CVE-2006-5229
OpenSSH portable 4.1 on SUSE Linux, and possibly other platforms and versions, and possibly under limited configurations, allows remote attackers to determine valid usernames via timing discrepancies...
CVE-2010-1163
The command matching functionality in sudo 1.6.8 through 1.7.2p5 does not properly handle when a file in the current working directory has the same name as a pseudo-command in the sudoers file and the...
McAfee VirusScan Enterprise security restrictions bypass
McAfee VirusScan Enterprise security restrictions bypass Advisory URL: http://lab.mediaservice.net/advisory/2016-01-mcafee.txt Security Advisory @ Mediaservice.net Srl (#01, 13/04/2016) Data Security...
CVE-2016-5983 – IBM WebSphere deserialization of untrusted data
IBM WebSphere deserialization of untrusted data Advisory URL: http://lab.mediaservice.net/advisory/2016-02-websphere.txt Security Advisory @ Mediaservice.net Srl (#02, 07/10/2016) Data Security Division...
CVE-2016-7065 – Red Hat JBoss EAP deserialization of untrusted data
Red Hat JBoss EAP deserialization of untrusted data Advisory URL: http://lab.mediaservice.net/advisory/2016-05-jboss.txt Security Advisory @ Mediaservice.net Srl (#05, 23/11/2016) Data Security Division...
CVE-2016-8919 – IBM WebSphere deserialization of untrusted data
IBM WebSphere deserialization of untrusted data Advisory URL: http://lab.mediaservice.net/advisory/2016-03-websphere.txt Security Advisory @ Mediaservice.net Srl (#01, 06/09/2016) Data Security Division Title: IBM...
CVE-2019-2832 – Local privilege escalation via CDE dtprintinfo
A buffer overflow in the DtPrinterAction::PrintActionExists() function in the Common Desktop Environment 2.3.0 and earlier, as used in Oracle Solaris 10 1/13 (Update 11) and earlier, allows local...
CVE-2019-3010 – Local privilege escalation on Solaris 11.x via xscreensaver
As previously mentioned, INFILTRATE left me with the will to hack stuff and enjoy it like it was 1999. That’s why I decided to take a closer look at Solaris 11.4 and search for potential...
CVE-2020-2656 – Low impact information disclosure via Solaris xlock
A low impact information disclosure vulnerability in the setuid root xlock binary distributed with Solaris may allow local users to read partial contents of sensitive files. Due to the fact that...
CVE-2020-2696 – Local privilege escalation via CDE dtsession
During my recent audit of Oracle Solaris, undertaken as a weekend project, I inevitably had to review the Common Desktop Environment shipped with Solaris 10. CDE has a huge attack surface of legacy...
CVE-2020-7799 – FusionAuth “Apache Freemarker” Code Execution
@Mediaservice.net Security Advisory #2020-03 (last updated on 2020-01-27) Title: FusionAuth command execution via Apache Freemarker Template Application: FusionAuth 1.10 and lower Platforms: Tested on...
CVE-2019-12180 – ReadyAPI & SoapUI command execution via malicious project file
In early 2019, I had to pentest a couple of SOAP WebServices of a client and, as usual, I asked them for some example requests as a baseline for my analysis. The client suggested using a SoapUI /...
CVE-2020-2944 – Local privilege escalation via CDE sdtcm_convert
Since I moved from Solaris 11 to audit Solaris 10, my weekend project has become much more fun… As you already know if you are a reader of this blog, at the beginning of November I started auditing...
CVE-2020-2851 – Stack-based buffer overflow in CDE libDtSvc
A difficult to exploit stack-based buffer overflow in the _DtCreateDtDirs() function in the Common Desktop Environment version distributed with Oracle Solaris 10 1/13 (Update 11) and earlier may allow...
CVE-2020-2771 – Heap-based buffer overflow in Solaris whodo and w commands
A difficult to exploit heap-based buffer overflow in setuid root whodo and w binaries distributed with Solaris allows local users to corrupt memory and potentially execute arbitrary code in order to...