Category Archives: Full Disclosure

Metasploit Project initial User Creation CSRF

Posted by Mohamed A. Baset on Mar 16

# Exploit Title: Metasploit Project initial User Creation CSRF
# Google Dork: N/A
# Date: 14-2-2015
# Exploit Author: Mohamed Abdelbaset Elnoby (@SymbianSyMoh)
# Vendor Homepage: http://www.metasploit.com/
# Software Link: http://www.rapid7.com/products/metasploit/editions-and-features.jsp
# Version: Free/Pro < 4.11.1 (Update 2015021901)
# Tested on: All OS
# CVE : N/A

Vulnerability:
Cross Site Request Forgery – (CSRF)

Info:…

Defense in depth — the Microsoft way (part 31): UAC is for binary planting

Posted by Stefan Kanthak on Mar 16

Hi @ll,

the exploit shown here should be well-known to every
Windows administrator, developer or QA engineer.

In Microsoft’s own terms it doesn’t qualify as security
vulnerability since UAC is a security feature, not a
security boundary.

Preconditions:

* a user running as “protected Administrator” on Windows 7
and newer with standard UAC settings.

JFTR: this is the default for “out-of-the-box” installations…

Defense in depth — the Microsoft way (part 30): on exploitable Win32 functions

Posted by Stefan Kanthak on Mar 16

Hi @ll,

since Microsoft won’t — despite (hopefully not only) my constant
nagging and quite some bug reports about unquoted command lines
for more than a dozen years now — fix the BRAINDEAD behaviour
of Windows’ CreateProcess*() functions to play try&error instead
of returning on error to their caller when interpreting their
lpCommandLine argument which lets the BLOODY BEGINNER’s error
known as CWE-428 <…

Defense in depth — the Mozilla way: return and exit codes are dispensable

Posted by Stefan Kanthak on Mar 16

Hi @ll,

for some time now Mozilla Firefox and Thunderbird for Windows have come with
a “maintenance service” (running privileged under the SYSTEM account):
<https://support.mozilla.org/en-US/kb/what-mozilla-maintenance-service>

The maintenanceservice_installer.exe (which is extracted into the
resp. installation directory) is executed during the end of the
Firefox/Thunderbird installation when the user has not deselected
the “[x]…

Having fun with dmesg

Posted by halfdog on Mar 16

Hello list,

I guess this must be common knowledge somehow already, but although hidden in plain sight, it did not make it to me
yet. So [1] is just a very quick, dirty and incomplete writeup of thoughts on how to use dmesg to

* Get knowledge about e.g. kernel task structure address
* Bypass ASLR in forking applications
* Get logging information from outside a chroot jail
* Get additional network information from iptables LOG target

hd

[1]…

Multiple Buffer Overflows in Diagnostic Troubleshooting Wizard – msdt.exe – Win 8.0 Pro – x64

Posted by Nick Prowse on Mar 16

Multiple Buffer Overflows in Diagnostic Troubleshooting Wizard
Researcher: Nicholas Prowse
Filename:     msdt.exe
MD5:   (coming soon)
File size:     1024000 bytes
Operating System:     Windows 8.0
OS Version:     Pro
Architecture:     x64
Description field in Procmon: Buffer Overflow
Operations (FileSystem Activity):
– QuerySecurityFile
– QueryAllInformationFile
Paths:
– C:\Windows\System32\msdt.exe
-…

Multiple Buffer Overflows in .NetFramework v4.03 – Win 8.0 Pro – x64

Posted by Nick Prowse on Mar 16

Multiple Buffer Overflows in .NetFramework v4.03
Researcher: Nicholas Prowse
Filename: ngen.exe
MD5: ca72696a9861f14cf76f1637b8e6bc44
File size: 139264 bytes
Operating System: Windows 8.0
OS Version: Pro
Architecture: x64
Description: MS Common Language Runtime Native Compiler
Image Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
Operations (Registry Activity): RegQueryValue and RegEnumKey
Registry Keys referenced:
-…

724CMS 5.01 Multiple XSS (Cross-site Scripting) Security Vulnerabilities

Posted by Jing Wang on Mar 16

*724CMS 5.01 Multiple XSS (Cross-site Scripting) Security Vulnerabilities*

Exploit Title: 724CMS Multiple XSS (Cross-site Scripting) Security
Vulnerabilities
Vendor: 724CMS
Product: 724CMS
Vulnerable Versions: 3.01 4.01 4.59 5.01
Tested Version: 5.01
Advisory Publication: March 15, 2015
Latest Update: March 15, 2015
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: *
Impact CVSS Severity (version 2.0):
CVSS v2 Base Score:…

724CMS 5.01 Multiple SQL Injection Security Vulnerabilities

Posted by Jing Wang on Mar 16

*724CMS 5.01 Multiple SQL Injection Security Vulnerabilities*

Exploit Title: 724CMS Multiple SQL Injection Security Vulnerabilities
Vendor: 724CMS
Product: 724CMS
Vulnerable Versions: 3.01 4.01 4.59 5.01
Tested Version: 5.01
Advisory Publication: March 14, 2015
Latest Update: March 14, 2015
Vulnerability Type: Improper Neutralization of Special Elements used in an
SQL Command (‘SQL Injection’) [CWE-89]
CVE Reference: *
Impact…