Centreon 2.6.1 - Multiple Vulnerabilities
Centreon 2.6.1 - Multiple Vulnerabilities Centreon 2.6.1 Command Injection Vulnerability Vendor: Centreon Product web page: https://www.centreon.com Affected version: 2.6.1 CES 3.2 Summary: Centreon is the choice of some of the world's largest companies and mission-critical organizations for...
PCMan FTP Server 2.0.7 - Directory Traversal
PCMan FTP Server 2.0.7 - Directory Traversal #!/usr/bin/python title: PCMan FTP Server v2.0.7 Directory Traversal author: Jay Turla tested on Windows XP Service Pack 3 - English software Link: https://www.exploit-db.com/apps/9fceb6fefd0f3ca1a8c36e97b6cc925d-PCMan.7z description: PCMAN FTP 2.07 is...
Git 1.9.5 - ssh-agent.exe Buffer Overflow (PoC)
Git 1.9.5 - ssh-agent.exe Buffer Overflow PoC ''' + Credits: hyp3rlinx + Website: hyp3rlinx.altervista.org + Source: http://hyp3rlinx.altervista.org/advisories/AS-GIT-SSH-AGENT-BUFF-OVERFLOW.txt Vendor: ================================ git-scm.com Product: ================================...
Adobe Flash - uint Capacity Field
Adobe Flash - uint Capacity Field Source: https://code.google.com/p/google-security-research/issues/detail?id=504 The latest version of the Vector. length check in Flash 18,0,0,232 is not robust against memory corruptions such as heap overflows. While it’s no longer possible to obviously bypass t...
BMC Track-It! 11.4 - Multiple Vulnerabilities
BMC Track-It! 11.4 - Multiple Vulnerabilities Multiple critical vulnerabilities in BMC Track-It! 11.4 Discovered by Pedro Ribeiro [email protected], Agile Information Security ================================================================================= Disclosure: 04/07/2016 / Last updated:...
vTiger CRM 6.3.0 - (Authenticated) Remote Code Execution
vTiger CRM 6.3.0 - Authenticated Remote Code Execution -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Exploit Title: Vtiger CRM <= 6.3.0 Authenticated Remote Code Execution Date: 2015-09-28 Exploit Author: Benjamin Daniel Mussler Vendor Homepage: https://www.vtiger.com Software Link:...
Adobe Acrobat Reader - AFParseDate JavaScript API Restrictions Bypass
Adobe Acrobat Reader - AFParseDate JavaScript API Restrictions Bypass Title: Adobe Acrobat Reader AFParseDate Javascript API Restrictions Bypass Vulnerability Date: 09/28/2015 Author: Reigning Shells, based off PoC published by Zero Day Initiative Vendor Homepage: adobe.com Version: Adobe Reader...
Kaseya Virtual System Administrator (VSA) 7.0 9.1 - (Authenticated) Arbitrary File Upload
Kaseya Virtual System Administrator VSA 7.0 9.1 - Authenticated Arbitrary File Upload #!/usr/bin/ruby kazPwn.rb - Kaseya VSA v7 to v9.1 authenticated arbitrary file upload CVE-2015-6589 / ZDI-15-450 =================== by Pedro Ribeiro / Agile Information Security Disclosure date: 28/09/2015 Usage...
WinRar 5.21 - SFX OLE Command Execution
WinRar 5.21 - SFX OLE Command Execution #!/usr/bin/python -w Title : WinRar SFX OLE Command Execution Date : 25/09/2015 Author : R-73eN Tested on : Windows Xp SP3 with WinRAR 5.21 Triggering the Vulnerability Run this python script Right click a file and then click on add to archive. check the...
FortiManager 5.2.2 - Persistent Cross-Site Scripting
FortiManager 5.2.2 - Persistent Cross-Site Scripting + Credits: hyp3rlinx + Website: hyp3rlinx.altervista.org + Source: http://hyp3rlinx.altervista.org/advisories/AS-FORTIMANAGER-XSS-0924.txt Vendor: ================================ www.fortinet.com Product: ================================...
