Exodus Intel VRT, Author at Exodus Intelligence

SolarWinds Serv-u File Server Command Injection Vulnerability

January 19, 2022September 27, 2021 by Exodus Intel VRT

EIP-d3400c52

The Serv-U File Server supports site specific commands which may not be universally supported by all FTP clients. Among these is the SITE EXEC command which allows a user to execute programs and scripts remotely, if the execute permission is present on the folder where a given program / script resides. A command injection vulnerability exists in this functionality due to improper sanitization of user-supplied parameters provided to the ShellExecuteExW routine. Successful exploitation results in arbitrary command execution under the context of the file server.

Vulnerability Identifiers

Exodus Intelligence: EIP-d3400c52
MITRE CVE: CVE-2021-35223

Vulnerability Metrics

CVSSv2 Score: 9.4

Vendor References

https://documentation.solarwinds.com/en/success_center/servu/content/release_notes/servu_15-2-4_release_notes.htm

Discovery Credit

Exodus Intelligence

Disclosure Timeline

Disclosed to affected vendor: May 14th, 2021
Disclosed to public: September 24th, 2021

Further Information

Readers of this advisory who are interested in receiving further details around the vulnerability, mitigations, detection guidance, and more can contact us at sales@exodusintel.com.

Researchers who are interested in monetizing their 0Day and NDay can work with us through our Research Sponsorship Program.

McAfee DLP Agent Stack Buffer Overflow Remote Code Execution Vulnerability

February 2, 2022September 17, 2021 by Exodus Intel VRT

EIP-035220ca

The vulnerability affects both Data Loss Prevention (DLP) Endpoint for Windows and the DLP Discover products from McAfee. The vulnerability is present within the included lasr.dll module, which is part of the Keyview SDK3 , and is responsible for parsing Ami Pro (.sam) files during server content inspection. A file format parsing vulnerability results in a stack-based buffer overflow that can be abused to achieve remote code execution.

Vulnerability Identifiers

Exodus Intelligence: EIP-035220ca
MITRE CVE: CVE-2021-31844, CVE-2021-31845

Vulnerability Metrics

CVSSv2 Score: 8.2

Vendor References

https://kc.mcafee.com/corporate/index?page=content&id=SB10368

Discovery Credit

Exodus Intelligence

Disclosure Timeline

Disclosed to affected vendor: February 24th, 2021
Disclosed to public: September 14th, 2021

Further Information

Readers of this advisory who are interested in receiving further details around the vulnerability, mitigations, detection guidance, and more can contact us at sales@exodusintel.com.

Researchers who are interested in monetizing their 0Day and NDay can work with us through our Research Sponsorship Program.

Adobe Acrobat Reader Base URI Unicode String Heap Buffer Overflow Vulnerability

January 19, 2022September 17, 2021 by Exodus Intel VRT

EIP-47ea5148

A heap buffer overflow vulnerability exists in the IA32.api module of Adobe Acrobat and Acrobat Reader DC. Upon parsing a specially crafted PDF document containing URI entries with URI dictionaries and a specially crafted base URL defined with raw Unicode strings can trigger the vulnerability to achieve remote code execution.

Vulnerability Identifiers

Exodus Intelligence: EIP-47ea5148
MITRE CVE: CVE-2021-39863

Vulnerability Metrics

CVSSv2 Score: 8.8

Vendor References

https://helpx.adobe.com/security/products/acrobat/apsb21-55.html

Discovery Credit

Exodus Intelligence

Disclosure Timeline

Disclosed to affected vendor: June 28th, 2021
Disclosed to public: September 14th, 2021

Further Information

Readers of this advisory who are interested in receiving further details around the vulnerability, mitigations, detection guidance, and more can contact us at sales@exodusintel.com.

Researchers who are interested in monetizing their 0Day and NDay can work with us through our Research Sponsorship Program.

Foxit PhantomPDF ConvertToPDF Arbitrary File Write Remote Code Execution Vulnerability

December 2, 2021August 24, 2021 by Exodus Intel VRT

EIP-884255a1

The vulnerability exists within an RPC interface listening on TCP port 6000, exposed by Foxit PhantomPDF. The ConvertToPDF method of the Creator object does not properly validate the bstrDestPathName argument, allowing arbitrary files to be written under the context of the user running PhantomPDF. An attacker can create a specially crafted PDF file that will abuse this vulner- ability to achieve remote code execution.

Vulnerability Identifiers

Exodus Intelligence: EIP-884255a1
MITRE CVE: Pending

Vulnerability Metrics

CVSSv2 Score: 7.5

Vendor References

https://www.foxit.com/support/security-bulletins.html

Discovery Credit

Exodus Intelligence

Disclosure Timeline

Disclosed to affected vendors: February 24th, 2021
Disclosed to public: July 27th, 2021

Further Information

Readers of this advisory who are interested in receiving further details around the vulnerability, mitigations, detection guidance, and more can contact us at sales@exodusintel.com.

