OnePlus OTA One/X Crossover Vulnerability (CVE-2017-8851)
Products: OnePlus X, OnePlus One. Vulnerable Version: All OnePlus OxygenOS & HydrogenOS OTAs. Technical Details: Due to the lenient updater-script in the OnePlus One & X OTA images (see below), the fact that both products use the same OTA verification keys, and the fact that both products share the same...
OnePlus 3/3T OxygenOS Unauthorized Flash Dumping via fastboot (CVE-2017-5625)
Products: OnePlus 3T, OnePlus 3. Vulnerable Version: OxygenOS 4.0.2 and earlier. Mitigation: Install OxygenOS 4.0.3 or later. Summary: A physical attacker, or PC malware / a malicious charger having ADB or fastboot access to the device, can cause a locked bootloader to partially dump the content of an arbitrar...
OnePlus OTA OxygenOS/HydrogenOS Crossover Vulnerability (CVE-2017-8850)
Products: OnePlus 3T, OnePlus 3, OnePlus 2, OnePlus X, OnePlus One. Vulnerable Version: All OnePlus OxygenOS & HydrogenOS OTAs. Technical Details: Due to the lenient updater-script in the OnePlus OTA images (see below), and the fact that both ROMs use the same OTA verification keys, attackers can install HydrogenOS...
OnePlus OTA Downgrade Vulnerability (CVE-2017-5948)
Products: OnePlus 3T, OnePlus 3, OnePlus 2, OnePlus X, OnePlus One. Vulnerable Version: All OnePlus OxygenOS & HydrogenOS OTAs. Technical Details: A lenient updater-script in the OnePlus OTAs does not check that the current version is lower than or equal to the given image's (see below). The 4.0.0...
Microsoft IIS Server XSS Vulnerability (CVE-2017-0055)
During a penetration test against the infrastructure of one of our clients we discovered a reflected Cross Site Scripting/HTML injection vulnerability in Microsoft Internet Information Services web server. The vulnerability could be exploited, with the help of user interaction, to inject javascri...
OnePlus 3/3T OxygenOS SELinux Security Bypass (CVE-2017-5554)
Products: OnePlus 3T, OnePlus 3. Vulnerable Version: OxygenOS prior to 4.0.2. Technical Details: The attacker can reboot a OnePlus 3/3T device into fastboot mode, which can be done without any authentication. A physical attacker can press the “Volume Up” button during device boot, where an attack...
Huiwen library OPAC backdoor leads to source code leak
0x00 Description: The Huiwen libsys library OPAC system is widely used by colleges and universities; its users include Xiamen University, Nanjing University, Dalian Polytechnic University, Nankai University and many other schools. The system is built on Oracle + PHP, not from public contact t...
Google Nexus 9 Cypress SAR Firmware Injection via I2C (CVE-2017-0563)
Product: Google Nexus 9. Vulnerable Version: Nexus 9 Android builds before N4F27B (May 2017), i.e. before bootloader 3.50.0.0143. Mitigation: Install N4F27B or later (bootloader version 3.50.0.0143). Technical Details: The Nexus 9 device contains a sensor SoC manufactured by Cypress. The sensor is manag...
Google Nexus 9 SensorHub Firmware Downgrade Vulnerability (CVE-2017-0582)
Product: Google Nexus 9. Vulnerable Version: Nexus 9 Android builds before N4F27B (May 2017), i.e. before bootloader 3.50.0.0143. Mitigation: Install N4F27B or later (bootloader version 3.50.0.0143). Technical Details: The Nexus 9 device contains a SoC manufactured by Cywee which implements a “Sensor...
OnePlus OTA Lack of TLS Vulnerability (CVE-2016-10370)
Summary The OnePlus OTA Updater pushes the signed-OTA image over HTTP without TLS. While it does not allow for installation of arbitrary OTAs due to the digital signature, it unnecessarily increases the attack surface, and allows for remote exploitation of other vulnerabilities such as...
Cordova-Android MiTM Remote Code Execution (CVE-2017-3160)
Product: Apache Cordova. Vulnerable Version: 6.1.1 and below. Technical Details: When adding an Android project for the first time (‘cordova platform add Android’), Cordova requires the Gradle build tool to be installed in the local development environment. If the developer has not pre-installed Gradle, the...
Vanilla Forums <= 2.3 Unauth Remote Code Execution (CVE-2016-10033)
I. VULNERABILITY ------------------------- Vanilla Forums <= 2.3 Unauth. Remote Code Execution (RCE) exploit, CVE-2016-10033, 0day II. BACKGROUND ------------------------- "Community Forums Reinvented. Create an online community that your customers will love. Vanilla's forum software is used by top...
Google Nexus Synaptics Touchscreen Firmware Injection (CVE-2017-0433)
Products: Nexus 6P, Nexus 9, Android One, Pixel, Pixel XL. Vulnerable Versions: Verified on Nexus 9 6.0.1/MOB30W; verified on Nexus 9 7.0/NRD90M. Technical Details: Due to lenient SELinux and DAC policy, vulnerable Synaptics DSX touchscreen driver sysfs file entries are exposed to an attacker that executes...
Microsoft Edge Scripting Engine Memory Corruption Vulnerability (CVE-2017-0234)
A remote code execution vulnerability exists in the way that the Chakra JavaScript engine renders when handling objects in memory in Microsoft Edge. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. In a web-base...
Firefox Integer overflow leading to a buffer overflow in nsScriptLoadHandler (CVE-2016-9066)
This post will explore how CVE-2016-9066, a simple but, from an exploitation perspective, quite interesting vulnerability in Firefox, can be exploited to gain code execution. tl;dr: an integer overflow in the code responsible for loading script tags leads to an out-of-bounds write past the end of an...
Oracle PeopleSoft HCM 9.2 XXE Injection
Application: Oracle PeopleSoft Versions Affected: PeopleSoft HCM 9.2 on PeopleTools 8.55 Vendor URL: http://oracle.com Bug: XXE Reported: 23.12.2016 Vendor response: 24.12.2016 Date of Public Advisory: 18.04.2017 Reference: Oracle CPU April 2017 Author: Nadya Krivdyuk ERPScan Description 1...
Git Shell Bypass By Abusing Less (CVE-2017-8386)
git-shell is a restricted shell maintained by the git developers and is meant to be used as the upstream peer in a git remote session over an SSH tunnel. The basic idea behind this shell is to restrict the commands allowed in an SSH session to the ones required by git, which are as follows:...
Linux kernel Local Denial of Service Vulnerability (CVE-2017-7308)
The packet_set_ring function in net/packet/af_packet.c in the Linux kernel through 4.10.6 does not properly validate certain block-size data, which allows local users to cause a denial of service (integer signedness error and out-of-bounds write), or gain privileges if the CAP_NET_RAW capability is held...
Microsoft Edge Scripting Engine Memory Corruption Vulnerability (CVE-2017-0236)
A remote code execution vulnerability exists in the way that the Chakra JavaScript engine renders when handling objects in memory in Microsoft Edge. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. In a web-base...
MsMpEng: UIF decoder will spin forever processing sparse blocks
The UIF (Universal Image Format) is a proprietary file format used by the old shareware utility MagicISO. Microsoft have a dedicated unpacker for UIF that runs as SYSTEM on all filesystem activity (!?!). The UIF format has an index structure at a fixed offset from the end of the file, with a pointer ...
Coat of arms of cms any admin add exploit
No description provided by source...
Edge Browsers CSP Bypass
Version: Microsoft Edge 40.15063. PoC: http://server.n0tr00t.com/test/edge3.php PiC: https://ws1.sinaimg.cn/large/c334041bgy1ffexx3u68oj20kq08rgma.jpg CSP RULE: header("Content-Security-Policy: default-src 'none' 'unsafe-inline';"); Bypass: function var x =...
Firefox Browsers CSP Bypass
Version: Firefox 53.0.2. PoC: http://server.n0tr00t.com/firefox/ffcsp53.0.2.php PiC: https://ws1.sinaimg.cn/large/c334041bgy1ffeb2a6xfej20ph09nacs.jpg CSP RULE: header("Content-Security-Policy: default-src 'none' 'unsafe-inline';"); Bypass: x = new Date().valueOf(); document.cookie = "csp=" +...
