56796 matches found
Windows Kernel double fetches in win32kfull!xxxImeWindowPosChanged and win32kfull!InternalRebuildHwndListForIMEClass( CVE-2018-0809)
We have noticed the following code in the win32kfull!xxxImeWindowPosChanged function on Windows 10 version 1709 32-bit listing from the IDA Pro disassembler: .text:000485A4 ; try // except at locF3502 .text:000485A4 mov ebp+msexc.registration.TryLevel, 0 .text:000485AB mov eax, ecx .text:000485AD...
XXE Zeroday Vulnerability in HP PPM
Intro: XXE Zeroday Vulnerability in HP PPM Researchers at Rhino Security Labs discovered an XXE vulnerability in the way HP Project and Portfolio Management Center HP PPM processed imported tickets. Specifically, an XML external entity injection vulnerability allows an attacker to exploit the...
Windows: StorSvc SvcMoveFileInheritSecurity Arbitrary File Creation EoP(CVE-2018-0826)
Windows: StorSvc SvcMoveFileInheritSecurity Arbitrary File Creation EoP Platform: Windows 10 1709 not tested earlier versions Class: Elevation of Privilege Summary: The SvcMoveFileInheritSecurity RPC method in StorSvc can be used to move an arbitrary file to an arbitrary location resulting in...
IE11: Use-after-free in String.localeCompare
There is a Use-after-free vulnerability in Internet Explorer that could potentially be used for memory disclosure. This was tested on IE11 running on Window 7 64-bit with the latest patches applied. PoC: var vars = new Array2; function main vars0 = new Array1000000; vars1 =...
Windows Kernel 64-bit stack memory disclosure in win32k!SfnINLPHELPINFOSTRUCT (via user-mode callback)(CVE-2018-0810)
We have discovered that a user-mode callback invoked by the win32k!SfnINLPHELPINFOSTRUCT function via KeUserModeCallback leads to the disclosure of uninitialized stack memory to user-mode clients, due to compiler-introduced structure padding. The vulnerability affects Windows 7 64-bit; other...
IE11: Use-after-free in String.lastIndexOf(CVE-2018-0866)
There is a Use-after-free vulnerability in Internet Explorer that could potentially be used for memory disclosure. This was tested on IE11 running on Window 7 64-bit with the latest patches applied. PoC: var vars = new Array2; function main vars0 = new Array1000000; vars1 =...
Windows Kernel stack memory disclosure in nt!RtlpCopyLegacyContextX86(CVE-2018-0832)
We have discovered a new Windows kernel memory disclosure vulnerability in the creation and copying of a CONTEXT structure to user-mode memory. Two previous bugs in the nearby code area were reported in issues 1177 and 1311 ; in fact, the problem discussed here appears to be a variant of 1177 but...
Windows: Constrained Impersonation Capability EoP(CVE-2018-0821)
Windows: Constrained Impersonation Capability EoP Platform: Windows 10 1703/1709 not tested earlier versions Class: Elevation of Privilege Summary: It’s possible to use the constrained impersonation capability added in Windows 10 to impersonate a lowbox SYSTEM token leading to EoP. Description:...
Windows: Global Reparse Point Security Feature Bypass/Elevation of Privilege(CVE-2018-0822)
Windows: Global Reparse Point Security Feature Bypass/Elevation of Privilege Platform: Windows 10 1709 functionality not present prior to this version Class: Security Feature Bypass/Elevation of Privilege Summary: It’s possible to use the new Global Reparse Point functionality introduced in Windo...
Cisco RV132W Multiple Vulnerabilities(CVE-2018-0125/CVE-2018-0127)
Vulnerabilities Summary The following advisory describes two 2 vulnerabilities found in Cisco RV132W Wireless N VPN version 1.0.1.8 The Cisco RV132W Wireless-N ADSL2+ VPN Router is “easy to use, set up, and deploy. This flexible router offers great performance and is suited for small or home...
