Western Digital My Cloud Pro Series PR2100 Authenticated RCE
Vulnerability Summary A vulnerability in the Western Digital My Cloud Pro Series PR2100 allows authenticated users to execute arbitrary commands. Credit An independent security researcher has reported this vulnerability to Beyond Security's SecuriTeam Secure Disclosure program. Vendor...
Windows Kernel 64-bit pool memory disclosure in win32k!UMPDOBJ::LockSurface(CVE-2018-0813)
We have discovered that the win32k!UMPDOBJ::LockSurface function discloses portions of uninitialized pool memory to user-mode clients. The bug was encountered on Windows 7 64-bit; other versions were not tested. The leak was detected in the context of the splwow64.exe process, under the following...
Windows Kernel 64-bit pool memory disclosure via REG_RESOURCE_LIST registry values (CmResourceTypeDevicePrivate entries)(CVE-2018-0898)
We have discovered a Windows kernel memory disclosure vulnerability through the body of "AllocConfig" registry values of type REG_RESOURCE_LIST, which can be found under HKLM\SYSTEM\CurrentControlSet\Enum\\Control\AllocConfig. The vulnerability affects 64-bit versions of Windows 7 to 10. The leak...
Windows Kernel 64-bit pool memory disclosure via REG_RESOURCE_REQUIREMENTS_LIST registry values(CVE-2018-0900)
We have discovered a Windows kernel memory disclosure vulnerability through the contents of "FilteredConfigVector" registry values of type REG_RESOURCE_REQUIREMENTS_LIST, which can be found under HKLM\SYSTEM\CurrentControlSet\Enum\ACPI\\Control\FilteredConfigVector. The vulnerability affects 64-bit...
ModSecurity WAF 3.0 for Nginx - Denial of Service
Use-After-Free (UAF) During one of the engagements my team tested a WAF running in production: Nginx + ModSecurity + OWASP Core Rule Set 123. In the system logs I found information about the Nginx worker processes being terminated due to memory corruption errors. Through fuzzing and stress testing...
Windows Kernel 64-bit pool memory disclosure via REG_RESOURCE_LIST registry values (videoprt.sys descriptors)(CVE-2018-0899)
We have discovered a Windows kernel memory disclosure vulnerability through the body of "AllocConfig" registry values of type REG_RESOURCE_LIST corresponding to devices handled by videoprt.sys, which can be found under HKLM\SYSTEM\CurrentControlSet\Enum\\Control\AllocConfig. The vulnerability...
Windows Kernel 64-bit pool memory disclosure in NtQueryVirtualMemory(MemoryMappedFilenameInformation)(CVE-2018-0894)
We have discovered that the nt!NtQueryVirtualMemory system call, invoked with the information class MemoryMappedFilenameInformation (2), discloses portions of uninitialized kernel pool memory to user-mode clients. The vulnerability affects 64-bit versions of Windows 7 to 10. The output buffer for thi...
Windows Kernel 64-bit stack memory disclosure in msrpc!LRPC_CASSOCIATION::AlpcSendCancelMessage(CVE-2018-0896)
We have discovered that the msrpc!LRPC_CASSOCIATION::AlpcSendCancelMessage function sends an ALPC message with portions of uninitialized memory from the local stack frame on Windows 7 64-bit; other versions were not tested. The message is 0x18 bytes long, 8 of which are uninitialized. The layout of...
YXcms arbitrary file deletion vulnerability
...
phpyun second-order SQL injection
...
乐尚商城系统 (Leshang mall system) v1.5 front-end getshell
...
UNAUTHENTICATED START OF TELNETD ON TENDA AC15 ROUTER
INTRODUCTION We previously showed how the Tenda AC15 router was vulnerable to an unauthenticated remote code execution vulnerability via a stack based buffer overflow. Writing exploits like that can be incredibly interesting, but sometimes, all you need is a GET request to get root. In this post ...
