
Files from Tim Brown

Email address: timb at nth-dimension.org.uk
First Active: 2005-08-17
Last Active: 2020-05-04

HP Performance Monitoring xglance Privilege Escalation
Posted May 4, 2020
Authored by Tim Brown, h00die, Marco Ortisi, Robert Jaroszuk | Site metasploit.com

This Metasploit module is an exploit that takes advantage of xglance-bin, part of HP's Glance (or Performance Monitoring) version 11 and subsequent, which was compiled with an insecure RPATH option. The RPATH includes a relative path to -L/lib64/ which can be controlled by a user. Creating libraries in this location will result in an escalation of privileges to root.

tags | exploit, root
advisories | CVE-2014-2630
SHA-256 | d8c4bb35d621bfc8cf65e13632145031a44e20cc02cc3e3045d3ba14a00ed48b
xglance-bin Local Root Privilege Escalation
Posted Feb 5, 2020
Authored by Tim Brown, Marco Ortisi, Robert Jaroszuk

xglance-bin local root privilege escalation exploit that has been tested on Linux RHEL 7.x/8.x systems.

tags | exploit, local, root
systems | linux
advisories | CVE-2014-2630
SHA-256 | d27e4f2ed6ba8d5e7e900a787e939d59f6386be68ee424e030c1c37dbe438c85
ifwatchd Privilege Escalation
Posted Oct 8, 2018
Authored by Tim Brown, Brendan Coles, cenobyte | Site metasploit.com

This Metasploit module attempts to gain root privileges on QNX 6.4.x and 6.5.x systems by exploiting the ifwatchd suid executable. ifwatchd allows users to specify scripts to execute using the '-A' command line argument; however, it does not drop privileges when executing user-supplied scripts, resulting in execution of arbitrary commands as root. This Metasploit module has been tested successfully on QNX Neutrino 6.5.0 (x86) and 6.5.0 SP1 (x86).

tags | exploit, arbitrary, x86, root
advisories | CVE-2014-2533
SHA-256 | 520b8401fb7375e448a96f4237b4662a5608ef3cf6d4d3323e0c69df08ce3fa4
Viprinet Multichannel VPN Router 300 Cross Site Scripting
Posted Feb 5, 2016
Authored by Tim Brown | Site portcullis-security.com

Viprinet Multichannel VPN Router 300 suffers from multiple cross site scripting vulnerabilities.

tags | exploit, vulnerability, xss
advisories | CVE-2014-2045
SHA-256 | 845663dad41dae077c418a4bb396d1a462f0e32e87796c3f272773bb936411f0
Viprinet Multichannel VPN Router 300 Identity Verification Fail
Posted Feb 5, 2016
Authored by Tim Brown | Site portcullis-security.com

Viprinet Multichannel VPN Router 300 fails to verify the remote SSL VPN endpoint identity.

tags | advisory, remote
advisories | CVE-2014-9754, CVE-2014-9755
SHA-256 | ea36b1964fe2d6d3cd269ee9fe4f17cffd19bd4f049fa07820aadbc257a0acf5
AMD fglrx-driver 14.4.2 Privilege Escalation
Posted Oct 29, 2015
Authored by Tim Brown | Site portcullis-security.com

Privilege escalation can be achieved via a symlink attack on POSIX shared memory with insecure permissions in AMD fglrx-driver version 14.4.2.

tags | advisory
advisories | CVE-2015-7723
SHA-256 | 4e6dcfe5ce3f850f7a06aad8a578e3e8da7469c5142c18444505b01a35ff813c
AMD fglrx-driver 15.7 Privilege Escalation
Posted Oct 29, 2015
Authored by Tim Brown | Site portcullis-security.com

Privilege escalation can be achieved via a symlink attack on POSIX shared memory with insecure permissions in AMD fglrx-driver version 15.7.

tags | advisory
advisories | CVE-2015-7724
SHA-256 | 16d49a42c76981e04c0c6c2f6da6ae7568dd75790a6bcb587a7e5d388da2e479
SAP ECC Privilege Escalation
Posted Jul 14, 2015
Authored by Tim Brown | Site portcullis-security.com

SAP ECC uses binaries that are executed with elevated privileges (SetGID and SetUID programs) and that have been compiled in a manner that causes them to search for libraries in insecure locations.

tags | advisory
advisories | CVE-2015-3621
SHA-256 | dda76ea46a15e7f7868621a6ca1e393d8ba4ac5999ea0d317aec6164f94be550
Compaq/Hewlett Packard Glance 11.00 Privilege Escalation
Posted Nov 19, 2014
Authored by Tim Brown | Site portcullis-security.com

It has been identified that binaries that are executed with elevated privileges (SetGID and SetUID programs) in Compaq/HP's Glance for Linux have been compiled in a manner that causes them to search for libraries in insecure locations. Versions 11.00 and below are affected.