Multiple IoT Vendors – Multiple Vulnerabilities
Vulnerabilities summary The following advisory describes three 3 vulnerabilities found in the following vendors: Lorex StarVedia Eminent Kraun The vulnerabilities found: Hard-coded credentials Remote command injection 2 It is possible to chain the vulnerabilities and to achieve unauthenticated...
Apache JMeter uses an unsecure RMI connection in Distributed mode
Severity: Important Vendor: The Apache Software Foundation Versions Affected: JMeter 2.X, 3.X Description 0: When using Distributed Test only RMI based, jmeter uses an unsecured RMI connection. This could allow an attacker to get Access to JMeterEngine and send unauthorized code. This only affect...
CloudMe Unauthenticated Remote Buffer Overflow(CVE-2018-6892)
The following advisory describes one 1 vulnerability found in CloudMe. CloudMe is “a file storage service operated by CloudMe AB that offers cloud storage, file synchronization and client software. It features a blue folder that appears on all devices with the same content, all files are...
TrendNet AUTHORIZED_GROUP Information Disclosure
Vulnerability Summary The following advisory describes an information disclosure found in the following TrendNet routers: TEW-751DR – v1.03B03 TEW-752DRU – v1.03B01 TEW733GR – v1.03B01 TRENDnet’s “N600 Dual Band Wireless Router, model TEW-751DR, offers proven concurrent Dual Band 300 Mbps Wireles...
Adobe Flash Player Use After Free Remote Code Execution Vulnerability(CVE-2018-4878)
EXECUTIVE SUMMARY The 1st of February, Adobe published an advisory concerning a Flash vulnerability CVE-2018-4878. This vulnerability is a use after free that allows Remote Code Execute through a malformed Flash object. Additionally KISA Korean CERT published an advisory about a Flash 0-day used ...
zzcms 8.2 任意用户密码修改
zzcms 8.2 任意用户密码修改 漏洞描述 zzcms是一款企业建站程序。 zzcms 8.2版本/one/getpassword.php文件存在漏洞,攻击者可利用该漏洞修改任意用户密码。 漏洞分析 /one/getpassword.php文件第 73行,触发漏洞的关键代码。 elseif$action=="step3" && @$SESSION'username'!='' $passwordtrue = isset$POST'password'?$POST'password':""; $password=md5trim$passwordtrue; query"update...
Geovision IP Camera Multiple Remote Command Execution - Multiple Stack Overflow - Double free - Unauthorized Access
Subject: Geovision Inc. IP Camera/Video/Access Control Multiple Remote Command Execution - Multiple Stack Overflow - Double free - Unauthorized Access Attack vector: Remote Authentication: Anonymous no credentials needed Researcher: bashis November 2017 PoC: https://github.com/mcw0/PoC Python PoC...
WordPress Core - 'load-scripts.php' Denial of Service(CVE-2018-6389)
According to wordpress.com, the WordPress platform powers 29% of the worldwide internet websites. In this article I am going to explain how Denial of Service can easily be caused to almost any WordPress website online, and how you can patch your WordPress website in order to avoid this...
HPE Integrated Lights-Out 4 Remote Code Execution Vulnerability(CVE-2017-12542)
Subverting your server through its BMC: the HPE iLO4 case ========================================================= Introduction ------------ iLO is the server management solution embedded in almost every HP servers for more than 10 years. It provides every feature required by a system...
Kaspersky Secure Mail Gateway Multiple Vulnerabilities
Advisory Information Title: Kaspersky Secure Mail Gateway Multiple Vulnerabilities Advisory ID: CORE-2017-0010 Advisory URL: http://www.coresecurity.com/advisories/kaspersky-secure-mail-gateway-multiple-vulnerabilities Date published: 2018-02-01 Date of last update: 2018-02-01 Vendors contacted:...
