Raptor is a web application firewall written in C that uses DFA to block SQL injection, cross site scripting, and path traversals.
e124a10f5e1cc12f366263958aeaf678bc45ef125e7d80430afc2808ac8cf4a5The escape handler for 0x10000e9 lacks bounds checks, and passes a user specified size as the size to memcpy, resulting in a stack buffer overflow.
e764018c50128a89c728c3202c374cd2eee6b13beea7305fa6c32f6c0bab6212There is a missing bounds check in inner loop of the escape handler for 0x7000014 that leads to a stack buffer overflow.
6154ad3c9f831583ddc42198a12cfa12363713dc40cd3172b448eda799e5eae1Gentoo Linux Security Advisory 201610-9 - Multiple vulnerabilities have been found in the Chromium web browser, the worst of which allows remote attackers to execute arbitrary code. Versions less than 54.0.2840.59 are affected.
ad761228304f4fe9f8b6ce1842cf6603b66fd22ae641b2101ff84d93f1db9fcfThe DxgkDdiEscape handler for 0x70000d5 lacks bounds checks.
217f80d673facc15accb636f625922543219ec6b5feb5df98734f4a373cb88c7The DxgkDdiEscape handler for 0x7000170 lacks proper bounds checks for the variable size input escape data, and relies on a user provided size as the upper bound for writing output.
7290a345ac11921d719fab843f9ee44533b83cdd39e09fc45d06819460973000The DxgkDdiEscape handler for escape 0x100009a lacks proper bounds checks.
b14a13d1b77ffa3d060b707004362638f3c5ff6e048afd8cf77611c8cdde2d1aThe NvStreamKms.sys driver calls PsSetCreateProcessNotifyRoutineEx to set up a process creation notification routine. wcscpy_s is used incorrectly here, as the second argument is not the size of |Dst|, but rather the calculated size of the filename. |Dst| is a stack buffer that is at least 255 characters long. The the maximum component paths of most filesystems on Windows have a limit that is <= 255 though, so this shouldn't be an issue on normal filesystems. However, one can pass UNC paths to CreateProcessW containing forward slashes as the path delimiter, which means that the extracted filename here can be "a/b/c/...", leading to a buffer overflow. Additionally, this function has no stack cookie.
d534aa5dbfaaf39a96770f8f3d77175a1058baafc21fe140187d747f2c80d76aThe DxgkDdiEscape handler for 0x5000027 accepts a user provided pointer, but does no checks on it before using it.
ad8c4174f1e08e6564d58aa2d42e1e83d8e014e6a4e5db8020415f6aba4ec946NVIDIA suffers from a missing bounds check in escape 0x100010b.
0ac6c7ff8137b4f4210690565bb24e9090b98312b19fb5b9f81228ab56b1211cThe DxgkDdiEscape handler for 0x70001b2 doesn't do proper bounds checks for its variable size input.
3f0707279202aa000fc87188c9423545af5ea5238e8a0a0747d912d04badb09dThe DxgkDdiEscape handler for 0x700010d accepts a user provided pointer as the destination for a memcpy call, without doing any checks on said pointer.
00028040fc1696111b53b38186779858df513b4aa81a7ab2a7c1d708f6b717c5The DxgkDdiEscape handler for 0x600000D passes an unchecked user provided pointer as the destination for a memcpy call. This leads to kernel memory corruption.
88df8868b62f20e6af812714d8f4fbc7c341957f6633b3258e0389967bc4db8eA logic issue in launchd message requeuing allows arbitrary mach message control. Mac OS X version 10.11.6 is affected.
0c4a95bb9942e2aa50c7ff4c3ea1baae30e2d99475cd575f65c1e1f70c6285a5NVIDIA escape code leaks uninitialized ExAllocatePoolWithTag memory to userspace.
f708d6be27d7323b5b92bfefe4673bcc69a708dc90f8c96a6211dd65b7f7b009Multiple memory safety issues exist in Mac OS X and iOS inside of mach_ports_register.
164ada40109fdf8bff76ff09d76b270061f06289e2e74b857944849bdf5cb42eNVIDIA's UVMLiteController ioctl handling in nvlddmkm.sys failed to provide proper length checking.
35df092ce423d70fd6bbcf76399d366b6e2c33dd7474e617edb4a4aae54093e8The DxgkDdiEscape handler for 0x7000194 doesn't do bounds checking with the user provided lengths it receives. When these lengths are passed to memcpy, overreads and memory corruption can occur.
fe4199c90270a4da962ed45b45ddf04bfdf0f113751182e41c3f39b735a8f2c9
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed