Full Disclosure

A public, vendor-neutral forum for detailed discussion of vulnerabilities and exploitation techniques, as well as tools, papers, news, and events of interest to the community. The relaxed atmosphere of this quirky list provides some comic relief and certain industry gossip. More importantly, fresh vulnerabilities sometimes hit this list many hours or days before they pass through the Bugtraq moderation queue.

[TZO-09-2020] - Bitdefender Malformed Archive bypass (RAR Uncompressed Size)

17 January, 2020 - 13:21

Posted by Thierry Zoller on Jan 17


.diagcab directory traversal leading to arbitrary code execution

17 January, 2020 - 13:21

Posted by Imre Rad on Jan 17

I identified a flaw in the implementation of Microsoft's
Troubleshooter technology that could lead to remote code execution if
a crafted .diagcab file is opened by the victim. The exploit leverages
a rogue webdav server to trick MSDT to drop files to attacker
controller locations on the file system.

If you see the following pattern in any Windows applications, they
might be vulnerable too:

#define MAXPATH 0x104

TCHAR...

Re: Fortinet FortiSIEM Hardcoded SSH Key

17 January, 2020 - 13:21

Posted by Fortinet PSIRT on Jan 17

Hi,

A patch to fix this issue is available to customers and detailed in the following public advisory at
https://fortiguard.com/psirt/FG-IR-19-296.
We can confirm that in addition to the automatic replies, emails were sent to Mr. Klaus on December 5th and December 24th.
However, after some investigation we have learned that the emails were not successfully delivered.
We offer our sincere apologies to Mr. Klaus and have acknowledged his work in...

CVE-2020-2696 - Local privilege escalation via CDE dtsession

17 January, 2020 - 13:19

Posted by Marco Ivaldi on Jan 17

Dear Full Disclosure,

Please find attached an advisory for the following vulnerability, fixed in Oracle's Critical Patch Update (CPU) of
January 2020:

"A buffer overflow in the CheckMonitor() function in the Common Desktop Environment 2.3.1 and earlier and 1.6 and
earlier, as distributed with Oracle Solaris 10 1/13 (Update 11) and earlier, allows local users to gain root privileges
via a long palette name passed to dtsession in a...

CVE-2020-2656 - Low impact information disclosure via Solaris xlock

17 January, 2020 - 13:19

Posted by Marco Ivaldi on Jan 17

Dear Full Disclosure,

Please find attached an advisory for the following vulnerability, fixed in Oracle's Critical Patch Update (CPU) of
January 2020:

"A low impact information disclosure vulnerability in the setuid root xlock binary distributed with Solaris may allow
local users to read partial contents of sensitive files. Due to the fact that target files must be in a very specific
format, exploitation of this flaw to escalate...

CVE-2019-19697 / Trend Micro Security 2019 (Consumer) / Security Bypass Protected Service Tampering

17 January, 2020 - 13:17

Posted by hyp3rlinx on Jan 17

[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source:
http://hyp3rlinx.altervista.org/advisories/TREND-MICRO-SECURITY-CONSUMER-SECURITY-BYPASS-PROTECTED-SERVICE-TAMPERING.txt
[+] ISR: ApparitionSec

[Vendor]
www.trendmicro.com

[Product]
Trend Micro Security 2019 (Consumer) Multiple Products

Trend Micro Security provides comprehensive protection for your devices.
This includes protection against ransomware,...

CVE-2019-20357 / Trend Micro Security (Consumer) / Persistent Arbitrary Code Execution

17 January, 2020 - 13:17

Posted by hyp3rlinx on Jan 17

[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source:
http://hyp3rlinx.altervista.org/advisories/TREND-MICRO-SECURITY-CONSUMER-PERSISTENT-ARBITRARY-CODE-EXECUTION.txt
[+] twitter.com/hyp3rlinx
[+] ISR: ApparitionSec

[Vendor]
www.trendmicro.com

[Product(s)]
Trend Micro Security (Consumer) Multiple Products

Trend Micro Security provides comprehensive protection for your devices.
This includes protection against...

[TOOL] Permanent SD Card Locker (Read Only)

14 January, 2020 - 00:45

Posted by Thierry Zoller on Jan 13

Thought this might be interesting to the audience of FD.
https://blog.zoller.lu/2020/01/sd-card-permanent-read-only-locker.html

[TZO-06-2020] - Kaspersky Generic Archive Bypass (ZIP FLNMLEN)

14 January, 2020 - 00:45

Posted by Thierry Zoller on Jan 13


[TZO-08-2020] Bitdefender Generic Malformed Archive Bypass (ZIP GPFLAG)

14 January, 2020 - 00:45

Posted by Thierry Zoller on Jan 13


[TZO-07-2020] Bitdefender Generic Malformed Archive Bypass (RAR HOST_OS)

11 January, 2020 - 01:09

Posted by Thierry Zoller on Jan 10


[TZO-05-2020] Kaspersky Generic Malformed Archive Bypass (ZIP Compressed Size)

11 January, 2020 - 01:09

Posted by Thierry Zoller on Jan 10


[PATCH] (security) launcher: don't attempt to execute arbitrary binaries

11 January, 2020 - 01:09

Posted by Enrico Weigelt, metux IT consult on Jan 10

What might be convenience functionality, poses a real-life security threat:

A user can be tricked to download malicious code, unpack it with
+x permissions (e.g. via tar) and execute it by just clicking on the icon.
In combination with other techniques (e.g. homoglyphs), even more experienced
users can be tricked to "open" some supposedly harmless file type, while Thunar
in fact executes a binary - with full user's...

[TZO-04-2020] Bitdefender Generic Malformed Archive Bypass (BZ2)

7 January, 2020 - 12:27

Posted by Thierry Zoller on Jan 07


Multiple Reflected Cross-site Scripting Vulnerabilities in ERPNext 11.1.47

7 January, 2020 - 12:19

Posted by Daniel Bishtawi on Jan 07

Hello,

We are informing you about the vulnerabilities in ERPNext 11.1.47

Here are the details:

Information
--------------------

Advisory by Netsparker
Name: Multiple Reflected Cross-site Scripting Vulnerabilities in ERPNext
Affected Software: ERPNext
Affected Versions: 11.1.47
Vendor Homepage: https://erpnext.com/
Vulnerability Type: Reflected Cross-site Scripting
Severity: High
Status: Fixed
CVSS Score (3.0):...

Two vulnerabilities found in MikroTik's RouterOS

7 January, 2020 - 12:18

Posted by Q C on Jan 07

Advisory: two vulnerabilities found in MikroTik's RouterOS

Details
=======

Product: MikroTik's RouterOS
Affected Versions: before 6.44.6 (Long-term release tree)
Fixed Versions: 6.44.6 (Long-term release tree)
Vendor URL: https://mikrotik.com/
Vendor Status: fixed version released
CVE: -
Credit: Qian Chen (@cq674350529) of Qihoo 360 Nirvan Team

Product Description
===================

RouterOS is the operating system used on the...

Microsoft Windows VCF Card / Mailto Link Denial Of Service

7 January, 2020 - 12:18

Posted by hyp3rlinx on Jan 07

[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source:
http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-VCF-MAILTO-LINK-DENIAL-OF-SERVICE.txt
[+] twitter.com/hyp3rlinx
[+] ISR: ApparitionSec

[Vendor]
www.microsoft.com

[Product]
A VCF file is a standard file format for storing contact information for a
person or business.
Microsoft Outlook supports the vCard and vCalendar features.
These are a...

Fortinet FortiSIEM Hardcoded SSH Key

7 January, 2020 - 12:18

Posted by Andrew Klaus on Jan 07

Vendor: Fortinet
Product: FortiSIEM
Tested version: 5.2.5, 5.2.6. I haven't confirmed older versions, but there
is a good chance they're also affected.
CVE: Fortinet hands out their own CVEs according to Mitre, and since no
human confirmation was received by Fortinet, no CVE was created yet.

== Summary:

FortiSIEM has a hardcoded SSH public key for user "tunneluser" which is the
same between all installs. An attacker with...

[TZO-03-2020] ESET Generic Malformed Archive Bypass (ZIP Compression Information)

3 January, 2020 - 13:15

Posted by Thierry Zoller on Jan 03


[TZO-02-2020] Kaspersky Generic Malformed Archive Bypass (ZIP GFlag)

3 January, 2020 - 13:15

Posted by Thierry Zoller on Jan 03