
56796 matches found

seebug.org, added 2017/04/21 12:00 a.m., 42 views

Chrome Universal XSS through bypassing ScopedPageSuspender with closing windows (CVE-2017-5007)

VULNERABILITY DETAILS ScopedPageSuspender works by taking pages from Page::ordinaryPages() and marking them as suspended. When window.close() is called, the following operations are performed: From /third_party/WebKit/Source/web/ChromeClientImpl.cpp: void ChromeClientImpl::closeWindowSoon() { // Make...

CVSS 4.3, AI score 7.5, EPSS 0.02093
Exploits: 1

seebug.org, added 2017/04/21 12:00 a.m., 17 views

PHPCMS V9 reflected XSS (all versions)

No description provided by source...

AI score 7.1
Exploits: 0

seebug.org, added 2017/04/21 12:00 a.m., 35 views

Apple WebKit: Type confusion in RenderBox with accessibility enabled (CVE-2017-2373)

There is a type confusion vulnerability that affects WebKit with accessibility enabled (WebCore::AXObjectCache::gAccessibilityEnabled). PoC: function boom() { m.append("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"); m.setAttribute("aria-labeledby", "t"); d.open = false; foo(); } Bad cast...

CVSS 6.8, AI score 8.1, EPSS 0.06021
Exploits: 4

seebug.org, added 2017/04/21 12:00 a.m., 42 views

Trend Micro Threat Discovery Appliance <= 2.6.1062r1 log_query_dlp.cgi Command Injection Remote Code Execution Vulnerability (CVE-2016-8590)

Summary: There exists a post-authenticated command injection vulnerability that can be used to execute arbitrary code as root. Notes: - Since this is a busybox, getting a connectback seemed hard. So, for this particular PoC, all I did was exec a bind shell using netcat. - Auth is VERY weak, no...

CVSS 10, AI score 10.1, EPSS 0.93249
Exploits: 16

seebug.org, added 2017/04/21 12:00 a.m., 41 views

Trend Micro Threat Discovery Appliance <= 2.6.1062r1 (latest) log_query.cgi Command Injection Remote Code Execution Vulnerability (CVE-2016-8591)

Summary: There exists a post-authenticated command injection vulnerability that can be used to execute arbitrary code as root. Notes: - Since this is a busybox, getting a connectback seemed hard. So, for this particular PoC, all I did was exec a bind shell using netcat. - Auth is VERY weak, no...

CVSS 9, AI score 9.6, EPSS 0.06247
Exploits: 5

seebug.org, added 2017/04/21 12:00 a.m., 37 views

Chrome Security: Universal XSS through removing link elements (CVE-2017-5010)

VULNERABILITY DETAILS When a link element is notified about its removal from the tree and the linked stylesheet happens to be the last pending one in the document, the fragment anchor may be updated, which triggers layout updates when it should be forbidden. In special circumstances, the updates...

CVSS 4.3, AI score 7.4, EPSS 0.01195
Exploits: 1

seebug.org, added 2017/04/21 12:00 a.m., 38 views

Trend Micro Threat Discovery Appliance <= 2.6.1062r1 (latest) log_query_system.cgi Command Injection Remote Code Execution Vulnerability Raw (CVE-2016-8592)

Summary: There exists a post-authenticated command injection vulnerability that can be used to execute arbitrary code as root. Notes: - Since this is a busybox, getting a connectback seemed hard. So, for this particular PoC, all I did was exec a bind shell using netcat. - Auth is VERY weak, no...

CVSS 9, AI score 9.6, EPSS 0.06247
Exploits: 5

seebug.org, added 2017/04/21 12:00 a.m., 37 views

Chrome Universal XSS by polluting private scripts with named properties (CVE-2017-5008)

VULNERABILITY DETAILS When a private script method is invoked, a ScriptForbiddenScope::AllowUserAgentScript scope is set up to allow running the internal script. It is possible to exploit this scope to execute user code here: static v8::Local<v8::Value> compileAndRunPrivateScript(ScriptState* scriptState, ...

