Claymore Dual ETH + DCRSCLBCPASC GPU Miner - Stack Buffer Overflow Path Traversal
Claymore Dual ETH + DCRSCLBCPASC GPU Miner - Stack Buffer Overflow Path Traversal !/usr/bin/env python -- coding: UTF-8 -- github.com/tintinweb optional: pip install pysocks https://pypi.python.org/pypi/PySocks ''' API overview: nc -L -p 3333 "id":0,"jsonrpc":"2.0","method":"minergetstat1"...
Microsoft Windows Defender - Controlled Folder Bypass Through UNC Path
Microsoft Windows Defender - Controlled Folder Bypass Through UNC Path / Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1418 Windows Defender: Controlled Folder Bypass through UNC Path Platform: Windows 10 1709 + Antimalware client version 4.12.16299.15 Class: Security Feature...
Apple macOS 10.13.1 (High Sierra) - Insecure Cron System Local Privilege Escalation
Apple macOS 10.13.1 High Sierra - Insecure Cron System Local Privilege Escalation Recently I was working on a security issue in some other software that has yet to be disclosed which created a rather interesting condition. As a non-root user I was able to write to any file on the system that was...
Arq 5.9.7 - Local Privilege Escalation
Arq 5.9.7 - Local Privilege Escalation =begin As well as the other bugs affecting Arq " backupset = "0" 40 hmac = "0" 40 payload = sprintf "%s%s%s%s$%s%s\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00" + "...
Hashicorp vagrant-vmware-fusion 4.0.24 - Local Privilege Escalation
Hashicorp vagrant-vmware-fusion 4.0.24 - Local Privilege Escalation I have previously disclosed a couple of bugs in Hashicorp's vagrant-vmware-fusion plugin for vagrant. Unfortunately the 4.0.23 release which was supposed to fix the previous bug I reported didn't address the issue, so Hashicorp...
FS Makemytrip Clone - id SQL Injection
FS Makemytrip Clone - id SQL Injection Exploit Title: FS Makemytrip Clone - SQL Injection Date: 2017-12-05 Exploit Author: Dan° Vendor Homepage: https://fortunescripts.com/ Software Link: https://fortunescripts.com/product/makemytrip-clone/ Version: 2017-12-05 Tested on: Kali Linux 2.0 PoC: SQL...
Dasan Networks GPON ONT WiFi Router H640X 12.02-01121 2.77p1-1124 3.03p2-1146 - Remote Code Execution
Dasan Networks GPON ONT WiFi Router H640X 12.02-01121 2.77p1-1124 3.03p2-1146 - Remote Code Execution Vulnerability Summary The following advisory describes a buffer overflow that leads to remote code execution found in Dasan Networks GPON ONT WiFi Router H640X versions 12.02-01121 / 2.77p1-1124 ...
WinduCMS 3.1 - Local File Disclosure
WinduCMS 3.1 - Local File Disclosure !/usr/bin/python Exploit Title: WinduCMS = 3.1 - Local File Disclosure Date: 2017-12-03 Exploit Author: Maciek Krupa Vendor Homepage: http://windu.org Version: 3.1 Tested on: Linux Debian 9 // Description // Local File Disclosure vulnerability exists in WinduC...
Hashicorp vagrant-vmware-fusion 4.0.23 - Local Privilege Escalation
Hashicorp vagrant-vmware-fusion 4.0.23 - Local Privilege Escalation A couple of weeks ago I disclosed a local root privesc in Hashicorp's vagrant-vmware-fusion plugin: https://m4.rkw.io/blog/cve20177642-local-root-privesc-in-hashicorp-vagrantvmw... The initial patch they released was 4.0.21 which...
Hashicorp vagrant-vmware-fusion 5.0.3 - Local Privilege Escalation
Hashicorp vagrant-vmware-fusion 5.0.3 - Local Privilege Escalation Another day, another root privesc bug in this plugin. Not quite so serious this time - this one is only exploitable if the user has the plugin installed but VMware Fusion not installed. This is a fairly unlikely scenario but it's ...
Hashicorp vagrant-vmware-fusion 5.0.1 - Local Privilege Escalation
Hashicorp vagrant-vmware-fusion 5.0.1 - Local Privilege Escalation I recently blogged about how the installation process of version 5.0.0 of this plugin could be hijacked by a local attacker or malware in order to escalate privileges to root. Hashicorp pushed some mitigations for this issue fairl...
FS Shaadi Clone - token SQL Injection
FS Shaadi Clone - token SQL Injection Exploit Title: FS Shaadi Clone - SQL Injection Date: 2017-12-05 Exploit Author: Dan° Vendor Homepage: https://fortunescripts.com/ Software Link: https://fortunescripts.com/product/shaadi-clone/ Version: 2017-12-05 Tested on: Kali Linux 2.0 PoC: SQL Injection ...
Arq 5.9.6 - Local Privilege Escalation
Arq 5.9.6 - Local Privilege Escalation Arq Backup from Haystack Software is a great application for backing up macs and windows machines. Unfortunately versions of Arq for mac before 5.9.7 are vulnerable to a local root privilege escalation exploit. The updater binary has a "setpermissions"...
Proxifier for Mac 2.19 - Local Privilege Escalation
Proxifier for Mac 2.19 - Local Privilege Escalation With CVE-2017-7643 I disclosed a command injection vulnerability in the KLoader binary that ships with Proxifier = 2.18. Unfortunately 2.19 is also vulnerable to a slightly different attack that yields the same result. When Proxifier is first run...
Murus 1.4.11 - Local Privilege Escalation
Murus 1.4.11 - Local Privilege Escalation I recently blogged about the prevalence of escalation hijack vulnerabilities amongst macOS applications. One example of this is the latest version of Murus firewall. By design it requires the user to authenticate every time in order to obtain the access i...
Hashicorp vagrant-vmware-fusion 5.0.0 - Local Privilege Escalation
Hashicorp vagrant-vmware-fusion 5.0.0 - Local Privilege Escalation After three CVEs and multiple exploits disclosed to Hashicorp they have finally upped their game with this plugin. Now the previously vulnerable non-root-owned ruby code that gets executed as root by the sudo helper is no more and...
Sera 1.2 - Local Privilege Escalation Password Disclosure
Sera 1.2 - Local Privilege Escalation Password Disclosure Sera is a free app for mac and iOS that lets you unlock your mac automatically when your iphone is within a configured proximity. Unfortunately to facilitate this it stores the user's login password in their home directory at:...
Readymade Classifieds Script 1.0 - SQL Injection
Readymade Classifieds Script 1.0 - SQL Injection Exploit Title: Readymade Classifieds Script 1.0 - SQL Injection Dork: N/A Date: 02.12.2017 Vendor Homepage: http://www.scubez.net/ Software Link: http://www.posty.in/index.html Demo: http://www.posty.in/readymade-classifieds-demo.html Version: 1.0...
Techno Portfolio Management Panel - id SQL Injection
Techno Portfolio Management Panel - id SQL Injection Exploit Title: Techno - Portfolio Management Panel 1.0 - SQL Injection Dork: N/A Date: 02.12.2017 Vendor Homepage: https://codecanyon.net/user/engtechno Software Link: https://codecanyon.net/item/techno-portfolio-management-panel/20919551 Demo:...
Perspective ICM Investigation Case 5.1.1.16 - Privilege Escalation
Perspective ICM Investigation Case 5.1.1.16 - Privilege Escalation Exploit Title: Privilege Escalation - Perspective ICM Investigation & Case - 5.1.1.16 Date Reported to vendor: Jun 28, 2017 Date Accepted by vendor: Jun 11, 2017 Exploit Author: [email protected] Vendor Homepage:...
VX Search 10.2.14 - command_name Buffer Overflow
VX Search 10.2.14 - command_name Buffer Overflow !/usr/bin/python print " VX Search Enterprise v10.2.14 Buffer Overflow SEH \n" Exploit Title : VX Search Enterprise v10.2.14 Buffer Overflow SEH Discovery by : W01fier00t Twitter : @wolfieroot Discovery Date : 22/11/2017 Software Link :...
