This exploit is proof-of-concept code for a vulnerability in the Linux kernel: a refcount overflow/use-after-free vulnerability in keyrings that allows an attacker to gain root privileges on the system. The exploit is written in C and uses the keyutils library. It takes a keyring name as an argument and creates a keyring with that name. It then sets the permissions of the keyring to allow all users to access it, sets the timeout of the keyring to a large value, and assumes authority over the keyring. It then invalidates the keyring and waits for the child process to finish. The child process creates a message queue and sends a message to it. It then sets the request-key keyring to 1 and sets the timeout of the keyring to a large value. It then assumes authority over the keyring and calls the userspace_revoke function, which calls commit_creds and prepare_kernel_cred to gain root privileges.
A heap memory corruption occurs when PDF-XChange Viewer handles an invalid Shading Type 7 stream. An attacker can leverage this vulnerability to potentially execute arbitrary code on vulnerable installations of PDF-XChange Viewer.
Irving Aguilar discovered a buffer overflow vulnerability in CesarFTP 0.99g. By sending a specially crafted XCWD command with 667 newline characters followed by 20 NOPs, a remote attacker can cause a denial of service condition on the vulnerable server.
SeaWell Networks Spectrum is a "Multiscreen 2.0" Session Delivery Controller. It is high-performance, carrier-grade software that takes ABR video and repackages it on the fly into any other protocol, including Apple HLS, Adobe HDS, Microsoft Smooth Streaming and MPEG-DASH. Weak default login credentials (admin / admin) were discovered. The configure_manage.php module accepts a file parameter that takes an unrestricted file path as input, allowing an attacker (a non-admin, low-privileged user) to read arbitrary files on the system. A low-privileged, non-admin user with only viewer privileges can perform administrative functions, such as creating, updating or deleting a user (including the admin user), or accessing the device's configuration files (policy.xml, cookie_config.xml, systemCfg.xml). The application lacks authorization controls to restrict non-admin users from performing admin functions.
Advanced Electron Forum v1.0.9 (AEF) is vulnerable to Remote File Inclusion / CSRF. In the admin control panel there is an option to import skins, and one choice is to use a web URL. However, there is no CSRF token or check made that this is a valid request made by the currently logged-in user, resulting in arbitrary remote file imports from an attacker if the user visits or clicks a malicious link. Victims will then be left open to arbitrary malicious file downloads from anywhere on the net, which may be used as a platform for further attacks.
In the admin panel under Edit Boards / General Stuff / General Options, there is an option to specify a redirect URL for the forum, which is vulnerable to a persistent XSS: the payload is stored in the MySQL database and executes attacker-supplied client-side code each time a victim visits the following URLs.
In the admin panel, no CSRF protections exist in multiple areas, allowing remote attackers to make HTTP requests on behalf of a victim who currently has a valid session (is logged in) and visits or clicks an infected link, resulting in some of the following destructive actions: changing the current database settings, deleting all Inbox / Sent emails, deleting all 'shouts', deleting all topics, and editing the profile, avatar and more all appear vulnerable as well.
SuperDrive suffers from an elevation of privileges vulnerability which can be used by any authenticated user to replace the executable file with a binary of their choice. The vulnerability exists due to improper permissions: the 'C' (Change) flag is granted to the 'Authenticated Users' group.
High-Tech Bridge Security Research Lab discovered a path traversal vulnerability in the popular webmail client Roundcube. The vulnerability can be exploited to gain access to sensitive information and, under certain circumstances, to execute arbitrary code and totally compromise the vulnerable server. The vulnerability exists due to insufficient sanitization of the "_skin" HTTP POST parameter in the "/index.php" script when switching between different skins of the web application. A remote authenticated attacker can use path traversal sequences (e.g. "../../") to load a new skin from an arbitrary location on the system that is readable by the webserver.
A user with backup privileges can trivially compromise a client installation of Amanda. Amstar is an Amanda Application API script which should not be run by users directly. It uses star to back up and restore data and runs binaries with root permissions when parsing the command-line argument --star-path. An example is shown below where a user with backup privileges can gain root access.