May was a busy month for our user support teams. While the Exploit and the L3 teams were working on the following DOT release (IMPACT 2013 R1.3), we shared more than 30 updates with our customers in May including exploits, modules and maintenance updates. May efforts were mainly focused on delivering new exploits and improving our “Importers” and “Identity Manager” capabilities based on our customers’ feedback.
Updates for May 2013 (excluding five maintenance updates) include:
Remote Code Execution
Firebird SQL CNCT Remote Buffer Overflow Exploit BigAnt IM Server DDNF Username Buffer Overflow Exploit HP Intelligent Management Center mibFileUpload Servlet Remote Exploit Schneider Electric Accutech Manager Heap Overflow Exploit EMC AlphaStor Device Manager 0x41 Command Buffer Overflow Exploit PHPMyAdmin Replace Table Prefix Remote Code Execution Exploit Light HTTP Daemon Buffer Overflow Exploit EMC AlphaStor Library Control Program Buffer Overflow Exploit SAP Netweaver Message Server _MsJ2EE_AddStatistics Memory Corruption Exploit Novell ZENworks Mobile Management Remote Code Execution Exploit
Microsoft Internet Explorer CGenericElement Object Use-After-Free Exploit Microsoft Windows Win32k Font Parsing Vulnerability ClientSide DoS (MS13-036) GlobalSCAPE CuteZIP Buffer Overflow Exploit ERDAS ER Viewer ERM_convert_to_correct_webpath Buffer Overflow Exploit Kingsoft Office wpsio Buffer Overflow Exploit Oracle Java Font Handling Code Execution Exploit IBM SPSS SamplePower C1sizer ActiveX Control Buffer Overflow Exploit
Local & DoS
Microsoft Windows Win32k Divide Error Exception DoS (MS13-046) Wireshark DRDA Dissector DoS Microsoft Windows Win32k Buffer Overflow Exploit (MS13-046) In addition to the above we also published several advisories related to major bugs found in surveillance devices that were highly discussed by the security community. Finally we shared a guide on how to start using CORE CloudCypher that we recommend you to read and get the most out of CORE Impact. Your feedback and questions are greatly appreciated. Please send us your questions and suggestions that help us improve Impact for you. Learn more about penetration testing. Flavio de Cristofaro – Vice President of Engineering for Professional Products