Acunetix Web Vulnerability Scanner 10.0 build 20160216 and previous versions, allows remote attackers to execute arbitrary JavaScript code in the context of the scanner GUI. The flaw exists in the way Acunetix WVS render some html elements inside it's GUI, using jscript.dll without any concert about unsafe ActiveX object such as WScript.shell. If Acunetix WVS triggers a vulnerability during a scan session, it saves a local html with the content of html page. With this, it's possible to trigger a fake vulnerability and inject a JavaScript code which triggers the remote command execution. This module also abuses of a second vulnerability affecting the Acunetix Web Vulnerability Scanner Scheduler. The Scheduler allows programmatically scanning of websites without any user interaction. It is possible to schedule a scan via the web interface listening on 127.0.0.1:8183. When a scan is scheduled, a new instance of Acunetix WVS is launched as SYSTEM. Previous to the real scan, several tests are performed on the target host using script files located in %ProgramData%\Acunetix WVS 10\Data\Scripts. Due to bad ACL's in this folder, any user can modify these scripts files. This module modifies the AJP_Audit.script file in order to execute an agent as SYSTEM.
This module exploits a user-after-free vulnerability in the Linux Kernel. When bpf(BPF_PROG_LOAD, ...) was invoked with a BPF program whose bytecode references a non-map file descriptor as a map file descriptor, the error handling code called fdput() twice instead of once (in __bpf_map_get() and in replace_map_fd_with_map_ptr()). If the file descriptor table of the current task is shared, this causes f_count to be decremented too much, allowing the struct file to be freed while it is still in use (use-after-free). This can be exploited to gain root privileges by an unprivileged user.
The Password Manager component installed by various Trend Micro products runs a Node.js HTTP server by default. This web server opens multiple HTTP RPC ports for handling API requests. For example, the openUrlInDefaultBrowser API function, which internally maps to a ShellExecute function call, allows and attacker to execute arbitrary commands on localhost without the need of any type of credentials. This module will wait for a vulnerable target to connect and deploy an agent by abusing the mentioned API functionallity provided by the vulnerable component.
The default error page in Spring Boot (also know as "Whitelabel Error Page"), when a type error is detected in a parameter configured in a controller, will display the provided value. The page's rendering expands Spring Expression Language (SPEL) expressions found in the page, and it does so recursively. Because of this, a string containing an expression language provided as the value for an URL parameter may be evaluated server side while rendering the page if it's from a different type to the expected for said parameter. The "Whitelabel Error Page" is provided by default, but it can be customized. This attack has only been tested with the default error page. In particular, if SPEL is not used a the templating language for another page, or if the page doesn't print the exception due to type mismatch, the attack is not possible.
An authenticated user may inject arbitrary xauth commands by sending an x11 channel request that includes a newline character in the x11 cookie. The newline acts as a command separator to the xauth binary. The injected xauth commands are performed with the effective permissions of the logged in user. This attack requires the server to have 'X11Forwarding yes' enabled. This module injects source xauth command to retrieve arbitrary files.
Subscribe to Exploits