
Explore Vulnerabilities


Explore all Exploits:

SedSystems D3 Decimator Multiple Vulnerabilities

SedSystems D3 Decimator devices have multiple vulnerabilities, including hardcoded credentials, arbitrary file download, and arbitrary code execution. The hardcoded credentials can be found in the /etc/passwd files contained within the default firmware since at least February 2013. The admin user has a default password of "admin", and the root user password is unknown. The arbitrary file download vulnerability can be exploited by sending a crafted request to the /cgi-bin/wcm.cgi endpoint, which allows the attacker to download any file on the device. The arbitrary code execution vulnerability can be exploited by uploading a crafted tarball that contains an "install" script in its root, which is executed as root when the device attempts to flash the firmware.

Coppermine Gallery <= 1.5.44 directory traversal vulnerability

Coppermine is a multi-purpose, fully-featured and integrated web picture gallery script written in PHP, using GD or ImageMagick as its image library with a MySQL backend. A directory traversal vulnerability exists within the "save_thumb" function of the "crop & rotate" image feature, which can be accessed from pic_editor.php. First upload a file, e.g. "hackerhouse.png", to an album. This creates a predictable file path containing your user id, e.g. http://target/cpg15x/albums/userpics/10001/hackerhouse.png. You then send a POST request to pic_editor to manipulate this file, but replace "new_image" with the path of the file you want to read, such as "../../../../../etc/passwd". That file is then copied to a predictable path as the thumbnail: http://target/cpg15x/albums/userpics/10001/thumb_hackerhouse.png. To exploit this vulnerability you need to be able to register an account and upload files to a photo album; admin rights are not required. All versions from cpg 1.4.14 to cpg 1.5.44 have been found vulnerable to this flaw. The Coppermine configuration was tested with ImageMagick enabled; your mileage may vary with GD1.x/GD2.x.

Dynamic Linker Exploit for PonyOS 4.0

PonyOS 4.0 has added several improvements over previous releases, including support for setuid binaries and dynamic libraries. The run-time linker does not sanitize environment variables when running setuid files, allowing local root exploitation through a manipulated LD_LIBRARY_PATH. Requires build-essential installed to compile the malicious library.

GNS-3 Mac OS-X LPE local root exploit

GNS-3 on OS X bundles the "ubridge" binary as a setuid root file. This binary can be used to read arbitrary files via its "-f" argument and, because it runs as root, can also write arbitrary files via the "pcap_file" argument in the configuration ini file. It is also possible to abuse this utility to write arbitrary contents by bridging a UDP tunnel and writing to disk. These mistakes can be exploited to gain root privileges on a host with GNS-3 installed by writing a malicious crontab entry and escalating privileges. This exploit takes advantage of the flaw to overwrite root's crontab with its own entry and spawn a root shell.

Exploit PoC reverse engineered from EXTREMEPARR

This exploit provides local root on Solaris 7 - 11 (x86 & SPARC). It uses an environment variable of the setuid binary dtappgather to manipulate file permissions and create a user-owned directory anywhere on the system (as root). It then adds a shared object to the locale folder and runs setuid binaries with an untrusted library file.

Vulnerability in memory_exchange()

This bug report describes a vulnerability in memory_exchange() that permits PV guest kernels to write to an arbitrary virtual address with hypervisor privileges. The vulnerability was introduced through a broken fix for CVE-2012-5513 / XSA-29. The fix for CVE-2012-5513 / XSA-29 introduced a guest_handle_okay() check in the memory_exchange() hypercall handler. guest_handle_okay() calls array_access_ok(), which calls access_ok(). If the address points to guest memory, access_ok() checks only the address, not the size, based on the assumption that any caller of access_ok() will access guest memory linearly, starting at the supplied address. Callers that want to access a subrange of the memory referenced by a guest handle are supposed to use guest_handle_subrange_okay(), which takes an additional start offset parameter, instead of guest_handle_okay(). memory_exchange() uses guest_handle_okay(), but accesses the guest memory arrays referenced by exch.in.extent_start and exch.out.extent_start starting at exch.nr_exchanged, a 64-bit offset.

Node Removal Vulnerability in Container::replaceAllChildren

This vulnerability is in the Container::replaceAllChildren function: if the location hash value is set, the page gives focus to the associated element. However, if a stylesheet has not yet been loaded, the focusing is delayed until the stylesheet gets loaded. The problem is that when the link element for the last pending stylesheet is removed from its parent, the notifyChildNodeRemoved function may end up firing a focus event that runs arbitrary JavaScript code, which can leave an iframe (|g| in the PoC) with an attached frame but no parent.

SOP Violation in Safari 10.0.3

This exploit demonstrates a Same-Origin Policy (SOP) violation in Safari 10.0.3. It is possible to bypass the SOP check performed before the SubframeLoader::requestFrame method is called. This is done by calling showModalDialog, which enters a message loop that may start pending page loads. This allows the frame's document to be changed before frame->script().executeIfJavaScriptURL is called, resulting in a SOP violation.
