bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/java/remote/39854.txt
Offensive Security ed0e1e4d44 DB: 2018-09-25 
1979 changes to exploits/shellcodes

Couchdb 1.5.0 - 'uuids' Denial of Service
Apache CouchDB 1.5.0 - 'uuids' Denial of Service

Beyond Remote 2.2.5.3 - Denial of Service (PoC)
udisks2 2.8.0 - Denial of Service (PoC)
Termite 3.4 - Denial of Service (PoC)
SoftX FTP Client 3.3 - Denial of Service (PoC)

Silverstripe 2.3.5 - Cross-Site Request Forgery / Open redirection
SilverStripe CMS 2.3.5 - Cross-Site Request Forgery / Open Redirection

Silverstripe CMS 3.0.2 - Multiple Vulnerabilities
SilverStripe CMS 3.0.2 - Multiple Vulnerabilities

Silverstripe CMS 2.4 - File Renaming Security Bypass
SilverStripe CMS 2.4 - File Renaming Security Bypass

Silverstripe CMS 2.4.5 - Multiple Cross-Site Scripting Vulnerabilities
SilverStripe CMS 2.4.5 - Multiple Cross-Site Scripting Vulnerabilities

Silverstripe CMS 2.4.7 - 'install.php' PHP Code Injection
SilverStripe CMS 2.4.7 - 'install.php' PHP Code Injection

Silverstripe Pixlr Image Editor - 'upload.php' Arbitrary File Upload
SilverStripe CMS Pixlr Image Editor - 'upload.php' Arbitrary File Upload

Silverstripe CMS 2.4.x - 'BackURL' Open Redirection
SilverStripe CMS 2.4.x - 'BackURL' Open Redirection

Silverstripe CMS - 'MemberLoginForm.php' Information Disclosure
SilverStripe CMS - 'MemberLoginForm.php' Information Disclosure

Silverstripe CMS - Multiple HTML Injection Vulnerabilities
SilverStripe CMS - Multiple HTML Injection Vulnerabilities

Apache CouchDB 1.7.0 and 2.x before 2.1.1 - Remote Privilege Escalation
Apache CouchDB 1.7.0 / 2.x < 2.1.1 - Remote Privilege Escalation

Monstra CMS before 3.0.4 - Cross-Site Scripting
Monstra CMS < 3.0.4 - Cross-Site Scripting (2)

Monstra CMS < 3.0.4 - Cross-Site Scripting
Monstra CMS < 3.0.4 - Cross-Site Scripting (1)
Navigate CMS 2.8 - Cross-Site Scripting
Collectric CMU 1.0 - 'lang' SQL injection
Joomla! Component CW Article Attachments 1.0.6 - 'id' SQL Injection
LG SuperSign EZ CMS 2.5 - Remote Code Execution
MyBB Visual Editor 1.8.18 - Cross-Site Scripting
Joomla! Component AMGallery 1.2.3 - 'filter_category_id' SQL Injection
Joomla! Component Micro Deal Factory 2.4.0 - 'id' SQL Injection
RICOH Aficio MP 301 Printer - Cross-Site Scripting
Joomla! Component Auction Factory 4.5.5 - 'filter_order' SQL Injection
RICOH MP C6003 Printer - Cross-Site Scripting

Linux/ARM - Egghunter (PWN!) + execve(_/bin/sh__ NULL_ NULL) Shellcode (28 Bytes)
Linux/ARM - sigaction() Based Egghunter (PWN!) + execve(_/bin/sh__ NULL_ NULL) Shellcode (52 Bytes)
2018-09-25 05:01:51 +00:00

96 lines
No EOL
4.2 KiB
Text
Raw Blame History

Mogwai Security Advisory MSA-2016-01
----------------------------------------------------------------------
Title: PowerFolder Remote Code Execution Vulnerability
Product: PowerFolder Server
Affected versions: 10.4.321 (Linux/Windows) (Other version might be also affected)
Impact: high
Remote: yes
Product link: https://www.powerfolder.com
Reported: 02/03/2016
by: Hans-Martin Muench (Mogwai, IT-Sicherheitsberatung Muench)
Vendor's Description of the Software:
----------------------------------------------------------------------
PowerFolder is the leading on-premise solution for file synchronization
and collaboration in your organization. PowerFolder Business Suite and
PowerFolder Enterprise Suite both offer a fully integrated and secure
solution for backup, synchronization and collaboration.
Support for federated RADIUS, LDAP and RESTful APIs allow PowerFolder
to blend in perfectly into your environment while all data is stored
on your own IT infrastructure, ensuring that your data remains 100%
under your control.
Business recommendation:
-----------------------------------------------------------------------
Apply patches that are provided by the vendor. Restrict access to the
PowerFolder port, as the vulnerability might be exploited with other gadgets.
CVSS2 Ratings
-----------------------------------------------------------------------
CVSS Base Score: 9.3
Impact Subscore: 10
Exploitability Subscore: 8.6
CVSS v2 Vector (AV:N/AC:M/Au:N/C:C/I:C/A:C)
-----------------------------------------------------------------------
Vulnerability description:
----------------------------------------------------------------------
The PowerFolder server and client are written in Java. Data exchange is mainly
done via serialized objects that are send over a dedicated port (TCP port 1337).
This service allows deserialization of untrusted data, which can be exploited to
execute arbitrary code.[1][2]
The tested PowerFolder version contains a modified version of the Java
library "ApacheCommons". In this version, the PowerFolder developers removed
certain dangerous classes like
org.apache.commons.collections.functors.InvokerTransformer
however, exploitation is still possible using another gadget chain [3].
Proof of concept:
----------------------------------------------------------------------
A simple PoC can be found here:
https://github.com/h0ng10/powerfolder-exploit-poc
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/39854.zip
Disclosure timeline:
----------------------------------------------------------------------
10/02/2016: Bug discovered during pentest preparation
02/03/2016: Initial contact via vendor support form
02/03/2016: Response from vendor, asking for additional details
02/03/2016: Sending description, including a very simple PoC
07/03/2016: Response from PowerFolder developers, they are unable to reproduce
the issue
07/03/2016: Response from Mogwai Security, will develop a improved PoC exploit
12/03/2016: Providing an improved exploit PoC that does not only work in LAN
networks
21/03/2016: Requesting an update from the developers
21/03/2016: Phone call with PowerFolder developers
21/03/2016: Additional response from PowerFolder, they plan to release a
security update at the end of the month
01/04/2016: Release of PowerFolder 10 SP5, including vulnerability
acknowledgement [4]
References:
----------------------------------------------------------------------
[1] https://frohoff.github.io/appseccali-marshalling-pickles/
[2] https://www.youtube.com/watch?v=VviY3O-euVQ
[3] https://github.com/frohoff/ysoserial/blob/master/src/main/java/ysoserial/payloads/CommonsCollections3.java
[4] https://wiki.powerfolder.com/display/PFC/PowerFolder+Client+10+SP5
Advisory URL:
----------------------------------------------------------------------
https://www.mogwaisecurity.de/#lab
----------------------------------------------------------------------
Mogwai, IT-Sicherheitsberatung Muench
Gutenbergstrasse 2
89231 Neu-Ulm (Germany)
info@mogwaisecurity.de
Reference in a new issue View git blame Copy permalink