GxlcmsQY enterprise site-building system: front-end SQL injection
...
MikroTik RouterOS SMB Buffer Overflow(CVE-2018-7445)
Advisory Information Title: MikroTik RouterOS SMB Buffer Overflow Advisory ID: CORE-2018-0003 Advisory URL: http://www.coresecurity.com/advisories/mikrotik-routeros-smb-buffer-overflow Date published: 2018-03-15 Date of last update: 2018-03-15 Vendors contacted: MikroTik Release mode:...
Ubuntu local privilege escalation vulnerability (CVE-2017-16995)
Since commit f1174f77b50c "bpf/verifier: rework value tracking", the eBPF range tracking is security-relevant for the verification of eBPF code provided by unprivileged users. Therefore, any tiny slip-up in the arithmetic range tracking now turns into an arbitrary read+write in the full kernel...
Chromium: Incorrect size calculation when deserializing Mojo "Event" messages leading to OOB access
VULNERABILITY DETAILS Mojo IPC allows endpoints to communicate with one another, potentially across process boundaries. Each endpoint initially receives a handle to the broker host node, using which it can request subsequent "child" channels to be created...
Chrome: V8: Empty BytecodeJumpTable may lead to OOB read
In the current implementation, the bytecode generator also emits empty jump tables. https://cs.chromium.org/chromium/src/v8/src/interpreter/bytecode-array-writer.cc?rcl=111e990462823c9faeee06b67c0dcf05749d4da8&l=89 So the bytecode for the example code would be generated as follows: Code: function...
Chrome: V8: JIT: JSBuiltinReducer::ReduceObjectCreate fails to ensure that the prototype is "null"
I think this commit has introduced the bug. https://chromium.googlesource.com/v8/v8/+/ff7063c7d5d8ad8eafcce3da59e65d7fe2b4f915%5E%21/F2 According to the description, Object.create is supposed to be inlined only when the prototype given as the parameter is "null". The following check has to...
Chrome: V8: JIT: Simplified-lowerer IrOpcode::kStoreField, IrOpcode::kStoreElement optimization bug
I think this commit has introduced the bugs: https://chromium.googlesource.com/v8/v8/+/c22ca7f73ba92f22d0cd29b06bb2944a545a8d3e%5E%21/F0 Here's a snippet. case IrOpcode::kStoreField: FieldAccess access = FieldAccessOf(node->op()); Node* value_node = node->InputAt(1); NodeInfo* input_info = GetInfo(value_node);...
Chrome: V8: JIT: Type confusion in GetSpecializationContext
PoC: function optarg = = arg let tmp = opt.x; // LdaNamedProperty for ;; arg; yield; function inner tmp; break; for let i = 0; i arg; this; , opt let tmp = arg.x; for ;; arg; yield; tmp = inner tmp; ; for let i = 0; i arg; this; , opt let tmp = arg.x; for ;; arg; yield; tmp = inner tmp; ; for let...
Chromium: Calling "mojo::WrapSharedMemoryHandle" is insufficient to produce read-only descriptors for IPC(CVE-2018-6063)
VULNERABILITY DETAILS The "mojo::WrapSharedMemoryHandle" function is used to produce a "base::SharedBufferHandle" wrapping a given "base::SharedMemoryHandle". The created buffer handle can be sent over Mojo IPC to remote endpoints, including across process boundaries. In some cases, shared memory...
Chromium: Read-only SharedMemory descriptors on Android are writable(CVE-2018-6057)
VULNERABILITY DETAILS The base::SharedMemory class represents a shared memory resource that processes can map into their virtual address space. As shared memory mechanisms differ across operating systems, specialised implementations exist for each OS. In Android's case, the implementation is...
AppWeb Authentication Bypass (Digest, Basic and Forms)(CVE-2018-8715)
Vulnerability Summary A critical vulnerability exists in the EmbedThis HTTP library and in Appweb versions 5.5.x, 6.x, and 7.x, including the latest version present in the git repository. In detail, due to a logic flaw, with a forged HTTP request it is possible to bypass the authentication for form and...
