This module attempts to gain root privileges by exploiting a Python code injection vulnerability in blueman versions prior to 2.0.3. The `org.blueman.Mechanism.EnableNetwork` D-Bus interface exposes the `set_dhcp_handler` function which uses user input in a call to `eval`, without sanitization, resulting in arbitrary code execution as root.
When an AppContainer sandboxed application creates a partial trust class, it’s instantiated inside a Runtime Broker running at the normal user privilege. While Windows.Data.Xml.Dom.XmlDocument is marked as Base Trust, so it would be instantiated inside the same process as the creator, there are a number of partial trust classes which expose an XmlDocument object. An example of this is the ToastNotificationManager class, which exposes an XmlDocument through the GetTemplateContent static method. This is exposed to all normal AC processes and also has explicit permissions allowing the lpacAppExperience capability to access it, which all Edge Content LPAC processes have. The problem with XmlDocument is that it doesn’t custom marshal the object over process boundaries; this means that the XmlDocument created by ToastNotificationManager stays in the Runtime Broker. If there are any security issues with the use of the XmlDocument interface then that’s a problem. Looking at the class, it’s implemented inside msxml6.dll and is basically an MSXML.DOMDocument.6.0 class in all but name. Checking what interfaces the class supports, you find the following (partial list): IPersistMoniker, IPersistStream, IPersistStreamInit, IServiceProvider, IStream, IXMLDOMDocument, IXMLDOMDocument2, IXMLDOMDocument3, IXMLDOMNode, Windows::Xml::Dom::IXmlDocument, Windows::Xml::Dom::IXmlDocumentIO, Windows::Xml::Dom::IXmlDocumentIO2, Windows::Xml::Dom::IXmlNode, Windows::Xml::Dom::IXmlNodeSelector, Windows::Xml::Dom::IXmlNodeSerializer. What stinks here is that the IXMLDOMDocument interface is implemented by the same class which implements the IPersistMoniker interface. This means that the XmlDocument can be used to load a file from a remote location using the IPersistMoniker::Load method.
The doesGC function is used to determine whether to insert write barriers, but it is missing GetIndexedPropertyStorage, which can trigger a garbage collection via rope strings. This can lead to a use-after-free vulnerability. The PoC creates an array of 10 strings, each of which is composed of two strings of length 1024*1024*2. It then calls the opt function, which performs a number of string operations on the array. After that, it calls gc() to trigger garbage collection. Finally, it calls opt again and assigns the result to o.x. When the program prints o.x, it prints 1234, which is the value of tmp.
Fatal javascript OOM in invalid array length. A proof-of-concept exploit is provided which creates an array with a length of 0x20000000, which causes a fatal out-of-memory error in the V8 JavaScript engine.
A vulnerability in Coship Wireless Routers allows an unauthenticated attacker to reset the admin password. This is due to the lack of authentication on the ‘apply.cgi’ page. An attacker can exploit this vulnerability by sending a crafted HTTP request to the router’s IP address with the new password in the request body. This resets the admin password to the supplied value without any authentication.
There are multiple vulnerabilities in ShoreTel/Mitel Connect ONSITE ST 14.2 which, when chained together, result in remote code execution in the context of the running service. The vendor was contacted by Jared McLaren of SecureWorks in early 2018 but a proof of concept was not released. I had access to a single device during the development of this exploit. As such, your system paths may be different and you may need to edit this script to fit your needs.
doorGets CMS 7.0 is vulnerable to an arbitrary file download vulnerability. An attacker can download any file from the server by manipulating the 'f' parameter in the download.php file. This can be exploited by sending a specially crafted HTTP request to the vulnerable application.
Roxy Fileman 1.4.5 is vulnerable to an arbitrary file download vulnerability. An attacker can download any file from the server by manipulating the 'f' parameter in the download.php file. This can be exploited by sending a specially crafted HTTP request to the vulnerable application.
A vulnerability in FortiGate allows an attacker to capture LDAP credentials from the FortiGate web interface. The vulnerability exists due to the lack of authentication when sending a request to the FortiGate web interface. An attacker can exploit this vulnerability by sending a specially crafted request to the FortiGate web interface, which will capture the LDAP credentials. This vulnerability affects FortiGate versions 5.6.3 and below.
A buffer overflow vulnerability exists in Spotify 1.0.96.181 when a maliciously crafted input is sent to the "Host" field in the "Proxy configuration" window, resulting in a denial of service condition.