bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/hardware/webapps/43364.txt
Offensive Security f93f05e46f DB: 2017-12-20 
12 changes to exploits/shellcodes

Microsoft Windows - 'jscript!NameTbl::GetValDef' Use-After-Free
Microsoft Internet Explorer 11 - 'jscript!JSONStringifyObject' Use-After-Free
Microsoft Windows - 'jscript!RegExpComp::Compile' Heap Overflow Through IE or Local Network via WPAD
Microsoft Windows - jscript.dll 'Array.sort' Heap Overflow
Microsoft Windows - 'jscript!JsArraySlice' Uninitialized Variable
Microsoft Windows - 'jscript!RegExpFncObj::LastParen' Out-of-Bounds Read
Intel Content Protection HECI Service - Type Confusion Privilege Escalation

TeamViewer 11 < 13 (Windows 10 x86) - Inline Hooking / Direct Memory Modification Permission Change (PoC)
Tuleap 9.6 - Second-Order PHP Object Injection (Metasploit)
Jenkins - XStream Groovy classpath Deserialization (Metasploit)
BrightSign Digital Signage - Multiple Vulnerablities
Joomla! Component NextGen Editor 2.1.0 - 'plname' SQL Injection
2017-12-20 05:02:22 +00:00

40 lines
No EOL
1.3 KiB
Text
Raw Blame History

# Exploit Title: BrightSign Digital Signage (Multiple Vulnerabilities)
# Date: 12/15/17
# Exploit Author: singularitysec@gmail.com
# Vectors: XSS, Directory Traversal, File Modification, Information Leakage
The BrightSign Digital Signage (4k242) device (Firmware 6.2.63 and below)
suffers from multiple vulnerabilities.
The pages:
/network_diagnostics.html
/storage_info.html
Suffer from a Cross-Site Scripting vulnerability. The REF parameter for
these pages do not sanitize user input, resulting in arbitrary execution,
token theft and related attacks.
The RP parameter in STORAGE.HTML suffers from a directory
traversal/information leakage weakness:
/storage.html?rp=%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2Fetc
Through parameter manipulation, the file system can be traversed,
unauthenticated, allowing for leakage of information and compromise of the
device.
This page also allows for unauthenticated upload of files.
/tools.html
Page allows for unauthenticated rename/manipulation of files.
When combined, these vulnerabilities allow for compromise of both end users
and the device itself.
Ex. A malicious attacker can upload a malicious page of their choosing and
steal credentials, host malicious content or distribute content through the
device, which accepts large format SD cards.
Reference in a new issue View git blame Copy permalink