Published on January 23, 2024 (author: )
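Vulnerability ID: CVE-2016-7098
Vulnerability description: Remote
Vulnerability category: GNU Wget < 1.18 - Access List Bypass / Race Condition
Vulnerability information: wget is a free, open-source download tool that supports automatically downloading files from the network. GNU wget 1.17 and earlier contain a race condition vulnerability. A remote server-side attacker can exploit it to bypass the intended access list restrictions by keeping the HTTP connection open.
Disclosure status: Exploit code

Vulnerability ID: CVE-2016-6754
Vulnerability description: Remote
Vulnerability category: Android 'BadKernel' Remote Code Execution
Vulnerability information: Arbitrary code execution vulnerability in the Android V8 JavaScript engine
Disclosure status: PoC

Vulnerability ID: CVE-2016-5639
Vulnerability description: Remote
Vulnerability category: Crestron AM-10 hardware
Vulnerability information: Directory traversal vulnerability in cgi-bin/ on Crestron AirMedia AM-100 devices with firmware before 1.4.0.13 allows remote attackers to read arbitrary files via a .. (dot dot) in the src parameter.
Disclosure status: PoC

Vulnerability ID: CVE-2016-6563
Vulnerability description: Remote
Vulnerability category: Dlink DIR Routers Unauthenticated HNAP Login Stack Buffer Overflow
Vulnerability information: The home network automation protocol (HNAP for short) in D-Link router products is affected by a stack-based buffer overflow vulnerability. During the HNAP login operation, processing malformed SOAP messages causes a buffer overflow on the stack. The vulnerable XML fields in the SOAP body include: Action, Username, LoginPassword and Captch
Disclosure status: Exploit code

Vulnerability ID: (none listed)
Vulnerability description: Remote
Vulnerability category: WinaXe 7.7 FTP Client - Remote Buffer Overflow
Vulnerability information: This module exploits a buffer overflow in the WinaXe 7.7 issue is triggered when a client connects to the server and is expecting the Server Ready
Disclosure status: Exploit code, 2016.11.3

Vulnerability ID: (none listed)
Vulnerability description: Remote
Vulnerability category: Easy Internet Sharing Proxy Server 2.2 - SEH Overflow
Vulnerability information: This module exploits a SEH buffer overflow in the Easy Internet Sharing Proxy Socks Server 2.2
Disclosure status: Exploit code, 2016.11.10

Vulnerability ID: (none listed)
Vulnerability description: Remote
Vulnerability category: Disk Pulse Enterprise 9.0.34 - 'Login' Buffer Overflow
Vulnerability information: This module exploits a stack buffer overflow in Disk Pulse Enterprise 9.0.34. If a malicious user sends a malicious HTTP login request, it is possible to execute a payload that would run under the Windows NT AUTHORITY\SYSTEM account. Due to size constraints, this module uses the Egghunter technique
Disclosure status: Exploit code, 2016.11.3

Vulnerability ID: CVE-2016-5764
Vulnerability description: Remote
Vulnerability category: Rumba FTP Client 4.x - Stack Buffer Overflow (SEH)
Vulnerability information: Micro Focus Rumba FTP Client handle long directory names. An attacker can set up a malicious FTP server that can send a long directory name which can lead to remote code execution on connected
Disclosure status: Exploit code, 2016.10.29

Vulnerability ID: CVE-2016-3115
Vulnerability description: Remote
Vulnerability category: OpenSSH 7.2p1 - Authenticated xauth Command Injection
Vulnerability information: OpenSSH is an open-source implementation of the SSH protocol. OpenSSH <= 7.2p1 has an xauth command injection vulnerability in its implementation, which can lead to bypassing forced-command and /bin/false.
Disclosure status: Exploit code

Vulnerability ID: CVE-2016-0998
Vulnerability description: Remote
Vulnerability category: Adobe Flash - h Use-After-Free Exploit
Vulnerability information: Use-after-free vulnerability in Adobe Flash Player before 18.0.0.333 and 19.x through e 21.0.0.182 on Windows and OS X and before 11.2.202.577 on Linux, Adobe AIR before 21.0.0.176, Adobe AIR SDK before 21.0.0.176, and Adobe AIR SDK & Compiler before 21.0.0.176 allows attackers to execute arbitrary code via unspecified vectors
Disclosure status: Exploit code

Vulnerability ID: CVE-2015-2866
Vulnerability description: Remote
Vulnerability category: Grandstream GXV3611_HD
Vulnerability information: SQL injection vulnerability on the Grandstream GXV3611_HD camera with firmware before 1.0.3.9 beta allows remote attackers to execute arbitrary SQL commands by attempting to establish a TELNET session with a crafted
Disclosure status: Exploit code

Vulnerability ID: CVE-2015-0752
Vulnerability description: Remote
Vulnerability category: Ruby on Rails - Dynamic Render File Upload / Remote Code Execution
Vulnerability information: Directory traversal vulnerability in Action View in Ruby on Rails before 3.2.22.1, 4.0.x and e 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x 1.1 allows remote attackers to read arbitrary files by leveraging an application's unrestricted use of the render method and providing a .. (dot dot) in a pathname
Disclosure status: Exploit code

Vulnerability ID: CVE-2015-3864
Vulnerability description: Remote
Vulnerability category: Android 5.0 <= 5.1.1 - 'Stagefright' .MP4 tx3g Integer Overflow
Vulnerability information: Integer underflow in the MPEG4Extractor::parseChunk function in in libstagefright in mediaserver in Android before 5.1.1 LMY48M allows remote attackers to execute arbitrary code via crafted MPEG-4 data, aka internal bug 23034759. NOTE: this vulnerability exists because of an incomplete fix for
Disclosure status: Exploit code

Vulnerability ID: CVE-2016-3861
Vulnerability description: Remote
Vulnerability category: Android - libutils UTF16 to UTF8 Conversion Heap Buffer Overflow
Vulnerability information: ls in Android 4.x before 4.4.4, 5.0.x before 5.0.2, e 5.1.1, 6.x before 2016-09-01, and 7.0 before 2016-09-01 mishandles conversions between Unicode character encodings with different encoding widths, which allows remote attackers to execute arbitrary code or cause a denial of service (heap-based buffer overflow) via a crafted file, aka internal bug 29250543.
Disclosure status: PoC

Vulnerability ID: CVE-2015-7547
Vulnerability description: Remote
Vulnerability category: glibc - 'getaddrinfo' Stack Based Buffer Overflow
Vulnerability information: In glibc 2.9 and later, the DNS client-side resolver has a stack buffer overflow vulnerability when the getaddrinfo() library function is used. Through a crafted domain name, DNS server, or man-in-the-middle attack, an attacker can exploit this vulnerability to execute arbitrary
Disclosure status: Exploit code

Vulnerability ID: CVE-2015-1730
Vulnerability description: Remote
Vulnerability category: Microsoft Internet Explorer jscript9 - JavaScriptStackWalker Memory Corruption
Vulnerability information: The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted web page using Internet Explorer. An attacker who successfully exploited these vulnerabilities could gain the same user rights as the current user.
Disclosure status: PoC

Vulnerability ID: CVE-2016-6707
Vulnerability description: Remote
Vulnerability category: Android - Inter-Process munmap with User-Controlled Size in
Vulnerability information: An elevation of privilege vulnerability in System Server in Android 6.x before 2016-11-01 and 7.0 before 2016-11-01 could enable a local malicious application to execute arbitrary code within the context of a privileged process. This issue is rated as High because it could be used to gain local access to elevated capabilities, which are not normally accessible to a third-party application. Android ID: A-31350622.
Disclosure status: PoC

Vulnerability ID: CVE-2016-6210
Vulnerability description: Remote
Vulnerability category: OpenSSHd 7.2p2 - Username Enumeration
Vulnerability information: When we use an ssh client to connect to the server and send the server a password larger than 10KB, the OpenSSH server hashes the user:password combination with the SHA256/SHA512 algorithm. If the username we send does not exist, the sha256(user,password) flow is not entered; if the username exists, the server computes SHA256 over this 10KB password, and this produces a timing difference.
Disclosure status: Exploit code

Vulnerability ID: CVE-2016-3962, CVE-2016-3989
Vulnerability description: Remote
Vulnerability category: Meinberg NTP Time Server ELX800/GPS M4x V5.30p - Remote Command Execution / Escalate Privileges
Vulnerability information: Meinberg NTP Time Server ELX800/GPS M4x V5.30p - Remote Command Execution / Escalate Privileges
Disclosure status: Exploit code

Vulnerability ID: CVE-2016-6366
Vulnerability description: Remote
Vulnerability category: Cisco ASA 8.x - 'EXTRABACON' Authentication Bypass
Vulnerability information: A buffer overflow vulnerability in Cisco Adaptive Security Appliance (ASA) software allows remote authenticated users to execute arbitrary code via crafted IPv4 SNMP packets, aka Bug ID CSCva92151 or EXTRABACON.
Disclosure status: Exploit code

Vulnerability ID: CVE-2016-0491, CVE-2016-0492
Vulnerability description: Remote
Vulnerability category: Oracle Application Testing Suite (ATS) - Arbitrary File Upload (Metasploit)
Vulnerability information: This module exploits an authentication bypass and arbitrary file upload in Oracle Application Testing Suite (OATS), version 12.4.0.2.0 and unknown earlier versions, to upload and execute a JSP shell.
Disclosure status: Exploit code

Vulnerability ID: CVE-2016-3987
Vulnerability description: Remote
Vulnerability category: Trend Micro - HTTP Server Listening on localhost Can Execute Commands
Vulnerability information: The HTTP server in Trend Micro Password Manager allows remote web servers to execute arbitrary commands via the url parameter to (1) api/openUrlInDefaultBrowser or (2) api/
Disclosure status: Exploit code

Vulnerability ID: CVE-2015-7768
Vulnerability description: Remote
Vulnerability category: Konica Minolta FTP Utility 1.00 - CWD Command SEH Overflow
Vulnerability information: Buffer overflow in Konica Minolta FTP Utility 1.0 allows remote attackers to execute arbitrary code via a long CWD
Disclosure status: Exploit code

Vulnerability ID: CVE-2016-0998
Vulnerability description: Remote
Vulnerability category: Adobe Flash - h Use-After-Free Exploit
Vulnerability information: Use-after-free vulnerability in Adobe Flash Player before 18.0.0.333 and 19.x through e 21.0.0.182 on Windows and OS X and before 11.2.202.577 on Linux, Adobe AIR before 21.0.0.176, Adobe AIR SDK before 21.0.0.176, and Adobe AIR SDK & Compiler before 21.0.0.176 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2016-0987, CVE-2016-0988, CVE-2016-0990, CVE-2016-0991, CVE-2016-0994, CVE-2016-0995, CVE-2016-0996, CVE-2016-0997, CVE-2016-0999, and CVE-2016-1000.
Disclosure status: Exploit code

Vulnerability ID: CVE-2015-6132
Vulnerability description: Remote
Vulnerability category: Microsoft Office / COM Object - DLL with '' Load of '' (MS15-132)
Vulnerability information: In this vulnerability, these specific CLSIDs (embedded in an Office document) cause these DLLs “, api-ms-win-, or ” to be loaded from the current directory. If an attacker places one of the above DLLs in the same directory, a document with the embedded object will also load this DLL from that same directory, and the attacker's crafted code will
Disclosure status: Exploit code

Vulnerability ID: CVE-2015-7874
Vulnerability description: Remote
Vulnerability category: KiTTY Portable 0.65.0.2p - Chat Remote Buffer Overflow (SEH Windows XP/7/10)
Vulnerability information: A remote overflow exists in the KiTTY Chat feature, which enables a remote attacker to execute code on the vulnerable system with the rights of the current user, from Windows XP x86 to Windows 10 x64 included (builds 10240/10586). Chat feature is not enabled by
Disclosure status: Exploit code

Vulnerability ID: (none listed)
Vulnerability description: Remote
Vulnerability category: MS SQL Server 2000/2005 - espace COM Object Refresh() Unhandled Pointer Exploit
Vulnerability information: MS SQL Server 2000/2005 - espace COM Object Refresh() Unhandled Pointer Exploit
Disclosure status: Exploit code

2015/8/29

Vulnerability ID: CVE-2016-8016, CVE-2016-8017, CVE-2016-8018, CVE-2016-8019, CVE-2016-8020, CVE-2016-8021, CVE-2016-8022, CVE-2016-8023, CVE-2016-8024, CVE-2016-8025
Vulnerability description: Remote
Vulnerability category: McAfee Virus Scan Enterprise for Linux - Remote Code Execution
Vulnerability information:
  CVE-2016-8016: Remote Unauthenticated File Existence Test
  CVE-2016-8017: Remote Unauthenticated File Read (with Constraints)
  CVE-2016-8018: No Cross-Site Request Forgery Tokens
  CVE-2016-8019: Cross Site Scripting
  CVE-2016-8020: Authenticated Remote Code Execution & Privilege Escalation
  CVE-2016-8021: Web Interface Allows Arbitrary File Write to Known Location
  CVE-2016-8022: Remote Use of Authentication Tokens
  CVE-2016-8023: Brute Force Authentication Tokens
  CVE-2016-8024: HTTP Response Splitting
  CVE-2016-8025: Authenticated SQL Injection
  When chained together, these vulnerabilities allow a remote attacker to execute code as
Disclosure status: Exploit code

Vulnerability ID: CVE-2016-1287
Vulnerability description: Remote
Vulnerability category: Cisco ASA Software 8.x / 9.x - IKEv1 and IKEv2 Buffer Overflow
Vulnerability information: Cisco ASA Software has a security vulnerability in its IKEv1 and IKEv2 code. An unauthenticated remote attacker who sends crafted UDP packets to an affected system can cause the affected system to reload or can execute code remotely. The vulnerability stems from a buffer overflow in the affected code area.
Disclosure status: Exploit code

Vulnerability ID: CVE-2015-3036
Vulnerability description: Remote
Vulnerability category: Linux/MIPS Kernel 2.6.36 - 'NetUSB' Remote Code Execution
Vulnerability information: Stack-based buffer overflow in the run_init_sbus function in the KCodes NetUSB module for the Linux kernel, as used in certain NETGEAR products, TP-LINK products, and other products, allows remote attackers to execute arbitrary code by providing a long computer name in a session on TCP port 20005
Disclosure status: Exploit code

2016/12/13

Vulnerability ID: CVE-2016-1909
Vulnerability description: Remote
Vulnerability category: Fortigate OS 4.x < 5.0.7 - SSH Backdoor
Vulnerability information: Fortinet FortiAnalyzer before 5.0.12 and 5.2.x before 5.2.5; FortiSwitch 3.3.x before 3.3.3; FortiCache 3.0.x before 3.0.8; and FortiOS 4.1.x before 4.1.11, 4.2.x before 4.2.16, 4.3.x before 4.3.17 and 5.0.x before 5.0.8 have a hardcoded passphrase for the Fortimanager_Access account, which allows remote attackers to obtain administrative access via an SSH
Disclosure status: Exploit code

Vulnerability ID: CVE-2015-6131
Vulnerability description: Remote
Vulnerability category: Microsoft Windows Media Center Library - Parsing Remote Code Execution aka 'self-executing' MCL File
Vulnerability information: Microsoft Windows Media Center Library - Parsing Remote Code Execution aka 'self-executing' MCL File
Disclosure status: Exploit code

Vulnerability ID: CVE-2016-3087
Vulnerability description: Remote
Vulnerability category: Apache Struts - REST Plugin With Dynamic Method Invocation Remote Code Execution (Metasploit)
Vulnerability information: This module exploits a remote command execution vulnerability in Apache Struts version between 2.3.20 and 2.3.28 (except 2.3.20.2 and 2.3.24.2). Remote Code Execution can be performed when using REST Plugin with ! operator when Dynamic Method Invocation is
Disclosure status: Exploit code

Vulnerability ID: CVE-2016-1593
Vulnerability description: Remote
Vulnerability category: Novell ServiceDesk - Authenticated Arbitrary File Upload (Metasploit)
Vulnerability information: This module exploits an authenticated arbitrary file upload via directory traversal to execute code on the target. It has been tested on versions 6.5 and 7.1.0, in Windows and Linux installations of Novell ServiceDesk, as well as the Virtual Appliance provided by Novell.
Disclosure status: Exploit code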