OpenNMS Java Object Deserialization RCE
! /usr/bin/env python3 Credits: http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/opennms nessus/plugins/opennmsjavaserialize.nasl cobbled together by pancho import socket import sys def buildcmd:...
PHPSHE 1.6 userbank sql注入
PHPSHE 1.6 userbank sql注入 漏洞描述 PHPSHE商城系统是将商品展示、在线购物、订单管理、支付管理、文章管理、客户咨询反馈等功能相结合,为用户提供了网上商城建设方案。 PHPSHE开源商城系统userbank页面存在SQL注入漏洞,由于系统未能对用户输入的参数进行严格过滤。攻击者可利用该漏洞获取数据库敏感信息。 漏洞分析 www/module/admin/userbank.php 文件 存在漏洞 default: $gname && $sqlwhere .= " and username like '%$gname%'"; $gtname && $sqlwher...
PHP CVE-2018-5711 - Hanging Websites by a Harmful GIF
Recently, I reviewed several Web frameworks and language implementations, and found some vulnerabilities. This is an simple and interesting case, and seems easy to exploit in real world! Affected All PHP version PHP 5 firstcode = sd-oldcode = 461 GetCodefd, &sd-scd, sd-codesize, FALSE,...
Oracle Financial Services Analytical Applications 7.3.5.x / 8.0.x XXE Injection(CVE-2018-2660) / XSS(CVE-2018-2661)
Vendor description: ------------------- "Oracle is the unchallenged leader in Financial Services, with an integrated, best-in-class, end-to-end solution of intelligent software and powerful hardware designed to meet every financial service need." Source:...
BMC BladeLogic RSCD Agent 8.3.00.64 - Windows Users Disclosure
Exploit Title: BMC BladeLogic RSCD agent get Windows users Filename: BMCwinUsers.py Github: https://github.com/bao7uo/bmcbladelogic Date: 2018-01-27 Exploit Author: Paul Taylor / Foregenix Ltd Website: http://www.foregenix.com/blog Version: BMC RSCD agent 8.3.00.64 CVE: CVE-2016-5063 Vendor...
BMC BladeLogic 8.3.00.64 - Remote Command Execution
Exploit Title: BMC BladeLogic RSCD agent remote exec - XMLRPC version Filename: BMCrexec.py Github: https://github.com/bao7uo/bmcbladelogic Date: 2018-01-24 Exploit Author: Paul Taylor / Foregenix Ltd Website: http://www.foregenix.com/blog Version: BMC RSCD agent 8.3.00.64 CVE: CVE-2016-1542...
Cisco Adaptive Security Appliance Remote Code Execution and Denial of Service Vulnerability
Summary A vulnerability in the Secure Sockets Layer SSL VPN functionality of the Cisco Adaptive Security Appliance ASA Software could allow an unauthenticated, remote attacker to cause a reload of the affected system or to remotely execute code. The vulnerability is due to an attempt to double fr...
HiSilicon Multiple Vulnerabilities
HiSilicon DVR hack This report discloses serious vulnerabilities with proof of concept PoC code of DVR/NVR devices built using the HiSilicon hi3520d and similar system on a chip SoC. Exploiting the vulnerabilities lead to unauthorized remote code execution RCE using only the web interface, causin...
SEC Consult SA-20180131-0 :: Multiple Vulnerabilities in Sprecher Automation SPRECON-E-C, PU-2433
VENDOR DESCRIPTION “Sprecher Automation GmbH offers switchgears and automation solutions for energy, industry and infrastructure processes. Our customers are power utilities, industries, transportation companies, municipal utilities and public institutions. Company-own developments and cooperatio...
Hotspot Shield Information Disclosure
Vulnerability Summary The following advisory describes a information disclosure found in Hotspot Shield. Hotspot Shield “provides secure and private access to a free and open internet. Enabling access to social networks, sports, audio and video streaming, news, dating, gaming wherever you are.”...
WebKit: UXSS via ContainerNode::parserInsertBefore(CVE-2017-2508)
VULNERABILITY DETAILS From /WebKit/Source/core/dom/ContainerNode.cpp: void ContainerNode::parserInsertBeforePassRefPtrWillBeRawPtr newChild, Node& nextChild ... while RefPtrWillBeRawPtr parent = newChild-parentNode parent-parserRemoveChildnewChild; if document != newChild-document...
iBall Multiple Vulnerabilities
Vulnerabilities summary The following advisory describes two 2 vulnerabilities found in iB-WRA150N devices, firmware 1.2.6 build 110401 Rel.47776n. iB-WRA150N is “a powerful solution to Internet connectivity at home, small offices and work stations. The key is if you are using an ADSL2+ connectio...
chrome:window.external leaks global object + allows cross origin script access
We use a static local for the External object But that both leaks the entire global object in the wrapper stored inside the External and also means that doing: js // main page. window.external.foo = function alert1 document.body.innerHTML = "" // inside example.com: window.external.foo // alert...
chrome: UXSS in DocumentLoader::createWriterFor
Details: thirdparty/WebKit/Source/core/loader/DocumentLoader.cpp:735: cpp PassRefPtrWillBeRawPtr DocumentLoader::createWriterForconst Document ownerDocument, const DocumentInit& init, const AtomicString& mimeType, const AtomicString& encoding, bool dispatch, ParserSynchronizationPolicy...
chrome:Persistent UXSS via SchemaRegistry(CVE-2016-1676)
Chrome version: 50.0.2661.75 and still present on current HEAD, 52.0.2713.0 The SchemaRegistry stores extension API schemas in a single v8::Context that lives until the RenderThread =process? is destroyed. Due to vulnerabilities in binding.js, these objects can be intercepted by malicious web...
Trend Micro Threat Discovery Appliance 2.6.1062r1 - 'dlp_policy_upload.cgi' Remote Code Execution
Summary: The vulnerabity is that the dlppolicyupload.cgi allows the upload of a zip file, located statically as: /var/dlppolicy.zip. The problem is that we can then get that file extracted using admindlp.cgi. This gets extracted into 2 locations: - /engptnstores/prod/sensorSDK/data/ -...
chrome:Cross-origin object leak via fetch
VULNERABILITY DETAILS The promise returned by fetch.callcrossOriginWindow is created in the cross-origin context. Direct cross-origin scripting is not possible because cross-origin function constructors don't work anymore issue 541703 . But the attacker can e.g. call other functions of the...
chrome:UXSS via window.open() via file:// pages
VERSION Chrome Version: 51.0.2675.0 canary Operating System: windows 7 Actually I'm not sure about if this's a security issue because I can repro this just when I use the testcase from local file:/// and when I try it from server 'http://' doesn't repro. Please watch the video for the steps...
javascript: url with a leading NULL byte can bypass cross origin protection.
javascript: url with a leading NULL byte can bypass cross origin protection. Well, it's not exactly StartsWith, but the same thing for all intents and purposes. In BindingDOMWindow::createWindow there's a call to protocolIsJavaScript, which is a thin wrapper over protocolIs, which is basically ju...
Libc Realpath缓冲区下溢漏洞(CVE-2018-1000001)
Introduction The vulnerability described here is caused by Linux kernel behaviour change in the syscall API returning relative pathnames in getcwd and non-defensive function implementation in libc failing to process that pathname correctly. Other libraries are very likely to be affected as well. ...
Oracle VirtualBox Multiple Guest to Host Escape Vulnerabilities(CVE-2018-2698)
Vulnerabilities summary The following advisory describes two 2 guest to host escape found in Oracle VirtualBox version 5.1.30, and VirtualBox version 5.2-rc1. Credit An independent security researcher, Niklas Baumstark, has reported this vulnerability to Beyond Security’s SecuriTeam Secure...
