WinRar Expired Notification – OLE Remote Command Execution

Posted by rio.sherri on Oct 01

#!/usr/bin/python -w
# Title : WinRar Expired Notification – OLE Remote Command Execution
# Date : 30/09/2015
# Author : R-73eN
# Tested on : Windows XP SP3 with WinRAR 5.21
# This exploits a vulnerability in the implementation of showing ads.
# When a user opens any WinRAR file, sometimes a window titled
# "Expired Notification" loads http://www.win-rar.com/notifier/
# reminding the user to buy WinRAR to remove ads.
# Since this uses a http…

Mac OS X local root (rsh/libmalloc)

Posted by Philip Pettersson on Oct 01

Hi, this is a notice about CVE-2015-5889 which was fixed today in
APPLE-SA-2015-09-30-3.

I reported this issue to Apple in July 2015.

The default root-suid binary /usr/bin/rsh on Mac OS X uses execv() in
an insecure manner.

Most system libraries on OSX use issetugid(2) when initializing to
determine if certain environment variables are safe to use. When
executing a setuid binary as an unprivileged user, variables such as
DYLD_* will be cleared…

Vulnerabilities in Callisto 821+R3 ADSL Router

Posted by MustLive on Oct 01

Hello list!

In 2011 I wrote 22 advisories about vulnerabilities in Callisto 821+ ADSL
Router (http://seclists.org/fulldisclosure/2011/Aug/1). Because the vendor
ignored all my letters in 2011 and my subsequent public disclosure of
vulnerabilities, and new devices are vulnerable as well, in August I
disclosed vulnerabilities in Callisto 821+R3 ADSL Router.

These are Brute Force and Cross-Site Request Forgery vulnerabilities. And
there are…

Re: WinRAR SFX v5.21 – Remote Code Execution Vulnerability

Posted by Gynvael Coldwind on Oct 01

Correct me if I’m wrong, but the vulnerability can be summarized as: if you
run an untrusted .exe you might execute malicious code?

I hardly see this as giving anything new to the attacker who can just
create a malicious exe file, set the winrar sfx icon and send it to the
victim.

Keep in mind that not every unexpected behavior or software bug is a
security vulnerability.

(and no, potential AV bypass doesn’t make it a vulnerability…

Shell Injection in Pygments FontManager._get_nix_font_path

Posted by Javantea on Oct 01

Shell Injection in Pygments FontManager._get_nix_font_path

Product: Pygments
Version: 1.2.2-2.0.2 497:fe62167596bb to 3693:655dbebddc23 Tue Nov 06 17:30:45 2007 +0000 to Aug 21, 2015.
Website: http://pygments.org/
Bitbucket: https://bitbucket.org/birkenfeld/pygments-main
CVSS Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Discovery: Aug 21, 2015

An unsafe use of string concatenation in a shell string occurs in FontManager. If the developer…

Telegram – Multiple Vulnerabilities

Posted by Eduardo Alves on Oct 01

#[+] Title: Telegram – Multiple Vulnerabilities
#[+] Product: Telegram
#[+] Vendor: http://telegram.org/
#[+] Software Link : https://web.telegram.org / https://my.telegram.org
#
# Author : Eduardo Alves
# E-Mail : edudx1[ at ]gmail[ dot ]com
# Website : tempest.com.br/en/

Info:
As we know, Telegram access is by default possible only with a
token (5 digits).
This token could be obtained by: Eavesdropping/desktop…

CVE-2015-2342 VMware vCenter Remote Code Execution

Posted by David Stubley on Oct 01

Link to advisory:
https://www.7elements.co.uk/resources/technical-advisories/cve-2015-2342-vmware-vcenter-remote-code-execution/

Advisory Information
Title: vCenter Java JMX/RMI Remote Code Execution
Date Published: 01/10/2015
CVE: CVE-2015-2342
Advisory Summary
VMware vCenter Server provides a centralised platform for managing your
VMware vSphere environments so you can automate and deliver a virtual
infrastructure. VMware vCenter was found to…

VMware Releases Security Advisory

Original release date: October 01, 2015

VMware has released security updates to address security vulnerabilities in vCenter and ESXi. Exploitation of one of these vulnerabilities may allow a remote attacker to take control of an affected system.

Users and administrators are encouraged to review VMware Security Advisory VMSA-2015-0007 and apply the necessary updates.