This Metasploit module exploits a command injection vulnerability in IBM AIX invscout set-uid root utility present in AIX 7.2 and earlier. The undocumented -rpm argument can be used to install an RPM file; and the undocumented -o argument passes arguments to the rpm utility without validation, leading to command injection with effective-uid root privileges. This module has been tested successfully on AIX 7.2.
f3e0281ebf8cc8be1ea81e0032c40dcbde5f2db791362ec9903abdd761d6ef66This Metasploit module is an exploit that takes advantage of xglance-bin, part of HP's Glance (or Performance Monitoring) version 11 and subsequent, which was compiled with an insecure RPATH option. The RPATH includes a relative path to -L/lib64/ which can be controlled by a user. Creating libraries in this location will result in an escalation of privileges to root.
d8c4bb35d621bfc8cf65e13632145031a44e20cc02cc3e3045d3ba14a00ed48bxglance-bin local root privilege escalation exploit that has been tested on Linux RHEL 7.x/8.x systems.
d27e4f2ed6ba8d5e7e900a787e939d59f6386be68ee424e030c1c37dbe438c85This Metasploit module attempts to gain root privileges on QNX 6.4.x and 6.5.x systems by exploiting the ifwatchd suid executable. ifwatchd allows users to specify scripts to execute using the '-A' command line argument; however, it does not drop privileges when executing user-supplied scripts, resulting in execution of arbitrary commands as root. This Metasploit module has been tested successfully on QNX Neutrino 6.5.0 (x86) and 6.5.0 SP1 (x86).
520b8401fb7375e448a96f4237b4662a5608ef3cf6d4d3323e0c69df08ce3fa4Viprinet Multichannel VPN Router 300 suffers from multiple cross site scripting vulnerabilities.
845663dad41dae077c418a4bb396d1a462f0e32e87796c3f272773bb936411f0Viprinet Multichannel VPN Router 300 fails to verify the remote SSL VPN endpoint identity.
ea36b1964fe2d6d3cd269ee9fe4f17cffd19bd4f049fa07820aadbc257a0acf5Privilege escalation can be achieved via a symlink attack on POSIX shared memory with insecure permission in AMD fglrx-driver version 14.4.2.
4e6dcfe5ce3f850f7a06aad8a578e3e8da7469c5142c18444505b01a35ff813cPrivilege escalation can be achieved via a symlink attack on POSIX shared memory with insecure permission in AMD fglrx-driver version 15.7.
16d49a42c76981e04c0c6c2f6da6ae7568dd75790a6bcb587a7e5d388da2e479SAP ECC uses binaries that are executed with elevated privileges (SetGID and SetUID programs) that have been compiled in manner that means they searched for libraries in insecure locations.
dda76ea46a15e7f7868621a6ca1e393d8ba4ac5999ea0d317aec6164f94be550It has been identified that binaries that are executed with elevated privileges (SetGID and SetUID programs) in Compaq/HP's Glance for Linux have been compiled in manner that means they searched for libraries in insecure locations. Versions 11.00 and below are affected.
a66fb0a451a7f6dcc806352c69ac659b9668b544cb151ad815fc0f41f27c3245IBM AIX versions 6.1 and 7.1 suffer from a runtime linker privilege escalation vulnerability.
41ebbb62efa48c6f09b8c1ccff28a5091823df1aa4e13fe9da1b842e17ab27acIBM AIX versions 6.1.8 and later suffer from a local privilege escalation vulnerability in libodm due to an arbitrary file write.
97e4f4df7a7a9611b4f08f9d707eb25d8be03e3dd8f09107da7a1f9b730f813csetuid and setgid programs can escalate privileges via insecure RPATH use in IBM DB2 systems.
40679a4e85d6d23356386f0877e57636c158e282cb759a60f37f439933615e4eIBM AIX versions 5.3, 6.1 and 7.1 releases VIOS 2.2.* suffer from kernel memory leak and denial of service vulnerabilities. It has been identified that the ptrace() system call can be manipulated by an unprivileged user into leaking uninitialized kernel memory and that the method by which this is achieved may also lead to a denial of service condition. This can be achieved by manipulating the parameters that are passed to the ptrace() system call when performing the PT_LDINFO operation. By calling ptrace(PT_LDINFO, childpid, leakbuffer, maximumleak, NULL) with a value of maximumleak that greater than that required for the expected result of the PT_LDINFO operation, the AIX kernel will xmalloc() this space (without initializing it), populate it and then perform a copy operation that returns the result within leakbuffer.
326046758c80dfd7a90603cb6033621d1db225d4cc2532b1585420f2b0419948It has been identified that binaries that are executed with elevated privileges (SetGID and SetUID programs) have been compiled in manner that means they searched for libraries in insecure locations. Version 9.40 of HP Array Configuration Utility, HP Array Diagnostics Utility, HP ProLiant Array Diagnostics, and SmartSSD Wear Gauge Utility running on Linux are affected.
4616ed05d73796339b56863cd74126065f2db7cca61db513f69ee6a4dd874c0fIt has been identified that binaries that are executed with elevated privileges (SetGID and SetUID programs) have been compiled in manner that means they searched for libraries in insecure locations. Version 3.9.00 of BMC Patrol for AIX is affected.
d7bb7e62af377661d9e0fc40ac344b19949122236037b9511fb75a879d085addQNX Neutrino RTOS version 6.5.0 suffers from multiple privilege escalation vulnerabilities.
e5e6ce35d1fa0f2a45836c06a404535d1ffccdb3b08407a60b96bf363dc0bd0aThis document is not intended to be a definitive guide, but more of a review of specific security issues resulting from the use of HTML 5.
e3b7da92b117e655d18a4b2e648cd4ef9db4d3e700ec2c3b40f6234edae3ba09The web browser which comes as part of the RIM BlackBerry PlayBook OS can be tricked into disclosing the contents of local files through the planting of a malicious HTML file through the standard download mechanism. It should be noted that in order to exploit this issue, user interaction is required as the user will need to confirm the download of the malicious HTML file.
689b8d28b8e18196499d4e2793fe9980e7a00f2c1dcba64139cd3a89737e5628Konqueror version 4.7.3 suffers from a number of memory corruption vulnerabilities.
e553338547e8f9516a41ca14cb1fb5ac3c1728638db05b0a8e2505e5ba2cfb72The Perl 5 interpreter is vulnerable to a memory corruption vulnerability which results in memory disclosure and potentially arbitrary code execution when large values are supplied to the x operator.
553cb435fb55599355ceae80210dcc60509e0f1a51cae7259ce1394e8ef9ac7bVarious Qt applications including KSSL (the KDE class library responsible for SSL negotiation), Rekonq, Arora and Psi IM are vulnerable to UI spoofing due to their use of QLabel objects to render externally controlled security critical information. The primary area of concern at this time relates to the named applications SSL certificate dialogue UI however other similar dialogue boxes may also be vulnerable.
f1104d7ba2003aa2ac18e3d2d43aeb4860aa6ccd918b4b4b79f4e418e6abe44fArk version 2.16 suffers from a directory traversal vulnerability when handling a malformed ZIP file.
65500fe3d0754fdf5656832e5ced430dddaaf1e71169286b94df909c93e51efaThe recent discussion relating to insecure library loading on the Microsoft Windows platform provoked a significant amount of debate as to whether GNU/Linux and UNIX variants could be vulnerable to similar attacks. Whilst the general consensus of the Slashdot herd appeared to be that this was just another example of Microsoft doing things wrong, the author felt this was unfair and responded with a blog post that sought to highlight an example of where POSIX style linkers get things wrong. Based on the feedback received to that post, the author decided to investigate the issue a little further. This paper is an amalgamation of what was learnt.
38725ccf48a81f4e7da57a4196862e45b938f1fbb3f88bb603cf2a91867ab832Nth Dimension Security Advisory (NDSA20110321) - Konqueror versions 4.4.x, 4.5.x, and 4.6.x suffer from an HTML injection vulnerability.
14701c32ce4712f4d97a1de84cde5b129f9c273f5594ab66798fa5bbe15018db
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed