ntop-ng 2.0.151021 - Privilege Escalation
ntop-ng 2.0.151021 - Privilege Escalation Vulnerability title: ntop-ng = 2.0.151021 - Privilege Escalation Author: Dolev Farhi Contact: dolev at flaresec.com Vulnerable version: 2.0.151021 Fixed version: 2.2 Link: ntop.org Date 27.11.2015 CVE-2015-8368 Product Details: ntopng is the next generati...
Belkin N150 Wireless Router F9K1009 v1 - Multiple Vulnerabilities
Belkin N150 Wireless Router F9K1009 v1 - Multiple Vulnerabilities Full Disclosure: Exploit Title : Belkin N150 Wireless Home Router Multiple Vulnerabilities Exploit Author : Rahul Pratap Singh Date : 30/Nov/2015 Home Page Link : http://www.belkin.com Blog Url : 0x62626262.wordpress.com Linkedin :...
Kodi 15 - Web Interface Arbitrary File Access
Kodi 15 - Web Interface Arbitrary File Access Exploit Title: arbitrary file access kodi web interface Shodan dork: title:kodi Date: 25-11-2015 Contact: https://twitter.com/mpronk89 Software Link: http://kodi.tv/ Original report: http://forum.kodi.tv/showthread.php?tid=144110&pid=2170305pid2170305...
Invision Power Board (IP.Board) 4.1.4.x - Persistent Cross-Site Scripting
Invision Power Board IP.Board 4.1.4.x - Persistent Cross-Site Scripting Exploit Title: IP.Board Persistent XSS Vulnerability Date: 29/10/2015 Software Link: https://www.invisionpower.com/buy Software version : 4.1.4.x Exploit Author: Mehdi Alouache Contact: [email protected]...
ZenPhoto 1.4.10 - Local File Inclusion
ZenPhoto 1.4.10 - Local File Inclusion + Credits: hyp3rlinx + Website: hyp3rlinx.altervista.org + Source: http://hyp3rlinx.altervista.org/advisories/ZEN-PHOTO-1.4.10-LFI.txt Vendor: ==================== www.zenphoto.org Product: =================== Zenphoto 1.4.10 Vulnerability Type:...
MyCustomers CMS 1.3.873 - SQL Injection
MyCustomers CMS 1.3.873 - SQL Injection Exploit Title : MyCustomers Cms Sql Injection Vulnerability Exploit Author : Persian Hack Team Vendor Homepage : http://www.iran-php.com/ Google Dork : "Powered By IranPHP" & inurl:/index.php?DPT=IP17 & "Powered+by+MyCustomers-1.3.873" Date: 2015/11/28...
Easy File Sharing Web Server 7.2 - Remote Buffer Overflow (SEH) (DEP Bypass + ROP)
Easy File Sharing Web Server 7.2 - Remote Buffer Overflow SEH DEP Bypass + ROP !/usr/bin/env python Exploit title: Easy File Sharing Web Server v7.2 - Remote SEH Buffer Overflow DEP bypass with ROP Date: 29/11/2015 Exploit Author: Knaps Contact: @TheKnapsy Website: http://blog.knapsy.com Software...
HumHub 0.11.20.20.0-beta.2 - SQL Injection
HumHub 0.11.20.20.0-beta.2 - SQL Injection === LSE Leading Security Experts GmbH - Security Advisory 2015-10-14 === HumHub - SQL-Injection ------------------------------------------------------------------------ Tested Versions =============== HumHub 0.11.2 and 0.20.0-beta.2 Issue Overview...
SysAid Help Desk Software 14.4.32 b25 - SQL Injection (Metasploit)
SysAid Help Desk Software 14.4.32 b25 - SQL Injection Metasploit Exploit Title: Sysaid Helpdesk Software Unauthenticated SQLi Date: 28.11.2015 Exploit Author: hland Vendor Homepage: https://www.sysaid.com/ Version: v14.4.32 b25 Tested on: Windows 7, Windows 10 Blog post:...
SAP Sybase Adaptive Server Enterprise - XML External Entity Information Disclosure
SAP Sybase Adaptive Server Enterprise - XML External Entity Information Disclosure source: https://www.securityfocus.com/bid/63193/info SAP Sybase Adaptive Server Enterprise is prone to an information-disclosure vulnerability. An attacker can exploit this issue to gain access to sensitive...
WordPress Plugin WP-Client 3.8.7 - Persistent Cross-Site Scripting
WordPress Plugin WP-Client 3.8.7 - Persistent Cross-Site Scripting Application: WP-Client Version: 3.8.7 Author: Pier-Luc Maltais from COSIG Twitter: @COSIG 1 Introduction 2 Report Timeline 3 Technical details 4 POC =============== 1 Introduction =============== One plugin configures multiple are...
Audacious 3.7 - ID3 Local Crash (PoC)
Audacious 3.7 - ID3 Local Crash PoC Exploit Title: Audacious 3.7 ID3 Local Crash PoC Date: 11-20-2015 Exploit Author: Antonio Z. Vendor Homepage: http://audacious-media-player.org/ Software Link: http://audacious-media-player.org/download |...
Nvidia Stereoscopic 3D Driver Service 7.17.13.5382 - Arbitrary Run Key Creation
Nvidia Stereoscopic 3D Driver Service 7.17.13.5382 - Arbitrary Run Key Creation Source: https://code.google.com/p/google-security-research/issues/detail?id=515 NVIDIA: Stereoscopic 3D Driver Service Arbitrary Run Key Creation Platform: Windows, NVIDIA Service Version 7.17.13.5382 Class: Elevation...
vBulletin 5.x - Remote Code Execution
vBulletin 5.x - Remote Code Execution + Title: Vbulletin 5.x - Remote Code Execution Exploit + Product: vbulletin + Vendor: http://vbulletin.com + Vulnerable Versions: Vbulletin 5.x Author : Mohammad Reza Espargham Linkedin : https://ir.linkedin.com/in/rezasp E-Mail : meatrezadotes ,...
Microsoft Windows - ndis.sys IOCTL 0x170034 (ndis!ndisNsiGetIfNameForIfIndex) Pool Buffer Overflow (MS15-117)
Microsoft Windows - ndis.sys IOCTL 0x170034 ndis!ndisNsiGetIfNameForIfIndex Pool Buffer Overflow MS15-117 Source: https://code.google.com/p/google-security-research/issues/detail?id=516 The attached testcase crashes Windows 7 32-bit due to a pool buffer overflow in an ioctl handler. Enabling...
Microsoft Windows Kernel - Device Contexts and NtGdiSelectBitmap Use-After-Free (MS15-115)
Microsoft Windows Kernel - Device Contexts and NtGdiSelectBitmap Use-After-Free MS15-115 Source: https://code.google.com/p/google-security-research/issues/detail?id=505 The attached testcase triggers a use-after-free condition in win32k. The attached debugger output was triggered on Windows 7 wit...
Acrobat Reader DC 15.008.20082.15957 - .PDF Parsing Memory Corruption
Acrobat Reader DC 15.008.20082.15957 - .PDF Parsing Memory Corruption Application: Acrobat Reader DC Platforms: Windows Versions: 15.008.20082.15957 CVE: CVE-2015-7622 Author: Francis Provencher of COSIG Twitter: @COSIG 1 Introduction 2 Report Timeline 3 Technical details 4 POC =============== 1...
Oracle Outside In PDF 8.5.2 - Parsing Memory Corruption (1)
Oracle Outside In PDF 8.5.2 - Parsing Memory Corruption 1 Application: Oracle Outside In Platforms: Windows Versions: 8.5.2 CVE: CVE-2015-4877 Author: Francis Provencher of COSIG Twitter: @COSIG 1 Introduction 2 Report Timeline 3 Technical details 4 POC =============== 1 Introduction...
Microsoft Windows - Cursor Object Memory Leak (MS15-115)
Microsoft Windows - Cursor Object Memory Leak MS15-115 Source: https://code.google.com/p/google-security-research/issues/detail?id=510 The attached poc crashes 32-bit Windows 7 with a screen resolution of 1024x768 and 32bit color depth. The crash occurs during a memmove operation while copying t...
Microsoft Windows - Race Condition DestroySMWP Use-After-Free (MS15-115)
Microsoft Windows - Race Condition DestroySMWP Use-After-Free MS15-115 Source: https://code.google.com/p/google-security-research/issues/detail?id=509 The attached testcase crashes Windows 7 32-bit with Special Pool enabled on win32k.sys due to a use-after-free condition. The bug appears to be a...
