The SIGSEGV crash due to an invalid memory read can be observed in an ASAN build of Wireshark (current git master), by feeding a malformed file to tshark. The crash was reported at https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12352. Attached are three files which trigger the crash.
AjaxExplorer has a command terminal feature that lets users move, copy, and delete files, and also lets a user save commands in a flat file named 'terminal' under their user profile '/ae.user/owner/myprofile'. An attacker can exploit the application by first creating an .htaccess file with an 'allow from all' directive to bypass access restrictions, then creating arbitrary PHP files for remote command execution. This exploit requires two consecutive HTTP requests, so the attacker needs to target an iframe to stay on the same page until the exploit completes.
An access violation vulnerability exists in tcpdump version 4.5.1. The vulnerability is triggered when a specially crafted packet is sent to the application. This can result in a denial of service condition.
ProcessMaker v3.0.1.7 is affected by multiple vulnerabilities: reflected XSS, stored XSS, and two CSRF issues. One of the CSRF vulnerabilities is in the Designer project creation process and can be exploited by a forged request that forces an authenticated user with designer project creation rights to create a new Designer project.
AirOS NanoStation M2 v5.6-beta is vulnerable to arbitrary file download and remote command execution. Valid credentials are required to exploit this vulnerability; the default factory username/password combination (ubnt:ubnt) is used on most of the devices. The vulnerability is present in the /usr/www/scr.cgi file, which allows attackers to download arbitrary files and execute remote commands. The PoC for arbitrary file download is GET http://x.x.x.x/scr.cgi?fname=../../../../../etc/passwd%00&status= and the PoC for remote command execution is GET http://x.x.x.x/scr.cgi?fname=rc.poststart.sh;cat%20/etc/hosts%00&status=.
The vulnerability is caused by improper verification of files uploaded via the Uploader script using the 'upload[]' POST parameter, which allows arbitrary files to be uploaded to the '/fp-content/attachs' directory. The application interface allows users to perform certain actions via HTTP requests without any validity checks on those requests. This can be exploited to perform actions with administrative privileges if a logged-in user visits a malicious web site, resulting in execution of arbitrary PHP code: a malicious PHP script is uploaded and then used to execute system commands.
An attacker can exploit a SQL injection vulnerability in the contact_view.php script of the real-estate classified script. By sending a specially crafted request, an attacker can execute arbitrary SQL commands on the underlying database. The vulnerable parameter is contact. The exploit code is provided in the text.
Property Agent RealeState Script is prone to an SQL injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. An attacker can exploit this vulnerability to manipulate SQL queries by injecting arbitrary SQL code. This may allow the attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database implementation.
Graphite2 is a rendering engine for OpenType fonts which is used by many applications. A heap-buffer-overflow vulnerability was discovered in the Graphite2 NameTable::getName method. This vulnerability can be triggered by running the gr2FontTest utility with the -demand -cache /path/to/file command. This vulnerability can lead to arbitrary code execution.
The crash due to a heap-based buffer overread can be observed in an ASAN build of the standard Graphite2 gr2FontTest utility (git trunk), triggered with the command: $ ./gr2fonttest /path/to/file -auto. The faulting read is at address 0x60e00000dff1, which is located 0 bytes to the right of a 145-byte region allocated by thread T0; AddressSanitizer reports this access as a heap-based buffer overread.