56796 matches found
Libarchive zip zip_read_mac_metadata Code Execution Vulnerability(CVE-2016-1541)
SUMMARY An exploitable heap overflow vulnerability exists in the zip archive decompression functionality of libarchive. A specially crafted zip file can cause memory corruption leading to code execution. An attacker can send a malformed file to trigger this vulnerability. TESTED VERSIONS libarchi...
Network Time Protocol libntp Message Digest Disclosure Vulnerability(CVE-2016-1550)
SUMMARY An exploitable vulnerability exists in the message authentication functionality of Network Time Protocol libntp. An attacker can send a series of crafted messages to attempt to recover the message digest key. TESTED VERSIONS ntp 4.2.8p4 NTPSec a5fb34b9cc89b92a8fef2f459004865c93bb7f92...
Network Time Protocol ntpd Reference Clock Impersonation Vulnerability(CVE-2016-1551)
SUMMARY ntpd relies on the underlying operating system to protect it from requests that impersonate reference clocks. Because reference clocks are treated like other peers and stored in the same structure, any packet with a source ip address of a reference clock 127.127.1.1 for example that reach...
7zip HFS+ NArchive::NHfs::CHandler::ExtractZlibFile Code Execution Vulnerability(CVE-2016-2334)
DESCRIPTION An exploitable heap overflow vulnerability exists in the NArchive::NHfs::CHandler::ExtractZlibFile method functionality of 7zip that can lead to arbitrary code execution. TESTED VERSIONS 7-Zip 32 15.05 beta 7-Zip 64 9.20 PRODUCT URLS http://www.7-zip.org/ CVSSv3 SCORE 7.3 -...
Anonymous SQL Execution in Oracle Advanced Support
A little over a year ago I was performing a penetration test on a client's external environment. One crucial step in any external penetration test is mapping out accessible web servers. The combination of nmap with EyeWitness make this step rather quick as we can perform port scanning for web...
REMOTE CODE EXECUTION (CVE-2017-13772) WALKTHROUGH ON A TP-LINK ROUTER
INTRODUCTION In this post, I will be discussing my recent findings while conducting vulnerability research on a home router: TP-Link’s WR940N home WiFi router. This post will outline the steps taken to identify vulnerable code paths, and how we can exploit those paths to gain remote code executio...
ZTE ZXR10 Router Multiple Vulnerabilities( CVE-2017-10931)
Vulnerabilities summary The following advisory describes five 5 vulnerabilities found in ZTE ZXR10 Router. ZXR10 ZSR V2 series router is “the next generation intelligent access router product of ZTE, which integrates routing, switching, wireless, security, and VPN gateway. The product adopts...
Apache James Deserialization RCE(CVE-2017-12628)
Analysis of CVE-2017-12628 This morning I spotted a tweet mentioning an “Apache James 3.0.1 JMX Server Deserialization” vulnerability, CVE-2017-12628, which caught my eye because I wrote a generic JMX deserialization exploit which is included in my RMI attack tool BaRMIe. A quick search for more...
Unitrends UEB 9 HTTP API/Storage Remote Root(CVE-2017-12478)
No description provided by source. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Unitrends UEB 9 http api/storage remote root', 'Description' = %q It was discovered that the api/storage web...
Kaltura - Remote Code Execution and Cross-Site Scripting
1 Unauthenticated Remote Code Execution through unserialize from cookie data Because of a hardcoded cookie secret, the cookie signature validation can be bypassed and malicious user input can be passed via the 'userzone' cookie to the unserialize function: abstract class kalturaAction extends...
Linux Kernel 4.14.0-rc4+ - 'waitid()' Privilege Escalation(CVE-2017-5123)
This is a guest post by a young and talented Portuguese exploiter, Federico Bento. He won this year’s Pwnie for Epic Achievement exploiting TIOCSTI ioctl. Days ago he posted a video demonstrating an exploit for CVE-2017-5123 and luckly for you I managed to convince him to do a write-up about it. ...
Ikraus Anti Virus Remote Code Execution(CVE-2017-15643)
Vulnerability summary The following advisory describes an remote code execution found in Ikraus Anti Virus version 2.16.7. KARUS anti.virus “secures your personal data and PC from all kinds of malware. Additionally, the Anti-SPAM module protects you from SPAM and malware from e-mails. Prevent...
