Found 26 bookmarks
Newest
Cisco warns of ISE and CCP flaws with public exploit code
Cisco warns of ISE and CCP flaws with public exploit code
Cisco has released patches to address three vulnerabilities with public exploit code in its Identity Services Engine (ISE) and Customer Collaboration Platform (CCP) solutions. The most severe of the three is a critical static credential vulnerability tracked as CVE-2025-20286, found by GMO Cybersecurity's Kentaro Kawane in Cisco ISE. This identity-based policy enforcement software provides endpoint access control and network device administration in enterprise environments. The vulnerability is due to improperly generated credentials when deploying Cisco ISE on cloud platforms, resulting in shared credentials across different deployments. Unauthenticated attackers can exploit it by extracting user credentials from Cisco ISE cloud deployments and using them to access installations in other cloud environments. However, as Cisco explained, threat actors can exploit this flaw successfully only if the Primary Administration node is deployed in the cloud. "A vulnerability in Amazon Web Services (AWS), Microsoft Azure, and Oracle Cloud Infrastructure (OCI) cloud deployments of Cisco Identity Services Engine (ISE) could allow an unauthenticated, remote attacker to access sensitive data, execute limited administrative operations, modify system configurations, or disrupt services within the impacted systems," the company explained.
#bleepingcomputer#EN#2025#CVE-2025-20286#Cisco#Cisco-Customer-Collaboration-Platform#Credentials#Exploit#Hotfix#Identity-Services-Engine#Patch#Proof-of-Concept#Vulnerability
·bleepingcomputer.com·
Cisco warns of ISE and CCP flaws with public exploit code
[CVE-2025-37752] Two Bytes Of Madness: Pwning The Linux Kernel With A 0x0000 Written 262636 Bytes Out-Of-Bounds
[CVE-2025-37752] Two Bytes Of Madness: Pwning The Linux Kernel With A 0x0000 Written 262636 Bytes Out-Of-Bounds
CVE-2025-37752 is an Array-Out-Of-Bounds vulnerability in the Linux network packet scheduler, specifically in the SFQ queuing discipline. An invalid SFQ limit and a series of interactions between SFQ and the TBF Qdisc can lead to a 0x0000 being written approximately 256KB out of bounds at a misaligned offset. If properly exploited, this can enable privilege escalation. Spray sfq_slots in kmalloc-64 to prevent an immediate kernel crash when the bug is triggered. Prevent a type-confused skb from being dequeued by reconfiguring the TBF Qdisc. Drop TBF rate and add packet overhead before the OOB write occurs. Use the 0x0000 written 262636 bytes OOB to corrupt the pipe->files field of a named pipe, free the pipe, cause page-level UAF and get arbitrary R/W in that page. Reclaim the freed page with signalfd files and use the page-level R/W primitive to swap file->private_data with file->f_cred. * Get root by overwriting the process credentials with zeros via signalfd4().bounds at a misaligned offset. If properly exploited, this can enable privilege escalation.
#syst3mfailure.io#EN#2025#CVE-2025-37752#kernelCTF#linux#kernel#pwn#exploit#oob#out-of-bounds#vulnerability
·syst3mfailure.io·
[CVE-2025-37752] Two Bytes Of Madness: Pwning The Linux Kernel With A 0x0000 Written 262636 Bytes Out-Of-Bounds
PoC exploit released for RCE zero-day in D-Link EXO AX4800 routers
PoC exploit released for RCE zero-day in D-Link EXO AX4800 routers
The D-Link EXO AX4800 (DIR-X4860) router is vulnerable to remote unauthenticated command execution that could lead to complete device takeovers by attackers with access to the HNAP port.
#bleepingcomputer#EN#2024#Authentication-Bypass#D-Link#Exploit#Proof-of-Concept#Remote-Command-Execution#Router#Vulnerability#Zero-Day#Security#InfoSec#Computer-Security
·bleepingcomputer.com·
PoC exploit released for RCE zero-day in D-Link EXO AX4800 routers
Bringing process injection into view(s): exploiting all macOS apps using nib files · Sector 7
Bringing process injection into view(s): exploiting all macOS apps using nib files · Sector 7
In a previous blog post we described a process injection vulnerability affecting all AppKit-based macOS applications. This research was presented at Black Hat USA 2022, DEF CON 30 and Objective by the Sea v5. This vulnerability was actually the second universal process injection vulnerability we reported to Apple, but it was fixed earlier than the first. Because it shared some parts of the exploit chain with the first one, there were a few steps we had to skip in the earlier post and the presentations. Now that the first vulnerability has been fixed in macOS 13.0 (Ventura) and improved in macOS 14.0 (Sonoma), we can detail the first one and thereby fill in the blanks of the previous post. This vulnerability was independently found by Adam Chester and written up here under the name “DirtyNIB”. While the exploit chain demonstrated by Adam shares a lot of similarity to ours, our attacks trigger automatically and do not require a user to click a button, making them a lot more stealthy. Therefore we decided to publish our own version of this write-up as well.
#sector7#EN#2024#macos#nib#exploit#research#vulnerability#DirtyNIB
·sector7.computest.nl·
Bringing process injection into view(s): exploiting all macOS apps using nib files · Sector 7
smith (CVE-2023-32434)
smith (CVE-2023-32434)
This write-up presents an exploit for a vulnerability in the XNU kernel: Assigned CVE-2023-32434. Fixed in iOS 16.5.1 and macOS 13.4.1. Reachable from the WebContent sandbox and might have been actively exploited. *Note that this CVE fixed multiple integer overflows, so it is unclear whether or not the integer overflow used in my exploit was also used in-the-wild. Moreover, if it was, it might not have been exploited in the same way. The exploit has been successfully tested on: iOS 16.3, 16.3.1, 16.4 and 16.5 (iPhone 14 Pro Max) macOS 13.1 and 13.4 (MacBook Air M2 2022) All code snippets shown below are from xnu-8792.81.2.
#Poulin-Bélanger#EN#2023#exploit#analysis#vulnerability#github#macos#ios#CVE-2023-32434
·github.com·
smith (CVE-2023-32434)