Exploit Files ≈ Packet Storm

Packet Storm – Information Security Services, News, Files, Tools, Exploits, Advisories and Whitepapers

This Metasploit module exploits an authenticated PHP code injection vulnerability found in openmediavault versions before 4.1.36 and 5.x versions before 5.5.12 inclusive in the “sortfield” POST parameter of the rpc.php page, because “json_encode_safe()” is not used in config/databasebackend.inc. Successful exploitation grants attackers the ability to execute arbitrary commands on the underlying operating system as root.
This Metasploit module uses the Kong admin API to create a route and a serverless function plugin that is associated with the route. The plugin runs Lua code and is used to run a system command using os.execute(). After execution the route is deleted, which also deletes the plugin.
This Metasploit module exploits WordPress Simple File List plugin versions prior to 4.2.3, which allows remote unauthenticated attackers to upload files within a controlled list of extensions. However, the rename function does not conform to the file extension restrictions, thus allowing arbitrary PHP code to be uploaded first as a png then renamed to php and executed.
SyncBreeze version 10.0.28 suffers from a remote buffer overflow vulnerability.
osCommerce version 2.3.4.1 suffers from a persistent cross site scripting vulnerability.
Wondershare Driver Install Service Help version 10.7.1.321 suffers from an unquoted service path vulnerability.
ZTE WLAN router MF253V version 1.0.0B04 suffers from cross site request forgery, hardcoded password, outdated component, and cross site scripting vulnerabilities.
This Metasploit module exploits an unauthenticated command injection vulnerability found in ZeroShell version 3.9.0 in the “/cgi-bin/kerbynet” URL. As sudo is configured to execute /bin/tar without a password (NOPASSWD), it is possible to run root commands using the “checkpoint” tar options.
Seowon 130-SLC router version 1.0.11 suffers from a remote code execution vulnerability.
OpenCart version 3.0.3.6 suffers from multiple persistent cross site scripting vulnerabilities.
nopCommerce Store version 4.30 suffers from a persistent cross site scripting vulnerability.
Apache OpenMeetings version 5.0.0 suffers from a denial of service vulnerability.
Liferay version 7.2.1 GA2 suffers from a persistent cross site scripting vulnerability.
The TP-Link TL-WA855RE V5_200415 suffers from a flaw where an unauthenticated attacker can reset the device and then set a new administrator password.
Boxoft Audio Converter version 2.3.0 suffers from a buffer overflow vulnerability.
Barco wePresent WiPG-1600W versions 2.5.1.8, 2.5.0.25, 2.5.0.24, and 2.4.1.19 have firmware that does not perform verification of digitally signed firmware updates and is susceptible to processing and installing modified/malicious images.
Barco wePresent WiPG-1600W versions 2.5.1.8, 2.5.0.25, 2.5.0.24, and 2.4.1.19 have a hardcoded root password hash included in the firmware image.
Barco wePresent WiPG-1600W version 2.5.1.8 has an SSH daemon included in the firmware image. By default, the SSH daemon is disabled and does not start at system boot. The system initialization scripts read a device configuration file variable to see if the SSH daemon should be started. The web interface does not provide a visible capability to alter this configuration file variable. However, a malicious actor can include this variable in a POST such that the SSH daemon will be started when the device boots.
The Barco wePresent WiPG-1600W version 2.5.1.8 web interface does not use session cookies for tracking authenticated sessions. Instead, the web interface uses a “SEID” token that is appended to the end of URLs in GET requests. Thus the “SEID” would be exposed in web proxy logs and browser history. An attacker that is able to capture the “SEID” and originate requests from the same IP address (via a NAT device or web proxy) would be able to access the user interface of the device without having to know the credentials.
An attacker armed with hardcoded API credentials from KL-001-2020-004 (CVE-2020-28329) can issue an authenticated query to display the admin password for the main web user interface listening on port 443/tcp for Barco wePresent WiPG-1600W version 2.5.1.8.
Barco wePresent device firmware includes a hardcoded API account and password that is discoverable by inspecting the firmware image. A malicious actor could use this password to access authenticated, administrative functions in the API. Versions affected include 2.5.1.8, 2.5.0.25, 2.5.0.24, and 2.4.1.19.

Vtiger CRM 7.0 Cross Site Scripting

20 November 2020, 3:59 pm

Vtiger CRM version 7.0 suffers from a persistent cross site scripting vulnerability.
This Metasploit module exploits a series of vulnerabilities to achieve unauthenticated remote code execution on the Rockwell FactoryTalk View SE SCADA product as the IIS user. The attack relies on the chaining of five separate vulnerabilities. The first vulnerability is an unauthenticated project copy request, the second is a directory traversal, and the third is a race condition. In order to achieve full remote code execution on all targets, two information leak vulnerabilities are also abused. This exploit was used by the Flashback team (Pedro Ribeiro + Radek Domanski) in Pwn2Own Miami 2020 to win the EWS category.
IBM Tivoli Storage Manager version 5.2.0.1 suffers from a command line administrative interface buffer overflow vulnerability.
Boxoft Convert Master version 1.3.0 SEH local buffer overflow exploit.