FreshFTP 5.52 - .qfl Crash (PoC)
FreshFTP 5.52 - .qfl Crash PoC Exploit Title: FreshFTP .QFL Local DoS While Parsing. Date: 9/15/2015 Exploit Author: UnN0n Software Vendor : http://www.freshwebmaster.com/ Software Link: http://www.freshwebmaster.com/download.html Version: 5.52 Tested on: Windows 7 x86 32 BIT Steps to Produce the...
X2Engine 4.2 - Arbitrary File Upload
X2Engine 4.2 - Arbitrary File Upload Source: https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2015-5074/ Details: It was discovered that authenticated users were able to upload files of any type providing that the file did not have an extension that was...
X2Engine 4.2 - Cross-Site Request Forgery
X2Engine 4.2 - Cross-Site Request Forgery Source: https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2015-5075/ Details: It was discovered that no protection against Cross-site Request Forgery attacks was implemented, resulting in an attacker being able to...
SMF (Simple Machine Forum) 2.0.10 - Remote Memory Exfiltration
SMF Simple Machine Forum 2.0.10 - Remote Memory Exfiltration #!/usr/bin/python -*- coding: iso-8859-15 -*- Title: SMF Simple Machine Forum Filippo Roncari Truel Lab http://lab.truel.it Requirements: SMF <= 2.0.10 PHP <= 5.6.11 / 5.5.27 / 5.4.43 Advisories: TL-2015-PHP04...
Microsoft Windows Kernel - NtGdiBitBlt Buffer Overflow (MS15-097)
Microsoft Windows Kernel - NtGdiBitBlt Buffer Overflow MS15-097 Source: https://code.google.com/p/google-security-research/issues/detail?id=474 --- The attached PoC triggers a buffer overflow in the NtGdiBitBlt system call. It reproduces reliably on Win 7 32-bit with Special Pool enabled on...
Cisco AnyConnect 3.1.08009 - Local Privilege Escalation (via DMG Install Script)
Cisco AnyConnect 3.1.08009 - Local Privilege Escalation via DMG Install Script / Cisco AnyConnect elevation of privileges via DMG install script - proof of concept Yorick Koster, July 2015 https://securify.nl/advisory/SFY20150701/ciscoanyconnectelevationofprivilegesviadmginstallscript.html based ...
refbase 0.9.6 - Multiple Vulnerabilities
refbase 0.9.6 - Multiple Vulnerabilities Exploit Title: Refbase 5 /rss.php?where='nonexistent'+union+allselect+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,concat'version:',@@version,'',34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50-- - /rs...
Microsoft Windows Kernel - Pool Buffer Overflow Drawing Caption Bar (MS15-061)
Microsoft Windows Kernel - Pool Buffer Overflow Drawing Caption Bar MS15-061 Source: https://code.google.com/p/google-security-research/issues/detail?id=321 The PoC triggers a crash due to a pool buffer overflow while drawing the caption bar of a window. The trigger depends on the current window...
Kaspersky AntiVirus - ExeCryptor Parsing Memory Corruption
Kaspersky AntiVirus - ExeCryptor Parsing Memory Corruption Source: https://code.google.com/p/google-security-research/issues/detail?id=525 Fuzzing packed executables found the attached crash, it might be usable as an information leak as part of another bug, so filing as a low-risk bug. If I had t...
Microsoft Windows Kernel - Use-After-Free with Printer Device Contexts (MS15-097)
Microsoft Windows Kernel - Use-After-Free with Printer Device Contexts MS15-097 Source: https://code.google.com/p/google-security-research/issues/detail?id=433 --- The attached PoC demonstrates a UAF condition with printer device contexts. The PoC will trigger on Win 7 32-bit with Special Pool...
