Full Disclosure

A public, vendor-neutral forum for detailed discussion of vulnerabilities and exploitation techniques, as well as tools, papers, news, and events of interest to the community. The relaxed atmosphere of this quirky list provides some comic relief and certain industry gossip. More importantly, fresh vulnerabilities sometimes hit this list many hours or days before they pass through the Bugtraq moderation queue.

Re: [oss-security] CVE-2016-4484: - Cryptsetup Initrd root Shell

16 November, 2016 - 13:31

Posted by Jason Cooper on Nov 16

Hi Hector,

This wording appears to have caused a lot of misunderstanding. afaict,
the binary executable 'cryptsetup' has nothing to do with this bug.
Rather, it is completely in the initrd's script for decrypting a
partition containing the rootfs.

On Debian based systems, the initrd script is in the cryptsetup package,
but if one looks at the upstream repository for cryptsetup:

https://gitlab.com/cryptsetup/cryptsetup.git...

Re: QUANTUMSQUIRREL - attrition.org unmasked as NSA TAO OP

16 November, 2016 - 13:31

Posted by jericho on Nov 16

Actually... I filed a FOIA request with the NSA about their use of a
trademarked image in their presentation, just for kicks. Not surprisingly,
the response was basically "we have no idea what you are talking about".

Cross-Site Scripting in All In One WP Security & Firewall WordPress Plugin

16 November, 2016 - 11:49

Posted by Summer of Pwnage on Nov 16

------------------------------------------------------------------------
Cross-Site Scripting in All In One WP Security & Firewall WordPress
Plugin
------------------------------------------------------------------------
Yorick Koster, July 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A Cross-Site Scripting vulnerability was...

Nginx (Debian-based distros) - Root Privilege Escalation Vulnerability (CVE-2016-1247)

16 November, 2016 - 03:47

Posted by Dawid Golunski on Nov 16

Vulnerability: Nginx (Debian-based distros) - Root Privilege
Escalation (CVE-2016-1247)

Discovered by: Dawid Golunski (@dawid_golunski)
https://legalhackers.com

Nginx web server packaging on Debian-based distributions such as Debian or
Ubuntu was found to create log directories with insecure permissions which
can be exploited by malicious local attackers to escalate their privileges
from nginx/web user (www-data) to root.
The vulnerability...

New VMSA-2016-0020 - VMware product updates address multiple information disclosure issues

16 November, 2016 - 01:28

Posted by VMware Security Response Center on Nov 15

------------------------------------------------------------------------
VMware Security Advisory

Advisory ID: VMSA-2016-0020
Severity: Important
Synopsis: vRealize Operations update addresses REST API
deserialization vulnerability
Issue date: 2016-11-15
Updated on: 2016-11-15 (Initial Advisory)
CVE number: CVE-2016-7462

1. Summary

vRealize Operations update addresses REST API...

Re: [oss-security] CVE-2016-4484: - Cryptsetup Initrd root Shell

15 November, 2016 - 04:55

Posted by Leo Famulari on Nov 15

Hi,

Can you clarify which versions are affected?

The latest upstream version is 1.7.3:

https://gitlab.com/cryptsetup/cryptsetup/commits/master

What is the 2:1 version?

OS-S 2016-21 - Local DoS: Linux Kernel Nullpointer Dereference via keyctl

15 November, 2016 - 04:53

Posted by Ralf Spenneberg on Nov 15

OS-S Security Advisory 2016-21
Local DoS: Linux Kernel Nullpointer Dereference via keyctl

Date:
October 31st, 2016
Authors:
Sergej Schumilo, Ralf Spenneberg, Hendrik Schwartke
CVE:
Not yet assigned
CVSS:
4.9 (AV:L/AC:L/Au:N/C:N/I:N/A:C)
Severity:
Potentially critical. If the kernel is compiled with the option
“Panic-On-Oops”, this vulnerability may lead to a kernel panic.
Ease of Exploitation:
Trivial
Vulnerability Type:
Local unprivileged...

OS-S 2016-22 - Local DoS: Linux Kernel EXT4 Memory Corruption / SLAB-Out-of-Bounds Read

15 November, 2016 - 04:53

Posted by Ralf Spenneberg on Nov 15

OS-S Security Advisory 2016-22
Local DoS: Linux Kernel EXT4 Memory Corruption / SLAB-Out-of-Bounds Read

Date:
October 31st, 2016
Authors:
Sergej Schumilo, Ralf Spenneberg
CVE:
Not yet assigned
CVSS:
4.9 (AV:L/AC:L/Au:N/C:N/I:N/A:C)
Severity:
Critical
Ease of Exploitation:
Trivial
Vulnerability Type:
Memory Corruption / SLAB-Out-of-Bounds Read

Abstract:
Mounting a crafted EXT4 image read-only leads to a memory corruption and
SLAB-Out-of-Bounds...

Re: [oss-security] CVE-2016-4484: - Cryptsetup Initrd root Shell - Update: Dracut is also vulnerable

15 November, 2016 - 04:53

Posted by Hector Marco-Gisbert on Nov 15

Hello,

We have found that systems that use Dracut instead of initramfs are
also vulnerable (tested on Fedora 24 x86_64).

Regards,
Hector Marco & Ismael Ripoll.

CVE-2016-4484: - Cryptsetup Initrd root Shell

15 November, 2016 - 04:53

Posted by Hector Marco on Nov 15

Hello All,

Affected package
----------------
Cryptsetup <= 2:1

CVE-ID
------
CVE-2016-4484

Description
-----------
A vulnerability in Cryptsetup, concretely in the scripts that unlock the
system partition when the partition is ciphered using LUKS (Linux
Unified Key Setup).

