Multiple vulnerabilities exist within this piece of software. The largest one is likely the fact that the ‘auth’ string used for authorization isn’t random at all. After authentication, any requests made by the browser send no cookies and only check this ‘auth’ param, which is completely insufficient. Because of this, unauthenticated users can know what the ‘auth’ parameter should be and make requests as the ‘root’ user.

Unauthenticated root RCE

Because the ‘auth’ variable is not random, an unauthenticated user can post a specially crafted request to the /recoveryconsole/bpl/snmpd.php PHP script. This script does not sanitize the SNMP community string properly, which allows the user to execute remote commands as the root user. A Metasploit module that exploits this has been given alongside this report. Below is the actual request. To recreate, after authentication, click on Settings -> Clients, Networking, and Notifications -> SNMP and modify the ‘notpublic’ entry to contain bash metacharacters.
Adobe Reader for Android exposes several insecure JavaScript interfaces. This issue can be exploited by opening a malicious PDF in Adobe Reader. Exploiting this issue allows for the execution of arbitrary Java code, which can result in a compromise of the documents stored in Reader and files stored on the SD card.
While testing the Netgear firmware, Santhosh Kumar discovered a password disclosure vulnerability and a file upload vulnerability which could compromise the entire router. The password disclosure vulnerability can be exploited by sending a request to server/unauth.cgi?id=393087602 or server:8080/passwordrecovered.cgi?id=1738955828, which will return the admin username and password. The file upload vulnerability can be exploited by sending a request to server/unauth.cgi?id=393087602 with the Content-Type set to application/x-www-form-urlencoded.
This module exploits a command injection vulnerability found in the eScan Web Management Console. The vulnerability exists while processing CheckPass login requests. An attacker with a valid username can use a malformed password to execute arbitrary commands. With mwconf privileges, the runasroot utility can be abused to get root privileges. This module has been tested successfully on eScan 5.5-2 on Ubuntu 12.04.
If a logged-in administrator visits a specially crafted page, options can be updated (CSRF) without their consent, and some of those options are output unescaped into the form (XSS). In this example the XSS occurs at line 755 in twitget.php. The nonce-checking should have occurred somewhere around line 661 in the same file.
This plugin is vulnerable to a combination CSRF/XSS attack meaning that if an admin user can be persuaded to visit a URL of the attacker’s choosing (via spear phishing for instance), the attacker can insert arbitrary JavaScript into an admin page. Once that occurs the admin’s browser can be made to do almost anything the admin user could typically do such as create/delete posts, create new admin users, or even exploit vulnerabilities in other plugins.
A local file include web vulnerability has been discovered in the official PDF Album v1.7 iOS mobile web application. The local file include web vulnerability allows remote attackers to include local files or paths, or system-specific path commands, via unauthorized requests, compromising the mobile web application.
A custom message containing non-printable characters will crash any WhatsApp client < v2.11.7 for iOS. The exploit uses the Yowsup library, which provides the options of registration, reading/sending messages, and even engaging in an interactive conversation over the WhatsApp protocol.
The vulnerability exists due to insufficient sanitization of user-supplied input in the 'imgurl' parameter of the 'download.php' script. A remote attacker can send a specially crafted request to the vulnerable script and execute arbitrary PHP code on the target system. Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
MS14-012 is a use-after-free vulnerability in Internet Explorer's handling of CMarkup objects. It can be exploited by tricking a user into visiting a specially crafted web page, and successful exploitation allows an attacker to execute arbitrary code in the context of the current user.