Exploitpack | Most viewed

41207 matches found

exploitpack | added 2018/06/20 12:0 a.m. | 35 views

Microsoft Windows 10 - Desktop Bridge Virtual Registry CVE-2018-0880 Incomplete Fix Privilege Escalation

Microsoft Windows 10 - Desktop Bridge Virtual Registry CVE-2018-0880 Incomplete Fix Privilege Escalation Windows: Windows: Desktop Bridge Virtual Registry CVE-2018-0880 Incomplete Fix EoP Platform: Windows 1709 not tested earlier version Class: Elevation of Privilege Summary: The handling of the...

CVSS 6.9 | AI score 0.4 | EPSS 0.13124
Exploits: 5

exploitpack | added 2018/06/05 12:0 a.m. | 35 views

Linux Kernel 4.16.11 - ext4_read_inline_data() Memory Corruption

Linux Kernel 4.16.11 - ext4readinlinedata Memory Corruption ext4 can store data for small regular files as "inline data", meaning that the data is stored inside the corresponding inode instead of in separate blocks. Inline data is stored in two places: The first 60 bytes go in the iblock field in...

AI score 0.3
Exploits: 0

exploitpack | added 2018/05/28 12:0 a.m. | 35 views

CloudMe Sync 1.11.0 - Buffer Overflow (SEH) (DEP Bypass)

CloudMe Sync 1.11.0 - Buffer Overflow SEH DEP Bypass Exploit: CloudMe Sync netstat -nao | find "8888" TCP 0.0.0.0:8888 0.0.0.0:0 LISTENING 2640 C:\tasklist | find "2640" CloudMe.exe 2640 Console 1 36,632 K Attacking Machine: root@kali:/Desktop python cloudme.py CloudMe Sync v1.10.9 Buffer Overflo...

AI score 0.7
Exploits: 0

exploitpack | added 2018/05/11 12:0 a.m. | 35 views

2345 Security Guard 3.7 - 2345BdPcSafe.sys Denial of Service

2345 Security Guard 3.7 - 2345BdPcSafe.sys Denial of Service Exploit Title: BSOD by IOCTL 0x002220e0 in 2345BdPcSafe.sys of 2345 Security Guard 3.7 Date: 20180509 Exploit Author: anhkgg Vendor Homepage: http://safe.2345.cc/ Software Link: http://dl.2345.cc/2345pcsafe/2345pcsafev3.7.0.9345.exe...

AI score 0.1
Exploits: 0

exploitpack | added 2018/04/23 12:0 a.m. | 35 views

VMware Workstation 12.5.2 - Drag n Drop Use-After-Free (Pwn2Own 2017) (PoC)

VMware Workstation 12.5.2 - Drag n Drop Use-After-Free Pwn2Own 2017 PoC char initialdnd = "tools.capability.dndversion 4"; static const int cbObj = 0x100; char seconddnd = "tools.capability.dndversion 2"; char chgver = "vmx.capability.dndversion"; char calltransport = "dnd.transport "; char...

AI score 0.1
Exploits: 0

exploitpack | added 2018/04/02 12:0 a.m. | 35 views

DLink DIR-601 - Admin Password Disclosure

DLink DIR-601 - Admin Password Disclosure Exploit Title: DLink DIR-601 Unauthenticated Admin password disclosure Google Dork: N/A Date: 12/24/2017 Exploit Author: Kevin Randall Vendor Homepage: https://www.dlink.com Software Link: N/A Version: Firmware: 2.02NA Hardware Version B1 Tested on: Windo...

CVSS 6.1 | AI score 7.9 | EPSS 0.07405
Exploits: 5

exploitpack | added 2018/03/23 12:0 a.m. | 35 views

Easy Avi Divx Xvid to DVD Burner 2.9.11 - .avi Denial of Service

Easy Avi Divx Xvid to DVD Burner 2.9.11 - .avi Denial of Service !/usr/bin/python Exploit Title : Easy Avi Divx Xvid to DVD Burner v2.9.11 - Local Denial of Service Exploit Author : Hashim Jawad Twitter : @ihack4falafel Author Website : ihack4falafel.com Vendor Homepage :...

AI score 7.3
Exploits: 0

exploitpack | added 2018/03/20 12:0 a.m. | 35 views

Google Software Updater macOS - Unsafe use of Distributed Objects Privilege Escalation

Google Software Updater macOS - Unsafe use of Distributed Objects Privilege Escalation / Google software updater ships with Chrome on MacOS and installs a root service com.google.Keystone.Daemon.UpdateEngine which lives here:...

AI score 1.1
Exploits: 0

exploitpack | added 2018/03/09 12:0 a.m. | 35 views

WebLog Expert Enterprise 9.4 - Denial of Service

WebLog Expert Enterprise 9.4 - Denial of Service + Credits: John Page aka hyp3rlinx + Website: hyp3rlinx.altervista.org + Source: http://hyp3rlinx.altervista.org/advisories/WEBLOG-EXPERT-WEB-SERVER-ENTERPRISE-v9.4-DENIAL-OF-SERVICE.txt + ISR: Apparition Security Vendor: ======= www.weblogexpert.c...

CVSS 5 | AI score 0.1 | EPSS 0.36028
Exploits: 5

exploitpack | added 2018/02/16 12:0 a.m. | 35 views

Joomla! Component NeoRecruit 4.1 - SQL Injection

Joomla! Component NeoRecruit 4.1 - SQL Injection Exploit Title: Joomla! Component NeoRecruit 4.1 - SQL Injection Dork: N/A Date: 16.02.2018 Vendor Homepage: http://neojoomla.com/ Software Link: https://extensions.joomla.org/extensions/extension/ads-a-affiliates/jobs-a-recruitment/neorecruit/...

CVSS 7.5 | AI score 0.1 | EPSS 0.01411
Exploits: 5

exploitpack | added 2018/01/26 12:0 a.m. | 35 views

Dodocool DC38 N300 - Cross-site Request Forgery

Dodocool DC38 N300 - Cross-site Request Forgery Exploit Title: DODOCOOL DC38 N300 Cross-site Request Forgery Date: 17-01-2018 Exploit Authors: Raffaele Sabato Contact: https://twitter.com/syrion89 Vendor: DODOCOOL Vendor Homepage: www.dodocool.com Version: RTN2-AW.GD.R3465.1.20161103 CVE:...

CVSS 6.8 | AI score 0.2 | EPSS 0.00258
Exploits: 5

exploitpack | added 2017/12/26 12:0 a.m. | 35 views

Trustwave SWG 11.8.0.27 - SSH Unauthorized Access

Trustwave SWG 11.8.0.27 - SSH Unauthorized Access Vulnerability Summary The following advisory describes an unauthorized access vulnerability that allows an unauthenticated user to add their own SSH key to a remote Trustwave SWG version 11.8.0.27. Trustwave Secure Web Gateway SWG “provides...

CVSS 10 | AI score 0.9 | EPSS 0.23034
Exploits: 3

exploitpack | added 2017/12/13 12:0 a.m. | 35 views

Joomla! Component JEXTN Video Gallery 3.0.5 - id SQL Injection

Joomla! Component JEXTN Video Gallery 3.0.5 - id SQL Injection Exploit Title: Joomla! Component JEXTN Video Gallery 3.0.5 - SQL Injection Dork: N/A Date: 13.12.2017 Vendor Homepage: http://jextn.com/ Software Link:...

AI score 0.4
Exploits: 0

exploitpack | added 2017/12/07 12:0 a.m. | 35 views

Microsoft Windows Defender - Controlled Folder Bypass Through UNC Path

Microsoft Windows Defender - Controlled Folder Bypass Through UNC Path / Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1418 Windows Defender: Controlled Folder Bypass through UNC Path Platform: Windows 10 1709 + Antimalware client version 4.12.16299.15 Class: Security Feature...

