The Linux kernel failed to properly initialize some entries the proto_ops struct for several protocols, leading to NULL being derefenced and used as a function pointer. By using mmap(2) to map page 0, an attacker can execute arbitrary code in the context of the kernel. Several public exploits exist for this vulnerability, including spender's wunderbar_emporium and rcvalle's ppc port, sock_sendpage.c. All Linux 2.4/2.6 versions since May 2001 are believed to be affected: 2.4.4 up to and including 2.4.37.4; 2.6.0 up to and including 2.6.30.4
9bd69f05ada8cee6b76af8cc4636ab3a3a49a49bfad809f7b97fefaea4e48bb0This Metasploit module exploits the Task Scheduler 2.0 XML 0day exploited by Stuxnet. When processing task files, the Windows Task Scheduler only uses a CRC32 checksum to validate that the file has not been tampered with. Also, In a default configuration, normal users can read and write the task files that they have created. By modifying the task file and creating a CRC32 collision, an attacker can execute arbitrary commands with SYSTEM privileges.
d58b245a3284a4c3a0c953e6cd974d43047680186d9ff32f042bd97e492059fbThis Metasploit module exploits a remote buffer overflow in the ZENworks Configuration Management 10 SP2. The vulnerability exists in the Preboot service and can be triggered by sending a specially crafted packet with the opcode 0x06 (PROXY_CMD_CLEAR_WS) to the 998/TCP port. The module has been successfully tested on Novell ZENworks Configuration Management 10 SP2 and Windows Server 2003 SP2 (DEP bypass).
d8e51661349a2d58c55ebba98e0aab7bf40252bcd11e9570670dbb09e98a4244This Metasploit module exploits a remote buffer overflow in the ZENworks Configuration Management 10 SP2. The vulnerability exists in the Preboot service and can be triggered by sending a specially crafted packet with the opcode 0x21 (PROXY_CMD_FTP_FILE) to port 998/TCP. The module has been successfully tested on Novell ZENworks Configuration Management 10 SP2 and Windows Server 2003 SP2 (DEP bypass).
10965ccc1d7f3bdfb1cdc1edf6199b5eb01250bbec68ab0ee4cf54ba20262a61Nmap's man page mentions that "Nmap should never be installed with special privileges (e.g. suid root) for security reasons.." and specifically avoids making any of its binaries setuid during installation. Nevertheless, administrators sometimes feel the need to do insecure things. This Metasploit module abuses a setuid nmap binary by writing out a lua nse script containing a call to os.execute(). Note that modern interpreters will refuse to run scripts on the command line when EUID != UID, so the cmd/unix/reverse_{perl,ruby} payloads will most likely not work.
36e5626623975013ad17de674718bb242f7551a7c65755515d9aab44a7aa57eaWordPress Cimy User Extra Fields plugin version 2.3.7 suffers from a remote shell upload vulnerability.
3f1cf0c011392b255cd32e6cfb0a2527d78eaaba00b4a507ae004527751b8cc7ClipBucket version 2 suffers from a remote blind SQL injection vulnerability. Note that this finding houses site-specific data.
908a1ea098afb0afffccbe3d11106c241ae2a4f161d8387e327501693cbf137dArora Browser version 0.10.2 remote denial of service proof of concept exploit.
87264302a9bde89050e168e8b2b9679fc2b02cd931240a0e758de293a46e69faKeyPass Password Safe version 1.22 suffers from a filter bypass that allows for malicious script code insertion.
fc0a3a882993015dc7a091e373423dcc5d79e487f44fafbaf9d5dd68199ebf13AVAVoIP version 1.5.12 suffers from cross site scripting and remote shell upload vulnerabilities.
8599e60b92e8454a5283310d93c784484aaad81f0c9a8880f0042a731bd9023dWordPress plugin Count Per Day version 3.1.1 suffers from multiple cross site scripting vulnerabilities.
28361cdd395c57304d759e3a7c3969bfc5d760b11accedd798ecce30a9dacbeeMGB OpenSource Guestbook version 0.6.9.1 suffers from cross site scripting and remote SQL injection vulnerabilities.
e30d0db62fbca895bd77c358db965a0d775079ae38b45f678fdec8aa710f86acMetasploit plugin 'pcap_log' is vulnerable to an arbitrary file overwrite bug which can further be leveraged to insert user-controlled data resulting in potential escalation of privileges. Metasploit module included.
a3608689ff5f6a56679189ea8149e0e805de1c706fb7d3fedff592abe11d622beasyCMSlite version 1.0.9 suffers from a remote database information disclosure vulnerability.
d76b243f67795b89da6846818d5643c0c788edbdf1c583ff25b07a351804feaaGoogle Chrome developers, while trying to be adaptive and current, added some windows 8 helper functions to aid the development of Metro style behavior, but does not include the library file itself, thus resulting in an unqualified dynamic-link library call to 'metro_driver.dll'. A user with local disk access can carefully construct a DLL that suits the pattern that is being traversed by the client and implement it somewhere along the search path and the client will load it seamlessly.
dbb9d62577ac5b978fa6419192db9f6b4808436e28a90885a8548c968b26a7d8Vivotek Cameras suffer from a configuration disclosure vulnerability that leaks password information.
d058e2a1787927c136f919f18b911e8101c71269a4d32b051967630ea19ce337CakePHP versions 2.x through 2.2.0-RC2 suffer from a XXE injection vulnerability.
54d1c4dda8e08667e5b5c0da52af3bfbbf429c685ad10b6ddb43edebd154ffb5DomsHttpd versions 1.0 and below suffer from a remote denial of service vulnerability.
df48c1ebd005e29be57fe7d977ca199ab00f6e3cc3896927df8c2e16e4d2d267This Metasploit module exploits a stack buffer overflow in ALLMediaServer 0.8. The vulnerability is caused due to a boundary error within the handling of HTTP request. While the exploit supports DEP bypass via ROP, on Windows 7 the stack pivoting isn't reliable across virtual (VMWare, VirtualBox) and physical environments. Because of this the module isn't using DEP bypass on the Windows 7 SP1 target, where by default DEP is OptIn and AllMediaServer won't run with DEP.
cd224eb091bd83cac2f6867238fdeea0e253250295ed9b0257c0173e71de0311Cura is a mobile phone application bundle of remote systems administration tools. It provides a personalized terminal emulator, a syslog module that allows for reading logs directly from a server, a SysMonitor module that visually graphs CPU and RAM usage percentages, access to Nmap, and Server Stats will offer general server information like its Vitals, Hardware information, Memory information, processes, and so on. A security feature will be implemented that allows users to have Cura's database completely wiped upon them sending the compromised phone a secret pattern of their choosing (e.g. send an SMS message containing "phone has been stolen!" to your Android phone to wipe Cura's database, and receive the location of the compromised phone as an SMS to your emergency phone number or as an email to your emergency email address).
1701fc58dc21a0ecb6c45f4836abb5e380f5e8214af1f3d389ec0e35ee46a019Blackboard Mobile Learn version 3.0 suffers from a persistent cross site scripting vulnerability.
b4e651e38bbb3294f231eb8e3bb086bfc5350b4b6edc00836d34547e9116fdeePBBoard CMS version 2.1.4 suffers from cross site request forgery and cross site scripting vulnerabilities.
3504eeef961d0a59f49c9ee08fb6ee83c790ce14364fa6fe2751a1e2eab9d1a9SMF Board version 2.0.2 suffers from multiple cross site scripting vulnerabilities.
c9ae40521ca14dc1b3769503b4731284c9910f6abe411ca09d1b0b085880e22cLepton CMS version 1.2.0 suffers from multiple cross site scripting vulnerabilities.
a1950761b16455f0831bfaca8919628053e40986ef93c4860bbb883b3dd0f353Event Calendar PHP version 1.2 suffers from cross site scripting and remote SQL injection vulnerabilities.
3ad4f5c685a677a797142b6d779de69baf513ebfcb1464004b838916e0b78d0f
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed