Category Archives: Full Disclosure

Full Disclosure

device42 DCIM authenticated remote root via appliance manager

Posted by Brandon Perry on Nov 26

Remote Authenticated Root in Device42 DCIM Appliance Manager v5.10 and v6.0

http://www.device42.com/download/

Device42 ships virtual appliances ready for production use as a trial
(essentially dictated by the license provided).

The Appliance Manager listens on HTTP (no SSL) on port 4242 with default
credentials of d42admin:default.

Within the Appliance Manager, the Ping and Traceroute utilities are
susceptible to command injection via bash…

CVE-2014-8609 Android Settings application privilege leakage vulnerability

Posted by Wang,Tao(Scloud) on Nov 26

INTRODUCTION
==================================
In Android <5.0 (and maybe >= 4.0), Settings application leaks Pendingintent with a blank base intent (neither the
component nor the action is explicitly set) to third party application, bad app can use this to broadcast intent with
the same permissions and identity of the Settings application, which runs as SYSTEM uid. Thus bad app can broadcast
sensitive intent with the permission of…

CVE-2014-8507 Android < 5.0 SQL injection vulnerability in WAPPushManager

Posted by Wang,Tao(Scloud) on Nov 26

INTRODUCTION
==================================
In Android <5.0, a SQL injection vulnerability exists in the opt module WAPPushManager, attacker can remotely send
malformed WAPPush message to launch any activity or service in the victim’s phone (need permission check)

DETAILS
==================================
When a WAPPush message is received, the raw pdu is processed by dispatchWapPdu method in…

CVE-2014-8610 Android < 5.0 SMS resend vulnerability

Posted by Wang,Tao(Scloud) on Nov 26

INTRODUCTION
==================================
In Android <5.0, an unprivileged app can resend all the SMS stored in the user’s phone to their corresponding
recipients or senders (without user interaction).
No matter whether these SMS are sent to or received from other people. This may leads to undesired cost to user.
Even the worse, since Android also allow unprivileged app to create draft SMS, combined with this trick, bad app can…

phpBB <= 3.1.1 deregister_globals() Function Bypass

Posted by Taoguang Chen on Nov 26

When PHP’s register_globals configuration directive set on, phpBB will call
deregister_globals() function, all global variables registered by PHP will
be destroyed. But deregister_globals() functions can be bypassed.

“`
$input = array_merge(
array_keys($_GET),
array_keys($_POST),
array_keys($_COOKIE),
array_keys($_SERVER),
array_keys($_SESSION),
array_keys($_ENV),
array_keys($_FILES)
);

foreach ($input as $varname)
{
if…

MyBB <= 1.8.2 unset_globals() Function Bypass and Remote Code Execution Vulnerability

Posted by Taoguang Chen on Nov 26

#MyBB <= 1.8.2 unset_globals() Function Bypass and Remote Code
Execution Vulnerability

Taoguang Chen <[ () chtg57](twitter.com/chtg57)> – 2014.11.21

##I. MyBB’s unset_globals() Function Bypass

When PHP’s register_globals configuration set on, MyBB will call
unset_globals() function, all global variables registered by PHP from
$_POST, $_GET, $_FILES, and $_COOKIE arrays will be destroyed.

“`…

Defense in depth — the Microsoft way (part 20): Microsoft Update may fail to offer current security updates

Posted by Stefan Kanthak on Nov 26

Hi @ll,

after opting in to Microsoft Update additional (optional) software
like Silverlight or Microsoft Security Essentials is offered when
a user performs a “custom search” for updates.

Initially the current versions of this additional software are
offered as “optional updates” for download and installation.
For Silverlight cf. <https://support.microsoft.com/kb/2977218>

If the user but does not want to install this…

Defense in depth — the Microsoft way (part 21): errors/inconsistencies in Windows registry data may lead to buffer overflows or use of random data

Posted by Stefan Kanthak on Nov 26

Hi @ll,

according to <https://msdn.microsoft.com/en-us/library/ms724884.aspx>
the value data for REG_SZ and REG_EXPAND_SZ must be

| A null-terminated string…

and the value data for REG_MULTI_SZ must be

| A sequence of null-terminated strings, terminated by an empty string ().

The registry hives delivered with ALL versions of Windows but contain
entries with improper/invalid value data which does not satisfy the
data type…

Slider Revolution/Showbiz Pro shell upload exploit

Posted by Simo Ben youssef on Nov 26

#!/usr/bin/perl
#
# Title: Slider Revolution/Showbiz Pro shell upload exploit
# Author: Simo Ben youssef
# Contact: Simo_at_Morxploit_com
# Discovered: 15 October 2014
# Coded: 15 October 2014
# Updated: 25 November 2014
# Published: 25 November 2014
# MorXploit Research
# http://www.MorXploit.com
# Vendor: ThemePunch
# Vendor url: http://themepunch.com
# Software: Revslider/Showbiz Pro
# Versions: <= 3.0.95 (Revslider) / Version: <= 1.7.1…