jcran (12)

Last Login: March 24, 2020
Assessments: 3
Score: 12

jcran's Latest (3) Contributions

4
Ratings
  • Attacker Value
    High
  • Exploitability
    Low
Technical Analysis

As others have said, this would likely require either MiTM or otherwise coaxing someone to run an executable in a typical malware distribution scenario for the authenticode bit. So, if defining exploitation as successful compromise of a user connection or system, I think the complexity of this is high, but the payoff/utility especially for snooping is fairly critical.

Agreed on the RCE vector, but I do have a problem with the “RCE” label since it tends to imply a certain specific type of code execution, rather than the enablement of a vector of execution, which this is.

3
Ratings
  • Attacker Value
    Medium
  • Exploitability
    Very High
Technical Analysis

Causes a hard crash for the web application server (for example, Tomcat) which directly handles web requests by simply posting 4097 characters to an affected server using the AES GCM cipher (where that server has the requisite CPU extensions enabled, which is most modern processors). Super easy to exploit; can just use curl.

See the blog post I wrote about it:
https://blog.rapid7.com/2015/07/16/r7-2015-09-oracle-java-jre-aes-intrinsics-remote-denial-of-service-cve-2015-2659/

2
Ratings
  • Attacker Value
    Very Low
  • Exploitability
    Very High
Technical Analysis

This vuln is triggerable as a drive-by if someone visits a site using a browser while the impacted NVIDIA blob driver is in use on the system. You could do this by installing a custom set of font glyphs that contain shellcode and overflowing the video buffer with a long "string" of those glyphs (which would write past the video buffer memory boundary). However, the likelihood of someone using this driver today is extremely low, so it is not very useful.