Microsoft Windows Kernel - HmgAllocateObjectAttr Use-After-Free (MS15-061)
Microsoft Windows Kernel - HmgAllocateObjectAttr Use-After-Free MS15-061 Source: https://code.google.com/p/google-security-research/issues/detail?id=320 The PoC bug checks reliably with Special Pool enabled on writing to freed memory. A reference to the freed memory is held at offset +0x10 of the...
Kaspersky AntiVirus - Yodas Protector Unpacking Memory Corruption
Kaspersky AntiVirus - Yodas Protector Unpacking Memory Corruption Source: https://code.google.com/p/google-security-research/issues/detail?id=528 The attached testcase was found by fuzzing packed PE files, I suspect it was packed using "Yoda's protector". This vulnerability is obviously exploitab...
Kirby CMS 2.1.0 - Authentication Bypass
Kirby CMS 2.1.0 - Authentication Bypass ============================================= - Release date: 14.09.2015 - Discovered by: Dawid Golunski - Severity: Medium/High ============================================= I. VULNERABILITY ------------------------- Kirby CMS <= 2.1.0 Authentication Bypass...
Konica Minolta FTP Utility 1.0 - Directory Traversal
Konica Minolta FTP Utility 1.0 - Directory Traversal / --------------------------------------------------------------------- Konica Minolta FTP Utility directory traversal vulnerability Url: http://download.konicaminolta.hk/bt/driver/mfpu/ftpu/ftpu10.zip Author: shinnai mail:...
Kaspersky AntiVirus - PE Unpacking Integer Overflow
Kaspersky AntiVirus - PE Unpacking Integer Overflow Source: https://code.google.com/p/google-security-research/issues/detail?id=526 Fuzzing of packed executables found the attached crash. 0:022 g 83c.bbc: Access violation - code c0000005 first chance First chance exceptions are reported before an...
Microsoft Windows Kernel - Bitmap Handling Use-After-Free (MS15-061) (1)
Microsoft Windows Kernel - Bitmap Handling Use-After-Free MS15-061 1 Source: https://code.google.com/p/google-security-research/issues/detail?id=293 Platform: Win7 32-bit. trigger.cpp should fire the issue, with two caveats: - PoC will NOT work if compiled as a debug build. - PoC will trigger the...
Microsoft Windows Kernel - UserCommitDesktopMemory Use-After-Free (MS15-073)
Microsoft Windows Kernel - UserCommitDesktopMemory Use-After-Free MS15-073 Source: https://code.google.com/p/google-security-research/issues/detail?id=335 Freed memory is accessed after switching between two desktops of which one is closed. The testcase crashes with and without special pool...
Microsoft Windows Kernel - Use-After-Free with Cursor Object (MS15-097)
Microsoft Windows Kernel - Use-After-Free with Cursor Object MS15-097 Source: https://code.google.com/p/google-security-research/issues/detail?id=457 --- The attached testcase crashes Win 7 with Special Pool enabled while accessing the freed global cursor object gpqCursor. See poc.cpp for...
Microsoft Windows Kernel - DeferWindowPos Use-After-Free (MS15-073)
Microsoft Windows Kernel - DeferWindowPos Use-After-Free MS15-073 Source: https://code.google.com/p/google-security-research/issues/detail?id=339 The attached PoC demonstrates a use-after-free condition that occurs when operating on a DeferWindowPos object from multiple threads. The DeferWindowPos...
Microsoft Windows Kernel - Bitmap Handling Use-After-Free (MS15-061) (2)
Microsoft Windows Kernel - Bitmap Handling Use-After-Free MS15-061 2 Source: https://code.google.com/p/google-security-research/issues/detail?id=311 Bitmap object Use-after-Free 2 The attached PoC triggers a blue screen due to a use after free vulnerability. The crashes are unreliable, however yo...
