56796 matches found
Microsoft Edge: Chakra: AsmJSByteCodeGenerator::EmitCall call handling bug(CVE-2018-0780)
AsmJSByteCodeGenerator::EmitCall which is used to emit call insturctions doesn't check if an array identifier is used as callee. The method handles those invalid calls in the same way it handles valid calls such as "arridx & ...". In these cases, the index register remains NoRegister which is...
Netgear路由器信息泄露
NETGEAR美国网件NASDAQ: NTGR,致力于为全球商用企业用户和家庭个人用户提供创新的产品、卓越的智能家庭无线解决方案。 关于路由器漏洞挖掘历来都是是围绕着两个攻击面开展: 脚本语言htm/js/php/lua/sh/asp; 编译语言elf/mips/armv7/arm/。 本文介绍一个最简单也最容易发现的一种漏洞,暂归类为信息泄露吧,造成的危害则是权限绕过但不局限于只拿到用户登录凭证。 所有的美国网件系列路由器都有这样一个页面‘currentsetting.htm’ 可以查看型号和固件版本的特权页面,即不需登陆便可访问该页面。 下载V1.0.0.281.0.28...
MacOS process_policy stack leak through uninitialized field(CVE-2017-7154)
The syscall processpolicyscope=PROCPOLICYSCOPEPROCESS, action=PROCPOLICYACTIONGET, policy=PROCPOLICYRESOURCEUSAGE, policysubtype=PROCPOLICYRUSAGECPU, attrp=, targetpid=0, targetthreadid= causes 4 bytes of uninitialized kernel stack memory to be written to userspace. The call graph looks as follow...
Microsoft Edge: Chakra: JIT: stack-to-heap copy bug(CVE-2018-0776)
If variables don't escape the scope, the variables can be allocated to the stack. However, there are some situations, such as when a bailout happens or accessing to arguments containing stack-allocated variables, where those variables should not exist in the stack. In these cases, the...
Microsoft Edge: Chakra: JIT: Incorrect bounds calculation(CVE-2018-0769)
Let's start with comments in the "GlobOpt::TrackIntSpecializedAddSubConstant" method. // Track bounds for add or sub with a constant. For instance, consider b = a + 2. The value of 'b' should track // that it is equal to the value of 'a' + 2. That part has been done above. Similarly, the value of...
Microsoft Edge: Chakra: JIT: Loop analysis bug(CVE-2018-0777)
Here's the PoC demonstrating OOB write. function optarr, start, end for let i = start; i end; i++ if i === 10 i += 0; // -- a arri = 2.3023e-320; function main let arr = new Array100; arr.fill1.1; for let i = 0; i 1000; i++ optarr, 0, 3; optarr, 0, 100000; main; What happens here is as follows: I...
Microsoft Edge: Chakra: Deferred parsing makes wrong scopes #2(CVE-2018-0775)
Since the PoC is only triggerable when the "DeferParse" flag enabled and requires a with statement, I think this is simillar to issue 1310 . PoC: // Enable the flag using '\n'.repeat0x1000 evalfunction f with function printf; ; ; + '\n'.repeat0x1000; PoC 2: // ./ch poc.js -ForceDeferParse functio...
DeDecms 任意用户登录,管理员密码重置漏洞
简述 Dedecms是一款开源的PHP开源网站管理系统。 DeDecms织梦CMS V5.7.72 正式版20180109 最新版 前台会员模块是采用Cookie中的 DedeUserID+DedeUserIDckMd5字段进行身份鉴别 DedeUserID用于定位区别用户,DedeUserIDckMd5则是服务器生成散列,用于安全验证 Dedecms一处代码由于逻辑不够严谨,导致可以输入字符并获得服务器生成散列 劫持DedeUserIDckMd5字段,绕过安全校验,配合类型转换造成任意用户登录漏洞 漏洞详细原理 文件位置:dedecms/member/index.php:110行...
MikroTik RouterOS < 6.38.5 RCE
!/usr/bin/env python2 Mikrotik Chimay Red Stack Clash Exploit by wsxarcher based on BigNerd95 POC tested on RouterOS 6.38.4 x86 ASLR enabled on libs only DEP enabled import socket, time, sys, struct from pwn import import ropgadget ASTSTACKSIZE = 0x20000 stack size per thread 128 KB SKIPSPACE =...
Multiple vulnerabilities in all versions of ASUS routers
1 ASUSWRT 3.0.0.4.376 - multiple vulnerabilities in httpd server all versions of AsusWRT at the time of report to vendor, for previous 376 version see next section 1. Highly predictable session tokens The session token is generated for an authenticated user using stdlib rand function. The token...
CODE EXECUTION (CVE-2018-5189) WALKTHROUGH ON JUNGO WINDRIVER 12.5.1
INTRODUCTION Windows kernel exploitation can be a daunting area to get into. There are tons of helpful tutorials out there and originally this post was going to add to that list. This is the story of how I found CVE-2018-5189 and a complete walkthrough of the exploit development cycle. The idea w...
D-Link Routers 110/412/615/815 Arbitrary Code Execution
!/usr/bin/python Exploit Title: D-Link WAP 615/645/815 .?.?', 'Product Page : .?' def dlinkdetection: try: r = requests.getURL, timeout=10.00 except requests.exceptions.ConnectionError: print "Error: Failed to connect to " + URL return False if r.statuscode != 200: print "Error: " + URL + "...
An Analysis of the OpenSSL SSL Handshake Error State Security Bypass (CVE-2017-3737)
OpenSSL is a widely used library for SSL and TLS protocol implementation that secures data using encryption and decryption based on cryptographic functions. However, a Security Bypass vulnerability – recently addressed in a patch by the OpenSSL Project –can be exploited to make vulnerable SSL...
Sophos XG from Unauthenticated Persistent XSS to Unauthorized Root Access(CVE-2017-18014)
Vulnerability Summary The following advisory describes an unauthenticated persistent XSS that leads to unauthorized root access found in Sophos XG version 17. Sophos XG Firewall “provides unprecedented visibility into your network, users, and applications directly from the all-new control center...
SugarCRM's Security Diet - Multiple Vulnerabilities
SugarCRM is one of the most popular customer relationship management solutions. It is available as a commercial edition and as an open-source community edition and is used by more than 2 million individuals in over 120 countries to manage sensitive customer data 1. Lately its security attracted...
rails_admin rails gem XSS vulnerability(CVE-2017-12098)
Summary An exploitable XSS vulnerability exists in the add filter functionality of the railsadmin rails gem version 1.2.0. A specially crafted URL can cause an XSS flaw resulting in an attacker being able to execute arbitrary javascript on the victim’s browser. An attacker can phish an...
TP-Link 路由器命令注入漏洞(CVE-2017-16957)
0x01 背景 TP-Link TL-WVR 等都是中国普联(TP-LINK)公司的无线路由器产品。 多款 TP-Link 系列产品存在命令注入漏洞,攻击者在登录后可发送恶意字段,经拼接后导致任意命令执行。 该漏洞由 coincoin7 发现,漏洞编号 CVE-2017-16957 0x02 受影响产品 TP-LINK TL-WVR 系列 TP-LINK TL-WAR 系列 TP-LINK TL-ER 系列 TP-LINK TL-R 系列 0x03 漏洞分析 根据原文提供的链接,下载了 TL-WVR450L 的固件,使用 binwalk 解包,拿到 squashfs 系统文件,再用...
Rails delayed_job_web XSS(CVE-2017-12097)
Summary An exploitable XSS vulnerability exists in the filter functionality of the delayedjobweb rails gem version 1.4. A specially crafted URL can cause an XSS flaw resulting in an attacker being able to execute arbitrary javascript on the victim’s browser. An attacker can phish an authenticated...
Jackson-databind 远程代码执行漏洞(CVE-2017-17485)
jackson-rce-via-spel An example project that exploits the default typing issue in Jackson-databind https://github.com/FasterXML/jackson-databind via Spring application contexts and expressions Context The Jackson-databind project has a feature called default-typing not enabled by default. When th...
CPP-Ethereum JSON-RPC admin_nodeInfo improper authorization Vulnerability(CVE-2017-12113)
Summary An exploitable improper authorization vulnerability exists in adminnodeInfo API of cpp-ethereum's JSON-RPC commit 4e1015743b95821849d001618a7ce82c7c073768. A JSON request can cause an access to the restricted functionality resulting in authorization bypass. An attacker can send JSON to...
CPP-Ethereum JSON-RPC miner_setEtherbase improper authorization Vulnerability(CVE-2017-12115)
Summary An exploitable improper authorization vulnerability exists in minersetEtherbase API of cpp-ethereum's JSON-RPC commit 4e1015743b95821849d001618a7ce82c7c073768. A JSON request can cause an access to the restricted functionality resulting in authorization bypass. An attacker can send JSON t...
CPP-Ethereum JSON-RPC miner_stop improper authorization Vulnerability(CVE-2017-12118)
Summary An exploitable improper authorization vulnerability exists in minerstop API of cpp-ethereum's JSON-RPC commit 4e1015743b95821849d001618a7ce82c7c073768. A JSON request can cause an access to the restricted functionality resulting in authorization bypass. An attacker can send JSON to trigge...
CPP-Ethereum JSON-RPC admin_peers improper authorization Vulnerability(CVE-2017-12114)
Summary An exploitable improper authorization vulnerability exists in adminpeers API of cpp-ethereum's JSON-RPC commit 4e1015743b95821849d001618a7ce82c7c073768. A JSON request can cause an access to the restricted functionality resulting in authorization bypass. An attacker can send JSON to trigg...
CPP-Ethereum JSON-RPC Denial Of Service Vulnerabilities(CVE-2017-12119)
Summary An exploitable unhandled exception vulnerability exists in multiple APIs of CPP-Ethereum's JSON-RPC. Specially crafted JSON requests can cause a unhandled exception resulting in denial of service. An attacker can send malicious JSON to trigger this vulnerability. Tested Versions Ethereum...
CPP-Ethereum JSON-RPC admin_addPeer Authorization Bypass Vulnerability(CVE-2017-12112)
Summary An exploitable improper authorization vulnerability exists in adminaddPeer API of cpp-ethereum's JSON-RPC commit 4e1015743b95821849d001618a7ce82c7c073768. A JSON request can cause an access to the restricted functionality resulting in authorization bypass. An attacker can send JSON to...
CPP-Ethereum JSON-RPC miner_setGasPrice improper authorization Vulnerability(CVE-2017-12116)
Summary An exploitable improper authorization vulnerability exists in minersetGasPrice API of cpp-ethereum's JSON-RPC commit 4e1015743b95821849d001618a7ce82c7c073768. A JSON request can cause an access to the restricted functionality resulting in authorization bypass. An attacker can send JSON to...
CPP-Ethereum JSON-RPC miner_start improper authorization Vulnerability(CVE-2017-12117)
Summary An exploitable improper authorization vulnerability exists in minerstart API of cpp-ethereum's JSON-RPC commit 4e1015743b95821849d001618a7ce82c7c073768. A JSON request can cause an access to the restricted functionality resulting in authorization bypass. An attacker can send JSON to trigg...
CPP-Ethereum libevm create2 Information Leak Vulnerability(CVE-2017-14457)
Summary An exploitable information leak / denial of service vulnerability exists in the libevm Ethereum Virtual Machine create2 opcode handler of CPP-Ethereum. A specially crafted smart contract code can cause an out-of-bounds read leading to memory disclosure or denial of service. An attacker ca...
D-Link soap.cgi Stack Buffer Overflow(CVE-2018-5318)
作者:Chu 1. 前言 老板前一段给买了几款路由把玩,研究了下 D-Link DIR 629、DIR 823 这两款板子。 发现在 soap.cgi 中存在几处栈溢出,均可以远程利用,并且其他型号的路由也有对 soap 这一部分代码的复用。 2. 逆向分析与漏洞挖掘 因为是想挖几个能远程利用的洞,首先去看了 HTTP 服务,也就是 /htdocs/cgibin。 D-Link HTTP 服务由cgibin提供,并通过软链接的文件名进入到不同的处理分支: 在各个 cgi 处理函数中,会通过 cgibinparserequest 来解析用户输入,其函数原型大致如下: 参数...
织梦前台任意用户密码修改
常见的弱类型问题 类型转换问题 类型转换是无法避免的问题。例如需要将GET或者是POST的参数转换为int类型,或者是两个变量不匹配的时候,PHP会自动地进行变量转换。但是PHP是一个弱类型的语言,导致在进行类型转换的时候会存在很多意想不到的问题。 数学运算 当php进行一些数学计算的时候 因为 md5's878926199a'=0e545993274517709034328855841020就是0的n次方,所以还是等于0 但是要注意: "0e123456abc"=="0e1dddada"//false 这种返回的是为假 语句条件的松散判断 函数的松散判断...
seacms前台一处鸡肋报错注入,绕过80sec,360webscan获取数据
...
phpshe1.5商城系统任意文件删除加任意代码执行
...
D-Link DNS-320L 'mydlinkBRionyg' Backdoor
Released Date: 2018-01-03 Last Modified: 2017-06-14 Company Info: D-Link Version Info: Vulnerable D-Link DNS-320L ShareCenter = 1.06 Table of contents 00 - Introduction 00.1 Background 01 - Hard coded backdoor 01.1 - Vulnerable code analysis 01.2 - Remote exploitation 02 - Credit 03 - Proof of...
WDMyCloud 2.30.165 CSRF / File Upload / Code Execution / Backdoor / DoS
Released Date: 2018-01-04 Last Modified: 2017-06-11 Company Info: Western Digital Version Info: Vulnerable MyCloud = 2.30.165 MyCloudMirror = 2.30.165 My Cloud Gen 2 My Cloud PR2100 My Cloud PR4100 My Cloud EX2 Ultra My Cloud EX2 My Cloud EX4 My Cloud EX2100 My Cloud EX4100 My Cloud DL2100 My Clo...
Reading privileged memory with a side-channel (Meltdown & Spectre)
We have discovered that CPU data cache timing can be abused to efficiently leak information out of mis-speculated execution, leading to at worst arbitrary virtual memory read vulnerabilities across local security boundaries in various contexts. Variants of this issue are known to affect many mode...
D-Link DSL-6850U Multiple Vulnerabilities
Vulnerabilities Summary The following advisory describes two 2 vulnerabilities found in D-Link DSL-6850U versions BZ1.00.01 – BZ1.00.09. D-Link DSL-6850U is a router “manufactured by D-Link for Bezeq in Israel” The vulnerabilities found are: Default Credentials Remote Command Execution Credit An...
Samsung Internet Browser 6.2.01.12 SOP Bypass / UXSS
Samsung Internet Browser SOP Bypass/UXSS There is a Same Origin Policy bypass / Universal Cross Site Scripting issue in Samsung Internet Browser tested on latest version - 6.2.01.12. First of all, using the combination of MHTML and XSLT ends up resulting in a weird interaction. When you create an...
ZKTeco ZKBioSecurity 3.0 Multiple XSS Vulnerabilities
Summary ZKBioSecurity3.0 is the ultimate "All in One" web based security platform developed by ZKTeco. It contains four integrated modules: access control, video linkage, elevator control and visitor management. With an optimized system architecture designed for high level biometric identificatio...
Telesquare SKT LTE Router SDT-CS3B1 Remote Reboot Denial Of Service
Summary We introduce SDT-CS3B1 LTE router which is a SKT 3G and 4G LTE wireless communication based LTE router product. Description The router suffers from an unauthenticated reboot command execution. Attackers can exploit this issue to cause a denial of service scenario. /lte/lteuicc.shtml: 858:...
Xerox DC260 EFI Fiery Controller Webtools 2.0 Arbitrary File Disclosure
Summary Drive production profitability with Fiery servers and workflow products. See which Fiery digital front end is right for your current or future print engines and business needs. Manage all your printers from a single screen using this intuitive print job management interface. Description...
InfraPower PPS-02-S Q213V1 Hard-coded Credentials Remote Root Access
Summary InfraPower Manager PPS-02-S is a FREE built-in GUI of each IP dongle IPD-02-S only to remotely monitor the connected PDUs. Patented IP Dongle provides IP remote access to the PDUs by a true network IP address chain. Only 1xIP dongle allows access to max. 16 PDUs in daisy chain - which is ...
InfraPower PPS-02-S Q213V1 Cross-Site Request Forgery
Summary InfraPower Manager PPS-02-S is a FREE built-in GUI of each IP dongle IPD-02-S only to remotely monitor the connected PDUs. Patented IP Dongle provides IP remote access to the PDUs by a true network IP address chain. Only 1xIP dongle allows access to max. 16 PDUs in daisy chain - which is ...
ZKTeco ZKBioSecurity 3.0 (visLogin.jsp) Local Authorization Bypass
Summary ZKBioSecurity3.0 is the ultimate "All in One" web based security platform developed by ZKTeco. It contains four integrated modules: access control, video linkage, elevator control and visitor management. With an optimized system architecture designed for high level biometric identificatio...
ZKTeco ZKTime.Net 3.0.1.6 Insecure File Permissions
Summary ZKTime.Net V3.0 is a new generation time attendance management software. Meanwhile, it integrates with time attendance and access control system. Some frequently used functions such as attendance reports, device management and employee management can be managed directly on the home page...
ZKTeco ZKBioSecurity 3.0 CSRF Add Superadmin Exploit
Summary ZKBioSecurity3.0 is the ultimate "All in One" web based security platform developed by ZKTeco. It contains four integrated modules: access control, video linkage, elevator control and visitor management. With an optimized system architecture designed for high level biometric identificatio...
Dell SonicWALL Secure Mobile Access SMA 8.1 XSS And WAF CSRF
Summary Keep up with the demands of today’s remote workforce. Enable secure mobile access to critical apps and data without compromising security. Choose from a variety of scalable secure mobile access SMA appliances and intuitive Mobile Connect apps to fit every size business and budget...
InfraPower PPS-02-S Q213V1 Insecure Direct Object Reference Authorization Bypass
Summary InfraPower Manager PPS-02-S is a FREE built-in GUI of each IP dongle IPD-02-S only to remotely monitor the connected PDUs. Patented IP Dongle provides IP remote access to the PDUs by a true network IP address chain. Only 1xIP dongle allows access to max. 16 PDUs in daisy chain - which is ...
ZKTeco ZKBioSecurity 3.0 File Path Manipulation Vulnerability
Summary ZKBioSecurity3.0 is the ultimate "All in One" web based security platform developed by ZKTeco. It contains four integrated modules: access control, video linkage, elevator control and visitor management. With an optimized system architecture designed for high level biometric identificatio...
ZKTeco ZKAccess Professional 3.5.3 Insecure File Permissions
Summary ZKAccess 3.5 is a desktop software which is suitable for small and medium businesses application. Compatible with all ZKAccess standalone reader controllers, the software can simultaneously manage access control and generate attendance report. The brand new flat GUI design and humanized...
InfraPower PPS-02-S Q213V1 Multiple XSS Vulnerabilities
Summary InfraPower Manager PPS-02-S is a FREE built-in GUI of each IP dongle IPD-02-S only to remotely monitor the connected PDUs. Patented IP Dongle provides IP remote access to the PDUs by a true network IP address chain. Only 1xIP dongle allows access to max. 16 PDUs in daisy chain - which is ...