A vulnerability in GNU Bash when processing trailing strings after function definitions in the values of environment variables allows remote attackers to execute arbitrary code via a crafted environment. This vulnerability can be leveraged to bypass restricted SSH access (i.e. when the SSH server forces the execution of a specific command, ignoring any command supplied by the client, either by specifying a 'ForceCommand' directive in the 'sshd_config' file, or by using the 'command' keyword in the 'authorized_keys' file) when the default shell for the user is Bash, allowing the remote attacker to execute arbitrary commands on the vulnerable system.
This module exploits a remote code execution vulnerability in the XWork component of Atlassian FishEye, by sending specially crafted HTTP requests to the port 8060/TCP. The ParametersInterceptor class of the XWork framework, part of the Struts 2 web framework, as shipped with Atlassian FishEye, does not properly restrict access to server-side objects. This can be exploited by remote unauthenticated attackers to modify server-side objects and finally execute arbitrary commands via specially crafted OGNL (Object-Graph Navigation Language) expressions.
This module exploits a buffer overflow vulnerability in the T38FaxRateManagement parameter when parsing SIP/SDP requests in 1.4.x prior to 1.4.3. After successful exploitation an agent will be installed. The process being exploited is usually run as root.
This exploit takes advantage of various vulnerabilities and default permissions in the affected versions of the Arkeia Network Backup Software. In the target setup the exploit attempts to gather specific information about the target: the remote operating system, the Arkeia Network Backup version, and the target system's name. It also attempts to download and analyze a PE file loaded by the Arkeia Network Backup Client to find certain patterns of reusable code loaded in memory. In the attack setup the exploit decides how the target will be exploited in the most successful way using the information gathered in the attack setup.
This module exploits an arbitrary index array vulnerability in the cupsd service when parsing HPGL filetypes running on certain versions of Apple Mac OS X and Linux. The vulnerability is exploited remotely by sending a specially crafted IPP request packet to install an agent.
Stack-based buffer overflow in the map_uri_to_worker function (native/common/jk_uri_worker_map.c) in mod_jk.so for Apache Tomcat JK Web Server Connector 1.2.19 and 1.2.20, as used in Tomcat 4.1.34 and 5.5.20, allows remote attackers to execute arbitrary code via a long URL that triggers the overflow in a URI worker map routine.
The best practice for web applications built on top of the Apache Struts 2 framework is to switch off Developer Mode (struts.devMode parameter in the struts.xml configuration file) before going into production. When devMode is left enabled, attackers can gain remote code execution by setting the 'debug=command' URL parameter and sending OGNL expressions through the 'expression' URL parameter. This module takes advantage of this misconfiguration scenario in order to deploy an agent in the target system.
The DefaultActionMapper class in Apache Struts 2 supports a method for short-circuit navigation state changes by prefixing parameters like "redirect:" or "redirect-action:". The information contained in these prefixes is not properly sanitized before being evaluated as OGNL expressions on the server side, which allows remote attackers to execute arbitrary Java code on the server. This module exploits the vulnerability in any web application built on top of vulnerable versions of the Apache Struts 2 framework.
This module exploits a vulnerability in Apache Struts. The specific vulnerability is in the ParametersInterceptor, which allows a direct manipulation of the ClassLoader and as a result an attacker can execute arbitrary Java code in the target machine.
After successful exploitation an agent will be installed. Apache usually runs as the user nobody, or as some other low-privileged user. After exploitation, the agent will be running as this user.