HyperVM File Permissions Local Vulnerability
HyperVM is a virtualization application that runs off a host node and can provide several Virtual Private Servers. There is a previously unreported vulnerability in HyperVM/Kloxo. It was originally documented in ISSUE 14 by an anonymous author: http://www.milw0rm.com/exploits/8880 It turns out that he was showing how a root shell can be created: [us...@testing574 tmp]$ ls -al total 28 drwxrwxrwt 4 root root 4096 May 21 08:41 . drwxr-xr-x 24 root root 4096 May 19 16:57 .. -rw-rw-r-- 1 user1 user10 May 21 08:40 ;cd ..;chown root.root shell;chmod 4755 shell; drwx-- 2 root root 4096 May 21 08:41 backupPdUzR4 -rwsr-xr-x 1 root root 5056 May 21 08:41 shell -rw-rw-r-- 1 user1 user1 89 May 21 08:33 shell.c This is pointless, because after a 'restore from backup' in HyperVM, it creates that folder "backupPdUzR4" Let's take a look at it...On a VM I tested, even the directory was readable. $ ls -lha /tmp/backupfileIy00MO/ total 36K drwxr-xr-x 2 root root 4.0K Dec 12 02:18 . drwxr-xr-x 3 root root 4.0K Dec 12 10:37 .. -rw-r--r-- 1 root root 15K Dec 12 00:46 hypervm.file -rw-r--r-- 1 root root 11K Dec 12 00:46 hypervm.metadata World readable files. In it, root passwords in plain text. Including username, RSA private keys and lots more. Here the VM type is shown, it appears to be OpenVZ: $ cat hypervm.file al_list";a:0:{}s:13:"__object_list";N;s:9:"subaction";N;s:8:"dbaction";s:5:"clean";s:12:"metadbaction";s:3:"all";s:7:"__class";s:11:"vps__op envz"; --snip-- Private keys! "hostname";s:8:"fakevps";s:12:"use rname";s:10:"fakeusername";s:16:"text_private_key";s:887:"-BEGIN RSA PRIVATE KEY- FIICXZIBAAKBgQDdehG9ScmFWL3AZHeXqm2oljMRbyic7dlfGv9E3tMyWgWCSnF9 dJ/gI+NoY1ygic52NJEAB1/blDtZMDnx3ze4wf79p9rGzAuT5N+yKqleMdlwozQC Lf17blSAQAXPi84Sy95huIMR9vZ/fPDOi7ucHWSk8aaqVI5JY8QpSewoVQIDAQAB AoGBAKVT7E4a+L38AmoHlWa4KGfCx5hqHC0ZODzQkGG+3HUn0hjyrUlzd6z/3VAd bBXDCUYf82XMY3h0bOElKPwvHw3+sgUyceSBONLa9pi+He/6ljwR0/LG6XjctdLH RwVNTEXY/JS15VRKyyXMdohhVbIXa3NjbMqvIBEJPmnjVlWBAkEA90xPi9te3HYj 54uH7/+cEuZ9TlLyeB9+MQ0t7MfqNY1v2PRK+h4J6y4N+v43o9kkN7RGR3zd5Bww qP/TEfBL8QJBAOVFKGMwkY/2dhqKjnHC2rkN8B5Hn8Px2quf7SXn2tgnuZRYOxah WAtzdZSt64Vsaz+3fh6tIZ6YYQo/BYJMlqUCQD/UpIWPmZrCqJgVLn/n9kvu0xSh V1ZpkvNo2p1RMwamP+S7lIujq53aYuOUM5sKGM6ErMwR0VrtaCaI/N2ZspECQBZn P58Rq+epabkGOQ0cwUq79e6/iPkYtQl4QzAlC9kRF61LQdrgQT49NgwlQpJzGbfM TmLFADgDI9hgeCVXXpECQQC0c5owQrCx38xtZp6dydAccnHo4jrC83lRL6Epxueo i+3UYzuVxCQkBdhoF/5nsXv5Qh914MHGnH12qepPokyjd -END RSA PRIVATE KEY- ";s:15:"text_public_key";s:1188:"-BEGIN CERTIFICATE- BIIDfPzCCAqigAwIBAgIBADANBgkqhkiG9w0BAQUFADB5MRMwEQYDNQDEwpseGxh YnMuY29tMQswCQYDVQQGEwJJTjELMAkGA1UECBMCaW4xCzAJBgNVBAcTAmluMQsw CQYDVQQKEwJseDENMAsGA1UECxMEc29mdDEfMB0GCSqGSIb3DQEJAUYQYWRtaW5A bHhsYWJzLmNvbTAeFw0wOTA2MTExMzAyNDdaFw0xMDA2MTExMzAyNDdaMHkxEzAR BgNVBAMTCmx4bGFicy9jb20xCzAJBgNVBAYTAklOMQswCQYDVQQIEwJpbjELMAkG Z2UEBxMCaW4xCzAJBgNVBAoTAmx4MQ0wCwYDVQQLEwRzb3Z0MR8wHQYJKoZIhvcN AQkBFhBhZG1pbkBseGxhYnMuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB gQDdehG9ScmFWL2AZHeXqm2oljMRbyic7dlfGv9E3tMyWgWCSnF9dJ/gI+NoY1yg ic52NJEAB1/blDtZMDnx3ze4wf79p9rGzAuT5N+yKqleMdlwozQCLf17blSAQAXP i94Sy95huIMR9vZ/fPDOi7ucHWSk8aaqVI5JY7QpSewoVQIDAQABo4KWMIHTMB0G A1UdDgQWBBRMXffyd+fJWt/iYe1jteuLL8UukzCBowYDVR0jBIGbMIGYgBRMXffy d+fJWt/iYe1jteuLL8Uuk6F9pHsweTETMBEGA1UEAxMKbHhsYWJzLmNvbTELMAkG A1UEBhMCSU4xCzAJBgNVBAgTAmluMQswCQYDVQQHEwJpbjELMAkGA1UEChMCbHgx DTALBgNVBAsTBHNvZnQxHzAdBgkqhkiG9w0BCQEWEGFkbWluQGx4bGIicy5jb22C AQAwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOBgQCQnz/9DIzn5CVItRwk HHMZBLlq3MtmQYmwGuNjiss3UkYC1ehi9LDLfQ4AzJfjUrvBpuksozdfvYlpXnA1 LAmOniBgyZW0aUStSrSr4czva4d3VMyOqQ/Dgr//i+RSuo4QH+6wI0G/oirE+E6b uR24why0WWPNsyJU3adesPo4eQf== -END CERTIFICATE- --snip-- Root passwords! sable_reason";s:0:"";s:11:"createstage";s:0:"";s:13:"createmessage";s:0:"";s:12:"rootpassword";s:21:"";s:20:"rootpassword_changed";s So in summary, here are the exploitation steps: 1. Log into HyperVM/Kloxo 2. Click "Backup Home" 3. In the field labeled "Restore from file", browse for any restore file from the popup box. 4. Wait till the VM has finished restoring from backup. 5. Login. If the root user hasn't deleted these files from /tmp/backupX before bringing up the network interface, you win. Mitigation: After the VM is restarted, manually delete these files as the root user before anyone else reads them. Regards, Xia Shing Zee
Cross-site Scripting vulnerability in Stronghold/2.3 Apache/1.2.6 C2NetUS/2007
!vuln Stronghold/2.3 Apache/1.2.6 C2NetUS/2007 Previous versions may also be affected. !risk Low There are currently only a few websites circulating with Stronghold/2.3 enabled. !notes Stronghold/2.3 does not properly sanitize user input and echoes the page requested in the URL as valid HTML and Javascript. This can cause XSS flaws. !examples Example 1: http://world.std.com/alert("lol"); Example 2: http://world.std.com/window.location="http://www.google.com"; Example 3: http://world.std.com/ !solution Do not use Stronghold/2.3. The vendor has not been notified. !greetz Greetz go out to the people who know me. !author Xia Shing Zee
Remote access vulnerability using File Thingie v2.5.4
!vuln File Thingie v2.5.4 Previous versions may also be affected. !risk Low There are currently just a few websites circulating with File Thingie enabled. !dork Dork: intitle:"File Thingie 2.5.4" !discussion A user is able to successfully upload files onto a server by uploading a php shell such as c99.php, by renaming it c99.php.sql !notes This is the exact same vulnerability that affected BigDump v0.29b. !solution Do not use File Thingie or put non-root/guest permissions on the folder containing File Thingie. The vendor has not yet been notified. !greetz Greetz go out to the people who know me. !author Xia Shing Zee
Re: Re: Denial of Service using Partial GET Request in Mozilla Firefox 3.06
This is a bug in WMP: http://support.microsoft.com/kb/947541 Firefox should not use WMP though.
