Posts Tagged ‘ file

NCH Software Express Burn Plus 4.68 EBP Project File Handling Buffer Overflow PoC

The vulnerability is caused due to a boundary error in the processing of a project file, which can be exploited to cause a unicode buffer overflow when a user opens e.g. a specially crafted .EBP file. Successful exploitation could allow execution of arbitrary code on the affected machine.

eburn2bof

eburn2bof2

Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5166.php

Ref: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5103.php

ImpressPages CMS 3.6 Multiple Vulnerabilities (XSS/SQLi/FD/RCE)

Input passed via several parameters is not properly sanitized before being returned to the user or used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code and HTML/script code in a user’s browser session in context of an affected site.

Input passed to the ‘files[0][file]’ parameter in ‘/ip_cms/modules/administrator/repository/controller.php’ is not properly sanitised before being used to delete files. This can be exploited to delete files with the permissions of the web server via directory traversal sequences passed within the affected POST parameter.

The RCE vulnerability is caused due to the improper verification of uploaded files in ‘/ip_cms/modules/developer/config_exp_imp/manager.php’ script thru the ‘manage()’ function (@line 65) when importing a configuration file. This can be exploited to execute arbitrary PHP code by uploading a malicious PHP script file that will be stored in ‘/file/tmp’ directory after successful injection. Permission Developer[Modules exp/imp] is required (parameter ‘i_n_2[361]’ = on) for successful exploitation.

impresspages-linux-exploit44

impresspages-rce44

Advisories:

ImpressPages CMS v3.6 Multiple XSS/SQLi Vulnerabilities
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5157.php

ImpressPages CMS v3.6 Remote Arbitrary File Deletion Vulnerability
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5158.php

ImpressPages CMS v3.6 manage() Function Remote Code Execution Exploit
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5159.php

Vendor: http://www.impresspages.org/blog/impresspages-cms-3-7-is-mobile-as-never-before/

GLPI version 0.83.7 and 0.83.8 Multiple Vulnerabilities (SQLi/LFI)

GLPI suffers from a file inclusion vulnerability (LFI) when input passed thru the ‘filetype’ parameter to ‘common.tabs.php’ script is not properly verified before being used to include files. This can be exploited to include files from local resources with directory traversal attacks and URL encoded NULL bytes.

Input passed via the POST parameter ‘users_id_assign’ in ‘/ajax/ticketassigninformation.php’ script, POST parameter ‘filename’ in ‘/front/document.form.php’ script, and POST parameter ‘table’ in ‘/ajax/comments.php’ script is not properly sanitised before being used in SQL queries. This can be exploited by a malicious attacker to manipulate SQL queries by injecting arbitrary SQL code in the affected application.

There are several other parameters vulnerable to SQL Injection attacks. For your convenience, test logs: more_sqli-glpi

Advisory [ZSL-2013-5145]: GLPI v0.83.7 (itemtype) Parameter Traversal Arbitrary File Access Exploit
Advisory [ZSL-2013-5146]: GLPI v0.83.8 Multiple Error-based SQL Injection Vulnerabilities

CMSLogik 1.2.1 Multiple Vulnerabilities

CMSLogik suffers from multiple stored XSS, arbitrary file upload and user enumeration weakness.

Advisories:

CMSLogik 1.2.1 Multiple Persistent XSS Vulnerabilities
CMSLogik 1.2.1 (user param) User Enumeration Weakness
CMSLogik 1.2.1 (upload_file_ajax()) Shell Upload Exploit

cmslogikenum2



Piwigo 2.4.6 (install.php) Remote Arbitrary File Read/Delete Vulnerability

Input passed to the ‘dl’ parameter in ‘install.php’ script is not properly sanitised before being used to get the contents of a resource or delete files. This can be exploited to read and delete arbitrary data from local resources with the permissions of the web server via directory traversal attack.


/install.php:
-------------

113: if (!empty($_GET['dl']) && file_exists(PHPWG_ROOT_PATH.$conf['data_location'].'pwg_'.$_GET['dl']))
114: {
115: $filename = PHPWG_ROOT_PATH.$conf['data_location'].'pwg_'.$_GET['dl'];
116: header('Cache-Control: no-cache, must-revalidate');
117: header('Pragma: no-cache');
118: header('Content-Disposition: attachment; filename="database.inc.php"');
119: header('Content-Transfer-Encoding: binary');
120: header('Content-Length: '.filesize($filename));
121: echo file_get_contents($filename);
122: unlink($filename);
123: exit();
124: }



Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5127.php

OpenEMR 4.1.1 (ofc_upload_image.php) Arbitrary File Upload Vulnerability

The vulnerability is caused due to the improper verification of uploaded files in ‘/library/openflashchart/php-ofc-library/ofc_upload_image.php’ script thru the ‘name’ parameter. This can be exploited to execute arbitrary PHP code by uploading a malicious PHP script with multiple extensions.

OpenEMR Shell Upload

Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5126.php

PRADO PHP Framework 3.2.0 Arbitrary File Read Vulnerability

PRADO Framework suffers from an arbitrary file read vulnerability. Input passed to the ‘sr’ parameter in ‘functional_tests.php’ is not properly sanitised before being used to get the contents of a resource. This can be exploited to read arbitrary data from local resources with directory traversal attack.

Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5113.php

Express Burn Plus v4.58 EBP Project File Handling Buffer Overflow PoC

The vulnerability is caused due to a boundary error in the processing of a project file, which can be exploited to cause a unicode buffer overflow when a user opens e.g. a specially crafted .EBP file. Successful exploitation could allow execution of arbitrary code on the affected machine.

——————————————————————————–
(13d4.a84): Access violation – code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=050a8c70 ebx=004034fc ecx=00000041 edx=fc4d5390 esi=0157cf68 edi=001297fe
eip=004678ef esp=00126420 ebp=001274c0 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
*** WARNING: Unable to verify checksum for image00400000
*** ERROR: Module load completed but symbols could not be loaded for image00400000
image00400000+0x678ef:
004678ef 66890c02 mov word ptr [edx+eax],cx ds:0023:0157e000=????
0:000> d eax
050a8c70 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
050a8c80 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
050a8c90 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
050a8ca0 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
050a8cb0 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
050a8cc0 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
050a8cd0 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
050a8ce0 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
0:000> d esi
0157cf68 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
0157cf78 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
0157cf88 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
0157cf98 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
0157cfa8 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
0157cfb8 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
0157cfc8 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
0157cfd8 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.

———————————————————————————-

Advisory ID: ZSL-2012-5103
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5103.php

Themida and WinLicense Vulnerabilities

The vulnerability in Themida is caused due to a boundary error in the processing of a project file, which can be exploited to cause a buffer overflow when a user opens e.g. a specially crafted .TMD file. Successful exploitation may allow execution of arbitrary code.

WinLicense is prone to an unspecified memory corruption vulnerability. An attacker can exploit this issue by tricking a victim into opening a malicious XML file to execute arbitrary code and to cause denial-of-service conditions.

Advisories:

ZSL-2012-5079http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5079.php
ZSL-2012-5080http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5080.php

webgrind 1.0 (file param) Local File Inclusion Vulnerability

webgrind suffers from a file inlcusion vulnerability (LFI) when input passed thru the ‘file’ parameter to index.php is not properly verified before being used to include files. This can be exploited to include files from local resources with directory traversal attacks and URL encoded NULL bytes.


---------------------------
/index.php:
-----------
122: case 'fileviewer':
123: $file = get('file');
124: $line = get('line');
---------------------------

Advisory details: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5075.php

Thanks to Michael Meyer, OpenVAS Project.