exploit-db-mirror/platforms/multiple/dos/40405.txt
Offensive Security b8ebed3824 DB: 2016-09-22
Symantec rar Decomposer Engine (Multiple Products) - Out-of-Bounds Read / Out-of-Bounds Write
2016-09-22 05:06:28 +00:00
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=867
In issue 810 we pointed out to Symantec that they hadn't updated their unrar-based unpacker for years, and it was vulnerable to dozens of publicly documented flaws.
I had expected Symantec to rebase on 5.4.2 (the latest version as of this writing), but they appear to have just backported fixes for the few issues I sent them.
Here are two known bugs in unrar that are fixed upstream, but not in Symantec's ancient code. If they continue to refuse to rebase, this might take a few iterations to shake the bugs out. Sigh.
As in issue 810, these are remote code execution vulnerabilities at the highest possible privilege level.
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40405.zip