Oracle Outside In PDF 8.5.2 - Parsing Memory Corruption (2)
Oracle Outside In PDF 8.5.2 - Parsing Memory Corruption 2 Application: Oracle Outside In Platforms: Windows Versions: 8.5.2 CVE: CVE-2015-4878 Author: Francis Provencher of COSIG Twitter: @COSIG 1 Introduction 2 Report Timeline 3 Technical details 4 POC =============== 1 Introduction...
Cambium ePMP 1000 - Multiple Vulnerabilities
Cambium ePMP 1000 - Multiple Vulnerabilities July 14, 2015: First contacted Cambium July 14, 2015: Initial vendor response July 16, 2015: Vuln Details reported to Cambium July 31, 2015: Followup on advisory and fix timelines August 03, 2015: Vendor gives mid-Aug as fix v2.5 release timeline. Ceas...
ZTE ZXHN H108N R1A ZXV10 W300 Routers - Multiple Vulnerabilities
ZTE ZXHN H108N R1A ZXV10 W300 Routers - Multiple Vulnerabilities Exploit Title: ZTE ZXHN H108N R1A + ZXV10 W300 routers - multiple vulnerabilities Discovered by: Karn Ganeshen CERT VU 391604 Vendor Homepage: www.zte.com.cn Versions Reported ZTE ZXHN H108N R1A - Software version ZTE.bhs.ZXHNH108NR...
ZTE ADSL ZXV10 W300 Modems - Multiple Vulnerabilities
ZTE ADSL ZXV10 W300 Modems - Multiple Vulnerabilities Exploit Title: ZTE ADSL ZXV10 W300 modems - Multiple vulnerabilities Discovered by: Karn Ganeshen Vendor Homepage: www.zte.com.cn Versions Reported: W300V2.1.0fER7PEO57 and W300V2.1.0hER7PEO57 CVE-ID: CVE-2015-7257 CVE-2015-7258 CVE-2015-7259...
Netwin SurgeFTP Server 23d6 - Persistent Cross-Site Scripting
Netwin SurgeFTP Server 23d6 - Persistent Cross-Site Scripting Exploit Netwin SurgeFTP Server Stored Cross Site Scripting Vulnerabilities Date: 11/18/2015 Exploit Author: UnN0n Vendor: NetWin Software Link: http://netwinsite.com/cgi-bin/keycgi.exe?cmd=download&product=surgeftp Version: 23d6 Tested o...
SuperScan 4.1 - Scan Hostname/IP Field Buffer Overflow
SuperScan 4.1 - Scan HostnameIP Field Buffer Overflow !/usr/bin/env python -- coding: utf-8 -- Exploit Title : SuperScan 4.1 Scan Hostname/IP Field Buffer Overflow Crash PoC Discovery by : Luis Martínez Email : [email protected] Discovery Date : 18/11/2015 Vendor Homepage :...
Sam Spade 1.14 - Decode URL Buffer Overflow Crash (PoC)
Sam Spade 1.14 - Decode URL Buffer Overflow Crash PoC !/usr/bin/env python Exploit Title : Sam Spade 1.14 Decode URL Buffer Overflow Crash PoC Discovery by : Vivek Mahajan - c3p70r Discovery Date : 19/11/2015 Vendor Homepage : http://samspade.org Software Link :...
Google Chrome - open-vcdiff Out-of-Bounds Read in Browser Process Integer Overflow
Google Chrome - open-vcdiff Out-of-Bounds Read in Browser Process Integer Overflow Source: https://code.google.com/p/google-security-research/issues/detail?id=513 There's an integer overflow issue in sanity checking section lengths when parsing the vcdiff format used in SDCH content encoding. Thi...
SuperScan 4.1 - Tools Hostname/IP/URL Field Buffer Overflow
SuperScan 4.1 - Tools HostnameIPURL Field Buffer Overflow !/usr/bin/env python -- coding: utf-8 -- Exploit Title : SuperScan 4.1 Tools Hostname/IP/URL Field Buffer Overflow Crash PoC Discovery by : Luis Martínez Email : [email protected] Discovery Date : 18/11/2015 Vendor Homepage :...
