
Files Date: 2013-12-23

Practical Malleability Attack Against CBC Encrypted LUKS Partition
Posted Dec 23, 2013
Authored by Jakob Lell | Site jakoblell.com

The most popular full disk encryption solution for Linux is LUKS (Linux Unified Key Setup), which provides an easy-to-use encryption layer for block devices. By default, newly generated LUKS devices are set up with 256-bit AES in CBC mode. Since there is no integrity protection or checksum, it is obviously possible to destroy parts of plaintext files by changing the corresponding ciphertext blocks. Nevertheless, many users expect the encryption to ensure that an attacker can only change the plaintext to an unpredictable random value. The CBC mode used by default in LUKS, however, allows more targeted manipulation of the plaintext file, given that the attacker knows the original plaintext. This article demonstrates how this can be used to inject a full remote code execution backdoor into an encrypted installation of Ubuntu 12.04 created by the alternate installer (the default installer of Ubuntu 12.04 doesn't allow setting up full disk encryption).

tags | paper, remote, code execution
systems | linux, ubuntu
SHA-256 | 83e0e48a068a6889d9cec9e057406641dd9d38932ce22381b3c16a767ef73656
VMware Security Advisory 2013-0016
Posted Dec 23, 2013
Authored by VMware | Site vmware.com

VMware Security Advisory 2013-0016 - VMware ESXi and ESX contain a vulnerability in the handling of certain Virtual Machine file descriptors. This issue may allow an unprivileged vCenter Server user with the privilege "Add Existing Disk" to obtain read and write access to arbitrary files on ESXi or ESX. On ESX, an unprivileged local user may obtain read and write access to arbitrary files. Modifying certain files may allow for code execution after a host reboot.

tags | advisory, arbitrary, local, code execution
advisories | CVE-2013-5973
SHA-256 | d8e6ce5b00c5f9df58de586628a8bf7d43eab978ac46b1da4ee4ede79b23472d
Red Hat CloudForms Management Engine 5.1 agent/linuxpkgs Path Traversal
Posted Dec 23, 2013
Authored by Ramon de C Valle | Site metasploit.com

This Metasploit module exploits a path traversal vulnerability in the "linuxpkgs" action of the "agent" controller of the Red Hat CloudForms Management Engine 5.1 (ManageIQ Enterprise Virtualization Manager 5.0 and earlier). It uploads a fake controller to the controllers directory of the Rails application with the encoded payload as an action and sends a request to this action to execute the payload. Optionally, it can also upload a routing file containing a route to the action. (This is not necessary, since the application already contains a general default route.)

tags | exploit
systems | linux, redhat
advisories | CVE-2013-2068
SHA-256 | ecc3dfeae56af0d7e8234b449d220c4c30764ffe2c2b2a098d22efcf89701574
Synology DiskStation Manager SLICEUPLOAD Remote Command Execution
Posted Dec 23, 2013
Authored by Markus Wulftange | Site metasploit.com

This Metasploit module exploits a vulnerability found in Synology DiskStation Manager (DSM) versions 4.x, which allows the execution of arbitrary commands with root privileges. The vulnerability is located in /webman/imageSelector.cgi, which allows an unauthenticated user to append arbitrary data to a given file through the so-called SLICEUPLOAD functionality, triggered by a specially crafted HTTP request. This module uses it to append the given commands to /redirect.cgi, which is a regular shell script file that can be invoked with another HTTP request. Synology reported that the vulnerability has been fixed in versions 4.0-2259, 4.2-3243, and 4.3-3810 Update 1, respectively; the 4.1 branch remains vulnerable.

tags | exploit, web, arbitrary, shell, cgi, root
advisories | CVE-2013-6955
SHA-256 | 513af8fcad7f15ab39a785c35d338137aeacd8422cf292ee059738323ccdea1f
OpenSIS 'modname' PHP Code Execution
Posted Dec 23, 2013
Authored by EgiX | Site metasploit.com

This Metasploit module exploits a PHP code execution vulnerability in OpenSIS versions 4.5 to 5.2 which allows any authenticated user to execute arbitrary PHP code under the context of the web-server user. The 'ajax.php' file calls 'eval()' with user controlled data from the 'modname' parameter.

tags | exploit, web, arbitrary, php, code execution
advisories | CVE-2013-1349
SHA-256 | 7c1e06a8368ff3ba80da09ec39f138b29b87f7223b028687a6f1c5149cc3a95f
Zimbra Collaboration Server LFI
Posted Dec 23, 2013
Authored by rubina119 | Site metasploit.com

This Metasploit module exploits a local file inclusion on Zimbra 8.0.2 and 7.2.2. The vulnerability allows an attacker to get the LDAP credentials from the localconfig.xml file. The stolen credentials allow the attacker to make requests to the service/admin/soap API. This can then be used to create an authentication token for the admin web interface. This access can be used to achieve remote code execution. This Metasploit module has been tested on Zimbra Collaboration Server 8.0.2 with Ubuntu Server 12.04.

tags | exploit, remote, web, local, code execution, file inclusion
systems | linux, ubuntu
advisories | CVE-2013-7091
SHA-256 | e41cf490ab9469ce31ade3e3bc8198d90c941e76e3bd760f92078a0dc9e99472
HP SiteScope issueSiebelCmd Remote Code Execution
Posted Dec 23, 2013
Authored by rgod, juan vazquez | Site metasploit.com

This Metasploit module exploits a code execution flaw in HP SiteScope. The vulnerability exists in the APISiteScopeImpl web service, specifically in the issueSiebelCmd method, which allows the user to execute arbitrary commands without authentication. This Metasploit module has been tested successfully on HP SiteScope 11.20 over Windows 2003 SP2, Windows 2008 and CentOS 6.5.

tags | exploit, web, arbitrary, code execution
systems | linux, windows, centos
advisories | CVE-2013-4835, OSVDB-99230
SHA-256 | b961edaf771081e73dba11e81febc940689847d6bed6412bc6f0a4ad23ff2aae
Firefox 15.0.1 Code Execution
Posted Dec 23, 2013
Site metasploit.com

On versions of Firefox from 5.0 to 15.0.1, the InstallTrigger global, when given invalid input, would throw an exception that did not have an __exposedProps__ property set. By re-setting this property on the exception object's prototype, the chrome-based defineProperty method is made available. With the defineProperty method, functions belonging to window and document can be overridden with a function that gets called from a chrome-privileged context. From here, another vulnerability in the crypto.generateCRMFRequest function is used to "peek" into the context's private scope. Since the window does not have a chrome:// URL, the insecure parts of Components.classes are not available, so instead the AddonManager API is invoked to silently install a malicious plugin.

tags | exploit, cryptography
advisories | CVE-2012-3993, CVE-2013-1710, OSVDB-86111, OSVDB-96019
SHA-256 | f9c391aa7b550b10c8e9686f804da688eca5b3b20ea450df0a1b9e0dac71ac00
Synology DSM 4.3-3810 Directory Traversal
Posted Dec 23, 2013
Authored by Andrea Fabrizi

Synology DSM versions 4.3-3810 and below suffer from multiple directory traversal vulnerabilities.

tags | exploit, vulnerability, file inclusion
advisories | CVE-2013-6987
SHA-256 | baddc783cba3ba3012c1d9f37e58531b749662074b81d95266d64e6544b90e21
Mandriva Linux Security Advisory 2013-301
Posted Dec 23, 2013
Authored by Mandriva | Site mandriva.com

Mandriva Linux Security Advisory 2013-301 - Google notified Mozilla that an intermediate certificate, which chains up to a root included in Mozilla's root store, was loaded into a man-in-the-middle traffic management device. This certificate was issued by Agence nationale de la sécurité des systèmes d'information (ANSSI), an agency of the French government and a certificate authority in Mozilla's root program. A subordinate certificate authority of ANSSI mis-issued an intermediate certificate that they installed on a network monitoring device, which enabled the device to act as a MITM proxy performing traffic management of domain names or IP addresses that the certificate holder did not own or control. The issue was not specific to Firefox, but there was evidence that one of the certificates was used for MITM traffic management of domain names that the customer did not legitimately own or control. This issue was resolved by revoking trust in the intermediate used by the sub-CA to issue the certificate for the MITM device. The NSS packages have been upgraded to a version which is unaffected by this security flaw. Additionally, the rootcerts packages have been upgraded with the latest certdata.txt file as of 2013/12/04 from Mozilla.

tags | advisory, root
systems | linux, mandriva
SHA-256 | 5106dc3e07257f23956e443371826dd7fbe4e2c96c03e8fb81aad03e51d513ae
Mandriva Linux Security Advisory 2013-300
Posted Dec 23, 2013
Authored by Mandriva | Site mandriva.com

Mandriva Linux Security Advisory 2013-300 - Buffer overflow in the unpacksms16 function in apps/app_sms.c in Asterisk Open Source 1.8.x before, 10.x before 10.12.4, and 11.x before 11.6.1; Asterisk with Digiumphones 10.x-digiumphones before 10.12.4-digiumphones; and Certified Asterisk 1.8.x before 1.8.15-cert4 and 11.x before 11.2-cert3 allows remote attackers to cause a denial of service via a 16-bit SMS message. The updated packages have been upgraded to version 11.7.0, which resolves various upstream bugs and is not vulnerable to this issue.

tags | advisory, remote, denial of service, overflow
systems | linux, mandriva
advisories | CVE-2013-7100
SHA-256 | bdd55dafdcea4da65fe6942406c23930b4904a75c696868ded4267c8483b58b2
Debian Security Advisory 2826-1
Posted Dec 23, 2013
Authored by Debian | Site debian.org

Debian Linux Security Advisory 2826-1 - Helmut Grohne discovered that denyhosts, a tool preventing SSH brute-force attacks, could be used to perform remote denial of service against the SSH daemon. Incorrectly specified regular expressions used to detect brute force attacks in authentication logs could be exploited by a malicious user to forge crafted login names in order to make denyhosts ban arbitrary IP addresses.

tags | advisory, remote, denial of service, arbitrary
systems | linux, debian
advisories | CVE-2013-6890
SHA-256 | 911eae8a4359777646922069bd137d138c159a2227879e5f26b8365600301c86
Mandriva Linux Security Advisory 2013-299
Posted Dec 23, 2013
Authored by Mandriva | Site mandriva.com

Mandriva Linux Security Advisory 2013-299 - The winbind_name_list_to_sid_string_list function in nsswitch/pam_winbind.c in Samba through 4.1.2 handles invalid require_membership_of group names by accepting authentication by any user, which allows remote authenticated users to bypass intended access restrictions in opportunistic circumstances by leveraging an administrator's pam_winbind configuration-file mistake. Buffer overflow in the dcerpc_read_ncacn_packet_done function in librpc/rpc/dcerpc_util.c in winbindd in Samba 3.x before 3.6.22, 4.0.x before 4.0.13, and 4.1.x before 4.1.3 allows remote AD domain controllers to execute arbitrary code via an invalid fragment length in a DCE-RPC packet. The updated packages have been upgraded to version 3.6.22, which resolves various upstream bugs and is not vulnerable to these issues.

tags | advisory, remote, overflow, arbitrary
systems | linux, mandriva
advisories | CVE-2012-6150, CVE-2013-4408
SHA-256 | 616e78bf48894f3bc5d18232a8b44d069f6ab91be39e3eb85bbad5e45a00df87
Slackware Security Advisory - gnupg Updates
Posted Dec 23, 2013
Authored by Slackware Security Team | Site slackware.com

Slackware Security Advisory - New gnupg packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, and -current to fix a security issue.

tags | advisory
systems | linux, slackware
advisories | CVE-2013-4576
SHA-256 | ab3db282a85856e5b007899a61b52bc3ffcb2bbd489689a6786d35e69dff195f
TOR Virtual Network Tunneling Tool
Posted Dec 23, 2013
Authored by Roger Dingledine | Site tor.eff.org

Tor is a network of virtual tunnels that allows people and groups to improve their privacy and security on the Internet. It also enables software developers to create new communication tools with built-in privacy features. It provides the foundation for a range of applications that allow organizations and individuals to share information over public networks without compromising their privacy. Individuals can use it to keep remote Websites from tracking them and their family members. They can also use it to connect to resources such as news sites or instant messaging services that are blocked by their local Internet service providers (ISPs).

Changes: This release features a new circuit handshake and link encryption that use ECC to provide better security and efficiency; makes relays better manage circuit creation requests; uses "directory guards" to reduce client enumeration risks; makes bridges collect and report statistics about the pluggable transports they support; and cleans up and improves the geoip database. The release also includes many stability, security, and privacy fixes.
tags | tool, remote, local, peer2peer
systems | unix
SHA-256 | 53a28478c3f5161729c94ace0c132ce6e2a57418f9cb252f2c2abc3db979e121
© 2022 Packet Storm. All rights reserved.