Researchers who are interested in monetizing their 0Day and NDay can work with us through our Research Sponsorship Program.

Foxit PhantomPDF CombineFiles Arbitrary File Write Remote Code Execution Vulnerability

December 2, 2021August 24, 2021 by Exodus Intel VRT

EIP-adf3136a

The vulnerability exists within an RPC interface listening on TCP port 6000, exposed by Foxit PhantomPDF. The CombineFiles method of the Creator object does not properly validate the DestPDFFile argument, allowing arbitrary files to be written under the context of the user running PhantomPDF. An attacker can create a specially crafted PDF file that will abuse this vulnerability to achieve remote code execution.

Vulnerability Identifiers

Exodus Intelligence: EIP-adf3136a
MITRE CVE: Pending

Vulnerability Metrics

CVSSv2 Score: 7.5

Vendor References

https://www.foxit.com/support/security-bulletins.html

Discovery Credit

Exodus Intelligence

Disclosure Timeline

Disclosed to affected vendors: February 24th, 2021
Disclosed to public: July 27th, 2021

Further Information

Readers of this advisory who are interested in receiving further details around the vulnerability, mitigations, detection guidance, and more can contact us at sales@exodusintel.com.

Researchers who are interested in monetizing their 0Day and NDay can work with us through our Research Sponsorship Program.

Foxit PhantomPDF ConnectedPDF DocSearch_Locator_Table SQL Injection Remote Code Execution Vulnerability

December 2, 2021August 24, 2021 by Exodus Intel VRT

EIP-68b878c6

The vulnerability exists within the ConnectedPDF service, implemented by the FoxitPhantomConnectedPDFService.exe binary. The service listens for connections on TCP port 44440 on localhost and fails to sanitize input data before using it to construct SQL queries. This allows arbitrary files to be written under the context of the user running PhantomPDF. An attacker can create a specially crafted PDF file that will abuse this vulnerability to achieve remote code execution. Each message has a Type field, denoting the message type. The vulnerability resides in the processing of message type 1004, the handler of which is characterized by string references such as “DocSearch_Locator_Table”.

Vulnerability Identifiers

Exodus Intelligence: EIP-68b878c6
MITRE CVE: Pending

Vulnerability Metrics

CVSSv2 Score: 7.5

Vendor References

https://www.foxit.com/support/security-bulletins.html

Discovery Credit

Exodus Intelligence

Disclosure Timeline

Disclosed to affected vendors: February 24th, 2021
Disclosed to public: July 27th, 2021

Further Information

Readers of this advisory who are interested in receiving further details around the vulnerability, mitigations, detection guidance, and more can contact us at sales@exodusintel.com.

Researchers who are interested in monetizing their 0Day and NDay can work with us through our Research Sponsorship Program.

Foxit PhantomPDF ConnectedPDF ConnectedPDF_DRM_Table SQL Injection Remote Code Execution Vulnerability

December 2, 2021August 24, 2021 by Exodus Intel VRT

EIP-962d432f

The vulnerability exists within the ConnectedPDF service, implemented by the FoxitPhantomConnectedPDFService.exe binary. The service listens for connections on TCP port 44440 on localhost and fails to sanitize input data before using it to construct SQL queries. This allows arbitrary files to be written under the context of the user running PhantomPDF. An attacker can create a specially crafted PDF file that will abuse this vulnerability to achieve remote code execution. Each message has a Type field, denoting the message type. The vulnerability resides in the processing of message type 1003, the handler of which is characterized by string references such as “ConnectedPDF_DRM_Table”.

Vulnerability Identifiers

Exodus Intelligence: EIP-962d432f
MITRE CVE: Pending

Vulnerability Metrics

CVSSv2 Score: 7.5

Vendor References

https://www.foxit.com/support/security-bulletins.html

Discovery Credit

Exodus Intelligence

Disclosure Timeline

Disclosed to affected vendors: February 24th, 2021
Disclosed to public: July 27th, 2021

Further Information

Readers of this advisory who are interested in receiving further details around the vulnerability, mitigations, detection guidance, and more can contact us at sales@exodusintel.com.

Researchers who are interested in monetizing their 0Day and NDay can work with us through our Research Sponsorship Program.

Foxit PhantomPDF ConnectedPDF DocUpdate_Notify_Table SQL Injection Remote Code Execution Vulnerability

December 2, 2021August 24, 2021 by Exodus Intel VRT

EIP-6eceec3d

The vulnerability exists within the ConnectedPDF service, implemented by the FoxitPhantomConnectedPDFService.exe binary. The service listens for connections on TCP port 44440 on localhost and fails to sanitize input data before using it to construct SQL queries. This allows arbitrary files to be written under the context of the user running PhantomPDF. An attacker can create a specially crafted PDF file that will abuse this vulnerability to achieve remote code execution. Each message has a Type field, denoting the message type. The vulnerability resides in the processing of message type 1007, the handler of which is characterized by string references such as “DocUpdate_Notify_Table”.

