
Files

Barracuda NG Firewall Remote Command Execution
Posted Jun 12, 2011
Authored by Lukas Nothdurfter, Wolfgang Neudorfer

It is possible to execute an arbitrary command with root privileges on phion netfence 4.0.x, phion netfence versions prior to 4.2.15 and NG Firewall versions prior to 5.0.2 boxes with activated external authentication scheme (i.e. Active Directory). An attacker with the knowledge of an admin's username is able to perform arbitrary shell commands during the ssh login procedure on the box. The knowledge of the admin's password is not required.

tags | advisory, arbitrary, shell, root
SHA-256 | fee59e2c3c8776e6ab9ed6abb4364a9562154ddc30dfed06de24b65179dd71f4

Related Files

Spring Framework / Spring Security Serialization-Based Issues
Posted Sep 9, 2011
Authored by Wouter Coekaerts, SpringSource Security Team

Spring Framework versions 3.0.0 to 3.0.5 and Spring Security versions 2.0.0 to 2.0.6 and 3.0.0 to 3.0.5 suffer from serialization issues. Several issues have been reported which may affect applications which de-serialize objects from an untrusted source such as a remote client. It is possible for a malicious client to inject undesirable behavior into the server by serializing proxies rather than specific class instances, or by taking advantage of internal AOP interfaces which were being exposed through the remote service, in addition to the service interface.

tags | advisory, remote
advisories | CVE-2011-2894
SHA-256 | f905e5bf5433c31b6e389d1aca05670a117b1f5976e8502215745fe22fe34fc4
Apache Struts < 2.2.0 Remote Command Execution
Posted Aug 19, 2011
Authored by Meder Kydyraliev, bannedit | Site metasploit.com

This Metasploit module exploits a remote command execution vulnerability in Apache Struts versions < 2.2.0. This issue is caused by a failure to properly handle unicode characters in OGNL extensive expressions passed to the web server. By sending a specially crafted request to the Struts application it is possible to bypass the "#" restriction on ParameterInterceptors by using OGNL context variables. Bypassing this restriction allows for the execution of arbitrary Java code.

tags | exploit, java, remote, web, arbitrary
advisories | CVE-2010-1870, OSVDB-66280
SHA-256 | f3dc9c6ae8fc8270cc4ef71f82c223ad04ea9e8725f94ee4894465c9a0bfbc4b
Check Point Security Management Symlink Vulnerabilities
Posted Aug 16, 2011
Authored by Matthew Flanagan

Check Point Security Management Products suffer from multiple symlink vulnerabilities. Due to the combination of inadequate file checks, predictable file names and writing of temporary configuration files to /tmp it is possible for an unprivileged local user to exploit the post-installation script to overwrite arbitrary files on the security management system through symlink following. The script also contains a second-order symlink vulnerability which makes it possible for an attacker to gain control of the SMS configuration file: $FWDIR/conf/sofaware/SWManagementServer.ini.

tags | advisory, arbitrary, local, vulnerability
advisories | CVE-2011-2664
SHA-256 | 9c9530656dc7486ce3d99175a4a77905ed90e3d797246e746914fe8311174a28
Zero Day Initiative Advisory 11-253
Posted Aug 13, 2011
Authored by Tipping Point | Site zerodayinitiative.com

Zero Day Initiative Advisory 11-253 - This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of the Adobe Flash Player. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the code responsible for evaluating the scroll method of the Actionscript Bitmap class. The function that uses the parameters to the scroll method performs arithmetic using data from the instantiated Bitmap object. By creating a Bitmap with certain integer values and subsequently calling the scroll method with other large integer values it is possible to force an integer wrap to occur. The resulting value is utilized to calculate a pointer which is operated upon by memory copy operations. By crafting specific values this issue can be exploited to execute remote code in the context of the user running the browser.

tags | advisory, remote, arbitrary
advisories | CVE-2011-2138
SHA-256 | cbcee4905d289d85fc316e709eeb8ade0f8cda5d0c07506d3de8211862d0232d
Zero Day Initiative Advisory 11-251
Posted Aug 10, 2011
Authored by Tipping Point | Site zerodayinitiative.com

Zero Day Initiative Advisory 11-251 - This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Apple Quicktime. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the way Quicktime handles invalid values in the Sync Sample Atom. Due to a signed compare instead of an unsigned compare it is possible to corrupt the Sample Atom Table. Values from this table are later used to populate a heap buffer and the corrupted value causes a heap overflow. This can result in remote code execution under the context of the current user.

