Samsung SmartThings Hub video-core credentials videoHostUrl Code Execution Vulnerability(CVE-2018-3872)
Summary An exploitable buffer overflow vulnerability exists in the credentials handler of video-core's HTTP server of Samsung SmartThings Hub. The video-core process incorrectly extracts the videoHostUrl field from a user-controlled JSON payload, leading to a buffer overflow on the stack. An...
Samsung SmartThings Hub video-core samsungWifiScan Code Execution Vulnerability(CVE-2018-3863 - CVE-2018-3866)
Summary Multiple exploitable buffer overflow vulnerabilities exist in the samsungWifiScan handler of video-core's HTTP server of Samsung SmartThings Hub. The video-core process incorrectly extracts fields from a user-controlled JSON payload, leading to a buffer overflow on the stack. An attacker...
Samsung SmartThings Hub hubCore port 39500 sync denial-of-service vulnerability(CVE-2018-3918)
Summary An exploitable vulnerability exists in the remote servers of Samsung SmartThings Hub. The hubCore process listens on port 39500 and relays any unauthenticated messages to SmartThings' remote servers, which incorrectly handle camera IDs for the "sync" operation, leading to arbitrary deleti...
Samsung SmartThings Hub video-core Camera Creation Code Execution Vulnerability(CVE-2018-3905)
Summary An exploitable buffer overflow vulnerability exists in the camera "create" feature of video-core's HTTP server of Samsung SmartThings Hub. The video-core process incorrectly extracts the "state" field from a user-controlled JSON payload, leading to a buffer overflow on the stack. An...
Samsung SmartThings Hub video-core Database clips Code Execution Vulnerability(CVE-2018-3919)
Summary An exploitable stack-based buffer overflow vulnerability exists in the retrieval of database fields in video-core's HTTP server of Samsung SmartThings Hub. The video-core process insecurely extracts the fields from the "clips" table of its SQLite database, leading to a buffer overflow on...
Samsung SmartThings Hub hubCore Port 39500 HTTP Header Injection Vulnerability(CVE-2018-3911)
Summary An exploitable HTTP header injection vulnerability exists in the remote servers of Samsung SmartThings Hub. The hubCore process listens on port 39500 and relays any unauthenticated message to SmartThings' remote servers, which insecurely handle JSON messages, leading to partially controll...
Samsung SmartThings Hub video-core AWSELB Cookie Code Execution Vulnerability(CVE-2018-3925)
Summary An exploitable buffer overflow vulnerability exists in the remote video-host communication of video-core's HTTP server of Samsung SmartThings Hub. The video-core process insecurely parses the AWSELB cookie while communicating with remote video-host servers, leading to a buffer overflow on...
Samsung SmartThings Hub video-core REST Request Parser HTTP Pipelining Injection Vulnerabilities(CVE-2018-3907 - CVE-2018-3909)
Summary Multiple exploitable vulnerabilities exist in the REST parser of video-core's HTTP server of the Samsung SmartThings Hub. The video-core process incorrectly handles pipelined HTTP requests, which allows successive requests to overwrite the previously parsed HTTP method, URL and body. An...
Samsung SmartThings Hub video-core Database shard.videoHostURL Code Execution Vulnerability(CVE-2018-3906)
Summary An exploitable stack-based buffer overflow vulnerability exists in the retrieval of a database field in video-core's HTTP server of Samsung SmartThings Hub. The video-core process insecurely extracts the shard.videoHostURL field from its SQLite database, leading to a buffer overflow on th...
Samsung SmartThings Hub hubCore ZigBee firmware update CRC16 check denial-of-service vulnerability(CVE-2018-3926)
Summary An exploitable integer underflow vulnerability exists in the ZigBee firmware update routine of the hubCore binary of the Samsung SmartThings Hub. The hubCore process incorrectly handles malformed files existing in its "data" directory, leading to an infinite loop, which eventually causes...
Samsung SmartThings Hub video-core database shard code execution vulnerabilities(CVE-2018-3912 - CVE-2018-3917)
Summary Multiple exploitable stack-based buffer overflow vulnerabilities exist in the retrieval of database fields in the video-core HTTP server of the Samsung SmartThings Hub. The video-core process insecurely extracts the fields from the "shard" table of its SQLite database, leading to a buffer...
Samsung SmartThings Hub hubCore Google Breakpad backtrace.io information disclosure vulnerability(CVE-2018-3927)
Summary An exploitable information disclosure vulnerability exists in the crash handler of the hubCore binary of the Samsung SmartThings Hub. When hubCore crashes, Google Breakpad is used to record minidumps, which are sent over an insecure HTTPS connection to the backtrace.io service, leading to...
Samsung SmartThings Hub video-core credentials Parsing SQL Injection Vulnerability(CVE-2018-3879)
Summary An exploitable JSON injection vulnerability exists in the credentials handler of video-core's HTTP server of Samsung SmartThings Hub. The video-core process incorrectly parses the user-controlled JSON payload, leading to a JSON injection which in turn leads to a SQL injection in the...
