Exodus Intel VRT

ZyXEL Armor Cross-Site Request Forgery Vulnerability

by

EIP-521a3b40

A cross-site request forgery vulnerability exists within the ZyXEL Armor Z1 AC2350 and Z2 AC2600 series. Exploitation of the vulnerability allows for attackers to run arbitrary commands on vulnerable versions of the firmware under the context of the root user. Exploitation requires either that the attacker has access to the local network or is able to coerce a local user into visiting a malicious website.

Vulnerability Identifiers

  • Exodus Intelligence: EIP-521a3b40
  • MITRE CVE: CVE-2021-4030

Vulnerability Metrics

  • CVSSv2 Score: 7.9

Vendor References

  • https://www.zyxel.com/support/forgery-vulnerabilities-of-select-Armor-home-routers.shtml

Discovery Credit

  • Exodus Intelligence

Disclosure Timeline

  • Disclosed to affected vendor: December 14th, 2021
  • Disclosed to public: February 22nd, 2022

Further Information

Readers of this advisory who are interested in receiving further details around the vulnerability, mitigations, detection guidance, and more can contact us at sales@exodusintel.com.

Researchers who are interested in monetizing their 0Day and NDay can work with us through our Research Sponsorship Program.

ZyXEL Armor Photobak Command Injection Vulnerability

by

EIP-c624ba9f

A command-injection vulnerability exists within the ZyXEL Armor Z1 AC2350 series. The vulnerable endpoint is within the ‘photobak’ component found in the cgi-bin. Exploitation of the vulnerability allows for remote unauthenticated attackers to run arbitrary commands on vulnerable versions of the firmware under the context of the underlying lighthttpd subsystem.

Vulnerability Identifiers

  • Exodus Intelligence: EIP-c624ba9f
  • MITRE CVE: CVE-2021-4029

Vulnerability Metrics

  • CVSSv2 Score: 8.3

Vendor References

  • https://www.zyxel.com/support/forgery-vulnerabilities-of-select-Armor-home-routers.shtml

Discovery Credit

  • Exodus Intelligence

Disclosure Timeline

  • Disclosed to affected vendor: December 14th, 2021
  • Disclosed to public: February 22nd, 2022

Further Information

Readers of this advisory who are interested in receiving further details around the vulnerability, mitigations, detection guidance, and more can contact us at sales@exodusintel.com.

Researchers who are interested in monetizing their 0Day and NDay can work with us through our Research Sponsorship Program.

Zlibc Environment Variable Handling Local Privilege Escalation Vulnerability

by

EIP-1a8a439f

A vulnerability exists in Zlibc that allows a local attacker to execute arbitrary code with elevated privileges through manipulation of the LD_ZLIB_CONFFILE and LD_ZLIB_UNCOMPRESSOR environment variables when calling setuid binaries.

Vulnerability Identifiers

  • Exodus Intelligence: EIP-1a8a439f
  • MITRE CVE: N/A

Vulnerability Metrics

  • CVSSv2 Score: 6.6

Vendor References

Discovery Credit

  • Exodus Intelligence

Disclosure Timeline

  • Disclosed to affected vendor: January 5th, 2022
  • Disclosed to public: February 2nd, 2022

Further Information

Readers of this advisory who are interested in receiving further details around the vulnerability, mitigations, detection guidance, and more can contact us at sales@exodusintel.com.

Researchers who are interested in monetizing their 0Day and NDay can work with us through our Research Sponsorship Program.

Arris SURFboard SSDP Command Injection Vulnerability

by

EIP-55f127ea

A vulnerability exists within Arris SURFboard’s handling of Simple Service Discovery Protocol (SSDP) messages. A specially crafted NOTIFY message with a LOCATION header can result in a command injection under the context of the root user.

Vulnerability Identifiers

  • Exodus Intelligence: EIP-55f127ea
  • MITRE CVE: CVE-2021-41552

Vulnerability Metrics

  • CVSSv2 Score: 8.3

Vendor References

Discovery Credit

  • Exodus Intelligence

Disclosure Timeline

  • Disclosed to affected vendor: June 16th, 2021
  • Disclosed to public: February 2nd, 2022

Further Information

Readers of this advisory who are interested in receiving further details around the vulnerability, mitigations, detection guidance, and more can contact us at sales@exodusintel.com.

Researchers who are interested in monetizing their 0Day and NDay can work with us through our Research Sponsorship Program.

LiveAction LiveNX AWS Credential Disclosure Vulnerability

by

EIP-7d4ec9e3

Several versions of LiveAction LiveNX network monitoring software contain Amazon Web Services (AWS) credentials. These credentials have privileged access to the LiveAction AWS infrastructure. A remote attacker may abuse these credentials to gain access to LiveAction internal resources.

Vulnerability Identifiers

  • Exodus Intelligence: EIP-7d4ec9e3
  • MITRE CVE: N/A

Vulnerability Metrics

  • CVSSv2 Score: 10

Vendor References

  • This vulnerability has been address in LiveAction LiveNX version 21.4.0

Discovery Credit

  • Exodus Intelligence

Disclosure Timeline

  • Disclosed to affected vendor: July 1st, 2021
  • Disclosed to public: January 19th, 2022

Further Information

Readers of this advisory who are interested in receiving further details around the vulnerability, mitigations, detection guidance, and more can contact us at sales@exodusintel.com.

Researchers who are interested in monetizing their 0Day and NDay can work with us through our Research Sponsorship Program.

