Next Page >>
privileges
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Cisco Security Advisory:
Local Privilege Escalation Vulnerabilities in Cisco VPN Client
Advisory ID: cisco-sa-20070815-vpnclient
http://www.cisco.com/warp/public/707/cisco-sa-20070815-vpnclient.shtml
---[ Vulnerability description ]
Positive Research Center has discovered multiple XSS vulnerabilties in Kayako Support Suite.
Application insufficiently verifies subscriberdata incoming parameter in /staff/index.php?_m=news&_a=importexport script.
An attacker with "staff" privileges can use the vulnerabilty to inject and execute arbitrary HTML code and scripts in a user's browser within the trust relationship between the browser and the server.
To use the vulnerability an attacker should convince a user with "staff" privileges to open URL like:
http://example.com/support/staff/index.php?_m=news&_a=managesubscribers&importsub=1&resultdata=YTo0OntzOjEzOiJzdWNjZXNzZW1haWxzIjtpOjA7czoxMjoiZmFpbGVkZW1haWxzIjtpOjE7czoxMToidG90YWxlbWFpbHMiO2k6MTtzOjk6ImVtYWlsbGlzdCI7czo5MDoiPHNjcmlwdD5hbGVydCgneHNzJyk8L3NjcmlwdD5APHNjcmlwdD5hbGVydCgneHNzJyk8L3NjcmlwdD4uPHNjcmlwdD5hbGVydCgneHNzJyk8L3NjcmlwdD4gIjt9
Application insufficiently verifies subject incoming parameter in /staff/index.php?_m=news&_a=insertnews script.
An attacker with "staff" privileges can use the vulnerabilty to inject and execute arbitrary HTML code and scripts in a user's browser within the trust relationship between the browser and the server.
An attacker should trick a user with "staff" privileges to open URL like:
updated since 2007, pre-release exists) or older
Platform: Windows XP and later
Components affected: Device drivers in both applications
Remote: No
Local: Yes
Vulnerability type: DoS, Privilege Escalation
VENDOR SOFTWARE DESCRIPTION:
---------------
=======
Cisco Unity Connection contains two vulnerabilities:
* Cisco Unity Connection Privilege Escalation Vulnerability
* Cisco Unity Connection Denial of Service Vulnerability
Exploitation of the Cisco Unity Connection Privilege Escalation
Vulnerability may allow an authenticated, remote attacker to elevate
privileges and obtain full access to the affected system.
Hash: SHA1
Core Security Technologies - CoreLabs Advisory
http://www.coresecurity.com/corelabs/
WordPress Privileges Unchecked in admin.php and Multiple Information
Disclosures
1. *Advisory Information*
write-only files, leading to a loss of privacy. (CVE-2010-2226)
Gael Delalleu, Rafal Wojtczuk, and Brad Spengler discovered that the memory
manager did not properly handle when applications grow stacks into adjacent
memory regions. A local attacker could exploit this to gain control of
certain applications, potentially leading to privilege escalation, as
demonstrated in attacks against the X server. (CVE-2010-2240)
Suresh Jayaraman discovered that CIFS did not correctly validate certain
response packats. A remote attacker could send specially crafted traffic
that would crash the system, leading to a denial of service.
write-only files, leading to a loss of privacy. (CVE-2010-2226)
Gael Delalleu, Rafal Wojtczuk, and Brad Spengler discovered that the memory
manager did not properly handle when applications grow stacks into adjacent
memory regions. A local attacker could exploit this to gain control of
certain applications, potentially leading to privilege escalation, as
demonstrated in attacks against the X server. (CVE-2010-2240)
Suresh Jayaraman discovered that CIFS did not correctly validate certain
response packats. A remote attacker could send specially crafted traffic
that would crash the system, leading to a denial of service.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Cisco Security Advisory: Cisco Unified Communications Manager IP
Phone Personal Address Book Synchronizer Privilege Escalation
Vulnerability
Advisory ID: cisco-sa-20090311-cucmpab
Revision 1.0
Essentially the paper details a way in which the attacker can manipulate the
environment to trick an Oracle database into using arbitrary SQL in DATE
functions and data.
