41207 matches found
Apple WebKit Safari 10.0.3(12602.4.8) - WebCore::FrameView::scheduleRelayout Use-After-Free
Apple WebKit Safari 10.0.312602.4.8 - WebCore::FrameView::scheduleRelayout Use-After-Free let f = document.body.appendChilddocument.createElement'iframe'; let g = f.contentDocument.body.appendChilddocument.createElement'iframe'; g.contentWindow.onunload = = g.contentWindow.onunload = null; let h ...
WebKit - ContainerNode::parserRemoveChild Universal Cross-Site Scripting
WebKit - ContainerNode::parserRemoveChild Universal Cross-Site Scripting let xml = let p = document.querySelector'p'; let link = p.appendChilddocument.createElement'link'; link.rel = 'stylesheet'; link.href = 'data:,aaaaazxczxczzxzcz'; let btn =...
Skia Graphics Library - Heap Overflow due to Rounding Error in SkEdge::setLine
Skia Graphics Library - Heap Overflow due to Rounding Error in SkEdge::setLine / Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1155 Skia bug: https://bugs.chromium.org/p/skia/issues/detail?id=6294 There is a heap overflow in SkARGB32ShaderBlitter::blitH caused by a rounding...
Samba 3.5.0 - Remote Code Execution
Samba 3.5.0 - Remote Code Execution ! /usr/bin/env python Title : ETERNALRED Date: 05/24/2017 Exploit Author: steelo Vendor Homepage: https://www.samba.org Samba 3.5.0 - 4.5.4/4.5.10/4.4.14 CVE-2017-7494 import argparse import os.path import sys import tempfile import time from smb.SMBConnection...
Dup Scout Enterprise 9.7.18 - .xml Local Buffer Overflow
Dup Scout Enterprise 9.7.18 - .xml Local Buffer Overflow author = ''' Created: ScrR1pTK1dd13 Name: Greg Priest Mail: [email protected] Exploit Title: Dup Scout Enterprise v9.7.18 Import Local Buffer Overflow Vuln.SEH Date: 2017.05.24 Exploit Author: Greg Priest Version: Dup Scout...
NetGain EM 7.2.647 build 941 - Authentication Bypass Local File Inclusion
NetGain EM 7.2.647 build 941 - Authentication Bypass Local File Inclusion ''' Exploit Title: Add User Account with Admin Privilege without Login & Local File Inclusion Date: 2017-05-21 Exploit Author: f3ci Vendor Homepage: http://www.netgain-systems.com Software Link:...
Apple macOSiOS - Memory Corruption Due to Bad Bounds Checking in NSCharacterSet Coding for NSKeyedUnarchiver
Apple macOSiOS - Memory Corruption Due to Bad Bounds Checking in NSCharacterSet Coding for NSKeyedUnarchiver Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1168 The dump today has this list of iOS stuff: https://wikileaks.org/ciav7p1/cms/page13205587.html Reading through this...
Apple macOSiOS - TIKeyboardLayout initWithCoder: NSKeyedArchiver Heap Corruption Due to Rounding Error
Apple macOSiOS - TIKeyboardLayout initWithCoder: NSKeyedArchiver Heap Corruption Due to Rounding Error Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1172 Using lldb inside a simple helloworld app for iOS we can see that there are over 600 classes which we could get deserialize...
Apple macOSiOS - NSUnarchiver Heap Corruption Due to Lack of Bounds Checking in [NSBuiltinCharacterSet initWithCoder:]
Apple macOSiOS - NSUnarchiver Heap Corruption Due to Lack of Bounds Checking in NSBuiltinCharacterSet initWithCoder: Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1170 Via NSUnarchiver we can read NSBuiltinCharacterSet with a controlled serialized state. It reads a controlled...
Apple macOSiOS Kernel - Memory Disclosure Due to Lack of Bounds Checking in netagent Socket Option Handling
Apple macOSiOS Kernel - Memory Disclosure Due to Lack of Bounds Checking in netagent Socket Option Handling / Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1140 netagentctlsetopt is the setsockopt handler for netagent control sockets. Options of type NETAGENTOPTIONTYPEREGISTER...
