The IoT Controller web application includes a NodeJS module, node-red, which has the capability for users to read or write to local files on the IoT Controller. With the elevated privileges the web application runs as, this allowed for reading and writing to any file on the IoT Controller filesystem.
ab0f31561d42610f5ba5969c33fa30d3f807865c8f1eaac846a5b376b04319c7Trendmicro InterScan version 6.5-SP2_Build_Linux_1548 suffers from a remote root access vulnerability.
8207670b7b23f48f93f2a7d157326bcd7fa8384a29863a9824938cd6f5929a09Trendmicro InterScan version 6.5-SP2_Build_Linux_1548 suffers from a privilege escalation vulnerability.
d466b761795d8d3086d31d2d398c036a70a01e03515283ad16085a4bf3fe529fTrendmicro InterScan version 6.5-SP2_Build_Linux_1548 suffers from an arbitrary file write vulnerability that can lead to remote command execution.
26ab7b4f02561adad2e13b1c460f10e7406f2bed3b1a400caf9cd13b6a2cc8daSophos Web Appliance version 4.2.1.3 suffers from a remote code execution vulnerability.
63701a9eb15e305ac51389eaeadb3b1a48ad8b7a79c8e2be9b6f3fa830db7304Sophos Web Appliance version 4.2.1.3 suffers from a privilege escalation vulnerability. An unprivileged user can obtain an MD5 hash of the administrator password which can then be used to discover the plain-text password.
6c3a7db5cb2b8006c493d363dd8ec25ba892a528fb9c8d8faf875f49faee60aaCisco Firepower Threat Management Console suffers from a local file inclusion vulnerability. Cisco Fire Linux OS 6.0.1 (build 37/build 1213) is affected.
3bb68d70578902fa49aa28ddac5c00c057ccf7040672b0e7d40d0048e61e4feeCisco Firepower Threat Management Console suffers from a remote command execution vulnerability. Cisco Fire Linux OS 6.0.1 (build 37/build 1213) is affected.
478bf4dcc23d2ef96d26269234864bc75b3152960f1f077a183667abd3cd5cd2Cisco Firepower Threat Management Console suffers from a denial of service vulnerability. Cisco Fire Linux OS 6.0.1 (build 37/build 1213) is affected.
93b912c298ea153c2c41d2e2762896ea94b468117fac32c32eaf77e232760a41Cisco Firepower Threat Management Console has hard-coded MySQL credentials in use. Cisco Fire Linux OS 6.0.1 (build 37/build 1213) is affected.
340707f4d5b3dac91cc48f0c12337c760677cc76dc14f6c4697885df69e314c1Usually processes writing to temporary directories do not need to perform readdir() because they control the filenames they create, so setting /tmp/ , /var/tmp/ , etc. to be mode 1733 is a not uncommon UNIX hardening practice. Affected versions of SQLite reject potential tempdir locations if they are not readable, falling back to '.'. Thus, SQLite will favor e.g. using cwd for tempfiles on such a system, even if cwd is an unsafe location. Notably, SQLite also checks the permissions of '.', but ignores the results of that check. All versions of SQLite prior to 3.13.0 are affected.
762be39effea94233c24738dcf6d499f38f825f4b7984d06ada2c300f0ae4c55The Ubiquiti AirGateway, AirFiber, and mFi platforms feature remote administration via an authenticated web-based portal. Lack of CSRF protection in the Remote Administration Portal, and unsafe passing of user input to operating system commands executed with root privileges, can be abused in a way that enables remote command execution.
90378a8805d8e7a9d70f57b6789f59dbe576e315ddf496817ce14425c0361204The Arris DG1670A leverages a combination of technologies to deliver the product functionality. Combining several of these technologies in an unanticipated way will allow an attacker to execute arbitrary commands on the underlying operating system as the most privileged user.
f9f07867f80d6ed81875b0f0f3426862a601d2df3911aea7d48a11a170f6c39bThe Dell Pre-Boot Authentication Driver (PBADRV.sys) contains a vulnerability that can be leveraged to enable an attacker to write arbitrary code. The 'OutputAddress' from the IOCTL call is not validated before it attempts to write to memory. The content of the write is a four-byte hex value that is always greater than that of the kernel base address. Using multiple writes, it may be possible to overwrite the first entry of HalDispatchTable in a way that the entry would point to a user-land address. An attacker need only allocate shellcode at said address and call the ntdll!NtQueryIntervalProfile() function.
4c39d7663202b0e6a4d111b2cedc2d39282bb058581eda40719607e5ea6add5aSeagate GoFlex Satellite Mobile Wireless Storage devices contain a hardcoded backdoor account. An attacker could use this account to remotely tamper with the underlying operating system when Telnet is enabled.
5c61cfee09fbb37a6bafacad5f5ac3b5b476c894b553933c75614523958a3ff4Linksys EA6100 Wireless Router suffers from an authentication bypass vulnerability.
a8b20e7d7ed604facccbb2ae990af80afdd4329520a1b779fb7446ad55de4272A vulnerability within the ndvbs module allows an attacker to inject memory they control into an arbitrary location they define. This vulnerability can be used to overwrite function pointers in HalDispatchTable resulting in an elevation of privilege. suffers from code execution, and local file inclusion vulnerabilities.
f56522b7ad8171646ac1c3eea8d0052f0c4e3db5b5c86c6dd3e9b9fae91e3b70A vulnerability within the xrvkp module allows an attacker to inject memory they control into an arbitrary location they define. This vulnerability can be used to overwrite function pointers in HalDispatchTable resulting in an elevation of privilege.
77a97ac2af8e5d412b8fd4eb9a999feef3db9cd52adba3ce10f5fa61cc3aa2aeVulnerabilities within the srvkp module allows an attacker to inject memory they control into an arbitrary location they define or cause memory corruption. IOCTL request codes 0x96002400 and 0x96002404 have been demonstrated to trigger these vulnerabilities. These vulnerabilities can be used to obtain control of code flow in a privileged process and ultimately be used to escalate the privilege of an attacker. Version affected is 6.14.10.3930.
a2a0c9af7028c25243f0a56d26ca9915265d443f37f6c6fd0844ddb64354f2ceThe tcpip.sys driver fails to sufficiently validate memory objects used during the processing of a user-provided IOCTL. By crafting an input buffer that will be passed to the Tcp device through the NtDeviceIoControlFile() function, it is possible to trigger a vulnerability that would allow an attacker to elevate privileges. Proof of concept exploit included.
9d61f1a5823955c19741ad2d57e256f3641cf2f035e04e442eac8b77fd3054eaA vulnerability within the vmx86 driver allows an attacker to specify a memory address within the kernel and have the memory stored at that address be returned to the attacker. VMWare Workstation version 10.0.0.40273 is affected.
bf4905c643bfb35f7aa1fcf8969c9ca0cce46972723b84fbd81cf253c06f8385A vulnerability within the MQAC module allows an attacker to inject memory they control into an arbitrary location they define. This can be used by an attacker to overwrite HalDispatchTable+0x4 and execute arbitrary code by subsequently calling NtQueryIntervalProfile. Microsoft MQ Access Control version 5.1.0.1110 on XP SP3 is affected.
ac6de6f3a8cc010f9936f8753463cdbb1d352b1255340abf3d899a75f1c67f7bA vulnerability within the BthPan module allows an attacker to inject memory they control into an arbitrary location they define. This can be used by an attacker to overwrite HalDispatchTable+0x4 and execute arbitrary code by subsequently calling NtQueryIntervalProfile. Microsoft Bluetooth Personal Area Networking version 5.1.2600.5512 on XP SP3 is affected.
9520a3d17643c7ebf1130b867b4f899c083ee1d3103c9e343a9e895529ec8545A vulnerability within VBoxGuest module allows an attacker to inject memory they control into an arbitrary location they define. This can be used by an attacker to overwrite HalDispatchTable+0x4 and execute arbitrary code by subsequently calling NtQueryIntervalProfile. Oracle VirtualBox Guest Additions versions 4.3.8 through 4.3.10 are affected.
23d2e313c1427a208d2779f1e9be216e6d3f6f4025a67191718be30d6c492262Kleeja Upload Center Script version 1.0.1 appears to suffer from a CRLF header injection vulnerability.
76f605b7d08edb4bf05d6d22b3bcf13e784043856c560044d5fd49ceec08d874K Labs Empowers suffers from a remote SQL injection vulnerability.
00b7f605544886c275266536a41562e767219bbef092ede519441ef2e3ed1283
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Subscribe to an RSS Feed