
Explore Vulnerabilities


Explore all Exploits:

Object.create Type Confusion Vulnerability

The Object.create() function in V8 JavaScript engine is vulnerable to type confusion. The vulnerability is caused by a check that fails to guarantee that the prototype given as the parameter is 'null'. This can lead to type confusion when Map::GetObjectCreateMap is called with the prototype, allowing an attacker to transition the prototype and cause type confusion.

antMan <= 0.9.0c Authentication Bypass

antMan versions <= 0.9.c contain a critical authentication defect that allows an unauthenticated attacker to obtain root permissions within the antMan web management console. The antMan authentication implementation reads user-supplied username and password parameters from a POST request issued to /login. antMan then uses Java's ProcessBuilder class to invoke, as root, a bash script called antsle-auth. This script contains two critical defects that allow an attacker to bypass the authentication checks. By setting the username to > and the password to a URL-encoded linefeed (%0a), an attacker can force the authentication script to produce return values not anticipated by the developer.

V8 JavaScript Engine Out-of-Bounds Read Vulnerability

The V8 JavaScript engine is vulnerable to an out-of-bounds read vulnerability due to the bytecode generator emitting empty jump tables. If the jump table is empty, table_offset_ may exceed table_end_, resulting in out-of-bounds reads. A proof-of-concept exploit is provided which creates a function with an empty jump table and then calls it multiple times.

Improper Write Barrier Elimination

The vulnerability is caused by improper write barrier elimination in the code snippet. The code tries to assist write barrier elimination by changing field_representation to MachineRepresentation::kTaggedSigned whenever the value can be converted to a Smi. However, TruncatingUseInfoFromRepresentation(kTaggedSigned) returns UseInfo::AnyTagged(), which is also compatible with kTaggedPointer. As a result, even when input_info->representation() is kTaggedPointer and field_representation is kTaggedSigned, it will still perform a write barrier.

Remote Code Execution CVE-2018-5767

This exploit is related to CVE-2018-5767, a remote code execution vulnerability affecting the ARM Cortex-A9 processor. The exploit sends a malicious payload to the device, which allows the attacker to gain access and execute arbitrary code. The exploit code creates a listening socket on port REV_PORT and, when a connection is accepted, sets the global DONE flag to indicate successful exploitation. It then enters a loop in which the user can send remote commands to the device, interacting with a spawned /bin/sh process.

OS command injection, arbitrary file upload & SQL injection

By exploiting the vulnerabilities documented in this advisory, an attacker can fully compromise the web server which has ClipBucket installed. Potentially sensitive data might get exposed through this attack.

Detection Bypass

If a server breaks the normal TCP three-way handshake (3WHS) packet order and injects response data before the 3WHS is complete, the data is still received by the client, but some IDS engines may skip content checks on it. Attack scenario TCP flow scheme:

    Client -> [SYN]      [Seq=0  Ack=0]  -> Evil Server
    Client <- [SYN, ACK] [Seq=0  Ack=1]  <- Evil Server
    Client <- [PSH, ACK] [Seq=1  Ack=1]  <- Evil Server   # Injection before the 3WHS is completed
    Client <- [FIN, ACK] [Seq=83 Ack=1]  <- Evil Server
    Client -> [ACK]      [Seq=1  Ack=84] -> Evil Server
    Client -> [PSH, ACK] [Seq=1  Ack=84] -> Evil Server

IDS signature checks for the TCP stream or HTTP response body are skipped when data is injected this way. The technique requires all three packets from the malicious server to arrive at the client together, before the client completes the 3WHS. A proof-of-concept server written in C reproduces this and works reliably on local networks; because some network devices may affect packet transmission, exploitation is less reliable over the internet. Successful exploitation allows an attacker to bypass IDS detection of malicious traffic.

Sophos UTM 9 loginuser Privilege Escalation via confd Service

The attacker must know the password for the loginuser account. The confd client is not available to the loginuser account. However, the running service is accessible over a network port on the loopback interface. By replaying the network traffic required to obtain a SID from this service it is possible to escalate privileges to root.

Abusing The Protocol to Record Audio

Whilst analysing a number of free communication-based applications on the Google Play Store, I took a look at WiFi Baby Monitor: Free & Lite (the free version of WiFi Baby Monitor). Although the premium version offered users the ability to specify a password to be used in the pairing process, the free version offered no such function. Monitoring the traffic with Wireshark during the pairing process revealed the following: the initial connection is made on port 8257; to start the pairing process, the same sequence is sent each time; after the pairing process is finished, another connection is opened to port 8258, where the audio data is transmitted; once the connection to port 8258 is made, the connection on port 8257 is kept open and used as a heartbeat for the session; and on the heartbeat connection, the client periodically sends 0x01 to the baby monitor (roughly once per second). With the pairing process reversed, it was possible to create a proof of concept showing that a small program could be deployed into a compromised network to eavesdrop on a baby monitor and allow an attacker to play the recording back at a later date at their discretion.