tags | advisory, remote, overflow, arbitrary, code execution
systems | apple
advisories | CVE-2011-0250
SHA-256 | d90d8f17c50363e8045dac7124e5b77fbbe97e98f3d6db6be2210275abf884c0
OpenSSH Resource Exhaustion Via GSSAPI
Posted Aug 2, 2011
Authored by Adam Zabrocki

OpenSSH with gssapi-with-mic support suffers from a resource exhaustion vulnerability. It is possible to provide any value to the xmalloc() function, which is a simple wrapper to the malloc() function. This forces an application to allocate a huge amount of memory (4GB?) and naturally exhausts available resources. Repeating this attack, by simply opening many sessions, can kill the server.

tags | advisory
SHA-256 | 65e738aed80888821cfc7b7291b21f403013fd57e28e24c9a17233bbb9662c26
Zero Day Initiative Advisory 11-245
Posted Jul 30, 2011
Authored by Tipping Point | Site zerodayinitiative.com

Zero Day Initiative Advisory 11-245 - This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Sybase Adaptive Server Enterprise. Authentication is not required to exploit this vulnerability. The specific flaw exists within the way Sybase Backup and Monitor servers handle certain data in the login packets. Malformed packets can cause the service in question to look up a function pointer outside a predefined function pointer array. It is possible to set this function pointer to an address where user controlled data exists and this will result in code execution under the rights of the user running the Monitor Server.

tags | advisory, remote, arbitrary, code execution
SHA-256 | a33a5097372aa85175aa3ce715085578d3c1258260b45dacbedcb9fe9a6fb67a
Mandriva Linux Security Advisory 2011-121
Posted Jul 27, 2011
Authored by Mandriva | Site mandriva.com

Mandriva Linux Security Advisory 2011-121 - All current released versions of Samba are vulnerable to a cross-site request forgery in the Samba Web Administration Tool (SWAT). By tricking a user who is authenticated with SWAT into clicking a manipulated URL on a different web page, it is possible to manipulate SWAT. All current released versions of Samba are vulnerable to a cross-site scripting issue in the Samba Web Administration Tool (SWAT). On the Change Password field, it is possible to insert arbitrary content into the user field.

tags | advisory, web, arbitrary, xss, csrf
systems | linux, mandriva
advisories | CVE-2011-2522, CVE-2011-2694
SHA-256 | b75ce3ace75fea8d22a279188ef3184449337cf90f4fe3d331c11300c3a6a118
Webkit Memory Corruption / Code Execution
Posted Jul 25, 2011
Authored by Nikita Tarakanov, Alex Bazhanyuk

Remote exploitation of a memory corruption vulnerability in WebKit, as included with multiple vendors' browsers, could allow an attacker to execute arbitrary code with the privileges of the current user. Scalable Vector Graphics (SVG) is an XML based file format used to describe two dimensional vector graphics. It defines both a markup language, and a JavaScript interface. When processing DOM queries to SVG tags, Safari fails to handle exceptional conditions. It is possible to trigger a use after free vulnerability by querying some properties of SVG tags. This leaves a C++ object pointer in an inconsistent state, which can lead to the execution of arbitrary code. Safari versions prior to 5.1 and 5.0.6 are vulnerable.

tags | advisory, remote, arbitrary, javascript
advisories | CVE-2011-0222
SHA-256 | 620665bfdb86a30421dd34b615a797945553c63b075518ac3852faa9ab9219e1
iDefense Security Advisory 07.20.11 - Webkit Memory Corruption
Posted Jul 21, 2011
Authored by iDefense Labs, wushi | Site idefense.com

iDefense Security Advisory 07.20.11 - Remote exploitation of a memory corruption vulnerability in WebKit, as included with multiple vendors' browsers, could allow an attacker to execute arbitrary code with the privileges of the current user. Scalable Vector Graphics (SVG) is an XML based file format used to describe two dimensional vector graphics. It defines both a markup language, and a JavaScript interface. When parsing a series of SVG tags, and then manipulating them via JavaScript, Safari fails to handle exceptional conditions. It is possible to trigger a use after free vulnerability by manipulating the animVal property of various SVG tags. This leaves a C++ object pointer in an inconsistent state, which can lead to the execution of arbitrary code. Safari versions prior to 5.1 and 5.0.6 are vulnerable.

tags | advisory, remote, arbitrary, javascript
advisories | CVE-2011-0240
SHA-256 | 99c8cb11dcb256c511dc2217aaa40292d8c285040e8f55bc2b42756ce98c3948
Zero Day Initiative Advisory 11-237
Posted Jul 20, 2011
Authored by Tipping Point | Site zerodayinitiative.com

Zero Day Initiative Advisory 11-237 - This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of CA Total Defense Suite r12. Authentication is not required to exploit this vulnerability. The specific flaw exists within the Icihttp.exe module (CA Gateway Security for HTTP), which responds to incoming HTTP requests on port 8080. Due to a flawed copy-loop algorithm in the URL parsing routine, it is possible for a remote unauthenticated user to cause an exploitable heap corruption condition. This could result in the execution of arbitrary code under the context of the Gateway Security service.

tags | advisory, remote, web, arbitrary
advisories | CVE-2011-2667
SHA-256 | 03a726e72a0ef746644c53f5d9af301545b02f72a2a1b6bee3e85609ce19f145
Mozilla Firefox "nsTreeRange" Dangling Pointer Vulnerability
Posted Jul 11, 2011
Authored by regenrecht, xero | Site metasploit.com

This Metasploit module exploits a code execution vulnerability in Mozilla Firefox 3.6.x <= 3.6.16 and 3.5.x <= 3.5.17 found in nsTreeSelection. By overwriting a subfunction of invalidateSelection it is possible to free the nsTreeRange object that the function currently operates on. Any further operations on the freed object can result in remote code execution. Utilizing the call setup the function provides it's possible to bypass DEP without the need for a ROP. Sadly this exploit is still either dependent on Java or bound by ASLR because Firefox doesn't employ any ASLR-free modules anymore.

tags | exploit, java, remote, code execution
advisories | CVE-2011-0073, OSVDB-72087
SHA-256 | bd0456bbc29964266747946f68aee47392e1ba55e7169a60b1f4a5db2ea04edd
iDEFENSE Security Advisory 2011-06-14.2
Posted Jun 18, 2011
Authored by iDefense Labs, Luigi Auriemma | Site idefense.com

iDefense Security Advisory 06.14.11 - Remote exploitation of a heap overflow vulnerability in Adobe Systems Inc.'s Shockwave could allow an attacker to execute arbitrary code with the privileges of the current user. This vulnerability occurs when Shockwave processes a maliciously constructed "DRCF" chunk. Specifically, when parsing a substructure inside of this chunk, it is possible to trigger a code path that leads to an incorrect string copy operation. The vulnerable code performs a certain operation on a heap-based buffer, which has the effect of overwriting the NULL terminator of the string in the middle of the copy operation. This will lead to an endless copy loop until the read operation hits the end of the memory segment. This operation writes beyond the allocated heap buffer, and can lead to the execution of arbitrary code. Shockwave Player version 11.5.9.620 and prior are vulnerable.

tags | advisory, remote, overflow, arbitrary
advisories | CVE-2011-0335
SHA-256 | 3b0ec1fef75086d0e796f5ce1dea0706958798bc9b403f2258059ba1d3e7612f
iDEFENSE Security Advisory 2011-06-14.1
Posted Jun 18, 2011
Authored by iDefense Labs, Luigi Auriemma | Site idefense.com

iDefense Security Advisory 06.14.11 - Remote exploitation of an integer signedness vulnerability in Adobe Systems Inc.'s Shockwave could allow an attacker to execute arbitrary code with the privileges of the current user. This vulnerability occurs when Shockwave processes a maliciously constructed "Lscr" record. This record can embed Lingo script code, which is Shockwave's scripting language. The vulnerability occurs when processing certain opcodes. Specifically, a 32-bit value from the file is used as an offset into a heap buffer without proper validation. When comparing the value to the maximum buffer size, a signed comparison is performed. By using a negative value, it is possible to index outside of the allocated buffer. This results in data outside of the buffer being treated as a valid pointer, and this pointer is later used as the destination of a write operation. This can corrupt an arbitrary memory address, which can lead to the execution of arbitrary code. Shockwave Player version 11.5.9.620 and prior are vulnerable.

tags | advisory, remote, arbitrary
advisories | CVE-2011-0335
SHA-256 | 952c40d913beb9b78faaad430aeb7a3d76e8f0453128f6534822d4e3d407462d
Oracle Java ICC Profile rcs2 Tag Parsing Remote Code Execution
Posted Jun 16, 2011
Authored by Peter Vreugdenhil | Site tippingpoint.com

A vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of the Oracle Java Runtime. User interaction is required to exploit this vulnerability in that the target must visit a malicious page. The specific flaw exists within the way Java handles color profiles. When parsing a color profile containing an invalid 'rcs2' tag, the process can be forced to overflow an integer value during an arithmetic operation. The newly calculated value is then used to allocate memory on the heap. By providing specific values it is possible to cause a memory corruption that can lead to remote code being executed under the user running the browser.

tags | advisory, java, remote, overflow, arbitrary
advisories | CVE-2011-0862
SHA-256 | 8e3be2c1be593c530a4670d03a601ce9798a4842c472af7bed8ad4b21ecff0d3
Zero Day Initiative Advisory 11-192
Posted Jun 9, 2011
Authored by Tipping Point | Site zerodayinitiative.com

Zero Day Initiative Advisory 11-192 - This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Oracle Java. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the way Java webstart parses certain properties from the jnlp file. Due to insufficient quote escaping it is possible to supply additional command line parameters to the java process. By crafting such parameters, an attacker can execute remote code under the context of the user running the process.

tags | advisory, java, remote, arbitrary
advisories | CVE-2011-0863
SHA-256 | a404173fec0adb72b54fdaa57ab9e6ee4ac25a73fd950400775c364b24259cc3
Zero Day Initiative Advisory 11-191
Posted Jun 9, 2011
Authored by Tipping Point | Site zerodayinitiative.com

Zero Day Initiative Advisory 11-191 - This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Oracle Java Runtime. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the way Java handles color profiles. When parsing a color profile containing a 'scrn' tag, the process reads a user specified value describing the number of scrn objects in the file. This value is multiplied with the size of an scrn object possibly resulting in an integer overflow. This value is then used to allocate memory to hold all the scrn objects. By providing specific values it is possible to cause a memory corruption that can lead to remote code being executed under the user running the browser.

tags | advisory, java, remote, overflow, arbitrary
advisories | CVE-2011-0862
SHA-256 | c946917f3c6397b191f67ce05f18033ea0d5160fbea49d515db3cb9e45a0ef5d
Zero Day Initiative Advisory 11-190
Posted Jun 9, 2011
Authored by Tipping Point | Site zerodayinitiative.com

Zero Day Initiative Advisory 11-190 - This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of the Oracle Java Runtime running on OSX or Linux. This vulnerability does not affect Java running on Windows. User interaction is required to exploit this vulnerability in that the target must visit a malicious page. The specific flaw exists within the way Java handles color profiles. When parsing a color profile containing an invalid 'crdi' tag it is possible to specify a value that can cause an integer to wrap. This integer is then used to specify the size of a heap allocation. By providing a specially crafted tag value an attacker can cause memory corruption that can lead to remote code being executed under the user running the browser.

tags | advisory, java, remote, arbitrary
systems | linux, windows, apple
advisories | CVE-2011-0862
SHA-256 | 98155c7bca1cecc501f145884f81d2f9bdd08fc69143bc5280ab0e9a767b6ef8
Zero Day Initiative Advisory 11-189
Posted Jun 9, 2011
Authored by Tipping Point | Site zerodayinitiative.com

Zero Day Initiative Advisory 11-189 - This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of the Oracle Java Runtime. User interaction is required to exploit this vulnerability in that the target must visit a malicious page. The specific flaw exists within the way Java handles color profiles. When parsing a color profile containing an invalid 'ncl2' tag with an invalid value for DevCoords count it is possible to specify an integer that can cause an integer to wrap. This integer is then used to specify the size of a heap allocation. By providing a specially crafted tag value an attacker can cause memory corruption that can lead to remote code being executed under the user running the browser.

tags | advisory, java, remote, arbitrary
advisories | CVE-2011-0862
SHA-256 | b810531598188960f9a0dc23476416c3e8ff58844fa9623a021b0ae698a9bb4b
Zero Day Initiative Advisory 11-188
Posted Jun 9, 2011
Authored by Tipping Point | Site zerodayinitiative.com

Zero Day Initiative Advisory 11-188 - This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of the Oracle Java Runtime. User interaction is required to exploit this vulnerability in that the target must visit a malicious page. The specific flaw exists within the way Java handles color profiles. When parsing a color profile containing an invalid 'ncl2' tag it is possible to specify a value that can cause an integer to wrap. This integer is then used to specify the size of a heap allocation. By providing a specially crafted tag value an attacker can cause memory corruption that can lead to remote code being executed under the user running the browser.

tags | advisory, java, remote, arbitrary
advisories | CVE-2011-0862
SHA-256 | f1b1a4bb8f903bb79362784d9ca6d4c44520792caf00a71429e1a83f4eb92e80
Zero Day Initiative Advisory 11-187
Posted Jun 9, 2011
Authored by Tipping Point | Site zerodayinitiative.com

Zero Day Initiative Advisory 11-187 - This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of the Oracle Java Runtime. User interaction is required to exploit this vulnerability in that the target must visit a malicious page. The specific flaw exists within the way Java handles color profiles. When parsing a color profile containing an invalid 'clrt' tag, the process can be forced to overflow an integer value during an arithmetic operation. The newly calculated value is then used to allocate memory on the heap. By providing specific values it is possible to cause a memory corruption that can lead to remote code being executed under the user running the browser.

tags | advisory, java, remote, overflow, arbitrary
advisories | CVE-2011-0862
SHA-256 | ebfb6aaa4b0c4476de8c2e12a095e008fb4a1844d4e8ed012bea7ccafaade5c1
Zero Day Initiative Advisory 11-186
Posted Jun 9, 2011
Authored by Tipping Point | Site zerodayinitiative.com

Zero Day Initiative Advisory 11-186 - This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Java. Authentication is not required to exploit this vulnerability. User interaction is required to exploit this vulnerability in that the target must visit a malicious page. The specific flaw exists within the way Java handles color profiles. When parsing a color profile containing an invalid MultiLanguage 'curv' tag it is possible to cause a memory corruption that can lead to remote code being executed under the user running the browser.

tags | advisory, java, remote, arbitrary
advisories | CVE-2011-0862
SHA-256 | cc9facb15ae97361e8390b5238b9d98ef45480efc8e10d2dd9a238e397f0cdfd
Zero Day Initiative Advisory 11-185
Posted Jun 8, 2011
Authored by Tipping Point | Site zerodayinitiative.com

Zero Day Initiative Advisory 11-185 - This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Java. User interaction is required to exploit this vulnerability in that the target must visit a malicious page. The specific flaw exists within the way Java handles color profiles. When parsing a color profile containing an invalid 'bfd ' tag it is possible to specify an integer that can cause an integer to wrap. This integer is then used to specify the size of a heap allocation. By providing a specially crafted tag value an attacker can cause memory corruption that can lead to remote code being executed under the user running the browser.

tags | advisory, java, remote, arbitrary
advisories | CVE-2011-0862
SHA-256 | 1560eac1178a6b8c0716b0a811e0c7664004c1cdfcbeaef89d196dd74e976ae1
Zero Day Initiative Advisory 11-184
Posted Jun 8, 2011
Authored by Tipping Point | Site zerodayinitiative.com

Zero Day Initiative Advisory 11-184 - This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Oracle Java. User interaction is required to exploit this vulnerability in that the target must visit a malicious page. The specific flaw exists within the way Java handles color profiles. When parsing a color profile containing an invalid 'pseq' tag, the process can be forced to overflow an integer value during an arithmetic operation. The newly calculated value is then used to allocate memory on the heap. By providing specific values it is possible to cause a memory corruption that can lead to remote code being executed under the user running the browser.

tags | advisory, java, remote, overflow, arbitrary
advisories | CVE-2011-0862
SHA-256 | 50143877d3e4b4885557fb15e037b0186033700efd7594e5f0abe8ee9ff99046
Zero Day Initiative Advisory 11-183
Posted Jun 8, 2011
Authored by Tipping Point | Site zerodayinitiative.com

Zero Day Initiative Advisory 11-183 - This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Java. User interaction is required to exploit this vulnerability in that the target must visit a malicious page. The specific flaw exists within the way Java handles color profiles. When parsing a color profile containing an invalid MultiLanguage 'mluc' tag it is possible to cause an integer to wrap during an arithmetic operation. This new value is used to allocate memory on the heap. A remote attacker can abuse the faulty code to execute code under the context of the user running the browser.

tags | advisory, java, remote, arbitrary
advisories | CVE-2011-0862
SHA-256 | 7e0d49ef311a48a90d62b1e21bf5d79a85918153e08ac3ba9add9aadb19c1620
© 2022 Packet Storm. All rights reserved.
