Hyland Perceptive Document Filters Microsoft Word CDATA Code Execution Vulnerability (CVE-2018-3851)
Summary An exploitable heap corruption exists in the Microsoft Word to many types conversion functionality of the Hyland Perceptive Document Filters version 11.4.0.2647. A crafted Microsoft Word XML document can lead to heap corruption resulting in remote code execution. An attacker can provide ...
Adobe Acrobat Reader DC ANFancyAlertImpl Remote Code Execution Vulnerability (CVE-2018-4947)
Summary A specific JavaScript script embedded in a PDF file can cause a pointer to a previously freed object to be reused when opening a PDF document in Adobe Acrobat Reader DC 2018.009.20044. With careful memory manipulation, this can potentially lead to sensitive memory disclosure or arbitrary...
Foxit PDF Reader JavaScript Search Query Remote Code Execution Vulnerability (CVE-2017-14458)
Summary An exploitable use-after-free vulnerability exists in the JavaScript engine of Foxit Software's Foxit PDF Reader version 8.3.2.25013. A specially crafted PDF document can cause a previously freed object in memory to be reused, resulting in arbitrary code execution. An attacker needs to...
Hyland Perceptive Document Filters DOC to HTML updateNumbering Code Execution Vulnerability (CVE-2018-3855)
Summary An exploitable stack-based buffer overflow exists in the DOC-to-HTML conversion functionality of the Hyland Perceptive Document Filters version 11.4.0.2647. A crafted .doc document can lead to a stack-based buffer overflow, resulting in direct code execution. Tested Versions Perceptive Document...
Leshang Mall 1.5.0 backend arbitrary SQL statement execution vulnerability
...
Adobe Acrobat Reader DC Net.Discovery.queryServices Remote Code Execution Vulnerability (CVE-2018-4996)
Summary A specific JavaScript script embedded in a PDF file can cause a pointer to a previously freed object to be reused when opening a PDF document in Adobe Acrobat Reader DC 2018.009.20044. With careful memory manipulation, this can potentially lead to sensitive memory disclosure or arbitrary...
Foxit PDF Reader JavaScript XFA Clone Remote Code Execution Vulnerability (CVE-2018-3850)
Summary An exploitable use-after-free vulnerability exists in the JavaScript engine of Foxit Software's Foxit PDF Reader version 9.0.1.1049. A specially crafted PDF document can cause a previously freed object in memory to be reused, resulting in arbitrary code execution. An attacker needs to trick...
Multi-Master Replication Manager for MySQL mmm_agentd Remote Command Injection Vulnerabilities
Summary Multiple exploitable remote command injection vulnerabilities exist in the MySQL Master-Master Replication Manager (MMM) mmm_agentd daemon 2.2.1. mmm_agentd commonly runs with root privileges and does not require authentication by default. A specially crafted MMM protocol message can cause a...
Hyland Perceptive Document Filters DOCX to HTML Code Execution Vulnerability (CVE-2018-3844)
Summary An exploitable use-after-free exists in the DOCX to HTML conversion functionality of the Hyland Perceptive Document Filters version 11.4.0.2647. A crafted DOCX document can lead to a use-after-free resulting in direct code execution. Tested Versions Perceptive Document Filters 11.4.0.264...
OpenPGP / S/MIME information disclosure (CVE-2017-17688, CVE-2017-17689)
EFAIL describes vulnerabilities in the end-to-end encryption technologies OpenPGP and S/MIME that leak the plaintext of encrypted emails. Email is a plaintext communication medium whose communication paths are partly protected by TLS. For people in hostile environments, journalists, political...
DHCP Client Script Code Execution Vulnerability (CVE-2018-1111)
Red Hat has been made aware of a command injection flaw found in a script included in the DHCP client dhclient packages in Red Hat Enterprise Linux 6 and 7. A malicious DHCP server, or an attacker on the local network able to spoof DHCP responses, could use this flaw to execute arbitrary commands...
SiteOmat Station Automation Software Multiple Vulnerabilities
A few months ago, while undertaking unrelated research into online connected devices, we uncovered something surprising and realized almost immediately that we could be looking at a critical security threat. What we found was a simple purple web interface that was in fact a link to a real-life ga...
RCE with spring-security-oauth2 analysis (CVE-2018-1260)
Vulnerability advisory Environment setup Use the existing demo on GitHub: git clone https://github.com/wanghongfei/spring-security-oauth2-example.git Make sure the imported spring-security-oauth2 is an affected version; here 2.0.10 is used as the example. Enter spring-security-oauth2-example and modify line 67 of cn/com/sina/alan/oauth/config/OAuthSecurityConfig.java: @Override public void...
Home security camera isn’t secure. SpotCam in the spotlight
Home security cameras whether indoor or outdoor are becoming very accessible and popular, especially those with cloud backup/recording facilities. The idea is simple. The camera sends a video feed up to the provider’s cloud storage. You can then review your footage should an incident occur. What...
DJI Spark hijacking
It is no pleasant experience for anyone to have valuable property, bought with money earned by blood, sweat and tears, stolen by some unknown cybercriminal. The Internet of Things (IoT) is developing at a rapid pace, and the devices that can be controlled remotely...
SCADAS "BAS920 & ISC2000" Credentials Exposed (CVE-2017-17974)
Exploit: SCADAS "BAS920 & ISC2000" Credentials Exposed, BA System "Improper Access Control / Authorization". Exploit Title: SCADAS "BAS920 & ISC2000" Credentials Exposed. CVE: CVE-2017-17974. Date: 29/12/2017. Exploit Author: Fernandez Ezequiel @capitanalfa && Bertin Jose @bertinjoseb. Vendor: BA...
KONGTOP DVR backdoor analysis (CVE-2018-10734)
Preface There is a Telnet backdoor in the KONGTOP DVR that can lead to the surveillance device being taken over and even the internal network being compromised. Below we analyze this backdoor; there is nothing technically sophisticated about it. Vulnerability analysis The backdoor lives in the Telnetd file. Telnetd is responsible for starting telnet and providing the service. Here we can see that after the Telnet service is started, it listens for user connections; if a logged-in user is idle for a long time, the login times out. Then follows a series of service preparation handler functions. Once we enable the Telnetd service, i.e. telnet is switched on, the program checks whether it is running on the terminal device; if so it proceeds, otherwise it exits and prints UNKNOW. After passing the local environment check, the program starts extracting the user's login data and saving it in memory...
Seagate Personal Cloud Multiple Vulnerabilities (CVE-2018-5347)
Vulnerabilities summary The following advisory describes two (2) unauthenticated command injection vulnerabilities. Seagate Personal Cloud Home Media Storage is "the easiest way to store, organize, stream and share all your music, movies, photos, and important documents." Credit An independent...
Tracking tens of thousands of kids worldwide
tl;dr Gator Watch - a GPS watch for kids - is leaking data in all ends and anyone on the Internet can live track your kid. We're not talking about a security vulnerability, we're talking about non-existing security. Summary Who: Gator Watch Severity level: Critical Reported: August 2017 Reception...
Hacking LIFX Smart LED Light bulbs to steal WiFi Passwords
The security firm Context Information Security has discovered a security vulnerability in LIFX smart LED light bulbs that can be remotely controlled by mobile devices. Researchers at Context Information Security have discovered a security flaw in a WiFi-enabled, smart LED light LIFX bulb that can be remotely...
Denial of Service in iSmartAlarm (CVE-2017-7728)
Vendor: iSmartAlarm, inc. Product: iSmartAlarm cube - All. iSmartAlarm is one of the leading IoT manufacturers in the domain of smart alarm systems. It provides a fully integrated alarm system with siren, smart cameras and locks. It functions like any alarm system, but with the benefits of a...
Authentication bypass vulnerability in Western Digital My Cloud
Abstract It was discovered that Western Digital My Cloud is affected by an authentication bypass vulnerability. By exploiting this vulnerability, an unauthenticated attacker can bypass the login functionality and gain full control of the device. Tested versions This vulnerability was successfully...
Multiple remote vulnerabilities (RCE, bof) in Nuuo NVR and NETGEAR Surveillance
Multiple vulnerabilities in NUUO NVRmini2 / NVRsolo / Crystal devices and NETGEAR ReadyNAS Surveillance application Discovered by Pedro Ribeiro [email protected], Agile Information Security http://www.agileinfosec.co.uk/ Disclosure: 04/08/2016 / Last updated: 05/08/2016 Background on the affected...
Authentication Bypass allows alarm's commands execution in iSmartAlarm (CVE-2017-7728)
Vendor: iSmartAlarm, inc. Product: iSmartAlarm cube - All. iSmartAlarm is one of the leading IoT manufacturers in the domain of smart alarm systems. It provides a fully integrated alarm system with siren, smart cameras and locks. It functions like any alarm system, but with the benefits of a...
Pwning CCTV cameras
CCTV is ubiquitous in the UK. A recent study estimates there are about 1.85m cameras across the UK – most in private premises. Most of those cameras will be connected to some kind of recording device, which these days means a Digital Video Recorder or DVR. DVRs take video feeds from multiple...
Western Digital My Cloud vulnerable to multiple command injection vulnerabilities
Abstract It was discovered that the Western Digital My Cloud is affected by multiple command injection vulnerabilities. Some of these issues don't require authentication and allow an attacker to gain complete control (root access) of the affected device. Some do require authentication; in this case...
BACKDOOR IN SONY IPELA ENGINE IP CAMERAS
SEC Consult has found a backdoor in Sony IPELA Engine IP Cameras, mainly used professionally by enterprises and authorities. This backdoor allows an attacker to run arbitrary code on the affected IP cameras. An attacker can use cameras to take a foothold in a network and launch further attacks,...
NagiosXI <= 5.4.12 menuaccess.php SQL injection (CVE-2018-10738)
NagiosXI <= 5.4.12 menuaccess.php SQL injection (CVE-2018-10738) Description A SQL injection issue was discovered in Nagios XI via the admin/menuaccess.php chbKey1 parameter. Affected Version Nagios XI 5.2.x, Nagios XI 5.4.x before 5.4.13 Proof of concept http://xxxx/nagiosql/admin/menuaccess.php...
NagiosXI <= 5.4.12 logbook.php SQL injection (CVE-2018-10737)
NagiosXI <= 5.4.12 logbook.php SQL injection (CVE-2018-10737) Description A SQL injection issue was discovered in Nagios XI via the admin/logbook.php txtSearch parameter. Affected Version Nagios XI 5.2.x, Nagios XI 5.4.x before 5.4.13 Proof of concept http://xxxx/nagiosql/admin/logbook.php postdata:...
NagiosXI <= 5.4.12 info.php SQL injection (CVE-2018-10736)
NagiosXI <= 5.4.12 info.php SQL injection (CVE-2018-10736) Description A SQL injection issue was discovered in Nagios XI via the admin/info.php key1 parameter. Affected Version Nagios XI 5.2.x, Nagios XI 5.4.x before 5.4.13 Proof of concept...
NagiosXI <= 5.4.12 commandline.php SQL injection (CVE-2018-10735)
NagiosXI <= 5.4.12 commandline.php SQL injection (CVE-2018-10735) Description A SQL injection issue was discovered in Nagios XI via the admin/commandline.php cname parameter. Affected Version Nagios XI 5.2.x, Nagios XI 5.4.x before 5.4.13 Proof of concept http...
Exim < 4.90.1 - base64d Remote Code Execution (CVE-2018-6789)
An issue was discovered in the base64d function in the SMTP listener in Exim before 4.90.1. By sending a handcrafted message, a buffer overflow may happen. This can be used to execute code remotely. #!/usr/bin/python import time import socket import struct s = None f = None def logo(): print print "...
YXcms backend SQL injection vulnerability
...
BrilliantTS FUZE card (MCU firmware 0.1.73, BLE firmware 0.7.4)Vulnerability
Description of FUZE Card FUZE is an IoT device the size, shape, and thickness of a normal credit card. You program credit cards into it via Bluetooth BLE using a smart phone app. When you go to pay, you use the buttons and e-Paper display to select which card to emulate. The magnetic stripe...
TPLINK TLWR740N router remote code execution vulnerability (CVE-2017-13772)
INTRODUCTION In October of 2017 we disclosed multiple vulnerabilities in TP-Link's WR940n router that occurred due to multiple code paths calling strcpy on user-controllable, unsanitised input (CVE-2017-13772). The httpd binary responsible for these vulnerabilities contained patterns of code that...
Vlcms XSS vulnerability
...
Backdoor in Tpshop <= 2.0.8 (CVE-2018-9919)
Backdoor in Tpshop <= 2.0.8 (CVE-2018-9919) The Tpshop open source mall system is a multi-merchant mode mall system developed by Shenzhen Leopard Network Co., Ltd. This system is based on the Thinkphp development framework. Product Download: http://www.tp-shop.cn/Index/Index/download.html Vulnerabili...
