Full Disclosure

A public, vendor-neutral forum for detailed discussion of vulnerabilities and exploitation techniques, as well as tools, papers, news, and events of interest to the community. The relaxed atmosphere of this quirky list provides some comic relief and certain industry gossip. More importantly, fresh vulnerabilities sometimes hit this list many hours or days before they pass through the Bugtraq moderation queue.

kernel vuln status question - how can I be protected

27 December, 2016 - 04:12

Posted by BENCSATH Boldizsar on Dec 27

Dear kernel maintainers, specialists,

Regarding the latest kernel vulns, like CVE-2016-8655, there were some
reports on how and where ubuntu/debian/redhat distributions fixed the problem.

However, I could not find clear indications about fixes in plain vanilla
kernel sources. No indication on LTS, and of course nothing on the
others. O.K. there is a patch for the particular CVS+kernel version, but
it is rather not evident to people that they must not...

Arbitrary file deletion vulnerability in Image Slider allows authenticated users to delete files (WordPress plugin)

27 December, 2016 - 04:11

Posted by dxw Security on Dec 27

Details
================
Software: Image Slider
Version: 1.1.41,1.1.89
Homepage: http://wordpress.org/plugins/image-slider-widget/
Advisory report:
https://security.dxw.com/advisories/arbitrary-file-deletion-vulnerability-in-image-slider-allows-authenticated-users-to-delete-files/
CVE: Awaiting assignment
CVSS: 5.5 (Medium; AV:N/AC:L/Au:S/C:P/I:P/A:N)

Description
================
Arbitrary file deletion vulnerability in Image Slider allows...

BlackArch Linux OVA Image released!

27 December, 2016 - 04:08

Posted by Black Arch on Dec 27

Dear list,

We've released the new BlackArch Linux OVA image. It includes the complete
BlackArch Linux environment together with all tools. The image size is
about ~13GB and ready to use for Virtualbox, VMware and Qemu.

If you're not already familiar with BlackArchLinux, please read the
DESCRIPTION section below.

[ DOWNLOAD ]

You can download the new OVA image here:
https://www.blackarch.org/downloads.html

[ DESCRIPTION ]

BlackArch...

[RT-SA-2016-001] Padding Oracle in Apache mod_session_crypto

23 December, 2016 - 07:28

Posted by RedTeam Pentesting GmbH on Dec 23

Advisory: Padding Oracle in Apache mod_session_crypto

During a penetration test, RedTeam Pentesting discovered a Padding
Oracle vulnerability in mod_session_crypto of the Apache web server.
This vulnerability can be exploited to decrypt the session data and even
encrypt attacker-specified data.

Details
=======

Product: Apache HTTP Server mod_session_crypto
Affected Versions: 2.3 to 2.5
Fixed Versions: 2.4.25
Vulnerability Type: Padding Oracle...

copy-me vulnerable to CSRF allowing unauthenticated attacker to copy posts (WordPress plugin)

21 December, 2016 - 21:04

Posted by dxw Security on Dec 21

Details
================
Software: copy-me
Version: 1.0.0
Homepage: http://wordpress.org/plugins/copy-me/
Advisory report:
https://security.dxw.com/advisories/copy-me-vulnerable-to-csrf-allowing-unauthenticated-attacker-to-copy-posts/
CVE: Awaiting assignment
CVSS: 4.3 (Medium; AV:N/AC:M/Au:N/C:N/I:P/A:N)

Description
================
copy-me vulnerable to CSRF allowing unauthenticated attacker to copy posts

Vulnerability
================
This...

[0-day] RCE and admin credential disclosure in NETGEAR WNR2000

21 December, 2016 - 21:03

Posted by Pedro Ribeiro on Dec 21

Hi,

tl;dr
RCE in NETGEAR WNR2000 routers, exploitable over the LAN by default or
over the WAN if remote administration is enabled.
10.000 devices affected show up in Shodan - these are the ones with
remote admin enabled. There are likely tens of thousands of vulnerable
routers in private LANs as this device is extremely popular.

As usual, NETGEAR did not respond to any of my emails, so I'm releasing
this advisory and exploit code as a...

CVE-2014-4138: MSIE 11 MSHTML CPasteCommand::ConvertBitmaptoPng heap-based buffer overflow

21 December, 2016 - 21:03

Posted by Berend-Jan Wever on Dec 21

Since November I have been releasing details on all vulnerabilities I
found that I have not released before. This is the 37th entry in the
series. This information is available in more detail on my blog at
http://blog.skylined.nl/20161221001.html. There you can find a repro
that triggered this issue in addition to the information below, as well
as a Proof-of-Concept exploit that attempts to prove exploitability.

If you find these releases...

NEW VMSA-2016-0023 VMware ESXi updates address a cross-site scripting issue

20 December, 2016 - 16:35

Posted by VMware Security Response Center on Dec 20

----------------------------------------------------------------------
VMware Security Advisory

Advisory ID: VMSA-2016-0023
Severity: Important
Synopsis: VMware ESXi updates address a cross-site
scripting issue

Issue date: 2016-12-20
Updated on: 2016-12-20 (Initial Advisory)
CVE number: CVE-2016-7463

1. Summary

VMware ESXi updates address a cross-site scripting issue.

2. Relevant Releases

VMware vSphere...

[ERPSCAN-16-035] SAP Solman - user accounts disclosure

20 December, 2016 - 16:35

Posted by ERPScan inc on Dec 20

Application: SAP Solman

Versions Affected: SAP Solman 7.1-7.31

Vendor URL: http://SAP.com

Bugs: Information Disclosure

Sent: 12.07.2016

Reported: 13.07.2016

Vendor response: 13.07.2016

Date of Public Advisory: 13.09.2016

Reference: SAP Security Note 2344524

Author: Roman Bezhan (ERPScan)

Description

1. ADVISORY INFORMATION

Title:[ERPSCAN-16-035] SAP Solman – user accounts disclosure

Advisory ID:[ERPSCAN-16-035]

Risk: high...

New BlackArch Linux ISOs (2016.12.20) released!

20 December, 2016 - 16:35

Posted by Black Arch on Dec 20

Dear list,

We've released the new BlackArch Linux ISOs along with many
improvements. They include more than 1600 tools now. The armv6h and
armv7h repositories are filled with about 1400 tools.

The x86_64 and i686 live ISOs now exceed 6GB!

A short ChangeLog of the Live-ISOs:

- include linux kernel 4.8.13
- added more than 100 new tools
- updated all blackarch tools
- updated all system packages
- fix lxdm shutdown/reboot...

CVE-2014-1785: MSIE 11 MSHTML CSpliceTreeEngine::RemoveSplice use-after-free

20 December, 2016 - 16:35

Posted by Berend-Jan Wever on Dec 20

Since November I have been releasing details on all vulnerabilities I
found that I have not released before. This is the 36th entry in the
series. This information is available in more detail on my blog at
http://blog.skylined.nl/20161220001.html. There you can find a repro
that triggered this issue in addition to the information below, as well
as a Proof-of-Concept exploit that attempts to prove exploitability.

If you find these releases...

Hotlinking Vulnerability in Glype (All Versions)

20 December, 2016 - 02:28

Posted by Celso Bento on Dec 19

A vulnerability exists in the hotlinking feature of Glype on all versions
that allows the bypass and makes it possible to link directly to proxified
files or develop applications that integrate direct linking into the url.
This was found while trying to build a DDOS tool that takes advantage of
installed copies of Glype worldwide. Since it wasn't possible to develop a
fast tool using common libraries such as jQuery, this note has been
released....

CVE-2013-6627: Chrome Chrome HTTP 1xx base::StringTokenizerT<...>::QuickGetNext OOBR

19 December, 2016 - 12:17

Posted by Berend-Jan Wever on Dec 19

Since November I have been releasing details on all vulnerabilities I
found that I have not released before. This is the 35th entry in the
series. This information is available in more detail on my blog at
http://blog.skylined.nl/20161219001.html. There you can find a repro
that triggered this issue in addition to the information below, it also
provides code snippets for the affected code, and a diagram that
attempts to explain the memory layout....

