The fix Ubuntu applied to address the Ghostscript vulnerability identified in CVE-2018-16510 appears to be insufficient.
0ac0bf39a81253812182b1698273af4235df1fa484a59f5032b8a187be3fe340Ghostscript has an issues where callers of a procedure are not forced to be properly marked as executeonly or pseudo-operators, allowing for the ability to take complete control of it.
c212335a3050997bb3269410331972bd215ee205ac25561281f6b950ad7bb670Ghostscript suffers from an issue where .loadfontloop exposes system operators in the saved execution stack.
f56f6e290aa802089d31f8990302cc11931c689380900d290b6f5d35582d007bGhostscript suffers from an executeonly bypass with errorhandler setup.
227c5b9392a6f42cf0122d15af332350cf1583e4b26a4c958b0863f5133bbb38gsview does not run -dSAFER, allowing for the execution of arbitrary code.
6a94b056b7d504ce2307bdccc8d5e12f15fcf4dca1e0b3b87b1b2cb5cbff9723Ghostscript has an issue where an error object can expose system operators in the saved execution stack.
dcb624d6a7e684d9f9b8d63bc29a62e9a0cef57276d16e3a9b3f918f9d52cdbaThis Metasploit module exploits a -dSAFER bypass in Ghostscript to execute arbitrary commands by handling a failed restore (grestore) in PostScript to disable LockSafetyParams and avoid invalidaccess. This vulnerability is reachable via libraries such as ImageMagick, and this module provides the latest vector for Ghostscript.
9a18d75e03ae94b3478787aa8898389327fe3597f03bcf6872c9a239283731aeGhostscript suffers from file disclosure, shell command execution, memory corruption, and type confusion bugs.
373c0403a315de2cc28e94cb3d59abdc4fd65812e918d37aaa7564368a57973aFromDocToPdf exposes browsing history to all websites.
d7f71fcc058ac2ac713d8c08d38d49fb58106fe0ebb0890f7dc2caf14ad47d76The Video Downloader Chrome extension suffers from a universal cross site scripting vulnerability.
b5da74f181d1f9d011fafbb0bdf6621ecd124de93f2688457aaf9d1ad4cce81fThis Metasploit module attempts to gain root privileges on Linux systems by abusing a vulnerability in the GNU C Library (glibc) dynamic linker with libmemusage.so library.
866ac744c655ede9c376e4a47945a3a0e64a8cdb089b30ec2822adfef9bb9512Torrent file parsing in libtransmission suffers from overflow vulnerabilities.
54ad18d8336156df7524e96c3d9da8e72a4e6da0788daef159edd65d3ca2b6b4This Metasploit module attempts to gain root privileges on Fedora systems with a vulnerable version of Automatic Bug Reporting Tool (ABRT) configured as the crash handler. A race condition allows local users to change ownership of arbitrary files (CVE-2015-3315). This Metasploit module uses a symlink attack on '/var/tmp/abrt/*/maps' to change the ownership of /etc/passwd, then adds a new user with UID=0 GID=0 to gain root privileges. Winning the race could take a few minutes. This Metasploit module has been tested successfully on ABRT packaged version 2.1.5-1.fc19 on Fedora Desktop 19 x86_64, 2.2.1-1.fc19 on Fedora Desktop 19 x86_64 and 2.2.2-2.fc20 on Fedora Desktop 20 x86_64. Fedora 21 and Red Hat 7 systems are reportedly affected, but untested.
01b8bf4ffa026e722d143beb159ab4a57e3e4542e56046a209e14abce7657161This Metasploit module attempts to gain root privileges on Linux systems by abusing a vulnerability in the GNU C Library (glibc) dynamic linker. glibc ld.so in versions before 2.11.3, and 2.12.x before 2.12.2 does not properly restrict use of the LD_AUDIT environment variable when loading setuid executables which allows control over the $ORIGIN library search path resulting in execution of arbitrary shared objects. This Metasploit module opens a file descriptor to the specified suid executable via a hard link, then replaces the hard link with a shared object before instructing the linker to execute the file descriptor, resulting in arbitrary code execution. The specified setuid binary must be readable and located on the same file system partition as the specified writable directory. This Metasploit module has been tested successfully on glibc version 2.5 on CentOS 5.4 (x86_64), 2.5 on CentOS 5.5 (x86_64) and 2.12 on Fedora 13 (i386). RHEL 5 is reportedly affected, but untested. Some versions of ld.so hit a failed assertion in dl_open_worker causing exploitation to fail.