UltraVNC Viewer VNC client RFB SolidColor Arbitrary Write Vulnerability

by

EIP-0e1ca3ec

A vulnerability exists within UltraVNC’s “vncviewer.exe” client. A malicious server can trigger an arbitrary memory write condition through a flaw in the function ClientConnection::SolidColor while drawing pixel data to the screen. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of the UltraVNC Viewer process.

Vulnerability Identifiers

  • Exodus Intelligence: EIP-0e1ca3ec
  • MITRE CVE: PENDING

Vulnerability Metrics

  • CVSSv2 Score: 5.8

Vendor References

Discovery Credit

  • Exodus Intelligence

Disclosure Timeline

  • Disclosed to affected vendor: December 8th, 2021
  • Disclosed to public: December 16th, 2021

Further Information

Readers of this advisory who are interested in receiving further details around the vulnerability, mitigations, detection guidance, and more can contact us at sales@exodusintel.com.

Researchers who are interested in monetizing their 0Day and NDay can work with us through our Research Sponsorship Program.

UltraVNC Viewer VNC client RFB rfbServerInitMsg Heap Overflow Vulnerability

by

EIP-0e1ca3ec

A vulnerability exists within UltraVNC’s “vncviewer.exe” client. Specifically a malicious server may write arbitrary data to arbitrary memory locations through the  in the “rfbServerInitMsg” function upon parsing a long ‘nameLength’ field returned from a nefarious server. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of the UltraVNC Viewer process.

Vulnerability Identifiers

  • Exodus Intelligence: EIP-0e1ca3ec
  • MITRE CVE: PENDING

Vulnerability Metrics

  • CVSSv2 Score: 5.8

Vendor References

Discovery Credit

  • Exodus Intelligence

Disclosure Timeline

  • Disclosed to affected vendor: December 8th, 2021
  • Disclosed to public: December 16th, 2021

Further Information

Readers of this advisory who are interested in receiving further details around the vulnerability, mitigations, detection guidance, and more can contact us at sales@exodusintel.com.

Researchers who are interested in monetizing their 0Day and NDay can work with us through our Research Sponsorship Program.

UltraVNC Viewer VNC client RFB ReadUltraRect Heap Overflow Vulnerability

by

EIP-930b0ea5

A vulnerability exists within UltraVNC’s “vncviewer.exe” client. Specifically a heap overflow can be triggered in the “ClientConnection::ReadUltraRect” function upon decompression of malicious formatted data returned from a nefarious server. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of the UltraVNC Viewer process.

Vulnerability Identifiers

  • Exodus Intelligence: EIP-930b0ea5
  • MITRE CVE: PENDING

Vulnerability Metrics

  • CVSSv2 Score: 5.8

Vendor References

Discovery Credit

  • Exodus Intelligence

Disclosure Timeline

  • Disclosed to affected vendor: December 8th, 2021
  • Disclosed to public: December 16th, 2021

Further Information

Readers of this advisory who are interested in receiving further details around the vulnerability, mitigations, detection guidance, and more can contact us at sales@exodusintel.com.

Researchers who are interested in monetizing their 0Day and NDay can work with us through our Research Sponsorship Program.

UltraVNC Viewer VNC client Remote Memory Leak Vulnerability

by

EIP-5182fb5b

A vulnerability exists within UltraVNC view due to a lack of proper stack memory buffer cleanup before constructing the ‘rfbTextChat’ message, which results in a leak of 3-bytes of stack memory. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of the UltraVNC Viewer process.

Vulnerability Identifiers

  • Exodus Intelligence: EIP-5182fb5b
  • MITRE CVE: 

Vulnerability Metrics

  • CVSSv2 Score: 4.3

Vendor References

Discovery Credit

  • Exodus Intelligence

Disclosure Timeline

  • Disclosed to affected vendor: June 21th, 2021
  • Disclosed to public: September 25th, 2021

Further Information

Readers of this advisory who are interested in receiving further details around the vulnerability, mitigations, detection guidance, and more can contact us at sales@exodusintel.com.

Researchers who are interested in monetizing their 0Day and NDay can work with us through our Research Sponsorship Program.

NEC EXPRESSCLUSTER X Transaction Server 0x32 File Read Vulnerability

by

EIP-852fe633

An arbitrary file read vulnerability has been found in NEC EXPRESSCLUSTER X that can allow an attacker to read files off the target system. The Transaction Server (clptrnsv.exe) is a system service configured to utilize port 29002 by default to facilitate transactions such as sending and receiving licensing data. This vulnerability occurs during the processing of opcode 0x32, an attacker is able to introduce crafted data into the clptrnsv service to expose arbitrary paths through fopen, fseek, and fread.

Vulnerability Identifiers

  • Exodus Intelligence: EIP-852fe633
  • MITRE CVE: CVE-2021-20707

Vulnerability Metrics

  • CVSSv2 Score: 7.8

Vendor References

Discovery Credit

  • Exodus Intelligence

Disclosure Timeline

  • Disclosed to affected vendor: February 25th, 2021
  • Disclosed to public: October 29th, 2021

Further Information

Readers of this advisory who are interested in receiving further details around the vulnerability, mitigations, detection guidance, and more can contact us at sales@exodusintel.com.

Researchers who are interested in monetizing their 0Day and NDay can work with us through our Research Sponsorship Program.

Intelligence

Support

Company

Copyright 2021 Exodus Intelligence