exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New
Showing 1 - 25 of 113 RSS Feed

Files from Yorick Koster

Real NameYorick Koster
Email addressprivate
Websitenl.linkedin.com/in/yorickkoster
First Active2009-07-17
Last Active2024-08-31
View User Profile
Internet Explorer Iframe Sandbox File Name Disclosure
Posted Aug 31, 2024
Authored by Yorick Koster | Site metasploit.com

It was found that Internet Explorer allows the disclosure of local file names. This issue exists due to the fact that Internet Explorer behaves different for file:// URLs pointing to existing and non-existent files. When used in combination with HTML5 sandbox iframes it is possible to use this behavior to find out if a local file exists. This technique only works on Internet Explorer 10 and 11 since these support the HTML5 sandbox. Also it is not possible to do this from a regular website as file:// URLs are blocked all together. The attack must be performed locally (works with Internet zone Mark of the Web) or from a share.

tags | exploit, web, local
advisories | CVE-2016-3321
SHA-256 | 0b30e1f06e794629552d9172732b96c2d1cf6a789686d06961747f044e43ffcb
WordPress Traversal Directory Denial of Service
Posted Aug 31, 2024
Authored by Yorick Koster, CryptisStudents | Site metasploit.com

Cross-site request forgery (CSRF) vulnerability in the wp_ajax_update_plugin function in wp-admin/includes/ajax-actions.php in WordPress before 4.6 allows remote attackers to hijack the authentication of subscribers for /dev/random read operations by leveraging a late call to

tags | exploit, remote, php, csrf
advisories | CVE-2016-6897
SHA-256 | dfbf6112b8043a07bd5dc3c5f12befea229766c77ef87e3562c17357bedf2f80
Cisco AnyConnect Privilege Escalation
Posted Sep 30, 2020
Authored by Yorick Koster, Christophe de la Fuente, Antoine Goichot | Site metasploit.com

The installer component of Cisco AnyConnect Secure Mobility Client for Windows prior to 4.8.02042 is vulnerable to path traversal and allows local attackers to create/overwrite files in arbitrary locations with system level privileges. The installer component of Cisco AnyConnect Secure Mobility Client for Windows prior to 4.9.00086 is vulnerable to a DLL hijacking and allows local attackers to execute code on the affected machine with with system level privileges. Both attacks consist in sending a specially crafted IPC request to the TCP port 62522 on the loopback device, which is exposed by the Cisco AnyConnect Secure Mobility Agent service.

tags | exploit, arbitrary, local, tcp
systems | cisco, windows
advisories | CVE-2020-3153, CVE-2020-3433
SHA-256 | 74ae12d312c6c46fa9f122b2a106d803de515d0b707dfe34720c066dd56a2680
Microsoft OneDrive 19.232.1124.0010 DLL Hijacking
Posted Jul 10, 2020
Authored by Yorick Koster, Securify B.V.

A file hijacking vulnerability was found in the Microsoft OneDrive client. This vulnerability allows a local attacker to plant a DLL file on the local machine. This DLL will then be loaded whenever (another) user launches OneDrive, running with the privileges of the victim. This issue was successfully verified on Microsoft OneDrive version 19.232.1124.0010.

tags | exploit, local
SHA-256 | cdf89cfe735b764a683421b596c19e1fa3faa2afa4b22a2a0becf3b682b9ff97
Cisco AnyConnect Path Traversal / Privilege Escalation
Posted Jun 25, 2020
Authored by Yorick Koster, Christophe de la Fuente, Antoine Goichot | Site metasploit.com

The installer component of Cisco AnyConnect Secure Mobility Client for Windows prior to version 4.8.02042 is vulnerable to path traversal and allows local attackers to create/overwrite files in arbitrary locations with system level privileges. The attack consists in sending a specially crafted IPC request to the TCP port 62522 on the loopback device, which is exposed by the Cisco AnyConnect Secure Mobility Agent service. This service will then launch the vulnerable installer component (vpndownloader), which copies itself to an arbitrary location before being executed with system privileges. Since vpndownloader is also vulnerable to DLL hijacking, a specially crafted DLL (dbghelp.dll) is created at the same location vpndownloader will be copied to get code execution with system privileges. This exploit has been successfully tested against Cisco AnyConnect Secure Mobility Client versions 4.5.04029, 4.5.05030 and 4.7.04056 on Windows 10 version 1909 (x64) and Windows 7 SP1 (x86).