Endian Firewall Stored From XSS to Remote Command Execution
Vulnerability Summary The following advisory describes a stored cross site scripting that can be used to trigger remote code execution in Endian Firewall version 5.0.3. Endian Firewall is a “turnkey Linux security distribution, which is an independent, unified security management operating system...
Geneko Routers Information Disclosure
Vulnerability Summary The following advisory describes an information disclosure vulnerability found in Geneko Routers version 3.18.21 Geneko GWG is “compact and cost effective communications solution that provides cellular capabilities for fixed and mobile applications such as data acquisition,...
Linux Kernel AF_PACKET Use-After-Free(CVE-2017-15649)
Vulnerabilities summary The following advisory describes a use-after-free vulnerability found in Linux Kernel’s implementation of AFPACKET that can lead to privilege escalation. AFPACKET sockets “allow users to send or receive packets on the device driver level. This for example lets them to...
K7 Total Security Device Driver Arbitrary Memory Read
Vulnerability Summary The following advisory describes an Crash found in K7 Total Security. Credit An independent security researcher, has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program Vendor response K7 has released patches to address this vulnerability –...
HPE Baseline Smart Gig SFP 24 Switch Pre-authentication Stored XSS
Vulnerability Summary The following advisory describes an unauthenticated stored XSS in the HPE Baseline Smart Gig SFP 24 / 3Com Baseline Switch 2924 SFP Plus Switch. The vulnerability affect versions: Software Version: 01.00.10 Boot version: 1.0.0.14 Hardware Version: 01.01.0a “On April 12, 2010...
Ruby WIN32OLE ole_invoke and ole_query_interface Type Confusion Vulnerabilities(CVE-2016-2336)
DESCRIPTION Type Confusion exists in two methods of Ruby's WIN32OLE class, oleinvoke and olequeryinterface. Attacker passing different type of object than this assumed by developers can cause arbitrary code execution. TESTED VERSIONS Ruby 2.3.0 dev Ruby 2.2.2 PRODUCT URLs https://www.ruby-lang.or...
IBM Domino KeyView PDF Filter Trailer ID Code Execution Vulnerability(CVE-2016-0301)
SUMMARY A heap based buffer overflow vulnerability present in KeyView PDF filter as used by Domino can lead to remote arbitrary code execution. TESTED VERSIONS KeyView 10.16 as used by IBM Domino 9.0.1 PRODUCT URLs http://www-03.ibm.com/software/products/en/ibmdomino DETAILS While parsing an ID...
Libarchive Rar RestartModel Code Execution Vulnerability(CVE-2016-4302)
SUMMARY An exploitable heap overflow vulnerability exists in the Rar decompression functionality of libarchive. A specially crafted Rar file can cause a heap corruption eventually leading to code execution. An attacker can send a malformed file to trigger this vulnerability. TESTED VERSIONS...
IBM Domino KeyView PDF Filter BaseFont Code Execution Vulnerability(CVE-2016-0279)
Summary A heap buffer overflow vulnerability present in the PDF filter of KeyView as used by Domino can lead to arbitrary code execution. Tested Versions KeyView 10.16 as used by IBM Domino 9.0.1 Product URLs http://www-03.ibm.com/software/products/en/ibmdomino Details While parsing a specially...
IBM Domino KeyView PDF Filter Encrypted Stream Code Execution Vulnerability(CVE-2016-0277)
Summary A stack overflow vulnerability present in the PDF filter of KeyView as used by Domino can lead to process crash and possible arbitrary code execution. Tested Versions KeyView 10.16 as used by IBM Domino 9.0.1 Product URLs http://www-03.ibm.com/software/products/en/ibmdomino Details While...
ESnet iPerf3 JSON parse_string UTF Code Execution Vulnerability(CVE-2016-4303)
DESCRIPTION An exploitable remote code execution vulnerability exists in the JSON handling functionality of ESnet iPerf3. A specially crafted JSON string can lead to buffer overflow on the heap resulting in remote code execution. An attacker can send an unauthenticated packet to any reachable...
Adobe Flash Player Infinite Recursion Arbitrary Read Access Violation(CVE-2016-4132)
SUMMARY A potentially exploitable read access violation vulnerability exists in the a way Adobe Flash Player handles infinitely recursive calls. A specially crafted ActionScript code can cause a read access violation which can potentially be further abused. To trriger this vulnerability user...
