Xerox DocuShare AMI Pro File Parsing Stack Overflow Vulnerability

EIP-db4e064b

A stack-based buffer overflow vulnerability exists within Xerox DocuShare. Exploitation of the vulnerability allows for attackers to execute arbitrary code with system privileges. The specific flaw exists within the parsing of AMI Pro (.sam) file formats. Parsing of this file structure is handled by the KeyView subsystem (lasr.dll).

Vulnerability Identifiers

  • Exodus Intelligence: EIP-db4e064b
  • MITRE CVE: CVE-2007-5909

Vulnerability Metrics

  • CVSSv2 Score: 6.8

Vendor References

Discovery Credit

  • Exodus Intelligence

Disclosure Timeline

  • Disclosed to affected vendor: December 10th, 2021
  • Disclosed to public: February 24th, 2022

Further Information

Readers of this advisory who are interested in receiving further details around the vulnerability, mitigations, detection guidance, and more can contact us at sales@exodusintel.com.

Researchers who are interested in monetizing their 0Day and NDay can work with us through our Research Sponsorship Program.

Xerox DocuShare WordPerfect Parsing Stack Overflow Vulnerability

EIP-c728d1ef

A stack-based buffer overflow vulnerability exists within Xerox DocuShare. Exploitation of the vulnerability allows for attackers to execute arbitrary code with system privileges. The specific flaw exists within the parsing of containers embedded in WordPerfect (.wpd) file formats. Parsing of this file is handled by the KeyView subsystem (kvoop.exe).

Vulnerability Identifiers

  • Exodus Intelligence: EIP-c728d1ef
  • MITRE CVE: CVE-2007-5910

Vulnerability Metrics

  • CVSSv2 Score: 9.3

Vendor References

Discovery Credit

  • Exodus Intelligence

Disclosure Timeline

  • Disclosed to affected vendor: December 10th, 2021
  • Disclosed to public: February 24th, 2022

Further Information

Readers of this advisory who are interested in receiving further details around the vulnerability, mitigations, detection guidance, and more can contact us at sales@exodusintel.com.

Researchers who are interested in monetizing their 0Day and NDay can work with us through our Research Sponsorship Program.

Xerox DocuShare AMI Pro p-tag Parsing Stack Overflow Vulnerability

EIP-6185db3e

A stack-based buffer overflow vulnerability exists within Xerox DocuShare. Exploitation of the vulnerability allows for attackers to execute arbitrary code with system privileges. The specific flaw exists within the parsing of “<:p tags” embedded in AMI Pro (.sam) file formats. Parsing of this file is handled by the KeyView subsystem (kvoop.exe).

Vulnerability Identifiers

  • Exodus Intelligence: EIP-6185db3e
  • MITRE CVE: CVE-2007-5909

Vulnerability Metrics

  • CVSSv2 Score: 6.8

Vendor References

Discovery Credit

  • Exodus Intelligence

Disclosure Timeline

  • Disclosed to affected vendor: December 10th, 2021
  • Disclosed to public: February 24th, 2022

Further Information

Readers of this advisory who are interested in receiving further details around the vulnerability, mitigations, detection guidance, and more can contact us at sales@exodusintel.com.

Researchers who are interested in monetizing their 0Day and NDay can work with us through our Research Sponsorship Program.

ZyXEL Armor Cross-Site Request Forgery Vulnerability

EIP-521a3b40

A cross-site request forgery vulnerability exists within the ZyXEL Armor Z1 AC2350 and Z2 AC2600 series. Exploitation of the vulnerability allows for attackers to run arbitrary commands on vulnerable versions of the firmware under the context of the root user. Exploitation requires either that the attacker has access to the local network or is able to coerce a local user into visiting a malicious website.

Vulnerability Identifiers

  • Exodus Intelligence: EIP-521a3b40
  • MITRE CVE: CVE-2021-4030

Vulnerability Metrics

  • CVSSv2 Score: 7.9

Vendor References

  • https://www.zyxel.com/support/forgery-vulnerabilities-of-select-Armor-home-routers.shtml

Discovery Credit

  • Exodus Intelligence

Disclosure Timeline

  • Disclosed to affected vendor: December 14th, 2021
  • Disclosed to public: February 22nd, 2022

Further Information

Readers of this advisory who are interested in receiving further details around the vulnerability, mitigations, detection guidance, and more can contact us at sales@exodusintel.com.

Researchers who are interested in monetizing their 0Day and NDay can work with us through our Research Sponsorship Program.

ZyXEL Armor Photobak Command Injection Vulnerability

EIP-c624ba9f

A command-injection vulnerability exists within the ZyXEL Armor Z1 AC2350 series. The vulnerable endpoint is within the ‘photobak’ component found in the cgi-bin. Exploitation of the vulnerability allows for remote unauthenticated attackers to run arbitrary commands on vulnerable versions of the firmware under the context of the underlying lighthttpd subsystem.

Vulnerability Identifiers

  • Exodus Intelligence: EIP-c624ba9f
  • MITRE CVE: CVE-2021-4029

Vulnerability Metrics

  • CVSSv2 Score: 8.3

Vendor References

  • https://www.zyxel.com/support/forgery-vulnerabilities-of-select-Armor-home-routers.shtml

Discovery Credit

  • Exodus Intelligence

Disclosure Timeline

  • Disclosed to affected vendor: December 14th, 2021
  • Disclosed to public: February 22nd, 2022

Further Information

Readers of this advisory who are interested in receiving further details around the vulnerability, mitigations, detection guidance, and more can contact us at sales@exodusintel.com.

Researchers who are interested in monetizing their 0Day and NDay can work with us through our Research Sponsorship Program.

Zlibc Environment Variable Handling Local Privilege Escalation Vulnerability

EIP-1a8a439f

A vulnerability exists in Zlibc that allows a local attacker to execute arbitrary code with elevated privileges through manipulation of the LD_ZLIB_CONFFILE and LD_ZLIB_UNCOMPRESSOR environment variables when calling setuid binaries.

Vulnerability Identifiers

  • Exodus Intelligence: EIP-1a8a439f
  • MITRE CVE: N/A

Vulnerability Metrics

  • CVSSv2 Score: 6.6

Vendor References

Discovery Credit

  • Exodus Intelligence

Disclosure Timeline

  • Disclosed to affected vendor: January 5th, 2022
  • Disclosed to public: February 2nd, 2022

Further Information

Readers of this advisory who are interested in receiving further details around the vulnerability, mitigations, detection guidance, and more can contact us at sales@exodusintel.com.

Researchers who are interested in monetizing their 0Day and NDay can work with us through our Research Sponsorship Program.

Arris SURFboard SSDP Command Injection Vulnerability

EIP-55f127ea

A vulnerability exists within Arris SURFboard’s handling of Simple Service Discovery Protocol (SSDP) messages. A specially crafted NOTIFY message with a LOCATION header can result in a command injection under the context of the root user.

Vulnerability Identifiers

  • Exodus Intelligence: EIP-55f127ea
  • MITRE CVE: CVE-2021-41552

Vulnerability Metrics

  • CVSSv2 Score: 8.3

Vendor References

Discovery Credit

  • Exodus Intelligence

Disclosure Timeline

  • Disclosed to affected vendor: June 16th, 2021
  • Disclosed to public: February 2nd, 2022

Further Information

Readers of this advisory who are interested in receiving further details around the vulnerability, mitigations, detection guidance, and more can contact us at sales@exodusintel.com.

Researchers who are interested in monetizing their 0Day and NDay can work with us through our Research Sponsorship Program.