tags | exploit
systems | linux
advisories | CVE-2014-2630
SHA-256 | a66fb0a451a7f6dcc806352c69ac659b9668b544cb151ad815fc0f41f27c3245
IBM AIX Runtime Linker Privilege Escalation
Posted Jul 9, 2014
Authored by Tim Brown | Site portcullis-security.com

IBM AIX versions 6.1 and 7.1 suffer from a runtime linker privilege escalation vulnerability.

tags | advisory
systems | aix
advisories | CVE-2014-3074
SHA-256 | 41ebbb62efa48c6f09b8c1ccff28a5091823df1aa4e13fe9da1b842e17ab27ac
IBM AIX 6.1.8+ Privilege Escalation
Posted Jun 12, 2014
Authored by Tim Brown | Site portcullis-security.com

IBM AIX versions 6.1.8 and later suffer from a local privilege escalation vulnerability in libodm due to an arbitrary file write.

tags | exploit, arbitrary, local
systems | aix
advisories | CVE-2014-3977
SHA-256 | 97e4f4df7a7a9611b4f08f9d707eb25d8be03e3dd8f09107da7a1f9b730f813c
IBM DB2 Privilege Escalation
Posted Jun 4, 2014
Authored by Tim Brown | Site portcullis-security.com

setuid and setgid programs can escalate privileges via insecure RPATH use in IBM DB2 systems.

tags | advisory
advisories | CVE-2014-0907
SHA-256 | 40679a4e85d6d23356386f0877e57636c158e282cb759a60f37f439933615e4e
IBM AIX Kernel Memory Leak / Denial Of Service
Posted May 6, 2014
Authored by Tim Brown | Site portcullis-security.com

IBM AIX versions 5.3, 6.1 and 7.1, and VIOS 2.2.* releases, suffer from kernel memory leak and denial of service vulnerabilities. It has been identified that the ptrace() system call can be manipulated by an unprivileged user into leaking uninitialized kernel memory and that the method by which this is achieved may also lead to a denial of service condition. This can be achieved by manipulating the parameters that are passed to the ptrace() system call when performing the PT_LDINFO operation. By calling ptrace(PT_LDINFO, childpid, leakbuffer, maximumleak, NULL) with a value of maximumleak that is greater than that required for the expected result of the PT_LDINFO operation, the AIX kernel will xmalloc() this space (without initializing it), populate it and then perform a copy operation that returns the result within leakbuffer.

tags | advisory, denial of service, kernel, vulnerability, memory leak
systems | aix
advisories | CVE-2014-0930
SHA-256 | 326046758c80dfd7a90603cb6033621d1db225d4cc2532b1585420f2b0419948
HP Insecure RPATH Use
Posted Apr 14, 2014
Authored by Tim Brown | Site portcullis-security.com

It has been identified that binaries that are executed with elevated privileges (SetGID and SetUID programs) have been compiled in a manner that causes them to search for libraries in insecure locations. Version 9.40 of HP Array Configuration Utility, HP Array Diagnostics Utility, HP ProLiant Array Diagnostics, and SmartSSD Wear Gauge Utility running on Linux are affected.

tags | exploit
systems | linux
advisories | CVE-2013-6216
SHA-256 | 4616ed05d73796339b56863cd74126065f2db7cca61db513f69ee6a4dd874c0f
BMC Patrol For AIX Insecure RPATH Use
Posted Apr 14, 2014
Authored by Tim Brown | Site portcullis-security.com

It has been identified that binaries that are executed with elevated privileges (SetGID and SetUID programs) have been compiled in a manner that causes them to search for libraries in insecure locations. Version 3.9.00 of BMC Patrol for AIX is affected.

tags | exploit
systems | aix
advisories | CVE-2014-2591
SHA-256 | d7bb7e62af377661d9e0fc40ac344b19949122236037b9511fb75a879d085add
QNX Neutrino RTOS 6.5.0 Privilege Escalation
Posted Mar 13, 2014
Authored by Tim Brown | Site nth-dimension.org.uk

QNX Neutrino RTOS version 6.5.0 suffers from multiple privilege escalation vulnerabilities.

tags | exploit, vulnerability
SHA-256 | e5e6ce35d1fa0f2a45836c06a404535d1ffccdb3b08407a60b96bf363dc0bd0a
HTML 5 Good Practice Guide
Posted May 16, 2013
Authored by Tim Brown | Site portcullis-security.com

This document is not intended to be a definitive guide, but more of a review of specific security issues resulting from the use of HTML 5.

