Posts Tagged ‘ анализа

Constructr CMS 3.03 Multiple Remote Vulnerabilities (XSS/SQLi)

The CMS suffers from several vulnerabilities (SQL and XSS). The sql issue can be triggered when the app tries to parse malicious arguments to the ‘page_id’ in the /xmlOutput/constructrXmlOutput.content.xml.php script with user input not validated. The result can be seen in the source code of the page itself. The xss issue (GET) is thru ‘user’ and ‘hash’ parameter in the /backend/login.php script.

——————————————————————————–

32: $PAGE_ID = $_REQUEST['page_id'];

40: $select_content = $conContent -> query(”
41: SELECT *
42: FROM $DB_TABLE_CONSTRUCTR_CONTENT
43: WHERE page_id = ‘$PAGE_ID’
44: ORDER BY sort ASC
45: “)or die(mysql_error());

51: while ($all_content = $conContent -> fetch_array($select_content))
52: {
53: $id = $all_content['id'];
54: $page_id = $all_content['page_id'];

——————————————————————————–

Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5001.php

2011
03/11
POSTED BY
CATEGORY
Internal
Comments Off

Macro Express Pro 4.2.2.1 MXE File Syntactic Analysis Buffer Overflow PoC

A buffer overflow vulnerability has been identified in Macro Express Pro, possibly this vuln may exist in the regular version and older versions of Macro Express and Macro Express Pro. We’ve reported the issue to the vendor thru their bug reporting system (http://www.macros.com/bugreport.htm) and did not receive any response for confirmation or cooperation.

We’ve managed to overwrite few registers while debugging the application, thus executed arbitrary code on the affected system.

You can take a look at the advisory here: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-4986.php

2011
01/10
POSTED BY
CATEGORY
Internal
Comments Off

Exponent CMS v0.97 Multiple Vulnerabilities

Vendor: OIC Group Inc.
Product web page: http://www.exponentcms.org
Affected version: 0.97

Summary: Open Source Content Management System (PHP+MySQL).

Desc: Exponent CMS suffers from multiple vulnerabilities:

#1. Local File Inclusion / File Disclosure Vulnerability
#2. Arbitrary File Upload / File Modify Vulnerability
#3. Reflected Cross-Site Scripting Vulnerability

(1) LFI/FD occurs when input passed thru the params:
- “action”
- “expid”
- “ajax_action”
- “printerfriendly”
- “section”
- “module”
- “controller”
- “int”
- “src”
- “template”
- “page”
- “_common”

to the scripts:
- “index.php”
- “login_redirect.php”
- “mod_preview.php”
- “podcast.php”
- “popup.php”
- “rss.php”

is not properly verified before being used to include files.
This can be exploited to include files from local resources
with directory traversal attacks and URL encoded NULL bytes.

(2) AFU/E occurs due to an error in:
- “upload_fileuploadcontrol.php”
- “upload_standalone.php”
- “manifest.php”
- “delete.php”
- “edit.php”
- “manage.php”
- “rank_switch.php”
- “save.php”
- “view.php”
- “class.php”
- “deps.php”
- “delete_form.php”
- “delete_process.php”
- “search.php”
- “send_feedback.php”
- “viewday.php”
- “viewmonth.php”
- “viewweek.php”
- “testbot.php”
- “activate_bot.php”
- “deactivate_bot.php”
- “manage_bots.php”
- “run_bot.php”
- “class.php”
- “delete_board.php”
- “delete_post.php”
- “edit_board.php”
- “edit_post.php”
- “edit_rank.php”
- “monitor_all_boards.php”
- “monitor_board.php”
- “monitor_thread.php”
- “preview_post.php”
- “save_board.php”
- “save_post.php”
- “save_rank.php”
- “view_admin.php”
- “view_board.php”
- “view_rank.php”
- “view_thread.php”
- “banner_click.php”
- “ad_delete.php”
- “ad_edit.php”
- “ad_save.php”
- “af_delete.php”
- “af_edit.php”
- “af_save.php”
- “delete_article.php”
- “edit_article.php”
- “save_article.php”
- “save_submission.php”
- “submit_article.php”
- “view_article.php”
- “view_submissions.php”
- “coretasks.php”
- “htmlarea_tasks.php”
- “search_tasks.php”
- “clear_smarty_cache.php”
- “configuresite.php”
- “config_activate.php”
- “config_configuresite.php”
- “config_delete.php”
- “config_save.php”
- “examplecontent.php”
- “finish_install_extension.php”
- “gmgr_delete.php”
- “gmgr_editprofile.php”
- “gmgr_membership.php”
- “gmgr_savegroup.php”
- “gmgr_savemembers.php”

as it allows uploads of files with multiple extensions to a
folder inside the web root. This can be exploited to execute
arbitrary PHP code by uploading a specially crafted PHP script.

