Exploit the possibilities

Files Date: 2015-12-14

Avast Stack Buffer Overflow
Posted Dec 14, 2015
Authored by Tavis Ormandy, Google Security Research

Avast suffers from a stack buffer overflow where strncpy length is discarded.

tags | advisory, overflow
systems | linux
MD5 | 10d2808ab1b30d2c58ffd62c6d44f4cb
Microsoft Office / COM Object DLL Planting
Posted Dec 14, 2015
Authored by Google Security Research, scvitti

It is possible for an attacker to execute a DLL planting attack in Microsoft Office 2010 on Windows 7 x86 with a specially crafted OLE object. This attack also works on Office 2013 running on Windows 7 x64. Other platforms were not tested. The attached POC document "planted-mqrt.doc" contains what was originally an embedded Packager object. The CLSID for this object was changed at offset 0x2650 to be {ecabafc9-7f19-11d2-978e-0000f8757e2a} (formatted as pack(">IHHBBBBBBBB")). This object has an InProcServer32 pointing to comsvcs.dll, specifically the CQueueAdmin object implemented in the DLL. When a user opens this document and single clicks on the icon for foo.txt, ole32!OleLoad is invoked on our vulnerable CLSID. This results in a call to a class factory constructor that eventually tries to call mqrt!MQGetPrivateComputerInformation. Because mqrt is a delay loaded DLL, the loader has inserted a stub to call _tailMerge_mqrt_dll on the first call of this function. This results in a kernelbase!LoadLibraryExA call vulnerable to DLL planting. If the attached mqrt.dll is placed in the same directory with the planted-mqrt.doc file, you should see a popup coming from this DLL being loaded from the current working directory of Word.

tags | exploit, x86
systems | linux, windows, 7
advisories | CVE-2015-6132
MD5 | 7baf5545ef803add763ebdd29e019de5
Avast OOB Write Decrypting PEncrypt Packed Executables
Posted Dec 14, 2015
Authored by Tavis Ormandy, Google Security Research

The attached PEncrypt packed executable causes an OOB write on Avast Server Edition. The attached testcase has the password "infected" to avoid disrupting your mail server.

tags | exploit
systems | linux
MD5 | bbf591fda9b4ac5d5421dedcf676e6a1
Avast Heap Overflow Unpacking MoleBox Archives
Posted Dec 14, 2015
Authored by Tavis Ormandy, Google Security Research

Trivial fuzzing of molebox archives revealed a heap overflow decrypting the packed image in moleboxMaybeUnpack. This vulnerability is obviously exploitable for remote arbitrary code execution as NT AUTHORITY\SYSTEM.

tags | exploit, remote, overflow, arbitrary, code execution
systems | linux
MD5 | 6ee3126b1419bbf96d29df50b73f160b
Avast JetDb::IsExploited4x Performs Unbounded Search On Input
Posted Dec 14, 2015
Authored by Tavis Ormandy, Google Security Research

The attached Microsoft Access Database causes JetDb::IsExploited4x to be called, which contains an unbounded search for objects.

tags | exploit
systems | linux
MD5 | 016b759cc42f8c01bde1d8d7c5fff43a
Rar CmdExtract::UnstoreFile Integer Truncation Memory Corruption
Posted Dec 14, 2015
Authored by Tavis Ormandy, Google Security Research

The attached file crashes in CmdExtract::UnstoreFile because the signed int64 DestUnpSize is truncated to an unsigned 32bit integer. Perhaps CmdExtract::ExtractCurrentFile should sanity check Arc.FileHead.UnpSize early. The researcher observed this crash in Avast Antivirus, but the origin of the code appears to be the unrar source distribution. Many other antiviruses may be affected, and presumably WinRAR and other archivers.

tags | exploit
systems | linux
MD5 | c5a7fe8daf45a195bbec17e45f37503e
Avast Integer Overflow Verifying NumFonts In TTC Header
Posted Dec 14, 2015
Authored by Tavis Ormandy, Google Security Research

If the numFonts field in the TTC header is greater than (SIZE_MAX+1) / 4, an integer overflow occurs in filevirus_ttf() when calling CSafeGenFile::SafeLockBuffer.

tags | exploit, overflow
systems | linux
MD5 | db211b9ee4b3ab648f15f572284b06f4
Adobe Flash IExternalizable.readExternal Type Confusion
Posted Dec 14, 2015
Authored by Google Security Research, natashenka

If IExternalizable.readExternal is overridden with a value that is not a function, Flash assumes it is a function even though it is not one. This leads to execution of a 'method' outside of the ActionScript object's ActionScript vtable, leading to memory corruption.

tags | exploit
systems | linux
advisories | CVE-2015-7647
MD5 | e828a7253a01bc67e67b81be5556d704
Adobe Flash ObjectEncoder.dynamicPropertyWriter Type Confusion
Posted Dec 14, 2015
Authored by Google Security Research, natashenka

There is a type confusion issue during serialization if ObjectEncoder.dynamicPropertyWriter is overridden with a value that is not a function.

tags | exploit
systems | linux
advisories | CVE-2015-7648
MD5 | 2d9994435383066b7da4600d47a38b47
Kaspersky Antivirus Virtual Keyboard GetGraphics() Path Traversal
Posted Dec 14, 2015
Authored by Tavis Ormandy, Google Security Research

Kaspersky Virtual Keyboard suffers from a path traversal vulnerability.

tags | exploit
systems | linux
MD5 | 447098f7ca900017601df2ecdc1831a5
TOR Virtual Network Tunneling Tool 0.2.7.6
Posted Dec 14, 2015
Authored by Roger Dingledine | Site tor.eff.org

Tor is a network of virtual tunnels that allows people and groups to improve their privacy and security on the Internet. It also enables software developers to create new communication tools with built-in privacy features. It provides the foundation for a range of applications that allow organizations and individuals to share information over public networks without compromising their privacy. Individuals can use it to keep remote Websites from tracking them and their family members. They can also use it to connect to resources such as news sites or instant messaging services that are blocked by their local Internet service providers (ISPs).

Changes: Tor version 0.2.7.6 fixes a major bug in entry guard selection, as well as a minor bug in hidden service reliability.
tags | tool, remote, local, peer2peer
systems | unix
MD5 | cc19107b57136a68e8c563bf2d35b072
ManageEngine Desktop Central 9 FileUploadServlet ConnectionId
Posted Dec 14, 2015
Authored by sinn3r | Site metasploit.com

This Metasploit module exploits a vulnerability found in ManageEngine Desktop Central 9. When uploading a 7z file, the FileUploadServlet class does not check the user-controlled ConnectionId parameter. This allows a remote attacker to inject a null byte at the end of the value to create a malicious file with an arbitrary file type, and then place it under a directory that allows server-side scripts to run, which results in remote code execution under the context of SYSTEM. Please note that by default, some ManageEngine Desktop Central versions run on port 8020, but older ones run on port 8040. Also, using this exploit will leave debugging information produced by FileUploadServlet in file rdslog0.txt. This exploit was successfully tested on version 9, build 90109 and build 91084.

tags | exploit, remote, arbitrary, code execution
advisories | CVE-2015-8249
MD5 | f5df3d5e194fca9be98f8610c715334c
Jenkins CLI RMI Java Deserialization
Posted Dec 14, 2015
Authored by juan vazquez, Christopher Frohoff, Louis Sato, William Vu, Wei Chen, Steve Breen, Dev Mohanty | Site metasploit.com

This Metasploit module exploits a vulnerability in Jenkins. An unsafe deserialization bug exists on the Jenkins master, which allows remote arbitrary code execution. Authentication is not required to exploit this vulnerability.

tags | exploit, remote, arbitrary, code execution
advisories | CVE-2015-8103
MD5 | 50e8b60db08ec6dd6be8f13764a3e113
WordPress Admin Management Xtended 2.4.0 Privilege Escalation
Posted Dec 14, 2015
Authored by Kacper Szurek

WordPress Admin Management Xtended plugin version 2.4.0 suffers from a privilege escalation vulnerability.

tags | exploit
MD5 | f1a4394c59e0c7e2366f90079d13c44c
SAP NetWeaver J2EE Engine 7.40 Cross Site Scripting
Posted Dec 14, 2015
Authored by Roman Bezhan

SAP NetWeaver J2EE engine version 7.40 suffers from a cross site scripting vulnerability.

tags | advisory, xss
MD5 | 932c4607f574d71013ad921393a8b9ff
SAP NetWeaver J2EE Engine 7.40 SQL Injection
Posted Dec 14, 2015
Authored by Vahagn Vardanyan

SAP NetWeaver J2EE engine version 7.40 suffers from a remote SQL injection vulnerability.

tags | exploit, remote, sql injection
advisories | CVE-2015-7239
MD5 | d941f04e7a1fe86732b8e54f88bd6e72
Android Connections Forensics 1.0
Posted Dec 14, 2015
Authored by Itay Kruk | Site github.com

This tool enables a forensic investigator to map connections to originating processes on Android. It does not require root privileges but requires adb and usb debugging. It is meant to assist in detection of malicious APKs.

tags | tool, root, forensics
systems | unix
MD5 | 29f19dadbca5d6f4bd7417e53dab0d79
mrtparse MRT Parsing Tool 1.4
Posted Dec 14, 2015
Authored by Nobuhiro ITOU, Tetsumune KISO, Yoshiyuki YAMAUCHI | Site github.com

mrtparse is a module to read and analyze the MRT format data. The MRT format data can be used to export routing protocol messages, state changes, and routing information base contents, and is standardized in RFC6396. Programs like Quagga / Zebra, BIRD, OpenBGPD and PyRT can dump the MRT format data. Written in Python.

Changes: Various updates and bug fixes.
tags | tool, protocol, python
systems | unix
MD5 | a70c5088b7487b835b73e0874444bc80
Synnefo Client Cross Site Scripting
Posted Dec 14, 2015
Authored by Aravind C Ajayan

A reflected cross site scripting vulnerability was found in synnefoclient for Synnefo IMS 2015. The vulnerability has been discovered in the plan_name parameter on the request to fetch the package details for the logged in user. Request method is GET.

tags | exploit, xss
advisories | CVE-2015-8247
MD5 | 4b7d34f5ab2c929c6d0e0093ccf1afc7
Joomla Shape 5 MP3 Player 2.0 Local File Disclosure
Posted Dec 14, 2015
Authored by KnocKout

Joomla Shape 5 MP3 Player version 2.0 suffers from a local file disclosure vulnerability.

tags | exploit, local, info disclosure
MD5 | 00a87dbd3db58879c9c32c3c2ac3ca29
HP Security Bulletin HPSBHF03431 1
Posted Dec 14, 2015
Authored by HP | Site hp.com

HP Security Bulletin HPSBHF03431 1 - Potential security vulnerabilities have been identified with HPE Network Switches. The vulnerabilities could be exploited locally to allow bypass of security restrictions, and indirect vulnerabilities. Revision 1 of this advisory.

tags | advisory, vulnerability
advisories | CVE-2015-6859, CVE-2015-6860
MD5 | 302a7bb01d9fba863b308b7c858f1876
Debian Security Advisory 3417-1
Posted Dec 14, 2015
Authored by Debian | Site debian.org

Debian Linux Security Advisory 3417-1 - Tibor Jager, Jorg Schwenk, and Juraj Somorovsky, from Horst Gortz Institute for IT Security, published a paper in ESORICS 2015 where they describe an invalid curve attack in Bouncy Castle Crypto, a Java library for cryptography. An attacker is able to recover private Elliptic Curve keys from different applications, for example, TLS servers.

tags | advisory, java, crypto
systems | linux, debian
advisories | CVE-2015-7940
MD5 | bd709c45178d7ae9afbc3b9046f127c4
Ubuntu Security Notice USN-2834-1
Posted Dec 14, 2015
Authored by Ubuntu | Site security.ubuntu.com

Ubuntu Security Notice 2834-1 - Kostya Serebryany discovered that libxml2 incorrectly handled certain malformed documents. If a user or automated system were tricked into opening a specially crafted document, an attacker could possibly cause libxml2 to crash, resulting in a denial of service. (CVE-2015-7497, CVE-2015-7498, CVE-2015-7499) Hugh Davenport discovered that libxml2 incorrectly handled certain malformed documents. If a user or automated system were tricked into opening a specially crafted document, an attacker could possibly cause libxml2 to crash, resulting in a denial of service. Various other issues were also addressed.

tags | advisory, denial of service
systems | linux, ubuntu
advisories | CVE-2015-5312, CVE-2015-7497, CVE-2015-7498, CVE-2015-7499, CVE-2015-7500, CVE-2015-8241, CVE-2015-8242, CVE-2015-8317
MD5 | c0e36284260b1ac3eeb2b41ebe461ac7
Debian Security Advisory 3416-1
Posted Dec 14, 2015
Authored by Debian | Site debian.org

Debian Linux Security Advisory 3416-1 - Takeshi Terada discovered a vulnerability in PHPMailer, a PHP library for email transfer, used by many CMSs. The library accepted email addresses and SMTP commands containing line breaks, which can be abused by an attacker to inject messages.

tags | advisory, php
systems | linux, debian
advisories | CVE-2015-8476
MD5 | 348e07b59b8d915e79b01522fc4119a0
Red Hat Security Advisory 2015-2618-01
Posted Dec 14, 2015
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2015-2618-01 - Chromium is an open-source web browser, powered by WebKit. Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Chromium to crash, execute arbitrary code, or disclose sensitive information when visited by the victim. All Chromium users should upgrade to these updated packages, which contain Chromium version 47.0.2526.80, which corrects these issues. After installing the update, Chromium must be restarted for the changes to take effect.

tags | advisory, web, arbitrary
systems | linux, redhat
advisories | CVE-2015-6788, CVE-2015-6789, CVE-2015-6790, CVE-2015-6791
MD5 | 73954dc52ca89e2dc61ec4534e3f9df6
packet storm

© 2016 Packet Storm. All rights reserved.