The AccessArray function in the VBScript engine of Internet Explorer is prone to a redefinition attack. By accessing a VBScript array using a specially crafted object as the index, it is possible to resize the array in the middle of the AccessArray function, leaving the array in an inconsistent state, which can be abused by an attacker to execute arbitrary code on systems running vulnerable versions of Internet Explorer.
Internet Explorer is prone to a use-after-free vulnerability when trying to access the ArrayBuffer that was backing a Typed Array after it has been detached by transferring it to a Web Worker by calling the postMessage() function. This vulnerability can be abused by an attacker to execute arbitrary code on systems running vulnerable versions of Internet Explorer.
Acunetix Web Vulnerability Scanner 10.0 build 20160216 and previous versions, allows remote attackers to execute arbitrary JavaScript code in the context of the scanner GUI. The flaw exists in the way Acunetix WVS render some html elements inside it's GUI, using jscript.dll without any concert about unsafe ActiveX object such as WScript.shell. If Acunetix WVS triggers a vulnerability during a scan session, it saves a local html with the content of html page. With this, it's possible to trigger a fake vulnerability and inject a JavaScript code which triggers the remote command execution. This module also abuses of a second vulnerability affecting the Acunetix Web Vulnerability Scanner Scheduler. The Scheduler allows programmatically scanning of websites without any user interaction. It is possible to schedule a scan via the web interface listening on 127.0.0.1:8183. When a scan is scheduled, a new instance of Acunetix WVS is launched as SYSTEM. Previous to the real scan, several tests are performed on the target host using script files located in %ProgramData%\Acunetix WVS 10\Data\Scripts. Due to bad ACL's in this folder, any user can modify these scripts files. This module modifies the AJP_Audit.script file in order to execute an agent as SYSTEM.
The Password Manager component installed by various Trend Micro products runs a Node.js HTTP server by default. This web server opens multiple HTTP RPC ports for handling API requests. For example, the openUrlInDefaultBrowser API function, which internally maps to a ShellExecute function call, allows and attacker to execute arbitrary commands on localhost without the need of any type of credentials. This module will wait for a vulnerable target to connect and deploy an agent by abusing the mentioned API functionallity provided by the vulnerable component.
Windows Media Center is prone to a vulnerability that may allow execution of a remote dll.
MSHTML.dll is prone to a vulnerability that may allow binary planting of crafted dlls if MSHTML.DLL of version 11.0.9600.18231 (from Internet explorer 11) is located in system32 in the target and using a crafted word document to trigger.
The Filter function of the VBScript engine in Microsoft Internet Explorer is prone to a type confusion vulnerability when processing specially crafted parameters. This vulnerability allows attackers to execute arbitrary code on vulnerable machines by enticing unsuspecting users to visit a specially crafted website. In order to bypass ASLR, this module also exploits a memory disclosure vulnerability from the same Microsoft security bulletin. This second vulnerability exists in the IE JavaScript engine when dealing with ArrayBuffer objects.
Microsoft Word is prone to a vulnerability that may allow execution of a remote dll.
The vulnerability is due to an error while parsing crafted PRX files which can result in an buffer overflow. This module runs a malicious web site on the Core Impact Console and waits for an unsuspecting user to trigger the exploit by connecting to the web site.
Microsoft Word is prone to a vulnerability that may allow execution of mqrt.dll.