Explore all Exploits:

mlsrvx.dll 1.8.9.1 ArGoSoft Mail Server Arbitrary Data Write & Remote Code Execution

The Add & SaveToFile methods in mlsrvx.dll in ArGoSoft Mail Server allow remote attackers to write arbitrary data and execute arbitrary code via crafted HTML pages.

Schneider Electric Pelco VideoXpert Privilege Escalations

The application is vulnerable to an elevation of privileges issue: an ordinary user can replace the service executable with a binary of their choice. The root cause is improper file permissions on several binary files, which grant the 'Users' group Full control (the 'F' flag). The service is installed by default to start on system boot with LocalSystem privileges, so an attacker who replaces the binary with their own code (a rootkit, for example) obtains SYSTEM privileges on the next reboot.

VideoXpert services also suffer from an unquoted service path issue affecting the 'VideoXpert Core' and 'VideoXpert Exports' services for Windows deployed as part of the VideoXpert Setup bundle. This could allow an authorized but non-privileged local user to execute arbitrary code with elevated privileges on the system. A successful attempt requires the local user to place their code in the system root path without being detected by the OS or other security applications, where it could be executed during application startup or reboot. If successful, the local user's code executes with the elevated privileges of the application.
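Both VideoXpert issues are easy to check for on any Windows service, so here is an added example (my code, not code from the advisory or from Schneider Electric) that implements the two checks in pure Python so they run offline: it parses icacls-style output for binaries whose ACL grants a low-privilege group write-class access, and it expands unquoted ImagePath values into the candidate executables Windows probes before reaching the real binary, together with the quoting fix. Every path, service name and icacls line below is a constructed sample, not output captured from a VideoXpert installation.

```python
"""
Added example: two local privilege-escalation checks modelled after the
VideoXpert advisory (weak binary ACLs and unquoted service paths).
All sample data is constructed; nothing here is captured from a real host.
"""
import re
from typing import List, Tuple

# Constructed sample in the format printed by `icacls <file>`: the first line
# carries the path and the first ACE, continuation lines carry further ACEs.
SAMPLE_ICACLS = r"""
C:\Program Files\Example\VideoXpert Core\CoreService.exe BUILTIN\Users:(F)
                                                        NT AUTHORITY\SYSTEM:(F)
                                                        BUILTIN\Administrators:(F)
C:\Program Files\Example\VideoXpert Exports\ExportService.exe BUILTIN\Users:(RX)
                                                             NT AUTHORITY\SYSTEM:(F)
"""

# Constructed sample of an unquoted and a correctly quoted service ImagePath.
SAMPLE_IMAGE_PATHS = {
    "VideoXpert Core (sample)": r"C:\Program Files\Example\VideoXpert Core\CoreService.exe -service",
    "Quoted (sample)": r'"C:\Program Files\Example\Other\Svc.exe" -service',
}

_FILE_LINE = re.compile(r"^(?P<path>[a-z]:\\.*?\.(?:exe|dll|sys))\s+(?P<ace>.+)$", re.IGNORECASE)
_ACE = re.compile(r"^(?P<principal>[^:]+):(?P<perms>(?:\([^)]*\))+)$")
_INHERIT_FLAGS = {"OI", "CI", "IO", "NP", "I"}
# icacls rights that let the holder replace or modify the file.
_WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "WA", "D", "DC"}
_LOW_PRIV = {r"BUILTIN\USERS", "EVERYONE", r"NT AUTHORITY\AUTHENTICATED USERS"}


def weak_service_binaries(icacls_output: str) -> List[Tuple[str, str, str]]:
    """Return (path, principal, rights) for every ACE that gives a
    low-privilege principal write-class access to a binary."""
    findings = []
    current = None
    for raw in icacls_output.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _FILE_LINE.match(line)
        if m:
            current = m.group("path")
            ace_text = m.group("ace")
        else:
            ace_text = line  # continuation line: ACE for the current file
        if current is None:
            continue
        a = _ACE.match(ace_text.strip())
        if not a:
            continue
        principal = a.group("principal").strip()
        tokens = []
        for group in re.findall(r"\(([^)]*)\)", a.group("perms")):
            tokens.extend(t.strip() for t in group.split(","))
        rights = sorted(set(tokens) - _INHERIT_FLAGS)
        if principal.upper() in _LOW_PRIV and set(rights) & _WRITE_RIGHTS:
            findings.append((current, principal, ",".join(rights)))
    return findings


def hijack_candidates(image_path: str) -> List[str]:
    """Executables Windows would try, in order, before the intended binary if
    image_path is unquoted and its directory portion contains spaces.
    An empty list means the path is not exploitable this way."""
    p = image_path.strip()
    if p.startswith('"'):
        return []
    tokens = p.split(" ")
    candidates = []
    for i in range(1, len(tokens)):
        prefix = " ".join(tokens[:i])
        if prefix.lower().endswith(".exe"):
            break  # reached the real binary; remaining tokens are arguments
        candidates.append(prefix + ".exe")
    return candidates


def quote_image_path(image_path: str) -> str:
    """The fix: wrap the executable portion of an unquoted ImagePath in
    double quotes, leaving any arguments untouched."""
    p = image_path.strip()
    if p.startswith('"'):
        return p
    m = re.match(r"(?P<exe>.+?\.exe)(?P<args>.*)$", p, re.IGNORECASE)
    if not m or " " not in m.group("exe"):
        return p
    return f'"{m.group("exe")}"{m.group("args")}'


if __name__ == "__main__":
    for path, who, rights in weak_service_binaries(SAMPLE_ICACLS):
        print(f"[weak ACL] {who} has {rights} on {path}")
    for name, image in SAMPLE_IMAGE_PATHS.items():
        for cand in hijack_candidates(image):
            print(f"[unquoted] {name}: planting {cand} would run as the service")
        if hijack_candidates(image):
            print(f"           fix: ImagePath = {quote_image_path(image)}")
```

On a real host, feed `weak_service_binaries` the output of `icacls` over each service binary, and `hijack_candidates` the PathName values from `Get-CimInstance Win32_Service`; a candidate is only exploitable if the user can also create the file at that location, which is the second condition the advisory names.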

Uninitialized Memory Disclosure in BCryptOpenAlgorithmProvider IOCTL

The IOCTL sent to the \Device\KsecDD device by the documented BCryptOpenAlgorithmProvider API returns uninitialized pool memory in the output buffer. By crafting specific input data for the IOCTL, an attacker can leak uninitialized kernel memory values to user mode.

Crash in Windows Uniscribe user-mode library

A crash occurs in the Windows Uniscribe user-mode library, specifically in the USP10!otlReverseChainingLookup::apply function, when attempting to display text using a corrupted TTF font file.

PHP 5.2.3 win32std extension safe_mode and disable_functions protections bypass

This exploit bypasses the safe_mode and disable_functions protections in PHP 5.2.3 when the win32std extension is loaded. It executes cmd.exe, either from the command-line interface or through Apache. The exploit has been tested on a fully patched Windows XP Professional SP2 system.

Windows UAC Protection Bypass (Via FodHelper Registry Key)

This module bypasses Windows 10 UAC by hijacking a special key in the registry under the current user hive and inserting a custom command that is invoked when the Windows fodhelper.exe application is launched. It spawns a second shell with the UAC flag turned off. The module modifies a registry key but cleans it up once the payload has been invoked. The payload architecture does not need to match the OS. If specifying EXE::Custom, your DLL should call ExitProcess() after starting your payload in a separate process.

OV3 Online Administration 3.0 Authenticated Code Execution

The application suffers from an authenticated arbitrary code execution vulnerability caused by improper verification of uploaded files in the 'image_editor.php' script through the 'userfile' POST parameter. This can be exploited to execute arbitrary PHP code by uploading a malicious PHP script, which is stored in the '/media/customers/' directory. There is an extension check on uploaded images: if the uploaded file does not have a .jpg or .png extension, the application stores it with a .safety extension, which still executes PHP code. The attacker only needs the sid parameter value, which is disclosed in the initial GET request during authentication and can be collected in a MitM attack.
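The failure mode here is a name-based check that keeps the rejected file anyway. The following is an added example of mine, not code from OV3 Online Administration, modelling that check next to a hardened replacement. OV3 itself is PHP; the example is in Python to match the other example on this page. The upload directory, the .jpg/.png allowlist and the '.safety' renaming come from the advisory text; the assumption that the original extension is replaced by '.safety' rather than appended, and the sample uploads, are mine.

```python
"""
Added example: a model of the OV3 extension-only upload check and a
content-based replacement. Sample uploads are constructed.
"""
import os
import secrets
from typing import Optional

UPLOAD_DIR = "/media/customers"      # directory named in the advisory
IMAGE_EXTS = {".jpg", ".png"}        # extensions the original check accepts
# Magic bytes of the two formats the feature actually wants.
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
JPEG_MAGIC = b"\xff\xd8\xff"


def vulnerable_store_name(filename: str) -> str:
    """Name-only check as described in the advisory: a file that is not
    .jpg/.png is still written to the web-accessible upload directory, just
    renamed to '.safety' (assumed: the original extension is replaced).
    Whether '.safety' files are then executed as PHP depends on the web
    server's handler mapping; the advisory states that it happens here.
    A double extension such as shell.php.jpg passes the check untouched."""
    base, ext = os.path.splitext(os.path.basename(filename))
    if ext.lower() in IMAGE_EXTS:
        return os.path.join(UPLOAD_DIR, base + ext)
    return os.path.join(UPLOAD_DIR, base + ".safety")


def hardened_store_name(data: bytes) -> Optional[str]:
    """Decide by content, not by name: sniff the magic bytes, derive the
    extension from the detected type, discard the client-supplied name
    entirely and generate a random one. Returns None to reject the upload."""
    if data.startswith(PNG_MAGIC):
        ext = ".png"
    elif data.startswith(JPEG_MAGIC):
        ext = ".jpg"
    else:
        return None
    return os.path.join(UPLOAD_DIR, secrets.token_hex(16) + ext)


# Constructed sample uploads.
PHP_SHELL = b"<?php system($_GET['c']); ?>"
TINY_PNG = PNG_MAGIC + b"\x00\x00\x00\rIHDR"

if __name__ == "__main__":
    print(vulnerable_store_name("shell.php"))          # kept as shell.safety
    print(vulnerable_store_name("shell.php.jpg"))      # double extension passes
    print(hardened_store_name(PHP_SHELL))              # None: rejected
    print(hardened_store_name(TINY_PNG))               # random .png name
```

Content sniffing alone does not stop a polyglot (a valid PNG with PHP appended), so the hardened version should be paired with storing uploads outside the web root, or in a directory where the server has script execution disabled; the sid disclosure is a separate issue that the upload fix does not address.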
