
Exploit

EXPLOIT DATABASE

PACKETSTORM DATABASE

  • 18 February 2019: Red Hat Security Advisory 2019-0367-01 - Files ≈ Packet Storm
    Red Hat Security Advisory 2019-0367-01 - Red Hat JBoss Core Services is a set of supplementary software for Red Hat JBoss middleware products. This software, such as Apache HTTP Server, is common to multiple JBoss middleware products, and is packaged under Red Hat JBoss Core Services to allow for faster distribution of updates, and for a more consistent update experience. This release of Red Hat JBoss Core Services Apache HTTP Server 2.4.29 Service Pack 1 serves as an update to Red Hat JBoss Core Services Apache HTTP Server 2.4.29, and includes bug fixes for CVEs which are linked to in the References section. Issues addressed include bypass, denial of service, null pointer, out of bounds write, traversal, and use-after-free vulnerabilities.
  • 18 February 2019: Ubuntu Security Notice USN-3891-1 - Files ≈ Packet Storm
    Ubuntu Security Notice 3891-1 - It was discovered that systemd incorrectly handled certain D-Bus messages. A local unprivileged attacker could exploit this in order to crash the init process, resulting in a system denial-of-service.
  • 18 February 2019: Ubuntu Security Notice USN-3850-2 - Files ≈ Packet Storm
    Ubuntu Security Notice 3850-2 - USN-3850-1 fixed several vulnerabilities in NSS. This update provides the corresponding update for Ubuntu 12.04 ESM. Keegan Ryan discovered that NSS incorrectly handled ECDSA key generation. A local attacker could possibly use this issue to perform a cache-timing attack and recover private ECDSA keys. Various other issues were also addressed.
  • 18 February 2019: Red Hat Security Advisory 2019-0365-01 - Files ≈ Packet Storm
    Red Hat Security Advisory 2019-0365-01 - Red Hat JBoss Enterprise Application Platform is a platform for Java applications based on the JBoss Application Server. This release of Red Hat JBoss Enterprise Application Platform 7.1.6 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.1.5, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References. Issues addressed include a cross site scripting vulnerability.
  • 18 February 2019: Red Hat Security Advisory 2019-0361-01 - Files ≈ Packet Storm
    Red Hat Security Advisory 2019-0361-01 - The RHV-M Virtual Appliance automates the process of installing and configuring the Red Hat Virtualization Manager. The appliance is available to download as an OVA file from the Customer Portal. Issues addressed include stack overflow vulnerabilities.
  • 18 February 2019: Oracle Java Runtime Environment TTF Font Heap Out-Of-Bounds Read - Files ≈ Packet Storm
    A heap-based out-of-bounds read was observed in Oracle Java Runtime Environment version 8u202 while fuzz-testing the processing of TrueType fonts rendering in AlternateSubstitutionSubtable::process.
  • 18 February 2019: Oracle Java Runtime Environment TTF Font Heap Out-Of-Bounds Read - Files ≈ Packet Storm
    A heap-based out-of-bounds read was observed in Oracle Java Runtime Environment version 8u202 while fuzz-testing the processing of TrueType fonts rendering in ExtractBitMap_blocClass.
  • 18 February 2019: Oracle Java Runtime Environment TTF Font Heap Out-Of-Bounds Read - Files ≈ Packet Storm
    A heap-based out-of-bounds read was observed in Oracle Java Runtime Environment version 8u202 while fuzz-testing the processing of TrueType fonts rendering in OpenTypeLayoutEngine::adjustGlyphPositions.
  • 18 February 2019: Oracle Java Runtime Environment OpenType Font Heap Out-Of-Bounds Read - Files ≈ Packet Storm
    A heap-based out-of-bounds read was observed in Oracle Java Runtime Environment version 8u202 while fuzz-testing the processing of OpenType fonts.
  • 18 February 2019: HTMLy 2.7.4 Cross Site Scripting - Files ≈ Packet Storm
    HTMLy version 2.7.4 suffers from multiple cross site scripting vulnerabilities.
  • 18 February 2019: Comodo Dome Firewall 2.7.0 Cross Site Scripting - Files ≈ Packet Storm
    Comodo Dome Firewall version 2.7.0 suffers from multiple cross site scripting vulnerabilities.
  • 18 February 2019: macOS TCP/4444 Bind Shell Null Free Shellcode - Files ≈ Packet Storm
    123 bytes small macOS TCP/4444 /bin/sh binding null free shellcode.