AI score 0.3
Exploits: 0

exploitpack | added 2017/11/22 12:0 a.m. | 35 views

WebKit - WebCore::RenderText::localCaretRect Out-of-Bounds Read

WebKit - WebCore::RenderText::localCaretRect Out-of-Bounds Read / Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1348 There is an out-of-bounds read security vulnerability in WebKit. The vulnerability was confirmed on ASan build of WebKit nightly. PoC:...

AI score 7.4
Exploits: 0

exploitpack | added 2017/11/13 12:0 a.m. | 35 views

Kirby CMS 2.5.7 - Cross-Site Scripting

Kirby CMS 2.5.7 - Cross-Site Scripting Exploit Title: KirbyCMS 2.5.7 Stored Cross Site Scripting Vendor Homepage: https://getkirby.com/ Software Link: https://getkirby.com/try Discovered by: Ishaq Mohammed Contact: https://twitter.com/securityprince Website: https://about.me/security-prince...

CVSS 3.5 | EPSS 0.0013
Exploits: 5

exploitpack | added 2017/10/17 12:0 a.m. | 35 views

OpenText Documentum Content Server - Privilege Escalation

OpenText Documentum Content Server - Privilege Escalation !/usr/bin/env python Opentext Documentum Content Server formerly known as EMC Documentum Content Server contains following design gap, which allows authenticated user to gain privileges of superuser: Content Server allows to upload content...

CVSS 6.5 | AI score 1.1 | EPSS 0.02611
Exploits: 4

exploitpack | added 2017/10/11 12:0 a.m. | 35 views

Trend Micro OfficeScan 11.0XG (12.0) - Remote Code Execution (Metasploit)

Trend Micro OfficeScan 11.0XG 12.0 - Remote Code Execution Metasploit This module requires Metasploit: http://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule "Trend Micro OfficeScan Remote Code Execution", 'Description' = %q This modul...

AI score 0.4
Exploits: 0

exploitpack | added 2017/09/25 12:0 a.m. | 35 views

FLIR Thermal Camera FFCPTD - Information Disclosure

FLIR Thermal Camera FFCPTD - Information Disclosure FLIR Systems FLIR Thermal Camera F/FC/PT/D Multiple Information Disclosures Vendor: FLIR Systems, Inc. Product web page: http://www.flir.com Affected version: Firmware version: 8.0.0.64 Software version: 10.0.2.43 Release: 1.4.1, 1.4, 1.3.4 GA,...

Exploits: 0

exploitpack | added 2017/09/13 12:0 a.m. | 35 views

Viap Automation WinPLC7 5.0.45.5921 - Recv Buffer Overflow (Metasploit)

Viap Automation WinPLC7 5.0.45.5921 - Recv Buffer Overflow Metasploit require 'msf/core' class MetasploitModule 'VIPA Authomation WinPLC7 recv Stack Buffer Overflow', 'Description' = %q This module exploits a stack based buffer overflow found in VIPA Automation WinPLC7 'james fitts' , 'License' =...

AI score 1.2 | EPSS 0.45114
Exploits: 5

exploitpack | added 2017/08/23 12:0 a.m. | 35 views

Wireless Repeater BE126 - Local File Inclusion

Wireless Repeater BE126 - Local File Inclusion Exploit Title: WIFI Repeater BE126 – Local File Inclusion Date Publish: 23/08/2017 Exploit Authors: Hay Mizrachi, Omer Kaspi Contact: [email protected], [email protected] Vendor Homepage: http://www.twsz.com Category: Webapps Version: 1.0 Tested...

CVSS 7.8 | AI score 7.7 | EPSS 0.2183
Exploits: 3

exploitpack | added 2017/08/08 12:0 a.m. | 35 views

Unitrends UEB 9.1 - Authentication Bypass Remote Command Execution

Unitrends UEB 9.1 - Authentication Bypass Remote Command Execution Exploit Title: Unauthenticated root RCE for Unitrends UEB 9.1 Date: 08/08/2017 Exploit Authors: Cale Smith, Benny Husted, Jared Arave Contact: https://twitter.com/iotennui || https://twitter.com/BennyHusted ||...