SuperScan 4.1 - Windows Enumeration Hostname/IP/URL Field Overflow (SEH)
SuperScan 4.1 - Windows Enumeration HostnameIPURL Field Overflow SEH !/usr/bin/env python -- coding: utf-8 -- Exploit Title : SuperScan 4.1 Windows Enumeration Hostname/IP/URL Field SEH Overflow Crash PoC Discovery by : Luis Martínez Email : [email protected] Discovery Date : 18/11/2015...
Horde Groupware 5.2.10 - Cross-Site Request Forgery
Horde Groupware 5.2.10 - Cross-Site Request Forgery Advisory ID: HTB23272 Product: Horde Groupware Vendor: http://www.horde.org Vulnerable Versions: 5.2.10 and probably prior Tested Version: 5.2.10 Advisory Publication: September 30, 2015 without technical details Vendor Notification: September 3...
WordPress Plugin Users Ultra 1.5.50 - Unrestricted Arbitrary File Upload
WordPress Plugin Users Ultra 1.5.50 - Unrestricted Arbitrary File Upload Exploit Title: WordPress Users Ultra Plugin Unrestricted File Upload Discovery Date: 2015/10/27 Public Disclosure Date: 2015/12/01 Exploit Author: Panagiotis Vagenas Contact: https://twitter.com/panVagenas Vendor Homepage:...
IBM i Access 7.1 - Local Buffer Overflow Code Execution
IBM i Access 7.1 - Local Buffer Overflow Code Execution + Credits: John Page aka hyp3rlinx + Website: hyp3rlinx.altervista.org + Source: http://hyp3rlinx.altervista.org/advisories/IBMI-CLIENT-ACCESS-BUFFER-OVERFLOW.txt Vendor: ============== www.ibm.com Product:...
Sam Spade 1.14 - Browse URL Buffer Overflow (PoC)
Sam Spade 1.14 - Browse URL Buffer Overflow PoC !/usr/bin/env python Exploit Title : Sam Spade 1.14 Browse URL Buffer Overflow PoC Discovery by : Nipun Jaswal Email : [email protected] Discovery Date : 14/11/2015 Vendor Homepage : http://samspade.org Software Link :...
D-Link DIR-866L - Multiple Buffer Overflow Vulnerabilities
D-Link DIR-866L - Multiple Buffer Overflow Vulnerabilities Advisory Information Title: DIR-866L Buffer overflows in HNAP and send email functionalities Vendors contacted: William Brown , Patrick Cline [email protected] CVE: None Note: All these security issues have been discussed with...
CF Image Host 1.65 - PHP Command Injection
CF Image Host 1.65 - PHP Command Injection + Credits: hyp3rlinx + Website: hyp3rlinx.altervista.org + Source: http://hyp3rlinx.altervista.org/advisories/AS-CFIMAGEHOST-PHP-CMD-INJECTION.txt Vendor: ==================================== codefuture.co.uk/projects/imagehost Product:...
AlegroCart 1.2.8 - Multiple SQL Injections
AlegroCart 1.2.8 - Multiple SQL Injections Security Advisory - Curesec Research Team 1. Introduction Affected Product: AlegroCart 1.2.8 Fixed in: Patch AC128fix17102015 Path Link: http://forum.alegrocart.com/download/file.php?id=1040 Vendor Website: http://alegrocart.com/ Vulnerability Type: SQL...
TECO SG2 LAD Client 3.51 - .gen Overwrite Buffer Overflow (SEH)
TECO SG2 LAD Client 3.51 - .gen Overwrite Buffer Overflow SEH !/usr/bin/perl TECO SG2 LAD Client 3.51 SEH Overwrite Buffer Overflow Exploit Vendor: TECO Electric and Machinery Co., Ltd. Product web page: http://www.teco-group.eu Download: http://globalsa.teco.com.tw/supportdownload.aspx?KindID=9...
VideoLAN VLC Media Player Web Interface 2.2.1 - Metadata Title Cross-Site Scripting
VideoLAN VLC Media Player Web Interface 2.2.1 - Metadata Title Cross-Site Scripting Andrea Sindoni - @invictus1306 XSS vulnerability via metadata 1. Introduction Affected Product: VLC 2.2.1 / WEB INTERFACE Vulnerability Type: XSS 2. Vulnerability Description XSS vulnerability via metadata title 3...
