[FD] AlienVault 4.5.0 authenticated SQL injection

2014-03-30 Thread Brandon Perry
Hi, the linked gist below details a post-auth SQL injection within AlienVault 4.5.0 OSSIM. Any authed user will do, admin not required. https://gist.github.com/brandonprry/9874177 -- http://volatile-minds.blogspot.com -- blog http://www.volatileminds.net -- website

[FD] EMC CTA v10.0 unauthenticated XXE with root perms

2014-03-31 Thread Brandon Perry
Hi, The linked gist below details an unauthenticated XXE vulnerability that allows an attacker to read /etc/shadow within EMC CTA v10.0. https://gist.github.com/brandonprry/9895721 -- http://volatile-minds.blogspot.com -- blog http://www.volatileminds.net -- website

Re: [FD] Security flaw in Full Disclosure mailing list

2014-04-02 Thread Brandon Perry
Actually, most email clients now can filter out your plain text passwords. For instance, my password is hunter2, but you will only ever see *. Email has worked this way for ages now. On Wed, Apr 2, 2014 at 4:38 PM, Michal Zalewski wrote: > > -table.append(fmt % (listad

Re: [FD] Security flaw in Full Disclosure mailing list

2014-04-02 Thread Brandon Perry
All I see is "Wow so ** will show up as stars? Neat!" On Wed, Apr 2, 2014 at 5:34 PM, Eric G wrote: > On Apr 2, 2014 3:31 PM, "Brandon Perry" wrote: > > > > Actually, most email clients now can filter out your plain text > passwords. > > &

Re: [FD] Legality of Open Source Tools

2014-04-04 Thread Brandon Perry
If I recall correctly, version 1 of metasploit actually had exploits for *live* sites (a bank) and things, so that is obviously an issue. I don't even think you will find a copy of the first version of metasploit (does HD have one locked up somewhere, who knows). Currently, metasploit is a hammer.

Re: [FD] heartbleed OpenSSL bug CVE-2014-0160

2014-04-09 Thread Brandon Perry
I have seen people pull private keys off of FreeBSD 9.1 machines. https://twitter.com/1njected/status/453797877672706048 On Wed, Apr 9, 2014 at 2:52 PM, Jeremy Voorhis wrote: > I just read an article titled "Why heartbleed doesn't leak the private key" > and the claim seems irresponsible and o

Re: [FD] heartbleed OpenSSL bug CVE-2014-0160

2014-04-10 Thread Brandon Perry
I think all you can do is look at pcaps. Willing to eat crow though. On Thu, Apr 10, 2014 at 12:20 PM, Ingo Schmitt < ingo.schm...@binarysignals.net> wrote: > Is it traceable with the log files when an (successful) attack occurred? > > If yes, we could determine whether the vuln has been used by

Re: [FD] heartbleed OpenSSL bug CVE-2014-0160

2014-04-11 Thread Brandon Perry
Also, yeah, it is only read-only. I think the most dangerous thing about this is the fact that it is seemingly undetectable. Codenomicon obviously was more concerned about the press than they were about this issue. On Fri, Apr 11, 2014 at 4:20 AM, Ivan .Heca wrote: > to be fair to Bruce, here

[FD] Socialtext as a DoS tool?

2014-04-13 Thread Brandon Perry
So, it looks like Socialtext uses this json proxy in its application (at least on the trial in the cloud) and you can specify whatever url you want it to get. https://gist.github.com/brandonprry/10591916

[FD] Unitrends enterprise backup remote unauthenticated root

2014-04-15 Thread Brandon Perry
Hi, detailed in this gist is a metasploit module and vulnerability that allows an attacker to execute commands remotely as root without prior authentication: https://gist.github.com/brandonprry/10745756 -- http://volatile-minds.blogspot.com -- blog http://www.volatileminds.net -- website

[FD] Xerox DocuShare authenticated SQL injection

2014-04-15 Thread Brandon Perry
Hi, detailed in the linked gist is a SQL injection available to authenticated "read-only" users within Xerox DocuShare: https://gist.github.com/brandonprry/10745681 -- http://volatile-minds.blogspot.com -- blog http://www.volatileminds.net -- website