A number of people at the time dismissed it as irrelevant because the
attacker required the ALTER SESSIOn privilege. Well, as it turns out, you
don't need the ALTER SESSION privilege at all. Here's why: there are certain
ALTER SESSION statements that can be executed even though the user doesn't
have the ALTER SESSION privilege. The statements that can be executed
without the privilege include those that relate to National Language
Support. Thus a user without ALTER SESSION privileges can change the date
The Cisco Wireless LAN Controller (WLC) product family is affected by
these vulnerabilities:
* Two denial of service (DoS) vulnerabilities
* Three privilege escalation vulnerabilities
* Two access control list (ACL) bypass vulnerabilities
Note: These vulnerabilities are independent of one another. A device
may be affected by one vulnerability and not affected by another.
Al Viro discovered a race condition in the TTY driver. A local attacker
could exploit this to crash the system, leading to a denial of service.
(CVE-2009-4895)
Gleb Napatov discovered that KVM did not correctly check certain privileged
operations. A local attacker with access to a guest kernel could exploit
this to crash the host system, leading to a denial of service.
(CVE-2010-0435)
Dan Rosenberg discovered that the MOVE_EXT ext4 ioctl did not correctly
read or write disk blocks that had changed file assignment or had become
unlinked, leading to a loss of privacy. (CVE-2010-2943)
Tavis Ormandy discovered that the IRDA subsystem did not correctly shut
down. A local attacker could exploit this to cause the system to crash
or possibly gain root privileges. (Ubuntu 10.10 was not affected.)
(CVE-2010-2954)
Brad Spengler discovered that the wireless extensions did not correctly
validate certain request sizes. A local attacker could exploit this
to read portions of kernel memory, leading to a loss of privacy. (Only
1.Vulnerability information
---------------------------
Impact: An unauthenticated remote attacker without any kind of
credentials can access the SMB service under the credentials of an
authorized user. Depending on the privileges of the authorized user, and
the configuration of the remote system, an attacker can gain read/write
access to the remote file system and execute arbitrary code by using
DCE/RPC over SMB.
Remotely Exploitable: Yes
Bugtraq Id: <unknown>
------------------------------------------------------------------------
PulseAudio local race condition privilege escalation vulnerability
------------------------------------------------------------------------
Yorick Koster, June 2009
------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
The PulseAudio binary is affected by a local race condition. If the
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
The DBA role in Oracle Database is not the same as SYSDBA privilege,
which is granted to SYS. There are many things that a user granted the
DBA role can't do - the most important being the ability to alter SYS
owned objects. This is true on databases where
O7_DICTIONARY_ACCESSIBILITY=FALSE (default value).
This vulnerability allows any user with execute privileges on the
http://www.debian.org/security/ dann frazier
May 24, 2011 http://www.debian.org/security/faq
- ----------------------------------------------------------------------
Package : linux-2.6
Vulnerability : privilege escalation/denial of service/information leak
Problem type : local/remote
Debian-specific: no
CVE Id(s) : CVE-2010-3875 CVE-2011-0695 CVE-2011-0711 CVE-2011-0726
CVE-2011-1016 CVE-2011-1078 CVE-2011-1079 CVE-2011-1080
CVE-2011-1090 CVE-2011-1160 CVE-2011-1163 CVE-2011-1170
Summary
=======
Cisco Unified IP Phones 7900 Series devices, also known as TNP
phones, are affected by three vulnerabilities that could allow an
attacker to elevate privileges, change phone configurations, disclose
sensitive information, or load unsigned software. These three
vulnerabilities are classified as two privilege escalation
vulnerabilities and one signature bypass vulnerability.
Cisco has released free software updates that address these
The Cisco AnyConnect Secure Mobility Client, previously known as the
Cisco AnyConnect VPN Client, is affected by the following
vulnerabilities:
* Arbitrary Program Execution Vulnerability
* Local Privilege Escalation Vulnerability
Cisco has released free software updates that address these
vulnerabilities. There are no workarounds for the vulnerabilities
described in this advisory.
(CVE-2008-5012)
It was discovered that Firefox did not properly check if the Flash
module was properly unloaded. By tricking a user into opening a crafted
SWF file, an attacker could cause Firefox to crash and possibly execute
arbitrary code with user privileges. This issue only affects Firefox 2.
(CVE-2008-5013)
Jesse Ruderman discovered that Firefox did not properly guard locks on
non-native objects. If a user were tricked into opening a malicious
website, an attacker could cause a browser crash and possibly execute
Numerous System Management Mode (SMM) privilege escalation
vulnerabilities in ASUS motherboards including Eee PC series
Release Date:
~~~~~~~~~~~~~
07.08.09
Timeline:
SUMMARY
=======
Hannon Hill's Cascade Server product is vulnerable to a command
execution vulnerability. An attacker with access to an unprivileged
account within Cascade Server could exploit this vulnerability to run
arbitrary commands on the system with the privileges of the user who
started Cascade Server.
AFFECTED SOFTWARE
===============================================================================
1. SQL Injection in "moderation.php" action "do_mergeposts"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Precondition: attacker must have moderator privileges in target MyBB
installation, including "canmanagethreads".
From source code of "moderation.php" line ~438:
-------------------------------------------------------------------------------
Contact info: ealvarez at activesec biz
Developer response: None. No response to mail, forum inactive and
bugtracker operating intermitently.
Privilege escalation in bytehoard 2.1
Background
Bytehoard is a web application written in PHP that serves as a file
storage and sharing system.
In whose universe? Did you even read the post? Local admins become LOCAL ADMINS by using a cached domain account who is a LOCAL ADMIN. You have to do it with the network cable unplugged. There is no privilege escalation here.
StenoPlasma's intent was to educate people on how things worked, and while there isn't a security issue here, he was completely correct in that you guys really need to learn what you are talking about.
t
>-----Original Message-----
>From: full-disclosure-bounces@lists.grok.org.uk [mailto:full-disclosure-
>bounces@lists.grok.org.uk] On Behalf Of jcoyle@winwholesale.com
>Sent: Friday, December 10, 2010 11:45 AM
>Sent: Monday, December 13, 2010 9:12 AM
>To: Thor (Hammer of God)
>Cc: George Carlson; bugtraq@securityfocus.com; full-
>disclosure@lists.grok.org.uk
>Subject: Re: [Full-disclosure] Flaw in Microsoft Domain Account Caching Allows
>Local Workstation Admins to Temporarily Escalate Privileges and Login as
>Cached Domain Admin Accounts (2010-M$-002)
>
>I hope I'm not just feeding the troll...
No, you are perpetuating inaccurate vulnerability claims.
1. StenoPlasma claims that a local admin can access and reuse the cached
credentials of other users.
2. Stefan, Thor, et al yawn.
3. Joyce, Andrea, and perhaps others seem to be conflating local access
(what StenoPlasma was talking about) with gaining domain admin privileges on
domain controllers and other resources on separate machines (which nobody
appears to have shown is possible using locally cached credentials).
If I've missed something obvious please educate me.
>
> 1. StenoPlasma claims that a local admin can access and reuse the cached
> credentials of other users.
> 2. Stefan, Thor, et al yawn.
> 3. Joyce, Andrea, and perhaps others seem to be conflating local access
> (what StenoPlasma was talking about) with gaining domain admin privileges on
> domain controllers and other resources on separate machines (which nobody
> appears to have shown is possible using locally cached credentials).
>
> If I've missed something obvious please educate me.
>
Advisory: SugarCRM list privilege restriction bypass
RedTeam Pentesting discovered a vulnerability in SugarCRM that allows
logged in users to bypass restrictions of their list privilege, allowing
to list all entries.
Details
=======
http://www.debian.org/security/ dann frazier
June 18, 2011 http://www.debian.org/security/faq
- -------------------------------------------------------------------------
Package : linux-2.6
Vulnerability : privilege escalation/denial of service/information leak
Problem type : local/remote
Debian-specific: no
CVE Id(s) : CVE-2010-2524 CVE-2010-3875 CVE-2010-4075 CVE-2010-4655
CVE-2011-0695 CVE-2011-0710 CVE-2011-0711 CVE-2011-0726
CVE-2011-1010 CVE-2011-1012 CVE-2011-1017 CVE-2011-1078
Details follow:
Alin Rad Pop discovered a heap-based buffer overflow in Firefox when it
converted strings to floating point numbers. If a user were tricked into
viewing a malicious website, a remote attacker could cause a denial of service
or possibly execute arbitrary code with the privileges of the user invoking the
program. (CVE-2009-1563)
Jeremy Brown discovered that the Firefox Download Manager was vulnerable to
symlink attacks. A local attacker could exploit this to create or overwrite
files with the privileges of the user invoking the program. (CVE-2009-3274)
Next Page>>
|
