Adblock Detected

Read

EDB-ID-46989: CentOS 7.6 - 'ptrace_scope' Privilege Escalation Exploit

Read

CVE-2018-1002105: Kubernetes - Arbitrary Requests (Unauthenticated and Authenticated)

Read

CVE-2018-1002105: Kubernetes - Arbitrary Requests (Unauthenticated and Authenticated)

Read

EDB-ID-46057: Product Key Explorer 4.0.9 - Denial of Service (PoC)

Read

EDB-ID-46057: Product Key Explorer 4.0.9 - Denial of Service (PoC)

Read

CVE-2018-1160: Netatalk - Bypass Authentication

Read

CVE-2018-1160: Netatalk - Bypass Authentication

Read

CVE-2018-11529: VLC Media Player - MKV Use-After-Free (Metasploit)

Read

CVE-2018-11529: VLC Media Player - MKV Use-After-Free (Metasploit)

Read

EDB-ID-45515: Billion ADSL Router 400G 20151105641 - Cross-Site Scripting

Read

EDB-ID-45515: Billion ADSL Router 400G 20151105641 - Cross-Site Scripting

Read

EDB-ID-45502: The vulnerabilities can Break the Microsoft Edge Sandbox

Read

EDB-ID-45502 - The vulnerabilities can Break the Microsoft Edge Sandbox

EDB-ID: 45502
CVE: CVE-2018-8463, CVE-2018-8468, CVE-2018-8469
E-DB Verified: Yes
Author: Google Security Research
Type: Remote
Advisory/Source: bugs.chromium.org
Published: 2018-09-27 (2018-10 on toollinux)
Platform: Windows

Vulnerable: Microsoft Edge
* Microsoft Windows 10 for 32-bit Systems
* Microsoft Windows 10 for x64-based Systems
* Microsoft Windows 10 version 1511 for 32-bit Systems
* Microsoft Windows 10 version 1511 for x64-based Systems
* Microsoft Windows 10 Version 1607 for 32-bit Systems
* Microsoft Windows 10 Version 1607 for x64-based Systems
* Microsoft Windows 10 version 1703 for 32-bit Systems
* Microsoft Windows 10 version 1703 for x64-based Systems
* Microsoft Windows 10 version 1709 for 32-bit Systems
* Microsoft Windows 10 version 1709 for x64-based Systems
* Microsoft Windows 10 Version 1803 for 32-bit Systems
* Microsoft Windows 10 Version 1803 for x64-based Systems
* Microsoft Windows Server 2016
* Microsoft Windows Server 2016 for x64-based Systems
* Microsoft Windows Server 2012 R2
* Microsoft Windows Server 2012
* Microsoft Windows Server 2008 R2 for x64-based Systems SP1
* Microsoft Windows Server 2008 R2 for Itanium-based Systems SP1
* Microsoft Windows Server 2008 for x64-based Systems SP2
* Microsoft Windows Server 2008 for Itanium-based Systems SP2
* Microsoft Windows Server 2008 for 32-bit Systems SP2
About CVE-2018-8463
   An elevation of privilege vulnerability exists in Microsoft Edge that could allow an attacker to escape from the AppContainer sandbox in the browser, aka "Microsoft Edge Elevation of Privilege Vulnerability." This affects Microsoft Edge. This CVE ID is unique from CVE-2018-8469.
   An elevation of privilege vulnerability exists in Microsoft Edge that could allow an attacker to escape from the AppContainer sandbox in the browser. An attacker who successfully exploited this vulnerability could gain elevated privileges and break out of the Edge AppContainer sandbox.
   The vulnerability by itself does not allow arbitrary code to run. However, this vulnerability could be used in conjunction with one or more vulnerabilities (for example a remote code execution vulnerability and another elevation of privilege vulnerability) to take advantage of the elevated privileges when running.
   The security update addresses the vulnerability by modifying how Microsoft Edge handles sandboxing.

About CVE-2018-8468
   An elevation of privilege vulnerability exists when Windows, allowing a sandbox escape, aka "Windows Elevation of Privilege Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers.
   An elevation of privilege vulnerability exists in Windows that allows a sandbox escape. An attacker who successfully exploited the vulnerability could use the sandbox escape to elevate privileges on an affected system.
   This vulnerability by itself does not allow arbitrary code execution. However, the vulnerability could allow arbitrary code to run if an attacker uses it in combination with another vulnerability, such as a remote code execution vulnerability or another elevation of privilege vulnerability, that can leverage the elevated privileges when code execution is attempted.
   The security update addresses the vulnerability by correcting how Windows parses files.

About CVE-2018-8469
   An elevation of privilege vulnerability exists in Microsoft Edge that could allow an attacker to escape from the AppContainer sandbox in the browser, aka "Microsoft Edge Elevation of Privilege Vulnerability." This affects Microsoft Edge. This CVE ID is unique from CVE-2018-8463.
   An elevation of privilege vulnerability exists in Microsoft Edge that could allow an attacker to escape from the AppContainer sandbox in the browser. An attacker who successfully exploited this vulnerability could gain elevated privileges and break out of the Edge AppContainer sandbox.
   The vulnerability by itself does not allow arbitrary code to run. However, this vulnerability could be used in conjunction with one or more vulnerabilities (for example a remote code execution vulnerability and another elevation of privilege vulnerability) to take advantage of the elevated privileges when running.
   The security update addresses the vulnerability by modifying how Microsoft Edge handles sandboxing.

And have something to say about toollinux or EDB-ID-45502 (or CVE-2018-8463, CVE-2018-8468, CVE-2018-8469)? Comment below or share this post from toollinux Facebook, toollinux Twitter and toollinux Google Plus.

From Exploit Database, CVE and Microsoft

EDB-ID-45502: The vulnerabilities can Break the Microsoft Edge Sandbox

Read

EDB-ID-45502 - The vulnerabilities can Break the Microsoft Edge Sandbox

EDB-ID: 45502
CVE: CVE-2018-8463, CVE-2018-8468, CVE-2018-8469
E-DB Verified: Yes
Author: Google Security Research
Type: Remote
Advisory/Source: bugs.chromium.org
Published: 2018-09-27 (2018-10 on GitHackTools)
Platform: Windows

Vulnerable: Microsoft Edge
* Microsoft Windows 10 for 32-bit Systems
* Microsoft Windows 10 for x64-based Systems
* Microsoft Windows 10 version 1511 for 32-bit Systems
* Microsoft Windows 10 version 1511 for x64-based Systems
* Microsoft Windows 10 Version 1607 for 32-bit Systems
* Microsoft Windows 10 Version 1607 for x64-based Systems
* Microsoft Windows 10 version 1703 for 32-bit Systems
* Microsoft Windows 10 version 1703 for x64-based Systems
* Microsoft Windows 10 version 1709 for 32-bit Systems
* Microsoft Windows 10 version 1709 for x64-based Systems
* Microsoft Windows 10 Version 1803 for 32-bit Systems
* Microsoft Windows 10 Version 1803 for x64-based Systems
* Microsoft Windows Server 2016
* Microsoft Windows Server 2016 for x64-based Systems
* Microsoft Windows Server 2012 R2
* Microsoft Windows Server 2012
* Microsoft Windows Server 2008 R2 for x64-based Systems SP1
* Microsoft Windows Server 2008 R2 for Itanium-based Systems SP1
* Microsoft Windows Server 2008 for x64-based Systems SP2
* Microsoft Windows Server 2008 for Itanium-based Systems SP2
* Microsoft Windows Server 2008 for 32-bit Systems SP2
About CVE-2018-8463
   An elevation of privilege vulnerability exists in Microsoft Edge that could allow an attacker to escape from the AppContainer sandbox in the browser, aka "Microsoft Edge Elevation of Privilege Vulnerability." This affects Microsoft Edge. This CVE ID is unique from CVE-2018-8469.
   An elevation of privilege vulnerability exists in Microsoft Edge that could allow an attacker to escape from the AppContainer sandbox in the browser. An attacker who successfully exploited this vulnerability could gain elevated privileges and break out of the Edge AppContainer sandbox.
   The vulnerability by itself does not allow arbitrary code to run. However, this vulnerability could be used in conjunction with one or more vulnerabilities (for example a remote code execution vulnerability and another elevation of privilege vulnerability) to take advantage of the elevated privileges when running.
   The security update addresses the vulnerability by modifying how Microsoft Edge handles sandboxing.

About CVE-2018-8468
   An elevation of privilege vulnerability exists when Windows, allowing a sandbox escape, aka "Windows Elevation of Privilege Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers.
   An elevation of privilege vulnerability exists in Windows that allows a sandbox escape. An attacker who successfully exploited the vulnerability could use the sandbox escape to elevate privileges on an affected system.
   This vulnerability by itself does not allow arbitrary code execution. However, the vulnerability could allow arbitrary code to run if an attacker uses it in combination with another vulnerability, such as a remote code execution vulnerability or another elevation of privilege vulnerability, that can leverage the elevated privileges when code execution is attempted.
   The security update addresses the vulnerability by correcting how Windows parses files.

About CVE-2018-8469
   An elevation of privilege vulnerability exists in Microsoft Edge that could allow an attacker to escape from the AppContainer sandbox in the browser, aka "Microsoft Edge Elevation of Privilege Vulnerability." This affects Microsoft Edge. This CVE ID is unique from CVE-2018-8463.
   An elevation of privilege vulnerability exists in Microsoft Edge that could allow an attacker to escape from the AppContainer sandbox in the browser. An attacker who successfully exploited this vulnerability could gain elevated privileges and break out of the Edge AppContainer sandbox.
   The vulnerability by itself does not allow arbitrary code to run. However, this vulnerability could be used in conjunction with one or more vulnerabilities (for example a remote code execution vulnerability and another elevation of privilege vulnerability) to take advantage of the elevated privileges when running.
   The security update addresses the vulnerability by modifying how Microsoft Edge handles sandboxing.

And have something to say about GitHackTools or EDB-ID-45502 (or CVE-2018-8463, CVE-2018-8468, CVE-2018-8469)? Comment below or share this post from GitHackTools Facebook, GitHackTools Twitter and GitHackTools Google Plus.

From Exploit Database, CVE and Microsoft

[ZeroDay] ZDI-18-1078: Cisco WebEx Network Recording Player NMVC RtpConfig Stack-based Buffer Overflow Remote Code Execution Vulnerability

Read

About ZDI-18-1078
   Cisco WebEx Network Recording Player NMVC RtpConfig Stack-based Buffer Overflow Remote Code Execution Vulnerability

   ZDI ID: ZDI-18-1078 or ZDI-CAN-6254
   CVE ID: CVE-2018-15421
   CVSS SCORE: 5.1, (AV:N/AC:H/Au:N/C:P/I:P/A:P)
   AFFECTED VENDORS: Cisco
   AFFECTED PRODUCTS: WebEx

   Additonal Details
  Cisco has issued an update to correct this vulnerability. More details can be found at: cisco-sa-20180919-webex

   Timeline:
    * 2018-05-24 - Vulnerability reported to vendor
    * 2018-09-21 - Coordinated public release of advisory
    * 2018-09-21 - Advisory Updated

   Credit: Ziad Badawi

   Vulnerability Details
      This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Cisco WebEx Network Recording Player. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the NMVC.DLL module. When parsing an ARF file, the process does not properly validate the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code under the context of the current process.

Over this past year, several different researchers submitted bug reports in the Cisco Webex suite of programs. However, in their more than 40 submissions, they missed this trivial stack-based buffer overflow. This blog details ZDI-18-1078, a vulnerability in Cisco Webex Network Recording Player version 31.23.2.58 (now reaching its EOL) that results in remote code execution.

The Vulnerability
   When reading an Advanced Recording (.arf) file, the player attempts to access a file in the current directory named RtpConfig.ini. This action is not documented. The .ini file contains the configuration for what is likely a Real-Time Transport Protocol (RTP) service, but since there is no documentation of the file or the service, it may be something different.

Process Monitor showing nbrplay.exe looking for RtpConfig.ini

The bug occurs in nmvc.dll inside a routine labeled sub_1001F479 that parses RtpConfig.ini and extracts its properties. The following snippet shows how the MinLostRate parameter is getting set up as well as other parameters going downwards.

Setting up different properties

The culprit here is a sscanf call, a banned function by Microsoft, with no width field in the format string. The sscanf function parses the .ini file contents and reads property values in order to match them to a set of hardcoded parameters. The format used is: %[^ \t#]%*[ \t]%[^ \t#]%n

Which writes to three arguments. The first and third specifiers (%[^ \t#]) do not use a width value in between the % and [. This means it will read every character until it reaches whitespace. This will write to the passed arguments Str1 and Source disregarding their sizes and could lead to an overflow if input is large enough.

No width in format string

The .ini file is read in 0x3FF-byte chunks and, since both consecutive variables Source and Str1 are sized 0x100 and 0x106 bytes respectively, an overflow can occur leading to a corrupted stack.

Corrupted stack

Conclusion
Cisco patched this and two other vulnerabilities with advisory cisco-sa-20180919-webex. It is good to know that these versions are reaching their EOL, as many similar bugs have been submitted to the program. Hopefully, the newer versions are more secure. Bug submissions in enterprise software are on the rise, putting this category just behind Desktop Application and SCADA submissions. Considering how many of these programs exist in enterprises, this trend will likely continue.

You can find author on Twitter@ziadrb and follow the his team for the latest exploit techniques and security patches.

And have something to say about toollinux or ZDI-18-1078 (or CVE-2018-15421)? Comment below or share this post from toollinux Facebook, toollinux Twitter and toollinux Google Plus.

From Zero Day Initiative

[ZeroDay] ZDI-18-1078: Cisco WebEx Network Recording Player NMVC RtpConfig Stack-based Buffer Overflow Remote Code Execution Vulnerability

Read

Process Monitor showing nbrplay.exe looking for RtpConfig.ini

Setting up different properties

No width in format string

Corrupted stack

And have something to say about GitHackTools or ZDI-18-1078 (or CVE-2018-15421)? Comment below or share this post from GitHackTools Facebook, GitHackTools Twitter and GitHackTools Google Plus.

From Zero Day Initiative