
Explore Vulnerabilities


Explore all Exploits:

Windows Kerberos Security Feature Bypass

This exploit allows an attacker to gain access to a system with BitLocker enabled without a PIN or USB key, and with Password Caching enabled, by obtaining physical access to the system and learning the FQDN of the device. The attacker then creates an Active Directory domain containing a user with a name similar to the previously logged-in user, and a Computer Object with the same name as the target system. The ServicePrincipalName of the Computer Object is then changed to the FQDN of the target system. The attacker then establishes a network connection between the target system and the newly created Domain Controller, and logs in with the password defined for the user created in the Active Directory. The target system displays a change-password screen, and the attacker sets a new password and confirms it. The attacker then disconnects the target system's network connection and logs in with the newly changed password.

Path Traversal in Oracle GlassFish Server Open Source Edition

The authenticated Directory Traversal vulnerability can be exploited by issuing a specially crafted HTTP GET request that uses a simple URL-encoding bypass: %C0%2F in place of the forward slash (/).

File Replication Pro Remote Command Execution

Vantage Point has discovered multiple vulnerabilities in FRP v7.2.0 (and possibly prior versions) that allow a remote, unauthenticated attacker to run arbitrary code with SYSTEM privileges. The backup agent implements an RPC service on port 9200 that supports various calls, including a function called "ExecCommand" that, unsurprisingly, executes shell commands on the system. A password hash is used to authenticate calls on this interface (note that the hash itself, not the password, is used for authentication). This hash can be obtained via the remote file disclosure vulnerability present in the software (listed below) and used to authenticate to the RPC service, after which arbitrary commands are executed as the SYSTEM user.

Wieland wieplan 4.1 Document Parsing Java Code Execution Using XMLDecoder

wieplan suffers from arbitrary Java code execution when parsing WIE documents, which it loads with XMLDecoder, allowing system access to the affected machine. The software is used to generate custom specification orders saved as .wie XML files, which have to be sent to the vendor's offices to be processed.

D-Link DCS-930L Authenticated Remote Command Execution

The D-Link DCS-930L Network Video Camera is vulnerable to OS Command Injection via the web interface. The vulnerability exists at /setSystemCommand, which is accessible with credentials. This vulnerability was present in firmware version 2.01 and fixed by 2.12.

Apache Sling Framework v2.3.6 (Adobe AEM) [CVE-2016-0956] – Information Disclosure Vulnerability

The vulnerability allows a remote attacker to disclose sensitive information on the application side of the vulnerable module. The vulnerability is located in the `SlingPostServlet` class of the Apache Sling Framework v2.3.6. Remote attackers are able to inject their own malicious script code into the vulnerable `SlingPostServlet` class to disclose the sensitive information. The request method used for the injection is POST, and the attack vector is located on the application side.

Proof-of-concept BSoD (Blue Screen of Death) code for CVE-2016-0051 (MS16-016)

This exploit is proof-of-concept BSoD (Blue Screen of Death) code for CVE-2016-0051 (MS16-016). It is an elevation of privilege (SYSTEM) exploit for CVE-2016-0051 (MS16-016) on Windows 7 SP1 x86 (build 7601). It was created by Tamás Koczka (@koczkatamas - https://twitter.com/koczkatamas).

Adobe Photoshop CC & Bridge CC IFF file parsing memory corruption

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Photoshop CC & Bridge CC. User interaction is required to exploit this vulnerability, in that the target must open a malicious file. By providing a malformed IFF file, an attacker can cause a heap memory corruption. An attacker could leverage this to execute arbitrary code in the context of the application.

Adobe Photoshop CC & Bridge CC PNG file parsing memory corruption

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Photoshop CC & Bridge CC. User interaction is required to exploit this vulnerability, in that the target must open a malicious file. By providing a malformed PNG file with an invalid uint32 CRC checksum, an attacker can cause a heap memory corruption. An attacker could leverage this to execute arbitrary code in the context of the application.