CVSS 10 | AI score 0.9 | EPSS 0.81581
Exploits: 12

exploitpack | added 2017/07/28 12:0 a.m. | 35 views

LAME 3.99.5 - Multiple Vulnerabilities

LAME 3.99.5 - Multiple Vulnerabilities LAME multiple vulnerabilities ================ Author : qflb.wu =============== Introduction: ============= Following the great history of GNU naming, LAME originally stood for LAME Ain't an Mp3 Encoder. LAME is an educational tool to be used for learning...

CVSS 4.3 | AI score 0.2 | EPSS 0.02992
Exploits: 4

exploitpack | added 2017/07/28 12:0 a.m. | 35 views

SoundTouch 1.9.2 - Multiple Vulnerabilities

SoundTouch 1.9.2 - Multiple Vulnerabilities SoundTouch multiple vulnerabilities ================ Author : qflb.wu =============== Introduction: ============= SoundTouch is an open-source audio processing library for changing the Tempo, Pitch and Playback Rates of audio streams or audio files. The...

CVSS 7.1 | AI score 0.1 | EPSS 0.03183
Exploits: 6

exploitpack | added 2017/05/30 12:0 a.m. | 35 views

Piwigo Plugin Facetag 0.0.3 - SQL Injection

Piwigo Plugin Facetag 0.0.3 - SQL Injection Exploit Title: Facetag Extension in Piwigo, Multiple SQL injection Date: 30-05-2017 Extension Version: 0.0.3 Software Link: http://piwigo.org/basics/downloads Extension link : http://piwigo.org/ext/extensionview.php?eid=845 Exploit Author: Touhid M.Shai...

AI score 0.4
Exploits: 0

exploitpack | added 2017/05/28 12:0 a.m. | 35 views

CERIO DT-100G-NDT-300NCW-300N - Multiple Vulnerabilities

CERIO DT-100G-NDT-300NCW-300N - Multiple Vulnerabilities CERIO 11nbg 2.4Ghz High Power Wireless Router pekcmd Rootshell Backdoors Vendor: CERIO Corporation Product web page: http://www.cerio.com.tw Affected version: DT-100G-N fw: Cen-WR-G2H5 v1.0.6 DT-300N fw: Cen-CPE-N2H10A v1.0.14 DT-300N fw:...

AI score 0.4
Exploits: 0

exploitpack | added 2017/05/19 12:0 a.m. | 35 views

Tecnovision DLX Spot - Authentication Bypass

Tecnovision DLX Spot - Authentication Bypass Exploit Title: DlxSpot - Player4 LED video wall - Admin Interface SQL Injection Google Dork: "DlxSpot - Player4" Date: 2017-05-14 Discoverer: Simon Brannstrom Authors Website: https://unknownpwn.github.io/ Vendor Homepage: http://www.tecnovision.com/...

CVSS 10 | AI score 0.2 | EPSS 0.03913
Exploits: 13

exploitpack | added 2017/05/19 12:0 a.m. | 35 views

Tecnovision DLX Spot - Arbitrary File Upload

Tecnovision DLX Spot - Arbitrary File Upload Exploit Title: DlxSpot - Player4 LED video wall - Arbitrary File Upload to RCE Google Dork: "DlxSpot - Player4" Date: 2017-05-14 Discoverer: Simon Brannstrom Authors Website: https://unknownpwn.github.io/ Vendor Homepage: http://www.tecnovision.com/...

