Full Disclosure
Posted by Wang,Tao(Scloud) on Nov 26
INTRODUCTION
==================================
In Android <5.0, a SQL injection vulnerability exists in the opt module WAPPushManager, attacker can remotely send
malformed WAPPush message to launch any activity or service in the victim’s phone (need permission check)
DETAILS
==================================
When a WAPPush message is received, the raw pdu is processed by dispatchWapPdu method in…
Posted by Wang,Tao(Scloud) on Nov 26
INTRODUCTION
==================================
In Android <5.0, an unprivileged app can resend all the SMS stored in the user’s phone to their corresponding
recipients or senders (without user interaction).
No matter whether these SMS are sent to or received from other people. This may leads to undesired cost to user.
Even the worse, since Android also allow unprivileged app to create draft SMS, combined with this trick, bad app can…
Posted by Brandon Perry on Nov 26
Remote Authenticated Root in Device42 DCIM Appliance Manager v5.10 and v6.0
http://www.device42.com/download/
Device42 ships virtual appliances ready for production use as a trial
(essentially dictated by the license provided).
The Appliance Manager listens on HTTP (no SSL) on port 4242 with default
credentials of d42admin:default.
Within the Appliance Manager, the Ping and Traceroute utilities are
susceptible to command injection via bash…
Posted by Wang,Tao(Scloud) on Nov 26
INTRODUCTION
==================================
In Android <5.0 (and maybe >= 4.0), Settings application leaks Pendingintent with a blank base intent (neither the
component nor the action is explicitly set) to third party application, bad app can use this to broadcast intent with
the same permissions and identity of the Settings application, which runs as SYSTEM uid. Thus bad app can broadcast
sensitive intent with the permission of…
Posted by Taoguang Chen on Nov 26
When PHP’s register_globals configuration directive set on, phpBB will call
deregister_globals() function, all global variables registered by PHP will
be destroyed. But deregister_globals() functions can be bypassed.
“`
$input = array_merge(
array_keys($_GET),
array_keys($_POST),
array_keys($_COOKIE),
array_keys($_SERVER),
array_keys($_SESSION),
array_keys($_ENV),
array_keys($_FILES)
);
foreach ($input as $varname)
{
if…
Posted by Taoguang Chen on Nov 26
#MyBB <= 1.8.2 unset_globals() Function Bypass and Remote Code
Execution Vulnerability
Taoguang Chen <[ () chtg57](twitter.com/chtg57)> – 2014.11.21
##I. MyBB’s unset_globals() Function Bypass
When PHP’s register_globals configuration set on, MyBB will call
unset_globals() function, all global variables registered by PHP from
$_POST, $_GET, $_FILES, and $_COOKIE arrays will be destroyed.
“`…
Posted by Stefan Kanthak on Nov 26
Hi @ll,
after opting in to Microsoft Update additional (optional) software
like Silverlight or Microsoft Security Essentials is offered when
a user performs a “custom search” for updates.
Initially the current versions of this additional software are
offered as “optional updates” for download and installation.
For Silverlight cf. <https://support.microsoft.com/kb/2977218>
If the user but does not want to install this…
Posted by Stefan Kanthak on Nov 26
Hi @ll,
according to <https://msdn.microsoft.com/en-us/library/ms724884.aspx>
the value data for REG_SZ and REG_EXPAND_SZ must be
| A null-terminated string…
and the value data for REG_MULTI_SZ must be
| A sequence of null-terminated strings, terminated by an empty string ().
The registry hives delivered with ALL versions of Windows but contain
entries with improper/invalid value data which does not satisfy the
data type…
Posted by Simo Ben youssef on Nov 26
#!/usr/bin/perl
#
# Title: Slider Revolution/Showbiz Pro shell upload exploit
# Author: Simo Ben youssef
# Contact: Simo_at_Morxploit_com
# Discovered: 15 October 2014
# Coded: 15 October 2014
# Updated: 25 November 2014
# Published: 25 November 2014
# MorXploit Research
# http://www.MorXploit.com
# Vendor: ThemePunch
# Vendor url: http://themepunch.com
# Software: Revslider/Showbiz Pro
# Versions: <= 3.0.95 (Revslider) / Version: <= 1.7.1…
Posted by static rez on Nov 26
Wrote up a small post on some stored XSS i found in a honeypot system.
Stored XSS to the admin UI through an explosed emulated telnet service.
enjoy..
fabrizio (@actualclouds)