tags | exploit, arbitrary, x86, local, tcp, code execution
systems | cisco, windows
advisories | CVE-2020-3153
SHA-256 | b6d44c2b494378ff342fef57be9d4be4564327103eadabb01ff166ae6dae9bff
Cisco AnyConnect Secure Mobility Client 4.8.01090 Privilege Escalation
Posted Apr 21, 2020
Authored by Yorick Koster, Securify B.V.

Cisco AnyConnect Secure Mobility Client for Windows version 4.8.01090 suffer from a privilege escalation vulnerability due to insecure handling of path names.

tags | exploit
systems | cisco, windows
advisories | CVE-2020-3153
SHA-256 | 8ee614424eee5c4644b331ca89e2c2afc6470c9c8941cb5e0f7d3280686ef76c
QRadar Community Edition 7.3.1.6 Path Traversal
Posted Apr 21, 2020
Authored by Yorick Koster, Securify B.V.

QRadar Community Edition version 7.3.1.6 has a path traversal that exists in the session validation functionality. In particular, the vulnerability is present in the part that handles session tokens (UUIDs). QRadar fails to validate if the user-supplied token is in the correct format. Using path traversal it is possible for authenticated users to impersonate other users, and also to executed arbitrary code (via Java deserialization). The code will be executed with the privileges of the Tomcat system user.

tags | exploit, java, arbitrary, file inclusion
SHA-256 | d0089d965548cc9ad0cf3335b0445c8f608d84826c153acdf719f7a4d672de9a
QRadar Community Edition 7.3.1.6 Authorization Bypass
Posted Apr 21, 2020
Authored by Yorick Koster, Securify B.V.

QRadar Community Edition version 7.3.1.6 suffers from an authorization bypass vulnerability.

tags | exploit, bypass
advisories | CVE-2020-4274
SHA-256 | eaefd76762cac1aef9a9ba909eae0231fa2f6033f281a8d3c45881d26db41f86
QRadar Community Edition 7.3.1.6 Arbitrary Object Instantiation
Posted Apr 21, 2020
Authored by Yorick Koster, Securify B.V.

QRadar Community Edition version 7.3.1.6 is vulnerable to instantiation of arbitrary objects based on user-supplied input. An authenticated attacker can abuse this to perform various types of attacks including server-side request forgery and (potentially) arbitrary execution of code.

tags | exploit, arbitrary, file inclusion
advisories | CVE-2020-4272
SHA-256 | 79acda4a95f3ff77796484c45f9a5e4263e1e7678990f7cefeb06fe52b21e965
QRadar Community Edition 7.3.1.6 PHP Object Injection
Posted Apr 21, 2020
Authored by Yorick Koster, Securify B.V.

QRadar Community Edition version 7.3.1.6 suffers from a php object injection vulnerability.

tags | exploit, php
advisories | CVE-2020-4271
SHA-256 | f3ead7ab6cd9ff80673ed0eb62aee04ea3cf3ec0b0842fbda2123d7595ae9847
QRadar Community Edition 7.3.1.6 Insecure File Permissions
Posted Apr 21, 2020
Authored by Yorick Koster, Securify B.V.

QRadar Community Edition version 7.3.1.6 suffers from a local privilege escalation due to insecure file permissions with run-result-reader.sh.

tags | exploit, local
advisories | CVE-2020-4270
SHA-256 | 715d99b55d854b8fb9614afe2a7874cfe20587ea62fbe0dc00f243f7d7096d49
QRadar Community Edition 7.3.1.6 Cross Site Scripting
Posted Apr 21, 2020
Authored by Yorick Koster, Securify B.V.

QRadar Community Edition version 7.3.1.6 suffers from a reflective cross site scripting vulnerability in the Forensics link analysis page.

tags | exploit, xss
SHA-256 | de763810bd2f7fcedfeb5bef3c398e9153a25a188ec90a611064997aac9a057b
QRadar Community Edition 7.3.1.6 CSRF / Weak Access Control
Posted Apr 21, 2020
Authored by Yorick Koster, Securify B.V.

QRadar Community Edition version 7.3.1.6 suffers from cross site request forgery and weak access control vulnerabilities.

tags | exploit, vulnerability, csrf
SHA-256 | 1caf5adfef98f5b24c0b2fa37febb95cb109d5510d52d085c81c9c3de940faf4
QRadar Community Edition 7.3.1.6 Server Side Request Forgery
Posted Apr 21, 2020
Authored by Yorick Koster, Securify B.V.

QRadar Community Edition version 7.3.1.6 has an issue where the RssFeedItem class of the QRadar web application is used to fetch and parse RSS feeds. No validation is performed on the user-supplied RSS feed URL. Due to the lack of URL validation (whitelisting), it is possible for authenticated attackers to execute Server-Side Request Forgery attacks. Using this issue it is possible to call the Apache Axis AdminService webservice in order to execute arbitrary code with the privileges of the Tomcat user.

tags | exploit, web, arbitrary
advisories | CVE-2020-4294
SHA-256 | c78ec41b4d8e07a1a88990b1959fd41ff5c7e8f2a7dc9c0d3bc5f59588faaa55
QRadar Community Edition 7.3.1.6 Default Credentials
Posted Apr 21, 2020
Authored by Yorick Koster, Securify B.V.

QRadar Community Edition version 7.3.1.6 is deployed with a default password for the ConfigServices account. Using this default password it is possible to download configuration sets containing sensitive information, including (encrypted) credentials and host tokens. With these host tokens it is possible to access other parts of QRadar.

tags | exploit
advisories | CVE-2020-4269
SHA-256 | 7b24d2b362e3b645c36d7e340f45ee8ed555752f025a186acb8909e63ea7536d
ZoneAlarm TrueVector Internet Monitor Insecure NTFS Permissions
Posted Mar 18, 2020
Authored by Yorick Koster, Securify B.V.

A vulnerability was found in the TrueVector Internet Monitor service, which is installed as part of the Check Point ZoneAlarm firewall. This vulnerability allows a local attacker to cause the affected service to change the file permissions of arbitrary local files. After the file permissions have been changed, the attacker can then overwrite its content, and ultimately gain elevated privileges on the vulnerable machine. This vulnerability was successfully verified on ZoneAlarm Free Firewall version 15.8.023.18219 and TrueVector Internet Monitor version 15.8.7.18219.

tags | exploit, arbitrary, local
SHA-256 | 02f488ac378d0162d935ec047a7f4397a62ed4cbe4aebb0d1d4566f204e6add5
Ivanti Workspace Control UNC Path Data Security Bypass
Posted Oct 1, 2018
Authored by Yorick Koster, Securify B.V.

Ivanti Workspace Control contains a flaw where it is possible to access folders that should be protected by Data Security. A local attacker can bypass these restrictions using localhost UNC paths. Depending on the NTFS permissions it may be possible for local users to access files and folders that should be protected using Data Protection. This issue was successfully verified on Ivanti Workspace Control version 10.2.700.1 and 10.2.950.0.

tags | advisory, local, bypass
SHA-256 | 507e3c9cc2d0a60cb3923378de3e647c3ee8b937f4097ddf9a6615c71a46daf9
Ivanti Workspace Control Registry Stored Credentials
Posted Oct 1, 2018
Authored by Yorick Koster, Securify B.V.

A flaw was found in Workspace Control that allows a local unprivileged user to retrieve the database or Relay server credentials from the Windows Registry. These credentials are encrypted, however the encryption that is used is reversible. This issue was successfully verified on Ivanti Workspace Control version 10.2.700.1 and 10.2.950.0.

tags | advisory, local, registry
systems | windows
SHA-256 | 964ae3397201993a0875edfc0ea849d24a6d6bd09383d580016c683c5209f357
Ivanti Workspace Control Named Pipe Privilege Escalation
Posted Oct 1, 2018
Authored by Yorick Koster, Securify B.V.

It was found that Ivanti Workspace Control allows a local (unprivileged) attacker to run arbitrary commands with Administrator privileges. This issue can be exploited by spawning a new Composer process, injecting a malicious thread in this process. This thread connects to a Named Pipe and sends an instruction to a service to launch an attacker-defined application with elevated privileges. This issue was successfully verified on Ivanti Workspace Control version 10.2.700.1 and 10.2.950.0.

tags | advisory, arbitrary, local
SHA-256 | 8258dbf9be109afe0d7a02ca62f333c5c39f3e9e6c52f1ae3f17a46f22ef8eca
Ivanti Workspace Control Application PowerGrid SEE Whitelist Bypass
Posted Oct 1, 2018
Authored by Yorick Koster, Securify B.V.

It was found that the PowerGrid application can be used to run arbitrary commands via the /SEE command line option. An attacker can abuse this issue to bypass Application Whitelisting in order to run arbitrary code on the target machine. This issue was successfully verified on Ivanti Workspace Control version 10.2.950.0.

tags | exploit, arbitrary, bypass
SHA-256 | d22755c11b4351cbedb8fccbfeb8f10b0a0fd56433daae7099f4a1f97ebe9bcb
Ivanti Workspace Control Application PowerGrid RWS Whitelist Bypass
Posted Oct 1, 2018
Authored by Yorick Koster, Securify B.V.

It was found that the PowerGrid application will execute rundll32.exe from a relative path when it is started with the /RWS command line option. An attacker can abuse this issue to bypass Application Whitelisting in order to run arbitrary code on the target machine. This issue was successfully verified on Ivanti Workspace Control version 10.2.700.1.

tags | exploit, arbitrary, bypass
SHA-256 | 247ebbfbc6e429e14f49ffdb9bfdcf441bfb4a187e2d9cb26ed36d4cf65e0153
Seagate Personal Cloud Information Disclosure
Posted Sep 13, 2018
Authored by Yorick Koster

Seagate Personal Cloud is a consumer-grade Network-Attached Storage device (NAS). It was found that the web application used to manage the NAS is affected by various unauthenticated information disclosure vulnerabilities. The device is configured to trust any CORS origin, and is accessible via the personalcloud.local domain name. Due to this it is possible for any website to gain access to this information. While this information doesn't allow an attacker to compromise the NAS, the information can be used to stage more targeted attacks. This issue was tested on a Seagate Personal Cloud model SRN21C running firmware versions 4.3.16.0 and 4.3.18.0. The software is licensed from LACIE, it is very likely that other devices/models are also affected.

tags | exploit, web, local, vulnerability, info disclosure
SHA-256 | 561f2e8c233f719d62e19876ccec52841abe5ce3a473389348130435a20ce8bc
Seagate Personal Cloud SRN21C SQL Injection
Posted Aug 24, 2018
Authored by Yorick Koster

Seagate Personal Cloud model SRN21C running firmware versions 4.3.16.0 and 4.3.18.0 suffer from remote SQL injection vulnerabilities in the media server.

tags | exploit, remote, vulnerability, sql injection
SHA-256 | e778b88faf6c13b9ded2dc0b1c5a4d719131745dd2f652b92a0899ab6d72d2b9
Seagate Media Server SRN21C Cross Site Scripting
Posted Apr 19, 2018
Authored by Yorick Koster

Seagate Personal Cloud model SRN21C running firmware versions 4.3.16.0 and 4.3.18.0 suffers from a persistent cross site scripting vulnerabilities.

tags | exploit, vulnerability, xss
SHA-256 | e781553767030bf98f0d576bce042a246fa79981a84c0cfb754a87a6669dfce7
Seagate Media Server Path Traversal
Posted Apr 19, 2018
Authored by Yorick Koster

Seagate Personal Cloud model SRN21C running firmware versions 4.3.16.0 and 4.3.18.0 suffer from a path traversal vulnerability.

tags | exploit, file inclusion
SHA-256 | 5ef896e7b37cb5ccba017088977b813090cb4b99b1764b4ea351316ab3dd7a44
Page 1 of 5
Back12345Next

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    0 Files
  • 12
    Nov 12th
    0 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close