Posts Tagged ‘ exploit

Stark CRM v1.0 Multiple Script Injection And Session Riding Vulnerabilities

Multiple stored XSS and CSRF vulnerabilities exist when parsing user input to several POST parameters. The application allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site and/or execute arbitrary HTML and script code in a user’s browser session.

starkcrm_xss

Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5169.php

NCH Software Inventoria 3.45 (id param) Reflected Cross-Site Scripting Vulnerability

The application suffers from a reflected XSS issue due to a failure to properly sanitize user-supplied input to the ‘id’ GET parameter in the ‘locdelete’ (JSP) script. Attackers can exploit this weakness to execute arbitrary HTML and script code in a user’s browser session.

inventoria_xss

Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5167.php

ACE Stream Media 2.1 (acestream://) Format String Exploit PoC

ACE Stream Media (Ace Player HD) is prone to a remote format string vulnerability because the application fails to properly sanitize user-supplied input thru the URI using the ‘acestream://’ protocol before including it in the format-specifier argument of a formatted-printing function. A remote attacker may exploit this issue to execute arbitrary code with the privileges of the user running the affected application and/or cause memory address disclosure. Failed exploit attempts may cause denial-of-service (DoS) conditions.

aceplayercrash

acestream

Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5165.php

ImpressPages CMS 3.6 Multiple Vulnerabilities (XSS/SQLi/FD/RCE)

Input passed via several parameters is not properly sanitized before being returned to the user or used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code and HTML/script code in a user’s browser session in context of an affected site.

Input passed to the ‘files[0][file]’ parameter in ‘/ip_cms/modules/administrator/repository/controller.php’ is not properly sanitised before being used to delete files. This can be exploited to delete files with the permissions of the web server via directory traversal sequences passed within the affected POST parameter.

The RCE vulnerability is caused due to the improper verification of uploaded files in ‘/ip_cms/modules/developer/config_exp_imp/manager.php’ script thru the ‘manage()’ function (@line 65) when importing a configuration file. This can be exploited to execute arbitrary PHP code by uploading a malicious PHP script file that will be stored in ‘/file/tmp’ directory after successful injection. Permission Developer[Modules exp/imp] is required (parameter ‘i_n_2[361]’ = on) for successful exploitation.

impresspages-linux-exploit44

impresspages-rce44

Advisories:

ImpressPages CMS v3.6 Multiple XSS/SQLi Vulnerabilities
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5157.php

ImpressPages CMS v3.6 Remote Arbitrary File Deletion Vulnerability
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5158.php

ImpressPages CMS v3.6 manage() Function Remote Code Execution Exploit
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5159.php

Vendor: http://www.impresspages.org/blog/impresspages-cms-3-7-is-mobile-as-never-before/

TeraCopy 2.3 (default.mo) Language File Integer Overflow Vulnerability

TeraCopy is prone to an integer overflow vulnerability because it fails to perform adequate boundary checks when reading language files. Successfully exploiting this issue may allow local attackers to execute arbitrary code in the context of the application. Failed exploit attempts will cause denial-of-service conditions.

teracopy

Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5155.php

Windu CMS 2.2 Multiple Stored XSS And CSRF Vulnerabilities

Windu CMS suffers from a cross-site request forgery vulnerabilities. The application allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site. Multiple stored XSS vulnerabilities exist when parsing user input to the ‘name’ and ‘username’ POST parameters. Attackers can exploit these weaknesses to execute arbitrary HTML and script code in a user’s browser session.

Advisories:

Windu CMS 2.2 CSRF Add Admin Exploit
Windu CMS 2.2 Multiple Persistent Cross-Site Scripting Vulnerabilities

windu_xss

GLPI version 0.83.7 and 0.83.8 Multiple Vulnerabilities (SQLi/LFI)

GLPI suffers from a file inclusion vulnerability (LFI) when input passed thru the ‘filetype’ parameter to ‘common.tabs.php’ script is not properly verified before being used to include files. This can be exploited to include files from local resources with directory traversal attacks and URL encoded NULL bytes.

Input passed via the POST parameter ‘users_id_assign’ in ‘/ajax/ticketassigninformation.php’ script, POST parameter ‘filename’ in ‘/front/document.form.php’ script, and POST parameter ‘table’ in ‘/ajax/comments.php’ script is not properly sanitised before being used in SQL queries. This can be exploited by a malicious attacker to manipulate SQL queries by injecting arbitrary SQL code in the affected application.

There are several other parameters vulnerable to SQL Injection attacks. For your convenience, test logs: more_sqli-glpi

Advisory [ZSL-2013-5145]: GLPI v0.83.7 (itemtype) Parameter Traversal Arbitrary File Access Exploit
Advisory [ZSL-2013-5146]: GLPI v0.83.8 Multiple Error-based SQL Injection Vulnerabilities

SAS Integration Technologies Client 9.31_M1 (SASspk.dll) Stack-based Overflow

SAS Integration Technologies provides you with software that enables you to build a secure client/server infrastructure on which to implement SAS distributed processing solutions. With SAS Integration Technologies, you can integrate SAS with other applications in your enterprise; provide proactive delivery of information from SAS throughout the enterprise; extend the capabilities of SAS to meet your organization’s specific needs; and develop your own distributed applications that leverage the analytic and reporting powers of SAS. The SAS Deployment Manager is used for post-installation configuration tasks such as configuring some products, applying hot fixes, updating metadata, and uninstalling SAS software.

The SASspk module (SASspk.dll) version 9.310.0.11307, has a function called ‘RetrieveBinaryFile()’ which has one parameter called ‘bstrFileName’ which takes arguments as strings as defined in the function itself as ISPKBinaryFile from the SASPackageRetrieve library. Stack-based buffer overflow was discovered in one of the fuzzing processes that could allow arbitrary code execution by an attacker when exploiting the non-sanitized ‘bstrFileName’ parameter.

SAS Stack-based Buffer Overflow Vulnerability

Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5142.php
Vendor: http://support.sas.com/kb/49/961.html

WordPress Newsletter Plugin 3.2.6 (alert) Reflected XSS Vulnerability

The plugin suffers from a XSS issue due to a failure to properly sanitize user-supplied input to the ‘alert’ GET parameter in the ‘page.php’ script. Attackers can exploit this weakness to execute arbitrary HTML and script code in a user’s browser session.

newsletter_xss

Advisory ID: ZSL-2013-5141
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5141.php

TP-Link TL-WR740N Wireless Router Remote Denial Of Service Exploit

The TP-Link WR740N Wireless N Router network device is exposed to a remote denial of service vulnerability when processing a HTTP request. This issue occurs when the web server (httpd) fails to handle a HTTP GET request over a given default TCP port 80. Sending a sequence of three dots (…) to the router will crash its httpd service denying the legitimate users access to the admin control panel management interface. To bring back the http srv and the admin UI, a user must physically reboot the router.

Three Dots Attack

TP-Link DoS

Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5135.php