jcran (12)
Last Login: October 24, 2024
jcran's Latest (3) Contributions
Technical Analysis
As others have said, this would likely require either MiTM or otherwise coaxing someone to run an executable in a typical malware distribution scenario for the authenticode bit. So, if defining exploitation as successful compromise of a user connection or system, I think the complexity of this is high, but the payoff/utility especially for snooping is fairly critical.
Agreed on the RCE vector, but I do have a problem with the “RCE” label since it tends to imply a certain specific type of code execution, rather than the enablement of a vector of execution, which this is.
Technical Analysis
Causes a hard crash for the web application server (for example, Tomcat) which directly handles web requests by simply posting 4097 characters to an affected server using the AES GCM cipher (where that server has the requisite CPU extensions enabled, which is most modern processors). Super easy to exploit; can just use curl.
See the blog post I wrote about it:
https://blog.rapid7.com/2015/07/16/r7-2015-09-oracle-java-jre-aes-intrinsics-remote-denial-of-service-cve-2015-2659/
Technical Analysis
This vuln is triggerable as a drive-by if someone visits a site using a browser while the impacted NVIDIA blob driver is in use on the system. You could do this by installing a custom set of font glyphs that contain shellcode, and overflowing the video buffer with a long “string” of those glyphs (which would write past the video buffer memory boundary). However, the likelihood of someone using this driver today is extremely low, so it is not very useful.