
Explore Vulnerabilities


Explore all Exploits:

WinPower V4.9.0.4 Privilege Escalation

UPSmonitor runs as a SYSTEM process. We can communicate with the monitor using its RMI interface. In the manager app there is an "Administrator" password check, but the password isn't verified inside the monitor process, so we can modify any application setting without knowing the administrator password. More interestingly, we can set a command that will be executed when the monitor receives a "remote shutdown command". Because the monitor runs as a SYSTEM process, this command is also executed with SYSTEM privileges, so it can be used to create a new administrator account.

V8 Out-of-Bounds Read Exploit

This exploit is a proof-of-concept for a vulnerability in the V8 JavaScript engine. It uses a combination of Object.observe, Object.freeze, and Array.prototype.__defineGetter__ to read out-of-bounds memory. It first uses Object.observe to set up a getter on Array.prototype, then uses Object.freeze to freeze a Promise object, and finally uses Array.prototype.__defineGetter__ to read out-of-bounds memory. The exploit then dumps the contents of the memory at the address 0x40000000.

Microsoft Internet Explorer 10 Memory Corruption Vulnerability

A specially crafted web page can cause Microsoft Internet Explorer 10 to continue to use an object after freeing the memory used to store the object. An attacker might be able to exploit this issue to execute arbitrary code. An attacker would need to get a target user to open a specially crafted web page. Disabling JavaScript should prevent an attacker from triggering the vulnerable code path.

Type Confusion in HTML Layout in Microsoft Internet Explorer 11

A specially crafted web page can cause a type confusion in HTML layout in Microsoft Internet Explorer 11. An attacker might be able to exploit this issue to execute arbitrary code. An attacker would need to get a target user to open a specially crafted web page. Disabling JavaScript should prevent an attacker from triggering the vulnerable code path. Internally MSIE uses various lists of linked CTreePos objects to represent the DOM tree. For HTML/SVG elements a CTreeNode element is created, which embeds two CTreePos instances: one that contains information about the first child of the element and one that indicates the next sibling or parent of the element. For text nodes an object containing only one CTreePos is created, as such nodes never have any children. CTreePos instances have various flags set. This includes a flag that indicates whether they are the first (fTPBegin) or second (fTPEnd) CTreePos instance for an element, or the only instance for a text node (fTPText). The vulnerability is caused by the fact that the fTPBegin flag is not set for the first CTreePos instance of a TextNode. This causes the Branch method to return a pointer to a CTreeNode object instead of a TextNode object.

Microsoft Internet Explorer 8 Out-of-Bounds Read Vulnerability

A specially crafted web page can cause Microsoft Internet Explorer 8 to attempt to read data beyond the boundaries of a memory allocation. An attacker would need to get a target user to open a specially crafted web page. Disabling JavaScript should prevent an attacker from triggering the vulnerable code path.

ntpd 4.2.8p3 remote DoS

This exploit is a remote denial of service (DoS) attack against ntpd 4.2.8p3. It sends a specially crafted packet containing a nonce value that is too large for the server to handle, which causes the ntpd server to crash.

Race Condition in Linux Kernel

A race condition vulnerability exists in the Linux kernel due to the lack of proper synchronization between the madvise system call and the ptrace system call. This vulnerability allows an attacker to gain access to sensitive information by exploiting the race condition between the two system calls. The attacker can use the madvise system call to modify the memory map of a process, while the ptrace system call can be used to trace the process and gain access to the modified memory map.

Tenda, Dlink & Tplink TD-W8961ND – DHCP XSS Vulnerability

The vulnerability allows remote attackers and local privileged accounts to inject malicious script code on the application side to manipulate the router's DHCP hostnames. Attackers are able to inject malicious code into the current list of DHCP clients in the view by changing a DHCP hostname into a valid XSS payload.

Osticket 1.9.14 and below (X-Forwarded-For) Stored XSS

osTicket is a widely used open source support ticket system. It seamlessly integrates inquiries created via email, phone and web-based forms into a simple, easy-to-use multi-user web interface. Manage, organize and archive all your support requests and responses in one place while providing your customers with the accountability and responsiveness they deserve.

The file `osticket/upload/bootstrap.php` contains this snippet of code (lines 337-340):

```php
if (isset($_SERVER['HTTP_X_FORWARDED_FOR']))
    // Take the left-most item for X-Forwarded-For
    $_SERVER['REMOTE_ADDR'] = trim(array_pop(
        explode(',', $_SERVER['HTTP_X_FORWARDED_FOR'])));
```

The `$_SERVER['REMOTE_ADDR']` value gets overridden with the `X-Forwarded-For` header value. At this point it is not a vulnerability yet, but the file `osticket/upload/include/class.osticket.php` (lines 309-315) contains:

```php
//Save log based on system log level settings.
$sql='INSERT INTO '.SYSLOG_TABLE.' SET created=NOW(), updated=NOW() '
    .',title='.db_input(Format::sanitize($title, true))
    .',log_type='.db_input($loglevel[$level])
    .',log='.db_input(Format::sanitize($message, false))
    .',ip_address='.db_input($_SERVER['REMOTE_ADDR']);
db_query($sql, false);
```

Every time a CSRF attack is detected (by checking the `X_CSRFTOKEN` header or the POST parameter `__CSRFToken__`), osTicket saves the user-controlled value `$_SERVER['REMOTE_ADDR']` into the database, even if it has an invalid format. Finally, the XSS is triggered when a user who can see the system logs, such as an administrator, visits the /scp/logs.php URI. It happens because the `Format::sanitize` function does not filter the `<script>` tag.
