A vulnerability in Pulse Connect Secure could allow an authenticated administrator to perform a file write via a maliciously crafted archive uploaded in the administrator web interface. The deployed agent will run with ROOT privileges.
A vulnerability in the admin web interface could allow an authenticated attacker to upload a custom template and achieve arbitrary code execution. These templates can be used to display customised login and meeting pages and are rendered using the Perl Template Toolkit engine. This engine can be coerced into executing code by abusing the "template" global object to create a new "BLOCK" to be evaluated. The deployed agent will run with ROOT privileges.
This module first exploits a server-side request forgery vulnerability present in Microsoft.Exchange.HttpProxy of Microsoft Exchange Server to bypass authentication. Then an arbitrary file write vulnerability present in WriteFileActivity of Microsoft.Exchange.Management.ControlPanel.DIService is used to deploy a .aspx file and execute commands. The deployed agent will run with SYSTEM privileges.
The 'recentVersion' parameter from the snserv endpoint is vulnerable to OS command injection when the check and execute update operations are performed. This module exploits this vulnerability to install an agent.
The function 'processHeaderConfig' is vulnerable to command injection due to a lack of validation of the HTTP headers it processes as an argument. This module exploits this vulnerability to install an agent.
IBM Informix Open Admin Tool is vulnerable to an unauthenticated PHP remote code execution, allowing attackers to execute arbitrary PHP code on the system. On Windows targets, IBM Informix Open Admin Tool runs as SYSTEM, so deployed agents will have this privilege.
Trend Micro Threat Discovery Appliance is prone to an authentication bypass and a command injection which allow attackers to execute system commands.
The new_whitelist.php page in Symantec Web Gateway Management Console allows some specially crafted entries to update the whitelist without proper validation. A lower-privileged but authorized management console user can bypass the whitelist validation using a 'sid' parameter with a value different from zero. This module exploits this vulnerability to inject and execute arbitrary OS commands with the privileges of the 'root' user on the appliance.
JBoss Application Server is prone to a remote deserialization vulnerability present in the commons-collections Java library. By exploiting known methods, it is possible to remotely load an InvokerTransformer Java class, which allows the execution of system commands.