QNAP Android: Don’t Over Provide

The QNAP Android applications Qnotes 1.1.8.0128 and Qget 2.0.1.1029 suffer from unintended data leakage. A malicious process can use this vulnerability to gain access to cached data and logon credentials for the back-end NAS device.

Escaping the Avast sandbox

An Avast Sandbox escape, CVE-2016-4025, is possible due to a design flaw in the Avast DeepScreen feature.  It is likely that this flaw will remain in supported Avast products for some time.

‘Panda Security 2016 Home User’ privilege escalation

All Panda Security 2016 home user products for Windows are vulnerable to privilege escalation, CVE-2015-7378, which allows a local attacker to execute code as SYSTEM from any account (guest included), thus completely compromising the affected host.

‘Panda Security 2016 Business’ privilege escalation

Panda Endpoint Administration Agent allows a local attacker to elevate his privileges from any account type and execute code as SYSTEM, thus completely compromising the affected host, as described in CVE-2016-3943.

CVE-2015-7596 through CVE-2015-7598 & CVE-2015-7961 through CVE-2015-7967: SafeNet Authentication Service Agent vulnerabilities

Several SafeNet Authentication Service Agents could allow a local attacker to obtain privilege escalation due to weak ACLs assigned to subdirectories and executable modules of those products. A user with low privileges could modify and/or substitute executable modules which a high privileged user could later execute in their own security context. Further detail A PDF […]

‘QNAP Signage Station iArtist Lite’ SYSTEM for everyone (Part 3)

The QNAP iArtist Lite application is vulnerable to an uncontrolled search path element. This flaw can be leveraged by a low privileged user or malware to mount a binary file planting attack and obtain SYSTEM level access.