what you don't know can hurt you
Showing 1 - 25 of 65 RSS Feed

Files

modproxy1.html
Posted Jun 14, 2004
Authored by Georgi Guninski | Site guninski.com

The version of mod_proxy shipped with Apache 1.3.31 and possibly earlier versions are susceptible to a buffer overflow via the Content-Length: header. This can lead to a denial of service and possible compromise of a vulnerable system.

tags | advisory, denial of service, overflow
MD5 | e7d78d7a935f0a2ce17af90ae82bf0ba

Related Files

ThinkPHP 5.0.23 Remote Code Execution
Posted Apr 14, 2020
Authored by wvu | Site metasploit.com

This Metasploit module exploits one of two PHP injection vulnerabilities in the ThinkPHP web framework to execute code as the web user. Versions up to and including 5.0.23 are exploitable, though 5.0.23 is vulnerable to a separate vulnerability. The module will automatically attempt to detect the version of the software. Tested against versions 5.0.20 and 5.0.23 as can be found on Vulhub.

tags | exploit, web, php, vulnerability
advisories | CVE-2018-20062, CVE-2019-9082
MD5 | e63e44c2cb033ac880ece4ae4c6a8e43
Ubuntu Security Notice USN-4055-1
Posted Jul 15, 2019
Authored by Ubuntu | Site security.ubuntu.com

Ubuntu Security Notice 4055-1 - Mike Salvatore discovered that FlightCrew improperly handled certain malformed EPUB files. An attacker could potentially use this vulnerability to cause a denial of service. Mike Salvatore discovered that FlightCrew mishandled certain malformed EPUB files. An attacker could use this vulnerability to write arbitrary files to the filesystem. Mike Salvatore discovered that the version of Zipios included in FlightCrew mishandled certain malformed ZIP files. An attacker could use this vulnerability to cause a denial of service or consume system resources. Various other issues were also addressed.

tags | advisory, denial of service, arbitrary
systems | linux, ubuntu
advisories | CVE-2019-13032, CVE-2019-13241, CVE-2019-13453
MD5 | 797b140c1d1b3f14e7a806b02c5bfedb
Mandriva Linux Security Advisory 2015-134
Posted Mar 30, 2015
Authored by Mandriva | Site mandriva.com

Mandriva Linux Security Advisory 2015-134 - PulseAudio versions shipped in mbs2 were vulnerable to a remote RTP attack which could crash the PulseAudio server simply by sending an empty UDP packet. Additionally, the version of PulseAudio shipped in mbs2 was a pre-release version of PulseAudio v5 and has been updated to the official final version.

tags | advisory, remote, udp
systems | linux, mandriva
advisories | CVE-2014-3970
MD5 | a8a5c8549f431beaae5b190b6a65cda5
Asterisk Project Security Advisory - AST-2015-002
Posted Jan 29, 2015
Authored by Mark Michelson, Olle Johansson | Site asterisk.org

Asterisk Project Security Advisory - CVE-2014-8150 reported an HTTP request injection vulnerability in libcURL. Asterisk uses libcURL in its func_curl.so module (the CURL() dialplan function), as well as its res_config_curl.so (cURL realtime backend) modules. Since Asterisk may be configured to allow for user-supplied URLs to be passed to libcURL, it is possible that an attacker could use Asterisk as an attack vector to inject unauthorized HTTP requests if the version of libcURL installed on the Asterisk server is affected by CVE-2014-8150.

tags | advisory, web
advisories | CVE-2014-8150
MD5 | 40713dbc27a6fb8e51bb53765591ef4e
FreeBSD Security Advisory - sshd Denial Of Service
Posted Nov 5, 2014
Site security.freebsd.org

FreeBSD Security Advisory - Although OpenSSH is not multithreaded, when OpenSSH is compiled with Kerberos support, the Heimdal libraries bring in the POSIX thread library as a dependency. Due to incorrect library ordering while linking sshd(8), symbols in the C library which are shadowed by the POSIX thread library may not be resolved correctly at run time. Note that this problem is specific to the FreeBSD build system and does not affect other operating systems or the version of OpenSSH available from the FreeBSD ports tree. An incorrectly linked sshd(8) child process may deadlock while handling an incoming connection. The connection may then time out or be interrupted by the client, leaving the deadlocked sshd(8) child process behind. Eventually, the sshd(8) parent process stops accepting new connections. An attacker may take advantage of this by repeatedly connecting and then dropping the connection after having begun, but not completed, the authentication process.

tags | advisory
systems | freebsd, osx
advisories | CVE-2014-8475
MD5 | 9c604890b80de664fad4262cb5aeb66b
DBMS_XMLSTORE As An Auxiliary SQL Injection Function In Oracle 12c
Posted Jul 22, 2014
Authored by David Litchfield

The ability to execute arbitrary SQL on Oracle via a SQL injection flaw is hampered by the fact that the Oracle RDBMS will not batch multiple queries. Typically, a low privileged attacker with say only the CREATE SESSION privilege, must find a function they can inject that will allow them to execute a block of anonymous PL/SQL. These are known as auxiliary inject functions. Depending upon the version of Oracle and what components are installed auxiliary inject functions may be few and far between. For example, on Oracle 12c with the internal Java VM removed, there may be none. Indeed, during a recent client assessment the author of this paper was confronted with such a situation: a PL/SQL injection flaw but with no easy method for easy exploitation to gain full control of the database server. This paper presents a method around such a problem using DBMS_XMLSTORE and, co-incidentally, DBMS_XMLSAVE. This method can be used in web-based SQL injection attacks, as well.

tags | paper, java, web, arbitrary, sql injection
MD5 | d24504669a9cae4404a95a4af656e24a
Feed2JS File Disclosure
Posted Jul 5, 2014
Authored by Michail Strokin

Feed2JS uses MagpieRSS for parsing the feeds, and MagpieRSS uses Snoopy library for fetching the documents. The version of Snoopy in use suffers from a local file disclosure vulnerability.

tags | exploit, local, info disclosure
advisories | CVE-2005-3330, CVE-2008-4796
MD5 | 7a94db7d89e868e5f3a30172c9f6c5c6
Mandriva Linux Security Advisory 2014-060
Posted Mar 14, 2014
Authored by Mandriva | Site mandriva.com

Mandriva Linux Security Advisory 2014-060 - Imapsync, by default, runs a release check when executed, which causes imapsync to connect to http://imapsync.lamiral.info and send information about the version of imapsync, the operating system and perl. The imapsync package has been patched to disable this feature. In imapsync before 1.584, a certificate verification failure when using the --tls option results in imapsync attempting a cleartext login.

tags | advisory, web, perl
systems | linux, mandriva
advisories | CVE-2013-4279, CVE-2014-2014
MD5 | dc91e85cd09740eb24207d0339f140db
Microsoft Internet Explorer SetMouseCapture Use-After-Free
Posted Sep 30, 2013
Authored by sinn3r, temp66 | Site metasploit.com

This Metasploit module exploits a use-after-free vulnerability that targets Internet Explorer 9 on Windows 7. The flaw most likely exists in versions 6/7/8/9/10/11. It was initially found in the wild in Japan, but other regions such as English, Chinese, Korean, etc, were targeted as well. The vulnerability is due to how the mshtml!CDoc::SetMouseCapture function handles a reference during an event. An attacker first can setup two elements, where the second is the child of the first, and then setup a onlosecapture event handler for the parent element. The onlosecapture event seems to require two setCapture() calls to trigger, one for the parent element, one for the child. When the setCapture() call for the child element is called, it finally triggers the event, which allows the attacker to cause an arbitrary memory release using document.write(), which in particular frees up a 0x54-byte memory. The exact size of this memory may differ based on the version of IE. After the free, an invalid reference will still be kept and passed on to more functions, eventually arriving in function MSHTML!CTreeNode::GetInterface, and causing a crash (or arbitrary code execution) when this function attempts to use this reference to call what appears to be a PrivateQueryInterface due to the offset (0x00). To mimic the same exploit found in the wild, this module will try to use the same DLL from Microsoft Office 2007 or 2010 to leverage the attack.

tags | exploit, arbitrary, code execution
systems | windows, 7
advisories | CVE-2013-3893, OSVDB-97380
MD5 | 963f37fd3f414ed4fdd3070cd4eb2c8b
Mandriva Linux Security Advisory 2013-083
Posted Apr 10, 2013
Authored by Mandriva | Site mandriva.com

Mandriva Linux Security Advisory 2013-083 - It was discovered that the version of glib shipped with MBS 1 does not sanitise certain DBUS related environment variables. When used in combination with a setuid application which utilizes dbus via glib, a local user could gain escalated privileges with a specially crafted environment. This is related to a similar issue with dbus. This updated version of glib adds appropriate protection against such scenarios and also adds additional hardening when used in a setuid environment.

tags | advisory, local
systems | linux, mandriva
advisories | CVE-2012-3524
MD5 | 468b28886524ae6dcc7e479e049b7854
Photodex ProShow Producer 5.0.3297 Memory Corruption
Posted Feb 15, 2013
Authored by Julien Ahrens | Site security.inshell.net

A memory corruption vulnerability has been identified in Photodex ProShow Producer version 5.0.3297. When opening a crafted style file (.pxs), the application loads the "title" value from the pxs file. The ColorPickerProc function does not properly validate the length of the string loaded from the "title" value from the pxs file before using it in the further application context, which leads to a memory corruption condition with possible code execution depending on the version of the operating system.

tags | exploit, code execution
MD5 | ce44b18891a4ceef7dbcef706f5dd050
PHP IRC Bot pbot eval() Remote Code Execution
Posted Aug 8, 2012
Authored by Evilcry, juan vazquez, bwall, Jay Turla | Site metasploit.com

This Metasploit module allows remote command execution on the PHP IRC bot pbot by abusing the usage of eval() in the implementation of the .php command. In order to work, the data to connect to the IRC server and channel where find pbot must be provided. The module has been successfully tested on the version of pbot analyzed by Jay Turla, and published on Infosec Institute, running over Ubuntu 10.04 and Windows XP SP3.

tags | exploit, remote, php
systems | linux, windows, xp, ubuntu
MD5 | b4302c2d8b8f5eacb2c614d506570e68
Ubuntu Security Notice USN-1467-1
Posted Jun 12, 2012
Authored by Ubuntu | Site security.ubuntu.com

Ubuntu Security Notice 1467-1 - It was discovered that certain builds of MySQL incorrectly handled password authentication on certain platforms. A remote attacker could use this issue to authenticate with an arbitrary password and establish a connection. MySQL has been updated to 5.5.24 in Ubuntu 12.04 LTS. Ubuntu 10.04 LTS, Ubuntu 11.04 and Ubuntu 11.10 have been updated to MySQL 5.1.63. A patch to fix the issue was backported to the version of MySQL in Ubuntu 8.04 LTS. Various other issues were also addressed.

tags | advisory, remote, arbitrary
systems | linux, ubuntu
advisories | CVE-2012-2122
MD5 | ba304634301d9490723e5f73aa3db8e1
Internet Explorer CSS SetUserClip Memory Corruption
Posted Dec 14, 2010
Authored by Matteo Memelli, jduck, yuange1975 | Site metasploit.com

This Metasploit module exploits a memory corruption vulnerability within Microsoft's HTML engine (mshtml). When parsing an HTML page containing a specially crafted CSS tag, memory corruption occurs that can lead arbitrary code execution. It seems like Microsoft code inadvertently increments a vtable pointer to point to an unaligned address within the vtable's function pointers. This leads to the program counter being set to the address determined by the address "[vtable+0x30+1]". The particular address depends on the exact version of the mshtml library in use. Since the address depends on the version of mshtml, some versions may not be exploitable. Specifically, those ending up with a program counter value within another module, in kernel space, or just not able to be reached with various memory spraying techniques. Also, since the address is not controllable, it is unlikely to be possible to use ROP to bypass non-executable memory protections.

tags | exploit, arbitrary, kernel, code execution
advisories | CVE-2010-3962, OSVDB-68987
MD5 | d8abe530c771ff9eb0b738f46b264236
Bugzilla HTTP Response Splitting / Cross Site Scripting / Information Leak
Posted Nov 5, 2010
Authored by Max Kanat-Alexander | Site bugzilla.org

Bugzilla Security Advisory - Bugzilla versions 3.2.8, 3.4.8, 3.6.2 and 3.7.3 suffer from multiple vulnerabilities. There is a way to inject both headers and content to users, causing a serious cross site scripting vulnerability. It was possible to see graphs from Old Charts even if you did not have access to a particular product, and you could browse a particular URL to see all product names. YUI 2.8.1, which shipped with Bugzilla starting with 3.7.x, contained a security vulnerability. The version of YUI shipped with Bugzilla 4.0rc1 and above has been updated to 2.8.2.

tags | advisory, vulnerability, xss
advisories | CVE-2010-3172, CVE-2010-3764
MD5 | 7d0dcc3c375d4e5fb36677d542175508
mod_proxy_http Timeout Detection
Posted Jun 16, 2010
Authored by William A. Rowe Jr.

A timeout detection flaw in the httpd mod_proxy_http module causes proxied response to be sent as the response to a different request, and potentially served to a different client, from the HTTP proxy pool worker pipeline.

tags | advisory, web
advisories | CVE-2010-2068
MD5 | 2d3d748674d4170d8044c48ccc9120c1
Security Notice For CA ARCserve Backup
Posted Mar 20, 2010
Authored by Kevin Kotas | Site www3.ca.com

CA's support is alerting customers to security risks with CA ARCserve Backup. The version of JRE shipped with ARCserve Backup is potentially susceptible to multiple vulnerabilities and has also reached end of life. Support is providing JRE 1.6 upgrades as remediation.

tags | advisory, vulnerability
MD5 | 39b4f795f0d4f2b19a949182519db623
Mod_proxy From Apache 1.3 Integer Overflow
Posted Jan 27, 2010
Authored by Adam Zabrocki

Mod_proxy from Apache 1.3 suffers from an integer overflow. Full details and proof of concept provided.

tags | exploit, overflow, proof of concept
MD5 | 0e53eeae7fb95547ed4e285e0d53d28a
Mandriva Linux Security Advisory 2009-320
Posted Dec 7, 2009
Authored by Mandriva | Site mandriva.com

Mandriva Linux Security Advisory 2009-320 - The acl_group_override function in smbd/posix_acls.c in smbd in Samba 3.0.x before 3.0.35, 3.1.x and 3.2.x before 3.2.13, and 3.3.x before 3.3.6, when dos filemode is enabled, allows remote attackers to modify access control lists for files via vectors related to read access to uninitialized memory. The SMB (aka Samba) subsystem in Apple Mac OS X 10.5.8, when Windows File Sharing is enabled, does not properly handle errors in resolving pathnames, which allows remote authenticated users to bypass intended sharing restrictions, and read, create, or modify files, in certain circumstances involving user accounts that lack home directories. smbd in Samba 3.0 before 3.0.37, 3.2 before 3.2.15, 3.3 before 3.3.8, and 3.4 before 3.4.2 allows remote authenticated users to cause a denial of service (infinite loop) via an unanticipated oplock break notification reply packet. mount.cifs in Samba 3.0 before 3.0.37, 3.2 before 3.2.15, 3.3 before 3.3.8 and 3.4 before 3.4.2, when mount.cifs is installed suid root, does not properly enforce permissions, which allows local users to read part of the credentials file and obtain the password by specifying the path to the credentials file and using the --verbose or -v option. The version of samba shipping with Mandriva Linux 2008.0 has been updated to the latest version (3.0.37) that includes the fixes for these issues.

tags | advisory, remote, denial of service, local, root
systems | linux, windows, apple, osx, mandriva
advisories | CVE-2009-1888, CVE-2009-2813, CVE-2009-2906, CVE-2009-2948
MD5 | d9472f5277cb29bf1f0c59a5e0e42929
Apache Win32 Chunked Encoding
Posted Nov 26, 2009
Authored by H D Moore | Site metasploit.com

This Metasploit module exploits the chunked transfer integer wrap vulnerability in Apache version 1.2.x to 1.3.24. This particular module has been tested with all versions of the official Win32 build between 1.3.9 and 1.3.24. Additionally, it should work against most co-branded and bundled versions of Apache (Oracle 8i, 9i, IBM HTTPD, etc). You will need to use the Check() functionality to determine the exact target version prior to launching the exploit. The version of Apache bundled with Oracle 8.1.7 will not automatically restart, so if you use the wrong target value, the server will crash.

tags | exploit
systems | windows
advisories | CVE-2002-0392
MD5 | e3d3d24a04a5fa710ddd92b1a78239b0
iDEFENSE Security Advisory 2009-04-14.1
Posted Apr 15, 2009
Authored by iDefense Labs | Site idefense.com

iDefense Security Advisory 04.14.09 - Exploitation of a stack corruption vulnerability in Microsoft Corp.'s Word 2000 WordPerfect 6.x Converter could allow an attacker to execute code in the context of the current user. Microsoft Word is able to open documents created in other applications by transparently applying a filter module which converts them to a format Word can use. The WordPerfect 6.x converter from Office 2000 fails to perform sufficient sanity checking on input files. A maliciously constructed WordPerfect document can cause potentially exploitable stack corruption. iDefense Labs have confirmed that the WordPerfect 6.x converter (WPFT632.CNV, with file version 1998.1.27.0) in Microsoft Word 2000 Service Pack 3 is vulnerable. However, the version of this converter installed with Word 2003 is not affected by this vulnerability.

tags | advisory
advisories | CVE-2009-0088
MD5 | a3f7a6f79d5ec72d483ff50b45e67f03
Debian Linux Security Advisory 1617-1
Posted Jul 25, 2008
Authored by Debian | Site debian.org

Debian Security Advisory 1617-1 - In DSA-1603-1, Debian released an update to the BIND 9 domain name server, which introduced UDP source port randomization to mitigate the threat of DNS cache poisoning attacks (identified by the Common Vulnerabilities and Exposures project as CVE-2008-1447). The fix, while correct, was incompatible with the version of SELinux Reference Policy shipped with Debian Etch, which did not permit a process running in the named_t domain to bind sockets to UDP ports other than the standard 'domain' port (53). The incompatibility affects both the 'targeted' and 'strict' policy packages supplied by this version of refpolicy. This update to the refpolicy packages grants the ability to bind to arbitrary UDP ports to named_t processes. When installed, the updated packages will attempt to update the bind policy module on systems where it had been previously loaded and where the previous version of refpolicy was 0.0.20061018-5 or below.

tags | advisory, arbitrary, udp, vulnerability
systems | linux, debian
advisories | CVE-2008-1447
MD5 | 1f7434c7ae5c8345c7101b841bffb229
iDEFENSE Security Advisory 2007-11-12.1
Posted Nov 13, 2007
Authored by iDefense Labs | Site idefense.com

iDefense Security Advisory 11.12.07 - Local exploitation of an invalid array indexing vulnerability in the NPF.SYS device driver of WinPcap allows attackers to execute arbitrary code in kernel context. The problem specifically exists within the bpf_filter_init function. In several places throughout this function, values supplied from a potential attacker are used as array indexes without proper bounds checking. By making IOCTL requests with specially chosen values, attackers are able to corrupt the stack, or pool memory, within the kernel. iDefense has confirmed the existence of this vulnerability in version 4.0.1 of WinPcap as included in Wireshark 0.99.6a. The version of NPF.SYS tested was 4.0.0.901. iDefense suspects older versions to also be vulnerable.

tags | advisory, arbitrary, kernel, local
advisories | CVE-2007-5756
MD5 | ccb4207f94afc8cd90c0b5776dc0c638
mobilemail_libtiff.rb.txt
Posted Oct 23, 2007
Authored by H D Moore, Kevin Finisterre | Site metasploit.com

This Metasploit module exploits a buffer overflow in the version of libtiff shipped with firmware versions 1.00, 1.01, 1.02, and 1.1.1 of the Apple iPhone. iPhones which have not had the BSD tools installed will need to use a special payload.

tags | exploit, overflow
systems | bsd, apple, iphone
MD5 | 92e658f30a2a455067ca9db033446795
safari_libtiff.rb.txt
Posted Oct 23, 2007
Authored by H D Moore, Kevin Finisterre | Site metasploit.com

This Metasploit module exploits a buffer overflow in the version of libtiff shipped with firmware versions 1.00, 1.01, 1.02, and 1.1.1 of the Apple iPhone. iPhones which have not had the BSD tools installed will need to use a special payload.

tags | exploit, overflow
systems | bsd, apple, iphone
MD5 | a52fa90d5222ed2fd16f87b679276bad
Page 1 of 3
Back123Next

File Archive:

May 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    14 Files
  • 2
    May 2nd
    3 Files
  • 3
    May 3rd
    1 Files
  • 4
    May 4th
    18 Files
  • 5
    May 5th
    15 Files
  • 6
    May 6th
    21 Files
  • 7
    May 7th
    15 Files
  • 8
    May 8th
    19 Files
  • 9
    May 9th
    1 Files
  • 10
    May 10th
    2 Files
  • 11
    May 11th
    18 Files
  • 12
    May 12th
    39 Files
  • 13
    May 13th
    15 Files
  • 14
    May 14th
    17 Files
  • 15
    May 15th
    17 Files
  • 16
    May 16th
    2 Files
  • 17
    May 17th
    2 Files
  • 18
    May 18th
    15 Files
  • 19
    May 19th
    21 Files
  • 20
    May 20th
    15 Files
  • 21
    May 21st
    15 Files
  • 22
    May 22nd
    6 Files
  • 23
    May 23rd
    1 Files
  • 24
    May 24th
    1 Files
  • 25
    May 25th
    2 Files
  • 26
    May 26th
    23 Files
  • 27
    May 27th
    13 Files
  • 28
    May 28th
    18 Files
  • 29
    May 29th
    17 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close