
Files from Pietro Oliva

Email address: pietroliva at gmail.com
First Active: 2010-01-07
Last Active: 2020-09-18

TP-Link Cloud Cameras NCXXX Bonjour Command Injection
Posted Sep 18, 2020
Authored by Pietro Oliva | Site metasploit.com

TP-Link cloud cameras NCXXX series (NC200, NC210, NC220, NC230, NC250, NC260, NC450) are affected by an authenticated command injection vulnerability. In all devices except NC210, despite a check on the name length in swSystemSetProductAliasCheck, no other checks are in place to prevent shell metacharacters from being introduced. The system name would then be used in swBonjourStartHTTP as part of a shell command where arbitrary commands could be injected and executed as root. NC210 devices cannot be exploited directly via /setsysname.cgi due to proper input validation, but they are still vulnerable since swBonjourStartHTTP did not perform any validation when reading the alias name from the configuration file. The configuration file can be written, and code execution can be achieved by combining this issue with CVE-2020-12110.

tags | exploit, arbitrary, shell, cgi, root, code execution
advisories | CVE-2020-12109
MD5 | 65581bfcfd69f6bd2c8b8917eda921c4
Noise-Java AESGCMOnCtrCipherState.encryptWithAd() Insufficient Boundary Checks
Posted Sep 4, 2020
Authored by Pietro Oliva

Noise-Java suffers from an issue located in the AESGCMOnCtrCipherState.encryptWithAd() method defined in AESGCMOnCtrCipherState.java, where multiple boundary checks are performed to prevent invalid length or offsets from being specified for the encrypt or copy operation. However, some checks were found to be either incomplete or missing.

tags | exploit, java
advisories | CVE-2020-25023
MD5 | 2000d4bd0d53218ec12c6003e0330b00
Noise-Java ChaChaPolyCipherState.encryptWithAd() Insufficient Boundary Checks
Posted Sep 3, 2020
Authored by Pietro Oliva

Noise-Java suffers from an issue located in the ChaChaPolyCipherState.encryptWithAd() method defined in ChaChaPolyCipherState.java, where multiple boundary checks are performed to prevent invalid length or offsets from being specified for the encrypt or copy operation. However, some checks were found to be either incomplete or missing.

tags | exploit, java
advisories | CVE-2020-25021
MD5 | 1b9c6cfdd05d4fa967a1068319a9a299
Noise-Java AESGCMFallbackCipherState.encryptWithAd() Insufficient Boundary Checks
Posted Sep 3, 2020
Authored by Pietro Oliva

Noise-Java suffers from an issue located in the AESGCMFallbackCipherState.encryptWithAd() method defined in AESGCMFallbackCipherState.java, where multiple boundary checks are performed to prevent invalid length or offsets from being specified for the encrypt or copy operation. However, some checks were found to be either incomplete or missing.

tags | exploit, java
advisories | CVE-2020-25022
MD5 | a1cc345764fb55e23d716be4651c4749
Avian JVM 1.2.0 Silent Return
Posted Aug 12, 2020
Authored by Pietro Oliva

Avian JVM version 1.2.0 suffers from a silent return issue in the vm::arrayCopy method defined in classpath-common.h, where multiple boundary checks are performed to prevent out-of-bounds memory read/write. One of these boundary checks makes the code return silently when a negative length is provided instead of throwing an exception.

tags | exploit
advisories | CVE-2020-17361
MD5 | 0250f2cc9c215daf1b9429c6dd2bd22a
Avian JVM 1.2.0 Integer Overflow
Posted Aug 12, 2020
Authored by Pietro Oliva

Avian JVM version 1.2.0 suffers from multiple vm::arrayCopy() integer overflow vulnerabilities.

tags | exploit, overflow, vulnerability
advisories | CVE-2020-17360
MD5 | c9ea3002edc4dc27f2032a67653773ac
TP-LINK Cloud Cameras NCXXX Stack Overflow
Posted Jun 16, 2020
Authored by Pietro Oliva

TP-LINK Cloud Cameras NCXXX suffer from a DelMultiUser stack overflow vulnerability.

tags | exploit, overflow
advisories | CVE-2020-13224
MD5 | 2e5485e5a29b2903236f12f546e6d0e6
TP-LINK Cloud Cameras NCXXX SetEncryptKey Command Injection
Posted May 1, 2020
Authored by Pietro Oliva

