This is the eleventh issue of POC || GTFO.
The Grandstream VoIP products deploy a remote provisioning mechanism that automatically sets configuration elements on phone/app startup. By default, an insecure connection to `fm.grandstream.com` is used to obtain the provisioning profile. An active attacker can redirect this request and change arbitrary values of the configuration. This allows the attacker to redirect phone calls through a malicious server, turn the phone into a bug, change passwords, and exfiltrate system logs (including the phone numbers dialed by the user).
ProjectSend version r582 suffers from a persistent cross-site scripting vulnerability.
Cisco UCS Manager version 2.1(1b) shellshock exploit that spawns a connect-back shell.
Core Security Technologies Advisory - An integer signedness error has been found in the amd64_set_ldt() function in the FreeBSD kernel code (defined in the /sys/amd64/amd64/sys_machdep.c file), which implements the i386_set_ldt system call on the amd64 version of the OS. This integer signedness issue ultimately leads to a heap overflow in the kernel, allowing local unprivileged attackers to crash the system. FreeBSD 10.2 amd64 is affected.
Ubuntu Security Notice 2935-2 - USN-2935-1 fixed vulnerabilities in PAM. The updates contained a packaging change that prevented upgrades in certain multiarch environments. This update fixes the problem. It was discovered that the PAM pam_userdb module incorrectly used a case-insensitive method when comparing hashed passwords. A local attacker could possibly use this issue to make brute force attacks easier. This issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. Sebastian Krahmer discovered that the PAM pam_timestamp module incorrectly performed filtering. A local attacker could use this issue to create arbitrary files, or possibly bypass authentication. This issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. Sebastien Macke discovered that the PAM pam_unix module incorrectly handled large passwords. A local attacker could possibly use this issue in certain environments to enumerate usernames or cause a denial of service. Various other issues were also addressed.
Red Hat Security Advisory 2016-0459-01 - The Berkeley Internet Name Domain is an implementation of the Domain Name System protocols. BIND includes a DNS server; a resolver library; and tools for verifying that the DNS server is operating correctly. A denial of service flaw was found in the way BIND parsed signature records for DNAME records. By sending a specially crafted query, a remote attacker could use this flaw to cause named to crash. A denial of service flaw was found in the way BIND processed certain control channel input. A remote attacker able to send a malformed packet to the control channel could use this flaw to cause named to crash.
Red Hat Security Advisory 2016-0458-01 - The Berkeley Internet Name Domain is an implementation of the Domain Name System protocols. BIND includes a DNS server; a resolver library; and tools for verifying that the DNS server is operating correctly. A denial of service flaw was found in the way BIND parsed signature records for DNAME records. By sending a specially crafted query, a remote attacker could use this flaw to cause named to crash. A denial of service flaw was found in the way BIND processed certain control channel input. A remote attacker able to send a malformed packet to the control channel could use this flaw to cause named to crash.
Red Hat Security Advisory 2016-0460-01 - Mozilla Thunderbird is a standalone mail and newsgroup client. Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user running Thunderbird. Multiple security flaws were found in the graphite2 font library shipped with Thunderbird. A web page containing malicious content could cause Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user running Thunderbird.
FreeBSD Security Advisory - A special combination of sysarch(2) arguments specifies a request to uninstall a set of descriptors from the LDT. The start descriptor is cleared and the number of descriptors is provided. Due to invalid use of a signed intermediate value in the bounds checking during argument validity verification, unbounded zeroing of the process LDT and adjacent memory can be initiated from usermode. This vulnerability could cause the kernel to panic. In addition, it is possible for unprivileged processes to perform a local Denial of Service against the system.
FreeBSD Security Advisory - Due to insufficient input validation in OpenSSH, a client which has permission to establish X11 forwarding sessions to a server can piggyback arbitrary shell commands on the data intended to be passed to the xauth tool. An attacker with valid credentials and permission to establish X11 forwarding sessions can bypass other restrictions which may have been placed on their account, for instance using ForceCommand directives in the server's configuration file.
AKIPS Network Monitor versions 15.37 through 16.5 suffer from a remote command injection vulnerability.
The SecLogon service does not sanitize standard handles when creating a new process, which leads to a system service thread pool handle being duplicated into a user-accessible process. This can be used to elevate privileges to Local System.
There is a Windows kernel crash in the ATMFD.DLL OpenType driver while processing a corrupted OTF font file.
There is a Windows kernel crash in the ATMFD.DLL OpenType driver while processing a corrupted OTF font file.
This bulletin summary lists two bulletins that have undergone a major revision increment for March 2016.
c7a1c043361f84c09c7fe61398b9da64aa26d37e25bf41ca5729ae5ad914b559