TeamViewer 11 13 (Windows 10 x86) - Inline Hooking Direct Memory Modification Permission Change
TeamViewer 11 13 Windows 10 x86 - Inline Hooking Direct Memory Modification Permission Change TeamViewer Permissions Hook V1 --- A proof of concept injectable C++ DLL, that uses naked inline hooking and direct memory modification to change TeamViewer permissions. Features As the Server - Enables...
Ruby 2.2.8 2.3.5 2.4.2 2.5.0-preview1 - NET::Ftp Command Injection
Ruby 2.2.8 2.3.5 2.4.2 2.5.0-preview1 - NET::Ftp Command Injection While using NET::Ftp I realised you could get command execution through "malicious" file names. The problem lies in the gettextfile(remotefile, localfile = File.basename(remotefile)) method. When looking at the source code, you'll not...
Socusoft Photo 2 Video Converter 8.0.0 - Local Buffer Overflow
Socusoft Photo 2 Video Converter 8.0.0 - Local Buffer Overflow Exploit Title: Socusoft Photo 2 Video Converter v8.0.0 Local Buffer Overflow Free and Professional variants Date: 01/12/2017 Exploit Author: Jason Magic ret2eax Vendor Homepage: www.socusoft.com Version: 8.0.0 Tested on: Windows Serve...
Abyss Web Server 2.11.6 - Heap Memory Corruption
Abyss Web Server 2.11.6 - Heap Memory Corruption + Credits: John Page aka HyP3rlinX + Website: hyp3rlinx.altervista.org + Source: http://hyp3rlinx.altervista.org/advisories/ABYSS-WEB-SERVER-MEMORY-HEAP-CORRUPTION.txt + ISR: ApparitionSec Vendor: ========== aprelium.com Product: =========== Abyss...
Artica Web Proxy 3.06 - Remote Code Execution
Artica Web Proxy 3.06 - Remote Code Execution + Credits: John Page aka Hyp3rlinX + Website: hyp3rlinx.altervista.org + Source: http://hyp3rlinx.altervista.org/advisories/ARTICA-WEB-PROXY-v3.06-REMOTE-CODE-EXECUTION-CVE-2017-17055.txt + ISR: ApparitionSec Vendor: ======= www.articatech.com Product...
MistServer 2.12 - Cross-Site Scripting
MistServer 2.12 - Cross-Site Scripting + Credits: John Page aka Hyp3rlinX + Website: hyp3rlinx.altervista.org + Source: http://hyp3rlinx.altervista.org/advisories/MIST-SERVER-v2.12-UNAUTHENTICATED-PERSISTENT-XSS-CVE-2017-16884.txt + ISR: ApparitionSec Vendor: ============= mistserver.org Product:...
Jobs2Careers Coroflot Clone - SQL Injection
Jobs2Careers Coroflot Clone - SQL Injection Exploit Title: Jobs2Careers / Coroflot Clone - SQL Injection Date: 2017-11-30 Exploit Author: 8bitsec Vendor Homepage: http://www.i-netsolution.com/ Software Link: http://www.i-netsolution.com/product/jobs2careers-coroflot-jobs-clone-script/ Version: 30...
Linux Kernel - The Huge Dirty Cow Overwriting The Huge Zero Page (1)
Linux Kernel - The Huge Dirty Cow Overwriting The Huge Zero Page 1 // EDB Note: Source https://medium.com/bindecy/huge-dirty-cow-cve-2017-1000405-110eca132de0 // EDB Note: Source https://github.com/bindecy/HugeDirtyCowPOC // Author Note: Before running, make sure to set transparent huge pages to...
Axis Communications MPQTPACS - Heap Overflow Information Leakage
Axis Communications MPQTPACS - Heap Overflow Information Leakage Subject: Axis Communications MPQT/PACS Heap Overflow and Information Leakage. Attack vector: Remote Authentication: Anonymous no credentials needed Researcher: bashis August 2017 PoC: https://github.com/mcw0/PoC Release date:...
QEMU - NBD Server Long Export Name Stack Buffer Overflow
QEMU - NBD Server Long Export Name Stack Buffer Overflow Introduced in commit f37708f6b8 (2.10). The NBD spec says a client can request export names up to 4096 bytes in length, even though they should not expect success on names longer than 256. However, qemu hard-codes the limit of 256, and fails ...
Dup Scout Enterprise 10.0.18 - Input Directory Local Buffer Overflow (SEH)
Dup Scout Enterprise 10.0.18 - Input Directory Local Buffer Overflow SEH !/usr/bin/python import struct Exploit Author: Miguel Mendez Z Exploit Title: Dup Scout Enterprise v10.0.18 "Input Directory" Local Buffer Overflow - SEH Unicode Date: 29-11-2017 Software: Dup Scout Enterprise Version:...
HP iMC Plat 7.2 - Remote Code Execution (2)
HP iMC Plat 7.2 - Remote Code Execution 2 !/opt/local/bin/python2.7 Exploit Title: HP iMC Plat 7.2 dbman Opcode 10008 Command Injection RCE Date: 11-29-2017 Exploit Author: Chris Lyne @lynerc Vendor Homepage: www.hpe.com Software Link:...
WordPress Plugin WooCommerce 2.03.0 - Directory Traversal
WordPress Plugin WooCommerce 2.03.0 - Directory Traversal Exploit Title: WordPress woocommerce directory traversal Date: 28-11-2017 Software Link: https://wordpress.org/plugins/woocommerce/ Exploit Author:fu2x2000 Contact: [email protected] Website: CVE:2017-17058 Version:Tested on WordPress 4.8...
HP iMC Plat 7.2 - Remote Code Execution
HP iMC Plat 7.2 - Remote Code Execution !/opt/local/bin/python2.7 Exploit Title: HP iMC Plat 7.2 dbman Opcode 10007 Command Injection RCE Date: 11-28-2017 Exploit Author: Chris Lyne @lynerc Vendor Homepage: www.hpe.com Software Link:...
Apple macOS 10.13.1 (High Sierra) - Blank Root Local Privilege Escalation
Apple macOS 10.13.1 High Sierra - Blank Root Local Privilege Escalation Source: https://twitter.com/lemiorhan/status/935578694541770752 & https://forums.developer.apple.com/thread/79235 "Dear @AppleSupport, we noticed a HUGE security issue at MacOS High Sierra. Anyone can login as "root" with emp...
Synology StorageManager 5.2 - Root Remote Command Execution
Synology StorageManager 5.2 - Root Remote Command Execution ''' SSD Advisory – Synology StorageManager smart.cgi Remote Command Execution Full report: https://blogs.securiteam.com/index.php/archives/3540 Twitter: @SecuriTeamSSD Weibo: SecuriTeamSSD Vulnerability Summary The following advisory...
Android Gmail 7.11.5.176568039 - Directory Traversal in Attachment Download
Android Gmail 7.11.5.176568039 - Directory Traversal in Attachment Download ''' Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1342 There is a directory traversal issue in attachment downloads in Gmail. For non-gmail accounts, there is no path sanitization on the attachment...
Microsoft Edge Chakra JIT - GlobOpt::OptTagChecks Must Consider IsLoopPrePass Properly
Microsoft Edge Chakra JIT - GlobOpt::OptTagChecks Must Consider IsLoopPrePass Properly / Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1365 Some background: https://bugs.chromium.org/p/project-zero/issues/detail?id=1364 There's one more place that emits a BailOnNotObject opcod...
Exim 4.89 - BDAT Denial of Service
Exim 4.89 - BDAT Denial of Service While parsing the BDAT data header, Exim still scans for '.' and considers it the end of the mail. https://github.com/Exim/exim/blob/master/src/src/receive.c#L1867 Exim goes into an incorrect state after this message is sent because the function pointer receive_getc is not...