9a6bdfa99ad597fe9f9517dd0f8bdc9cdeba67fff5dacc64d849ac9bf5bfbfedThis Metasploit module attempts to gain root privileges on Linux systems by abusing a vulnerability in the GNU C Library (glibc) dynamic linker. glibc ld.so in versions before 2.11.3, and 2.12.x before 2.12.2 does not properly restrict use of the LD_AUDIT environment variable when loading setuid executables. This allows loading arbitrary shared objects from the trusted library search path with the privileges of the suid user. This Metasploit module uses LD_AUDIT to load the libpcprofile.so shared object, distributed with some versions of glibc, and leverages arbitrary file creation functionality in the library constructor to write a root-owned world-writable file to a system trusted search path (usually /lib). The file is then overwritten with a shared object then loaded with LD_AUDIT resulting in arbitrary code execution. This Metasploit module has been tested successfully on glibc version 2.11.1 on Ubuntu 10.04 x86_64 and version 2.7 on Debian 5.0.4 i386. RHEL 5 is reportedly affected, but untested. Some glibc distributions do not contain the libpcprofile.so library required for successful exploitation.
79d3dcb40544179ef2c545514e54b7352e225d51c57c720672f33d1b717c00e5The Grammarly chrome extension (approximately ~20M users) exposes it's auth tokens to all websites, therefore any website can login to grammarly.com as you and access all your documents, history, logs, and all other data.
38a9c89eebeb3e6644a94f0e937ee633297f223f24e55bd0ad56fef9c72d79e0This Metasploit module attempts to gain root privileges on Linux systems by invoking the default coredump handler inside a namespace ("container"). Apport versions 2.13 through 2.17.x before 2.17.1 on Ubuntu are vulnerable, due to a feature which allows forwarding reports to a container's Apport by changing the root directory before loading the crash report, causing 'usr/share/apport/apport' within the crashed task's directory to be executed. Similarly, Fedora is vulnerable when the kernel crash handler is configured to change root directory before executing ABRT, causing 'usr/libexec/abrt-hook-ccpp' within the crashed task's directory to be executed. In both instances, the crash handler does not drop privileges, resulting in code execution as root. This Metasploit module has been tested successfully on Apport 2.14.1 on Ubuntu 14.04.1 LTS x86 and x86_64 and ABRT on Fedora 19 and 20 x86_64.
9c651a9002f5646905fcb8abdec1552897cd260c341ec403e60727c2cf691713Blizzard's agent rpc authentication mechanism is vulnerable to DNS rebinding attacks.
01e7bdf4703d545404b5ea8d6c13d0e9fc1c4e0a98a205904426f38fbc152873The Transmission bittorrent client suffers from an RPC session-id mechanism design flaw.
eb5116fc215d9b67c48fcbe0240a784bca401f22dcc20bf7faa2ae78c70be6d1A Microsoft Windows win32k vulnerability has been discovered where using SetClassLong to switch between CS_CLASSDC and CS_OWNDC corrupts DC cache.
d07a83757124fecff65bbde70f529b29553e02b3ecba86891ac3d31b9a1e3f28Microsoft Windows 10 is forcibly installing the Keeper password manager which injects privileged UI's into pages.
ae83b2f7f72326bf46c86779b3f209ce03d065a4da2267e20c685c1f25425281Various GPC Sanitization bypasses exist in Cisco WebEx that can permit from arbitrary remote command execution.
2742e774481d9cd4f1486925a8d6d0f5cd50b3e1c50f16db34aa9fee06887044The Microsoft MsMpEng mpengine x86 emulator suffers from a heap corruption vulnerability in VFS API.
46362a2418387131b284b6f99ffbd92b63a52b28cf6850b31bc0119ebc171b9fThis Metasploit module triggers an arbitrary shared library load vulnerability in Samba versions 3.5.0 to 4.4.14, 4.5.10, and 4.6.4. This Metasploit module requires valid credentials, a writeable folder in an accessible share, and knowledge of the server-side path of the writeable folder. In some cases, anonymous access combined with common filesystem locations can be used to automatically exploit this vulnerability.
467d157dc1bbf3f036cc0f63f280fa7c6781fd91ca452708aab53393895c5ba1Microsoft MsMpEng suffers from multiple privilege escalation vulnerabilities.
b57fb4337aa82768637ff7b8efdf2fef6727f821ca5bfd34a0c7ad06e2c615e7
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed