uc-httpd is an HTTP daemon used by a wide array of IoT devices (primarily security cameras) which is vulnerable to local file inclusion and directory traversal bugs. There are a few million vulnerable devices in total, with around one million vulnerable surveillance cameras. The following request can be made to display the contents of the 'passwd' file: GET ../../../../../etc/passwd HTTP/1.0 To display a directory listing, the following request can be made: GET ../../../../../var/www/html/ HTTP/1.0 The above request outputs the contents of the webroot directory as if the 'ls' command had been executed. The following Shodan query can be used to display vulnerable systems: product:uc-httpd
This module triggers an arbitrary shared library load vulnerability in Samba versions 3.5.0 to 4.4.14, 4.5.10, and 4.6.4. This module requires valid credentials, a writeable folder in an accessible share, and knowledge of the server-side path of the writeable folder. In some cases, anonymous access combined with common filesystem locations can be used to automatically exploit this vulnerability.
This module can be used to execute a payload on an Octopus Deploy server given valid credentials or an API key. The payload is executed as a PowerShell script step on the Octopus Deploy server during a deployment.
During the security audit of the Huge-IT Video Gallery plugin for the WordPress CMS, a security vulnerability was discovered using the DefenseCode ThunderScan application source code security analysis platform. The easiest way to reproduce the vulnerability is to visit the provided URL while logged in as an administrator or another user that is authorized to access the plugin settings page. Users that do not have full administrative privileges could abuse the database access the vulnerability provides to either escalate their privileges or obtain and modify database contents they were not supposed to be able to access.
Through fuzzing, we have discovered a number of ways to crash the service (and specifically code in the mpengine.dll module) by feeding it malformed input test cases to scan. A summary of our findings is shown in the table below:
corruption_1: Heap buffer overflow with a one-byte overflow.
corruption_2: Heap corruption which may crash in other ways, e.g. an invalid read.
corruption_3: Unspecified memory corruption (?) which may cause different crashes with or without PageHeap.
Cerio Wireless Access Point and Router suffers from several vulnerabilities including: hard-coded and default credentials, information disclosure, command injection and hidden backdoors that allow escaping the restricted shell into a root shell via the 'pekcmd' binary. Given that all the processes run as root, an attacker can easily drop into the root shell by supplying hard-coded strings stored in the .rodata segment as static constant variables. The pekcmd shell has several hidden commands that can be used to gain root access.
JAD (Java Decompiler) 1.5.8e-1kali1 and prior is prone to a stack-based buffer overflow vulnerability because the application fails to perform adequate boundary checks on user-supplied input. An attacker could exploit this vulnerability to execute arbitrary code in the context of the application. Failed exploit attempts will result in a denial-of-service condition.
D-Link DCS cameras have a weak/insecure CrossDomain.XML file that allows sites hosting malicious Flash objects to access and/or change the device's settings via a CSRF attack. This is because the 'allow-access-from' child element has its 'domain' attribute set to '*', thus accepting requests from any domain. If a victim logged into the camera's web console visits a malicious site hosting a malicious Flash file from another browser tab, the malicious Flash file can then send requests to the victim's DCS series camera without knowing the credentials. An attacker can host a malicious Flash file that can retrieve live feeds or information from the victim's DCS series camera, add new admin users, or make other changes to the device's settings.
A buffer overflow vulnerability exists in Sandboxie version 5.18 which allows an attacker to cause a denial of service condition by copying a string of 5000 'A' characters to the clipboard and then pasting it into the 'Set Container Folder' dialog box. This will cause the application to crash.
The vulnerability is caused by a negative kernel unit length, which leads to an out-of-bounds access in ConvolvePixel(); out-of-bounds data is then copied into the SVG image. From there, it can be extracted by an attacker by loading the SVG image into a canvas element.