Adrenalin Player 2.2.5.3 is vulnerable to an SEH-based buffer overflow. An attacker can exploit this vulnerability by crafting a malicious .m3u file and sending it to the target user. When the target user opens the malicious file, the attacker can execute arbitrary code on the target system.
XnView is prone to a buffer-overflow vulnerability because the application fails to bounds-check user-supplied data before copying it into an insufficiently sized buffer. Attackers may exploit this issue only if XnView is configured as a handler for other applications, so that it can be passed malicious filenames as command-line data. An attacker can exploit this issue to execute arbitrary code in the context of the user running the affected application. Failed exploit attempts will result in a denial of service.
The application is vulnerable to a time-based SQL injection in the 'USERNAME' parameter of the POST request. Additionally, the application is vulnerable to a reflected XSS attack when a malicious payload is sent in the 'pag' parameter of the citasmedicas.php page.
The X86_X32 recvmmsg syscall does not properly sanitize the timeout pointer passed from userspace. Exploit primitive: pass a pointer to a kernel address as the timeout for recvmmsg; if the original byte at that address is known, it can be overwritten with known data. If the least significant byte is 0xff, waiting 255 seconds will turn it into 0x00. Restrictions: the first long at the passed address (tv_sec) has to be positive and the second long (tv_nsec) has to be smaller than 1000000000. Overview: target the release function pointer of the ptmx_fops structure, which is located in non-initialized (and thus writable) kernel memory. Zero out the three most significant bytes and thus turn it into a pointer to an address mappable in user space. The release pointer is used because it is followed by 16 0x00 bytes (so tv_nsec is valid). Open /dev/ptmx, close it and enjoy.
This exploit allows an attacker to upload a malicious PDF file to a vulnerable MediaWiki website with PDF Handler enabled. The attacker can then inject OS commands into the PDF file and execute them by accessing the PHP backdoor created by the exploit.
This PoC trigger is based on the manpage and is used to exploit the Linux 3.4+ recvmmsg x32 compat bug. It creates a socket, binds it to a port, and then uses the recvmmsg system call to receive messages. This can lead to a buffer overflow, which can be used to execute arbitrary code.
Authenticated users with permission to access only some packages in the web GUI (a.k.a. webConfigurator) are able to escalate their privileges to those of a privileged admin by exploiting a Local File Inclusion (LFI) vulnerability in the webConfigurator.
Support Center Plus 7916 and lower is prone to a directory traversal vulnerability. When creating a ticket and attaching a file, the attachment can be tampered with to point to a local file on the server side. By downloading the attachment from the ticket, the server file is retrieved with the same privileges as the Support Center Plus instance, which on Windows is SYSTEM. On Linux, Support Center Plus is usually installed as the root user.
A10 Networks (Soft)AX <=2.6.1-GR1-P5 & <=2.7.0 build 217 is prone to an unauthenticated directory traversal vulnerability. It is possible to download any file on the remote AX device with root privileges, without the need to authenticate to the website. According to the release notes, the bug was fixed earlier under A10 Tracking ID '82150'; however, the fix is not sufficient and can be bypassed. The new protection seems to only make sure that the requested path starts with the /a10data/tmp directory (https://<IP>/xml/downloads/?filename=/a10data/tmp/). By sending a GET request to 'https://<IP>/xml/downloads/?filename=/a10data/tmp/../..', thus keeping the /a10data/tmp prefix, we can bypass this check. So if we would like to download the file /etc/shadow, we send a GET request to 'https://<IP>/xml/downloads/?filename=/a10data/tmp/../../etc/passwd'. Or, if we would like to download a certificate key file: 'https://<IP>/xml/downloads/?filename=/a10data/tmp/../../a10data/key/domain.com'. WARNING: Downloading a file will delete it from the AX device!
SimplyShare is the ultimate tool to transfer your photos, videos and files easily to other iPhone/iPod Touch/iPad devices and computers wirelessly (without any iTunes sync). Download or upload photos/videos/files directly from a computer. Store, manage and view MS Office, iWork and PDF files, and more. Share files, photos or videos, download files from the Internet, manage files, etc.