SeebugRecent

56796 matches found

seebug.org | added 2017/04/14
Windows Kernel win32k.sys multiple bugs in the NtGdiGetDIBitsInternal system call (CVE-2017-0058)
We have discovered two bugs in the implementation of the win32k!NtGdiGetDIBitsInternal system call, which is a part of the graphic subsystem in all modern versions of Windows. The issues can potentially lead to kernel pool memory disclosure (bug #1) or denial of service (bugs #1 and #2). Under certain...
CVSS 1.9 | AI score 6.9 | EPSS 0.03655 | Exploits: 2

seebug.org | added 2017/04/14
XM tech (Xiongmai) security surveillance devices: built-in uc-httpd server directory traversal and local file inclusion vulnerabilities
0x01 Vulnerability overview. 1. Vendor information. Manufacturer name: XM tech. Official domain name: www.xiongmaitech.com. Hangzhou XM Information Technology Co., Ltd. specializes in security surveillance and intelligent video, with in-house R&D dedicated to security video surveillance...
AI score 7 | Exploits: 0

seebug.org | added 2017/04/14
Windows Kernel stack memory disclosure in win32kfull!SfnINLPUAHDRAWMENUITEM (CVE-2017-0167)
We have discovered that it is possible to disclose portions of uninitialized kernel stack memory to user-mode applications in Windows 10 indirectly through the win32k!NtUserPaintMenuBar system call, or more specifically, through the user32!fnINLPUAHDRAWMENUITEM user-mode callback (#107 on Windows...
CVSS 2.1 | AI score 6.5 | EPSS 0.05587 | Exploits: 2

seebug.org | added 2017/04/14
Pixie CMS 1.04 arbitrary file upload
The Pixie CMS 1.04 admin backend has an arbitrary file upload vulnerability. Vulnerability analysis: in the Publish / File Manager module you can upload any file. See the code in /admin/admin/modules/mod_filemanager.php: $multiupload_extensions = array('.png', '.jpg', '.gif', '.zip', '.mp3', '.pdf', '...
AI score 7.2 | Exploits: 0

seebug.org | added 2017/04/14
Linux kernel 'udp.c' remote code execution vulnerability (CVE-2016-10229)
The Linux kernel allows remote attackers to execute arbitrary code via UDP traffic that triggers an unsafe second checksum calculation during execution of a recv system call with the MSG_PEEK flag. This may create a kernel panic or memory corruption leading to privilege escalation...
CVSS 10 | AI score 9.5 | EPSS 0.12791 | Exploits: 1

seebug.org | added 2017/04/13
Django is_safe_url() redirect URL filter function bypass (CVE-2017-7233)
Source: Tongcheng Security Emergency Response Center (YSRC). Author: Nearg1e@YSRC. Foreign security researcher roks0n reported a vulnerability to the Django project. About is_safe_url: Django ships the function django.utils.http.is_safe_url(url, host=None, allowed_hosts=None, require_https=False)...
CVSS 5.8 | AI score 6.9 | EPSS 0.02384 | Exploits: 1

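The entry above names the redirect filter but the snippet stops at its signature. The following is an added example, not Django's code and not part of the Seebug entry: a redirect-target check modelled on the published design of django.utils.http.is_safe_url(), written to show which URL shapes such a filter has to reject before a view hands the value to an HTTP redirect. The allowed host `example.com`, the sample targets and the helper names are assumptions for the demonstration.

```python
import re
import unicodedata
from urllib.parse import urlsplit

# Anything that starts like "scheme:" (RFC 3986 scheme syntax).  Older
# urlsplit() versions refuse to treat "scheme:<digits>" as a scheme, so the
# check below must not depend on how the parser tokenised the string.
_LOOKS_LIKE_SCHEME = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*:")


def _one_reading_is_safe(url: str, allowed_hosts: set, require_https: bool) -> bool:
    """Check a single spelling of the URL against the host allow-list."""
    if url.startswith("///"):
        # Chrome treats any URL with more than two leading slashes as absolute,
        # so "///evil.example" leaves the site although urlsplit sees only a path.
        return False
    if unicodedata.category(url[0])[0] == "C":
        # Some browsers skip leading control characters, which can turn a
        # relative-looking string into a scheme-relative one.
        return False
    try:
        parts = urlsplit(url)
    except ValueError:
        # e.g. unbalanced IPv6 brackets such as "http://[::1"
        return False
    if parts.scheme and not parts.netloc:
        # "http:///evil.example": the browser reads a host where urlsplit reads a
        # path.  This branch also rejects "javascript:..." and "data:..." targets.
        return False
    if not parts.scheme and _LOOKS_LIKE_SCHEME.match(url):
        # "https:999999999" on parsers that did not split the scheme off
        return False
    scheme = parts.scheme or ("http" if parts.netloc else "")
    allowed_schemes = {"https"} if require_https else {"http", "https"}
    host_ok = not parts.netloc or parts.netloc.lower() in allowed_hosts
    return host_ok and (not scheme or scheme in allowed_schemes)


def is_safe_redirect(url, allowed_hosts, require_https: bool = False) -> bool:
    """Return True only if `url` is relative or stays on one of `allowed_hosts`
    over http(s).  Browsers accept backslashes as path separators, so both
    spellings of the URL have to pass."""
    if url is None:
        return False
    url = url.strip()
    if not url:
        return False
    hosts = {h.lower() for h in allowed_hosts}
    return (_one_reading_is_safe(url, hosts, require_https)
            and _one_reading_is_safe(url.replace("\\", "/"), hosts, require_https))


if __name__ == "__main__":
    # Constructed sample targets (assumption: the site is example.com).
    for target in ["/accounts/profile/", "https://example.com/next",
                   "//evil.example/steal", "http:///evil.example",
                   "\\\\evil.example", "javascript:alert(1)", "https:999999999"]:
        print(f"{target!r:28} -> {is_safe_redirect(target, {'example.com'})}")
```

The allow-list is compared against the full netloc (host plus any port and userinfo), so `example.com:8443` or `user@example.com` must be listed explicitly if they are legitimate; failing closed there is the intended behaviour for a redirect check.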
seebug.org | added 2017/04/13
Nintendo: 3DS DNS Client Resolver Library Uses Predictable TXID
I bought a New Nintendo 3DS XL (US) with firmware 11.2.0-35U, and I've noticed that the DNS client resolver on the 3DS uses a simple incrementing TXID for lookups. This does not provide enough entropy to prevent remote attackers from spoofing responses. For example, see MS08-020 when this happened...
AI score 6.9 | Exploits: 0

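To make the entropy argument in the 3DS report concrete, here is an added example that is not part of the report: it builds real DNS query and response packets with struct, models two resolvers (one with the sequential 16-bit TXID the report describes, one drawing the TXID at random as RFC 5452 recommends) and measures how often an off-path attacker who observed one earlier query can forge a response that the resolver accepts. The attacker model, the resolver classes, and the names `example.test`, `attacker.test` and the address 203.0.113.7 are assumptions for the demonstration; source-port randomisation is deliberately left out so that only TXID entropy is measured.

```python
import random
import struct

QTYPE_A = 1
QCLASS_IN = 1


def encode_name(name: str) -> bytes:
    """Encode a dotted hostname in DNS label format (RFC 1035 section 3.1)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label length")
        out += struct.pack("B", len(raw)) + raw
    return out + b"\x00"


def build_query(txid: int, name: str) -> bytes:
    """Recursive A query: 12-byte header (RFC 1035 section 4.1.1) + one question."""
    flags = 0x0100  # RD=1
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def txid_of(packet: bytes) -> int:
    return struct.unpack("!H", packet[:2])[0]


def build_answer(txid: int, name: str, ipv4: str) -> bytes:
    """Minimal response: QR=1, the echoed question, one A record (TTL 60) whose
    owner name is a compression pointer to the question at offset 12."""
    flags = 0x8180  # QR=1, RD=1, RA=1
    header = struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)
    rdata = bytes(int(octet) for octet in ipv4.split("."))
    rr = struct.pack("!HHHIH", 0xC00C, QTYPE_A, QCLASS_IN, 60, 4) + rdata
    return header + question + rr


class SequentialResolver:
    """Models the behaviour the report describes: TXID = previous TXID + 1."""
    def __init__(self, start: int = 0):
        self._next = start

    def next_txid(self) -> int:
        txid = self._next & 0xFFFF
        self._next += 1
        return txid


class RandomResolver:
    """Draws each TXID from the full 16-bit space."""
    def next_txid(self) -> int:
        return random.getrandbits(16)


def resolver_accepts(query: bytes, response: bytes) -> bool:
    """All a TXID-only resolver checks: the ID and the question section match."""
    return txid_of(query) == txid_of(response) and query[12:] == response[12:len(query)]


def spoof_success_rate(resolver, trials: int, name: str = "example.test",
                       attacker_ip: str = "203.0.113.7") -> float:
    """Off-path attacker: sees one query (e.g. by making the device resolve an
    attacker-controlled name), then sends one forged answer for the *next*
    lookup, guessing TXID+1.  Returns the fraction of forged answers accepted."""
    hits = 0
    for _ in range(trials):
        observed = build_query(resolver.next_txid(), "attacker.test")
        guess = (txid_of(observed) + 1) & 0xFFFF
        victim_query = build_query(resolver.next_txid(), name)
        forged = build_answer(guess, name, attacker_ip)
        if resolver_accepts(victim_query, forged):
            hits += 1
    return hits / trials


if __name__ == "__main__":
    print("sequential TXID:", spoof_success_rate(SequentialResolver(start=1000), 200))
    print("random TXID:    ", spoof_success_rate(RandomResolver(), 2000))
```

With a sequential TXID the single forged packet is accepted on every lookup; with a random TXID a one-packet attacker lands one hit in 65536 on average, and a real resolver adds source-port randomisation on top of that.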
seebug.org | added 2017/04/13
OS Command Injection Vulnerability in ASG and CAS (CVE-2016-9091)
The Advanced Secure Gateway (ASG) and Content Analysis System (CAS) management consoles provide a web UI for appliance administrators to manage and monitor the respective appliance. Each management console provides limited functionality to administrators and does not provide them with access to the...
CVSS 9 | AI score 7.7 | EPSS 0.10126 | Exploits: 8

seebug.org | added 2017/04/13
Django django.views.static.serve URL redirect vulnerability (CVE-2017-7234)
Source: Tongcheng Security Emergency Response Center (YSRC). Author: Nearg1e@YSRC. A vulnerability reported by @Phithon. The problem lies in the django.views.static.serve function, which can be used to designate the static file directory of a web site. For example (python): urlpatterns = [url(r'^admin/', admin.site.urls), url(r'^staticp/?P.$', serve, {'document_root': os.path.join(settings.BASE_DIR, 'static_path')...
CVSS 5.8 | AI score 6.8 | EPSS 0.0183 | Exploits: 1

seebug.org | added 2017/04/12
TYPO3 CMS news management module SQL injection vulnerability
The News module, the 20th most used module of TYPO3, is subject to an SQL injection vulnerability. Although the author has been contacted numerous times in the span of 4 months, no fix has been provided. We are therefore releasing the details. Also, it should be noted that the vulnerability is on...
AI score 8.5 | Exploits: 0

seebug.org | added 2017/04/12
Joomla Component JobGrok Listing 3.1-1.2.58 - SQL Injection
SQL: http://www.Target.com/index.php?option=com_jobgroklist&view=posting&id=2:mechanic&Itemid=[SQL]...
AI score 7.1 | Exploits: 0

seebug.org | added 2017/04/12
Trend Micro Threat Discovery Appliance arbitrary file deletion (CVE-2016-7552)
A file delete in the logoff.cgi interface that allows for an authentication bypass (CVE-2016-7552). A command injection in the admin_sys_time.cgi interface that allows for an attacker to gain remote code execution (CVE-2016-7547). Trend Micro are not patching this vulnerability since this product is no...
CVSS 10 | AI score 10.3 | EPSS 0.93249 | Exploits: 19

seebug.org | added 2017/04/12
XSS Auditor bypass with link + SVG animations
UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36. Steps to reproduce the problem: 1. Go to...
AI score 6.4 | Exploits: 0

seebug.org | added 2017/04/12
Trend Micro Threat Discovery Appliance remote code execution (CVE-2016-7547)
A command injection in the admin_sys_time.cgi interface that allows for an attacker to gain remote code execution (CVE-2016-7547). Related entry: https://www.seebug.org/vuldb/ssvid-92938. This module requires Metasploit: http://metasploit.com/download Current source:...
CVSS 10 | AI score 10.2 | EPSS 0.93249 | Exploits: 19

seebug.org | added 2017/04/12
Microsoft Office OLE2Link vulnerability (CVE-2017-0199)
Vulnerability details, references: "Office OLE2Link zero-day" (from NCC Group); "CVE-2017-0199: In the Wild Attacks Leveraging the HTA Handler" (from FireEye). The Microsoft OLE2Link object contains a vulnerability in the way that it processes remotely-linked content. The remote content is opened based...
CVSS 9.3 | AI score 8.4 | EPSS 0.99933 | Exploits: 29

seebug.org | added 2017/04/11
GeoMoose <=2.9.2 /php/download.php parameter ext arbitrary file read vulnerability
No description provided by source...
AI score 7.1 | Exploits: 0

seebug.org | added 2017/04/11
New Concept Foreign Language online teaching platform: broken access control and arbitrary file upload vulnerabilities
No description provided by source...
AI score 7.1 | Exploits: 0

seebug.org | added 2017/04/10
dnaLIMS Code Execution / XSS / Traversal / Session Hijacking (CVE-2017-6526)
dnaLIMS Code Execution / XSS / Traversal / Session Hijacking (web application). Advisory URL: https://www.shorebreaksecurity.com/blog/product-security-advisory-psa0002-dnalims/ Date published: Mar 08, 2017. Vendor: dnaTools, Inc. CVE IDs: CVE-2017-6526, CVE-2017-6527, CVE-2017-6528, CVE-2017-6529. US-CERT VU#929263...
CVSS 10 | AI score 8.6 | EPSS 0.574 | Exploits: 16

seebug.org | added 2017/04/10
Cisco IOS and IOS XE Software Cluster Management Protocol Remote Code Execution Vulnerability (CVE-2017-3881)
Details source: https://artkond.com/2017/04/10/cisco-catalyst-remote-code-execution/ Do you still have telnet enabled on your Catalyst switches? Think twice, here's a proof-of-concept remote code execution exploit for a Catalyst 2960 switch with the latest suggested firmware. Check out the exploit code here. What...
CVSS 10 | AI score 9.9 | EPSS 0.98975 | Exploits: 12

seebug.org | added 2017/04/10
PHPCMS registration page arbitrary file upload vulnerability
Author: p0wd3r (Knownsec 404 security lab). Date: 2017-04-12. 0x00 Vulnerability overview. Vulnerability description: a few days ago a PHPCMS v9.6 arbitrary file upload vulnerability caused a stir in the security community; using it, an attacker can upload arbitrary files without authorization,...
AI score 7.8 | Exploits: 0

seebug.org | added 2017/04/10
PHPCMS v9 wap module SQL injection
Suspicious function: 1. In localhost/phpcms/modules/attachment/attachments.php, at line 241, the src variable submitted via GET is passed through the safe_replace function; now let's go into this damn filter function and see what it does. 2. Profile of the filter function and bypass...
AI score 8 | Exploits: 0

seebug.org | added 2017/04/09
Xen: broken check in memory_exchange() permits PV guest breakout (CVE-2017-7228)
Detailed analysis: "Pandavirtualization: Exploiting the Xen hypervisor". This bug report describes a vulnerability in memory_exchange() that permits PV guest kernels to write to an arbitrary virtual address with hypervisor privileges. The vulnerability was introduced through a broken fix for...
CVSS 7.2 | AI score 7 | EPSS 0.01569 | Exploits: 4

seebug.org | added 2017/04/07
semcms /semcms/view.php parameter ID injection vulnerability
No description provided by source...
AI score 7.1 | Exploits: 0

seebug.org | added 2017/04/07
WebKit: Use-after-free in JSC::B3::Procedure::resetReachability (CVE-2017-2470)
Note: it seems it doesn't crash a JSC compiled without AddressSanitizer. PoC: function for var i = 0; i 1000000; ++i const v = Array & 1 ? v : 1; typeof o = 'object'; ; ASan log: ==32191==ERROR: AddressSanitizer: heap-use-after-free on address 0x607000099738 at pc 0x000106c7af16 bp...
CVSS 6.8 | AI score 8 | EPSS 0.06267 | Exploits: 3

seebug.org | added 2017/04/07
WebKit: UXSS via a synchronous page load (CVE-2017-2480)
Here's a snippet of the method SubframeLoader::requestFrame, which is invoked when the |src| of an iframe object is changed: bool SubframeLoader::requestFrame(HTMLFrameOwnerElement& ownerElement, const String& urlString, const AtomicString& frameName, LockHistory lockHistory, LockBackForwardList...
CVSS 4.3 | AI score 7.6 | EPSS 0.04314 | Exploits: 3

seebug.org | added 2017/04/07
XiongHai CMS ("Bear sea CMS") v1.0 backend login bypass vulnerability
No description provided by source...
AI score 7.1 | Exploits: 0

seebug.org | added 2017/04/07
WebKit: UXSS via a focus event and a link element (CVE-2017-2479)
This is somewhat similar to https://crbug.com/663476. Here's a snippet of Container::replaceAllChildren: while (RefPtr<Node> child = m_firstChild) { removeBetween(nullptr, child->nextSibling(), *child); notifyChildNodeRemoved(*this, *child); } If the location hash value is set, the page will give focus to the associate...
CVSS 4.3 | AI score 7.6 | EPSS 0.05738 | Exploits: 3

seebug.org | added 2017/04/07
WebKit: Use-After-Free via Document::adoptNode (CVE-2017-2468)
This is a regression test from https://crbug.com/541206. But I think it seems not possible to turn it into a UXSS in WebKit. PoC: var s = document.body.appendChild(document.createElement('script')); s.type = '0'; s.textContent = 'document.body.appendChild(parent.i0)'; var i0 =...
CVSS 6.8 | AI score 8 | EPSS 0.0779 | Exploits: 3

seebug.org | added 2017/04/07
QNAP QTS multiple RCE vulnerabilities (CVE-2017-6361, CVE-2017-6360, CVE-2017-6359)
QNAP QTS multiple RCE vulnerabilities. The latest version of this advisory is available at: https://sintonen.fi/advisories/qnap-qts-multiple-rce-vulnerabilities.txt Overview: QNAP QTS firmware contains multiple Command Injection (CWE-77) vulnerabilities that can be exploited to gain remote...
CVSS 10 | AI score 10.9 | EPSS 0.66146 | Exploits: 5

seebug.org | added 2017/04/07
WebKit: heap-buffer-overflow in JSC::SymbolTableEntry::isWatchable (CVE-2017-2469)
I confirmed the PoC crashes the release version of Safari 10.0.3 (12602.4.8). It might need to refresh the page several times. PoC: function x = 0 var a; function arguments function b var g = 1; a5; f; g; ; ASan log: ==55079==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60c0000c8e88 at...
CVSS 6.8 | AI score 8.1 | EPSS 0.06267 | Exploits: 3

seebug.org | added 2017/04/07
WordPress Plugin Firewall 2 CSRF/stored XSS vulnerability
Description: CSRF/stored XSS in WordPress Firewall 2 allows unauthenticated attackers to do almost anything an admin can. Vulnerability: HTML is not escaped and there is no CSRF prevention, meaning attackers can put arbitrary HTML content onto the settings page. Proof of concept: visit the following...
AI score 6.2 | Exploits: 0

seebug.org | added 2017/04/07
iOS/macOS remote code execution triggered by malformed GIF in ImageIO framework (CVE-2017-2416)
ImageIO. Available for: iPhone 5 and later, iPad 4th generation and later, iPod touch 6th generation and later. Impact: Processing a maliciously crafted image may lead to arbitrary code execution. Description: A memory corruption issue was addressed through improved input validation. CVE-2017-2416:...
CVSS 6.8 | AI score 9 | EPSS 0.01784 | Exploits: 1

seebug.org | added 2017/04/06
Apache Tomcat Directory/Path Traversal
Advisory ID: DC-2017-03-001. Software: Apache Tomcat. Software Language: Java. Version: 7.0.76 (probably the 9, 8 and 6 branches also). Vendor Status: Vendor contacted. Release Date: 2017-04-04. Risk: Medium. Full Advisory URL:...
AI score 6.9 | Exploits: 0

seebug.org | added 2017/04/06
Serv-U FTP/MFT Server Unauthenticated Privilege Escalation
Details source: https://www.trustwave.com/Resources/SpiderLabs-Blog/Exploiting-Privilege-Escalation-in-Serv-U-by-SolarWinds/?page=1&year=0&month=0 I was recently working on an external network penetration test where I identified a new vulnerability in a file sharing web application called Serv-U ...
AI score 8.1 | Exploits: 0

seebug.org | added 2017/04/06
AMF3 Java implementations deserialization vulnerability
Details reference: https://codewhitesec.blogspot.kr/2017/04/amf.html Some Java implementations of AMF3 deserializers derive class instances from java.io.Externalizable rather than the AMF3 specification's recommendation of a flash.utils.IExternalizable. A remote attacker with the ability to...
CVSS 7.5 | AI score 9.6 | EPSS 0.16112 | Exploits: 5

seebug.org | added 2017/04/06
PHP Server Side Request Forgery Security Bypass Vulnerability (CVE-2017-7272)
For historical reasons, fsockopen accepts the port and hostname separately: fsockopen('127.0.0.1', 80). However, with the introduction of stream transports in PHP 4.3, it became possible to include the port in the hostname specifier: fsockopen('127.0.0.1:80'). Or more formally:...
CVSS 5.8 | AI score 7.8 | EPSS 0.03514 | Exploits: 2

seebug.org | added 2017/04/06
AMF3 Java implementations Improper Restriction of XML External Entity Reference ('XXE')
Detailed analysis reference: https://codewhitesec.blogspot.kr/2017/04/amf.html Some Java implementations of AMF3 deserializers allow external entity references (XXEs) from XML documents embedded within AMF3 messages. If the XML parsing is handled incorrectly it could potentially expose...
CVSS 5.5 | AI score 7.5 | EPSS 0.0954 | Exploits: 4

seebug.org | added 2017/04/06
AMF3 Java implementations Improper Control of Dynamically-Managed Code Resources
Details reference: https://codewhitesec.blogspot.kr/2017/04/amf.html Some Java implementations of AMF3 deserializers may allow instantiation of arbitrary classes via their public parameter-less constructor and subsequently call arbitrary Java Beans setter methods. The ability to exploit this...
AI score 9.5 | EPSS 0.21274 | Exploits: 6

seebug.org | added 2017/04/05
Broadcom: Multiple memory corruptions in "dhd_pno_process_anqpo_result" (CVE-2017-0572)
Detailed analysis: Part 1 https://googleprojectzero.blogspot.tw/2017/04/over-air-exploiting-broadcoms-wi-fi4.html, Part 2 https://googleprojectzero.blogspot.tw/2017/04/over-air-exploiting-broadcoms-wi-fi11.html Broadcom produces the Wi-Fi HardMAC SoCs which are used to...
CVSS 7.6 | AI score 7.5 | EPSS 0.01496 | Exploits: 1

seebug.org | added 2017/04/05
WebKit: HTMLInputElement use-after-free (CVE-2017-2454)
There is a use-after-free security vulnerability related to how the HTMLInputElement is handled in WebKit. The vulnerability was confirmed on a nightly build of WebKit. The PoC also crashes Safari 10.0.2 on Mac. PoC: function eventhandler1() { input.type = "foo"; } function eventhandler2...
CVSS 6.8 | AI score 8.1 | EPSS 0.06766 | Exploits: 3

seebug.org | added 2017/04/05
WebKit: Negative-size memmove in HTMLFormElement (CVE-2017-2459)
There is a negative-size memmove security vulnerability in WebKit. The vulnerability was confirmed on a nightly build of WebKit. The PoC has also been observed to crash Safari 10.0.2 on Mac. PoC note: it might take a couple of refreshes to trigger the bug: function go() { var iframe =...
CVSS 6.8 | AI score 8.1 | EPSS 0.06736 | Exploits: 3

seebug.org | added 2017/04/05
WebKit: use-after-free in FormSubmission::create (CVE-2017-2460)
There is a use-after-free security vulnerability in WebKit. The vulnerability was confirmed on a nightly version of WebKit. The PoC has also been observed to crash Safari 10.0.2 on Mac. Please note: This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available...
CVSS 6.8 | AI score 8 | EPSS 0.06736 | Exploits: 3

seebug.org | added 2017/04/05
WebKit: table use-after-free (CVE-2017-2471)
There is a use-after-free security vulnerability in WebKit. The vulnerability was confirmed on a nightly version of WebKit. The PoC has also been observed to crash Safari 10.0.3 on Mac. PoC: -webkit-border-image: url(foo) 1 5 1 63 repeat; -webkit-flow-into: foo; function eventhandler() { var a;...
CVSS 6.8 | AI score 8.1 | EPSS 0.08511 | Exploits: 3

seebug.org | added 2017/04/05
Android: Ashmem race conditions in android.util.MemoryIntArray (CVE-2017-0412)
The MemoryIntArray class allows processes to share an in-memory array of integers by transferring an ashmem file descriptor. As the class implements the Parcelable interface, it can be passed within a Parcel or a Bundle and transferred via binder to remote processes. Instead of directly tracking...
CVSS 9.3 | AI score 7.7 | EPSS 0.02535 | Exploits: 5

seebug.org | added 2017/04/05
Broadcom: Heap overflow in TDLS Teardown Request while handling Fast Transition IE (CVE-2017-0561)
Detailed analysis: https://googleprojectzero.blogspot.tw/2017/04/over-air-exploiting-broadcoms-wi-fi4.html Posted by Gal Beniamini, Project Zero. It's a well understood fact that platform security is an integral part of the security of complex systems. For mobile devices, this statement rings even truer; modern...
CVSS 10 | AI score 10 | EPSS 0.30032 | Exploits: 4

seebug.org | added 2017/04/05
Broadcom: Heap overflow in "wl_run_escan" when handling WLC_GET_VALID_CHANNELS ioctl results (CVE-2017-0568)
Broadcom produces Wi-Fi HardMAC SoCs which are used to handle the PHY and MAC layer processing. These chips are present in both mobile devices and Wi-Fi routers, and are capable of handling many Wi-Fi related events without delegating to the host OS. On Android devices, the "bcmdhd" driver is used...
CVSS 7.6 | AI score 7.2 | EPSS 0.01496 | Exploits: 1

seebug.org | added 2017/04/05
Broadcom: Heap overflow in "dhd_handle_swc_evt" (CVE-2017-0569)
Broadcom produces Wi-Fi HardMAC SoCs which are used to handle the PHY and MAC layer processing. These chips are present in both mobile devices and Wi-Fi routers, and are capable of handling many Wi-Fi related events without delegating to the host OS. On Android devices, the "bcmdhd" driver is used...
CVSS 7.6 | AI score 7.3 | EPSS 0.07686 | Exploits: 2

seebug.org | added 2017/04/05
Splunk Enterprise Information Theft (CVE-2017-5607)
Product: Splunk Enterprise. Splunk provides the leading platform for Operational Intelligence. Customers use Splunk to search, monitor, analyze and visualize machine data. Splunk Enterprise collects and analyzes high volumes of machine-generated data. Vulnerability Type: JavaScript JSON Information...
CVSS 4.3 | AI score 5 | EPSS 0.05853 | Exploits: 6

seebug.org | added 2017/04/05
Broadcom: Stack buffer overflow when handling 802.11r (FT) authentication response (CVE-2017-6975)
Detailed analysis: Part 1 https://googleprojectzero.blogspot.tw/2017/04/over-air-exploiting-broadcoms-wi-fi4.html, Part 2 https://googleprojectzero.blogspot.tw/2017/04/over-air-exploiting-broadcoms-wi-fi11.html Broadcom produces the Wi-Fi HardMAC SoCs which are used to...
CVSS 7.2 | AI score 7.3 | EPSS 0.00537 | Exploits: 3

seebug.org | added 2017/04/05
WebKit: ComposedTreeIterator::traverseNextInShadowTree use-after-free (CVE-2017-2466)
There is a use-after-free security vulnerability in WebKit. The vulnerability was confirmed on a nightly version of WebKit. The PoC has also been observed to crash Safari 10.0.2 on Mac. PoC: function go() { d.open = false; d.innerHTML = "foo"; d.open = true; } foo ASan log: ==570==ERROR:...
CVSS 6.8 | AI score 8.1 | EPSS 0.0687 | Exploits: 3