The Install.framework runner suid root binary does not correctly account for the fact that Distributed Objects can be connected to by multiple clients at the same time. By connecting two proxy objects to an IFInstallRunner and calling [IFInstallRunner makeReceiptDirAt:asRoot:] in the first, passing a custom object as the directory name, we can get a callback to our code just after the makeReceiptDirAt code has called seteuid(0); setgid(0) to regain privs. Since BSD privileges are per-process, this means that our other proxy object will now have euid 0 without having to provide an authorization reference. In this second proxy we can then just call runTaskSecurely and get a root shell before returning from the first proxy's callback function, which will then drop privs.
The TimThumb plugin for WordPress is prone to multiple security vulnerabilities including XSS, security bypass, arbitrary file upload, information disclosure, path disclosure, and denial-of-service. Attackers can exploit these vulnerabilities to bypass security restrictions, obtain sensitive information, perform administrative actions, gain unauthorized access, upload arbitrary files, compromise the application, modify data, cause denial-of-service conditions, steal authentication credentials, or control how the site is rendered to the user.
A remote attacker can perform certain administrative actions and gain unauthorized access to the affected application by exploiting this vulnerability. Other attacks are also possible.
The vulnerability allows an attacker to inject SQL commands into the application's database. By manipulating the 'cid' parameter in the 'index.php?module=pnFlashGames&func=view' URL, an attacker can perform a union-based SQL injection and extract sensitive information from the database.
The exploit triggers a buffer overflow in Photoshop CS2/CS3 and Paint Shop Pro 11.20 when parsing PNG files. It can execute arbitrary code, such as running calc.exe or binding a shell to port 4444. It has been tested on Windows XP SP2 FR.
IrfanView is vulnerable to an unspecified buffer overflow when processing a crafted .IFF file. This exploit runs calc.exe or binds a shell to port 4444.
Sourcefire User Agent is vulnerable to default insecure file permissions and hard-coded encryption keys. A local attacker can exploit this by gaining access to a user-readable database file and extracting sensitive information. In combination with the hard-coded 3DES keys, an attacker is able to decrypt the configured Domain Controller accounts, which can lead to further attacks.
This exploit targets the iPIX Image Well ActiveX control, specifically the CreateMediaGroup method. The vulnerability allows an attacker to execute arbitrary code by providing specially crafted parameters to the method. The exploit code includes a shellcode that executes the calc.exe program.
This exploit allows a local user to connect to Serv-U with a default login/password for local administration. The user can then create an FTP user with execute rights and execute a raw 'SITE EXEC' command, which will be executed with SYSTEM privileges.
This module exploits an OS command injection vulnerability in a web-accessible CGI script used to change passwords for locally-defined proxy user accounts. Valid credentials for such an account are required. Command execution will be in the context of the "nobody" account, but this account has broad sudo permissions, including the ability to run the script /usr/local/bin/chrootpasswd (which changes the password for the Linux root account on the system to the value specified by console input once it is executed). The password for the specified proxy user account will *not* be changed by the use of this module, as long as the target system is vulnerable to the exploit. Very early versions of Endian Firewall (e.g. 1.1 RC5) require HTTP basic auth credentials as well to exploit this vulnerability. Use the USERNAME and PASSWORD advanced options to specify these values if required. Versions >= 3.0.0 still contain the vulnerable code, but it appears to never be executed due to a bug in the vulnerable CGI script which also prevents normal use (http://jira.endian.com/browse/UTM-1002). Versions 2.3.x and 2.4.0 are not vulnerable because of a similar bug (http://bugs.endian.com/print_bug_page.php?bug_id=3083). Tested successfully against the following versions of EFW Community: 1.1 RC5, 2.0, 2.1, 2.2, 2.5.1, 2.5.2. Should function against any version from 1.1 RC5 to