

execution

Collection of Vulnerabilities in Fully Patched Vim 7.1

have been added: multi-level undo, syntax highlighting, command line history,
on-line help, spell checking, filename completion, block operations, etc.''
        -- VIM 7.1 README.txt

Parts of Vim are written in the Vim script language.  A feature of this
language widely used in the Vim code is the ``execute'' command, an equivalent
of ``eval'' in some other languages.  Throughout Vim, arguments passed to
``execute'' are not sanitized properly.  This can lead to arbitrary code
execution.  We will show several exploits which execute arbitrary code upon
opening a crafted file with the ex(1), vim(1), or view(1) commands.  Only in a
few cases will we explore the possibility of remote exploitation.  We will

VMware Emulation Flaw x64 Guest Privilege Escalation (2/2)

If any exception occurs during execution of a kernel-mode service
routine's prologue prior to the initial SWAPGS instruction, or in the
epilogue after the final SWAPGS instruction, then the fault handler
will be invoked with a "return CS" indicating kernel mode, but with a
GS base not guaranteed to be kernel GS, because the interrupted
prologue code did not yet have a chance to execute the SWAPGS
instruction.  In other words, the interrupt handler for the exception
could execute with user GS still active, and yet it will not use
SWAPGS to switch to kernel GS because the previous mode was kernel
mode, meaning the handler could then act upon user-controlled data as
though it were trusted kernel data.

VMware Emulation Flaw x64 Guest Privilege Escalation (1/2)

SEC Consult SA-20120104-0 :: Multiple critical vulnerabilities in Apache Struts2

ParametersInterceptor since Struts 2.2.1.1:

acceptedParamNames = "[a-zA-Z0-9\\.\\]\\[\\(\\)_'\\s]+";

Under certain circumstances these restrictions can be bypassed to
execute malicious Java code.

1.) Remote command execution in Struts <= 2.2.1.1 (ExceptionDelegator)

When an exception occurs while applying parameter values to properties
the value is evaluated as OGNL expression. For example this occurs when

[SECURITY] [DSA 1697-1] New iceape packages fix several vulnerabilities

    (MFSA 2008-22)

CVE-2008-2801

    Collin Jackson and Adam Barth discovered that Javascript code
    could be executed in the context of signed JAR archives. (MFSA 2008-23)

CVE-2008-2802

    "moz_bug_r_a4" discovered that XUL documents can escalate
    privileges by accessing the pre-compiled "fastload" file.

HP notebooks remote code execution vulnerability (multiple series)

///////////////

Architecture of the vulnerable HP Info Center software gives an attacker a few different 
attack vector combinations:

- remote automated download and execute (e.g. malware installation)
- remote registry arbitrary key access (e.g. attack preparation, remote system info gathering)
- remote registry data modification (e.g. sensitive data manipulation, malware installation, DoS attacks)
- system disk data area manipulation and user documents alteration (e.g. system files manipulation, 
        sensitive user documents access, entire system crash DoS attacks)


RE: NSOADV-2010-004: McAfee LinuxShield remote/local code execution

Description:
============

This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of McAfee LinuxShield. User interaction is not
required to exploit this vulnerability but an attacker must be
authenticated.

The LinuxShield Web interface communicates with the locally installed

Re: NSOADV-2010-004: McAfee LinuxShield remote/local code execution

Multiple vulnerabilities in SiT! Support Incident Tracker

The following PoC code is available:

http://[host]/contract_add_service.php?contractid=1%20union%20%28select%20min%28@a:=1%29from%20%28select%201%20union%20select%202%29k%20group%20by%20%28select%20concat%28@@version,0x0,@a:=%28@a%2B1%29%2%29%29%29%20+--+

3) Input passed via the "mode" GET parameter to contact_support.php is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of the affected website.

The following PoC code is available:

http://[host]/contact_support.php?mode=1%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E


NSOADV-2010-004: McAfee LinuxShield remote/local code execution

[ MDVSA-2010:055 ] poppler

 An out-of-bounds reading flaw in the JBIG2 decoder allows remote
 attackers to cause a denial of service (crash) via a crafted PDF file
 (CVE-2009-0799).
 
 Multiple input validation flaws in the JBIG2 decoder allows
 remote attackers to execute arbitrary code via a crafted PDF file
 (CVE-2009-0800).
 
 An integer overflow in the JBIG2 decoder allows remote attackers to
 execute arbitrary code via a crafted PDF file (CVE-2009-1179).
 

[ MDVSA-2011:175 ] poppler

Secunia Research: OpenX Multiple Vulnerabilities

1) Input passed to the "clientid" parameter in "www/admin/banner-
acl.php", "www/admin/banner-edit.php", "www/admin/campaign-zone.php", 
"www/admin/advertiser-campaigns.php", "www/admin/campaign-
banners.php", and "www/admin/banner-activate.php" is not properly 
sanitised before being returned to the user. This can be exploited to
execute arbitrary HTML and script code in a user's browser session in
the context of an affected site.

2) Input passed to the "orderdirection" and "listorder" parameters in
"www/admin/userlog-index.php" and "www/admin/stats.php" is not 
properly sanitised before being returned to the user. This can be 

EEYE: Multiple Vulnerabilities In .FLAC File Format and Various Media Applications

Vulnerability #2: VORBIS Comment String Size Field Heap Overflow
The second vulnerability lies within the parsing of any VORBIS Comment
String Size fields. Setting this field to an overly large size, such
as 0xFFFFFFF, could also result in another heap-based overflow allowing
arbitrary code to execute in the context of the decoding program.
Similar to the Metadata Block Size Overflow vulnerability above,
exploitation depends on data allocation location, heap structure and
error handlers of the affected application. Exploitation would be
achieved by overwriting pointers in memory with arbitrary values stored
inside the FLAC file or hard coded addresses in DLL files that directing
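As an added example (not eEye's code and not taken from any FLAC decoder), the C below shows the bounds check a VORBIS comment parser needs on the 32-bit string-size field, next to the naive arithmetic a 32-bit decoder can get wrong. The block layout follows the Vorbis comment format (little-endian vendor length, vendor string, comment count, then length-prefixed comments); the byte arrays are constructed here, and `parse_vorbis_comments`, `naive_check_accepts` and `safe_check_accepts` are this example's own names.

```c
/* Added example: length validation for VORBIS_COMMENT fields in a FLAC file.
 * Not from eEye or any real decoder; sample blocks below are constructed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Vorbis comment lengths are little-endian 32-bit values. */
static uint32_t rd_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* The check a 32-bit decoder might write: "field plus its 4-byte header fits".
 * len + 4 wraps for len >= 0xFFFFFFFC, so the check passes and the copy that
 * follows reads past the end of the block. Returns 1 if accepted. */
int naive_check_accepts(uint32_t len, uint32_t remaining) {
    uint32_t need = len + 4;            /* unsigned wrap-around */
    return need <= remaining;
}

/* Overflow-safe form: subtract the header first, compare against what is
 * actually left. Returns 1 if the field fits in the remaining bytes. */
int safe_check_accepts(uint32_t len, size_t remaining) {
    if (remaining < 4) return 0;
    return (size_t)len <= remaining - 4;
}

/* Parse vendor string, comment count and each comment, validating every
 * length against the bytes left. Copies the first comment (truncated to
 * outsz-1 bytes) into first_comment. Returns the number of comments parsed
 * or -1 on malformed input. */
int parse_vorbis_comments(const uint8_t *buf, size_t n,
                          char *first_comment, size_t outsz) {
    size_t off = 0;
    uint32_t vendor_len, count, i;

    if (n - off < 4) return -1;
    vendor_len = rd_le32(buf + off);
    if (!safe_check_accepts(vendor_len, n - off)) return -1;
    off += 4 + vendor_len;

    if (n - off < 4) return -1;
    count = rd_le32(buf + off);
    off += 4;

    for (i = 0; i < count; i++) {
        uint32_t len;
        if (n - off < 4) return -1;          /* count claims more than present */
        len = rd_le32(buf + off);
        if (!safe_check_accepts(len, n - off)) return -1;
        if (i == 0 && first_comment && outsz > 0) {
            size_t c = len < outsz - 1 ? len : outsz - 1;
            memcpy(first_comment, buf + off + 4, c);
            first_comment[c] = '\0';
        }
        off += 4 + len;
    }
    return (int)i;
}

/* Constructed sample blocks (not from any real file). */
static const uint8_t good_block[] = {
    3, 0, 0, 0, 'r', 'e', 'f',                 /* vendor string "ref"      */
    1, 0, 0, 0,                                /* one comment              */
    7, 0, 0, 0, 'T', 'I', 'T', 'L', 'E', '=', 'x'
};
static const uint8_t bad_block[] = {
    3, 0, 0, 0, 'r', 'e', 'f',
    1, 0, 0, 0,
    0xFF, 0xFF, 0xFF, 0x0F                     /* size 0x0FFFFFFF, no data */
};

/* Returns 1 if the well-formed block parses to one comment "TITLE=x". */
int demo_good(void) {
    char c[32];
    int r = parse_vorbis_comments(good_block, sizeof good_block, c, sizeof c);
    return (r == 1 && strcmp(c, "TITLE=x") == 0) ? 1 : 0;
}

/* Returns 1 if the oversized size field is rejected instead of copied. */
int demo_bad_rejected(void) {
    char c[32];
    return parse_vorbis_comments(bad_block, sizeof bad_block, c, sizeof c) == -1;
}

int main(void) {
    printf("good block parses: %d\n", demo_good());
    printf("0x0FFFFFFF size field rejected: %d\n", demo_bad_rejected());
    printf("naive check accepts 0xFFFFFFFF with 16 bytes left: %d\n",
           naive_check_accepts(0xFFFFFFFFu, 16));
    printf("safe check accepts 0xFFFFFFFF with 16 bytes left: %d\n",
           safe_check_accepts(0xFFFFFFFFu, 16));
    return 0;
}
```

A size field of 0x0FFFFFFF, as in the advisory, is caught by comparing against the bytes actually left in the block; a field of 0xFFFFFFFF shows the second trap, where `len + 4` wraps to 3 and the naive comparison accepts it, so whatever copy follows runs off the end of the buffer.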

Akamai Download Manager arbitrary file download & execution

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
Akamai's Download Manager allows attackers to download arbitrary
files onto a user's desktop. Using a so-called "blended
threat" attack it is possible to execute arbitrary code. This
attack affects the ActiveX control as well as the Java applet.

------------------------------------------------------------------------
Tested version
------------------------------------------------------------------------

Cisco Security Advisory: Multiple Vulnerabilities in Cisco AnyConnect Secure Mobility Client

application that aids in downloading and executing the actual Cisco
AnyConnect Secure Mobility Client. The helper application is a Java
applet on the Linux and MacOS X platforms, and either a Java applet
on the Windows platform or an ActiveX control if the browser is
capable of utilizing ActiveX controls. The downloaded helper
application is executed in the context of the originating site in the
user's web browser. The helper application then downloads the Cisco
AnyConnect Secure Mobility Client from the VPN headend and executes
it.

The helper application fails to properly validate the authenticity of

Malware detection evasion in antivirus software

The Windows operating system supports a range of file permissions
for files stored on volumes formatted in the NTFS file system format.
For executing EXE files, the acting user account only needs the
"Execute File" permission, while all others might be missing or denied,
although there are cases when this is not true. The exact rule is unknown
to the author. In the system used to test and verify the vulnerability
the Execute File permission was enough to run programs. On another system running
Windows 7 that was not true. Start of EXE files succeeded only if other
permissions were enabled, including the Read Data permission. On another

Multiple Cross-Site Scripting (XSS) in Kajona

1) Multiple Cross-Site Scripting (XSS) in Kajona: CVE-2012-3805

1.1 Input passed via the "absender_name", "absender_email" and "absender_nachricht" GET parameters to /index.php (when "page" is set to "contact") is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of the affected website.

The following PoC (Proof of Concept) demonstrates the vulnerabilities:


http://kajona/index.php?page=contact&absender_name=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E

RadAsm <=2.2.1.5 Local Command Execution

Infected version: All versions
Greetz go to: www.at4re.com (Arab Team 4 Reverse Engineering), arab4services.net
Critical: Highly critical
Impact: Command Execution
------------------------------------------------------------------
This is a little PoC that can execute an arbitrary command on the victim machine.
In an unexpected way, the attacker can put a command in the project file (".rap" file) instead of the linker path or Macro Assembler "ML.exe" path.
The project file looks like this.
"Some data has been cut to make it readable"
-------------------------------------
project file structure

Re: RadAsm <=2.2.1.5 Local Command Execution

> infected version:All Version
> greetz go to:www.at4re.com(Arab Team 4 Reverse Engineering),arab4services.net
> Critical: Highly critical
> Impact:Command Execution
> ------------------------------------------------------------------
> this is litel POC that can execute arabitrary command in victime machine.
> in unexpected way the attacker can put in the project file ".rap file" command instead of the linker path or  Macro Assembler "ML.exe" path.
> project file look like this.
> " some data has been cuted for making it readable"
> -------------------------------------
> project file structure

Cisco Security Advisory: Multiple Vulnerabilities in Cisco TelePresence Endpoint Devices

Unauthenticated CGI Access

Multiple CGI command injection vulnerabilities exist in Cisco
TelePresence endpoint devices that could allow a remote,
authenticated attacker to execute arbitrary commands with elevated
privileges. To exploit these vulnerabilities, an attacker must submit
a malformed request to an affected device via TCP port 8082.

An attacker must perform a three-way TCP handshake and establish a
valid session to exploit this vulnerability.

Cisco Security Advisory: CiscoWorks Common Services Arbitrary Command Execution Vulnerability

Summary
=======

CiscoWorks Common Services for Microsoft Windows contains a
vulnerability that could allow an authenticated, remote attacker to
execute arbitrary commands on the affected system with the privileges
of a system administrator.

Cisco has released free software updates that address this
vulnerability.


Multiple vulnerabilities in osCmax

High-Tech Bridge SA Security Research Lab has discovered multiple vulnerabilities in osCmax, which can be exploited to perform SQL Injection and Cross-Site Scripting (XSS) attacks.

1) Multiple Cross-Site Scripting (XSS) in osCmax: CVE-2012-1664

1.1 Input passed via the "username" POST parameter to /admin/login.php is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of the affected website.

The following PoC (Proof of Concept) demonstrates the vulnerability:


<form action="http://[host]/admin/login.php?action=process" method="post" name="main" id="main">

Centrify Deployment Manager v2.1.0.283 local root

No root still.

Looking at the history and trace of what was run on the target system we see this:

Execute echo "echo 8c8ac888-342b-461f-a0ab-659251f3d602" > /tmp/centrify.cmd.0 Result =0 <----- if we create the file before them, we own it.  We can write to it before it's executed and have our command executed.

Execute echo "vmware -v 2> /dev/null |grep 'VMware ESX Server' >/dev/null" >> /tmp/centrify.cmd.0 Result =0
Execute echo "temp=\$?" >> /tmp/centrify.cmd.0 Result =0
Execute echo "echo b2449bef-65c1-45e8-9da0-4801200c5c05" >> /tmp/centrify.cmd.0 Result =0
Execute echo "exit \${temp}" >> /tmp/centrify.cmd.0 Result =0
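As an added illustration (not Centrify's code), the C below reproduces the file-creation semantics behind the observation above: a shell `>` redirect opens with O_CREAT|O_TRUNC and no O_EXCL, so a file the attacker created first is reused with the attacker's ownership and can still be appended to afterwards, while an O_EXCL open (or mkstemp) refuses the pre-created path. It runs as a single user in a scratch file under /tmp, so the privilege boundary of the real bug (root later executing the script) is only described in comments; the function names and the appended line are this example's own.

```c
/* Added example: why pre-creating a predictable /tmp script name wins against
 * `echo ... > file`, and how O_EXCL closes it. Not Centrify's code; runs as a
 * single user on a scratch path, the root/attacker split is in comments. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Shell `>` is open(O_WRONLY|O_CREAT|O_TRUNC, 0666); `>>` swaps O_TRUNC for
 * O_APPEND. Neither uses O_EXCL, so an existing file is reused and keeps the
 * owner and mode of whoever created it first. */
static int open_like_redirect(const char *path, int append) {
    int flags = O_WRONLY | O_CREAT | (append ? O_APPEND : O_TRUNC);
    return open(path, flags, 0666);
}

/* Attacker side: claim the predictable name before the privileged tool does. */
int attacker_precreate(const char *path) {
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0644);
    if (fd < 0) return -1;
    close(fd);
    return 0;
}

/* Attacker side: the file is still theirs after the truncating write, so they
 * can append a line that a later privileged `sh` of the script would run. */
int attacker_append(const char *path, const char *line) {
    int fd = open_like_redirect(path, 1);
    if (fd < 0) return -1;
    ssize_t w = write(fd, line, strlen(line));
    close(fd);
    return w == (ssize_t)strlen(line) ? 0 : -1;
}

/* Victim side, unsafe: what the logged `echo "..." > /tmp/centrify.cmd.0` does. */
int victim_write_unsafe(const char *path, const char *line) {
    int fd = open_like_redirect(path, 0);
    if (fd < 0) return -1;
    ssize_t w = write(fd, line, strlen(line));
    close(fd);
    return w == (ssize_t)strlen(line) ? 0 : -1;
}

/* Victim side, safe: O_EXCL refuses a pre-existing path. Returns errno on
 * failure (EEXIST expected), 0 on success. mkstemp() gives the same guarantee
 * plus an unpredictable name. */
int victim_create_safe(const char *path) {
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) return errno;
    close(fd);
    return 0;
}

/* Unique scratch name so the demo never touches the real /tmp/centrify.cmd.0. */
static int scratch_path(char *buf, size_t n) {
    const char tmpl[] = "/tmp/centrify_demo.XXXXXX";
    if (n < sizeof tmpl) return -1;
    strcpy(buf, tmpl);
    int fd = mkstemp(buf);
    if (fd < 0) return -1;
    close(fd);
    unlink(buf);                         /* only the name is needed */
    return 0;
}

/* Replays the sequence: attacker creates, victim truncates and writes,
 * attacker appends. Returns 1 if the attacker's line is in the final script. */
int demo_race(void) {
    char path[64], buf[256];
    int ok = 0;
    if (scratch_path(path, sizeof path) < 0) return -1;
    if (attacker_precreate(path) == 0 &&
        victim_write_unsafe(path, "echo 8c8ac888-342b-461f-a0ab-659251f3d602\n") == 0 &&
        attacker_append(path, "echo attacker-controlled line\n") == 0) {
        int fd = open(path, O_RDONLY);
        if (fd >= 0) {
            ssize_t r = read(fd, buf, sizeof buf - 1);
            close(fd);
            if (r > 0) { buf[r] = '\0'; ok = strstr(buf, "attacker-controlled") != NULL; }
        }
    }
    unlink(path);
    return ok;
}

/* Same pre-creation, but the victim opens with O_EXCL. Returns 1 if refused. */
int demo_safe(void) {
    char path[64];
    if (scratch_path(path, sizeof path) < 0) return -1;
    int refused = attacker_precreate(path) == 0 && victim_create_safe(path) == EEXIST;
    unlink(path);
    return refused;
}

int main(void) {
    printf("unsafe redirect, attacker line present: %d\n", demo_race());
    printf("O_EXCL open refused on pre-created file: %d\n", demo_safe());
    return 0;
}
```

In the real scenario the truncating write is done by root and the script is then run by root, which is why ownership surviving the `>` matters: the attacker keeps write access to a file root is about to execute. The fix on the writer's side is O_EXCL on a fresh name (mkstemp), not a different directory.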

Novell GroupWise Multiple Remote Code Execution Vulnerabilities

5722D4D0   8B49 30     MOV ECX,DWORD PTR DS:[ECX+30]
5722D4D3   8B00        MOV EAX,DWORD PTR DS:[EAX]
5722D4D5   51          PUSH ECX
5722D4D6   FF10        CALL DWORD PTR DS:[EAX]

After entering into this function, and since the EAX register is completely under the attacker control, it is possible to supply another custom pointer that will be executed after the code reaches the CALL DWORD PTR DS:[EAX] instruction:


0C0C0C0C   0C 0C       OR AL,0C
0C0C0C0E   0C 0C       OR AL,0C
0C0C0C10   0300        ADD EAX,DWORD PTR DS:[EAX]

[ MDVSA-2010:087 ] poppler

 The JBIG2 decoder in Xpdf 3.02pl2 and earlier allows remote attackers
 to cause a denial of service (crash) via a crafted PDF file that
 triggers a free of uninitialized memory (CVE-2009-0166).
 
 Heap-based buffer overflow in Xpdf 3.02pl2 and earlier, CUPS 1.3.9,
 and probably other products, allows remote attackers to execute
 arbitrary code via a PDF file with crafted JBIG2 symbol dictionary
 segments (CVE-2009-0195).
 
 The JBIG2 decoder in Xpdf 3.02pl2 and earlier allows remote attackers
 to cause a denial of service (crash) via a crafted PDF file that

Advisory 03/2009: Piwik Cookie unserialize() Vulnerability

  Application: Piwik <= 0.4.5
     Severity: Piwik unserializes() user input which allows an attacker
               to send a carefully crafted cookie that when unserialized
               utilizes Piwik's classes to upload arbitrary files or
               execute arbitrary PHP code
         Risk: Critical
Vendor Status: Piwik 0.5.0 was released which fixes this vulnerability
    Reference:
http://www.sektioneins.com/en/advisories/advisory-032009-piwik-cookie-unserialize-vulnerability/


[SECURITY] [DSA 1830-1] New icedove packages fix several vulnerabilities

function, (2) pCAL chunk handling, or (3) setup of 16-bit gamma tables.
(MFSA 2009-10)

CVE-2009-0352

It is possible to execute arbitrary code via vectors related to the
layout engine. (MFSA 2009-01)

CVE-2009-0353

It is possible to execute arbitrary code via vectors related to the

[USN-710-1] xine-lib vulnerabilities

Ubuntu 6.06 LTS, 7.10, and 8.04 LTS. (CVE-2008-3231)

It was discovered that the MNG, MOD, and Real demuxers in xine-lib did not
correctly handle memory allocation failures. If a user or automated system were
tricked into opening a specially crafted MNG, MOD, or Real file, an attacker
could crash xine-lib or possibly execute arbitrary code with the privileges of
the user invoking the program. This issue only applied to Ubuntu 6.06 LTS, 7.10,
and 8.04 LTS. (CVE-2008-5233)

It was discovered that the QT demuxer in xine-lib did not correctly handle
an invalid metadata atom size, resulting in a heap-based buffer overflow. If a

RE: CORE-2007-0817: Remote Command execution, HTML and JavaScript injection vulnerabilities in AOL's Instant Messaging software

AOL LLC Vendor Statement;

Overview
AOL has become aware of security vulnerabilities in several AIM instant
messaging clients. Successful exploitation of these vulnerabilities could
allow an attacker to execute arbitrary commands on a user's workstation.
AOL has deployed host side filtering on the AIM servers to block this
potentially malicious content from being sent to AIM clients.

Affected Products and Applications
* AIM 6.1


Copyright © 1995-2013 LinuxRocket.net. All rights reserved.