CVSS 10 | AI score 0.2 | EPSS 0.03913
Exploits: 13

exploitpack | added 2017/05/17 12:0 a.m. | 35 views

Apple iOS 10.3.2 - Notifications API Denial of Service

Apple iOS 10.3.2 - Notifications API Denial of Service Exploit Title: Apple iOS 10.3.2 - Notifications API Denial of Service Date: 05-15-2017 Exploit Author: Sem Voigtländer @OxFEEDFACE, Vincent Desmurs @vincedes3 and Joseph Shenton Vendor Homepage: https://apple.com Software Link:...

CVSS 4.3 | AI score 5.7 | EPSS 0.01181
Exploits: 3

exploitpack | added 2017/04/11 12:0 a.m. | 35 views

Apple WebKit - JSC::B3::Procedure::resetReachability Use-After-Free

Apple WebKit - JSC::B3::Procedure::resetReachability Use-After-Free function for var i = 0; i 1000000; ++i const v = Array & 1 ? v : 1; typeof o = 'object'; ; !-- Asan Log: ================================================================= ==32191==ERROR: AddressSanitizer: heap-use-after-free on...

AI score 7.4
Exploits: 0

exploitpack | added 2017/04/04 12:0 a.m. | 35 views

Apple WebKit - ComposedTreeIterator::traverseNextInShadowTree Use-After-Free

Apple WebKit - ComposedTreeIterator::traverseNextInShadowTree Use-After-Free function go d.open = false; d.innerHTML = "foo"; d.open = true; foo !-- ================================================================= ASan log: =================================================================...

AI score 7.4
Exploits: 0

exploitpack | added 2017/03/27 12:0 a.m. | 35 views

EyesOfNetwork (EON) 5.0 - SQL Injection

EyesOfNetwork EON 5.0 - SQL Injection CVE-2017-6088 EON 5.0 Multiple SQL Injection Description EyesOfNetwork "EON" is an OpenSource network monitoring solution. SQL injection authenticated The Eonweb code does not correctly filter arguments, allowing authenticated users to inject arbitrary SQL...

CVSS 9 | AI score 0.2 | EPSS 0.06903
Exploits: 6

exploitpack | added 2017/03/17 12:0 a.m. | 35 views

AXIS Communications - Cross-Site Scripting Content Injection

AXIS Communications - Cross-Site Scripting Content Injection 0RWELLL4BS security advisory olsa-2015-8258 PGP: 79A6CCC0 @orwelllabs Advisory Information ==================== - Title: ImagePath Resource Injection/Open script editor - Vendor: AXIS Communications - Research and Advisory: Orwelllabs -...

CVSS 7.8 | AI score 7.4 | EPSS 0.29169
Exploits: 6

exploitpack | added 2017/03/16 12:0 a.m. | 35 views

Microsoft Windows DVD Maker 6.1.7 - XML External Entity Injection

Microsoft Windows DVD Maker 6.1.7 - XML External Entity Injection + Credits: John Page AKA hyp3rlinx + Website: hyp3rlinx.altervista.org + Source: http://hyp3rlinx.altervista.org/advisories/MICROSOFT-DVD-MAKER-XML-EXTERNAL-ENTITY-FILE-DISCLOSURE.txt + ISR: ApparitionSec Vendor: =================...

CVSS 4.3 | AI score 6.1 | EPSS 0.0364
Exploits: 5

exploitpack | added 2017/02/28 12:0 a.m. | 35 views

Sophos Web Appliance 4.3.1.1 - Session Fixation

Sophos Web Appliance 4.3.1.1 - Session Fixation Exploit Title: Sophos Secure Web Appliance Session Fixation Vulnerability Date: 28/02/2017 Exploit Author: SlidingWindow , Twitter: @KapilKhot Vendor Homepage: https://www.sophos.com/en-us/products/secure-web-gateway.aspx Version: Tested on Sophos W...

CVSS 6.8 | AI score 0.3 | EPSS 0.0079
Exploits: 4

exploitpack | added 2017/02/12 12:0 a.m. | 35 views

Joomla! Component Soccer Bet 4.1.5 - userid SQL Injection

Joomla! Component Soccer Bet 4.1.5 - userid SQL Injection Exploit Title: Joomla! Component Soccer Bet 4.1.5 - 'userid' Parameter SQL Injection Google Dork: inurl:index.php?option=comsoccerbet Date: 12.02.2017 Vendor Homepage: http://www.jomsoccerbet.com/ Software Buy:...