GitList 0.6 Remote Code Execution
import requests from BaseHTTPServer import BaseHTTPRequestHandler, HTTPServer import urlparse import urllib import threading import time import os import re url = 'http://192.168.1.1/gitlist/' command = 'id' yourip = '192.168.1.100' yourport = 8001 print "GitList 0.6 Unauthenticated RCE"...
Multiple Vulnerabilities in NagiosXI
We found four vulnerabilities in NagiosXI, and chained them together to create a root RCE exploit, available here. Vulnerability chaining can increase the risk posed by individual vulns; it takes a village to raise a root RCE, etc. etc. If you're running NagiosXI <= 5.4.12, update. If you perform...
Critical RCE Vulnerability Found in Over a Million GPON Home Routers
Overview: We conducted a comprehensive assessment on a number of GPON home routers. Many routers today use GPON internet, and we found a way to bypass all authentication on the devices (CVE-2018-10561). With this authentication bypass, we were also able to unveil another command injection...
TBK DVR Login Bypass (CVE-2018-9995)
In a previous article I presented a vuln that allowed me to obtain the credentials of a certain DVR model. As simple as: $ curl "http://:/device.rsp?opt=user&cmd=list" -H "Cookie: uid=admin" It turns out the finding does not correspond to a particular vendor as I originally assumed. I...
Hanbanggaoke IP Camera Arbitrary Password Change (CVE-2017-14335)
Vulnerability summary The following advisory describes an arbitrary password change vulnerability found in Hanbanggaoke webcams. Beijing Hanbang Technology, “one of the first enterprises entering into digital video surveillance industry, has been focusing on R&D of products and technology of...
Multiple Vulnerabilities in TP-Link TL-SG108E (CVE-2017-17745, CVE-2017-17746, CVE-2017-17747)
Overview Three vulnerabilities have been discovered in the TP-Link TL-SG108E, firmware 1.0.0 Build 20160722 Rel.50167: CVE-2017-17745 - Cross Site Scripting (XSS) in systemnameset.cgi, sysName parameter; CVE-2017-17746 - Weak access control for user authentication; CVE-2017-17747 - Weak access contro...
Multiple vulnerabilities in Loxone Smart Home
Vendor & product description: "Loxone Electronics was founded in 2009. Our focus is the development and production of control solutions for all homes. Our aim is to make home automation interesting, affordable and accessible for everyone." URL: http://www.loxone.com/enus/company/about-us.html...
SQLi, XSS zero-days expose Belkin IoT devices, Android smartphones
LONDON, UK – Research director Scott Tenaglia and lead research engineer Joe Tanen detailed the vulnerabilities during their ‘Breaking BHAD: Abusing Belkin Home Automation devices’ talk at the Black Hat Europe conference in London last Friday. The zero-day flaws specifically relate to Belkin’s...
Multiple critical vulnerabilities in AGFEO smart home ES 5xx/6xx products
Vendor description: AGFEO GmbH & Co. KG is a vendor of telephone systems and other telecommunication products such as DECT phones, headsets and smart home products. Business recommendation: The available patches should be installed immediately. SEC Consult recommends not to use this product ...
WordPress Plugin File Upload 4.3.3 - Stored Cross-Site Scripting (PoC)
0x01 Vulnerability overview The WordPress plugin WordPress File Upload v4.3.3 and earlier versions contain a stored XSS vulnerability in the admin backend. An attacker can use this vulnerability to execute JS scripts and obtain the administrator's cookie. Vulnerability name: WordPress Plugin File Upload 4.3.3 - Stored Cross-Site Scripting PoC Vulnerability source: https://www.exploit-db.com/exploits/44444/ CVE: CVE-2018-9844 Affected component: WordPress Plugin File Upload...
phpyun reinstall getshell
...
Heatmiser WiFi thermostat vulnerabilities
Update – if your heating is misbehaving you need to disable port forwarding to port 80 and port 8068. This should be simply following the reverse of whatever you did to set port forwarding up. Alternatively, you could disable WiFi entirely by putting invalid SSID and password in – I believe the...
AXIS Communications - Cross-Site Scripting / Content Injection (CVE-2015-8258)
Technical Details The variable "imagePath=", which is prone to XSS in a large range of products, can also be used for resource injection. If a URL is inserted in this variable, a GET request is made to that URL, so this is an interesting point for requesting malicious code from the attacker...