Explore Vulnerabilities

Explore all Exploits:

Trustwave SpiderLabs Security Advisory TWSL2013-019: Multiple Vulnerabilities in MiCasaVerde VeraLite

The VeraLite has a path traversal vulnerability that allows disclosure of arbitrary files. An attacker can retrieve the contents of any file on the system, such as the /etc/passwd file, which contains the hashed root password as well as the tech support remote access password if remote access has been configured. The VeraLite distinguishes between Administrator and Guest users such that Guest users should not be able to make changes to the configuration of the system. However, several functions of the VeraLite console that are available to Guest-level users can be used to escalate privileges.

Trustwave SpiderLabs Security Advisory TWSL2013-021: Multiple Vulnerabilities in Karotz Smart Rabbit

During the setup process for a Karotz unit, if wifi is selected as the method used to connect to the Internet, a Python script named 'autorunwifi' is run as root to set up the wifi connectivity. This file, along with several others, is placed in the root of a USB flash drive or hard drive. Another file, named 'autorunwifi.sig', contains a signature of 'autorunwifi' signed with the private key for Violet, to prevent modifications to the 'autorunwifi' script. Since Python first attempts to load modules not built into Python from the same directory as the invoked script, it is possible to override the functionality of imported modules by placing a file with the same basename as the module being imported and an extension of '.py'. In this case, it is possible to write a Python script named 'simplejson.py' and place it in the same directory as the other setup files, which will cause the contents of simplejson.py to be executed at the beginning of the 'autorunwifi' script execution. This attack requires a USB flash drive to be plugged into the Karotz unit, and requires the Karotz to be turned off and on.

Trustwave SpiderLabs Security Advisory TWSL2013-023: Lack of Web and API Authentication Vulnerability in INSTEON Hub

The INSTEON Hub allows users to control their home automation devices from their home and across the Internet. Controlling the devices from the Internet requires that the user create a port forward from the Internet to the Hub on their home network, to allow direct access from the user's smartphone. The Hub displays a web page that is a legacy of the previous hardware version of INSTEON's home automation control systems. This page allows anonymous access to control any devices connected to the Hub if the user has not set a user name and password. Additionally, it reveals the name of the device and the city and time zone in which the device is located. Because INSTEON does not restrict how users name their device, it is possible for users to use their street address in the name. Having the name of the city makes it trivial to use mapping software to search for the house and street name of the controller and potentially identify the location of the device. The web interface does not require the user to set authentication or authorization to make requests to the Hub. This allows an anonymous threat agent to turn lights and devices on and off, change temperature settings on thermostats, or even open electronic door locks. A threat agent also has access to a buffer command, where they can see what lights or devices were turned on or off.

Multiple vulnerabilities on D-Link DIR-645 devices

By invoking the "post_login.xml" server-side script, attackers can specify a "hash" password value that is used to authenticate the user. This hash value is eventually processed by the "/usr/sbin/widget" local binary. However, the binary copies the user-controlled hash into a statically-allocated buffer, allowing attackers to overwrite adjacent memory locations. As a proof-of-concept, the following URL allows attackers to control the return value saved on the stack (the vulnerability is triggered when executing "/usr/sbin/widget"): curl http://<target ip>/post_login.xml?hash=AAA...AAABBBB. Another buffer overflow affects the "hedwig.cgi" CGI script. Unauthenticated remote attackers can invoke this CGI with an overly long cookie value that overflows a program buffer and overwrites the saved program counter.

Agnitum Outpost security suite privilege escalation – 0Day

Ahmad Moghimi discovered a privilege escalation vulnerability in Agnitum Outpost security suite. The vulnerability exists due to the lack of proper validation of user-supplied input when registering a DLL file. An attacker can exploit this vulnerability by registering a malicious DLL file with Regsvr32.exe and then running the exploit.exe file. This will allow the attacker to gain elevated privileges on the system.

vtiger CRM <= 5.4.0 (customerportal.php) Two Local File Inclusion Vulnerabilities

The vulnerabilities exist because these methods fail to properly validate input passed through the 'module' parameter, which is used in a call to the require_once() function (lines 1530 and 2779). This might be exploited to include arbitrary local files containing malicious PHP code. Successful exploitation of these vulnerabilities requires the application to be running on PHP < 5.3.4, because a null byte injection is required.

Bigace CMS CSRF – Adding an admin account

A CSRF vulnerability exists in Bigace CMS which allows an attacker to add an admin account by sending a malicious link to the victim. The malicious link contains a form with pre-filled values for the username, language, user groups, state, email, passwordnew and passwordcheck fields. When the victim visits the malicious link, the form is automatically submitted and an admin account is created.

FunGamez Remote File Upload Vulnerability

FunGamez has a remote file upload vulnerability. An attacker can exploit this vulnerability by sending a malicious file to the server via a specially crafted POST request. The malicious file will be uploaded to the server and can be accessed via the URL http://localhost/[FunGamez]/data/flash/shell.php.

Recent Exploits: