This report describes a bug in the XNU implementation of the IPComp protocol. This bug can be remotely triggered by an attacker who is able to send traffic to a macOS system (iOS, as far as I know, isn't affected) over two network interfaces at the same time. The XNU implementation of IPComp is enabled only on x86-64; ARM64 doesn't seem to have the feature enabled at all. While IPComp is related to IPsec, the IPComp input path processes input even when the user has not configured any IPsec on the system. zlib requires fairly large buffers for decompression and especially for compression. In order to avoid allocating such buffers for each packet, IPComp uses two global z_stream instances, 'deflate_stream' and 'inflate_stream'. If IPComp isn't used, the buffer pointers in these z_stream instances remain NULL; only when IPComp is actually used will the kernel attempt to initialize the buffer pointers. As far as I can tell, the IPComp implementation in XNU has been completely broken for years, which makes it impossible to actually reach the decompression code.
A buffer overflow vulnerability exists in Foscam Video Management System 1.1.6.6, which could allow an attacker to cause a denial of service condition. An attacker must first run a Python script to create a file containing a large amount of data. The attacker must then copy the content of the file into the UID field of the Add Device page in the FoscamVMS application. This will cause the application to crash.
A vulnerability in Sricam DeviceViewer 3.12.0.1 allows an attacker to change the password of any registered user by creating a malicious payload file and setting it as the old password when changing the password. The new password can be set to whatever the attacker wants. To confirm the password change, the application must be restarted and the new password can be used to log in.
This exploit allows an attacker to bypass authentication in Zabbix 4.4. The exploit works by sending a specially crafted payload to the server, which sets a cookie that allows the attacker to bypass authentication. The exploit was tested on Linux Apache/2 PHP/7.2.
A buffer overflow vulnerability exists in freeFTP 1.0.8. An attacker can send a specially crafted FTP request with an overly long string, resulting in a buffer overflow and potentially allowing arbitrary code execution.
It is possible to change the permissions of an arbitrary file so that the user has full control over it after exploitation, which results in Local Privilege Escalation. It was found that Check Point software (Endpoint Security Client and ZoneAlarm) uses a tvDebug.log file stored in "C:\Windows\Internet Logs\tvDebug.log" or in ProgramData, for example "C:\ProgramData\CheckPoint\ZoneAlarm\Logs\tvDebug.log". All authenticated users have full control over this log file, and it was found that the Check Point service writes to it with SYSTEM privileges. However, this file could not be used for exploitation as it is always in use by the Check Point service; for example, this is why users cannot delete it under normal conditions (unless the service crashes and/or is restarted). However, it was noticed that when this log file reaches some limit (depending on the software) it is archived to the same location and name but with a ZIP extension. The same permissions are set for this archive file, so all authenticated users can access it. Taking all of this into account, we can create an attack scenario:
1. If the tvDebug.zip file exists, delete it.
2. Create a hardlink (using CreateHardlink.exe) named tvDebug.zip which points to the other file that we would like to have permissions to (this file must not be in use by another process when the Check Point service tries to use it).
3. Fill the tvDebug.log log file above the limit. For ZoneAlarm it is 50Mb, for VPN it is 20Mb. This can be done by using the software as a normal user.
4. Restart the system, as the service needs to be restarted to create the archive.
5. Now your file has its permissions changed and you have full access to it.
Any authenticated (even unprivileged) user can upload any file to any location on the server with root privileges. This results in code execution on the underlying system with root privileges. The issue was found in the 'Apps > Software > Add Software' menu, where the user needs to choose the upload via URL option, as only this one is vulnerable. The URL needs to point to the attacker's web server where they host, for example, script files. When the form is submitted, the 'urlFileName' parameter is vulnerable to path traversal. This parameter specifies the temporary file name that will be used on the system. The application then moves this file to another location that is not controlled by the application user. An attacker can, for example, upload a script file on the web server and execute it by sending a GET request.
Allows XSS via the panel/members/ Username, Full Name, or Email field, aka an 'Admin Member JSON Update' issue. First log in to the panel with user credentials, then go to the Members tab from the left menu: http://localhost/panel/members/ Username, Full Name, and Email are editable by double-clicking on them. Insert the following payload: <img src=x onerror=alert(document.cookie)>
An attacker can bypass the login page, access the dashboard page, and create a Dashboard/Report/Screen/Map without any username/password, anonymously. All created elements (Dashboard/Report/Screen/Map) are accessible by other users and the admin.
logrotate is prone to a race condition after renaming the logfile. If logrotate is executed as root with an option that creates a file (like create, copy, compress, etc.) and the user is in control of the logfile path, it is possible to abuse the race condition to write files into ANY directory. An attacker could elevate their privileges by writing reverse shells into directories like '/etc/bash_completion.d/'.