The new_whitelist.php page in Symantec Web Gateway Management Console allows some specially crafted entries to update the whitelist without proper validation. A lower-privileged but authorized management console user can bypass the whitelist validation using a 'sid' parameter with a value different from zero. This module exploits this vulnerability to inject and execute arbitrary OS commands with the privileges of the 'root' user on the appliance.
This module exploits a race condition vulnerability in the Linux Kernel via MAP_PRIVATE COW. The bug relies in the way the Linux kernel's memory subsystem handled the copy-on-write (COW) breakage of private read-only memory mappings. An unprivileged, local user could use this flaw to gain write access to otherwise read-only memory mappings and thus increase their privileges on the system.
SugarCRM is vulnerable due to a user input passed through a request parameter is not properly sanitized before being used in a call to the "unserialize()" function. This can be exploited to inject arbitrary PHP objects into the application scope, and could allow unauthenticated attackers to execute arbitrary PHP code via specially crafted serialized objects. Successful exploitation of this vulnerability requires the application running on PHP before version 5.6.25 or 7.0.10. The attack will not leave any trace. This exploit installs an OS Agent.
Directory traversal vulnerability in Action View in Ruby on Rails allows remote attackers to read arbitrary files by leveraging an application's unrestricted use of the render method and providing a .. (dot dot) in a pathname. Combining this with log injection, remote code execution can be achieved.
phpMyAdmin is prone to a regexp abuse via an eval modifier which can be found in old PHP versions. This vulnerability allows authenticated attackers to run arbitrary php code on the affected server. PHP versions 4.3.0-5.4.6 had a "feature" which allowed users to run a RegExp Pattern Modifier using PREG_REPLACE_EVAL and may lead to execute code. phpMyAdmin had an issue in their code that can be exploited from a table replace call. The general idea is to insert a crafted regexp eval record format, and then trigger it via a find and replace function with system commands For that purpose, the exploit will try to use any existing cookies of that host, or the username and password provided. Once logged in, if the user provided a database, it will be used. If not, we will search for existing databases. The attack will not leave any trace. This exploit installs an OS Agent.
The REST plugin in the Apache Struts 2 framework is prone to a remote code execution vulnerability when evaluating OGNL expressions when Dynamic Method Invocation is enabled. This vulnerability allows remote attackers to execute arbitrary Java code on the affected server. This module exploits the vulnerability in any web application built on top of vulnerable versions of Apache Struts 2 making use of the REST plugin with the Dynamic Method Invocation feature enabled. This exploit installs an OS Agent.
This module creates a file in the specified directory. The file abuses a command injection in ImageMagic, downloading an Impact agent and deploying it in the target system. Because ImageMagick is widely used -specially in web applications-, this module will only provide the file with the attack. The file can then used in multiple ways; for example, uploaded to a web site under test.
Subscribe to Linux