The 'fName' parameter is vulnerable to path traversal, and the affected request can be reached without any authentication. On Windows environments file downloads are performed with SYSTEM privileges, so any file on the filesystem can be downloaded.
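An added Python example (not code from the affected product or the original advisory) contrasting the flawed join-and-serve pattern with a prefix check that keeps a user-supplied fName inside the download root. The root directory, the function names and the sample fName values are assumptions constructed for the example; posixpath is used so the results are identical on every platform.

```python
import posixpath

# Assumption for this example: the only directory the download handler may serve from.
DOWNLOAD_ROOT = "/srv/app/downloads"


def vulnerable_resolve(fname: str) -> str:
    """The flawed pattern: the request parameter is joined to the root with no check.
    '..' segments walk out of the root, and an absolute fname replaces it outright."""
    return posixpath.normpath(posixpath.join(DOWNLOAD_ROOT, fname))


def resolve_inside_root(fname: str):
    """Return the normalised path for fname, or None if it would leave DOWNLOAD_ROOT.

    Backslashes are folded to '/' first so a Windows-style '..\\' traversal is
    normalised like any other; a leading separator is stripped so join() cannot be
    overridden by an absolute path; NUL is rejected because the C-level file API
    would silently truncate the path at it."""
    if "\x00" in fname:
        return None
    relative = fname.replace("\\", "/").lstrip("/")
    candidate = posixpath.normpath(posixpath.join(DOWNLOAD_ROOT, relative))
    # The trailing '/' matters: without it "/srv/app/downloads-old/x" would pass.
    if not candidate.startswith(DOWNLOAD_ROOT + "/"):
        return None
    return candidate


def is_traversal(fname: str) -> bool:
    """True if the parameter would escape the download root (or names the root itself)."""
    return resolve_inside_root(fname) is None


if __name__ == "__main__":
    for sample in ["report.pdf", "../../../etc/passwd", "..\\..\\..\\Windows\\win.ini"]:
        print(f"{sample!r:40} vulnerable -> {vulnerable_resolve(sample)}"
              f"  safe -> {resolve_inside_root(sample)}")
```

normpath only reasons about the string; on a live filesystem the same prefix check should be repeated on os.path.realpath() of the candidate so a symlink inside the root cannot point outside it, and the web framework must have finished URL-decoding before the value reaches this function.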
Avast renders the commonName of X.509 certificates into an HTMLLayout frame when its MITM proxy detects a bad signature. This means a certificate with CN="<h1>really?!?!?</h1>" is rendered as HTML, which is fairly simple to convert into remote code execution.
ElasticSearch before 1.6.1 allows remote attackers to read arbitrary files via unspecified vectors related to snapshot API calls.
ASX to MP3 Converter 1.82.50 is vulnerable to a stack-based buffer overflow. An attacker can exploit this by crafting a malicious ASX file and sending it to the victim. When the victim opens the file, the attacker's code is executed in the context of the application, allowing the attacker to gain control of the victim's system.
The vulnerability exists in the 'Import Settings From File' function of WinRAR. WinRAR saves its settings as a registry file and imports such a file automatically without checking that it only writes to the registry keys WinRAR itself uses, so a specially crafted settings file can overwrite arbitrary registry keys. A meterpreter DLL payload can be specified using a UNC path to an SMB server under the attacker's control; the next time a new process starts, the attacker gets a shell.
This exploit uses the issetugid() function to bypass the sandbox restrictions and executes the rsh command with the libmalloc environment variable pointing at a malicious crontab file. That crontab adds a line to the sudoers file, allowing the attacker to gain root privileges.
PiXORD 3GR-431P 3G Wi-Fi Router is a 3G + GPS + 802.11n (2T2R) wireless router. It supports Internet access via 3G and receives position information from GPS. The 3GR-431P also provides two Ethernet ports for LAN connectivity and an 802.11n Wi-Fi access point for WLAN connectivity. The web application lacks strict input validation and is therefore vulnerable to OS command injection.
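An added Python example (not the router's firmware and not from the original advisory) of the general pattern behind this class of bug: a diagnostics page that passes a user-supplied host to a shell, beside a version that validates the value and runs the command without a shell. The "ping" diagnostic, the function names and the sample inputs are assumptions for the example; the vulnerable variant really runs through /bin/sh so the injected command can be observed.

```python
import ipaddress
import re
import subprocess

# RFC 1123 hostname: labels of letters, digits and hyphens, 253 characters overall.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$"
)


def vulnerable_ping_command(host: str) -> str:
    """The flawed pattern: the request value is spliced into a command line."""
    return f"ping -c 1 {host}"


def run_vulnerable_ping(host: str) -> str:
    """shell=True hands the string to /bin/sh, so ';', '|', '&&' and '$(...)'
    inside `host` are parsed and executed as further commands."""
    proc = subprocess.run(vulnerable_ping_command(host), shell=True,
                          capture_output=True, text=True, timeout=30)
    return proc.stdout


def is_valid_host(host: str) -> bool:
    """Allow-list: an IP literal or a well-formed hostname, nothing else."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return _HOSTNAME_RE.fullmatch(host) is not None


def safe_ping_argv(host: str) -> list:
    """Validated value placed in an argv list: no shell ever parses it, and the
    allow-list also rules out a leading '-' that ping could read as an option."""
    if not is_valid_host(host):
        raise ValueError(f"rejected host: {host!r}")
    return ["ping", "-c", "1", host]


def run_safe_ping(host: str) -> str:
    proc = subprocess.run(safe_ping_argv(host), capture_output=True, text=True, timeout=30)
    return proc.stdout


if __name__ == "__main__":
    payload = "127.0.0.1; echo INJECTED"       # constructed injection string
    print("vulnerable:", run_vulnerable_ping(payload).strip())
    print("safe:", "rejected" if not is_valid_host(payload) else safe_ping_argv(payload))
```

The validation is the part that matters: passing an argv list avoids the shell, but a value such as "-f" or a hostname followed by newline-separated option text can still change what the spawned program does, so the allow-list and the list form belong together.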
The Dinion NBN-498 web interface is vulnerable to XML injection. An attacker can inject malicious XML into the web interface and use it to gain access to the camera's settings and live feed, and to modify settings such as resolution, frame rate and compression.
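An added Python example (not the camera's code and not from the original advisory) showing how XML injection changes the meaning of a document when a request value is pasted into markup as a string, and how building the tree and assigning text instead keeps the value as text. The user/role document, the function names and the payload are assumptions constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

INJECTED_NAME = "guest</user><role>admin</role><user>"   # constructed payload

# Defence in depth: an allow-list for the value, independent of how it is serialised.
_NAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")


def vulnerable_user_xml(name: str, role: str = "viewer") -> str:
    """The flawed pattern: string formatting makes the request value part of the markup."""
    return f"<config><user>{name}</user><role>{role}</role></config>"


def safe_user_xml(name: str, role: str = "viewer") -> str:
    """Build the tree and assign .text; the serializer escapes <, > and & for us."""
    root = ET.Element("config")
    ET.SubElement(root, "user").text = name
    ET.SubElement(root, "role").text = role
    return ET.tostring(root, encoding="unicode")


def is_acceptable_name(name: str) -> bool:
    return _NAME_RE.fullmatch(name) is not None


def effective_role(xml_text: str) -> str:
    """What a consumer of the document sees: the first <role> child of <config>."""
    return ET.fromstring(xml_text).find("role").text


def stored_user(xml_text: str) -> str:
    return ET.fromstring(xml_text).find("user").text


if __name__ == "__main__":
    print("vulnerable:", vulnerable_user_xml(INJECTED_NAME),
          "-> role", effective_role(vulnerable_user_xml(INJECTED_NAME)))
    print("safe:      ", safe_user_xml(INJECTED_NAME),
          "-> role", effective_role(safe_user_xml(INJECTED_NAME)))
```

With the payload above the vulnerable document contains two <role> elements and the first one, the attacker's, wins. Parsing XML that originates from a client is a separate concern: xml.etree does not expand external entities, but for untrusted input defusedxml is the usual choice.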
The setuid root FinderLoadBundle included in older DropboxHelperTools versions for OS X loads dynamically linked shared libraries residing in the same directory as the binary. The directory in which FinderLoadBundle is installed is owned by root, which prevents placing arbitrary files there. Creating a hard link to FinderLoadBundle inside a directory under /tmp circumvents that protection, however, making it possible to load a shared library containing a payload that spawns a root shell.
On the Ubuntu Vivid Linux distribution, apport is used for automated submission of crash dumps from client programs and also of kernel crash dumps. For kernel crashes, upstart or SysV init invokes the program /usr/share/apport/kernel_crashdump at boot to prepare the crash dump files for sending. This action is performed with root privileges. Since the crash dump directory /var/crash/ is world writable and kernel_crashdump accesses files in an unsafe manner, any local user may trigger a denial of service or escalate to root privileges. If symlink and hardlink protection is enabled (which should be the default on any modern system), only denial of service is possible.
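Both the FinderLoadBundle and the apport kernel_crashdump entries above come down to a privileged program trusting a path in a directory an unprivileged user can populate with links. The following added Python example (not apport's or Dropbox's code, and not from either advisory) shows the checks a privileged consumer of such a directory should make: open without following symlinks, fstat the descriptor rather than the name, reject multi-link inodes, and create output files with O_EXCL so a pre-planted link is never followed. The temporary directory, file names and the stand-in "secret" file are constructed for the demonstration; it assumes a POSIX system with O_NOFOLLOW.

```python
import errno
import os
import stat
import tempfile


class UnsafeFileError(Exception):
    """The path in the untrusted directory is not a plain, single-link regular file."""


def open_untrusted_dir_file(path, expected_uid=None):
    """Open `path` for reading the way a privileged consumer of a world-writable
    directory should, then verify the inode that was actually opened."""
    try:
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_NOCTTY)
    except OSError as exc:
        if exc.errno == errno.ELOOP:            # O_NOFOLLOW refused a symlink
            raise UnsafeFileError("symlink") from exc
        raise
    try:
        st = os.fstat(fd)                       # fstat the descriptor: no name-based race
        if not stat.S_ISREG(st.st_mode):
            raise UnsafeFileError("not a regular file")
        if st.st_nlink != 1:                    # a hard link can bind this name to an inode that lives elsewhere
            raise UnsafeFileError("hard link")
        if expected_uid is not None and st.st_uid != expected_uid:
            raise UnsafeFileError("unexpected owner")
    except BaseException:
        os.close(fd)
        raise
    return os.fdopen(fd, "rb")


def create_exclusive(path, mode=0o600):
    """Create a new output file; O_CREAT|O_EXCL fails with EEXIST if anything, a
    symlink included, already sits at `path`, so a planted link is never followed."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW, mode)
    return os.fdopen(fd, "wb")


def classify(path, expected_uid=None):
    try:
        with open_untrusted_dir_file(path, expected_uid):
            return "ok"
    except UnsafeFileError as exc:
        return f"rejected: {exc}"


def demo():
    """Constructed scenario: a world-writable-style directory holding a genuine dump,
    a symlink to a file the attacker wants read or clobbered, and a hard link to it."""
    with tempfile.TemporaryDirectory() as d:
        regular = os.path.join(d, "regular.crash")
        with open(regular, "w") as f:
            f.write("dump\n")
        secret = os.path.join(d, "secret.txt")         # stands in for a root-only file
        with open(secret, "w") as f:
            f.write("root-only\n")
        sym = os.path.join(d, "sym.crash")
        os.symlink(secret, sym)
        hard = os.path.join(d, "hard.crash")
        os.link(secret, hard)

        results = {
            "regular": classify(regular, os.getuid()),
            "symlink": classify(sym, os.getuid()),
            "hardlink": classify(hard, os.getuid()),
        }
        with open(sym) as f:                           # the naive pattern follows the link
            results["naive_open_follows_symlink"] = f.read() == "root-only\n"
        try:
            with create_exclusive(sym):
                results["exclusive_create_over_symlink"] = "clobbered"
        except FileExistsError:
            results["exclusive_create_over_symlink"] = "refused"
        return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:32} {value}")
```

The st_nlink check is what the kernel's protected_hardlinks sysctl mentioned above makes unnecessary for the apport case, and the ownership check is the one a setuid helper like FinderLoadBundle would need on the directory it loads from, since a hard link to the binary gives it a caller-chosen directory.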