D-Link DIR-890L/R - Multiple Buffer Overflow Vulnerabilities
D-Link DIR-890LR - Multiple Buffer Overflow Vulnerabilities Advisory Information Title: DIR-890L/R Buffer overflows in authentication and HNAP functionalities. Date published: July,17th, 2015 Vendors contacted: William Brown , Patrick Cline [email protected] CVE: None Note: All these...
D-Link DIR-615 - Multiple Buffer Overflow Vulnerabilities
D-Link DIR-615 - Multiple Buffer Overflow Vulnerabilities Advisory Information Title: Dlink DIR-615 Authenticated Buffer overflow in Ping and Send email functionality Vendors contacted: William Brown , Patrick Cline [email protected] CVE: None Note: All these security issues have been...
AlegroCart 1.2.8 - Local/Remote File Inclusion
AlegroCart 1.2.8 - LocalRemote File Inclusion Security Advisory - Curesec Research Team 1. Introduction Affected Product: AlegroCart 1.2.8 Fixed in: Patch AC128fix22102015 Path Link: http://forum.alegrocart.com/download/file.php?id=1047 Vendor Website: http://alegrocart.com/ Vulnerability Type:...
TECO JN5 L510-DriveLink 1.482 - .lf5 Overwrite Buffer Overflow (SEH)
TECO JN5 L510-DriveLink 1.482 - .lf5 Overwrite Buffer Overflow SEH !/usr/bin/perl TECO JN5 L510-DriveLink 1.482 SEH Overwrite Buffer Overflow Exploit Vendor: TECO Electric and Machinery Co., Ltd. Product web page: http://www.teco-group.eu Download:...
D-Link DIR-825 (vC) - Multiple Vulnerabilities
D-Link DIR-825 vC - Multiple Vulnerabilities Advisory Information Title: DIR-825 vC Buffer overflows in authentication,HNAP and ping functionalities. Also a directory traversal issue exists which can be exploited Vendors contacted: William Brown , Patrick Cline [email protected] CVE:...
D-Link DIR-818W - Multiple Vulnerabilities
D-Link DIR-818W - Multiple Vulnerabilities Advisory Information Title: DIR-818W Buffer overflows and Command injection in authentication and HNAP functionalities Vendors contacted: William Brown , Patrick Cline [email protected] CVE: None Note: All these security issues have been...
D-Link DIR-645 - Multiple UPNP Vulnerabilities
D-Link DIR-645 - Multiple UPNP Vulnerabilities Advisory Information Title: Dlink DIR-645 UPNP Buffer Overflow Vendors contacted: William Brown Dlink Release mode: Released CVE: None Note: All these security issues have been discussed with the vendor and vendor indicated that they have fixed issue...
Microsoft Windows Kernel - win32k.sys Malformed TrueType Program TTF Font Processing Pool-Based Buffer Overflow (MS15-115)
Microsoft Windows Kernel - win32k.sys Malformed TrueType Program TTF Font Processing Pool-Based Buffer Overflow MS15-115 Source: https://code.google.com/p/google-security-research/issues/detail?id=507 We have observed a number of Windows kernel crashes in the win32k.sys driver while processing...
Kaspersky AntiVirus - .DEX File Format Memory Corruption
Kaspersky AntiVirus - .DEX File Format Memory Corruption Source: https://code.google.com/p/google-security-research/issues/detail?id=529 The attached testcase was found by fuzzing DEX files, and results in a heap overflow with a wild memcpy. Note that Kaspersky catches exceptions and continues...
TECO AP-PCLINK 1.094 - .tpc File Handling Buffer Overflow (PoC)
TECO AP-PCLINK 1.094 - .tpc File Handling Buffer Overflow PoC TECO AP-PCLINK 1.094 TPC File Handling Buffer Overflow Vulnerability Vendor: TECO Electric and Machinery Co., Ltd. Product web page: http://www.teco-group.eu Download: http://globalsa.teco.com.tw/supportdownload.aspx?KindID=9 Affected...
ClipperCMS 1.3.0 - Multiple SQL Injections
ClipperCMS 1.3.0 - Multiple SQL Injections Security Advisory - Curesec Research Team 1. Introduction Affected Product: ClipperCMS 1.3.0 Fixed in: not fixed Fixed Version Link: n/a Vendor Website: http://www.clippercms.com/ Vulnerability Type: SQL Injection Remote Exploitable: Yes Reported to...