MsMpEng: Remotely Exploitable Type Confusion (CVE-2017-0290)
MsMpEng is the Malware Protection service that is enabled by default on Windows 8, 8.1, 10, Windows Server 2012, and so on. Additionally, Microsoft Security Essentials, System Center Endpoint Protection and various other Microsoft security products share the same core engine. MsMpEng runs as NT...
Joomla! Core XSS Vulnerability (CVE-2017-7985)
Joomla! is one of the world's most popular content management system (CMS) solutions. It enables users to build custom Web sites and powerful online applications. More than 3 percent of Web sites are running Joomla!, and it accounts for more than 9 percent of CMS market share. As of November 2016,...
Joomla! Core XSS Vulnerability (CVE-2017-7986)
Joomla! is one of the world's most popular content management system (CMS) solutions. It enables users to build custom Web sites and powerful online applications. More than 3 percent of Web sites are running Joomla!, and it accounts for more than 9 percent of CMS market share. As of November 2016,...
Pwn2Own 2017: UAF in JSC::CachedCall (WebKit)
Pwn2Own 2017: UAF in JSC::CachedCall (WebKit). As a quick introduction, we are Samuel Groß, AKA saelo, and Niklas Baumstark, both students at Karlsruhe Institute of Technology, and have been playing CTF together for quite some time before we decided to team up for this year’s Pwn2Own. Today we are...
WordPress Core 4.6 - Unauthenticated Remote Code Execution
============================================= - Discovered by: Dawid Golunski - dawid (at) legalhackers.com - https://legalhackers.com - CVE-2016-10033 - Release date: 03.05.2017 - Revision 1.0 - Severity: Critical ============================================= I. VULNERABILITY -----------------------...
WordPress Core <= 4.7.4 Potential Unauthorized Password Reset
I. VULNERABILITY ------------------------- WordPress Core <= 4.7.4 Potential Unauthorized Password Reset, 0day II. BACKGROUND ------------------------- "WordPress is a free and open-source content management system (CMS) based on PHP and MySQL. WordPress was used by more than 27.5% of the top 10...
Heap Overflow Vulnerability in Citrix NetScaler Gateway (CVE-2017-7219)
After presenting my findings on the Swisscom router at the CybSecConference last year, I started looking for a new product to analyze. I quickly found that it’s possible to download virtual “demo” appliances of Citrix products, so I went on to download a Netscaler VPX, which at the time was at...
SDCMS front Desk arbitrary file deletion vulnerability
No description provided by source...
SDCMS arbitrary file read vulnerability
No description provided by source...
SDCMS attachment management plugin arbitrary file deletion vulnerability
No description provided by source...
Intel Active Management Technology, Intel Small Business Technology, and Intel Standard Manageability Escalation of Privilege
Description: There are two ways this vulnerability may be accessed (please note that Intel® Small Business Technology is not vulnerable to the first issue). An unprivileged network attacker could gain system privileges to provisioned Intel manageability SKUs: Intel® Active Management Technology (AMT)...
Ghostscript remote code execution (CVE-2017-8291) (ghostbutt)
No description provided by source. %!PS-Adobe-3.0 EPSF-3.0 %%BoundingBox: -0 -0 100 100 /sizefrom 10000 def /sizestep 500 def /sizeto 65000 def /enlarge 1000 def %/bigarr 65000 array def 0 sizefrom sizestep sizeto pop 1 add for /buffercount exch def /buffersizes buffercount array def 0 sizefrom...
Jenkins XStream: Java crash when trying to instantiate void/Void (CVE-2017-1000355)
Jenkins uses the XStream library to serialize and deserialize XML. Its maintainer recently published a security vulnerability that allows anyone able to provide XML to Jenkins for processing using XStream to crash the Java process. In Jenkins this typically applies to users with permission to...
Jenkins Java Deserialization Remote Code Execution Vulnerability (CVE-2017-1000353)
Vulnerability Summary: The following advisory describes a Java deserialization vulnerability found in CloudBees Jenkins version 2.32.1 that leads to Remote Code Execution. Jenkins helps to automate the non-human part of the whole software development process, with now common things like continuous...
Jenkins CLI: Login command allowed impersonating any Jenkins user (CVE-2017-1000354)
The login command available in the remoting-based CLI stored the encrypted user name of the successfully authenticated user in a cache file used to authenticate further commands. Users with sufficient permission to create secrets in Jenkins, and download their encrypted values e.g. with...
Jenkins Multiple CSRF vulnerabilities (CVE-2017-1000356)
Multiple Cross-Site Request Forgery vulnerabilities in Jenkins allowed malicious users to perform several administrative actions by tricking a victim into opening a web page. The most notable ones: SECURITY-412: Restart Jenkins immediately, after all builds are finished, or after all plugin...
Zabbix Proxy Server SQL Database Write Vulnerability (CVE-2017-2825)
Official patch earlier to fix the vulnerabilities: the Zabbix code execution vulnerability. DETAILS: One of the Trapper requests made by the Zabbix proxy is the “proxy config” request, which allows a proxy to request its own proxy configuration from the Zabbix Server or any other Zabbix Proxy's...
Zabbix Server Active Proxy Trapper Remote Code Execution Vulnerability (CVE-2017-2824)
Official patch earlier to fix the vulnerabilities: the Zabbix database write vulnerability. The vulnerability lies within the “Trapper” section of the Zabbix code; this is the network service that allows the Proxies and the Server to communicate (TCP port 10051). There are a set of API calls that the...
Ruby on Rails 'implicit render' functionality Directory Traversal Vulnerability (CVE-2014-0130)
Impact ------ The implicit render functionality allows controllers to render a template, even if there is no explicit action with the corresponding name. This module does not perform adequate input sanitization which could allow an attacker to use a specially crafted request to retrieve arbitrary...
Windows: Dolby Audio X2 Service EoP (CVE-2017-7293)
Windows: Dolby Audio X2 Service Elevation of Privilege Platform: Windows 10 + Realtek Audio Driver version 6.0.1.7898 on a Lenovo P50. Version of the service binary 0.7.2.61 built on 7/18/2016. Class: Elevation of Privilege Summary: The DAX2API service installed as part of the Realtek Audio Drive...
SNMP Incorrect Access Control Vulnerability (CVE-2017-5135) (StringBleed)
At DEF CON 24 IoT Village I gave a talk about the danger of SNMP write properties enabled on devices in the IoT; police patrols, ambulances and other “critical mission vehicles” were affected in that research. In December 2016, with a colleague from Argentina, Ezequiel Fernandez, we decided to...
WordPress Plugin WP Vault Local File Inclusion
Description: Type user access: any user. $_GET["wpv-image"] is not escaped in the include file. File / Code: Path: /wp-content/plugins/wp-vault/trunk/wp-vault.php include(dirname(__FILE__) . "/images/" . $_GET["wpv-image"]); if (isset($_GET["wpvfileid"])) { include(dirname(__FILE__) . "/wpv-file-handler.php"); exit; } else if...
WordPress Plugin WA Form Builder SQL Injection
Description: Type user access: any user. $_POST['waformsId'] is not escaped. WAFormBuilderuioutput is accessible to any user. File / Code: Path: /wp-content/plugins/wa-form-builder/main.php global $wpdb; echo 'SELECT * FROM '.$wpdb->prefix.'wapwaformbuilder WHERE Id = '.$_REQUEST['waformsId']; $formattr...
OurPHP the latest version stored xss
No description provided by source...
WordPress Plugin Delete All Comments Arbitrary File Upload
On November 20th, while auditing a hacked WordPress website, we identified a critical vulnerability in the Delete All Comments WordPress plugin v2.0, which has over 30,000 active installations. Because a part of the delete-all-comments.php main script is not restricted to the administrator, any...
WordPress Plugin Podlove Podcast Publisher Cross Site Scripting and SQL Injection Vulnerabilities
The second plugin that will be dissected is called Podlove Publisher, a WordPress plugin to manage podcasts. It suffered from multiple SQL injection and cross-site scripting vulnerabilities (funnily enough, also in a parameter named tab) that are fixed by now. The SQL injections were all caused by...