The HTTP server in AsusWRT allows an unauthenticated client to perform a POST request, which can be combined with a vulnerability in the VPN configuration upload routine to enable a special command mode. This command mode can then be abused to execute commands as root by sending a UDP packet to infosvr on UDP port 9999. This exploit leverages that to start telnetd on a random port and connect to it. It has been tested with the RT-AC68U running AsusWRT Version 3.0.0.4.380.7743.
This module exploits a stack-based buffer overflow vulnerability in CloudMe Sync v1.10.9 client application. The vulnerability allows an attacker to execute arbitrary code by sending a specially crafted buffer to the vulnerable application. This module has been tested successfully on Windows 7 SP1 x86.
This module exploits a stack-based buffer overflow vulnerability in Disk Savvy Enterprise v10.4.18, caused by improper bounds checking of the request sent to the built-in server. This module has been tested successfully on Windows 7 SP1 x86.
The Joom!12Pic component in com_joom12pic/admin.joom12pic.php allows remote attackers to include arbitrary files via the mosConfig_live_site parameter.
This exploit allows an unauthenticated remote attacker to execute arbitrary code on the target system by exploiting a buffer overflow vulnerability in the Disk Savvy Enterprise v10.4.18 server. By sending a specially crafted request, an attacker can overwrite a Structured Exception Handler (SEH) record and gain control of the program flow.
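The CloudMe Sync and Disk Savvy overflows described above share one root cause: a fixed-size stack buffer receives a request field whose length the remote client controls, and the only check performed is against the packet itself, never against the destination. The C block below is an added example written for this page, not code from either product or from the Metasploit modules; the two-byte length-prefixed wire format, FIELD_MAX and the function names are constructed for illustration. It places the vulnerable copy beside a hardened handler that bounds the copy by the destination buffer and rejects oversize requests instead of truncating them silently.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define FIELD_MAX 64   /* size of the fixed stack buffer in the handler */

/* Constructed wire format for this example (not Disk Savvy's or CloudMe's real protocol):
 *   [2-byte big-endian length][length bytes of field data]
 * Returns the declared length, or 0 if the header itself is truncated. */
static size_t declared_len(const uint8_t *req, size_t req_len) {
    if (req_len < 2) return 0;
    return ((size_t)req[0] << 8) | req[1];
}

/* VULNERABLE PATTERN: the length check validates the packet against itself, never
 * against 'field'. A declared length above FIELD_MAX writes past the buffer, over the
 * saved frame, the return address and (on Windows) the SEH chain. Only safe for
 * n < FIELD_MAX; shown for comparison, never for untrusted input. */
static int handle_request_vulnerable(const uint8_t *req, size_t req_len) {
    char field[FIELD_MAX];
    size_t n = declared_len(req, req_len);
    if (n == 0 || req_len < 2 + n) return -1;   /* packet consistent with its header? */
    memcpy(field, req + 2, n);                 /* n is never compared to sizeof field */
    field[n] = '\0';                           /* second out-of-bounds write */
    return (int)strlen(field);
}

/* HARDENED: bound the copy by the destination and fail closed on oversize input. */
static int handle_request_hardened(const uint8_t *req, size_t req_len) {
    char field[FIELD_MAX];
    size_t n = declared_len(req, req_len);
    if (n == 0 || req_len < 2 + n) return -1;   /* malformed or truncated */
    if (n >= sizeof field) return -2;           /* oversize: leave room for the NUL */
    memcpy(field, req + 2, n);
    field[n] = '\0';
    return (int)strlen(field);
}

/* Build a request whose length field claims 'n' bytes of 'fill'. Returns bytes written, 0 on error. */
static size_t build_request(uint8_t *out, size_t cap, size_t n, uint8_t fill) {
    if (n > 0xFFFF || cap < 2 + n) return 0;
    out[0] = (uint8_t)(n >> 8);
    out[1] = (uint8_t)(n & 0xFF);
    memset(out + 2, fill, n);
    return 2 + n;
}

/* Convenience wrappers: craft a request claiming n bytes and feed it to each handler. */
static int run_hardened(size_t n) {
    uint8_t buf[4096];
    size_t len = build_request(buf, sizeof buf, n, 'A');
    return len ? handle_request_hardened(buf, len) : -1;
}

/* Caller must keep n < FIELD_MAX; anything larger corrupts this function's own stack. */
static int run_vulnerable(size_t n) {
    uint8_t buf[4096];
    size_t len = build_request(buf, sizeof buf, n, 'A');
    return len ? handle_request_vulnerable(buf, len) : -1;
}

int main(void) {
    printf("hardened, 10-byte field:  %d\n", run_hardened(10));
    printf("hardened, 500-byte field: %d (rejected)\n", run_hardened(500));
    printf("vulnerable, 10-byte field: %d\n", run_vulnerable(10));
    /* run_vulnerable(500) would overwrite the return address / SEH record instead of returning. */
    return 0;
}
```

The point of the pair is that the two handlers are byte-for-byte identical except for one comparison; a length check that only proves the packet is self-consistent is exactly the check a fuzzer or a crafted SEH-overwrite request walks straight through.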
An attacker could exploit this vulnerability to execute arbitrary code in the context of the application. Failed exploit attempts will result in a denial-of-service condition.
This module attempts to gain root privileges on systems running MagniComp SysInfo versions prior to 10-H64. The .mcsiwrapper suid executable allows loading a config file using the '--configfile' argument. The 'ExecPath' config directive is used to set the executable load path. This module abuses this functionality to set the load path resulting in execution of arbitrary code as root. This module has been tested successfully with SysInfo version 10-H63 on Fedora 20 x86_64, 10-H32 on Fedora 27 x86_64, 10-H10 on Debian 8 x86_64, and 10-GA on Solaris 10u11 x86.
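The SysInfo flaw above is an instance of a general trust-boundary mistake: a setuid-root binary lets its unprivileged caller choose a configuration file, and a directive in that file decides where the binary loads code from. The C block below is an added example written for this page, not MagniComp's code or the Metasploit module; the one-line `ExecPath=` config syntax, the `TRUSTED_EXEC_DIR` path and the function names are constructed for illustration. It places the vulnerable policy beside a hardened one that ignores caller-supplied configuration whenever the effective and real uid differ, and otherwise accepts only absolute paths without `..` components.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

#define PATH_CAP 256
/* Hypothetical compiled-in helper directory; not MagniComp's real layout. */
#define TRUSTED_EXEC_DIR "/usr/lib/sysinfo/bin"

/* Parse a one-directive-per-line config (constructed format, not SysInfo's):
 *   ExecPath=/some/dir
 * Copies the value into out. Returns 1 if found, 0 if absent, -1 if it does not fit. */
static int config_exec_path(const char *cfg, char *out, size_t cap) {
    const char *key = "ExecPath=";
    size_t klen = strlen(key);
    const char *line = cfg;
    while (line && *line) {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        if (len > klen && strncmp(line, key, klen) == 0) {
            size_t vlen = len - klen;
            if (vlen + 1 > cap) return -1;
            memcpy(out, line + klen, vlen);
            out[vlen] = '\0';
            return 1;
        }
        line = eol ? eol + 1 : NULL;
    }
    return 0;
}

/* True if any path component is exactly "..". */
static int has_dotdot_component(const char *p) {
    while (*p) {
        while (*p == '/') p++;
        const char *start = p;
        while (*p && *p != '/') p++;
        if (p - start == 2 && start[0] == '.' && start[1] == '.') return 1;
    }
    return 0;
}

/* VULNERABLE POLICY: whatever ExecPath the caller wrote wins, regardless of who the
 * caller is. Under setuid root that is "run my binaries as root".
 * Returns 1 if the caller's value was used, 0 if the default was. */
static int exec_dir_vulnerable(const char *user_cfg, char *out, size_t cap) {
    if (user_cfg && config_exec_path(user_cfg, out, cap) == 1) return 1;
    snprintf(out, cap, "%s", TRUSTED_EXEC_DIR);
    return 0;
}

/* HARDENED POLICY: when running with privileges the caller does not hold (euid != ruid),
 * the caller's config must not influence where code is loaded from. When not elevated,
 * honour it but still require an absolute path with no ".." components.
 * Returns 0 trusted default used, 1 caller's ExecPath honoured, -1 rejected. */
static int exec_dir_hardened(uid_t ruid, uid_t euid, const char *user_cfg,
                             char *out, size_t cap) {
    char want[PATH_CAP];
    int r;
    if (euid != ruid || user_cfg == NULL) {
        snprintf(out, cap, "%s", TRUSTED_EXEC_DIR);   /* privileged: ignore caller config */
        return 0;
    }
    r = config_exec_path(user_cfg, want, sizeof want);
    if (r < 0) return -1;
    if (r == 0) {
        snprintf(out, cap, "%s", TRUSTED_EXEC_DIR);
        return 0;
    }
    if (want[0] != '/' || has_dotdot_component(want)) return -1;
    if (strlen(want) + 1 > cap) return -1;
    strcpy(out, want);
    return 1;
}

int main(void) {
    /* Constructed attacker config: points the privileged binary at a user-owned directory. */
    const char *evil_cfg = "Verbose=1\nExecPath=/tmp/evil\n";
    char out[PATH_CAP];
    exec_dir_vulnerable(evil_cfg, out, sizeof out);
    printf("vulnerable policy loads helpers from: %s\n", out);
    exec_dir_hardened(getuid(), geteuid(), evil_cfg, out, sizeof out);
    printf("hardened policy (ruid %u, euid %u) loads helpers from: %s\n",
           (unsigned)getuid(), (unsigned)geteuid(), out);
    return 0;
}
```

The uid comparison is the load-bearing line: a setuid program that wants to accept any caller-supplied configuration at all has to decide, before parsing it, whether it is currently acting for someone other than the invoking user.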
This vulnerability allows an attacker to include a remote file by manipulating the 'mosConfig_live_site' variable in the 'admin.joomlaflashfun.php' file of the Joomla Flash Fun! component. By injecting a malicious file, an attacker can execute arbitrary code on the server.
It's possible to use the constrained impersonation capability added in Windows 10 to impersonate a LowBox SYSTEM token, leading to EoP. Windows 10 added a new security check during token impersonation that relies on an AppContainer capability, Constrained Impersonation, which allows a LowBox process to impersonate another LowBox token, even one belonging to a different user, as long as certain requirements are met. The only limiting factor is getting hold of a suitable token that has the same session ID. This is easy, for example, in UAC scenarios (including OTS elevation), but of course that's a UAC bypass. There are various tricks to get a SYSTEM token, but most services run in Session 0. However, a few processes run as SYSTEM in the same session on a default install of Windows, including CSRSS and Winlogon. There's also the consent process, part of UAC, which is spawned in the user session. Therefore one way to get the token is to try to elevate a process running on a WebDAV share (hosted on localhost) and negotiate the NTLM/Negotiate auth in a similar way to previous issues I've reported (e.g. cases 21243 and 21878).
It's possible to use the new Global Reparse Point functionality introduced in Windows 10 1709 to bypass the sandbox's existing restriction on creating arbitrary file symbolic links.