Explore Vulnerabilities

Explore all Exploits:

Glassfish Server – Unquoted Service Path Privilege Escalation

Glassfish Server installs a service with an unquoted service path running with SYSTEM privileges. This could potentially allow an authorized but non-privileged local user to execute arbitrary code with elevated privileges on the system. A successful attempt would require the local user to be able to insert their code in the system path undetected by the OS or other security applications, where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.

Symantec Messaging Gateway <= 10.6.1 Directory Traversal

A charting component in the Symantec Messaging Gateway control center does not properly sanitize user input submitted for charting requests. This could potentially result in an authorized but less privileged user gaining access to paths outside the authorized directory, and thus read access to some files/directories on the server for which the user is not authorized. The problem lies in the package kavachart-kcServlet-5.3.2.jar, file com/ve/kavachart/servlet/ChartStream.java, where the vulnerable code takes the parameter 'sn' and writes it to a string variable without any sanitization against directory traversal, which allows a directory traversal attack.

Android Stagefright MP4 tx3g Integer Overflow

This module exploits an integer overflow vulnerability in the Stagefright library (libstagefright.so). The vulnerability occurs when parsing specially crafted MP4 files. While a wide variety of remote attack vectors exist, this particular exploit is designed to work within an HTML5-compliant browser. Exploitation is done by supplying a specially crafted MP4 file with two tx3g atoms that, when their sizes are summed, cause an integer overflow when processing the second atom. As a result, a temporary buffer is allocated with insufficient size and a memcpy call leads to a heap overflow. This version of the exploit uses a two-stage information leak based on corrupting the MetaData that the browser reads from mediaserver. This method is based on a technique published in NorthBit's Metaphor paper. First, we use a variant of their technique to read the address of a heap buffer located adjacent to a SampleIterator object as the video HTML element's videoHeight. Next, we read the vtable pointer from an empty Vector within the SampleIterator object using the video element's duration. This gives us a code address that we can use to determine the base address of libstagefright and construct a ROP chain dynamically.

Freepbx < 13.0.188, Remote root exploit

Freepbx 13.x is vulnerable to remote command execution due to insufficient sanitization of the user input fields language and destination, and also due to the lack of proper authentication checking. The ext value can be manipulated by the attacker to change the output file path, and the language value can be manipulated by the attacker to load malicious contents.

TP-Link Archer CR-700 XSS vulnerability

Exploiting TP-Link Archer CR-700 Router. On a Linux machine, the user can comment out the line 'send host-name = gethostname();' and change the gethostname() function to an XSS script like '<script>alert(5)</script>'. Then, the user can send a DHCP request to the router to receive an IP address with the command 'dhclient -v -i wlan0'. On logging in, the XSS script executes. Additionally, the router does not have a CSRF token, so the cookie set by the router can be stolen using an XSS script.

Iperius Remote 1.7.0 Unquoted Service Path Elevation of Privilege

Iperius Remote allows the user to install the application as a service with an unquoted service path running with SYSTEM privileges. It is important to note that the application installs itself as a service in the same location the setup file is run from. Provided that the end user initiates the installation from a directory with spaces in its path, this could allow an authorized but non-privileged local user to execute arbitrary code with elevated privileges on the system.

MSI NTIOLib.sys, WinIO.sys local privilege escalation

NTIOLib.sys is installed with a few different MSI utilities that are part of the software package for MSI motherboards and graphics cards. WinIO.sys is a completely different driver and is installed with the Dragon Gaming Center application, which is part of the software package for MSI notebooks. Since both drivers expose physical memory access to unprivileged users, I decided to put them into one report. NTIOLib functionality exposed through IOCTLs: read/write physical memory (using MmMapIoSpace), read/write MSR registers (using rdmsr/wrmsr opcodes), read PMC register (using rdpmc opcode), in/out port operations, HalGetBusDataByOffset / HalSetBusDataByOffset. WinIO functionality exposed through IOCTLs: read/write physical memory (ZwMapViewOfSection of "\Device\PhysicalMemory"), in/out port operations. RTCore functionality exposed through IOCTLs: read/write physical memory (ZwMapViewOfSection of "\Device\PhysicalMemory"), read/write MSR registers (using rdmsr/wrmsr opcodes).

Elantech Smart-Pad Unquoted Service Path Privilege Escalation

The Elantech Smart-Pad service lacks quotes in its file path, making it a potential vector for a privilege escalation attack. To exploit this vulnerability, a local attacker must place an executable file in the path of the service. Upon service restart or system reboot, the malicious code will run with elevated privileges.