Chromium: Information disclosure via "memory_instrumentation::mojom::Coordinator" interface in "resource_coordinator" service(CVE-2018-6080)
VULNERABILITY DETAILS The "memory_instrumentation::mojom::Coordinator" mojo interface is exposed by the "resource_coordinator" service, running under the browser process. The interface requires the "app" capability https://cs.chromium.org/chromium/src/services/resource_coordinator/manifest.json?l=8,...
123phpshop front-end SQL injection
...
MikroTik RouterOS < 6.38.4 (x86) - 'Chimay Red' Stack Clash Remote Code Execution
#!/usr/bin/env python2 # Mikrotik Chimay Red Stack Clash Exploit by wsxarcher (based on BigNerd95 POC) # tested on RouterOS 6.38.4 x86 # ASLR enabled on libs only # DEP enabled import socket, time, sys, struct from pwn import * import ropgadget ASTSTACKSIZE = 0x800000 # default stack size per thread (8 MB)...
semcms foreign-trade website management system, PHP version 2.4: incomplete fix for the web_email.php vulnerability leaves a SQL injection
...
QCMS latest version 3.0.1: back-end login check can be bypassed; combined with arbitrary file upload this gives front-end getshell
...
BEESCMS V4.0_R_20160525 global variable overwrite leads to front-end getshell
...
phpshe 1.6 (latest version) has an SQL injection in an update statement
...
FineCMS v5.2.0 SQL injection
At line 45 of /finecms/dayrui/controllers/Api.php: template->cron = 0; $_GET['page'] = max(1, (int)$this->input->get('page')); $params = dr_string2array(urldecode($this->input->get('params'))); $params['get'] = @json_decode(urldecode($this->input->get('get')), TRUE); $this->template->assign($params); $name = str_replace(array('\\', '/', '..',...
WhatSNS <=3.6 front-end arbitrary file upload getshell
...
duomicms front-end global variable overwrite leads to getshell
...
Selenium Server unauthorized access vulnerability
1. Introduction Have you ever come across ports in your day-to-day work that look like the following when opened in a browser? In the screenshot above I picked a few examples running on different ports. 2. Selenium, the open-source automated testing tool So what exactly is the protagonist of this post, Selenium? Readers with QA or security test-automation experience will know it; the following text is from Baidu Baike: Selenium [1] is a tool for testing web applications. Selenium tests run directly in the browser, just as a real user would operate it. Supported browsers include IE (7, 8, 9, 10, 11), Mozilla Firefox, Safari, Google Chrome, Opera and others. It supports automatic action recording and automatic generation...
phpMyWind V5.4 stored XSS in user comments
...
Tenda AC15 Router - Unauthenticated Remote Code Execution(CVE-2018-5767)
INTRODUCTION In this post we will be presenting a pre-authenticated remote code execution vulnerability present in Tenda’s AC15 router. We start by analysing the vulnerability, before moving on to our regular pattern of exploit development – identifying problems and then fixing those in turn to...
Spring Data REST remote code execution (CVE-2017-8046)
Vulnerability description Spring Data REST has a high-severity RCE vulnerability when handling PATCH requests: hand-crafted JSON data can be used to build a malicious PATCH request and submit it to the spring-data-rest server, causing the server to run malicious Java code. The goal of the Spring Data REST project is to provide a flexible, configurable mechanism for writing simple services exposed over HTTP. Git address: https://github.com/spring-projects/spring-data-rest Vulnerability source: https://pivotal.io/security/cve-2017-8046 Affected versions: Spring...
AVTECH {DVR/NVR/IPC} Authenticated RCE
#!/usr/bin/env python2.7 SOF Subject: AVTECH DVR/NVR/IPC Authenticated RCE 2018 bashis Attack vector: Remote Authentication: Authenticated (credentials needed) Researcher: bashis March 2018 http://www.avtech.com.tw/ """ $./AVTECH-RCE.py --rhost 192.168.57.20 --rport 80 --lhost 192.168.57.1 --lport...