Re: SQL injection in Joomla extension DT Register

18 December, 2016 - 15:58

Posted by Elar Lang on Dec 18

Update:

2016-12-16: CVE-2016-1000271 assigned by DWF

https://security.elarlang.eu/sql-injection-in-joomla-extension-dt-register.html

CSRF/stored XSS in Quiz And Survey Master (Formerly Quiz Master Next) allows unauthenticated attackers to do almost anything an admin can (WordPress plugin)

16 December, 2016 - 06:04

Posted by dxw Security on Dec 16

Details
================
Software: Quiz And Survey Master (Formerly Quiz Master Next)
Version: 4.5.4,4.7.8
Homepage: https://wordpress.org/plugins/quiz-master-next/
Advisory report:
https://security.dxw.com/advisories/csrfstored-xss-in-quiz-and-survey-master-formerly-quiz-master-next-allows-unauthenticated-attackers-to-do-almost-anything-an-admin-can/
CVE: Awaiting assignment
CVSS: 5.8 (Medium; AV:N/AC:M/Au:N/C:P/I:P/A:N)

Description...

Re: XenForo 1.5.x Unauthenticated Remote Code Injection

16 December, 2016 - 06:04

Posted by Julien Ahrens on Dec 16

This issue does not seem to exist at all.

Among the available versions/updates for XenForo there is no version
1.5.11a as stated in this advisory. After contacting XenForo about this
advisory and the corresponding update, they told me that they are
neither aware of this vulnerability nor about the reporter.

Best Regards
Julien

CVE-2013-0090: MSIE 9 IEFRAME CView::EnsureSize use-after-free

16 December, 2016 - 06:03

Posted by Berend-Jan Wever on Dec 16

Since November I have been releasing details on all vulnerabilities I
found that I have not released before. This is the 34th entry in the
series. This information is available in more detail on my blog at
http://blog.skylined.nl/20161216001.html. There you can find a repro
that triggered this issue in addition to the information below.

If you find these releases useful, and would like to help me make time
to continue releasing this kind of...

MSIE 9 IEFRAME CMarkupPointer::MoveToGap use-after-free

16 December, 2016 - 06:03

Posted by Berend-Jan Wever on Dec 16

Since November I have been releasing details on all vulnerabilities I
found that I have not released before. This is the 33rd entry in the
series. This information is available in more detail on my blog at
http://blog.skylined.nl/20161215001.html. There you can find a repro
that triggered this issue in addition to the information below.

If you find these releases useful, and would like to help me make time
to continue releasing this kind of...

XenForo 1.5.x Unauthenticated Remote Code Injection

15 December, 2016 - 09:21

Posted by Vishal Mishra on Dec 15

XenForo 1.5.x Remote Code Execution Vulnerability

1. ADVISORY INFORMATION
=======================
Product: XenForo
Vendor URL: xenforo.com
Type: Code Injection [CWE-94]
Date found: 2016-12-09
Date published: 2016-12-15
CVSSv3 Score: 9.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:F/RL:O/RC:C)
CVE: -

2. CREDITS
==========

This vulnerability was discovered and researched by independent security
expert...

Nagios Core < 4.2.4 Root Privilege Escalation [CVE-2016-9566]

15 December, 2016 - 09:21

Posted by Dawid Golunski on Dec 15

Vulnerability:
Nagios Core < 4.2.4 Root Privilege Escalation
CVE-2016-9566

Discovered by: Dawid Golunski (@dawid_golunski)
https://legalhackers.com

Severity: High

Nagios Core daemon in versions below 4.2.4 was found to perform unsafe
operations when handling the log file. This could be exploited by
malicious local attackers to escalate their privileges from 'nagios'
system user, or from a user belonging to 'nagios'...