code by leveraging the ability to run arbitrary SQL statements (such as in certain WebSQL use cases), aka Magellan.
TO BE ADDED

[CVE-2018-12686] Integer Overflow caused Heap buffer overflow in CivetWeb


Reported on : 2 Jun 2018
Shipped on : 28 Jun 2018
Type : Integer Overflow / Heap Buffer Overflow
In Function : CivetServer::getParam

"Content-Length" is user-supplied, hence con_len_str could be a negative number (-1). The signed int is then converted to an unsigned int, which passes the check con_len > 0; malloc(-1 + 1) = malloc(0) is called, and mg_read then writes data far out of bounds from there, causing a heap buffer overflow. One attack scenario is when the server enables SSL (combined with OpenSSL): an attacker could overwrite the SSL_ctx object, and thus mg_write --> SSL_write (the function pointer is overwritten) will cause remote code execution.

https://github.com/civetweb/civetweb/issues/633
https://github.com/civetweb/civetweb/commit/82c03a22f4690fb05137b1c00f


[CVE-2018-12685] Out-of-bounds Read in CivetWeb (2)


Reported on : 2 Jun 2018
Shipped on : 28 Jun 2018
Type : Information Leak
In Function : mg_start

libcivetweb must be compiled with Symbian support and run on a Symbian system; an attacker then calls the function locally to get system information to trigger this problem. The number of data sources supplied is less than the number declared, which could cause an information leak vulnerability or Denial of Service.
https://github.com/civetweb/civetweb/issues/633
https://github.com/civetweb/civetweb/commit/6a1f14d47941a190b1c038b67f

[CVE-2018-12684] Out-of-bounds Read in CivetWeb


Reported on : 2 Jun 2018
Shipped on : 28 Jun 2018
Type : OOB Access - Read
In Function : send_ssi_file

Out-of-bounds Read in the send_ssi_file function in civetweb.c in CivetWeb through 1.10 allows attackers to cause a Denial of Service or Information Disclosure via a crafted SSI file. The server must enable SSI (server side includes) support; an attacker could then send a request with a malformed SSI file locally or remotely.

https://github.com/civetweb/civetweb/issues/633
https://github.com/civetweb/civetweb/commit/8fd069f6dedb064339f1091069

[CVE-2018-6110] Script Execution on non-HTML page in Google Chrome


Reported on : 24 Oct 2017
Shipped on : 25 Apr 2018
Type : Unexpected Results
In Function : MIME Detection

Parsing documents as HTML in Downloads in Google Chrome prior to 66.0.3359.117 allowed a remote attacker to cause Chrome to execute scripts via a local non-HTML page.
https://crbug.com/777737

[CVE-2016-3267] Microsoft Browser Information Disclosure Vulnerability


Reported on : 21 Mar 2016
Shipped on : 17 Nov 2016
Type : Information Disclosure
In Function : readyState detection

Local file detection problem in IE11/Edge using an iframe and readyState. IE disabled loading a res protocol URI in an image element, which fails the check v31 = CMarkup::CheckForLMZLLoad(v8, 1) in CImgHelper::SetImgCtx, but an attacker can use an iframe instead to load a res URI under the web zone. By using the readyState attribute, the attacker can tell whether a local file exists. For example, "interactive,interactive," means the file exists and is loaded in the iframe, while "loading, interactive" means the file does not exist. IE versions before IE11 are not affected: they report "interactive,complete" readyState whether or not the local file exists, so the attacker cannot tell whether the local file exists.
https://github.com/leonwxqian/n0o-vuln-archive/blob/master/CVE-2016-3267.html

[CVE-2016-3276] Microsoft Browser Spoofing Vulnerability


Reported on : 10 Mar 2016
Shipped on : 15 Jul 2016
Type : XSS based Spoofing
In Function : Reading Mode

XSS in Reading Mode of Microsoft Edge, triggered by visiting the page with "read:URL". Microsoft Internet Explorer 11 and Microsoft Edge allow remote attackers to conduct content-spoofing attacks via a crafted URL, aka "Microsoft Browser Spoofing Vulnerability."
https://github.com/leonwxqian/n0o-vuln-archive/blob/master/CVE-2016-3276.html

[CVE-2016-0161] Remote Privilege Escalation Vulnerability


Reported on : 3 Jan 2016
Shipped on : 13 Apr 2016
Type : XSS based EOP
In Function : Webnote

XSS in Webnote of Microsoft Edge, allowing JavaScript to run incorrectly on the file:/// protocol. Microsoft Edge is prone to a remote privilege-escalation vulnerability. An attacker can exploit this issue to gain elevated privileges. Successful exploits may aid in further attacks.

https://github.com/leonwxqian/n0o-vuln-archive/blob/master/CVE-2016-0161.html

[CVE-2015-6162] Internet Explorer 10 Memory Corruption Vulnerability


Reported on : 29 Jul 2015
Shipped on : 9 Dec 2015
Type : UAF
In Function : MSHTML!CTreeNode::ComputeFormats

Microsoft Internet Explorer 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability".
https://github.com/leonwxqian/n0o-vuln-archive/blob/master/CVE-2015-6162.html