Oracle WebLogic Server is prone to a remote vulnerability that allows attackers to take advantage of a Java deserialization vulnerability. By exploiting known methods, the module establishes a remote connection to the RMI Registry and loads a UnicastRef Object. This manipulation allows for the execution of system commands, enabling remote code execution on the targeted host. The bypass technique involves changing the RMI interface type to java.rmi.activation.Activator.
This module exploits a path traversal vulnerability present in the accountID parameter of the doPost method of com.ilient.server.UserEntry class to deploy an agent. The vulnerability is used to upload a WAR file inside a subdirectory of the web server's root directory to deploy an agent. The deployed agent will run with the same privileges than the SysAid webapp.
This module exploits a path traversal vulnerability present in the accountID parameter of the doPost method of com.ilient.server.UserEntry class to deploy an agent. The vulnerability is used to upload a WAR file inside a subdirectory of the web server's root directory to deploy an agent. The deployed agent will run with the same privileges than the SysAid webapp.
This module exploits an elevation of privilege vulnerability exists due to the MS KS Server kernel module allow accessing memory out of bounds. The vulnerability could allows an attacker to run code with elevated privileges.
This module uses an improper authorization vulnerability in Atlassian Confluence to replace the database contents and create a new admin user in the target system. The created admin account is then used to upload a Servlet plugin JAR file to deploy an agent. The deployed agent will run with the same privileges than the Confluence instance.
This module connects to the remote host and attempts to determine by sending specially crafted requests, if the target is vulnerable or not to CVE-2023-22518 based on the inspection of the target's response.
This module exploits a Java deserialization vulnerability via Openwire protocol by sending a crafted payload as a throwable class type. The deployed agent will run with the same user account privileges as the Apache ActiveMQ application.
This module uses broken access control vulnerability via SafeParametersInterceptor class in Atlassian Confluence to create a new admin user in the target system using the provided credentials. If no credentials are provided, it will generate a random one. This admin account is then used to upload a Servlet plugin JAR file to deploy an agent. The deployed agent will run with the same privileges than the Confluence instance.
The mskssrv.sys driver before 10.0.22621.1 exposes functionality that allows low-privileged users to read and write arbitrary memory via specially crafted IOCTL requests and elevate system privileges.
Arcserve UDP Agent from version 7.0 to 9.0 allows authentication bypass. The method getVersionInfo in WebServiceImpl/services/FlashServiceImpl exposes the AuthUUID token. This token can be used at /WebServiceImpl/services/VirtualStandbyServiceImpl to obtain a valid session. It is also possible to obtain administrator credentials. Also, the credentials of the ArcServe UDP Agent are added as an identity. This module tries to determine remotely, if the target host is either vulnerable to CVE-2023-26258 or not.