Exploit Files ≈ Packet Storm


TP-Link cloud cameras NCXXX series (NC200, NC210, NC220, NC230, NC250, NC260, NC450) are vulnerable to an authenticated command injection vulnerability. In all devices except NC210, despite a check on the name length in swSystemSetProductAliasCheck, no other checks are in place in order to prevent shell metacharacters from being introduced. The system name would then be used in swBonjourStartHTTP as part of a shell command where arbitrary commands could be injected and executed as root. NC210 devices cannot be exploited directly via /setsysname.cgi due to proper input validation. NC210 devices are still vulnerable since swBonjourStartHTTP did not perform any validation when reading the alias name from the configuration file. The configuration file can be written, and code execution can be achieved by combining this issue with CVE-2020-12110.

Navy Federal Cross Site Scripting

18 September 2020, 5:09 pm

The Navy Federal site at navyfederal.org suffered from a cross site scripting vulnerability.
Mantis Bug Tracker version 2.3.0 suffers from a remote code execution vulnerability.

SpamTitan 7.07 Remote Code Execution

18 September 2020, 5:05 pm

SpamTitan version 7.07 suffers from an authenticated remote code execution vulnerability.

D-Link DGS-1210-28 Denial Of Service

18 September 2020, 2:22 am

D-Link DGS-1210-28 suffers from a denial of service vulnerability.
This exploit leverages a file write vulnerability in the print spooler service, which restarts automatically if stopped. Because the service cannot be stopped long enough to remove the DLL, there is no way to remove the DLL once the service has loaded it. Essentially, on default settings, this module adds a permanent elevated backdoor.
Microsoft SQL Server Reporting Services 2016 suffers from a remote code execution vulnerability.
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Exchange Server. Authentication is required to exploit this vulnerability. Additionally, the target user must have the “Data Loss Prevention” role assigned and an active mailbox. If the user is in the “Compliance Management” or greater “Organization Management” role groups, then they have the “Data Loss Prevention” role. Since the user who installed Exchange is in the “Organization Management” role group, they transitively have the “Data Loss Prevention” role. The specific flaw exists within the processing of the New-DlpPolicy cmdlet. The issue results from the lack of proper validation of user-supplied template data when creating a DLP policy. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Tested against Exchange Server 2016 CU14 on Windows Server 2016.
This Metasploit module exploits a command injection vulnerability in Mida Solutions eFramework version 2.9.0 and prior. The ajaxreq.php file allows unauthenticated users to inject arbitrary commands in the PARAM parameter to be executed as the apache user. The sudo configuration permits the apache user to execute any command as root without providing a password, resulting in privileged command execution as root. This module has been successfully tested on Mida Solutions eFramework-C7-2.9.0 virtual appliance.
1CRM versions 8.6.7 and below suffer from an insecure direct object reference vulnerability.
Acronis Cyber Backup version 12.5 Build 16341 suffers from a server-side request forgery vulnerability.

Piwigo 2.10.1 Cross Site Scripting

16 September 2020, 3:28 pm

Piwigo version 2.10.1 suffers from a cross site scripting vulnerability.

Zerologon Proof Of Concept

16 September 2020, 3:14 pm

Proof of concept exploit for the Windows Zerologon vulnerability as noted in CVE-2020-1472. By default, it changes the password of the domain controller account.

ThinkAdmin 6 Arbitrary File Read

15 September 2020, 5:09 pm

ThinkAdmin version 6 suffers from an arbitrary file read vulnerability.

Tailor MS 1.0 Cross Site Scripting

15 September 2020, 5:08 pm

Tailor MS version 1.0 suffers from a cross site scripting vulnerability.
Joomla! paGO Commerce component suffers from an authenticated remote SQL injection vulnerability.
The installer in Pearson Vue VTS version 2.3.1911 suffers from an unquoted service path vulnerability.
RAD SecFlow-1v version SF_0290_2.3.01.26 suffers from a cross site request forgery vulnerability.
Rapid7 Nexpose Installer version 6.6.39 suffers from an unquoted service path vulnerability.
RAD SecFlow-1v version SF_0290_2.3.01.26 suffers from a persistent cross site scripting vulnerability.
A race condition exists with munmap() downgrades in Linux kernel versions since 4.20.
The Microsoft Windows TCP/IP Finger command (finger.exe), which ships with the OS, can be used as a file downloader and makeshift C2 channel. The legitimate use of the Windows Finger command is to send Finger protocol queries to remote Finger daemons to retrieve user information. However, the finger client can also save the remote server's response to disk using the command line redirection operator.
This Metasploit module exploits a feature in the DNS service of Windows Server. Users of the DnsAdmins group can set the ServerLevelPluginDll value using dnscmd.exe to create a registry key at HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters\ named ServerLevelPluginDll that can be made to point to an arbitrary DLL.

VTENEXT 19 CE Remote Code Execution

11 September 2020, 3:13 pm

VTENEXT 19 CE suffers from a remote code execution vulnerability.

Tea LaTex 1.0 Remote Code Execution

11 September 2020, 3:12 pm

Tea LaTex version 1.0 suffers from an unauthenticated remote code execution vulnerability.