Full Disclosure

A public, vendor-neutral forum for detailed discussion of vulnerabilities and exploitation techniques, as well as tools, papers, news, and events of interest to the community. The relaxed atmosphere of this quirky list provides some comic relief and certain industry gossip. More importantly, fresh vulnerabilities sometimes hit this list many hours or days before they pass through the Bugtraq moderation queue.

Re: Exim < 4.86.2 Local Root Privilege Escalation

14 March, 2016 - 16:40

Posted by loon on Mar 14

Since when does reverse engineering a patch make you the discoverer of the patched exploit?

This is silly to take credit for.

Yahoo Bug Bounty #37 - Sender Spoofing Vulnerability

14 March, 2016 - 10:33

Posted by Vulnerability Lab on Mar 14

Document Title:
===============
Yahoo Bug Bounty #37 - Sender Spoofing Vulnerability

References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1781

Release Date:
=============
2016-03-07

Vulnerability Laboratory ID (VL-ID):
====================================
1777

Common Vulnerability Scoring System:
====================================
3

Product & Service Introduction:...

ChitaSoft (Web-Application) - SQL Injection Vulnerability

14 March, 2016 - 10:31

Posted by Vulnerability Lab on Mar 14

Document Title:
===============
ChitaSoft (Web-Application) - SQL Injection Vulnerability

References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1782

Release Date:
=============
2016-03-14

Vulnerability Laboratory ID (VL-ID):
====================================
1782

Common Vulnerability Scoring System:
====================================
6.9

Product & Service Introduction:...

Chamlio LMS v1.10.2 - (Profile) Persistent Web Vulnerability

14 March, 2016 - 10:28

Posted by Vulnerability Lab on Mar 14

Document Title:
===============
Chamlio LMS v1.10.2 - (Profile) Persistent Web Vulnerability

References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1781

Release Date:
=============
2016-03-14

Vulnerability Laboratory ID (VL-ID):
====================================
1781

Common Vulnerability Scoring System:
====================================
3.4

Product & Service Introduction:...

Re: Security contact @ Gigabyte

12 March, 2016 - 15:34

Posted by Mustafa Al-Bassam on Mar 12

You're asking this on the full disclosure mailing list. Disclose it here.

Microsoft Edge CDOMTextNode::get_data type confusion

12 March, 2016 - 15:33

Posted by Berend-Jan Wever on Mar 12

Hey,

Last Tuesday, Microsoft fixed a security issue in Microsoft Edge that I
was aware of, but had not had time to report. (i.e. I was waiting for
vulnerability contributor programs to look over my analysis and make me
an offer for the information). Since this issue has been fixed, I have
published my analysis on my blog
<http://blog.skylined.nl/20160310001.html>.

In short: Specially crafted Javascript inside an HTML page...

Wordpress Configuration Error on XDA-Developers.com led to full Web-Server Access and shut down website

12 March, 2016 - 15:33

Posted by Steffen Rogge on Mar 12

Hello Subscribers,

As an introduction I would like to say that this is my first announcement
and I am not happy about the way it went.
I am a daily reader of the website XDA-Developers, which mainly
publishes information about Android devices and mobile trends.

On 07.03.2016 around 10:10 AM I accessed one of their articles and landed
on a strange 404 page telling me that...

Netgear ReadyNAS Surveillance: Unauthenticated Remote Command Execution

12 March, 2016 - 15:33

Posted by Sysdream Labs on Mar 12

Unauthenticated Remote Command Execution in Netgear ReadyNAS Surveillance
=========================================================================

Product Description
===================

Netgear ReadyNAS Surveillance is a NVR (Network Video Recorder) available for Netgear NAS systems.

Vulnerability Description
=========================

A critical vulnerability has been found in Netgear ReadyNAS Surveillance configuration backup feature,...

Kaltura Community Edition Multiple Vulnerabilities

12 March, 2016 - 15:33

Posted by Daniel Jensen on Mar 12

[ASCII-art banner]

Exim < 4.86.2 Local Root Privilege Escalation

12 March, 2016 - 15:33

Posted by Dawid Golunski on Mar 12

Advisory URL:
http://legalhackers.com/advisories/Exim-Local-Root-Privilege-Escalation.txt

=============================================
- Release date: 10.03.2016
- Discovered by: Dawid Golunski
- Severity: High/Critical
=============================================

I. VULNERABILITY
-------------------------

Exim < 4.86.2 Local Root Privilege Escalation

II. BACKGROUND
-------------------------

"Exim is a message transfer agent...

[SE-2012-01] Broken security fix in Oracle Java SE 7/8/9

10 March, 2016 - 01:43

Posted by Security Explorations on Mar 09

Hello All,

On Mar 07, 2016 Security Explorations modified its Disclosure Policy [1].
As a result, we do not tolerate broken fixes any more. If an instance
of a broken fix for a vulnerability we already reported to the vendor
is encountered, it gets disclosed by us without any prior notice.

The vendor that gets the questionable honor to be the first to experience
our modified Disclosure Policy is Oracle.

Yesterday, during my JavaLand talk [2],...

Executable installers are vulnerable^WEVIL (case 31): MalwareBytes' installers allows arbitrary (remote) code execution WITH escalation of privilege

9 March, 2016 - 22:13

Posted by Stefan Kanthak on Mar 09

Hi @ll,

Malwarebytes executable installers mbam-setup-2.2.0.1024.exe
and mbae-setup-1.08.1.1189.exe (available from
<https://downloads.malwarebytes.org/file/mbam_current/> and
<https://downloads.malwarebytes.org/file/mbae_current/>) load
and execute UXTheme.dll and DWMAPI.dll from their "application
directory".

For software downloaded with a web browser the application
directory is typically the user's...

Executable installers are vulnerable^WEVIL (case 30): clamwin-0.99-setup.exe allows arbitrary (remote) code execution WITH escalation of privilege

9 March, 2016 - 22:13

Posted by Stefan Kanthak on Mar 09

Hi @ll,

the executable installer clamwin-0.99-setup.exe (available from
<http://www.clamwin.com/download>) loads and executes DWMAPI.dll
or UXTheme.dll from its "application directory".

For software downloaded with a web browser the application
directory is typically the user's "Downloads" directory: see
<https://insights.sei.cmu.edu/cert/2008/09/carpet-bombing-and-directory-poisoning.html>,
<...
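Added example, covering both installer cases above (case 30 and case 31); it is not code from either advisory, nor from Malwarebytes or ClamWin. It is a small Python model of the Windows DLL search order (SafeDllSearchMode on, the default) showing why an installer started from a browser's Downloads directory loads a planted UXTheme.dll or DWMAPI.dll instead of the system copy, while a name on the KnownDLLs list is not affected. The KnownDLLs subset, the directory layout and the import list are constructed for the demonstration.

```python
import os
import tempfile

# Simplified model of the Windows DLL search order with SafeDllSearchMode
# enabled (the default): the application directory is consulted before the
# system directory, so a same-named DLL next to the installer wins.
# Names in the KnownDLLs list are always mapped from System32 and cannot be
# hijacked this way; the set below is an illustrative subset, not the full list.
KNOWN_DLLS = {"ntdll.dll", "kernel32.dll", "user32.dll", "advapi32.dll"}


def search_order(app_dir, system_dir, windows_dir, cwd, path_dirs):
    """Directories in the order the loader tries them (simplified)."""
    return [app_dir, system_dir, windows_dir, cwd, *path_dirs]


def resolve_dll(name, app_dir, system_dir, windows_dir, cwd, path_dirs=(), known=KNOWN_DLLS):
    """Return the path the loader would pick for `name`, or None if it is absent."""
    name = name.lower()
    if name in known:
        return os.path.join(system_dir, name)
    for d in search_order(app_dir, system_dir, windows_dir, cwd, list(path_dirs)):
        candidate = os.path.join(d, name)
        if os.path.isfile(candidate):
            return candidate
    return None


def hijackable_imports(imports, app_dir, system_dir, windows_dir, cwd, path_dirs=()):
    """Imported DLLs that an executable started from app_dir would load from
    app_dir rather than from the system directory. Each one is a file name an
    attacker who can drop files into app_dir (a browser's Downloads folder)
    gets executed with the installer's privileges."""
    hits = {}
    for dll in imports:
        path = resolve_dll(dll, app_dir, system_dir, windows_dir, cwd, path_dirs)
        if path is not None and os.path.dirname(path) == app_dir:
            hits[dll.lower()] = path
    return hits


def demo():
    """Build a throwaway directory layout (constructed, not a real system) and
    report which of an installer's imports would be hijacked from Downloads."""
    with tempfile.TemporaryDirectory() as root:
        downloads = os.path.join(root, "Users", "victim", "Downloads")
        system32 = os.path.join(root, "Windows", "System32")
        windows = os.path.join(root, "Windows")
        for d in (downloads, system32):
            os.makedirs(d)
        # legitimate copies live in System32
        for n in ("uxtheme.dll", "dwmapi.dll", "kernel32.dll"):
            open(os.path.join(system32, n), "w").close()
        # files an attacker planted in Downloads ("carpet bombing")
        for n in ("uxtheme.dll", "kernel32.dll"):
            open(os.path.join(downloads, n), "w").close()
        # DLLs the installer imports by name, as the two advisories report
        imports = ["UXTheme.dll", "DWMAPI.dll", "KERNEL32.dll"]
        return sorted(hijackable_imports(imports, downloads, system32, windows, downloads))


if __name__ == "__main__":
    print("hijackable from Downloads:", demo())
```

Only uxtheme.dll is reported: dwmapi.dll was not planted, and kernel32.dll is on the KnownDLLs list so the loader ignores the planted copy. On a real system the import list comes from the installer's import table (for example `dumpbin /imports`) and the KnownDLLs set from HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs. The fix on the installer side is to load system DLLs by full path from the system directory, or to call SetDefaultDllDirectories / LoadLibraryEx with LOAD_LIBRARY_SEARCH_SYSTEM32 so the application directory is never searched.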

Re: Windows Mail Find People DLL side loading vulnerability

9 March, 2016 - 22:12

Posted by Stefan Kanthak on Mar 09

"Securify B.V." wrote:

[...]

This vulnerability demonstrates Microsoft's terrible SLOPPY coding
horror^Wpractice: it needs two mistakes to create this kind of bug!

"%CommonProgramFiles%\System\wab32res.dll" is (as its name implies)
a resource DLL, which means that it contains no code, but only
(localized) resources, and SHOULD (better: MUST) be loaded via...

Open Vulnerablity ID tracker instead of CVE. Maybe

9 March, 2016 - 22:11

Posted by op7ic \x00 on Mar 09

Hello List,

I'm growing a bit tired of the way MITRE assigns CVEs (or just ignores you),
so instead I thought some unmoderated list would be easier to manage. I
opted to keep the same format as CVE, with the exception of the first three
letters.

https://www.freeovi.com

It's a completely unmoderated generator, so feel free to use it and suggest
improvements.

Thanks

Security contact @ Gigabyte

9 March, 2016 - 22:11

Posted by Gustavo Sorondo on Mar 09

Hi list,

I'd like to know if anyone here knows someone working on security at
Gigabyte (http://www.gigabyte.com/), since we are trying to responsibly
report a high-risk security flaw we found.

We opened a ticket asking to be contacted by their security team, and the
answer we got was:

"Thanks for your interest, but we already have a security team for our
websites. Regards, GIGABYTE" (sigh)

So, if any of you knows someone in...

Re: Netgear GS105Ev2 - Multiple Vulnerabilities

9 March, 2016 - 17:15

Posted by Benedikt Westermann on Mar 09

Hi Nick,

Status remains the same. The vulnerabilities are also valid for the new version 1.4.0.6. I checked it and could still
reproduce the password reset, the XSS and the CSRF, and also found the cookie mentioned in the report after login. So,
nothing has changed with respect to the vulnerabilities.

Regards,
Benedikt

Thomson TWG850 Wireless Router Multiple Vulnerabilities

9 March, 2016 - 17:14

Posted by Sebastian Perez on Mar 09

[System Affected]
Thomson Router
HW Revision 2.0
VENDOR Thomson
BOOT Revision 2.1.7i
MODEL TWG850-4U
Software Version ST9D.01.09
Serial Number 00939902404041
Firmware Name TWG850-4U-9D.01.09-100528-S-001.bin

[Vulnerabilities]
1- Cross-Site Request Forgery
2- Unauthenticated access to resources
3- Persistent Cross-Site Scripting

[Advisory Timeline]
06-Jan-2016 - Vendor contacted through the website
11-Jan-2016 - Email sent to vendor
09-Mar-2016...

New Security Tool: MrLooquer - IPv6 Intelligence

9 March, 2016 - 17:14

Posted by Rafa Sanchez on Mar 09

Dear colleagues,

Please, allow us to introduce MrLooquer -> https://www.mrlooquer.com

MrLooquer combines open source intelligence techniques with heuristics and
data mining to perform one of the first attempts to create a real map of
IPv6 deployment and its relationship with current networks and protocols.

MrLooquer is born as an open initiative with Creative Commons license
focused on:
- Data discovery
- Visual intelligence
-...

CVE-2016-2563 - PuTTY/PSCP <=0.66 buffer overflow - vuln-pscp-sink-sscanf

9 March, 2016 - 17:13

Posted by oststrom (public) on Mar 09

A potential addition to your honeypots.

Author: <github.com/tintinweb>
Ref:
https://github.com/tintinweb/pub/tree/master/pocs/cve-2016-2563
Version: 0.1
Date: Feb 20th, 2016

Tag: putty pscp client-side post-auth stack buffer overwrite when
processing remote file size

Overview
--------

Name: putty
Vendor: sgtatham
References: * http://www.chiark.greenend.org.uk/~sgtatham/putty/...
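Added example, not PuTTY's source and not the PoC from the repository referenced above. The tag names the bug class (a stack buffer overwrite while the scp sink reads the remote file header with sscanf), and that is what the C below contrasts: an unbounded `%s` into a fixed stack buffer next to a bounded parser for the scp 'C' header a server sends for each file ("C<mode> <size> <name>\n"). The struct, the buffer size, the traversal check and the sample headers are constructed for this example; the real PuTTY code and the exact overflow differ in detail. A honeypot scp server that sends an oversized header is the hostile input the bounded parser is meant to survive.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Deliberately small so the oversize case is easy to exercise; a real client
 * would size this to the platform's path limit. */
#define NAME_MAX_LEN 64

/* One scp 'C' header as the remote side sends it: "C<mode> <size> <name>\n" */
struct scp_file_hdr {
    unsigned mode;
    unsigned long long size;
    char name[NAME_MAX_LEN];
};

/* The bug class: an unbounded %s copies whatever the remote server put after
 * the size into a fixed-size stack buffer. A malicious server (or a honeypot
 * impersonating one) sends a long name and overwrites the stack.
 * Shown for contrast only; never call it on untrusted input. */
int parse_scp_c_header_unsafe(const char *line, struct scp_file_hdr *out)
{
    char name[NAME_MAX_LEN];
    if (sscanf(line, "C%o %llu %s", &out->mode, &out->size, name) != 3)
        return -1;
    strcpy(out->name, name);   /* overflows again if name was too long */
    return 0;
}

/* Hardened parser: every field is delimited and length-checked before a
 * single byte is written into the struct; bad input is rejected, not truncated. */
int parse_scp_c_header(const char *line, struct scp_file_hdr *out)
{
    const char *p = line;
    char *end;
    size_t n;

    if (*p++ != 'C')
        return -1;

    if (*p < '0' || *p > '7')                     /* no sign, no whitespace */
        return -1;
    unsigned long mode = strtoul(p, &end, 8);    /* mode is octal, e.g. 0644 */
    if (end == p || *end != ' ' || mode > 07777)
        return -1;
    p = end + 1;

    if (*p < '0' || *p > '9')                     /* reject "-5", " 5", etc. */
        return -1;
    errno = 0;
    unsigned long long size = strtoull(p, &end, 10);
    if (end == p || *end != ' ' || errno == ERANGE)
        return -1;
    p = end + 1;

    n = strcspn(p, "\n");                         /* name runs to end of line */
    if (n == 0 || n >= NAME_MAX_LEN)              /* empty, or would not fit */
        return -1;
    if (memchr(p, '/', n) || memchr(p, '\\', n))  /* no path components */
        return -1;
    if ((n == 1 && p[0] == '.') || (n == 2 && p[0] == '.' && p[1] == '.'))
        return -1;                                /* no "." or ".." */

    out->mode = (unsigned)mode;
    out->size = size;
    memcpy(out->name, p, n);
    out->name[n] = '\0';
    return 0;
}

int main(void)
{
    struct scp_file_hdr h;
    const char *benign = "C0644 11 hello.txt\n";   /* constructed sample header */
    if (parse_scp_c_header(benign, &h) == 0)
        printf("mode=%04o size=%llu name=%s\n", h.mode, h.size, h.name);
    return 0;
}
```

Both parsers agree on a benign header; the difference is that the bounded one returns -1 for a name longer than the buffer, a name containing a path separator, "." or "..", a negative or overlong size, or a header that is not a 'C' record, instead of writing past the end of a stack buffer.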