This vulnerability makes it possible to obtain a root initramfs shell on affected
systems. The vulnerability is very reliable because it doesn't depend on
specific systems or...

Microsoft Edge edgehtml CAttrArray::Destroy use-after-free details

15 November, 2016 - 04:52

Posted by Berend-Jan Wever on Nov 15

Throughout November, I plan to release details on vulnerabilities I
found in web-browsers which I've not released before. This is the
eleventh entry in that series. Unfortunately I won't be able to publish
everything within one month at the current rate, so I may continue to
publish these through December and January.

The below information is available in more detail on my blog at
http://blog.skylined.nl/20161115001.html.

Follow me on...

CVE-2015-0040: Microsoft Internet Explorer 11 MSHTML CMapElement::Notify use-after-free details

14 November, 2016 - 11:34

Posted by Berend-Jan Wever on Nov 14

Throughout November, I plan to release details on vulnerabilities I
found in web-browsers which I've not released before. This is the
tenth entry in that series.

The below information is available in more detail on my blog at
http://blog.skylined.nl/20161114001.html.

Follow me on http://twitter.com/berendjanwever for daily browser bugs.

Microsoft Internet Explorer 11 MSHTML CMapElement::Notify use-after-free...

SEC Consult SA-20161114-0 :: Multiple vulnerabilities in I-Panda SolarEagle - Solar Controller Administration Software / MPPT Solar Controller SMART2

14 November, 2016 - 05:02

Posted by SEC Consult Vulnerability Lab on Nov 14

SEC Consult Vulnerability Lab Security Advisory < 20161114-0 >
=======================================================================
title: Multiple vulnerabilities
product: I-Panda SolarEagle - Solar Controller Administration
Software / MPPT Solar Controller SMART2
vulnerable version: SolarEagle V2.00 / MPPT Solar Controller SMART2
fixed version: -
CVE number: -...

New VMSA-2016-0019 - VMware product updates address multiple information disclosure issues

14 November, 2016 - 02:04

Posted by VMware Security Response Center on Nov 13

------------------------------------------------------------------------

VMware Security Advisory

Advisory ID: VMSA-2016-0019
Severity: Critical
Synopsis: VMware Workstation and Fusion updates address critical
out-of-bounds memory access vulnerability
Issue date: 2016-11-13
Updated on: 2016-11-13 (Initial Advisory)
CVE number: CVE-2016-7461

1. Summary

VMware Workstation and Fusion...

Unexpected behavior of cmd.exe while processing .bat files leads to potential command injection vulnerabilities

13 November, 2016 - 16:32

Posted by Julian Horoszkiewicz on Nov 13

Unexpected behavior of cmd.exe while processing .bat files leads to
potential command injection vulnerabilities
Tested on: Windows 7, Windows 10
Author: Julian Horoszkiewicz

It was discovered that cmd.exe, when processing .bat files, treats the
ASCII substitute character (code 26) as a command separator (like & or |).
This opens the way for unexpected command injection vulnerabilities in
applications which generate .bat files based on user...

Trango Systems hidden default root login (all models)

11 November, 2016 - 14:18

Posted by Ian Ling on Nov 11

[+] Credits: Ian Ling
[+] Website: iancaling.com
[+] Source: http://blog.iancaling.com/post/153011925478/

Vendor:
=================
www.trangosys.com

Products:
======================
All models. Newer versions use a different password.

Vulnerability Type:
===================
Default Root Account

CVE Reference:
==============
N/A

Vulnerability Details:
=====================

Trango devices all have a built-in, hidden root account, with a...

Google Chrome blink Serializer::doSerialize bad cast details

11 November, 2016 - 14:18

Posted by Berend-Jan Wever on Nov 11

Throughout November, I plan to release details on vulnerabilities I
found in web-browsers which I've not released before. This is the
ninth entry in that series, and the first to not target a Microsoft browser.

The below information is available in more detail on my blog at
http://blog.skylined.nl/20161111001.html.

Follow me on http://twitter.com/berendjanwever for daily browser bugs.

Google Chrome blink Serializer::doSerialize bad cast...

Teradata Virtual Machine Community Edition v15.10 has insecure file permission

10 November, 2016 - 20:49

Posted by Larry W. Cashdollar on Nov 10

Title: Teradata Virtual Machine Community Edition v15.10 has insecure file permission
Author: Larry W. Cashdollar, @_larry0
Date: 2016-10-01
Download Site: http://downloads.teradata.com/download/database/teradata-virtual-machine-community-edition-for-vmware
Vendor: Teradata
Vendor Notified: 2016-10-01
Vendor Contact: webform contact...

Reflected Cross-Site Scripting vulnerability in W3 Total Cache plugin

10 November, 2016 - 13:16

Posted by Summer of Pwnage on Nov 10

------------------------------------------------------------------------
Reflected Cross-Site Scripting vulnerability in W3 Total Cache plugin
------------------------------------------------------------------------
Sipke Mellema, July 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A Cross-Site Scripting vulnerability was found in the...

Information disclosure race condition in W3 Total Cache WordPress Plugin

10 November, 2016 - 13:15

Posted by Summer of Pwnage on Nov 10

------------------------------------------------------------------------
Information disclosure race condition in W3 Total Cache WordPress Plugin
------------------------------------------------------------------------
Sipke Mellema, July 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
An information disclosure vulnerability was found...