Certain Javascript APIs in Adobe Acrobat Pro can only be executed in a privileged context. By adding specially crafted Javascript code to a PDF file it's possible to bypass security restrictions and invoke privileged Javascript APIs, allowing for arbitrary code execution. This exploit takes advantage of the AFParseDate() trusted function, which can call eval() with attacker-controlled input, in order to bypass the security restrictions and ultimately call Collab.uriPutData() to write arbitrary files into the victim's filesystem. The exploit will try to gain code execution on the victim's machine by potentially dropping two files: A DLL named updaternotifications.dll will be written into the same folder where the crafted PDF file is located in the victim's machine. This DLL will be automatically loaded by Adobe Acrobat Pro a few seconds after the crafted PDF file has been opened, as long as the Updater settings of Adobe Acrobat Pro is set to any option different than "Do not download or install updates automatically". An EXE file will be written into the %USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup folder, if possible. This executable containing the agent code will be automatically executed upon next user logon into the vulnerable machine. In order for this EXE file to be dropped, the PDF file needs to infer the location of the %USERPROFILE% folder (typically something like C:\Users\JohnDoe) by inspecting the current path of the PDF file. This means that the EXE file will be dropped only if the PDF file is loaded from a path under the %USERPROFILE% folder in the victim's machine, such as the Desktop, the "My Documents" folder, or the "Downloads" folder.
This module uses an Authentication Bypass vulnerability in Magento eCommerce Web Sites and a blind SQL Injection to gain arbitrary code execution on the affected system.
FortiClient is prone to a privilege-escalation vulnerability that affects mdare64_48.sys, mdare32_48.sys, mdare32_52.sys, mdare64_52.sys and Fortishield.sys drivers. All these drivers expose an API to manage processes and the windows registry, for instance, the IOCTL 0x2220c8 of the mdareXX_XX.sys driver returns a full privileged handle to a given process PID. In particular, this same function is replicated inside Fortishield.sys. Attackers can leverage this issue to execute arbitrary code with elevated privileges in the context of any selected process. This module uses the previous vulnerability to inject an agent inside lsass.exe process.
Solarwinds FSM is vulnerable to an authentication bypass in userlogin.jsp that allows attacker to upload an agent via a weekness in the username atribute in settings-new.jsp allowing us to install an agent.
This module exploits a buffer overflow vulnerability in the FastBack server service (FastBackServer.exe) of the IBM Tivoli Storage Manager. The exploit triggers a stack-based buffer overflow by sending a pre-authentication specially crafted packet to port 11460/TCP of the vulnerable system and installs an agent if successful.
This module exploits a vulnerability in the Windows Packager COM object (packager.dll). This module runs a web server waiting for vulnerable clients to connect to it. When the client connects, it will try to install an agent by exploiting the previous vulnerability.
Usermin is vulnerable to an arbitrary command execution in the email signature configuration due to a lack of sanitization on the signature file parameter.
An elevation of privilege vulnerability exists when the Win32k.sys kernel-mode driver improperly handles objects in memory. The vulnerability exists in the Windows OS process of creating windows for applications. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. This module exploits the previous vulnerability to deploy an agent that runs with SYSTEM privileges.
This module exploits an assertion failure vulnerability in BIND 9 servers to cause a denial of service.
This module exploits an "Use After Free" vulnerability in "win32k.sys" by calling to "SetClassLong" function with crafted parameters.