The uploaded files are stored in: [CMS_ROOT_HOST]\files

(3) XSS occurs when input passed to the params:
- “u”
- “expid”
- “ajax_action”
- “ss”
- “sm”
- “url”
- “rss_url”
- “lang”
- “toolbar”
- “section”
- “section_name”
- “src”

in scripts:
- “slideshow.js.php”
- “picked_source.php”
- “magpie_debug.php”
- “magpie_simple.php”
- “magpie_slashbox.php”
- “test.php”
- “fcktoolbarconfig.js.php”
- “section_linked.php”
- “index.php”

is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script
code in a user’s browser session in context of an affected site.

Tested on: Microsoft Windows XP Professional SP3 (English)
Apache 2.2.14 (Win32)
MySQL 5.1.41
PHP 5.3.1

Vendor status: [09.10.2010] Vulnerabilities discovered.
[10.10.2010] Vendor contacted.
[13.10.2010] No reply from vendor.
[14.10.2010] Public advisory released.

Advisory ID: ZSL-2010-4969
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4969.php

Vulnerabilities discovered by: Gjoko ‘LiquidWorm’ Krstic
liquidworm gmail com
Zero Science Lab – http://www.zeroscience.mk

Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4969.php

Raw analysis (hi 5 John Leitch): Log_Exponent.txt (616 KB)

2010
10/14
POSTED BY
CATEGORY
Internal
Comments Off

Softek Barcode Reader Toolkit ActiveX 7.1.4.14 (SoftekATL.dll) Buffer Overflow PoC

Vendor: Softek Software Ltd
Product web page: http://www.bardecode.com
Affected version: 7.1.4.14

Summary: The Softek Barcode Reader Toolkit for Windows is a SDK that enables applications
to extract barcode information from images. The API’s available in the toolkit include .net,
java, com, ocx and windows dll. The standard version includes support for both 1 and 2-D
barcodes and special features include the ability to split documents by barcode position.

Desc: The vulnerability is caused due to a boundary error in SoftekATL.DLL when handling the
value assigned to the “DebugTraceFile” property and can be exploited to cause a heap-based
buffer overflow via an overly long string which may lead to execution of arbitrary code.

————————————————————————–

(824.ce0): Access violation – code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000001 ebx=44444444 ecx=7ffdf000 edx=00470608 esi=00470000 edi=4444443c
eip=7c96fa89 esp=0013f0a0 ebp=0013f100 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
ntdll!RtlpNtMakeTemporaryKey+0x7d45:
7c96fa89 0fb707 movzx eax,word ptr [edi] ds:0023:4444443c=????
0:000> g
(824.ce0): Access violation – code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000001 ebx=42424242 ecx=7ffdf000 edx=00470608 esi=00470000 edi=4242423a
eip=7c96fa89 esp=0013f0ac ebp=0013f10c iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
ntdll!RtlpNtMakeTemporaryKey+0x7d45:
7c96fa89 0fb707 movzx eax,word ptr [edi] ds:0023:4242423a=????
0:000> g
eax=00000000 ebx=00000000 ecx=7c800000 edx=7c97e120 esi=7c90de6e edi=00000000
eip=7c90e514 esp=0013fe5c ebp=0013ff58 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
ntdll!KiFastSystemCallRet:
7c90e514 c3 ret

———————–

EIP 7C96FA89
EAX 00000001
EBX 42424242
ECX 7FFDD000 -> 0013F0FC
EDX 00470608 -> 00152CA0
EDI 42424239
ESI 00470000 -> 000000C8
EBP 0013F10C -> 0013F1F4
ESP 0013F0AC -> 00470000

————————————————————————–

Tested on: Microsoft Windows XP Professional SP3 (English)
Microsoft Windows Internet Explorer 8.0.6001.18702
Softek Barcode Reader 7.3.1

Advisory: http://www.zeroscience.mk/mk/vulnerabilities/ZSL-2010-4965.php

2010
09/21
POSTED BY
CATEGORY
Internal
Comments Off

Netautor Professional 5.5.0 (goback) XSS Vulnerability

Vendor: /digiconcept/
Product web page: http://www.digiconcept.net
Affected version: 5.5.0 and DW 5.3.1

Summary: Netautor Professional is an application server and
development environment. Netautor Professional was developed
to serve the practical needs of users, and was continuously
advanced.

