From 38d804d07d61f25520f302a2f702f77cd4615a07 Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Sun, 6 Dec 2015 05:02:03 +0000
Subject: [PATCH] DB: 2015-12-06 1 new exploits
---
 files.csv | 1 +
 platforms/windows/local/38871.txt | 75 +++++++++++++++++++++++++++++++
 2 files changed, 76 insertions(+)
 create mode 100755 platforms/windows/local/38871.txt
diff --git a/files.csv b/files.csv
index 5de3dd48a..c27dc4f57 100755
--- a/files.csv
+++ b/files.csv
@@ -35136,3 +35136,4 @@ id,file,description,date,author,platform,type,port
 38868,platforms/php/webapps/38868.txt,"Wordpress Plugin Sell Download v1.0.16 - Local File Disclosure",2015-12-04,KedAns-Dz,php,webapps,0
 38869,platforms/php/webapps/38869.txt,"Wordpress Plugin TheCartPress v1.4.7 - Multiple Vulnerabilities",2015-12-04,KedAns-Dz,php,webapps,0
 38870,platforms/php/webapps/38870.txt,"WordPress Easy Career Openings Plugin 'jobid' Parameter SQL Injection Vulnerability",2013-12-06,Iranian_Dark_Coders_Team,php,webapps,0
+38871,platforms/windows/local/38871.txt,"Cyclope Employee Surveillance <= v8.6.1- Insecure File Permissions",2015-12-06,loneferret,windows,local,0
diff --git a/platforms/windows/local/38871.txt b/platforms/windows/local/38871.txt
new file mode 100755
index 000000000..6dfd8dfac
--- /dev/null
+++ b/platforms/windows/local/38871.txt
@@ -0,0 +1,75 @@
+# Author: loneferret of Offensive Security
+# Product: Cyclope Employee Surveillance Solution (again)
+# Version: <= 6.8.1
+# Vendor Site: http://www.cyclope-series.com/
+# Software Download: http://www.cyclope-series.com/download/index.html
+# Link: http://www.cyclope-series.com/setups/setup.exe
+
+# Software description:
+# The employee monitoring software developed by Cyclope-Series is specially designed to inform
+# and equip management with statistics relating to the productivity of staff within their organization.
+
+# Vulnerability:
+# Due to insecure file Permissions, a low privileged could potentially
+# delete, modify or replace many of the key executable files used, and needed
+# by the software.
+
+# Although I haven't checked older versions, I do recall seeing the same file
+# permissions being set. Making this software extremely prone to lots of fun stuff.
+
+''' File Information '''
+A few files with odd-ball permission. Keep in mind all files are like this.
+All files in c:\xampplite, as well as in Program Files.
+The "CyclopeClient.exe" is is what is pushed to workstation in order to monitor
+employees. As we can see, this file's permission is set to "Everybody". So is the
+uninstaller executable.
+
+So gain access to the system, and as a low privileged user one can
+easily replace httpd.exe or mysqld.exe, with an evil EXE file.
+Next time that file is executed, you'll get your shell as SYSTEM.
+Although they'll be out of a service...bummer
+
+
+# C:\xampplite\mysql\bin>icacls mysqld.exe
+# mysqld.exe BUILTIN\Administrators:(I)(F)
+# NT AUTHORITY\SYSTEM:(I)(F)
+# BUILTIN\Users:(I)(RX)
+# NT AUTHORITY\Authenticated Users:(I)(M)
+#
+# Successfully processed 1 files; Failed processing 0 files
+----
+
+# C:\xampplite\apache\bin>icacls httpd.exe
+# httpd.exe BUILTIN\Administrators:(I)(F)
+# NT AUTHORITY\SYSTEM:(I)(F)
+# BUILTIN\Users:(I)(RX)
+# NT AUTHORITY\Authenticated Users:(I)(M)
+#
+# Successfully processed 1 files; Failed processing 0 files
+----
+
+# C:\xampplite\mysql\bin>icacls mysql.exe
+# mysql.exe BUILTIN\Administrators:(I)(F)
+# NT AUTHORITY\SYSTEM:(I)(F)
+# BUILTIN\Users:(I)(RX)
+# NT AUTHORITY\Authenticated Users:(I)(M)
+#
+# Successfully processed 1 files; Failed processing 0 files
+----
+
+# C:\Program Files\Cyclope\Client>icacls CyclopeClient.exe
+# CyclopeClient.exe Everyone:(F)
+#
+# Successfully processed 1 files; Failed processing 0 files
+----
+
+# C:\Program Files\Cyclope>icacls unins000.exe
+# unins000.exe Everyone:(F)
+#
+# Successfully processed 1 files; Failed processing 0 files
+..
+..
+etc..
+..
+..
+Way too many files to list, essentially whatever this thing installs it's up for grabs.
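Review bot: The affected-version string disagrees between the two files in this commit: the advisory header reads `# Version: <= 6.8.1` while the new files.csv row reads `<= v8.6.1`, so one of them is transposed and should be corrected before anyone uses it to decide whether an install is in scope. The prose also says the permission is set to "Everybody" where the icacls output prints `Everyone:(F)`, and "a low privileged could potentially" is missing the word "user". The listings show `Authenticated Users:(I)(M)` with the `(I)` inherited flag on the xampplite binaries, so the weak entry presumably comes from a parent folder ACL, whereas `Everyone:(F)` on the two Cyclope executables carries no inherited flag; the advisory does not say this and gives no remediation. A closing line would cover it, for example `# Mitigation: remove Modify for Authenticated Users on the c:\xampplite tree and replace Everyone:(F) under Program Files\Cyclope with read/execute for Users; audit with icacls after each upgrade.`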