
Files

Barco wePresent Undocumented SSH Interface
Posted Nov 20, 2020
Authored by Jim Becher | Site korelogic.com

Barco wePresent WiPG-1600W version 2.5.1.8 has an SSH daemon included in the firmware image. By default, the SSH daemon is disabled and does not start at system boot. The system initialization scripts read a device configuration file variable to see if the SSH daemon should be started. The web interface does not provide a visible capability to alter this configuration file variable. However, a malicious actor can include this variable in a POST such that the SSH daemon will be started when the device boots.

tags | exploit, web
advisories | CVE-2020-28331
MD5 | 86102878b47498e5776df9ed90a4a19a

Related Files

Barco wePresent Insecure Firmware Image
Posted Nov 20, 2020
Authored by Matthew Bergin, Jim Becher | Site korelogic.com

Barco wePresent WiPG-1600W versions 2.5.1.8, 2.5.0.25, 2.5.0.24, and 2.4.1.19 have firmware that does not perform verification of digitally signed firmware updates and is susceptible to processing and installing modified/malicious images.

tags | exploit
advisories | CVE-2020-28332
MD5 | e4383abb6fd7cd3fb13e1ebe4da07b84
Barco wePresent Global Hardcoded Root SSH Password
Posted Nov 20, 2020
Authored by Jim Becher | Site korelogic.com

Barco wePresent WiPG-1600W versions 2.5.1.8, 2.5.0.25, 2.5.0.24, and 2.4.1.19 have a hardcoded root password hash included in the firmware image.

tags | exploit, root
advisories | CVE-2020-28334
MD5 | f546a4da12e5bb23b7138a0af23f3ff1
Barco wePresent Authentication Bypass
Posted Nov 20, 2020
Authored by Jim Becher | Site korelogic.com

The Barco wePresent WiPG-1600W version 2.5.1.8 web interface does not use session cookies for tracking authenticated sessions. Instead, the web interface uses a "SEID" token that is appended to the end of URLs in GET requests. Thus the "SEID" would be exposed in web proxy logs and browser history. An attacker that is able to capture the "SEID" and originate requests from the same IP address (via a NAT device or web proxy) would be able to access the user interface of the device without having to know the credentials.

tags | exploit, web
advisories | CVE-2020-28333
MD5 | 50b164f3cff95d8cf4dd33881f7f36e0
Barco wePresent Admin Credential Exposure
Posted Nov 20, 2020
Authored by Jim Becher | Site korelogic.com

An attacker armed with hardcoded API credentials from KL-001-2020-004 (CVE-2020-28329) can issue an authenticated query to display the admin password for the main web user interface listening on port 443/tcp for Barco wePresent WiPG-1600W version 2.5.1.8.

tags | exploit, web, tcp
advisories | CVE-2020-28329, CVE-2020-28330
MD5 | 3ad24677ecaeff25f5cac17ee343f4a9
Cellebrite UFED 7.5.0.845 Desktop Escape / Privilege Escalation
Posted May 14, 2020
Authored by Matthew Bergin | Site korelogic.com

The Cellebrite UFED device implements local operating system policies that can be circumvented to obtain a command prompt. From there, privilege escalation is possible using public exploits. Versions 5.0 through 7.5.0.845 are affected.

tags | exploit, local
advisories | CVE-2020-12798
MD5 | 328d278b40faad761a2336788c12bc32
Cellebrite UFED 7.29 Hardcoded ADB Authentication Keys
Posted Apr 13, 2020
Authored by Matthew Bergin | Site korelogic.com

Cellebrite UFED versions 5.0 through 7.29 use four hardcoded RSA private keys to authenticate to the ADB daemon on target devices. Extracted keys can be used to place evidence onto target devices when performing a forensic extraction.

tags | exploit
advisories | CVE-2020-11723
MD5 | 7843cd98ee3e04e6fea5d8750b053894
Tzumi Electronics Klic Lock Authentication Bypass
Posted Jun 14, 2019
Authored by Kerry Enfinger

Tzumi Electronics Klic Lock version 1.0.9 allows for attackers to access resources via capture-replay.

tags | exploit
advisories | CVE-2019-11334
MD5 | 90a59931dc009b7842e44be11b45bf5e
Barco/AWIND OEM Presentation Platform Unauthenticated Remote Command Injection
Posted May 3, 2019
Authored by Jacob Baines

Barco/AWIND OEM presentation platform suffers from an unauthenticated command injection vulnerability. Products affected include Crestron AM-100 1.6.0.2, Crestron AM-101 2.7.0.1, Barco wePresent WiPG-1000P 2.3.0.10, Barco wePresent WiPG-1600W before 2.4.1.19, Extron ShareLink 200/250 2.0.3.4, Teq AV IT WIPS710 1.1.0.7, InFocus LiteShow3 1.0.16, InFocus LiteShow4 2.0.0.7, Optoma WPS-Pro 1.0.0.5, Blackbox HD WPS 1.0.0.5, and SHARP PN-L703WA 1.4.2.3.

tags | exploit
advisories | CVE-2019-3929
MD5 | 4d985d246a0892ab456ea517663812bd
Dell OpenManage Network Manager 6.2.0.51 SP3 Privilege Escalation
Posted Nov 6, 2018
Authored by Matthew Bergin | Site korelogic.com

Dell OpenManage Network Manager exposes a MySQL listener that can be accessed with default credentials. This MySQL service is running as the root user, so an attacker can exploit this configuration to, e.g., deploy a backdoor and escalate privileges into the root account.

tags | exploit, root
advisories | CVE-2018-15767, CVE-2018-15768
MD5 | 9296a80d1fafbfc2dd325ed3e1388fce
HP Enterprise VAN SDN Controller 2.7.18.0503 Remote Root
Posted Jun 26, 2018
Authored by Matthew Bergin | Site korelogic.com

HP Enterprise VAN SDN Controller version 2.7.18.0503 suffers from an unauthenticated remote root vulnerability. A hard-coded service token can be used to bypass authentication. Built-in functionality can be exploited to deploy and execute a malicious deb file containing a backdoor. A weak sudoers configuration can then be abused to escalate privileges to root. A second issue can be used to deny use of the appliance by continually rebooting it.

tags | exploit, remote, root
MD5 | bf9904ea89edad3e901e6b2663316e90
Sophos UTM 9 loginuser Privilege Escalation
Posted Mar 2, 2018
Authored by Matthew Bergin | Site korelogic.com

Sophos UTM 9 version 9.410 suffers from a loginuser privilege escalation vulnerability.

tags | exploit
MD5 | 394214076f55f7e3c334fbf415512590
Trend Micro IMSVA Management Portal 9.1.0.1600 Authentication Bypass
Posted Feb 9, 2018
Authored by Matthew Bergin | Site korelogic.com

Trend Micro IMSVA Management Portal version 9.1.0.1600 suffers from an authentication bypass vulnerability.

tags | exploit, bypass
MD5 | d82d45e882b2eb1faa1bb688364f31a9
NetEx HyperIP 6.1.0 Local File Inclusion
Posted Feb 9, 2018
Authored by Matthew Bergin | Site korelogic.com

NetEx HyperIP version 6.1.0 suffers from a local file inclusion vulnerability.

tags | exploit, local, file inclusion
MD5 | dc0775578f64cf741c26e424c44b03f5
NetEx HyperIP 6.1.0 Privilege Escalation
Posted Feb 9, 2018
Authored by Matthew Bergin | Site korelogic.com

NetEx HyperIP version 6.1.0 suffers from a privilege escalation vulnerability.

tags | exploit
MD5 | fee902572b3925955cbd9d64820c62f9
NetEx HyperIP 6.1.0 Post-Auth Command Execution
Posted Feb 9, 2018
Authored by Matthew Bergin | Site korelogic.com

NetEx HyperIP version 6.1.0 suffers from a post-authentication command execution vulnerability.

