This paper details how poorly Linux devices in cop cars are set up and how their lack of a secure design puts everyone at risk.
This Metasploit module exploits a flaw in the getSoundbank function in the Sun JVM. The payload is serialized and passed to the applet via PARAM tags. It must be a native payload. The affected Java versions are JDK and JRE 6 Update 16 and earlier, JDK and JRE 5.0 Update 21 and earlier, SDK and JRE 1.4.2_23 and earlier, and SDK and JRE 1.3.1_26 and earlier. NOTE: Although all of the above versions are reportedly vulnerable, only 1.6.0_u11 and 1.6.0_u16 on Windows XP SP3 were tested.
This Metasploit module exploits a command execution vulnerability in the Mail.app application shipped with Mac OS X 10.5.0. This flaw was patched in 10.4 in March of 2007, but reintroduced into the final release of 10.5.
This Metasploit module exploits the Wyse Rapport Hagent service by pretending to be a legitimate server. This process involves starting both HTTP and FTP services on the attacker side, then contacting the Hagent service of the target and indicating that an update is available. The target will then download the payload wrapped in an executable from the FTP service.
This Metasploit module exploits an arbitrary memory access vulnerability in the Quicktime for Java API provided with Quicktime 7.
Proof of concept exploit for the Safari RSS feed:// buffer overflow via libxml2.
This Metasploit module is a credential leak sniffer for the GE Proficy Real Time Information Portal.
This is a paper detailing the Five Ws of the Citect ODBC vulnerability that affects Citect versions 5, 6, and 7.
This Metasploit module exploits a stack overflow in CitectSCADA's ODBC daemon. This has only been tested against Citect versions 5, 6, and 7.
Netragard, L.L.C Advisory - Netragard's SNOsoft Research Team discovered two critical vulnerabilities in the OpenBase SQL Relational Database that can lead to full system compromise. OpenBase versions 10.0.5 and below are affected.
This Metasploit module exploits a buffer overflow in the version of libtiff shipped with firmware versions 1.00, 1.01, 1.02, and 1.1.1 of the Apple iPhone. iPhones which have not had the BSD tools installed will need to use a special payload.
A format string vulnerability exists in vpnd. By running the vpnd command with maliciously crafted arguments, a local user can trigger the vulnerability which may lead to arbitrary code execution with system privileges. This file exploits this vulnerability on Mac OS X.
Netragard, L.L.C Advisory - An exploitable vulnerability exists in FrontBase that can be used to gain NT AUTHORITY\SYSTEM or root privileges on an affected system. FrontBase versions 4.2.7 and below are affected.
Netragard, L.L.C Advisory - McAfee Virex contains an exploitable feature that enables users to define which files should be excluded from scanning. This feature relies on a configuration file with insecure permissions, located in /Library/Application Support. Any user on the system can modify or delete the configuration file, thereby affecting what Virex will scan. Versions 7.7 and below are affected.
Month of Apple Bugs - crashdump follows symlinks within the /Library/Logs/CrashReporter/ directory, allowing admin-group users to execute arbitrary code and overwrite files with elevated privileges. Combined with a specially crafted Mach-O binary, this can be used to write a malicious crontab entry, which will run with root privileges. This ruby code demonstrates this vulnerability.
Month of Apple Bugs - Flip4Mac fails to properly handle WMV files with a crafted ASF_File_Properties_Object size field, leading to an exploitable memory corruption condition, which can be abused remotely for arbitrary code execution. This tgz holds a malicious .wmv file that demonstrates this vulnerability.
Month of Apple Bugs - An InputManager provided by the user is loaded, and code within the input manager will run under wheel privileges. In combination with diskutil and a wheel-writable setuid binary, this allows unprivileged users to gain root privileges. This is the proof of concept exploit that demonstrates this vulnerability.
Month of Apple Bugs - The preference panes setuid helper, writeconfig, makes use of a shell script which lacks PATH sanitization, allowing users to execute arbitrary binaries under root privileges. This is the proof of concept exploit that demonstrates this vulnerability.
Month of Apple Bugs - Apple iChat AIM URI scheme (referred to as the 'url handler') handling is affected by a classic format string vulnerability, allowing remote users to cause a denial of service condition or arbitrary code execution. This is the proof of concept exploit that demonstrates this vulnerability.
Month of Apple Bugs - Transmit does not allocate enough space when dealing with the string passed on via the ftps:// URL handler, leading to an exploitable heap-based buffer overflow condition. This is the proof of concept exploit.
Month of Apple Bugs - Proof of concept exploit for rumpusd. rumpusd is vulnerable to several remotely exploitable heap-based buffer overflows, denial of service conditions and local privilege escalation issues.
Month of Apple Bugs - Proof of concept exploit for slpd. slpd is vulnerable to a buffer overflow condition when processing the attr-list field of a registration request, leading to an exploitable denial of service condition and potential arbitrary code execution. It would allow unprivileged local (and possibly remote) users to execute arbitrary code under root privileges.
Month of Apple Bugs - Proof of concept exploit for Colloquy. Colloquy is vulnerable to a format string vulnerability in the handling of INVITE requests, which can be abused by remote users and requires no user interaction at all, leading to a denial of service and potential arbitrary code execution.
Finder is affected by a memory corruption vulnerability, which leads to an exploitable denial of service condition and potential arbitrary code execution, that can be triggered by DMG images.