AI score 0.1
Exploits: 0

exploitpack | added 2017/01/29 12:0 a.m. | 35 views

TrueConf Server 4.3.7 - Multiple Vulnerabilities

TrueConf Server 4.3.7 - Multiple Vulnerabilities TrueConf Server v4.3.7 Multiple Remote Web Vulnerabilities Vendor: TrueConf LLC Product web page: https://www.trueconf.com Affected version: 4.3.7.12255 and 4.3.7.12219 Summary: TrueConf Server is a powerful, high-quality and highly secured video...

AI score 0.4
Exploits: 0

exploitpack | added 2017/01/09 12:0 a.m. | 35 views

Blackboard LMS 9.1 SP14 - Cross-Site Scripting

Blackboard LMS 9.1 SP14 - Cross-Site Scripting Document Title: =============== Blackboard LMS 9.1 SP14 - Profile Persistent Vulnerability References Source: ==================== http://www.vulnerability-lab.com/getcontent.php?id=1900 Release Date: ============= 2017-01-09 Vulnerability Laboratory...

Exploits: 0

exploitpack | added 2017/01/05 12:0 a.m. | 35 views

Microsoft Edge (Windows 10) - chakra.dll Information Leak Type Confusion Remote Code Execution

Microsoft Edge Windows 10 - chakra.dll Information Leak Type Confusion Remote Code Execution Source: https://github.com/theori-io/chakra-2016-11 Proofs of Concept: https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/40990.zip chakra.dll Info Leak + Type Confusion fo...

CVSS 7.6 | AI score 8.5 | EPSS 0.88908
Exploits: 8

exploitpack | added 2016/12/22 12:0 a.m. | 35 views

Apple macOS 10.12.2 iOS 10.2 - Broken Kernel Mach Port Name uref Handling Privileged Port Name Replacement Privilege Escalation

Apple macOS 10.12.2 iOS 10.2 - Broken Kernel Mach Port Name uref Handling Privileged Port Name Replacement Privilege Escalation / Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=959 Proofs of Concept:...

AI score 0.5
Exploits: 0

exploitpack | added 2016/12/22 12:0 a.m. | 35 views

Microsoft Internet Explorer 11 - MSHTML CPasteCommand::ConvertBitmaptoPng Heap Buffer Overflow (MS14-056)

Microsoft Internet Explorer 11 - MSHTML CPasteCommand::ConvertBitmaptoPng Heap Buffer Overflow MS14-056 Security Settings - Choose a zone - Scripting should prevent websites from programmatically copy/pasting an image. Disabling execution of scripts on web-pages altogether will have the same...

AI score 7.4
Exploits: 0

exploitpack | added 2016/12/22 12:0 a.m. | 35 views

Apple macOS 10.12.2 iOS 10.2 - _kernelrpc_mach_port_insert_right_trap Kernel Reference Count Leak Use-After-Free

Apple macOS 10.12.2 iOS 10.2 - kernelrpcmachportinsertrighttrap Kernel Reference Count Leak Use-After-Free / Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=941 Proofs of Concept: https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/40956.zip The...

AI score 0.4
Exploits: 0

exploitpack | added 2016/12/06 12:0 a.m. | 35 views

Microsoft Windows 10 (x86x64) - WLAN AutoConfig Denial of Service (PoC)

Microsoft Windows 10 x86x64 - WLAN AutoConfig Denial of Service PoC !/usr/bin/python wlanautoconfig-poc.py Windows WLAN AutoConfig Named Pipe POC Jeremy Brown jbrown3264/gmail Dec 2016 wifinetworkmanager.dll!FatalErrorchar const ,unsigned long,char const , ... AsyncPipe::ReadCompletedCallbackvoid...

