bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions 1
exploit-db-mirror/exploits/multiple/remote/20139.txt
Offensive Security 880bbe402e DB: 2019-03-08 
14991 changes to exploits/shellcodes

HTC Touch - vCard over IP Denial of Service

TeamSpeak 3.0.0-beta25 - Multiple Vulnerabilities

PeerBlock 1.1 - Blue Screen of Death

WS10 Data Server - SCADA Overflow (PoC)

Symantec Endpoint Protection 12.1.4013 - Service Disabling
Memcached 1.4.33 - 'Crash' (PoC)
Memcached 1.4.33 - 'Add' (PoC)
Memcached 1.4.33 - 'sasl' (PoC)
Memcached 1.4.33 - 'Crash' (PoC)
Memcached 1.4.33 - 'Add' (PoC)
Memcached 1.4.33 - 'sasl' (PoC)

Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow

man-db 2.4.1 - 'open_cat_stream()' Local uid=man

CDRecord's ReadCD - '$RSH exec()' SUID Shell Creation

CDRecord's ReadCD - Local Privilege Escalation
Anyburn 4.3 x86 - 'Copy disc to image file' Buffer Overflow (Unicode) (SEH)
FreeBSD - Intel SYSRET Privilege Escalation (Metasploit)

CCProxy 6.2 - 'ping' Remote Buffer Overflow

Savant Web Server 3.1 - Remote Buffer Overflow (2)

Litespeed Web Server 4.0.17 with PHP (FreeBSD) - Remote Overflow

Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow
QNAP TS-431 QTS < 4.2.2 - Remote Command Execution (Metasploit)
Imperva SecureSphere 13.x - 'PWS' Command Injection (Metasploit)
Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() Remote Command Execution (Metasploit)
Oracle Weblogic Server - Deserialization Remote Command Execution (Patch Bypass)
TeamCity < 9.0.2 - Disabled Registration Bypass
OpenSSH SCP Client - Write Arbitrary Files
Kados R10 GreenBee - Multiple SQL Injection
WordPress Core 5.0 - Remote Code Execution
phpBB 3.2.3  - Remote Code Execution

Linux/x86 - Create File With Permission 7775 + exit() Shellcode (Generator)
Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes)
2019-03-08 05:01:50 +00:00

19 lines
No EOL
2.8 KiB
Text
Raw Blame History

source: https://www.securityfocus.com/bid/1545/info
A set of flaws in multiple vendors' Java implementation allows a malicious applet to open a listening socket to accept network connections against the security policy.
Java applications use the java.net.ServerSocket class to create a listening network socket on which to accept network connections. The server socket class should use the SecurityManager.checkListen() method to determine whether a class is allowed to create a server side listening socket. A SecurityException should be thrown if the class is not allowed to create such socket. By default untrusted classes such as applets should not be allowed to create such sockets. The implementation of Java fails to throw a SecurityException when an applet create a ServerSocket.
After a ServerSocket object has been created an application must accept network connections by called the ServerSocket.accept() method or by subclassing the ServerSocket class an using the ServerSocket.implAccept() method of ServerSocket to implement their own accept method. The ServerSocket.accept() method normally calls the SecurityManager.checkAccept() method to determine if a class can accept a server connection.
The ServerSocket.accept() and the ServerSocket.implAccept() methods both accept the network connection before determining if the class can accept the connection. This is done to determine the remote address and remote port number of the connection. If the connection should not be accepted these methods shutdown the connection by calling the socket's Socket.close() method, and then throwing a SecurityException.
Because the ServerSocket.implAccept() method takes as an argument a Socket object to use for the connection a malicious class can pass it an object which is subclass of the Socket class that overloads its close() method not to close the socket. By then ignoring the SecurityException the malicious class can now accept the connection and make use of the socket.
Sun's implementation of the ServerSocket.implAccept() method seems to have closed the second vulnerability by calling the Socket.impl.close() method instead of the Socket.close() method.
By combining these two flaws a malicious applet can accept connections from any host.
Both Netscape and Microsoft Java Virtual Machines are affected by this vulnerability, however in Microsoft products the file: URL type will not be effective in reading files, meaning that only web-available documents can be retreived via this method. However, the file: method will verify the existence of a file. It will check to see if the file exists and if it does not, it will return a SecurityException error message. Netscape browsers will pass both web documents and local files to the attacker.
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/20139.tar.gz
Reference in a new issue View git blame Copy permalink