This exploit causes a denial of service on Windows 7 and Windows Server 2008 R2. On Windows 7, the software refuses connections after execution. On Windows Server 2008 R2, it causes 100% CPU usage and an occasional server crash when 1 core is assigned. The exploit is executed by sending 5000 connection requests to the host address on port 5650.
When wget is used in recursive/mirroring mode, according to the manual it accepts the following access list options: 'Recursive Accept/Reject Options: -A acclist --accept acclist -R rejlist --reject rejlist'. It was, however, discovered that when a single file is requested with wget, the access list restrictions are not properly enforced. An attacker can exploit this to place malicious files onto the target system even if the -A or -R parameters are used. The vulnerability is caused by a race condition between the time when wget checks the access list and the time when the file is actually created.
From the vendor's web page: 'UCanCode Software is a Market Leading provider of HMI & SCADA, CAD, UML, GIS, Vector Graphics and Real Time Data Visualization Graphics Source Code Kits for C/C++ and .NET software developers in more than 40 countries around the world!' After installation, the following ActiveX controls can be found: ProgID: UCCVIEWER.UCCViewerCtrl.1 CLSID: {3B7B3C36-8515-4E15-BC46-D1BEBA2F360C}; ProgID: UCCDRAW.UCCDrawCtrl.1 CLSID: {4B5BEE59-EDD2-4082-A9F7-D65E1CA20FA7}; ProgID: TKDRAWCAD.TKDrawCADCtrl.1 CLSID: {9022B790-B810-45B4-80BC-2D94EEC5343C}; ProgID: UCCPRINT.UCCPrintCtrl.1 CLSID: {A4FCBD44-6BF5-405C-9598-C8E8ADCE4488}; ProgID: UCCDIAGRAM.UCCDiagramCtrl.1 CLSID: {B6A3BF2C-F770-4182-BE7F-103BF2C76826}; ProgID: UCCUML.UCCUMLCtrl.1 CLSID: {C1F0EE85-363F-483D-97D0-87E2A537BFBA}; ProgID: UCCHMI.UCCHMICtrl.1 CLSID: {EDBBC1DC-58B2-4404-85FD-F9B1C05D96EF}; ProgID: UCCSIMPLE.UCCSIMPLECtrl.1 CLSID: {EF3AAE34-E60A-11E1-9656-00FF8A2F9C5B}
The inode is a data structure in a Unix-style file system that describes a filesystem object such as a file or a directory. Each inode stores the attributes and disk block locations of the object's data. Filesystem object attributes may include metadata as well as owner and permission data. The inode can be overflowed by mapping a single file too many times, which could allow a local user to gain root access.
The application offers the functionality to import Doxygen documentation via a file upload to make it available in a Confluence page, but it does not properly validate the format or contents of the uploaded Doxygen file. Since the uploaded file is a zip archive, it is possible to store any type of file in it, such as an HTML file containing arbitrary script. In DoxygenFileServle.java, the renderContent() method is used to render the content of the uploaded file. The fileContent variable is written to the response without any validation or encoding, which allows an attacker to inject arbitrary script code into the response. The vulnerability is persistent and requires an authenticated user with the permission to upload Doxygen files.
It is possible for an attacker to perform a DoS attack (for example, an XML entity expansion attack) or an SMB relay attack. An SMB relay attack is a type of man-in-the-middle attack in which the attacker causes a victim to authenticate to a machine controlled by the attacker, then relays the credentials to the target. The attacker forwards the authentication information in both directions, gaining access.
A specially crafted web-page can cause an unknown type of memory corruption in Microsoft Internet Explorer 8. This vulnerability can cause the Ptls5::LsFindSpanVisualBoundaries method (or other methods called by it) to access arbitrary memory.
Vulnerabilities were found in the implementation of this protocol that could lead to remote code execution and information leakage (credential acquisition). If version 1 is selected when communicating with the TDDP service, no authentication is in place. Additionally, if the message handler accepts the 'Get configuration' message type, an attacker can retrieve the device configuration. If version 2 is selected when communicating with the TDDP service, the message handler accepts the 'Set configuration' message type, which allows an attacker to set the device configuration. The message handler does not check the size of the input, allowing an attacker to send a specially crafted message that causes a buffer overflow.
The Crestron AirMedia AM-100 with firmware versions v1.1.1.11 - v1.2.1 is vulnerable to multiple issues. GET request: http://[AM-100-ADDRESS]/cgi-bin/login.cgi?lang=en&src=../../../../../../../../../../../../../../../../../../../../etc/shadow. The AM-100 has a hardcoded default credential of rdtool::mistral5885. This interface contains the ability to upload arbitrary files (RD upload) and can enable a telnet server that runs on port 5885 (RD Debug mode). The default root password for these devices is root::awind5885. Valid login sessions for the default (non-debugging) management interface are stored on the filesystem as session01, session02, etc. Cleartext credentials can be read directly from these files.
The EasyPHP Devserver dashboard runs on port 1111. Its PHP code contains multiple RCE vectors that allow remote attackers to execute arbitrary OS commands on the target system if a user visits a malicious web page or link. The "index.php" and "explorer.php" files both contain vulnerable code that processes both GET and POST RCE requests. Remote file inclusion (RFI) is also possible if the "allow_url_include=0" setting in the "php.ini" configuration is changed.