56796 matches found

seebug.org | added 2017/12/15 12:0 a.m. | 77 views

QNAP QTS Unauthenticated Remote Code Execution(CVE-2017-17033)

Vulnerability Summary The following advisory describes a memory corruption vulnerability that can lead to an unauthenticated remote code execution in QNAP QTS versions 4.3.x and 4.2.x, including the 4.3.3.0299. QNAP Systems, Inc. “specializes in providing networked solutions for file sharing,...

AI score: 10 | EPSS: 0.04439 | Exploits: 2

seebug.org | added 2017/12/15 12:0 a.m. | 115 views

iOS/MacOS kernel double free due to IOSurfaceRootUserClient not respecting MIG ownership rules(CVE-2017-13861)

I have previously detailed the lifetime management paradigms in MIG in the writeups for: CVE-2016-7612 https://bugs.chromium.org/p/project-zero/issues/detail?id=926 and CVE-2016-7633 https://bugs.chromium.org/p/project-zero/issues/detail?id=954 If a MIG method returns KERN_SUCCESS it means that th...

CVSS: 9.3 | AI score: 1.4 | EPSS: 0.14888 | Exploits: 11

seebug.org | added 2017/12/15 12:0 a.m. | 72 views

Linksys WVBR0 25 Command Injection(CVE-2017-17411)

In this guest blog, Trend Micro DVLabs researcher Ricky Lawshae discusses the recently disclosed CVE-2017-17411. He discovered and reported this bug through the ZDI program. Earlier this year, I learned that AT&T was starting to move customers away from its U-Verse service in favor of its DirecTV...

CVSS: 10 | AI score: 10 | EPSS: 0.87929 | Exploits: 9

seebug.org | added 2017/12/15 12:0 a.m. | 49 views

MacOS getrusage stack leak through struct padding(CVE-2017-13869)

For 64-bit processes, the getrusage syscall handler converts a struct rusage to a struct user64_rusage using munge_user64_rusage, then copies the struct user64_rusage to userspace: int getrusage(struct proc *p, struct getrusage_args *uap, __unused int32_t *retval) { struct rusage *rup, rubuf; struct user64_rusage...

AI score: 6.6 | EPSS: 0.04736 | Exploits: 3

seebug.org | added 2017/12/14 12:0 a.m. | 132 views

Palo Alto Networks firewalls remote root code execution(CVE-2017-15944)

This is a public advisory for CVE-2017-15944 which is a remote root code execution bug in Palo Alto Networks firewalls. Three separate bugs can be used together to remotely execute commands as root through the web management interface without authentication on: PAN-OS 6.1.18 and earlier, PAN-OS...

CVSS: 7.5 | EPSS: 0.9834 | Exploits: 13

seebug.org | added 2017/12/14 12:0 a.m. | 57 views

vBulletin cacheTemplates Unauthenticated Remote Arbitrary File Deletion(CVE-2017-17672)

Vulnerability Summary The following advisory describes an unauthenticated deserialization vulnerability that leads to arbitrary file deletion and, under certain circumstances, code execution found in vBulletin version 5. vBulletin, also known as vB, is “a widespread proprietary Internet forum...

AI score: 9.9 | EPSS: 0.14912 | Exploits: 6

seebug.org | added 2017/12/14 12:0 a.m. | 44 views

vBulletin routestring Unauthenticated Remote Code Execution

Vulnerability Summary The following advisory describes an unauthenticated file inclusion vulnerability that leads to remote code execution found in vBulletin version 5. vBulletin, also known as vB, is a widespread proprietary Internet forum software package developed by vBulletin Solutions, Inc.,...

AI score: 8.2 | Exploits: 0

seebug.org | added 2017/12/14 12:0 a.m. | 48 views

Zivif Web Cameras Multiple Vulnerabilities

Implementation of access controls in Zivif cameras is severely lacking. As a result, CGI functions can be called directly, bypassing authentication checks. This was first identified with the following request CVE-2017-17106 http:///web/cgi-bin/hi3510/param.cgi?cmd=getuser Cameras respond to this...

AI score: 0.5 | EPSS: 0.84558 | Exploits: 10

seebug.org | added 2017/12/13 12:0 a.m. | 18 views

Diyou P2P Lending System SQL Injection

...

AI score: 0.8 | Exploits: 0

seebug.org | added 2017/12/12 12:0 a.m. | 196 views

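Apache Synapse Remote Command Execution Vulnerability (CVE-2017-15708)

0X00 Introduction Apache Synapse is a lightweight, high-performance Enterprise Service Bus (ESB). Powered by a fast, asynchronous mediation engine, Apache Synapse provides excellent support for XML, Web services and REST. 0X01 Analysis As we know, a deserialization vulnerability requires two conditions: serialized object data is transmitted and deserialized; a flawed third-party library is present, for example Apache Commons Collections. A blog post by @breenmachine of the FoxGlove Security team gives a very thorough summary of the places where deserialization may be used: in HTTP requests; RMI, which always uses serialization and deserialization during transmission...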

AI score: 0.8 | EPSS: 0.17741 | Exploits: 1

seebug.org | added 2017/12/12 12:0 a.m. | 62 views

Pomelo Admin Console Web Arbitrary File Write Vulnerability

...

AI score: 1.4 | Exploits: 0

seebug.org | added 2017/12/12 12:0 a.m. | 19 views

Pomelo Admin Console Web Arbitrary File Read Vulnerability

...

AI score: 1.4 | Exploits: 0

seebug.org | added 2017/12/11 12:0 a.m. | 50 views

CERIO 11nbg 2.4Ghz High Power Wireless Router (pekcmd) Rootshell Backdoors

Summary CERIO's DT-300N A4 eXtreme Power 11n 2.4Ghz 2x2 High Power Wireless Access Point with built-in 10dBi patch antennas and also supports broadband wireless routing. DT-300N A4's wireless High Power design enhances the range and stability of the device's wireless signal in office and home...

AI score: 7.5 | Exploits: 0

seebug.org | added 2017/12/11 12:0 a.m. | 31 views

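startbbs: CAPTCHA Bypass Allowing Brute Force in All Versions

At the login page: when an incorrect account name or password is entered, a redirect prompt is shown. On returning to the page, the CAPTCHA turns out not to have changed at all? I captured the traffic and took a look, and found a csrftoken. But the cookie also contains a csrftoken, and my own testing showed that the two csrftoken values only need to match. Then brute-force with Burp...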

AI score: 7.1 | Exploits: 0

seebug.org | added 2017/12/11 12:0 a.m. | 75 views

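APPCMS comment.php SQL Injection

AppCMS official site: http://www.appcms.cc/ Audited version: 2.0.101 Download link: http://www.appcms.cc/download/appcms2.0.101.zip AppCMS comment.php SQL Injection 0x00 Preface I first saw on cnvd() that someone had submitted this vulnerability without details; I downloaded the source from the official site and audited it locally, but did not find it. By chance I then read an article shared by @Thinking and learned that the “HTTP_CLIENT_IP” value the server reads is the value of the “CLIENT-IP” field in the HTTP headers, which can be forged! On seeing this, it all made sense. 0x01 Analysis...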

AI score: 7.6 | Exploits: 0

seebug.org | added 2017/12/11 12:0 a.m. | 41 views

Serviio PRO 1.8 DLNA Media Streaming Server Local Privilege Escalation

Summary Serviio is a free media server. It allows you to stream your media files music, video or images to renderer devices e.g. a TV set, Bluray player, games console or mobile phone on your connected home network. Description The application suffers from an unquoted search path issue impacting...

AI score: 7.5 | Exploits: 0

seebug.org | added 2017/12/11 12:0 a.m. | 62 views

SonicDICOM PACS 2.3.2 Remote Vertical Privilege Escalation Exploit

Summary SonicDICOM is PACS software that combines the capabilities of DICOM Server with web browser based DICOM Viewer. Description The application suffers from a privilege escalation vulnerability. Normal user can elevate his/her privileges by sending an HTTP PATCH request setting the parameter...

AI score: 7.3 | Exploits: 0

seebug.org | added 2017/12/11 12:0 a.m. | 41 views

Cimetrics BACstac Routing Service 6.2f Local Privilege Escalation

Summary BACstac belongs to product BACstacTM Networking Software and was developed by company Cimetrics Inc. Cimetrics is excited to announce a new version of our industry-leading BACnet protocol stack: BACstac 6.8. The Cimetrics BACstac saves man-years of development when your company needs to...

AI score: 7.3 | Exploits: 0

seebug.org | added 2017/12/11 12:0 a.m. | 22 views

SonicDICOM PACS 2.3.2 CSRF Add Admin Exploit

Summary SonicDICOM is PACS software that combines the capabilities of DICOM Server with web browser based DICOM Viewer. Description The application interface allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be...

AI score: 6.9 | Exploits: 0

seebug.org | added 2017/12/11 12:0 a.m. | 34 views

SonicDICOM PACS 2.3.2 Multiple Stored Cross-Site Scripting Vulnerabilities

Summary SonicDICOM is PACS software that combines the capabilities of DICOM Server with web browser based DICOM Viewer. Description The application suffers from multiple stored XSS vulnerabilities. Input passed to several API POST parameters is not properly sanitised before being returned to the...

AI score: 6.8 | Exploits: 0

seebug.org | added 2017/12/11 12:0 a.m. | 37 views

Emby MediaServer 3.2.5 Boolean-based Blind SQL Injection Vulnerability

Summary Emby formerly Media Browser is a media server designed to organize, play, and stream audio and video to a variety of devices. Emby is open-source, and uses a client-server model. Two comparable media servers are Plex and Windows Media Center. Description Emby suffers from a blind SQL...

AI score: 7.9 | Exploits: 0

seebug.org | added 2017/12/11 12:0 a.m. | 40 views

Emby MediaServer 3.2.5 Password Reset Vulnerability

Summary Emby formerly Media Browser is a media server designed to organize, play, and stream audio and video to a variety of devices. Emby is open-source, and uses a client-server model. Two comparable media servers are Plex and Windows Media Center. Description The issue can be triggered by an...

AI score: 7.2 | Exploits: 0

seebug.org | added 2017/12/11 12:0 a.m. | 30 views

Cimetrics BACnet Explorer 4.0 XXE Vulnerability

Summary The BACnet Explorer is a BACnet client application that helps auto discover BACnet devices. Description BACnetExplorer suffers from an XML External Entity XXE vulnerability using the DTD parameter entities technique resulting in disclosure and retrieval of arbitrary data on the affected...

AI score: 6.9 | Exploits: 0

seebug.org | added 2017/12/11 12:0 a.m. | 111 views

New Android vulnerability allows attackers to modify apps without affecting their signatures(CVE-2017-13156)

A serious vulnerability CVE-2017-13156 in Android allows attackers to modify the code in applications without affecting their signatures. The root of the problem is that a file can be a valid APK file and a valid DEX file at the same time. We have named it the Janus vulnerability, after the Roman...

CVSS: 7.2 | AI score: 7.9 | EPSS: 0.20089 | Exploits: 9

seebug.org | added 2017/12/11 12:0 a.m. | 45 views

TrueConf Server v4.3.7 Multiple Remote Web Vulnerabilities

Summary TrueConf Server is a powerful, high-quality and highly secured video conferencing software server. It is specially designed to work with up to 250 participants in a multipoint conference over LAN or VPN networks. TrueConf Server requires no hardware and includes client applications for al...

AI score: 6.9 | Exploits: 0

seebug.org | added 2017/12/11 12:0 a.m. | 232 views

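Huatian Dongli OA System: XSS via a Login Form Parameter

0x00 First, find any instance of the OA system: you can use the online demo on the official site http://www.oa8000.com/ or find one via Google: inurl:"oaapp/webobjects/oaapp.woa/wo" 0x01 Go to the login page /OAapp/WebObjects/OAapp.woa, fill in the form with anything, then capture the request. Both the 11.16 and 11.18 parameters can be used. Modify the POST data: 0x02 These parameters can be submitted not only via POST but via GET as well...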

AI score: 7.3 | Exploits: 0

seebug.org | added 2017/12/11 12:0 a.m. | 30 views

Emby MediaServer 3.2.5 Reflected XSS Vulnerability

Summary Emby formerly Media Browser is a media server designed to organize, play, and stream audio and video to a variety of devices. Emby is open-source, and uses a client-server model. Two comparable media servers are Plex and Windows Media Center. Description Emby suffers from an XSS issue due ...

AI score: 6.9 | Exploits: 0

seebug.org | added 2017/12/11 12:0 a.m. | 115 views

Serviio PRO 1.8 DLNA Media Streaming Server (mediabrowser) DOM Based XSS

Summary Serviio is a free media server. It allows you to stream your media files music, video or images to renderer devices e.g. a TV set, Bluray player, games console or mobile phone on your connected home network. Description The application is vulnerable to a DOM-based cross-site scripting. Da...

AI score: 7 | Exploits: 0

seebug.org | added 2017/12/11 12:0 a.m. | 52 views

Serviio PRO 1.8 DLNA Media Streaming Server REST API Arbitrary Password Change

Summary Serviio is a free media server. It allows you to stream your media files music, video or images to renderer devices e.g. a TV set, Bluray player, games console or mobile phone on your connected home network. Description The version of Serviio installed on the remote Windows/Linux host is...

AI score: 7.3 | Exploits: 0

seebug.org | added 2017/12/11 12:0 a.m. | 57 views

Serviio PRO 1.8 DLNA Media Streaming Server REST API Arbitrary Code Execution

Summary Serviio is a free media server. It allows you to stream your media files music, video or images to renderer devices e.g. a TV set, Bluray player, games console or mobile phone on your connected home network. Description The version of Serviio installed on the remote Windows host is affect...

AI score: 8.2 | Exploits: 0

seebug.org | added 2017/12/11 12:0 a.m. | 45 views

Serviio PRO 1.8 DLNA Media Streaming Server REST API Information Disclosure

Summary Serviio is a free media server. It allows you to stream your media files music, video or images to renderer devices e.g. a TV set, Bluray player, games console or mobile phone on your connected home network. Description The version of Serviio installed on the remote Windows/Linux host is...

AI score: 6.7 | Exploits: 0

seebug.org | added 2017/12/11 12:0 a.m. | 37 views

Emby MediaServer 3.2.5 Directory Traversal File Disclosure Vulnerability

Summary Emby formerly Media Browser is a media server designed to organize, play, and stream audio and video to a variety of devices. Emby is open-source, and uses a client-server model. Two comparable media servers are Plex and Windows Media Center. Description The vulnerability was confirmed on...

AI score: 7 | Exploits: 0

seebug.org | added 2017/12/08 12:0 a.m. | 42 views

Schneider Electric Pelco Sarix/Spectra Cameras CSRF Enable SSH Root Access

Summary Pelco offers the broadest selection of IP cameras designed for security surveillance in a wide variety of commercial and industrial settings. From our industry-leading fixed and high-speed IP cameras to panoramic, thermal imaging, explosionproof and more, we offer a camera for any...

AI score: 6.8 | Exploits: 0

seebug.org | added 2017/12/08 12:0 a.m. | 29 views

Schneider Electric Pelco VideoXpert Missing Encryption Of Sensitive Information

Summary VideoXpert is a video management solution designed for scalability, fitting the needs of surveillance operations of any size. VideoXpert Ultimate can also aggregate other VideoXpert systems, tying multiple video management systems into a single interface. Description The software transmits...

AI score: 7.1 | Exploits: 0

seebug.org | added 2017/12/08 12:0 a.m. | 35 views

Schneider Electric Pelco VideoXpert Core Admin Portal Directory Traversal

Summary VideoXpert is a video management solution designed for scalability, fitting the needs of surveillance operations of any size. VideoXpert Ultimate can also aggregate other VideoXpert systems, tying multiple video management systems into a single interface. Description Pelco VideoXpert suffers...

AI score: 7.2 | Exploits: 0

seebug.org | added 2017/12/08 12:0 a.m. | 42 views

Schneider Electric Pelco VideoXpert Privilege Escalations

Summary VideoXpert is a video management solution designed for scalability, fitting the needs of surveillance operations of any size. VideoXpert Ultimate can also aggregate other VideoXpert systems, tying multiple video management systems into a single interface. Description The application is...

AI score: 7.5 | Exploits: 0

seebug.org | added 2017/12/08 12:0 a.m. | 39 views

Schneider Electric Pelco Sarix/Spectra Cameras Root Remote Code Execution

Summary Pelco offers the broadest selection of IP cameras designed for security surveillance in a wide variety of commercial and industrial settings. From our industry-leading fixed and high-speed IP cameras to panoramic, thermal imaging, explosionproof and more, we offer a camera for any...

AI score: 8 | Exploits: 0

seebug.org | added 2017/12/08 12:0 a.m. | 32 views

Schneider Electric Pelco VideoXpert Privilege Escalations

Summary VideoXpert is a video management solution designed for scalability, fitting the needs of surveillance operations of any size. VideoXpert Ultimate can also aggregate other VideoXpert systems, tying multiple video management systems into a single interface. Description The application is...

AI score: 7.5 | Exploits: 0

seebug.org | added 2017/12/08 12:0 a.m. | 41 views

OV3 Online Administration 3.0 Parameter Traversal Arbitrary File Access

Summary With the decision to use the OV3 as a platform for your data management, the course is set for scalable, flexible and high-performance applications. Whether you use the OV3 for your internal data management or use it for commercial business applications such as shops, portals, etc. Thanks...

AI score: 7.5 | Exploits: 0

seebug.org | added 2017/12/08 12:0 a.m. | 21 views

SimpleRisk v20170416-001 Reflected XSS Vulnerabilities

Summary SimpleRisk is an open-source risk management system released under Mozilla Public License and used for risk management activities. It enables risk managers to account for risks, plan mitigation measures, facilitate management reviews, prioritize for project planning, and track periodic...

AI score: 7 | Exploits: 0

seebug.org | added 2017/12/08 12:0 a.m. | 23 views

Uniview Remote Command Execution

...

AI score: 3.1 | Exploits: 0

seebug.org | added 2017/12/08 12:0 a.m. | 43 views

OV3 Online Administration 3.0 Authenticated Code Execution

Summary With the decision to use the OV3 as a platform for your data management, the course is set for scalable, flexible and high-performance applications. Whether you use the OV3 for your internal data management or use it for commercial business applications such as shops, portals, etc. Thanks...

AI score: 7.6 | Exploits: 0

seebug.org | added 2017/12/08 12:0 a.m. | 33 views

OV3 Online Administration 3.0 Multiple Unauthenticated SQL Injection Vulnerabilities

Summary With the decision to use the OV3 as a platform for your data management, the course is set for scalable, flexible and high-performance applications. Whether you use the OV3 for your internal data management or use it for commercial business applications such as shops, portals, etc. Thanks...

AI score: 8 | Exploits: 0

seebug.org | added 2017/12/08 12:0 a.m. | 51 views

Schneider Electric Pelco Sarix/Spectra Cameras Multiple XSS Vulnerabilities

Summary Pelco offers the broadest selection of IP cameras designed for security surveillance in a wide variety of commercial and industrial settings. From our industry-leading fixed and high-speed IP cameras to panoramic, thermal imaging, explosionproof and more, we offer a camera for any...

AI score: 7 | Exploits: 0

seebug.org | added 2017/12/08 12:0 a.m. | 28 views

EnGenius EnShare IoT Gigabit Cloud Service 1.4.11 Root Remote Code Execution

Summary With the EnGenius IoT Gigabit Routers and free EnShare app, use your iPhone, iPad or Android-based tablet or smartphone to transfer video, music and other files to and from a router-attached USB hard drive. Enshare is a USB media storage sharing application that enables access to files...

AI score: 8.2 | Exploits: 0

seebug.org | added 2017/12/07 12:0 a.m. | 51 views

Dasan Networks GPON ONT WiFi Router H64X Series Authentication Bypass

Summary H64xx is comprised of one G-PON uplink port and four ports of Gigabit Ethernet downlink supporting 10/100/1000Base-T RJ45. It helps service providers to extend their core optical network all the way to their subscribers, eliminating bandwidth bottlenecks in the last mile. H64xx is...

AI score: 7.1 | Exploits: 0

seebug.org | added 2017/12/07 12:0 a.m. | 34 views

Dasan Networks GPON ONT WiFi Router H64X Series Privilege Escalation

Vendor: Dasan Networks Product web page: http://www.dasannetworks.com | http://www.dasannetworks.eu Affected version: Model: H640GR-02 H640GV-03 H640GW-02 H640RW-02 H645G Firmware: 2.77-1115 2.76-9999 2.76-1101 2.67-1070 2.45-1045 Summary: H64xx is comprised of one G-PON uplink port and four port...

AI score: 7.2 | Exploits: 0

seebug.org | added 2017/12/07 12:0 a.m. | 41 views

Dasan Unauthenticated Remote Code Execution

Vulnerability Summary The following advisory describes a buffer overflow that leads to remote code execution found in Dasan Networks GPON ONT WiFi Router H640X versions 12.02-01121 / 2.77p1-1124 / 3.03p2-1146 Dasan Networks GPON ONT WiFi Router “is indoor type ONT dedicated for FTTH Fibre to the...

AI score: 8.1 | Exploits: 0

seebug.org | added 2017/12/07 12:0 a.m. | 53 views

Dasan Networks GPON ONT WiFi Router H64X Series System Config Download

Summary H64xx is comprised of one G-PON uplink port and four ports of Gigabit Ethernet downlink supporting 10/100/1000Base-T RJ45. It helps service providers to extend their core optical network all the way to their subscribers, eliminating bandwidth bottlenecks in the last mile. H64xx is...

AI score: 7.4 | Exploits: 0

seebug.org | added 2017/12/07 12:0 a.m. | 40 views

Dasan Networks GPON ONT WiFi Router H64X Series Cross-Site Request Forgery

Summary H64xx is comprised of one G-PON uplink port and four ports of Gigabit Ethernet downlink supporting 10/100/1000Base-T RJ45. It helps service providers to extend their core optical network all the way to their subscribers, eliminating bandwidth bottlenecks in the last mile. H64xx is...

AI score: 6.9 | Exploits: 0

Total number of security vulnerabilities: 56796