Explore all Exploits:

Remote Stack Format String in 'nsd' binary from multiple OEMs

A remote stack format string vulnerability exists in the 'nsd' binary shipped by multiple IP camera OEMs. An attacker can send a specially crafted HTTP request containing format string specifiers to the vulnerable server; because the request data reaches a printf-family function as its format argument, the specifiers are interpreted and can be used to leak memory contents from the stack. The researcher 'bashis' discovered the vulnerability in December 2017 and released a proof-of-concept (PoC) exploit on GitHub. The affected OEMs include Huatu, I-View, IP Camera Web Service, Stanley Security, 3D Eyes CCTV Platform, Protech Srl, LS vision, GWSECU, 12 Legion Solution, HDVuk IP Camera, Intervid Security, Suzuki Tech, Wellsite IP Camera, iBrido, Protec IP Camera, Maxtron IP Camera, Ascendent, GTvs IP Camera, Squilla, Bikal IP Camera, MW Power, Alfa Vision, KMA Security, Tough Dog Security, Kpro HQ, Lanetwork, AFM Vision, ZetaDo, Jobsight Inc., Datalab IP Technologies, 4Tvision, Proline UK, Tanz, Aisonic, HD-IP, PreSec Security Solution, and EagleVisi.
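The bug class in the entry above, as an added example that is not nsd's code and not bashis' PoC: a request string is passed to a printf-family function as its format argument, so "%x" sequences in the request make the function read arguments that were never supplied, which is where the leaked stack and register contents come from. The 256-byte buffer, the request text and the front-end specifier check are all assumptions for the illustration.

```c
#include <stdio.h>
#include <string.h>

/* Vulnerable form (constructed example, not nsd's code). The call is
 * made through a function pointer only so the example still compiles
 * under -Werror=format-security; the original shape would simply be
 * snprintf(out, outsz, req) with req as the format. */
static int render_vuln(char *out, size_t outsz, const char *req)
{
    int (*fmt)(char *, size_t, const char *, ...) = snprintf;
    return fmt(out, outsz, req);            /* BUG: req is the format */
}

/* Fixed form: the request is data, the format is a literal. */
static int render_safe(char *out, size_t outsz, const char *req)
{
    return snprintf(out, outsz, "%s", req);
}

/* Returns 1 if rendering req through the vulnerable path changed the
 * bytes, i.e. conversion specifiers were interpreted and register/stack
 * contents were pulled into the output (the leak the advisory describes). */
int leaks_via_vuln_path(const char *req)
{
    char out[256];
    render_vuln(out, sizeof out, req);
    return strcmp(out, req) != 0;
}

/* Returns 1 if the fixed path reproduces req byte for byte, even when
 * req is full of specifiers. */
int safe_path_preserves(const char *req)
{
    char out[256];
    render_safe(out, sizeof out, req);
    return strcmp(out, req) == 0;
}

/* Request-side check a front end or IDS rule could apply (assumed, not
 * part of any OEM firmware): is there a '%' followed by flags/width and
 * then a conversion character? "%%" is a literal percent and is skipped.
 * Returns 1 when a specifier is present. */
int has_format_specifier(const char *s)
{
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {                  /* escaped percent */
            p++;
            continue;
        }
        const char *q = p + 1;
        while (*q && strchr("0123456789.-+ #lhjzt$*", *q))
            q++;                            /* flags, width, length */
        if (*q && strchr("diouxXpnsc", *q))
            return 1;                       /* conversion character */
    }
    return 0;
}
```

Reading through "%x" is undefined behaviour, which is exactly why it works as a leak: the C library happily formats whatever sits in the argument registers and above the frame. The "%n" conversion, which writes, is what turns the same bug into a memory-corruption primitive, so a front-end check should reject the whole specifier family rather than only "%n".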

SSI Remote Execute and Read Files

This vulnerability allows an attacker to execute remote commands and read remote files on an Axis camera through its server-side include (SSI) handling. The camera must be configured to allow anonymous viewing for the unauthenticated attack to work. To execute a remote command, the attacker sends a GET request with the command encoded in the URL; to read a remote file, the attacker sends a GET request with the file path encoded in the URL. Both requests are sent to the target IP and port.

Multiple vulnerabilities in FailOverServlet in ManageEngine OpManager, Applications Manager and IT360

The FailOverServlet is vulnerable to unauthenticated remote command execution. By sending a specially crafted request to the servlet, an attacker can execute arbitrary commands on the server.

Heap overflow and integer overflow in ICU library

While fuzzing LibreOffice, an integer overflow and a heap overflow were found in the ICU library. This library is used by LibreOffice and hundreds of other software packages. Proof of concept files can be downloaded from [1]. These files have been tested with LibreOffice 4.3.3.2 and LibreOffice 4.4.0-beta2 and ICU 52. Note that at this point in time it is unknown whether these vulnerabilities are exploitable.
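The two bug classes named in the entry above, as an added example that is not ICU's or LibreOffice's code: a constructed resource file starts with a 32-bit record count, the loader sizes a heap buffer as count times the record size, and with 32-bit arithmetic that product wraps for a large count, so the buffer comes out tiny and the copy that trusts the count writes past it (the integer overflow feeding the heap overflow). The file layout, the 16-byte record size and the loader are assumptions.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed file format (assumption): 4-byte little-endian record
 * count, then count records of RECORD_SIZE bytes. Not ICU's format. */
#define RECORD_SIZE 16u
#define HEADER_SIZE 4u

static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Vulnerable size computation: the multiply wraps silently, e.g.
 * 0x10000001 * 16 = 0x100000010, truncated to 0x10. A loader that
 * malloc()s this and then copies count records overflows the heap.
 * Kept only so the wrap can be observed; never used to allocate here. */
uint32_t record_bytes_vuln(uint32_t count)
{
    return count * RECORD_SIZE;
}

/* Hardened: refuse when the product would not fit in 32 bits.
 * Returns 1 and stores the byte size on success, 0 on overflow. */
int record_bytes_checked(uint32_t count, uint32_t *bytes)
{
    if (count > UINT32_MAX / RECORD_SIZE)
        return 0;
    *bytes = count * RECORD_SIZE;
    return 1;
}

/* Hardened loader: validates the size arithmetic AND that the file
 * really carries that many bytes before touching the heap. Returns a
 * malloc'd copy of the records (caller frees) or NULL on rejection. */
uint8_t *load_records_checked(const uint8_t *file, size_t file_len,
                              uint32_t *count_out)
{
    if (file_len < HEADER_SIZE)
        return NULL;
    uint32_t count = read_le32(file), bytes;
    if (!record_bytes_checked(count, &bytes))
        return NULL;                        /* would have wrapped */
    if (bytes > file_len - HEADER_SIZE)
        return NULL;                        /* header lies about length */
    uint8_t *buf = malloc(bytes ? bytes : 1);
    if (!buf)
        return NULL;
    memcpy(buf, file + HEADER_SIZE, bytes);
    *count_out = count;
    return buf;
}

/* Builds a constructed file image with the given header count followed
 * by payload_bytes bytes of 0xAA, runs the checked loader on it and
 * returns 1 if the loader accepted it. */
int loader_accepts(uint32_t declared_count, size_t payload_bytes)
{
    size_t len = HEADER_SIZE + payload_bytes;
    uint8_t *file = malloc(len);
    if (!file)
        return 0;
    file[0] = (uint8_t)(declared_count & 0xff);
    file[1] = (uint8_t)((declared_count >> 8) & 0xff);
    file[2] = (uint8_t)((declared_count >> 16) & 0xff);
    file[3] = (uint8_t)((declared_count >> 24) & 0xff);
    memset(file + HEADER_SIZE, 0xAA, payload_bytes);
    uint32_t n = 0;
    uint8_t *recs = load_records_checked(file, len, &n);
    int ok = recs != NULL && n == declared_count;
    free(recs);
    free(file);
    return ok;
}
```

A fuzzer finds this class quickly because the wrapping count is a single 4-byte field; the checked loader rejects it before any allocation, which is the behaviour to look for when triaging whether a crash like the ones reported here is reachable from file input.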

Multiple vulnerabilities in TrueOnline / ZyXEL / Billion routers

TrueOnline is a major Internet Service Provider in Thailand which distributes various rebranded ZyXEL and Billion routers to its customers. Three router models, the ZyXEL P660HN-T1A v1, ZyXEL P660HN-T1A v2 and Billion 5200W-T, contain a number of default administrative accounts, as well as authenticated and unauthenticated command injection vulnerabilities (running as root) in their web interfaces, mostly in the syslog remote forwarding function. All the routers are still in widespread use in Thailand, with the Billion 5200W-T router currently being distributed to new customers. These routers are based on the TC3162U SoC (or variants of it), a system-on-a-chip made by TrendChip, a SoC manufacturer that was acquired by Ralink / MediaTek in 2011.
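The syslog-forwarding command injection pattern in the entry above, as an added example that is not the routers' firmware: the web UI accepts a "remote syslog server" value, and the vulnerable form splices it into a shell command line that runs as root, so shell metacharacters in the value become extra commands. The hardened form validates the value as a hostname or IPv4 literal and passes it as its own argv element to execv(), so no shell ever parses it. The daemon path, the "-R" option and the field name are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <unistd.h>

/* Vulnerable form (constructed, not the TC3162U firmware): the field is
 * spliced into a command line that the CGI then hands to system(). */
int build_syslog_cmd_vuln(char *out, size_t outsz, const char *server)
{
    return snprintf(out, outsz, "/sbin/syslogd -R %s", server);
}

/* Shows what the shell would actually receive for a given field value:
 * returns 1 if the spliced command equals expected. */
int vuln_cmd_equals(const char *server, const char *expected)
{
    char cmd[512];
    build_syslog_cmd_vuln(cmd, sizeof cmd, server);
    return strcmp(cmd, expected) == 0;
}

/* Hardened validation: letters, digits, '.' and '-' only (hostnames and
 * dotted IPv4), no leading '-' (would be parsed as an option) or '.',
 * length within the DNS limit. Returns 1 if acceptable. */
int valid_syslog_host(const char *s)
{
    size_t n = strlen(s);
    if (n == 0 || n > 253 || s[0] == '-' || s[0] == '.')
        return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!isalnum(c) && c != '.' && c != '-')
            return 0;
    }
    return 1;
}

/* Fills argv for execv(); the value is a single argument, never text for
 * a shell. Returns 0 and leaves argv untouched if validation fails. */
int build_syslog_argv(const char *server, const char *argv[4])
{
    if (!valid_syslog_host(server))
        return 0;
    argv[0] = "/sbin/syslogd";
    argv[1] = "-R";
    argv[2] = server;
    argv[3] = NULL;
    return 1;
}

/* What the child would do after fork(): exec the vetted argv directly.
 * Returns -1 on rejection or if execv() itself fails. Not exercised by
 * the checks below, shown for the pattern. */
int restart_syslogd(const char *server)
{
    const char *argv[4];
    if (!build_syslog_argv(server, argv))
        return -1;
    execv(argv[0], (char *const *)argv);
    return -1;                              /* only reached on exec failure */
}
```

The validation is deliberately a whitelist rather than a blacklist of ";", "|", "`" and "$(": embedded firmware web stacks tend to decode the field in several places, and a whitelist of hostname characters stays correct regardless of which decoding step runs last.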

Multiple critical vulnerabilities in BMC Track-It! 11.4

BMC Track-It! 11.4 exposes several .NET remoting services on port 9010, which can be used to invoke methods remotely and retrieve their results. These remote methods are used when a technician uses the Track-It! client console to communicate with the central Track-It! server; a technician would invoke them to obtain tickets, create a new ticket, upload files to tickets, and so on. In October 2014, two 0-day vulnerabilities for Track-It! 11.3 were disclosed (under CVE-2014-4872). The vulnerabilities were due to the Track-It! server accepting remote method invocations without any kind of authentication or encryption. One of the vulnerabilities allowed an attacker to execute code on the server as NETWORK SERVICE or SYSTEM. Disclosure was handled by US-CERT, which attempted to contact BMC but received no response after 45 days. After this period they released the vulnerability information, and two Metasploit exploits were released.

Mambo SQL Injection

Mambo is vulnerable to an Authentication Bypass issue that is due to an SQL Injection in the login function. The SQL Injection is possible because the $passwd variable is only sanitized when it is not passed as an argument to the function. The login code assumes that the $passwd variable is an md5 hash, but by sending a cookie with values like "usercookie[password]=%27 or 1=1/*; usercookie[username]=admin" an attacker can bypass authentication.
