The _kernelrpc_mach_port_insert_right_trap function in the kernel allows a user to create a new mach port name in their process from a port they already have. The ipc_object_copyin function looks up the args->poly name in the current process's mach port namespace and returns an ipc_port_t pointer. If ipc_object_copyin is successful it takes a ref on the port and returns that ref to the caller. mach_port_insert_right will consume that reference but *only* if it succeeds. If it fails then no reference is consumed and a reference can be leaked. This allows an attacker to overflow the reference count of the port and cause a kernel UaF.
If an attacker can cause a MIG callout to fail, then they can cause the kernel to leak references to any port rights contained in the message.
A double free vulnerability exists in the MIG services of macOS because the mach_msg_server and mach_msg_server_once functions do not properly manage the resources associated with each message. If a MIG handler method returns an error code, it is assumed not to have taken ownership of any of the resources in the message, and both mach_msg_server and mach_msg_server_once will pass the message to mach_msg_destroy. If the message contained an OOL memory descriptor with the deallocate flag set, mach_msg_destroy passes the address contained in the descriptor to vm_deallocate. By default, MIG client code passes OOL memory with the copy type set to MACH_MSG_PHYSICAL_COPY, which results in the receiver seeing a deallocate value of 0; but if the sender sets the copy type to MACH_MSG_VIRTUAL_COPY, deallocate will be 1 in the receiver. This leads to a double free if the MIG handler itself calls vm_deallocate on the OOL memory and then returns an error code, because the mach_msg_server code will deallocate it again.
The Vesta CP default install script adds the /usr/local/vesta/bin/ directory to /etc/sudoers.d with the NOPASSWD option for the default 'admin' user. All programs in the /usr/local/vesta/bin/ directory can therefore be run as root. A command injection vulnerability in the 'v-get-web-domain-value' script can be exploited to run arbitrary commands and escalate from the admin user to root. Parameter $3 (key) in v-get-web-domain-value is not properly sanitized before being passed to bash eval.
This exploit is for the IBM AIX Bellmail local root vulnerability, a local privilege escalation vulnerability that affects AIX 6.1, 7.1, 7.2 and VIOS 2.2.x. The exploit uses the bellmail binary to inject a payload into the /etc/suid_profile file, which is then executed to gain root privileges. The exploit then creates a root shell in /tmp/shell-<random_number> and sets its permissions to 6755.
In Chakra, Internationalization is initialized the first time the Intl object is used, by executing the script in Intl.js. This code attempts to prevent Object methods from being redefined by user scripts, but there are a few stray calls to Object.defineProperty in initialization. If Object.defineProperty is redefined before Intl is initialized, a user-defined method can be called during initialization. If this method defines a Collator (or DateTimeFormat or NumberFormat) getter and setter on the Intl object, it can intercept what it is set to, and set it to a different value instead. This then causes type confusion in IntlEngineInterfaceExtensionObject::deletePrototypePropertyHelper.
If the call has more than three arguments, it will fall through, leaving newArgs uninitialized. This will cause toLocaleString to be called on uninitialized memory, having a similar effect to type confusion (as integers in the memory can be confused for pointers and vice versa). A minimal PoC is as follows, and a full PoC is attached:

var v = SIMD.Int32x4(1, 2, 3, 4);
v.toLocaleString(1, 2, 3, 4, 5, 6, 7);
This exploit abuses cascading subtle side effects of an emulation misstep that at first appears extremely difficult to exploit but ends up presenting beautiful and 100% reliable exploitation possibilities. It is a full, working, reliable, 0day exploit for current Linux distributions (Ubuntu 16.04 LTS and Fedora 25). It’s a full drive-by download in the context of Fedora.
This exploit is used to enumerate users in ntopng. It takes a file containing usernames as an argument and checks if the user exists in the ntopng system. If the user exists, it prints “FOUND”, else it prints “NOT FOUND”.
The plugin does not properly sanitize user input and is therefore vulnerable to SQL injection. The vulnerable page is custom/lib/cf.SR_redirect_manager.class.php on line 356. Proof of Concept (PoC):

GET /path-to-wordpress/%27%29%20AND%20%28SELECT%20%2a%20FROM%20%28SELECT%28SLEEP%285-%28IF%28%27a%27%3D%27a%27%2C0%2C5%29%29%29%29FPYG%29%20AND%20%28%27SQL%27%3D%27SQL HTTP/1.1
Host: localhost
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: wp-settings-time-1=1480877693
Connection: close