This module exploits CVE-2016-0792 a vulnerability in Jenkins versions older than 1.650 and Jenkins LTS versions older than 1.642.2 which is caused by unsafe deserialization in XStream with Groovy in the classpath, which allows remote arbitrary code execution. The issue affects default installations. Authentication is not required to exploit the vulnerability.
This module exploits a Second-Order PHP Object Injection vulnerability in Tuleap <= 9.6 which could be abused by authenticated users to execute arbitrary PHP code with the permissions of the webserver. The vulnerability exists because of the User::getRecentElements() method is using the unserialize() function with data that can be arbitrarily manipulated by a user through the REST API interface. The exploit's POP chain abuses the __toString() method from the Mustache class to reach a call to eval() in the Transition_PostActionSubFactory::fetchPostActions() method.
The Intel Content Protection HECI Service runs as LocalSystem and hosts a DCOM service. The main function is StartIo which takes an input variant and returns a variant. Based on what it’s trying to do I’d assume the input variant is supposed to be a byte array, however it contains a bug. The issue here is that the In variant is used as a SAFEARRAY without checking that the VARIANT contains a SAFEARRAY. This leads to type confusion, for example a caller could pass VT_UI4 integer with any value they like and this code would interpret that integer as a pointer to a SAFEARRAY structure. This might seem to be only an arbitrary read issue, however the copy of the safe array can be made to execute arbitrary memory. If you point the type confused pointer at a block of memory which looks like a IUnknown array then when copying the array it will try and add a reference to each COM object in the array. This causes a VTable dispatch to AddRef which if carefully crafted should get arbitrary code execution. The call to CopyFrom does verify that the variant type is VT_UI1 (a byte array) however you can set some feature flags such as FADF_UNKNOWN which will force a call to IUnknown::AddRef on the elements of the array without changing the supposed variant type. Also you don’t need to guess the allocation address for the fake safearray as you can use a byte lea to get the address of the type confused pointer.
There is an uninitialized variable vulnerability in jscript.dll. This issue could potentially be exploited through multiple vectors: By opening a malicious web page in Internet Explorer and an attacker on the local network could exploit this issue by posing as a WPAD (Web Proxy Auto-Discovery) host and sending a malicious wpad.dat file to the victim. The issue has been verified on 64-bit Windows 10 with the most recent patches applied.
There is an heap overflow vulnerability in jscript.dll library (used in IE, WPAD and other places). The bug affects 2 functions, JsArrayStringHeapSort and JsArrayFunctionHeapSort. PoC for IE (note: page heap might be required to obsorve the crash): Array.sort is implemented in JsArraySort which, depending if a comparison function was specified or not, calls JsArrayStringHeapSort or JsArrayFunctionHeapSort. These (vulnerable) functions take several arguments, 2 of which are the input array length and the number of elements currently in the input array (this can be smaller than the array length). The vulnerable functions are going to allcoate 2 buffers to store intermediate data. The size of these buffers will be calculated based on *num_elements*. However, while filling those arrays it is possible that the number of elements is going to increase, which causes a heap overflow.
There is a heap overflow in jscript.dll when compiling a regex. This issue could potentially be exploited through multiple vectors: An attacker on the local network could exploit this issue by posing as a WPAD (Web Proxy Auto-Discovery) host and sending a malicious wpad.dat file to the victim. This works because wpad.dat files are JavaScript files interpreted with jscript.dll on the WPAD client. The issue can also be exploited by opening a malicious web page in Internet Explorer. The issue has been verified on 64-bit Win7 and 64-bit Win10 with the most recent patches applied.
TeamViewer Permissions Hook V1 is a proof of concept injectable C++ DLL, that uses naked inline hooking and direct memory modification to change TeamViewer permissions. It utilizes signature/pattern scanning to dynamically locate key parts in the code at which the assembly registers hold pointers to interesting classes. Applies inline naked hooks a.k.a code caves, to hi-jack the pointers to use for modification via direct memory access to their reversed classes. It was built on Windows 10, for TeamViewer x86 Version 13.0.5058.
The vulnerability allows an attacker to inject sql commands by sending a malicious HTTP request to the vulnerable application. The attacker can execute arbitrary SQL commands on the vulnerable system.
There is a use-after-free vulnerability in jscript.dll. This issue could potentially be exploited through multiple vectors: an attacker on the local network could exploit this issue by posing as a WPAD (Web Proxy Auto-Discovery) host and sending a malicious wpad.dat file to the victim, or by opening a malicious web page in Internet Explorer. The issue has been verified on 64-bit Win7 with the most recent patches applied.
The BrightSign Digital Signage (4k242) device (Firmware 6.2.63 and below) suffers from multiple vulnerabilities. The pages: /network_diagnostics.html and /storage_info.html suffer from a Cross-Site Scripting vulnerability. The REF parameter for these pages do not sanitize user input, resulting in arbitrary execution, token theft and related attacks. The RP parameter in STORAGE.HTML suffers from a directory traversal/information leakage weakness. Through parameter manipulation, the file system can be traversed, unauthenticated, allowing for leakage of information and compromise of the device. This page also allows for unauthenticated upload of files. The /tools.html page allows for unauthenticated rename/manipulation of files. When combined, these vulnerabilities allow for compromise of both end users and the device itself.
Services By CQR