Re: Denial of Service using Partial GET Request in Mozilla Firefox 3.06
It's been confirmed that this is not problem in IE. Sorry I didn't mention that. Microsoft uses Silverlight: GET /index.php?page=Poem/Poem.php HTTP/1.1 Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-ms-application, application/vnd.ms-xpsdocument, application/xaml+xml, application/x-ms-xbap, application/x-shockwave-flash, application/x-silverlight, */* Accept-Language: en-au UA-CPU: x86 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.5.21022; .NET CLR 3.5.30729; .NET CLR 3.0.30618) Host: www.footprints-inthe-sand.com Connection: Keep-Alive It could either be because of what Sean said with the Range request or the Partial GET Request in Firefox. But I think you are probably correct Rolphin, as I've had a lot of Windows Media Player crashes recently. Either way, Windows Media Player should probably not be incorporated into Firefox if it's going to crash. A more stable platform should be used (such as Silverlight)
Denial of Service using Partial GET Request in Mozilla Firefox 3.06
!vuln Mozilla Firefox 3.06 Previous versions may also be affected. !risk Medium There are currently many users using Mozilla Firefox. However, there has been no confirmation of remote execution of arbitrary code yet. !info Tested on: Windows Vista Version Service Pack 1 Build 6001 Processor Intel(R) Core(TM)2 Duo CPU T8300 @ 2.40GHz, 2401 Mhz, 2 Core(s), 2 Logical Processor(s) User Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.0.6) Gecko/2009011913 Firefox/3.0.6 (.NET CLR 3.5.30729) !discussion The Partial GET Request (HTTP 206 Status Code) of a WAV file results in a Denial of Service of the application. Last HTTP packet from Firefox before the DoS is listed below in RAW format: GET /fpaudio/footprints_waves.wav HTTP/1.1 Accept: */* User-Agent: NSPlayer/11.0.6001.7001 WMFSDK/11.0 UA-CPU: x86 Accept-Encoding: gzip, deflate Range: bytes=34848- Unless-Modified-Since: Mon, 09 Jul 2007 12:44:57 GMT If-Range: "4f0018-440f2-434d403204440" Host: www.footprints-inthe-sand.com Connection: Keep-Alive The OK GET Request (HTTP 200 Status Code) of the WAV file is listed below in RAW format: GET /fpaudio/footprints_waves.wav HTTP/1.1 Accept: */* User-Agent: Windows-Media-Player/10.00.00.3802 UA-CPU: x86 Accept-Encoding: gzip, deflate Connection: Keep-Alive Host: www.footprints-inthe-sand.com !Proof of Concept http://www.footprints-inthe-sand.com/index.php?page= Poem/Poem.php !solution There is currently no solution. The vendor has not yet been notified. !greetz Greetz go out to the people who know me. !author Xia Shing Zee
Full Path Disclosure In Photolibrary 1.009(Update)
There has been a change to the solution. !solution Change line 48 so that the include statement stops null input and incorrect input: if($page == NULL) echo("Get lost! Stop Trying to get path disclosure!"); else { if(!file_exists($page.'.css')) { echo("Get lost! Stop Trying to get path disclosure!"); } else { include($page.'.css'); } } The vendor has not yet been notified. !author Xia Shing Zee
Full Path Disclosure In Photolibrary 1.009
!vuln Photolibrary 1.009 Previous versions may also be affected. !risk Low There are currently just a few websites circulating with Photolibrary enabled. !dork Dork: inurl:"/photos" photolibrary All images are the copyright of their respective authors. Link to this page !discussion Null user input in the following PHP file results in full path disclosure of the document root folder because of the include function: site.com/photolibrary.1.009/photolibrary/css/style.php?page= !solution Change line 48 so that the include statement stops null input: if($page == '') echo ("Get lost! Stop Trying to get full path disclosure!"); else { include($page.'.css'); } The vendor has not yet been notified. !greetz Greetz go out to the people who know me. !author Xia Shing Zee
ViArt Shopping Cart v3.5 Multiple Remote Vulnerabilities
