We found no protection against CSRF (Cross-Site Request Forgery), which makes it possible to perform any action on a user (or admin) account: no form is protected at all. We have included some illustrative examples. They execute actions on the user's account while the user is visiting a page we prepared on any other server; the user notices nothing during the visit, because nothing is rendered. Logging a user out, posting on the user's timeline and changing the user's password are among the examples.
NetSchedScan v1.0 crashes with a buffer overflow when crafted input is sent to the Hostname/IP field. An attacker can exploit this to cause a denial of service condition.
GlassFish Server is vulnerable to arbitrary file read due to insufficient input validation. An attacker can exploit this vulnerability by sending a specially crafted request to the server, which allows reading any file the server process has access to.
Applications Manager suffers from arbitrary command execution. Attackers can exploit this issue through the Upload Files/Binaries feature by supplying a .bat file containing a command and its arguments as the binary to be executed. Combined with the CSRF and privilege escalation issues, the ability to create arbitrary .exe and .bat files leads to executing system commands with SYSTEM privileges.
The application allows users to perform certain actions via HTTP requests without verifying that the requests were intentionally issued by the user. This can be exploited to perform those actions with administrative privileges if a logged-in administrator visits a malicious web site. Multiple cross-site scripting vulnerabilities were also discovered. The issue is triggered when input passed via several parameters is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of the affected site.
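The two CSRF findings above (the unprotected forms on the first advisory and the unverified state-changing requests on this one) share one root cause: the handler authenticates with the session cookie alone, and the browser attaches that cookie to a form post made from any site. The following is an added example, not code from either advisory or the affected products. It models the password-change handler as a plain function over an in-memory request, shows the auto-submitting attacker page, and puts the unprotected handler beside a hardened one that checks the Origin/Referer header and a per-session synchronizer token. The origin `https://app.example`, the path `/account/password`, the handler and helper names and the in-memory stores are all assumptions made for the example.

```python
"""CSRF on a state-changing form: the unprotected handler beside a hardened one."""
import hmac
import secrets
from dataclasses import dataclass, field

SITE_ORIGIN = "https://app.example"  # assumed origin of the vulnerable application


@dataclass
class Request:
    method: str
    headers: dict
    cookies: dict
    form: dict


@dataclass
class Session:
    user: str
    # synchronizer token: unpredictable, bound to the session, never sent in a cookie
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


# constructed in-memory state standing in for the application's stores
SESSIONS = {}
PASSWORDS = {}


def login(user, password):
    """Create a session and return the cookie value the browser will store."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = Session(user)
    PASSWORDS[user] = password
    return sid


def change_password_vulnerable(req):
    """Authenticates with the session cookie only. The victim's browser sends that
    cookie on a form post from any site, so a forged request looks identical."""
    sess = SESSIONS.get(req.cookies.get("sid", ""))
    if req.method != "POST" or sess is None:
        return 401
    PASSWORDS[sess.user] = req.form["new_password"]
    return 200


def same_origin(req):
    """Browsers send Origin on cross-site POSTs; fall back to Referer; reject if neither."""
    src = req.headers.get("Origin") or req.headers.get("Referer") or ""
    return src == SITE_ORIGIN or src.startswith(SITE_ORIGIN + "/")


def change_password_hardened(req):
    sess = SESSIONS.get(req.cookies.get("sid", ""))
    if req.method != "POST" or sess is None:
        return 401
    if not same_origin(req):
        return 403
    # the token lives only in the page the site itself rendered, so a cross-site
    # form cannot include it; compare in constant time
    if not hmac.compare_digest(req.form.get("csrf_token", ""), sess.csrf_token):
        return 403
    PASSWORDS[sess.user] = req.form["new_password"]
    return 200


# The attacker's page: an auto-submitting hidden form, nothing shown to the victim.
ATTACKER_PAGE = f"""<form id=f method=POST action="{SITE_ORIGIN}/account/password">
  <input type=hidden name=new_password value=pwned>
</form><script>document.getElementById('f').submit()</script>"""


def forged_request(sid):
    """What the victim's browser emits when it loads ATTACKER_PAGE: the session
    cookie is attached automatically, but Origin is the attacker's site."""
    return Request("POST", {"Origin": "https://attacker.example"},
                   {"sid": sid}, {"new_password": "pwned"})


def legitimate_request(sid):
    """The same post issued from the site's own form, token included."""
    return Request("POST", {"Origin": SITE_ORIGIN}, {"sid": sid},
                   {"new_password": "N3w-pass", "csrf_token": SESSIONS[sid].csrf_token})


def demo():
    sid = login("alice", "original")
    vuln_status = change_password_vulnerable(forged_request(sid))
    pw_after_vuln = PASSWORDS["alice"]
    PASSWORDS["alice"] = "original"
    hard_forged = change_password_hardened(forged_request(sid))
    pw_after_forged = PASSWORDS["alice"]
    hard_legit = change_password_hardened(legitimate_request(sid))
    return {
        "vulnerable_forged": vuln_status, "pw_after_vuln": pw_after_vuln,
        "hardened_forged": hard_forged, "pw_after_forged": pw_after_forged,
        "hardened_legit": hard_legit, "pw_after_legit": PASSWORDS["alice"],
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The origin check alone is a useful first line of defence but some clients strip Referer and older browsers omit Origin, so the token is the check that matters; marking the session cookie `SameSite=Lax` or `Strict` is a third, independent layer that stops the browser attaching it to the forged post in the first place.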
This exploit gives an attacker a reverse root shell on a vulnerable SevOne NMS server running version 5.3.6.0 or lower. It works by sending a malicious payload to the SevOne PAS server, which the server then executes. The payload contains a Python script that opens a reverse shell back to the attacker's machine.
There is a buffer underflow vulnerability in devenum.dll!DeviceMoniker::Load when it attempts to NUL-terminate a user-supplied string. The function as it exists on Windows 7 x86 is implemented as follows: When the code goes to NUL-terminate this buffer it divides the length by 2 and subtracts 2 (v4 is a wchar_t), leading to "\x00\x00" being written 2 bytes before the allocated buffer. This object, "device.1" or {4315D437-5B8C-11D0-BD3B-00A0C911CE86}, is reachable from any piece of software that performs an IPersistStream::Load on an arbitrary object. The vulnerable object is also reachable from any piece of software performing an OleLoad(IID_IOleObject) call with an attacker-controlled CLSID, as is the case in Office.
This exploit uses a SQL injection vulnerability in WhatsUp Gold v16.3 to execute arbitrary code on the target system. It sends a specially crafted SOAP request to the iDroneComAPI.asmx web service containing a malicious SQL query. The query writes a new ASP page onto the target system containing a script that executes arbitrary code. The exploit then requests the newly created page, which runs the code.
This program demonstrates how to escalate privileges using an overlayfs mount within a user namespace. It mounts an overlayfs filesystem on /tmp/x/bin and then changes the mode of the su binary to 04777 (setuid root, world-writable and world-executable), so that it runs with root privileges.
Almost all FingerTec Access Control devices expose telnet with a hardcoded default root password. Additionally, it is trivial to enrol a new administrative user on the device with a PIN code or RFID card that allows opening the door.
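A practitioner assessing a deployment of such controllers wants a repeatable check for the exposure described above: does the device answer on telnet and accept a login from a list of known defaults? The following is an added example, not code from the advisory or from the vendor. The default password itself is not given on this page, so `DEFAULT_CREDS` holds placeholders the reader replaces; `fake_device` is a constructed in-process stand-in for a controller (it sends one telnet option-negotiation sequence, then login/password prompts and a root prompt on the accepted pair) so the check can be exercised offline. Prompt strings, timeouts and the helper names are all assumptions.

```python
"""Telnet default-credential check with an in-process fake device for offline use."""
import socket
import threading

IAC, SB, SE = 255, 250, 240
WILL, WONT, DO, DONT = 251, 252, 253, 254

# Placeholders: the real default for these devices is not on the page being edited.
DEFAULT_CREDS = [("root", "CHANGEME"), ("admin", "admin")]


def strip_telnet(data):
    """Drop IAC option negotiation so prompt matching sees only the text."""
    out, i = bytearray(), 0
    while i < len(data):
        b = data[i]
        if b != IAC:
            out.append(b)
            i += 1
            continue
        if i + 1 >= len(data):
            break
        cmd = data[i + 1]
        if cmd == IAC:               # escaped 0xFF data byte
            out.append(IAC)
            i += 2
        elif cmd == SB:              # subnegotiation runs until IAC SE
            end = data.find(bytes([IAC, SE]), i + 2)
            i = len(data) if end < 0 else end + 2
        elif cmd in (WILL, WONT, DO, DONT):  # one option byte follows
            i += 3
        else:                        # two-byte command
            i += 2
    return bytes(out)


def read_until(sock, markers, timeout=3.0):
    """Read until one of the byte markers appears, the peer closes, or we time out."""
    sock.settimeout(timeout)
    buf = b""
    while not any(m in buf for m in markers):
        try:
            chunk = sock.recv(1024)
        except socket.timeout:
            break
        if not chunk:
            break
        buf += strip_telnet(chunk)
    return buf


def try_login(host, port, user, password):
    """True if the telnet service accepts user/password and hands out a root prompt."""
    with socket.create_connection((host, port), timeout=3) as s:
        if b"ogin:" not in read_until(s, [b"ogin:"]):
            return False
        s.sendall(user.encode() + b"\r\n")
        if b"assword:" not in read_until(s, [b"assword:"]):
            return False
        s.sendall(password.encode() + b"\r\n")
        reply = read_until(s, [b"# ", b"incorrect", b"ogin:"])
        return b"# " in reply          # root shell prompt; a failure re-prompts for login


def check_defaults(host, port, creds=DEFAULT_CREDS):
    """Return every credential pair from the list that the device accepted."""
    return [(u, p) for u, p in creds if try_login(host, port, u, p)]


def fake_device(valid_user, valid_password):
    """Constructed stand-in for a controller with telnet open; returns (host, port)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            conn, _ = srv.accept()
            with conn:
                # IAC DO TERMINAL-TYPE, then the login prompt
                conn.sendall(bytes([IAC, DO, 24]) + b"\r\ndevice login: ")
                f = conn.makefile("rb")
                user = f.readline().strip()
                conn.sendall(b"Password: ")
                pw = f.readline().strip()
                ok = user == valid_user.encode() and pw == valid_password.encode()
                conn.sendall(b"\r\n# " if ok else b"\r\nLogin incorrect\r\nlogin: ")

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()


def demo():
    host, port = fake_device("root", "CHANGEME")
    return check_defaults(host, port)


if __name__ == "__main__":
    print(demo())
```

Against a real controller, point `check_defaults` at the device's address and port 23 with the credential list filled in; a non-empty result is the finding. The IAC stripping matters on real devices, which typically negotiate options before printing the prompt and would otherwise defeat naive string matching.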