
Explore Vulnerabilities


Explore all Exploits:

DRAM Rowhammer Exploit to Gain Kernel Privileges

This is a proof-of-concept exploit that is able to gain kernel privileges on machines that are susceptible to the DRAM 'rowhammer' problem. It runs as an unprivileged userland process on x86-64 Linux. It works by inducing bit flips in page table entries (PTEs). For development purposes, the exploit program has a test mode in which it induces a bit flip by writing to /dev/mem.

Sagem F@st 3304-V2 Telnet Crash POC

A memory corruption vulnerability was found in the Sagem F@st 3304-V2 Telnet service. An attacker can crash the router by sending a very long string. This exploit connects to the Sagem F@st 3304-V2 Telnet service (default port 23) and sends a very long string, "X"*500000. After the payload is sent, the Telnet service crashes and the router reboots automatically.

Elastix v2.x Blind SQL Injection Vulnerability

The GET parameter transactionID was used directly in the SQL query without any sanitization, which leads directly to a SQL injection vulnerability. Proof of Concept: http://[host]/a2billing/customer/iridium_threed.php?transactionID=-1 and 1=benchmark(2000000,md5(1)) The backend response is delayed for a few seconds, which means the benchmark() function was executed successfully.

ProjectSend r561 – SQL injection vulnerability

ProjectSend r561 is vulnerable to SQL injection. An attacker can exploit this vulnerability to gain access to the database and execute arbitrary SQL commands. The vulnerable code is located in the client-edit.php file, where the user-supplied input is not properly sanitized before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

cve-2014-3631_poc.c

The assoc_array_gc function in the associative-array implementation in lib/assoc_array.c in the Linux kernel before 3.16.3 does not properly implement garbage collection, which allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via multiple "keyctl newring" operations followed by a "keyctl timeout" operation.

cve-2014-4943_poc.c

The PPPoL2TP feature in net/l2tp/l2tp_ppp.c in the Linux kernel through 3.15.6 allows local users to gain privileges by leveraging data-structure differences between an l2tp socket and an inet socket. This is a PoC to reproduce the vulnerability. There is no exploitation here, just a simple kernel panic.

cve-2014-9322_poc.c

arch/x86/kernel/entry_64.S in the Linux kernel before 3.17.5 does not properly handle faults associated with the Stack Segment (SS) segment register, which allows local users to gain privileges by triggering an IRET instruction that leads to access to a GS Base address from the wrong space.

BEdita CMS – XSS & CSRF Vulnerability in Version 3.5.0

When an authenticated user of BEdita CMS is creating a newsletter mail group, the following POST request is sent to the server. The “name” parameter is vulnerable to XSS. An attacker can inject malicious JavaScript code in the “name” parameter and execute it in the context of the victim’s browser. When an authenticated user of BEdita CMS is creating a new user, the following POST request is sent to the server. The “name”, “password”, “password_confirm”, “email” and “status” parameters are vulnerable to CSRF. An attacker can craft a malicious link or a malicious form and send it to the victim. If the victim clicks on the link or submits the form, a new user will be created in BEdita CMS.

Seagate Business NAS Unauthenticated Remote Command Execution

Some Seagate Business NAS devices are vulnerable to command execution via a local file include vulnerability hidden in the language parameter of the CodeIgniter session cookie. The vulnerability manifests in the way the language files are included in the code on the login page, and hence is open to attack from users without the need for authentication. The cookie can be easily decrypted using a known static encryption key and re-encrypted once the PHP object string has been modified. This module has been tested on the STBN300 device.

SQL Injection Vulnerabilities in Solarwinds Products

I found a couple of SQL injection vulnerabilities in the core Orion service used in most of the Solarwinds products (SAM, IPAM, NPM, NCM, etc…). This service provides a consistent configuration and authentication layer across the products. To be exact, the vulnerable applications and versions are: Network Performance Monitor -- < 11.5, NetFlow Traffic Analyzer -- < 4.1, Network Configuration Manager -- < 7.3.2, IP Address Manager -- < 4.3, User Device Tracker -- < 3.2, VoIP & Network Quality Manager -- < 4.2, Server & Application Monitor -- < 6.2, Web Performance Monitor -- < 2.2. At first glance, the injections are only available to admins, as the requests used are on the Manage Accounts page. However, it seems there is no real ACL check on the GetAccounts and GetAccountGroups endpoints of the AccountManagement.asmx service, which means that even authenticating as Guest allows for exploitation. By default, the Guest account has no password and is enabled. On both the GetAccounts and GetAccountGroups endpoints, the 'sort' and 'dir' parameters are susceptible to boolean-based, time-based and stacked injections. By capturing the AJAX requests made by an admin user to these endpoints, authenticating as Guest and replacing the admin cookie with the Guest cookie, you can still make a successful request, and thus have a successful exploitation vector for any authenticated user. Being a stacked injection, this becomes a privilege escalation at the very least, as an attacker is able to insert their own admin user. A pull request for a Metasploit module which should achieve this on any product using the Orion service as the core authentication management system, using the GetAccounts endpoint, has been made.
