Nibbleblog contains a flaw that allows a authenticated remote attacker to execute arbitrary PHP code. This module was tested on version 4.0.3.
This exploit is related to a stack overflow vulnerability in the libvlccore library of VLC media player. The exploit is triggered when a specially crafted MP3 file is loaded into the player. The exploit causes a stack overflow which can be used to execute arbitrary code.
This module exploits an authenticated file upload vulnerability in Wordpress plugin ajax-load-more versions < 2.8.2. Valid wordpress credentials are required for the exploit to work. Tested with version v2.7.3. (May work on older versions).
ZHONE RGW is vulnerable to stack-based buffer overflow attacks due to the use of unsafe string functions without sufficient input validation in the httpd binary. Two exploitable conditions were discovered when requesting a large (7000) character filename ending in .cgi, .tst, .html, .cmd, .conf, .txt and .wl, in GET or POST requests. Vantage Point has developed working code execution exploits for these issues.
Windows 10 has added some new mitigations to block the creation or change the behaviour of certain symbolic links when issued by a low integrity/sandboxed process. The presumed aim to to make it harder to abuse these types of tricks to break out of a sandbox. In earlier builds on Windows 10 NTFS Mount Reparse Points were blocked outright from a sandboxed process, however in 10240 (what can only be assumed a final build) the check was moved to the kernel in IopXXXControlFile and changed slightly so that sandboxed processes could create some mount points. The check is roughly: if (RtlIsSandboxedProcess()) { if(ControlCode == FSCTL_SET_MOUNT_POINT) { if (FsRtlValidateReparsePointBuffer(buffer) && buffer->ReparseTag == TAG_MOUNT_POINT) { NTSTATUS status = ZwOpenFile(..., buffer->ReparseTarget, FILE_GENERIC_WRITE, ... , FILE_DIRECTORY_FILE); if (!NT_SUCCESS(status)) { return status; } } } The kernel is therefore checking that the target of the mount point is a directory and that the current process has write access to the directory. This would sufficiently limit the ability of a sandboxed process to abuse this to write files at a higher privilege. Unfortunately there’s a perhaps unexpected problem with this check, the sandboxed process can redirect the ZwOpenFile call arbitrarily to something it can open for write, yet the original value is set as the mount point. This is because the file open check is being made inside the process which is doing the call which means it honours the user’s device mapping. While this is a sandbox escape, it’s not a particularly useful one as the sandboxed process still has to have write access to the target directory.
This exploit is used to bypass the noexec restriction on Linux systems running version 3.17 or higher. It uses python ctypes and memfd_create to execute a file that would otherwise be blocked by the noexec restriction.
The device comes configured with privileged, backdoor account. For HTTP, 'guest' with attribute <V N="BACKDOOR" V="0x1"/>, is the backdoor account. This is seen in the config file: <chain N="USERNAME_PASSWORD"> <V N="FLAG" V="0x0"/> <V N="USERNAME" V="guest"/> <V N="PASSWORD" V="XXXXairocon"/> <V N="BACKDOOR" V="0x1"/> <V N="PRIORITY" V="0x1"/> </chain> For FTP, 'useradmin' with attribute <V N="USERRIGHT" V="0x2"/>, is the backdoor account. This is seen in the config file: <chain N="FTP_SERVER"> <V N="ENABLE" V="0x1"/> <V N="USERNAME" V="useradmin"/> <V N="PASSWORD" V="useradmin"/> <V N="PORT" V="0x15"/> <V N="USERRIGHT" V="0x2"/> <V N="INSTNUM" V="0x2"/> </chain>
The device comes configured with privileged, backdoor account. For HTTP, 'guest' with attribute <V N="BACKDOOR" V="0x1"/>, is the backdoor account. This is seen in the config file: <chain N="USERNAME_PASSWORD"> <V N="FLAG" V="0x0"/> <V N="USERNAME" V="guest"/> <V N="PASSWORD" V="XXXXairocon"/> <V N="BACKDOOR" V="0x1"/> <V N="PRIORITY" V="0x1"/> </chain> For FTP, 'useradmin' is the backdoor account. This is seen in the config file: <chain N="FTP_SERVER"> <V N="ENABLE" V="0x1"/> <V N="USERNAME" V="useradmin"/> <V N="PASSWORD" V="useradmin"/> <V N="PORT" V="0x15"/> <V N="USERRIGHT" V="0x2"/> <V N="INSTNUM" V="0x2"/> </chain>
A malicious .aiff file causes a buffer overflow vulnerability in Boxoft WAV to MP3 Converter 1.1. The exploit code contains a shellcode that executes calc.exe when the file is opened.
The diagnostic ping function's PingIPAddr parameter in the ZyXEL PMG5318-B20A, firmware version V100AANC0b5, does not properly validate user input. An attacker can execute arbitrary commands as root.
Services By CQR