Microsoft Windows 10 (Build 1703 Creators Update) (x86) - WARBIRD NtQuerySystemInformation Kernel Local Privilege Escalation
Microsoft Windows 10 Build 1703 Creators Update x86 - WARBIRD NtQuerySystemInformation Kernel Local Privilege Escalation / EDB Note Source https://gist.github.com/xpn/736daa4d1ff7b9869f4b3d1e9a34d315/ff2e2465d4a07588d0148dc87e77b17b41ef9d1d Source https://blog.xpnsec.com/windows-warbird-privesc/...
ZTE ZXDSL 831CII - Improper Access Restrictions
ZTE ZXDSL 831CII - Improper Access Restrictions Exploit Title: ZTE ZXDSL 831 Unauthorized Configuration Access Date: 27/11/2017 Exploit Author: Ibad Shah Vendor Homepage: zte.com.cn Software Link: - Version: - ZXDSL - 831CII Tested on: Windows 10 CVE :- 2017-16953...
Microsoft Edge Chakra JIT - Inline::InlineCallApplyTarget_Shared does not Return the return Instruction
Microsoft Edge Chakra JIT - Inline::InlineCallApplyTarget_Shared does not Return the return Instruction / Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1366 Here's a snippet of Inline::Optimize. FOREACH_INSTR_EDITING(instr, instrNext, func->m_headInstr) switch (instr->m_opcode) case...
Microsoft Edge Chakra JIT - BailOutOnTaggedValue Bailouts Type Confusion
Microsoft Edge Chakra JIT - BailOutOnTaggedValue Bailouts Type Confusion / Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1364 1. In the Chakra's JIT compilation process, it stores variables' type information by basic block. function optb let o; if b // BASIC BLOCK a o = ; else...
Microsoft Edge Chakra JIT - Incorrect Function Declaration Scope
Microsoft Edge Chakra JIT - Incorrect Function Declaration Scope / Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1367 In the following JavaScript code, both of the print calls must print out "undefined" because of "x" is a formal parameter. But the second print call prints out...
Diving Log 6.0 - XML External Entity Injection
Diving Log 6.0 - XML External Entity Injection + Exploit Title: Diving Log 6.0 XXE Injection + Date: 27-11-2017 + Exploit Author: Trent Gordon + Vendor Homepage: http://www.divinglog.de + Software Link: http://www.divinglog.de/english/download/ + Disclosed at: https://thenopsled.com/divinglog.txt...
ALLPlayer 7.5 - Local Buffer Overflow (SEH Unicode)
ALLPlayer 7.5 - Local Buffer Overflow SEH Unicode !/usr/bin/python Tested on: Windows 10 Professional x86 Exploit for previous version: https://www.exploit-db.com/exploits/42455/ Seems they haven't patched the vulnerability at all :D msfvenom -p windows/exec CMD="calc.exe" -e x86/unicode_mixed...
Linux Kernel - mincore() Uninitialized Kernel Heap Page Disclosure
Linux Kernel - mincore() Uninitialized Kernel Heap Page Disclosure / Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1431 I found the following bug with an AFL-based fuzzer: When walk_page_range is used on a VM_HUGETLB VMA, callbacks from the mm_walk structure are only invoked for...
Linux Kernel (Ubuntu 17.04) - XFRM Local Privilege Escalation
Linux Kernel Ubuntu 17.04 - XFRM Local Privilege Escalation Vulnerability Summary The following advisory describes a use-after-free vulnerability found in the Linux kernel that can lead to privilege escalation. The vulnerability was found in the Netlink socket subsystem (XFRM). Netlink is used to transfer...
WebKit - WebCore::SVGPatternElement::collectPatternAttributes Out-of-Bounds Read
WebKit - WebCore::SVGPatternElement::collectPatternAttributes Out-of-Bounds Read / Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1350 There is an out-of-bounds read security vulnerability in WebKit. The vulnerability was confirmed on ASan build of WebKit nightly. PoC:...