tags | exploit
MD5 | 80d93fa64c37b062c3c6cc3a74d00cdf
NetEx HyperIP 6.1.0 Authentication Bypass
Posted Feb 9, 2018
Authored by Matthew Bergin | Site korelogic.com

NetEx HyperIP version 6.1.0 suffers from an authentication bypass vulnerability.

tags | exploit, bypass
MD5 | 277d52048cffd60814568116ed7bd4b4
Sophos Web Gateway 4.4.1 Cross Site Scripting
Posted Jan 26, 2018
Authored by Matthew Bergin | Site korelogic.com

Sophos Web Gateway version 4.4.1 suffers from a persistent cross site scripting vulnerability.

tags | exploit, web, xss
MD5 | 45f65498ed379818369f240076c5d2c3
Splunk 6.6.x Local Privilege Escalation
Posted Nov 3, 2017
Authored by Hank Leininger | Site korelogic.com

Splunk version 6.6.x suffers from a local privilege escalation vulnerability. Splunk can be configured to run as a non-root user. However, that user owns the configuration file that specifies the user to run as, so that user can trivially gain root privileges.

tags | exploit, local, root
MD5 | 3e674b7b7b2bbcdc76d6019cc12711aa
Sophos UTM 9 Management Application Local File Inclusion
Posted Oct 25, 2017
Authored by Matthew Bergin | Site korelogic.com

Sophos UTM 9 suffers from a local file inclusion vulnerability. Version 9.410 is affected.

tags | exploit, local, file inclusion
MD5 | 9dd2a9188e82f74e56570b54972a43c5
Sophos UTM 9 loginuser Privilege Escalation Via Insecure Directory Permissions
Posted Oct 25, 2017
Authored by Matthew Bergin | Site korelogic.com

Sophos UTM 9 suffers from a loginuser privilege escalation vulnerability via insecure directory permissions. Version 9.410 is affected.

tags | exploit
MD5 | 56206e25a52b7c734995d01109f5f28c
Sonicwall WXA5000 1.3.2-10-30 Console Jail Escape / Privilege Escalation
Posted Oct 25, 2017
Authored by Matthew Bergin | Site korelogic.com

Sonicwall WXA5000 version 1.3.2-10-30 suffers from console jail escape and privilege escalation vulnerabilities.

tags | exploit, vulnerability
MD5 | 96ae20044a39b528b9cd3c1fe1e9bab9
Infoblox NetMRI VM-AD30-5C6CE Factory Reset Persistence
Posted Oct 25, 2017
Authored by Matthew Bergin | Site korelogic.com

Infoblox NetMRI version VM-AD30-5C6CE suffers from an administration shell factory reset persistence vulnerability.

tags | exploit, shell
MD5 | 3d645a515c1de250781ae9cab7fd9d5c
Infoblox NetMRI 7.1.4 Shell Escape / Privilege Escalation
Posted Oct 25, 2017
Authored by Hank Leininger, Matthew Bergin | Site korelogic.com

Infoblox NetMRI versions 7.1.2 through 7.1.4 suffer from administration shell escape and privilege escalation vulnerabilities.

tags | exploit, shell, vulnerability
MD5 | b723ed326bd04aa156050b80d0b7a39f
Solarwinds LEM Insecure Update Process
Posted Sep 26, 2017
Authored by Hank Leininger

Software updates for Solarwinds products are packaged and delivered insecurely, leading to root compromise of Solarwinds devices.

tags | advisory, root
MD5 | 80fc94af19356ab49a171c02ae5a06b3
Solarwinds LEM 6.3.1 Hardcoded Credentials
Posted Jul 7, 2017
Authored by Matthew Bergin, Joshua Hardin | Site korelogic.com

Solarwinds Log and Event Manager Virtual Appliance version 6.3.1 has hard-coded credentials.

tags | exploit
MD5 | ea71b65684154ffd99e1bd069f695c0a
packet storm

© 2020 Packet Storm. All rights reserved.
