
Explore Vulnerabilities


Explore all Exploits:

DALIM SOFTWARE ES Core 5.0 build 7184.1 Server-Side Request Forgery

A Server-Side Request Forgery (SSRF) vulnerability was discovered in Dalim Software ES Core 5.0 build 7184.1. The vulnerability allows an attacker to send malicious requests to internal services that are not accessible from the external network. This can be exploited to gain access to sensitive information, such as the internal network configuration, or to launch further attacks against the internal network.

DALIM SOFTWARE ES Core 5.0 build 7184.1 Multiple Remote File Disclosures

Multiple vulnerabilities in Dalim Software ES Core 5.0 build 7184.1 allow remote attackers to disclose sensitive information via a direct request to certain files. The vulnerabilities exist due to insufficient validation of user-supplied input. A remote attacker can exploit these vulnerabilities to disclose sensitive information.

DALIM SOFTWARE ES Core 5.0 build 7184.1 User Enumeration Weakness

DALIM SOFTWARE ES Core is prone to a user-enumeration weakness because it fails to properly check user credentials. An attacker can exploit this issue to enumerate valid usernames and passwords, which can be used to gain access to the affected application.

DC25 5A1F – Demystifying Windows Kernel Exploitation by Abusing GDI Objects

This exploit abuses a newly discovered GDI object abuse technique to gain Ring 0 primitives. The technique involves the abuse of the GDI palette objects to gain arbitrary read/write primitives. The exploit is demonstrated on Windows 7 SP1 x86.

Remote Code Execution in Synology Photo Station

The remote code execution is a chain of four different vulnerabilities: (1) uploading arbitrary files to specified directories, (2) logging in via a fake authentication mechanism, (3) logging in to Photo Station with any identity, and (4) executing arbitrary code as an authenticated user with administrator privileges. Together, the chain allows an attacker to execute code as uid=138862(PhotoStation) gid=138862(PhotoStation) groups=138862(PhotoStation).

wildmidi multiple vulnerabilities

The _WM_SetupMidiEvent function in internal_midi.c:2318 in WildMIDI 0.4.2 can cause a denial of service (invalid memory read and application crash) via a crafted MIDI file. The same function can also cause a denial of service (invalid memory write and application crash) via a crafted MIDI file.

Abusing GDI for Ring0 Exploit Primitives

This exploit abuses the GDI functions to gain Ring0 access and privilege escalation. It uses the NtAllocateVirtualMemory function to map the NULL page in user space and then uses the GetPaletteEntries and SetPaletteEntries functions to read and write data to the NULL page. It then uses the PsInitialSystemProcess and GetCurrentEPROCESS functions to get the EPROCESS of the System process and the current process respectively. It then reads the token of the System process and sets the token of the current process to the System token, thus gaining Ring0 access and privilege escalation.

WordPress Easy Modal Plugin Multiple Vulnerabilities

During a security audit of the Easy Modal plugin for the WordPress CMS, multiple vulnerabilities were discovered using the DefenseCode ThunderScan application source code security analysis platform. The easiest way to reproduce the vulnerability is to visit the provided URL while logged in as an administrator or another user authorized to access the plugin settings page. Users without full administrative privileges could abuse the database access the vulnerability provides to either escalate their privileges or obtain and modify database contents they were not supposed to be able to. The nonce token is required as a URL parameter. The token value is not unique per request or per URL, so if an attacker manages to obtain a valid token value, the module could be exposed to attack vectors such as Cross-Site Request Forgery (CSRF).

XSS through SSID in Technicolor TC7337

This exploit allows an attacker to inject malicious JavaScript code into the SSID of a Technicolor TC7337 router. The code is then executed when the router's wlscanresults.html page is accessed. The code can be used to extract the router's admin login and password, as well as the Wi-Fi passphrase, and send them to an attacker-controlled server. It can also be used to execute a Cross-Site Request Forgery (CSRF) attack to reboot the router.

VirtualBox: Windows Process DLL UNC Path Signature Bypass EoP

The process hardening implemented by the VirtualBox driver can be circumvented to load arbitrary code inside a VirtualBox process, giving access to the VBoxDrv driver, which can provide routes to EoP from a normal user. On Windows, mapped DLLs use an Image Section under the hood. This is a special type of file mapping where the parsing and relocating of the PE file is handled entirely by the kernel. To allow sharing of image mappings (so that ideally the kernel only needs to do the parsing and relocation once), the kernel memory manager ties the file object to an existing section object using a unique section pointer set by the file system driver. The interesting thing is that the section pointer doesn't necessarily ensure the file hasn't changed, only that the file system considered the file the 'same'. Therefore it's possible that opening a file and reading it returns a completely different PE file than the one you'll get if you then map that file as an image section.
