A vulnerability in Windows Explorer allows for the automatic execution of executable content when a folder is accessed. This can be exploited by malicious actors to run code in the context of the logged-in user. Opening a folder is typically considered safe, making this vulnerability particularly dangerous. The issue can also be exploited remotely if the malicious folder is accessed from an SMB share. A proof-of-concept exploit has been provided that demonstrates the execution of NetMeeting and installation of a keylogger on a vulnerable system.
A weakness has been reported to exist in the VBulletin software that may allow an attacker to spoof parts of the VBulletin interface. The issue exists due to improper validation of user-supplied data. Remote attackers may potentially exploit this issue by convincing a VBulletin administrator to follow a specially crafted URI. The URI would contain a URI to a remote attacker-owned HTML page as the value for the affected parameter of the 'index.php' script. If the administrator were to follow this link, part of the VBulletin user interface may be spoofed by the attacker.
The 'wget' utility has a race-condition vulnerability where it does not lock files that it creates and writes to during file downloads. This vulnerability can be exploited by a local attacker to corrupt files with the privileges of the victim who is running the vulnerable version of wget.
TurboTrafficTrader C does not properly sanitize user input, allowing remote attackers to launch cross-site scripting and HTML injection attacks. The cross-site scripting issues allow attackers to create malicious links that execute hostile code in the victim's web browser. The HTML injection issues allow attackers to post malicious code that is later rendered in the web browser of other visitors to the affected site. These attacks can lead to theft of authentication credentials and other possible attacks.
The vulnerability exists due to the 'help:' protocol implemented by the Mac OS X help application. The 'help:' protocol can be invoked remotely by the Safari web browser, allowing an attacker to craft a malicious link and entice a user to follow the link in order to execute script code via the help application. This can be exploited to execute arbitrary code with minimal user interaction.
The vulnerabilities in LHA allow a malicious archive to execute arbitrary code or corrupt arbitrary files when the archive is operated on. These issues are triggered in the 'extract_one()' function due to a failure of the application to properly validate string lengths in offending files. The exploit code provided creates an archive that, when decompressed with LHA-1.14, will cause a buffer overflow. The exploit utilizes the return-into-libc technique to execute system commands and exit. Specific addresses for the system function, exit function, and /tmp/lhXXXXXX string inside the exploit binary need to be obtained and placed in the code in little endian order.
This exploit targets a vulnerability in the ZwQuerySystemInformation function in Windows. It allows an attacker to escalate their privileges on the affected system.
A vulnerability has been reported that may potentially permit HTML documents to gain unauthorized access to local resources by using specific syntax when referencing said resource as a value for the CODEBASE object property. Under certain conditions, this could be exploited to reference executable content on the victim system. In particular, by prepending two backslash characters (\\) to the resource path, it may be possible to invoke the resource. This syntax is reportedly still valid despite patches to limit other means of allowing remote users to reference local content on client systems. This works only if the resource is invoked from the Local Zone, so other vulnerabilities are required to bypass Zone restrictions and cause malicious content to be executed in the Local Zone. BIDs 9658, 9320, 9105, and 9107 could all theoretically be exploited in combination with this issue, potentially allowing for execution of arbitrary code on the client system if properly exploited. Attacks that exploit this issue in tandem with other vulnerabilities may be executed through Internet Explorer or HTML email via Outlook/Outlook Express. Note: This BID initially included a proof-of-concept that was published by Roozbeh Afrasiabi that caused a .CHM file to be referenced from the Internet Zone. Further research has determined that this is a new, distinct vulnerability, and BID 10348 has been created to describe that issue.
A vulnerability has been identified in multiple products from multiple vendors that may allow a remote attacker to create or modify arbitrary files; these issues relate to the processing of URI requests via various protocol handlers including telnet, rlogin, ssh and mailto. The vulnerability presents itself because applications fail to validate URI input; if a '-' character precedes the host name it is possible to pass options to an application that handles the protocol. Successful exploitation of this issue may allow a remote attacker to create or modify arbitrary files, resulting in a denial of service condition in the browser. The attack would occur in the context of the user running the vulnerable browser.
The built-in DHCP server on Linksys devices is prone to an information disclosure vulnerability. The DHCP server does not handle BOOTP packets properly, allowing an attacker to disclose the contents of the device's memory. This vulnerability can be exploited to watch traffic on the affected device and potentially crash the device, denying service to legitimate users.