Showing posts with label Vulnerability. Show all posts

Sunday, 30 December 2018

CVE-2018-1002105: Kubernetes - Arbitrary Requests (Unauthenticated and Authenticated)


EDB-ID: 46052 and 46053
Author: EVICT
Type: Remote
Published: 2018-12-10 (2018-12)
Platform: Multiple

About CVE-2018-1002105:
   In all Kubernetes versions prior to v1.10.11, v1.11.5, and v1.12.3, incorrect handling of error responses to proxied upgrade requests in the kube-apiserver allowed specially crafted requests to establish a connection through the Kubernetes API server to backend servers, then send arbitrary requests over the same connection directly to the backend, authenticated with the Kubernetes API server's TLS credentials used to establish the backend connection.

About EDB-ID-46052 (Unauthenticated):

About EDB-ID-46053 (Authenticated):



From Exploit Database and NVD

EDB-ID-46057: Product Key Explorer 4.0.9 - Denial of Service (PoC)


EDB-ID: 46057
Author: T3JV1L
Type: DoS
Published: 2018-12-27 (2018-12)
Platform: Windows_x86

About Product Key Explorer:
   Product Key Explorer is a product key finder for Windows, designed to help users find, recover and back up activation keys for more than 9,000 popular software programs installed on local or network computers.

About EDB-ID-46057:




Saturday, 29 December 2018

CVE-2018-1160: Netatalk - Bypass Authentication


EDB-ID: 46048
CVE: CVE-2018-1160
Author: TENABLE NS
Type: Remote
Published: 2018-12-21 (2018-12)
Platform: Multiple

Description about CVE-2018-1160:

   Netatalk before 3.1.12 is vulnerable to an out-of-bounds write in dsi_opensess.c. This is due to a lack of bounds checking on attacker-controlled data. A remote unauthenticated attacker can leverage this vulnerability to achieve arbitrary code execution.



Wednesday, 17 October 2018

CVE-2018-11529: VLC Media Player - MKV Use-After-Free (Metasploit)


EDB-ID: 45626
CVE: CVE-2018-11529
E-DB Verified: Yes
Author: Metasploit
Type: Local
Published: 2018-10-16
Platform: Windows

Description about CVE-2018-11529:

   VideoLAN VLC media player 2.2.x is prone to a use-after-free vulnerability which an attacker can leverage to execute arbitrary code via crafted MKV files. Failed exploit attempts will likely result in denial-of-service conditions.


EDB-ID-45515: Billion ADSL Router 400G 20151105641 - Cross-Site Scripting


EDB-ID: 45515
E-DB Verified: Yes
Author: cakes
Type: Webapps
Published: 2018-10
Platform: Hardware




From Exploit Database

Tuesday, 2 October 2018

EDB-ID-45502: The vulnerabilities can Break the Microsoft Edge Sandbox


EDB-ID: 45502
CVE: CVE-2018-8463, CVE-2018-8468, CVE-2018-8469
E-DB Verified: Yes
Author: Google Security Research
Type: Remote
Advisory/Source: bugs.chromium.org
Published: 2018-09-27 (2018-10 on GitHackTools)
Platform: Windows


Vulnerable: Microsoft Edge
 * Microsoft Windows 10 for 32-bit Systems
 * Microsoft Windows 10 for x64-based Systems
 * Microsoft Windows 10 version 1511 for 32-bit Systems
 * Microsoft Windows 10 version 1511 for x64-based Systems
 * Microsoft Windows 10 Version 1607 for 32-bit Systems
 * Microsoft Windows 10 Version 1607 for x64-based Systems
 * Microsoft Windows 10 version 1703 for 32-bit Systems
 * Microsoft Windows 10 version 1703 for x64-based Systems
 * Microsoft Windows 10 version 1709 for 32-bit Systems
 * Microsoft Windows 10 version 1709 for x64-based Systems
 * Microsoft Windows 10 Version 1803 for 32-bit Systems
 * Microsoft Windows 10 Version 1803 for x64-based Systems
 * Microsoft Windows Server 2016
 * Microsoft Windows Server 2016 for x64-based Systems
 * Microsoft Windows Server 2012 R2
 * Microsoft Windows Server 2012
 * Microsoft Windows Server 2008 R2 for x64-based Systems SP1
 * Microsoft Windows Server 2008 R2 for Itanium-based Systems SP1
 * Microsoft Windows Server 2008 for x64-based Systems SP2
 * Microsoft Windows Server 2008 for Itanium-based Systems SP2
 * Microsoft Windows Server 2008 for 32-bit Systems SP2

About CVE-2018-8463
   An elevation of privilege vulnerability exists in Microsoft Edge that could allow an attacker to escape from the AppContainer sandbox in the browser, aka "Microsoft Edge Elevation of Privilege Vulnerability." This affects Microsoft Edge. This CVE ID is unique from CVE-2018-8469.
   An elevation of privilege vulnerability exists in Microsoft Edge that could allow an attacker to escape from the AppContainer sandbox in the browser. An attacker who successfully exploited this vulnerability could gain elevated privileges and break out of the Edge AppContainer sandbox.
   The vulnerability by itself does not allow arbitrary code to run. However, this vulnerability could be used in conjunction with one or more vulnerabilities (for example a remote code execution vulnerability and another elevation of privilege vulnerability) to take advantage of the elevated privileges when running.
   The security update addresses the vulnerability by modifying how Microsoft Edge handles sandboxing.

About CVE-2018-8468
   An elevation of privilege vulnerability exists in Windows that allows a sandbox escape, aka "Windows Elevation of Privilege Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers.
   An elevation of privilege vulnerability exists in Windows that allows a sandbox escape. An attacker who successfully exploited the vulnerability could use the sandbox escape to elevate privileges on an affected system.
   This vulnerability by itself does not allow arbitrary code execution. However, the vulnerability could allow arbitrary code to run if an attacker uses it in combination with another vulnerability, such as a remote code execution vulnerability or another elevation of privilege vulnerability, that can leverage the elevated privileges when code execution is attempted.
   The security update addresses the vulnerability by correcting how Windows parses files.

About CVE-2018-8469
   An elevation of privilege vulnerability exists in Microsoft Edge that could allow an attacker to escape from the AppContainer sandbox in the browser, aka "Microsoft Edge Elevation of Privilege Vulnerability." This affects Microsoft Edge. This CVE ID is unique from CVE-2018-8463.
   An elevation of privilege vulnerability exists in Microsoft Edge that could allow an attacker to escape from the AppContainer sandbox in the browser. An attacker who successfully exploited this vulnerability could gain elevated privileges and break out of the Edge AppContainer sandbox.
   The vulnerability by itself does not allow arbitrary code to run. However, this vulnerability could be used in conjunction with one or more vulnerabilities (for example a remote code execution vulnerability and another elevation of privilege vulnerability) to take advantage of the elevated privileges when running.
   The security update addresses the vulnerability by modifying how Microsoft Edge handles sandboxing.



From Exploit Database, CVE and Microsoft

[ZeroDay] ZDI-18-1078: Cisco WebEx Network Recording Player NMVC RtpConfig Stack-based Buffer Overflow Remote Code Execution Vulnerability

About ZDI-18-1078
   Cisco WebEx Network Recording Player NMVC RtpConfig Stack-based Buffer Overflow Remote Code Execution Vulnerability

   ZDI ID: ZDI-18-1078 or ZDI-CAN-6254
   CVE ID: CVE-2018-15421
   CVSS SCORE: 5.1, (AV:N/AC:H/Au:N/C:P/I:P/A:P)
   AFFECTED VENDORS: Cisco
   AFFECTED PRODUCTS: WebEx


   Additional Details

      Cisco has issued an update to correct this vulnerability. More details can be found at: cisco-sa-20180919-webex

   Timeline:
    * 2018-05-24 - Vulnerability reported to vendor
    * 2018-09-21 - Coordinated public release of advisory
    * 2018-09-21 - Advisory Updated

   Credit: Ziad Badawi

   Vulnerability Details
      This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Cisco WebEx Network Recording Player. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the NMVC.DLL module. When parsing an ARF file, the process does not properly validate the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code under the context of the current process.

Over this past year, several different researchers submitted bug reports in the Cisco Webex suite of programs. However, in their more than 40 submissions, they missed this trivial stack-based buffer overflow. This blog details ZDI-18-1078, a vulnerability in Cisco Webex Network Recording Player version 31.23.2.58 (now reaching its EOL) that results in remote code execution.

The Vulnerability
   When reading an Advanced Recording (.arf) file, the player attempts to access a file in the current directory named RtpConfig.ini. This action is not documented. The .ini file contains the configuration for what is likely a Real-Time Transport Protocol (RTP) service, but since neither the file nor the service is documented, it may be something different.
(Figure: Process Monitor showing nbrplay.exe looking for RtpConfig.ini)

   The bug occurs in nmvc.dll inside a routine labeled sub_1001F479 that parses RtpConfig.ini and extracts its properties. The following snippet shows how the MinLostRate parameter is getting set up as well as other parameters going downwards.
(Figure: Setting up different properties)

   The culprit is a call to sscanf, a function on Microsoft's banned-function list, with no width field in the format string. The sscanf call parses the .ini file contents and reads property values in order to match them against a set of hardcoded parameters. The format used is: %[^ \t#]%*[ \t]%[^ \t#]%n

   This format writes to three arguments (the two strings and the %n character count). The first and third specifiers (%[^ \t#]) carry no width value between the % and the [, so each of them copies every character until it reaches whitespace or a '#'. The results are written to the passed arguments Str1 and Source with no regard for their sizes, which leads to an overflow if the input is large enough.
(Figure: No width in format string)
   The .ini file is read in 0x3FF-byte chunks and, since the two consecutive stack variables Source and Str1 are sized 0x100 and 0x106 bytes respectively, an overflow can occur and corrupt the stack.

(Figure: Corrupted stack)
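The parsing flaw described above comes down to two %[ conversions with no maximum field width. The C program below is an added example, not code from the advisory or from Cisco's nmvc.dll: it reimplements the same three-argument format with widths that match the destination buffers and rejects over-long tokens instead of writing past the buffers. The buffer sizes 0x106 and 0x100 and the 0x3FF-byte chunk size come from the write-up; which of the two buffers held the key versus the value, the function names, and the sample lines are assumptions made for this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Destination sizes from the write-up (0x106 and 0x100 bytes). Which one held
 * the key versus the value inside nmvc.dll is an assumption of this example. */
#define KEY_W 261                 /* 0x106 - 1: one byte left for the NUL */
#define VAL_W 255                 /* 0x100 - 1 */
#define KEY_BUF (KEY_W + 1)
#define VAL_BUF (VAL_W + 1)
#define XSTR(x) #x
#define STR(x) XSTR(x)

/* Vulnerable shape from the advisory, kept here only as a comment:
 *     sscanf(line, "%[^ \t#]%*[ \t]%[^ \t#]%n", key, val, &consumed);
 * Without a width, "%[^ \t#]" copies until whitespace or '#', however long
 * the token is, so a line longer than the buffers corrupts the stack. */

/* Hardened form: each "%[" carries a width one less than its buffer, and a
 * token that fills the width without ending at a delimiter is rejected rather
 * than silently truncated. Returns 1 on success, 0 on reject. */
int parse_rtp_line(const char *line, char key[KEY_BUF], char val[VAL_BUF])
{
    int consumed = 0;
    int n = sscanf(line,
                   "%" STR(KEY_W) "[^ \t#]%*[ \t]%" STR(VAL_W) "[^ \t#]%n",
                   key, val, &consumed);
    if (n != 2)
        return 0; /* no key, no separator, or key too long to reach the separator */
    /* If the value stopped because its width ran out, the next character is
     * not a delimiter: the line is over-long, so refuse it. */
    unsigned char next = (unsigned char)line[consumed];
    if (next != '\0' && next != '#' && !isspace(next))
        return 0;
    return 1;
}

/* Constructed input: one 0x3FF-byte read chunk made of an over-long key.
 * Returns 1 if the hardened parser rejected it. */
int overlong_key_rejected(void)
{
    char line[0x400];
    char key[KEY_BUF], val[VAL_BUF];
    memset(line, 'A', 0x3FD);
    line[0x3FD] = ' ';
    line[0x3FE] = '1';
    line[0x3FF] = '\0';
    return parse_rtp_line(line, key, val) == 0;
}

/* Constructed input: short key, value longer than VAL_W. */
int overlong_value_rejected(void)
{
    char line[0x400];
    char key[KEY_BUF], val[VAL_BUF];
    memcpy(line, "MinLostRate ", 12);
    memset(line + 12, '9', 0x3FF - 12);
    line[0x3FF] = '\0';
    return parse_rtp_line(line, key, val) == 0;
}

int main(void)
{
    char key[KEY_BUF], val[VAL_BUF];
    if (parse_rtp_line("MinLostRate 5   # percent", key, val))
        printf("key=%s val=%s\n", key, val);
    printf("over-long key rejected: %d\n", overlong_key_rejected());
    printf("over-long value rejected: %d\n", overlong_value_rejected());
    return 0;
}
```

The width is derived from the buffer size at compile time through the STR macro, so the two cannot drift apart; rejecting a token that exactly fills the width is what distinguishes a safe parser from one that merely truncates and then acts on a half-read value.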

Conclusion

   Cisco patched this and two other vulnerabilities with advisory cisco-sa-20180919-webex. It is good to know that these versions are reaching their EOL, as many similar bugs have been submitted to the program. Hopefully, the newer versions are more secure. Bug submissions in enterprise software are on the rise, putting this category just behind Desktop Application and SCADA submissions. Considering how many of these programs exist in enterprises, this trend will likely continue.

   You can find the author on Twitter at @ziadrb and follow his team for the latest exploit techniques and security patches.


Friday, 28 September 2018

CVE-2018-17182: Linux Kernel Vulnerability and PoC Exploit

A security researcher with Google Project Zero has released the details of, and a proof-of-concept (PoC) exploit for, a high-severity vulnerability that exists in the Linux kernel from version 3.16 through 4.18.8.

Discovered by whitehat hacker Jann Horn, the kernel vulnerability (CVE-2018-17182) is a cache invalidation bug in the Linux memory management subsystem that leads to a use-after-free which, if exploited, could allow an attacker to gain root privileges on the targeted system.

Use-after-free (UAF) vulnerabilities are a class of memory corruption bug that can be exploited by unprivileged users to corrupt or alter data in memory, enabling them to cause a denial of service (system crash) or escalate privileges to gain administrative access on a system.

Linux Kernel Exploit Takes an Hour to Gain Root Access
   However, Horn says his PoC Linux kernel exploit made available to the public "takes about an hour to run before popping a root shell."

   Horn responsibly reported the vulnerability to the Linux kernel maintainers on September 12, and the Linux team fixed the issue in its upstream kernel tree within just two days, which Horn said was "exceptionally fast, compared to the fix times of other software vendors."

   The Linux kernel vulnerability was disclosed on the oss-security mailing list on September 18 and was patched in the upstream-supported stable kernel versions 4.18.9, 4.14.71, 4.9.128, and 4.4.157 on the next day.

   A fix for CVE-2018-17182 is also included in release 3.16.58.

Debian and Ubuntu Linux Left its Users Vulnerable for Over a Week
   "However, a fix being in the upstream kernel does not automatically mean that users' systems are actually patched," Horn noted.

   The researcher was disappointed knowing that some major Linux distributions, including Debian and Ubuntu, left their users exposed to potential attacks by not releasing kernel updates more than a week after the vulnerability was made public.

   As of Wednesday, both Debian stable and Ubuntu releases 16.04 and 18.04 had not patched the vulnerability.

   However, the Fedora project already rolled out a security patch for CVE-2018-17182 to its users on 22 September.
"Debian stable ships a kernel based on 4.9, but as of 2018-09-26, this kernel was last updated 2018-08-21. Similarly, Ubuntu 16.04 ships a kernel that was last updated 2018-08-27," Horn noted.
"Android only ships security updates once a month. Therefore, when a security-critical fix is available in an upstream stable kernel, it can still take weeks before the fix is actually available to users—especially if the security impact is not announced publicly."

   In response to Horn's blog post, the Ubuntu maintainers said they would likely release patches for the Linux kernel flaw around October 1, 2018.

   Horn said that once the patch is deployed in the upstream kernel, the vulnerability and the patch become public, which, in this case, could allow malicious actors to develop a Linux kernel exploit to target users.



Information About CVE-2018-17182 PoC
   EDB-ID: 45497
   CVE: CVE-2018-17182
   E-DB Verified: Yes
   Author: Google Security Research
   Type: Local
   Advisory/Source: bugs.chromium.org
   Published: 2018-09-26
   Platform: Linux
   
   Description about CVE-2018-17182
      An issue was discovered in the Linux kernel through 4.18.8. The vmacache_flush_all function in mm/vmacache.c mishandles sequence number overflows. An attacker can trigger a use-after-free (and possibly gain privileges) via certain thread creation, map, unmap, invalidation, and dereference operations.


Tuesday, 25 September 2018

CVE-2018-16509: Ghostscript - Failed Restore Command Execution (Metasploit)

EDB-ID: 45367
CVE: CVE-2018-16509
E-DB Verified: Yes
Author: Metasploit
Type: Local
Advisory/Source: GitHub
Published: 2018-09-10
Platform: Linux

Description about CVE-2018-16509:

   An issue was discovered in Artifex Ghostscript before 9.24. Incorrect "restoration of privilege" checking during handling of /invalidaccess exceptions could be used by attackers able to supply crafted PostScript to execute code using the "pipe" instruction.





Monday, 24 September 2018

CVE-2018-11776: Apache Struts 2 - Namespace Redirect OGNL Injection (Metasploit module)

EDB-ID: 45367
CVE: CVE-2018-11776
E-DB Verified: Yes
Author: Metasploit
Type: Remote
Advisory/Source: GitHub
Published: 2018-09-10
Platform: Multiple (Windows, Linux)

Description about CVE-2018-11776:
   Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16 suffer from possible remote code execution when alwaysSelectFullNamespace is true (set either by the user or by a plugin such as the Convention Plugin) and either: results are used with no namespace while, at the same time, their upper package has no namespace or a wildcard namespace; or, similarly, a url tag is used without value and action set while, at the same time, its upper package has no namespace or a wildcard namespace.




[ZeroDay] ZDI-CAN-6135: A Remote Code Execution Vulnerability in the Windows JET Database Engine

On September 20, 2018, the Zero Day Initiative released additional information regarding a bug report that had exceeded the 120-day disclosure timeline. More details on this process can be found in their disclosure policy.

An out-of-bounds (OOB) write in the Microsoft JET Database Engine that could allow remote code execution was initially reported to Microsoft on May 8, 2018. An attacker could leverage this vulnerability to execute code in the context of the current process; however, it does require user interaction, since the target would need to open a malicious file. As of today, this bug remains unpatched.

The Vulnerability
   The root cause of this issue resides in the Microsoft JET Database Engine. Microsoft patched two other issues in JET in the September Patch Tuesday updates. While the patched bugs are listed as buffer overflows, this additional bug is actually an out-of-bounds write, which can be triggered by opening a JET data source via OLEDB. Here's a look at the resulting crash:

   To trigger this vulnerability, a user would need to open a specially crafted file containing data stored in the JET database format. Various applications use this database format. An attacker using this would be able to execute code at the level of the current process.

   If you’d like to test this out for yourself, you can find the proof of concept code here:

Recommendation
   Our investigation has confirmed this vulnerability exists in Windows 7, but the Zero Day Initiative believes that all supported Windows versions are impacted by this bug, including server editions. You can view their advisory here. Microsoft continues to work on a patch for this vulnerability, and the Zero Day Initiative hopes to see it in the regularly scheduled October patch release. In the absence of a patch, the only salient mitigation strategy is to exercise caution and not open files from untrusted sources.

   As always, Simon Zuckerbraun can be found on Twitter at @HexKitchen; follow the team for the latest in exploit techniques and security patches.

Disclosure Timeline:
 * 05/08/18 - ZDI reported the vulnerability to the vendor and the vendor acknowledged it that same day
 * 05/14/18 - The vendor replied that they had successfully reproduced the issue ZDI reported
 * 09/09/18 - The vendor reported an issue with the fix and that the fix might not make the September release
 * 09/10/18 - ZDI cautioned of a potential 0-day
 * 09/11/18 - The vendor confirmed the fix did not make the build
 * 09/12/18 - ZDI confirmed to the vendor the intention to 0-day on 09/20/18
 * 09/20/18 - Coordinated public release of advisory
