Libdbus 1.5.x and earlier, when used in setuid processes not clearing the environment variables, allows local users to gain privileges and execute arbitrary code via the DBUS_SYSTEM_BUS_ADDRESS environment variable.
The best practice for installations of EMC Replication Manager is to register a Replication Manager Client (irccd.exe) instance with the appropriate Replication Manager Server (ird.exe) as soon as the client software is installed on a host.
Registration is performed by Replication Manager administrators from within the Replication Manager Server.
In the time span exposed before registering a Replication Manager Client instance with a Replication Manager Server, the RunProgram function of the Replication Manager Client instance can be invoked with arbitrary arguments by remote unauthenticated attackers in order to execute arbitrary code with SYSTEM privileges on the vulnerable machine.
This module exploits this misconfiguration scenario in order to install an agent on machines running still unregistered instances of EMC Replication Manager Client.
Tests a web page's parameters to detect potential SQL injection vulnerabilities.
This update is for 12.5.
On Intel CPUs, sysret to non-canonical addresses causes a fault on the sysret instruction itself after the stack pointer is set to guest value but before the current privilege level (CPL) is changed. Windows is vulnerable due to the way the Windows User Mode Scheduler handles system requests. This module exploits the vulnerability and installs an agent with system privileges.
This update fixes an issue in the documentation.
GE Proficy Historian is prone to a code execution vulnerability in the KeyScript ActiveX control from keyhelp.ocx. The function LaunchTriPane uses the -decompile option and can be abused to write arbitrary files on the remote system.
This update adds support for Impact 12.5.
This module exploits a Windows kernel vulnerability by loading a fake keyboard layout through a call to "NtUserLoadKeyboardLayoutEx" function with crafted parameters.
When the keyboard layout is processed by win32k.sys, it produces a kernel heap memory corruption.
This module exploits two vulnerabilities in HP SiteScope to gain remote code execution. The first vulnerability is an authentication bypass in the getSiteScopeConfiguration operation, available through the APISiteScopeImpl AXIS service, which is used to grab the administrator credentials from the server running HP SiteScope. The second vulnerability is a directory traversal in the UploadFileHandler URL that allows files to be uploaded to the server into a directory that allows for scripting.
On Intel CPUs, sysret to non-canonical addresses causes a fault on the sysret instruction itself after the stack pointer is set to guest value but before the current privilege level (CPL) is changed. Windows is vulnerable due to the way the Windows User Mode Scheduler handles system requests. This module exploits the vulnerability and installs an agent with root privileges.
This update adds support for Debian 6.0.0 and adds support for attacking IPv6 targets.
This module exploits a heap overflow bug in Samba Server by sending a crafted request packet via a DCERPC call.
This module exploits a vulnerability in the PlayerPT.ocx module included in the Cisco Linksys WVC200 Wireless-G PTZ Internet Video Camera application. The exploit is triggered when the SetSource() method processes a crafted argument resulting in a buffer overflow.
This update improves the XML of the module to be compatible with new product functionality.