zeropwn/vulnerability-reports-and-pocs

A repository hosting some of my own vulnerability reports and proof-of-concepts.
My Vulnerability Reports & PoCs

KDE 4/5 KConfig (KDesktopFile) Command Injection (CVE-2019-14744)

Date: July 28th 2019

KDE Frameworks < 5.61.0 is vulnerable to a command injection vulnerability in the KDesktopFile class. When a .desktop or .directory file is instantiated, it unsafely evaluates environment variables and shell expansions using KConfigPrivate::expandString() via the KConfigGroup::readEntry() function. Using a specially crafted .desktop file, a remote user could be compromised simply by downloading and viewing the file in their file manager, or by dragging and dropping a link to it onto their documents folder or desktop.

Axway SecureTransport 5.x Unauthenticated XML Injection / XXE (CVE-2019-14277)

Date: July 20th 2019

Axway SecureTransport versions 5.3 through 5.0 (and potentially others) are vulnerable to an unauthenticated blind XML injection (& XXE) vulnerability in the resetPassword functionality via the REST API. If executed properly, this vulnerability can lead to local file disclosure, DoS or URI invocation attacks (e.g. SSRF->RCE). It's worth noting that in version 5.4 the v1 API was deprecated, but not removed entirely. This means the vulnerability can still be triggered on updated installations if v1.0, v1.1, v1.2 or v1.3 are still present in the /api/ directory.

EA Origin <10.5.38 Argument Injection Remote Code Execution (CVE-2019-12828)

Date: May 22nd 2019

An issue was discovered in Electronic Arts Origin before 10.5.39. Due to improper sanitization of the origin:// and origin2:// URI schemes, it is possible to inject additional arguments into the Origin process and ultimately leverage code execution by loading a backdoored Qt plugin remotely via the platformpluginpath argument supplied with a Windows network share.

EA Origin <10.5.36 Template Injection Remote Code Execution (CVE-2019-11354)

Date: April 16th 2019

The client in Electronic Arts (EA) Origin 10.5.36 on Windows allows template injection in the title parameter of the Origin2 URI handler. This can be used to escape the underlying AngularJS sandbox and achieve remote code execution via an origin2://game/launch URL for QtApplication QDesktopServices communication.

Soleo IP Relay SSRF/Source Disclosure (No CVE)

Date: August 19th 2018

On Saturday, August 19, Dominik Penner and Manny Mand, two security researchers with Project Insecurity, revealed that TRS systems developed by Soleo Communications were impacted by a local file disclosure vulnerability.

The two explained that this vulnerability, caused by improper input sanitization, allows an attacker to determine what files are stored on a TRS system, and then access the files via its web interface.

Penner and Mand believe an attacker would be able to use this vulnerability to retrieve source code files present on the TRS system or the underlying web server.

"Within the source code lies passwords which allow the servlet to communicate with other services, such as SQL/LDAP," the two said in a report published over the weekend. "An attacker could extract these passwords from within the source files, and further escalate their privileges on the server, or even use said information in a social engineering attack."

OpenEMR v5.0.1.3 Vulnerability Report (Multiple CVEs)

Date: August 7th 2018

Bugs found:

  • SQL Injection (x9)
  • Remote Code Execution (x4)
  • Information Disclosure (x3)
  • Arbitrary Read/Write
  • Unrestricted File Upload
  • Cross-Site Request Forgery to RCE
  • Authentication Bypass

https://github.com/zeropwn/vulnerability-reports-and-pocs/blob/master/OpenEMR%20-%20Vulnerability%20Report.pdf

Linksys Smart WiFi Information Disclosure (CVE-2014-8244)

Exploits an information disclosure vulnerability commonly found in many Linksys routers.

https://github.com/zeropwn/vulnerability-reports-and-pocs/blob/master/Linksys-Smart-WiFi-Information-Disclosure.py

https://badpackets.net/over-25000-linksys-smart-wi-fi-routers-vulnerable-to-sensitive-information-disclosure-flaw/
