NetDrive installs a service with an unquoted service path that runs with SYSTEM privileges. This could allow an authorized but non-privileged local user to execute arbitrary code with elevated privileges on the system.
There is a crash when the AVC decoder attempts to free memory, likely indicating memory corruption.
The attached fuzz file causes memory corruption when decompressing embedded video content.
When a process maps memory through sys_mmap_pgoff(), vm_mmap_pgoff() is called; it first performs the LSM check by calling security_mmap_file() and then calls do_mmap_pgoff(), which does the actual mapping and does not repeat that check. The syscall handler for io_setup() calls ioctx_alloc(), which calls aio_setup_ring(), which allocates the ring via do_mmap_pgoff() directly, i.e. the path without the security check. aio_setup_ring() requests only PROT_READ | PROT_WRITE; however, if the process has previously called personality(READ_IMPLIES_EXEC), the resulting mapping is both writable and executable, bypassing the SELinux restriction that security_mmap_file() would otherwise have enforced.
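To check whether a given kernel still takes the unchecked do_mmap_pgoff() path from aio_setup_ring(), a process can do exactly what the paragraph describes and inspect the result: set READ_IMPLIES_EXEC, call io_setup(), and read the ring's permission bits back from /proc/self/maps. The Python below is an added example, not part of the original report. It assumes Linux on x86_64 or aarch64 (the io_setup/io_destroy numbers in SYSCALLS), glibc's personality() wrapper, and a kernel that names the ring [aio] in /proc/self/maps (older kernels show it as an anonymous mapping, which this check cannot single out and reports as untested); anywhere those do not hold, or where io_setup() is refused, it reports "untested" instead of guessing.

```python
import ctypes
import platform
import sys

READ_IMPLIES_EXEC = 0x0400000   # from <sys/personality.h>
PER_QUERY = 0xFFFFFFFF          # personality(0xffffffff) only reads the value

# (io_setup, io_destroy) syscall numbers; assumption: only these two arches
SYSCALLS = {"x86_64": (206, 207), "aarch64": (0, 1)}


def aio_ring_perms(maps_text):
    """Permission column ('rw-p', 'rwxp', ...) of the first [aio] mapping in
    /proc/self/maps-style text, or None if no such mapping is listed.
    The kernel lists the ring as '/[aio] (deleted)' in the pathname column."""
    for line in maps_text.splitlines():
        fields = line.split()
        if len(fields) >= 6 and "[aio]" in fields[5]:
            return fields[1]
    return None


def probe_aio_ring():
    """Turn on READ_IMPLIES_EXEC, create one aio context, read the ring's
    permissions, then restore the personality and destroy the context.
    Returns the perms string, or None when the probe could not run."""
    if sys.platform != "linux" or platform.machine() not in SYSCALLS:
        return None
    nr_setup, nr_destroy = SYSCALLS[platform.machine()]
    try:
        libc = ctypes.CDLL(None, use_errno=True)
        old = libc.personality(PER_QUERY)
        if old == -1:
            return None
        libc.personality(old | READ_IMPLIES_EXEC)
        try:
            ctx = ctypes.c_ulong(0)
            # io_setup(nr_events=1, &ctx); failure (EAGAIN, ENOSYS, seccomp)
            # means we simply cannot test on this system
            if libc.syscall(nr_setup, 1, ctypes.byref(ctx)) != 0:
                return None
            try:
                with open("/proc/self/maps") as maps:
                    return aio_ring_perms(maps.read())
            finally:
                libc.syscall(nr_destroy, ctx)
        finally:
            libc.personality(old)
    except OSError:
        return None


def verdict(perms):
    """Human-readable conclusion from the permission string."""
    if perms is None:
        return "untested: probe could not run on this system"
    if "w" in perms and "x" in perms:
        return "VULNERABLE: aio ring mapped %s (W+X despite the LSM check)" % perms
    return "ok: aio ring mapped %s" % perms


if __name__ == "__main__":
    print(verdict(probe_aio_ring()))
```

A fixed kernel reports the ring as rw-p even with READ_IMPLIES_EXEC set, because the mapping now goes through the path that runs security_mmap_file(); a vulnerable one reports rwxp. The personality is restored afterwards so the rest of the process is not left with exec-implied mappings.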
Two separate unquoted service path privilege escalation issues have been discovered. The first is in Wise Care 365 4.27, which installs a vulnerable service named WiseBootAssistant. The second arises when Wise Disk Cleaner 9.29 installs SpyHunter 4. Both services run with SYSTEM privileges, which could allow an authorized but non-privileged local user to execute arbitrary code with elevated privileges on the system.
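The weakness in the NetDrive and Wise entries above comes down to how Windows resolves an unquoted ImagePath that contains spaces: CreateProcess tries successively longer space-delimited prefixes, appending .exe where the prefix has no extension, so any of those locations an attacker can write to gets run as the service account. The following Python is an added example, not code from either vendor or advisory: it enumerates those locations for a set of ImagePath values. The service names and paths in SAMPLE_SERVICES are constructed, since the page does not give the real install paths; on a live host you would feed it the ImagePath values from HKLM\SYSTEM\CurrentControlSet\Services and then check each listed directory's ACL (for example with icacls).

```python
import ntpath

# Constructed sample of what the Services registry key might hold
# (hypothetical values; the real NetDrive/Wise paths are not on the page).
SAMPLE_SERVICES = {
    "WiseBootAssistant": r"C:\Program Files\Wise Care 365\BootAssistant.exe -svc",
    "NetDriveService": r"C:\Program Files (x86)\NetDrive\nd_svc.exe",
    "Spooler": r"C:\Windows\System32\spoolsv.exe",
    "GoodQuoting": r'"C:\Program Files\Vendor App\agent.exe" /service',
}


def binary_tokens(image_path):
    """Split an unquoted ImagePath on whitespace and return the tokens up to
    and including the one that names the executable (first token ending in
    .exe).  Returns None for a quoted path, which needs no guessing."""
    path = image_path.strip()
    if path.startswith('"'):
        return None
    tokens = path.split()
    for i, tok in enumerate(tokens):
        if tok.lower().endswith(".exe"):
            return tokens[: i + 1]
    return tokens  # no .exe token: Windows would keep extending, so do we


def hijack_candidates(image_path):
    """Files CreateProcess would try *before* reaching the real binary.

    Each prefix of the space-separated path is a candidate; when the prefix's
    last component has no extension, Windows appends .exe to it."""
    tokens = binary_tokens(image_path)
    if not tokens or len(tokens) == 1:
        return []
    candidates = []
    for n in range(1, len(tokens)):
        prefix = " ".join(tokens[:n])
        if "." not in ntpath.basename(prefix):
            prefix += ".exe"
        candidates.append(prefix)
    return candidates


def audit_services(services):
    """Map service name -> [(directory the attacker must write to, file to plant)]
    for every service whose ImagePath is exploitable."""
    findings = {}
    for name, image_path in services.items():
        cands = hijack_candidates(image_path)
        if cands:
            findings[name] = [(ntpath.dirname(c), c) for c in cands]
    return findings


if __name__ == "__main__":
    for svc, spots in audit_services(SAMPLE_SERVICES).items():
        print(svc)
        for directory, planted in spots:
            print("  write access to %r lets you plant %r" % (directory, planted))
```

Only the candidates whose directory is writable by a non-privileged user matter; C:\ and C:\Program Files are normally not, which is why real exploitation usually hinges on a vendor directory with weak permissions somewhere along the path.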
A SQL injection vulnerability exists in Matrimonial Website Script v1.0.2, which allows an attacker to execute arbitrary SQL commands via the 'id' parameter in the 'viewfullprofile1.php' script. An attacker can leverage this vulnerability to gain access to sensitive information stored in the database, such as usernames and passwords. The vulnerability can be exploited by sending a specially crafted HTTP request containing malicious SQL commands to the vulnerable script.
This module exploits the 'diagnostic console' feature in the Metasploit Web UI to obtain a reverse shell. The diagnostic console can be enabled or disabled by an administrator on Metasploit Pro, and by any authenticated user on Metasploit Express and Metasploit Community. When enabled, the diagnostic console provides access to msfconsole via the web interface, and an authenticated user can then use that console to execute shell commands.
The Kerio Control web administration interface is accessible without authentication. This allows an attacker to gain full control over the system. The SSH, telnet and FTP services are also accessible without authentication.
This bug was found in the portal at the index.php page. To exploit the vulnerability, the attacker only needs to use version 1.0 of the HTTP protocol when interacting with the application. SQL code can be injected via the 'index.php' page at '/exponent/index.php'.
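Both the Matrimonial Website Script entry (the 'id' parameter of viewfullprofile1.php) and the Exponent entry above are the same class of bug: a request parameter is pasted into SQL text. The Python below reproduces the 'id' case against an in-memory SQLite database and shows the parameterised fix beside it. It is an added example, not code from either application; the schema, table names, rows and the PAYLOAD string are constructed for illustration, and the real applications' queries are not shown on the page.

```python
import sqlite3


def build_db():
    """Constructed schema: a public profiles table and a users table that
    the profile page was never meant to expose."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE profiles(id INTEGER PRIMARY KEY, name TEXT, city TEXT);
        CREATE TABLE users(id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO profiles VALUES (1, 'Asha', 'Pune'), (2, 'Ravi', 'Delhi');
        INSERT INTO users VALUES
            (1, 'admin', '5f4dcc3b5aa765d61d8327deb882cf99'),
            (2, 'alice', 'e10adc3949ba59abbe56e057f20f883e');
    """)
    return db


def view_profile_vulnerable(db, id_param):
    """Mirrors a PHP pattern such as "... WHERE id=" . $_GET['id'] with no
    casting or quoting: the parameter becomes part of the statement."""
    sql = "SELECT name, city FROM profiles WHERE id=" + id_param
    return db.execute(sql).fetchall()


def view_profile_fixed(db, id_param):
    """Bound parameter: the value is data and cannot change the query shape.
    (Casting id to int before the query is a good second line of defence.)"""
    return db.execute(
        "SELECT name, city FROM profiles WHERE id=?", (id_param,)
    ).fetchall()


# Constructed attacker value for ?id=: two columns, to match the SELECT it
# is grafted onto, so the UNION appends users.username/password to the result.
PAYLOAD = "1 UNION SELECT username, password FROM users"


if __name__ == "__main__":
    db = build_db()
    print("vulnerable:", view_profile_vulnerable(db, PAYLOAD))
    print("fixed:     ", view_profile_fixed(db, PAYLOAD))
```

With the vulnerable query the page returns Asha's profile plus every username/password hash from users; with the bound parameter the same input matches no row, because '1 UNION SELECT ...' is compared as a value against the integer id column rather than parsed as SQL.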
A malicious SFTP server may force a client-side relative path traversal in jsch's implementation of recursive sftp-get, allowing the server to write files outside the client's download basedir with the effective permissions of the jsch SFTP client process.
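In a recursive get the names in each directory listing come from the server, so a hostile server can return an entry such as ../../.ssh/authorized_keys and an unguarded client will happily create it relative to its basedir. The Python below is an added example of the client-side guard such a downloader needs; it is not jsch's code (jsch is Java) and does not claim to mirror jsch's fix. The directory listing in MALICIOUS_LISTING is constructed, and safe_local_target is the hypothetical check applied before each write.

```python
import os
import posixpath

# Constructed server listing: remote dir -> [(entry name, is_directory)].
# A well-behaved server never returns names with separators or '..'.
MALICIOUS_LISTING = {
    ".": [("docs", True), ("readme.txt", False),
          ("../../.ssh/authorized_keys", False)],
    "docs": [("a.txt", False), ("../../../etc/cron.d/evil", False),
             ("/etc/passwd", False)],
}


def safe_local_target(basedir, remote_rel_name):
    """Map a server-supplied relative name onto basedir, raising ValueError
    for anything that could land outside it.  Returns the local path."""
    base = os.path.realpath(basedir)
    # Remote names are POSIX; refuse absolute names outright and refuse
    # backslashes so a Windows client cannot be steered with '..\\'.
    if posixpath.isabs(remote_rel_name) or "\\" in remote_rel_name:
        raise ValueError("absolute or backslash name: %r" % remote_rel_name)
    parts = [p for p in remote_rel_name.split("/") if p not in ("", ".")]
    if not parts or ".." in parts:
        raise ValueError("empty or traversing name: %r" % remote_rel_name)
    target = os.path.realpath(os.path.join(base, *parts))
    # Belt and braces: the resolved path must still sit under basedir.
    if os.path.commonpath([base, target]) != base:
        raise ValueError("escapes basedir: %r" % remote_rel_name)
    return target


def plan_recursive_get(basedir, listing, remote_dir="."):
    """Walk the listing the way a recursive get would and return
    (local paths that would be written, remote names that were refused)."""
    accepted, rejected = [], []
    for name, is_dir in listing.get(remote_dir, []):
        rel = name if remote_dir == "." else posixpath.join(remote_dir, name)
        try:
            local = safe_local_target(basedir, rel)
        except ValueError:
            rejected.append(rel)
            continue
        if is_dir:
            sub_ok, sub_bad = plan_recursive_get(basedir, listing, rel)
            accepted += sub_ok
            rejected += sub_bad
        else:
            accepted.append(local)
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = plan_recursive_get("downloads", MALICIOUS_LISTING)
    print("would write:", ok)
    print("refused:    ", bad)
```

The two checks are deliberately redundant: rejecting '..' and absolute names up front catches the obvious cases before any path arithmetic, and the realpath/commonpath comparison catches anything the component filter missed (for example a symlink already present under basedir). Note that posixpath.join discards the directory prefix when an entry is absolute, which is why "/etc/passwd" is reported as refused under that exact name.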