This is a short write-up on binary planting along with a few old-school 0-days which may still be helpful for pentesters willing to escalate privileges on Windows.
2610f1f8b017ac3a538d7e379b554592Debian Linux Security Advisory 4408-1 - Multiple security issues were discovered in liveMedia, a set of C++ libraries for multimedia streaming which could result in the execution of arbitrary code or denial of service when parsing a malformed RTSP stream.
425b2b589d0ad63f13c2c1d76cedbb9eRed Hat Security Advisory 2019-0593-01 - The OpenStack Load Balancing service provides a Load Balancing-as-a-Service version 2 implementation for Red Hat OpenStack platform director based installations. This update fixes an issue where private keys were written to world-readable log files.
a237bb27c8dae27ed78040888e43e186Ubuntu Security Notice 3911-1 - It was discovered that file incorrectly handled certain malformed ELF files. An attacker could use this issue to cause a denial of service, or possibly execute arbitrary code.
a42b0939b032f1ef360d067831515fc8Red Hat Security Advisory 2019-0580-01 - OpenStack Telemetry collects customer usage data for metering purposes. Telemetry implements bus listener, push, and polling agents for data collection. This data is stored in a database and presented via the REST API. This update addresses an sensitive data leak.
7e644b75b096d36c05109ff05d32869cRed Hat Security Advisory 2019-0590-01 - Ansible is a simple model-driven configuration management, multi-node deployment, and remote-task execution system. Ansible works over SSH and does not require any software or daemons to be installed on remote nodes. Extension modules can be written in any language and are transferred to managed machines automatically. Issues addressed include an information leakage vulnerability.
9ced9e836d867662811d99f22eea78e8libseccomp suffers from an issue where there are incorrect compilations of arithmetic comparisons.
527bc24d7a88f082d48938d2aa6fb5c0Gitea versions 1.7.0 through 1.7.3 suffer from a stored html injection vulnerability.
fef0bde612a1a8aa1deaaf4794d240faTheCarProject version 2 suffers from a remote SQL injection vulnerability.
4798d80d4bad5e0537cc5cd98a477adfWinAVI iPod/3GP/MP4/PSP Converter version 4.4.2 suffers from a local denial of service vulnerability.
6aa97f12923552790249925f4a0695afWinMPG Video Convert versions 9.3.5 and below suffer from a local denial of service vulnerability.
72f20c22098c1a53d29670207f4b4ca1WordPress version 5.0.4 with FormCraft plugin version 2.0 suffers from a cross site request forgery vulnerability that can be leveraged to perform a shell upload.
34bba172e28c83ea38f0a59db712f769CSZ CMS version 1.2.1 suffers from an arbitrary file upload vulnerability.
ad2667b2518dc48fc775c2bce95ae340Ubuntu Security Notice 3910-1 - It was discovered that the f2fs filesystem implementation in the Linux kernel did not handle the noflush_merge mount option correctly. An attacker could use this to cause a denial of service. It was discovered that the procfs filesystem did not properly handle processes mapping some memory elements onto files. A local attacker could use this to block utilities that examine the procfs filesystem to report operating system state, such as ps. Various other issues were also addressed.
4c9e16088685e925a3c78db741714aeeUbuntu Security Notice 3910-2 - USN-3910-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement kernel from Ubuntu 16.04 LTS for Ubuntu 14.04 LTS. It was discovered that the f2fs filesystem implementation in the Linux kernel did not handle the noflush_merge mount option correctly. An attacker could use this to cause a denial of service. Various other issues were also addressed.
90737e4356a35bc59a396e5d7a1d20a2PHP MySQLi Database Class version 2.9.2 which is from joshcam suffers from a remote SQL injection vulnerability.
91d10b8a3c32ac8a868953e610dcaa2fThis Metasploit module exploits an arbitrary command execution vulnerability in Webmin 1.900 and lower versions. Any user authorized to the "Upload and Download" module can execute arbitrary commands with root privileges. In addition, if the Running Processes (proc) privilege is set the user can accurately determine which directory to upload to. Webmin application files can be written/overwritten, which allows remote code execution. The module has been tested successfully with Webmin 1.900 on Ubuntu v18.04.
3ba74c7641d287a5a1d6cee6bdb0eff5This Metasploit module leverages the remote command execution feature provided by the BMC Patrol Agent software. It can also be used to escalate privileges on Windows hosts as the software runs as SYSTEM but only verifies that the password of the provided user is correct. This also means if the software is running on a domain controller, it can be used to escalate from a normal domain user to domain admin as SYSTEM on a DC is DA. **WARNING** The windows version of this exploit uses powershell to execute the payload. The powershell version tends to timeout on the first run so it may take multiple tries.
07522a05b37456d4fcb66eb0e429685aSySS GmbH found out that the wireless desktop set Fujitsu LX901 is vulnerable to keystroke injection attacks by sending unencrypted data packets with the correct packet format to the receiver (USB dongle).
be5d36b96d4f2705e625f64190c28a98VVMware Security Advisory 2019-0003 - VMware Horizon update addresses Connection Server an information disclosure vulnerability.
76f3dac71537e32727ad6ebb2ba40a25VMware Security Advisory 2019-0002 - VMware Workstation update addresses elevation of privilege issues.
bd52e07808c7e943f940f78dc5dad784Moodle version 3.4.1 remote code execution exploit.
bd02c3aeef707232a71ffa986a5773f5Mail Carrier version 2.5.1 suffers from a MAIL FROM buffer overflow vulnerability.
3e57b4dfb5a6eb123d1fd94288b6eb7eICE HRM version 23.0 suffers from remote SQL injection and iframe injection vulnerabilities.
88f32bcf40b75d3ec675f719b69058c2CMS Made Simple Showtime2 module version 3.6.2 suffers from an authenticated arbitrary file upload vulnerability.
2221652ee89c73f5809f4205dcbfb0d2
© 2019 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed