Debian Linux Security Advisory 4291-1 - Two input sanitization failures have been found in the faxrunq and faxq binaries in mgetty, a smart modem getty replacement. An attacker could leverage them to insert commands via shell metacharacters in jobs id and have them executed with the privilege of the faxrunq/faxq user.
be0cb8e6db32850d296d214e389adee1LW-N605R devices allow remote code execution via shell metacharacters in the HOST field of the ping feature at adm/systools.asp. Authentication is needed but the default password of admin for the admin account may be used in some cases.
381dfb828206901640b7a36fed462414OwlChat version 2.0 suffers from a remote shell upload vulnerability.
05cb90d1713d9b920debded62e0cf99aThis Metasploit module exploits a path traversal via Jetdirect to gain arbitrary code execution by writing a shell script that is loaded on startup to /etc/profile.d. Then, the printer is restarted using SNMP. A large amount of printers are impacted.
330fb84840e2b0a7602e2d3e4c2701b5Ghostscript suffers from file disclosure, shell command execution, memory corruption, and type confusion bugs.
1bbaaab44336f199ff5bab7ea535193586 bytes small Linux/x86 reverse TCP (::FFFF:192.168.1.5:4444/TCP) shell (/bin/sh) + null-free + IPv6 shellcode.
841854d50e743d5f6ad22336b8cda687116 bytes small Linux/ARM reverse shell ::1:4444/TCP with IPv6 shellcode.
b926864087396be941ee4f0a2ef16f49This Metasploit module exploits a vulnerability in SonicWall Global Management System Virtual Appliance versions 8.1 (Build 8110.1197) and below. This virtual appliance can be downloaded from http://www.sonicwall.com/products/sonicwall-gms/ and is used 'in a holistic way to manage your entire network security environment.' These vulnerable versions (8.1 Build 8110.1197 and below) do not prevent unauthenticated, external entities from making XML-RPC requests to port 21009 of the virtual app. After the XML-RPC call is made, a shell script is called like so: 'timeSetup.sh --tz="`command injection here`"' --usentp="blah"'.
70c44d4d505bc2fcf508abeea31a28a9Super CMS Blog Pro PHP Script version 1.0 suffers from shell upload and remote SQL injection vulnerabilities.
4d4af76da07a9471a1cd3679240ce824Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway systems have a web shell application that includes a service called Microhard Sh that is documented only as 'reserved for internal use'. This service can be enabled by an authenticated user within the Services menu in the web admin panel. This can also be enabled via CSRF attack. When the service is enabled, a user 'msshc' is created on the system with password 'msshc' for SSH shell access on port 22. When connected, the user is dropped into a NcFTP jailed environment, that has limited commands for file transfer administration. One of the commands is a custom added 'ping' command that has a command injection vulnerability that allows the attacker to escape the restricted environment and enter into a root shell terminal that can execute commands as the root user. Many versions are affected.
3679d738983dec17aa3243aa408c3212Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway systems suffer from an issue where due to the hidden and undocumented File Editor (Filesystem Browser) shell script 'system-editor.sh' an attacker can leverage this issue to read, modify or delete arbitrary files on the system. Input passed thru the 'path' and 'savefile', 'edit' and 'delfile' GET and POST parameters is not properly sanitized before being used to modify files. This can be exploited by an authenticated attacker to read or modify arbitrary files on the affected system. Many versions are affected.
c7aa24d69a51dbc46e0636cc8eb7baaeLinux/x86_64 reverse shell (IPv6) shellcode with password.
dbd483d4db3276e5d473382e1fdcfc3aCouchDB administrative users can configure the database server via HTTP(S). Some of the configuration options include paths for operating system-level binaries that are subsequently launched by CouchDB. This allows an admin user in Apache CouchDB before 1.7.0 and 2.x before 2.1.1 to execute arbitrary shell commands as the CouchDB user, including downloading and executing scripts from the public internet.