Digital Workroom is a well proven and time-tested Content Management
System. It`s based on also digiconcept`s developed Application Server
“Netautor Professional” and PHP 5. The standard functional range covers
the majoritarian needs on Internet- and Intranet environments for publication
and communication.

Desc: Netautor Professional v5.5.0 suffers from a XSS vulnerability because
input passed via the “goback” parameter to login2.php script is not properly
sanitised before being returned to the user. This can be exploited to execute
arbitrary HTML and script code in a user’s browser session in context of an
affected site.

Tested on: MS WinXP Pro SP3 (EN)
PHP 5.3.0
MySQL 5.1.36
Apache 2.2.11 (Win32)

Vendor status: [14.09.2010] Vulnerability discovered.
[15.09.2010] Contact with the vendor.
[17.09.2010] No reply from vendor.
[17.09.2010] Public advisory released.

Advisory: http://www.zeroscience.mk/mk/vulnerabilities/ZSL-2010-4964.php

2010
09/17
POSTED BY
CATEGORY
Internal
Comments Off

Анализа на неколку веб апликации

Минатиот викенд преземавме неколку веб апликации, CMS, по случаен избор, за да ги тестираме од ранливости со помош на статична анализа на изворен код. Со неколку алатки за ревизија преземени од листава, успеавме да најдеме неколку ранливости и неколку потенцијални ранливости во следниве веб апликации:

- Ez Publish 4.3 (http://www.ez.no)
- Bigace 2.7.2 (http://www.bigace.de)
- dorcMan 3.0.2 (http://www.dorcman.org)
- MySource Matrix 3.28.3 (http://matrix.squiz.net) (закрпено) (ZSL-2010-4962)
- Zen Cart 1.3.9f (http://www.zen-cart.com) (закрпа во тек) (ZSL-2010-????)
- Textpattern 4.2.0 (http://www.textpattern.com) (ZSL-2010-4963)
- Tube Ace 1.5 (http://www.tubeace.com)

Нивото на ризикот од пронајдените ранливости или на оние потенцијалните е некаде од 2 до 3 кадешто 1 е најниското а 5 е највисокото и најопасното ниво :)

Сите апликации се тестирани на следниве платформи:
- Microsoft Windows XP Professional SP3 (EN)
- PHP 5.3.0
- MySQL 5.1.36
- Apache 2.2.11 (Win32)

Од горенаведените апликации, MySource Matrix е закрпена, Zen Cart е во процес на развивање на закрпа, Textpattern – креаторите не одговорија на е-маил и останатите се оние кои содржат потенцијални ранливости.
Беа пронајдени ранливости од типот Persistent и Reflected(Non-Persistent) Cross-Site Scripting, SQL Injection, Local и Remote File Inclusion (LFI/RFI), File Disclosure, Directory Traversal и Denial Of Service (DoS).

За детали на потенцијалните ранливи апликации, ги закачивме необработените логови од анализите:
- Ez Publish (Arbitrary File Event, Potential SQL Error) – Ez_Publish-Audit_Log_1.txt
- Bigace (Potential SQL Error) – Bigace-Audit_Log_1.txt
- dorcMan (Potential SQL Error) – dorcMan-Audit_Log_1.txt
- Tube Ace (Cross-Site Scripting) – Tube_Ace-Audit_Log_1.txt

—–

- MySource Matrix (Cross-Site Scripting) – MySource_Matrix-Audit_Log_1.txt

Останатите апликации кои се со всушност потврдена ранливост беа Zen Cart, MySource Matrix и Textpattern. За Zen Cart нема да дискутираме нити пак да откриваме информации бидејќи се работи на подобрена верзија и секако побезбедна. Ќе биде објавено соодветно безбедносно предупредување откако производителот ќе ја објави подобрената верзија.

Што се однесува до MySource Matrix, веб апликација произведена од компанијата Squiz Pty Ltd. од Австралија. Во соработка со Zero Science Lab, Squiz објави подобрена верзија (3.28.4) во која е закрпена и пронајдената ранливост Cross-Site Scripting.
Се работи за скриптата char_map.php која се наоѓа во “/fudge/wysiwyg/plugins/special_chars/char_map.php” и нејзините 2 параметри “height” и “width” на кои не им се аплицира соодветно санирање односно проверка на внесената вредност пред таа да се врати до корисникот.
Ранливиот код се наоѓа во линиите 182 и 183:

<?php echo $_REQUEST['width'];?>;
<?php echo $_REQUEST['height'];?>;

Со помош на оваа ранливост (Reflected XSS), напаѓачот со различни техники може да го измами корисникот и да дојде до саканите информации во контекст на заразениот сајт.

Брзо решение е да се отстранат двете линии за кои производителот изјави дека и така не вршат некаква си функција.

Textpattern е исто така веб апликација, CMS, произведена од Team Textpattern. Тимот на Textpattern не одговори на нашиот труд за комуникација и решивме да го објавиме наодот според нашата полиса за јавно објавување. Се работи за Cross-Site Scripting ранливоста извршена со помош на NULL Termination.

Ранливоста се наоѓа во Textpattern (TXP) Tag Library (txplib_db.php) преку “q” параметрот со чија помош напаѓачот е во состојба да извршува своеволен HTML или JavaScript код директно во корисничкиот прелистувач и негова сесија со користење на нулта енкодирани стрингови (null byte).

Ранливиот параметар се наоѓа во qParamtxtpattern_locations.txt

Доказ на концепт: http://127.0.0.1/textpattern/?q=%00<script>alert(1)</script>

2010
09/08
POSTED BY
CATEGORY
Internal
Comments Off

Corel WordPerfect Office X5 and Corel Presentations X5 File Handling Vulnerabilities

- Corel WordPerfect Office X5 15.0.0.357 (wpd) Remote Buffer Preoccupation PoC

- Corel Presentations X5 15.0.0.357 (shw) Remote Buffer Preoccupation PoC

Corel Corporation

http://www.corel.com

Version: 15.0.0.357 (Standard Edition)

- Summary: Corel® WordPerfect® Office X5 – Standard Edition is the essential
office suite for word processing, spreadsheets, presentations and email.
Chosen over Microsoft® Office by millions of longtime users, it integrates
the latest productivity software with the best of the Web. Work faster and
collaborate more efficiently with all-new Web services, new Microsoft® Office
SharePoint® support, more PDF tools and even better compatibility with Microsoft
Office. It’s everything you expect in an office suite—for less.

- Desc: Corel WordPerfect and Corel Presentations X5 is prone to a remote buffer overflow vulnerability because
the application fails to perform adequate boundary checks on user supplied input with
.WPD (WordPerfect Document) and .SHW (Presentations Slide Show) file. Attackers may exploit this issue to execute arbitrary
code in the context of the application. Failed attacks will cause denial-of-service
conditions.

- Tested On: Microsoft Windows XP Professional SP3 (English)

- Vulnerability Discovered By: Gjoko ‘LiquidWorm’ Krstic

- liquidworm gmail com

- Zero Science Lab – http://www.zeroscience.mk

- 09.07.2010

- Vendor status:

[09.07.2010] Vulnerability discovered.
[09.07.2010] Initial contact with the vendor.
[12.07.2010] No reply from vendor.
[12.07.2010] Public advisory released.

Details:

- Corel Presentations X5 15.0.0.357 (shw) Remote Buffer Preoccupation PoC
- Corel WordPerfect Office X5 15.0.0.357 (wpd) Remote Buffer Preoccupation PoC

2010
07/12
POSTED BY
CATEGORY
Internal
Comments Off

Adobe Reader 9.3.2 (CoolType.dll) Remote Memory Corruption / DoS Vulnerability

Title:

Adobe Reader 9.3.2 (CoolType.dll) Remote Memory Corruption / DoS Vulnerability

Summary:

Adobe Reader software is the global standard for electronic document sharing. It is the only PDF
file viewer that can open and interact with all PDF documents. Use Adobe Reader to view, search,
digitally sign, verify, print, and collaborate on Adobe PDF files.

Vendor:

Adobe Systems Incorporated

Product Web Page:

http://www.adobe.com/

Version tested:

9.3.2
9.3.1

Description:

Adobe Reader suffers from a remote memory corruption vulnerability that causes the application to
crash while processing the malicious .PDF file. The issue is triggered when the reader tries to
initialize the CoolType Typography Engine (cooltype.dll). This vulnerability also affects and crashes
major browsers like: Mozilla Firefox, Opera and Apple Safari. Google Chrome & IE does not crash.
Talking about Blended Threat Vulnerabilities ;).

———————————————————————————–

(bd0.e14): Access violation – code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=313100ee ebx=0211a722 ecx=00000031 edx=02e091a4 esi=00017e58 edi=00000000
eip=08075dc2 esp=0012d478 ebp=0012d488 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
CoolType!CTInit+0x2f827:
08075dc2 660fb644322c movzx ax,byte ptr [edx+esi+2Ch] ds:0023:02e21028=??

———————————————————————————–

Tested On:

Microsoft Windows XP Professional SP3 (English)
Microsoft Windows XP Professional SP2 (English)
Microsoft Windows 7 Ultimate
GNU/Linux Ubuntu Desktop 9.10 (i386) 32-bit
GNU/Linux Fedora 10 (Cambridge) / 2.6.27.41-170.2.117.fc10.i686

Vendor Status:

18.04.2010 – Vendor informed.
18.04.2010 – Vendor replied.
07.05.2010 – Asked vendor for confirmation.
07.05.2010 – Vendor confirms vulnerability.
03.06.2010 – Asked vendor for status.
03.06.2010 – Vendor replied.
24.06.2010 – Vendor reveals patch release date.
29.06.2010 – Coordinated public advisory.

Advisory Details:

Zero Science Lab Advisory ID: ZSL-2010-4943
Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4943.php
Adobe Advisory ID: APSB10-15
Advisory: http://www.adobe.com/support/security/bulletins/apsb10-15.html
CVE ID: CVE-2010-2204

Live Demo:

http://www.zeroscience.mk/codes/thricer.pdf

Vulnerability Discovered By:

Gjoko ‘LiquidWorm’ Krstic

liquidworm gmail com

Zero Science Lab – http://www.zeroscience.mk

Повеќе: http://www.zeroscience.mk/mk/vulnerabilities/ZSL-2010-4943.php

2010
06/29
POSTED BY
CATEGORY
Internal
Comments Off

UK One Media CMS (id) Error Based SQL Injection Vulnerability

Summary: Content Management System (PHP+MySQL)

Vendor: UK One Media – http://www.uk1media.com

Desc: UK One Media CMS suffers from an sql injection vulnerability when parsing query from the id param which results in compromising the entire database structure and executing system commands.

Tested on Apache 2.x (linux), PHP/5.2.11 and MySQL/4.1.22

More details: http://www.zeroscience.mk/mk/vulnerabilities/ZSL-2010-4942.php

2010
06/19
POSTED BY
CATEGORY
Internal
Comments Off

Adobe Shockwave Player 11.5.6.606 (DIR) Multiple Memory Vulnerabilities

Title: Adobe Shockwave Player 11.5.6.606 (DIR) Multiple Memory Vulnerabilities

Vendor: Adobe Systems Incorporated

Product web page: http://www.adobe.com

Summary: Over 450 million Internet-enabled desktops have installed Adobe Shockwave Player.
These people now have access to some of the best the Web has to offer – including
dazzling 3D games and entertainment, interactive product demonstrations, and online
learning applications. Shockwave Player displays Web content that has been created
by Adobe Director.

Desc: Shockwave Player version 11.5.6.606 and earlier from Adobe suffers from a memory consumption /
corruption and buffer overflow vulnerabilities that can aid the attacker to cause denial of service
scenarios and arbitrary code execution. The vulnerable software fails to sanitize user input when
processing .dir files resulting in a crash and overwrite of a few memory registers.

Tested on: Microsoft Windows XP Professional SP3 (English)

Version tested: 11.5.6.606

(f94.ae4): Access violation – code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=20a0a0a0 ebx=207d004c ecx=00000400 edx=41414140 esi=00000000 edi=a80487d8
eip=68008bd6 esp=0012de4c ebp=00000400 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00050206
*** WARNING: Unable to verify checksum for C:\Program Files\Adobe\Adobe Director 11\DIRAPI.dll
*** ERROR: Symbol file could not be found. Defaulted to export symbols for DIRAPI.dll –
DIRAPI!Ordinal14+0x3b16:
68008bd6 2b4f04 sub ecx,dword ptr [edi+4] ds:0023:a80487dc=????????

—————————————————————————————————-

EAX FFFFFFFF
ECX 41414141
EDX FFFFFFFF
EBX 00000018
ESP 0012F3B4
EBP 02793578
ESI 0012F3C4
EDI 02793578
EIP 69009F1F IML32.69009F1F

More info:
http://www.zeroscience.mk/mk/vulnerabilities/ZSL-2010-4937.php
http://www.adobe.com/support/security/bulletins/apsb10-12.html

2010
05/12
POSTED BY
CATEGORY
Internal
Comments Off

Rete Mirabilia

Site Meter