Vulnerability Identifiers

Exodus Intelligence: EIP-6eceec3d
MITRE CVE: Pending

Vulnerability Metrics

CVSSv2 Score: 7.5

Vendor References

https://www.foxit.com/support/security-bulletins.html

Discovery Credit

Exodus Intelligence

Disclosure Timeline

Disclosed to affected vendors: February 24th, 2021
Disclosed to public: July 27th, 2021

Further Information

Readers of this advisory who are interested in receiving further details around the vulnerability, mitigations, detection guidance, and more can contact us at sales@exodusintel.com.

Researchers who are interested in monetizing their 0Day and NDay can work with us through our Research Sponsorship Program.

Foxit PhantomPDF extractPages Arbitrary File Write Remote Code Execution Vulnerability

December 2, 2021August 24, 2021 by Exodus Intel VRT

EIP-a5cba843

The vulnerability exists within the JavaScript PDF API exposed by Foxit PhantomPDF. The extractPages method of the Document object does not properly validate the export path argument, allowing arbitrary files to be written under the context of the user running PhantomPDF. An attacker can create a specially crafted PDF file that will abuse this vulnerability to achieve remote code execution.

Vulnerability Identifiers

Exodus Intelligence: EIP-a5cba843
MITRE CVE: Pending

Vulnerability Metrics

CVSSv2 Score: 7.5

Vendor References

https://www.foxit.com/support/security-bulletins.html

Discovery Credit

Exodus Intelligence

Disclosure Timeline

Disclosed to affected vendors: February 24th, 2021
Disclosed to public: July 27th, 2021

Further Information

Readers of this advisory who are interested in receiving further details around the vulnerability, mitigations, detection guidance, and more can contact us at sales@exodusintel.com.

Researchers who are interested in monetizing their 0Day and NDay can work with us through our Research Sponsorship Program.

Foxit PhantomPDF loadHtmlView Context Level Bypass Vulnerability

December 2, 2021August 23, 2021 by Exodus Intel VRT

EIP-617871b4

The vulnerability exists within the JavaScript PDF API exposed by Foxit PhantomPDF. The loadHtmlView method of the app object invokes attacker-controlled JavaScript code in a privileged context. An attacker can create a specially crafted PDF file that will abuse this vulnerability to bypass the context based security mechanism of the JS PDF API.

Vulnerability Identifiers

Exodus Intelligence: EIP-617871b4
MITRE CVE: Pending

Vulnerability Metrics

CVSSv2 Score: 6.8

Vendor References

https://www.foxit.com/support/security-bulletins.html

Discovery Credit

Exodus Intelligence

Disclosure Timeline

Disclosed to affected vendors: February 24th, 2021
Disclosed to public: July 27th, 2021

Further Information

Readers of this advisory who are interested in receiving further details around the vulnerability, mitigations, detection guidance, and more can contact us at sales@exodusintel.com.

Researchers who are interested in monetizing their 0Day and NDay can work with us through our Research Sponsorship Program.

EIP-d3400c52

Vulnerability Identifiers

Vulnerability Metrics

Vendor References

Discovery Credit

Disclosure Timeline

Further Information

EIP-035220ca

Vulnerability Identifiers

Vulnerability Metrics

Vendor References

Discovery Credit

Disclosure Timeline

Further Information

EIP-47ea5148

Vulnerability Identifiers

Vulnerability Metrics

Vendor References

Discovery Credit

Disclosure Timeline

Further Information

EIP-884255a1

Vulnerability Identifiers

Vulnerability Metrics

Vendor References

Discovery Credit

Disclosure Timeline

Further Information

EIP-adf3136a

Vulnerability Identifiers

Vulnerability Metrics

Vendor References

Discovery Credit

Disclosure Timeline

Further Information

EIP-68b878c6

Vulnerability Identifiers

Vulnerability Metrics

Vendor References

Discovery Credit

Disclosure Timeline

Further Information

EIP-962d432f

Vulnerability Identifiers

Vulnerability Metrics

Vendor References

Discovery Credit

Disclosure Timeline

Further Information

EIP-6eceec3d

Vulnerability Identifiers

Vulnerability Metrics

Vendor References

Discovery Credit

Disclosure Timeline

Further Information

EIP-a5cba843

Vulnerability Metrics

Vendor References

Discovery Credit

Disclosure Timeline

Further Information

EIP-617871b4

Vulnerability Identifiers

Vulnerability Metrics

Vendor References

Discovery Credit

Disclosure Timeline

Further Information

Intelligence

Support

Company