Samsung SmartThings Hub video-core RTSP Configuration Command Injection Vulnerability(CVE-2018-3856)
Summary An exploitable vulnerability exists in the smart camera RTSP configuration of the Samsung SmartThings Hub. The device incorrectly handles spaces in the URL field, leading to an arbitrary operating system command injection. An attacker can send a series of HTTP requests to trigger this...
MetInfo 6.0.0 backend SQL injection
...
Sngine v2.5.3 generic reflected XSS vulnerability
...
MetInfo 6.0.0 arbitrary user password change
...
Samsung SmartThings Hub video-core Camera URL Replace Code Execution Vulnerability(CVE-2018-3902)
Summary An exploitable buffer overflow vulnerability exists in the camera "replace" feature of video-core's HTTP server of Samsung SmartThings Hub. The video-core process incorrectly extracts the URL field from a user-controlled JSON payload, leading to a buffer overflow on the stack. An attacker...
Samsung SmartThings Hub video-core clips Code Execution Vulnerability(CVE-2018-3893 - CVE-2018-3897)
Summary Multiple exploitable buffer overflow vulnerabilities exist in the /cameras/XXXX/clips handler of video-core's HTTP server of Samsung SmartThings Hub. The video-core process incorrectly extracts fields from a user-controlled JSON payload, leading to a buffer overflow on the stack. An...
Samsung SmartThings Hub video-core Database find-by-cameraId Code Execution Vulnerability(CVE-2018-3880)
Summary Multiple exploitable vulnerabilities exist in the REST parser of video-core's HTTP server of the Samsung SmartThings Hub. The video-core process incorrectly handles pipelined HTTP requests, which allows successive requests to overwrite the previously parsed HTTP method, URL and body. An...
Samsung SmartThings Hub video-core samsungWifiScan Callback Code Execution Vulnerability(CVE-2018-3867)
Summary An exploitable stack-based buffer overflow vulnerability exists in the samsungWifiScan callback notification of video-core's HTTP server of Samsung SmartThings Hub. The video-core process incorrectly handles the answer received from a smart camera, leading to a buffer overflow on the stac...
eml Enterprise Address Book Management System Classic Edition V5.4.5 SQL injection vulnerability
...
MetInfo 6.0.0 backend arbitrary file read/download
...
MetInfo 6.0.0 arbitrary file read vulnerability
...
Jenkins arbitrary file read vulnerability (CVE-2018-1999002)
SECURITY-914 / CVE-2018-1999002 An arbitrary file read vulnerability in the Stapler web framework used by Jenkins allowed unauthenticated users to send crafted HTTP requests returning the contents of any file on the Jenkins master file system that the Jenkins master process has access to. Input...
Jenkins configuration file path change exposes administrator privileges (CVE-2018-1999001)
CVE-2018-1999001 is a configuration file path change vulnerability. A remote, unauthenticated attacker can construct malicious login credentials that cause the config.xml configuration file to be moved out of the Jenkins home directory into another directory. On the next restart of the Jenkins service, Jenkins falls back to legacy mode and grants administrator privileges to anonymous users as well, as shown in the figure below: Exploiting CVE-2018-1999001 requires waiting for the Jenkins service to restart....
Scan, Verify and Patch in Minutes: TikiWiki 17.1 SQLi
TikiWiki is open-source software that offers a wiki-style content management system. It has more than 1.25 million downloads and a large code base of around 1.7 million lines of code. In this blog post, we demonstrate step by step how we used our leading RIPS Code Analysis solution to...
Sony IPELA E Series Camera measurementBitrateExec command injection vulnerability(CVE-2018-3937)
Summary An exploitable command injection vulnerability exists in the measurementBitrateExec functionality of Sony IPELA E Series Network Camera. A specially crafted GET request can cause arbitrary commands to be executed. An attacker can send an HTTP request to trigger this vulnerability. Tested...
MetInfo 6.0.0 arbitrary file write vulnerability (getshell)
...
eml Enterprise Address Book Management System v5.4.4 SQL injection
...
seacms backend getshell
As a code-auditing novice who had only audited code a few times for offline CTF competitions, I decided over the summer holiday to start practicing code audits of some CMSes properly, and picked SeaCMS as the CMS to audit. Because I lacked experience, I chose to start by auditing the backend for vulnerabilities. Honestly, the protection in the SeaCMS backend is rather weak, and I found many backend SQL injections..... Later, referring to some earlier SeaCMS vulnerabilities, I finally found this backend getshell vulnerability, which inserts an if tag in the backend to get a shell. First, a demonstration of the whole getshell process: log in to the panel, go to the add-movie interface, add a movie there, and set the image URL to if:1$GLOBALS'G'.'ET'a;//end if;...
MetInfo 6.0 SQL injection
...
MetInfo 6.0 arbitrary file read
...
WebLogic arbitrary file upload vulnerability (CVE-2018-2894)
Affected versions: 10.3.6.0, 12.1.3.0, 12.2.1.2, 12.2.1.3. Download address: http://download.oracle.com/otn/nt/middleware/12c/12213/fmw12.2.1.3.0wlsquickDisk11of1.zip Vulnerability reproduction: once the service is running, visiting http://localhost:7001/wsutc/config.do allows the current working directory to be changed to another directory. Taking a local environment as an example, it can be deployed to...
Yunjindi (云金地) Land and Resources Management System generic arbitrary file read vulnerability
...
dedecms backend getshell
...
seacms backend SQL injection vulnerability
...
WebLogic deserialization remote command execution vulnerability (CVE-2018-2893)
...
Auxblog 1.1.2 code execution vulnerability
...
Remote code execution via multiple attack vectors in WAGO e!DISPLAY 7300T
VENDOR DESCRIPTION “New ideas are the driving force behind our success WAGO is a family-owned company headquartered in Minden, Germany. Independently operating for three generations, WAGO is the global leader of spring pressure electrical interconnect and automation solutions. For more than 60...
VLC media player 2.2.8 Arbitrary Code Execution PoC(CVE-2018-11529)
Exploit Title: VLC media player 2.2.8 Arbitrary Code Execution PoC Date: 6-6-2018 Exploit Author: Eugene Ng Vendor Homepage: https://www.videolan.org/vlc/index.html Software Link: http://download.videolan.org/pub/videolan/vlc/2.2.8/win64/vlc-2.2.8-win64.exe Version: 2.2.8 Tested on: Windows 10 x6...
New ceoAnyone Bug Identified in Multiple Crypto Game Smart Contracts (CVE-2018-11329)
Our vulnerability-scanning system at PeckShield has so far discovered several dangerous smart contract vulnerabilities: batchOverflow[1], proxyOverflow[2], transferFlaw[3], ownerAnyone[4], multiOverflow[5], burnOverflow[6]. These vulnerabilities typically affect various tokens that may be publicly traded in...
erc20 contract KoreaShow bug(CVE-2018-10973)
An integer overflow in the transferMulti function of a smart contract implementation for KoreaShow, an Ethereum ERC20 token, allows attackers to accomplish an unauthorized increase of digital assets via crafted value parameters. Let's see where this issue is: function transferMultiaddress to,...
Attackers can steal all of the Ether in the ROC (Rasputin Online Coin) token smart contract (CVE-2018-10944)
Abstract I found a vulnerability in a smart contract for ROC, aka Rasputin Online Coin, an Ethereum ERC20 token (CVE-2018-10944)[1]. The requestdividend function has a critical bug similar to a Reentrancy attack. Attackers can call the function multiple times to steal Ether constantly until all of th...
Aurora IDEX Membership (IDXM), ERC20 Token, allows attackers to acquire contract ownership (CVE-2018-10666)
Abstract I found a new vulnerability in the smart contract of the IDXM Token (CVE-2018-10666)[1]. Attackers can acquire contract ownership because the setOwner function is declared as public. A new owner can subsequently bypass intended access restrictions by, for example, calling uploadBalances. Details In...
DimonCoin (FUD), ERC20 token, allows attackers to steal all victims' balances (CVE-2018-11411)
Abstract I found a vulnerability in a smart contract for DimonCoin (FUD), an Ethereum ERC20 token (CVE-2018-11411)[1]. This vulnerability is exactly the same as the UselessEthereumToken vulnerability[2, 3]. The DimonCoin token has the same vulnerable function, transferFrom, as the UET token. Therefore...
New evilReflex Bug Identified in Multiple ERC20 Smart Contracts (CVE-2018-12702, CVE-2018-12703)
Update: 2018-06-24 With swift, coordinated response from Huobi.pro, we appreciate the announcement[11] on suspending the deposits and withdrawals of affected tokens! Our vulnerability-scanning system at PeckShield has so far discovered several dangerous smart contract vulnerabilities batchOverflow...
Attack on the pseudo-random number generator (PRNG) used in 1000 Guess, an Ethereum lottery game (CVE-2018-12454)
Abstract An Ethereum lottery game, 1000 Guess, has a vulnerability: it generates random numbers that anyone can predict. This game decides a winner by a random number when the number of players who have bet on the contract reaches the predetermined number. The contract generates the random number...
Bugged Smart Contract FuturXE: How Could Someone Mess up with Boolean? (CVE-2018-12025)
Recently the SECBIT team found a serious bug in an if condition in a deployed ERC20 smart contract called FuturXE (FXE); here is the bugged part: //Function for transfer of the coin from one address to another function transferFrom(address from, address to, uint value) returns (bool success) //checking...
EPoD: Ethereum Packet of Death (CVE-2018-12018)
PeckShield has so far discovered quite a few critical smart contract vulnerabilities. Besides smart contracts, the Ethereum ecosystem also includes other various components that are equally exposed to possible exploitation. Obviously, one such component is the core of Ethereum, i.e., the underlyi...