Fri, 12 Jan 2018 10:02:22 GMT
Kaseya VSA R9.2 Arbitrary File Read
A security vulnerability was found in the Kaseya VSA file download functionality. Using this vulnerability, an authenticated user in a Kaseya VSA environment is able to download arbitrary files from the server (including Kaseya source code, database backups, configuration files, and even Windows system files). Version R9.2 was found affected.
Fri, 12 Jan 2018 01:31:15 GMT
Windows Kernel Exploitation Tutorial Part 5: NULL Pointer Dereference
Whitepaper called Windows Kernel Exploitation Tutorial Part 5: NULL Pointer Dereference.
Fri, 12 Jan 2018 00:02:22 GMT
Wireshark Analyzer 2.4.4
Wireshark is a GTK+-based network protocol analyzer that lets you capture and interactively browse the contents of network frames. The goal of the project is to create a commercial-quality analyzer for Unix and Win32 and to give Wireshark features that are missing from closed-source sniffers.
Thu, 11 Jan 2018 15:39:57 GMT
ALLMediaServer 0.95 Stack Buffer Overflow
ALLMediaServer version 0.95 stack buffer overflow exploit with DEP bypass on Windows 7 x64.
Thu, 11 Jan 2018 15:38:43 GMT
Microsoft Windows SMB Server Mount Point Privilege Escalation
On Microsoft Windows, the SMB server drivers (srv.sys and srv2.sys) do not check the destination of an NTFS mount point when manually handling a reparse operation, which makes it possible to locally open an arbitrary device via an SMB client and can result in privilege escalation.
Thu, 11 Jan 2018 15:37:04 GMT
Microsoft Windows NtImpersonateAnonymousToken LPAC To Non-LPAC Privilege Escalation
On Microsoft Windows, when impersonating the anonymous token from within an LPAC, the WIN://NOAPPALLPKG security attribute is ignored, so a non-LPAC token is impersonated, leading to privilege escalation.
Wed, 10 Jan 2018 01:28:53 GMT
Microsoft Windows NtImpersonateAnonymousToken AC To Non-AC Privilege Escalation
On Microsoft Windows, the check for an AC token when impersonating the anonymous token does not verify the impersonation token's security level, so a non-AC anonymous token is impersonated, leading to privilege escalation.
Wed, 10 Jan 2018 01:27:24 GMT
HPE iMC dbman RestoreDBase Unauthenticated Remote Command Execution
This Metasploit module exploits a remote command execution vulnerability in Hewlett Packard Enterprise Intelligent Management Center before version 7.3 E0504P04. The dbman service allows unauthenticated remote users to restore a user-specified database (OpCode 10007), however the database connection username is not sanitized resulting in command injection, allowing execution of arbitrary operating system commands as SYSTEM. This service listens on TCP port 2810 by default. This Metasploit module has been tested successfully on iMC PLAT v7.2 (E0403) on Windows 7 SP1 (EN).
Wed, 10 Jan 2018 00:56:22 GMT
HPE iMC dbman RestartDB Unauthenticated Remote Command Execution
This Metasploit module exploits a remote command execution vulnerability in Hewlett Packard Enterprise Intelligent Management Center before version 7.3 E0504P04. The dbman service allows unauthenticated remote users to restart a user-specified database instance (OpCode 10008), however the instance ID is not sanitized, allowing execution of arbitrary operating system commands as SYSTEM. This service listens on TCP port 2810 by default. This Metasploit module has been tested successfully on iMC PLAT v7.2 (E0403) on Windows 7 SP1 (EN).
Wed, 10 Jan 2018 00:54:23 GMT
Microsoft Windows Local XPS Print Spooler Sandbox Escape
The Microsoft Windows local print spooler can be abused to create an arbitrary file from a low privilege application including one in an AC as well as a typical Edge LPAC CP leading to elevation of privilege.
Wed, 10 Jan 2018 00:53:19 GMT
Microsoft Windows Kernel ATMFD.DLL NamedEscape 0x250D Pool Corruption
The Microsoft Windows OpenType ATMFD.DLL kernel-mode font driver has an undocumented "escape" interface, handled by the standard DrvEscape and DrvFontManagement functions implemented by the module. The interface is very similar to Buffered IOCTL in nature, and handles 13 different operation codes in the numerical range of 0x2502 to 0x2514. It is accessible to user-mode applications through an exported (but not documented) gdi32!NamedEscape function, which internally invokes the NtGdiExtEscape syscall.
Wed, 10 Jan 2018 00:51:59 GMT
Microsoft Windows Kernel ATMFD.DLL Out-Of-Bounds Read
The Microsoft Windows OpenType ATMFD.DLL kernel-mode driver lacks any sort of sanitization of various 32-bit offsets found in .MMM files (Multiple Master Metrics), and instead uses them blindly while loading Type 1 Multiple-Master fonts in the system.
Wed, 10 Jan 2018 00:49:04 GMT
Microsoft Windows Kernel nt!PiUEventHandleGetEvent Stack Memory Disclosure
The Microsoft Windows kernel suffers from a stack memory disclosure from nt!RawMountVolume via nt!PiUEventHandleGetEvent (\Device\DeviceApi\CMNotify device).
Wed, 10 Jan 2018 00:46:17 GMT
Microsoft Windows Kernel nt!NtQuerySystemInformation Memory Disclosure
The Microsoft Windows kernel pool suffers from a memory disclosure in nt!NtQuerySystemInformation (information class 138, QueryMemoryTopologyInformation).
Tue, 09 Jan 2018 17:37:19 GMT
Microsoft Windows Kernel nt!NtQueryInformationProcess Stack Memory Disclosure
The Microsoft Windows kernel suffers from a stack memory disclosure in nt!NtQueryInformationProcess (information class 76, QueryProcessEnergyValues).
Wed, 03 Jan 2018 03:33:33 GMT
Commvault Communications Service (cvd) Command Injection
This Metasploit module exploits a command injection vulnerability discovered in Commvault Service v11 SP5 and earlier versions (tested in v11 SP5 and v10). The vulnerability exists in the cvd.exe service and allows an attacker to execute arbitrary commands in the context of the service. By default, the Commvault Communications service installs and runs as SYSTEM in Windows and does not require authentication. This vulnerability was discovered in the Windows version. The Linux version wasn't tested.
Tue, 02 Jan 2018 04:44:44 GMT
Fortinet Installer Client 5.6 DLL Hijacking
Fortinet Installer Client 5.6 for Windows PC suffers from a DLL hijacking vulnerability.
Tue, 26 Dec 2017 19:32:22 GMT
Fortinet FortiClient Windows Privilege Escalation
Fortinet FortiClient Windows suffers from a privilege escalation vulnerability at logon.
Sun, 24 Dec 2017 16:22:22 GMT
Windows Media Player Information Disclosure
Windows Media Player suffers from an information disclosure vulnerability that lets an attacker know if a file exists.
Fri, 22 Dec 2017 16:36:14 GMT
Ubiquiti UniFi Video 3.7.3 (Windows) Local Privilege Escalation
Ubiquiti UniFi Video version 3.7.3 (Windows) suffers from a local privilege escalation vulnerability due to insecure directory permissions.
Wed, 20 Dec 2017 16:05:36 GMT
Oracle MySQL UDF Payload Execution
This Metasploit module creates and enables a custom UDF (user defined function) on the target host via the SELECT ... INTO DUMPFILE method of binary injection. On default Microsoft Windows installations of MySQL versions 5.5.9 and below, directory write permissions are not enforced, and the MySQL service runs as LocalSystem. NOTE: This Metasploit module will leave a payload executable on the target system when the attack is finished, as well as the UDF DLL, and will define or redefine the sys_eval() and sys_exec() functions.
Tue, 19 Dec 2017 15:55:55 GMT
Microsoft Windows Kernel Ring-0 Address Leak
It was discovered that it is possible to disclose addresses of kernel-mode Paged Pool allocations via a race-condition in the implementation of the NtQueryVirtualMemory system call (information class 2, MemoryMappedFilenameInformation). The vulnerability affects Windows 7 to 10, 32-bit and 64-bit.
Sat, 16 Dec 2017 03:33:33 GMT
Microsoft Windows Hello Face Authentication Bypass
Microsoft Windows 10 offers a biometric authentication mechanism using "near infrared" face recognition technology with specific Windows Hello compatible cameras. Due to an insecure implementation of the biometric face recognition in some Windows 10 versions, it is possible to bypass the Windows Hello face authentication via a simple spoofing attack using a modified printed photo of an authorized person.
Sat, 16 Dec 2017 02:33:33 GMT
Apple Security Advisory 2017-12-13-4
Apple Security Advisory 2017-12-13-4 - iTunes 12.7.2 for Windows is now available and addresses code execution and privacy issues.
Apple Security Advisory 2017-12-13-3
Apple Security Advisory 2017-12-13-3 - iCloud for Windows 7.2 is now available and addresses code execution and privacy issues.