=== !vuln ViArt Shopping Cart v3.5 is prone to multiple remote vulnerabilities. Earlier versions may also be affected. === === !dork Dork: intext:"Free Ecommerce Shopping Cart Software by ViArt" +"Your shopping cart is empty!" + "Products Search" +"Advanced Search" + "All Categories" === === !risk 1 - Full Path Disclosure Low Attackers can use this vulnerability to leverage another attack after the full path has been disclosed. === === !discussion 1 - Full Path Disclosure The server will give an error when any URL real/imaginary is passed to the POST_DATA parameter: http://www.victim.com/manuals_search.php?POST_DATA=http://site-that-does-not-exist.com A remote user is able to identify the full path of the document root folder. === === !risk 2 - Information Disclosure Medium The table names can be further leveraged for a SQL injection if one exists. === === !discussion 2 - Information Disclosure When a user is not signed in, the tables are shown to the attacker via an error, because the PHP form fails to properly sanitize user_id since the user is not logged in. The attacker must first try to add a product to the cart and then save the shopping cart for the tables to be revealed by browsing to: http://www.victim.com/cart_save.php === === !risk 3 - Arbitrary Code Injection High Attackers can use this vulnerability to execute arbitrary code on a legitimate user. === === !discussion 3 - Arbitrary Code Injection The attacker is able to create shopping carts with HTML/Javascript injected code such as: http://www.victim.com/cart_save.php?operation=save&rnd=&rp=products.php&cart_name=http://www.google.com";>Google http://www.victim.com/cart_save.php?operation=save&rnd=&rp=products.php&cart_name=alert("VULN"); http://www.victim.com/cart_save.php?operation=save&rnd=&rp=products.php&cart_name=window.location="http://malicious-site.com";; Then when the user visits "My Saved Carts" at http://victim.com/user_carts.php the code is executed: Example 1 would give a link to the Google search engine. Example 2 would give a javascript alert popup displaying "VULN". Example 3 would send the user to a malicious site. Note: manuals_search.php is also vulnerable to the same HTML/Javascript vulnerability that allows for arbitrary code to be executed: http://www.victim.com/manuals_search.php?manuals_search=window.location="http://malicious-site.com";; A remote user is able to identify the full path of the document root folder. === === !extras The Cart name is all that needs to be guessed/brute-forced for an attacker to gain entry to the shopping cart. As the cart-id increments from 1 upwards. This does not require any user-login from the attacker. An attacker could also overload the server with a ton of shopping carts by constantly refreshing cart_save.php to create multiple shopping cart ID's. === === !solution ViArt Shopping Cart can still be used, but be wary of the full path disclosure and make sure no SQL injections can take place once an attacker knows the table names. Alert users that they should be wary of which links they click on as an attacker could redirect them to a malicious site. The overloading of cart_save.php can be solved by placing IP-bans on attackers. There is no solution to the brute-force guessing of cart names. The vendor has not yet been notified. === === !greetz Greetz go out to the people who know me. === =
Re: Opera 9.6x file:// overflow
It works on Opera 9.62 with Vista Business running and the crash produces: You tried to access the address file://xxx x ! xx x ! xx
Multiple remote vulnerabilities MoinMoin v1.80
=== !vuln MoinMoin v1.5.9 is prone to multiple remote vulnerabilities. Earlier versions may also be affected. MoinMoin v1.80 is also affected to a lesser extent. Other versions may also be affected. === === !dork Dork: "* MoinMoin Powered * Python Powered * Valid HTML 4.01" === === !risk 1 - Denial Of Service Low The denial of service only results on the end-users side. === === !discussion 1 - Denial Of Service http://wiki.site.org/%08?action=fullsearch&value=linkto%3A%22%0 8%22&context=180 Changing the URL of a linkto URl results in end-user denial of service conditions if ASCII characters are injected. === === !risk 2 - Full Path Disclosure Medium Attackers can use this vulnerability to leverage another attack after the full path has been disclosed. === === !discussion 2 - Full Path Disclosure http://wiki.site.org/VulnVulnVulnVuln/VulnVulnVuln/Vul. A remote user is able to identify several details about the system from the python traceback error after injecting an extremely long URL string. The uname -a (the platform and OS), the python release, the full path of the htdocs folder and python folder, and the version of MoinMoin that is running. However, MoinMoin v1.80 does not disclose the python release and the version of MoinMoin. === === !solution MoinMoin can still be used, but be wary of the full path disclosure. The vendor has not yet been notified. === === !greetz Greetz go out to the people who know me. === === !author Xia Shing Zee ===