646205692a311200bb3f3d798f50c670IBM QRadar SIEM has three vulnerabilities in the Forensics web application that when chained together allow an attacker to achieve unauthenticated remote code execution. The first stage bypasses authentication by fixating session cookies. The second stage uses those authenticated sessions cookies to write a file to disk and execute that file as the "nobody" user. The third and final stage occurs when the file executed as "nobody" writes an entry into the database that causes QRadar to execute a shell script controlled by the attacker as root within the next minute. Details about these vulnerabilities can be found in the advisories listed in References. The Forensics web application is disabled in QRadar Community Edition, but the code still works, so these vulnerabilities can be exploited in all flavors of QRadar. This Metasploit module was tested with IBM QRadar CE 7.3.0 and 7.3.1. IBM has confirmed versions up to 7.2.8 patch 12 and 7.3.1 patch 3 are vulnerable. Due to payload constraints, this module only runs a generic/shell_reverse_tcp payload.
221b05c8f4d9bb44521c8ebfe10f771dThis Metasploit module exploits a few different vulnerabilities in Nagios XI 5.2.6-5.4.12 to gain remote root access. The steps are: 1. Issue a POST request to /nagiosql/admin/settings.php which sets the database user to root. 2. SQLi on /nagiosql/admin/helpedit.php allows us to enumerate API keys. 3. The API keys are then used to add an administrative user. 4. An authenticated session is established with the newly added user 5. Command Injection on /nagiosxi/backend/index.php allows us to execute the payload with nopasswd sudo, giving us a root shell. 6. Remove the added admin user and reset the database user.
f275b1da0c15a7e7e5fae8036578d5d8LaraChurch Complete Church Management System version 1.0 suffers from a remote shell upload vulnerability.
a7ae782a86b42876fe361349f6cdae3cRed Hat Security Advisory 2018-1932-01 - The zsh shell is a command interpreter usable as an interactive login shell and as a shell script command processor. Zsh resembles the ksh shell, but includes many enhancements. Zsh supports command-line editing, built-in spelling correction, programmable command completion, shell functions, a history mechanism, and more. Issues addressed include buffer overflow and code execution vulnerabilities.
7df45b65507cdbd916c317251f366d7aThis Metasploit module attempts to gain root privileges on Linux systems by abusing a vulnerability in GNU C Library (glibc) version 2.26 and prior. This Metasploit module uses halfdog's RationalLove exploit to exploit a buffer underflow in glibc realpath() and create a SUID root shell. The exploit has offsets for glibc versions 2.23-0ubuntu9 and 2.24-11+deb9u1. The target system must have unprivileged user namespaces enabled. This Metasploit module has been tested successfully on Ubuntu Linux 16.04.3 (x86_64) with glibc version 2.23-0ubuntu9; and Debian 9.0 (x86_64) with glibc version 2.24-11+deb9u1.
fdde72feb2388aee3f2e93395c3c6363This Metasploit module will bypass UAC on Windows 8-10 by hijacking a special key in the Registry under the Current User hive, and inserting a custom command that will get invoked when any binary (.exe) application is launched. But slui.exe is an auto-elevated binary that is vulnerable to file handler hijacking. When we run slui.exe with changed Registry key (HKCU:\Software\Classes\exefile\shell\open\command), it will run our custom command as Admin instead of slui.exe. The module modifies the registry in order for this exploit to work. The modification is reverted once the exploitation attempt has finished. The module does not require the architecture of the payload to match the OS. If specifying EXE::Custom your DLL should call ExitProcess() after starting the payload in a different process.
cbaf903a1f48babbbfdd55bd95607ccfNUUO NVRmini2 and NVRsolo suffer from a remote shell upload vulnerability.
bdc03f1cb1c4e45f65f4b6a879ef92ceWchat Fully Responsive PHP AJAX Chat Script version 1.5 suffers from a remote shell upload vulnerability.
ef20a197f0eb75efb49439e9806f82c9PHP Login and User Management versions 4.1.0 and below suffers from a remote shell upload vulnerability.
bd0631b0840255f200ab219736fbbaaaLikeSoftware CMS suffers from cross site request forgery and remote shell upload vulnerabilities.
fc933e734ee2c898fee0a9fe9c673698Easy File Uploader version 1.7 suffers from a remote shell upload vulnerability.
72afb65d3fa31008dd700ca8653852f9WordPress Peugeot Music plugin version 1.0 suffers from cross site request forgery and remote shell upload vulnerabilities.
977bc38dbf076cea5680909d6b0fd85c
© 2018 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed