The new_whitelist.php page in the Symantec Web Gateway Management Console allows specially crafted entries to update the whitelist without proper validation. A lower-privileged but authorized management console user can bypass the whitelist validation by supplying a 'sid' parameter with a non-zero value. This module exploits this vulnerability to inject and execute arbitrary OS commands with the privileges of the 'root' user on the appliance.
Disk Pulse server is prone to a buffer-overflow vulnerability when handling a crafted POST request: the request overflows a fixed-size internal memory buffer, and this module uses the overflow to install an agent with SYSTEM privileges.
This module exploits a buffer overflow vulnerability in the SNMP code of the Cisco ASA.
Samsung Security Manager is prone to a privilege-escalation vulnerability affecting the Apache Felix Gogo runtime. Because of an insecure default installation of the runtime, an attacker can send commands that the runtime then executes. This module uses this vulnerability to inject an agent into the lsass.exe process.
This module exploits a vulnerability in Rivatuner's core driver (Rivatuner*.sys, RTCore*.sys), which is used by the hardware tweaking applications Rivatuner, MSI Afterburner and EVGA Precision X (and possibly others). While the application is running, the driver is loaded and used to read and write physical memory, MSR registers, I/O ports, etc. This module abuses that functionality to escalate privileges.
This module exploits a race condition vulnerability in the Linux kernel via MAP_PRIVATE COW. The bug lies in the way the Linux kernel's memory subsystem handles the copy-on-write (COW) breakage of private read-only memory mappings. An unprivileged local user can use this flaw to gain write access to otherwise read-only memory mappings and thus increase their privileges on the system.
PowerFolder Server is prone to a remote vulnerability that lets attackers take advantage of a deserialization weakness in the commons-collections Java library. Using known gadget chains, it is possible to remotely load a Java class and inject custom Java bytecode. The exploit abuses this to download and execute an executable carrying Impact's agent.
The vulnerability resides in the parsing of crafted PowerPoint documents and produces a stack-based buffer overflow. This module was tested on Symantec Endpoint Manager version 12.1.4013.4013. Other versions may be vulnerable too.
SugarCRM is vulnerable because user input passed through a request parameter is not properly sanitized before being used in a call to the "unserialize()" function. This can be exploited to inject arbitrary PHP objects into the application scope and could allow unauthenticated attackers to execute arbitrary PHP code via specially crafted serialized objects. Successful exploitation requires the application to be running on a PHP version before 5.6.25 or 7.0.10. The attack does not leave any trace. This exploit installs an OS agent.
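The pattern behind the SugarCRM entry, as an added illustration that is not SugarCRM's code or part of the original page: a request parameter reaches unserialize() unchanged, so any class with a magic method (__wakeup, __destruct, ...) that the application has loaded becomes a gadget the attacker can instantiate with properties of their choosing. The LogFlusher class, the 'state' parameter name, the paths and the serialized payload are all constructed for this example; the two hardened variants show the checks a practitioner would put in their place.

```php
<?php
// Added example (not SugarCRM code). Class name, parameter name, paths and the
// payload below are assumptions constructed for illustration.

// A "gadget": a class whose magic method does something with its properties.
// Anything like this that the application autoloads is reachable from
// attacker-controlled serialized input.
class LogFlusher
{
    public $logfile = '/tmp/app.log';   // assumed default path
    public $data    = '';

    // Runs when the instance is garbage-collected, which happens automatically
    // after unserialize() created it. Both properties are attacker-controlled.
    public function __destruct()
    {
        file_put_contents($this->logfile, $this->data);
    }
}

// VULNERABLE: the raw request parameter reaches unserialize().
// A constructed payload such as
//   O:10:"LogFlusher":2:{s:7:"logfile";s:20:"/tmp/attacker-chosen";s:4:"data";s:5:"owned";}
// makes __destruct() write attacker-chosen content to an attacker-chosen path
// (a PHP file under the web root turns this into code execution).
function vulnerable_restore(array $request)
{
    return unserialize($request['state']);   // 'state' is an assumed parameter name
}

// HARDENED, option 1: never unserialize untrusted input; use a data-only format.
// JSON cannot describe objects with behaviour, so no magic methods can run.
// (JSON_THROW_ON_ERROR needs PHP >= 7.3.)
function hardened_restore_json(array $request)
{
    $state = json_decode($request['state'], true, 512, JSON_THROW_ON_ERROR);
    if (!is_array($state)) {
        throw new InvalidArgumentException('state must be a JSON object');
    }
    return $state;
}

// HARDENED, option 2 (PHP >= 7.0 only): keep the wire format but forbid object
// instantiation. Serialized objects come back as __PHP_Incomplete_Class, so no
// magic method runs; rejecting any object afterwards keeps the contract explicit.
// Note: unserialize() also returns false for a legitimately serialized "b:0;",
// so callers that need to round-trip false must handle that separately.
function hardened_restore_unserialize(array $request)
{
    $state = unserialize($request['state'], ['allowed_classes' => false]);
    if ($state === false || is_object($state)) {
        throw new InvalidArgumentException('refusing serialized objects');
    }
    return $state;
}
```

The allowed_classes option does not exist on the PHP 5.6 line named in the entry above, which is one more reason to prefer the JSON variant: it removes the object-injection surface entirely rather than filtering it.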