CVSS 4.3, AI score 7.7, EPSS 0.01217
Exploits: 1

seebug.org, added 2017/04/21 12:00 a.m., 47 views

Chrome Universal XSS using late widget updates (CVE-2017-5006)

VULNERABILITY DETAILS Among the things that Document::shutdown() does, |view->dispose()| is called: From /third_party/WebKit/Source/core/frame/FrameView.cpp: void FrameView::dispose() { ... // FIXME: Do we need to do something here for OOPI? HTMLFrameOwnerElement* ownerElement = m_frame->deprecatedLocalOwner();...

CVSS 4.3, AI score 7.4, EPSS 0.01228
Exploits: 1

seebug.org, added 2017/04/21 12:00 a.m., 44 views

Trend Micro Threat Discovery Appliance <= 2.6.1062r1 (latest) upload.cgi Remote Code Execution Vulnerability Raw (CVE-2016-8593)

Summary: There exists a post-authenticated upload vulnerability that can be used to execute arbitrary code. Notes: - Since this is a busybox, getting a connectback seemed hard. So, for this particular PoC, all I did was take command, upload bd, exec, read, rinse, repeat. - You maybe can get a...

CVSS 6.5, AI score 9.2, EPSS 0.07047
Exploits: 5

seebug.org, added 2017/04/21 12:00 a.m., 44 views

Trend Micro Threat Discovery Appliance <= 2.6.1062r1 log_query_dae.cgi Command Injection Remote Code Execution Vulnerability (CVE-2016-8589)

Summary: There exists a post-authenticated command injection vulnerability that can be used to execute arbitrary code as root. Notes: - Since this is a busybox, getting a connectback seemed hard. So, for this particular PoC, all I did was exec a bind shell using netcat. - Auth is VERY weak, no...

CVSS 10, AI score 10.1, EPSS 0.93249
Exploits: 16

seebug.org, added 2017/04/21 12:00 a.m., 41 views

Trend Micro Threat Discovery Appliance <= 2.6.1062r1 detected_potential_files.cgi Command Injection Remote Code Execution Vulnerability (CVE-2016-8586)

Summary: There exists a post-authenticated command injection vulnerability that can be used to execute arbitrary code as root. Notes: - Since this is a busybox, getting a connectback seemed hard. So, for this particular PoC, all I did was exec a bind shell using netcat. - Auth is VERY weak, no...

CVSS 9, AI score 9.6, EPSS 0.0612
Exploits: 5

seebug.org, added 2017/04/21 12:00 a.m., 39 views

Trend Micro Threat Discovery Appliance <= 2.6.1062r1 admin_sys_time.cgi Command Injection Remote Code Execution Vulnerability Raw (CVE-2016-8585)

Summary: There exists a post-authenticated command injection vulnerability that can be used to execute arbitrary code as root. Notes: - Since this is a busybox, getting a connectback seemed hard. So, for this particular PoC, all I did was exec a bind shell using netcat. - Auth is VERY weak, no...

CVSS 9, AI score 9.6, EPSS 0.07204
Exploits: 5

seebug.org, added 2017/04/21 12:00 a.m., 36 views

Trend Micro Threat Discovery Appliance <= 2.6.1062r1 dlp_policy_upload.cgi Remote Code Execution Vulnerability (CVE-2016-8587)

Summary: The vulnerability is that dlp_policy_upload.cgi allows the upload of a zip file, located statically as: /var/dlppolicy.zip. The problem is that we can then get that file extracted using admindlp.cgi. This gets extracted into 2 locations: - /engptnstores/prod/sensorSDK/data/ -...

CVSS 6, AI score 7.4, EPSS 0.0245
Exploits: 5

seebug.org, added 2017/04/21 12:00 a.m., 65 views

Trend Micro Threat Discovery Appliance <= 2.6.1062r1 logoff.cgi Directory Traversal Authentication Bypass Vulnerability (CVE-2016-7552)

Summary: There exists a pre-authenticated directory traversal vulnerability that allows an attacker to delete any folder or file as root. This can result in an attacker causing a DoS or bypassing authentication. Exploitation: An attacker can use this vulnerability to bypass the authentication by...

CVSS 10, AI score 9.4, EPSS 0.93249
Exploits: 15

seebug.org, added 2017/04/21 12:00 a.m., 40 views

Chrome Universal XSS using iterables (CVE-2016-1668)

VULNERABILITY DETAILS From /third_party/WebKit/Source/bindings/core/v8/Iterable.h: void forEachForBinding(...) ... v8::Local<v8::Object> creationContext(scriptState->context()->Global()); v8::Local<v8::Function> v8Callback(callback.v8Value().As<v8::Function>()); v8::Local<v8::Value> v8ThisArg(thisArg.v8Value()); v8::Local<v8::Value> args[3]; args[2] =...