Apple macOS - Lack of Bounds Checking in HIServices Custom CFObject Serialization Local Privilege Escalation
Apple macOS - Lack of Bounds Checking in HIServices Custom CFObject Serialization Local Privilege Escalation / Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1219 HIServices.framework is used by a handful of deamons and implements its own CFObject serialization mechanism. The...
Apple macOSiOS Kernel - Use-After-Free Due to Bad Locking in Unix Domain Socket File Descriptor Externalization
Apple macOSiOS Kernel - Use-After-Free Due to Bad Locking in Unix Domain Socket File Descriptor Externalization / Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1123 unpexternalize is responsible for externalizing the file descriptors carried within a unix domain socket message...
Apple macOSiOS - CAMediaTimingFunctionBuiltin NSKeyedArchiver Memory Corruption Due to Lack of Bounds Checking
Apple macOSiOS - CAMediaTimingFunctionBuiltin NSKeyedArchiver Memory Corruption Due to Lack of Bounds Checking Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1175 CAMediaTimingFunctionBuiltin is a class in QuartzCore. Its initWithCoder: method reads an Int "index" then passes...
Aerohive HiveOS 5.1r5 6.1r5 - Remote Code Execution
Aerohive HiveOS 5.1r5 6.1r5 - Remote Code Execution !/usr/bin/python3 TARGET: AeroHive AP340 HiveOS $cmd"; die; ?" URL of the login page where we will inject our PHP command exec code so it poisons the log file posturl= "/login.php5?version=6.1r2" postfields = "loginauth" : "1", "miniHiveUI" :...
VMware Workstation for Linux 12.5.2 build-4638234 - ALSA Configuration Host Local Privilege Escalation
VMware Workstation for Linux 12.5.2 build-4638234 - ALSA Configuration Host Local Privilege Escalation / Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1142 This vulnerability permits an unprivileged user on a Linux machine on which VMWare Workstation is installed to gain root...
Apple macOS - 32-bit syscall exit Kernel Register Leak
Apple macOS - 32-bit syscall exit Kernel Register Leak Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1149 The XNU kernel, when compiled for a x86-64 CPU, can run 32-bit x86 binaries in compatibility mode. 32-bit binaries use partly separate syscall entry and exit paths. To...
Apple macOS - stackshot Raw Frame Pointers
Apple macOS - stackshot Raw Frame Pointers Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1164 This is an issue that allows unentitled root to read kernel frame pointers, which might be useful in combination with a kernel memory corruption bug. By design, the syscall...
Linux Kernel 4.11 - eBPF Verifier Log Leaks Lower Half of map Pointer
Linux Kernel 4.11 - eBPF Verifier Log Leaks Lower Half of map Pointer / Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1251 When the eBPF verifier kernel/bpf/verifier.c runs in verbose mode, it dumps all processed instructions to a user-accessible buffer in human-readable form...
PlaySMS 1.4 - import.php Remote Code Execution
PlaySMS 1.4 - import.php Remote Code Execution Exploit Title: PlaySMS 1.4 Remote Code Execution using Phonebook import Function in import.php Date: 21-05-2017 Software Link: https://playsms.org/download/ Version: 1.4 Exploit Author: Touhid M.Shaikh Contact: http://twitter.com/touhidshaikh22...
Secure Auditor 3.0 - Directory Traversal
Secure Auditor 3.0 - Directory Traversal + Credits: John Page aka HYP3RLINX + Website: hyp3rlinx.altervista.org + Source: http://hyp3rlinx.altervista.org/advisories/SECURE-AUDITOR-v3.0-DIRECTORY-TRAVERSAL.txt + ISR: ApparitionSec Vendor: ==================== www.secure-bytes.com Product:...
KMCIS CaseAware - Cross-Site Scripting
KMCIS CaseAware - Cross-Site Scripting Exploit Title: CaseAware Cross Site Scripting Vulnerability Date: 20th May 2017 Exploit Author: justpentest Vendor Homepage: https://caseaware.com/ Version: All the versions Contact: [email protected] CVE : 2017-5631 Source:...
Mantis Bug Tracker 1.3.102.3.0 - Cross-Site Request Forgery
Mantis Bug Tracker 1.3.102.3.0 - Cross-Site Request Forgery + Credits: John Page a.k.a hyp3rlinx + Website: hyp3rlinx.altervista.org + Source: http://hyp3rlinx.altervista.org/advisories/MANTIS-BUG-TRACKER-CSRF-PERMALINK-INJECTION.txt + ISR: ApparitionSec Vendor: ================ www.mantisbt.org...
Belden Garrettcom 6K10K Switches - Authentication Bypass Memory Corruption
Belden Garrettcom 6K10K Switches - Authentication Bypass Memory Corruption Introduction ------------ Vulnerabilities were identified in the Belden GarrettCom 6K and 10KT Magnum series network switches. These were discovered during a black box assessment and therefore the vulnerability list should...
Joomla! 3.7.0 - com_fields SQL Injection
Joomla! 3.7.0 - comfields SQL Injection Exploit Title: Joomla 3.7.0 - Sql Injection Date: 05-19-2017 Exploit Author: Mateus Lino Reference: https://blog.sucuri.net/2017/05/sql-injection-vulnerability-joomla-3-7.html Vendor Homepage: https://www.joomla.org/ Version: = 3.7.0 Tested on: Win, Kali...
PlaySMS 1.4 - Remote Code Execution
PlaySMS 1.4 - Remote Code Execution Exploit Title: PlaySMS 1.4 Remote Code Execution to Poisoning admin log Date: 19-05-2017 Software Link: https://playsms.org/download/ Version: 1.4 Exploit Author: Touhid M.Shaikh Contact: http://twitter.com/touhidshaikh22 Website: http://touhidshaikh.com/...
Tecnovision DLX Spot - SSH Backdoor Access
Tecnovision DLX Spot - SSH Backdoor Access Exploit Title: DlxSpot - Player4 LED video wall - Hardcoded Root SSH Password. Google Dork: "DlxSpot - Player4" Date: 2017-05-14 Discoverer: Simon Brannstrom Authors Website: https://unknownpwn.github.io/ Vendor Homepage: http://www.tecnovision.com/...
Sure Thing Disc Labeler 6.2.138.0 - Buffer Overflow (PoC)
Sure Thing Disc Labeler 6.2.138.0 - Buffer Overflow PoC Exploit Title: Sure Thing Disc Labeler - Stack Buffer Overflow PoC Date: 5-19-17 Exploit Author: Chance Johnson [email protected] Vendor Homepage: http://www.surething.com/ Software Link: http://www.surething.com/disclabeler Version:...
Tecnovision DLX Spot - Authentication Bypass
Tecnovision DLX Spot - Authentication Bypass Exploit Title: DlxSpot - Player4 LED video wall - Admin Interface SQL Injection Google Dork: "DlxSpot - Player4" Date: 2017-05-14 Discoverer: Simon Brannstrom Authors Website: https://unknownpwn.github.io/ Vendor Homepage: http://www.tecnovision.com/...
ManageEngine ServiceDesk Plus 9.0 - Authentication Bypass
ManageEngine ServiceDesk Plus 9.0 - Authentication Bypass Title: ManageEngine ServiceDesk Plus Application Compromise Date: 19 May 2017 Researcher: Steven Lackey ByteM3 Product: ServiceDesk Plus http://www.manageengine.com/ Affected Version: 9.0 Other versions could also be affected Fixed Version...
D-Link DIR-600M Wireless N 150 - Authentication Bypass
D-Link DIR-600M Wireless N 150 - Authentication Bypass Exploit Title: D-Link DIR-600M Wireless N 150 Login Page Bypass Date: 19-05-2017 Software Link: http://www.dlink.co.in/products/?pid=DIR-600M Exploit Author: Touhid M.Shaikh Vendor : www.dlink.com Contact : http://twitter.com/touhidshaikh22...
SAP Business One for Android 1.2.3 - XML External Entity Injection
SAP Business One for Android 1.2.3 - XML External Entity Injection Exploit Title: Blind XXE XML External Entityin SAP Date of Disclosure: 17/05/2017 Author: Ravindra Singh Rathore Vendor Homepage: https://www.sap.com/products/business-one.html Product - SAP Business One Android Application Versio...
Tecnovision DLX Spot - Arbitrary File Upload
Tecnovision DLX Spot - Arbitrary File Upload Exploit Title: DlxSpot - Player4 LED video wall - Arbitrary File Upload to RCE Google Dork: "DlxSpot - Player4" Date: 2017-05-14 Discoverer: Simon Brannstrom Authors Website: https://unknownpwn.github.io/ Vendor Homepage: http://www.tecnovision.com/...
Oracle PeopleSoft - Server-Side Request Forgery
Oracle PeopleSoft - Server-Side Request Forgery Application: Oracle PeopleSoft Versions Affected: ToolsRelease: 8.55.03; ToolsReleaseDB: 8.55; PeopleSoft HCM 9.2 Vendor URL: http://oracle.com Bugs: SSRF Reported: 23.12.2016 Vendor response: 24.12.2016 Date of Public Advisory: 18.04.2017 Reference...
KDE 45 - KAuth Local Privilege Escalation
KDE 45 - KAuth Local Privilege Escalation // cc -Wall smb0k.c -pedantic -std=c11 // // smb4k PoC, also demonstrating broader scope of a generic kde // authentication bypass vulnerability // // C 2017 Sebastian Krahmer // define POSIXCSOURCE 200112L include include include include include include...
INFOR EAM 11.0 Build 201410 - filtervalue SQL Injection
INFOR EAM 11.0 Build 201410 - filtervalue SQL Injection SQL injection in INFOR EAM V11.0 Build 201410 search fields web/base/.. via filtervalue parameter ------------------- Assigned CVE: CVE-2017-7952 Reproduction steps: ------------------- 1. Log in with your EAM account 2. Go to any page with ...
Apple iOS 10.3.2 - Notifications API Denial of Service
Apple iOS 10.3.2 - Notifications API Denial of Service Exploit Title: Apple iOS 10.3.2 - Notifications API Denial of Service Date: 05-15-2017 Exploit Author: Sem Voigtländer @OxFEEDFACE, Vincent Desmurs @vincedes3 and Joseph Shenton Vendor Homepage: https://apple.com Software Link:...
Microsoft Windows - COM Aggregate MarshalerIRemUnknown2 Type Confusion Privilege Escalation
Microsoft Windows - COM Aggregate MarshalerIRemUnknown2 Type Confusion Privilege Escalation / Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1107 Windows: COM Aggregate Marshaler/IRemUnknown2 Type Confusion EoP Platform: Windows 10 10586/14393 not tested 8.1 Update 2 Class:...
Microsoft Windows - Running Object Table Register ROTFLAGS_ALLOWANYCLIENT Privilege Escalation
Microsoft Windows - Running Object Table Register ROTFLAGSALLOWANYCLIENT Privilege Escalation Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1112 Windows: Running Object Table Register ROTFLAGSALLOWANYCLIENT EoP Platform: Windows 10 10586/14393 not tested 8.1 Update 2 or Window...
Mozilla Firefox 50 55 - Stack Overflow Denial of Service
Mozilla Firefox 50 55 - Stack Overflow Denial of Service function done var x = ''; for i=0; i'; var uri = 'data:image/svg+xml,' + x; var i = new Image; i.src = uri; !-- Visiting https://bugzilla.mozilla.org/attachment.cgi?id=8817075 may likely crash your browser tab. Debug Information:...
Oracle PeopleSoft Enterprise PeopleTools 8.55 - Remote Code Execution Via Blind XML External Entity
Oracle PeopleSoft Enterprise PeopleTools 8.55 - Remote Code Execution Via Blind XML External Entity !/usr/bin/python3 Oracle PeopleSoft SYSTEM RCE https://www.ambionics.io/blog/oracle-peoplesoft-xxe-to-rce cf 2017-05-17 import requests import urllib.parse import re import string import random...
