55 matches found
Design/Logic Flaw
Gentoo Portage through 2.3.84 allows local users to place a Trojan horse plugin in the /usr/lib64/nagios/plugins directory by leveraging access to the nagios user account, because this directory is writable in between a call to emake and a call to fowners...
Razer: Aws bucket writable mobile.razer.com
The tester discovered an S3 bucket owned by Mobile that was writeable. No files were present but the permissions were incorrect and subsequently fixed. Razer appreciates the report...
Reptile Rootkit reptile_cmd Privilege Escalation
This module uses Reptile rootkit's reptile_cmd backdoor executable to gain root privileges using the root command. This module has been tested successfully with Reptile from master branch 2019-03-04 on Ubuntu 18.04.3 x64 and Linux Mint 19 x64. This module requires Metasploit:...
CVE-2019-15541
rustls-mio/examples/tlsserver.rs in the rustls crate before 0.16.0 for Rust allows attackers to cause a denial of service (loop of conn_event and ready) by arranging for a client to never be writable...
CVE-2019-12589
In Firejail before 0.9.60, seccomp filters are writable inside the jail, leading to a lack of intended seccomp restrictions for a process that is joined to the jail after a filter has been modified by an attacker...
CVE-2019-9798
On Android systems, Firefox can load a library from APITRACE_LIB, which is writable by all users and applications. This could allow malicious third party applications to execute a man-in-the-middle attack if a malicious code was written to that location and loaded. Note: This issue only affects...
Design/Logic Flaw
In SolarWinds SFTP/SCP Server through 2018-09-10, the configuration file is world readable and writable, and stores user passwords in an insecure manner, allowing an attacker to determine passwords for potentially privileged accounts. This also grants the attacker an ability to backdoor the serve...
CVE-2014-8677
The installation process for SOPlanning 1.32 and earlier allows remote authenticated users with a prepared database, and access to an existing database with a crafted name, or permissions to create arbitrary databases, or if PHP before 5.2 is being used, the configuration database is down, and...
BSA-2017-245
Security Advisory ID : BSA-2017-245 Component : SNMP Revision : 1.0: Interim snmpd in SCO OpenServer has an SNMP community string that is writable by default, which allows local attackers to modify the host's configuration. Affected Products Brocade is investigating its product lines to determine...
Ruby: Open S3 Bucket WriteAble To Any Aws User
Hi All, I know that http://rubyci.s3.amazonaws.com is used for file uploads on reports, and so when I open your S3 bucket I am able to see all of your public/private files. I already see you fixed this vulnerability, but it is not completely fixed. root@injector: aws s3 ls s3://rubyci PRE aix71ppc/ PRE amazon/...
Ruby: Writable RubyCi Amazon s3 bucket
Hello, I have discovered that the bucket: http://rubyci.s3.amazonaws.com/ is able to be written to by authenticated AWS users. This is due to the current permissions configurations. I have added a file here: http://rubyci.s3.amazonaws.com/test.html for proof of concept. This can be potentially...
MacOS Kernel 10.12.1 - Writable Privileged IOKit Registry Properties Code Execution Exploit
Exploit for macOS platform in category dos / poc / Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=974 There are two ways for IOServices to define their IOUserClient classes: they can override IOService::newUserClient and allocate the correct type themselves or they can set the...
Apple macOS 10.12.1 Kernel - Writable Privileged IOKit Registry Properties Code Execution
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=974 There are two ways for IOServices to define their IOUserClient classes: they can override IOService::newUserClient and allocate the correct type themselves or they can set the IOUserClientClass key in their registry entry. Th...
CVE-2016-1238
It was found that perl can load modules from the current directory if not found in the module directories, via the @INC path. A local, authenticated attacker could create a specially crafted module in a writable directory and trick a user into running a perl program from that directory; if the...
SMB Share Enumeration
This module determines what shares are provided by the SMB service and which ones are readable/writable. It also collects additional information such as share types, directories, files, time stamps, etc. By default, a RubySMB netshareenumall request is done in order to retrieve share information,...
Zendesk: AWS S3 bucket writable for authenticated aws user
The researcher reported an AWS S3 bucket exposed with read and write privileges. The S3 bucket was intentionally readable but the write privileges have since been removed...
Udemy: AWS S3 bucket writable for authenticated aws user
Hey, I found an open S3 Amazon bucket udemy-maven. While I can’t confirm if you own it or not, it appears that it is publicly writable using the aws cli. When I write to udemy-maven, I get: move: ./test.txt to s3://udemy-maven/test.txt And also when I remove file, I get: delete:...
Solaris <= 7.0 Coredump Vulnerability
No description provided by source. source: http://www.securityfocus.com/bid/296/info There is a vulnerability in the way Solaris 2.4 pre Jumbo Kernel Patch -35 for SPARC dumps core files. Under normal operation the operating system writes out a core image of a process when it is terminated due to...
Rocks Clusters <= 4.1 (umount-loop) Local Root Exploit
No description provided by source. !/usr/bin/env python rocksumountdirty.py: Rocks release =4.1 local root exploit quick and nasty version of the exploit. make sure the . is writable and you clean up afterwards. ; coded by: [email protected] http://xavsec.blogspot.com x=import'os';c=x.getcwd...