This Metasploit module exploits a buffer overflow condition in Ivanti Avalanche MDM versions prior to 6.4.1. An attacker can send a specially crafted message to the Wavelink Avalanche Manager, which could result in arbitrary code execution with NT AUTHORITY\SYSTEM permissions. This vulnerability occurs during the processing of 3/5/8/100/101/102 item data types. The program tries to copy the item data using qmemcopy to a fixed-size data buffer on the stack. Upon successful exploitation the attacker gains full access to the target system. This vulnerability has been tested against Ivanti Avalanche MDM version 6.4.0.0 on Windows 10.
f923d88a736ee1b1d58c5f717428d9695cfc5a4107837de0f4006d0c4a042202
This Metasploit module exploits an authentication bypass in Ivanti Sentry that exposes API functionality allowing code execution in the context of the root user.
ea4bf146aae20e6532518f5f14a0339f6c32348de42b3b15936e869ed48d8e04
Ivanti Avalanche versions prior to 6.4.0.0 suffer from a remote code execution vulnerability.
fbb31ff5f38dd146b12a471e205d680b8205fc2fdb41ac774f03201dcb313808
Ivanti Avalanche versions prior to 6.4.0.186 permit MS-DOS style short names in the configuration path for the Central FileStore. Because of this, an administrator can change the default path to the web root of the applications, upload a JSP file, and achieve remote command execution as NT AUTHORITY\SYSTEM.
2d460c161e59ed0128cbce4a78b4bddc06c84edf0d04e1d6643a9c60b4012dc5
This Metasploit module exploits a command injection vulnerability in the Ivanti Cloud Services Appliance (CSA) for Ivanti Endpoint Manager. A cookie-based code injection vulnerability in the Cloud Services Appliance before 4.6.0-512 allows an unauthenticated user to execute arbitrary code with limited permissions. Successful exploitation results in command execution as the nobody user.
ed5ba9659a8b5c3e1351d75d25fedfb77cae4f82344658a2b6b6cbe220161e6d
Ivanti Endpoint Manager CSA versions 4.5 and 4.6 suffer from an unauthenticated remote code execution vulnerability.
6ede7e4c555086097785e7b930d3648768ced8d291ef8685bd545f55401f4bd6
Cypress Solutions CTM-200 wireless gateway version 2.7.1 suffers from an authenticated semi-blind OS command injection vulnerability. This can be exploited to inject and execute arbitrary shell commands as the root user through the 'ctm-config-upgrade.sh' script leveraging the 'fw_url' POST parameter used in the cmd upgreadefw as argument, called by ctmsys() as pointer to execv() and make_wget_url() function to the wget command in /usr/bin/cmdmain ELF binary.
3c5b924eea85063a32d4abf12a102470e52fe008b637d8c375ec9d27c3e4f296
This Metasploit module exploits an ACL bypass in MobileIron MDM products to execute a Groovy gadget against a Hessian-based Java deserialization endpoint.
5c0db542beea98b42c60393d60ff136e823dca9b8c1933fb194541ebcc3d1e48
SureMDM versions prior to the 2018-11 Patch suffer from local and remote file inclusion vulnerabilities.
b069dba5af00d8f2b4260a759c6f5a4c28e1c87bc836b38530dc45f0811913f3
Ivanti Workspace Control contains a flaw where it is possible to access folders that should be protected by Data Security. A local attacker can bypass these restrictions using localhost UNC paths. Depending on the NTFS permissions, it may be possible for local users to access files and folders that should be protected using Data Protection. This issue was successfully verified on Ivanti Workspace Control versions 10.2.700.1 and 10.2.950.0.
507e3c9cc2d0a60cb3923378de3e647c3ee8b937f4097ddf9a6615c71a46daf9
A flaw was found in Workspace Control that allows a local unprivileged user to retrieve the database or Relay server credentials from the Windows Registry. These credentials are encrypted; however, the encryption that is used is reversible. This issue was successfully verified on Ivanti Workspace Control versions 10.2.700.1 and 10.2.950.0.
964ae3397201993a0875edfc0ea849d24a6d6bd09383d580016c683c5209f357
It was found that Ivanti Workspace Control allows a local (unprivileged) attacker to run arbitrary commands with Administrator privileges. This issue can be exploited by spawning a new Composer process and injecting a malicious thread into this process. This thread connects to a Named Pipe and sends an instruction to a service to launch an attacker-defined application with elevated privileges. This issue was successfully verified on Ivanti Workspace Control versions 10.2.700.1 and 10.2.950.0.
8258dbf9be109afe0d7a02ca62f333c5c39f3e9e6c52f1ae3f17a46f22ef8eca
It was found that the PowerGrid application can be used to run arbitrary commands via the /SEE command line option. An attacker can abuse this issue to bypass Application Whitelisting in order to run arbitrary code on the target machine. This issue was successfully verified on Ivanti Workspace Control version 10.2.950.0.
d22755c11b4351cbedb8fccbfeb8f10b0a0fd56433daae7099f4a1f97ebe9bcb
It was found that the PowerGrid application will execute rundll32.exe from a relative path when it is started with the /RWS command line option. An attacker can abuse this issue to bypass Application Whitelisting in order to run arbitrary code on the target machine. This issue was successfully verified on Ivanti Workspace Control version 10.2.700.1.
247ebbfbc6e429e14f49ffdb9bfdcf441bfb4a187e2d9cb26ed36d4cf65e0153
Microsoft Machine Debug Manager (mdm) suffers from DLL hijacking vulnerabilities.
db92dfe873e589fe2a002dfec15943dbc9eb4432297101f2fd0811808db098a2
Newtec Satellite Modem version MDM6000 2.2.5 suffers from a cross site scripting vulnerability.
66bc91a91c3296445a0ce9b51f0b9593e0c5ff0d247b6788f617a033992cf9be
Red Hat Security Advisory 2015-2241-03 - The chrony suite, chronyd and chronyc, is an advanced implementation of the Network Time Protocol, specially designed to support systems with intermittent connections. It can synchronize the system clock with NTP servers, hardware reference clocks, and manual input. It can also operate as an NTPv4 server or peer to provide a time service to other computers in the network. An out-of-bounds write flaw was found in the way chrony stored certain addresses when configuring NTP or cmdmon access. An attacker that has the command key and is allowed to access cmdmon could use this flaw to crash chronyd or, possibly, execute arbitrary code with the privileges of the chronyd process.
9dcd1e723bb8317bbfc69f9f7175740614fd51f6bffa6bfacdfedd26b82d3eb2
This Metasploit module exploits a vulnerability that exists in the KNOX security component of the Samsung Galaxy firmware that allows a remote webpage to install an APK with arbitrary permissions by abusing the 'smdm://' protocol handler registered by the KNOX component. The vulnerability has been confirmed in the Samsung Galaxy S4, S5, Note 3, and Ace 4.
03a3f71c2c2fa9fd0b119371b2d55e432974a0922073ac802b493949e3fd1f34
JAMF Casper Suite MDM suffers from a cross site request forgery vulnerability.
cf040459d9566c7ec0296767cfadc0a7c77290c27d5f32c1c12b7b58c1b369b8
Secunia Security Advisory - A vulnerability has been reported in Moxa Device Manager MDM Tool, which can be exploited by malicious people to potentially compromise a user's system.
37fe2e9cc0970f707f9a6ff9d560eded3d460a451526b2534219f67bdb896cfa
This Metasploit module exploits a stack overflow in MOXA MDM Tool 2.1. When sending a specially crafted MDMGw (MDM2_Gateway) response, an attacker may be able to execute arbitrary code.
d1dd4e7fce98d32b48eac6791f3f78990a4253f063ff4c36a0b84dd00ca14a1c
iDefense Security Advisory 05.10.07 - Remote exploitation of a buffer overflow vulnerability within Novell Inc.'s NetMail allows attackers to execute arbitrary code with the privileges of the service. This vulnerability specifically exists within the SSL version of the "NMDMC.EXE" service. The application does not perform sufficient input validation when copying data into a fixed-size stack buffer. When processing a specially crafted request made to this service, a stack-based buffer overflow occurs, leading to corruption of program control registers saved on the stack. iDefense has confirmed the existence of this vulnerability within version 3.52e_FTF2 of Novell Inc.'s NetMail. Older versions are suspected to be vulnerable.
7c4224fd04fdf501163a3652b70255e6a67bedbbac0803f93921ededa636574a
MDMA Advisory #5 - It is possible to view the source of CGI scripts running under the Savant Webserver by omitting the HTTP version from your request.
1724fba392451be3b3274800afadb12de1c0b9bc1ae2d9480be7bf44fb177af0
MDMA Advisory #6 - EServ v2.92 and prior are vulnerable to a logging heap overflow vulnerability. Java proof of concept exploit code included.
8f8294582a025b703fc4bcc38a6d47de57ed4735dddb9a13e1f4b02168d4ba63