Ruby TclTkIp ip_cancel_eval Type Confusion Vulnerabilities(CVE-2016-2337)
DESCRIPTION Type Confusion exists in canceleval Ruby's TclTkIp class method. Attacker passing different type of object than String as "retval" argument can cause arbitrary code execution. TESTED VERSIONS Ruby 2.3.0 dev Ruby 2.2.2 Tcl/Tk8.6 or later PRODUCT URLs https://www.ruby-lang.org DETAILS...
Google Chrome PDFium jpeg2000 SIZ Code Execution Vulnerability(CVE-2016-1681)
SUMMARY An exploitable heap buffer overflow vulnerability exists in the Pdfium PDF reader included in the Google Chrome web browser. A specially crafted PDF document with embedded jpeg2000 image can cause a heap buffer overflow potentially resulting in an arbitrary code execution. An attacker can...
Ruby pack_pack Use After Free Vulnerability(CVE-2016-2338)
DESCRIPTION An exploitable User After Free vulnerability exists in the packpack function of Ruby. In packpack function each element of array which should be "pack", based on template string is converted to binary representation in proper way. If element is not compatible with corresponding to him...
Ruby Psych::Emitter start_document Heap Overflow Vulnerability(CVE-2016-2338)
DESCRIPTION An exploitable heap overflow vulnerability exists in the Psych::Emitter startdocument function of Ruby. In Psych::Emitter startdocument function heap buffer "head" allocation is made based on tags array length. Specially constructed object passed as element of tags array can increase...
IBM Domino KeyView PDF Filter Stream Length Code Execution Vulnerability(CVE-2016-0278)
Description An integer overflow vulnerability present in the PDF filter of KeyView as used by Domino can lead to process crash and possible arbitrary code execution. Tested Versions KeyView 10.16 as used by IBM Domino 9.0.1 Product URLs http://www-03.ibm.com/software/products/en/ibmdomino Details...
Libarchive mtree parse_device Code Execution Vulnerability(CVE-2016-4301)
SUMMARY An exploitable stack based buffer overflow vulnerability exists in the mtree parsedevice functionality of libarchive. A specially crafted mtree file can cause a buffer overflow resulting in memory corruption/code execution. An attacker can send a malformed file to trigger this...
Libarchive 7zip read_SubStreamsInfo Code Execution Vulnerability(CVE-2016-4300)
SUMMARY An exploitable \heap overflow vulnerability exists in the 7zip readSubStreamsInfo functionality of libarchive. A specially crafted 7zip file can cause a integer overflow resulting in memory corruption that can lead to code execution. An attacker can send a malformed file to trigger this...
Ruby Fiddle::Function.new Heap Overflow Vulnerability(CVE-2016-2339)
DESCRIPTION An exploitable heap overflow vulnerability exists in the Fiddle::Function.new "initialize" function functionality of Ruby. In Fiddle::Function.new "initialize" heap buffer "argtypes" allocation is made based on args array length. Specially constructed object passed as element of args...
Pidgin MXIT Extended Profiles Code Execution Vulnerability(CVE-2016-2371)
DESCRIPTION An out-of-bounds write vulnerability exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT data sent via the server could cause memory corruption resulting in code execution. CVSSv3 SCORE 8.1 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H TESTED VERSIONS Pidgin...
Pidgin MXIT get_utf8_string Code Execution Vulnerability(CVE-2016-2378)
DESCRIPTION A buffer overflow vulnerability exists in the handling of the MXIT protocol Pidgin. Specially crafted data sent via the server could potentially result in a buffer overflow, potentially resulting in memory corruption. A malicious server or an unfiltered malicious user can send negativ...
Pidgin MXIT Suggested Contacts Memory Disclosure Vulnerability(CVE-2016-2375)
DESCRIPTION An exploitable out-of-bounds ready exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT contact information sent from the server can result in memory disclosure. CVSSv3 SCORE 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N TESTED VERSIONS Pidgin 2.10.11 PRODU...
Pidgin MXIT MultiMX Message Code Execution Vulnerability(CVE-2016-2374)
DESCRIPTION An exploitable memory corruption vulnerability exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT MultiMX message sent via the server can result in an out-of-bounds write leading to memory disclosure and code execution. CVSSv3 SCORE 8.1...