TP-LINK Cloud Cameras including products NC260 and NC450 suffer from a command injection vulnerability. The issue is located in the httpSetEncryptKeyRpm method (handler for /setEncryptKey.fcgi) of the ipcamera binary, where the user-controlled EncryptKey parameter is used directly as part of a command line to be executed as root without any input sanitization.

tags | exploit, root
advisories | CVE-2020-12111
MD5 | 9ca6bd89ed55046f95b5938be59cca18
TP-LINK Cloud Cameras NCXXX Hardcoded Encryption Key
Posted May 1, 2020
Authored by Pietro Oliva

TP-LINK Cloud Cameras including products NC200, NC210, NC220, NC230, NC250, NC260, and NC450 suffer from having a hardcoded encryption key. The issue is located in the methods swSystemBackup and sym.swSystemRestoreFile, where a hardcoded encryption key is used in order to encrypt/decrypt a config backup file. The algorithm in use is DES ECB with modified s-boxes and permutation tables.

tags | exploit
advisories | CVE-2020-12110
MD5 | 435bc8509925987279d2a4323801513a
TP-LINK Cloud Cameras NCXXX Bonjour Command Injection
Posted May 1, 2020
Authored by Pietro Oliva

TP-LINK Cloud Cameras including products NC200, NC210, NC220, NC230, NC250, NC260, and NC450 suffer from a command injection vulnerability. The issue is located in the swSystemSetProductAliasCheck method of the ipcamera binary (called when setting a new alias for the device via /setsysname.fcgi), where despite a check on the name length, no other checks are in place to prevent shell metacharacters from being introduced. The system name would then be used in swBonjourStartHTTP as part of a shell command where arbitrary commands could be injected and executed as root.

tags | exploit, arbitrary, shell, root
advisories | CVE-2020-12109
MD5 | 55083492881e98ef2dd06b513cdf658d
TP-LINK Cloud Cameras NCXXX Remote NULL Pointer Dereference
Posted Apr 1, 2020
Authored by Pietro Oliva

TP-LINK cloud cameras including products NC200, NC210, NC220, NC230, NC250, NC260, and NC450 suffer from a remote null pointer dereference vulnerability.

tags | advisory, remote
advisories | CVE-2020-10231
MD5 | 8a66c2d03002019d01d83e427c1b0fb9
WordPress Pods 2.4.3 CSRF / Cross Site Scripting
Posted Jan 12, 2015
Authored by Pietro Oliva

WordPress Pods plugin versions 2.4.3 and below suffer from cross site request forgery and cross site scripting vulnerabilities.

tags | exploit, vulnerability, xss, csrf
advisories | CVE-2014-7956, CVE-2014-7957
MD5 | 8393d28eee39aab2c860fcfbd03f64d2
WordPress Bulletproof-Security .51 XSS / SQL Injection / SSRF
Posted Nov 5, 2014
Authored by Pietro Oliva

WordPress Bulletproof-Security version .51 suffers from SSRF, cross site scripting, and remote SQL injection vulnerabilities.

tags | exploit, remote, vulnerability, xss, sql injection
advisories | CVE-2014-7958, CVE-2014-7959, CVE-2014-8749
MD5 | cca9c0ce97545065baa0c25016689ac8
WordPress Buddypress 1.9.1 Privilege Escalation
Posted Feb 14, 2014
Authored by Pietro Oliva

WordPress Buddypress plugin versions 1.9.1 and below suffer from a privilege escalation vulnerability.

tags | exploit
advisories | CVE-2014-1889
MD5 | b7ae87866e54f8494c55561931e79a7b
WordPress Buddypress 1.9.1 Cross Site Scripting
Posted Feb 14, 2014
Authored by Pietro Oliva

WordPress Buddypress plugin versions 1.9.1 and below suffer from a persistent cross site scripting vulnerability.

tags | exploit, xss
advisories | CVE-2014-1888
MD5 | c11fda673c81b0c6a4c652a69f4bd6cf
Mplayer 4.4.1 NULL Pointer Dereference
Posted Mar 18, 2010
Authored by Pietro Oliva

mplayer versions 4.4.1 and below NULL pointer dereference exploit.

tags | exploit
MD5 | 5b393ddf344fc2b81f77436fcce10dc8
Gnome Panel 2.28.0 Denial Of Service
Posted Jan 7, 2010
Authored by Pietro Oliva

Gnome Panel versions 2.28.0 and below denial of service proof of concept exploit.

tags | exploit, denial of service, proof of concept
MD5 | d277e073740c5049588e249501c66757
© 2020 Packet Storm. All rights reserved.