CVSS 6.8, AI score 8.3, EPSS 0.01285
Exploits: 1

seebug.org, added 2017/04/21 12:00 a.m., 38 views

Chrome Universal XSS by intercepting a UA shadow tree (CVE-2016-5204)

VULNERABILITY DETAILS When an event is dispatched to an element in a SVG shadow tree, Event::currentTarget() returns the original corresponding node, but Event::target() doesn't make any attempt to redirect access. Therefore, the tree can be trivially leaked like this: Gaining access to the...

CVSS 4.3, AI score 7.9, EPSS 0.01139
Exploits: 1

seebug.org, added 2017/04/21 12:00 a.m., 76 views

Chrome Universal XSS via reentrancy in FrameLoader::startLoad (CVE-2016-1697)

VULNERABILITY DETAILS From /third_party/WebKit/Source/core/loader/FrameLoader.cpp: void FrameLoader::startLoad(...) { ASSERT(client()->hasWebView()); if (m_frame->document()->pageDismissalEventBeingDispatched() != Document::NoDismissal) return; ... m_frame->document()->cancelParsing();...

CVSS 6.8, AI score 8.5, EPSS 0.01849
Exploits: 1

seebug.org, added 2017/04/21 12:00 a.m., 38 views

cgiemail and cgiecho Multiple Security Vulnerabilities (CVE-2017-5613)

SEC-212 Format string injection: The ability to supply arbitrary format strings to cgiemail and cgiecho allowed code execution whenever a user was able to provide a cgiemail template file. Use CVE-2017-5613. SEC-214 Open redirect: The cgiemail and cgiecho binaries served as an open redirect due to...

CVSS 6.8, AI score 7, EPSS 0.0256
Exploits: 1

seebug.org, added 2017/04/21 12:00 a.m., 25 views

Chrome Universal XSS via same document navigations (CVE-2016-1711)

VULNERABILITY DETAILS FrameLoader::loadInSameDocument is vulnerable to a problem similar to the one described in issue 613266: void FrameLoader::loadInSameDocument(const KURL& url, ... ... // If we have a provisional request for a different document, a fragment scroll should cancel it...

CVSS 6.8, AI score 8.9, EPSS 0.01479
Exploits: 1

seebug.org, added 2017/04/21 12:00 a.m., 18 views

Chrome Universal XSS using an <input type="color"> element (CVE-2016-5208)

VULNERABILITY DETAILS When an input element is removed, the popup is closed during the layout tree detach: void HTMLInputElement::detachLayoutTree(const AttachContext& context) { HTMLTextFormControlElement::detachLayoutTree(context); m_needsToUpdateViewValue = true; m_inputTypeView->closePopupView(); } If the...

CVSS 4.3, AI score 8, EPSS 0.01085
Exploits: 1

seebug.org, added 2017/04/21 12:00 a.m., 27 views

Chrome Type confusion in PDFium (CVE-2017-5057)

No description provided by source. var obj = new this.constructor;obj.author=3;...

CVSS 6.8, AI score 8.6, EPSS 0.01688
Exploits: 1

seebug.org, added 2017/04/20 12:00 a.m., 44 views

Trend Micro Threat Discovery Appliance <= 2.6.1062r1 dlp_policy_upload.cgi Information Disclosure Vulnerability (CVE-2016-7547)

Example: saturn:trend_micro_threat_discovery_dlp_policy_upload_lfd mr_me$ ./poc.py + usage: ./poc.py + eg: ./poc.py 172.16.175.123 admin /etc/passwd saturn:trend_micro_threat_discovery_dlp_policy_upload_lfd mr_me$ ./poc.py 172.16.175.123 admin123 /etc/passwd + logged in... + downloading file...

CVSS 7.5, AI score 9.2, EPSS 0.92721
Exploits: 9

seebug.org, added 2017/04/20 12:00 a.m., 67 views

Trend Micro Threat Discovery Appliance - Session Generation Authentication Bypass (CVE-2016-8584)

In the last few months, I have been testing several Trend Micro products with Steven Seeley (@steventseeley). Together, we have found more than 200 RCE (Remote Code Execution) vulnerabilities and for the first time we presented the outcome of our research at Hack In The Box 2017 Amsterdam in April...

CVSS 10, AI score 9, EPSS 0.93249
Exploits: 55

seebug.org, added 2017/04/20 12:00 a.m., 47 views

Equation Group leaked Windows framework exploit tool: Esteemaudit RDP vulnerability

1. Reproduction environment: Windows 2003 SP2 x86; Windows 2003 configured as the domain server (for domain server setup, refer to: https://wenku.baidu.com/view/430e9e96964bcf84b9d57bd4.html). 2. Environment setup: download the leaked files from https://yadi.sk/d/NJqzpqo3GxZA4; under Linux, by...

AI score 6.9
Exploits: 0

seebug.org, added 2017/04/19 12:00 a.m., 181 views

Pre-Auth MySQL remote DoS (Integer Overflow) (CVE-2017-3599)

MySQL server is affected by a remote DoS attack, which could be exploited by a remote unauthenticated attacker to cause a loss of availability on the targeted service. The issue has been verified to affect the 5.6.X branch up to 5.6.35 and the 5.7.X branch up to 5.7.17. It is strongly recommended that...

CVSS 7.8, AI score 8.3, EPSS 0.89924
Exploits: 7

seebug.org, added 2017/04/19 12:00 a.m., 8 views

WebKit: UXSS via operationSpreadGeneric

Once a spread operation is optimized, the function |operationSpreadGeneric| will be called from then on. But operationSpreadGeneric tries to get a JSGlobalObject from the argument of the spread operation. It seems that this optimization is not yet implemented in the release version of Safari...

AI score 6.9
Exploits: 0

seebug.org, added 2017/04/19 12:00 a.m., 12 views

Whole-script confusable domain label spoofing

Posted by Xudong Zheng. Before I explain the details of the vulnerability, you should take a look at the proof-of-concept. Punycode makes it possible to register domains with foreign characters. It works by converting each individual domain label to an alternative format using only ASCII characters. Fo...

AI score 6.7
Exploits: 0

seebug.org, added 2017/04/19 12:00 a.m., 37 views

VirtualBox: guest-to-host LPE via broken length handling in slirp copy

There is a vulnerability in VirtualBox that permits an attacker with root privileges in a virtual machine with a NAT network interface to corrupt the memory of the userspace host process and leak memory contents from the userspace host process. This probably permits an attacker with root privileg...

AI score 7.2
Exploits: 0

seebug.org, added 2017/04/19 12:00 a.m., 46 views

VirtualBox: unprivileged host user -> host kernel privesc via ALSA config (CVE-2017-3576)

This is another way to escalate from an unprivileged userspace process into the VirtualBox process, which has an open file descriptor to the privileged device /dev/vboxdrv and can use that to compromise the host kernel. The issue is that, for VMs with ALSA audio, the privileged VM host process...

CVSS 4.6, AI score 8.5, EPSS 0.01543
Exploits: 3

seebug.org, added 2017/04/19 12:00 a.m., 29 views

Microsoft Edge: Use-after-free in TypedArray.sort (CVE-2016-7288)

There is a use-after-free in TypedArray.sort. In TypedArrayCompareElementsHelper (https://chromium.googlesource.com/external/github.com/Microsoft/ChakraCore/+/TimeTravelDebugging/lib/Runtime/Library/TypedArray.cpp), the comparison function is called with the following code: Var retVal =...

CVSS 7.6, AI score 7.8, EPSS 0.70354
Exploits: 2

seebug.org, added 2017/04/19 12:00 a.m., 12 views

Apple WebKit: UXSS via PrototypeMap::createEmptyStructure

When creating an object in JavaScript, its |Structure| is created with the constructor's prototype's |VM|. Here are some snippets of that routine. Structure* InternalFunction::createSubclassStructure(ExecState* exec, JSValue newTarget, Structure* baseClass) { ... if (newTarget && newTarget != exec->jsCallee()...

AI score 6.9
Exploits: 0

seebug.org, added 2017/04/19 12:00 a.m., 118 views

Windows: ManagementObject Arbitrary .NET Serialization RCE (CVE-2017-0160)

Windows: ManagementObject Arbitrary .NET Serialization RCE. Platform: .NET 4.6, PowerShell 4. Tested between Server 2016 and Windows 10 Anniversary Edition. Class: Remote Code Execution. Summary: Accessing a compromised WMI server over DCOM using System.Management classes or the PowerShell...

CVSS 10, AI score 8.3, EPSS 0.23425
Exploits: 11

seebug.org, added 2017/04/19 12:00 a.m., 48 views

VirtualBox: guest-to-host out-of-bounds write via virtio-net (CVE-2017-3575)

This is a vulnerability that affects VirtualBox VMs that use a virtio network adapter (a non-standard configuration). It permits the guest kernel to write up to 4GB of controlled data out of bounds in the trusted userland host process. The bug is in the following code in...

CVSS 3.6, AI score 8.5, EPSS 0.01441
Exploits: 2

seebug.org, added 2017/04/19 12:00 a.m., 88 views

SSD Advisory – Ubuntu LightDM Guest Account Local Privilege Escalation (CVE-2017-7358)

Vulnerability Summary: The following advisory describes a local privilege escalation via LightDM found in Ubuntu versions 16.10 / 16.04 LTS. Ubuntu is an open source software platform that runs everywhere from IoT devices, the smartphone, the tablet and the PC to the server and the cloud. LightDM ...

CVSS 6.9, AI score 7.5, EPSS 0.02669
Exploits: 5

seebug.org, added 2017/04/19 12:00 a.m., 43 views

VirtualBox: unprivileged host user -> host kernel privesc via environment and ioctl (CVE-2017-3561)

This bug report describes two separate issues that, when combined, allow any user on a Linux host system on which VirtualBox is installed to gain code execution in the kernel. Since I'm not sure which one of these issues crosses something you consider to be a privilege boundary, I'm reporting the...

CVSS 4.6, AI score 8.9, EPSS 0.01543
Exploits: 2

seebug.org, added 2017/04/18 12:00 a.m., 173 views

Apache Log4j socket receiver deserialization vulnerability (CVE-2017-5645)

Versions Affected: all versions from 2.0-alpha1 to 2.8.1. Description: When using the TCP socket server or UDP socket server to receive serialized log events from another application, a specially crafted binary payload can be sent that, when deserialized, can execute arbitrary code. Mitigation: Ja...

CVSS 7.5, AI score 9.5, EPSS 0.8904
Exploits: 2

seebug.org, added 2017/04/17 12:00 a.m., 375 views

EternalChampion - Windows SMB Remote Code Execution Vulnerability (CVE-2017-0146)

A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server. To exploit the vulnerability, in most...

CVSS 9.3, AI score 8.4, EPSS 0.89862
Exploits: 27

seebug.org, added 2017/04/17 12:00 a.m., 48 views

VirtualBox: cooperating VMs can escape from shared folder (CVE-2017-3538)

There is a security issue in the shared folder implementation that permits cooperating guests with write access to the same shared folder to gain access to the whole filesystem of the host, at least on Linux hosts. The issue is that, when the host checks whether a given path escapes the root...

CVSS 6.3, AI score 7.5, EPSS 0.00353
Exploits: 1

seebug.org, added 2017/04/17 12:00 a.m., 32 views

Adobe Creative Cloud desktop application 4.0.0.185 elevation of privilege vulnerability (CVE-2017-3006)

Adobe CC uses weak, insecure permission settings on the "Adobe Photoshop dll & Startup Scripts" directories. This may allow authenticated users to execute arbitrary code in the security context of ANY other users with elevated privileges on the affected system. The issue is the 'C' flag (Change) for...

CVSS 9, AI score 9, EPSS 0.10819
Exploits: 6

seebug.org, added 2017/04/17 12:00 a.m., 29 views

PHPCMS V9 arbitrary file download (Windows)

1. Background: The arbitrary file download vulnerability sits in the same file as the PHPCMS v9.6.0 wap module SQL injection, but its trigger point is in the download function. 2. Details: The vulnerable file is phpcms\modules\content\down.php; the function that triggers the vulnerability: php public function download th...

AI score 8
Exploits: 0

seebug.org, added 2017/04/17 12:00 a.m., 61 views

XNU kernel UaF due to lack of locking in set_dp_control_port (CVE-2016-7644)

set_dp_control_port is a MIG method on the host_priv_port, so this bug is a root-to-kernel escalation. kern_return_t set_dp_control_port(host_priv_t host_priv, ipc_port_t control_port) { if (host_priv == HOST_PRIV_NULL) return KERN_INVALID_HOST; if (IP_VALID(dynamic_pager_control_port)) ipc_port_release_send(dynamic_pager_control_port);...