Pidgin MXIT Custom Resource Denial of Service Vulnerability(CVE-2016-2370)
DESCRIPTION A denial of service vulnerability exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT data sent from the server could potentially result in an out-of-bounds read. A malicious server or man-in-the-middle can send invalid data to trigger this vulnerability...
Pidgin MXIT Contact Mood Denial of Service Vulnerability(CVE-2016-2373)
DESCRIPTION A denial of service vulnerability exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT data sent via the server could potentially result in an out-of-bounds read. A malicious server or user can send an invalid mood to trigger this vulnerability. CVSSv3 SCORE 5...
Pidgin MXIT mxit_convert_markup_tx Information Leak Vulnerability(CVE-2016-2380)
DESCRIPTION An information leak exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT data sent to the server could potentially result in an out of bounds read. A user could be convinced to enter a particular string which would then get converted incorrectly and could lead...
Pidgin MXIT Splash Image Arbitrary File Overwrite Vulnerability(CVE-2016-4323)
DESCRIPTION A directory traversal exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT data sent from the server could potentially result in an overwrite of files. A malicious server or someone with access to the network traffic can provide an invalid filename for a splas...
Pidgin MXIT Table Command Denial of Service Vulnerability(CVE-2016-2366)
DESCRIPTION A denial of service vulnerability exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT data sent via the server could potentially result in an out-of-bounds read. A malicious server or an attacker who intercepts the network traffic can send invalid data to...
Pidgin MXIT g_snprintf Multiple Buffer Overflow Vulnerabilities(CVE-2016-2368)
DESCRIPTION Multiple memory corruption vulnerabilities exist in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT data sent via the server could result in multiple buffer overflows, potentially resulting in code execution or memory disclosure. CVSSv3 SCORE 7.5...
Pidgin MXIT File Transfer Length Memory Disclosure Vulnerability(CVE-2016-2372)
DESCRIPTION An information leak exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT data sent via the server could potentially result in an out of bounds read. A malicious user, server, or man-in-the-middle can send an invalid size for a file transfer which will trigger ...
The Document Foundation LibreOffice RTF Stylesheet Code Execution Vulnerability(CVE-2016-4324)
SUMMARY An exploitable Use After Free vulnerability exists in the RTF parser LibreOffice. A specially crafted file can cause a use after free resulting in a possible arbitrary code execution. To exploit the vulnerability a malicious file needs to be opened by the user via vulnerable application...
Pidgin MXIT CP_SOCK_REC_TERM Denial of Service Vulnerability(CVE-2016-2369)
DESCRIPTION An NULL pointer dereference vulnerability exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT data sent via the server could potentially result in a denial of service vulnerability. A malicious server can send a packet starting with a NULL byte triggering the...
Apache Solr 7.0.1 - XML External Entity Expansion / Remote Code Execution(CVE-2017-12629)
First Vulnerability: XML External Entity Expansion deftype=xmlparser Lucene includes a query parser that is able to create the full-spectrum of Lucene queries, using an XML data structure. Starting from version 5.1 Solr supports "xml" query parser in the search query. The problem is that lucene x...
Pidgin MXIT Markup Command Denial of Service Vulnerability(CVE-2016-2365)
DESCRIPTION A denial of service vulnerability exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT data sent via the server could potentially result in a null pointer dereference. A malicious server or an attacker who intercepts the network traffic can send invalid data t...
Pidgin MXIT Avatar Length Memory Disclosure Vulnerability(CVE-2016-2367)
DESCRIPTION An information leak exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT data sent via the server could potentially result in an out of bounds read. A malicious user, server, or man-in-the-middle can send an invalid size for an avatar which will trigger an...
Pidgin MXIT read stage 0x3 Code Execution Vulnerability(CVE-2016-2376)
DESCRIPTION A buffer overflows vulnerability exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT data sent from the server could potentially result in arbitrary code execution. A malicious server or an attacker who intercepts the network traffic can send an invalid size...
Pidgin MXIT HTTP Content-Length Buffer Overflow Vulnerability(CVE-2016-2377)
DESCRIPTION A buffer vulnerability exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT data sent by the server could potentially result in an out of bounds write of one byte. A malicious server can send a negative content-length in response to a HTTP request triggering t...