Many versions of PuTTY prior to 0.68 have a heap-corrupting integer overflow bug in the ssh_agent_channel_data function, which processes messages sent by remote SSH clients to a forwarded agent connection. The agent protocol begins every message with a 32-bit length field giving the length of the remainder of the message, not including the length field itself. In order to accumulate the entire message, length field included, in an internal buffer, PuTTY added 4 to the received length value to obtain the message length inclusive of everything. This addition was missing a check for unsigned integer overflow. Hence, sending a length field large enough to overflow when 4 is added to it, such as 0xFFFFFFFD, would cause PuTTY to record a value for the total message length (totallen) that was smaller than the amount of data it had already seen (lensofar, which at this point would be 4 bytes for the length field itself). It would then assume that the expression totallen-lensofar represented the amount of space it was safe to write into its buffer; in the overflowing case this unsigned subtraction wraps round to a number just less than 2^32, far larger than the allocated heap block, so PuTTY could be induced to overwrite its heap with data sent by the attacker.
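The following is an added example, not PuTTY's own code: a Python model of the length accumulation described above, using explicit 32-bit unsigned arithmetic so the wrap is visible. The class reassembles agent messages from channel-data chunks, keeping the same state the text names (lensofar, totallen), and records how far a write would reach past the allocated block instead of corrupting anything. With checked=False it reproduces the pre-0.68 arithmetic; with checked=True it adds a bound check on the raw length before the addition, which is the shape of the fix. MAX_AGENT_MSGLEN is a constructed limit for the example; the page does not quote PuTTY's own constant.

```python
import struct

U32_MASK = 0xFFFFFFFF
# Constructed cap for the example; the page does not quote PuTTY's own limit,
# and the fix it describes is the overflow check, not this particular value.
MAX_AGENT_MSGLEN = 256 * 1024


class AgentChannel:
    """Reassembles agent messages from forwarded-channel data, chunk by chunk.

    The state mirrors the description above: the first 4 bytes are kept in
    msglen, lensofar counts bytes consumed of the current message, totallen is
    the expected total including the length field, and alloc is the size of
    the block that would be allocated for the message. Instead of corrupting
    memory, writes past alloc are recorded in bytes_past_alloc.
    """

    def __init__(self, checked):
        self.checked = checked  # False: pre-0.68 arithmetic; True: with the bound check
        self.bytes_past_alloc = 0
        self._reset()

    def _reset(self):
        self.msglen = b""
        self.body = bytearray()
        self.lensofar = 0
        self.totallen = 0
        self.alloc = 0

    def _note_write(self, end):
        """Record how far past the allocated block a write would reach."""
        if end > self.alloc:
            self.bytes_past_alloc = max(self.bytes_past_alloc, end - self.alloc)

    def _start_message(self):
        (length,) = struct.unpack(">I", self.msglen)
        if self.checked and length > MAX_AGENT_MSGLEN - 4:
            # Checking the raw length before the addition is what prevents the wrap.
            raise ValueError("agent message length %#x rejected" % length)
        # Unchecked: 0xFFFFFFFD + 4 wraps to 1 in a 32-bit unsigned int.
        self.totallen = (length + 4) & U32_MASK
        self.alloc = self.totallen
        # The 4 length bytes are copied into the block first; with a
        # 1-byte block that is already 3 bytes too many.
        self._note_write(4)

    def feed(self, data):
        """Consume one chunk of channel data; returns completed message bodies."""
        done = []
        while data:
            if self.lensofar < 4:
                take = min(4 - self.lensofar, len(data))
                self.msglen += data[:take]
                self.lensofar += take
                if self.lensofar == 4:
                    self._start_message()
            else:
                # "Space left" as the unchecked code computes it: wraps to
                # just under 2^32 once totallen is smaller than lensofar.
                space = (self.totallen - self.lensofar) & U32_MASK
                take = min(space, len(data))
                self.body += data[:take]
                self.lensofar += take
                self._note_write(self.lensofar)
            data = data[take:]
            if self.lensofar >= 4 and self.lensofar == self.totallen:
                done.append(bytes(self.body))
                self._reset()
        return done


if __name__ == "__main__":
    # Constructed traffic: a 1-byte request (type 11), then the overflowing length.
    vuln = AgentChannel(checked=False)
    print(vuln.feed(b"\x00\x00\x00\x01\x0b"))        # [b'\x0b']
    vuln.feed(b"\xff\xff\xff\xfd" + b"A" * 16)
    print(hex(vuln.totallen), vuln.bytes_past_alloc)  # 0x1 19
    fixed = AgentChannel(checked=True)
    try:
        fixed.feed(b"\xff\xff\xff\xfd" + b"A" * 16)
    except ValueError as e:
        print(e)
```

Feeding the 0xFFFFFFFD length to the unchecked channel sets totallen to 1, so a 1-byte block is "allocated", and the 16 payload bytes that follow are all written past it; the checked channel refuses the length before any allocation happens.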
CVE-2017-7472 is a memory-exhaustion denial-of-service vulnerability in the Linux kernel's key-management (KEYS) subsystem. It is caused by a memory leak in the keyctl_set_reqkey_keyring() function: each call that selects the thread keyring as the default request-key destination allocates a new thread keyring without freeing the previous one. An unprivileged local user can trigger it by running a specially crafted C program that calls keyctl() in a loop, causing the kernel to run out of memory and leading to a denial of service.
This PoC exploits an out-of-bounds write vulnerability in the Android kernel. The vulnerability is triggered when the sin_family field of the sockaddr_in structure is set to 0 (AF_UNSPEC). This causes the kernel to write to an out-of-bounds memory location, resulting in a kernel panic.
Using the DC/OS cluster's Marathon UI, an attacker can create a Docker container with the host's '/' path mounted read/write inside the container. Because the container's process runs as uid 0 and that uid is honoured by the host operating system, the attacker can create or edit files owned by root on the host. This exploit abuses that to drop a cron job into the host's '/etc/cron.d/' directory.
Multiple SQL injection vulnerabilities have been discovered in the Xavier PHP Login Script & User Management Admin Panel web application. The vulnerabilities are located in the `username` and `password` values of the `/login.php` file; remote attackers can inject their own SQL commands through these parameters to compromise the web application or the DBMS.
Ahsan Tahir, an independent vulnerability researcher, discovered a persistent cross-site scripting vulnerability in the GravCMS Admin Plugin (v1.4.2). The security risk of the XSS vulnerability is estimated as medium, with a CVSS score of 3.6. Exploitation of the persistent XSS web vulnerability requires a limited admin user account and only low user interaction. Successful exploitation results in persistent phishing attacks, session hijacking, persistent external redirects to malicious sources, and persistent manipulation of the affected or connected web module context.
Peplink devices are vulnerable to SQL injection via the bauth cookie parameter, which is set, for example, when accessing https://ip/cgi-bin/MANGA/admin.cgi. The backend database is SQLite. The injection can be checked with the following sqlmap command: ./sqlmap.py -u "https://ip/cgi-bin/MANGA/admin.cgi" --cookie="bauth=csOWLxU4BvoMfhY2rHLVFm1EmZWV74zinla9IVclqrYxH16426647" -p "bauth" --level 5 --risk 3 --dbms sqlite --technique=BEUSQ --flush-session -t trace.log -v 3
During a security audit of the Tribulant Newsletters plugin for the WordPress CMS, multiple vulnerabilities were discovered using the DefenseCode WebScanner application security analysis platform: a file disclosure vulnerability and multiple cross-site scripting vulnerabilities. The file disclosure (path traversal) vulnerability is present in the URL http://vulnerablesite.com/wp-admin/admin.php?page=newsletters-history&wpmlmethod=exportdownload&file=..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5cWINDOWS%5cwin.ini, where the traversal sequences use URL-encoded backslashes (%5c) rather than forward slashes, and a cross-site scripting vulnerability is present in the URL http://vulnerablesite.com/wp-admin/admin.php?page=newsletters-subscribers&method=check-expired%5C%22%3E%3Cscript%3Ealert(%27XSS%27)%3C/script%3E
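The following is an added example, not code from the plugin or from DefenseCode, showing the file disclosure half of the finding: a naive filter that only looks for "../" lets the %5c payload above through, while a resolver that decodes, treats backslashes as separators, normalises, and then checks containment against the export directory refuses it. EXPORT_DIR is a constructed path; the example uses POSIX paths so it runs anywhere, although the target in the advisory is a Windows host (where os.path.normpath/realpath would play the same role).

```python
import posixpath
from urllib.parse import unquote

# Constructed location of the plugin's export files for this example.
EXPORT_DIR = "/var/www/wp-content/uploads/newsletters/exports"


def naive_filter_allows(file_param):
    """The kind of check the payload above gets past: it only looks for '../'."""
    return "../" not in file_param


def resolve_export_path(file_param, export_dir=EXPORT_DIR):
    """Map the user-supplied `file` parameter to a path under export_dir.

    Returns the absolute path to serve, or None when the request must be
    refused. `file_param` is the raw query-string value (still URL-encoded).
    """
    name = unquote(file_param)
    # Treat backslashes as separators before normalising: the payload above
    # uses %5c (backslash), which a check that only looks for "../" misses.
    name = name.replace("\\", "/")
    if name == "" or "\x00" in name or name.startswith("/"):
        return None
    base = posixpath.normpath(export_dir)
    candidate = posixpath.normpath(posixpath.join(base, name))
    # Containment is decided on the normalised result, not on the input string.
    if not candidate.startswith(base + "/"):
        return None
    return candidate


if __name__ == "__main__":
    # Constructed inputs: the advisory's payload and an ordinary export name.
    payload = "..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5cWINDOWS%5cwin.ini"
    print(naive_filter_allows(payload))                  # True  (filter bypassed)
    print(resolve_export_path(payload))                  # None  (refused)
    print(resolve_export_path("history-2017-05.csv"))    # .../exports/history-2017-05.csv
```

A stricter variant for an export-download handler is to accept only a bare file name (no separators at all) and look it up in the export directory; the containment check above is the general form for handlers that legitimately serve subdirectories.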
The login form of the Kronos Telestaff web application is vulnerable to blind SQL injection by an unauthenticated user. The vulnerability is due to the unsanitised POST parameter 'user' on the login page. The exploit requires a valid 'code' in the POST body, which is often a 4-digit number and so can be discovered in roughly 5,000 requests on average (10,000 at most). Proof of concept 1 can be used to extract data from the database, while proof of concept 2 can be used to execute code remotely.
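The following is an added example serving both the Xavier login-script finding and the Kronos Telestaff finding above; it is not code from either product. It builds a constructed in-memory SQLite users table, shows a login query assembled by string formatting beside its parameterised replacement, and then shows why a login that only answers "success" or "failure" is still enough for blind extraction: each boolean-based probe yields one bit, and characters of a stored value are recovered by repeated probes. The table contents and the probe alphabet are constructed for the example.

```python
import sqlite3
import string


def make_db():
    """Constructed in-memory users table standing in for the application DB."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("admin", "s3cret-hash"), ("alice", "other-hash")])
    return conn


def login_vulnerable(conn, username, password):
    """Builds the query by string formatting, so the inputs become SQL."""
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_fixed(conn, username, password):
    """Bound parameters: the inputs are data and are never parsed as SQL."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password)).fetchone()
    return row[0] if row else None


def blind_probe(conn, condition):
    """One boolean-based blind request against the vulnerable login: does it
    succeed when `condition` is ANDed onto the admin row? True/False only."""
    return login_vulnerable(conn, "admin' AND (%s)--" % condition, "x") is not None


def recover_password_prefix(conn, length,
                            alphabet=string.ascii_letters + string.digits + "-_"):
    """Recover the first `length` characters of admin's stored password, one
    character per round of probes, the way a blind injection does."""
    found = ""
    for pos in range(1, length + 1):
        for ch in alphabet:
            if blind_probe(conn, "substr(password,%d,1)='%s'" % (pos, ch)):
                found += ch
                break
        else:
            break  # character not in the alphabet; stop rather than guess
    return found


if __name__ == "__main__":
    conn = make_db()
    print(login_vulnerable(conn, "' OR 1=1--", "x"))   # admin   (bypass)
    print(login_fixed(conn, "' OR 1=1--", "x"))        # None    (input stays data)
    print(recover_password_prefix(conn, 6))            # s3cret
```

The parameterised version is the fix for both findings; validating the 'code' field or rate-limiting the login slows the Telestaff attack but does not remove it, since a single valid code is all the injection needs.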
JavaScriptCore allocates a JSFixedArray for every spread operand of the array literal (in slow_path_spread). As such, roughly 4 billion JSValues have to be allocated, taking up 32 GiB of RAM (8 bytes per JSValue). To exploit the bug, the author allocates 100 JSArrays of size 0x40000 and roots them, allocates another 100 JSArrays of size 0x40000 of which only every second one is rooted, allocates a larger JSArray and an ArrayBuffer of the same size, allocates 4 GiB of padding using JSArrays, and triggers the bug by concatenating JSArrays with a combined size of 2^32 + 0x40000 (containing the repeated byte 0x41). This increases the size of the victim array to the sprayed value (0x4141414141414141), so that it overlaps with the victim ArrayBuffer. This yields the fakeobj and addrof primitives, which can then be used to write code to a JIT page and jump to it.