Remote Code Execution on the Smiths Medical Medfusion 4000
Remote Code Execution on the Smiths Medical Medfusion 4000 In which we detail the process of vulnerability research on a life critical embedded system: a medical infusion pump. Table of Contents Remote Code Execution on the Smiths Medical Medfusion 4000 Table of Contents Summary Introduction Why ...
Asus Unauthenticated LAN Remote Command Execution
Vulnerabilities Summary The following advisory describes two 2 vulnerabilities found in AsusWRT Version 3.0.0.4.380.7743. The combination of the vulnerabilities leads to LAN remote command execution on any Asus router. AsusWRT is “THE POWERFUL USER-FRIENDLY INTERFACE – The enhanced ASUSWRT...
xiuno bbs xss漏洞
Xiuno BBS 4.0.0 后台xss 漏洞 1、什么是 Xiuno BBS 4.0? 它是一款国产、小巧、稳定、支持在大数据量下仍然保持高负载能力的轻论坛。它只有 20 多个表,源代码压缩后 1M 左右,运行速度非常快,处理单次请求在 0.01 秒级别,在有 APC、Yac、XCache 的环境下可以跑到 0.00x 秒,对第三方类库依赖少,作者认为它就像一辆纯手工打造的法拉利,动力强劲,没有一丝赘肉,方便部署和维护,是一个非常好的二次开发的基石。 2,漏洞详情 Xiuno BBS 4.0.0 后台 设置-基本设置- 站点名称 过滤不严 存在xss漏洞。 站点名称处输入xss...
Microsoft Edge: Chakra: Incorrect scope handling(CVE-2018-0774)
PoC: function funcarg = function printfunc; // SetHasOwnLocalInClosure should be called for the param scope in the PostVisitFunction function. printfunc; function func ; Chakra fails to distinguish whether the function is referenced in the param scope and ends up to emit an invalid opcode. functi...
Microsoft Edge: Chakra: JavascriptGeneratorFunction::GetPropertyBuiltIns exposes scriptFunction(CVE-2017-11914)
Here's a snippet of the method. bool JavascriptGeneratorFunction::GetPropertyBuiltInsVar originalInstance, PropertyId propertyId, Var value, PropertyValueInfo info, ScriptContext requestContext, BOOL result if propertyId == PropertyIds::length ... int len = 0; Var varLength; if...
D-Link DNS-343 ShareCenter < 1.05 - Command Injection
Introduction The purpose of this article is to detail the research that I have recently completed regarding the D-Link DNS 343 ShareCenter. Background The D-Link ShareCenter 4-Bay Network Storage Enclosure DNS-343 connects to your network instead of to a computer so everyone on your network can...
D-Link DNS-325 ShareCenter < 1.05B03 - Multiple Vulnerabilities
Table of contents 00 - Introduction 00.1 Background 01 - Unrestricted File Upload 01.1 - Vulnerable code analysis 01.2 - Remote exploitation 02 - Command Injection 02.1 - Vulnerable code analysis 02.2 - Remote exploitation 03 - Credit 04 - Proof of concept 05 - Solution 06 - Contact information 0...
Master IP CAM 01 Vulnerabilities
Some time ago I analized this ipcam with my friend Dzonerzy: var serialNum="VVVIPCSBC150617Z-06929VjmJH54vkK"; var model="RTIPC"; var hardVersion="5900-gc1004"; var softVersion="V3.3.4.2103-S50-SBC-B20150721E"; var ipcname="WIFICAM"; var startdate="2017-8-5 0:0:2"; var runtimes="0 day, 0:54"; var...
Microsoft Edge: Chakra: OOB read in AppendLeftOverItemsFromEndSegment(CVE-2018-0767)
Here's a snippet of AppendLeftOverItemsFromEndSegment in JavascriptArray.inl. growby = endSeg-length; current = current-GrowByMinrecycler, growby; CopyArraycurrent-elements + endIndex + 1, endSeg-length, Js::SparseArraySegmentendSeg-elements, endSeg-length;...