Congstar Internet-Manager SEH Buffer Overflow is a vulnerability in the Congstar Prepaid Internet-Stick (MF100) software, version 14.0.0.162. It was discovered on 8.01.2015 by metacom. The vulnerability is caused by a boundary error when handling a specially crafted UpdateCfg.ini file, which can be exploited to cause a stack-based buffer overflow. Successful exploitation of this vulnerability may allow execution of arbitrary code.
Ansible Tower provides the feature to create multiple organizations inside one Tower instance. Due to missing validation of the 'is_superuser' parameter during user creation, organization admins can create superadmin accounts and therefore gain access to all organizations. Ansible Tower is also vulnerable to reflected XSS. The vulnerable parameter is 'name', which is part of the URL when creating a new organization. Ansible Tower is also vulnerable to missing authentication. The vulnerable endpoint is '/api/v1/users/'.
This exploit is written for Mac OS X Yosemite (10.10.1) by @joystick and @rpaleari. It exploits IOBluetoothHCIUserClient::DispatchHCIWriteStoredLinkKey() by creating requests and filling them with data. It then calls IOConnectCallMethod() to send the requests to the user client connection.
This exploit is written for Mac OS X Yosemite (10.10) by @rpaleari and @joystick. It exploits a missing check in IOBluetoothHCIController::TransferACLPacketToHW() to trigger a panic. The exploit uses IOConnectCallMethod to call DispatchHCISendRawACLData().
This exploit triggers a panic by overwriting a stack canary. It does this by calling IOBluetoothHCIUserClient::DispatchHCIReadLocalName() with an argument that overflows a local buffer and the adjacent stack canary.
This exploit is written for Mac OS X Yosemite (10.10) by @rpaleari and @joystick. It exploits a missing check in IOBluetoothHCIUserClient::DispatchHCICreateConnection() causing a panic. It uses IOConnectCallMethod() to call the vulnerable function and causes an out-of-bounds write.
Gecko CMS suffers from multiple vulnerabilities including Cross-Site Request Forgery, Stored and Reflected Cross-Site Scripting and SQL Injection.
This exploit enables some features of the modem, forcing the administrator of the device to access the configuration page to reconfigure the modem again, which results in script execution in the browsers of internal network users.
Red Star OS 3.0 is vulnerable to a privilege escalation vulnerability due to the Software Manager (swmng.app) running as root through sudo and allowing the installation of any RPM package, even if unsigned. An attacker can get root access by downloading a malicious RPM package, double-clicking it to open it with the Software Manager, and clicking through the blue buttons until it’s done. After that, running rootsh will give the attacker a root shell. SELinux can be disabled by running setenforce 0 as root.
Red Star 2.0 desktop ships with a world-writable /etc/rc.d/rc.sysinit, which can be abused to execute commands on boot. An example exploitation of this vulnerability is shown in the link provided, which adds a new user 'r00t' to the /etc/passwd file and then switches to the root user.