AI score 0.2
Exploits: 0

exploitpack | added 2016/12/06 12:0 a.m. | 35 views

Microsoft PowerShell - XML External Entity Injection

Microsoft PowerShell - XML External Entity Injection + Credits: John Page aka hyp3rlinx + Website: hyp3rlinx.altervista.org + Source: http://hyp3rlinx.altervista.org/advisories/MICROSOFT-POWERSHELL-XML-EXTERNAL-ENTITY.txt + ISR: ApparitionSec Vendor: ================= www.microsoft.com Product:...

AI score 7.8
Exploits: 0

exploitpack | added 2016/11/02 12:0 a.m. | 35 views

LifeSize Room 5.0.9 - Multiple Vulnerabilities

LifeSize Room 5.0.9 - Multiple Vulnerabilities Source: https://github.com/XiphosResearch/exploits/tree/master/deathsize LifeSize Room 5.0.9, remote config disclosure, code execution & local privilege escalation Ultimately the Lifesize Room products have fundamentally flawed firmware, many similar...

AI score 0.3
Exploits: 0

exploitpack | added 2016/10/24 12:0 a.m. | 35 views

Industrial Secure Routers EDR-810 EDR-G902 EDR-G903 - Insecure Configuration Management

Industrial Secure Routers EDR-810 EDR-G902 EDR-G903 - Insecure Configuration Management Title: Industrial Secure Routers - Insecure Configuration Management Type: Local/Remote Author: Nassim Asrir Author Company: HenceForth Impact: Insecure Configuration Management Risk: 4/5 Release Date:...

AI score 7.3
Exploits: 0

exploitpack | added 2016/10/20 12:0 a.m. | 35 views

Oracle Netbeans IDE 8.1 - Directory Traversal

Oracle Netbeans IDE 8.1 - Directory Traversal + Credits: John Page aka hyp3rlinx + Website: hyp3rlinx.altervista.org + Source: http://hyp3rlinx.altervista.org/advisories/ORACLE-NETBEANS-IDE-DIRECTORY-TRAVERSAL.txt + ISR: ApparitionSec Vendor: =============== www.oracle.com Product:...

CVSS 4.6 | AI score 0.2 | EPSS 0.00123
Exploits: 5

exploitpack | added 2016/10/19 12:0 a.m. | 35 views

IObit Advanced SystemCare 10.0.2 - Unquoted Service Path Privilege Escalation

IObit Advanced SystemCare 10.0.2 - Unquoted Service Path Privilege Escalation Exploit Title: IObit Advanced SystemCare Unquoted Service Path Privilege Escalation Date: 19/10/2016 Author: Ashiyane Digital Security Team Vendor Homepage: http://www.iobit.com/en/index.php Software Link:...

AI score 0.9
Exploits: 0

exploitpack | added 2016/08/16 12:0 a.m. | 35 views

WSO2 Identity Server 5.1.0 - Multiple Vulnerabilities

WSO2 Identity Server 5.1.0 - Multiple Vulnerabilities + Credits: John Page aka HYP3RLINX + Website: hyp3rlinx.altervista.org + Source: http://hyp3rlinx.altervista.org/advisories/WSO2-IDENTITY-SERVER-v5.1.0-XML-External-Entity.txt + ISR: ApparitionSec Vendor: ============= www.wso2.com Product:...

CVSS 6.8 | AI score 0.5 | EPSS 0.05424
Exploits: 6

exploitpack | added 2016/07/29 12:0 a.m. | 35 views

AXIS (Multiple Products) - devtools (Authenticated) Remote Command Execution

AXIS Multiple Products - devtools Authenticated Remote Command Execution www.orwelllabs.com security advisory olsa-2015-8257 PGP: 79A6CCC0 Advisory Information...

CVSS 9 | AI score 0.7 | EPSS 0.28149
Exploits: 5

Total number of security vulnerabilities: 5000