CVSS 9.3, AI score 7.7, EPSS 0.06785
Exploits: 7

seebug.org, added 2017/04/17 12:00 a.m., 253 views

Jackson enableDefaultTyping method deserialization code execution vulnerability (CVE-2017-7525)

Earlier this year, a vulnerability was discovered in the Jackson data-binding library, a library for Java that allows developers to easily serialize Java objects to JSON and vice versa, that allowed an attacker to exploit deserialization to achieve Remote Code Execution on the server. This...

AI score 10.2, EPSS 0.37925
Exploits: 7

seebug.org, added 2017/04/15 12:00 a.m., 24 views

Google Chrome webkitdirectory Information Disclosure

Google was the first vendor I contacted regarding this. After initially receiving a SEC-MEDIUM rating, it was later changed to SEC-LOW and ignored for months (6). It turned out that Chrome would be able to detect this type of bug if anyone would try to use it on a mass scale, as it is logged by...

AI score 6.6
Exploits: 0

seebug.org, added 2017/04/15 12:00 a.m., 56 views

Mozilla Firefox webkitdirectory local files disclosure (CVE-2017-5414)

I have reported three different bugs to Mozilla in the webkitdirectory feature. Luckily the folder picker was only implemented in Mozilla's Nightly browser, which is meant to test out new features before landing in the stable version. Bug 1295914 - webkitdirectory could be used to trick users into...

AI score 7.6, EPSS 0.00332
Exploits: 1

seebug.org, added 2017/04/15 12:00 a.m., 22 views

ETERNALROMANCE — Remote privilege escalation (SYSTEM) exploit (Windows XP to Windows 2008 over TCP port 445).

From the Shadow Brokers leak: a Windows XP to Windows 2008 remote privilege escalation vulnerability, corresponding to the codename ETERNALROMANCE. Reference: https://github.com/misterch0c/shadowbroker/tree/master/windows/exploits...

AI score 7
Exploits: 0

seebug.org, added 2017/04/15 12:00 a.m., 23 views

ETERNALSYNERGY — remote SMB exploit for Windows 8 and Windows Server 2012

From the Shadow Brokers leak: a Windows XP to Windows 2012 SMB vulnerability, corresponding to the codename ETERNALSYNERGY. Reference: https://github.com/misterch0c/shadowbroker/blob/master/windows/exploits/...

AI score 7.1
Exploits: 0

seebug.org, added 2017/04/15 12:00 a.m., 44 views

Microsoft Edge local files disclosure (CVE-2016-7239)

No description provided by source. The difference was that the default directory was 'My Documents', so I showed that the folder picker can be used to receive all the files within a victim's documents folder. This has since been fixed. Read all files on PC - PoC - By @qab thing opacity: 0.0; Hold do...

CVSS 2.6, AI score 6.4, EPSS 0.11616
Exploits: 1

seebug.org, added 2017/04/15 12:00 a.m., 1069 views

ETERNALBLUE - Remote RCE via SMB & NBT (Windows XP to Windows 2012)

From the Shadow Brokers leak: a Windows XP to Windows 2012 SMB remote code execution vulnerability, corresponding to the codename ETERNALBLUE. CVE-2017-0143 CVE-2017-0144 CVE-2017-0145 CVE-2017-0146 CVE-2017-0147 CVE-2017-0148 Reference:...

CVSS 9.3, AI score 8.1, EPSS 0.99693
Exploits: 91

seebug.org, added 2017/04/15 12:00 a.m., 206 views

ESKIMOROLL - MS14-068 Windows vulnerability in the Key Distribution Center (KDC) service (CVE-2014-6324)

Description: MS14-068 is a Windows vulnerability in the Key Distribution Center (KDC) service. It allows an authenticated user to insert an arbitrary PAC (a structure that represents all user rights) in its Kerberos ticket (the TGT). https://technet.microsoft.com/library/security/ms14-068.aspx In Windows...

CVSS 9, AI score 6.8, EPSS 0.87448
Exploits: 8

Total number of security vulnerabilities: 56796