IE11: Use-after-free in String.lastIndexOf(CVE-2018-0866)
There is a Use-after-free vulnerability in Internet Explorer that could potentially be used for memory disclosure. This was tested on IE11 running on Windows 7 64-bit with the latest patches applied. PoC: var vars = new Array2; function main vars0 = new Array1000000; vars1 =...
IE11: Use-after-free in String.localeCompare
There is a Use-after-free vulnerability in Internet Explorer that could potentially be used for memory disclosure. This was tested on IE11 running on Windows 7 64-bit with the latest patches applied. PoC: var vars = new Array2; function main vars0 = new Array1000000; vars1 =...
Windows Kernel double fetches in win32kfull!xxxImeWindowPosChanged and win32kfull!InternalRebuildHwndListForIMEClass( CVE-2018-0809)
We have noticed the following code in the win32kfull!xxxImeWindowPosChanged function on Windows 10 version 1709 32-bit listing from the IDA Pro disassembler: .text:000485A4 ; try // except at locF3502 .text:000485A4 mov ebp+msexc.registration.TryLevel, 0 .text:000485AB mov eax, ecx .text:000485AD...
Windows: NPFS Symlink Security Feature Bypass/Elevation of Privilege/Dangerous Behavior(CVE-2018-0823)
Windows: NPFS Symlink Security Feature Bypass/Elevation of Privilege/Dangerous Behavior Platform: Windows 10 1709 functionality not present prior to this version Class: Security Feature Bypass/Elevation of Privilege/Dangerous Behavior Summary: It’s possible to create NPFS symlinks as a low IL or...
Windows Kernel stack memory disclosure in nt!RtlpCopyLegacyContextX86(CVE-2018-0832)
We have discovered a new Windows kernel memory disclosure vulnerability in the creation and copying of a CONTEXT structure to user-mode memory. Two previous bugs in the nearby code area were reported in issues 1177 and 1311; in fact, the problem discussed here appears to be a variant of 1177 but...
Windows Kernel 64-bit stack memory disclosure in win32k!SfnINLPHELPINFOSTRUCT (via user-mode callback)(CVE-2018-0810)
We have discovered that a user-mode callback invoked by the win32k!SfnINLPHELPINFOSTRUCT function via KeUserModeCallback leads to the disclosure of uninitialized stack memory to user-mode clients, due to compiler-introduced structure padding. The vulnerability affects Windows 7 64-bit; other...
Windows: Global Reparse Point Security Feature Bypass/Elevation of Privilege(CVE-2018-0822)
Windows: Global Reparse Point Security Feature Bypass/Elevation of Privilege Platform: Windows 10 1709 functionality not present prior to this version Class: Security Feature Bypass/Elevation of Privilege Summary: It’s possible to use the new Global Reparse Point functionality introduced in Windo...
XXE Zeroday Vulnerability in HP PPM
Intro: XXE Zeroday Vulnerability in HP PPM Researchers at Rhino Security Labs discovered an XXE vulnerability in the way HP Project and Portfolio Management Center (HP PPM) processed imported tickets. Specifically, an XML external entity injection vulnerability allows an attacker to exploit the...
Windows: StorSvc SvcMoveFileInheritSecurity Arbitrary File Creation EoP(CVE-2018-0826)
Windows: StorSvc SvcMoveFileInheritSecurity Arbitrary File Creation EoP Platform: Windows 10 1709 not tested earlier versions Class: Elevation of Privilege Summary: The SvcMoveFileInheritSecurity RPC method in StorSvc can be used to move an arbitrary file to an arbitrary location resulting in...
Apache JMeter uses an unsecure RMI connection in Distributed mode
Severity: Important Vendor: The Apache Software Foundation Versions Affected: JMeter 2.X, 3.X Description: When using Distributed Test (RMI based only), JMeter uses an unsecured RMI connection. This could allow an attacker to get access to JMeterEngine and send unauthorized code. This only affect...
TrendNet AUTHORIZED_GROUP Information Disclosure
Vulnerability Summary The following advisory describes an information disclosure found in the following TrendNet routers: TEW-751DR – v1.03B03 TEW-752DRU – v1.03B01 TEW733GR – v1.03B01 TRENDnet’s “N600 Dual Band Wireless Router, model TEW-751DR, offers proven concurrent Dual Band 300 Mbps Wireles...
Multiple IoT Vendors – Multiple Vulnerabilities
Vulnerabilities summary The following advisory describes three (3) vulnerabilities found in the following vendors: Lorex StarVedia Eminent Kraun The vulnerabilities found: Hard-coded credentials Remote command injection (2) It is possible to chain the vulnerabilities and to achieve unauthenticated...
Adobe Flash Player Use After Free Remote Code Execution Vulnerability(CVE-2018-4878)
EXECUTIVE SUMMARY On the 1st of February, Adobe published an advisory concerning a Flash vulnerability, CVE-2018-4878. This vulnerability is a use after free that allows Remote Code Execution through a malformed Flash object. Additionally, KISA (Korean CERT) published an advisory about a Flash 0-day used ...
CloudMe Unauthenticated Remote Buffer Overflow(CVE-2018-6892)
The following advisory describes one (1) vulnerability found in CloudMe. CloudMe is “a file storage service operated by CloudMe AB that offers cloud storage, file synchronization and client software. It features a blue folder that appears on all devices with the same content, all files are...
Cisco RV132W Multiple Vulnerabilities(CVE-2018-0125/CVE-2018-0127)
Vulnerabilities Summary The following advisory describes two (2) vulnerabilities found in Cisco RV132W Wireless N VPN version 1.0.1.8. The Cisco RV132W Wireless-N ADSL2+ VPN Router is “easy to use, set up, and deploy. This flexible router offers great performance and is suited for small or home...
zzcms 8.2 Arbitrary User Password Modification
zzcms 8.2 Arbitrary User Password Modification Vulnerability description: zzcms is an enterprise website-building program. The file /one/getpassword.php in zzcms 8.2 contains a vulnerability that an attacker can exploit to change any user's password. Vulnerability analysis: line 73 of /one/getpassword.php is the key code that triggers the vulnerability. elseif$action=="step3" && @$SESSION'username'!='' $passwordtrue = isset$POST'password'?$POST'password':""; $password=md5trim$passwordtrue; query"update...
WordPress Core - 'load-scripts.php' Denial of Service(CVE-2018-6389)
According to wordpress.com, the WordPress platform powers 29% of the worldwide internet websites. In this article I am going to explain how Denial of Service can easily be caused to almost any WordPress website online, and how you can patch your WordPress website in order to avoid this...
Geovision IP Camera Multiple Remote Command Execution - Multiple Stack Overflow - Double free - Unauthorized Access
Subject: Geovision Inc. IP Camera/Video/Access Control Multiple Remote Command Execution - Multiple Stack Overflow - Double free - Unauthorized Access Attack vector: Remote Authentication: Anonymous (no credentials needed) Researcher: bashis November 2017 PoC: https://github.com/mcw0/PoC Python PoC...
Kaspersky Secure Mail Gateway Multiple Vulnerabilities
Advisory Information Title: Kaspersky Secure Mail Gateway Multiple Vulnerabilities Advisory ID: CORE-2017-0010 Advisory URL: http://www.coresecurity.com/advisories/kaspersky-secure-mail-gateway-multiple-vulnerabilities Date published: 2018-02-01 Date of last update: 2018-02-01 Vendors contacted:...
HPE Integrated Lights-Out 4 Remote Code Execution Vulnerability(CVE-2017-12542)
Subverting your server through its BMC: the HPE iLO4 case ========================================================= Introduction ------------ iLO is the server management solution embedded in almost every HP server for more than 10 years. It provides every feature required by a system...
OpenNMS Java Object Deserialization RCE
#!/usr/bin/env python3 Credits: http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/opennms nessus/plugins/opennmsjavaserialize.nasl cobbled together by pancho import socket import sys def buildcmd:...
PHP CVE-2018-5711 - Hanging Websites by a Harmful GIF
Recently, I reviewed several Web frameworks and language implementations, and found some vulnerabilities. This is a simple and interesting case, and seems easy to exploit in the real world! Affected: All PHP versions PHP 5 firstcode = sd-oldcode = 461 GetCodefd, &sd-scd, sd-codesize, FALSE,...
PHPSHE 1.6 userbank SQL Injection
PHPSHE 1.6 userbank SQL Injection Vulnerability description: The PHPSHE shop system combines product display, online shopping, order management, payment management, article management, customer inquiry and feedback, and other functions to provide users with an online shop building solution. The userbank page of the PHPSHE open-source shop system contains a SQL injection vulnerability because the system does not strictly filter user-supplied parameters. An attacker can exploit this vulnerability to obtain sensitive information from the database. Vulnerability analysis: the file www/module/admin/userbank.php contains the vulnerability: default: $gname && $sqlwhere .= " and username like '%$gname%'"; $gtname && $sqlwher...
Oracle Financial Services Analytical Applications 7.3.5.x / 8.0.x XXE Injection(CVE-2018-2660) / XSS(CVE-2018-2661)
Vendor description: ------------------- "Oracle is the unchallenged leader in Financial Services, with an integrated, best-in-class, end-to-end solution of intelligent software and powerful hardware designed to meet every financial service need." Source:...
BMC BladeLogic 8.3.00.64 - Remote Command Execution
Exploit Title: BMC BladeLogic RSCD agent remote exec - XMLRPC version Filename: BMCrexec.py Github: https://github.com/bao7uo/bmcbladelogic Date: 2018-01-24 Exploit Author: Paul Taylor / Foregenix Ltd Website: http://www.foregenix.com/blog Version: BMC RSCD agent 8.3.00.64 CVE: CVE-2016-1542...
BMC BladeLogic RSCD Agent 8.3.00.64 - Windows Users Disclosure
Exploit Title: BMC BladeLogic RSCD agent get Windows users Filename: BMCwinUsers.py Github: https://github.com/bao7uo/bmcbladelogic Date: 2018-01-27 Exploit Author: Paul Taylor / Foregenix Ltd Website: http://www.foregenix.com/blog Version: BMC RSCD agent 8.3.00.64 CVE: CVE-2016-5063 Vendor...
Hotspot Shield Information Disclosure
Vulnerability Summary The following advisory describes an information disclosure found in Hotspot Shield. Hotspot Shield “provides secure and private access to a free and open internet. Enabling access to social networks, sports, audio and video streaming, news, dating, gaming wherever you are.”...
Cisco Adaptive Security Appliance Remote Code Execution and Denial of Service Vulnerability
Summary A vulnerability in the Secure Sockets Layer (SSL) VPN functionality of the Cisco Adaptive Security Appliance (ASA) Software could allow an unauthenticated, remote attacker to cause a reload of the affected system or to remotely execute code. The vulnerability is due to an attempt to double fr...
HiSilicon Multiple Vulnerabilities
HiSilicon DVR hack This report discloses serious vulnerabilities with proof of concept (PoC) code of DVR/NVR devices built using the HiSilicon hi3520d and similar system on a chip (SoC). Exploiting the vulnerabilities leads to unauthorized remote code execution (RCE) using only the web interface, causin...
SEC Consult SA-20180131-0 :: Multiple Vulnerabilities in Sprecher Automation SPRECON-E-C, PU-2433
VENDOR DESCRIPTION “Sprecher Automation GmbH offers switchgears and automation solutions for energy, industry and infrastructure processes. Our customers are power utilities, industries, transportation companies, municipal utilities and public institutions. Company-own developments and cooperatio...
javascript: url with a leading NULL byte can bypass cross origin protection.
javascript: url with a leading NULL byte can bypass cross origin protection. Well, it's not exactly StartsWith, but the same thing for all intents and purposes. In BindingDOMWindow::createWindow there's a call to protocolIsJavaScript, which is a thin wrapper over protocolIs, which is basically ju...
chrome:Persistent UXSS via SchemaRegistry(CVE-2016-1676)
Chrome version: 50.0.2661.75 and still present on current HEAD, 52.0.2713.0 The SchemaRegistry stores extension API schemas in a single v8::Context that lives until the RenderThread (=process?) is destroyed. Due to vulnerabilities in binding.js, these objects can be intercepted by malicious web...
chrome:UXSS via window.open() via file:// pages
VERSION Chrome Version: 51.0.2675.0 canary Operating System: windows 7 Actually I'm not sure if this is a security issue because I can repro this only when I use the testcase from a local file:/// and when I try it from a server ('http://') it doesn't repro. Please watch the video for the steps...
Trend Micro Threat Discovery Appliance 2.6.1062r1 - 'dlp_policy_upload.cgi' Remote Code Execution
Summary: The vulnerability is that dlppolicyupload.cgi allows the upload of a zip file, located statically as: /var/dlppolicy.zip. The problem is that we can then get that file extracted using admindlp.cgi. This gets extracted into 2 locations: - /engptnstores/prod/sensorSDK/data/ -...
chrome:Cross-origin object leak via fetch
VULNERABILITY DETAILS The promise returned by fetch.callcrossOriginWindow is created in the cross-origin context. Direct cross-origin scripting is not possible because cross-origin function constructors don't work anymore (issue 541703). But the attacker can e.g. call other functions of the...
WebKit: UXSS via ContainerNode::parserInsertBefore(CVE-2017-2508)
VULNERABILITY DETAILS From /WebKit/Source/core/dom/ContainerNode.cpp: void ContainerNode::parserInsertBeforePassRefPtrWillBeRawPtr newChild, Node& nextChild ... while RefPtrWillBeRawPtr parent = newChild-parentNode parent-parserRemoveChildnewChild; if document != newChild-document...
chrome:window.external leaks global object + allows cross origin script access
We use a static local for the External object But that both leaks the entire global object in the wrapper stored inside the External and also means that doing: js // main page. window.external.foo = function alert1 document.body.innerHTML = "" // inside example.com: window.external.foo // alert...
iBall Multiple Vulnerabilities
Vulnerabilities summary The following advisory describes two (2) vulnerabilities found in iB-WRA150N devices, firmware 1.2.6 build 110401 Rel.47776n. iB-WRA150N is “a powerful solution to Internet connectivity at home, small offices and work stations. The key is if you are using an ADSL2+ connectio...
chrome: UXSS in DocumentLoader::createWriterFor
Details: thirdparty/WebKit/Source/core/loader/DocumentLoader.cpp:735: cpp PassRefPtrWillBeRawPtr DocumentLoader::createWriterForconst Document ownerDocument, const DocumentInit& init, const AtomicString& mimeType, const AtomicString& encoding, bool dispatch, ParserSynchronizationPolicy...
Libc Realpath Buffer Underflow Vulnerability(CVE-2018-1000001)
Introduction The vulnerability described here is caused by Linux kernel behaviour change in the syscall API returning relative pathnames in getcwd and non-defensive function implementation in libc failing to process that pathname correctly. Other libraries are very likely to be affected as well. ...
Remote Code Execution on the Smiths Medical Medfusion 4000
Remote Code Execution on the Smiths Medical Medfusion 4000 In which we detail the process of vulnerability research on a life critical embedded system: a medical infusion pump. Table of Contents Remote Code Execution on the Smiths Medical Medfusion 4000 Table of Contents Summary Introduction Why ...
Oracle VirtualBox Multiple Guest to Host Escape Vulnerabilities(CVE-2018-2698)
Vulnerabilities summary The following advisory describes two (2) guest to host escapes found in Oracle VirtualBox version 5.1.30 and VirtualBox version 5.2-rc1. Credit An independent security researcher, Niklas Baumstark, has reported this vulnerability to Beyond Security’s SecuriTeam Secure...
Asus Unauthenticated LAN Remote Command Execution
Vulnerabilities Summary The following advisory describes two (2) vulnerabilities found in AsusWRT Version 3.0.0.4.380.7743. The combination of the vulnerabilities leads to LAN remote command execution on any Asus router. AsusWRT is “THE POWERFUL USER-FRIENDLY INTERFACE – The enhanced ASUSWRT...
Xiuno BBS XSS Vulnerability
Xiuno BBS 4.0.0 Admin Panel XSS Vulnerability 1. What is Xiuno BBS 4.0? It is a domestically developed, compact and stable lightweight forum that keeps its high load capacity even with large volumes of data. It has only about 20 tables, its compressed source code is around 1 MB, it runs very fast, handling a single request on the order of 0.01 seconds and reaching 0.00x seconds in environments with APC, Yac or XCache, and it has few third-party library dependencies. The author compares it to a hand-built Ferrari: powerful, without an ounce of fat, easy to deploy and maintain, and an excellent foundation for secondary development. 2. Vulnerability details: In the Xiuno BBS 4.0.0 admin panel, Settings - Basic Settings - Site Name is not strictly filtered and contains an XSS vulnerability. Entering an XSS...
D-Link DNS-325 ShareCenter < 1.05B03 - Multiple Vulnerabilities
Table of contents 00 - Introduction 00.1 Background 01 - Unrestricted File Upload 01.1 - Vulnerable code analysis 01.2 - Remote exploitation 02 - Command Injection 02.1 - Vulnerable code analysis 02.2 - Remote exploitation 03 - Credit 04 - Proof of concept 05 - Solution 06 - Contact information 0...
Microsoft Edge: Chakra: JIT: Incorrect bounds calculation(CVE-2018-0769)
Let's start with comments in the "GlobOpt::TrackIntSpecializedAddSubConstant" method. // Track bounds for add or sub with a constant. For instance, consider b = a + 2. The value of 'b' should track // that it is equal to the value of 'a' + 2. That part has been done above. Similarly, the value of...
Microsoft Edge: Chakra: OOB read in AppendLeftOverItemsFromEndSegment(CVE-2018-0767)
Here's a snippet of AppendLeftOverItemsFromEndSegment in JavascriptArray.inl. growby = endSeg-length; current = current-GrowByMinrecycler, growby; CopyArraycurrent-elements + endIndex + 1, endSeg-length, Js::SparseArraySegmentendSeg-elements, endSeg-length;...
Microsoft Edge: Chakra: AsmJSByteCodeGenerator::EmitCall call handling bug(CVE-2018-0780)
AsmJSByteCodeGenerator::EmitCall, which is used to emit call instructions, doesn't check if an array identifier is used as callee. The method handles those invalid calls in the same way it handles valid calls such as "arridx & ...". In these cases, the index register remains NoRegister which is...
Microsoft Edge: Chakra: JavascriptGeneratorFunction::GetPropertyBuiltIns exposes scriptFunction(CVE-2017-11914)
Here's a snippet of the method. bool JavascriptGeneratorFunction::GetPropertyBuiltInsVar originalInstance, PropertyId propertyId, Var value, PropertyValueInfo info, ScriptContext requestContext, BOOL result if propertyId == PropertyIds::length ... int len = 0; Var varLength; if...
Microsoft Edge: Chakra: JIT: stack-to-heap copy bug(CVE-2018-0776)
If variables don't escape the scope, the variables can be allocated on the stack. However, there are some situations, such as when a bailout happens or when accessing arguments containing stack-allocated variables, where those variables should not exist on the stack. In these cases, the...