  • 18 February 2019: Debian Security Advisory 4388-2 - Files ≈ Packet Storm
    Debian Linux Security Advisory 4388-2 - Kushal Kumaran reported that the update for mosquitto issued as DSA 4388-1 causes mosquitto to crash when reloading the persistent database. Updated packages are now available to correct this issue.
  • 18 February 2019: Master IP CAM 01 3.3.4.2103 Remote Command Execution - Files ≈ Packet Storm
    Master IP CAM 01 version 3.3.4.2103 suffers from a remote command execution vulnerability.
  • 18 February 2019: ArangoDB Community Edition 3.4.2-1 Cross Site Scripting - Files ≈ Packet Storm
    ArangoDB Community Edition version 3.4.2-1 suffers from a cross site scripting vulnerability.

CERT VULNERABILITY DATABASE

  • Mon, 18 Feb 2019 14:34:54 +0000: VU#730261: Marvell Avastar wireless SoCs have multiple vulnerabilities - CERT Recently Published Vulnerability Notes
    A presentation at the ZeroNights 2018 conference describes multiple security issues with Marvell Avastar SoCs (models 88W8787, 88W8797, 88W8801, 88W8897, and 88W8997). The presentation provides some detail about a block pool memory overflow. During Wi-Fi network scans, an overflow condition can be triggered, overwriting certain block pool data structures. Because many devices conduct automatic background network scans, this vulnerability could be exploited regardless of whether the target is connected to a Wi-Fi network and without user interaction.
  • Wed, 06 Feb 2019 05:11:04 +0000: VU#465632: Microsoft Exchange 2013 and newer are vulnerable to NTLM relay attacks - CERT Recently Published Vulnerability Notes
    Microsoft Exchange supports an API called Exchange Web Services (EWS). One of the EWS API functions is called PushSubscriptionRequest, which can be used to cause the Exchange server to connect to an arbitrary website. Connections made using the PushSubscriptionRequest function will attempt to negotiate with the arbitrary web server using NTLM authentication. Starting with Microsoft Exchange 2013, the NTLM authentication over HTTP fails to set the NTLM Sign and Seal flags. The lack of signing makes this authentication attempt vulnerable to NTLM relay attacks. Microsoft Exchange is by default configured with extensive privileges with respect to the Domain object in Active Directory. Because the Exchange Windows Permissions group has WriteDacl access to the Domain object, the Exchange server privileges obtained using this vulnerability can be used to gain Domain Admin privileges for the domain that contains the vulnerable Exchange server.
  • Mon, 04 Feb 2019 19:46:49 +0000: VU#395981: Self-encrypting hard drives do not adequately protect data - CERT Recently Published Vulnerability Notes
    CVE-2018-12037: There is no cryptographic relation between the password provided by the end user and the key used for the encryption of user data. This can allow an attacker to access the key without knowing the password provided by the end user, allowing the attacker to decrypt information encrypted with that key. According to National Cyber Security Centre - The Netherlands (NCSC-NL), the following products are affected by CVE-2018-12037: Crucial (Micron) MX100, MX200 and MX300 drives; Samsung T3 and T5 portable drives; Samsung 840 EVO and 850 EVO drives (in "ATA high" mode these devices are vulnerable; in "TCG" or "ATA max" mode these devices are NOT vulnerable). CVE-2018-12038: Key information is stored within a wear-leveled storage chip. Wear-leveling does not guarantee that an old copy of updated data is fully removed. If the updated data is written to a new segment, old versions of data may exist in the previous segment for some time after it has been updated (until that previous segment is overwritten). This means that if a key is updated with a new password, the previous version of the key (either unprotected, or protected with an old password) could be accessible, negating the need to know the updated password. According to NCSC-NL, the following products are affected by CVE-2018-12038: Samsung 840 EVO drives. Other products were not reported to have been tested, and similar vulnerabilities may be found in those products.
  • Mon, 28 Jan 2019 17:04:10 +0000: VU#756913: Pixar Tractor contains a stored cross-site scripting vulnerability - CERT Recently Published Vulnerability Notes
    Pixar's Tractor software, versions 2.2 and earlier, contains a stored cross-site scripting vulnerability (CWE-79) in the field that allows a user to add a note to an existing node. The stored information is displayed when a user requests information about the node. An attacker could insert JavaScript into this note field that is then saved and displayed to the end user.
  • Tue, 15 Jan 2019 16:31:36 +0000: VU#741315: Dokan file system driver contains a stack-based buffer overflow - CERT Recently Published Vulnerability Notes
    CWE-121: Stack-based Buffer Overflow - CVE-2018-5410. Dokan, versions between 1.0.0.5000 and 1.2.0.1000, is vulnerable to a stack-based buffer overflow in the dokan1.sys driver. An attacker can create a device handle to the system driver and send arbitrary input that will trigger the vulnerability. This vulnerability was introduced in the 1.0.0.5000 version update.
  • Mon, 07 Jan 2019 19:17:29 +0000: VU#317277: Texas Instruments CC2640 and CC2650 microcontrollers vulnerable to heap overflow and insecure update - CERT Recently Published Vulnerability Notes
    CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer - CVE-2018-16986 (also known as BLEEDINGBIT). The following Texas Instruments chips are affected: CC2640 (non-R2) with BLE-STACK version 2.2.1 or an earlier version; CC2650 with BLE-STACK version 2.2.1 or an earlier version; CC2640R2F with SimpleLink CC2640R2 SDK version 1.00.00.22 (BLE-STACK 3.0.0); CC1350 with SimpleLink CC13x0 SDK version 2.20.00.38 (BLE-STACK 2.3.3) or an earlier version. The above Texas Instruments controllers contain BLE-Stacks with a memory corruption vulnerability resulting from the mishandling of BLE advertising packets. The function llGetAdvChanPDU, which is part of the embedded ROM image in both chips, handles the incoming advertising packets and parses their headers. It copies the contents to a separate buffer provided by the calling function. An incorrect packet length is taken, so packets end up being parsed as larger than originally intended. If the incoming data is over a certain length, the function will call the halAssertHandler function, as defined by the application running on top of the stack, and not stop execution. Since the flow of execution does not stop, it will copy the overly large packet to the buffer and cause a heap overflow. CVE-2018-7080 (also known as BLEEDINGBIT): The following Texas Instruments devices are affected if the Over the Air firmware Download (OAD) feature is enabled and not sufficiently secured: CC2642R, CC2640R2, CC2640, CC2650, CC2540, CC2541. Certain Aruba access points are affected. The OAD feature allows for remote firmware updates of some BLE chips. An attacker could connect to a BLE chip on a vulnerable access point (either without authentication or by obtaining the password through other means, depending on the implementation) and upload their own malicious firmware, which could give them complete control over the access point.
  • Fri, 04 Jan 2019 18:01:12 +0000: VU#531281: Microsoft Windows DNS servers are vulnerable to heap overflow - CERT Recently Published Vulnerability Notes
    CWE-122: Heap-based Buffer Overflow - CVE-2018-8626. Microsoft Windows Domain Name System (DNS) servers are vulnerable to heap overflow attacks. Microsoft acknowledges that "an attacker who successfully exploited the vulnerability could run arbitrary code in the context of the Local System Account." This remote code execution vulnerability exists in Windows DNS servers when they fail to properly handle requests.
  • Fri, 04 Jan 2019 16:11:36 +0000: VU#289907: Microsoft Windows Kernel Transaction Manager (KTM) is vulnerable to a race condition - CERT Recently Published Vulnerability Notes
    CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') - CVE-2018-8611. According to Microsoft, the Windows kernel fails "to properly handle objects in memory". A successful attacker could run arbitrary code in kernel mode, and then "install programs; view, change, or delete data; or create new accounts with full user rights."
  • Fri, 21 Dec 2018 14:26:08 +0000: VU#573168: Microsoft Internet Explorer scripting engine JScript memory corruption vulnerability - CERT Recently Published Vulnerability Notes
    Microsoft Internet Explorer contains a scripting engine, which handles execution of scripting languages such as VBScript and JScript. The scripting engine JScript component contains an unspecified memory corruption vulnerability. Any application that supports embedding Internet Explorer or its scripting engine component may be used as an attack vector for this vulnerability. This vulnerability was detected in exploits in the wild.
  • Thu, 20 Dec 2018 21:11:11 +0000: VU#228297: Microsoft Windows MsiAdvertiseProduct function vulnerable to privilege escalation via race condition - CERT Recently Published Vulnerability Notes
    The Microsoft Windows MsiAdvertiseProduct function allows a Windows Installer product to generate a script to advertise a product to Windows, which handles shortcut and registry information associated with an installed application. The MsiAdvertiseProduct function contains a race condition while performing checks, which can allow an attacker to read an arbitrary file that would otherwise be protected by filesystem ACLs. Exploit code for this vulnerability is publicly available.
  • Thu, 08 Nov 2018 18:58:48 +0000: VU#581311: TP-Link EAP Controller lacks RMI authentication and is vulnerable to deserialization attacks - CERT Recently Published Vulnerability Notes
    CWE-306: Missing Authentication for Critical Function - CVE-2018-5393. EAP Controller for Linux utilizes a Java remote method invocation (RMI) service for remote control. The RMI interface does not require any authentication before use. Remote attackers can implement deserialization attacks through the RMI protocol. Successful attacks may allow a remote attacker to remotely control the target server and execute Java functions or bytecode. CWE-502: Deserialization of Untrusted Data - CVE-2015-6420. EAP Controller for Linux bundles a vulnerable version of Apache commons-collections v3.2.1 with the software, which appears to be the root cause of the vulnerability. Therefore, EAP Controller v2.5.3 and earlier are vulnerable to CVE-2015-6420 as documented in VU#576313. EAP Controller v2.5.3 and earlier for Linux are affected by both vulnerabilities.
  • Mon, 05 Nov 2018 19:20:42 +0000: VU#339704: Cisco ASA and FTD SIP Inspection denial-of-service vulnerability - CERT Recently Published Vulnerability Notes
    Cisco Adaptive Security Appliance (ASA) software and Cisco Firepower Threat Defense (FTD) software fail to properly parse SIP traffic, which can allow an attacker to trigger high CPU usage, resulting in a denial-of-service condition on affected devices. This vulnerability is exposed if SIP Inspection is enabled on affected devices, which is the default configuration on ASA devices. The Cisco SIP Inspection feature is advertised to "... enforce the sanity of the SIP messages, as well as detect SIP-based attacks."
  • Tue, 23 Oct 2018 17:34:21 +0000: VU#598349: Automatic DNS registration and proxy autodiscovery allow spoofing of network services - CERT Recently Published Vulnerability Notes
    The Web Proxy Automatic Discovery (WPAD) protocol is used to automatically provide proxy configuration information to devices on a network. Clients issue a special DHCP request to obtain the information for the proxy configuration, but will fall back on a DNS request to one of several standardized URLs making use of the subdomain name "wpad" if a DHCP response is unavailable. An attacker with local area network (LAN) access may be able to add a device with the name "wpad" to the network, which may produce a collision with a standardized WPAD DNS name. Many customer premise home/office routers (including, but not limited to, Google Wifi and Ubiquiti UniFi) automatically register device names as DNS A records on the LAN, which may allow an attacker to utilize a specially named and configured device to act as a WPAD proxy configuration server. The attacker-served proxy configuration can result in the loss of confidentiality and integrity of any network activity by any device that utilizes WPAD. Other autodiscovery names such as ISATAP may also be exploitable.
  • Tue, 16 Oct 2018 18:51:35 +0000: VU#176301: Auto-Maskin DCU 210E RP 210E and Marine Pro Observer App - CERT Recently Published Vulnerability Notes
    CWE-798: Use of Hard-Coded Credentials - CVE-2018-5399. The DCU 210E firmware contains an undocumented Dropbear SSH server with a hardcoded username and password. The password is easily susceptible to cracking. CWE-346: Origin Validation Error - CVE-2018-5400. The Auto-Maskin products utilize an undocumented custom protocol to set up Modbus communications with other devices without validating those devices. CWE-319: Cleartext Transmission of Sensitive Information - CVE-2018-5401. The devices transmit process control information via unencrypted Modbus communications. CWE-319: Cleartext Transmission of Sensitive Information - CVE-2018-5402. The embedded webserver uses unencrypted plaintext for the transmission of the administrator PIN.
  • Thu, 13 Sep 2018 13:05:47 +0000: VU#906424: Microsoft Windows task scheduler contains a local privilege escalation vulnerability in the ALPC interface - CERT Recently Published Vulnerability Notes
    The Microsoft Windows task scheduler SchRpcSetSecurity API contains a vulnerability in the handling of ALPC, which can allow an authenticated user to overwrite the contents of a file that should be protected by filesystem ACLs. This can be leveraged to gain SYSTEM privileges. We have confirmed that the public exploit code works on 64-bit Windows 10 and Windows Server 2016 systems. We have also confirmed compatibility with 32-bit Windows 10 with minor modifications to the public exploit code. Compatibility with other Windows versions is possible with further modifications. This vulnerability is being exploited in the wild.

SECURITYFOCUS DATABASE