[FD] WebTitan 4.01 multiple vulnerabilities

2014-04-15 Thread Brandon Perry
Hi, please see the linked gist for details on Directory Traversal and RCE vulnerabilities within WebTitan: https://gist.github.com/brandonprry/10747603 -- http://volatile-minds.blogspot.com -- blog http://www.volatileminds.net -- website

Re: [FD] DAVOSET v.1.2

2014-04-27 Thread Brandon Perry
It's pronounced 'nuculer'. On Sat, Apr 26, 2014 at 8:45 PM, laurent gaffie wrote: > Yeah!!! Mustlive releases a S-K DOS script, party's on bitches. > > "This is Nuclear Edition. Because of anniversary, I wish you a peaceful > atom." > (-_-') > > > 2014-04-26 19:39 GMT-04:00 MustLive : > > > Hell

Re: [FD] AOL confirms compromise

2014-04-29 Thread Brandon Perry
Best practice is PCI compliance. Duh. On Tue, Apr 29, 2014 at 5:21 PM, Jeffrey Walton wrote: > On Tue, Apr 29, 2014 at 11:30 AM, Daniel Hadfield > wrote: > > http://blog.aol.com/2014/04/28/aol-security-update/ > > > Ouch... Have any details of the "encryption" been analyzed or > discussed? It

Re: [FD] Beginners error: iTunes for Windows runs rogue program C:\Program.exe when opening associated files

2014-05-01 Thread Brandon Perry
Stupid people also share their C: drive on networks. On 04/30/2014 05:17 PM, Alton Blom wrote: > Hi Mike, > It's probably better seen as a way of keeping persistence on a machine than > a full-blown exploit. > > Alton(ius) > altonblom.com > @altonius_au > > > On Thu, May 1, 2014 at 8:05 AM, Mike C

Re: [FD] Beginners error: iTunes for Windows runs rogue program C:\Program.exe when opening associated files

2014-05-01 Thread Brandon Perry
Also, keep in mind that it isn't just C:\Program.exe. What if a privileged application used an insecure temp directory with a space that allowed an attacker on the system to escalate to system? Full blown exploits can take advantage of multiple vulnerabilities that are relatively harmless in and o

[FD] F5 BIG-IQ authed arbitrary user password change

2014-05-01 Thread Brandon Perry
Hi, Detailed at this blog post (with pics!) is a vulnerability within F5 BIG-IQ 4.1.0.2013.0. http://volatile-minds.blogspot.com/2014/05/f5-big-iq-v41020130-authenticated.html A module for this will be uploaded to ExploitHub this evening that will change the root users password and log in over S

Re: [FD] F5 BIG-IQ authed arbitrary user password change

2014-05-02 Thread Brandon Perry
Nm on ExploitHub. Here is the module: https://gist.github.com/brandonprry/2e73acd63094fa2a4f63 On Thu, May 1, 2014 at 5:10 PM, Brandon Perry wrote: > Hi, > > Detailed at this blog post (with pics!) is a vulnerability within F5 > BIG-IQ 4.1.0.2013.0. > > > http://volati

[FD] Moar F5 fun in iControl API

2014-05-07 Thread Brandon Perry
Hi, Linked below is an advisory regarding remote command execution (as root, possibly) vulnerabilities within the iControl API: http://support.f5.com/kb/en-us/solutions/public/15000/200/sol15220.html An example request that will set the hostname to 'root.example.com': http://schemas.xmlsoap.o

[FD] A small project: metafang

2014-05-09 Thread Brandon Perry
Hi, I gave a short presentation on this tool in a turbo talk at ISSW this year. It is a C# application using GTK for the UI that interfaces with a Metasploit RPC instance and creates .NET payloads that will execute x86/x86_64 shellcode straight from Metasploit. You can create a single executable w

[FD] HP Release Control Authenticated Privilege Escalation and XXE

2014-05-16 Thread Brandon Perry
Hi, Linked is a gist detailing a few vulnerabilities I found in HP Release Control 9.20, Build 395. You can download it on the On-premise software tab here: http://www8.hp.com/us/en/software-solutions/software.html?compURI=1350467#.U3aJWl5-_8s Basically, the first request an admin makes whe

Re: [FD] [KIS-2014-06] Dotclear <= 2.6.2 (Media Manager) Unrestricted File Upload Vulnerability

2014-05-21 Thread Brandon Perry
Hi, These are cool. Here is a Metasploit module for the file upload. You seem to need the ability to publish as well as the ability to manage your own media. Feel free to edit as you would like and make a pull request! https://gist.github.com/brandonprry/efc0765c342a44a0dedb On Wed, May 21, 2

Re: [FD] What do you think of Trollc?

2014-05-27 Thread Brandon Perry
Not even sure when the last vulnerability that caused any fluctuation in the stock markets was. On Tue, May 27, 2014 at 1:49 PM, Philip Cheong wrote: > From https://www.startjoin.com/trollc > > *Right now if you're a software exploit developer and you want to monetize > your craft to pay your r

Re: [FD] What do you think of Trollc?

2014-05-28 Thread Brandon Perry
. If weev did this, he could yell all day about supposed vulnerabilities, but as soon as he provided proof that something was exploitable, the company would turn around and sue him under CFAA. On Tue, May 27, 2014 at 2:32 PM, Jeffrey Walton wrote: > On Tue, May 27, 2014 at 3:04 PM, Brand

Re: [FD] TrueCrypt 7.1 repos on GitHub - forking starting point

2014-05-30 Thread Brandon Perry
Two issues with this: 1) TrueCrypt wasn't free as in freedom, it was free as in beer. These forks break the license afaik. 2) Do you trust these users to understand the codebase thoroughly enough and understand cryptography enough to not introduce stupid crypto bugs? That is a huge caveat. Just

[FD] Scrumworks Pro authenticated arbitrary password reset

2014-06-05 Thread Brandon Perry
The latest available version of Scrumworks Pro does not perform proper authorization checks when users attempt to change passwords via the Java Web Start client. If you capture the request the web start client makes when changing the 'administrator' user's password, and substitute the JSESSIONID c

[FD] HP Enterprise Maps 1.00 Authenticated XXE

2014-06-25 Thread Brandon Perry
HP Enterprise Maps 1.00 Authenticated XXE vulnerability http://www8.hp.com/us/en/software/enterprise-software.html Any user that has the ability to import a file to create an artifact (most, if not all authed users?) can upload a specially crafted WSDL that will read files such as /etc/passwd.

[FD] Root command injection in ext-pack name for Virtualbox because of GKSu

2014-07-08 Thread Brandon Perry
A while back I noticed some funny behavior that I thought was in VirtualBox at first, but it turns out the reason I can do this is because of GKSu. I felt like the ramifications were fairly large, and contacting the (supposed?) maintainer of GKSu didn't work. https://community.rapid7.com/communit

[FD] InvGate Service Desk post-auth SQL injection as non-privileged user

2014-07-09 Thread Brandon Perry
Hi, https://gist.github.com/brandonprry/fc4d396ca7503d49a0f5 Detailed in the above gist is a slew of SQL injections available to an authenticated but non-privileged user in the latest available version (from their website) of InvGate. -- http://volatile-minds.blogspot.com -- blog http://www.vol

[FD] Dell Scrutinizer 11.01 multiple vulnerabilities

2014-07-10 Thread Brandon Perry
Hello! The below gists detail at a high level[1] many SQL injection vulnerabilities as well as a privilege escalation vulnerability and corresponding Metasploit modules[2]. [1] https://gist.github.com/brandonprry/36b4b8df1cde279a9305 [2] https://gist.github.com/brandonprry/76741d9a0d4f518fe297 -

Re: [FD] FireFox: Lab Mouse Security: Remote Code Execution via Browser (LZO)

2014-07-10 Thread Brandon Perry
Are we sure it isn't a plugin like mplayer or something that is popping the shell, and not FF itself? On Thu, Jul 10, 2014 at 11:20 AM, Nick Boyce wrote: > On 9 July 2014 18:50, Lee wrote: > > > I know nothing about this, but some friends kept posting a link to this > > video. I saw nothing a

Re: [FD] Should it be better ...

2014-07-10 Thread Brandon Perry
Thank you for bringing this up. When posting my information, I was actually assuming a brief description with links was preferred if you were so inclined to read after a summary. I, for one, didn't grow up on those types of lists and had never even looked at bugtraq from that early on. I also thi

[FD] Raritan PowerIQ v4.10 and v4.2.1 Unauthenticated SQL injection and possible RCE

2014-07-17 Thread Brandon Perry
Raritan PowerIQ suffers from an unauthenticated SQL injection vulnerability within an endpoint used during initial configuration of the licensing for the product. This endpoint is still available after the appliance has been fully configured. POST /license/records HTTP/1.1 Host: 192.168.1.11 Use

Re: [FD] Beginner's error: import function of Windows Mail executes rogue program C:\Program.exe with credentials of other account

2014-07-24 Thread Brandon Perry
So, I am very curious how you are finding these? Have you automated this or is it manual hand work? On Wed, Jul 23, 2014 at 2:50 PM, Stefan Kanthak wrote: > Hi @ll, > > the import function of Windows Mail executes a rogue program C:\Program.exe > with the credentials of another account, resulti

Re: [FD] XXE Injection in HP Release Control

2014-08-04 Thread Brandon Perry
It's not an 0day, I dropped this in may. On Mon, Aug 4, 2014 at 9:39 AM, Douglas Held wrote: > Hello MustLive, > > Did you disclose this to HP? You didn't mention whether this is 0-day or > disclosed (I think you usually publish your disclosure timeline) > > Thanks > Doug > > Date: Thu, 31 Jul

Re: [FD] CVE-2014-5308 - Multiple SQL Injection Vulnerabilities in TestLink

2014-10-01 Thread Brandon Perry
I am unable to exploit this with any user except admin, so I am curious how you were able to come to the conclusion that any user who could sign up would be able to exploit these... "Note:'Any user can create account for the application in 'testlink/firstLogin.php' page hence its possible to explo

[FD] Mulesoft ESB Authenticated Privilege Escalation

2014-10-22 Thread Brandon Perry
Mulesoft ESB Runtime 3.5.1 Authenticated Privilege Escalation → Remote Code Execution Mulesoft ESB Runtime 3.5.1 allows any arbitrary authenticated user to create an administrator user due to a lack of permissions check in the handler/securityService.rpc endpoint. The following HTTP request can

Re: [FD] xdg-open RCE

2014-11-17 Thread Brandon Perry
This is very similar to this gksu bug (which only applies to gksu when in SU_MODE) http://savannah.nongnu.org/bugs/?40023 Attempted to email the gksu 'maintainer', but with no response. Did a quick write up on the Rapid7 site on how I found out about it and the vector I was using to exploit it:

[FD] device42 DCIM authenticated remote root via appliance manager

2014-11-25 Thread Brandon Perry
Remote Authenticated Root in Device42 DCIM Appliance Manager v5.10 and v6.0 http://www.device42.com/download/ Device42 ships virtual appliances ready for production use as a trial (essentially dictated by the license provided). The Appliance Manager listens on HTTP (no SSL) on port 4242 wit

[FD] BMC TrackIt! Unauthenticated Arbitrary Local System User Password Change

2014-12-11 Thread Brandon Perry
BMC TrackIt! 11.3 Unauthenticated Local User Password Change Trial available here: http://www.trackit.com A Metasploit pull request has been made here: https://github.com/rapid7/metasploit-framework/pull/4359 BMC TrackIt! 11.3 when installed with TrackItWeb! allows an unauthenticated user to chan

[FD] eTouch SamePage v4.4.0.0.239 multiple vulnerabilities

2015-02-12 Thread Brandon Perry
Couldn’t find anyone to contact regarding this, so dropping it. eTouch SamePage v4.4.0.0.239 multiple vulnerabilities http://www.etouch.net/products/samepage/index.html Enterprise trial was installed in an Ubuntu virtual machine with MySQL. By default, the listening port is 18080. Required on

[FD] Multiple SQL injections in core Orion service affecting many Solarwinds products (CVE-2014-9566)

2015-03-03 Thread Brandon Perry
I found a couple SQL injection vulnerabilities in the core Orion service used in most of the Solarwinds products (SAM, IPAM, NPM, NCM, etc…). This service provides a consistent configuration and authentication layer across the products. To be exact, the vulnerable applications and versions are: N

[FD] Raritan PowerIQ known session secret

2015-03-11 Thread Brandon Perry
Raritan PowerIQ versions 4.1, 4.2, and 4.3 ship with a Rails 2 web interface with a hardcoded session secret of 8e238c9702412d475a4c44b7726a0537. This can be used to achieve unauthenticated remote code execution as the nginx user on vulnerable systems. msf exploit(rails_secret_deserialization) >

[FD] Web-Dorado ECommerce-WD for Joomla plugin multiple unauthenticated SQL injections

2015-03-18 Thread Brandon Perry
Version 1.2.5 of the ECommerce-WD plugin for Joomla! has multiple unauthenticated SQL injections available via the advanced search functionality. http://extensions.joomla.org/extension/ecommerce-wd The vulnerable parameters are search_category_id, sort_order, and filter_manufacturer_ids within th

[FD] J2Store 3.1.6 unauthenticated SQL injections

2015-07-10 Thread Brandon Perry
J2Store v3.1.6, a Joomla! extension that adds basic store functionality to a Joomla! instance, suffered from two unauthenticated boolean-blind and error-based SQL injection vulnerabilities. Since February 2015, J2Store has had about 16,000 downloads as of this writing. The first vulnerability was

Re: [FD] Symantec Endpoint Protection

2015-08-01 Thread Brandon Perry
Do you have example requests for the SQL injections? > On Jul 31, 2015, at 7:40 AM, Markus Wulftange > wrote: > > Code White found several vulnerabilities in Symantec Endpoint Protection > (SEP), affecting versions 12.1 prior to 12.1 RU6 MP1. > > SEP Manager (SEPM): > > * CVE-2015-1486: Auth

[FD] Raritan PowerIQ default credentials

2015-09-10 Thread Brandon Perry
Hello list, Raritan PowerIQ ships with a few default accounts and passwords/hashes. For the web interface, there are technically 3 default users. web_api:sl33p30F00dumass! epiq_api:raritan admin:raritan You can technically authenticate with the epiq_api user on the web interface and the PowerIQ

[FD] libical 0.47 SEGV on unknown address

2016-06-24 Thread Brandon Perry
Hello lists, Attached is a test case for causing a crash in libical 0.47 (shipped with Thunderbird) and this was also tested against 1.0 (various versions shipped with various email clients). = ==24662==ERROR: AddressSanitizer: SEG

Re: [FD] [oss-security] libical 0.47 SEGV on unknown address

2016-06-27 Thread Brandon Perry
> On Jun 25, 2016, at 10:34 AM, Alan Coopersmith > wrote: > > On 06/24/16 06:54 AM, Brandon Perry wrote: >> I am posting this to Full Disclosure/OSS instead of reporting it because I >> have >> opened a handful of libical bugs in the Mozilla bug tracker, a

Re: [FD] [oss-security] libical 0.47 SEGV on unknown address

2016-07-06 Thread Brandon Perry
lient-bug-bounty/> (Security bug must be a remote exploit, the cause of a privilege escalation, or an information leak) > On Jun 25, 2016, at 10:41 AM, Brandon Perry wrote: > >> >> On Jun 25, 2016, at 10:34 AM, Alan Coopersmith > <mailto:alan.coopersm...@oracle.com&

[FD] PrinceXML PHP wrapper command injection

2016-07-06 Thread Brandon Perry
While grabbing a copy of PrinceXML, I noticed the company also offered some wrapper classes in various languages for using prince in server applications (web applications). http://www.princexml.com/download/wrappers/ Taking a quick look at the PHP cla

Re: [FD] Zabbix 2.2.x, 3.0.x SQL Injection Vulnerability

2016-08-16 Thread Brandon Perry
I actually ended up finding this vuln in a different vector (in the profileIdx2 parameter). /zabbix/jsrpc.php?sid=0bcd4ade648214dc&type=9&method=screen.get&timestamp=1471054088083&mode=2&screenid=&groupid=&hostid=0&pageFile=history.php&profileIdx=web.item.graph&profileIdx2=2'3297&updateProfile=true&sc

Re: [FD] Zabbix 2.2.x, 3.0.x SQL Injection Vulnerability

2016-08-16 Thread Brandon Perry
> On Aug 12, 2016, at 10:31 PM, 1...@hushmail.com wrote: > > Which version of Zabbix? 3.0.3? > Right, it’s the same vuln, just in different places. It was fixed in 3.0.4. > -1N3 > > On 8/12/2016 at 7:22 PM, "Brandon Perry" wrote: >> >> I actuall

[FD] Segmentation fault in Oracle Outside In File ID 8.5.3

2016-09-19 Thread Brandon Perry
This is a segfault in the Oracle Outside In File ID library version 8.5.3. http://www.oracle.com/technetwork/middleware/content-management/downloads/oit-dl-otn-097435.html ==22240== Memcheck, a memory error detector ==22240== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al. ==2224

Re: [FD] Multiple SQL injection vulnerabilities in dotCMS (8x CVE)

2016-11-01 Thread Brandon Perry
> On Oct 31, 2016, at 2:41 PM, Elar Lang wrote: > > Title: Multiple SQL injection vulnerabilities in dotCMS (8x CVE) > Credit: Elar Lang / https://security.elarlang.eu > Vendor/Product: dotCMS (http://dotcms.com/) > Vulnerability: SQL injection > Vulnerable version: before 3.5; 3.3.1 and 3.3.2 (

Re: [FD] Joomla com_tag v1.7.6 - (tag) SQL Injection Vulnerability

2017-05-04 Thread Brandon Perry
> On May 3, 2017, at 6:07 AM, Vulnerability Lab > wrote: > > Document Title: > === > Joomla com_tag v1.7.6 - (tag) SQL Injection Vulnerability > > > References (Source): > > https://www.vulnerability-lab.com/get_content.php?id=2061 > > IEDB: http://iedb.ir/ex

[FD] Numerous FreeTDS crashes fixed on master

2017-05-09 Thread Brandon Perry
Attached is a zip file of reported TDS streams that cause segmentation faults in the FreeTDS library. The ‘tsql’ binary was used for the fuzzing, so these most likely only affect client-side functionality. These have been resolved on master and the 1.0 branch. Also included in the zip file is a

Re: [FD] Numerous FreeTDS crashes fixed on master

2017-05-10 Thread Brandon Perry
<http://eriqande.github.io/2014/12/19/setting-up-rodbc.html> Also, obviously the tsql binary if used to connect to an untrusted MSSQL/Sybase server. > On May 9, 2017, at 9:34 AM, Brandon Perry wrote: > > Attached is a zip file of reported TDS streams that cause segmentation faults &

Re: [FD] Numerous FreeTDS crashes fixed on master

2017-05-11 Thread Brandon Perry
, feel free to ask off list. > On May 9, 2017, at 9:34 AM, Brandon Perry wrote: >

[FD] Multiple crashes in OpenEXR

2017-05-15 Thread Brandon Perry
Attached is a zip file of EXR images that cause segmentation faults in the OpenEXR library (tested against 2.2.0). http://www.openexr.com/downloads.html These were reported to ehan...@ilm.com on January 12, 2017, but no updates or

Re: [FD] [oss-security] Dolibarr ERP & CRM - Multiple Issues

2017-05-19 Thread Brandon Perry
> On May 17, 2017, at 3:08 PM, Stefan Pietsch > wrote: > > On 10.05.2017 10:28, FOXMOLE Advisories wrote: >> === FOXMOLE - Security Advisory 2017-02-23 === >> >> Dolibarr ERP & CRM - Multiple Issues >> ~ >> >> Affected Versions >> = >> Doli

Re: [FD] [oss-security] Multiple crashes in OpenEXR

2017-05-22 Thread Brandon Perry
> On May 12, 2017, at 1:48 PM, Brandon Perry wrote: > > >> On May 12, 2017, at 1:45 PM, Henri Salo wrote: >> >> On Fri, May 12, 2017 at 12:09:30PM -0500, Brandon Perry wrote: >>> As of this writing, . No CVEs have been requested. >> >&

Re: [FD] libquicktime multiple vulnerabilities

2017-06-09 Thread Brandon Perry
> On Jun 7, 2017, at 4:43 AM, qflb.wu wrote: > > libquicktime multiple vulnerabilities > > > > Author : qflb.wu > === > > > Introduction: > = > The libquicktime package contains the libquicktime library, various plugins > and codecs, along with graph