56796 matches found
Apache Tomcat Upload Bypass / Remote Code Execution(CVE-2017-12617)
CVE-2017-12617: a critical remote code execution (RCE) vulnerability discovered in Apache Tomcat. Systems are affected when HTTP PUT is enabled by setting the "readonly" initialization parameter of the Default servlet to "false". Tomcat versions before 9.0.1 Beta, 8.5.23, 8.0.47 a...
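The precondition in the entry above is a configuration setting, so the practical check is to scan web.xml for it. The script below is an added example, not code from the advisory or from the Tomcat project: it finds a DefaultServlet whose readonly init-param is "false" (the name Tomcat's conf/web.xml actually uses; an absent param defaults to true) and emits a hardened copy. The sample web.xml is constructed for illustration.

```python
"""Flag a Tomcat web.xml whose DefaultServlet has readonly=false (the
CVE-2017-12617 precondition) and return a hardened copy.

Added example, not from the advisory or from Tomcat. Tomcat's conf/web.xml
registers org.apache.catalina.servlets.DefaultServlet under the servlet-name
"default" and reads the init-param "readonly"; a missing param defaults to
true, so only an explicit false lets HTTP PUT/DELETE reach the webapp tree.
"""
import xml.etree.ElementTree as ET

JAVAEE_NS = "http://xmlns.jcp.org/xml/ns/javaee"
DEFAULT_SERVLET = "org.apache.catalina.servlets.DefaultServlet"

# Constructed sample with the weak setting (not a real deployment's file).
VULNERABLE_WEB_XML = f"""<web-app xmlns="{JAVAEE_NS}" version="3.1">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>{DEFAULT_SERVLET}</servlet-class>
    <init-param>
      <param-name>readonly</param-name>
      <param-value>false</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
</web-app>
"""


def _local(tag):
    """Strip the {namespace} prefix ElementTree attaches to namespaced tags."""
    return tag.rsplit("}", 1)[-1]


def _child_text(elem, name):
    """Text of the first direct child called `name`, or '' if absent."""
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return ""


def _default_servlet_readonly_values(root):
    """Yield every <param-value> of a readonly init-param on a DefaultServlet."""
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        if _child_text(servlet, "servlet-class") != DEFAULT_SERVLET:
            continue
        for init_param in servlet:
            if _local(init_param.tag) != "init-param":
                continue
            if _child_text(init_param, "param-name") != "readonly":
                continue
            for child in init_param:
                if _local(child.tag) == "param-value":
                    yield child


def default_servlet_writable(web_xml_text):
    """True when the DefaultServlet is explicitly configured with readonly=false."""
    root = ET.fromstring(web_xml_text)
    return any(
        (pv.text or "").strip().lower() == "false"
        for pv in _default_servlet_readonly_values(root)
    )


def harden(web_xml_text):
    """Return the web.xml with every DefaultServlet readonly=false flipped to true."""
    ET.register_namespace("", JAVAEE_NS)  # keep the default namespace on output
    root = ET.fromstring(web_xml_text)
    for pv in _default_servlet_readonly_values(root):
        if (pv.text or "").strip().lower() == "false":
            pv.text = "true"
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("writable before:", default_servlet_writable(VULNERABLE_WEB_XML))
    print("writable after: ", default_servlet_writable(harden(VULNERABLE_WEB_XML)))
```

Run it against $CATALINA_BASE/conf/web.xml and against each deployed WEB-INF/web.xml, since a per-application file can override the global DefaultServlet definition; a `true` result means PUT is reaching the filesystem regardless of the Tomcat version.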
Joyent SmartOS Hyprlofs FS IOCTL Native File System Integer Overflow Privilege Escalation Vulnerability(CVE-2016-8733)
Summary: An exploitable integer overflow exists in the Joyent SmartOS OS 20161110T013148Z Hyprlofs file system. The vulnerability is present in the ioctl system call with the command HYPRLOFS_ADD_ENTRIES when dealing with native file systems. An attacker can craft an input that can cause a kernel...
Apple: Information Leak when handling WLC_E_COUNTRY_CODE_CHANGED event packets(CVE-2017-7116)
Broadcom produces Wi-Fi HardMAC SoCs which are used to handle the PHY and MAC layer processing. These chips are present in both mobile devices and Wi-Fi routers, and are capable of handling many Wi-Fi related events without delegating to the host OS. On iOS, the "AppleBCMWLANBusInterfacePCIe"...
Joyent SmartOS Hyprlofs FS IOCTL Add Entries 32-bit File System Denial of Service Vulnerability(CVE-2016-9040)
Summary: An exploitable denial of service exists in the Joyent SmartOS OS 20161110T013148Z Hyprlofs file system. The vulnerability is present in the ioctl system call with the command HYPRLOFS_ADD_ENTRIES when used with a 32-bit model. An attacker can cause a buffer to be allocated and never...
Joyent SmartOS Hyprlofs FS IOCTL 32-bit File System Integer Overflow Privilege Escalation Vulnerability(CVE-2016-9031)
Summary: An exploitable integer overflow exists in the Joyent SmartOS OS 20161110T013148Z Hyprlofs file system. The vulnerability is present in the ioctl system call with the command HYPRLOFS_ADD_ENTRIES when dealing with 32-bit file systems. An attacker can craft an input that can cause a kernel...
Computerinsel Photoline SVG Parsing Code Execution Vulnerability(CVE-2017-2920)
Summary: A memory corruption vulnerability exists in the .SVG parsing functionality of Computerinsel Photoline 20.02. A specially crafted .SVG file can trigger memory corruption, which can potentially lead to arbitrary code execution. An attacker can send a specific .SV...
Dnsmasq DoS Vulnerability(CVE-2017-14495)
No description provided by source. #!/usr/bin/python Copyright 2017 Google Inc. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless...
Mozilla Firefox WebExtensions can download and open non-executable files without user interaction(CVE-2017-7821)
CVE-2017-7821 "browser.downloads addon feature may be used for RCE" Steps: 1. Go to 'about:debugging' 2. Unpack attached PoC somewhere 3. Back in 'about:debugging' choose 'Load temp addon' and choose the poc 4. jar file is automatically downloaded and executed. We are able to download and execute...
Safari 10 cross-origin vulnerability
In Safari 10, XMLHttpRequest running in a null origin can freely issue cross-origin requests and set HTTP headers. I submitted it to Apple's bug reporter and emailed Apple; they quietly fixed the bug themselves without even sending me an email, so I decided to publish the PoC. This is a screenshot I took before the vulnerability was fixed: This vulnerability allows a same-origin policy bypass, with arbitrary cross-origin access; this is the code I wrote to fetch Gmail data: html var serveraddress = 'http://127.0.0.1:8000/static/csrfWcn6h/' function deleteSelf() { let test = document.getElementById('test')...
Dnsmasq Stack based overflow(CVE-2017-14493)
1. Build the docker image and open two terminals:
docker build -t dnsmasq .
docker run --rm -t -i --name dnsmasqtest dnsmasq bash
docker cp poc.py dnsmasqtest:/poc.py
docker exec -it bash
2. On one terminal start dnsmasq: /test/dnsmasqnoasn/src/dnsmasq --no-daemon --dhcp-range=fd00::2,fd00::ff dnsmasq:...
Tiandy IP cameras Sensitive Information Disclosure
Vulnerability Summary: The following advisory describes a sensitive information disclosure found in Tiandy IP cameras version 5.56.17.120. Tianjin Tiandy Digital Technology Co., Ltd (Tiandy Tech) is “one of top 10 leading CCTV manufacturer in China and a global supplier of advanced video surveillance...
Horde Groupware Unauthorized File Download
Vulnerability Summary: The following advisory describes an unauthorized file download vulnerability found in Horde Groupware version 5.2.21. Horde Groupware Webmail Edition is “a free, enterprise ready, browser based communication suite. Users can read, send and organize email messages and manage...
Vacron NVR Remote Command Execution
Vulnerability Summary: The following advisory describes a remote command execution vulnerability. VACRON specializes in “various types of mobile monitoring, CCTV monitoring system, IP remote image monitoring system monitoring and other related production, and can accept ODM, OEM and other...
Dnsmasq Heap based overflow(CVE-2017-14492)
1. Build the docker image and open two terminals:
docker build -t dnsmasq .
docker run --rm -t -i --name dnsmasqtest dnsmasq bash
docker cp poc.py dnsmasqtest:/poc.py
docker exec -it bash
2. On one terminal start dnsmasq: /test/dnsmasqnoasn/src/dnsmasq --no-daemon --dhcp-range=fd00::2,fd00::ff --enable-ra...
Angular-CLI Authentication Bypass
Vulnerability summary: The following advisory describes an authentication bypass vulnerability found in Angular-CLI version 1.3.2. The Angular CLI makes “it easy to create an application that already works, right out of the box. It already follows our best practices!” Credit: An independent security...
ZTE integrated multi-service router ZXR10 1800-2S sensitive information disclosure vulnerability
Introduction: The ZXR10 1800-2S router is an intelligent integrated multi-service router launched by ZTE that combines routing, switching, wireless, security and VPN in one device; with its modular, scalable system architecture it builds intelligent, efficient, reliable, flexible and easy-to-maintain networks for users. The router is broadly applicable to large-customer access, DCN, campus networks, school networks, egress gateways for government and enterprise networks, enterprise headquarters/branch access, financial outlets, mobile offices, and the aggregation/access layer of industry vertical networks. CVE/CNVD/CNNVD & vendor response: CVE-2017-10930...
Apple Safari uxss(CVE-2017-7089)
CVE-2017-7089 Impact: Processing maliciously crafted web content may lead to universal cross site scripting Description: A logic issue existed in the handling of the parent-tab. This issue was addressed with improved state management. Safari 10 Local SOP bypass html function Pewvar...
Dnsmasq Information Leak(CVE-2017-14494)
Sadly, there are no easy docker setup instructions available. Set up a simple network with dnsmasq as the DHCPv6 server. Run any DHCPv6 client on the client machine and capture the network packets. Look for the server identifier inside the DHCPv6 packets. Then, run the poc on the client: python /poc.p...
Netgear ReadyNAS Surveillance Unauthenticated Remote Command Execution
Vulnerability summary: The following advisory describes an unauthenticated remote command execution vulnerability found in Netgear ReadyNAS Surveillance. Netgear ReadyNAS Surveillance – Small businesses and corporate branch offices require a secure way to protect physical assets, but often lack th...
Dnsmasq DoS Vulnerability(CVE-2017-14496)
No description provided by source. #!/usr/bin/python Copyright 2017 Google Inc. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless...
Dnsmasq Heap based overflow(CVE-2017-14491)
1. Build the docker image and open three terminals:
docker build -t dnsmasq .
docker run --rm -t -i --name dnsmasqtest dnsmasq bash
docker cp poc.py dnsmasqtest:/poc.py
docker exec -it bash
docker exec -it bash
2. On one terminal, launch the attacker-controlled DNS server: python poc.py 127.0.0.2 53...
Discuz! X Front arbitrary file deletion vulnerability
Author: Knownsec 404 Team. 0x01 Description: Discuz! X is community software, a high-performance, comprehensive, secure and stable community forum platform built on PHP and MySQL (other databases are also supported). On September 29, 2017, Discuz! fixed a security issue that was used to strength...
Broadcom: Multiple overflows when handling 802.11r (FT) Reassociation Response(CVE-2017-11121)
Broadcom produces Wi-Fi HardMAC SoCs which are used to handle the PHY and MAC layer processing. These chips are present in both mobile devices and Wi-Fi routers, and are capable of handling many Wi-Fi related events without delegating to the host OS. In order to allow fast roaming between access...
Broadcom: Denial of service and OOB read in TCP KeepAlive Offloading(CVE-2017-7066)
Broadcom produces Wi-Fi HardMAC SoCs which are used to handle the PHY and MAC layer processing. These chips are present in both mobile devices and Wi-Fi routers, and are capable of handling many Wi-Fi related events without delegating to the host OS. In order to reduce overhead on the host, some...
Adobe Flash: Out-of-bounds read in applyToRange(CVE-2017-11282)
The attached fuzzed file causes an out-of-bounds read in TextFormat.applyToRange. operator.swf...
Adobe Flash: Out-of-bounds write in MP4 Edge Processing(CVE-2017-11281)
The attached fuzzed MP4 file causes an out-of-bounds memory access when played with Adobe Flash emu.mp4 LoadMP4.swf...
Synology Photo Station 6.7.3-3432 / 6.3-2967 - Remote Code Execution
Description: The remote code execution is a combination of 4 different vulnerabilities: CVE-2017-11151 allows remote attackers to upload arbitrary files to the specified directories. CVE-2017-11152 allows remote attackers to log in with a fake authentication mechanism. CVE-2017-11153 allows remot...
Adobe Flash: Out-of-bounds memory read in MP4 parsing(CVE-2017-11281)
The attached MP4 file causes an out-of-bounds memory access when played in flash player. 7.mp4 LoadMP4.swf...
Broadcom: OOB write when handling 802.11k Neighbor Report Response(CVE-2017-11120)
Broadcom produces Wi-Fi HardMAC SoCs which are used to handle the PHY and MAC layer processing. These chips are present in both mobile devices and Wi-Fi routers, and are capable of handling many Wi-Fi related events without delegating to the host OS. In order to allow fast roaming between access...
Broadcom: Heap overflow when handling 802.11v WNM Sleep Mode Response(CVE-2017-7065)
Broadcom produces Wi-Fi HardMAC SoCs which are used to handle the PHY and MAC layer processing. These chips are present in both mobile devices and Wi-Fi routers, and are capable of handling many Wi-Fi related events without delegating to the host OS. In order to allow clients to configure...
UCMS site settings interface stored XSS vulnerability
No description provided by source...
Smart home: remote command execution (RCE)
Smart home: remote command execution RCE During my spare time I am playing around with smart home/domotica/internet of things hardware and software. A while ago I decided to take a look at the security of these solutions, just because I was curious and because it’s fun. Within this research only...
LibOFX Tag Parsing Code Execution Vulnerability
Summary: An exploitable buffer overflow vulnerability exists in the tag parsing functionality of LibOFX 0.9.11. A specially crafted OFX file can cause a write out of bounds resulting in a buffer overflow on the stack. An attacker can construct a malicious OFX file to trigger this vulnerability...
Apache Commons Jelly connects to url with certain custom doctype definitions.
Severity: Medium. Vendor: The Apache Software Foundation. Versions Affected: commons-jelly-1.0 core, namely commons-jelly-1.0.jar. Description: During Jelly XML file parsing with Xerces, if a custom doctype entity is declared as a "SYSTEM" entity with a URL and that entity is used in the body of t...
ansible-vault Yaml Load Code Execution Vulnerability
Summary: An exploitable vulnerability exists in the YAML loading functionality of ansible-vault. A specially crafted vault can execute arbitrary Python commands resulting in command execution. An attacker can insert Python into the vault to trigger this vulnerability. Tested Versions: ansible-vault...
Revealing the content of the address bar (IE)
Revealing the content of the address bar (IE). Hello fellow bug hunter! Today we are going back to Internet Explorer which, despite getting old, tons of people still use. I am much happier with MSRC lately; they are really moving forward regarding Edge and design bugs, and they even extended its bug...
Aerospike Database Server Index Name Code Execution Vulnerability(CVE-2016-9052)
Summary: An exploitable stack-based buffer overflow vulnerability exists in the querying functionality of Aerospike Database Server 3.10.0.3. A specially crafted packet can cause a stack-based buffer overflow in the function as_sindex__simatch_by_iname resulting in remote code execution. An attacker ca...
Tarantool Key-type Denial Of Service Vulnerability(CVE-2016-9037)
Summary: An exploitable out-of-bounds array access vulnerability exists in the xrow_header_decode function of Tarantool 1.7.2.0-g8e92715. A specially crafted packet can cause the function to access an element outside the bounds of a global array that is used to determine the type of the specified...
Tarantool Msgpuck mp_check Denial Of Service Vulnerability(CVE-2016-9036)
Summary: An exploitable incorrect return value vulnerability exists in the mp_check function of Tarantool's Msgpuck library 1.0.3. A specially crafted packet can cause the mp_check function to incorrectly return success when trying to check if decoding a map16 packet will read outside the bounds of ...
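The entry above describes a pre-decode bounds check that answers "safe" for a map16 object whose declared contents are not actually in the buffer. The block below is an added example, not Msgpuck's or Tarantool's code: a checker in the style of mp_check that walks containers recursively, beside a deliberately broken variant that trusts the map16 header alone. The broken variant is constructed for contrast and is not a reproduction of Msgpuck's actual defect; the handled subset of msgpack types is an assumption of the example, and the packets are constructed inline.

```python
"""Bounds checking msgpack objects before decoding, mp_check-style.

Added example, not Msgpuck's or Tarantool's code. mp_check() validates one
complete object and returns the offset just past it; mp_check_header_only()
is a constructed buggy variant that accepts a map16 (0xde + 16-bit pair
count) after seeing only its 3-byte header, which is the failure class the
advisory describes: a decoder that trusts that answer then walks `count`
pairs that are not there. Only the msgpack types needed for the demo are
implemented (an assumption of the example).
"""
import struct


class Truncated(Exception):
    """Decoding this object would read beyond the end of the buffer."""


def _need(buf, pos, n):
    """Return pos + n, or raise Truncated if fewer than n bytes remain at pos."""
    if pos + n > len(buf):
        raise Truncated(f"need {n} byte(s) at offset {pos}, only {len(buf) - pos} left")
    return pos + n


def _check_items(buf, pos, count):
    """Validate `count` consecutive objects starting at pos; return the end offset."""
    for _ in range(count):
        pos = mp_check(buf, pos)
    return pos


def mp_check(buf, pos=0):
    """Return the offset just past one complete msgpack object at pos.

    A container's declared element count is only trusted once every element
    has actually been walked inside the buffer, so a header that promises
    more data than exists raises instead of returning success.
    """
    end = _need(buf, pos, 1)
    b = buf[pos]
    if b <= 0x7f or b in (0xc0, 0xc2, 0xc3):        # positive fixint, nil, false, true
        return end
    if 0xa0 <= b <= 0xbf:                           # fixstr, length in low 5 bits
        return _need(buf, end, b & 0x1f)
    if 0x80 <= b <= 0x8f:                           # fixmap, pair count in low 4 bits
        return _check_items(buf, end, 2 * (b & 0x0f))
    if 0x90 <= b <= 0x9f:                           # fixarray, count in low 4 bits
        return _check_items(buf, end, b & 0x0f)
    if b in (0xcc, 0xcd, 0xce, 0xcf):               # uint8/16/32/64: 1, 2, 4, 8 bytes
        return _need(buf, end, 1 << (b - 0xcc))
    if b == 0xd9:                                   # str8: 1-byte length prefix
        end = _need(buf, end, 1)
        return _need(buf, end, buf[pos + 1])
    if b == 0xdd:                                   # array16: 2-byte big-endian count
        end = _need(buf, end, 2)
        (n,) = struct.unpack_from(">H", buf, pos + 1)
        return _check_items(buf, end, n)
    if b == 0xde:                                   # map16: 2-byte big-endian pair count
        end = _need(buf, end, 2)
        (n,) = struct.unpack_from(">H", buf, pos + 1)
        return _check_items(buf, end, 2 * n)
    raise ValueError(f"type byte 0x{b:02x} not handled by this example")


def mp_check_header_only(buf, pos=0):
    """Constructed buggy checker: for map16 it verifies only the 3-byte header
    and reports success, leaving the declared pair count unchecked. Every
    other type is delegated to the correct checker."""
    if buf[pos:pos + 1] == b"\xde":
        return _need(buf, pos, 3)
    return mp_check(buf, pos)


def safe_to_decode(buf, checker=mp_check):
    """The gate a decoder would apply to a network packet before parsing it."""
    try:
        checker(buf, 0)
        return True
    except (Truncated, ValueError):
        return False


# Constructed packets: {"a": 1} as map16, and a map16 header claiming 1000 pairs.
COMPLETE_MAP16 = b"\xde\x00\x01\xa1a\x01"
HEADER_ONLY_MAP16 = b"\xde\x03\xe8"

if __name__ == "__main__":
    print("complete map16, correct check :", safe_to_decode(COMPLETE_MAP16))
    print("bare header, correct check    :", safe_to_decode(HEADER_ONLY_MAP16))
    print("bare header, header-only check:", safe_to_decode(HEADER_ONLY_MAP16, mp_check_header_only))
```

The point to carry into any binary parser is the one the recursive walk makes explicit: a length or count field is a claim, and the check is only sound once the bytes the claim refers to have been confirmed to lie inside the buffer, at every nesting level.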
Aerospike Database Server Client Message Memory Disclosure Vulnerability(CVE-2016-9050)
Summary: An exploitable out-of-bounds read vulnerability exists in the client message-parsing functionality of Aerospike Database Server 3.10.0.3. A specially crafted packet can cause an out-of-bounds read resulting in disclosure of memory within the process; the same vulnerability can also be use...
Aerospike Database Server Set Name Code Execution Vulnerability(CVE-2016-9054)
Summary: An exploitable stack-based buffer overflow vulnerability exists in the querying functionality of Aerospike Database Server 3.10.0.3. A specially crafted packet can cause a stack-based buffer overflow in the function as_sindex__simatch_list_by_set_binid resulting in remote code execution. An...
Oracle Outside In Technology RTF Parsing Code Execution Vulnerability(CVE-2017-3293)
Summary: An exploitable use-after-free vulnerability exists in the RTF parser functionality of the Oracle Outside In Technology SDK. A specially crafted RTF document can cause a reuse of a reference to previously freed memory, which can be manipulated into achieving arbitrary code execution. Tested...
Nitro Pro PDF Handling Code Execution Vulnerability(CVE-2016-8709)
Summary: A remote out-of-bounds write / memory corruption vulnerability exists in the PDF parsing functionality of Nitro Pro 10. A specially crafted PDF file can trigger memory corruption. An attacker can send the victim a specific PDF file to trigger this...
Nitro Pro 10 PDF Handling Code Execution Vulnerability(CVE-2016-8711)
Summary: A potential remote code execution vulnerability exists in the PDF parsing functionality of Nitro Pro 10. A specially crafted PDF file can trigger the flaw, potentially resulting in code execution. An attacker can send the victim a specific PDF file to trigger this vulnerability. Tested...
Libbpg BPG image decoding Code Execution Vulnerability(CVE-2016-8710)
Summary: An exploitable out-of-bounds heap write vulnerability exists in the decoding of BPG images in the libbpg library. A crafted BPG image decoded by libbpg can cause an integer underflow leading to an out-of-bounds heap write and remote code execution. This vulnerability can be...
Adobe Acrobat Reader DC jpeg decoder Remote Code Execution Vulnerability(CVE-2017-2971)
Summary: A use-of-uninitialized-memory vulnerability exists in the JPEG image file format decoding code of Adobe Acrobat Reader, which ultimately leads to a heap-based buffer overflow that can be abused to achieve remote code execution. A specially crafted PDF file with an embedded JPEG can trigger th...
NEXXT Authentication Bypass
Vulnerability Summary: The following advisory describes an authentication bypass found in NEXXT routers. NEXXT Connectivity Solutions develops "state of the art networking devices that help connect people and things together, at home, the office and virtually everywhere". Credit: An independent...
McAfee ePolicy Orchestrator DataChannel Blind SQL Injection Vulnerability(CVE-2016-8027)
Summary: An exploitable blind SQL injection vulnerability exists within McAfee's ePolicy Orchestrator 5.3.0 that is accessible without authentication. A specially crafted HTTP POST can allow an attacker to alter a SQL query, which can result in disclosure of information within the database or...
Sentora / ZPanel Password Reset Vulnerability
Vulnerability Summary: The following advisory describes a password reset vulnerability found in Sentora / ZPanel. Sentora is “a free to download and use web hosting control panel developed for Linux, UNIX and BSD based servers or computers. The Sentora software can turn a domestic or commercial server into a...
FLIR Systems Multiple Vulnerabilities
Vulnerabilities Summary: The following advisory describes five vulnerabilities found in FLIR Systems FLIR Thermal/Infrared Camera FC-Series S, FC-Series ID, PT-Series. FLIR – “Best-in-class thermal cameras with on-board analytics for high-performance intrusion detection. The new FC-Series ID...