Microsoft Edge: Chakra: JIT: CallRegExSymbolFunction doesn't check the return type
The "CallRegExSymbolFunction" method is used to call symbol functions in regexp objects. But it doesn't check the return value's type. Since the user can define the symbol functions, it can break the JIT compiler's type assumptions. Tested Microsoft Edge 41.16299.15.0 with Experimental JavaScript...
Chrome: V8: Integer overflow with PropertyArray
Here's a snippet of the MigrateFastToFast function which is used to create a new PropertyArray object. int number_of_fields = new_map->NumberOfFields(); int inobject = new_map->GetInObjectProperties(); int unused = new_map->UnusedPropertyFields(); ... int total_size = number_of_fields + unused; int external =...
Chrome: V8: TranslatedState::MaterializeCapturedObjectAt caching bug
Here's a snippet of TranslatedState::MaterializeCapturedObjectAt. case JS_SET_KEY_VALUE_ITERATOR_TYPE: case JS_SET_VALUE_ITERATOR_TYPE: Handle object = Handle::cast(isolate_->factory()->NewJSObjectFromMap(map, NOT_TENURED)); Handle properties = materializer.FieldAt(value_index); Handle elements =...
phpok 4.8.338 arbitrary file upload vulnerability
phpok 4.8.338 arbitrary file upload vulnerability Vulnerability description phpok is an enterprise website system developed in PHP + MySQL by 深圳市锟铻科技有限公司. phpok 4.8.338 has an arbitrary file upload vulnerability; an attacker can exploit it to upload arbitrary files and gain control of the site. Vulnerability analysis At line 53 of www/framework/admin/rescate\control.php: public function savef() $id = $this->get('id','int'); if(!$id) if(!$this->popedom('add')) $this->json(P_Lang('您没有权限执行此操作')); else...
Apache Tomcat Security Bypass Vulnerability(CVE-2018-1305)
Vendor: The Apache Software Foundation Versions Affected: Apache Tomcat 9.0.0.M1 to 9.0.4 Apache Tomcat 8.5.0 to 8.5.27 Apache Tomcat 8.0.0.RC1 to 8.0.49 Apache Tomcat 7.0.0 to 7.0.84 Description: Security constraints defined by annotations of Servlets were only applied once a Servlet had been...
phpshe 1.6 back-end arbitrary file deletion leads to reinstall getshell
...
dedecms arbitrary image deletion vulnerability
...
Bypassing the noscript XSS protection in mavo
First, we can exploit the fact that noscript does not check functions that are followed by alphanumeric characters, combining the function with the value of the anchor attribute to evade detection. mavoscript, as an extension of JavaScript, does not support such operations, so we need to switch mavoscript into JavaScript mode. From the mavoscript syntax we know that when mavo encounters invalid mavoscript, it treats the invalid mavoscript as JavaScript. //X='javascript '//X+=':alert'+ y.rel + y.title test...
phpshe 1.6 back-end multiple SQL injections
...
appcms 2.0.101 arbitrary file write
...
IE11: Use-after-free in Js::RegexHelper::RegexReplace(CVE-2018-0866)
There is a use-after-free vulnerability in Internet Explorer that could potentially be used for memory disclosure. This was tested on IE11 running on Windows 7 64-bit with the latest patches applied. Note that the PoC was tested in a 64-bit tab process via the TabProcGrowth=0 registry flag and the pag...
Windows: Constrained Impersonation Capability EoP(CVE-2018-0821)
Windows: Constrained Impersonation Capability EoP Platform: Windows 10 1703/1709 (earlier versions not tested) Class: Elevation of Privilege Summary: It's possible to use the constrained impersonation capability added in Windows 10 to impersonate a lowbox SYSTEM token, leading to EoP. Description:...