Packet Storm – Information Security Services, News, Files, Tools, Exploits, Advisories and Whitepapers
TP-Link Cloud Cameras NCXXX Bonjour Command Injection (18 September 2020, 5:11 pm)
TP-Link cloud cameras of the NCXXX series (NC200, NC210, NC220, NC230, NC250, NC260, NC450) suffer from an authenticated command injection vulnerability. In all devices except the NC210, swSystemSetProductAliasCheck checks only the length of the system name; nothing prevents shell metacharacters from being introduced. The system name is then used in swBonjourStartHTTP as part of a shell command, so arbitrary commands can be injected and executed as root. NC210 devices cannot be exploited directly via /setsysname.cgi because that handler validates its input properly, but they remain vulnerable because swBonjourStartHTTP performs no validation when it reads the alias name back from the configuration file. Since the configuration file can be written, code execution on the NC210 can be achieved by combining this issue with CVE-2020-12110.
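The flaw pattern above (a length check that does nothing about metacharacters, followed by string-building for a shell) next to the hardened form, as an added example that is not TP-Link firmware code. The avahi-publish command template, the 32-character limit and the alias samples are assumptions used only to illustrate the pattern; the real device's command line is not on this page.

```python
import re
import shlex
import subprocess

# Added example, not TP-Link firmware code. The command template and the
# 32-character limit are assumptions chosen to illustrate the pattern.
MAX_ALIAS_LEN = 32
ALIAS_RE = re.compile(r"^[A-Za-z0-9_-]{1,%d}$" % MAX_ALIAS_LEN)


def vulnerable_bonjour_command(alias):
    """Flawed pattern: length is checked, shell metacharacters are not,
    and the resulting string is destined for a system()-style shell call."""
    if len(alias) > MAX_ALIAS_LEN:
        raise ValueError("alias too long")
    return "avahi-publish -s %s _http._tcp 80" % alias


def shell_commands(cmd):
    """Tokenise cmd the way a POSIX shell would and split it at ; & |
    so the number of separate commands the shell would run becomes visible."""
    lexer = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    commands, current = [], []
    for tok in lexer:
        if tok and set(tok) <= set(";&|"):
            commands.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands


def validate_alias(alias):
    """Allow-list check: letters, digits, '-' and '_' only, within the limit."""
    if not ALIAS_RE.match(alias):
        raise ValueError("alias contains characters outside the allow-list")
    return alias


def hardened_bonjour_argv(alias):
    """Validated alias passed as a discrete argv element; no shell ever parses it."""
    return ["avahi-publish", "-s", validate_alias(alias), "_http._tcp", "80"]


def start_hardened(alias):
    # shell=False: argv goes straight to execve, so metacharacters are inert
    return subprocess.Popen(hardened_bonjour_argv(alias))
```

shell_commands() is the quick way to show a reviewer why the length check alone is worthless: an alias such as "cam;id" is well within the limit yet yields two commands, the second running with the privileges of the caller (root on the cameras described above).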
Navy Federal Cross Site Scripting (18 September 2020, 5:09 pm)
The Navy Federal site at navyfederal.org suffered from a cross site scripting vulnerability.
Mantis Bug Tracker 2.3.0 Remote Code Execution (18 September 2020, 5:07 pm)
Mantis Bug Tracker version 2.3.0 suffers from a remote code execution vulnerability.
SpamTitan 7.07 Remote Code Execution (18 September 2020, 5:05 pm)
SpamTitan version 7.07 suffers from an authenticated remote code execution vulnerability.
D-Link DGS-1210-28 Denial Of Service (18 September 2020, 2:22 am)
D-Link DGS-1210-28 suffers from a denial of service vulnerability.
Microsoft Spooler Local Privilege Elevation (17 September 2020, 9:32 pm)
This exploit leverages a file write vulnerability in the print spooler service, which restarts automatically if stopped. Because the service cannot be stopped long enough to remove the DLL, there is no way to remove the DLL once the service has loaded it. Essentially, on default settings, this module adds a permanent elevated backdoor.
Microsoft SQL Server Reporting Services 2016 Remote Code Execution (17 September 2020, 9:26 pm)
Microsoft SQL Server Reporting Services 2016 suffers from a remote code execution vulnerability.
Microsoft Exchange Server DlpUtils AddTenantDlpPolicy Remote Code Execution (17 September 2020, 2:11 pm)
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Exchange Server. Authentication is required to exploit this vulnerability, and the target user must have the “Data Loss Prevention” role assigned and an active mailbox. Members of the “Compliance Management” role group, or of the broader “Organization Management” role group, hold the “Data Loss Prevention” role; since the user who installed Exchange is in the “Organization Management” role group, that user transitively has it. The specific flaw exists within the processing of the New-DlpPolicy cmdlet and results from the lack of proper validation of user-supplied template data when creating a DLP policy. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Tested against Exchange Server 2016 CU14 on Windows Server 2016.
Mida Solutions eFramework ajaxreq.php Command Injection (16 September 2020, 3:37 pm)
This Metasploit module exploits a command injection vulnerability in Mida Solutions eFramework version 2.9.0 and prior. The ajaxreq.php file allows unauthenticated users to inject arbitrary commands via the PARAM parameter, which are executed as the apache user. The sudo configuration permits the apache user to execute any command as root without providing a password, turning this into privileged command execution as root. This module has been successfully tested on the Mida Solutions eFramework-C7-2.9.0 virtual appliance.
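The sudo misconfiguration that turns the apache-level injection above into root is the kind of thing an appliance review should catch before an exploit does. The following is an added example, not Mida Solutions code: a small sudoers checker run over a constructed sample file whose apache line reproduces the configuration described above. The parser handles plain user specifications only (no aliases, Runas groups or include directives), which is enough to flag this pattern; the hardened replacement line and its helper path are hypothetical.

```python
import re

# Added example, not Mida Solutions code. SAMPLE_SUDOERS is constructed; its
# 'apache' line reproduces the configuration described above.
SAMPLE_SUDOERS = """\
# constructed sample sudoers
Defaults    requiretty
root    ALL=(ALL)       ALL
apache  ALL=(ALL)       NOPASSWD: ALL
backup  ALL=(root)      NOPASSWD: /usr/bin/rsync
%wheel  ALL=(ALL)       ALL
"""

# user  host=(runas) [NOPASSWD:] cmd1, cmd2, ...
USER_SPEC_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*\((?P<runas>[^)]*)\)\s*(?P<cmds>.+)$"
)


def parse_sudoers(text):
    """Return one dict per user specification line (simplified grammar)."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        m = USER_SPEC_RE.match(line)
        if not m:
            continue
        cmds = m.group("cmds")
        nopasswd = bool(re.search(r"\bNOPASSWD:", cmds))
        cmds = re.sub(r"\b(NOPASSWD|PASSWD|SETENV|NOEXEC):\s*", "", cmds)
        runas = m.group("runas").split(":")[0]  # ignore the optional group part
        rules.append({
            "user": m.group("user"),
            "host": m.group("host"),
            "runas": [u.strip() for u in runas.split(",") if u.strip()],
            "nopasswd": nopasswd,
            "cmds": [c.strip() for c in cmds.split(",") if c.strip()],
        })
    return rules


def unrestricted_root_rules(rules, service_accounts):
    """Rules letting a service account run ALL as root (explicitly, as ALL, or
    by the empty-Runas default) without a password."""
    flagged = []
    for r in rules:
        runs_as_root = not r["runas"] or "ALL" in r["runas"] or "root" in r["runas"]
        if (r["user"] in service_accounts and r["nopasswd"]
                and "ALL" in r["cmds"] and runs_as_root):
            flagged.append(r)
    return flagged


# What the apache line should look like instead: one fixed helper binary,
# still as root, and nothing else (the helper path is hypothetical).
HARDENED_RULE = "apache  ALL=(root)      NOPASSWD: /usr/local/sbin/eframework-helper"
```

Running parse_sudoers() on the real /etc/sudoers and /etc/sudoers.d/* of an appliance and feeding the result to unrestricted_root_rules() with the web server's account name gives a direct answer to "does a web shell here equal root?".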
1CRM 8.6.7 Insecure Direct Object Reference (16 September 2020, 3:31 pm)
1CRM versions 8.6.7 and below suffer from an insecure direct object reference vulnerability.
Acronis Cyber Backup 12.5 Build 16341 Server-Side Request Forgery (16 September 2020, 3:30 pm)
Acronis Cyber Backup version 12.5 Build 16341 suffers from a server-side request forgery vulnerability.
Piwigo 2.10.1 Cross Site Scripting (16 September 2020, 3:28 pm)
Piwigo version 2.10.1 suffers from a cross site scripting vulnerability.
Zerologon Proof Of Concept (16 September 2020, 3:14 pm)
Proof of concept exploit for the Windows Netlogon Zerologon vulnerability, CVE-2020-1472. By default, it resets the domain controller's machine account password to an empty value.
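Why a handful of retries is enough: CVE-2020-1472 comes from Netlogon's ComputeNetlogonCredential using AES-CFB8 with an all-zero IV. With an all-zero client challenge, the credential is all zeros whenever the first keystream byte is zero, which happens for about 1 in 256 session keys, and each attempt gets a fresh server-derived key. The block below is an added example, not the proof of concept itself: to stay dependency-free, the 128-bit block function is a SHA-256 stand-in (an assumption; Netlogon uses AES-128), while the CFB8 chaining, which is what the bug depends on, is exact.

```python
import hashlib

# Added example, not the Zerologon PoC. block_encrypt() is a SHA-256 stand-in
# for AES-128 (assumption); the CFB8 construction itself is the real one.
BLOCK = 16


def block_encrypt(key, block):
    """Stand-in keyed 16-byte block function (NOT AES)."""
    return hashlib.sha256(key + block).digest()[:BLOCK]


def cfb8_encrypt(key, iv, plaintext):
    """CFB with an 8-bit feedback width: each keystream byte is the first byte
    of E_k(shift register); the ciphertext byte is shifted in from the right."""
    shift = bytearray(iv)
    out = bytearray()
    for p in plaintext:
        ks = block_encrypt(key, bytes(shift))[0]
        c = p ^ ks
        out.append(c)
        shift = shift[1:] + bytes([c])
    return bytes(out)


def compute_netlogon_credential(session_key, challenge):
    """The vulnerable construction: a fixed all-zero IV."""
    return cfb8_encrypt(session_key, bytes(BLOCK), challenge)


def zerologon_attempt(session_key):
    """True when an all-zero client challenge yields an all-zero credential,
    i.e. the server would accept the attacker's zero ClientCredential.
    Once the first output byte is 0 the shift register stays all-zero, so
    every later byte is the same keystream byte and is 0 as well."""
    return compute_netlogon_credential(session_key, bytes(8)) == bytes(8)


def first_weak_key(start=0):
    """Enumerate candidate keys until one makes the attempt succeed."""
    n = start
    while True:
        key = n.to_bytes(BLOCK, "big")
        if zerologon_attempt(key):
            return key
        n += 1


def success_count(trials):
    """How many of `trials` deterministic keys accept the zero credential."""
    return sum(zerologon_attempt(i.to_bytes(BLOCK, "big")) for i in range(trials))
```

success_count(20000) lands near 78 (20000/256) for the stand-in, and would for AES as well: the attack does not depend on any weakness of the cipher, only on the zero IV and the byte-wide feedback. The same function with a random IV (as the patched Netlogon effectively enforces through its secure channel requirements) gives the attacker no such 1/256 foothold.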
ThinkAdmin 6 Arbitrary File Read (15 September 2020, 5:09 pm)
ThinkAdmin version 6 suffers from an arbitrary file read vulnerability.
Tailor MS 1.0 Cross Site Scripting (15 September 2020, 5:08 pm)
Tailor MS version 1.0 suffers from a cross site scripting vulnerability.
Joomla! paGO Commerce 220.127.116.11 SQL Injection (14 September 2020, 9:57 pm)
Joomla! paGO Commerce component 18.104.22.168 suffers from an authenticated remote SQL injection vulnerability.
Pearson Vue VTS 2.3.1911 Unquoted Service Path (14 September 2020, 9:54 pm)
The installer in Pearson Vue VTS version 2.3.1911 suffers from an unquoted service path vulnerability.
RAD SecFlow-1v SF_0290_2.3.01.26 Cross Site Request Forgery (14 September 2020, 9:51 pm)
RAD SecFlow-1v version SF_0290_2.3.01.26 suffers from a cross site request forgery vulnerability.
Rapid7 Nexpose Installer 6.6.39 Unquoted Service Path (14 September 2020, 9:49 pm)
Rapid7 Nexpose Installer version 6.6.39 suffers from an unquoted service path vulnerability.
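Both unquoted service path entries above (Pearson Vue VTS and Rapid7 Nexpose Installer) rely on the same Windows behaviour: for an unquoted ImagePath containing spaces, CreateProcess tries the string up to each space in turn, appending .exe, until something exists. The block below is an added example, not code from either vendor's installer. It enumerates those candidates, checks them against a constructed set of writable directories (on a real host you would test each directory with icacls or by creating a file), and shows the quoted remediation. The example path is hypothetical.

```python
import ntpath

# Added example, not vendor installer code. Paths and writable directories
# used with these functions are constructed for illustration.


def service_path_candidates(image_path):
    """Executables Windows tries, in order, for an unquoted path with spaces:
    the string up to each space with .exe appended, stopping at the first
    prefix that already names an .exe (what follows it is arguments)."""
    image_path = image_path.strip()
    if image_path.startswith('"'):
        return [image_path.split('"')[1]]  # quoted: no ambiguity
    parts = image_path.split(" ")
    candidates = []
    for i in range(1, len(parts) + 1):
        prefix = " ".join(parts[:i])
        if prefix.lower().endswith(".exe"):
            candidates.append(prefix)
            break
        candidates.append(prefix + ".exe")
    return candidates


def plantable(candidates, writable_dirs):
    """Candidates whose parent directory the low-privileged user can write to,
    i.e. where dropping a binary hijacks the service at next start."""
    normalised = {d.rstrip("\\").lower() for d in writable_dirs}
    return [c for c in candidates
            if ntpath.dirname(c).rstrip("\\").lower() in normalised]


def quote_image_path(image_path):
    """Remediation: quote the executable part (up to and including .exe),
    leaving any arguments outside the quotes."""
    idx = image_path.lower().find(".exe")
    if image_path.startswith('"') or idx == -1:
        return image_path
    exe, rest = image_path[:idx + 4], image_path[idx + 4:]
    return '"%s"%s' % (exe, rest)
```

The interesting candidates are the early ones: C:\Program.exe needs write access to the drive root, which is rare, while "C:\Program Files\<Vendor>.exe" only needs a misconfigured ACL on the vendor directory, which is exactly what installers that create their own folder tend to leave behind.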
RAD SecFlow-1v SF_0290_2.3.01.26 Cross Site Scripting (14 September 2020, 9:44 pm)
RAD SecFlow-1v version SF_0290_2.3.01.26 suffers from a persistent cross site scripting vulnerability.
Linux expand_downwards() / munmap() Race Condition (14 September 2020, 3:06 pm)
A race condition exists between expand_downwards() and the mmap lock downgrade performed by munmap() in Linux kernel versions since 4.20.
Microsoft Windows Finger Security Bypass / C2 Channel (14 September 2020, 2:58 pm)
The Microsoft Windows TCP/IP finger command, finger.exe, which ships with the OS, can be used as a file downloader and makeshift C2 channel. Its legitimate use is to send Finger protocol queries to remote finger daemons to retrieve user information; however, the client can also save the remote server's response to disk using the command-line redirection operator.
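The exchange behind "finger user@host > file", as an added example that is not Microsoft's finger.exe or Packet Storm code: the client sends a one-line RFC 1288 query, the server answers with free-form text, and the client writes back whatever arrives, so a daemon that keys its reply on the "user" name is a download server. Both ends run here over a socketpair so no network is needed; the payload table, the user names and the command lines used for the detection check are constructed.

```python
import re
import socket
import threading

# Added example, not finger.exe or Packet Storm code. Payloads, user names
# and command lines handled below are constructed for illustration.


def build_query(user, verbose=False):
    """What the client puts on the wire: optional /W, the user name, CRLF."""
    return (("/W " if verbose else "") + user + "\r\n").encode("ascii")


def parse_query(raw):
    """Server side: return (verbose, user) from the request line."""
    line = raw.split(b"\r\n", 1)[0].decode("ascii", "replace").strip()
    verbose = line.upper().startswith("/W")
    if verbose:
        line = line[2:].strip()
    return verbose, line


def make_handler(payloads):
    """A 'user' name selects the blob to return; anything else looks like a normal daemon."""
    def handle(raw):
        _, user = parse_query(raw)
        return payloads.get(user, b"Login: nobody\r\nNo Plan.\r\n")
    return handle


def serve_one(handle, conn):
    conn.sendall(handle(conn.recv(1024)))
    conn.close()


def finger_fetch(sock, user):
    """Client role: send the query and collect everything until the server closes."""
    sock.sendall(build_query(user))
    chunks = []
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            break
        chunks.append(chunk)
    return b"".join(chunks)


def round_trip(user, payloads):
    """Run both ends over a socketpair and return the bytes the client would
    redirect to disk with '> file'."""
    client, server = socket.socketpair()
    t = threading.Thread(target=serve_one, args=(make_handler(payloads), server))
    t.start()
    data = finger_fetch(client, user)
    t.join()
    client.close()
    return data


# Detection: the finger client invoked with user@host and stdout redirected to a file.
FINGER_DOWNLOAD_RE = re.compile(r"\bfinger(?:\.exe)?\b.*?\S+@\S+.*?>\s*\S+", re.IGNORECASE)


def is_finger_download(cmdline):
    return bool(FINGER_DOWNLOAD_RE.search(cmdline))
```

The traffic is plain TCP/79 with no framing and no length field, which is why a blob arrives intact, and also why egress filtering on port 79 plus a process-creation rule matching is_finger_download() is a cheap way to close the channel on hosts that have no business running finger at all.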
DnsAdmin ServerLevelPluginDll Feature Abuse Privilege Escalation (11 September 2020, 3:17 pm)
This Metasploit module exploits a feature of the DNS service on Windows Server. Members of the DnsAdmins group can use dnscmd.exe to set the ServerLevelPluginDll value under HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters\ so that it points to an arbitrary DLL, which the DNS service then loads with its own (SYSTEM) privileges when it restarts.
VTENEXT 19 CE Remote Code Execution (11 September 2020, 3:13 pm)
VTENEXT 19 CE suffers from a remote code execution vulnerability.
Tea LaTex 1.0 Remote Code Execution (11 September 2020, 3:12 pm)
Tea LaTex version 1.0 suffers from an unauthenticated remote code execution vulnerability.