Packet Storm – Information Security Services, News, Files, Tools, Exploits, Advisories and Whitepapers
TP-Link Cloud Cameras NCXXX Bonjour Command Injection
18 September 2020, 5:11 pmTP-Link cloud cameras NCXXX series (NC200, NC210, NC220, NC230, NC250, NC260, NC450) are vulnerable to an authenticated command injection vulnerability. In all devices except NC210, despite a check on the name length in swSystemSetProductAliasCheck, no other checks are in place in order to prevent shell metacharacters from being introduced. The system name would then be used in swBonjourStartHTTP as part of a shell command where arbitrary commands could be injected and executed as root. NC210 devices cannot be exploited directly via /setsysname.cgi due to proper input validation. NC210 devices are still vulnerable since swBonjourStartHTTP did not perform any validation when reading the alias name from the configuration file. The configuration file can be written, and code execution can be achieved by combining this issue with CVE-2020-12110.
Navy Federal Cross Site Scripting
18 September 2020, 5:09 pmThe Navy Federal site at navyfederal.org suffered from a cross site scripting vulnerability.
Mantis Bug Tracker 2.3.0 Remote Code Execution
18 September 2020, 5:07 pmMantis Bug Tracker version 2.3.0 suffers from a remote code execution vulnerability.
SpamTitan 7.07 Remote Code Execution
18 September 2020, 5:05 pmSpamTitan version 7.07 suffers from an authenticated remote code execution vulnerability.
D-Link DGS-1210-28 Denial Of Service
18 September 2020, 2:22 amD-Link DGS-1210-28 suffers from a denial of service vulnerability.
Microsoft Spooler Local Privilege Elevation
17 September 2020, 9:32 pmThis exploit leverages a file write vulnerability in the print spooler service which will restart if stopped. Because the service cannot be stopped long enough to remove the dll, there is no way to remove the dll once it is loaded by the service. Essentially, on default settings, this module adds a permanent elevated backdoor.
Microsoft SQL Server Reporting Services 2016 Remote Code Execution
17 September 2020, 9:26 pmMicrosoft SQL Server Reporting Services 2016 suffers from a remote code execution vulnerability.
Microsoft Exchange Server DlpUtils AddTenantDlpPolicy Remote Code Execution
17 September 2020, 2:11 pmThis vulnerability allows remote attackers to execute arbitrary code on affected installations of Exchange Server. Authentication is required to exploit this vulnerability. Additionally, the target user must have the “Data Loss Prevention” role assigned and an active mailbox. If the user is in the “Compliance Management” or greater “Organization Management” role groups, then they have the “Data Loss Prevention” role. Since the user who installed Exchange is in the “Organization Management” role group, they transitively have the “Data Loss Prevention” role. The specific flaw exists within the processing of the New-DlpPolicy cmdlet. The issue results from the lack of proper validation of user-supplied template data when creating a DLP policy. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Tested against Exchange Server 2016 CU14 on Windows Server 2016.
Mida Solutions eFramework ajaxreq.php Command Injection
16 September 2020, 3:37 pmThis Metasploit module exploits a command injection vulnerability in Mida Solutions eFramework version 2.9.0 and prior. The ajaxreq.php file allows unauthenticated users to inject arbitrary commands in the PARAM parameter to be executed as the apache user. The sudo configuration permits the apache user to execute any command as root without providing a password, resulting in privileged command execution as root. This module has been successfully tested on Mida Solutions eFramework-C7-2.9.0 virtual appliance.
1CRM 8.6.7 Insecure Direct Object Reference
16 September 2020, 3:31 pm1CRM versions 8.6.7 and below suffer from an insecure direct object reference vulnerability.
Acronis Cyber Backup 12.5 Build 16341 Server-Side Request Forgery
16 September 2020, 3:30 pmAcronis Cyber Backup version 12.5 Build 16341 suffers from a server-side request forgery vulnerability.
Piwigo 2.10.1 Cross Site Scripting
16 September 2020, 3:28 pmPiwigo version 2.10.1 suffers from a cross site scripting vulnerability.
Zerologon Proof Of Concept
16 September 2020, 3:14 pmProof of concept exploit for the Windows Zerologon vulnerability as noted in CVE-2020-1472. By default, it changes the password of the domain controller account.
ThinkAdmin 6 Arbitrary File Read
15 September 2020, 5:09 pmThinkAdmin version 6 suffers from an arbitrary file read vulnerability.
Tailor MS 1.0 Cross Site Scripting
15 September 2020, 5:08 pmTailor MS version 1.0 suffers from a cross site scripting vulnerability.
Joomla! paGO Commerce 2.5.9.0 SQL Injection
14 September 2020, 9:57 pmJoomla! paGO Commerce component 2.5.9.0 suffers from an authenticated remote SQL injection vulnerability.
Pearson Vue VTS 2.3.1911 Unquoted Service Path
14 September 2020, 9:54 pmThe installer in Pearson Vue VTS version 2.3.1911 suffers from an unquoted service path vulnerability.
RAD SecFlow-1v SF_0290_2.3.01.26 Cross Site Request Forgery
14 September 2020, 9:51 pmRAD SecFlow-1v version SF_0290_2.3.01.26 suffers from a cross site request forgery vulnerability.
Rapid7 Nexpose Installer 6.6.39 Unquoted Service Path
14 September 2020, 9:49 pmRapid7 Nexpose Installer version 6.6.39 suffers from an unquoted service path vulnerability.
RAD SecFlow-1v SF_0290_2.3.01.26 Cross Site Scripting
14 September 2020, 9:44 pmRAD SecFlow-1v version SF_0290_2.3.01.26 suffers from a persistent cross site scripting vulnerability.
Linux expand_downwards() / munmap() Race Condition
14 September 2020, 3:06 pmA race condition exists with munmap() downgrades in Linux kernel versions since 4.20.
Microsoft Windows Finger Security Bypass / C2 Channel
14 September 2020, 2:58 pmMicrosoft Windows TCPIP Finger Command finger.exe that ships with the OS, can be used as a file downloader and makeshift C2 channel. Legitimate use of Windows Finger Command is to send Finger Protocol queries to remote Finger daemons to retrieve user information. However, the finger client can also save the remote server response to disk using the command line redirection operator.
DnsAdmin ServerLevelPluginDll Feature Abuse Privilege Escalation
11 September 2020, 3:17 pmThis Metasploit module exploits a feature in the DNS service of Windows Server. Users of the DnsAdmins group can set the ServerLevelPluginDll value using dnscmd.exe to create a registry key at HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters\ named ServerLevelPluginDll that can be made to point to an arbitrary DLL.
VTENEXT 19 CE Remote Code Execution
11 September 2020, 3:13 pmVTENEXT 19 CE suffers from a remote code execution vulnerability.
Tea LaTex 1.0 Remote Code Execution
11 September 2020, 3:12 pmTea LaTex version 1.0 suffers from an unauthenticated remote code execution vulnerability.