This Metasploit module takes advantage of two vulnerabilities in order to gain remote code execution as root as an otherwise non-privileged authorized user. By taking advantage of a mass assignment vulnerability that allows an unprivileged authenticated user to change the administrator's password hash, the module updates the password to login as the admin to reach the second vulnerability. No server-side sanitization is done on values passed when configuring a static network interface. This allows an administrator user to run arbitrary commands in the context of the web application, which is root when configuring the network interface. This Metasploit module will inadvertently delete any other users that may have been present as a side effect of changing the admin's password.
dec69c75e7fc0e768a05e89693c7430eec2119658aa589cd230964ae4332340fFreeBSD Security Advisory - FreeBSD is alerting everyone to multiple OpenSSL vulnerabilities. The code used to handle the Heartbeat Extension does not do sufficient boundary checks on record length, which allows reading beyond the actual payload. Affects FreeBSD 10.0 only. A flaw in the implementation of Montgomery Ladder Approach would create a side-channel that leaks sensitive timing information.
66de8322e20a842eb886df05af8ec617a08fa29b761f8d1ec57df62b02a3009bFreeBSD Security Advisory - The Network File System (NFS) allows a host to export some or all of its file systems so that other hosts can access them over the network and mount them as if they were on local disks. FreeBSD includes both server and client implementations of NFS. The kernel holds a lock over the source directory vnode while trying to convert the target directory file handle to a vnode, which needs to be returned with the lock held, too. This order may be in violation of normal lock order, which in conjunction with other threads that grab locks in the right order, constitutes a deadlock condition because no thread can proceed. An attacker on a trusted client could cause the NFS server become deadlocked, resulting in a denial of service.
06a17d6d6d665cb7448fdfe9475b3cd86f41e2dbd4f78d7d2cd978834c281738GNUnet is a peer-to-peer framework with focus on providing security. All peer-to-peer messages in the network are confidential and authenticated. The framework provides a transport abstraction layer and can currently encapsulate the network traffic in UDP (IPv4 and IPv6), TCP (IPv4 and IPv6), HTTP, or SMTP messages. GNUnet supports accounting to provide contributing nodes with better service. The primary service build on top of the framework is anonymous file sharing.
f65cbbf9678d5b009b0a9ab2f2a29f8c956a3a23594fb404b10bbfc947fd9d13XCloner Standalone version 3.5 suffers from a cross site request forgery vulnerability.
7cff0b0c5062289d1c5503f87678d7e6b556fb49bac270e87ee36c051e96f8a0codecrypt is a GnuPG-like program for encryption and signing that uses only quantum-computer-resistant algorithms.
3a286297561acfa2c1e993319b1877b862e1a5000ed00727dafee5c81cdb1c45This exploit uses OpenSSL to create an encrypted connection and trigger the heartbleed leak. The leaked information is returned encrypted and is then decrypted, decompressed and wrote to a file to annoy IDS/forensics. The exploit can set the heatbeart payload length arbitrarily or use two preset values for 0x00 and MAX length. The vulnerability occurs due to bounds checking not being performed on a heap value which is user supplied and returned to the user as part of DTLS/TLS heartbeat SSL extension. All versions of OpenSSL 1.0.1 to 1.0.1f are known affected. You must run this against a target which is linked to a vulnerable OpenSSL library using DTLS/TLS.
68bcedd2a727967e92d3a342ff6f366dc236929be5c2a5f69dba9ed2c35f299aCisco Security Advisory - Cisco Adaptive Security Appliance (ASA) Software is affected by privilege escalation, denial of service, and authentication bypass vulnerabilities. These vulnerabilities are independent of one another; a release that is affected by one of the vulnerabilities may not be affected by the others. Successful exploitation of the Cisco ASA ASDM Privilege Escalation Vulnerability and the Cisco ASA SSL VPN Privilege Escalation Vulnerability may allow an attacker or an unprivileged user to elevate privileges and gain administrative access to the affected system. Successful exploitation of the Cisco ASA SSL VPN Authentication Bypass Vulnerability may allow an attacker to obtain unauthorized access to the internal network via SSL VPN. Successful exploitation of the Cisco ASA SIP Denial of Service Vulnerability may cause the exhaustion of available memory. This may cause system instability and in some cases lead to a reload of the affected system, creating a denial of service (DoS) condition. Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate these vulnerabilities are available for some of the vulnerabilities.
5ffa540e1b4add8c5abe5610ec11ee29186c48e865781549c862029d466feeecCisco Security Advisory - Multiple Cisco products incorporate a version of the OpenSSL package affected by a vulnerability that could allow an unauthenticated, remote attacker to retrieve memory in chunks of 64 kilobytes from a connected client or server. The vulnerability is due to a missing bounds check in the handling of the Transport Layer Security (TLS) heartbeat extension. An attacker could exploit this vulnerability by implementing a malicious TLS or Datagram Transport Layer Security (DTLS) client, if trying to exploit the vulnerability on an affected server, or a malicious TLS or DTLS server, if trying to exploit the vulnerability on an affected client. An exploit could send a specially crafted TLS or DTLS heartbeat packet to the connected client or server. An exploit could allow the attacker to disclose a limited portion of memory from a connected client or server for every heartbeat packet sent. The disclosed portions of memory could contain sensitive information that may include private keys and passwords. Cisco is currently investigating its product line to determine which products may be affected by this vulnerability and the impact on the affected product. This advisory will be updated as additional information becomes available. Cisco will release free software updates that address these vulnerabilities. Workarounds that mitigate these vulnerabilities may be available.
aa38d0a817596e13f8bd7b8c188c91ddc36ab01e027ee09f40c70a1a9f415b96Mandriva Linux Security Advisory 2014-067 - The Montgomery ladder implementation in OpenSSL through 1.0.0l does not ensure that certain swap operations have a constant-time behavior, which makes it easier for local users to obtain ECDSA nonces via a FLUSH+RELOAD cache side-channel attack.
a127887900d2b929726e76323b76e1d45cc581c61d96285182096fdc43b7f4e5Slackware Security Advisory - New openssl packages are available for Slackware 14.0, 14.1, and -current to fix security issues.
cbd69fa7127b1d2897618471567a32c476868f13b4a86d93ce55cb40cf6bd0f5Red Hat Security Advisory 2014-0380-01 - The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash Player web browser plug-in. This update fixes multiple vulnerabilities in Adobe Flash Player. These vulnerabilities are detailed in the Adobe Security Bulletin APSB14-09, listed in the References section. Two flaws were found in the way flash-plugin displayed certain SWF content. An attacker could use these flaws to create a specially crafted SWF file that would cause flash-plugin to crash or, potentially, execute arbitrary code when the victim loaded a page containing the malicious SWF content.
b1c14a6ac4e752c0395f1a5cf3e68d4c9a49a6db0adda89702016afc1fbf3359Red Hat Security Advisory 2014-0389-01 - The Red Hat Enterprise Virtualization reports package provides a suite of pre-configured reports and dashboards that enable you to monitor the system. The reports module is based on JasperReports and JasperServer, and can also be used to create ad-hoc reports. XStream is a simple library used by the Red Hat Enterprise Virtualization reports package to serialize and de-serialize objects to and from XML. It was found that XStream could deserialize arbitrary user-supplied XML content, representing objects of any type. A remote attacker able to pass XML to XStream could use this flaw to perform a variety of attacks, including remote code execution in the context of the server running the XStream application.
a16c938d12b5e191b973ee7db660a864e245264c8e258440a41f5ef37b3c9858Red Hat Security Advisory 2014-0383-01 - Samba is an open-source implementation of the Server Message Block or Common Internet File System protocol, which allows PC-compatible machines to share files, printers, and other information. It was found that certain Samba configurations did not enforce the password lockout mechanism. A remote attacker could use this flaw to perform password guessing attacks on Samba user accounts. Note: this flaw only affected Samba when deployed as a Primary Domain Controller. A flaw was found in Samba's "smbcacls" command, which is used to set or get ACLs on SMB file shares. Certain command line options of this command would incorrectly remove an ACL previously applied on a file or a directory, leaving the file or directory without the intended ACL.
c19e6cdc1c86ce8d2d9ae6517afe1389434492cef52a2b207665af7e66b3427bRed Hat Security Advisory 2014-0382-01 - Python-keystoneclient is a client library and a command line utility for interacting with the OpenStack Identity API. The OpenStack Identity auth_token middleware component handles the authentication of tokens with keystone. When using the auth_token middleware with the memcached token cache enabled, a token for a different identity could be returned. An authenticated user could use this flaw to escalate their privileges by making repeated requests that could eventually allow the user to acquire the administrator's identity. Note that only OpenStack Identity setups using auth_token with memcached were affected.
297e1003410dcf60a89fdc9e38b34135aa67e5284db0c945d874f56b36d8ebccDebian Linux Security Advisory 2898-1 - Several buffer overflows were found in Imagemagick, a suite of image manipulation programs. Processing malformed PSD files could lead to the execution of arbitrary code.