Apple Mac OSX Regex Engine (TRE) - Integer Signedness Overflow
Apple Mac OSX Regex Engine TRE - Integer Signedness Overflow Source: https://code.google.com/p/google-security-research/issues/detail?id=429 The OS X regex engine function tre_tnfa_run_parallel contains the following code: int tbytes; ... if (!match_tags) num_tags = 0; else num_tags = tnfa->num_tags; ... i...
Microsoft Windows Kernel - bGetRealizedBrush Use-After-Free (MS15-097)
Microsoft Windows Kernel - bGetRealizedBrush Use-After-Free MS15-097 Source: https://code.google.com/p/google-security-research/issues/detail?id=458 --- The attached testcase crashes Win 7 with Special Pool on win32k while accessing freed memory in bGetRealizedBrush. --- Proof of Concept:...
Microsoft Windows Kernel - SURFOBJ Null Pointer Dereference (MS15-061)
Microsoft Windows Kernel - SURFOBJ Null Pointer Dereference MS15-061 Source: https://code.google.com/p/google-security-research/issues/detail?id=312 This issue is very likely a null pointer issue affecting 32-bit Windows versions. The offset is from an add onto another offset which isn't quite zero, ...
Air Drive Plus 2.4 - Arbitrary File Upload
Air Drive Plus 2.4 - Arbitrary File Upload Document Title: =============== Air Drive Plus v2.4 iOS - Arbitrary File Upload Vulnerability References Source: ==================== http://www.vulnerability-lab.com/getcontent.php?id=1597 Release Date: ============= 2015-09-21 Vulnerability Laboratory ...
MASM32 11R - Crash (PoC)
MASM32 11R - Crash PoC EXPLOIT TITLE: Masm32v11r Buffer Overflow SEH overwrite crash POC AUTHOR: VIKRAMADITYA "-OPTIMUS" Date of Testing: 22nd September 2015 Download Link : http://www.masm32.com/masmdl.htm Tested On : Windows 10 Steps to Crash :- Step 1: Execute this python script Step 2: This...
Kaspersky AntiVirus - VB6 Parsing Integer Overflow
Kaspersky AntiVirus - VB6 Parsing Integer Overflow Source: https://code.google.com/p/google-security-research/issues/detail?id=522 Fuzzing VB6 executables produced the attached crash testcase: 5a8.dc: Access violation - code c0000005 first chance First chance exceptions are reported before any...
Kirby CMS 2.1.0 - Cross-Site Request Forgery Content Upload PHP Script Execution
Kirby CMS 2.1.0 - Cross-Site Request Forgery Content Upload PHP Script Execution ============================================= - Release date: 14.09.2015 - Discovered by: Dawid Golunski - Severity: High ============================================= I. VULNERABILITY ------------------------- Kirby...
Microsoft Windows Kernel - NtGdiStretchBlt Pool Buffer Overflow (MS15-097)
Microsoft Windows Kernel - NtGdiStretchBlt Pool Buffer Overflow MS15-097 Source: https://code.google.com/p/google-security-research/issues/detail?id=415 --- Tested on Win 7 32-bit with Special Pool enabled. Multiple pool buffer overflows can be triggered through the NtGdiStretchBlt system call. T...
Microsoft Windows Kernel - Brush Object Use-After-Free (MS15-061)
Microsoft Windows Kernel - Brush Object Use-After-Free MS15-061 Source: https://code.google.com/p/google-security-research/issues/detail?id=304 Creating a device context with the flag DCX_NORESETATTRS and selecting a brush object into the device context will result in the brush being freed on...
Microsoft Windows Kernel - Null Pointer Dereference with Window Station and Clipboard (MS15-061)
Microsoft Windows Kernel - Null Pointer Dereference with Window Station and Clipboard MS15-061 Source: https://code.google.com/p/google-security-research/issues/detail?id=294 Platform: Win7 32-bit. trigger.cpp should fire the issue, with a caveat - PoC might NOT work if compiled as a debug build...
Kaspersky AntiVirus - .DEX File Format Parsing Memory Corruption
Kaspersky AntiVirus - .DEX File Format Parsing Memory Corruption Source: https://code.google.com/p/google-security-research/issues/detail?id=519 Fuzzing the DEX file format found a crash that loads a function pointer from an attacker controlled pointer, on Windows this results in a call to an...
Microsoft Windows Kernel - WindowStation Use-After-Free (MS15-061)
Microsoft Windows Kernel - WindowStation Use-After-Free MS15-061 Source: https://code.google.com/p/google-security-research/issues/detail?id=295 Platform: Win7 32-bit. trigger.cpp should fire the issue, with caveats: - PoC MUST be compiled in release mode. - PoC may need to be run a few times to...
Kaspersky AntiVirus - CHM Parsing Stack Buffer Overflow
Kaspersky AntiVirus - CHM Parsing Stack Buffer Overflow Source: https://code.google.com/p/google-security-research/issues/detail?id=524 Fuzzing CHM files with Kaspersky Antivirus produced the attached crash. 83c.fec: Access violation - code c0000005 first chance First chance exceptions are report...
Apple Mac OSX Regex Engine (TRE) - Stack Buffer Overflow (PoC)
Apple Mac OSX Regex Engine TRE - Stack Buffer Overflow PoC Source: https://code.google.com/p/google-security-research/issues/detail?id=428 OS X Libc uses the slightly obscure TRE regex engine http://laurikari.net/tre/ If used in enhanced mode by passing the REG_ENHANCED flag to regcomp, TRE supports...
SAP NetWeaver 7.01 - XML External Entity Injection
SAP NetWeaver 7.01 - XML External Entity Injection Title: SAP NetWeaver - XML External Entity Injection Author: Lukasz Miedzinski GPG: Public key provided in attachment Date: 29/10/2014 CVE: CVE-2015-7241 Affected software : =================== SAP NetWeaver : XML Content and Actions - Import sectio...
Kaspersky AntiVirus - UPX Parsing Memory Corruption
Kaspersky AntiVirus - UPX Parsing Memory Corruption Source: https://code.google.com/p/google-security-research/issues/detail?id=527 While fuzzing UPX packed files, this crash was discovered resulting in an arbitrary stack-relative write. This vulnerability is obviously remotely exploitable for...
Kaspersky AntiVirus - ThinApp Parser Stack Buffer Overflow
Kaspersky AntiVirus - ThinApp Parser Stack Buffer Overflow Source: https://code.google.com/p/google-security-research/issues/detail?id=518 A remotely exploitable stack buffer overflow in ThinApp container parsing. Kaspersky Antivirus I've tested version 15 and 16 and other products using the...
Microsoft Windows Kernel - FlashWindowEx Memory Corruption (MS15-097)
Microsoft Windows Kernel - FlashWindowEx Memory Corruption MS15-097 Source: https://code.google.com/p/google-security-research/issues/detail?id=475 --- The attached PoC triggers a wild write on Win 7 32-bit with Special Pool enabled on win32k.sys. --- Proof of Concept:...
Microsoft Windows Kernel - win32k!vSolidFillRect Buffer Overflow (MS15-061)
Microsoft Windows Kernel - win32k!vSolidFillRect Buffer Overflow MS15-061 Source: https://code.google.com/p/google-security-research/issues/detail?id=313 The PoC triggers a pool buffer overflow in win32k!vSolidFillRect. When using Special Pool we get the crash immediately on the overwrite. Witho...
Cisco AnyConnect Secure Mobility Client 3.1.08009 - Local Privilege Escalation
Cisco AnyConnect Secure Mobility Client 3.1.08009 - Local Privilege Escalation Source: https://code.google.com/p/google-security-research/issues/detail?id=460 Cisco AnyConnect Secure Mobility Client v3.1.08009 Elevation of Privilege Platform: Windows 8.1 Update, Client version 3.1.08009 tested on...