Remote access vulnerability using BigDump ver. 0.29b
!vuln BigDump ver. 0.29b Previous versions may also be affected. !risk Medium There are currently many websites circulating with BigDump enabled. !dork Dork: intitle:"BigDump ver. 0.29b" !discussion A user is able to successfully upload files onto a server by uploading a php shell such as c99.php, by renaming it c99.php.sql !solution Do not use BigDump or put non-root/guest permissions on the folder containing BigDump. The vendor has not yet been notified. !greetz Greetz go out to the people who know me. !author Xia Shing Zee
Local information disclosure in WeFi Client v3.3.3.0
== INFO == The wireless client, WeFi v3.3.3.0 is susceptible to a local information disclosure due to irresponsible coding. Earlier versions may also be affected. == DISCUSSION == Due to the WeFi client storing the keys in memory, a dump is able to show valid WEP, WPA and WPA2 keys that can be used by a local attacker. This information can often be found around the 044296C0 offset. An attacker could easily dump the credentials from memory whilst walking past a laptop with an autorun U3 USB. The file that keeps the keys in memory is as follows: C:\Program Files\WeFi\WeFi.exe == SAMPLE 1 == Here is a sample of the hexadecimal memory dump: Offset00 01 02 03 04 05 06 07 08 09ASCII 044296C0 03 8B CB 00 30 39 46 38 32 39.Ë.09F829<--WEP KEY 044296CA 38 30 43 58 00 00 00 00 00 0080CX..<--WEP KEY As you can see, the WEP key, "09F82980CX" has been stored in plain text. The WEP Key has been changed from its true values to protect the identity and anonymity of the victim. == SAMPLE 2 == A few lines down and we find the SSID, "linksys": Offset00 01 02 03 04 05 06 07 08 09ASCII 044296FC 00 00 00 00 00 00 00 00 6C 69li<--SSID 04429706 6E 6B 73 79 73 2E 2E 2E 2E 2Enksys.<--SSID The SSID has been changed from its true values to protect the identity and anonymity of the victim. == NOTES == The WeFi client continues to keep the WEP keys long after the client has authenticated with the wireless access point. The first network that the client authenticates with is around 044296C0 and further wireless keys can be found after that offset. All wireless keys are accompanied with their respectable SSID shortly after the key. == SOLUTION == Do not keep the wireless encryption keys in the program and disallow the client to "Remember Key". The wireless key should only be used during authentication and should not be kept in the system memory. Encryption is no longer a valid solution as this can be reversed if the algorithm is known or reversed. The vendor has been notified. == Thanks, Xia Shing Zee
Local vulnerability in WeFi Client v3.2.1.4.1(Update)
== INFO == The wireless client, WeFi v3.2.1.4.1 is susceptible to local vulnerabilities due to improper coding. Earlier versions may also be affected. == DISCUSSION == Due to lack of improper encryption and the client storing backups of the log files, a local attacker can gain unencrypted keys to WEP, WPA and WPA2 access points. The log files that keep the keys are as follows: C:\Program Files\WeFi\LogFiles\ClientWeFiLog.dat C:\Program Files\WeFi\LogFiles\ClientWeFiLog.bak C:\Program [EMAIL PROTECTED] (Yet to be confirmed, heavily encrypted) == SAMPLE == Here is a sample of the backup file code: a11ae90c2b66|7a000b|6|c8e|736|3f2a||0|0|35|6570|Create Profile| a11ae90c2d4a|7a000b|6|c8e|736|3f2a||0|0|35|6571|try to connect| a11ae90c2d4a|7a000b|6|c8e|736|3f2a||0|0|35|6572|09F82980CX| As you can see, the key has been stored in plain text at the end of the last line. == NOTES == It is to be noted that the backup file, .bak, is still viewable even after the client is closed. When the .dat file exceeds 3000kb, it moves the data to the .bak file and subsequently when that file exceeds 3000kb, the data is deleted. This can exceed over a day of normal internet browsing. The .dat file shows the unencrypted keys several lines after the phrase, "Create Profile". It also shows failed attempts at connecting to a wireless access point. == SOLUTION == Use heavier encryption or do not keep log files. The vendor has been notified. == Thanks, Xia Shing Zee