Adobe Flash - AVC Deblocking Out-of-Bounds Read
Adobe Flash - AVC Deblocking Out-of-Bounds Read Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1171 The attached swf triggers an out-of-bounds read in AVC deblocking. Proof of Concept: https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/42017.zip...
INFOR EAM 11.0 Build 201410 - Persistent Cross-Site Scripting via Comment Fields
INFOR EAM 11.0 Build 201410 - Persistent Cross-Site Scripting via Comment Fields Stored XSS in INFOR EAM V11.0 Build 201410 via comment fields ------------------- Assigned CVE: CVE-2017-7953 Reproduction steps: ------------------- 1. Log in with your EAM account 2. Go to the jobs page 3. Click on...
Oracle PeopleSoft - XML External Entity to SYSTEM Remote Code Execution
Oracle PeopleSoft - XML External Entity to SYSTEM Remote Code Execution !/usr/bin/python3 Oracle PeopleSoft SYSTEM RCE https://www.ambionics.io/blog/oracle-peoplesoft-xxe-to-rce cf 2017-05-17 import requests import urllib.parse import re import string import random import sys from...
Adobe Flash - Out-of-Bounds Read in Getting TextField Width
Adobe Flash - Out-of-Bounds Read in Getting TextField Width Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1211 The attached swf causes an out-of-bounds read in getting the width of a TextField. Proof of Concept:...
Adobe Flash - Margin Handling Heap Corruption
Adobe Flash - Margin Handling Heap Corruption Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1174 The attached fuzzed swf causes a crash due to heap corruption when processing the margins of a rich text field. Proof of Concept:...
Microsoft Windows 72008 R2 - EternalBlue SMB Remote Code Execution (MS17-010)
Microsoft Windows 72008 R2 - EternalBlue SMB Remote Code Execution MS17-010 !/usr/bin/python from impacket import smb from struct import pack import sys import socket ''' EternalBlue exploit for Windows 7/2008 by sleepya The exploit might FAIL and CRASH a target system depended on what is...
Microsoft Windows 88.12012 R2 (x64) - EternalBlue SMB Remote Code Execution (MS17-010)
Microsoft Windows 88.12012 R2 x64 - EternalBlue SMB Remote Code Execution MS17-010 !/usr/bin/python from impacket import smb, ntlm from struct import pack import sys import socket ''' EternalBlue exploit for Windows 8 and 2012 by sleepya The exploit might FAIL and CRASH a target system depended o...
Mailcow 0.14 - Cross-Site Request Forgery
Mailcow 0.14 - Cross-Site Request Forgery + Credits: John Page a.k.a hyp3rlinx + Website: hyp3rlinx.altervista.org + Source: http://hyp3rlinx.altervista.org/advisories/MAILCOW-v0.14-CSRF-PASSWORD-RESET-ADD-ADMIN.txt + ISR: ApparitionSec Vendor: ============= mailcow.email mailcow.github.io Produc...
LabF nfsAxe 3.7 FTP Client - Remote Buffer Overflow (SEH)
LabF nfsAxe 3.7 FTP Client - Remote Buffer Overflow SEH !/usr/bin/python print "LabF nfsAxe 3.7 FTP Client Buffer Overflow SEH" print "Author: Tulpa / tulpaattulpa-securitydotcom" Author website: www.tulpa-security.com Author twitter: @tulpasecurity Tested on Windows Vista x86 import socket impor...
Microsoft Windows 7 Kernel - Pool-Based Out-of-Bounds Reads Due to bind() Implementation Bugs in afd.sys tcpip.sys
Microsoft Windows 7 Kernel - Pool-Based Out-of-Bounds Reads Due to bind Implementation Bugs in afd.sys tcpip.sys Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1127 We have identified two related bugs in Windows kernel code responsible for implementing the bind socket function,...