99ac6d2c8ab0c93636ebfd52a3e5fc9843527483aa24a4fea1b7dc184a68c9deMandriva Linux Security Advisory 2014-073 - The BEGIN regular expression in the awk script detector in magic/Magdir/commands in file before 5.15 uses multiple wildcards with unlimited repetitions, which allows context-dependent attackers to cause a denial of service via a crafted ASCII file that triggers a large amount of backtracking, as demonstrated via a file with many newline characters.
3a942a72f3bb0e2d469def4623994ff2661f53ca7af93d0cf0a7bda17e0e2da7Mandriva Linux Security Advisory 2014-070 - Florian Weimer of the Red Hat Product Security Team discovered a heap-based buffer overflow flaw in LibYAML, a fast YAML 1.1 parser and emitter library. A remote attacker could provide a YAML document with a specially-crafted tag that, when parsed by an application using libyaml, would cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application. Ivan Fratric of the Google Security Team discovered a heap-based buffer overflow vulnerability in LibYAML, a fast YAML 1.1 parser and emitter library. A remote attacker could provide a specially-crafted YAML document that, when parsed by an application using libyaml, would cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application.
e1f25c0d583c8304373cd3d2e2f19521ec8fc4f79262b8cb5e657e1765fdf67fMandriva Linux Security Advisory 2014-072 - XML eXternal Entity flaws were discovered in the Zend Framework. An attacker could use these flaws to cause a denial of service, access files accessible to the server process, or possibly perform other more advanced XML External Entity attacks. Using the Consumer component of Zend_OpenId, it is possible to login using an arbitrary OpenID account (without knowing any secret information) by using a malicious OpenID Provider. That means OpenID it is possible to login using arbitrary OpenID Identity (MyOpenID, Google, etc), which are not under the control of our own OpenID Provider. Thus, we are able to impersonate any OpenID Identity against the framework.
e61ba5c2e78ef37292a817b871cf91b02ffe099c4bc2a6fa1a917b89f1b8b71dMandriva Linux Security Advisory 2014-071 - Updated yaml package fixes security vulnerability. Ivan Fratric of the Google Security Team discovered a heap-based buffer overflow vulnerability in LibYAML, a fast YAML 1.1 parser and emitter library. A remote attacker could provide a specially-crafted YAML document that, when parsed by an application using libyaml, would cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application.
b4520413f13f98b58835dfd771527df782dbfb9fac3b41bddf49648c08e96dbcMandriva Linux Security Advisory 2014-069 - Florian Weimer of the Red Hat Product Security Team discovered a heap-based buffer overflow flaw in LibYAML, a fast YAML 1.1 parser and emitter library. A remote attacker could provide a YAML document with a specially-crafted tag that, when parsed by an application using libyaml, would cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application. Ivan Fratric of the Google Security Team discovered a heap-based buffer overflow vulnerability in LibYAML, a fast YAML 1.1 parser and emitter library. A remote attacker could provide a specially-crafted YAML document that, when parsed by an application using libyaml, would cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application. The perl-YAML-LibYAML package is being updated as it contains an embedded copy of LibYAML.
7780c075cd1933fc997c7782f56a049a03ed5df420f176a747880ed4304ee9f9Mandriva Linux Security Advisory 2014-068 - sshd in OpenSSH before 6.6 does not properly support wildcards on AcceptEnv lines in sshd_config, which allows remote attackers to bypass intended environment restrictions by using a substring located before a wildcard character. Matthew Vernon reported that if a SSH server offers a HostCertificate that the ssh client doesn't accept, then the client doesn't check the DNS for SSHFP records. As a consequence a malicious server can disable SSHFP-checking by presenting a certificate.
0cf7a48470f92f54508eabbd4f9e1e0ae23f32cf46918fd1489cc6e856cf1a08Orbit Open Ad Server version 1.1.0 suffers from a remote SQL injection vulnerability.
14a316274072f518559f502c18206d4ed660b33f9595c21dbee1144b878ea2edOpenSSL TLS Heartbeat extension memory disclosure proof of concept. Expansion of the original exploit from Jared Stafford - this one supports multiple SSL/TLS versions.
eacf96cd5f65b639ffd1574293f581a43f690b7ab4f4237f23f7ea69179e7347Trixbox version 2.8.0.4 suffers from a cross site scripting vulnerability.
ac5debdefb1713dc35b3a6547af2cb9057024a951ff7e65c23b7c5901c7dc96f
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed