
2659 matches found

Rapid7 Blog
added 2022/09/30 6:47 p.m. · 179 views

Metasploit Weekly Wrap-Up

Veritas Backup Exec Agent RCE This module kindly provided by c0rs targets the Veritas Backup Exec Agent in order to gain RCE as the system/root user. The exploit itself is actually a chain of 3 separate CVEs CVE-2021-27876, CVE-2021-27877 and CVE-2021-27878 which only makes it more impressive...

CVSS 9 · EPSS 0.94233
Exploits: 48

Packet Storm
added 2022/09/26 12:0 a.m. · 266 views

Veritas Backup Exec Agent Remote Code Execution

frozenstringliteral: true This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Veritas Backup Exec Agent Remote Code Execution', 'Description' = %q Veritas Backup Exec Agent supports multiple...

CVSS 9.8 · AI score 0.2 · EPSS 0.40344
Exploits: 6

0day.today
added 2022/09/26 12:0 a.m. · 401 views

Veritas Backup Exec Agent Remote Code Execution Exploit

Veritas Backup Exec Agent supports multiple authentication schemes and SHA authentication is one of them. This authentication scheme is no longer used within Backup Exec versions, but had not yet been disabled. An attacker could remotely exploit the SHA authentication scheme to gain unauthorized...

CVSS 9.8 · AI score 8.9 · EPSS 0.40344
Exploits: 6

Metasploit
added 2022/09/23 7:51 p.m. · 231 views

Veritas Backup Exec Agent Remote Code Execution

Veritas Backup Exec Agent supports multiple authentication schemes and SHA authentication is one of them. This authentication scheme is no longer used within Backup Exec versions, but hadn't yet been disabled. An attacker could remotely exploit the SHA authentication scheme to gain unauthorized...

AI score 9.6
Exploits: 0

OSV
added 2022/09/17 12:29 a.m. · 6 views

GSD-2022-1005822 posix-cpu-timers: Cleanup CPU timers before freeing them during exec

posix-cpu-timers: Cleanup CPU timers before freeing them during exec This is an automated ID intended to aid in discovery of potential security vulnerabilities. The actual impact and attack plausibility have not yet been proven. This ID is fixed in Linux Kernel version v5.10.137 by commit...

AI score 7.2
Exploits: 0

OSV
added 2022/09/17 12:5 a.m. · 14 views

GSD-2022-1005555 posix-cpu-timers: Cleanup CPU timers before freeing them during exec

posix-cpu-timers: Cleanup CPU timers before freeing them during exec This is an automated ID intended to aid in discovery of potential security vulnerabilities. The actual impact and attack plausibility have not yet been proven. This ID is fixed in Linux Kernel version v5.15.61 by commit...

AI score 7.2
Exploits: 0

OSV
added 2022/09/16 11:37 p.m. · 7 views

GSD-2022-1005193 posix-cpu-timers: Cleanup CPU timers before freeing them during exec

posix-cpu-timers: Cleanup CPU timers before freeing them during exec This is an automated ID intended to aid in discovery of potential security vulnerabilities. The actual impact and attack plausibility have not yet been proven. This ID is fixed in Linux Kernel version v5.19.2 by commit...

AI score 7.2
Exploits: 0

OSV
added 2022/09/16 11:4 a.m. · 2 views

OESA-2022-1914 colord security update

colord is a system service that makes it easy to manage, install and generate color profiles to accurately color manage input and output devices. Security Fixes: There are two Information Disclosure vulnerabilities in colord, and they lie in colord/src/cd-device-db.c and colord/src/cd-profile-db....

CVSS 7.5 · AI score 6.6 · EPSS 0.00118
Exploits: 1 · References: 2

Metasploit
added 2022/09/08 7:49 p.m. · 119 views

Powershell Exec, Windows shellcode stage, Windows x86 Reverse Named Pipe (SMB) Stager

Execute an x86 payload from a command via PowerShell. Custom shellcode stage. Connect back to the attacker via a named pipe pivot Module Options msf use payload/cmd/windows/powershell/custom/reversenamedpipe msf payloadreversenamedpipe show actions ...actions... msf payloadreversenamedpipe set...

AI score 7.1
Exploits: 0

Metasploit
added 2022/09/08 7:49 p.m. · 167 views

Powershell Exec, Windows shellcode stage, Windows x64 Reverse TCP Stager

Execute an x64 payload from a command via PowerShell. Custom shellcode stage. Connect back to the attacker Windows x64 Module Options msf use payload/cmd/windows/powershell/x64/custom/reversetcp msf payloadreversetcp show actions ...actions... msf payloadreversetcp set ACTION msf payloadreversetc...

AI score 7.1
Exploits: 0

Metasploit
added 2022/09/08 7:49 p.m. · 155 views

Powershell Exec, Windows shellcode stage, Hidden Bind Ipknock TCP Stager

Execute an x86 payload from a command via PowerShell. Custom shellcode stage. Listen for a connection. First, the port will need to be knocked from the IP defined in KHOST. This IP will work as an authentication method you can spoof it with tools like hping. After that you could get your shellcod...

AI score 7.2
Exploits: 0

Metasploit
added 2022/09/08 7:49 p.m. · 121 views

Powershell Exec, Windows shellcode stage, Windows Reverse HTTP Stager (winhttp)

Execute an x86 payload from a command via PowerShell. Custom shellcode stage. Tunnel communication over HTTP Windows winhttp Module Options msf use payload/cmd/windows/powershell/custom/reversewinhttp msf payloadreversewinhttp show actions ...actions... msf payloadreversewinhttp set ACTION msf...

AI score 7.2
Exploits: 0

Metasploit
added 2022/09/08 7:49 p.m. · 178 views

Powershell Exec, Windows shellcode stage, Reverse UDP Stager with UUID Support

Execute an x86 payload from a command via PowerShell. Custom shellcode stage. Connect back to the attacker with UUID Support Module Options msf use payload/cmd/windows/powershell/custom/reverseudp msf payloadreverseudp show actions ...actions... msf payloadreverseudp set ACTION msf...

AI score 7.1
Exploits: 0

Zero Day Initiative
added 2022/09/08 12:0 a.m. · 74 views

(Pwn2Own) ConnMan received_data Out-Of-Bounds Write Remote Code Execution Vulnerability

This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of ConnMan. Authentication is not required to exploit this vulnerability. The specific flaw exists within the received_data method. Crafted data in an HTTP response can trigger a write past the e...

CVSS 6.3 · AI score 1.4 · EPSS 0.01941
Exploits: 0 · References: 1

Positive Technologies
added 2022/09/02 12:0 a.m. · 1 views

PT-2022-24790 · Libdwarf · Libdwarf

Name of the Vulnerable Software and Affected Versions: libdwarf version 0.4.1 Description: The issue is related to a double free in the dwarf exec frame instr function located in dwarf frame.c. Recommendations: For libdwarf version 0.4.1, at the moment, there is no information about a newer versi...

CVSS 8.8 · AI score 7.2 · EPSS 0.00505
Exploits: 0 · References: 14

Veracode
added 2022/08/31 4:26 a.m. · 36 views

Command Injection

moment-timezone is vulnerable to command injection. An attacker can inject and execute malicious commands using the child_process.exec function, as it does not sanitize the input...

AI score 3.1
Exploits: 0

Github Security Blog
added 2022/08/29 8:6 p.m. · 14 views

Font-Converter Vulnerable to Arbitrary Command Injection

Overview: font-converter is a FontForge wrapper that allows conversion between different font formats (TTF, WOFF, OTF). All versions of this package are vulnerable to Arbitrary Command Injection due to missing sanitization of input that potentially flows into the child_process.exec function. PoC js va...

CVSS 9.8 · AI score 9.7 · EPSS 0.0264
Exploits: 1 · References: 4 · Affected Software: 1

OSV
added 2022/08/29 8:6 p.m. · 0 views

GHSA-G2C3-VWFF-M3XR Font-Converter Vulnerable to Arbitrary Command Injection

Overview: font-converter is a FontForge wrapper that allows conversion between different font formats (TTF, WOFF, OTF). All versions of this package are vulnerable to Arbitrary Command Injection due to missing sanitization of input that potentially flows into the child_process.exec function. PoC js va...

CVSS 9.8 · AI score 5.9 · EPSS 0.0264
Exploits: 1 · References: 4

CNVD
added 2022/08/19 12:0 a.m. · 38 views

Apache Airflow Remote Code Execution Vulnerability (CNVD-2022-59057)

Apache Airflow is an open source platform for creating, managing and monitoring workflows from the Apache Foundation. The platform is scalable and dynamically monitored, etc. A remote code execution vulnerability exists in versions of Apache Airflow prior to 3.0.0. The vulnerability stems from th...

CVSS 8.8 · AI score 2.6 · EPSS 0.00708
Exploits: 0 · References: 1

Tenable Nessus
added 2022/08/17 12:0 a.m. · 42 views

EulerOS 2.0 SP10 : docker-engine (EulerOS-SA-2022-2253)

According to the versions of the docker-engine package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - Moby is an open-source project created by Docker to enable software containerization. A bug was found in Moby Docker Engine where attempti...

CVSS 7.8 · AI score 7.3 · EPSS 0.04746
Exploits: 3 · References: 6