tags | paper
SHA-256 | e3b7da92b117e655d18a4b2e648cd4ef9db4d3e700ec2c3b40f6234edae3ba09
RIM BlackBerry PlayBook OS 1.0.8.6067 Local File Access
Posted Dec 1, 2012
Authored by Tim Brown | Site nth-dimension.org.uk

The web browser which comes as part of the RIM BlackBerry PlayBook OS can be tricked into disclosing the contents of local files through the planting of a malicious HTML file through the standard download mechanism. It should be noted that in order to exploit this issue, user interaction is required as the user will need to confirm the download of the malicious HTML file.

tags | advisory, web, local
advisories | CVE-2012-5828
SHA-256 | 689b8d28b8e18196499d4e2793fe9980e7a00f2c1dcba64139cd3a89737e5628
Konqueror 4.7.3 Memory Corruption
Posted Oct 31, 2012
Authored by Tim Brown | Site nth-dimension.org.uk

Konqueror version 4.7.3 suffers from a number of memory corruption vulnerabilities.

tags | exploit, vulnerability
advisories | CVE-2012-4512, CVE-2012-4513, CVE-2012-4514, CVE-2012-4515
SHA-256 | e553338547e8f9516a41ca14cb1fb5ac3c1728638db05b0a8e2505e5ba2cfb72
Perl 5 Memory Corruption
Posted Oct 26, 2012
Authored by Tim Brown | Site nth-dimension.org.uk

The Perl 5 interpreter is vulnerable to a memory corruption vulnerability which results in memory disclosure and potentially arbitrary code execution when large values are supplied to the x operator.

tags | advisory, arbitrary, perl, code execution
advisories | CVE-2012-5195
SHA-256 | 553cb435fb55599355ceae80210dcc60509e0f1a51cae7259ce1394e8ef9ac7b
Qt KSSL URL Spoofing
Posted Oct 7, 2011
Authored by Tim Brown | Site nth-dimension.org.uk

Various Qt applications including KSSL (the KDE class library responsible for SSL negotiation), Rekonq, Arora and Psi IM are vulnerable to UI spoofing due to their use of QLabel objects to render externally controlled security critical information. The primary area of concern at this time relates to the named applications' SSL certificate dialogue UI; however, other similar dialogue boxes may also be vulnerable.

tags | advisory, spoof
advisories | CVE-2011-3365, CVE-2011-3366, CVE-2011-3367
SHA-256 | f1104d7ba2003aa2ac18e3d2d43aeb4860aa6ccd918b4b4b79f4e418e6abe44f
Ark 2.16 Directory Traversal
Posted Oct 7, 2011
Authored by Tim Brown | Site nth-dimension.org.uk

Ark version 2.16 suffers from a directory traversal vulnerability when handling a malformed ZIP file.

tags | exploit
advisories | CVE-2011-2725
SHA-256 | 65500fe3d0754fdf5656832e5ced430dddaaf1e71169286b94df909c93e51efa
Breaking The Links: Exploiting The Linker
Posted Jul 5, 2011
Authored by Tim Brown | Site nth-dimension.org.uk

The recent discussion relating to insecure library loading on the Microsoft Windows platform provoked a significant amount of debate as to whether GNU/Linux and UNIX variants could be vulnerable to similar attacks. Whilst the general consensus of the Slashdot herd appeared to be that this was just another example of Microsoft doing things wrong, the author felt this was unfair and responded with a blog post that sought to highlight an example of where POSIX style linkers get things wrong. Based on the feedback received to that post, the author decided to investigate the issue a little further. This paper is an amalgamation of what was learnt.

tags | paper
systems | linux, windows, unix, osx
SHA-256 | 38725ccf48a81f4e7da57a4196862e45b938f1fbb3f88bb603cf2a91867ab832
Konqueror 4.4.x / 4.5.x / 4.6.x HTML Injection
Posted Apr 12, 2011
Authored by Tim Brown | Site nth-dimension.org.uk

Nth Dimension Security Advisory (NDSA20110321) - Konqueror versions 4.4.x, 4.5.x, and 4.6.x suffer from an HTML injection vulnerability.

tags | exploit
advisories | CVE-2011-1168
SHA-256 | 14701c32ce4712f4d97a1de84cde5b129f9c273f5594ab66798fa5bbe15018db
QNX Neutrino RTOS Runtime Linker Arbitrary File Creation
Posted Mar 11, 2011
Authored by Tim Brown

The QNX Neutrino RTOS runtime linker allows the creation or overwriting of an arbitrary file. Moreover, the technique by which this can be achieved can be triggered even where the binary being executed is setUID and is running as another user. Version 6.5.0 is affected.

tags | advisory, arbitrary
SHA-256 | 7d1751f1d7538142a5f545dae3d6e0f64cbacc7f8b27be5bec111384542a5645
© 2022 Packet Storm. All rights reserved.